diff --git a/.env.example b/.env.example
index f9318cc..7446591 100644
--- a/.env.example
+++ b/.env.example
@@ -1,3 +1,7 @@
+# Shared (applies to both control plane and host agent)
+WRENN_DIR=/var/lib/wrenn
+LOG_LEVEL=info
+
 # Database
 DATABASE_URL=postgres://wrenn:wrenn@localhost:5432/wrenn?sslmode=disable
 
@@ -5,24 +9,14 @@ DATABASE_URL=postgres://wrenn:wrenn@localhost:5432/wrenn?sslmode=disable
 REDIS_URL=redis://localhost:6379/0
 
 # Control Plane
-WRENN_CP_LISTEN_ADDR=:8080
+WRENN_CP_LISTEN_ADDR=:9725
 
 # Host Agent
 WRENN_HOST_LISTEN_ADDR=:50051
-WRENN_DIR=/var/lib/wrenn
 WRENN_HOST_INTERFACE=eth0
-WRENN_CP_URL=http://localhost:8080
-
-# Lago (billing — external service)
-LAGO_API_URL=http://localhost:3000
-LAGO_API_KEY=
-
-# Object Storage (hibernate snapshots — Hetzner Object Storage, S3-compatible)
-S3_BUCKET=wrenn-snapshots
-S3_REGION=fsn1
-S3_ENDPOINT=https://fsn1.your-objectstorage.com
-AWS_ACCESS_KEY_ID=
-AWS_SECRET_ACCESS_KEY=
+WRENN_CP_URL=http://localhost:9725
+WRENN_DEFAULT_ROOTFS_SIZE=5Gi
+WRENN_FIRECRACKER_BIN=/usr/local/bin/firecracker
 
 # Auth
 JWT_SECRET=
@@ -43,4 +37,11 @@ WRENN_ENCRYPTION_KEY=
 OAUTH_GITHUB_CLIENT_ID=
 OAUTH_GITHUB_CLIENT_SECRET=
 OAUTH_REDIRECT_URL=https://app.wrenn.dev
-CP_PUBLIC_URL=https://api.wrenn.dev
+CP_PUBLIC_URL=https://app.wrenn.dev
+
+# SMTP — transactional email (optional; omit SMTP_HOST to disable)
+SMTP_HOST=
+SMTP_PORT=587
+SMTP_USERNAME=
+SMTP_PASSWORD=
+SMTP_FROM_EMAIL=noreply@wrenn.dev
diff --git a/.gitignore b/.gitignore
index 96b55a4..4be2db8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -47,4 +47,5 @@ frontend/build/
 
 ## Dashboard embedded static (built from frontend, not committed)
 internal/dashboard/static/*
-!internal/dashboard/static/.gitkeep
\ No newline at end of file
+!internal/dashboard/static/.gitkeep.dual-graph/
+.dual-graph/
diff --git a/CLAUDE.md b/CLAUDE.md
index d3cfa02..56fdbbc 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -12,10 +12,10 @@ All commands go through the Makefile. Never use raw `go build` or `go run`.
 
 ```bash
 make build              # Build all binaries → builds/
-make build-cp           # Control plane only (builds frontend first)
+make build-cp           # Control plane only
 make build-agent        # Host agent only
 make build-envd         # envd static binary (verified statically linked)
-make build-frontend     # SvelteKit dashboard → internal/dashboard/static/
+make build-frontend     # SvelteKit dashboard → frontend/build/ (served by Caddy)
 
 make dev                # Full local dev: infra + migrate + control plane
 make dev-infra          # Start PostgreSQL + Prometheus + Grafana (Docker)
@@ -55,7 +55,7 @@ User SDK → HTTPS/WS → Control Plane → Connect RPC → Host Agent → HTTP/
 | Binary | Module | Entry point | Runs as |
 |--------|--------|-------------|---------|
 | wrenn-cp | `git.omukk.dev/wrenn/wrenn` | `cmd/control-plane/main.go` | Unprivileged |
-| wrenn-agent | `git.omukk.dev/wrenn/wrenn` | `cmd/host-agent/main.go` | Root (NET_ADMIN + /dev/kvm) |
+| wrenn-agent | `git.omukk.dev/wrenn/wrenn` | `cmd/host-agent/main.go` | `wrenn` user with capabilities (SYS_ADMIN, NET_ADMIN, NET_RAW, SYS_PTRACE, KILL, DAC_OVERRIDE, MKNOD) via setcap; also accepts root |
 | envd | `git.omukk.dev/wrenn/wrenn/envd` (standalone `envd/go.mod`) | `envd/main.go` | PID 1 inside guest VM |
 
 envd is a **completely independent Go module**. It is never imported by the main module. The only connection is the protobuf contract. It compiles to a static binary baked into rootfs images.
@@ -64,21 +64,31 @@ envd is a **completely independent Go module**. It is never imported by the main
 
 ### Control Plane
 
-**Packages:** `internal/api/`, `internal/dashboard/`, `internal/auth/`, `internal/scheduler/`, `internal/lifecycle/`, `internal/config/`, `internal/db/`
+**Internal packages:** `internal/api/`, `internal/email/`
 
-Startup (`cmd/control-plane/main.go`) wires: config (env vars) → pgxpool → `db.Queries` (sqlc-generated) → Connect RPC client to host agent → `api.Server`. Everything flows through constructor injection.
+**Public packages (importable by cloud repo):** `pkg/config/`, `pkg/db/`, `pkg/auth/`, `pkg/auth/oauth/`, `pkg/scheduler/`, `pkg/lifecycle/`, `pkg/channels/`, `pkg/audit/`, `pkg/service/`, `pkg/events/`, `pkg/id/`, `pkg/validate/`
 
-- **API Server** (`internal/api/server.go`): chi router with middleware. Creates handler structs (`sandboxHandler`, `execHandler`, `filesHandler`, etc.) injected with `db.Queries` and the host agent Connect RPC client. Routes under `/v1/sandboxes/*`.
+**Extension framework:** `pkg/cpextension/` (shared `Extension` interface + `ServerContext`), `pkg/cpserver/` (exported `Run()` entrypoint with functional options for cloud `main.go`)
+
+The cloud repo imports this module as a Go dependency and calls `cpserver.Run(cpserver.WithExtensions(myExt))`. Each extension implements two methods: `RegisterRoutes(r chi.Router, sctx ServerContext)` to add HTTP routes, and `BackgroundWorkers(sctx ServerContext) []func(context.Context)` to add long-running goroutines. `ServerContext` carries all OSS services (DB, scheduler, auth, etc.) so extensions can use them without reimplementing anything. To expose a new OSS service to extensions, add it to `ServerContext` in `pkg/cpextension/extension.go` and populate it in `pkg/cpserver/run.go`.
+
+**pkg/ vs internal/ decision rule:** A package belongs in `pkg/` only if the cloud repo needs to import it directly. Everything else stays in `internal/`. New OSS services (e.g. email, notifications) go in `internal/` — the cloud repo accesses them through `ServerContext`, not by importing the package. Do not put a service in `pkg/` just because the cloud repo uses it.
+
+Startup (`cmd/control-plane/main.go`) is a thin wrapper: `cpserver.Run(cpserver.WithVersion(...))`. All 20 initialization steps live in `pkg/cpserver/run.go`: config → pgxpool → `db.Queries` → Redis → mTLS CA → host client pool → scheduler → OAuth → channels → audit logger → `api.New()` → background workers → HTTP server. Everything flows through constructor injection.
+
+- **API Server** (`internal/api/server.go`): chi router with middleware. Creates handler structs (`sandboxHandler`, `execHandler`, `filesHandler`, etc.) injected with `db.Queries` and the host agent Connect RPC client. Routes under `/v1/capsules/*`. Accepts `[]cpextension.Extension` — each extension's `RegisterRoutes()` is called after all core routes are registered.
 - **Reconciler** (`internal/api/reconciler.go`): background goroutine (every 30s) that compares DB records against `agent.ListSandboxes()` RPC. Marks orphaned DB entries as "stopped".
-- **Dashboard** (SvelteKit + Tailwind + Bits UI, statically built and embedded via `go:embed`, served as catch-all at root)
-- **Database**: PostgreSQL via pgx/v5. Queries generated by sqlc from `db/queries/sandboxes.sql`. Migrations in `db/migrations/` (goose, plain SQL).
-- **Config** (`internal/config/config.go`): purely environment variables (`DATABASE_URL`, `CP_LISTEN_ADDR`, `CP_HOST_AGENT_ADDR`), no YAML/file config.
+- **Dashboard** (SvelteKit + Tailwind + Bits UI, built to static files in `frontend/build/`, served by Caddy as a reverse proxy)
+- **Database**: PostgreSQL via pgx/v5. Queries generated by sqlc from `db/queries/*.sql` → `pkg/db/`. Migrations in `db/migrations/` (goose, plain SQL). `db/migrations/embed.go` exposes `migrations.FS` so the cloud repo can run OSS migrations via `go:embed`.
+- **Config** (`pkg/config/config.go`): purely environment variables (`DATABASE_URL`, `CP_LISTEN_ADDR`, `CP_HOST_AGENT_ADDR`), no YAML/file config.
 
 ### Host Agent
 
 **Packages:** `internal/hostagent/`, `internal/sandbox/`, `internal/vm/`, `internal/network/`, `internal/devicemapper/`, `internal/envdclient/`, `internal/snapshot/`
 
-Startup (`cmd/host-agent/main.go`) wires: root check → enable IP forwarding → clean up stale dm devices → `sandbox.Manager` (containing `vm.Manager` + `network.SlotAllocator` + `devicemapper.LoopRegistry`) → `hostagent.Server` (Connect RPC handler) → HTTP server.
+**Production deployment:** `scripts/prepare-wrenn-user.sh` creates the `wrenn` system user, sets Linux capabilities (setcap) on wrenn-agent and all child binaries (iptables, losetup, dmsetup, etc.), installs an apt hook to restore capabilities after package updates, configures udev rules for `/dev/net/tun`, loads required kernel modules, and writes systemd unit files for both services. No sudo grants — all privilege is via capabilities.
+
+Startup (`cmd/host-agent/main.go`) wires: root/capabilities check → enable IP forwarding → clean up stale dm devices → `sandbox.Manager` (containing `vm.Manager` + `network.SlotAllocator` + `devicemapper.LoopRegistry`) → `hostagent.Server` (Connect RPC handler) → HTTP server.
 
 - **RPC Server** (`internal/hostagent/server.go`): implements `hostagentv1connect.HostAgentServiceHandler`. Thin wrapper — every method delegates to `sandbox.Manager`. Maps Connect error codes on return.
 - **Sandbox Manager** (`internal/sandbox/manager.go`): the core orchestration layer. Maintains in-memory state in `boxes map[string]*sandboxState` (protected by `sync.RWMutex`). Each `sandboxState` holds a `models.Sandbox`, a `*network.Slot`, and an `*envdclient.Client`. Runs a TTL reaper (every 10s) that auto-destroys timed-out sandboxes.
@@ -105,8 +115,8 @@ Runs as PID 1 inside the microVM via `wrenn-init.sh` (mounts procfs/sysfs/dev, s
 - **Package manager**: pnpm
 - **Routing**: SvelteKit file-based routing under `frontend/src/routes/`
 - **Routing layout**: `/login` and `/signup` at root, authenticated pages under `/dashboard/*` (e.g. `/dashboard/capsules`, `/dashboard/keys`)
-- **Build output**: `frontend/build/` → copied to `internal/dashboard/static/` → embedded via `go:embed` into the control plane binary
-- **Serving**: `internal/dashboard/dashboard.go` registers a `NotFound` catch-all SPA handler with fallback to `index.html`. API routes (`/v1/*`, `/openapi.yaml`, `/docs`) are registered first and take priority
+- **Build output**: `frontend/build/` — static files served by Caddy
+- **Serving**: Caddy reverse-proxies API requests to the control plane and serves the SvelteKit SPA directly. The control plane does not serve frontend assets.
 - **Dev workflow**: `make dev-frontend` runs Vite dev server on port 5173 with HMR. API calls proxy to `http://localhost:8000`
 - **Fonts**: Manrope (UI), Instrument Serif (headings), JetBrains Mono (code), Alice (brand wordmark) — all self-hosted via `@fontsource`
 - **Dark mode**: class-based (`.dark` on `<html>`) with system preference detection + localStorage persistence
@@ -147,19 +157,19 @@ HIBERNATED → RUNNING (cold snapshot resume, slower)
 
 ### Key Request Flows
 
-**Sandbox creation** (`POST /v1/sandboxes`):
+**Sandbox creation** (`POST /v1/capsules`):
 1. API handler generates sandbox ID, inserts into DB as "pending"
 2. RPC `CreateSandbox` → host agent → `sandbox.Manager.Create()`
 3. Manager: resolve base rootfs → acquire shared loop device → create dm-snapshot (sparse CoW file) → allocate network slot → `CreateNetwork()` (netns + veth + tap + NAT) → `vm.Create()` (start Firecracker with `/dev/mapper/wrenn-{id}`, configure via HTTP API, boot) → `envdclient.WaitUntilReady()` (poll /health) → store in-memory state
 4. API handler updates DB to "running" with host_ip
 
-**Command execution** (`POST /v1/sandboxes/{id}/exec`):
+**Command execution** (`POST /v1/capsules/{id}/exec`):
 1. API handler verifies sandbox is "running" in DB
 2. RPC `Exec` → host agent → `sandbox.Manager.Exec()` → `envdclient.Exec()`
 3. envd client opens bidirectional Connect RPC stream (`process.Start`), collects stdout/stderr/exit_code
 4. API handler checks UTF-8 validity (base64-encodes if binary), updates last_active_at, returns result
 
-**Streaming exec** (`WS /v1/sandboxes/{id}/exec/stream`):
+**Streaming exec** (`WS /v1/capsules/{id}/exec/stream`):
 1. WebSocket upgrade, read first message for cmd/args
 2. RPC `ExecStream` → host agent → `sandbox.Manager.ExecStream()` → `envdclient.ExecStream()`
 3. envd client returns a channel of events; host agent forwards events through the RPC stream
@@ -189,7 +199,7 @@ To add a new RPC method: edit the `.proto` file → `make proto` → implement t
 
 ### sqlc
 
-Config: `sqlc.yaml` (project root). Reads queries from `db/queries/*.sql`, reads schema from `db/migrations/`, outputs to `internal/db/`.
+Config: `sqlc.yaml` (project root). Reads queries from `db/queries/*.sql`, reads schema from `db/migrations/`, outputs to `pkg/db/`.
 
 To add a new query: add it to the appropriate `.sql` file in `db/queries/` → `make generate` → use the new method on `*db.Queries`.
 
@@ -201,7 +211,7 @@ To add a new query: add it to the appropriate `.sql` file in `db/queries/` → `
 - **TAP networking** (not vsock) for host-to-envd communication
 - **Device-mapper snapshots** for rootfs CoW — shared read-only loop device per base template, per-sandbox sparse CoW file, Firecracker gets `/dev/mapper/wrenn-{id}`
 - **PostgreSQL** via pgx/v5 + sqlc (type-safe query generation). Goose for migrations (plain SQL, up/down)
-- **Dashboard**: SvelteKit (Svelte 5, adapter-static) + Tailwind CSS v4 + Bits UI. Built to static files, embedded into the Go binary via `go:embed`, served as catch-all at root
+- **Dashboard**: SvelteKit (Svelte 5, adapter-static) + Tailwind CSS v4 + Bits UI. Built to static files in `frontend/build/`, served by Caddy (not embedded in the Go binary)
 - **Lago** for billing (external service, not in this codebase)
 
 ## Coding Conventions
@@ -233,7 +243,9 @@ The main module (`go.mod`) and envd (`envd/go.mod`) are fully independent. `make
 ## Design Context
 
 ### Users
-Developers across the full spectrum — solo engineers building side projects, startup teams integrating sandboxed execution into products, and platform/infra engineers at larger organizations. The interface must feel at home for all three: approachable enough not to intimidate a hacker, precise enough to earn the trust of a production ops team. Never condescend, never oversimplify. Trust the user to understand what they're looking at.
+Developers across the full spectrum — solo engineers building side projects, startup teams integrating sandboxed execution into products, and platform/infra engineers at larger organizations running production workloads on Firecracker microVMs. They arrive with context: they know what a process is, what a rootfs is, what a TTY means. The interface must feel at home for all three: approachable enough not to intimidate a hacker, precise enough to earn the trust of a production ops team. Never condescend, never oversimplify. Trust the user to understand what they're looking at.
+
+**Primary job to be done:** Understand what's running, act on it confidently, and get back to code.
 
 ### Brand Personality
 **Precise. Warm. Uncompromising.**
@@ -243,9 +255,9 @@ Wrenn is an engineer's favorite tool — built with visible care, not assembled
 Emotional goal: **in control.** Users leave a session with full confidence in what's running, what happened, and what comes next. Nothing is hidden, nothing is ambiguous.
 
 ### Aesthetic Direction
-**Dark-first, industrial-warm, data-forward.**
+**Dark-only (permanently), industrial-warm, data-forward.**
 
-The near-black-green background palette (`#0a0c0b` through `#2a302d`) reads as "black with intention" — not pitch black (cold) and not charcoal (dated). The sage green accent (`#5e8c58`) is muted and organic, a meaningful departure from the startup-green neon that saturates the developer tool space.
+No light mode planned. All design decisions should optimize for dark. The near-black-green background palette (`#0a0c0b` through `#2a302d`) reads as "black with intention" — not pitch black (cold) and not charcoal (dated). The sage green accent (`#5e8c58`) is muted and organic, a meaningful departure from the startup-green neon that saturates the developer tool space.
 
 **Anti-references:**
 - **Supabase**: avoid the friendly, approachable startup-green energy — too generic, too eager to please
@@ -259,30 +271,95 @@ The near-black-green background palette (`#0a0c0b` through `#2a302d`) reads as "
 ### Type System
 Four fonts with strict roles — this is the design system's strongest personality trait and must be respected:
 
-| Font | Role | When to use |
-|------|------|-------------|
-| **Manrope** (variable, sans) | UI workhorse | All body copy, nav, labels, buttons, form text |
-| **Instrument Serif** | Display / editorial | Page titles (h1), dialog headings, metric values, hero moments |
-| **JetBrains Mono** (variable) | Data / code | IDs, timestamps, key prefixes, file paths, terminal output, metrics |
-| **Alice** | Brand wordmark | "Wrenn" in sidebar and login only — nowhere else |
+| Font | CSS Class | Role | When to use |
+|------|-----------|------|-------------|
+| **Manrope** (variable, sans) | `font-sans` | UI workhorse | All body copy, nav, labels, buttons, form text |
+| **Instrument Serif** | `font-serif` | Display / editorial | Page titles (h1), dialog headings, metric values, hero moments |
+| **JetBrains Mono** (variable) | `font-mono` | Data / code | IDs, timestamps, key prefixes, file paths, terminal output, metrics |
+| **Alice** | brand wordmark only | Brand wordmark | "Wrenn" in sidebar and login only — nowhere else |
 
 Instrument Serif at scale creates the signature editorial moments. Mono provides the precision signal for technical data. Never swap these roles.
 
+**Tracking overrides (app.css):**
+- `.font-serif` — `letter-spacing: 0.015em` (positive tracking; Instrument Serif reads less condensed at display sizes)
+- `.font-mono` — `font-variant-numeric: tabular-nums` (numbers align in tables and metric displays)
+
+**Type scale (root: 87.5% = 14px base):**
+| Token | Value | Use |
+|---|---|---|
+| `--text-display` | 2.571rem (~36px) | Auth section headings |
+| `--text-page` | 2rem (~28px) | Page h1 titles |
+| `--text-heading` | 1.429rem (~20px) | Dialog headings, empty states |
+| `--text-body` | 1rem (~14px) | Primary body, buttons, inputs |
+| `--text-ui` | 0.929rem (~13px) | Nav labels, table cells |
+| `--text-meta` | 0.857rem (~12px) | Key prefixes, minor info |
+| `--text-label` | 0.786rem (~11px) | Uppercase section labels |
+| `--text-badge` | 0.714rem (~10px) | Live badges, tiny indicators |
+
 ### Color System
-```
-Backgrounds: bg-0 (#0a0c0b) through bg-5 (#2a302d) — 6 steps
-Text:        bright > primary > secondary > tertiary > muted — 5 levels
-Accent:      accent (#5e8c58) / accent-mid / accent-bright / glow / glow-mid
-Status:      amber (#d4a73c) / red (#cf8172) / blue (#5a9fd4)
-```
 
-Use accent sparingly. It should feel earned — reserved for live/active state indicators, primary CTAs, focus rings, and active nav. When accent appears, it should register.
+All values are CSS custom properties in `frontend/src/app.css`.
 
-### Upcoming Surfaces (design must accommodate)
-- **Terminal / shell output**: streaming exec output, TTY sessions. Needs strong mono treatment, high contrast for long sessions.
-- **File browser**: filesystem tree inside capsule. Density matters — breadcrumbs, file icons, permission bits.
-- **SDK / docs embedding**: code samples, quickstart flows inline in dashboard. Code blocks must feel premium, not afterthought.
-- **Billing / usage charts**: pool consumption, cost curves, usage over time. Instrument Serif at large scale for metrics; chart containers should feel like instruments, not dashboards.
+**Backgrounds (6-step near-black-green scale):**
+| Token | Value | Use |
+|---|---|---|
+| `--color-bg-0` | `#0a0c0b` | Page base, sidebar deepest layer |
+| `--color-bg-1` | `#0f1211` | Sidebar surface |
+| `--color-bg-2` | `#141817` | Card backgrounds |
+| `--color-bg-3` | `#1a1e1c` | Table headers, elevated surfaces |
+| `--color-bg-4` | `#212624` | Hover states, inputs |
+| `--color-bg-5` | `#2a302d` | Highlighted items, selected rows |
+
+**Text (5-level hierarchy):**
+| Token | Value | Use |
+|---|---|---|
+| `--color-text-bright` | `#eae7e2` | H1s, dialog headings |
+| `--color-text-primary` | `#d0cdc6` | Body copy, primary labels |
+| `--color-text-secondary` | `#9b9790` | Secondary labels, descriptions |
+| `--color-text-tertiary` | `#6b6862` | Hints, placeholders |
+| `--color-text-muted` | `#454340` | Dividers as text, ultra-subtle |
+
+**Accent (sage green — use sparingly, must feel earned):**
+| Token | Value | Use |
+|---|---|---|
+| `--color-accent` | `#5e8c58` | Primary CTA, live indicators, focus rings, active nav |
+| `--color-accent-mid` | `#89a785` | Hover accent text |
+| `--color-accent-bright` | `#a4c89f` | Accent on dark backgrounds |
+| `--color-accent-glow` | `rgba(94,140,88,0.07)` | Subtle tinted backgrounds |
+| `--color-accent-glow-mid` | `rgba(94,140,88,0.14)` | Hover tint on accent items |
+
+**Status semantics:**
+| Token | Value | Use |
+|---|---|---|
+| `--color-amber` | `#d4a73c` | Warning, paused state |
+| `--color-red` | `#cf8172` | Error, destructive actions |
+| `--color-blue` | `#5a9fd4` | Info, neutral system states |
+
+**Borders:** `--color-border` (`#1f2321`) default; `--color-border-mid` (`#2a2f2c`) for inputs/hover.
+
+### Component Patterns
+
+**Buttons:**
+- Primary: solid sage green (`--color-accent`), hover brightness boost + micro-lift (`-translate-y-px`)
+- Secondary: bordered (`--color-border-mid`), text transitions to accent on hover
+- Danger: red text + subtle red background on hover
+- All: `transition-all duration-150`
+
+**Inputs:**
+- Border `--color-border`, background `--color-bg-2`; focus transitions border and icon to accent
+- Group focus pattern: `group` wrapper + `group-focus-within:text-[var(--color-accent)]` on icon
+
+**Tables / data lists:**
+- Grid layout; header `bg-3` + uppercase `--text-label`; row hover `hover:bg-[var(--color-bg-3)]`
+- Status stripe: left border color matches sandbox state
+
+**Status indicators:** Running = animated ping + sage green dot; Paused = amber dot; Stopped = muted gray. Color is never the sole differentiator.
+
+**Modals & dialogs:** Border + shadow only — no accent gradient bars/strips. `fadeUp` 0.35s entrance.
+
+**Empty states:** Large icon with glow, Instrument Serif heading, secondary body text, CTA below, `iconFloat` 4s animation.
+
+**Animations (always respect `prefers-reduced-motion`):** `fadeUp` (entrance), `status-ping` (live indicator), `iconFloat` (empty states), `spin-once` (refresh), staggered `animation-delay` on lists.
 
 ### Design Principles
 
diff --git a/Makefile b/Makefile
index 2dbcc76..e80869c 100644
--- a/Makefile
+++ b/Makefile
@@ -4,6 +4,10 @@
 DATABASE_URL   ?= postgres://wrenn:wrenn@localhost:5432/wrenn?sslmode=disable
 GOBIN          := $(shell pwd)/builds
 ENVD_DIR       := envd
+COMMIT         := $(shell git rev-parse --short HEAD 2>/dev/null || echo "unknown")
+VERSION_CP     := $(shell cat VERSION_CP 2>/dev/null | tr -d '[:space:]' || echo "0.0.0-dev")
+VERSION_AGENT  := $(shell cat VERSION_AGENT 2>/dev/null | tr -d '[:space:]' || echo "0.0.0-dev")
+VERSION_ENVD   := $(shell cat envd/VERSION 2>/dev/null | tr -d '[:space:]' || echo "0.0.0-dev")
 LDFLAGS        := -s -w
 
 # ═══════════════════════════════════════════════════
@@ -17,14 +21,14 @@ build-frontend:
 	cd frontend && pnpm install --frozen-lockfile && pnpm build
 
 build-cp:
-	go build -v -ldflags="$(LDFLAGS)" -o $(GOBIN)/wrenn-cp ./cmd/control-plane
+	go build -v -ldflags="$(LDFLAGS) -X main.version=$(VERSION_CP) -X main.commit=$(COMMIT)" -o $(GOBIN)/wrenn-cp ./cmd/control-plane
 
 build-agent:
-	go build -v -ldflags="$(LDFLAGS)" -o $(GOBIN)/wrenn-agent ./cmd/host-agent
+	go build -v -ldflags="$(LDFLAGS) -X main.version=$(VERSION_AGENT) -X main.commit=$(COMMIT)" -o $(GOBIN)/wrenn-agent ./cmd/host-agent
 
 build-envd:
 	cd $(ENVD_DIR) && CGO_ENABLED=0 GOOS=linux GOARCH=amd64 \
-		go build -ldflags="$(LDFLAGS)" -o $(GOBIN)/envd .
+		go build -ldflags="$(LDFLAGS) -X main.Version=$(VERSION_ENVD) -X main.commitSHA=$(COMMIT)" -o $(GOBIN)/envd .
 	@file $(GOBIN)/envd | grep -q "statically linked" || \
 		(echo "ERROR: envd is not statically linked!" && exit 1)
 
diff --git a/README.md b/README.md
index c312494..765be5a 100644
--- a/README.md
+++ b/README.md
@@ -2,16 +2,16 @@
 
 Secure infrastructure for AI
 
-## Deployment
-
-### Prerequisites
+## Prerequisites
 
 - Linux host with `/dev/kvm` access (bare metal or nested virt)
 - Firecracker binary at `/usr/local/bin/firecracker`
 - PostgreSQL
 - Go 1.25+
+- pnpm (for frontend)
+- Docker (for dev infra and rootfs builds)
 
-### Build
+## Build
 
 ```bash
 make build    # outputs to builds/
@@ -19,30 +19,77 @@ make build    # outputs to builds/
 
 Produces three binaries: `wrenn-cp` (control plane), `wrenn-agent` (host agent), `envd` (guest agent).
 
-### Host setup
+## Host setup
 
-The host agent machine needs:
+The host agent needs a kernel, a minimal rootfs image, and working directories on the host machine.
 
-```bash
-# Kernel for guest VMs
-mkdir -p /var/lib/wrenn/kernels
-# Place a vmlinux kernel at /var/lib/wrenn/kernels/vmlinux
+### Directory structure
 
-# Rootfs images
-mkdir -p /var/lib/wrenn/images
-# Build or place .ext4 rootfs images (e.g., minimal.ext4)
-
-# Sandbox working directory
-mkdir -p /var/lib/wrenn/sandboxes
-
-# Snapshots directory
-mkdir -p /var/lib/wrenn/snapshots
-
-# Enable IP forwarding
-sysctl -w net.ipv4.ip_forward=1
+```
+/var/lib/wrenn/
+├── kernels/
+│   └── vmlinux              # uncompressed Linux kernel (not bzImage)
+├── images/
+│   └── minimal/
+│       └── rootfs.ext4      # base rootfs (all other templates snapshot from this)
+├── sandboxes/               # per-sandbox CoW files (created at runtime)
+└── snapshots/               # pause/hibernate snapshot files (created at runtime)
 ```
 
-### Configure
+Create the directories:
+
+```bash
+sudo mkdir -p /var/lib/wrenn/{kernels,images/minimal,sandboxes,snapshots}
+```
+
+### Kernel
+
+Place an uncompressed `vmlinux` kernel at `/var/lib/wrenn/kernels/vmlinux`. Versioned kernels (`vmlinux-{semver}`) are also supported — the agent picks the latest by semver.
+
+### Minimal rootfs
+
+The minimal rootfs is the base image that all other templates (Python, Node, etc.) are built on top of via device-mapper snapshots. It must contain:
+
+| Package | Why |
+|---------|-----|
+| `socat` | Bidirectional relay for port forwarding |
+| `chrony` | Time sync from KVM PTP clock (`/dev/ptp0`) |
+| `tini` | PID 1 zombie reaper (injected by build script, not apt) |
+| `sudo` | User privilege management inside the guest |
+| `wget` | HTTP fetching |
+| `curl` | HTTP client |
+| `ca-certificates` | TLS certificate verification |
+
+**To build a rootfs from a Docker container:**
+
+1. Create and configure a container with the required packages:
+   ```bash
+   docker run -it --name wrenn-minimal debian:bookworm bash
+   # Inside the container:
+   apt update && apt install -y socat chrony sudo wget curl ca-certificates
+   exit
+   ```
+
+2. Export to a rootfs image (builds envd, injects wrenn-init + tini, shrinks to minimum size):
+   ```bash
+   sudo bash scripts/rootfs-from-container.sh wrenn-minimal minimal
+   ```
+
+**To update an existing rootfs** after changing envd or `wrenn-init.sh`:
+
+```bash
+bash scripts/update-minimal-rootfs.sh
+```
+
+This rebuilds envd via `make build-envd` and copies the fresh binaries into the mounted rootfs image.
+
+### IP forwarding
+
+```bash
+sudo sysctl -w net.ipv4.ip_forward=1
+```
+
+## Configure
 
 Copy `.env.example` to `.env` and edit:
 
@@ -59,25 +106,21 @@ WRENN_HOST_LISTEN_ADDR=:50051
 WRENN_DIR=/var/lib/wrenn
 ```
 
-### Run
+## Development
 
 ```bash
-# Apply database migrations
-make migrate-up
-
-# Start control plane
-./builds/wrenn-cp
+make dev          # Start PostgreSQL (Docker), run migrations, start control plane
+make dev-agent    # Start host agent (separate terminal, sudo)
+make dev-frontend # Vite dev server with HMR (port 5173)
+make check        # fmt + vet + lint + test
 ```
 
-Control plane listens on `WRENN_CP_LISTEN_ADDR` (default `:8000`).
-
 ### Host registration
 
 Hosts must be registered with the control plane before they can serve sandboxes.
 
 1. **Create a host record** (via API or dashboard):
    ```bash
-   # As an admin (JWT auth)
    curl -X POST http://localhost:8000/v1/hosts \
      -H "Authorization: Bearer $JWT_TOKEN" \
      -H "Content-Type: application/json" \
@@ -87,17 +130,16 @@ Hosts must be registered with the control plane before they can serve sandboxes.
 
 2. **Start the host agent** with the registration token and its externally-reachable address:
    ```bash
-   sudo WRENN_CP_URL=http://cp-host:8000 \
+   sudo WRENN_CP_URL=http://localhost:8000 \
         ./builds/wrenn-agent \
         --register <token-from-step-1> \
-        --address 10.0.1.5:50051
+        --address <host-ip>:50051
    ```
    On first startup the agent sends its specs (arch, CPU, memory, disk) to the control plane, receives a long-lived host JWT, and saves it to `$WRENN_DIR/host-token`.
 
 3. **Subsequent startups** don't need `--register` — the agent loads the saved JWT automatically:
    ```bash
-   sudo WRENN_CP_URL=http://cp-host:8000 \
-        ./builds/wrenn-agent --address 10.0.1.5:50051
+   sudo ./builds/wrenn-agent --address <host-ip>:50051
    ```
 
 4. **If registration fails** (e.g., network error after token was consumed), regenerate a token:
@@ -107,23 +149,6 @@ Hosts must be registered with the control plane before they can serve sandboxes.
    ```
    Then restart the agent with the new token.
 
-The agent sends heartbeats to the control plane every 30 seconds. Host agent listens on `WRENN_HOST_LISTEN_ADDR` (default `:50051`).
-
-### Rootfs images
-
-envd must be baked into every rootfs image. After building:
-
-```bash
-make build-envd
-bash scripts/update-debug-rootfs.sh /var/lib/wrenn/images/minimal.ext4
-```
-
-## Development
-
-```bash
-make dev          # Start PostgreSQL (Docker), run migrations, start control plane
-make dev-agent    # Start host agent (separate terminal, sudo)
-make check        # fmt + vet + lint + test
-```
+The agent sends heartbeats to the control plane every 30 seconds.
 
 See `CLAUDE.md` for full architecture documentation.
diff --git a/VERSION_AGENT b/VERSION_AGENT
new file mode 100644
index 0000000..6e8bf73
--- /dev/null
+++ b/VERSION_AGENT
@@ -0,0 +1 @@
+0.1.0
diff --git a/VERSION_CP b/VERSION_CP
new file mode 100644
index 0000000..6e8bf73
--- /dev/null
+++ b/VERSION_CP
@@ -0,0 +1 @@
+0.1.0
diff --git a/cmd/control-plane/main.go b/cmd/control-plane/main.go
index d7ae18d..26c57be 100644
--- a/cmd/control-plane/main.go
+++ b/cmd/control-plane/main.go
@@ -1,191 +1,15 @@
 package main
 
-import (
-	"context"
-	"log/slog"
-	"net/http"
-	"os"
-	"os/signal"
-	"strings"
-	"syscall"
-	"time"
+import "git.omukk.dev/wrenn/wrenn/pkg/cpserver"
 
-	"github.com/jackc/pgx/v5/pgxpool"
-	"github.com/redis/go-redis/v9"
-
-	"git.omukk.dev/wrenn/wrenn/internal/api"
-	"git.omukk.dev/wrenn/wrenn/internal/audit"
-	"git.omukk.dev/wrenn/wrenn/internal/auth"
-	"git.omukk.dev/wrenn/wrenn/internal/auth/oauth"
-	"git.omukk.dev/wrenn/wrenn/internal/channels"
-	"git.omukk.dev/wrenn/wrenn/internal/config"
-	"git.omukk.dev/wrenn/wrenn/internal/db"
-	"git.omukk.dev/wrenn/wrenn/internal/lifecycle"
-	"git.omukk.dev/wrenn/wrenn/internal/scheduler"
+// Set via -ldflags at build time.
+var (
+	version = "dev"
+	commit  = "unknown"
 )
 
 func main() {
-	slog.SetDefault(slog.New(slog.NewTextHandler(os.Stderr, &slog.HandlerOptions{
-		Level: slog.LevelDebug,
-	})))
-
-	cfg := config.Load()
-
-	if len(cfg.JWTSecret) < 32 {
-		slog.Error("JWT_SECRET must be at least 32 characters")
-		os.Exit(1)
-	}
-
-	ctx, cancel := context.WithCancel(context.Background())
-	defer cancel()
-
-	// Database connection pool.
-	pool, err := pgxpool.New(ctx, cfg.DatabaseURL)
-	if err != nil {
-		slog.Error("failed to connect to database", "error", err)
-		os.Exit(1)
-	}
-	defer pool.Close()
-
-	if err := pool.Ping(ctx); err != nil {
-		slog.Error("failed to ping database", "error", err)
-		os.Exit(1)
-	}
-	slog.Info("connected to database")
-
-	queries := db.New(pool)
-
-	// Redis client.
-	redisOpts, err := redis.ParseURL(cfg.RedisURL)
-	if err != nil {
-		slog.Error("failed to parse REDIS_URL", "error", err)
-		os.Exit(1)
-	}
-	rdb := redis.NewClient(redisOpts)
-	defer rdb.Close()
-
-	if err := rdb.Ping(ctx).Err(); err != nil {
-		slog.Error("failed to ping redis", "error", err)
-		os.Exit(1)
-	}
-	slog.Info("connected to redis")
-
-	// mTLS is mandatory — parse internal CA for CP↔agent communication.
-	if cfg.CACert == "" || cfg.CAKey == "" {
-		slog.Error("WRENN_CA_CERT and WRENN_CA_KEY are required — mTLS is mandatory for CP↔agent communication")
-		os.Exit(1)
-	}
-	ca, err := auth.ParseCA(cfg.CACert, cfg.CAKey)
-	if err != nil {
-		slog.Error("failed to parse mTLS CA from environment", "error", err)
-		os.Exit(1)
-	}
-	slog.Info("mTLS enabled: CA loaded")
-
-	// Host client pool — manages Connect RPC clients to host agents.
-	cpCertStore, err := auth.NewCPCertStore(ca)
-	if err != nil {
-		slog.Error("failed to issue CP client certificate", "error", err)
-		os.Exit(1)
-	}
-	// Renew the CP client certificate periodically so it never expires
-	// while the control plane is running (TTL = 24h, renewal = every 12h).
-	go func() {
-		ticker := time.NewTicker(auth.CPCertRenewInterval)
-		defer ticker.Stop()
-		for {
-			select {
-			case <-ctx.Done():
-				return
-			case <-ticker.C:
-				if err := cpCertStore.Refresh(); err != nil {
-					slog.Error("failed to renew CP client certificate", "error", err)
-				} else {
-					slog.Info("CP client certificate renewed")
-				}
-			}
-		}
-	}()
-	hostPool := lifecycle.NewHostClientPoolTLS(auth.CPClientTLSConfig(ca, cpCertStore))
-	slog.Info("host client pool: mTLS enabled")
-
-	// Scheduler — picks a host for each new sandbox (round-robin for now).
-	hostScheduler := scheduler.NewRoundRobinScheduler(queries)
-
-	// OAuth provider registry.
-	oauthRegistry := oauth.NewRegistry()
-	if cfg.OAuthGitHubClientID != "" && cfg.OAuthGitHubClientSecret != "" {
-		if cfg.CPPublicURL == "" {
-			slog.Error("CP_PUBLIC_URL must be set when OAuth providers are configured")
-			os.Exit(1)
-		}
-		callbackURL := strings.TrimRight(cfg.CPPublicURL, "/") + "/auth/oauth/github/callback"
-		ghProvider := oauth.NewGitHubProvider(cfg.OAuthGitHubClientID, cfg.OAuthGitHubClientSecret, callbackURL)
-		oauthRegistry.Register(ghProvider)
-		slog.Info("registered OAuth provider", "provider", "github")
-	}
-
-	// Channels: publisher, service, dispatcher.
-	if len(cfg.EncryptionKeyHex) != 64 {
-		slog.Error("WRENN_ENCRYPTION_KEY must be a hex-encoded 32-byte key (64 hex chars)")
-		os.Exit(1)
-	}
-	channelPub := channels.NewPublisher(rdb)
-	channelSvc := &channels.Service{DB: queries, EncKey: cfg.EncryptionKey}
-	channelDispatcher := channels.NewDispatcher(rdb, queries, cfg.EncryptionKey)
-
-	// Shared audit logger with event publishing.
-	al := audit.NewWithPublisher(queries, channelPub)
-
-	// API server.
-	srv := api.New(queries, hostPool, hostScheduler, pool, rdb, []byte(cfg.JWTSecret), oauthRegistry, cfg.OAuthRedirectURL, ca, al, channelSvc)
-
-	// Start template build workers (2 concurrent).
-	stopBuildWorkers := srv.BuildSvc.StartWorkers(ctx, 2)
-	defer stopBuildWorkers()
-
-	// Start channel event dispatcher.
-	channelDispatcher.Start(ctx)
-
-	// Start host monitor (passive + active reconciliation every 30s).
-	monitor := api.NewHostMonitor(queries, hostPool, al, 30*time.Second)
-	monitor.Start(ctx)
-
-	// Start metrics sampler (records per-team sandbox stats every 10s).
-	sampler := api.NewMetricsSampler(queries, 10*time.Second)
-	sampler.Start(ctx)
-
-	// Wrap the API handler with the sandbox proxy so that requests with
-	// {port}-{sandbox_id}.{domain} Host headers are routed to the sandbox's
-	// host agent. All other requests pass through to the normal API router.
-	proxyWrapper := api.NewSandboxProxyWrapper(srv.Handler(), queries, hostPool)
-
-	httpServer := &http.Server{
-		Addr:    cfg.ListenAddr,
-		Handler: proxyWrapper,
-	}
-
-	// Graceful shutdown on signal.
-	sigCh := make(chan os.Signal, 1)
-	signal.Notify(sigCh, syscall.SIGINT, syscall.SIGTERM)
-	go func() {
-		sig := <-sigCh
-		slog.Info("received signal, shutting down", "signal", sig)
-		cancel()
-
-		shutdownCtx, shutdownCancel := context.WithTimeout(context.Background(), 30*time.Second)
-		defer shutdownCancel()
-
-		if err := httpServer.Shutdown(shutdownCtx); err != nil {
-			slog.Error("http server shutdown error", "error", err)
-		}
-	}()
-
-	slog.Info("control plane starting", "addr", cfg.ListenAddr)
-	if err := httpServer.ListenAndServe(); err != nil && err != http.ErrServerClosed {
-		slog.Error("http server error", "error", err)
-		os.Exit(1)
-	}
-
-	slog.Info("control plane stopped")
+	cpserver.Run(
+		cpserver.WithVersion(version, commit),
+	)
 }
diff --git a/cmd/host-agent/main.go b/cmd/host-agent/main.go
index 4e5d8ed..5896c2c 100644
--- a/cmd/host-agent/main.go
+++ b/cmd/host-agent/main.go
@@ -1,28 +1,40 @@
 package main
 
 import (
+	"bufio"
 	"context"
 	"crypto/tls"
 	"flag"
+	"fmt"
 	"log/slog"
 	"net/http"
 	"os"
 	"os/signal"
 	"path/filepath"
+	"strconv"
+	"strings"
 	"sync"
 	"syscall"
 	"time"
 
 	"github.com/joho/godotenv"
 
-	"git.omukk.dev/wrenn/wrenn/internal/auth"
 	"git.omukk.dev/wrenn/wrenn/internal/devicemapper"
 	"git.omukk.dev/wrenn/wrenn/internal/hostagent"
+	"git.omukk.dev/wrenn/wrenn/internal/layout"
 	"git.omukk.dev/wrenn/wrenn/internal/network"
 	"git.omukk.dev/wrenn/wrenn/internal/sandbox"
+	"git.omukk.dev/wrenn/wrenn/pkg/auth"
+	"git.omukk.dev/wrenn/wrenn/pkg/logging"
 	"git.omukk.dev/wrenn/wrenn/proto/hostagent/gen/hostagentv1connect"
 )
 
+// Set via -ldflags at build time.
+var (
+	version = "dev"
+	commit  = "unknown"
+)
+
 func main() {
 	// Best-effort load — missing .env file is fine.
 	_ = godotenv.Load()
@@ -31,18 +43,24 @@ func main() {
 	advertiseAddr := flag.String("address", "", "Externally-reachable address (ip:port) for this host agent")
 	flag.Parse()
 
-	slog.SetDefault(slog.New(slog.NewTextHandler(os.Stderr, &slog.HandlerOptions{
-		Level: slog.LevelDebug,
-	})))
+	rootDir := envOrDefault("WRENN_DIR", "/var/lib/wrenn")
+	cleanupLog := logging.Setup(filepath.Join(rootDir, "logs"), "host-agent")
+	defer cleanupLog()
 
-	if os.Geteuid() != 0 {
-		slog.Error("host agent must run as root")
+	if err := checkPrivileges(); err != nil {
+		slog.Error("insufficient privileges", "error", err)
 		os.Exit(1)
 	}
 
-	// Enable IP forwarding (required for NAT).
+	// Enable IP forwarding (required for NAT). The write may fail if running
+	// as non-root without DAC_OVERRIDE on this path — that's OK if the systemd
+	// unit's ExecStartPre already set it. We verify the value regardless.
 	if err := os.WriteFile("/proc/sys/net/ipv4/ip_forward", []byte("1"), 0644); err != nil {
-		slog.Warn("failed to enable ip_forward", "error", err)
+		slog.Warn("failed to enable ip_forward (may have been set by systemd unit)", "error", err)
+	}
+	if b, err := os.ReadFile("/proc/sys/net/ipv4/ip_forward"); err != nil || strings.TrimSpace(string(b)) != "1" {
+		slog.Error("ip_forward is not enabled — sandbox networking will be broken", "error", err)
+		os.Exit(1)
 	}
 
 	// Clean up stale resources from a previous crash.
@@ -50,7 +68,6 @@ func main() {
 	network.CleanupStaleNamespaces()
 
 	listenAddr := envOrDefault("WRENN_HOST_LISTEN_ADDR", ":50051")
-	rootDir := envOrDefault("WRENN_DIR", "/var/lib/wrenn")
 	cpURL := os.Getenv("WRENN_CP_URL")
 	credsFile := filepath.Join(rootDir, "host-credentials.json")
 
@@ -63,15 +80,50 @@ func main() {
 		os.Exit(1)
 	}
 
-	// Expand base images to the standard disk size (sparse, no extra physical
+	// Parse default rootfs size from env (e.g. "5G", "2Gi", "1000M").
+	defaultRootfsSizeMB := sandbox.DefaultDiskSizeMB
+	if sizeStr := os.Getenv("WRENN_DEFAULT_ROOTFS_SIZE"); sizeStr != "" {
+		parsed, err := sandbox.ParseSizeToMB(sizeStr)
+		if err != nil {
+			slog.Error("invalid WRENN_DEFAULT_ROOTFS_SIZE", "value", sizeStr, "error", err)
+			os.Exit(1)
+		}
+		defaultRootfsSizeMB = parsed
+		slog.Info("using custom rootfs size", "size_mb", defaultRootfsSizeMB)
+	}
+
+	// Expand base images to the configured disk size (sparse, no extra physical
 	// disk). This ensures dm-snapshot sandboxes see the full size from boot.
-	if err := sandbox.EnsureImageSizes(rootDir, sandbox.DefaultDiskSizeMB); err != nil {
+	if err := sandbox.EnsureImageSizes(rootDir, defaultRootfsSizeMB); err != nil {
 		slog.Error("failed to expand base images", "error", err)
 		os.Exit(1)
 	}
 
+	// Resolve latest kernel version.
+	kernelPath, kernelVersion, err := layout.LatestKernel(rootDir)
+	if err != nil {
+		slog.Error("failed to find kernel", "error", err)
+		os.Exit(1)
+	}
+	slog.Info("resolved kernel", "version", kernelVersion, "path", kernelPath)
+
+	// Detect firecracker version.
+	fcBin := envOrDefault("WRENN_FIRECRACKER_BIN", "/usr/local/bin/firecracker")
+	fcVersion, err := sandbox.DetectFirecrackerVersion(fcBin)
+	if err != nil {
+		slog.Error("failed to detect firecracker version", "error", err)
+		os.Exit(1)
+	}
+	slog.Info("resolved firecracker", "version", fcVersion, "path", fcBin)
+
 	cfg := sandbox.Config{
-		WrennDir: rootDir,
+		WrennDir:            rootDir,
+		DefaultRootfsSizeMB: defaultRootfsSizeMB,
+		KernelPath:          kernelPath,
+		KernelVersion:       kernelVersion,
+		FirecrackerBin:      fcBin,
+		FirecrackerVersion:  fcVersion,
+		AgentVersion:        version,
 	}
 
 	mgr := sandbox.New(cfg)
@@ -128,6 +180,7 @@ func main() {
 			shutdownCtx, shutdownCancel := context.WithTimeout(context.Background(), 30*time.Second)
 			defer shutdownCancel()
 			mgr.Shutdown(shutdownCtx)
+			sandbox.ShrinkMinimalImage(rootDir)
 			if err := httpServer.Shutdown(shutdownCtx); err != nil {
 				slog.Error("http server shutdown error", "error", err)
 			}
@@ -180,7 +233,7 @@ func main() {
 		doShutdown("signal: " + sig.String())
 	}()
 
-	slog.Info("host agent starting", "addr", listenAddr, "host_id", creds.HostID)
+	slog.Info("host agent starting", "addr", listenAddr, "host_id", creds.HostID, "version", version, "commit", commit)
 	// TLSConfig is always set (mTLS is mandatory). Create the TLS listener
 	// manually because ListenAndServeTLS requires on-disk cert/key paths
 	// but we use GetCertificate callback for hot-swap support.
@@ -203,3 +256,63 @@ func envOrDefault(key, def string) string {
 	}
 	return def
 }
+
+// checkPrivileges verifies the process has the required Linux capabilities.
+// Always reads CapEff — even for root — because a root process inside a
+// restricted container (e.g. docker --cap-drop=all) may not have all caps.
+func checkPrivileges() error {
+	capEff, err := readEffectiveCaps()
+	if err != nil {
+		return fmt.Errorf("read capabilities: %w", err)
+	}
+
+	// All capabilities required by the host agent at runtime.
+	required := []struct {
+		bit  uint
+		name string
+	}{
+		{1, "CAP_DAC_OVERRIDE"}, // /dev/loop*, /dev/mapper/*, /dev/net/tun
+		{5, "CAP_KILL"},         // SIGTERM/SIGKILL to Firecracker processes
+		{12, "CAP_NET_ADMIN"},   // netlink, iptables, routing, TAP/veth
+		{13, "CAP_NET_RAW"},     // raw sockets (iptables)
+		{19, "CAP_SYS_PTRACE"},  // reading /proc/self/ns/net (netns.Get)
+		{21, "CAP_SYS_ADMIN"},   // netns, mount ns, losetup, dmsetup
+		{27, "CAP_MKNOD"},       // device-mapper node creation
+	}
+
+	var missing []string
+	for _, cap := range required {
+		if capEff&(1<<cap.bit) == 0 {
+			missing = append(missing, cap.name)
+		}
+	}
+
+	if len(missing) > 0 {
+		return fmt.Errorf("missing capabilities: %s — run as root or apply setcap to the binary",
+			strings.Join(missing, ", "))
+	}
+
+	return nil
+}
+
+// readEffectiveCaps parses the CapEff bitmask from /proc/self/status.
+func readEffectiveCaps() (uint64, error) {
+	f, err := os.Open("/proc/self/status")
+	if err != nil {
+		return 0, err
+	}
+	defer f.Close()
+
+	scanner := bufio.NewScanner(f)
+	for scanner.Scan() {
+		line := scanner.Text()
+		if hexStr, ok := strings.CutPrefix(line, "CapEff:"); ok {
+			return strconv.ParseUint(strings.TrimSpace(hexStr), 16, 64)
+		}
+	}
+
+	if err := scanner.Err(); err != nil {
+		return 0, fmt.Errorf("read /proc/self/status: %w", err)
+	}
+	return 0, fmt.Errorf("CapEff not found in /proc/self/status")
+}
diff --git a/db/migrations/20260310094104_initial.sql b/db/migrations/20260310094104_initial.sql
index 6c8afc4..22544a5 100644
--- a/db/migrations/20260310094104_initial.sql
+++ b/db/migrations/20260310094104_initial.sql
@@ -171,7 +171,7 @@ CREATE TABLE audit_logs (
     metadata      JSONB NOT NULL DEFAULT '{}',
     created_at    TIMESTAMPTZ NOT NULL DEFAULT NOW()
 );
-CREATE INDEX idx_audit_logs_team_time ON audit_logs(team_id, created_at DESC);
+CREATE INDEX idx_audit_logs_team_time ON audit_logs(team_id, created_at DESC, id DESC);
 CREATE INDEX idx_audit_logs_team_resource ON audit_logs(team_id, resource_type, created_at DESC);
 
 -- sandbox_metrics_snapshots
diff --git a/db/migrations/20260411182550_template_defaults.sql b/db/migrations/20260411182550_template_defaults.sql
new file mode 100644
index 0000000..3378453
--- /dev/null
+++ b/db/migrations/20260411182550_template_defaults.sql
@@ -0,0 +1,17 @@
+-- +goose Up
+ALTER TABLE templates
+    ADD COLUMN default_user TEXT NOT NULL DEFAULT 'root',
+    ADD COLUMN default_env  JSONB NOT NULL DEFAULT '{}';
+
+ALTER TABLE template_builds
+    ADD COLUMN default_user TEXT NOT NULL DEFAULT 'root',
+    ADD COLUMN default_env  JSONB NOT NULL DEFAULT '{}';
+
+-- +goose Down
+ALTER TABLE template_builds
+    DROP COLUMN default_env,
+    DROP COLUMN default_user;
+
+ALTER TABLE templates
+    DROP COLUMN default_env,
+    DROP COLUMN default_user;
diff --git a/db/migrations/20260412213141_seed_platform_team.sql b/db/migrations/20260412213141_seed_platform_team.sql
new file mode 100644
index 0000000..751a0cc
--- /dev/null
+++ b/db/migrations/20260412213141_seed_platform_team.sql
@@ -0,0 +1,12 @@
+-- +goose Up
+
+-- Seed the platform team row. This is the sentinel team (all-zeros UUID) that
+-- owns platform-wide resources: global templates, admin-created capsules, etc.
+-- No user can become a member of this team — it exists solely to satisfy
+-- foreign key constraints and to act as a namespace for platform resources.
+INSERT INTO teams (id, name, slug)
+VALUES ('00000000-0000-0000-0000-000000000000', 'Platform', 'platform')
+ON CONFLICT (id) DO NOTHING;
+
+-- +goose Down
+DELETE FROM teams WHERE id = '00000000-0000-0000-0000-000000000000';
diff --git a/db/migrations/20260414213729_add_user_active_deleted.sql b/db/migrations/20260414213729_add_user_active_deleted.sql
new file mode 100644
index 0000000..b54b588
--- /dev/null
+++ b/db/migrations/20260414213729_add_user_active_deleted.sql
@@ -0,0 +1,7 @@
+-- +goose Up
+ALTER TABLE users ADD COLUMN is_active BOOLEAN NOT NULL DEFAULT TRUE;
+ALTER TABLE users ADD COLUMN deleted_at TIMESTAMPTZ;
+
+-- +goose Down
+ALTER TABLE users DROP COLUMN deleted_at;
+ALTER TABLE users DROP COLUMN is_active;
diff --git a/db/migrations/20260415134310_add_metadata.sql b/db/migrations/20260415134310_add_metadata.sql
new file mode 100644
index 0000000..ada4e35
--- /dev/null
+++ b/db/migrations/20260415134310_add_metadata.sql
@@ -0,0 +1,9 @@
+-- +goose Up
+ALTER TABLE sandboxes ADD COLUMN metadata JSONB NOT NULL DEFAULT '{}';
+ALTER TABLE templates ADD COLUMN metadata JSONB NOT NULL DEFAULT '{}';
+ALTER TABLE template_builds ADD COLUMN metadata JSONB NOT NULL DEFAULT '{}';
+
+-- +goose Down
+ALTER TABLE sandboxes DROP COLUMN metadata;
+ALTER TABLE templates DROP COLUMN metadata;
+ALTER TABLE template_builds DROP COLUMN metadata;
diff --git a/db/migrations/20260415215033_replace_is_active_with_status.sql b/db/migrations/20260415215033_replace_is_active_with_status.sql
new file mode 100644
index 0000000..2ea091a
--- /dev/null
+++ b/db/migrations/20260415215033_replace_is_active_with_status.sql
@@ -0,0 +1,15 @@
+-- +goose Up
+ALTER TABLE users ADD COLUMN status TEXT NOT NULL DEFAULT 'active';
+
+-- Backfill from existing columns.
+UPDATE users SET status = 'deleted'  WHERE deleted_at IS NOT NULL;
+UPDATE users SET status = 'disabled' WHERE is_active = false AND deleted_at IS NULL;
+
+ALTER TABLE users DROP COLUMN is_active;
+
+-- +goose Down
+ALTER TABLE users ADD COLUMN is_active BOOLEAN NOT NULL DEFAULT TRUE;
+
+UPDATE users SET is_active = false WHERE status IN ('inactive', 'disabled', 'deleted');
+
+ALTER TABLE users DROP COLUMN status;
diff --git a/db/migrations/20260415221116_cascade_user_delete.sql b/db/migrations/20260415221116_cascade_user_delete.sql
new file mode 100644
index 0000000..ac01674
--- /dev/null
+++ b/db/migrations/20260415221116_cascade_user_delete.sql
@@ -0,0 +1,72 @@
+-- +goose Up
+
+-- users_teams: remove membership when user is deleted
+ALTER TABLE users_teams DROP CONSTRAINT users_teams_user_id_fkey;
+ALTER TABLE users_teams ADD CONSTRAINT users_teams_user_id_fkey
+    FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE;
+
+-- oauth_providers: remove auth links when user is deleted
+ALTER TABLE oauth_providers DROP CONSTRAINT oauth_providers_user_id_fkey;
+ALTER TABLE oauth_providers ADD CONSTRAINT oauth_providers_user_id_fkey
+    FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE;
+
+-- admin_permissions: remove permissions when user is deleted
+ALTER TABLE admin_permissions DROP CONSTRAINT admin_permissions_user_id_fkey;
+ALTER TABLE admin_permissions ADD CONSTRAINT admin_permissions_user_id_fkey
+    FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE;
+
+-- team_api_keys.created_by: make nullable, SET NULL on user delete
+ALTER TABLE team_api_keys ALTER COLUMN created_by DROP NOT NULL;
+ALTER TABLE team_api_keys DROP CONSTRAINT team_api_keys_created_by_fkey;
+ALTER TABLE team_api_keys ADD CONSTRAINT team_api_keys_created_by_fkey
+    FOREIGN KEY (created_by) REFERENCES users(id) ON DELETE SET NULL;
+
+-- hosts.created_by: make nullable, SET NULL on user delete
+ALTER TABLE hosts ALTER COLUMN created_by DROP NOT NULL;
+ALTER TABLE hosts DROP CONSTRAINT hosts_created_by_fkey;
+ALTER TABLE hosts ADD CONSTRAINT hosts_created_by_fkey
+    FOREIGN KEY (created_by) REFERENCES users(id) ON DELETE SET NULL;
+
+-- host_tokens.created_by: make nullable, SET NULL on user delete
+ALTER TABLE host_tokens ALTER COLUMN created_by DROP NOT NULL;
+ALTER TABLE host_tokens DROP CONSTRAINT host_tokens_created_by_fkey;
+ALTER TABLE host_tokens ADD CONSTRAINT host_tokens_created_by_fkey
+    FOREIGN KEY (created_by) REFERENCES users(id) ON DELETE SET NULL;
+
+-- +goose Down
+
+-- Revert host_tokens.created_by
+ALTER TABLE host_tokens DROP CONSTRAINT host_tokens_created_by_fkey;
+UPDATE host_tokens SET created_by = '00000000-0000-0000-0000-000000000000' WHERE created_by IS NULL;
+ALTER TABLE host_tokens ALTER COLUMN created_by SET NOT NULL;
+ALTER TABLE host_tokens ADD CONSTRAINT host_tokens_created_by_fkey
+    FOREIGN KEY (created_by) REFERENCES users(id);
+
+-- Revert hosts.created_by
+ALTER TABLE hosts DROP CONSTRAINT hosts_created_by_fkey;
+UPDATE hosts SET created_by = '00000000-0000-0000-0000-000000000000' WHERE created_by IS NULL;
+ALTER TABLE hosts ALTER COLUMN created_by SET NOT NULL;
+ALTER TABLE hosts ADD CONSTRAINT hosts_created_by_fkey
+    FOREIGN KEY (created_by) REFERENCES users(id);
+
+-- Revert team_api_keys.created_by
+ALTER TABLE team_api_keys DROP CONSTRAINT team_api_keys_created_by_fkey;
+UPDATE team_api_keys SET created_by = '00000000-0000-0000-0000-000000000000' WHERE created_by IS NULL;
+ALTER TABLE team_api_keys ALTER COLUMN created_by SET NOT NULL;
+ALTER TABLE team_api_keys ADD CONSTRAINT team_api_keys_created_by_fkey
+    FOREIGN KEY (created_by) REFERENCES users(id);
+
+-- Revert admin_permissions
+ALTER TABLE admin_permissions DROP CONSTRAINT admin_permissions_user_id_fkey;
+ALTER TABLE admin_permissions ADD CONSTRAINT admin_permissions_user_id_fkey
+    FOREIGN KEY (user_id) REFERENCES users(id);
+
+-- Revert oauth_providers
+ALTER TABLE oauth_providers DROP CONSTRAINT oauth_providers_user_id_fkey;
+ALTER TABLE oauth_providers ADD CONSTRAINT oauth_providers_user_id_fkey
+    FOREIGN KEY (user_id) REFERENCES users(id);
+
+-- Revert users_teams
+ALTER TABLE users_teams DROP CONSTRAINT users_teams_user_id_fkey;
+ALTER TABLE users_teams ADD CONSTRAINT users_teams_user_id_fkey
+    FOREIGN KEY (user_id) REFERENCES users(id);
diff --git a/db/migrations/embed.go b/db/migrations/embed.go
new file mode 100644
index 0000000..d5bbfcb
--- /dev/null
+++ b/db/migrations/embed.go
@@ -0,0 +1,10 @@
+// Package migrations embeds the SQL migration files so that external modules
+// (such as the enterprise edition) can access them programmatically.
+package migrations
+
+import "embed"
+
+// FS contains all SQL migration files.
+//
+//go:embed *.sql
+var FS embed.FS
diff --git a/db/queries/api_keys.sql b/db/queries/api_keys.sql
index 7ea9645..f57bf5b 100644
--- a/db/queries/api_keys.sql
+++ b/db/queries/api_keys.sql
@@ -13,7 +13,7 @@ SELECT * FROM team_api_keys WHERE team_id = $1 ORDER BY created_at DESC;
 SELECT k.id, k.team_id, k.name, k.key_hash, k.key_prefix, k.created_by, k.created_at, k.last_used,
        u.email AS creator_email
 FROM team_api_keys k
-JOIN users u ON u.id = k.created_by
+LEFT JOIN users u ON u.id = k.created_by
 WHERE k.team_id = $1
 ORDER BY k.created_at DESC;
 
@@ -22,3 +22,9 @@ DELETE FROM team_api_keys WHERE id = $1 AND team_id = $2;
 
 -- name: UpdateAPIKeyLastUsed :exec
 UPDATE team_api_keys SET last_used = NOW() WHERE id = $1;
+
+-- name: DeleteAPIKeysByTeam :exec
+DELETE FROM team_api_keys WHERE team_id = $1;
+
+-- name: DeleteAPIKeysByCreator :exec
+DELETE FROM team_api_keys WHERE created_by = $1;
diff --git a/db/queries/channels.sql b/db/queries/channels.sql
index 5772c99..6df0449 100644
--- a/db/queries/channels.sql
+++ b/db/queries/channels.sql
@@ -22,6 +22,9 @@ RETURNING *;
 -- name: DeleteChannelByTeam :exec
 DELETE FROM channels WHERE id = $1 AND team_id = $2;
 
+-- name: DeleteAllChannelsByTeam :exec
+DELETE FROM channels WHERE team_id = $1;
+
 -- name: ListChannelsForEvent :many
 SELECT * FROM channels
 WHERE team_id = $1
diff --git a/db/queries/hosts.sql b/db/queries/hosts.sql
index 0a5a150..3e133cb 100644
--- a/db/queries/hosts.sql
+++ b/db/queries/hosts.sql
@@ -81,6 +81,41 @@ SELECT * FROM hosts WHERE id = $1 AND team_id = $2;
 -- Returns all hosts that have completed registration (not pending/offline).
 SELECT * FROM hosts WHERE status NOT IN ('pending', 'offline') ORDER BY created_at;
 
+-- name: GetHostsWithLoad :many
+-- Returns all online hosts with raw per-host sandbox resource consumption.
+-- Separates running and paused sandbox totals so the caller can apply its own formulas.
+SELECT
+    h.id,
+    h.type,
+    h.team_id,
+    h.provider,
+    h.availability_zone,
+    h.arch,
+    h.cpu_cores,
+    h.memory_mb,
+    h.disk_gb,
+    h.address,
+    h.status,
+    h.last_heartbeat_at,
+    h.metadata,
+    h.created_by,
+    h.created_at,
+    h.updated_at,
+    h.cert_fingerprint,
+    h.cert_expires_at,
+    COALESCE(SUM(s.vcpus)       FILTER (WHERE s.status IN ('running', 'starting', 'pending')), 0)::int AS running_vcpus,
+    COALESCE(SUM(s.memory_mb)   FILTER (WHERE s.status IN ('running', 'starting', 'pending')), 0)::int AS running_memory_mb,
+    COALESCE(SUM(s.disk_size_mb) FILTER (WHERE s.status IN ('running', 'starting', 'pending')), 0)::int AS running_disk_mb,
+    COALESCE(SUM(s.memory_mb)   FILTER (WHERE s.status = 'paused'), 0)::int AS paused_memory_mb,
+    COALESCE(SUM(s.disk_size_mb) FILTER (WHERE s.status = 'paused'), 0)::int AS paused_disk_mb
+FROM hosts h
+LEFT JOIN sandboxes s ON s.host_id = h.id
+    AND s.status IN ('running', 'paused', 'starting', 'pending')
+WHERE h.status = 'online'
+  AND h.address != ''
+GROUP BY h.id
+ORDER BY h.created_at;
+
 -- name: UpdateHostHeartbeatAndStatus :execrows
 -- Updates last_heartbeat_at and transitions unreachable hosts back to online.
 -- Returns 0 if no host was found (deleted), which the caller treats as 404.
diff --git a/db/queries/metrics.sql b/db/queries/metrics.sql
index f58d480..6c612c6 100644
--- a/db/queries/metrics.sql
+++ b/db/queries/metrics.sql
@@ -51,6 +51,13 @@ WHERE sandbox_id = $1 AND tier = $2;
 DELETE FROM sandbox_metric_points
 WHERE ts < EXTRACT(EPOCH FROM NOW() - INTERVAL '30 days')::BIGINT;
 
+-- name: DeleteMetricsSnapshotsByTeam :exec
+DELETE FROM sandbox_metrics_snapshots WHERE team_id = $1;
+
+-- name: DeleteMetricPointsByTeam :exec
+DELETE FROM sandbox_metric_points
+WHERE sandbox_id IN (SELECT id FROM sandboxes WHERE team_id = $1);
+
 -- name: SampleSandboxMetrics :many
 -- Aggregates per-team resource usage from the live sandboxes table.
 -- Groups by all teams that have any sandbox row (including stopped) so that
diff --git a/db/queries/oauth.sql b/db/queries/oauth.sql
index 31b1ff8..9dc7929 100644
--- a/db/queries/oauth.sql
+++ b/db/queries/oauth.sql
@@ -5,3 +5,9 @@ VALUES ($1, $2, $3, $4);
 -- name: GetOAuthProvider :one
 SELECT * FROM oauth_providers
 WHERE provider = $1 AND provider_id = $2;
+
+-- name: GetOAuthProvidersByUserID :many
+SELECT * FROM oauth_providers WHERE user_id = $1;
+
+-- name: DeleteOAuthProvider :exec
+DELETE FROM oauth_providers WHERE user_id = $1 AND provider = $2;
diff --git a/db/queries/sandboxes.sql b/db/queries/sandboxes.sql
index 2b19574..2bf5db7 100644
--- a/db/queries/sandboxes.sql
+++ b/db/queries/sandboxes.sql
@@ -1,6 +1,6 @@
 -- name: InsertSandbox :one
-INSERT INTO sandboxes (id, team_id, host_id, template, status, vcpus, memory_mb, timeout_sec, disk_size_mb, template_id, template_team_id)
-VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11)
+INSERT INTO sandboxes (id, team_id, host_id, template, status, vcpus, memory_mb, timeout_sec, disk_size_mb, template_id, template_team_id, metadata)
+VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12)
 RETURNING *;
 
 -- name: GetSandbox :one
@@ -15,7 +15,7 @@ SELECT * FROM sandboxes WHERE id = $1 AND team_id = $2;
 SELECT s.status, h.address AS host_address
 FROM sandboxes s
 JOIN hosts h ON h.id = s.host_id
-WHERE s.id = $1 AND s.team_id = $2;
+WHERE s.id = $1;
 
 -- name: ListSandboxes :many
 SELECT * FROM sandboxes ORDER BY created_at DESC;
@@ -62,7 +62,7 @@ WHERE id = ANY($1::uuid[]);
 
 -- name: ListActiveSandboxesByTeam :many
 SELECT * FROM sandboxes
-WHERE team_id = $1 AND status IN ('running', 'paused', 'starting')
+WHERE team_id = $1 AND status IN ('running', 'paused', 'starting', 'hibernated')
 ORDER BY created_at DESC;
 
 -- name: MarkSandboxesMissingByHost :exec
@@ -74,6 +74,12 @@ SET status       = 'missing',
     last_updated = NOW()
 WHERE host_id = $1 AND status IN ('running', 'starting', 'pending');
 
+-- name: UpdateSandboxMetadata :exec
+UPDATE sandboxes
+SET metadata = $2,
+    last_updated = NOW()
+WHERE id = $1;
+
 -- name: BulkRestoreRunning :exec
 -- Called by the reconciler when a host comes back online and its sandboxes are
 -- confirmed alive. Restores only sandboxes that are in 'missing' state.
diff --git a/db/queries/teams.sql b/db/queries/teams.sql
index 2117e95..f4de808 100644
--- a/db/queries/teams.sql
+++ b/db/queries/teams.sql
@@ -53,3 +53,48 @@ UPDATE users_teams SET role = $3 WHERE team_id = $1 AND user_id = $2;
 
 -- name: DeleteTeamMember :exec
 DELETE FROM users_teams WHERE team_id = $1 AND user_id = $2;
+
+-- name: ListTeamsAdmin :many
+SELECT
+    t.id,
+    t.name,
+    t.slug,
+    t.is_byoc,
+    t.created_at,
+    t.deleted_at,
+    (SELECT COUNT(*) FROM users_teams ut WHERE ut.team_id = t.id)::int AS member_count,
+    COALESCE(owner_u.name, '') AS owner_name,
+    COALESCE(owner_u.email, '') AS owner_email,
+    (SELECT COUNT(*) FROM sandboxes s WHERE s.team_id = t.id AND s.status IN ('running', 'paused', 'starting'))::int AS active_sandbox_count,
+    (SELECT COUNT(*) FROM channels c WHERE c.team_id = t.id)::int AS channel_count
+FROM teams t
+LEFT JOIN users_teams owner_ut ON owner_ut.team_id = t.id AND owner_ut.role = 'owner'
+LEFT JOIN users owner_u ON owner_u.id = owner_ut.user_id
+WHERE t.id != '00000000-0000-0000-0000-000000000000'
+ORDER BY t.deleted_at ASC NULLS FIRST, t.created_at DESC
+LIMIT $1 OFFSET $2;
+
+-- name: ListSoleOwnedTeams :many
+-- Returns teams where the user is the owner and no other members exist.
+SELECT t.id FROM teams t
+JOIN users_teams ut ON ut.team_id = t.id
+WHERE ut.user_id = $1
+  AND ut.role = 'owner'
+  AND t.deleted_at IS NULL
+  AND NOT EXISTS (
+      SELECT 1 FROM users_teams ut2
+      WHERE ut2.team_id = t.id AND ut2.user_id <> $1
+  );
+
+-- name: GetOwnedTeamIDs :many
+-- Returns team IDs where the given user has the 'owner' role.
+SELECT t.id FROM teams t
+JOIN users_teams ut ON ut.team_id = t.id
+WHERE ut.user_id = $1
+  AND ut.role = 'owner'
+  AND t.deleted_at IS NULL;
+
+-- name: CountTeamsAdmin :one
+SELECT COUNT(*)::int AS total
+FROM teams
+WHERE id != '00000000-0000-0000-0000-000000000000';
diff --git a/db/queries/template_builds.sql b/db/queries/template_builds.sql
index 1fb07be..69eebc5 100644
--- a/db/queries/template_builds.sql
+++ b/db/queries/template_builds.sql
@@ -31,3 +31,8 @@ WHERE id = $1;
 UPDATE template_builds
 SET error = $2, status = 'failed', completed_at = NOW()
 WHERE id = $1;
+
+-- name: UpdateBuildDefaults :exec
+UPDATE template_builds
+SET default_user = $2, default_env = $3, metadata = $4
+WHERE id = $1;
diff --git a/db/queries/templates.sql b/db/queries/templates.sql
index de4d6f2..7c50ea6 100644
--- a/db/queries/templates.sql
+++ b/db/queries/templates.sql
@@ -1,6 +1,6 @@
 -- name: InsertTemplate :one
-INSERT INTO templates (id, name, type, vcpus, memory_mb, size_bytes, team_id)
-VALUES ($1, $2, $3, $4, $5, $6, $7)
+INSERT INTO templates (id, name, type, vcpus, memory_mb, size_bytes, team_id, default_user, default_env, metadata)
+VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10)
 RETURNING *;
 
 -- name: GetTemplate :one
diff --git a/db/queries/users.sql b/db/queries/users.sql
index a244fc9..eb41d00 100644
--- a/db/queries/users.sql
+++ b/db/queries/users.sql
@@ -4,16 +4,21 @@ VALUES ($1, $2, $3, $4)
 RETURNING *;
 
 -- name: GetUserByEmail :one
-SELECT * FROM users WHERE email = $1;
+SELECT * FROM users WHERE email = $1 AND status != 'deleted';
 
 -- name: GetUserByID :one
-SELECT * FROM users WHERE id = $1;
+SELECT * FROM users WHERE id = $1 AND status != 'deleted';
 
 -- name: InsertUserOAuth :one
 INSERT INTO users (id, email, name)
 VALUES ($1, $2, $3)
 RETURNING *;
 
+-- name: InsertUserInactive :one
+INSERT INTO users (id, email, password_hash, name, status)
+VALUES ($1, $2, $3, $4, 'inactive')
+RETURNING *;
+
 -- name: SetUserAdmin :exec
 UPDATE users SET is_admin = $2, updated_at = NOW() WHERE id = $1;
 
@@ -35,8 +40,59 @@ SELECT EXISTS(
     SELECT 1 FROM admin_permissions WHERE user_id = $1 AND permission = $2
 ) AS has_permission;
 
+-- name: CountUsers :one
+SELECT COUNT(*) FROM users;
+
+-- name: CountActiveUsers :one
+SELECT COUNT(*) FROM users WHERE status = 'active';
+
 -- name: SearchUsersByEmailPrefix :many
 SELECT id, email FROM users WHERE email LIKE $1 || '%' ORDER BY email LIMIT 10;
 
 -- name: UpdateUserName :exec
 UPDATE users SET name = $2, updated_at = NOW() WHERE id = $1;
+
+-- name: ListUsersAdmin :many
+SELECT
+    u.id,
+    u.email,
+    u.name,
+    u.is_admin,
+    u.status,
+    u.created_at,
+    (SELECT COUNT(*) FROM users_teams ut WHERE ut.user_id = u.id)::int AS teams_joined,
+    (SELECT COUNT(*) FROM users_teams ut WHERE ut.user_id = u.id AND ut.role = 'owner')::int AS teams_owned
+FROM users u
+WHERE u.status != 'deleted'
+ORDER BY u.created_at DESC
+LIMIT $1 OFFSET $2;
+
+-- name: CountUsersAdmin :one
+SELECT COUNT(*)::int AS total
+FROM users
+WHERE status != 'deleted';
+
+-- name: SetUserStatus :exec
+UPDATE users SET status = $2, updated_at = NOW() WHERE id = $1;
+
+-- name: UpdateUserPassword :exec
+UPDATE users SET password_hash = $2, updated_at = NOW() WHERE id = $1;
+
+-- name: SoftDeleteUser :exec
+UPDATE users SET deleted_at = NOW(), status = 'deleted', updated_at = NOW() WHERE id = $1;
+
+-- name: CountUserOwnedTeamsWithOtherMembers :one
+SELECT COUNT(DISTINCT ut.team_id)::int
+FROM users_teams ut
+WHERE ut.user_id = $1
+  AND ut.role = 'owner'
+  AND EXISTS (
+      SELECT 1 FROM users_teams ut2
+      WHERE ut2.team_id = ut.team_id AND ut2.user_id <> $1
+  );
+
+-- name: HardDeleteExpiredUsers :exec
+DELETE FROM users WHERE deleted_at IS NOT NULL AND deleted_at < NOW() - INTERVAL '15 days';
+
+-- name: HardDeleteUser :exec
+DELETE FROM users WHERE id = $1;
diff --git a/deploy/Caddyfile.dev b/deploy/Caddyfile.dev
index 789f8df..bbeb7d7 100644
--- a/deploy/Caddyfile.dev
+++ b/deploy/Caddyfile.dev
@@ -8,7 +8,7 @@
 # Option 2: Use dnsmasq: address=/.localhost/127.0.0.1
 # Option 3: Use systemd-resolved (Ubuntu default — *.localhost resolves to 127.0.0.1)
 http://*.localhost {
-	reverse_proxy host.docker.internal:8080
+	reverse_proxy host.docker.internal:9725
 }
 
 # Main entry point: API + frontend
@@ -16,21 +16,21 @@ http://localhost {
 	# API routes — strip /api prefix and proxy to the control plane.
 	# The frontend calls /api/v1/... which becomes /v1/... at the CP.
 	handle_path /api/* {
-		reverse_proxy host.docker.internal:8080
+		reverse_proxy host.docker.internal:9725
 	}
 
 	# Backend routes served directly (SDK clients, OAuth initiation)
 	handle /v1/* {
-		reverse_proxy host.docker.internal:8080
+		reverse_proxy host.docker.internal:9725
 	}
 	handle /openapi.yaml {
-		reverse_proxy host.docker.internal:8080
+		reverse_proxy host.docker.internal:9725
 	}
 	handle /docs {
-		reverse_proxy host.docker.internal:8080
+		reverse_proxy host.docker.internal:9725
 	}
 	handle /auth/oauth/* {
-		reverse_proxy host.docker.internal:8080
+		reverse_proxy host.docker.internal:9725
 	}
 
 	# Everything else — proxy to the frontend dev server
diff --git a/deploy/ansible/playbook.yml b/deploy/ansible/playbook.yml
deleted file mode 100644
index e69de29..0000000
diff --git a/deploy/logrotate/wrenn b/deploy/logrotate/wrenn
new file mode 100644
index 0000000..f05a606
--- /dev/null
+++ b/deploy/logrotate/wrenn
@@ -0,0 +1,19 @@
+/var/lib/wrenn/logs/control-plane.log
+/var/lib/wrenn/logs/host-agent.log
+{
+    daily
+    rotate 3
+    missingok
+    notifempty
+    dateext
+    dateformat -%Y-%m-%d
+    compress
+    delaycompress
+    sharedscripts
+    postrotate
+        # Signal the processes to reopen their log files.
+        # Use SIGHUP — both binaries handle it gracefully.
+        pkill -HUP -f wrenn-cp || true
+        pkill -HUP -f wrenn-agent || true
+    endscript
+}
diff --git a/deploy/systemd/wrenn-control-plane.service b/deploy/systemd/wrenn-control-plane.service
deleted file mode 100644
index e69de29..0000000
diff --git a/deploy/systemd/wrenn-host-agent.service b/deploy/systemd/wrenn-host-agent.service
deleted file mode 100644
index e69de29..0000000
diff --git a/envd/VERSION b/envd/VERSION
new file mode 100644
index 0000000..6e8bf73
--- /dev/null
+++ b/envd/VERSION
@@ -0,0 +1 @@
+0.1.0
diff --git a/envd/go.mod b/envd/go.mod
index c739bc6..200e8ef 100644
--- a/envd/go.mod
+++ b/envd/go.mod
@@ -19,7 +19,7 @@ require (
 	github.com/shirou/gopsutil/v4 v4.26.2
 	github.com/stretchr/testify v1.11.1
 	github.com/txn2/txeh v1.8.0
-	golang.org/x/sys v0.42.0
+	golang.org/x/sys v0.43.0
 	google.golang.org/protobuf v1.36.11
 )
 
@@ -37,6 +37,6 @@ require (
 	github.com/tklauser/go-sysconf v0.3.16 // indirect
 	github.com/tklauser/numcpus v0.11.0 // indirect
 	github.com/yusufpapurcu/wmi v1.2.4 // indirect
-	golang.org/x/crypto v0.41.0 // indirect
+	golang.org/x/crypto v0.50.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
diff --git a/envd/go.sum b/envd/go.sum
index a051cf5..3e857f5 100644
--- a/envd/go.sum
+++ b/envd/go.sum
@@ -72,15 +72,15 @@ github.com/txn2/txeh v1.8.0 h1:G1vZgom6+P/xWwU53AMOpcZgC5ni382ukcPP1TDVYHk=
 github.com/txn2/txeh v1.8.0/go.mod h1:rRI3Egi3+AFmEXQjft051YdYbxeCT3nFmBLsNCZZaxM=
 github.com/yusufpapurcu/wmi v1.2.4 h1:zFUKzehAFReQwLys1b/iSMl+JQGSCSjtVqQn9bBrPo0=
 github.com/yusufpapurcu/wmi v1.2.4/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0=
-golang.org/x/crypto v0.41.0 h1:WKYxWedPGCTVVl5+WHSSrOBT0O8lx32+zxmHxijgXp4=
-golang.org/x/crypto v0.41.0/go.mod h1:pO5AFd7FA68rFak7rOAGVuygIISepHftHnr8dr6+sUc=
+golang.org/x/crypto v0.50.0 h1:zO47/JPrL6vsNkINmLoo/PH1gcxpls50DNogFvB5ZGI=
+golang.org/x/crypto v0.50.0/go.mod h1:3muZ7vA7PBCE6xgPX7nkzzjiUq87kRItoJQM1Yo8S+Q=
 golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201204225414-ed752295db88/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo=
-golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/sys v0.43.0 h1:Rlag2XtaFTxp19wS8MXlJwTvoh8ArU6ezoyFsMyCTNI=
+golang.org/x/sys v0.43.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=
 google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
diff --git a/envd/internal/api/api.gen.go b/envd/internal/api/api.gen.go
index 512747b..257326d 100644
--- a/envd/internal/api/api.gen.go
+++ b/envd/internal/api/api.gen.go
@@ -1,6 +1,6 @@
 // Package api provides primitives to interact with the openapi HTTP API.
 //
-// Code generated by github.com/oapi-codegen/oapi-codegen/v2 version v2.5.1 DO NOT EDIT.
+// Code generated by github.com/oapi-codegen/oapi-codegen/v2 version v2.6.0 DO NOT EDIT.
 package api
 
 import (
@@ -23,6 +23,16 @@ const (
 	File EntryInfoType = "file"
 )
 
+// Valid indicates whether the value is a known member of the EntryInfoType enum.
+func (e EntryInfoType) Valid() bool {
+	switch e {
+	case File:
+		return true
+	default:
+		return false
+	}
+}
+
 // EntryInfo defines model for EntryInfo.
 type EntryInfo struct {
 	// Name Name of the file
@@ -193,6 +203,9 @@ type ServerInterface interface {
 	// Get the stats of the service
 	// (GET /metrics)
 	GetMetrics(w http.ResponseWriter, r *http.Request)
+	// Quiesce continuous goroutines before Firecracker snapshot
+	// (POST /snapshot/prepare)
+	PostSnapshotPrepare(w http.ResponseWriter, r *http.Request)
 }
 
 // Unimplemented server implementation that returns http.StatusNotImplemented for each endpoint.
@@ -235,6 +248,12 @@ func (_ Unimplemented) GetMetrics(w http.ResponseWriter, r *http.Request) {
 	w.WriteHeader(http.StatusNotImplemented)
 }
 
+// Quiesce continuous goroutines before Firecracker snapshot
+// (POST /snapshot/prepare)
+func (_ Unimplemented) PostSnapshotPrepare(w http.ResponseWriter, r *http.Request) {
+	w.WriteHeader(http.StatusNotImplemented)
+}
+
 // ServerInterfaceWrapper converts contexts to parameters.
 type ServerInterfaceWrapper struct {
 	Handler            ServerInterface
@@ -280,7 +299,7 @@ func (siw *ServerInterfaceWrapper) GetFiles(w http.ResponseWriter, r *http.Reque
 
 	// ------------- Optional query parameter "path" -------------
 
-	err = runtime.BindQueryParameter("form", true, false, "path", r.URL.Query(), &params.Path)
+	err = runtime.BindQueryParameterWithOptions("form", true, false, "path", r.URL.Query(), &params.Path, runtime.BindQueryParameterOptions{Type: "string", Format: ""})
 	if err != nil {
 		siw.ErrorHandlerFunc(w, r, &InvalidParamFormatError{ParamName: "path", Err: err})
 		return
@@ -288,7 +307,7 @@ func (siw *ServerInterfaceWrapper) GetFiles(w http.ResponseWriter, r *http.Reque
 
 	// ------------- Optional query parameter "username" -------------
 
-	err = runtime.BindQueryParameter("form", true, false, "username", r.URL.Query(), &params.Username)
+	err = runtime.BindQueryParameterWithOptions("form", true, false, "username", r.URL.Query(), &params.Username, runtime.BindQueryParameterOptions{Type: "string", Format: ""})
 	if err != nil {
 		siw.ErrorHandlerFunc(w, r, &InvalidParamFormatError{ParamName: "username", Err: err})
 		return
@@ -296,7 +315,7 @@ func (siw *ServerInterfaceWrapper) GetFiles(w http.ResponseWriter, r *http.Reque
 
 	// ------------- Optional query parameter "signature" -------------
 
-	err = runtime.BindQueryParameter("form", true, false, "signature", r.URL.Query(), &params.Signature)
+	err = runtime.BindQueryParameterWithOptions("form", true, false, "signature", r.URL.Query(), &params.Signature, runtime.BindQueryParameterOptions{Type: "string", Format: ""})
 	if err != nil {
 		siw.ErrorHandlerFunc(w, r, &InvalidParamFormatError{ParamName: "signature", Err: err})
 		return
@@ -304,7 +323,7 @@ func (siw *ServerInterfaceWrapper) GetFiles(w http.ResponseWriter, r *http.Reque
 
 	// ------------- Optional query parameter "signature_expiration" -------------
 
-	err = runtime.BindQueryParameter("form", true, false, "signature_expiration", r.URL.Query(), &params.SignatureExpiration)
+	err = runtime.BindQueryParameterWithOptions("form", true, false, "signature_expiration", r.URL.Query(), &params.SignatureExpiration, runtime.BindQueryParameterOptions{Type: "integer", Format: ""})
 	if err != nil {
 		siw.ErrorHandlerFunc(w, r, &InvalidParamFormatError{ParamName: "signature_expiration", Err: err})
 		return
@@ -337,7 +356,7 @@ func (siw *ServerInterfaceWrapper) PostFiles(w http.ResponseWriter, r *http.Requ
 
 	// ------------- Optional query parameter "path" -------------
 
-	err = runtime.BindQueryParameter("form", true, false, "path", r.URL.Query(), &params.Path)
+	err = runtime.BindQueryParameterWithOptions("form", true, false, "path", r.URL.Query(), &params.Path, runtime.BindQueryParameterOptions{Type: "string", Format: ""})
 	if err != nil {
 		siw.ErrorHandlerFunc(w, r, &InvalidParamFormatError{ParamName: "path", Err: err})
 		return
@@ -345,7 +364,7 @@ func (siw *ServerInterfaceWrapper) PostFiles(w http.ResponseWriter, r *http.Requ
 
 	// ------------- Optional query parameter "username" -------------
 
-	err = runtime.BindQueryParameter("form", true, false, "username", r.URL.Query(), &params.Username)
+	err = runtime.BindQueryParameterWithOptions("form", true, false, "username", r.URL.Query(), &params.Username, runtime.BindQueryParameterOptions{Type: "string", Format: ""})
 	if err != nil {
 		siw.ErrorHandlerFunc(w, r, &InvalidParamFormatError{ParamName: "username", Err: err})
 		return
@@ -353,7 +372,7 @@ func (siw *ServerInterfaceWrapper) PostFiles(w http.ResponseWriter, r *http.Requ
 
 	// ------------- Optional query parameter "signature" -------------
 
-	err = runtime.BindQueryParameter("form", true, false, "signature", r.URL.Query(), &params.Signature)
+	err = runtime.BindQueryParameterWithOptions("form", true, false, "signature", r.URL.Query(), &params.Signature, runtime.BindQueryParameterOptions{Type: "string", Format: ""})
 	if err != nil {
 		siw.ErrorHandlerFunc(w, r, &InvalidParamFormatError{ParamName: "signature", Err: err})
 		return
@@ -361,7 +380,7 @@ func (siw *ServerInterfaceWrapper) PostFiles(w http.ResponseWriter, r *http.Requ
 
 	// ------------- Optional query parameter "signature_expiration" -------------
 
-	err = runtime.BindQueryParameter("form", true, false, "signature_expiration", r.URL.Query(), &params.SignatureExpiration)
+	err = runtime.BindQueryParameterWithOptions("form", true, false, "signature_expiration", r.URL.Query(), &params.SignatureExpiration, runtime.BindQueryParameterOptions{Type: "integer", Format: ""})
 	if err != nil {
 		siw.ErrorHandlerFunc(w, r, &InvalidParamFormatError{ParamName: "signature_expiration", Err: err})
 		return
@@ -432,6 +451,20 @@ func (siw *ServerInterfaceWrapper) GetMetrics(w http.ResponseWriter, r *http.Req
 	handler.ServeHTTP(w, r)
 }
 
+// PostSnapshotPrepare operation middleware
+func (siw *ServerInterfaceWrapper) PostSnapshotPrepare(w http.ResponseWriter, r *http.Request) {
+
+	handler := http.Handler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		siw.Handler.PostSnapshotPrepare(w, r)
+	}))
+
+	for _, middleware := range siw.HandlerMiddlewares {
+		handler = middleware(handler)
+	}
+
+	handler.ServeHTTP(w, r)
+}
+
 type UnescapedCookieParamError struct {
 	ParamName string
 	Err       error
@@ -563,6 +596,9 @@ func HandlerWithOptions(si ServerInterface, options ChiServerOptions) http.Handl
 	r.Group(func(r chi.Router) {
 		r.Get(options.BaseURL+"/metrics", wrapper.GetMetrics)
 	})
+	r.Group(func(r chi.Router) {
+		r.Post(options.BaseURL+"/snapshot/prepare", wrapper.PostSnapshotPrepare)
+	})
 
 	return r
 }
diff --git a/envd/internal/api/auth.go b/envd/internal/api/auth.go
index b626f5a..fc6b97c 100644
--- a/envd/internal/api/auth.go
+++ b/envd/internal/api/auth.go
@@ -1,4 +1,5 @@
 // SPDX-License-Identifier: Apache-2.0
+// Modifications by M/S Omukk
 
 package api
 
@@ -30,6 +31,7 @@ var authExcludedPaths = []string{
 	"GET/files",
 	"POST/files",
 	"POST/init",
+	"POST/snapshot/prepare",
 }
 
 func (a *API) WithAuthorization(handler http.Handler) http.Handler {
diff --git a/envd/internal/api/download.go b/envd/internal/api/download.go
index b90a8ac..0a2119e 100644
--- a/envd/internal/api/download.go
+++ b/envd/internal/api/download.go
@@ -1,4 +1,5 @@
 // SPDX-License-Identifier: Apache-2.0
+// Modifications by M/S Omukk
 
 package api
 
@@ -106,6 +107,17 @@ func (a *API) GetFiles(w http.ResponseWriter, r *http.Request, params GetFilesPa
 		return
 	}
 
+	// Reject anything that isn't a regular file (devices, pipes, sockets, etc.).
+	// Reading device files like /dev/zero or /dev/urandom produces infinite data
+	// and will exhaust memory on all layers of the stack.
+	if !stat.Mode().IsRegular() {
+		errMsg = fmt.Errorf("path '%s' is not a regular file", resolvedPath)
+		errorCode = http.StatusBadRequest
+		jsonError(w, errorCode, errMsg)
+
+		return
+	}
+
 	// Validate Accept-Encoding header
 	encoding, err := parseAcceptEncoding(r)
 	if err != nil {
diff --git a/envd/internal/api/download_test.go b/envd/internal/api/download_test.go
index 235a613..a4379cc 100644
--- a/envd/internal/api/download_test.go
+++ b/envd/internal/api/download_test.go
@@ -1,10 +1,12 @@
 // SPDX-License-Identifier: Apache-2.0
+// Modifications by M/S Omukk
 
 package api
 
 import (
 	"bytes"
 	"compress/gzip"
+	"context"
 	"io"
 	"mime/multipart"
 	"net/http"
@@ -97,7 +99,7 @@ func TestGetFilesContentDisposition(t *testing.T) {
 				EnvVars: utils.NewMap[string, string](),
 				User:    currentUser.Username,
 			}
-			api := New(&logger, defaults, nil, false)
+			api := New(&logger, defaults, nil, false, context.Background(), nil, "test")
 
 			// Create request and response recorder
 			req := httptest.NewRequest(http.MethodGet, "/files?path="+url.QueryEscape(tempFile), nil)
@@ -146,7 +148,7 @@ func TestGetFilesContentDispositionWithNestedPath(t *testing.T) {
 		EnvVars: utils.NewMap[string, string](),
 		User:    currentUser.Username,
 	}
-	api := New(&logger, defaults, nil, false)
+	api := New(&logger, defaults, nil, false, context.Background(), nil, "test")
 
 	// Create request and response recorder
 	req := httptest.NewRequest(http.MethodGet, "/files?path="+url.QueryEscape(tempFile), nil)
@@ -189,7 +191,7 @@ func TestGetFiles_GzipEncoding_ExplicitIdentityOffWithRange(t *testing.T) {
 		EnvVars: utils.NewMap[string, string](),
 		User:    currentUser.Username,
 	}
-	api := New(&logger, defaults, nil, false)
+	api := New(&logger, defaults, nil, false, context.Background(), nil, "test")
 
 	// Create request and response recorder
 	req := httptest.NewRequest(http.MethodGet, "/files?path="+url.QueryEscape(tempFile), nil)
@@ -230,7 +232,7 @@ func TestGetFiles_GzipDownload(t *testing.T) {
 		EnvVars: utils.NewMap[string, string](),
 		User:    currentUser.Username,
 	}
-	api := New(&logger, defaults, nil, false)
+	api := New(&logger, defaults, nil, false, context.Background(), nil, "test")
 
 	req := httptest.NewRequest(http.MethodGet, "/files?path="+url.QueryEscape(tempFile), nil)
 	req.Header.Set("Accept-Encoding", "gzip")
@@ -295,7 +297,7 @@ func TestPostFiles_GzipUpload(t *testing.T) {
 		EnvVars: utils.NewMap[string, string](),
 		User:    currentUser.Username,
 	}
-	api := New(&logger, defaults, nil, false)
+	api := New(&logger, defaults, nil, false, context.Background(), nil, "test")
 
 	req := httptest.NewRequest(http.MethodPost, "/files?path="+url.QueryEscape(destPath), &gzBuf)
 	req.Header.Set("Content-Type", mpWriter.FormDataContentType())
@@ -355,7 +357,7 @@ func TestGzipUploadThenGzipDownload(t *testing.T) {
 		EnvVars: utils.NewMap[string, string](),
 		User:    currentUser.Username,
 	}
-	api := New(&logger, defaults, nil, false)
+	api := New(&logger, defaults, nil, false, context.Background(), nil, "test")
 
 	uploadReq := httptest.NewRequest(http.MethodPost, "/files?path="+url.QueryEscape(destPath), &gzBuf)
 	uploadReq.Header.Set("Content-Type", mpWriter.FormDataContentType())
diff --git a/envd/internal/api/init.go b/envd/internal/api/init.go
index 301400c..3b2be4b 100644
--- a/envd/internal/api/init.go
+++ b/envd/internal/api/init.go
@@ -150,6 +150,13 @@ func (a *API) PostInit(w http.ResponseWriter, r *http.Request) {
 		host.PollForMMDSOpts(ctx, a.mmdsChan, a.defaults.EnvVars)
 	}()
 
+	// Start the port scanner and forwarder if they were stopped by a
+	// pre-snapshot prepare call. Start is a no-op if already running,
+	// so this is safe on first boot and only takes effect after restore.
+	if a.portSubsystem != nil {
+		a.portSubsystem.Start(a.rootCtx)
+	}
+
 	w.Header().Set("Cache-Control", "no-store")
 	w.Header().Set("Content-Type", "")
 
diff --git a/envd/internal/api/init_test.go b/envd/internal/api/init_test.go
index f3db361..18ee203 100644
--- a/envd/internal/api/init_test.go
+++ b/envd/internal/api/init_test.go
@@ -79,7 +79,7 @@ func newTestAPI(accessToken *SecureToken, mmdsClient MMDSClient) *API {
 	defaults := &execcontext.Defaults{
 		EnvVars: utils.NewMap[string, string](),
 	}
-	api := New(&logger, defaults, nil, false)
+	api := New(&logger, defaults, nil, false, context.Background(), nil, "test")
 	if accessToken != nil {
 		api.accessToken.TakeFrom(accessToken)
 	}
diff --git a/envd/internal/api/snapshot.go b/envd/internal/api/snapshot.go
new file mode 100644
index 0000000..d9e2edd
--- /dev/null
+++ b/envd/internal/api/snapshot.go
@@ -0,0 +1,25 @@
+// SPDX-License-Identifier: Apache-2.0
+// Modifications by M/S Omukk
+
+package api
+
+import (
+	"net/http"
+)
+
+// PostSnapshotPrepare quiesces continuous goroutines (port scanner, forwarder)
+// and forces a GC cycle before Firecracker takes a VM snapshot. This ensures
+// the Go runtime's page allocator is in a consistent state when vCPUs are frozen.
+//
+// Called by the host agent as a best-effort signal before vm.Pause().
+func (a *API) PostSnapshotPrepare(w http.ResponseWriter, r *http.Request) {
+	defer r.Body.Close()
+
+	if a.portSubsystem != nil {
+		a.portSubsystem.Stop()
+		a.logger.Info().Msg("snapshot/prepare: port subsystem quiesced")
+	}
+
+	w.Header().Set("Cache-Control", "no-store")
+	w.WriteHeader(http.StatusNoContent)
+}
diff --git a/envd/internal/api/store.go b/envd/internal/api/store.go
index 088222a..ca97957 100644
--- a/envd/internal/api/store.go
+++ b/envd/internal/api/store.go
@@ -1,4 +1,5 @@
 // SPDX-License-Identifier: Apache-2.0
+// Modifications by M/S Omukk
 
 package api
 
@@ -12,6 +13,7 @@ import (
 
 	"git.omukk.dev/wrenn/sandbox/envd/internal/execcontext"
 	"git.omukk.dev/wrenn/sandbox/envd/internal/host"
+	publicport "git.omukk.dev/wrenn/sandbox/envd/internal/port"
 	"git.omukk.dev/wrenn/sandbox/envd/internal/utils"
 )
 
@@ -32,6 +34,7 @@ type API struct {
 	logger      *zerolog.Logger
 	accessToken *SecureToken
 	defaults    *execcontext.Defaults
+	version     string
 
 	mmdsChan      chan *host.MMDSOpts
 	hyperloopLock sync.Mutex
@@ -39,17 +42,25 @@ type API struct {
 
 	lastSetTime *utils.AtomicMax
 	initLock    sync.Mutex
+
+	// rootCtx is the parent context from main(), used to restart
+	// long-lived goroutines after snapshot restore.
+	rootCtx       context.Context
+	portSubsystem *publicport.PortSubsystem
 }
 
-func New(l *zerolog.Logger, defaults *execcontext.Defaults, mmdsChan chan *host.MMDSOpts, isNotFC bool) *API {
+func New(l *zerolog.Logger, defaults *execcontext.Defaults, mmdsChan chan *host.MMDSOpts, isNotFC bool, rootCtx context.Context, portSubsystem *publicport.PortSubsystem, version string) *API {
 	return &API{
-		logger:      l,
-		defaults:    defaults,
-		mmdsChan:    mmdsChan,
-		isNotFC:     isNotFC,
-		mmdsClient:  &DefaultMMDSClient{},
-		lastSetTime: utils.NewAtomicMax(),
-		accessToken: &SecureToken{},
+		logger:        l,
+		defaults:      defaults,
+		mmdsChan:      mmdsChan,
+		isNotFC:       isNotFC,
+		mmdsClient:    &DefaultMMDSClient{},
+		lastSetTime:   utils.NewAtomicMax(),
+		accessToken:   &SecureToken{},
+		rootCtx:       rootCtx,
+		portSubsystem: portSubsystem,
+		version:       version,
 	}
 }
 
@@ -59,9 +70,11 @@ func (a *API) GetHealth(w http.ResponseWriter, r *http.Request) {
 	a.logger.Trace().Msg("Health check")
 
 	w.Header().Set("Cache-Control", "no-store")
-	w.Header().Set("Content-Type", "")
+	w.Header().Set("Content-Type", "application/json")
 
-	w.WriteHeader(http.StatusNoContent)
+	_ = json.NewEncoder(w).Encode(map[string]string{
+		"version": a.version,
+	})
 }
 
 func (a *API) GetMetrics(w http.ResponseWriter, r *http.Request) {
diff --git a/envd/internal/port/forward.go b/envd/internal/port/forward.go
index bf516ff..cc71a41 100644
--- a/envd/internal/port/forward.go
+++ b/envd/internal/port/forward.go
@@ -1,4 +1,5 @@
 // SPDX-License-Identifier: Apache-2.0
+// Modifications by M/S Omukk
 
 // portf (port forward) periodaically scans opened TCP ports on the 127.0.0.1 (or localhost)
 // and launches `socat` process for every such port in the background.
@@ -80,8 +81,16 @@ func (f *Forwarder) StartForwarding(ctx context.Context) {
 	}
 
 	for {
-		// procs is an array of currently opened ports.
-		if procs, ok := <-f.scannerSubscriber.Messages; ok {
+		select {
+		case <-ctx.Done():
+			f.stopAllForwarding()
+			return
+		case procs, ok := <-f.scannerSubscriber.Messages:
+			if !ok {
+				f.stopAllForwarding()
+				return
+			}
+
 			// Now we are going to refresh all ports that are being forwarded in the `ports` map. Maybe add new ones
 			// and maybe remove some.
 
@@ -133,11 +142,22 @@ func (f *Forwarder) StartForwarding(ctx context.Context) {
 	}
 }
 
-func (f *Forwarder) startPortForwarding(ctx context.Context, p *PortToForward) {
+func (f *Forwarder) stopAllForwarding() {
+	for _, p := range f.ports {
+		f.stopPortForwarding(p)
+	}
+	f.ports = make(map[string]*PortToForward)
+}
+
+func (f *Forwarder) startPortForwarding(_ context.Context, p *PortToForward) {
 	// https://unix.stackexchange.com/questions/311492/redirect-application-listening-on-localhost-to-listening-on-external-interface
 	// socat -d -d TCP4-LISTEN:4000,bind=169.254.0.21,fork TCP4:localhost:4000
 	// reuseaddr is used to fix the "Address already in use" error when restarting socat quickly.
-	cmd := exec.CommandContext(ctx,
+	//
+	// We use exec.Command (not CommandContext) because stopAllForwarding kills
+	// socat via SIGKILL to the process group. CommandContext would also call
+	// cmd.Wait() on context cancellation, racing with the wait goroutine below.
+	cmd := exec.Command(
 		"socat", "-d", "-d", "-d",
 		fmt.Sprintf("TCP4-LISTEN:%v,bind=%s,reuseaddr,fork", p.port, f.sourceIP.To4()),
 		fmt.Sprintf("TCP%d:localhost:%v", p.family, p.port),
diff --git a/envd/internal/port/scan.go b/envd/internal/port/scan.go
index 2b15523..878b361 100644
--- a/envd/internal/port/scan.go
+++ b/envd/internal/port/scan.go
@@ -1,8 +1,10 @@
 // SPDX-License-Identifier: Apache-2.0
+// Modifications by M/S Omukk
 
 package port
 
 import (
+	"context"
 	"sync"
 	"time"
 
@@ -10,8 +12,7 @@ import (
 )
 
 type Scanner struct {
-	scanExit chan struct{}
-	period   time.Duration
+	period time.Duration
 
 	// Plain mutex-protected map instead of concurrent-map. The concurrent-map
 	// library's Items() spawns goroutines and uses a WaitGroup internally,
@@ -20,15 +21,10 @@ type Scanner struct {
 	subs map[string]*ScannerSubscriber
 }
 
-func (s *Scanner) Destroy() {
-	close(s.scanExit)
-}
-
 func NewScanner(period time.Duration) *Scanner {
 	return &Scanner{
-		period:   period,
-		subs:     make(map[string]*ScannerSubscriber),
-		scanExit: make(chan struct{}),
+		period: period,
+		subs:   make(map[string]*ScannerSubscriber),
 	}
 }
 
@@ -51,7 +47,8 @@ func (s *Scanner) Unsubscribe(sub *ScannerSubscriber) {
 }
 
 // ScanAndBroadcast starts scanning open TCP ports and broadcasts every open port to all subscribers.
-func (s *Scanner) ScanAndBroadcast() {
+// It exits when ctx is cancelled.
+func (s *Scanner) ScanAndBroadcast(ctx context.Context) {
 	for {
 		// Read directly from /proc/net/tcp and /proc/net/tcp6 instead of
 		// using gopsutil's net.Connections(), which walks /proc/{pid}/fd
@@ -60,15 +57,14 @@ func (s *Scanner) ScanAndBroadcast() {
 
 		s.mu.RLock()
 		for _, sub := range s.subs {
-			sub.Signal(conns)
+			sub.Signal(ctx, conns)
 		}
 		s.mu.RUnlock()
 
 		select {
-		case <-s.scanExit:
+		case <-ctx.Done():
 			return
-		default:
-			time.Sleep(s.period)
+		case <-time.After(s.period):
 		}
 	}
 }
diff --git a/envd/internal/port/scanSubscriber.go b/envd/internal/port/scanSubscriber.go
index bad9908..312f8d2 100644
--- a/envd/internal/port/scanSubscriber.go
+++ b/envd/internal/port/scanSubscriber.go
@@ -1,8 +1,11 @@
 // SPDX-License-Identifier: Apache-2.0
+// Modifications by M/S Omukk
 
 package port
 
 import (
+	"context"
+
 	"github.com/rs/zerolog"
 )
 
@@ -33,19 +36,26 @@ func (ss *ScannerSubscriber) Destroy() {
 	close(ss.Messages)
 }
 
-func (ss *ScannerSubscriber) Signal(conns []ConnStat) {
-	// Filter isn't specified. Accept everything.
+// Signal sends the (filtered) connection list to the subscriber. It respects
+// ctx cancellation so the scanner goroutine is never stuck waiting for a
+// consumer that has already exited.
+func (ss *ScannerSubscriber) Signal(ctx context.Context, conns []ConnStat) {
+	var payload []ConnStat
+
 	if ss.filter == nil {
-		ss.Messages <- conns
+		payload = conns
 	} else {
 		filtered := []ConnStat{}
 		for i := range conns {
-			// We need to access the list directly otherwise there will be implicit memory aliasing
-			// If the filter matched a connection, we will send it to a channel.
 			if ss.filter.Match(&conns[i]) {
 				filtered = append(filtered, conns[i])
 			}
 		}
-		ss.Messages <- filtered
+		payload = filtered
+	}
+
+	select {
+	case ss.Messages <- payload:
+	case <-ctx.Done():
 	}
 }
diff --git a/envd/internal/port/subsystem.go b/envd/internal/port/subsystem.go
new file mode 100644
index 0000000..094b2c4
--- /dev/null
+++ b/envd/internal/port/subsystem.go
@@ -0,0 +1,106 @@
+// SPDX-License-Identifier: Apache-2.0
+// Modifications by M/S Omukk
+
+package port
+
+import (
+	"context"
+	"runtime"
+	"runtime/debug"
+	"sync"
+	"time"
+
+	"github.com/rs/zerolog"
+
+	"git.omukk.dev/wrenn/sandbox/envd/internal/services/cgroups"
+)
+
+// PortSubsystem owns the port scanner and forwarder lifecycle.
+// It supports stop/restart across Firecracker snapshot/restore cycles.
+type PortSubsystem struct {
+	logger        *zerolog.Logger
+	cgroupManager cgroups.Manager
+	period        time.Duration
+
+	mu      sync.Mutex
+	cancel  context.CancelFunc
+	wg      *sync.WaitGroup // per-cycle WaitGroup; nil when not running
+	running bool
+}
+
+// NewPortSubsystem creates a new PortSubsystem. Call Start() to begin scanning.
+func NewPortSubsystem(logger *zerolog.Logger, cgroupManager cgroups.Manager, period time.Duration) *PortSubsystem {
+	return &PortSubsystem{
+		logger:        logger,
+		cgroupManager: cgroupManager,
+		period:        period,
+	}
+}
+
+// Start creates a fresh scanner and forwarder, launching their goroutines.
+// Safe to call multiple times; does nothing if already running.
+func (p *PortSubsystem) Start(parentCtx context.Context) {
+	p.mu.Lock()
+	defer p.mu.Unlock()
+
+	if p.running {
+		return
+	}
+
+	ctx, cancel := context.WithCancel(parentCtx)
+	p.cancel = cancel
+	p.running = true
+
+	// Allocate a fresh WaitGroup for this lifecycle so a concurrent Stop
+	// on the previous cycle's WaitGroup cannot interfere.
+	wg := &sync.WaitGroup{}
+	p.wg = wg
+
+	scanner := NewScanner(p.period)
+	forwarder := NewForwarder(p.logger, scanner, p.cgroupManager)
+
+	wg.Add(2)
+
+	go func() {
+		defer wg.Done()
+		forwarder.StartForwarding(ctx)
+	}()
+
+	go func() {
+		defer wg.Done()
+		scanner.ScanAndBroadcast(ctx)
+	}()
+}
+
+// Stop quiesces the scanner and forwarder goroutines and forces a GC cycle
+// to put the Go runtime's page allocator in a consistent state before snapshot.
+// Blocks until both goroutines have exited. Safe to call if already stopped.
+func (p *PortSubsystem) Stop() {
+	p.mu.Lock()
+	if !p.running {
+		p.mu.Unlock()
+		return
+	}
+	cancelFn := p.cancel
+	wg := p.wg
+	p.cancel = nil
+	p.wg = nil
+	p.running = false
+	p.mu.Unlock()
+
+	cancelFn()
+	wg.Wait()
+
+	// Force two GC cycles to ensure all spans are swept and the page
+	// allocator summary tree is fully consistent before the VM is frozen.
+	runtime.GC()
+	runtime.GC()
+	debug.FreeOSMemory()
+}
+
+// Restart stops the subsystem (if running) and starts it again with a fresh
+// scanner and forwarder. Used after snapshot restore via PostInit.
+func (p *PortSubsystem) Restart(parentCtx context.Context) {
+	p.Stop()
+	p.Start(parentCtx)
+}
diff --git a/envd/internal/services/process/handler/multiplex.go b/envd/internal/services/process/handler/multiplex.go
index 4fe696e..88f0916 100644
--- a/envd/internal/services/process/handler/multiplex.go
+++ b/envd/internal/services/process/handler/multiplex.go
@@ -25,34 +25,38 @@ func NewMultiplexedChannel[T any](buffer int) *MultiplexedChannel[T] {
 			c.mu.RLock()
 
 			for _, cons := range c.channels {
-				cons <- v
+				select {
+				case cons <- v:
+				default:
+					// Consumer not reading — skip to prevent deadlock
+				}
 			}
 
 			c.mu.RUnlock()
 		}
 
+		c.mu.Lock()
 		c.exited.Store(true)
-
 		for _, cons := range c.channels {
 			close(cons)
 		}
+		c.mu.Unlock()
 	}()
 
 	return c
 }
 
 func (m *MultiplexedChannel[T]) Fork() (chan T, func()) {
-	if m.exited.Load() {
-		ch := make(chan T)
-		close(ch)
-
-		return ch, func() {}
-	}
-
 	m.mu.Lock()
 	defer m.mu.Unlock()
 
-	consumer := make(chan T)
+	if m.exited.Load() {
+		ch := make(chan T)
+		close(ch)
+		return ch, func() {}
+	}
+
+	consumer := make(chan T, 4096)
 
 	m.channels = append(m.channels, consumer)
 
diff --git a/envd/internal/services/process/service.go b/envd/internal/services/process/service.go
index e00f345..9b89521 100644
--- a/envd/internal/services/process/service.go
+++ b/envd/internal/services/process/service.go
@@ -62,16 +62,15 @@ func (s *Service) getProcess(selector *rpc.ProcessSelector) (*handler.Handler, e
 
 		s.processes.Range(func(_ uint32, value *handler.Handler) bool {
 			if value.Tag == nil {
-				return true
+				return true // no tag, keep looking
 			}
 
 			if *value.Tag == tag {
 				proc = value
-
-				return true
+				return false // found, stop iterating
 			}
 
-			return false
+			return true // different tag, keep looking
 		})
 
 		if proc == nil {
diff --git a/envd/main.go b/envd/main.go
index 751788d..1cd9403 100644
--- a/envd/main.go
+++ b/envd/main.go
@@ -50,7 +50,7 @@ const (
 )
 
 var (
-	Version = "0.5.4"
+	Version = "0.1.0"
 
 	commitSHA string
 
@@ -190,7 +190,14 @@ func main() {
 	processLogger := l.With().Str("logger", "process").Logger()
 	processService := processRpc.Handle(m, &processLogger, defaults, cgroupManager)
 
-	service := api.New(&envLogger, defaults, mmdsChan, isNotFC)
+	// Port scanner and forwarder are managed by PortSubsystem, which
+	// supports stop/restart across Firecracker snapshot/restore cycles.
+	portLogger := l.With().Str("logger", "port-forwarder").Logger()
+	portSubsystem := publicport.NewPortSubsystem(&portLogger, cgroupManager, portScannerInterval)
+	portSubsystem.Start(ctx)
+	defer portSubsystem.Stop()
+
+	service := api.New(&envLogger, defaults, mmdsChan, isNotFC, ctx, portSubsystem, Version)
 	handler := api.HandlerFromMux(service, m)
 	middleware := authn.NewMiddleware(permissions.AuthenticateUsername)
 
@@ -229,16 +236,6 @@ func main() {
 		}
 	}
 
-	// Bind all open ports on 127.0.0.1 and localhost to the eth0 interface
-	portScanner := publicport.NewScanner(portScannerInterval)
-	defer portScanner.Destroy()
-
-	portLogger := l.With().Str("logger", "port-forwarder").Logger()
-	portForwarder := publicport.NewForwarder(&portLogger, portScanner, cgroupManager)
-	go portForwarder.StartForwarding(ctx)
-
-	go portScanner.ScanAndBroadcast()
-
 	err := s.ListenAndServe()
 	if err != nil {
 		log.Fatalf("error starting server: %v", err)
diff --git a/envd/spec/envd.yaml b/envd/spec/envd.yaml
index b86d563..5160ab7 100644
--- a/envd/spec/envd.yaml
+++ b/envd/spec/envd.yaml
@@ -1,4 +1,5 @@
 # SPDX-License-Identifier: Apache-2.0
+# Modifications by M/S Omukk
 
 openapi: 3.0.0
 info:
@@ -70,6 +71,13 @@ paths:
         "204":
           description: Env vars set, the time and metadata is synced with the host
 
+  /snapshot/prepare:
+    post:
+      summary: Quiesce continuous goroutines before Firecracker snapshot
+      responses:
+        "204":
+          description: Goroutines quiesced, safe to snapshot
+
   /envs:
     get:
       summary: Get the environment variables
diff --git a/frontend/package.json b/frontend/package.json
index 85030ec..73dd6b7 100644
--- a/frontend/package.json
+++ b/frontend/package.json
@@ -18,16 +18,20 @@
 		"@fontsource/instrument-serif": "^5.2.8",
 		"@sveltejs/adapter-static": "^3.0.10",
 		"@sveltejs/kit": "^2.50.2",
-		"@sveltejs/vite-plugin-svelte": "^6.2.4",
+		"@sveltejs/vite-plugin-svelte": "^7.0.0",
 		"@tailwindcss/vite": "^4.2.1",
 		"bits-ui": "^2.16.3",
 		"svelte": "^5.51.0",
 		"svelte-check": "^4.4.2",
 		"tailwindcss": "^4.2.1",
-		"typescript": "^5.9.3",
-		"vite": "^7.3.1"
+		"typescript": "^6.0.2",
+		"vite": "^8.0.8"
 	},
 	"dependencies": {
-		"chart.js": "^4.5.1"
+		"@xterm/addon-fit": "^0.11.0",
+		"@xterm/addon-web-links": "^0.12.0",
+		"@xterm/xterm": "^6.0.0",
+		"chart.js": "^4.5.1",
+		"shiki": "^4.0.2"
 	}
 }
diff --git a/frontend/pnpm-lock.yaml b/frontend/pnpm-lock.yaml
index 5b60992..3521570 100644
--- a/frontend/pnpm-lock.yaml
+++ b/frontend/pnpm-lock.yaml
@@ -8,9 +8,21 @@ importers:
 
   .:
     dependencies:
+      '@xterm/addon-fit':
+        specifier: ^0.11.0
+        version: 0.11.0
+      '@xterm/addon-web-links':
+        specifier: ^0.12.0
+        version: 0.12.0
+      '@xterm/xterm':
+        specifier: ^6.0.0
+        version: 6.0.0
       chart.js:
         specifier: ^4.5.1
         version: 4.5.1
+      shiki:
+        specifier: ^4.0.2
+        version: 4.0.2
     devDependencies:
       '@fontsource-variable/jetbrains-mono':
         specifier: ^5.2.8
@@ -26,192 +38,45 @@ importers:
         version: 5.2.8
       '@sveltejs/adapter-static':
         specifier: ^3.0.10
-        version: 3.0.10(@sveltejs/kit@2.55.0(@sveltejs/vite-plugin-svelte@6.2.4(svelte@5.53.12)(vite@7.3.1(jiti@2.6.1)(lightningcss@1.31.1)))(svelte@5.53.12)(typescript@5.9.3)(vite@7.3.1(jiti@2.6.1)(lightningcss@1.31.1)))
+        version: 3.0.10(@sveltejs/kit@2.57.1(@sveltejs/vite-plugin-svelte@7.0.0(svelte@5.55.3)(vite@8.0.8(jiti@2.6.1)))(svelte@5.55.3)(typescript@6.0.2)(vite@8.0.8(jiti@2.6.1)))
       '@sveltejs/kit':
         specifier: ^2.50.2
-        version: 2.55.0(@sveltejs/vite-plugin-svelte@6.2.4(svelte@5.53.12)(vite@7.3.1(jiti@2.6.1)(lightningcss@1.31.1)))(svelte@5.53.12)(typescript@5.9.3)(vite@7.3.1(jiti@2.6.1)(lightningcss@1.31.1))
+        version: 2.57.1(@sveltejs/vite-plugin-svelte@7.0.0(svelte@5.55.3)(vite@8.0.8(jiti@2.6.1)))(svelte@5.55.3)(typescript@6.0.2)(vite@8.0.8(jiti@2.6.1))
       '@sveltejs/vite-plugin-svelte':
-        specifier: ^6.2.4
-        version: 6.2.4(svelte@5.53.12)(vite@7.3.1(jiti@2.6.1)(lightningcss@1.31.1))
+        specifier: ^7.0.0
+        version: 7.0.0(svelte@5.55.3)(vite@8.0.8(jiti@2.6.1))
       '@tailwindcss/vite':
         specifier: ^4.2.1
-        version: 4.2.1(vite@7.3.1(jiti@2.6.1)(lightningcss@1.31.1))
+        version: 4.2.2(vite@8.0.8(jiti@2.6.1))
       bits-ui:
         specifier: ^2.16.3
-        version: 2.16.3(@internationalized/date@3.12.0)(@sveltejs/kit@2.55.0(@sveltejs/vite-plugin-svelte@6.2.4(svelte@5.53.12)(vite@7.3.1(jiti@2.6.1)(lightningcss@1.31.1)))(svelte@5.53.12)(typescript@5.9.3)(vite@7.3.1(jiti@2.6.1)(lightningcss@1.31.1)))(svelte@5.53.12)
+        version: 2.17.3(@internationalized/date@3.12.0)(@sveltejs/kit@2.57.1(@sveltejs/vite-plugin-svelte@7.0.0(svelte@5.55.3)(vite@8.0.8(jiti@2.6.1)))(svelte@5.55.3)(typescript@6.0.2)(vite@8.0.8(jiti@2.6.1)))(svelte@5.55.3)
       svelte:
         specifier: ^5.51.0
-        version: 5.53.12
+        version: 5.55.3
       svelte-check:
         specifier: ^4.4.2
-        version: 4.4.5(picomatch@4.0.3)(svelte@5.53.12)(typescript@5.9.3)
+        version: 4.4.6(picomatch@4.0.4)(svelte@5.55.3)(typescript@6.0.2)
       tailwindcss:
         specifier: ^4.2.1
-        version: 4.2.1
+        version: 4.2.2
       typescript:
-        specifier: ^5.9.3
-        version: 5.9.3
+        specifier: ^6.0.2
+        version: 6.0.2
       vite:
-        specifier: ^7.3.1
-        version: 7.3.1(jiti@2.6.1)(lightningcss@1.31.1)
+        specifier: ^8.0.8
+        version: 8.0.8(jiti@2.6.1)
 
 packages:
 
-  '@esbuild/aix-ppc64@0.27.4':
-    resolution: {integrity: sha512-cQPwL2mp2nSmHHJlCyoXgHGhbEPMrEEU5xhkcy3Hs/O7nGZqEpZ2sUtLaL9MORLtDfRvVl2/3PAuEkYZH0Ty8Q==}
-    engines: {node: '>=18'}
-    cpu: [ppc64]
-    os: [aix]
+  '@emnapi/core@1.9.2':
+    resolution: {integrity: sha512-UC+ZhH3XtczQYfOlu3lNEkdW/p4dsJ1r/bP7H8+rhao3TTTMO1ATq/4DdIi23XuGoFY+Cz0JmCbdVl0hz9jZcA==}
 
-  '@esbuild/android-arm64@0.27.4':
-    resolution: {integrity: sha512-gdLscB7v75wRfu7QSm/zg6Rx29VLdy9eTr2t44sfTW7CxwAtQghZ4ZnqHk3/ogz7xao0QAgrkradbBzcqFPasw==}
-    engines: {node: '>=18'}
-    cpu: [arm64]
-    os: [android]
+  '@emnapi/runtime@1.9.2':
+    resolution: {integrity: sha512-3U4+MIWHImeyu1wnmVygh5WlgfYDtyf0k8AbLhMFxOipihf6nrWC4syIm/SwEeec0mNSafiiNnMJwbza/Is6Lw==}
 
-  '@esbuild/android-arm@0.27.4':
-    resolution: {integrity: sha512-X9bUgvxiC8CHAGKYufLIHGXPJWnr0OCdR0anD2e21vdvgCI8lIfqFbnoeOz7lBjdrAGUhqLZLcQo6MLhTO2DKQ==}
-    engines: {node: '>=18'}
-    cpu: [arm]
-    os: [android]
-
-  '@esbuild/android-x64@0.27.4':
-    resolution: {integrity: sha512-PzPFnBNVF292sfpfhiyiXCGSn9HZg5BcAz+ivBuSsl6Rk4ga1oEXAamhOXRFyMcjwr2DVtm40G65N3GLeH1Lvw==}
-    engines: {node: '>=18'}
-    cpu: [x64]
-    os: [android]
-
-  '@esbuild/darwin-arm64@0.27.4':
-    resolution: {integrity: sha512-b7xaGIwdJlht8ZFCvMkpDN6uiSmnxxK56N2GDTMYPr2/gzvfdQN8rTfBsvVKmIVY/X7EM+/hJKEIbbHs9oA4tQ==}
-    engines: {node: '>=18'}
-    cpu: [arm64]
-    os: [darwin]
-
-  '@esbuild/darwin-x64@0.27.4':
-    resolution: {integrity: sha512-sR+OiKLwd15nmCdqpXMnuJ9W2kpy0KigzqScqHI3Hqwr7IXxBp3Yva+yJwoqh7rE8V77tdoheRYataNKL4QrPw==}
-    engines: {node: '>=18'}
-    cpu: [x64]
-    os: [darwin]
-
-  '@esbuild/freebsd-arm64@0.27.4':
-    resolution: {integrity: sha512-jnfpKe+p79tCnm4GVav68A7tUFeKQwQyLgESwEAUzyxk/TJr4QdGog9sqWNcUbr/bZt/O/HXouspuQDd9JxFSw==}
-    engines: {node: '>=18'}
-    cpu: [arm64]
-    os: [freebsd]
-
-  '@esbuild/freebsd-x64@0.27.4':
-    resolution: {integrity: sha512-2kb4ceA/CpfUrIcTUl1wrP/9ad9Atrp5J94Lq69w7UwOMolPIGrfLSvAKJp0RTvkPPyn6CIWrNy13kyLikZRZQ==}
-    engines: {node: '>=18'}
-    cpu: [x64]
-    os: [freebsd]
-
-  '@esbuild/linux-arm64@0.27.4':
-    resolution: {integrity: sha512-7nQOttdzVGth1iz57kxg9uCz57dxQLHWxopL6mYuYthohPKEK0vU0C3O21CcBK6KDlkYVcnDXY099HcCDXd9dA==}
-    engines: {node: '>=18'}
-    cpu: [arm64]
-    os: [linux]
-
-  '@esbuild/linux-arm@0.27.4':
-    resolution: {integrity: sha512-aBYgcIxX/wd5n2ys0yESGeYMGF+pv6g0DhZr3G1ZG4jMfruU9Tl1i2Z+Wnj9/KjGz1lTLCcorqE2viePZqj4Eg==}
-    engines: {node: '>=18'}
-    cpu: [arm]
-    os: [linux]
-
-  '@esbuild/linux-ia32@0.27.4':
-    resolution: {integrity: sha512-oPtixtAIzgvzYcKBQM/qZ3R+9TEUd1aNJQu0HhGyqtx6oS7qTpvjheIWBbes4+qu1bNlo2V4cbkISr8q6gRBFA==}
-    engines: {node: '>=18'}
-    cpu: [ia32]
-    os: [linux]
-
-  '@esbuild/linux-loong64@0.27.4':
-    resolution: {integrity: sha512-8mL/vh8qeCoRcFH2nM8wm5uJP+ZcVYGGayMavi8GmRJjuI3g1v6Z7Ni0JJKAJW+m0EtUuARb6Lmp4hMjzCBWzA==}
-    engines: {node: '>=18'}
-    cpu: [loong64]
-    os: [linux]
-
-  '@esbuild/linux-mips64el@0.27.4':
-    resolution: {integrity: sha512-1RdrWFFiiLIW7LQq9Q2NES+HiD4NyT8Itj9AUeCl0IVCA459WnPhREKgwrpaIfTOe+/2rdntisegiPWn/r/aAw==}
-    engines: {node: '>=18'}
-    cpu: [mips64el]
-    os: [linux]
-
-  '@esbuild/linux-ppc64@0.27.4':
-    resolution: {integrity: sha512-tLCwNG47l3sd9lpfyx9LAGEGItCUeRCWeAx6x2Jmbav65nAwoPXfewtAdtbtit/pJFLUWOhpv0FpS6GQAmPrHA==}
-    engines: {node: '>=18'}
-    cpu: [ppc64]
-    os: [linux]
-
-  '@esbuild/linux-riscv64@0.27.4':
-    resolution: {integrity: sha512-BnASypppbUWyqjd1KIpU4AUBiIhVr6YlHx/cnPgqEkNoVOhHg+YiSVxM1RLfiy4t9cAulbRGTNCKOcqHrEQLIw==}
-    engines: {node: '>=18'}
-    cpu: [riscv64]
-    os: [linux]
-
-  '@esbuild/linux-s390x@0.27.4':
-    resolution: {integrity: sha512-+eUqgb/Z7vxVLezG8bVB9SfBie89gMueS+I0xYh2tJdw3vqA/0ImZJ2ROeWwVJN59ihBeZ7Tu92dF/5dy5FttA==}
-    engines: {node: '>=18'}
-    cpu: [s390x]
-    os: [linux]
-
-  '@esbuild/linux-x64@0.27.4':
-    resolution: {integrity: sha512-S5qOXrKV8BQEzJPVxAwnryi2+Iq5pB40gTEIT69BQONqR7JH1EPIcQ/Uiv9mCnn05jff9umq/5nqzxlqTOg9NA==}
-    engines: {node: '>=18'}
-    cpu: [x64]
-    os: [linux]
-
-  '@esbuild/netbsd-arm64@0.27.4':
-    resolution: {integrity: sha512-xHT8X4sb0GS8qTqiwzHqpY00C95DPAq7nAwX35Ie/s+LO9830hrMd3oX0ZMKLvy7vsonee73x0lmcdOVXFzd6Q==}
-    engines: {node: '>=18'}
-    cpu: [arm64]
-    os: [netbsd]
-
-  '@esbuild/netbsd-x64@0.27.4':
-    resolution: {integrity: sha512-RugOvOdXfdyi5Tyv40kgQnI0byv66BFgAqjdgtAKqHoZTbTF2QqfQrFwa7cHEORJf6X2ht+l9ABLMP0dnKYsgg==}
-    engines: {node: '>=18'}
-    cpu: [x64]
-    os: [netbsd]
-
-  '@esbuild/openbsd-arm64@0.27.4':
-    resolution: {integrity: sha512-2MyL3IAaTX+1/qP0O1SwskwcwCoOI4kV2IBX1xYnDDqthmq5ArrW94qSIKCAuRraMgPOmG0RDTA74mzYNQA9ow==}
-    engines: {node: '>=18'}
-    cpu: [arm64]
-    os: [openbsd]
-
-  '@esbuild/openbsd-x64@0.27.4':
-    resolution: {integrity: sha512-u8fg/jQ5aQDfsnIV6+KwLOf1CmJnfu1ShpwqdwC0uA7ZPwFws55Ngc12vBdeUdnuWoQYx/SOQLGDcdlfXhYmXQ==}
-    engines: {node: '>=18'}
-    cpu: [x64]
-    os: [openbsd]
-
-  '@esbuild/openharmony-arm64@0.27.4':
-    resolution: {integrity: sha512-JkTZrl6VbyO8lDQO3yv26nNr2RM2yZzNrNHEsj9bm6dOwwu9OYN28CjzZkH57bh4w0I2F7IodpQvUAEd1mbWXg==}
-    engines: {node: '>=18'}
-    cpu: [arm64]
-    os: [openharmony]
-
-  '@esbuild/sunos-x64@0.27.4':
-    resolution: {integrity: sha512-/gOzgaewZJfeJTlsWhvUEmUG4tWEY2Spp5M20INYRg2ZKl9QPO3QEEgPeRtLjEWSW8FilRNacPOg8R1uaYkA6g==}
-    engines: {node: '>=18'}
-    cpu: [x64]
-    os: [sunos]
-
-  '@esbuild/win32-arm64@0.27.4':
-    resolution: {integrity: sha512-Z9SExBg2y32smoDQdf1HRwHRt6vAHLXcxD2uGgO/v2jK7Y718Ix4ndsbNMU/+1Qiem9OiOdaqitioZwxivhXYg==}
-    engines: {node: '>=18'}
-    cpu: [arm64]
-    os: [win32]
-
-  '@esbuild/win32-ia32@0.27.4':
-    resolution: {integrity: sha512-DAyGLS0Jz5G5iixEbMHi5KdiApqHBWMGzTtMiJ72ZOLhbu/bzxgAe8Ue8CTS3n3HbIUHQz/L51yMdGMeoxXNJw==}
-    engines: {node: '>=18'}
-    cpu: [ia32]
-    os: [win32]
-
-  '@esbuild/win32-x64@0.27.4':
-    resolution: {integrity: sha512-+knoa0BDoeXgkNvvV1vvbZX4+hizelrkwmGJBdT17t8FNPwG2lKemmuMZlmaNQ3ws3DKKCxpb4zRZEIp3UxFCg==}
-    engines: {node: '>=18'}
-    cpu: [x64]
-    os: [win32]
+  '@emnapi/wasi-threads@1.2.1':
+    resolution: {integrity: sha512-uTII7OYF+/Mes/MrcIOYp5yOtSMLBWSIoLPpcgwipoiKbli6k322tcoFsxoIIxPDqW01SQGAgko4EzZi2BNv2w==}
 
   '@floating-ui/core@1.7.5':
     resolution: {integrity: sha512-1Ih4WTWyw0+lKyFMcBHGbb5U5FtuHJuujoyyr5zTaWS5EYMeT6Jb2AuDeftsCsEuchO+mM2ij5+q9crhydzLhQ==}
@@ -256,133 +121,140 @@ packages:
   '@kurkle/color@0.3.4':
     resolution: {integrity: sha512-M5UknZPHRu3DEDWoipU6sE8PdkZ6Z/S+v4dD+Ke8IaNlpdSQah50lz1KtcFBa2vsdOnwbbnxJwVM4wty6udA5w==}
 
+  '@napi-rs/wasm-runtime@1.1.3':
+    resolution: {integrity: sha512-xK9sGVbJWYb08+mTJt3/YV24WxvxpXcXtP6B172paPZ+Ts69Re9dAr7lKwJoeIx8OoeuimEiRZ7umkiUVClmmQ==}
+    peerDependencies:
+      '@emnapi/core': ^1.7.1
+      '@emnapi/runtime': ^1.7.1
+
+  '@oxc-project/types@0.124.0':
+    resolution: {integrity: sha512-VBFWMTBvHxS11Z5Lvlr3IWgrwhMTXV+Md+EQF0Xf60+wAdsGFTBx7X7K/hP4pi8N7dcm1RvcHwDxZ16Qx8keUg==}
+
   '@polka/url@1.0.0-next.29':
     resolution: {integrity: sha512-wwQAWhWSuHaag8c4q/KN/vCoeOJYshAIvMQwD4GpSb3OiZklFfvAgmj0VCBBImRpuF/aFgIRzllXlVX93Jevww==}
 
-  '@rollup/rollup-android-arm-eabi@4.59.0':
-    resolution: {integrity: sha512-upnNBkA6ZH2VKGcBj9Fyl9IGNPULcjXRlg0LLeaioQWueH30p6IXtJEbKAgvyv+mJaMxSm1l6xwDXYjpEMiLMg==}
-    cpu: [arm]
-    os: [android]
-
-  '@rollup/rollup-android-arm64@4.59.0':
-    resolution: {integrity: sha512-hZ+Zxj3SySm4A/DylsDKZAeVg0mvi++0PYVceVyX7hemkw7OreKdCvW2oQ3T1FMZvCaQXqOTHb8qmBShoqk69Q==}
+  '@rolldown/binding-android-arm64@1.0.0-rc.15':
+    resolution: {integrity: sha512-YYe6aWruPZDtHNpwu7+qAHEMbQ/yRl6atqb/AhznLTnD3UY99Q1jE7ihLSahNWkF4EqRPVC4SiR4O0UkLK02tA==}
+    engines: {node: ^20.19.0 || >=22.12.0}
     cpu: [arm64]
     os: [android]
 
-  '@rollup/rollup-darwin-arm64@4.59.0':
-    resolution: {integrity: sha512-W2Psnbh1J8ZJw0xKAd8zdNgF9HRLkdWwwdWqubSVk0pUuQkoHnv7rx4GiF9rT4t5DIZGAsConRE3AxCdJ4m8rg==}
+  '@rolldown/binding-darwin-arm64@1.0.0-rc.15':
+    resolution: {integrity: sha512-oArR/ig8wNTPYsXL+Mzhs0oxhxfuHRfG7Ikw7jXsw8mYOtk71W0OkF2VEVh699pdmzjPQsTjlD1JIOoHkLP1Fg==}
+    engines: {node: ^20.19.0 || >=22.12.0}
     cpu: [arm64]
     os: [darwin]
 
-  '@rollup/rollup-darwin-x64@4.59.0':
-    resolution: {integrity: sha512-ZW2KkwlS4lwTv7ZVsYDiARfFCnSGhzYPdiOU4IM2fDbL+QGlyAbjgSFuqNRbSthybLbIJ915UtZBtmuLrQAT/w==}
+  '@rolldown/binding-darwin-x64@1.0.0-rc.15':
+    resolution: {integrity: sha512-YzeVqOqjPYvUbJSWJ4EDL8ahbmsIXQpgL3JVipmN+MX0XnXMeWomLN3Fb+nwCmP/jfyqte5I3XRSm7OfQrbyxw==}
+    engines: {node: ^20.19.0 || >=22.12.0}
     cpu: [x64]
     os: [darwin]
 
-  '@rollup/rollup-freebsd-arm64@4.59.0':
-    resolution: {integrity: sha512-EsKaJ5ytAu9jI3lonzn3BgG8iRBjV4LxZexygcQbpiU0wU0ATxhNVEpXKfUa0pS05gTcSDMKpn3Sx+QB9RlTTA==}
-    cpu: [arm64]
-    os: [freebsd]
-
-  '@rollup/rollup-freebsd-x64@4.59.0':
-    resolution: {integrity: sha512-d3DuZi2KzTMjImrxoHIAODUZYoUUMsuUiY4SRRcJy6NJoZ6iIqWnJu9IScV9jXysyGMVuW+KNzZvBLOcpdl3Vg==}
+  '@rolldown/binding-freebsd-x64@1.0.0-rc.15':
+    resolution: {integrity: sha512-9Erhx956jeQ0nNTyif1+QWAXDRD38ZNjr//bSHrt6wDwB+QkAfl2q6Mn1k6OBPerznjRmbM10lgRb1Pli4xZPw==}
+    engines: {node: ^20.19.0 || >=22.12.0}
     cpu: [x64]
     os: [freebsd]
 
-  '@rollup/rollup-linux-arm-gnueabihf@4.59.0':
-    resolution: {integrity: sha512-t4ONHboXi/3E0rT6OZl1pKbl2Vgxf9vJfWgmUoCEVQVxhW6Cw/c8I6hbbu7DAvgp82RKiH7TpLwxnJeKv2pbsw==}
+  '@rolldown/binding-linux-arm-gnueabihf@1.0.0-rc.15':
+    resolution: {integrity: sha512-cVwk0w8QbZJGTnP/AHQBs5yNwmpgGYStL88t4UIaqcvYJWBfS0s3oqVLZPwsPU6M0zlW4GqjP0Zq5MnAGwFeGA==}
+    engines: {node: ^20.19.0 || >=22.12.0}
     cpu: [arm]
     os: [linux]
 
-  '@rollup/rollup-linux-arm-musleabihf@4.59.0':
-    resolution: {integrity: sha512-CikFT7aYPA2ufMD086cVORBYGHffBo4K8MQ4uPS/ZnY54GKj36i196u8U+aDVT2LX4eSMbyHtyOh7D7Zvk2VvA==}
-    cpu: [arm]
-    os: [linux]
-
-  '@rollup/rollup-linux-arm64-gnu@4.59.0':
-    resolution: {integrity: sha512-jYgUGk5aLd1nUb1CtQ8E+t5JhLc9x5WdBKew9ZgAXg7DBk0ZHErLHdXM24rfX+bKrFe+Xp5YuJo54I5HFjGDAA==}
+  '@rolldown/binding-linux-arm64-gnu@1.0.0-rc.15':
+    resolution: {integrity: sha512-eBZ/u8iAK9SoHGanqe/jrPnY0JvBN6iXbVOsbO38mbz+ZJsaobExAm1Iu+rxa4S1l2FjG0qEZn4Rc6X8n+9M+w==}
+    engines: {node: ^20.19.0 || >=22.12.0}
     cpu: [arm64]
     os: [linux]
 
-  '@rollup/rollup-linux-arm64-musl@4.59.0':
-    resolution: {integrity: sha512-peZRVEdnFWZ5Bh2KeumKG9ty7aCXzzEsHShOZEFiCQlDEepP1dpUl/SrUNXNg13UmZl+gzVDPsiCwnV1uI0RUA==}
+  '@rolldown/binding-linux-arm64-musl@1.0.0-rc.15':
+    resolution: {integrity: sha512-ZvRYMGrAklV9PEkgt4LQM6MjQX2P58HPAuecwYObY2DhS2t35R0I810bKi0wmaYORt6m/2Sm+Z+nFgb0WhXNcQ==}
+    engines: {node: ^20.19.0 || >=22.12.0}
     cpu: [arm64]
     os: [linux]
 
-  '@rollup/rollup-linux-loong64-gnu@4.59.0':
-    resolution: {integrity: sha512-gbUSW/97f7+r4gHy3Jlup8zDG190AuodsWnNiXErp9mT90iCy9NKKU0Xwx5k8VlRAIV2uU9CsMnEFg/xXaOfXg==}
-    cpu: [loong64]
-    os: [linux]
-
-  '@rollup/rollup-linux-loong64-musl@4.59.0':
-    resolution: {integrity: sha512-yTRONe79E+o0FWFijasoTjtzG9EBedFXJMl888NBEDCDV9I2wGbFFfJQQe63OijbFCUZqxpHz1GzpbtSFikJ4Q==}
-    cpu: [loong64]
-    os: [linux]
-
-  '@rollup/rollup-linux-ppc64-gnu@4.59.0':
-    resolution: {integrity: sha512-sw1o3tfyk12k3OEpRddF68a1unZ5VCN7zoTNtSn2KndUE+ea3m3ROOKRCZxEpmT9nsGnogpFP9x6mnLTCaoLkA==}
+  '@rolldown/binding-linux-ppc64-gnu@1.0.0-rc.15':
+    resolution: {integrity: sha512-VDpgGBzgfg5hLg+uBpCLoFG5kVvEyafmfxGUV0UHLcL5irxAK7PKNeC2MwClgk6ZAiNhmo9FLhRYgvMmedLtnQ==}
+    engines: {node: ^20.19.0 || >=22.12.0}
     cpu: [ppc64]
     os: [linux]
 
-  '@rollup/rollup-linux-ppc64-musl@4.59.0':
-    resolution: {integrity: sha512-+2kLtQ4xT3AiIxkzFVFXfsmlZiG5FXYW7ZyIIvGA7Bdeuh9Z0aN4hVyXS/G1E9bTP/vqszNIN/pUKCk/BTHsKA==}
-    cpu: [ppc64]
-    os: [linux]
-
-  '@rollup/rollup-linux-riscv64-gnu@4.59.0':
-    resolution: {integrity: sha512-NDYMpsXYJJaj+I7UdwIuHHNxXZ/b/N2hR15NyH3m2qAtb/hHPA4g4SuuvrdxetTdndfj9b1WOmy73kcPRoERUg==}
-    cpu: [riscv64]
-    os: [linux]
-
-  '@rollup/rollup-linux-riscv64-musl@4.59.0':
-    resolution: {integrity: sha512-nLckB8WOqHIf1bhymk+oHxvM9D3tyPndZH8i8+35p/1YiVoVswPid2yLzgX7ZJP0KQvnkhM4H6QZ5m0LzbyIAg==}
-    cpu: [riscv64]
-    os: [linux]
-
-  '@rollup/rollup-linux-s390x-gnu@4.59.0':
-    resolution: {integrity: sha512-oF87Ie3uAIvORFBpwnCvUzdeYUqi2wY6jRFWJAy1qus/udHFYIkplYRW+wo+GRUP4sKzYdmE1Y3+rY5Gc4ZO+w==}
+  '@rolldown/binding-linux-s390x-gnu@1.0.0-rc.15':
+    resolution: {integrity: sha512-y1uXY3qQWCzcPgRJATPSOUP4tCemh4uBdY7e3EZbVwCJTY3gLJWnQABgeUetvED+bt1FQ01OeZwvhLS2bpNrAQ==}
+    engines: {node: ^20.19.0 || >=22.12.0}
     cpu: [s390x]
     os: [linux]
 
-  '@rollup/rollup-linux-x64-gnu@4.59.0':
-    resolution: {integrity: sha512-3AHmtQq/ppNuUspKAlvA8HtLybkDflkMuLK4DPo77DfthRb71V84/c4MlWJXixZz4uruIH4uaa07IqoAkG64fg==}
+  '@rolldown/binding-linux-x64-gnu@1.0.0-rc.15':
+    resolution: {integrity: sha512-023bTPBod7J3Y/4fzAN6QtpkSABR0rigtrwaP+qSEabUh5zf6ELr9Nc7GujaROuPY3uwdSIXWrvhn1KxOvurWA==}
+    engines: {node: ^20.19.0 || >=22.12.0}
     cpu: [x64]
     os: [linux]
 
-  '@rollup/rollup-linux-x64-musl@4.59.0':
-    resolution: {integrity: sha512-2UdiwS/9cTAx7qIUZB/fWtToJwvt0Vbo0zmnYt7ED35KPg13Q0ym1g442THLC7VyI6JfYTP4PiSOWyoMdV2/xg==}
+  '@rolldown/binding-linux-x64-musl@1.0.0-rc.15':
+    resolution: {integrity: sha512-witB2O0/hU4CgfOOKUoeFgQ4GktPi1eEbAhaLAIpgD6+ZnhcPkUtPsoKKHRzmOoWPZue46IThdSgdo4XneOLYw==}
+    engines: {node: ^20.19.0 || >=22.12.0}
     cpu: [x64]
     os: [linux]
 
-  '@rollup/rollup-openbsd-x64@4.59.0':
-    resolution: {integrity: sha512-M3bLRAVk6GOwFlPTIxVBSYKUaqfLrn8l0psKinkCFxl4lQvOSz8ZrKDz2gxcBwHFpci0B6rttydI4IpS4IS/jQ==}
-    cpu: [x64]
-    os: [openbsd]
-
-  '@rollup/rollup-openharmony-arm64@4.59.0':
-    resolution: {integrity: sha512-tt9KBJqaqp5i5HUZzoafHZX8b5Q2Fe7UjYERADll83O4fGqJ49O1FsL6LpdzVFQcpwvnyd0i+K/VSwu/o/nWlA==}
+  '@rolldown/binding-openharmony-arm64@1.0.0-rc.15':
+    resolution: {integrity: sha512-UCL68NJ0Ud5zRipXZE9dF5PmirzJE4E4BCIOOssEnM7wLDsxjc6Qb0sGDxTNRTP53I6MZpygyCpY8Aa8sPfKPg==}
+    engines: {node: ^20.19.0 || >=22.12.0}
     cpu: [arm64]
     os: [openharmony]
 
-  '@rollup/rollup-win32-arm64-msvc@4.59.0':
-    resolution: {integrity: sha512-V5B6mG7OrGTwnxaNUzZTDTjDS7F75PO1ae6MJYdiMu60sq0CqN5CVeVsbhPxalupvTX8gXVSU9gq+Rx1/hvu6A==}
+  '@rolldown/binding-wasm32-wasi@1.0.0-rc.15':
+    resolution: {integrity: sha512-ApLruZq/ig+nhaE7OJm4lDjayUnOHVUa77zGeqnqZ9pn0ovdVbbNPerVibLXDmWeUZXjIYIT8V3xkT58Rm9u5Q==}
+    engines: {node: '>=14.0.0'}
+    cpu: [wasm32]
+
+  '@rolldown/binding-win32-arm64-msvc@1.0.0-rc.15':
+    resolution: {integrity: sha512-KmoUoU7HnN+Si5YWJigfTws1jz1bKBYDQKdbLspz0UaqjjFkddHsqorgiW1mxcAj88lYUE6NC/zJNwT+SloqtA==}
+    engines: {node: ^20.19.0 || >=22.12.0}
     cpu: [arm64]
     os: [win32]
 
-  '@rollup/rollup-win32-ia32-msvc@4.59.0':
-    resolution: {integrity: sha512-UKFMHPuM9R0iBegwzKF4y0C4J9u8C6MEJgFuXTBerMk7EJ92GFVFYBfOZaSGLu6COf7FxpQNqhNS4c4icUPqxA==}
-    cpu: [ia32]
-    os: [win32]
-
-  '@rollup/rollup-win32-x64-gnu@4.59.0':
-    resolution: {integrity: sha512-laBkYlSS1n2L8fSo1thDNGrCTQMmxjYY5G0WFWjFFYZkKPjsMBsgJfGf4TLxXrF6RyhI60L8TMOjBMvXiTcxeA==}
+  '@rolldown/binding-win32-x64-msvc@1.0.0-rc.15':
+    resolution: {integrity: sha512-3P2A8L+x75qavWLe/Dll3EYBJLQmtkJN8rfh+U/eR3MqMgL/h98PhYI+JFfXuDPgPeCB7iZAKiqii5vqOvnA0g==}
+    engines: {node: ^20.19.0 || >=22.12.0}
     cpu: [x64]
     os: [win32]
 
-  '@rollup/rollup-win32-x64-msvc@4.59.0':
-    resolution: {integrity: sha512-2HRCml6OztYXyJXAvdDXPKcawukWY2GpR5/nxKp4iBgiO3wcoEGkAaqctIbZcNB6KlUQBIqt8VYkNSj2397EfA==}
-    cpu: [x64]
-    os: [win32]
+  '@rolldown/pluginutils@1.0.0-rc.15':
+    resolution: {integrity: sha512-UromN0peaE53IaBRe9W7CjrZgXl90fqGpK+mIZbA3qSTeYqg3pqpROBdIPvOG3F5ereDHNwoHBI2e50n1BDr1g==}
+
+  '@shikijs/core@4.0.2':
+    resolution: {integrity: sha512-hxT0YF4ExEqB8G/qFdtJvpmHXBYJ2lWW7qTHDarVkIudPFE6iCIrqdgWxGn5s+ppkGXI0aEGlibI0PAyzP3zlw==}
+    engines: {node: '>=20'}
+
+  '@shikijs/engine-javascript@4.0.2':
+    resolution: {integrity: sha512-7PW0Nm49DcoUIQEXlJhNNBHyoGMjalRETTCcjMqEaMoJRLljy1Bi/EGV3/qLBgLKQejdspiiYuHGQW6dX94Nag==}
+    engines: {node: '>=20'}
+
+  '@shikijs/engine-oniguruma@4.0.2':
+    resolution: {integrity: sha512-UpCB9Y2sUKlS9z8juFSKz7ZtysmeXCgnRF0dlhXBkmQnek7lAToPte8DkxmEYGNTMii72zU/lyXiCB6StuZeJg==}
+    engines: {node: '>=20'}
+
+  '@shikijs/langs@4.0.2':
+    resolution: {integrity: sha512-KaXby5dvoeuZzN0rYQiPMjFoUrz4hgwIE+D6Du9owcHcl6/g16/yT5BQxSW5cGt2MZBz6Hl0YuRqf12omRfUUg==}
+    engines: {node: '>=20'}
+
+  '@shikijs/primitive@4.0.2':
+    resolution: {integrity: sha512-M6UMPrSa3fN5ayeJwFVl9qWofl273wtK1VG8ySDZ1mQBfhCpdd8nEx7nPZ/tk7k+TYcpqBZzj/AnwxT9lO+HJw==}
+    engines: {node: '>=20'}
+
+  '@shikijs/themes@4.0.2':
+    resolution: {integrity: sha512-mjCafwt8lJJaVSsQvNVrJumbnnj1RI8jbUKrPKgE6E3OvQKxnuRoBaYC51H4IGHePsGN/QtALglWBU7DoKDFnA==}
+    engines: {node: '>=20'}
+
+  '@shikijs/types@4.0.2':
+    resolution: {integrity: sha512-qzbeRooUTPnLE+sHD/Z8DStmaDgnbbc/pMrU203950aRqjX/6AFHeDYT+j00y2lPdz0ywJKx7o/7qnqTivtlXg==}
+    engines: {node: '>=20'}
+
+  '@shikijs/vscode-textmate@10.0.2':
+    resolution: {integrity: sha512-83yeghZ2xxin3Nj8z1NMd/NCuca+gsYXswywDy5bHvwlWL8tpTQmzGeUuHd9FC3E/SBEMvzJRwWEOz5gGes9Qg==}
 
   '@standard-schema/spec@1.1.0':
     resolution: {integrity: sha512-l2aFy5jALhniG5HgqrD6jXLi/rUWrKvqN/qJx6yoJsgKhblVd+iqqU4RCXavm/jPityDo5TCvKMnpjKnOriy0w==}
@@ -397,15 +269,15 @@ packages:
     peerDependencies:
       '@sveltejs/kit': ^2.0.0
 
-  '@sveltejs/kit@2.55.0':
-    resolution: {integrity: sha512-MdFRjevVxmAknf2NbaUkDF16jSIzXMWd4Nfah0Qp8TtQVoSp3bV4jKt8mX7z7qTUTWvgSaxtR0EG5WJf53gcuA==}
+  '@sveltejs/kit@2.57.1':
+    resolution: {integrity: sha512-VRdSbB96cI1EnRh09CqmnQqP/YJvET5buj8S6k7CxaJqBJD4bw4fRKDjcarAj/eX9k2eHifQfDH8NtOh+ZxxPw==}
     engines: {node: '>=18.13'}
     hasBin: true
     peerDependencies:
       '@opentelemetry/api': ^1.0.0
       '@sveltejs/vite-plugin-svelte': ^3.0.0 || ^4.0.0-next.1 || ^5.0.0 || ^6.0.0-next.0 || ^7.0.0
       svelte: ^4.0.0 || ^5.0.0-next.0
-      typescript: ^5.3.3
+      typescript: ^5.3.3 || ^6.0.0
       vite: ^5.0.3 || ^6.0.0 || ^7.0.0-beta.0 || ^8.0.0
     peerDependenciesMeta:
       '@opentelemetry/api':
@@ -413,83 +285,75 @@ packages:
       typescript:
         optional: true
 
-  '@sveltejs/vite-plugin-svelte-inspector@5.0.2':
-    resolution: {integrity: sha512-TZzRTcEtZffICSAoZGkPSl6Etsj2torOVrx6Uw0KpXxrec9Gg6jFWQ60Q3+LmNGfZSxHRCZL7vXVZIWmuV50Ig==}
+  '@sveltejs/vite-plugin-svelte@7.0.0':
+    resolution: {integrity: sha512-ILXmxC7HAsnkK2eslgPetrqqW1BKSL7LktsFgqzNj83MaivMGZzluWq32m25j2mDOjmSKX7GGWahePhuEs7P/g==}
     engines: {node: ^20.19 || ^22.12 || >=24}
     peerDependencies:
-      '@sveltejs/vite-plugin-svelte': ^6.0.0-next.0
-      svelte: ^5.0.0
-      vite: ^6.3.0 || ^7.0.0
+      svelte: ^5.46.4
+      vite: ^8.0.0-beta.7 || ^8.0.0
 
-  '@sveltejs/vite-plugin-svelte@6.2.4':
-    resolution: {integrity: sha512-ou/d51QSdTyN26D7h6dSpusAKaZkAiGM55/AKYi+9AGZw7q85hElbjK3kEyzXHhLSnRISHOYzVge6x0jRZ7DXA==}
-    engines: {node: ^20.19 || ^22.12 || >=24}
-    peerDependencies:
-      svelte: ^5.0.0
-      vite: ^6.3.0 || ^7.0.0
+  '@swc/helpers@0.5.21':
+    resolution: {integrity: sha512-jI/VAmtdjB/RnI8GTnokyX7Ug8c+g+ffD6QRLa6XQewtnGyukKkKSk3wLTM3b5cjt1jNh9x0jfVlagdN2gDKQg==}
 
-  '@swc/helpers@0.5.19':
-    resolution: {integrity: sha512-QamiFeIK3txNjgUTNppE6MiG3p7TdninpZu0E0PbqVh1a9FNLT2FRhisaa4NcaX52XVhA5l7Pk58Ft7Sqi/2sA==}
+  '@tailwindcss/node@4.2.2':
+    resolution: {integrity: sha512-pXS+wJ2gZpVXqFaUEjojq7jzMpTGf8rU6ipJz5ovJV6PUGmlJ+jvIwGrzdHdQ80Sg+wmQxUFuoW1UAAwHNEdFA==}
 
-  '@tailwindcss/node@4.2.1':
-    resolution: {integrity: sha512-jlx6sLk4EOwO6hHe1oCGm1Q4AN/s0rSrTTPBGPM0/RQ6Uylwq17FuU8IeJJKEjtc6K6O07zsvP+gDO6MMWo7pg==}
-
-  '@tailwindcss/oxide-android-arm64@4.2.1':
-    resolution: {integrity: sha512-eZ7G1Zm5EC8OOKaesIKuw77jw++QJ2lL9N+dDpdQiAB/c/B2wDh0QPFHbkBVrXnwNugvrbJFk1gK2SsVjwWReg==}
+  '@tailwindcss/oxide-android-arm64@4.2.2':
+    resolution: {integrity: sha512-dXGR1n+P3B6748jZO/SvHZq7qBOqqzQ+yFrXpoOWWALWndF9MoSKAT3Q0fYgAzYzGhxNYOoysRvYlpixRBBoDg==}
     engines: {node: '>= 20'}
     cpu: [arm64]
     os: [android]
 
-  '@tailwindcss/oxide-darwin-arm64@4.2.1':
-    resolution: {integrity: sha512-q/LHkOstoJ7pI1J0q6djesLzRvQSIfEto148ppAd+BVQK0JYjQIFSK3JgYZJa+Yzi0DDa52ZsQx2rqytBnf8Hw==}
+  '@tailwindcss/oxide-darwin-arm64@4.2.2':
+    resolution: {integrity: sha512-iq9Qjr6knfMpZHj55/37ouZeykwbDqF21gPFtfnhCCKGDcPI/21FKC9XdMO/XyBM7qKORx6UIhGgg6jLl7BZlg==}
     engines: {node: '>= 20'}
     cpu: [arm64]
     os: [darwin]
 
-  '@tailwindcss/oxide-darwin-x64@4.2.1':
-    resolution: {integrity: sha512-/f/ozlaXGY6QLbpvd/kFTro2l18f7dHKpB+ieXz+Cijl4Mt9AI2rTrpq7V+t04nK+j9XBQHnSMdeQRhbGyt6fw==}
+  '@tailwindcss/oxide-darwin-x64@4.2.2':
+    resolution: {integrity: sha512-BlR+2c3nzc8f2G639LpL89YY4bdcIdUmiOOkv2GQv4/4M0vJlpXEa0JXNHhCHU7VWOKWT/CjqHdTP8aUuDJkuw==}
     engines: {node: '>= 20'}
     cpu: [x64]
     os: [darwin]
 
-  '@tailwindcss/oxide-freebsd-x64@4.2.1':
-    resolution: {integrity: sha512-5e/AkgYJT/cpbkys/OU2Ei2jdETCLlifwm7ogMC7/hksI2fC3iiq6OcXwjibcIjPung0kRtR3TxEITkqgn0TcA==}
+  '@tailwindcss/oxide-freebsd-x64@4.2.2':
+    resolution: {integrity: sha512-YUqUgrGMSu2CDO82hzlQ5qSb5xmx3RUrke/QgnoEx7KvmRJHQuZHZmZTLSuuHwFf0DJPybFMXMYf+WJdxHy/nQ==}
     engines: {node: '>= 20'}
     cpu: [x64]
     os: [freebsd]
 
-  '@tailwindcss/oxide-linux-arm-gnueabihf@4.2.1':
-    resolution: {integrity: sha512-Uny1EcVTTmerCKt/1ZuKTkb0x8ZaiuYucg2/kImO5A5Y/kBz41/+j0gxUZl+hTF3xkWpDmHX+TaWhOtba2Fyuw==}
+  '@tailwindcss/oxide-linux-arm-gnueabihf@4.2.2':
+    resolution: {integrity: sha512-FPdhvsW6g06T9BWT0qTwiVZYE2WIFo2dY5aCSpjG/S/u1tby+wXoslXS0kl3/KXnULlLr1E3NPRRw0g7t2kgaQ==}
     engines: {node: '>= 20'}
     cpu: [arm]
     os: [linux]
 
-  '@tailwindcss/oxide-linux-arm64-gnu@4.2.1':
-    resolution: {integrity: sha512-CTrwomI+c7n6aSSQlsPL0roRiNMDQ/YzMD9EjcR+H4f0I1SQ8QqIuPnsVp7QgMkC1Qi8rtkekLkOFjo7OlEFRQ==}
+  '@tailwindcss/oxide-linux-arm64-gnu@4.2.2':
+    resolution: {integrity: sha512-4og1V+ftEPXGttOO7eCmW7VICmzzJWgMx+QXAJRAhjrSjumCwWqMfkDrNu1LXEQzNAwz28NCUpucgQPrR4S2yw==}
     engines: {node: '>= 20'}
     cpu: [arm64]
     os: [linux]
 
-  '@tailwindcss/oxide-linux-arm64-musl@4.2.1':
-    resolution: {integrity: sha512-WZA0CHRL/SP1TRbA5mp9htsppSEkWuQ4KsSUumYQnyl8ZdT39ntwqmz4IUHGN6p4XdSlYfJwM4rRzZLShHsGAQ==}
+  '@tailwindcss/oxide-linux-arm64-musl@4.2.2':
+    resolution: {integrity: sha512-oCfG/mS+/+XRlwNjnsNLVwnMWYH7tn/kYPsNPh+JSOMlnt93mYNCKHYzylRhI51X+TbR+ufNhhKKzm6QkqX8ag==}
     engines: {node: '>= 20'}
     cpu: [arm64]
     os: [linux]
 
-  '@tailwindcss/oxide-linux-x64-gnu@4.2.1':
-    resolution: {integrity: sha512-qMFzxI2YlBOLW5PhblzuSWlWfwLHaneBE0xHzLrBgNtqN6mWfs+qYbhryGSXQjFYB1Dzf5w+LN5qbUTPhW7Y5g==}
+  '@tailwindcss/oxide-linux-x64-gnu@4.2.2':
+    resolution: {integrity: sha512-rTAGAkDgqbXHNp/xW0iugLVmX62wOp2PoE39BTCGKjv3Iocf6AFbRP/wZT/kuCxC9QBh9Pu8XPkv/zCZB2mcMg==}
     engines: {node: '>= 20'}
     cpu: [x64]
     os: [linux]
 
-  '@tailwindcss/oxide-linux-x64-musl@4.2.1':
-    resolution: {integrity: sha512-5r1X2FKnCMUPlXTWRYpHdPYUY6a1Ar/t7P24OuiEdEOmms5lyqjDRvVY1yy9Rmioh+AunQ0rWiOTPE8F9A3v5g==}
+  '@tailwindcss/oxide-linux-x64-musl@4.2.2':
+    resolution: {integrity: sha512-XW3t3qwbIwiSyRCggeO2zxe3KWaEbM0/kW9e8+0XpBgyKU4ATYzcVSMKteZJ1iukJ3HgHBjbg9P5YPRCVUxlnQ==}
     engines: {node: '>= 20'}
     cpu: [x64]
     os: [linux]
 
-  '@tailwindcss/oxide-wasm32-wasi@4.2.1':
-    resolution: {integrity: sha512-MGFB5cVPvshR85MTJkEvqDUnuNoysrsRxd6vnk1Lf2tbiqNlXpHYZqkqOQalydienEWOHHFyyuTSYRsLfxFJ2Q==}
+  '@tailwindcss/oxide-wasm32-wasi@4.2.2':
+    resolution: {integrity: sha512-eKSztKsmEsn1O5lJ4ZAfyn41NfG7vzCg496YiGtMDV86jz1q/irhms5O0VrY6ZwTUkFy/EKG3RfWgxSI3VbZ8Q==}
     engines: {node: '>=14.0.0'}
     cpu: [wasm32]
     bundledDependencies:
@@ -500,26 +364,29 @@ packages:
       - '@emnapi/wasi-threads'
       - tslib
 
-  '@tailwindcss/oxide-win32-arm64-msvc@4.2.1':
-    resolution: {integrity: sha512-YlUEHRHBGnCMh4Nj4GnqQyBtsshUPdiNroZj8VPkvTZSoHsilRCwXcVKnG9kyi0ZFAS/3u+qKHBdDc81SADTRA==}
+  '@tailwindcss/oxide-win32-arm64-msvc@4.2.2':
+    resolution: {integrity: sha512-qPmaQM4iKu5mxpsrWZMOZRgZv1tOZpUm+zdhhQP0VhJfyGGO3aUKdbh3gDZc/dPLQwW4eSqWGrrcWNBZWUWaXQ==}
     engines: {node: '>= 20'}
     cpu: [arm64]
     os: [win32]
 
-  '@tailwindcss/oxide-win32-x64-msvc@4.2.1':
-    resolution: {integrity: sha512-rbO34G5sMWWyrN/idLeVxAZgAKWrn5LiR3/I90Q9MkA67s6T1oB0xtTe+0heoBvHSpbU9Mk7i6uwJnpo4u21XQ==}
+  '@tailwindcss/oxide-win32-x64-msvc@4.2.2':
+    resolution: {integrity: sha512-1T/37VvI7WyH66b+vqHj/cLwnCxt7Qt3WFu5Q8hk65aOvlwAhs7rAp1VkulBJw/N4tMirXjVnylTR72uI0HGcA==}
     engines: {node: '>= 20'}
     cpu: [x64]
     os: [win32]
 
-  '@tailwindcss/oxide@4.2.1':
-    resolution: {integrity: sha512-yv9jeEFWnjKCI6/T3Oq50yQEOqmpmpfzG1hcZsAOaXFQPfzWprWrlHSdGPEF3WQTi8zu8ohC9Mh9J470nT5pUw==}
+  '@tailwindcss/oxide@4.2.2':
+    resolution: {integrity: sha512-qEUA07+E5kehxYp9BVMpq9E8vnJuBHfJEC0vPC5e7iL/hw7HR61aDKoVoKzrG+QKp56vhNZe4qwkRmMC0zDLvg==}
     engines: {node: '>= 20'}
 
-  '@tailwindcss/vite@4.2.1':
-    resolution: {integrity: sha512-TBf2sJjYeb28jD2U/OhwdW0bbOsxkWPwQ7SrqGf9sVcoYwZj7rkXljroBO9wKBut9XnmQLXanuDUeqQK0lGg/w==}
+  '@tailwindcss/vite@4.2.2':
+    resolution: {integrity: sha512-mEiF5HO1QqCLXoNEfXVA1Tzo+cYsrqV7w9Juj2wdUFyW07JRenqMG225MvPwr3ZD9N1bFQj46X7r33iHxLUW0w==}
     peerDependencies:
-      vite: ^5.2.0 || ^6 || ^7
+      vite: ^5.2.0 || ^6 || ^7 || ^8
+
+  '@tybys/wasm-util@0.10.1':
+    resolution: {integrity: sha512-9tTaPJLSiejZKx+Bmog4uSubteqTvFrVrURwkmHixBo0G4seD0zUxp98E1DzUBJxLQ3NPwXrGKDiVjwx/DpPsg==}
 
   '@types/cookie@0.6.0':
     resolution: {integrity: sha512-4Kh9a6B2bQciAhf7FSuMRRkUWecJgJu9nPnx3yzpsfXX/c50REIqpHY4C82bXP90qrLtXtkDxTZosYO3UpOwlA==}
@@ -527,12 +394,29 @@ packages:
   '@types/estree@1.0.8':
     resolution: {integrity: sha512-dWHzHa2WqEXI/O1E9OjrocMTKJl2mSrEolh1Iomrv6U+JuNwaHXsXx9bLu5gG7BUWFIN0skIQJQ/L1rIex4X6w==}
 
+  '@types/hast@3.0.4':
+    resolution: {integrity: sha512-WPs+bbQw5aCj+x6laNGWLH3wviHtoCv/P3+otBhbOhJgG8qtpdAMlTCxLtsTWA7LH1Oh/bFCHsBn0TPS5m30EQ==}
+
+  '@types/mdast@4.0.4':
+    resolution: {integrity: sha512-kGaNbPh1k7AFzgpud/gMdvIm5xuECykRR+JnWKQno9TAXVa6WIVCGTPvYGekIDL4uwCZQSYbUxNBSb1aUo79oA==}
+
   '@types/trusted-types@2.0.7':
     resolution: {integrity: sha512-ScaPdn1dQczgbl0QFTeTOmVHFULt394XJgOQNoyVhZ6r2vLnMLJfBPd53SB52T/3G36VI1/g2MZaX0cwDuXsfw==}
 
-  '@typescript-eslint/types@8.57.1':
-    resolution: {integrity: sha512-S29BOBPJSFUiblEl6RzPPjJt6w25A6XsBqRVDt53tA/tlL8q7ceQNZHTjPeONt/3S7KRI4quk+yP9jK2WjBiPQ==}
-    engines: {node: ^18.18.0 || ^20.9.0 || >=21.1.0}
+  '@types/unist@3.0.3':
+    resolution: {integrity: sha512-ko/gIFJRv177XgZsZcBwnqJN5x/Gien8qNOn0D5bQU/zAzVf9Zt3BlcUiLqhV9y4ARk0GbT3tnUiPNgnTXzc/Q==}
+
+  '@ungap/structured-clone@1.3.0':
+    resolution: {integrity: sha512-WmoN8qaIAo7WTYWbAZuG8PYEhn5fkz7dZrqTBZ7dtt//lL2Gwms1IcnQ5yHqjDfX8Ft5j4YzDM23f87zBfDe9g==}
+
+  '@xterm/addon-fit@0.11.0':
+    resolution: {integrity: sha512-jYcgT6xtVYhnhgxh3QgYDnnNMYTcf8ElbxxFzX0IZo+vabQqSPAjC3c1wJrKB5E19VwQei89QCiZZP86DCPF7g==}
+
+  '@xterm/addon-web-links@0.12.0':
+    resolution: {integrity: sha512-4Smom3RPyVp7ZMYOYDoC/9eGJJJqYhnPLGGqJ6wOBfB8VxPViJNSKdgRYb8NpaM6YSelEKbA2SStD7lGyqaobw==}
+
+  '@xterm/xterm@6.0.0':
+    resolution: {integrity: sha512-TQwDdQGtwwDt+2cgKDLn0IRaSxYu1tSUjgKarSDkUM0ZNiSRXFpjxEsvc/Zgc5kq5omJ+V0a8/kIM2WD3sMOYg==}
 
   acorn@8.16.0:
     resolution: {integrity: sha512-UVJyE9MttOsBQIDKw1skb9nAwQuR5wuGD3+82K6JgJlm/Y+KI92oNsMNGZCYdDsVtRHSak0pcV5Dno5+4jh9sw==}
@@ -547,13 +431,22 @@ packages:
     resolution: {integrity: sha512-qIj0G9wZbMGNLjLmg1PT6v2mE9AH2zlnADJD/2tC6E00hgmhUOfEB6greHPAfLRSufHqROIUTkw6E+M3lH0PTQ==}
     engines: {node: '>= 0.4'}
 
-  bits-ui@2.16.3:
-    resolution: {integrity: sha512-5hJ5dEhf5yPzkRFcxzgQHScGodeo0gK0MUUXrdLlRHWaBOBGZiacWLG96j/wwFatKwZvouw7q+sn14i0fx3RIg==}
+  bits-ui@2.17.3:
+    resolution: {integrity: sha512-Bef41uY9U2jaBJHPhcPvmBNkGec5Wx2z6eioDsTmsaR2vH4QoaOcPi75gzCG3+/2TNr6v/qBwzgWNPYCxNtrEA==}
     engines: {node: '>=20'}
     peerDependencies:
       '@internationalized/date': ^3.8.1
       svelte: ^5.33.0
 
+  ccount@2.0.1:
+    resolution: {integrity: sha512-eyrF0jiFpY+3drT6383f1qhkbGsLSifNAjA61IUjZjmLCWjItY6LB9ft9YhoDgwfmclB2zhu51Lc7+95b8NRAg==}
+
+  character-entities-html4@2.1.0:
+    resolution: {integrity: sha512-1v7fgQRj6hnSwFpq1Eu0ynr/CDEw0rXo2B61qXrLNdHZmPKgb7fqS1a2JwF0rISo9q77jDI8VMEHoApn8qDoZA==}
+
+  character-entities-legacy@3.0.0:
+    resolution: {integrity: sha512-RpPp0asT/6ufRm//AJVwpViZbGM/MkjQFxJccQRHmISF/22NBtsHqAWmL+/pmkPWoIUJdWyeVleTl1wydHATVQ==}
+
   chart.js@4.5.1:
     resolution: {integrity: sha512-GIjfiT9dbmHRiYi6Nl2yFCq7kkwdkp1W/lp2J99rX0yo9tgJGn3lKQATztIjb5tVtevcBtIdICNWqlq5+E8/Pw==}
     engines: {pnpm: '>=8'}
@@ -566,6 +459,9 @@ packages:
     resolution: {integrity: sha512-eYm0QWBtUrBWZWG0d386OGAw16Z995PiOVo2B7bjWSbHedGl5e0ZWaq65kOGgUSNesEIDkB9ISbTg/JK9dhCZA==}
     engines: {node: '>=6'}
 
+  comma-separated-tokens@2.0.3:
+    resolution: {integrity: sha512-Fu4hJdvzeylCfQPp9SGWidpzrMs7tTrlu6Vb8XGaRGck8QSNZJJp538Wrb60Lax4fPwR64ViY468OIUTbRlGZg==}
+
   cookie@0.6.0:
     resolution: {integrity: sha512-U71cyTamuh1CRNCfpGY6to28lxvNwPG4Guz/EVjgf3Jmzv0vlDp1atT9eS5dDjMYHucpHbWns6Lwf3BKz6svdw==}
     engines: {node: '>= 0.6'}
@@ -582,23 +478,26 @@ packages:
     resolution: {integrity: sha512-Btj2BOOO83o3WyH59e8MgXsxEQVcarkUOpEYrubB0urwnN10yQ364rsiByU11nZlqWYZm05i/of7io4mzihBtQ==}
     engines: {node: '>=8'}
 
-  devalue@5.6.4:
-    resolution: {integrity: sha512-Gp6rDldRsFh/7XuouDbxMH3Mx8GMCcgzIb1pDTvNyn8pZGQ22u+Wa+lGV9dQCltFQ7uVw0MhRyb8XDskNFOReA==}
+  devalue@5.7.1:
+    resolution: {integrity: sha512-MUbZ586EgQqdRnC4yDrlod3BEdyvE4TapGYHMW2CiaW+KkkFmWEFqBUaLltEZCGi0iFXCEjRF0OjF0DV2QHjOA==}
+
+  devlop@1.1.0:
+    resolution: {integrity: sha512-RWmIqhcFf1lRYBvNmr7qTNuyCt/7/ns2jbpp1+PalgE/rDQcBT0fioSMUpJ93irlUhC5hrg4cYqe6U+0ImW0rA==}
 
   enhanced-resolve@5.20.1:
     resolution: {integrity: sha512-Qohcme7V1inbAfvjItgw0EaxVX5q2rdVEZHRBrEQdRZTssLDGsL8Lwrznl8oQ/6kuTJONLaDcGjkNP247XEhcA==}
     engines: {node: '>=10.13.0'}
 
-  esbuild@0.27.4:
-    resolution: {integrity: sha512-Rq4vbHnYkK5fws5NF7MYTU68FPRE1ajX7heQ/8QXXWqNgqqJ/GkmmyxIzUnf2Sr/bakf8l54716CcMGHYhMrrQ==}
-    engines: {node: '>=18'}
-    hasBin: true
-
   esm-env@1.2.2:
     resolution: {integrity: sha512-Epxrv+Nr/CaL4ZcFGPJIYLWFom+YeV1DqMLHJoEd9SYRxNbaFruBwfEX/kkHUJf55j2+TUbmDcmuilbP1TmXHA==}
 
-  esrap@2.2.4:
-    resolution: {integrity: sha512-suICpxAmZ9A8bzJjEl/+rLJiDKC0X4gYWUxT6URAWBLvlXmtbZd5ySMu/N2ZGEtMCAmflUDPSehrP9BQcsGcSg==}
+  esrap@2.2.5:
+    resolution: {integrity: sha512-/yLB1538mag+dn0wsePTe8C0rDIjUOaJpMs2McodSzmM2msWcZsBSdRtg6HOBt0A/r82BN+Md3pgwSc/uWt2Ig==}
+    peerDependencies:
+      '@typescript-eslint/types': ^8.2.0
+    peerDependenciesMeta:
+      '@typescript-eslint/types':
+        optional: true
 
   fdir@6.5.0:
     resolution: {integrity: sha512-tIbYtZbucOs0BRGqPJkshJUYdL+SDH7dVM8gjy+ERp3WAUjLEFJE+02kanyHtwjWOnwrKYBiwAmM0p4kLJAnXg==}
@@ -617,6 +516,15 @@ packages:
   graceful-fs@4.2.11:
     resolution: {integrity: sha512-RbJ5/jmFcNNCcDV5o9eTnBLJ/HszWV0P73bc+Ff4nS/rJj+YaS6IGyiOL0VoBYX+l1Wrl3k63h/KrH+nhJ0XvQ==}
 
+  hast-util-to-html@9.0.5:
+    resolution: {integrity: sha512-OguPdidb+fbHQSU4Q4ZiLKnzWo8Wwsf5bZfbvu7//a9oTYoqD/fWpe96NuHkoS9h0ccGOTe0C4NGXdtS0iObOw==}
+
+  hast-util-whitespace@3.0.0:
+    resolution: {integrity: sha512-88JUN06ipLwsnv+dVn+OIYOvAuvBMy/Qoi6O7mQHxdPXpjy+Cd6xRkWwux7DKO+4sYILtLBRIKgsdpS2gQc7qw==}
+
+  html-void-elements@3.0.0:
+    resolution: {integrity: sha512-bEqo66MRXsUGxWHV5IP0PUiAWwoEjba4VCzg0LjFJBpchPaTfyfCKTG6bc5F8ucKec3q5y6qOdGyYTSBEvhCrg==}
+
   inline-style-parser@0.2.7:
     resolution: {integrity: sha512-Nb2ctOyNR8DqQoR0OwRG95uNWIC0C1lCgf5Naz5H6Ji72KZ8OcFZLz2P5sNgwlyoJ8Yif11oMuYs5pBQa86csA==}
 
@@ -631,74 +539,74 @@ packages:
     resolution: {integrity: sha512-o+NO+8WrRiQEE4/7nwRJhN1HWpVmJm511pBHUxPLtp0BUISzlBplORYSmTclCnJvQq2tKu/sgl3xVpkc7ZWuQQ==}
     engines: {node: '>=6'}
 
-  lightningcss-android-arm64@1.31.1:
-    resolution: {integrity: sha512-HXJF3x8w9nQ4jbXRiNppBCqeZPIAfUo8zE/kOEGbW5NZvGc/K7nMxbhIr+YlFlHW5mpbg/YFPdbnCh1wAXCKFg==}
+  lightningcss-android-arm64@1.32.0:
+    resolution: {integrity: sha512-YK7/ClTt4kAK0vo6w3X+Pnm0D2cf2vPHbhOXdoNti1Ga0al1P4TBZhwjATvjNwLEBCnKvjJc2jQgHXH0NEwlAg==}
     engines: {node: '>= 12.0.0'}
     cpu: [arm64]
     os: [android]
 
-  lightningcss-darwin-arm64@1.31.1:
-    resolution: {integrity: sha512-02uTEqf3vIfNMq3h/z2cJfcOXnQ0GRwQrkmPafhueLb2h7mqEidiCzkE4gBMEH65abHRiQvhdcQ+aP0D0g67sg==}
+  lightningcss-darwin-arm64@1.32.0:
+    resolution: {integrity: sha512-RzeG9Ju5bag2Bv1/lwlVJvBE3q6TtXskdZLLCyfg5pt+HLz9BqlICO7LZM7VHNTTn/5PRhHFBSjk5lc4cmscPQ==}
     engines: {node: '>= 12.0.0'}
     cpu: [arm64]
     os: [darwin]
 
-  lightningcss-darwin-x64@1.31.1:
-    resolution: {integrity: sha512-1ObhyoCY+tGxtsz1lSx5NXCj3nirk0Y0kB/g8B8DT+sSx4G9djitg9ejFnjb3gJNWo7qXH4DIy2SUHvpoFwfTA==}
+  lightningcss-darwin-x64@1.32.0:
+    resolution: {integrity: sha512-U+QsBp2m/s2wqpUYT/6wnlagdZbtZdndSmut/NJqlCcMLTWp5muCrID+K5UJ6jqD2BFshejCYXniPDbNh73V8w==}
     engines: {node: '>= 12.0.0'}
     cpu: [x64]
     os: [darwin]
 
-  lightningcss-freebsd-x64@1.31.1:
-    resolution: {integrity: sha512-1RINmQKAItO6ISxYgPwszQE1BrsVU5aB45ho6O42mu96UiZBxEXsuQ7cJW4zs4CEodPUioj/QrXW1r9pLUM74A==}
+  lightningcss-freebsd-x64@1.32.0:
+    resolution: {integrity: sha512-JCTigedEksZk3tHTTthnMdVfGf61Fky8Ji2E4YjUTEQX14xiy/lTzXnu1vwiZe3bYe0q+SpsSH/CTeDXK6WHig==}
     engines: {node: '>= 12.0.0'}
     cpu: [x64]
     os: [freebsd]
 
-  lightningcss-linux-arm-gnueabihf@1.31.1:
-    resolution: {integrity: sha512-OOCm2//MZJ87CdDK62rZIu+aw9gBv4azMJuA8/KB74wmfS3lnC4yoPHm0uXZ/dvNNHmnZnB8XLAZzObeG0nS1g==}
+  lightningcss-linux-arm-gnueabihf@1.32.0:
+    resolution: {integrity: sha512-x6rnnpRa2GL0zQOkt6rts3YDPzduLpWvwAF6EMhXFVZXD4tPrBkEFqzGowzCsIWsPjqSK+tyNEODUBXeeVHSkw==}
     engines: {node: '>= 12.0.0'}
     cpu: [arm]
     os: [linux]
 
-  lightningcss-linux-arm64-gnu@1.31.1:
-    resolution: {integrity: sha512-WKyLWztD71rTnou4xAD5kQT+982wvca7E6QoLpoawZ1gP9JM0GJj4Tp5jMUh9B3AitHbRZ2/H3W5xQmdEOUlLg==}
+  lightningcss-linux-arm64-gnu@1.32.0:
+    resolution: {integrity: sha512-0nnMyoyOLRJXfbMOilaSRcLH3Jw5z9HDNGfT/gwCPgaDjnx0i8w7vBzFLFR1f6CMLKF8gVbebmkUN3fa/kQJpQ==}
     engines: {node: '>= 12.0.0'}
     cpu: [arm64]
     os: [linux]
 
-  lightningcss-linux-arm64-musl@1.31.1:
-    resolution: {integrity: sha512-mVZ7Pg2zIbe3XlNbZJdjs86YViQFoJSpc41CbVmKBPiGmC4YrfeOyz65ms2qpAobVd7WQsbW4PdsSJEMymyIMg==}
+  lightningcss-linux-arm64-musl@1.32.0:
+    resolution: {integrity: sha512-UpQkoenr4UJEzgVIYpI80lDFvRmPVg6oqboNHfoH4CQIfNA+HOrZ7Mo7KZP02dC6LjghPQJeBsvXhJod/wnIBg==}
     engines: {node: '>= 12.0.0'}
     cpu: [arm64]
     os: [linux]
 
-  lightningcss-linux-x64-gnu@1.31.1:
-    resolution: {integrity: sha512-xGlFWRMl+0KvUhgySdIaReQdB4FNudfUTARn7q0hh/V67PVGCs3ADFjw+6++kG1RNd0zdGRlEKa+T13/tQjPMA==}
+  lightningcss-linux-x64-gnu@1.32.0:
+    resolution: {integrity: sha512-V7Qr52IhZmdKPVr+Vtw8o+WLsQJYCTd8loIfpDaMRWGUZfBOYEJeyJIkqGIDMZPwPx24pUMfwSxxI8phr/MbOA==}
     engines: {node: '>= 12.0.0'}
     cpu: [x64]
     os: [linux]
 
-  lightningcss-linux-x64-musl@1.31.1:
-    resolution: {integrity: sha512-eowF8PrKHw9LpoZii5tdZwnBcYDxRw2rRCyvAXLi34iyeYfqCQNA9rmUM0ce62NlPhCvof1+9ivRaTY6pSKDaA==}
+  lightningcss-linux-x64-musl@1.32.0:
+    resolution: {integrity: sha512-bYcLp+Vb0awsiXg/80uCRezCYHNg1/l3mt0gzHnWV9XP1W5sKa5/TCdGWaR/zBM2PeF/HbsQv/j2URNOiVuxWg==}
     engines: {node: '>= 12.0.0'}
     cpu: [x64]
     os: [linux]
 
-  lightningcss-win32-arm64-msvc@1.31.1:
-    resolution: {integrity: sha512-aJReEbSEQzx1uBlQizAOBSjcmr9dCdL3XuC/6HLXAxmtErsj2ICo5yYggg1qOODQMtnjNQv2UHb9NpOuFtYe4w==}
+  lightningcss-win32-arm64-msvc@1.32.0:
+    resolution: {integrity: sha512-8SbC8BR40pS6baCM8sbtYDSwEVQd4JlFTOlaD3gWGHfThTcABnNDBda6eTZeqbofalIJhFx0qKzgHJmcPTnGdw==}
     engines: {node: '>= 12.0.0'}
     cpu: [arm64]
     os: [win32]
 
-  lightningcss-win32-x64-msvc@1.31.1:
-    resolution: {integrity: sha512-I9aiFrbd7oYHwlnQDqr1Roz+fTz61oDDJX7n9tYF9FJymH1cIN1DtKw3iYt6b8WZgEjoNwVSncwF4wx/ZedMhw==}
+  lightningcss-win32-x64-msvc@1.32.0:
+    resolution: {integrity: sha512-Amq9B/SoZYdDi1kFrojnoqPLxYhQ4Wo5XiL8EVJrVsB8ARoC1PWW6VGtT0WKCemjy8aC+louJnjS7U18x3b06Q==}
     engines: {node: '>= 12.0.0'}
     cpu: [x64]
     os: [win32]
 
-  lightningcss@1.31.1:
-    resolution: {integrity: sha512-l51N2r93WmGUye3WuFoN5k10zyvrVs0qfKBhyC5ogUQ6Ew6JUSswh78mbSO+IU3nTWsyOArqPCcShdQSadghBQ==}
+  lightningcss@1.32.0:
+    resolution: {integrity: sha512-NXYBzinNrblfraPGyrbPoD19C1h9lfI/1mzgWYvXUTe414Gz/X1FD2XBZSZM7rRTrMA8JL3OtAaGifrIKhQ5yQ==}
     engines: {node: '>= 12.0.0'}
 
   locate-character@3.0.0:
@@ -711,6 +619,24 @@ packages:
   magic-string@0.30.21:
     resolution: {integrity: sha512-vd2F4YUyEXKGcLHoq+TEyCjxueSeHnFxyyjNp80yg0XV4vUhnDer/lvvlqM/arB5bXQN5K2/3oinyCRyx8T2CQ==}
 
+  mdast-util-to-hast@13.2.1:
+    resolution: {integrity: sha512-cctsq2wp5vTsLIcaymblUriiTcZd0CwWtCbLvrOzYCDZoWyMNV8sZ7krj09FSnsiJi3WVsHLM4k6Dq/yaPyCXA==}
+
+  micromark-util-character@2.1.1:
+    resolution: {integrity: sha512-wv8tdUTJ3thSFFFJKtpYKOYiGP2+v96Hvk4Tu8KpCAsTMs6yi+nVmGh1syvSCsaxz45J6Jbw+9DD6g97+NV67Q==}
+
+  micromark-util-encode@2.0.1:
+    resolution: {integrity: sha512-c3cVx2y4KqUnwopcO9b/SCdo2O67LwJJ/UyqGfbigahfegL9myoEFoDYZgkT7f36T0bLrM9hZTAaAyH+PCAXjw==}
+
+  micromark-util-sanitize-uri@2.0.1:
+    resolution: {integrity: sha512-9N9IomZ/YuGGZZmQec1MbgxtlgougxTodVwDzzEouPKo3qFWvymFHWcnDi2vzV1ff6kas9ucW+o3yzJK9YB1AQ==}
+
+  micromark-util-symbol@2.0.1:
+    resolution: {integrity: sha512-vs5t8Apaud9N28kgCrRUdEed4UJ+wWNvicHLPxCa9ENlYuAY31M0ETy5y1vA33YoNPDFTghEbnh6efaE8h4x0Q==}
+
+  micromark-util-types@2.0.2:
+    resolution: {integrity: sha512-Yw0ECSpJoViF1qTU4DC6NwtC4aWGt1EkzaQB8KPPyCRR8z9TWeV0HbEFGTO+ZY1wB22zmxnJqhPyTpOVCpeHTA==}
+
   mri@1.2.0:
     resolution: {integrity: sha512-tzzskb3bG8LvYGFF/mDTpq3jpI6Q9wc3LEmBaghu+DdCssd1FakN7Bc0hVNmEyGq1bq3RgfkCb3cmQLpNPOroA==}
     engines: {node: '>=4'}
@@ -727,24 +653,42 @@ packages:
   obug@2.1.1:
     resolution: {integrity: sha512-uTqF9MuPraAQ+IsnPf366RG4cP9RtUi7MLO1N3KEc+wb0a6yKpeL0lmk2IB1jY5KHPAlTc6T/JRdC/YqxHNwkQ==}
 
+  oniguruma-parser@0.12.1:
+    resolution: {integrity: sha512-8Unqkvk1RYc6yq2WBYRj4hdnsAxVze8i7iPfQr8e4uSP3tRv0rpZcbGUDvxfQQcdwHt/e9PrMvGCsa8OqG9X3w==}
+
+  oniguruma-to-es@4.3.5:
+    resolution: {integrity: sha512-Zjygswjpsewa0NLTsiizVuMQZbp0MDyM6lIt66OxsF21npUDlzpHi1Mgb/qhQdkb+dWFTzJmFbEWdvZgRho8eQ==}
+
   picocolors@1.1.1:
     resolution: {integrity: sha512-xceH2snhtb5M9liqDsmEw56le376mTZkEX/jEb/RxNFyegNul7eNslCXP9FDj/Lcu0X8KEyMceP2ntpaHrDEVA==}
 
-  picomatch@4.0.3:
-    resolution: {integrity: sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==}
+  picomatch@4.0.4:
+    resolution: {integrity: sha512-QP88BAKvMam/3NxH6vj2o21R6MjxZUAd6nlwAS/pnGvN9IVLocLHxGYIzFhg6fUQ+5th6P4dv4eW9jX3DSIj7A==}
     engines: {node: '>=12'}
 
-  postcss@8.5.8:
-    resolution: {integrity: sha512-OW/rX8O/jXnm82Ey1k44pObPtdblfiuWnrd8X7GJ7emImCOstunGbXUpp7HdBrFQX6rJzn3sPT397Wp5aCwCHg==}
+  postcss@8.5.9:
+    resolution: {integrity: sha512-7a70Nsot+EMX9fFU3064K/kdHWZqGVY+BADLyXc8Dfv+mTLLVl6JzJpPaCZ2kQL9gIJvKXSLMHhqdRRjwQeFtw==}
     engines: {node: ^10 || ^12 || >=14}
 
+  property-information@7.1.0:
+    resolution: {integrity: sha512-TwEZ+X+yCJmYfL7TPUOcvBZ4QfoT5YenQiJuX//0th53DE6w0xxLEtfK3iyryQFddXuvkIk51EEgrJQ0WJkOmQ==}
+
   readdirp@4.1.2:
     resolution: {integrity: sha512-GDhwkLfywWL2s6vEjyhri+eXmfH6j1L7JE27WhqLeYzoh/A3DBaYGEj2H/HFZCn/kMfim73FXxEJTw06WtxQwg==}
     engines: {node: '>= 14.18.0'}
 
-  rollup@4.59.0:
-    resolution: {integrity: sha512-2oMpl67a3zCH9H79LeMcbDhXW/UmWG/y2zuqnF2jQq5uq9TbM9TVyXvA4+t+ne2IIkBdrLpAaRQAvo7YI/Yyeg==}
-    engines: {node: '>=18.0.0', npm: '>=8.0.0'}
+  regex-recursion@6.0.2:
+    resolution: {integrity: sha512-0YCaSCq2VRIebiaUviZNs0cBz1kg5kVS2UKUfNIx8YVs1cN3AV7NTctO5FOKBA+UT2BPJIWZauYHPqJODG50cg==}
+
+  regex-utilities@2.3.0:
+    resolution: {integrity: sha512-8VhliFJAWRaUiVvREIiW2NXXTmHs4vMNnSzuJVhscgmGav3g9VDxLrQndI3dZZVVdp0ZO/5v0xmX516/7M9cng==}
+
+  regex@6.1.0:
+    resolution: {integrity: sha512-6VwtthbV4o/7+OaAF9I5L5V3llLEsoPyq9P1JVXkedTP33c7MfCG0/5NOPcSJn0TzXcG9YUrR0gQSWioew3LDg==}
+
+  rolldown@1.0.0-rc.15:
+    resolution: {integrity: sha512-Ff31guA5zT6WjnGp0SXw76X6hzGRk/OQq2hE+1lcDe+lJdHSgnSX6nK3erbONHyCbpSj9a9E+uX/OvytZoWp2g==}
+    engines: {node: ^20.19.0 || >=22.12.0}
     hasBin: true
 
   runed@0.35.1:
@@ -760,8 +704,12 @@ packages:
     resolution: {integrity: sha512-xal3CZX1Xlo/k4ApwCFrHVACi9fBqJ7V+mwhBsuf/1IOKbBy098Fex+Wa/5QMubw09pSZ/u8EY8PWgevJsXp1A==}
     engines: {node: '>=6'}
 
-  set-cookie-parser@3.0.1:
-    resolution: {integrity: sha512-n7Z7dXZhJbwuAHhNzkTti6Aw9QDDjZtm3JTpTGATIdNzdQz5GuFs22w90BcvF4INfnrL5xrX3oGsuqO5Dx3A1Q==}
+  set-cookie-parser@3.1.0:
+    resolution: {integrity: sha512-kjnC1DXBHcxaOaOXBHBeRtltsDG2nUiUni+jP92M9gYdW12rsmx92UsfpH7o5tDRs7I1ZZPSQJQGv3UaRfCiuw==}
+
+  shiki@4.0.2:
+    resolution: {integrity: sha512-eAVKTMedR5ckPo4xne/PjYQYrU3qx78gtJZ+sHlXEg5IHhhoQhMfZVzetTYuaJS0L2Ef3AcCRzCHV8T0WI6nIQ==}
+    engines: {node: '>=20'}
 
   sirv@3.0.2:
     resolution: {integrity: sha512-2wcC/oGxHis/BoHkkPwldgiPSYcpZK3JU28WoMVv55yHJgcZ8rlXvuG9iZggz+sU1d4bRgIGASwyWqjxu3FM0g==}
@@ -771,11 +719,17 @@ packages:
     resolution: {integrity: sha512-UXWMKhLOwVKb728IUtQPXxfYU+usdybtUrK/8uGE8CQMvrhOpwvzDBwj0QhSL7MQc7vIsISBG8VQ8+IDQxpfQA==}
     engines: {node: '>=0.10.0'}
 
+  space-separated-tokens@2.0.2:
+    resolution: {integrity: sha512-PEGlAwrG8yXGXRjW32fGbg66JAlOAwbObuqVoJpv/mRgoWDQfgH1wDPvtzWyUSNAXBGSk8h755YDbbcEy3SH2Q==}
+
+  stringify-entities@4.0.4:
+    resolution: {integrity: sha512-IwfBptatlO+QCJUo19AqvrPNqlVMpW9YEL2LIVY+Rpv2qsjCGxaDLNRgeGsQWJhfItebuJhsGSLjaBbNSQ+ieg==}
+
   style-to-object@1.0.14:
     resolution: {integrity: sha512-LIN7rULI0jBscWQYaSswptyderlarFkjQ+t79nzty8tcIAceVomEVlLzH5VP4Cmsv6MtKhs7qaAiwlcp+Mgaxw==}
 
-  svelte-check@4.4.5:
-    resolution: {integrity: sha512-1bSwIRCvvmSHrlK52fOlZmVtUZgil43jNL/2H18pRpa+eQjzGt6e3zayxhp1S7GajPFKNM/2PMCG+DZFHlG9fw==}
+  svelte-check@4.4.6:
+    resolution: {integrity: sha512-kP1zG81EWaFe9ZyTv4ZXv44Csi6Pkdpb7S3oj6m+K2ec/IcDg/a8LsFsnVLqm2nxtkSwsd5xPj/qFkTBgXHXjg==}
     engines: {node: '>= 18.0.0'}
     hasBin: true
     peerDependencies:
@@ -788,45 +742,70 @@ packages:
     peerDependencies:
       svelte: ^5.30.2
 
-  svelte@5.53.12:
-    resolution: {integrity: sha512-4x/uk4rQe/d7RhfvS8wemTfNjQ0bJbKvamIzRBfTe2eHHjzBZ7PZicUQrC2ryj83xxEacfA1zHKd1ephD1tAxA==}
+  svelte@5.55.3:
+    resolution: {integrity: sha512-dS1N+i3bA1v+c4UDb750MlN5vCO82G6vxh8HeTsPsTdJ1BLsN1zxSyDlIdBBqUjqZ/BxEwM8UrFf98aaoVnZFQ==}
     engines: {node: '>=18'}
 
   tabbable@6.4.0:
     resolution: {integrity: sha512-05PUHKSNE8ou2dwIxTngl4EzcnsCDZGJ/iCLtDflR/SHB/ny14rXc+qU5P4mG9JkusiV7EivzY9Mhm55AzAvCg==}
 
-  tailwindcss@4.2.1:
-    resolution: {integrity: sha512-/tBrSQ36vCleJkAOsy9kbNTgaxvGbyOamC30PRePTQe/o1MFwEKHQk4Cn7BNGaPtjp+PuUrByJehM1hgxfq4sw==}
+  tailwindcss@4.2.2:
+    resolution: {integrity: sha512-KWBIxs1Xb6NoLdMVqhbhgwZf2PGBpPEiwOqgI4pFIYbNTfBXiKYyWoTsXgBQ9WFg/OlhnvHaY+AEpW7wSmFo2Q==}
 
-  tapable@2.3.0:
-    resolution: {integrity: sha512-g9ljZiwki/LfxmQADO3dEY1CbpmXT5Hm2fJ+QaGKwSXUylMybePR7/67YW7jOrrvjEgL1Fmz5kzyAjWVWLlucg==}
+  tapable@2.3.2:
+    resolution: {integrity: sha512-1MOpMXuhGzGL5TTCZFItxCc0AARf1EZFQkGqMm7ERKj8+Hgr5oLvJOVFcC+lRmR8hCe2S3jC4T5D7Vg/d7/fhA==}
     engines: {node: '>=6'}
 
-  tinyglobby@0.2.15:
-    resolution: {integrity: sha512-j2Zq4NyQYG5XMST4cbs02Ak8iJUdxRM0XI5QyxXuZOzKOINmWurp3smXu3y5wDcJrptwpSjgXHzIQxR0omXljQ==}
+  tinyglobby@0.2.16:
+    resolution: {integrity: sha512-pn99VhoACYR8nFHhxqix+uvsbXineAasWm5ojXoN8xEwK5Kd3/TrhNn1wByuD52UxWRLy8pu+kRMniEi6Eq9Zg==}
     engines: {node: '>=12.0.0'}
 
   totalist@3.0.1:
     resolution: {integrity: sha512-sf4i37nQ2LBx4m3wB74y+ubopq6W/dIzXg0FDGjsYnZHVa1Da8FH853wlL2gtUhg+xJXjfk3kUZS3BRoQeoQBQ==}
     engines: {node: '>=6'}
 
+  trim-lines@3.0.1:
+    resolution: {integrity: sha512-kRj8B+YHZCc9kQYdWfJB2/oUl9rA99qbowYYBtr4ui4mZyAQ2JpvVBd/6U2YloATfqBhBTSMhTpgBHtU0Mf3Rg==}
+
   tslib@2.8.1:
     resolution: {integrity: sha512-oJFu94HQb+KVduSUQL7wnpmqnfmLsOA/nAh6b6EH0wCEoK0/mPeXU6c3wKDV83MkOuHPRHtSXKKU99IBazS/2w==}
 
-  typescript@5.9.3:
-    resolution: {integrity: sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw==}
+  typescript@6.0.2:
+    resolution: {integrity: sha512-bGdAIrZ0wiGDo5l8c++HWtbaNCWTS4UTv7RaTH/ThVIgjkveJt83m74bBHMJkuCbslY8ixgLBVZJIOiQlQTjfQ==}
     engines: {node: '>=14.17'}
     hasBin: true
 
-  vite@7.3.1:
-    resolution: {integrity: sha512-w+N7Hifpc3gRjZ63vYBXA56dvvRlNWRczTdmCBBa+CotUzAPf5b7YMdMR/8CQoeYE5LX3W4wj6RYTgonm1b9DA==}
+  unist-util-is@6.0.1:
+    resolution: {integrity: sha512-LsiILbtBETkDz8I9p1dQ0uyRUWuaQzd/cuEeS1hoRSyW5E5XGmTzlwY1OrNzzakGowI9Dr/I8HVaw4hTtnxy8g==}
+
+  unist-util-position@5.0.0:
+    resolution: {integrity: sha512-fucsC7HjXvkB5R3kTCO7kUjRdrS0BJt3M/FPxmHMBOm8JQi2BsHAHFsy27E0EolP8rp0NzXsJ+jNPyDWvOJZPA==}
+
+  unist-util-stringify-position@4.0.0:
+    resolution: {integrity: sha512-0ASV06AAoKCDkS2+xw5RXJywruurpbC4JZSm7nr7MOt1ojAzvyyaO+UxZf18j8FCF6kmzCZKcAgN/yu2gm2XgQ==}
+
+  unist-util-visit-parents@6.0.2:
+    resolution: {integrity: sha512-goh1s1TBrqSqukSc8wrjwWhL0hiJxgA8m4kFxGlQ+8FYQ3C/m11FcTs4YYem7V664AhHVvgoQLk890Ssdsr2IQ==}
+
+  unist-util-visit@5.1.0:
+    resolution: {integrity: sha512-m+vIdyeCOpdr/QeQCu2EzxX/ohgS8KbnPDgFni4dQsfSCtpz8UqDyY5GjRru8PDKuYn7Fq19j1CQ+nJSsGKOzg==}
+
+  vfile-message@4.0.3:
+    resolution: {integrity: sha512-QTHzsGd1EhbZs4AsQ20JX1rC3cOlt/IWJruk893DfLRr57lcnOeMaWG4K0JrRta4mIJZKth2Au3mM3u03/JWKw==}
+
+  vfile@6.0.3:
+    resolution: {integrity: sha512-KzIbH/9tXat2u30jf+smMwFCsno4wHVdNmzFyL+T/L3UGqqk6JKfVqOFOZEpZSHADH1k40ab6NUIXZq422ov3Q==}
+
+  vite@8.0.8:
+    resolution: {integrity: sha512-dbU7/iLVa8KZALJyLOBOQ88nOXtNG8vxKuOT4I2mD+Ya70KPceF4IAmDsmU0h1Qsn5bPrvsY9HJstCRh3hG6Uw==}
     engines: {node: ^20.19.0 || >=22.12.0}
     hasBin: true
     peerDependencies:
       '@types/node': ^20.19.0 || >=22.12.0
+      '@vitejs/devtools': ^0.1.0
+      esbuild: ^0.27.0 || ^0.28.0
       jiti: '>=1.21.0'
       less: ^4.0.0
-      lightningcss: ^1.21.0
       sass: ^1.70.0
       sass-embedded: ^1.70.0
       stylus: '>=0.54.8'
@@ -837,12 +816,14 @@ packages:
     peerDependenciesMeta:
       '@types/node':
         optional: true
+      '@vitejs/devtools':
+        optional: true
+      esbuild:
+        optional: true
       jiti:
         optional: true
       less:
         optional: true
-      lightningcss:
-        optional: true
       sass:
         optional: true
       sass-embedded:
@@ -858,10 +839,10 @@ packages:
       yaml:
         optional: true
 
-  vitefu@1.1.2:
-    resolution: {integrity: sha512-zpKATdUbzbsycPFBN71nS2uzBUQiVnFoOrr2rvqv34S1lcAgMKKkjWleLGeiJlZ8lwCXvtWaRn7R3ZC16SYRuw==}
+  vitefu@1.1.3:
+    resolution: {integrity: sha512-ub4okH7Z5KLjb6hDyjqrGXqWtWvoYdU3IGm/NorpgHncKoLTCfRIbvlhBm7r0YstIaQRYlp4yEbFqDcKSzXSSg==}
     peerDependencies:
-      vite: ^3.0.0 || ^4.0.0 || ^5.0.0 || ^6.0.0 || ^7.0.0 || ^8.0.0-beta.0
+      vite: ^3.0.0 || ^4.0.0 || ^5.0.0 || ^6.0.0 || ^7.0.0 || ^8.0.0
     peerDependenciesMeta:
       vite:
         optional: true
@@ -869,84 +850,25 @@ packages:
   zimmerframe@1.1.4:
     resolution: {integrity: sha512-B58NGBEoc8Y9MWWCQGl/gq9xBCe4IiKM0a2x7GZdQKOW5Exr8S1W24J6OgM1njK8xCRGvAJIL/MxXHf6SkmQKQ==}
 
+  zwitch@2.0.4:
+    resolution: {integrity: sha512-bXE4cR/kVZhKZX/RjPEflHaKVhUVl85noU3v6b8apfQEc1x4A+zBxjZ4lN8LqGd6WZ3dl98pY4o717VFmoPp+A==}
+
 snapshots:
 
-  '@esbuild/aix-ppc64@0.27.4':
+  '@emnapi/core@1.9.2':
+    dependencies:
+      '@emnapi/wasi-threads': 1.2.1
+      tslib: 2.8.1
     optional: true
 
-  '@esbuild/android-arm64@0.27.4':
+  '@emnapi/runtime@1.9.2':
+    dependencies:
+      tslib: 2.8.1
     optional: true
 
-  '@esbuild/android-arm@0.27.4':
-    optional: true
-
-  '@esbuild/android-x64@0.27.4':
-    optional: true
-
-  '@esbuild/darwin-arm64@0.27.4':
-    optional: true
-
-  '@esbuild/darwin-x64@0.27.4':
-    optional: true
-
-  '@esbuild/freebsd-arm64@0.27.4':
-    optional: true
-
-  '@esbuild/freebsd-x64@0.27.4':
-    optional: true
-
-  '@esbuild/linux-arm64@0.27.4':
-    optional: true
-
-  '@esbuild/linux-arm@0.27.4':
-    optional: true
-
-  '@esbuild/linux-ia32@0.27.4':
-    optional: true
-
-  '@esbuild/linux-loong64@0.27.4':
-    optional: true
-
-  '@esbuild/linux-mips64el@0.27.4':
-    optional: true
-
-  '@esbuild/linux-ppc64@0.27.4':
-    optional: true
-
-  '@esbuild/linux-riscv64@0.27.4':
-    optional: true
-
-  '@esbuild/linux-s390x@0.27.4':
-    optional: true
-
-  '@esbuild/linux-x64@0.27.4':
-    optional: true
-
-  '@esbuild/netbsd-arm64@0.27.4':
-    optional: true
-
-  '@esbuild/netbsd-x64@0.27.4':
-    optional: true
-
-  '@esbuild/openbsd-arm64@0.27.4':
-    optional: true
-
-  '@esbuild/openbsd-x64@0.27.4':
-    optional: true
-
-  '@esbuild/openharmony-arm64@0.27.4':
-    optional: true
-
-  '@esbuild/sunos-x64@0.27.4':
-    optional: true
-
-  '@esbuild/win32-arm64@0.27.4':
-    optional: true
-
-  '@esbuild/win32-ia32@0.27.4':
-    optional: true
-
-  '@esbuild/win32-x64@0.27.4':
+  '@emnapi/wasi-threads@1.2.1':
+    dependencies:
+      tslib: 2.8.1
     optional: true
 
   '@floating-ui/core@1.7.5':
@@ -970,7 +892,7 @@ snapshots:
 
   '@internationalized/date@3.12.0':
     dependencies:
-      '@swc/helpers': 0.5.19
+      '@swc/helpers': 0.5.21
 
   '@jridgewell/gen-mapping@0.3.13':
     dependencies:
@@ -993,82 +915,107 @@ snapshots:
 
   '@kurkle/color@0.3.4': {}
 
+  '@napi-rs/wasm-runtime@1.1.3(@emnapi/core@1.9.2)(@emnapi/runtime@1.9.2)':
+    dependencies:
+      '@emnapi/core': 1.9.2
+      '@emnapi/runtime': 1.9.2
+      '@tybys/wasm-util': 0.10.1
+    optional: true
+
+  '@oxc-project/types@0.124.0': {}
+
   '@polka/url@1.0.0-next.29': {}
 
-  '@rollup/rollup-android-arm-eabi@4.59.0':
+  '@rolldown/binding-android-arm64@1.0.0-rc.15':
     optional: true
 
-  '@rollup/rollup-android-arm64@4.59.0':
+  '@rolldown/binding-darwin-arm64@1.0.0-rc.15':
     optional: true
 
-  '@rollup/rollup-darwin-arm64@4.59.0':
+  '@rolldown/binding-darwin-x64@1.0.0-rc.15':
     optional: true
 
-  '@rollup/rollup-darwin-x64@4.59.0':
+  '@rolldown/binding-freebsd-x64@1.0.0-rc.15':
     optional: true
 
-  '@rollup/rollup-freebsd-arm64@4.59.0':
+  '@rolldown/binding-linux-arm-gnueabihf@1.0.0-rc.15':
     optional: true
 
-  '@rollup/rollup-freebsd-x64@4.59.0':
+  '@rolldown/binding-linux-arm64-gnu@1.0.0-rc.15':
     optional: true
 
-  '@rollup/rollup-linux-arm-gnueabihf@4.59.0':
+  '@rolldown/binding-linux-arm64-musl@1.0.0-rc.15':
     optional: true
 
-  '@rollup/rollup-linux-arm-musleabihf@4.59.0':
+  '@rolldown/binding-linux-ppc64-gnu@1.0.0-rc.15':
     optional: true
 
-  '@rollup/rollup-linux-arm64-gnu@4.59.0':
+  '@rolldown/binding-linux-s390x-gnu@1.0.0-rc.15':
     optional: true
 
-  '@rollup/rollup-linux-arm64-musl@4.59.0':
+  '@rolldown/binding-linux-x64-gnu@1.0.0-rc.15':
     optional: true
 
-  '@rollup/rollup-linux-loong64-gnu@4.59.0':
+  '@rolldown/binding-linux-x64-musl@1.0.0-rc.15':
     optional: true
 
-  '@rollup/rollup-linux-loong64-musl@4.59.0':
+  '@rolldown/binding-openharmony-arm64@1.0.0-rc.15':
     optional: true
 
-  '@rollup/rollup-linux-ppc64-gnu@4.59.0':
+  '@rolldown/binding-wasm32-wasi@1.0.0-rc.15':
+    dependencies:
+      '@emnapi/core': 1.9.2
+      '@emnapi/runtime': 1.9.2
+      '@napi-rs/wasm-runtime': 1.1.3(@emnapi/core@1.9.2)(@emnapi/runtime@1.9.2)
     optional: true
 
-  '@rollup/rollup-linux-ppc64-musl@4.59.0':
+  '@rolldown/binding-win32-arm64-msvc@1.0.0-rc.15':
     optional: true
 
-  '@rollup/rollup-linux-riscv64-gnu@4.59.0':
+  '@rolldown/binding-win32-x64-msvc@1.0.0-rc.15':
     optional: true
 
-  '@rollup/rollup-linux-riscv64-musl@4.59.0':
-    optional: true
+  '@rolldown/pluginutils@1.0.0-rc.15': {}
 
-  '@rollup/rollup-linux-s390x-gnu@4.59.0':
-    optional: true
+  '@shikijs/core@4.0.2':
+    dependencies:
+      '@shikijs/primitive': 4.0.2
+      '@shikijs/types': 4.0.2
+      '@shikijs/vscode-textmate': 10.0.2
+      '@types/hast': 3.0.4
+      hast-util-to-html: 9.0.5
 
-  '@rollup/rollup-linux-x64-gnu@4.59.0':
-    optional: true
+  '@shikijs/engine-javascript@4.0.2':
+    dependencies:
+      '@shikijs/types': 4.0.2
+      '@shikijs/vscode-textmate': 10.0.2
+      oniguruma-to-es: 4.3.5
 
-  '@rollup/rollup-linux-x64-musl@4.59.0':
-    optional: true
+  '@shikijs/engine-oniguruma@4.0.2':
+    dependencies:
+      '@shikijs/types': 4.0.2
+      '@shikijs/vscode-textmate': 10.0.2
 
-  '@rollup/rollup-openbsd-x64@4.59.0':
-    optional: true
+  '@shikijs/langs@4.0.2':
+    dependencies:
+      '@shikijs/types': 4.0.2
 
-  '@rollup/rollup-openharmony-arm64@4.59.0':
-    optional: true
+  '@shikijs/primitive@4.0.2':
+    dependencies:
+      '@shikijs/types': 4.0.2
+      '@shikijs/vscode-textmate': 10.0.2
+      '@types/hast': 3.0.4
 
-  '@rollup/rollup-win32-arm64-msvc@4.59.0':
-    optional: true
+  '@shikijs/themes@4.0.2':
+    dependencies:
+      '@shikijs/types': 4.0.2
 
-  '@rollup/rollup-win32-ia32-msvc@4.59.0':
-    optional: true
+  '@shikijs/types@4.0.2':
+    dependencies:
+      '@shikijs/vscode-textmate': 10.0.2
+      '@types/hast': 3.0.4
 
-  '@rollup/rollup-win32-x64-gnu@4.59.0':
-    optional: true
-
-  '@rollup/rollup-win32-x64-msvc@4.59.0':
-    optional: true
+  '@shikijs/vscode-textmate@10.0.2': {}
 
   '@standard-schema/spec@1.1.0': {}
 
@@ -1076,126 +1023,139 @@ snapshots:
     dependencies:
       acorn: 8.16.0
 
-  '@sveltejs/adapter-static@3.0.10(@sveltejs/kit@2.55.0(@sveltejs/vite-plugin-svelte@6.2.4(svelte@5.53.12)(vite@7.3.1(jiti@2.6.1)(lightningcss@1.31.1)))(svelte@5.53.12)(typescript@5.9.3)(vite@7.3.1(jiti@2.6.1)(lightningcss@1.31.1)))':
+  '@sveltejs/adapter-static@3.0.10(@sveltejs/kit@2.57.1(@sveltejs/vite-plugin-svelte@7.0.0(svelte@5.55.3)(vite@8.0.8(jiti@2.6.1)))(svelte@5.55.3)(typescript@6.0.2)(vite@8.0.8(jiti@2.6.1)))':
     dependencies:
-      '@sveltejs/kit': 2.55.0(@sveltejs/vite-plugin-svelte@6.2.4(svelte@5.53.12)(vite@7.3.1(jiti@2.6.1)(lightningcss@1.31.1)))(svelte@5.53.12)(typescript@5.9.3)(vite@7.3.1(jiti@2.6.1)(lightningcss@1.31.1))
+      '@sveltejs/kit': 2.57.1(@sveltejs/vite-plugin-svelte@7.0.0(svelte@5.55.3)(vite@8.0.8(jiti@2.6.1)))(svelte@5.55.3)(typescript@6.0.2)(vite@8.0.8(jiti@2.6.1))
 
-  '@sveltejs/kit@2.55.0(@sveltejs/vite-plugin-svelte@6.2.4(svelte@5.53.12)(vite@7.3.1(jiti@2.6.1)(lightningcss@1.31.1)))(svelte@5.53.12)(typescript@5.9.3)(vite@7.3.1(jiti@2.6.1)(lightningcss@1.31.1))':
+  '@sveltejs/kit@2.57.1(@sveltejs/vite-plugin-svelte@7.0.0(svelte@5.55.3)(vite@8.0.8(jiti@2.6.1)))(svelte@5.55.3)(typescript@6.0.2)(vite@8.0.8(jiti@2.6.1))':
     dependencies:
       '@standard-schema/spec': 1.1.0
       '@sveltejs/acorn-typescript': 1.0.9(acorn@8.16.0)
-      '@sveltejs/vite-plugin-svelte': 6.2.4(svelte@5.53.12)(vite@7.3.1(jiti@2.6.1)(lightningcss@1.31.1))
+      '@sveltejs/vite-plugin-svelte': 7.0.0(svelte@5.55.3)(vite@8.0.8(jiti@2.6.1))
       '@types/cookie': 0.6.0
       acorn: 8.16.0
       cookie: 0.6.0
-      devalue: 5.6.4
+      devalue: 5.7.1
       esm-env: 1.2.2
       kleur: 4.1.5
       magic-string: 0.30.21
       mrmime: 2.0.1
-      set-cookie-parser: 3.0.1
+      set-cookie-parser: 3.1.0
       sirv: 3.0.2
-      svelte: 5.53.12
-      vite: 7.3.1(jiti@2.6.1)(lightningcss@1.31.1)
+      svelte: 5.55.3
+      vite: 8.0.8(jiti@2.6.1)
     optionalDependencies:
-      typescript: 5.9.3
+      typescript: 6.0.2
 
-  '@sveltejs/vite-plugin-svelte-inspector@5.0.2(@sveltejs/vite-plugin-svelte@6.2.4(svelte@5.53.12)(vite@7.3.1(jiti@2.6.1)(lightningcss@1.31.1)))(svelte@5.53.12)(vite@7.3.1(jiti@2.6.1)(lightningcss@1.31.1))':
+  '@sveltejs/vite-plugin-svelte@7.0.0(svelte@5.55.3)(vite@8.0.8(jiti@2.6.1))':
     dependencies:
-      '@sveltejs/vite-plugin-svelte': 6.2.4(svelte@5.53.12)(vite@7.3.1(jiti@2.6.1)(lightningcss@1.31.1))
-      obug: 2.1.1
-      svelte: 5.53.12
-      vite: 7.3.1(jiti@2.6.1)(lightningcss@1.31.1)
-
-  '@sveltejs/vite-plugin-svelte@6.2.4(svelte@5.53.12)(vite@7.3.1(jiti@2.6.1)(lightningcss@1.31.1))':
-    dependencies:
-      '@sveltejs/vite-plugin-svelte-inspector': 5.0.2(@sveltejs/vite-plugin-svelte@6.2.4(svelte@5.53.12)(vite@7.3.1(jiti@2.6.1)(lightningcss@1.31.1)))(svelte@5.53.12)(vite@7.3.1(jiti@2.6.1)(lightningcss@1.31.1))
       deepmerge: 4.3.1
       magic-string: 0.30.21
       obug: 2.1.1
-      svelte: 5.53.12
-      vite: 7.3.1(jiti@2.6.1)(lightningcss@1.31.1)
-      vitefu: 1.1.2(vite@7.3.1(jiti@2.6.1)(lightningcss@1.31.1))
+      svelte: 5.55.3
+      vite: 8.0.8(jiti@2.6.1)
+      vitefu: 1.1.3(vite@8.0.8(jiti@2.6.1))
 
-  '@swc/helpers@0.5.19':
+  '@swc/helpers@0.5.21':
     dependencies:
       tslib: 2.8.1
 
-  '@tailwindcss/node@4.2.1':
+  '@tailwindcss/node@4.2.2':
     dependencies:
       '@jridgewell/remapping': 2.3.5
       enhanced-resolve: 5.20.1
       jiti: 2.6.1
-      lightningcss: 1.31.1
+      lightningcss: 1.32.0
       magic-string: 0.30.21
       source-map-js: 1.2.1
-      tailwindcss: 4.2.1
+      tailwindcss: 4.2.2
 
-  '@tailwindcss/oxide-android-arm64@4.2.1':
+  '@tailwindcss/oxide-android-arm64@4.2.2':
     optional: true
 
-  '@tailwindcss/oxide-darwin-arm64@4.2.1':
+  '@tailwindcss/oxide-darwin-arm64@4.2.2':
     optional: true
 
-  '@tailwindcss/oxide-darwin-x64@4.2.1':
+  '@tailwindcss/oxide-darwin-x64@4.2.2':
     optional: true
 
-  '@tailwindcss/oxide-freebsd-x64@4.2.1':
+  '@tailwindcss/oxide-freebsd-x64@4.2.2':
     optional: true
 
-  '@tailwindcss/oxide-linux-arm-gnueabihf@4.2.1':
+  '@tailwindcss/oxide-linux-arm-gnueabihf@4.2.2':
     optional: true
 
-  '@tailwindcss/oxide-linux-arm64-gnu@4.2.1':
+  '@tailwindcss/oxide-linux-arm64-gnu@4.2.2':
     optional: true
 
-  '@tailwindcss/oxide-linux-arm64-musl@4.2.1':
+  '@tailwindcss/oxide-linux-arm64-musl@4.2.2':
     optional: true
 
-  '@tailwindcss/oxide-linux-x64-gnu@4.2.1':
+  '@tailwindcss/oxide-linux-x64-gnu@4.2.2':
     optional: true
 
-  '@tailwindcss/oxide-linux-x64-musl@4.2.1':
+  '@tailwindcss/oxide-linux-x64-musl@4.2.2':
     optional: true
 
-  '@tailwindcss/oxide-wasm32-wasi@4.2.1':
+  '@tailwindcss/oxide-wasm32-wasi@4.2.2':
     optional: true
 
-  '@tailwindcss/oxide-win32-arm64-msvc@4.2.1':
+  '@tailwindcss/oxide-win32-arm64-msvc@4.2.2':
     optional: true
 
-  '@tailwindcss/oxide-win32-x64-msvc@4.2.1':
+  '@tailwindcss/oxide-win32-x64-msvc@4.2.2':
     optional: true
 
-  '@tailwindcss/oxide@4.2.1':
+  '@tailwindcss/oxide@4.2.2':
     optionalDependencies:
-      '@tailwindcss/oxide-android-arm64': 4.2.1
-      '@tailwindcss/oxide-darwin-arm64': 4.2.1
-      '@tailwindcss/oxide-darwin-x64': 4.2.1
-      '@tailwindcss/oxide-freebsd-x64': 4.2.1
-      '@tailwindcss/oxide-linux-arm-gnueabihf': 4.2.1
-      '@tailwindcss/oxide-linux-arm64-gnu': 4.2.1
-      '@tailwindcss/oxide-linux-arm64-musl': 4.2.1
-      '@tailwindcss/oxide-linux-x64-gnu': 4.2.1
-      '@tailwindcss/oxide-linux-x64-musl': 4.2.1
-      '@tailwindcss/oxide-wasm32-wasi': 4.2.1
-      '@tailwindcss/oxide-win32-arm64-msvc': 4.2.1
-      '@tailwindcss/oxide-win32-x64-msvc': 4.2.1
+      '@tailwindcss/oxide-android-arm64': 4.2.2
+      '@tailwindcss/oxide-darwin-arm64': 4.2.2
+      '@tailwindcss/oxide-darwin-x64': 4.2.2
+      '@tailwindcss/oxide-freebsd-x64': 4.2.2
+      '@tailwindcss/oxide-linux-arm-gnueabihf': 4.2.2
+      '@tailwindcss/oxide-linux-arm64-gnu': 4.2.2
+      '@tailwindcss/oxide-linux-arm64-musl': 4.2.2
+      '@tailwindcss/oxide-linux-x64-gnu': 4.2.2
+      '@tailwindcss/oxide-linux-x64-musl': 4.2.2
+      '@tailwindcss/oxide-wasm32-wasi': 4.2.2
+      '@tailwindcss/oxide-win32-arm64-msvc': 4.2.2
+      '@tailwindcss/oxide-win32-x64-msvc': 4.2.2
 
-  '@tailwindcss/vite@4.2.1(vite@7.3.1(jiti@2.6.1)(lightningcss@1.31.1))':
+  '@tailwindcss/vite@4.2.2(vite@8.0.8(jiti@2.6.1))':
     dependencies:
-      '@tailwindcss/node': 4.2.1
-      '@tailwindcss/oxide': 4.2.1
-      tailwindcss: 4.2.1
-      vite: 7.3.1(jiti@2.6.1)(lightningcss@1.31.1)
+      '@tailwindcss/node': 4.2.2
+      '@tailwindcss/oxide': 4.2.2
+      tailwindcss: 4.2.2
+      vite: 8.0.8(jiti@2.6.1)
+
+  '@tybys/wasm-util@0.10.1':
+    dependencies:
+      tslib: 2.8.1
+    optional: true
 
   '@types/cookie@0.6.0': {}
 
   '@types/estree@1.0.8': {}
 
+  '@types/hast@3.0.4':
+    dependencies:
+      '@types/unist': 3.0.3
+
+  '@types/mdast@4.0.4':
+    dependencies:
+      '@types/unist': 3.0.3
+
   '@types/trusted-types@2.0.7': {}
 
-  '@typescript-eslint/types@8.57.1': {}
+  '@types/unist@3.0.3': {}
+
+  '@ungap/structured-clone@1.3.0': {}
+
+  '@xterm/addon-fit@0.11.0': {}
+
+  '@xterm/addon-web-links@0.12.0': {}
+
+  '@xterm/xterm@6.0.0': {}
 
   acorn@8.16.0: {}
 
@@ -1203,19 +1163,25 @@ snapshots:
 
   axobject-query@4.1.0: {}
 
-  bits-ui@2.16.3(@internationalized/date@3.12.0)(@sveltejs/kit@2.55.0(@sveltejs/vite-plugin-svelte@6.2.4(svelte@5.53.12)(vite@7.3.1(jiti@2.6.1)(lightningcss@1.31.1)))(svelte@5.53.12)(typescript@5.9.3)(vite@7.3.1(jiti@2.6.1)(lightningcss@1.31.1)))(svelte@5.53.12):
+  bits-ui@2.17.3(@internationalized/date@3.12.0)(@sveltejs/kit@2.57.1(@sveltejs/vite-plugin-svelte@7.0.0(svelte@5.55.3)(vite@8.0.8(jiti@2.6.1)))(svelte@5.55.3)(typescript@6.0.2)(vite@8.0.8(jiti@2.6.1)))(svelte@5.55.3):
     dependencies:
       '@floating-ui/core': 1.7.5
       '@floating-ui/dom': 1.7.6
       '@internationalized/date': 3.12.0
       esm-env: 1.2.2
-      runed: 0.35.1(@sveltejs/kit@2.55.0(@sveltejs/vite-plugin-svelte@6.2.4(svelte@5.53.12)(vite@7.3.1(jiti@2.6.1)(lightningcss@1.31.1)))(svelte@5.53.12)(typescript@5.9.3)(vite@7.3.1(jiti@2.6.1)(lightningcss@1.31.1)))(svelte@5.53.12)
-      svelte: 5.53.12
-      svelte-toolbelt: 0.10.6(@sveltejs/kit@2.55.0(@sveltejs/vite-plugin-svelte@6.2.4(svelte@5.53.12)(vite@7.3.1(jiti@2.6.1)(lightningcss@1.31.1)))(svelte@5.53.12)(typescript@5.9.3)(vite@7.3.1(jiti@2.6.1)(lightningcss@1.31.1)))(svelte@5.53.12)
+      runed: 0.35.1(@sveltejs/kit@2.57.1(@sveltejs/vite-plugin-svelte@7.0.0(svelte@5.55.3)(vite@8.0.8(jiti@2.6.1)))(svelte@5.55.3)(typescript@6.0.2)(vite@8.0.8(jiti@2.6.1)))(svelte@5.55.3)
+      svelte: 5.55.3
+      svelte-toolbelt: 0.10.6(@sveltejs/kit@2.57.1(@sveltejs/vite-plugin-svelte@7.0.0(svelte@5.55.3)(vite@8.0.8(jiti@2.6.1)))(svelte@5.55.3)(typescript@6.0.2)(vite@8.0.8(jiti@2.6.1)))(svelte@5.55.3)
       tabbable: 6.4.0
     transitivePeerDependencies:
       - '@sveltejs/kit'
 
+  ccount@2.0.1: {}
+
+  character-entities-html4@2.1.0: {}
+
+  character-entities-legacy@3.0.0: {}
+
   chart.js@4.5.1:
     dependencies:
       '@kurkle/color': 0.3.4
@@ -1226,6 +1192,8 @@ snapshots:
 
   clsx@2.1.1: {}
 
+  comma-separated-tokens@2.0.3: {}
+
   cookie@0.6.0: {}
 
   deepmerge@4.3.1: {}
@@ -1234,58 +1202,52 @@ snapshots:
 
   detect-libc@2.1.2: {}
 
-  devalue@5.6.4: {}
+  devalue@5.7.1: {}
+
+  devlop@1.1.0:
+    dependencies:
+      dequal: 2.0.3
 
   enhanced-resolve@5.20.1:
     dependencies:
       graceful-fs: 4.2.11
-      tapable: 2.3.0
-
-  esbuild@0.27.4:
-    optionalDependencies:
-      '@esbuild/aix-ppc64': 0.27.4
-      '@esbuild/android-arm': 0.27.4
-      '@esbuild/android-arm64': 0.27.4
-      '@esbuild/android-x64': 0.27.4
-      '@esbuild/darwin-arm64': 0.27.4
-      '@esbuild/darwin-x64': 0.27.4
-      '@esbuild/freebsd-arm64': 0.27.4
-      '@esbuild/freebsd-x64': 0.27.4
-      '@esbuild/linux-arm': 0.27.4
-      '@esbuild/linux-arm64': 0.27.4
-      '@esbuild/linux-ia32': 0.27.4
-      '@esbuild/linux-loong64': 0.27.4
-      '@esbuild/linux-mips64el': 0.27.4
-      '@esbuild/linux-ppc64': 0.27.4
-      '@esbuild/linux-riscv64': 0.27.4
-      '@esbuild/linux-s390x': 0.27.4
-      '@esbuild/linux-x64': 0.27.4
-      '@esbuild/netbsd-arm64': 0.27.4
-      '@esbuild/netbsd-x64': 0.27.4
-      '@esbuild/openbsd-arm64': 0.27.4
-      '@esbuild/openbsd-x64': 0.27.4
-      '@esbuild/openharmony-arm64': 0.27.4
-      '@esbuild/sunos-x64': 0.27.4
-      '@esbuild/win32-arm64': 0.27.4
-      '@esbuild/win32-ia32': 0.27.4
-      '@esbuild/win32-x64': 0.27.4
+      tapable: 2.3.2
 
   esm-env@1.2.2: {}
 
-  esrap@2.2.4:
+  esrap@2.2.5:
     dependencies:
       '@jridgewell/sourcemap-codec': 1.5.5
-      '@typescript-eslint/types': 8.57.1
 
-  fdir@6.5.0(picomatch@4.0.3):
+  fdir@6.5.0(picomatch@4.0.4):
     optionalDependencies:
-      picomatch: 4.0.3
+      picomatch: 4.0.4
 
   fsevents@2.3.3:
     optional: true
 
   graceful-fs@4.2.11: {}
 
+  hast-util-to-html@9.0.5:
+    dependencies:
+      '@types/hast': 3.0.4
+      '@types/unist': 3.0.3
+      ccount: 2.0.1
+      comma-separated-tokens: 2.0.3
+      hast-util-whitespace: 3.0.0
+      html-void-elements: 3.0.0
+      mdast-util-to-hast: 13.2.1
+      property-information: 7.1.0
+      space-separated-tokens: 2.0.2
+      stringify-entities: 4.0.4
+      zwitch: 2.0.4
+
+  hast-util-whitespace@3.0.0:
+    dependencies:
+      '@types/hast': 3.0.4
+
+  html-void-elements@3.0.0: {}
+
   inline-style-parser@0.2.7: {}
 
   is-reference@3.0.3:
@@ -1296,54 +1258,54 @@ snapshots:
 
   kleur@4.1.5: {}
 
-  lightningcss-android-arm64@1.31.1:
+  lightningcss-android-arm64@1.32.0:
     optional: true
 
-  lightningcss-darwin-arm64@1.31.1:
+  lightningcss-darwin-arm64@1.32.0:
     optional: true
 
-  lightningcss-darwin-x64@1.31.1:
+  lightningcss-darwin-x64@1.32.0:
     optional: true
 
-  lightningcss-freebsd-x64@1.31.1:
+  lightningcss-freebsd-x64@1.32.0:
     optional: true
 
-  lightningcss-linux-arm-gnueabihf@1.31.1:
+  lightningcss-linux-arm-gnueabihf@1.32.0:
     optional: true
 
-  lightningcss-linux-arm64-gnu@1.31.1:
+  lightningcss-linux-arm64-gnu@1.32.0:
     optional: true
 
-  lightningcss-linux-arm64-musl@1.31.1:
+  lightningcss-linux-arm64-musl@1.32.0:
     optional: true
 
-  lightningcss-linux-x64-gnu@1.31.1:
+  lightningcss-linux-x64-gnu@1.32.0:
     optional: true
 
-  lightningcss-linux-x64-musl@1.31.1:
+  lightningcss-linux-x64-musl@1.32.0:
     optional: true
 
-  lightningcss-win32-arm64-msvc@1.31.1:
+  lightningcss-win32-arm64-msvc@1.32.0:
     optional: true
 
-  lightningcss-win32-x64-msvc@1.31.1:
+  lightningcss-win32-x64-msvc@1.32.0:
     optional: true
 
-  lightningcss@1.31.1:
+  lightningcss@1.32.0:
     dependencies:
       detect-libc: 2.1.2
     optionalDependencies:
-      lightningcss-android-arm64: 1.31.1
-      lightningcss-darwin-arm64: 1.31.1
-      lightningcss-darwin-x64: 1.31.1
-      lightningcss-freebsd-x64: 1.31.1
-      lightningcss-linux-arm-gnueabihf: 1.31.1
-      lightningcss-linux-arm64-gnu: 1.31.1
-      lightningcss-linux-arm64-musl: 1.31.1
-      lightningcss-linux-x64-gnu: 1.31.1
-      lightningcss-linux-x64-musl: 1.31.1
-      lightningcss-win32-arm64-msvc: 1.31.1
-      lightningcss-win32-x64-msvc: 1.31.1
+      lightningcss-android-arm64: 1.32.0
+      lightningcss-darwin-arm64: 1.32.0
+      lightningcss-darwin-x64: 1.32.0
+      lightningcss-freebsd-x64: 1.32.0
+      lightningcss-linux-arm-gnueabihf: 1.32.0
+      lightningcss-linux-arm64-gnu: 1.32.0
+      lightningcss-linux-arm64-musl: 1.32.0
+      lightningcss-linux-x64-gnu: 1.32.0
+      lightningcss-linux-x64-musl: 1.32.0
+      lightningcss-win32-arm64-msvc: 1.32.0
+      lightningcss-win32-x64-msvc: 1.32.0
 
   locate-character@3.0.0: {}
 
@@ -1353,6 +1315,35 @@ snapshots:
     dependencies:
       '@jridgewell/sourcemap-codec': 1.5.5
 
+  mdast-util-to-hast@13.2.1:
+    dependencies:
+      '@types/hast': 3.0.4
+      '@types/mdast': 4.0.4
+      '@ungap/structured-clone': 1.3.0
+      devlop: 1.1.0
+      micromark-util-sanitize-uri: 2.0.1
+      trim-lines: 3.0.1
+      unist-util-position: 5.0.0
+      unist-util-visit: 5.1.0
+      vfile: 6.0.3
+
+  micromark-util-character@2.1.1:
+    dependencies:
+      micromark-util-symbol: 2.0.1
+      micromark-util-types: 2.0.2
+
+  micromark-util-encode@2.0.1: {}
+
+  micromark-util-sanitize-uri@2.0.1:
+    dependencies:
+      micromark-util-character: 2.1.1
+      micromark-util-encode: 2.0.1
+      micromark-util-symbol: 2.0.1
+
+  micromark-util-symbol@2.0.1: {}
+
+  micromark-util-types@2.0.2: {}
+
   mri@1.2.0: {}
 
   mrmime@2.0.1: {}
@@ -1361,63 +1352,84 @@ snapshots:
 
   obug@2.1.1: {}
 
+  oniguruma-parser@0.12.1: {}
+
+  oniguruma-to-es@4.3.5:
+    dependencies:
+      oniguruma-parser: 0.12.1
+      regex: 6.1.0
+      regex-recursion: 6.0.2
+
   picocolors@1.1.1: {}
 
-  picomatch@4.0.3: {}
+  picomatch@4.0.4: {}
 
-  postcss@8.5.8:
+  postcss@8.5.9:
     dependencies:
       nanoid: 3.3.11
       picocolors: 1.1.1
       source-map-js: 1.2.1
 
+  property-information@7.1.0: {}
+
   readdirp@4.1.2: {}
 
-  rollup@4.59.0:
+  regex-recursion@6.0.2:
     dependencies:
-      '@types/estree': 1.0.8
-    optionalDependencies:
-      '@rollup/rollup-android-arm-eabi': 4.59.0
-      '@rollup/rollup-android-arm64': 4.59.0
-      '@rollup/rollup-darwin-arm64': 4.59.0
-      '@rollup/rollup-darwin-x64': 4.59.0
-      '@rollup/rollup-freebsd-arm64': 4.59.0
-      '@rollup/rollup-freebsd-x64': 4.59.0
-      '@rollup/rollup-linux-arm-gnueabihf': 4.59.0
-      '@rollup/rollup-linux-arm-musleabihf': 4.59.0
-      '@rollup/rollup-linux-arm64-gnu': 4.59.0
-      '@rollup/rollup-linux-arm64-musl': 4.59.0
-      '@rollup/rollup-linux-loong64-gnu': 4.59.0
-      '@rollup/rollup-linux-loong64-musl': 4.59.0
-      '@rollup/rollup-linux-ppc64-gnu': 4.59.0
-      '@rollup/rollup-linux-ppc64-musl': 4.59.0
-      '@rollup/rollup-linux-riscv64-gnu': 4.59.0
-      '@rollup/rollup-linux-riscv64-musl': 4.59.0
-      '@rollup/rollup-linux-s390x-gnu': 4.59.0
-      '@rollup/rollup-linux-x64-gnu': 4.59.0
-      '@rollup/rollup-linux-x64-musl': 4.59.0
-      '@rollup/rollup-openbsd-x64': 4.59.0
-      '@rollup/rollup-openharmony-arm64': 4.59.0
-      '@rollup/rollup-win32-arm64-msvc': 4.59.0
-      '@rollup/rollup-win32-ia32-msvc': 4.59.0
-      '@rollup/rollup-win32-x64-gnu': 4.59.0
-      '@rollup/rollup-win32-x64-msvc': 4.59.0
-      fsevents: 2.3.3
+      regex-utilities: 2.3.0
 
-  runed@0.35.1(@sveltejs/kit@2.55.0(@sveltejs/vite-plugin-svelte@6.2.4(svelte@5.53.12)(vite@7.3.1(jiti@2.6.1)(lightningcss@1.31.1)))(svelte@5.53.12)(typescript@5.9.3)(vite@7.3.1(jiti@2.6.1)(lightningcss@1.31.1)))(svelte@5.53.12):
+  regex-utilities@2.3.0: {}
+
+  regex@6.1.0:
+    dependencies:
+      regex-utilities: 2.3.0
+
+  rolldown@1.0.0-rc.15:
+    dependencies:
+      '@oxc-project/types': 0.124.0
+      '@rolldown/pluginutils': 1.0.0-rc.15
+    optionalDependencies:
+      '@rolldown/binding-android-arm64': 1.0.0-rc.15
+      '@rolldown/binding-darwin-arm64': 1.0.0-rc.15
+      '@rolldown/binding-darwin-x64': 1.0.0-rc.15
+      '@rolldown/binding-freebsd-x64': 1.0.0-rc.15
+      '@rolldown/binding-linux-arm-gnueabihf': 1.0.0-rc.15
+      '@rolldown/binding-linux-arm64-gnu': 1.0.0-rc.15
+      '@rolldown/binding-linux-arm64-musl': 1.0.0-rc.15
+      '@rolldown/binding-linux-ppc64-gnu': 1.0.0-rc.15
+      '@rolldown/binding-linux-s390x-gnu': 1.0.0-rc.15
+      '@rolldown/binding-linux-x64-gnu': 1.0.0-rc.15
+      '@rolldown/binding-linux-x64-musl': 1.0.0-rc.15
+      '@rolldown/binding-openharmony-arm64': 1.0.0-rc.15
+      '@rolldown/binding-wasm32-wasi': 1.0.0-rc.15
+      '@rolldown/binding-win32-arm64-msvc': 1.0.0-rc.15
+      '@rolldown/binding-win32-x64-msvc': 1.0.0-rc.15
+
+  runed@0.35.1(@sveltejs/kit@2.57.1(@sveltejs/vite-plugin-svelte@7.0.0(svelte@5.55.3)(vite@8.0.8(jiti@2.6.1)))(svelte@5.55.3)(typescript@6.0.2)(vite@8.0.8(jiti@2.6.1)))(svelte@5.55.3):
     dependencies:
       dequal: 2.0.3
       esm-env: 1.2.2
       lz-string: 1.5.0
-      svelte: 5.53.12
+      svelte: 5.55.3
     optionalDependencies:
-      '@sveltejs/kit': 2.55.0(@sveltejs/vite-plugin-svelte@6.2.4(svelte@5.53.12)(vite@7.3.1(jiti@2.6.1)(lightningcss@1.31.1)))(svelte@5.53.12)(typescript@5.9.3)(vite@7.3.1(jiti@2.6.1)(lightningcss@1.31.1))
+      '@sveltejs/kit': 2.57.1(@sveltejs/vite-plugin-svelte@7.0.0(svelte@5.55.3)(vite@8.0.8(jiti@2.6.1)))(svelte@5.55.3)(typescript@6.0.2)(vite@8.0.8(jiti@2.6.1))
 
   sade@1.8.1:
     dependencies:
       mri: 1.2.0
 
-  set-cookie-parser@3.0.1: {}
+  set-cookie-parser@3.1.0: {}
+
+  shiki@4.0.2:
+    dependencies:
+      '@shikijs/core': 4.0.2
+      '@shikijs/engine-javascript': 4.0.2
+      '@shikijs/engine-oniguruma': 4.0.2
+      '@shikijs/langs': 4.0.2
+      '@shikijs/themes': 4.0.2
+      '@shikijs/types': 4.0.2
+      '@shikijs/vscode-textmate': 10.0.2
+      '@types/hast': 3.0.4
 
   sirv@3.0.2:
     dependencies:
@@ -1427,32 +1439,39 @@ snapshots:
 
   source-map-js@1.2.1: {}
 
+  space-separated-tokens@2.0.2: {}
+
+  stringify-entities@4.0.4:
+    dependencies:
+      character-entities-html4: 2.1.0
+      character-entities-legacy: 3.0.0
+
   style-to-object@1.0.14:
     dependencies:
       inline-style-parser: 0.2.7
 
-  svelte-check@4.4.5(picomatch@4.0.3)(svelte@5.53.12)(typescript@5.9.3):
+  svelte-check@4.4.6(picomatch@4.0.4)(svelte@5.55.3)(typescript@6.0.2):
     dependencies:
       '@jridgewell/trace-mapping': 0.3.31
       chokidar: 4.0.3
-      fdir: 6.5.0(picomatch@4.0.3)
+      fdir: 6.5.0(picomatch@4.0.4)
       picocolors: 1.1.1
       sade: 1.8.1
-      svelte: 5.53.12
-      typescript: 5.9.3
+      svelte: 5.55.3
+      typescript: 6.0.2
     transitivePeerDependencies:
       - picomatch
 
-  svelte-toolbelt@0.10.6(@sveltejs/kit@2.55.0(@sveltejs/vite-plugin-svelte@6.2.4(svelte@5.53.12)(vite@7.3.1(jiti@2.6.1)(lightningcss@1.31.1)))(svelte@5.53.12)(typescript@5.9.3)(vite@7.3.1(jiti@2.6.1)(lightningcss@1.31.1)))(svelte@5.53.12):
+  svelte-toolbelt@0.10.6(@sveltejs/kit@2.57.1(@sveltejs/vite-plugin-svelte@7.0.0(svelte@5.55.3)(vite@8.0.8(jiti@2.6.1)))(svelte@5.55.3)(typescript@6.0.2)(vite@8.0.8(jiti@2.6.1)))(svelte@5.55.3):
     dependencies:
       clsx: 2.1.1
-      runed: 0.35.1(@sveltejs/kit@2.55.0(@sveltejs/vite-plugin-svelte@6.2.4(svelte@5.53.12)(vite@7.3.1(jiti@2.6.1)(lightningcss@1.31.1)))(svelte@5.53.12)(typescript@5.9.3)(vite@7.3.1(jiti@2.6.1)(lightningcss@1.31.1)))(svelte@5.53.12)
+      runed: 0.35.1(@sveltejs/kit@2.57.1(@sveltejs/vite-plugin-svelte@7.0.0(svelte@5.55.3)(vite@8.0.8(jiti@2.6.1)))(svelte@5.55.3)(typescript@6.0.2)(vite@8.0.8(jiti@2.6.1)))(svelte@5.55.3)
       style-to-object: 1.0.14
-      svelte: 5.53.12
+      svelte: 5.55.3
     transitivePeerDependencies:
       - '@sveltejs/kit'
 
-  svelte@5.53.12:
+  svelte@5.55.3:
     dependencies:
       '@jridgewell/remapping': 2.3.5
       '@jridgewell/sourcemap-codec': 1.5.5
@@ -1463,46 +1482,83 @@ snapshots:
       aria-query: 5.3.1
       axobject-query: 4.1.0
       clsx: 2.1.1
-      devalue: 5.6.4
+      devalue: 5.7.1
       esm-env: 1.2.2
-      esrap: 2.2.4
+      esrap: 2.2.5
       is-reference: 3.0.3
       locate-character: 3.0.0
       magic-string: 0.30.21
       zimmerframe: 1.1.4
+    transitivePeerDependencies:
+      - '@typescript-eslint/types'
 
   tabbable@6.4.0: {}
 
-  tailwindcss@4.2.1: {}
+  tailwindcss@4.2.2: {}
 
-  tapable@2.3.0: {}
+  tapable@2.3.2: {}
 
-  tinyglobby@0.2.15:
+  tinyglobby@0.2.16:
     dependencies:
-      fdir: 6.5.0(picomatch@4.0.3)
-      picomatch: 4.0.3
+      fdir: 6.5.0(picomatch@4.0.4)
+      picomatch: 4.0.4
 
   totalist@3.0.1: {}
 
+  trim-lines@3.0.1: {}
+
   tslib@2.8.1: {}
 
-  typescript@5.9.3: {}
+  typescript@6.0.2: {}
 
-  vite@7.3.1(jiti@2.6.1)(lightningcss@1.31.1):
+  unist-util-is@6.0.1:
     dependencies:
-      esbuild: 0.27.4
-      fdir: 6.5.0(picomatch@4.0.3)
-      picomatch: 4.0.3
-      postcss: 8.5.8
-      rollup: 4.59.0
-      tinyglobby: 0.2.15
+      '@types/unist': 3.0.3
+
+  unist-util-position@5.0.0:
+    dependencies:
+      '@types/unist': 3.0.3
+
+  unist-util-stringify-position@4.0.0:
+    dependencies:
+      '@types/unist': 3.0.3
+
+  unist-util-visit-parents@6.0.2:
+    dependencies:
+      '@types/unist': 3.0.3
+      unist-util-is: 6.0.1
+
+  unist-util-visit@5.1.0:
+    dependencies:
+      '@types/unist': 3.0.3
+      unist-util-is: 6.0.1
+      unist-util-visit-parents: 6.0.2
+
+  vfile-message@4.0.3:
+    dependencies:
+      '@types/unist': 3.0.3
+      unist-util-stringify-position: 4.0.0
+
+  vfile@6.0.3:
+    dependencies:
+      '@types/unist': 3.0.3
+      vfile-message: 4.0.3
+
+  vite@8.0.8(jiti@2.6.1):
+    dependencies:
+      lightningcss: 1.32.0
+      picomatch: 4.0.4
+      postcss: 8.5.9
+      rolldown: 1.0.0-rc.15
+      tinyglobby: 0.2.16
     optionalDependencies:
       fsevents: 2.3.3
       jiti: 2.6.1
-      lightningcss: 1.31.1
 
-  vitefu@1.1.2(vite@7.3.1(jiti@2.6.1)(lightningcss@1.31.1)):
+  vitefu@1.1.3(vite@8.0.8(jiti@2.6.1)):
     optionalDependencies:
-      vite: 7.3.1(jiti@2.6.1)(lightningcss@1.31.1)
+      vite: 8.0.8(jiti@2.6.1)
 
   zimmerframe@1.1.4: {}
+
+  zwitch@2.0.4: {}
diff --git a/frontend/src/app.css b/frontend/src/app.css
index 9c2e326..d76358b 100644
--- a/frontend/src/app.css
+++ b/frontend/src/app.css
@@ -92,6 +92,11 @@ body {
 	min-height: 100vh;
 }
 
+/* Instrument Serif reads less condensed with a touch of positive tracking */
+.font-serif {
+	letter-spacing: 0.015em;
+}
+
 /* Tabular figures on all mono text — numbers align in tables and metric displays */
 .font-mono {
 	font-variant-numeric: tabular-nums;
@@ -175,6 +180,13 @@ body {
 	50%       { transform: translateY(-6px); }
 }
 
+/* CSS containment — isolate paint for independent UI regions.
+   Note: `contain: layout` is omitted because it creates a containing block
+   that breaks `position: fixed` popups rendered inside <main>. */
+main {
+	contain: style;
+}
+
 /* Respect user motion preferences — covers both CSS class animations and inline style animations */
 @media (prefers-reduced-motion: reduce) {
 	*,
diff --git a/frontend/src/lib/api/admin-capsules.ts b/frontend/src/lib/api/admin-capsules.ts
new file mode 100644
index 0000000..337ee0a
--- /dev/null
+++ b/frontend/src/lib/api/admin-capsules.ts
@@ -0,0 +1,40 @@
+import { apiFetch, type ApiResult } from '$lib/api/client';
+import type { Capsule, CreateCapsuleParams, Snapshot } from '$lib/api/capsules';
+import type { AdminTemplate } from '$lib/api/builds';
+
+export async function listAdminCapsules(): Promise<ApiResult<Capsule[]>> {
+	return apiFetch('GET', '/api/v1/admin/capsules');
+}
+
+export async function getAdminCapsule(id: string): Promise<ApiResult<Capsule>> {
+	return apiFetch('GET', `/api/v1/admin/capsules/${id}`);
+}
+
+export async function createAdminCapsule(params: CreateCapsuleParams): Promise<ApiResult<Capsule>> {
+	return apiFetch('POST', '/api/v1/admin/capsules', params);
+}
+
+export async function destroyAdminCapsule(id: string): Promise<ApiResult<void>> {
+	return apiFetch('DELETE', `/api/v1/admin/capsules/${id}`);
+}
+
+export async function snapshotAdminCapsule(id: string, name?: string): Promise<ApiResult<Snapshot>> {
+	return apiFetch('POST', `/api/v1/admin/capsules/${id}/snapshot`, { name });
+}
+
+/** Fetch platform templates for the admin create dialog. */
+export async function listPlatformTemplates(): Promise<ApiResult<Snapshot[]>> {
+	const result = await apiFetch<AdminTemplate[]>('GET', '/api/v1/admin/templates');
+	if (!result.ok) return result;
+	// Map AdminTemplate → Snapshot shape.
+	const snapshots: Snapshot[] = result.data.map((t) => ({
+		name: t.name,
+		type: t.type,
+		vcpus: t.vcpus || undefined,
+		memory_mb: t.memory_mb || undefined,
+		size_bytes: t.size_bytes,
+		created_at: t.created_at,
+		platform: true,
+	}));
+	return { ok: true, data: snapshots };
+}
diff --git a/frontend/src/lib/api/admin-users.ts b/frontend/src/lib/api/admin-users.ts
new file mode 100644
index 0000000..c5dd339
--- /dev/null
+++ b/frontend/src/lib/api/admin-users.ts
@@ -0,0 +1,28 @@
+import { apiFetch, type ApiResult } from '$lib/api/client';
+
+export type AdminUser = {
+	id: string;
+	email: string;
+	name: string;
+	is_admin: boolean;
+	status: string;
+	created_at: string;
+	teams_joined: number;
+	teams_owned: number;
+};
+
+export type AdminUsersResponse = {
+	users: AdminUser[];
+	total: number;
+	page: number;
+	per_page: number;
+	total_pages: number;
+};
+
+export async function listAdminUsers(page: number = 1): Promise<ApiResult<AdminUsersResponse>> {
+	return apiFetch('GET', `/api/v1/admin/users?page=${page}`);
+}
+
+export async function setUserActive(id: string, active: boolean): Promise<ApiResult<void>> {
+	return apiFetch('PUT', `/api/v1/admin/users/${id}/active`, { active });
+}
diff --git a/frontend/src/lib/api/auth.ts b/frontend/src/lib/api/auth.ts
index 845b8a3..1a3ede9 100644
--- a/frontend/src/lib/api/auth.ts
+++ b/frontend/src/lib/api/auth.ts
@@ -6,17 +6,26 @@ export type AuthResponse = {
 	name: string;
 };
 
+export type SignupResponse = {
+	message: string;
+};
+
 export type AuthResult = { ok: true; data: AuthResponse } | { ok: false; error: string };
+export type SignupResult = { ok: true; data: SignupResponse } | { ok: false; error: string };
 
 export async function apiLogin(email: string, password: string): Promise<AuthResult> {
 	return authFetch('/api/v1/auth/login', { email, password });
 }
 
-export async function apiSignup(email: string, password: string, name: string): Promise<AuthResult> {
+export async function apiSignup(email: string, password: string, name: string): Promise<SignupResult> {
 	return authFetch('/api/v1/auth/signup', { email, password, name });
 }
 
-async function authFetch(url: string, body: Record<string, string>): Promise<AuthResult> {
+export async function apiActivate(token: string): Promise<AuthResult> {
+	return authFetch('/api/v1/auth/activate', { token });
+}
+
+async function authFetch<T = AuthResponse>(url: string, body: Record<string, string>): Promise<{ ok: true; data: T } | { ok: false; error: string }> {
 	try {
 		const res = await fetch(url, {
 			method: 'POST',
@@ -31,7 +40,7 @@ async function authFetch(url: string, body: Record<string, string>): Promise<Aut
 			return { ok: false, error: message };
 		}
 
-		return { ok: true, data: data as AuthResponse };
+		return { ok: true, data: data as T };
 	} catch {
 		return { ok: false, error: 'Unable to connect to the server' };
 	}
diff --git a/frontend/src/lib/api/builds.ts b/frontend/src/lib/api/builds.ts
index 1de23b8..fe9fa1f 100644
--- a/frontend/src/lib/api/builds.ts
+++ b/frontend/src/lib/api/builds.ts
@@ -1,4 +1,4 @@
-import { apiFetch, type ApiResult } from '$lib/api/client';
+import { apiFetch, apiFetchMultipart, type ApiResult } from '$lib/api/client';
 
 export type BuildLogEntry = {
 	step: number;
@@ -26,6 +26,8 @@ export type Build = {
 	error?: string;
 	sandbox_id?: string;
 	host_id?: string;
+	default_user: string;
+	default_env: Record<string, string>;
 	created_at: string;
 	started_at?: string;
 	completed_at?: string;
@@ -39,9 +41,18 @@ export type CreateBuildParams = {
 	vcpus?: number;
 	memory_mb?: number;
 	skip_pre_post?: boolean;
+	archive?: File;
 };
 
 export async function createBuild(params: CreateBuildParams): Promise<ApiResult<Build>> {
+	if (params.archive) {
+		// Use multipart when an archive file is provided.
+		const { archive, ...config } = params;
+		const formData = new FormData();
+		formData.append('config', JSON.stringify(config));
+		formData.append('archive', archive);
+		return apiFetchMultipart('POST', '/api/v1/admin/builds', formData);
+	}
 	return apiFetch('POST', '/api/v1/admin/builds', params);
 }
 
diff --git a/frontend/src/lib/api/capsules.ts b/frontend/src/lib/api/capsules.ts
index 565f14f..3e8f7f3 100644
--- a/frontend/src/lib/api/capsules.ts
+++ b/frontend/src/lib/api/capsules.ts
@@ -17,11 +17,11 @@ export type Capsule = {
 
 
 export async function listCapsules(): Promise<ApiResult<Capsule[]>> {
-	return apiFetch('GET', '/api/v1/sandboxes');
+	return apiFetch('GET', '/api/v1/capsules');
 }
 
 export async function getCapsule(id: string): Promise<ApiResult<Capsule>> {
-	return apiFetch('GET', `/api/v1/sandboxes/${id}`);
+	return apiFetch('GET', `/api/v1/capsules/${id}`);
 }
 
 export type CreateCapsuleParams = {
@@ -32,19 +32,19 @@ export type CreateCapsuleParams = {
 };
 
 export async function createCapsule(params: CreateCapsuleParams): Promise<ApiResult<Capsule>> {
-	return apiFetch('POST', '/api/v1/sandboxes', params);
+	return apiFetch('POST', '/api/v1/capsules', params);
 }
 
 export async function pauseCapsule(id: string): Promise<ApiResult<Capsule>> {
-	return apiFetch('POST', `/api/v1/sandboxes/${id}/pause`);
+	return apiFetch('POST', `/api/v1/capsules/${id}/pause`);
 }
 
 export async function resumeCapsule(id: string): Promise<ApiResult<Capsule>> {
-	return apiFetch('POST', `/api/v1/sandboxes/${id}/resume`);
+	return apiFetch('POST', `/api/v1/capsules/${id}/resume`);
 }
 
 export async function destroyCapsule(id: string): Promise<ApiResult<void>> {
-	return apiFetch('DELETE', `/api/v1/sandboxes/${id}`);
+	return apiFetch('DELETE', `/api/v1/capsules/${id}`);
 }
 
 export type Snapshot = {
@@ -57,8 +57,8 @@ export type Snapshot = {
 	platform: boolean;
 };
 
-export async function createSnapshot(sandboxId: string, name?: string): Promise<ApiResult<Snapshot>> {
-	return apiFetch('POST', '/api/v1/snapshots', { sandbox_id: sandboxId, name });
+export async function createSnapshot(capsuleId: string, name?: string): Promise<ApiResult<Snapshot>> {
+	return apiFetch('POST', '/api/v1/snapshots', { sandbox_id: capsuleId, name });
 }
 
 export async function listSnapshots(typeFilter?: string): Promise<ApiResult<Snapshot[]>> {
diff --git a/frontend/src/lib/api/client.ts b/frontend/src/lib/api/client.ts
index 00fa381..d6e6459 100644
--- a/frontend/src/lib/api/client.ts
+++ b/frontend/src/lib/api/client.ts
@@ -22,3 +22,24 @@ export async function apiFetch<T>(method: string, path: string, body?: unknown):
 		return { ok: false, error: 'Unable to connect to the server' };
 	}
 }
+
+export async function apiFetchMultipart<T>(method: string, path: string, formData: FormData): Promise<ApiResult<T>> {
+	try {
+		const headers: Record<string, string> = {};
+		if (auth.token) headers['Authorization'] = `Bearer ${auth.token}`;
+
+		const res = await fetch(path, {
+			method,
+			headers,
+			body: formData
+		});
+
+		if (res.status === 204) return { ok: true, data: undefined as T };
+
+		const data = await res.json();
+		if (!res.ok) return { ok: false, error: data?.error?.message ?? 'Something went wrong' };
+		return { ok: true, data: data as T };
+	} catch {
+		return { ok: false, error: 'Unable to connect to the server' };
+	}
+}
diff --git a/frontend/src/lib/api/files.ts b/frontend/src/lib/api/files.ts
new file mode 100644
index 0000000..7d066ec
--- /dev/null
+++ b/frontend/src/lib/api/files.ts
@@ -0,0 +1,141 @@
+import { auth } from '$lib/auth.svelte';
+import { type ApiResult } from '$lib/api/client';
+
+export type FileEntry = {
+	name: string;
+	path: string;
+	type: 'file' | 'directory' | 'symlink' | 'unknown';
+	size: number;
+	mode: number;
+	permissions: string;
+	owner: string;
+	group: string;
+	modified_at: number;
+	symlink_target?: string | null;
+};
+
+export type ListDirResponse = {
+	entries: FileEntry[];
+};
+
+const MAX_READABLE_SIZE = 10 * 1024 * 1024; // 10 MB
+
+/**
+ * Whether a file can be previewed as text in the browser.
+ * Binary/unreadable extensions and files > 10 MB should be downloaded instead.
+ */
+const BINARY_EXTENSIONS = new Set([
+	'.png', '.jpg', '.jpeg', '.gif', '.bmp', '.ico', '.webp', '.avif', '.svg',
+	'.mp3', '.mp4', '.wav', '.ogg', '.flac', '.avi', '.mkv', '.mov', '.webm',
+	'.zip', '.tar', '.gz', '.bz2', '.xz', '.7z', '.rar', '.zst',
+	'.pdf', '.doc', '.docx', '.xls', '.xlsx', '.ppt', '.pptx',
+	'.exe', '.dll', '.so', '.dylib', '.bin', '.o', '.a', '.class', '.pyc',
+	'.woff', '.woff2', '.ttf', '.otf', '.eot',
+	'.db', '.sqlite', '.sqlite3',
+	'.iso', '.img', '.dmg',
+]);
+
+export function isBinaryFile(name: string): boolean {
+	const dot = name.lastIndexOf('.');
+	if (dot === -1) return false;
+	return BINARY_EXTENSIONS.has(name.slice(dot).toLowerCase());
+}
+
+export function isFileTooLarge(size: number): boolean {
+	return size > MAX_READABLE_SIZE;
+}
+
+export function formatFileSize(bytes: number): string {
+	if (bytes === 0) return '0 B';
+	const units = ['B', 'KB', 'MB', 'GB', 'TB'];
+	const i = Math.floor(Math.log(bytes) / Math.log(1024));
+	const val = bytes / Math.pow(1024, i);
+	return `${val < 10 ? val.toFixed(1) : Math.round(val)} ${units[i]}`;
+}
+
+export async function listDir(capsuleId: string, path: string, depth = 1, basePath = '/api/v1/capsules'): Promise<ApiResult<ListDirResponse>> {
+	try {
+		const headers: Record<string, string> = { 'Content-Type': 'application/json' };
+		if (auth.token) headers['Authorization'] = `Bearer ${auth.token}`;
+
+		const res = await fetch(`${basePath}/${capsuleId}/files/list`, {
+			method: 'POST',
+			headers,
+			body: JSON.stringify({ path, depth }),
+		});
+
+		const data = await res.json();
+		if (!res.ok) return { ok: false, error: data?.error?.message ?? 'Failed to list directory' };
+		return { ok: true, data: data as ListDirResponse };
+	} catch {
+		return { ok: false, error: 'Unable to connect to the server' };
+	}
+}
+
+export async function readFile(
+	capsuleId: string,
+	path: string,
+	signal?: AbortSignal,
+	basePath = '/api/v1/capsules',
+): Promise<ApiResult<string>> {
+	try {
+		const headers: Record<string, string> = { 'Content-Type': 'application/json' };
+		if (auth.token) headers['Authorization'] = `Bearer ${auth.token}`;
+
+		const res = await fetch(`${basePath}/${capsuleId}/files/read`, {
+			method: 'POST',
+			headers,
+			body: JSON.stringify({ path }),
+			signal,
+		});
+
+		if (!res.ok) {
+			try {
+				const data = await res.json();
+				return { ok: false, error: data?.error?.message ?? 'Failed to read file' };
+			} catch {
+				return { ok: false, error: `HTTP ${res.status}` };
+			}
+		}
+
+		const blob = await res.blob();
+		const text = await blob.text();
+		return { ok: true, data: text };
+	} catch (e) {
+		if (e instanceof DOMException && e.name === 'AbortError') {
+			return { ok: false, error: 'Request aborted' };
+		}
+		return { ok: false, error: 'Unable to connect to the server' };
+	}
+}
+
+export async function downloadFile(
+	capsuleId: string,
+	path: string,
+	filename: string,
+	signal?: AbortSignal,
+	basePath = '/api/v1/capsules',
+): Promise<void> {
+	const headers: Record<string, string> = { 'Content-Type': 'application/json' };
+	if (auth.token) headers['Authorization'] = `Bearer ${auth.token}`;
+
+	const res = await fetch(`${basePath}/${capsuleId}/files/read`, {
+		method: 'POST',
+		headers,
+		body: JSON.stringify({ path }),
+		signal,
+	});
+
+	if (!res.ok) throw new Error('Download failed');
+
+	const blob = await res.blob();
+	const url = URL.createObjectURL(blob);
+	const a = document.createElement('a');
+	a.href = url;
+	a.download = filename;
+	document.body.appendChild(a);
+	a.click();
+	a.remove();
+	// Delay revocation so the browser has time to start the download
+	setTimeout(() => URL.revokeObjectURL(url), 5000);
+}
diff --git a/frontend/src/lib/api/me.ts b/frontend/src/lib/api/me.ts
new file mode 100644
index 0000000..1396d9d
--- /dev/null
+++ b/frontend/src/lib/api/me.ts
@@ -0,0 +1,42 @@
+import { apiFetch, type ApiResult } from '$lib/api/client';
+import type { AuthResponse } from '$lib/api/auth';
+
+export type MeResponse = {
+	name: string;
+	email: string;
+	has_password: boolean;
+	providers: string[];
+};
+
+export type ChangePasswordBody = {
+	current_password?: string;
+	new_password: string;
+	confirm_password?: string;
+};
+
+export const getMe = (): Promise<ApiResult<MeResponse>> =>
+	apiFetch('GET', '/api/v1/me');
+
+export const updateName = (name: string): Promise<ApiResult<AuthResponse>> =>
+	apiFetch('PATCH', '/api/v1/me', { name });
+
+export const changePassword = (body: ChangePasswordBody): Promise<ApiResult<void>> =>
+	apiFetch('POST', '/api/v1/me/password', body);
+
+export const requestPasswordReset = (email: string): Promise<ApiResult<void>> =>
+	apiFetch('POST', '/api/v1/me/password/reset', { email });
+
+export const confirmPasswordReset = (
+	token: string,
+	new_password: string
+): Promise<ApiResult<void>> =>
+	apiFetch('POST', '/api/v1/me/password/reset/confirm', { token, new_password });
+
+export const getProviderConnectURL = (provider: string): Promise<ApiResult<{ auth_url: string }>> =>
+	apiFetch('GET', `/api/v1/me/providers/${provider}/connect`);
+
+export const disconnectProvider = (provider: string): Promise<ApiResult<void>> =>
+	apiFetch('DELETE', `/api/v1/me/providers/${provider}`);
+
+export const deleteAccount = (confirmation: string): Promise<ApiResult<void>> =>
+	apiFetch('DELETE', '/api/v1/me', { confirmation });
diff --git a/frontend/src/lib/api/metrics.ts b/frontend/src/lib/api/metrics.ts
index baf9f11..f093bf5 100644
--- a/frontend/src/lib/api/metrics.ts
+++ b/frontend/src/lib/api/metrics.ts
@@ -15,11 +15,20 @@ export type MetricsResponse = {
 	points: MetricPoint[];
 };
 
-export async function fetchSandboxMetrics(id: string, range: MetricRange): Promise<ApiResult<MetricsResponse>> {
-	return apiFetch('GET', `/api/v1/sandboxes/${id}/metrics?range=${range}`);
+export async function fetchCapsuleMetrics(id: string, range: MetricRange, basePath = '/api/v1/capsules'): Promise<ApiResult<MetricsResponse>> {
+	return apiFetch('GET', `${basePath}/${id}/metrics?range=${range}`);
 }
 
 export const METRIC_RANGES: MetricRange[] = ['5m', '10m', '1h', '6h', '24h'];
 
-// All ranges poll every 10 seconds.
+// Poll interval varies by range — shorter ranges need fresher data.
+export const METRIC_POLL_INTERVALS: Record<MetricRange, number> = {
+	'5m':  10_000,
+	'10m': 10_000,
+	'1h':  30_000,
+	'6h':  60_000,
+	'24h': 120_000,
+};
+
+/** @deprecated Use METRIC_POLL_INTERVALS instead */
 export const METRIC_POLL_INTERVAL = 10_000;
diff --git a/frontend/src/lib/api/stats.ts b/frontend/src/lib/api/stats.ts
index 3f85483..948ae12 100644
--- a/frontend/src/lib/api/stats.ts
+++ b/frontend/src/lib/api/stats.ts
@@ -24,7 +24,7 @@ export type StatsResponse = {
 };
 
 export async function fetchStats(range: TimeRange): Promise<ApiResult<StatsResponse>> {
-	return apiFetch('GET', `/api/v1/sandboxes/stats?range=${range}`);
+	return apiFetch('GET', `/api/v1/capsules/stats?range=${range}`);
 }
 
 export const POLL_INTERVALS: Record<TimeRange, number> = {
diff --git a/frontend/src/lib/api/team.ts b/frontend/src/lib/api/team.ts
index 0ffc4ed..2cebb8e 100644
--- a/frontend/src/lib/api/team.ts
+++ b/frontend/src/lib/api/team.ts
@@ -83,3 +83,39 @@ export async function leaveTeam(id: string): Promise<ApiResult<void>> {
 export async function searchUsers(email: string): Promise<ApiResult<UserSearchResult[]>> {
 	return apiFetch('GET', `/api/v1/users/search?email=${encodeURIComponent(email)}`);
 }
+
+// Admin team types and API functions
+
+export type AdminTeam = {
+	id: string;
+	name: string;
+	slug: string;
+	is_byoc: boolean;
+	created_at: string;
+	deleted_at: string | null;
+	member_count: number;
+	owner_name: string;
+	owner_email: string;
+	active_sandbox_count: number;
+	channel_count: number;
+};
+
+export type AdminTeamsResponse = {
+	teams: AdminTeam[];
+	total: number;
+	page: number;
+	per_page: number;
+	total_pages: number;
+};
+
+export async function listAdminTeams(page: number = 1): Promise<ApiResult<AdminTeamsResponse>> {
+	return apiFetch('GET', `/api/v1/admin/teams?page=${page}`);
+}
+
+export async function adminSetBYOC(id: string, enabled: boolean): Promise<ApiResult<void>> {
+	return apiFetch('PUT', `/api/v1/admin/teams/${id}/byoc`, { enabled });
+}
+
+export async function adminDeleteTeam(id: string): Promise<ApiResult<void>> {
+	return apiFetch('DELETE', `/api/v1/admin/teams/${id}`);
+}
diff --git a/frontend/src/lib/components/AdminSidebar.svelte b/frontend/src/lib/components/AdminSidebar.svelte
index ebf4b64..e7421b0 100644
--- a/frontend/src/lib/components/AdminSidebar.svelte
+++ b/frontend/src/lib/components/AdminSidebar.svelte
@@ -3,14 +3,17 @@
 	import { auth } from '$lib/auth.svelte';
 	import {
 		IconServer,
-		IconTemplate,
+		IconBox,
+		IconMonitor,
 		IconSettings,
 		IconLogout,
 		IconSidebar,
 		IconBell,
 		IconDocs,
 		IconChevron,
-		IconShield
+		IconShield,
+		IconMembers,
+		IconUser
 	} from './icons';
 
 	let { collapsed = $bindable(false) }: { collapsed: boolean } = $props();
@@ -22,8 +25,14 @@
 	};
 
 	const managementItems: NavItem[] = [
-		{ label: 'Hosts', icon: IconServer, href: '/admin/hosts' },
-		{ label: 'Templates', icon: IconTemplate, href: '/admin/templates' }
+		{ label: 'Users', icon: IconUser, href: '/admin/users' },
+		{ label: 'Teams', icon: IconMembers, href: '/admin/teams' }
+	];
+
+	const platformItems: NavItem[] = [
+		{ label: 'Templates', icon: IconBox, href: '/admin/templates' },
+		{ label: 'Capsules', icon: IconMonitor, href: '/admin/capsules' },
+		{ label: 'Hosts', icon: IconServer, href: '/admin/hosts' }
 	];
 
 	function isActive(href: string): boolean {
@@ -96,43 +105,8 @@
 
 	<!-- Navigation -->
 	<nav class="flex-1 overflow-y-auto px-3 {collapsed ? 'px-1.5' : ''}">
-		<div class="mb-3">
-			{#if !collapsed}
-				<div class="mb-1 px-2.5 py-1.5 text-label font-semibold uppercase tracking-[0.06em] text-[var(--color-text-tertiary)]">
-					Management
-				</div>
-			{:else}
-				<div class="mx-1 my-2 h-px bg-[var(--color-border)]"></div>
-			{/if}
-			{#each managementItems as item}
-				{#if isActive(item.href)}
-					<a
-						href={item.href}
-						class="group relative flex items-center rounded-[var(--radius-input)] bg-[var(--color-accent-glow-mid)] px-2.5 py-2.5 transition-colors duration-150 {collapsed ? 'justify-center px-2' : 'gap-3'}"
-						title={collapsed ? item.label : undefined}
-					>
-						{#if !collapsed}
-							<div class="absolute left-0 top-1/2 h-5 w-[3px] -translate-y-1/2 rounded-r-full bg-[var(--color-accent)]"></div>
-						{/if}
-						<item.icon size={16} class="shrink-0 text-[var(--color-accent-bright)]" />
-						{#if !collapsed}
-							<span class="text-ui font-medium text-[var(--color-accent-bright)]">{item.label}</span>
-						{/if}
-					</a>
-				{:else}
-					<a
-						href={item.href}
-						class="group flex items-center rounded-[var(--radius-input)] px-2.5 py-2.5 transition-colors duration-150 hover:bg-[var(--color-bg-3)] {collapsed ? 'justify-center px-2' : 'gap-3'}"
-						title={collapsed ? item.label : undefined}
-					>
-						<item.icon size={16} class="shrink-0 opacity-50 transition-opacity duration-150 group-hover:opacity-100" />
-						{#if !collapsed}
-							<span class="text-ui text-[var(--color-text-primary)] transition-colors duration-150 group-hover:text-[var(--color-text-bright)]">{item.label}</span>
-						{/if}
-					</a>
-				{/if}
-			{/each}
-		</div>
+		{@render navSection('Platform', platformItems)}
+		{@render navSection('Management', managementItems)}
 	</nav>
 
 	<!-- Bottom links -->
@@ -184,3 +158,43 @@
 		</button>
 	</div>
 </aside>
+
+{#snippet navSection(title: string, items: NavItem[])}
+	<div class="mb-3">
+		{#if !collapsed}
+			<div class="mb-1 px-2.5 py-1.5 text-label font-semibold uppercase tracking-[0.06em] text-[var(--color-text-tertiary)]">
+				{title}
+			</div>
+		{:else}
+			<div class="mx-1 my-2 h-px bg-[var(--color-border)]"></div>
+		{/if}
+		{#each items as item}
+			{#if isActive(item.href)}
+				<a
+					href={item.href}
+					class="group relative flex items-center rounded-[var(--radius-input)] bg-[var(--color-accent-glow-mid)] px-2.5 py-2.5 transition-colors duration-150 {collapsed ? 'justify-center px-2' : 'gap-3'}"
+					title={collapsed ? item.label : undefined}
+				>
+					{#if !collapsed}
+						<div class="absolute left-0 top-1/2 h-5 w-[3px] -translate-y-1/2 rounded-r-full bg-[var(--color-accent)]"></div>
+					{/if}
+					<item.icon size={16} class="shrink-0 text-[var(--color-accent-bright)]" />
+					{#if !collapsed}
+						<span class="text-ui font-medium text-[var(--color-accent-bright)]">{item.label}</span>
+					{/if}
+				</a>
+			{:else}
+				<a
+					href={item.href}
+					class="group flex items-center rounded-[var(--radius-input)] px-2.5 py-2.5 transition-colors duration-150 hover:bg-[var(--color-bg-3)] {collapsed ? 'justify-center px-2' : 'gap-3'}"
+					title={collapsed ? item.label : undefined}
+				>
+					<item.icon size={16} class="shrink-0 opacity-50 transition-opacity duration-150 group-hover:opacity-100" />
+					{#if !collapsed}
+						<span class="text-ui text-[var(--color-text-primary)] transition-colors duration-150 group-hover:text-[var(--color-text-bright)]">{item.label}</span>
+					{/if}
+				</a>
+			{/if}
+		{/each}
+	</div>
+{/snippet}
diff --git a/frontend/src/lib/components/AuthModal.svelte b/frontend/src/lib/components/AuthModal.svelte
deleted file mode 100644
index 2f23a5c..0000000
--- a/frontend/src/lib/components/AuthModal.svelte
+++ /dev/null
@@ -1,210 +0,0 @@
-<script lang="ts">
-	import { Dialog } from 'bits-ui';
-	import {
-		IconGithub,
-		IconMail,
-		IconLock,
-		IconUser,
-		IconX,
-		IconEye,
-		IconEyeOff
-	} from './icons';
-
-	let {
-		mode = $bindable('signin'),
-		open = $bindable(false),
-		onSwitchMode
-	}: {
-		mode: 'signin' | 'signup';
-		open: boolean;
-		onSwitchMode: () => void;
-	} = $props();
-
-	let email = $state('');
-	let password = $state('');
-	let name = $state('');
-	let showPassword = $state(false);
-
-	const title = $derived(mode === 'signin' ? 'Welcome back' : 'Create account');
-	const subtitle = $derived(
-		mode === 'signin' ? 'Sign in to your Wrenn account' : 'Get started with Wrenn'
-	);
-	const submitLabel = $derived(mode === 'signin' ? 'Sign in' : 'Create account');
-	const switchText = $derived(
-		mode === 'signin' ? "Don't have an account?" : 'Already have an account?'
-	);
-	const switchAction = $derived(mode === 'signin' ? 'Sign up' : 'Sign in');
-
-	function handleSubmit(e: Event) {
-		e.preventDefault();
-	}
-</script>
-
-<Dialog.Root bind:open>
-	<Dialog.Portal>
-		<Dialog.Overlay
-			class="fixed inset-0 z-50 bg-black/70 backdrop-blur-[3px]"
-			style="animation: overlayFadeIn 200ms ease"
-		/>
-		<Dialog.Content
-			class="fixed left-1/2 top-1/2 z-50 w-[calc(100%-2rem)] max-w-[400px] -translate-x-1/2 -translate-y-1/2 rounded-[var(--radius-card)] border border-[var(--color-border-mid)] bg-[var(--color-bg-2)] p-0"
-			style="animation: contentSlideIn 250ms cubic-bezier(0.16, 1, 0.3, 1)"
-		>
-			<!-- Close button -->
-			<Dialog.Close
-				class="absolute right-3 top-3 flex h-7 w-7 items-center justify-center rounded-[var(--radius-button)] border border-transparent text-[var(--color-text-tertiary)] transition-colors duration-150 hover:border-[var(--color-border-mid)] hover:bg-[var(--color-bg-4)] hover:text-[var(--color-text-secondary)]"
-			>
-				<IconX size={14} />
-			</Dialog.Close>
-
-			<div class="px-7 pb-7 pt-8">
-				<!-- Header -->
-				<div class="mb-7">
-					<Dialog.Title
-						class="font-serif text-page tracking-[-0.02em] text-[var(--color-text-bright)]"
-					>
-						{title}
-					</Dialog.Title>
-					<Dialog.Description
-						class="mt-1 text-ui text-[var(--color-text-secondary)]"
-					>
-						{subtitle}
-					</Dialog.Description>
-				</div>
-
-				<!-- GitHub OAuth -->
-				<button
-					type="button"
-					class="flex w-full items-center justify-center gap-2.5 rounded-[var(--radius-button)] border border-[var(--color-border-mid)] bg-[var(--color-bg-2)] px-4 py-2.5 text-ui font-medium text-[var(--color-text-bright)] transition-all duration-150 hover:border-[var(--color-accent)] hover:text-[var(--color-text-bright)]"
-				>
-					<IconGithub size={16} />
-					Continue with GitHub
-				</button>
-
-				<!-- Divider -->
-				<div class="my-5 flex items-center gap-3">
-					<div class="h-px flex-1 bg-[var(--color-border)]"></div>
-					<span
-						class="font-mono text-badge uppercase tracking-[0.1em] text-[var(--color-text-muted)]"
-						>or</span
-					>
-					<div class="h-px flex-1 bg-[var(--color-border)]"></div>
-				</div>
-
-				<!-- Form -->
-				<form onsubmit={handleSubmit} class="space-y-3">
-					{#if mode === 'signup'}
-						<div class="group relative">
-							<div
-								class="pointer-events-none absolute left-3 top-1/2 -translate-y-1/2 text-[var(--color-text-muted)] transition-colors duration-150 group-focus-within:text-[var(--color-accent)]"
-							>
-								<IconUser size={14} />
-							</div>
-							<input
-								type="text"
-								bind:value={name}
-								placeholder="Full name"
-								autocomplete="name"
-								class="w-full rounded-[var(--radius-input)] border border-[var(--color-border)] bg-[var(--color-bg-2)] py-2.5 pl-9 pr-3 text-ui text-[var(--color-text-bright)] outline-none transition-all duration-150 placeholder:text-[var(--color-text-muted)] focus:border-[var(--color-accent)]"
-							/>
-						</div>
-					{/if}
-
-					<div class="group relative">
-						<div
-							class="pointer-events-none absolute left-3 top-1/2 -translate-y-1/2 text-[var(--color-text-muted)] transition-colors duration-150 group-focus-within:text-[var(--color-accent)]"
-						>
-							<IconMail size={14} />
-						</div>
-						<input
-							type="email"
-							bind:value={email}
-							placeholder="Email address"
-							autocomplete="email"
-							class="w-full rounded-[var(--radius-input)] border border-[var(--color-border)] bg-[var(--color-bg-2)] py-2.5 pl-9 pr-3 text-ui text-[var(--color-text-bright)] outline-none transition-all duration-150 placeholder:text-[var(--color-text-muted)] focus:border-[var(--color-accent)]"
-						/>
-					</div>
-
-					<div class="group relative">
-						<div
-							class="pointer-events-none absolute left-3 top-1/2 -translate-y-1/2 text-[var(--color-text-muted)] transition-colors duration-150 group-focus-within:text-[var(--color-accent)]"
-						>
-							<IconLock size={14} />
-						</div>
-						<input
-							type={showPassword ? 'text' : 'password'}
-							bind:value={password}
-							placeholder="Password"
-							autocomplete={mode === 'signin' ? 'current-password' : 'new-password'}
-							class="w-full rounded-[var(--radius-input)] border border-[var(--color-border)] bg-[var(--color-bg-2)] py-2.5 pl-9 pr-10 text-ui text-[var(--color-text-bright)] outline-none transition-all duration-150 placeholder:text-[var(--color-text-muted)] focus:border-[var(--color-accent)]"
-						/>
-						<button
-							type="button"
-							onclick={() => (showPassword = !showPassword)}
-							class="absolute right-3 top-1/2 -translate-y-1/2 text-[var(--color-text-muted)] transition-colors duration-150 hover:text-[var(--color-text-secondary)]"
-							tabindex={-1}
-						>
-							{#if showPassword}
-								<IconEyeOff size={14} />
-							{:else}
-								<IconEye size={14} />
-							{/if}
-						</button>
-					</div>
-
-					{#if mode === 'signin'}
-						<div class="flex justify-end">
-							<button
-								type="button"
-								class="text-meta text-[var(--color-text-secondary)] transition-colors duration-150 hover:text-[var(--color-accent-mid)]"
-							>
-								Forgot password?
-							</button>
-						</div>
-					{/if}
-
-					<button
-						type="submit"
-						class="!mt-5 w-full rounded-[var(--radius-button)] bg-[var(--color-accent)] px-4 py-2.5 text-ui font-semibold text-white transition-all duration-150 hover:brightness-115 hover:-translate-y-px active:translate-y-0"
-					>
-						{submitLabel}
-					</button>
-				</form>
-
-				<!-- Switch mode -->
-				<p class="mt-5 text-center text-meta text-[var(--color-text-secondary)]">
-					{switchText}
-					<button
-						type="button"
-						onclick={onSwitchMode}
-						class="font-medium text-[var(--color-text-primary)] transition-colors duration-150 hover:text-[var(--color-text-bright)]"
-					>
-						{switchAction}
-					</button>
-				</p>
-			</div>
-		</Dialog.Content>
-	</Dialog.Portal>
-</Dialog.Root>
-
-<style>
-	@keyframes overlayFadeIn {
-		from {
-			opacity: 0;
-		}
-		to {
-			opacity: 1;
-		}
-	}
-
-	@keyframes contentSlideIn {
-		from {
-			opacity: 0;
-			transform: translate(-50%, -48%) scale(0.96);
-		}
-		to {
-			opacity: 1;
-			transform: translate(-50%, -50%) scale(1);
-		}
-	}
-</style>
diff --git a/frontend/src/lib/components/CopyButton.svelte b/frontend/src/lib/components/CopyButton.svelte
new file mode 100644
index 0000000..97ca2be
--- /dev/null
+++ b/frontend/src/lib/components/CopyButton.svelte
@@ -0,0 +1,112 @@
+<script lang="ts">
+	let { value }: { value: string } = $props();
+
+	let copied = $state(false);
+	let timer: ReturnType<typeof setTimeout> | null = null;
+
+	async function copy(e: MouseEvent) {
+		e.preventDefault();
+		e.stopPropagation();
+		try {
+			await navigator.clipboard.writeText(value);
+			copied = true;
+			if (timer) clearTimeout(timer);
+			timer = setTimeout(() => (copied = false), 1800);
+		} catch {
+			// Clipboard API unavailable
+		}
+	}
+</script>
+
+<button
+	onclick={copy}
+	class="copy-btn"
+	class:copied
+	aria-label="Copy to clipboard"
+>
+	<span class="copy-btn-inner">
+		{#if copied}
+			<svg width="12" height="12" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="3" stroke-linecap="round" stroke-linejoin="round" class="check-icon">
+				<polyline points="20 6 9 17 4 12" />
+			</svg>
+		{:else}
+			<svg width="12" height="12" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="clipboard-icon">
+				<rect x="9" y="9" width="13" height="13" rx="2" ry="2" />
+				<path d="M5 15H4a2 2 0 0 1-2-2V4a2 2 0 0 1 2-2h9a2 2 0 0 1 2 2v1" />
+			</svg>
+		{/if}
+	</span>
+
+
+</button>
+
+<style>
+	.copy-btn {
+		position: relative;
+		display: inline-flex;
+		align-items: center;
+		gap: 4px;
+		height: 22px;
+		padding: 0 4px;
+		border-radius: 4px;
+		color: var(--color-text-muted);
+		background: transparent;
+		border: 1px solid transparent;
+		cursor: pointer;
+		transition: color 0.15s ease, background 0.15s ease, border-color 0.15s ease;
+		flex-shrink: 0;
+	}
+
+	.copy-btn:hover {
+		color: var(--color-text-secondary);
+		background: var(--color-bg-4);
+		border-color: var(--color-border);
+	}
+
+	.copy-btn:active {
+		transform: scale(0.92);
+	}
+
+	/* ── Copied state ── */
+	.copy-btn.copied {
+		opacity: 1;
+		color: var(--color-accent-bright);
+		background: rgba(94, 140, 88, 0.1);
+		border-color: rgba(94, 140, 88, 0.25);
+	}
+
+	.copy-btn-inner {
+		display: flex;
+		align-items: center;
+		justify-content: center;
+		width: 14px;
+		height: 14px;
+	}
+
+	/* ── Clipboard icon — subtle nudge on hover ── */
+	.clipboard-icon {
+		transition: transform 0.15s ease;
+	}
+	.copy-btn:hover .clipboard-icon {
+		transform: translate(-0.5px, -0.5px);
+	}
+
+	/* ── Check icon draw animation ── */
+	.check-icon {
+		animation: checkDraw 0.3s cubic-bezier(0.25, 1, 0.5, 1) both;
+	}
+	.check-icon polyline {
+		stroke-dasharray: 24;
+		stroke-dashoffset: 24;
+		animation: drawCheck 0.3s cubic-bezier(0.25, 1, 0.5, 1) 0.05s forwards;
+	}
+	@keyframes drawCheck {
+		to { stroke-dashoffset: 0; }
+	}
+	@keyframes checkDraw {
+		0% { transform: scale(0.6); opacity: 0; }
+		50% { opacity: 1; }
+		100% { transform: scale(1); opacity: 1; }
+	}
+
+</style>
diff --git a/frontend/src/lib/components/CreateCapsuleDialog.svelte b/frontend/src/lib/components/CreateCapsuleDialog.svelte
index 2bd027d..36d893f 100644
--- a/frontend/src/lib/components/CreateCapsuleDialog.svelte
+++ b/frontend/src/lib/components/CreateCapsuleDialog.svelte
@@ -1,23 +1,126 @@
 <script lang="ts">
-	import { createCapsule, type Capsule, type CreateCapsuleParams } from '$lib/api/capsules';
+	import { createCapsule, listSnapshots, type Capsule, type CreateCapsuleParams, type Snapshot } from '$lib/api/capsules';
+	import { createAdminCapsule, listPlatformTemplates } from '$lib/api/admin-capsules';
 
 	type Props = {
 		open: boolean;
 		onclose: () => void;
 		oncreated?: (capsule: Capsule) => void;
+		/** 'team' = user-scoped templates (default), 'platform' = admin platform templates only */
+		templateSource?: 'team' | 'platform';
 	};
-	let { open, onclose, oncreated }: Props = $props();
+	let { open, onclose, oncreated, templateSource = 'team' }: Props = $props();
 
 	let createForm = $state<CreateCapsuleParams>({ template: 'minimal', vcpus: 1, memory_mb: 512, timeout_sec: 0 });
 	let creating = $state(false);
 	let createError = $state<string | null>(null);
 
+	// Template combobox state
+	let templates = $state<Snapshot[]>([]);
+	let templatesLoading = $state(false);
+	let templateQuery = $state('');
+	let comboOpen = $state(false);
+	let highlightIdx = $state(-1);
+	let inputEl = $state<HTMLInputElement | undefined>(undefined);
+	let listEl = $state<HTMLUListElement | undefined>(undefined);
+
+	// Resolve selected template for type indicator + snapshot locking
+	let selectedTemplate = $derived(
+		templates.find((t) => t.name === createForm.template)
+	);
+	let selectedIsSnapshot = $derived(selectedTemplate?.type === 'snapshot');
+
+	let filtered = $derived.by(() => {
+		const q = templateQuery.toLowerCase();
+		if (!q) return templates;
+		return templates.filter((t) => t.name.toLowerCase().includes(q));
+	});
+
+	// Fetch templates when dialog opens
+	$effect(() => {
+		if (open && templates.length === 0 && !templatesLoading) {
+			templatesLoading = true;
+			const fetcher = templateSource === 'platform' ? listPlatformTemplates : listSnapshots;
+			fetcher().then((result) => {
+				if (result.ok) templates = result.data;
+				templatesLoading = false;
+			});
+		}
+		if (open) {
+			templateQuery = createForm.template ?? '';
+		}
+	});
+
+	function selectTemplate(t: Snapshot) {
+		createForm.template = t.name;
+		templateQuery = t.name;
+		// Pre-fill specs from the template if available
+		if (t.vcpus) createForm.vcpus = t.vcpus;
+		if (t.memory_mb) createForm.memory_mb = t.memory_mb;
+		comboOpen = false;
+		highlightIdx = -1;
+	}
+
+	function handleInputKeydown(e: KeyboardEvent) {
+		if (!comboOpen && (e.key === 'ArrowDown' || e.key === 'ArrowUp')) {
+			comboOpen = true;
+			highlightIdx = 0;
+			e.preventDefault();
+			return;
+		}
+		if (!comboOpen) return;
+
+		if (e.key === 'ArrowDown') {
+			e.preventDefault();
+			highlightIdx = Math.min(highlightIdx + 1, filtered.length - 1);
+			scrollToHighlighted();
+		} else if (e.key === 'ArrowUp') {
+			e.preventDefault();
+			highlightIdx = Math.max(highlightIdx - 1, 0);
+			scrollToHighlighted();
+		} else if (e.key === 'Enter' && highlightIdx >= 0 && highlightIdx < filtered.length) {
+			e.preventDefault();
+			selectTemplate(filtered[highlightIdx]);
+		} else if (e.key === 'Escape') {
+			comboOpen = false;
+			highlightIdx = -1;
+		}
+	}
+
+	function scrollToHighlighted() {
+		if (!listEl) return;
+		const item = listEl.children[highlightIdx] as HTMLElement | undefined;
+		item?.scrollIntoView({ block: 'nearest' });
+	}
+
+	function handleInputFocus() {
+		comboOpen = true;
+		highlightIdx = -1;
+	}
+
+	function handleInputBlur() {
+		// Delay to allow click on dropdown item to fire first
+		setTimeout(() => {
+			comboOpen = false;
+			// If the typed query matches an existing template, apply it
+			const match = templates.find((t) => t.name === templateQuery);
+			if (match) {
+				createForm.template = match.name;
+			} else {
+				// Allow free-form entry (user might know a template name not in the list)
+				createForm.template = templateQuery;
+			}
+		}, 150);
+	}
+
 	async function handleCreate() {
 		creating = true;
 		createError = null;
-		const result = await createCapsule(createForm);
+		const creator = templateSource === 'platform' ? createAdminCapsule : createCapsule;
+		const result = await creator(createForm);
 		if (result.ok) {
 			createForm = { template: 'minimal', vcpus: 1, memory_mb: 512, timeout_sec: 0 };
+			templateQuery = 'minimal';
 			oncreated?.(result.data);
 			onclose();
 		} else {
@@ -36,8 +139,9 @@
 			onkeydown={(e) => { if (e.key === 'Escape' && !creating) onclose(); }}
 		></div>
 
-		<div class="relative w-full max-w-[420px] rounded-[var(--radius-card)] border border-[var(--color-border-mid)] bg-[var(--color-bg-2)] p-6" style="animation: fadeUp 0.2s ease both; box-shadow: var(--shadow-dialog)">
-			<h2 class="font-serif text-heading tracking-[-0.02em] text-[var(--color-text-bright)]">Launch Capsule</h2>
+		<div class="relative w-full max-w-[420px] rounded-[var(--radius-card)] border border-[var(--color-border-mid)] bg-[var(--color-bg-2)]" style="animation: fadeUp 0.2s ease both; box-shadow: var(--shadow-dialog)">
+			<div class="p-6">
+			<h2 class="font-serif text-heading text-[var(--color-text-bright)]">Launch Capsule</h2>
 			<p class="mt-1 text-ui text-[var(--color-text-tertiary)]">Configure resources and launch. The VM will be ready in under a second.</p>
 
 			{#if createError}
@@ -47,16 +151,101 @@
 			{/if}
 
 			<div class="mt-5 space-y-4">
-				<div>
+				<!-- Template combobox -->
+				<div class="relative">
 					<label class="mb-1.5 block text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-tertiary)]" for="create-template">Template</label>
-					<input
-						id="create-template"
-						type="text"
-						bind:value={createForm.template}
-						class="w-full rounded-[var(--radius-input)] border border-[var(--color-border)] bg-[var(--color-bg-4)] px-3 py-2 font-mono text-ui text-[var(--color-text-bright)] outline-none placeholder:text-[var(--color-text-muted)] transition-colors duration-150 focus:border-[var(--color-accent)]"
-						placeholder="minimal"
-					/>
-					<p class="mt-1.5 text-meta text-[var(--color-text-muted)]">Name of a snapshot or base image to boot from.</p>
+					<div class="relative">
+						{#if selectedTemplate}
+							<span class="pointer-events-none absolute left-3 top-1/2 -translate-y-1/2 h-1.5 w-1.5 rounded-full {selectedTemplate.type === 'snapshot' ? 'bg-[var(--color-accent)]' : 'bg-[var(--color-blue)]'}"></span>
+						{/if}
+						<input
+							bind:this={inputEl}
+							id="create-template"
+							type="text"
+							role="combobox"
+							aria-expanded={comboOpen}
+							aria-autocomplete="list"
+							aria-controls="template-listbox"
+							autocomplete="off"
+							bind:value={templateQuery}
+							onfocus={handleInputFocus}
+							onblur={handleInputBlur}
+							onkeydown={handleInputKeydown}
+							disabled={creating}
+							class="w-full rounded-[var(--radius-input)] border border-[var(--color-border)] bg-[var(--color-bg-4)] py-2 pr-8 font-mono text-ui text-[var(--color-text-bright)] outline-none placeholder:text-[var(--color-text-muted)] transition-colors duration-150 focus:border-[var(--color-accent)] disabled:opacity-60 {selectedTemplate ? 'pl-7' : 'pl-3'}"
+							placeholder="Search templates..."
+						/>
+						<!-- Chevron -->
+						<svg
+							class="pointer-events-none absolute right-2.5 top-1/2 -translate-y-1/2 text-[var(--color-text-muted)] transition-transform duration-150 {comboOpen ? 'rotate-180' : ''}"
+							width="12" height="12" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2.5" stroke-linecap="round" stroke-linejoin="round"
+						>
+							<polyline points="6 9 12 15 18 9" />
+						</svg>
+					</div>
+
+					<!-- Dropdown -->
+					{#if comboOpen}
+						<ul
+							bind:this={listEl}
+							id="template-listbox"
+							role="listbox"
+							class="absolute z-10 mt-1 max-h-[200px] w-full overflow-y-auto rounded-[var(--radius-input)] border border-[var(--color-border-mid)] bg-[var(--color-bg-3)] py-1 shadow-lg"
+							style="animation: fadeUp 0.12s ease both"
+						>
+							{#if templatesLoading}
+								<li class="flex items-center gap-2 px-3 py-2.5 text-meta text-[var(--color-text-muted)]">
+									<svg class="animate-spin" width="12" height="12" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><path d="M21 12a9 9 0 1 1-6.219-8.56" /></svg>
+									Loading templates...
+								</li>
+							{:else if filtered.length === 0}
+								<li class="px-3 py-2.5 text-meta text-[var(--color-text-muted)]">
+									{templateQuery ? 'No matching templates' : 'No templates available'}
+								</li>
+							{:else}
+								{#each filtered as t, i (t.name)}
+									<!-- svelte-ignore a11y_click_events_have_key_events -->
+									<li
+										role="option"
+										aria-selected={i === highlightIdx}
+										class="flex cursor-pointer items-center gap-2.5 px-3 py-2 transition-colors duration-75
+											{i === highlightIdx
+												? 'bg-[var(--color-bg-5)] text-[var(--color-text-bright)]'
+												: 'text-[var(--color-text-primary)] hover:bg-[var(--color-bg-4)]'}
+											{createForm.template === t.name ? 'font-medium' : ''}"
+										onmousedown={(e) => { e.preventDefault(); selectTemplate(t); }}
+										onmouseenter={() => { highlightIdx = i; }}
+									>
+										<!-- Type badge -->
+										{#if t.type === 'snapshot'}
+											<span class="inline-flex shrink-0 items-center rounded-full border border-[var(--color-accent)]/25 bg-[var(--color-accent)]/8 px-1.5 py-0.5 text-[10px] font-semibold uppercase tracking-[0.04em] text-[var(--color-accent-bright)]">
+												snap
+											</span>
+										{:else}
+											<span class="inline-flex shrink-0 items-center rounded-full border border-[var(--color-blue)]/25 bg-[var(--color-blue)]/8 px-1.5 py-0.5 text-[10px] font-semibold uppercase tracking-[0.04em] text-[var(--color-blue)]">
+												base
+											</span>
+										{/if}
+										<span class="truncate font-mono text-meta">{t.name}</span>
+										<!-- Specs hint -->
+										{#if t.vcpus && t.memory_mb}
+											<span class="ml-auto shrink-0 text-[10px] text-[var(--color-text-muted)]">
+												{t.vcpus}v · {t.memory_mb}MB
+											</span>
+										{/if}
+										<!-- Selected check -->
+										{#if createForm.template === t.name}
+											<svg class="ml-auto shrink-0 text-[var(--color-accent)]" width="12" height="12" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2.5" stroke-linecap="round" stroke-linejoin="round">
+												<polyline points="20 6 9 17 4 12" />
+											</svg>
+										{/if}
+									</li>
+								{/each}
+							{/if}
+						</ul>
+					{/if}
+
+					<p class="mt-1.5 text-meta text-[var(--color-text-muted)]">Snapshot or base image to boot from.</p>
 				</div>
 
 				<div class="grid grid-cols-2 gap-3">
@@ -68,7 +257,8 @@
 							min="1"
 							max="8"
 							bind:value={createForm.vcpus}
-							class="w-full rounded-[var(--radius-input)] border border-[var(--color-border)] bg-[var(--color-bg-4)] px-3 py-2 font-mono text-ui text-[var(--color-text-bright)] outline-none transition-colors duration-150 focus:border-[var(--color-accent)]"
+							disabled={creating || selectedIsSnapshot}
+							class="w-full rounded-[var(--radius-input)] border border-[var(--color-border)] bg-[var(--color-bg-4)] px-3 py-2 font-mono text-ui text-[var(--color-text-bright)] outline-none transition-colors duration-150 focus:border-[var(--color-accent)] disabled:opacity-60"
 						/>
 					</div>
 					<div>
@@ -80,7 +270,8 @@
 							max="8192"
 							step="128"
 							bind:value={createForm.memory_mb}
-							class="w-full rounded-[var(--radius-input)] border border-[var(--color-border)] bg-[var(--color-bg-4)] px-3 py-2 font-mono text-ui text-[var(--color-text-bright)] outline-none transition-colors duration-150 focus:border-[var(--color-accent)]"
+							disabled={creating || selectedIsSnapshot}
+							class="w-full rounded-[var(--radius-input)] border border-[var(--color-border)] bg-[var(--color-bg-4)] px-3 py-2 font-mono text-ui text-[var(--color-text-bright)] outline-none transition-colors duration-150 focus:border-[var(--color-accent)] disabled:opacity-60"
 						/>
 					</div>
 				</div>
@@ -92,7 +283,8 @@
 						type="number"
 						min="0"
 						bind:value={createForm.timeout_sec}
-						class="w-full rounded-[var(--radius-input)] border border-[var(--color-border)] bg-[var(--color-bg-4)] px-3 py-2 font-mono text-ui text-[var(--color-text-bright)] outline-none transition-colors duration-150 focus:border-[var(--color-accent)]"
+						disabled={creating}
+						class="w-full rounded-[var(--radius-input)] border border-[var(--color-border)] bg-[var(--color-bg-4)] px-3 py-2 font-mono text-ui text-[var(--color-text-bright)] outline-none transition-colors duration-150 focus:border-[var(--color-accent)] disabled:opacity-60"
 						placeholder="0"
 					/>
 					<p class="mt-1.5 text-meta text-[var(--color-text-muted)]">Seconds of inactivity before the capsule pauses. Set to 0 to keep it running indefinitely.</p>
@@ -109,7 +301,7 @@
 				</button>
 				<button
 					onclick={handleCreate}
-					disabled={creating}
+					disabled={creating || !templateQuery.trim()}
 					class="flex items-center gap-2 rounded-[var(--radius-button)] bg-[var(--color-accent)] px-5 py-2 text-ui font-semibold text-white transition-all duration-150 hover:brightness-115 hover:-translate-y-px active:translate-y-0 disabled:opacity-50 disabled:hover:translate-y-0"
 				>
 					{#if creating}
@@ -122,6 +314,7 @@
 					{/if}
 				</button>
 			</div>
+			</div>
 		</div>
 	</div>
 {/if}
diff --git a/frontend/src/lib/components/DestroyDialog.svelte b/frontend/src/lib/components/DestroyDialog.svelte
new file mode 100644
index 0000000..512fdc8
--- /dev/null
+++ b/frontend/src/lib/components/DestroyDialog.svelte
@@ -0,0 +1,87 @@
+<script lang="ts">
+	import { destroyCapsule } from '$lib/api/capsules';
+	import type { ApiResult } from '$lib/api/client';
+
+	type Props = {
+		open: boolean;
+		capsuleId: string;
+		onclose: () => void;
+		ondestroyed?: () => void;
+		destroyFn?: (id: string) => Promise<ApiResult<void>>;
+	};
+	let { open, capsuleId, onclose, ondestroyed, destroyFn }: Props = $props();
+
+	let destroying = $state(false);
+	let error = $state<string | null>(null);
+
+	async function handleDestroy() {
+		destroying = true;
+		error = null;
+		const destroy = destroyFn ?? destroyCapsule;
+		const result = await destroy(capsuleId);
+		if (result.ok) {
+			error = null;
+			ondestroyed?.();
+			onclose();
+		} else {
+			error = result.error;
+		}
+		destroying = false;
+	}
+
+	function handleClose() {
+		if (!destroying) {
+			error = null;
+			onclose();
+		}
+	}
+</script>
+
+{#if open}
+	<div class="fixed inset-0 z-50 flex items-center justify-center">
+		<!-- svelte-ignore a11y_no_static_element_interactions -->
+		<div
+			class="absolute inset-0 bg-black/60"
+			onclick={handleClose}
+			onkeydown={(e) => { if (e.key === 'Escape') handleClose(); }}
+		></div>
+		<div class="relative w-full max-w-[380px] rounded-[var(--radius-card)] border border-[var(--color-border-mid)] bg-[var(--color-bg-2)]" style="animation: fadeUp 0.2s ease both; box-shadow: var(--shadow-dialog)">
+			<div class="p-6">
+			<h2 class="font-serif text-heading text-[var(--color-text-bright)]">Destroy Capsule</h2>
+			<p class="mt-2 text-ui text-[var(--color-text-tertiary)]">
+				Terminate <span class="font-mono text-[var(--color-text-secondary)]">{capsuleId}</span> and destroy all data inside it. This cannot be undone.
+			</p>
+
+			{#if error}
+				<div class="mt-4 rounded-[var(--radius-input)] border border-[var(--color-red)]/30 bg-[var(--color-red)]/5 px-3 py-2 text-meta text-[var(--color-red)]">
+					{error}
+				</div>
+			{/if}
+
+			<div class="mt-6 flex justify-end gap-3">
+				<button
+					onclick={handleClose}
+					disabled={destroying}
+					class="rounded-[var(--radius-button)] border border-[var(--color-border)] px-4 py-2 text-ui text-[var(--color-text-secondary)] transition-colors duration-150 hover:border-[var(--color-border-mid)] hover:text-[var(--color-text-primary)] disabled:opacity-50"
+				>
+					Cancel
+				</button>
+				<button
+					onclick={handleDestroy}
+					disabled={destroying}
+					class="flex items-center gap-2 rounded-[var(--radius-button)] bg-[var(--color-red)] px-5 py-2 text-ui font-semibold text-white transition-all duration-150 hover:brightness-110 hover:-translate-y-px active:translate-y-0 disabled:opacity-50 disabled:hover:translate-y-0"
+				>
+					{#if destroying}
+						<svg class="animate-spin" width="13" height="13" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2">
+							<path d="M21 12a9 9 0 1 1-6.219-8.56" />
+						</svg>
+						Destroying...
+					{:else}
+						Destroy
+					{/if}
+				</button>
+			</div>
+			</div>
+		</div>
+	</div>
+{/if}
diff --git a/frontend/src/lib/components/FilesTab.svelte b/frontend/src/lib/components/FilesTab.svelte
new file mode 100644
index 0000000..46c2d4a
--- /dev/null
+++ b/frontend/src/lib/components/FilesTab.svelte
@@ -0,0 +1,856 @@
+<script lang="ts">
+	import { onDestroy } from 'svelte';
+	import {
+		listDir,
+		readFile,
+		downloadFile,
+		isBinaryFile,
+		isFileTooLarge,
+		formatFileSize,
+		type FileEntry,
+	} from '$lib/api/files';
+	import { tokenize, type ThemedToken } from '$lib/highlight';
+
+	type Props = {
+		capsuleId: string;
+		isRunning: boolean;
+		apiBasePath?: string;
+		/** Hide the file preview pane when no file is selected */
+		compact?: boolean;
+		/** Show only the file tree, completely removing the preview panel */
+		treeOnly?: boolean;
+	};
+
+	let { capsuleId, isRunning, apiBasePath = '/api/v1/capsules', compact = false, treeOnly = false }: Props = $props();
+
+	// Directory navigation state
+	let currentPath = $state('~');
+	let entries = $state<FileEntry[]>([]);
+	let dirLoading = $state(false);
+	let dirError = $state<string | null>(null);
+
+	// File preview state
+	let selectedFile = $state<FileEntry | null>(null);
+	let fileContent = $state<string | null>(null);
+	let fileLoading = $state(false);
+	let fileError = $state<string | null>(null);
+	let downloading = $state(false);
+
+	// Syntax highlighting (lazy — loaded on first use)
+	let highlightedTokens = $state<ThemedToken[][] | null>(null);
+
+	// Request generation counters — discard stale responses from rapid clicks
+	let dirGeneration = 0;
+	let fileGeneration = 0;
+
+	// AbortController for in-flight file reads — aborted when the user
+	// selects a different file or the component is torn down.
+	let fileAbort: AbortController | null = null;
+
+	onDestroy(() => {
+		fileAbort?.abort();
+	});
+
+	const MAX_PREVIEW_LINES = 5000;
+	const MAX_HIGHLIGHT_LINES = 2000; // Don't tokenize huge files — diminishing returns
+
+	// Path input
+	let pathInput = $state('~');
+	let pathInputFocused = $state(false);
+	let pathInputEl = $state<HTMLInputElement | undefined>(undefined);
+
+	// Pre-computed preview lines — avoids re-splitting on every render
+	const previewLines = $derived.by(() => {
+		if (!fileContent) return { lines: [] as string[], truncated: false, totalLines: 0 };
+		const allLines = fileContent.split('\n');
+		const truncated = allLines.length > MAX_PREVIEW_LINES;
+		return {
+			lines: truncated ? allLines.slice(0, MAX_PREVIEW_LINES) : allLines,
+			truncated,
+			totalLines: allLines.length,
+		};
+	});
+
+	// Sorted entries: directories first, then files, alphabetical within each group
+	const sortedEntries = $derived(
+		[...entries].sort((a, b) => {
+			if (a.type === 'directory' && b.type !== 'directory') return -1;
+			if (a.type !== 'directory' && b.type === 'directory') return 1;
+			return a.name.localeCompare(b.name);
+		})
+	);
+
+	// Breadcrumb segments from currentPath
+	const breadcrumbs = $derived.by(() => {
+		const parts = currentPath.split('/').filter(Boolean);
+		const crumbs: { name: string; path: string }[] = [{ name: '/', path: '/' }];
+		for (let i = 0; i < parts.length; i++) {
+			crumbs.push({ name: parts[i], path: '/' + parts.slice(0, i + 1).join('/') });
+		}
+		return crumbs;
+	});
+
+	// Count of dirs vs files for the footer
+	const dirCount = $derived(entries.filter((e) => e.type === 'directory').length);
+	const fileCount = $derived(entries.filter((e) => e.type !== 'directory').length);
+
+	const canGoUp = $derived(currentPath !== '/' && currentPath.startsWith('/'));
+
+	// Only regular files can be downloaded — symlinks and other non-regular types
+	// may point to devices, sockets, or directories that can't be read as a file.
+	const isDownloadable = $derived(selectedFile?.type === 'file');
+
+	// Device files, pipes, sockets, etc. — can't be read or downloaded.
+	const isSpecialFile = $derived(selectedFile?.type === 'unknown');
+
+	async function navigateTo(path: string) {
+		// Abort any in-flight file read and invalidate stale generation so the
+		// abort error isn't surfaced in the UI.
+		fileAbort?.abort();
+		++fileGeneration;
+		currentPath = normalizePath(path);
+		pathInput = currentPath;
+		selectedFile = null;
+		fileContent = null;
+		fileError = null;
+		highlightedTokens = null;
+		await loadDir();
+	}
+
+	function normalizePath(p: string): string {
+		// Let envd handle ~ expansion — pass through as-is
+		if (p === '~' || p.startsWith('~/')) {
+			return p;
+		}
+
+		if (!p.startsWith('/')) {
+			// Relative path — resolve against current directory
+			p = currentPath.replace(/\/$/, '') + '/' + p;
+		}
+		// Collapse .. and .
+		const parts = p.split('/').filter(Boolean);
+		const resolved: string[] = [];
+		for (const part of parts) {
+			if (part === '..') resolved.pop();
+			else if (part !== '.') resolved.push(part);
+		}
+		return '/' + resolved.join('/');
+	}
+
+	/** Derive the parent directory from an entry's absolute path. */
+	function parentFromEntry(entryPath: string): string {
+		const lastSlash = entryPath.lastIndexOf('/');
+		if (lastSlash <= 0) return '/';
+		return entryPath.slice(0, lastSlash);
+	}
+
+	async function loadDir() {
+		if (!isRunning) return;
+		dirLoading = true;
+		dirError = null;
+		const gen = ++dirGeneration;
+		const result = await listDir(capsuleId, currentPath, 1, apiBasePath);
+		if (gen !== dirGeneration) return; // stale response
+		if (result.ok) {
+			entries = result.data.entries ?? [];
+			// Resolve actual path when envd expanded ~ or a relative path
+			if (!currentPath.startsWith('/') && entries.length > 0) {
+				currentPath = parentFromEntry(entries[0].path);
+				pathInput = currentPath;
+			}
+		} else {
+			dirError = result.error;
+			entries = [];
+		}
+		dirLoading = false;
+	}
+
+	async function selectFile(entry: FileEntry) {
+		if (entry.type === 'directory') {
+			await navigateTo(entry.path);
+			return;
+		}
+
+		// Abort any in-flight file read before starting a new one.
+		fileAbort?.abort();
+
+		selectedFile = entry;
+		fileContent = null;
+		fileError = null;
+		highlightedTokens = null;
+
+		// Non-regular files (devices, pipes, sockets) — nothing to read
+		if (entry.type === 'unknown') {
+			return;
+		}
+
+		// Check if we should preview or prompt download
+		if (isBinaryFile(entry.name) || isFileTooLarge(entry.size)) {
+			// Don't load content — the preview pane will show download prompt
+			return;
+		}
+
+		fileLoading = true;
+		const gen = ++fileGeneration;
+		const controller = new AbortController();
+		fileAbort = controller;
+		try {
+			const result = await readFile(capsuleId, entry.path, controller.signal, apiBasePath);
+			if (gen !== fileGeneration) return; // stale response — user clicked another file
+			if (result.ok) {
+				if (looksLikeBinary(result.data)) {
+					fileContent = null;
+				} else {
+					fileContent = result.data;
+					// Kick off highlighting in the background — preview shows plain text immediately.
+					// Only tokenize up to MAX_HIGHLIGHT_LINES to avoid freezing on large files.
+					const linesToHighlight = result.data.split('\n').length > MAX_HIGHLIGHT_LINES
+						? result.data.split('\n').slice(0, MAX_HIGHLIGHT_LINES).join('\n')
+						: result.data;
+					tokenize(linesToHighlight, entry.name).then((tokens) => {
+						if (gen === fileGeneration) highlightedTokens = tokens;
+					});
+				}
+			} else if (result.error !== 'Request aborted') {
+				fileError = result.error;
+			}
+		} finally {
+			if (gen === fileGeneration) fileLoading = false;
+		}
+	}
+
+	function looksLikeBinary(text: string): boolean {
+		// Sample first 8KB for null bytes or high ratio of non-printable chars
+		const sample = text.slice(0, 8192);
+		let nonPrintable = 0;
+		for (let i = 0; i < sample.length; i++) {
+			const code = sample.charCodeAt(i);
+			if (code === 0) return true;
+			if (code < 32 && code !== 9 && code !== 10 && code !== 13) nonPrintable++;
+		}
+		return sample.length > 0 && nonPrintable / sample.length > 0.1;
+	}
+
+	async function handleDownload() {
+		if (!selectedFile || downloading || selectedFile.type !== 'file') return;
+		downloading = true;
+		try {
+			await downloadFile(capsuleId, selectedFile.path, selectedFile.name, undefined, apiBasePath);
+		} catch {
+			fileError = 'Download failed';
+		}
+		downloading = false;
+	}
+
+	function handlePathSubmit(e: SubmitEvent) {
+		e.preventDefault();
+		const target = pathInput.trim();
+		if (!target) return;
+		const resolved = normalizePath(target);
+		navigateOrOpenFile(resolved);
+	}
+
+	async function navigateOrOpenFile(path: string) {
+		// First try as directory
+		const dirResult = await listDir(capsuleId, path, 1, apiBasePath);
+		if (dirResult.ok) {
+			// Resolve actual path from entries (handles ~ expansion by envd)
+			const resolvedEntries = dirResult.data.entries ?? [];
+			let resolvedPath = path;
+			if (resolvedEntries.length > 0) {
+				// Derive parent dir from first entry's absolute path
+				const firstPath = resolvedEntries[0].path;
+				const lastSlash = firstPath.lastIndexOf('/');
+				if (lastSlash >= 0) {
+					resolvedPath = lastSlash === 0 ? '/' : firstPath.slice(0, lastSlash);
+				}
+			}
+			currentPath = resolvedPath;
+			pathInput = resolvedPath;
+			entries = resolvedEntries;
+			selectedFile = null;
+			fileContent = null;
+			fileError = null;
+			return;
+		}
+
+		// If directory listing failed, try reading as a file
+		// We need the parent dir to get the file entry info
+		const lastSlash = path.lastIndexOf('/');
+		const parentPath = lastSlash <= 0 ? '/' : path.slice(0, lastSlash);
+		const fileName = path.slice(lastSlash + 1);
+
+		// Navigate to parent directory
+		currentPath = parentPath;
+		pathInput = parentPath;
+		const parentResult = await listDir(capsuleId, parentPath, 1, apiBasePath);
+		if (parentResult.ok) {
+			entries = parentResult.data.entries ?? [];
+			// Find the file in parent listing
+			const found = entries.find((e) => e.name === fileName);
+			if (found && found.type !== 'directory') {
+				await selectFile(found);
+			} else {
+				dirError = `Not found: ${path}`;
+			}
+		} else {
+			dirError = parentResult.error;
+			entries = [];
+		}
+	}
+
+	function handleKeydown(e: KeyboardEvent) {
+		if (e.key === 'Escape') {
+			(e.target as HTMLInputElement)?.blur();
+		}
+	}
+
+	function fileIcon(entry: FileEntry): string {
+		if (entry.type === 'directory') return 'dir';
+		if (entry.type === 'symlink') return 'link';
+		if (entry.type === 'unknown') return 'special';
+		return 'file';
+	}
+
+	// File extension for subtle coloring
+	function fileExt(name: string): string {
+		const dot = name.lastIndexOf('.');
+		return dot > 0 ? name.slice(dot + 1).toLowerCase() : '';
+	}
+
+	// Extension → color mapping for file icons and badges
+	function extColor(name: string): string {
+		const ext = fileExt(name);
+		switch (ext) {
+			case 'go': case 'mod': case 'sum':
+				return '#5a9fd4';           // blue — Go
+			case 'py': case 'pyi': case 'pyx':
+				return '#d4a73c';           // amber — Python
+			case 'js': case 'mjs': case 'cjs':
+				return '#d4a73c';           // amber — JavaScript
+			case 'ts': case 'mts': case 'cts': case 'tsx': case 'jsx':
+				return '#5a9fd4';           // blue — TypeScript/React
+			case 'rs':
+				return '#cf8172';           // red — Rust
+			case 'sh': case 'bash': case 'zsh': case 'fish':
+				return '#5e8c58';           // accent — shell
+			case 'json': case 'yaml': case 'yml': case 'toml': case 'ini': case 'env':
+				return '#8b7ec8';           // purple — config
+			case 'md': case 'mdx': case 'txt': case 'rst':
+				return 'var(--color-text-secondary)'; // neutral — docs
+			case 'sql':
+				return '#5a9fd4';           // blue — SQL
+			case 'proto':
+				return '#5e8c58';           // accent — protobuf
+			case 'svelte': case 'vue':
+				return '#cf8172';           // red — Svelte/Vue
+			case 'css': case 'scss': case 'less':
+				return '#5a9fd4';           // blue — styles
+			case 'html': case 'htm':
+				return '#cf8172';           // red — HTML
+			case 'dockerfile': case 'makefile':
+				return '#5e8c58';           // accent — build
+			default:
+				return 'var(--color-text-muted)';
+		}
+	}
+
+	// Descriptive label for file type badge in preview header
+	function extLabel(name: string): string {
+		const ext = fileExt(name);
+		const lower = name.toLowerCase();
+		if (lower === 'makefile') return 'Make';
+		if (lower === 'dockerfile') return 'Docker';
+		switch (ext) {
+			case 'go': return 'Go';
+			case 'py': return 'Python';
+			case 'js': case 'mjs': case 'cjs': return 'JS';
+			case 'ts': case 'mts': case 'cts': return 'TS';
+			case 'tsx': return 'TSX';
+			case 'jsx': return 'JSX';
+			case 'rs': return 'Rust';
+			case 'sh': case 'bash': return 'Shell';
+			case 'json': return 'JSON';
+			case 'yaml': case 'yml': return 'YAML';
+			case 'toml': return 'TOML';
+			case 'sql': return 'SQL';
+			case 'proto': return 'Proto';
+			case 'svelte': return 'Svelte';
+			case 'css': return 'CSS';
+			case 'html': case 'htm': return 'HTML';
+			case 'md': case 'mdx': return 'Markdown';
+			default: return ext ? ext.toUpperCase() : '';
+		}
+	}
+
+	// Load initial directory on mount, falling back to / if home can't be resolved
+	let hasInitiallyLoaded = false;
+	$effect(() => {
+		if (isRunning && !hasInitiallyLoaded) {
+			hasInitiallyLoaded = true;
+			loadDir().then(() => {
+				if (!currentPath.startsWith('/')) {
+					currentPath = '/';
+					pathInput = '/';
+					if (dirError) loadDir();
+				}
+			});
+		}
+	});
+</script>
+
+<style>
+	.file-row {
+		transition: background-color 0.1s ease;
+	}
+	.file-row:hover {
+		background-color: var(--color-bg-3);
+	}
+	.file-row.active {
+		background-color: var(--color-accent-glow);
+		border-left: 3px solid var(--color-accent);
+		box-shadow: inset 0 0 20px rgba(94, 140, 88, 0.06);
+	}
+	.file-row:not(.active) {
+		border-left: 3px solid transparent;
+	}
+
+	.preview-code {
+		tab-size: 4;
+		-moz-tab-size: 4;
+	}
+
+	/* Let the browser skip rendering off-screen lines in long files */
+	.code-line {
+		content-visibility: auto;
+		contain-intrinsic-size: auto 1.65rem;
+	}
+
+	/* Staggered row entrance */
+	@keyframes rowSlideIn {
+		from { opacity: 0; transform: translateX(-4px); }
+		to   { opacity: 1; transform: translateX(0); }
+	}
+	.row-enter {
+		animation: rowSlideIn 0.15s ease both;
+	}
+
+	/* Line highlight on hover */
+	.code-line:hover .line-content {
+		background-color: var(--color-bg-3);
+	}
+	.code-line:hover .line-num {
+		color: var(--color-text-tertiary);
+	}
+</style>
+
+{#if !isRunning}
+	<div class="flex flex-1 items-center justify-center">
+		<div class="flex flex-col items-center gap-4 text-center">
+			<div class="flex h-14 w-14 items-center justify-center rounded-[var(--radius-card)] border border-[var(--color-border-mid)] bg-[var(--color-bg-2)]" style="animation: iconFloat 3s ease-in-out infinite">
+				<svg class="text-[var(--color-text-muted)]" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true">
+					<path d="M22 19a2 2 0 0 1-2 2H4a2 2 0 0 1-2-2V5a2 2 0 0 1 2-2h5l2 3h9a2 2 0 0 1 2 2z" />
+				</svg>
+			</div>
+			<div class="flex flex-col gap-1">
+				<span class="text-ui font-medium text-[var(--color-text-secondary)]">Capsule not running</span>
+				<span class="text-meta text-[var(--color-text-muted)]">Start or resume the capsule to browse files</span>
+			</div>
+		</div>
+	</div>
+{:else}
+	<div class="flex flex-1 min-h-0">
+
+		<!-- Left panel: File tree -->
+		<div class="flex shrink-0 flex-col bg-[var(--color-bg-2)] {(treeOnly || (compact && !selectedFile)) ? 'flex-1' : compact ? 'w-[28.57%] border-r border-[var(--color-border)]' : 'w-[380px] border-r border-[var(--color-border)]'}"
+		>
+
+			<!-- Path input -->
+			<form onsubmit={handlePathSubmit} class="border-b border-[var(--color-border)] px-4 py-3">
+				<div class="flex items-center gap-2 rounded-[var(--radius-input)] border px-3 py-1.5 transition-colors duration-150
+					{pathInputFocused
+						? 'border-[var(--color-accent)]/50 bg-[var(--color-bg-0)]'
+						: 'border-[var(--color-border)] bg-[var(--color-bg-1)]'}">
+					<!-- Terminal prompt icon -->
+					<span class="shrink-0 font-mono text-badge text-[var(--color-text-muted)] select-none" aria-hidden="true">
+						$
+					</span>
+					<input
+						type="text"
+						bind:this={pathInputEl}
+						bind:value={pathInput}
+						onfocus={() => (pathInputFocused = true)}
+						onblur={() => (pathInputFocused = false)}
+						onkeydown={handleKeydown}
+						placeholder="/home/user or ~/file.txt"
+						spellcheck="false"
+						autocomplete="off"
+						class="flex-1 bg-transparent font-mono text-meta text-[var(--color-text-primary)] outline-none placeholder:text-[var(--color-text-muted)]"
+					/>
+					<button
+						type="submit"
+						class="shrink-0 flex items-center gap-1 rounded-[var(--radius-button)] px-2 py-0.5 text-badge font-semibold uppercase tracking-[0.05em] text-[var(--color-text-muted)] transition-colors hover:bg-[var(--color-accent-glow-mid)] hover:text-[var(--color-accent-mid)]"
+					>
+						<svg width="10" height="10" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2.5" stroke-linecap="round" stroke-linejoin="round">
+							<line x1="5" y1="12" x2="19" y2="12" />
+							<polyline points="12 5 19 12 12 19" />
+						</svg>
+						Go
+					</button>
+				</div>
+			</form>
+
+			<!-- Breadcrumbs -->
+			<div class="flex items-center gap-0.5 border-b border-[var(--color-border)] px-2 py-2 overflow-x-auto">
+				<!-- Up button -->
+				<button
+					onclick={() => navigateTo(currentPath + '/..')}
+					disabled={!canGoUp}
+					title="Go to parent directory"
+					class="shrink-0 flex items-center justify-center rounded-[3px] w-6 h-6 transition-colors
+						{canGoUp
+							? 'text-[var(--color-text-secondary)] hover:bg-[var(--color-bg-4)] hover:text-[var(--color-text-primary)]'
+							: 'text-[var(--color-text-muted)] opacity-30 cursor-not-allowed'}"
+				>
+					<svg width="13" height="13" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
+						<path d="M15 18l-6-6 6-6" />
+					</svg>
+				</button>
+				<span class="w-px h-4 bg-[var(--color-border)] shrink-0 mx-1"></span>
+				{#each breadcrumbs as crumb, i}
+					{#if i > 0}
+						<svg class="shrink-0 text-[var(--color-text-muted)]" width="10" height="10" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2.5" stroke-linecap="round" stroke-linejoin="round">
+							<polyline points="9 18 15 12 9 6" />
+						</svg>
+					{/if}
+					<button
+						onclick={() => navigateTo(crumb.path)}
+						class="shrink-0 rounded-[3px] px-1.5 py-0.5 font-mono text-label transition-colors hover:bg-[var(--color-bg-4)] hover:text-[var(--color-text-primary)]
+							{i === breadcrumbs.length - 1
+								? 'text-[var(--color-text-primary)]'
+								: 'text-[var(--color-text-tertiary)]'}"
+					>
+						{#if i === 0}
+							<!-- Root icon -->
+							<svg class="inline -mt-px" width="11" height="11" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
+								<path d="M3 9l9-7 9 7v11a2 2 0 0 1-2 2H5a2 2 0 0 1-2-2z" />
+							</svg>
+						{:else}
+							{crumb.name}
+						{/if}
+					</button>
+				{/each}
+			</div>
+
+			<!-- File list -->
+			<div class="flex-1 overflow-y-auto">
+				{#if dirLoading}
+					<div class="flex items-center justify-center py-12">
+						<div class="flex items-center gap-2 text-meta text-[var(--color-text-secondary)]">
+							<svg class="animate-spin" width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2">
+								<path d="M21 12a9 9 0 1 1-6.219-8.56" />
+							</svg>
+							Loading...
+						</div>
+					</div>
+				{:else if dirError}
+					<div class="px-4 py-4">
+						<div class="flex items-start gap-2.5 rounded-[var(--radius-card)] border border-[var(--color-red)]/25 bg-[var(--color-red)]/6 px-3.5 py-3">
+							<svg class="mt-0.5 shrink-0 text-[var(--color-red)]" width="13" height="13" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
+								<circle cx="12" cy="12" r="10" /><line x1="12" y1="8" x2="12" y2="12" /><line x1="12" y1="16" x2="12.01" y2="16" />
+							</svg>
+							<span class="text-meta text-[var(--color-red)]">{dirError}</span>
+						</div>
+					</div>
+				{:else if entries.length === 0}
+					<div class="flex flex-col items-center justify-center py-16 gap-3">
+						<div class="flex h-10 w-10 items-center justify-center rounded-[var(--radius-card)] border border-[var(--color-border-mid)] bg-[var(--color-bg-3)]" style="animation: iconFloat 3s ease-in-out infinite">
+							<svg class="text-[var(--color-text-muted)]" width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round">
+								<path d="M22 19a2 2 0 0 1-2 2H4a2 2 0 0 1-2-2V5a2 2 0 0 1 2-2h5l2 3h9a2 2 0 0 1 2 2z" />
+							</svg>
+						</div>
+						<span class="text-meta text-[var(--color-text-muted)]">Empty directory</span>
+					</div>
+				{:else}
+					{#each sortedEntries as entry, idx (entry.path)}
+						<button
+							onclick={() => selectFile(entry)}
+							class="file-row flex w-full items-center gap-3 px-4 py-[7px] text-left
+								{selectedFile?.path === entry.path ? 'active' : ''}
+								{idx < 30 ? 'row-enter' : ''}"
+							style={idx < 30 ? `animation-delay: ${idx * 12}ms` : undefined}
+						>
+							<!-- Icon -->
+							{#if fileIcon(entry) === 'dir'}
+								<svg class="shrink-0 text-[var(--color-accent-mid)]" width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
+									<path d="M22 19a2 2 0 0 1-2 2H4a2 2 0 0 1-2-2V5a2 2 0 0 1 2-2h5l2 3h9a2 2 0 0 1 2 2z" />
+								</svg>
+							{:else if fileIcon(entry) === 'link'}
+								<svg class="shrink-0 text-[var(--color-blue)]" width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
+									<path d="M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71" />
+									<path d="M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71" />
+								</svg>
+							{:else if fileIcon(entry) === 'special'}
+								<svg class="shrink-0 text-[var(--color-text-muted)]" width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
+									<circle cx="12" cy="12" r="10" />
+									<line x1="4.93" y1="4.93" x2="19.07" y2="19.07" />
+								</svg>
+							{:else}
+								<svg class="shrink-0" style="color: {extColor(entry.name)}" width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
+									<path d="M14 2H6a2 2 0 0 0-2 2v16a2 2 0 0 0 2 2h12a2 2 0 0 0 2-2V8z" />
+									<polyline points="14 2 14 8 20 8" />
+								</svg>
+							{/if}
+
+							<!-- Name + metadata -->
+							<div class="flex flex-1 items-center gap-2 overflow-hidden">
+								<span class="truncate font-mono text-meta
+									{entry.type === 'directory'
+										? 'text-[var(--color-text-primary)] font-medium'
+										: 'text-[var(--color-text-secondary)]'}">
+									{entry.name}
+								</span>
+								{#if entry.type === 'symlink' && entry.symlink_target}
+									<span class="truncate font-mono text-badge text-[var(--color-text-muted)]">
+										&rarr; {entry.symlink_target}
+									</span>
+								{/if}
+							</div>
+
+							<!-- Size + extension hint (files only) -->
+							{#if entry.type === 'file'}
+								{#if fileExt(entry.name)}
+									<span class="shrink-0 font-mono text-[9px] uppercase tracking-[0.05em]" style="color: {extColor(entry.name)}; opacity: 0.7">
+										{fileExt(entry.name)}
+									</span>
+								{/if}
+								<span class="shrink-0 font-mono text-badge text-[var(--color-text-muted)]">
+									{formatFileSize(entry.size)}
+								</span>
+							{/if}
+
+							<!-- Permissions -->
+							<span class="hidden shrink-0 font-mono text-badge text-[var(--color-text-muted)] xl:inline">
+								{entry.permissions}
+							</span>
+						</button>
+					{/each}
+				{/if}
+			</div>
+
+			<!-- Footer: entry count -->
+			{#if !dirLoading && !dirError && entries.length > 0}
+				<div class="border-t border-[var(--color-border)] px-4 py-2 flex items-center gap-3">
+					{#if dirCount > 0}
+						<span class="font-mono text-badge text-[var(--color-text-muted)]">
+							{dirCount} dir{dirCount !== 1 ? 's' : ''}
+						</span>
+					{/if}
+					{#if fileCount > 0}
+						<span class="font-mono text-badge text-[var(--color-text-muted)]">
+							{fileCount} file{fileCount !== 1 ? 's' : ''}
+						</span>
+					{/if}
+				</div>
+			{/if}
+		</div>
+
+		<!-- Right panel: File preview -->
+		{#if !treeOnly && (!compact || selectedFile)}
+		<div class="flex flex-1 flex-col min-w-0 bg-[var(--color-bg-1)]">
+			{#if !selectedFile}
+				<!-- Empty state -->
+				<div class="flex flex-1 items-center justify-center">
+					<div class="flex flex-col items-center gap-3 text-center">
+						<div class="flex h-12 w-12 items-center justify-center rounded-[var(--radius-card)] border border-[var(--color-border-mid)] bg-[var(--color-bg-2)]" style="animation: iconFloat 3s ease-in-out infinite">
+							<svg class="text-[var(--color-text-muted)]" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round">
+								<path d="M14 2H6a2 2 0 0 0-2 2v16a2 2 0 0 0 2 2h12a2 2 0 0 0 2-2V8z" />
+								<polyline points="14 2 14 8 20 8" />
+							</svg>
+						</div>
+						<div class="flex flex-col gap-1">
+							<span class="text-ui text-[var(--color-text-secondary)]">Select a file to preview</span>
+							<span class="text-meta text-[var(--color-text-muted)]">Click a file in the tree or type a path above</span>
+						</div>
+					</div>
+				</div>
+			{:else}
+				<!-- File header -->
+				<div class="flex items-center justify-between border-b border-[var(--color-border)] bg-[var(--color-bg-2)] px-5 py-2.5">
+					<div class="flex items-center gap-2.5 overflow-hidden">
+						{#if isBinaryFile(selectedFile.name) || isFileTooLarge(selectedFile.size)}
+							<svg class="shrink-0 text-[var(--color-amber)]" width="13" height="13" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
+								<path d="M14 2H6a2 2 0 0 0-2 2v16a2 2 0 0 0 2 2h12a2 2 0 0 0 2-2V8z" />
+								<polyline points="14 2 14 8 20 8" />
+							</svg>
+						{:else}
+							<svg class="shrink-0" style="color: {extColor(selectedFile.name)}" width="13" height="13" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
+								<path d="M14 2H6a2 2 0 0 0-2 2v16a2 2 0 0 0 2 2h12a2 2 0 0 0 2-2V8z" />
+								<polyline points="14 2 14 8 20 8" />
+							</svg>
+						{/if}
+						<span class="truncate font-mono text-meta text-[var(--color-text-primary)]">{selectedFile.path}</span>
+						{#if extLabel(selectedFile.name)}
+							<span
+								class="shrink-0 rounded-[3px] border px-1.5 py-0.5 font-mono text-badge font-semibold uppercase tracking-[0.03em]"
+								style="color: {extColor(selectedFile.name)}; border-color: color-mix(in srgb, {extColor(selectedFile.name)} 25%, transparent); background: color-mix(in srgb, {extColor(selectedFile.name)} 8%, transparent)"
+							>
+								{extLabel(selectedFile.name)}
+							</span>
+						{/if}
+					</div>
+					<div class="flex items-center gap-3 shrink-0 ml-4">
+						<span class="font-mono text-badge text-[var(--color-text-muted)]">{formatFileSize(selectedFile.size)}</span>
+						<button
+							onclick={handleDownload}
+							disabled={downloading || !isDownloadable}
+							title={isDownloadable ? 'Download file' : 'Not a regular file — download unavailable'}
+							class="flex items-center gap-1.5 rounded-[var(--radius-button)] border border-[var(--color-border)] bg-[var(--color-bg-3)] px-2.5 py-1 text-badge font-semibold uppercase tracking-[0.05em] text-[var(--color-text-secondary)] transition-colors hover:bg-[var(--color-bg-4)] hover:text-[var(--color-text-primary)] disabled:opacity-50 disabled:cursor-not-allowed"
+						>
+							{#if downloading}
+								<svg class="animate-spin" width="11" height="11" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2.5"><path d="M21 12a9 9 0 1 1-6.219-8.56" /></svg>
+							{:else}
+								<svg width="11" height="11" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2.5" stroke-linecap="round" stroke-linejoin="round">
+									<path d="M21 15v4a2 2 0 0 1-2 2H5a2 2 0 0 1-2-2v-4" />
+									<polyline points="7 10 12 15 17 10" />
+									<line x1="12" y1="15" x2="12" y2="3" />
+								</svg>
+							{/if}
+							Download
+						</button>
+					</div>
+				</div>
+
+				<!-- File content -->
+				<div class="flex-1 overflow-auto">
+					{#if fileLoading}
+						<div class="flex items-center justify-center py-16">
+							<div class="flex items-center gap-2 text-meta text-[var(--color-text-secondary)]">
+								<svg class="animate-spin" width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2">
+									<path d="M21 12a9 9 0 1 1-6.219-8.56" />
+								</svg>
+								Reading file...
+							</div>
+						</div>
+					{:else if fileError}
+						<div class="px-5 py-5">
+							<div class="flex items-start gap-2.5 rounded-[var(--radius-card)] border border-[var(--color-red)]/25 bg-[var(--color-red)]/6 px-3.5 py-3">
+								<svg class="mt-0.5 shrink-0 text-[var(--color-red)]" width="13" height="13" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
+									<circle cx="12" cy="12" r="10" /><line x1="12" y1="8" x2="12" y2="12" /><line x1="12" y1="16" x2="12.01" y2="16" />
+								</svg>
+								<span class="text-meta text-[var(--color-red)]">{fileError}</span>
+							</div>
+						</div>
+					{:else if isSpecialFile}
+						<!-- Device file, pipe, socket, etc. — can't read or download -->
+						<div class="flex flex-1 items-center justify-center py-20">
+							<div class="flex flex-col items-center gap-5 text-center" style="animation: fadeUp 0.25s ease both">
+								<div class="flex h-14 w-14 items-center justify-center rounded-[var(--radius-card)] border border-[var(--color-border-mid)] bg-[var(--color-bg-3)]">
+									<svg class="text-[var(--color-text-muted)]" width="22" height="22" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round">
+										<circle cx="12" cy="12" r="10" />
+										<line x1="4.93" y1="4.93" x2="19.07" y2="19.07" />
+									</svg>
+								</div>
+								<div class="flex flex-col gap-1.5">
+									<span class="text-ui font-medium text-[var(--color-text-primary)]">Not a regular file</span>
+									<span class="text-meta text-[var(--color-text-tertiary)]">
+										<code class="rounded bg-[var(--color-bg-4)] px-1.5 py-0.5 font-mono text-[var(--color-text-secondary)]">{selectedFile.name}</code>
+										is a device, socket, or pipe
+									</span>
+									<span class="mt-1 text-meta text-[var(--color-text-muted)]">
+										These file types can't be read or downloaded.
+									</span>
+								</div>
+							</div>
+						</div>
+					{:else if !isDownloadable}
+						<!-- Symlink — no preview or download -->
+						<div class="flex flex-1 items-center justify-center py-20">
+							<div class="flex flex-col items-center gap-5 text-center" style="animation: fadeUp 0.25s ease both">
+								<div class="flex h-14 w-14 items-center justify-center rounded-[var(--radius-card)] border border-[var(--color-border-mid)] bg-[var(--color-bg-3)]">
+									<svg class="text-[var(--color-blue)]" width="22" height="22" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round">
+										<path d="M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71" />
+										<path d="M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71" />
+									</svg>
+								</div>
+								<div class="flex flex-col gap-1.5">
+									<span class="text-ui font-medium text-[var(--color-text-primary)]">Symlink</span>
+									{#if selectedFile.symlink_target}
+										<span class="text-meta text-[var(--color-text-tertiary)]">
+											Points to <code class="rounded bg-[var(--color-bg-4)] px-1.5 py-0.5 font-mono text-[var(--color-text-secondary)]">{selectedFile.symlink_target}</code>
+										</span>
+									{/if}
+									<span class="mt-1 text-meta text-[var(--color-text-muted)]">
+										Open the target path to view or download its contents.
+									</span>
+								</div>
+							</div>
+						</div>
+					{:else if isBinaryFile(selectedFile.name) || isFileTooLarge(selectedFile.size) || (selectedFile && fileContent === null && !fileLoading)}
+						<!-- Binary / too large / unreadable — download prompt -->
+						<div class="flex flex-1 items-center justify-center py-20">
+							<div class="flex flex-col items-center gap-5 text-center" style="animation: fadeUp 0.25s ease both">
+								<div class="flex h-14 w-14 items-center justify-center rounded-[var(--radius-card)] border border-[var(--color-border-mid)] bg-[var(--color-bg-3)]">
+									{#if isFileTooLarge(selectedFile.size)}
+										<svg class="text-[var(--color-amber)]" width="22" height="22" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round">
+											<path d="M10.29 3.86L1.82 18a2 2 0 0 0 1.71 3h16.94a2 2 0 0 0 1.71-3L13.71 3.86a2 2 0 0 0-3.42 0z" />
+											<line x1="12" y1="9" x2="12" y2="13" />
+											<line x1="12" y1="17" x2="12.01" y2="17" />
+										</svg>
+									{:else}
+										<svg class="text-[var(--color-text-muted)]" width="22" height="22" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round">
+											<rect x="3" y="3" width="18" height="18" rx="2" ry="2" />
+											<line x1="9" y1="3" x2="9" y2="21" />
+										</svg>
+									{/if}
+								</div>
+								<div class="flex flex-col gap-1.5">
+									{#if isFileTooLarge(selectedFile.size)}
+										<span class="text-ui font-medium text-[var(--color-text-primary)]">File too large to preview</span>
+										<span class="text-meta text-[var(--color-text-tertiary)]">
+											{formatFileSize(selectedFile.size)} exceeds the 10 MB preview limit
+										</span>
+									{:else}
+										<span class="text-ui font-medium text-[var(--color-text-primary)]">Binary file</span>
+										<span class="text-meta text-[var(--color-text-tertiary)]">
+											This file type can't be displayed as text
+										</span>
+									{/if}
+								</div>
+								<button
+									onclick={handleDownload}
+									class="mt-1 flex items-center gap-2 rounded-[var(--radius-button)] border border-[var(--color-accent)]/30 bg-[var(--color-accent-glow-mid)] px-4 py-2 text-meta font-semibold text-[var(--color-accent-bright)] transition-all duration-150 hover:border-[var(--color-accent)]/50 hover:bg-[var(--color-accent)]/15 hover:-translate-y-px active:translate-y-0"
+								>
+									<svg width="13" height="13" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
+										<path d="M21 15v4a2 2 0 0 1-2 2H5a2 2 0 0 1-2-2v-4" />
+										<polyline points="7 10 12 15 17 10" />
+										<line x1="12" y1="15" x2="12" y2="3" />
+									</svg>
+									Download file
+								</button>
+							</div>
+						</div>
+					{:else if fileContent !== null}
+						<!-- Text preview with line numbers (capped at MAX_PREVIEW_LINES) -->
+						<div style="animation: fadeUp 0.15s ease both">
+							<pre class="preview-code p-0 m-0"><code class="block">{#each previewLines.lines as line, i}<div class="code-line flex"><span class="line-num sticky left-0 inline-block w-[52px] shrink-0 select-none border-r border-[var(--color-border)] bg-[var(--color-bg-2)] px-3 py-0 text-right font-mono text-badge leading-[1.65rem] text-[var(--color-text-muted)]">{i + 1}</span><span class="line-content flex-1 whitespace-pre-wrap break-all px-4 py-0 font-mono text-meta leading-[1.65rem]">{#if highlightedTokens && highlightedTokens[i]}{#each highlightedTokens[i] as token}<span style="color: {token.color ?? 'var(--color-text-secondary)'}">{token.content}</span>{/each}{:else}<span class="text-[var(--color-text-secondary)]">{line || ' '}</span>{/if}</span></div>{/each}</code></pre>
+						</div>
+						{#if previewLines.truncated}
+							<div class="flex items-center justify-center gap-2 border-t border-[var(--color-border)] bg-[var(--color-bg-2)] px-4 py-3">
+								<span class="text-meta text-[var(--color-text-tertiary)]">
+									Showing {MAX_PREVIEW_LINES.toLocaleString()} of {previewLines.totalLines.toLocaleString()} lines
+								</span>
+								<button
+									onclick={handleDownload}
+									class="font-mono text-meta text-[var(--color-accent-mid)] transition-colors hover:text-[var(--color-accent-bright)]"
+								>Download full file</button>
+							</div>
+						{/if}
+					{/if}
+				</div>
+			{/if}
+		</div>
+		{/if}
+
+	</div>
+{/if}
diff --git a/frontend/src/lib/components/MetricsPanel.svelte b/frontend/src/lib/components/MetricsPanel.svelte
new file mode 100644
index 0000000..38a424d
--- /dev/null
+++ b/frontend/src/lib/components/MetricsPanel.svelte
@@ -0,0 +1,350 @@
+<script lang="ts">
+	import { onMount, onDestroy, tick } from 'svelte';
+	import {
+		fetchCapsuleMetrics,
+		METRIC_RANGES,
+		METRIC_POLL_INTERVALS,
+		type MetricRange,
+		type MetricPoint
+	} from '$lib/api/metrics';
+
+	type Props = {
+		capsuleId: string;
+		/** Whether the capsule is in a state that supports metrics */
+		available: boolean;
+		/** Initial range selection */
+		initialRange?: MetricRange;
+		/** API base path for fetching metrics */
+		apiBasePath?: string;
+		/** Layout: 'full' shows padded cards with gap, 'compact' shows borderless stacked charts */
+		layout?: 'full' | 'compact';
+	};
+
+	let { capsuleId, available, initialRange = '10m' as MetricRange, apiBasePath = '/api/v1/capsules', layout = 'full' }: Props = $props();
+
+	// svelte-ignore state_referenced_locally
+	let range = $state<MetricRange>(initialRange);
+	let points = $state<MetricPoint[]>([]);
+	let metricsLoading = $state(true);
+	let metricsError = $state<string | null>(null);
+
+	let canvasCpu = $state<HTMLCanvasElement | undefined>(undefined);
+	let canvasRam = $state<HTMLCanvasElement | undefined>(undefined);
+	// eslint-disable-next-line @typescript-eslint/no-explicit-any
+	let chartCpu: any = null;
+	// eslint-disable-next-line @typescript-eslint/no-explicit-any
+	let chartRam: any = null;
+	// eslint-disable-next-line @typescript-eslint/no-explicit-any
+	let ChartJS = $state<any>(null);
+	let pollInterval: ReturnType<typeof setInterval> | null = null;
+	let lastDataKey = '';
+	let visibilityHandler: (() => void) | null = null;
+
+	const latestCpu = $derived<number | null>(
+		points.length > 0 ? points[points.length - 1].cpu_pct : null
+	);
+	const latestRamMB = $derived<number | null>(
+		points.length > 0 ? points[points.length - 1].mem_bytes / 1_048_576 : null
+	);
+
+	async function loadMetrics() {
+		if (!available) return;
+		const result = await fetchCapsuleMetrics(capsuleId, range, apiBasePath);
+		if (result.ok) {
+			points = result.data.points;
+			metricsError = null;
+		} else {
+			metricsError = result.error;
+		}
+		metricsLoading = false;
+		updateCharts();
+	}
+
+	function smooth(data: number[], window: number): number[] {
+		if (window <= 1) return data;
+		const out: number[] = [];
+		for (let i = 0; i < data.length; i++) {
+			const start = Math.max(0, i - Math.floor(window / 2));
+			const end = Math.min(data.length, i + Math.ceil(window / 2));
+			let sum = 0;
+			for (let j = start; j < end; j++) sum += data[j];
+			out.push(+(sum / (end - start)).toFixed(2));
+		}
+		return out;
+	}
+
+	function smoothWindow(count: number): number {
+		if (count < 60) return 1;
+		if (count < 200) return 3;
+		if (count < 600) return 5;
+		return 9;
+	}
+
+	function updateCharts() {
+		if (!points.length) return;
+		const key = `${points.length}:${points.at(-1)?.timestamp_unix ?? ''}`;
+		if (key === lastDataKey) return;
+		lastDataKey = key;
+		const labels = points.map((p) => {
+			const d = new Date(p.timestamp_unix * 1000);
+			if (range === '5m' || range === '10m') {
+				return d.toLocaleTimeString([], { hour: '2-digit', minute: '2-digit', second: '2-digit' });
+			}
+			return d.toLocaleTimeString([], { hour: '2-digit', minute: '2-digit' });
+		});
+		const w = smoothWindow(points.length);
+		if (chartCpu) {
+			chartCpu.data.labels = labels;
+			chartCpu.data.datasets[0].data = smooth(points.map((p) => +p.cpu_pct.toFixed(2)), w);
+			chartCpu.update();
+		}
+		if (chartRam) {
+			chartRam.data.labels = labels;
+			chartRam.data.datasets[0].data = smooth(points.map((p) => +(p.mem_bytes / 1_048_576).toFixed(1)), w);
+			chartRam.update();
+		}
+	}
+
+	function setRange(r: MetricRange) {
+		range = r;
+		lastDataKey = '';
+		metricsLoading = true;
+		restartPolling();
+	}
+
+	function stopPolling() {
+		if (pollInterval) { clearInterval(pollInterval); pollInterval = null; }
+	}
+
+	function restartPolling() {
+		stopPolling();
+		loadMetrics();
+		pollInterval = setInterval(loadMetrics, METRIC_POLL_INTERVALS[range]);
+	}
+
+	const C_BLUE       = '#5a9fd4';
+	const C_BLUE_FILL  = 'rgba(90,159,212,0.11)';
+	const C_AMBER      = '#d4a73c';
+	const C_AMBER_FILL = 'rgba(212,167,60,0.11)';
+	const C_GRID       = 'rgba(255,255,255,0.05)';
+	const C_TICK       = '#635f5c';
+	const FONT_MONO    = "'JetBrains Mono', monospace";
+
+	const BASE_CHART_OPTIONS = {
+		responsive: true,
+		maintainAspectRatio: false,
+		animation: false as const,
+		interaction: { mode: 'index' as const, intersect: false },
+		plugins: {
+			legend: { display: false },
+			tooltip: {
+				backgroundColor: '#111412',
+				borderColor: '#1f2321',
+				borderWidth: 1,
+				titleColor: '#454340',
+				bodyColor: '#d4cfc8',
+				titleFont: { family: FONT_MONO, size: 10 },
+				bodyFont: { family: FONT_MONO, size: 11 },
+				padding: 10,
+				caretSize: 4,
+			},
+		},
+		scales: {
+			x: {
+				grid: { color: C_GRID },
+				ticks: { color: C_TICK, font: { family: FONT_MONO, size: 10 }, maxTicksLimit: 8, maxRotation: 0 },
+				border: { color: C_GRID },
+			},
+			y: {
+				grid: { color: C_GRID },
+				ticks: { color: C_TICK, font: { family: FONT_MONO, size: 10 } },
+				border: { color: C_GRID },
+				beginAtZero: true,
+			},
+		},
+	};
+
+	function initCharts() {
+		if (!ChartJS || !canvasCpu || !canvasRam) return;
+		chartCpu?.destroy();
+		chartRam?.destroy();
+
+		chartCpu = new ChartJS(canvasCpu, {
+			type: 'line',
+			data: {
+				labels: [],
+				datasets: [{
+					data: [], borderColor: C_BLUE, backgroundColor: C_BLUE_FILL,
+					borderWidth: 2, fill: true, tension: 0, pointRadius: 0,
+					pointHoverRadius: 4, pointHoverBackgroundColor: C_BLUE,
+				}],
+			},
+			options: {
+				...BASE_CHART_OPTIONS,
+				plugins: { ...BASE_CHART_OPTIONS.plugins, tooltip: { ...BASE_CHART_OPTIONS.plugins.tooltip,
+					// eslint-disable-next-line @typescript-eslint/no-explicit-any
+					callbacks: { label: (ctx: any) => ` ${ctx.parsed.y.toFixed(1)}%` },
+				}},
+				scales: { ...BASE_CHART_OPTIONS.scales, y: { ...BASE_CHART_OPTIONS.scales.y,
+					ticks: { ...BASE_CHART_OPTIONS.scales.y.ticks, callback: (v: string | number) => `${+v}%` },
+				}},
+			},
+		});
+
+		chartRam = new ChartJS(canvasRam, {
+			type: 'line',
+			data: {
+				labels: [],
+				datasets: [{
+					data: [], borderColor: C_AMBER, backgroundColor: C_AMBER_FILL,
+					borderWidth: 2, fill: true, tension: 0, pointRadius: 0,
+					pointHoverRadius: 4, pointHoverBackgroundColor: C_AMBER,
+				}],
+			},
+			options: {
+				...BASE_CHART_OPTIONS,
+				plugins: { ...BASE_CHART_OPTIONS.plugins, tooltip: { ...BASE_CHART_OPTIONS.plugins.tooltip,
+					// eslint-disable-next-line @typescript-eslint/no-explicit-any
+					callbacks: { label: (ctx: any) => ` ${ctx.parsed.y.toFixed(0)} MB` },
+				}},
+				scales: { ...BASE_CHART_OPTIONS.scales, y: { ...BASE_CHART_OPTIONS.scales.y,
+					ticks: { ...BASE_CHART_OPTIONS.scales.y.ticks, callback: (v: string | number) => `${+v} MB` },
+				}},
+			},
+		});
+
+		updateCharts();
+	}
+
+	$effect(() => {
+		if (!ChartJS || !available) return;
+		tick().then(() => {
+			if (canvasCpu && canvasRam) {
+				initCharts();
+				restartPolling();
+			}
+		});
+		return () => {
+			stopPolling();
+			chartCpu?.destroy(); chartCpu = null;
+			chartRam?.destroy(); chartRam = null;
+		};
+	});
+
+	onMount(async () => {
+		if (!available) return;
+		const mod = await import('chart.js/auto');
+		ChartJS = mod.Chart;
+
+		visibilityHandler = () => {
+			if (document.hidden) {
+				stopPolling();
+			} else if (available) {
+				restartPolling();
+			}
+		};
+		document.addEventListener('visibilitychange', visibilityHandler);
+	});
+
+	onDestroy(() => {
+		stopPolling();
+		if (visibilityHandler) document.removeEventListener('visibilitychange', visibilityHandler);
+		chartCpu?.destroy();
+		chartRam?.destroy();
+	});
+</script>
+
+<style>
+	.metric-val {
+		transition: color 0.3s ease;
+	}
+</style>
+
+<div class="flex flex-1 flex-col min-h-0">
+	<!-- Controls row -->
+	<div class="flex shrink-0 items-center justify-between {layout === 'full' ? 'px-0 pb-5' : 'border-b border-[var(--color-border)] bg-[var(--color-bg-1)] px-5 py-2'}">
+		{#if layout === 'full'}
+			{#if !metricsLoading}
+				<span class="flex items-center gap-1.5 rounded-[3px] border border-[var(--color-accent)]/25 bg-[var(--color-accent-glow-mid)] px-2 py-1 text-badge font-semibold uppercase tracking-[0.05em] text-[var(--color-accent-mid)]">
+					<span class="h-[5px] w-[5px] rounded-full bg-[var(--color-accent)]" style="animation: wrenn-glow 2.5s ease-in-out infinite"></span>
+					Live
+				</span>
+			{:else}
+				<div></div>
+			{/if}
+		{:else}
+			<div></div>
+		{/if}
+
+		<div class="flex overflow-hidden rounded-[var(--radius-button)] border border-[var(--color-border)]">
+			{#each METRIC_RANGES as r, i}
+				<button
+					onclick={() => setRange(r)}
+					class="px-3 py-1.5 font-mono text-label transition-colors duration-150
+						{range === r
+							? 'bg-[var(--color-bg-5)] text-[var(--color-text-bright)]'
+							: 'text-[var(--color-text-tertiary)] hover:bg-[var(--color-bg-3)] hover:text-[var(--color-text-secondary)]'}
+						{i > 0 ? 'border-l border-[var(--color-border)]' : ''}"
+				>
+					{r}
+				</button>
+			{/each}
+		</div>
+	</div>
+
+	{#if metricsError}
+		<div class="flex shrink-0 items-center gap-3 rounded-[var(--radius-card)] border border-[var(--color-red)]/30 bg-[var(--color-red)]/8 px-4 py-3 {layout === 'full' ? 'mb-5' : 'mx-5 my-3'}">
+			<svg class="shrink-0 text-[var(--color-red)]" width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
+				<circle cx="12" cy="12" r="10" /><line x1="12" y1="8" x2="12" y2="12" /><line x1="12" y1="16" x2="12.01" y2="16" />
+			</svg>
+			<span class="text-ui text-[var(--color-red)]">Could not load metrics: {metricsError}. Will retry automatically.</span>
+		</div>
+	{/if}
+
+	<!-- Charts — stacked, each grows to fill half -->
+	<div class="flex flex-1 flex-col min-h-0 {layout === 'full' ? 'gap-5' : 'divide-y divide-[var(--color-border)]'}">
+
+		<!-- CPU Usage -->
+		<div class="flex flex-1 flex-col min-h-0 {layout === 'full' ? 'rounded-[var(--radius-card)] border border-[var(--color-border)] bg-[var(--color-bg-2)]' : 'bg-[var(--color-bg-1)]'}">
+			<div class="flex shrink-0 items-center justify-between {layout === 'full' ? 'border-b border-[var(--color-border)] px-6 py-4' : 'px-5 py-2'}">
+				<div class="flex items-center gap-2">
+					<span class="h-2 w-2 shrink-0 rounded-full" style="background: {C_BLUE}"></span>
+					<span class="text-label font-semibold uppercase tracking-[0.06em] text-[var(--color-text-tertiary)]">CPU Usage</span>
+				</div>
+				{#if latestCpu !== null}
+					<div class="flex items-baseline gap-1">
+						<span class="metric-val font-serif {layout === 'full' ? 'text-[2.571rem]' : 'text-heading'} leading-none tracking-[-0.04em] text-[var(--color-text-bright)]">{latestCpu.toFixed(1)}</span>
+						<span class="font-mono {layout === 'full' ? 'text-label' : 'text-badge'} text-[var(--color-text-muted)]">%</span>
+					</div>
+				{:else if metricsLoading}
+					<span class="font-serif {layout === 'full' ? 'text-[2.571rem]' : 'text-heading'} leading-none text-[var(--color-text-muted)]">—</span>
+				{/if}
+			</div>
+			<div class="relative flex-1 min-h-0 {layout === 'full' ? 'min-h-[180px] px-5 pb-5 pt-3' : 'px-4 pb-3 pt-1'}">
+				<canvas bind:this={canvasCpu}></canvas>
+			</div>
+		</div>
+
+		<!-- RAM Usage -->
+		<div class="flex flex-1 flex-col min-h-0 {layout === 'full' ? 'rounded-[var(--radius-card)] border border-[var(--color-border)] bg-[var(--color-bg-2)]' : 'bg-[var(--color-bg-1)]'}">
+			<div class="flex shrink-0 items-center justify-between {layout === 'full' ? 'border-b border-[var(--color-border)] px-6 py-4' : 'px-5 py-2'}">
+				<div class="flex items-center gap-2">
+					<span class="h-2 w-2 shrink-0 rounded-full" style="background: {C_AMBER}"></span>
+					<span class="text-label font-semibold uppercase tracking-[0.06em] text-[var(--color-text-tertiary)]">RAM Usage</span>
+				</div>
+				{#if latestRamMB !== null}
+					<div class="flex items-baseline gap-1">
+						<span class="metric-val font-serif {layout === 'full' ? 'text-[2.571rem]' : 'text-heading'} leading-none tracking-[-0.04em] text-[var(--color-text-bright)]">{latestRamMB.toFixed(0)}</span>
+						<span class="font-mono {layout === 'full' ? 'text-label' : 'text-badge'} text-[var(--color-text-muted)]">MB</span>
+					</div>
+				{:else if metricsLoading}
+					<span class="font-serif {layout === 'full' ? 'text-[2.571rem]' : 'text-heading'} leading-none text-[var(--color-text-muted)]">—</span>
+				{/if}
+			</div>
+			<div class="relative flex-1 min-h-0 {layout === 'full' ? 'min-h-[180px] px-5 pb-5 pt-3' : 'px-4 pb-3 pt-1'}">
+				<canvas bind:this={canvasRam}></canvas>
+			</div>
+		</div>
+
+	</div>
+</div>
diff --git a/frontend/src/lib/components/Sidebar.svelte b/frontend/src/lib/components/Sidebar.svelte
index 4111dd8..47d2960 100644
--- a/frontend/src/lib/components/Sidebar.svelte
+++ b/frontend/src/lib/components/Sidebar.svelte
@@ -49,7 +49,7 @@
 
 	const platformItems: NavItem[] = [
 		{ label: 'Capsules', icon: IconMonitor, href: '/dashboard/capsules' },
-		{ label: 'Templates', icon: IconBox, href: '/dashboard/snapshots' },
+		{ label: 'Templates', icon: IconBox, href: '/dashboard/templates' },
 		{ label: 'Metrics', icon: IconMetrics, href: '/dashboard/metrics' }
 	];
 
@@ -280,13 +280,21 @@
 			<IconBell size={16} class="shrink-0" />
 			{#if !collapsed}<span class="text-ui">Notifications</span>{/if}
 		</div>
-		<div
-			class="flex cursor-not-allowed items-center rounded-[var(--radius-input)] px-2.5 py-2.5 opacity-35 {collapsed ? 'justify-center px-2' : 'gap-3'}"
-			title={collapsed ? 'Settings (coming soon)' : 'Coming soon'}
+		<a
+			href="/dashboard/settings"
+			class="group relative flex items-center rounded-[var(--radius-input)] px-2.5 py-2.5 transition-colors duration-150 hover:bg-[var(--color-bg-3)] {collapsed ? 'justify-center px-2' : 'gap-3'} {isActive('/dashboard/settings') ? (collapsed ? 'bg-[var(--color-accent-glow-mid)]' : 'bg-[var(--color-accent)]/[0.12]') : ''}"
+			title={collapsed ? 'Settings' : undefined}
 		>
-			<IconSettings size={16} class="shrink-0" />
-			{#if !collapsed}<span class="text-ui">Settings</span>{/if}
-		</div>
+			{#if isActive('/dashboard/settings') && !collapsed}
+				<div class="absolute left-0 top-1/2 h-6 w-1 -translate-y-1/2 rounded-r-full bg-[var(--color-accent)]"></div>
+			{/if}
+			<IconSettings size={16} class="shrink-0 {isActive('/dashboard/settings') ? 'text-[var(--color-accent-bright)]' : 'opacity-50 transition-opacity duration-150 group-hover:opacity-100'}" />
+			{#if !collapsed}
+				<span class="text-ui transition-colors duration-150 {isActive('/dashboard/settings') ? 'font-semibold text-[var(--color-accent-bright)]' : 'text-[var(--color-text-primary)] group-hover:text-[var(--color-text-bright)]'}">
+					Settings
+				</span>
+			{/if}
+		</a>
 	</div>
 
 	<!-- User footer -->
@@ -402,7 +410,7 @@
 			class="relative w-full max-w-[380px] rounded-[var(--radius-card)] border border-[var(--color-border-mid)] bg-[var(--color-bg-2)] p-6"
 			style="animation: fadeUp 0.2s ease both; box-shadow: var(--shadow-dialog)"
 		>
-			<h2 class="font-serif text-heading tracking-[-0.02em] text-[var(--color-text-bright)]">
+			<h2 class="font-serif text-heading text-[var(--color-text-bright)]">
 				Create Team
 			</h2>
 			<p class="mt-1 text-ui text-[var(--color-text-tertiary)]">
diff --git a/frontend/src/lib/components/SnapshotDialog.svelte b/frontend/src/lib/components/SnapshotDialog.svelte
new file mode 100644
index 0000000..3db648d
--- /dev/null
+++ b/frontend/src/lib/components/SnapshotDialog.svelte
@@ -0,0 +1,130 @@
+<script lang="ts">
+	import { createSnapshot } from '$lib/api/capsules';
+
+	type Props = {
+		open: boolean;
+		capsuleId: string;
+		pauseFirst?: boolean;
+		onclose: () => void;
+		onsnapshot?: () => void;
+	};
+	let { open, capsuleId, pauseFirst = false, onclose, onsnapshot }: Props = $props();
+
+	let snapshotName = $state('');
+	let snapshotting = $state(false);
+	let error = $state<string | null>(null);
+
+	function reset() {
+		snapshotName = '';
+		error = null;
+	}
+
+	async function handleConfirm() {
+		snapshotting = true;
+		error = null;
+		const result = await createSnapshot(capsuleId, snapshotName.trim() || undefined);
+		if (result.ok) {
+			reset();
+			onsnapshot?.();
+			onclose();
+		} else {
+			error = result.error;
+		}
+		snapshotting = false;
+	}
+
+	function handleClose() {
+		if (!snapshotting) {
+			reset();
+			onclose();
+		}
+	}
+</script>
+
+{#if open}
+	<div class="fixed inset-0 z-50 flex items-center justify-center">
+		<!-- svelte-ignore a11y_no_static_element_interactions -->
+		<div
+			class="absolute inset-0 bg-black/60"
+			onclick={handleClose}
+			onkeydown={(e) => { if (e.key === 'Escape') handleClose(); }}
+		></div>
+
+		<div class="relative w-full max-w-[420px] overflow-hidden rounded-[var(--radius-card)] border border-[var(--color-border-mid)] bg-[var(--color-bg-2)]" style="animation: fadeUp 0.2s ease both; box-shadow: var(--shadow-dialog)">
+			<div class="flex items-center gap-4 border-b border-[var(--color-border)] bg-[var(--color-bg-3)] px-6 py-5">
+				<div class="flex h-10 w-10 shrink-0 items-center justify-center rounded-[var(--radius-input)] bg-[var(--color-accent)]/15 text-[var(--color-accent)] shadow-[0_0_12px_var(--color-accent-glow)]">
+					<svg width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.75" stroke-linecap="round" stroke-linejoin="round">
+						<path d="M14.5 4h-5L7 7H2v13a2 2 0 002 2h16a2 2 0 002-2V7h-5l-2.5-3z" />
+						<circle cx="12" cy="15" r="3" />
+					</svg>
+				</div>
+				<div>
+					<h2 class="font-serif text-heading text-[var(--color-text-bright)]">Capture snapshot</h2>
+					<p class="mt-0.5 text-meta text-[var(--color-text-muted)] font-mono">{capsuleId}</p>
+				</div>
+			</div>
+
+			<div class="px-6 pt-5 pb-6 space-y-4">
+				{#if pauseFirst}
+					<div class="flex items-start gap-2.5 rounded-[var(--radius-input)] border border-[var(--color-amber)]/25 bg-[var(--color-amber)]/8 px-3 py-2.5">
+						<svg class="mt-px shrink-0 text-[var(--color-amber)]" width="13" height="13" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
+							<path d="M10.29 3.86L1.82 18a2 2 0 001.71 3h16.94a2 2 0 001.71-3L13.71 3.86a2 2 0 00-3.42 0z" />
+							<line x1="12" y1="9" x2="12" y2="13" />
+							<line x1="12" y1="17" x2="12.01" y2="17" />
+						</svg>
+						<p class="text-meta text-[var(--color-amber)] leading-relaxed">This capsule will be <strong class="font-semibold">paused first</strong>, then its full state (memory + disk) will be captured.</p>
+					</div>
+				{:else}
+					<p class="text-ui text-[var(--color-text-tertiary)]">The capsule's current state (memory + disk) will be captured and stored as a reusable snapshot.</p>
+				{/if}
+
+				{#if error}
+					<div class="rounded-[var(--radius-input)] border border-[var(--color-red)]/30 bg-[var(--color-red)]/5 px-3 py-2 text-meta text-[var(--color-red)]">
+						{error}
+					</div>
+				{/if}
+
+				<div>
+					<div class="mb-1.5 flex items-baseline justify-between">
+						<label class="text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-tertiary)]" for="snapshot-name">Snapshot name</label>
+						<span class="text-meta text-[var(--color-text-muted)]">optional</span>
+					</div>
+					<input
+						id="snapshot-name"
+						type="text"
+						bind:value={snapshotName}
+						disabled={snapshotting}
+						class="w-full rounded-[var(--radius-input)] border border-[var(--color-border)] bg-[var(--color-bg-4)] px-3 py-2 font-mono text-ui text-[var(--color-text-bright)] outline-none placeholder:text-[var(--color-text-muted)] transition-colors duration-150 focus:border-[var(--color-accent)] disabled:opacity-50"
+						placeholder="e.g. after-apt-install, pre-migration"
+						onkeydown={(e) => { if (e.key === 'Enter' && !snapshotting) handleConfirm(); }}
+					/>
+					<p class="mt-1.5 text-meta text-[var(--color-text-muted)]">Leave blank to use an auto-generated name.</p>
+				</div>
+
+				<div class="flex justify-end gap-3 pt-1">
+					<button
+						onclick={handleClose}
+						disabled={snapshotting}
+						class="rounded-[var(--radius-button)] border border-[var(--color-border)] px-4 py-2 text-ui text-[var(--color-text-secondary)] transition-colors duration-150 hover:border-[var(--color-border-mid)] hover:text-[var(--color-text-primary)] disabled:opacity-50"
+					>
+						Cancel
+					</button>
+					<button
+						onclick={handleConfirm}
+						disabled={snapshotting}
+						class="flex items-center gap-2 rounded-[var(--radius-button)] bg-[var(--color-accent)] px-5 py-2 text-ui font-semibold text-white transition-all duration-150 hover:brightness-115 hover:-translate-y-px active:translate-y-0 disabled:opacity-50 disabled:hover:translate-y-0"
+					>
+						{#if snapshotting}
+							<svg class="animate-spin" width="13" height="13" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2">
+								<path d="M21 12a9 9 0 1 1-6.219-8.56" />
+							</svg>
+							Capturing...
+						{:else}
+							Capture snapshot
+						{/if}
+					</button>
+				</div>
+			</div>
+		</div>
+	</div>
+{/if}
diff --git a/frontend/src/lib/components/StatsPanel.svelte b/frontend/src/lib/components/StatsPanel.svelte
index d7a2f12..b40d558 100644
--- a/frontend/src/lib/components/StatsPanel.svelte
+++ b/frontend/src/lib/components/StatsPanel.svelte
@@ -26,6 +26,8 @@
 	let chartRam: any = null;
 
 	let pollInterval: ReturnType<typeof setInterval> | null = null;
+	let lastDataKey = '';   // cheap fingerprint to skip redundant chart redraws
+	let visibilityHandler: (() => void) | null = null;
 
 	async function load() {
 		const result = await fetchStats(range);
@@ -43,6 +45,10 @@
 
 	function updateCharts() {
 		if (!stats) return;
+		// Skip redraw if data hasn't changed (same length + same last label).
+		const key = `${stats.series.labels.length}:${stats.series.labels.at(-1) ?? ''}`;
+		if (key === lastDataKey) return;
+		lastDataKey = key;
 		// Use Array.from to pass plain JS arrays to Chart.js — Svelte 5 $state
 		// wraps arrays in reactive proxies which Chart.js can't iterate reliably.
 		const labels = formatLabels(Array.from(stats.series.labels), range);
@@ -77,14 +83,19 @@
 		});
 	}
 
+	function stopPolling() {
+		if (pollInterval) { clearInterval(pollInterval); pollInterval = null; }
+	}
+
 	function restartPolling() {
-		if (pollInterval) clearInterval(pollInterval);
+		stopPolling();
 		load();
 		pollInterval = setInterval(load, POLL_INTERVALS[range]);
 	}
 
 	function setRange(r: TimeRange) {
 		range = r;
+		lastDataKey = '';   // force chart redraw on range switch
 		goto(`?range=${r}`, { replaceState: true, noScroll: true, keepFocus: true });
 		restartPolling();
 	}
@@ -185,7 +196,7 @@
 						...BASE_CHART_OPTIONS.scales.y,
 						ticks: {
 							...BASE_CHART_OPTIONS.scales.y.ticks,
-							callback: (v: number) => `${v}`,
+							callback: (v: string | number) => `${v}`,
 						},
 					},
 				},
@@ -215,7 +226,8 @@
 					tooltip: {
 						...BASE_CHART_OPTIONS.plugins.tooltip,
 						callbacks: {
-							label: (ctx: { parsed: { y: number } }) => ` ${ctx.parsed.y.toFixed(1)} GB`,
+							// eslint-disable-next-line @typescript-eslint/no-explicit-any
+							label: (ctx: any) => ` ${ctx.parsed.y.toFixed(1)} GB`,
 						},
 					},
 				},
@@ -225,7 +237,7 @@
 						...BASE_CHART_OPTIONS.scales.y,
 						ticks: {
 							...BASE_CHART_OPTIONS.scales.y.ticks,
-							callback: (v: number) => `${(+v).toFixed(1)} GB`,
+							callback: (v: string | number) => `${(+v).toFixed(1)} GB`,
 						},
 					},
 				},
@@ -236,10 +248,21 @@
 		updateCharts();
 
 		restartPolling();
+
+		// Pause polling when the browser tab is hidden to save bandwidth/CPU.
+		visibilityHandler = () => {
+			if (document.hidden) {
+				stopPolling();
+			} else {
+				restartPolling();
+			}
+		};
+		document.addEventListener('visibilitychange', visibilityHandler);
 	});
 
 	onDestroy(() => {
-		if (pollInterval) clearInterval(pollInterval);
+		stopPolling();
+		if (visibilityHandler) document.removeEventListener('visibilitychange', visibilityHandler);
 		chartRunning?.destroy();
 		chartCpu?.destroy();
 		chartRam?.destroy();
@@ -312,7 +335,7 @@
 				</div>
 				<div class="bg-[var(--color-bg-2)] px-6 py-6 transition-colors duration-150 hover:bg-[var(--color-bg-3)]">
 					<div class="text-label text-[var(--color-text-muted)]">Peak · 30d</div>
-					<div class="mt-2 font-serif text-[1.714rem] leading-none tracking-[-0.03em] text-[var(--color-text-secondary)]">
+					<div class="mt-2 font-serif text-[1.714rem] leading-none text-[var(--color-text-secondary)]">
 						{loading ? '—' : (stats?.peaks.running_count ?? 0)}
 					</div>
 				</div>
@@ -334,7 +357,7 @@
 				</div>
 				<div class="bg-[var(--color-bg-2)] px-6 py-6 transition-colors duration-150 hover:bg-[var(--color-bg-3)]">
 					<div class="text-label text-[var(--color-text-muted)]">Peak · 30d</div>
-					<div class="mt-2 font-serif text-[1.714rem] leading-none tracking-[-0.03em] text-[var(--color-text-secondary)]">
+					<div class="mt-2 font-serif text-[1.714rem] leading-none text-[var(--color-text-secondary)]">
 						{loading ? '—' : (stats?.peaks.vcpus ?? 0)}
 					</div>
 				</div>
@@ -356,7 +379,7 @@
 				</div>
 				<div class="bg-[var(--color-bg-2)] px-6 py-6 transition-colors duration-150 hover:bg-[var(--color-bg-3)]">
 					<div class="text-label text-[var(--color-text-muted)]">Peak · 30d</div>
-					<div class="mt-2 font-serif text-[1.714rem] leading-none tracking-[-0.03em] text-[var(--color-text-secondary)]">
+					<div class="mt-2 font-serif text-[1.714rem] leading-none text-[var(--color-text-secondary)]">
 						{loading ? '—' : fmtGB(stats?.peaks.memory_mb ?? 0)}
 					</div>
 				</div>
diff --git a/frontend/src/lib/components/TerminalTab.svelte b/frontend/src/lib/components/TerminalTab.svelte
new file mode 100644
index 0000000..e7eadf4
--- /dev/null
+++ b/frontend/src/lib/components/TerminalTab.svelte
@@ -0,0 +1,602 @@
+<script lang="ts">
+	import { onDestroy, tick } from 'svelte';
+	import { auth } from '$lib/auth.svelte';
+
+	type Props = {
+		capsuleId: string;
+		isRunning: boolean;
+		visible?: boolean;
+		apiBasePath?: string;
+	};
+
+	let { capsuleId, isRunning, visible = true, apiBasePath = '/api/v1/capsules' }: Props = $props();
+
+	type ConnectionState = 'idle' | 'connecting' | 'connected' | 'disconnected' | 'error';
+
+	type SessionDisplay = {
+		id: number;
+		state: ConnectionState;
+		errorMessage: string | null;
+		ptyTag: string | null;
+		ptyPid: number | null;
+	};
+
+	type SessionInternal = {
+		// eslint-disable-next-line @typescript-eslint/no-explicit-any
+		term: any;
+		// eslint-disable-next-line @typescript-eslint/no-explicit-any
+		fitAddon: any;
+		ws: WebSocket | null;
+		resizeObserver: ResizeObserver | null;
+		fitDebounce: ReturnType<typeof setTimeout> | null;
+		inputFlushTimer: ReturnType<typeof setTimeout> | null;
+		inputBuffer: string;
+	};
+
+	const MAX_SESSIONS = 8;
+
+	let sessions = $state<SessionDisplay[]>([]);
+	const internals = new Map<number, SessionInternal>();
+	let activeSessionId = $state<number | null>(null);
+	let nextId = 0;
+	let cssLoaded = false;
+	let containerRef = $state<HTMLDivElement | undefined>(undefined);
+	let hasAutoCreated = false;
+
+	// eslint-disable-next-line @typescript-eslint/no-explicit-any
+	let TerminalClass: any = null;
+	// eslint-disable-next-line @typescript-eslint/no-explicit-any
+	let FitAddonClass: any = null;
+	// eslint-disable-next-line @typescript-eslint/no-explicit-any
+	let WebLinksAddonClass: any = null;
+
+	const activeSession = $derived(sessions.find(s => s.id === activeSessionId) ?? null);
+
+	const TERM_THEME = {
+		background: '#0a0c0b',
+		foreground: '#d0cdc6',
+		cursor: '#5e8c58',
+		cursorAccent: '#0a0c0b',
+		selectionBackground: 'rgba(94, 140, 88, 0.25)',
+		selectionForeground: '#eae7e2',
+		selectionInactiveBackground: 'rgba(94, 140, 88, 0.12)',
+		black: '#1a1e1c',
+		red: '#cf8172',
+		green: '#5e8c58',
+		yellow: '#d4a73c',
+		blue: '#5a9fd4',
+		magenta: '#b07ab8',
+		cyan: '#5aafb0',
+		white: '#d0cdc6',
+		brightBlack: '#454340',
+		brightRed: '#e09585',
+		brightGreen: '#89a785',
+		brightYellow: '#e0c070',
+		brightBlue: '#7ab8e0',
+		brightMagenta: '#c898cf',
+		brightCyan: '#7ac5c6',
+		brightWhite: '#eae7e2',
+	};
+
+	// Binary-safe base64 encode (handles multi-byte UTF-8 from xterm onData)
+	function toBase64(str: string): string {
+		return btoa(
+			Array.from(new TextEncoder().encode(str), (b) => String.fromCharCode(b)).join('')
+		);
+	}
+
+	// Binary-safe base64 decode (handles raw PTY bytes)
+	function fromBase64(b64: string): string {
+		const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
+		return new TextDecoder().decode(bytes);
+	}
+
+	function getWsUrl(): string {
+		const proto = window.location.protocol === 'https:' ? 'wss:' : 'ws:';
+		return `${proto}//${window.location.host}${apiBasePath}/${capsuleId}/pty`;
+	}
+
+	function wsSend(ws: WebSocket | null, data: string) {
+		try {
+			if (ws?.readyState === WebSocket.OPEN) ws.send(data);
+		} catch {
+			// Connection closing — ignore
+		}
+	}
+
+	function updateSession(id: number, updates: Partial<SessionDisplay>) {
+		const idx = sessions.findIndex(s => s.id === id);
+		if (idx === -1) return;
+		Object.assign(sessions[idx], updates);
+	}
+
+	async function loadModules() {
+		if (TerminalClass) return;
+		const [{ Terminal }, { FitAddon }, { WebLinksAddon }] = await Promise.all([
+			import('@xterm/xterm'),
+			import('@xterm/addon-fit'),
+			import('@xterm/addon-web-links')
+		]);
+		TerminalClass = Terminal;
+		FitAddonClass = FitAddon;
+		WebLinksAddonClass = WebLinksAddon;
+		if (!cssLoaded) {
+			await import('@xterm/xterm/css/xterm.css');
+			cssLoaded = true;
+		}
+	}
+
+	// Create first session when the tab becomes visible for the first time
+	$effect(() => {
+		if (visible && isRunning && !hasAutoCreated && containerRef) {
+			hasAutoCreated = true;
+			createSession();
+		}
+	});
+
+	// Re-fit active terminal when tab becomes visible (after being hidden)
+	$effect(() => {
+		if (visible && activeSessionId !== null) {
+			const int = internals.get(activeSessionId);
+			if (int?.fitAddon && int.term) {
+				requestAnimationFrame(() => {
+					int.fitAddon.fit();
+					int.term.focus();
+				});
+			}
+		}
+	});
+
+	// Close all sessions when capsule stops running
+	$effect(() => {
+		if (!isRunning && sessions.length > 0) {
+			// Copy IDs to avoid mutating during iteration
+			const ids = sessions.map(s => s.id);
+			for (const id of ids) closeSession(id);
+		}
+	});
+
+	async function createSession() {
+		if (!isRunning || !containerRef) return;
+		if (sessions.length >= MAX_SESSIONS) return;
+		await loadModules();
+
+		const id = nextId++;
+
+		sessions = [...sessions, {
+			id,
+			state: 'connecting',
+			errorMessage: null,
+			ptyTag: null,
+			ptyPid: null,
+		}];
+		activeSessionId = id;
+
+		await tick();
+
+		const el = containerRef?.querySelector(`[data-session-id="${id}"]`) as HTMLDivElement | null;
+		if (!el) {
+			// DOM didn't render — clean up the orphaned display entry
+			sessions = sessions.filter(s => s.id !== id);
+			if (activeSessionId === id) activeSessionId = null;
+			return;
+		}
+
+		const fitAddon = new FitAddonClass();
+		const term = new TerminalClass({
+			cursorBlink: true,
+			cursorStyle: 'bar',
+			cursorInactiveStyle: 'outline',
+			fontFamily: "'JetBrains Mono Variable', 'JetBrains Mono', monospace",
+			fontSize: 14,
+			lineHeight: 1.35,
+			letterSpacing: 0,
+			theme: TERM_THEME,
+			allowProposedApi: true,
+			scrollback: 5000,
+			convertEol: true,
+		});
+
+		term.loadAddon(fitAddon);
+		term.loadAddon(new WebLinksAddonClass());
+		term.open(el);
+
+		const internal: SessionInternal = {
+			term,
+			fitAddon,
+			ws: null,
+			resizeObserver: null,
+			fitDebounce: null,
+			inputFlushTimer: null,
+			inputBuffer: '',
+		};
+		internals.set(id, internal);
+
+		requestAnimationFrame(() => fitAddon.fit());
+
+		internal.resizeObserver = new ResizeObserver(() => {
+			if (internal.fitDebounce) clearTimeout(internal.fitDebounce);
+			internal.fitDebounce = setTimeout(() => {
+				if (internal.fitAddon && internal.term && activeSessionId === id) {
+					internal.fitAddon.fit();
+				}
+			}, 50);
+		});
+		internal.resizeObserver.observe(el);
+
+		// Register input/resize handlers ONCE per terminal (not per connection).
+		function flushInput() {
+			const int = internals.get(id);
+			if (!int) return;
+			int.inputFlushTimer = null;
+			if (!int.inputBuffer) return;
+			wsSend(int.ws, JSON.stringify({ type: 'input', data: toBase64(int.inputBuffer) }));
+			int.inputBuffer = '';
+		}
+
+		term.onData((data: string) => {
+			const int = internals.get(id);
+			if (!int) return;
+			int.inputBuffer += data;
+			if (!int.inputFlushTimer) {
+				int.inputFlushTimer = setTimeout(flushInput, 50);
+			}
+		});
+
+		term.onResize(({ cols, rows }: { cols: number; rows: number }) => {
+			const i = internals.get(id);
+			wsSend(i?.ws ?? null, JSON.stringify({ type: 'resize', cols, rows }));
+		});
+
+		connectSession(id);
+	}
+
+	function connectSession(id: number, reconnectTag?: string) {
+		const int = internals.get(id);
+		if (!int) return;
+
+		if (!auth.token) {
+			updateSession(id, { state: 'error', errorMessage: 'Not authenticated' });
+			return;
+		}
+
+		const display = sessions.find(s => s.id === id);
+		const tag = reconnectTag ?? display?.ptyTag;
+
+		const ws = new WebSocket(getWsUrl());
+		int.ws = ws;
+		updateSession(id, { state: 'connecting', errorMessage: null });
+
+		ws.onopen = () => {
+			// Send auth as the first message (JWT no longer in URL).
+			wsSend(ws, JSON.stringify({ type: 'auth', token: auth.token }));
+			const { cols, rows } = int.term;
+			const msg: Record<string, unknown> = {
+				type: tag ? 'connect' : 'start',
+				cols,
+				rows,
+			};
+			if (tag) {
+				msg.tag = tag;
+			} else {
+				msg.cmd = '/bin/bash';
+				msg.envs = { TERM: 'xterm-256color' };
+			}
+			wsSend(ws, JSON.stringify(msg));
+		};
+
+		ws.onmessage = (event) => {
+			try {
+				const msg = JSON.parse(event.data);
+				switch (msg.type) {
+					case 'started':
+						updateSession(id, {
+							state: 'connected',
+							ptyTag: msg.tag,
+							ptyPid: msg.pid ?? null,
+						});
+						if (activeSessionId === id) int.term.focus();
+						break;
+					case 'output':
+						if (msg.data) int.term.write(fromBase64(msg.data));
+						break;
+					case 'exit':
+						closeSession(id);
+						break;
+					case 'error':
+						if (msg.fatal) {
+							updateSession(id, { state: 'error', errorMessage: msg.data || 'Connection error' });
+							int.term.write(`\r\n\x1b[38;2;207;129;114m${msg.data}\x1b[0m\r\n`);
+						}
+						break;
+					case 'ping':
+						wsSend(ws, JSON.stringify({ type: 'pong' }));
+						break;
+				}
+			} catch {
+				// Ignore malformed messages
+			}
+		};
+
+		ws.onclose = (event) => {
+			const s = sessions.find(s => s.id === id);
+			if (!s) return;
+
+			// Abnormal close with a live session — auto-reconnect
+			if (!event.wasClean && s.state === 'connected' && s.ptyTag) {
+				updateSession(id, { state: 'connecting', errorMessage: null });
+				int.term.write('\r\n\x1b[38;2;107;104;98m[reconnecting...]\x1b[0m\r\n');
+				setTimeout(() => connectSession(id, s.ptyTag ?? undefined), 1000);
+				return;
+			}
+
+			if (s.state === 'connected') {
+				updateSession(id, { state: 'disconnected' });
+			}
+		};
+
+		ws.onerror = () => {
+			updateSession(id, { state: 'error', errorMessage: 'Connection lost — check that the capsule is running' });
+		};
+	}
+
+	function switchTo(id: number) {
+		activeSessionId = id;
+		requestAnimationFrame(() => {
+			const int = internals.get(id);
+			if (int?.fitAddon && int.term) {
+				int.fitAddon.fit();
+				int.term.focus();
+			}
+		});
+	}
+
+	function closeSession(id: number) {
+		const idx = sessions.findIndex(s => s.id === id);
+		if (idx === -1) return;
+
+		const int = internals.get(id);
+		if (int) {
+			if (int.fitDebounce) clearTimeout(int.fitDebounce);
+			if (int.inputFlushTimer) clearTimeout(int.inputFlushTimer);
+			int.resizeObserver?.disconnect();
+			wsSend(int.ws, JSON.stringify({ type: 'kill' }));
+			int.ws?.close();
+			int.term?.dispose();
+			internals.delete(id);
+		}
+
+		sessions = sessions.filter(s => s.id !== id);
+
+		if (activeSessionId === id) {
+			if (sessions.length === 0) {
+				activeSessionId = null;
+			} else {
+				const newIdx = Math.min(idx, sessions.length - 1);
+				switchTo(sessions[newIdx].id);
+			}
+		}
+	}
+
+	function reconnectSession(id: number) {
+		const int = internals.get(id);
+		const display = sessions.find(s => s.id === id);
+		if (!int || !display) return;
+		int.ws?.close();
+		connectSession(id, display.ptyTag ?? undefined);
+	}
+
+	function statusDot(state: ConnectionState): string {
+		switch (state) {
+			case 'connected': return 'bg-[var(--color-accent)]';
+			case 'connecting': return 'bg-[var(--color-text-tertiary)] animate-pulse';
+			case 'error': return 'bg-[var(--color-red)]';
+			default: return 'bg-[var(--color-text-muted)]';
+		}
+	}
+
+	onDestroy(() => {
+		for (const [, int] of internals) {
+			if (int.fitDebounce) clearTimeout(int.fitDebounce);
+			if (int.inputFlushTimer) clearTimeout(int.inputFlushTimer);
+			int.resizeObserver?.disconnect();
+			int.ws?.close();
+			int.term?.dispose();
+		}
+		internals.clear();
+	});
+</script>
+
+<style>
+	.terminal-container :global(.xterm) {
+		padding: 12px 4px 12px 16px;
+		height: 100%;
+	}
+	.terminal-container :global(.xterm-viewport),
+	.terminal-container :global(.xterm-screen) {
+		background-color: #0a0c0b !important;
+	}
+	.terminal-container :global(.xterm-viewport) {
+		scrollbar-width: thin;
+		scrollbar-color: rgba(94, 140, 88, 0.18) transparent;
+	}
+	.terminal-container :global(.xterm-viewport::-webkit-scrollbar) {
+		width: 6px;
+	}
+	.terminal-container :global(.xterm-viewport::-webkit-scrollbar-track) {
+		background: transparent;
+	}
+	.terminal-container :global(.xterm-viewport::-webkit-scrollbar-thumb) {
+		background: rgba(94, 140, 88, 0.18);
+		border-radius: 3px;
+	}
+	.terminal-container :global(.xterm-viewport::-webkit-scrollbar-thumb:hover) {
+		background: rgba(94, 140, 88, 0.32);
+	}
+	.tab-scroll {
+		scrollbar-width: none;
+	}
+	.tab-scroll::-webkit-scrollbar {
+		display: none;
+	}
+	.term-tab {
+		position: relative;
+	}
+	.term-tab::after {
+		content: '';
+		position: absolute;
+		right: 0;
+		top: 25%;
+		bottom: 25%;
+		width: 1px;
+		background: var(--color-border);
+	}
+	.term-tab:last-child::after {
+		display: none;
+	}
+	.term-tab-active::after {
+		display: none;
+	}
+	.term-tab:has(+ .term-tab-active)::after {
+		display: none;
+	}
+</style>
+
+<div class="flex flex-1 flex-col min-h-0">
+	{#if !isRunning}
+		<div class="flex flex-1 items-center justify-center">
+			<div class="flex flex-col items-center gap-5 text-center">
+				<div class="flex h-16 w-16 items-center justify-center rounded-[var(--radius-card)] border border-[var(--color-border-mid)] bg-[var(--color-bg-2)]" style="animation: iconFloat 3s ease-in-out infinite">
+					<svg class="text-[var(--color-text-muted)]" width="28" height="28" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true">
+						<polyline points="4 17 10 11 4 5" /><line x1="12" y1="19" x2="20" y2="19" />
+					</svg>
+				</div>
+				<div class="flex flex-col gap-1.5">
+					<span class="text-body font-medium text-[var(--color-text-secondary)]">Terminal unavailable</span>
+					<span class="text-ui text-[var(--color-text-muted)]">Start the capsule to connect</span>
+				</div>
+			</div>
+		</div>
+	{:else}
+		<!-- Unified session bar (hidden when no sessions) -->
+		<div class="flex items-stretch bg-[var(--color-bg-1)]" style:display={sessions.length === 0 ? 'none' : 'flex'}>
+			<div class="tab-scroll flex items-stretch overflow-x-auto">
+				{#each sessions as session (session.id)}
+					<!-- svelte-ignore a11y_no_static_element_interactions -->
+					<div
+						onclick={() => switchTo(session.id)}
+						onkeydown={(e) => { if (e.key === 'Enter' || e.key === ' ') switchTo(session.id); }}
+						role="tab"
+						tabindex="0"
+						aria-selected={session.id === activeSessionId}
+						class="term-tab group flex shrink-0 cursor-pointer items-center gap-2.5 px-5 py-2.5 text-meta transition-colors
+							{session.id === activeSessionId
+								? 'term-tab-active bg-[var(--color-bg-0)] text-[var(--color-text-primary)]'
+								: 'bg-[var(--color-bg-1)] text-[var(--color-text-tertiary)] hover:bg-[var(--color-bg-2)] hover:text-[var(--color-text-secondary)] border-b border-b-[var(--color-border)]'}"
+					>
+						{#if session.state === 'connected'}
+							<span class="relative flex h-[7px] w-[7px] shrink-0">
+								<span class="animate-status-ping absolute inline-flex h-full w-full rounded-full bg-[var(--color-accent)]"></span>
+								<span class="relative inline-flex h-[7px] w-[7px] rounded-full bg-[var(--color-accent)]"></span>
+							</span>
+						{:else if session.state === 'connecting'}
+							<svg class="animate-spin shrink-0 text-[var(--color-text-tertiary)]" width="12" height="12" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2.5"><path d="M21 12a9 9 0 1 1-6.219-8.56" /></svg>
+						{:else if session.state === 'error'}
+							<span class="h-[7px] w-[7px] shrink-0 rounded-full bg-[var(--color-red)]"></span>
+						{:else}
+							<span class="h-[7px] w-[7px] shrink-0 rounded-full bg-[var(--color-text-muted)]"></span>
+						{/if}
+
+						<span class="font-mono">
+							bash{#if session.ptyPid}<span class="text-[var(--color-text-muted)]">:{session.ptyPid}</span>{/if}
+						</span>
+
+						<button
+							onclick={(e) => { e.stopPropagation(); closeSession(session.id); }}
+							class="ml-0.5 flex h-5 w-5 items-center justify-center rounded-[3px] text-[var(--color-text-muted)] opacity-0 transition-all group-hover:opacity-100 hover:bg-[var(--color-bg-4)] hover:text-[var(--color-text-secondary)]"
+							title="Close session"
+						>
+							<svg width="11" height="11" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2.5" stroke-linecap="round" stroke-linejoin="round">
+								<line x1="18" y1="6" x2="6" y2="18" /><line x1="6" y1="6" x2="18" y2="18" />
+							</svg>
+						</button>
+					</div>
+				{/each}
+			</div>
+
+			<button
+				onclick={createSession}
+				disabled={sessions.length >= MAX_SESSIONS}
+				class="flex shrink-0 items-center justify-center aspect-square self-stretch border-b border-[var(--color-border)] text-[var(--color-text-tertiary)] transition-colors hover:bg-[var(--color-bg-2)] hover:text-[var(--color-text-primary)] disabled:opacity-30 disabled:cursor-not-allowed disabled:hover:bg-transparent disabled:hover:text-[var(--color-text-tertiary)]"
+				title={sessions.length >= MAX_SESSIONS ? `Maximum ${MAX_SESSIONS} sessions` : 'New terminal session'}
+			>
+				<svg width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
+					<line x1="12" y1="5" x2="12" y2="19" /><line x1="5" y1="12" x2="19" y2="12" />
+				</svg>
+			</button>
+
+			<div class="flex-1 border-b border-[var(--color-border)] bg-[var(--color-bg-1)]"></div>
+
+			{#if activeSession}
+				<div class="flex items-center gap-3 border-b border-[var(--color-border)] bg-[var(--color-bg-1)] pr-4">
+					{#if activeSession.state === 'error' && activeSession.errorMessage}
+						<span class="text-meta text-[var(--color-red)]/70">{activeSession.errorMessage}</span>
+					{/if}
+
+					{#if (activeSession.state === 'disconnected' || activeSession.state === 'error') && activeSession.ptyTag}
+						<button
+							onclick={() => activeSession && reconnectSession(activeSession.id)}
+							class="flex items-center gap-1.5 rounded-[var(--radius-button)] border border-[var(--color-border)] bg-[var(--color-bg-3)] px-3 py-1 text-meta font-medium text-[var(--color-text-secondary)] transition-colors hover:bg-[var(--color-bg-4)] hover:text-[var(--color-text-primary)]"
+						>
+							<svg width="12" height="12" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
+								<polyline points="1 4 1 10 7 10" /><polyline points="23 20 23 14 17 14" />
+								<path d="M20.49 9A9 9 0 0 0 5.64 5.64L1 10m22 4l-4.64 4.36A9 9 0 0 1 3.51 15" />
+							</svg>
+							Reconnect
+						</button>
+					{/if}
+
+					{#if activeSession.ptyTag}
+						<span class="font-mono text-label text-[var(--color-text-muted)]">{activeSession.ptyTag}</span>
+					{/if}
+				</div>
+			{/if}
+		</div>
+
+		<!-- Terminal surfaces -->
+		<div class="relative flex-1 min-h-0 bg-[var(--color-bg-0)]" bind:this={containerRef}>
+			{#each sessions as session (session.id)}
+				<div
+					data-session-id={session.id}
+					class="terminal-container absolute inset-0 bg-[var(--color-bg-0)]"
+					style:display={session.id === activeSessionId ? 'block' : 'none'}
+				></div>
+			{/each}
+
+			{#if sessions.length === 0}
+				<div class="flex h-full items-center justify-center">
+					<div class="flex flex-col items-center gap-5 text-center">
+						<div class="flex h-16 w-16 items-center justify-center rounded-[var(--radius-card)] border border-[var(--color-border-mid)] bg-[var(--color-bg-2)]" style="animation: iconFloat 3s ease-in-out infinite">
+							<svg class="text-[var(--color-text-muted)]" width="28" height="28" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true">
+								<polyline points="4 17 10 11 4 5" /><line x1="12" y1="19" x2="20" y2="19" />
+							</svg>
+						</div>
+						<div class="flex flex-col gap-1.5">
+							<span class="text-body font-medium text-[var(--color-text-secondary)]">No active sessions</span>
+							<span class="text-ui text-[var(--color-text-muted)]">All terminal sessions have been closed</span>
+						</div>
+						<button
+							onclick={createSession}
+							class="mt-1 flex items-center gap-2 rounded-[var(--radius-button)] border border-[var(--color-accent)]/30 bg-[var(--color-accent-glow-mid)] px-5 py-2.5 text-ui font-semibold text-[var(--color-accent-bright)] transition-all duration-150 hover:border-[var(--color-accent)]/50 hover:bg-[var(--color-accent)]/15 hover:-translate-y-px active:translate-y-0"
+						>
+							<svg width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
+								<line x1="12" y1="5" x2="12" y2="19" /><line x1="5" y1="12" x2="19" y2="12" />
+							</svg>
+							New session
+						</button>
+					</div>
+				</div>
+			{/if}
+		</div>
+	{/if}
+</div>
diff --git a/frontend/src/lib/components/Toaster.svelte b/frontend/src/lib/components/Toaster.svelte
index bb846dc..d81917f 100644
--- a/frontend/src/lib/components/Toaster.svelte
+++ b/frontend/src/lib/components/Toaster.svelte
@@ -13,6 +13,7 @@
 			<span class="flex-1 leading-relaxed">{t.message}</span>
 			<button
 				onclick={() => toast.dismiss(t.id)}
+				aria-label="Dismiss"
 				class="mt-0.5 shrink-0 opacity-50 transition-opacity hover:opacity-100"
 			>
 				<svg width="13" height="13" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2.5" stroke-linecap="round" stroke-linejoin="round">
diff --git a/frontend/src/lib/highlight.ts b/frontend/src/lib/highlight.ts
new file mode 100644
index 0000000..93028ea
--- /dev/null
+++ b/frontend/src/lib/highlight.ts
@@ -0,0 +1,128 @@
+/**
+ * Lazy syntax highlighting via shiki.
+ *
+ * The highlighter WASM engine + theme are loaded on first use.
+ * Language grammars load on-demand per extension.
+ * All imports are dynamic so nothing touches the main bundle.
+ */
+
+import type { HighlighterGeneric, ThemedToken } from 'shiki';
+export type { ThemedToken };
+
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+let highlighter: HighlighterGeneric<any, any> | null = null;
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+let loadingPromise: Promise<HighlighterGeneric<any, any>> | null = null;
+
+const THEME = 'vesper';
+
+// Extensions → shiki language IDs.
+// Only map what we expect users to encounter in capsules.
+const EXT_TO_LANG: Record<string, string> = {
+	// Go
+	go: 'go', mod: 'go', sum: 'go',
+	// Python
+	py: 'python', pyi: 'python', pyx: 'python',
+	// JavaScript / TypeScript
+	js: 'javascript', mjs: 'javascript', cjs: 'javascript', jsx: 'jsx',
+	ts: 'typescript', mts: 'typescript', cts: 'typescript', tsx: 'tsx',
+	// Rust
+	rs: 'rust',
+	// Shell
+	sh: 'shellscript', bash: 'shellscript', zsh: 'shellscript',
+	// Config
+	json: 'json', yaml: 'yaml', yml: 'yaml', toml: 'toml', ini: 'ini',
+	env: 'shellscript',
+	// Markup / docs
+	md: 'markdown', mdx: 'mdx', html: 'html', htm: 'html', xml: 'xml',
+	// CSS
+	css: 'css', scss: 'scss', less: 'less',
+	// SQL
+	sql: 'sql',
+	// Svelte / Vue
+	svelte: 'svelte', vue: 'vue',
+	// Docker / Make
+	dockerfile: 'dockerfile',
+	makefile: 'makefile',
+	// Proto
+	proto: 'protobuf',
+	// C / C++
+	c: 'c', h: 'c', cpp: 'cpp', cc: 'cpp', cxx: 'cpp', hpp: 'cpp',
+	// Java / Kotlin
+	java: 'java', kt: 'kotlin', kts: 'kotlin',
+	// Ruby
+	rb: 'ruby',
+	// PHP
+	php: 'php',
+	// Lua
+	lua: 'lua',
+	// Misc
+	txt: 'plaintext',
+};
+
+// Filenames without extensions
+const NAME_TO_LANG: Record<string, string> = {
+	Dockerfile: 'dockerfile',
+	Makefile: 'makefile',
+	Containerfile: 'dockerfile',
+	Vagrantfile: 'ruby',
+};
+
+/** Resolve a filename to a shiki language ID, or null if unknown. */
+export function langFromFilename(name: string): string | null {
+	// Check full filename first (Dockerfile, Makefile, etc.)
+	const basename = name.includes('/') ? name.slice(name.lastIndexOf('/') + 1) : name;
+	if (NAME_TO_LANG[basename]) return NAME_TO_LANG[basename];
+
+	const dot = basename.lastIndexOf('.');
+	if (dot <= 0) return null;
+	const ext = basename.slice(dot + 1).toLowerCase();
+	return EXT_TO_LANG[ext] ?? null;
+}
+
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+async function getHighlighter(): Promise<HighlighterGeneric<any, any>> {
+	if (highlighter) return highlighter;
+	if (loadingPromise) return loadingPromise;
+
+	loadingPromise = (async () => {
+		const { createHighlighter } = await import('shiki');
+
+		const h = await createHighlighter({
+			themes: [THEME],
+			langs: [], // load languages on demand
+		});
+		highlighter = h;
+		return h;
+	})();
+
+	return loadingPromise;
+}
+
+/**
+ * Tokenize code for a given language.
+ * Returns an array of lines, each containing themed tokens with `color` and `content`.
+ * Returns null if the language is unknown or highlighting fails.
+ */
+export async function tokenize(
+	code: string,
+	filename: string,
+): Promise<ThemedToken[][] | null> {
+	const lang = langFromFilename(filename);
+	if (!lang || lang === 'plaintext') return null;
+
+	try {
+		const h = await getHighlighter();
+
+		// Load grammar on demand if not yet loaded
+		const loaded = h.getLoadedLanguages();
+		if (!loaded.includes(lang)) {
+			await h.loadLanguage(lang);
+		}
+
+		return h.codeToTokensBase(code, { lang, theme: THEME });
+	} catch {
+		// Grammar not available or other error — fall back to plain text
+		return null;
+	}
+}
diff --git a/frontend/src/routes/activate/+page.svelte b/frontend/src/routes/activate/+page.svelte
new file mode 100644
index 0000000..14bea92
--- /dev/null
+++ b/frontend/src/routes/activate/+page.svelte
@@ -0,0 +1,75 @@
+<script lang="ts">
+	import { onMount } from 'svelte';
+	import { page } from '$app/stores';
+	import { goto } from '$app/navigation';
+	import { auth } from '$lib/auth.svelte';
+	import { teams } from '$lib/teams.svelte';
+	import { apiActivate } from '$lib/api/auth';
+
+	let loading = $state(true);
+	let error = $state('');
+	let done = $state(false);
+
+	onMount(async () => {
+		const token = $page.url.searchParams.get('token');
+		if (!token) {
+			error = 'No activation token provided.';
+			loading = false;
+			return;
+		}
+
+		const result = await apiActivate(token);
+		loading = false;
+
+		if (!result.ok) {
+			error = result.error;
+			return;
+		}
+
+		done = true;
+		teams.reset();
+		auth.login(result.data);
+		goto('/dashboard');
+	});
+</script>
+
+<svelte:head>
+	<title>Wrenn — Activate account</title>
+</svelte:head>
+
+<div class="flex min-h-screen items-center justify-center bg-[var(--color-bg-0)] px-4">
+	<div class="w-full max-w-[400px]" style="animation: fadeUp 0.35s ease both">
+		<!-- Brand -->
+		<div class="mb-8 flex items-center gap-3">
+			<img src="/logo.svg" alt="Wrenn" class="h-10 w-10 rounded-[var(--radius-logo)]" />
+			<span class="font-brand text-page text-[var(--color-text-bright)]">Wrenn</span>
+		</div>
+
+		{#if loading}
+			<div class="rounded-[var(--radius-card)] border border-[var(--color-border)] bg-[var(--color-bg-1)] p-6">
+				<div class="flex items-center gap-3">
+					<span class="inline-block h-4 w-4 animate-spin rounded-full border-2 border-[var(--color-accent)]/30 border-t-[var(--color-accent)]"></span>
+					<p class="text-body text-[var(--color-text-secondary)]">Activating your account...</p>
+				</div>
+			</div>
+		{:else if error}
+			<div class="rounded-[var(--radius-card)] border border-[var(--color-border)] bg-[var(--color-bg-1)] p-6">
+				<h1 class="font-serif text-display text-[var(--color-text-bright)]">Activation failed</h1>
+				<p class="mt-2 text-ui text-[var(--color-red)]">{error}</p>
+				<a
+					href="/login"
+					class="mt-6 flex w-full items-center justify-center rounded-[var(--radius-button)] bg-[var(--color-accent)] py-3 text-body font-semibold text-white transition-all duration-150 hover:brightness-115 hover:-translate-y-px active:translate-y-0"
+				>
+					Back to sign in
+				</a>
+			</div>
+		{:else if done}
+			<div class="rounded-[var(--radius-card)] border border-[var(--color-border)] bg-[var(--color-bg-1)] p-6">
+				<div class="flex items-center gap-3">
+					<span class="inline-block h-4 w-4 animate-spin rounded-full border-2 border-[var(--color-accent)]/30 border-t-[var(--color-accent)]"></span>
+					<p class="text-body text-[var(--color-text-secondary)]">Redirecting to dashboard...</p>
+				</div>
+			</div>
+		{/if}
+	</div>
+</div>
diff --git a/frontend/src/routes/admin/+layout.svelte b/frontend/src/routes/admin/+layout.svelte
index 599de61..de91ec9 100644
--- a/frontend/src/routes/admin/+layout.svelte
+++ b/frontend/src/routes/admin/+layout.svelte
@@ -1,7 +1,19 @@
 <script lang="ts">
+	import AdminSidebar from '$lib/components/AdminSidebar.svelte';
 	import Toaster from '$lib/components/Toaster.svelte';
 	let { children } = $props();
+
+	let collapsed = $state(
+		typeof window !== 'undefined'
+			? localStorage.getItem('wrenn_sidebar_collapsed') === 'true'
+			: false
+	);
 </script>
 
+<div class="flex h-screen overflow-hidden">
+	<AdminSidebar bind:collapsed />
+	<div class="flex flex-1 flex-col overflow-hidden">
+		{@render children()}
+	</div>
+</div>
 <Toaster />
-{@render children()}
diff --git a/frontend/src/routes/admin/+page.svelte b/frontend/src/routes/admin/+page.svelte
index b5a56c1..c6c45dc 100644
--- a/frontend/src/routes/admin/+page.svelte
+++ b/frontend/src/routes/admin/+page.svelte
@@ -1,5 +1,5 @@
 <script lang="ts">
 	import { goto } from '$app/navigation';
 	import { onMount } from 'svelte';
-	onMount(() => goto('/admin/hosts', { replaceState: true }));
+	onMount(() => goto('/admin/templates', { replaceState: true }));
 </script>
diff --git a/frontend/src/routes/admin/capsules/+page.svelte b/frontend/src/routes/admin/capsules/+page.svelte
new file mode 100644
index 0000000..b0f1923
--- /dev/null
+++ b/frontend/src/routes/admin/capsules/+page.svelte
@@ -0,0 +1,549 @@
+<script lang="ts">
+	import CreateCapsuleDialog from '$lib/components/CreateCapsuleDialog.svelte';
+	import DestroyDialog from '$lib/components/DestroyDialog.svelte';
+	import CopyButton from '$lib/components/CopyButton.svelte';
+	import { onMount, onDestroy } from 'svelte';
+	import { goto } from '$app/navigation';
+	import { toast } from '$lib/toast.svelte';
+	import {
+		listAdminCapsules,
+		destroyAdminCapsule,
+	} from '$lib/api/admin-capsules';
+	import type { Capsule } from '$lib/api/capsules';
+
+	const REFRESH_INTERVAL = 15;
+	const SPIN_DURATION = 600;
+
+	let capsules = $state<Capsule[]>([]);
+	let loading = $state(true);
+	let error = $state<string | null>(null);
+	let showCreateDialog = $state(false);
+	let searchQuery = $state('');
+	let spinning = $state(false);
+
+	// Auto-refresh
+	let autoRefresh = $state(true);
+	let countdown = $state(REFRESH_INTERVAL);
+	let countdownInterval: ReturnType<typeof setInterval> | null = null;
+	let refreshInterval: ReturnType<typeof setInterval> | null = null;
+
+	// Sorting
+	type SortKey = 'status' | 'vcpus' | 'memory_mb' | 'started_at' | 'template';
+	let sortKey = $state<SortKey | null>(null);
+	let sortDir = $state<'asc' | 'desc'>('asc');
+
+	// Destroy state
+	let destroyTarget = $state<Capsule | null>(null);
+
+	// Animation tracking
+	let initialAnimationDone = $state(false);
+	let newCapsuleId = $state<string | null>(null);
+
+	let runningCount = $derived(capsules.filter((c) => c.status === 'running').length);
+
+	let filteredCapsules = $derived.by(() => {
+		let list = searchQuery
+			? capsules.filter((c) =>
+				c.id.toLowerCase().includes(searchQuery.toLowerCase()) ||
+				c.template.toLowerCase().includes(searchQuery.toLowerCase())
+			)
+			: [...capsules];
+
+		if (sortKey) {
+			const key = sortKey;
+			const dir = sortDir === 'asc' ? 1 : -1;
+			list.sort((a, b) => {
+				if (key === 'status' || key === 'template') {
+					return a[key].localeCompare(b[key]) * dir;
+				}
+				if (key === 'started_at') {
+					const ta = a.started_at ? new Date(a.started_at).getTime() : 0;
+					const tb = b.started_at ? new Date(b.started_at).getTime() : 0;
+					return (ta - tb) * dir;
+				}
+				return ((a[key] as number) - (b[key] as number)) * dir;
+			});
+		}
+
+		return list;
+	});
+
+	function toggleSort(key: SortKey) {
+		if (sortKey === key) {
+			sortDir = sortDir === 'asc' ? 'desc' : 'asc';
+		} else {
+			sortKey = key;
+			sortDir = 'asc';
+		}
+	}
+
+	function startAutoRefresh() {
+		stopAutoRefresh();
+		countdown = REFRESH_INTERVAL;
+		countdownInterval = setInterval(() => {
+			countdown--;
+			if (countdown <= 0) countdown = REFRESH_INTERVAL;
+		}, 1000);
+		refreshInterval = setInterval(fetchCapsules, REFRESH_INTERVAL * 1000);
+	}
+
+	function stopAutoRefresh() {
+		if (countdownInterval) { clearInterval(countdownInterval); countdownInterval = null; }
+		if (refreshInterval) { clearInterval(refreshInterval); refreshInterval = null; }
+	}
+
+	function toggleAutoRefresh() {
+		autoRefresh = !autoRefresh;
+		if (autoRefresh) {
+			startAutoRefresh();
+		} else {
+			stopAutoRefresh();
+		}
+	}
+
+	async function fetchCapsules(manual = false) {
+		const wasEmpty = capsules.length === 0;
+		if (wasEmpty) loading = true;
+
+		if (manual) {
+			spinning = true;
+			var spinTimer = new Promise<void>((resolve) => setTimeout(resolve, SPIN_DURATION));
+		}
+
+		const result = await listAdminCapsules();
+		if (result.ok) {
+			capsules = result.data;
+			error = null;
+		} else {
+			error = result.error;
+		}
+		loading = false;
+
+		if (!initialAnimationDone) {
+			setTimeout(() => { initialAnimationDone = true; }, 400 + (capsules.length * 40));
+		}
+
+		if (autoRefresh) countdown = REFRESH_INTERVAL;
+
+		if (manual) {
+			await spinTimer!;
+			spinning = false;
+		}
+	}
+
+	function handleCreated(capsule: Capsule) {
+		goto(`/admin/capsules/${capsule.id}`);
+	}
+
+	function handleDestroyed() {
+		if (destroyTarget) {
+			const id = destroyTarget.id;
+			capsules = capsules.filter((c) => c.id !== id);
+			toast.success('Capsule destroyed');
+		}
+		destroyTarget = null;
+	}
+
+	function statusColor(status: string): string {
+		switch (status) {
+			case 'running': return 'var(--color-accent)';
+			case 'paused':  return 'var(--color-amber)';
+			case 'error':   return 'var(--color-red)';
+			default:        return 'var(--color-text-muted)';
+		}
+	}
+
+	function statusBg(status: string): string {
+		switch (status) {
+			case 'running': return 'rgba(94,140,88,0.12)';
+			case 'paused':  return 'rgba(212,167,60,0.12)';
+			case 'error':   return 'rgba(207,129,114,0.12)';
+			default:        return 'rgba(255,255,255,0.05)';
+		}
+	}
+
+	function statusBorder(status: string): string {
+		switch (status) {
+			case 'running': return 'rgba(94,140,88,0.3)';
+			case 'paused':  return 'rgba(212,167,60,0.3)';
+			case 'error':   return 'rgba(207,129,114,0.3)';
+			default:        return 'rgba(255,255,255,0.08)';
+		}
+	}
+
+	function formatTime(iso: string | null | undefined): string {
+		if (!iso) return '\u2014';
+		return new Date(iso).toLocaleString([], {
+			month: 'short', day: 'numeric',
+			hour: '2-digit', minute: '2-digit',
+		});
+	}
+
+	function timeAgo(iso: string | undefined): string {
+		if (!iso) return '';
+		const seconds = Math.floor((Date.now() - new Date(iso).getTime()) / 1000);
+		if (seconds < 60) return `${seconds}s ago`;
+		if (seconds < 3600) return `${Math.floor(seconds / 60)}m ago`;
+		if (seconds < 86400) return `${Math.floor(seconds / 3600)}h ago`;
+		return `${Math.floor(seconds / 86400)}d ago`;
+	}
+
+	function handleVisibility() {
+		if (document.hidden) {
+			stopAutoRefresh();
+		} else if (autoRefresh) {
+			fetchCapsules();
+			startAutoRefresh();
+		}
+	}
+
+	onMount(() => {
+		fetchCapsules();
+		startAutoRefresh();
+		document.addEventListener('visibilitychange', handleVisibility);
+	});
+
+	onDestroy(() => {
+		stopAutoRefresh();
+		document.removeEventListener('visibilitychange', handleVisibility);
+	});
+</script>
+
+<svelte:head>
+	<title>Wrenn Admin — Capsules</title>
+</svelte:head>
+
+<style>
+	.refresh-spin {
+		animation: spin-once 0.6s ease-in-out;
+	}
+
+	@keyframes capsule-born {
+		0%, 25% { background-color: rgba(94, 140, 88, 0.1); }
+		100% { background-color: transparent; }
+	}
+	.capsule-born {
+		animation: capsule-born 1.6s ease-out forwards;
+	}
+
+	.row-stripe {
+		transform: scaleY(0);
+		transform-origin: center;
+		transition: transform 0.18s cubic-bezier(0.25, 1, 0.5, 1);
+	}
+	.capsule-row:hover .row-stripe {
+		transform: scaleY(1);
+	}
+</style>
+
+<main class="flex min-w-0 flex-1 flex-col overflow-hidden">
+	<!-- Header -->
+		<div class="shrink-0 px-8 pt-8 pb-6">
+			<div class="flex items-center justify-between">
+				<div>
+					<h1 class="font-serif text-page leading-none text-[var(--color-text-bright)]">
+						Capsules
+					</h1>
+					<p class="mt-2 text-ui text-[var(--color-text-secondary)]">
+						Launch temporary capsules to build and snapshot platform templates.
+					</p>
+				</div>
+
+				<div class="flex items-center gap-3">
+					{#if !loading && runningCount > 0}
+						<div class="flex items-center gap-2.5 rounded-[var(--radius-card)] border border-[var(--color-accent)]/20 bg-[var(--color-bg-2)] px-3.5 py-2">
+							<span class="relative flex h-[8px] w-[8px]">
+								<span class="animate-status-ping absolute inline-flex h-full w-full rounded-full bg-[var(--color-accent)]"></span>
+								<span class="relative inline-flex h-[8px] w-[8px] rounded-full bg-[var(--color-accent)]"></span>
+							</span>
+							<span class="font-mono text-body font-semibold text-[var(--color-accent-bright)]">{runningCount}</span>
+							<span class="text-ui text-[var(--color-text-secondary)]">running</span>
+						</div>
+					{/if}
+
+					<button
+						onclick={() => { showCreateDialog = true; }}
+						class="group flex items-center gap-2.5 rounded-[var(--radius-button)] bg-[var(--color-accent)] px-5 py-2.5 text-ui font-semibold text-white shadow-sm transition-all duration-200 hover:shadow-[0_0_20px_var(--color-accent-glow-mid)] hover:brightness-115 hover:-translate-y-px active:translate-y-0"
+					>
+						<svg width="13" height="13" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2.5" stroke-linecap="round" stroke-linejoin="round" class="transition-transform duration-200 group-hover:rotate-90"><line x1="12" y1="5" x2="12" y2="19"/><line x1="5" y1="12" x2="19" y2="12"/></svg>
+						Launch Capsule
+					</button>
+				</div>
+			</div>
+		</div>
+
+		<!-- Content -->
+		<div class="flex-1 overflow-y-auto px-8 pb-6" style="animation: fadeUp 0.35s ease both">
+			<!-- Toolbar -->
+			<div class="mb-4 flex items-center gap-3">
+				<div class="relative flex-1 max-w-[300px]">
+					<svg class="pointer-events-none absolute left-3 top-1/2 -translate-y-1/2 text-[var(--color-text-muted)]" width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
+						<circle cx="11" cy="11" r="8" /><line x1="21" y1="21" x2="16.65" y2="16.65" />
+					</svg>
+					<input
+						type="text"
+						placeholder="Search by ID or template..."
+						bind:value={searchQuery}
+						class="w-full rounded-[var(--radius-input)] border border-[var(--color-border)] bg-[var(--color-bg-2)] py-2 pl-9 pr-3 font-mono text-ui text-[var(--color-text-bright)] outline-none placeholder:text-[var(--color-text-muted)] transition-colors duration-150 focus:border-[var(--color-accent)]"
+					/>
+				</div>
+				<span class="text-ui text-[var(--color-text-secondary)]">{filteredCapsules.length} capsule{filteredCapsules.length !== 1 ? 's' : ''}</span>
+
+				<div class="flex-1"></div>
+
+				<!-- Refresh -->
+				<button
+					onclick={() => fetchCapsules(true)}
+					disabled={spinning}
+					class="flex h-8 w-8 items-center justify-center rounded-[var(--radius-button)] border border-[var(--color-border)] text-[var(--color-text-tertiary)] transition-colors duration-150 hover:border-[var(--color-border-mid)] hover:text-[var(--color-text-secondary)] disabled:opacity-50"
+					title="Refresh"
+				>
+					<svg
+						class={spinning ? 'refresh-spin' : ''}
+						width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"
+					>
+						<polyline points="23 4 23 10 17 10" />
+						<path d="M20.49 15a9 9 0 1 1-2.12-9.36L23 10" />
+					</svg>
+				</button>
+
+				<!-- Auto-refresh countdown -->
+				<button
+					onclick={toggleAutoRefresh}
+					class="flex items-center gap-1.5 rounded-[var(--radius-button)] border px-2.5 py-1.5 font-mono text-label transition-colors duration-150
+						{autoRefresh
+							? 'border-[var(--color-accent)]/30 text-[var(--color-accent-mid)] hover:border-[var(--color-accent)]/50'
+							: 'border-[var(--color-border)] text-[var(--color-text-muted)] hover:border-[var(--color-border-mid)] hover:text-[var(--color-text-secondary)]'}"
+					title={autoRefresh ? 'Click to disable auto-refresh' : `Click to enable auto-refresh (${REFRESH_INTERVAL}s)`}
+				>
+					{#if autoRefresh}
+						<svg width="14" height="14" viewBox="0 0 16 16" fill="none" aria-hidden="true">
+							<circle cx="8" cy="8" r="5" stroke="var(--color-accent-glow-mid)" stroke-width="1.5" />
+							<circle
+								cx="8" cy="8" r="5"
+								stroke="var(--color-accent)"
+								stroke-width="1.5"
+								stroke-linecap="round"
+								stroke-dasharray="31.416"
+								stroke-dashoffset={31.416 * (1 - countdown / REFRESH_INTERVAL)}
+								transform="rotate(-90 8 8)"
+								style="transition: stroke-dashoffset 1s linear"
+							/>
+						</svg>
+						{countdown}s
+					{:else}
+						Off
+					{/if}
+				</button>
+			</div>
+
+			{#if error}
+				<div class="mb-4 flex items-start gap-3 rounded-[var(--radius-card)] border border-[var(--color-red)]/30 bg-[var(--color-red)]/5 px-4 py-3">
+					<svg class="mt-0.5 shrink-0 text-[var(--color-red)]" width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
+						<circle cx="12" cy="12" r="10" /><line x1="12" y1="8" x2="12" y2="12" /><line x1="12" y1="16" x2="12.01" y2="16" />
+					</svg>
+					<span class="text-ui text-[var(--color-red)]">{error}. Try refreshing the page.</span>
+				</div>
+			{/if}
+
+			<!-- Table -->
+			<div class="rounded-[var(--radius-card)] border border-[var(--color-border)] overflow-hidden">
+				<!-- Header row -->
+				<div class="grid grid-cols-[1.6fr_0.9fr_0.5fr_0.5fr_1fr_0.7fr_0.8fr] rounded-t-[var(--radius-card)] border-b border-[var(--color-border)] bg-[var(--color-bg-3)]">
+					<div class="px-5 py-3 text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-muted)]">ID</div>
+					{@render sortableHeader('Template', 'template')}
+					{@render sortableHeader('CPU', 'vcpus')}
+					{@render sortableHeader('Memory', 'memory_mb')}
+					{@render sortableHeader('Started', 'started_at')}
+					{@render sortableHeader('Status', 'status')}
+					<div class="px-5 py-3 text-right text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-muted)]">Actions</div>
+				</div>
+
+				{#if loading && capsules.length === 0}
+					<div class="flex items-center justify-center py-16">
+						<div class="flex items-center gap-3 text-ui text-[var(--color-text-secondary)]">
+							<svg class="animate-spin" width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2">
+								<path d="M21 12a9 9 0 1 1-6.219-8.56" />
+							</svg>
+							Loading capsules...
+						</div>
+					</div>
+				{:else if filteredCapsules.length === 0 && searchQuery}
+					<div class="flex flex-col items-center justify-center py-[72px]">
+						<div class="relative mb-5">
+							<div class="relative flex h-14 w-14 items-center justify-center rounded-[var(--radius-card)] border border-[var(--color-border)] bg-[var(--color-bg-3)]">
+								<svg width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="var(--color-text-muted)" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round">
+									<circle cx="11" cy="11" r="8" /><line x1="21" y1="21" x2="16.65" y2="16.65" />
+								</svg>
+							</div>
+						</div>
+						<p class="font-serif text-heading text-[var(--color-text-bright)]">
+							No matching capsules
+						</p>
+						<p class="mt-1.5 text-ui text-[var(--color-text-tertiary)]">
+							No capsules match "<span class="font-mono text-[var(--color-text-secondary)]">{searchQuery}</span>".
+						</p>
+						<button
+							onclick={() => { searchQuery = ''; }}
+							class="mt-4 rounded-[var(--radius-button)] border border-[var(--color-border)] px-4 py-2 text-ui text-[var(--color-text-secondary)] transition-colors duration-150 hover:border-[var(--color-border-mid)] hover:text-[var(--color-text-primary)]"
+						>
+							Clear search
+						</button>
+					</div>
+				{:else if filteredCapsules.length === 0}
+					<div class="flex flex-col items-center justify-center py-[72px]">
+						<div class="relative mb-5">
+							<div class="absolute inset-0 -m-4 rounded-full" style="background: radial-gradient(circle, rgba(94,140,88,0.08) 0%, transparent 70%)"></div>
+							<div class="relative flex h-14 w-14 items-center justify-center rounded-[var(--radius-card)] border border-[var(--color-accent)]/20 bg-[var(--color-bg-3)]" style="animation: iconFloat 4s ease-in-out infinite">
+								<svg width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="var(--color-accent-mid)" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round">
+									<polyline points="4 17 10 11 4 5" /><line x1="12" y1="19" x2="20" y2="19" />
+								</svg>
+							</div>
+						</div>
+						<p class="font-serif text-heading text-[var(--color-text-bright)]">
+							No capsules
+						</p>
+						<p class="mt-1.5 max-w-[340px] text-center text-ui text-[var(--color-text-tertiary)]">
+							Launch a capsule, configure it interactively, then snapshot it as a platform template.
+						</p>
+						<button
+							onclick={() => { showCreateDialog = true; }}
+							class="mt-6 flex items-center gap-2 rounded-[var(--radius-button)] bg-[var(--color-accent)] px-5 py-2.5 text-ui font-semibold text-white shadow-sm transition-all duration-200 hover:shadow-[0_0_20px_var(--color-accent-glow-mid)] hover:brightness-115 hover:-translate-y-px active:translate-y-0"
+						>
+							Launch Capsule
+							<svg width="12" height="12" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2.5" stroke-linecap="round" stroke-linejoin="round">
+								<line x1="12" y1="5" x2="12" y2="19" /><line x1="5" y1="12" x2="19" y2="12" />
+							</svg>
+						</button>
+					</div>
+				{:else}
+					{#each filteredCapsules as capsule, i (capsule.id)}
+						{@const stripeColor = capsule.status === 'running' ? 'bg-[var(--color-accent)]' : capsule.status === 'paused' ? 'bg-[var(--color-amber)]' : capsule.status === 'error' ? 'bg-[var(--color-red)]' : 'bg-[var(--color-text-muted)]'}
+						<div
+							class="capsule-row relative grid grid-cols-[1.6fr_0.9fr_0.5fr_0.5fr_1fr_0.7fr_0.8fr] items-center overflow-hidden border-b border-[var(--color-border)] transition-colors duration-150 hover:bg-[var(--color-bg-3)] last:border-b-0 {newCapsuleId === capsule.id ? 'capsule-born' : ''}"
+							style={initialAnimationDone ? '' : `animation: fadeUp 0.35s ease both; animation-delay: ${i * 40}ms`}
+						>
+							<!-- Left accent stripe -->
+							<div class="row-stripe pointer-events-none absolute left-0 top-0 h-full w-0.5 {stripeColor}"></div>
+
+							<!-- ID -->
+							<div class="flex items-center gap-2.5 px-5 py-4">
+								{#if capsule.status === 'running'}
+									<span class="relative flex h-[6px] w-[6px] shrink-0">
+										<span class="animate-status-ping absolute inline-flex h-full w-full rounded-full bg-[var(--color-accent)]"></span>
+										<span class="relative inline-flex h-[6px] w-[6px] rounded-full bg-[var(--color-accent)]"></span>
+									</span>
+								{:else if capsule.status === 'paused'}
+									<span class="inline-flex h-[6px] w-[6px] shrink-0 rounded-full bg-[var(--color-amber)]"></span>
+								{:else if capsule.status === 'error'}
+									<span class="inline-flex h-[6px] w-[6px] shrink-0 rounded-full bg-[var(--color-red)]"></span>
+								{:else}
+									<span class="inline-flex h-[6px] w-[6px] shrink-0 rounded-full bg-[var(--color-text-muted)]"></span>
+								{/if}
+								{#if searchQuery && capsule.id.toLowerCase().includes(searchQuery.toLowerCase())}
+									{@const matchIdx = capsule.id.toLowerCase().indexOf(searchQuery.toLowerCase())}
+									<a href="/admin/capsules/{capsule.id}" class="font-mono text-ui text-[var(--color-text-bright)] hover:text-[var(--color-accent-bright)] transition-colors duration-150">{capsule.id.slice(0, matchIdx)}<mark class="rounded-[2px] bg-[var(--color-accent-glow-mid)] px-0.5 text-[var(--color-accent-bright)] not-italic">{capsule.id.slice(matchIdx, matchIdx + searchQuery.length)}</mark>{capsule.id.slice(matchIdx + searchQuery.length)}</a>
+								{:else}
+									<a href="/admin/capsules/{capsule.id}" class="font-mono text-ui text-[var(--color-text-bright)] hover:text-[var(--color-accent-bright)] transition-colors duration-150">{capsule.id}</a>
+								{/if}
+								<CopyButton value={capsule.id} />
+							</div>
+
+							<!-- Template -->
+							<div class="min-w-0 px-5 py-4">
+								<span class="block truncate font-mono text-ui text-[var(--color-text-secondary)]">{capsule.template}</span>
+							</div>
+
+							<!-- CPU -->
+							<div class="px-5 py-4">
+								<span class="font-mono text-ui text-[var(--color-text-secondary)]">{capsule.vcpus}</span>
+							</div>
+
+							<!-- Memory -->
+							<div class="px-5 py-4">
+								<span class="font-mono text-ui text-[var(--color-text-secondary)]">{capsule.memory_mb}MB</span>
+							</div>
+
+							<!-- Started -->
+							<div class="px-5 py-4">
+								<span class="text-ui text-[var(--color-text-secondary)]" title={capsule.started_at ?? ''}>{formatTime(capsule.started_at)}</span>
+								{#if capsule.last_active_at}
+									<span class="ml-1.5 text-label text-[var(--color-text-muted)]">active {timeAgo(capsule.last_active_at)}</span>
+								{/if}
+							</div>
+
+							<!-- Status -->
+							<div class="px-5 py-4">
+								<span
+									class="inline-flex items-center gap-1.5 rounded-full px-2.5 py-1 text-label font-semibold uppercase tracking-[0.05em]"
+									style="color: {statusColor(capsule.status)}; background: {statusBg(capsule.status)}; border: 1px solid {statusBorder(capsule.status)}"
+								>
+									{capsule.status}
+								</span>
+							</div>
+
+							<!-- Actions -->
+							<div class="flex items-center justify-end gap-2 px-5 py-4">
+								{#if capsule.status === 'running' || capsule.status === 'paused'}
+									<button
+										onclick={() => { destroyTarget = capsule; }}
+										class="rounded-[var(--radius-button)] border border-[var(--color-red)]/30 bg-[var(--color-red)]/8 px-3 py-1.5 text-meta font-medium text-[var(--color-red)] transition-all duration-150 hover:bg-[var(--color-red)]/15 hover:border-[var(--color-red)]/50"
+									>
+										Destroy
+									</button>
+								{/if}
+							</div>
+						</div>
+					{/each}
+				{/if}
+			</div>
+		</div>
+
+		<!-- Status bar -->
+		<footer
+			class="flex h-7 shrink-0 items-center justify-end border-t border-[var(--color-border)] bg-[var(--color-bg-1)] px-7"
+		>
+			<div class="flex items-center gap-1.5">
+				<span class="relative flex h-[5px] w-[5px]">
+					<span class="animate-status-ping absolute inline-flex h-full w-full rounded-full bg-[var(--color-accent)]"></span>
+					<span class="relative inline-flex h-[5px] w-[5px] rounded-full bg-[var(--color-accent)]"></span>
+				</span>
+				<span class="font-mono text-label uppercase tracking-[0.04em] text-[var(--color-text-secondary)]">All systems operational</span>
+			</div>
+		</footer>
+</main>
+
+<CreateCapsuleDialog
+	open={showCreateDialog}
+	onclose={() => { showCreateDialog = false; }}
+	oncreated={handleCreated}
+	templateSource="platform"
+/>
+
+{#if destroyTarget}
+	<DestroyDialog
+		open={true}
+		capsuleId={destroyTarget.id}
+		onclose={() => { destroyTarget = null; }}
+		ondestroyed={handleDestroyed}
+		destroyFn={destroyAdminCapsule}
+	/>
+{/if}
+
+{#snippet sortableHeader(label: string, key: SortKey)}
+	<button
+		onclick={() => toggleSort(key)}
+		class="flex items-center gap-1 px-5 py-3 text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-muted)] transition-colors duration-150 hover:text-[var(--color-text-secondary)]"
+	>
+		{label}
+		{#if sortKey === key}
+			<svg width="10" height="10" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2.5" class="text-[var(--color-accent)]">
+				{#if sortDir === 'asc'}
+					<polyline points="18 15 12 9 6 15" />
+				{:else}
+					<polyline points="6 9 12 15 18 9" />
+				{/if}
+			</svg>
+		{/if}
+	</button>
+{/snippet}
diff --git a/frontend/src/routes/admin/capsules/[id]/+page.js b/frontend/src/routes/admin/capsules/[id]/+page.js
new file mode 100644
index 0000000..d43d0cd
--- /dev/null
+++ b/frontend/src/routes/admin/capsules/[id]/+page.js
@@ -0,0 +1 @@
+export const prerender = false;
diff --git a/frontend/src/routes/admin/capsules/[id]/+page.svelte b/frontend/src/routes/admin/capsules/[id]/+page.svelte
new file mode 100644
index 0000000..0c9d587
--- /dev/null
+++ b/frontend/src/routes/admin/capsules/[id]/+page.svelte
@@ -0,0 +1,323 @@
+<script lang="ts">
+	import { onMount, onDestroy } from 'svelte';
+	import { page } from '$app/stores';
+	import { goto } from '$app/navigation';
+	import TerminalTab from '$lib/components/TerminalTab.svelte';
+	import FilesTab from '$lib/components/FilesTab.svelte';
+	import MetricsPanel from '$lib/components/MetricsPanel.svelte';
+	import DestroyDialog from '$lib/components/DestroyDialog.svelte';
+	import CopyButton from '$lib/components/CopyButton.svelte';
+	import { toast } from '$lib/toast.svelte';
+	import {
+		getAdminCapsule,
+		destroyAdminCapsule,
+		snapshotAdminCapsule,
+	} from '$lib/api/admin-capsules';
+	import type { Capsule } from '$lib/api/capsules';
+
+	const capsuleId: string = $page.params.id ?? '';
+	const API_BASE = '/api/v1/admin/capsules';
+
+	let capsule = $state<Capsule | null>(null);
+	let capsuleLoading = $state(true);
+	let capsuleError = $state<string | null>(null);
+
+	// Destroy dialog
+	let showDestroy = $state(false);
+
+	// Snapshot dialog
+	let showSnapshot = $state(false);
+	let snapshotName = $state('');
+	let snapshotting = $state(false);
+	let snapshotError = $state<string | null>(null);
+
+	const metricsAvailable = $derived(
+		capsule?.status === 'running' || capsule?.status === 'paused'
+	);
+
+	async function loadCapsule() {
+		const result = await getAdminCapsule(capsuleId);
+		if (result.ok) {
+			capsule = result.data;
+			capsuleError = null;
+		} else {
+			capsuleError = result.error;
+		}
+		capsuleLoading = false;
+	}
+
+	async function handleSnapshot() {
+		snapshotting = true;
+		snapshotError = null;
+		const result = await snapshotAdminCapsule(capsuleId, snapshotName.trim() || undefined);
+		if (result.ok) {
+			toast.success(`Snapshot "${result.data.name}" created`);
+			goto('/admin/templates');
+		} else {
+			snapshotError = result.error;
+		}
+		snapshotting = false;
+	}
+
+	function statusColor(status: string): string {
+		switch (status) {
+			case 'running': return 'var(--color-accent)';
+			case 'paused':  return 'var(--color-amber)';
+			case 'error':   return 'var(--color-red)';
+			default:        return 'var(--color-text-muted)';
+		}
+	}
+
+	function statusBg(status: string): string {
+		switch (status) {
+			case 'running': return 'rgba(94,140,88,0.12)';
+			case 'paused':  return 'rgba(212,167,60,0.12)';
+			case 'error':   return 'rgba(207,129,114,0.12)';
+			default:        return 'rgba(255,255,255,0.05)';
+		}
+	}
+
+	function statusBorder(status: string): string {
+		switch (status) {
+			case 'running': return 'rgba(94,140,88,0.3)';
+			case 'paused':  return 'rgba(212,167,60,0.3)';
+			case 'error':   return 'rgba(207,129,114,0.3)';
+			default:        return 'rgba(255,255,255,0.08)';
+		}
+	}
+
+	let pollTimer: ReturnType<typeof setInterval> | null = null;
+
+	function startPolling() {
+		stopPolling();
+		pollTimer = setInterval(loadCapsule, 10_000);
+	}
+
+	function stopPolling() {
+		if (pollTimer) { clearInterval(pollTimer); pollTimer = null; }
+	}
+
+	function handleVisibility() {
+		if (document.hidden) {
+			stopPolling();
+		} else {
+			loadCapsule();
+			startPolling();
+		}
+	}
+
+	onMount(() => {
+		loadCapsule();
+		startPolling();
+		document.addEventListener('visibilitychange', handleVisibility);
+	});
+
+	onDestroy(() => {
+		stopPolling();
+		document.removeEventListener('visibilitychange', handleVisibility);
+	});
+</script>
+
+<svelte:head>
+	<title>Wrenn Admin — {capsuleId}</title>
+</svelte:head>
+
+<main class="flex min-w-0 flex-1 flex-col overflow-hidden">
+		{#if capsuleLoading}
+			<div class="flex flex-1 items-center justify-center">
+				<div class="flex items-center gap-3 text-ui text-[var(--color-text-secondary)]">
+					<svg class="animate-spin" width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><path d="M21 12a9 9 0 1 1-6.219-8.56" /></svg>
+					Loading capsule...
+				</div>
+			</div>
+		{:else if capsuleError}
+			<div class="p-8">
+				<div class="flex items-center gap-3 rounded-[var(--radius-card)] border border-[var(--color-red)]/30 bg-[var(--color-red)]/8 px-5 py-4">
+					<svg class="shrink-0 text-[var(--color-red)]" width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
+						<circle cx="12" cy="12" r="10" /><line x1="12" y1="8" x2="12" y2="12" /><line x1="12" y1="16" x2="12.01" y2="16" />
+					</svg>
+					<span class="text-ui text-[var(--color-red)]">{capsuleError}</span>
+				</div>
+			</div>
+		{:else if capsule}
+			<!-- Breadcrumb + summary + actions -->
+			<div class="shrink-0 px-7 pt-8">
+				<div class="flex items-center gap-2.5">
+					<a
+						href="/admin/capsules"
+						class="font-serif text-page leading-none text-[var(--color-text-secondary)] transition-colors duration-150 hover:text-[var(--color-text-bright)]"
+					>
+						Capsules
+					</a>
+					<span class="text-[var(--color-text-muted)] select-none" style="font-size: 1.1rem">&rsaquo;</span>
+					<span class="flex items-center gap-1.5">
+						<span class="font-mono text-[1.1rem] leading-none text-[var(--color-text-bright)]">{capsuleId}</span>
+						<CopyButton value={capsuleId} />
+					</span>
+
+					<span
+						class="ml-1 inline-flex items-center gap-1.5 rounded-full px-2.5 py-1 text-label font-semibold uppercase tracking-[0.05em]"
+						style="color: {statusColor(capsule.status)}; background: {statusBg(capsule.status)}; border: 1px solid {statusBorder(capsule.status)}"
+					>
+						{#if capsule.status === 'running'}
+							<span class="relative flex h-[5px] w-[5px] shrink-0">
+								<span class="animate-status-ping absolute inline-flex h-full w-full rounded-full bg-[var(--color-accent)]"></span>
+								<span class="relative inline-flex h-[5px] w-[5px] rounded-full bg-[var(--color-accent)]"></span>
+							</span>
+						{/if}
+						{capsule.status}
+					</span>
+					<span class="font-mono text-ui text-[var(--color-text-muted)]">{capsule.template} &middot; {capsule.vcpus}v &middot; {capsule.memory_mb}MB</span>
+
+					<div class="ml-auto flex items-center gap-2">
+						{#if capsule.status === 'running' || capsule.status === 'paused'}
+							<button
+								onclick={() => { showSnapshot = true; snapshotName = ''; snapshotError = null; }}
+								disabled={snapshotting}
+								class="flex items-center gap-1.5 rounded-[var(--radius-button)] border border-[var(--color-accent)]/30 bg-[var(--color-accent)]/8 px-3 py-1.5 text-meta font-medium text-[var(--color-accent-bright)] transition-all duration-150 hover:bg-[var(--color-accent)]/15 hover:border-[var(--color-accent)]/50 disabled:opacity-50"
+							>
+								<svg width="12" height="12" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.75" stroke-linecap="round" stroke-linejoin="round"><path d="M14.5 4h-5L7 7H2v13a2 2 0 002 2h16a2 2 0 002-2V7h-5l-2.5-3z" /><circle cx="12" cy="15" r="3" /></svg>
+								Snapshot
+							</button>
+							<button
+								onclick={() => { showDestroy = true; }}
+								class="flex items-center gap-1.5 rounded-[var(--radius-button)] border border-[var(--color-red)]/30 bg-[var(--color-red)]/8 px-3 py-1.5 text-meta font-medium text-[var(--color-red)] transition-all duration-150 hover:bg-[var(--color-red)]/15 hover:border-[var(--color-red)]/50"
+							>
+								<svg width="12" height="12" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><polyline points="3 6 5 6 21 6" /><path d="M19 6v14a2 2 0 01-2 2H7a2 2 0 01-2-2V6m3 0V4a2 2 0 012-2h4a2 2 0 012 2v2" /></svg>
+								Destroy
+							</button>
+						{/if}
+					</div>
+				</div>
+			</div>
+
+			<div class="mt-5 shrink-0 border-b border-[var(--color-border)]"></div>
+
+			<!-- Split panels: 50/50 -->
+			<div class="flex flex-1 overflow-hidden">
+				<!-- Left: Terminal -->
+				<div class="flex w-1/2 flex-col overflow-hidden border-r border-[var(--color-border)]">
+					<TerminalTab {capsuleId} isRunning={capsule.status === 'running'} apiBasePath={API_BASE} />
+				</div>
+
+				<!-- Right: Metrics (top 50%) + Files (bottom 50%) -->
+				<div class="flex w-1/2 flex-col overflow-hidden">
+					{#if metricsAvailable}
+						<div class="flex flex-1 flex-col min-h-0 border-b border-[var(--color-border)]">
+							<MetricsPanel {capsuleId} available={metricsAvailable} initialRange="5m" apiBasePath={API_BASE} layout="compact" />
+						</div>
+					{/if}
+
+					<div class="flex flex-1 flex-col min-h-0 overflow-hidden">
+						<FilesTab {capsuleId} isRunning={capsule.status === 'running'} apiBasePath={API_BASE} compact />
+					</div>
+				</div>
+			</div>
+		{/if}
+
+		<!-- Status bar -->
+		<footer
+			class="flex h-7 shrink-0 items-center justify-end border-t border-[var(--color-border)] bg-[var(--color-bg-1)] px-7"
+		>
+			<div class="flex items-center gap-1.5">
+				<span class="relative flex h-[5px] w-[5px]">
+					<span class="animate-status-ping absolute inline-flex h-full w-full rounded-full bg-[var(--color-accent)]"></span>
+					<span class="relative inline-flex h-[5px] w-[5px] rounded-full bg-[var(--color-accent)]"></span>
+				</span>
+				<span class="font-mono text-label uppercase tracking-[0.04em] text-[var(--color-text-secondary)]">All systems operational</span>
+			</div>
+		</footer>
+</main>
+
+<!-- Snapshot dialog -->
+{#if showSnapshot}
+	<div class="fixed inset-0 z-50 flex items-center justify-center">
+		<!-- svelte-ignore a11y_no_static_element_interactions -->
+		<div
+			class="absolute inset-0 bg-black/60"
+			onclick={() => { if (!snapshotting) showSnapshot = false; }}
+			onkeydown={(e) => { if (e.key === 'Escape' && !snapshotting) showSnapshot = false; }}
+		></div>
+
+		<div class="relative w-full max-w-[420px] rounded-[var(--radius-card)] border border-[var(--color-border-mid)] bg-[var(--color-bg-2)] overflow-hidden" style="animation: fadeUp 0.2s ease both; box-shadow: var(--shadow-dialog)">
+			<div class="flex items-center gap-4 border-b border-[var(--color-border)] bg-[var(--color-bg-3)] px-6 py-5">
+				<div class="flex h-10 w-10 shrink-0 items-center justify-center rounded-[var(--radius-input)] bg-[var(--color-accent)]/15 text-[var(--color-accent)] shadow-[0_0_12px_var(--color-accent-glow)]">
+					<svg width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.75" stroke-linecap="round" stroke-linejoin="round">
+						<path d="M14.5 4h-5L7 7H2v13a2 2 0 002 2h16a2 2 0 002-2V7h-5l-2.5-3z" />
+						<circle cx="12" cy="15" r="3" />
+					</svg>
+				</div>
+				<div>
+					<h2 class="font-serif text-heading text-[var(--color-text-bright)]">Snapshot as platform template</h2>
+					<p class="mt-0.5 text-meta text-[var(--color-text-muted)] font-mono">{capsuleId}</p>
+				</div>
+			</div>
+
+			<div class="px-6 pt-5 pb-6 space-y-4">
+				<div class="flex items-start gap-2.5 rounded-[var(--radius-input)] border border-[var(--color-amber)]/25 bg-[var(--color-amber)]/8 px-3 py-2.5">
+					<svg class="mt-px shrink-0 text-[var(--color-amber)]" width="13" height="13" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
+						<path d="M10.29 3.86L1.82 18a2 2 0 001.71 3h16.94a2 2 0 001.71-3L13.71 3.86a2 2 0 00-3.42 0z" />
+						<line x1="12" y1="9" x2="12" y2="13" />
+						<line x1="12" y1="17" x2="12.01" y2="17" />
+					</svg>
+					<p class="text-meta text-[var(--color-amber)] leading-relaxed">This will <strong class="font-semibold">pause, snapshot, and destroy</strong> the capsule. The snapshot will be available as a platform template for all teams.</p>
+				</div>
+
+				{#if snapshotError}
+					<div class="rounded-[var(--radius-input)] border border-[var(--color-red)]/30 bg-[var(--color-red)]/5 px-3 py-2 text-meta text-[var(--color-red)]">
+						{snapshotError}
+					</div>
+				{/if}
+
+				<div>
+					<div class="mb-1.5 flex items-baseline justify-between">
+						<label class="text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-tertiary)]" for="admin-snapshot-name">Template name</label>
+						<span class="text-meta text-[var(--color-text-muted)]">optional</span>
+					</div>
+					<input
+						id="admin-snapshot-name"
+						type="text"
+						bind:value={snapshotName}
+						disabled={snapshotting}
+						class="w-full rounded-[var(--radius-input)] border border-[var(--color-border)] bg-[var(--color-bg-4)] px-3 py-2 font-mono text-ui text-[var(--color-text-bright)] outline-none placeholder:text-[var(--color-text-muted)] transition-colors duration-150 focus:border-[var(--color-accent)] disabled:opacity-50"
+						placeholder="e.g. python-3.12, node-22-dev"
+						onkeydown={(e) => { if (e.key === 'Enter' && !snapshotting) handleSnapshot(); }}
+					/>
+					<p class="mt-1.5 text-meta text-[var(--color-text-muted)]">Leave blank for an auto-generated name. If the name already exists, it will be overwritten.</p>
+				</div>
+
+				<div class="flex justify-end gap-3 pt-1">
+					<button
+						onclick={() => { showSnapshot = false; }}
+						disabled={snapshotting}
+						class="rounded-[var(--radius-button)] border border-[var(--color-border)] px-4 py-2 text-ui text-[var(--color-text-secondary)] transition-colors duration-150 hover:border-[var(--color-border-mid)] hover:text-[var(--color-text-primary)] disabled:opacity-50"
+					>
+						Cancel
+					</button>
+					<button
+						onclick={handleSnapshot}
+						disabled={snapshotting}
+						class="flex items-center gap-2 rounded-[var(--radius-button)] bg-[var(--color-accent)] px-5 py-2 text-ui font-semibold text-white transition-all duration-150 hover:brightness-115 hover:-translate-y-px active:translate-y-0 disabled:opacity-50 disabled:hover:translate-y-0"
+					>
+						{#if snapshotting}
+							<svg class="animate-spin" width="13" height="13" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2">
+								<path d="M21 12a9 9 0 1 1-6.219-8.56" />
+							</svg>
+							Snapshotting...
+						{:else}
+							Snapshot & Destroy
+						{/if}
+					</button>
+				</div>
+			</div>
+		</div>
+	</div>
+{/if}
+
+<DestroyDialog
+	open={showDestroy}
+	{capsuleId}
+	onclose={() => { showDestroy = false; }}
+	ondestroyed={() => { toast.success('Capsule destroyed'); goto('/admin/capsules'); }}
+	destroyFn={destroyAdminCapsule}
+/>
diff --git a/frontend/src/routes/admin/hosts/+page.svelte b/frontend/src/routes/admin/hosts/+page.svelte
index 16c7476..30b3ad5 100644
--- a/frontend/src/routes/admin/hosts/+page.svelte
+++ b/frontend/src/routes/admin/hosts/+page.svelte
@@ -1,5 +1,4 @@
 <script lang="ts">
-	import AdminSidebar from '$lib/components/AdminSidebar.svelte';
 	import { onMount } from 'svelte';
 	import { toast } from '$lib/toast.svelte';
 	import { formatDate, timeAgo } from '$lib/utils/format';
@@ -16,12 +15,6 @@
 
 	const PAGE_SIZE = 50;
 
-	let collapsed = $state(
-		typeof window !== 'undefined'
-			? localStorage.getItem('wrenn_sidebar_collapsed') === 'true'
-			: false
-	);
-
 	let activeTab = $state<'platform' | 'byoc'>('platform');
 
 	// All hosts fetched once
@@ -77,7 +70,7 @@
 
 	// Delete confirmation
 	let deleteTarget = $state<Host | null>(null);
-	let deletePreviewSandboxes = $state<string[]>([]);
+	let deletePreviewCapsules = $state<string[]>([]);
 	let deletePreviewLoading = $state(false);
 	let deleting = $state(false);
 	let deleteError = $state<string | null>(null);
@@ -124,12 +117,12 @@
 	async function openDeleteConfirm(host: Host) {
 		deleteTarget = host;
 		deleteError = null;
-		deletePreviewSandboxes = [];
+		deletePreviewCapsules = [];
 		deletePreviewLoading = true;
 		const preview = await getDeletePreview(host.id);
 		deletePreviewLoading = false;
 		if (preview.ok) {
-			deletePreviewSandboxes = preview.data.sandbox_ids;
+			deletePreviewCapsules = preview.data.sandbox_ids;
 		}
 	}
 
@@ -137,7 +130,7 @@
 		if (!deleteTarget) return;
 		deleting = true;
 		deleteError = null;
-		const result = await deleteHost(deleteTarget.id, deletePreviewSandboxes.length > 0);
+		const result = await deleteHost(deleteTarget.id, deletePreviewCapsules.length > 0);
 		if (result.ok) {
 			allHosts = allHosts.filter((h) => h.id !== deleteTarget!.id);
 			deleteTarget = null;
@@ -163,50 +156,50 @@
 	onMount(fetchHosts);
 </script>
 
-<div class="flex h-screen overflow-hidden bg-[var(--color-bg-0)]">
-	<AdminSidebar bind:collapsed />
+<main class="flex min-w-0 flex-1 flex-col overflow-hidden">
+	<!-- Header -->
+	<header class="relative shrink-0 border-b border-[var(--color-border)] bg-[var(--color-bg-1)]">
+		<!-- Subtle gradient wash behind header for depth -->
+		<div class="absolute inset-0 bg-gradient-to-b from-[var(--color-accent)]/[0.02] to-transparent pointer-events-none"></div>
 
-	<main class="flex min-w-0 flex-1 flex-col overflow-hidden">
-		<!-- Header -->
-		<header class="flex shrink-0 flex-col gap-4 border-b border-[var(--color-border)] bg-[var(--color-bg-1)] px-6 py-5">
-			<div class="flex items-start justify-between">
-				<div>
-					<h1 class="font-serif text-[1.75rem] leading-none tracking-[-0.03em] text-[var(--color-text-bright)]">
-						Hosts
+		<div class="relative flex items-start justify-between px-8 pt-7 pb-5">
+			<div>
+				<h1 class="font-serif text-page leading-none text-[var(--color-text-bright)]">
+					Hosts
 					</h1>
-					<p class="mt-1.5 text-ui text-[var(--color-text-tertiary)]">
+					<p class="mt-2 text-ui text-[var(--color-text-tertiary)]">
 						Platform and BYOC compute across all teams.
 					</p>
 				</div>
 				{#if activeTab === 'platform'}
 					<button
 						onclick={() => { showCreate = true; createError = null; createForm = { provider: '', availability_zone: '' }; }}
-						class="flex items-center gap-2 rounded-[var(--radius-button)] bg-[var(--color-accent)] px-4 py-2 text-ui font-semibold text-white shadow-sm transition-all duration-150 hover:brightness-115 hover:-translate-y-px active:translate-y-0"
+						class="group flex items-center gap-2.5 rounded-[var(--radius-button)] bg-[var(--color-accent)] px-5 py-2.5 text-ui font-semibold text-white shadow-sm transition-all duration-200 hover:shadow-[0_0_20px_var(--color-accent-glow-mid)] hover:brightness-115 hover:-translate-y-px active:translate-y-0"
 					>
-						<svg width="13" height="13" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2.5" stroke-linecap="round" stroke-linejoin="round"><line x1="12" y1="5" x2="12" y2="19"/><line x1="5" y1="12" x2="19" y2="12"/></svg>
+						<svg width="13" height="13" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2.5" stroke-linecap="round" stroke-linejoin="round" class="transition-transform duration-200 group-hover:rotate-90"><line x1="12" y1="5" x2="12" y2="19"/><line x1="5" y1="12" x2="19" y2="12"/></svg>
 						Add Host
 					</button>
 				{/if}
 			</div>
 
-			<!-- Stat pills -->
+			<!-- Stat strip — bolder presence -->
 			{#if !loading && !error}
-				<div class="flex items-center gap-2">
-					<div class="flex items-baseline gap-1 rounded-[var(--radius-button)] border border-[var(--color-border)] bg-[var(--color-bg-2)] px-2.5 py-1">
-						<span class="font-mono font-semibold text-ui tabular-nums text-[var(--color-text-bright)]">{totalCount}</span>
+				<div class="relative flex items-center gap-3 px-8 pb-5">
+					<div class="stat-pill border-[var(--color-border)] bg-[var(--color-bg-2)]">
+						<span class="font-mono text-body font-bold tabular-nums text-[var(--color-text-bright)]">{totalCount}</span>
 						<span class="text-label text-[var(--color-text-muted)]">total</span>
 					</div>
-					<div class="flex items-baseline gap-1.5 rounded-[var(--radius-button)] border border-[var(--color-accent)]/25 bg-[var(--color-accent)]/8 px-2.5 py-1">
-						<span class="relative mt-px flex h-1.5 w-1.5 shrink-0 self-center">
-							<span class="absolute inline-flex h-full w-full animate-ping rounded-full bg-[var(--color-accent)] opacity-60"></span>
-							<span class="relative inline-flex h-1.5 w-1.5 rounded-full bg-[var(--color-accent)]"></span>
+					<div class="stat-pill border-[var(--color-accent)]/25 bg-[var(--color-accent)]/8 gap-2">
+						<span class="relative flex h-2 w-2 shrink-0">
+							<span class="animate-status-ping absolute inline-flex h-full w-full rounded-full bg-[var(--color-accent)] opacity-60"></span>
+							<span class="relative inline-flex h-2 w-2 rounded-full bg-[var(--color-accent)]"></span>
 						</span>
-						<span class="font-mono font-semibold text-ui tabular-nums text-[var(--color-accent-bright)]">{onlineCount}</span>
+						<span class="font-mono text-body font-bold tabular-nums text-[var(--color-accent-bright)]">{onlineCount}</span>
 						<span class="text-label text-[var(--color-accent-bright)]/70">online</span>
 					</div>
 					{#if pendingCount > 0}
-						<div class="flex items-baseline gap-1 rounded-[var(--radius-button)] border border-[var(--color-amber)]/25 bg-[var(--color-amber)]/8 px-2.5 py-1">
-							<span class="font-mono font-semibold text-ui tabular-nums text-[var(--color-amber)]">{pendingCount}</span>
+						<div class="stat-pill border-[var(--color-amber)]/25 bg-[var(--color-amber)]/8">
+							<span class="font-mono text-body font-bold tabular-nums text-[var(--color-amber)]">{pendingCount}</span>
 							<span class="text-label text-[var(--color-amber)]/70">pending</span>
 						</div>
 					{/if}
@@ -214,30 +207,32 @@
 			{/if}
 		</header>
 
-		<!-- Tabs -->
-		<div class="flex shrink-0 border-b border-[var(--color-border)] bg-[var(--color-bg-1)] px-6">
+		<!-- Tabs — heavier presence -->
+		<div class="flex shrink-0 border-b border-[var(--color-border)] bg-[var(--color-bg-1)] px-8">
 			{#each [['platform', 'Platform', platformHosts.length], ['byoc', 'BYOC', byocHosts.length]] as [id, label, count] (id)}
 				<button
 					onclick={() => { activeTab = id as 'platform' | 'byoc'; if (id === 'byoc') byocPage = 0; }}
-					class="relative py-3 pr-5 text-ui transition-colors duration-150 {activeTab === id
-						? 'font-medium text-[var(--color-text-bright)]'
+					class="tab-button {activeTab === id
+						? 'text-[var(--color-text-bright)] font-medium'
 						: 'text-[var(--color-text-tertiary)] hover:text-[var(--color-text-secondary)]'}"
 				>
 					{label}
-					{#if activeTab === id}
-						<span class="absolute bottom-0 left-0 right-5 h-[2px] rounded-t-full bg-[var(--color-accent)]"></span>
-					{/if}
 					{#if !loading}
-						<span class="ml-2 rounded-full bg-[var(--color-bg-4)] px-1.5 py-0.5 text-label text-[var(--color-text-muted)]">
+						<span class="ml-2 rounded-full px-2 py-0.5 text-label tabular-nums transition-colors duration-200 {activeTab === id
+							? 'bg-[var(--color-accent)]/12 text-[var(--color-accent-bright)]'
+							: 'bg-[var(--color-bg-4)] text-[var(--color-text-muted)]'}">
 							{count}
 						</span>
 					{/if}
+					{#if activeTab === id}
+						<span class="absolute bottom-0 left-0 right-0 h-[2px] rounded-t-full bg-[var(--color-accent)]"></span>
+					{/if}
 				</button>
 			{/each}
 		</div>
 
 		<!-- Body -->
-		<div class="flex-1 overflow-y-auto p-6">
+		<div class="flex-1 overflow-y-auto px-8 py-6">
 			{#if loading}
 				{@render skeletonRows()}
 			{:else if error}
@@ -251,16 +246,16 @@
 				{#if byocHosts.length === 0}
 					{@render emptyState('byoc')}
 				{:else}
-					<div class="space-y-5">
+					<div class="space-y-6">
 						{#each byocGroups as group (group.teamId ?? '__none__')}
 							{@const groupPageHosts = byocPageHosts.filter(h => h.team_id === group.teamId || (group.teamId === null && !h.team_id))}
 							{#if groupPageHosts.length > 0}
 								<div>
-									<div class="mb-2.5 flex items-center gap-2.5">
+									<div class="mb-3 flex items-center gap-2.5">
 										<span class="text-label font-semibold uppercase tracking-[0.08em] text-[var(--color-text-tertiary)]">
 											{group.teamName}
 										</span>
-										<span class="rounded-full bg-[var(--color-bg-3)] px-1.5 py-0.5 font-mono text-label text-[var(--color-text-muted)]">
+										<span class="rounded-full bg-[var(--color-bg-3)] px-2 py-0.5 font-mono text-label tabular-nums text-[var(--color-text-muted)]">
 											{group.hosts.length}
 										</span>
 									</div>
@@ -271,22 +266,22 @@
 
 						<!-- Pagination -->
 						{#if byocPageCount > 1}
-							<div class="flex items-center justify-between pt-2">
+							<div class="flex items-center justify-between pt-3">
 								<span class="text-meta text-[var(--color-text-muted)]">
-									Page {byocPage + 1} of {byocPageCount} · {byocHosts.length} hosts
+									Page <span class="font-mono tabular-nums">{byocPage + 1}</span> of <span class="font-mono tabular-nums">{byocPageCount}</span> · <span class="font-mono tabular-nums">{byocHosts.length}</span> hosts
 								</span>
 								<div class="flex items-center gap-2">
 									<button
 										onclick={() => (byocPage = Math.max(0, byocPage - 1))}
 										disabled={byocPage === 0}
-										class="rounded-[var(--radius-button)] border border-[var(--color-border)] px-3 py-1.5 text-meta text-[var(--color-text-secondary)] transition-colors duration-150 hover:border-[var(--color-border-mid)] hover:text-[var(--color-text-primary)] disabled:cursor-not-allowed disabled:opacity-40"
+										class="rounded-[var(--radius-button)] border border-[var(--color-border)] px-3.5 py-1.5 text-meta text-[var(--color-text-secondary)] transition-all duration-150 hover:border-[var(--color-border-mid)] hover:text-[var(--color-text-primary)] disabled:cursor-not-allowed disabled:opacity-40"
 									>
 										← Previous
 									</button>
 									<button
 										onclick={() => (byocPage = Math.min(byocPageCount - 1, byocPage + 1))}
 										disabled={byocPage >= byocPageCount - 1}
-										class="rounded-[var(--radius-button)] border border-[var(--color-border)] px-3 py-1.5 text-meta text-[var(--color-text-secondary)] transition-colors duration-150 hover:border-[var(--color-border-mid)] hover:text-[var(--color-text-primary)] disabled:cursor-not-allowed disabled:opacity-40"
+										class="rounded-[var(--radius-button)] border border-[var(--color-border)] px-3.5 py-1.5 text-meta text-[var(--color-text-secondary)] transition-all duration-150 hover:border-[var(--color-border-mid)] hover:text-[var(--color-text-primary)] disabled:cursor-not-allowed disabled:opacity-40"
 									>
 										Next →
 									</button>
@@ -298,37 +293,46 @@
 			{/if}
 		</div>
 	</main>
-</div>
+
+	<footer class="flex h-7 shrink-0 items-center justify-end border-t border-[var(--color-border)] bg-[var(--color-bg-1)] px-7">
+		<div class="flex items-center gap-1.5">
+			<span class="relative flex h-[5px] w-[5px]">
+				<span class="animate-status-ping absolute inline-flex h-full w-full rounded-full bg-[var(--color-accent)]"></span>
+				<span class="relative inline-flex h-[5px] w-[5px] rounded-full bg-[var(--color-accent)]"></span>
+			</span>
+			<span class="font-mono text-label uppercase tracking-[0.04em] text-[var(--color-text-secondary)]">All systems operational</span>
+		</div>
+	</footer>
 
 {#snippet skeletonRows()}
-	<div class="rounded-[var(--radius-card)] border border-[var(--color-border)] bg-[var(--color-bg-1)] overflow-hidden">
+	<div class="rounded-[var(--radius-card)] border border-[var(--color-border)] bg-[var(--color-bg-1)] overflow-hidden shadow-sm">
 		<table class="w-full">
 			<thead>
-				<tr class="border-b border-[var(--color-border)]">
-					<th class="px-4 py-3 text-left text-label font-semibold uppercase tracking-[0.06em] text-[var(--color-text-tertiary)]">Host</th>
-					<th class="px-4 py-3 text-left text-label font-semibold uppercase tracking-[0.06em] text-[var(--color-text-tertiary)]">Status</th>
-					<th class="hidden px-4 py-3 md:table-cell text-left text-label font-semibold uppercase tracking-[0.06em] text-[var(--color-text-tertiary)]">Specs</th>
-					<th class="hidden px-4 py-3 lg:table-cell text-left text-label font-semibold uppercase tracking-[0.06em] text-[var(--color-text-tertiary)]">Last Heartbeat</th>
-					<th class="px-4 py-3"></th>
+				<tr class="border-b border-[var(--color-border)] bg-[var(--color-bg-0)]/40">
+					<th class="table-header">Host</th>
+					<th class="table-header">Status</th>
+					<th class="table-header hidden md:table-cell">Specs</th>
+					<th class="table-header hidden lg:table-cell">Last Heartbeat</th>
+					<th class="table-header w-20"></th>
 				</tr>
 			</thead>
 			<tbody>
 				{#each Array(5) as _, i}
-					<tr class="border-b border-[var(--color-border)] last:border-0" style="animation-delay: {i * 60}ms">
-						<td class="px-4 py-3.5">
+					<tr class="table-row-animate border-b border-[var(--color-border)] last:border-0" style="animation-delay: {i * 60}ms">
+						<td class="px-5 py-3.5">
 							<div class="skeleton mb-1.5 h-3 w-28 rounded"></div>
 							<div class="skeleton h-2.5 w-20 rounded"></div>
 						</td>
-						<td class="px-4 py-3.5">
+						<td class="px-5 py-3.5">
 							<div class="skeleton h-3 w-16 rounded-full"></div>
 						</td>
-						<td class="hidden px-4 py-3.5 md:table-cell">
+						<td class="hidden px-5 py-3.5 md:table-cell">
 							<div class="skeleton h-3 w-24 rounded"></div>
 						</td>
-						<td class="hidden px-4 py-3.5 lg:table-cell">
+						<td class="hidden px-5 py-3.5 lg:table-cell">
 							<div class="skeleton h-3 w-20 rounded"></div>
 						</td>
-						<td class="px-4 py-3.5 text-right">
+						<td class="px-5 py-3.5 text-right">
 							<div class="skeleton ml-auto h-6 w-14 rounded"></div>
 						</td>
 					</tr>
@@ -342,26 +346,28 @@
 	{#if hosts.length === 0}
 		{@render emptyState('platform')}
 	{:else}
-		<div class="rounded-[var(--radius-card)] border border-[var(--color-border)] bg-[var(--color-bg-1)] overflow-hidden">
+		<div class="rounded-[var(--radius-card)] border border-[var(--color-border)] bg-[var(--color-bg-1)] overflow-hidden shadow-sm">
 			<table class="w-full">
 				<thead>
-					<tr class="border-b border-[var(--color-border)]">
-						<th class="px-4 py-3 text-left text-label font-semibold uppercase tracking-[0.06em] text-[var(--color-text-tertiary)]">Host</th>
-						<th class="px-4 py-3 text-left text-label font-semibold uppercase tracking-[0.06em] text-[var(--color-text-tertiary)]">Status</th>
-						<th class="hidden px-4 py-3 text-left text-label font-semibold uppercase tracking-[0.06em] text-[var(--color-text-tertiary)] md:table-cell">Specs</th>
-						<th class="hidden px-4 py-3 text-left text-label font-semibold uppercase tracking-[0.06em] text-[var(--color-text-tertiary)] lg:table-cell">Last Heartbeat</th>
-						<th class="px-4 py-3"></th>
+					<tr class="border-b border-[var(--color-border)] bg-[var(--color-bg-0)]/40">
+						<th class="table-header">Host</th>
+						<th class="table-header">Status</th>
+						<th class="table-header hidden md:table-cell">Specs</th>
+						<th class="table-header hidden lg:table-cell">Last Heartbeat</th>
+						<th class="table-header w-20"></th>
 					</tr>
 				</thead>
 				<tbody>
-					{#each hosts as host (host.id)}
+					{#each hosts as host, i (host.id)}
 						<tr
-							class="row-entry border-b border-[var(--color-border)] last:border-0 transition-colors duration-200
+							class="table-row-animate border-b border-[var(--color-border)] last:border-0 transition-colors duration-200
 								{host.id === newHostId ? 'new-row' : ''}
-								{flashHostId === host.id ? 'bg-[var(--color-accent-glow)]' : 'hover:bg-[var(--color-bg-2)]'}"
+								{flashHostId === host.id ? 'bg-[var(--color-accent-glow)]' : 'hover:bg-[var(--color-bg-2)]'}
+								{host.status === 'online' ? 'host-row-online' : ''}"
+							style="animation-delay: {i * 30}ms"
 						>
-							<td class="px-4 py-3.5">
-								<div class="font-mono text-meta text-[var(--color-text-primary)]">{host.id}</div>
+							<td class="px-5 py-3.5">
+								<div class="font-mono text-ui font-medium text-[var(--color-text-bright)]">{host.id}</div>
 								{#if host.address}
 									<div class="mt-0.5 font-mono text-label text-[var(--color-text-muted)]">{host.address}</div>
 								{/if}
@@ -371,31 +377,31 @@
 									</div>
 								{/if}
 							</td>
-							<td class="px-4 py-3.5">
-								<span class="flex items-center gap-1.5 text-meta font-medium" style="color: {statusColor(host.status)}">
+							<td class="px-5 py-3.5">
+								<span class="flex items-center gap-2 text-meta font-semibold" style="color: {statusColor(host.status)}">
 									{#if host.status === 'online'}
-										<span class="relative flex h-1.5 w-1.5 shrink-0">
-											<span class="absolute inline-flex h-full w-full animate-ping rounded-full opacity-60" style="background: {statusColor(host.status)}"></span>
-											<span class="relative inline-flex h-1.5 w-1.5 rounded-full" style="background: {statusColor(host.status)}"></span>
+										<span class="relative flex h-2 w-2 shrink-0">
+											<span class="animate-status-ping absolute inline-flex h-full w-full rounded-full opacity-60" style="background: {statusColor(host.status)}"></span>
+											<span class="relative inline-flex h-2 w-2 rounded-full" style="background: {statusColor(host.status)}"></span>
 										</span>
 									{:else}
-										<span class="h-1.5 w-1.5 shrink-0 rounded-full" style="background: {statusColor(host.status)}"></span>
+										<span class="h-2 w-2 shrink-0 rounded-full" style="background: {statusColor(host.status)}"></span>
 									{/if}
 									{host.status}
 								</span>
 							</td>
-							<td class="hidden px-4 py-3.5 md:table-cell">
-								<span class="text-meta text-[var(--color-text-secondary)]">{formatSpecs(host)}</span>
+							<td class="hidden px-5 py-3.5 md:table-cell">
+								<span class="font-mono text-meta tabular-nums text-[var(--color-text-secondary)]">{formatSpecs(host)}</span>
 							</td>
-							<td class="hidden px-4 py-3.5 lg:table-cell">
+							<td class="hidden px-5 py-3.5 lg:table-cell">
 								<span class="text-meta text-[var(--color-text-muted)]" title={host.last_heartbeat_at ? formatDate(host.last_heartbeat_at) : undefined}>
 									{host.last_heartbeat_at ? timeAgo(host.last_heartbeat_at) : '—'}
 								</span>
 							</td>
-							<td class="px-4 py-3.5 text-right">
+							<td class="px-5 py-3.5 text-right">
 								<button
 									onclick={() => openDeleteConfirm(host)}
-									class="rounded-[var(--radius-button)] px-3 py-1.5 text-meta text-[var(--color-text-tertiary)] transition-colors duration-150 hover:bg-[var(--color-red)]/10 hover:text-[var(--color-red)]"
+									class="rounded-[var(--radius-button)] px-3 py-1.5 text-meta text-[var(--color-text-tertiary)] transition-all duration-150 hover:bg-[var(--color-red)]/10 hover:text-[var(--color-red)]"
 								>
 									Delete
 								</button>
@@ -409,18 +415,31 @@
 {/snippet}
 
 {#snippet emptyState(type: 'platform' | 'byoc')}
-	<div class="flex flex-col items-center justify-center py-24 text-center">
-		<div class="mb-5 flex h-16 w-16 items-center justify-center rounded-[var(--radius-card)] border border-[var(--color-border)] bg-[var(--color-bg-2)]">
-			<svg width="28" height="28" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.25" stroke-linecap="round" stroke-linejoin="round" class="text-[var(--color-text-muted)]"><rect x="2" y="2" width="20" height="8" rx="2"/><rect x="2" y="14" width="20" height="8" rx="2"/><line x1="6" y1="6" x2="6.01" y2="6"/><line x1="6" y1="18" x2="6.01" y2="18"/></svg>
+	<div class="flex flex-col items-center justify-center py-28 text-center">
+		<!-- Floating icon with glow ring -->
+		<div class="relative mb-7">
+			<div class="absolute -inset-3 rounded-2xl bg-[var(--color-accent-glow)] blur-xl"></div>
+			<div class="empty-icon-float relative flex h-18 w-18 items-center justify-center rounded-xl border border-[var(--color-border-mid)] bg-[var(--color-bg-2)] shadow-card">
+				<svg width="32" height="32" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.25" stroke-linecap="round" stroke-linejoin="round" class="text-[var(--color-accent-mid)]"><rect x="2" y="2" width="20" height="8" rx="2"/><rect x="2" y="14" width="20" height="8" rx="2"/><line x1="6" y1="6" x2="6.01" y2="6"/><line x1="6" y1="18" x2="6.01" y2="18"/></svg>
+			</div>
 		</div>
-		<p class="font-serif text-[1.125rem] leading-snug text-[var(--color-text-secondary)]">
-			{type === 'platform' ? 'No platform hosts yet.' : 'No BYOC hosts across any team.'}
+		<p class="font-serif text-heading leading-snug text-[var(--color-text-secondary)]">
+			{type === 'platform' ? 'No platform hosts yet' : 'No BYOC hosts across any team'}
 		</p>
-		<p class="mt-1.5 text-ui text-[var(--color-text-muted)]">
+		<p class="mt-2 max-w-[320px] text-ui text-[var(--color-text-muted)]">
 			{type === 'platform'
 				? 'Add a host to start scheduling capsules onto your own compute.'
 				: 'Teams that register their own compute will appear here.'}
 		</p>
+		{#if type === 'platform'}
+			<button
+				onclick={() => { showCreate = true; createError = null; createForm = { provider: '', availability_zone: '' }; }}
+				class="mt-6 flex items-center gap-2 rounded-[var(--radius-button)] border border-[var(--color-accent)]/30 bg-[var(--color-accent)]/10 px-4 py-2 text-ui font-medium text-[var(--color-accent-bright)] transition-all duration-200 hover:bg-[var(--color-accent)]/20 hover:border-[var(--color-accent)]/50"
+			>
+				<svg width="13" height="13" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2.5" stroke-linecap="round" stroke-linejoin="round"><line x1="12" y1="5" x2="12" y2="19"/><line x1="5" y1="12" x2="19" y2="12"/></svg>
+				Add your first host
+			</button>
+		{/if}
 	</div>
 {/snippet}
 
@@ -435,10 +454,14 @@
 			onkeydown={(e) => { if (e.key === 'Escape' && !creating) showCreate = false; }}
 		></div>
 		<div
-			class="relative w-full max-w-[420px] rounded-[var(--radius-card)] border border-[var(--color-border-mid)] bg-[var(--color-bg-2)] p-6 shadow-xl"
+			class="relative w-full max-w-[420px] rounded-[var(--radius-card)] border border-[var(--color-border-mid)] bg-[var(--color-bg-2)] shadow-dialog"
 			style="animation: fadeUp 0.18s cubic-bezier(0.25,1,0.5,1) both"
 		>
-			<h2 class="font-serif text-[1.375rem] leading-tight tracking-[-0.02em] text-[var(--color-text-bright)]">
+			<!-- Top accent edge -->
+			<div class="h-[2px] rounded-t-[var(--radius-card)] bg-gradient-to-r from-transparent via-[var(--color-accent)] to-transparent"></div>
+
+			<div class="p-6">
+			<h2 class="font-serif text-heading leading-tight text-[var(--color-text-bright)]">
 				Add Platform Host
 			</h2>
 			<p class="mt-1.5 text-ui text-[var(--color-text-tertiary)]">
@@ -491,7 +514,7 @@
 				<button
 					onclick={handleCreatePlatform}
 					disabled={creating}
-					class="flex items-center gap-2 rounded-[var(--radius-button)] bg-[var(--color-accent)] px-5 py-2 text-ui font-semibold text-white transition-all duration-150 hover:brightness-115 hover:-translate-y-px active:translate-y-0 disabled:opacity-50 disabled:hover:translate-y-0"
+					class="group flex items-center gap-2 rounded-[var(--radius-button)] bg-[var(--color-accent)] px-5 py-2.5 text-ui font-semibold text-white transition-all duration-200 hover:shadow-[0_0_20px_var(--color-accent-glow-mid)] hover:brightness-115 hover:-translate-y-px active:translate-y-0 disabled:opacity-50 disabled:hover:translate-y-0 disabled:hover:shadow-none"
 				>
 					{#if creating}
 						<svg class="animate-spin" width="13" height="13" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><path d="M21 12a9 9 0 1 1-6.219-8.56"/></svg>
@@ -501,6 +524,7 @@
 					{/if}
 				</button>
 			</div>
+			</div>
 		</div>
 	</div>
 {/if}
@@ -510,11 +534,15 @@
 	<div class="fixed inset-0 z-50 flex items-center justify-center">
 		<div class="absolute inset-0 bg-black/60"></div>
 		<div
-			class="relative w-full max-w-[500px] rounded-[var(--radius-card)] border border-[var(--color-border-mid)] bg-[var(--color-bg-2)] p-6 shadow-xl"
+			class="relative w-full max-w-[500px] rounded-[var(--radius-card)] border border-[var(--color-border-mid)] bg-[var(--color-bg-2)] shadow-dialog"
 			style="animation: fadeUp 0.18s cubic-bezier(0.25,1,0.5,1) both"
 		>
+			<!-- Success accent edge -->
+			<div class="h-[2px] rounded-t-[var(--radius-card)] bg-gradient-to-r from-transparent via-[var(--color-accent-bright)] to-transparent"></div>
+
+			<div class="p-6">
 			<!-- Animated checkmark -->
-			<div class="mb-5 flex h-12 w-12 items-center justify-center rounded-full bg-[var(--color-accent-glow)]">
+			<div class="mb-5 flex h-12 w-12 items-center justify-center rounded-full bg-[var(--color-accent-glow-mid)]">
 				<svg width="22" height="22" viewBox="0 0 24 24" fill="none" stroke="var(--color-accent-bright)" stroke-width="2.5" stroke-linecap="round" stroke-linejoin="round">
 					<polyline
 						points="20 6 9 17 4 12"
@@ -524,7 +552,7 @@
 				</svg>
 			</div>
 
-			<h2 class="font-serif text-[1.375rem] leading-tight tracking-[-0.02em] text-[var(--color-text-bright)]">
+			<h2 class="font-serif text-heading leading-tight text-[var(--color-text-bright)]">
 				Host registered
 			</h2>
 			<p class="mt-1.5 text-ui text-[var(--color-text-tertiary)]">
@@ -558,11 +586,12 @@
 			<div class="mt-6">
 				<button
 					onclick={closeTokenReveal}
-					class="w-full rounded-[var(--radius-button)] bg-[var(--color-bg-4)] px-4 py-2.5 text-ui font-medium text-[var(--color-text-primary)] transition-colors duration-150 hover:bg-[var(--color-bg-5)]"
+					class="w-full rounded-[var(--radius-button)] bg-[var(--color-bg-4)] px-4 py-2.5 text-ui font-medium text-[var(--color-text-primary)] transition-all duration-150 hover:bg-[var(--color-bg-5)]"
 				>
 					Done
 				</button>
 			</div>
+			</div>
 		</div>
 	</div>
 {/if}
@@ -578,10 +607,14 @@
 			onkeydown={(e) => { if (e.key === 'Escape' && !deleting) deleteTarget = null; }}
 		></div>
 		<div
-			class="relative w-full max-w-[420px] rounded-[var(--radius-card)] border border-[var(--color-border-mid)] bg-[var(--color-bg-2)] p-6 shadow-xl"
+			class="relative w-full max-w-[420px] rounded-[var(--radius-card)] border border-[var(--color-border-mid)] bg-[var(--color-bg-2)] shadow-dialog"
 			style="animation: fadeUp 0.18s cubic-bezier(0.25,1,0.5,1) both"
 		>
-			<h2 class="font-serif text-[1.375rem] leading-tight tracking-[-0.02em] text-[var(--color-text-bright)]">
+			<!-- Danger accent edge -->
+			<div class="h-[2px] rounded-t-[var(--radius-card)] bg-gradient-to-r from-transparent via-[var(--color-red)] to-transparent"></div>
+
+			<div class="p-6">
+			<h2 class="font-serif text-heading leading-tight text-[var(--color-text-bright)]">
 				Delete Host
 			</h2>
 			<p class="mt-1.5 text-ui text-[var(--color-text-tertiary)]">
@@ -593,10 +626,10 @@
 					<svg class="animate-spin" width="13" height="13" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><path d="M21 12a9 9 0 1 1-6.219-8.56"/></svg>
 					Checking active capsules…
 				</div>
-			{:else if deletePreviewSandboxes.length > 0}
+			{:else if deletePreviewCapsules.length > 0}
 				<div class="mt-4 rounded-[var(--radius-input)] border border-[var(--color-amber)]/30 bg-[var(--color-amber)]/6 px-3 py-2.5">
 					<p class="text-meta font-semibold text-[var(--color-amber)]">
-						{deletePreviewSandboxes.length} active capsule{deletePreviewSandboxes.length === 1 ? '' : 's'} will be destroyed.
+						{deletePreviewCapsules.length} active capsule{deletePreviewCapsules.length === 1 ? '' : 's'} will be destroyed.
 					</p>
 					<p class="mt-0.5 text-meta text-[var(--color-amber)]/70">
 						All running workloads on this host will be terminated immediately.
@@ -621,16 +654,17 @@
 				<button
 					onclick={handleDelete}
 					disabled={deleting || deletePreviewLoading}
-					class="flex items-center gap-2 rounded-[var(--radius-button)] bg-[var(--color-red)] px-5 py-2 text-ui font-semibold text-white transition-all duration-150 hover:brightness-110 disabled:opacity-50"
+					class="flex items-center gap-2 rounded-[var(--radius-button)] bg-[var(--color-red)] px-5 py-2.5 text-ui font-semibold text-white transition-all duration-200 hover:shadow-[0_0_16px_rgba(207,129,114,0.25)] hover:brightness-110 disabled:opacity-50"
 				>
 					{#if deleting}
 						<svg class="animate-spin" width="13" height="13" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><path d="M21 12a9 9 0 1 1-6.219-8.56"/></svg>
 						Deleting…
 					{:else}
-						{deletePreviewSandboxes.length > 0 ? 'Force Delete' : 'Delete'}
+						{deletePreviewCapsules.length > 0 ? 'Force Delete' : 'Delete'}
 					{/if}
 				</button>
 			</div>
+			</div>
 		</div>
 	</div>
 {/if}
@@ -676,4 +710,54 @@
 	.checkmark-drawn {
 		stroke-dashoffset: 0;
 	}
+
+	/* Stat pill — shared base */
+	.stat-pill {
+		display: flex;
+		align-items: baseline;
+		gap: 6px;
+		border-radius: var(--radius-button);
+		border-width: 1px;
+		padding: 6px 12px;
+		transition: transform 0.15s ease, box-shadow 0.15s ease;
+	}
+	.stat-pill:hover {
+		transform: translateY(-1px);
+		box-shadow: 0 2px 8px rgba(0, 0, 0, 0.25);
+	}
+
+	/* Table header */
+	.table-header {
+		padding: 10px 20px;
+		text-align: left;
+		font-size: var(--text-label);
+		font-weight: 600;
+		text-transform: uppercase;
+		letter-spacing: 0.06em;
+		color: var(--color-text-tertiary);
+	}
+
+	/* Staggered row entrance */
+	.table-row-animate {
+		animation: fadeUp 0.25s ease both;
+	}
+
+	/* Tab button */
+	.tab-button {
+		position: relative;
+		padding: 14px 20px 14px 0;
+		font-size: var(--text-ui);
+		transition: color 0.15s ease;
+		cursor: pointer;
+	}
+
+	/* Online host row — subtle left accent */
+	.host-row-online {
+		box-shadow: inset 3px 0 0 var(--color-accent);
+	}
+
+	/* Empty state icon float */
+	.empty-icon-float {
+		animation: iconFloat 3s ease-in-out infinite;
+	}
 </style>
diff --git a/frontend/src/routes/admin/teams/+page.svelte b/frontend/src/routes/admin/teams/+page.svelte
new file mode 100644
index 0000000..90a8db2
--- /dev/null
+++ b/frontend/src/routes/admin/teams/+page.svelte
@@ -0,0 +1,498 @@
+<script lang="ts">
+	import { onMount } from 'svelte';
+	import { toast } from '$lib/toast.svelte';
+	import { formatDate } from '$lib/utils/format';
+	import {
+		listAdminTeams,
+		adminSetBYOC,
+		adminDeleteTeam,
+		type AdminTeam,
+		type AdminTeamsResponse
+	} from '$lib/api/team';
+
+	// Data state
+	let teams = $state<AdminTeam[]>([]);
+	let loading = $state(true);
+	let error = $state<string | null>(null);
+	let currentPage = $state(1);
+	let totalPages = $state(1);
+	let totalTeams = $state(0);
+
+	// Delete state
+	let deleteTarget = $state<AdminTeam | null>(null);
+	let deleting = $state(false);
+	let deleteError = $state<string | null>(null);
+
+	// BYOC toggle state
+	let byocTarget = $state<AdminTeam | null>(null);
+	let enablingByoc = $state(false);
+	let byocError = $state<string | null>(null);
+
+	// Animation
+	let initialAnimationDone = $state(false);
+
+	// Stats
+	let byocCount = $derived(teams.filter((t) => t.is_byoc).length);
+	let totalActiveSandboxes = $derived(teams.reduce((sum, t) => sum + t.active_sandbox_count, 0));
+
+	async function fetchTeams(page: number = 1) {
+		const wasEmpty = teams.length === 0;
+		if (wasEmpty) loading = true;
+		error = null;
+
+		const result = await listAdminTeams(page);
+		if (result.ok) {
+			teams = result.data.teams;
+			currentPage = result.data.page;
+			totalPages = result.data.total_pages;
+			totalTeams = result.data.total;
+		} else {
+			error = result.error;
+		}
+		loading = false;
+
+		if (!initialAnimationDone) {
+			setTimeout(() => { initialAnimationDone = true; }, 400 + (teams.length * 30));
+		}
+	}
+
+	async function handleEnableBYOC() {
+		if (!byocTarget) return;
+		enablingByoc = true;
+		byocError = null;
+
+		const result = await adminSetBYOC(byocTarget.id, true);
+		if (result.ok) {
+			byocTarget.is_byoc = true;
+			toast.success(`BYOC enabled for ${byocTarget.name}`);
+			byocTarget = null;
+		} else {
+			byocError = result.error;
+		}
+		enablingByoc = false;
+	}
+
+	async function handleDelete() {
+		if (!deleteTarget) return;
+		deleting = true;
+		deleteError = null;
+		const name = deleteTarget.name;
+		const result = await adminDeleteTeam(deleteTarget.id);
+		if (result.ok) {
+			teams = teams.filter((t) => t.id !== deleteTarget!.id);
+			totalTeams--;
+			deleteTarget = null;
+			toast.success(`Team "${name}" deleted`);
+		} else {
+			deleteError = result.error;
+		}
+		deleting = false;
+	}
+
+	function goToPage(page: number) {
+		if (page < 1 || page > totalPages) return;
+		fetchTeams(page);
+	}
+
+	onMount(() => {
+		fetchTeams();
+	});
+</script>
+
+<svelte:head>
+	<title>Wrenn Admin — Teams</title>
+</svelte:head>
+
+<style>
+	.team-grid {
+		display: grid;
+		grid-template-columns: 1.4fr 0.5fr 1.4fr 0.6fr 0.6fr 0.5fr 1fr 0.5fr;
+	}
+
+	.stat-pill {
+		display: flex;
+		align-items: baseline;
+		gap: 6px;
+		border-radius: var(--radius-button);
+		border-width: 1px;
+		padding: 6px 12px;
+		transition: transform 0.15s ease, box-shadow 0.15s ease;
+	}
+	.stat-pill:hover {
+		transform: translateY(-1px);
+		box-shadow: 0 2px 8px rgba(0, 0, 0, 0.25);
+	}
+
+	.row-stripe {
+		transform: scaleY(0);
+		transform-origin: center;
+		transition: transform 0.18s cubic-bezier(0.25, 1, 0.5, 1);
+	}
+	.team-row:hover .row-stripe {
+		transform: scaleY(1);
+	}
+
+	@keyframes fadeUp {
+		from { opacity: 0; transform: translateY(10px); }
+		to { opacity: 1; transform: translateY(0); }
+	}
+</style>
+
+<main class="flex min-w-0 flex-1 flex-col overflow-hidden">
+	<!-- Header -->
+		<header class="relative shrink-0 border-b border-[var(--color-border)] bg-[var(--color-bg-1)]">
+			<div class="absolute inset-0 bg-gradient-to-b from-[var(--color-accent)]/[0.02] to-transparent pointer-events-none"></div>
+
+			<div class="relative flex items-start justify-between px-8 pt-7 pb-5">
+				<div>
+					<h1 class="font-serif text-page leading-none text-[var(--color-text-bright)]">
+						Teams
+					</h1>
+					<p class="mt-2 text-ui text-[var(--color-text-tertiary)]">
+						All registered teams, BYOC status, and active capsules.
+					</p>
+				</div>
+			</div>
+
+			<!-- Stat strip -->
+			{#if !loading && !error}
+				<div class="relative flex items-center gap-3 px-8 pb-5">
+					<div class="stat-pill border-[var(--color-border)] bg-[var(--color-bg-2)]">
+						<span class="font-mono text-body font-bold tabular-nums text-[var(--color-text-bright)]">{totalTeams}</span>
+						<span class="text-label text-[var(--color-text-muted)]">team{totalTeams !== 1 ? 's' : ''}</span>
+					</div>
+					{#if byocCount > 0}
+						<div class="stat-pill border-[var(--color-accent)]/25 bg-[var(--color-accent)]/8">
+							<span class="font-mono text-body font-bold tabular-nums text-[var(--color-accent-bright)]">{byocCount}</span>
+							<span class="text-label text-[var(--color-accent-bright)]/70">BYOC</span>
+						</div>
+					{/if}
+					{#if totalActiveSandboxes > 0}
+						<div class="stat-pill border-[var(--color-accent)]/25 bg-[var(--color-accent)]/8 gap-2">
+							<span class="relative flex h-2 w-2 shrink-0">
+								<span class="animate-status-ping absolute inline-flex h-full w-full rounded-full bg-[var(--color-accent)] opacity-60"></span>
+								<span class="relative inline-flex h-2 w-2 rounded-full bg-[var(--color-accent)]"></span>
+							</span>
+							<span class="font-mono text-body font-bold tabular-nums text-[var(--color-accent-bright)]">{totalActiveSandboxes}</span>
+							<span class="text-label text-[var(--color-accent-bright)]/70">active</span>
+						</div>
+					{/if}
+				</div>
+			{/if}
+		</header>
+
+		<!-- Content -->
+		<div class="flex-1 overflow-y-auto px-8 py-6" style="animation: fadeUp 0.35s ease both">
+			{#if error}
+				<div class="mb-4 flex items-start gap-3 rounded-[var(--radius-card)] border border-[var(--color-red)]/30 bg-[var(--color-red)]/5 px-4 py-3">
+					<svg class="mt-0.5 shrink-0 text-[var(--color-red)]" width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
+						<circle cx="12" cy="12" r="10" /><line x1="12" y1="8" x2="12" y2="12" /><line x1="12" y1="16" x2="12.01" y2="16" />
+					</svg>
+					<span class="text-ui text-[var(--color-red)]">{error}. Try refreshing the page.</span>
+				</div>
+			{/if}
+
+			<!-- Table -->
+			<div class="rounded-[var(--radius-card)] border border-[var(--color-border)] overflow-hidden">
+				<!-- Header row -->
+				<div class="team-grid rounded-t-[var(--radius-card)] border-b border-[var(--color-border)] bg-[var(--color-bg-3)]">
+					<div class="px-5 py-3 text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-muted)]">Name</div>
+					<div class="px-5 py-3 text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-muted)]">Members</div>
+					<div class="px-5 py-3 text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-muted)]">Owner</div>
+					<div class="px-5 py-3 text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-muted)]">BYOC</div>
+					<div class="px-5 py-3 text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-muted)]">Capsules</div>
+					<div class="px-5 py-3 text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-muted)]">Channels</div>
+					<div class="px-5 py-3 text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-muted)]">Created</div>
+					<div class="px-5 py-3 text-right text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-muted)]">Actions</div>
+				</div>
+
+				{#if loading && teams.length === 0}
+					<div class="flex items-center justify-center py-16">
+						<div class="flex items-center gap-3 text-ui text-[var(--color-text-secondary)]">
+							<svg class="animate-spin" width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2">
+								<path d="M21 12a9 9 0 1 1-6.219-8.56" />
+							</svg>
+							Loading teams...
+						</div>
+					</div>
+				{:else if teams.length === 0}
+					<div class="flex flex-col items-center justify-center py-[72px]">
+						<div class="relative mb-5">
+							<div class="absolute inset-0 -m-4 rounded-full" style="background: radial-gradient(circle, rgba(94,140,88,0.08) 0%, transparent 70%)"></div>
+							<div class="relative flex h-14 w-14 items-center justify-center rounded-[var(--radius-card)] border border-[var(--color-accent)]/20 bg-[var(--color-bg-3)]">
+								<svg width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="var(--color-accent-mid)" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round">
+									<path d="M17 21v-2a4 4 0 0 0-4-4H5a4 4 0 0 0-4 4v2" /><circle cx="9" cy="7" r="4" /><path d="M23 21v-2a4 4 0 0 0-3-3.87" /><path d="M16 3.13a4 4 0 0 1 0 7.75" />
+								</svg>
+							</div>
+						</div>
+						<p class="font-serif text-heading text-[var(--color-text-bright)]">
+							No teams yet
+						</p>
+						<p class="mt-1.5 text-ui text-[var(--color-text-tertiary)]">
+							Teams are created when users sign up.
+						</p>
+					</div>
+				{:else}
+					{#each teams as team, i (team.id)}
+						{@const isDeleted = !!team.deleted_at}
+						<div
+							class="team-row team-grid relative items-center overflow-hidden border-b border-[var(--color-border)] transition-colors duration-150 last:border-b-0 {isDeleted ? 'opacity-50' : 'hover:bg-[var(--color-bg-3)]'}"
+							style={initialAnimationDone ? '' : `animation: fadeUp 0.35s ease both; animation-delay: ${i * 30}ms`}
+						>
+							<!-- Left accent stripe -->
+							{#if !isDeleted}
+								<div class="row-stripe pointer-events-none absolute left-0 top-0 h-full w-0.5 bg-[var(--color-accent)]"></div>
+							{/if}
+
+							<!-- Name -->
+							<div class="min-w-0 px-5 py-4">
+								<div class="flex items-center gap-2">
+									<span class="block truncate text-ui font-medium text-[var(--color-text-bright)]">{team.name}</span>
+									{#if isDeleted}
+										<span class="inline-flex shrink-0 items-center rounded-full border border-[var(--color-red)]/30 bg-[var(--color-red)]/10 px-2 py-0.5 text-[10px] font-semibold uppercase tracking-[0.05em] text-[var(--color-red)]">
+											Deleted
+										</span>
+									{/if}
+								</div>
+								<span class="block truncate font-mono text-label text-[var(--color-text-muted)]">{team.slug}</span>
+							</div>
+
+							<!-- Members -->
+							<div class="px-5 py-4">
+								<span class="font-mono text-ui text-[var(--color-text-secondary)]">{team.member_count}</span>
+							</div>
+
+							<!-- Owner -->
+							<div class="min-w-0 px-5 py-4">
+								{#if team.owner_name || team.owner_email}
+									<span class="block truncate text-ui text-[var(--color-text-secondary)]">{team.owner_name || '\u2014'}</span>
+									<span class="block truncate font-mono text-label text-[var(--color-text-muted)]">{team.owner_email}</span>
+								{:else}
+									<span class="text-ui text-[var(--color-text-muted)]">&mdash;</span>
+								{/if}
+							</div>
+
+							<!-- BYOC -->
+							<div class="px-5 py-4">
+								{#if team.is_byoc}
+									<span class="inline-flex items-center gap-1.5 rounded-full border border-[var(--color-accent)]/30 bg-[var(--color-accent)]/10 px-2.5 py-1 text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-accent-bright)]">
+										Enabled
+									</span>
+								{:else if !isDeleted}
+									<button
+										onclick={() => { byocTarget = team; byocError = null; }}
+										class="inline-flex items-center gap-1.5 rounded-full border border-[var(--color-border)] bg-transparent px-2.5 py-1 text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-muted)] transition-all duration-150 hover:border-[var(--color-accent)]/40 hover:text-[var(--color-accent-mid)]"
+									>
+										Enable
+									</button>
+								{:else}
+									<span class="text-ui text-[var(--color-text-muted)]">&mdash;</span>
+								{/if}
+							</div>
+
+							<!-- Capsules -->
+							<div class="px-5 py-4">
+								{#if team.active_sandbox_count > 0}
+									<span class="flex items-center gap-1.5">
+										<span class="relative flex h-[6px] w-[6px] shrink-0">
+											<span class="animate-status-ping absolute inline-flex h-full w-full rounded-full bg-[var(--color-accent)]"></span>
+											<span class="relative inline-flex h-[6px] w-[6px] rounded-full bg-[var(--color-accent)]"></span>
+										</span>
+										<span class="font-mono text-ui text-[var(--color-accent-bright)]">{team.active_sandbox_count}</span>
+									</span>
+								{:else}
+									<span class="font-mono text-ui text-[var(--color-text-muted)]">0</span>
+								{/if}
+							</div>
+
+							<!-- Channels -->
+							<div class="px-5 py-4">
+								<span class="font-mono text-ui text-[var(--color-text-secondary)]">{team.channel_count}</span>
+							</div>
+
+							<!-- Created -->
+							<div class="px-5 py-4">
+								<span class="text-ui text-[var(--color-text-secondary)]">{formatDate(team.created_at)}</span>
+							</div>
+
+							<!-- Actions -->
+							<div class="flex items-center justify-end px-5 py-4">
+								{#if !isDeleted}
+									<button
+										onclick={() => { deleteTarget = team; deleteError = null; }}
+										class="rounded-[var(--radius-button)] border border-[var(--color-red)]/30 bg-[var(--color-red)]/8 px-3 py-1.5 text-meta font-medium text-[var(--color-red)] transition-all duration-150 hover:bg-[var(--color-red)]/15 hover:border-[var(--color-red)]/50"
+									>
+										Delete
+									</button>
+								{/if}
+							</div>
+						</div>
+					{/each}
+				{/if}
+			</div>
+
+			<!-- Pagination -->
+			{#if totalPages > 1}
+				<div class="mt-4 flex items-center justify-between">
+					<span class="text-ui text-[var(--color-text-tertiary)]">
+						Page <span class="font-mono text-[var(--color-text-secondary)]">{currentPage}</span> of <span class="font-mono text-[var(--color-text-secondary)]">{totalPages}</span>
+					</span>
+					<div class="flex items-center gap-2">
+						<button
+							onclick={() => goToPage(currentPage - 1)}
+							disabled={currentPage <= 1}
+							class="flex items-center gap-1.5 rounded-[var(--radius-button)] border border-[var(--color-border)] px-3 py-1.5 text-ui text-[var(--color-text-secondary)] transition-colors duration-150 hover:border-[var(--color-border-mid)] hover:text-[var(--color-text-primary)] disabled:opacity-40 disabled:hover:border-[var(--color-border)] disabled:hover:text-[var(--color-text-secondary)]"
+						>
+							<svg width="12" height="12" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><polyline points="15 18 9 12 15 6"/></svg>
+							Previous
+						</button>
+						<button
+							onclick={() => goToPage(currentPage + 1)}
+							disabled={currentPage >= totalPages}
+							class="flex items-center gap-1.5 rounded-[var(--radius-button)] border border-[var(--color-border)] px-3 py-1.5 text-ui text-[var(--color-text-secondary)] transition-colors duration-150 hover:border-[var(--color-border-mid)] hover:text-[var(--color-text-primary)] disabled:opacity-40 disabled:hover:border-[var(--color-border)] disabled:hover:text-[var(--color-text-secondary)]"
+						>
+							Next
+							<svg width="12" height="12" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><polyline points="9 18 15 12 9 6"/></svg>
+						</button>
+					</div>
+				</div>
+			{/if}
+		</div>
+
+		<!-- Status bar -->
+		<footer class="flex h-7 shrink-0 items-center justify-end border-t border-[var(--color-border)] bg-[var(--color-bg-1)] px-7">
+			<div class="flex items-center gap-1.5">
+				<span class="relative flex h-[5px] w-[5px]">
+					<span class="animate-status-ping absolute inline-flex h-full w-full rounded-full bg-[var(--color-accent)]"></span>
+					<span class="relative inline-flex h-[5px] w-[5px] rounded-full bg-[var(--color-accent)]"></span>
+				</span>
+				<span class="font-mono text-label uppercase tracking-[0.04em] text-[var(--color-text-secondary)]">All systems operational</span>
+			</div>
+		</footer>
+</main>
+
+<!-- BYOC confirmation dialog -->
+{#if byocTarget}
+	<div class="fixed inset-0 z-50 flex items-center justify-center">
+		<!-- svelte-ignore a11y_no_static_element_interactions -->
+		<div
+			class="absolute inset-0 bg-black/60"
+			onclick={() => { if (!enablingByoc) byocTarget = null; }}
+			onkeydown={(e) => { if (e.key === 'Escape' && !enablingByoc) byocTarget = null; }}
+		></div>
+		<div
+			class="relative w-full max-w-[420px] rounded-[var(--radius-card)] border border-[var(--color-border-mid)] bg-[var(--color-bg-2)]"
+			style="animation: fadeUp 0.2s ease both; box-shadow: var(--shadow-dialog)"
+		>
+			<div class="p-6">
+				<h2 class="font-serif text-heading leading-tight text-[var(--color-text-bright)]">
+					Enable BYOC
+				</h2>
+				<p class="mt-1.5 text-ui text-[var(--color-text-tertiary)]">
+					Allow <code class="rounded bg-[var(--color-bg-4)] px-1.5 py-0.5 font-mono text-[0.8rem] text-[var(--color-text-primary)]">{byocTarget.name}</code> to register and run capsules on their own hosts.
+				</p>
+
+				<div class="mt-3 flex items-start gap-2.5 rounded-[var(--radius-input)] border border-[var(--color-amber)]/30 bg-[var(--color-amber)]/5 px-3 py-2.5">
+					<svg class="mt-0.5 shrink-0 text-[var(--color-amber)]" width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
+						<path d="M10.29 3.86L1.82 18a2 2 0 0 0 1.71 3h16.94a2 2 0 0 0 1.71-3L13.71 3.86a2 2 0 0 0-3.42 0z" /><line x1="12" y1="9" x2="12" y2="13" /><line x1="12" y1="17" x2="12.01" y2="17" />
+					</svg>
+					<span class="text-meta text-[var(--color-amber)]">
+						BYOC cannot be disabled once enabled.
+					</span>
+				</div>
+
+				{#if byocError}
+					<div class="mt-3 rounded-[var(--radius-input)] border border-[var(--color-red)]/30 bg-[var(--color-red)]/5 px-3 py-2 text-meta text-[var(--color-red)]">
+						{byocError}
+					</div>
+				{/if}
+
+				<div class="mt-6 flex justify-end gap-3">
+					<button
+						onclick={() => (byocTarget = null)}
+						disabled={enablingByoc}
+						class="rounded-[var(--radius-button)] border border-[var(--color-border)] px-4 py-2 text-ui text-[var(--color-text-secondary)] transition-colors duration-150 hover:border-[var(--color-border-mid)] hover:text-[var(--color-text-primary)] disabled:opacity-50"
+					>
+						Cancel
+					</button>
+					<button
+						onclick={handleEnableBYOC}
+						disabled={enablingByoc}
+						class="flex items-center gap-2 rounded-[var(--radius-button)] bg-[var(--color-accent)] px-5 py-2 text-ui font-semibold text-white transition-all duration-150 hover:brightness-110 hover:-translate-y-px active:translate-y-0 disabled:opacity-50 disabled:hover:translate-y-0"
+					>
+						{#if enablingByoc}
+							<svg class="animate-spin" width="13" height="13" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><path d="M21 12a9 9 0 1 1-6.219-8.56"/></svg>
+							Enabling...
+						{:else}
+							Enable BYOC
+						{/if}
+					</button>
+				</div>
+			</div>
+		</div>
+	</div>
+{/if}
+
+<!-- Delete confirmation dialog -->
+{#if deleteTarget}
+	<div class="fixed inset-0 z-50 flex items-center justify-center">
+		<!-- svelte-ignore a11y_no_static_element_interactions -->
+		<div
+			class="absolute inset-0 bg-black/60"
+			onclick={() => { if (!deleting) deleteTarget = null; }}
+			onkeydown={(e) => { if (e.key === 'Escape' && !deleting) deleteTarget = null; }}
+		></div>
+		<div
+			class="relative w-full max-w-[420px] rounded-[var(--radius-card)] border border-[var(--color-border-mid)] bg-[var(--color-bg-2)]"
+			style="animation: fadeUp 0.2s ease both; box-shadow: var(--shadow-dialog)"
+		>
+			<div class="p-6">
+				<h2 class="font-serif text-heading leading-tight text-[var(--color-text-bright)]">
+					Delete Team
+				</h2>
+				<p class="mt-1.5 text-ui text-[var(--color-text-tertiary)]">
+					Remove <code class="rounded bg-[var(--color-bg-4)] px-1.5 py-0.5 font-mono text-[0.8rem] text-[var(--color-text-primary)]">{deleteTarget.name}</code> and stop all its running capsules. Members will lose access immediately.
+				</p>
+
+				{#if deleteTarget.active_sandbox_count > 0}
+					<div class="mt-3 flex items-start gap-2.5 rounded-[var(--radius-input)] border border-[var(--color-amber)]/30 bg-[var(--color-amber)]/5 px-3 py-2.5">
+						<svg class="mt-0.5 shrink-0 text-[var(--color-amber)]" width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
+							<path d="M10.29 3.86L1.82 18a2 2 0 0 0 1.71 3h16.94a2 2 0 0 0 1.71-3L13.71 3.86a2 2 0 0 0-3.42 0z" /><line x1="12" y1="9" x2="12" y2="13" /><line x1="12" y1="17" x2="12.01" y2="17" />
+						</svg>
+						<span class="text-meta text-[var(--color-amber)]">
+							<strong class="font-semibold">{deleteTarget.active_sandbox_count}</strong> active capsule{deleteTarget.active_sandbox_count !== 1 ? 's' : ''} will be destroyed immediately.
+						</span>
+					</div>
+				{/if}
+
+				{#if deleteError}
+					<div class="mt-3 rounded-[var(--radius-input)] border border-[var(--color-red)]/30 bg-[var(--color-red)]/5 px-3 py-2 text-meta text-[var(--color-red)]">
+						{deleteError}
+					</div>
+				{/if}
+
+				<div class="mt-6 flex justify-end gap-3">
+					<button
+						onclick={() => (deleteTarget = null)}
+						disabled={deleting}
+						class="rounded-[var(--radius-button)] border border-[var(--color-border)] px-4 py-2 text-ui text-[var(--color-text-secondary)] transition-colors duration-150 hover:border-[var(--color-border-mid)] hover:text-[var(--color-text-primary)] disabled:opacity-50"
+					>
+						Cancel
+					</button>
+					<button
+						onclick={handleDelete}
+						disabled={deleting}
+						class="flex items-center gap-2 rounded-[var(--radius-button)] bg-[var(--color-red)] px-5 py-2 text-ui font-semibold text-white transition-all duration-150 hover:brightness-110 hover:-translate-y-px active:translate-y-0 disabled:opacity-50 disabled:hover:translate-y-0"
+					>
+						{#if deleting}
+							<svg class="animate-spin" width="13" height="13" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><path d="M21 12a9 9 0 1 1-6.219-8.56"/></svg>
+							Deleting...
+						{:else}
+							Delete team
+						{/if}
+					</button>
+				</div>
+			</div>
+		</div>
+	</div>
+{/if}
diff --git a/frontend/src/routes/admin/templates/+page.svelte b/frontend/src/routes/admin/templates/+page.svelte
index 4619e7b..ae678ed 100644
--- a/frontend/src/routes/admin/templates/+page.svelte
+++ b/frontend/src/routes/admin/templates/+page.svelte
@@ -1,5 +1,5 @@
 <script lang="ts">
-	import AdminSidebar from '$lib/components/AdminSidebar.svelte';
+	import CopyButton from '$lib/components/CopyButton.svelte';
 	import { onMount, onDestroy } from 'svelte';
 	import { toast } from '$lib/toast.svelte';
 	import { formatDate, timeAgo } from '$lib/utils/format';
@@ -14,12 +14,6 @@
 		type AdminTemplate
 	} from '$lib/api/builds';
 
-	let collapsed = $state(
-		typeof window !== 'undefined'
-			? localStorage.getItem('wrenn_sidebar_collapsed') === 'true'
-			: false
-	);
-
 	let activeTab = $state<'templates' | 'builds'>('templates');
 
 	// Templates state
@@ -35,6 +29,7 @@
 	// Polling
 	let pollInterval: ReturnType<typeof setInterval> | null = null;
 	let hasActiveBuilds = $derived(builds.some((b) => b.status === 'pending' || b.status === 'running'));
+	let visibilityHandler: (() => void) | null = null;
 
 	// Build log expansion
 	let expandedBuildId = $state<string | null>(null);
@@ -54,7 +49,8 @@
 		memory_mb: 512,
 		recipe: '',
 		healthcheck: '',
-		skip_pre_post: false
+		skip_pre_post: false,
+		archive: null as File | null
 	});
 	let creating = $state(false);
 	let createError = $state<string | null>(null);
@@ -96,7 +92,7 @@
 	function startPolling() {
 		stopPolling();
 		pollInterval = setInterval(() => {
-			if (hasActiveBuilds) fetchBuilds();
+			if (hasActiveBuilds && activeTab === 'builds') fetchBuilds();
 		}, 3000);
 	}
 
@@ -129,12 +125,13 @@
 			healthcheck: createForm.healthcheck.trim() || undefined,
 			vcpus: createForm.vcpus,
 			memory_mb: createForm.memory_mb,
-			skip_pre_post: createForm.skip_pre_post
+			skip_pre_post: createForm.skip_pre_post,
+			archive: createForm.archive || undefined
 		});
 
 		if (result.ok) {
 			showCreate = false;
-			createForm = { name: '', base_template: 'minimal', vcpus: 1, memory_mb: 512, recipe: '', healthcheck: '', skip_pre_post: false };
+			createForm = { name: '', base_template: 'minimal', vcpus: 1, memory_mb: 512, recipe: '', healthcheck: '', skip_pre_post: false, archive: null };
 			builds = [result.data, ...builds];
 			activeTab = 'builds';
 			expandedBuildId = result.data.id;
@@ -233,6 +230,8 @@
 			case 'RUN':     return 'var(--color-blue)';
 			case 'START':   return 'var(--color-accent-bright)';
 			case 'ENV':     return 'var(--color-amber)';
+			case 'USER':    return 'var(--color-accent)';
+			case 'COPY':    return 'var(--color-text-bright)';
 			case 'WORKDIR': return 'var(--color-text-tertiary)';
 			default:        return 'var(--color-text-muted)';
 		}
@@ -241,57 +240,70 @@
 	onMount(() => {
 		fetchTemplates();
 		fetchBuilds().then(startPolling);
+
+		// Pause polling when the browser tab is hidden.
+		visibilityHandler = () => {
+			if (document.hidden) {
+				stopPolling();
+			} else {
+				startPolling();
+			}
+		};
+		document.addEventListener('visibilitychange', visibilityHandler);
 	});
 
-	onDestroy(stopPolling);
+	onDestroy(() => {
+		stopPolling();
+		if (visibilityHandler) document.removeEventListener('visibilitychange', visibilityHandler);
+	});
 </script>
 
-<div class="flex h-screen overflow-hidden bg-[var(--color-bg-0)]">
-	<AdminSidebar bind:collapsed />
+<main class="flex min-w-0 flex-1 flex-col overflow-hidden">
+	<!-- Header -->
+	<header class="relative shrink-0 border-b border-[var(--color-border)] bg-[var(--color-bg-1)]">
+			<!-- Subtle gradient wash behind header for depth -->
+			<div class="absolute inset-0 bg-gradient-to-b from-[var(--color-accent)]/[0.02] to-transparent pointer-events-none"></div>
 
-	<main class="flex min-w-0 flex-1 flex-col overflow-hidden">
-		<!-- Header -->
-		<header class="flex shrink-0 flex-col gap-4 border-b border-[var(--color-border)] bg-[var(--color-bg-1)] px-6 py-5">
-			<div class="flex items-start justify-between">
+			<div class="relative flex items-start justify-between px-8 pt-7 pb-5">
 				<div>
-					<h1 class="font-serif text-[1.75rem] leading-none tracking-[-0.03em] text-[var(--color-text-bright)]">
+					<h1 class="font-serif text-page leading-none text-[var(--color-text-bright)]">
 						Templates
 					</h1>
-					<p class="mt-1.5 text-ui text-[var(--color-text-tertiary)]">
+					<p class="mt-2 text-ui text-[var(--color-text-tertiary)]">
 						Build and manage global templates available to all teams.
 					</p>
 				</div>
 				<button
-					onclick={() => { showCreate = true; createError = null; createForm = { name: '', base_template: 'minimal', vcpus: 1, memory_mb: 512, recipe: '', healthcheck: '' }; }}
-					class="flex items-center gap-2 rounded-[var(--radius-button)] bg-[var(--color-accent)] px-4 py-2 text-ui font-semibold text-white shadow-sm transition-all duration-150 hover:brightness-115 hover:-translate-y-px active:translate-y-0"
+					onclick={() => { showCreate = true; createError = null; createForm = { name: '', base_template: 'minimal', vcpus: 1, memory_mb: 512, recipe: '', healthcheck: '', skip_pre_post: false, archive: null }; }}
+					class="group flex items-center gap-2.5 rounded-[var(--radius-button)] bg-[var(--color-accent)] px-5 py-2.5 text-ui font-semibold text-white shadow-sm transition-all duration-200 hover:shadow-[0_0_20px_var(--color-accent-glow-mid)] hover:brightness-115 hover:-translate-y-px active:translate-y-0"
 				>
-					<svg width="13" height="13" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2.5" stroke-linecap="round" stroke-linejoin="round"><line x1="12" y1="5" x2="12" y2="19"/><line x1="5" y1="12" x2="19" y2="12"/></svg>
+					<svg width="13" height="13" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2.5" stroke-linecap="round" stroke-linejoin="round" class="transition-transform duration-200 group-hover:rotate-90"><line x1="12" y1="5" x2="12" y2="19"/><line x1="5" y1="12" x2="19" y2="12"/></svg>
 					Create Template
 				</button>
 			</div>
 
-			<!-- Stat pills -->
+			<!-- Stat strip — generous horizontal spacing, bolder presence -->
 			{#if !templatesLoading && !templatesError}
-				<div class="flex items-center gap-2">
-					<div class="flex items-baseline gap-1 rounded-[var(--radius-button)] border border-[var(--color-border)] bg-[var(--color-bg-2)] px-2.5 py-1">
-						<span class="font-mono font-semibold text-ui tabular-nums text-[var(--color-text-bright)]">{templateCount}</span>
+				<div class="relative flex items-center gap-3 px-8 pb-5">
+					<div class="stat-pill border-[var(--color-border)] bg-[var(--color-bg-2)]">
+						<span class="font-mono text-body font-bold tabular-nums text-[var(--color-text-bright)]">{templateCount}</span>
 						<span class="text-label text-[var(--color-text-muted)]">templates</span>
 					</div>
-					<div class="flex items-baseline gap-1 rounded-[var(--radius-button)] border border-[var(--color-border)] bg-[var(--color-bg-2)] px-2.5 py-1">
-						<span class="font-mono font-semibold text-ui tabular-nums text-[var(--color-text-bright)]">{baseCount}</span>
+					<div class="stat-pill border-[var(--color-border)] bg-[var(--color-bg-2)]">
+						<span class="font-mono text-body font-bold tabular-nums text-[var(--color-text-bright)]">{baseCount}</span>
 						<span class="text-label text-[var(--color-text-muted)]">base</span>
 					</div>
-					<div class="flex items-baseline gap-1 rounded-[var(--radius-button)] border border-[var(--color-accent)]/25 bg-[var(--color-accent)]/8 px-2.5 py-1">
-						<span class="font-mono font-semibold text-ui tabular-nums text-[var(--color-accent-bright)]">{snapshotCount}</span>
+					<div class="stat-pill border-[var(--color-accent)]/25 bg-[var(--color-accent)]/8">
+						<span class="font-mono text-body font-bold tabular-nums text-[var(--color-accent-bright)]">{snapshotCount}</span>
 						<span class="text-label text-[var(--color-accent-bright)]/70">snapshots</span>
 					</div>
 					{#if runningBuilds > 0}
-						<div class="flex items-baseline gap-1.5 rounded-[var(--radius-button)] border border-[var(--color-blue)]/25 bg-[var(--color-blue)]/8 px-2.5 py-1">
-							<span class="relative mt-px flex h-1.5 w-1.5 shrink-0 self-center">
-								<span class="absolute inline-flex h-full w-full animate-ping rounded-full bg-[var(--color-blue)] opacity-60"></span>
-								<span class="relative inline-flex h-1.5 w-1.5 rounded-full bg-[var(--color-blue)]"></span>
+						<div class="stat-pill border-[var(--color-blue)]/25 bg-[var(--color-blue)]/8 gap-2">
+							<span class="relative flex h-2 w-2 shrink-0">
+								<span class="animate-status-ping absolute inline-flex h-full w-full rounded-full bg-[var(--color-blue)] opacity-60"></span>
+								<span class="relative inline-flex h-2 w-2 rounded-full bg-[var(--color-blue)]"></span>
 							</span>
-							<span class="font-mono font-semibold text-ui tabular-nums text-[var(--color-blue)]">{runningBuilds}</span>
+							<span class="font-mono text-body font-bold tabular-nums text-[var(--color-blue)]">{runningBuilds}</span>
 							<span class="text-label text-[var(--color-blue)]/70">building</span>
 						</div>
 					{/if}
@@ -299,30 +311,32 @@
 			{/if}
 		</header>
 
-		<!-- Tabs -->
-		<div class="flex shrink-0 border-b border-[var(--color-border)] bg-[var(--color-bg-1)] px-6">
+		<!-- Tabs — heavier presence -->
+		<div class="flex shrink-0 border-b border-[var(--color-border)] bg-[var(--color-bg-1)] px-8">
 			{#each [['templates', 'Templates', templateCount], ['builds', 'Builds', builds.length]] as [id, label, count] (id)}
 				<button
 					onclick={() => { activeTab = id as 'templates' | 'builds'; }}
-					class="relative py-3 pr-5 text-ui transition-colors duration-150 {activeTab === id
-						? 'font-medium text-[var(--color-text-bright)]'
+					class="tab-button {activeTab === id
+						? 'text-[var(--color-text-bright)] font-medium'
 						: 'text-[var(--color-text-tertiary)] hover:text-[var(--color-text-secondary)]'}"
 				>
 					{label}
-					{#if activeTab === id}
-						<span class="absolute bottom-0 left-0 right-5 h-[2px] rounded-t-full bg-[var(--color-accent)]"></span>
-					{/if}
 					{#if !templatesLoading}
-						<span class="ml-2 rounded-full bg-[var(--color-bg-4)] px-1.5 py-0.5 text-label text-[var(--color-text-muted)]">
+						<span class="ml-2 rounded-full px-2 py-0.5 text-label tabular-nums transition-colors duration-200 {activeTab === id
+							? 'bg-[var(--color-accent)]/12 text-[var(--color-accent-bright)]'
+							: 'bg-[var(--color-bg-4)] text-[var(--color-text-muted)]'}">
 							{count}
 						</span>
 					{/if}
+					{#if activeTab === id}
+						<span class="absolute bottom-0 left-0 right-0 h-[2px] rounded-t-full bg-[var(--color-accent)]"></span>
+					{/if}
 				</button>
 			{/each}
 		</div>
 
 		<!-- Body -->
-		<div class="flex-1 overflow-y-auto p-6">
+		<div class="flex-1 overflow-y-auto px-8 py-6">
 			{#if activeTab === 'templates'}
 				{#if templatesLoading}
 					{@render skeletonRows(5, ['Name', 'Type', 'Specs', 'Size', 'Created', ''])}
@@ -349,26 +363,35 @@
 				{/if}
 			{/if}
 		</div>
-	</main>
-</div>
+</main>
+
+<footer class="flex h-7 shrink-0 items-center justify-end border-t border-[var(--color-border)] bg-[var(--color-bg-1)] px-7">
+	<div class="flex items-center gap-1.5">
+		<span class="relative flex h-[5px] w-[5px]">
+			<span class="animate-status-ping absolute inline-flex h-full w-full rounded-full bg-[var(--color-accent)]"></span>
+			<span class="relative inline-flex h-[5px] w-[5px] rounded-full bg-[var(--color-accent)]"></span>
+		</span>
+		<span class="font-mono text-label uppercase tracking-[0.04em] text-[var(--color-text-secondary)]">All systems operational</span>
+	</div>
+</footer>
 
 <!-- ── Snippets ─────────────────────────────────────────────────────── -->
 
 {#snippet skeletonRows(count: number, headers: string[])}
-	<div class="rounded-[var(--radius-card)] border border-[var(--color-border)] bg-[var(--color-bg-1)] overflow-hidden">
+	<div class="rounded-[var(--radius-card)] border border-[var(--color-border)] bg-[var(--color-bg-1)] overflow-hidden shadow-sm">
 		<table class="w-full">
 			<thead>
-				<tr class="border-b border-[var(--color-border)]">
+				<tr class="border-b border-[var(--color-border)] bg-[var(--color-bg-0)]/40">
 					{#each headers as h}
-						<th class="px-4 py-3 text-left text-label font-semibold uppercase tracking-[0.06em] text-[var(--color-text-tertiary)]">{h}</th>
+						<th class="table-header">{h}</th>
 					{/each}
 				</tr>
 			</thead>
 			<tbody>
 				{#each Array(count) as _, i}
-					<tr class="border-b border-[var(--color-border)] last:border-0" style="animation-delay: {i * 60}ms">
+					<tr class="border-b border-[var(--color-border)] last:border-0 table-row-animate" style="animation-delay: {i * 60}ms">
 						{#each headers as _h, j}
-							<td class="px-4 py-3.5">
+							<td class="px-5 py-3.5">
 								<div class="skeleton h-3 rounded" style="width: {60 + j * 12}px"></div>
 							</td>
 						{/each}
@@ -380,78 +403,99 @@
 {/snippet}
 
 {#snippet emptyState(type: 'templates' | 'builds')}
-	<div class="flex flex-col items-center justify-center py-24 text-center">
-		<div class="mb-5 flex h-16 w-16 items-center justify-center rounded-[var(--radius-card)] border border-[var(--color-border)] bg-[var(--color-bg-2)]">
-			{#if type === 'templates'}
-				<svg width="28" height="28" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.25" stroke-linecap="round" stroke-linejoin="round" class="text-[var(--color-text-muted)]"><rect x="3" y="3" width="7" height="7"/><rect x="14" y="3" width="7" height="7"/><rect x="14" y="14" width="7" height="7"/><rect x="3" y="14" width="7" height="7"/></svg>
-			{:else}
-				<svg width="28" height="28" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.25" stroke-linecap="round" stroke-linejoin="round" class="text-[var(--color-text-muted)]"><path d="M14 2H6a2 2 0 0 0-2 2v16a2 2 0 0 0 2 2h12a2 2 0 0 0 2-2V8Z"/><path d="M14 2v6h6"/><path d="m16 13-3.5 3.5-2-2L8 17"/></svg>
-			{/if}
+	<div class="flex flex-col items-center justify-center py-28 text-center">
+		<!-- Floating icon with glow ring -->
+		<div class="relative mb-7">
+			<div class="absolute -inset-3 rounded-2xl bg-[var(--color-accent-glow)] blur-xl"></div>
+			<div class="empty-icon-float relative flex h-18 w-18 items-center justify-center rounded-xl border border-[var(--color-border-mid)] bg-[var(--color-bg-2)] shadow-card">
+				{#if type === 'templates'}
+					<svg width="32" height="32" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.25" stroke-linecap="round" stroke-linejoin="round" class="text-[var(--color-accent-mid)]"><rect x="3" y="3" width="7" height="7"/><rect x="14" y="3" width="7" height="7"/><rect x="14" y="14" width="7" height="7"/><rect x="3" y="14" width="7" height="7"/></svg>
+				{:else}
+					<svg width="32" height="32" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.25" stroke-linecap="round" stroke-linejoin="round" class="text-[var(--color-accent-mid)]"><path d="M14 2H6a2 2 0 0 0-2 2v16a2 2 0 0 0 2 2h12a2 2 0 0 0 2-2V8Z"/><path d="M14 2v6h6"/><path d="m16 13-3.5 3.5-2-2L8 17"/></svg>
+				{/if}
+			</div>
 		</div>
-		<p class="font-serif text-[1.125rem] leading-snug text-[var(--color-text-secondary)]">
-			{type === 'templates' ? 'No templates yet.' : 'No builds yet.'}
+		<p class="font-serif text-heading leading-snug text-[var(--color-text-secondary)]">
+			{type === 'templates' ? 'No templates yet' : 'No builds yet'}
 		</p>
-		<p class="mt-1.5 text-ui text-[var(--color-text-muted)]">
+		<p class="mt-2 max-w-[320px] text-ui text-[var(--color-text-muted)]">
 			{type === 'templates'
 				? 'Create a template to provide pre-configured environments for all teams.'
 				: 'Start a template build to see progress and logs here.'}
 		</p>
+		{#if type === 'templates'}
+			<button
+				onclick={() => { showCreate = true; createError = null; createForm = { name: '', base_template: 'minimal', vcpus: 1, memory_mb: 512, recipe: '', healthcheck: '', skip_pre_post: false, archive: null }; }}
+				class="mt-6 flex items-center gap-2 rounded-[var(--radius-button)] border border-[var(--color-accent)]/30 bg-[var(--color-accent)]/10 px-4 py-2 text-ui font-medium text-[var(--color-accent-bright)] transition-all duration-200 hover:bg-[var(--color-accent)]/20 hover:border-[var(--color-accent)]/50"
+			>
+				<svg width="13" height="13" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2.5" stroke-linecap="round" stroke-linejoin="round"><line x1="12" y1="5" x2="12" y2="19"/><line x1="5" y1="12" x2="19" y2="12"/></svg>
+				Create your first template
+			</button>
+		{/if}
 	</div>
 {/snippet}
 
 {#snippet templatesTable()}
-	<div class="rounded-[var(--radius-card)] border border-[var(--color-border)] bg-[var(--color-bg-1)] overflow-hidden">
+	<div class="rounded-[var(--radius-card)] border border-[var(--color-border)] bg-[var(--color-bg-1)] overflow-hidden shadow-sm">
 		<table class="w-full">
 			<thead>
-				<tr class="border-b border-[var(--color-border)]">
-					<th class="px-4 py-3 text-left text-label font-semibold uppercase tracking-[0.06em] text-[var(--color-text-tertiary)]">Name</th>
-					<th class="px-4 py-3 text-left text-label font-semibold uppercase tracking-[0.06em] text-[var(--color-text-tertiary)]">Type</th>
-					<th class="hidden px-4 py-3 text-left text-label font-semibold uppercase tracking-[0.06em] text-[var(--color-text-tertiary)] md:table-cell">Specs</th>
-					<th class="hidden px-4 py-3 text-left text-label font-semibold uppercase tracking-[0.06em] text-[var(--color-text-tertiary)] lg:table-cell">Size</th>
-					<th class="hidden px-4 py-3 text-left text-label font-semibold uppercase tracking-[0.06em] text-[var(--color-text-tertiary)] lg:table-cell">Created</th>
-					<th class="px-4 py-3"></th>
+				<tr class="border-b border-[var(--color-border)] bg-[var(--color-bg-0)]/40">
+					<th class="table-header">Name</th>
+					<th class="table-header">Type</th>
+					<th class="table-header hidden md:table-cell">Specs</th>
+					<th class="table-header hidden lg:table-cell">Size</th>
+					<th class="table-header hidden lg:table-cell">Created</th>
+					<th class="table-header w-20"></th>
 				</tr>
 			</thead>
 			<tbody>
-				{#each templates as tmpl (tmpl.name)}
-					<tr class="border-b border-[var(--color-border)] last:border-0 transition-colors duration-200 hover:bg-[var(--color-bg-2)]">
-						<td class="px-4 py-3.5">
-							<span class="font-mono text-meta text-[var(--color-text-primary)]">{tmpl.name}</span>
+				{#each templates as tmpl, i (tmpl.name)}
+					<tr
+						class="table-row-animate border-b border-[var(--color-border)] last:border-0 transition-colors duration-200 hover:bg-[var(--color-bg-2)]"
+						style="animation-delay: {i * 30}ms"
+					>
+						<td class="px-5 py-3.5">
+							<div class="flex items-center gap-2">
+								<span class="font-mono text-ui font-medium text-[var(--color-text-bright)]">{tmpl.name}</span>
+								<CopyButton value={tmpl.name} />
+							</div>
 						</td>
-						<td class="px-4 py-3.5">
+						<td class="px-5 py-3.5">
 							{#if tmpl.type === 'snapshot'}
-								<span class="inline-flex items-center rounded-full border border-[var(--color-accent)]/25 bg-[var(--color-accent)]/8 px-2 py-0.5 text-label font-medium text-[var(--color-accent-bright)]">
+								<span class="inline-flex items-center gap-1.5 rounded-full border border-[var(--color-accent)]/25 bg-[var(--color-accent)]/8 px-2.5 py-0.5 text-label font-medium text-[var(--color-accent-bright)]">
+									<span class="h-1.5 w-1.5 rounded-full bg-[var(--color-accent)]"></span>
 									snapshot
 								</span>
 							{:else}
-								<span class="inline-flex items-center rounded-full border border-[var(--color-border)] bg-[var(--color-bg-3)] px-2 py-0.5 text-label font-medium text-[var(--color-text-secondary)]">
+								<span class="inline-flex items-center gap-1.5 rounded-full border border-[var(--color-border)] bg-[var(--color-bg-3)] px-2.5 py-0.5 text-label font-medium text-[var(--color-text-secondary)]">
+									<span class="h-1.5 w-1.5 rounded-full bg-[var(--color-text-muted)]"></span>
 									base
 								</span>
 							{/if}
 						</td>
-						<td class="hidden px-4 py-3.5 md:table-cell">
+						<td class="hidden px-5 py-3.5 md:table-cell">
 							{#if tmpl.vcpus && tmpl.memory_mb}
-								<span class="text-meta text-[var(--color-text-secondary)]">
+								<span class="font-mono text-meta tabular-nums text-[var(--color-text-secondary)]">
 									{tmpl.vcpus} vCPU · {tmpl.memory_mb} MB
 								</span>
 							{:else}
 								<span class="text-meta text-[var(--color-text-muted)]">—</span>
 							{/if}
 						</td>
-						<td class="hidden px-4 py-3.5 lg:table-cell">
-							<span class="font-mono text-meta text-[var(--color-text-muted)]">
+						<td class="hidden px-5 py-3.5 lg:table-cell">
+							<span class="font-mono text-meta tabular-nums text-[var(--color-text-muted)]">
 								{tmpl.size_bytes ? formatBytes(tmpl.size_bytes) : '—'}
 							</span>
 						</td>
-						<td class="hidden px-4 py-3.5 lg:table-cell">
+						<td class="hidden px-5 py-3.5 lg:table-cell">
 							<span class="text-meta text-[var(--color-text-muted)]" title={formatDate(tmpl.created_at)}>
 								{timeAgo(tmpl.created_at)}
 							</span>
 						</td>
-						<td class="px-4 py-3.5 text-right">
+						<td class="px-5 py-3.5 text-right">
 							<button
 								onclick={() => { deleteTarget = tmpl; deleteError = null; }}
-								class="rounded-[var(--radius-button)] px-3 py-1.5 text-meta text-[var(--color-text-tertiary)] transition-colors duration-150 hover:bg-[var(--color-red)]/10 hover:text-[var(--color-red)]"
+								class="rounded-[var(--radius-button)] px-3 py-1.5 text-meta text-[var(--color-text-tertiary)] transition-all duration-150 hover:bg-[var(--color-red)]/10 hover:text-[var(--color-red)]"
 							>
 								Delete
 							</button>
@@ -464,28 +508,30 @@
 {/snippet}
 
 {#snippet buildsTable()}
-	<div class="space-y-0 rounded-[var(--radius-card)] border border-[var(--color-border)] bg-[var(--color-bg-1)] overflow-hidden">
+	<div class="rounded-[var(--radius-card)] border border-[var(--color-border)] bg-[var(--color-bg-1)] overflow-hidden shadow-sm">
 		<table class="w-full">
 			<thead>
-				<tr class="border-b border-[var(--color-border)]">
-					<th class="px-4 py-3 text-left text-label font-semibold uppercase tracking-[0.06em] text-[var(--color-text-tertiary)]">Build</th>
-					<th class="px-4 py-3 text-left text-label font-semibold uppercase tracking-[0.06em] text-[var(--color-text-tertiary)]">Name</th>
-					<th class="hidden px-4 py-3 text-left text-label font-semibold uppercase tracking-[0.06em] text-[var(--color-text-tertiary)] md:table-cell">Base</th>
-					<th class="px-4 py-3 text-left text-label font-semibold uppercase tracking-[0.06em] text-[var(--color-text-tertiary)]">Status</th>
-					<th class="hidden px-4 py-3 text-left text-label font-semibold uppercase tracking-[0.06em] text-[var(--color-text-tertiary)] md:table-cell">Progress</th>
-					<th class="hidden px-4 py-3 text-left text-label font-semibold uppercase tracking-[0.06em] text-[var(--color-text-tertiary)] lg:table-cell">Started</th>
-					<th class="hidden px-4 py-3 text-left text-label font-semibold uppercase tracking-[0.06em] text-[var(--color-text-tertiary)] lg:table-cell">Duration</th>
+				<tr class="border-b border-[var(--color-border)] bg-[var(--color-bg-0)]/40">
+					<th class="table-header">Build</th>
+					<th class="table-header">Name</th>
+					<th class="table-header hidden md:table-cell">Base</th>
+					<th class="table-header">Status</th>
+					<th class="table-header hidden md:table-cell">Progress</th>
+					<th class="table-header hidden lg:table-cell">Started</th>
+					<th class="table-header hidden lg:table-cell">Duration</th>
 				</tr>
 			</thead>
 			<tbody>
-				{#each builds as build (build.id)}
+				{#each builds as build, i (build.id)}
 					<tr
-						class="border-b border-[var(--color-border)] last:border-0 cursor-pointer transition-colors duration-200
-							{expandedBuildId === build.id ? 'bg-[var(--color-bg-2)]' : 'hover:bg-[var(--color-bg-2)]'}"
+						class="table-row-animate border-b border-[var(--color-border)] last:border-0 cursor-pointer transition-colors duration-200
+							{expandedBuildId === build.id ? 'bg-[var(--color-bg-2)]' : 'hover:bg-[var(--color-bg-2)]'}
+							{build.status === 'running' ? 'build-row-active' : ''}"
+						style="animation-delay: {i * 30}ms"
 						onclick={() => toggleBuildExpand(build.id)}
 					>
-						<td class="px-4 py-3.5">
-							<div class="flex items-center gap-2">
+						<td class="px-5 py-3.5">
+							<div class="flex items-center gap-2.5">
 								<svg
 									width="12" height="12" viewBox="0 0 24 24" fill="none" stroke="currentColor"
 									stroke-width="2" stroke-linecap="round" stroke-linejoin="round"
@@ -496,49 +542,51 @@
 								<span class="font-mono text-meta text-[var(--color-text-primary)]">{build.id}</span>
 							</div>
 						</td>
-						<td class="px-4 py-3.5">
-							<span class="text-meta text-[var(--color-text-primary)]">{build.name}</span>
+						<td class="px-5 py-3.5">
+							<span class="text-ui font-medium text-[var(--color-text-primary)]">{build.name}</span>
 						</td>
-						<td class="hidden px-4 py-3.5 md:table-cell">
+						<td class="hidden px-5 py-3.5 md:table-cell">
 							<span class="font-mono text-meta text-[var(--color-text-muted)]">{build.base_template}</span>
 						</td>
-						<td class="px-4 py-3.5">
-							<span class="flex items-center gap-1.5 text-meta font-medium" style="color: {statusColor(build.status)}">
+						<td class="px-5 py-3.5">
+							<span class="flex items-center gap-2 text-meta font-semibold" style="color: {statusColor(build.status)}">
 								{#if build.status === 'running'}
-									<span class="relative flex h-1.5 w-1.5 shrink-0">
-										<span class="absolute inline-flex h-full w-full animate-ping rounded-full opacity-60" style="background: {statusColor(build.status)}"></span>
-										<span class="relative inline-flex h-1.5 w-1.5 rounded-full" style="background: {statusColor(build.status)}"></span>
+									<span class="relative flex h-2 w-2 shrink-0">
+										<span class="animate-status-ping absolute inline-flex h-full w-full rounded-full opacity-60" style="background: {statusColor(build.status)}"></span>
+										<span class="relative inline-flex h-2 w-2 rounded-full" style="background: {statusColor(build.status)}"></span>
 									</span>
 								{:else if build.status === 'success'}
-									<svg width="12" height="12" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2.5" stroke-linecap="round" stroke-linejoin="round"><polyline points="20 6 9 17 4 12"/></svg>
+									<svg width="13" height="13" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2.5" stroke-linecap="round" stroke-linejoin="round"><polyline points="20 6 9 17 4 12"/></svg>
 								{:else if build.status === 'failed'}
-									<svg width="12" height="12" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2.5" stroke-linecap="round" stroke-linejoin="round"><line x1="18" y1="6" x2="6" y2="18"/><line x1="6" y1="6" x2="18" y2="18"/></svg>
+									<svg width="13" height="13" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2.5" stroke-linecap="round" stroke-linejoin="round"><line x1="18" y1="6" x2="6" y2="18"/><line x1="6" y1="6" x2="18" y2="18"/></svg>
 								{:else}
-									<span class="h-1.5 w-1.5 shrink-0 rounded-full" style="background: {statusColor(build.status)}"></span>
+									<span class="h-2 w-2 shrink-0 rounded-full" style="background: {statusColor(build.status)}"></span>
 								{/if}
 								{build.status}
 							</span>
 						</td>
-						<td class="hidden px-4 py-3.5 md:table-cell">
-							<span class="font-mono text-meta text-[var(--color-text-muted)]">
-								{build.current_step} / {build.total_steps}
-							</span>
-							{#if build.status === 'running' && build.total_steps > 0}
-								<div class="mt-1.5 h-1 w-20 overflow-hidden rounded-full bg-[var(--color-bg-4)]">
-									<div
-										class="h-full rounded-full bg-[var(--color-blue)] transition-all duration-500"
-										style="width: {(build.current_step / build.total_steps) * 100}%"
-									></div>
-								</div>
-							{/if}
+						<td class="hidden px-5 py-3.5 md:table-cell">
+							<div class="flex items-center gap-3">
+								<span class="font-mono text-meta tabular-nums text-[var(--color-text-secondary)]">
+									{build.current_step}/{build.total_steps}
+								</span>
+								{#if build.total_steps > 0}
+									<div class="relative h-1.5 w-24 overflow-hidden rounded-full bg-[var(--color-bg-4)]">
+										<div
+											class="h-full rounded-full transition-all duration-700 ease-out {build.status === 'running' ? 'progress-bar-glow' : ''}"
+											style="width: {(build.current_step / build.total_steps) * 100}%; background: {statusColor(build.status)}"
+										></div>
+									</div>
+								{/if}
+							</div>
 						</td>
-						<td class="hidden px-4 py-3.5 lg:table-cell">
+						<td class="hidden px-5 py-3.5 lg:table-cell">
 							<span class="text-meta text-[var(--color-text-muted)]" title={formatDate(build.started_at)}>
 								{build.started_at ? timeAgo(build.started_at) : '—'}
 							</span>
 						</td>
-						<td class="hidden px-4 py-3.5 lg:table-cell">
-							<span class="font-mono text-meta text-[var(--color-text-muted)]">
+						<td class="hidden px-5 py-3.5 lg:table-cell">
+							<span class="font-mono text-meta tabular-nums text-[var(--color-text-muted)]">
 								{formatDuration(build.started_at, build.completed_at)}
 							</span>
 						</td>
@@ -547,7 +595,7 @@
 					{#if expandedBuildId === build.id}
 						<tr>
 							<td colspan="7" class="border-b border-[var(--color-border)] last:border-0">
-								<div class="bg-[var(--color-bg-0)] px-6 py-4" style="animation: fadeUp 0.15s ease both">
+								<div class="bg-[var(--color-bg-0)] px-6 py-5" style="animation: fadeUp 0.15s ease both">
 									{#if build.status === 'pending' || build.status === 'running'}
 										<div class="mb-4 flex justify-end">
 											<button
@@ -590,7 +638,7 @@
 															<svg width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="var(--color-red)" stroke-width="2.5" stroke-linecap="round" stroke-linejoin="round" class="shrink-0"><line x1="18" y1="6" x2="6" y2="18"/><line x1="6" y1="6" x2="18" y2="18"/></svg>
 														{/if}
 														<span class="shrink-0 text-label font-semibold text-[var(--color-text-tertiary)]">{phaseLabel}</span>
-														<code class="flex-1 truncate font-mono text-meta"><span style="color: {keywordColor(kw)}">{kw}</span>{#if kwRest}<span class="text-[var(--color-text-secondary)]"> {kwRest}</span>{/if}</code>
+														<code class="flex-1 truncate font-mono text-meta"><span style="color: {keywordColor(kw)}">{kw}</span>{#if kwRest}{' '}<span class="text-[var(--color-text-secondary)]">{kwRest}</span>{/if}</code>
 														<span class="shrink-0 font-mono text-label text-[var(--color-text-muted)]">{log.elapsed_ms}ms</span>
 														{#if log.exit !== 0}
 															<span class="shrink-0 rounded-full bg-[var(--color-red)]/10 px-1.5 py-0.5 font-mono text-label text-[var(--color-red)]">
@@ -643,13 +691,16 @@
 									<!-- Recipe reference -->
 									{#if build.recipe && build.recipe.length > 0}
 										<div class="mt-4 border-t border-[var(--color-border)] pt-4">
-											<span class="text-label font-semibold uppercase tracking-[0.06em] text-[var(--color-text-tertiary)]">Recipe</span>
+											<div class="flex items-center gap-1.5">
+												<span class="text-label font-semibold uppercase tracking-[0.06em] text-[var(--color-text-tertiary)]">Recipe</span>
+												<CopyButton value={build.recipe.join('\n')} />
+											</div>
 											<div class="mt-2 rounded-[var(--radius-input)] bg-[var(--color-bg-1)] border border-[var(--color-border)] px-3 py-2">
 												{#each build.recipe as cmd, i}
 													{@const [kw, kwRest] = splitInstruction(cmd)}
 													<div class="flex gap-2 py-0.5">
 														<span class="shrink-0 font-mono text-label text-[var(--color-text-muted)] tabular-nums">{i + 1}.</span>
-														<code class="font-mono text-meta"><span style="color: {keywordColor(kw)}">{kw}</span>{#if kwRest}<span class="text-[var(--color-text-secondary)]"> {kwRest}</span>{/if}</code>
+														<code class="font-mono text-meta"><span style="color: {keywordColor(kw)}">{kw}</span>{#if kwRest}{' '}<span class="text-[var(--color-text-secondary)]">{kwRest}</span>{/if}</code>
 													</div>
 												{/each}
 											</div>
@@ -675,18 +726,18 @@
 <!-- ── Create Template Dialog ──────────────────────────────────────── -->
 {#if showCreate}
 	<div class="fixed inset-0 z-50 flex items-center justify-center">
+		<!-- svelte-ignore a11y_no_static_element_interactions -->
 		<div
 			class="absolute inset-0 bg-black/60"
-			role="button"
-			tabindex="-1"
 			onclick={() => { if (!creating) showCreate = false; }}
 			onkeydown={(e) => { if (e.key === 'Escape' && !creating) showCreate = false; }}
 		></div>
 		<div
-			class="relative w-full max-w-[520px] max-h-[90vh] overflow-y-auto rounded-[var(--radius-card)] border border-[var(--color-border-mid)] bg-[var(--color-bg-2)] p-6 shadow-xl"
-			style="animation: fadeUp 0.18s cubic-bezier(0.25,1,0.5,1) both"
+			class="relative w-full max-w-[520px] max-h-[90vh] overflow-y-auto rounded-[var(--radius-card)] border border-[var(--color-border-mid)] bg-[var(--color-bg-2)]"
+			style="animation: fadeUp 0.2s ease both; box-shadow: var(--shadow-dialog)"
 		>
-			<h2 class="font-serif text-[1.375rem] leading-tight tracking-[-0.02em] text-[var(--color-text-bright)]">
+			<div class="p-6">
+			<h2 class="font-serif text-heading leading-tight text-[var(--color-text-bright)]">
 				Create Template
 			</h2>
 			<p class="mt-1.5 text-ui text-[var(--color-text-tertiary)]">
@@ -769,10 +820,46 @@
 						class="w-full resize-y rounded-[var(--radius-input)] border border-[var(--color-border)] bg-[var(--color-bg-4)] px-3 py-2 font-mono text-meta leading-relaxed text-[var(--color-text-bright)] outline-none placeholder:text-[var(--color-text-muted)] transition-colors duration-150 focus:border-[var(--color-accent)] disabled:opacity-60"
 					></textarea>
 					<p class="mt-1 text-label text-[var(--color-text-muted)]">
-						Supports <code class="font-mono">RUN</code>, <code class="font-mono">START</code>, <code class="font-mono">WORKDIR</code>, <code class="font-mono">ENV key=value</code>. RUN steps have a 30s timeout; override with <code class="font-mono">RUN --timeout=5m</code>.
+						Supports <code class="font-mono">RUN</code>, <code class="font-mono">START</code>, <code class="font-mono">WORKDIR</code>, <code class="font-mono">ENV key=value</code>, <code class="font-mono">USER name</code>, <code class="font-mono">COPY src dst</code>. RUN steps have a 30s timeout; override with <code class="font-mono">RUN --timeout=5m</code>. COPY references files from the uploaded archive.
 					</p>
 				</div>
 
+				<div>
+					<label class="mb-1.5 block text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-tertiary)]" for="tmpl-archive">
+						Build Archive <span class="normal-case font-normal text-[var(--color-text-muted)]">(optional, for COPY commands)</span>
+					</label>
+					<div class="flex items-center gap-3">
+						<label
+							class="flex cursor-pointer items-center gap-2 rounded-[var(--radius-button)] border border-[var(--color-border)] bg-[var(--color-bg-4)] px-3 py-2 text-ui text-[var(--color-text-secondary)] transition-colors duration-150 hover:border-[var(--color-border-mid)] hover:text-[var(--color-text-primary)]"
+						>
+							<svg width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M21 15v4a2 2 0 0 1-2 2H5a2 2 0 0 1-2-2v-4"/><polyline points="17 8 12 3 7 8"/><line x1="12" y1="3" x2="12" y2="15"/></svg>
+							Choose file
+							<input
+								id="tmpl-archive"
+								type="file"
+								accept=".tar,.tar.gz,.tgz,.zip"
+								disabled={creating}
+								onchange={(e) => { const f = (e.target as HTMLInputElement).files?.[0]; createForm.archive = f ?? null; }}
+								class="hidden"
+							/>
+						</label>
+						{#if createForm.archive}
+							<span class="flex items-center gap-1.5 text-meta text-[var(--color-text-secondary)]">
+								<span class="font-mono">{createForm.archive.name}</span>
+								<button
+									onclick={() => { createForm.archive = null; }}
+									aria-label="Remove file"
+									class="text-[var(--color-text-muted)] hover:text-[var(--color-red)] transition-colors"
+								>
+									<svg width="12" height="12" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2.5" stroke-linecap="round" stroke-linejoin="round"><line x1="18" y1="6" x2="6" y2="18"/><line x1="6" y1="6" x2="18" y2="18"/></svg>
+								</button>
+							</span>
+						{:else}
+							<span class="text-meta text-[var(--color-text-muted)]">tar, tar.gz, or zip</span>
+						{/if}
+					</div>
+				</div>
+
 				<div>
 					<label class="mb-1.5 block text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-tertiary)]" for="tmpl-healthcheck">
 						Healthcheck <span class="normal-case font-normal text-[var(--color-text-muted)]">(optional)</span>
@@ -822,6 +909,7 @@
 					{/if}
 				</button>
 			</div>
+			</div>
 		</div>
 	</div>
 {/if}
@@ -829,18 +917,18 @@
 <!-- ── Delete Template Confirmation ────────────────────────────────── -->
 {#if deleteTarget}
 	<div class="fixed inset-0 z-50 flex items-center justify-center">
+		<!-- svelte-ignore a11y_no_static_element_interactions -->
 		<div
 			class="absolute inset-0 bg-black/60"
-			role="button"
-			tabindex="-1"
 			onclick={() => { if (!deleting) deleteTarget = null; }}
 			onkeydown={(e) => { if (e.key === 'Escape' && !deleting) deleteTarget = null; }}
 		></div>
 		<div
-			class="relative w-full max-w-[420px] rounded-[var(--radius-card)] border border-[var(--color-border-mid)] bg-[var(--color-bg-2)] p-6 shadow-xl"
-			style="animation: fadeUp 0.18s cubic-bezier(0.25,1,0.5,1) both"
+			class="relative w-full max-w-[420px] rounded-[var(--radius-card)] border border-[var(--color-border-mid)] bg-[var(--color-bg-2)]"
+			style="animation: fadeUp 0.2s ease both; box-shadow: var(--shadow-dialog)"
 		>
-			<h2 class="font-serif text-[1.375rem] leading-tight tracking-[-0.02em] text-[var(--color-text-bright)]">
+			<div class="p-6">
+			<h2 class="font-serif text-heading leading-tight text-[var(--color-text-bright)]">
 				Delete Template
 			</h2>
 			<p class="mt-1.5 text-ui text-[var(--color-text-tertiary)]">
@@ -864,7 +952,7 @@
 				<button
 					onclick={handleDeleteTemplate}
 					disabled={deleting}
-					class="flex items-center gap-2 rounded-[var(--radius-button)] bg-[var(--color-red)] px-5 py-2 text-ui font-semibold text-white transition-all duration-150 hover:brightness-110 disabled:opacity-50"
+					class="flex items-center gap-2 rounded-[var(--radius-button)] bg-[var(--color-red)] px-5 py-2 text-ui font-semibold text-white transition-all duration-150 hover:brightness-110 hover:-translate-y-px active:translate-y-0 disabled:opacity-50 disabled:hover:translate-y-0"
 				>
 					{#if deleting}
 						<svg class="animate-spin" width="13" height="13" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><path d="M21 12a9 9 0 1 1-6.219-8.56"/></svg>
@@ -874,6 +962,7 @@
 					{/if}
 				</button>
 			</div>
+			</div>
 		</div>
 	</div>
 {/if}
@@ -899,4 +988,59 @@
 		background-size: 200% 100%;
 		animation: shimmer 1.4s ease infinite;
 	}
+
+	/* Stat pill — shared base */
+	.stat-pill {
+		display: flex;
+		align-items: baseline;
+		gap: 6px;
+		border-radius: var(--radius-button);
+		border-width: 1px;
+		padding: 6px 12px;
+		transition: transform 0.15s ease, box-shadow 0.15s ease;
+	}
+	.stat-pill:hover {
+		transform: translateY(-1px);
+		box-shadow: 0 2px 8px rgba(0, 0, 0, 0.25);
+	}
+
+	/* Table header */
+	.table-header {
+		padding: 10px 20px;
+		text-align: left;
+		font-size: var(--text-label);
+		font-weight: 600;
+		text-transform: uppercase;
+		letter-spacing: 0.06em;
+		color: var(--color-text-tertiary);
+	}
+
+	/* Staggered row entrance */
+	.table-row-animate {
+		animation: fadeUp 0.25s ease both;
+	}
+
+	/* Tab button */
+	.tab-button {
+		position: relative;
+		padding: 14px 20px 14px 0;
+		font-size: var(--text-ui);
+		transition: color 0.15s ease;
+		cursor: pointer;
+	}
+
+	/* Active build row — subtle left accent */
+	.build-row-active {
+		box-shadow: inset 3px 0 0 var(--color-blue);
+	}
+
+	/* Progress bar glow for running builds */
+	.progress-bar-glow {
+		box-shadow: 0 0 8px rgba(90, 159, 212, 0.4);
+	}
+
+	/* Empty state icon float */
+	.empty-icon-float {
+		animation: iconFloat 3s ease-in-out infinite;
+	}
 </style>
diff --git a/frontend/src/routes/admin/users/+page.svelte b/frontend/src/routes/admin/users/+page.svelte
new file mode 100644
index 0000000..3630f4f
--- /dev/null
+++ b/frontend/src/routes/admin/users/+page.svelte
@@ -0,0 +1,294 @@
+<script lang="ts">
+	import { onMount } from 'svelte';
+	import { toast } from '$lib/toast.svelte';
+	import { formatDate } from '$lib/utils/format';
+	import {
+		listAdminUsers,
+		setUserActive,
+		type AdminUser,
+	} from '$lib/api/admin-users';
+
+	// Data state
+	let users = $state<AdminUser[]>([]);
+	let loading = $state(true);
+	let error = $state<string | null>(null);
+	let currentPage = $state(1);
+	let totalPages = $state(1);
+	let totalUsers = $state(0);
+
+	// Animation
+	let initialAnimationDone = $state(false);
+
+	// Toggle state
+	let togglingId = $state<string | null>(null);
+
+	async function fetchUsers(page: number = 1) {
+		const wasEmpty = users.length === 0;
+		if (wasEmpty) loading = true;
+		error = null;
+
+		const result = await listAdminUsers(page);
+		if (result.ok) {
+			users = result.data.users;
+			currentPage = result.data.page;
+			totalPages = result.data.total_pages;
+			totalUsers = result.data.total;
+		} else {
+			error = result.error;
+		}
+		loading = false;
+
+		if (!initialAnimationDone) {
+			setTimeout(() => { initialAnimationDone = true; }, 400 + (users.length * 30));
+		}
+	}
+
+	async function handleToggleActive(user: AdminUser) {
+		togglingId = user.id;
+		const newActive = user.status !== 'active';
+		const result = await setUserActive(user.id, newActive);
+		if (result.ok) {
+			user.status = newActive ? 'active' : 'disabled';
+			toast.success(`${user.email} ${newActive ? 'activated' : 'deactivated'}`);
+		} else {
+			toast.error(result.error);
+		}
+		togglingId = null;
+	}
+
+	function goToPage(page: number) {
+		if (page < 1 || page > totalPages) return;
+		fetchUsers(page);
+	}
+
+	onMount(() => {
+		fetchUsers();
+	});
+</script>
+
+<svelte:head>
+	<title>Wrenn Admin — Users</title>
+</svelte:head>
+
+<style>
+	.user-grid {
+		display: grid;
+		grid-template-columns: 1.6fr 1.4fr 0.7fr 0.7fr 0.5fr 1fr 0.6fr;
+	}
+
+	.stat-pill {
+		display: flex;
+		align-items: baseline;
+		gap: 6px;
+		border-radius: var(--radius-button);
+		border-width: 1px;
+		padding: 6px 12px;
+		transition: transform 0.15s ease, box-shadow 0.15s ease;
+	}
+	.stat-pill:hover {
+		transform: translateY(-1px);
+		box-shadow: 0 2px 8px rgba(0, 0, 0, 0.25);
+	}
+
+	.row-stripe {
+		transform: scaleY(0);
+		transform-origin: center;
+		transition: transform 0.18s cubic-bezier(0.25, 1, 0.5, 1);
+	}
+	.user-row:hover .row-stripe {
+		transform: scaleY(1);
+	}
+
+	@keyframes fadeUp {
+		from { opacity: 0; transform: translateY(10px); }
+		to { opacity: 1; transform: translateY(0); }
+	}
+</style>
+
+<main class="flex min-w-0 flex-1 flex-col overflow-hidden">
+	<!-- Header -->
+	<header class="relative shrink-0 border-b border-[var(--color-border)] bg-[var(--color-bg-1)]">
+			<div class="absolute inset-0 bg-gradient-to-b from-[var(--color-accent)]/[0.02] to-transparent pointer-events-none"></div>
+
+			<div class="relative flex items-start justify-between px-8 pt-7 pb-5">
+				<div>
+					<h1 class="font-serif text-page leading-none text-[var(--color-text-bright)]">
+						Users
+					</h1>
+					<p class="mt-2 text-ui text-[var(--color-text-tertiary)]">
+						All registered users, team memberships, and account status.
+					</p>
+				</div>
+			</div>
+
+			<!-- Stat strip -->
+			{#if !loading && !error}
+				<div class="relative flex items-center gap-3 px-8 pb-5">
+					<div class="stat-pill border-[var(--color-border)] bg-[var(--color-bg-2)]">
+						<span class="font-mono text-body font-bold tabular-nums text-[var(--color-text-bright)]">{totalUsers}</span>
+						<span class="text-label text-[var(--color-text-muted)]">user{totalUsers !== 1 ? 's' : ''}</span>
+					</div>
+				</div>
+			{/if}
+		</header>
+
+		<!-- Content -->
+		<div class="flex-1 overflow-y-auto px-8 py-6" style="animation: fadeUp 0.35s ease both">
+			{#if error}
+				<div class="mb-4 flex items-start gap-3 rounded-[var(--radius-card)] border border-[var(--color-red)]/30 bg-[var(--color-red)]/5 px-4 py-3">
+					<svg class="mt-0.5 shrink-0 text-[var(--color-red)]" width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
+						<circle cx="12" cy="12" r="10" /><line x1="12" y1="8" x2="12" y2="12" /><line x1="12" y1="16" x2="12.01" y2="16" />
+					</svg>
+					<span class="text-ui text-[var(--color-red)]">{error}. Try refreshing the page.</span>
+				</div>
+			{/if}
+
+			<!-- Table -->
+			<div class="rounded-[var(--radius-card)] border border-[var(--color-border)] overflow-hidden">
+				<!-- Header row -->
+				<div class="user-grid rounded-t-[var(--radius-card)] border-b border-[var(--color-border)] bg-[var(--color-bg-3)]">
+					<div class="px-5 py-3 text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-muted)]">Name</div>
+					<div class="px-5 py-3 text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-muted)]">Email</div>
+					<div class="px-5 py-3 text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-muted)]">Teams</div>
+					<div class="px-5 py-3 text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-muted)]">Owned</div>
+					<div class="px-5 py-3 text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-muted)]">Role</div>
+					<div class="px-5 py-3 text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-muted)]">Joined</div>
+					<div class="px-5 py-3 text-right text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-muted)]">Status</div>
+				</div>
+
+				{#if loading && users.length === 0}
+					<div class="flex items-center justify-center py-16">
+						<div class="flex items-center gap-3 text-ui text-[var(--color-text-secondary)]">
+							<svg class="animate-spin" width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2">
+								<path d="M21 12a9 9 0 1 1-6.219-8.56" />
+							</svg>
+							Loading users...
+						</div>
+					</div>
+				{:else if users.length === 0}
+					<div class="flex flex-col items-center justify-center py-[72px]">
+						<div class="relative mb-5">
+							<div class="absolute inset-0 -m-4 rounded-full" style="background: radial-gradient(circle, rgba(94,140,88,0.08) 0%, transparent 70%)"></div>
+							<div class="relative flex h-14 w-14 items-center justify-center rounded-[var(--radius-card)] border border-[var(--color-accent)]/20 bg-[var(--color-bg-3)]">
+								<svg width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="var(--color-accent-mid)" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round">
+									<path d="M20 21v-2a4 4 0 0 0-4-4H8a4 4 0 0 0-4 4v2" /><circle cx="12" cy="7" r="4" />
+								</svg>
+							</div>
+						</div>
+						<p class="font-serif text-heading text-[var(--color-text-bright)]">
+							No users yet
+						</p>
+						<p class="mt-1.5 text-ui text-[var(--color-text-tertiary)]">
+							Users appear here when they sign up.
+						</p>
+					</div>
+				{:else}
+					{#each users as user, i (user.id)}
+						<div
+							class="user-row user-grid relative items-center overflow-hidden border-b border-[var(--color-border)] transition-colors duration-150 last:border-b-0 {user.status !== 'active' ? 'opacity-50' : 'hover:bg-[var(--color-bg-3)]'}"
+							style={initialAnimationDone ? '' : `animation: fadeUp 0.35s ease both; animation-delay: ${i * 30}ms`}
+						>
+							<!-- Left accent stripe -->
+							{#if user.status === 'active'}
+								<div class="row-stripe pointer-events-none absolute left-0 top-0 h-full w-0.5 bg-[var(--color-accent)]"></div>
+							{/if}
+
+							<!-- Name -->
+							<div class="min-w-0 px-5 py-4">
+								<div class="flex items-center gap-2">
+									<span class="block truncate text-ui font-medium text-[var(--color-text-bright)]">{user.name || '\u2014'}</span>
+									{#if user.is_admin}
+										<span class="inline-flex shrink-0 items-center rounded-full border border-[var(--color-amber)]/30 bg-[var(--color-amber)]/10 px-2 py-0.5 text-[10px] font-semibold uppercase tracking-[0.05em] text-[var(--color-amber)]">
+											Admin
+										</span>
+									{/if}
+								</div>
+								<span class="block truncate font-mono text-label text-[var(--color-text-muted)]">{user.id}</span>
+							</div>
+
+							<!-- Email -->
+							<div class="min-w-0 px-5 py-4">
+								<span class="block truncate font-mono text-ui text-[var(--color-text-secondary)]">{user.email}</span>
+							</div>
+
+							<!-- Teams Joined -->
+							<div class="px-5 py-4">
+								<span class="font-mono text-ui text-[var(--color-text-secondary)]">{user.teams_joined}</span>
+							</div>
+
+							<!-- Teams Owned -->
+							<div class="px-5 py-4">
+								<span class="font-mono text-ui text-[var(--color-text-secondary)]">{user.teams_owned}</span>
+							</div>
+
+							<!-- Role -->
+							<div class="px-5 py-4">
+								<span class="text-ui text-[var(--color-text-secondary)]">{user.is_admin ? 'Admin' : 'User'}</span>
+							</div>
+
+							<!-- Joined -->
+							<div class="px-5 py-4">
+								<span class="text-ui text-[var(--color-text-secondary)]">{formatDate(user.created_at)}</span>
+							</div>
+
+							<!-- Status / Toggle -->
+							<div class="flex items-center justify-end px-5 py-4">
+								<button
+									onclick={() => handleToggleActive(user)}
+									disabled={togglingId === user.id}
+									class="rounded-[var(--radius-button)] border px-3 py-1.5 text-meta font-medium transition-all duration-150 disabled:opacity-50
+										{user.status === 'active'
+											? 'border-[var(--color-accent)]/30 bg-[var(--color-accent)]/8 text-[var(--color-accent-bright)] hover:bg-[var(--color-accent)]/15 hover:border-[var(--color-accent)]/50'
+											: 'border-[var(--color-red)]/30 bg-[var(--color-red)]/8 text-[var(--color-red)] hover:bg-[var(--color-red)]/15 hover:border-[var(--color-red)]/50'}"
+								>
+									{#if togglingId === user.id}
+										<svg class="inline animate-spin" width="12" height="12" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><path d="M21 12a9 9 0 1 1-6.219-8.56"/></svg>
+									{:else}
+										{user.status === 'active' ? 'Active' : user.status.charAt(0).toUpperCase() + user.status.slice(1)}
+									{/if}
+								</button>
+							</div>
+						</div>
+					{/each}
+				{/if}
+			</div>
+
+			<!-- Pagination -->
+			{#if totalPages > 1}
+				<div class="mt-4 flex items-center justify-between">
+					<span class="text-ui text-[var(--color-text-tertiary)]">
+						Page <span class="font-mono text-[var(--color-text-secondary)]">{currentPage}</span> of <span class="font-mono text-[var(--color-text-secondary)]">{totalPages}</span>
+					</span>
+					<div class="flex items-center gap-2">
+						<button
+							onclick={() => goToPage(currentPage - 1)}
+							disabled={currentPage <= 1}
+							class="flex items-center gap-1.5 rounded-[var(--radius-button)] border border-[var(--color-border)] px-3 py-1.5 text-ui text-[var(--color-text-secondary)] transition-colors duration-150 hover:border-[var(--color-border-mid)] hover:text-[var(--color-text-primary)] disabled:opacity-40 disabled:hover:border-[var(--color-border)] disabled:hover:text-[var(--color-text-secondary)]"
+						>
+							<svg width="12" height="12" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><polyline points="15 18 9 12 15 6"/></svg>
+							Previous
+						</button>
+						<button
+							onclick={() => goToPage(currentPage + 1)}
+							disabled={currentPage >= totalPages}
+							class="flex items-center gap-1.5 rounded-[var(--radius-button)] border border-[var(--color-border)] px-3 py-1.5 text-ui text-[var(--color-text-secondary)] transition-colors duration-150 hover:border-[var(--color-border-mid)] hover:text-[var(--color-text-primary)] disabled:opacity-40 disabled:hover:border-[var(--color-border)] disabled:hover:text-[var(--color-text-secondary)]"
+						>
+							Next
+							<svg width="12" height="12" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><polyline points="9 18 15 12 9 6"/></svg>
+						</button>
+					</div>
+				</div>
+			{/if}
+		</div>
+
+		<!-- Status bar -->
+		<footer class="flex h-7 shrink-0 items-center justify-end border-t border-[var(--color-border)] bg-[var(--color-bg-1)] px-7">
+			<div class="flex items-center gap-1.5">
+				<span class="relative flex h-[5px] w-[5px]">
+					<span class="animate-status-ping absolute inline-flex h-full w-full rounded-full bg-[var(--color-accent)]"></span>
+					<span class="relative inline-flex h-[5px] w-[5px] rounded-full bg-[var(--color-accent)]"></span>
+				</span>
+				<span class="font-mono text-label uppercase tracking-[0.04em] text-[var(--color-text-secondary)]">All systems operational</span>
+			</div>
+		</footer>
+</main>
diff --git a/frontend/src/routes/dashboard/+layout.svelte b/frontend/src/routes/dashboard/+layout.svelte
index 404b561..910fc04 100644
--- a/frontend/src/routes/dashboard/+layout.svelte
+++ b/frontend/src/routes/dashboard/+layout.svelte
@@ -1,7 +1,19 @@
 <script lang="ts">
+	import Sidebar from '$lib/components/Sidebar.svelte';
 	import Toaster from '$lib/components/Toaster.svelte';
 	let { children } = $props();
+
+	let collapsed = $state(
+		typeof window !== 'undefined'
+			? localStorage.getItem('wrenn_sidebar_collapsed') === 'true'
+			: false
+	);
 </script>
 
-{@render children()}
+<div class="flex h-screen overflow-hidden">
+	<Sidebar bind:collapsed />
+	<div class="flex flex-1 flex-col overflow-hidden">
+		{@render children()}
+	</div>
+</div>
 <Toaster />
diff --git a/frontend/src/routes/dashboard/audit/+page.svelte b/frontend/src/routes/dashboard/audit/+page.svelte
index 1cd4e93..3923155 100644
--- a/frontend/src/routes/dashboard/audit/+page.svelte
+++ b/frontend/src/routes/dashboard/audit/+page.svelte
@@ -1,14 +1,7 @@
 <script lang="ts">
-	import Sidebar from '$lib/components/Sidebar.svelte';
 	import { onMount } from 'svelte';
 	import { listAuditLogs, type AuditLog } from '$lib/api/audit';
 
-	let collapsed = $state(
-		typeof window !== 'undefined'
-			? localStorage.getItem('wrenn_sidebar_collapsed') === 'true'
-			: false
-	);
-
 	// ─── Data state ───────────────────────────────────────────────────────────
 
 	let logs = $state<AuditLog[]>([]);
@@ -282,16 +275,12 @@
 	<title>Wrenn — Audit Logs</title>
 </svelte:head>
 
-<div class="flex h-screen overflow-hidden">
-	<Sidebar bind:collapsed />
-
-	<div class="flex flex-1 flex-col overflow-hidden">
-		<main class="flex-1 overflow-y-auto bg-[var(--color-bg-0)]">
+<main class="flex-1 overflow-y-auto bg-[var(--color-bg-0)]">
 
 			<!-- Header -->
 			<div class="px-7 pt-8">
 				<div>
-					<h1 class="font-serif text-page tracking-[-0.02em] text-[var(--color-text-bright)]">
+					<h1 class="font-serif text-page text-[var(--color-text-bright)]">
 						Audit Logs
 					</h1>
 					<p class="mt-2 text-ui text-[var(--color-text-secondary)]">
@@ -456,7 +445,7 @@
 								</svg>
 							</div>
 						</div>
-						<p class="font-serif text-heading tracking-[-0.02em] text-[var(--color-text-bright)]">
+						<p class="font-serif text-heading text-[var(--color-text-bright)]">
 							{activeFilterCount > 0 ? 'No matching events' : 'No activity yet'}
 						</p>
 						<p class="mt-1.5 text-ui text-[var(--color-text-tertiary)]">
@@ -551,9 +540,15 @@
 			</div>
 		</main>
 
-		<footer class="h-px shrink-0 bg-[var(--color-border)]"></footer>
+<footer class="flex h-7 shrink-0 items-center justify-end border-t border-[var(--color-border)] bg-[var(--color-bg-1)] px-7">
+	<div class="flex items-center gap-1.5">
+		<span class="relative flex h-[5px] w-[5px]">
+			<span class="animate-status-ping absolute inline-flex h-full w-full rounded-full bg-[var(--color-accent)]"></span>
+			<span class="relative inline-flex h-[5px] w-[5px] rounded-full bg-[var(--color-accent)]"></span>
+		</span>
+		<span class="font-mono text-label uppercase tracking-[0.04em] text-[var(--color-text-secondary)]">All systems operational</span>
 	</div>
-</div>
+</footer>
 
 <style>
 	/* fadeUp and iconFloat are defined globally in app.css — no need to redeclare them here */
diff --git a/frontend/src/routes/dashboard/billing/+page.svelte b/frontend/src/routes/dashboard/billing/+page.svelte
index 2ba5cd6..f82fccc 100644
--- a/frontend/src/routes/dashboard/billing/+page.svelte
+++ b/frontend/src/routes/dashboard/billing/+page.svelte
@@ -1,14 +1,7 @@
 <script lang="ts">
-	import Sidebar from '$lib/components/Sidebar.svelte';
 	import { onMount } from 'svelte';
 	import { auth } from '$lib/auth.svelte';
 
-	let collapsed = $state(
-		typeof window !== 'undefined'
-			? localStorage.getItem('wrenn_sidebar_collapsed') === 'true'
-			: false
-	);
-
 	type EndpointStatus = 'loading' | 'available' | 'not_available' | 'error';
 	let status = $state<EndpointStatus>('loading');
 	let errorMsg = $state<string | null>(null);
@@ -47,23 +40,18 @@
 	<title>Wrenn — Billing</title>
 </svelte:head>
 
-<div class="flex h-screen overflow-hidden">
-	<Sidebar bind:collapsed />
-
-	<div class="flex flex-1 flex-col overflow-hidden">
-		<main class="flex-1 overflow-y-auto bg-[var(--color-bg-0)]">
+<main class="flex-1 overflow-y-auto bg-[var(--color-bg-0)]">
 			<!-- Header -->
 			<div class="px-7 pt-8">
-				<h1 class="font-serif text-page tracking-[-0.02em] text-[var(--color-text-bright)]">
+				<h1 class="font-serif text-page text-[var(--color-text-bright)]">
 					Billing
 				</h1>
 				<p class="mt-2 text-ui text-[var(--color-text-secondary)]">
 					Subscription, invoices, and payment methods for your team.
 				</p>
+				<div class="mt-6 border-b border-[var(--color-border)]"></div>
 			</div>
 
-			<div class="mt-6 border-b border-[var(--color-border)]"></div>
-
 			<!-- Content -->
 			<div class="p-8" style="animation: fadeUp 0.35s ease both">
 				{#if status === 'loading'}
@@ -98,8 +86,8 @@
 								</svg>
 							</div>
 						</div>
-						<p class="font-serif text-heading tracking-[-0.02em] text-[var(--color-text-bright)]">
-							Enterprise feature
+						<p class="font-serif text-heading text-[var(--color-text-bright)]">
+							Cloud Feature
 						</p>
 						<p class="mt-2 max-w-sm text-center text-ui leading-relaxed text-[var(--color-text-tertiary)]">
 							Billing management is available on Wrenn Cloud.
@@ -124,8 +112,14 @@
 					</div>
 				{/if}
 			</div>
-		</main>
+	</main>
 
-		<footer class="h-px shrink-0 bg-[var(--color-border)]"></footer>
+<footer class="flex h-7 shrink-0 items-center justify-end border-t border-[var(--color-border)] bg-[var(--color-bg-1)] px-7">
+	<div class="flex items-center gap-1.5">
+		<span class="relative flex h-[5px] w-[5px]">
+			<span class="animate-status-ping absolute inline-flex h-full w-full rounded-full bg-[var(--color-accent)]"></span>
+			<span class="relative inline-flex h-[5px] w-[5px] rounded-full bg-[var(--color-accent)]"></span>
+		</span>
+		<span class="font-mono text-label uppercase tracking-[0.04em] text-[var(--color-text-secondary)]">All systems operational</span>
 	</div>
-</div>
+</footer>
diff --git a/frontend/src/routes/dashboard/capsules/+layout.svelte b/frontend/src/routes/dashboard/capsules/+layout.svelte
index 5c400b9..d2080a7 100644
--- a/frontend/src/routes/dashboard/capsules/+layout.svelte
+++ b/frontend/src/routes/dashboard/capsules/+layout.svelte
@@ -1,88 +1,81 @@
 <script lang="ts">
 	import { page } from '$app/stores';
-	import Sidebar from '$lib/components/Sidebar.svelte';
+	import CopyButton from '$lib/components/CopyButton.svelte';
 	import { capsuleRunningCount } from '$lib/capsule-store.svelte';
 
 	let { children } = $props();
-
-	let collapsed = $state(
-		typeof window !== 'undefined'
-			? localStorage.getItem('wrenn_sidebar_collapsed') === 'true'
-			: false
-	);
 </script>
 
 <svelte:head>
 	<title>Wrenn — Capsules</title>
 </svelte:head>
 
-<div class="flex h-screen overflow-hidden">
-	<Sidebar bind:collapsed />
-
-	<div class="flex flex-1 flex-col overflow-hidden">
-		<main class="flex flex-1 flex-col overflow-y-auto bg-[var(--color-bg-0)]">
-			<!-- Header area -->
-			{#if $page.params.id}
-				<!-- Breadcrumb header for capsule detail (no border-b — tabs provide it) -->
-				<div class="px-7 pt-8">
-					<div class="flex items-center gap-2.5">
-						<a
-							href="/dashboard/capsules"
-							class="font-serif text-page leading-none tracking-[-0.02em] text-[var(--color-text-secondary)] transition-colors duration-150 hover:text-[var(--color-text-bright)]"
-						>
-							Capsules
-						</a>
-						<span class="text-[var(--color-text-muted)] select-none" style="font-size: 1.1rem">›</span>
-						<span class="font-mono text-[1.1rem] leading-none text-[var(--color-text-bright)]">
-							{$page.params.id}
-						</span>
-					</div>
-				</div>
-			{:else}
-				<!-- Default list header -->
-				<div class="px-7 pt-8 pb-6">
-					<div class="flex items-center justify-between">
-						<div>
-							<h1 class="font-serif text-page tracking-[-0.02em] text-[var(--color-text-bright)]">
-								Capsules
-							</h1>
-							<p class="mt-2 text-ui text-[var(--color-text-secondary)]">
-								All active and recent capsules across your team.
-							</p>
-						</div>
-
-						<div class="flex items-center gap-3">
-							<div
-								class="flex items-center gap-2.5 rounded-[var(--radius-card)] border border-[var(--color-accent)]/20 bg-[var(--color-bg-2)] px-3.5 py-2"
-							>
-								<span class="relative flex h-[8px] w-[8px]">
-									<span
-										class="animate-status-ping absolute inline-flex h-full w-full rounded-full bg-[var(--color-accent)]"
-									></span>
-									<span class="relative inline-flex h-[8px] w-[8px] rounded-full bg-[var(--color-accent)]"></span>
-								</span>
-								<span class="font-mono text-body font-semibold text-[var(--color-accent-bright)]">{capsuleRunningCount.value}</span>
-								<span class="text-ui text-[var(--color-text-secondary)]">running now</span>
-							</div>
-						</div>
-					</div>
-				</div>
-			{/if}
-
-			{@render children()}
-		</main>
-
-		<!-- Status bar -->
-		<footer
-			class="flex h-7 shrink-0 items-center justify-end border-t border-[var(--color-border)] bg-[var(--color-bg-1)] px-7"
-		>
-			<div class="flex items-center gap-1.5">
-				<span class="relative flex h-[5px] w-[5px]">
-					<span class="animate-status-ping absolute inline-flex h-full w-full rounded-full bg-[var(--color-accent)]"></span>
-					<span class="relative inline-flex h-[5px] w-[5px] rounded-full bg-[var(--color-accent)]"></span>
+<main class="flex flex-1 flex-col overflow-y-auto bg-[var(--color-bg-0)]">
+	<!-- Header area -->
+	{#if $page.params.id}
+		<!-- Breadcrumb header for capsule detail (no border-b — tabs provide it) -->
+		<div class="px-7 pt-8">
+			<div class="flex items-center gap-2.5">
+				<a
+					href="/dashboard/capsules"
+					class="font-serif text-page leading-none text-[var(--color-text-secondary)] transition-colors duration-150 hover:text-[var(--color-text-bright)]"
+				>
+					Capsules
+				</a>
+				<span class="text-[var(--color-text-muted)] select-none" style="font-size: 1.1rem">›</span>
+				<span class="copy-host flex items-center gap-1.5">
+					<span class="font-mono text-[1.1rem] leading-none text-[var(--color-text-bright)]">
+						{$page.params.id}
+					</span>
+					<CopyButton value={$page.params.id} />
 				</span>
-				<span class="font-mono text-label uppercase tracking-[0.04em] text-[var(--color-text-secondary)]">All systems operational</span>
 			</div>
-		</footer>
+		</div>
+	{:else}
+		<!-- Default list header -->
+		<div class="px-7 pt-8">
+			<div class="flex items-center justify-between">
+				<div>
+					<h1 class="font-serif text-page text-[var(--color-text-bright)]">
+						Capsules
+					</h1>
+					<p class="mt-2 text-ui text-[var(--color-text-secondary)]">
+						All active and recent capsules across your team.
+					</p>
+				</div>
+
+				<div class="flex items-center gap-3">
+					<div
+						class="flex items-center gap-2.5 rounded-[var(--radius-card)] border border-[var(--color-accent)]/20 bg-[var(--color-bg-2)] px-3.5 py-2"
+					>
+						<span class="relative flex h-[8px] w-[8px]">
+							<span
+								class="animate-status-ping absolute inline-flex h-full w-full rounded-full bg-[var(--color-accent)]"
+							></span>
+							<span class="relative inline-flex h-[8px] w-[8px] rounded-full bg-[var(--color-accent)]"></span>
+						</span>
+						<span class="font-mono text-body font-semibold text-[var(--color-accent-bright)]">{capsuleRunningCount.value}</span>
+						<span class="text-ui text-[var(--color-text-secondary)]">running now</span>
+					</div>
+				</div>
+			</div>
+
+			<div class="mt-6 border-b border-[var(--color-border)]"></div>
+		</div>
+	{/if}
+
+	{@render children()}
+</main>
+
+<!-- Status bar -->
+<footer
+	class="flex h-7 shrink-0 items-center justify-end border-t border-[var(--color-border)] bg-[var(--color-bg-1)] px-7"
+>
+	<div class="flex items-center gap-1.5">
+		<span class="relative flex h-[5px] w-[5px]">
+			<span class="animate-status-ping absolute inline-flex h-full w-full rounded-full bg-[var(--color-accent)]"></span>
+			<span class="relative inline-flex h-[5px] w-[5px] rounded-full bg-[var(--color-accent)]"></span>
+		</span>
+		<span class="font-mono text-label uppercase tracking-[0.04em] text-[var(--color-text-secondary)]">All systems operational</span>
 	</div>
-</div>
+</footer>
diff --git a/frontend/src/routes/dashboard/capsules/+page.svelte b/frontend/src/routes/dashboard/capsules/+page.svelte
index afb9de0..d7fd84c 100644
--- a/frontend/src/routes/dashboard/capsules/+page.svelte
+++ b/frontend/src/routes/dashboard/capsules/+page.svelte
@@ -1,5 +1,8 @@
 <script lang="ts">
 	import CreateCapsuleDialog from '$lib/components/CreateCapsuleDialog.svelte';
+	import SnapshotDialog from '$lib/components/SnapshotDialog.svelte';
+	import DestroyDialog from '$lib/components/DestroyDialog.svelte';
+	import CopyButton from '$lib/components/CopyButton.svelte';
 	import { capsuleRunningCount } from '$lib/capsule-store.svelte';
 	import { onMount } from 'svelte';
 	import { toast } from '$lib/toast.svelte';
@@ -8,8 +11,6 @@
 		listCapsules,
 		pauseCapsule,
 		resumeCapsule,
-		destroyCapsule,
-		createSnapshot,
 		type Capsule
 	} from '$lib/api/capsules';
 
@@ -44,14 +45,9 @@
 
 	// Snapshot dialog state
 	let snapshotTarget = $state<{ capsule: Capsule; pauseFirst: boolean } | null>(null);
-	let snapshotName = $state('');
-	let snapshotting = $state(false);
-	let snapshotError = $state<string | null>(null);
 
 	// Destroy confirmation state
 	let destroyTarget = $state<Capsule | null>(null);
-	let destroying = $state(false);
-	let destroyError = $state<string | null>(null);
 
 	// Briefly highlight a newly created capsule row
 	let newCapsuleId = $state<string | null>(null);
@@ -136,6 +132,9 @@
 		const result = await listCapsules();
 		if (result.ok) {
 			capsules = result.data;
+			error = null;
+		} else {
+			error = result.error;
 		}
 		loading = false;
 
@@ -178,45 +177,25 @@
 
 	function handleSnapshot(capsule: Capsule) {
 		openMenuId = null;
-		snapshotName = '';
-		snapshotError = null;
 		snapshotTarget = { capsule, pauseFirst: false };
 	}
 
 	function handlePauseAndSnapshot(capsule: Capsule) {
 		openMenuId = null;
-		snapshotName = '';
-		snapshotError = null;
 		snapshotTarget = { capsule, pauseFirst: true };
 	}
 
-	async function handleSnapshotConfirm() {
-		if (!snapshotTarget) return;
-		snapshotting = true;
-		snapshotError = null;
-		const result = await createSnapshot(snapshotTarget.capsule.id, snapshotName.trim() || undefined);
-		if (result.ok) {
-			snapshotTarget = null;
-			await fetchCapsules();
-		} else {
-			snapshotError = result.error;
-		}
-		snapshotting = false;
+	function handleSnapshotDone() {
+		snapshotTarget = null;
+		fetchCapsules();
 	}
 
-	async function handleDestroy() {
-		if (!destroyTarget) return;
-		destroying = true;
-		destroyError = null;
-		const id = destroyTarget.id;
-		const result = await destroyCapsule(id);
-		if (result.ok) {
+	function handleDestroyed() {
+		if (destroyTarget) {
+			const id = destroyTarget.id;
 			capsules = capsules.filter((c) => c.id !== id);
-			destroyTarget = null;
-		} else {
-			destroyError = result.error;
 		}
-		destroying = false;
+		destroyTarget = null;
 	}
 
 	function handleCapsuleCreated(capsule: Capsule) {
@@ -260,10 +239,23 @@
 		}
 	}
 
+	function handleVisibility() {
+		if (document.hidden) {
+			stopAutoRefresh();
+		} else if (autoRefresh) {
+			fetchCapsules();
+			startAutoRefresh();
+		}
+	}
+
 	onMount(() => {
 		fetchCapsules();
 		startAutoRefresh();
-		return () => stopAutoRefresh();
+		document.addEventListener('visibilitychange', handleVisibility);
+		return () => {
+			stopAutoRefresh();
+			document.removeEventListener('visibilitychange', handleVisibility);
+		};
 	});
 </script>
 
@@ -379,7 +371,7 @@
 	{/if}
 
 	<!-- Table -->
-	<div class="rounded-[var(--radius-card)] border border-[var(--color-border)] overflow-hidden">
+	<div class="min-w-0 rounded-[var(--radius-card)] border border-[var(--color-border)] overflow-hidden">
 		<!-- Table header -->
 		<div class="grid grid-cols-[1.6fr_0.8fr_0.5fr_0.5fr_0.6fr_1fr_0.9fr] rounded-t-[var(--radius-card)] border-b border-[var(--color-border)] bg-[var(--color-bg-3)]">
 			<div class="px-5 py-3 text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-muted)]">ID</div>
@@ -388,7 +380,7 @@
 			{@render sortableHeader('Memory', 'memory_mb')}
 			{@render sortableHeader('Idle Timeout', 'timeout_sec')}
 			{@render sortableHeader('Started', 'started_at')}
-			{@render sortableHeader('Status', 'status')}
+			{@render sortableHeader('Status', 'status', 'right')}
 		</div>
 
 		{#if loading && capsules.length === 0}
@@ -400,7 +392,31 @@
 					Loading capsules...
 				</div>
 			</div>
+		{:else if filteredCapsules.length === 0 && searchQuery}
+			<!-- No search results -->
+			<div class="flex flex-col items-center justify-center py-[72px]">
+				<div class="relative mb-5">
+					<div class="relative flex h-14 w-14 items-center justify-center rounded-[var(--radius-card)] border border-[var(--color-border)] bg-[var(--color-bg-3)]">
+						<svg width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="var(--color-text-muted)" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round">
+							<circle cx="11" cy="11" r="8" /><line x1="21" y1="21" x2="16.65" y2="16.65" />
+						</svg>
+					</div>
+				</div>
+				<p class="font-serif text-heading text-[var(--color-text-bright)]">
+					No matching capsules
+				</p>
+				<p class="mt-1.5 text-ui text-[var(--color-text-tertiary)]">
+					No capsules match "<span class="font-mono text-[var(--color-text-secondary)]">{searchQuery}</span>". Try a different ID.
+				</p>
+				<button
+					onclick={() => { searchQuery = ''; }}
+					class="mt-4 rounded-[var(--radius-button)] border border-[var(--color-border)] px-4 py-2 text-ui text-[var(--color-text-secondary)] transition-colors duration-150 hover:border-[var(--color-border-mid)] hover:text-[var(--color-text-primary)]"
+				>
+					Clear search
+				</button>
+			</div>
 		{:else if filteredCapsules.length === 0}
+			<!-- No capsules at all -->
 			<div class="flex flex-col items-center justify-center py-[72px]">
 				<div class="relative mb-5">
 					<div class="absolute inset-0 -m-4 rounded-full" style="background: radial-gradient(circle, rgba(94,140,88,0.08) 0%, transparent 70%)"></div>
@@ -412,7 +428,7 @@
 						</svg>
 					</div>
 				</div>
-				<p class="font-serif text-heading tracking-[-0.02em] text-[var(--color-text-bright)]">
+				<p class="font-serif text-heading text-[var(--color-text-bright)]">
 					No capsules yet
 				</p>
 				<p class="mt-1.5 text-ui text-[var(--color-text-tertiary)]">
@@ -440,7 +456,7 @@
 					<div class="row-stripe pointer-events-none absolute left-0 top-0 h-full w-0.5 {stripeColor}"></div>
 
 					<!-- ID with status dot -->
-					<div class="flex items-center gap-2.5 px-5 py-4">
+					<div class="flex min-w-0 items-center gap-2.5 px-5 py-4">
 						{#if capsule.status === 'running'}
 							<span class="relative flex h-[6px] w-[6px] shrink-0">
 								<span class="animate-status-ping absolute inline-flex h-full w-full rounded-full bg-[var(--color-accent)]"></span>
@@ -453,10 +469,11 @@
 						{/if}
 						{#if searchQuery && capsule.id.toLowerCase().includes(searchQuery.toLowerCase())}
 							{@const matchIdx = capsule.id.toLowerCase().indexOf(searchQuery.toLowerCase())}
-							<a href="/dashboard/capsules/{capsule.id}" class="font-mono text-ui text-[var(--color-text-bright)] hover:text-[var(--color-accent-bright)] transition-colors duration-150">{capsule.id.slice(0, matchIdx)}<mark class="rounded-[2px] bg-[var(--color-accent-glow-mid)] px-0.5 text-[var(--color-accent-bright)] not-italic">{capsule.id.slice(matchIdx, matchIdx + searchQuery.length)}</mark>{capsule.id.slice(matchIdx + searchQuery.length)}</a>
+							<a href="/dashboard/capsules/{capsule.id}" class="truncate font-mono text-ui text-[var(--color-text-bright)] hover:text-[var(--color-accent-bright)] transition-colors duration-150">{capsule.id.slice(0, matchIdx)}<mark class="rounded-[2px] bg-[var(--color-accent-glow-mid)] px-0.5 text-[var(--color-accent-bright)] not-italic">{capsule.id.slice(matchIdx, matchIdx + searchQuery.length)}</mark>{capsule.id.slice(matchIdx + searchQuery.length)}</a>
 						{:else}
-							<a href="/dashboard/capsules/{capsule.id}" class="font-mono text-ui text-[var(--color-text-bright)] hover:text-[var(--color-accent-bright)] transition-colors duration-150">{capsule.id}</a>
+							<a href="/dashboard/capsules/{capsule.id}" class="truncate font-mono text-ui text-[var(--color-text-bright)] hover:text-[var(--color-accent-bright)] transition-colors duration-150">{capsule.id}</a>
 						{/if}
+						<CopyButton value={capsule.id} />
 					</div>
 
 					<!-- Template -->
@@ -488,7 +505,7 @@
 					</div>
 
 					<!-- Status button with popover -->
-					<div class="relative px-5 py-4 status-menu-container">
+					<div class="relative flex items-center justify-end px-5 py-4 status-menu-container">
 						{#if actionLoading === capsule.id}
 							<span class="inline-flex items-center gap-1.5 text-ui text-[var(--color-text-secondary)]">
 								<svg class="animate-spin" width="13" height="13" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2">
@@ -503,7 +520,16 @@
 										openMenuId = null;
 									} else {
 										const rect = (e.currentTarget as HTMLElement).getBoundingClientRect();
-										menuPos = { top: rect.bottom + 4, left: rect.right - 180 };
+										const menuW = 180;
+										const menuH = 140; // approximate max menu height
+										const vw = document.documentElement.clientWidth;
+										const top = rect.bottom + 4 + menuH > window.innerHeight
+											? rect.top - menuH - 4
+											: rect.bottom + 4;
+										// Anchor right edge of menu to right edge of button, clamped within viewport
+										const idealLeft = rect.right - menuW;
+										const left = Math.min(Math.max(8, idealLeft), vw - menuW - 8);
+										menuPos = { top, left };
 										openMenuId = capsule.id;
 									}
 								}}
@@ -577,7 +603,7 @@
 			{/if}
 			<div class="my-1 border-t border-[var(--color-border)]"></div>
 			<button
-				onclick={() => { const target = openCapsule; openMenuId = null; destroyError = null; destroyTarget = target; }}
+				onclick={() => { const target = openCapsule; openMenuId = null; destroyTarget = target; }}
 				class="flex w-full items-center gap-2.5 px-3 py-2 text-meta text-[var(--color-red)] transition-colors duration-150 hover:bg-[var(--color-red)]/5"
 			>
 				<svg width="13" height="13" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="shrink-0">
@@ -592,139 +618,23 @@
 
 <!-- Snapshot Dialog -->
 {#if snapshotTarget}
-	<div class="fixed inset-0 z-50 flex items-center justify-center">
-		<!-- svelte-ignore a11y_no_static_element_interactions -->
-		<div
-			class="absolute inset-0 bg-black/60"
-			onclick={() => { if (!snapshotting) snapshotTarget = null; }}
-			onkeydown={(e) => { if (e.key === 'Escape' && !snapshotting) snapshotTarget = null; }}
-		></div>
-
-		<div class="relative w-full max-w-[420px] rounded-[var(--radius-card)] border border-[var(--color-border-mid)] bg-[var(--color-bg-2)] overflow-hidden" style="animation: fadeUp 0.2s ease both; box-shadow: var(--shadow-dialog)">
-			<div class="flex items-center gap-4 border-b border-[var(--color-border)] bg-[var(--color-bg-3)] px-6 py-5">
-				<div class="flex h-10 w-10 shrink-0 items-center justify-center rounded-[var(--radius-input)] bg-[var(--color-accent)]/15 text-[var(--color-accent)] shadow-[0_0_12px_var(--color-accent-glow)]">
-					<svg width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.75" stroke-linecap="round" stroke-linejoin="round">
-						<path d="M14.5 4h-5L7 7H2v13a2 2 0 002 2h16a2 2 0 002-2V7h-5l-2.5-3z" />
-						<circle cx="12" cy="15" r="3" />
-					</svg>
-				</div>
-				<div>
-					<h2 class="font-serif text-heading tracking-[-0.02em] text-[var(--color-text-bright)]">Capture snapshot</h2>
-					<p class="mt-0.5 text-meta text-[var(--color-text-muted)] font-mono">{snapshotTarget.capsule.id}</p>
-				</div>
-			</div>
-
-			<div class="px-6 pt-5 pb-6 space-y-4">
-				{#if snapshotTarget.pauseFirst}
-					<div class="flex items-start gap-2.5 rounded-[var(--radius-input)] border border-[var(--color-amber)]/25 bg-[var(--color-amber)]/8 px-3 py-2.5">
-						<svg class="mt-px shrink-0 text-[var(--color-amber)]" width="13" height="13" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
-							<path d="M10.29 3.86L1.82 18a2 2 0 001.71 3h16.94a2 2 0 001.71-3L13.71 3.86a2 2 0 00-3.42 0z" />
-							<line x1="12" y1="9" x2="12" y2="13" />
-							<line x1="12" y1="17" x2="12.01" y2="17" />
-						</svg>
-						<p class="text-meta text-[var(--color-amber)] leading-relaxed">This capsule will be <strong class="font-semibold">paused first</strong>, then its full state (memory + disk) will be captured.</p>
-					</div>
-				{:else}
-					<p class="text-ui text-[var(--color-text-tertiary)]">The capsule's current memory state will be captured and stored as a reusable snapshot.</p>
-				{/if}
-
-				{#if snapshotError}
-					<div class="rounded-[var(--radius-input)] border border-[var(--color-red)]/30 bg-[var(--color-red)]/5 px-3 py-2 text-meta text-[var(--color-red)]">
-						{snapshotError}
-					</div>
-				{/if}
-
-				<div>
-					<div class="mb-1.5 flex items-baseline justify-between">
-						<label class="text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-tertiary)]" for="snapshot-name">Snapshot name</label>
-						<span class="text-meta text-[var(--color-text-muted)]">optional</span>
-					</div>
-					<input
-						id="snapshot-name"
-						type="text"
-						bind:value={snapshotName}
-						disabled={snapshotting}
-						class="w-full rounded-[var(--radius-input)] border border-[var(--color-border)] bg-[var(--color-bg-4)] px-3 py-2 font-mono text-ui text-[var(--color-text-bright)] outline-none placeholder:text-[var(--color-text-muted)] transition-colors duration-150 focus:border-[var(--color-accent)] disabled:opacity-50"
-						placeholder="e.g. after-apt-install, pre-migration"
-						onkeydown={(e) => { if (e.key === 'Enter' && !snapshotting) handleSnapshotConfirm(); }}
-					/>
-					<p class="mt-1.5 text-meta text-[var(--color-text-muted)]">Leave blank to use an auto-generated name.</p>
-				</div>
-
-				<div class="flex justify-end gap-3 pt-1">
-					<button
-						onclick={() => { snapshotTarget = null; }}
-						disabled={snapshotting}
-						class="rounded-[var(--radius-button)] border border-[var(--color-border)] px-4 py-2 text-ui text-[var(--color-text-secondary)] transition-colors duration-150 hover:border-[var(--color-border-mid)] hover:text-[var(--color-text-primary)] disabled:opacity-50"
-					>
-						Cancel
-					</button>
-					<button
-						onclick={handleSnapshotConfirm}
-						disabled={snapshotting}
-						class="flex items-center gap-2 rounded-[var(--radius-button)] bg-[var(--color-accent)] px-5 py-2 text-ui font-semibold text-white transition-all duration-150 hover:brightness-115 hover:-translate-y-px active:translate-y-0 disabled:opacity-50 disabled:hover:translate-y-0"
-					>
-						{#if snapshotting}
-							<svg class="animate-spin" width="13" height="13" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2">
-								<path d="M21 12a9 9 0 1 1-6.219-8.56" />
-							</svg>
-							Capturing...
-						{:else}
-							Capture snapshot
-						{/if}
-					</button>
-				</div>
-			</div>
-		</div>
-	</div>
+	<SnapshotDialog
+		open={true}
+		capsuleId={snapshotTarget.capsule.id}
+		pauseFirst={snapshotTarget.pauseFirst}
+		onclose={() => { snapshotTarget = null; }}
+		onsnapshot={handleSnapshotDone}
+	/>
 {/if}
 
-<!-- Destroy confirmation dialog -->
+<!-- Destroy Dialog -->
 {#if destroyTarget}
-	<div class="fixed inset-0 z-50 flex items-center justify-center">
-		<!-- svelte-ignore a11y_no_static_element_interactions -->
-		<div
-			class="absolute inset-0 bg-black/60"
-			onclick={() => { if (!destroying) destroyTarget = null; }}
-			onkeydown={(e) => { if (e.key === 'Escape' && !destroying) destroyTarget = null; }}
-		></div>
-		<div class="relative w-full max-w-[380px] rounded-[var(--radius-card)] border border-[var(--color-border-mid)] bg-[var(--color-bg-2)] p-6" style="animation: fadeUp 0.2s ease both">
-			<h2 class="font-serif text-heading tracking-[-0.02em] text-[var(--color-text-bright)]">Destroy Capsule</h2>
-			<p class="mt-2 text-ui text-[var(--color-text-tertiary)]">
-				Terminate <span class="font-mono text-[var(--color-text-secondary)]">{destroyTarget.id}</span> and destroy all data inside it. This cannot be undone.
-			</p>
-
-			{#if destroyError}
-				<div class="mt-4 rounded-[var(--radius-input)] border border-[var(--color-red)]/30 bg-[var(--color-red)]/5 px-3 py-2 text-meta text-[var(--color-red)]">
-					{destroyError}
-				</div>
-			{/if}
-
-			<div class="mt-6 flex justify-end gap-3">
-				<button
-					onclick={() => { destroyTarget = null; }}
-					disabled={destroying}
-					class="rounded-[var(--radius-button)] border border-[var(--color-border)] px-4 py-2 text-ui text-[var(--color-text-secondary)] transition-colors duration-150 hover:border-[var(--color-border-mid)] hover:text-[var(--color-text-primary)] disabled:opacity-50"
-				>
-					Cancel
-				</button>
-				<button
-					onclick={handleDestroy}
-					disabled={destroying}
-					class="flex items-center gap-2 rounded-[var(--radius-button)] bg-[var(--color-red)] px-5 py-2 text-ui font-semibold text-white transition-all duration-150 hover:brightness-110 hover:-translate-y-px active:translate-y-0 disabled:opacity-50 disabled:hover:translate-y-0"
-				>
-					{#if destroying}
-						<svg class="animate-spin" width="13" height="13" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2">
-							<path d="M21 12a9 9 0 1 1-6.219-8.56" />
-						</svg>
-						Destroying...
-					{:else}
-						Destroy
-					{/if}
-				</button>
-			</div>
-		</div>
-	</div>
+	<DestroyDialog
+		open={true}
+		capsuleId={destroyTarget.id}
+		onclose={() => { destroyTarget = null; }}
+		ondestroyed={handleDestroyed}
+	/>
 {/if}
 
 <!-- Create Capsule Dialog -->
@@ -734,10 +644,10 @@
 	oncreated={handleCapsuleCreated}
 />
 
-{#snippet sortableHeader(label: string, key: SortKey)}
+{#snippet sortableHeader(label: string, key: SortKey, align: 'left' | 'right' = 'left')}
 	<button
 		onclick={() => toggleSort(key)}
-		class="flex items-center gap-1 px-5 py-3 text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-muted)] transition-colors duration-150 hover:text-[var(--color-text-secondary)]"
+		class="flex items-center gap-1 px-5 py-3 text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-muted)] transition-colors duration-150 hover:text-[var(--color-text-secondary)] {align === 'right' ? 'ml-auto' : ''}"
 	>
 		{label}
 		{#if sortKey === key}
diff --git a/frontend/src/routes/dashboard/capsules/[id]/+page.svelte b/frontend/src/routes/dashboard/capsules/[id]/+page.svelte
index ed26426..a8bfb4d 100644
--- a/frontend/src/routes/dashboard/capsules/[id]/+page.svelte
+++ b/frontend/src/routes/dashboard/capsules/[id]/+page.svelte
@@ -2,24 +2,70 @@
 	import { onMount, onDestroy, tick } from 'svelte';
 	import { page } from '$app/stores';
 	import { goto } from '$app/navigation';
-	import { getCapsule, type Capsule } from '$lib/api/capsules';
+	import { getCapsule, pauseCapsule, resumeCapsule, type Capsule } from '$lib/api/capsules';
+	import { toast } from '$lib/toast.svelte';
+	import SnapshotDialog from '$lib/components/SnapshotDialog.svelte';
+	import DestroyDialog from '$lib/components/DestroyDialog.svelte';
+	import FilesTab from '$lib/components/FilesTab.svelte';
+	import TerminalTab from '$lib/components/TerminalTab.svelte';
 	import {
-		fetchSandboxMetrics,
+		fetchCapsuleMetrics,
 		METRIC_RANGES,
-		METRIC_POLL_INTERVAL,
+		METRIC_POLL_INTERVALS,
 		type MetricRange,
 		type MetricPoint
 	} from '$lib/api/metrics';
 
-	const sandboxId: string = $page.params.id ?? '';
+	const capsuleId: string = $page.params.id ?? '';
 
 	let capsule = $state<Capsule | null>(null);
 	let capsuleLoading = $state(true);
 	let capsuleError = $state<string | null>(null);
 
-	type Tab = 'metrics' | 'files';
+	// Lifecycle action state
+	let actionLoading = $state<string | null>(null);
+	let showDestroy = $state(false);
+	let showSnapshot = $state(false);
+
+	async function handlePause() {
+		if (!capsule) return;
+		actionLoading = 'pause';
+		const result = await pauseCapsule(capsule.id);
+		if (result.ok) {
+			capsule = result.data;
+		} else {
+			toast.error(result.error);
+		}
+		actionLoading = null;
+	}
+
+	async function handleResume() {
+		if (!capsule) return;
+		actionLoading = 'resume';
+		const result = await resumeCapsule(capsule.id);
+		if (result.ok) {
+			capsule = result.data;
+		} else {
+			toast.error(result.error);
+		}
+		actionLoading = null;
+	}
+
+	type Tab = 'metrics' | 'files' | 'terminal';
+	const VALID_TABS: Tab[] = ['metrics', 'files', 'terminal'];
 	let activeTab = $state<Tab>('metrics');
 
+	function setTab(tab: Tab) {
+		activeTab = tab;
+		const url = new URL(window.location.href);
+		if (tab === 'metrics') {
+			url.searchParams.delete('tab');
+		} else {
+			url.searchParams.set('tab', tab);
+		}
+		history.replaceState(null, '', url.toString());
+	}
+
 	let range = $state<MetricRange>('10m');
 	let points = $state<MetricPoint[]>([]);
 	let metricsLoading = $state(true);
@@ -31,7 +77,11 @@
 	let chartCpu: any = null;
 	// eslint-disable-next-line @typescript-eslint/no-explicit-any
 	let chartRam: any = null;
+	// eslint-disable-next-line @typescript-eslint/no-explicit-any
+	let ChartJS = $state<any>(null);
 	let pollInterval: ReturnType<typeof setInterval> | null = null;
+	let lastDataKey = '';   // fingerprint to skip redundant chart redraws
+	let visibilityHandler: (() => void) | null = null;
 
 	const metricsAvailable = $derived(
 		capsule?.status === 'running' || capsule?.status === 'paused'
@@ -46,7 +96,7 @@
 	);
 
 	async function loadCapsule() {
-		const result = await getCapsule(sandboxId);
+		const result = await getCapsule(capsuleId);
 		if (result.ok) {
 			capsule = result.data;
 			capsuleError = null;
@@ -58,7 +108,7 @@
 
 	async function loadMetrics() {
 		if (!metricsAvailable) return;
-		const result = await fetchSandboxMetrics(sandboxId, range);
+		const result = await fetchCapsuleMetrics(capsuleId, range);
 		if (result.ok) {
 			points = result.data.points;
 			metricsError = null;
@@ -93,6 +143,10 @@
 
 	function updateCharts() {
 		if (!points.length) return;
+		// Skip redraw if data hasn't changed.
+		const key = `${points.length}:${points.at(-1)?.timestamp_unix ?? ''}`;
+		if (key === lastDataKey) return;
+		lastDataKey = key;
 		const labels = formatLabels(Array.from(points), range);
 		const w = smoothWindow(points.length);
 		if (chartCpu) {
@@ -123,15 +177,20 @@
 
 	function setRange(r: MetricRange) {
 		range = r;
+		lastDataKey = '';   // force chart redraw on range switch
 		goto(`?range=${r}`, { replaceState: true, noScroll: true, keepFocus: true });
 		metricsLoading = true;
 		restartPolling();
 	}
 
+	function stopPolling() {
+		if (pollInterval) { clearInterval(pollInterval); pollInterval = null; }
+	}
+
 	function restartPolling() {
-		if (pollInterval) clearInterval(pollInterval);
+		stopPolling();
 		loadMetrics();
-		pollInterval = setInterval(loadMetrics, METRIC_POLL_INTERVAL);
+		pollInterval = setInterval(loadMetrics, METRIC_POLL_INTERVALS[range]);
 	}
 
 	// Chart design tokens (match StatsPanel.svelte)
@@ -182,23 +241,13 @@
 		},
 	};
 
-	onMount(async () => {
-		const urlRange = new URLSearchParams(window.location.search).get('range');
-		if (urlRange && METRIC_RANGES.includes(urlRange as MetricRange)) {
-			range = urlRange as MetricRange;
-		}
+	function initCharts() {
+		if (!ChartJS || !canvasCpu || !canvasRam) return;
 
-		await loadCapsule();
+		chartCpu?.destroy();
+		chartRam?.destroy();
 
-		if (!metricsAvailable) return;
-
-		await tick();
-
-		if (!canvasCpu || !canvasRam) return;
-
-		const { Chart } = await import('chart.js/auto');
-
-		chartCpu = new Chart(canvasCpu, {
+		chartCpu = new ChartJS(canvasCpu, {
 			type: 'line',
 			data: {
 				labels: [],
@@ -241,7 +290,7 @@
 			},
 		});
 
-		chartRam = new Chart(canvasRam, {
+		chartRam = new ChartJS(canvasRam, {
 			type: 'line',
 			data: {
 				labels: [],
@@ -285,11 +334,65 @@
 		});
 
 		updateCharts();
-		restartPolling();
+	}
+
+	// Re-create charts whenever the metrics tab becomes active (canvases remount)
+	$effect(() => {
+		// Only track these two values for re-triggering
+		const tab = activeTab;
+		const chartLib = ChartJS;
+
+		if (tab !== 'metrics' || !chartLib) return;
+
+		// Wait for canvases to mount after the tab switch
+		tick().then(() => {
+			if (canvasCpu && canvasRam) {
+				initCharts();
+				restartPolling();
+			}
+		});
+
+		return () => {
+			stopPolling();
+			chartCpu?.destroy(); chartCpu = null;
+			chartRam?.destroy(); chartRam = null;
+		};
+	});
+
+	onMount(async () => {
+		const params = new URLSearchParams(window.location.search);
+
+		const urlTab = params.get('tab') as Tab | null;
+		if (urlTab && VALID_TABS.includes(urlTab)) {
+			activeTab = urlTab;
+		}
+
+		const urlRange = params.get('range');
+		if (urlRange && METRIC_RANGES.includes(urlRange as MetricRange)) {
+			range = urlRange as MetricRange;
+		}
+
+		await loadCapsule();
+
+		if (!metricsAvailable) return;
+
+		const mod = await import('chart.js/auto');
+		ChartJS = mod.Chart;
+
+		// Pause polling when the browser tab is hidden.
+		visibilityHandler = () => {
+			if (document.hidden) {
+				stopPolling();
+			} else if (activeTab === 'metrics' && metricsAvailable) {
+				restartPolling();
+			}
+		};
+		document.addEventListener('visibilitychange', visibilityHandler);
 	});
 
 	onDestroy(() => {
-		if (pollInterval) clearInterval(pollInterval);
+		stopPolling();
+		if (visibilityHandler) document.removeEventListener('visibilitychange', visibilityHandler);
 		chartCpu?.destroy();
 		chartRam?.destroy();
 	});
@@ -338,7 +441,7 @@
 </script>
 
 <svelte:head>
-	<title>Wrenn — {sandboxId}</title>
+	<title>Wrenn — {capsuleId}</title>
 </svelte:head>
 
 <style>
@@ -375,10 +478,10 @@
 {:else if capsule}
 <div class="flex flex-1 flex-col min-h-0">
 
-	<!-- Tabs (matches Templates page pattern) -->
-	<div class="mt-5 flex gap-0 border-b border-[var(--color-border)] px-7">
+	<!-- Tabs + lifecycle actions -->
+	<div class="mt-5 flex items-center border-b border-[var(--color-border)] px-7">
 			<button
-				onclick={() => (activeTab = 'metrics')}
+				onclick={() => setTab('metrics')}
 				class="flex items-center gap-2 border-b-2 px-4 py-2.5 text-ui font-medium transition-colors duration-150
 					{activeTab === 'metrics'
 						? 'border-[var(--color-accent)] text-[var(--color-accent-bright)]'
@@ -391,22 +494,94 @@
 			</button>
 
 			<button
-				disabled
-				title="Coming soon"
-				class="flex cursor-not-allowed items-center gap-2 border-b-2 border-transparent px-4 py-2.5 text-ui font-medium opacity-40"
+				onclick={() => setTab('files')}
+				class="flex items-center gap-2 border-b-2 px-4 py-2.5 text-ui font-medium transition-colors duration-150
+					{activeTab === 'files'
+						? 'border-[var(--color-accent)] text-[var(--color-accent-bright)]'
+						: 'border-transparent text-[var(--color-text-secondary)] hover:text-[var(--color-text-primary)]'}"
 			>
 				<svg width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true">
 					<path d="M22 19a2 2 0 0 1-2 2H4a2 2 0 0 1-2-2V5a2 2 0 0 1 2-2h5l2 3h9a2 2 0 0 1 2 2z" />
 				</svg>
 				Files
-				<span class="rounded-[3px] bg-[var(--color-bg-4)] px-1.5 py-0.5 text-badge font-semibold uppercase tracking-[0.06em] text-[var(--color-text-muted)]">
-					Soon
-				</span>
 			</button>
+
+			<button
+				onclick={() => setTab('terminal')}
+				class="flex items-center gap-2 border-b-2 px-4 py-2.5 text-ui font-medium transition-colors duration-150
+					{activeTab === 'terminal'
+						? 'border-[var(--color-accent)] text-[var(--color-accent-bright)]'
+						: 'border-transparent text-[var(--color-text-secondary)] hover:text-[var(--color-text-primary)]'}"
+			>
+				<svg width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true">
+					<polyline points="4 17 10 11 4 5" /><line x1="12" y1="19" x2="20" y2="19" />
+				</svg>
+				Terminal
+			</button>
+
+			<!-- Lifecycle actions (right-aligned) -->
+			<div class="ml-auto flex items-center gap-2">
+				{#if capsule.status === 'running'}
+					<button
+						onclick={handlePause}
+						disabled={actionLoading !== null}
+						class="flex items-center gap-1.5 rounded-[var(--radius-button)] border border-[var(--color-amber)]/30 bg-[var(--color-amber)]/8 px-3 py-1.5 text-meta font-medium text-[var(--color-amber)] transition-all duration-150 hover:bg-[var(--color-amber)]/15 hover:border-[var(--color-amber)]/50 disabled:opacity-50"
+					>
+						{#if actionLoading === 'pause'}
+							<svg class="animate-spin" width="12" height="12" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><path d="M21 12a9 9 0 1 1-6.219-8.56" /></svg>
+							Pausing...
+						{:else}
+							<svg width="12" height="12" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><rect x="6" y="4" width="4" height="16" /><rect x="14" y="4" width="4" height="16" /></svg>
+							Pause
+						{/if}
+					</button>
+				{:else if capsule.status === 'paused'}
+					<button
+						onclick={handleResume}
+						disabled={actionLoading !== null}
+						class="flex items-center gap-1.5 rounded-[var(--radius-button)] border border-[var(--color-accent)]/30 bg-[var(--color-accent)]/8 px-3 py-1.5 text-meta font-medium text-[var(--color-accent-bright)] transition-all duration-150 hover:bg-[var(--color-accent)]/15 hover:border-[var(--color-accent)]/50 disabled:opacity-50"
+					>
+						{#if actionLoading === 'resume'}
+							<svg class="animate-spin" width="12" height="12" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><path d="M21 12a9 9 0 1 1-6.219-8.56" /></svg>
+							Resuming...
+						{:else}
+							<svg width="12" height="12" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><polygon points="5 3 19 12 5 21 5 3" /></svg>
+							Resume
+						{/if}
+					</button>
+					<button
+						onclick={() => { showSnapshot = true; }}
+						disabled={actionLoading !== null}
+						class="flex items-center gap-1.5 rounded-[var(--radius-button)] border border-[var(--color-border)] bg-[var(--color-bg-3)] px-3 py-1.5 text-meta font-medium text-[var(--color-text-secondary)] transition-all duration-150 hover:bg-[var(--color-bg-4)] hover:text-[var(--color-text-primary)] disabled:opacity-50"
+					>
+						<svg width="12" height="12" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.75" stroke-linecap="round" stroke-linejoin="round"><path d="M14.5 4h-5L7 7H2v13a2 2 0 002 2h16a2 2 0 002-2V7h-5l-2.5-3z" /><circle cx="12" cy="15" r="3" /></svg>
+						Snapshot
+					</button>
+				{/if}
+
+				{#if capsule.status === 'running' || capsule.status === 'paused'}
+					<button
+						onclick={() => { showDestroy = true; }}
+						disabled={actionLoading !== null}
+						class="flex items-center gap-1.5 rounded-[var(--radius-button)] border border-[var(--color-red)]/30 bg-[var(--color-red)]/8 px-3 py-1.5 text-meta font-medium text-[var(--color-red)] transition-all duration-150 hover:bg-[var(--color-red)]/15 hover:border-[var(--color-red)]/50 disabled:opacity-50"
+					>
+						<svg width="12" height="12" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><polyline points="3 6 5 6 21 6" /><path d="M19 6v14a2 2 0 01-2 2H7a2 2 0 01-2-2V6m3 0V4a2 2 0 012-2h4a2 2 0 012 2v2" /></svg>
+						Destroy
+					</button>
+				{/if}
+			</div>
 	</div>
 
-	<!-- Stats tab content -->
-	{#if activeTab === 'metrics'}
+	<!-- Tab content -->
+	<!-- Terminal stays mounted so sessions survive tab switches -->
+	<div class="flex flex-1 min-h-0" style:display={activeTab === 'terminal' ? 'flex' : 'none'}>
+		<TerminalTab capsuleId={capsuleId} isRunning={capsule.status === 'running'} visible={activeTab === 'terminal'} />
+	</div>
+	{#if activeTab === 'files'}
+		<div class="anim-in flex flex-1 min-h-0" style="animation-delay: 0.05s">
+			<FilesTab capsuleId={capsuleId} isRunning={capsule.status === 'running'} />
+		</div>
+	{:else if activeTab === 'metrics'}
 		<div
 			class="anim-in flex flex-1 flex-col gap-5 min-h-0 p-8"
 			style="animation-delay: 0.05s"
@@ -579,4 +754,18 @@
 		</div>
 	{/if}
 </div>
+
+<SnapshotDialog
+	open={showSnapshot}
+	capsuleId={capsuleId}
+	onclose={() => { showSnapshot = false; }}
+	onsnapshot={() => { goto('/dashboard/capsules'); }}
+/>
+
+<DestroyDialog
+	open={showDestroy}
+	capsuleId={capsuleId}
+	onclose={() => { showDestroy = false; }}
+	ondestroyed={() => { goto('/dashboard/capsules'); }}
+/>
 {/if}
diff --git a/frontend/src/routes/dashboard/channels/+page.svelte b/frontend/src/routes/dashboard/channels/+page.svelte
index 62a9e26..2f5cb0d 100644
--- a/frontend/src/routes/dashboard/channels/+page.svelte
+++ b/frontend/src/routes/dashboard/channels/+page.svelte
@@ -1,5 +1,4 @@
 <script lang="ts">
-	import Sidebar from '$lib/components/Sidebar.svelte';
 	import { onMount } from 'svelte';
 	import { fly } from 'svelte/transition';
 	import { cubicIn, cubicOut } from 'svelte/easing';
@@ -17,12 +16,6 @@
 	import { toast } from '$lib/toast.svelte';
 	import { formatDate, timeAgo } from '$lib/utils/format';
 
-	let collapsed = $state(
-		typeof window !== 'undefined'
-			? localStorage.getItem('wrenn_sidebar_collapsed') === 'true'
-			: false
-	);
-
 	// List state
 	let channels = $state<Channel[]>([]);
 	let loading = $state(true);
@@ -94,6 +87,21 @@
 		return PROVIDERS.find((p) => p.value === value)?.label ?? value;
 	}
 
+	// Per-provider color palette — [text, bg, border, stripe]
+	const PROVIDER_COLORS: Record<string, { text: string; bg: string; border: string }> = {
+		discord:    { text: '#8b9cef', bg: 'rgba(88,101,242,0.12)', border: 'rgba(88,101,242,0.3)' },
+		slack:      { text: '#d4a0c0', bg: 'rgba(180,120,160,0.10)', border: 'rgba(180,120,160,0.3)' },
+		teams:      { text: '#a78bda', bg: 'rgba(120,90,200,0.10)', border: 'rgba(120,90,200,0.3)' },
+		googlechat: { text: '#6ec07a', bg: 'rgba(60,176,80,0.10)',  border: 'rgba(60,176,80,0.25)' },
+		telegram:   { text: '#6cb8d9', bg: 'rgba(42,171,226,0.10)', border: 'rgba(42,171,226,0.25)' },
+		matrix:     { text: '#6bccc4', bg: 'rgba(80,200,190,0.10)', border: 'rgba(80,200,190,0.25)' },
+		webhook:    { text: 'var(--color-text-secondary)', bg: 'rgba(255,255,255,0.04)', border: 'var(--color-border-mid)' },
+	};
+
+	function providerColor(provider: string): typeof PROVIDER_COLORS['discord'] {
+		return PROVIDER_COLORS[provider] ?? PROVIDER_COLORS['webhook'];
+	}
+
 	function fieldLabel(field: string): string {
 		return field.replace(/_/g, ' ').replace(/\b\w/g, (c) => c.toUpperCase());
 	}
@@ -286,39 +294,22 @@
 		return `${events.length} events`;
 	}
 
-	// Click-outside handlers for dropdowns
-	$effect(() => {
-		if (!providerDropdownOpen) return;
-		function handleMouseDown(e: MouseEvent) {
-			if (providerDropdownEl && !providerDropdownEl.contains(e.target as Node)) {
-				providerDropdownOpen = false;
+	// Click-outside handler — single listener covers all dropdowns
+	function useClickOutside(open: () => boolean, el: () => HTMLElement | null, close: () => void) {
+		$effect(() => {
+			if (!open()) return;
+			function onMouseDown(e: MouseEvent) {
+				const container = el();
+				if (container && !container.contains(e.target as Node)) close();
 			}
-		}
-		document.addEventListener('mousedown', handleMouseDown);
-		return () => document.removeEventListener('mousedown', handleMouseDown);
-	});
+			document.addEventListener('mousedown', onMouseDown);
+			return () => document.removeEventListener('mousedown', onMouseDown);
+		});
+	}
 
-	$effect(() => {
-		if (!eventsDropdownOpen) return;
-		function handleMouseDown(e: MouseEvent) {
-			if (eventsDropdownEl && !eventsDropdownEl.contains(e.target as Node)) {
-				eventsDropdownOpen = false;
-			}
-		}
-		document.addEventListener('mousedown', handleMouseDown);
-		return () => document.removeEventListener('mousedown', handleMouseDown);
-	});
-
-	$effect(() => {
-		if (!editEventsDropdownOpen) return;
-		function handleMouseDown(e: MouseEvent) {
-			if (editEventsDropdownEl && !editEventsDropdownEl.contains(e.target as Node)) {
-				editEventsDropdownOpen = false;
-			}
-		}
-		document.addEventListener('mousedown', handleMouseDown);
-		return () => document.removeEventListener('mousedown', handleMouseDown);
-	});
+	useClickOutside(() => providerDropdownOpen, () => providerDropdownEl, () => { providerDropdownOpen = false; });
+	useClickOutside(() => eventsDropdownOpen, () => eventsDropdownEl, () => { eventsDropdownOpen = false; });
+	useClickOutside(() => editEventsDropdownOpen, () => editEventsDropdownEl, () => { editEventsDropdownOpen = false; });
 
 	onMount(fetchChannels);
 </script>
@@ -347,18 +338,19 @@
 	}}
 />
 
-<div class="flex h-screen overflow-hidden">
-	<Sidebar bind:collapsed />
-
-	<div class="flex flex-1 flex-col overflow-hidden">
-		<main class="flex-1 overflow-y-auto bg-[var(--color-bg-0)]">
+<main class="flex-1 overflow-y-auto bg-[var(--color-bg-0)]">
 			<!-- Header -->
 			<div class="px-7 pt-8">
-				<div class="flex items-start justify-between">
+				<div class="flex items-center justify-between">
 					<div>
-						<h1 class="font-serif text-page tracking-[-0.02em] text-[var(--color-text-bright)]">
-							Channels
-						</h1>
+						<div class="flex items-baseline gap-4">
+							<h1 class="font-serif text-page text-[var(--color-text-bright)]">
+								Channels
+							</h1>
+							{#if !loading && channels.length > 0}
+								<span class="font-serif text-[1.75rem] text-[var(--color-text-muted)]">{channels.length}</span>
+							{/if}
+						</div>
 						<p class="mt-2 text-ui text-[var(--color-text-secondary)]">
 							Route capsule events to Discord, Slack, Telegram, and other destinations.
 						</p>
@@ -375,7 +367,7 @@
 					</button>
 				</div>
 
-				<div class="mt-5 border-b border-[var(--color-border)]"></div>
+				<div class="mt-6 border-b border-[var(--color-border)]"></div>
 			</div>
 
 			<!-- Content -->
@@ -436,7 +428,7 @@
 								</svg>
 							</div>
 						</div>
-						<p class="font-serif text-heading tracking-[-0.02em] text-[var(--color-text-bright)]">No channels yet</p>
+						<p class="font-serif text-heading text-[var(--color-text-bright)]">No channels yet</p>
 						<p class="mt-1.5 max-w-[340px] text-center text-ui text-[var(--color-text-tertiary)]">Channels deliver capsule events to your team's tools. Connect Discord, Slack, or a custom webhook.</p>
 						<button
 							onclick={() => { showCreate = true; resetCreateForm(); }}
@@ -449,13 +441,6 @@
 						</button>
 					</div>
 				{:else}
-					<!-- Count row -->
-					<div class="mb-4 flex items-center justify-end">
-						<span class="text-meta text-[var(--color-text-muted)]">
-							{channels.length} {channels.length === 1 ? 'channel' : 'channels'} total
-						</span>
-					</div>
-
 					<!-- Table -->
 					<div class="overflow-hidden rounded-[var(--radius-card)] border border-[var(--color-border)]">
 						<!-- Header -->
@@ -474,7 +459,7 @@
 								in:fly={{ y: 6, duration: 350, delay: i * 40, easing: cubicOut }}
 								out:fly={{ x: -12, duration: 180, easing: cubicIn }}
 							>
-								<div class="row-stripe pointer-events-none absolute left-0 top-0 h-full w-[3px] bg-[var(--color-accent)]"></div>
+								<div class="row-stripe pointer-events-none absolute left-0 top-0 h-full w-[3px]" style="background: {providerColor(ch.provider).text}"></div>
 
 								<!-- Name -->
 								<div class="min-w-0 px-5 py-4">
@@ -484,7 +469,10 @@
 
 								<!-- Provider -->
 								<div class="px-5 py-4">
-									<span class="inline-flex items-center gap-1.5 rounded-[3px] border border-[var(--color-accent)]/25 bg-[var(--color-accent)]/10 px-2.5 py-1 text-badge font-semibold uppercase tracking-[0.04em] text-[var(--color-accent-mid)]">
+									<span
+										class="inline-flex items-center gap-1.5 rounded-[3px] border px-2.5 py-1 text-badge font-semibold uppercase tracking-[0.04em]"
+										style="color: {providerColor(ch.provider).text}; background: {providerColor(ch.provider).bg}; border-color: {providerColor(ch.provider).border}"
+									>
 										{@render providerIcon(ch.provider)}
 										{providerLabel(ch.provider)}
 									</span>
@@ -535,6 +523,7 @@
 													openDropdownId = ch.id;
 												}
 											}}
+											aria-label="More actions"
 											class="flex items-center px-2 py-1.5 text-[var(--color-text-secondary)] transition-colors duration-150 hover:bg-[var(--color-bg-4)] hover:text-[var(--color-text-bright)]"
 										>
 											<svg
@@ -556,15 +545,13 @@
 		<!-- Status bar -->
 		<footer class="flex h-7 shrink-0 items-center justify-end border-t border-[var(--color-border)] bg-[var(--color-bg-1)] px-7">
 			<div class="flex items-center gap-1.5">
-				<span
-					class="inline-flex h-[5px] w-[5px] rounded-full bg-[var(--color-accent)]"
-					style="animation: wrenn-glow 2.4s ease-in-out infinite"
-				></span>
+				<span class="relative flex h-[5px] w-[5px]">
+					<span class="animate-status-ping absolute inline-flex h-full w-full rounded-full bg-[var(--color-accent)]"></span>
+					<span class="relative inline-flex h-[5px] w-[5px] rounded-full bg-[var(--color-accent)]"></span>
+				</span>
 				<span class="font-mono text-label uppercase tracking-[0.04em] text-[var(--color-text-secondary)]">All systems operational</span>
 			</div>
 		</footer>
-	</div>
-</div>
 
 <!-- Split button dropdown -->
 {#if openDropdownId}
@@ -654,7 +641,7 @@
 
 			{#if createStep === 1}
 				<!-- Step 1: Connection -->
-				<h2 class="font-serif text-heading tracking-[-0.02em] text-[var(--color-text-bright)]">New Channel</h2>
+				<h2 class="font-serif text-heading text-[var(--color-text-bright)]">New Channel</h2>
 				<p class="mt-1 text-ui text-[var(--color-text-tertiary)]">Name the channel, pick a provider, and enter its connection details.</p>
 
 				<!-- Name -->
@@ -674,11 +661,12 @@
 
 				<!-- Provider -->
 				<div class="mt-4">
-					<label class="mb-1.5 block text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-tertiary)]">
+					<label for="provider-select" class="mb-1.5 block text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-tertiary)]">
 						Provider
 					</label>
 					<div class="relative" bind:this={providerDropdownEl}>
 						<button
+							id="provider-select"
 							onclick={() => { providerDropdownOpen = !providerDropdownOpen; }}
 							disabled={creating}
 							class="flex w-full items-center justify-between rounded-[var(--radius-input)] border px-3 py-2 text-ui transition-colors duration-150 disabled:opacity-60
@@ -704,9 +692,11 @@
 								style="animation: fadeUp 0.12s ease both"
 							>
 								{#each PROVIDERS as p}
+									{@const ppc = providerColor(p.value)}
 									<button
 										class="flex w-full items-center gap-2.5 px-3 py-2 text-ui transition-colors duration-100 hover:bg-[var(--color-bg-3)]
-											{createProvider === p.value ? 'bg-[var(--color-accent-glow)] text-[var(--color-accent-bright)] font-medium' : 'text-[var(--color-text-primary)]'}"
+											{createProvider === p.value ? 'font-medium' : 'text-[var(--color-text-primary)]'}"
+										style={createProvider === p.value ? `color: ${ppc.text}; background: ${ppc.bg}` : ''}
 										onclick={() => { createProvider = p.value; createConfig = {}; providerDropdownOpen = false; }}
 									>
 										{@render providerIcon(p.value)}
@@ -802,7 +792,7 @@
 
 			{:else}
 				<!-- Step 2: Events -->
-				<h2 class="font-serif text-heading tracking-[-0.02em] text-[var(--color-text-bright)]">Choose Events</h2>
+				<h2 class="font-serif text-heading text-[var(--color-text-bright)]">Choose Events</h2>
 				<p class="mt-1 text-ui text-[var(--color-text-tertiary)]">
 					Pick the events that trigger a notification to
 					<span class="font-medium text-[var(--color-text-secondary)]">{createName}</span>
@@ -811,11 +801,12 @@
 
 				<!-- Events dropdown -->
 				<div class="mt-5">
-					<label class="mb-1.5 block text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-tertiary)]">
+					<label for="events-select" class="mb-1.5 block text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-tertiary)]">
 						Events
 					</label>
 					<div class="relative" bind:this={eventsDropdownEl}>
 						<button
+							id="events-select"
 							onclick={() => { eventsDropdownOpen = !eventsDropdownOpen; }}
 							disabled={creating}
 							class="flex w-full items-center justify-between rounded-[var(--radius-input)] border px-3 py-2 text-ui transition-colors duration-150 disabled:opacity-60
@@ -848,29 +839,7 @@
 								class="absolute left-0 top-full z-20 mt-1.5 w-full overflow-y-auto rounded-[var(--radius-card)] border border-[var(--color-border-mid)] bg-[var(--color-bg-2)] py-1.5 shadow-xl"
 								style="max-height: 280px; animation: fadeUp 0.12s ease both"
 							>
-								{#each Object.entries(groupedEvents) as [group, events], gi}
-									<div class="px-3 py-1.5 text-badge font-semibold uppercase tracking-[0.06em] text-[var(--color-text-muted)]">{group}</div>
-
-									{#each events as et}
-										{@const checked = createEvents.includes(et.value)}
-										<label class="flex cursor-pointer items-center gap-2.5 px-3 py-2 transition-colors duration-100 hover:bg-[var(--color-bg-3)]">
-											<span class="flex h-3.5 w-3.5 shrink-0 items-center justify-center rounded-sm border transition-colors duration-100
-												{checked ? 'border-[var(--color-accent)] bg-[var(--color-accent)]' : 'border-[var(--color-border-mid)] bg-[var(--color-bg-4)]'}">
-												{#if checked}
-													<svg width="8" height="8" viewBox="0 0 24 24" fill="none" stroke="white" stroke-width="3.5" stroke-linecap="round" stroke-linejoin="round">
-														<polyline points="20 6 9 17 4 12" />
-													</svg>
-												{/if}
-											</span>
-											<input type="checkbox" class="sr-only" {checked} onchange={() => { createEvents = toggleEvent(createEvents, et.value); }} />
-											<span class="font-mono text-meta {checked ? 'text-[var(--color-text-bright)]' : 'text-[var(--color-text-secondary)]'}">{et.value}</span>
-										</label>
-									{/each}
-
-									{#if gi < Object.entries(groupedEvents).length - 1}
-										<div class="mx-3 my-1 border-t border-[var(--color-border)]"></div>
-									{/if}
-								{/each}
+								{@render eventsDropdownItems(createEvents, (v) => { createEvents = toggleEvent(createEvents, v); })}
 							</div>
 						{/if}
 					</div>
@@ -884,6 +853,7 @@
 								{ev}
 								<button
 									onclick={() => { createEvents = createEvents.filter((e) => e !== ev); }}
+									aria-label="Remove {ev}"
 									class="flex items-center justify-center text-[var(--color-accent)] opacity-60 transition-opacity duration-100 hover:opacity-100"
 								>
 									<svg width="10" height="10" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2.5" stroke-linecap="round">
@@ -949,7 +919,7 @@
 				<span class="text-meta font-semibold text-[var(--color-accent-mid)]" style="animation: fadeUp 0.3s 0.15s ease both">Channel created</span>
 			</div>
 
-			<h2 class="font-serif text-heading tracking-[-0.02em] text-[var(--color-text-bright)]">{revealChannel.name}</h2>
+			<h2 class="font-serif text-heading text-[var(--color-text-bright)]">{revealChannel.name}</h2>
 			<p class="mt-1 text-ui text-[var(--color-text-tertiary)]">
 				Copy the webhook signing secret now — it won't be shown again.
 			</p>
@@ -1020,13 +990,13 @@
 		></div>
 
 		<div class="relative w-full max-w-[480px] rounded-[var(--radius-card)] border border-[var(--color-border-mid)] bg-[var(--color-bg-2)] p-6" style="animation: fadeUp 0.2s ease both; box-shadow: var(--shadow-dialog)">
-			<h2 class="font-serif text-heading tracking-[-0.02em] text-[var(--color-text-bright)]">Edit Channel</h2>
+			<h2 class="font-serif text-heading text-[var(--color-text-bright)]">Edit Channel</h2>
 			<p class="mt-1 text-ui text-[var(--color-text-tertiary)]">
 				Update the name or subscribed events. To change the provider, delete this channel and create a new one.
 			</p>
 
 			<div class="mt-2">
-				<span class="inline-flex items-center gap-1.5 rounded-sm border border-[var(--color-border-mid)] bg-[var(--color-bg-4)] px-2 py-0.5 text-meta text-[var(--color-text-secondary)]">
+				<span class="inline-flex items-center gap-1.5 rounded-sm border px-2 py-0.5 text-meta font-medium" style="color: {providerColor(editTarget.provider).text}; background: {providerColor(editTarget.provider).bg}; border-color: {providerColor(editTarget.provider).border}">
 					{@render providerIcon(editTarget.provider)}
 					{providerLabel(editTarget.provider)}
 				</span>
@@ -1054,11 +1024,12 @@
 
 			<!-- Events -->
 			<div class="mt-5">
-				<label class="mb-1.5 block text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-tertiary)]">
+				<label for="edit-events-select" class="mb-1.5 block text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-tertiary)]">
 					Events
 				</label>
 				<div class="relative" bind:this={editEventsDropdownEl}>
 					<button
+						id="edit-events-select"
 						onclick={() => { editEventsDropdownOpen = !editEventsDropdownOpen; }}
 						disabled={editing}
 						class="flex w-full items-center justify-between rounded-[var(--radius-input)] border px-3 py-2 text-ui transition-colors duration-150 disabled:opacity-60
@@ -1091,29 +1062,7 @@
 							class="absolute left-0 top-full z-20 mt-1.5 w-full overflow-y-auto rounded-[var(--radius-card)] border border-[var(--color-border-mid)] bg-[var(--color-bg-2)] py-1.5 shadow-xl"
 							style="max-height: 280px; animation: fadeUp 0.12s ease both"
 						>
-							{#each Object.entries(groupedEvents) as [group, events], gi}
-								<div class="px-3 py-1.5 text-badge font-semibold uppercase tracking-[0.06em] text-[var(--color-text-muted)]">{group}</div>
-
-								{#each events as et}
-									{@const checked = editEvents.includes(et.value)}
-									<label class="flex cursor-pointer items-center gap-2.5 px-3 py-2 transition-colors duration-100 hover:bg-[var(--color-bg-3)]">
-										<span class="flex h-3.5 w-3.5 shrink-0 items-center justify-center rounded-sm border transition-colors duration-100
-											{checked ? 'border-[var(--color-accent)] bg-[var(--color-accent)]' : 'border-[var(--color-border-mid)] bg-[var(--color-bg-4)]'}">
-											{#if checked}
-												<svg width="8" height="8" viewBox="0 0 24 24" fill="none" stroke="white" stroke-width="3.5" stroke-linecap="round" stroke-linejoin="round">
-													<polyline points="20 6 9 17 4 12" />
-												</svg>
-											{/if}
-										</span>
-										<input type="checkbox" class="sr-only" {checked} onchange={() => { editEvents = toggleEvent(editEvents, et.value); }} />
-										<span class="font-mono text-meta {checked ? 'text-[var(--color-text-bright)]' : 'text-[var(--color-text-secondary)]'}">{et.value}</span>
-									</label>
-								{/each}
-
-								{#if gi < Object.entries(groupedEvents).length - 1}
-									<div class="mx-3 my-1 border-t border-[var(--color-border)]"></div>
-								{/if}
-							{/each}
+							{@render eventsDropdownItems(editEvents, (v) => { editEvents = toggleEvent(editEvents, v); })}
 						</div>
 					{/if}
 				</div>
@@ -1157,12 +1106,12 @@
 		></div>
 
 		<div class="relative w-full max-w-[380px] rounded-[var(--radius-card)] border border-[var(--color-border-mid)] bg-[var(--color-bg-2)] p-6" style="animation: fadeUp 0.2s ease both; box-shadow: var(--shadow-dialog)">
-			<h2 class="font-serif text-heading tracking-[-0.02em] text-[var(--color-text-bright)]">Delete Channel</h2>
+			<h2 class="font-serif text-heading text-[var(--color-text-bright)]">Delete Channel</h2>
 			<p class="mt-2 text-ui text-[var(--color-text-tertiary)]">
 				Permanently delete <span class="font-medium text-[var(--color-text-secondary)]">{deleteTarget.name}</span>?
 				Events will stop being delivered to this destination immediately.
 			</p>
-			<span class="mt-2 inline-flex items-center gap-1.5 rounded-sm border border-[var(--color-border-mid)] bg-[var(--color-bg-4)] px-2 py-0.5 text-meta text-[var(--color-text-muted)]">
+			<span class="mt-2 inline-flex items-center gap-1.5 rounded-sm border px-2 py-0.5 text-meta font-medium" style="color: {providerColor(deleteTarget.provider).text}; background: {providerColor(deleteTarget.provider).bg}; border-color: {providerColor(deleteTarget.provider).border}">
 				{@render providerIcon(deleteTarget.provider)}
 				{providerLabel(deleteTarget.provider)}
 			</span>
@@ -1211,7 +1160,7 @@
 		></div>
 
 		<div class="relative w-full max-w-[460px] rounded-[var(--radius-card)] border border-[var(--color-border-mid)] bg-[var(--color-bg-2)] p-6" style="animation: fadeUp 0.2s ease both; box-shadow: var(--shadow-dialog)">
-			<h2 class="font-serif text-heading tracking-[-0.02em] text-[var(--color-text-bright)]">
+			<h2 class="font-serif text-heading text-[var(--color-text-bright)]">
 				{rotateTarget.provider === 'webhook' ? 'Rotate Signing Secret' : 'Rotate Credentials'}
 			</h2>
 			<p class="mt-1 text-ui text-[var(--color-text-tertiary)]">
@@ -1223,7 +1172,7 @@
 			</p>
 
 			<div class="mt-2">
-				<span class="inline-flex items-center gap-1.5 rounded-sm border border-[var(--color-border-mid)] bg-[var(--color-bg-4)] px-2 py-0.5 text-meta text-[var(--color-text-secondary)]">
+				<span class="inline-flex items-center gap-1.5 rounded-sm border px-2 py-0.5 text-meta font-medium" style="color: {providerColor(rotateTarget.provider).text}; background: {providerColor(rotateTarget.provider).bg}; border-color: {providerColor(rotateTarget.provider).border}">
 					{@render providerIcon(rotateTarget.provider)}
 					{providerLabel(rotateTarget.provider)}
 				</span>
@@ -1296,13 +1245,45 @@
 	</div>
 {/if}
 
+{#snippet eventsDropdownItems(selected: string[], toggle: (value: string) => void)}
+	{#each Object.entries(groupedEvents) as [group, events], gi}
+		<div class="px-3 py-1.5 text-badge font-semibold uppercase tracking-[0.06em] text-[var(--color-text-muted)]">{group}</div>
+
+		{#each events as et}
+			{@const checked = selected.includes(et.value)}
+			<label class="flex cursor-pointer items-center gap-2.5 px-3 py-2 transition-colors duration-100 hover:bg-[var(--color-bg-3)]">
+				<span class="flex h-3.5 w-3.5 shrink-0 items-center justify-center rounded-sm border transition-colors duration-100
+					{checked ? 'border-[var(--color-accent)] bg-[var(--color-accent)]' : 'border-[var(--color-border-mid)] bg-[var(--color-bg-4)]'}">
+					{#if checked}
+						<svg width="8" height="8" viewBox="0 0 24 24" fill="none" stroke="white" stroke-width="3.5" stroke-linecap="round" stroke-linejoin="round">
+							<polyline points="20 6 9 17 4 12" />
+						</svg>
+					{/if}
+				</span>
+				<input type="checkbox" class="sr-only" {checked} onchange={() => toggle(et.value)} />
+				<span class="font-mono text-meta {checked ? 'text-[var(--color-text-bright)]' : 'text-[var(--color-text-secondary)]'}">{et.value}</span>
+			</label>
+		{/each}
+
+		{#if gi < Object.entries(groupedEvents).length - 1}
+			<div class="mx-3 my-1 border-t border-[var(--color-border)]"></div>
+		{/if}
+	{/each}
+{/snippet}
+
 {#snippet providerIcon(provider: string)}
 	{#if provider === 'discord'}
 		<svg width="12" height="12" viewBox="0 0 24 24" fill="currentColor"><path d="M20.317 4.37a19.791 19.791 0 0 0-4.885-1.515.074.074 0 0 0-.079.037c-.21.375-.444.864-.608 1.25a18.27 18.27 0 0 0-5.487 0 12.64 12.64 0 0 0-.617-1.25.077.077 0 0 0-.079-.037A19.736 19.736 0 0 0 3.677 4.37a.07.07 0 0 0-.032.027C.533 9.046-.32 13.58.099 18.057a.082.082 0 0 0 .031.057 19.9 19.9 0 0 0 5.993 3.03.078.078 0 0 0 .084-.028c.462-.63.874-1.295 1.226-1.994a.076.076 0 0 0-.041-.106 13.107 13.107 0 0 1-1.872-.892.077.077 0 0 1-.008-.128 10.2 10.2 0 0 0 .372-.292.074.074 0 0 1 .077-.01c3.928 1.793 8.18 1.793 12.062 0a.074.074 0 0 1 .078.01c.12.098.246.198.373.292a.077.077 0 0 1-.006.127 12.299 12.299 0 0 1-1.873.892.077.077 0 0 0-.041.107c.36.698.772 1.362 1.225 1.993a.076.076 0 0 0 .084.028 19.839 19.839 0 0 0 6.002-3.03.077.077 0 0 0 .032-.054c.5-5.177-.838-9.674-3.549-13.66a.061.061 0 0 0-.031-.03z" /></svg>
 	{:else if provider === 'slack'}
 		<svg width="12" height="12" viewBox="0 0 24 24" fill="currentColor"><path d="M5.042 15.165a2.528 2.528 0 0 1-2.52 2.523A2.528 2.528 0 0 1 0 15.165a2.527 2.527 0 0 1 2.522-2.52h2.52v2.52zm1.271 0a2.527 2.527 0 0 1 2.521-2.52 2.527 2.527 0 0 1 2.521 2.52v6.313A2.528 2.528 0 0 1 8.834 24a2.528 2.528 0 0 1-2.521-2.522v-6.313zM8.834 5.042a2.528 2.528 0 0 1-2.521-2.52A2.528 2.528 0 0 1 8.834 0a2.528 2.528 0 0 1 2.521 2.522v2.52H8.834zm0 1.271a2.528 2.528 0 0 1 2.521 2.521 2.528 2.528 0 0 1-2.521 2.521H2.522A2.528 2.528 0 0 1 0 8.834a2.528 2.528 0 0 1 2.522-2.521h6.312zm10.122 2.521a2.528 2.528 0 0 1 2.522-2.521A2.528 2.528 0 0 1 24 8.834a2.528 2.528 0 0 1-2.522 2.521h-2.522V8.834zm-1.268 0a2.528 2.528 0 0 1-2.523 2.521 2.527 2.527 0 0 1-2.52-2.521V2.522A2.527 2.527 0 0 1 15.165 0a2.528 2.528 0 0 1 2.523 2.522v6.312zm-2.523 10.122a2.528 2.528 0 0 1 2.523 2.522A2.528 2.528 0 0 1 15.165 24a2.527 2.527 0 0 1-2.52-2.522v-2.522h2.52zm0-1.268a2.527 2.527 0 0 1-2.52-2.523 2.526 2.526 0 0 1 2.52-2.52h6.313A2.527 2.527 0 0 1 24 15.165a2.528 2.528 0 0 1-2.522 2.523h-6.313z" /></svg>
+	{:else if provider === 'teams'}
+		<svg width="12" height="12" viewBox="0 0 24 24" fill="currentColor"><path d="M20.625 8.5h-3.25V6.25a1.75 1.75 0 0 1 1.75-1.75h.002a1.75 1.75 0 1 1 0 3.5h-.002a1.7 1.7 0 0 1-.5-.074V8.5zM22.25 10h-4.375a.875.875 0 0 0-.875.875v5.25a3.375 3.375 0 0 0 3.016 3.355A3.5 3.5 0 0 0 24 16v-2.5A3.5 3.5 0 0 0 22.25 10zM9.5 7a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm5.25 3H4.25A2.25 2.25 0 0 0 2 12.25V18a5.5 5.5 0 0 0 11 0v-5.75A2.25 2.25 0 0 0 14.75 10zM16 8.5a2.5 2.5 0 1 0 0-5 2.5 2.5 0 0 0 0 5z" /></svg>
+	{:else if provider === 'googlechat'}
+		<svg width="12" height="12" viewBox="0 0 24 24" fill="currentColor"><path d="M12 0C5.372 0 0 5.042 0 11.264c0 2.026.564 3.94 1.544 5.612L.05 21.932a.75.75 0 0 0 .96.932l5.112-1.7A12.4 12.4 0 0 0 12 22.528c6.628 0 12-5.042 12-11.264S18.628 0 12 0zm4.5 14.25h-9a.75.75 0 0 1 0-1.5h9a.75.75 0 0 1 0 1.5zm0-3h-9a.75.75 0 0 1 0-1.5h9a.75.75 0 0 1 0 1.5zm0-3h-9a.75.75 0 0 1 0-1.5h9a.75.75 0 0 1 0 1.5z" /></svg>
 	{:else if provider === 'telegram'}
 		<svg width="12" height="12" viewBox="0 0 24 24" fill="currentColor"><path d="M11.944 0A12 12 0 0 0 0 12a12 12 0 0 0 12 12 12 12 0 0 0 12-12A12 12 0 0 0 12 0a12 12 0 0 0-.056 0zm4.962 7.224c.1-.002.321.023.465.14a.506.506 0 0 1 .171.325c.016.093.036.306.02.472-.18 1.898-.962 6.502-1.36 8.627-.168.9-.499 1.201-.82 1.23-.696.065-1.225-.46-1.9-.902-1.056-.693-1.653-1.124-2.678-1.8-1.185-.78-.417-1.21.258-1.91.177-.184 3.247-2.977 3.307-3.23.007-.032.014-.15-.056-.212s-.174-.041-.249-.024c-.106.024-1.793 1.14-5.061 3.345-.479.33-.913.49-1.302.48-.428-.008-1.252-.241-1.865-.44-.752-.245-1.349-.374-1.297-.789.027-.216.325-.437.893-.663 3.498-1.524 5.83-2.529 6.998-3.014 3.332-1.386 4.025-1.627 4.476-1.635z" /></svg>
+	{:else if provider === 'matrix'}
+		<svg width="12" height="12" viewBox="0 0 24 24" fill="currentColor"><path d="M.632.55v22.9H2.28V24H0V0h2.28v.55zm7.043 7.26v1.157h.033c.309-.443.683-.784 1.117-1.024.434-.24.905-.36 1.416-.36.54 0 1.033.107 1.48.32.448.214.773.553.974 1.02.309-.4.694-.727 1.154-.98a3.1 3.1 0 0 1 1.49-.36c.434 0 .839.058 1.213.172.375.115.694.303.957.565.264.262.467.6.61 1.014.144.414.215.907.215 1.478V17.3h-2.36v-5.18c0-.312-.013-.603-.04-.873a1.84 1.84 0 0 0-.195-.685 1.08 1.08 0 0 0-.432-.45c-.187-.108-.438-.162-.754-.162-.316 0-.573.058-.77.172a1.27 1.27 0 0 0-.472.46 1.98 1.98 0 0 0-.24.672 4.4 4.4 0 0 0-.065.746V17.3H9.36v-5.07c0-.282-.006-.558-.02-.826a2.15 2.15 0 0 0-.148-.72 1.04 1.04 0 0 0-.403-.498c-.182-.126-.44-.19-.773-.19a1.55 1.55 0 0 0-.416.068c-.158.052-.31.147-.458.286a1.62 1.62 0 0 0-.36.566c-.1.238-.15.545-.15.924V17.3H4.28V7.81zm15.693 15.64V.55H21.72V0H24v24h-2.28v-.55z" /></svg>
 	{:else if provider === 'webhook'}
 		<svg width="12" height="12" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71" /><path d="M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71" /></svg>
 	{:else}
diff --git a/frontend/src/routes/dashboard/hosts/+page.svelte b/frontend/src/routes/dashboard/hosts/+page.svelte
index 8e657d6..0b7e134 100644
--- a/frontend/src/routes/dashboard/hosts/+page.svelte
+++ b/frontend/src/routes/dashboard/hosts/+page.svelte
@@ -1,5 +1,4 @@
 <script lang="ts">
-	import Sidebar from '$lib/components/Sidebar.svelte';
 	import { onMount } from 'svelte';
 	import { auth } from '$lib/auth.svelte';
 	import { toast } from '$lib/toast.svelte';
@@ -15,12 +14,6 @@
 		type CreateHostResult
 	} from '$lib/api/hosts';
 
-	let collapsed = $state(
-		typeof window !== 'undefined'
-			? localStorage.getItem('wrenn_sidebar_collapsed') === 'true'
-			: false
-	);
-
 	let canManage = $derived(auth.role === 'owner' || auth.role === 'admin');
 
 	// List state
@@ -43,7 +36,7 @@
 
 	// Delete confirmation
 	let deleteTarget = $state<Host | null>(null);
-	let deletePreviewSandboxes = $state<string[]>([]);
+	let deletePreviewCapsules = $state<string[]>([]);
 	let deletePreviewLoading = $state(false);
 	let deleting = $state(false);
 	let deleteError = $state<string | null>(null);
@@ -97,12 +90,12 @@
 	async function openDeleteConfirm(host: Host) {
 		deleteTarget = host;
 		deleteError = null;
-		deletePreviewSandboxes = [];
+		deletePreviewCapsules = [];
 		deletePreviewLoading = true;
 		const preview = await getDeletePreview(host.id);
 		deletePreviewLoading = false;
 		if (preview.ok) {
-			deletePreviewSandboxes = preview.data.sandbox_ids;
+			deletePreviewCapsules = preview.data.sandbox_ids;
 		}
 	}
 
@@ -110,7 +103,7 @@
 		if (!deleteTarget) return;
 		deleting = true;
 		deleteError = null;
-		const result = await deleteHost(deleteTarget.id, deletePreviewSandboxes.length > 0);
+		const result = await deleteHost(deleteTarget.id, deletePreviewCapsules.length > 0);
 		if (result.ok) {
 			hosts = hosts.filter((h) => h.id !== deleteTarget!.id);
 			deleteTarget = null;
@@ -156,16 +149,12 @@
 	<title>Wrenn — Hosts</title>
 </svelte:head>
 
-<div class="flex h-screen overflow-hidden">
-	<Sidebar bind:collapsed />
-
-	<div class="flex flex-1 flex-col overflow-hidden">
-		<main class="flex-1 overflow-y-auto bg-[var(--color-bg-0)]">
+<main class="flex-1 overflow-y-auto bg-[var(--color-bg-0)]">
 			<!-- Header -->
 			<div class="px-7 pt-8">
 				<div class="flex items-center justify-between">
 					<div>
-						<h1 class="font-serif text-page tracking-[-0.02em] text-[var(--color-text-bright)]">
+						<h1 class="font-serif text-page text-[var(--color-text-bright)]">
 							Hosts
 						</h1>
 						<p class="mt-2 text-ui text-[var(--color-text-secondary)]">
@@ -326,11 +315,17 @@
 					</p>
 				{/if}
 			</div>
-		</main>
+	</main>
 
-		<footer class="h-px shrink-0 bg-[var(--color-border)]"></footer>
+<footer class="flex h-7 shrink-0 items-center justify-end border-t border-[var(--color-border)] bg-[var(--color-bg-1)] px-7">
+	<div class="flex items-center gap-1.5">
+		<span class="relative flex h-[5px] w-[5px]">
+			<span class="animate-status-ping absolute inline-flex h-full w-full rounded-full bg-[var(--color-accent)]"></span>
+			<span class="relative inline-flex h-[5px] w-[5px] rounded-full bg-[var(--color-accent)]"></span>
+		</span>
+		<span class="font-mono text-label uppercase tracking-[0.04em] text-[var(--color-text-secondary)]">All systems operational</span>
 	</div>
-</div>
+</footer>
 
 {#snippet skeletonRows()}
 	<div class="rounded-[var(--radius-card)] border border-[var(--color-border)] overflow-hidden">
@@ -378,7 +373,7 @@
 			</div>
 		</div>
 		{#if canManage}
-			<p class="font-serif text-heading tracking-[-0.02em] text-[var(--color-text-bright)]">No hosts yet</p>
+			<p class="font-serif text-heading text-[var(--color-text-bright)]">No hosts yet</p>
 			<p class="mt-1.5 max-w-[340px] text-center text-ui text-[var(--color-text-tertiary)]">
 				Register a server and Wrenn will schedule capsules on your own infrastructure.
 			</p>
@@ -392,7 +387,7 @@
 				</svg>
 			</button>
 		{:else}
-			<p class="font-serif text-heading tracking-[-0.02em] text-[var(--color-text-bright)]">No hosts registered</p>
+			<p class="font-serif text-heading text-[var(--color-text-bright)]">No hosts registered</p>
 			<p class="mt-1.5 max-w-[320px] text-center text-ui text-[var(--color-text-tertiary)]">
 				Ask a team owner or admin to register a host for your team.
 			</p>
@@ -411,7 +406,7 @@
 		></div>
 
 		<div class="relative w-full max-w-[420px] rounded-[var(--radius-card)] border border-[var(--color-border-mid)] bg-[var(--color-bg-2)] p-6" style="animation: fadeUp 0.2s ease both; box-shadow: var(--shadow-dialog)">
-			<h2 class="font-serif text-heading tracking-[-0.02em] text-[var(--color-text-bright)]">Register Host</h2>
+			<h2 class="font-serif text-heading text-[var(--color-text-bright)]">Register Host</h2>
 			<p class="mt-1 text-ui text-[var(--color-text-tertiary)]">
 				Add a server to your team's host pool. You'll receive a one-time registration token.
 			</p>
@@ -501,7 +496,7 @@
 				<span class="text-meta font-semibold text-[var(--color-accent-mid)]" style="animation: fadeUp 0.3s 0.15s ease both">Host registered successfully</span>
 			</div>
 
-			<h2 class="font-serif text-heading tracking-[-0.02em] text-[var(--color-text-bright)]">Registration Token</h2>
+			<h2 class="font-serif text-heading text-[var(--color-text-bright)]">Registration Token</h2>
 			<p class="mt-1 text-ui text-[var(--color-text-tertiary)]">
 				Pass this token to the host agent to complete registration. It expires in
 				<strong class="font-semibold text-[var(--color-amber)]">1 hour</strong> and is single-use.
@@ -573,7 +568,7 @@
 		></div>
 
 		<div class="relative w-full max-w-[380px] rounded-[var(--radius-card)] border border-[var(--color-border-mid)] bg-[var(--color-bg-2)] p-6" style="animation: fadeUp 0.2s ease both; box-shadow: var(--shadow-dialog)">
-			<h2 class="font-serif text-heading tracking-[-0.02em] text-[var(--color-text-bright)]">Delete Host</h2>
+			<h2 class="font-serif text-heading text-[var(--color-text-bright)]">Delete Host</h2>
 			<p class="mt-2 text-ui text-[var(--color-text-tertiary)]">
 				Remove <span class="inline-flex items-center rounded-sm border border-[var(--color-border-mid)] bg-[var(--color-bg-4)] px-1.5 py-0.5 font-mono text-badge text-[var(--color-text-primary)]">{deleteTarget.id}</span> from your host pool.
 			</p>
@@ -583,10 +578,10 @@
 					<svg class="animate-spin" width="13" height="13" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><path d="M21 12a9 9 0 1 1-6.219-8.56"/></svg>
 					Checking active capsules…
 				</div>
-			{:else if deletePreviewSandboxes.length > 0}
+			{:else if deletePreviewCapsules.length > 0}
 				<div class="mt-4 rounded-[var(--radius-input)] border border-[var(--color-amber)]/20 bg-[var(--color-amber)]/5 px-3 py-2.5">
 					<p class="text-meta font-semibold text-[var(--color-amber)]">
-						{deletePreviewSandboxes.length} active capsule{deletePreviewSandboxes.length === 1 ? '' : 's'} will be destroyed.
+						{deletePreviewCapsules.length} active capsule{deletePreviewCapsules.length === 1 ? '' : 's'} will be destroyed.
 					</p>
 					<p class="mt-0.5 text-meta text-[var(--color-amber)]/70">
 						All running workloads on this host will be terminated immediately.
@@ -617,7 +612,7 @@
 						<svg class="animate-spin" width="13" height="13" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><path d="M21 12a9 9 0 1 1-6.219-8.56"/></svg>
 						Deleting…
 					{:else}
-						{deletePreviewSandboxes.length > 0 ? 'Force Delete' : 'Delete Host'}
+						{deletePreviewCapsules.length > 0 ? 'Force Delete' : 'Delete Host'}
 					{/if}
 				</button>
 			</div>
diff --git a/frontend/src/routes/dashboard/keys/+page.svelte b/frontend/src/routes/dashboard/keys/+page.svelte
index 87e9be5..89828f8 100644
--- a/frontend/src/routes/dashboard/keys/+page.svelte
+++ b/frontend/src/routes/dashboard/keys/+page.svelte
@@ -1,16 +1,9 @@
 <script lang="ts">
-	import Sidebar from '$lib/components/Sidebar.svelte';
 	import { onMount } from 'svelte';
 	import { listKeys, createKey, revokeKey, type APIKey } from '$lib/api/keys';
 	import { toast } from '$lib/toast.svelte';
 	import { formatDate, timeAgo } from '$lib/utils/format';
 
-	let collapsed = $state(
-		typeof window !== 'undefined'
-			? localStorage.getItem('wrenn_sidebar_collapsed') === 'true'
-			: false
-	);
-
 	// List state
 	let keys = $state<APIKey[]>([]);
 	let loading = $state(true);
@@ -108,16 +101,12 @@
 	<title>Wrenn — API Keys</title>
 </svelte:head>
 
-<div class="flex h-screen overflow-hidden">
-	<Sidebar bind:collapsed />
-
-	<div class="flex flex-1 flex-col overflow-hidden">
-		<main class="flex-1 overflow-y-auto bg-[var(--color-bg-0)]">
+<main class="flex-1 overflow-y-auto bg-[var(--color-bg-0)]">
 			<!-- Header -->
 			<div class="px-7 pt-8">
 				<div class="flex items-center justify-between">
 					<div>
-						<h1 class="font-serif text-page tracking-[-0.02em] text-[var(--color-text-bright)]">
+						<h1 class="font-serif text-page text-[var(--color-text-bright)]">
 							API Keys
 						</h1>
 						<p class="mt-2 text-ui text-[var(--color-text-secondary)]">
@@ -172,7 +161,7 @@
 								</svg>
 							</div>
 						</div>
-						<p class="font-serif text-heading tracking-[-0.02em] text-[var(--color-text-bright)]">No API keys yet</p>
+						<p class="font-serif text-heading text-[var(--color-text-bright)]">No API keys yet</p>
 						<p class="mt-1.5 text-ui text-[var(--color-text-tertiary)]">Nothing can call the API without a key. Create one to authenticate your SDK or HTTP requests.</p>
 						<button
 							onclick={() => { showCreate = true; createError = null; createName = ''; }}
@@ -246,11 +235,17 @@
 					</p>
 				{/if}
 			</div>
-		</main>
+	</main>
 
-		<footer class="h-px shrink-0 bg-[var(--color-border)]"></footer>
+<footer class="flex h-7 shrink-0 items-center justify-end border-t border-[var(--color-border)] bg-[var(--color-bg-1)] px-7">
+	<div class="flex items-center gap-1.5">
+		<span class="relative flex h-[5px] w-[5px]">
+			<span class="animate-status-ping absolute inline-flex h-full w-full rounded-full bg-[var(--color-accent)]"></span>
+			<span class="relative inline-flex h-[5px] w-[5px] rounded-full bg-[var(--color-accent)]"></span>
+		</span>
+		<span class="font-mono text-label uppercase tracking-[0.04em] text-[var(--color-text-secondary)]">All systems operational</span>
 	</div>
-</div>
+</footer>
 
 <!-- Create Key Dialog -->
 {#if showCreate}
@@ -263,7 +258,7 @@
 		></div>
 
 		<div class="relative w-full max-w-[420px] rounded-[var(--radius-card)] border border-[var(--color-border-mid)] bg-[var(--color-bg-2)] p-6" style="animation: fadeUp 0.2s ease both; box-shadow: var(--shadow-dialog)">
-			<h2 class="font-serif text-heading tracking-[-0.02em] text-[var(--color-text-bright)]">New API Key</h2>
+			<h2 class="font-serif text-heading text-[var(--color-text-bright)]">New API Key</h2>
 			<p class="mt-1 text-ui text-[var(--color-text-tertiary)]">Name it after its environment or purpose — production, staging, CI. You can't rename it later.</p>
 
 			{#if createError}
@@ -334,7 +329,7 @@
 				<span class="text-meta font-semibold text-[var(--color-accent-mid)]" style="animation: fadeUp 0.3s 0.15s ease both">Key created successfully</span>
 			</div>
 
-			<h2 class="font-serif text-heading tracking-[-0.02em] text-[var(--color-text-bright)]">{newKey.name || 'API Key'}</h2>
+			<h2 class="font-serif text-heading text-[var(--color-text-bright)]">{newKey.name || 'API Key'}</h2>
 			<p class="mt-1 text-ui text-[var(--color-text-tertiary)]">
 				Copy this key now — it won't be shown again.
 			</p>
@@ -405,7 +400,7 @@
 		></div>
 
 		<div class="relative w-full max-w-[380px] rounded-[var(--radius-card)] border border-[var(--color-border-mid)] bg-[var(--color-bg-2)] p-6" style="animation: fadeUp 0.2s ease both; box-shadow: var(--shadow-dialog)">
-			<h2 class="font-serif text-heading tracking-[-0.02em] text-[var(--color-text-bright)]">Revoke Key</h2>
+			<h2 class="font-serif text-heading text-[var(--color-text-bright)]">Revoke Key</h2>
 			<p class="mt-2 text-ui text-[var(--color-text-tertiary)]">
 				Permanently revoke <span class="font-medium text-[var(--color-text-secondary)]">{revokeTarget.name || revokeTarget.id}</span>.
 				Any request using this key will fail immediately.
diff --git a/frontend/src/routes/dashboard/metrics/+page.svelte b/frontend/src/routes/dashboard/metrics/+page.svelte
index 271c757..80d747c 100644
--- a/frontend/src/routes/dashboard/metrics/+page.svelte
+++ b/frontend/src/routes/dashboard/metrics/+page.svelte
@@ -1,15 +1,8 @@
 <script lang="ts">
-	import Sidebar from '$lib/components/Sidebar.svelte';
 	import StatsPanel from '$lib/components/StatsPanel.svelte';
 	import CreateCapsuleDialog from '$lib/components/CreateCapsuleDialog.svelte';
 	import { auth } from '$lib/auth.svelte';
 
-	let collapsed = $state(
-		typeof window !== 'undefined'
-			? localStorage.getItem('wrenn_sidebar_collapsed') === 'true'
-			: false
-	);
-
 	let showCreateDialog = $state(false);
 </script>
 
@@ -17,18 +10,16 @@
 	<title>Wrenn — Metrics</title>
 </svelte:head>
 
-<div class="flex h-screen overflow-hidden">
-	<Sidebar bind:collapsed />
-
-	<div class="flex flex-1 flex-col overflow-hidden">
-		<main class="flex-1 overflow-y-auto bg-[var(--color-bg-0)]">
+	<main class="flex-1 overflow-y-auto bg-[var(--color-bg-0)]">
 			<div class="px-7 pt-8">
-				<h1 class="font-serif text-page tracking-[-0.02em] text-[var(--color-text-bright)]">
+				<h1 class="font-serif text-page text-[var(--color-text-bright)]">
 					Metrics
 				</h1>
 				<p class="mt-2 text-ui text-[var(--color-text-secondary)]">
 					Resource usage and performance across all capsules.
 				</p>
+
+				<div class="mt-6 border-b border-[var(--color-border)]"></div>
 			</div>
 
 			<StatsPanel
@@ -48,8 +39,6 @@
 				<span class="font-mono text-label uppercase tracking-[0.04em] text-[var(--color-text-secondary)]">All systems operational</span>
 			</div>
 		</footer>
-	</div>
-</div>
 
 <CreateCapsuleDialog
 	open={showCreateDialog}
diff --git a/frontend/src/routes/dashboard/settings/+page.svelte b/frontend/src/routes/dashboard/settings/+page.svelte
new file mode 100644
index 0000000..92d3479
--- /dev/null
+++ b/frontend/src/routes/dashboard/settings/+page.svelte
@@ -0,0 +1,673 @@
+<script lang="ts">
+	import { onMount, onDestroy } from 'svelte';
+	import { page } from '$app/stores';
+	import { goto } from '$app/navigation';
+	import { auth } from '$lib/auth.svelte';
+	import { toast } from '$lib/toast.svelte';
+	import {
+		getMe,
+		updateName,
+		changePassword,
+		requestPasswordReset,
+		getProviderConnectURL,
+		disconnectProvider,
+		deleteAccount,
+		type MeResponse
+	} from '$lib/api/me';
+
+	let me = $state<MeResponse | null>(null);
+	let loadError = $state<string | null>(null);
+
+	let initials = $derived(
+		me?.name
+			? me.name.split(' ').map(w => w[0]).join('').toUpperCase().slice(0, 2)
+			: me?.email?.[0]?.toUpperCase() ?? '?'
+	);
+
+	// Profile
+	let editName = $state('');
+	let savingName = $state(false);
+	let nameError = $state<string | null>(null);
+	let nameSaved = $state(false);
+	let nameSavedTimer: ReturnType<typeof setTimeout> | null = null;
+
+	// Password
+	let currentPassword = $state('');
+	let newPassword = $state('');
+	let confirmPassword = $state('');
+	let savingPassword = $state(false);
+	let passwordError = $state<string | null>(null);
+	let sendingReset = $state(false);
+	let passwordSaved = $state(false);
+	let passwordSavedTimer: ReturnType<typeof setTimeout> | null = null;
+
+	// GitHub connect/disconnect
+	let connectingGitHub = $state(false);
+	let disconnectingGitHub = $state(false);
+	let showDisconnectConfirm = $state(false);
+	let disconnectError = $state<string | null>(null);
+
+	// Delete account
+	let showDeleteConfirm = $state(false);
+	let deleteConfirmation = $state('');
+	let deleting = $state(false);
+	let deleteError = $state<string | null>(null);
+
+	const connectErrors: Record<string, string> = {
+		already_linked: 'This GitHub account is already connected to another Wrenn account.',
+		db_error: 'Something went wrong — please try again.',
+		invalid_state: 'The connection attempt expired — please try again.',
+		access_denied: 'GitHub access was denied.',
+		exchange_failed: 'Authentication failed — please try again.'
+	};
+
+	async function fetchMe() {
+		const result = await getMe();
+		if (result.ok) {
+			me = result.data;
+			editName = result.data.name;
+		} else {
+			loadError = result.error;
+		}
+	}
+
+	async function handleSaveName() {
+		if (!editName.trim() || editName.trim() === me?.name) return;
+		savingName = true;
+		nameError = null;
+		const result = await updateName(editName.trim());
+		if (result.ok) {
+			auth.login(result.data);
+			me = { ...me!, name: result.data.name };
+			editName = result.data.name;
+			toast.success('Name updated.');
+			nameSaved = true;
+			if (nameSavedTimer) clearTimeout(nameSavedTimer);
+			nameSavedTimer = setTimeout(() => (nameSaved = false), 1500);
+		} else {
+			nameError = result.error;
+		}
+		savingName = false;
+	}
+
+	async function handleSendPasswordReset() {
+		if (!me) return;
+		sendingReset = true;
+		const result = await requestPasswordReset(me.email);
+		sendingReset = false;
+		if (result.ok) {
+			toast.success('Password reset link sent to your email.');
+		} else {
+			toast.error(result.error);
+		}
+	}
+
+	async function handleChangePassword() {
+		savingPassword = true;
+		passwordError = null;
+
+		const body = me?.has_password
+			? { current_password: currentPassword, new_password: newPassword }
+			: { new_password: newPassword, confirm_password: confirmPassword };
+
+		const result = await changePassword(body);
+		if (result.ok) {
+			currentPassword = '';
+			newPassword = '';
+			confirmPassword = '';
+			const wasPasswordSet = !!me?.has_password;
+			if (me) me = { ...me, has_password: true };
+			toast.success(wasPasswordSet ? 'Password updated.' : 'Password added.');
+			passwordSaved = true;
+			if (passwordSavedTimer) clearTimeout(passwordSavedTimer);
+			passwordSavedTimer = setTimeout(() => (passwordSaved = false), 1500);
+		} else {
+			passwordError = result.error;
+		}
+		savingPassword = false;
+	}
+
+	async function handleConnectGitHub() {
+		connectingGitHub = true;
+		const result = await getProviderConnectURL('github');
+		if (result.ok) {
+			window.location.href = result.data.auth_url;
+		} else {
+			toast.error(result.error);
+			connectingGitHub = false;
+		}
+	}
+
+	async function handleDisconnectGitHub() {
+		disconnectingGitHub = true;
+		disconnectError = null;
+		const result = await disconnectProvider('github');
+		if (result.ok) {
+			me = { ...me!, providers: me!.providers.filter((p) => p !== 'github') };
+			showDisconnectConfirm = false;
+			toast.success('GitHub disconnected.');
+		} else {
+			disconnectError = result.error;
+		}
+		disconnectingGitHub = false;
+	}
+
+	async function handleDeleteAccount() {
+		deleting = true;
+		deleteError = null;
+		const result = await deleteAccount(deleteConfirmation);
+		if (result.ok) {
+			auth.logout();
+		} else {
+			deleteError = result.error;
+			deleting = false;
+		}
+	}
+
+	onMount(async () => {
+		await fetchMe();
+
+		// Read OAuth callback params and clean URL immediately,
+		// regardless of whether fetchMe succeeds.
+		const connected = $page.url.searchParams.get('connected');
+		const connectErr = $page.url.searchParams.get('connect_error');
+		if (connected || connectErr) {
+			goto('/dashboard/settings', { replaceState: true });
+		}
+
+		if (connected) {
+			if (me) me = { ...me, providers: [...new Set([...me.providers, connected])] };
+			toast.success(`${connected.charAt(0).toUpperCase() + connected.slice(1)} connected successfully.`);
+		} else if (connectErr) {
+			toast.error(connectErrors[connectErr] ?? 'Failed to connect account.');
+		}
+	});
+
+	onDestroy(() => {
+		if (nameSavedTimer) clearTimeout(nameSavedTimer);
+		if (passwordSavedTimer) clearTimeout(passwordSavedTimer);
+	});
+</script>
+
+<svelte:head>
+	<title>Wrenn — Settings</title>
+</svelte:head>
+
+<main class="flex-1 overflow-y-auto bg-[var(--color-bg-0)]">
+			<!-- Header -->
+			<div class="px-7 pt-8">
+				<div>
+					<h1 class="font-serif text-page text-[var(--color-text-bright)]">Settings</h1>
+					<p class="mt-2 text-ui text-[var(--color-text-secondary)]">
+						Manage your account details and security.
+					</p>
+				</div>
+				<div class="mt-6 border-b border-[var(--color-border)]"></div>
+			</div>
+
+			<!-- Content -->
+			<div class="p-8">
+				{#if loadError}
+					<div class="rounded-[var(--radius-card)] border border-[var(--color-red)]/30 bg-[var(--color-red)]/5 px-4 py-3 text-ui text-[var(--color-red)]" style="animation: fadeUp 0.35s ease both">
+						{loadError}
+					</div>
+				{:else if me}
+					<div class="mx-auto max-w-[560px] space-y-8">
+
+						<!-- ── Profile ── -->
+						<section style="animation: fadeUp 0.35s ease both">
+							<div class="flex items-center gap-4">
+								<div class="avatar-ring flex h-14 w-14 shrink-0 items-center justify-center rounded-full border border-[var(--color-border-mid)] bg-[var(--color-bg-3)]">
+									<span class="font-serif text-heading leading-none text-[var(--color-text-bright)]">{initials}</span>
+								</div>
+								<div>
+									<h2 class="font-serif text-heading text-[var(--color-text-bright)]">Profile</h2>
+									<p class="mt-0.5 text-ui text-[var(--color-text-tertiary)]">How you appear across Wrenn.</p>
+								</div>
+							</div>
+
+							<div class="mt-6 space-y-4">
+								<div>
+									<label
+										for="display-name"
+										class="mb-1.5 block text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-tertiary)]"
+									>
+										Display name
+									</label>
+									<input
+										id="display-name"
+										type="text"
+										bind:value={editName}
+										disabled={savingName}
+										placeholder="Your name"
+										class="w-full rounded-[var(--radius-input)] border border-[var(--color-border)] bg-[var(--color-bg-2)] px-3 py-2 text-ui text-[var(--color-text-bright)] outline-none placeholder:text-[var(--color-text-muted)] transition-[color,border-color,box-shadow] duration-150 focus:border-[var(--color-accent)] focus:shadow-[0_0_0_2px_var(--color-accent-glow)] disabled:opacity-60"
+									/>
+								</div>
+
+								<div>
+									<span class="mb-1.5 block text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-tertiary)]">
+										Email
+									</span>
+									<div class="rounded-[var(--radius-input)] border border-[var(--color-border)] bg-[var(--color-bg-1)] px-3 py-2 font-mono text-ui text-[var(--color-text-secondary)]">
+										{me.email}
+									</div>
+								</div>
+
+								{#if nameError}
+									<p class="text-ui text-[var(--color-red)]">{nameError}</p>
+								{/if}
+
+								<div class="flex justify-end">
+									<button
+										onclick={handleSaveName}
+										disabled={savingName || nameSaved || !editName.trim() || editName.trim() === me.name}
+										class="flex items-center gap-2 rounded-[var(--radius-button)] px-4 py-2 text-ui font-semibold text-white transition-all duration-150 hover:-translate-y-px active:translate-y-0 disabled:hover:translate-y-0 {nameSaved ? 'bg-[var(--color-accent-bright)]' : 'bg-[var(--color-accent)] hover:brightness-115 disabled:opacity-50'}"
+									>
+										{#if savingName}
+											<svg class="animate-spin" width="13" height="13" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><path d="M21 12a9 9 0 1 1-6.219-8.56" /></svg>
+											Saving…
+										{:else if nameSaved}
+											<svg width="13" height="13" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="3" stroke-linecap="round" stroke-linejoin="round" class="check-draw"><polyline points="20 6 9 17 4 12" /></svg>
+											Saved
+										{:else}
+											Save
+										{/if}
+									</button>
+								</div>
+							</div>
+						</section>
+
+						<div class="border-t border-[var(--color-border)]"></div>
+
+						<!-- ── Security ── -->
+						<section style="animation: fadeUp 0.35s ease both; animation-delay: 60ms">
+							<div class="flex items-start gap-3">
+								<div class="mt-0.5 flex h-8 w-8 shrink-0 items-center justify-center rounded-[var(--radius-avatar)] border border-[var(--color-border)] bg-[var(--color-bg-2)]">
+									<svg width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="text-[var(--color-text-tertiary)]"><rect x="3" y="11" width="18" height="11" rx="2" ry="2" /><path d="M7 11V7a5 5 0 0 1 10 0v4" /></svg>
+								</div>
+								<div>
+									<h2 class="font-serif text-heading text-[var(--color-text-bright)]">
+										{me.has_password ? 'Change password' : 'Add a password'}
+									</h2>
+									<p class="mt-0.5 text-ui text-[var(--color-text-tertiary)]">
+										{me.has_password
+											? 'Use a strong, unique password you don\'t use elsewhere.'
+											: 'Set a password so you can sign in with your email.'}
+									</p>
+								</div>
+							</div>
+
+							<div class="mt-5 space-y-4">
+								{#if me.has_password}
+									<div>
+										<label
+											for="current-password"
+											class="mb-1.5 block text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-tertiary)]"
+										>
+											Current password
+										</label>
+										<input
+											id="current-password"
+											type="password"
+											bind:value={currentPassword}
+											disabled={savingPassword}
+											autocomplete="current-password"
+											class="w-full rounded-[var(--radius-input)] border border-[var(--color-border)] bg-[var(--color-bg-2)] px-3 py-2 text-ui text-[var(--color-text-bright)] outline-none placeholder:text-[var(--color-text-muted)] transition-[color,border-color,box-shadow] duration-150 focus:border-[var(--color-accent)] focus:shadow-[0_0_0_2px_var(--color-accent-glow)] disabled:opacity-60"
+										/>
+									</div>
+								{/if}
+
+								<div>
+									<label
+										for="new-password"
+										class="mb-1.5 block text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-tertiary)]"
+									>
+										New password
+									</label>
+									<input
+										id="new-password"
+										type="password"
+										bind:value={newPassword}
+										disabled={savingPassword}
+										autocomplete="new-password"
+										placeholder="Min. 8 characters"
+										class="w-full rounded-[var(--radius-input)] border border-[var(--color-border)] bg-[var(--color-bg-2)] px-3 py-2 text-ui text-[var(--color-text-bright)] outline-none placeholder:text-[var(--color-text-muted)] transition-[color,border-color,box-shadow] duration-150 focus:border-[var(--color-accent)] focus:shadow-[0_0_0_2px_var(--color-accent-glow)] disabled:opacity-60"
+									/>
+								</div>
+
+								{#if !me.has_password}
+									<div>
+										<label
+											for="confirm-password"
+											class="mb-1.5 block text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-tertiary)]"
+										>
+											Confirm password
+										</label>
+										<input
+											id="confirm-password"
+											type="password"
+											bind:value={confirmPassword}
+											disabled={savingPassword}
+											autocomplete="new-password"
+											class="w-full rounded-[var(--radius-input)] border border-[var(--color-border)] bg-[var(--color-bg-2)] px-3 py-2 text-ui text-[var(--color-text-bright)] outline-none placeholder:text-[var(--color-text-muted)] transition-[color,border-color,box-shadow] duration-150 focus:border-[var(--color-accent)] focus:shadow-[0_0_0_2px_var(--color-accent-glow)] disabled:opacity-60"
+										/>
+									</div>
+								{/if}
+
+								{#if passwordError}
+									<p class="text-ui text-[var(--color-red)]">{passwordError}</p>
+								{/if}
+
+								<div class="flex items-center justify-between">
+									{#if me.has_password}
+										<button
+											type="button"
+											onclick={handleSendPasswordReset}
+											disabled={sendingReset}
+											class="text-meta text-[var(--color-text-tertiary)] transition-colors duration-150 hover:text-[var(--color-text-secondary)] disabled:opacity-50"
+										>
+											{sendingReset ? 'Sending…' : 'Forgot password?'}
+										</button>
+									{:else}
+										<span></span>
+									{/if}
+
+									<button
+										onclick={handleChangePassword}
+										disabled={savingPassword || passwordSaved || !newPassword || (me.has_password && !currentPassword) || (!me.has_password && !confirmPassword)}
+										class="flex items-center gap-2 rounded-[var(--radius-button)] px-4 py-2 text-ui font-semibold text-white transition-all duration-150 hover:-translate-y-px active:translate-y-0 disabled:hover:translate-y-0 {passwordSaved ? 'bg-[var(--color-accent-bright)]' : 'bg-[var(--color-accent)] hover:brightness-115 disabled:opacity-50'}"
+									>
+										{#if savingPassword}
+											<svg class="animate-spin" width="13" height="13" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><path d="M21 12a9 9 0 1 1-6.219-8.56" /></svg>
+											Saving…
+										{:else if passwordSaved}
+											<svg width="13" height="13" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="3" stroke-linecap="round" stroke-linejoin="round" class="check-draw"><polyline points="20 6 9 17 4 12" /></svg>
+											Saved
+										{:else}
+											{me.has_password ? 'Update password' : 'Set password'}
+										{/if}
+									</button>
+								</div>
+							</div>
+						</section>
+
+						<div class="border-t border-[var(--color-border)]"></div>
+
+						<!-- ── Connected Accounts ── -->
+						<section style="animation: fadeUp 0.35s ease both; animation-delay: 120ms">
+							<div class="flex items-start gap-3">
+								<div class="mt-0.5 flex h-8 w-8 shrink-0 items-center justify-center rounded-[var(--radius-avatar)] border border-[var(--color-border)] bg-[var(--color-bg-2)]">
+									<svg width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="text-[var(--color-text-tertiary)]"><path d="M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71" /><path d="M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71" /></svg>
+								</div>
+								<div>
+									<h2 class="font-serif text-heading text-[var(--color-text-bright)]">Connected accounts</h2>
+									<p class="mt-0.5 text-ui text-[var(--color-text-tertiary)]">
+										Sign in with a linked account instead of your password.
+									</p>
+								</div>
+							</div>
+
+							<div class="mt-5">
+								<!-- GitHub row -->
+								<div class="flex items-center justify-between rounded-[var(--radius-card)] border px-4 py-3 transition-colors duration-200 {me.providers.includes('github') ? 'border-[var(--color-accent)]/30 bg-[var(--color-accent-glow)]' : 'border-[var(--color-border)] bg-[var(--color-bg-1)]'}">
+									<div class="flex items-center gap-3">
+										<!-- GitHub icon -->
+										<svg width="20" height="20" viewBox="0 0 24 24" fill="currentColor" class="{me.providers.includes('github') ? 'text-[var(--color-text-bright)]' : 'text-[var(--color-text-secondary)]'}">
+											<path d="M12 0C5.37 0 0 5.37 0 12c0 5.31 3.435 9.795 8.205 11.385.6.105.825-.255.825-.57 0-.285-.015-1.23-.015-2.235-3.015.555-3.795-.735-4.035-1.41-.135-.345-.72-1.41-1.23-1.695-.42-.225-1.02-.78-.015-.795.945-.015 1.62.87 1.845 1.23 1.08 1.815 2.805 1.305 3.495.99.105-.78.42-1.305.765-1.605-2.67-.3-5.46-1.335-5.46-5.925 0-1.305.465-2.385 1.23-3.225-.12-.3-.54-1.53.12-3.18 0 0 1.005-.315 3.3 1.23.96-.27 1.98-.405 3-.405s2.04.135 3 .405c2.295-1.56 3.3-1.23 3.3-1.23.66 1.65.24 2.88.12 3.18.765.84 1.23 1.905 1.23 3.225 0 4.605-2.805 5.625-5.475 5.925.435.375.81 1.095.81 2.22 0 1.605-.015 2.895-.015 3.3 0 .315.225.69.825.57A12.02 12.02 0 0 0 24 12c0-6.63-5.37-12-12-12z" />
+										</svg>
+										<div>
+											<div class="text-ui font-medium text-[var(--color-text-primary)]">GitHub</div>
+											{#if me.providers.includes('github')}
+												<div class="flex items-center gap-1 text-meta text-[var(--color-accent)]">
+													<svg width="11" height="11" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="3" stroke-linecap="round" stroke-linejoin="round" class="check-draw"><polyline points="20 6 9 17 4 12" /></svg>
+													Connected
+												</div>
+											{:else}
+												<div class="text-meta text-[var(--color-text-muted)]">Not connected</div>
+											{/if}
+										</div>
+									</div>
+
+									{#if me.providers.includes('github')}
+										<button
+											onclick={() => { showDisconnectConfirm = true; disconnectError = null; }}
+											class="rounded-[var(--radius-button)] border border-[var(--color-border)] px-3 py-1.5 text-ui text-[var(--color-text-secondary)] transition-colors duration-150 hover:border-[var(--color-red)]/50 hover:text-[var(--color-red)]"
+										>
+											Disconnect
+										</button>
+									{:else}
+										<button
+											onclick={handleConnectGitHub}
+											disabled={connectingGitHub}
+											class="flex items-center gap-2 rounded-[var(--radius-button)] border border-[var(--color-border)] px-3 py-1.5 text-ui text-[var(--color-text-secondary)] transition-colors duration-150 hover:border-[var(--color-border-mid)] hover:text-[var(--color-text-primary)] disabled:opacity-50"
+										>
+											{#if connectingGitHub}
+												<svg class="animate-spin" width="13" height="13" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><path d="M21 12a9 9 0 1 1-6.219-8.56" /></svg>
+											{/if}
+											Connect
+										</button>
+									{/if}
+								</div>
+							</div>
+						</section>
+
+						<div class="border-t border-[var(--color-border)]"></div>
+
+						<!-- ── Danger Zone ── -->
+						<section style="animation: fadeUp 0.35s ease both; animation-delay: 180ms">
+							<h2 class="font-serif text-heading text-[var(--color-red)]">Danger zone</h2>
+							<p class="mt-1 text-ui text-[var(--color-text-tertiary)]">
+								Deleting your account is irreversible.
+							</p>
+
+							<div class="mt-5 rounded-[var(--radius-card)] border border-[var(--color-red)]/25 border-l-[2px] border-l-[var(--color-red)]/40 bg-[var(--color-red)]/[0.03] px-4 py-4">
+								<div class="flex items-start justify-between gap-4">
+									<div>
+										<div class="text-ui font-medium text-[var(--color-text-primary)]">Delete account</div>
+										<div class="mt-0.5 text-meta text-[var(--color-text-muted)]">
+											Your account will be deactivated immediately and permanently removed after 15 days.
+										</div>
+									</div>
+									<button
+										onclick={() => { showDeleteConfirm = true; deleteConfirmation = ''; deleteError = null; }}
+										class="shrink-0 rounded-[var(--radius-button)] border border-[var(--color-red)]/30 px-3 py-1.5 text-ui text-[var(--color-red)] transition-colors duration-150 hover:bg-[var(--color-red)]/10"
+									>
+										Delete account
+									</button>
+								</div>
+							</div>
+						</section>
+
+					</div>
+				{:else}
+					<!-- Loading skeleton -->
+					<div class="mx-auto max-w-[560px] space-y-6">
+						<div class="flex items-center gap-4" style="animation: fadeUp 0.35s ease both">
+							<div class="h-14 w-14 shrink-0 animate-pulse rounded-full bg-[var(--color-bg-3)]"></div>
+							<div class="flex-1 space-y-2">
+								<div class="h-4 w-24 animate-pulse rounded bg-[var(--color-bg-3)]"></div>
+								<div class="h-3 w-40 animate-pulse rounded bg-[var(--color-bg-2)]"></div>
+							</div>
+						</div>
+						{#each [140, 180, 100] as h, i}
+							<div style="animation: fadeUp 0.35s ease both; animation-delay: {(i + 1) * 60}ms">
+								<div class="animate-pulse rounded-[var(--radius-card)] bg-[var(--color-bg-2)]" style="height: {h}px"></div>
+							</div>
+						{/each}
+					</div>
+				{/if}
+			</div>
+		</main>
+<footer class="flex h-7 shrink-0 items-center justify-end border-t border-[var(--color-border)] bg-[var(--color-bg-1)] px-7">
+	<div class="flex items-center gap-1.5">
+		<span class="relative flex h-[5px] w-[5px]">
+			<span class="animate-status-ping absolute inline-flex h-full w-full rounded-full bg-[var(--color-accent)]"></span>
+			<span class="relative inline-flex h-[5px] w-[5px] rounded-full bg-[var(--color-accent)]"></span>
+		</span>
+		<span class="font-mono text-label uppercase tracking-[0.04em] text-[var(--color-text-secondary)]">All systems operational</span>
+	</div>
+</footer>
+
+<!-- Disconnect GitHub dialog -->
+{#if showDisconnectConfirm}
+	<div class="fixed inset-0 z-50 flex items-center justify-center">
+		<!-- svelte-ignore a11y_no_static_element_interactions -->
+		<div
+			class="absolute inset-0 bg-black/60 backdrop-fade"
+			onclick={() => { if (!disconnectingGitHub) showDisconnectConfirm = false; }}
+			onkeydown={(e) => { if (e.key === 'Escape' && !disconnectingGitHub) showDisconnectConfirm = false; }}
+		></div>
+		<div
+			class="relative w-full max-w-[420px] rounded-[var(--radius-card)] border border-[var(--color-border-mid)] bg-[var(--color-bg-2)] p-6"
+			style="animation: fadeUp 0.2s ease both; box-shadow: var(--shadow-dialog)"
+		>
+			<h2 class="font-serif text-heading text-[var(--color-text-bright)]">Disconnect GitHub</h2>
+			<p class="mt-1 text-ui text-[var(--color-text-tertiary)]">
+				You won't be able to sign in with GitHub. You can reconnect it later.
+			</p>
+
+			{#if disconnectError}
+				<div class="mt-4 rounded-[var(--radius-input)] border border-[var(--color-red)]/30 bg-[var(--color-red)]/5 px-3 py-2 text-meta text-[var(--color-red)]">
+					{disconnectError}
+				</div>
+			{/if}
+
+			<div class="mt-6 flex justify-end gap-3">
+				<button
+					onclick={() => showDisconnectConfirm = false}
+					disabled={disconnectingGitHub}
+					class="rounded-[var(--radius-button)] border border-[var(--color-border)] px-4 py-2 text-ui text-[var(--color-text-secondary)] transition-colors duration-150 hover:border-[var(--color-border-mid)] hover:text-[var(--color-text-primary)] disabled:opacity-50"
+				>
+					Cancel
+				</button>
+				<button
+					onclick={handleDisconnectGitHub}
+					disabled={disconnectingGitHub}
+					class="flex items-center gap-2 rounded-[var(--radius-button)] bg-[var(--color-red)] px-5 py-2 text-ui font-semibold text-white transition-all duration-150 hover:brightness-115 hover:-translate-y-px active:translate-y-0 disabled:opacity-50 disabled:hover:translate-y-0"
+				>
+					{#if disconnectingGitHub}
+						<svg class="animate-spin" width="13" height="13" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><path d="M21 12a9 9 0 1 1-6.219-8.56" /></svg>
+					{/if}
+					Disconnect
+				</button>
+			</div>
+		</div>
+	</div>
+{/if}
+
+<!-- Delete account dialog -->
+{#if showDeleteConfirm}
+	<div class="fixed inset-0 z-50 flex items-center justify-center">
+		<!-- svelte-ignore a11y_no_static_element_interactions -->
+		<div
+			class="absolute inset-0 bg-black/60 backdrop-fade"
+			onclick={() => { if (!deleting) showDeleteConfirm = false; }}
+			onkeydown={(e) => { if (e.key === 'Escape' && !deleting) showDeleteConfirm = false; }}
+		></div>
+		<div
+			class="relative w-full max-w-[420px] rounded-[var(--radius-card)] border border-[var(--color-border-mid)] bg-[var(--color-bg-2)] p-6"
+			style="animation: fadeUp 0.2s ease both; box-shadow: var(--shadow-dialog)"
+		>
+			<h2 class="font-serif text-heading text-[var(--color-text-bright)]">Delete account</h2>
+			<p class="mt-1 text-ui text-[var(--color-text-tertiary)]">
+				Your account will be deactivated immediately and permanently deleted after 15 days. This cannot be undone.
+			</p>
+
+			{#if deleteError}
+				<div class="mt-4 rounded-[var(--radius-input)] border border-[var(--color-red)]/30 bg-[var(--color-red)]/5 px-3 py-2 text-meta text-[var(--color-red)]">
+					{deleteError}
+				</div>
+			{/if}
+
+			<div class="mt-5">
+				<label
+					for="delete-confirm"
+					class="mb-1.5 block text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-tertiary)]"
+				>
+					Type your email to confirm
+				</label>
+				<input
+					id="delete-confirm"
+					type="email"
+					bind:value={deleteConfirmation}
+					disabled={deleting}
+					placeholder={me?.email ?? ''}
+					class="w-full rounded-[var(--radius-input)] border border-[var(--color-border)] bg-[var(--color-bg-4)] px-3 py-2 text-ui text-[var(--color-text-bright)] outline-none placeholder:text-[var(--color-text-muted)] transition-[color,border-color,box-shadow] duration-150 focus:border-[var(--color-red)] focus:shadow-[0_0_0_2px_rgba(207,129,114,0.1)] disabled:opacity-60"
+				/>
+			</div>
+
+			<div class="mt-6 flex justify-end gap-3">
+				<button
+					onclick={() => showDeleteConfirm = false}
+					disabled={deleting}
+					class="rounded-[var(--radius-button)] border border-[var(--color-border)] px-4 py-2 text-ui text-[var(--color-text-secondary)] transition-colors duration-150 hover:border-[var(--color-border-mid)] hover:text-[var(--color-text-primary)] disabled:opacity-50"
+				>
+					Cancel
+				</button>
+				<button
+					onclick={handleDeleteAccount}
+					disabled={deleting || deleteConfirmation !== me?.email}
+					class="flex items-center gap-2 rounded-[var(--radius-button)] bg-[var(--color-red)] px-5 py-2 text-ui font-semibold text-white transition-all duration-150 hover:brightness-115 hover:-translate-y-px active:translate-y-0 disabled:opacity-50 disabled:hover:translate-y-0"
+				>
+					{#if deleting}
+						<svg class="animate-spin" width="13" height="13" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><path d="M21 12a9 9 0 1 1-6.219-8.56" /></svg>
+					{/if}
+					Delete account
+				</button>
+			</div>
+		</div>
+	</div>
+{/if}
+
+<style>
+	/* ── Checkmark draw animation (mirrors CopyButton pattern) ── */
+	.check-draw {
+		animation: checkScale 0.3s cubic-bezier(0.25, 1, 0.5, 1) both;
+	}
+	:global(.check-draw polyline) {
+		stroke-dasharray: 24;
+		stroke-dashoffset: 24;
+		animation: checkStroke 0.3s cubic-bezier(0.25, 1, 0.5, 1) 0.05s forwards;
+	}
+	@keyframes checkScale {
+		0% { transform: scale(0.6); opacity: 0; }
+		50% { opacity: 1; }
+		100% { transform: scale(1); opacity: 1; }
+	}
+	@keyframes checkStroke {
+		to { stroke-dashoffset: 0; }
+	}
+
+	/* ── Avatar hover ring ── */
+	.avatar-ring {
+		transition: border-color 0.2s ease, box-shadow 0.2s ease;
+	}
+	.avatar-ring:hover {
+		border-color: var(--color-accent-mid);
+		box-shadow: 0 0 0 3px var(--color-accent-glow-mid);
+	}
+
+	/* ── Dialog backdrop fade ── */
+	.backdrop-fade {
+		animation: backdropIn 0.2s ease both;
+	}
+	@keyframes backdropIn {
+		from { opacity: 0; }
+		to { opacity: 1; }
+	}
+
+	/* ── Respect reduced motion ── */
+	@media (prefers-reduced-motion: reduce) {
+		.check-draw,
+		.avatar-ring,
+		.backdrop-fade {
+			animation-duration: 0.01ms !important;
+			animation-iteration-count: 1 !important;
+			transition-duration: 0.01ms !important;
+		}
+		:global(.check-draw polyline) {
+			animation-duration: 0.01ms !important;
+			animation-iteration-count: 1 !important;
+		}
+	}
+</style>
diff --git a/frontend/src/routes/dashboard/team/+page.svelte b/frontend/src/routes/dashboard/team/+page.svelte
index f17311b..d8f9823 100644
--- a/frontend/src/routes/dashboard/team/+page.svelte
+++ b/frontend/src/routes/dashboard/team/+page.svelte
@@ -1,6 +1,5 @@
 <script lang="ts">
-	import Sidebar from '$lib/components/Sidebar.svelte';
-	import { onMount } from 'svelte';
+	import { onMount, onDestroy } from 'svelte';
 	import { goto } from '$app/navigation';
 	import { fly } from 'svelte/transition';
 	import { cubicOut } from 'svelte/easing';
@@ -23,12 +22,6 @@
 	} from '$lib/api/team';
 	import { teams as teamsStore } from '$lib/teams.svelte';
 
-	let collapsed = $state(
-		typeof window !== 'undefined'
-			? localStorage.getItem('wrenn_sidebar_collapsed') === 'true'
-			: false
-	);
-
 	// Page data
 	let team = $state<TeamInfo | null>(null);
 	let members = $state<TeamMember[]>([]);
@@ -284,6 +277,10 @@
 	}
 
 	onMount(fetchTeam);
+
+	onDestroy(() => {
+		if (searchTimeout) clearTimeout(searchTimeout);
+	});
 </script>
 
 <svelte:head>
@@ -318,14 +315,10 @@
 	}}
 />
 
-<div class="flex h-screen overflow-hidden">
-	<Sidebar bind:collapsed />
-
-	<div class="flex flex-1 flex-col overflow-hidden">
-		<main class="flex-1 overflow-y-auto bg-[var(--color-bg-0)]">
+<main class="flex-1 overflow-y-auto bg-[var(--color-bg-0)]">
 			<!-- Header -->
 			<div class="px-7 pt-8">
-				<h1 class="font-serif text-page tracking-[-0.02em] text-[var(--color-text-bright)]">
+				<h1 class="font-serif text-page text-[var(--color-text-bright)]">
 					Team
 				</h1>
 				<p class="mt-2 text-ui text-[var(--color-text-secondary)]">
@@ -375,7 +368,7 @@
 								<path d="M23 21v-2a4 4 0 0 0-3-3.87"/><path d="M16 3.13a4 4 0 0 1 0 7.75"/>
 							</svg>
 						</div>
-						<p class="font-serif text-heading tracking-[-0.02em] text-[var(--color-text-bright)]">No team yet</p>
+						<p class="font-serif text-heading text-[var(--color-text-bright)]">No team yet</p>
 						<p class="mt-1.5 max-w-xs text-center text-ui text-[var(--color-text-tertiary)]">
 							Use the team switcher in the sidebar to create your first team.
 						</p>
@@ -466,26 +459,18 @@
 											<p class="mt-1.5 text-meta text-[var(--color-red)]">{nameError}</p>
 										{/if}
 									{:else}
-										<!-- svelte-ignore a11y_click_events_have_key_events -->
-										<div
-											class="group flex items-center gap-2"
-											onclick={canManage ? startEditName : undefined}
-											role={canManage ? 'button' : undefined}
-											tabindex={canManage ? 0 : undefined}
-											onkeydown={canManage
-												? (e) => {
-														if (e.key === 'Enter' || e.key === ' ') startEditName();
-													}
-												: undefined}
-											class:cursor-pointer={canManage}
-											title={canManage ? 'Click to edit' : undefined}
-										>
-											<span
-												class="text-ui font-medium transition-colors duration-300 {nameSavedFlash ? 'text-[var(--color-accent-mid)]' : 'text-[var(--color-text-bright)]'} {canManage ? 'group-hover:text-[var(--color-text-bright)]' : ''}"
+										{#if canManage}
+											<button
+												type="button"
+												class="group flex items-center gap-2 cursor-pointer"
+												onclick={startEditName}
+												title="Click to edit"
 											>
-												{team.name}
-											</span>
-											{#if canManage}
+												<span
+													class="text-ui font-medium transition-colors duration-300 {nameSavedFlash ? 'text-[var(--color-accent-mid)]' : 'text-[var(--color-text-bright)]'} group-hover:text-[var(--color-text-bright)]"
+												>
+													{team.name}
+												</span>
 												<svg
 													width="12"
 													height="12"
@@ -502,8 +487,14 @@
 													/>
 													<path d="M18.5 2.5a2.121 2.121 0 0 1 3 3L12 15l-4 1 1-4 9.5-9.5z" />
 												</svg>
-											{/if}
-										</div>
+											</button>
+										{:else}
+											<span
+												class="text-ui font-medium text-[var(--color-text-bright)]"
+											>
+												{team.name}
+											</span>
+										{/if}
 									{/if}
 								</div>
 							</div>
@@ -569,7 +560,7 @@
 						<div class="mb-4 flex items-center justify-between">
 							<div>
 								<h2
-									class="font-serif text-heading tracking-[-0.02em] text-[var(--color-text-bright)]"
+									class="font-serif text-heading text-[var(--color-text-bright)]"
 								>
 									Members
 								</h2>
@@ -717,6 +708,7 @@
 												<div class="w-px shrink-0 bg-[var(--color-border-mid)]"></div>
 												<!-- Chevron: Make Admin / Make Member -->
 												<button
+													aria-label="Role actions"
 													onclick={(e) => {
 														e.stopPropagation();
 														if (openDropdownId === member.user_id) {
@@ -765,7 +757,7 @@
 						>
 							<div class="border-b border-[var(--color-red)]/15 px-5 py-4">
 								<h2
-									class="font-serif text-heading tracking-[-0.02em] text-[var(--color-text-bright)]"
+									class="font-serif text-heading text-[var(--color-text-bright)]"
 								>
 									Danger Zone
 								</h2>
@@ -811,9 +803,15 @@
 			</div>
 		</main>
 
-		<footer class="h-px shrink-0 bg-[var(--color-border)]"></footer>
-	</div>
-</div>
+	<footer class="flex h-7 shrink-0 items-center justify-end border-t border-[var(--color-border)] bg-[var(--color-bg-1)] px-7">
+		<div class="flex items-center gap-1.5">
+			<span class="relative flex h-[5px] w-[5px]">
+				<span class="animate-status-ping absolute inline-flex h-full w-full rounded-full bg-[var(--color-accent)]"></span>
+				<span class="relative inline-flex h-[5px] w-[5px] rounded-full bg-[var(--color-accent)]"></span>
+			</span>
+			<span class="font-mono text-label uppercase tracking-[0.04em] text-[var(--color-text-secondary)]">All systems operational</span>
+		</div>
+	</footer>
 
 <!-- Split button dropdown -->
 {#if openDropdownId}
@@ -893,10 +891,10 @@
 
 		<div
 			class="relative w-full max-w-[400px] rounded-[var(--radius-card)] border border-[var(--color-border-mid)] bg-[var(--color-bg-2)] p-6"
-			style="animation: fadeUp 0.2s ease both"
+			style="animation: fadeUp 0.2s ease both; box-shadow: var(--shadow-dialog)"
 		>
 			<h2
-				class="font-serif text-heading tracking-[-0.02em] text-[var(--color-text-bright)]"
+				class="font-serif text-heading text-[var(--color-text-bright)]"
 			>
 				Add Member
 			</h2>
@@ -1030,10 +1028,10 @@
 
 		<div
 			class="relative w-full max-w-[380px] rounded-[var(--radius-card)] border border-[var(--color-border-mid)] bg-[var(--color-bg-2)] p-6"
-			style="animation: fadeUp 0.2s ease both"
+			style="animation: fadeUp 0.2s ease both; box-shadow: var(--shadow-dialog)"
 		>
 			<h2
-				class="font-serif text-heading tracking-[-0.02em] text-[var(--color-text-bright)]"
+				class="font-serif text-heading text-[var(--color-text-bright)]"
 			>
 				Remove Member
 			</h2>
@@ -1104,11 +1102,11 @@
 
 		<div
 			class="relative w-full max-w-[400px] rounded-[var(--radius-card)] border border-[var(--color-border-mid)] bg-[var(--color-bg-2)] p-6"
-			style="animation: fadeUp 0.2s ease both"
+			style="animation: fadeUp 0.2s ease both; box-shadow: var(--shadow-dialog)"
 		>
 			{#if myRole === 'owner'}
 				<h2
-					class="font-serif text-heading tracking-[-0.02em] text-[var(--color-text-bright)]"
+					class="font-serif text-heading text-[var(--color-text-bright)]"
 				>
 					Delete Team
 				</h2>
@@ -1119,7 +1117,7 @@
 				</p>
 			{:else}
 				<h2
-					class="font-serif text-heading tracking-[-0.02em] text-[var(--color-text-bright)]"
+					class="font-serif text-heading text-[var(--color-text-bright)]"
 				>
 					Leave Team
 				</h2>
diff --git a/frontend/src/routes/dashboard/snapshots/+page.svelte b/frontend/src/routes/dashboard/templates/+page.svelte
similarity index 82%
rename from frontend/src/routes/dashboard/snapshots/+page.svelte
rename to frontend/src/routes/dashboard/templates/+page.svelte
index 2ae201a..f159ed1 100644
--- a/frontend/src/routes/dashboard/snapshots/+page.svelte
+++ b/frontend/src/routes/dashboard/templates/+page.svelte
@@ -1,5 +1,5 @@
 <script lang="ts">
-	import Sidebar from '$lib/components/Sidebar.svelte';
+	import CopyButton from '$lib/components/CopyButton.svelte';
 	import { onMount } from 'svelte';
 	import { goto } from '$app/navigation';
 	import { fly } from 'svelte/transition';
@@ -12,12 +12,6 @@
 	} from '$lib/api/capsules';
 	import { formatDate, timeAgo } from '$lib/utils/format';
 
-	let collapsed = $state(
-		typeof window !== 'undefined'
-			? localStorage.getItem('wrenn_sidebar_collapsed') === 'true'
-			: false
-	);
-
 	// Page tab — Images is disabled/future
 	let pageTab = $state<'snapshots' | 'images'>('snapshots');
 
@@ -52,6 +46,9 @@
 		return snapshots.filter((s) => s.type === typeFilter);
 	});
 
+	// Suppress row fly-transitions after initial load so filter switches are instant.
+	let initialLoadDone = $state(false);
+
 	async function fetchSnapshots() {
 		loading = true;
 		error = null;
@@ -62,6 +59,9 @@
 			error = result.error;
 		}
 		loading = false;
+		// Allow entrance animations to play on initial load, then suppress
+		// them on subsequent filter changes to avoid visual flicker.
+		setTimeout(() => { initialLoadDone = true; }, 400);
 	}
 
 	async function handleDelete() {
@@ -149,16 +149,12 @@
 	}}
 />
 
-<div class="flex h-screen overflow-hidden">
-	<Sidebar bind:collapsed />
-
-	<div class="flex flex-1 flex-col overflow-hidden">
-		<main class="flex-1 overflow-y-auto bg-[var(--color-bg-0)]">
+	<main class="flex-1 overflow-y-auto bg-[var(--color-bg-0)]">
 			<!-- Header -->
 			<div class="px-7 pt-8">
 				<div class="flex items-start justify-between">
 					<div>
-						<h1 class="font-serif text-page tracking-[-0.02em] text-[var(--color-text-bright)]">
+						<h1 class="font-serif text-page text-[var(--color-text-bright)]">
 							Templates
 						</h1>
 						<p class="mt-2 text-ui text-[var(--color-text-secondary)]">
@@ -168,7 +164,7 @@
 				</div>
 
 				<!-- Page-level tabs -->
-				<div class="mt-5 flex gap-0 border-b border-[var(--color-border)]">
+				<div class="mt-6 flex gap-0 border-b border-[var(--color-border)]">
 					<!-- Snapshots tab (active) -->
 					<button
 						onclick={() => (pageTab = 'snapshots')}
@@ -224,15 +220,15 @@
 							</div>
 							<div class="skeleton h-4 w-20 rounded-sm"></div>
 						</div>
-						<div class="overflow-hidden rounded-[var(--radius-card)] border border-[var(--color-border)]">
-							<div class="grid border-b border-[var(--color-border)] bg-[var(--color-bg-3)]" style="grid-template-columns: 2fr 1fr 0.7fr 0.9fr 0.8fr 1.3fr 140px">
-								<div class="px-5 py-3 text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-muted)]">Name</div>
-								<div class="px-5 py-3 text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-muted)]">Type</div>
-								<div class="px-5 py-3 text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-muted)]">vCPUs</div>
-								<div class="px-5 py-3 text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-muted)]">Memory</div>
-								<div class="px-5 py-3 text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-muted)]">Size</div>
-								<div class="px-5 py-3 text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-muted)]">Created</div>
-								<div class="px-5 py-3 text-right text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-muted)]">Actions</div>
+						<div class="overflow-hidden rounded-[var(--radius-card)] border border-[var(--color-border)] shadow-sm">
+							<div class="grid border-b border-[var(--color-border)] bg-[var(--color-bg-0)]/40" style="grid-template-columns: 2fr 1fr 0.7fr 0.9fr 0.8fr 1.3fr 140px">
+								<div class="px-5 py-3 text-label font-semibold uppercase tracking-[0.06em] text-[var(--color-text-tertiary)]">Name</div>
+								<div class="px-5 py-3 text-label font-semibold uppercase tracking-[0.06em] text-[var(--color-text-tertiary)]">Type</div>
+								<div class="px-5 py-3 text-label font-semibold uppercase tracking-[0.06em] text-[var(--color-text-tertiary)]">vCPUs</div>
+								<div class="px-5 py-3 text-label font-semibold uppercase tracking-[0.06em] text-[var(--color-text-tertiary)]">Memory</div>
+								<div class="px-5 py-3 text-label font-semibold uppercase tracking-[0.06em] text-[var(--color-text-tertiary)]">Size</div>
+								<div class="px-5 py-3 text-label font-semibold uppercase tracking-[0.06em] text-[var(--color-text-tertiary)]">Created</div>
+								<div class="px-5 py-3 text-right text-label font-semibold uppercase tracking-[0.06em] text-[var(--color-text-tertiary)]">Actions</div>
 							</div>
 							{#each Array(4) as _, i}
 								<div
@@ -287,30 +283,28 @@
 
 						{#if filteredSnapshots.length === 0}
 							<!-- Empty state -->
-							<div class="flex flex-col items-center justify-center py-[72px]">
-								<div class="relative mb-5">
-									<!-- Radial glow behind icon -->
-									<div class="absolute inset-0 -m-4 rounded-full" style="background: radial-gradient(circle, rgba(94,140,88,0.08) 0%, transparent 70%)"></div>
+							<div class="flex flex-col items-center justify-center py-28 text-center">
+								<div class="relative mb-7">
+									<div class="absolute -inset-3 rounded-2xl bg-[var(--color-accent-glow)] blur-xl"></div>
 									<div
-										class="relative flex h-14 w-14 items-center justify-center rounded-[var(--radius-card)] border border-[var(--color-border-mid)] bg-[var(--color-bg-3)]"
-										style="animation: iconFloat 4s ease-in-out infinite"
+										class="empty-icon-float relative flex h-18 w-18 items-center justify-center rounded-xl border border-[var(--color-border-mid)] bg-[var(--color-bg-2)] shadow-card"
 									>
-										<svg width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="var(--color-text-secondary)" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round">
+										<svg width="32" height="32" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.25" stroke-linecap="round" stroke-linejoin="round" class="text-[var(--color-accent-mid)]">
 											<path d="M21 16V8a2 2 0 0 0-1-1.73l-7-4a2 2 0 0 0-2 0l-7 4A2 2 0 0 0 3 8v8a2 2 0 0 0 1 1.73l7 4a2 2 0 0 0 2 0l7-4A2 2 0 0 0 21 16z" />
 											<polyline points="3.27 6.96 12 12.01 20.73 6.96" /><line x1="12" y1="22.08" x2="12" y2="12" />
 										</svg>
 									</div>
 								</div>
-								<p class="font-serif text-heading tracking-[-0.02em] text-[var(--color-text-bright)]">
+								<p class="font-serif text-heading leading-snug text-[var(--color-text-secondary)]">
 									{emptyHeading(typeFilter)}
 								</p>
-								<p class="mt-1.5 max-w-[340px] text-center text-ui text-[var(--color-text-tertiary)]">
+								<p class="mt-2 max-w-[320px] text-ui text-[var(--color-text-muted)]">
 									{emptyDescription(typeFilter)}
 								</p>
 								{#if typeFilter === 'all' || typeFilter === 'snapshot'}
 									<a
 										href="/dashboard/capsules"
-										class="mt-6 flex items-center gap-2 rounded-[var(--radius-button)] border border-[var(--color-border-mid)] bg-[var(--color-bg-3)] px-4 py-2 text-ui font-medium text-[var(--color-text-secondary)] transition-all duration-150 hover:border-[var(--color-border-mid)] hover:bg-[var(--color-bg-4)] hover:text-[var(--color-text-primary)] active:scale-95"
+										class="mt-6 flex items-center gap-2 rounded-[var(--radius-button)] border border-[var(--color-accent)]/30 bg-[var(--color-accent)]/10 px-4 py-2 text-ui font-medium text-[var(--color-accent-bright)] transition-all duration-200 hover:bg-[var(--color-accent)]/20 hover:border-[var(--color-accent)]/50"
 									>
 										Go to Capsules
 										<svg width="12" height="12" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2.5" stroke-linecap="round" stroke-linejoin="round">
@@ -322,16 +316,16 @@
 							</div>
 						{:else}
 							<!-- Table -->
-							<div class="overflow-hidden rounded-[var(--radius-card)] border border-[var(--color-border)]">
+							<div class="overflow-hidden rounded-[var(--radius-card)] border border-[var(--color-border)] shadow-sm">
 								<!-- Header -->
-								<div class="grid border-b border-[var(--color-border)] bg-[var(--color-bg-3)]" style="grid-template-columns: 2fr 1fr 0.7fr 0.9fr 0.8fr 1.3fr 140px">
-									<div class="px-5 py-3 text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-muted)]">Name</div>
-									<div class="px-5 py-3 text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-muted)]">Type</div>
-									<div class="px-5 py-3 text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-muted)]">vCPUs</div>
-									<div class="px-5 py-3 text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-muted)]">Memory</div>
-									<div class="px-5 py-3 text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-muted)]">Size</div>
-									<div class="px-5 py-3 text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-muted)]">Created</div>
-									<div class="px-5 py-3 text-right text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-muted)]">Actions</div>
+								<div class="grid border-b border-[var(--color-border)] bg-[var(--color-bg-0)]/40" style="grid-template-columns: 2fr 1fr 0.7fr 0.9fr 0.8fr 1.3fr 140px">
+									<div class="px-5 py-3 text-label font-semibold uppercase tracking-[0.06em] text-[var(--color-text-tertiary)]">Name</div>
+									<div class="px-5 py-3 text-label font-semibold uppercase tracking-[0.06em] text-[var(--color-text-tertiary)]">Type</div>
+									<div class="px-5 py-3 text-label font-semibold uppercase tracking-[0.06em] text-[var(--color-text-tertiary)]">vCPUs</div>
+									<div class="px-5 py-3 text-label font-semibold uppercase tracking-[0.06em] text-[var(--color-text-tertiary)]">Memory</div>
+									<div class="px-5 py-3 text-label font-semibold uppercase tracking-[0.06em] text-[var(--color-text-tertiary)]">Size</div>
+									<div class="px-5 py-3 text-label font-semibold uppercase tracking-[0.06em] text-[var(--color-text-tertiary)]">Created</div>
+									<div class="px-5 py-3 text-right text-label font-semibold uppercase tracking-[0.06em] text-[var(--color-text-tertiary)]">Actions</div>
 								</div>
 
 								<!-- Rows -->
@@ -342,39 +336,39 @@
 										class="snapshot-row row-item relative grid items-center overflow-hidden border-b border-[var(--color-border)] transition-colors duration-150 last:border-b-0
 											{isSnapshot ? 'type-snapshot' : 'type-image'}"
 										style="grid-template-columns: 2fr 1fr 0.7fr 0.9fr 0.8fr 1.3fr 140px"
-										in:fly={{ y: 6, duration: 350, delay: i * 40, easing: cubicOut }}
-										out:fly={{ x: -12, duration: 180, easing: cubicIn }}
+										in:fly={initialLoadDone ? { duration: 0 } : { y: 6, duration: 350, delay: i * 40, easing: cubicOut }}
+										out:fly={initialLoadDone ? { duration: 0 } : { x: -12, duration: 180, easing: cubicIn }}
 									>
 										<!-- Left accent stripe -->
 										<div class="row-stripe pointer-events-none absolute left-0 top-0 h-full w-[3px]" style="background: {typeColor}"></div>
 
 										<!-- Name -->
 										<div class="min-w-0 px-5 py-4">
-											<span class="block truncate font-mono text-ui text-[var(--color-text-bright)]">{snapshot.name}</span>
+											<div class="flex items-center gap-1.5">
+												<span class="block truncate font-mono text-ui text-[var(--color-text-bright)]">{snapshot.name}</span>
+												<CopyButton value={snapshot.name} />
+											</div>
 										</div>
 
 										<!-- Type badge -->
 										<div class="px-5 py-4">
 											{#if isSnapshot}
-												<span class="inline-flex items-center gap-1.5 rounded-[3px] border border-[var(--color-accent)]/25 bg-[var(--color-accent)]/10 px-2.5 py-1 text-badge font-semibold uppercase tracking-[0.04em] text-[var(--color-accent-mid)]">
-													<span
-														class="inline-block h-[5px] w-[5px] shrink-0 rounded-full bg-[var(--color-accent)]"
-														style="box-shadow: 0 0 6px rgba(94,140,88,0.5); animation: wrenn-glow 1.8s ease-in-out infinite"
-													></span>
-													Snapshot
+												<span class="inline-flex items-center gap-1.5 rounded-full border border-[var(--color-accent)]/25 bg-[var(--color-accent)]/8 px-2.5 py-0.5 text-label font-medium text-[var(--color-accent-bright)]">
+													<span class="h-1.5 w-1.5 rounded-full bg-[var(--color-accent)]"></span>
+													snapshot
 												</span>
 											{:else}
-												<span class="inline-flex items-center gap-1.5 rounded-[3px] border border-[var(--color-blue)]/25 bg-[var(--color-blue)]/10 px-2.5 py-1 text-badge font-semibold uppercase tracking-[0.04em] text-[var(--color-blue)]">
-													<span class="inline-block h-[5px] w-[5px] shrink-0 rounded-full bg-[var(--color-blue)]"></span>
-													Image
+												<span class="inline-flex items-center gap-1.5 rounded-full border border-[var(--color-blue)]/25 bg-[var(--color-blue)]/8 px-2.5 py-0.5 text-label font-medium text-[var(--color-blue)]">
+													<span class="h-1.5 w-1.5 rounded-full bg-[var(--color-blue)]"></span>
+													image
 												</span>
 											{/if}
 										</div>
 
 										<!-- vCPUs -->
 										<div class="px-5 py-4">
-											{#if snapshot.type === 'snapshot' && snapshot.vcpus != null}
-												<span class="flex items-center gap-1.5">
+											{#if snapshot.vcpus != null && snapshot.vcpus > 0}
+												<span class="flex items-center gap-1.5" title={isSnapshot ? 'Required' : 'Recommended'}>
 													<svg width="11" height="11" viewBox="0 0 24 24" fill="none" stroke={typeColor} stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="shrink-0 opacity-50">
 														<rect x="4" y="4" width="16" height="16" rx="2" /><rect x="9" y="9" width="6" height="6" /><line x1="9" y1="1" x2="9" y2="4" /><line x1="15" y1="1" x2="15" y2="4" /><line x1="9" y1="20" x2="9" y2="23" /><line x1="15" y1="20" x2="15" y2="23" /><line x1="20" y1="9" x2="23" y2="9" /><line x1="20" y1="14" x2="23" y2="14" /><line x1="1" y1="9" x2="4" y2="9" /><line x1="1" y1="14" x2="4" y2="14" />
 													</svg>
@@ -387,8 +381,8 @@
 
 										<!-- Memory -->
 										<div class="px-5 py-4">
-											{#if snapshot.type === 'snapshot' && snapshot.memory_mb != null}
-												<span class="flex items-center gap-1.5">
+											{#if snapshot.memory_mb != null && snapshot.memory_mb > 0}
+												<span class="flex items-center gap-1.5" title={isSnapshot ? 'Required' : 'Recommended'}>
 													<svg width="11" height="11" viewBox="0 0 24 24" fill="none" stroke={typeColor} stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="shrink-0 opacity-50">
 														<rect x="2" y="6" width="20" height="12" rx="2" /><line x1="6" y1="12" x2="6" y2="12.01" /><line x1="10" y1="12" x2="10" y2="12.01" /><line x1="14" y1="12" x2="14" y2="12.01" /><line x1="18" y1="12" x2="18" y2="12.01" />
 													</svg>
@@ -423,6 +417,7 @@
 												<div class="w-px shrink-0 bg-[var(--color-border-mid)]"></div>
 												<!-- Chevron / dropdown trigger -->
 												<button
+													aria-label="More actions"
 													disabled={snapshot.platform}
 													onclick={(e) => {
 														e.stopPropagation();
@@ -467,15 +462,13 @@
 		<!-- Status bar -->
 		<footer class="flex h-7 shrink-0 items-center justify-end border-t border-[var(--color-border)] bg-[var(--color-bg-1)] px-7">
 			<div class="flex items-center gap-1.5">
-				<span
-					class="inline-flex h-[5px] w-[5px] rounded-full bg-[var(--color-accent)]"
-					style="animation: wrenn-glow 2.4s ease-in-out infinite"
-				></span>
+				<span class="relative flex h-[5px] w-[5px]">
+					<span class="animate-status-ping absolute inline-flex h-full w-full rounded-full bg-[var(--color-accent)]"></span>
+					<span class="relative inline-flex h-[5px] w-[5px] rounded-full bg-[var(--color-accent)]"></span>
+				</span>
 				<span class="font-mono text-label uppercase tracking-[0.04em] text-[var(--color-text-secondary)]">All systems operational</span>
 			</div>
 		</footer>
-	</div>
-</div>
 
 <!-- Split button dropdown -->
 {#if openDropdownName}
@@ -509,19 +502,23 @@
 <!-- Delete Confirmation Dialog -->
 {#if deleteTarget}
 	<div class="fixed inset-0 z-50 flex items-center justify-center">
+		<!-- svelte-ignore a11y_no_static_element_interactions -->
 		<div
 			class="absolute inset-0 bg-black/60"
+			role="presentation"
 			onclick={() => { if (!deleting) deleteTarget = null; }}
 			onkeydown={(e) => { if (e.key === 'Escape' && !deleting) deleteTarget = null; }}
 		></div>
 
 		<div
-			class="relative w-full max-w-[380px] rounded-[var(--radius-card)] border border-[var(--color-border-mid)] bg-[var(--color-bg-2)] p-6"
-			style="animation: fadeUp 0.2s ease both"
+			class="relative w-full max-w-[420px] rounded-[var(--radius-card)] border border-[var(--color-border-mid)] bg-[var(--color-bg-2)]"
+			style="animation: fadeUp 0.2s ease both; box-shadow: var(--shadow-dialog)"
 		>
-			<h2 class="font-serif text-heading tracking-[-0.02em] text-[var(--color-text-bright)]">Delete snapshot</h2>
-			<p class="mt-2 text-ui text-[var(--color-text-tertiary)]">
-				Permanently delete <span class="font-mono font-medium text-[var(--color-text-secondary)]">{deleteTarget.name}</span>.
+
+			<div class="p-6">
+			<h2 class="font-serif text-heading leading-tight text-[var(--color-text-bright)]">Delete snapshot</h2>
+			<p class="mt-1.5 text-ui text-[var(--color-text-tertiary)]">
+				Permanently delete <code class="rounded bg-[var(--color-bg-4)] px-1.5 py-0.5 font-mono text-[0.8rem] text-[var(--color-text-primary)]">{deleteTarget.name}</code>.
 				Running capsules won't be affected, but you won't be able to launch new ones from it.
 			</p>
 
@@ -538,7 +535,7 @@
 			{/if}
 
 			{#if deleteError}
-				<div class="mt-4 rounded-[var(--radius-input)] border border-[var(--color-red)]/30 bg-[var(--color-red)]/5 px-3 py-2 text-meta text-[var(--color-red)]">
+				<div class="mt-3 rounded-[var(--radius-input)] border border-[var(--color-red)]/30 bg-[var(--color-red)]/5 px-3 py-2 text-meta text-[var(--color-red)]">
 					{deleteError}
 				</div>
 			{/if}
@@ -554,7 +551,7 @@
 				<button
 					onclick={handleDelete}
 					disabled={deleting}
-					class="flex items-center gap-2 rounded-[var(--radius-button)] bg-[var(--color-red)] px-5 py-2 text-ui font-semibold text-white transition-all duration-150 hover:brightness-115 hover:-translate-y-px active:translate-y-0 active:scale-95 disabled:opacity-50 disabled:hover:translate-y-0"
+					class="flex items-center gap-2 rounded-[var(--radius-button)] bg-[var(--color-red)] px-5 py-2 text-ui font-semibold text-white transition-all duration-150 hover:brightness-110 hover:-translate-y-px active:translate-y-0 disabled:opacity-50 disabled:hover:translate-y-0"
 				>
 					{#if deleting}
 						<svg class="animate-spin" width="13" height="13" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2">
@@ -566,6 +563,7 @@
 					{/if}
 				</button>
 			</div>
+			</div>
 		</div>
 	</div>
 {/if}
@@ -581,12 +579,14 @@
 		></div>
 
 		<div
-			class="relative w-full max-w-[420px] rounded-[var(--radius-card)] border border-[var(--color-border-mid)] bg-[var(--color-bg-2)] p-6"
-			style="animation: fadeUp 0.2s ease both"
+			class="relative w-full max-w-[420px] rounded-[var(--radius-card)] border border-[var(--color-border-mid)] bg-[var(--color-bg-2)]"
+			style="animation: fadeUp 0.2s ease both; box-shadow: var(--shadow-dialog)"
 		>
-			<h2 class="font-serif text-heading tracking-[-0.02em] text-[var(--color-text-bright)]">Launch Capsule</h2>
+
+			<div class="p-6">
+			<h2 class="font-serif text-heading text-[var(--color-text-bright)]">Launch Capsule</h2>
 			<p class="mt-1 text-ui text-[var(--color-text-tertiary)]">
-				Configure resources and launch a new capsule from this snapshot.
+				Configure resources and launch a new capsule from this template.
 			</p>
 
 			{#if launchError}
@@ -597,17 +597,14 @@
 
 			<!-- Template name (readonly) -->
 			<div class="mt-5">
-				<label class="mb-1.5 block text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-tertiary)]">
+				<span class="mb-1.5 block text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-tertiary)]">
 					Template
-				</label>
+				</span>
 				<div class="flex items-center gap-2 rounded-[var(--radius-input)] border border-[var(--color-border)] bg-[var(--color-bg-0)] px-3 py-2">
 					{#if launchTarget.type === 'snapshot'}
-						<span
-							class="inline-block h-[6px] w-[6px] shrink-0 rounded-full bg-[var(--color-accent)]"
-							style="box-shadow: 0 0 6px rgba(94,140,88,0.5); animation: wrenn-glow 1.8s ease-in-out infinite"
-						></span>
+						<span class="h-1.5 w-1.5 shrink-0 rounded-full bg-[var(--color-accent)]"></span>
 					{:else}
-						<span class="inline-block h-[6px] w-[6px] shrink-0 rounded-full bg-[var(--color-blue)]"></span>
+						<span class="h-1.5 w-1.5 shrink-0 rounded-full bg-[var(--color-blue)]"></span>
 					{/if}
 					<span class="flex-1 font-mono text-ui text-[var(--color-text-bright)]">{launchTarget.name}</span>
 					<span class="text-label text-[var(--color-text-muted)]">
@@ -684,7 +681,7 @@
 				<button
 					onclick={handleLaunch}
 					disabled={launching}
-					class="flex items-center gap-2 rounded-[var(--radius-button)] bg-[var(--color-accent)] px-5 py-2 text-ui font-semibold text-white transition-all duration-150 hover:brightness-115 hover:-translate-y-px active:translate-y-0 active:scale-95 disabled:opacity-50 disabled:hover:translate-y-0"
+					class="flex items-center gap-2 rounded-[var(--radius-button)] bg-[var(--color-accent)] px-5 py-2 text-ui font-semibold text-white transition-all duration-150 hover:brightness-115 hover:-translate-y-px active:translate-y-0 disabled:opacity-50 disabled:hover:translate-y-0"
 				>
 					{#if launching}
 						<svg class="animate-spin" width="13" height="13" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2">
@@ -696,6 +693,7 @@
 					{/if}
 				</button>
 			</div>
+			</div>
 		</div>
 	</div>
 {/if}
@@ -705,17 +703,17 @@
 	.skeleton {
 		background: linear-gradient(
 			90deg,
-			var(--color-bg-4) 0%,
-			var(--color-bg-5) 50%,
-			var(--color-bg-4) 100%
+			var(--color-bg-3) 25%,
+			var(--color-bg-4) 50%,
+			var(--color-bg-3) 75%
 		);
 		background-size: 200% 100%;
-		animation: shimmer 1.6s ease-in-out infinite;
+		animation: shimmer 1.4s ease infinite;
 	}
 
 	@keyframes shimmer {
-		0% { background-position: 200% center; }
-		100% { background-position: -200% center; }
+		0% { background-position: -200% 0; }
+		100% { background-position: 200% 0; }
 	}
 
 	/* Left accent stripe — slides in on hover, color-keyed to snapshot type */
@@ -735,4 +733,9 @@
 	.snapshot-row.type-image:hover {
 		background: rgba(90, 159, 212, 0.04);
 	}
+
+	/* Empty state icon float — matches admin pattern */
+	.empty-icon-float {
+		animation: iconFloat 3s ease-in-out infinite;
+	}
 </style>
diff --git a/frontend/src/routes/dashboard/usage/+page.svelte b/frontend/src/routes/dashboard/usage/+page.svelte
index e7fdbed..216a8f5 100644
--- a/frontend/src/routes/dashboard/usage/+page.svelte
+++ b/frontend/src/routes/dashboard/usage/+page.svelte
@@ -1,14 +1,7 @@
 <script lang="ts">
-	import Sidebar from '$lib/components/Sidebar.svelte';
 	import { onMount } from 'svelte';
 	import { auth } from '$lib/auth.svelte';
 
-	let collapsed = $state(
-		typeof window !== 'undefined'
-			? localStorage.getItem('wrenn_sidebar_collapsed') === 'true'
-			: false
-	);
-
 	type EndpointStatus = 'loading' | 'available' | 'not_available' | 'error';
 	let status = $state<EndpointStatus>('loading');
 	let errorMsg = $state<string | null>(null);
@@ -47,23 +40,18 @@
 	<title>Wrenn — Usage</title>
 </svelte:head>
 
-<div class="flex h-screen overflow-hidden">
-	<Sidebar bind:collapsed />
-
-	<div class="flex flex-1 flex-col overflow-hidden">
-		<main class="flex-1 overflow-y-auto bg-[var(--color-bg-0)]">
+<main class="flex-1 overflow-y-auto bg-[var(--color-bg-0)]">
 			<!-- Header -->
 			<div class="px-7 pt-8">
-				<h1 class="font-serif text-page tracking-[-0.02em] text-[var(--color-text-bright)]">
+				<h1 class="font-serif text-page text-[var(--color-text-bright)]">
 					Usage
 				</h1>
 				<p class="mt-2 text-ui text-[var(--color-text-secondary)]">
 					Resource consumption and execution metrics across your team.
 				</p>
+				<div class="mt-6 border-b border-[var(--color-border)]"></div>
 			</div>
 
-			<div class="mt-6 border-b border-[var(--color-border)]"></div>
-
 			<!-- Content -->
 			<div class="p-8" style="animation: fadeUp 0.35s ease both">
 				{#if status === 'loading'}
@@ -97,8 +85,8 @@
 								</svg>
 							</div>
 						</div>
-						<p class="font-serif text-heading tracking-[-0.02em] text-[var(--color-text-bright)]">
-							Enterprise feature
+						<p class="font-serif text-heading text-[var(--color-text-bright)]">
+							Cloud Feature
 						</p>
 						<p class="mt-2 max-w-sm text-center text-ui leading-relaxed text-[var(--color-text-tertiary)]">
 							Usage tracking is available on Wrenn Cloud.
@@ -123,8 +111,14 @@
 					</div>
 				{/if}
 			</div>
-		</main>
+	</main>
 
-		<footer class="h-px shrink-0 bg-[var(--color-border)]"></footer>
+<footer class="flex h-7 shrink-0 items-center justify-end border-t border-[var(--color-border)] bg-[var(--color-bg-1)] px-7">
+	<div class="flex items-center gap-1.5">
+		<span class="relative flex h-[5px] w-[5px]">
+			<span class="animate-status-ping absolute inline-flex h-full w-full rounded-full bg-[var(--color-accent)]"></span>
+			<span class="relative inline-flex h-[5px] w-[5px] rounded-full bg-[var(--color-accent)]"></span>
+		</span>
+		<span class="font-mono text-label uppercase tracking-[0.04em] text-[var(--color-text-secondary)]">All systems operational</span>
 	</div>
-</div>
+</footer>
diff --git a/frontend/src/routes/forgot-password/+page.svelte b/frontend/src/routes/forgot-password/+page.svelte
new file mode 100644
index 0000000..4395366
--- /dev/null
+++ b/frontend/src/routes/forgot-password/+page.svelte
@@ -0,0 +1,99 @@
+<script lang="ts">
+	import { requestPasswordReset } from '$lib/api/me';
+
+	let email = $state('');
+	let loading = $state(false);
+	let submitted = $state(false);
+	let error = $state('');
+
+	async function handleSubmit(e: Event) {
+		e.preventDefault();
+		error = '';
+		loading = true;
+		await requestPasswordReset(email.trim().toLowerCase());
+		// Always show success to avoid leaking account existence
+		submitted = true;
+		loading = false;
+	}
+</script>
+
+<svelte:head>
+	<title>Wrenn — Reset password</title>
+</svelte:head>
+
+<div class="flex min-h-screen items-center justify-center bg-[var(--color-bg-0)] px-4">
+	<div class="w-full max-w-[400px]" style="animation: fadeUp 0.35s ease both">
+		<!-- Brand -->
+		<div class="mb-8 flex items-center gap-3">
+			<img src="/logo.svg" alt="Wrenn" class="h-10 w-10 rounded-[var(--radius-logo)]" />
+			<span class="font-brand text-page text-[var(--color-text-bright)]">Wrenn</span>
+		</div>
+
+		{#if submitted}
+			<div class="rounded-[var(--radius-card)] border border-[var(--color-border)] bg-[var(--color-bg-1)] p-6">
+				<h1 class="font-serif text-heading text-[var(--color-text-bright)]">Check your email</h1>
+				<p class="mt-2 text-ui text-[var(--color-text-secondary)]">
+					If an account exists for <span class="font-mono text-[var(--color-text-primary)]">{email}</span>, you'll receive a reset link shortly. The link expires in 15 minutes.
+				</p>
+				<a
+					href="/login"
+					class="mt-6 block text-center text-ui text-[var(--color-text-tertiary)] transition-colors duration-150 hover:text-[var(--color-text-secondary)]"
+				>
+					Back to sign in
+				</a>
+			</div>
+		{:else}
+			<div class="rounded-[var(--radius-card)] border border-[var(--color-border)] bg-[var(--color-bg-1)] p-6">
+				<h1 class="font-serif text-heading text-[var(--color-text-bright)]">Reset your password</h1>
+				<p class="mt-1 text-ui text-[var(--color-text-tertiary)]">
+					Enter your email and we'll send you a reset link.
+				</p>
+
+				{#if error}
+					<p class="mt-4 text-ui text-[var(--color-red)]">{error}</p>
+				{/if}
+
+				<form onsubmit={handleSubmit} class="mt-5 space-y-4">
+					<div>
+						<label
+							for="email"
+							class="mb-1.5 block text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-tertiary)]"
+						>
+							Email
+						</label>
+						<input
+							id="email"
+							type="email"
+							bind:value={email}
+							required
+							disabled={loading}
+							placeholder="you@example.com"
+							autocomplete="email"
+							class="w-full rounded-[var(--radius-input)] border border-[var(--color-border)] bg-[var(--color-bg-2)] px-3 py-2 text-ui text-[var(--color-text-bright)] outline-none placeholder:text-[var(--color-text-muted)] transition-colors duration-150 focus:border-[var(--color-accent)] disabled:opacity-60"
+						/>
+					</div>
+
+					<button
+						type="submit"
+						disabled={loading || !email.trim()}
+						class="flex w-full items-center justify-center gap-2 rounded-[var(--radius-button)] bg-[var(--color-accent)] py-2.5 text-ui font-semibold text-white transition-all duration-150 hover:brightness-115 hover:-translate-y-px active:translate-y-0 disabled:opacity-50 disabled:hover:translate-y-0"
+					>
+						{#if loading}
+							<svg class="animate-spin" width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><path d="M21 12a9 9 0 1 1-6.219-8.56" /></svg>
+							Sending…
+						{:else}
+							Send reset link
+						{/if}
+					</button>
+				</form>
+
+				<a
+					href="/login"
+					class="mt-5 block text-center text-meta text-[var(--color-text-tertiary)] transition-colors duration-150 hover:text-[var(--color-text-secondary)]"
+				>
+					Back to sign in
+				</a>
+			</div>
+		{/if}
+	</div>
+</div>
diff --git a/frontend/src/routes/login/+page.svelte b/frontend/src/routes/login/+page.svelte
index b3b76e8..18c55fa 100644
--- a/frontend/src/routes/login/+page.svelte
+++ b/frontend/src/routes/login/+page.svelte
@@ -1,6 +1,6 @@
 <script lang="ts">
 	import { goto } from '$app/navigation';
-	import { onMount } from 'svelte';
+	import { onMount, onDestroy } from 'svelte';
 	import { page } from '$app/stores';
 	import { auth } from '$lib/auth.svelte';
 	import { teams } from '$lib/teams.svelte';
@@ -17,15 +17,32 @@
 	let mode: 'signin' | 'signup' = $state('signin');
 	let email = $state('');
 	let password = $state('');
+	let confirmPassword = $state('');
 	let name = $state('');
 	let showPassword = $state(false);
 	let error = $state('');
 	let loading = $state(false);
+	let signupDone = $state(false);
+
+	const oauthErrorMessages: Record<string, string> = {
+		account_deactivated: 'Your account has been deactivated — contact the administrator to regain access',
+		access_denied: 'Access was denied by the provider',
+		email_taken: 'An account with this email already exists',
+		exchange_failed: 'Authentication failed — please try again',
+	};
 
 	// Read OAuth error forwarded from /auth/github/callback
 	onMount(() => {
+		if (auth.isAuthenticated) {
+			goto('/dashboard');
+			return;
+		}
+
 		const urlErr = $page.url.searchParams.get('error');
-		if (urlErr) error = decodeURIComponent(urlErr);
+		if (urlErr) {
+			const decoded = decodeURIComponent(urlErr);
+			error = oauthErrorMessages[decoded] ?? decoded;
+		}
 	});
 
 	// Mouse-reactive glow — moves opposite to cursor with viscous drag
@@ -35,7 +52,7 @@
 	let targetY = 50;
 	let rafId: number | null = null;
 
-	const LERP_FACTOR = 0.04; // lower = more drag
+	const LERP_FACTOR = 0.04;
 
 	function lerpLoop() {
 		const dx = targetX - glowX;
@@ -58,7 +75,6 @@
 		const normX = (e.clientX - rect.left) / rect.width;
 		const normY = (e.clientY - rect.top) / rect.height;
 
-		// Invert: mouse goes right → glow goes left
 		targetX = 55 - normX * 10;
 		targetY = 55 - normY * 10;
 
@@ -67,6 +83,10 @@
 		}
 	}
 
+	onDestroy(() => {
+		if (rafId !== null) cancelAnimationFrame(rafId);
+	});
+
 	const title = $derived(mode === 'signin' ? 'Welcome back' : 'Create account');
 	const subtitle = $derived(
 		mode === 'signin' ? 'Sign in to your Wrenn account' : 'Get started with Wrenn'
@@ -81,6 +101,8 @@
 		mode = mode === 'signin' ? 'signup' : 'signin';
 		error = '';
 		name = '';
+		confirmPassword = '';
+		signupDone = false;
 	}
 
 	async function handleSubmit(e: Event) {
@@ -88,11 +110,32 @@
 		error = '';
 		loading = true;
 
-		const result =
-			mode === 'signin'
-				? await apiLogin(email, password)
-				: await apiSignup(email, password, name);
+		if (mode === 'signup') {
+			if (password !== confirmPassword) {
+				error = 'Passwords do not match.';
+				loading = false;
+				return;
+			}
+			if (password.length < 8) {
+				error = 'Password must be at least 8 characters.';
+				loading = false;
+				return;
+			}
 
+			const result = await apiSignup(email, password, name);
+			loading = false;
+
+			if (!result.ok) {
+				error = result.error;
+				return;
+			}
+
+			signupDone = true;
+			return;
+		}
+
+		// Sign in
+		const result = await apiLogin(email, password);
 		loading = false;
 
 		if (!result.ok) {
@@ -138,7 +181,7 @@
 		>
 			<img src="/logo.svg" alt="Wrenn" class="h-20 w-20 rounded-[var(--radius-card)]" />
 			<span
-				class="mt-5 font-brand text-[3.143rem] tracking-[-0.01em] text-[var(--color-text-bright)]"
+				class="mt-5 font-brand text-[3.143rem] text-[var(--color-text-bright)]"
 			>
 				Wrenn
 			</span>
@@ -176,148 +219,185 @@
 		>
 			<img src="/logo.svg" alt="Wrenn" class="h-12 w-12 rounded-[var(--radius-card)]" />
 			<span
-				class="mt-2 font-brand text-page tracking-[-0.01em] text-[var(--color-text-bright)]"
+				class="mt-2 font-brand text-page text-[var(--color-text-bright)]"
 			>
 				Wrenn
 			</span>
 		</div>
 
 		<div class="w-full max-w-[400px]" style="animation: fadeUp 0.35s ease 0.1s both">
-			<!-- Header -->
-			<div class="mb-8">
-				<h2
-					class="font-serif text-display tracking-[-0.02em] text-[var(--color-text-bright)]"
+			{#if signupDone}
+				<!-- Post-signup confirmation -->
+				<div class="rounded-[var(--radius-card)] border border-[var(--color-border)] bg-[var(--color-bg-1)] p-6" style="animation: fadeUp 0.3s ease both">
+					<h2 class="font-serif text-display text-[var(--color-text-bright)]">Check your email</h2>
+					<p class="mt-2 text-body text-[var(--color-text-secondary)]">
+						We've sent an activation link to <span class="font-medium text-[var(--color-text-bright)]">{email}</span>. Click the link to activate your account.
+					</p>
+					<p class="mt-4 text-ui text-[var(--color-text-tertiary)]">
+						The link expires in 30 minutes. If you don't see it, check your spam folder.
+					</p>
+					<button
+						type="button"
+						onclick={switchMode}
+						class="mt-6 w-full rounded-[var(--radius-button)] border border-[var(--color-border-mid)] bg-[var(--color-bg-2)] px-4 py-3 text-body font-medium text-[var(--color-text-bright)] transition-all duration-150 hover:border-[var(--color-accent)]"
+					>
+						Back to sign in
+					</button>
+				</div>
+			{:else}
+				<!-- Header -->
+				<div class="mb-8">
+					<h2
+						class="font-serif text-display tracking-[0.01em] text-[var(--color-text-bright)]"
+					>
+						{title}
+					</h2>
+					<p class="mt-2 text-body text-[var(--color-text-secondary)]">
+						{subtitle}
+					</p>
+				</div>
+
+				<!-- GitHub OAuth -->
+				<a
+					href="/api/auth/oauth/github"
+					class="flex w-full items-center justify-center gap-2.5 rounded-[var(--radius-button)] border border-[var(--color-border-mid)] bg-[var(--color-bg-2)] px-4 py-3 text-body font-medium text-[var(--color-text-bright)] no-underline transition-all duration-150 hover:border-[var(--color-accent)] hover:text-[var(--color-text-bright)]"
 				>
-					{title}
-				</h2>
-				<p class="mt-2 text-body text-[var(--color-text-secondary)]">
-					{subtitle}
-				</p>
-			</div>
+					<IconGithub size={16} />
+					Continue with GitHub
+				</a>
 
-			<!-- GitHub OAuth -->
-			<a
-				href="/api/auth/oauth/github"
-				class="flex w-full items-center justify-center gap-2.5 rounded-[var(--radius-button)] border border-[var(--color-border-mid)] bg-[var(--color-bg-2)] px-4 py-3 text-body font-medium text-[var(--color-text-bright)] no-underline transition-all duration-150 hover:border-[var(--color-accent)] hover:text-[var(--color-text-bright)]"
-			>
-				<IconGithub size={16} />
-				Continue with GitHub
-			</a>
+				<!-- Divider -->
+				<div class="my-6 flex items-center gap-3">
+					<div class="h-px flex-1 bg-[var(--color-border)]"></div>
+					<span
+						class="font-mono text-badge uppercase tracking-[0.1em] text-[var(--color-text-muted)]"
+						>or</span
+					>
+					<div class="h-px flex-1 bg-[var(--color-border)]"></div>
+				</div>
 
-			<!-- Divider -->
-			<div class="my-6 flex items-center gap-3">
-				<div class="h-px flex-1 bg-[var(--color-border)]"></div>
-				<span
-					class="font-mono text-badge uppercase tracking-[0.1em] text-[var(--color-text-muted)]"
-					>or</span
-				>
-				<div class="h-px flex-1 bg-[var(--color-border)]"></div>
-			</div>
-
-			<!-- Form -->
-			<form onsubmit={handleSubmit} class="space-y-3">
-				{#if mode === 'signup'}
+				<!-- Form -->
+				<form onsubmit={handleSubmit} class="space-y-3">
+					{#if mode === 'signup'}
+						<div class="group relative">
+							<div
+								class="pointer-events-none absolute left-3 top-1/2 -translate-y-1/2 text-[var(--color-text-muted)] transition-colors duration-150 group-focus-within:text-[var(--color-accent)]"
+							>
+								<IconUser size={14} />
+							</div>
+							<input
+								type="text"
+								bind:value={name}
+								placeholder="Full name"
+								autocomplete="name"
+								class="w-full rounded-[var(--radius-input)] border border-[var(--color-border)] bg-[var(--color-bg-2)] py-3 pl-9 pr-3 text-body text-[var(--color-text-bright)] outline-none transition-all duration-150 placeholder:text-[var(--color-text-muted)] focus:border-[var(--color-accent)]"
+							/>
+						</div>
+					{/if}
 					<div class="group relative">
 						<div
 							class="pointer-events-none absolute left-3 top-1/2 -translate-y-1/2 text-[var(--color-text-muted)] transition-colors duration-150 group-focus-within:text-[var(--color-accent)]"
 						>
-							<IconUser size={14} />
+							<IconMail size={14} />
 						</div>
 						<input
-							type="text"
-							bind:value={name}
-							placeholder="Full name"
-							autocomplete="name"
+							type="email"
+							bind:value={email}
+							placeholder="Email address"
+							autocomplete="email"
 							class="w-full rounded-[var(--radius-input)] border border-[var(--color-border)] bg-[var(--color-bg-2)] py-3 pl-9 pr-3 text-body text-[var(--color-text-bright)] outline-none transition-all duration-150 placeholder:text-[var(--color-text-muted)] focus:border-[var(--color-accent)]"
 						/>
 					</div>
-				{/if}
-				<div class="group relative">
-					<div
-						class="pointer-events-none absolute left-3 top-1/2 -translate-y-1/2 text-[var(--color-text-muted)] transition-colors duration-150 group-focus-within:text-[var(--color-accent)]"
-					>
-						<IconMail size={14} />
-					</div>
-					<input
-						type="email"
-						bind:value={email}
-						placeholder="Email address"
-						autocomplete="email"
-						class="w-full rounded-[var(--radius-input)] border border-[var(--color-border)] bg-[var(--color-bg-2)] py-3 pl-9 pr-3 text-body text-[var(--color-text-bright)] outline-none transition-all duration-150 placeholder:text-[var(--color-text-muted)] focus:border-[var(--color-accent)]"
-					/>
-				</div>
 
-				<div class="group relative">
-					<div
-						class="pointer-events-none absolute left-3 top-1/2 -translate-y-1/2 text-[var(--color-text-muted)] transition-colors duration-150 group-focus-within:text-[var(--color-accent)]"
-					>
-						<IconLock size={14} />
-					</div>
-					<input
-						type={showPassword ? 'text' : 'password'}
-						bind:value={password}
-						placeholder="Password"
-						autocomplete={mode === 'signin' ? 'current-password' : 'new-password'}
-						class="w-full rounded-[var(--radius-input)] border border-[var(--color-border)] bg-[var(--color-bg-2)] py-3 pl-9 pr-10 text-body text-[var(--color-text-bright)] outline-none transition-all duration-150 placeholder:text-[var(--color-text-muted)] focus:border-[var(--color-accent)]"
-					/>
-					<button
-						type="button"
-						onclick={() => (showPassword = !showPassword)}
-						class="absolute right-3 top-1/2 -translate-y-1/2 text-[var(--color-text-muted)] transition-colors duration-150 hover:text-[var(--color-text-secondary)]"
-						tabindex={-1}
-					>
-						{#if showPassword}
-							<IconEyeOff size={14} />
-						{:else}
-							<IconEye size={14} />
-						{/if}
-					</button>
-				</div>
-
-				{#if mode === 'signin'}
-					<div class="flex justify-end">
+					<div class="group relative">
+						<div
+							class="pointer-events-none absolute left-3 top-1/2 -translate-y-1/2 text-[var(--color-text-muted)] transition-colors duration-150 group-focus-within:text-[var(--color-accent)]"
+						>
+							<IconLock size={14} />
+						</div>
+						<input
+							type={showPassword ? 'text' : 'password'}
+							bind:value={password}
+							placeholder="Password"
+							autocomplete={mode === 'signin' ? 'current-password' : 'new-password'}
+							class="w-full rounded-[var(--radius-input)] border border-[var(--color-border)] bg-[var(--color-bg-2)] py-3 pl-9 pr-10 text-body text-[var(--color-text-bright)] outline-none transition-all duration-150 placeholder:text-[var(--color-text-muted)] focus:border-[var(--color-accent)]"
+						/>
 						<button
 							type="button"
-							class="text-ui text-[var(--color-text-secondary)] transition-colors duration-150 hover:text-[var(--color-accent-mid)]"
+							onclick={() => (showPassword = !showPassword)}
+							class="absolute right-3 top-1/2 -translate-y-1/2 text-[var(--color-text-muted)] transition-colors duration-150 hover:text-[var(--color-text-secondary)]"
+							tabindex={-1}
 						>
-							Forgot password?
+							{#if showPassword}
+								<IconEyeOff size={14} />
+							{:else}
+								<IconEye size={14} />
+							{/if}
 						</button>
 					</div>
-				{/if}
 
-				{#if error}
-					<p class="text-ui text-[var(--color-red)]">{error}</p>
-				{/if}
-
-				<button
-					type="submit"
-					disabled={loading}
-					class="!mt-5 w-full rounded-[var(--radius-button)] bg-[var(--color-accent)] px-4 py-3 text-body font-semibold text-white transition-all duration-150 hover:brightness-115 hover:-translate-y-px active:translate-y-0 disabled:pointer-events-none disabled:opacity-50"
-				>
-					{#if loading}
-						<span class="inline-flex items-center gap-2">
-							<span
-								class="inline-block h-3.5 w-3.5 animate-spin rounded-full border-2 border-white/30 border-t-white"
-							></span>
-							{submitLabel}
-						</span>
-					{:else}
-						{submitLabel}
+					{#if mode === 'signup'}
+						<div class="group relative">
+							<div
+								class="pointer-events-none absolute left-3 top-1/2 -translate-y-1/2 text-[var(--color-text-muted)] transition-colors duration-150 group-focus-within:text-[var(--color-accent)]"
+							>
+								<IconLock size={14} />
+							</div>
+							<input
+								type="password"
+								bind:value={confirmPassword}
+								placeholder="Confirm password"
+								autocomplete="new-password"
+								class="w-full rounded-[var(--radius-input)] border border-[var(--color-border)] bg-[var(--color-bg-2)] py-3 pl-9 pr-3 text-body text-[var(--color-text-bright)] outline-none transition-all duration-150 placeholder:text-[var(--color-text-muted)] focus:border-[var(--color-accent)]"
+							/>
+						</div>
 					{/if}
-				</button>
-			</form>
 
-			<!-- Switch mode -->
-			<p class="mt-6 text-center text-ui text-[var(--color-text-secondary)]">
-				{switchText}
-				<button
-					type="button"
-					onclick={switchMode}
-					class="font-medium text-[var(--color-text-primary)] transition-colors duration-150 hover:text-[var(--color-text-bright)]"
-				>
-					{switchAction}
-				</button>
-			</p>
+					{#if mode === 'signin'}
+						<div class="flex justify-end">
+							<a
+								href="/forgot-password"
+								class="text-ui text-[var(--color-text-secondary)] transition-colors duration-150 hover:text-[var(--color-accent-mid)]"
+							>
+								Forgot password?
+							</a>
+						</div>
+					{/if}
+
+					{#if error}
+						<p class="text-ui text-[var(--color-red)]">{error}</p>
+					{/if}
+
+					<button
+						type="submit"
+						disabled={loading}
+						class="!mt-5 w-full rounded-[var(--radius-button)] bg-[var(--color-accent)] px-4 py-3 text-body font-semibold text-white transition-all duration-150 hover:brightness-115 hover:-translate-y-px active:translate-y-0 disabled:pointer-events-none disabled:opacity-50"
+					>
+						{#if loading}
+							<span class="inline-flex items-center gap-2">
+								<span
+									class="inline-block h-3.5 w-3.5 animate-spin rounded-full border-2 border-white/30 border-t-white"
+								></span>
+								{submitLabel}
+							</span>
+						{:else}
+							{submitLabel}
+						{/if}
+					</button>
+				</form>
+
+				<!-- Switch mode -->
+				<p class="mt-6 text-center text-ui text-[var(--color-text-secondary)]">
+					{switchText}
+					<button
+						type="button"
+						onclick={switchMode}
+						class="font-medium text-[var(--color-text-primary)] transition-colors duration-150 hover:text-[var(--color-text-bright)]"
+					>
+						{switchAction}
+					</button>
+				</p>
+			{/if}
 		</div>
 	</div>
 </div>
diff --git a/frontend/src/routes/reset-password/+page.svelte b/frontend/src/routes/reset-password/+page.svelte
new file mode 100644
index 0000000..8dfbd12
--- /dev/null
+++ b/frontend/src/routes/reset-password/+page.svelte
@@ -0,0 +1,138 @@
+<script lang="ts">
+	import { onMount } from 'svelte';
+	import { page } from '$app/stores';
+	import { goto } from '$app/navigation';
+	import { confirmPasswordReset } from '$lib/api/me';
+	import { IconLock } from '$lib/components/icons';
+
+	let token = $state('');
+	let newPassword = $state('');
+	let confirmPassword = $state('');
+	let loading = $state(false);
+	let error = $state('');
+	let done = $state(false);
+
+	onMount(() => {
+		token = $page.url.searchParams.get('token') ?? '';
+		if (!token) {
+			goto('/forgot-password');
+		}
+	});
+
+	async function handleSubmit(e: Event) {
+		e.preventDefault();
+		error = '';
+
+		if (newPassword !== confirmPassword) {
+			error = 'Passwords do not match.';
+			return;
+		}
+		if (newPassword.length < 8) {
+			error = 'Password must be at least 8 characters.';
+			return;
+		}
+
+		loading = true;
+		const result = await confirmPasswordReset(token, newPassword);
+		if (result.ok) {
+			done = true;
+		} else {
+			error = result.error;
+		}
+		loading = false;
+	}
+</script>
+
+<svelte:head>
+	<title>Wrenn — Set new password</title>
+</svelte:head>
+
+<div class="flex min-h-screen items-center justify-center bg-[var(--color-bg-0)] px-4">
+	<div class="w-full max-w-[400px]" style="animation: fadeUp 0.35s ease both">
+		<!-- Brand -->
+		<div class="mb-8 flex items-center gap-3">
+			<img src="/logo.svg" alt="Wrenn" class="h-10 w-10 rounded-[var(--radius-logo)]" />
+			<span class="font-brand text-page text-[var(--color-text-bright)]">Wrenn</span>
+		</div>
+
+		{#if done}
+			<div class="rounded-[var(--radius-card)] border border-[var(--color-border)] bg-[var(--color-bg-1)] p-6" style="animation: fadeUp 0.3s ease both">
+				<h1 class="font-serif text-display text-[var(--color-text-bright)]">All set</h1>
+				<p class="mt-1 text-ui text-[var(--color-text-secondary)]">
+					Your password has been updated. Sign in to continue.
+				</p>
+				<a
+					href="/login"
+					class="mt-6 flex w-full items-center justify-center rounded-[var(--radius-button)] bg-[var(--color-accent)] py-3 text-body font-semibold text-white transition-all duration-150 hover:brightness-115 hover:-translate-y-px active:translate-y-0"
+				>
+					Sign in
+				</a>
+			</div>
+		{:else}
+			<div class="rounded-[var(--radius-card)] border border-[var(--color-border)] bg-[var(--color-bg-1)] p-6">
+				<h1 class="font-serif text-display text-[var(--color-text-bright)]">Set new password</h1>
+				<p class="mt-1 text-ui text-[var(--color-text-tertiary)]">Must be at least 8 characters.</p>
+
+				{#if error}
+					<p class="mt-4 text-ui text-[var(--color-red)]">{error}</p>
+				{/if}
+
+				<form onsubmit={handleSubmit} class="mt-6 space-y-3">
+					<div class="group relative">
+						<div class="pointer-events-none absolute left-3 top-1/2 -translate-y-1/2 text-[var(--color-text-muted)] transition-colors duration-150 group-focus-within:text-[var(--color-accent)]">
+							<IconLock size={14} />
+						</div>
+						<input
+							id="new-password"
+							type="password"
+							bind:value={newPassword}
+							required
+							disabled={loading}
+							placeholder="New password"
+							autocomplete="new-password"
+							class="w-full rounded-[var(--radius-input)] border border-[var(--color-border)] bg-[var(--color-bg-2)] py-3 pl-9 pr-3 text-body text-[var(--color-text-bright)] outline-none placeholder:text-[var(--color-text-muted)] transition-all duration-150 focus:border-[var(--color-accent)] disabled:opacity-60"
+						/>
+					</div>
+
+					<div class="group relative">
+						<div class="pointer-events-none absolute left-3 top-1/2 -translate-y-1/2 text-[var(--color-text-muted)] transition-colors duration-150 group-focus-within:text-[var(--color-accent)]">
+							<IconLock size={14} />
+						</div>
+						<input
+							id="confirm-password"
+							type="password"
+							bind:value={confirmPassword}
+							required
+							disabled={loading}
+							placeholder="Confirm password"
+							autocomplete="new-password"
+							class="w-full rounded-[var(--radius-input)] border border-[var(--color-border)] bg-[var(--color-bg-2)] py-3 pl-9 pr-3 text-body text-[var(--color-text-bright)] outline-none placeholder:text-[var(--color-text-muted)] transition-all duration-150 focus:border-[var(--color-accent)] disabled:opacity-60"
+						/>
+					</div>
+
+					<button
+						type="submit"
+						disabled={loading || !newPassword || !confirmPassword}
+						class="!mt-5 w-full rounded-[var(--radius-button)] bg-[var(--color-accent)] py-3 text-body font-semibold text-white transition-all duration-150 hover:brightness-115 hover:-translate-y-px active:translate-y-0 disabled:opacity-50 disabled:hover:translate-y-0"
+					>
+						{#if loading}
+							<span class="inline-flex items-center gap-2">
+								<span class="inline-block h-3.5 w-3.5 animate-spin rounded-full border-2 border-white/30 border-t-white"></span>
+								Updating…
+							</span>
+						{:else}
+							Set password
+						{/if}
+					</button>
+				</form>
+			</div>
+		{/if}
+
+		<a
+			href="/login"
+			class="mt-5 block text-center text-meta text-[var(--color-text-tertiary)] transition-colors duration-150 hover:text-[var(--color-text-secondary)]"
+		>
+			Back to sign in
+		</a>
+	</div>
+</div>
diff --git a/frontend/static/logo.svg b/frontend/static/logo.svg
index 26f2ab1..560d80f 100644
--- a/frontend/static/logo.svg
+++ b/frontend/static/logo.svg
@@ -1 +1,38 @@
-<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="256" zoomAndPan="magnify" viewBox="0 0 192 191.999996" height="256" preserveAspectRatio="xMidYMid meet" version="1.0"><defs><filter x="0%" y="0%" width="100%" height="100%" id="6078813fb7"><feColorMatrix values="0 0 0 0 1 0 0 0 0 1 0 0 0 0 1 0 0 0 1 0" color-interpolation-filters="sRGB"/></filter><filter x="0%" y="0%" width="100%" height="100%" id="f02fe6c74b"><feColorMatrix values="0 0 0 0 1 0 0 0 0 1 0 0 0 0 1 0.2126 0.7152 0.0722 0 0" color-interpolation-filters="sRGB"/></filter><clipPath id="759b6f290c"><path d="M 15 0 L 178.6875 0 C 186.96875 0 193.6875 6.714844 193.6875 15 L 193.6875 177.078125 C 193.6875 185.363281 186.96875 192.078125 178.6875 192.078125 L 15 192.078125 C 6.714844 192.078125 0 185.363281 0 177.078125 L 0 15 C 0 6.714844 6.714844 0 15 0 Z M 15 0 " clip-rule="nonzero"/></clipPath><clipPath id="0098ea3924"><path d="M 0 0 L 192 0 L 192 192 L 0 192 Z M 0 0 " clip-rule="nonzero"/></clipPath><clipPath id="3f3e5e128e"><path d="M 15 0 L 178.6875 0 C 186.96875 0 193.6875 6.714844 193.6875 15 L 193.6875 177.078125 C 193.6875 185.363281 186.96875 192.078125 178.6875 192.078125 L 15 192.078125 C 6.714844 192.078125 0 185.363281 0 177.078125 L 0 15 C 0 6.714844 6.714844 0 15 0 Z M 15 0 " clip-rule="nonzero"/></clipPath><clipPath id="07d5eadf19"><rect x="0" width="192" y="0" height="192"/></clipPath><mask id="00b42c55a1"><g filter="url(#6078813fb7)"><g filter="url(#f02fe6c74b)" transform="matrix(0.208243, 0, 0, 0.208243, -50.60874, -0.000000000000023674)"><image x="0" y="0" width="1383" xlink:href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABWcAAAOaCAAAAADRmb89AAAAAmJLR0QA/4ePzL8AACAASURBVHic7N13nFTV2Qfw5zl3tsOy9N5BRKUpvduj0SQajTWWJL5qFBW7Yu8Fu9HEGAtYEGvsxtiNYheR3uvusuwu28vMPc/7x4IC7jBzZ2fuPffO7/tJTGSHnTN3zv3NmVOJAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACDZ2OsCAMB2vMM/iYhkp/8B30LOAniLt/2HhYTkl5nKzMRCJCSIXJ9CzgJ4hJv+q3f8o8xQRkgxExGJiGit7XDjDg9QhLT1IeQsgBf4p7DMzsvIbNWmoKBVfn62ysnNygopxSwkonUkYodrqutqqyurKssrGsLV9dv/NrLWT5CzAN5Q+Xk5bbt36965dU526zatczMzMrjZG1Ik0tjYUFVZUVdfXbRh3Yat1VvDrpcWWgI5C+CSn5uw+V069+jXp3vrnFZ5ea0ynPyOSGVlZU3N5jXL1hQXVsouvxZMhZwFcAGzCBGx1bZb5wFDBnQpKMhVOz9ie2j+kvzyB7pma8XmJT+sXLexThMRKUHYmgw5C5BiTEoLEeX07Ndz2F5d2xVkJuf3Sk1l6fJvl65ZU6YJUWs05CxAKrEim4izuwzqPmxs9/w8JiJJwo0n1PRLIhVlP3y2evHGaiGySCNqjYScBUgZZtZC3HbAkH1GDmiTzUSamh/rSogQCTNJY/Xabxf+sKjERtQaCjkLkBpNIZvVbciQwaO7ZysiTckM2e00MRNRY9G38xf8uKGG2LKRtKZBzgKkABOLUEaPcSOHDSnIIBJJRcY2ERIiRWRXLZ3/xWdr67YPuoExkLMAycdClLHnhBEDhrUnIhFSMf9KC217jooFP3761doGTPYyC3IWIAVyu008eO89cohIJGUN2V2IMBNJ+fLv/vvtWh378eAa5CxAErEQUajn+MP26p9PyZlZ4ETT89mbV37y/sJClqbigOeQswBJo0SI2o88fGK/AiIi8eT+EiYiXbTg9Y+WNWwrEngMOQuQHMwilL33xCP36hjyuixERFWrPnnvi0LCqJgBkLMAycBKi2o/8tAjemR51I7dhTDZ5f974/31jaQIvbXeMqA+APgeWxGyBk4+cnRHbhqNMoEQS+Wy9z6at5UU216XJq0ZUiMA/CxkS6v9Djx43wzetmrAEJoUUeF/3/q4yA5ptGm9Y1CdAPAnS0vrgw4/sJdlTlN2OxFipi1fvP3OSo0RMe8YVi0AfIel9a9/fXBnV1YjJECEiau/fP3txZjl5RnkLEBLsGT/6riDOhBp09qyPxNiql3w5nNLEbQeMbZqABiPhSh04En79/BqqmzchIlq5785ZyUJstYDRlcOAIMxCYXGnXxYT2Ex/z4SJqpd9PKc1YKlC+4zv34AGEmJWPudfEQfX91CNYtfenGljaR1m68qCYApFNuhfY48YfC2Za7+0bDoqRfWETNmebnJX3UEwAisbB70u+OHKMO7ZX9JiKu/ffq1QkVo0rrIZ7UEwABKU+ffnDJeaSMncu2eiKLKj59+qwILF1yEnAVwyLKzp55+RK5ZS7/iJ6Jo82tPzIuo5LRo0S6OzZcVxX3bLhNqFBCT9D/3qN6GrkqIixDRgjnPrUrSr9t2hC9Eh5wFcIKlzcmnjGLTJ8zGIMR18594WecqpYiZmJlIN500JkLbzhxrOlGXSIREdFOHLhMziZD+6Y91LfaoicXPdcU13KVr64LWqmLL1oriMBFh/WLaYglNOuPwNj5PWWpaV1G6nHJDSkQ0CTE3BSprImEhTaJJRIREE2kt0hS9TNx0+JiICJFt2w1l61YtXIKs3R2f1xY35I45ZFzn/ByLwtUVZUs/XLyqipC06UmJtD3nrC6W3+ZypZg01ha+/c8luCeiQ32JZdi0g7pk/fRvdnXx4nf+tyiCoE0/TGIdfs6EVgjZZjT8MPOlCG4KSIiiKd9qES1NtBYRaVh43Zgssnw7CgIJUUydLy4Re3tlSAndnFQ+YbJovfYkr98hg1leF8BoLD3unkA/t/qZSYisTpMmd99ULEmaFgO+YBEdcstpBSnZlUuIaNunORET8XZEJCRNf274l08p6D2v2OgSegk5uztKzjsxY+dZksxMwh3GD42sbsDFSxts2fmnzByZISrJUbJt8ImYWSmlFDNpW9vbiCi1/c+ZRLt+TnncmKh94edY+RCFEQdzmop1wdTcX9ZrZhGaNHjc7WsZHVLpgZW9x/knFmhOameRkDSN3pMONzZU1VSUl1dXVDeGxdZaiIgsDuXmZWe06tyxTX52VpZFRCS66a+YhnXWwbM24IZoHnJ2N5Tdv0ezQ8vMotuf3ev+d7GZZ1pg0r+6akxIJzFlhYiZmOrrGysK128oLisrraqsaYyE7Z3bhBxiFcrJa9uhfdsuvXt1LsjKy9q2LMC0rGUa0H8DbofmIWd3g2nPblF/RPTrwY89UImgDT6W3D+dN1BLMhuzTGRXbS1ctHhTRcmG6saw/sWPqalTIUxE1SVriDgjM7tTp4Ke+wzq3qatkfdtbluvS2AsI98vc3TNjfYTJuF+l/e/ZQW28gw4Fhl2+UEdkjIAtv3LUW1Z1eYVi1cWF24K/1R7eIe5gtvr1E8DsKRJGhurtywiDrXv0an/4AFd27fPbHqsMS1bf2734Ark7G5l7aYJw0StTtnz7tcaFHr/g4tF6Nc3DlMtP8lWtgVR5cYtq75cVLKlZHu12dYPIM3sESA7/u+22QfhoiIiLujcdc8Re/btvm1xlhEJ11jrdQmMhZzdrUiMOenW2IdH3LOFsYtGUDFR/l/O6dfiINsWhY1r1q//5ruNxXW7/Cze3/Hz/y8vX/JBVre9x+7Te0ArYjJg7zDh8kKPi2Au5OxuVYWzYjyi/aUDZ34lFlZ3BxIru/+Vx+S3cAWYCDOR1K/6cdFnKzbXUtPRYi0uGzWsXv1Gu17j9t1ncL4i8X4z3PlrsUwyCuTsbgit39p59w9hsX4/9N7HG9BLG0RKRUbesn+oZTErolgiFT8uWPTd0gpNpCQ5Rxk09UOUln6f13v0iJF751nkadIK179XgS924JyiwfMl1qpHbUvVbX0p2fPXwXuKMg/7rIULbW1bpHHLh7efNCibiNhK9td7thQRZe1x0gML62yxU7sqeLcvVL4cbEY3MfgMU/v3YlcwbUvkv0daCqvDAkZR28uXS6QFyaW1iFR/d8dxe+QQkWWl5sNYWYqI8kZOe2mDLdqjpLV1/QVGrp8A47FS/4qrjomsv6yt591jkFRMfZ+ualFrVovUrnvlzBG5RKSsVGYQWxaR1eFXDy5t3L7bkbu0RGZ3xR0ACbHotK1x1TJbqueM8bq0kFzD32rhZll2yefXTu1IRKRSn0CsiChrxCVflMfs6koBLZ8MQ8xCYpgGfhtnPdP20tNC3k+ugeRgRZM/lhbFbHjV62f0t8jF6fuKibj3X98pEu161i48DHtSQaKYn4y3omkpmdnyeZZgBLbo8Dg/YZurClokvHT24R2JXa4QTMTU7sS5xeJm94EWWXkcWrOQMKbjy+Ovbw3zjlRo0gYAW/T7BQmnjhap/+ruya08Kz21+8PTRSJutWm1yJLjEbPQEl0dNWsKL+mEgxZ8Tyl1yspEQ8cWafjmxn2Vh19tmKnt0c9VirYTfBHOXrGWb4/C9zhomVsdVFYtda+NR9D6nKKc6RsS+9attUj4u2vGZHo8n9pi6nzqe1rbqU9areXD/RGz0ELD1zj4/qVtWXByPkYE/ExR3vVbJKGAsrU0LLplQgZZXtcADhENunGZndjrcEDb9msj0GkALZU120k/l47Iln8MppROloRUYmp1d2Vi37i1NCy/fkw2qZABb78KUebEZ7bYqR0O0zoyZwDaFdByx2x1FLS2tj86xID7DBLU/qHahBZVaWksfGxqFrEpqaMU5Z/wTUqneGmpf6I3YhZajKn9686+fGlbVlyc73W5IUGdH29IMHSqXj22A5m00QUz8aAHNyT4cuKgpf4fWAUGyXHkRodBq2XrU3tgaMCHmLo8mWDM1v7vwm7Ehs3qU0yhY75I9IMjtsp7OiBmIRmYsu9IYJX7xwdYSFq/UdQlkdas1iILb+9v4jm0TEQDHixK0XBY2Q2tzHvJ4E8WDVmQQD1dfWN3DIf5i0VdH0ssZstfPjDD69JHw5RzzvLkrw7TWgovz/T6xUFgMNNfEtibQ4dfGmpgAweisqhLYjGrv5vW1evC7wazOuLrZK8O01rWT0OXASSPonZPO28PaFt/c3IOxmJ9Q1GXx+udf5xqKZo1kY3upWSL9nupLqlBq7Ws+D80IyCZQrT/kgQatLZsuaMT+g58QlHnf9U77ofXWi/4c3vjlwAq6nlPmWh7F/onjl+2vex0DEBAcll0aU0iQasjTw/FFl6+wNTpUccxq7VUvnYAs0FzuaKwqODyouivw3nNXnRiyLC5FUbD19p4sKwb0d9xrWIWNXTf8NII6qPxWDrdfnKGw+QQ5g0PXL9AsU5RqZJHrLpvajvWVFdV19TUVFdVVVZV1dTU1NU1NNTWhcMRh2srWH68/nnBoYvxQwTExbKPvbdbAn9PmMoeu30LTls2Xtfbj8t0fK5t/ZKbXg0n44xwFyid2SvT2jbBV4iIiZkzmNjKLDrD2ZCWfHnd25b2xcsGX1H0iMPvVtu/YUnDC2OxKa3ZmLrNanT67VnLlsdGGLX+a/d2V863nL30DyZi2AFSgWnAvMQGbLXYy87ORtIaTFH3pxudvq1aNl6U46+3lZulOONpR/VZvz3cP58u4DfHbklwZoyWrff1JaNn/qQ1i7o/FXb8nka+PykjCN1urOgeB7OGtejXhwThdYOhQo42SNy5bjZ+9gcLbQAzKeo+O+zsrdVa6l8eF4g3lC06v9TJK7dfG4yYhRQatjDRZeJaS9GlXfz1JTNdKOo2u9HZB6gWKb+zTyC+oLBFx66K/0NG2/bLeyJmIZV4Wm2iJy5pLXXPTfJ+m33YlaJuT4adzZvVElk1vVUgYpYUjf8+/taDtvUrewTjhYOpmNrOdr5y5uebUxaekoWmgGGYuj7Z6DRmG947MsSBSBtFgz6VSLwvX9v6lYGYcg+ppWi/bxNfJK5tKbqlPxoDRmHq8mSjs89OLTVPDQnIqCZT27kOYlbrfw8MxgsHgzHTOQksv/25mkrthwd7/SJgJ12czpvVUnVnp8D0tIeuqnPyKfNvHAUGqaeow6yW7C+ntSw5OxeL8EzB1NV5zJZe3To4bbrfbHIytPtvfB0DN4Ro/+Ut2l5OS9ms4QhaMyjq+qTDebNaNp2bGZSwYRr5fdy1WYu8NQAVF9zAiq5s6T6ekW8OU4H53ulnFnV70ukqMFn9FxWU946pS/zLbbWWd/dCzII7mDq+2uL9ktde0gXLwz1nUbdZzpYnaJHlp7qUsk1LYlP7FHRTXdwvXcv/hqe0NAA7sOiYdQlE6863a/XLIykUkC+ffqWox9PO5s1q0QuPceObCLMKWcyslJXCxnOIjo37xHFty9cT0ZoF96jQ3Y6/bO5aa7V8+bvsoPTy+ZOiHs9ohzEbXvBbF2JWhZiIfnoiDqXmq49Fgz+Lv3NWLzgUMdsSuHgOsez1zLAW/g7R1obZD23ADp6eYek581hxEppC9vwZ76R6r1lm0qTadOvTv63YkYqlS6pqNVEKKgqz3HRJRpwb7mpeddmLPtlmFwKC6YySFnfRaml4fSQ+5bzC1P05cdiabfx0Yso3jmEi6vOnB17+ZlNdONzYULn83afuO298QQoqikXHbYy3Fmsp+6sKwp454CvZ/4x7CU3Uqqu1fP+nPK9fSdrq+ZzTA4zDH+3nwhz9nKkPfF658xNXLXrhjE7JDlqL9v48/phtvDk7GMuMwVdGLU10464da6+UPd4fLVoPMPWd62y5iZbw+yMplOJiMQ35x2otIrLLObRb/nNOu6TWFKacO+y4P2j0o20xmADu4zMrWtxzIFpEPv0NdpZxnaL+Lzpd1We/MzzVrVlFrS5YHBHZpaHd9G8VLx+Q3FO8/1gWf1Ph5e6IWXAfU8dXWt6gFRHRG29sH4jdov2DLRr0itPtZiOvDE1x1DBT/39VRU//yNrpeUkrAlPvefFX4I/2QcyCF5gOWZ2UoNUSnjWIUY3dwxYNfUM77DRoeHFw6t+jg78I76ZUWqrv6ZK0QmReHe+qRi3fT8FXLvAEU8YNkZb3HIiIrSOfn5SLJq1b2KKR/4m/Z7IpaRrnDEp9zJ6wdvcjc1rqZ/VIVjF+Wxhn7bVl/bFoBoBHLNrrf0nJWdG2lN41kDCc6w6Lxr3vdHlCw7Mp33RV0bHFseaZaWl4vHNympbt34rzXBCtay5OxhMCJCREp5UmJ2jFlshHJ2ciaN3ANP4jhzGrG+b0T/0Q2PhFsfuhtNTfk5eMoFXXx7mvgdb2g5h7CN5R1OEZB3frbiuzLbL5JgzpuoBp0kfO5s1qqX8h5a1Zps4vx/OhraX6yswWL/xlmrA6viaC1pHXe6NzFjxk0aRFDu7X3ddnWxpePxh9tKnGNPkzpzHbMDflRwgwZ94Z35YZthQd09LSMLV+Ks5Xb8vyqfj4B09ZdF3cu8rFpMVecTam0qaWokmfOl2e0PBc6k9qCdGRcQ5LaVtebekXH4vO3Rrvq6+9NLmTdgGcYur2qoNbNlad1lJ2V8+AnO5nJovGfuz0bWlMfWuWFLV9Jt5WtpaGS1q2ZZiiPefFWSXF/ld7VEjwGNPUtU7v291W67pPjrZw0EKKcIjGfeh04DLsxoSuEP1ha9yTsW2Z16KpvExZ98c9e/i9vXDqIhjg3gaHN+5uaSm+PDgnqZqFLRr7gdNVYI3PDUh9zDK1eiT+TmMtDdNbsntXiA6OcxDMlo1HImbBBL3fTc7y2233kJbat6aSQuVOOrZo7AeOlyc868bxroomrnRQi2x5q0fiOauo01PxdlFXXo6YBTMcU56kSbRNtMiKU1tjdVjSKZrseN5s/Vw3YpaJzo84+ACwpeSIluTsCfFO+258rDXGwMAETLkPhR1uY7p7OiIl9w7CIY1JpuiwLx0vT3ClNdvUbeDgS5G27asSngSgaMB78T2Zli+wewwYgmnPb5LZcyAiWho/mIRO2qRiOuoHh/Nmdd0zfV3JGUX9vpKIg6JF5KU2CeYsE18YX7tAS8mJiFkwBBOdVZ3UngMRbcvCUzO8fmVBwnTSUqfLExpn9XKnd5JpyiZHH9W2zO+XcM7u+0Ncma6l/q7MJL9QgIQp6vh4cjbu2qGS21L8jwFev7LgYPrLaqfLE+rdilki+v1udp1thi3rRiX6VBk3xzcWqOWzPkl8hQAtZNGEJUnOWdFaIp9OJHQeJAMrnrbB6TvQ8GRP98baT3fWxa+l9NBEn2pcfDMbbCn+QzJfIUALMatLa5IdtCIiKy/uQAo9ZC3FnHFhsdP3p/6f3VzsnLzQ6cG7lb9L8JlCd8fZmq27OQdzDcAkinrEtdeSY/UvDkOLtqUUZV202dnbo6XusW6upQyTutZpzlYfneCTjVse16Ww5eM9MAgGZgnRr1c5uY/jvZ20fHlsLmaKt4ii7BlbnE2801L/eE/3GnNMoZuczVjRUnVUYs+VcV9c8xq0FJ2I1iyYRtE1VU5ulHjZUnxfb0ylbQGmrOsqHcasrn+ql4uNOSbrGqft2a2/SeyZxiyP7wrIYwVozoJpmHp96ORWjvuGsnXk9YnYwithTJm31MR5QMtP17zxmd4uX/HznOZsya8SeRq27gzH9wzfTaZQsl8kQEspOsbxiHZcbFt+OC8fQZuorNtrHfbN6ro5/dy+3ic6K6Qt68Yn8CyK9vsxrksgdZehtwrM9I84mwoOaS1Vj/ZCZ1lisu50HLMNz6X8LLBdMB2+xeE6ha8TOEuGlbojzlVn77t9CQDiNOT7lMw5EC1iv3OYhXkHjjHl3FnndKZBw5x+bmcM034rHObsMwls8KJor2/iuxobjkfMgqlOLUtN0IoWvf7aAszwcogpb2a907ek0f2YJUVd33Kyv4HWkRnO95FhRVeH45vUNQdTZ8FQTPkvONnczhEtdU8OQtA6oqjNPY5jtuFpF7b13hVTxi1OBsJsKfmt82dR1Of9+C7HkimIWTDX2B+SvHHXjsJfHp+BGV7xU5R/b6PTToP6J/t4ETFMxzn5LmTL+wnMOwvRWfH1Vdffj1oGxmLisyudTSFyQGu9+doOaNLGS1H+PY2Olyc80oJzClpU2L7/if8jWmt9tfNuA0WdX4gnZm35ep+UvEiApFDU7fmU9RyI1tIwexz2O4gPU9sHncasrnu4s0cT6BRdYsfdoLVl1VTn5bToqJI4slxLzZWpeIUAyaJo0g8pGgprur/shWfnMII2NqYODzs85ULr2vs7ejVP2aL9vou3Qau1PJznfBSMWv89ng14bf1RnxS8QICkYaZrkr0T7S532NaZfTHlJiamdo84O3FRtK65v4Nny0HYomvibdDasmiC8zqgaPKquJqzFWeiawrMZlG/N53c3E5pWxo+OEJhNHj3mDo8oh2vAruvnYer7hT1fzfOkkp4hvNTOpmsq3TsTx6t7ee7oHqB4UL0h00pbNCKaC3rpmXjTtgdps6POY1ZqfWwNUtEFKKj4124/e8ezkvK1O/bOKboaik6CpULTMeU+w8nB+olQEvZ3wcRboaoLOrxdPyDStvUPeRtzBIpmhnPKgIt88cmVNJ4tlDQ2n6kLaoWGI9p0AcpbdCKiDTO+zUjaaOwqNezzmP24U5eX0+mDnNiH2GmZev/JdBBz9T25bh6Z4uOxpZF4AOK/lzi7B5PxMbpnZz30aUFi/rMdToEJvWPdPQ6ZomI+r8dY0aA1lJ7S2LDoIeWxNOclac8m3IB4EjrJ1LccyCipXruKLJwR/yCor4vaEd7uYrW9Y8YMfbDtM+bu11+q7UUX5OV0O/OvCuuPomNx2I2C/jEsAUpXH67/Y6Qr36bg6bHrizq96KzLbNF23X/7GLGlVS0x7ONYkepPNrW+ttTnS8EIyKigYvi6kqZi+Ys+Mb0rSnvotW2rLu5H/Y72JmiPV6KY/bSzhey/u+dTAkXRZ2vWR5p9oNC21rXPD1aJbjw+qzqOC6FbDkDzVnwjQ6vpW757U9sqX9zHPY72BHTPq/Fs+ZpB1rXPGxMzBIpypr6aqUtu3xYaK1FV385vXOiH6wFb8R1Nd7pa86lAIjlt4Up7zkQ0bZ8f3qm1y/VIEwj3ok9Yr/zNZTae9ublC1KUacT3yn8ZUkrv7hsr1CCJWWasCaeq1F6Lpqz4BtMObc2pL5BK1pL8UM9vX61xrBov/ccx2zFHW1NilkiZqL8Qx//vmSHU5Aatyx48U8DVMJfXphmxnU5PhhgwnBgcOHiJpfSg2fvJ65cVf3epd8ziRtPZTjLHj1zktO/VPm32yqVTkVxEsdCFOozYL8h7Vrn5yhdX7px+fyF62q2/SShX9j1+QlxPK7h5htNuxYA0THR6XFMV0yO+We2xWaJxCEa85njK152YwLHbKVeU5GyOvYaOmnK+CHds1v46yw6fnM8V2PBfiZeDIBomFo/7HBAJnEV/xrE6X6DcIjGzXP8yVZ+Q24aXDhWGY/FczUa/5bhdVEBHAnRhPkuNWi1RP53Ym6aD2BYNOlLx8sTyq43+7hB3qaFvya+Y261rD0oKaUGcI9Ffy13K2ht2TKza1ovw1V00LeOlyeUpUVrlsiic6viydmX2npdUgCHmDq86lYPrbZ15Nl903g4U9GRPzqeN1t+Xau0uGJMbZ6J43pI+Z+8LimAYxYdtjTR4HRKa5F5p6btMlxFxy51GrN22Q2t0uN6WTRpeTzN2S/6eV1SAOcUXVebeHQ6pEWKb2uXFu2zX1B07Ernrdkb8tIjZlnR5bGPV9dSe3XI66ICOMfU5+MWJKdDWkvDnFHpuAzXomNWOr5aZdenSWuWmPJnxW7O2rJhitclBUgE01Hr3eqiFRGRyJK/Zqdb0rJFRy13fKXKrk2PITAismj4/JiLwLUtL7ZPlysCQaMeCruZs1oq7uhMaXXuOCs6epnjD7MtV2WlTagoOr06jm6DqnNwuif41WDnc+dbQkvDB0dnpNEML0Xqj6udbmkgRZdnpM0VYsq8K/aMN1vmj0iTfhQIouNKXNi462daS/FlndKm74BJ/d8mpyNgsmF6KH2abooGzYvdbaAj9+enzzWBgGEqeDzs1vLbbXeM1D47mVRarA5j4rM2O/sc09pee04axSwxHV0RO2el9I9pdE0gaBSNWeJqg1a0LbLwtNx0+BLIRNNKfMjzzwAAIABJREFUnK0C01qvPi2dNoNgsmbYMS+Rlg8Hp0ONgYBiyr6hwdUuWhFty+Y79wp+Jy0zX1jmsG9W2ytPTqeYJaaOr0usY0G1hO9Im/kXEEQWDXzX5ZwVraX+s98E/rZhdbHTHSS0XvoHTq/5GDRxXRzdBmuPTPN9iMDnLDrJYaMrCbSWVZfke/3SU4o5dLnj0y71D0cEv52/iz/Fc7LHi93QbQB+xpT/sHY9aEVLxQsjAryzDFP2VRWOL+v3h6TZAcFMuY/G0ZwNX5/oMboAZrBo4o+JpmWL6G8Pt4I6w0tR7nVx7PW38/WQhYem37fjQQvi6TY4nLC5AfiboqurEk/Llth4Uy+ygvh9UFHu9bEXOe1My5qj0vDL8UHxnJ/0du80vDIQLEwdnnN1atd2Whre2C+I/ZFMuTfUaGfX1JbiXaeIJum4ArOdFUf3bOTuUMCvAqQBRUesTjQrW0Tb8vUf8gL3XZkp54Yah6s/tJSdQUxErJRlWVYoZFlqG8uyQqFQyFIqeKGb/XQc07fXHR24OgJpiDNuqk40K1tE21L4QN+ANWmZcm6scdhpYOvyM8iyQqFYV4KVZQUpbXvHcTKYfDgA3QauQCd4Skn4/lGHiAc3L5Pucma/Oz4iFvefPEVYcmZMz3V2NUWVn/cU20QUys/MzW+VkdGxIJSRFVJMRHY40lhRSZHqyoryusZGIiJSJBSIS9a5S+zHyKJ1AaofJkPOptjmh/fq4UnQsliH9370ia3uP3WKsORcNT3H2bXUquTMlyl/cO9O3brl57XKzQ6F8nKU1dTMZxE70tCoI3U1W8ura8rWrVxXUVcTlNwZGscZGyWfNyrtRmHSHnI21d4YemmeF0FLTLL3NcOuXxOQFgtL3uVOY5aE/lt0+bDOXTvlZTX781BW3vb/qxuqSrdUVm1YtLywpNL/1yzrgOzY12rjgmC03SHtMfX4yNV9u3agRSLvHZYZiDULTHk31TnemEdL5eaf/46OYse/ESlfNW/uBRN6ZTQ9q28vXa/v47g8L+M8cZdgtDHlKqsnt9ae3K9MpPpMbv1jrf/HOpS0uuLCHHH6Qpiy8n6+9BzFTk+U3bbHXhMO/tXQ1rl1DUTEyo8tPqahp7WO+ajKWR+4UBYg5GzqMW3qua+H62ALxvdcVCq+TIufKZ17xYVOOw0Sxlnteo089LDxHXPra0X8OGdDybFHxOoSFN748FpXSgPI2dRTdVtGdvMsZ1lb+4wJLw37+o1myZ1xUbaL11CIs9vtOfWQsd1oS1jYdxdPMs8eEfNBvPTx4IySGs53Nch/RK3X47zb5JOJek7NW1xJ/m3SKsmdcaGr5ycyEwmFCvaYOrVv66oK4ZCvLh5Th//rFftR7z1ju1AYIOSsG1iKBg5hT+YcEBExUc64gVvXastXWfEzllZXXehma5aoqS+XRKz2Iw8d1q2+NKz8NAVByZ6ntYvxGOHaWZ+7UhpAzrpBQhVlw7t418vHJNaek7Pm1/tz9Jyl4Orpmd7MQWYRlT1w8ti+sjHso8FEJYcf3fxEth3w5n+udqMwQMhZV2hrVdtRMet96jALFYzruqbYjznL0va68zK8+jbATEKhruMnDa1b482kkQQwySlTYj1IeNUj5W6UBgg56w6W9UMGeloAlsyhY6qW+CYqfsLS/tpzQp51ujQ1aokLhk8cWLrRs0I4w9Lq5L1jPUj43efCbpQGCDnrDlFbS8a297QILKrbpKwf/NZ3oKT9dWdlaG+/szcl7b77d11b5ouDKpS0P7VPjMcINzz5PzcKA0TIWZcIreo3NMPTIjBTq9FDN68RPyWt0gXXnZnpeHlC0jETqXajx4fX+uGDSsngkzvG+grA5bOXulMcAPf0/K/jVaNJp/Wav7Tx0WJSiwrudvtw9t2qfWNihvkHVYToxNJYV82WJcP80DYPCLRn3VJZe0Ce992jBZP32LRB+WQqrdLtr/trhkFpIBkDpuavLRfL7EleLL87RMW4bMLznqo158oGHXLWNev77W15nBnMOmfImMJVEV8ErdKdrzszZNJG1CzSduqIxg21YvJ0WhbrmLExOpJFNbz03why1i3IWbdww6rx3TwcN99WCpEuEzOXVfngfVe6x41/Mipmm0bE+h42KFxU532fcVQsbU4aHKOmCVc/95VL5QHkrHuYynInZnkftCRtxg5cscn4N17pftefEjIuzpgkY++DB0eK64zt5rZkj9O6xuw2KH5qlakvIICMv92CQ9lreu/Nnvc2MkvG4GHrVpr7vZeIiJQefMPx5sVsU5M2d58D91Xr671+K6NQMuXknFj1jBfMKvNF71EwIGddI1ZlyZQ4DhNJOSbuOSprVY3X5dgdSw+/6SgvlyfsBpNw3p4HjVRFRl5CJjnssBgjAUL0zr/r3SoRIGddVdR6vAnZwSwdxw5ZVOx1OaKz7OG3H2rCpWoWMwln7XHwqKwNteaducCkjpwSaz0Fh1/8wNTLG0TIWRepyOp+g42o3ExZA0eXrrRNy4htlJ509yRjY5aIiIk4c8ABI2ljnWlHLrDk/mG4xGjPcs3L3xp8eQMHOesisbY2ji3wuhTbcLfJ7ZdWGDkTlOXwe0ZYhn4GbMfElDngkFFcWGPWEjslXU7uH6NjW7j02eVmfTwEG3LWVbysyyhTjhiW1qMHLCw2byIos5xw90B/nBYjWQMOGRourhOD7iMlA0+LtepWeMXsYuSsewyqH+lA6Y1jehjyfZiFB+9bYtyaBWY59fYe3s/LiAuLZA46ZGhkY505a+yUjD4xN+buBl8+X2XcJ2yAIWddJapERsc+iNQdTNJzQoeFZq1ZYNYn3tbdF9tiERExi84ZfGD/8rUe7yn2Exba/4gYi5WF6b3XsSmii4y6x9KA0MLBe5rSc8AkBWN6rd5kUqhZ+vhbepnV4bl7rERyh0/pUFhiRqFZ6JBDYk83eOdD7zfbSCPIWbfZW8Z1NqTngJhFDdmPljZ6XZCfWPbxt/Yx5fLEiVmo7YQxaq0R+7IwZf52XKwPKq7/9zxD2t/pATnruvWhsTnGJAkTd5vQ5dtqM8rDSp96S2+TmtfxYSLV/cC9StYZ0OOppO3xe8daR8clTy9T2p0CASFnvbB6XF8zvmISEbFwzvB9iteakPxMdNYt3u+1kwBmoYzBB3ZZXeb5O8vS7fSYQ628dNZmYwbu0gFy1n21hRPam9M5xkTWgKmZ8xs9/x6pJOOcGzr4MWaJiJm49djR5asiHi9bYNnrtDYxc/brOTWYbuAi5KzrmNbnTjBssVObcd2WlJLXAZEx7eq2/us02I6JueeB3Vd4fR1p1O9j9Usxzfs3phu4CTnrPmVv2Ke/URNEmTOHjaxaZntZG1hC5/k5ZomIWHJHj6te0+Dt4o/xR8ae1vXx27avr7TfIGfdJ6p88/h2ZjVoRfWeqhfXete7qCR0wdUFZl0U55io+4HdV5WwZ0HLRJMPj/UhzuE3P/S8myitIGc9Udh9jFENWmKiVhN6Fm/w6u5TOnP6jJjdiuZjtnP3HV27usGrG4spdOj+Mad11Tz/PaYbuAk56wWrsWjPvmZlChNlDh9Zs8CbzkUleRfNyPd/zBKREukxtfMqr1YtMOUeNTJmzhbPWYHpBm5CznpBrEJ7fCuvS7EzZqGuY1str/QgH1jaX3FJXiBilohJckaNrl9se/Ts+SftGXP67JpnC5GzbkLOemRd/xFeF2FXTJI/evjmVa4/sZKuV/01x5QNAlqMmajH1I4Lqrx4ciXtTusZ41IyLZqzFdO63ISc9YZVt2ZYT68LsStmCvWbULPA5cm9lu56w+nZgYlZImKi3HHDileyF50HvU/pELPrf/4rmD7rKuSsN0QVtRmd43Upfomp3Zh2K7a6OUandMfrT8k28MTFFmAm6ncALWxw/ds506ATY3d0f/caDgdzFXLWI0JLB+1lYIckU6uRe69b596iJqU73HBadkD6Znck+Qf0XLbZ/Y+Pvf4Qc/dZ+ur1cPAuuMmQs56pK5wQa9t7T0jGwLFbVoZdCghLd77u9Gyj5rglCYsaNqpkpe12k3bIMVmxLqd8/KY7ZYFtkLPe2dhuXxPbcSzUcVKb1WWuHB1m2T2vOy0niDFLxKR7TpYf612+x0YdrWJdz9q3P8Z0A1chZ70ji4f3NzFhmKXVmCEbVrmwqMmyB9xyQpaBHzZJwUrnT+yxstjdvoNJR8TcJr38pfnIWVchZz1UU7d/ayMzhoX7j7JX16b6ZrTswbf93rAtdZKKdWjfkSVL3Fz8wVMOiZmzm+esQs66CjnrHab1BftmGJkyLNJpwl7LilL7LEoPu+PXysgLkCws1GOKtbDOvddoHTg1Zs5unLMJ07pchZz1kGpcP7a75xtDN4uJsvcesXVJKu9GSw+ZeXCwY5aIiVpP6b3crV21mTIOHx9zjtyG50uQs65CznqqlCabc4bNTpiJekzstagiZaVTetg9+1smdlAnFbOEho4uWuHO28yUffzQmE+1dm65G4WBnyBnvaRkbdcRZm3c9TNmar3fPosKU9PgZpbR90yKOTIeBCzUfX+9qN6N4TCmgtP6xczZVc97sYtFOkPOekms2trRnQyu8mrAJGtVTQoqCQv96t6RysxOk2RjltYT+y0vdmE4jKnDH7vHzNnlLxpy8GbaQM56S63KHGviJNrtpNOUnis2S7IDgoWOu2eQMvd1JxlLaNiY8tWpX/zB1OHk2MfWL33JiCPQ0why1lsshcMGGvzlmXXGkFGR5UnetpqJ/nhrHzL4dScbk3Q7oN2SranvO+h6YuyjLOe/Up8+l94IyFlviVUeHtXW61LsBhN3n9J+0dZkfsNnltNv7BVz9lGgMNt54watTP2BFV1PiH0k0ufY3sBlyFmPifqx14iQ16XYDWadPXpg8erk7SzDrE+/oafBnSWpoTTvMbZkZarPP+xyYsxT1uTjtwjTulyFnPUaS9HoHl4XIgY1aGzGD41JCggmOe3GHkHabjZOTLrL1KwfU9w12vWP+bH6Y+yP3023DzmvIWe9JlxcM8roEwiZhTuM67y0LCktWib64409g7XdbJxY2a3HDVhSnNL3ut/JubFyNvzBR1h26y7krAEW7znE5J4DIhbOGj6hYUkS9vhjoRNv7WXyx0oqKbH2Hl+1WKdwBHCf42Juixj+8BMsB3MXctYAsnZ8V5fPinGIiVT3yZnz61o6dsVCx92Zfn2zP2GWLgd0WVhBKRsEHPb7jFg52/j+Z8hZdyFnTVAcnppjdtASMeWN3rtoXcum0rLQCXf2SN+YJSKm7DEjitbqVAXtqN/FXGTX8J8vkbPuQs4agGn9XoOMX4LKkrHnQXULWzLXnoVOvTW9Y5aIiPoc2Hp5pUpN1o07ImaC1772PXLWXchZE3Dt+nGdjI8fJiqYnLukMuGWGAudfnN30z9PXKDzJw0rWR9OyYkVE34V8/2pemkxctZdyFkTMBXnTcj0Q9Bmj96ndKVKrO9AMf3llq7Gv0oXsMiAA/OWVaTixIqJh8a8wlufX5n0p4XdQs4aQdmbBgwyP4CYdWjgpLpFCR2Xzcx/uTH22vu0wKTzxw+vWGEnf3rbxINj5+zcdXgX3IWcNYJYZXUTjZ5Euw2LtJ3QZXWJ86BlyT7r2s5puDyhWay0GrB/j8KipPeiTDooZjUqf2G9+TUtWJCzptjUeaTlh6BlyRkxrnip478nbS64sj1i9idM1HrM5IxlyT7SZvKBMWtR2fMbza9owYKcNYRVv2rwAF/UfhbVfVKrRbWOWmJK2s2YVoCY3QETcceD9i1bk9xVC1MOiJmzpc8X+qKmBQhy1hBibeHR+V6XIi7M0mbsyFXrHcy1V7rDzafnp+Vi2+iYhdWAQ7uv2yLJ26SHpu4fM2e3zC1CzroLOWuO5d1H+OTtYMroP2nL8ki8ual0h9tOzvNBr4jLmIhyRh+QsbZKOEmfQTwlds6WPJ/aLRbgF3xyY6cDDq8bF/vIEVNIh/27riiNbwao0gU3nmroeZOeY+p4wJjG4hpJcLbcrr9u6tQ4cnYz3gt3IWfNwSV5I/O8LkS8WHLHjFi9Np5luJbOv/KMXMRsFKytPofuJ1uqkpK0vP+UmFd68/MleDPchZw1yY8D9/LNmVksus9YWVpvxcoGyy644pxWiNmomO2sgYful7N1q1Yt7j2IJ2eLnivFu+Eu5KxJGgsPin3oiCmYdadJfRduiVGFlG5/5bnom90tJTq7/yETOtdujlALP2j5wMkxr/WmOeV4O9yFnDVKoWX06bc7YyUZw4euXbXbByndccZZuZjQtXusRGf0mLz/4JyKSmnRNC8+cFLMCrRxToVf6lhQIGdNwrJqZD8fHU/IRH0m5i2ui/4Ipbte92fEbGystKgOIw+f2tfe0pITguLJ2Q1zqvxTx4IBOWuWmhpfLL/djonbTRj445ZoJVa6+8wTchCz8WAm4swekw+f3EvKG5v+xHlNUAdNjN2enVvpnyoWDMhZozCtDo3JMn3L7x2wcChz5fwog2FK933gN1lYnhAnZiGmvAH7Hzm5T6S2UYiIFTvrRuCDJyBnzYOcNYuKFA7p76OeA2Fae8sTrJv7GbPs/cAhIR+9Gs81XSvO67//kQfs04klbIsQsRV/2vLB42OPgyFn3Wb2+X/pR6uVjw7u7ZueAyFac+0sarY1yyRjZ47FB3kChKhTpynhTSsXfrds09aqiE1EbBGRkMSaRhfPHe2X6hUcyFnDCL06+gLzt/xuIqJWXjm3+TVhzPrAu4aRT16JWZhIREK9ex8QKVu3ZtmyjcVbK6vsph9ZxERCJNs+3eTnv0NEorK8KDDEgJw1jFjhOeMn+iOcRNQPV72monQa6CNn7tGyOUrpjJlEa7Y6dRpJjeVlJRvWFm0s2lpdWRX5+TFqx5apbIvcOHIWn32uQ86axra+e6xfN69LEQ8R9f3F71nNx6yyj7pjAG7olmBWQlqIMzt3HkwUqa6sKtuyubS8rKq6trqmPlJbFd75LyhL6Q5d4/jNOBzMbchZ42h68aATfBFQ6quLPw7Zzd+09lG3D8B8rpbibV0IQqRCBQVERBRpbIyE66rrG2sqahvCjeGwFiIVClkqZDUWWYPxFcJAyFnjiKp8YPAIr0sRB553yadRYpblN3f2R8wmR1PYbhsBUxQK5e70Y/3zg0gaKjrGkbNoz7oNOWsezfNe7dfG61LE9tElX1mR5n8khyJmk4u39cXK9n9s/wPa8TJzdnYcvyvmnAVINtwLBhKa9aXhbQ4henv6V1GGwIgOf2APrE5ICWZmVkqpbYvFZAdIUGPhZjDSqvtXNz/33xDC8u8LvmPd3G3NQkf8bSCGwNzBO6B4TxJCGrsNOWum9/5dnbwjo5JOxJ5z/tIo82aFjnuoD2LWYOZWrMBCzhqJ6x74ytz2rOjIMxetjbY8gU6+pydi1mTIWdchZ40ktOrxMjI1aSUy+9LC5pvbzHLKzK6IWbMhaN2GnDUT05tzGw3tOdCNs68sirYKTE69s7ONmDWaqZ/fAYacNZOo0n98a2bMSuOsKzZHm2lgnX5bJ429Y8xmZr0KNOSsoYR/eL42rlO73Vb7xFVbosSsZJ15a2cbdcpwJtaqgMM9YShhevolMTBoKx+bUdL8nDMl2edfi9as+cyrVIGHnDWVDm2eu8qwtepCVPTAVWVRZhro3Msu7YDlCeZDzroOd4WxbH7nuVqvC7ETIVp567WVzd+nStrcMN0/p6KnM4yDuQ45ayzh8JPzTGp7CNHim++3m/+h0h1uP9tPR0imsWaX8UEqIWfNpdWy5zaYE1xCsvT2WVF+aOn2N52Si5j1BY0GrduQswbT9PirxvQcCOkFtz0bZWqspfOv/GMOYtYftG3S16S0gJw1WnjWMmNuifCX1z8Tbn4ITNn5l/4FrVm/QL+B65CzZvvyb4WGzO2KfHLlyzrKEJguuHRavkbM+gRy1nXIWbPJs/+tMyJoG969/EOr+RuUdcEV0/KxrbdvSJSxTEgZ3ByGq/nnahN6DhrevPBrFSVmpe2t57RGzPqHAfUp3eDuMN3/HixvfpWrm2pfmr6Uo2zWL90fOC0PyxN8JMrRmZA6uD0Mp/Rrn0a87jmofXH62ubPRGGivf9+bLZh69Zgt+qjnOoGKYOcNZzmDX9b4WWKieiauRcXN/9DJhr/yOGZ7pYIWqiszusSpB3krPk+eLbWyy41XffcZZubryesZOqD4w3dJheisLfiDXMbctZ0YjW+8LF3G3eJ1M+Jut2ssg+6b4Rg3qy/RKq8LkH6Qc4azw4temKDZx2gUjvnqs1WlMMT7MPvH6rjPGMVTGHXe12C9IOcNZ9N7/7XsxkHNU/NKLKanW/JRMfeNxjzuXzHrvG6BOkHd4n5xCp75HOPnrvyyauKVfPT2kX94fYBODzBf3Sl1yVIP7hNfMBWX8zd7Mkz1z53TWnzhycQ0e9u6YuY9aHGEq9LkH5wn/iB0OwPXB8IE6GaOZeVNz/VgYl+fUdfsdA36z+NGAdzHXLWD4TK71/g8twuIa6cfXF58z9koYPv7oeJBj4k1NDgdRnSD3LWJz6bu9XVuV1CXPLo5dFilulXD+6BRWD+1NDodQnSD3LWLx55L+xirgnR+vuuroiyPIH1bx/cA5PdfQrtWfchZ/2i5J8bXDxvRGTJTXfXRlmewOr4e/pju1m/qsb8WdchZ32C6ZOnat1b4SoLrn+sIUrMUujk2zHTwL8qsL2B63C3+ISo2sc/d23jLvnh6rnS/PnTLNln3NgLMetfVWjPug63i18IrX5mi0vPpb+75jXVfC8FS6uLruqhMaHLvyrQP+s65KxfiKIXnqh3pUErX1/8epTDE0ja33JhF/TN+pjGdl3uQ876hraqn/vcjYSLfHrRB9EOT6DeD/+5rSjkrF8JR0q9LkMaQs76h1bfP1eS8tUKEvnw3E+jHJ6gaNA/f5uLebO+Fi7zugRpCDnrHyL09EupnkSrw/8594coP1N6r4cPwOEJPlfnVi8//Aw56yNiVT//Y0obtKLtd85bGqVShOyhD0+yUvjs4IbqKIv8IIWQs35iWx88tTmFDVoR++0LVza/qzeFIkPum2BhDMXfhOprvS5DGkLO+oqmZ79K5anQ4XcuWhFqfrtZK7LPfZMUDk/wvVps1+U+5KyvCBc+uCJ1c7sa37lgudX8odNs73n3ZKSs77GUYhzMfchZfxF6+6WKVAVt/Vvnr2x+rS2xDH5wf4Xa4ndCkfXVXhciDeHO8Z2nF6coZuten7aGoy1P2OfhKVgDFgR6NbZFdB9y1ncW3rUp6lEyCROhrS+ctyHqZIahf58UQswGAIfXNt//DqmEnPUbpv/8pz7ZG3cJcfGzFxZGeUamEY+MQ00JhgYsB/MA7h6/Ea58ZEWyfyfRhieu2tJ8g5VZ9v37GFSUQBCqw6niHsDt40Nfz65N9lDYukduK2v+d7LSYx4endxnA+/UVmHdtPuQs74jKvLCf3Qyg1Zo+b33bW2+L4KVPeVvo7E6ITC2YlqXB5Cz/qOtVQ8tTeovXHTbP6qinVGjD713P+yDGBybKr0uQTpCzvqQpk9frUteg9b+bsbshuanMLDw0TOHa9SSgBCS1Ti1xgO4g3xIVN3f30paL1vkiwv/raX5mWJinXzbPjijJjg4vBan1ngAt5AfaWvNrJVJ+l325+d9EmVXbyY+87oBaM0GCNeXScq3MIZfwD3kS5refSs5pzxFPrvgm+Z39SYWPufyPjg8IUCE6rdiuoEHkLO+JFx73+dJaJdI5LPp30b5mSI17bKeuCuDpWIj3lEPIGf9SXjFi8UtvWFE7A8v+CbKb1ESOveSHi18BjDNqmKvS5CWkLM+JTTr3eZ3MIz/V0jko+nfRdm529Ktpl/WAz15gSJEy8vRPesB5KxvVf5rHbVkPxmh8PsX/GhF2dXb7nTFRd0EXzGDRUU2YFqXF5Cz/vX5k1HWcMVFqOGDi36McniCsnvc8tdOiNnAqS+R1G0TD1EhZ32LGx75oDHxm4Yb379wYbTDE3Tvu07KR8wGjVBNEYbBvICc9S2hoicKE2+b1L8/fXGUwxNIet39u2zckAG0bh3eVi8gZ/2L6Z2HqhJt0Na+e96yaIcnUO8HjsjE/Rg4wrR8M4bBvICc9S9RDS/+z04kaIUqX5m2ovk7jpn6/u3wzJYWDgzEkTVbkbNeQM76mFYrZxcl8ve47KmL1jb/M2YZ8PBhoRaVC0zVWNKIryleQM76mdBrL0QcN2i1KvrHNUXRDk/Qez58CGpFQJWuoWQfeQTxwB3lZ2JVvzjfaUeqqPV331Ya9fCE/R45KBlFAxOtXOJ1CdIUctbXbOuTWQ73xxdec/vfqqIenjDm/klJP0wXjCBMqza0aGkLJAo5629Cr8xzNLIhvPaOf9ZHO5jcHnfPeM3owgsoXVyD99YTyFl/02rd35c4uXd4zS2PhqM0algm3D3ORswGVv0GQfesJ5CzPqf5tdeqHDx+zc2PRqK1ZmX83WM1tpsNrs3LvC5BukLO+p3Qv6LtINvMY1dd86huvjXLRJPvHY1Og+BiWrMSs2e9gZz1v6X3b4xvdEN45TVPUZSZBkS/uneUIGaDbEMZctYbyNkAeOf9xni63YSXX/FMlNOhmOUP94wgxGyQ6bUVUXYbhhRDzgZAzV3x9BxoXnLpC1FuM1byp9v2TGqhwDiFX3tdgrSFnA2C+Q+Xx+w5EF586StR2quKrbNv6IumTsCt/gGzZz2CnA0AprfeiMToORBacOFrVvMH2yqdc+E13TX6DAJuE84G8wpyNgBElTywKMYIh/7ugret5vdBVLr1jEs7a1SFgGtcVoPZsx7BzRUEQt+9sPuhMP3dBR+oKNvN6jY3n9sWMRt4m+Z5XYL0hbsrCMQKz3lndwc/Rb4+/xNuvtOAqO22G6TCAAAgAElEQVQ9f26NM2qCb/1CzOryCnI2EOzQisfWRf9xeN65n1G0m6zDfSfmYkJX8OmNxchZryBng8Gmd/8d5WgFoYaPz/sqSswydbj3uKzUlg2MUPYxjhT3DHI2GETV/OOzZneiFW54b/p3UZqrSjrffSzOqEkDQpvRPesd5GxAaLXo2dJm/lyo7q1LF0TpurV015nHIWbTQ1kiRxxBciBng0LT7LfsX/ypcN0bVy6MMhXBsrvOPD4j1QUDI8jKcq+LkMaQs4HB1f9as+ufCVe/efViq/lVQMruNvM4VIC0IFz+cb3XhUhjuM0CQ+iTJ6p3Hu0Srnz7qiXWL5u5RERK97j3BMZEgzSxZbHXJUhnyNkAsf/+xc5zZLn0lSuXRolZ1r3uPxb7IKaNwvVelyCdIWeDZMvfinbqit38/Izl3HzMkgx46Cjs6p0mhGs/xuYGHkLOBgjTm482/NRzILTh0Rkbosw0YNrnoV+jNZsuhCo+C3tdiHSGnA0QUQ2zv/npX2j1AzeVRTk8QcmIBw+mZufbQiBtXot320OW1wWAJBIqqxzfRjMRCa+4/Z/10WJWj71nMmI2bQhHXn6pEW+3d9CeDRSmt+aEWYi0LL3xiWgxa9lT75vodtHAO8LVn1djcwMPIWcDRayaud8QaeHl1z0TidaatY+8d3S0zbsggJg2LMW3Fy+h3yBYxNpQN7oNyZJrn4+2cwzzsbfsjZkGaUQ4PPeFBrzhHkJ7NmA0vfJ6bXjBZc9H225W+OSbByFm00v9t5W72Z0YUi7kdQEgucSqnT04dMO7UXf15tNn9EHMphXhjcsIOesl5GzQ2Orz+zZG226WiM69pCfmzaYVYfpsqdeFSHPI2cDR9JodtfUSmnZhD8GQSHrh+h/L0Zz1FHI2eNiOeniCdeEFXZGyaWfNN6SiLL8GVyBngyday4Up84LpnV0tCnhPmD5fgMmz3kLOpg2lcy+4oKPXpQD3NS4pj7JpG7gEOZsulM6/5K9tcX542mFa8ZXXZUh7yNk0oXS7q/6Uj77ZdPT9fGr+RA1wC3I2PbBuf/MfswXLUtJQ2Tdl6DbwGHI2LbB0uPWPmYjZtPTjOxgF8xpyNi1IhztPzESnQVrSy5cqdBt4DC2cNMDU6e6TMr0uBXij6L8Rr4sAaM8Gn9KdZp6IjdnS1fLP0W3gObRnA0/pzjNPQsymq9qv1yFnPYecDTpLd595osKdlp6ENr6K99576DcIOMvuddtxjOUJaWvpQq9LAGjPBp2y+95+HE5cTFfCZW+Vel0IQHs24Fj3u+33hO1m09fmeV6XAAg5G2ws/e84Cq3ZtCVc//EKrwsBhH6DYEPMpjehstcqvS4EEHI2wFjRHjOPZsRs+mJa8g3efxMgZ4OKlR529+/Qmk1jwrVvbPa6EECEnA0sVvbkew/zuhTgrXXzbBwMZgKMgwUTs/3bGfviUzSdCTe+Nt/rQgARIWcDiomPnzFYYXlCOhPe8kkNtuoyAnI2kESddHUfhb7ZdCZKf/i114WAJsjZAGKiU6/sh5kG6a787UIcpGAG5GwACZ1xZW/MNEhvwvLxJ9ipyxDI2QBS513YUxCz6a72f2vQnDUEcjZomKzLz++AlE13TN++i+asKZCzAcOSe/m0Aq9LAd5rmLcQc2dNgZwNFqVbXTGtNeZzAf34ko1JXaZAzgaK0q1mTMtFzAJFvvoGzVljYMVQkCidd+Vfc9A3C0QrXw8jZ42B9myAsG599dm52NUbiBq++YDQa2AM5GxwsLS54YwsxCyQ8Lrnar0uBPwMORsYLG1v+nMW+maBiGX+f70uA+wAORsULB1u+ZOFmAUi4cI5aM6aBONgAcHS486/WBgCAyKi8FdozhoF7dlgsOyet53AaM0CEQmXPl7hdSFgR2jPBoJl97njOMQsEBEJRb78DN9sjIL2bBBYdr/bfo9dvaEJlz5Wgq0NjIL2bABY9qA7jkZrFoiISLjx3XlozpoFOet/lj38nqOwqzc0ESp+ulihOWsU9Bv4nrJH3zYV281CE1H22195XQjYBdqzfqf0xDv3J8YbCURExLTixVILS27Ngvaszyk9+faxOKMGthGOvPMpdjYwDZpB/mbpKbePJQyBwTZMC56vsdA7axi0Z30tFJl8135ozcLPat/7gtGcNQ3asz7GKnLwPft6XQowyvdPYN9Z8yBn/YtJH3XfCK9LAUapfG8hmrPmQc76Fgv/8a490XSBnwl9+YjXZYBmoH/Wr1jUX67qqbGtN/yMi+ZuQK+BgZCzPsVC517RBTELO9KfPoeNDUyEnPUnFmva5Z0FMQs/Ey58utLrQkBzkLM+FZp+SUdMm4UdCNfOfsfrQkCzkLN+xJJ14YXtMW0WdrZ4Vh16Z42EnPUhltxLLihAaxZ2JLzlwcXonTUTctZ/lG516XltELOwIyH77TcIzVkzYf6s7yidd8n5iFnYBa98sgTbzhoK7Vm/YZ1z+fmtELOwE6Hw8x+i18BUaM/6DEvuZefnYQgMdsb05asR7NNlKuSsv7DkXDq9FabNws6ESp/80rK9LgZEgX4DX2HJvfz8fHQawC5Yf/gGeg3MhZz1E5a8K89D3yz80tf3bkJz1lzIWR9haX/F2bmIWfiFipf+pxCz5kLO+ofSHWecmY2YhV8IfzIbvQYmQ876htLtrzkjCzELuxJeevsm5KzJMN/ALyzELDRLuOqlz70uBOwW2rM+oewOV/1fJmIWdiVc/+bD6Js1G3LWHyy7y4wzMrE8AX5Jlt5Z5HUZYPeQs76g7D4zTs1AaxZ+QaTqqfnYP8ZwyFk/UHrvq4/O0OhMh10JNzzzeAQxazjkrA8oPeGaAy1BzEIzvvpbqcJJ4oZDzppP6ak3j2N0GsAvCW9+aiFas8ZDzhrPsiffMRIxC80Qrn/yKWI0Z02HnDUcK3vsrfsRZhpAM5g+/lcteg3Mhz4/szHbk+8di30QoXlrZy21ELPmQ84ajUUf9sAoxCw0R6j0kWcZSxR8ADlrMhY67oEhSFlojnD1Cw9qjIH5AXLWYCz8fzP7o28WmsWNX95bibrhCxgHMxeznHNtB0HMQrMaV969BFO6/AE5ay7Wf72uPeZzQbOESm7DUTV+gX4DUzHTGVe314hZaI5w5SNz8VXHL5CzhmKxzr6pC9baQrOEG9/7V71Cc9Yn0G9gJqUzzrq+LToNIJqlD27EOjDfQM4aiXXmBTNwfjhEIbz61g9QO/wDOWsipbMvuqw1Yhai4OK75jAGwfwDOWsgpXMvvsx354f7rbx+Vj17lmBbAx9BzpqHde6VF+b4aldvISESIqwQdkXk00eqELN+gpw1DkvOZRdn+SVmm767MjHas66xF9y23MK2Bn6CnDUNS+6ll2T5Y0KXNDVgJdJYXbV+qSpou1d3pG3qLZ/xEXaP8RfkrGFYci++1C+dBkyRmtrK8uJlizaVrq+0uu71567YkDzFhNfc9BaGwHwGOWsWpfMuu9jcmN1hswW7oapiS2nhDws3VVbWNd32K9ZUWgdnImhTSXjLQ3O8LgQ4hXvCKErnzbggx8SkEqKfaovUlhYWlpQsXryxuvan0RgmEuLeZ/2pI3a+SR3huqcuqsLuMX6DO8IkSre55pws02J2+1AXEVFjzZaijZs3Lf1hU31zD2XJPvq8UQpJmypivzttJWLWd3A/GMSy2197ZoZR74lsH+siaShft7qwtHT18o0NRETMTbO5dsas9znz6G4imOGVCpo+m/41YtZ/cDeYw7I7X/N/ljFviZAQExORXV++fs2aosIV68o1EbEikWj3OpO0OuT8CcofEyZ8RtNXl3yCibM+ZMpNDWTZva47OcOITgMhEm7qcW2oKl74w/otmzaV2UTEikWaacbuyLJpz7+e0EGjRZtsQt9e8oGFk2p8CPeCKSy7900nWN7HrFBTrdCR+pqKdUsWry9aV6qJiJQSHdd8Imadf/S04YwmbbJ9d8U7iFlf8vy2hiZK97352JDXMds0gGWHayu2rluwZNPW4ooaImJFFKsVuxOlrSFnHIezIJJs8dUvqqgdNmAy3AlmULr/rUdb3s+bldqtWyuKF/6wuqKsMkxERMxOEnYbZt3q6Gn7oXYl08obn8QeXT6FO8EISve46/f/396dR9dd1nkc/36fe5O2SbM1abO0aaAbpaVSLFIUKXuBUgV1Bpdx1HEZcTnMOXqOczzKHHWcUUbHM6uIDsrgDCiLqCgKSMsyFOgCtHSjJd3SrDfLTXKT3OTe+/vOHzcJKSRpmtzkbu/XH8Ahyb0/6Pf3yXOf3/d5nmRMGtiIEgh3BgLN+1460tXZF3/UojKZjJXBn7VVX7y5lG28EsS04Qf/LLQapCluglSgVnr7x2d60mDkyoNIa3NL68lX9zZ0DbfFJuCWztt0y4YcemkTwbT1p9/oS/ZVYLK4B1KA2uxvfMk/c38WIxceWE9HQ31H68H9x7vCiR8sVX3y48vopZ06k+6HvtrMaDZtcQekAvelb86ZmT+K4Y4tEYmGA8ePBU4eOdLQExEZXDmbUGr+DZ+9voAWryky6/nN148Ts+mLGyD51DbdVTH9j8CG1x2YZ9He1rpj9S1Hj9V3mYiok4m1bJ0pdbHSD39ulcQchTZ5Zt2P3lbL+oQ0RvmngIV3Xz29c7PDq2fNiwz0BV4/3NhyvKk1FJXBxV3T+BTbmVv/mffOY0g7eSahR247wsbe6YzqT77Zt38uZ9pefPhpl9ff39fZWFvb0N7U3BbfyNDpNA1jR3LiFW7+yvnGqoVJMun649dqidm0Rs4mm/Ouv6tyet/C+nu7gif2v9bQ1tI9OBUb74pNVMaO29ap6skFn/vAPBoPJqnrj19lNJvmKP0kUyu+8+bpe/lwqKe77fjrtXVtLV2RwT6DUTfamk7Ok7wbvnwhc7ST0vH412pZn5DmKP0k88Xe86OqhL3aiGUHXjjUHgzUHjrcFGztH7xLVRLVUjDilUrm1ZxX91jveFGgYrLi0x9fwJD2TJkGH/3asWRfBaaKuk8uVfuPzyfihYa2fxERkd625ta2o4drG9uDb7xTAmcJNL7KXueWL1p5wYrKwtk9W364wztN0vqv+/K7/STtmTBzgV9/+0SyLwNTRtUnl/NKf3nV1JoNRoxVRaI9HS2NgfoDr41Y2ZU4qiomnohofkll2epLlpSWzFYRkcix79/XrW68WUS1xX/16UVC58GEmUj9ff/UmuzLwNRR88nli51/76rJ5+yI4w68SLC5vqG9vvZEYygskuhlByrqLB6jvrLyinPWvW1B0RyfDE5VmGjwoZ8+b6rjNHmq2LW3XjXLPF/iLiujee7oD38UYnlCBiBnk8sXu+JnNZPJWYsnnIqYF+1rbTpW39Zw4mSg15N4N0EiH3U5VTNPRKSgsqpi3sI155YU5oiIDYW8iIl6r//nb447GWfjPlWv6i8+scoznohNhMmhf/l5DzGbCSj45PLFLr17yZnmrA2vnY3193WceK02UNfcFuwXEXFOvARGrIo49TwRkbzyxTUVy1ctnztbRcRMRE+pHk81/Mxdjwd9NvaQVl1M133mz+bFlGba04sd/O79UWEVWCYgZ5PLeefc+/YzyNnhLWBikXBPW92RI03N9c3xtbOqCV7ZFd/dW8TNrVq+bFFlxZKy3MFR7JsidvDSzEnTY/dtHRhvL2onXv6Nt77DsVviacX2/sOvZJxfWkgjlHtyqRXec+MZ/oyFQz2thw7UtjQFens9kcH9CRLbYhlvHsjNK112fnXF2dUl8RVr8Ywdq2pMRI/++icHxttTUV1Ml37+L8sSea0ZKbrnW7/h9IRMQc4mmS/2xb8vnvB3x3pCwcDRA4cDTS19Q8cdTNOqA//8quVrllcWlc33i8ip29WOyUQHXrr3oYbxvkfF5lx961VU3riiu77+J1YnZAyqPcnU5v/rB93opw6MPOxAIr0dwbZjBw/UtbVEh1q5Jn/cwbiX5Iqrl7xtxaKKsuLhp1wTrRQTla7td/+xbZyMUDGp+ORnzhKaacdgGn7xb1/k9ITMQaEnm9rS72/2nxKqp3TEing97R2dgcO1R5s6AtGhn5q2oY5a0S3XLS4tPOOIHSH4wo+eDKmO+6l3wxeuLWIL8FGZhp687dVkXwUSiDJPAcu+sqnq1G7XoZDr62pp7gweee1oIBiaqatR2/A3m3OnNta04B/u2BmWcQ/BLtj0qQ2zWLXwVqZND/7gKIPZTEKVJ59a0fUb31k9Z0Svk8WioUBjQyBw/Fh9KBTv2LKEH3cwptIvfaJqSkFr6rXfd9e+6DgrxFSs4mOfXs4W4G9iYrV33N1BzGYUajwFqEnJ2vOqK6pK1GKxSH+oo6Onu+lkfUsoKjIt3QTjc57/vbdukKl8qPdEvSP3P7A35nTMpHXmLrrlpkJ2ph3JJLb7u7/rH29dHdIPOZsKVD1R/9zSQrGYFx3oC/V7sfh5MmrTetrBWNfjYiu/+Ofzp1Qenqrt/5+HD3tjL1xw4hVv/sJ6YSHuMNPwjr97ary1HkhH5GxqcPqmW0t1Jg47GIu6WOHGW985paPOzVT7X/79b/fFxp6mdWbLbvnYfGZphwWfvH0HbbMZh5FEajATdYNURVUsuTebG9i3vbA6bwqvoCqWs+jSi8tbA2PGtTlpf3Zf6aIc1oeJiIjX8JNvH6RtNvOQs6nDhiX7SkTEVFr+1FA9fypzp6omvqp3bVja0jT227jIa4+1righaEUkcvhbd7QTsxmInMXoTGXg5Z2lC/Kn0nigauKvWH/p2a1t3hiTVKbas317/vKs3wLcNPzq1x+I0miQichZjEmlcUtrZcXYGxpM5DVUxJVfvPntPW1hldFHx2p1jx+trlTL4kGtqQYe/caWZF8Gpgc5i/H07dybV5k/5eelrmj1dWskGDIZo1s28vLW8LK5krUPZk29Iz/+7kHHYDYzkbMYlzvxTMOicjf1D/X5qzddVNAWNHOjfjLWtq175y32Z+eQ1kQj+//xzi7mDDIVOYtxmevbeTh30Rz1phaA6lnukisuma8d/eZGmz5wdvhPrZULnJd9Q1pT63vh2w+Ovx8E0hk5i/GZuiPPNy4t8U1xSKtqllN95VUr89p7YvrWujP1dW/f5i3Nz7ohrWms/YHvbaVrNoORszgNM9e9a3dOdd5UJ09VxdPiC65YvzQaGBhlotacNj61b2FNlg1pTfuPfu/fDhGzmYycxek578QzLWcXTWl5mIiIOjHLW7rhsrX+zq63jo9NXPTAU+0LyzSrhrTBrd/5Rcix0jaTkbM4PVPX+9KuOTVzppx/quqZm3f+1Zev8drDbx3SinY894xbNDd7gjZWd8c3X/aI2cxGzmIiTOXk090Lynyjn/xwJlRNdM7i9VeuK4h0RVXklM0NVL2mx16Zs3C2Zcegtm/n9+7sZM4g05GzmCANb3s+t6pAE5S0Wrjq2k0Xzu0Nxg/rHfFV8Wr/sK9gYa5keDetqUjb/bc94dHOlfHIWUyYNj99ctZZPpl6/sVz1T9vzcYrauZGe2Ii6hv5mpEDT5zIr8zRTH4iZqKRvT/7Vh0pmwXIWUyc9u/eNrCgNAFD2jiT3Mp3v+fylfnhnpiZ+kd8qW/XEycKKnIkY7dMNNGuX33nf8PEbDYgZ3EG1Nfx9AHfwtkJar1SNbPcheuvfdeqav9Ar2fqH35ZF9qxpbl8vs+8TDxuwUQGXv3p7Xs50zY7ZOhgAdPFiVd29afeNUcSdtqMmflEIg27n3u2tj0q4vfiJ0ioi8mq99903qyYZtyY1jTW+dv/2jEw7kGVyByZVsCYbupiuvx9Hz53iifinsI8cSqx+oMHd+15PSSizjwRceL5l9/4ofN8mXaEmGn/y/c83ETKZg3mDXCGzGnrjl0yvyhxv6PVqXjiK1q6fuNV6xe6aK9noiImzgIvPlVfUJGAdrJUom2//8pjXXRzZY9Mql7MFGeWd9mX15YmNvzMRFUk0lS/f9uuQ70ab/jyxNVc98GLZyXynZIssu/u+xudsDQhe5CzmAQ1kfIPfXRlwtdtDU5G9B/fs+PlYyf7hv714us+euGcDDlwwQI7/uF54QFYVsmIysXMUxO39oPvXeEk0fE3+HrRrvpju3e/dqLbExHRyps+uSY37ScPTKV/9y9/0ZDs68AMS/fCRfKo5V5+8zWLJeFJOywWbK3bvv9kQ3uoX63srz+7eHreZqaYinf02TtfSPZ1YMaRs5g8tYKNN2ys0unpB4jHt9ff2XV0zyu1gWDnNf++bBreZqaYqLU8+/Aj3ewZk33IWUyBz7Piq2+6vthNU+eViYkTES/UU3cw0H/xZWnbH2OiFt7180dP8vwrG5GzmBJ/zCquff/lc910LZCNL1pwIrGIaU665qypDdTf8+vdyuE0WYmcxdQ4F9WaK29eX5iAsxrHZGKSzovCTPtbf/erZ8JOY8m+FCRDGtcuUoQTz5115UfWlkzvYgKTdC1XUy/44j2PtwsLwLJVehYuUouKydkbP7KmJNkXkqI6dj/wcLPH+q/sRc4iEdRElmz60KqStG9xTbyefY/8rEHiA3JkJ+4KJISaiC65YfPbyqexnzbdmKiE9z734/0s/8py3BBIIFdx/bWXVJG0IhL/nxDdv+2/XyRisx63AxJIxeZdd821FUrSmqjEap9+cGsk2VeC5MvymwEJpmpWfPmNm0p9ZunciDVVJmqx+q2/fSLE0y+Qs0g09cWs5NIPbCzNyeKkNbVoyxO/e7qV1V8QIWeReM5FpezCG6+pmpOlswem1t/61MPPBlSJWYiQs5gOTmNSsGbz5rMKJLMOQpgIU+tt2/LQiwFhMItB2XYTYGY48SR39RWbl1f4T//NGaa7btuDO9pFlZTFIHIW08OZiSu/6H3rzs43zaJRbUftc/fuD4myLAFvyJryx4xTE7VZF25+97mlkgUttaYi1rTn/x58PcqyBJwqw2sfyZdz1jWXXVjjy+ykNVGRyJFXtjzSmOxLQQrK3MpHalAxKb7oygsvKHaSoZ1eJqIivXu3Pb2li5EsRpGJZY/U4sQT34pLLrp0SY6Kl9b7yI7GRNRinbu2Prezj228MaoMq3mkJHWeSfG6iy5bV5QjFj+KJkOYqVq47cmnth02UhZjIGcxE1TFE//Cd1x8RU1hzuAH7fRnIir9nceeeH5XU/yXCTCajCh3pAOnnknewnWXX1JV5MuEh2ImKrHuk889ub82HP+vA0aX9sWONOLzTDSv5pIbVlYWJvtaEqH35P5Hdtb2CCu/MD5yFjNJ1RPRopqrrzmrOi/ZFzM10aYTWx850CWkLE6LnMUMi6+UKlp5xcU1SwpFJM1mawcnPAKHDj32fENUWJKACUijAkeGyV911dql5xSIpE3UDh65a8HagzsfP9Kf7MtB2kiH6kZGUlObu+rSc9esLFBJ/WPDh64v2rH3wIHnD/SygwEmLpUrGxlO1Uzyzl27ZvXqkhyfSOq21pqJqlhsILB7/8Htr0dEfMacLCaMnEUy+SQmMrv63Jrl684umOVzg4mWSkxMRc0Gehtf2HNkT0NU1OexIAFnIrVKGtlHnUZFrWDRsrMuOL+8IM8f/4ieIpUZnzi2/r7u48/uPnK0TUSd0CmLM5Qa1YysNhhdvuKKRSsuOae0OM8nKbG7l6mIeAPdwRO7XjrZ1Ngros6MaVmcsaTXMiAiqvH1VP6C8kVrL64uLiqcnQKlaaFgsOnV7Ycag2GJhywZi8lIgWIGREREJX7Si8svXXD+urOLy8reWDQ286NbLxRoadqz62hz54CIiBMyFpNGziKlDHX95xSXLT1/VXlFeYlv6Evxr0xPxZ46Jdzf0dTc+NorB1p7Bi+KuQJMCTmL1DWrdMnqFQvmVVYUzh5O2wTH7WCADr1crC/Y1tjSdGDf8fZogt4BIGeRsuKjSN/sudXLakqLFlTOL8jP8Q3219rwuoFJVbAN/VWHft7zBoINja3B1mPH6gLhN94eSAByFilMReN7tOjseRXlZfOLKivLykrm+N+IW3nLAHeUkrZT/klP+T4vGgkHWxpOdHY11jW0h2IiIk49QhYJRM4itamIqgw+6c8pLC4sqyzKL66qLi/Ozcn1+04t4MFx6ilbu+ib/h5feWBeNBrp625rrGvqDLYFAm3h+Dc5MZ54IdHIWaQDHWyrGkzAWQUl88oK8vJL5xcWlpXO8vn9fp9zTkXF5+TN2WtmZp5nnpkXjUYGwp1dXa2Bju5Qd1tPV0dv/DWdOKM5FtODnEX60Ph86hsf6nNn5+TMnTfLlzMrJzd/bsHcObm+WaX5Lsfv08E53KgXCXf1hPt7+8KRyEB/qHcgGukN9Q/0hSNDr+pExUyIWEwbchZpR0VU9C2DT/X7fKqam+P8vqGc9WJeNBKLeRbzPHvz1i8ELGYIOYv0Fe83GPEwbKI/Ev9+8hUzhJxFxhi/mElVAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALlrThAAAAAqSURBVAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACQ0v4fpkx4t23KlF0AAAAASUVORK5CYII=" height="922" preserveAspectRatio="xMidYMid meet"/></g></g></mask></defs><g clip-path="url(#759b6f290c)"><g transform="matrix(1, 0, 0, 1, 0, 0)"><g clip-path="url(#07d5eadf19)"><g clip-path="url(#0098ea3924)"><g clip-path="url(#3f3e5e128e)"><rect x="-42.24" width="276.48" fill="#f8f8f8" height="276.479994" y="-42.239999" fill-opacity="1"/></g></g></g></g></g><g mask="url(#00b42c55a1)"><g transform="matrix(0.208243, 0, 0, 0.208243, -50.60874, -0.000000000000023674)"><image x="0" y="0" width="1383" xlink:href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABWcAAAOaCAIAAAB7kHe2AAAABmJLR0QA/wD/AP+gvaeTAAAgAElEQVR4nOzdeWBU5bn48ed9z8xkAcIadgRxARKs1n2pEqrWttzrUg3V3tof1q0tt7Zo1Wu3TKqtViu2alFbe9Vr16S21p1aJVgtCmjdiMomOySRJUC2mTnn+f1xZiazJgGCoHw/xmTmzNlmYc55n/O8zysCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACwd5l9vQMAAABADqoiUiVSLlLpT1myZEl9fX19fX3O+cvKysrKysrLy1Om1YosEak2nPMCwO7iGxQAAAD7gKr6N5KxgObm5u3btzc1Na1du3bdunVlZU11dSKiqUtVV1d3sc6qqqqsaaaiQurrS0ePHj1mzJiCgoKSkpKSkpKTTjopNcRgiCsAQB58PwIAAGCvq6qqKi8vr6ysTMQIasvKyiorw/6jyVjAkiVLRKSpqamuri518aVLlx522GGNjY1NTU1NTQ0inoiKGBErYv15SktLS0tLhw4d6t9dtmzZ4YcfnlxDRUVFaWmpf9sPFiRDDOFwuL6+vrKykjgCAGTj2xAAAAAfhmRyQSJGEL788sUjhx+zYf3a1atWLV22dGNDQ2NTU1NjQ0NDQ1NTU3Pz9rEHjZ03f36ulbUkbvTpeqOfrqhYs3ZNSUm/wYOHlJYO6du33+DBg0cOH3HkUUcdcuiho0aPfvXVV4899thwOCzpcYSukxoA4MBB1AAAAAB7V1VV1ec+d5bn6Yjhw995552lS5e+//4r/fr2u/HHvxYRaZGNDUuWv7+pfvnyDRvWfNDQuGXr1ubm7e2trZ5q0AZccXe2tsQiUc9TVfGMGE+NeFasJ0asWE8koFYCYtSq9YwJOE4wGAwFgzZgnYANhQqLigoHDOrfr9+AEaXDDzn44E8eeeS4iRP93fvaFZfvbGk54cQTJk2YWD55cv/+AxYuWjR16tR9+ZIBwH6DqAEAAAB607Jly7Zt27xt29a5z8x9p/7dAQMH/vZ3vxeRzZvXvfXW8vo33li5dtWmDRu3b9vS2tbR0dEeiUaj0Q4vGlM1jnXUGFU3FvPUUzFqHSsaz1Mwxqiq8c9gO09j028Z43deUFFRFSOqRlSNMUZUPVXHOGJN0CmwgUAoGAqG+vYrGVw6ePjIEYcddshxRxz9ieOPF5ELvzh9/Yb1Y8eOPfroI8455+xBgwYOHDiSbgsADkB88QEAAKB7qur3/6+trU1OrKqqCofD7y9btnL58rfffmvr9uaGxoaSfv0v/9rXV69e+v77q1eteH/D+k1NTZs2b93W1tIa6Yh4nudpzBjrWGusY40RkzglNSZerEDUiNH0HchqsWdFD/w7KuL/Uk3eFRHP8++qMSa5rHrqeZ7reaIi6hnrBIOBosJgv34lQ0YMHzVqbHn5hFGjRhx66Ijx44/55Z2/2LFz+7gRIydMnDhy6PB7Hn44tRdDsnBDrl0FgI8wvtEAAACQm3+Ff8GCBX6kYPbs2X57uLKysm9xcSAYLB085Me33CwiD9x1V0RkXeOGLU2bGzY1bNmyuXlrc3ukzXM9I2IcxxpjrPUX13jT3W9dq9+6j29RMm6p/78x/kCMiWSCHJKxh0SsID1qoInpJnUlJrELaowRY4zneaqe56nruqLqOE5BYUHfviXDhg0dPWbMiOEj+w/ud8LYwz7xmc/c8D/Xvfvee6NHjxk9ekxbW1t1dbX/ctXW1tbW1paVlVEZAcDHA1EDAAAApFHV2traBQsWiMjs2bNFZPr06bW1tffeO2fjhg0vvfTiYYceNufeX91cXb29pX3z5sbm5s2bGzZv297c0tbqRmPWGus4jmOttUasGFHVzlqIIskmfDzNIPlAonNB1g75s2uegEGupIPEE0m9bfxuC/FNmWTwwt8HY4w/0VqTCCeIqqpqLBaLxWKiEgoVFBUWDh02ZMiwoaVDSksGDigtHXHFFVdcM+vbB48fP3nyEf1KSo499lh/zSeeeGJlZeWYMWMqKyvJPgDw0cX3FwAAAOIqKioaGxuPO+64Bx980I8ULF68WNVbtHDR17/xDRG5++6fvfP2u9uatzdva962bdu2bdsiHR0qErBOMBh0Ao5jred5nmpnpCA1XJCMESQCBDlORlOnJWMIuYIJqfPnChlIaqaBdmYbZK/AJCompKwwEVbw4wfWWjHG87xIRyQWjXnqBgKBouI+Q0pLBwwcUDKg/6ghw6p+8hMR+dV99zZv3z5s2PAnnnhCRGpqaq6++moROemkkwgfAPgo4msLAADgQFdRUVFQULBly5ZFixaFw2F/GMJwuKq9ve3mm38qIldffdXGdU2tO5t37Ny5bfu2ttZWddUJOMGgY63jN7A9z1PPExU1KmLiqQHdpAnkYNJ/dTt7zhVnRCsygxe5ljepfRxSelKoqoqxRlTVWKueWmOtY1zXjUVjrhsTI8FQwYD+A/oP6F/Sr+/A0iFf+9p/l5eXh6uqDho71nXdK664orKysqam5uc///mAAQNmzJhB7ADARwhfWAAAAAeoqqoqEVm1atVDDz0UDoeXLFlSW1v71RkzioqK7p4zZ+GbCx/8xX3rNm7csXN7e3t7a0tbNNphrA0FAk4g4F/J9zv/q/ot7HiwQJNtYu0sTRiX2jTPpTMXoUeBAyOi+Vrgye4JaUkHOdfSuYaMugnxu/4aEsERTW7UcRxrjajxXC/qRl3XDQaCxX37FhcXFRYU9B886MIL/+vss8++ZtasPn373njTTRUVFfPmzfODMhUVFRUVFYQPAOz/nH29AwAAANg35s+fX1dX98Ybb9TV1U2eXF46ZMhLL700YtCgxa8tuvPndz75l0fXrF23eXPTjh07Y9FoIBAIBUMBxxEV1/NHHvAk2RxP9hLw8wtEJG+PgJ4FBHo8EEHO+TTrxi6sIiNskLip6vmzGmPiiRR+hoWoigQCgVCowDE20hHZvmPHtu3bt32w+aUXXvjd/z3sBJzzKysffPDBxoaNb7z5xnXXXT916tQZM2ZMnz69vr6+R08SAPYdopsAAAAHqNtv/9nAAQO279jxrW99+x//+EdNzR+Wv7d0Z/MOV91oNObXBXScQDxLXz2RZIEAkcQ1fO2MEXTq5up+1/kGGXPtenRBU//PtXtdrsKk/k0WVcj+I+nzJYZmiPPUi0Vjnud56gWdoHWckpJ+5UeWXXvttePHT7zn3jn9+vW7+Mtf6ea5AcB+gKgBAADAAURVV7y34tHHHt2xvTl8448WLKir+cNf3nzzza1bNrtuzBjjX0S31okXJFDNqiSY1hrPbpZ3FTIwGX+78uFFDbKSDdJuZo8GmZhi4tUb0p9VymsVCDiu57oxT9Wz1rFigqFA6dBhJ550whe/evGEsRO+851ZxsisWd8eOXJszucCAPscX0wAAAAfT+FwuK6urrGx0U+Df+juu7fsaO7Xf8ClX//G3x//+wv/mvfa4lc2NjTEItFAMKBqrPUT742Kn3RvVNJGK/Qnpg5omMg8yGpYS65L8trTLIPEElnz5l44rVhCashAdjNqkL2l1BEcsxfOWERF/bEcRUTUU2uNsdaIiY8p4annuX36Fo875NCTP3XyyScf++9X37rsim8sX7r0t7//fXV1dUVFhV9ygsIHAPYHfA0BAAB83PgDKJaXl5eXl4fD4f/3/y4eMXx4+86dn5xUvmLD2iVv1a9et6Z1Z2swFLDWiogxxvM8UfXLCybOEDujBialpmBqOzxvokHuIQ53LWoQXyD1T+bktPsp28wMHfRgM93vWXq8IPdQkPHSicmgQXL8CBVjjTHGGuO/yKoaiUSdgDN40MBJkydNOrz8v2fN+sH3b1izZrUTCIwde0hVVVU4HJba2oqhQyvq6jhrB7CvUA0RAADgY0JVy8vLReSpp56aOXPmnDlzyssmnv7pqXffPeeFF57funXbs/PqFi1a1Li5yRoTDAWNMeolixP44wTsRpJ8nvQC01keMX5vl0MGGatLv5WrzZ62Cz0qhNi5bLKeY7aseEHefcucapLPP+V19YwYMdYEA4GAY1tb295///236+v/8fe5Awf0P/HkY3Y0txx99NEvvPDPa6+9durMmTMefDBcVjZ15sy6urpdekoA0CuIGgAAAHzkqeq4ceO2bds2bdq02tra+vr68rKyhQsXNjS+v/Td9x968P7Fi15buXxZW0dHYUFhMBAQFc/zVNXkyAxItG813vBPaxN3efXepCzixwhMMnDQq9fKO+MP3a+2h8GDHOMmZC3Zk1VlDNuY8kD8ZY3ve7xghBjr2FAw6LnuxvUbVq5Y8f7K1X2Lixs3b73hhhuKCgtbX118xrvvTZ05s7m5+eijjx43bhzDLgD4kBE1AAAA+GirqKhYtGjR9773vUsuuSQajYwZPerJp556Y/Gbd901+7XFbyxfunTjxo3WmFCowBrreZ7nedkN4JSE+64a4l21mzXt0b3cHz+lSd6bG8q3rl3LW+jcvdQYQiLUkdEbIhm+CRWErONs2bJ1zdq12z7Y/Nijj7Z1tP7i93+0In369LGOs2rVqoKCgqOPPvrcc88l7wDAh4YeUgAAAB9VlZWVlZWVy5cv//vf/15XV3fbbbd+5zvXXn31VUvr393RvH37zu3RaDQUKrDWuq6rKXn2GSX9Mtu3uaWtIGUl6v/KrH74IZ1m5tiOZvzdN/yBGPNN6ewQ4YcQNPEuWMcaMZGOSMx1QwUFgwaUjBwx+udz5gwePPi+++754x9rKioq/HciHA5TKxHAhyCwr3cAAAAAu0NVa2tra2tra2pqgoHAvHnzvnzR9E+dckKsI9rW1iaigUCwoMBRz4vFYiIiYlTTx0RIrkpEtOt2vua5nZDSyaGLAgF7gWbs+H4ZMsjxcvhjVIgRVU0+rp5x1TPGBELBgAYj0eimhsYtW5vP/s9pI0pLr/3utVdeOe+G/7n+lp/eqqrhcPjDeCoADniEJwEAAD5iUi/6P/Xkk5+fNu2Sr3zl7bdej0VjKqoqTtAxKp4nIl7qwIhZQx6YjK4Jqd3wUzeYvXjGKAX+ZP/Oh3/9O7nju10LsbflTjTIObEzyJJ4K+JBHFEx1loTc2NuzA0GQwXB0MjRI779nVl1z8/f1NB0z7337fXnAQAidl/vAAAAAHbHokULReT5fzxz/FFHLV78cizmqkgwEHSs1ZjnuZ6qJ5roQKDJoRMzOxqkytXq1tyz7NtWeUKuAIXu050zXYQMRDJ2TePvjIpfGlFV1UvcEqOe57quY5yCwgIRbW9vW7Vy9bVXXf3m629UTj93+gXnicg3v1lbVaUiVR/GkwNwQCLXAAAAYL/m56LX19fX1tZWVVWdfvrpInLqqaf+9Cc/efKZJ5samwpDQWPEivVUPc+LX7fOGIVQO1v7uTICUpLp858eakpyQWbaQlohxF18hj2QtUqTc5PZnS8+XPlexly7v4uvkzHGGCMq6nquek7QObJ88kUz/uuss842Ri699Le/+c3FFRUV/szUSgTQi4gaAAAA7L/C4bAfNTDGfHXGjCOPOuqqb33r5ptvfumFF1a/vyIQDAQCjuepqqinyXa9MakjJGbmFsSjBpLjj+SPGnQVMkhZc68XNcjTaUKyEwr2dfZDepyg66hB16swKcGdrHUYMcaIqnREOvoUFX7i6GMmf+KoWbNmzbn77i1btriq4XC4qqqqoqKioqKCcokA9hwjLwIAAOyP/Fp3LS0tQ4cOnTp16u0/u+2Wn946/7nnZt8xe/68ec3N24qLi0WM+iGDeD94EUlpaGr6tfeUkEFSjsatydHG7bZBnqyO0ItRAxPfl+RPrscTAxDsa5m7t3tRg+63kSh8YERCwZDr6cr3Vy5d9u7LL/5rUEnJ9d///nPPPnv4YYf1HzBgxowZS5YsGTp0KHkHAPYQUQMAAID9i6qWl5cXFBQMGjRozpw5nzrllPkvvDDv2Wfvve+el17658YNG4oKCxzHicVinueJMZpWhl8kK8PAn5QeP8hbnC97ekbRw67b6L0aNejhikzOoMKHq+uogaTFcnpjWyrqqYo1BQUF0Y7Y+yuXr167+sUX/jl+zBgnFDjlU5865JBD77nnnrq6unHjxq1atWqPNwrgwEU1RAAAgP1IOByuq6urrKycO3eusaKqw4YPv+AL5z75zNNvvP66G3OLiopirue6MY2XOczuLZCvZaoplQIz+hpkLhYvzpcdMsivt9vtu7C+fVv/sGe0l3bTpN5QT2OxmDHSp2/J9u07Xn75X4899fi6dWuLiorvuGN2OByuqKioq6urqKhgmEYAuy2wr3cAAAAAnfx88k2bNp573jknnX7yF7/whY0NG5u3bRMjRUWFXsxz1RWxif7qRlVzhQCyB0TMbq8mlzIpCQIpvelztnA7cxZyPNxbSQa7uB41YvI8x31H878c3dZsTM1LyMy40NSHkjc8LxYMBkMFoU2bGpo+2Lx27dqxBx+sqt+55mq/wEFZWdnbb79dXl6+u89nv1GbsK93BDhwkGsAAACwH6mrq3OsvfDCixYvWviVc/9r2fJl27c2F4QKAk4gFo0lMgs8P1iQDBkkBlb0pTQs84YM0qjkTTpInaWLNaS1bHvUeDf5fnY19KBitLvd2zc05Sflbvc7mr6UJn8k5VmazJnV8zzXLSoqchy7cf2GNxcuPuvTU8cfMnbevHmDBw+sr6//OIQMRKSyspKQAfDh2tddwAAAAA54/igJ1dXVInLZpV+95KuX/vSmm9ZtWB/paA8Gg9Za13Uzrl0n+yXk7KCQmKlHIYMEk/J/xvScJRUz6yakrGbP9ag8wr4eZzFVjp3NrDTRq5tK31489cQkykc6juNGXdfzCopC48ePv+32Wxct/PeECZMmTSyLxWLRaNQTV9Xzw0+qqmpU1fNU/LE4RIwxjrUiYtQvtSlqxBprjDF+mMb4BTgT4R5V8Tx/SbFWNREDMmIdMUaMUSPWcYxjrPF7V4haMVasiPVEPL9Wg795a4xYfz6xIp5Ya621Yq0sWbKkvr5+yZKtI0eKyJVXXtmLLy2AnIgaAB8GVV29evXcuXMXLly4bu3a9va2aCyqIsFAcPiw4WWTys4779xBQ4aMHj2aEZIA4ABUU1NTWVl5609/et311186Y8Zbb/67vaPDGONYR/w2nd/8ylWLQDWrQZrWhWBXm6vdHYi6jRrI7p1gmrQajT1ebD8PHOSxe/ucPUhm8q/JuG2METHWGjcWE2OCBcFPTzn9lttvF5GtG7d2mI5IJGJtVEQikYi/omjUGBOJRIyIRCTSJ9hHRIJBjUQklAxNhbSf9uuQjuRdEVENxbfd3i4iWlAQf1TjNwoLRQtU2qWwUFULi4q0WItapMV/tI/0EYnfMaZNWqVVpLhYVIukVfqU6s6dIiJ9RaRv35yvy7TPf35ny84jP3HkwePHz5o1i1MpoNdR1wDYuxYvXrxy5fLamj9VTv/ipEmTiouLN27cuLN58862dtf1CvsWD+8/fMzoYW0dHaNHj7791lt/VHXDgAF9+5QELr30ehGpqqryyxdxCASAj5lwOFw3pa6xrrG+ur5tR6uIiGtOO+XEzZu3hgIBxzjWGv/arz88Qo7oQE57FDIQERXt4dgFJu/6u+jSn7mG1Ll7L2SQugOasqcm1wwfnj0McMSfQ8ZTkayn64eVjIjnqeMERDTSHnn6madfeumfHe0R14upiGfEqDGiEr+6r0ZFrKgasSJeZypLPIvB+J8K6/chMWrU35HE7qhnRFRNfBEj6okY4xhXRUQcEbXGqKox1hO1IvGUAxFxRYx6IuJ/5FWtiBjjWSMijqeixjjGmPi2/BQHxzPqGFtc1GfI8CFHlJcfd+KJ559//kMP3P+5z33m6af/vmcvNYA0tEOAvejO2293VU+tqHjuubmvLXxt7do1O3fuUM8TEU9UPc+ICQRDjjWhgtCAQYNGjRxz2PjxpaMK3nx9eVFx/4LCovLyIyorK/21ETgAgI8Hvz+CiBhjqqvC37jr61d+8us33fHDt5fUi0goGJAexggyOiDk+5trwS7OAU2uDPhc203fRM6tdXfgSm3Oa8rfnsQtMkMGGTtgUibmj29k7kf2GnZZL46w2NUmsrpwpJ4mdM5gjFEVa8XzNKuTS/Ljk9bLpfNOrg9CvrORXD1lUnMg0u+kL5nvldK0Qg4Zj/lxDuO5nhuLeaqhgoLxB48783NnLF/2/i/u/KWfv9PFDgPoOWdf7wDwsXXWWacXFAQH9h/40AMP1D33/KaGRlU3EAg4gaATcILBYCAQDIZCxojreR0dkS0fbF69euWbb769ctnaoj59hpQODodvampsiMUigwYPCYfDxpgZM2b4tbUBAB9R/sCK4XB46tSpk86fuPD4RS/8+bl7H5izfPnyosJCa1NbOKYHdfhzhgq6jBekyrXy7qMGqanxXW5hl5MHUtdi88YOuokXZG1URZP9/v3Xx6RcsdeUCIPJs4ZdsQdt1Owsgvyb6DJqkEwNSI8lJD5dydZ4N4EN08W9HHKVtsgXK+g2kCPiJzWksSZeWSF+0xrjODYYCgaDAVXdsH5D/dtvjRo1euGiV//10ovHHHOsiPjlQgDsCaIGQC/zI+bz58//zOmfHnfIQbW1j6xZu7a4uCgQDKgaP9Tvz6OeqoqqZ4yxjuNHERzHbmtufn/F+2tWrn76mbmb1q/+0sUz7rrjjv/57ndnzJghIv7Ay/v0KQIAdlNNTc1rr73Wv3//qVOnfvd/bjju4OOrqr638OWFLTt39inu47quiedwG9WUsQSMSLKjQpfX97tph+V7OLNxmN3OS1S82/V1S3eFDU36b5Oo4GBU1CZrORhj/T8ioiZ+T0xau1KMSe68SucNMf6rZ/1RKsUYk4wj+C9tsmm9Z1GDbl6iTD3JRci7PpP+qprEpOR9k9kw9+MlqSkB2aNu9CSSkPPtzAjkpH2CdvNifw8CXJ2TPRUjWlRc1NravnbNmiVLXj9o9EGPPfrovPnz58+fvzubB5CCqAHQ+8Lh8PZt26668ms33/qzLVu29enTx3Vdf3Cs7KN6kqrnn+WEQqGCooKo6zas39CwqfHJJx47aOiwieVlxthAMLhgwYKCgoKmpqYP/WkBAPZIWVlZU1PT2WefPXPmTFV98rG/PfP4kyveXxEKBoOBoOe58dZysgWbSDXIk3CQL2SQv6t/F7q6Opy18Z42AuMBkOxr42nN60SpR/8QaeK18o1xrOM41jrWiT8iYtR/TRIJFfERCTUx7qQRMapqrLXWscYY41gj1jjGOtaIsX7P+NSMeE1kIpjEHmZGSHr6bBOBD//96/LlzvVg3kZy7u1nN96zG+fGpHx6MgMIGdvrQbygiz3SrMdTYl49Dxrk7PqSstouOq6oGGPcWKywqLCjo6Opccuo0tKWjo4f33xzTzcOID+iBkBvUtWmpqbJkyd/6cIL//TII8uWr/AehHcAACAASURBVCgsCHqu6x+3E4fAHNeKNOWoriKqnrEmVFgQjcQ+aGpaunJFYXHhnHvve/vtNzZtapw/f35lZeWSJUtIugOAjwRVra+vnz9/fnl5uRuLzX/hhQvPP++1119r3t5cXFis6nme54cHUhpYu9IrPlESIOf0jAmpV6BzBgdSGmfZF8/zTklvGnb2iU/2BMhstRpj/Txzx7HWGGs9UVX1u6lHY9Go60aj0Vg0EolGIx0RT1VVXNeLRmMx1/XU81TVU/XUqHiiRj3V+MX0jo5IJOKvI9YRibixaCwa81zXn8NYY6y18fwEERFjTfxQLIlkBE1JQDCpmRDZUiMNpvNVzCdv74rcb4vkTtbI7qSQ/S7k2nh69YGcw3Z2GavqsfSxIPPszG6XfkgJRWj8tTeqItb1vMKiom3bthaW9Pvlvfdt3Ljx1Vdf3d2tAIhjDAWgN9XW1lZWVt5zz5yvfe3rxx1zTMAxnucZMenHxczwfkqCoFGTuOoiEou51rGFwaLW1tYlb7/9+bM+/f2q77/5xpsiUlNT41fSAgDs/6ZPn15TU2OM6denePLhh595xhkNG9YZawoLC2KxmDH+FXkV09nhvEfdvn3d5Bikzph5QVnzNjNTm6AmdRvxAIURk4h5+/OkHulUxZj4eJGa6GthjBixxoix1oi4nsbcmOt6nut6nl8tXwKBQDBUECwOBawTDAWDoZDjBK2VYCBUUFQUClixGot5Yr2ABlSNMcYTLyhWHBHraNS1gYCr7s6Wlmg05sVcx7Hqee2Rtva2NtfViB9M6IhGYzFjRD11Ao4TcAImYIwVq8bYjGEtxe8tEu/tkFp4IF4cIaP1mvWSZb4H3dzsvGsyp/WgEd95gSK7D0F2gCBXyEA00WsjYx92MYSQfGlyL6fxTexe2MCIxnfQX5cm4jpGVIznesFgcP3adffff//48eN3awsA0hA1AHrT8uXLp0+ffvqnpz700P2R9nZJ6VWZlWCQeS9+OE/+SQy05bpeKBD0PG/dmvXf+ua3zzj9s6o6+/bbq6ur/XEZKQ4MAPu52tpa//L1Ddddd9ecu7fv2BEIBKzYWCzm90rIU9mwB7pYpItDTvr0Lo8iJuW3iFGTEilIvRvPy++MS8SbjNZaNcbvRhCNRd1YzPM8EbVOIBAI9OlXMqCkpG+/vkWFBUWhwgH9+zuFhQXFxQUFBcXFdsIxp/xHRUVyV34U/mF9/dvGiqjd1NS4c0dLW1u7f6A1xhQVFZX06ze0tHTCxIk/rP5R6nN4+umnFy5c2L59u2dMe3t7a2trW3t7a1vbjh07WrZvb2lvbW/riHW0qXhOIBhwnGAwaB1rjfUPxuolchhEjDGep+kpIZ3BlayXLm9kIH/IIGN62llE+qOmiymaXDozjSDjTuZuZe1mIqEhLWCSHiyRPPun4gfCcoQwMifsmqxPvR9oi0cqVL2CUMHWrVuamprWrFmzZ5sCIELUAOhd82trO/r3n//0U6GSElc9I+IlAuDxk43kzXQ5UwST92Oea411HKejPfrM3KeWLV3650cfLSgMzpx5VTgcpj4iAOznzjnnPx999LGLL7zw9TdeszYQcBxVcdWV9C72IrkmZNOuG6T5luliXek3TfqvrLZnyt14WUG/tEC8G72xJpGREIlEXTcmrrrihYKBPsV9+5UOLS0dNGjgkP4DBxb1LRowYHC/fv3Ky8tPOeUUEbnz9tsXvPJK886d7e1txx5//MS21h0tLf369FmyZMlLL730fN0LPalsN2XKlPVXXnnGGWeUlZWVl5fv2LFj0KBBBaHQmq1bW3bsOPmUU6769rf9Of/whz9s2LChra2ttbV125YtjU0NWz7YvHXrto6O9khrh7XGOoFAwPHL9juO/zTV+sUUNW1QwV3vUJJ1M++8XUZ10mMFOTIU8t3JzDvJdyqSNl9PRsTs1EXEY0/jBjnWoIneJZ4nAce2RyKRSGTE8OF7vCEAe9ZfCUCGstLSoU1N0SM/0ad0yLp16x1/BK30f2eZ/+p24fKSsdaIiud6/YcM+OZVM9tbYytXraarAgDstyYcfnj5pInnXXDOr355b2PT5qKiImOStfsku/2Yea03Q9aDuebOPqR03UpLOVJ19kRPdCpIeSgZz1DVxCOqnorxu+IZUVXPi7luLBZTT60xwYKC/n37jzxoxMiRo0eMGD1q5KCSQf3PPfdCEfnlXXcuXLy4paXF83Tw4MGTJk0aM2ZMZWVlagJdaq+H3UisS128urraP1yqam1t7datW995553NmzdHIpE+ffqccPzxV1x5pYg89dRTmzdt2rptW8OmTesbNjZtbGje1tzStrOjo8PfBcdxUnbFqHqdoxXkCOXkPrznuMjflewSBskHuugDIF31k8gVIMh3ASNjnakVFuOz596B5Kcn863LDlj0kvhnVlUcx3ZEYxecf0EgGPwhp0nAHiPXAOhNTU1N9SKTm5sL+peY+EHR5DpXyCnXyWAicdUYEz83ExMoCDZv3nbrT2771KlT7rjzzu3NzbPvuKOysrKsrIwOCwCwb/mN0unTp8+aNWvrli0d7W0HjTnoZz++LRKLFhUXqT/8bp72ZeYBI229yV8iu3xtOyObPPfqU2eymSswEh+eUEX8MSATgxdacT3Pi3mu54nnOdb269d34IBBhx5++KTJk0eMGDthwsGTJ0++8+c/b9m5I+rq0CHD169fM2rUQTO/edV/d3nAqqys9KsFSaJsUG1tbc+fc+riS5YsUVU/NS/nUfI3v/mNiGzcuHHQgAGbGxs91x03fvyPb721uXnNv195d+W6VUvffW/F8hXr16zbsXN7JBr1+y84jmMSoy+oqpFEX/t4pkXyZuZLvRtt5pxtc81/OT/PxkV6lM2SU87Axe5cgtztcgbdURHxVETEU3WMKS4udr3YXtkUcIChdQH0ptLS0qampiMml5cOGdywqSGRapD6Dy15MaKrg2aiY15nN9GUkxzjONZa67mu63qHT5rw45tvvWfOL3/+izv9U1XfXnuKAIC8/O9hv6U6+9bbTply2i/uuP21hYuLi4vUiOf5GdT+nPGLoslFu1xvt3NkzZ17gS4ajJ15BfFcg+RYhIla+KJGRY1frV7VjbmeX+3QcQqMHTBkyMGHjj/ppFNOP+X0cRPHXTJjRktL65FHffLcc88tLR08dOjQj1ZQW1Xb25s3N23+61//unDha0XFxff96tcNq1f/+dFHXnll4epVq7Zt2xaNuX6Bx/hgkYkFE6vwf+VMP9jVVnO+dIO8aQi5nlHavVwzdLtXyQSUnuicOWMchb2WaxB/jtaamOsW9+0z/YsXrFu76Rd33rU3tgUcUD5KX9/A/u+Tn/xk//79HSN9iwtXrFgl/vEykTHXbXg95/E6LRPQr/lkrRHxB41qa28bOWrUlNOmfq+q6oH//d+nn3lm9OjRJSUlJB0AwIcsHA6rqv/1e/cv7hzVf+hv/nT/sqUri4uKRNRzvURHeJPejsx/aMiX7p4mIzCddw1ZkzOvUHc2Po2xIinlCeKHHfUHRnQ9VXWsEwgF+hQXl5aWHnFE+Tnnn3PUUSc++OCDo0aMLCsvf+vNtz437XO5t/2RNffppwcNGrhh/Vtnn3eZiDzyyB+ffuLpVatWNm9rjsXcSCQqoo61TiAgIuqpJ55RSbzdqb92r8Fs8kQHsianJI101YElY2o3LfmUaxc9jhqk9m/JSnfZ46hBzkROVTFiHWdnS8uEwyfOuPTS55579r77fr2n2wIOePRQAHpTeXl5R0fH0NLBVnT5spXGGr/prn7m4i6fKqhfaEpEOlMW/ErUxriqRqRPcZ9NGzfNnfv0ylUrfvPA/733bv1Pb7vdv9iVOtY0AGCv8vvMG2OMMd+55uqIG/v5/XduamgoLir01POv4saHV8xsnnXT1O+uldXlcSWZJZ8WmtCUG/GMh4xrwWqsUU+MNY5xjI16rhvrUE9DoYJ+fQuLC/sMHTr0mONPvvq6q0XkFz+fvXjRG0uXrlq9evWMGTNE5Nf3fwzbaf96+eVwOFxd/cy/3zRTpvwpFCq+/4GHRGTu44//7bG/LluxvKW1rb21rb293RoTCoWscdRVVz3R+KUDkb2Vnd9tGkE3i3e/SykxprwdIrLXmjwLiQ8M1as619m5Z0ZURFUdY0eNGvH0U0+88+7S3t4ucCBy9vUOAB8rV111VWFh4THHHF1WPvH5Z5+Pn4/Facrp2y4zqfl98cRRERHP84KhUKS9vaGx4dG/PHJR5Tnjxh96+uln1NTUzJ49+7LLLqO3AgDsbcmqtH379p07d+7jj//t6b89vmPH9oJQSDVe2T1v3bq8tW96r3GZldaejENLvANComxBvH1rHGutdYw1kUgkGokGA8HB/QcOHzny8EPHXXD+uT+7c87zz8/riHRs2Ljhk5/8ZL+S/jff8tPJk4+YMmVKaWnp0KFDKyoqqqure23/9w91dXV1dXV9+qwqLa2YNm3mD37wg/r6+s0ffLD4tVeNsQ///k8jBpd+sHVLYUGRdWxLS2tHe4d1bCAQFCOep8YvF+F/IDS9QmCP2uEmo4mcc56UNXYnM32lJ5+3XegQ4c+/KzP3WNYlGP8ltSKeasBx2tpahg4dOuXTU5o+2PL440/09uaBA1FmsRsAe2Lt2rVVVVXNzdunTTsvVBD0RI2faBAP4+sengUml/fPQv3Vum7MWMeIWb9+/U23zG7vaPezDMaMGdPU1MQICwCwt/nD3w4fMeyaa6459z+nzX+urr2jPRgMpH//iyQv6mrKT+Y92fODhYgkG3cmdYJJfTjRhU7FiPq1CsSIGOMErKrX3t7W3t46oH/JhAkTjz/26P84//y/PflU3wGDPtjWcu89c+bcd+/qtWtWr16tqlOmTLn66qurqqqqq6snT57sJ1zs8f7vd4wxU6dOnT69urIyXFtbe9ZZZzU3N7+9ZMk77y392R0/v/9Xv1q+evWQIUMff+aZs6Z97sijPzn+0PGO4+zcsT0ajTgBxzhW4vEBY+LXxFOP691tPe1PPpr7w6O5fvZSaYH0Dff+JjT5xy8Q4sdhjKh6osaYaMy1xhl/8Phvf/u6UKig17cPHJjooQD0Mv9U6Yorrhw4YGDrxg1+zwQ/2B4fqiolRt4rp1VGjOe5xpqCglBzc/O8fzx70Re/oKo/qq7e+ycEAACpq6ubMPHQqZ+beupJJ2zevCXgOMFgwHU9/1FNjQZIWlstK8+gZ/nr3V+aTtbi9fMccqxUE8kFfp5BsqpfNBrraGsrLiocO27cQWNGjR499gc/+tHsn91WXFh444033vGLuysrK2tqapYuW15fXz969Oi6urqZM2d+LMME+SSfbDgcbmxs3L59+6xZsy674orp06fX1tZOKJt0/HEnfu97VU888Yfnn32xcdMHK1as2Lzlg2AgGCoIua6n6kn6O9KD1+6j/PL2tEdDz2R8qBPFn1TFqNiAbWtpGT1q5A3XXHvbLTcPGzbcHzij9zYPHKA+yt9BwH7JL5197DHHrFuzau7cZ0LBgs4hE/J1UMiXtpo2S2ef08Qo2iZ1ur8Vx3E8z3Vj7qAhpRfPuGRzU+OwYcNWvL/q45cpCgD7icllZYceOv7Ms06/d8590Y5YMOhYa/2RcjPiAHtaBy5jubyHjRxZ4emV/DvrGCQr4BhjorFYLOoOKOl38CHjy8oml33iE0889rfjjz++b99+xx5//J///GcRWbBgQVlZ2UknnVRZWXlARQq65pcTWrBggYjMnj27urp68uRJy5YubW9vD1ffdNctt7yzYsVbb73R0NQQdIJOwE9CSSs6IZK30mHnrd1+vbsqitndTFn7s6t7kr9zzu6Kf5qTiTzxT7Q10h6JlPTrf/lXL31u3rzav/61oqKioqKCpEtgz/F1D/SympqaysrKOXN+OXnyEd+48jKjxlrriVoxXtYQ3XHdH0/Tzs1Msp9g6niMfkGrRF6oep51zHHHHHfPbx744Q++f+NNP+6VZwcAyPDZz5z5qZNP+f3DD4tjHcexRrxk7UNVkzliwu7KuWhWwYLckxOryKiZF6/OaEw0ElFPB5cOPuaYYw+bWPbNb34zXPXDdevWL6mvf/nll1W1rq5u/vz5/nK0wbrgv1Yi4r9c4XD4sksuOfbYY6/8xjee+svv57+4cMHLL2/auNEJBAKBgEiiR37aYT6tHFJ62GC3d6uHj/QocLDvowYikuj+aYyJx1+siUQioYLQZ8787OJXX53/z3/28vaAAxtRA6CX+Rccpk+frqpnVkxZv2GDf2bgd0/I28PPdPWvMWOg49Rzi2TpKr9zauLYbMRIwAY6OiLjDxlfedGX5j333KZNm5546ik/qCEZcQgAwG6ZXF72ubM+++RTjxsxjnVUPZM69k3POx1k63ahPA3KtMhBVtU4MfFMA1VVUc9T8bR02JCTT5taWVm5eNHCy6+4ctmyZb/73e/8JLWqqioRYTTfXRUOh+vq6hobG+vr66uqqgb17/etq79z680/nnb2ubW/+928efM2NW6y1jHGOI6TaABLZ5s8+QnqRRmdInazDGf+ooz59zklW7KbfcyxaObOJvMLNPHbGCNRNxYKBqZOOX3BwlcWLn51VzcDoGscAIDeV1VVFQ6Hf3n33WvXrftLzZ+Kioo89Uwig243cg0yowY5ggjqF17sPJobo6qBQKCttXXAgAGnTz29+pZbfvPrX196+eWSOP/jehEA7ImzPvOZg8ePffGFF9WLBZyAetrV+Lo5e3fvSfmZXFGD1OvAfvyiM3SRaF+pqOu6YownOqJ0xOfPOeeaa675UXX4g81bbrjhhhEjRgiR5b3j/vvvv/TSS//4299eePbZN/7sZ3//x7Nbtm5xjFFPrGPV8zqzC3o2qkL+h3bxg5UjZpD3KkfP6jKmL9PFAl1nWmY/bBIJGvE0DSNGo7FowAlMmTLllYWLF7/2713YMwA9wxgKQO/zW+OTysqmTZvWp28f142JGi9epDq3XTo7yzgr9btHpvTyU1FVT0UkFosVFhbu3Lnzb489esmXLhw0ZMjdd97pV7desmQJUQMA2CXhcLiiosK/rarDhw5d8NK/RL1gIOh5yWSylG90Tb+RUsFeNTEaTt7C97vGpIUMTOKW8UMFKiLGWsdEY64b80LB0OBBg6/46sznXnihtLT04YcfrgpX33XXXSNHjvy4joCwP7j00kvD4fBFF18sJSWDhgz5578WTL/g/EGDBzmOjUQiIsYYq5oYZkEk8T7m++lCtzNkzZ7jZk5dRhXyfI67GrGh249+xpPWtIsn1ppoNFpYUHTmmZ99ZREhA2BvIWoA9D7/lCsYDD71+N/KJ0/u6IhYa621Yh3dnUrCuRbIc1ROOS+NVwmKxmLWcazjLHrt1fvu/sXmxsb/uqgyHA6Xl5c3Njb6vRUAAN3yI60VFRXXX3+dql7whQtee+01db2A43iel2OB1EhBjmHvci/RxU/u9WcWp0tED4wfLxArxhhjrXXdWEckWlBYNKR06HnTL5z/0oKtO7YYY77yla+sWLFiN18U7ApjTHV1dVVV1dVXXz3/xReNMQOHDK3757+OPvbogQMHuK4bi0YdJ5gyv4j/jpqexgxMF/d6vp+7t1j38n+o8/2ryN6VeMhAxUggEIhEIyX9+p533vmvLHxl8auEDIC9hagBsLecdtppBx988MnHH1NYWKDxVnwi16DzIlA3FQ3yUdHuB0HWeHFsz1NXNRQqWL9+w5NPPibibd68bHvzlqamJr/gMwCga6o6ZcoUEZkw4fBbbvnp2Wd//t1360XUOtZ13ZQZ4/3QepBH0HWIIEf7KnMlJutu4gK1f5Cx1oqK4wQ8z2tray8qKho5atQpp51W9+KLmzZtmj59+jvvvjtr1qxwOEzq2Yepurp63bp1o0ePVtW/Pvq37373hvGHHPbjH9106GGHFfcpbmtv9YsdJKI/0lm9KHnmkPibM5Swi2kGCXs5v6TLTIPuekXEGf+yjBo11jiObe9o69+/3xWXf/2Ff77wr5df6dX9BZCGqAGwF40de9Bn/uO88Ycc2tHRYRwr6iWqFopIPF7Q3WG6q16LXUvMFe8Z4bpuKFTQEYm99cY7X/zCZcefcPKY0SPXrVvXG08UAD7+KioqKiqmXHjhRZ876/SVy5YHjDjWuK6bHvvNLj/Y09SBnkhbMlEVLrXQnBExJj6mn7XGCQRa2lqDweChh0444ZSp/3i+rqWlxRhTX19fW1u7du3adevWVVdX0yXhQ1ZbWzt79uwHH3ywsrKyoKDwuXl1c59//m9PPnle5Xnjxx8SjUTaO9qdgJO4tqCdCSXZHRck5UwhR0eDHscQ9rCHTM+2kP8nEWfL+4/DmMS/NCvGOk5HJFo6ZGj4+9Uv/uuJ5+bV7fW9Bw5sRA2AvejJZ569555fHjbxEOtfKBAbP+j3KF6wp5KVgvzes0ZMzI1Za43IB41Nd9zyk+I+IVW9/rpr/RLZAIC8IpHXFy+eMqXirDNPX7dmveMExIoX80y8wSOpLfoeXjndRfnCDX7NgkSz0hgjxljrBJyOjkhHR8fYcQefOnXKE888NXrUcGPMAw88UFpaumTJknHjxr388su1tbW9upPoKWPMJZdc0tTUtGrVqrKysqI+fYwxXlTDs64+7dTTBg4Y2LJzp7FijIgn0sU5Q3aCgcn424PP4a59VPfOB1xSwgbpazaJ6pzG723jOJGO6LBhw6tuvP2V155vaX+yrKyX9wRABmdf7wDwcbZw4cJDDhl/8smnvb98+QebPygoCKmnxvSkjlGSSfl/DyTqKfhjOznWRmPuO2/X/3P+c/f+6jeNjQ3FxcVvvPHGnm0DAD5uVDUcDl/77W8//+yznzrhhNM//elNmzYFAgEjop5nrEktLiCSOrxur1+6zbis3Fn30CRC0v49J+B4nra2tg0YOOjUM0677LL/2rjhg9tuu+3e++5T1fr6+kWLFrW2tm7btq239xC7rK6u7vXXX582bVpNTU1TU9PzdXVzn3/+hzfeGIm1dexs27hxoxgbCAZVVURzpIQkUhe7/LjlP4HYrQ9pSs5Dno30xlURk/JfoqOGESPGmmg0NmbMmF//74Mvvji/rV1FpE+fVfX1vbBRAPmQawDsXe+9t+ztt9+acOSkosJCUbWOk9ZFoftDay+dd6adZ2rMc8UYxzpvv/XOp6eeNnjwkIPGjBaRmpqatN4NAHAAC4fDdXV1IvLav/99zFFHnXrWWQ0fNAaCAb+DmBjjpXYGkx5/Ye9mlwVNX1hUNFFSPt5JwbFWrLS1tzvWnHLqqf9z00320IkVFf/xoxt//PTTz1RWVobD4Zqaml18GbDXhcPh+vp6f9jmdZs2GWM2rG/806N/++KFXyoqDLa3tTvWijGiWR+UXU1cTOkPILlKb/RO55mer0KzP9fJR+IDRMXvJc6dotHIuLFjn5r77LKlS7ds2SwiQ4dWkDED7G1EDYC9a9GiRZFo5Jd33jtm7EEdkUjAH0YhWbJKZLfrFvVU1nmm32HBU0+McQJO44ZNN1x/TcB4qtqyY7uI1NbWVlVVETsAcCCrrKxsbGycP3/+Y48/Pubgg6d/+cvNm5uCwaCoxoMFubsjdBkD6LpNtostNiNGNTUQbSKxmOd6EyZO+sH3vm+PP+6cM8+MDh9pjPHrONbW1lLCYH/mvzt+WOe9pcvCVVWxWOzG6h+PHTu2ra3DxPP0be6Dc54hFnK+2dr5Oy1okPwoZ/YQyLuOLh/POUvOSFnqP6X0GIb6I0nHH1HPjU04fOJjTz3z1ptvnnHmmf4Hm1qewIeAIwewd40ePfqkk05yHDt27Mj5z7/QvLW5sLAg5rqd//gyzjtzMXnyAbuXcjYbvyJlOnsr+Des9QdZkCOPnPzfl3/9jXff/frMmcmQAeeXAA5AyVFpP3XqKWeefe7Miy9uamoIBoOe53WOYKMp3a8TrZq8a8x6JDmhm/7q3TDGGGusp54R7Vsy4Jyzv3Ddd6+r/eMfH5k8+U+TJ0s4LNXVPVkR9k+V559f8+c/X/qVLy94+ZWA4xjr9zbM//HI/UnL+JVn1p7pMiKxq7o6BzKJkxBrrSdqxJSVTfx9zV8WvPTSSaecEp+HsxTgQ0GuAbB3lZSU1NbW/vGPf2rZ2X7o+IMdx/FDBv7Vob17rEuJ2icuHSR6H8Tz/lREPE+ttSHH+ferr//P97+3s7VVVZ999u8iUltbmzx1BoADRDgcLi0tFZETTzjuogvPuerii5saGwLBoOd5mswyyB8FyEEz72neB/PPl72AijFGVaOxmOM45eVHvPTyy2PGjfnLI3+pvPDCPx1xhBhDyOCjrvaRR4wxv/m/3/7HudNCBQWxaMyIiRfUyPh4dJvJknF/93sj7IaMvMe0ZIN8e6EinqoxJuq6xpXJk8p/X/OXOb+8e+6zz5qED2fvARA1APau+vr6srKycDjcV83Df6wdXDpEVa1fFjkxnsJekXlJIWOAJmNSIvSq6qkWFhY2fdD0p9//9qtf/X9nnvmZJ598ora2dvTo0fRWAHDg8LOdhw4denpFxcVfmXHR9BkbGxoCoaB6XkZfhIxEg9xtn8yu2tn3VOID3Yjm6Laeq2Vo4gtZx7qeq6LDhgy58MKLf19be8fs2UuXLX3r7bdoTX1sVFZWqqoxxovJRRdeMHTYsFgsppp19qBd9HfMyokR7byV3lmgx5+bblMdMjohdFOwMfe6VK11Yq7nWOeoo4/+bW3tDddfP/O/v1lNLAz40BE1APa66dOny6pVhfX1V19++SmnTQkVFnrqGTHWGPF7pXYzRsKun/xlhgySU02yv2L8XEHiJ6qq6nluUVFRW2vbqwsX/+e0s4499rhBA/rfcccd/jk0gQMAH3uq6veUPmz8+C9fcMHFF13UsGlTSc6pzgAAIABJREFUIOio66V+pWZ/Kffk+zEr4SDn48kggqaMYK/ZTTDr2Lb2jmAwWFZW9vwzz6xavdIYs33Hjp49UXxk1NTUhMPhqqqqfv0Hbtz0wVcu+tIhh4yPxSLGiDHGWmutNcYam7j4bk3n7cSEzNtixMRHM4yfgPiTeuE4nzr8YzKMoekPdcrbT0dFPLWOE41GAgF7zNHHPPi7311++eW33Hrrnu8igN1A1ADY68LhsKxatUTkjvvvb2rYdNBBY6yYzrh+vNJA3k6KnVN7eDjv6opB5xUxkzprInIQi8VCoaCorlq56vxzpx067uCf3Pijvzzy5/hMBA4AfKyFw+GKioqKKVO+dPHFX/jSl9atXxdwHElcmdVEUrcmy8WlXbVNl5VXkPuB7mT0MvMTtsWYto7ImDGjz/zs52se+aspKRk+aqSI+IX0KA73cWKM8askNjY2rtmwce0HHzz01DNHHvmJto6OmOfGYm4sFnM913Vdz/Nc/8d1XS/1x/PU8+eJxf9L8DxXPc/z1PUk5aPpRxZMPCuy83dyyq4+iZQbGZmPyeyZzg35O2EDTsyNBYOhY4878X8fftgYc//99+/56wlg95DABnxIKioqKioqNm1Y/4Prrj+n8vxoJCJiVFQ9NSJqxORplJv0X93IcZKa7/TUiD/4c1a8wlpjxERjseI+xUd9ovy+//3tsqXvHXb4hPhiJL4C+Ph66P/+7ysXX3zG1P/P3nkHRlFtf/ycO7O7aYSWBJAACZ1EugiCkg0IiICouBH1qViezyfPhr9nRbMRbE8fYgH12UAQJStPERSQp2xARTpBEgQEAgktCS11y8yc3x+zZbalA0m4H9ewuzM7M1tm7r3fe873GE8ePyGIArgEU/JEa/lcUl2CQYjcBP9LsnbetdaoL2YCczglUqhP337jx48XBeG+++/3VIhU/3KaJR6boesnTph219233nLzwf0HUBAUWVZ/VIigeDIVFHD5JxEAKABIiASEREQoy5KigLsEB4GsADKZZJEJyKCa3oYnR6Ze+MxhkNf1mYBU+0N0SE6doL965Ih573/IOx4czkWHn4QczgXCbDYXFhYWFRVFhYdddlnssq+WGwwGRVEAXDWYXX98m2LUnqR1UQ2CN+xuEYJ87vosRoExRZGJ4LIO7Vf9uG699aeRxlFpaWkWXhaZw+E0L1QpYOHixYfz8x969NGbx4wpPl2sE0VGpJB7XOMe5vipBlVIBhBKUKjqUNx3NJVu1L9EJIqizW6LjIwcMTL1nXfemTlz5uzZswHAbDYjIg8xaPaYTKbY2Ni4uLjRo0ddffU10++/v2WrOEWxyYqiKIoiy9qVmSC47zoUWQHQMUFQFEVQFIcoCoIATqdCJBgMOsQDhw+3atFiQ9b68IgwRZFrqnDVV0FQzy5VKvD+4pGhLMuiXjfiymsOFeStWrOmzjvgcDgNBVcNOJwLh8lk2rhxY0FBwZhRqZLDWVhUKIqioiguvQARgYh8+oo+NJxqoNmYp8EPkCfQ5ZjodDhaREXefsftpRW2555Pr8FBcDgcTlMiPT3dbDb/uO5/PfsOmHrDDWdOndLrRI0koI0oCLzIVh1oUJsRVZB1yZ13TshYZWVlYmLClJtMv27eXFRcvHr1agDIzMw0mUx8MvYSwWw2p6SkGI3GDz/44NdfNu7d+wdjqrpF/gGLrt8EuVJqtJkFGgeDyy+/XNTpFFn68899hccLBZGRot1ODX7A9Yg7cOkFSGrso0syUBSdqLvhhsm//Lrxf+t+qvvWORxOw8HbGA7nImC85pr055575LEZAIpfioBGcQ+gQVUDzyaDTRW4AhDUfxhDp1NCgQ0bcsWHCxbdMHHiiu++A3fOBZ/d4nA4TReTyZSTk5Obmztv/tvXjh457c6/njl9xhCmJ8VlN+MbTOBvaFilZFDHKANXiLYWRIVkWaEBAwYutSx7+625jz72eO02zmlGqOqA2WxuqFICRDT0yivPnj4VER4my4rfwhq83u8RIWBIr6bAlyIhIBCobo2KooRHhN39l2m//PZbzz59eB+Dw2kkcNWAw7kI3P2Xv/Tq2etk4cmVK1dGR0VKsoSI6iQBauf+/bMGakAtVYOguOUCT8CDWhKZbDZ7YtfE0SON2bk5OkNYl4QET9+FT3NxOJwmhydxLL5L/IOPPnjPjbefOnvWEKYHT1aCajjjvRrXINCgHrkJ5DaC85GSESRJCjeEpRrHvDnv7Tlz5syYMYMni3HqQ0pKSlxcXGZmJiKmpqToEA/n50dEhEuS2hupe6yB788+WM9A27dBUItKEhEiEwQmy7IhXP/YwzM+/2LJqh/WJiUlxcXFcbcODqcxIF7sA+BwLkUWLl783rx5V11z9e7c3w8fyouKjJJlWfUmdBdiBIB6yXp1lgzAp+/qKrVABAAUGRlx6NDBr86cGthv0Hsff/zCzOdmvfQyEVksFrXhr/vhcjgczoVFncOMi4tL7JowZtLYe2+569SZMwaDAVQnA1UuQO2lNHhFBB/qYxGHPhduUs3tSJGdckxs7E233HqsoEC9zJaUlKjjvXrsjHPporbaalbLTTfeGG4wbN+2LSI8TJIlH+tl14+5OoODOvzm0fsr90QZMAZOp7NFdPRjD/9z8ZefrfphLQDk5ubm5ubWfgccDqfh4ZUXOZyLQ++kpKMF+ZMn3NAiKsrhcAgCU8sZ1KYfeF67jOSrPBAAOJ3OiIjI8rKKX37+edL11/Xt3uP+e+9BRJPJNGfOHLXiF4fD4TQJ1AnM2NjYSRNvePjuB0+dKg4LM6gzpZpBTVX4RxOEnHGtAaSOoIgI1UINjDFJlhWCHt17PG+eVVZa2rJ166SkJABQ6/DVbvscjhuz2axKBrdPndq+Q4ft27aFGQxqRSdw//4BfGwQQlIDt0QvqJEg0PsMAjImOCU5qkWL/3vqmS8sS1Z+/33t3xaHwzm/cNWAw7k4pKamHj585OEZM/r260cEAKhQDYsaemomQ3Vlk+vfrXS5KKl1xxBRliRBFAWdeGD/wXkf/6d121aPPPwPROzUqVNSUlKI2pEcDofTiCCi9PR0q9WqKPLo0aPvv++e4lPFBr2eiLyDGh/ZgPwkAQgcLnkTE2oiGQRUrXdd05ExAAJRFO12e5g+/MrBw1auWbvpt9+QMQBIS0ur65vmcFzk5uYi4l/vvbff5ZdvWLdOFAQAkiUZ0W2f6FnVe696CSGowwdqa45o64OQa28IgALYHfbWbdq88OzMzxctWr7i27q+Mw6Hcx4Rql+Fw+GcH3766afS0pJnnpv5i9VaWFxkMOhJkQFR1QLcuoDnhgioaWY1zwZryxt0HkqTM4GokIKIOp1YWlKSfyQ/Kio6e9euX3/5+brx481mc1ZWVkPumcPhcM4DZrM5vlPHW6aY7rv37uLCQoNe71lUVXqXzzIKeLJusqlLCPaorkxkNpstNibWODLlvY8/QkRjaqrnsOu0Cw7HS25u7s2Tbrxu7LWfLVxoczh0BlGWvZIBACCpv8jabTZEBUZNjWfNA1fBaQQUmMPhbBsT8/Szs9asXb1w0aL6vDUOh3P+4BFuHM5FZtyYMSOGDVv5/XdlpSUGvUFWFHT7AwH4avOh0Pp4B/ZjGwjUFHtAAAJkDGVZAoK4du2eeGzGL7/99tJrrzXgHjkcDuc88Z8PP7jxtptM424qKi7SiyKBQgpA1dYFQSUDgCDX31rirlcPAICM2WyV8fGdxo0ZB4JQXlkpiGJOTk5ycjKXDDgNwoP3/21i6qS3Pp6Tn38kTKeXFQVZsCF/FRk4wZ6r0vbDW69J9W9iiAQgCMzhdMTGtXtu9su/rLMikNVq5d6HHE7jhKsGHM7F5+8P/e3E8fz9ew4IAgMAj2O3V5yvmguiGqiHgj5HBgwZAcmSHBEZed21YwpPn45q2fL1N97gObccDqexoU7mL/j440MHDtzzwAN3TJ167uwZnU5UFHIv9K4b8OJqPQzqaAqH7jlaAkBESXImdu02Mz3jX6++unzFCiKyWq1ZWVlcMuA0CM89+8zsl16+dYpp587t4eFhiqIA+DoeevwQq1UNqjgl/PHzMwBEEAQmSXJcu3azX3ntp3U/Ze/Mjo2NjYuL4z91DqdxwjMUOJyLSVJS0vTp00vLSuZ/9uF/v1hWXlbGRNGTB4g18SIKxnlyF8AAIwW12gITmCw5c3NzY2Pj5n/wweJPP0VF2bNv3/k5Cg6Hw6k16lAkISGhsPDEmJEpt0+dWlJSotPpXGoBeUrOBqMhbQ+DgICgFt8lGjhw0H+Xr1iw4NP3P/jAZDLl5ORMmzYt1Z2hwOHUhxtumJjUu/dXmV+u37A+LCwMkLRKAbhzB+rQ76hBfRH0RBwggiAITkluF9vurTnzD+UdPHnyJAAUFRXNnz+/9jvncDgXAu6GyOFcTNLS0qxW6949++++5a5rjNcYwsNkSXJH8flPfl10CIB8TcHUGTIiAIY6nX7Tpt/Gjh7FJKlb925/ueN2AMjMzCSixvZGOBzOJYXJBIWF1qysLMtXX7bt0u6Ou+46W1Yq6kQixXt18oYM+I6AahKnXXVdOqpOykWQFVkQ2JXDhn++1LJ48SJFIaPRaLFYeLkETgPSrUtCy9bRP6z5n6jXIQIp3h9/fX5kvr/uUFvyngaI6JSkuLax78ydu/6XdbekmVJSUuLi4iwWSz2OgsPhnF/Ei30AHM4ljdlsTkhIyMvLA4C+zz/X8bL2hw4dAQAfb+2qCRkz2PDpCe5g2sBjIFJAAQoPDz+anz/n3beNo4yLFn+eYjSaTCYAsFgsXqcGDofDuYCYTCaAnKIia3yHAd27dXr4nulnSs7pdTpSY7MB1GIx/u5vBIA10Qtqhl/NewTXFZUQGciKIor6K4cO+eiThYioZiWAuzYkpwrS09OTk5M9DU1OTk5GRsbFPqhGysgRI56Z8cSU228nIlFksiyjJsZAWzPEx7rQRTXpCaEXoGarBICCwByS1KZVq1f+/e/PvvjitTfeKDx9ymw284AaDqeRwzvxHM7Fx2QyZWZmvvLyS888+9yVgwZU2OwCc1khVjXQ9pshcz9zfhwNXKgda383ZAJwWSITY0ySZFlR+g3of9e0e48cPvz3hx4iIrPZjIg8X5HD4VxIzGZzYWFhUVFR1y7Rk8be+s+ZM8+ePaMTRTVGynN9Je21DLRXVfCuEkhNfBC14zCfynMAAIwxSZb0Bv3QocM/+OgjRHzggQc6dOigXjBr91YvDdTYkJycnKysrA8//HDnzp3aWDZETEhIuPvuu00mU3JyMkAN6xk3Z4xGY05OTlFR0cTx1yHD/X/sCw8Pd0pONTGGgk0GaM4LLbV95GuDBECgiIJodzqjo1o88/wzP/5vXe6evT/99FOd3xqHw7mQXOoXUw6nMUBEFovFYrEk9elTWV6+fMW3BlFUZ5x8h+meF2jvBvU/PG/OBq6Nu20RQTuR4Oq8CYhEYHPaO3XuMvmmKUcO573+xr89egEXDjgczoXBDABGIxiNDqd98KArXn/55XOlJXpXYoJ2ZBRgIE++V9lAgpZSCIV2iepbg4AETGB2p8MQFnbNsBGCwfDOvHk1fmeXImazOS8vr2XLlnPnzgWAjIyMUH77ZrM5PT0dAB544IHExMTu3bubTKZLUz7IzMzcsmXLli1bWke37Nz5stWr1oSFhSmK7LY7BHAV7/D5cNyhMHVzQwyMNQAAIiJRFO0Oe0RY2F333fvDmrXfr1pT9zfG4XAuONzXgMO5+CCixWLZuHFjxosvvvbGG926JtodToYMQG22g5siElCwia5qM2jrd6gAqAZAeHZCHpMjV09DJgKGYYawYwUFn3/6idNWSkRh4QYAIKL09HRuc8DhcM43RJSSng5WKys8NnjEFa/MnlVaVqrX60ght2TguVpqNFd/I4OqJINaH5L7taiQIAo2m80QFj50yLDC06ffmTePiNRIe44WIlq3bl16enpOTk5CQkJ2djYirl27NjEx8bIOHW65+WbVOmfcmGv79OrZv1+/u+66q0ePHr/++isi7t+/f8eOHSaTaePGjarJzsV+NxcUIsrPzx8yZMjwq4bfN+2vG9b/ojfo3aoVABAChZRSavlRaVYPFrlAKIqizWYPM0Rcd/2kxYuWcMmAw2lycF8DDqdR4DEBSn/hhQfuvT9j1otOp5MxBghIRGqqQtAEhCoiamuPOueg2YXPFFxIjyMidLspqceqKAoiM+j1FZXlGzb8OmXyhLc//c/cV+e88focNVuh/ofK4XA4VWA2m81mc55BaJ3Uw/yU2emw6fQ6WfJ6GQCAeonzFLuteRZ3sKstVr1ce6lGUSgrL28V3WLwFUN//vXXPXv3qhFnmZmZl+aUeCjUcb7RaMzKyrJYLC1bRw8ZMnjdunUAsHDhwratWh07dmzyhPECChFhht69exjEsPbt248dOzYmJoaI7rv3noEDBy5Z8vk33yzPzMy81Joe9RRQ4xavNY6y2WyiyBRSvJGB7h8++qcS1CcU2fNqcu0IgQmC3eEMDw9LMRorbbat27bX531xOJyLAm+cOJxGRHp6utlsXrpkyfoNG35YsyYqMkpRJEQkTSMfQjKAWk8NBEOjGrgeanoPwToSmr6BmrigEDFQTQ4AGIiCKMsyQ6FFqxb3P3D/8WOF586VvPzKK/U/VA6Hw6ma1159+YqRQ5+4/2GHJOl0IilK0Kto9YJArVO//LMeVOWXiICACUJ5ZXmrlm2uuvrqTRs3btuxA9zuNlwy8ENt97Kzs3/68cc9e3JmPPfP1zJmH9x7sMJeiUREiizJskLqx4YIjAmiKKrp+nq9rm1M7Kgxox95ZMZnCxfkFxTMnPm82sheCp+zyWSKj49/8803H3/00VPFJ7du2c4YInNVdg6WRRCQpFATrayqsByXMIGIkiIzxoYNGfrRQpffZ1paGq+YwOE0LZr/dZPDaUKoPaTt27YNGjx4/NhrDx7Ii4gIU7xG3661PH/8H9QVjTpQxWyD5onAK4e3k+yzGgIygSECETCGQ64Y+t5HH71oNreNjZ0+fTpwqyoOh9OgqFfROXPe2Lcn93bT1Ecff9whSzpRVC+kiO7QKM9Fy+fyWbXlYe0OBAC82eGqZKAAE1lFZUV0i1ajR43b8Ov6zVu31GXblwz/fv31/v37jR4z9t133/122bLCwmOAois/D5GIBEFQ10TXV4sKKZ68OQSUZcWgE3r2Sfr33Le/WPL5Y4/PqKioiIiIgGbd+njMktrFxcW3a7ds+ddlJaV6vV6WZfSvDBK8XW8g1QDV1l8hSkq+3LJsmWqK7DFIrv0743A4Fw3ua8DhNCIQEREHDR68csXylFEpkS3CnJLEWMB56pYKGirEQJPaqzmYkEcZ+knV2QDdTgcAAESKQgSIjBTYuPGX8deOvnrkyE4dL3Mvpkst15TD4Zw/1Cj0tm1ajR6b+viTT0iKrBdFIgXdIVBe6PxJBp7rIIB7dIqITGAVlZXRLdtMuH7ynr25XDKolhPHj50uLLp+3Jj/zHu7sPCEgCICMcaYwJjAREEAUr9FtR0hAmKITEDGGAICEUNwSsqu7TvHjxqZs3tXQUFB9s4doMkKbK6YTKa0tLR33n13bda6knOlOr1OVuQgaTShf+EBzwdr+9Hb+msWq9EfLgckhZSELl0sy5bNmTPHbDbn5OSoXZ06vS0Oh3PR4KoBh9PoQMQdO3c+/fTzA/r2k5xOICTtsJ60hocXcrxdszY+2FpERIoCCKIoHj9xfOZT/7dr23YA+PPP/QBgsVi4RSKHw6knSUlJ8fHxGRkZz898Lixc98rsNxx2pygKal4AqppByEtnsCfqek1Cn79q+hYgos1pb922lenWW4vPFkdGRyUlJdVxB5cAN994IxHZKsv/9fprh/PyRJ2eMQEYIqKqRJOseERnt2IARKQopMiKoshqQgoiIkOdQVRQ3JC1/i+335L10zoAYAwBwGg0NkuzA7PZnD4z/ezpM3fccUdB/hGdTiBFcTl9kq8NqE98IQR/UC2+wgEiqik5jKEsy7Ft23z3zQ9Ll3xZWloKAMnJyc3yM+dwmj3CxT4ADocThHXrrAX5eQMGJx0tOH7mzBm9QU/krpgQoo1vEALrNgeuUZutuWJENYEHoNOJklPeu2/v+vXWW2+73ZL55e2336EW0EpMTAxaRovD4XCqpaioaNy4cX2SevfvP+DdN99xOO06nei6ciIA1MwvvnaKrM+oyxNlRZ6rHwIgMERkaHc62rZpec/U+04WnWwT0xYAIiMjc3Nza/0+LwHGjh59y403Zpif37xlKyDodDpSFPILDlFj37VT1uRvJ+FBVhQE0Bv0ZaUVe/7I3brpt6effU5grEtCAgAYjcZm1vRkZWUNHDig4mzl1m2bHHabKAiqcA8AGv8ib1Zi6ORDP6rvIahfCENAAKcsR0dH/evVN7Jzsn/PzVFX4ZIBh9NE4bEGHE5jxGQyffzJQlslXH55f31YmMPhJO/kQNB8Ag3ke7sYaHQCb0UGNYJUkmVABITd2b+n3Xyjw3mWiL784ousrCxel5HD4dSH4qLCQUMHf/j++3aHXacTFUUh8nV0deM1fdXqBFTbC2doHUKbF86Yze5o0yZm+iP/d+z0yYgWLQAgLi6u2QfJ14GePXuMGD5sxIihnyxa9McfeyPCwhiioiiuLARPKoLbwMKVoUDkWqqZSvfcVEsLApJlWRQFRVY2bNgw+frrrhk5skVElLrfZjaUffbZZ958a+723ZtPnyoKM+hltdl1oX5OPmpXLQleDRpU0YAQCJAxpyyHh0fe98Ajfxw4MPHGySkpKdDsPmcO55KCpxVxOI0R1ef53//+9xNPPHHtKGNBfr5eZyBS0LeqgT9Vd3VrdLpXmWtYtxwF9ExwIAAgQyBABJ1OZ7NVtm7VekC/AW++917GC8+bZ832mCTxvgWHw6kVA/r2vXH8+OVrVjnsDr1OJ8uSGikNAG7hErQagV9UQf3lStfl2fcqzRBtDkdsbMyD0x/5c/9+dPvU8EucFvXTkBz2/PzDMXFxG6xZpSUl4ZERklNimuS86qPhQkBEql0iqAYTjJWUlnVN7PrsP1/Yvf/3U2dOp6SkGI3G5pFsv2fTpt92Ze/K3b16xfc6vU5RJN9m2Vv6CPyb/Fq9/aAnDAIQIipEOkG8fvKNFRWVLVtGN6ePl8O5ZOGxBhxOY8RsNlsslk2bNv1j+vRrUlIjW7RwOB1qD5j8psM8DXe1Xd76hB6EnFqoAd79EgCR4nrscDgMhvBzJSW/btqUNnnC5b37PPPkk6pJUk5ODu9SczicmtPv8suvHT36vytX2isrdaIgyxJ4ZYIGCV+qQQSXjzOcKpKySrs9rk3MQw8/lrP7dy4ZBIWI1Ino8rLSDu3br/vfj+Vl5eHh4ZLDia5mQ13PW4A4ZEgauRx2tYCrWIb6EiQASZZbREUdOnRo9hsZEyZNHD58uNForGqzTQciOnzy5LB+/X/Z8DO67Aj9Gu+GOiOCdwsQgRBkRbly6LBwgyEqKhIAsrKyuGTA4TR1uGrA4TRGENFisZSUlMybP7+4qLBnYjedKEqSpPYAXG1+oBlyTTj/aQuhetbuJ109OUR0OBxMEGRF2v9n3vz5804XFamxBsnJyVYA4B1rDocTGjWnCQCuGjpk/Nixq39Y7ZQcer1BkmS/ynHekaeH2g1hqCav8YYyECigMEGw2+3t27f7x/Tpu7OzDxw8VFhYCFwy8EUdqBuNxqQ+vfr06rF27f9slXa9Xi9LkjeyAF1fn0s6J0BAHxnHqxAEtjzuEANPBj8REEiSFBkZkX/o8PQHHxwzZsyaNasBwGKxNF3hQP1k9u17adykSTNffvnsqTN6g16WSWNcgB6zDbWIQT0CDUBzUnjVMkRigmi32ZN693n/o49Ky8pmzZplNpv5b57DaQZw1YDDaaRYLBa73W42mwVB/GLZssioKHXuijSKgTdjN2jlgoBwhJoQZOW6zhD4aAcezcDVt3ZFDquJx6JOOH32zPZt2yeOG/Przh9PoWQFMDXZ3huHw7kAqKORfzz0d+PIq1f9sFqRFINOL0sSY6g1gNHmJdQVrcuhR4/wF29R480nMsFWWRkbG3PHXfds373bEBERGxtbVFTEh09aiEg1d1i1apUpbeqiz5dUVtoMBr0sS6r9jSa/BDShABozA3fpxSp2Al7PCvfvgoghKkQRERGHDh281TRl3LjrENFkMlma5hdERADpAHD8WNjcuXNzc/dERIbLksxQdTAgj0yA1SQi1hzfrSASEROEioqKzp07zXjyqX9Mn/7av/7VIHvicDiNAR4vxOE0Xsxmc2FhYVFRUWxMTEKnTgsWLgAAhi7vY3+PA99+U5AJl8AdhHiqPi5JVeKzcbcBtstwWUBGRIoiR0RFjrt+7AsvvISImZmZJpMJAHhwI4fD8WA2m9XCKw8/ND26RdTXK75FRRaZoCiK6pzimp0OYqivUTJ9RM2qh57B7WQ812DXrKvHy4Axm93WPq79XX+5c8fu3wuLT8XGxsbFxXHJwI9PP/102rRpquPADTdMPLBvn0FvUGRFDQwgj+DjFQ+Cl0ioHeRKISECFBgQMUFISTF2iYn5NT19XHp6QRM01lHbyv/9+Nq1o58aesUVpaWlosCQIKD0kh8N0LASkcuuSECH3RkVHT1x0g1xcbEPPTTdZDJxy08Op9nAYw04nMaL2WwuKiqKj4+f/957JWVlXRMTgBAJvfbfoVv8wIxDdbKF/J7y57xO77vChMnTR0fv/I+syIDABLGirOKbr1f+9d5pRHTu7GkAsFrNZjPPV+BwOAAAJpOpsLDQaDROuXlKVGT0ihXLGSmiICpEgOhzoavyeuYnRdZh/ERA6I448IaAI1baKtu2bXvXfffvzMkpLD4FADzKIBAxe0deAAAgAElEQVSz2VxRUZGamjr3zTn//OeMowUFOp2ICMhcFStd+HyXDdFCoRqgz5CpdoAoS9LO7B133ntv3NSpBYgeN4SmgtlsLikpSUtLO/Bny6l3pJWWlepEwZWJEcR8AN3zDojBugo1QBvISIwhECECyCQKQp/evdLT0wVBJKKkpKQGeHscDqdxwFUDDqdRY7FYoqOjiah3nz6fLvo8KioCANB15lbV4vsmBGitBnwzP/27Rujz3HnpOKlTR0TePy5/R0VRSCFBEJiibNr42y2TJ3Tu0v6br79SlE4AQGTidRk5nEuchISEP//8s6ioqODIkd59en/3/bcAKAqC2x7fnTfgnxwVym7FhyplWD/8dQn3pC7a7PbWrVo/9PBje/f+cbKoSF3KZ1wDsVqtRUVFyclJjz72+LZNmyS7XWCCopDHvEBDQ8QXuL9/r6+w2zuRMVZy5tzDM2bo42LVtBer1VrfPV4oVC/JgoKC4VddlZjYdW92rsjcgRr+kRmuIEX0BP65bxikOkXgKaN9xquSuepTANidjk7x8Z8tXrJ40aLjx49bVb2fw+E0F4SLfQAcDqca1O5Lv379Vq5Y0f6yjju2b9eJOlDnEFxo3I78CeFy7J+RGPzBeUtV8NsZuo/JFUZBBDqd7mRR4ZZNWwQm3P/A02vWHnxp9hdWq9VisWRmZmZkZJyvA+JwOI2VeIAjZ8/27t07KiIivkOHlStWIAJjjIgACD1aget6FTytoIHw2hwggDtvHO1OR6uWrR+c/vDBA38aDGEAUFFRwSWDQIgoLy8vIyPjhkmTPvxgfn7BUUAUGCN11rrBcu99h72epsaV9YZq7hsTBMnpIKDxE8f26zsga/36vLy8rKysBjqC8860adNyc3MffuSRB+65p6SshAkCaN6jey3Ng6D9Au9ZE3yBj8ygWaA6JjgkqW1Mm0dnPPL1f7/JWr8eAIqLi1NTUxvoLXI4nIsPjzXgcBo7npT+yzp2PHHiWO9evSpsFYIgBJl0r0XuYu2nbmr+Ch8XsiC+Va55JG8shLugpGqBrRABSbJs0BvKSspXfrvy5kkT2nbqd/e0O1W3qhkzZqhmBxwO55KiAMAEoLfZ4jt3XrVmNZDMGCqkEBF4E7e0qfDVBRf4DH9871UPeveCAIiVNluLqKiZT5vzDx9hgggAcXFxXDIIijqlP/O5Z2c+//zhQ8dslTbGmCwrgKAoXpuJOsaWVRlcQqAKE966jIosizpdUWHh6pU/kqJs27atqQjT6mQ+IooMH3vsH0WnToHahhKpbxAA/EWCWssxgZ+jNtCGAFBWSKfTXzty7NIvvtqxMxt4Sg6H0xzhqgGH0wRQZ7Guueaa9h3a/eOZx9u0bOV0OgUW7PytSjioS2fB517VEb4+aRDuJ4JEmZJ3ieYlpF2HAABkWQFEvUGfu2fPd4v/G9uq7UMPPoiIBQUFJSUlanltDodzSXGs7+WXDx++du0PktMpiKIsy+fXjKV6iACQMZvNFh3damb6i7v2ZANzXWz5wCkUubm5iNiqZatHp//NZitjjLlaC8UV7q7SACNcv6U+k+8e0QgRUVLkU0Unhw0fcfpUcW13e7GwWq2IePutt95+081bN25xOuyiKLiLUqJb2KrZGVLNWsEWuyIPSHI6B1zeVzCIXyzNjI+PB56Sw+E0R7hqwOE0Jfbs2/e/lWuuHDJYkmVgIcyR3UH/CEEX144gPQUKfgt8zk8mCNieX21t1ysISHGHHciyIslSZGTkiROF//thTdm500VFRZ06drzqqqusVqvpPBkvcDicRklyUp8rRqX89L8fyOHU6XWyLGsWNtjFoPprpvvaqjr9C4zZKm0xbdo+bzbv/v13mRR1LS4ZhCI9Pd1isaSnp+/bt+9IwYnyykqdTqcoCqC7MQlUkavFd3RMLm3at0Vyh9S7J+E9c+akKKQTdafOnP7fmu8GDhjYEO/yvGM2m2NjY81mc0ybNtP++tdz586JOkENMED0BMLUye4wOOR2DXHZIiAAY4Ld7kxMSPjsyy9bt21DRNHR0Vwy4HCaJVw14HCaEp998tmRvCNvv/9h927dKsrK9TqPwUGAT4Hb4kht2rWeRxjYjfDpb/kP/0NkGPjfgmkJUIP5C3L5IboyFDzbU0hRABQElCQpMjJcUZStW7f/Zeqtw/oO3rVzJwBkAqQ1xKfK4XAaP4P69Rs57CrrT+slh6TXibJTUivQgyfhiTTDwBrjk5yAPnd9ksKD3QBIEMRKhz02Ju7Bhx/ZlZ0tK1wyqAm5RNS+vfzBhx+WlJbJsoyILq0Y/b/LGqFpv9ztUcjXExH6+2UCKYooCqVlpWdOl7wzb97UqVPr8K4uMFarNTk5+blnnu7Vo8fxEyecklMQRHKN6yGkWBBa968Ot4uHWv6ZABBlWY5uET39sRkfvP/+6TNnuAMih9OM4W6IHE4T4/fduw/s3z94wIAjBQUV5RWiqJqHVxnRGdDVDc75Mw6rKQied+I+GLWHp5AiiCJDdq7k7K49OaPHjrrcYLhu3/7ci3WkHA7nAtK/X98hAwZu3LxZkZ16neiUJcQA6bNu+FkbBFwkfZ7wBH2rIV2CYLfZ2rdv9+gT//f7rl2iTqeuxQdOVWM0JmdlpYnCVcu//e7g/gM2m00UBVI0ThEAUHNTA29gQvAXeL9an+x+9PnqkRDB4XBERoTFtuuwZ0/uzp3ZtXhLF4O8vLxePXvMmfvWa6+/mpd3ODwsjBQZvT9Q98/Ue6ehQAYICIIgOO22KVNucjidhUXFAHD48GHugMjhNFe4asDhND3atm3brn07AOXE8ZMCE90VljzTC9XJA/6dbfLrTFUF+XfsavrCWoIBPTwiQoYCE+0O++7s7Da9emzfvrPw5Mn+/fvv2LGjIffN4XAaE/36Xj5w0OBNWzYxBFEQZEUJLRk0UJ4C+t5H16a1cd+IaLPb27dv98LTz2345edDeYcBIDIykksG1YKYu2ABtG4FsiMsL+8IoueTDWxdavqFVrEeav8NKiG4YDIpTGSRUWHHjp3cvXt3DXd9ERl77bWbfrH+8utvkiSJggigVcG0gTJVU6vYHJcSIerEsvKywVcMfmveB4fz8oqKi4HrZRxOs4ZnKHA4TQyj0ZhiNIr6c08+/Vy7y+IqbZUCE9wJAn7UIqExdIJCNTkH/i+sxZ6qXou0E02uPRMprqrsbNMvv10/7to777qrW5fO8954o0Yb5XA4TYeUlBQAmDz5hgH9+27dtElEFBhTAhxW62izXwPclx1vgrj6DyIwRKfD0b5duxeenv3T+p/zjuQD942vMVYrAMCpYoPDSU6HgzGh7t9iXQUjnwbN7acgCmJFhb2iQtaJYh2P5wKSYTa//OprO7Jzzp0tCTcYiBS3JUQoaR9Ct+s1RE1QACYKNrv9snbtJ914iyVz6S1pt6pFMer7ljgcTiOGqwYcThPDaDTGx9OePe+vXfvfLgndI6IiHE4HQxZaI6heO6iRA4FmZT87A5+40MCuSKDiUOPZI01P0r0XJCJSgPR6/eHDRx5/ZHrLiMj8kyemTbtbXS8pKYn3XTicZkBWVhYRhYXpt27dwRAAUXaVlPPkL/ldTOo48gx1fXQ5xgQmiSPaHPaYmLazX31n4/bf/jx8SH2am8DVilYtW5aUlkqKjMG+gFp9l1WvTMHX8nofuKo8goKM2SttjoqKuLi42uz/IkBEgwcPemXWrNw9f4SHGWRF9kTEBKQkeNrdBovEURQSBHHEiGt27dyxNNPiH/vD4XCaI1w14HCaGGazOToaMjPpqadmL1iwoEPHjoTgNu0OAvr96wv5juOrjjPQuB6G2o7/sz47D+yzVdeH8Q0T9vSJCAhkWQnTG2wVle9/8uHJ4qK77542elQqAKSlpXmqcHM4nKaF2Wz2FFUloltuuTl75+8iIkN0mR4SePRE39Fg3U/5kNOybss8dM9IAyBjzCk5YtvFfbRw8ckTeQrIsbGxwCWDWpKent6jZy+QnUBaw38N1X6fdRsFV/ESAsbQITlLKkrttsrab/qCsnnzbxMmTtq0ZZOt0iboRLV5duPX3FcRelA7EICQGDKHw56cdPlLr79+9OixZcuWNcjGORxOI4f7GnA4TY/MTKvZbE5NTV3zw+oHH/v7ulU/2myVghDkdPadJPMXDsh/3UDPpCpsDILuK8SEg9ZyAfzFgKq3qp3DQETNMSIRocAYY4cPHczeuf2GCde1b3/Z3LfeUm2cs7KyanLYHA6nkaBGCSUkJAwdOvTnn3++dcqUP/bsEQAYQ9e8cJXe8A2JVgdFl00rIjDGHE5nbKu4JRbLqVPFY8aOBYDi4uL58+ef/2NqVhiNxlmzZ3+2aPHpU8V6vV5RCF2hHTUgsKWqjqDWBoFbQUSnw5nQNVFRaOu27bXbxwWEiHZlZ//ww/fffbcqzKAnhTQf3vk9PQRRsNnt7dtdZrp54rvz3/904WfndXccDqfxwGMNOJymByIiYl5e3m8bN8156Y2rhl8p6EQiqiJKsAYOB9ogxtA2BrU+1oA7tTkmP1yFGcl1H4AUWSFFCQ8LP1pwdPFnX+iIEdGsF1/MyMgwmUzp6ek86IDDaRIQkWpk0Lt3r1dfffXmm2/c88ceIGKMkaJ4JlIb/nyudsOqlQoCE5jNbm/bNubfb7y9ddOWIUOuBACj0chTouoMKdWHyVW/kVqs4xOjEvBSV5uECoIc+sAuKmok3eFDh8ZfP2Hl8u9Jkhm6qiFW8aKG2jtDJklSeETE5QMG5O7P++iTT5OSkhpq4xwOp5HDYw04nCaJ1Wpt1apVUlLSggULRwwf7nQ4Tp0+w9BnriGYy3hgKEG11KjvFjLQoNbBBT4vrkGyJCKSLMt6g8HpcB49VrBixbd333tvUeGJr79ZbrVarVZrYmKiVXXf4nA4jRJV3UtISGCMTZgwYfKE8X8eOAAEgsAUUnxD2IPmbNdj165/UfvAZ6NIQCCIzFZRGRvT1jz75c1bN+cfK1APmGd01w2j0Wg0Ghd9vujs6dN6g55cdTFq8GFSdXerxL90gs/XRwzRKTm7dU5AZFu3N9JYA6PRuHr1qh1bt678bkVYmIGIgCGiJ5kmkAb4iboqMyFIkty+fYcvvly68rvvx48fX1RUlJeXV//tczicxg+PNeBwmipWqzU2NpaIWrdumzHzBZ0oku90nLYbFdjRDlXaOgCfXEnNDbU3nwhQ7Q3q02NxuygEHqnXaIEUBQBRcjpBQAXp4IE/H31k+oirh7yYkf7222+peQp8MpDDafzs379v5MiRk8aPP3DwkAAoMFRIAVd+ALhPewzmuVp73E4tngfkvd5ot0wAJIisvLyidWzMs0+9uG3L1rKKMgDIysrikkF9ePrpJwX3YDeQ6hx56vjdu318PY/J65dBQASMEHU6vV5fp82fX9SGDBGn3nb7UsuXatQhQ4aAQFVoLvVS1tTtEgEw5pCcBoMuZeTov//twezs7Ly8PI8LCYfDafbwBo/DacIQkdVqzcrKspeXlZWUrlm7Njw8TJZlRISAhAXyeR3UoSdRdTeu6iX1QPM20Dt6cOPT/WOIAOh02vV6Q3K/vp9/sfSTTz/JP5KfkpJiNBp5F5/DaZyoedr9+ve//rqx+YePMMYQkUgmqkN4VLU7C9yWarEYZPsEIIpiRWV5TNuYB/7+j/179xnCw9RFXIusJ1cPH9Y2ts0fu/+IDI+USfa30aFQX1QdjBMD8TdRIAAGqKCCjE2acMOhQ4eWZGbWfrPnl6SkpLS0NFl29u3bY5b5X4whkKJ+bKRUMRNQX9XA88XIipLYNaFt23afLV48cODAli1b8jg+DufSgccacDhNGERU59Jlhc6UnO2c2KWyshIFVEsIhJiNqWMHoga5AnXbcLWQ12KBQFPHgTyLPCvIRAopok7vlJy7duwYdc3woSnG5ORknnvM4TRCyM36rKx+/fuPHzPmcN5hQRAQ1YvYebimhBqJBluNAJCxsvLyNq3bPDj9b9u3b/3z4IHCwkLgkkFDYLc7IsVwURCVYEWAatxQ1TXmwDcojwCAoeRUWrZoFS6KVdoEXByMRmNubq7ZbH7xxdkf/WeRrEhAisvlR6nruVKteZFHikCUZTnMYHjvg48B0WQy2e12LhlwOJcU3NeAw2naqKn7v2zcaByVYkwduWnTZubODkUEBPSdvqk7GPRulc9dIDTpnO4Kj8QYA8DSsvJvLZaYtm1TUlNTU1MBwARgAuDFFTici44no2rXruwrhw4dN2ZMfv4RvU6nXdRwO6vdAvWyiQxttsq2rds89sSTW7ZsPXmyCAAqKip4xYR6kpSUVFRUdMXgwa1atTp9+rRTkpjAgChYQ1IH74Ia4go38OxSEASHw9nhssvuvO++Xbt27czObtj91Z/HHnss/rLLWorism+XC4iI6JLWalF/whfUNKBBP373dglAlpVrx4xzOhy7c3OHDRvmcDhyc3Pr+lY4HE7Tg8cacDjNhIMHD/2w5serhg2tLC8XBEbB+90UcKdW1L7swfnEJ6BYk5/ssTwQRcHhcC79cukdJhMRPTNpUiZABoDJZOK1FTici4jZbFYnKvfv39evX//rrx9bkH9EJ4qKplxCfQntfhDEKYUA3fOqaqoCMbTZ7W1axzz13PO/79p14kShuqbFYmmYw7u0MZvN8Z06DRk+PCwyUnI6GTLyfvghfwL1s7II3Jh2rp2ISAElumWLESNGtGzdusH20xAYjca8vDyz2dyiRcSb770nSwoAEBGinw1HLaGAh+Rzh9wnhSRJsW1j5rz1VnznzpmZmZ06deInAodzqcFVAw6nmbBy5Sqbzd6la4+OneLLystEUfB2vVxuYkFic2tOVS+qh5JQ55eST0/JMzhAIHXehQCAFBIE1InC9u3brjWmdBo9/snJkwEgMzPTYrHwuowczkVBDe/Pyspan5XVo0fP68aNOZLnijJQ50y1M6AaanO2hl436BLXVKt7zhYZs9vtbdq0+ecz5jOnz4aFh8fGxgKXDBqIuLg4s9mMjD3wwAMtWkS6ruUe99yg31DIoJA6gwDk+d4ZMkWWIyMj28TEvfPO3JYtWzYqn7/CwkKz2Zw6KiVt2pQTx48jeH2Lqqs9UeVHhJq1tPfd/6AqHCAoCtxz332/bNiglkc1mUx1fzMcDqdpwjMUOJzmg06nj+/YoXtil/37/5QVRRREAtJE7tc/TCBYrmedtuqpwlCHDQSM9H0fq0GbCIheDydDWFjRycI/9u3pkNz7t81b/vXKK3978EGr1WqxWDIzMzMyMuryHjgcTu3xOAL06tVzwsSJ11937ZH8Ar2o844W3WduwPixxpeK2kkG6DdgRQGdDmdsXNtX/zVPFCkt7RYAKC4u5okJDUVeXl5SUtL3339fXlZiL688d/asQuRy8PX5hgKdEf2oc6PmbRMRgRRAxhxOR/t2HUZdO6Ko6Awiy8vLayQ1BdVTZv78+TffNHmlZcXZs+cYY+pA37duUu2hqsUaJACGWF5Z2a9f31def0OW5datW0PNqiJzOJxmBo814HCaD7m5uS1aRM9+7d/JSZeTRMxVMMkTa0jk8hIMlb9YBRhcMoCquiue3khgyUbNAahbrq4P4ko68Pichw4+BvLOF4Ja1oucTmdUdFRZWelPP1pNN02+c8qURx+ejogmk8lsNnNjMw7nwkBE6lxlr549p0697fpxY/KPFBj0OvS4nGqvGto7tdhHDVfSXj0I1OJ1CIjMYbfHxcV9tvjLosL8ceOuBQBup9rgqOEGubm5o8enRrZo6XQ4BYEFTSahGlcJrjnaJokIgAEiioIYE9PmgQceLSoqalRft9VqTU5Ovm3qbU899Vzx6VNOySkwAdF3oB+kVa9B5gIG/PW+FgCIAcqy0io6Ku22O5Z++UVi165qucd6vR8Oh9M04bEGHE7zwWg0JnbtuiEra/L48Tuyd505d1an08uyDIhEVD9TaAxyL/hjnyXo/ReDjAAw5AMX5PunlnjECIagKKQTRQI6cfL4mp9+6tq906BBV1x//YTU1NScnJy0tDRuB83hnFfUhKCEhAQEmDhp0vhrrz16rECv07lLKYD3IuDxbT8vTirk/wiBiBAABeawVV52WUfL2uWrVn5/6OAh1wHzYVJDM23atI0bN65evSZMHy457BWVFei2NtDSsHqB+1t0CcvqRDogMGSSJEW3ajlg8MDjx44/++xMk8n0/fffN+jO6wgR5eXlZWRk3DJlysJPFhaePInoyeHxNSmu54fl/3IkAhSxsrIiZWTK2dNn2nfs2Ldv3/rtg8PhNGG4asDhNB+mTZtGROaMjIgWUV17JuYfPGxzOARRUCfoPVmQ7tUDggCq6p+H1gqCvchXLwi9w4BVvNRPL9AenCcLgogQUa/Xnzt7tqDgRGSEIXtXTmpqalpaWmFhYUJCAneE5nDOK0ajcd/evYOvuGJMauqxE8f1op5A69zqvoO+D6ulBiuGtHVxXapQ9TLoHN95+arVy5d9XZB/DAAOHz6sll/hNCxWq9Vut48bN+7PPw/cajLt2Ztrs9l0OpFcXpQ1v+wHbci8N9Tc/OLaEBGIkCEiU4jad+z4yScL161bt3r16pycHLWqcWPAbDY7HI5Zs2Z9+P57p8+cNhgMsixr2s0gAXf126H6FQAT0GZ3tG0bM3mCqWu3xLSpt9ZvsxwOp2nDMxQ4nOaDGlRJRB98+FFx4aGYdrEEiqLI7jGzdhDuLyG48ZMP6jLDhn7/1os6934w4EAQAYlAVpSwsHBbReXO7dnXXZualbXGVlleVFT0eHx8gxp0czgcF0SUnp6ekZHxxZIlPXv1GjXymhMnTuh1IvkPDxG01vbqa8F/hSBUF5MQUn90ZyogYzaHvXPHTmu/+275smWH8/LV5Y0qUr2ZER0dbbFYduzc+Xvu7tZt2gqCKMsKVWFiUBuqFcLV3xoiMoE5JWdkVNQY49g777zz1183zpgxo/F877m5uYjYo3v3+++///S5M2qdEd/Yl9pqbCHQbJPc0wyyLA8cdMW0B6cdOJRXz81zOJymDlcNOJxmhdlsnjNnRmamiUB59Il/RkSFy7KCmrhfnzDgakwJ6pJYHFwyOD9xxqEPIWgkhNc3SpIkUWSiKBbkH33qsafDdGJmZmZF+3YAYL5gh8nhXBqowoDZbF6wYMFtt98+auTI4uJivV4kIlBcuoHn5AwpF1S/m1qu5B6ekpqYIDkT4rusXb/+i2+++dPtgdd4ho7Nktzc3KSkJLPZbHc6X3rlRVEUiYhpDRHrWuOmOrHAs30gAFlWBFHXqUvnQ4cPLF682GKxrFmzpvHkpFgslokTJ95z773nTp0qLy0XdaKiKACe1hwCfvoNIX0TMIFVVFR0SUicNHnyw//4x5PPPNkAm+VwOE0ZnqHA4TQrMjIy7r+/k90+cN263I4dO0gOx4njJwiAMc1AuiE6RKEyFNBPIQhis1TbHdTqNb5TMAFP+CWDijpRcjr37MnduPHXGf9+c/6Rw0/u3FmHHXM4nKCoFdqSk5O3bN58xZAh468be/bsGUEQVLHAdYaSp9pJ/aKLIMh1I8hGNY/UmHWH5Owc33Htt1lfWpbsO3hAXcQlgwvA9OnT8/LyjhzJz965a9AVg/fv3aupI+j+hQASEIZuEoKkvlWRsuD59hGRMYExBZRWrVqv+nq59ZcNY8aOLSwsbGypasOHX5WdnZ39+y6n3SYIAigEXmmlYSQDv2acMVRkRafXDRw4mJBmz37JZDI1to+Fw+FcYHisAYfT3EhLs0hSh3Xr1nXr1n3BoiUtW7WSZdnVY1Ldj9FVj7E+hAjmDwgxCHgu+LZCULPDDBKLGiK4wTs1Q0SkECkKMGSCbsuWLePHjooeNfrpJ/959513AkB6errHoo3D4dQBVTKwWCwLP1lgCAubMnny2VOnBMbcZxa5TQ1QjUiob352cMnA/ynvkwiA6JSlju3b/3f5+p9+W7f3wH51CZcMLgxms1mtwrg08yu9ztClSxe704kInkuvWjcnqGTg8S0I7pijWQU8Xgbk1yqRpMg6nf7eaff8a+7ciMgoAEhLSzuvb7m2DBo0yG635+fnnSku1ul0iuQKNPChAZPrEIAAkdkdjg4d4l/9z+uFxUVElJSU1EA74HA4TRWuGnA4zZBp06YBwLhx13399X+fenYmQ6Yo7jl29J9qq46qyxyG2FpNUhJ8NxlkyFD9wQUJLnC5XVVzAKS+WiFSFEVR5Ijw8IKCY/PfeUuPbMFnn83KyCguLgYAi8XChQMOpw6okgEA9OjatVvn7n+///5z587oDQZXLVhtHLrH3cBlaVC/MZD/iR9gDQ8ESKqI6nA64trG/PT9moLDuaPGpKpVIblkcCGxWq2xsbFEFBcXt3L1D63btLbbHIiIzFV10T80Tuu6E1wzQPC0A97gN0RwFStE12NUiGRShl55Zf6xo1t37CgsLITG9+33vTz5mmtGFhQUuJ8gchUo9ebYuE+Yup81pBFXUABJdkZERHXu3Pndl99+7eXXeH1iDocDFzLVmMPhXEiIyGq1ZmVlRUZE7M75/ecNP0eEhSmK4jOwr20msPeVvg9cTyAGX6UmWw0xNKcqnLFCHUZN8DlUdSJLEASnLCHBwIEDJt+StmvnTvOLLxKR2WxGRN5n4nBqRVJSUnJyctfEzsbUq1958bUzZ88YwgyyJAMAqSHW/mYGwSIDQl0XqsZnCKUtx0IIqNZSAYb2ysq2bWM3bt26NyenV3KyunbjSWi/dPD8EtatW2cwGB7621/tNodBr5cVmdTiiACua3zoL0dVBPxsC9zL3EIxgiqgM4FJsqwocu9eScuWL5/37jtZ6zcAgMViaeg3Vy/S09MVWYoM1y9ZslRgTHU0cOlu/k1jw1hIEgFjzG63d7is40/r198zbVpCYhmhPrUAACAASURBVKLVauWViTkcDo814HCaJ4ioFo6KiY1ZsOCzjh3b2+0OgbmsTLwBnzWaz6/VjuuVklAHvBNOtcB9BK661wQIsiyLgiCIbPOWzR+9Nz8qPPyJxx9DdLlAcNWAw6khJoAkgNzc3FatokeNTpmd8bKrXJxT9mQkBAx4KPBxfVKX/CUDdMcXASECMlZRUdG2bcy3q7J+WLOWSwYXF89lNjU11bpu3TMzXwiPMFTaKsgdEeBeLfCFrte63BA0oQfqEo2XASECESBDUSc6nA4i6NO7z7Lly3f//vv0fzxssVgam2QAADfeeOOLs2bv2LnT6XAwxgAAa6Kj1SNYBxlKsqQzGLp2S3j5pZcWLFyYk5NjNBrruDkOh9OM4A0kh9PMIaIPPni/vLzi44/+I6DgmmpxhWm6ZyuqiTvwW1ZlrEFNLir+A4Qg+/AsrCLWwL3bGuwx5CbQe8c1T4UCYw6nvUVUZL++A9//5JMXM8wEmJmZyb2gOJxqMZvNhVZrkdXacspNN95z30uzZp07dybCYJBkWV2BCFAbaAA+EQWuHIWqqMF4KFisgWdHyLCioiImNnbpV2t+WPPt8RMFKSkpRqORSwYXFzWwKyMjY/KkCQ/cc+dLr/zr1OmzjAkGg16WJVe2Abp+PwCIrkD94JYH2rADdzOCTEBFUew2W0RUVJ+kfouXLF69etV1142HxioYfWXJLC0rf/fNNyVFUt+8QqT1fQCAKsw+XdT8nSEyAIckt2oR/evWrTOmTWvJAw04HI4bHmvA4TRzELG8vCLv0MF+fS+vtNkEneDtUHk6VvWZ/McQ96t+SeCsUYjeXwjrbLdCUa+envfFXic2IlmR9TpDWXnlb1s23XD9dSOuHnL8aD6XDDicaiGilJSUOKOx59//dtO9d740O/3c2TPhBoMkS+gytyOPZKAa3YHmPlUzR1qHKVRtNLc6cGTlFRXt2rf/9rtVP6z55viJAgDIyspqnIPGSwpEzMjIAIDlK76z/rJx8dKFvZN66fVieVkZY4IaKEeauANERGSoDvg1QQeehwCuNoIhIqKoY06nw+lwxsTFjh83fvGSxYioSgaNk0OHDv25/8/fft1QWlYmMCQiRY2a8TEO1ZwRdQ0xQHf4IQLJpIiC2LVbtzdfeKFg4cJzPNCAw+G44aoBh9P8eeKJJ9q0aX3DjVPi4mJsNjsTBVTzFwMTQWtJHRSDYNuo8qXBFtbSxSA0Pn0vdwgzgKzIOp0OiI4czn9x5uzuid1umDihIfbH4TRb1BGd0WhsFxfX96oRszJeKSspD3d5GXgDq12SAYDnpNOEHVR9qx1uzzv3sBIAGFZUVsZ3jF+0ZOXyb749fuKYuibPP2pUGI3GyBatly5d/s2336emjuvcuVNFRWWFrQIFFEWRCa50Brd+AADAwCMXeFoGAgCGTGCCIIoKyWWl5VERLfoN7G9+82UWpkNEIlKzEhqbZqQWGSk5d+7W227L/T3XYNArCgAAw1AZCqGprnX1hOx5rIQNBsO8t98+c+pUstlsLyriZweHw1ERLvYBcDicC0FMTGxlZUV0yxb5R44IKBApakw+1sgT0dO1QM+A3c9NwNUpr3vXC6uQAty9Ge+tpvvSBlMEX9+nu+i7ZWIMmcDsNvvunN29evfcum3HmTPFQ4desWnT1pq+LQ7n0kCtmJCcnLzsv8ucTufb896pLCs36PWq/SF4s6E897TXnQZ1OgHfa4knCQuZw+HoFN8xa/Wvy1d+dfS4y5SeD4oaG2oNIFlWUlNTU0cZrx13ncCY5JROnz7tdDpEUScKAiLzxBmooDt5gQCQMYEJyBgB2e0Ou80eERmZ1PfykVdfOffdD+a+MTcyIiolJcVqtU6fPr2xSQYqRqPx888/P3zw4E9ZWTqdQAoheGJ1QrwGtTJATWLxEAFJNYBw5XCAoih9+/etsNk37d49aNAguU0bnp7A4XBUeKwBh3NJsGzZMp1O/+GHn3SJT7DZ7EwUVQtAb/ejtraIqL1XT8mguoPAYLdQ+M1N1tkXioBUu3UBGeLmTZsnT7zukUce7JGQMPn66+u0RQ6neaJKBhaL5bVXXzl68ugH8+bZKyr0ep0sy+5cKJ9wAp8gn4ZWDFybV2srAiBDxhARZNnZo2u3dRt++eKbz48cPayuyCWDRoj6pWRmZgLAy6+8cujQIUlR7n3ggam3mpJ6JwlMqKissNvtpMgACgAIAlMVXsaYqhRITkdFeUV5WanT6YyJjRs9atS0O+/6YqmlzKYg4jtvvWO1WtWEiEYoGRBRcnIyIpaWnF2zZjUCMVfJSKKayfw1yd3TTgWo/wgMASA8IvKZ5548evxYZmZmdHQ0P0E4HI4HHmvA4VwSJCUl9e/ff/l/l0W30BWfKbFVVuoEUSGqQ49Ja3/o/6jWGwrybL3MCgImMTHIPb+lfgUlNAEHRJ53yBg7fer0D6tWXznwypKK8q3btwNAUhIkJ8O0acAnYziXLAkJCZWVlW3atGkRFdkhNm7JZ4vtdptBr1dkxcfMNDDEIEjQQYgxUd2uU56tIzgluXti95U/rF2flbVtx3Z1FT4iarRYrdaioqL09PT58+fPmzdPp9eXlpyLbtnqg48+7tCxY7v2cZHhYSQTKkCKYnc47ZU2pyxLDklyOkWDPq5NbHynTsn9B9w85YaJN9xUXFSU2LVrRVnZiu9XqQ41eXl5jXYKPTk52WQyRYTr//bgtHffeg/AdaZQTWMDa4q3qVNj8RjKkty/X7/ColMvpL+oHobqNMHhcDgAIF7sA+BwOBeCuLg4s9n87NNP9erV89TZst27d5Pql0xKrbcVNOagISds6tUzomAPa3h0vrbb3qNRFAIknU5XWlrxzgfzhw0fsWvXrrlz53zyyYK0NEhJSScyN8I5Kw7nfBMbG5uXl5eQkKDTiR0TO31psTgcNp1OlCWZwP2flyqSFABClEtB8D0ba4i7JAoCyIrSPbHbijVr/ty/f2RKikKUlZXFJYPGj2fIunnz5s2bN6enp+/duzciIlxkYp/k5E8+W3zixImjR4/m7dt35MQJkCQh0hAdETZw4ND+/fubn3++pKzEZpPOnTs9IiVl3LhxF/e91By1BuTwq4bOMr9qdzhEUQAgP1fg+ksH3g0SIHOFHYg68SbTzcXFZ9R6FmlpafXeD4fDaT7wbi6Hc6mQnp5uNpuXfL749jv+MvKqq4pPnxJFgZTadT+0oQVVT+PXgmCHELrgYvWbCl55KmT2g3+VBvdYw3vf9QwBExgQOWS5c3zHCZMn/v3vj37++Zt33PG4xU1djpnDacoYjUa9KA4eMmTd2rVlZaUGg16WZfDarXoKH9ZcMggSLVSrq42a9cAQZVIUhboldl+x+vs/9+/v3qOHaxtc42viENGiRYtOnDihE8X4+PiELl0kRWaMHT5yWCfqioqK//rXvzbFb9loNKpBEEQ0cuQ1Z4uLVetiAkBAAnL7Ida3AJJfiB1jzG639+zZ+5uVK48eze/YsRPw04TD4fjCrwgczqUCES1YsGDhwoVdExKio6Ks6350SE6B1S5PwWc07b1b/4ML8lQde0NU9ZjDn2CqgaZD5fGMVEdAiAAoMLRV2iKiopL6JH26ePHX33z1xZLM+Ph4NQuU97Q4lxRXDRt29VVXbcjKKqusCNPrJB/7Q9WhDrRlE2ojGaj4in7VnV7qrhgiIUiS0r1bt2+/55JBc4Z824om/f0mJSWlpaXt27f3+hsnvP7iq4osAQIQqRUfNCUUGqBssqvaInNp406nfN/993fo2HHqbbc16c+Qw+GcJ7gbIodzqYCICxcuTEpK+mTBgqjo6C4JXUF1+3Mtr33QATSc8BhkO3XttmiKb9XtIDXF3YHcYx5FTeUgAoUkWTaEh5eXl2/bunXi2NGde7ULj9C9+eabaswznRd7Nw6nMXLlkCFXDBmy4ZefyysrDHq9U5KCRFL7SAZB7Ek1A6GQ5453WUAdRiKfGxIwRAVIlpVuPbhk0MwxmUzaIC+LxZKenn4Rj6c+EJHJZDKbze3bt1++9CvZKQEAECCgGm0QYAHSAG2NQsSQOZ3O9h3aDxk2zFXBksPhcALglwYO59JCzVN45f1XnnnwmcED+jrsTkQkACLF442E7n6+13vJY5jk8//5IURHiKpeXFfQ90/AUkQAl3M1ATDX/hFQEAVZku0Oe8sWLa+74TqB6fskJU+ZcovVauVZ05xLgSsGD7xq+FUbf91kr6ww6HROp4SIBKq+FnDCBsppPikLVbiZYMgHPptxLUVEApJluWfPnl+v+G79+vUjR450LeXDIU4jJjMz02QyzZ0757HHZgwbdEV5eakgigrJ4EpP8NBQjSAiAhHpRLHcVnnTlCmREVHG1FHXXHNNA22fw+E0K3gLyuFcWhCRJcdiybW02hzdRmrx7fcrdaKOXB16AlL71VV0SgJVg0ADwfofZc2XNMBOMbRq4F7B9y6CGi+qVvqyOxyGMP2AgQM/+mThhvXrf1q3LiUlxWg08iEKpxkzaOCAKwYN2LZth9PhEHWi5JTQrTK65QEf3aCKLIRQJiZuARNDeZqS1yWOCAAREFABkmSpe48eK1auzly6dM8ff/DzkdMkUCuY9ut3eUXF2e+//UE9s4CoOlmt7qiBBZIsR7Vseeutt3fu3OmWW0wNvhcOh9M84BkKHM6lBSJaci0b52z88I2Ps3NzErt2dTicoiC4tAJv/xyD9dKrkAwa9iirWuJ783uibrjjqEOHObhvrpVUF0lSSJGVMINBckg7tm+/ceL114wc2ad3L6PRyN2nOc2YQYMGXjHkys1btsmSU6cTFUlmbtM2t4WB9pzyyygAn1MKyO8Edv/1PtKe255tkWtDWp0CCcjhlBK7JK5YufrNN+fs+eMPAMjKyuKSAaeRk56erlrqHjp4KHtbjsNhR4aaAJ36SQYhXq0oBMhsNkdip4THH3/8sss61msvHA6nWcNVAw7nksOSZin4rQAATp89+3x6RnhEhCzLiIgM/Y0BfXrygXkJgSs3HDXemJ+IEPAWakhNcqvdyz09OQQFSJJlQRSQ/p+98w6Mo7r2/zl3ZotkWa4yLnLFDck2xGDANK8BY7AJLawoCXmQEFLIy8tL8kt9iVYJkEYMKZCQQAglBrSElgRiG2zJFBvci+Ru2ZbcJFvVKrs7c8/vj9kyszuzO1skt/tBWKuZOzN3du+dved7zzkX9+2tu2r2xceOH/3FIw+L9RQEZyozZ86cOfPCTz75GIkzxlRV1bQCImO31XkcGFISZGH/mJpQBKR5GRBAIBQ6d/z4t5e++/JLL33rW9/W0tGLcCHBqU97ezsRff/733vmr8+2trZy4rIkQQ4dDBISggAAMuSc5+XljRgxovyHP16yZEmuriYQCM48pJNdAYFAcNI4ePDQ8OHnjBk3uramxuV0qaqKzNToTnAtyHEuRAsyPb2mHaR1NMb9Tqc+WmgoIMoOuacnsHHtun798tau37Bt8+aa7dsBoKS8/MG5czUDRiA4rblw5syLL7547ccfcyXIGOOcU3SBBNStfGLUCuK2RCFz6RGtQoZ0m2IX0kpzIlVRJk2c9O8ly3bt3DnH4wGA5557TvQ7wWnB7Nmzn3nmmbFjRy9fvqS2ZnswEJAkbYieay+D6NoLSEySOru6xowe+5kFd9Turv31o7/O6loCgeCMRvgaCARnO7/+9aIpkyd39XTLsoyA4YH8KeLPaxp8gAm7zAMU0hAOjJ4GFv4Gxj1oNGGISFFUxiRk0vvvv//p+fMe8Hrv+P73gKgMkYjKy8vF8gqC05rr58+/aObMNR99pIQCkiRxVScZgIkngJXjjr4nxc19JryIPzD+IAQAVIlCqjJx4uR/vrPklZdfnjR5MggXA8Hpg9aP/H7/vrp9G9Zu7OzqlGVHNOAni/Mm206ARMAYGzlqxK2fv/VoY2NW1xIIBGc6QjUQCM5qHnro4cXPP3f7bbf3LygIhUKICIgx7cCUkyUoJIY+Jy8DAOk4HZDR6tHWcYPwv+GN+uvEzJ7oLyKVqyrn/fIL9tTt/fHvHhvR2UEAjUMGVVRU+Hw+v98vhAPBaYSmdgHA/fd/kYhGFY9Yu25tUAnKsqyqnKJ5DCmSZCB6oIm5Y9KPsq4fIILKVSIoLS395zvvIKKWywDEigmC04eqKt+iRYue+tNP/vyXp5ubW9WQwhhS9Nsn3T5jLX1Hz0ZADFlPoGfQoEHnjhq9+MUX/P/wa+kYBQKBwBShGggEZzWI+Oqr/1hWtaJkxjSV89hA22zAnbDpFDaAUyzWZkncWCuady1unXljUnciIG0dCgQg4sFQsF+/go7W9hXvLb/lxgXXjhr0pS99ARG9Xu+iRYsqKyszuiWBoE/RFC6fz+f3V/7lL0/f89k7P/lkrRLoccoOVVFjKyXoIxDCXSVRMUgmGVi4G4DV5nAOVAImMZVzQJg+fdprb/xz0W9+AwAVFRVizXnB6UVVVW1FBXZ2Bh768Y9DSoAxxsISPjNP5pEEG8XCfRRJUdTBg4f++Oc/37VrNxGVlJRkegcCgeDMR+Q1EAjOdrbv3Dlo8KBbb/3Mvj07m5tbnE43JzWcGsA0+eHpMhqPXy8xZyfVpYVE0AQW0i2MRYCAqqrKsoRMamxs3Fa7e+z4sRfNvHDBwhvvv//+pqamiy++WIRbC05lok4xtbW1c+Z4Pv+5u2o21hBXHbKsqKq+oE49M/wyFEmKWfeMbdO7PUWSshIBSJIUVEIyk2ee/6nF/lf37tmzYOFCAKiurk55dwLBKUVTU63fDyXnjd5zoPFg/UEpLBkgEWGc51+SLzOLjmbmOIjIkKvcKctjJoxd9dGqn//ylwDg8/kqKiqyvRmBQHCGInwNBIKzHa/XW1298vixpqnTSvsVFIRCAUSmRVSaD0JOYQ+DeHIvcMQFVmsrKoSnVwlB8zjgwAFAVVTi3O10Hzl0aMXS5U2HjxDRttrapqYmkeZAcIqjLR3q9/s3rF9/9513btq4iYPqkGWFq1q/IohGXRPEXAyMTdq4aEI6zZ0o6rgQex3ZxUmWpFAoKDFp+vQZz7/ySt3evRPOPRdELgPBaUg5QG0tPHzbLYsef6mrvT0Y6JFkSfs2iQbkUUa9KAJRrMNqPZUYspASyu9XcMmnLhszZqzWcYSHjkAgSIJQDQSCs52SkhJtCYA//OGpc4YVhRQFERPilHWcluOKHFba3NanWCg3hf9E4MQVrjicjmAosLVm65yrLjt3zJiuEx1amoPcVUkgyDF+v1+LqfnnW2/VbNkCBLIsKVwBAABuiEFI4WKQtrFjHZGtKQgoy45AMChL8oWfuvDvlZWPLVo0fsIErYQwewSnHbUABBCSpGef/f2Jzi5EBhReSyTyXZI5cTp31EmOiANg4aAB3/zuNwsKCsrLyz0eTxbXEQgEZz4iQkEgONupqqry+/1Lly5b9dEHl181u7Zme1dXt0OWiQgSIxRO6pg8RYL1PgVtvhtajnmGDBFOdHSuW79u9Mjijz7++KXFiydOnPjwww/3dkUFAvto/i9TpkxZt24dEd11xx01mzcjA1mSVFUFxHgbJpzNINVpk+41W3zR/CyIIEksGAw5ZHnmRbOe+/vfEXHJ0qUA4PF4hGQgOB3xAswFmD1qxK7Onr07dwECY8g5YcI6yFkHCcaOVFXucLimTpm6aePGb33n2wBw7733ivAEgUCQBPEVKxAIwOv1FhcXP/bYYz/7acXHq1bX7asDIsZYnDnQt6pBNE9ANK7T0vRIZpPEplpyGw5gVzUIX50AEQk4cVCVUMn0aX9++ln/yy/LjN3/1a/mtGICQYZEQ2a0gOrbb7tl5/adiMAQ9dE0CY4GZqqBMXOofdUgeUmGUkgJOWR22aWX1zU0LFm2LGlxgeD04Nprrx05fLiqKGvXfJyXl895eE1T0LT7uPV7rDDrh8bjEYiQIQCEQqGCfgNee+Wll15/vTsQICIhGQgEguSICAWBQAB+v7+wsJCIJEn+59tv9+9fwFVuyEAWv6Jh3xBdNzEa3Wn+kzAloz9Hb1UutQgRGfVF/iQgZAxdbve2mprbb7pJZqzjRMePvv89APB6vSLTgeDkokXN/Oc/7xCR9zM379yxExkgQ73bUaL6ln2TjQb2pBAXkIWUkFOSr7l2/p79+4RkIDhjmF5a+o1vfrOluTmc/pAIk68xbIr5KkeGRYEQgTgBASIbMLhw9JQp3/vBD0R4gkAgsIOIUBAIBACROIX3li9f/t5750+fsWPXTuKcMYYRsaDPHZPsz+XbMbVzbo3HLaZgcjXSF43+i0BEsuzoOtG1bv36wQMKfrno8YaDB1588e9VVVU+n2/u3LlieQVBH6PpBc8999x5U6fecsutN9+8cOf2XbLEEMJeBhFLRtfcc9elUnZzJGAMFUWVnfINCxY2t7Qwh6O9vb29vT1nlRAITh6XX3ZZ48GDGzZtCAZDjDGI+1bLNDYvIcABCQAZcuKSQ7740ks/fP9DSZY2btz4la98RfgaCASC5AhfA4FAAACAiH6/v7i4+E9PPUVEY4pHq5xrgwwg0E3s2yA35kRqx2ZbV+vtyfvEGdJYKnmK5G8D3XwqEIDKueSQOKn/WfLeLTctuOo6zwNf+qK2yDxpazIIBH0FEc2ZM8fj8Sz6zW/uuPPOm66/fvf23ZLEiIgT19KuEydAICJdQ05KdiojAkYvRETIWFBRHE55/jXX7Ny9a8z48UVFRbNnz87qGgLBKYPMWEtnZ1t7m+yQOTfrYza/fuPLRB3xwuueaC84505Zrvj+Q6NGjfJ4PJMnTxY5QQQCQUrEY0IgEMQoLy/3+XyPPfro/375yxdddVWoJ2AmLZpZDFarLZgtFW2+0ex4sxMk5GJLTiSDe0aGOFpfJJkrRMLqc4ayqJs4klDqCfQMHTJkwYL523buef7FxUTk9/v8/gq/P5MaCwRpEZWoVq5cedVVV914/XV79+11ym4kzmOdhyJLx2Nib7DMGGI7tUGSbgZEkiwHQyGG7LIrrtywYf3a9Rs8Hk95eTkANDU1rVq1Kup0EAgE6uvrGxoampqaUt03FBUVFRUVDRs2DABcLpf25+zZs0tKSkpLS8MVE6aUoPepq6t7/m9/a9i/f3nV8v4F/VVV1e3M6Isr4RsII/1Ue60oavGYMcveW67166qqqrlz52ZxBwKB4KxAfCMKBIIY2gCiurraJUnt7S1vvPamOz9fVbXl1qJZlXRrOSXLURjBVDVIXiDpfpuX1V8rzVSISdQAtFnO8NtwiC4JQzgnvBQIBNxu5+Sp0xa/8sqiR3+8+pOHiou9hYUlPp9P2C2C3iMqGezetWvipEmfvnFB3e69siwBhB1eIrnUKNIK41tjsp5l1PfStX4QgHOSHXJ3ICAz+cJZsw4dPvze8uWXX375wYMHFyxY8MQTT2g+1TU1NdGjmpqa7Af46GO5i4qKNLFA0yMAoKysrL6+3uv1zp49u6GhoaamRrhwC3qD95YsmTB58oNf/squXTv79cvjKgeMdb1Mzmi1CipqPZsUrt5w/cJ+/fvv3LVr3Lhxv/rVr8QXjUAgSIl4TAgEAgM+n6+qqqqqqoqIblwwf/eu3fl5+ZxzgNjIn5LZxQmkVA2sipkVSXsMZW9lOP1F7Gd0t1YNbF4QEZCAy7IcDIVkWRo5YtRXv/TA3yv/9Mqry4kIfD6oqBCPaUEvofkW7dq1a9KkSZ++4Ya6ujqHUybOY0Eysa6D0VAlvXNAQoZ3HWmoBhinxmlxOg6Hs6u7W5Kk8y/41Naamq01NZWVlU8++SQAVFVVrVixon///pu3bG5oqG9qbAoGAp1dnY1HjzY2NnV0dGhnIB7TOaORQ1ooUP/+/QsLC/v378+QOZ2OgYMHnTN8+EUzL5w2bTogTj3vPADwer0AUFlZqR1VUlKibQEAoSAIcsWrLy1uPd781LPPdHZ2ykwm4ohgWLTEHBvfVLolhBABkAGRylWQJL//taf/8pcBAweuWrVqyZIlubgPgUBwhiOGowKBwITy8vJAT8/YceP+9sxfOju7ZEkiIm0gox+G28VyeKObve+lp1E6qoFp2ke9g4FNJwk7qkE4MVXkFIwx4pxzcOU551073+l2lQaC3l/9KslVBIKMISKfz1dRUfHySy/dceedC66fX3/ggMRYzMtAa/i6rhNusXHnyZGvgWEZFAROJDOpo/NEnitvxvTpjry851988Uc//L/W1pae7q72jvZK/6ta2bVr127YuuHgvv2h7lCIQnV1ezraOgGAVFXhHDgnNXxmDhw4R4mIJFlmiFK/fFd+XkFQDcooDxxcOKho6HnnzbjtuusKhg8HgFtu+rSqqpdfccWsiy9xu90NDQ133nmnz+crLy8XE7OCHPLQT/7P4ZSfe+7vslMGAgJC834Vl2DXaq/Znkg2U0TsCQaLR4x6b+VKrRl7PB6Rf1cgENhBfPMJBAJz/vjHPwa6u+oP1L3zzlK3y6WqKsTMifg4gbiogfh8BHZUA+iFB1KajgYpF4tIqRpk5oMRWV6BIQPiRKCeN7Xk5X+8XlVeXjJs2LAHHwQRYi3IHVFPgpdffunOO++68frr9x/Y75AlTkCaV1FYOzD0aYx4TRtOFf3H5DLGayatEsY/B1BRlPz8vKmTp+b1y+8OBF5c/NI777y7fs3Hu/dsO9RwsLmlNdTVHSIuSYwhqEQMJWRInIh4WI4zrnMSfkXAkVBbDgIZARDnwDkAcUJFVRiS7HTl5+cP7N9/yNAh4yefN2PGjBtuuKGgoAAAHv3VL4lo7LhxTceONzU1CY8DQZYQ0WOP/mrX9u3vLq/Kz8/jnKOWg5gyeOAn64naFzdD7O4JLFywcMz48e0nTtTV1T333HOZ114gEJxNiGGoQCCw5Ec//MFDDz9y20031tbU9uvfX1WUVUVNcQAAIABJREFU8DJsOsMDTExlc7kgIemZ2cxJDp9J6edBxFSXt5RFTFSUNNCuSwgSImOMCLiiDBky9McPPdTW2nzzLbf5/f6ysrK0zikQmBLtuVpgwvz58w7VNzhlmesDEyAqGkTbNWK0fcc39NyqBqSZ/JzzcedOePy3jz/se2jfgQPNLceVQFBC4ERMkpBFpAAiZBhZp4QYMq2CiEw7abx8GXGhiCxWoq1djwQEBJyrnIgxRiohIidABAbgkOSCwn6DhwwdPWbMlCmTpk7/1NVXX/2/3/zvx3/7h1//+hc33HB9aen5QtcTZMD+/XvGjJmw8Prr9tXtczgdXOXRdhR17bONZU+M+rURkQL0m5//ypGXN2/+fJEHUSAQ2Ed8yQkEgmT8zzf+mxOs//jj1rY2p9OhchU4aTn9iIiAECy8KQHiFxpISJUeybKWhWpgfuXUIaGJpHQ0SDybzZBuW1cPmz+ICIwxROwOBPPyXTd9+tM/qXj4pRdeuPvzn/cClAD4xINbkAXhXAY7d06aPHnB/OsP1B9wyBJwrpnNBtVAh7lFnDzBCZkVtCDS+wgACDXpgAFgoKeLMcnpckqyRCpRWMgAxmKTscZuGPaSSN5H4kSPmMGv1QMRdG8HMsY555wT50SABPn9+g0tGjxy9KgJEydNnDjW6/38E799rFvpOX/mhcNHjfjH4n9oPgher7ekpET4IwhM0brY1q2/bW0t+eY3vhMKBBGRiGsNO+JxkN4pLTdrjkIIoZAyeMjQD1evPnzw4IhRo0B4sQkEAtuIh4VAILCkvLw8GAwWjxy5Yc2aj9esYQiASJwAKeqrnCrDARpUg/iCiYHS9h5LlPhX2oZ6wmUzfB4mXDjDmmB4+IbaPKrEmKKoKLGS88579GcPP/rkE4t++zsCqPJ4qj0en8+X2VUEZy3RRKcvLV585113XT/vmoMHDzplJyc1vGCCcXIzeRR1tJClcJC2ahD9AwkICQGBIWOa/aTpAUjhP8L54jDqm2BywtikLYU36WtrrHecV0LE0yIcCg6IEmPan5pPRigUCqmKJEkDB/QfNXLk6OLRo4rHjpg+5u6Fd//oRz843txcPHr0//3w/6I5FD0ej8fjERaaIMqKFR6Pp+qFF75+7NiYp//4F4fLCZrzi060y41qEAEZ9nR1X3b5ZeeVTvvu938oWqNAIEgL8cgQCASWaGOX3z7++M233PLAF77QUF/vdrsVVdG8e2NOwkkHK1bWuNHUTxi/2JgrzHBVKgvSUg0SPLXj9mRUAQwHY2PY5GFMQgAIBUODhw664cZbv/vd7y7+0Y92OZ3FxcWFhYVer1cM+wQ2iS6q2r+g4Fvf/vb18+YdamhwOGVtoQGdpZJmA7ZSDSjupX3VINYRtf4QySePUasfrcUCi3PGLh/vRKErrA8yikqi0fCMaHADIJMYQ8Sw+4HKg8EgJ8rLzzunqGj48NGDhwyadOF5X7v3a889++yu3bsffuQRLYfiE088MWzYMNFtBRorVniqqz3Fo1qrVzZ98uEqd54bAPSKgfEfO1gW1Ho4Y9gTCD7w1S+HgqEf/PDHmVddIBCclcgnuwICgeCURku0vnLlyk/NmnW8pTnU3cNkSeVc71GcLmZmRng20NZouhckg3TR7jzDm7e4SW0mUwvbQAAArqqIiC6X+/ix5n9UvrRze83Tf33uySd+v2TJksrKyqqqKp/PJ5wOBCnRvAw8Hg8QeebOvdbjOdp41OVycoWHV0ZJd1IzSqpngM3T6mx1vdmOkfwKAEA8ZswTpNIVbV2aKKoKkPEQ0gkHkQQPEQ8rIlVVIx4PKDscskNWVa4q6r59++vq9rnz8rZs3vjBv5YPGjz4iT//ORgMNDYeRUSv11tZWfn4448/++yz9957r9AOzmY0Fe9zd408d/LkF567UpKlsDpmFgWX4Ret/jQIgExR1f4F/ceMmTBYHpTd+QQCwdmI+NISCAQpKCkpqa2tvfe++5qbjuzZvZdp/sOg5TPQlmNLQdw0fpJY6PgJf8to6txLBjZ9DTI0kUzdoRODM3Szq5pfNCASkcMpBwNBIBpZXPzILyo2b9pxtPFYd3f3qlWrCgsL/X6/nZoLzk6iXgZzrrrKM3fu1VddcexYs8Ph4Fy3KkryDAUpzm92YAYTpfGLHsS2meQ1jD8s+tJkeUhdVSnuRfgoOwY86jMgEHEChpE0C0QEDMPeQirnwWAQAAoLCwcUFA4YNvCOO+55tfKV4tFjFj32mMfjWbFihc/nQ0Qh+Z21rFixwuPxrF+3dsroMVfMu0YNKkxiCY4wifE0yTErFY3jkVhXV9ekiVPefmxJTVPNtLnTsroBgUBw9sFOdgUEAsGpzrBhw3w+HxH5Hn1sQP9CVeEMGWjxxTYkAwCgyCQKJZUMIiWNzs2JP8mN8/jCdokvi7p/EzDbmUIyIN1v0v6yOkLLW4XhVO8MIRQIyZJDkuQD+/d//avfXP3R6u9+97s+n6+wsPB/i4upvPxk+l0ITmE0O8Tj8Vx15ZWeuXPnXHnFsePNLqeDuBouAPoul3PJIF0QTBeci8z4Wx5CiIRI8ZKDrp4Ui8BIDCsiinZKSyh2nnC6A0LiEF14ghOpKlc5R0S3252Xl9fV2dVwqH5n7Y7Hfv2LE+1tQwYMIKIrr7hcy5VQUlKyYsUKq4gJwZnNnj17KioqNm/e9Mw/XlZ6gpFwP3MylwwicNBScqgTz53w+D9+U1pUmlZtBQKBAIRqIBAIUuLxePbt27d/375Hf/pTz9y5kiSrKkdtlJ44NWI58k7Dms+lK4HtM5lnVEs4XL8QhP1apm2VRa0cIiJiDDlXAcntzutob1+79uMb5l9NRBdccP7sRYugosJnuyaCs4eoRbp927a5V1992aWXtrW2ulxOznm4gLF4jq6a2WGW/gGx30kfLKT7MR5NllO4pqcyO01iSQqfV+dToWkPBNqCC6qqyA7JnZeHgG0trfv373/jzdevuGRWx4lmInI65NraWo9Ia3q28tRTT9XU1CxZumzT2vVhDcrQStPUvJMUjqTY5Vx1uVzFo0d38A6cJhyNBQJB2gjVQCAQpMDn8+3btw8AFi9efPDwoVFjRmhpyWKLlSWOWHJggFgNm9Kfm8t+pib1oXaOtlFGPxtKYbOPCLhKAMRVIpU7nM5QKHSo4chVs2cXFuY/9Z1vI4CnvDw2myoQ6CSDzZs3TT3vvMsuuvhER7vDIXNFjdi6ltqXzXZk4mhgOZ2f+mRJd1HUXyn1aShWmsyzH5qYTGaKJhm1iNhPGKNkoL8RbSdXOVc5IrrcbocsdXV1trW1VS2tunTWzLb2lvLy8mf/+kxFRUV5eXnK2xKcSZSXl69Zs8bv9zsdzsMNhyGh/RhIqbEnK6GFEgJDUEKh/oWFef37jxw1KuOaCwSCsxmhGggEgtRUVVUBgM/na+9of+QXP2VOhzZOwWhgrw5Tn+V00fnzJ2w7GRiNirhapTrSophZfgbS79VbdcQBADiRonDGJNkhd5xof/7ZZzd2dhDR/nHjAKCsrMzu/QjOaHw+qKryAcC6dZ8MGTJ09sUzu3q6XE4X52HJgMKyn85rX2cXQ0S3spIPiMwlg4y7KEZN+RTLPNo8fVhosN6b6uCkPwlXSjyhFruF2l6Vc5WTLDskWVa42tXR9dbrb1x15Ww10EVEDln6z3/+A6CTIwRnOkT029/+9rnnn29tbU0IT6BoU7NuxKaN0bQYIBEyFgwpg4cOnTJlypTzzsvBDQgEgrMPoRoIBAJbeDyeqqqq19946ze/+d286+YEgiHGGEAkDTkZbIbYbHl26GYu+2AknewSumGd5QxtJudNLBk33Rn2eo5MYAIhAHHOVS4xmVRc/eGH3ltvPf+CC5760x9FWkQBAPh8PgBPdXXFO2//efjwQu/tt3V1BRxOmXOFOAFgeF0CY0NO1K/C+3VT90B6vSC+fHZEdIPUdpB97cD8+CyO1Z0j4nRgcUJNNIgJAQhAxDnniIgMHZJ8vPH4bx///d1lt1806+L1a1c9+YdHn3jicQDw+/1CODizGT16dEVFxeTJk48dO9bT3c20lT11K5/m/juPiDgfMmjoddddN2LEiByeWCAQnD1IJ7sCAoHg9KCqqkqLUygoyO/frwA4Nbe0yLIcHcEb7WrdxGHWEZRpnMCqqL1TJFnBIcHFwB6p/C5iCeKNm63fN10eRiQgcMiOpsajH6xcMWzY0OUrqmtramprawHA6/XW1NRUVFSkXWfB6YzX6wWAfv1Kx465dt51933mVm/XiU6HLKuqqiuV4CyTpYGS3Tkw+o/u79SHnKyVC8muIoqaN5ZmEMbVlkBiDBlrOHjww5UrBw0YfOXcWS3HO2ddfEllZeUzzzxTXFy8cOFCzclLcIZRWFh4+PDh7u6u3bt3bFy/kQCY1k60787U7dpmV4socRj+vpgx/fxl7767fceO6urqzGsvEAjOVoRqIBAI0qOh4dAN11976+03f1D9IeecRSzciOFgWF6gr1UDq9J2T2E+YOuNhR5jlzS/bCxrRPRNRf0REF5knhPJTmdXZ9fOHbuq3lv+mbKygw0N9Q0NNTU13/rWt0aPHq2JCIKzAS21XlNT05QpU+6480u33Ligva1Nlh2cK5rdGnN/jzqvJIYY2YUs/0iTeMHArsbXG8JB9D7MnMaNJeyTkFY16p4FDtmhKuqu3btqNu8qHlW8ZNmy3/3+9yuWLx8/fnxbW9vMmTOFdnDmIUmSqqotzcfbWzsOHz4UdkxBm1809iUDrTghw5Ci5OfnT5g0uaa29plnnsms2gKB4CxHRCgIBIK0ufjSWZs3bbv0istURUXGwGS4QxEv3tzEKZDudW9ykhyDTS4b9QhPLBB2fo5ae4oSYowBss1btvz5iScuveii/37wa4jY0NDQ3t4ukrSfJWgf9LBhwy668MLrrrvu5oULm5tbHA6nqoS0pBixkHmdZJApqQ/WiVxp2vZphPTktMMalmaMJlQ0BJdnLY5E343we8KJA4Db5d6/f98rL7903z2fnTx9+qWzL3G5nA0NDcOGDQMAn88nevEZAxGNGTOmqqoKkTUdPcpVDgjIkPPkjSvDqAUCYIwpoVBhv8KhQ4cWFBRkXHOBQHCWI1QDgUCQNrfcctf+Aw333HNv8ejRXd1dkiRFFglMnPszhmlmMejuq9wGdldpy90Vk1+Gou+hvmbh1eWJOCcEVDlX1VB+vvvo0caV1SuONR0lIr/fP3v27MrKyt69AcEpQNSqzHe553g8X7zv3uaWZqfLGQqFIn2TU8QY1iXcSzS7U+cVMC2Dxteoe9FLgQQR6753OmiCWpfN80d3sgT9k4ADV9SQ250XCATXr1v/u5//rLWl6fvf/8Ett9w0alQ4BL2kpGTFihUi38GZwRtvvAEAb771Vmt7q/aZaouhWny8SZue5Reroe2qnBcUFvzgBz8oLCzMquoCgeAsRqgGAoEgE5555q+LX3xx5gUX5Ofnh4IhiTFjQGZsPk2fmp0glh4stnyZXlPIiTaACT96Ul/OUKk+ILqem/Ulo29euCjEjD+ucq4ZhcFA0OlyKArftHHzNXOvrKys3Lxpo4hQOOOJSgYS0bTJk7751a+3tLS4nE4lGNJcUjiPuP5QVG6KtJ+wO5C+vSf2kFSdEwEQMPJjUcIOURcbsx+rA+znRzQa7iZ1tNiXQtPL5ElhSJqCiIoSkiUmy/L+/fXvLVt+z+fvKCx03n//A7NmzZg4YUxtba3H44GsXUQEJ51Vq1YBwBtvvgEA3V09iFpiGyQgNHQei4Zl6B/65UAh4cs05jYjO+SCwoFf/fIDJ06c6KsbFQgEZxoir4FAIMiQoqKiZ59/fvmSpYeOHHU45Eg0QrwLrn0MWQHjhk/GcjnG8oS6pAJ9B+r+T1omkjwr8hoBkRNnDCVkra3tmzZvnH/1nPx+Bdt37OyDegtOClHJIBQITJ4w4ZePPtrR1ZXndCqKggBkNCDCfbS3SZDq0HSrYW86Zzc7AI3/mJDai8K8hpZyhUUl7BHJ/KJJLRG7EQAcDkdXZ3dTU9Ouul2Hj9dNKh1/+ZSLRk0ccc6wYgDwAVT7fCCynJ62lJSUPPbYY0OHDllWtWz75q2qojDGAChZ46FULw3oxHsERFRV7nS5J547rrV2e+V/lngA9mVzAwKB4GxFqAYCgSBDdu3effTIkbs///l1a9d0tHU4nU6Vq9rS05nZ2WhppVOsiPF3zjhJ6dit0b2NyUSN2HILiGG7UOXEJOaQWXdX1/ZtOz41a+ZHH61ubW259NJLP/74476ou6CviKyY0O9Ee/vwkSP/8vTTnV0n3C6noqqaEWo0LLS/rKfUc0tCu01LO0hlEploB0l2pTytrmqGg60lA/0eC7kzBbF8jhjJda+5TkiyDJyONR07fOiQSsF2qU2lwJDCfh82NX5xwJCv1Nevfewx+5cRnFJo6Sq2b9/Wery58WgjESFGFkM1hSx+pyB8OsZYKBQcUNh/0oRJ44tHXbn647Feb7VwQBMIBOkjIhQEAkGGeL3ePz31VM3WLRPPHdevX79gKCSxRCEyjUG0RQZpfbBArwUN9KYZlcyIsUTnOB71OzUtFykYiXAAxoCIcwJZkhWuLH3n7VtvXvA///PNcWNGPfnk41nch+DUQpMMmpqaDh88WOB2v/z3Fzu7Ol1Op6IoWri8rsvoG1AfuribWdM67cDEPk/p75/EdoodmHiWjG46pZdBmoac3QsS54jglNyHDxz791vvfrx6TWNL04q11by+dtNHH81sa3h/43vrd60HACIoL4fy8hxdX9DLlJeX19bW+v1+CVnr8WY1FEJEIgrLVdbtKFmMTFIQkQCcrry777tvxIiR5SLCRSAQZIpQDQQCQYaUlJQQkcPpfPaFlwYPHcJJjS32ZPMUZjGbKYOI07nAaY3B7gl7mZsUiES0gqa7RLNFcC3Y1SE5d+/Y+7k7bnflOQ+3dT795ptH9VklBKctNTU1AOCQ5SFFRf9auvRExwmnQ+YqD0c+GyMSwvITGBIF6DNp9FZTMAlVMGzQBxXYrEPyUAtzBwuzP6xPb6tM1u+bsXdHX5KW5RSAyO1wdTb3LHl9ZdWyD4OB7s7u1j1du8d2HO7Xb1Bz84Elqyr3HrxDi1coKSkR6yyc+pSWlmpP3dffeLOz/YTKubbiIoDJ8z2KZYACGV+YHkscEGWH44ILLtjW3IyIws1AIBBkhlANBAJBhvh8vqqqqubmlscf+81//+9X+/cvVFSVIcuFtz+ZvOotdPOFOb9YDiIqjNqBYRm4ZJdFQCIAQJWTwyG3tXX8ftEfDu+pu/Smm9a8+65W7JlnnhGWxulLbW1t8/HjAwYOXLZ0aXfHCYfTwVUeZ8pGVw+0tHEpYmcnV+ySkST1qG6/xQEECJGMAml2kyRWltEJIL27is/pardMVstFGKqoD5VwSS6mSB8s++QN/9tdnZ35/Rydna0H9m8KKV0Sk480z/zxw/MBoKys7PbbbxdS4ClOSUkJALz33nsAEAyFIHUKG9tYfX8ROGRHYf/+n7nttl/+8pcA4Pf7c3E9gUBw1iFUA4FAkCGIWF1dXVxc/NGqjzdt3DalZKokSUQcEfXWMqY5mjYa8RbjoJxh36owmEZpBB3Esp5lg7Ge8dpBbHI5YT8BASfucDpkh7xy+fL/W7hAOXbsb8/+taysrKGhoaamRggHpynnT58+ctSoNatXd57ocLocqqrqW4nZwgIpHKApoiDYFKcAwKxrW2sHFsen+4iIHZrshrJ5StgRDvSVzlFalLBwE37vMfJaliS35Fr/4dZXF/+r+VhrXr5LcrDu7q4TXW2dXRMvW/A/jz31q6nTJpeWlgJAfX391q1bhXZwarJ69eqKiopjx5refPNNlStEFPtmSNacNRJ9Dij+i9KgFwIAKKrqcMgFAwqONTUBQFFRUS7uQyAQnI2cchnABALB6UVlZaXX69WCM6+Zc+XhI0cdsqStBBXNbWg5i0nJbIloEbO9SZOlpyQy5DKePDJ8iz+t1WxQOtESev/jrDBUJEGK0N1B+H8CQEQgDowhAfT09AwcOviGm25sPHjkySf/FJUMhHZwejFjWsmnpp+/efPWAA+6ZIeiqtqnjBiebaYUzTNd2StFT411kviJfmvMRA373QNtJAzRl7Db9cwiGkyOjNuU4bMo7iZQ/6xBRCBALQ8+IGPQ1dNT+qkp3s8t7D+4IBBQHA5nKBSQJaeELqdr8DUXX7N7/84Nn2zyer1Llixqbx9dVlaWWbUEvcT8+fMLCwsL+xcMHNS/allVd0+30+nknANANEVNhMTvjLidia0y8rUY+d5Fhoqi9O/f/4rLr+zo7mpta29vb1+yZEkv3JlAIDjzEaqBQCDICiLy+XyIqISC06ZPfajiIYaME2mDYS3PE8ZPjGeFQTDI7BkWmdNLPLeZcKCzzdGq+qQrAclDVC3jrtO7F12l0GI7ACEgASACETAEAsakYDDQLy9v+gUznvnbCw8/9DNF5ZqdqX2OaVVCcFKYPGnirE+dv3XbNlUhWWKqJhkQAnDtY9e1v+Tdze7HbdEuLB1p4i0gKxKEAzvRN+l2f8tem6Q+EQVEd3B6ooY9TKSP6CaM/gdh7UBirKenZ8qMc2///E2FA/v19AQkyemQWSigSswBjI0YM6nn2IF337mtpKSy8NJC12iXBzyiU586FBUVNTU1XXnF5aNHFdfWbFFUhWE0hXDcd4O1amCpZcVUA0QkIIlJwVBw8NAh5RUPtba01G7bVlxcfP/99+f6tgQCwVmBiFAQCARZgYjaqFR2OPfvqz9/5gU9gaCETIuwRQiPvDH6k134r3bN2Mscj+Ijbt2604Zn/6K1Ng/ijt2eFsGgv2M06g5oZYKlWdXoj9GfXLcdNMkgYkVyAiJVVVwuZyAU3LB+48J582659fqjRw5VVFT4fD4An/BrPvWZMmXypbMvqandpqoky5KqquGV27QIg4irgXWAjx47ZQDM4x3CmIpWdnt6fJH4XoPGhwcaepmdigNkLBlAXJdHXb/OXUyCySdgsBzDuU2JiHNVVfPceds37Xnl2beam9pdTpeqKqGgwiSGMldCPYf3b28PQHk5Occ0rx692gMeMGpIgpNLU1MTAHR0dHR3dyqKwlBChuGulcNoPAQgQkROHACcLue8efMumjWrvLz80ksvzbjyAoHgLEeoBgKBIFuizu1Fw8558cVXBg8cFAiGIgN8wDgjO9vogj7AOMpOXlMrA8bcHIqesBdu38R3gsIx6uH9WrgCKIqKiKqqHGg48PnPfmn86LE/9fle9X8foCL3tRLklKlTplw8+7KazVs4JwdjXFWQaWYhmbYAe7KAbdMkTRvGbk+3VAF0W3NnqWcFGuJ/ciT/JfxNZk5JAASkqEqe27Vjy65Xnn/zeGObU3aonCtcDQRDklPioCpK59vLK4fJU248cG3sQCEcnAJoS6U+8MADM2bM6AoEOOcMWSSFRY6bN4VlOyKgfs58AFi7di0A1NaKJRQEAkGGCNVAIBDkAJ/P5/P57rvvi3/43e8W3HyzQko4QgERDY+ZHAgHSWbmMjmN1eE5GWYnaAdJX2VMxDQ0Ew7ipp0184ETIaIky8FAzwsvvrijtvZ27y/e/8DX3PYnkYb9lOWCGTMunz27Zv26UDDEJKZNJMZcC5JEJeRQOEiNqYSW6aF9jM0K6ByQsq8yRWUf/bbIrsgvorCQQCrxPLd719a6V1/8Z+uxdlmSOVcRQVEUTipKEILuY+31x+sOHT6883DjgawrKMgN2lrF8+bNe+75FwLdPZwAEIgo8hWZu9ZPgICcOHGSmOzql/elL36hrKwMEbXlWgUCgSADhGogEAhyBiK2tLXtq9s7Y/r0ru4uWZK0rdquaKncX5h0/9oqrHPitjowh9U0N6PQ8GeuLmf+JpioF5wDEUmSBMA3bdo098rL3IMWVC8fCmJprlOSW26+acb06evWr1NUBRG5ysNRA1rW0ZTuzbaEAzL2irifTCL7Yy5GaR4Qv/FUw+gGkVusHkja+09EnCjf5d5dW/eGf8mJji5kyDknIOIUDAaAEZOxG3rW7FizbfsmAKg7tOOLX/uvXFdTkB6lpaUVFRUDBgzYuXMncUULIoiEF4XJTVtCAAAtwZDDIQ8eOKClpcXr9ZaUlFRUCIcygUCQIUI1EAgEueQnP/nJwIEDPFfPGzR0cCAYkCSJOGkrLBhm5WLuBjkLEA7/Gz+5bixjFUBqaQvlqHq9ZmDoSOI9YTKViUjAiYiQMSazo41ND5T91wdVKwGAtJzeglMGInK6HJs2biBVZYzF+4/0wgXt7eg1nxRM+LdvSPeGdNEKObgwmW6L/IqlrgAAIiSX01mzYfvbry9XAioCqKpKQIDAFR4KKUiESO2B5ndWLj7Senj2ZRdrZy0pKfF4PGLNlL5HU2OXv/fea6+9pio8odHkujchAJBDkmZMv+CC888HgNmzZ+f4EgKB4GxCSl1EIBAI0mHgoMESY6OGj9hbVyezyEMmWRbAuLDmlCPwbIbp8dOvZBIwoV//rNcSkKdeNi7T8yZzmzYGRuj+csgyJ9q9c9e7y5b89OFHdu/asWXLVgDweDz33ntvVVVVr1RWYIEWd1BdXf3FL3xh/fr1d91+e03NVkDGEDhPiHq3jk0gyxCZzEi0ktFOb8wkIqnvJQP9de3vyaWuaHif0LAt/hkFAIgoSexg/RFg0rmTxxNw7XGlJajVQo0kWeLET3S2Dh92zv99/2ddgY6l/1l277331tTUlJWViX7dx/j9/qFDh7olqW7/XiWkSpKkCwdL3pLsaAqRRkKADBGQA7jz8hf9/BecSYFQqLS09K233sruDgQCwdnLKej2JxAITns+e/fdL/797zctuH737j0ul0tVFGTMuDpBNE4gCVabC2SgAAAgAElEQVS77dgpUUXAPA9CnEu3fgE0vU5guiY8RpYm0M5jcomklUow8Ux9A9I4a3zt7MoqEXsv8jahhAxYT09g+PBh1y28bsvmbU6na9z4CWJdxj4makhUvvJK2R133HnbbbW1tSjJiOGE+mDZj1K5AuTgA0xTODB4wKTfpONlj17Dpu1mfmwGoRvxxGkF8X9ERUzDMYjISCV04MKya2dfNbOnJ4ARtBJEgAhOlyMYCLqd/QqcQ5a/W1X+o4f0vgbC76AvueqKy0vOK1m96iNFUWRZJs5jXcTQSchkm+GlRffWeiMRMlRUZdDgoR+uWn3k8OHhI0bU1NRMmzYt53ckEAjOEkSEgkAgyD1/X7z4ns9+9uILZxUO7B8IBiWHHN5hYoEnIZP4BYosEhefsiDi021YptD8orqrW3tHRF4g2FyJLXxNgyahO9rwo107o1Uq04g/17ydo/oKEamk5rldh48cef0fb7gc8rN/e87tcmrrMvr9fpElsQ/w+XzaDPDu3bvL7rjjtk9/ekttDXNKDImIA0bX2Qz7qvf5R5LYwIxZQuLLhskkIumkNLekF9X3UuPmXrl8/IKqkU88+sOJMxnVoLLsn9W7ave7XU4gijy2EIAQCRECPUHGpIDS09Jx9Iq5F27fvn30uBHhM5eAj3y5q78gBW63q7OnI6gEJYZhfdgEi1ZoX5/W1nNEyMtzA8Dx5mYAKC0tzaTGAoFAAABCNRAIBL2B1+t9cfFikKWJY8e6ZFlVOQCAMe0T6HyQLcbiaWMuB0TXPNfrBcbcB5HfhpyN1pUxneRJNRGfZLf1zWdia9mFYqfWPA4IgUDlan5eXld754a1626cf81dd3/26w9+DRG9Xq8QDnobbda3urp6ZXX1xIkTb7nxxt179jgdDuDAiSMg6DNOEKDBVu+zjyYaXB/bErFqjfJBTprtqdXiUN9pomRfR2t/EYMMapx2JiBSOHc4nSeaT/z7taVNR5udDgcRMGQAgNoYj4gx5ConziUXdXS37z66YdLU0eXl5QAAXqhfVK8tCijobbxe72WXze7p6OIqZ0yKeA5ZEOeMlkYj0xRnQmCFBQW333arcDEQCATZI1QDgUCQe7Qlppwu94v+1wcMGsBVFRnGDM7oi8RZdlvuCCbmiclMZ2Q6NubjGfvRHR13mBYvDMmn+a122PXgT3ZiszfE/I2xxL67QczVABAgkpJfUVTZ4SCAurp9d99xm5NJX/9aWDjQlti0XRNBGvh8Pm1dtH75+VfNmbPguuv37tkjy5JmOYaXUtM3Zohr2Qn0rm8/JSRXMIZKJNQo/ZZ8ymF0nogLH8jdyU0+Uu1ZRpE3PbYbiRQ15M53H6w7tOxfKwPdisQQCBBBi5/S3Ii0SoZCIWSg8sDx7salH7567bXXTloxYf7o+X6/31vpxVNLoDkDGTRoUHnFQyFF4TziZYDxH7M5JjuSO+ohATFJGjhg0LFjxwGgrKwskxoLBAJBBKEaCASC3KM5tK9dv/7Br331mvnzXA5ZCSkYXpY66Wx1rq0Kc98D88umvm7EUMhycG0v7UCsbPR3+k4HqWuKBLEpa9QOQVQ5JwCXy93a3F5dXd146BBF1gkTGdR6AyKaM2dOaWmpz+f7zv/7f/Pmzj146IDDIWuGohaYECka9/tkY7R6UtpAySJ/EotCX4oMab+j0RvJVR1tfbZmkSBcVd0u98ZPNq9ZtV6SGAHXahfRcsIVJAJVVYlAQtYVONES2j2ycLSzHyOiV71ivdVeRPPmmDVrFgAEAiEI92pCMqaqsPrDvIXpBGaM61WEgIxJg4eeM2rUKK/XW19fLxLTCASCbBCqgUAgyD2I6Pf7i4uLn/zjn7hCxWPHaFMfYRNII70huuVwx9x3N6NTZV+ZXjlL/Ixm7kd+BvdyAKDwSFbl3OF0hkKhbbW111x55UcffXSssbGqqirs2yzIEVouA4/HU1BY2NDefuXsS44ePaytahGJrUEwWhe22jolRAHlGpuqXCLpNv6+wsz/SAfqX/VWbgMyvLSoTNxmTgSADOSqpR/urzsoyzIRRzL54BGBc64oCmOoErS27SsYIgHAv46/8WDbl3N2EwIjmv8dcP7SSy8FAwEtKozIzhq3GbSssCQhSzi9dOp5JSUgkhoIBIKsEaqBQCDoFfx+f2FhIRE53Xlv/uudfHce5ypjaMgcYIrJdvMghSxIGEzHzWpa1qGXUgykIvNohWQO7JHdxldk2KlyFRnIDrmpqel/H3ywoJ+LiM4pKhLCQa7wer2NjY3V1dXPPvPX8WPH3nXt9S2t7U6Xi6uc9LE8GbT5vpirz7gnovVSrH1OQixA0i5jRmQdCf0jxCzeyH5drOTQcNgVxBK7hn0JOKlOh6Oj5cTy/7zf3RVgTLK6pPbWKwoHIEnGjs62t6sXn9s1pmzPrfc+cE95eXllZaVR4hXkgIqKisbGxp0bNypqiEmIgMhYokOB5RPeThuKNEPUPA2YdMkVV4wZO7a0tLSwsDAndyEQCM5ahGogEAh6Cy1OYcOGjY889LN77rlTUTkRkD0DyGLQlDaGpcswfp/pOCxhBhEjYzE7FehNQyjqi2qjMia77QkHCSoCECcCkh1yd3fX2//692fLPvPVBx9UlBAAlJeXC+siG3w+X1FRUVNTE6g0YNDA3/3yN63tLXl5LlVRI+8qxRIGpGvK6snmWGuybu0nSYaLQqZqGaTWDhK3RxZDia1+grqfqD2XTqUS1lCwqp7WWJATOR3uXVv2bli9RZbCaWj1vVMrpvkSMQacc1XhkoRBNbRt22YidtmciysqKjR3ehGLlEP8fr/P51u/dq2KGAoqjDGy812ICbFppnJUwlebpikRk6ZOnTp9+nQAmD17du7vSiAQnE0I1UAgEPQWWpxCUVFRSOXN7Z2TJk0MBhWZSZq/gaWlabKdrHYkO8x0Xt5smGWM9rSMH7UBJbmtuApmZcSF7yu5QmFmDKWoXHykQuRSwIkURUHGGJPXr9+44Pprp02bfvedZfv31QGASJGYGdqbNmzYsJnnz7x69jW/X7ToePtxd55LCSrGNq+1q7hF2tJsPifbPLei14InUmGrB0aM89jfSY9JashF+2v6Tgd2ShIAEAEiI8IPq9c0HDjsdDg454jh9K9RMzXmEIEIgKrKGUPZLR1vaRg3bsSu47vefPu1iooKgH0rVpQLTTAn1NbWAkB7e3tPV1cgFJIkBtqCKJatISYT6FWolBeKliBEpywDwKhRo8rLy0tKSrK7A4FAcLYjVAOBQNCL+P3+YcOGAcCIESP/+e93+hX0UxSFMRYZCdv03kXzDGB2QICkgy1dPjPdZI7xlY1RfswE6SP7J7Gyuj2oe3Ns1ycu4QTpTSYtBzsBEfG8vLz9+/Y/9cTvpk46d+KECVqKxJKSkhUrVggDwz5aYAIADCgsnHf9vJ/+uvx48/G8PHcoFDS0d2PAiJE0padT98OJTdH3hYgQ71Fj/jYaIgTI7GMggHSrmr4rksGpwKwBGJ2DiAPJsuP40eYP3vuEFGLIuO5QnQqF+jvkXFUUxSHLJ7o6dm5aM3xEUen5g6qr7/N4fBDxZBBkT16eu7OrKxQMIFosWGHVQGIiePL+gQDaB4zEueyQAaCtrQ1EXgOBQJA1QjUQCAS9izYR/cCXv+L3V95w4/UhJUhJRtvpjU7TKG20STA2dRMdiqVvqZhe3rxOxhn/3I3Bw27P0T8SbyLeT8PWtWMeB5HY6fBglBMoqupyuZqPN7/15r/27dlLRKoSqq2t9Xg8wunAJpoHeFNTk6oo02fM+N63v3308CG32xUKhRBR8yyg2KqhOaLvJvTNao2Rf5M7V8cCgnqnvvZ8b/QlLAtZK3dJyeS2klU03EpQ39cZk7ds2LZp/Ta3281VVXft8MMnJixSVBOhoBKSJFQgdPjYvnOKp9x449ramncBoL6+fuvWrUI7yJ5BAwa0dbYrSoghi65tkVQBNtmQsgFhJPLBne8EgMmTJ2dRZYFAIAgjVAOBQNAXIOKQIYMfeugXkydP7u7pkmTZpBCZvkz4K35XqhlXg/0RnbIxn7NJa0SPkWlASjTOLaub4dDb3LxKsjdcHdLXKotRv3YeAgBE4CqXHA6F87Xr1tx208LxE84N9HRrTgc1NTVCOEiOJhkAwLCiovETJjxSUXG08Yg7zx0MhgCQ8zjrzHSS+dTHWjgw3W7hY2AqMkT1h9zX0G7xLD6UTOsdiziycIyI/s+5Kkks1B36aOUnLcdbXE4HV1XS6QqY8BTSBCqGqHKVA2cOaGk/erynrmTEzK2161avXl1aWlpT4xfCQZYEQkE1GFJVHvE6MTyfzbCKmEvWjMJfRgSFBYVl3s8AQFlZWSbVFQgEAh1CNRAIBH3E1Vdf+8rLL933pS8PGjQw0NPDGDN4+ur+sC0ZpIP19KbO0UA/GEs9ujcOxKMz8mblsgMTXpjtTIHOOTnzKiGGPyGucIZMdsh79ux94dm/IqPPffYun89XWloqkqglISoZDB4wsKS09OmnnmpsOprndodCQUSIZUAMy0vhrpH4cZ1CCxDkllhUUDJvg96WDMx2k3EX6bq+pbphcQ+ZfXa6jmvswrGIFgz7p3DistPRUHdo/cdbJW0xhcgqnuHspRQ7HVH4wUdECKjlSESGPYHOtza90w09g4Z1VVRgaam3qqpKaIIZQ0RTzyvhGG0UBAkRJulg3Yi0TIiAQwYPVUKq1+utr6/HM/SBIRAI+gyhGggEgj4CEV9/481VH354wQUXEgBhbOgUzcJv9DbIwrq1WSWjZJDWqCpS4fAQ0I6vQcb+5nGHpTn6M3kbM35bI0u9EQFxUlWVnE5na0vLknfeUQMBIjpUXy9UAyu0FRMAoCA/f8LYMYufe6G1rcWV5w6FFCCM2A/xE7rWH9YpbgZk2oX74rZSXMN2FWzdXRIvoZwRewBp6UcIkbjC13+y+fChRqfTSSqn8PMq9qlwAG64g5j4qagKSgxIPXJkr+QePG/hKyuqn6+urp4zZ47wOMiY8p/+jHhM8zN5I9N4a02LEkE4GE+S2ciRY8ePHw8iqYFAIMgFQjUQCAR9xyuvvNJw8OBTTz89Zmxxd3cPkyQeGeRA33phh/UCvZcB6EfzhhlPu+cznkJPrvSPeG0iDfMj3oTLdOQfPkkkNyLnqirLEqm0Y+eOeZ45V86a9e1v/s8PfvB9YVrEoaU/HDZs2OBBA4vHDH/jrX91tLflufOUoKITCijNucfet7DJ+JPhKdLExm1lWBfbzkTxzgLJRMU4rwJbj43M3A2SbtX3biKVO5yOw/VH13+yhVRCbSkFs7SOFHFEiDi5aKIuqYrCiYNEbSeOd3SzuXM+f/NtCzwej/A4yAxNTiVSIaK9mhbL3tWOwvIuKx55zpDBQ0pLSwsLCzM4j0AgEOgRqoFAIOhTXnr55bIy78TJJf0L+/f09DDGdEnfoiMkoxdwunZLqpKxlAa6PFTGLAGRLbZlg+iB6c1T2r6v3Pld6K5n+vZGfQlI7xJtWR9tUUYAAMKW1tbf/vGJoBp65JGf//P11x+4777cVPmMoKampqmp6fChwwMHDV6xrLqzs93hcqghBTH2YUTdDWIWXepPPYUzf6qD0fgTwapZ2muFCaUy9rPJ/NZyis06xNU2iUSB9k8ah9UbGTX4AQgBOBERR4LNa2sO1R9xuZzROW4EbQWF8AvdkivhJ1g0UR8RVxUuO6SeYMd/ql925bvWbVpdXV1NtxMSWCwDIDBn49q1AKBoAhQHIjQ+cxN7iUk3AhvfBeHPmNQBhYWTp0wGgNmzZ+fsNgQCwdmKUA0EAkFfc/DgoYI896jRowmADA6yGBsR6X7Hk3zElGogazaQ1ysIGPs/c2vFcGTiTGDiX+Zb7F7KsqJJTxlVBgyz2xSNQohMWVF0g8n5CSLhCoCAQIhYtWz5TQtvGFlUxLkKAJWVlZFY6rOa2tra7q6uYecM+2Dl++3tbQ6HrKqKLiRdP/Ubt8UmabdXs5xqJidJUote/FDR8o/cndnOadH8fYph9R4kPXnmooHVlWMyU2T5DeIqdzldjYeaNq2t4QpnCNFsGdz8wRqv3iIiIimKwiQW5D27923tVtvLy8snsGIA+ElNuVhv1T5bt27dvHRpqKtHUVUirktjEv7H2PPNJQPTP+LKERFxApUGnXPOmLHjy8vLS0pKcnILAoHgbEaoBgKBoE/xeDzXXXddd1f3k7/41ZAhg4NKCBmjqGusNn4yjqLsOxnYkwzighHiB/B2xvLZDpNzP8zOygLRyQdWTrPmmkH0l/bhqSpXVdXtdtbv3/+Nb31j8uQp3/ved7T8f36/v7y8/GwzMIiovLxce33JxRdPmjx5+dKlHW2tDoeDc9JkMop4GcSrZIlvumlivZQlzEiiiem3J9qR9smBd0y8cJAj7SCNapmstHKyPR+SiI8m7YUDyZK8ed3Wo4ePORxO0FJuWgmy8aeOyAwAnHMikBy8ueXoso/e+PTwq59YtwhfRY/HAzonGUESjh079u9167q6TzCEiENHtP/bPUnqggSASACy0zls2Nhx48eByGsgEAhygdniZwKBQNBreDweqqz8Q20t37pl6uSpa9euUUIhWZJ5dNFw6xGttjG9WP54OSBeMjAnaYFcD5ApW0skPF+Nua+aDgLCWAZLAkQCiuS0JKTwDgBUFFWW5Z6ewMsvvzht2gXvvP/O8f1N99zzX0SkRUSfJUHRminl8/l2bN+2a+eOSy666KP3V3Z3dbpcrpCiaNnQrA+22Gf8kNF8W7JmYK6PRT+9+DPEncpWQ+0DCzKrSxjeoaRvl91+aasLx18JAQgTF0G0eT0wv6ShJgRAqup0ORqPHN+8Yes5I4fqjk3xNA13cYi4JyAiQCikyLLcHWj/eNPai4dcqN6EO3bVTplUUlNTs2LFCo/HIxL1J6Gzu5sxFgxxxOiMne2Hv11Hg6gUSQxx+PABeXn5GVVWIBAI4hG+BgKBoE/x+XxQW0sAT37wYVdPT9E5RZyMU1WWLtLpj67TlgxSD+B6wSLKxTg7HNveR0N2Ex96DNu5hKC5RgMyZNKGjesX/ejndTt3E9HfX3ihurq6uLhYi1nom6qeLIjI7/cDwJNPPDF+7LgZ06e9/35Vd3eXw+kKhUIYyRmhd67RHZx2M0tIzGHSEnRbzV/abYnpVO40/phz05tsqQlpkt6bSgRO2bFpXe3x462SJIW9QBAptmyH5YHxl0UIKQpjGKKeg031J0LHpkwqWbf541dffdXj8dTU1Jzx/TobCvv3Z6EQV0IMGZr3UWtSFtb59mjajcMhDx061OVyZlJXgUAgSECoBgKBoK/xAfhKSnw+n9Pt+tGPfXkuF+ccEJMupZCxo3QKdCsvnhGEU9rpkjT0EvEWBYEWUKsSSsiJEycicrlcR5qOvv3vf3/u9ts/e889/Qv7LVmyxOv1+v3+M9jA0CQDr9eLiKs/+qiurm7tJ+tVTg7ZoSpKZA43km8u9jbYe0MwQRbA+D1aLH6kKYQzHZoceVJbvq2L57aGllETtvI75C5GQn+RnH8G+oguIiDOyeF0HT54dFfNHk0JQYy4xxv8EszOFXM6CQcxIYCiKJwTk+jEifZ3PngVpNCsy86vqKjQ3ODP4H6dJUMHDWKqqnKFADgn0NZgjEHGzy5Noq0zokW63W4AkGXhUywQCHKDUA0EAkFfgwBYVtbY2NjTE/jjk3+YecmnOOdIWk7pmNN1wnwoRjOAJz114sGIoLObwLjdHrZHcyYFMe43xNcwtsUeelNQn/0eDSXCmyNqTA6ME2PexEhWA9JSImrh0ggIXOWISMCBk6KE3G53T6Cndvv2a+deOXri2OLRIxHR6/WeqaEKesngxgU3tLe2btu8WZKZJDFFCQGApqdEAEObictOaSDhE9S3IrT6QetdSW8j7JeDRtEhozfErOOErVc7xycUytwqjZhVFnUx3q6xhHVVLfw8DL0x4VVWGN83y7dDC1tCLfMhI7ZpXU1PZw9jjIh0d6l9Phi/LGP0LOHtqHX6sEsRcK4qjLGeQMeR4/sKB+ffcvtCrfyZLQhmw4Rx4wIAKsdIHAeaRQClaGjGZmpeTFuWxZXnBoCamppc1V8gEJzlCNVAIBCcBHw+X1NTU3t7+6v/eL2lua3onCIigMhqYAC6CdMsrhI7gYnBlfTEZPE6xTEZxVDYM8fi7Tdz+zCsESSKCIiQK+0gBkV/6zUEAtJWhkcOgIiKEmIyQ4ZNjccfe+jXEle/8fUHtZrOmTPnDDMw9JLBTTculBju3rObOSVEIEWLDedawcikrO5NTB2YYNPizxH2L5XmZ5he7U0luMwhMK4SkuTcWb3XvdaurUUJ02oQAHCuOhyOA/sbDuw/KDMp/EwkwJg3ASHq35PE2hu3IHIChXPGGBG0tDW1nGgCAE0QBOFxYIbCucQYAOhUgzjlOF1iwkHcwUTkcjoBYNq0aWVlZemfWSAQCOIRqoFAIDg5+P3+QCDg8/mmTj3v/i9/kTFkms0LGJdSK6Oxu252NLlkkGLMbd/FIGltbF0syeG6E9iZJY6KCAlnyTYew+JGSfdOERIPbyPiBIBc5UTkdDh6ujpXrvygpbGJiAYNGOjxeLT8iFlV6ZSBAPxlZZpk8NWvfLmgwFW3d6/skDkR5zw8WUto0qpS6AVWs/X2PQds34ApudYokmcx6dWrx3z39Q4eZpfI6WVt+HXYPlW65ri2vglDFuwJ1W7agSiFPYNQS3kIEHMoAKt4mXhPhLBfUXiVP9mBHZ3H3/3orR2Hdixb/g5o+WsERpCxnp4eAJ7Kxybp7vidFhkSiJjkmH/dPADw+/0iS6VAIMgeoRoIBIKThsfjmTNnziM//yWSfNFFF/UEehhL+lAyGR/pHYL10+5W5SHenTgBMvwy3a9PsmDXxSBj4QAzP9T8mFyNH8lo7IZN4djceeQnPKVOKlcRWSgU2lKzdZ5nzjmDhj/312erq6vPmGlJH4DX70dEIjrR3rF16w7GGAIghRsimTauZHdv3rosPkE0doc0Sf4h5KDRJDpjZ3KKPmgrtjUYs4KpqmjyAOtltCsQkMSkndt3t7W2OyRZy2kQWcKBLIzK+Dsh0t1epP9zToqiSDL2hNr379k6eEC/t5e+WVFRoa20Go3DEahcdefnA3HIUueLPxj1vzQ3LmTodEj19fUZX0QgEAjiEKqBQCA4afh8Pm2576lTz/vrCy8MHzY8EAhgnNOl5WSqfhOabDW3l9FQ1AIL4UBvEJBpieRk4oGapZtCXLJH67fGNglKgeHP8MRm2FSIrI4R/osT5xwAkGFj07FfLnpkzepV5eXleS4ZALxer2ZmZFG3k0wFwB3Din50y033/dfnNm/eGHEO16/LDlHfbesgmCRe4jbJtWRg56ypXNpPCexFgOTyjOEyvRyukOryAEBEjLHjjS27d+xxOB3Eo5EysSAFncpnh7D7AQFxopCiAAeFAkdOHBwwtICIJp03trHlEESuflp37ZygAu8KdgWDCjLkFh4uEdLtwqg5oaCW0oATcSJJOmcYAkBJSRaVFggEgghCNRAIBCcTbV5k1iWX/On3v7/p+usdspTN4DKpIoDmmy1IUAVyOOS1VYscRBNYXzy7Mye8FUnCFmJ7w0H8REScGEPgvHrl+wvnXXPHXTc++LUv+/1+n893OgYsEFF5eTkAjB839uC5E/b1c61Zuw4IGIKWds668VCSfVlj+yM2UceSnjL+xKmiK1IXSsqpa2xmUrM+vhvtctqzD5FxlbZt2akqKjKm7Y1EKMSrWEmSI0bA6Im1vzhwRVUkCVvaji5f/eYFs2Z0nGhrP9GiO/bU/Sz7gEAgEAyGVE5h2x4AsnE6SDhMCxgBBGBIABLhsHPO8fmgtFTIBgKBIAcI1UAgEJx8EPG11157f93a6dOnBYM9kiRRMnsq6UDLeme6g7PekQw0UtYlR5HquSbRCyMuMMHskEgRouicIxFxIKfTsXfvvrvvfEBGmYhefPEFLWDhNHI60Orp8/n+33e+XTxy5HlTp25ZtwURkGHEzyLqg2FpiRmxKyrlplTWb7NJIHxcEI/5UfYUk9y2grQCxu2SxDEkfnuSJ5p9MohxitSFZCbX7z/YeOSYLMucq2Bhyes2JvkAwppgVBzU3ItCoRAiPxHo2Hdw9/HmI4UFg5paj0YO8RP50q3+GUMwEAh29yihEGpjb4oltcWIX52OtL8Cok4lxDlxcjnlESOGA/i0FTEFAoEgS4RqIBAITgmWVVUdOnp03MxZQ4cWdff0yLKcOKmVGvujrJNkktu8jd4Nfs7ubAn+9bHAhPjk9BSzLGIbojEMnCs81K8gv625ZcXyd++64/bPfe6eUDBYUVHh8/lOi/XbojVcteojibGJEyesW7MOZUliEuc80YjWH5rcASHFde1a06m8AEwNRltnTuucVmXTKJ2rpoBJ/8wOs6Zv3G33NFntN4Coea6HnymMSR1tnXV76iUmEQeg+NSz8ddK0xuGAycghVTgXAJ+tLlh2ao39h7bt6/xE4AKgNpFi+q1RRbOQoKBQDAY5ERa4t84j69M85GYg4gFAwqdjlEA/5+9946T4yjz/5+neuKudpUlB62CbQWvnHDC2etsMDjB6PCZu/MRDBzhbI47uOMFGnGA4Xc/bIPBcBjw9wuYsONMcAJLTnK2sS2tbdmSJWsly1plbZzpruf7R4fpUB2nZ7WS6v0azfZ0V1dVV1e36vnUU1UAIFUDiUSSAlI1kEgkY4Xnnnl27YpXOo86IpfL1tSawhDAWFDB7I+prynomu4gTFfYo/32ni4kwd76zr1ktmvROoHOPnXzY+gJHIjr32DNeUBQrVXzhRwB/u35Fy+64Lx58+d/5cv/oa/fdv3113d3d++Ja4tEuVzWB1N0//73zzz11Au3bIIAACAASURBVJtr3nzu2Rf0akoa18cleIwugT3pqbp+9z+u4RzU0e+jF6TlCeGTkVhX0CzJyP4OCVr2PhivQhD6iRd7ShDonusAAETEENUR9c3X14wMVxGBiBOF1LcowoExiwnUXQ8IaEStIuLAwI4t61f3rtuyFv5p1bojOzouqFQqixeX9kOng1pNrVVHiMg5d4/5AhD/H5b4fwMa394+o6MDADrlxAYSiSQNpGogkUjGEPlc7pZbbj14xsGaqiEyREZkmtK+0yJGalgJxmKLDKdk2Y6UvHtSQrFLc5rtxhg5iofldA9+/gXuD5kmdP1E/RuB1WoaQywUCmveWnvrLT/ZtWOn3rDu6Ojo6+sbm9Mc6FqIPivHor/7u0cfXvr6ypVKhhFppHFENG0ty1Pf33K0SWKhyUazQ/2P2o5YN9F35ERkw5fCs2QGSyQckONXY6D1Pok9uYegJFLKmW/hRwsbKXbTqEfA9W/19r27JZvN6LOTmi4z3pttbDgrs2d1xvptIlc0qqZmsoyYtnXn5tefeAFGjhhRB8vlcrm8cOXKzqVLl459f6IU4cQ1IqZrBubCuF4ROdFr2Vsrsb1tQseMGYsXL5aqgUQiSQWpGkgkkrFCV1fX7Nlz/usrX/nwxZe1TWiv1WoKYyDslolP5O4+b6jRbNemrRA0Oe8EbkNB4GtgGqX6YXBaqASEiASkEc/nclu3bFv+5BMf+tClRPTaqz19fX3Lli1r7jXEx5rLoFwuE9EFF5z95uo3M9kcAhLpziKico9xLyJWA2GlDjLunaeFKAGxcMcdIWhQAEcNGSWCEyLXD7tlbd8TRdVxx9vESzQMU70zGwEJGGM7t+9e91avOSefoVcR+LmaGMKBWyxwbRuPtuOpBwRN5ZqmogLVkf43ep+bOfegxYsXP/rEgttv7+nq6hqbmmDzYEwBAEBE3bKHlOe8tdasAeDjx48/6OAZACDnNZBIJKkgVQOJRDJW6OrqIqLrvvvdzTu2z5k1M5NRVE1jjg4Zk8YmLvP/be0VboviitXgj9SZPKqkkqNohlJdVgD3Qmz1ZRoZY5qq9ry84rRTTpk3/5DBwf5ly5bpKxSMEax833XXXUR0bldX77oNSjZDpK8riabx5TR8ybnhQwPdjFGrI7n+BgaKmw/f8316p/dKHNfi9/Ecjx256GdoeM9BhyhBQEAMWW1YXbd2vVrTEIGThqacZ4UVjaxxbDj1BY/MU6/tREhEwDUCBFK07Tvf+fOjv5t80LwLPnj2r277v0uWLNmLpj5tECIkfTIJq7y8D7zAKS48Yts/a9JZyBQK2WymoRxLJBKJDakaSCSSsYLe70RESibTfcc9EydM4ho3Jo0SagdpWR9i4cAnbq8ZsDe2eGOZp3HFkVgxGxjzvHMgRJbLZbf19V33ze+oKieitnHj3njjjebkIDZ6LX38sceOPvroM888vXfjxmK+QJyIOw0nz3a94jSvPAMg+9eoJx/90aXgUE3ulvdBlI3gnHgCJM646O0UL7L61C/1mWK2vLOlf/eAks0AOWc28PUpCM2ER0mwbyComlpTVaaAqlZXrX55YGT7xR+49KGH77Ne+y4pcR+EiHPxELuEU2sId+k3miCfZ4qiJIhYIpFIhEjVQCKRjCH0yfOff+HF//7Gkqs/d3U+n+eckKHuxz7q2fG0+z09aiQKGMQoX4RgQS/nseAc2W3c9I1Nd7+qOYyBE0E2l9E07U/33PWRRR++5NJL/3jvPe+/8EIAKJVKe6pzslwud3V1LVmy5Nvf/vbA4OBVH/3HTRveaWktaFzTnbHdkN67G6fkmlQ9yPmVjDTy5siDvWgiFdMYMCmdnfABzgbkOG6d641NmEbYia5MhGTYkXMiYoqyc9vuvk1bM0wBIOCi89zTXejnWjEKUkVhGZhXpKsVmsqJSFFw5+4ty567t21iHgA2be3d0b8NzEdsXx22QAAIPO1qLFC0iAgQi5mikpG+BhKJJDWkaiCRSMYQiFipVE466aRXVqzcsW33YfMOIwREZMZ61omVA3c3mLthG2y0BHYc1juQI7In1khIIhwI+7JSNdc9vfN1I5IIGGKxWHzpby9+/Kp/zGWy8+YedsUVH6lUKuVyeeXKlaMsHOiWTFdX16c//ak5c+Z855vf3Nq3ua2tlauaNX+8p4NVXCkiVJgmXdoolJho8hHnL78uUteO9Drro9LMBETSW5AmEIKgw9r2RiNzGQNx1AiKwgYHBje/24fIwt5HZNMOLOHAPCRcScU/Kv0UTlzTNEVhwLQN77710JN3vLv9nQnjJt33wD1LlizRx6l1d3fvY64HRDR//nxuzCUREM6+5R/U/9kw1wjBbEtLhklfA4lEkhpSNZBIJGOLSqXS0dHR3d09b/6C7jvumtDWptY0RGZrGQV1oPvj2ylIkZtqwbHHItiMTxPx2A63YhCWsFUuYa3ehtFNBf0ec+LFYnHHtm23/uynw8NDv/nNb2/6wfeXLFmycOHCSqUyakaF1fnZ2tJ+xhln/vTmm97dtGlc+zhNVYF0LYtMV4n6hPTh1oG3so0RKyl8uLXgHIGftc/speR66NxH9xhC8TD9fLrfOAExBnkj2H+7VDdzj1OqMC+PoaKpfPvWnZqmAaL/4otBebAiNJddtMsJ5uB6c9iBTWAwMsGJiBPLKbsHd65et+LhJ/8we+akn/z8+5u2bFyyZEmpVAKAB1Y+0E1jd+3VuPz7l7+C5ppAzUkBrSUcGVKBMSUjVQOJRJIaUjWQSCRjDr3JeO555z3+6CMfvfIf7MukORqwdjOloWYYmf1mtn5gtzeCLWikOFH0cQXwntMci0kfzuw7qWSwcCA2+6Ji71mNbBRZ0xwAgaZqyFiN86VLH77s4g9MmtzeNq4FEUulkr6KQeSsJKRUKm3evBkAOjpmn3veZT+/5ZZN725uGdc6PDKs51OoD0QpoXoPblMNZcNWi5lGQM31CSvYGyFrTnvWL5fJCyjZyiuh6cW4vxFPoghhbIgGxAhfWzZpzZzagDEEYLt39quqqigswmvHioRs3860bTKB74XYsqIbuMQJCbOZTP/w1tXvrDt0/qzPXPPZO//w+zvvvn3JkiW7Fu7aBbt+RD/aZ7QDIjTeGQFhICSAWHLSMXUDApZpych5DSQSSYpI1UAikYw5rIEIp51xZq5YWNA5d2hwQMkoxrxdRneN97TGU3Z4H6TSDWw3Wuoqh09WRYPjUyTc48CeldRwmDCBR217yeYazTkAQDFfeK3n1Z/c9OPdO7YRESIi4ubNm3WNqUnokff19c3s6PjYx/7pK1+6+p0NG8a1jlNrVYZIQA4TwNfq9TWKRU4u5D5vrCOe4C2MANPHfiSVIoilGxgPK5mfRhIWqY7+B8UHxFZkBElC+NTpCyIiA9i9s39keIQxxokI0G7rB9dUZ4aS3B2svwgJALSaqmnAGd89tG3d269MmJw/fP7C4y84prgq3wu9U2HqjPW73n77/hUrVuztYxYIG86/6LlB5z4kUBCLxfEZOa+BRCJJD6kaSCSSsYglHCzoPLxyx73jJ7QND48wxtxtrsQ9ibZVxUU2nSUf2L1ryac3z3aSf758+vlD90W0m1DsIu6OWjQxBPqMYkDfH/Vc+WXMU551p3SBSeQHge7+DJxzzjkV8vktW7bedc+9V3z4ciIaGtjd19c3Y8aMJs2PWC6Xp06dCgCnn376P3/sY+efc9aG3reLxUKtVjOGzBCYFcO6EIJ6z6yf+iSqat6gDdll0QiszlFAYY2Kl3zcQ3HTwDjD79H27dpZ/9lYzhzF7dIUghU2ZyQ+P/yTBAIwXbYQlf7dgwP9QwpTyKjCIXqAvRBtb1CwvyEjfPSobH4JRukS1zREINR2DOxYtenFTI3PwjmLYfG8HRNO7uh96qldCxcurEClm7qX0tK9VD5AamB4guiKvc8uIhIAMcwDZBSpGkgkktSQqoFEIhmj6J3JJ59yWuX3vz3jtLO4xgkRgJBZLfv4zS/D0rP67+omn7AVHyE6nx97DNFIBOOI629wNH4H/K/S39whn+36nghGIgFpnOcKebVa63n11XPPPP209x6rAL/hhhuaMU5Bj3PatGlnnHHGVVdddc45Z23Y8E4un1NVFUwxA8RSSMSKkJphvJcjrhHNjH+08bvTFPDLsUt8CRRwLCgvQMCRsYGB4Z07dzMmEhsFCduUB/c8Bo4QgRqUYA5HMNdw4ARAoGkaMmJMG6zuWrvh5fsfvV3pHQ+w+NgTZjyx9rEe6OmBni7oAoC9UThAwoYqZOhLxvy/MaMo+fb211etAoBKpZI8RYlEIjGRqoFEIhnTIOJLL6/4nxtvnDP3kMH+/kwmy7llr8XBJhWA/a9tO75wENwdH+fkNDGHL8dO1u8s9HzbsFsJSQzhiKKBkThXNUXJENHmvi2Lv/Hdw+fOL3/tazf/6IdxUw3GkiHGt4+78MILL/7ABzZu6M0XspqmubIN0JAV4Hvy2DaITFeatKpwBHtzlAjPQ+L8kfClExZpsJ0YLCv4ncA5KYi14ZGd23eSrsVCtEc4zsUH5dfEXKwRCAjNuRE41zS1xpAQaaQ2uKbvtT8+/JuNW3YsaOs8Zm3n6ZtPeG3XS2B7SPci9BEK7lIILtVY4hAB6KNrEFtbW1e98Ya+LFHcfEokEokXqRpIJJKxzre+/e1rv/T5Y0/vnDB+wuDQkMIYAJkWbgSPA3I1roXt4rjCQWi6QanYY0kJlw2SUjecIH/R7broWTBLPTRuAgLgnOtDWNRq9Y677upZ+cq/fPZzN//opscffySt1dqWLVsGAAh85qzp//LJT255d3NLoahLBoZkpY9NcGfY6Ii1X1T9iK9BGmYzN3Wyi8igOSspRhkXNLZVj8ZoVCXyezUExut3RsTnkVyPFzJWq6nbt+7gmoaMBTw1QbIW2fwOyDlkQQ8keBMJ4kOor+KAuo89ARGpag0YMYVxULdu37z8b/cXezMT322bOIR3//E3S5Ys+f+/d91rr71mj2rx4sWlUmnx4sUh5bGH0FUD82LFilC0WUTDDiPkcjm9cKRqIJFIUkEOeZJIJHsB9z/wQNdpZyzonP/ss8+ZY2Gt70DI+SUMgO6txonWB6hPJxDNCCHrjJAgsWfLd0fgt8PbUSrMjSMYmZ3SdXPFN2ljYkErqO7Mi/ZbjQCcjA5KDowxIlq5sueU95546YcufmTZI6eeekYqTeRly5bNnNlx8smn/PDGn/a9u7nQkq/VatY1+UhLQeaV/XBoWYQcikXEuiCe1KKxTKT5PIUl5EfyDIyi7CHqfnYdT7MgDcGLNJW2bN4xPFhV8grXZxyNcjKgmR+y7XQGAevR940kJBHjPYZcI67VFMaUHEPgg9Vd6zbvWr850zqx+Nzflo4rHNi3a93jT983bcpBLflxt9zyyyVLluhTpXZ2di5cuLBUKukbYJsrZw/C6nmgSO/+aI4GaJUZoK7TcI3jWLhgiUSyDyF9DSQSyV7AayveaG+f9Kvf/L5jxsxaVWWM2RqlId2ebskgrGc3ARg0nUBQtqyzE07T4I4x8JICLja8HIQhXDqCI3WytXgj6yIkDG91RBKZU9rrk7dpHBCYwnZu33H3Hfds2Lhx0aJFkZISJk+kd1QCQFdX19y58373m1+/s2ljrpCrVmtgOHKT56odG26ZhQR3hWyX6p6MM9Vq6c2lmyj1Dn0+ERNu3tX5x2b1dzumM00t6fRtsSjGYwNqoCMdAiAiQkKAHVt3Dg4OMsbqeXDcX9+nPpoxW38oEpU9GlO8MuRAmqZpGmcMlAxihg+M7Frbt+aNjc9Va8Msx7Zv6Tv44EMO7Zz5q9///KYf3/g/3/tOT0/PwoUL9W8AWL/+i8uXl362fPH9b9+/glak5ZQU+5J44H2MlCNHIO+AMePWcIKhob1x6geJRDJmkb4GEolkL6Crq6ulpfVL/3btSaed8OCfd/X392ezGc41W6tJ5HdgN+U8Xb7WabauL3tPWlSE6w9EOm2UW3QJUnSMeBYSscM9egnpEdSH/5JtiXME5ESo6whEjLGaWlNY5qgjF/a8vurmm3/S2dkZNR1XqkSVSqVcLiPiqaeecvbZZz90//19m99taWnRpz8EtLf2hcKB4FdIoqIzmtM9mKCqhXkbNFKBrRNTvVrPIy6onEiNz8aQ6nMb8nw1FrN4hBEAIXFChP7dAwP9QxOnTDB0T1FGBBMYIoFzpUZxSCsTgpyEv2XrUqE5Go2AiIP+9CNiNqMA8p2DW3cOgsKyDyy/q2PW9JEaTZsx8fxTLps4ZVzflq1HH/meV1f1zO7Y1tFxw1NPldph4VMnP7UYFgPAj35UXr78ewAdM2bMANjV0TEDoA+gq6k99Kg4/AvI4SYQBUEw0U0mQhhGlKqBRCJJEelrIJFI9gK6urqI6HvX35hVirPnzEQErmmILLSx5e3jDQgQvNMLJpYMrPP3DqJmNEYTNcZ9M24covENCECcMVZVq4yxhUccuWbd29t37ACAnp6eBCMUdMmgVCoh4t+VSu9973F/+tOf+vo2F4tFtaYiIGKkzl5bE13keuC+IHEv/Bhq5sesn+T5Dgjg2JUA3xMjVKzmOHQkIW4eopuW5Nm226YIBATIhodHBgcHwXctyXg1wN/zwxGA3L/E5+kOImK/FgQi4pyrmsoUpmQUzFC1trtvxzuDw1tGRobuf6x71iHTjzthgTIe1BGtWDzthVeun3bwkfnZuy/qvfDxVx9DxGnTenp7O04+GZ56qrej4wKA2wG6yj/67A/v+fj99/9q6dLuFStWPP/888uXL1++fPnbb99PtIJMJwWi7u7uUsDkCYsXQ3d3iajbtsIkgK4a6AuwkPOONAza/hjKKyJFHXgikUgk4UhfA4lEshdQLpcXL15MRD/9zne+fvtdJ59w3O7duxW37unf+ykw+Mg8pQHinm11LQV6SOwBArJhHGowo3EdOMBWWGDYemQ2uAGYolRrI7ls4dijj3nhpZde6elJnjObZHD5ZZdNaG9f9tdHhwYHi8WCqqp6x6NXDhDF486+T5ULyU4zxKRm1TJPvLGEg3SnE4lugtVTT+MdkByPa0SKcYLlE+Dab7oaAAFDVh2pDvQPkDHmP2ZGyO2pZU8K3UEd+7yTHoi9InQbmMg1J4F+OhIQIemWsQaIlMkwRABFHeHV/hFVYQpWq2/1r9j42KvIZhLBBLU4kbUeevh7iejXv/v+jJm7lz8z5ZgTpm9894VdO845fAGWuqE00p1v7wE4s6+vr6urS1chTz65BLAEwNIJSqXSokWL4F8Wn9m18FhzZy8ArAd4+dmBJUv+TFQB6Lby/Pzzzx933HF8RLNqaqR6F/u2GDq2BgBDQwuJAKAEIKdDlEgkjbPXdHVJJJL9HCJaWan0VCovTpyYmTTprnvuQgBEpjut2sxxR2Pc+ApUDey9NPU9QW9HM2gyQ9jvUBRSeWfbOsLdyZJ/d7dxBMV2QXg/eWBpRbwuBOKkKGxkZKS1tXjCsac88sRjr72xKtrJAuySwaWXXDxh4vhnlz/DgRcKBa6qYEgGTivYfhPFpqqucTh+xgLTmIvQNzvhqet/oiVPws0Ioc3UknjriKQK335uceTCDuywnFB63cO26hHj1oTeFE/+HCegKSXol0qokXrxRy44uevEanUERCUQVHiEPj4KzhdqhPiMY56rMzQ7QACqHzVeQra3mLFhLNiAgIBEgAxRyShApHFOGkemICBTFARinAGgksnnii3TJ0yZOGXKgRPmAMBPfv/tiZOUKblDctl8W/sBSAyR5bL5KZNo0qQpq1evnTf/ZH3Fx5UrV0IJSkbiDsO8ArCwZ6G+bS0P+eqrPQsWHP6pqz/21wf/2t7erqoqQxQ8Pdb/WJ4jfr+9B4g4MPjDHfc+9MMfXn3zzYukaiCRSNJA+hpIJJK9A0TsLpXWz5hx3Q03fO2rX509c/aaNW8qmSyi3gutY2tRYcAviNY6TpvGU0mlY9Zq9Bt2hBExgDEMAIWWTN2kcDXfY6RpP8++EeW6CAA5KJlMdWS4pbW1q6vrwb883IhkAADlclmfy+CSiz9QKGaeXv40AuXy2VqtxhiCNfmiMDPiEQt2uy2heenTiZsU3eYCiGWgRiJedE1xdwjpsEe/YhRY1rru5asdNHZPA0jdE8R6uIIOAyBDraYND48A6QKAo7YLcuVbmGJEYYPOr09gUA9NaIxMMisvWjcLwRy/oD+I1lUTEHECIA5InGP9dcaZwgA0zrmqEQGCNjJc6+/f2Udvo8KeQlDmHDRPYZDPFCEDKg3liy0tmG2Z0Dqu9QBWpbnzTiKim396Y02rHd9xVKFaHRgP7dAOsBbhBIJdCLCT6Ozh/PChudxITlO5fWaBLVvWDQ4NITKjNCPeeHcwgVzrhXPQnTAQLGlDIpFIGkKqBhKJZK9hUaWij1O44frr/3D//ccefYRaVaE+u4F/KwzNZmaEVGJYamnZdXskenuPoLGaodn6JnSrCQExYP206IkLggZfLQEioMKq1ZFisXj+eRc++vhjK3pejZ6ikJ6eHkS87JKLW4r555//Wy6jKApTVY0hM8qDbCYYOQrFVzIQbPtjhXJ7ead65y3/gQA3E28uAgg00kedYB+X6KcbWg24xCIMuOONE6nMnFM4Ot31rS9wCAbo2QM2RwMCYIDEqTpc5bq9bo29tydjKYNOwTCQYDHQdbFCOdF3h5FJ2w2q+3/YJQ9zwIXxT/c246BxDYAAGAEAEkNEJFAAiGvEAaBa5ZzTLtyNRISb0RwVxTkAUgaUbDZ78KFTgRMhY2hIF0hESAwO5gCTNa4VNI0IkBPxOx66FThnwCCLfETdvnMrQ0ZkyHj1aR6Dq4H9JnocMlyFY49oJSJIRwOJRJISUjWQSCR7E+VyedmyZbt27772C5+/5MKLfndHJZcvEBDTZ9c3Ogp92/hhLfQ0u3gbweZ2m1pmgjpQzQ5WY9LtuhcCuRvtflETmG3geB3abqvZbqXYfBIQEBjV1Founz///R9cu2ZNvtgSJx0xlUrl+GPfM3FC+zPPPKtkFGSKxjWGCjnugE09iHIpwsUWQk8X3unU66JlSpo6kU9S/qmGmTbouYe242nY3QG5Ti1qh+e9zakkPd3AURhY1+w8oexfoMsH6AlDTscXK3K0B7JtECEiIhLByHCVNBLcKbtMELuMg4UDV0hHzuImVs+5TStxuCVAvdSsIPp8hFwXUVRTOyViDFEBBoBorbaBRHqFQACoUpVzjXMA4gQARMgYGc4agIho1hcEwxOCFFA1NQeKphARB9QLH9BWsyJKR5GO60oGERUKTV0PQiKR7G/INRQkEsneBCI+8sgjy5Ytu/GmH778as/sOYcOj1QZMm5zYjWDOjvg6s1u98edRFgWGryEYIyOMfenIdD/6j2F4Ghqe4/7XrwtSJA8EXwxZH6j4xcAAENV1bKZzBVXXrFmzZscYMOGDbNnzw6ILJT3nnDCeWeddeYpp774t5cAMaMoxhwZSLb0g/MtuEd1t4RQzwPy/dn0HntDJ4pwZ+2Q48+ecSxw04w8eG9oExJC1w90Ppy6XYnul5TwPgnfYgF3FM3RNwTVkSpxc9aAZJfo+2jUt4I/znNcslCEPHmCBF49gm7eW7KGqREhAhGBRlzjao1zldSaptY0TeWkcdK4pqmcq0CcIWcMFAaMIUPKKExRWEZhCmOMocKYwhhDVBgiIgOmMAWZklEyYmEu0X8pfv9/WUcLRFI1kEgkKSJVA4lEspehuxsAAAF+4p//OZNTVFWztY7COkPTozk2kzvWJltmWPc0ALNFLT5uCxIWp59wEHAtDhPC9gcBUGEqr2Wy2av+4aqXX1qxcOGRlUolm82uXbs2PC+uVIgWL14MAMcff+ysWTMP7+xc9tijmqplmAKmrwq5Zs/0NVxEu4OvcLQIlcaMQLY/kbHEHN/rCTVyxwTht8NeJZtz89z3xi4aCMrO7WbQUNKoCxXVao1zh76akAYUzrCT/OIlABJOOxoouAqP2Pboxc/AcLhwWPf1G0SE+nw6RMg5aZyIiHs+xl8gVVM550QAlMJtdD1i7mwCAHCACNNnSiQSSWTkCAWJRLK3cuVHPvLG2jWnnnbqsr8syygF07hDa9SoAKEnqLfXJ0KXukFsj9ogGndSjYo9HltrmSCwiEh4zBamftDX6ToQAsNrVx9ljUSEClNVNZvJ/Ptn//2XldseWvpwZ2dnV1eXrhzFi50IAMrl8uDgwJNPLp80ZdKyZUuJKKMoGte8vcs+Yy38r8ndFd8ICStWQMUHb84C76cgR757BcmibSM1m7vxiOxykHf+gmalGojr3gT5CKSeMNZqNc55BuutQZ/hOIG30bduiGIizyF0HET7UbKs7Dh3wVaYid/Q4veX8YoEYc13TaBqm98RzUVjR087pEIBmOwalEgkqSFfKBKJZG/lw1deuXHTu1//+jcO7pgxNDioKIrD2dXRPHO2UNG5MbZJNY9+bdZ4iUQLjX5OB05c/YKOb8ZYtVbLF4o3/M/Nb72z/qGlDwNAT09PMslAX3r9xzffnFWUuXMPe3Tpo4iQURjn3JkfABJKBuF9qVFtgqS9suljczQJYozk1kHyPNlrm8PDZQ9eZrDHuREiXQgANI3r9d9e4clXMkuQhLdv3/uke7LlHqcg+ogfUudOMp5lv8C++RZVBvsOdLi3oTtdWzxklCZavlMx8pEUY10h6WsgkUjSQ6oGEolkL+amm374rW99q+vsc4ptrdWqyhgSeeZ5E4KejfATfIKmZ2mE5CWFFmC9B6/RGKIeRL8DwZlAAKawarU6rqXlZ7+49Z0Vz3/tG4v1wQUJ0CWDUqmEiOvffnvdurefe+rZbCaDgJrGPYFdOWvA9zpK3poUrwj/mxdjVIGvtZck3YZIVnTCsxzaJTjnrgAAIABJREFUwdgD07f/iIAIgXNOhmomGorjVxoBlcD3WYkgH5D9gONHWMaC/YMg0lH/R52sLKHtp3lLEM1JKQAQyJQH6tOjkD2i+mbgBSZH4AQhkUgkjSNVA4lEsnfz6KOPrnp9ZefhCwA46JNYk3AAcGgrKolnMFmtwgZbflYD1DMpmt8g5+iQvdUr2CR30zYkk2HCAbp2BEgGPt15RMBYtVZrm9D+vVt+sex3v33zy/+xrFwul8uheRSkZJMMiOiNVa+9+PzzuWyWIRq9rEBEZn9kvUCcFoS9x9L2IfvHfkV+hSSoKs6b0hjBCod4f/222m6eqAzAedtiqSm2eqwbWYapFaNie7ScBPifFetJGE0QG34DALguiqxqzDXO9QH45vKERKYzvf0210+NnA97/QiwyF1ZtJnS5lPleczIFsS6adG8Ccgbmei59s0eANifE2NLLLfYL4WAOOn/M5GxhIN1kZaCYHyFX0bYA06cNIpSHBKJRBIZqRpIJJK9m56enr6+vk986qMTJ0+sjVSZooDV8HI3tdFtGjkOAdibo55DAaTdOnPmM/moXME+kbXrbof7Xk7S6xTNBuHZbUXOgRCr1ZHx7e3f/8Evn3vs8f5xbdDV9ciSJQkm93JJBpdddtmKnlezuZyqqhrXjFw4rCOyGxJORaCe00gGM3pqnEgkcU4HEff6fBHbMX5ES9d72+LmV/BExjrZnZeYCE5ymbbmnzFjcEUqIWFuyX/b9pMTN0focCLiYLjeuEfh18110cMbPXUDNARSdHlRCLQzjzlPph1u2+9OIlwD8M9b1EjQ/Xg7Lq9+JdYFIiACB0OSsZRKSzmAaJKBIHP2pWKN//r05r3bkUoikUgSI1UDiUSyl1OCh/6y7Gu//U7nEUfnWvK1Wg0Zc9qBQrwmnUFye6FBS0PYDk9gRrqNoATnhwQIj9hHEPBN0LIGEDCDqlobP3H8r/73Z/fe9euB3bsAALq6yqGJiiiXy5Zk8OHLL3+tZ2U+mwHgdV1JN4TERg55PqFX4o//wHXvuJFU1INYWY8Sn1f6INffWDTmPtMYfqWSUlElxpt4BC8DsRhibdi2nZMX6E8dmQasub+ukwXoJ8I7HzAcyRks6KLsyoBYaKvLF4IwAbc19GmI/cT4/i8SdIYpyYArKc/QqIjo+onNtYAACAlgELhUDSQSSWrINRQkEsleTicgwZP4zCFXHjZt+tQNb28k4MaC5KMIjc2BpLGyJejncx9NA3JvWF1xBMCwWlOnTp123f/3k/++/nu//s1tXV1dXV1dycYmAMCSJUvGjRtHRJe8/4OrVq8q5PNEnLipF7jNIr9t4U5PH+m+jr9VE6fuRwqLgiJtSKKIf9ooP9Lk12ndQJS2Cf2tq/FelulWQKCHRyTQHenrqxd48hEw7CiQeL4TCOCzpEPcdBs4xR1UVDetYM6DRIBYH/ZU1wpcMSTUC9y5s7IAwAEGAfh+8V6SSCSjg/Q1kEgkezdYhsPLneVymTH2ve/9IJfLqzUNfRp2EQnoYgvoVgo4K2r3lT32ZCOZA7rZIpzo23gl4WYCRN2iVmOagVqrTZ005XeVh17629O//s1tALBs2bLEkgEAfObTn/7Sl770/vPPf/X1nkI+S8SJGyO4wex8FVmjUa6yoY785CZw8jQDCatvAQnGsHl8kojZYRufYEUsDdLJfCpZ9NVbnD+tTn1nN7XDuHWE9Yvf/s4KJP4AI/M7+NMUgmKPcyHWk07WYAWjlIXjn8Ijsu3xnGopsT5DoiQSiSQxUjWQSCR7N4SwCBdNnTp1/free+6+e+7cOdlMljgBq7fsEAyv2IggJLegxHZ7pDNdOYi+O1IufMPVm8bhJzXWJ+bXAtfnEyNN1WbNmfP400/3vv3a5z7/6cQrJpTL0NUFAHDppZd+/BOfOO+ss95Y/WZrawvnnDiBd5IBMjOyB5rZcWYJIE9dGr3sBqcUwzs7dHdwXDQalx3DT8llLifXDkR2d/JJDZwGt19ABGD6/Hzuvu8EKgs6v9PRfxIoBKmICuFn+Vxf8ImcUC/ZNGqwKA40vkiuuSiRSNJGqgYSiWSvp1wut7S0LF269OuLF1fuvLe1rVXVNKthprsdGMKB/knaqkXPhhhRX196/WL+iVudh+DYcGcCxId985ZCpv0sGwIiZEhApNKCeZ0PPPTXRx955KRTTgSAZC4G5XIZoKurCz56xZknnXTSl665Zu3ateNaW1VNtTSPgI7TUWtrRxwCXsfvLoyGdjAK4kS9v1qcWBrOAgm7ukOiRO+seHvWYvNqAD6hgICUTJYpiucxMK3PoGhD8RQDiXY6I3d5F/iFDHc8IMEpEUmpurv1ATInIEgxej8QCQC4XEZBIpGkh1QNJBLJvsBVV11VLpfL5fJ//ddXPvPZq+3zexGAe+59rPfJeEm5xe/tnW+gIRfq4+BpKotOEckJUSSDBhwNxDFzIGSMONc0WnjUUWee3fW7235zxplnokncKEul0ubNmwG6qsNXHjP/rD/cddeGjRvbx7erqoqARGSNXCHBBaV1dbEFgfgqlsdQSks7cOfCqBv+cTdpVEEEszdpZADQcLaNWyyKAiP4KkVMI45/lIVAKQRR/UACIKJMJpNRMg69w35ZIgFUfMCLS52NUOQCUc91OPoHPD8jPCXxHqPgK7JLJGQqCI2Y8eGVAS29hwj7OZceBxKJJEWkaiCRSPYFLCMzny+uW7th1qzZtVpNUTLGTFpEgiaeKRy4ZxLwaQtGaX85erpGoxPYLxck2hYHDgrRzPwTgYKKxjWV887OhZU771zf23vFR69MIBbolEql9evX9/X1bd2yef7hJ99x3583921ubWmpVqtGeogObwO/q6tXgmCzQKgOoP8hZxDv7/Dr9qtVTu0gnbsWMSKKYX/7xhfoPkOuvykSIeP+eQ482bDfErs1xcA39kiGfTaTYUwhAv0lalsm0FdYdb1fAnOFRlSJi6Bu+Seo2R7BwPmUiKQGc9OrQURPtS7Dmn+MH8b/Qynh8x5BBAQFsVAoHHjwwamlJpFI9nukaiCRSPYRLIf2qVOnP/CXv7SNa1M1VVEYOFp9vm34YN/iRhq9oXsig+Z4i4BIBUeFPVzks18UJ8SYssvC6mbz9hsTEJHCUOMacTrssHlXfPvbpSuvvOHGG+MlYaNcLk+dOrWjo6NSqXzhX6/92f/+btuWLcVisabWwOxBRcMYML8DMu6oJujzAdu3n3kYueJ4vMHrWyLbR/QRLP/uiM6yvsheDqJOWiBPyvGuQhxrBGwLAOoZtF1UskfHfpJ3LEFSm1twmqCC1H8ggDVASvRxRYOJHQ1sNUV4TeZ+YzYRyuQyLGM+H4D6RAd15c5//QIrLndtcz8Hzmck4j2s33DXrQ98AsSVzvWUiCpl/dHwpmuKCQ78nncCIjQVDl0+0FeyJCJOQMST1mMP/tI2AgLDKVOmHHH44akkJZFIJCBXXpRIJPsSunBARHdUKpdccslvb7sNMxlEQGCE+jJi+nThpu2tN7KCOoAQAg4mJmGXUzqtTTP9GJJBwjS8OdbXIENkyGqahoCdhx3+X98sH3/EEUmSMNHv+7Rp03LZ7HPPPfSpT358y5Z3C8WCpmmsbpFRdO/gIAkpWLQRR+Y5nujux74NbuHA8Tu4DiasauT7AyKYwanVbxco3kbQK7f1FvDBUVIeF4NQZ5TwcKJomwkCIDBAQMYKhTwyBqZqgFhXCkJWorGt6xj+PiPbcxAauuF6EJiC7SDZdwbEQIbegaLw6H5Fkv0sxxaB37QdKYAABGjcwgzLtAGcc/rpzUpNIpHsf0hfA4lEsq+BiFOmTPnaN75xeGfn4MBANpOtrzwOIosw7QZ7bLsytXSD2/iOPraIkkGDOIrWyB8igqqpBDB/4RGbdmw5/vjjG0mCiM4880wAKBbHXXLpVf/+b9/cuGFDLpflnNDeRk/rokSOBU33Qo+NuEfT08+adrVMZA0G2usNE2KtN3bjxthdN4lQbgjEiTHW2taqZJju0YE2Bxr7drz74NeZLujbFwUIEp5i+BgIU/CPxr3Xcx1CEbQO2kK5E7N5HQRlKgl2Pw7HBhHu2rkzk5FdgxKJJDWkaiCRSPZBzjzrrLvuuONTn//8lOnTBkdGlHrjqZEhtpEg24bTNmuacBDSoLWH85iNPrHZfjWUbcfpuuszA06cc37icSe88vJLy596qpH4AaBcLnd1dc3s6Jg379BvfuOL72zcmM8XODeGX4xRsy4Sjff3h9xxvwRiJuy2rYRxBMYZZ9X6CNGlAgq2/ELsccjxJ+o5pCisrX2coigA9Sljw70GxCk5D0R72bhVzDDJIAExzXR3jsOFg6DXb5IVLGPiHmqjj3hRGLXPmAFSNZBIJOkhVQOJRLIPgoitbW1r1rx53InHKQyJc2GoMPfi5GZB7F7VFGg4cnfnWvy5DMJTII1zqtH7PnDJsy++sHrNW43HuWTJkq9//Wv5QuHm739/04beYkuBk/B2N4ExZDfWiZkpr20X76aLzKjQvubwSINEjnRrpaEjOobfiyQD2/6x51sSBwIAROCcWEZpbW1hyIgoZBbSAO+A+qZXAIhWr8JuqK/o5as4iMNGSEeQZuPqnbHDmNsg3erj0VZ0txFAAMi2tKSWjkQi2e+RqoFEItk3efLJJ9va2n7wg5sPnTN7pFZlSqbeKg73N4jU3xZ2PHV/1JD0kp/cTL2gXuqIAKBp2kevuOLVFStee31V45Gfe+5ZpQ9fPnHipJ/d8r/v9vW1tLZyVQVrwHXUtrl+/c0wBH0qQISeWKqHA0gwqYE4wuCdCaurNR9e+PkxovdkzZVAQyUinJ2gvuqBscspHsSqVM45AMM/kSP2kLBAEAiyuUy+UAD7ygmunAjvqNi49gthD5Te+9B11a43bshjFRZzPQaXcBDsOkABBxER9OlYmzJNji0h/VtRUk9GIpHs50jVQCKR7LO8+eaaL33x2gWHzZ84YeLIyDBjRkMKCclhD7ja7e5mHYU0R4XH/VqP5PrbEGT1yvqbpmGnu36nphcgEJgdmASAoJEGAP/y+Wt6392k6qshJoKISqUSAHR2ds6bO/e444+55/bbN2/clMtmarUqeSWD8GZ6o4abN4/xDJdAbaF5koE9lTBrS3SCe5/zQGLRrLk6m6ij1+Zs4AxSX+PAqSiEpwExK5NXZYhEkrJCAkBAznkulyu25AF0W9aykM3EA81jx7ZN4rJ9/OptjOoWSZQIPjlaJRSLXk7hQHypTrw3Ds2AXCUi/f+eJgiU5gUQABHXFw+SSCSSFJGvFYlEss9CRN+74cbWSZMOO2xuJqNomoZMtw9I1DSP29RPbBWlBAm2jF/2fHmNQnfGyVzfLuWLQUR9hXKFMeIaU5TPf/XfHl/+6NreDQ8/9liyOImoUql0d3cDwPi2tmnTD7r7jrv7tvbli4WR2ggnz0pxOJq3KEKVCDbfY55hJ9jaTM1McRmM4bXLbm/5ClzikOmDzm10/7LtMzrgoxnxXseBOMGT+hzUl9l07g1J2vjLibe0FlpaC0RkrhAQnjQ50iDHAVHdj2C5+x30yUyyqkHCzaDk/ZJzFbhDTbBjSlF6yTLEWrVWrVbR7vPWCDZFw5W6pmntba0NRS6RSCQepGogkUj2TaxVGAstLb+87bZJkyerGjd8DKxWXqRmW6hVFBty/GkkCk8cjo4x11r3jg/ZxILUqXecIgJjKmn5fOFzn7/2ztvuuL37zvvvvz9ZtLpkUCqVEPHSSy4++sgj/3Tv3f39A4V8QVVVBGb3IjFsoHiXl7wwIhm6grvlrFGJ0o9i7aVzl0WxkKMuuT9R43HKWKlk1kncDl70jFBwGfbGB40JVmN9gvPp2fJiqAW2UotaZnU7U+Na2/i2YmuRc45YXzQBQ+IyZvhz1tpIr8SY7820q4GztDyZDpA13FXTqttk7fDHKFeGgwNDgwODjLGUFFpvDKivbMs5FQrFr/zHvzWchEQikdSRqoFEItlnKZfLlUrlueee+8ynP3XKiSdlczmVq4wxvSFnayWPMlRvh8ZqPboNTCJRu5ccDXr3eSloHmHY1ztEhhpX84XC1f/4+btuv+OhB/6SOFq7ZHDR+97HAB97/LHBwaFsJquqKuhDImyeBRRDGLLOSJq3OJIBOZ07Elh+gYgN1OZU8vDxLC7tgFzXKrC5IhdCpEtKNvDEPjGgUYy2MsWIAkC0pOIPSyB3qTqORTkfgTgR0ISJ7blCTuNccKbzvULeW+l8h1kBdAK0I5/XkRWbpWnGfR6iveTExRZWkUXiahTJAAAAkYAQqFqrVkdqyNAYIxKUXMDHT+wlAEMyJc5zheLrr70WMsOlRCKRxEGqBhKJZJ8FESuVyowZM37yvz/FXPagA6cxYMS5aQUAWE7IvjTVvo6TiLvl7XfOqGTYHwQgIAQEBGSo1tTWca2fuPozd95/x4N/TS4ZAMCiRYt0yeBj/3yVRuqrK1YgMn3giX4HiezFYioGMcqjaS1sR59smjfItDSxPgDfbYWmY9s2hViSgf06ol5TFMkAPT/t7wRTIEhTJ7An5Zcd/2QarT76xSERMKa0TWjLZDLWEjOoy31msQX3wweXhFsOC3NpsqsSvkFjCwmj/jJE68ueC+OiEBCBIQBR3La39ahEuSJEREXJZDPZmKlIJBJJEFI1kEgk+zKVSqW9vZ2ICsXi7yp3FopFXl9jrG5UptMlE69DnwTmEjl/gjCqoH6xRrrLHWkljYgs4QBBVbVJEyd/8dOf++O99zzUmGQAAJVKRZ8oYf26t1e/ukrJZxkD4oRo2jd1RwNy/IqR9yaQrCPdibB61odiBNReFG4mJWkUDj2nwQxEzUP0vMYUA/a0DtNYUZqTS3DK5ZTx49sYIhGhMeOLzyn1b//joQebMhbKTuQb43qjpiHEiHaZjimm5sQ5J2NRWB6UsNjrIzSXlkxIKud5VLJZqRpIJJI0kaqBRCLZx9HHKbzyyop/u/bac84+WxcInK6baRgBSfyFnUMMXP1JAt2Bgpregb104vB+AgeFBRBhFSIBMIWpmjZ50tTrb7rprvvuu++BB2NkzIcPfehyInrfuee+9dZbLeNamXv8tWVMOf/EIG1b0FluEYw9gf2Pxl7L+LC+sX4wLNYIXdjJaIoDdErGZfRowuq3n2YTyfvA/3kOyWCSosUIGQIERFQ1Ld9SmDxlonkLyRXGtiOCy0bgi4IEW83D5ZSSHIFaK0jLd5/HiYWNjKiqyuvLykT6LyNykVn3kSEQz7UWxrXKCRElEkmaZPZ0BiQSiaS5IGKpVHryySd7e3s/eNH7Zxx48NsbejNKRrfY0egaT9A1DQARzrG6wf2PmxOYhyeTsNUd7h2sE2YYRGmEE6CCNVUdP278r3//u5/8+MeVO++MlMlAPnL55QfN7Lj44oveWrOmtaUFkRsFR96bZ/4YdfdkB2EGhx2hXzMKjkRxufdLQBdZzJHPsaMIiDrFgk43tgSpO/7GOM+Ta70Kov2XsYGuQCKSF0JYCaJeGVVNbRs/bvLUSRrnRLqK6hYO0PFMiTIYYPeKy9AYvRSb2OXRqJxl915C+16n8w45HkmyH/BGODI0rKkqA0acyHJ1s6utjmQivnBdiSAQMlSmT5tKTXfukEgk+xfS10Aikez7VCqV3t5eANA4/fgXvyjk8ipXAQDAWBoQEDxL9iVH0OsW2J1JRke067z6nnAX1UjtQ/L5BGU8OgQACIyxWq1WbCn+/s67nlz+xNDwcLLYAICIFi9eDABHHNG5s3/XxnXrV73+asu4VgAirucS7R3p9owkJXXv80D3EG/ijs1IPccx0F0WREUWLxL3jngeBxE8LtIipreM/bxGEzZSFD1soU9z/cQYiO6LX0gE0EibOHlC+/g2fQGFsASj5MV5oc5xVO6XYXSSv5BSwGO423UU4zmyeZw4N01XHMspaHh4mGumr4G9Ojiusb5ERdRXhyV2GUA2n5kyedL4CRPiXq9EIpEEIFUDiUSyHzFv/vxf/eJn53SdpqoqY4zMeapMGzQF7C1B9yRgYdqB/XSXuROh+egTxGaDhMoG4VF5j1gdbIgAWFWrE8a3PXz3H5954vGTTzn1xhtvDM+4MCmiSqVSLpcXlT7c2lKcMHniKytXthRaiHO9ta6bOqj3oXt79pplacSy462aFRKjK866ZOCTfCTX+ID00KYfJIzBnWVz0ITvGTaCi6QZgx6sdClwTzqVJsJQFOEzXZcIfc8PrlBorzoBxYga54gwZcqkbD6nqqptnhfxWZiwtqT8ECZSgAKji3AkUXJO7yBjSAKNDNaIk+XDYZOQwH73wVk/wjNj/udlP5QpFlvb2mJnXCKRSPyRqoFEItmPuPHGG3dv3/ruth0zDj54aHiYKQoAoTnJtah12LgNI14mSxzU/I7XTo1knIb0JMZI1BUaAQgYIAFpmjpp4qQ/P7j0R7f+4vlnnp01a1bEKN0p2BZZLORyh8ya+fJLL+fyWd29OT2FJy7YnK5PH93AE8jZn4nQyLQCqZSfx5T09zvYI/dLSISHrIHMxqwcdqMxUt0Kj99RmwQCjz79YSaXnXrA5ExG4Zyir88Xe4SMn40b64Uoiim1h9ArOEYK5fYL8vyqu0EhACISwfBI1RiZ4PgPIfy2W29cf1mu7vgACIwpxWJ7S2t7cLQSiUQSC6kaSCSS/Yvv/uDmiZOn/P0/XtWay1dHRhBZiv3S/i1i2wrk6Rue5PgTECJiROFnGBdKevcYA400TeOTp0x/4ulny4sXf7W85DuNeRnoksHVH//44K7dr7z8Wj6XByAwZiD3ZCVOX3ZjiPtc3bui6Th+CYhi9Ntb7wRGUdBQAy8Fa95tmbpt0MAralamAgm7NUkrUBSD2PP0U0PVRYjDTd4uNhkJalxraStMnT6F6pImOs8Pitv7xFmIri4Rtoj83pfNfMztyQQm7qseOGJAAK7x/p39muZ4g8WVQnyFA5vuTRwyWZw4cWJ7+/iw+CQSiSQGUjWQSCT7HWvWrlv++NMLjjmCaxoAOBuGzerTMmMz02o8YooQH4FfszcgVgDwaZ3adQ8iJEAOiBrnnOiggzu+cM01l1122Q9uuilOgs4EbJIBEW3asOG1N97IF7KkafoUYt6LQUjrpoW6XET2yTC7GaPSkJlcT8w1eCEs1rSNc1/hQCwj7BVEqkrk/LLvJ3GtoaCDaWIrawJCAiIETdMmTZ44ZfrkWq3KmGL5GridXtw3SuBbEo7f68d72Z7iCC2ZRosumqNB6CG7a4fnFxAAMNA0rb9/wCgNUbnFF3bd+xGQEDjXctlie3t7Pp+PFqVEIpFEQqoGEolkv+Oee+7Z8M6mL37xxinTpw0NDzBFAeJgzodos3ia1CdptnUTN3gN67neZvaPKVkaftYAAiBZE0cSIDBOnAgOPfTQvzz88KJFi+6+++5EKRqUy2VLMrj4ovetWftWsVjQkzAh2zdAXFHElwZjETp5h4sHiSaUdxHkuRyUgWYY77bBE2if7MCRVtAdI7PLdAwRye0mNNyodY6b2AQkUxWoS37TDpg2YXy7pmm6wzy6x5a4LF/HIadniSDNGFhPc7gB31R1xR+HpOKfBR8fAP0hYKhoNW1gcEifsVAYSYOPIxIY0/QQ5XKZoaEhqRpIJJJ0kSsvSiSS/ZH77rsHgd5z3AmPPfzw0NBwoZDnGtetPKIQM8xA3MyN2jeJ1hfEaTCKfJl9k0zFnkbTLNXzS+ZalQCAqBER1xZ2HnX73XcjYrlc7u7u7unpSZzakiVLoJBZT3TRhReuW7uuWCxomkqcOy+InD/tJLjkxkoJfSKweXJj8J2IN0xcMEjBGUvsy/G7gkYJvC6yhfJ0w48tgl4H0SWD8LgigYCxVRXUBT4kIEQkrrGsctCM6ZlcdmRgmDGlHiUanjvkOV0Qq9j4FYULRhQL+R5uuAQbxKEpBylydacCIkAcGVGH+ocY01UcDHoCwhD+p2HdNM4pny9OmDBhglxDQSKRpIr0NZBIJPspL738/MDu3TNnz0RE4KQwJnJ2bxampeH4G3KCZ3r1oPOSjoQQ9DjavhkiACEiAwQizrUjFhxR03YsWoRERESLFi2KmaCDv//HK0ofv+yT5523bu1b+VxWVVWNc7OQQq3LBB4cKd5uj3lU73gVry8Q5Gjg29MamuHRsKlsfgRoztgfvZvZ6XhQ/7uHOpOD8OTO9Qm4KQGu5HsIRGTINM7HtRc7Zh5EpIJu/NenNjA8ExBT8YLxdNRHwFkJhIWVej1JEpv79Rro7sUYq46MDA8PM8Zs+Q9adiRqBjxoXMvmCl1dXVI1kEgk6SJ9DSQSyX7Khg0b8oXCvX+676QTj929sz+fy2tqDYAQWVA/UnrtVTMNs8ke0ovm1gv8AzaUxXouvJnRDXdEAiCEWrV20kmnLH/qyTfXvAUAX/ziouuv744+H7uL888/f9q0qZdf+qEv/N1nNm18N5/Pca4R6V2a5G6kR5AQRJdlL+L0bmS9s1DvQyT3UTA6e+33xs9gCK4Fuo3qdfr3y1ATcNxgj5+D/WD0PIwRsSDYpUBYrIly3lB/edKyMtQB0rg2dfrUgzoOrNaq1pqLwhpT92sw67BfzKZbTZS8RXzHRXyifaILe4QawOfmea7e8bpBHB4cGRkeYcjMUGh74yd8YO1OB/o2IwTOi/nc1776n//9resSxCmRSCR+SF8DiUSynzJjxoyt27Z96PLLjlp4dC6XHxkZYYx5GnC2BmJ4F1fslp+zlezvehwx4hiLPMbGaKEjIiIhqTX1ve89edUbq3TJAABuuKGSWDI464wzDpsz+5hj3vM/37nunY3v5PM54tz3UuJJBtZta6ZvM9o3fYwKAADnaH9ImKNYPhX+3igJUg65wej4uNwQXApDQ/nYI7ifVr+ci11digdlAAAgAElEQVSCInSiNwtj0gJ9rglkOGv2jHHtrTVVYwzJJfXE8BmxhXMLjVhPNFp0iUpHFEyUXixPmDiEPogEAESkIA4MDmo1zSbTEKWUIVvRESBpRIWW3Oo3ViV+G0skEokQqRpIJJL9lPb29kqlcuddd0+ZPn3q9CkAQMTB3Qhs2DaLe6LLvhDZJuK0Uhrlb4DiX4jAOSdNu/D8C/p37x4cGk6cgp1sNnPg1Gm/+r+/2L5tez6b55rGDQcDMqb40iUR81tsiYFxwLZJnoOB9l4jRBUOAvcAgNf52TdM+FXscYvcabC5PBGacyOajn+eIwmL5N2MQ1xb0DF5Idd4rpg7ZO4s4hzJFplw1IhwvJJvOs6t0Xem8EnU7RqTKGMhQ4l8s2wVL/bvGlBrKmNorpLoCtKYha+7kXAiAs6pmCu2tBQbilAikUg8SNVAIpHsp/T09JRKJSJqbRv34F+WFltbNY3rvXHulmBY+z5W36/wdJsl4d3rSD66ZNAA4tgQkZPGAC5/3wd7elZu3LTp5RUrGk9swYJ58zvn/ra7e2hgOJfPaVzT29WWQ3+9lW0KCI0n2hSiCAcoCOxLM2tdfPxtsrgzG4xRhHJNM0q4UacDb0kLnTocBjMiY0wjbcrUibPmzKipNTQ7vBFAdzgQSgj+9djjSoBQ9y9JWB3iFYczaWEAb8HETtGphwRLfT4HiXbt2MWJ0NBwKJ1pI2wgESDoDlrj2ttaW9vSjV8ikUikaiCRSPZfuru7K5XKSy+9/MlPfPzUM04x9nJAQohniQf6KkfrVfXpgoyQCR8vg4bcH6g+DEC33pEh5xqCcknp0oefXP7QI48+/dxzSVOoc/RRR5144kkPPfBXVdMKxTxXVdCXsagvJGYXC6JfkzBkLJM9EQ7byyeV9KzrYOEgVXvXaTAFjDnwtd/2XqI9jz56XqzQIdT7pesWu7C8LbPdPAOJAAAJ+Kw5M9ontNc0lTFW1+KCkgyvr95A/lV/FDDUC9EDiM56HPjDZ0/s3CCQxnfu2E3cKm+sz9XS+FNqxYBIQIqSaRs3oXXcuIbjlUgkEgdyNkSJRLL/goilUunJJ5/s7e09/7xzD+w4qPft3kI2rxEHAjBXzNMbjuRxsPZFD+oNYd8jao36dUEKI7Nfhl04iNoKJZ8LsyJBQnOaNFRQVVVg7IPve/8zDy1b/syzERMJ5vhj33Ps8Sc8unQpAORzGdI4IAJxXTjQZ3c3Fnij5N7FIuLafjGTNm+YcCW7KGdHhxzTqgHpPhqBJ7i2YpstUfLnm4mx6ifiwv1QRMi24JJ9hUesxxk6DapfKt63EfqEBABChhy4klPmHn6YIQQmWDTGfY2C3wkQeFp5jkWMOkIfftjb1EzWHZHnBeQodLTtcqaFjKk1vntXPxJDY75UMvWc+n8VCR8MAsfpBNmsUiwWUfYJSiSStJHvFYlEsl9TqVR6e3sB4NDDDvvud7+Xy+RqXAXdlZSMMcFWH3eM/u7QQHH6zhu1tMi5YbV2yRPABAHQ7OlnyEhTCfD0M89e9crL1aefnd1gfgAA4NSTT+w67b1PPf44IM9mMsYEBkYLmMCY0YCs5SbJ8jtIXhyBYkFwzHETtXUEI6JzasDQM2MRzcD1ucDIl2XzPElEsFvEPkLEO+yvD8ZLpf7xn3rS3EZErmnjJ7bNmn2wpqkMGRDoy3HYzWFh3gMvSJAb/09M/J08HNEZnhWmc0FY4giI7vNFEoHjd0D+rdeTfZcxzI0AGWPVqtq/e4Cxuppoe595FtQVgZ5vQRhC4jybLYybUFSy2bAoJRKJJB5SNZBIJBJYvHjxzTf/+JmnnjzuuGNGhoaZonBO9d4gD85Gf2O2UKOWMACA7xRp9pi9DrH+zXir54oANK2qcjj3grNf+tuLysRJO2fMmN1YZgHgzDNOv+iD739o6aPVWjWbyRFZpi8a/ruOLnGy5SikY87Wiys8tIewmTPxMhKhYlBAJfI/0Hil24dJpWTSKl4MMxfDzkVd/6yqasesg8dPGK+qWsAE+84DQkExfj4SEKf4RIuSGDoK1odpuE4RaQ9+0SfKKSICccaU4cHhwYEhNMeJxK0ZkSQDAGSoca1YzA4OapmsdCWWSCQpI1UDiUQigXK5DAAHHnjg7v7Bgw46eGhoUFEY6X1xo2laNZyW29b2c/71GprOn0YLlaHGVRXh0itLTz39/FNPP1OpVEba25c1lsnTTzvt3PPOv/33d9WqtVwmC0Ro9MkbOfEphhTsXHHL27d3Pp1E62nXtQME8bjrVImjIuwTNG7RNuQEkDSlUBWsvhGr716vbgTAEDlBJscOP3KeklUM2zVa1kKy1Rjk+4aKDHoN/7pSYGkJHuEg+gU08JgSEGGGKf39A0ODQxlkyJrx0CMAECJD5BpvbWktFApz5y5IPRmJRLKfI1UDiUQiAURExMs+9OFJk6dcViplM1lV1fQ+b9ObFHws78ZptNnsEyX5ZDv0XH1kAgFiTVWzTPnsZ69Z8cIrzz7zvH68p6cncb5OP/2U97/vgnPOPffO7t8ODw9llQzZ5l10l2+QMR9EcLPcXzKwl5io6FK5Qe4+0VRsCJG3gcM5w1q2shHZYIxrDXX7ek86lSTB1zUmii4gFBFctQsRa2p10uTxhx46m3NNIIWSYCtJ2im70TiTixYuoDc+7AB6DkQy8l1ByFJ4dHOesZ3bdo0MVVFfdjHmejcRXCAI0Vg+gRMViy3XXnvt1KlTY6UikUgkoUjVQCKRSOq83dv76LK/HHX0kSPVEcaYs2FrjVhIaHaJmup2M5WSR08+2zFjqXfzM1ZT1Xy+8B9f/Xrv2+u0Gk8cqcWJJ544q2PmMe858s7ublXjuazCbZ2ezXZ8juiQPfq2MYZeekM3NLF6lDp7Ov2o2DSs0XQ3CCdcQ0Db2gFokwwQWU2rHTb/kEmTJnDOddf5BBkOyV26kkE0McJzxM8oF0Qhkguie3KY6QVeiy48bN22XVVVbMoUhQT6ojPm3S62tJS/9tWTTz65CWlJJJL9GqkaSCQSSZ0HHnhg4zsbFiw8ePrUacPDQ0pGcfbexm5qu3p3ndqAMHj81Ag8Nk7YmQJPfXtrm2q1kfZxLTde991H/vrXN1avue+++6JlxZM1olKppG8XC4WJk6f+4c4/ciCFMc4J0a0Y2DsKG+kyDh4DLCqd4BJrlvmIjk1/WyV++rH7NFPEU3WbnxN0Fl/zvQ1GW4/xDlBw/fT0kyMA6NMdAictl8suPLpTyWZUVUN/B6cUHKgilH2Aq0ODSWLi14bwtMhxid/mBICoqXzblu1cM2dIjJm/gKIxozOEA+KEDAqF3JrVqwPmrZBIJJJkyOlSJBKJxMEzz7506KFz5y2ct+vJHaqqMYbxzC9f293XCRh9ggGYPYLptgCt2MhqcwIQIgEhEUKtVhs/ccq/f/nLN/3sljvvuTdxOkRUqVS6u7sRccH8+fMXLHj4wQcz2QwCABEC6guQmcVruHJEau4Gu+0aM8PHGuGAo2P8uXBWFtMAMDPUeKTpQzFGxMeQsRomHW+begTGwKT6zSCfOuIjHERcbjOgOINLOmL/OwIoijI4NDjzsIPnzJmpaioyXU4we6cd2fQTE9zRJy7h2CeKrtLrXxDhcfGmnOIjb9QU15ucCBmyWlXdsXUHEjBkHDi6z2s8aQAgxhAQMtlMId/6zrvvNBipRCKReJG+BhKJROJm67adt9766+kzDtI0DZERJPHPj+42QJ6P+0hIfxN5d/lid/p12kKoIACotdqUydM++9HP/fIXv2xcMiiVSoh42SUXn3ziicsfeyyjMAQgMssz0GtYdAgTuyAEFcrY6pare8i7DTpP/fA7O6LJGj9nNkcZ0UdUjVPovU5EgzfVcReMoTvkvjrhtQXdON+SEN+xJGXnlAwAEYBUUo84ZkFre4um1eqJjeqdsUpR+ImB/b563wU+NV+4YohnR0OjpAgAOAA3LpQIEIgrChscGNy1czdjDCwtqimgpmnZbLZ1fMvu/oEmpSGRSPZnpGogkUgkbh588KGPXvn3555+Vmtra62mKsxyywob8ipojSdpJAoa1NacA+72dt288U/NPw8I+hIG+nRaGufTpx90xT/8w8+7f/bH+/+YIOcWixYt0iWDT1/9yXEt+aeffZYxBMZ0yYDb51AwM2LbFH5sfyJRP6UhcyBFgmqGeFCF2KgKsdsFulNaJiI5p1QkYw+Rr0249+LOvFMHqV+vs0xsF+4nKsTPR9TxJuj8gagwVq1VJ00Zf/jC+ahwzu1PnvuFQuJ4xOlEe6Yc5dM4aH0BWo4gZkLWF7k/ovdpUBoxXxnmFVp/dAmBa8QZst07+gcHhhhjqL+QGl47RfhCQADStJZccXhYU2u1hhKQSCQSEVI1kEgkEjelUum23/y2SjRz1qxMBjXOEa1WpH8DWGBlpNBUrjeHhSabPZnw3jQ3CKBfGgdStdoBBxxwWan0hS984fEnn2gw25VKBRGJqO/dzS+88HJWYbqbgZ4rs/VPAJFa0egZuR4No28vmhXbTGHBoxeI7hXVb7TzIzCEfD5u29Z13enY9WNfF0iUq6jyjN/Jfkc955L7cMT8uUPaJzcAseKEwKpqbd7Cw6YdMLVW1ZzDk0BURcR5SiS9kSim2HUnnhVPnp/iHKQD2fQQcmUS9SEKbNu2HUODw7qvgdvZIFqBkm3DoXtYFQoJEDWiQjE/74ADDjjgwITXI5FIJP5I1UAikUjcdHZ2ElH7hAl33nNP6/g2TprZvIuoFzRAo7ZYbLuYCDgQV2tzOuYse+yJL37xi4nTtnPVVVcR0UUXXbSipyebySCi2etnqh/OjAXkuzFrfk/PD+C5m6Jo07a9bTKSRzAQBR6z5n9yol2Py4KNXg5RNARBNgLPCU/a02nvU7t1VY4xpaZVi62FI49emC9mazW1Ho9YwUijGsTSVRpW8uKrEiTYio5LynNqOVahEhEZsx/i1i3barUaY9ZEjbHfSIIJKATHgWta67jWaxcvPvBAqRpIJJL0kaqBRCKRuCmXy8uWLdu5c+d3v3vdpz718SzLck13N9gzE9OH2yaeQC47yGuR6F4GenekOlI9YsERI2otlZm3S6XSjTfccOutt15w7rlvvraqUMgBEjfnMvBryY+JEQQ2yPY9KkmlHh+56oDt8L6mEABAwotKUO1c5RekO0TNUtysC8K7pjPQXXMY1mrq7EM6Zs2eUavWrEDGLKThZnVIHgID+jgaCA16n4jG2jvB/kiJninjkg1plAgVpqrqlr6tmsZ1x6um5Qz19TVzhRYAmDx1atMSkkgk+y9SNZBIJBI3iPjII4/MmDHj+edfHOivHvGehVzvPrJCeLrKPTTcQAyLIL6lQZ7mOhGiVqsdf8x71q1fv+yxx2NGKebUU0/512uuOffss9e+9VZLS540zonM5GPne49YDqm17iP0HqeVlDM+gYHisXP2JZwSWSy8NSxx2YiUO1HPt79bQeSkxa4MBghAiMhVrmTZ4UfNb2tvrVZraC6eAML6EZ8Yz6ZpUDt3xcoE+mzHiqVebPEKIP7DQ8QVxoaHR7Zu2YYcGCJRtAViRIn77Kprm0TEGBYyuU9/6uqenp4kyUgkEkkgUjWQSCQSAeVyub29vbu7e8Hhh992W2V86zjOOQOjM963re7zIwmBESRv85vREgInUqvVY445dtvOHcPVauIo7fzzVf/0r/96zXnnnNW7fl1ra5GII9r7Hb3fIFAzbIyGdUuiP6kwypoHuf4GBAkOtZ8R/TbFKLPmF2/AawiRMVQ1ddqBUw89bDYHzomDd+aLcMSCaHxPHHL9iJwJ10QMiVdQoeQPuLFKpXVeSAT65LJEoGTYwMDArp39iAwSrf7iO6QBbX90JzjOs7lsob315ZdfqlQqsVOSSCSSMKRqIJFIJGJKpRIAnHPOed+/8cZP/Mtnub6WlqPN2ASjsNEZ/wPW9kLLeEdE4FStVjuPOubNt9as3/TuK6+9ljhJO7+49f+879yzN254p7XYojsZeBrb5twG5o/QRnzd97cZhEkG9T3JbornrJQXdPD0ZTdp2cWxQcKR4fEi9os+riNAQGLNkpPq8XIiQpq74JDJ0ycNj4wggjVKqM7o1BSPK79324l9gkdXELfg2EBeoofWsxFlzlbzPAJEUpiyY9vOgd0DCmMEpM/tEkU7QNtaMVjfKdSldRcGrKm1XC6Xy2WmTpkKAJ2dneHJSCQSSRykaiCRSCRidL+Ccrl8zbXXPvPE4/Pmzx0aGVGYYh03v23NOdvKYM2zDZM19REIgQAJETSuaSO1o4885tWelc+/+LeVr76aOGOlUslqodJzz11w7gW9Gzbm81lOXF/4wKYRONyi9dnE4pVR4osPiHAUQOenaVA0yUAQoskZiwBG+0AawkHQFIIJJAOXGRwwAiD83oRcltsz3/tA6OYmItNU3j65ff7CwxgDTVP1EwRD68ln2z/piEXv9WrxRO+tdvY9Me5EYMGSYCsUcsqbMV8UiACEClO2bd82PDysZDKGEBBDMoj21kAAAkTgXCsUCgtmHnreQQeXy+VSvPxKJBJJOFI1kEgkEl8QccmSJQCgIN56ww/GtbbUqjVmvTmFQxLQc2R0CEwSTQMDgakar9bUQ+fPX7Fy5eur3mgkTd0dY+HChRd/8KKf//zn53/5Pzdt6s3mMqR7GXizQWZOQzoLBQpJMgM/yIp2xp26IuGLWUPCakoEU95tme2lXgZ1f2s/qcDnrARqh0vsa/RJtYrdVqN970IzXgu2946xSQSIqJI265COgzsOHBmp6j3SVs+9O3+Rqn5Sd58GqmSgYwI1ucp71YLglJyCDhEy1DhsfXe7WlMZY4C6ZBOiefl7oYj265IBQwAkQEVRrv3qVw886KDF5XJgViUSiSQJUjWQSCSScL75n//150ce6Trz7JqmIjK9ywgJna08r4qwRzpwbYmaprfe5EdkKmmaWlvQOX/V6jdfX726wZRWrlwJANOnT/lw6QO//j8/2/TO+oyiuE1ZV3YodFSC0Ce5fjUhrfcoVoRHjhhtazu8XoT2uO4zkgFAmPkeeDTWVSd9Hn166KleJSO5ATXjDrlTRWSM1VStpb149HELs4WsxjXGGAEQEaG/jhbyTCJFCRhFo4uJVzuIHlV8Fy2yllR0RhMPIlIUpVqtbt2ynTgyNHQEAAhwOAirnegOQ7rMYPgmKEoOALZu3IgAICdElEgkaSNVA4lEIgln8ty5r65efcNNN805ZM7Q0GAmkwXQu3oQELFu1niHKIyicFBP19ajhaanAYKq1dRa9fhjj179xuo3Vq9pPMGenp5sLnf00cf++Oaf9/VtzygKJ24uNhHiTuCDn2d3vdlP7h3iswXqhDsawws5NIN+DtYN4evxLXTbbiZ7eGyCv6eBMJhgd/QLSHQLxSdFmZHDTZg/UPDRwADW00YAABpph8ybOWfuzJHqiMKYeRgx2UMZ8QybEudStFKXS7yPbRItJFLgKDF4bg1RJqv07+7fvmWHgkyfDdEZ3Hs3o9RkFLzziAgIGSu2tFx6ycWf+ulPAWBJhExLJBJJLKRqIJFIJJH49nXXfelL1553wZntbW3Dw1WmKGDrNkrafZQ2DuGA0FiWnZABJ41UOvnEU5594ZXXVjXqZaDzgYved/b733/LT36yc/uubFYhIiAeyRAXE8N+d9r+DjPC8q6IEs/YINxaiLAval3b0ypBZKIKB5DKWAMByWtyikTVC4zQCBrXim3F4096TyargNHFrU/SUjfmBTGKE9nz1x+IYwRBo3mNfLu9IoHnNyHg9i07du3YrTDFPjzEFkOSGuv2ZyMCBE3VsrlMW1tx65b/x96bx9lRnPfez1Pd55zRaEELEiAkoQ0kzYhFIARiHTYhISS8MOA1xnsSZ7ET3yz3Xl8N980bO46XOL7xEtvxlsSxxksgtjHYhpEBs5pVkgEDkhCLEEIgoZlzTi/13D96Ob1Ub+f0GQnf5/sZzZzTXV31VHV1q59fPVW9DwDmzJnTRs4MwzDpaNlJGIZhGAAAGB09eNSU6ZOnTXnu+T26QGyFmqb5N9jOK7c6AAEQnCW7AQARhKZZtgWAl6274r777//N4090XsjGjRvPWnn64Ma1/+dzn6+PjlYqFddVd1602PUaxyeDxAL2I8SGPIv6GFhu7Iii+PZdX8znh8QKOHzTaEJG5HqnQKn+a6zLdLm8cMGK+ib3rpynx70bCSEMyzrl9GWrL1gppS2EQPTuBK07VqHrM19aUnzKakPfnIJlhVIH2+0wduVo0bquP779qa0PPa6j86StbItQaE3eMx3+JgRapjmhd+JpJ582dfr0BQsXHXXUUU91PPuMYRgmAscaMAzD5OWRR7ZPnDTl29/+zpzjjjGaTSFEYNG/WNhB2EXrzmBoMHtoPYASCBRAQEAghGlamqZfsWbttkcfefjRRzsv7LLLLlq06IQLLrrk7z/7xbFDo7quu8N0/ngaeT56AderaCxxNOAg+lGVd8FJzpkld5AJAEQ7SHFiGkCSRKXSCw63WuCSbEYXx7lTT2FqJ8pel6NksstCb9QZAE3Lnji59+xzz9B1DREEIgDGVApVnonnoehKAlHZIOFgZYh+hwQvTooaUsqV62WWUDQAABEJgZZp731hr23aQtPcXcH6xU5JO9NsXHkWCaBarb7zve9dc/na/v5+Z5FahmGYcmHVgGEYJi8DAwO9vRM//OE/6Ttl2eSjjjIMU9c1cBfHJkpy19w/CC23vlxCZXjhyISImiZs05jUM+E977zmwMH9jXqjlPKqujZ79qzPfe4zY826XtGd6jvtkP5M3rUg8lSHwH+Yz8wp8iG6P7xOWhseSHl+i5ubQ2yqAoZ+4uJVp2JFyYx3oEEs36Cbme4RHgbynCEkJEBCgYZt9J+2ZM6C4yxpOEv3O7oBpocXFJgDkZFCGXNQvMz8kKqsmEwY2UmRr9EVEDPvYwm3cQIgIik0fWys/tKefUCAvmgTyxSL/48QzsO58xIIrFQqp5xyyo6dOzdt2rR79+7c+TEMw+SFVQOGYZi8DAwMENHnPvf5o6YcfeysY4RAKYlkVryzKv62XGctHtzsvOjBMM2pU6f/0Uc/et+D2599/rm777uvvfyJyB+/6lt60slLT/rm178Ftqzqmj/w6j11xx2IULuMt5fq+hQqySAuOEQ+qE8oheSD/A5l6X4nhn8nuiDJvsmRIBnkoMyWU5705DJcr8z7KSnKQJFNBzmTE1SEKAzTnDp98urzVgIQuCpmPNCge6e9wMoC5d8K06WB1iZvR+tjwnWenGXS7cG7L6BAfHXfgX0v7deFFmyVMlueAACllNK2BWBvb88brtrw53/+5xnyEMMwTLuwasAwDJOXoaEhACCi3qZx4003TeidYJmmEJjglQboosuG0T8IKBAQpLSPnXnsX/yP//mD73//u9//4S233t5eAUQ0PDy8efNmAFi8aMGqs8/4zxt/iiQ0IZyJCJj03J1obPdJfK4vOOCflkw5wFrMum6NYEeEAqWycKQ4F6WHXmSnyxGgEtQLxpF2SvMvfbRs46zzVx5z/CzLthGRPDnRUQ7QQzFbpSs2j3t8RmK4UOQ8YmCjIsRAedtQfg6l8XcgIOCLL+577dUxXdcJZMfrNPpFBzJCACAhhC2lrunTZ846eOAgAMycOfP6668vpzyGYZgAvBoiwzBMAUZGRoaHhn7x8Y/f9OBDM4+d+/xLzwFALPw3wSeLrXhVhuOGAF4YOroxBkQkpTXnmOPf8wf/48tf+sebb/lpJwVs3759aGgIEdevv2LevOPv+dX9lWpF19z/PhDRWQUxchRF/gbsLd9dTX4oD4Uvt/3snmixalwvuCkST9xeIR0SFA6OSNJHR2MB6B3VJDseKDttp3iufHy7ImYoT4ZEoGvaWKN+wolz1m28pNajSylR+KsgxnLCwAfldi/jHGUXSRwqCv1PScXnyyfz2BLOYwFhFAgRpS0f+fW2HU88U61WiWQrlxIh99Tatl3Tq1et3zB/8aKp06add955d999d6klMQzDABzRzxEMwzBHJIMAB/v6bt6+/drBwb17X9iz50VNCARndYNkl7G1TTG61Rktt8sZS7RMc/68uf/7259aOXtlCdkDAMCV66/Q9MqjDz3UU6vqugYEKHx3xK942IdQzVAI7C7kU6vIEAtSPsaPjJy4/JEheQOCU6qHOdIchpHb8SJRNaBO4vYTslRHpLcidTpWmLLB8K/gnpiuqPgegoCABAopJVZx8B0blp+21CIbUbjZESVmoOrmyptTjmAC5X0t8fCEFlAamn0ilE2psC+5jLwlqQ8LVVNK0iv62Gv14W/f+NutT0+c0Gvbtnu3a930FLe/7HJU90tENC2zd8LEXz/yyH/deOOGjRvvuuuuc845p72qMAzDpMAzFBiGYYoxDNCcNWtoaGjqtGn/+28+XqkId4YCYngZuqRpCaHtHWu3rs+FbtABWpa5YMGiH//8tpWzVw4NDfX19XVaAsDCRQsm9NYee+Th3p6qpjuvH0cIPfxS0FHIkAwg1xBhGuSXTcqf1PBzUu3Oilhv14vMMxPBTzM+Qv4RN01BfZa64LirJQOIddYOTnaOo4vknnZ+nHsJIggNm7Zx2qqTl558kgQJhI6M2Wbebclg+SuV4OSXaI17GpSXdJfUoJYqgYCIB149tG/vfk3TvAVigx2sDBMIAIGIJEhErE3qBYCNV10FAKtXry4hf4ZhmBisGjAMwxRmYGAAAI6bPfufv/ylM1eublqmEAIAvedBb+gSVY5Z2QscOOtvEZCmCaPZXLBw0Y9uvhkRh4aGtm3bds0113SWPZx8cv/Ks898+IFHaj09QtOBSKDIGIDM82CMkbjfws1QzK+MpY1Mbg54fPktyUhZ1D/whTuuLSoAACAASURBVAOVS99RN0mRCTDhZ1yJOHZUnn+Vm0DFiy8oF+5A2UJRGTiFaJpebzSPnTNz9QVn6jVdEgkNiWRGoEEuOjg4S+4o0YyyWrrT+7CbByLgi8/vPXjgNU3TO1/SQC07IgABIpIkFGL6UdMGr34zAHR+t2cYhkmCVQOGYZjCOMsijoyMfPtf/+3Z556dfcwxlmnrKAAAIi9gLHdFa4VPQogAIFGIsfrYkiUn/eimlmTQ39/vmNoeK1asOO+cc85euerh+x6YUKsKTQCQu5CBV62wLYHf40lWoEDSQZlbXBLc6PSgkYKjr3l89fQkIa8//PLFJGUgTTEYN+GgFabSCiF5XREIUShbLkjKD53QJiGELUlUcfUFK+fMO9YyTQwuY4DYjjWKuP6UNCm0OtK4qFEE3ksMMlenTSKvhW4AQaQcIpBCCCnp2d0vGHVTE8J9Ky20+foNSvnorXqLCCcvXTp96ozBwcGDBw/yOxQYhukSrBowDMO0w9DQ0MjICAAITfu997xP0zUCQBThR2X/c5zsGb3qgyjmZREg4lh9bOnSZSct67vk4osBYPPmzR1KBvPmzZ1z/Owly5bdfscdvT01FCCl9NYwQyB0B8Yp5DUVfTRu+wm3NRqdp0T103d5BDy1NkqJaEHBNkkWKzC2Jf0oFYmiQfjPuBBTfsZTOsCsNs8gMi8m00OMzIhIty1hi+Ow4lhzbGn/4jPOOs2yLTdXct1UCEXH58m5aIJMUjtqeX2rkF7TpY7lTFATQjRGjeeeeQEJXbkgVJ76S6pJiTUjIiBChLe+9d3r1q3r7+/334/LMAxTOqwaMAzDdMTVg9c8ufXRs1auGB0b0zUdnVHAXIe2UuV93g26I47LjgAIY2Njy5b23/jjnzYN89bbbgPvxQf5a+HlT5s2bXI+T5446aipU+785S8nTKiRdJYyQHLHOF3bKeDhqaqQVa22hkKdA2MFeSsaUHxPfoM6NgY7qFRy9gndSTF8q06MsSNy6QEKeeL/mXHM3BVNONlZKzm230e8SBLUhGZY5tQZkwfWnDtx8gTLsoRwFkF0FZ92pgmoOkabJz0Uh9O2AFX+ZI9y+nBADPAVTEQQQhx49eDL+/brFZ0gONMmXIvYnbNA6FPocJwwYeIpq04xTHPTpk2LFi1qqzIMwzDZ6IfbAIZhmNc3733vez+z6X8NrDj98ad27nlxz6TeXsuyvJ2Y9cjrJshMBxB77CRCRCJq1Ov9S5bd8JOf3HH77dOmz2ivFg7XXHPN5s2bEfGRRx5GSffffV9PT822bcc8/2mbAv8C+kHkaTzvQGrnPkE0h9K99oJ7S6lU0Twzgg06cJW8ABMK5lR2HH4w77Kzz6JDNzJNHohfFqllJiaPHYqIkiSBff7A2YuXLBwdG3XFAoEkAaHDFQ18c3JuLqvLB6Nt8mTYjUutTRCACFCIPS+8NHpwrEevkSTXQPcen3CUarsnNGB0K3p7nRVpCaYfPf26d/3eN7/17bvvvfszn/lMmVViGIYJwKoBwzBMp/QvWnzHIw9ftvaSzZu/Z1m2EEKSLP1pljA0BwARpZTNZnNJf98NP7n5ux/96LWTJp1//fWdFDE8POwoEVdeecWTjz/e09NDJN3oe0p6mM8XZqsk5G91/ek/PVy7ON7zeztqSXbG8Qz95o/41qEx3fECAUt9y8FhDGIo5s6VhPcakhwpQ2cYnQsRAbHZbCw9dfEFl5xjGAYiCkTfmYyenfjUl/QCMzbkJqURFeFCbRTYreChQvm2lAEAy7Kf2fWsZdlYEZLstOrHwhDI3YzY2kjRo5y/6E2JQXnioiUTJvQ6cxN4UQOGYboHqwYMwzCdsub3fq920QW/mjZj6YlLtz76aE9PFSTlfvhEiK7dlTDi2hrrJUC0pTRNc8nSvuOOne34EqWwdevWjevWPf30kz21GklC9IIaohZ1XGBnTmfyGB2hyj0qWzII2JEBqfz9IhmGxZrEGfhd9xdQVX4pTTqerk7U5lLm7pfZsdK7iTNTCNG0rMnTJq1df0nPhOqhsTFNCNeLBKTItaWo8TiOz3chNOXIglqRBEKI+qH6szue1VAjkpmHemeidUaSZiuED0NnOQMAsG37DZes146aMHDpxXfddddnP/vZtuvBMAyTDq9rwDAMUwIX3vbLsRf3XrFhw4yjp9XrDV2vAID/+J/lmfgjRP4jtj92FZoSjF5wMhHZtrWkbxkh/svXv0FEwx2vg7Xmssu+9a1vffTDf/T0009XKxUE1/9A942S/gNtCTONKToS2kaG6a4V+YEZXu55i4h6XIVL94+ncKNBp02XVGbbc8Y7o+wFHMJ5l0uo4TH2u5s2JDSSKndl0nAoCTqRBCjRvnjtefMXzRsdHdU1ze/hKnEpkn3qWevSKcWs9qbYDYZCV+8RS/A+puvavr37X3pxf1WvoPOErZQwA2Dkr5tl+jkiZ+VFAOqp9V7y5vVO6tWrV7dhP8MwTE5YNWAYhimB4cHBv7nzzpdeenFp/7KeCb2maSICABFFX8+VgPsUGJYJMPAo7QafogCbpJRyxWlnIIif3nwzEQ0PDw9u3tyJl/Oed7/7f23a9PWvfPGZ3c/ruoaIkojQX2LQ8UrafX53Rj8DP62tHYU/u68U9N4v2CrNL7M7ngeCf25iHk5AMkiiLZP8HhH/OUyU1KYtZa3145/aTmqoOvlejuj/juyIWJZdvOPKez0weJYyD1MaTdB6f2BUB0BEAl0TdWNs+YoTzz7vjHpzVGgagQSQAf+UQkepz1Nsq6JLoipdypSOfJWOmBksN6lLKaWEDu5GHSaIJ0cgIhKg7d71bGO0rms6kPeW2sC7T0OtFPjr9UYMpU0CkYgQwbLlcbOP++D733fxZZd08rochmGYPLBqwDAM0ykIsK2vj4gQxVe/+s1jjj3Wtm3wvex8D7ixsfeAR+M5D4ho2zZKXL1y1QMPPfTjn9zkSgaDg23PaP2rv/rw3/zN0Kc+/em//LM/e3HPSxVdRwG2lFmDZLmhYAN0x43PGdKRO7tU49xSjuwR0BDF2kXlTjp/wyoMZQ7W5zcPoeU8+b5lzNcqUlTm6Uly8VGRKIdw0Eof8Pra6yORq8MxAEECEaEm6kbzmOOPXrP+EtSFlBIhpOwVCSUo233OT1ldp60bSXqx2fmF3p4ABEju6xXRaFpPP7HTuV27p8S/jWIw7iAsGOTHFSicSSoopX3K8v6X9r00NDTkLElTJC+GYZhiaIfbAIZhmN8FRkZGhoeHf/azn2/ftu3yiy++/9cPNOqNiq6TDA/6ZT/X+Q6Sn9pdHB2FsGxL1/WBSwfu+/WD2x97HLw3LLb9vHj/bbcJXXvHu65ec9n6A6++Uq1WETExpIA8AyFnXYLP4K8XLxtVfxQJlJvaih8Ibyr1yT/uGmdknzgujcrDUbGtKJjc1C1fK+pupZN+GoKuWnKh4e85hINoijSr4/6jMlM3jsH1EkHTNAmk9+gb3rR28ZL5pmk4MRmuoJj/PGDgWqbEeIS2rthOuy/lKFkhaBYstpSLLPDeGCKiil55ee/+LT+70zZJQ6EuRqnFFjpxgIAgEADRBnrP+95VrU342Mc29ff379y5s51qMAzD5INjDRiGYUoAEYeHh1esWDGyZcuL+/cvPvFEoWmWZYXWEcz7dBgcQUP36RTBNM1atXb5FRv2v/zKa6OHnN2dDDG9613vuuvBB5fOP/HiCzceOnCgVq0CAJGMqwbeRAWg4OfojANVPfK5Aepj1QeluVslj7XlfsBvN3yiu0qKymdRb3dRmONXK7Iv5HZjitaRs4rpZy46TjsuY6pteKYY/ilehAJyRpcJBQKgYRmrz1u5/NQlpmWIllJQ8BZAqV87pf2zk/Ne4d2Bwkd2XIuMPAI3u1ZKLwqMpNQ0fcdTu197dUwXerpY2onW5h9m2/aUSZPe8Ia3TJgwAQBGRkbay5BhGCYnrBowDMOUw/Dw8HHHHXfbbbdNnDTp37/73RkzZ9qSnCXPAcIP9rEnRs8lj4z6uRuF0EzT6umd8OY3Xb390Ud3PfPcU0/t6NzgalVbvmLF+/7kT+pjh6rVqpREkoiSHmfTZhUnCQfl+iOed4p+1p2OOUaPxdCf8aBbwkGK+YnxBDlShUsIFpLguGaN0Rdo6tA4bUducl5aVWxXqlAfl9dtpFZa1ITWMBpLly8+/+KzUCMpW3VKj5zIKqAtyro6Osin7XewtFNmeC2WkBWerGua1o4nd4EkFIgIbnxIknTXvk2EgIhC2nL+vAXXf+xjH/7wn+c/mGEYpm1YNWAYhimN6667bmRk5Jndu//7f//vH/j9369WqxQRAXwU8cygeopHFGhZxuSJk9589bU/u+3Wm2655a677mrbwsFB6OsDAFi37tKLLlr95x/+cLNRr1arUko/2jY0kAb+6FqckHxABMmqQkHyHOtKB6W4L6j49LtLVh0V8QWBIIWUo7vfeAVnK3g9sbPuGNAOitUwIXVuoYQQ3MtP00XDMI6ZM3PtxksmT51kmLZQ21LaKcjwyROH0Ds0o+hpirvwXYSiX7yFa6Sta9r+fa/s3vWcJjQicsRXkgUCzIIkHYPkvNZGIiARLVq4sF4/xMsZMAwzPrBqwDAMUxqIuGXLlpGRkY9//OP333vPitNOltJGb4H/6DOt97BHke8BhEDLNCdOnrLx6qt//rOf3X7HnZ2YNzg4CNDX3w9vGVzzhjes/9Qn/7HZbFSrFSJC3yV0ooS9VdyTJYMgpT6tJ2aGoT/q1JS4JxHXI843rpwz03YbpMvP/8rJBmGfmgJ2+O0RCbtPtLLgCpptuTsh6SItAy/c3ZfAOuulXghKxxMk8h+NBACImtBMy+6d0rN2wyVz5s42moYQ3sNbUiBDZ2S3VIlBPkeGz1v0HhecmCWJdL2y+5kXDux/TWga+rFQid6/SoBT68jhQpEQAFFIkj09tQVL5h53/OwswxmGYcpBP9wGMAzD/E7hvwHrhT17/uO7m887e9X+/a9omgZAXjR24PkTIyufo7sat+OkaGiYxuTJR6294sqf3XLL7Xfc0ZFhMLR3296X+vtnTj3l1L71//xPf2+YRkXXpZSRIAiK+pB5IMfJiTzqYlEHulCB4c/qWfmQ7pYExn3zei+ZmRaqMSZ+CW0r7PFGrKTYh4Qjkgwol9QVELOPBgBACk5SSYqFKRuvQxfu2O7ReecmACB4l5MtpUnmmksuOHnFkkajDv4CiKqZQegG4HR52D2bw2HDeAkQ5C6E6LxWlwDAtmjHb3daptVT6XEmLDgvR8wi+t9BUEJWqHsIRCCQDNM87rhjqtWpmtYoq1IMwzDp8DsUGIZhusK2bdsnT+ydP3/uww8/pOuVtHDlKAQAmhBNo9nb07Nx/eW3jvzyjjt/1YkxjpYx8b6JtX79tFWnfelrnzdMo6JrROQ6zv74WMCGgig8wcK5JE4DzrPensqFUuYZSOHKBiX4G224SbHhxcTxxo6GctPMSoslUbULqn5C+9NFGsQOJQO1fTnzKlB0WhVzF+kdju57JNN6mncFurKdG6KEKMaao6ee2X/FVZfZ0iIggQIQCdD5HZ+q4CkT2QYWl5AyGOe4gdxxJ/GjWmTMIogrko5i4945ybbtSqV64JXX7rztnvprjYquu+fZXdUgK3QqsXD1JBACEEKYhtV/6imvvLzv+Dkn3HDDDSnmMwzDlAXPUGAYhukWh0ZH/+em/2/JsqX1sbomtMBCg4EnRc8H8ZbodsaxcKzR6KlOuHL9xp/fdvsdv2p/IQOHkZERGIDGO0YXnL/4C1/7qmkZuqaRBIDweCWp3MiWYT4pI/shCvjjWash+BHmoWHzVhi66kh1RH7LukCkQed0KhlkJWjT0CzJIPSRFNtymBD2rTPisqFQt0gG2/AaKfI3K+PWT1gNySUctGZ2qLQHRYGOvOAdggCI2mizPm/xnA1vWqtXNduWAoVzxQovqEAW7XdpZF2EOSgu5QSPzXtI9OSHt6f/xEmscGtH61BvChdISURIRJpW2bXj+ZdfOqBpeitFZgUyGiiw0zsnCIgI0iZNE8fPOq6np/rud787vRyGYZiyYNWAYRimW2waun743//t/W/7vekzpjaaTSEiY9+Kh0YCQsR6vTFhwsRzLrzwlltvvePuezu3ZGRk5MnHn1iw8vivfOlLptEUQkiSkoiinjjEH3dVz8CJL1tsUdRlyPCslBbmcv7GewA0g8R6hseMx83olkqkatbuBPm/vog4wd22n7ywBBR1ozlt5lHXvP2q6TOPqjcaui4cnQsJJLkKg/9q1+LlZG3ogA4aqa1Du1FevIEIPc3APUhKiYiWaT39+NNGw9A0Ian1Ltqcgl1OHPEWES3bmDxlytSZk1atOqtwLgzDMO3CqgHDMEy3QMQf/uCHt//6vtNXrSIp0Ykrji045yyViAhAJIQYa9QnT5x00bmX3n/Pfffef3/nZixf3rdhw4b+U1b+ny9/CYEECilVY/NFVyBIT1+WDxJyYXOoFfEDD/sUb4BMUSR3JuWT1Tzd1RCOYNJrm1tDKHTSyAtNQLSkVevV3/zWjXMXzq7XxyoVnbxrrjXNo90z0lXJoDDx0KvxIiFqylsMNgwG7imOeiClXatV9r348s6ndgvnVYuhvLNLz2Vi0DAAy7Jnzjj6L/5i03HHH5cnA4ZhmFJg1YBhGKaLfOf739/9/J4vfvGfTzxxcX10VNe0BMcXiQA00WgYU6dOfdPatfc9cNevH3qgFBvmzp179tlnfPvbX0KBQqBsvRchNl03RhE3vTtE3YjcBqWFdIwzJbqW5VUmbUWD9KMydiUkOfynAdpzjuPHlFaVhIyEsKQNmrzq2itOOX3p2KFRgRq6CqMTFQ/o+LZK84IkT9zpNm03UsE3cZRN8i2PwIvrQHQG/olIoL7jyV37972qa5V8KyAWVAuCMxUICAiFmHb00R/64Ad/9rORPBkxDMOUAq+GyDAM0122bt36yv6Xpx8968V9L46NjtWqFQLyZ0s7fwUiItQb9Vkzj37bO9/101/8/M577mm7RCI6ePDg3XffDQBnrVp19upzvvfdYV3TEDDpmThVHUjQORSP99GFAtrxT4IzC0qZ/Z66O2pxaaTPpFbaETlcyTipOLHic9UifUJ3aF2DUshWvRRWtApPNqPQ4HdSitxvTAjoW4gCNUkk0bryjWvOv+SsRmMUhYYCvYUS0X+xX2BhyRCk+JS0oV263A0z20zRk0oRG6L3wcisodA6B7aUmq6bTfPO2+598bmXenpqAdUg2ZaouJZwQ458R0QETWiWZU2cNGnZ/AXPvPDCl7/ylaz6MAzDlAbHGjAMw3SXTZs2TZw0edmypSctOkkIlJKEO2blupTOjdi0zPmz5378Q398209/uuWOO9sujoiGh4c/85nPDA4Onn3WWeeed94NP/yhrgsEdFcyDM+6pWJx/+NFigfgLn5IedJmUmDEnWI/JZFrfNJLW1qpAJBciVhd0+oc2DeOPSkjtCHzuLQjKZS9+1OooNZ5SjssLCqROzHBlM3LrrzggjWrm82Ge3sIhBX48xTc9VMTukTE3NQOW7AJCyQfrxgaT0npKFPVXIWEzeREfeia/uLz+57b9YIm3EE4KRPWNKBor4qeE0rumgjuMrkITdOcNn3GVW9/u2VZBarGMAzTMawaMAzDdJehoaG//du/nTHj6O9s3jxr1izTsIQzeIiECJomQBMN0zz22ON+ceedX/jhD//rlls6Ke6aa64ZHBxExPknzFu+bNlNP7pRFygQ3TcfuH5KSzJIozMfsGQPMsM3bc/toNa/dCGgG+6wu5qdckc3acvF9+WD+E9OHSWPu17AjlA92s0x9bgsjSjtNEXDINL0FjcjIZCImlb9wsvOvmTdhZZlEEmBiI7I6C57mLuRszbm2lmIWGxNJ2sUpoQOeCEcIcFFRfuCUuB76OT5RRKRJgQQPvXkrgOvHKxWqyQJQDVDIXb2E9SJtASIgIgEpGvi6KlTvvLlLx6q17MrxDAMUx6sGjAMw3Sd4eHh4eHhP/jgB845e1VtYo9t2wIFECIIAjQNY97c40duvxMRh2+8sfOyEJGIdu148ld33aEJoWlC2hLAe2Oi5+1lP722Rdkj8V6mqd9zxoInZO03TEKzUCtlvsqpLXFCyls/iRZ3c8S+Ndo5jnEBkbI7ziCfVJGvP5TRDLnOo8LYloYnEAlgzBw76/wzLt94KYGUNrnLnTjx6c4bWUswNs2g9kH15yyD05KmHpt4/8pfpTwpAz2uFXeAiECk6/roobGnn9hpWRIFEkg/GCTePcMbYlEGoRIVogEAohCmaU6cOGnmrKNP7V++ZcuWTZs25a4rwzBMp7BqwDAM010QcXh4eM6cOV/6569UeyctWjAfiIhQq2igoWmbc+ae8PPbfum4+oODg52XSEQbNlzx6CNbEYWmaZZl+0+pzgfV+uuK5+3xdysTCQ0rduwoZhJsjM6HMTFxCnriAV3icJ/Rw12+i7qjd+Zu5j1nwUvRcyQFIqAYM8ZOP+vkq65Zp+vCNk0h0FsBEYGI3CX4IoVScLJ9q89SaxK+ytjyZb3i5GkwxUVT2mqDhTKJhHkgIqKmVfY8v/eFZ/dUKxUROCRiYVqoQZ4wBABHiBAobFseNWXK9R/961defZWOxHllDMP8LsOqAcMwTNcZHh6eMmUKEc2ePef7//lfPZMm2LYlpWwa5tKFC06Yf4IjGQwPD2/evLntUjZt2vTfPvpRIrryysufeuJJITRdaLZtIyIAYfhhNSwjxB5A23EryvV1k0biKSlVZ4sntircapGMRkjaF1huD1MjrceZ0LBnqS4HJfyokqb4suUSCz9J7SCRqyH9J2/poE4dWDAPAREFII41xvpOWfKGa9bVeqqGYaDQJDnr76F0FAOApCUMIiUlSAYFK5CBm1ViR2o1dlwxC653CqGTojhFGFxWNFb/lBF7pU15SZMMAIgIEW3bfuq3u147MFqtVKV0X00TmbGjav8kg/1DFZYjgpSyousTJk/+qz/90098+jND11wzNDSUv0YMwzAdwqoBwzDMeDA0NLRt27bpM2b89V//5dor1omKsC1r2ZKlv3lyx1f/5euOZOCsR9B2EUtOPPGTf//3b1i/fsdvd2goNE3Y0vYzTBhyVBF6Sj4sI1oY+5Avef5DcpDlYGUUVG40eUd0dWh5PDtISyFKbdxof4j6m8VXyVO2YExmUnjAqlURndT+W/wAGs36kuWLB9+xYdKUiUbD0DTd3eMl8ceVg/eHeJSBM/MIu39KAs2RJo8E8AWCNq6K3EepbQieiOKlxyQDAAAiTRMHXnntyceeFij819nG7Mil1OS4OgkALNucOGHi/GPmTp4+fQhg+7ZtnfxnwTAMUxRWDRiGYcYDRNy+ffvw8PAnPvHJ57dunzP7mOX9S3fvfmbfy/shsIRhe5kT0X/867/ueeGFjVdc8dRTT+m6pmmalIQYuclT4HdqhpG/qgolOWIdP8lmeeNJW8fvETqlsNYA65GJ0gkaZxM6Cjfw2h5jbnn+DAJ/Uoj7e2khB76gkbRgRWS8HUEIEELTGqZx4rJF177rDUfNmGwYhqZrBAAIAtOCC5KkAeWEhXLPuB9f4PSlnFkXm6CjCjrIFXyUbU3BDhNVGwgAUAih6TuffnbPsy9OqPWQ/z7MlgUFhLp8UzWELWVtYs8Xvv6VE+YdgqGhMqayMQzDFOBIfa5hGIb53eVN553z/T/58N9v+cU3b71t22+e6DC3wcHBC84794/+5E/ftH79408/VRGC3EhZAih+m6ecjqX/nIwQ9MTUz/D5nZZkxyDgDTkVU5eW1/485Xo7VOtAJKsXnnEZBaUqMmkUrFqnZ6RdW9Iqkf1W+0IGKCqV3AmipyYejF6s8KgckD+NEKJpNBf2LXjrdVdNnTGlXm9omoYA5PZtRbB+0EePT0NIXs6gVNUgtrpC2tmMlUyK+4QqXeLm+KZYwaHZKUmdLKZ3BDZEOgU5IpU7CQE0HaUNw9/+0YO/emTKpEm2bXvlFGnnXL3Vay9EKeX8BSfMmnXcN771bSIYGRm46KKRAsUxDMN0BqsGDMMwh4FNg4NDg4N4zTVt50AE11wDw8POZ7pq7ZodzzyraYJIkvNy73YyzeVyY+CpHMNP6H4+6r/ZKPWHXDoABX4VFA5SHdyM/ep8YqpBPo8qhz2dqAYlSwZJOWU3V1hpUiegAu0Q1w5UPQABKD63IcFVTCoy4vF6vT/R2tgOBAQBAEKM1scW9y18+3vfdNT0ic2m4bxXxZfjIqqBJxlQvBh3dNsVCeOqQSfRAArvPraWQUQ1UFy7wW+pslke7SBHnwsJBom9KNpHlKqBm8hTDRABqKpXXnju5X/5wr/WX21UKrqUss1rKt5lVQlQoGVZ1Qm9Z595ul7r3fvSvvnzd37yk/cdsQFNDMP8TsIzFBiGYQ4D1w8PdyIZDA0NjYwMOCsnEtEbNm7csWu3ron29QKARHcj+SldLRm0T3TOQ/ZchcAP+vYUsygjbe7WLCoZtE2R3MocYw7nWSAEuyjRoHB/Myo6CPofM9tF7dmrDqPwbwpUl1QpUwIO4pIBIoIQr9VHF/UteOf7rp46fXKzYTpKQnC8Ovp+hATJwN8dTF+SZKDYrswutjE70iZ5f+QnsDktD0qodJYgmONqIk8HcSMNCBC0J7Y/9eq+A9VKhWT6IpW5yLCEQJJEoi999Ru1Wq2/v3909EyWDBiGGWf0w20AwzAMUwxn6ewtWwZ27DiD6FNXXnHF7l07NV0joNyzjGPEj0uRDFzKlQwi+RZPpIp7LqWozvIpvYG65awfGaRHm7eEg/F58Vw7HYpiHwCBCBEJQKAAxION0ZNXLHnrdW+adFRvs17XNGe8OkEuieQcszAyFSkWeH9Y40qTAJrRlQAAIABJREFUr8p816sXeBE6IOnQYlUNKD7ptzkKCgMoxOhofeuD23WhO3Eh6L6gpniPxGQjqJWGgASKngm973jb2//tO/9++eWXr169unBZDMMwncGqAcMwzOsJ/21b8+fP37Bhw/r16559Zpf7RncnzICij9j5acUepx+a+WSOsef83GQMDmYa1goib6cFjgwOr5/XGbkMV0wUSMotbdhaNcZNgV95CST2D2pnjD7i9WNwCByJQGgaAY02Rs9YdfI1v7ehZ0K1PtbQNc1dTo/iObZcVlTJJN4RSbMsSun/qtaJloLBv0WzRtWhpEjY7Ws6EFPg2EAYlAwQkUhWq5VtDz/x7DMv1Co127bb1AuiZYah0H5bSkBxyvLTjpl9zODg4Jw5c/idiwzDjD88Q4FhGOZ1AxFdeOGFADB37tw3vvGNb712cPfOnQIFIkp3xDH4BFrY82z5aBhwgcLh1kGfqBu+beIDeHGHJP8xGK1oZrHBZlB4jh2jnABQcFZA6f5VUpi+T4H2LhF1buOlGGHkb3AXYmsOhaZrkmTdqK++cOW1111VremNuqHruqsGOM6p532HC0h01iHcJ9qVDNJPR0syiA6GU3BnZEfe7JPiK2LXY3t9pqMJGui9HROQkMgJGDEN6+H7HwWLhEBozQrpSndzlBIiErr25a99ecqUKZs3b+ZAA4ZhDgva4TaAYRiGKcB1111XH6ufe+65V1/9ppdefFETAgiJZCtyu5W2yINsPo85uHoAJg0ERy0o9Dyddwg6Y1/kV3LKiHMS/5o62K30FBNMSkc1ztw+GU2epJC0nWH+LDHaqNGjQhpVWpax8fWQA5sUFR/OkQBQ4fcWICS0hbYDAhIAIgqBQtMs27akObBm9ZVvvlzoaBqmrukEQEjOagdeH1B0usSIfAJ/sQP1hR8IdM+ohyp7/28ox5iq4fzB0NdywMCP16iZR0T+5jEo0oVC+bm6BiIR6VrlmZ3P/vJndwny1qEoTSZMOsOSCI+fffzdd9/ztx//WwD40Ic+dP3115dTKsMwTG54hgLDMMzrhuuvv37OvHnXDg6uu3TtKwf3VXQdAIikF1Ybf5wvLBx4c3SVO9O8PZ/OvDAIRyt3OoKXHK2eMECNgJRZyzQhIR8J9epcO0htsHBDpHaPog2fHZ2es1bZGcVH1JNemZd4cNjP7lQviO9x5AhyXU0UmmGaqMOaDQMXrTnPlpbZtCvVirTbP9/BNyYoQgxKGPmOSwZ+zhSwGzPOWHlj8K2T5ozx57uoyb2mWykS5RUEjPvuTjsjEgEBIcK2hx6vH2pOqNZISiivfvHCyWtr27bXXb5h2+Nbh4aGRkZGkBdCZBjmcMCqAcMwzJGOs17BV77+9R27dq0fHLxo4PyxQ2PVSgUDgoFPQakgRq6xueTnVoV4UYhgtHWskLYydoQDv1kw1THFbKc1sZTAnwiRTPN5tpHcM32zfCc+7C/HRqlTzcn25juPFMljSVgjoNjWpHFbVQ5tSwZJXwC8VRuEQCAQmqgb9Z6J1Q1Xrzlj9amWZZAkXdNJSidcJ3r15rCKCGLTFrLEgoyzQ4rOEMqSYlucY/xf7msJ40aVS8C79g3O7JitS1+tIVIoXaQ8B0myUqm89MLLj299UkPN2ZV7Sc7ki1MZz+HtEChsaU2ZNvkjf/kRRBwcHBwYGBgZGclZKsMwTInwDAWGYZgjmiEAAJg/MPDcc8+ed8mlV19++dihQ7VqDcBZ/TDwxNyFZ/QY4QjzyON6Vw0IZl7Q70TvNwa+qtPlzTkUjlBKbHbOxkudNJGXWDR91JRUHzRZM0ozLGEqQnI0h6IYin5RSAZtdsP8/h9isKPEjERPehKIKLDerE+ZPunqd151+lmnmIZBkoRoLSmF8YHjjJFkUpWZL76gULeJr4xK4c2hLAOzlooWlEnsqgxfAgmFFZiX0PqOwV0tqQ4BQEpZ0fS7bv/1Yw//tqLr3iKJOaWyzDQJJw/BNK2zV5/345/8eMOGDSMjI8PDwzmKYxiGKR9WDRiGYY50cMuWXbXq3GV973vH24xmo1qptAZNKeCmdDFwFdXecTnRAG2ZU0qaTtLnc166R8u7LLvRM33QxHiURAkgdaaHYmfQBw1aFUK9pbtdMO7kBz85ggIhohAChRg1GsfNO+Zt77n6pL6FjXoDAIUQFMhHEW2eKAupIyiSoieSGjUnytkbcQvUqkEpYLjjlHs5p7Skd7j7YgsAAJAShC727Xnl1p/ePnawrmualz6nWQnJlK3sHoHu9BZN+4u/+utDh0Y/9rGP9ff379y5M1+JDMMwJcPvUGAYhjlCGRwc7OvrGwF4/sorp/Uv/4P3v8doNnVNc16yCOQNtJLnLJHzqxQw/JOQJB0K/HRICXHkCXs7cHNKlAzaqB+R+xPMhMIfUujEZKfkDjLw82n9VuxJK4ECAkHgT5dVq+jEhHAP8CPmhRBEMGbUT1o2/x3vHzxh4ez6WB1bywVmTkwnxY8qrD5lwkVHl506X4qkUdWimyegk+st0pzRnRQNrXBmMrgvs0Vb2iDhN48+8fKLr2jOGpah1MWszzbVwzLNOccff/HFF0+ZMgUAeG4CwzCHkXEfHGEYhmHy0dfX19/fLxCvWL/+U3/3d4bZrOkV8pZBC0bQQsBjQbUTUYgcEehpo6FR76KE/2oi9UjOkOLuTbcoc9H42ATpeBXaioVILzShuJxtiADRqeypIQUpGalShCYpKPSBMiWDvLNDkiuL/tWoaZotbVNap53Zf+Wb10w+qrfRaAihB0pxq+Ysl5iQYZp10ROX7MLmODuqAlWqQVS3IPe1D95V4OsmJT1Yps5PiZvTBolZBAK5AFBKKYFee3X0B9/58e4nnqtVq5KkYt3ENgxqnbhg3dxgFCFwbKz+jmvfOmfhwvd+4AO8CCLDMIcXjjVgGIY5Qtm+fTtZcvU553z6k5+wTKNWrUrniRLTHlDDe0p70Mw5AaLDuGg1RZ7Gx/vJuivlKStczCcZh3YoTZtxYmTSswsPrI+PLBQm7N6r5uY4koFpW6DTxVec9+Z3bOyd3NNoNIVwVp7GYEw7UXxNA1X0S27fNLtNirVa0mSE0PdOwg0yoiFSs+mwe6uLDoW+kARCBAJqGk0gePqJXXt279WFRok9EMO/s26ZSRVEJEBENC1r2tRpp5x1ltlssmTAMMxhh1UDhmGYIwsi2rRpEwBccuHAhecMfPXLXzEMs1qtkLTBX4ErfEToj2pXJ/hRDHmTlsvhcBBzUHJV8zkFnZ2ExBknsdiQIrR5fiI2JA36RmdhREbVx01IyF6wAQGFpjdNszKxcsWb11y2/iIUZBimEP4ceArmEjrjoZOSFiqUdKrCx7Tc33ZahXybogS7T1sOcRG65iYnGueHizgxFIhEYDSbCDh2qPHYtqeaY4au6SBLKCqSKHj+nUgfIYRpmIuXLf3lbb84Zs6c/EUyDMN0CV4NkWEY5ohjaGiocejQilNO+fo3v2ZbVrWqS9v2Xx+I6L3bzSUUKZ/3YTv4QKscRkzamT5PAZ1lvBKA0E8BC9MMVBnQKiJzbYP4TzrYmsSey0FP/wkcU8BNykgaOkHKamHU/44ESRe1JGGyBkb2IATOfWywOtyk6joGXOHiril6BkRzT+1PgL7ZzpGe+UjuXoGAqImx5tjkaRPf+JZ1K886pdlsSElC04KyQtDpVsUZhE+VWiHIKfGEbgZZjZqTlGziL0/ILinPxVY26plA6CujCODPAUMwmoZt25VqbeeTz95/x4PSJKFh6uSIYvdgr3xHr0DfEGdNTaGJSwfOr07o/YM//FD+DBmGYbqEfrgNYBiGYUJcf/31ltFYeMIJ//TFL1rSqtaqtmU5c4h9d0npsoYCbFOIp6C0B92CyVNpDaj537szRuxl7PgyYY8rzYcKxJArDUvwjmMJcpPaAokNHa2I2oJsW9xZ8W3pBZ2Sde7jlQ/N4Y9mldmVMPobM6ZFJOlCSAQokGRIv3tt7ODc+ce/4dp1C0+a16g3nHnpSEBI4eUPSSEPRYtSViZRL0ioBAYTFJKkvEn7ATPcayJ+aWD4V5tlFqSNXpomN7W6gfMyW0TblqZlSGkLoVkN+ZuHf3vo4NiEWg9JGyD/fSshXUwBClzPSCA1Xa/X63PmzDthcd+r+1/KUxLDMEy3YdWAYRjmiGBgYAAA5s2ZY1nGiUsWfvZTnyeQlUrFti3F43d7D+QJngZClx/y43gPyJT1YF1WacEp5QETklL6+xUhGeVJBjlIOy/lnDP1IHbxTHKZEvSelaXmzaiItQqfNt8x0W/YWvMQUCASkq5phmkY0jh99Yp1GwemHz11bKwuhBBCAAFFooIgsGhgGlm1yxI7ukVIOwhtHOeogYxVMMJpW39Se5e/PqUtZdNoEkmBUKtUd+x8/qkndlQ0HRHIeR1iwaIzt4W0Pme9C4S58+ff8J//acsCMyIYhmG6B89QYBiGOSLYuXPnddddpwmx8rQVn//HL5BtCaERuY+MkQfVlLfG5yHgKAafVtNzUw3U5y02HHpdxD51IXlyirk2mLgztFt1XGt3svAQ/RI9MqehPmlTSNJ2ZGobpZLeH8K9K3tSipdSkUNwln6y1+Y3t1Nc1jSV5HkygdpgZAsCIhEIIVBgvdmsTapevuHitVdd1NNbbTQamtAQnWkMiJE6xwP5Y6WBMkEBlUThGWerZYkkN0+gc6e0YRcoJG8R5JYYCAgRpaRmowlICIAoyIZf/fK+Hb99plbrkbZELK5XJVsdaSBEkASaJoymOW369Dlz59m2vXnz5gIFMgzDdA1eDZFhGOZI4Y7bb586ffrnv/AF27aEEEQSCDJ8gDTSJ0b7Y71xXywlOjrPMzNCeP0CDO2C2LdYaHO0pCIji/nsU39Pbdmo81nEJyoimRTKPzM4PSfdn5hArYkimSnDXyJdNHmsFlsdqp0GT8Nd08DVARB1TbNBNqzmor757/3jd5x/6SrbNo2mqTmvS/BDVgrIavmgzHNVRr1Vy6bENxTUAhPJrlMobf7bAVG+9zM6dyhElLbdbDYRQCAiQkXXn9n1wmPbnqxoFSxkZsDajKJjlgihWbZ5zMyZX/7yl19++eWCJTIMw3QLVg0YhmGOCJaedNKSxYuHv/MdIBKakBRYxiBC9nN67AGXglvjj7/KLWmkxPkq92LU18jMp2VJgs3toHByVBbEAxPyxwt04keV5uiO3+oEuQkP0ia7/4m2Z9Ypn/iTM4+QooUhAxAR60YTKrhm40Xv/v23zJ4zq9FoIKAmNAyf/jZC2bsxQJ9lhrrMNOEgm0KHEAD5bzRUXerkpYnMsor8+DuI/HkEOc4BERCCZdmNpkEkUaDzhlvTlI88uP3g/kOVSsW2bcC8wlcOInUBBHd+hGkavb2TZhxz9Ne+9pWbb755cHCwtDIZhmE6gFUDhmGYw8+lF1+8asWKLVu22CB1TYAkZ12uIl6H4um5tTNRLwinUgzzRremkt9ViI6xKYyJegJAhUcloxuUHkaKiYkSQAcx3yqjkil70DzBhq5Dka6UWqZ6MDmfmZ1JBvEyWpMYEFETGgGMNRtHHz/9bde98dK1FxBZhtF0ZiX4Q9YpZWRWoksnI7Wbg6KzZ6lrWXE5SVYEQ5wU3n5AIIgmyK0CEEQ6W2Z6BMuyDKOJCOhIA0QVvfLC7hd/u/3pWqUKRAio6pcpZaQV7wfPuCEpzrsegYQmGoYxY+q0f/mXbz/11NNE1NfXl7MaDMMwXYXXNWAYhjnMENFPbrrhkYcelURVXZdSZg+r5veNKPwrM9fsnDHwL2FXZ6Rb24qeTvFNMjbEjlY6jMpjksMVijv4SUVmVTApfcSavCWnJw1NYY9Hq4dG+FNcy/a6hX9U15WNkPPs1gURyPXoBApN05pWU6I8eeXSq65ZO3/RnNGxQyBQoAjGKHgt4mSiXqVBsZxCqPnyBdZHc82XJkPwyu7FGPjdxuFB8sSPRJXMpKza6iFEhAJN0zQN06sYIiAhSQtuv/XeZ556tqdak9JOFYOyqqy2LfgGUqe7IQBpujZr7pyHH3jo7/7ukwAwNDR0/fXXF68ZwzBMyXCsAcMwzOHhwgsvfO9730NEb3nT4CMPbrPJrlZ0W9r+MJQflKsg5yNyAckA3LLGPbg98sSdJ6C49Tf2ExmjpJYHFh3Vz+mNJBrqbU0LSUgrIWlD0RPQmUqTIs4o5pKgX191Bm2OvPopkuNDcudSmFD7BfInx+sHANQ1HRBGx8amTJ90+caBq9925cxZ00ZHD+mapqHwRAZshRt4YkqBtfNa155a48qUdnLtzRsjo5SeErJpbcvsikltnUj+izTaQPkuCxTQbDZNw3S+OSVIaeua/szOFx7f+mRVr9hgA0DgzQnxKIl46ET6lRAKuCD3BzShGYYxedLkP/qDP/rN448NDQ1t2bIlPXSFYRhm3OBYA4ZhmMPDrl27HnjggbcMvmnr9q1AVNUrktwRLSLvNWBJYdOhPzEo+LewF5r6mBoYEk0eck81SnlQ5Li2nfhClU33grwdaapA9hM9pXxTbUbX50xe3V9tZcqnVNOSa+4Pu/u1D4RA+BWPiSZ5/dKYJYcLalmJrVUPAQFBoEDUK7phNS1pLz9j2YbBy08+bZkk2zBMXde9lJ6kEowygOTIAgz8i6O84EPHFkZ1TnJklBxOkLYZwz8hCs41SGyKsJiQmo9Cd0AAIIFCEjWbhm1bAP5JQ4EAALYtb7v5Vy88s7dWqVA09qtkN9695BGISGhixowZzz733Hf/Y/PMmTNXrVo1MjJSbnEMwzDtwRImwzDMeLNp06ZtW7fOmD79wIH9jzz0CCDommbbUjircKW7DR6JbkdHkoGTc4rHGvWIIhYlGaUypWVo0ORxD3hIaMhcXhUGvwAoRYKsukTdmmjsRc6+AJEjU+x3zQr+idiRMFelsJiT5xmj2LkOXh+lPcFQrN0REFBoAlGrN0anHzP14rUXnLKyr1arjNXrJEkIDZCQAAPTE5LePKBSDSCt4yW7yp1eHEVUpUAfieSR7EVnXPyBP9Ga5D+Z0frnVw2ce4szEQCIGk3Dtm10RDByT7qUslqr/Wbrkzf+x0/BdNISoNMUqou8sMmKmhOAEMKyzGqt9sE/++MffOf7555z3sjICEsGDMMcOfAMBYZhmHFlcHBw+vTpw9/73kt79jzy8FaBqGu6lCQQoyvGdUB33O5cwbLKolPi8w/rQDOoHbFC/mhwTDU6vpq/cqr4/OK2FCZhhr261PJNyds+0ZkKZRsRctURAVDTdMOy69bYaWef/J4/fPs5F67UNa1ebyKgrmneGxhdzx/dhswxMt763u5UlE7OQvktmCEZ5I5siIf9J6VpG/LfgSClbDSbUkp/7UMAcF68gAIbY837fvWQWbeE8M4pJYYbFbVBuQkBgUDTtBnTjv7lzSM/u+Xn27ZtGxgYKKNEhmGYcuAZCgzDMOOBMy12y5Yt27dvv+mmm9atu/ypp34rhBBCOBGwbTyTKp7I2w4wCGWbFGuQEmgQ2lqgLkeEehBTQ3JVIOfikcUsUW3JFGtihmQFGiRkgq2s2q5XZ3aEukNSKA36nlY5YPgDIhJSo9mccvTkDVevWXPlRZOnTmk0mkTkiwVe+QihqyLJsVedQUzY1e0Y0PwzFBJSJQVUBD+qJyjkrVtmlEu4k6V59CFFiIgQ0TBMwzBUaiHatt0zoeeh+7c/cNcjVVFxEiBGOlvBM5TjxiZQ2NLWtMq1115bqVYvveyymTNn8iKIDMMcUbBqwDAMM04MDQ1NnjTp5ltu2bB27Y4dO3RNFygoFCKOyd5SIthu2GxihurR5nTJQLGvncocHulAvdB99iGpKYutg690svLaVEQ1UCXCyNa2Dcllh2q4tdDcB9e5L8m/9oQ2BEBEFMKUlinN5acvfft7BvtOPdEyTct2Fhwh9JabQG+9h0C0gWdbgllJ8xQUqkFZA9sJdgT/tJVB5Ey0PioNTygp5+INuS6iYMiH3z2i5REAgGmapmk5jd7qdQgASCQrlcrBV8du+fFI/UC9onlPyN57NDpGEXHlr58pCWZMn/alr37t0ssuu+222wDgm9/8ZgllMgzDlES3NW2GYZj/1xkaGnJmqP7Hd75z7VvecuXaNTt37NZ0QSCB/KW5/Zna7WgHvm7gH6OarJ4/t7hqUOCljMqtSTMUvAd39dfxIuC55R2CVQorASi3apA3VUqQQJEx3VDPUE9bT/gSTpft9GWOGLvbCp/svLEG0X4XnYkAgASEgOTKAJZtN21j+tFTzr9s9QUXr9Y00Ww2AYUz+4BIAiA4oUFJQRGJV0BchXP/pMUapAgsbV8iBVQDdR9Bd4NCMkjLK7imgWpWUNzElg35iJ/s1osPiAjAMAzLtBAx0OncLoAIlmX39vaO/OLuO26+p6ZVobUKottxKHTS2zAr/ClwpyciKentb3/Hsy88f+xxs3fs2PGNb3yD357AMMwRBd+SGIZhusjQ0JDzYcqUKR/5yEc2rFu3Y9cOXdPIJkAiohyL/wU9nYybdlBvaHuyQtwlTl0fUWlFJq51ISOjDuS4aQd5wigCqYMDy0mkqAbxzSpZRZFfpj2ZVgFEWzxiVUw+cd7lET0+4VvkUHXZwS9qNyyHGpArXSqB60QTwiZqGk2s4rKTT7x8w0UnLJhTr9clgSaEK+25LmikOXIFSfh2KwWCtNPXDdUAUk5QtKxgQeEOElUNsvOKqgaQXIdiqoHn08cqFNhiW1bTMEjK6MlDACAEtG3ZM2HCvj2vbv7WjQf3HaxWdGrJQ5lKW5Z9yk8B80zbOmrK5Hvuf8hRCgYGBngdRIZhjjR4hgLDMEy3cCSBXbt2LV2y5H3vf/+G9et2PfOMJgQQARB1uvhh8rBm60M7jlXHqkHclpSjU6IiIjHH3SKXCpCRPp+debyk4kmKqQYpBUSiS9zwe+89kDmzzRe2kaZEZB6edrow68ct3X2zqRBCaIbVbFrmsfOOuXzDRes2XjJ1xlGjo3VEFF6dvQX044HqRdtaMRem6Okr4WIoFFoTaG21oW3faKIHYexDIU3G/+MFQ4ArJ9hSNppNktJ9vaGzx5vZReQkRk3od95279OP7eipVoGkmwnGiygDAu/tDAgAhmlceskVDz746/MvuGDv3r333XdfeSUxDMOUA6sGDMMwXcF5Op0/fz4irr/yyg3r1j2ze7dw3+TlDbJ3OpqueIzt/Mm2PNUgw6LIIFxkuDkif2Dgp21T4rYVlwwg5idlyDcuimD5QLpszUHtthebnlAARXy0YppKvKy4Wxwjh2SQdri/J2ZKgZoLRE3TbFvWm/WJR01cPXDmlW+8rO+Uk0zLbDYamqY7r0F135KArX6CzpsTWmevUBy5ItygoGqQ6MQXawAM/SlO5O4Q35soMqRmWFgijITIOLaglxMCWJZpNJtAIAQ692SnjOBovy3tnp7azqefv/Pn95IlNU1zuqji1GbPTcplc1AysExz0qRJP7zxxt3PPLt///7+/n4ONGAY5gikxGcvhmEYxsWfAvvYY48tXbr08ksv3fPCCwIBEKWU7vhWaS9ajPmv4bG6oiG1KkemQ1c9crA/PSExjl/xvJ4W799+vEYh7ynkMAT8RoUxwUDswL6YqeGG9ac6q1HObci1LZJBSoCHm0eSL0w58lDrKcp5KJknLrGCiS4ptjL2PyIgIQEBOvHoKIhko9GoTqj1nbrkrPPPWLB4LmpUH63rmq7purPYPrhLHijOS7gZ8qt/6nU3oyv0U/QSDhOM9Ve3Qd4LIqP355swlPZ+gYAwqJihEEyTz4ZWFtHSydcLAAAIEW0pTcMwLRP9Wy0BIkrfFFe6lZomTEve9P1bH3/o6QkTeqS0nXOgvkVH5lVlEpuh4AkWRASa0F6rj1562WVnnL7yg7//B7yWAcMwRyz64TaAYRjmdw6iIYAhgEe3bj15+fJzz1198JVXdU0DACnlYbYtJ+HQ3PiU4bayC/leCR5JfDg7uEdxJLoOQ+fiSwYJLZDSMLE1AZTHBhs3ezw2q5o5JIOSiRgVMkDRcYpIBgkQACb3SfLHmd1ECE4XcWQDAQiNZpPQXtS34NyBVScuWzhhYq3eaEqDKtVafB67Ei9XV4eI9c2CIl3E/nx5OApIGeS7vgNyTHBLVEUrTN4DY963+5mwFfHhzz6wbdtoNi3bBgBq+f9ARAit6WEAQARC03/7yGNPPbarp1Yl8OcmkHcBR6+7dm836AsmjoYlAJumMWPajA9+8A/vv/8+lgwYhjmSYdWAYRimTIhoCOB6gKPvuefNfX2rV648eOi1aqVCrdcldN/B9WnbpY77etRhuEF81M73zwpaF3PR2tYMjtyH9MQqBcWX3BHgaoWmw26IoROQM7/ud/3QNArXrUUCQhQowLCMpmkcd/zR516w+uQVfUdNn2QYRn2sIYTQdOGkjio9mT61oiUiLaI6X63sVZdWWkO1ygvHVRS/mFpGUSCz1NqqIi86JhhuUECidBenCBzl/LMsy2gaRLbn9ju6Tks78FeokER6VXt1/4EH79lmG7LaU7Ftu2VLmbROGXmvckRdGE1jxYpT/+vGGzZsvKr0IhmGYUqEVQOGYZjSGBwcHB4eHhocnPSLX5w5adKGgYGxQ6OViu6HGJBi7LnzB/DYc7biwTt/KWp1gICCY6o5c1KjiE9ufW1vNkQbjZi/kPTM1V6Oe0zYoVSNWyZmmmYOhMrMHdzduaNHIfPDdUkc+i+0PacdCXNLojEISESIgJqQ0m6ajSnTJp+/6qyVZ62YddwMy7bHGnUAFEIgojsrwTlMWZfYqXPjF2K7VMPv5bqh3QiuyZ1hrAPmzlBZRFKyHAVQ6zcAOa9UNJqGZVrgvfLCyyocXkCAiP64/28e/u2eXXtrtZq0patmUjBSqJSmDoidCEAoNBw92eHEAAAgAElEQVQbq8+adezKs855/tndK1euLKMUhmGYbsGqAcMwTDkMDg4CwPDw8Csvv7xq4cIPfeADo42xaqVCNoGgVnAqABSYCN0WseftYjEHycOi4SFVCI+mxkqOjCCGNieOixYZakz2YMcPAsCUgnOZVaDOqgKS8kz8ptoQ2U0JnnP0uHhPGCe8Ngt5mOiP4gICgBCCiCxpGc3mxCm9K04//czVZ8yZN5uAmkaDvJUNISoZtNWXih7UqYyAwU+udNHGfUXR9/JmklqDtiUD9a6MmmFrVoIn0bbuMMGZQogk3UUuEYAquv7i8y89cu82HTUBJD0VCJIkg9YdEMHRUtOJ7vdCH5AEAoGcP2/+TT/6kdXl/xAYhmE6h1UDhmGYEnAkAwCYO2/OvPnzP/rXf31obLRWrUop0RkCcxMqw8O7EG4Qo1SvOtEloLAzE0wb1Q0S7OnEfR6XR++AuxqN7lYaFPBZQuEGOYIFOrFR8TFrW0dmFJIPSjhR8eZzotMdP1EgApJlW6Zt1Hprp59x6lnnn3HCormI1Gg0EMNvQgj4bMWnlsfmJ0AbMfwdtT4FDRgv97OQZKCKsYonSzQ9yacmAkQCQCKwLNMwDHfZgvCCD+6rExCIvI+ITlSTbcn773zo1f2v9fb02mQD+QJMqkFFCcwpQSACEpoYHavPnDZj1uTJW/fsue2OO8oqimEYpkvwmxcZhmHKYdasWcceO2vVeWd94m/+/9cOHuipVZ1H2PhU4O482KuXZy/qjJTxZrGocKBUSpxAYLUBHZTuR09jViVC9UxNmjglIKaQ5CY5faGckhIHRuHDJLlf8dycMfg8BxejYPdKa6jIaXDCBoTQhNCkbTesplYTi5fNX/eGSy+87NwZs6YZjaZl2858hOAhiP4bFv0Mw7EzGacr1t3yxPBHk5chHbV9hgrfJdK3lR45E4fAm2QgiUyjaZomgHceASkpK0ctQiFJ1qq1J7Y9fdfI/TW9QkAYuCPlVHGy08R7ghfKIsleeMIJCw8cOHbHzktefXVLjuIYhmEOIxxrwDAMUwLbt29fvmzZacv6P/93nz746qu1Ss2yJApnArYzwTY4QSGeQaejhGrJoOxS8tGatqDWC7pMkvtCCduL5lnssFZwQXBLMiU1VYGWp/CHQFVJoSZkknOYNjIun3RIogVu3wr6/4ia0GzbNsx6tUdfdOIJZ5y1YtmpJ02e0js6OtY0SNM0N7DcnY9ALTezSyT1v7R0r0ci9pcVbxIP13GPJe+XZVuGaZAtndkoznZUvb2k9fZFQCmlpmmHDo3efft9YAFWhCQ7+yx0cm160jFJ0nQxVq9Pnz7zwnMv2PODH3x8504AuL6DvBmGYcYBjjVgGIZpn6GhIQDYuXPnwPnnX3j++V//128fPHCwp9Zj2XbrNVqBUIP2Zkyn441yZg+b5xnSjI3gjjfFYg1aKSm6ISGtYlA4qzhUOK+RAzHg/YazK20cOcGyLmY4Plb7TZcnOoQCnwOKAaLQNEmy3mhoNbF46YKBy8+/eO0FC5ecQCAbDUMIoWmakz6whAEGggtC/6J25lRClPYrZysU7iM59JsOfdr208YPDm1JmJ6A4d8Y25Joluf+S8M0TMMAb9aB89tZ2DKW3C/UkY1ktVq7/dZ7H3/4yVqtRiT993SqiuoMv/MgABEKlDbpmj537mzDhn/48Y+gr2/gpZdYNWAY5gjn9S5vMwzDHDYcyQAAfrN128nL+3/wgx8cGj3UM6HHNu202dFpwkHKQ6pquDVvQmX2Sc/yngtT9IG50P8n5PzqeIZCaAI/uYeHfMugK6ByvYr/N9iSVaLHum6p6x8oTI2MmGYUoCBnvATlWKctKefcHS1fdhk7M6ZRKBy51jlFBEShacKy7abRrPToCxfPP/PsFSf1LZ4ytbdpGc1GEwVqQnPGoP3z75yGwEWKgICtslRNkHxFxCfepFevVY/Qx3ih6QcHQpfKEiLzneccqkHctoSR/2wUWRGRZVmWZdq2BCBE0TIlKhlAS7VAICIEtG17Qm/vk48985/f+QkYhBqCDJnZ+pVoS5F6eP0KEUFK1ES92Zg+Y8b3vnHDn336I31z+kdGRkZGRjKzYRiGObxwrAHDMEw7+JLBK/v2zTn++Bt+eEO9Ua/1VG3TFsVXVEsF3fjr2E84Sb7B2tZPGHB/OrW0swPaXlWB3MPQOz4ydOkX16lkEDgoFJaBEIwtAf+URQ7LVWC65ASqmnVOnv6TaFBbZaXuDo3Q+y69u8gdEhAiappGQGPNutDF4r5Fl6678OJ1Fy5YPA81qDca0pZC0/zV8ltKAbl93S/ONUcVZJBZz1KmFam6hkJfwqTdZdGOatBmL2zdccI/gIGbnZs/AqDzUg8UCCRN07Isw1lo1rmR+Rkqm9Ef7AdAaUu9Uq2PNW++8dYDe1+r6DpJZ0ZDVlXULZ7jXu+eXZRAQtMs267qtSUnnXioZ+xTWz994ekXLpi+gFUDhmGOfER2EoZhGCbM4ODg3r17AWD/vn2TJk688b9uaJqNWrVKlhQi7T18OYh4VNj6l/LTOaXkVrDmno8Q1izalAz8vzmM6KymFB3yD+QVdXjiLlZ0iLkwmZLBuC4iQary8lkQ1lriO1up/Ak+zhZEIQQBjTYO2WguPXXxtde98Z3vv/rMc07rnVgdHTtkmE2hCaEJr1e5EezoD/n6xYcd95LJbAYK6CKh76EBdiJ3DxFQpMWVzX/4KaE1/YvH+eCcNZKy2TQN0wACIURQMvCg4GdHbiD3zRpEJAEJAe++/YHnd75Yq1UICBAI3HVrveYsuU2dvJ0wKClp0sRJ//bd742ZY7SZYEpLgGYYhjmS6cb/kwzDML/LDAwM9Pb2Tpw4ceqUKcfOmvWjn/zEaNZ1XZe2HRzVLJGSYxcyiVagYPFFrY1M/C5yeLypcw79dY4/kyIUoKEY6fT+BbZQLEHo+A4tTJ79cWSSfL20LiUvRgAB0Ja2YZmVWuWkZQvOPn/lSX2Lqj0VKaVpWpJsTWju6/ec4WkKdixnXdJY+0Y3qE9AfGv29IrAx8Sz2pqTk2MGUVdpJ9Yg6TB/OkHoa+wQP4qilc45T4jOsoZuyxGQZZqmZZG0IcdNlvyrgFqmmJY1YWLvE9ue+sn3brUbtq5pROSkdSYvJF41aaVlmOJc0kQkNGFZFqB2yZo1ixYuvOPOOz/ykY+sXr0ax/v+zjAM0w78DgWGYZhibNu2rb+/f1Jv7/SpU3/8kx+bzaau62TLbkkGJeenzrkTqzNje3PZ0UYWipUDUnN5XT2cR/yqI4V4rHxhosqKai66W1QgOAAJyLIt07Z6Jk04ecniVeeesbR/kaZrtrQbjYYz7KwJzS/AHZ0OR+60vrQb0uL796oMEiWD5EPcEfHXWe/MR6ANknRBjCQIKnDeGzHRtqVpNm3bjmWScXEE1AiypazWqq+8dOBXt/7aONTs6emRUoI7YSU1aKOMKxCFI4bQ0TNmfO5zn3P6/PDwMEsGDMO8XuC7FcMwTGEuuvCC009bMTIyUm+M6bpO0vULoiPHZdClp8pYZHbA9g5jDTo4qBitkcGQL5F3pLgz/MDoVkuqx1zbjDVQRC3kpKxYg1gGCte2cKsmOM7kZe8uP+C+6cBxrqSUlmURyslHTVqy/KQVq05ZvGRBtabV6w0iEkIgIhEQkRAIRCFnkVprVHZopL8vOatof4yfBWUwifIaPzyxBvnki9i8mziRjg75so6EHggAsizTME3wgwIkBSJI4m0UOj9E7kKHUkoCQhI/+9HtD9+zrXfCBCDpTP3wzVJfMtlnIeOu31qUA4iIPvpnf3LHPQ/MmTuPiIaGhlg1YBjm9QKvhsgwDJONMxa6ZcsWAFi75rIF8+f+8s5fNRuNarVK0vZiaLtCN1UDb0p+1NdGRdp2yxh3EhpsHFSDeCmF+4Sba/vGli0ZpLpDpakGXkOSu+IdoKZpgGDZlmEahPLo2TNOP/vUdVddet5Fq445bnrTaBqGKQQiao6ygIF1CwJGh95/2qGRqahjJZJzDxVxxHmOWfbkmaRA6m+KlMoIEESU0jYMw7KsYBYYOgRTblZEQOBKDASyUtEfum/7Pbf+ulapCj+8xTsZ6pOV6zLKPHno9GrLNufPW/D4009/5z827927d/ny5RdddFGeAhiGYY4EjrT/qRiGYY44/PDpf/jsZz/8kY984N3vvvfee5um0VOrWZblOy1dmJ3QfcnAJ+hthobCO7Cgy//DJIR2xNqse20YVw38v4Gx0MiAa8ilV8UaBDyihEySSB7iLkaiZBANQikqHDjjrhBpJC9vRCBAIVACGEbTtMxqTZ9zwuzlp/YtP23prGOOFhUcq9dJkhACAIQQ0lkAHwi8NQzcyIKWSxgqI1+7dKYaZJ2FJB0j0nEPQ6xBkHwRBxSuTuT24fVc3ytPyBRD1wsiSikt0zItg4gQRfiSSYiICuFHOhAR2FLquvbcsy/957/+pHGgUe2p2baNkaiUJJUjLxkvsiUABPG5f/mnv/jj/3bfffcXzZ1hGOaww6oBwzBMGr4UsH379r6+vuve+faHHnjIsKxKVZeWhSjc59PQumsl0NZAbr5s3U9xl0oV8l9OYV0gpnD4pY6zahAuIeTqA0Qd49j0hEiShFxThICgU5aZOCeKlk0cOM/ZUf1ggtZ315FsRQoIoVm21Wg2AGnilN7j58855bRlff0nTZ1+lCS7aTRJktCEv0Se77Ji2H8FQH+iQ3bNEowtgkIygNSzoBQO/I6bsMhDTvNS/fM26KAx/O/+DTLSXfyN/nsxpZRSStM0bFuCHzhCil6erhr4R0giArIt+V+bf/7kI09PmjjJkqZ/1Sjud+1fOqpzhAAAmqaNNRurzzpn+swZn/nMP7RdAMMwzGGEZygwDMNkMDAw8Jvt2x964IFPfPzjDz/4oC3tSrUi3SiD0krx/R//veXl4mWJAMnvu4ukTv/JU2SJqMYxlaWG4p2TbAi5CxEn1D009ilcjPMrK39Qeo8ptqskg5yU0xkLSkfp78v0ehuS85I8t/MgECIiISCgpumIwrLNseYYoTXz+KNPO/P/svfecXZU5/3/85yZuXV700paCTXUFjDGDQGGBdvIoirGK8DGGILtvOLYTlx+dhIXreJviBPbcZqd79eOW4IdLGGKaaaZFU0guuSVEBJCIFHUu7R7Z855fn+cmbnT79y7V/28Je3eO+W0OTOa53Oe85zeC+a+/5zz3zf15JMMgx0sDVuWhQyZpiEiAaHjVIDOVXPkFnQ/IjrtGewRo+/ZnsaK/5bYaJ7fThuN2tzH0If6kSbJcDenCGelaJ1JtgBRqVQqlUpEwplbQs61rKJ3k7zqCLK3ZPTMC8uHnnn0+XwuL8iSK2wEZYg63DzBLiTnzGgas0yrra3t5/990+DDg0899dToc1IoFIrDj/I1UCgUigr88z//8xe/+MVrP/axF154npMwNN11cK0PkSOPdcU3GJ5k6FZTp5SH1qVWsZ4FEflVNPg9CSak6THfY03ikMGc7J0ezLJ8jGtnBDZEn+/fUE/Tx5fgaFSD6GbzyDOIDBhqRGSaJZOsbM7omTRu9mkzZ8ya1jGmzTD0klkyLYuIdKb5rqrvAntVA1/u0VWomzNN0vV1vlX0NXA+Bloq5KBSPYddOIjs+b6JBYS+ixj0s+Ccl0ojnPO4NTWCGcYfQvbcAwQgQ8+8tWnb4l/cPrxvRDM0EiLstlAnvQ0AnFYi98KiprPhkeHLP3LFO047/UMXzm1vb69fZgqFQnH4UKqBQqFQRCBfWwcGBhYtWkREV1111aqVK4hIY8yWDGDU75r+90s4lE9k9P+IhZJMncjjU+Y9SuJDpkfkV0E1qM4wTvLAjxRgotWNOFvKl1qyahBtptZzSkm8qJFI2Gj3twzaA8YASCSHgIEhWoKbpRLTsbW9dfLJJ8069eTJU09qaC4SCrNkci6IBGMMkTmF8bdQkmNIQMjByDrV1GQJpmp4Q02qQeSkiqo5Mm938fcWAaBXOPCKBkII0zQ550SiiryiG4YAsPwYYwwsdsuv7lr/0mv5TJYLHi5ZPSUDCDa8rusHRw5Omzr1d3ff961vffPb3/4/dc1MoVAoDh/6kS6AQqFQHHW4I12zZs0koqv7+1etHCIUzJUM6vuieYhJNfbuOaRulTuyunQ6u7sS5PGCr3xweJA4vZWaNpPozNKT8gonmscY+A5+e90/jAyOxIbAGAoibpoWt3IN2alTJ808dcb0mVM6xrSxDCPOR0rDQsgJ7ZqmMc+Yc9nerFyi8gaqUJe0VErhUD0QfGrZYbyfys2ePvN4byByA5cSkROu0r5AlmWZZkkekNLLACA6koz0YaGycEBZPbP0D0++uua1nJER6SSDam9Dm6i7ijFmmmZTQ8M7zjj9y1/6y3/+wb/VkLBCoVAcJai4BgqFQhFBX1/funVrzz33vMsvv3j1qtWaJudmU2iCbY0vmQDOecFhx/oTMbqXdGj9SlH/+lROMXmavaTasfS4VkGfaRrsF6mnVPgTjLeNfcnXwYm9SryZhEqH5YYvdzfZcIzZ8QuF4CPmCEerravl9Pee+oGLzzv3A2edPHNysSkvkFvcFJwAQNM0RMaYtAyxHOkjLm/v1uBh6PyNODu0r2K160ZEgXxdyZd1YsOnyKE6KnvfxJwWp4+VdQB3ZUyJZVkjIyOcW+CdsOC/2LGFiJAMyEkHAYCEyOXzq/+49uHfP8EE8zzZ/ImH1KbYGiaVxv/ZieGByEzTnDl91sSeCagbfX3ny7V7FQqF4lhEzVBQKBSKMgMDA4ODg4ODgzf/76+vvOrqyy+5aO3adbquMUQhpBkYmJpQk2qQ9OJaZ8pGScpsbGM3tbF0dE1SiB+QjjBqIkYqY9OMspMdGyM0PFrtRA9PmvGeIeUEI/IbPRWnJ4QzCU1JsFvK0W0YYwTAObe4BQwamgo9J42ffdr06bOmdXS2IQOTW9zi0rmAgNDvxB6YCR/MMrI4KVovZqpHHCnaNuaQyD5Qza0feNRUPMcVHkZzv9VyP8d71XhdB1yrHji3TNMSghPZi2jWsGpt+C5wN3AuMpnMti27bvv1PTs37zZ0nYg8eXh+Y3CDtwEr9DavQ4abiHOOpuvDw8Njxoy5tv/KV9988+/+4R8AgtEcFAqF4hhCzVBQKBQKGyIaHBwEgMsuveTKq66+5MMXvv76JsMwiIhE2WZ13A3cd8YqBqgO80tj1ZIBOGNltqNv2uPrOrEhKZ8oazBkKdbgaOD1ZE/j0FCzcRZopbBjfTndsJc4QO0TEyoxiivoNjsBMESGDBhwLkrmiADK5nPjxnWfPHPq7NNm9Ewcly1kzJJZMk0hCJm8oZAch/WEgHkVkTcl+lovpV99TTtrStbfbSp0omqyx9CHaqmlspWeEghA3oUVOeecW5bF5VQFxlgNegH47gL7WYyOfMeFYBorlcxH7n9y+1s7s5kskYi+bSIcDbwPAk9vijwRYy8gQ8Ytns1mppw8ddv+fd/+zndOPeOM/v7+quqoUCgURxVKNVAoFAoAZ7Crr6+PMXbuuefO+9D5b77xtmEY3LKc91rnVdL+nW5kr7K/fD1J8qOPPsy1sci3jezTUmkHFauXdipAhb3RtUtDVYZJ0iWNcDuoPPAfM86NEGHbRmVeFjqiHABq61yxIoFfnfFrLFEnoSN0IDLGkIhGrBEuuGaw1q7myVNPmnXajMnTJrW0NgOKEdPct28/ygUXdcY5jyuNR7eKN86ioKCpV+Haj1bvijl51DJaemO6Lk8XCnyJuiK+39GXJMm7gsySaVmcQACA7CquZJA+ooFzvK+BEIBIAKIMp6hp+hMPP7X2j+szegaIQg5i6Un1ePcUwj6JEEzL6mzr/OlPf/nd7/4TEQ0MDCxYsKCWIigUCsXRgfKVUigUirLv6rq1a6edfPLF8+a9/toGw9AEF9Lb3BPNy305TGXJHE7ngqAWUMHI9lvhdpWCBm79l1SodHjkdIDREuGanFgUXwHKMxRiFk0Iui2EVzYI6QYJ/hGuq3+ogEHLrt4kuGH4K2Db8UgAyJChxoDILFklXmI6Nrc2TZw0bsrJk6bNmDJmbFc2lzHlGooAGtOQoUxFBsy3w+b75nRg2PT3lyVew3BSSOpFMSdFbY5ySElN4gyF2MJXHLuP/ZaG0C0f+yXJ0K4iXykHWFbJsrgQIvqq1u5u4CslAuOcZ7LZ1SvW3r3kASqBntGFEP4JQ1EuPPHPuvRapeuChoxZlqUZ+nnnnzsybO3ctbu/v7+/v19NT1AoFMc06hGmUChOdNx31pdffnn69OmXzpu3cePrmqYJIQQJlAe4L55BGyqJ+LfECsPVNZBmMkKsZOApCAXfpKsvXvzhsUa7j0STrwbCSkjiMU4pwuUJFSwc8jDUS9I1YCDlspJAYeOmPiS3b8iOI8eWlyOpiCgjFgKYplkyS4TU0FwcP3HsjNknT546cez4Mfl8jlCURoaFEICaprFId3Qikb56Hhux1i5UuXPGbKvlJki2QmtTDWp3uEnMLPQpyZKPdbPyuAAgY0BEpmlxbjnrF8RrJbXENSh3B6npCUGGbrz91vbbfn337i17ctksJ+50XW9po1Qn7xM+QX+Nl6LKdUfggnrGdXePn/DL/7lp7ty5TU1NS5YsqbaCCoVCcVShVAOFQnFC476tvvTSSzNnzrzwgxe+/fYmQ9OEsL1nnRFRqGHwPXFSrK8U1RY7PtH6qQYQsorJY8gmMFrzCz3/6kFFR4O4zY7xXlYNQmpPrGpQneYSrvIh6SSBHGMpt5QdoRDKlx0ZY4RgmiNmqSSAio35sT1jT541ddrMyWPHdzU0FAjAsizLMkEIxjSmaSgXr8SyCSZ/lGPUBeapx5UrlWQASV0odGpiWrWIZp6TD4WvwWFRDaIcDbxj9MFdZdcQlFeZiDi3LMviQgARYwAQOwchnWQQ1NC8/QYBiEDTtIMHzNtv/v361RsaCnmLc8eU9z62Ym9/390c96xMdmBBQETTsjLZ3M2Ll3zvu//UM2GiDK+booIKhUJxVKNUA4VCceLivq2ueHHFae847eyz5+zZsSOTyZCwrRn7AOeX/HEIVAO7OKkTTkg0VjXw2/u1+hokmA7hYyK2paxjtJd+jYQrlHAkBs0Gz1KOKVWDUXQW/8yIUOHqSPTld4JZ2BmSXPwQABDlPWBZ5ohZAhSNTcWxE7omT5s8bcbk7nFjGpuKgMAFtyyTBDDGGBIA8yyox9wqOv3QtvsCqkFCVSuoBj49K0Y4qEK+qrLPRpycoBr4Cuu1a6tWDUZzm6RWDbxfysUmAMe/wFlVEYnAskzOLc6F3BuxTGKgFBVUg+hLSGUnAiJBgMiYfv+djzzz6IuFXI5A+rCkbNd6qAbOrpGSNe+SD2/bumOkZHZ2dnZ1dQ0MDFTIXaFQKI56tCNdAIVCoTgyyBe5SZP6lj3xxNhxY+de8MFdu3dnMgZ4jD302FA2VS1HUJ1qMCrS+Br4DgsXpCrr6NBqznVSDaq19zD0IVk1COVBcTvSZV9PDwu3ECk6Ido/mevHLeUCZIiIQpBpmSWzxLlZaMpPm33SORe870MXX3DuB+bMOvXkjq42TWecW5ZlCiEY0zTGEP2agb9qUTZcnaodVg282+skvASSQf+uZAs10MWo3PgRqUWdi+FNdSSy5GGvA0Sfqe/6F1iWVSqNWJYFAIh1Ef4QEHx/vWILIjryQcbILH985eMPLc9lctKtwdNcKcsRrQ6kUQ3Iri+WLD527Lht23bcfsfv9uzZ09bW9qMf/Shd7gqFQnFUo3wNFArFicgAAPQB9MEps/6la+wZf/vlL+/Zt08zdBLcO9puu2aHHPX9A5axD9J4I7CuRownxfSqRpRskOhoEC5sNT4T1Y/bjlo4oMhvVbc5lnWDYJsFQ7N7+kls1PZEZw1MeflCw6E14W9dRCg7FqAQwuLcEhYRoYYtrc0Tp4yfPnPqpCkndXa35fIZi3PLMgXngDJKPTFkbiO7+opHNsDozulanykmKcS7uDu5lLMMKgaBxCuNPif5JCSrBnHHYuC3f3g/xWj4IVANYn0NYrSwsncBeK+y1AssyxKCu12IiNLE/6s4PaGcC3hbyu01xElkMtmXh9bf8ev7hEW6phGJqp+x/rlFsfJqRAcGBJALh3IhEOH//uRn3/zGNx5WsxIUCsXxhVp5UaFQnHD09/dvGRrqGlw1/uxPnXna3P7rr9+/d6+Ry3DT8tqWqeNzeQ1Bn4hA4KxKF3tK3Sjnk6RjBEoQ7+kd0EbqRhrjyFMQSlBeDhdO7hXaNTxbIeqY4OcoIyQpmwRnhrSt5O+fAIDoRhwgIUxuccEBwcgZHS1tJ00aP3XmlCnTJrV3tGXzhmmVLNPcv/8AMiAByMC1EAVROXBBUByR9wHZ1pWnAp5KVOgbae9HckvgsTZr7kTR2lN0nlF7k10HDsUtVhv+wvjnFHgEGOd5hkCEACCE4Nzi3OKcwGvhl7UgCisIVcQ+DElb4OaOAIRcmLlcdvNbO++/8xE+wg3DEEI4D41qJYNAbcOFCW9AQgJCIGIamiV+0eUX/3Hli5OnTFGqgUKhOM5QvgYKheLEYmBgYMuWLVu3bj1n4uQrPvWFj9+wYNuObdlMVnAOBMQCQ8VeAzrO1yBA8Ll62Oze0GBmlflG1s+/KzK/NAfXNNQfZTCkIan41dppXmPHP4PAHwMiqoekaMaISoWG6aNO96YUO6oeOh2dKTcIyBgDJCAkIiG4aVmCOOqsobnQ0dnWM3Hc5GkTek7qaWtvNTKG4KWRkREhpy0gusY/gQiVqaydeZsuzosiNNod7aSRENEgbIFiTIs4lnF040Wn72/zGgz9xGsSVR3nrPjOEnGjV0Ew3Wi3Aoyx7WUHEEJwzi3L4pwnNEnY16DKtQB065UAACAASURBVBLCCXiVWeSWZWT0/fuHf/vf92xc/2bGyAA4wWsjnakiSXye+5IJ+XnIW4lAaJo2MlyaPOmku+5/8P77750796J0FVQoFIpjBqUaKBSKE4j+/n4ZnqpYKFx2+eWfveGGLdu3ZTIZzi17NCxyjcWQ434lGzj60Xp4lusOagapBq7jbbLYrbWpBgnJxRGlwiTkHswswQpLk7fX2PVE8/MmHl5pIs5TI5X44leZIvzZg9+SGsQekgUAQsaAABkiMiSyiAsuOOcAkMnrze2N43rGjZ8wdvxJ3WO6xzQ1N+oGsyzTNC3OOSJoTLNtSQhOaw/Z006J/KpBoJIxFnOUakAx7Sl3+veERLpKukAyqTpu0h1S6aaPbobEs2qVBaMz9N37TmdxzGEqG+7oTEVJoxc4p6RSDZyN4W4TmQgCAhKzOGc64xa/6zcPrn7h5WwmSyTAcZJAp+/HEv0Q930LPkAjn60kUNdKpVKuUPjrL3zRYnj1tZ9MMzVDoVAoji3UDAWFQnGiMACwZWhoa2/vmDFd5/X1/dmnP7VdSgYWt61Dj3ES0A3A+6lWz2J3UnD1Zzr5VncsSa/w6HMTLTFfWqMjZAKFmq9C7YK7AwpHYPwfos2BGmoSc6ECqSfqLZEnRmwP5VTeFjsaDc4hzjQO13T32jYyKCEDRIbI7PnnYoSI9IxWbCl2dLV2j+seP3HMuIljusZ05Ap5AuCWZZojwyMCGTBkuq75xukDzuxRhn7ArxzAmZvgbI9pjFBKyWPTUVHvQ805ik5cD8kghQQQOb6dXKxQO6Z8qoSfZv697gwSWyFDAEDGgMiejGBZlhBCXhY59SApt8TDQhude4kCjioebG8ZJoTQdIbIHrr30dUvrs1mc0TCJxPIJyCFBKtYxbeKfuLpysQY4yQ0Qz/1Xe988sUXNr664WOfvC59UgqFQnGsoFQDhUJxQjAwMACDg12Dg8XTTz/ttHd88a8+t3vHnlw2Y1mWbdQAhEaNA5Tf7yvpBkmWgjsUVk71EOB9N0YIFrzCC3I9xIJEotqvgnUVP9QM4J8tn3RwOuI83AMZpBcMnKRCw/Pe5Pw6ASb7Jbg2EYTTIcePHJEBAhAX3DQtLjgyyBXzne2d4yZ0j58wrmtsZ1t7S7Ehb2R1QYKI79+3F4AhYwikaeiavfbqegBOJDxA7+1QoQ9T+WfwKnu+RBiWyRZpYob1vq2qlwrTF6JWGbJ+kNPh5BqKBEBEjDEAGemQWxaXsxLA7lxARCmnG4QPq3Sip+ncOTXliAkIIJBBxsg8+oennlu2MqNn7AedV06hcmK1iaMJjga2HCtbijGzVJo2ZdovfvKLq66+askdd1TITaFQKI5NlA+VQqE4Iejr6+vr69v70kvj3/ve39x0094D+3LZrOAc7NdQx7CJHKyOmpIQGyTfpsLTNTwWe7Q8j9PbL3EFDnkSxFhFUaN+R74REiSDKG0iLDSR/0foDPdjheSjckTHrnP3+oQDBESUS9URCc4tLrgAymT1praGrjEdY8Z1jZ84dkx3V1NzQyaXQYaWaZlmiXMuBGmMMYa6ZuiGwTRGBETCsxpCeXw7dry2BlxfkfAaCgn3WKy+h55/oyOVo0HCzqqcipKfJJT41fc7RT7Bdi5LiWgb3tI7QAgpFHDOZfQKcoMkutENq4xT4OSb6izH48A7RwKABBBAIZ9/9qmV9976EJmg6xrn3PZoqE6BqXBowpqLMh9d10qlUmtb6/d+8O+//MUvfvSf/5k+b4VCoTi2OPIvaAqFQnF4+OgVH5k1fcb99923f/9+I2sILmwfU69hGxkZK0pKiA/Php638SRSGI2Hhfg3Z1nv4JibS2SBQ5JB5YyPCtUgSiuINeN9fSTCfE22q6NN3aQigaeDysth+37LPwgADBGIhCWE4IJAGFm9sbnQ0dU2rqd7bE9355j25pamTC7DNEZCCMEtzoUgOWSMDBFRhoMHAKZpuqYxTdM0DRACrt92JSJqVpOIEDLzvMpclZKBm2Rsn02LL213ln/lQyOKUX1+VVJNZT2qQdxDiog4t4QDgC+yQHhxhGqLW80pcr1OdMtABEJAQ0NxzdArv73pLvOAZRia7MaAThDEysmnLYCvZb3TEgAAQGPM5DxfKHz4ogsffXTZ4OAjqeulUCgUxx5qhoJCoTghmHPmmdNOnnL3PfeYIyOZrCFjGQCgY9/FagBxOK+P0bNvU57uI5XUMGqqfsm3m6jactVoBh1un4ugm0e6mSNljcn54jdW0O1Y3lSofDYkX+6Y3iEdo2W60swnIBCcCy5KgojpWGwsdHa1jT9pbPf4MWO6O1pam/P5LGOaICEEtyyTlwQRobTC5IgxAhDY47QAACA4H7E4Y1I3kNoBegqC3mHnULEjK1ZFd0i0+1KtB0quG0ZVfSnC5iS3SOAPrpeiFPXqx4EuGigl+jbH4SsuRmk+SEAghGlZQlgy6iE6S3IG1k0sp1qTo0F0AUOzbdBxQEFPtyKiQiG/8bW37r7lwZF9I7lcznmSp3+CV1Xm6DtRyhicBBF0jxu3fftuJRkoFIrjHuVroFAojn/OmXPW2We9/4EH7zl4YDiblQt6M2cib3D8ONoxOcrdIGZTWio7pI8uzWiH7/KRATskAudF3uMUn5AfxLVdHPFtdwj/a6ogBlRXAPL/SDogtDW2CBGXA20bHxBBCEGCOHEiLpD0jF5syLe2t4wZ3zl2/Jix47tbWpvyhZzGmAx3L7jwLiSByGIH9+3RVPnLvitkeARd1zVNc6QK8nYIv+VY4bIHdsc1s+v2U40LR4CoNftic4uQQOKSDRYyZe5JpMm64hh6rC99SAfxzkgAQCSpJ1kWAYHtwwLkX2a0fH6quIaxpD/d0SmkuwEDABIim8vu3rX/Nz+/463XtubzWcEtXxVjalozkTMUUG7XoFSyCsXi088+/9WvfrVYLC5evHjVqlWjyU6hUCiOZpRqoFAojnPOOWvOB8+/4J577927Z082lxFCAAEyjDOdIHJz3O/481O/46fcUYGI93vPp8gh2ng7w3OeY8dipLgQrVJE1z3CuT/u6DSjpqP67ytRA6nerzy+85QttGr8WMoGE9lzCIiEsAQHEoigZ7WGxmLHmLaucZ1je7q7u7taOprzuQwicCGkUiCEcGd6M2D+YpF0hoh2oUe3COgZ70VA1DRNY4wxFpAewtHunIRCylVEVhGEVIOghZ7axE/ssVEpp03YX5DyfRI4oLLdmuY54TOAvXl5Buirux8ISXDBuRDCElzIlGSHcX9Gn3hYVANHlpITcBABBZGR0UaGrdt/dd+6ofX5fN5e+jFC86mbB0RZ/ZEORYiyUzKNcRIg6JqPXbN5+/amlhZ51MDAQP2yVigUiqML7UgXQKFQKOqMfAddunQpAJx6Su8HPnj+A/c/uGfP7lwuJzgHlJPB5aulaxJHp1T+WHHgEj1/PRsiSTfeXQV++9/O2WPZRL9G+8/yeQiHTsGkSdr+PSE15lDK07WkHe3kUbWjQdqMULYeOoEKIzNFQCb/ACLYbgKWZVmWyTlHhtmi0drVPHHK+FPfM+t9555xdt973nPW6TNOmTZ2fGe+mCUQpmmVTJNzQcK2AAHAm2fgQ+wFLasG9nf3s+BCznh3V9RDZGBLCpBsrfkyczpFxZYOjOyHPlYmOh/bGK82eF5yLiHJAILPhFGknfIIr8rgKRazvxIRAVncMk3TMk0hLPdSentEnHAwyikJaU539AJyuqC8HYSma2aJ333LQ2tWrMvncyRIVtP/+B7F0ybm1HKMDOe+QERkaJl86rSpW7Zt/+nPfw4AkyZNUpKBQqE4vlG+BgqF4rjCfTH92NVXr3lp9fve896nnn5q3959hULeMi3bAEo70B/tP1CFl3TMofV1NIiwVZxsyf7lL0f8CVI+iKpYjK9BOMuIDYkjylHnVE3V7YaxX9KnFvKAjvSZiBpFtR3/CYAhuteIc24JLjgnIsNg2Xyu0FBobW/pGNPWOaa9o6utvbO1oTFvZHUEGhkxTdOSrgSIyJBhdH7x6kAcPtXAERrKqcsAeAhA0ulAuh+4vgmB+QtOpe1lG52AdfJHjLNDpJtBKs+ghApB5bs7ZUKVPd9DVnyFDKsuSdiXw2PxU3khUiRERgRCCHu2imUJGf/S9yBMrEyKtRLq4mtgL/pIbhcBAmDIhABNQwK8786lLz7xx3w2z4nb3cKXWpXNmNbFybtiiX2vHRgZ7urqfOSxZXEeGQqFQnH8oZ53CoXi+MF9iVy9atXgw3948YXnlj3x5PDIcCFfsCzLHnyVR9QmHMQ5TCeVKSKhQ6AaRBdbOsZHhJx3zgnZ9AmqQWViLOiEU6vzD/eLHimSj6ZSAukTTJiZ4I0WWJ4pgGR7ugARCC64EJxbAjgyzOWyhcZCU0tDa0dLR2d7V3d7e2drU3NjNpfVdEaCm6ZpWZZlcUSGiBpzYhq68f391mzVeoH3TI9q4L/29hfb0CNgDAFQ0zTG0JEPyi3higTkRHF0ZmuEU/Y2oLfPRvjKVGtnR43GR2UbPjwqifKmiHslRjII5JC4KRny/iq7TbmX245wKcUCwQUnISyLC26fZfufuFNUKhQgzUIJo1EN3OU1/aoBATIg4JwzTUNNe/j3jz+99IW8kRcQKRlAHVQDSdTjABGQEBggw5GRUmNT41NPP/frX/3KyGQWLFhQXb4KhUJxbKJUA4VCcfzQ39+/ePHiW25Z8tGP9n/i4x9f8dxzI2Ypl89xy2LIHDPErxtU+xQMqgBVeBxUpkbVINo6ca2LONUgMk8CKK8AAJBSL4AKDRKZRoUmTBxdjrRka6ailhSFR8MoW6K2aYwyFoAdPgMRAQSREFwIwTnngjNNy2aNQjFfbC62drR0drZ1dne0tTc3NOXzhYKR0RGBc26ZJre4sF2kEZn0KiivTF8uMgLQKJQCJxHbnvQ0sFOdmBNse88ewEYEGf0AHWRoBreETi5OU8UUxB5/DnVd2750SlZ7TT0VcNPEcuTPkJiWkEBKiczFZ/dXB3k+ScEInCcAAhISEclwBVwunMi5cwSiW9LQ5ay5HUftZQDl5vB7HACi4IJpjDFt6QNPLX/kuayWJduVxbkDRuNrAPFuI6HmkG3HNM3ilqbrf3JF//vff84FF3wAyl45CoVCcZyjHnYKheJ44xt/+zevb1j/3HMvIpCma5ZlIcpocBFj1WEDwbOngjlbf+GgDqpByCKJCYWYOre0ZapdNYj9GJeanabPYE5L5JBxWEyKO8r57NpdBM5AvywTc4YmpQEnZLg5EgI1NHQtV8w1NTe0d7W1d7a3d7a2trc0NRdz+YxhGMhQjg1zzknIMVdgiMgYOpmXvf+JAvbKaPWCcipB1cCpWlKQPPAPGjOGRKhpyJhm1wCZezp5zP7onuGIImFfgzi7d7SQ9yJCOqt6FAWQ3cadSlD5AeGIG+XTZUlBgAACILD1KCFs0xqIABhCcHXYstNH+UPNpu+hUA0kgoTGNAB89A/Lly99wWAGIpAQ4LkVAolVX/z4sz1XRk4mQkRAsiyac845kydN+vo3vmEfqFQDhUJxYqAedgqF4piHiAYGBt56660f//jHH77wwvHdncufeU5wYeg6FxYSEka+UKLnX1X5JXyL2hCzLZpK9nXEOJhnU6Qzd/WqQS3/NYxKNYhNIqnhyoHKqiZeKIhpXvdo6UBtD4cCMscb3LFyiXMuBBcgkIFu6PlirqmloaWtub2jraOzta2zram5IV/IGRkDgAiIBFncIsfWswfoIXogPehf4G2H0eMZuI7tZumykv4FspUQGWMggyBIEQE8tpY8DPwyiGsRhgIcOMPMoXLVSILRi4nCQbk0AFX1Q9/4djWGbnnOCzreGyS4ECQ4585KG2QXHGOrFrC2K4pBaRKp+ZTyhSbfAUIITWOci6UPPf384yt11BlDIuGe4lEbyomFko+QUxOLGDqb5G1ICICaNnxweMq0KR2d3WPHjcvn8wMDA0oyUCgUJw7qeadQKI55Fi5cKF/giOgvPvOZx598gpuWpjEuBDre0FHvjB6jcXTCQeUNdVQNQsckvRrHvWDHZ5VqZxRBV/LKaVZUDSq0WvWqgX2pw4a3u5/ICdHnxH9Ex6CVFqxjktn2luCCg/QHJ2RoZPRcMdPY1NDa0dLZ3d7V1dnW3tLYXMjmM5quyXMFF5bFibgcDyYCxhiEBy3Do/0JjTB60P2NgS3BXJIzDLsHOEPKsoJy8oIzhcH2pfDcn57YnYH19OKCCIzCvT5pb2Cigi0ahfKvSjWg2C+e1AJf7La3RQECIpJuBVJy8pa3bILXlVEunRCXSHBKAgAASgcdTWemyZfe/9QLTw5ltAwiCCHKZ/kaKlFSDZXCOSxJ2y1rgFIzANJ0/cDBA93jxj/yyGNXfORPbr3t9nSVVigUiuMH/UgXQKFQKEbLokWLWlqaiejPbrjhmWefJs51XROCGCBFDr+PntBrZ8h09x8R85pamdRn1buSsZb1oaKiVBBhHVRXSAx9AI9tAPa4N9oTEKA87E8IiCiEAEQhuJBDvESajrqh53K5xuZiR1d755j2jq7W1vaWlpamfCGjGxogCGFPM7csU3BhOyoAEtl+CrG1Li+JV2X1YlowfCOkVxzIu95BfFeLvNccs9C2DDnnsp2JiDnItRg8bggkbNOt7LXuuiT4MqxpsFfOiU86whfXwbvdX30KHZBMud+GTicoq1ROPnJ9QcGFXGJDCBH2HHLFAp9+AJW1g7poAbURWPuACGUryE6iaVgaLg3e99SLy1dnDcMrGYDX5QIg1Bfdlou4euT7FiUCYfkgr4CgadrwyEhbW9u5737vVQsWKMlAoVCcmChfA4VCcawiJyYsWrToa1/76ne+84/XX3/N808/JwQxxoiEZ0Qq4eW4nu4GUfur9zioNB4ffVhSIWrzNag2p2p9DSo6GoSOiRpTdFYkiMiJfG//qYxLREa2RCDD+LmhCQSRQARN0zWDZQvZhsZiS1tTR2d7x5j21s6WlpamhuaiYSARWJYliHOLEwkiAmCOcWjbcu7c/mTNI41eEOkXYBPRwBFXJ8mzIJRm0kKJiZDflyAcll8qKZ4QitIFAYC5Ig66cxkgYBFXJRz4xpNji11u/BQNW71y4TSYv80JSAgCEkQgBBEJsieuQMQ0IycCRXSIh3hF4EiJBYE+4HywfwPIqJmCMRweKT1877IVy1fnM1lwugoCCHvOSzmZqHyi1Z7oIoUT8W+SwpYluKbpZ737PU8++8yKoVWVUlUoFIrjE+VroFAojkkGBgYGBwcHBgZmzZp15ZVXfuzK/pUrVjDGNI3JAbng6H7dx84TTeB65lJz4jT6JOCQOR1ElypRMnC3VC6Pd/Q1eUTdXoYOpW1PQhAXQpAgIAChGVq2mCkWGxubGlraGts72zq62lpaW5paG/LFnGEYDECQsDjn1kipJKRLAkMEQATmxOS316RwXLLLFyYsDaSfZF7BUyDSoz49dZIMQrMMACBiJT93Vr7XBHYnMsgZHNL5A0DGmvRMavCG96vUdN7SRslQ5fIgxtS40v3kbXgMdGkqW/sEBMLuD0QgSJAgqU+Rr7d7k/YUSI7QQ6jiR86DICUBRwP3g4xlMHxw5KHfP75y+Us5I+9dJcH1CPJowaN8skmi/6OQ/YQxJq/NtFmT17+RU5KBQqE4kVG+BgqF4thjYGBAfji/r+/c886bP/+ydavWMJ0hYzLIdsSQVJLxi55/dYL8P/zbk6iXr0HYWKspt+hB56QMqyqx76RKXgaejU7QAQgZ3l6HZH+WCPZS9ohgr4lIQJwLd6UDQNJ0LZvPFov5lramto7Wjq729o7WtvaWhuaGXC5jZHREFJxb3LKERZyEHCBFx7teGoSC5DJ43jFiaSAGuuZooqmljTVQbuNqfA1iEvSvylldjgT24HiF0+XBwT5bDjMgV3a0N0rFx5nakGxHxlrjgVkIMkAgCzdBOHnHwETPjeKJgmF/dz7KiAR2IEMhhCA3QUEUvZaBv8MkUelIuwceMsLBLH25l/0LfE4HsvG4xTVNHxkuPXD3IyufWVMwcsDQG3nUvvpxz1VPKSI+JeJL0olsQkTAEBFGTGvypEm/v/9Bp3MtAFiSLmGFQqE4rlCqgUKhOMYgosHBwaVLl06fPv3qq6++6MILN7y+oZDJWcLiQjBk0WNZaVQDqOtDMfkFt4J3beJhkUfGnhi2uSMSS6FmpBzhj6tY4AKER5u9u4JjtO6go2e9OMe6LV85gnJgNXusF+35BgzRXr+QE+fc4lwIIVBDXdeyuWyxsdjU2tDS3tze0dbZ1d7S3tzU3JjP5wxdByQuLCE4t7h9lswUgQEDBAIiIgRGcg28UD1CoQHrrRokp2FflThruYoZCpUJDqwH9tp9II1w4DVxA5Ma7MvuOnKgPbEBnE92Nv6lKDwD1Sj1G+YpMXlG7N1/aB+AzinusQFPByQQblcUQriuMUTEuSfyP3FhfyPwX320yxD0J6jYSumv0iFVDQI9OSH2oacs9rXgltAM3SxZD9z5yMpnVueMnKO/uM1BrjiTIP24ZfH9qoTvliUAEFL1QYYjptnR1vbYk8u/973v7t9/YPFiWrVqQL05KxSKExP17FMoFMcS7svoI0uXnnveeR/60PkbN2zMZ/OCuD1GBAQh28Vrg8a8UXo2p3gu+syqBEspOHo+ild276kprMTAppAhXjP+ForSAWJqGnZrKA8dRssqcQl5PLLR1QrkLmm+A0ONSbtSEAlBnHMuTGnzZ7JGoZhvamlsaWtu62htbWtt62xpbm1saCzkC3nd0BmiEMLilgxjKAQRUHlBRG8RfaOmULZvPFX0dMs6k9a2rzS8X51wEJ9SUi6JykUysSpUuVNjeSVMtycg2hEcHY3HlgBcr4SAi4rbr9FTd4/85C0RAZFwJCESACAEMUR7agGJsjlPIEi4aQbEAlcNqSgexckH6VUDV4BJd3hq4oseE8jAqxdIVYXrumGWzIfufWLl06tyRpYibn5bccAoGS5cJqjy7da5xnYpiYAxKJm8UCh+/q/+fMvmHQeHS/JI181NoVAoTjSUaqBQKI4Z3FfPdWvXTjv55IsuvHD9+vW5fE7OQ0f0R1kL/vYR9V4Zbw/7D4t9J420cyO+je7FPWzFxGcX2FQni8E7HhuRVajGMY1V4SyfgYMyFpprDSI4ofF8o81yk2WZpZGSxQUy1DQwMoae1RsaG9o6WseM7Ro3rru9s7WptTGXz2YyOiICklz0ngtOXJAAAEA7OAEDhugaveTaFX4toIL6cUgGeNN7BCQPWVdYajHeQSTKm8B/Sky2NTSIT54BexJB2ePEg+unT0Bo/2ROE3i8POwv9rlMCgtJVrgnckCySwUAApL3nHr0gZqjGAaarm74nDii8g3MRCAA203DvnRCgBBcN7Thg+Yf7nl86LmXs0bGdcTweiUEapKiMavz4ZF9Q05MkBKhXBb14nmXvPLqes3IdHZ2dnV1KclAoVCcyCjVQKFQHBuUJYN166ZNm3bpxfPWr1tvGLodQi1se1ZUDSDwCAxti35AxqsGEGMeHArhoJIl7i1RnbwMvMQIB4ltHqJsamPoyoUNHNkBmFyAAEDG25fDyUII07Q4t4hIQ5bLZtu7usZNHMc0NIrY3d3W3tXV0dlWKOSz+QxjTJAdmsCyTLnuPbhKgdQePNZvtM8DRe+KvPpHVjVIY22GNYLkCSkJPjVpT6kJrxnqH+T2lz9GKIvuWGCLEMmWZtooEnZGFGjA0feC0aoGySEPUsfgtKkkGUCEauALUUsEQgjd0Pbs2vfgnY+tW/1a1sggohC8XOyyr0e5Mimfn5VnVPm7CgEgke0cxNjB4eE5c9732uublj76+OzZs3t7e5csUeEMFArFCY1SDRQKxTHAwACcd97Cvr4B6WUw/7JLXl7zsmEYRCJsF3g/Jox7xxj/ns01qgZR2QaPitmRkkjVIDqxOs5NCBDTDmnNyeC4oa+QrgxEBI4Lt3eagBBkWhZxTkAa0zOG0dja0t7e0drS0t0+pq2zdUSIhQsXAsCqTcu2bd26f99eQcQ5L1klbnHBOQAQCdc/3LaaCGQulQrrfgleycOpGoDHmz6B+qoGNegFEWfVSrkzR1i5Hg2lWtUA4j3tI/0vqmeU6x3WdnpFvSCcbFrtIIVq4KYf/gmAQohMxti2Zec9t/7hzVc353JZchwS/EWO1FzTtEZ8TWKfWkREqLGDB4dPOeW0qdOmPvDA/S+uHEqRl0KhUBz/KNVAoVAc7QwMDAAMAgyef/7/nnvuVZde9OFXXnnFyBhQjjLmEudw4P2IUb+8JAsHiaqBx+D1b437Vr0xUN0Zo1MN4pwabKJMjAp18+9Gp4jOLhneTk4AIHdKAgEBCS4sbhEXgiCXyTS2tY3p6urp6uqeNKmzs3Oirl/ymc985+9v3LZ5y7Yd23PFgqbr02dNbewpbGzZ/C44afiAiQYAALe4Y8DEL3EXX3CvLpRKNYBDJRyk9jWA6sZm44UDir+6h04ZSU1l1QDizO9DLBnIgoymiWpQDZIkkvhkPTEXgmsylNsonWTgTV8QOSUiwQUiZjLGpg2b77zlwR2bdxZyeVFunkDBD4tq4BSVaezAgQNTp5x87wMPfPGv/upf/vVfU2SkUCgUJwRKNVAoFEc17lTSGdMbrrr6yxfPm/vqK+uNTIZAIMkh4tArZoRpE3jLTO1xcGhUg+gyVqR6wyFiGH80GWHgW4wlFeXg4fy0wwHYa5uhM0EdQAhChiQEIZIQCMCJhOCCA3CTaUZDsdg5fuy0aZNPOeXs/vPe09nb+/W//utt27aNHTt2bHv77Nmzx7S3T3/XuwIGYN8n+7438A/vmnTm4ODt20Z2EpiMMc654NxeBjBsOIWDF4ZFgapUg0SrjkgUgwAAIABJREFUbzSxEtOMDKc0ONOuyABHoV7goRx8wPfLJWhLVzSA003ZqEAVtm5MAqlVg6r0hciDnVsSwWme4OyN2lQDAgDBBSFAJpN5+aUN9/72D3t37Svk8oLkhA7Po/PwqgaymIzhcKnU1d55ybnnrnz99ZtuvjlFLgqFQnGioFQDhUJx9NLf3y/DUE2bOvXj11xz4QUXvPnGplw+XzJL4C6KDqFXzLApF4HnxTd+nLEG4SB2aLeCB0QitRr9NQ1QBj/6JRbwfAvGoYsVDBy9AEDaH+5sAHvCs5w+AGAvnMgtAuSZbK6jre2UWaf86Js/Pe/Kc9a+tq6hsdjS2nHKzJnnvv/c/ssvLXZ1pTeb/7jqhYZCy3NrHjKFACBdY6ZVsu0Uj81vx7qPvVpeeSCtZOAtRghfBWowLJNbIL0NmXbe/tEsGUgSRTLPvUEA6Qzg0QsHo1MNEi5ieTVKGe9j1JIBVOpR8gj7d7pc3Iw458iYpmkrn1vzwB1LzYNWNpsRJLw5UtQv8O8elWrgeqMEnmaMmaZZLDZc9icX/+H+hx9+9PEUWSgUCsUJhFINFArFUUp/f7/80HfeeZ+49tqPzL/89Q0bisWiZVngGO4ht1/y//BsjMB5941/EMY4gScIClWpBpXefWP2V0i9ZpLTCAoEEa3gvJAT2r4D8u1cxiIgAOBcCCAgZ/V1ALleHXFOiLlspq257R3vO/0HP/jR+X3nlUY2NhQbZkyZtn1r9te31z7u5xotixYt+tC8vp27dhwwdwDjjDGLm0JwdFZjcAof5WuA4dD51akGTmF837xZp0whQEJogyrmX7hJOZ9iidRQjinSedJE70svHMjG8S64WDNpVIM6pll5MUgMPQsqZWSvsGjognD5o88/+sBTYIJh6IKEdGmIUTojHQ1C2yPLGFeuqM2IyLnQdePCiz70xONPPvb4sorpKxQKxYkGO9IFUCgUighcyeCUU3vnXXTRRy+//LXX1heKRdMyoRyfvE5GS8WRSQq/y0ZZZMHDorNIJRlEJUVJm0dHxTTCM9ztE2wDAqWbgB1GAREZ0zVkTCBwzi3TNE1rpFTiloUMDU1DJBKQNbITu8d94vobVr/yanNr23DJyjY2bNu6GxEHlz4yfsK7z3r/yn//yW2jkQzAGTsdGhpauHDhWe89r7W5ffakM3UjL4O165pOFHmBfN9Hafh5ClP+6zVG7b/VQ0CBstlrDI6mvJW7MR2jkgGEGhs9P2Oh+L+xuSACjv7urFfHCxAWBZy1SzFyb6BMvm+BlihHNCQn1ChalshkjNKI+dCdjyy9dxkTzMjogjgAUGgFU0+qMYWvw4iX6y6BgMg5R8A5Z5752oZNjz2+zP3fR6FQKBQuSjVQKBRHHe5L27QZU886/+zP3PDJ1za+Viw0CMtigIjuauiA5H1/jByvSnjntl9MbQ0g+jVVrutI9vz30NuxZ3cqA6GCZBAqRrx5UslqqS9OPrYt5HyxQ4gxZBpjTGNMQ0SL81KpVBoeHjk4wkdMQzMK+WI+m83lDCObn9Dd86lPXDe05pWx48YNm+bOgweffOIJRFz+zLNr1r3S2Nwy7eTpMvkNGwaXLevp66tD8RGxt7cXADZu3PjG65vf2vJGg9GWL7RmWVYI0nTNNl3QtpfC7vpBQwUjPvsaJ1WpaqpMFOQBbB2h6u5BCVqAk5jT2Y8HytKjL7x/EuS/48nX8N5r4PlQ603q9e2PO6C2lA9Jam7dEV29ABGFAMF5IZ/bsX3P725+4JnHVmT0DNOYEAKBlaOd2N0qpTQaXVR07sGk25A8ByPKJVoE0jvfe9qW7dt+s3gJEc2ePXsUDaFQKBTHJ2qGgkKhOLoYGBjYsmXL1q1bp0w96cJL5w189eub395cLBQsy17H2w6t54Tp8uCOcUVsTCTKzz720Ng5C7GZBjWMqCKl3Ra/uQbclMqRyGJm/TqHeaqPjEmrQMYsFJwECtJ1punZQiFv6DrTEJnRnG+aNWPKjf/2b3POfO/uXbunTzt56rRpb7711s2LFwNAf3+/uxB6T0+Pa9uvWrWqbtX0sHjxYrn6+qJFi877wISe7t51r7+6d2SXnDDBuQCQ8TUj7JbgZBiKvsp1D3onN6ZdEm/URAQ48HXgKmoXqM5hq0J6ZEev4JB/JKhow4/GyK89ooHnUJlQ4EFsOyB5DhSCstns66++cd8dS996bXMul2MMORf2TVaOkJBYnRSP0IqzawK5OYu5MsHN0+e8Z++ufbff9jsiWrJkSX9//9HWHxQKheKIox6LCoXiKMJdMaE0MnzmnDO+8/ff37FjWy6XExZ3B6VktDovvgH82haU97xPQvBT+NBI4SCemlSDKmSE8B5MscvvNOFGAXTq5g7JIRAwxuRm+TLNubAsUwhCQE1jhqE3NDYViw0ZXc/kcg0FQy80X3nlX/7bD74+fHDfrJkzi42N//i978r0+vv7e3t75YXu7OzMZrMAsGnTptiq1RsiGhwc7Ozc2tu76u6nxx7Y0NrSaRywdhwcHtF0JqNmQCC6AUnHCvC3WoVrVpt8ECcc1NeMSVYiggEOqlcNkm3ao8ckO6FUg7pfFHdZV7mQDUJ58pibXTaTW7lizUN3Prp3+75cLitDn9qxDISoQTVwv3u3JTyRI+5SRCZXcmFYKpXedfq7lj//7MtrX1GSgUKhUCSgnowKheJowZUMdE3rmTDhZ//v/23dujWbz3KLy+Ff942Uol8z66oaRH+3t8YcHUWCwBFzTNSGytucNiG3ZTzRH9D30/PNXrcSPRYAEBEgMsZQEDHGpL+xvVqhEKizrJEpFBqb21ubmxqL+WxDobnY1nbjjTdef+21K1a8aHLe2tpVMq0DBw6uWPHMwMDAwoUL5Yv4YfAmSAnRAMB5AH24CO+86NbJk6a/uvrFg7v3gI4EQi7o4BxJ0sciKnxASgEoKsJibMFiPRrqaMykVQ3CJ6aoRVqD9ogaZ4FWdkMAHmbPjjCpJkrUWzKAhCqHt5MzOyns1eU8UIiEpjEA9vRjKx996EnroGVkdDnlAssCXOABlVD66O8eZ6mUkgEAkPQyYIyVStapp542tGpoaPVLANDf37948WIlGSgUCkUk6uGoUCiOFvr6+vr6+tra2qZNm/aPN357x7admUzGtEpExBgTgsojWhFnR0oGUOFl1EeUn0HsMzJp8cWEzKN9DWraEPRg8BbOs1UO69mDc85iBvIAQcTk+7bzIu8uZimXNeC8xDkxxrLZbL6Qb29r72zr6Orq6powgTH2la98ZdG3vvH6hld37dk3Y+YsPZNhjC1atMhbktmzZ7tRKgK7jjhENDA40NvZ29/bDwBPDz0yvG//lm1vjoiSrgMXgoSUYEhOzQj5GkDa3pV6rL6CO0O6TpeqREeDamBndgSstJARGlQNjlC5ZFnqrxqkPz5Y66hGCOgF3vVKEVAIgQiGYQwfKD3y4FPPLluhgaZrGpEgbwo+KbNiBRL2UHIwEf9yqihdS5jORkrm9KknT5w06fbf/W7TG29ULoNCoVCc2CjVQKFQHEX84z9+5+Mfv+aTn/jEGxs3FgsF0zK9M2aT9AL5KWZIqhrST1WI9zhINZMg1t0g5uw4WSR0slcYKAsFAABEwBgAMEJCQkAiYSeJiFwIblkAIEBoANlcobmpZez47tmnzp4z57wLp0//2nf/6a3t27vGdDe3tb3jne/s6Og466yzjvWhOdegem3T2jff3jhp/KwX1izduXsXMoEMiYQTWTDyXKihjyWYcEFHA082LoehwWtWDWqcbH94+1BEEaNUgzCHp5h1Vw3qKxmAbEDh76iOCCUEAVA2m9m+decf7n7i5aH1OSMrHRNcjxvPTZNaO6ipWzmnejwSgBAZMCgNlyaM7/nZTTf93aJFP/mv/6o9dYVCoThhOLbf9hQKxfHE3/zN39x4442XXXLRmjUvFwsFbplAntFviHPyPsSqQfBLeWvcA5Q8Z0S9ESd5EiQOqiUKCp6PzlrxTthCRLB97AUQChIEBMJuLelujMRyxXw+l2vvaJ01derZH5x32WWXAcAlF1+kG/p573vfZRd+eGp7O06eHFvAY58333xz2Ny7e98O0vjatatMbmo6IpAQQoCwRyw9je0O/funz9Ru9aVRDaAe5uuh8zUYTZS+w6YeBExeb9a1e/LXifQNmPLIqq6Ir3aRNSUiwnKndKccIBIHTQOmaevXvP7QXY9u27wzl8sBAMkVFstzp0ITDEJfYmqSvh7uGYSIJAQyJsuOiJbF2zva//xzX7jn7rtv+tWvqk5UoVAoTkiUaqBQKI4KPvnJa3/xi19+6k+vW/bEk5mMQUIQEJBnQrjzypgwRl/BOK+ClB4Ho3mEJgkgkUWPefuX7ST3ITIgAZomo4OhIEGCSAh7fgcAY5quaagzQ2P5bLG5pXFM9/j39/Vdf/31AHDxRfO6x3R1dHT29va+vWXr1772tVFU8JhENuSzLzz1rtPfd+8fluzYvxUAdA2FEEJwRCQnCkSESeXOCUlQeJwjwweEPRfi9LBDbbgebl8DX96Htm6RjgZQlWpQ/lRD+MDKYRePrGoA3isQrRq4Txt7sUUEIEIiymWyZsl89smVTzy8vHTQzGaz5WMDD/Fgj05XwppEYBKeWW0ammapuanl09f96e333HPXPfdUn6JCoVCcoCjVQKFQHBUsWvgtQnHbb+8Q3NKQCRJOEAMIGNOxlnU9VQPwDCQHtiV9D+VbTbzEwGu1/4CIgP3Scx6BAbNjEwAAgWmalmXas3mRdN3IZ3O6njEMI5fPNzU2dnZ1nXbGGZ///OcB4CPz5+cL+XnzLhrT3X3hhRfCCR8SzDWxFixYMP+KM894xzkrXx0qjRxAHWwrSchZHl6i/KvLVzWVWwEc+6pBHSQDO/tDUj2PpBPYUZ1qAE46zqf4topKKjmAQt0lg6qO9JWn/PwLtpmQs3bs5xIJwRliLpPfuWPvYw8++cdnVzOmGRmDcw7OBKmgZBD6lpYa3A3IFUzRNK2GxoZrrvzYE/fdd/NDD1WdlkKhUJzAnKDvhQqF4uhh4cKFWV2/6AMf+LMv/uWenbuy2YxcZxEBydUNXEIvoP7tzpf6kH62QtVphoi1Mj3GJEmDzv1DSIILy+KcW5wLEJwxTTO0nJHLFvOGrmcMvbnY1NzefuY553z2s58FgI9+5CO7d+/+8Lx502fMkHMQ5FKICxcuBIAFCxb09PQAQFNT09EWvPCwIRdg6+nZM2fOJsQBIrrj/psOmvtNy8xlDdMsSatPtn+kge2z07xDrb6Dghujpyc4+wDqGQ0xmSOsGhwa3aCsvbmJR61PUUMtIktbx9aoOcGay4AAhCyqH8hIHwBAQgAACcvSNE03tHVrNj7+4FNvbdicy+YI3X4SFbZgNDFr0xzol5rBnqfATLPU2FC87hPXrXj8se2/vXUI4Egu4qJQKBTHGvqRLoBCoThxkUstnnrK7I9c0X/pxfO2bdnS1NhomdweiMOQZBAHeWzuuuEZAIz9UgPe893g3mAH9wYAO0qhPY7nRCRAO74DgSBhccuyLOIcEFHTsplMU3NTNp/Ja7lcPpMrNOYbGk6fcfqXvv4lALhi/nyT8wMHDjz22GMvvvjib2+7DQBa29u//JWvENGCBQv27NnT09MzNDTU29t7InsZuMgWIBpYskT6Vy8qjJnWPXz627vW7RvZg4iMoRvdLUVyAABIFVZerGDfnfAXpTZ8/gXuDPx62/PeJQEOEXXXICpkBwDOgqP+msmKCgBAJMuyMll95KD5xMPPPfvkytL+4Ww+T0ByPlQgvcOEJ18CsJfsZVgyS42NDddcd8OKR5ZuZxrMnt17ZJd+VSgUimMN9SKiUCiODEQ0ODi4dOnS6dOmvv7a+p//7L+z+awbMgvjhIBIX4NqVYPAUUkPwig/g9E9OH2mZnnUk6S56vVbJkIAwbnggnPOhcWBMWQsl8k2FotNLU16JlfI5VoKzZmW4oc+9KH58+dff+21K/64snvM2LlzJzAt//kv/Cs43gQAsHDhQkTs7Oy85ppr+vv758yZA4c7gP2xBBEBDAH04iL81qSvn9Iys6G1afeut0piOJ/LlkolRIxrvaCZF+Vx4D0maXqCw2G7TseNr4FdoBQFG42vwaGm5iKNsi6IzB/ZxY6hCQBCcMF5Jme8tXHLow88teGljcC0jKELIWz/sPgLWEtEg+Rjvc4F/nyJgGmsVBopFBpvuPba3y3+TeOTT23s6ZkwZ86SJUuqyFqhUChOeNTLokKhODIsXry4v7//liWLP9q/4Kx3v3vPvn26wUjYw4Hu+GB4DC9iubuqVIPIQyoFO0wR4MAzrkmRh6HHW1dGeXSGwqTnOTJZFSIySyYXQnALgHTDKBbyjU1t7W3NrS3tbc3NxYaGhmz2ywsXAsCfferTf/zjH41MZlzP+La2ti1btsi34YGBgYULBxChs7PzjDPOmD179pw5c4aGhgDgeJp68Ohdd23duXPbzu0PDi59fePrXWO6e3p68sWG73//+3VJn4gGBgdgK+AqfPaFZyZPmXjtx/70ja1r9hzYgQbomiZXp3eHsf2xCPzzFAJREivNUIBQVz2c/2FHz7yodH/Vy+Sup2qQMk7B0aoajKY8VcQ+8PcucjuALYth+RBCQRYRMo2tXrH2sfue3LVldyabRQ0FF97UIl1xDkkQxKjOIsPoMsZGSqVisfHT11//8COP3HzLLQAwW81NUCgUiupRqoFCoTgCENEPf/jDpUuXnt933o5tW2666deGoTNg0pS2wxk4A4UB4YDK291NlVSD9C/eUfJAJUkhNqWQ1QjghEOTXu6MoRBERJZlAQARMkDGsNDU2N7W1tXR3jluQmvrmK6ulmnT9L6+6777Dze+/eZbO7ZvzxWL48aPn9nbOzQ0FFYBZs+e3d8vP646jiQCWLhw4dlnn719+5aVK1eYIwd37tiZ04wr51+xav36tetffumllxsK+X/+j//85c9/9jdf/0Yd8x0YGBgcHBwcHASASy6d9453nvLhi+du3rZx2NxnZOT4KrnagRAkO02kagB+dxnydeyjUTVIs5Cky1GnGqQuz9GpGhxqySAckdG7JKe9TojvWiCC0NA4OFJ6aumzTz/+vCgJwzAIgEhAQBTwuABEhTeApOeyV3hNoxo4z1d0qkMEyNAyrcam4mc++5mXV69buXLVXffeWykthUKhUESjVAOFQnEEePjhh/v6+qT9/KEPXrDptY26oTFkzoBtJAF349SqQbySEPQloAjVIOIpWX5JRd85RIgoiNAJ5YgMyeuCQOQO4RGR4FxnGjAkgnwh19bR1tMzYcqkidOnznzXWWf9y/e/t3PXzo7O7o7OrrFjm2fNmj5mTNukSacffxMK+vr6stlsD8DQ0NCmTZs2+ff2z58PDN7YtMkS1jtPP+P//uSnX/va1woFNjxs7dyy+c233tq2dfvuPXsQQNd1EtTa3v6BC/q++Xc3fuzqa/735l8BQE9Pz5x6OyTf9rsl8y/96P2P3bJ951ZA0nXdsjiRQDdOhUNsZMTwnIWK6zUeC9TF6q5LJ6+qJEehanDoJIPKKUtXAbdZ7EgfxBjTkL39xvbHHnpq3epXdU23V24pL69IwadiVP6JRa9QtIQy2w5cQIhIiNyyWpobP/3ZL6xbu3rK1JOuv/7Pa01aoVAoFCoaokKhOBK88sorS5cu/e//+W8A2PL2FkTwSgaexboiqCLqWNk6S9gPPkMv9Lob8f5b3kR2DAb5ysoQAJnj2AsEXAhbSuBCHqKhpmmaxiCXLRYbCxNPmth72jsvuOCC00477U8uv+z551/Yvm2HIG3shAl/9eWvTJ48OWVFjyGIAGDh0BAsXdq1ZMmSoaGhwcHBgYGBoaGhCZs2PQkAAHPnfpAEvbbhtenTZyy+7bYlP/rRrY/en2GZvTu3X37xvF07d+7du3dk+CAQ6LqeyWUbig2IKEhoyHbv3n377+4cGlr9+S99BxF+/b+/mjNnzty5cz/72c8uXbpUBuAcPeYwAcCGNVvOPvO81W88bQ4PawYjQiE4OO4k8kj0xugITMA+WuzTeuKt+7HIUVL+2jwF0pybqnbeRxwgcSIkQ9dHRswXX3j5ycFn9+zcl8lkgYhIeJ+dnt/R07Tq4A4WCbozvwARAZGEGDOm8xtf+eubb7t1846d3/4/3xldBgqFQnGic7yNWSkUimOCG264Yc+ePe9577vbuzu++/ffAUtkMhl3kr9nlrgX74TwSlugsmQQICrsIQRmKDhh8+2l95AREDJmxyMQXAgSQMQFEZGuaZqh60zTkYGmZbJaQ7F54tRJ7zr19M987nMA8JH5l2ey2Qsu+EBDY+OWLVu++MUvpi7sMcbAwMCWLVv27NkzNDQ0ceKrt9++C4AWLVok3f4/+clPdnS0GQcOPr18+ebNW3pmz7r3vvs//emPvbpmEzOMjK4fGD54cP/+4QMHTMskACObMTRdXhl7/TcZS5IBEeqMCaKDwwfHjRs/69TZ//qvP7zx7//+b7/+dZkdAMifo4SIBgYG5NyQ7//bP8x+98m7d+wgEpoOpmkh8/sQEPin2Hj77fHmawD1GK4/gr4G1Z54KKiD2T+6c4ns2QnSQ4ppDBm+uWnrM4+9uHbFKwx1w9Atbjnqrquz1Kr01qO9EYFstRaIaOy4cZ/6zDeX3PyjJbeqqIcKhUJRB5RqoFAojgD9/f0AMKa7q5DP/u723yFBJpPxDJ05w0Z+X2/3d1gjCE9bCIXd8tj+EUTNOrDnEoDjS2D/QYYIKEgQELe4nNbONF1HlsnlNB0Z0zOa3tDQ0NjS0jV27Pvf/35Z3/mXXZrN5uZddNG48ePnzp0LzuoGcmmD6lrwKMa9jsuWLRscHFyyZElzc3NfX9/Q0NDWrVul0X7LLYu2b+++++4739i4cdKkSbfcevvnPveZoRdXgxAHzRFN0yzLLA0PWyVTEDGN6brBGGO2BwcRCDkDBICccBgychtK5w5N0w4ePJjL5To6O8469/yR0si3/+7bAwMDAwMDs2fPXrBgQV2cDvr7++Valf+75D/Oft9lzw8tHREHBHKGzLRMX3g5ilYHAlZczQahN/Dc0SA9jDp6/5FUDao9t4ZcEtKvbVdKUrkwOM9A4oKQdMPYt3f/0AsvP/vEyj3b9hbyBUDkgstJC+Bd96WGjufRdjHmQ9hXIRhWFgllSFlEAODCmjRx0oKPf+Kee+67+eZfVV0khUKhUETBjnQBFArFiUhTUxMA5HMFTcsy1Biy4OzvYPxtivjkAUPxuhED75vk/I2E0A0BRoQeKxQ1pumarmmISEAls3TgwIG9Bw6MjJS4JYyM0dzY3N7eMaZrzJQpU3p7ey+6dP6//Pt/LF22rCTEpjfe2Lt3L+f8oYceQsQ77rxry7Ztr73++oUXXkhE/f39e/bs6enpGRgYWLhwYbqWO3qRNnl/f/91110nt8yZM+f5559vbm4eHBxsb2877dTe5sbiO07tnfvBD1xxxbf27NmjaZjPGa+uW//ud75j+WPLd+/YsWXb1r27du3cvv3Avn1EYGSz+UI+Y2QAgHNuWZbFLSIhzRV5eQUIAQQAJEiGZBMkTMvM5/NciDfefOP+u+984Znlr+7cueG11wBgwYIFs2fPfvjhh0dvgy1evHjJkiVEpNHSFW8/ctmHr+ls7jYwZ1lCYwxcfxk7nIXXMnVCY45au0fZ92VvR1veGn2yoy3VKMz+40ZBwxAVT4nrk0Q0mvUXXdIchkRCCG5ZiKhpxoZ1G++65Q8P3/3E/p0HisWCIC6EhY4/gpNowqM1Lj8g8p0W94H8f31iMtrf0ZlaIjifMmX6nb+//9prr5058+S+vr7qSqVQKBSKGFRcA4VCcQSYM2fOpk2bZs2ahYi333orECGCsF/+gAgBA0Om5XdFz1ujbzTXjeBlfw0e6X+plZ61dtx7AkKyhQNkGpOv+ATEubBM07IsAEIEXc8UC8V8MZvL5/PZQqGpUMw2tnR0/MVf/MWUKVOumD//9U2bJk+btmHDhjPPPFPmM66nZ82aNVdddRURzZ8/f/fu3Z2dnUNDQ729vXKY+r777qtnyx45BgcH+/r6ent7BwYGfvnLXz733PPbt22bPn26rmnSsvjFL378ytriwY6Ondu3vfOU2UAoGAjTsiwLEDTGNF03dB1lNDNBgohblvDGYwMAAJQaAZF3g5BCj0AAAgaIaJolpukZI7t7z569+/Z9bN7cd51+BhF942//dtWqVQsXLhy9u4E0VIaGljSdOffJCeueWbRoxqypVy24/p6Hl+w9uBNBMEZccCcSPRHZcd7R9etGcPo6gRMOI8FZoCwHJFig6OoUR9LvoNoAAXUXC45UhII0Fakq+OJhqIWzdAIQoSAhBGWymb17D7z45NDzy4f27tyfz2ZRY5wLj1dXSIYIOwbE5hful+GnfXRa9j0vH91gT0uQpbG4NWPGjFvvuAsRZaiUvr6+usxIUigUCsVxougrFIpjC7mGwp133nnppZeeMns2Cq5pukABwnEz93u+AkBwukJM1APPdo/brD8t31QIQMbQzlWOo3FumSYJDkzLZjLFfLGttamhuaWQyxbzLQLY9Mnjv7JwIQBc2f/R3Xv2nH/+BePGj9+1a9cXvvAFcLzWAQAROzs7zzjjjP7+/jPPPLO3txeOo3HUMD/7+U+JxDPLn9m7d+//3PQrAPjNb24ffOietete3r1rz8GD+wg1Jk19Of1EECBqjCGzjWhBIMcu7SXikZzZKt7/q6LH0dFdncLpPW5sDKZpRGRZHBHa2tuvu+bavaXh/QcOfPX/+1q96j5AA0MDQ0sWLVm8ePFZ55w5fuyEZcsG39698cDI3kxG40IQCdfecSeBl+MduEqB65kdQq5GWsV/2m7CR47k5u+zAAAgAElEQVQjqxqkL0lk1rXZ6tXWIs0UlVGqBpFZ2JIKoidMCxIB51zTGNPYK2s2LX/0hU3r3wCCjGEQkCACcu/F8vO2HMU2nHdkY3h6um9TBNGNiY4I7MReAAAQ3Jo5+9S2jvYf/+S/ZNgRqR3EpKxQKBSK6jhu318VCsXRDBEtW7bsBz/4waWXXHLHbUv+OPRSPpPlJIBIBheEpHdle5w2ImIiUdCFlQgQZMg8533eNTCBEAXn3OKcm1wIXdOzGaNQLDa1tnZ1tDc3t7e3NTXkjWLbuM9//vM3Llr0+ONPlEpmU0vzuPHjSpb14x//GADk/AJpLfT09PT39/f392/atGloaEhGyzvOkG/kY8d2bNjw6owZMx54YNCyrN/8ZvG2A9seu/vhJ59dvvaltVs2b961e7fghBoheQYGgZAxx8UDhBBOouX/jpzl08CJPWlv9f+GsHxgj+j7IlPIH0gEDJFIEAkBeErvqd/87qKf/cd/Hdh/gAB/+MMf1qVlpDz0pS99CQDe3vyaZb75yqbtm7e9ZQrTMDTOhevI7REOytpWnS38o0A1cKnBaD/iBajBVq+tIpGC5miKEXl6dDr2MxQZQxIICJmMvnPn7qcff3HVc+uG9w3ruoYMORfeBBGDZn70rDGIesesQjKIPN/d6sxMAOBE3DTPOO30F1cNDb20hoiWLFnS399/HEu0CoVCcfhRj1SFQnFkWPz/s3fngXGV5f7An+c9Z2ayt2mbLjTdKBRJWGS1hYsN3qvAtV4Qnao/RVEUrlZlUfTiQibXHWW5eOHKdauAW6KiKFctIikILS2UQknaUtqm+5K02ZNZznmf3x/nzMyZmTOTSbrD92NtJzNnnwnJ85znfd7m5nA4/Pi3v/X2/7jt3LPPikWjgWBQtHZugiX/zq0dSN/pSvf5Tt530iJuE+3kTTE3OhWn2kCIWIvYtmVblpVIaOZQKDS+snzchIlTpp100km1tVOmVE+eXB+Nnnf99Xff+d3nV68aGo5On157Uu2ML33pS7m/htbV1TmdDonodZkjyHXnnXfecsstzPzcc39rb9+yfv1rHR1b9uzZPXCwdzgWZ6dNhVJEpJRKN1dPBrFZEwqMJJ3qyX7B+6w3l5CVHEqVLggRs5BmUomEVRIMzv+niz71mRuX/uQn3/nud4morq6OiCZPnnwoJc3e2GzbznV7d++q4Ilb+jb3Dx0MBk3btpPDy5lIJ0eapwOpw544QNagmMM4brMGh7H9YXpTyYEbbh8XrYnYMJRhmJZlrV/32uqnXzq4t8dQig12Wr2St4bLKXop7oOV8c3rqf3KOsbCa/u8kPzpwIq1Lba233LRP+3fvXvdK69s37Ur1aO0iAMEAIBi4b+qAHBsiAhFItTU9Jdbb42ed97tjY2W2IFA0Ak1RTQna7kz7jlnlqs7+QWi1LBxYUmvJSKiRYhEtG1rJm1ZYgSMivLKaSdNnV07c8bcWaeffuab3/zmWbNmfePrX+vp6Zk6ZeqMyspT582bMm7cSeedh189c33qU59qaGj48Q9/sG9vZzQWcy6QaRoqWURAbr7Gzdto0alyZkq+f6lHXNRY6My3gXNeysoaZFQuZHTBcIMNYmKOxmITqsZdeNFF111//be++Y2f/+KXTkPHm2++ecGCBWO+V+mN9NpWr+6OHYzZ0dKyyj092+KJmGkorbW2NZHbuzHVTi5PIJZzY3cUh5Lc8HFgVBH78XAMo43Yx3wiBcoBDnvWQFIZVucLEWY2zQCR7NnZteofL25ev01pNkxDSzKr5amHSWYM3C/9dlhomILfCoVPsECtARGz1nbACCxatOiZlSsP9vauXbu24NYAAGDs8AsxABwzzi+M98yf//K8U65YdNl3vnNnfCjqtCl0QlC305U7pJvSBbWeeoTUb8NaSzImFC3OWHllKh0IlZSXVUycPOmUeaeec87577jkHROmT/jKlVfu3LWzuro6cdpp8+cvWLRo0fjx45EjKNI1H/rQaW960+9/2zIwOGQGTNMwtdbuAOn0Pf70PUpP8JNdaVDcFc8pds4dqJB+JjuP4OW54cqKVSKRiMVjM2dMn3da3X0PPHDr5z5na71z167m5uZbbrll586dLS2HYbL37Tu3vPDic1ct+pfWZ1Z29XVqTjCLtsWyEunuHdlZgzy13aN13JQbOHLD4MP4TectRir+AHyP4agVGlBWPD/SAaTzpJ4vs54ssPF0CkFIRMygwcwH9nevW7Oxfc2r0YF4MGBKMj2gtXi2QakKL++WcuQvEDiMWQNmIbFsXVlZfs37rv7tH/7c+o9nC24HAAAOFeZQAIBjxv2VcOVKWrnynPPPf/75F8Phqzteey2htZWwbMtSrEgR6XTk4/zeys5IXFZaaydCNUzTMA0WzaJKKsomjK+snjDl3AsuePcVV8w5/XQiuu5jH62qHDexekLb5rZ1j6z7xqOPujek//bEfffdf4wuwIkqFo+XlpasXrP28n952+69e+KxWCgYcqo6nLzOiCFXZs1yUfIVJeQ8706L4bdkKq4UEbLEMkyjPFi+ffuuvXv3/dsVb6+ZNPXHDz10339/n5nD4fCOHTvq6urq6+sPMXcwY/qcGdPnMPMdP/la+NIPvbJ1xWB0SCnbMJSttRv45UkZeMbgcLKUQ5jSy3sfH/+8cwccuSRdUfUrx4fi6wvylSSMmODICvqdCiwzYCrT7O3uXf/ypnWrN/Qc6A+awWAoqG3bmeFDtPO97Fk7e7CY/97yXfuiPqOphQq8f+7sNvbkSRMXLGp4sOWR1avWFLNtAAA4FCfKD1YAeD1zpsH7xz+e3rtnz3vDi2+8ccmGV9r6Bwa1lbAVRYfihiEkipxsAQkbhjLMEtNgM1ASCBhGoKyidOrkaW+9+OL3ffjDRPRvi96pRc466+x/uvjiqnHjLnnrW53uA6nZDcLJXR+GW8lvPE5n8tmzZ33kI9cuWfLvK/7x7PDwUDAYNExDW+INY8XzP49RRblc8JH7dW59QXLqQfJEMuJmFDRrJiJRTFqLaZra1kNDg1XjqiZPmXr6aaffee+9n7/lc3fefVc4HK6qqgqFQpMnTx5zP3anfyTVE4c5whEReXbVX/b17InGoobJiUSCsjItwumxHgV+ShdTR+BOWMGSmWt4nck6K84fvB65WgPf7RTm29FgxKxB8Qcg6aDfrf7RWgxDBYOBwcHhTe3bXl7VtmfHfkOZZtDUtnZ7FmgScuaizTc8ocis4IikwFdugVH6jWQSUoaytW1b9ozp0//65JOoDgMAOGrwH1wAOPZSv5o2NTVVVlYM9Pff3hhxnrn7/rs3PL8uECClQqGKimAwWFFRMXXq1LPOOuu8885LbWFx+L2K1eWXXz55ypR3LlpERA0NDTU1NfX19Y2NjUS0ZMmSuXPnLliw4HU8u8FRE4lEFi5c2NDQwMwf+tC/XXLJ23/10K86u7qEKBgM2XbCrZomFnLuWhK5XdgLx3fppgc5i3n+Id+fXez5vw9vF0bvTBtOZzdmVkpZCSuRSIyvHl9ZWbnoiqtv/MKNTZFIW3t7fX19bW1tVVXVoTRmj0hEWiQSjhDRH7seucS89JkXlg0N90etwUBQ2ZYWLaySgb07Nqdg1oByRpr7LOD73GHIHRzRYoERdz3yQmM9uENvJTCqLgkFWiEWPpjUS1kjFNweh54cBDNrTaJtZg6WhBKxxNbXtr/8wvptm3bZCTsUDBGzbdvEnklBKTW2iDKfSH9ZhBHfAcl9mLlpTlYNOSkDI56IK1PNOXnOlMnTfvyTn0Yikebm5vb29uKOBwAAxg5ZAwA4LohIa2trZ2dne3t7W1tbS0vLypUr+/r7Vq1atW3rlngsrgzDMEwzEKiqqqqpqTnnnHNOPfXUmTNnbtq0ad68eUTkrSa46qqrtm/fXl9f39DQMH/+/Pr6ejq6fdde90Rk8eLFLS0t4TCFzEWNN34lcs8dr67fOjDUV1JS6rRS4/QEmdlV1YXvB2d+WUytARXOGmRVWXuSBhkxm2LFzPF43Ba7tLR0XNW4az563cc//vH//v73n3r66ebm5kgkcij5JucqtFHbb+g3TRT5/hP3nFt99r4DOwaG+wylRbMWO+djWqjBwcgTUhTKJxxSeHxMsgbFh/SH3pvwSCs80OBQKg7IPX33W8yZ3zQYDGiRHVv3rHth/eaN24cHhoOBoGEYtm1nfUOkvy8k83tE8oT2+Y9ipAUysga+yUJJfk+zacTisfLS8tPPOKNvxbN/3LLVKeFh5jEXAQEAQPHwOzQAHEcikcj+/fvLy8vvuOMOImpqampra8tdzMkCOEUEjsWLF+/YsSMcDi9YsGDBggWEHMFRUVtLO3eSM/XAB98XXnDJgkcf+cO2bTtKQiVuG8vkXUrJDtJH5JNTKJg1cJ/Nfdu9KYMRwx4RUopFJB6PE5ERNKvHj19yw80f+MgH7vj2t794223Fn0A+EYkISYQizHx705eabv/GX55q6R/ojlkx01RW3GLm3FP1m4V0pKyBd5R4qlDd89KhJA6OctbgqLUnPApZg2JqCnwPI9+Tbn2B5+11C1WIRDgQNIlk1469r7ywYfOG7QN9g4qNQCDgzqroMy+C99NFNPasAY3Ym9Jnr+mnUv1wiZWKJWJTJk+bf845j/3tb23r1wtRSzgcxgyLAABHC/5rCwDHHfeWbFvbypUrV6xY0dfX5321qqqqqqpqwYIFTqe61PP49fGYaGhocP6ORCLvuvwd17zryj88+/RLa17Utg6FQs59Tm/6oGgZYW7+/EH2sxnlBplxzgjt3z0FECJCxCJiW7YzIHza9JOuu/Zjjzz6h7mnnPKe97z3LQsWHMrnLVWpEYlETpk3Z3x1xWmnzNmwta138CCbLNoZ0TFyxFUoa+BNGeRZYMxZA0m1Zzwqjk6XgTHv6BB3UUyVQeqCF7EwJyfm4EDAJFZ7d3e+8kL7pvZtgz2Dig0jYIibxtPOEBjf7wufJw9z1iBPoUHG3JDEiokoHk/MmjH7gcav3Pyd7/z+L38hojBRM36FBQA4ivCfXAAAOCSp0cV1p556Zn0dK3Xueec/+qc/HTxwoKQkpLXWoikZh3tXLHImhTzDEfyX9b6SFeSMNGlcejXnRqfWkorTtJZEIjFrzqwrF/3bZ2655Uf/+7+xeDxhWTfffHNjY+Py5cuJqLW1daRTydDQ0LBw4UKnyvp/fnDvv9/wmadWL9u7f1vcigYCyra1uA0YsgoN0mfhkzXwfuUdBZJVunEItQbeEfVjWP1Q9jgqx2HW4LBXGRA5Sa7km6yFmJjZNE0t0rn3YPtLr776ypaBnkFFhmEqSa3l9AXNnBI1c+M5Tx6xrIH35JwxTc66zKxFbMs+ed686dXVVjzx05bmoncNAACHE7IGAABwOL39bW+7/IorFr///Z+/+ca2dW3KUKSYxW3ozp4gx1EgBMmfHCj+hdzgpGDMk641SK/CSjnbjcXioq1Zs+ZcOH/+BfPnP7961de/8c0f//jHO3fujEQidXV1RDR58uTi0wfO2Oz29vaWlhYR2blnc0nAWrth3f6u/aK0YbBtu20kcxIHGVkD70ucOx4hz5keYtaAjkriYMyR/KHMaHCEjFgpkCc7QH5RvfNsMv0jQkRKKcM0LMveu6uzfe2mzRu3D/YMmoapDDdBkBqO4Myp4PmsjLzHw5o1yK1r8IxSYLfKIGElSoKhBRdc/MK6td19vZs2bSp6vwAAcJghawAAAIfZjh07Wpqbb77lltu/9KVlTzw+0N/PRKYytEgyXEkumj8QGX3KwPtyvljI/yXPQu4GUoXS4t7/VEzCzEwci8VF7Om1009705tOfVP9zTfffNed31u/Yf2PfvQTp8VDXV3d4sWLR9WkzWnScdttnwuFKv/wp1/Om3v6+q0vDCeGjYDSWmtbEzkNFzxnI94Hnkg+dYFO/KzBoUTyx3nWoEAuIP1l5tIZyzi9DLQWIRJRpjKUEY9be3Z2tr24ccuGjuHBqGGapjKcbzefDWcMycmaiuOwpAwcRXQ8TU3OykQiShmaxLYSZVWVV199bfOvlr607qVR7hQAAA4zZA0AAODwa2xsbGpquvEzn/70Rz92y1e/1NGx3bYs0zCZSYvNpCg9N2PRCky8kF6C/AMbKRgU+W0qOQFEctiDECsiYqUUM0ejMRE9ZcrUGbWzp82ceMcd997x7W8/t2rV7x55JBKJrFixoq6ubsGCBaOarNEpPWhqaoo0faXx9q/9/Zk/dnbvsrVWJmmtxRZWufFj1lAFJiquT+EhDFIgOkrdEIuJ5PM1WTgRsgaU9667z7ruS8ykhUnEaWdoBgxDmUOD0d079rW/tGnLxm3RgeFgMGgYRvqTkUw0pD7Snl0XUfcj3tdG+x2bT9bnmMlpzWiwbWstuqqyctULa9GtBgDgOKGO9QEAAMDrUFNTU0NDQ/XESaeee27ADC685KLqCRMSlqVtbaoAOfMqEBGRZP7Jiz1/55VnG6NLGXCymwAnRyewM8pahEVEa23bdkkoVFZa1tXV9fya5555auWVV1yxc/v23/7ud0233z7Y3//Xv/51586d4XD4vvvua25uLn7CPOe6kZjMHB3YdOmFV5eVj9MJEi2kWNvuzBQplB1qHoMJEY8hb8VFkZMXHpbdHbr8k32kv3SecD/T7CTMWITF1iISCARKS0OxWGLDK5uXPbr8T81PtK3ZqBO6tKxUmUqLFq2FRJMWIifPQCzJ1qTpD8wI33yHdMa+K2d+LzopCdHCwoZKxOMkds2k8afXn+F0FXGm1AUAgGMLWQMAADgiGhoa2traIpHI7/7waO/Q8C2Nt86aPVsFA0PDw4ZhMitPMJ+clT13K5zvhZGIM97bk59wnx0Nd/I3YiZiYU9Mbou2tQ4FgxVlZX09fa9t3bJq1XPv+Oe3bdjQ9oUbbxSRs886i5mXL18eDocjkUhjY+OTTz5ZTNjZ0NAg0ixCg30znml7+qp//uBJJ51qqFIrbpMiYqV1Rqd5ZmKPUQW2fByXHBa+VrlpghFXOcR9ife+/WGT/nCnugC6X7G3QwU7fzm35UtKS8vKyoYGh19c3f7n37Y+/shTr768hSxdUVZmGM6QFmeeBErNXuJ+Yry5gsI8mYTsf30XS2U4fJbIPWVKf0szkZBSillFo9HSktIZtbM7tu1+8KGfi0hLS0tzMzogAgAce8axPgAAAHh9am1tXbx4cWtr6+zZs88957y9O/b86Mc/eWHNqlg02tPTQ8JmwBCtvXddM0LYsSULKKugegw4I1WRbsHAbtW7pF/SWrTWZsAMmGYsFuvr6+/u6W7+TXPzr375prr6v/71r7t2bH/6qae/8tWvXnrppddee20kEnEmXCigtbW1tbWzrS0ci+184ZnY/Z33XzgpPq3i/WQcjEeH41bMNA2RdKjpzSB4HxR/tuxmbUax5nHb0cB7YEUe5IgpgwK7GBV2UwGpYhZvpoCTY2GSO3TH43DybrwYyigtLVHK2L+nc82qV1YsX9O2emPX3m4mDoWCRGxrW+vUSAKf7iF+X7m7ymfUAxNGMeWJczVIKWVrHUvEqirLL1901dq1azdt3kJE7e3tzgwjxe4aAACOGPy3GAAAjqyGhobW1tZIJDJx4gRtJy64sP7OO+5/bdOmaDRaWlKmRfvMyDjmn04+I/VTUX6RkQ+n/so+kMyuCk5bBk+4rpRStm1blqWUMgxVVl5y7rlvueNrX/uPr3517rx5VePGffRjH2tsbCwyFopEIrXzV1x32V+JIk1NkXdc8ahB4/b27jzY12UYopShbdsJ+tPNF0bF50qJN3cw5q4Hh6j4dga5si5sMde5wO6K3MuoZHU0yJp3kCg5i0cyWUCKAqYZMINDQ9HtW3e9tn7r9i27eg/0iy0B01SGEtFaRLT4RPh+b7H3PHxObeQkQ8EXi+timqqjYIOj0ZhhBKbVTvvb355cHH5vy29+W2iPAABwLCBrAAAAR1xDQ8PChQudaPkD71/8i1/++itf+dzTf1+xe8/OktIyZoMkOcWg+4//nHAjOJTBCGnufeAil3Qfpe4MMylm0WLbthBpLaGgOWPGrHdfeeW1N9zwX3d978ZbPr9rx/rpM6YRjaeR4k8RImro6Jg1e/ZSInpy+d8uXfgvz67+v11du4eG+4OhkG1bTpfEzHAvz11mnx0UfrFQOH1okfPY8xEjrjuqcoN8WytmL2O7CFktD3PGPaSzCsrgQCCgRQ509mze0LF5w7b9e7piQzFFSinDMDidLMiYKMEttpHsz0G+M8p3CkW8R76L+G8v3cvUmxaMx+Pl5eXnnbnggYce+PznP3fnnXeNvFMAADjqkDUAAICjwZkgoL29vaWlhYg+8uFr/vNrX7/15ptfWrtWSEKhULKJQO4PpmJTAaOups4rXWmQjrvEmyTIXCznQDhZjO7MjKctMQ2eUD3xjHPOuPStl1wZvviR3z7z7vd8sKNjy9KlDzY1NVFy8kUicr7M2FwyHGTmm2/5zPkXnnvaKWf2xnZ0dXUOW0OBoNLaDTY5OfSdMybby39BRs4qHOZyg0PsC1DM6qMqN/Dd4KgOcvSTNfjsyE0dOG+iYkMZhmkMD8Z37dizqX1zx+YdfQcHSJNhGM70n1p0ci1y3qV0XsDzbcBHrmCkwFbzZA28BT/KULZtk8i0k2qXPfHER6758IMPPxQOh53/OAAAwPEGWQMAADhmvvrlL0+rqXnwoYcOHOwKlZQoUs5d+4wIwxv5+A0/GOGJsSj0w3GkjIHTN5HETR2QMCliZmVZlm3bJSWh6TNm1tef/qb60z784U988Qu3dnf32FpffvnlzjSNtbW19fX14XB47ty5DQ0NnBzsnsq5XH/99R/+2Ps2Vb72zpp3v/Lqir1dexISDwSUiFur7r0NXmAyP88B+y9yeAPOo5AvcBSfNTj0lEHh7efZacZjb0rIMBQrZVt21/6e7Zt3bFq/ZffOfVY0YSjTUAYrN1ng/b5g4uQ2fPMGR8zosgZM7qGSYhYSLRIwAhc3XLRj++4/PPqnI3eYAABwWCBrAAAAx0Y4HG5ubr7nrrtuuuWW66754PNr1+qEzYoNQ1GqQT67t2HddbIrrY/owPuRKq3JE297n/UMFEiNdnBuETOzFklYlm1bVVXj5pw866RpJ02rnXXrrbf+8hcPd3d3d3Z1RSL/GQ6H6+vrGxsbb7rppnnz5tXV1aXSBym3Dtz6vfLvPrrtP88PfeDFjS92d++3SAcDhoitbXFzB1mXyre9A3teTde2O10bDs/lPWr5AsehZA3GdqiFdkFuAomIRbS3u6FTFaKYDTNgsEpYib7e/l3b927dtH3Hll293QMsZAbMVNrI2ZzkvC35v0GO2HdHMRvmnK8UM7FtayYqG1f18MPfv+nGrz72f48fkSMEAIDDyjzWBwAAAG9Qzc3NkUikqakpYVkXXXLJJ667pvFr39m/b38iYZmGqZTS2iZxBy7k3BMvLnVwSLnxPCPeyTORQtbh+FU+uFG5iJCwMDOVBAPEwXg02vbyKxvb1k+cNOnF1avHja+cPvOkxsav7d61p7S0tLy8nJkbGhqqq6sbGhquv/76b37zm6eccopTj0BE3yv/LhF1T1kxteT2gWc/+463fvUfa/4yMNhDBpsBZSdsYc9RcVa2I+dLn9M8qqH+kd7OEd2yt14g6yXnMouIM25FtDjTHChDmaZpGqZt68G+ob27uzq2dHS8trNr30GdsA3DDAWDoiXVGdEtX3GzaN59U8ZgFHenR+yqFcObh0oNklBKa61FG8qor6v/ZUvLBz4QRsoAAOBEgawBAAAcG06I1djYeOsXvrB48eItW0/+6xNP3nTTp9esXt3b2x9PxIPBoIhobbslB5x7j9X7b+bGU68d/qK61Fj0vMUI6QXTjQaESDnnYdm2U44eDJVrrQ90Hdize1+oJFi1fvzqFe8sKy8vLSv7/Oc//8rLL5eVl02dOtVJH/T09Nx2223333//fffdt3DhwnqqJyIq4dZWal937+L33Lv05z88f/6C9RtfTiSGiNk0lW3Z7pD37EIDkawWEuz5+5AjztEG5PnaCo4hsB9NU4PsgRkj7s57nG4PgjyH7QwSSe6FtHZnOFCKA8GAaZq21oO9/fv3Hti2ZdeOjj379nRGB6OGCoSCAS4JanGmFkmnbliTcLHtPkc6jeSDkTJHY9q6Z+NETq6EFFsJyzCNcRUVi6/60HNrV2A+RQCAE4s61gcAAABvaJFIpKWl5bLLLguWlDJzLJ740W8emjv35Krx46LRmG1bppFMcLvxr1vc7cTCyYrs7D/p0KbIIMdnG2NbRyT9J93WXoSTRenk3PrX2hmqYBumUVFVrgyj+8CBzZtf27C+ffWKFW9vaDiwf2/IMG+44QYRqTv9Te94x9t//etft7S0dHZ21tfXE9EXvvCFJUs+tXx5g0hYRB77/bL2l14dX1ZTW31yyCwRW4low1CkWEREp07JrT3wXKNRz1bofy2Sil3Fs7z4KbziiNsvfCI5d+2LPc5020LmrCPJPB0SLbZlWZbFzMFgoKysNGAG+3r716979Yk/Pf27h//8yM//8o/HV+3cvEviUlFaHgoFRcS2Lee2fPIj5X6ckvvwfjh9P+rif9q5n2rJfL6oz3xmuUry7/Sq3kyUkFJKtI7HEyWBYO2sOc+uen7QHrCP7MAiAAA4/IxjfQAAAPCG1tTU1NLScu655zY3N3d2ds6Zc7KO2d+7857eXbsHYrGBwYGhoaFAIEDpm7eOEW+SeuffG+kgcu7gZobRxZzHSIeRMZ+j0+SAnOaFxGRbNhOZphkImCQUHR7qG+jr7evbvXvX0h//6Jc/fzhYGrjookve/e53b3n11VkzZ3Ud6DrllFOmT58+Z86c1taO2bMvePTRR6+77rrL3hni3DsAACAASURBVH7FQz/75XB0z8yp5yjDNBTH4xaJbQZMLZqdUnenzwKxco8i2XHBnfbBPb4x5A7c7RVnbAMEstbyGRGQcY0LbirzaH2PJpUdyLMx/2xLsiulsFKhkmAwFLDiuruzd9OGbWtWrXvuqRdfXtXWsWlH78EBFg6GgmYgwMzijl7I88HOUwbid9h+q4/qYo/4HnJm7oA9T3jWNQzDsuJa1PSTpr69YdFQbPC94fc+8fe/r1ixoq+vr7OzczTHBAAAxxIqxAAA4HhRV1c3Y8aMBQsWEFFFWdnnbr31K1/87Asvtu/Ytk2IgsGgbduUETrm6f7vvsbppQrIP9LhMOUO3DDdfcyZrwgp5ZQlOP0HORnHkxZtxRNCotgImKZhmCXB4PSTprz97Ys+tuQGIrrti1+cO3fu0NDQjTff3NjYGIlEnD4RItLUxOOqv3TJxVfv79kSTwwORIcsO2YGlNaa3LEJitnnpJwb5ekvxffC+EgVVRS18FjH3R/OrAHl3Kc/tOaIboqB2DANwzSVqOhwbN/erh1bd27v2N21/+BAz2A8ESfNAdM0TcMZtSI5JR+FdplbV+D3qk9Piuzl2Jl/wX8vY/uoS/pbjhUTcTwWDZaUn3H62Q83P/zRD187e+6cSCTi9EDFCAUAgBML+hoAAMDxor29ffHixc7jgaEhZv73Gz6x5LM3/fX/Hl313Kqe7t5QSYkb84gzO2NuZUDOrdqxpgyytz5CUmGEnbB7XMnQ0t2AEJHTtyGZNtAk7AwnICEzEGAiLWLZdiKeGI4Od/f1tm+4+977/2vSpJozzjqrbt68ixoaent7v9rY+Nyzz5aVlCxduvTaaxt+9jOKRIJbt22ac/LM89580VOrlvX3dfUNHNTaDgSDtlvjwEw5kaPbeM/9IpXwEL8oNetiOPflR0wcHK6Ugc8xFJ0yoGTxRypZwM7ZjpSVyDyeVDECKaUMw1CGYVt2f9/gvt2duzr27ty2p3PvweGBIa21UoZSqiRYwswkpEWzJKN3Z2KFEYdMjHjZkm9cTsMGn20lBxYU9SHmZJYh9bfPsTlbFFKKbdu2LXvmrFnnnfnmTdt3OJfRmQqkpaUFKQMAgBMO/sMNAADHnUgk0tzc3N7efsYZZ5x37jmmYcy/6OJljz32SvsrWuuQ0yVRhMSNUj1xiHhicu8/eWRnDbLCoVQX+IKbKTLySv/f84zvuuKN/JwWfCLiztzHrGzbJmbb1oq5orJy1owZZ59zzgXnnnv6m9/8ox888Nprr42fMOGk6Se96fTTr7766m27Nvf2HdjfuXvaxBm79ncc6NlnKzsYMG1taxGV0b0xOXTfPTzJTRYU0zLwEBcY1YreENQ7wiJ3EfGLpFNZA2+tgX+nQ7exJDvtDJxMAStWpLRNsVj8QFfPnl17d2zdvX9PV9/B/kTCZqHkIsmZLMWnEMDzAct7+99zyDnH7/d0TlFCgS2OnGVj7wuc/nyKk1eSjOfjibgyAuefc95Af29VZdXK51/YsGlTgYMAAIDjH7IGAABwvHvXu9511plnfv0b3/jf++751a9b9u3Zy8pk5Y7P16KTY/U9YVAxP98yUgUFoqt0BJ8RPuUuMsJOvSMVsl/KXTWjAZ6bNhDF7KRKiMlpR6C1xBMJ0TpgGhMn1tTOmnXqnFMm1kwYjMe/+MUv3vnd7+7YsaNq/Pj58y+cOWv6GfXnbHzxxW19m7v7upRBhmEk4nFS7Alnk5373cDTG4Z6cwp5HfOsgecZ/7va3lRIxun5DM1Ih8oGM7OhmEmxYmVpOzoc6+/p37+3a9e2/ft27z/Y2ROLxsR2ywqcvUuyEaVfPir3q7yfr+TxZn8xpqxBwUPJfIIzv0g9cq6VcvpBkihWWkSLTsSjkyZPve4TN/zjqeV2PPHgL3+Z52QAAOBEgqwBAACcABobG5uamh568GcfuubDX7hlyZN/f2Y4GtXaVkqxUt7b4slAp1DLA1dGtmAMoaxfTDryz1VP3mB0qY2MG/7eCFkpxcxaRGwdj8ctrYNmYMKkCVMnnzR58qTy8eNjsdi8efOWLFny/Xvu/uzNt/x06QPXfuT6J5Y39w71i7YsO6FJiBSxpOrMnVID8uQLKCtul+yjSi6Tc+j+C4x8wbOmOcw+gMxlMh/45gsyPhLObAfOUlpr95lknYVDGUopt2ekrbWVsGPD8b7egYNd3fv3du3bvf9gV+9g/7BYogylWCmliERrSW5M8hy154hy/x05a1A4ZUAF34TcQykua+AZ/OF8/JhIkzArEtJaW9pWhnHGmWcf6NxvBAKLF7/vuuuuy3MmAABwgkHWAAAAThjNzc3hcPjPj/3pincuuub/ve+VV9rjiYSdSAQCAaWU1toJDJk9VdQZZQC5QS9lPz86eYZojyp34LuKXx2EaGHF6fp58eQenMIDYlZKMYvW8Xg8kUiQSDAUqqqoHDeppmZCdVVl5WBieNasudddd11tbS0RvfTSsoHBA4ODAzHLSohYWts6NW1kesIFTdp7VO7xJEeIpJ8Q96Jkh62ece+55+lsJ+PqMHufzKx0yKwpyRmUkDXlATOLZHQtyJjr0enGQETJ5ItSikQRacvS8XgiOhzt6xvoOdB3oLOnu6unt7uvv7c/OhgVTYYyDMNQhnKOzpk5gckpLUjejndaV4jTDiB5SJT7KPVV/kEKuaNF/Bcgyps1yH7aP0uRThRkpwwo2QxDiyjFzGzZtq21Yahx1dXf/tFPb/noR1etWJHnBAAA4ESFrAEAAJwwRKSlpaWlpaW5ufm7d9xx6xe+8J6r3rVz5+7Bgf64ZZeEgkwsWhOn2iWm+GQNslMIh8An1Cv2B+zI7RcyqwxyY87M0E+IiBQTK6VYiYgmbcdtW9u2bQWDJWUVZeUVlVWVpROrJ4yrKD/ttNkTJpZUVgSDISMuok1TDMPpv2hpB2nRWty78ako2ym/51RLxeScgZnVB6nuj96x7+lz8VYx+HYoyLgOnnEEhdsZpMoNRKeqJ9wgXikWImZWrJTBJCxCWovYdjwWHxqKDg4M9/X093T39vT09nUP9Pf09/cPRaMxndBKKYMNM2AYpsHOoBEtmrRI6rTT+R3PIWdfl7ypIm+hjM/5Z/xDeRMC+T7avh/yvG0MKPXB8gz4cJtsECulRLRt24YRKC0vuWzh23b1dP/wf3/otwsAADjhIWsAAAAnknA4HA6HX3vttWXLlrW2tt5042f/3wc/1HT77d0H9nf39ti2lJaUiLCITgayTOS905tb8X+oKYNMfiMPiup6kLEFIvI5sOQJpUdjZAWg7o7EG2EyK+U07mMSEcuy4om4tjUTG6ZJIiUl5tSacRPGV5SXl5RXV1XXTKyaMK6ysrKkrNQMBtgw2FDOxrXWTqSsbUtLWqrVHzOnsweU6pQnqZkCvIMOnFr3rHyB91xSAaskpytwkkGepgPi3NR37nu7Z6zIaT+oWLFyRhqwYqWIiZUQi4ht27Hh2HA0OjgwPNA70H2w52BXb193X19vX3//UHQoGo8ntK0NVoYyTNMwTVMpg5WbN3EyKOl3iZNdITy5g8ycSEbWqkDWILt6xeez4DfcITM1kC+vIDnb44w8Tu44CU8SI9l3VLEipaxEnJnLKqomTZ7ctX/fylWrI5FIY2Pj4sWLW1pacg8QAABOaMgaAADAiaehocH5u7W1df78+d/61rd+8IMf/G3Zn/ft3tPZ1aWUCgZDIlqLZlLkU2lAToTnM4fc4cCpmRYLLjRq3sNNZiIKbIbdSI/SZfhMikkZiki5Bfoi2ratREK0ZibD4FAoWFpWUl5RXlFRUVpREiorKasoq6gorxxXWVpREgwFgsFgMBQIBgOs2GkqQczkFCOQOJkF5wa8Tg/xdwpAdGpghfMKEZMbhqdHlaQvoEqeqqRu27vlBszKqScwDOWEskq5TR6YSSlDtGhb21ozcSwWG+gfiA4motH44MBQf+9AX19/X+9Af1//8MBwPBZ3/oiQO+TAmUZRcTILot2sRXZ6gzNzBORNE6TzGnmyU37ppbxP+9VxeF7zfFFgRIJkJQbySVVsJD9hnMwbsGHYlra0XVlRWVVdvWzZsiuvvPLRRx8Nh8OzZ8/+13/914aGBkysCADw+mMe6wMAAAAYtdbW1kgk0tHRUVdXV1JSwsx33XXXb373h/+5++5nVz/32qbXDh44YAYDATNARM4sjU5U6r21mh1fHb5gJ3njueAWJV/c6L+wEztnPJP8W7LvUCcXcXaRMWKAtJDWmthOTsLAZjAQCAacegHRYmvd2xvt6R4W2e9OVKHYMJUZCgQDATNoBkOB0rLSyqqyUGlJMBgMhoIVlRXlFWWhYMAwDaVUSUlJMGQ6+QTDMExDubf9FTErIW1rm0mZhsq4aZ8hPfrCqUdwpplkpWxta+2kI8iyrFg8oW0h4kQiEYvGhgaH47FEIm4NDQ719/UPDg4nEtbwYHSgfygWjemEnUjYlmVr23bGKbCQYShDGeWl5cTuZdRCImJrndM/we3bkPkeZJYVUGas7jk5zkkc5NQeULJ0we/dHCFl4NsyIgP7v+ZXCSPERM6771CGEpJ4NBoqKZs6ddpFF13yyiuvXH311aFQiIhWrFhBRJdeeqnfgQMAwAkP+WAAADiBRSKR1tbWhQsXRiIRZr7uo9cODw5eeslbV6557pV17d0HDpaWlTpF7Fkj7JOhnvhGc0dS/vr0gr0NMv/Ns1KhUerZz/k0VGBW5ATTTJIcHeAUA0jyf04SRrQyWAs59+ADgYAZMJRSrMgwzVBJSTBoKsWGqYLBYDAQUAYrw1CGETANNphJAsFgaWmpodwaAVbKG52TsLjdAUS0jsVjw8NxElKK4/FENBq1E7Zt29FYLBaN25ZmYsuyrUQiHk9oS2utbVunag2SnSLJaXbojFug5KAJZ+7O5Knk6W+Z0UfB8yhjtka/N8q3w0DOZvzeoKxIvlDKIDuhkL/eIHO7eT5wTn7NaQ6inAknVTSWMAw1c8a0U2efevcDDyxatOixxx4jotra2qqqqvb2dv9NAQDA6wKyBgAAcMITkUgk0t7e3tLSct4558yZPfPkk2effe7Zf//r39esfXl4aCiYvJfuVLq7d7CJskI9ouJ+MOaEX2PlE7lnbzN/vmCkDY20cNZuM5reJV9Ozu/oNj5MN1YQYhathVhrnSwIYHceASbtFPVr4eTwAmc8BDMzKWYi0sKskk95wnInucPkhvXk9B3UnvCcxY1riUglEx1EpNx746l/3Q17eiikukJIauZFdwHPRWZycyaZgb1PPsGvqsA/gM/39o3qjcu3+4KdPSX3Ofb9+GZ9lewIYdmWtu0pU09acMl53/jG3X59KAAA4HUO/90HAIDXoZ///CclwbKr3/u+P//5zy2/fnjd2nWx4RibyhmdTSRau+PwiQrcBc4xQvA3NgXvOhfcrc+2ij6SrLg4s0VCzlZSMWbmA0n2VvBOFpBL3BYS3oEWzpV3kjmcDtg95fmpI3LDVE6eYHLqBueRd4AAsaeIhEhI3OX8x0F4J33MjaIlpyjD/+Lmm+cwfZY+z2ZlJHw3XFBGoqBAcsI3a5D5L3myYE6VAQsLE0vCsisqqt566aU7tm3Zt2/frDknP/jgwwsXLly+fPnojxgAAE5UyBoAAMDrk4hs2rTp6aef+tjHrtuxY8dXv/zlje3rhqNx5944syJx7oinY6rs8F1yHhd2mEoPvI9GNXYib/zpHYeRL1GQuf9Cp5KMeZP1GllZA0ltOD0qRJxhIsSeCR6SmQC/g8u+1e+2dcyX2eBkfYSblPAL41M9CXIaBKRmX8iVuUvf61sgZC9UfuA/4qFY2VscXa2BszNnTousbAkza7dgRJlsXHDhhT/86U/vuvPO3Xv23HnnnUUfHwAAvK6oY30AAAAARwQzz5s3b/v2Hcw8c+bMWXNmr3j+xbPffFZZWZlhGIlEwtbaLYF3b4NL3ikViozdD7U9QkawK4eyvdTK4nkm6yUiyW25774q4r7q/PFuz5lPQFIpA0o/FE9oLk6Zv5sPSFYQeK5wahcZT7p/3EkL3D+eKQpEfK+NGxq700LkP0/ft7jAZU5u17MHv7v8fu9VoZRBxip+j/Ifju+pj7RGLjfLIpKsziClFJEkEgmtbTNgnn7aqWvb2s6/8MLnV6++5XOfQ8oAAOCNDFkDAAB4PWtqagqHwyKilMHMtTNnr3z+hdPrzpgwcaJpGrHhqNaalUHMkooo0yP8k4/TN2Ml80+OAoFfVhifd6FDShe4Rrxr7QlVffaXSqGk0ympmDxnJ8nBApnr+5xEZgGDe+Pe+5xkv+73fEYMn3rGL5pPpSCyDySX3w1691FOKiedNUldo6K3m//17NyB7x//9Yv5tGSUSaTeOCEWIcNQRBRPxLWm0rKSqVOnvfRy+7QZs5j5hk9+8vwLLkAjAwCANzhkDQAA4HWuubm5tbV11qxZIvLsipXMPPvkk/+xYuWs2XOnTq9RioeHhrRtm6bJijV57pzn1vC7cS4TsThTFfrevs4X8onfq/7GkjtwYun07XvJCf+zdptxD90vfZC9de/CObf9OV+2Ir3VrLyBZF6SPCsReRsjZGQKcg7Es4yklinuWue+V8k0gUjhDfhdX7/FfdfPWK1AxiDfp8mnqSGn3wt2HzkNJMidTsIdQEKGwYbB8VjMSiTKKiomT570+S9+ec7cU5l54sSaxsbGSCSS76IBAMAbB5LHAADwhiAiS5cuXbt2bXV1dWtr60ULFpSXl1108T/d/d3vDg8N7N23b2hoOBQMmgFTa7c83p01IF+Hv/RwfPH7eVogAPe7dVvoB3JRr402x5C90TwtBXw37L+v/AuOtLz4HFFOm/98B5ivk0MhWS+P4rehvLfdR7r+kvXv6Pc+qj1zxh6TTSWISEhYhA2DiWKJONl2ZVXVuOrqt7398hUrnv3jH//kZAra2trq6+uRNQAAAELWAAAA3lAikUhHR0dZWdnkyZPb2tpOPeWUyoqKd7/nPd/5zncOdO7r2LJ1YGAwEDCDoRARiWjRQkSsWNwmCL7Rn4w+ePdrrDfWxEHRUseWpwGfT299//WLe7lgysDzWmaxBuc5uKzncqpAjrYxtS6UjK9H8wEocBiS8yDP3t3ujkKs4rGYbSWqxk2YMmnS2RfWbdq4/WB379+fbHW+QWbPnk1ESBkAAIADWQMAAHjDiUQi+/fvD4VC48aNI6Le3t7x48bd3tj4tdtuf3Xrhg2bNh480G0oFQyVKGYi0Vqn79Mm2/Vnx4JjkZk7GPlncs7992LlO8KcO+c52/avtPCNTyk13mGEvWaskblKcqc5FQ+5CxwXv8IUcxAZn5R8hQGj3mqhFcTTakIy5q1gjsdjtqXHj6+cOWvuzJNPXvXciq7Ozo2bNkcikba2ts7OzoaGBuQLAADAyzjWBwAAAHC0tba2rl69+vLLL3e+LCkpiUQi27Z0zDn15G9/705iY9KEiqHheG9vr2VZipmVcoaHp3IH+aLpUcqpOBghXMzuzViEEQ9yNMMlijrj9Kj6vI0OspfOugYj1TwUkVbwV2jUyCg3NfL6xbU1KLCV0R2SJ/vkDKxhVoqdSRLYnR/BSljxqvETzjnnwkVXXbVp06aXXnpp1ernDxzsrqur6+zsvPDCC5cuXdra2jqqHQMAwOsesgYAAPAG1dra2tra2tDQ0NraWlZW9vgTf7tw/luee+65m2666ZJL5j/8i28Nx8oHB/p7urtj8bgWzczEzgR1nLqde8hGVW4w2qzBWIdLHJ7b+Fx8XQR7MgzFZA2SLxb9Jowqw5Mq6chXUjFWfvUp/lsf29vByRwQMycnPhAtOm5ZCduaPGni5Yuu+NUnP7Opq3N/b9/uvXuefvppZ8XOzs6Ojg7kCwAAwNdxUd4HAABwXGls/Ixplg0OJr71rTsff/xPP/vpw23r2+NDQ5Zls1KKlTNZncgoyw38w+gRRvLnLl/cnkYrf+4gY2MFuvm5ofbo9p1Tv19k1oBSiYPCSx5iRQh7NjLmASKUNTYh74CRQs+OkENhSX6SlDJExNa21ppEE/OUKVPf/8H3/OH3j82dWHNlQ8M/z53Hl146+nMAAIA3KGQNAAAACvnsZz5dUhL6zh3f++ptX3j2Hyu6Ojvj2ta2xazMgKmYna4HzrAFzh26PnLPfE+4Pppm/vlf8mlLyJ7DyjMNQJGH4Hs+fs0JipSnq2TOcfkrJsEwuhg9z+pFlASMsPv8kyiMvMWM98ZbppBK1DARsWEorcXWthZtKMMMBGbPmvnI0oc/tOST+7u6Hv/b34s4XAAAgGzqWB8AAADA8auurm7CxEl3fPfOe+65e+r0GU88/fTnP//l006bO6FmYklZSSIWiw7HRIQNpZQiIi05sWHu4P4CYeOht0rIisKTf7LLBfLvaKQXszZMQlJwlUNW1NFK1nKeY5Ps400uWcxhi+eBf1fIAlvxvJR3R5L1t+TbaPrr5DgVp9RFtJBiwzCIJDocteKxgGlWlVWcf/ZZL770yrhxE3nixFPfVIeUAQAAjBmyBgAAAHktXry4tbW1sbHxpptuXv7U08x8oL/rLfMvWbHy+YUXXXLy7JMnTKkRoeHBoXgsrgxlmAYzizd3kBsAFhizPopag7zBMBFJZrjsu6ZfWJodUftmB45cgoALnJfPWfoeeuFT91lJCg6pyE34+B9Fnrcic8mcZ5PJAvH87X0bvW9H6kjY2YYIMynDUKZhW/bw0HDCssvLKydOmvK2d1yxcs3aGXNrmXnOKacQ0dKlSxsaGgpeDQAAgLzQDREAACCv1tZWp0tcS0tLTU3NY4899tdly2ytn3j8cTKMn/3857FYn23FK8rKLZKB/v5YNMamMs2AkzuQwk0T83VCPMThg8WF9UUMSMgqiD96ZORrcHhnXswzaGOkky96lIiM9DD/Nr1dH5lIiJlYsaEMrXUsGrUTVklpqLp6woRx1VeGw3v27h3f2fmv11wzZerKtjZZunRpdXX12rVrOzo6Cp4KAABAXuhrAAAAUBQRaW1t7ezsbG9vJyJnTvtrr72msrz83v/+n49+9KN2PH6ga9/u3fsG+nqVoYKhkGKlRUR0EQEiFxHGF3mgRQX6Y99d8bfmx7K1IpMUhzdrUGhzYztdn+SA51/Om1bIzB1ltHpkZmbFzByPxSzLDpYEJk2cVD1uQkmJ+sVv7v3Mkm+0r9/89yefDIfDzS0t94UXTg43hMMRzpsSAQAAKAp+kAAAAIxOJBJpbW3dv39/X1/fggULWlpa7r333pPnzHnnokUvv/zygw8+2HfgwGsbN+7dvzcaS4RKgqZpELFoT5zo043fM5vjIdcaFB155zuYQhsvertj3uAxSRyMpdzAd5V8+YJCRQaSvTnOmkqC2aleSSQSQjxxfPXMk2dVV1WffNppT/5tWXl5sLu3929P/CMSiaxYsaKurW1BVVW4vR2/5AEAwGGBHygAAABjFA6H29raLrvssrvuuqupqWnSpElbt27Vtn3X3Xcvveeeff39bevXv7phQ1fPAUVkmgFDKWFmEU1EIkop0eKEh0JMLFxwQEOxis4a0GiHRYxqsMLYcwdFZyYO328xxVx372EVyLT4lBbkyx9wZuGBkx7wHpNTJ8BsWZZtJYKh0toZtfWn11dUV2/Z9Org0JDWsnnr1pdffpmI6urqJk+e3NDQ4FTBAAAAHC7IGgAAABwSZ+QCETU1NTkP7vj6188844xVK1faSn/kusV//OOTK55ZuXnjpv6BfmJS7ASDbrU5kWgtSqnMMLT4eRd8Fiwy7PYpdyhi4/m2P/a5CX22OOIZFJc1kILxfcbmRv0bke9Ws8cd5L4d4tN8MdVAQhGTIhFx5vJkZtu2taXLqyrOOOOsRVdeGa6puefvT3TGE8HSUmQHAADg6EDWAAAA4EjZvPn5jRu3Pr7syXhc//d9//Nf/3Xn8if/3rGpI27FtS2kRDSxYmUY7M6kJ8na9Kxg9/BnDaj4OD9PQX1RGzykgQ8FsxNHqK/BSKMO8snpU8BO1iCdaUm/NZ5iA3HfcaeqQIsWEhEhVqQlEDSnTpt21dVXfupTN33kwx+eO2nSe/75n+vLy/nSS0d7ggAAAGNmHusDAAAAeN2aO/f81OMpU0+6/fbbP3btR37X9tiPf/CDRx/9/a7dexPxuK3tWCyumA2lVMAw2BARIRItGdXqhe6bZ3dM8J38IPXkCOF21hj7kYfje78ea+e9oqZrGP22fS/BGPaQ072wwKriWSG9kmfYSLLagJmJFDOxbdtaaxFtmKbJhjJ5wqRJlzRc8p//+a1PL/nki2vWpToaNt5990jnAAAAcJipY30AAAAAbwjr1q0TkZ8s/RkzP73i2ZNqZz6/du11n/n32XNOrplUU15RYQSMRDwxHB2KxeNaazYUG4Y7miE7ZpWc8JZzb8Jz5p/0i0W2MJCMIQlF3G73O6hR8Zl1MPcMxrRlh+Q7E04vUODYitipf38GJ08gDmKlWDGRxBOJ6HA0FosRUUkwVFFWPnX69Pddc81L7RvmzD1lypSTHnjgB/fd/4PaGTPr6uqKOD0AAIAjwjjWBwAAAPCG0NbWFolEJk+e3NfXN3XqtAcfeqhmcg3ZZJhG829+Gyot7TnYQySlJaWBgGklrHgsbiUSQqKUYlasWBGLO5yfk3ervYUBBQcnZEXfOQFwVqu/fC8Ves4zJ4P/hopRIDjPk0DIazSTH+SfvSIzc8HJoQzs3wnBqQkQEU4+omQLC2ceBNu2E/FEPBrTtm2ESspLSsdVjTtp6tRPfPzj9//4J61Ptu7ZuzccDo8fXz158pTPfe7zRLR8+fJ3vvOdTssMAACAow8jFAAAAI6GVJG5M/PCzTffvORTSxYvXtzZ2fnwww/bltX829/e8IlPPPDDHy5ZsmTfrl1Dw8MDmtMgjgAADqpJREFUQwPDg4ODff0xK8FEgWDANAKGwU4oqoVIhJzGeckoVtxRAp4MQoEg3CHZS+UPt0cuODiklMFhWde7kTzDK/yKInyHbvgNBnE7FSavM3sGj4ibJXCWdFIFImLbOmEltGWTCBuqpKSssrIyaJqhEuOTn73+e9/574TIpm3bmDkcDjsr9/T01NTUtLa2RiIRZkbKAAAAjiF0QwQAADgGRKSlpeW1114jottuu23x4sUtLS1E9JGPfKSqsnJ4ePiHP/rRfffdt/qZJ4fjVk//4EBv78BAX3Q4ZmmtSIKhkGmYzMrpoZiqgCciZk434ScW/+RBsZmBQl9lyxz9cPz8ipFThJHVfSE592UxWQP3Wc9UiakpD8hQyskciBZbdCKRsC1LmA1llJaFqiorzWCIRU2eOPHu++//zJJPGQYPDQ//6bG/EFEkEmlsbGRmZzBCe3v74ThzAACAwwC1BgAAAMdAqvTASR/U1tbW1NR0dnbOmTOnra2tpaWl68ABQ/HBgwdOmTv317/5/W233TZw8GBfdKD7QHfnnn39g31DsWGyhZUyDdM0TWJWSokWImFmrZ3dpG+he7shSlalQcaRZT/tuWfvvX3v04SgyFPP3FbR00OMWeqE/Zsa+o7Z8B+rIELEbmdDEeddZKWYmMnWlrZty0okEpooZJrl5ZXjx1VWj58QrKiw+/o+deutd373O1u3dGiiD7z//cufeiocDp9/wfw/PfaX2bNni4iTOGhqajrsFwAAAOBQHD83AgAAAN7oGhoaQqEQEbW1te3cudN5srGxUWudiMc3bFh/wfnnf+krX73jjjv0cPfuvT37Ovft37f3QE+PFU3YVoIVE3PANJiVE9I6dQdOJUL6DrlTjJAsSSCnWx97swWeiD79MDfgzt9aceTfL9zCfk5u9ognD/LMHpHsTyDMLNmJBeciETNrrTlJRJwSA6fSIJGwRNtaS0mopKKidNzECTUTJ02pmRooLz/nnNDjf1n/6sadpeXltmXFbXv58uXOpmtra+vr64koFothAAIAABzPkDUAAAA4YYjIM88807lv99o1a7oPHgiEpnzgQ1/bsqVl166tOzq2b+vo2Lt7b3/fQDQWE8WKlaEUMxO7pQ1KKTdT4Aa9TvzrDtYnJ7IW9ya6m0qQ9ESOnkQC0ViKDcY2L6N/PiFz3AVnZDjcbpF5EhGZ6QM3ayDCTMTKnfCAmYVZsZDb11BEtIiIO3uF1tomUURlwZKSiorq8eNnzppVd+aZl5x66v/++pd9w8PV1ROmTa8qqwhMm2YuXhwZy3kDAAAcHzBCAQAA4ITBmXH3889Ld3ebUtWbNj3x6oYN1dUT/rHq+Wcef7x11TNtbRu69u7vHxiwYrFYPG6LrW1bKcPp5S9a3MJ6JlbsZgqIFLPWmtwZAonJSSdwZqFB4S6L+Q9+rCedud+MR8kMgDcTwIXKFiTVxiC9glLsVA0QEyslQkRk25o0EbuJBKdiQxErwwiUllSWl06aOOlN8868/F3/dNFF73jP1Vdv2LixNBicOWHC9e/7wNmXXTbGcwUAADj+oNYAAADg9eOmz372LW+5cMuWLcL85S9/hYi2bt3a0vKLl9as7dzXNTQ8NBwdthNxrYWUIiFb20Skbe3kDlgppVRycIMbW4sWIRHtdlwkSpUgJOcrzFN84EgVMoyCfwMCzyZ9Vsiz6+QcEyLCyZoLdgswyNbaOU3b1iJatBiGKUSk2CnSMAzDMDgQCJSVV9ZMHD939twL3vrWK6+88oP/7wMV5RWTp9TU1dWvfn7V3XffO7oTBAAAOHGg1gAAAOD145577yUiEWlqamLmP/zhD7NmzRw3bmLc0mVVlcuefJKIWlr+9Nxzj3ds3DIUjVrx+MDwYDwRI1sTsdP5X9tuSoCZtNakWLFSTllCshkBs0oPWUiODhD3MZFTnuBWMHh7IjhRuyeT4G3S6MGeEgIRcfMX2T0QkmUDJKlNp8sxnFNwEgXMWoS01lprESbS7rGKYRiGMoNBg5lIlDIMxUZpSbBi/Pg506dfOH/hoo8vqqbqK9/1rpgl2jSZ6KGHHvrFL38VDocf+OEPeWyjLgAAAE4c+FEHAADwutLY2EhEHR0dP/vZz5w4vqmpyZmXwVngV7/61dYtW5995ukd23eMr65+cvnyVRtWPffH5Zu2bNm7e3dff//Q8KC2hZk1cyI+ZNuSSCSYSGuxbCueSJCIYiZm0zSUMpz79ko5QbzTL5CcWN0J2pPdEyg5C0HyGSYSYZ+kQUYPhOQm2Fk5ObEkO5kHLcJMot0uDLaI1lrbllNf4GClRLTBphFQzv8MImIzEDTKy8qCJeVlpaU106ZdccUVixYtuuxf3r7z1Y1TpkyZd+ppF1/xjr7+/k8v+TQRhcNhp39hY2PjLbfc4hxbVVUVZj0AAIDXN2QNAAAAXp8aGxvr6+vr6upWrlzZ0tKyZs2azs7OVB6htbU11br/pz/98a7du3Zv37Vly5b9+/cfOHjg9Ded/udly1pbW//vkUf27t+vyNYiQ/F4f/+AFY9alra1kK0TthWLRrXYTCxMtq1tyyIhIc3EWjQJaa2dnoKKDcM0iEixIs9gAb9jFxFiEU3kVCrYWhORaE3KbU6oSbTWihQTK9NgJtKkmUw2VECZZoANFWBWgSAzk23bJOVllRXl5aJ11cTKU0+td9Ir73rnv+7du3dSzeTTTjttwUUXdXR0/Md//AcRNRDVhMP19fWNjY3MXFNTc+6559bV1S1YsKCmpqahoQFVBgAA8AaBH3gAAABvFKk8wvLly1taWtauXdvT0+MMZyCitrY2IkqVJNxxxx2nn3baymXLNr26cc/u3T0iZsA886yzfvbgwwcPHnzxxeUbN762Zs3LieGYUgaRaZpmPDEwPBCNEymRhGWLZdmWlYhbmp1GChKLWrYVEyLLFrEtWztdBzQTCSki9xcTpYjFYMMmYdMIBEyTFCk2xBbDVMo0iUhIa9GsWSnTUMoIKBFlEQWDQdM0TdueNGHC+GnTrrrqqosvvnjJJ2946qmnE5ZVUV4xYUL1zFmzLrr44srKqra2Nufcw+EwEaVyBER0ak3NW849tyEc3rFjBxGhoAAAAN6wkDUAAAB443Lut9fX169YsaKvr6+trW3z5s2dnZ2UbI5ARG2RSEty+YULFy5evPicc842TV63bt2zz67Yvm37/n2dzlQDoVCwtLSkevz40+vP+MY3v+2s8vKyZQeDwb6+vv7+bU89tYKGDFWhEglLhKLRWLlZTkREsYRlEJGlEkRUqQO90ehgMGh0d4eCwfG1tVOmTKmpqakcqpxx/oyGhobU8d/0mSUvr32pr79/KBqNxePEipkNZtM0Q8HgxJqak6ZPtyxr165dy5cvd1bJTRDU1NTMnTu3vr5+wYIFO3bsaG9vT6VOAAAAAFkDAAAAyBYOh+vq6urr61e0tLS3tbW1t+/0vJoa5kBEkUgkd3URaWlp6e7u3vLqq0NDQ/39/VEr1tvbPdDXNzQ0LMTEYtuaiUlYMYmQM7WhkDgzHWphy7ZJJGAYodLSsoqKsmBZWVnZhAkTTqs/7bzzzkvlDkY1UqC2tra2thYJAgAAgOIhawAAAACjEA6HnZyCE3K3tbW1t7cf64MCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAID/3x4cEgAAAAAI+v/aD2YAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAPgCImdgILyU7T0AAAAASUVORK5CYII=" height="922" preserveAspectRatio="xMidYMid meet"/></g></g></svg>
\ No newline at end of file
+<?xml version="1.0" encoding="UTF-8"?>
+<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="70px" height="70px" viewBox="0 0 70 70" version="1.1">
+<defs>
+<clipPath id="clip1">
+  <path d="M 5.46875 0 L 65.148438 0 C 68.164062 0 70.617188 2.449219 70.617188 5.46875 L 70.617188 64.558594 C 70.617188 67.582031 68.164062 70.027344 65.148438 70.027344 L 5.46875 70.027344 C 2.449219 70.027344 0 67.582031 0 64.558594 L 0 5.46875 C 0 2.449219 2.449219 0 5.46875 0 Z M 5.46875 0 "/>
+</clipPath>
+<clipPath id="clip2">
+  <path d="M 5.46875 0 L 65.148438 0 C 68.164062 0 70.617188 2.449219 70.617188 5.46875 L 70.617188 64.558594 C 70.617188 67.582031 68.164062 70.027344 65.148438 70.027344 L 5.46875 70.027344 C 2.449219 70.027344 0 67.582031 0 64.558594 L 0 5.46875 C 0 2.449219 2.449219 0 5.46875 0 Z M 5.46875 0 "/>
+</clipPath>
+<filter id="alpha" filterUnits="objectBoundingBox" x="0%" y="0%" width="100%" height="100%">
+  <feColorMatrix type="matrix" in="SourceGraphic" values="0 0 0 0 1 0 0 0 0 1 0 0 0 0 1 0 0 0 1 0"/>
+</filter>
+<image id="image18" width="70" height="70" xlink:href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEYAAABGCAYAAABxLuKEAAAABmJLR0QA/wD/AP+gvaeTAAAEqElEQVR4nO3afcidcxzH8dftnrH2ZITNGJPnFEZsrA3xx/xBlkUheUhRIvOQIWl/KI95SOMPDxEjWZTCJMkfxJhZKQ1Z5HEL926zzX3f/vjuONc59znXOdc513Wfpetd39ru67p+v+/3c36P39+PkpKSkpKSkpKSkpKSkpKS7ujvtQM50Y9pO208tmOkpx71iD6civuxBlswLMQY2fn/D7Ecx/bIxzGlD4uxTlWEVjaMd7Ega0VJ7sJ5eAjPdex+MUzHU1hU9/c/8Rk2YBCTcDjmYGLivRH8mvh3xQYwP/GsIQ8nPngBe3UeR67MwQ+qvg1hFc7G7k2+mYAl+FR6i/pAjEupHCr6Z+WjbzC302hyYi5+V/XpS8zL8H0/lonutFatKG+pbVWpLK37eDtu05sZrF6U1zE55f1xLZ69lyjrDeyRxZlxGje/1ZiZpaAuOU2tKCs17zb9Ykz8C29jSoN3bk6UtUaGlpLkJOwwWpzfcG4nBWbkdDGoVup9UXprOFOtn9fUPZ+pOkQM4LBunHvAaGEq09+j2LObwlM4S8wuyUkgTRQ4Qe06Zknd8wcTz27r1sGJ+FZjcUbEFHlUt5XUsUh0h0odz2stSoWrRXe/Hbsl/j4Bm3eW94sOu1A956j9JeptAJfnUZHoon8nyn5W+6KkcX6izHtzKO8/VmouTHIMmNpFHedjW6K8r3ADbhEtYa7ORVqRKPfELnwcxXRs0lqcr8X+JSsXqG760myjECmrQJ/v/H6T2i6WC1dqb1+yHbdmcOBSjWe/NPvK6MG1GeNVu+c7bX6TiT6xcmzX+TexX4syr8I/Gcqst1XYp0UdByfef6LNWDNzJLa2cDZpPxq94atwnfRBvV37TmwAmzEn8e7yzBFnYFkbziZtWKyHkkvvG+UjSsV2iLzMtAb+zk+8d2vX0acwXnUwa9eGxKwDd8hXlKQNiBn0epE6WShaZuX5TXmLUc88EWy7v+ZlYoxanjHQvG1pEWLU81gbjmwT2bY+0dR7KcqIaD2FM0WsK5o5MSgG3n48nmNw3djFhSjRgPOaOPAHzhALsadzCCgvW1iMDI15pa7yzThFDNIvdRFEETajIA0aMlM1mfQzjhe72de6DCJv21iUAGlci+9xjNjSr27T2bG0Z4oKPo3dRMuZivfbdHSsbXFh0bdgmjj567UAjWyT4rKNqewrsnm9FqCZ3Vdc6M2ZgfUdODtWNogDCou+CbNEbqTXwafZ3YVF34TZImPX68DT7EuxdBgzjpC+HdgVbFAcqXRM1vzpMSJF2GoVOSSOXtaINMU6HCiy9I1OCfNkGFeICWFMmCQWcvW/zhZ8hCfFDnaB2lsSU1Sz/AeJ8+eiWsqQ0aeQhTNZ7H9exT24CEdrfJ7chztFP68ku9eKHXcfLlR7rSMP24pLco24ICaIrlN/CvCxOKSbJe7jbNO9KBtw8tiElR/Habx/2irup6zQ+WC+A49Ivxqyy7NQ3ElpNy3aSpCXxWTwv2G2OHj/RLZzpWF8Ie4JHlK0k/WXE8eavcXYcKwQbH/RLfrEWmSzmPbXi03qT71xs6SkpKSkpKSkpKSkpKSkpCQ3/gWAWEZ2VUkmNwAAAABJRU5ErkJggg=="/>
+<mask id="mask0">
+  <g filter="url(#alpha)">
+<use xlink:href="#image18"/>
+  </g>
+</mask>
+<image id="image6" width="1383" height="922" xlink:href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABWcAAAOaCAIAAAB7kHe2AAAABmJLR0QA/wD/AP+gvaeTAAAgAElEQVR4nOzdeWBU5bn48ed9z8xkAcIadgRxARKs1n2pEqrWttzrUg3V3tof1q0tt7Zo1Wu3TKqtViu2alFbe9Vr16S21p1aJVgtCmjdiMomOySRJUC2mTnn+f1xZiazJgGCoHw/xmTmzNlmYc55n/O8zysCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACwd5l9vQMAAABADqoiUiVSLlLpT1myZEl9fX19fX3O+cvKysrKysrLy1Om1YosEak2nPMCwO7iGxQAAAD7gKr6N5KxgObm5u3btzc1Na1du3bdunVlZU11dSKiqUtVV1d3sc6qqqqsaaaiQurrS0ePHj1mzJiCgoKSkpKSkpKTTjopNcRgiCsAQB58PwIAAGCvq6qqKi8vr6ysTMQIasvKyiorw/6jyVjAkiVLRKSpqamuri518aVLlx522GGNjY1NTU1NTQ0inoiKGBErYv15SktLS0tLhw4d6t9dtmzZ4YcfnlxDRUVFaWmpf9sPFiRDDOFwuL6+vrKykjgCAGTj2xAAAAAfhmRyQSJGEL788sUjhx+zYf3a1atWLV22dGNDQ2NTU1NjQ0NDQ1NTU3Pz9rEHjZ03f36ulbUkbvTpeqOfrqhYs3ZNSUm/wYOHlJYO6du33+DBg0cOH3HkUUcdcuiho0aPfvXVV4899thwOCzpcYSukxoA4MBB1AAAAAB7V1VV1ec+d5bn6Yjhw995552lS5e+//4r/fr2u/HHvxYRaZGNDUuWv7+pfvnyDRvWfNDQuGXr1ubm7e2trZ5q0AZccXe2tsQiUc9TVfGMGE+NeFasJ0asWE8koFYCYtSq9YwJOE4wGAwFgzZgnYANhQqLigoHDOrfr9+AEaXDDzn44E8eeeS4iRP93fvaFZfvbGk54cQTJk2YWD55cv/+AxYuWjR16tR9+ZIBwH6DqAEAAAB607Jly7Zt27xt29a5z8x9p/7dAQMH/vZ3vxeRzZvXvfXW8vo33li5dtWmDRu3b9vS2tbR0dEeiUaj0Q4vGlM1jnXUGFU3FvPUUzFqHSsaz1Mwxqiq8c9gO09j028Z43deUFFRFSOqRlSNMUZUPVXHOGJN0CmwgUAoGAqG+vYrGVw6ePjIEYcddshxRxz9ieOPF5ELvzh9/Yb1Y8eOPfroI8455+xBgwYOHDiSbgsADkB88QEAAKB7qur3/6+trU1OrKqqCofD7y9btnL58rfffmvr9uaGxoaSfv0v/9rXV69e+v77q1eteH/D+k1NTZs2b93W1tIa6Yh4nudpzBjrWGusY40RkzglNSZerEDUiNH0HchqsWdFD/w7KuL/Uk3eFRHP8++qMSa5rHrqeZ7reaIi6hnrBIOBosJgv34lQ0YMHzVqbHn5hFGjRhx66Ijx44/55Z2/2LFz+7gRIydMnDhy6PB7Hn44tRdDsnBDrl0FgI8wvtEAAACQm3+Ff8GCBX6kYPbs2X57uLKysm9xcSAYLB085Me33CwiD9x1V0RkXeOGLU2bGzY1bNmyuXlrc3ukzXM9I2IcxxpjrPUX13jT3W9dq9+6j29RMm6p/78x/kCMiWSCHJKxh0SsID1qoInpJnUlJrELaowRY4zneaqe56nruqLqOE5BYUHfviXDhg0dPWbMiOEj+w/ud8LYwz7xmc/c8D/Xvfvee6NHjxk9ekxbW1t1dbX/ctXW1tbW1paVlVEZAcDHA1EDAAAApFHV2traBQsWiMjs2bNFZPr06bW1tffeO2fjhg0vvfTiYYceNufeX91cXb29pX3z5sbm5s2bGzZv297c0tbqRmPWGus4jmOttUasGFHVzlqIIskmfDzNIPlAonNB1g75s2uegEGupIPEE0m9bfxuC/FNmWTwwt8HY4w/0VqTCCeIqqpqLBaLxWKiEgoVFBUWDh02ZMiwoaVDSksGDigtHXHFFVdcM+vbB48fP3nyEf1KSo499lh/zSeeeGJlZeWYMWMqKyvJPgDw0cX3FwAAAOIqKioaGxuPO+64Bx980I8ULF68WNVbtHDR17/xDRG5++6fvfP2u9uatzdva962bdu2bdsiHR0qErBOMBh0Ao5jred5nmpnpCA1XJCMESQCBDlORlOnJWMIuYIJqfPnChlIaqaBdmYbZK/AJCompKwwEVbw4wfWWjHG87xIRyQWjXnqBgKBouI+Q0pLBwwcUDKg/6ghw6p+8hMR+dV99zZv3z5s2PAnnnhCRGpqaq6++moROemkkwgfAPgo4msLAADgQFdRUVFQULBly5ZFixaFw2F/GMJwuKq9ve3mm38qIldffdXGdU2tO5t37Ny5bfu2ttZWddUJOMGgY63jN7A9z1PPExU1KmLiqQHdpAnkYNJ/dTt7zhVnRCsygxe5ljepfRxSelKoqoqxRlTVWKueWmOtY1zXjUVjrhsTI8FQwYD+A/oP6F/Sr+/A0iFf+9p/l5eXh6uqDho71nXdK664orKysqam5uc///mAAQNmzJhB7ADARwhfWAAAAAeoqqoqEVm1atVDDz0UDoeXLFlSW1v71RkzioqK7p4zZ+GbCx/8xX3rNm7csXN7e3t7a0tbNNphrA0FAk4g4F/J9zv/q/ot7HiwQJNtYu0sTRiX2jTPpTMXoUeBAyOi+Vrgye4JaUkHOdfSuYaMugnxu/4aEsERTW7UcRxrjajxXC/qRl3XDQaCxX37FhcXFRYU9B886MIL/+vss8++ZtasPn373njTTRUVFfPmzfODMhUVFRUVFYQPAOz/nH29AwAAANg35s+fX1dX98Ybb9TV1U2eXF46ZMhLL700YtCgxa8tuvPndz75l0fXrF23eXPTjh07Y9FoIBAIBUMBxxEV1/NHHvAk2RxP9hLw8wtEJG+PgJ4FBHo8EEHO+TTrxi6sIiNskLip6vmzGmPiiRR+hoWoigQCgVCowDE20hHZvmPHtu3bt32w+aUXXvjd/z3sBJzzKysffPDBxoaNb7z5xnXXXT916tQZM2ZMnz69vr6+R08SAPYdopsAAAAHqNtv/9nAAQO279jxrW99+x//+EdNzR+Wv7d0Z/MOV91oNObXBXScQDxLXz2RZIEAkcQ1fO2MEXTq5up+1/kGGXPtenRBU//PtXtdrsKk/k0WVcj+I+nzJYZmiPPUi0Vjnud56gWdoHWckpJ+5UeWXXvttePHT7zn3jn9+vW7+Mtf6ea5AcB+gKgBAADAAURVV7y34tHHHt2xvTl8448WLKir+cNf3nzzza1bNrtuzBjjX0S31okXJFDNqiSY1hrPbpZ3FTIwGX+78uFFDbKSDdJuZo8GmZhi4tUb0p9VymsVCDiu57oxT9Wz1rFigqFA6dBhJ550whe/evGEsRO+851ZxsisWd8eOXJszucCAPscX0wAAAAfT+FwuK6urrGx0U+Df+juu7fsaO7Xf8ClX//G3x//+wv/mvfa4lc2NjTEItFAMKBqrPUT742Kn3RvVNJGK/Qnpg5omMg8yGpYS65L8trTLIPEElnz5l44rVhCashAdjNqkL2l1BEcsxfOWERF/bEcRUTUU2uNsdaIiY8p4annuX36Fo875NCTP3XyyScf++9X37rsim8sX7r0t7//fXV1dUVFhV9ygsIHAPYHfA0BAAB83PgDKJaXl5eXl4fD4f/3/y4eMXx4+86dn5xUvmLD2iVv1a9et6Z1Z2swFLDWiogxxvM8UfXLCybOEDujBialpmBqOzxvokHuIQ53LWoQXyD1T+bktPsp28wMHfRgM93vWXq8IPdQkPHSicmgQXL8CBVjjTHGGuO/yKoaiUSdgDN40MBJkydNOrz8v2fN+sH3b1izZrUTCIwde0hVVVU4HJba2oqhQyvq6jhrB7CvUA0RAADgY0JVy8vLReSpp56aOXPmnDlzyssmnv7pqXffPeeFF57funXbs/PqFi1a1Li5yRoTDAWNMeolixP44wTsRpJ8nvQC01keMX5vl0MGGatLv5WrzZ62Cz0qhNi5bLKeY7aseEHefcucapLPP+V19YwYMdYEA4GAY1tb295///236+v/8fe5Awf0P/HkY3Y0txx99NEvvPDPa6+9durMmTMefDBcVjZ15sy6urpdekoA0CuIGgAAAHzkqeq4ceO2bds2bdq02tra+vr68rKyhQsXNjS+v/Td9x968P7Fi15buXxZW0dHYUFhMBAQFc/zVNXkyAxItG813vBPaxN3efXepCzixwhMMnDQq9fKO+MP3a+2h8GDHOMmZC3Zk1VlDNuY8kD8ZY3ve7xghBjr2FAw6LnuxvUbVq5Y8f7K1X2Lixs3b73hhhuKCgtbX118xrvvTZ05s7m5+eijjx43bhzDLgD4kBE1AAAA+GirqKhYtGjR9773vUsuuSQajYwZPerJp556Y/Gbd901+7XFbyxfunTjxo3WmFCowBrreZ7nedkN4JSE+64a4l21mzXt0b3cHz+lSd6bG8q3rl3LW+jcvdQYQiLUkdEbIhm+CRWErONs2bJ1zdq12z7Y/Nijj7Z1tP7i93+0In369LGOs2rVqoKCgqOPPvrcc88l7wDAh4YeUgAAAB9VlZWVlZWVy5cv//vf/15XV3fbbbd+5zvXXn31VUvr393RvH37zu3RaDQUKrDWuq6rKXn2GSX9Mtu3uaWtIGUl6v/KrH74IZ1m5tiOZvzdN/yBGPNN6ewQ4YcQNPEuWMcaMZGOSMx1QwUFgwaUjBwx+udz5gwePPi+++754x9rKioq/HciHA5TKxHAhyCwr3cAAAAAu0NVa2tra2tra2pqgoHAvHnzvnzR9E+dckKsI9rW1iaigUCwoMBRz4vFYiIiYlTTx0RIrkpEtOt2vua5nZDSyaGLAgF7gWbs+H4ZMsjxcvhjVIgRVU0+rp5x1TPGBELBgAYj0eimhsYtW5vP/s9pI0pLr/3utVdeOe+G/7n+lp/eqqrhcPjDeCoADniEJwEAAD5iUi/6P/Xkk5+fNu2Sr3zl7bdej0VjKqoqTtAxKp4nIl7qwIhZQx6YjK4Jqd3wUzeYvXjGKAX+ZP/Oh3/9O7nju10LsbflTjTIObEzyJJ4K+JBHFEx1loTc2NuzA0GQwXB0MjRI779nVl1z8/f1NB0z7337fXnAQAidl/vAAAAAHbHokULReT5fzxz/FFHLV78cizmqkgwEHSs1ZjnuZ6qJ5roQKDJoRMzOxqkytXq1tyz7NtWeUKuAIXu050zXYQMRDJ2TePvjIpfGlFV1UvcEqOe57quY5yCwgIRbW9vW7Vy9bVXXf3m629UTj93+gXnicg3v1lbVaUiVR/GkwNwQCLXAAAAYL/m56LX19fX1tZWVVWdfvrpInLqqaf+9Cc/efKZJ5samwpDQWPEivVUPc+LX7fOGIVQO1v7uTICUpLp858eakpyQWbaQlohxF18hj2QtUqTc5PZnS8+XPlexly7v4uvkzHGGCMq6nquek7QObJ88kUz/uuss842Ri699Le/+c3FFRUV/szUSgTQi4gaAAAA7L/C4bAfNTDGfHXGjCOPOuqqb33r5ptvfumFF1a/vyIQDAQCjuepqqinyXa9MakjJGbmFsSjBpLjj+SPGnQVMkhZc68XNcjTaUKyEwr2dfZDepyg66hB16swKcGdrHUYMcaIqnREOvoUFX7i6GMmf+KoWbNmzbn77i1btriq4XC4qqqqoqKioqKCcokA9hwjLwIAAOyP/Fp3LS0tQ4cOnTp16u0/u+2Wn946/7nnZt8xe/68ec3N24qLi0WM+iGDeD94EUlpaGr6tfeUkEFSjsatydHG7bZBnqyO0ItRAxPfl+RPrscTAxDsa5m7t3tRg+63kSh8YERCwZDr6cr3Vy5d9u7LL/5rUEnJ9d///nPPPnv4YYf1HzBgxowZS5YsGTp0KHkHAPYQUQMAAID9i6qWl5cXFBQMGjRozpw5nzrllPkvvDDv2Wfvve+el17658YNG4oKCxzHicVinueJMZpWhl8kK8PAn5QeP8hbnC97ekbRw67b6L0aNejhikzOoMKHq+uogaTFcnpjWyrqqYo1BQUF0Y7Y+yuXr167+sUX/jl+zBgnFDjlU5865JBD77nnnrq6unHjxq1atWqPNwrgwEU1RAAAgP1IOByuq6urrKycO3eusaKqw4YPv+AL5z75zNNvvP66G3OLiopirue6MY2XOczuLZCvZaoplQIz+hpkLhYvzpcdMsivt9vtu7C+fVv/sGe0l3bTpN5QT2OxmDHSp2/J9u07Xn75X4899fi6dWuLiorvuGN2OByuqKioq6urqKhgmEYAuy2wr3cAAAAAnfx88k2bNp573jknnX7yF7/whY0NG5u3bRMjRUWFXsxz1RWxif7qRlVzhQCyB0TMbq8mlzIpCQIpvelztnA7cxZyPNxbSQa7uB41YvI8x31H878c3dZsTM1LyMy40NSHkjc8LxYMBkMFoU2bGpo+2Lx27dqxBx+sqt+55mq/wEFZWdnbb79dXl6+u89nv1GbsK93BDhwkGsAAACwH6mrq3OsvfDCixYvWviVc/9r2fJl27c2F4QKAk4gFo0lMgs8P1iQDBkkBlb0pTQs84YM0qjkTTpInaWLNaS1bHvUeDf5fnY19KBitLvd2zc05Sflbvc7mr6UJn8k5VmazJnV8zzXLSoqchy7cf2GNxcuPuvTU8cfMnbevHmDBw+sr6//OIQMRKSyspKQAfDh2tddwAAAAA54/igJ1dXVInLZpV+95KuX/vSmm9ZtWB/paA8Gg9Za13Uzrl0n+yXk7KCQmKlHIYMEk/J/xvScJRUz6yakrGbP9ag8wr4eZzFVjp3NrDTRq5tK31489cQkykc6juNGXdfzCopC48ePv+32Wxct/PeECZMmTSyLxWLRaNQTV9Xzw0+qqmpU1fNU/LE4RIwxjrUiYtQvtSlqxBprjDF+mMb4BTgT4R5V8Tx/SbFWNREDMmIdMUaMUSPWcYxjrPF7V4haMVasiPVEPL9Wg795a4xYfz6xIp5Ya621Yq0sWbKkvr5+yZKtI0eKyJVXXtmLLy2AnIgaAB8GVV29evXcuXMXLly4bu3a9va2aCyqIsFAcPiw4WWTys4779xBQ4aMHj2aEZIA4ABUU1NTWVl5609/et311186Y8Zbb/67vaPDGONYR/w2nd/8ylWLQDWrQZrWhWBXm6vdHYi6jRrI7p1gmrQajT1ebD8PHOSxe/ucPUhm8q/JuG2METHWGjcWE2OCBcFPTzn9lttvF5GtG7d2mI5IJGJtVEQikYi/omjUGBOJRIyIRCTSJ9hHRIJBjUQklAxNhbSf9uuQjuRdEVENxbfd3i4iWlAQf1TjNwoLRQtU2qWwUFULi4q0WItapMV/tI/0EYnfMaZNWqVVpLhYVIukVfqU6s6dIiJ9RaRv35yvy7TPf35ny84jP3HkwePHz5o1i1MpoNdR1wDYuxYvXrxy5fLamj9VTv/ipEmTiouLN27cuLN58862dtf1CvsWD+8/fMzoYW0dHaNHj7791lt/VHXDgAF9+5QELr30ehGpqqryyxdxCASAj5lwOFw3pa6xrrG+ur5tR6uIiGtOO+XEzZu3hgIBxzjWGv/arz88Qo7oQE57FDIQERXt4dgFJu/6u+jSn7mG1Ll7L2SQugOasqcm1wwfnj0McMSfQ8ZTkayn64eVjIjnqeMERDTSHnn6madfeumfHe0R14upiGfEqDGiEr+6r0ZFrKgasSJeZypLPIvB+J8K6/chMWrU35HE7qhnRFRNfBEj6okY4xhXRUQcEbXGqKox1hO1IvGUAxFxRYx6IuJ/5FWtiBjjWSMijqeixjjGmPi2/BQHxzPqGFtc1GfI8CFHlJcfd+KJ559//kMP3P+5z33m6af/vmcvNYA0tEOAvejO2293VU+tqHjuubmvLXxt7do1O3fuUM8TEU9UPc+ICQRDjjWhgtCAQYNGjRxz2PjxpaMK3nx9eVFx/4LCovLyIyorK/21ETgAgI8Hvz+CiBhjqqvC37jr61d+8us33fHDt5fUi0goGJAexggyOiDk+5trwS7OAU2uDPhc203fRM6tdXfgSm3Oa8rfnsQtMkMGGTtgUibmj29k7kf2GnZZL46w2NUmsrpwpJ4mdM5gjFEVa8XzNKuTS/Ljk9bLpfNOrg9CvrORXD1lUnMg0u+kL5nvldK0Qg4Zj/lxDuO5nhuLeaqhgoLxB48783NnLF/2/i/u/KWfv9PFDgPoOWdf7wDwsXXWWacXFAQH9h/40AMP1D33/KaGRlU3EAg4gaATcILBYCAQDIZCxojreR0dkS0fbF69euWbb769ctnaoj59hpQODodvampsiMUigwYPCYfDxpgZM2b4tbUBAB9R/sCK4XB46tSpk86fuPD4RS/8+bl7H5izfPnyosJCa1NbOKYHdfhzhgq6jBekyrXy7qMGqanxXW5hl5MHUtdi88YOuokXZG1URZP9/v3Xx6RcsdeUCIPJs4ZdsQdt1Owsgvyb6DJqkEwNSI8lJD5dydZ4N4EN08W9HHKVtsgXK+g2kCPiJzWksSZeWSF+0xrjODYYCgaDAVXdsH5D/dtvjRo1euGiV//10ovHHHOsiPjlQgDsCaIGQC/zI+bz58//zOmfHnfIQbW1j6xZu7a4uCgQDKgaP9Tvz6OeqoqqZ4yxjuNHERzHbmtufn/F+2tWrn76mbmb1q/+0sUz7rrjjv/57ndnzJghIv7Ay/v0KQIAdlNNTc1rr73Wv3//qVOnfvd/bjju4OOrqr638OWFLTt39inu47quiedwG9WUsQSMSLKjQpfX97tph+V7OLNxmN3OS1S82/V1S3eFDU36b5Oo4GBU1CZrORhj/T8ioiZ+T0xau1KMSe68SucNMf6rZ/1RKsUYk4wj+C9tsmm9Z1GDbl6iTD3JRci7PpP+qprEpOR9k9kw9+MlqSkB2aNu9CSSkPPtzAjkpH2CdvNifw8CXJ2TPRUjWlRc1NravnbNmiVLXj9o9EGPPfrovPnz58+fvzubB5CCqAHQ+8Lh8PZt26668ms33/qzLVu29enTx3Vdf3Cs7KN6kqrnn+WEQqGCooKo6zas39CwqfHJJx47aOiwieVlxthAMLhgwYKCgoKmpqYP/WkBAPZIWVlZU1PT2WefPXPmTFV98rG/PfP4kyveXxEKBoOBoOe58dZysgWbSDXIk3CQL2SQv6t/F7q6Opy18Z42AuMBkOxr42nN60SpR/8QaeK18o1xrOM41jrWiT8iYtR/TRIJFfERCTUx7qQRMapqrLXWscYY41gj1jjGOtaIsX7P+NSMeE1kIpjEHmZGSHr6bBOBD//96/LlzvVg3kZy7u1nN96zG+fGpHx6MgMIGdvrQbygiz3SrMdTYl49Dxrk7PqSstouOq6oGGPcWKywqLCjo6Opccuo0tKWjo4f33xzTzcOID+iBkBvUtWmpqbJkyd/6cIL//TII8uWr/AehHcAACAASURBVCgsCHqu6x+3E4fAHNeKNOWoriKqnrEmVFgQjcQ+aGpaunJFYXHhnHvve/vtNzZtapw/f35lZeWSJUtIugOAjwRVra+vnz9/fnl5uRuLzX/hhQvPP++1119r3t5cXFis6nme54cHUhpYu9IrPlESIOf0jAmpV6BzBgdSGmfZF8/zTklvGnb2iU/2BMhstRpj/Txzx7HWGGs9UVX1u6lHY9Go60aj0Vg0EolGIx0RT1VVXNeLRmMx1/XU81TVU/XUqHiiRj3V+MX0jo5IJOKvI9YRibixaCwa81zXn8NYY6y18fwEERFjTfxQLIlkBE1JQDCpmRDZUiMNpvNVzCdv74rcb4vkTtbI7qSQ/S7k2nh69YGcw3Z2GavqsfSxIPPszG6XfkgJRWj8tTeqItb1vMKiom3bthaW9Pvlvfdt3Ljx1Vdf3d2tAIhjDAWgN9XW1lZWVt5zz5yvfe3rxx1zTMAxnucZMenHxczwfkqCoFGTuOoiEou51rGFwaLW1tYlb7/9+bM+/f2q77/5xpsiUlNT41fSAgDs/6ZPn15TU2OM6denePLhh595xhkNG9YZawoLC2KxmDH+FXkV09nhvEfdvn3d5Bikzph5QVnzNjNTm6AmdRvxAIURk4h5+/OkHulUxZj4eJGa6GthjBixxoix1oi4nsbcmOt6nut6nl8tXwKBQDBUECwOBawTDAWDoZDjBK2VYCBUUFQUClixGot5Yr2ABlSNMcYTLyhWHBHraNS1gYCr7s6Wlmg05sVcx7Hqee2Rtva2NtfViB9M6IhGYzFjRD11Ao4TcAImYIwVq8bYjGEtxe8tEu/tkFp4IF4cIaP1mvWSZb4H3dzsvGsyp/WgEd95gSK7D0F2gCBXyEA00WsjYx92MYSQfGlyL6fxTexe2MCIxnfQX5cm4jpGVIznesFgcP3adffff//48eN3awsA0hA1AHrT8uXLp0+ffvqnpz700P2R9nZJ6VWZlWCQeS9+OE/+SQy05bpeKBD0PG/dmvXf+ua3zzj9s6o6+/bbq6ur/XEZKQ4MAPu52tpa//L1Ddddd9ecu7fv2BEIBKzYWCzm90rIU9mwB7pYpItDTvr0Lo8iJuW3iFGTEilIvRvPy++MS8SbjNZaNcbvRhCNRd1YzPM8EbVOIBAI9OlXMqCkpG+/vkWFBUWhwgH9+zuFhQXFxQUFBcXFdsIxp/xHRUVyV34U/mF9/dvGiqjd1NS4c0dLW1u7f6A1xhQVFZX06ze0tHTCxIk/rP5R6nN4+umnFy5c2L59u2dMe3t7a2trW3t7a1vbjh07WrZvb2lvbW/riHW0qXhOIBhwnGAwaB1rjfUPxuolchhEjDGep+kpIZ3BlayXLm9kIH/IIGN62llE+qOmiymaXDozjSDjTuZuZe1mIqEhLWCSHiyRPPun4gfCcoQwMifsmqxPvR9oi0cqVL2CUMHWrVuamprWrFmzZ5sCIELUAOhd82trO/r3n//0U6GSElc9I+IlAuDxk43kzXQ5UwST92Oea411HKejPfrM3KeWLV3650cfLSgMzpx5VTgcpj4iAOznzjnnPx999LGLL7zw9TdeszYQcBxVcdWV9C72IrkmZNOuG6T5luliXek3TfqvrLZnyt14WUG/tEC8G72xJpGREIlEXTcmrrrihYKBPsV9+5UOLS0dNGjgkP4DBxb1LRowYHC/fv3Ky8tPOeUUEbnz9tsXvPJK886d7e1txx5//MS21h0tLf369FmyZMlLL730fN0LPalsN2XKlPVXXnnGGWeUlZWVl5fv2LFj0KBBBaHQmq1bW3bsOPmUU6769rf9Of/whz9s2LChra2ttbV125YtjU0NWz7YvHXrto6O9khrh7XGOoFAwPHL9juO/zTV+sUUNW1QwV3vUJJ1M++8XUZ10mMFOTIU8t3JzDvJdyqSNl9PRsTs1EXEY0/jBjnWoIneJZ4nAce2RyKRSGTE8OF7vCEAe9ZfCUCGstLSoU1N0SM/0ad0yLp16x1/BK30f2eZ/+p24fKSsdaIiud6/YcM+OZVM9tbYytXraarAgDstyYcfnj5pInnXXDOr355b2PT5qKiImOStfsku/2Yea03Q9aDuebOPqR03UpLOVJ19kRPdCpIeSgZz1DVxCOqnorxu+IZUVXPi7luLBZTT60xwYKC/n37jzxoxMiRo0eMGD1q5KCSQf3PPfdCEfnlXXcuXLy4paXF83Tw4MGTJk0aM2ZMZWVlagJdaq+H3UisS128urraP1yqam1t7datW995553NmzdHIpE+ffqccPzxV1x5pYg89dRTmzdt2rptW8OmTesbNjZtbGje1tzStrOjo8PfBcdxUnbFqHqdoxXkCOXkPrznuMjflewSBskHuugDIF31k8gVIMh3ASNjnakVFuOz596B5Kcn863LDlj0kvhnVlUcx3ZEYxecf0EgGPwhp0nAHiPXAOhNTU1N9SKTm5sL+peY+EHR5DpXyCnXyWAicdUYEz83ExMoCDZv3nbrT2771KlT7rjzzu3NzbPvuKOysrKsrIwOCwCwb/mN0unTp8+aNWvrli0d7W0HjTnoZz++LRKLFhUXqT/8bp72ZeYBI229yV8iu3xtOyObPPfqU2eymSswEh+eUEX8MSATgxdacT3Pi3mu54nnOdb269d34IBBhx5++KTJk0eMGDthwsGTJ0++8+c/b9m5I+rq0CHD169fM2rUQTO/edV/d3nAqqys9KsFSaJsUG1tbc+fc+riS5YsUVU/NS/nUfI3v/mNiGzcuHHQgAGbGxs91x03fvyPb721uXnNv195d+W6VUvffW/F8hXr16zbsXN7JBr1+y84jmMSoy+oqpFEX/t4pkXyZuZLvRtt5pxtc81/OT/PxkV6lM2SU87Axe5cgtztcgbdURHxVETEU3WMKS4udr3YXtkUcIChdQH0ptLS0qampiMml5cOGdywqSGRapD6Dy15MaKrg2aiY15nN9GUkxzjONZa67mu63qHT5rw45tvvWfOL3/+izv9U1XfXnuKAIC8/O9hv6U6+9bbTply2i/uuP21hYuLi4vUiOf5GdT+nPGLoslFu1xvt3NkzZ17gS4ajJ15BfFcg+RYhIla+KJGRY1frV7VjbmeX+3QcQqMHTBkyMGHjj/ppFNOP+X0cRPHXTJjRktL65FHffLcc88tLR08dOjQj1ZQW1Xb25s3N23+61//unDha0XFxff96tcNq1f/+dFHXnll4epVq7Zt2xaNuX6Bx/hgkYkFE6vwf+VMP9jVVnO+dIO8aQi5nlHavVwzdLtXyQSUnuicOWMchb2WaxB/jtaamOsW9+0z/YsXrFu76Rd33rU3tgUcUD5KX9/A/u+Tn/xk//79HSN9iwtXrFgl/vEykTHXbXg95/E6LRPQr/lkrRHxB41qa28bOWrUlNOmfq+q6oH//d+nn3lm9OjRJSUlJB0AwIcsHA6rqv/1e/cv7hzVf+hv/nT/sqUri4uKRNRzvURHeJPejsx/aMiX7p4mIzCddw1ZkzOvUHc2Po2xIinlCeKHHfUHRnQ9VXWsEwgF+hQXl5aWHnFE+Tnnn3PUUSc++OCDo0aMLCsvf+vNtz437XO5t/2RNffppwcNGrhh/Vtnn3eZiDzyyB+ffuLpVatWNm9rjsXcSCQqoo61TiAgIuqpJ55RSbzdqb92r8Fs8kQHsianJI101YElY2o3LfmUaxc9jhqk9m/JSnfZ46hBzkROVTFiHWdnS8uEwyfOuPTS55579r77fr2n2wIOePRQAHpTeXl5R0fH0NLBVnT5spXGGr/prn7m4i6fKqhfaEpEOlMW/ErUxriqRqRPcZ9NGzfNnfv0ylUrfvPA/733bv1Pb7vdv9iVOtY0AGCv8vvMG2OMMd+55uqIG/v5/XduamgoLir01POv4saHV8xsnnXT1O+uldXlcSWZJZ8WmtCUG/GMh4xrwWqsUU+MNY5xjI16rhvrUE9DoYJ+fQuLC/sMHTr0mONPvvq6q0XkFz+fvXjRG0uXrlq9evWMGTNE5Nf3fwzbaf96+eVwOFxd/cy/3zRTpvwpFCq+/4GHRGTu44//7bG/LluxvKW1rb21rb293RoTCoWscdRVVz3R+KUDkb2Vnd9tGkE3i3e/SykxprwdIrLXmjwLiQ8M1as619m5Z0ZURFUdY0eNGvH0U0+88+7S3t4ucCBy9vUOAB8rV111VWFh4THHHF1WPvH5Z5+Pn4/Facrp2y4zqfl98cRRERHP84KhUKS9vaGx4dG/PHJR5Tnjxh96+uln1NTUzJ49+7LLLqO3AgDsbcmqtH379p07d+7jj//t6b89vmPH9oJQSDVe2T1v3bq8tW96r3GZldaejENLvANComxBvH1rHGutdYw1kUgkGokGA8HB/QcOHzny8EPHXXD+uT+7c87zz8/riHRs2Ljhk5/8ZL+S/jff8tPJk4+YMmVKaWnp0KFDKyoqqqure23/9w91dXV1dXV9+qwqLa2YNm3mD37wg/r6+s0ffLD4tVeNsQ///k8jBpd+sHVLYUGRdWxLS2tHe4d1bCAQFCOep8YvF+F/IDS9QmCP2uEmo4mcc56UNXYnM32lJ5+3XegQ4c+/KzP3WNYlGP8ltSKeasBx2tpahg4dOuXTU5o+2PL440/09uaBA1FmsRsAe2Lt2rVVVVXNzdunTTsvVBD0RI2faBAP4+sengUml/fPQv3Vum7MWMeIWb9+/U23zG7vaPezDMaMGdPU1MQICwCwt/nD3w4fMeyaa6459z+nzX+urr2jPRgMpH//iyQv6mrKT+Y92fODhYgkG3cmdYJJfTjRhU7FiPq1CsSIGOMErKrX3t7W3t46oH/JhAkTjz/26P84//y/PflU3wGDPtjWcu89c+bcd+/qtWtWr16tqlOmTLn66qurqqqqq6snT57sJ1zs8f7vd4wxU6dOnT69urIyXFtbe9ZZZzU3N7+9ZMk77y392R0/v/9Xv1q+evWQIUMff+aZs6Z97sijPzn+0PGO4+zcsT0ajTgBxzhW4vEBY+LXxFOP691tPe1PPpr7w6O5fvZSaYH0Dff+JjT5xy8Q4sdhjKh6osaYaMy1xhl/8Phvf/u6UKig17cPHJjooQD0Mv9U6Yorrhw4YGDrxg1+zwQ/2B4fqiolRt4rp1VGjOe5xpqCglBzc/O8fzx70Re/oKo/qq7e+ycEAACpq6ubMPHQqZ+beupJJ2zevCXgOMFgwHU9/1FNjQZIWlstK8+gZ/nr3V+aTtbi9fMccqxUE8kFfp5BsqpfNBrraGsrLiocO27cQWNGjR499gc/+tHsn91WXFh444033vGLuysrK2tqapYuW15fXz969Oi6urqZM2d+LMME+SSfbDgcbmxs3L59+6xZsy674orp06fX1tZOKJt0/HEnfu97VU888Yfnn32xcdMHK1as2Lzlg2AgGCoIua6n6kn6O9KD1+6j/PL2tEdDz2R8qBPFn1TFqNiAbWtpGT1q5A3XXHvbLTcPGzbcHzij9zYPHKA+yt9BwH7JL5197DHHrFuzau7cZ0LBgs4hE/J1UMiXtpo2S2ef08Qo2iZ1ur8Vx3E8z3Vj7qAhpRfPuGRzU+OwYcNWvL/q45cpCgD7icllZYceOv7Ms06/d8590Y5YMOhYa/2RcjPiAHtaBy5jubyHjRxZ4emV/DvrGCQr4BhjorFYLOoOKOl38CHjy8oml33iE0889rfjjz++b99+xx5//J///GcRWbBgQVlZ2UknnVRZWXlARQq65pcTWrBggYjMnj27urp68uRJy5YubW9vD1ffdNctt7yzYsVbb73R0NQQdIJOwE9CSSs6IZK30mHnrd1+vbsqitndTFn7s6t7kr9zzu6Kf5qTiTzxT7Q10h6JlPTrf/lXL31u3rzav/61oqKioqKCpEtgz/F1D/SympqaysrKOXN+OXnyEd+48jKjxlrriVoxXtYQ3XHdH0/Tzs1Msp9g6niMfkGrRF6oep51zHHHHHfPbx744Q++f+NNP+6VZwcAyPDZz5z5qZNP+f3DD4tjHcexRrxk7UNVkzliwu7KuWhWwYLckxOryKiZF6/OaEw0ElFPB5cOPuaYYw+bWPbNb34zXPXDdevWL6mvf/nll1W1rq5u/vz5/nK0wbrgv1Yi4r9c4XD4sksuOfbYY6/8xjee+svv57+4cMHLL2/auNEJBAKBgEiiR37aYT6tHFJ62GC3d6uHj/QocLDvowYikuj+aYyJx1+siUQioYLQZ8787OJXX53/z3/28vaAAxtRA6CX+Rccpk+frqpnVkxZv2GDf2bgd0/I28PPdPWvMWOg49Rzi2TpKr9zauLYbMRIwAY6OiLjDxlfedGX5j333KZNm5546ik/qCEZcQgAwG6ZXF72ubM+++RTjxsxjnVUPZM69k3POx1k63ahPA3KtMhBVtU4MfFMA1VVUc9T8bR02JCTT5taWVm5eNHCy6+4ctmyZb/73e/8JLWqqioRYTTfXRUOh+vq6hobG+vr66uqqgb17/etq79z680/nnb2ubW/+928efM2NW6y1jHGOI6TaABLZ5s8+QnqRRmdInazDGf+ooz59zklW7KbfcyxaObOJvMLNPHbGCNRNxYKBqZOOX3BwlcWLn51VzcDoGscAIDeV1VVFQ6Hf3n33WvXrftLzZ+Kioo89Uwig243cg0yowY5ggjqF17sPJobo6qBQKCttXXAgAGnTz29+pZbfvPrX196+eWSOP/jehEA7ImzPvOZg8ePffGFF9WLBZyAetrV+Lo5e3fvSfmZXFGD1OvAfvyiM3SRaF+pqOu6YownOqJ0xOfPOeeaa675UXX4g81bbrjhhhEjRgiR5b3j/vvvv/TSS//4299eePbZN/7sZ3//x7Nbtm5xjFFPrGPV8zqzC3o2qkL+h3bxg5UjZpD3KkfP6jKmL9PFAl1nWmY/bBIJGvE0DSNGo7FowAlMmTLllYWLF7/2713YMwA9wxgKQO/zW+OTysqmTZvWp28f142JGi9epDq3XTo7yzgr9btHpvTyU1FVT0UkFosVFhbu3Lnzb489esmXLhw0ZMjdd97pV7desmQJUQMA2CXhcLiiosK/rarDhw5d8NK/RL1gIOh5yWSylG90Tb+RUsFeNTEaTt7C97vGpIUMTOKW8UMFKiLGWsdEY64b80LB0OBBg6/46sznXnihtLT04YcfrgpX33XXXSNHjvy4joCwP7j00kvD4fBFF18sJSWDhgz5578WTL/g/EGDBzmOjUQiIsYYq5oYZkEk8T7m++lCtzNkzZ7jZk5dRhXyfI67GrGh249+xpPWtIsn1ppoNFpYUHTmmZ99ZREhA2BvIWoA9D7/lCsYDD71+N/KJ0/u6IhYa621Yh3dnUrCuRbIc1ROOS+NVwmKxmLWcazjLHrt1fvu/sXmxsb/uqgyHA6Xl5c3Njb6vRUAAN3yI60VFRXXX3+dql7whQtee+01db2A43iel2OB1EhBjmHvci/RxU/u9WcWp0tED4wfLxArxhhjrXXdWEckWlBYNKR06HnTL5z/0oKtO7YYY77yla+sWLFiN18U7ApjTHV1dVVV1dVXXz3/xReNMQOHDK3757+OPvbogQMHuK4bi0YdJ5gyv4j/jpqexgxMF/d6vp+7t1j38n+o8/2ryN6VeMhAxUggEIhEIyX9+p533vmvLHxl8auEDIC9hagBsLecdtppBx988MnHH1NYWKDxVnwi16DzIlA3FQ3yUdHuB0HWeHFsz1NXNRQqWL9+w5NPPibibd68bHvzlqamJr/gMwCga6o6ZcoUEZkw4fBbbvnp2Wd//t1360XUOtZ13ZQZ4/3QepBH0HWIIEf7KnMlJutu4gK1f5Cx1oqK4wQ8z2tray8qKho5atQpp51W9+KLmzZtmj59+jvvvjtr1qxwOEzq2Yepurp63bp1o0ePVtW/Pvq37373hvGHHPbjH9106GGHFfcpbmtv9YsdJKI/0lm9KHnmkPibM5Swi2kGCXs5v6TLTIPuekXEGf+yjBo11jiObe9o69+/3xWXf/2Ff77wr5df6dX9BZCGqAGwF40de9Bn/uO88Ycc2tHRYRwr6iWqFopIPF7Q3WG6q16LXUvMFe8Z4bpuKFTQEYm99cY7X/zCZcefcPKY0SPXrVvXG08UAD7+KioqKiqmXHjhRZ876/SVy5YHjDjWuK6bHvvNLj/Y09SBnkhbMlEVLrXQnBExJj6mn7XGCQRa2lqDweChh0444ZSp/3i+rqWlxRhTX19fW1u7du3adevWVVdX0yXhQ1ZbWzt79uwHH3ywsrKyoKDwuXl1c59//m9PPnle5Xnjxx8SjUTaO9qdgJO4tqCdCSXZHRck5UwhR0eDHscQ9rCHTM+2kP8nEWfL+4/DmMS/NCvGOk5HJFo6ZGj4+9Uv/uuJ5+bV7fW9Bw5sRA2AvejJZ569555fHjbxEOtfKBAbP+j3KF6wp5KVgvzes0ZMzI1Za43IB41Nd9zyk+I+IVW9/rpr/RLZAIC8IpHXFy+eMqXirDNPX7dmveMExIoX80y8wSOpLfoeXjndRfnCDX7NgkSz0hgjxljrBJyOjkhHR8fYcQefOnXKE888NXrUcGPMAw88UFpaumTJknHjxr388su1tbW9upPoKWPMJZdc0tTUtGrVqrKysqI+fYwxXlTDs64+7dTTBg4Y2LJzp7FijIgn0sU5Q3aCgcn424PP4a59VPfOB1xSwgbpazaJ6pzG723jOJGO6LBhw6tuvP2V155vaX+yrKyX9wRABmdf7wDwcbZw4cJDDhl/8smnvb98+QebPygoCKmnxvSkjlGSSfl/DyTqKfhjOznWRmPuO2/X/3P+c/f+6jeNjQ3FxcVvvPHGnm0DAD5uVDUcDl/77W8//+yznzrhhNM//elNmzYFAgEjop5nrEktLiCSOrxur1+6zbis3Fn30CRC0v49J+B4nra2tg0YOOjUM0677LL/2rjhg9tuu+3e++5T1fr6+kWLFrW2tm7btq239xC7rK6u7vXXX582bVpNTU1TU9PzdXVzn3/+hzfeGIm1dexs27hxoxgbCAZVVURzpIQkUhe7/LjlP4HYrQ9pSs5Dno30xlURk/JfoqOGESPGmmg0NmbMmF//74Mvvji/rV1FpE+fVfX1vbBRAPmQawDsXe+9t+ztt9+acOSkosJCUbWOk9ZFoftDay+dd6adZ2rMc8UYxzpvv/XOp6eeNnjwkIPGjBaRmpqatN4NAHAAC4fDdXV1IvLav/99zFFHnXrWWQ0fNAaCAb+DmBjjpXYGkx5/Ye9mlwVNX1hUNFFSPt5JwbFWrLS1tzvWnHLqqf9z00320IkVFf/xoxt//PTTz1RWVobD4Zqaml18GbDXhcPh+vp6f9jmdZs2GWM2rG/806N/++KFXyoqDLa3tTvWijGiWR+UXU1cTOkPILlKb/RO55mer0KzP9fJR+IDRMXvJc6dotHIuLFjn5r77LKlS7ds2SwiQ4dWkDED7G1EDYC9a9GiRZFo5Jd33jtm7EEdkUjAH0YhWbJKZLfrFvVU1nmm32HBU0+McQJO44ZNN1x/TcB4qtqyY7uI1NbWVlVVETsAcCCrrKxsbGycP3/+Y48/Pubgg6d/+cvNm5uCwaCoxoMFubsjdBkD6LpNtostNiNGNTUQbSKxmOd6EyZO+sH3vm+PP+6cM8+MDh9pjPHrONbW1lLCYH/mvzt+WOe9pcvCVVWxWOzG6h+PHTu2ra3DxPP0be6Dc54hFnK+2dr5Oy1okPwoZ/YQyLuOLh/POUvOSFnqP6X0GIb6I0nHH1HPjU04fOJjTz3z1ptvnnHmmf4Hm1qewIeAIwewd40ePfqkk05yHDt27Mj5z7/QvLW5sLAg5rqd//gyzjtzMXnyAbuXcjYbvyJlOnsr+Des9QdZkCOPnPzfl3/9jXff/frMmcmQAeeXAA5AyVFpP3XqKWeefe7Miy9uamoIBoOe53WOYKMp3a8TrZq8a8x6JDmhm/7q3TDGGGusp54R7Vsy4Jyzv3Ddd6+r/eMfH5k8+U+TJ0s4LNXVPVkR9k+V559f8+c/X/qVLy94+ZWA4xjr9zbM//HI/UnL+JVn1p7pMiKxq7o6BzKJkxBrrSdqxJSVTfx9zV8WvPTSSaecEp+HsxTgQ0GuAbB3lZSU1NbW/vGPf2rZ2X7o+IMdx/FDBv7Vob17rEuJ2icuHSR6H8Tz/lREPE+ttSHH+ferr//P97+3s7VVVZ999u8iUltbmzx1BoADRDgcLi0tFZETTzjuogvPuerii5saGwLBoOd5mswyyB8FyEEz72neB/PPl72AijFGVaOxmOM45eVHvPTyy2PGjfnLI3+pvPDCPx1xhBhDyOCjrvaRR4wxv/m/3/7HudNCBQWxaMyIiRfUyPh4dJvJknF/93sj7IaMvMe0ZIN8e6EinqoxJuq6xpXJk8p/X/OXOb+8e+6zz5qED2fvARA1APau+vr6srKycDjcV83Df6wdXDpEVa1fFjkxnsJekXlJIWOAJmNSIvSq6qkWFhY2fdD0p9//9qtf/X9nnvmZJ598ora2dvTo0fRWAHDg8LOdhw4denpFxcVfmXHR9BkbGxoCoaB6XkZfhIxEg9xtn8yu2tn3VOID3Yjm6Laeq2Vo4gtZx7qeq6LDhgy58MKLf19be8fs2UuXLX3r7bdoTX1sVFZWqqoxxovJRRdeMHTYsFgsppp19qBd9HfMyokR7byV3lmgx5+bblMdMjohdFOwMfe6VK11Yq7nWOeoo4/+bW3tDddfP/O/v1lNLAz40BE1APa66dOny6pVhfX1V19++SmnTQkVFnrqGTHWGPF7pXYzRsKun/xlhgySU02yv2L8XEHiJ6qq6nluUVFRW2vbqwsX/+e0s4499rhBA/rfcccd/jk0gQMAH3uq6veUPmz8+C9fcMHFF13UsGlTSc6pzgAAIABJREFUIOio66V+pWZ/Kffk+zEr4SDn48kggqaMYK/ZTTDr2Lb2jmAwWFZW9vwzz6xavdIYs33Hjp49UXxk1NTUhMPhqqqqfv0Hbtz0wVcu+tIhh4yPxSLGiDHGWmutNcYam7j4bk3n7cSEzNtixMRHM4yfgPiTeuE4nzr8YzKMoekPdcrbT0dFPLWOE41GAgF7zNHHPPi7311++eW33Hrrnu8igN1A1ADY68LhsKxatUTkjvvvb2rYdNBBY6yYzrh+vNJA3k6KnVN7eDjv6opB5xUxkzprInIQi8VCoaCorlq56vxzpx067uCf3Pijvzzy5/hMBA4AfKyFw+GKioqKKVO+dPHFX/jSl9atXxdwHElcmdVEUrcmy8WlXbVNl5VXkPuB7mT0MvMTtsWYto7ImDGjz/zs52se+aspKRk+aqSI+IX0KA73cWKM8askNjY2rtmwce0HHzz01DNHHvmJto6OmOfGYm4sFnM913Vdz/Nc/8d1XS/1x/PU8+eJxf9L8DxXPc/z1PUk5aPpRxZMPCuy83dyyq4+iZQbGZmPyeyZzg35O2EDTsyNBYOhY4878X8fftgYc//99+/56wlg95DABnxIKioqKioqNm1Y/4Prrj+n8vxoJCJiVFQ9NSJqxORplJv0X93IcZKa7/TUiD/4c1a8wlpjxERjseI+xUd9ovy+//3tsqXvHXb4hPhiJL4C+Ph66P/+7ysXX3zG1P/P3nkHRlFtf/ycO7O7aYSWBJAACZ1EugiCkg0IiICouBH1qViezyfPhr9nRbMRbE8fYgH12UAQJStPERSQp2xARTpBEgQEAgktCS11y8yc3x+zZbalA0m4H9ewuzM7M1tm7r3fe873GE8ePyGIArgEU/JEa/lcUl2CQYjcBP9LsnbetdaoL2YCczglUqhP337jx48XBeG+++/3VIhU/3KaJR6boesnTph219233nLzwf0HUBAUWVZ/VIigeDIVFHD5JxEAKABIiASEREQoy5KigLsEB4GsADKZZJEJyKCa3oYnR6Ze+MxhkNf1mYBU+0N0SE6doL965Ih573/IOx4czkWHn4QczgXCbDYXFhYWFRVFhYdddlnssq+WGwwGRVEAXDWYXX98m2LUnqR1UQ2CN+xuEYJ87vosRoExRZGJ4LIO7Vf9uG699aeRxlFpaWkWXhaZw+E0L1QpYOHixYfz8x969NGbx4wpPl2sE0VGpJB7XOMe5vipBlVIBhBKUKjqUNx3NJVu1L9EJIqizW6LjIwcMTL1nXfemTlz5uzZswHAbDYjIg8xaPaYTKbY2Ni4uLjRo0ddffU10++/v2WrOEWxyYqiKIoiy9qVmSC47zoUWQHQMUFQFEVQFIcoCoIATqdCJBgMOsQDhw+3atFiQ9b68IgwRZFrqnDVV0FQzy5VKvD+4pGhLMuiXjfiymsOFeStWrOmzjvgcDgNBVcNOJwLh8lk2rhxY0FBwZhRqZLDWVhUKIqioiguvQARgYh8+oo+NJxqoNmYp8EPkCfQ5ZjodDhaREXefsftpRW2555Pr8FBcDgcTlMiPT3dbDb/uO5/PfsOmHrDDWdOndLrRI0koI0oCLzIVh1oUJsRVZB1yZ13TshYZWVlYmLClJtMv27eXFRcvHr1agDIzMw0mUx8MvYSwWw2p6SkGI3GDz/44NdfNu7d+wdjqrpF/gGLrt8EuVJqtJkFGgeDyy+/XNTpFFn68899hccLBZGRot1ODX7A9Yg7cOkFSGrso0syUBSdqLvhhsm//Lrxf+t+qvvWORxOw8HbGA7nImC85pr055575LEZAIpfioBGcQ+gQVUDzyaDTRW4AhDUfxhDp1NCgQ0bcsWHCxbdMHHiiu++A3fOBZ/d4nA4TReTyZSTk5Obmztv/tvXjh457c6/njl9xhCmJ8VlN+MbTOBvaFilZFDHKANXiLYWRIVkWaEBAwYutSx7+625jz72eO02zmlGqOqA2WxuqFICRDT0yivPnj4VER4my4rfwhq83u8RIWBIr6bAlyIhIBCobo2KooRHhN39l2m//PZbzz59eB+Dw2kkcNWAw7kI3P2Xv/Tq2etk4cmVK1dGR0VKsoSI6iQBauf+/bMGakAtVYOguOUCT8CDWhKZbDZ7YtfE0SON2bk5OkNYl4QET9+FT3NxOJwmhydxLL5L/IOPPnjPjbefOnvWEKYHT1aCajjjvRrXINCgHrkJ5DaC85GSESRJCjeEpRrHvDnv7Tlz5syYMYMni3HqQ0pKSlxcXGZmJiKmpqToEA/n50dEhEuS2hupe6yB788+WM9A27dBUItKEhEiEwQmy7IhXP/YwzM+/2LJqh/WJiUlxcXFcbcODqcxIF7sA+BwLkUWLl783rx5V11z9e7c3w8fyouKjJJlWfUmdBdiBIB6yXp1lgzAp+/qKrVABAAUGRlx6NDBr86cGthv0Hsff/zCzOdmvfQyEVksFrXhr/vhcjgczoVFncOMi4tL7JowZtLYe2+569SZMwaDAVQnA1UuQO2lNHhFBB/qYxGHPhduUs3tSJGdckxs7E233HqsoEC9zJaUlKjjvXrsjHPporbaalbLTTfeGG4wbN+2LSI8TJIlH+tl14+5OoODOvzm0fsr90QZMAZOp7NFdPRjD/9z8ZefrfphLQDk5ubm5ubWfgccDqfh4ZUXOZyLQ++kpKMF+ZMn3NAiKsrhcAgCU8sZ1KYfeF67jOSrPBAAOJ3OiIjI8rKKX37+edL11/Xt3uP+e+9BRJPJNGfOHLXiF4fD4TQJ1AnM2NjYSRNvePjuB0+dKg4LM6gzpZpBTVX4RxOEnHGtAaSOoIgI1UINjDFJlhWCHt17PG+eVVZa2rJ166SkJABQ6/DVbvscjhuz2axKBrdPndq+Q4ft27aFGQxqRSdw//4BfGwQQlIDt0QvqJEg0PsMAjImOCU5qkWL/3vqmS8sS1Z+/33t3xaHwzm/cNWAw7k4pKamHj585OEZM/r260cEAKhQDYsaemomQ3Vlk+vfrXS5KKl1xxBRliRBFAWdeGD/wXkf/6d121aPPPwPROzUqVNSUlKI2pEcDofTiCCi9PR0q9WqKPLo0aPvv++e4lPFBr2eiLyDGh/ZgPwkAQgcLnkTE2oiGQRUrXdd05ExAAJRFO12e5g+/MrBw1auWbvpt9+QMQBIS0ur65vmcFzk5uYi4l/vvbff5ZdvWLdOFAQAkiUZ0W2f6FnVe696CSGowwdqa45o64OQa28IgALYHfbWbdq88OzMzxctWr7i27q+Mw6Hcx4Rql+Fw+GcH3766afS0pJnnpv5i9VaWFxkMOhJkQFR1QLcuoDnhgioaWY1zwZryxt0HkqTM4GokIKIOp1YWlKSfyQ/Kio6e9euX3/5+brx481mc1ZWVkPumcPhcM4DZrM5vlPHW6aY7rv37uLCQoNe71lUVXqXzzIKeLJusqlLCPaorkxkNpstNibWODLlvY8/QkRjaqrnsOu0Cw7HS25u7s2Tbrxu7LWfLVxoczh0BlGWvZIBACCpv8jabTZEBUZNjWfNA1fBaQQUmMPhbBsT8/Szs9asXb1w0aL6vDUOh3P+4BFuHM5FZtyYMSOGDVv5/XdlpSUGvUFWFHT7AwH4avOh0Pp4B/ZjGwjUFHtAAAJkDGVZAoK4du2eeGzGL7/99tJrrzXgHjkcDuc88Z8PP7jxtptM424qKi7SiyKBQgpA1dYFQSUDgCDX31rirlcPAICM2WyV8fGdxo0ZB4JQXlkpiGJOTk5ycjKXDDgNwoP3/21i6qS3Pp6Tn38kTKeXFQVZsCF/FRk4wZ6r0vbDW69J9W9iiAQgCMzhdMTGtXtu9su/rLMikNVq5d6HHE7jhKsGHM7F5+8P/e3E8fz9ew4IAgMAj2O3V5yvmguiGqiHgj5HBgwZAcmSHBEZed21YwpPn45q2fL1N97gObccDqexoU7mL/j440MHDtzzwAN3TJ167uwZnU5UFHIv9K4b8OJqPQzqaAqH7jlaAkBESXImdu02Mz3jX6++unzFCiKyWq1ZWVlcMuA0CM89+8zsl16+dYpp587t4eFhiqIA+DoeevwQq1UNqjgl/PHzMwBEEAQmSXJcu3azX3ntp3U/Ze/Mjo2NjYuL4z91DqdxwjMUOJyLSVJS0vTp00vLSuZ/9uF/v1hWXlbGRNGTB4g18SIKxnlyF8AAIwW12gITmCw5c3NzY2Pj5n/wweJPP0VF2bNv3/k5Cg6Hw6k16lAkISGhsPDEmJEpt0+dWlJSotPpXGoBeUrOBqMhbQ+DgICgFt8lGjhw0H+Xr1iw4NP3P/jAZDLl5ORMmzYt1Z2hwOHUhxtumJjUu/dXmV+u37A+LCwMkLRKAbhzB+rQ76hBfRH0RBwggiAITkluF9vurTnzD+UdPHnyJAAUFRXNnz+/9jvncDgXAu6GyOFcTNLS0qxW6949++++5a5rjNcYwsNkSXJH8flPfl10CIB8TcHUGTIiAIY6nX7Tpt/Gjh7FJKlb925/ueN2AMjMzCSixvZGOBzOJYXJBIWF1qysLMtXX7bt0u6Ou+46W1Yq6kQixXt18oYM+I6AahKnXXVdOqpOykWQFVkQ2JXDhn++1LJ48SJFIaPRaLFYeLkETgPSrUtCy9bRP6z5n6jXIQIp3h9/fX5kvr/uUFvyngaI6JSkuLax78ydu/6XdbekmVJSUuLi4iwWSz2OgsPhnF/Ei30AHM4ljdlsTkhIyMvLA4C+zz/X8bL2hw4dAQAfb+2qCRkz2PDpCe5g2sBjIFJAAQoPDz+anz/n3beNo4yLFn+eYjSaTCYAsFgsXqcGDofDuYCYTCaAnKIia3yHAd27dXr4nulnSs7pdTpSY7MB1GIx/u5vBIA10Qtqhl/NewTXFZUQGciKIor6K4cO+eiThYioZiWAuzYkpwrS09OTk5M9DU1OTk5GRsbFPqhGysgRI56Z8cSU228nIlFksiyjJsZAWzPEx7rQRTXpCaEXoGarBICCwByS1KZVq1f+/e/PvvjitTfeKDx9ymw284AaDqeRwzvxHM7Fx2QyZWZmvvLyS888+9yVgwZU2OwCc1khVjXQ9pshcz9zfhwNXKgda383ZAJwWSITY0ySZFlR+g3of9e0e48cPvz3hx4iIrPZjIg8X5HD4VxIzGZzYWFhUVFR1y7Rk8be+s+ZM8+ePaMTRTVGynN9Je21DLRXVfCuEkhNfBC14zCfynMAAIwxSZb0Bv3QocM/+OgjRHzggQc6dOigXjBr91YvDdTYkJycnKysrA8//HDnzp3aWDZETEhIuPvuu00mU3JyMkAN6xk3Z4xGY05OTlFR0cTx1yHD/X/sCw8Pd0pONTGGgk0GaM4LLbV95GuDBECgiIJodzqjo1o88/wzP/5vXe6evT/99FOd3xqHw7mQXOoXUw6nMUBEFovFYrEk9elTWV6+fMW3BlFUZ5x8h+meF2jvBvU/PG/OBq6Nu20RQTuR4Oq8CYhEYHPaO3XuMvmmKUcO573+xr89egEXDjgczoXBDABGIxiNDqd98KArXn/55XOlJXpXYoJ2ZBRgIE++V9lAgpZSCIV2iepbg4AETGB2p8MQFnbNsBGCwfDOvHk1fmeXImazOS8vr2XLlnPnzgWAjIyMUH77ZrM5PT0dAB544IHExMTu3bubTKZLUz7IzMzcsmXLli1bWke37Nz5stWr1oSFhSmK7LY7BHAV7/D5cNyhMHVzQwyMNQAAIiJRFO0Oe0RY2F333fvDmrXfr1pT9zfG4XAuONzXgMO5+CCixWLZuHFjxosvvvbGG926JtodToYMQG22g5siElCwia5qM2jrd6gAqAZAeHZCHpMjV09DJgKGYYawYwUFn3/6idNWSkRh4QYAIKL09HRuc8DhcM43RJSSng5WKys8NnjEFa/MnlVaVqrX60ght2TguVpqNFd/I4OqJINaH5L7taiQIAo2m80QFj50yLDC06ffmTePiNRIe44WIlq3bl16enpOTk5CQkJ2djYirl27NjEx8bIOHW65+WbVOmfcmGv79OrZv1+/u+66q0ePHr/++isi7t+/f8eOHSaTaePGjarJzsV+NxcUIsrPzx8yZMjwq4bfN+2vG9b/ojfo3aoVABAChZRSavlRaVYPFrlAKIqizWYPM0Rcd/2kxYuWcMmAw2lycF8DDqdR4DEBSn/hhQfuvT9j1otOp5MxBghIRGqqQtAEhCoiamuPOueg2YXPFFxIjyMidLspqceqKAoiM+j1FZXlGzb8OmXyhLc//c/cV+e88focNVuh/ofK4XA4VWA2m81mc55BaJ3Uw/yU2emw6fQ6WfJ6GQCAeonzFLuteRZ3sKstVr1ce6lGUSgrL28V3WLwFUN//vXXPXv3qhFnmZmZl+aUeCjUcb7RaMzKyrJYLC1bRw8ZMnjdunUAsHDhwratWh07dmzyhPECChFhht69exjEsPbt248dOzYmJoaI7rv3noEDBy5Z8vk33yzPzMy81Joe9RRQ4xavNY6y2WyiyBRSvJGB7h8++qcS1CcU2fNqcu0IgQmC3eEMDw9LMRorbbat27bX531xOJyLAm+cOJxGRHp6utlsXrpkyfoNG35YsyYqMkpRJEQkTSMfQjKAWk8NBEOjGrgeanoPwToSmr6BmrigEDFQTQ4AGIiCKMsyQ6FFqxb3P3D/8WOF586VvPzKK/U/VA6Hw6ma1159+YqRQ5+4/2GHJOl0IilK0Kto9YJArVO//LMeVOWXiICACUJ5ZXmrlm2uuvrqTRs3btuxA9zuNlwy8ENt97Kzs3/68cc9e3JmPPfP1zJmH9x7sMJeiUREiizJskLqx4YIjAmiKKrp+nq9rm1M7Kgxox95ZMZnCxfkFxTMnPm82sheCp+zyWSKj49/8803H3/00VPFJ7du2c4YInNVdg6WRRCQpFATrayqsByXMIGIkiIzxoYNGfrRQpffZ1paGq+YwOE0LZr/dZPDaUKoPaTt27YNGjx4/NhrDx7Ii4gIU7xG3661PH/8H9QVjTpQxWyD5onAK4e3k+yzGgIygSECETCGQ64Y+t5HH71oNreNjZ0+fTpwqyoOh9OgqFfROXPe2Lcn93bT1Ecff9whSzpRVC+kiO7QKM9Fy+fyWbXlYe0OBAC82eGqZKAAE1lFZUV0i1ajR43b8Ov6zVu31GXblwz/fv31/v37jR4z9t133/122bLCwmOAois/D5GIBEFQ10TXV4sKKZ68OQSUZcWgE3r2Sfr33Le/WPL5Y4/PqKioiIiIgGbd+njMktrFxcW3a7ds+ddlJaV6vV6WZfSvDBK8XW8g1QDV1l8hSkq+3LJsmWqK7DFIrv0743A4Fw3ua8DhNCIQEREHDR68csXylFEpkS3CnJLEWMB56pYKGirEQJPaqzmYkEcZ+knV2QDdTgcAAESKQgSIjBTYuPGX8deOvnrkyE4dL3Mvpkst15TD4Zw/1Cj0tm1ajR6b+viTT0iKrBdFIgXdIVBe6PxJBp7rIIB7dIqITGAVlZXRLdtMuH7ynr25XDKolhPHj50uLLp+3Jj/zHu7sPCEgCICMcaYwJjAREEAUr9FtR0hAmKITEDGGAICEUNwSsqu7TvHjxqZs3tXQUFB9s4doMkKbK6YTKa0tLR33n13bda6knOlOr1OVuQgaTShf+EBzwdr+9Hb+msWq9EfLgckhZSELl0sy5bNmTPHbDbn5OSoXZ06vS0Oh3PR4KoBh9PoQMQdO3c+/fTzA/r2k5xOICTtsJ60hocXcrxdszY+2FpERIoCCKIoHj9xfOZT/7dr23YA+PPP/QBgsVi4RSKHw6knSUlJ8fHxGRkZz898Lixc98rsNxx2pygKal4AqppByEtnsCfqek1Cn79q+hYgos1pb922lenWW4vPFkdGRyUlJdVxB5cAN994IxHZKsv/9fprh/PyRJ2eMQEYIqKqRJOseERnt2IARKQopMiKoshqQgoiIkOdQVRQ3JC1/i+335L10zoAYAwBwGg0NkuzA7PZnD4z/ezpM3fccUdB/hGdTiBFcTl9kq8NqE98IQR/UC2+wgEiqik5jKEsy7Ft23z3zQ9Ll3xZWloKAMnJyc3yM+dwmj3CxT4ADocThHXrrAX5eQMGJx0tOH7mzBm9QU/krpgQoo1vEALrNgeuUZutuWJENYEHoNOJklPeu2/v+vXWW2+73ZL55e2336EW0EpMTAxaRovD4XCqpaioaNy4cX2SevfvP+DdN99xOO06nei6ciIA1MwvvnaKrM+oyxNlRZ6rHwIgMERkaHc62rZpec/U+04WnWwT0xYAIiMjc3Nza/0+LwHGjh59y403Zpif37xlKyDodDpSFPILDlFj37VT1uRvJ+FBVhQE0Bv0ZaUVe/7I3brpt6effU5grEtCAgAYjcZm1vRkZWUNHDig4mzl1m2bHHabKAiqcA8AGv8ib1Zi6ORDP6rvIahfCENAAKcsR0dH/evVN7Jzsn/PzVFX4ZIBh9NE4bEGHE5jxGQyffzJQlslXH55f31YmMPhJO/kQNB8Ag3ke7sYaHQCb0UGNYJUkmVABITd2b+n3Xyjw3mWiL784ousrCxel5HD4dSH4qLCQUMHf/j++3aHXacTFUUh8nV0deM1fdXqBFTbC2doHUKbF86Yze5o0yZm+iP/d+z0yYgWLQAgLi6u2QfJ14GePXuMGD5sxIihnyxa9McfeyPCwhiioiiuLARPKoLbwMKVoUDkWqqZSvfcVEsLApJlWRQFRVY2bNgw+frrrhk5skVElLrfZjaUffbZZ958a+723ZtPnyoKM+hltdl1oX5OPmpXLQleDRpU0YAQCJAxpyyHh0fe98Ajfxw4MPHGySkpKdDsPmcO55KCpxVxOI0R1ef53//+9xNPPHHtKGNBfr5eZyBS0LeqgT9Vd3VrdLpXmWtYtxwF9ExwIAAgQyBABJ1OZ7NVtm7VekC/AW++917GC8+bZ832mCTxvgWHw6kVA/r2vXH8+OVrVjnsDr1OJ8uSGikNAG7hErQagV9UQf3lStfl2fcqzRBtDkdsbMyD0x/5c/9+dPvU8EucFvXTkBz2/PzDMXFxG6xZpSUl4ZERklNimuS86qPhQkBEql0iqAYTjJWUlnVN7PrsP1/Yvf/3U2dOp6SkGI3G5pFsv2fTpt92Ze/K3b16xfc6vU5RJN9m2Vv6CPyb/Fq9/aAnDAIQIipEOkG8fvKNFRWVLVtGN6ePl8O5ZOGxBhxOY8RsNlsslk2bNv1j+vRrUlIjW7RwOB1qD5j8psM8DXe1Xd76hB6EnFqoAd79EgCR4nrscDgMhvBzJSW/btqUNnnC5b37PPPkk6pJUk5ODu9SczicmtPv8suvHT36vytX2isrdaIgyxJ4ZYIGCV+qQQSXjzOcKpKySrs9rk3MQw8/lrP7dy4ZBIWI1Ino8rLSDu3br/vfj+Vl5eHh4ZLDia5mQ13PW4A4ZEgauRx2tYCrWIb6EiQASZZbREUdOnRo9hsZEyZNHD58uNForGqzTQciOnzy5LB+/X/Z8DO67Aj9Gu+GOiOCdwsQgRBkRbly6LBwgyEqKhIAsrKyuGTA4TR1uGrA4TRGENFisZSUlMybP7+4qLBnYjedKEqSpPYAXG1+oBlyTTj/aQuhetbuJ109OUR0OBxMEGRF2v9n3vz5804XFamxBsnJyVYA4B1rDocTGjWnCQCuGjpk/Nixq39Y7ZQcer1BkmS/ynHekaeH2g1hqCav8YYyECigMEGw2+3t27f7x/Tpu7OzDxw8VFhYCFwy8EUdqBuNxqQ+vfr06rF27f9slXa9Xi9LkjeyAF1fn0s6J0BAHxnHqxAEtjzuEANPBj8REEiSFBkZkX/o8PQHHxwzZsyaNasBwGKxNF3hQP1k9u17adykSTNffvnsqTN6g16WSWNcgB6zDbWIQT0CDUBzUnjVMkRigmi32ZN693n/o49Ky8pmzZplNpv5b57DaQZw1YDDaaRYLBa73W42mwVB/GLZssioKHXuijSKgTdjN2jlgoBwhJoQZOW6zhD4aAcezcDVt3ZFDquJx6JOOH32zPZt2yeOG/Przh9PoWQFMDXZ3huHw7kAqKORfzz0d+PIq1f9sFqRFINOL0sSY6g1gNHmJdQVrcuhR4/wF29R480nMsFWWRkbG3PHXfds373bEBERGxtbVFTEh09aiEg1d1i1apUpbeqiz5dUVtoMBr0sS6r9jSa/BDShABozA3fpxSp2Al7PCvfvgoghKkQRERGHDh281TRl3LjrENFkMlma5hdERADpAHD8WNjcuXNzc/dERIbLksxQdTAgj0yA1SQi1hzfrSASEROEioqKzp07zXjyqX9Mn/7av/7VIHvicDiNAR4vxOE0Xsxmc2FhYVFRUWxMTEKnTgsWLgAAhi7vY3+PA99+U5AJl8AdhHiqPi5JVeKzcbcBtstwWUBGRIoiR0RFjrt+7AsvvISImZmZJpMJAHhwI4fD8WA2m9XCKw8/ND26RdTXK75FRRaZoCiK6pzimp0OYqivUTJ9RM2qh57B7WQ812DXrKvHy4Axm93WPq79XX+5c8fu3wuLT8XGxsbFxXHJwI9PP/102rRpquPADTdMPLBvn0FvUGRFDQwgj+DjFQ+Cl0ioHeRKISECFBgQMUFISTF2iYn5NT19XHp6QRM01lHbyv/9+Nq1o58aesUVpaWlosCQIKD0kh8N0LASkcuuSECH3RkVHT1x0g1xcbEPPTTdZDJxy08Op9nAYw04nMaL2WwuKiqKj4+f/957JWVlXRMTgBAJvfbfoVv8wIxDdbKF/J7y57xO77vChMnTR0fv/I+syIDABLGirOKbr1f+9d5pRHTu7GkAsFrNZjPPV+BwOAAAJpOpsLDQaDROuXlKVGT0ihXLGSmiICpEgOhzoavyeuYnRdZh/ERA6I448IaAI1baKtu2bXvXfffvzMkpLD4FADzKIBAxe0deAAAgAElEQVSz2VxRUZGamjr3zTn//OeMowUFOp2ICMhcFStd+HyXDdFCoRqgz5CpdoAoS9LO7B133ntv3NSpBYgeN4SmgtlsLikpSUtLO/Bny6l3pJWWlepEwZWJEcR8AN3zDojBugo1QBvISIwhECECyCQKQp/evdLT0wVBJKKkpKQGeHscDqdxwFUDDqdRY7FYoqOjiah3nz6fLvo8KioCANB15lbV4vsmBGitBnwzP/27Rujz3HnpOKlTR0TePy5/R0VRSCFBEJiibNr42y2TJ3Tu0v6br79SlE4AQGTidRk5nEuchISEP//8s6ioqODIkd59en/3/bcAKAqC2x7fnTfgnxwVym7FhyplWD/8dQn3pC7a7PbWrVo/9PBje/f+cbKoSF3KZ1wDsVqtRUVFyclJjz72+LZNmyS7XWCCopDHvEBDQ8QXuL9/r6+w2zuRMVZy5tzDM2bo42LVtBer1VrfPV4oVC/JgoKC4VddlZjYdW92rsjcgRr+kRmuIEX0BP65bxikOkXgKaN9xquSuepTANidjk7x8Z8tXrJ40aLjx49bVb2fw+E0F4SLfQAcDqca1O5Lv379Vq5Y0f6yjju2b9eJOlDnEFxo3I78CeFy7J+RGPzBeUtV8NsZuo/JFUZBBDqd7mRR4ZZNWwQm3P/A02vWHnxp9hdWq9VisWRmZmZkZJyvA+JwOI2VeIAjZ8/27t07KiIivkOHlStWIAJjjIgACD1aget6FTytoIHw2hwggDtvHO1OR6uWrR+c/vDBA38aDGEAUFFRwSWDQIgoLy8vIyPjhkmTPvxgfn7BUUAUGCN11rrBcu99h72epsaV9YZq7hsTBMnpIKDxE8f26zsga/36vLy8rKysBjqC8860adNyc3MffuSRB+65p6SshAkCaN6jey3Ng6D9Au9ZE3yBj8ygWaA6JjgkqW1Mm0dnPPL1f7/JWr8eAIqLi1NTUxvoLXI4nIsPjzXgcBo7npT+yzp2PHHiWO9evSpsFYIgBJl0r0XuYu2nbmr+Ch8XsiC+Va55JG8shLugpGqBrRABSbJs0BvKSspXfrvy5kkT2nbqd/e0O1W3qhkzZqhmBxwO55KiAMAEoLfZ4jt3XrVmNZDMGCqkEBF4E7e0qfDVBRf4DH9871UPeveCAIiVNluLqKiZT5vzDx9hgggAcXFxXDIIijqlP/O5Z2c+//zhQ8dslTbGmCwrgKAoXpuJOsaWVRlcQqAKE966jIosizpdUWHh6pU/kqJs27atqQjT6mQ+IooMH3vsH0WnToHahhKpbxAA/EWCWssxgZ+jNtCGAFBWSKfTXzty7NIvvtqxMxt4Sg6H0xzhqgGH0wRQZ7Guueaa9h3a/eOZx9u0bOV0OgUW7PytSjioS2fB517VEb4+aRDuJ4JEmZJ3ieYlpF2HAABkWQFEvUGfu2fPd4v/G9uq7UMPPoiIBQUFJSUlanltDodzSXGs7+WXDx++du0PktMpiKIsy+fXjKV6iACQMZvNFh3damb6i7v2ZANzXWz5wCkUubm5iNiqZatHp//NZitjjLlaC8UV7q7SACNcv6U+k+8e0QgRUVLkU0Unhw0fcfpUcW13e7GwWq2IePutt95+081bN25xOuyiKLiLUqJb2KrZGVLNWsEWuyIPSHI6B1zeVzCIXyzNjI+PB56Sw+E0R7hqwOE0Jfbs2/e/lWuuHDJYkmVgIcyR3UH/CEEX144gPQUKfgt8zk8mCNieX21t1ysISHGHHciyIslSZGTkiROF//thTdm500VFRZ06drzqqqusVqvpPBkvcDicRklyUp8rRqX89L8fyOHU6XWyLGsWNtjFoPprpvvaqjr9C4zZKm0xbdo+bzbv/v13mRR1LS4ZhCI9Pd1isaSnp+/bt+9IwYnyykqdTqcoCqC7MQlUkavFd3RMLm3at0Vyh9S7J+E9c+akKKQTdafOnP7fmu8GDhjYEO/yvGM2m2NjY81mc0ybNtP++tdz586JOkENMED0BMLUye4wOOR2DXHZIiAAY4Ld7kxMSPjsyy9bt21DRNHR0Vwy4HCaJVw14HCaEp998tmRvCNvv/9h927dKsrK9TqPwUGAT4Hb4kht2rWeRxjYjfDpb/kP/0NkGPjfgmkJUIP5C3L5IboyFDzbU0hRABQElCQpMjJcUZStW7f/Zeqtw/oO3rVzJwBkAqQ1xKfK4XAaP4P69Rs57CrrT+slh6TXibJTUivQgyfhiTTDwBrjk5yAPnd9ksKD3QBIEMRKhz02Ju7Bhx/ZlZ0tK1wyqAm5RNS+vfzBhx+WlJbJsoyILq0Y/b/LGqFpv9ztUcjXExH6+2UCKYooCqVlpWdOl7wzb97UqVPr8K4uMFarNTk5+blnnu7Vo8fxEyecklMQRHKN6yGkWBBa968Ot4uHWv6ZABBlWY5uET39sRkfvP/+6TNnuAMih9OM4W6IHE4T4/fduw/s3z94wIAjBQUV5RWiqJqHVxnRGdDVDc75Mw6rKQied+I+GLWHp5AiiCJDdq7k7K49OaPHjrrcYLhu3/7ci3WkHA7nAtK/X98hAwZu3LxZkZ16neiUJcQA6bNu+FkbBFwkfZ7wBH2rIV2CYLfZ2rdv9+gT//f7rl2iTqeuxQdOVWM0JmdlpYnCVcu//e7g/gM2m00UBVI0ThEAUHNTA29gQvAXeL9an+x+9PnqkRDB4XBERoTFtuuwZ0/uzp3ZtXhLF4O8vLxePXvMmfvWa6+/mpd3ODwsjBQZvT9Q98/Ue6ehQAYICIIgOO22KVNucjidhUXFAHD48GHugMjhNFe4asDhND3atm3brn07AOXE8ZMCE90VljzTC9XJA/6dbfLrTFUF+XfsavrCWoIBPTwiQoYCE+0O++7s7Da9emzfvrPw5Mn+/fvv2LGjIffN4XAaE/36Xj5w0OBNWzYxBFEQZEUJLRk0UJ4C+t5H16a1cd+IaLPb27dv98LTz2345edDeYcBIDIykksG1YKYu2ABtG4FsiMsL+8IoueTDWxdavqFVrEeav8NKiG4YDIpTGSRUWHHjp3cvXt3DXd9ERl77bWbfrH+8utvkiSJggigVcG0gTJVU6vYHJcSIerEsvKywVcMfmveB4fz8oqKi4HrZRxOs4ZnKHA4TQyj0ZhiNIr6c08+/Vy7y+IqbZUCE9wJAn7UIqExdIJCNTkH/i+sxZ6qXou0E02uPRMprqrsbNMvv10/7to777qrW5fO8954o0Yb5XA4TYeUlBQAmDz5hgH9+27dtElEFBhTAhxW62izXwPclx1vgrj6DyIwRKfD0b5duxeenv3T+p/zjuQD942vMVYrAMCpYoPDSU6HgzGh7t9iXQUjnwbN7acgCmJFhb2iQtaJYh2P5wKSYTa//OprO7Jzzp0tCTcYiBS3JUQoaR9Ct+s1RE1QACYKNrv9snbtJ914iyVz6S1pt6pFMer7ljgcTiOGqwYcThPDaDTGx9OePe+vXfvfLgndI6IiHE4HQxZaI6heO6iRA4FmZT87A5+40MCuSKDiUOPZI01P0r0XJCJSgPR6/eHDRx5/ZHrLiMj8kyemTbtbXS8pKYn3XTicZkBWVhYRhYXpt27dwRAAUXaVlPPkL/ldTOo48gx1fXQ5xgQmiSPaHPaYmLazX31n4/bf/jx8SH2am8DVilYtW5aUlkqKjMG+gFp9l1WvTMHX8nofuKo8goKM2SttjoqKuLi42uz/IkBEgwcPemXWrNw9f4SHGWRF9kTEBKQkeNrdBovEURQSBHHEiGt27dyxNNPiH/vD4XCaI1w14HCaGGazOToaMjPpqadmL1iwoEPHjoTgNu0OAvr96wv5juOrjjPQuB6G2o7/sz47D+yzVdeH8Q0T9vSJCAhkWQnTG2wVle9/8uHJ4qK77542elQqAKSlpXmqcHM4nKaF2Wz2FFUloltuuTl75+8iIkN0mR4SePRE39Fg3U/5kNOybss8dM9IAyBjzCk5YtvFfbRw8ckTeQrIsbGxwCWDWpKent6jZy+QnUBaw38N1X6fdRsFV/ESAsbQITlLKkrttsrab/qCsnnzbxMmTtq0ZZOt0iboRLV5duPX3FcRelA7EICQGDKHw56cdPlLr79+9OixZcuWNcjGORxOI4f7GnA4TY/MTKvZbE5NTV3zw+oHH/v7ulU/2myVghDkdPadJPMXDsh/3UDPpCpsDILuK8SEg9ZyAfzFgKq3qp3DQETNMSIRocAYY4cPHczeuf2GCde1b3/Z3LfeUm2cs7KyanLYHA6nkaBGCSUkJAwdOvTnn3++dcqUP/bsEQAYQ9e8cJXe8A2JVgdFl00rIjDGHE5nbKu4JRbLqVPFY8aOBYDi4uL58+ef/2NqVhiNxlmzZ3+2aPHpU8V6vV5RCF2hHTUgsKWqjqDWBoFbQUSnw5nQNVFRaOu27bXbxwWEiHZlZ//ww/fffbcqzKAnhTQf3vk9PQRRsNnt7dtdZrp54rvz3/904WfndXccDqfxwGMNOJymByIiYl5e3m8bN8156Y2rhl8p6EQiqiJKsAYOB9ogxtA2BrU+1oA7tTkmP1yFGcl1H4AUWSFFCQ8LP1pwdPFnX+iIEdGsF1/MyMgwmUzp6ek86IDDaRIQkWpk0Lt3r1dfffXmm2/c88ceIGKMkaJ4JlIb/nyudsOqlQoCE5jNbm/bNubfb7y9ddOWIUOuBACj0chTouoMKdWHyVW/kVqs4xOjEvBSV5uECoIc+sAuKmok3eFDh8ZfP2Hl8u9Jkhm6qiFW8aKG2jtDJklSeETE5QMG5O7P++iTT5OSkhpq4xwOp5HDYw04nCaJ1Wpt1apVUlLSggULRwwf7nQ4Tp0+w9BnriGYy3hgKEG11KjvFjLQoNbBBT4vrkGyJCKSLMt6g8HpcB49VrBixbd333tvUeGJr79ZbrVarVZrYmKiVXXf4nA4jRJV3UtISGCMTZgwYfKE8X8eOAAEgsAUUnxD2IPmbNdj165/UfvAZ6NIQCCIzFZRGRvT1jz75c1bN+cfK1APmGd01w2j0Wg0Ghd9vujs6dN6g55cdTFq8GFSdXerxL90gs/XRwzRKTm7dU5AZFu3N9JYA6PRuHr1qh1bt678bkVYmIGIgCGiJ5kmkAb4iboqMyFIkty+fYcvvly68rvvx48fX1RUlJeXV//tczicxg+PNeBwmipWqzU2NpaIWrdumzHzBZ0oku90nLYbFdjRDlXaOgCfXEnNDbU3nwhQ7Q3q02NxuygEHqnXaIEUBQBRcjpBQAXp4IE/H31k+oirh7yYkf7222+peQp8MpDDafzs379v5MiRk8aPP3DwkAAoMFRIAVd+ALhPewzmuVp73E4tngfkvd5ot0wAJIisvLyidWzMs0+9uG3L1rKKMgDIysrikkF9ePrpJwX3YDeQ6hx56vjdu318PY/J65dBQASMEHU6vV5fp82fX9SGDBGn3nb7UsuXatQhQ4aAQFVoLvVS1tTtEgEw5pCcBoMuZeTov//twezs7Ly8PI8LCYfDafbwBo/DacIQkdVqzcrKspeXlZWUrlm7Njw8TJZlRISAhAXyeR3UoSdRdTeu6iX1QPM20Dt6cOPT/WOIAOh02vV6Q3K/vp9/sfSTTz/JP5KfkpJiNBp5F5/DaZyoedr9+ve//rqx+YePMMYQkUgmqkN4VLU7C9yWarEYZPsEIIpiRWV5TNuYB/7+j/179xnCw9RFXIusJ1cPH9Y2ts0fu/+IDI+USfa30aFQX1QdjBMD8TdRIAAGqKCCjE2acMOhQ4eWZGbWfrPnl6SkpLS0NFl29u3bY5b5X4whkKJ+bKRUMRNQX9XA88XIipLYNaFt23afLV48cODAli1b8jg+DufSgccacDhNGERU59Jlhc6UnO2c2KWyshIFVEsIhJiNqWMHoga5AnXbcLWQ12KBQFPHgTyLPCvIRAopok7vlJy7duwYdc3woSnG5ORknnvM4TRCyM36rKx+/fuPHzPmcN5hQRAQ1YvYebimhBqJBluNAJCxsvLyNq3bPDj9b9u3b/3z4IHCwkLgkkFDYLc7IsVwURCVYEWAatxQ1TXmwDcojwCAoeRUWrZoFS6KVdoEXByMRmNubq7ZbH7xxdkf/WeRrEhAisvlR6nruVKteZFHikCUZTnMYHjvg48B0WQy2e12LhlwOJcU3NeAw2naqKn7v2zcaByVYkwduWnTZubODkUEBPSdvqk7GPRulc9dIDTpnO4Kj8QYA8DSsvJvLZaYtm1TUlNTU1MBwARgAuDFFTici44no2rXruwrhw4dN2ZMfv4RvU6nXdRwO6vdAvWyiQxttsq2rds89sSTW7ZsPXmyCAAqKip4xYR6kpSUVFRUdMXgwa1atTp9+rRTkpjAgChYQ1IH74Ia4go38OxSEASHw9nhssvuvO++Xbt27czObtj91Z/HHnss/rLLWorism+XC4iI6JLWalF/whfUNKBBP373dglAlpVrx4xzOhy7c3OHDRvmcDhyc3Pr+lY4HE7Tg8cacDjNhIMHD/2w5serhg2tLC8XBEbB+90UcKdW1L7swfnEJ6BYk5/ssTwQRcHhcC79cukdJhMRPTNpUiZABoDJZOK1FTici4jZbFYnKvfv39evX//rrx9bkH9EJ4qKplxCfQntfhDEKYUA3fOqaqoCMbTZ7W1axzz13PO/79p14kShuqbFYmmYw7u0MZvN8Z06DRk+PCwyUnI6GTLyfvghfwL1s7II3Jh2rp2ISAElumWLESNGtGzdusH20xAYjca8vDyz2dyiRcSb770nSwoAEBGinw1HLaGAh+Rzh9wnhSRJsW1j5rz1VnznzpmZmZ06deInAodzqcFVAw6nmbBy5Sqbzd6la4+OneLLystEUfB2vVxuYkFic2tOVS+qh5JQ55eST0/JMzhAIHXehQCAFBIE1InC9u3brjWmdBo9/snJkwEgMzPTYrHwuowczkVBDe/Pyspan5XVo0fP68aNOZLnijJQ50y1M6AaanO2hl436BLXVKt7zhYZs9vtbdq0+ecz5jOnz4aFh8fGxgKXDBqIuLg4s9mMjD3wwAMtWkS6ruUe99yg31DIoJA6gwDk+d4ZMkWWIyMj28TEvfPO3JYtWzYqn7/CwkKz2Zw6KiVt2pQTx48jeH2Lqqs9UeVHhJq1tPfd/6AqHCAoCtxz332/bNiglkc1mUx1fzMcDqdpwjMUOJzmg06nj+/YoXtil/37/5QVRRREAtJE7tc/TCBYrmedtuqpwlCHDQSM9H0fq0GbCIheDydDWFjRycI/9u3pkNz7t81b/vXKK3978EGr1WqxWDIzMzMyMuryHjgcTu3xOAL06tVzwsSJ11937ZH8Ar2o844W3WduwPixxpeK2kkG6DdgRQGdDmdsXNtX/zVPFCkt7RYAKC4u5okJDUVeXl5SUtL3339fXlZiL688d/asQuRy8PX5hgKdEf2oc6PmbRMRgRRAxhxOR/t2HUZdO6Ko6Awiy8vLayQ1BdVTZv78+TffNHmlZcXZs+cYY+pA37duUu2hqsUaJACGWF5Z2a9f31def0OW5datW0PNqiJzOJxmBo814HCaD7m5uS1aRM9+7d/JSZeTRMxVMMkTa0jk8hIMlb9YBRhcMoCquiue3khgyUbNAahbrq4P4ko68Pichw4+BvLOF4Ja1oucTmdUdFRZWelPP1pNN02+c8qURx+ejogmk8lsNnNjMw7nwkBE6lxlr549p0697fpxY/KPFBj0OvS4nGqvGto7tdhHDVfSXj0I1OJ1CIjMYbfHxcV9tvjLosL8ceOuBQBup9rgqOEGubm5o8enRrZo6XQ4BYEFTSahGlcJrjnaJokIgAEiioIYE9PmgQceLSoqalRft9VqTU5Ovm3qbU899Vzx6VNOySkwAdF3oB+kVa9B5gIG/PW+FgCIAcqy0io6Ku22O5Z++UVi165qucd6vR8Oh9M04bEGHE7zwWg0JnbtuiEra/L48Tuyd505d1an08uyDIhEVD9TaAxyL/hjnyXo/ReDjAAw5AMX5PunlnjECIagKKQTRQI6cfL4mp9+6tq906BBV1x//YTU1NScnJy0tDRuB83hnFfUhKCEhAQEmDhp0vhrrz16rECv07lLKYD3IuDxbT8vTirk/wiBiBAABeawVV52WUfL2uWrVn5/6OAh1wHzYVJDM23atI0bN65evSZMHy457BWVFei2NtDSsHqB+1t0CcvqRDogMGSSJEW3ajlg8MDjx44/++xMk8n0/fffN+jO6wgR5eXlZWRk3DJlysJPFhaePInoyeHxNSmu54fl/3IkAhSxsrIiZWTK2dNn2nfs2Ldv3/rtg8PhNGG4asDhNB+mTZtGROaMjIgWUV17JuYfPGxzOARRUCfoPVmQ7tUDggCq6p+H1gqCvchXLwi9w4BVvNRPL9AenCcLgogQUa/Xnzt7tqDgRGSEIXtXTmpqalpaWmFhYUJCAneE5nDOK0ajcd/evYOvuGJMauqxE8f1op5A69zqvoO+D6ulBiuGtHVxXapQ9TLoHN95+arVy5d9XZB/DAAOHz6sll/hNCxWq9Vut48bN+7PPw/cajLt2Ztrs9l0OpFcXpQ1v+wHbci8N9Tc/OLaEBGIkCEiU4jad+z4yScL161bt3r16pycHLWqcWPAbDY7HI5Zs2Z9+P57p8+cNhgMsixr2s0gAXf126H6FQAT0GZ3tG0bM3mCqWu3xLSpt9ZvsxwOp2nDMxQ4nOaDGlRJRB98+FFx4aGYdrEEiqLI7jGzdhDuLyG48ZMP6jLDhn7/1os6934w4EAQAYlAVpSwsHBbReXO7dnXXZualbXGVlleVFT0eHx8gxp0czgcF0SUnp6ekZHxxZIlPXv1GjXymhMnTuh1IvkPDxG01vbqa8F/hSBUF5MQUn90ZyogYzaHvXPHTmu/+275smWH8/LV5Y0qUr2ZER0dbbFYduzc+Xvu7tZt2gqCKMsKVWFiUBuqFcLV3xoiMoE5JWdkVNQY49g777zz1183zpgxo/F877m5uYjYo3v3+++///S5M2qdEd/Yl9pqbCHQbJPc0wyyLA8cdMW0B6cdOJRXz81zOJymDlcNOJxmhdlsnjNnRmamiUB59Il/RkSFy7KCmrhfnzDgakwJ6pJYHFwyOD9xxqEPIWgkhNc3SpIkUWSiKBbkH33qsafDdGJmZmZF+3YAYL5gh8nhXBqowoDZbF6wYMFtt98+auTI4uJivV4kIlBcuoHn5AwpF1S/m1qu5B6ekpqYIDkT4rusXb/+i2+++dPtgdd4ho7Nktzc3KSkJLPZbHc6X3rlRVEUiYhpDRHrWuOmOrHAs30gAFlWBFHXqUvnQ4cPLF682GKxrFmzpvHkpFgslokTJ95z773nTp0qLy0XdaKiKACe1hwCfvoNIX0TMIFVVFR0SUicNHnyw//4x5PPPNkAm+VwOE0ZnqHA4TQrMjIy7r+/k90+cN263I4dO0gOx4njJwiAMc1AuiE6RKEyFNBPIQhis1TbHdTqNb5TMAFP+CWDijpRcjr37MnduPHXGf9+c/6Rw0/u3FmHHXM4nKCoFdqSk5O3bN58xZAh468be/bsGUEQVLHAdYaSp9pJ/aKLIMh1I8hGNY/UmHWH5Owc33Htt1lfWpbsO3hAXcQlgwvA9OnT8/LyjhzJz965a9AVg/fv3aupI+j+hQASEIZuEoKkvlWRsuD59hGRMYExBZRWrVqv+nq59ZcNY8aOLSwsbGypasOHX5WdnZ39+y6n3SYIAigEXmmlYSQDv2acMVRkRafXDRw4mJBmz37JZDI1to+Fw+FcYHisAYfT3EhLs0hSh3Xr1nXr1n3BoiUtW7WSZdnVY1Ldj9FVj7E+hAjmDwgxCHgu+LZCULPDDBKLGiK4wTs1Q0SkECkKMGSCbsuWLePHjooeNfrpJ/959513AkB6errHoo3D4dQBVTKwWCwLP1lgCAubMnny2VOnBMbcZxa5TQ1QjUiob352cMnA/ynvkwiA6JSlju3b/3f5+p9+W7f3wH51CZcMLgxms1mtwrg08yu9ztClSxe704kInkuvWjcnqGTg8S0I7pijWQU8Xgbk1yqRpMg6nf7eaff8a+7ciMgoAEhLSzuvb7m2DBo0yG635+fnnSku1ul0iuQKNPChAZPrEIAAkdkdjg4d4l/9z+uFxUVElJSU1EA74HA4TRWuGnA4zZBp06YBwLhx13399X+fenYmQ6Yo7jl29J9qq46qyxyG2FpNUhJ8NxlkyFD9wQUJLnC5XVVzAKS+WiFSFEVR5Ijw8IKCY/PfeUuPbMFnn83KyCguLgYAi8XChQMOpw6okgEA9OjatVvn7n+///5z587oDQZXLVhtHLrH3cBlaVC/MZD/iR9gDQ8ESKqI6nA64trG/PT9moLDuaPGpKpVIblkcCGxWq2xsbFEFBcXt3L1D63btLbbHIiIzFV10T80Tuu6E1wzQPC0A97gN0RwFStE12NUiGRShl55Zf6xo1t37CgsLITG9+33vTz5mmtGFhQUuJ8gchUo9ebYuE+Yup81pBFXUABJdkZERHXu3Pndl99+7eXXeH1iDocDFzLVmMPhXEiIyGq1ZmVlRUZE7M75/ecNP0eEhSmK4jOwr20msPeVvg9cTyAGX6UmWw0xNKcqnLFCHUZN8DlUdSJLEASnLCHBwIEDJt+StmvnTvOLLxKR2WxGRN5n4nBqRVJSUnJyctfEzsbUq1958bUzZ88YwgyyJAMAqSHW/mYGwSIDQl0XqsZnCKUtx0IIqNZSAYb2ysq2bWM3bt26NyenV3KyunbjSWi/dPD8EtatW2cwGB7621/tNodBr5cVmdTiiACua3zoL0dVBPxsC9zL3EIxgiqgM4FJsqwocu9eScuWL5/37jtZ6zcAgMViaeg3Vy/S09MVWYoM1y9ZslRgTHU0cOlu/k1jw1hIEgFjzG63d7is40/r198zbVpCYhmhPrUAACAASURBVKLVauWViTkcDo814HCaJ4ioFo6KiY1ZsOCzjh3b2+0OgbmsTLwBnzWaz6/VjuuVklAHvBNOtcB9BK661wQIsiyLgiCIbPOWzR+9Nz8qPPyJxx9DdLlAcNWAw6khJoAkgNzc3FatokeNTpmd8bKrXJxT9mQkBAx4KPBxfVKX/CUDdMcXASECMlZRUdG2bcy3q7J+WLOWSwYXF89lNjU11bpu3TMzXwiPMFTaKsgdEeBeLfCFrte63BA0oQfqEo2XASECESBDUSc6nA4i6NO7z7Lly3f//vv0fzxssVgam2QAADfeeOOLs2bv2LnT6XAwxgAAa6Kj1SNYBxlKsqQzGLp2S3j5pZcWLFyYk5NjNBrruDkOh9OM4A0kh9PMIaIPPni/vLzi44/+I6DgmmpxhWm6ZyuqiTvwW1ZlrEFNLir+A4Qg+/AsrCLWwL3bGuwx5CbQe8c1T4UCYw6nvUVUZL++A9//5JMXM8wEmJmZyb2gOJxqMZvNhVZrkdXacspNN95z30uzZp07dybCYJBkWV2BCFAbaAA+EQWuHIWqqMF4KFisgWdHyLCioiImNnbpV2t+WPPt8RMFKSkpRqORSwYXFzWwKyMjY/KkCQ/cc+dLr/zr1OmzjAkGg16WJVe2Abp+PwCIrkD94JYH2rADdzOCTEBFUew2W0RUVJ+kfouXLF69etV1142HxioYfWXJLC0rf/fNNyVFUt+8QqT1fQCAKsw+XdT8nSEyAIckt2oR/evWrTOmTWvJAw04HI4bHmvA4TRzELG8vCLv0MF+fS+vtNkEneDtUHk6VvWZ/McQ96t+SeCsUYjeXwjrbLdCUa+envfFXic2IlmR9TpDWXnlb1s23XD9dSOuHnL8aD6XDDicaiGilJSUOKOx59//dtO9d740O/3c2TPhBoMkS+gytyOPZKAa3YHmPlUzR1qHKVRtNLc6cGTlFRXt2rf/9rtVP6z55viJAgDIyspqnIPGSwpEzMjIAIDlK76z/rJx8dKFvZN66fVieVkZY4IaKEeauANERGSoDvg1QQeehwCuNoIhIqKoY06nw+lwxsTFjh83fvGSxYioSgaNk0OHDv25/8/fft1QWlYmMCQiRY2a8TEO1ZwRdQ0xQHf4IQLJpIiC2LVbtzdfeKFg4cJzPNCAw+G44aoBh9P8eeKJJ9q0aX3DjVPi4mJsNjsTBVTzFwMTQWtJHRSDYNuo8qXBFtbSxSA0Pn0vdwgzgKzIOp0OiI4czn9x5uzuid1umDihIfbH4TRb1BGd0WhsFxfX96oRszJeKSspD3d5GXgDq12SAYDnpNOEHVR9qx1uzzv3sBIAGFZUVsZ3jF+0ZOXyb749fuKYuibPP2pUGI3GyBatly5d/s2336emjuvcuVNFRWWFrQIFFEWRCa50Brd+AADAwCMXeFoGAgCGTGCCIIoKyWWl5VERLfoN7G9+82UWpkNEIlKzEhqbZqQWGSk5d+7W227L/T3XYNArCgAAw1AZCqGprnX1hOx5rIQNBsO8t98+c+pUstlsLyriZweHw1ERLvYBcDicC0FMTGxlZUV0yxb5R44IKBApakw+1sgT0dO1QM+A3c9NwNUpr3vXC6uQAty9Ge+tpvvSBlMEX9+nu+i7ZWIMmcDsNvvunN29evfcum3HmTPFQ4desWnT1pq+LQ7n0kCtmJCcnLzsv8ucTufb896pLCs36PWq/SF4s6E897TXnQZ1OgHfa4knCQuZw+HoFN8xa/Wvy1d+dfS4y5SeD4oaG2oNIFlWUlNTU0cZrx13ncCY5JROnz7tdDpEUScKAiLzxBmooDt5gQCQMYEJyBgB2e0Ou80eERmZ1PfykVdfOffdD+a+MTcyIiolJcVqtU6fPr2xSQYqRqPx888/P3zw4E9ZWTqdQAoheGJ1QrwGtTJATWLxEAFJNYBw5XCAoih9+/etsNk37d49aNAguU0bnp7A4XBUeKwBh3NJsGzZMp1O/+GHn3SJT7DZ7EwUVQtAb/ejtraIqL1XT8mguoPAYLdQ+M1N1tkXioBUu3UBGeLmTZsnT7zukUce7JGQMPn66+u0RQ6neaJKBhaL5bVXXzl68ugH8+bZKyr0ep0sy+5cKJ9wAp8gn4ZWDFybV2srAiBDxhARZNnZo2u3dRt++eKbz48cPayuyCWDRoj6pWRmZgLAy6+8cujQIUlR7n3ggam3mpJ6JwlMqKissNvtpMgACgAIAlMVXsaYqhRITkdFeUV5WanT6YyJjRs9atS0O+/6YqmlzKYg4jtvvWO1WtWEiEYoGRBRcnIyIpaWnF2zZjUCMVfJSKKayfw1yd3TTgWo/wgMASA8IvKZ5548evxYZmZmdHQ0P0E4HI4HHmvA4VwSJCUl9e/ff/l/l0W30BWfKbFVVuoEUSGqQ49Ja3/o/6jWGwrybL3MCgImMTHIPb+lfgUlNAEHRJ53yBg7fer0D6tWXznwypKK8q3btwNAUhIkJ8O0acAnYziXLAkJCZWVlW3atGkRFdkhNm7JZ4vtdptBr1dkxcfMNDDEIEjQQYgxUd2uU56tIzgluXti95U/rF2flbVtx3Z1FT4iarRYrdaioqL09PT58+fPmzdPp9eXlpyLbtnqg48+7tCxY7v2cZHhYSQTKkCKYnc47ZU2pyxLDklyOkWDPq5NbHynTsn9B9w85YaJN9xUXFSU2LVrRVnZiu9XqQ41eXl5jXYKPTk52WQyRYTr//bgtHffeg/AdaZQTWMDa4q3qVNj8RjKkty/X7/ColMvpL+oHobqNMHhcDgAIF7sA+BwOBeCuLg4s9n87NNP9erV89TZst27d5Pql0xKrbcVNOagISds6tUzomAPa3h0vrbb3qNRFAIknU5XWlrxzgfzhw0fsWvXrrlz53zyyYK0NEhJSScyN8I5Kw7nfBMbG5uXl5eQkKDTiR0TO31psTgcNp1OlCWZwP2flyqSFABClEtB8D0ba4i7JAoCyIrSPbHbijVr/ty/f2RKikKUlZXFJYPGj2fIunnz5s2bN6enp+/duzciIlxkYp/k5E8+W3zixImjR4/m7dt35MQJkCQh0hAdETZw4ND+/fubn3++pKzEZpPOnTs9IiVl3LhxF/e91By1BuTwq4bOMr9qdzhEUQAgP1fg+ksH3g0SIHOFHYg68SbTzcXFZ9R6FmlpafXeD4fDaT7wbi6Hc6mQnp5uNpuXfL749jv+MvKqq4pPnxJFgZTadT+0oQVVT+PXgmCHELrgYvWbCl55KmT2g3+VBvdYw3vf9QwBExgQOWS5c3zHCZMn/v3vj37++Zt33PG4xU1djpnDacoYjUa9KA4eMmTd2rVlZaUGg16WZfDarXoKH9ZcMggSLVSrq42a9cAQZVIUhboldl+x+vs/9+/v3qOHaxtc42viENGiRYtOnDihE8X4+PiELl0kRWaMHT5yWCfqioqK//rXvzbFb9loNKpBEEQ0cuQ1Z4uLVetiAkBAAnL7Ida3AJJfiB1jzG639+zZ+5uVK48eze/YsRPw04TD4fjCrwgczqUCES1YsGDhwoVdExKio6Ks6350SE6B1S5PwWc07b1b/4ML8lQde0NU9ZjDn2CqgaZD5fGMVEdAiAAoMLRV2iKiopL6JH26ePHX33z1xZLM+Ph4NQuU97Q4lxRXDRt29VVXbcjKKqusCNPrJB/7Q9WhDrRlE2ojGaj4in7VnV7qrhgiIUiS0r1bt2+/55JBc4Z824om/f0mJSWlpaXt27f3+hsnvP7iq4osAQIQqRUfNCUUGqBssqvaInNp406nfN/993fo2HHqbbc16c+Qw+GcJ7gbIodzqYCICxcuTEpK+mTBgqjo6C4JXUF1+3Mtr33QATSc8BhkO3XttmiKb9XtIDXF3YHcYx5FTeUgAoUkWTaEh5eXl2/bunXi2NGde7ULj9C9+eabaswznRd7Nw6nMXLlkCFXDBmy4ZefyysrDHq9U5KCRFL7SAZB7Ek1A6GQ5453WUAdRiKfGxIwRAVIlpVuPbhk0MwxmUzaIC+LxZKenn4Rj6c+EJHJZDKbze3bt1++9CvZKQEAECCgGm0QYAHSAG2NQsSQOZ3O9h3aDxk2zFXBksPhcALglwYO59JCzVN45f1XnnnwmcED+jrsTkQkACLF442E7n6+13vJY5jk8//5IURHiKpeXFfQ90/AUkQAl3M1ATDX/hFQEAVZku0Oe8sWLa+74TqB6fskJU+ZcovVauVZ05xLgSsGD7xq+FUbf91kr6ww6HROp4SIBKq+FnDCBsppPikLVbiZYMgHPptxLUVEApJluWfPnl+v+G79+vUjR450LeXDIU4jJjMz02QyzZ0757HHZgwbdEV5eakgigrJ4EpP8NBQjSAiAhHpRLHcVnnTlCmREVHG1FHXXHNNA22fw+E0K3gLyuFcWhCRJcdiybW02hzdRmrx7fcrdaKOXB16AlL71VV0SgJVg0ADwfofZc2XNMBOMbRq4F7B9y6CGi+qVvqyOxyGMP2AgQM/+mThhvXrf1q3LiUlxWg08iEKpxkzaOCAKwYN2LZth9PhEHWi5JTQrTK65QEf3aCKLIRQJiZuARNDeZqS1yWOCAAREFABkmSpe48eK1auzly6dM8ff/DzkdMkUCuY9ut3eUXF2e+//UE9s4CoOlmt7qiBBZIsR7Vseeutt3fu3OmWW0wNvhcOh9M84BkKHM6lBSJaci0b52z88I2Ps3NzErt2dTicoiC4tAJv/xyD9dKrkAwa9iirWuJ783uibrjjqEOHObhvrpVUF0lSSJGVMINBckg7tm+/ceL114wc2ad3L6PRyN2nOc2YQYMGXjHkys1btsmSU6cTFUlmbtM2t4WB9pzyyygAn1MKyO8Edv/1PtKe255tkWtDWp0CCcjhlBK7JK5YufrNN+fs+eMPAMjKyuKSAaeRk56erlrqHjp4KHtbjsNhR4aaAJ36SQYhXq0oBMhsNkdip4THH3/8sss61msvHA6nWcNVAw7nksOSZin4rQAATp89+3x6RnhEhCzLiIgM/Y0BfXrygXkJgSs3HDXemJ+IEPAWakhNcqvdyz09OQQFSJJlQRSQ/p+98w6Mo7r2/zl3ZotkWa4yLnLFDck2xGDANK8BY7AJLawoCXmQEFLIy8tL8kt9iVYJkEYMKZCQQAglBrSElgRiG2zJFBvci+Ru2ZbcJFvVKrs7c8/vj9kyszuzO1skt/tBWKuZOzN3du+dved7zzkX9+2tu2r2xceOH/3FIw+L9RQEZyozZ86cOfPCTz75GIkzxlRV1bQCImO31XkcGFISZGH/mJpQBKR5GRBAIBQ6d/z4t5e++/JLL33rW9/W0tGLcCHBqU97ezsRff/733vmr8+2trZy4rIkQQ4dDBISggAAMuSc5+XljRgxovyHP16yZEmuriYQCM48pJNdAYFAcNI4ePDQ8OHnjBk3uramxuV0qaqKzNToTnAtyHEuRAsyPb2mHaR1NMb9Tqc+WmgoIMoOuacnsHHtun798tau37Bt8+aa7dsBoKS8/MG5czUDRiA4rblw5syLL7547ccfcyXIGOOcU3SBBNStfGLUCuK2RCFz6RGtQoZ0m2IX0kpzIlVRJk2c9O8ly3bt3DnH4wGA5557TvQ7wWnB7Nmzn3nmmbFjRy9fvqS2ZnswEJAkbYieay+D6NoLSEySOru6xowe+5kFd9Turv31o7/O6loCgeCMRvgaCARnO7/+9aIpkyd39XTLsoyA4YH8KeLPaxp8gAm7zAMU0hAOjJ4GFv4Gxj1oNGGISFFUxiRk0vvvv//p+fMe8Hrv+P73gKgMkYjKy8vF8gqC05rr58+/aObMNR99pIQCkiRxVScZgIkngJXjjr4nxc19JryIPzD+IAQAVIlCqjJx4uR/vrPklZdfnjR5MggXA8Hpg9aP/H7/vrp9G9Zu7OzqlGVHNOAni/Mm206ARMAYGzlqxK2fv/VoY2NW1xIIBGc6QjUQCM5qHnro4cXPP3f7bbf3LygIhUKICIgx7cCUkyUoJIY+Jy8DAOk4HZDR6tHWcYPwv+GN+uvEzJ7oLyKVqyrn/fIL9tTt/fHvHhvR2UEAjUMGVVRU+Hw+v98vhAPBaYSmdgHA/fd/kYhGFY9Yu25tUAnKsqyqnKJ5DCmSZCB6oIm5Y9KPsq4fIILKVSIoLS395zvvIKKWywDEigmC04eqKt+iRYue+tNP/vyXp5ubW9WQwhhS9Nsn3T5jLX1Hz0ZADFlPoGfQoEHnjhq9+MUX/P/wa+kYBQKBwBShGggEZzWI+Oqr/1hWtaJkxjSV89hA22zAnbDpFDaAUyzWZkncWCuady1unXljUnciIG0dCgQg4sFQsF+/go7W9hXvLb/lxgXXjhr0pS99ARG9Xu+iRYsqKyszuiWBoE/RFC6fz+f3V/7lL0/f89k7P/lkrRLoccoOVVFjKyXoIxDCXSVRMUgmGVi4G4DV5nAOVAImMZVzQJg+fdprb/xz0W9+AwAVFRVizXnB6UVVVW1FBXZ2Bh768Y9DSoAxxsISPjNP5pEEG8XCfRRJUdTBg4f++Oc/37VrNxGVlJRkegcCgeDMR+Q1EAjOdrbv3Dlo8KBbb/3Mvj07m5tbnE43JzWcGsA0+eHpMhqPXy8xZyfVpYVE0AQW0i2MRYCAqqrKsoRMamxs3Fa7e+z4sRfNvHDBwhvvv//+pqamiy++WIRbC05lok4xtbW1c+Z4Pv+5u2o21hBXHbKsqKq+oE49M/wyFEmKWfeMbdO7PUWSshIBSJIUVEIyk2ee/6nF/lf37tmzYOFCAKiurk55dwLBKUVTU63fDyXnjd5zoPFg/UEpLBkgEWGc51+SLzOLjmbmOIjIkKvcKctjJoxd9dGqn//ylwDg8/kqKiqyvRmBQHCGInwNBIKzHa/XW1298vixpqnTSvsVFIRCAUSmRVSaD0JOYQ+DeHIvcMQFVmsrKoSnVwlB8zjgwAFAVVTi3O10Hzl0aMXS5U2HjxDRttrapqYmkeZAcIqjLR3q9/s3rF9/9513btq4iYPqkGWFq1q/IohGXRPEXAyMTdq4aEI6zZ0o6rgQex3ZxUmWpFAoKDFp+vQZz7/ySt3evRPOPRdELgPBaUg5QG0tPHzbLYsef6mrvT0Y6JFkSfs2iQbkUUa9KAJRrMNqPZUYspASyu9XcMmnLhszZqzWcYSHjkAgSIJQDQSCs52SkhJtCYA//OGpc4YVhRQFERPilHWcluOKHFba3NanWCg3hf9E4MQVrjicjmAosLVm65yrLjt3zJiuEx1amoPcVUkgyDF+v1+LqfnnW2/VbNkCBLIsKVwBAABuiEFI4WKQtrFjHZGtKQgoy45AMChL8oWfuvDvlZWPLVo0fsIErYQwewSnHbUABBCSpGef/f2Jzi5EBhReSyTyXZI5cTp31EmOiANg4aAB3/zuNwsKCsrLyz0eTxbXEQgEZz4iQkEgONupqqry+/1Lly5b9dEHl181u7Zme1dXt0OWiQgSIxRO6pg8RYL1PgVtvhtajnmGDBFOdHSuW79u9Mjijz7++KXFiydOnPjwww/3dkUFAvto/i9TpkxZt24dEd11xx01mzcjA1mSVFUFxHgbJpzNINVpk+41W3zR/CyIIEksGAw5ZHnmRbOe+/vfEXHJ0qUA4PF4hGQgOB3xAswFmD1qxK7Onr07dwECY8g5YcI6yFkHCcaOVFXucLimTpm6aePGb33n2wBw7733ivAEgUCQBPEVKxAIwOv1FhcXP/bYYz/7acXHq1bX7asDIsZYnDnQt6pBNE9ANK7T0vRIZpPEplpyGw5gVzUIX50AEQk4cVCVUMn0aX9++ln/yy/LjN3/1a/mtGICQYZEQ2a0gOrbb7tl5/adiMAQ9dE0CY4GZqqBMXOofdUgeUmGUkgJOWR22aWX1zU0LFm2LGlxgeD04Nprrx05fLiqKGvXfJyXl895eE1T0LT7uPV7rDDrh8bjEYiQIQCEQqGCfgNee+Wll15/vTsQICIhGQgEguSICAWBQAB+v7+wsJCIJEn+59tv9+9fwFVuyEAWv6Jh3xBdNzEa3Wn+kzAloz9Hb1UutQgRGfVF/iQgZAxdbve2mprbb7pJZqzjRMePvv89APB6vSLTgeDkokXN/Oc/7xCR9zM379yxExkgQ73bUaL6ln2TjQb2pBAXkIWUkFOSr7l2/p79+4RkIDhjmF5a+o1vfrOluTmc/pAIk68xbIr5KkeGRYEQgTgBASIbMLhw9JQp3/vBD0R4gkAgsIOIUBAIBACROIX3li9f/t5750+fsWPXTuKcMYYRsaDPHZPsz+XbMbVzbo3HLaZgcjXSF43+i0BEsuzoOtG1bv36wQMKfrno8YaDB1588e9VVVU+n2/u3LlieQVBH6PpBc8999x5U6fecsutN9+8cOf2XbLEEMJeBhFLRtfcc9elUnZzJGAMFUWVnfINCxY2t7Qwh6O9vb29vT1nlRAITh6XX3ZZ48GDGzZtCAZDjDGI+1bLNDYvIcABCQAZcuKSQ7740ks/fP9DSZY2btz4la98RfgaCASC5AhfA4FAAACAiH6/v7i4+E9PPUVEY4pHq5xrgwwg0E3s2yA35kRqx2ZbV+vtyfvEGdJYKnmK5G8D3XwqEIDKueSQOKn/WfLeLTctuOo6zwNf+qK2yDxpazIIBH0FEc2ZM8fj8Sz6zW/uuPPOm66/fvf23ZLEiIgT19KuEydAICJdQ05KdiojAkYvRETIWFBRHE55/jXX7Ny9a8z48UVFRbNnz87qGgLBKYPMWEtnZ1t7m+yQOTfrYza/fuPLRB3xwuueaC84505Zrvj+Q6NGjfJ4PJMnTxY5QQQCQUrEY0IgEMQoLy/3+XyPPfro/375yxdddVWoJ2AmLZpZDFarLZgtFW2+0ex4sxMk5GJLTiSDe0aGOFpfJJkrRMLqc4ayqJs4klDqCfQMHTJkwYL523buef7FxUTk9/v8/gq/P5MaCwRpEZWoVq5cedVVV914/XV79+11ym4kzmOdhyJLx2Nib7DMGGI7tUGSbgZEkiwHQyGG7LIrrtywYf3a9Rs8Hk95eTkANDU1rVq1Kup0EAgE6uvrGxoampqaUt03FBUVFRUVDRs2DABcLpf25+zZs0tKSkpLS8MVE6aUoPepq6t7/m9/a9i/f3nV8v4F/VVV1e3M6Isr4RsII/1Ue60oavGYMcveW67166qqqrlz52ZxBwKB4KxAfCMKBIIY2gCiurraJUnt7S1vvPamOz9fVbXl1qJZlXRrOSXLURjBVDVIXiDpfpuX1V8rzVSISdQAtFnO8NtwiC4JQzgnvBQIBNxu5+Sp0xa/8sqiR3+8+pOHiou9hYUlPp9P2C2C3iMqGezetWvipEmfvnFB3e69siwBhB1eIrnUKNIK41tjsp5l1PfStX4QgHOSHXJ3ICAz+cJZsw4dPvze8uWXX375wYMHFyxY8MQTT2g+1TU1NdGjmpqa7Af46GO5i4qKNLFA0yMAoKysrL6+3uv1zp49u6GhoaamRrhwC3qD95YsmTB58oNf/squXTv79cvjKgeMdb1Mzmi1CipqPZsUrt5w/cJ+/fvv3LVr3Lhxv/rVr8QXjUAgSIl4TAgEAgM+n6+qqqqqqoqIblwwf/eu3fl5+ZxzgNjIn5LZxQmkVA2sipkVSXsMZW9lOP1F7Gd0t1YNbF4QEZCAy7IcDIVkWRo5YtRXv/TA3yv/9Mqry4kIfD6oqBCPaUEvofkW7dq1a9KkSZ++4Ya6ujqHUybOY0Eysa6D0VAlvXNAQoZ3HWmoBhinxmlxOg6Hs6u7W5Kk8y/41Naamq01NZWVlU8++SQAVFVVrVixon///pu3bG5oqG9qbAoGAp1dnY1HjzY2NnV0dGhnIB7TOaORQ1ooUP/+/QsLC/v378+QOZ2OgYMHnTN8+EUzL5w2bTogTj3vPADwer0AUFlZqR1VUlKibQEAoSAIcsWrLy1uPd781LPPdHZ2ykwm4ohgWLTEHBvfVLolhBABkAGRylWQJL//taf/8pcBAweuWrVqyZIlubgPgUBwhiOGowKBwITy8vJAT8/YceP+9sxfOju7ZEkiIm0gox+G28VyeKObve+lp1E6qoFp2ke9g4FNJwk7qkE4MVXkFIwx4pxzcOU551073+l2lQaC3l/9KslVBIKMISKfz1dRUfHySy/dceedC66fX3/ggMRYzMtAa/i6rhNusXHnyZGvgWEZFAROJDOpo/NEnitvxvTpjry851988Uc//L/W1pae7q72jvZK/6ta2bVr127YuuHgvv2h7lCIQnV1ezraOgGAVFXhHDgnNXxmDhw4R4mIJFlmiFK/fFd+XkFQDcooDxxcOKho6HnnzbjtuusKhg8HgFtu+rSqqpdfccWsiy9xu90NDQ133nmnz+crLy8XE7OCHPLQT/7P4ZSfe+7vslMGAgJC834Vl2DXaq/Znkg2U0TsCQaLR4x6b+VKrRl7PB6Rf1cgENhBfPMJBAJz/vjHPwa6u+oP1L3zzlK3y6WqKsTMifg4gbiogfh8BHZUA+iFB1KajgYpF4tIqRpk5oMRWV6BIQPiRKCeN7Xk5X+8XlVeXjJs2LAHHwQRYi3IHVFPgpdffunOO++68frr9x/Y75AlTkCaV1FYOzD0aYx4TRtOFf3H5DLGayatEsY/B1BRlPz8vKmTp+b1y+8OBF5c/NI777y7fs3Hu/dsO9RwsLmlNdTVHSIuSYwhqEQMJWRInIh4WI4zrnMSfkXAkVBbDgIZARDnwDkAcUJFVRiS7HTl5+cP7N9/yNAh4yefN2PGjBtuuKGgoAAAHv3VL4lo7LhxTceONzU1CY8DQZYQ0WOP/mrX9u3vLq/Kz8/jnKOWg5gyeOAn64naFzdD7O4JLFywcMz48e0nTtTV1T333HOZ114gEJxNiGGoQCCw5Ec//MFDDz9y20031tbU9uvfX1WUVUVNcQAAIABJREFU8DJsOsMDTExlc7kgIemZ2cxJDp9J6edBxFSXt5RFTFSUNNCuSwgSImOMCLiiDBky9McPPdTW2nzzLbf5/f6ysrK0zikQmBLtuVpgwvz58w7VNzhlmesDEyAqGkTbNWK0fcc39NyqBqSZ/JzzcedOePy3jz/se2jfgQPNLceVQFBC4ERMkpBFpAAiZBhZp4QYMq2CiEw7abx8GXGhiCxWoq1djwQEBJyrnIgxRiohIidABAbgkOSCwn6DhwwdPWbMlCmTpk7/1NVXX/2/3/zvx3/7h1//+hc33HB9aen5QtcTZMD+/XvGjJmw8Prr9tXtczgdXOXRdhR17bONZU+M+rURkQL0m5//ypGXN2/+fJEHUSAQ2Ed8yQkEgmT8zzf+mxOs//jj1rY2p9OhchU4aTn9iIiAECy8KQHiFxpISJUeybKWhWpgfuXUIaGJpHQ0SDybzZBuW1cPmz+ICIwxROwOBPPyXTd9+tM/qXj4pRdeuPvzn/cClAD4xINbkAXhXAY7d06aPHnB/OsP1B9wyBJwrpnNBtVAh7lFnDzBCZkVtCDS+wgACDXpgAFgoKeLMcnpckqyRCpRWMgAxmKTscZuGPaSSN5H4kSPmMGv1QMRdG8HMsY555wT50SABPn9+g0tGjxy9KgJEydNnDjW6/38E799rFvpOX/mhcNHjfjH4n9oPgher7ekpET4IwhM0brY1q2/bW0t+eY3vhMKBBGRiGsNO+JxkN4pLTdrjkIIoZAyeMjQD1evPnzw4IhRo0B4sQkEAtuIh4VAILCkvLw8GAwWjxy5Yc2aj9esYQiASJwAKeqrnCrDARpUg/iCiYHS9h5LlPhX2oZ6wmUzfB4mXDjDmmB4+IbaPKrEmKKoKLGS88579GcPP/rkE4t++zsCqPJ4qj0en8+X2VUEZy3RRKcvLV585113XT/vmoMHDzplJyc1vGCCcXIzeRR1tJClcJC2ahD9AwkICQGBIWOa/aTpAUjhP8L54jDqm2BywtikLYU36WtrrHecV0LE0yIcCg6IEmPan5pPRigUCqmKJEkDB/QfNXLk6OLRo4rHjpg+5u6Fd//oRz843txcPHr0//3w/6I5FD0ej8fjERaaIMqKFR6Pp+qFF75+7NiYp//4F4fLCZrzi060y41qEAEZ9nR1X3b5ZeeVTvvu938oWqNAIEgL8cgQCASWaGOX3z7++M233PLAF77QUF/vdrsVVdG8e2NOwkkHK1bWuNHUTxi/2JgrzHBVKgvSUg0SPLXj9mRUAQwHY2PY5GFMQgAIBUODhw664cZbv/vd7y7+0Y92OZ3FxcWFhYVer1cM+wQ2iS6q2r+g4Fvf/vb18+YdamhwOGVtoQGdpZJmA7ZSDSjupX3VINYRtf4QySePUasfrcUCi3PGLh/vRKErrA8yikqi0fCMaHADIJMYQ8Sw+4HKg8EgJ8rLzzunqGj48NGDhwyadOF5X7v3a889++yu3bsffuQRLYfiE088MWzYMNFtBRorVniqqz3Fo1qrVzZ98uEqd54bAPSKgfEfO1gW1Ho4Y9gTCD7w1S+HgqEf/PDHmVddIBCclcgnuwICgeCURku0vnLlyk/NmnW8pTnU3cNkSeVc71GcLmZmRng20NZouhckg3TR7jzDm7e4SW0mUwvbQAAArqqIiC6X+/ix5n9UvrRze83Tf33uySd+v2TJksrKyqqqKp/PJ5wOBCnRvAw8Hg8QeebOvdbjOdp41OVycoWHV0ZJd1IzSqpngM3T6mx1vdmOkfwKAEA8ZswTpNIVbV2aKKoKkPEQ0gkHkQQPEQ8rIlVVIx4PKDscskNWVa4q6r59++vq9rnz8rZs3vjBv5YPGjz4iT//ORgMNDYeRUSv11tZWfn4448/++yz9957r9AOzmY0Fe9zd408d/LkF567UpKlsDpmFgWX4Ret/jQIgExR1f4F/ceMmTBYHpTd+QQCwdmI+NISCAQpKCkpqa2tvfe++5qbjuzZvZdp/sOg5TPQlmNLQdw0fpJY6PgJf8to6txLBjZ9DTI0kUzdoRODM3Szq5pfNCASkcMpBwNBIBpZXPzILyo2b9pxtPFYd3f3qlWrCgsL/X6/nZoLzk6iXgZzrrrKM3fu1VddcexYs8Ph4Fy3KkryDAUpzm92YAYTpfGLHsS2meQ1jD8s+tJkeUhdVSnuRfgoOwY86jMgEHEChpE0C0QEDMPeQirnwWAQAAoLCwcUFA4YNvCOO+55tfKV4tFjFj32mMfjWbFihc/nQ0Qh+Z21rFixwuPxrF+3dsroMVfMu0YNKkxiCY4wifE0yTErFY3jkVhXV9ekiVPefmxJTVPNtLnTsroBgUBw9sFOdgUEAsGpzrBhw3w+HxH5Hn1sQP9CVeEMGWjxxTYkAwCgyCQKJZUMIiWNzs2JP8mN8/jCdokvi7p/EzDbmUIyIN1v0v6yOkLLW4XhVO8MIRQIyZJDkuQD+/d//avfXP3R6u9+97s+n6+wsPB/i4upvPxk+l0ITmE0O8Tj8Vx15ZWeuXPnXHnFsePNLqeDuBouAPoul3PJIF0QTBeci8z4Wx5CiIRI8ZKDrp4Ui8BIDCsiinZKSyh2nnC6A0LiEF14ghOpKlc5R0S3252Xl9fV2dVwqH5n7Y7Hfv2LE+1tQwYMIKIrr7hcy5VQUlKyYsUKq4gJwZnNnj17KioqNm/e9Mw/XlZ6gpFwP3MylwwicNBScqgTz53w+D9+U1pUmlZtBQKBAIRqIBAIUuLxePbt27d/375Hf/pTz9y5kiSrKkdtlJ44NWI58k7Dms+lK4HtM5lnVEs4XL8QhP1apm2VRa0cIiJiDDlXAcntzutob1+79uMb5l9NRBdccP7sRYugosJnuyaCs4eoRbp927a5V1992aWXtrW2ulxOznm4gLF4jq6a2WGW/gGx30kfLKT7MR5NllO4pqcyO01iSQqfV+dToWkPBNqCC6qqyA7JnZeHgG0trfv373/jzdevuGRWx4lmInI65NraWo9Ia3q28tRTT9XU1CxZumzT2vVhDcrQStPUvJMUjqTY5Vx1uVzFo0d38A6cJhyNBQJB2gjVQCAQpMDn8+3btw8AFi9efPDwoVFjRmhpyWKLlSWOWHJggFgNm9Kfm8t+pib1oXaOtlFGPxtKYbOPCLhKAMRVIpU7nM5QKHSo4chVs2cXFuY/9Z1vI4CnvDw2myoQ6CSDzZs3TT3vvMsuuvhER7vDIXNFjdi6ltqXzXZk4mhgOZ2f+mRJd1HUXyn1aShWmsyzH5qYTGaKJhm1iNhPGKNkoL8RbSdXOVc5IrrcbocsdXV1trW1VS2tunTWzLb2lvLy8mf/+kxFRUV5eXnK2xKcSZSXl69Zs8bv9zsdzsMNhyGh/RhIqbEnK6GFEgJDUEKh/oWFef37jxw1KuOaCwSCsxmhGggEgtRUVVUBgM/na+9of+QXP2VOhzZOwWhgrw5Tn+V00fnzJ2w7GRiNirhapTrSophZfgbS79VbdcQBADiRonDGJNkhd5xof/7ZZzd2dhDR/nHjAKCsrMzu/QjOaHw+qKryAcC6dZ8MGTJ09sUzu3q6XE4X52HJgMKyn85rX2cXQ0S3spIPiMwlg4y7KEZN+RTLPNo8fVhosN6b6uCkPwlXSjyhFruF2l6Vc5WTLDskWVa42tXR9dbrb1x15Ww10EVEDln6z3/+A6CTIwRnOkT029/+9rnnn29tbU0IT6BoU7NuxKaN0bQYIBEyFgwpg4cOnTJlypTzzsvBDQgEgrMPoRoIBAJbeDyeqqqq19946ze/+d286+YEgiHGGEAkDTkZbIbYbHl26GYu+2AknewSumGd5QxtJudNLBk33Rn2eo5MYAIhAHHOVS4xmVRc/eGH3ltvPf+CC5760x9FWkQBAPh8PgBPdXXFO2//efjwQu/tt3V1BRxOmXOFOAFgeF0CY0NO1K/C+3VT90B6vSC+fHZEdIPUdpB97cD8+CyO1Z0j4nRgcUJNNIgJAQhAxDnniIgMHZJ8vPH4bx///d1lt1806+L1a1c9+YdHn3jicQDw+/1CODizGT16dEVFxeTJk48dO9bT3c20lT11K5/m/juPiDgfMmjoddddN2LEiByeWCAQnD1IJ7sCAoHg9KCqqkqLUygoyO/frwA4Nbe0yLIcHcEb7WrdxGHWEZRpnMCqqL1TJFnBIcHFwB6p/C5iCeKNm63fN10eRiQgcMiOpsajH6xcMWzY0OUrqmtramprawHA6/XW1NRUVFSkXWfB6YzX6wWAfv1Kx465dt51933mVm/XiU6HLKuqqiuV4CyTpYGS3Tkw+o/u79SHnKyVC8muIoqaN5ZmEMbVlkBiDBlrOHjww5UrBw0YfOXcWS3HO2ddfEllZeUzzzxTXFy8cOFCzclLcIZRWFh4+PDh7u6u3bt3bFy/kQCY1k60787U7dpmV4socRj+vpgx/fxl7767fceO6urqzGsvEAjOVoRqIBAI0qOh4dAN11976+03f1D9IeecRSzciOFgWF6gr1UDq9J2T2E+YOuNhR5jlzS/bCxrRPRNRf0REF5knhPJTmdXZ9fOHbuq3lv+mbKygw0N9Q0NNTU13/rWt0aPHq2JCIKzAS21XlNT05QpU+6480u33Ligva1Nlh2cK5rdGnN/jzqvJIYY2YUs/0iTeMHArsbXG8JB9D7MnMaNJeyTkFY16p4FDtmhKuqu3btqNu8qHlW8ZNmy3/3+9yuWLx8/fnxbW9vMmTOFdnDmIUmSqqotzcfbWzsOHz4UdkxBm1809iUDrTghw5Ci5OfnT5g0uaa29plnnsms2gKB4CxHRCgIBIK0ufjSWZs3bbv0istURUXGwGS4QxEv3tzEKZDudW9ykhyDTS4b9QhPLBB2fo5ae4oSYowBss1btvz5iScuveii/37wa4jY0NDQ3t4ukrSfJWgf9LBhwy668MLrrrvu5oULm5tbHA6nqoS0pBixkHmdZJApqQ/WiVxp2vZphPTktMMalmaMJlQ0BJdnLY5E343we8KJA4Db5d6/f98rL7903z2fnTx9+qWzL3G5nA0NDcOGDQMAn88nevEZAxGNGTOmqqoKkTUdPcpVDgjIkPPkjSvDqAUCYIwpoVBhv8KhQ4cWFBRkXHOBQHCWI1QDgUCQNrfcctf+Aw333HNv8ejRXd1dkiRFFglMnPszhmlmMejuq9wGdldpy90Vk1+Gou+hvmbh1eWJOCcEVDlX1VB+vvvo0caV1SuONR0lIr/fP3v27MrKyt69AcEpQNSqzHe553g8X7zv3uaWZqfLGQqFIn2TU8QY1iXcSzS7U+cVMC2Dxteoe9FLgQQR6753OmiCWpfN80d3sgT9k4ADV9SQ250XCATXr1v/u5//rLWl6fvf/8Ett9w0alQ4BL2kpGTFihUi38GZwRtvvAEAb771Vmt7q/aZaouhWny8SZue5Reroe2qnBcUFvzgBz8oLCzMquoCgeAsRqgGAoEgE5555q+LX3xx5gUX5Ofnh4IhiTFjQGZsPk2fmp0glh4stnyZXlPIiTaACT96Ul/OUKk+ILqem/Ulo29euCjEjD+ucq4ZhcFA0OlyKArftHHzNXOvrKys3Lxpo4hQOOOJSgYS0bTJk7751a+3tLS4nE4lGNJcUjiPuP5QVG6KtJ+wO5C+vSf2kFSdEwEQMPJjUcIOURcbsx+rA+znRzQa7iZ1tNiXQtPL5ElhSJqCiIoSkiUmy/L+/fXvLVt+z+fvKCx03n//A7NmzZg4YUxtba3H44GsXUQEJ51Vq1YBwBtvvgEA3V09iFpiGyQgNHQei4Zl6B/65UAh4cs05jYjO+SCwoFf/fIDJ06c6KsbFQgEZxoir4FAIMiQoqKiZ59/fvmSpYeOHHU45Eg0QrwLrn0MWQHjhk/GcjnG8oS6pAJ9B+r+T1omkjwr8hoBkRNnDCVkra3tmzZvnH/1nPx+Bdt37OyDegtOClHJIBQITJ4w4ZePPtrR1ZXndCqKggBkNCDCfbS3SZDq0HSrYW86Zzc7AI3/mJDai8K8hpZyhUUl7BHJ/KJJLRG7EQAcDkdXZ3dTU9Ouul2Hj9dNKh1/+ZSLRk0ccc6wYgDwAVT7fCCynJ62lJSUPPbYY0OHDllWtWz75q2qojDGAChZ46FULw3oxHsERFRV7nS5J547rrV2e+V/lngA9mVzAwKB4GxFqAYCgSBDdu3effTIkbs///l1a9d0tHU4nU6Vq9rS05nZ2WhppVOsiPF3zjhJ6dit0b2NyUSN2HILiGG7UOXEJOaQWXdX1/ZtOz41a+ZHH61ubW259NJLP/74476ou6CviKyY0O9Ee/vwkSP/8vTTnV0n3C6noqqaEWo0LLS/rKfUc0tCu01LO0hlEploB0l2pTytrmqGg60lA/0eC7kzBbF8jhjJda+5TkiyDJyONR07fOiQSsF2qU2lwJDCfh82NX5xwJCv1Nevfewx+5cRnFJo6Sq2b9/Wery58WgjESFGFkM1hSx+pyB8OsZYKBQcUNh/0oRJ44tHXbn647Feb7VwQBMIBOkjIhQEAkGGeL3ePz31VM3WLRPPHdevX79gKCSxRCEyjUG0RQZpfbBArwUN9KYZlcyIsUTnOB71OzUtFykYiXAAxoCIcwJZkhWuLH3n7VtvXvA///PNcWNGPfnk41nch+DUQpMMmpqaDh88WOB2v/z3Fzu7Ol1Op6IoWri8rsvoG1AfuribWdM67cDEPk/p75/EdoodmHiWjG46pZdBmoac3QsS54jglNyHDxz791vvfrx6TWNL04q11by+dtNHH81sa3h/43vrd60HACIoL4fy8hxdX9DLlJeX19bW+v1+CVnr8WY1FEJEIgrLVdbtKFmMTFIQkQCcrry777tvxIiR5SLCRSAQZIpQDQQCQYaUlJQQkcPpfPaFlwYPHcJJjS32ZPMUZjGbKYOI07nAaY3B7gl7mZsUiES0gqa7RLNFcC3Y1SE5d+/Y+7k7bnflOQ+3dT795ptH9VklBKctNTU1AOCQ5SFFRf9auvRExwmnQ+YqD0c+GyMSwvITGBIF6DNp9FZTMAlVMGzQBxXYrEPyUAtzBwuzP6xPb6tM1u+bsXdHX5KW5RSAyO1wdTb3LHl9ZdWyD4OB7s7u1j1du8d2HO7Xb1Bz84Elqyr3HrxDi1coKSkR6yyc+pSWlmpP3dffeLOz/YTKubbiIoDJ8z2KZYACGV+YHkscEGWH44ILLtjW3IyIws1AIBBkhlANBAJBhvh8vqqqqubmlscf+81//+9X+/cvVFSVIcuFtz+ZvOotdPOFOb9YDiIqjNqBYRm4ZJdFQCIAQJWTwyG3tXX8ftEfDu+pu/Smm9a8+65W7JlnnhGWxulLbW1t8/HjAwYOXLZ0aXfHCYfTwVUeZ8pGVw+0tHEpYmcnV+ySkST1qG6/xQEECJGMAml2kyRWltEJIL27is/pardMVstFGKqoD5VwSS6mSB8s++QN/9tdnZ35/Rydna0H9m8KKV0Sk480z/zxw/MBoKys7PbbbxdS4ClOSUkJALz33nsAEAyFIHUKG9tYfX8ROGRHYf/+n7nttl/+8pcA4Pf7c3E9gUBw1iFUA4FAkCGIWF1dXVxc/NGqjzdt3DalZKokSUQcEfXWMqY5mjYa8RbjoJxh36owmEZpBB3Esp5lg7Ge8dpBbHI5YT8BASfucDpkh7xy+fL/W7hAOXbsb8/+taysrKGhoaamRggHpynnT58+ctSoNatXd57ocLocqqrqW4nZwgIpHKApoiDYFKcAwKxrW2sHFsen+4iIHZrshrJ5StgRDvSVzlFalLBwE37vMfJaliS35Fr/4dZXF/+r+VhrXr5LcrDu7q4TXW2dXRMvW/A/jz31q6nTJpeWlgJAfX391q1bhXZwarJ69eqKiopjx5refPNNlStEFPtmSNacNRJ9Dij+i9KgFwIAKKrqcMgFAwqONTUBQFFRUS7uQyAQnI2cchnABALB6UVlZaXX69WCM6+Zc+XhI0cdsqStBBXNbWg5i0nJbIloEbO9SZOlpyQy5DKePDJ8iz+t1WxQOtESev/jrDBUJEGK0N1B+H8CQEQgDowhAfT09AwcOviGm25sPHjkySf/FJUMhHZwejFjWsmnpp+/efPWAA+6ZIeiqtqnjBiebaYUzTNd2StFT411kviJfmvMRA373QNtJAzRl7Db9cwiGkyOjNuU4bMo7iZQ/6xBRCBALQ8+IGPQ1dNT+qkp3s8t7D+4IBBQHA5nKBSQJaeELqdr8DUXX7N7/84Nn2zyer1Llixqbx9dVlaWWbUEvcT8+fMLCwsL+xcMHNS/allVd0+30+nknANANEVNhMTvjLidia0y8rUY+d5Fhoqi9O/f/4rLr+zo7mpta29vb1+yZEkv3JlAIDjzEaqBQCDICiLy+XyIqISC06ZPfajiIYaME2mDYS3PE8ZPjGeFQTDI7BkWmdNLPLeZcKCzzdGq+qQrAclDVC3jrtO7F12l0GI7ACEgASACETAEAsakYDDQLy9v+gUznvnbCw8/9DNF5ZqdqX2OaVVCcFKYPGnirE+dv3XbNlUhWWKqJhkQAnDtY9e1v+Tdze7HbdEuLB1p4i0gKxKEAzvRN+l2f8tem6Q+EQVEd3B6ooY9TKSP6CaM/gdh7UBirKenZ8qMc2///E2FA/v19AQkyemQWSigSswBjI0YM6nn2IF337mtpKSy8NJC12iXBzyiU586FBUVNTU1XXnF5aNHFdfWbFFUhWE0hXDcd4O1amCpZcVUA0QkIIlJwVBw8NAh5RUPtba01G7bVlxcfP/99+f6tgQCwVmBiFAQCARZgYjaqFR2OPfvqz9/5gU9gaCETIuwRQiPvDH6k134r3bN2Mscj+Ijbt2604Zn/6K1Ng/ijt2eFsGgv2M06g5oZYKlWdXoj9GfXLcdNMkgYkVyAiJVVVwuZyAU3LB+48J582659fqjRw5VVFT4fD4An/BrPvWZMmXypbMvqandpqoky5KqquGV27QIg4irgXWAjx47ZQDM4x3CmIpWdnt6fJH4XoPGhwcaepmdigNkLBlAXJdHXb/OXUyCySdgsBzDuU2JiHNVVfPceds37Xnl2beam9pdTpeqKqGgwiSGMldCPYf3b28PQHk5Occ0rx692gMeMGpIgpNLU1MTAHR0dHR3dyqKwlBChuGulcNoPAQgQkROHACcLue8efMumjWrvLz80ksvzbjyAoHgLEeoBgKBIFuizu1Fw8558cVXBg8cFAiGIgN8wDgjO9vogj7AOMpOXlMrA8bcHIqesBdu38R3gsIx6uH9WrgCKIqKiKqqHGg48PnPfmn86LE/9fle9X8foCL3tRLklKlTplw8+7KazVs4JwdjXFWQaWYhmbYAe7KAbdMkTRvGbk+3VAF0W3NnqWcFGuJ/ciT/JfxNZk5JAASkqEqe27Vjy65Xnn/zeGObU3aonCtcDQRDklPioCpK59vLK4fJU248cG3sQCEcnAJoS6U+8MADM2bM6AoEOOcMWSSFRY6bN4VlOyKgfs58AFi7di0A1NaKJRQEAkGGCNVAIBDkAJ/P5/P57rvvi3/43e8W3HyzQko4QgERDY+ZHAgHSWbmMjmN1eE5GWYnaAdJX2VMxDQ0Ew7ipp0184ETIaIky8FAzwsvvrijtvZ27y/e/8DX3PYnkYb9lOWCGTMunz27Zv26UDDEJKZNJMZcC5JEJeRQOEiNqYSW6aF9jM0K6ByQsq8yRWUf/bbIrsgvorCQQCrxPLd719a6V1/8Z+uxdlmSOVcRQVEUTipKEILuY+31x+sOHT6883DjgawrKMgN2lrF8+bNe+75FwLdPZwAEIgo8hWZu9ZPgICcOHGSmOzql/elL36hrKwMEbXlWgUCgSADhGogEAhyBiK2tLXtq9s7Y/r0ru4uWZK0rdquaKncX5h0/9oqrHPitjowh9U0N6PQ8GeuLmf+JpioF5wDEUmSBMA3bdo098rL3IMWVC8fCmJprlOSW26+acb06evWr1NUBRG5ysNRA1rW0ZTuzbaEAzL2irifTCL7Yy5GaR4Qv/FUw+gGkVusHkja+09EnCjf5d5dW/eGf8mJji5kyDknIOIUDAaAEZOxG3rW7FizbfsmAKg7tOOLX/uvXFdTkB6lpaUVFRUDBgzYuXMncUULIoiEF4XJTVtCAAAtwZDDIQ8eOKClpcXr9ZaUlFRUCIcygUCQIUI1EAgEueQnP/nJwIEDPFfPGzR0cCAYkCSJOGkrLBhm5WLuBjkLEA7/Gz+5bixjFUBqaQvlqHq9ZmDoSOI9YTKViUjAiYiQMSazo41ND5T91wdVKwGAtJzeglMGInK6HJs2biBVZYzF+4/0wgXt7eg1nxRM+LdvSPeGdNEKObgwmW6L/IqlrgAAIiSX01mzYfvbry9XAioCqKpKQIDAFR4KKUiESO2B5ndWLj7Senj2ZRdrZy0pKfF4PGLNlL5HU2OXv/fea6+9pio8odHkujchAJBDkmZMv+CC888HgNmzZ+f4EgKB4GxCSl1EIBAI0mHgoMESY6OGj9hbVyezyEMmWRbAuLDmlCPwbIbp8dOvZBIwoV//rNcSkKdeNi7T8yZzmzYGRuj+csgyJ9q9c9e7y5b89OFHdu/asWXLVgDweDz33ntvVVVVr1RWYIEWd1BdXf3FL3xh/fr1d91+e03NVkDGEDhPiHq3jk0gyxCZzEi0ktFOb8wkIqnvJQP9de3vyaWuaHif0LAt/hkFAIgoSexg/RFg0rmTxxNw7XGlJajVQo0kWeLET3S2Dh92zv99/2ddgY6l/1l277331tTUlJWViX7dx/j9/qFDh7olqW7/XiWkSpKkCwdL3pLsaAqRRkKADBGQA7jz8hf9/BecSYFQqLS09K233sruDgQCwdnLKej2JxAITns+e/fdL/797zctuH737j0ul0tVFGTMuDpBNE4gCVabC2SgAAAgAElEQVS77dgpUUXAPA9CnEu3fgE0vU5guiY8RpYm0M5jcomklUow8Ux9A9I4a3zt7MoqEXsv8jahhAxYT09g+PBh1y28bsvmbU6na9z4CWJdxj4makhUvvJK2R133HnbbbW1tSjJiOGE+mDZj1K5AuTgA0xTODB4wKTfpONlj17Dpu1mfmwGoRvxxGkF8X9ERUzDMYjISCV04MKya2dfNbOnJ4ARtBJEgAhOlyMYCLqd/QqcQ5a/W1X+o4f0vgbC76AvueqKy0vOK1m96iNFUWRZJs5jXcTQSchkm+GlRffWeiMRMlRUZdDgoR+uWn3k8OHhI0bU1NRMmzYt53ckEAjOEkSEgkAgyD1/X7z4ns9+9uILZxUO7B8IBiWHHN5hYoEnIZP4BYosEhefsiDi021YptD8orqrW3tHRF4g2FyJLXxNgyahO9rwo107o1Uq04g/17ydo/oKEamk5rldh48cef0fb7gc8rN/e87tcmrrMvr9fpElsQ/w+XzaDPDu3bvL7rjjtk9/ekttDXNKDImIA0bX2Qz7qvf5R5LYwIxZQuLLhskkIumkNLekF9X3UuPmXrl8/IKqkU88+sOJMxnVoLLsn9W7ave7XU4gijy2EIAQCRECPUHGpIDS09Jx9Iq5F27fvn30uBHhM5eAj3y5q78gBW63q7OnI6gEJYZhfdgEi1ZoX5/W1nNEyMtzA8Dx5mYAKC0tzaTGAoFAAABCNRAIBL2B1+t9cfFikKWJY8e6ZFlVOQCAMe0T6HyQLcbiaWMuB0TXPNfrBcbcB5HfhpyN1pUxneRJNRGfZLf1zWdia9mFYqfWPA4IgUDlan5eXld754a1626cf81dd3/26w9+DRG9Xq8QDnobbda3urp6ZXX1xIkTb7nxxt179jgdDuDAiSMg6DNOEKDBVu+zjyYaXB/bErFqjfJBTprtqdXiUN9pomRfR2t/EYMMapx2JiBSOHc4nSeaT/z7taVNR5udDgcRMGQAgNoYj4gx5ConziUXdXS37z66YdLU0eXl5QAAXqhfVK8tCijobbxe72WXze7p6OIqZ0yKeA5ZEOeMlkYj0xRnQmCFBQW333arcDEQCATZI1QDgUCQe7Qlppwu94v+1wcMGsBVFRnGDM7oi8RZdlvuCCbmiclMZ2Q6NubjGfvRHR13mBYvDMmn+a122PXgT3ZiszfE/I2xxL67QczVABAgkpJfUVTZ4SCAurp9d99xm5NJX/9aWDjQlti0XRNBGvh8Pm1dtH75+VfNmbPguuv37tkjy5JmOYaXUtM3Zohr2Qn0rm8/JSRXMIZKJNQo/ZZ8ymF0nogLH8jdyU0+Uu1ZRpE3PbYbiRQ15M53H6w7tOxfKwPdisQQCBBBi5/S3Ii0SoZCIWSg8sDx7salH7567bXXTloxYf7o+X6/31vpxVNLoDkDGTRoUHnFQyFF4TziZYDxH7M5JjuSO+ohATFJGjhg0LFjxwGgrKwskxoLBAJBBKEaCASC3KM5tK9dv/7Br331mvnzXA5ZCSkYXpY66Wx1rq0Kc98D88umvm7EUMhycG0v7UCsbPR3+k4HqWuKBLEpa9QOQVQ5JwCXy93a3F5dXd146BBF1gkTGdR6AyKaM2dOaWmpz+f7zv/7f/Pmzj146IDDIWuGohaYECka9/tkY7R6UtpAySJ/EotCX4oMab+j0RvJVR1tfbZmkSBcVd0u98ZPNq9ZtV6SGAHXahfRcsIVJAJVVYlAQtYVONES2j2ycLSzHyOiV71ivdVeRPPmmDVrFgAEAiEI92pCMqaqsPrDvIXpBGaM61WEgIxJg4eeM2rUKK/XW19fLxLTCASCbBCqgUAgyD2I6Pf7i4uLn/zjn7hCxWPHaFMfYRNII70huuVwx9x3N6NTZV+ZXjlL/Ixm7kd+BvdyAKDwSFbl3OF0hkKhbbW111x55UcffXSssbGqqirs2yzIEVouA4/HU1BY2NDefuXsS44ePaytahGJrUEwWhe22jolRAHlGpuqXCLpNv6+wsz/SAfqX/VWbgMyvLSoTNxmTgSADOSqpR/urzsoyzIRRzL54BGBc64oCmOoErS27SsYIgHAv46/8WDbl3N2EwIjmv8dcP7SSy8FAwEtKozIzhq3GbSssCQhSzi9dOp5JSUgkhoIBIKsEaqBQCDoFfx+f2FhIRE53Xlv/uudfHce5ypjaMgcYIrJdvMghSxIGEzHzWpa1qGXUgykIvNohWQO7JHdxldk2KlyFRnIDrmpqel/H3ywoJ+LiM4pKhLCQa7wer2NjY3V1dXPPvPX8WPH3nXt9S2t7U6Xi6uc9LE8GbT5vpirz7gnovVSrH1OQixA0i5jRmQdCf0jxCzeyH5drOTQcNgVxBK7hn0JOKlOh6Oj5cTy/7zf3RVgTLK6pPbWKwoHIEnGjs62t6sXn9s1pmzPrfc+cE95eXllZaVR4hXkgIqKisbGxp0bNypqiEmIgMhYokOB5RPeThuKNEPUPA2YdMkVV4wZO7a0tLSwsDAndyEQCM5ahGogEAh6Cy1OYcOGjY889LN77rlTUTkRkD0DyGLQlDaGpcswfp/pOCxhBhEjYzE7FehNQyjqi2qjMia77QkHCSoCECcCkh1yd3fX2//692fLPvPVBx9UlBAAlJeXC+siG3w+X1FRUVNTE6g0YNDA3/3yN63tLXl5LlVRI+8qxRIGpGvK6snmWGuybu0nSYaLQqZqGaTWDhK3RxZDia1+grqfqD2XTqUS1lCwqp7WWJATOR3uXVv2bli9RZbCaWj1vVMrpvkSMQacc1XhkoRBNbRt22YidtmciysqKjR3ehGLlEP8fr/P51u/dq2KGAoqjDGy812ICbFppnJUwlebpikRk6ZOnTp9+nQAmD17du7vSiAQnE0I1UAgEPQWWpxCUVFRSOXN7Z2TJk0MBhWZSZq/gaWlabKdrHYkO8x0Xt5smGWM9rSMH7UBJbmtuApmZcSF7yu5QmFmDKWoXHykQuRSwIkURUHGGJPXr9+44Pprp02bfvedZfv31QGASJGYGdqbNmzYsJnnz7x69jW/X7ToePtxd55LCSrGNq+1q7hF2tJsPifbPLei14InUmGrB0aM89jfSY9JashF+2v6Tgd2ShIAEAEiI8IPq9c0HDjsdDg454jh9K9RMzXmEIEIgKrKGUPZLR1vaRg3bsSu47vefPu1iooKgH0rVpQLTTAn1NbWAkB7e3tPV1cgFJIkBtqCKJatISYT6FWolBeKliBEpywDwKhRo8rLy0tKSrK7A4FAcLYjVAOBQNCL+P3+YcOGAcCIESP/+e93+hX0UxSFMRYZCdv03kXzDGB2QICkgy1dPjPdZI7xlY1RfswE6SP7J7Gyuj2oe3Ns1ycu4QTpTSYtBzsBEfG8vLz9+/Y/9cTvpk46d+KECVqKxJKSkhUrVggDwz5aYAIADCgsnHf9vJ/+uvx48/G8PHcoFDS0d2PAiJE0padT98OJTdH3hYgQ71Fj/jYaIgTI7GMggHSrmr4rksGpwKwBGJ2DiAPJsuP40eYP3vuEFGLIuO5QnQqF+jvkXFUUxSHLJ7o6dm5aM3xEUen5g6qr7/N4fBDxZBBkT16eu7OrKxQMIFosWGHVQGIiePL+gQDaB4zEueyQAaCtrQ1EXgOBQJA1QjUQCAS9izYR/cCXv+L3V95w4/UhJUhJRtvpjU7TKG20STA2dRMdiqVvqZhe3rxOxhn/3I3Bw27P0T8SbyLeT8PWtWMeB5HY6fBglBMoqupyuZqPN7/15r/27dlLRKoSqq2t9Xg8wunAJpoHeFNTk6oo02fM+N63v3308CG32xUKhRBR8yyg2KqhOaLvJvTNao2Rf5M7V8cCgnqnvvZ8b/QlLAtZK3dJyeS2klU03EpQ39cZk7ds2LZp/Ta3281VVXft8MMnJixSVBOhoBKSJFQgdPjYvnOKp9x449ramncBoL6+fuvWrUI7yJ5BAwa0dbYrSoghi65tkVQBNtmQsgFhJPLBne8EgMmTJ2dRZYFAIAgjVAOBQNAXIOKQIYMfeugXkydP7u7pkmTZpBCZvkz4K35XqhlXg/0RnbIxn7NJa0SPkWlASjTOLaub4dDb3LxKsjdcHdLXKotRv3YeAgBE4CqXHA6F87Xr1tx208LxE84N9HRrTgc1NTVCOEiOJhkAwLCiovETJjxSUXG08Yg7zx0MhgCQ8zjrzHSS+dTHWjgw3W7hY2AqMkT1h9zX0G7xLD6UTOsdiziycIyI/s+5Kkks1B36aOUnLcdbXE4HV1XS6QqY8BTSBCqGqHKVA2cOaGk/erynrmTEzK2161avXl1aWlpT4xfCQZYEQkE1GFJVHvE6MTyfzbCKmEvWjMJfRgSFBYVl3s8AQFlZWSbVFQgEAh1CNRAIBH3E1Vdf+8rLL933pS8PGjQw0NPDGDN4+ur+sC0ZpIP19KbO0UA/GEs9ujcOxKMz8mblsgMTXpjtTIHOOTnzKiGGPyGucIZMdsh79ux94dm/IqPPffYun89XWloqkqglISoZDB4wsKS09OmnnmpsOprndodCQUSIZUAMy0vhrpH4cZ1CCxDkllhUUDJvg96WDMx2k3EX6bq+pbphcQ+ZfXa6jmvswrGIFgz7p3DistPRUHdo/cdbJW0xhcgqnuHspRQ7HVH4wUdECKjlSESGPYHOtza90w09g4Z1VVRgaam3qqpKaIIZQ0RTzyvhGG0UBAkRJulg3Yi0TIiAQwYPVUKq1+utr6/HM/SBIRAI+gyhGggEgj4CEV9/481VH354wQUXEgBhbOgUzcJv9DbIwrq1WSWjZJDWqCpS4fAQ0I6vQcb+5nGHpTn6M3kbM35bI0u9EQFxUlWVnE5na0vLknfeUQMBIjpUXy9UAyu0FRMAoCA/f8LYMYufe6G1rcWV5w6FFCCM2A/xE7rWH9YpbgZk2oX74rZSXMN2FWzdXRIvoZwRewBp6UcIkbjC13+y+fChRqfTSSqn8PMq9qlwAG64g5j4qagKSgxIPXJkr+QePG/hKyuqn6+urp4zZ47wOMiY8p/+jHhM8zN5I9N4a02LEkE4GE+S2ciRY8ePHw8iqYFAIMgFQjUQCAR9xyuvvNJw8OBTTz89Zmxxd3cPkyQeGeRA33phh/UCvZcB6EfzhhlPu+cznkJPrvSPeG0iDfMj3oTLdOQfPkkkNyLnqirLEqm0Y+eOeZ45V86a9e1v/s8PfvB9YVrEoaU/HDZs2OBBA4vHDH/jrX91tLflufOUoKITCijNucfet7DJ+JPhKdLExm1lWBfbzkTxzgLJRMU4rwJbj43M3A2SbtX3biKVO5yOw/VH13+yhVRCbSkFs7SOFHFEiDi5aKIuqYrCiYNEbSeOd3SzuXM+f/NtCzwej/A4yAxNTiVSIaK9mhbL3tWOwvIuKx55zpDBQ0pLSwsLCzM4j0AgEOgRqoFAIOhTXnr55bIy78TJJf0L+/f09DDGdEnfoiMkoxdwunZLqpKxlAa6PFTGLAGRLbZlg+iB6c1T2r6v3Pld6K5n+vZGfQlI7xJtWR9tUUYAAMKW1tbf/vGJoBp65JGf//P11x+4777cVPmMoKampqmp6fChwwMHDV6xrLqzs93hcqghBTH2YUTdDWIWXepPPYUzf6qD0fgTwapZ2muFCaUy9rPJ/NZyis06xNU2iUSB9k8ah9UbGTX4AQgBOBERR4LNa2sO1R9xuZzROW4EbQWF8AvdkivhJ1g0UR8RVxUuO6SeYMd/ql925bvWbVpdXV1NtxMSWCwDIDBn49q1AKBoAhQHIjQ+cxN7iUk3AhvfBeHPmNQBhYWTp0wGgNmzZ+fsNgQCwdmKUA0EAkFfc/DgoYI896jRowmADA6yGBsR6X7Hk3zElGogazaQ1ysIGPs/c2vFcGTiTGDiX+Zb7F7KsqJJTxlVBgyz2xSNQohMWVF0g8n5CSLhCoCAQIhYtWz5TQtvGFlUxLkKAJWVlZFY6rOa2tra7q6uYecM+2Dl++3tbQ6HrKqKLiRdP/Ubt8UmabdXs5xqJidJUote/FDR8o/cndnOadH8fYph9R4kPXnmooHVlWMyU2T5DeIqdzldjYeaNq2t4QpnCNFsGdz8wRqv3iIiIimKwiQW5D27923tVtvLy8snsGIA+ElNuVhv1T5bt27dvHRpqKtHUVUirktjEv7H2PPNJQPTP+LKERFxApUGnXPOmLHjy8vLS0pKcnILAoHgbEaoBgKBoE/xeDzXXXddd1f3k7/41ZAhg4NKCBmjqGusNn4yjqLsOxnYkwzighHiB/B2xvLZDpNzP8zOygLRyQdWTrPmmkH0l/bhqSpXVdXtdtbv3/+Nb31j8uQp3/ved7T8f36/v7y8/GwzMIiovLxce33JxRdPmjx5+dKlHW2tDoeDc9JkMop4GcSrZIlvumlivZQlzEiiiem3J9qR9smBd0y8cJAj7SCNapmstHKyPR+SiI8m7YUDyZK8ed3Wo4ePORxO0FJuWgmy8aeOyAwAnHMikBy8ueXoso/e+PTwq59YtwhfRY/HAzonGUESjh079u9167q6TzCEiENHtP/bPUnqggSASACy0zls2Nhx48eByGsgEAhygdniZwKBQNBreDweqqz8Q20t37pl6uSpa9euUUIhWZJ5dNFw6xGttjG9WP54OSBeMjAnaYFcD5ApW0skPF+Nua+aDgLCWAZLAkQCiuS0JKTwDgBUFFWW5Z6ewMsvvzht2gXvvP/O8f1N99zzX0SkRUSfJUHRminl8/l2bN+2a+eOSy666KP3V3Z3dbpcrpCiaNnQrA+22Gf8kNF8W7JmYK6PRT+9+DPEncpWQ+0DCzKrSxjeoaRvl91+aasLx18JAQgTF0G0eT0wv6ShJgRAqup0ORqPHN+8Yes5I4fqjk3xNA13cYi4JyAiQCikyLLcHWj/eNPai4dcqN6EO3bVTplUUlNTs2LFCo/HIxL1J6Gzu5sxFgxxxOiMne2Hv11Hg6gUSQxx+PABeXn5GVVWIBAI4hG+BgKBoE/x+XxQW0sAT37wYVdPT9E5RZyMU1WWLtLpj67TlgxSD+B6wSLKxTg7HNveR0N2Ex96DNu5hKC5RgMyZNKGjesX/ejndTt3E9HfX3ihurq6uLhYi1nom6qeLIjI7/cDwJNPPDF+7LgZ06e9/35Vd3eXw+kKhUIYyRmhd67RHZx2M0tIzGHSEnRbzV/abYnpVO40/phz05tsqQlpkt6bSgRO2bFpXe3x462SJIW9QBAptmyH5YHxl0UIKQpjGKKeg031J0LHpkwqWbf541dffdXj8dTU1Jzx/TobCvv3Z6EQV0IMGZr3UWtSFtb59mjajcMhDx061OVyZlJXgUAgSECoBgKBoK/xAfhKSnw+n9Pt+tGPfXkuF+ccEJMupZCxo3QKdCsvnhGEU9rpkjT0EvEWBYEWUKsSSsiJEycicrlcR5qOvv3vf3/u9ts/e889/Qv7LVmyxOv1+v3+M9jA0CQDr9eLiKs/+qiurm7tJ+tVTg7ZoSpKZA43km8u9jbYe0MwQRbA+D1aLH6kKYQzHZoceVJbvq2L57aGllETtvI75C5GQn+RnH8G+oguIiDOyeF0HT54dFfNHk0JQYy4xxv8EszOFXM6CQcxIYCiKJwTk+jEifZ3PngVpNCsy86vqKjQ3ODP4H6dJUMHDWKqqnKFADgn0NZgjEHGzy5Noq0zokW63W4AkGXhUywQCHKDUA0EAkFfgwBYVtbY2NjTE/jjk3+YecmnOOdIWk7pmNN1wnwoRjOAJz114sGIoLObwLjdHrZHcyYFMe43xNcwtsUeelNQn/0eDSXCmyNqTA6ME2PexEhWA9JSImrh0ggIXOWISMCBk6KE3G53T6Cndvv2a+deOXri2OLRIxHR6/WeqaEKesngxgU3tLe2btu8WZKZJDFFCQGApqdEAEObictOaSDhE9S3IrT6QetdSW8j7JeDRtEhozfErOOErVc7xycUytwqjZhVFnUx3q6xhHVVLfw8DL0x4VVWGN83y7dDC1tCLfMhI7ZpXU1PZw9jjIh0d6l9Phi/LGP0LOHtqHX6sEsRcK4qjLGeQMeR4/sKB+ffcvtCrfyZLQhmw4Rx4wIAKsdIHAeaRQClaGjGZmpeTFuWxZXnBoCamppc1V8gEJzlCNVAIBCcBHw+X1NTU3t7+6v/eL2lua3onCIigMhqYAC6CdMsrhI7gYnBlfTEZPE6xTEZxVDYM8fi7Tdz+zCsESSKCIiQK+0gBkV/6zUEAtJWhkcOgIiKEmIyQ4ZNjccfe+jXEle/8fUHtZrOmTPnDDMw9JLBTTculBju3rObOSVEIEWLDedawcikrO5NTB2YYNPizxH2L5XmZ5he7U0luMwhMK4SkuTcWb3XvdaurUUJ02oQAHCuOhyOA/sbDuw/KDMp/EwkwJg3ASHq35PE2hu3IHIChXPGGBG0tDW1nGgCAE0QBOFxYIbCucQYAOhUgzjlOF1iwkHcwUTkcjoBYNq0aWVlZemfWSAQCOIRqoFAIDg5+P3+QCDg8/mmTj3v/i9/kTFkms0LGJdSK6Oxu252NLlkkGLMbd/FIGltbF0syeG6E9iZJY6KCAlnyTYew+JGSfdOERIPbyPiBIBc5UTkdDh6ujpXrvygpbGJiAYNGOjxeLT8iFlV6ZSBAPxlZZpk8NWvfLmgwFW3d6/skDkR5zw8WUto0qpS6AVWs/X2PQds34ApudYokmcx6dWrx3z39Q4eZpfI6WVt+HXYPlW65ri2vglDFuwJ1W7agSiFPYNQS3kIEHMoAKt4mXhPhLBfUXiVP9mBHZ3H3/3orR2Hdixb/g5o+WsERpCxnp4eAJ7Kxybp7vidFhkSiJjkmH/dPADw+/0iS6VAIMgeoRoIBIKThsfjmTNnziM//yWSfNFFF/UEehhL+lAyGR/pHYL10+5W5SHenTgBMvwy3a9PsmDXxSBj4QAzP9T8mFyNH8lo7IZN4djceeQnPKVOKlcRWSgU2lKzdZ5nzjmDhj/312erq6vPmGlJH4DX70dEIjrR3rF16w7GGAIghRsimTauZHdv3rosPkE0doc0Sf4h5KDRJDpjZ3KKPmgrtjUYs4KpqmjyAOtltCsQkMSkndt3t7W2OyRZy2kQWcKBLIzK+Dsh0t1epP9zToqiSDL2hNr379k6eEC/t5e+WVFRoa20Go3DEahcdefnA3HIUueLPxj1vzQ3LmTodEj19fUZX0QgEAjiEKqBQCA4afh8Pm2576lTz/vrCy8MHzY8EAhgnNOl5WSqfhOabDW3l9FQ1AIL4UBvEJBpieRk4oGapZtCXLJH67fGNglKgeHP8MRm2FSIrI4R/osT5xwAkGFj07FfLnpkzepV5eXleS4ZALxer2ZmZFG3k0wFwB3Din50y033/dfnNm/eGHEO16/LDlHfbesgmCRe4jbJtWRg56ypXNpPCexFgOTyjOEyvRyukOryAEBEjLHjjS27d+xxOB3Eo5EysSAFncpnh7D7AQFxopCiAAeFAkdOHBwwtICIJp03trHlEESuflp37ZygAu8KdgWDCjLkFh4uEdLtwqg5oaCW0oATcSJJOmcYAkBJSRaVFggEgghCNRAIBCcTbV5k1iWX/On3v7/p+usdspTN4DKpIoDmmy1IUAVyOOS1VYscRBNYXzy7Mye8FUnCFmJ7w0H8REScGEPgvHrl+wvnXXPHXTc++LUv+/1+n893OgYsEFF5eTkAjB839uC5E/b1c61Zuw4IGIKWds668VCSfVlj+yM2UceSnjL+xKmiK1IXSsqpa2xmUrM+vhvtctqzD5FxlbZt2akqKjKm7Y1EKMSrWEmSI0bA6Im1vzhwRVUkCVvaji5f/eYFs2Z0nGhrP9GiO/bU/Sz7gEAgEAyGVE5h2x4AsnE6SDhMCxgBBGBIABLhsHPO8fmgtFTIBgKBIAcI1UAgEJx8EPG11157f93a6dOnBYM9kiRRMnsq6UDLeme6g7PekQw0UtYlR5HquSbRCyMuMMHskEgRouicIxFxIKfTsXfvvrvvfEBGmYhefPEFLWDhNHI60Orp8/n+33e+XTxy5HlTp25ZtwURkGHEzyLqg2FpiRmxKyrlplTWb7NJIHxcEI/5UfYUk9y2grQCxu2SxDEkfnuSJ5p9MohxitSFZCbX7z/YeOSYLMucq2Bhyes2JvkAwppgVBzU3ItCoRAiPxHo2Hdw9/HmI4UFg5paj0YO8RP50q3+GUMwEAh29yihEGpjb4oltcWIX52OtL8Cok4lxDlxcjnlESOGA/i0FTEFAoEgS4RqIBAITgmWVVUdOnp03MxZQ4cWdff0yLKcOKmVGvujrJNkktu8jd4Nfs7ubAn+9bHAhPjk9BSzLGIbojEMnCs81K8gv625ZcXyd++64/bPfe6eUDBYUVHh8/lOi/XbojVcteojibGJEyesW7MOZUliEuc80YjWH5rcASHFde1a06m8AEwNRltnTuucVmXTKJ2rpoBJ/8wOs6Zv3G33NFntN4Coea6HnymMSR1tnXV76iUmEQeg+NSz8ddK0xuGAycghVTgXAJ+tLlh2ao39h7bt6/xE4AKgNpFi+q1RRbOQoKBQDAY5ERa4t84j69M85GYg4gFAwqdjlEA/5+9946T4yjz/5+neuKudpUlB62CbQWvnHDC2etsMDjB6PCZu/MRDBzhbI47uOMFGnGA4Xc/bIPBcBjw9wuYsONMcAJLTnK2sS2tbdmSJWsly1plbZzpruf7R4fpUB2nZ7WS6v0azfZ0V1dVV1e36vnUU1UAIFUDiUSSAlI1kEgkY4Xnnnl27YpXOo86IpfL1tSawhDAWFDB7I+prynomu4gTFfYo/32ni4kwd76zr1ktmvROoHOPnXzY+gJHIjr32DNeUBQrVXzhRwB/u35Fy+64Lx58+d/5cv/oa/fdv3113d3d++Ja4tEuVzWB1N0//73zzz11Au3bIIAACAASURBVJtr3nzu2Rf0akoa18cleIwugT3pqbp+9z+u4RzU0e+jF6TlCeGTkVhX0CzJyP4OCVr2PhivQhD6iRd7ShDonusAAETEENUR9c3X14wMVxGBiBOF1LcowoExiwnUXQ8IaEStIuLAwI4t61f3rtuyFv5p1bojOzouqFQqixeX9kOng1pNrVVHiMg5d4/5AhD/H5b4fwMa394+o6MDADrlxAYSiSQNpGogkUjGEPlc7pZbbj14xsGaqiEyREZkmtK+0yJGalgJxmKLDKdk2Y6UvHtSQrFLc5rtxhg5iofldA9+/gXuD5kmdP1E/RuB1WoaQywUCmveWnvrLT/ZtWOn3rDu6Ojo6+sbm9Mc6FqIPivHor/7u0cfXvr6ypVKhhFppHFENG0ty1Pf33K0SWKhyUazQ/2P2o5YN9F35ERkw5fCs2QGSyQckONXY6D1Pok9uYegJFLKmW/hRwsbKXbTqEfA9W/19r27JZvN6LOTmi4z3pttbDgrs2d1xvptIlc0qqZmsoyYtnXn5tefeAFGjhhRB8vlcrm8cOXKzqVLl459f6IU4cQ1IqZrBubCuF4ROdFr2Vsrsb1tQseMGYsXL5aqgUQiSQWpGkgkkrFCV1fX7Nlz/usrX/nwxZe1TWiv1WoKYyDslolP5O4+b6jRbNemrRA0Oe8EbkNB4GtgGqX6YXBaqASEiASkEc/nclu3bFv+5BMf+tClRPTaqz19fX3Lli1r7jXEx5rLoFwuE9EFF5z95uo3M9kcAhLpziKico9xLyJWA2GlDjLunaeFKAGxcMcdIWhQAEcNGSWCEyLXD7tlbd8TRdVxx9vESzQMU70zGwEJGGM7t+9e91avOSefoVcR+LmaGMKBWyxwbRuPtuOpBwRN5ZqmogLVkf43ep+bOfegxYsXP/rEgttv7+nq6hqbmmDzYEwBAEBE3bKHlOe8tdasAeDjx48/6OAZACDnNZBIJKkgVQOJRDJW6OrqIqLrvvvdzTu2z5k1M5NRVE1jjg4Zk8YmLvP/be0VboviitXgj9SZPKqkkqNohlJdVgD3Qmz1ZRoZY5qq9ry84rRTTpk3/5DBwf5ly5bpKxSMEax833XXXUR0bldX77oNSjZDpK8riabx5TR8ybnhQwPdjFGrI7n+BgaKmw/f8316p/dKHNfi9/Ecjx256GdoeM9BhyhBQEAMWW1YXbd2vVrTEIGThqacZ4UVjaxxbDj1BY/MU6/tREhEwDUCBFK07Tvf+fOjv5t80LwLPnj2r277v0uWLNmLpj5tECIkfTIJq7y8D7zAKS48Yts/a9JZyBQK2WymoRxLJBKJDakaSCSSsYLe70RESibTfcc9EydM4ho3Jo0SagdpWR9i4cAnbq8ZsDe2eGOZp3HFkVgxGxjzvHMgRJbLZbf19V33ze+oKieitnHj3njjjebkIDZ6LX38sceOPvroM888vXfjxmK+QJyIOw0nz3a94jSvPAMg+9eoJx/90aXgUE3ulvdBlI3gnHgCJM646O0UL7L61C/1mWK2vLOlf/eAks0AOWc28PUpCM2ER0mwbyComlpTVaaAqlZXrX55YGT7xR+49KGH77Ne+y4pcR+EiHPxELuEU2sId+k3miCfZ4qiJIhYIpFIhEjVQCKRjCH0yfOff+HF//7Gkqs/d3U+n+eckKHuxz7q2fG0+z09aiQKGMQoX4RgQS/nseAc2W3c9I1Nd7+qOYyBE0E2l9E07U/33PWRRR++5NJL/3jvPe+/8EIAKJVKe6pzslwud3V1LVmy5Nvf/vbA4OBVH/3HTRveaWktaFzTnbHdkN67G6fkmlQ9yPmVjDTy5siDvWgiFdMYMCmdnfABzgbkOG6d641NmEbYia5MhGTYkXMiYoqyc9vuvk1bM0wBIOCi89zTXejnWjEKUkVhGZhXpKsVmsqJSFFw5+4ty567t21iHgA2be3d0b8NzEdsXx22QAAIPO1qLFC0iAgQi5mikpG+BhKJJDWkaiCRSMYQiFipVE466aRXVqzcsW33YfMOIwREZMZ61omVA3c3mLthG2y0BHYc1juQI7In1khIIhwI+7JSNdc9vfN1I5IIGGKxWHzpby9+/Kp/zGWy8+YedsUVH6lUKuVyeeXKlaMsHOiWTFdX16c//ak5c+Z855vf3Nq3ua2tlauaNX+8p4NVXCkiVJgmXdoolJho8hHnL78uUteO9Drro9LMBETSW5AmEIKgw9r2RiNzGQNx1AiKwgYHBje/24fIwt5HZNMOLOHAPCRcScU/Kv0UTlzTNEVhwLQN77710JN3vLv9nQnjJt33wD1LlizRx6l1d3fvY64HRDR//nxuzCUREM6+5R/U/9kw1wjBbEtLhklfA4lEkhpSNZBIJGOLSqXS0dHR3d09b/6C7jvumtDWptY0RGZrGQV1oPvj2ylIkZtqwbHHItiMTxPx2A63YhCWsFUuYa3ehtFNBf0ec+LFYnHHtm23/uynw8NDv/nNb2/6wfeXLFmycOHCSqUyakaF1fnZ2tJ+xhln/vTmm97dtGlc+zhNVYF0LYtMV4n6hPTh1oG3so0RKyl8uLXgHIGftc/speR66NxH9xhC8TD9fLrfOAExBnkj2H+7VDdzj1OqMC+PoaKpfPvWnZqmAaL/4otBebAiNJddtMsJ5uB6c9iBTWAwMsGJiBPLKbsHd65et+LhJ/8we+akn/z8+5u2bFyyZEmpVAKAB1Y+0E1jd+3VuPz7l7+C5ppAzUkBrSUcGVKBMSUjVQOJRJIaUjWQSCRjDr3JeO555z3+6CMfvfIf7MukORqwdjOloWYYmf1mtn5gtzeCLWikOFH0cQXwntMci0kfzuw7qWSwcCA2+6Ji71mNbBRZ0xwAgaZqyFiN86VLH77s4g9MmtzeNq4FEUulkr6KQeSsJKRUKm3evBkAOjpmn3veZT+/5ZZN725uGdc6PDKs51OoD0QpoXoPblMNZcNWi5lGQM31CSvYGyFrTnvWL5fJCyjZyiuh6cW4vxFPoghhbIgGxAhfWzZpzZzagDEEYLt39quqqigswmvHioRs3860bTKB74XYsqIbuMQJCbOZTP/w1tXvrDt0/qzPXPPZO//w+zvvvn3JkiW7Fu7aBbt+RD/aZ7QDIjTeGQFhICSAWHLSMXUDApZpych5DSQSSYpI1UAikYw5rIEIp51xZq5YWNA5d2hwQMkoxrxdRneN97TGU3Z4H6TSDWw3Wuoqh09WRYPjUyTc48CeldRwmDCBR217yeYazTkAQDFfeK3n1Z/c9OPdO7YRESIi4ubNm3WNqUnokff19c3s6PjYx/7pK1+6+p0NG8a1jlNrVYZIQA4TwNfq9TWKRU4u5D5vrCOe4C2MANPHfiSVIoilGxgPK5mfRhIWqY7+B8UHxFZkBElC+NTpCyIiA9i9s39keIQxxokI0G7rB9dUZ4aS3B2svwgJALSaqmnAGd89tG3d269MmJw/fP7C4y84prgq3wu9U2HqjPW73n77/hUrVuztYxYIG86/6LlB5z4kUBCLxfEZOa+BRCJJD6kaSCSSsYglHCzoPLxyx73jJ7QND48wxtxtrsQ9ibZVxUU2nSUf2L1ryac3z3aSf758+vlD90W0m1DsIu6OWjQxBPqMYkDfH/Vc+WXMU551p3SBSeQHge7+DJxzzjkV8vktW7bedc+9V3z4ciIaGtjd19c3Y8aMJs2PWC6Xp06dCgCnn376P3/sY+efc9aG3reLxUKtVjOGzBCYFcO6EIJ6z6yf+iSqat6gDdll0QiszlFAYY2Kl3zcQ3HTwDjD79H27dpZ/9lYzhzF7dIUghU2ZyQ+P/yTBAIwXbYQlf7dgwP9QwpTyKjCIXqAvRBtb1CwvyEjfPSobH4JRukS1zREINR2DOxYtenFTI3PwjmLYfG8HRNO7uh96qldCxcurEClm7qX0tK9VD5AamB4guiKvc8uIhIAMcwDZBSpGkgkktSQqoFEIhmj6J3JJ59yWuX3vz3jtLO4xgkRgJBZLfv4zS/D0rP67+omn7AVHyE6nx97DNFIBOOI629wNH4H/K/S39whn+36nghGIgFpnOcKebVa63n11XPPPP209x6rAL/hhhuaMU5Bj3PatGlnnHHGVVdddc45Z23Y8E4un1NVFUwxA8RSSMSKkJphvJcjrhHNjH+08bvTFPDLsUt8CRRwLCgvQMCRsYGB4Z07dzMmEhsFCduUB/c8Bo4QgRqUYA5HMNdw4ARAoGkaMmJMG6zuWrvh5fsfvV3pHQ+w+NgTZjyx9rEe6OmBni7oAoC9UThAwoYqZOhLxvy/MaMo+fb211etAoBKpZI8RYlEIjGRqoFEIhnTIOJLL6/4nxtvnDP3kMH+/kwmy7llr8XBJhWA/a9tO75wENwdH+fkNDGHL8dO1u8s9HzbsFsJSQzhiKKBkThXNUXJENHmvi2Lv/Hdw+fOL3/tazf/6IdxUw3GkiHGt4+78MILL/7ABzZu6M0XspqmubIN0JAV4Hvy2DaITFeatKpwBHtzlAjPQ+L8kfClExZpsJ0YLCv4ncA5KYi14ZGd23eSrsVCtEc4zsUH5dfEXKwRCAjNuRE41zS1xpAQaaQ2uKbvtT8+/JuNW3YsaOs8Zm3n6ZtPeG3XS2B7SPci9BEK7lIILtVY4hAB6KNrEFtbW1e98Ya+LFHcfEokEokXqRpIJJKxzre+/e1rv/T5Y0/vnDB+wuDQkMIYAJkWbgSPA3I1roXt4rjCQWi6QanYY0kJlw2SUjecIH/R7broWTBLPTRuAgLgnOtDWNRq9Y677upZ+cq/fPZzN//opscffySt1dqWLVsGAAh85qzp//LJT255d3NLoahLBoZkpY9NcGfY6Ii1X1T9iK9BGmYzN3Wyi8igOSspRhkXNLZVj8ZoVCXyezUExut3RsTnkVyPFzJWq6nbt+7gmoaMBTw1QbIW2fwOyDlkQQ8keBMJ4kOor+KAuo89ARGpag0YMYVxULdu37z8b/cXezMT322bOIR3//E3S5Ys+f+/d91rr71mj2rx4sWlUmnx4sUh5bGH0FUD82LFilC0WUTDDiPkcjm9cKRqIJFIUkEOeZJIJHsB9z/wQNdpZyzonP/ss8+ZY2Gt70DI+SUMgO6txonWB6hPJxDNCCHrjJAgsWfLd0fgt8PbUSrMjSMYmZ3SdXPFN2ljYkErqO7Mi/ZbjQCcjA5KDowxIlq5sueU95546YcufmTZI6eeekYqTeRly5bNnNlx8smn/PDGn/a9u7nQkq/VatY1+UhLQeaV/XBoWYQcikXEuiCe1KKxTKT5PIUl5EfyDIyi7CHqfnYdT7MgDcGLNJW2bN4xPFhV8grXZxyNcjKgmR+y7XQGAevR940kJBHjPYZcI67VFMaUHEPgg9Vd6zbvWr850zqx+Nzflo4rHNi3a93jT983bcpBLflxt9zyyyVLluhTpXZ2di5cuLBUKukbYJsrZw/C6nmgSO/+aI4GaJUZoK7TcI3jWLhgiUSyDyF9DSQSyV7AayveaG+f9Kvf/L5jxsxaVWWM2RqlId2ebskgrGc3ARg0nUBQtqyzE07T4I4x8JICLja8HIQhXDqCI3WytXgj6yIkDG91RBKZU9rrk7dpHBCYwnZu33H3Hfds2Lhx0aJFkZISJk+kd1QCQFdX19y58373m1+/s2ljrpCrVmtgOHKT56odG26ZhQR3hWyX6p6MM9Vq6c2lmyj1Dn0+ERNu3tX5x2b1dzumM00t6fRtsSjGYwNqoCMdAiAiQkKAHVt3Dg4OMsbqeXDcX9+nPpoxW38oEpU9GlO8MuRAmqZpGmcMlAxihg+M7Frbt+aNjc9Va8Msx7Zv6Tv44EMO7Zz5q9///KYf3/g/3/tOT0/PwoUL9W8AWL/+i8uXl362fPH9b9+/glak5ZQU+5J44H2MlCNHIO+AMePWcIKhob1x6geJRDJmkb4GEolkL6Crq6ulpfVL/3btSaed8OCfd/X392ezGc41W6tJ5HdgN+U8Xb7WabauL3tPWlSE6w9EOm2UW3QJUnSMeBYSscM9egnpEdSH/5JtiXME5ESo6whEjLGaWlNY5qgjF/a8vurmm3/S2dkZNR1XqkSVSqVcLiPiqaeecvbZZz90//19m99taWnRpz8EtLf2hcKB4FdIoqIzmtM9mKCqhXkbNFKBrRNTvVrPIy6onEiNz8aQ6nMb8nw1FrN4hBEAIXFChP7dAwP9QxOnTDB0T1FGBBMYIoFzpUZxSCsTgpyEv2XrUqE5Go2AiIP+9CNiNqMA8p2DW3cOgsKyDyy/q2PW9JEaTZsx8fxTLps4ZVzflq1HH/meV1f1zO7Y1tFxw1NPldph4VMnP7UYFgPAj35UXr78ewAdM2bMANjV0TEDoA+gq6k99Kg4/AvI4SYQBUEw0U0mQhhGlKqBRCJJEelrIJFI9gK6urqI6HvX35hVirPnzEQErmmILLSx5e3jDQgQvNMLJpYMrPP3DqJmNEYTNcZ9M24covENCECcMVZVq4yxhUccuWbd29t37ACAnp6eBCMUdMmgVCoh4t+VSu9973F/+tOf+vo2F4tFtaYiIGKkzl5bE13keuC+IHEv/Bhq5sesn+T5Dgjg2JUA3xMjVKzmOHQkIW4eopuW5Nm226YIBATIhodHBgcHwXctyXg1wN/zwxGA3L/E5+kOImK/FgQi4pyrmsoUpmQUzFC1trtvxzuDw1tGRobuf6x71iHTjzthgTIe1BGtWDzthVeun3bwkfnZuy/qvfDxVx9DxGnTenp7O04+GZ56qrej4wKA2wG6yj/67A/v+fj99/9q6dLuFStWPP/888uXL1++fPnbb99PtIJMJwWi7u7uUsDkCYsXQ3d3iajbtsIkgK4a6AuwkPOONAza/hjKKyJFHXgikUgk4UhfA4lEshdQLpcXL15MRD/9zne+fvtdJ59w3O7duxW37unf+ykw+Mg8pQHinm11LQV6SOwBArJhHGowo3EdOMBWWGDYemQ2uAGYolRrI7ls4dijj3nhpZde6elJnjObZHD5ZZdNaG9f9tdHhwYHi8WCqqp6x6NXDhDF486+T5ULyU4zxKRm1TJPvLGEg3SnE4lugtVTT+MdkByPa0SKcYLlE+Dab7oaAAFDVh2pDvQPkDHmP2ZGyO2pZU8K3UEd+7yTHoi9InQbmMg1J4F+OhIQIemWsQaIlMkwRABFHeHV/hFVYQpWq2/1r9j42KvIZhLBBLU4kbUeevh7iejXv/v+jJm7lz8z5ZgTpm9894VdO845fAGWuqE00p1v7wE4s6+vr6urS1chTz65BLAEwNIJSqXSokWL4F8Wn9m18FhzZy8ArAd4+dmBJUv+TFQB6Lby/Pzzzx933HF8RLNqaqR6F/u2GDq2BgBDQwuJAKAEIKdDlEgkjbPXdHVJJJL9HCJaWan0VCovTpyYmTTprnvuQgBEpjut2sxxR2Pc+ApUDey9NPU9QW9HM2gyQ9jvUBRSeWfbOsLdyZJ/d7dxBMV2QXg/eWBpRbwuBOKkKGxkZKS1tXjCsac88sRjr72xKtrJAuySwaWXXDxh4vhnlz/DgRcKBa6qYEgGTivYfhPFpqqucTh+xgLTmIvQNzvhqet/oiVPws0Ioc3UknjriKQK335uceTCDuywnFB63cO26hHj1oTeFE/+HCegKSXol0qokXrxRy44uevEanUERCUQVHiEPj4KzhdqhPiMY56rMzQ7QACqHzVeQra3mLFhLNiAgIBEgAxRyShApHFOGkemICBTFARinAGgksnnii3TJ0yZOGXKgRPmAMBPfv/tiZOUKblDctl8W/sBSAyR5bL5KZNo0qQpq1evnTf/ZH3Fx5UrV0IJSkbiDsO8ArCwZ6G+bS0P+eqrPQsWHP6pqz/21wf/2t7erqoqQxQ8Pdb/WJ4jfr+9B4g4MPjDHfc+9MMfXn3zzYukaiCRSNJA+hpIJJK9A0TsLpXWz5hx3Q03fO2rX509c/aaNW8qmSyi3gutY2tRYcAviNY6TpvGU0mlY9Zq9Bt2hBExgDEMAIWWTN2kcDXfY6RpP8++EeW6CAA5KJlMdWS4pbW1q6vrwb883IhkAADlclmfy+CSiz9QKGaeXv40AuXy2VqtxhiCNfmiMDPiEQt2uy2heenTiZsU3eYCiGWgRiJedE1xdwjpsEe/YhRY1rru5asdNHZPA0jdE8R6uIIOAyBDraYND48A6QKAo7YLcuVbmGJEYYPOr09gUA9NaIxMMisvWjcLwRy/oD+I1lUTEHECIA5InGP9dcaZwgA0zrmqEQGCNjJc6+/f2Udvo8KeQlDmHDRPYZDPFCEDKg3liy0tmG2Z0Dqu9QBWpbnzTiKim396Y02rHd9xVKFaHRgP7dAOsBbhBIJdCLCT6Ozh/PChudxITlO5fWaBLVvWDQ4NITKjNCPeeHcwgVzrhXPQnTAQLGlDIpFIGkKqBhKJZK9hUaWij1O44frr/3D//ccefYRaVaE+u4F/KwzNZmaEVGJYamnZdXskenuPoLGaodn6JnSrCQExYP206IkLggZfLQEioMKq1ZFisXj+eRc++vhjK3pejZ6ikJ6eHkS87JKLW4r555//Wy6jKApTVY0hM8qDbCYYOQrFVzIQbPtjhXJ7ead65y3/gQA3E28uAgg00kedYB+X6KcbWg24xCIMuOONE6nMnFM4Ot31rS9wCAbo2QM2RwMCYIDEqTpc5bq9bo29tydjKYNOwTCQYDHQdbFCOdF3h5FJ2w2q+3/YJQ9zwIXxT/c246BxDYAAGAEAEkNEJFAAiGvEAaBa5ZzTLtyNRISb0RwVxTkAUgaUbDZ78KFTgRMhY2hIF0hESAwO5gCTNa4VNI0IkBPxOx66FThnwCCLfETdvnMrQ0ZkyHj1aR6Dq4H9JnocMlyFY49oJSJIRwOJRJISUjWQSCR7E+VyedmyZbt27772C5+/5MKLfndHJZcvEBDTZ9c3Ogp92/hhLfQ0u3gbweZ2m1pmgjpQzQ5WY9LtuhcCuRvtflETmG3geB3abqvZbqXYfBIQEBjV1Founz///R9cu2ZNvtgSJx0xlUrl+GPfM3FC+zPPPKtkFGSKxjWGCjnugE09iHIpwsUWQk8X3unU66JlSpo6kU9S/qmGmTbouYe242nY3QG5Ti1qh+e9zakkPd3AURhY1+w8oexfoMsH6AlDTscXK3K0B7JtECEiIhLByHCVNBLcKbtMELuMg4UDV0hHzuImVs+5TStxuCVAvdSsIPp8hFwXUVRTOyViDFEBBoBorbaBRHqFQACoUpVzjXMA4gQARMgYGc4agIho1hcEwxOCFFA1NQeKphARB9QLH9BWsyJKR5GO60oGERUKTV0PQiKR7G/INRQkEsneBCI+8sgjy5Ytu/GmH778as/sOYcOj1QZMm5zYjWDOjvg6s1u98edRFgWGryEYIyOMfenIdD/6j2F4Ghqe4/7XrwtSJA8EXwxZH6j4xcAAENV1bKZzBVXXrFmzZscYMOGDbNnzw6ILJT3nnDCeWeddeYpp774t5cAMaMoxhwZSLb0g/MtuEd1t4RQzwPy/dn0HntDJ4pwZ+2Q48+ecSxw04w8eG9oExJC1w90Ppy6XYnul5TwPgnfYgF3FM3RNwTVkSpxc9aAZJfo+2jUt4I/znNcslCEPHmCBF49gm7eW7KGqREhAhGBRlzjao1zldSaptY0TeWkcdK4pqmcq0CcIWcMFAaMIUPKKExRWEZhCmOMocKYwhhDVBgiIgOmMAWZklEyYmEu0X8pfv9/WUcLRFI1kEgkKSJVA4lEspehuxsAAAF+4p//OZNTVFWztY7COkPTozk2kzvWJltmWPc0ALNFLT5uCxIWp59wEHAtDhPC9gcBUGEqr2Wy2av+4aqXX1qxcOGRlUolm82uXbs2PC+uVIgWL14MAMcff+ysWTMP7+xc9tijmqplmAKmrwq5Zs/0NVxEu4OvcLQIlcaMQLY/kbHEHN/rCTVyxwTht8NeJZtz89z3xi4aCMrO7WbQUNKoCxXVao1zh76akAYUzrCT/OIlABJOOxoouAqP2Pboxc/AcLhwWPf1G0SE+nw6RMg5aZyIiHs+xl8gVVM550QAlMJtdD1i7mwCAHCACNNnSiQSSWTkCAWJRLK3cuVHPvLG2jWnnnbqsr8syygF07hDa9SoAKEnqLfXJ0KXukFsj9ogGndSjYo9HltrmSCwiEh4zBamftDX6ToQAsNrVx9ljUSEClNVNZvJ/Ptn//2XldseWvpwZ2dnV1eXrhzFi50IAMrl8uDgwJNPLp80ZdKyZUuJKKMoGte8vcs+Yy38r8ndFd8ICStWQMUHb84C76cgR757BcmibSM1m7vxiOxykHf+gmalGojr3gT5CKSeMNZqNc55BuutQZ/hOIG30bduiGIizyF0HET7UbKs7Dh3wVaYid/Q4veX8YoEYc13TaBqm98RzUVjR087pEIBmOwalEgkqSFfKBKJZG/lw1deuXHTu1//+jcO7pgxNDioKIrD2dXRPHO2UNG5MbZJNY9+bdZ4iUQLjX5OB05c/YKOb8ZYtVbLF4o3/M/Nb72z/qGlDwNAT09PMslAX3r9xzffnFWUuXMPe3Tpo4iQURjn3JkfABJKBuF9qVFtgqS9suljczQJYozk1kHyPNlrm8PDZQ9eZrDHuREiXQgANI3r9d9e4clXMkuQhLdv3/uke7LlHqcg+ogfUudOMp5lv8C++RZVBvsOdLi3oTtdWzxklCZavlMx8pEUY10h6WsgkUjSQ6oGEolkL+amm374rW99q+vsc4ptrdWqyhgSeeZ5E4KejfATfIKmZ2mE5CWFFmC9B6/RGKIeRL8DwZlAAKawarU6rqXlZ7+49Z0Vz3/tG4v1wQUJ0CWDUqmEiOvffnvdurefe+rZbCaDgJrGPYFdOWvA9zpK3poUrwj/mxdjVIGvtZck3YZIVnTCsxzaJTjnrgAAIABJREFUwdgD07f/iIAIgXNOhmomGorjVxoBlcD3WYkgH5D9gONHWMaC/YMg0lH/R52sLKHtp3lLEM1JKQAQyJQH6tOjkD2i+mbgBSZH4AQhkUgkjSNVA4lEsnfz6KOPrnp9ZefhCwA46JNYk3AAcGgrKolnMFmtwgZbflYD1DMpmt8g5+iQvdUr2CR30zYkk2HCAbp2BEgGPt15RMBYtVZrm9D+vVt+sex3v33zy/+xrFwul8uheRSkZJMMiOiNVa+9+PzzuWyWIRq9rEBEZn9kvUCcFoS9x9L2IfvHfkV+hSSoKs6b0hjBCod4f/222m6eqAzAedtiqSm2eqwbWYapFaNie7ScBPifFetJGE0QG34DALguiqxqzDXO9QH45vKERKYzvf0210+NnA97/QiwyF1ZtJnS5lPleczIFsS6adG8Ccgbmei59s0eANifE2NLLLfYL4WAOOn/M5GxhIN1kZaCYHyFX0bYA06cNIpSHBKJRBIZqRpIJJK9m56enr6+vk986qMTJ0+sjVSZooDV8HI3tdFtGjkOAdibo55DAaTdOnPmM/moXME+kbXrbof7Xk7S6xTNBuHZbUXOgRCr1ZHx7e3f/8Evn3vs8f5xbdDV9ciSJQkm93JJBpdddtmKnlezuZyqqhrXjFw4rCOyGxJORaCe00gGM3pqnEgkcU4HEff6fBHbMX5ES9d72+LmV/BExjrZnZeYCE5ymbbmnzFjcEUqIWFuyX/b9pMTN0focCLiYLjeuEfh18110cMbPXUDNARSdHlRCLQzjzlPph1u2+9OIlwD8M9b1EjQ/Xg7Lq9+JdYFIiACB0OSsZRKSzmAaJKBIHP2pWKN//r05r3bkUoikUgSI1UDiUSyl1OCh/6y7Gu//U7nEUfnWvK1Wg0Zc9qBQrwmnUFye6FBS0PYDk9gRrqNoATnhwQIj9hHEPBN0LIGEDCDqlobP3H8r/73Z/fe9euB3bsAALq6yqGJiiiXy5Zk8OHLL3+tZ2U+mwHgdV1JN4TERg55PqFX4o//wHXvuJFU1INYWY8Sn1f6INffWDTmPtMYfqWSUlElxpt4BC8DsRhibdi2nZMX6E8dmQasub+ukwXoJ8I7HzAcyRks6KLsyoBYaKvLF4IwAbc19GmI/cT4/i8SdIYpyYArKc/QqIjo+onNtYAACAlgELhUDSQSSWrINRQkEsleTicgwZP4zCFXHjZt+tQNb28k4MaC5KMIjc2BpLGyJejncx9NA3JvWF1xBMCwWlOnTp123f/3k/++/nu//s1tXV1dXV1dycYmAMCSJUvGjRtHRJe8/4OrVq8q5PNEnLipF7jNIr9t4U5PH+m+jr9VE6fuRwqLgiJtSKKIf9ooP9Lk12ndQJS2Cf2tq/FelulWQKCHRyTQHenrqxd48hEw7CiQeL4TCOCzpEPcdBs4xR1UVDetYM6DRIBYH/ZU1wpcMSTUC9y5s7IAwAEGAfh+8V6SSCSjg/Q1kEgkezdYhsPLneVymTH2ve/9IJfLqzUNfRp2EQnoYgvoVgo4K2r3lT32ZCOZA7rZIpzo23gl4WYCRN2iVmOagVqrTZ005XeVh17629O//s1tALBs2bLEkgEAfObTn/7Sl770/vPPf/X1nkI+S8SJGyO4wex8FVmjUa6yoY785CZw8jQDCatvAQnGsHl8kojZYRufYEUsDdLJfCpZ9NVbnD+tTn1nN7XDuHWE9Yvf/s4KJP4AI/M7+NMUgmKPcyHWk07WYAWjlIXjn8Ijsu3xnGopsT5DoiQSiSQxUjWQSCR7N4SwCBdNnTp1/free+6+e+7cOdlMljgBq7fsEAyv2IggJLegxHZ7pDNdOYi+O1IufMPVm8bhJzXWJ+bXAtfnEyNN1WbNmfP400/3vv3a5z7/6cQrJpTL0NUFAHDppZd+/BOfOO+ss95Y/WZrawvnnDiBd5IBMjOyB5rZcWYJIE9dGr3sBqcUwzs7dHdwXDQalx3DT8llLifXDkR2d/JJDZwGt19ABGD6/Hzuvu8EKgs6v9PRfxIoBKmICuFn+Vxf8ImcUC/ZNGqwKA40vkiuuSiRSNJGqgYSiWSvp1wut7S0LF269OuLF1fuvLe1rVXVNKthprsdGMKB/knaqkXPhhhRX196/WL+iVudh+DYcGcCxId985ZCpv0sGwIiZEhApNKCeZ0PPPTXRx955KRTTgSAZC4G5XIZoKurCz56xZknnXTSl665Zu3ateNaW1VNtTSPgI7TUWtrRxwCXsfvLoyGdjAK4kS9v1qcWBrOAgm7ukOiRO+seHvWYvNqAD6hgICUTJYpiucxMK3PoGhD8RQDiXY6I3d5F/iFDHc8IMEpEUmpurv1ATInIEgxej8QCQC4XEZBIpGkh1QNJBLJvsBVV11VLpfL5fJ//ddXPvPZq+3zexGAe+59rPfJeEm5xe/tnW+gIRfq4+BpKotOEckJUSSDBhwNxDFzIGSMONc0WnjUUWee3fW7235zxplnokncKEul0ubNmwG6qsNXHjP/rD/cddeGjRvbx7erqoqARGSNXCHBBaV1dbEFgfgqlsdQSks7cOfCqBv+cTdpVEEEszdpZADQcLaNWyyKAiP4KkVMI45/lIVAKQRR/UACIKJMJpNRMg69w35ZIgFUfMCLS52NUOQCUc91OPoHPD8jPCXxHqPgK7JLJGQqCI2Y8eGVAS29hwj7OZceBxKJJEWkaiCRSPYFLCMzny+uW7th1qzZtVpNUTLGTFpEgiaeKRy4ZxLwaQtGaX85erpGoxPYLxck2hYHDgrRzPwTgYKKxjWV887OhZU771zf23vFR69MIBbolEql9evX9/X1bd2yef7hJ99x3583921ubWmpVqtGeogObwO/q6tXgmCzQKgOoP8hZxDv7/Dr9qtVTu0gnbsWMSKKYX/7xhfoPkOuvykSIeP+eQ482bDfErs1xcA39kiGfTaTYUwhAv0lalsm0FdYdb1fAnOFRlSJi6Bu+Seo2R7BwPmUiKQGc9OrQURPtS7Dmn+MH8b/Qynh8x5BBAQFsVAoHHjwwamlJpFI9nukaiCRSPYRLIf2qVOnP/CXv7SNa1M1VVEYOFp9vm34YN/iRhq9oXsig+Z4i4BIBUeFPVzks18UJ8SYssvC6mbz9hsTEJHCUOMacTrssHlXfPvbpSuvvOHGG+MlYaNcLk+dOrWjo6NSqXzhX6/92f/+btuWLcVisabWwOxBRcMYML8DMu6oJujzAdu3n3kYueJ4vMHrWyLbR/QRLP/uiM6yvsheDqJOWiBPyvGuQhxrBGwLAOoZtF1UskfHfpJ3LEFSm1twmqCC1H8ggDVASvRxRYOJHQ1sNUV4TeZ+YzYRyuQyLGM+H4D6RAd15c5//QIrLndtcz8Hzmck4j2s33DXrQ98AsSVzvWUiCpl/dHwpmuKCQ78nncCIjQVDl0+0FeyJCJOQMST1mMP/tI2AgLDKVOmHHH44akkJZFIJCBXXpRIJPsSunBARHdUKpdccslvb7sNMxlEQGCE+jJi+nThpu2tN7KCOoAQAg4mJmGXUzqtTTP9GJJBwjS8OdbXIENkyGqahoCdhx3+X98sH3/EEUmSMNHv+7Rp03LZ7HPPPfSpT358y5Z3C8WCpmmsbpFRdO/gIAkpWLQRR+Y5nujux74NbuHA8Tu4DiasauT7AyKYwanVbxco3kbQK7f1FvDBUVIeF4NQZ5TwcKJomwkCIDBAQMYKhTwyBqZqgFhXCkJWorGt6xj+PiPbcxAauuF6EJiC7SDZdwbEQIbegaLw6H5Fkv0sxxaB37QdKYAABGjcwgzLtAGcc/rpzUpNIpHsf0hfA4lEsq+BiFOmTPnaN75xeGfn4MBANpOtrzwOIosw7QZ7bLsytXSD2/iOPraIkkGDOIrWyB8igqqpBDB/4RGbdmw5/vjjG0mCiM4880wAKBbHXXLpVf/+b9/cuGFDLpflnNDeRk/rokSOBU33Qo+NuEfT08+adrVMZA0G2usNE2KtN3bjxthdN4lQbgjEiTHW2taqZJju0YE2Bxr7drz74NeZLujbFwUIEp5i+BgIU/CPxr3Xcx1CEbQO2kK5E7N5HQRlKgl2Pw7HBhHu2rkzk5FdgxKJJDWkaiCRSPZBzjzrrLvuuONTn//8lOnTBkdGlHrjqZEhtpEg24bTNmuacBDSoLWH85iNPrHZfjWUbcfpuuszA06cc37icSe88vJLy596qpH4AaBcLnd1dc3s6Jg379BvfuOL72zcmM8XODeGX4xRsy4Sjff3h9xxvwRiJuy2rYRxBMYZZ9X6CNGlAgq2/ELsccjxJ+o5pCisrX2coigA9Sljw70GxCk5D0R72bhVzDDJIAExzXR3jsOFg6DXb5IVLGPiHmqjj3hRGLXPmAFSNZBIJOkhVQOJRLIPgoitbW1r1rx53InHKQyJc2GoMPfi5GZB7F7VFGg4cnfnWvy5DMJTII1zqtH7PnDJsy++sHrNW43HuWTJkq9//Wv5QuHm739/04beYkuBk/B2N4ExZDfWiZkpr20X76aLzKjQvubwSINEjnRrpaEjOobfiyQD2/6x51sSBwIAROCcWEZpbW1hyIgoZBbSAO+A+qZXAIhWr8JuqK/o5as4iMNGSEeQZuPqnbHDmNsg3erj0VZ0txFAAMi2tKSWjkQi2e+RqoFEItk3efLJJ9va2n7wg5sPnTN7pFZlSqbeKg73N4jU3xZ2PHV/1JD0kp/cTL2gXuqIAKBp2kevuOLVFStee31V45Gfe+5ZpQ9fPnHipJ/d8r/v9vW1tLZyVQVrwHXUtrl+/c0wBH0qQISeWKqHA0gwqYE4wuCdCaurNR9e+PkxovdkzZVAQyUinJ2gvuqBscspHsSqVM45AMM/kSP2kLBAEAiyuUy+UAD7ygmunAjvqNi49gthD5Te+9B11a43bshjFRZzPQaXcBDsOkABBxER9OlYmzJNji0h/VtRUk9GIpHs50jVQCKR7LO8+eaaL33x2gWHzZ84YeLIyDBjRkMKCclhD7ja7e5mHYU0R4XH/VqP5PrbEGT1yvqbpmGnu36nphcgEJgdmASAoJEGAP/y+Wt6392k6qshJoKISqUSAHR2ds6bO/e444+55/bbN2/clMtmarUqeSWD8GZ6o4abN4/xDJdAbaF5koE9lTBrS3SCe5/zQGLRrLk6m6ij1+Zs4AxSX+PAqSiEpwExK5NXZYhEkrJCAkBAznkulyu25AF0W9aykM3EA81jx7ZN4rJ9/OptjOoWSZQIPjlaJRSLXk7hQHypTrw3Ds2AXCUi/f+eJgiU5gUQABHXFw+SSCSSFJGvFYlEss9CRN+74cbWSZMOO2xuJqNomoZMtw9I1DSP29RPbBWlBAm2jF/2fHmNQnfGyVzfLuWLQUR9hXKFMeIaU5TPf/XfHl/+6NreDQ8/9liyOImoUql0d3cDwPi2tmnTD7r7jrv7tvbli4WR2ggnz0pxOJq3KEKVCDbfY55hJ9jaTM1McRmM4bXLbm/5ClzikOmDzm10/7LtMzrgoxnxXseBOMGT+hzUl9l07g1J2vjLibe0FlpaC0RkrhAQnjQ50iDHAVHdj2C5+x30yUyyqkHCzaDk/ZJzFbhDTbBjSlF6yTLEWrVWrVbR7vPWCDZFw5W6pmntba0NRS6RSCQepGogkUj2TaxVGAstLb+87bZJkyerGjd8DKxWXqRmW6hVFBty/GkkCk8cjo4x11r3jg/ZxILUqXecIgJjKmn5fOFzn7/2ztvuuL37zvvvvz9ZtLpkUCqVEPHSSy4++sgj/3Tv3f39A4V8QVVVBGb3IjFsoHiXl7wwIhm6grvlrFGJ0o9i7aVzl0WxkKMuuT9R43HKWKlk1kncDl70jFBwGfbGB40JVmN9gvPp2fJiqAW2UotaZnU7U+Na2/i2YmuRc45YXzQBQ+IyZvhz1tpIr8SY7820q4GztDyZDpA13FXTqttk7fDHKFeGgwNDgwODjLGUFFpvDKivbMs5FQrFr/zHvzWchEQikdSRqoFEItlnKZfLlUrlueee+8ynP3XKiSdlczmVq4wxvSFnayWPMlRvh8ZqPboNTCJRu5ccDXr3eSloHmHY1ztEhhpX84XC1f/4+btuv+OhB/6SOFq7ZHDR+97HAB97/LHBwaFsJquqKuhDImyeBRRDGLLOSJq3OJIBOZ07Elh+gYgN1OZU8vDxLC7tgFzXKrC5IhdCpEtKNvDEPjGgUYy2MsWIAkC0pOIPSyB3qTqORTkfgTgR0ISJ7blCTuNccKbzvULeW+l8h1kBdAK0I5/XkRWbpWnGfR6iveTExRZWkUXiahTJAAAAkYAQqFqrVkdqyNAYIxKUXMDHT+wlAEMyJc5zheLrr70WMsOlRCKRxEGqBhKJZJ8FESuVyowZM37yvz/FXPagA6cxYMS5aQUAWE7IvjTVvo6TiLvl7XfOqGTYHwQgIAQEBGSo1tTWca2fuPozd95/x4N/TS4ZAMCiRYt0yeBj/3yVRuqrK1YgMn3giX4HiezFYioGMcqjaS1sR59smjfItDSxPgDfbYWmY9s2hViSgf06ol5TFMkAPT/t7wRTIEhTJ7An5Zcd/2QarT76xSERMKa0TWjLZDLWEjOoy31msQX3wweXhFsOC3NpsqsSvkFjCwmj/jJE68ueC+OiEBCBIQBR3La39ahEuSJEREXJZDPZmKlIJBJJEFI1kEgk+zKVSqW9vZ2ICsXi7yp3FopFXl9jrG5UptMlE69DnwTmEjl/gjCqoH6xRrrLHWkljYgs4QBBVbVJEyd/8dOf++O99zzUmGQAAJVKRZ8oYf26t1e/ukrJZxkD4oRo2jd1RwNy/IqR9yaQrCPdibB61odiBNReFG4mJWkUDj2nwQxEzUP0vMYUA/a0DtNYUZqTS3DK5ZTx49sYIhGhMeOLzyn1b//joQebMhbKTuQb43qjpiHEiHaZjimm5sQ5J2NRWB6UsNjrIzSXlkxIKud5VLJZqRpIJJI0kaqBRCLZx9HHKbzyyop/u/bac84+WxcInK6baRgBSfyFnUMMXP1JAt2Bgpregb104vB+AgeFBRBhFSIBMIWpmjZ50tTrb7rprvvuu++BB2NkzIcPfehyInrfuee+9dZbLeNamXv8tWVMOf/EIG1b0FluEYw9gf2Pxl7L+LC+sX4wLNYIXdjJaIoDdErGZfRowuq3n2YTyfvA/3kOyWCSosUIGQIERFQ1Ld9SmDxlonkLyRXGtiOCy0bgi4IEW83D5ZSSHIFaK0jLd5/HiYWNjKiqyuvLykT6LyNykVn3kSEQz7UWxrXKCRElEkmaZPZ0BiQSiaS5IGKpVHryySd7e3s/eNH7Zxx48NsbejNKRrfY0egaT9A1DQARzrG6wf2PmxOYhyeTsNUd7h2sE2YYRGmEE6CCNVUdP278r3//u5/8+MeVO++MlMlAPnL55QfN7Lj44oveWrOmtaUFkRsFR96bZ/4YdfdkB2EGhx2hXzMKjkRxufdLQBdZzJHPsaMIiDrFgk43tgSpO/7GOM+Ta70Kov2XsYGuQCKSF0JYCaJeGVVNbRs/bvLUSRrnRLqK6hYO0PFMiTIYYPeKy9AYvRSb2OXRqJxl915C+16n8w45HkmyH/BGODI0rKkqA0acyHJ1s6utjmQivnBdiSAQMlSmT5tKTXfukEgk+xfS10Aikez7VCqV3t5eANA4/fgXvyjk8ipXAQDAWBoQEDxL9iVH0OsW2J1JRke067z6nnAX1UjtQ/L5BGU8OgQACIyxWq1WbCn+/s67nlz+xNDwcLLYAICIFi9eDABHHNG5s3/XxnXrV73+asu4VgAirucS7R3p9owkJXXv80D3EG/ijs1IPccx0F0WREUWLxL3jngeBxE8LtIipreM/bxGEzZSFD1soU9z/cQYiO6LX0gE0EibOHlC+/g2fQGFsASj5MV5oc5xVO6XYXSSv5BSwGO423UU4zmyeZw4N01XHMspaHh4mGumr4G9Ojiusb5ERdRXhyV2GUA2n5kyedL4CRPiXq9EIpEEIFUDiUSyHzFv/vxf/eJn53SdpqoqY4zMeapMGzQF7C1B9yRgYdqB/XSXuROh+egTxGaDhMoG4VF5j1gdbIgAWFWrE8a3PXz3H5954vGTTzn1xhtvDM+4MCmiSqVSLpcXlT7c2lKcMHniKytXthRaiHO9ta6bOqj3oXt79pplacSy462aFRKjK866ZOCTfCTX+ID00KYfJIzBnWVz0ITvGTaCi6QZgx6sdClwTzqVJsJQFOEzXZcIfc8PrlBorzoBxYga54gwZcqkbD6nqqptnhfxWZiwtqT8ECZSgAKji3AkUXJO7yBjSAKNDNaIk+XDYZOQwH73wVk/wjNj/udlP5QpFlvb2mJnXCKRSPyRqoFEItmPuPHGG3dv3/ruth0zDj54aHiYKQoAoTnJtah12LgNI14mSxzU/I7XTo1knIb0JMZI1BUaAQgYIAFpmjpp4qQ/P7j0R7f+4vlnnp01a1bEKN0p2BZZLORyh8ya+fJLL+fyWd29OT2FJy7YnK5PH93AE8jZn4nQyLQCqZSfx5T09zvYI/dLSISHrIHMxqwcdqMxUt0Kj99RmwQCjz79YSaXnXrA5ExG4Zyir88Xe4SMn40b64Uoiim1h9ArOEYK5fYL8vyqu0EhACISwfBI1RiZ4PgPIfy2W29cf1mu7vgACIwpxWJ7S2t7cLQSiUQSC6kaSCSS/Yvv/uDmiZOn/P0/XtWay1dHRhBZiv3S/i1i2wrk6Rue5PgTECJiROFnGBdKevcYA400TeOTp0x/4ulny4sXf7W85DuNeRnoksHVH//44K7dr7z8Wj6XByAwZiD3ZCVOX3ZjiPtc3bui6Th+CYhi9Ntb7wRGUdBQAy8Fa95tmbpt0MAralamAgm7NUkrUBSD2PP0U0PVRYjDTd4uNhkJalxraStMnT6F6pImOs8Pitv7xFmIri4Rtoj83pfNfMztyQQm7qseOGJAAK7x/p39muZ4g8WVQnyFA5vuTRwyWZw4cWJ7+/iw+CQSiSQGUjWQSCT7HWvWrlv++NMLjjmCaxoAOBuGzerTMmMz02o8YooQH4FfszcgVgDwaZ3adQ8iJEAOiBrnnOiggzu+cM01l1122Q9uuilOgs4EbJIBEW3asOG1N97IF7KkafoUYt6LQUjrpoW6XET2yTC7GaPSkJlcT8w1eCEs1rSNc1/hQCwj7BVEqkrk/LLvJ3GtoaCDaWIrawJCAiIETdMmTZ44ZfrkWq3KmGL5GridXtw3SuBbEo7f68d72Z7iCC2ZRosumqNB6CG7a4fnFxAAMNA0rb9/wCgNUbnFF3bd+xGQEDjXctlie3t7Pp+PFqVEIpFEQqoGEolkv+Oee+7Z8M6mL37xxinTpw0NDzBFAeJgzodos3ia1CdptnUTN3gN67neZvaPKVkaftYAAiBZE0cSIDBOnAgOPfTQvzz88KJFi+6+++5EKRqUy2VLMrj4ovetWftWsVjQkzAh2zdAXFHElwZjETp5h4sHiSaUdxHkuRyUgWYY77bBE2if7MCRVtAdI7PLdAwRye0mNNyodY6b2AQkUxWoS37TDpg2YXy7pmm6wzy6x5a4LF/HIadniSDNGFhPc7gB31R1xR+HpOKfBR8fAP0hYKhoNW1gcEifsVAYSYOPIxIY0/QQ5XKZoaEhqRpIJJJ0kSsvSiSS/ZH77rsHgd5z3AmPPfzw0NBwoZDnGtetPKIQM8xA3MyN2jeJ1hfEaTCKfJl9k0zFnkbTLNXzS+ZalQCAqBER1xZ2HnX73XcjYrlc7u7u7unpSZzakiVLoJBZT3TRhReuW7uuWCxomkqcOy+InD/tJLjkxkoJfSKweXJj8J2IN0xcMEjBGUvsy/G7gkYJvC6yhfJ0w48tgl4H0SWD8LgigYCxVRXUBT4kIEQkrrGsctCM6ZlcdmRgmDGlHiUanjvkOV0Qq9j4FYULRhQL+R5uuAQbxKEpBylydacCIkAcGVGH+ocY01UcDHoCwhD+p2HdNM4pny9OmDBhglxDQSKRpIr0NZBIJPspL738/MDu3TNnz0RE4KQwJnJ2bxampeH4G3KCZ3r1oPOSjoQQ9DjavhkiACEiAwQizrUjFhxR03YsWoRERESLFi2KmaCDv//HK0ofv+yT5523bu1b+VxWVVWNc7OQQq3LBB4cKd5uj3lU73gVry8Q5Gjg29MamuHRsKlsfgRoztgfvZvZ6XhQ/7uHOpOD8OTO9Qm4KQGu5HsIRGTINM7HtRc7Zh5EpIJu/NenNjA8ExBT8YLxdNRHwFkJhIWVej1JEpv79Rro7sUYq46MDA8PM8Zs+Q9adiRqBjxoXMvmCl1dXVI1kEgk6SJ9DSQSyX7Khg0b8oXCvX+676QTj929sz+fy2tqDYAQWVA/UnrtVTMNs8ke0ovm1gv8AzaUxXouvJnRDXdEAiCEWrV20kmnLH/qyTfXvAUAX/ziouuv744+H7uL888/f9q0qZdf+qEv/N1nNm18N5/Pca4R6V2a5G6kR5AQRJdlL+L0bmS9s1DvQyT3UTA6e+33xs9gCK4Fuo3qdfr3y1ATcNxgj5+D/WD0PIwRsSDYpUBYrIly3lB/edKyMtQB0rg2dfrUgzoOrNaq1pqLwhpT92sw67BfzKZbTZS8RXzHRXyifaILe4QawOfmea7e8bpBHB4cGRkeYcjMUGh74yd8YO1OB/o2IwTOi/nc1776n//9resSxCmRSCR+SF8DiUSynzJjxoyt27Z96PLLjlp4dC6XHxkZYYx5GnC2BmJ4F1fslp+zlezvehwx4hiLPMbGaKEjIiIhqTX1ve89edUbq3TJAABuuKGSWDI464wzDpsz+5hj3vM/37nunY3v5PM54tz3UuJJBtZta6ZvM9o3fYwKAADnaH9ImKNYPhX+3igJUg65wej4uNwQXApDQ/nYI7ifVr+ci11digdlAAAgAElEQVSCInSiNwtj0gJ9rglkOGv2jHHtrTVVYwzJJfXE8BmxhXMLjVhPNFp0iUpHFEyUXixPmDiEPogEAESkIA4MDmo1zSbTEKWUIVvRESBpRIWW3Oo3ViV+G0skEokQqRpIJJL9lPb29kqlcuddd0+ZPn3q9CkAQMTB3Qhs2DaLe6LLvhDZJuK0Uhrlb4DiX4jAOSdNu/D8C/p37x4cGk6cgp1sNnPg1Gm/+r+/2L5tez6b55rGDQcDMqb40iUR81tsiYFxwLZJnoOB9l4jRBUOAvcAgNf52TdM+FXscYvcabC5PBGacyOajn+eIwmL5N2MQ1xb0DF5Idd4rpg7ZO4s4hzJFplw1IhwvJJvOs6t0Xem8EnU7RqTKGMhQ4l8s2wVL/bvGlBrKmNorpLoCtKYha+7kXAiAs6pmCu2tBQbilAikUg8SNVAIpHsp/T09JRKJSJqbRv34F+WFltbNY3rvXHulmBY+z5W36/wdJsl4d3rSD66ZNAA4tgQkZPGAC5/3wd7elZu3LTp5RUrGk9swYJ58zvn/ra7e2hgOJfPaVzT29WWQ3+9lW0KCI0n2hSiCAcoCOxLM2tdfPxtsrgzG4xRhHJNM0q4UacDb0kLnTocBjMiY0wjbcrUibPmzKipNTQ7vBFAdzgQSgj+9djjSoBQ9y9JWB3iFYczaWEAb8HETtGphwRLfT4HiXbt2MWJ0NBwKJ1pI2wgESDoDlrj2ttaW9vSjV8ikUikaiCRSPZfuru7K5XKSy+9/MlPfPzUM04x9nJAQohniQf6KkfrVfXpgoyQCR8vg4bcH6g+DEC33pEh5xqCcknp0oefXP7QI48+/dxzSVOoc/RRR5144kkPPfBXVdMKxTxXVdCXsagvJGYXC6JfkzBkLJM9EQ7byyeV9KzrYOEgVXvXaTAFjDnwtd/2XqI9jz56XqzQIdT7pesWu7C8LbPdPAOJAAAJ+Kw5M9ontNc0lTFW1+KCkgyvr95A/lV/FDDUC9EDiM56HPjDZ0/s3CCQxnfu2E3cKm+sz9XS+FNqxYBIQIqSaRs3oXXcuIbjlUgkEgdyNkSJRLL/goilUunJJ5/s7e09/7xzD+w4qPft3kI2rxEHAjBXzNMbjuRxsPZFD+oNYd8jao36dUEKI7Nfhl04iNoKJZ8LsyJBQnOaNFRQVVVg7IPve/8zDy1b/syzERMJ5vhj33Ps8Sc8unQpAORzGdI4IAJxXTjQZ3c3Fnij5N7FIuLafjGTNm+YcCW7KGdHhxzTqgHpPhqBJ7i2YpstUfLnm4mx6ifiwv1QRMi24JJ9hUesxxk6DapfKt63EfqEBABChhy4klPmHn6YIQQmWDTGfY2C3wkQeFp5jkWMOkIfftjb1EzWHZHnBeQodLTtcqaFjKk1vntXPxJDY75UMvWc+n8VCR8MAsfpBNmsUiwWUfYJSiSStJHvFYlEsl9TqVR6e3sB4NDDDvvud7+Xy+RqXAXdlZSMMcFWH3eM/u7QQHH6zhu1tMi5YbV2yRPABAHQ7OlnyEhTCfD0M89e9crL1aefnd1gfgAA4NSTT+w67b1PPf44IM9mMsYEBkYLmMCY0YCs5SbJ8jtIXhyBYkFwzHETtXUEI6JzasDQM2MRzcD1ucDIl2XzPElEsFvEPkLEO+yvD8ZLpf7xn3rS3EZErmnjJ7bNmn2wpqkMGRDoy3HYzWFh3gMvSJAb/09M/J08HNEZnhWmc0FY4giI7vNFEoHjd0D+rdeTfZcxzI0AGWPVqtq/e4Cxuppoe595FtQVgZ5vQRhC4jybLYybUFSy2bAoJRKJJB5SNZBIJBJYvHjxzTf/+JmnnjzuuGNGhoaZonBO9d4gD85Gf2O2UKOWMACA7xRp9pi9DrH+zXir54oANK2qcjj3grNf+tuLysRJO2fMmN1YZgHgzDNOv+iD739o6aPVWjWbyRFZpi8a/ruOLnGy5SikY87Wiys8tIewmTPxMhKhYlBAJfI/0Hil24dJpWTSKl4MMxfDzkVd/6yqasesg8dPGK+qWsAE+84DQkExfj4SEKf4RIuSGDoK1odpuE4RaQ9+0SfKKSICccaU4cHhwYEhNMeJxK0ZkSQDAGSoca1YzA4OapmsdCWWSCQpI1UDiUQigXK5DAAHHnjg7v7Bgw46eGhoUFEY6X1xo2laNZyW29b2c/71GprOn0YLlaHGVRXh0itLTz39/FNPP1OpVEba25c1lsnTTzvt3PPOv/33d9WqtVwmC0Ro9MkbOfEphhTsXHHL27d3Pp1E62nXtQME8bjrVImjIuwTNG7RNuQEkDSlUBWsvhGr716vbgTAEDlBJscOP3KeklUM2zVa1kKy1Rjk+4aKDHoN/7pSYGkJHuEg+gU08JgSEGGGKf39A0ODQxlkyJrx0CMAECJD5BpvbWktFApz5y5IPRmJRLKfI1UDiUQiAURExMs+9OFJk6dcViplM1lV1fQ+b9ObFHws78ZptNnsEyX5ZDv0XH1kAgFiTVWzTPnsZ69Z8cIrzz7zvH68p6cncb5OP/2U97/vgnPOPffO7t8ODw9llQzZ5l10l2+QMR9EcLPcXzKwl5io6FK5Qe4+0VRsCJG3gcM5w1q2shHZYIxrDXX7ek86lSTB1zUmii4gFBFctQsRa2p10uTxhx46m3NNIIWSYCtJ2im70TiTixYuoDc+7AB6DkQy8l1ByFJ4dHOesZ3bdo0MVVFfdjHmejcRXCAI0Vg+gRMViy3XXnvt1KlTY6UikUgkoUjVQCKRSOq83dv76LK/HHX0kSPVEcaYs2FrjVhIaHaJmup2M5WSR08+2zFjqXfzM1ZT1Xy+8B9f/Xrv2+u0Gk8cqcWJJ544q2PmMe858s7ublXjuazCbZ2ezXZ8juiQPfq2MYZeekM3NLF6lDp7Ov2o2DSs0XQ3CCdcQ0Db2gFokwwQWU2rHTb/kEmTJnDOddf5BBkOyV26kkE0McJzxM8oF0Qhkguie3KY6QVeiy48bN22XVVVbMoUhQT6ojPm3S62tJS/9tWTTz65CWlJJJL9GqkaSCQSSZ0HHnhg4zsbFiw8ePrUacPDQ0pGcfbexm5qu3p3ndqAMHj81Ag8Nk7YmQJPfXtrm2q1kfZxLTde991H/vrXN1avue+++6JlxZM1olKppG8XC4WJk6f+4c4/ciCFMc4J0a0Y2DsKG+kyDh4DLCqd4BJrlvmIjk1/WyV++rH7NFPEU3WbnxN0Fl/zvQ1GW4/xDlBw/fT0kyMA6NMdAictl8suPLpTyWZUVUN/B6cUHKgilH2Aq0ODSWLi14bwtMhxid/mBICoqXzblu1cM2dIjJm/gKIxozOEA+KEDAqF3JrVqwPmrZBIJJJkyOlSJBKJxMEzz7506KFz5y2ct+vJHaqqMYbxzC9f293XCRh9ggGYPYLptgCt2MhqcwIQIgEhEUKtVhs/ccq/f/nLN/3sljvvuTdxOkRUqVS6u7sRccH8+fMXLHj4wQcz2QwCABEC6guQmcVruHJEau4Gu+0aM8PHGuGAo2P8uXBWFtMAMDPUeKTpQzFGxMeQsRomHW+begTGwKT6zSCfOuIjHERcbjOgOINLOmL/OwIoijI4NDjzsIPnzJmpaioyXU4we6cd2fQTE9zRJy7h2CeKrtLrXxDhcfGmnOIjb9QU15ucCBmyWlXdsXUHEjBkHDi6z2s8aQAgxhAQMtlMId/6zrvvNBipRCKReJG+BhKJROJm67adt9766+kzDtI0DZERJPHPj+42QJ6P+0hIfxN5d/lid/p12kKoIACotdqUydM++9HP/fIXv2xcMiiVSoh42SUXn3ziicsfeyyjMAQgMssz0GtYdAgTuyAEFcrY6pare8i7DTpP/fA7O6LJGj9nNkcZ0UdUjVPovU5EgzfVcReMoTvkvjrhtQXdON+SEN+xJGXnlAwAEYBUUo84ZkFre4um1eqJjeqdsUpR+ImB/b563wU+NV+4YohnR0OjpAgAOAA3LpQIEIgrChscGNy1czdjDCwtqimgpmnZbLZ1fMvu/oEmpSGRSPZnpGogkUgkbh588KGPXvn3555+Vmtra62mKsxyywob8ipojSdpJAoa1NacA+72dt288U/NPw8I+hIG+nRaGufTpx90xT/8w8+7f/bH+/+YIOcWixYt0iWDT1/9yXEt+aeffZYxBMZ0yYDb51AwM2LbFH5sfyJRP6UhcyBFgmqGeFCF2KgKsdsFulNaJiI5p1QkYw+Rr0249+LOvFMHqV+vs0xsF+4nKsTPR9TxJuj8gagwVq1VJ00Zf/jC+ahwzu1PnvuFQuJ4xOlEe6Yc5dM4aH0BWo4gZkLWF7k/ovdpUBoxXxnmFVp/dAmBa8QZst07+gcHhhhjqL+QGl47RfhCQADStJZccXhYU2u1hhKQSCQSEVI1kEgkEjelUum23/y2SjRz1qxMBjXOEa1WpH8DWGBlpNBUrjeHhSabPZnw3jQ3CKBfGgdStdoBBxxwWan0hS984fEnn2gw25VKBRGJqO/dzS+88HJWYbqbgZ4rs/VPAJFa0egZuR4No28vmhXbTGHBoxeI7hXVb7TzIzCEfD5u29Z13enY9WNfF0iUq6jyjN/Jfkc955L7cMT8uUPaJzcAseKEwKpqbd7Cw6YdMLVW1ZzDk0BURcR5SiS9kSim2HUnnhVPnp/iHKQD2fQQcmUS9SEKbNu2HUODw7qvgdvZIFqBkm3DoXtYFQoJEDWiQjE/74ADDjjgwITXI5FIJP5I1UAikUjcdHZ2ElH7hAl33nNP6/g2TprZvIuoFzRAo7ZYbLuYCDgQV2tzOuYse+yJL37xi4nTtnPVVVcR0UUXXbSipyebySCi2etnqh/OjAXkuzFrfk/PD+C5m6Jo07a9bTKSRzAQBR6z5n9yol2Py4KNXg5RNARBNgLPCU/a02nvU7t1VY4xpaZVi62FI49emC9mazW1Ho9YwUijGsTSVRpW8uKrEiTYio5LynNqOVahEhEZsx/i1i3barUaY9ZEjbHfSIIJKATHgWta67jWaxcvPvBAqRpIJJL0kaqBRCKRuCmXy8uWLdu5c+d3v3vdpz718SzLck13N9gzE9OH2yaeQC47yGuR6F4GenekOlI9YsERI2otlZm3S6XSjTfccOutt15w7rlvvraqUMgBEjfnMvBryY+JEQQ2yPY9KkmlHh+56oDt8L6mEABAwotKUO1c5RekO0TNUtysC8K7pjPQXXMY1mrq7EM6Zs2eUavWrEDGLKThZnVIHgID+jgaCA16n4jG2jvB/kiJninjkg1plAgVpqrqlr6tmsZ1x6um5Qz19TVzhRYAmDx1atMSkkgk+y9SNZBIJBI3iPjII4/MmDHj+edfHOivHvGehVzvPrJCeLrKPTTcQAyLIL6lQZ7mOhGiVqsdf8x71q1fv+yxx2NGKebUU0/512uuOffss9e+9VZLS540zonM5GPne49YDqm17iP0HqeVlDM+gYHisXP2JZwSWSy8NSxx2YiUO1HPt79bQeSkxa4MBghAiMhVrmTZ4UfNb2tvrVZraC6eAML6EZ8Yz6ZpUDt3xcoE+mzHiqVebPEKIP7DQ8QVxoaHR7Zu2YYcGCJRtAViRIn77Kprm0TEGBYyuU9/6uqenp4kyUgkEkkgUjWQSCQSAeVyub29vbu7e8Hhh992W2V86zjOOQOjM963re7zIwmBESRv85vREgInUqvVY445dtvOHcPVauIo7fzzVf/0r/96zXnnnNW7fl1ra5GII9r7Hb3fIFAzbIyGdUuiP6kwypoHuf4GBAkOtZ8R/TbFKLPmF2/AawiRMVQ1ddqBUw89bDYHzomDd+aLcMSCaHxPHHL9iJwJ10QMiVdQoeQPuLFKpXVeSAT65LJEoGTYwMDArp39iAwSrf7iO6QBbX90JzjOs7lsob315ZdfqlQqsVOSSCSSMKRqIJFIJGJKpRIAnHPOed+/8cZP/Mtnub6WlqPN2ASjsNEZ/wPW9kLLeEdE4FStVjuPOubNt9as3/TuK6+9ljhJO7+49f+879yzN254p7XYojsZeBrb5twG5o/QRnzd97cZhEkG9T3JbornrJQXdPD0ZTdp2cWxQcKR4fEi9os+riNAQGLNkpPq8XIiQpq74JDJ0ycNj4wggjVKqM7o1BSPK79324l9gkdXELfg2EBeoofWsxFlzlbzPAJEUpiyY9vOgd0DCmMEpM/tEkU7QNtaMVjfKdSldRcGrKm1XC6Xy2WmTpkKAJ2dneHJSCQSSRykaiCRSCRidL+Ccrl8zbXXPvPE4/Pmzx0aGVGYYh03v23NOdvKYM2zDZM19REIgQAJETSuaSO1o4885tWelc+/+LeVr76aOGOlUslqodJzz11w7gW9Gzbm81lOXF/4wKYRONyi9dnE4pVR4osPiHAUQOenaVA0yUAQoskZiwBG+0AawkHQFIIJJAOXGRwwAiD83oRcltsz3/tA6OYmItNU3j65ff7CwxgDTVP1EwRD68ln2z/piEXv9WrxRO+tdvY9Me5EYMGSYCsUcsqbMV8UiACEClO2bd82PDysZDKGEBBDMoj21kAAAkTgXCsUCgtmHnreQQeXy+VSvPxKJBJJOFI1kEgkEl8QccmSJQCgIN56ww/GtbbUqjVmvTmFQxLQc2R0CEwSTQMDgakar9bUQ+fPX7Fy5eur3mgkTd0dY+HChRd/8KKf//zn53/5Pzdt6s3mMqR7GXizQWZOQzoLBQpJMgM/yIp2xp26IuGLWUPCakoEU95tme2lXgZ1f2s/qcDnrARqh0vsa/RJtYrdVqN970IzXgu2946xSQSIqJI265COgzsOHBmp6j3SVs+9O3+Rqn5Sd58GqmSgYwI1ucp71YLglJyCDhEy1DhsfXe7WlMZY4C6ZBOiefl7oYj265IBQwAkQEVRrv3qVw886KDF5XJgViUSiSQJUjWQSCSScL75n//150ce6Trz7JqmIjK9ywgJna08r4qwRzpwbYmaprfe5EdkKmmaWlvQOX/V6jdfX726wZRWrlwJANOnT/lw6QO//j8/2/TO+oyiuE1ZV3YodFSC0Ce5fjUhrfcoVoRHjhhtazu8XoT2uO4zkgFAmPkeeDTWVSd9Hn166KleJSO5ATXjDrlTRWSM1VStpb149HELs4WsxjXGGAEQEaG/jhbyTCJFCRhFo4uJVzuIHlV8Fy2yllR0RhMPIlIUpVqtbt2ynTgyNHQEAAhwOAirnegOQ7rMYPgmKEoOALZu3IgAICdElEgkaSNVA4lEIgln8ty5r65efcNNN805ZM7Q0GAmkwXQu3oQELFu1niHKIyicFBP19ajhaanAYKq1dRa9fhjj179xuo3Vq9pPMGenp5sLnf00cf++Oaf9/VtzygKJ24uNhHiTuCDn2d3vdlP7h3iswXqhDsawws5NIN+DtYN4evxLXTbbiZ7eGyCv6eBMJhgd/QLSHQLxSdFmZHDTZg/UPDRwADW00YAABpph8ybOWfuzJHqiMKYeRgx2UMZ8QybEudStFKXS7yPbRItJFLgKDF4bg1RJqv07+7fvmWHgkyfDdEZ3Hs3o9RkFLzziAgIGSu2tFx6ycWf+ulPAWBJhExLJBJJLKRqIJFIJJH49nXXfelL1553wZntbW3Dw1WmKGDrNkrafZQ2DuGA0FiWnZABJ41UOvnEU5594ZXXVjXqZaDzgYved/b733/LT36yc/uubFYhIiAeyRAXE8N+d9r+DjPC8q6IEs/YINxaiLAval3b0ypBZKIKB5DKWAMByWtyikTVC4zQCBrXim3F4096TyargNHFrU/SUjfmBTGKE9nz1x+IYwRBo3mNfLu9IoHnNyHg9i07du3YrTDFPjzEFkOSGuv2ZyMCBE3VsrlMW1tx65b/x96bx9lRnPfez1Pd55zRaEELEiAkoQ0kzYhFIARiHTYhISS8MOA1xnsSZ7ET3yz3Xl8N980bO46XOL7xEtvxlsSxxksgtjHYhpEBs5pVkgEDkhCLEEIgoZlzTi/13D96Ob1Ub+f0GQnf5/sZzZzTXV31VHV1q59fPVW9DwDmzJnTRs4MwzDpaNlJGIZhGAAAGB09eNSU6ZOnTXnu+T26QGyFmqb5N9jOK7c6AAEQnCW7AQARhKZZtgWAl6274r777//N4090XsjGjRvPWnn64Ma1/+dzn6+PjlYqFddVd1602PUaxyeDxAL2I8SGPIv6GFhu7Iii+PZdX8znh8QKOHzTaEJG5HqnQKn+a6zLdLm8cMGK+ib3rpynx70bCSEMyzrl9GWrL1gppS2EQPTuBK07VqHrM19aUnzKakPfnIJlhVIH2+0wduVo0bquP779qa0PPa6j86StbItQaE3eMx3+JgRapjmhd+JpJ582dfr0BQsXHXXUUU91PPuMYRgmAscaMAzD5OWRR7ZPnDTl29/+zpzjjjGaTSFEYNG/WNhB2EXrzmBoMHtoPYASCBRAQEAghGlamqZfsWbttkcfefjRRzsv7LLLLlq06IQLLrrk7z/7xbFDo7quu8N0/ngaeT56AderaCxxNOAg+lGVd8FJzpkld5AJAEQ7SHFiGkCSRKXSCw63WuCSbEYXx7lTT2FqJ8pel6NksstCb9QZAE3Lnji59+xzz9B1DREEIgDGVApVnonnoehKAlHZIOFgZYh+hwQvTooaUsqV62WWUDQAABEJgZZp731hr23aQtPcXcH6xU5JO9NsXHkWCaBarb7zve9dc/na/v5+Z5FahmGYcmHVgGEYJi8DAwO9vRM//OE/6Ttl2eSjjjIMU9c1cBfHJkpy19w/CC23vlxCZXjhyISImiZs05jUM+E977zmwMH9jXqjlPKqujZ79qzPfe4zY826XtGd6jvtkP5M3rUg8lSHwH+Yz8wp8iG6P7xOWhseSHl+i5ubQ2yqAoZ+4uJVp2JFyYx3oEEs36Cbme4RHgbynCEkJEBCgYZt9J+2ZM6C4yxpOEv3O7oBpocXFJgDkZFCGXNQvMz8kKqsmEwY2UmRr9EVEDPvYwm3cQIgIik0fWys/tKefUCAvmgTyxSL/48QzsO58xIIrFQqp5xyyo6dOzdt2rR79+7c+TEMw+SFVQOGYZi8DAwMENHnPvf5o6YcfeysY4RAKYlkVryzKv62XGctHtzsvOjBMM2pU6f/0Uc/et+D2599/rm777uvvfyJyB+/6lt60slLT/rm178Ftqzqmj/w6j11xx2IULuMt5fq+hQqySAuOEQ+qE8oheSD/A5l6X4nhn8nuiDJvsmRIBnkoMyWU5705DJcr8z7KSnKQJFNBzmTE1SEKAzTnDp98urzVgIQuCpmPNCge6e9wMoC5d8K06WB1iZvR+tjwnWenGXS7cG7L6BAfHXfgX0v7deFFmyVMlueAACllNK2BWBvb88brtrw53/+5xnyEMMwTLuwasAwDJOXoaEhACCi3qZx4003TeidYJmmEJjglQboosuG0T8IKBAQpLSPnXnsX/yP//mD73//u9//4S233t5eAUQ0PDy8efNmAFi8aMGqs8/4zxt/iiQ0IZyJCJj03J1obPdJfK4vOOCflkw5wFrMum6NYEeEAqWycKQ4F6WHXmSnyxGgEtQLxpF2SvMvfbRs46zzVx5z/CzLthGRPDnRUQ7QQzFbpSs2j3t8RmK4UOQ8YmCjIsRAedtQfg6l8XcgIOCLL+577dUxXdcJZMfrNPpFBzJCACAhhC2lrunTZ846eOAgAMycOfP6668vpzyGYZgAvBoiwzBMAUZGRoaHhn7x8Y/f9OBDM4+d+/xLzwFALPw3wSeLrXhVhuOGAF4YOroxBkQkpTXnmOPf8wf/48tf+sebb/lpJwVs3759aGgIEdevv2LevOPv+dX9lWpF19z/PhDRWQUxchRF/gbsLd9dTX4oD4Uvt/3snmixalwvuCkST9xeIR0SFA6OSNJHR2MB6B3VJDseKDttp3iufHy7ImYoT4ZEoGvaWKN+wolz1m28pNajSylR+KsgxnLCwAfldi/jHGUXSRwqCv1PScXnyyfz2BLOYwFhFAgRpS0f+fW2HU88U61WiWQrlxIh99Tatl3Tq1et3zB/8aKp06add955d999d6klMQzDABzRzxEMwzBHJIMAB/v6bt6+/drBwb17X9iz50VNCARndYNkl7G1TTG61Rktt8sZS7RMc/68uf/7259aOXtlCdkDAMCV66/Q9MqjDz3UU6vqugYEKHx3xK942IdQzVAI7C7kU6vIEAtSPsaPjJy4/JEheQOCU6qHOdIchpHb8SJRNaBO4vYTslRHpLcidTpWmLLB8K/gnpiuqPgegoCABAopJVZx8B0blp+21CIbUbjZESVmoOrmyptTjmAC5X0t8fCEFlAamn0ilE2psC+5jLwlqQ8LVVNK0iv62Gv14W/f+NutT0+c0Gvbtnu3a930FLe/7HJU90tENC2zd8LEXz/yyH/deOOGjRvvuuuuc845p72qMAzDpMAzFBiGYYoxDNCcNWtoaGjqtGn/+28+XqkId4YCYngZuqRpCaHtHWu3rs+FbtABWpa5YMGiH//8tpWzVw4NDfX19XVaAsDCRQsm9NYee+Th3p6qpjuvH0cIPfxS0FHIkAwg1xBhGuSXTcqf1PBzUu3Oilhv14vMMxPBTzM+Qv4RN01BfZa64LirJQOIddYOTnaOo4vknnZ+nHsJIggNm7Zx2qqTl558kgQJhI6M2Wbebclg+SuV4OSXaI17GpSXdJfUoJYqgYCIB149tG/vfk3TvAVigx2sDBMIAIGIJEhErE3qBYCNV10FAKtXry4hf4ZhmBisGjAMwxRmYGAAAI6bPfufv/ylM1eublqmEAIAvedBb+gSVY5Z2QscOOtvEZCmCaPZXLBw0Y9uvhkRh4aGtm3bds0113SWPZx8cv/Ks898+IFHaj09QtOBSKDIGIDM82CMkbjfws1QzK+MpY1Mbg54fPktyUhZ1D/whTuuLSoAACAASURBVAOVS99RN0mRCTDhZ1yJOHZUnn+Vm0DFiy8oF+5A2UJRGTiFaJpebzSPnTNz9QVn6jVdEgkNiWRGoEEuOjg4S+4o0YyyWrrT+7CbByLgi8/vPXjgNU3TO1/SQC07IgABIpIkFGL6UdMGr34zAHR+t2cYhkmCVQOGYZjCOMsijoyMfPtf/+3Z556dfcwxlmnrKAAAIi9gLHdFa4VPQogAIFGIsfrYkiUn/eimlmTQ39/vmNoeK1asOO+cc85euerh+x6YUKsKTQCQu5CBV62wLYHf40lWoEDSQZlbXBLc6PSgkYKjr3l89fQkIa8//PLFJGUgTTEYN+GgFabSCiF5XREIUShbLkjKD53QJiGELUlUcfUFK+fMO9YyTQwuY4DYjjWKuP6UNCm0OtK4qFEE3ksMMlenTSKvhW4AQaQcIpBCCCnp2d0vGHVTE8J9Ky20+foNSvnorXqLCCcvXTp96ozBwcGDBw/yOxQYhukSrBowDMO0w9DQ0MjICAAITfu997xP0zUCQBThR2X/c5zsGb3qgyjmZREg4lh9bOnSZSct67vk4osBYPPmzR1KBvPmzZ1z/Owly5bdfscdvT01FCCl9NYwQyB0B8Yp5DUVfTRu+wm3NRqdp0T103d5BDy1NkqJaEHBNkkWKzC2Jf0oFYmiQfjPuBBTfsZTOsCsNs8gMi8m00OMzIhIty1hi+Ow4lhzbGn/4jPOOs2yLTdXct1UCEXH58m5aIJMUjtqeX2rkF7TpY7lTFATQjRGjeeeeQEJXbkgVJ76S6pJiTUjIiBChLe+9d3r1q3r7+/334/LMAxTOqwaMAzDdMTVg9c8ufXRs1auGB0b0zUdnVHAXIe2UuV93g26I47LjgAIY2Njy5b23/jjnzYN89bbbgPvxQf5a+HlT5s2bXI+T5446aipU+785S8nTKiRdJYyQHLHOF3bKeDhqaqQVa22hkKdA2MFeSsaUHxPfoM6NgY7qFRy9gndSTF8q06MsSNy6QEKeeL/mXHM3BVNONlZKzm230e8SBLUhGZY5tQZkwfWnDtx8gTLsoRwFkF0FZ92pgmoOkabJz0Uh9O2AFX+ZI9y+nBADPAVTEQQQhx49eDL+/brFZ0gONMmXIvYnbNA6FPocJwwYeIpq04xTHPTpk2LFi1qqzIMwzDZ6IfbAIZhmNc3733vez+z6X8NrDj98ad27nlxz6TeXsuyvJ2Y9cjrJshMBxB77CRCRCJq1Ov9S5bd8JOf3HH77dOmz2ivFg7XXHPN5s2bEfGRRx5GSffffV9PT822bcc8/2mbAv8C+kHkaTzvQGrnPkE0h9K99oJ7S6lU0Twzgg06cJW8ABMK5lR2HH4w77Kzz6JDNzJNHohfFqllJiaPHYqIkiSBff7A2YuXLBwdG3XFAoEkAaHDFQ18c3JuLqvLB6Nt8mTYjUutTRCACFCIPS+8NHpwrEevkSTXQPcen3CUarsnNGB0K3p7nRVpCaYfPf26d/3eN7/17bvvvfszn/lMmVViGIYJwKoBwzBMp/QvWnzHIw9ftvaSzZu/Z1m2EEKSLP1pljA0BwARpZTNZnNJf98NP7n5ux/96LWTJp1//fWdFDE8POwoEVdeecWTjz/e09NDJN3oe0p6mM8XZqsk5G91/ek/PVy7ON7zeztqSXbG8Qz95o/41qEx3fECAUt9y8FhDGIo5s6VhPcakhwpQ2cYnQsRAbHZbCw9dfEFl5xjGAYiCkTfmYyenfjUl/QCMzbkJqURFeFCbRTYreChQvm2lAEAy7Kf2fWsZdlYEZLstOrHwhDI3YzY2kjRo5y/6E2JQXnioiUTJvQ6cxN4UQOGYboHqwYMwzCdsub3fq920QW/mjZj6YlLtz76aE9PFSTlfvhEiK7dlTDi2hrrJUC0pTRNc8nSvuOOne34EqWwdevWjevWPf30kz21GklC9IIaohZ1XGBnTmfyGB2hyj0qWzII2JEBqfz9IhmGxZrEGfhd9xdQVX4pTTqerk7U5lLm7pfZsdK7iTNTCNG0rMnTJq1df0nPhOqhsTFNCNeLBKTItaWo8TiOz3chNOXIglqRBEKI+qH6szue1VAjkpmHemeidUaSZiuED0NnOQMAsG37DZes146aMHDpxXfddddnP/vZtuvBMAyTDq9rwDAMUwIX3vbLsRf3XrFhw4yjp9XrDV2vAID/+J/lmfgjRP4jtj92FZoSjF5wMhHZtrWkbxkh/svXv0FEwx2vg7Xmssu+9a1vffTDf/T0009XKxUE1/9A942S/gNtCTONKToS2kaG6a4V+YEZXu55i4h6XIVL94+ncKNBp02XVGbbc8Y7o+wFHMJ5l0uo4TH2u5s2JDSSKndl0nAoCTqRBCjRvnjtefMXzRsdHdU1ze/hKnEpkn3qWevSKcWs9qbYDYZCV+8RS/A+puvavr37X3pxf1WvoPOErZQwA2Dkr5tl+jkiZ+VFAOqp9V7y5vVO6tWrV7dhP8MwTE5YNWAYhimB4cHBv7nzzpdeenFp/7KeCb2maSICABFFX8+VgPsUGJYJMPAo7QafogCbpJRyxWlnIIif3nwzEQ0PDw9u3tyJl/Oed7/7f23a9PWvfPGZ3c/ruoaIkojQX2LQ8UrafX53Rj8DP62tHYU/u68U9N4v2CrNL7M7ngeCf25iHk5AMkiiLZP8HhH/OUyU1KYtZa3145/aTmqoOvlejuj/juyIWJZdvOPKez0weJYyD1MaTdB6f2BUB0BEAl0TdWNs+YoTzz7vjHpzVGgagQSQAf+UQkepz1Nsq6JLoipdypSOfJWOmBksN6lLKaWEDu5GHSaIJ0cgIhKg7d71bGO0rms6kPeW2sC7T0OtFPjr9UYMpU0CkYgQwbLlcbOP++D733fxZZd08rochmGYPLBqwDAM0ykIsK2vj4gQxVe/+s1jjj3Wtm3wvex8D7ixsfeAR+M5D4ho2zZKXL1y1QMPPfTjn9zkSgaDg23PaP2rv/rw3/zN0Kc+/em//LM/e3HPSxVdRwG2lFmDZLmhYAN0x43PGdKRO7tU49xSjuwR0BDF2kXlTjp/wyoMZQ7W5zcPoeU8+b5lzNcqUlTm6Uly8VGRKIdw0Eof8Pra6yORq8MxAEECEaEm6kbzmOOPXrP+EtSFlBIhpOwVCSUo233OT1ldp60bSXqx2fmF3p4ABEju6xXRaFpPP7HTuV27p8S/jWIw7iAsGOTHFSicSSoopX3K8v6X9r00NDTkLElTJC+GYZhiaIfbAIZhmN8FRkZGhoeHf/azn2/ftu3yiy++/9cPNOqNiq6TDA/6ZT/X+Q6Sn9pdHB2FsGxL1/WBSwfu+/WD2x97HLw3LLb9vHj/bbcJXXvHu65ec9n6A6++Uq1WETExpIA8AyFnXYLP4K8XLxtVfxQJlJvaih8Ibyr1yT/uGmdknzgujcrDUbGtKJjc1C1fK+pupZN+GoKuWnKh4e85hINoijSr4/6jMlM3jsH1EkHTNAmk9+gb3rR28ZL5pmk4MRmuoJj/PGDgWqbEeIS2rthOuy/lKFkhaBYstpSLLPDeGCKiil55ee/+LT+70zZJQ6EuRqnFFjpxgIAgEADRBnrP+95VrU342Mc29ff379y5s51qMAzD5INjDRiGYUoAEYeHh1esWDGyZcuL+/cvPvFEoWmWZYXWEcz7dBgcQUP36RTBNM1atXb5FRv2v/zKa6OHnN2dDDG9613vuuvBB5fOP/HiCzceOnCgVq0CAJGMqwbeRAWg4OfojANVPfK5Aepj1QeluVslj7XlfsBvN3yiu0qKymdRb3dRmONXK7Iv5HZjitaRs4rpZy46TjsuY6pteKYY/ilehAJyRpcJBQKgYRmrz1u5/NQlpmWIllJQ8BZAqV87pf2zk/Ne4d2Bwkd2XIuMPAI3u1ZKLwqMpNQ0fcdTu197dUwXerpY2onW5h9m2/aUSZPe8Ia3TJgwAQBGRkbay5BhGCYnrBowDMOUw/Dw8HHHHXfbbbdNnDTp37/73RkzZ9qSnCXPAcIP9rEnRs8lj4z6uRuF0EzT6umd8OY3Xb390Ud3PfPcU0/t6NzgalVbvmLF+/7kT+pjh6rVqpREkoiSHmfTZhUnCQfl+iOed4p+1p2OOUaPxdCf8aBbwkGK+YnxBDlShUsIFpLguGaN0Rdo6tA4bUducl5aVWxXqlAfl9dtpFZa1ITWMBpLly8+/+KzUCMpW3VKj5zIKqAtyro6Osin7XewtFNmeC2WkBWerGua1o4nd4EkFIgIbnxIknTXvk2EgIhC2nL+vAXXf+xjH/7wn+c/mGEYpm1YNWAYhimN6667bmRk5Jndu//7f//vH/j9369WqxQRAXwU8cygeopHFGhZxuSJk9589bU/u+3Wm2655a677mrbwsFB6OsDAFi37tKLLlr95x/+cLNRr1arUko/2jY0kAb+6FqckHxABMmqQkHyHOtKB6W4L6j49LtLVh0V8QWBIIWUo7vfeAVnK3g9sbPuGNAOitUwIXVuoYQQ3MtP00XDMI6ZM3PtxksmT51kmLZQ21LaKcjwyROH0Ds0o+hpirvwXYSiX7yFa6Sta9r+fa/s3vWcJjQicsRXkgUCzIIkHYPkvNZGIiARLVq4sF4/xMsZMAwzPrBqwDAMUxqIuGXLlpGRkY9//OP333vPitNOltJGb4H/6DOt97BHke8BhEDLNCdOnrLx6qt//rOf3X7HnZ2YNzg4CNDX3w9vGVzzhjes/9Qn/7HZbFSrFSJC3yV0ooS9VdyTJYMgpT6tJ2aGoT/q1JS4JxHXI843rpwz03YbpMvP/8rJBmGfmgJ2+O0RCbtPtLLgCpptuTsh6SItAy/c3ZfAOuulXghKxxMk8h+NBACImtBMy+6d0rN2wyVz5s42moYQ3sNbUiBDZ2S3VIlBPkeGz1v0HhecmCWJdL2y+5kXDux/TWga+rFQid6/SoBT68jhQpEQAFFIkj09tQVL5h53/OwswxmGYcpBP9wGMAzD/E7hvwHrhT17/uO7m887e9X+/a9omgZAXjR24PkTIyufo7sat+OkaGiYxuTJR6294sqf3XLL7Xfc0ZFhMLR3296X+vtnTj3l1L71//xPf2+YRkXXpZSRIAiK+pB5IMfJiTzqYlEHulCB4c/qWfmQ7pYExn3zei+ZmRaqMSZ+CW0r7PFGrKTYh4Qjkgwol9QVELOPBgBACk5SSYqFKRuvQxfu2O7ReecmACB4l5MtpUnmmksuOHnFkkajDv4CiKqZQegG4HR52D2bw2HDeAkQ5C6E6LxWlwDAtmjHb3daptVT6XEmLDgvR8wi+t9BUEJWqHsIRCCQDNM87rhjqtWpmtYoq1IMwzDp8DsUGIZhusK2bdsnT+ydP3/uww8/pOuVtHDlKAQAmhBNo9nb07Nx/eW3jvzyjjt/1YkxjpYx8b6JtX79tFWnfelrnzdMo6JrROQ6zv74WMCGgig8wcK5JE4DzrPensqFUuYZSOHKBiX4G224SbHhxcTxxo6GctPMSoslUbULqn5C+9NFGsQOJQO1fTnzKlB0WhVzF+kdju57JNN6mncFurKdG6KEKMaao6ee2X/FVZfZ0iIggQIQCdD5HZ+q4CkT2QYWl5AyGOe4gdxxJ/GjWmTMIogrko5i4945ybbtSqV64JXX7rztnvprjYquu+fZXdUgK3QqsXD1JBACEEKYhtV/6imvvLzv+Dkn3HDDDSnmMwzDlAXPUGAYhukWh0ZH/+em/2/JsqX1sbomtMBCg4EnRc8H8ZbodsaxcKzR6KlOuHL9xp/fdvsdv2p/IQOHkZERGIDGO0YXnL/4C1/7qmkZuqaRBIDweCWp3MiWYT4pI/shCvjjWash+BHmoWHzVhi66kh1RH7LukCkQed0KhlkJWjT0CzJIPSRFNtymBD2rTPisqFQt0gG2/AaKfI3K+PWT1gNySUctGZ2qLQHRYGOvOAdggCI2mizPm/xnA1vWqtXNduWAoVzxQovqEAW7XdpZF2EOSgu5QSPzXtI9OSHt6f/xEmscGtH61BvChdISURIRJpW2bXj+ZdfOqBpeitFZgUyGiiw0zsnCIgI0iZNE8fPOq6np/rud787vRyGYZiyYNWAYRimW2waun743//t/W/7vekzpjaaTSEiY9+Kh0YCQsR6vTFhwsRzLrzwlltvvePuezu3ZGRk5MnHn1iw8vivfOlLptEUQkiSkoiinjjEH3dVz8CJL1tsUdRlyPCslBbmcv7GewA0g8R6hseMx83olkqkatbuBPm/vog4wd22n7ywBBR1ozlt5lHXvP2q6TOPqjcaui4cnQsJJLkKg/9q1+LlZG3ogA4aqa1Du1FevIEIPc3APUhKiYiWaT39+NNGw9A0Ian1Ltqcgl1OHPEWES3bmDxlytSZk1atOqtwLgzDMO3CqgHDMEy3QMQf/uCHt//6vtNXrSIp0Ykrji045yyViAhAJIQYa9QnT5x00bmX3n/Pfffef3/nZixf3rdhw4b+U1b+ny9/CYEECilVY/NFVyBIT1+WDxJyYXOoFfEDD/sUb4BMUSR3JuWT1Tzd1RCOYNJrm1tDKHTSyAtNQLSkVevV3/zWjXMXzq7XxyoVnbxrrjXNo90z0lXJoDDx0KvxIiFqylsMNgwG7imOeiClXatV9r348s6ndgvnVYuhvLNLz2Vi0DAAy7Jnzjj6L/5i03HHH5cnA4ZhmFJg1YBhGKaLfOf739/9/J4vfvGfTzxxcX10VNe0BMcXiQA00WgYU6dOfdPatfc9cNevH3qgFBvmzp179tlnfPvbX0KBQqBsvRchNl03RhE3vTtE3YjcBqWFdIwzJbqW5VUmbUWD9KMydiUkOfynAdpzjuPHlFaVhIyEsKQNmrzq2itOOX3p2KFRgRq6CqMTFQ/o+LZK84IkT9zpNm03UsE3cZRN8i2PwIvrQHQG/olIoL7jyV37972qa5V8KyAWVAuCMxUICAiFmHb00R/64Ad/9rORPBkxDMOUAq+GyDAM0122bt36yv6Xpx8968V9L46NjtWqFQLyZ0s7fwUiItQb9Vkzj37bO9/101/8/M577mm7RCI6ePDg3XffDQBnrVp19upzvvfdYV3TEDDpmThVHUjQORSP99GFAtrxT4IzC0qZ/Z66O2pxaaTPpFbaETlcyTipOLHic9UifUJ3aF2DUshWvRRWtApPNqPQ4HdSitxvTAjoW4gCNUkk0bryjWvOv+SsRmMUhYYCvYUS0X+xX2BhyRCk+JS0oV263A0z20zRk0oRG6L3wcisodA6B7aUmq6bTfPO2+598bmXenpqAdUg2ZaouJZwQ458R0QETWiWZU2cNGnZ/AXPvPDCl7/ylaz6MAzDlAbHGjAMw3SXTZs2TZw0edmypSctOkkIlJKEO2blupTOjdi0zPmz5378Q398209/uuWOO9sujoiGh4c/85nPDA4Onn3WWeeed94NP/yhrgsEdFcyDM+6pWJx/+NFigfgLn5IedJmUmDEnWI/JZFrfNJLW1qpAJBciVhd0+oc2DeOPSkjtCHzuLQjKZS9+1OooNZ5SjssLCqROzHBlM3LrrzggjWrm82Ge3sIhBX48xTc9VMTukTE3NQOW7AJCyQfrxgaT0npKFPVXIWEzeREfeia/uLz+57b9YIm3EE4KRPWNKBor4qeE0rumgjuMrkITdOcNn3GVW9/u2VZBarGMAzTMawaMAzDdJehoaG//du/nTHj6O9s3jxr1izTsIQzeIiECJomQBMN0zz22ON+ceedX/jhD//rlls6Ke6aa64ZHBxExPknzFu+bNlNP7pRFygQ3TcfuH5KSzJIozMfsGQPMsM3bc/toNa/dCGgG+6wu5qdckc3acvF9+WD+E9OHSWPu17AjlA92s0x9bgsjSjtNEXDINL0FjcjIZCImlb9wsvOvmTdhZZlEEmBiI7I6C57mLuRszbm2lmIWGxNJ2sUpoQOeCEcIcFFRfuCUuB76OT5RRKRJgQQPvXkrgOvHKxWqyQJQDVDIXb2E9SJtASIgIgEpGvi6KlTvvLlLx6q17MrxDAMUx6sGjAMw3Sd4eHh4eHhP/jgB845e1VtYo9t2wIFECIIAjQNY97c40duvxMRh2+8sfOyEJGIdu148ld33aEJoWlC2hLAe2Oi5+1lP722Rdkj8V6mqd9zxoInZO03TEKzUCtlvsqpLXFCyls/iRZ3c8S+Ndo5jnEBkbI7ziCfVJGvP5TRDLnOo8LYloYnEAlgzBw76/wzLt94KYGUNrnLnTjx6c4bWUswNs2g9kH15yyD05KmHpt4/8pfpTwpAz2uFXeAiECk6/roobGnn9hpWRIFEkg/GCTePcMbYlEGoRIVogEAohCmaU6cOGnmrKNP7V++ZcuWTZs25a4rwzBMp7BqwDAM010QcXh4eM6cOV/6569UeyctWjAfiIhQq2igoWmbc+ae8PPbfum4+oODg52XSEQbNlzx6CNbEYWmaZZl+0+pzgfV+uuK5+3xdysTCQ0rduwoZhJsjM6HMTFxCnriAV3icJ/Rw12+i7qjd+Zu5j1nwUvRcyQFIqAYM8ZOP+vkq65Zp+vCNk0h0FsBEYGI3CX4IoVScLJ9q89SaxK+ytjyZb3i5GkwxUVT2mqDhTKJhHkgIqKmVfY8v/eFZ/dUKxUROCRiYVqoQZ4wBABHiBAobFseNWXK9R/961defZWOxHllDMP8LsOqAcMwTNcZHh6eMmUKEc2ePef7//lfPZMm2LYlpWwa5tKFC06Yf4IjGQwPD2/evLntUjZt2vTfPvpRIrryysufeuJJITRdaLZtIyIAYfhhNSwjxB5A23EryvV1k0biKSlVZ4sntircapGMRkjaF1huD1MjrceZ0LBnqS4HJfyokqb4suUSCz9J7SCRqyH9J2/poE4dWDAPAREFII41xvpOWfKGa9bVeqqGYaDQJDnr76F0FAOApCUMIiUlSAYFK5CBm1ViR2o1dlwxC653CqGTojhFGFxWNFb/lBF7pU15SZMMAIgIEW3bfuq3u147MFqtVKV0X00TmbGjav8kg/1DFZYjgpSyousTJk/+qz/90098+jND11wzNDSUv0YMwzAdwqoBwzDMeDA0NLRt27bpM2b89V//5dor1omKsC1r2ZKlv3lyx1f/5euOZOCsR9B2EUtOPPGTf//3b1i/fsdvd2goNE3Y0vYzTBhyVBF6Sj4sI1oY+5Avef5DcpDlYGUUVG40eUd0dWh5PDtISyFKbdxof4j6m8VXyVO2YExmUnjAqlURndT+W/wAGs36kuWLB9+xYdKUiUbD0DTd3eMl8ceVg/eHeJSBM/MIu39KAs2RJo8E8AWCNq6K3EepbQieiOKlxyQDAAAiTRMHXnntyceeFij819nG7Mil1OS4OgkALNucOGHi/GPmTp4+fQhg+7ZtnfxnwTAMUxRWDRiGYcYDRNy+ffvw8PAnPvHJ57dunzP7mOX9S3fvfmbfy/shsIRhe5kT0X/867/ueeGFjVdc8dRTT+m6pmmalIQYuclT4HdqhpG/qgolOWIdP8lmeeNJW8fvETqlsNYA65GJ0gkaZxM6Cjfw2h5jbnn+DAJ/Uoj7e2khB76gkbRgRWS8HUEIEELTGqZx4rJF177rDUfNmGwYhqZrBAAIAtOCC5KkAeWEhXLPuB9f4PSlnFkXm6CjCjrIFXyUbU3BDhNVGwgAUAih6TuffnbPsy9OqPWQ/z7MlgUFhLp8UzWELWVtYs8Xvv6VE+YdgqGhMqayMQzDFOBIfa5hGIb53eVN553z/T/58N9v+cU3b71t22+e6DC3wcHBC84794/+5E/ftH79408/VRGC3EhZAih+m6ecjqX/nIwQ9MTUz/D5nZZkxyDgDTkVU5eW1/485Xo7VOtAJKsXnnEZBaUqMmkUrFqnZ6RdW9Iqkf1W+0IGKCqV3AmipyYejF6s8KgckD+NEKJpNBf2LXjrdVdNnTGlXm9omoYA5PZtRbB+0EePT0NIXs6gVNUgtrpC2tmMlUyK+4QqXeLm+KZYwaHZKUmdLKZ3BDZEOgU5IpU7CQE0HaUNw9/+0YO/emTKpEm2bXvlFGnnXL3Vay9EKeX8BSfMmnXcN771bSIYGRm46KKRAsUxDMN0BqsGDMMwh4FNg4NDg4N4zTVt50AE11wDw8POZ7pq7ZodzzyraYJIkvNy73YyzeVyY+CpHMNP6H4+6r/ZKPWHXDoABX4VFA5SHdyM/ep8YqpBPo8qhz2dqAYlSwZJOWU3V1hpUiegAu0Q1w5UPQABKD63IcFVTCoy4vF6vT/R2tgOBAQBAEKM1scW9y18+3vfdNT0ic2m4bxXxZfjIqqBJxlQvBh3dNsVCeOqQSfRAArvPraWQUQ1UFy7wW+pslke7SBHnwsJBom9KNpHlKqBm8hTDRABqKpXXnju5X/5wr/WX21UKrqUss1rKt5lVQlQoGVZ1Qm9Z595ul7r3fvSvvnzd37yk/cdsQFNDMP8TsIzFBiGYQ4D1w8PdyIZDA0NjYwMOCsnEtEbNm7csWu3ron29QKARHcj+SldLRm0T3TOQ/ZchcAP+vYUsygjbe7WLCoZtE2R3MocYw7nWSAEuyjRoHB/Myo6CPofM9tF7dmrDqPwbwpUl1QpUwIO4pIBIoIQr9VHF/UteOf7rp46fXKzYTpKQnC8Ovp+hATJwN8dTF+SZKDYrswutjE70iZ5f+QnsDktD0qodJYgmONqIk8HcSMNCBC0J7Y/9eq+A9VKhWT6IpW5yLCEQJJEoi999Ru1Wq2/v3909EyWDBiGGWf0w20AwzAMUwxn6ewtWwZ27DiD6FNXXnHF7l07NV0joNyzjGPEj0uRDFzKlQwi+RZPpIp7LqWozvIpvYG65awfGaRHm7eEg/F58Vw7HYpiHwCBCBEJQKAAxION0ZNXLHnrdW+adFRvs17XNGe8OkEuieQcszAyFSkWeH9Y40qTAJrRlQAAIABJREFUr8p816sXeBE6IOnQYlUNKD7ptzkKCgMoxOhofeuD23WhO3Eh6L6gpniPxGQjqJWGgASKngm973jb2//tO/9++eWXr169unBZDMMwncGqAcMwzOsJ/21b8+fP37Bhw/r16559Zpf7RncnzICij9j5acUepx+a+WSOsef83GQMDmYa1goib6cFjgwOr5/XGbkMV0wUSMotbdhaNcZNgV95CST2D2pnjD7i9WNwCByJQGgaAY02Rs9YdfI1v7ehZ0K1PtbQNc1dTo/iObZcVlTJJN4RSbMsSun/qtaJloLBv0WzRtWhpEjY7Ws6EFPg2EAYlAwQkUhWq5VtDz/x7DMv1Co127bb1AuiZYah0H5bSkBxyvLTjpl9zODg4Jw5c/idiwzDjD88Q4FhGOZ1AxFdeOGFADB37tw3vvGNb712cPfOnQIFIkp3xDH4BFrY82z5aBhwgcLh1kGfqBu+beIDeHGHJP8xGK1oZrHBZlB4jh2jnABQcFZA6f5VUpi+T4H2LhF1buOlGGHkb3AXYmsOhaZrkmTdqK++cOW1111VremNuqHruqsGOM6p532HC0h01iHcJ9qVDNJPR0syiA6GU3BnZEfe7JPiK2LXY3t9pqMJGui9HROQkMgJGDEN6+H7HwWLhEBozQrpSndzlBIiErr25a99ecqUKZs3b+ZAA4ZhDgva4TaAYRiGKcB1111XH6ufe+65V1/9ppdefFETAgiJZCtyu5W2yINsPo85uHoAJg0ERy0o9Dyddwg6Y1/kV3LKiHMS/5o62K30FBNMSkc1ztw+GU2epJC0nWH+LDHaqNGjQhpVWpax8fWQA5sUFR/OkQBQ4fcWICS0hbYDAhIAIgqBQtMs27akObBm9ZVvvlzoaBqmrukEQEjOagdeH1B0usSIfAJ/sQP1hR8IdM+ohyp7/28ox5iq4fzB0NdywMCP16iZR0T+5jEo0oVC+bm6BiIR6VrlmZ3P/vJndwny1qEoTSZMOsOSCI+fffzdd9/ztx//WwD40Ic+dP3115dTKsMwTG54hgLDMMzrhuuvv37OvHnXDg6uu3TtKwf3VXQdAIikF1Ybf5wvLBx4c3SVO9O8PZ/OvDAIRyt3OoKXHK2eMECNgJRZyzQhIR8J9epcO0htsHBDpHaPog2fHZ2es1bZGcVH1JNemZd4cNjP7lQviO9x5AhyXU0UmmGaqMOaDQMXrTnPlpbZtCvVirTbP9/BNyYoQgxKGPmOSwZ+zhSwGzPOWHlj8K2T5ozx57uoyb2mWykS5RUEjPvuTjsjEgEBIcK2hx6vH2pOqNZISiivfvHCyWtr27bXXb5h2+Nbh4aGRkZGkBdCZBjmcMCqAcMwzJGOs17BV77+9R27dq0fHLxo4PyxQ2PVSgUDgoFPQakgRq6xueTnVoV4UYhgtHWskLYydoQDv1kw1THFbKc1sZTAnwiRTPN5tpHcM32zfCc+7C/HRqlTzcn25juPFMljSVgjoNjWpHFbVQ5tSwZJXwC8VRuEQCAQmqgb9Z6J1Q1Xrzlj9amWZZAkXdNJSidcJ3r15rCKCGLTFrLEgoyzQ4rOEMqSYlucY/xf7msJ40aVS8C79g3O7JitS1+tIVIoXaQ8B0myUqm89MLLj299UkPN2ZV7Sc7ki1MZz+HtEChsaU2ZNvkjf/kRRBwcHBwYGBgZGclZKsMwTInwDAWGYZgjmiEAAJg/MPDcc8+ed8mlV19++dihQ7VqDcBZ/TDwxNyFZ/QY4QjzyON6Vw0IZl7Q70TvNwa+qtPlzTkUjlBKbHbOxkudNJGXWDR91JRUHzRZM0ozLGEqQnI0h6IYin5RSAZtdsP8/h9isKPEjERPehKIKLDerE+ZPunqd151+lmnmIZBkoRoLSmF8YHjjJFkUpWZL76gULeJr4xK4c2hLAOzlooWlEnsqgxfAgmFFZiX0PqOwV0tqQ4BQEpZ0fS7bv/1Yw//tqLr3iKJOaWyzDQJJw/BNK2zV5/345/8eMOGDSMjI8PDwzmKYxiGKR9WDRiGYY50cMuWXbXq3GV973vH24xmo1qptAZNKeCmdDFwFdXecTnRAG2ZU0qaTtLnc166R8u7LLvRM33QxHiURAkgdaaHYmfQBw1aFUK9pbtdMO7kBz85ggIhohAChRg1GsfNO+Zt77n6pL6FjXoDAIUQFMhHEW2eKAupIyiSoieSGjUnytkbcQvUqkEpYLjjlHs5p7Skd7j7YgsAAJAShC727Xnl1p/ePnawrmualz6nWQnJlK3sHoHu9BZN+4u/+utDh0Y/9rGP9ff379y5M1+JDMMwJcPvUGAYhjlCGRwc7OvrGwF4/sorp/Uv/4P3v8doNnVNc16yCOQNtJLnLJHzqxQw/JOQJB0K/HRICXHkCXs7cHNKlAzaqB+R+xPMhMIfUujEZKfkDjLw82n9VuxJK4ECAkHgT5dVq+jEhHAP8CPmhRBEMGbUT1o2/x3vHzxh4ez6WB1bywVmTkwnxY8qrD5lwkVHl506X4qkUdWimyegk+st0pzRnRQNrXBmMrgvs0Vb2iDhN48+8fKLr2jOGpah1MWszzbVwzLNOccff/HFF0+ZMgUAeG4CwzCHkXEfHGEYhmHy0dfX19/fLxCvWL/+U3/3d4bZrOkV8pZBC0bQQsBjQbUTUYgcEehpo6FR76KE/2oi9UjOkOLuTbcoc9H42ATpeBXaioVILzShuJxtiADRqeypIQUpGalShCYpKPSBMiWDvLNDkiuL/tWoaZotbVNap53Zf+Wb10w+qrfRaAihB0pxq+Ysl5iQYZp10ROX7MLmODuqAlWqQVS3IPe1D95V4OsmJT1Yps5PiZvTBolZBAK5AFBKKYFee3X0B9/58e4nnqtVq5KkYt3ENgxqnbhg3dxgFCFwbKz+jmvfOmfhwvd+4AO8CCLDMIcXjjVgGIY5Qtm+fTtZcvU553z6k5+wTKNWrUrniRLTHlDDe0p70Mw5AaLDuGg1RZ7Gx/vJuivlKStczCcZh3YoTZtxYmTSswsPrI+PLBQm7N6r5uY4koFpW6DTxVec9+Z3bOyd3NNoNIVwVp7GYEw7UXxNA1X0S27fNLtNirVa0mSE0PdOwg0yoiFSs+mwe6uLDoW+kARCBAJqGk0gePqJXXt279WFRok9EMO/s26ZSRVEJEBENC1r2tRpp5x1ltlssmTAMMxhh1UDhmGYIwsi2rRpEwBccuHAhecMfPXLXzEMs1qtkLTBX4ErfEToj2pXJ/hRDHmTlsvhcBBzUHJV8zkFnZ2ExBknsdiQIrR5fiI2JA36RmdhREbVx01IyF6wAQGFpjdNszKxcsWb11y2/iIUZBimEP4ceArmEjrjoZOSFiqUdKrCx7Tc33ZahXybogS7T1sOcRG65iYnGueHizgxFIhEYDSbCDh2qPHYtqeaY4au6SBLKCqSKHj+nUgfIYRpmIuXLf3lbb84Zs6c/EUyDMN0CV4NkWEY5ohjaGiocejQilNO+fo3v2ZbVrWqS9v2Xx+I6L3bzSUUKZ/3YTv4QKscRkzamT5PAZ1lvBKA0E8BC9MMVBnQKiJzbYP4TzrYmsSey0FP/wkcU8BNykgaOkHKamHU/44ESRe1JGGyBkb2IATOfWywOtyk6joGXOHiril6BkRzT+1PgL7ZzpGe+UjuXoGAqImx5tjkaRPf+JZ1K886pdlsSElC04KyQtDpVsUZhE+VWiHIKfGEbgZZjZqTlGziL0/ILinPxVY26plA6CujCODPAUMwmoZt25VqbeeTz95/x4PSJKFh6uSIYvdgr3xHr0DfEGdNTaGJSwfOr07o/YM//FD+DBmGYbqEfrgNYBiGYUJcf/31ltFYeMIJ//TFL1rSqtaqtmU5c4h9d0npsoYCbFOIp6C0B92CyVNpDaj537szRuxl7PgyYY8rzYcKxJArDUvwjmMJcpPaAokNHa2I2oJsW9xZ8W3pBZ2Sde7jlQ/N4Y9mldmVMPobM6ZFJOlCSAQokGRIv3tt7ODc+ce/4dp1C0+a16g3nHnpSEBI4eUPSSEPRYtSViZRL0ioBAYTFJKkvEn7ATPcayJ+aWD4V5tlFqSNXpomN7W6gfMyW0TblqZlSGkLoVkN+ZuHf3vo4NiEWg9JGyD/fSshXUwBClzPSCA1Xa/X63PmzDthcd+r+1/KUxLDMEy3YdWAYRjmiGBgYAAA5s2ZY1nGiUsWfvZTnyeQlUrFti3F43d7D+QJngZClx/y43gPyJT1YF1WacEp5QETklL6+xUhGeVJBjlIOy/lnDP1IHbxTHKZEvSelaXmzaiItQqfNt8x0W/YWvMQUCASkq5phmkY0jh99Yp1GwemHz11bKwuhBBCAAFFooIgsGhgGlm1yxI7ukVIOwhtHOeogYxVMMJpW39Se5e/PqUtZdNoEkmBUKtUd+x8/qkndlQ0HRHIeR1iwaIzt4W0Pme9C4S58+ff8J//acsCMyIYhmG6B89QYBiGOSLYuXPnddddpwmx8rQVn//HL5BtCaERuY+MkQfVlLfG5yHgKAafVtNzUw3U5y02HHpdxD51IXlyirk2mLgztFt1XGt3svAQ/RI9MqehPmlTSNJ2ZGobpZLeH8K9K3tSipdSkUNwln6y1+Y3t1Nc1jSV5HkygdpgZAsCIhEIIVBgvdmsTapevuHitVdd1NNbbTQamtAQnWkMiJE6xwP5Y6WBMkEBlUThGWerZYkkN0+gc6e0YRcoJG8R5JYYCAgRpaRmowlICIAoyIZf/fK+Hb99plbrkbZELK5XJVsdaSBEkASaJoymOW369Dlz59m2vXnz5gIFMgzDdA1eDZFhGOZI4Y7bb586ffrnv/AF27aEEEQSCDJ8gDTSJ0b7Y71xXywlOjrPMzNCeP0CDO2C2LdYaHO0pCIji/nsU39Pbdmo81nEJyoimRTKPzM4PSfdn5hArYkimSnDXyJdNHmsFlsdqp0GT8Nd08DVARB1TbNBNqzmor757/3jd5x/6SrbNo2mqTmvS/BDVgrIavmgzHNVRr1Vy6bENxTUAhPJrlMobf7bAVG+9zM6dyhElLbdbDYRQCAiQkXXn9n1wmPbnqxoFSxkZsDajKJjlgihWbZ5zMyZX/7yl19++eWCJTIMw3QLVg0YhmGOCJaedNKSxYuHv/MdIBKakBRYxiBC9nN67AGXglvjj7/KLWmkxPkq92LU18jMp2VJgs3toHByVBbEAxPyxwt04keV5uiO3+oEuQkP0ia7/4m2Z9Ypn/iTM4+QooUhAxAR60YTKrhm40Xv/v23zJ4zq9FoIKAmNAyf/jZC2bsxQJ9lhrrMNOEgm0KHEAD5bzRUXerkpYnMsor8+DuI/HkEOc4BERCCZdmNpkEkUaDzhlvTlI88uP3g/kOVSsW2bcC8wlcOInUBBHd+hGkavb2TZhxz9Ne+9pWbb755cHCwtDIZhmE6gFUDhmGYw8+lF1+8asWKLVu22CB1TYAkZ12uIl6H4um5tTNRLwinUgzzRremkt9ViI6xKYyJegJAhUcloxuUHkaKiYkSQAcx3yqjkil70DzBhq5Dka6UWqZ6MDmfmZ1JBvEyWpMYEFETGgGMNRtHHz/9bde98dK1FxBZhtF0ZiX4Q9YpZWRWoksnI7Wbg6KzZ6lrWXE5SVYEQ5wU3n5AIIgmyK0CEEQ6W2Z6BMuyDKOJCOhIA0QVvfLC7hd/u/3pWqUKRAio6pcpZaQV7wfPuCEpzrsegYQmGoYxY+q0f/mXbz/11NNE1NfXl7MaDMMwXYXXNWAYhjnMENFPbrrhkYcelURVXZdSZg+r5veNKPwrM9fsnDHwL2FXZ6Rb24qeTvFNMjbEjlY6jMpjksMVijv4SUVmVTApfcSavCWnJw1NYY9Hq4dG+FNcy/a6hX9U15WNkPPs1gURyPXoBApN05pWU6I8eeXSq65ZO3/RnNGxQyBQoAjGKHgt4mSiXqVBsZxCqPnyBdZHc82XJkPwyu7FGPjdxuFB8sSPRJXMpKza6iFEhAJN0zQN06sYIiAhSQtuv/XeZ556tqdak9JOFYOyqqy2LfgGUqe7IQBpujZr7pyHH3jo7/7ukwAwNDR0/fXXF68ZwzBMyXCsAcMwzOHhwgsvfO9730NEb3nT4CMPbrPJrlZ0W9r+MJQflKsg5yNyAckA3LLGPbg98sSdJ6C49Tf2ExmjpJYHFh3Vz+mNJBrqbU0LSUgrIWlD0RPQmUqTIs4o5pKgX191Bm2OvPopkuNDcudSmFD7BfInx+sHANQ1HRBGx8amTJ90+caBq9925cxZ00ZHD+mapqHwRAZshRt4YkqBtfNa155a48qUdnLtzRsjo5SeErJpbcvsikltnUj+izTaQPkuCxTQbDZNw3S+OSVIaeua/szOFx7f+mRVr9hgA0DgzQnxKIl46ET6lRAKuCD3BzShGYYxedLkP/qDP/rN448NDQ1t2bIlPXSFYRhm3OBYA4ZhmMPDrl27HnjggbcMvmnr9q1AVNUrktwRLSLvNWBJYdOhPzEo+LewF5r6mBoYEk0eck81SnlQ5Li2nfhClU33grwdaapA9hM9pXxTbUbX50xe3V9tZcqnVNOSa+4Pu/u1D4RA+BWPiSZ5/dKYJYcLalmJrVUPAQFBoEDUK7phNS1pLz9j2YbBy08+bZkk2zBMXde9lJ6kEowygOTIAgz8i6O84EPHFkZ1TnJklBxOkLYZwz8hCs41SGyKsJiQmo9Cd0AAIIFCEjWbhm1bAP5JQ4EAALYtb7v5Vy88s7dWqVA09qtkN9695BGISGhixowZzz733Hf/Y/PMmTNXrVo1MjJSbnEMwzDtwRImwzDMeLNp06ZtW7fOmD79wIH9jzz0CCDommbbUjircKW7DR6JbkdHkoGTc4rHGvWIIhYlGaUypWVo0ORxD3hIaMhcXhUGvwAoRYKsukTdmmjsRc6+AJEjU+x3zQr+idiRMFelsJiT5xmj2LkOXh+lPcFQrN0REFBoAlGrN0anHzP14rUXnLKyr1arjNXrJEkIDZCQAAPTE5LePKBSDSCt4yW7yp1eHEVUpUAfieSR7EVnXPyBP9Ga5D+Z0frnVw2ce4szEQCIGk3Dtm10RDByT7qUslqr/Wbrkzf+x0/BdNISoNMUqou8sMmKmhOAEMKyzGqt9sE/++MffOf7555z3sjICEsGDMMcOfAMBYZhmHFlcHBw+vTpw9/73kt79jzy8FaBqGu6lCQQoyvGdUB33O5cwbLKolPi8w/rQDOoHbFC/mhwTDU6vpq/cqr4/OK2FCZhhr261PJNyds+0ZkKZRsRctURAVDTdMOy69bYaWef/J4/fPs5F67UNa1ebyKgrmneGxhdzx/dhswxMt763u5UlE7OQvktmCEZ5I5siIf9J6VpG/LfgSClbDSbUkp/7UMAcF68gAIbY837fvWQWbeE8M4pJYYbFbVBuQkBgUDTtBnTjv7lzSM/u+Xn27ZtGxgYKKNEhmGYcuAZCgzDMOOBMy12y5Yt27dvv+mmm9atu/ypp34rhBBCOBGwbTyTKp7I2w4wCGWbFGuQEmgQ2lqgLkeEehBTQ3JVIOfikcUsUW3JFGtihmQFGiRkgq2s2q5XZ3aEukNSKA36nlY5YPgDIhJSo9mccvTkDVevWXPlRZOnTmk0mkTkiwVe+QihqyLJsVedQUzY1e0Y0PwzFBJSJQVUBD+qJyjkrVtmlEu4k6V59CFFiIgQ0TBMwzBUaiHatt0zoeeh+7c/cNcjVVFxEiBGOlvBM5TjxiZQ2NLWtMq1115bqVYvveyymTNn8iKIDMMcUbBqwDAMM04MDQ1NnjTp5ltu2bB27Y4dO3RNFygoFCKOyd5SIthu2GxihurR5nTJQLGvncocHulAvdB99iGpKYutg690svLaVEQ1UCXCyNa2Dcllh2q4tdDcB9e5L8m/9oQ2BEBEFMKUlinN5acvfft7BvtOPdEyTct2Fhwh9JabQG+9h0C0gWdbgllJ8xQUqkFZA9sJdgT/tJVB5Ey0PioNTygp5+INuS6iYMiH3z2i5REAgGmapmk5jd7qdQgASCQrlcrBV8du+fFI/UC9onlPyN57NDpGEXHlr58pCWZMn/alr37t0ssuu+222wDgm9/8ZgllMgzDlES3NW2GYZj/1xkaGnJmqP7Hd75z7VvecuXaNTt37NZ0QSCB/KW5/Zna7WgHvm7gH6OarJ4/t7hqUOCljMqtSTMUvAd39dfxIuC55R2CVQorASi3apA3VUqQQJEx3VDPUE9bT/gSTpft9GWOGLvbCp/svLEG0X4XnYkAgASEgOTKAJZtN21j+tFTzr9s9QUXr9Y00Ww2AYUz+4BIAiA4oUFJQRGJV0BchXP/pMUapAgsbV8iBVQDdR9Bd4NCMkjLK7imgWpWUNzElg35iJ/s1osPiAjAMAzLtBAx0OncLoAIlmX39vaO/OLuO26+p6ZVobUKottxKHTS2zAr/ClwpyciKentb3/Hsy88f+xxs3fs2PGNb3yD357AMMwRBd+SGIZhusjQ0JDzYcqUKR/5yEc2rFu3Y9cOXdPIJkAiohyL/wU9nYybdlBvaHuyQtwlTl0fUWlFJq51ISOjDuS4aQd5wigCqYMDy0mkqAbxzSpZRZFfpj2ZVgFEWzxiVUw+cd7lET0+4VvkUHXZwS9qNyyHGpArXSqB60QTwiZqGk2s4rKTT7x8w0UnLJhTr9clgSaEK+25LmikOXIFSfh2KwWCtNPXDdUAUk5QtKxgQeEOElUNsvOKqgaQXIdiqoHn08cqFNhiW1bTMEjK6MlDACAEtG3ZM2HCvj2vbv7WjQf3HaxWdGrJQ5lKW5Z9yk8B80zbOmrK5Hvuf8hRCgYGBngdRIZhjjR4hgLDMEy3cCSBXbt2LV2y5H3vf/+G9et2PfOMJgQQARB1uvhh8rBm60M7jlXHqkHclpSjU6IiIjHH3SKXCpCRPp+debyk4kmKqQYpBUSiS9zwe+89kDmzzRe2kaZEZB6edrow68ct3X2zqRBCaIbVbFrmsfOOuXzDRes2XjJ1xlGjo3VEFF6dvQX044HqRdtaMRem6Okr4WIoFFoTaG21oW3faKIHYexDIU3G/+MFQ4ArJ9hSNppNktJ9vaGzx5vZReQkRk3od95279OP7eipVoGkmwnGiygDAu/tDAgAhmlceskVDz746/MvuGDv3r333XdfeSUxDMOUA6sGDMMwXcF5Op0/fz4irr/yyg3r1j2ze7dw3+TlDbJ3OpqueIzt/Mm2PNUgw6LIIFxkuDkif2Dgp21T4rYVlwwg5idlyDcuimD5QLpszUHtthebnlAARXy0YppKvKy4Wxwjh2SQdri/J2ZKgZoLRE3TbFvWm/WJR01cPXDmlW+8rO+Uk0zLbDYamqY7r0F135KArX6CzpsTWmevUBy5ItygoGqQ6MQXawAM/SlO5O4Q35soMqRmWFgijITIOLaglxMCWJZpNJtAIAQ692SnjOBovy3tnp7azqefv/Pn95IlNU1zuqji1GbPTcplc1AysExz0qRJP7zxxt3PPLt///7+/n4ONGAY5gikxGcvhmEYxsWfAvvYY48tXbr08ksv3fPCCwIBEKWU7vhWaS9ajPmv4bG6oiG1KkemQ1c9crA/PSExjl/xvJ4W799+vEYh7ynkMAT8RoUxwUDswL6YqeGG9ac6q1HObci1LZJBSoCHm0eSL0w58lDrKcp5KJknLrGCiS4ptjL2PyIgIQEBOvHoKIhko9GoTqj1nbrkrPPPWLB4LmpUH63rmq7purPYPrhLHijOS7gZ8qt/6nU3oyv0U/QSDhOM9Ve3Qd4LIqP355swlPZ+gYAwqJihEEyTz4ZWFtHSydcLAAAIEW0pTcMwLRP9Wy0BIkrfFFe6lZomTEve9P1bH3/o6QkTeqS0nXOgvkVH5lVlEpuh4AkWRASa0F6rj1562WVnnL7yg7//B7yWAcMwRyz64TaAYRjmdw6iIYAhgEe3bj15+fJzz1198JVXdU0DACnlYbYtJ+HQ3PiU4bayC/leCR5JfDg7uEdxJLoOQ+fiSwYJLZDSMLE1AZTHBhs3ezw2q5o5JIOSiRgVMkDRcYpIBgkQACb3SfLHmd1ECE4XcWQDAQiNZpPQXtS34NyBVScuWzhhYq3eaEqDKtVafB67Ei9XV4eI9c2CIl3E/nx5OApIGeS7vgNyTHBLVEUrTN4DY963+5mwFfHhzz6wbdtoNi3bBgBq+f9ARAit6WEAQARC03/7yGNPPbarp1Yl8OcmkHcBR6+7dm836AsmjoYlAJumMWPajA9+8A/vv/8+lgwYhjmSYdWAYRimTIhoCOB6gKPvuefNfX2rV648eOi1aqVCrdcldN/B9WnbpY77etRhuEF81M73zwpaF3PR2tYMjtyH9MQqBcWX3BHgaoWmw26IoROQM7/ud/3QNArXrUUCQhQowLCMpmkcd/zR516w+uQVfUdNn2QYRn2sIYTQdOGkjio9mT61oiUiLaI6X63sVZdWWkO1ygvHVRS/mFpGUSCz1NqqIi86JhhuUECidBenCBzl/LMsy2gaRLbn9ju6Tks78FeokER6VXt1/4EH79lmG7LaU7Ftu2VLmbROGXmvckRdGE1jxYpT/+vGGzZsvKr0IhmGYUqEVQOGYZjSGBwcHB4eHhocnPSLX5w5adKGgYGxQ6OViu6HGJBi7LnzB/DYc7biwTt/KWp1gICCY6o5c1KjiE9ufW1vNkQbjZi/kPTM1V6Oe0zYoVSNWyZmmmYOhMrMHdzduaNHIfPDdUkc+i+0PacdCXNLojEISESIgJqQ0m6ajSnTJp+/6qyVZ62YddwMy7bHGnUAFEIgojsrwTlMWZfYqXPjF2K7VMPv5bqh3QiuyZ1hrAPmzlBZRFKyHAVQ6zcAOa9UNJqGZVrgvfLCyyocXkCAiP64/28e/u2eXXtrtZq0patmUjBSqJSmDoidCEAoNBw92eHEAAAgAElEQVQbq8+adezKs855/tndK1euLKMUhmGYbsGqAcMwTDkMDg4CwPDw8Csvv7xq4cIPfeADo42xaqVCNoGgVnAqABSYCN0WseftYjEHycOi4SFVCI+mxkqOjCCGNieOixYZakz2YMcPAsCUgnOZVaDOqgKS8kz8ptoQ2U0JnnP0uHhPGCe8Ngt5mOiP4gICgBCCiCxpGc3mxCm9K04//czVZ8yZN5uAmkaDvJUNISoZtNWXih7UqYyAwU+udNHGfUXR9/JmklqDtiUD9a6MmmFrVoIn0bbuMMGZQogk3UUuEYAquv7i8y89cu82HTUBJD0VCJIkg9YdEMHRUtOJ7vdCH5AEAoGcP2/+TT/6kdXl/xAYhmE6h1UDhmGYEnAkAwCYO2/OvPnzP/rXf31obLRWrUop0RkCcxMqw8O7EG4Qo1SvOtEloLAzE0wb1Q0S7OnEfR6XR++AuxqN7lYaFPBZQuEGOYIFOrFR8TFrW0dmFJIPSjhR8eZzotMdP1EgApJlW6Zt1Hprp59x6lnnn3HCormI1Gg0EMNvQgj4bMWnlsfmJ0AbMfwdtT4FDRgv97OQZKCKsYonSzQ9yacmAkQCQCKwLNMwDHfZgvCCD+6rExCIvI+ITlSTbcn773zo1f2v9fb02mQD+QJMqkFFCcwpQSACEpoYHavPnDZj1uTJW/fsue2OO8oqimEYpkvwmxcZhmHKYdasWcceO2vVeWd94m/+/9cOHuipVZ1H2PhU4O482KuXZy/qjJTxZrGocKBUSpxAYLUBHZTuR09jViVC9UxNmjglIKaQ5CY5faGckhIHRuHDJLlf8dycMfg8BxejYPdKa6jIaXDCBoTQhNCkbTesplYTi5fNX/eGSy+87NwZs6YZjaZl2858hOAhiP4bFv0Mw7EzGacr1t3yxPBHk5chHbV9hgrfJdK3lR45E4fAm2QgiUyjaZomgHceASkpK0ctQiFJ1qq1J7Y9fdfI/TW9QkAYuCPlVHGy08R7ghfKIsleeMIJCw8cOHbHzktefXVLjuIYhmEOIxxrwDAMUwLbt29fvmzZacv6P/93nz746qu1Ss2yJApnArYzwTY4QSGeQaejhGrJoOxS8tGatqDWC7pMkvtCCduL5lnssFZwQXBLMiU1VYGWp/CHQFVJoSZkknOYNjIun3RIogVu3wr6/4ia0GzbNsx6tUdfdOIJZ5y1YtmpJ02e0js6OtY0SNM0N7DcnY9ALTezSyT1v7R0r0ci9pcVbxIP13GPJe+XZVuGaZAtndkoznZUvb2k9fZFQCmlpmmHDo3efft9YAFWhCQ7+yx0cm160jFJ0nQxVq9Pnz7zwnMv2PODH3x8504AuL6DvBmGYcYBjjVgGIZpn6GhIQDYuXPnwPnnX3j++V//128fPHCwp9Zj2XbrNVqBUIP2Zkyn441yZg+b5xnSjI3gjjfFYg1aKSm6ISGtYlA4qzhUOK+RAzHg/YazK20cOcGyLmY4Plb7TZcnOoQCnwOKAaLQNEmy3mhoNbF46YKBy8+/eO0FC5ecQCAbDUMIoWmakz6whAEGggtC/6J25lRClPYrZysU7iM59JsOfdr208YPDm1JmJ6A4d8Y25Joluf+S8M0TMMAb9aB89tZ2DKW3C/UkY1ktVq7/dZ7H3/4yVqtRiT993SqiuoMv/MgABEKlDbpmj537mzDhn/48Y+gr2/gpZdYNWAY5gjn9S5vMwzDHDYcyQAAfrN128nL+3/wgx8cGj3UM6HHNu202dFpwkHKQ6pquDVvQmX2Sc/yngtT9IG50P8n5PzqeIZCaAI/uYeHfMugK6ByvYr/N9iSVaLHum6p6x8oTI2MmGYUoCBnvATlWKctKefcHS1fdhk7M6ZRKBy51jlFBEShacKy7abRrPToCxfPP/PsFSf1LZ4ytbdpGc1GEwVqQnPGoP3z75yGwEWKgICtslRNkHxFxCfepFevVY/Qx3ih6QcHQpfKEiLzneccqkHctoSR/2wUWRGRZVmWZdq2BCBE0TIlKhlAS7VAICIEtG17Qm/vk48985/f+QkYhBqCDJnZ+pVoS5F6eP0KEUFK1ES92Zg+Y8b3vnHDn336I31z+kdGRkZGRjKzYRiGObxwrAHDMEw7+JLBK/v2zTn++Bt+eEO9Ua/1VG3TFsVXVEsF3fjr2E84Sb7B2tZPGHB/OrW0swPaXlWB3MPQOz4ydOkX16lkEDgoFJaBEIwtAf+URQ7LVWC65ASqmnVOnv6TaFBbZaXuDo3Q+y69u8gdEhAiappGQGPNutDF4r5Fl6678OJ1Fy5YPA81qDca0pZC0/zV8ltKAbl93S/ONUcVZJBZz1KmFam6hkJfwqTdZdGOatBmL2zdccI/gIGbnZs/AqDzUg8UCCRN07Isw1lo1rmR+Rkqm9Ef7AdAaUu9Uq2PNW++8dYDe1+r6DpJZ0ZDVlXULZ7jXu+eXZRAQtMs267qtSUnnXioZ+xTWz994ekXLpi+gFUDhmGOfER2EoZhGCbM4ODg3r17AWD/vn2TJk688b9uaJqNWrVKlhQi7T18OYh4VNj6l/LTOaXkVrDmno8Q1izalAz8vzmM6KymFB3yD+QVdXjiLlZ0iLkwmZLBuC4iQary8lkQ1lriO1up/Ak+zhZEIQQBjTYO2WguPXXxtde98Z3vv/rMc07rnVgdHTtkmE2hCaEJr1e5EezoD/n6xYcd95LJbAYK6CKh76EBdiJ3DxFQpMWVzX/4KaE1/YvH+eCcNZKy2TQN0wACIURQMvCg4GdHbiD3zRpEJAEJAe++/YHnd75Yq1UICBAI3HVrveYsuU2dvJ0wKClp0sRJ//bd742ZY7SZYEpLgGYYhjmS6cb/kwzDML/LDAwM9Pb2Tpw4ceqUKcfOmvWjn/zEaNZ1XZe2HRzVLJGSYxcyiVagYPFFrY1M/C5yeLypcw79dY4/kyIUoKEY6fT+BbZQLEHo+A4tTJ79cWSSfL20LiUvRgAB0Ja2YZmVWuWkZQvOPn/lSX2Lqj0VKaVpWpJsTWju6/ec4WkKdixnXdJY+0Y3qE9AfGv29IrAx8Sz2pqTk2MGUVdpJ9Yg6TB/OkHoa+wQP4qilc45T4jOsoZuyxGQZZqmZZG0IcdNlvyrgFqmmJY1YWLvE9ue+sn3brUbtq5pROSkdSYvJF41aaVlmOJc0kQkNGFZFqB2yZo1ixYuvOPOOz/ykY+sXr0ax/v+zjAM0w78DgWGYZhibNu2rb+/f1Jv7/SpU3/8kx+bzaau62TLbkkGJeenzrkTqzNje3PZ0UYWipUDUnN5XT2cR/yqI4V4rHxhosqKai66W1QgOAAJyLIt07Z6Jk04ecniVeeesbR/kaZrtrQbjYYz7KwJzS/AHZ0OR+60vrQb0uL796oMEiWD5EPcEfHXWe/MR6ANknRBjCQIKnDeGzHRtqVpNm3bjmWScXEE1AiypazWqq+8dOBXt/7aONTs6emRUoI7YSU1aKOMKxCFI4bQ0TNmfO5zn3P6/PDwMEsGDMO8XuC7FcMwTGEuuvCC009bMTIyUm+M6bpO0vULoiPHZdClp8pYZHbA9g5jDTo4qBitkcGQL5F3pLgz/MDoVkuqx1zbjDVQRC3kpKxYg1gGCte2cKsmOM7kZe8uP+C+6cBxrqSUlmURyslHTVqy/KQVq05ZvGRBtabV6w0iEkIgIhEQkRAIRCFnkVprVHZopL8vOatof4yfBWUwifIaPzyxBvnki9i8mziRjg75so6EHggAsizTME3wgwIkBSJI4m0UOj9E7kKHUkoCQhI/+9HtD9+zrXfCBCDpTP3wzVJfMtlnIeOu31qUA4iIPvpnf3LHPQ/MmTuPiIaGhlg1YBjm9QKvhsgwDJONMxa6ZcsWAFi75rIF8+f+8s5fNRuNarVK0vZiaLtCN1UDb0p+1NdGRdp2yxh3EhpsHFSDeCmF+4Sba/vGli0ZpLpDpakGXkOSu+IdoKZpgGDZlmEahPLo2TNOP/vUdVddet5Fq445bnrTaBqGKQQiao6ygIF1CwJGh95/2qGRqahjJZJzDxVxxHmOWfbkmaRA6m+KlMoIEESU0jYMw7KsYBYYOgRTblZEQOBKDASyUtEfum/7Pbf+ulapCj+8xTsZ6pOV6zLKPHno9GrLNufPW/D4009/5z827927d/ny5RdddFGeAhiGYY4EjrT/qRiGYY44/PDpf/jsZz/8kY984N3vvvfee5um0VOrWZblOy1dmJ3QfcnAJ+hthobCO7Cgy//DJIR2xNqse20YVw38v4Gx0MiAa8ilV8UaBDyihEySSB7iLkaiZBANQikqHDjjrhBpJC9vRCBAIVACGEbTtMxqTZ9zwuzlp/YtP23prGOOFhUcq9dJkhACAIQQ0lkAHwi8NQzcyIKWSxgqI1+7dKYaZJ2FJB0j0nEPQ6xBkHwRBxSuTuT24fVc3ytPyBRD1wsiSikt0zItg4gQRfiSSYiICuFHOhAR2FLquvbcsy/957/+pHGgUe2p2baNkaiUJJUjLxkvsiUABPG5f/mnv/jj/3bfffcXzZ1hGOaww6oBwzBMGr4UsH379r6+vuve+faHHnjIsKxKVZeWhSjc59PQumsl0NZAbr5s3U9xl0oV8l9OYV0gpnD4pY6zahAuIeTqA0Qd49j0hEiShFxThICgU5aZOCeKlk0cOM/ZUf1ggtZ315FsRQoIoVm21Wg2AGnilN7j58855bRlff0nTZ1+lCS7aTRJktCEv0Se77Ji2H8FQH+iQ3bNEowtgkIygNSzoBQO/I6bsMhDTvNS/fM26KAx/O/+DTLSXfyN/nsxpZRSStM0bFuCHzhCil6erhr4R0giArIt+V+bf/7kI09PmjjJkqZ/1Sjud+1fOqpzhAAAmqaNNRurzzpn+swZn/nMP7RdAMMwzGGEZygwDMNkMDAw8Jvt2x964IFPfPzjDz/4oC3tSrUi3SiD0krx/R//veXl4mWJAMnvu4ukTv/JU2SJqMYxlaWG4p2TbAi5CxEn1D009ilcjPMrK39Qeo8ptqskg5yU0xkLSkfp78v0ehuS85I8t/MgECIiISCgpumIwrLNseYYoTXz+KNPO/P/svfecXZU5/3/85yZuXV700paCTXUFjDGDQGGBdvIoirGK8DGGILtvOLYTlx+dhIXreJviBPbcZqd79eOW4IdLGGKaaaZFU0guuSVEBJCIFHUu7R7Z855fn+cmbnT79y7V/28Je3eO+W0OTOa53Oe85zeC+a+/5zz3zf15JMMgx0sDVuWhQyZpiEiAaHjVIDOVXPkFnQ/IjrtGewRo+/ZnsaK/5bYaJ7fThuN2tzH0If6kSbJcDenCGelaJ1JtgBRqVQqlUpEwplbQs61rKJ3k7zqCLK3ZPTMC8uHnnn0+XwuL8iSK2wEZYg63DzBLiTnzGgas0yrra3t5/990+DDg0899dToc1IoFIrDj/I1UCgUigr88z//8xe/+MVrP/axF154npMwNN11cK0PkSOPdcU3GJ5k6FZTp5SH1qVWsZ4FEflVNPg9CSak6THfY03ikMGc7J0ezLJ8jGtnBDZEn+/fUE/Tx5fgaFSD6GbzyDOIDBhqRGSaJZOsbM7omTRu9mkzZ8ya1jGmzTD0klkyLYuIdKb5rqrvAntVA1/u0VWomzNN0vV1vlX0NXA+Bloq5KBSPYddOIjs+b6JBYS+ixj0s+Ccl0ojnPO4NTWCGcYfQvbcAwQgQ8+8tWnb4l/cPrxvRDM0EiLstlAnvQ0AnFYi98KiprPhkeHLP3LFO047/UMXzm1vb69fZgqFQnH4UKqBQqFQRCBfWwcGBhYtWkREV1111aqVK4hIY8yWDGDU75r+90s4lE9k9P+IhZJMncjjU+Y9SuJDpkfkV0E1qM4wTvLAjxRgotWNOFvKl1qyahBtptZzSkm8qJFI2Gj3twzaA8YASCSHgIEhWoKbpRLTsbW9dfLJJ8069eTJU09qaC4SCrNkci6IBGMMkTmF8bdQkmNIQMjByDrV1GQJpmp4Q02qQeSkiqo5Mm938fcWAaBXOPCKBkII0zQ550SiiryiG4YAsPwYYwwsdsuv7lr/0mv5TJYLHi5ZPSUDCDa8rusHRw5Omzr1d3ff961vffPb3/4/dc1MoVAoDh/6kS6AQqFQHHW4I12zZs0koqv7+1etHCIUzJUM6vuieYhJNfbuOaRulTuyunQ6u7sS5PGCr3xweJA4vZWaNpPozNKT8gonmscY+A5+e90/jAyOxIbAGAoibpoWt3IN2alTJ808dcb0mVM6xrSxDCPOR0rDQsgJ7ZqmMc+Yc9nerFyi8gaqUJe0VErhUD0QfGrZYbyfys2ePvN4byByA5cSkROu0r5AlmWZZkkekNLLACA6koz0YaGycEBZPbP0D0++uua1nJER6SSDam9Dm6i7ijFmmmZTQ8M7zjj9y1/6y3/+wb/VkLBCoVAcJai4BgqFQhFBX1/funVrzz33vMsvv3j1qtWaJudmU2iCbY0vmQDOecFhx/oTMbqXdGj9SlH/+lROMXmavaTasfS4VkGfaRrsF6mnVPgTjLeNfcnXwYm9SryZhEqH5YYvdzfZcIzZ8QuF4CPmCEerravl9Pee+oGLzzv3A2edPHNysSkvkFvcFJwAQNM0RMaYtAyxHOkjLm/v1uBh6PyNODu0r2K160ZEgXxdyZd1YsOnyKE6KnvfxJwWp4+VdQB3ZUyJZVkjIyOcW+CdsOC/2LGFiJAMyEkHAYCEyOXzq/+49uHfP8EE8zzZ/ImH1KbYGiaVxv/ZieGByEzTnDl91sSeCagbfX3ny7V7FQqF4lhEzVBQKBSKMgMDA4ODg4ODgzf/76+vvOrqyy+5aO3adbquMUQhpBkYmJpQk2qQ9OJaZ8pGScpsbGM3tbF0dE1SiB+QjjBqIkYqY9OMspMdGyM0PFrtRA9PmvGeIeUEI/IbPRWnJ4QzCU1JsFvK0W0YYwTAObe4BQwamgo9J42ffdr06bOmdXS2IQOTW9zi0rmAgNDvxB6YCR/MMrI4KVovZqpHHCnaNuaQyD5Qza0feNRUPMcVHkZzv9VyP8d71XhdB1yrHji3TNMSghPZi2jWsGpt+C5wN3AuMpnMti27bvv1PTs37zZ0nYg8eXh+Y3CDtwEr9DavQ4abiHOOpuvDw8Njxoy5tv/KV9988+/+4R8AgtEcFAqF4hhCzVBQKBQKGyIaHBwEgMsuveTKq66+5MMXvv76JsMwiIhE2WZ13A3cd8YqBqgO80tj1ZIBOGNltqNv2uPrOrEhKZ8oazBkKdbgaOD1ZE/j0FCzcRZopbBjfTndsJc4QO0TEyoxiivoNjsBMESGDBhwLkrmiADK5nPjxnWfPHPq7NNm9Ewcly1kzJJZMk0hCJm8oZAch/WEgHkVkTcl+lovpV99TTtrStbfbSp0omqyx9CHaqmlspWeEghA3oUVOeecW5bF5VQFxlgNegH47gL7WYyOfMeFYBorlcxH7n9y+1s7s5kskYi+bSIcDbwPAk9vijwRYy8gQ8Ytns1mppw8ddv+fd/+zndOPeOM/v7+quqoUCgURxVKNVAoFAoAZ7Crr6+PMXbuuefO+9D5b77xtmEY3LKc91rnVdL+nW5kr7K/fD1J8qOPPsy1sci3jezTUmkHFauXdipAhb3RtUtDVYZJ0iWNcDuoPPAfM86NEGHbRmVeFjqiHABq61yxIoFfnfFrLFEnoSN0IDLGkIhGrBEuuGaw1q7myVNPmnXajMnTJrW0NgOKEdPct28/ygUXdcY5jyuNR7eKN86ioKCpV+Haj1bvijl51DJaemO6Lk8XCnyJuiK+39GXJMm7gsySaVmcQACA7CquZJA+ooFzvK+BEIBIAKIMp6hp+hMPP7X2j+szegaIQg5i6Un1ePcUwj6JEEzL6mzr/OlPf/nd7/4TEQ0MDCxYsKCWIigUCsXRgfKVUigUirLv6rq1a6edfPLF8+a9/toGw9AEF9Lb3BPNy305TGXJHE7ngqAWUMHI9lvhdpWCBm79l1SodHjkdIDREuGanFgUXwHKMxRiFk0Iui2EVzYI6QYJ/hGuq3+ogEHLrt4kuGH4K2Db8UgAyJChxoDILFklXmI6Nrc2TZw0bsrJk6bNmDJmbFc2lzHlGooAGtOQoUxFBsy3w+b75nRg2PT3lyVew3BSSOpFMSdFbY5ySElN4gyF2MJXHLuP/ZaG0C0f+yXJ0K4iXykHWFbJsrgQIvqq1u5u4CslAuOcZ7LZ1SvW3r3kASqBntGFEP4JQ1EuPPHPuvRapeuChoxZlqUZ+nnnnzsybO3ctbu/v7+/v19NT1AoFMc06hGmUChOdNx31pdffnn69OmXzpu3cePrmqYJIQQJlAe4L55BGyqJ+LfECsPVNZBmMkKsZOApCAXfpKsvXvzhsUa7j0STrwbCSkjiMU4pwuUJFSwc8jDUS9I1YCDlspJAYeOmPiS3b8iOI8eWlyOpiCgjFgKYplkyS4TU0FwcP3HsjNknT546cez4Mfl8jlCURoaFEICaprFId3Qikb56Hhux1i5UuXPGbKvlJki2QmtTDWp3uEnMLPQpyZKPdbPyuAAgY0BEpmlxbjnrF8RrJbXENSh3B6npCUGGbrz91vbbfn337i17ctksJ+50XW9po1Qn7xM+QX+Nl6LKdUfggnrGdXePn/DL/7lp7ty5TU1NS5YsqbaCCoVCcVShVAOFQnFC476tvvTSSzNnzrzwgxe+/fYmQ9OEsL1nnRFRqGHwPXFSrK8U1RY7PtH6qQYQsorJY8gmMFrzCz3/6kFFR4O4zY7xXlYNQmpPrGpQneYSrvIh6SSBHGMpt5QdoRDKlx0ZY4RgmiNmqSSAio35sT1jT541ddrMyWPHdzU0FAjAsizLMkEIxjSmaSgXr8SyCSZ/lGPUBeapx5UrlWQASV0odGpiWrWIZp6TD4WvwWFRDaIcDbxj9MFdZdcQlFeZiDi3LMviQgARYwAQOwchnWQQ1NC8/QYBiEDTtIMHzNtv/v361RsaCnmLc8eU9z62Ym9/390c96xMdmBBQETTsjLZ3M2Ll3zvu//UM2GiDK+booIKhUJxVKNUA4VCceLivq2ueHHFae847eyz5+zZsSOTyZCwrRn7AOeX/HEIVAO7OKkTTkg0VjXw2/u1+hokmA7hYyK2paxjtJd+jYQrlHAkBs0Gz1KOKVWDUXQW/8yIUOHqSPTld4JZ2BmSXPwQABDlPWBZ5ohZAhSNTcWxE7omT5s8bcbk7nFjGpuKgMAFtyyTBDDGGBIA8yyox9wqOv3QtvsCqkFCVSuoBj49K0Y4qEK+qrLPRpycoBr4Cuu1a6tWDUZzm6RWDbxfysUmAMe/wFlVEYnAskzOLc6F3BuxTGKgFBVUg+hLSGUnAiJBgMiYfv+djzzz6IuFXI5A+rCkbNd6qAbOrpGSNe+SD2/bumOkZHZ2dnZ1dQ0MDFTIXaFQKI56tCNdAIVCoTgyyBe5SZP6lj3xxNhxY+de8MFdu3dnMgZ4jD302FA2VS1HUJ1qMCrS+Br4DgsXpCrr6NBqznVSDaq19zD0IVk1COVBcTvSZV9PDwu3ECk6Ido/mevHLeUCZIiIQpBpmSWzxLlZaMpPm33SORe870MXX3DuB+bMOvXkjq42TWecW5ZlCiEY0zTGEP2agb9qUTZcnaodVg282+skvASSQf+uZAs10MWo3PgRqUWdi+FNdSSy5GGvA0Sfqe/6F1iWVSqNWJYFAIh1Ef4QEHx/vWILIjryQcbILH985eMPLc9lctKtwdNcKcsRrQ6kUQ3Iri+WLD527Lht23bcfsfv9uzZ09bW9qMf/Shd7gqFQnFUo3wNFArFicgAAPQB9MEps/6la+wZf/vlL+/Zt08zdBLcO9puu2aHHPX9A5axD9J4I7CuRownxfSqRpRskOhoEC5sNT4T1Y/bjlo4oMhvVbc5lnWDYJsFQ7N7+kls1PZEZw1MeflCw6E14W9dRCg7FqAQwuLcEhYRoYYtrc0Tp4yfPnPqpCkndXa35fIZi3PLMgXngDJKPTFkbiO7+opHNsDozulanykmKcS7uDu5lLMMKgaBxCuNPif5JCSrBnHHYuC3f3g/xWj4IVANYn0NYrSwsncBeK+y1AssyxKCu12IiNLE/6s4PaGcC3hbyu01xElkMtmXh9bf8ev7hEW6phGJqp+x/rlFsfJqRAcGBJALh3IhEOH//uRn3/zGNx5WsxIUCsXxhVp5UaFQnHD09/dvGRrqGlw1/uxPnXna3P7rr9+/d6+Ry3DT8tqWqeNzeQ1Bn4hA4KxKF3tK3Sjnk6RjBEoQ7+kd0EbqRhrjyFMQSlBeDhdO7hXaNTxbIeqY4OcoIyQpmwRnhrSt5O+fAIDoRhwgIUxuccEBwcgZHS1tJ00aP3XmlCnTJrV3tGXzhmmVLNPcv/8AMiAByMC1EAVROXBBUByR9wHZ1pWnAp5KVOgbae9HckvgsTZr7kTR2lN0nlF7k10HDsUtVhv+wvjnFHgEGOd5hkCEACCE4Nzi3OKcwGvhl7UgCisIVcQ+DElb4OaOAIRcmLlcdvNbO++/8xE+wg3DEEI4D41qJYNAbcOFCW9AQgJCIGIamiV+0eUX/3Hli5OnTFGqgUKhOM5QvgYKheLEYmBgYMuWLVu3bj1n4uQrPvWFj9+wYNuObdlMVnAOBMQCQ8VeAzrO1yBA8Ll62Oze0GBmlflG1s+/KzK/NAfXNNQfZTCkIan41dppXmPHP4PAHwMiqoekaMaISoWG6aNO96YUO6oeOh2dKTcIyBgDJCAkIiG4aVmCOOqsobnQ0dnWM3Hc5GkTek7qaWtvNTKG4KWRkREhpy0gusY/gQiVqaydeZsuzosiNNod7aSRENEgbIFiTIs4lnF040Wn72/zGgz9xGsSVR3nrPjOEnGjV0Ew3Wi3Aoyx7WUHEEJwzi3L4pwnNEnY16DKtQB065UAACAASURBVBLCCXiVWeSWZWT0/fuHf/vf92xc/2bGyAA4wWsjnakiSXye+5IJ+XnIW4lAaJo2MlyaPOmku+5/8P77750796J0FVQoFIpjBqUaKBSKE4j+/n4ZnqpYKFx2+eWfveGGLdu3ZTIZzi17NCxyjcWQ434lGzj60Xp4lusOagapBq7jbbLYrbWpBgnJxRGlwiTkHswswQpLk7fX2PVE8/MmHl5pIs5TI5X44leZIvzZg9+SGsQekgUAQsaAABkiMiSyiAsuOOcAkMnrze2N43rGjZ8wdvxJ3WO6xzQ1N+oGsyzTNC3OOSJoTLNtSQhOaw/Z006J/KpBoJIxFnOUakAx7Sl3+veERLpKukAyqTpu0h1S6aaPbobEs2qVBaMz9N37TmdxzGEqG+7oTEVJoxc4p6RSDZyN4W4TmQgCAhKzOGc64xa/6zcPrn7h5WwmSyTAcZJAp+/HEv0Q930LPkAjn60kUNdKpVKuUPjrL3zRYnj1tZ9MMzVDoVAoji3UDAWFQnGiMACwZWhoa2/vmDFd5/X1/dmnP7VdSgYWt61Dj3ES0A3A+6lWz2J3UnD1Zzr5VncsSa/w6HMTLTFfWqMjZAKFmq9C7YK7AwpHYPwfos2BGmoSc6ECqSfqLZEnRmwP5VTeFjsaDc4hzjQO13T32jYyKCEDRIbI7PnnYoSI9IxWbCl2dLV2j+seP3HMuIljusZ05Ap5AuCWZZojwyMCGTBkuq75xukDzuxRhn7ArxzAmZvgbI9pjFBKyWPTUVHvQ805ik5cD8kghQQQOb6dXKxQO6Z8qoSfZv697gwSWyFDAEDGgMiejGBZlhBCXhY59SApt8TDQhude4kCjioebG8ZJoTQdIbIHrr30dUvrs1mc0TCJxPIJyCFBKtYxbeKfuLpysQY4yQ0Qz/1Xe988sUXNr664WOfvC59UgqFQnGsoFQDhUJxQjAwMACDg12Dg8XTTz/ttHd88a8+t3vHnlw2Y1mWbdQAhEaNA5Tf7yvpBkmWgjsUVk71EOB9N0YIFrzCC3I9xIJEotqvgnUVP9QM4J8tn3RwOuI83AMZpBcMnKRCw/Pe5Pw6ASb7Jbg2EYTTIcePHJEBAhAX3DQtLjgyyBXzne2d4yZ0j58wrmtsZ1t7S7Ehb2R1QYKI79+3F4AhYwikaeiavfbqegBOJDxA7+1QoQ9T+WfwKnu+RBiWyRZpYob1vq2qlwrTF6JWGbJ+kNPh5BqKBEBEjDEAGemQWxaXsxLA7lxARCmnG4QPq3Sip+ncOTXliAkIIJBBxsg8+oennlu2MqNn7AedV06hcmK1iaMJjga2HCtbijGzVJo2ZdovfvKLq66+askdd1TITaFQKI5NlA+VQqE4Iejr6+vr69v70kvj3/ve39x0094D+3LZrOAc7NdQx7CJHKyOmpIQGyTfpsLTNTwWe7Q8j9PbL3EFDnkSxFhFUaN+R74REiSDKG0iLDSR/0foDPdjheSjckTHrnP3+oQDBESUS9URCc4tLrgAymT1praGrjEdY8Z1jZ84dkx3V1NzQyaXQYaWaZlmiXMuBGmMMYa6ZuiGwTRGBETCsxpCeXw7dry2BlxfkfAaCgn3WKy+h55/oyOVo0HCzqqcipKfJJT41fc7RT7Bdi5LiWgb3tI7QAgpFHDOZfQKcoMkutENq4xT4OSb6izH48A7RwKABBBAIZ9/9qmV9976EJmg6xrn3PZoqE6BqXBowpqLMh9d10qlUmtb6/d+8O+//MUvfvSf/5k+b4VCoTi2OPIvaAqFQnF4+OgVH5k1fcb99923f/9+I2sILmwfU69hGxkZK0pKiA/Php638SRSGI2Hhfg3Z1nv4JibS2SBQ5JB5YyPCtUgSiuINeN9fSTCfE22q6NN3aQigaeDysth+37LPwgADBGIhCWE4IJAGFm9sbnQ0dU2rqd7bE9355j25pamTC7DNEZCCMEtzoUgOWSMDBFRhoMHAKZpuqYxTdM0DRACrt92JSJqVpOIEDLzvMpclZKBm2Rsn02LL213ln/lQyOKUX1+VVJNZT2qQdxDiog4t4QDgC+yQHhxhGqLW80pcr1OdMtABEJAQ0NxzdArv73pLvOAZRia7MaAThDEysmnLYCvZb3TEgAAQGPM5DxfKHz4ogsffXTZ4OAjqeulUCgUxx5qhoJCoTghmHPmmdNOnnL3PfeYIyOZrCFjGQCgY9/FagBxOK+P0bNvU57uI5XUMGqqfsm3m6jactVoBh1un4ugm0e6mSNljcn54jdW0O1Y3lSofDYkX+6Y3iEdo2W60swnIBCcCy5KgojpWGwsdHa1jT9pbPf4MWO6O1pam/P5LGOaICEEtyyTlwQRobTC5IgxAhDY47QAACA4H7E4Y1I3kNoBegqC3mHnULEjK1ZFd0i0+1KtB0quG0ZVfSnC5iS3SOAPrpeiFPXqx4EuGigl+jbH4SsuRmk+SEAghGlZQlgy6iE6S3IG1k0sp1qTo0F0AUOzbdBxQEFPtyKiQiG/8bW37r7lwZF9I7lcznmSp3+CV1Xm6DtRyhicBBF0jxu3fftuJRkoFIrjHuVroFAojn/OmXPW2We9/4EH7zl4YDiblQt6M2cib3D8ONoxOcrdIGZTWio7pI8uzWiH7/KRATskAudF3uMUn5AfxLVdHPFtdwj/a6ogBlRXAPL/SDogtDW2CBGXA20bHxBBCEGCOHEiLpD0jF5syLe2t4wZ3zl2/Jix47tbWpvyhZzGmAx3L7jwLiSByGIH9+3RVPnLvitkeARd1zVNc6QK8nYIv+VY4bIHdsc1s+v2U40LR4CoNftic4uQQOKSDRYyZe5JpMm64hh6rC99SAfxzkgAQCSpJ1kWAYHtwwLkX2a0fH6quIaxpD/d0SmkuwEDABIim8vu3rX/Nz+/463XtubzWcEtXxVjalozkTMUUG7XoFSyCsXi088+/9WvfrVYLC5evHjVqlWjyU6hUCiOZpRqoFAojnPOOWvOB8+/4J577927Z082lxFCAAEyjDOdIHJz3O/481O/46fcUYGI93vPp8gh2ng7w3OeY8dipLgQrVJE1z3CuT/u6DSjpqP67ytRA6nerzy+85QttGr8WMoGE9lzCIiEsAQHEoigZ7WGxmLHmLaucZ1je7q7u7taOprzuQwicCGkUiCEcGd6M2D+YpF0hoh2oUe3COgZ70VA1DRNY4wxFpAewtHunIRCylVEVhGEVIOghZ7axE/ssVEpp03YX5DyfRI4oLLdmuY54TOAvXl5Buirux8ISXDBuRDCElzIlGSHcX9Gn3hYVANHlpITcBABBZGR0UaGrdt/dd+6ofX5fN5e+jFC86mbB0RZ/ZEORYiyUzKNcRIg6JqPXbN5+/amlhZ51MDAQP2yVigUiqML7UgXQKFQKOqMfAddunQpAJx6Su8HPnj+A/c/uGfP7lwuJzgHlJPB5aulaxJHp1T+WHHgEj1/PRsiSTfeXQV++9/O2WPZRL9G+8/yeQiHTsGkSdr+PSE15lDK07WkHe3kUbWjQdqMULYeOoEKIzNFQCb/ACLYbgKWZVmWyTlHhtmi0drVPHHK+FPfM+t9555xdt973nPW6TNOmTZ2fGe+mCUQpmmVTJNzQcK2AAHAm2fgQ+wFLasG9nf3s+BCznh3V9RDZGBLCpBsrfkyczpFxZYOjOyHPlYmOh/bGK82eF5yLiHJAILPhFGknfIIr8rgKRazvxIRAVncMk3TMk0hLPdSentEnHAwyikJaU539AJyuqC8HYSma2aJ333LQ2tWrMvncyRIVtP/+B7F0ybm1HKMDOe+QERkaJl86rSpW7Zt/+nPfw4AkyZNUpKBQqE4vlG+BgqF4rjCfTH92NVXr3lp9fve896nnn5q3959hULeMi3bAEo70B/tP1CFl3TMofV1NIiwVZxsyf7lL0f8CVI+iKpYjK9BOMuIDYkjylHnVE3V7YaxX9KnFvKAjvSZiBpFtR3/CYAhuteIc24JLjgnIsNg2Xyu0FBobW/pGNPWOaa9o6utvbO1oTFvZHUEGhkxTdOSrgSIyJBhdH7x6kAcPtXAERrKqcsAeAhA0ulAuh+4vgmB+QtOpe1lG52AdfJHjLNDpJtBKs+ghApB5bs7ZUKVPd9DVnyFDKsuSdiXw2PxU3khUiRERgRCCHu2imUJGf/S9yBMrEyKtRLq4mtgL/pIbhcBAmDIhABNQwK8786lLz7xx3w2z4nb3cKXWpXNmNbFybtiiX2vHRgZ7urqfOSxZXEeGQqFQnH8oZ53CoXi+MF9iVy9atXgw3948YXnlj3x5PDIcCFfsCzLHnyVR9QmHMQ5TCeVKSKhQ6AaRBdbOsZHhJx3zgnZ9AmqQWViLOiEU6vzD/eLHimSj6ZSAukTTJiZ4I0WWJ4pgGR7ugARCC64EJxbAjgyzOWyhcZCU0tDa0dLR2d7V3d7e2drU3NjNpfVdEaCm6ZpWZZlcUSGiBpzYhq68f391mzVeoH3TI9q4L/29hfb0CNgDAFQ0zTG0JEPyi3higTkRHF0ZmuEU/Y2oLfPRvjKVGtnR43GR2UbPjwqifKmiHslRjII5JC4KRny/iq7TbmX245wKcUCwQUnISyLC26fZfufuFNUKhQgzUIJo1EN3OU1/aoBATIg4JwzTUNNe/j3jz+99IW8kRcQKRlAHVQDSdTjABGQEBggw5GRUmNT41NPP/frX/3KyGQWLFhQXb4KhUJxbKJUA4VCcfzQ39+/ePHiW25Z8tGP9n/i4x9f8dxzI2Ypl89xy2LIHDPErxtU+xQMqgBVeBxUpkbVINo6ca2LONUgMk8CKK8AAJBSL4AKDRKZRoUmTBxdjrRka6ailhSFR8MoW6K2aYwyFoAdPgMRAQSREFwIwTnngjNNy2aNQjFfbC62drR0drZ1dne0tTc3NOXzhYKR0RGBc26ZJre4sF2kEZn0KiivTF8uMgLQKJQCJxHbnvQ0sFOdmBNse88ewEYEGf0AHWRoBreETi5OU8UUxB5/DnVd2750SlZ7TT0VcNPEcuTPkJiWkEBKiczFZ/dXB3k+ScEInCcAAhISEclwBVwunMi5cwSiW9LQ5ay5HUftZQDl5vB7HACi4IJpjDFt6QNPLX/kuayWJduVxbkDRuNrAPFuI6HmkG3HNM3ilqbrf3JF//vff84FF3wAyl45CoVCcZyjHnYKheJ44xt/+zevb1j/3HMvIpCma5ZlIcpocBFj1WEDwbOngjlbf+GgDqpByCKJCYWYOre0ZapdNYj9GJeanabPYE5L5JBxWEyKO8r57NpdBM5AvywTc4YmpQEnZLg5EgI1NHQtV8w1NTe0d7W1d7a3d7a2trc0NRdz+YxhGMhQjg1zzknIMVdgiMgYOpmXvf+JAvbKaPWCcipB1cCpWlKQPPAPGjOGRKhpyJhm1wCZezp5zP7onuGIImFfgzi7d7SQ9yJCOqt6FAWQ3cadSlD5AeGIG+XTZUlBgAACILD1KCFs0xqIABhCcHXYstNH+UPNpu+hUA0kgoTGNAB89A/Lly99wWAGIpAQ4LkVAolVX/z4sz1XRk4mQkRAsiyac845kydN+vo3vmEfqFQDhUJxYqAedgqF4piHiAYGBt56660f//jHH77wwvHdncufeU5wYeg6FxYSEka+UKLnX1X5JXyL2hCzLZpK9nXEOJhnU6Qzd/WqQS3/NYxKNYhNIqnhyoHKqiZeKIhpXvdo6UBtD4cCMscb3LFyiXMuBBcgkIFu6PlirqmloaWtub2jraOzta2zram5IV/IGRkDgAiIBFncIsfWswfoIXogPehf4G2H0eMZuI7tZumykv4FspUQGWMggyBIEQE8tpY8DPwyiGsRhgIcOMPMoXLVSILRi4nCQbk0AFX1Q9/4djWGbnnOCzreGyS4ECQ4585KG2QXHGOrFrC2K4pBaRKp+ZTyhSbfAUIITWOci6UPPf384yt11BlDIuGe4lEbyomFko+QUxOLGDqb5G1ICICaNnxweMq0KR2d3WPHjcvn8wMDA0oyUCgUJw7qeadQKI55Fi5cKF/giOgvPvOZx598gpuWpjEuBDre0FHvjB6jcXTCQeUNdVQNQsckvRrHvWDHZ5VqZxRBV/LKaVZUDSq0WvWqgX2pw4a3u5/ICdHnxH9Ex6CVFqxjktn2luCCg/QHJ2RoZPRcMdPY1NDa0dLZ3d7V1dnW3tLYXMjmM5quyXMFF5bFibgcDyYCxhiEBy3Do/0JjTB60P2NgS3BXJIzDLsHOEPKsoJy8oIzhcH2pfDcn57YnYH19OKCCIzCvT5pb2Cigi0ahfKvSjWg2C+e1AJf7La3RQECIpJuBVJy8pa3bILXlVEunRCXSHBKAgAASgcdTWemyZfe/9QLTw5ltAwiCCHKZ/kaKlFSDZXCOSxJ2y1rgFIzANJ0/cDBA93jxj/yyGNXfORPbr3t9nSVVigUiuMH/UgXQKFQKEbLokWLWlqaiejPbrjhmWefJs51XROCGCBFDr+PntBrZ8h09x8R85pamdRn1buSsZb1oaKiVBBhHVRXSAx9AI9tAPa4N9oTEKA87E8IiCiEAEQhuJBDvESajrqh53K5xuZiR1d755j2jq7W1vaWlpamfCGjGxogCGFPM7csU3BhOyoAEtl+CrG1Li+JV2X1YlowfCOkVxzIu95BfFeLvNccs9C2DDnnsp2JiDnItRg8bggkbNOt7LXuuiT4MqxpsFfOiU86whfXwbvdX30KHZBMud+GTicoq1ROPnJ9QcGFXGJDCBH2HHLFAp9+AJW1g7poAbURWPuACGUryE6iaVgaLg3e99SLy1dnDcMrGYDX5QIg1Bfdlou4euT7FiUCYfkgr4CgadrwyEhbW9u5737vVQsWKMlAoVCcmChfA4VCcawiJyYsWrToa1/76ne+84/XX3/N808/JwQxxoiEZ0Qq4eW4nu4GUfur9zioNB4ffVhSIWrzNag2p2p9DSo6GoSOiRpTdFYkiMiJfG//qYxLREa2RCDD+LmhCQSRQARN0zWDZQvZhsZiS1tTR2d7x5j21s6WlpamhuaiYSARWJYliHOLEwkiAmCOcWjbcu7c/mTNI41eEOkXYBPRwBFXJ8mzIJRm0kKJiZDflyAcll8qKZ4QitIFAYC5Ig66cxkgYBFXJRz4xpNji11u/BQNW71y4TSYv80JSAgCEkQgBBEJsieuQMQ0IycCRXSIh3hF4EiJBYE+4HywfwPIqJmCMRweKT1877IVy1fnM1lwugoCCHvOSzmZqHyi1Z7oIoUT8W+SwpYluKbpZ737PU8++8yKoVWVUlUoFIrjE+VroFAojkkGBgYGBwcHBgZmzZp15ZVXfuzK/pUrVjDGNI3JAbng6H7dx84TTeB65lJz4jT6JOCQOR1ElypRMnC3VC6Pd/Q1eUTdXoYOpW1PQhAXQpAgIAChGVq2mCkWGxubGlraGts72zq62lpaW5paG/LFnGEYDECQsDjn1kipJKRLAkMEQATmxOS316RwXLLLFyYsDaSfZF7BUyDSoz49dZIMQrMMACBiJT93Vr7XBHYnMsgZHNL5A0DGmvRMavCG96vUdN7SRslQ5fIgxtS40v3kbXgMdGkqW/sEBMLuD0QgSJAgqU+Rr7d7k/YUSI7QQ6jiR86DICUBRwP3g4xlMHxw5KHfP75y+Us5I+9dJcH1CPJowaN8skmi/6OQ/YQxJq/NtFmT17+RU5KBQqE4kVG+BgqF4thjYGBAfji/r+/c886bP/+ydavWMJ0hYzLIdsSQVJLxi55/dYL8P/zbk6iXr0HYWKspt+hB56QMqyqx76RKXgaejU7QAQgZ3l6HZH+WCPZS9ohgr4lIQJwLd6UDQNJ0LZvPFov5lramto7Wjq729o7WtvaWhuaGXC5jZHREFJxb3LKERZyEHCBFx7teGoSC5DJ43jFiaSAGuuZooqmljTVQbuNqfA1iEvSvylldjgT24HiF0+XBwT5bDjMgV3a0N0rFx5nakGxHxlrjgVkIMkAgCzdBOHnHwETPjeKJgmF/dz7KiAR2IEMhhCA3QUEUvZaBv8MkUelIuwceMsLBLH25l/0LfE4HsvG4xTVNHxkuPXD3IyufWVMwcsDQG3nUvvpxz1VPKSI+JeJL0olsQkTAEBFGTGvypEm/v/9Bp3MtAFiSLmGFQqE4rlCqgUKhOMYgosHBwaVLl06fPv3qq6++6MILN7y+oZDJWcLiQjBk0WNZaVQDqOtDMfkFt4J3beJhkUfGnhi2uSMSS6FmpBzhj6tY4AKER5u9u4JjtO6go2e9OMe6LV85gnJgNXusF+35BgzRXr+QE+fc4lwIIVBDXdeyuWyxsdjU2tDS3tze0dbZ1d7S3tzU3JjP5wxdByQuLCE4t7h9lswUgQEDBAIiIgRGcg28UD1CoQHrrRokp2FflThruYoZCpUJDqwH9tp9II1w4DVxA5Ma7MvuOnKgPbEBnE92Nv6lKDwD1Sj1G+YpMXlG7N1/aB+AzinusQFPByQQblcUQriuMUTEuSfyP3FhfyPwX320yxD0J6jYSumv0iFVDQI9OSH2oacs9rXgltAM3SxZD9z5yMpnVueMnKO/uM1BrjiTIP24ZfH9qoTvliUAEFL1QYYjptnR1vbYk8u/973v7t9/YPFiWrVqQL05KxSKExP17FMoFMcS7svoI0uXnnveeR/60PkbN2zMZ/OCuD1GBAQh28Vrg8a8UXo2p3gu+syqBEspOHo+ild276kprMTAppAhXjP+ForSAWJqGnZrKA8dRssqcQl5PLLR1QrkLmm+A0ONSbtSEAlBnHMuTGnzZ7JGoZhvamlsaWtu62htbWtt62xpbm1saCzkC3nd0BmiEMLilgxjKAQRUHlBRG8RfaOmULZvPFX0dMs6k9a2rzS8X51wEJ9SUi6JykUysSpUuVNjeSVMtycg2hEcHY3HlgBcr4SAi4rbr9FTd4/85C0RAZFwJCESACAEMUR7agGJsjlPIEi4aQbEAlcNqSgexckH6VUDV4BJd3hq4oseE8jAqxdIVYXrumGWzIfufWLl06tyRpYibn5bccAoGS5cJqjy7da5xnYpiYAxKJm8UCh+/q/+fMvmHQeHS/JI181NoVAoTjSUaqBQKI4Z3FfPdWvXTjv55IsuvHD9+vW5fE7OQ0f0R1kL/vYR9V4Zbw/7D4t9J420cyO+je7FPWzFxGcX2FQni8E7HhuRVajGMY1V4SyfgYMyFpprDSI4ofF8o81yk2WZpZGSxQUy1DQwMoae1RsaG9o6WseM7Ro3rru9s7WptTGXz2YyOiICklz0ngtOXJAAAEA7OAEDhugaveTaFX4toIL6cUgGeNN7BCQPWVdYajHeQSTKm8B/Sky2NTSIT54BexJB2ePEg+unT0Bo/2ROE3i8POwv9rlMCgtJVrgnckCySwUAApL3nHr0gZqjGAaarm74nDii8g3MRCAA203DvnRCgBBcN7Thg+Yf7nl86LmXs0bGdcTweiUEapKiMavz4ZF9Q05MkBKhXBb14nmXvPLqes3IdHZ2dnV1KclAoVCcyCjVQKFQHBuUJYN166ZNm3bpxfPWr1tvGLodQi1se1ZUDSDwCAxti35AxqsGEGMeHArhoJIl7i1RnbwMvMQIB4ltHqJsamPoyoUNHNkBmFyAAEDG25fDyUII07Q4t4hIQ5bLZtu7usZNHMc0NIrY3d3W3tXV0dlWKOSz+QxjTJAdmsCyTLnuPbhKgdQePNZvtM8DRe+KvPpHVjVIY22GNYLkCSkJPjVpT6kJrxnqH+T2lz9GKIvuWGCLEMmWZtooEnZGFGjA0feC0aoGySEPUsfgtKkkGUCEauALUUsEQgjd0Pbs2vfgnY+tW/1a1sggohC8XOyyr0e5Mimfn5VnVPm7CgEgke0cxNjB4eE5c9732uublj76+OzZs3t7e5csUeEMFArFCY1SDRQKxTHAwACcd97Cvr4B6WUw/7JLXl7zsmEYRCJsF3g/Jox7xxj/ns01qgZR2QaPitmRkkjVIDqxOs5NCBDTDmnNyeC4oa+QrgxEBI4Lt3eagBBkWhZxTkAa0zOG0dja0t7e0drS0t0+pq2zdUSIhQsXAsCqTcu2bd26f99eQcQ5L1klbnHBOQAQCdc/3LaaCGQulQrrfgleycOpGoDHmz6B+qoGNegFEWfVSrkzR1i5Hg2lWtUA4j3tI/0vqmeU6x3WdnpFvSCcbFrtIIVq4KYf/gmAQohMxti2Zec9t/7hzVc353JZchwS/EWO1FzTtEZ8TWKfWkREqLGDB4dPOeW0qdOmPvDA/S+uHEqRl0KhUBz/KNVAoVAc7QwMDAAMAgyef/7/nnvuVZde9OFXXnnFyBhQjjLmEudw4P2IUb+8JAsHiaqBx+D1b437Vr0xUN0Zo1MN4pwabKJMjAp18+9Gp4jOLhneTk4AIHdKAgEBCS4sbhEXgiCXyTS2tY3p6urp6uqeNKmzs3Oirl/ymc985+9v3LZ5y7Yd23PFgqbr02dNbewpbGzZ/C44afiAiQYAALe4Y8DEL3EXX3CvLpRKNYBDJRyk9jWA6sZm44UDir+6h04ZSU1l1QDizO9DLBnIgoymiWpQDZIkkvhkPTEXgmsylNsonWTgTV8QOSUiwQUiZjLGpg2b77zlwR2bdxZyeVFunkDBD4tq4BSVaezAgQNTp5x87wMPfPGv/upf/vVfU2SkUCgUJwRKNVAoFEc17lTSGdMbrrr6yxfPm/vqK+uNTIZAIMkh4tArZoRpE3jLTO1xcGhUg+gyVqR6wyFiGH80GWHgW4wlFeXg4fy0wwHYa5uhM0EdQAhChiQEIZIQCMCJhOCCA3CTaUZDsdg5fuy0aZNPOeXs/vPe09nb+/W//utt27aNHTt2bHv77Nmzx7S3T3/XuwIGYN8n+7438A/vmnTm4ODt20Z2EpiMMc654NxeBjBsOIWDF4ZFgapUg0SrjkgUgwAAIABJREFUbzSxEtOMDKc0ONOuyABHoV7goRx8wPfLJWhLVzSA003ZqEAVtm5MAqlVg6r0hciDnVsSwWme4OyN2lQDAgDBBSFAJpN5+aUN9/72D3t37Svk8oLkhA7Po/PwqgaymIzhcKnU1d55ybnnrnz99ZtuvjlFLgqFQnGioFQDhUJx9NLf3y/DUE2bOvXj11xz4QUXvPnGplw+XzJL4C6KDqFXzLApF4HnxTd+nLEG4SB2aLeCB0QitRr9NQ1QBj/6JRbwfAvGoYsVDBy9AEDaH+5sAHvCs5w+AGAvnMgtAuSZbK6jre2UWaf86Js/Pe/Kc9a+tq6hsdjS2nHKzJnnvv/c/ssvLXZ1pTeb/7jqhYZCy3NrHjKFACBdY6ZVsu0Uj81vx7qPvVpeeSCtZOAtRghfBWowLJNbIL0NmXbe/tEsGUgSRTLPvUEA6Qzg0QsHo1MNEi5ieTVKGe9j1JIBVOpR8gj7d7pc3Iw458iYpmkrn1vzwB1LzYNWNpsRJLw5UtQv8O8elWrgeqMEnmaMmaZZLDZc9icX/+H+hx9+9PEUWSgUCsUJhFINFArFUUp/f7/80HfeeZ+49tqPzL/89Q0bisWiZVngGO4ht1/y//BsjMB5941/EMY4gScIClWpBpXefWP2V0i9ZpLTCAoEEa3gvJAT2r4D8u1cxiIgAOBcCCAgZ/V1ALleHXFOiLlspq257R3vO/0HP/jR+X3nlUY2NhQbZkyZtn1r9te31z7u5xotixYt+tC8vp27dhwwdwDjjDGLm0JwdFZjcAof5WuA4dD51akGTmF837xZp0whQEJogyrmX7hJOZ9iidRQjinSedJE70svHMjG8S64WDNpVIM6pll5MUgMPQsqZWSvsGjognD5o88/+sBTYIJh6IKEdGmIUTojHQ1C2yPLGFeuqM2IyLnQdePCiz70xONPPvb4sorpKxQKxYkGO9IFUCgUighcyeCUU3vnXXTRRy+//LXX1heKRdMyoRyfvE5GS8WRSQq/y0ZZZMHDorNIJRlEJUVJm0dHxTTCM9ztE2wDAqWbgB1GAREZ0zVkTCBwzi3TNE1rpFTiloUMDU1DJBKQNbITu8d94vobVr/yanNr23DJyjY2bNu6GxEHlz4yfsK7z3r/yn//yW2jkQzAGTsdGhpauHDhWe89r7W5ffakM3UjL4O165pOFHmBfN9Hafh5ClP+6zVG7b/VQ0CBstlrDI6mvJW7MR2jkgGEGhs9P2Oh+L+xuSACjv7urFfHCxAWBZy1SzFyb6BMvm+BlihHNCQn1ChalshkjNKI+dCdjyy9dxkTzMjogjgAUGgFU0+qMYWvw4iX6y6BgMg5R8A5Z5752oZNjz2+zP3fR6FQKBQuSjVQKBRHHe5L27QZU886/+zP3PDJ1za+Viw0CMtigIjuauiA5H1/jByvSnjntl9MbQ0g+jVVrutI9vz30NuxZ3cqA6GCZBAqRrx5UslqqS9OPrYt5HyxQ4gxZBpjTGNMQ0SL81KpVBoeHjk4wkdMQzMK+WI+m83lDCObn9Dd86lPXDe05pWx48YNm+bOgweffOIJRFz+zLNr1r3S2Nwy7eTpMvkNGwaXLevp66tD8RGxt7cXADZu3PjG65vf2vJGg9GWL7RmWVYI0nTNNl3QtpfC7vpBQwUjPvsaJ1WpaqpMFOQBbB2h6u5BCVqAk5jT2Y8HytKjL7x/EuS/48nX8N5r4PlQ603q9e2PO6C2lA9Jam7dEV29ABGFAMF5IZ/bsX3P725+4JnHVmT0DNOYEAKBlaOd2N0qpTQaXVR07sGk25A8ByPKJVoE0jvfe9qW7dt+s3gJEc2ePXsUDaFQKBTHJ2qGgkKhOLoYGBjYsmXL1q1bp0w96cJL5w189eub395cLBQsy17H2w6t54Tp8uCOcUVsTCTKzz720Ng5C7GZBjWMqCKl3Ra/uQbclMqRyGJm/TqHeaqPjEmrQMYsFJwECtJ1punZQiFv6DrTEJnRnG+aNWPKjf/2b3POfO/uXbunTzt56rRpb7711s2LFwNAf3+/uxB6T0+Pa9uvWrWqbtX0sHjxYrn6+qJFi877wISe7t51r7+6d2SXnDDBuQCQ8TUj7JbgZBiKvsp1D3onN6ZdEm/URAQ48HXgKmoXqM5hq0J6ZEev4JB/JKhow4/GyK89ooHnUJlQ4EFsOyB5DhSCstns66++cd8dS996bXMul2MMORf2TVaOkJBYnRSP0IqzawK5OYu5MsHN0+e8Z++ufbff9jsiWrJkSX9//9HWHxQKheKIox6LCoXiKMJdMaE0MnzmnDO+8/ff37FjWy6XExZ3B6VktDovvgH82haU97xPQvBT+NBI4SCemlSDKmSE8B5MscvvNOFGAXTq5g7JIRAwxuRm+TLNubAsUwhCQE1jhqE3NDYViw0ZXc/kcg0FQy80X3nlX/7bD74+fHDfrJkzi42N//i978r0+vv7e3t75YXu7OzMZrMAsGnTptiq1RsiGhwc7Ozc2tu76u6nxx7Y0NrSaRywdhwcHtF0JqNmQCC6AUnHCvC3WoVrVpt8ECcc1NeMSVYiggEOqlcNkm3ao8ckO6FUg7pfFHdZV7mQDUJ58pibXTaTW7lizUN3Prp3+75cLitDn9qxDISoQTVwv3u3JTyRI+5SRCZXcmFYKpXedfq7lj//7MtrX1GSgUKhUCSgnowKheJowZUMdE3rmTDhZ//v/23dujWbz3KLy+Ff942Uol8z66oaRH+3t8YcHUWCwBFzTNSGytucNiG3ZTzRH9D30/PNXrcSPRYAEBEgMsZQEDHGpL+xvVqhEKizrJEpFBqb21ubmxqL+WxDobnY1nbjjTdef+21K1a8aHLe2tpVMq0DBw6uWPHMwMDAwoUL5Yv4YfAmSAnRAMB5AH24CO+86NbJk6a/uvrFg7v3gI4EQi7o4BxJ0sciKnxASgEoKsJibMFiPRrqaMykVQ3CJ6aoRVqD9ogaZ4FWdkMAHmbPjjCpJkrUWzKAhCqHt5MzOyns1eU8UIiEpjEA9vRjKx996EnroGVkdDnlAssCXOABlVD66O8eZ6mUkgEAkPQyYIyVStapp542tGpoaPVLANDf37948WIlGSgUCkUk6uGoUCiOFvr6+vr6+tra2qZNm/aPN357x7admUzGtEpExBgTgsojWhFnR0oGUOFl1EeUn0HsMzJp8cWEzKN9DWraEPRg8BbOs1UO69mDc85iBvIAQcTk+7bzIu8uZimXNeC8xDkxxrLZbL6Qb29r72zr6Orq6powgTH2la98ZdG3vvH6hld37dk3Y+YsPZNhjC1atMhbktmzZ7tRKgK7jjhENDA40NvZ29/bDwBPDz0yvG//lm1vjoiSrgMXgoSUYEhOzQj5GkDa3pV6rL6CO0O6TpeqREeDamBndgSstJARGlQNjlC5ZFnqrxqkPz5Y66hGCOgF3vVKEVAIgQiGYQwfKD3y4FPPLluhgaZrGpEgbwo+KbNiBRL2UHIwEf9yqihdS5jORkrm9KknT5w06fbf/W7TG29ULoNCoVCc2CjVQKFQHEX84z9+5+Mfv+aTn/jEGxs3FgsF0zK9M2aT9AL5KWZIqhrST1WI9zhINZMg1t0g5uw4WSR0slcYKAsFAABEwBgAMEJCQkAiYSeJiFwIblkAIEBoANlcobmpZez47tmnzp4z57wLp0//2nf/6a3t27vGdDe3tb3jne/s6Og466yzjvWhOdegem3T2jff3jhp/KwX1izduXsXMoEMiYQTWTDyXKihjyWYcEFHA082LoehwWtWDWqcbH94+1BEEaNUgzCHp5h1Vw3qKxmAbEDh76iOCCUEAVA2m9m+decf7n7i5aH1OSMrHRNcjxvPTZNaO6ipWzmnejwSgBAZMCgNlyaM7/nZTTf93aJFP/mv/6o9dYVCoThhOLbf9hQKxfHE3/zN39x4442XXXLRmjUvFwsFbplAntFviHPyPsSqQfBLeWvcA5Q8Z0S9ESd5EiQOqiUKCp6PzlrxTthCRLB97AUQChIEBMJuLelujMRyxXw+l2vvaJ01derZH5x32WWXAcAlF1+kG/p573vfZRd+eGp7O06eHFvAY58333xz2Ny7e98O0vjatatMbmo6IpAQQoCwRyw9je0O/funz9Ru9aVRDaAe5uuh8zUYTZS+w6YeBExeb9a1e/LXifQNmPLIqq6Ir3aRNSUiwnKndKccIBIHTQOmaevXvP7QXY9u27wzl8sBAMkVFstzp0ITDEJfYmqSvh7uGYSIJAQyJsuOiJbF2zva//xzX7jn7rtv+tWvqk5UoVAoTkiUaqBQKI4KPvnJa3/xi19+6k+vW/bEk5mMQUIQEJBnQrjzypgwRl/BOK+ClB4Ho3mEJgkgkUWPefuX7ST3ITIgAZomo4OhIEGCSAh7fgcAY5quaagzQ2P5bLG5pXFM9/j39/Vdf/31AHDxRfO6x3R1dHT29va+vWXr1772tVFU8JhENuSzLzz1rtPfd+8fluzYvxUAdA2FEEJwRCQnCkSESeXOCUlQeJwjwweEPRfi9LBDbbgebl8DX96Htm6RjgZQlWpQ/lRD+MDKYRePrGoA3isQrRq4Txt7sUUEIEIiymWyZsl89smVTzy8vHTQzGaz5WMDD/Fgj05XwppEYBKeWW0ammapuanl09f96e333HPXPfdUn6JCoVCcoCjVQKFQHBUsWvgtQnHbb+8Q3NKQCRJOEAMIGNOxlnU9VQPwDCQHtiV9D+VbTbzEwGu1/4CIgP3Scx6BAbNjEwAAgWmalmXas3mRdN3IZ3O6njEMI5fPNzU2dnZ1nXbGGZ///OcB4CPz5+cL+XnzLhrT3X3hhRfCCR8SzDWxFixYMP+KM894xzkrXx0qjRxAHWwrSchZHl6i/KvLVzWVWwEc+6pBHSQDO/tDUj2PpBPYUZ1qAE46zqf4topKKjmAQt0lg6qO9JWn/PwLtpmQs3bs5xIJwRliLpPfuWPvYw8++cdnVzOmGRmDcw7OBKmgZBD6lpYa3A3IFUzRNK2GxoZrrvzYE/fdd/NDD1WdlkKhUJzAnKDvhQqF4uhh4cKFWV2/6AMf+LMv/uWenbuy2YxcZxEBydUNXEIvoP7tzpf6kH62QtVphoi1Mj3GJEmDzv1DSIILy+KcW5wLEJwxTTO0nJHLFvOGrmcMvbnY1NzefuY553z2s58FgI9+5CO7d+/+8Lx502fMkHMQ5FKICxcuBIAFCxb09PQAQFNT09EWvPCwIRdg6+nZM2fOJsQBIrrj/psOmvtNy8xlDdMsSatPtn+kge2z07xDrb6Dghujpyc4+wDqGQ0xmSOsGhwa3aCsvbmJR61PUUMtIktbx9aoOcGay4AAhCyqH8hIHwBAQgAACcvSNE03tHVrNj7+4FNvbdicy+YI3X4SFbZgNDFr0xzol5rBnqfATLPU2FC87hPXrXj8se2/vXUI4Egu4qJQKBTHGvqRLoBCoThxkUstnnrK7I9c0X/pxfO2bdnS1NhomdweiMOQZBAHeWzuuuEZAIz9UgPe893g3mAH9wYAO0qhPY7nRCRAO74DgSBhccuyLOIcEFHTsplMU3NTNp/Ja7lcPpMrNOYbGk6fcfqXvv4lALhi/nyT8wMHDjz22GMvvvjib2+7DQBa29u//JWvENGCBQv27NnT09MzNDTU29t7InsZuMgWIBpYskT6Vy8qjJnWPXz627vW7RvZg4iMoRvdLUVyAABIFVZerGDfnfAXpTZ8/gXuDPx62/PeJQEOEXXXICpkBwDOgqP+msmKCgBAJMuyMll95KD5xMPPPfvkytL+4Ww+T0ByPlQgvcOEJ18CsJfsZVgyS42NDddcd8OKR5ZuZxrMnt17ZJd+VSgUimMN9SKiUCiODEQ0ODi4dOnS6dOmvv7a+p//7L+z+awbMgvjhIBIX4NqVYPAUUkPwig/g9E9OH2mZnnUk6S56vVbJkIAwbnggnPOhcWBMWQsl8k2FotNLU16JlfI5VoKzZmW4oc+9KH58+dff+21K/64snvM2LlzJzAt//kv/Cs43gQAsHDhQkTs7Oy85ppr+vv758yZA4c7gP2xBBEBDAH04iL81qSvn9Iys6G1afeut0piOJ/LlkolRIxrvaCZF+Vx4D0maXqCw2G7TseNr4FdoBQFG42vwaGm5iKNsi6IzB/ZxY6hCQBCcMF5Jme8tXHLow88teGljcC0jKELIWz/sPgLWEtEg+Rjvc4F/nyJgGmsVBopFBpvuPba3y3+TeOTT23s6ZkwZ86SJUuqyFqhUChOeNTLokKhODIsXry4v7//liWLP9q/4Kx3v3vPvn26wUjYw4Hu+GB4DC9iubuqVIPIQyoFO0wR4MAzrkmRh6HHW1dGeXSGwqTnOTJZFSIySyYXQnALgHTDKBbyjU1t7W3NrS3tbc3NxYaGhmz2ywsXAsCfferTf/zjH41MZlzP+La2ti1btsi34YGBgYULBxChs7PzjDPOmD179pw5c4aGhgDgeJp68Ohdd23duXPbzu0PDi59fePrXWO6e3p68sWG73//+3VJn4gGBgdgK+AqfPaFZyZPmXjtx/70ja1r9hzYgQbomiZXp3eHsf2xCPzzFAJREivNUIBQVz2c/2FHz7yodH/Vy+Sup2qQMk7B0aoajKY8VcQ+8PcucjuALYth+RBCQRYRMo2tXrH2sfue3LVldyabRQ0FF97UIl1xDkkQxKjOIsPoMsZGSqVisfHT11//8COP3HzLLQAwW81NUCgUiupRqoFCoTgCENEPf/jDpUuXnt933o5tW2666deGoTNg0pS2wxk4A4UB4YDK291NlVSD9C/eUfJAJUkhNqWQ1QjghEOTXu6MoRBERJZlAQARMkDGsNDU2N7W1tXR3jluQmvrmK6ulmnT9L6+6777Dze+/eZbO7ZvzxWL48aPn9nbOzQ0FFYBZs+e3d8vP646jiQCWLhw4dlnn719+5aVK1eYIwd37tiZ04wr51+xav36tetffumllxsK+X/+j//85c9/9jdf/0Yd8x0YGBgcHBwcHASASy6d9453nvLhi+du3rZx2NxnZOT4KrnagRAkO02kagB+dxnydeyjUTVIs5Cky1GnGqQuz9GpGhxqySAckdG7JKe9TojvWiCC0NA4OFJ6aumzTz/+vCgJwzAIgEhAQBTwuABEhTeApOeyV3hNoxo4z1d0qkMEyNAyrcam4mc++5mXV69buXLVXffeWykthUKhUESjVAOFQnEEePjhh/v6+qT9/KEPXrDptY26oTFkzoBtJAF349SqQbySEPQloAjVIOIpWX5JRd85RIgoiNAJ5YgMyeuCQOQO4RGR4FxnGjAkgnwh19bR1tMzYcqkidOnznzXWWf9y/e/t3PXzo7O7o7OrrFjm2fNmj5mTNukSacffxMK+vr6stlsD8DQ0NCmTZs2+ff2z58PDN7YtMkS1jtPP+P//uSnX/va1woFNjxs7dyy+c233tq2dfvuPXsQQNd1EtTa3v6BC/q++Xc3fuzqa/735l8BQE9Pz5x6OyTf9rsl8y/96P2P3bJ951ZA0nXdsjiRQDdOhUNsZMTwnIWK6zUeC9TF6q5LJ6+qJEehanDoJIPKKUtXAbdZ7EgfxBjTkL39xvbHHnpq3epXdU23V24pL69IwadiVP6JRa9QtIQy2w5cQIhIiNyyWpobP/3ZL6xbu3rK1JOuv/7Pa01aoVAoFCoaokKhOBK88sorS5cu/e//+W8A2PL2FkTwSgaexboiqCLqWNk6S9gPPkMv9Lob8f5b3kR2DAb5ysoQAJnj2AsEXAhbSuBCHqKhpmmaxiCXLRYbCxNPmth72jsvuOCC00477U8uv+z551/Yvm2HIG3shAl/9eWvTJ48OWVFjyGIAGDh0BAsXdq1ZMmSoaGhwcHBgYGBoaGhCZs2PQkAAHPnfpAEvbbhtenTZyy+7bYlP/rRrY/en2GZvTu3X37xvF07d+7du3dk+CAQ6LqeyWUbig2IKEhoyHbv3n377+4cGlr9+S99BxF+/b+/mjNnzty5cz/72c8uXbpUBuAcPeYwAcCGNVvOPvO81W88bQ4PawYjQiE4OO4k8kj0xugITMA+WuzTeuKt+7HIUVL+2jwF0pybqnbeRxwgcSIkQ9dHRswXX3j5ycFn9+zcl8lkgYhIeJ+dnt/R07Tq4A4WCbozvwARAZGEGDOm8xtf+eubb7t1846d3/4/3xldBgqFQnGic7yNWSkUimOCG264Yc+ePe9577vbuzu++/ffAUtkMhl3kr9nlrgX74TwSlugsmQQICrsIQRmKDhh8+2l95AREDJmxyMQXAgSQMQFEZGuaZqh60zTkYGmZbJaQ7F54tRJ7zr19M987nMA8JH5l2ey2Qsu+EBDY+OWLVu++MUvpi7sMcbAwMCWLVv27NkzNDQ0ceKrt9++C4AWLVok3f4/+clPdnS0GQcOPr18+ebNW3pmz7r3vvs//emPvbpmEzOMjK4fGD54cP/+4QMHTMskACObMTRdXhl7/TcZS5IBEeqMCaKDwwfHjRs/69TZ//qvP7zx7//+b7/+dZkdAMifo4SIBgYG5NyQ7//bP8x+98m7d+wgEpoOpmkh8/sQEPin2Hj77fHmawD1GK4/gr4G1Z54KKiD2T+6c4ns2QnSQ4ppDBm+uWnrM4+9uHbFKwx1w9Atbjnqrquz1Kr01qO9EYFstRaIaOy4cZ/6zDeX3PyjJbeqqIcKhUJRB5RqoFAojgD9/f0AMKa7q5DP/u723yFBJpPxDJ05w0Z+X2/3d1gjCE9bCIXd8tj+EUTNOrDnEoDjS2D/QYYIKEgQELe4nNbONF1HlsnlNB0Z0zOa3tDQ0NjS0jV27Pvf/35Z3/mXXZrN5uZddNG48ePnzp0LzuoGcmmD6lrwKMa9jsuWLRscHFyyZElzc3NfX9/Q0NDWrVul0X7LLYu2b+++++4739i4cdKkSbfcevvnPveZoRdXgxAHzRFN0yzLLA0PWyVTEDGN6brBGGO2BwcRCDkDBICccBgychtK5w5N0w4ePJjL5To6O8469/yR0si3/+7bAwMDAwMDs2fPXrBgQV2cDvr7++Valf+75D/Oft9lzw8tHREHBHKGzLRMX3g5ilYHAlZczQahN/Dc0SA9jDp6/5FUDao9t4ZcEtKvbVdKUrkwOM9A4oKQdMPYt3f/0AsvP/vEyj3b9hbyBUDkgstJC+Bd96WGjufRdjHmQ9hXIRhWFgllSFlEAODCmjRx0oKPf+Kee+67+eZfVV0khUKhUETBjnQBFArFiUhTUxMA5HMFTcsy1Biy4OzvYPxtivjkAUPxuhED75vk/I2E0A0BRoQeKxQ1pumarmmISEAls3TgwIG9Bw6MjJS4JYyM0dzY3N7eMaZrzJQpU3p7ey+6dP6//Pt/LF22rCTEpjfe2Lt3L+f8oYceQsQ77rxry7Ztr73++oUXXkhE/f39e/bs6enpGRgYWLhwYbqWO3qRNnl/f/91110nt8yZM+f5559vbm4eHBxsb2877dTe5sbiO07tnfvBD1xxxbf27NmjaZjPGa+uW//ud75j+WPLd+/YsWXb1r27du3cvv3Avn1EYGSz+UI+Y2QAgHNuWZbFLSIhzRV5eQUIAQQAJEiGZBMkTMvM5/NciDfefOP+u+984Znlr+7cueG11wBgwYIFs2fPfvjhh0dvgy1evHjJkiVEpNHSFW8/ctmHr+ls7jYwZ1lCYwxcfxk7nIXXMnVCY45au0fZ92VvR1veGn2yoy3VKMz+40ZBwxAVT4nrk0Q0mvUXXdIchkRCCG5ZiKhpxoZ1G++65Q8P3/3E/p0HisWCIC6EhY4/gpNowqM1Lj8g8p0W94H8f31iMtrf0ZlaIjifMmX6nb+//9prr5058+S+vr7qSqVQKBSKGFRcA4VCcQSYM2fOpk2bZs2ahYi333orECGCsF/+gAgBA0Om5XdFz1ujbzTXjeBlfw0e6X+plZ61dtx7AkKyhQNkGpOv+ATEubBM07IsAEIEXc8UC8V8MZvL5/PZQqGpUMw2tnR0/MVf/MWUKVOumD//9U2bJk+btmHDhjPPPFPmM66nZ82aNVdddRURzZ8/f/fu3Z2dnUNDQ729vXKY+r777qtnyx45BgcH+/r6ent7BwYGfvnLXz733PPbt22bPn26rmnSsvjFL378ytriwY6Ondu3vfOU2UAoGAjTsiwLEDTGNF03dB1lNDNBgohblvDGYwMAAJQaAZF3g5BCj0AAAgaIaJolpukZI7t7z569+/Z9bN7cd51+BhF942//dtWqVQsXLhy9u4E0VIaGljSdOffJCeueWbRoxqypVy24/p6Hl+w9uBNBMEZccCcSPRHZcd7R9etGcPo6gRMOI8FZoCwHJFig6OoUR9LvoNoAAXUXC45UhII0Fakq+OJhqIWzdAIQoSAhBGWymb17D7z45NDzy4f27tyfz2ZRY5wLj1dXSIYIOwbE5hful+GnfXRa9j0vH91gT0uQpbG4NWPGjFvvuAsRZaiUvr6+usxIUigUCsVxougrFIpjC7mGwp133nnppZeeMns2Cq5pukABwnEz93u+AkBwukJM1APPdo/brD8t31QIQMbQzlWOo3FumSYJDkzLZjLFfLGttamhuaWQyxbzLQLY9Mnjv7JwIQBc2f/R3Xv2nH/+BePGj9+1a9cXvvAFcLzWAQAROzs7zzjjjP7+/jPPPLO3txeOo3HUMD/7+U+JxDPLn9m7d+//3PQrAPjNb24ffOietete3r1rz8GD+wg1Jk19Of1EECBqjCGzjWhBIMcu7SXikZzZKt7/q6LH0dFdncLpPW5sDKZpRGRZHBHa2tuvu+bavaXh/QcOfPX/+1q96j5AA0MDQ0sWLVm8ePFZ55w5fuyEZcsG39698cDI3kxG40IQCdfecSeBl+MduEqB65kdQq5GWsV/2m7CR47k5u+zAAAgAElEQVQjqxqkL0lk1rXZ6tXWIs0UlVGqBpFZ2JIKoidMCxIB51zTGNPYK2s2LX/0hU3r3wCCjGEQkCACcu/F8vO2HMU2nHdkY3h6um9TBNGNiY4I7MReAAAQ3Jo5+9S2jvYf/+S/ZNgRqR3EpKxQKBSK6jhu318VCsXRDBEtW7bsBz/4waWXXHLHbUv+OPRSPpPlJIBIBheEpHdle5w2ImIiUdCFlQgQZMg8533eNTCBEAXn3OKcm1wIXdOzGaNQLDa1tnZ1tDc3t7e3NTXkjWLbuM9//vM3Llr0+ONPlEpmU0vzuPHjSpb14x//GADk/AJpLfT09PT39/f392/atGloaEhGyzvOkG/kY8d2bNjw6owZMx54YNCyrN/8ZvG2A9seu/vhJ59dvvaltVs2b961e7fghBoheQYGgZAxx8UDhBBOouX/jpzl08CJPWlv9f+GsHxgj+j7IlPIH0gEDJFIEAkBeErvqd/87qKf/cd/Hdh/gAB/+MMf1qVlpDz0pS99CQDe3vyaZb75yqbtm7e9ZQrTMDTOhevI7REOytpWnS38o0A1cKnBaD/iBajBVq+tIpGC5miKEXl6dDr2MxQZQxIICJmMvnPn7qcff3HVc+uG9w3ruoYMORfeBBGDZn70rDGIesesQjKIPN/d6sxMAOBE3DTPOO30F1cNDb20hoiWLFnS399/HEu0CoVCcfhRj1SFQnFkWPz/s3fngXGV5f7An+c9Z2ayt2mbLjTdKBRJWGS1hYsN3qvAtV4Qnao/RVEUrlZlUfTiQibXHWW5eOHKdauAW6KiKFctIikILS2UQknaUtqm+5K02ZNZznmf3x/nzMyZmTOTSbrD92NtJzNnnwnJ85znfd7m5nA4/Pi3v/X2/7jt3LPPikWjgWBQtHZugiX/zq0dSN/pSvf5Tt530iJuE+3kTTE3OhWn2kCIWIvYtmVblpVIaOZQKDS+snzchIlTpp100km1tVOmVE+eXB+Nnnf99Xff+d3nV68aGo5On157Uu2ML33pS7m/htbV1TmdDonodZkjyHXnnXfecsstzPzcc39rb9+yfv1rHR1b9uzZPXCwdzgWZ6dNhVJEpJRKN1dPBrFZEwqMJJ3qyX7B+6w3l5CVHEqVLggRs5BmUomEVRIMzv+niz71mRuX/uQn3/nud4morq6OiCZPnnwoJc3e2GzbznV7d++q4Ilb+jb3Dx0MBk3btpPDy5lIJ0eapwOpw544QNagmMM4brMGh7H9YXpTyYEbbh8XrYnYMJRhmJZlrV/32uqnXzq4t8dQig12Wr2St4bLKXop7oOV8c3rqf3KOsbCa/u8kPzpwIq1Lba233LRP+3fvXvdK69s37Ur1aO0iAMEAIBi4b+qAHBsiAhFItTU9Jdbb42ed97tjY2W2IFA0Ak1RTQna7kz7jlnlqs7+QWi1LBxYUmvJSKiRYhEtG1rJm1ZYgSMivLKaSdNnV07c8bcWaeffuab3/zmWbNmfePrX+vp6Zk6ZeqMyspT582bMm7cSeedh189c33qU59qaGj48Q9/sG9vZzQWcy6QaRoqWURAbr7Gzdto0alyZkq+f6lHXNRY6My3gXNeysoaZFQuZHTBcIMNYmKOxmITqsZdeNFF111//be++Y2f/+KXTkPHm2++ecGCBWO+V+mN9NpWr+6OHYzZ0dKyyj092+KJmGkorbW2NZHbuzHVTi5PIJZzY3cUh5Lc8HFgVBH78XAMo43Yx3wiBcoBDnvWQFIZVucLEWY2zQCR7NnZteofL25ev01pNkxDSzKr5amHSWYM3C/9dlhomILfCoVPsECtARGz1nbACCxatOiZlSsP9vauXbu24NYAAGDs8AsxABwzzi+M98yf//K8U65YdNl3vnNnfCjqtCl0QlC305U7pJvSBbWeeoTUb8NaSzImFC3OWHllKh0IlZSXVUycPOmUeaeec87577jkHROmT/jKlVfu3LWzuro6cdpp8+cvWLRo0fjx45EjKNI1H/rQaW960+9/2zIwOGQGTNMwtdbuAOn0Pf70PUpP8JNdaVDcFc8pds4dqJB+JjuP4OW54cqKVSKRiMVjM2dMn3da3X0PPHDr5z5na71z167m5uZbbrll586dLS2HYbL37Tu3vPDic1ct+pfWZ1Z29XVqTjCLtsWyEunuHdlZgzy13aN13JQbOHLD4MP4TectRir+AHyP4agVGlBWPD/SAaTzpJ4vs54ssPF0CkFIRMygwcwH9nevW7Oxfc2r0YF4MGBKMj2gtXi2QakKL++WcuQvEDiMWQNmIbFsXVlZfs37rv7tH/7c+o9nC24HAAAOFeZQAIBjxv2VcOVKWrnynPPPf/75F8Phqzteey2htZWwbMtSrEgR6XTk4/zeys5IXFZaaydCNUzTMA0WzaJKKsomjK+snjDl3AsuePcVV8w5/XQiuu5jH62qHDexekLb5rZ1j6z7xqOPujek//bEfffdf4wuwIkqFo+XlpasXrP28n952+69e+KxWCgYcqo6nLzOiCFXZs1yUfIVJeQ8706L4bdkKq4UEbLEMkyjPFi+ffuuvXv3/dsVb6+ZNPXHDz10339/n5nD4fCOHTvq6urq6+sPMXcwY/qcGdPnMPMdP/la+NIPvbJ1xWB0SCnbMJSttRv45UkZeMbgcLKUQ5jSy3sfH/+8cwccuSRdUfUrx4fi6wvylSSMmODICvqdCiwzYCrT7O3uXf/ypnWrN/Qc6A+awWAoqG3bmeFDtPO97Fk7e7CY/97yXfuiPqOphQq8f+7sNvbkSRMXLGp4sOWR1avWFLNtAAA4FCfKD1YAeD1zpsH7xz+e3rtnz3vDi2+8ccmGV9r6Bwa1lbAVRYfihiEkipxsAQkbhjLMEtNgM1ASCBhGoKyidOrkaW+9+OL3ffjDRPRvi96pRc466+x/uvjiqnHjLnnrW53uA6nZDcLJXR+GW8lvPE5n8tmzZ33kI9cuWfLvK/7x7PDwUDAYNExDW+INY8XzP49RRblc8JH7dW59QXLqQfJEMuJmFDRrJiJRTFqLaZra1kNDg1XjqiZPmXr6aaffee+9n7/lc3fefVc4HK6qqgqFQpMnTx5zP3anfyTVE4c5whEReXbVX/b17InGoobJiUSCsjItwumxHgV+ShdTR+BOWMGSmWt4nck6K84fvB65WgPf7RTm29FgxKxB8Qcg6aDfrf7RWgxDBYOBwcHhTe3bXl7VtmfHfkOZZtDUtnZ7FmgScuaizTc8ocis4IikwFdugVH6jWQSUoaytW1b9ozp0//65JOoDgMAOGrwH1wAOPZSv5o2NTVVVlYM9Pff3hhxnrn7/rs3PL8uECClQqGKimAwWFFRMXXq1LPOOuu8885LbWFx+L2K1eWXXz55ypR3LlpERA0NDTU1NfX19Y2NjUS0ZMmSuXPnLliw4HU8u8FRE4lEFi5c2NDQwMwf+tC/XXLJ23/10K86u7qEKBgM2XbCrZomFnLuWhK5XdgLx3fppgc5i3n+Id+fXez5vw9vF0bvTBtOZzdmVkpZCSuRSIyvHl9ZWbnoiqtv/MKNTZFIW3t7fX19bW1tVVXVoTRmj0hEWiQSjhDRH7seucS89JkXlg0N90etwUBQ2ZYWLaySgb07Nqdg1oByRpr7LOD73GHIHRzRYoERdz3yQmM9uENvJTCqLgkFWiEWPpjUS1kjFNweh54cBDNrTaJtZg6WhBKxxNbXtr/8wvptm3bZCTsUDBGzbdvEnklBKTW2iDKfSH9ZhBHfAcl9mLlpTlYNOSkDI56IK1PNOXnOlMnTfvyTn0Yikebm5vb29uKOBwAAxg5ZAwA4LohIa2trZ2dne3t7W1tbS0vLypUr+/r7Vq1atW3rlngsrgzDMEwzEKiqqqqpqTnnnHNOPfXUmTNnbtq0ad68eUTkrSa46qqrtm/fXl9f39DQMH/+/Pr6ejq6fdde90Rk8eLFLS0t4TCFzEWNN34lcs8dr67fOjDUV1JS6rRS4/QEmdlV1YXvB2d+WUytARXOGmRVWXuSBhkxm2LFzPF43Ba7tLR0XNW4az563cc//vH//v73n3r66ebm5kgkcij5JucqtFHbb+g3TRT5/hP3nFt99r4DOwaG+wylRbMWO+djWqjBwcgTUhTKJxxSeHxMsgbFh/SH3pvwSCs80OBQKg7IPX33W8yZ3zQYDGiRHVv3rHth/eaN24cHhoOBoGEYtm1nfUOkvy8k83tE8oT2+Y9ipAUysga+yUJJfk+zacTisfLS8tPPOKNvxbN/3LLVKeFh5jEXAQEAQPHwOzQAHEcikcj+/fvLy8vvuOMOImpqampra8tdzMkCOEUEjsWLF+/YsSMcDi9YsGDBggWEHMFRUVtLO3eSM/XAB98XXnDJgkcf+cO2bTtKQiVuG8vkXUrJDtJH5JNTKJg1cJ/Nfdu9KYMRwx4RUopFJB6PE5ERNKvHj19yw80f+MgH7vj2t794223Fn0A+EYkISYQizHx705eabv/GX55q6R/ojlkx01RW3GLm3FP1m4V0pKyBd5R4qlDd89KhJA6OctbgqLUnPApZg2JqCnwPI9+Tbn2B5+11C1WIRDgQNIlk1469r7ywYfOG7QN9g4qNQCDgzqroMy+C99NFNPasAY3Ym9Jnr+mnUv1wiZWKJWJTJk+bf845j/3tb23r1wtRSzgcxgyLAABHC/5rCwDHHfeWbFvbypUrV6xY0dfX5321qqqqqqpqwYIFTqe61PP49fGYaGhocP6ORCLvuvwd17zryj88+/RLa17Utg6FQs59Tm/6oGgZYW7+/EH2sxnlBplxzgjt3z0FECJCxCJiW7YzIHza9JOuu/Zjjzz6h7mnnPKe97z3LQsWHMrnLVWpEYlETpk3Z3x1xWmnzNmwta138CCbLNoZ0TFyxFUoa+BNGeRZYMxZA0m1Zzwqjk6XgTHv6BB3UUyVQeqCF7EwJyfm4EDAJFZ7d3e+8kL7pvZtgz2Dig0jYIibxtPOEBjf7wufJw9z1iBPoUHG3JDEiokoHk/MmjH7gcav3Pyd7/z+L38hojBRM36FBQA4ivCfXAAAOCSp0cV1p556Zn0dK3Xueec/+qc/HTxwoKQkpLXWoikZh3tXLHImhTzDEfyX9b6SFeSMNGlcejXnRqfWkorTtJZEIjFrzqwrF/3bZ2655Uf/+7+xeDxhWTfffHNjY+Py5cuJqLW1daRTydDQ0LBw4UKnyvp/fnDvv9/wmadWL9u7f1vcigYCyra1uA0YsgoN0mfhkzXwfuUdBZJVunEItQbeEfVjWP1Q9jgqx2HW4LBXGRA5Sa7km6yFmJjZNE0t0rn3YPtLr776ypaBnkFFhmEqSa3l9AXNnBI1c+M5Tx6xrIH35JwxTc66zKxFbMs+ed686dXVVjzx05bmoncNAACHE7IGAABwOL39bW+7/IorFr///Z+/+ca2dW3KUKSYxW3ozp4gx1EgBMmfHCj+hdzgpGDMk641SK/CSjnbjcXioq1Zs+ZcOH/+BfPnP7961de/8c0f//jHO3fujEQidXV1RDR58uTi0wfO2Oz29vaWlhYR2blnc0nAWrth3f6u/aK0YbBtu20kcxIHGVkD70ucOx4hz5keYtaAjkriYMyR/KHMaHCEjFgpkCc7QH5RvfNsMv0jQkRKKcM0LMveu6uzfe2mzRu3D/YMmoapDDdBkBqO4Myp4PmsjLzHw5o1yK1r8IxSYLfKIGElSoKhBRdc/MK6td19vZs2bSp6vwAAcJghawAAAIfZjh07Wpqbb77lltu/9KVlTzw+0N/PRKYytEgyXEkumj8QGX3KwPtyvljI/yXPQu4GUoXS4t7/VEzCzEwci8VF7Om1009705tOfVP9zTfffNed31u/Yf2PfvQTp8VDXV3d4sWLR9WkzWnScdttnwuFKv/wp1/Om3v6+q0vDCeGjYDSWmtbEzkNFzxnI94Hnkg+dYFO/KzBoUTyx3nWoEAuIP1l5tIZyzi9DLQWIRJRpjKUEY9be3Z2tr24ccuGjuHBqGGapjKcbzefDWcMycmaiuOwpAwcRXQ8TU3OykQiShmaxLYSZVWVV199bfOvlr607qVR7hQAAA4zZA0AAODwa2xsbGpquvEzn/70Rz92y1e/1NGx3bYs0zCZSYvNpCg9N2PRCky8kF6C/AMbKRgU+W0qOQFEctiDECsiYqUUM0ejMRE9ZcrUGbWzp82ceMcd997x7W8/t2rV7x55JBKJrFixoq6ubsGCBaOarNEpPWhqaoo0faXx9q/9/Zk/dnbvsrVWJmmtxRZWufFj1lAFJiquT+EhDFIgOkrdEIuJ5PM1WTgRsgaU9667z7ruS8ykhUnEaWdoBgxDmUOD0d079rW/tGnLxm3RgeFgMGgYRvqTkUw0pD7Snl0XUfcj3tdG+x2bT9bnmMlpzWiwbWstuqqyctULa9GtBgDgOKGO9QEAAMDrUFNTU0NDQ/XESaeee27ADC685KLqCRMSlqVtbaoAOfMqEBGRZP7Jiz1/55VnG6NLGXCymwAnRyewM8pahEVEa23bdkkoVFZa1tXV9fya5555auWVV1yxc/v23/7ud0233z7Y3//Xv/51586d4XD4vvvua25uLn7CPOe6kZjMHB3YdOmFV5eVj9MJEi2kWNvuzBQplB1qHoMJEY8hb8VFkZMXHpbdHbr8k32kv3SecD/T7CTMWITF1iISCARKS0OxWGLDK5uXPbr8T81PtK3ZqBO6tKxUmUqLFq2FRJMWIifPQCzJ1qTpD8wI33yHdMa+K2d+LzopCdHCwoZKxOMkds2k8afXn+F0FXGm1AUAgGMLWQMAADgiGhoa2traIpHI7/7waO/Q8C2Nt86aPVsFA0PDw4ZhMitPMJ+clT13K5zvhZGIM97bk59wnx0Nd/I3YiZiYU9Mbou2tQ4FgxVlZX09fa9t3bJq1XPv+Oe3bdjQ9oUbbxSRs886i5mXL18eDocjkUhjY+OTTz5ZTNjZ0NAg0ixCg30znml7+qp//uBJJ51qqFIrbpMiYqV1Rqd5ZmKPUQW2fByXHBa+VrlpghFXOcR9ife+/WGT/nCnugC6X7G3QwU7fzm35UtKS8vKyoYGh19c3f7n37Y+/shTr768hSxdUVZmGM6QFmeeBErNXuJ+Yry5gsI8mYTsf30XS2U4fJbIPWVKf0szkZBSillFo9HSktIZtbM7tu1+8KGfi0hLS0tzMzogAgAce8axPgAAAHh9am1tXbx4cWtr6+zZs88957y9O/b86Mc/eWHNqlg02tPTQ8JmwBCtvXddM0LYsSULKKugegw4I1WRbsHAbtW7pF/SWrTWZsAMmGYsFuvr6+/u6W7+TXPzr375prr6v/71r7t2bH/6qae/8tWvXnrppddee20kEnEmXCigtbW1tbWzrS0ci+184ZnY/Z33XzgpPq3i/WQcjEeH41bMNA2RdKjpzSB4HxR/tuxmbUax5nHb0cB7YEUe5IgpgwK7GBV2UwGpYhZvpoCTY2GSO3TH43DybrwYyigtLVHK2L+nc82qV1YsX9O2emPX3m4mDoWCRGxrW+vUSAKf7iF+X7m7ymfUAxNGMeWJczVIKWVrHUvEqirLL1901dq1azdt3kJE7e3tzgwjxe4aAACOGPy3GAAAjqyGhobW1tZIJDJx4gRtJy64sP7OO+5/bdOmaDRaWlKmRfvMyDjmn04+I/VTUX6RkQ+n/so+kMyuCk5bBk+4rpRStm1blqWUMgxVVl5y7rlvueNrX/uPr3517rx5VePGffRjH2tsbCwyFopEIrXzV1x32V+JIk1NkXdc8ahB4/b27jzY12UYopShbdsJ+tPNF0bF50qJN3cw5q4Hh6j4dga5si5sMde5wO6K3MuoZHU0yJp3kCg5i0cyWUCKAqYZMINDQ9HtW3e9tn7r9i27eg/0iy0B01SGEtFaRLT4RPh+b7H3PHxObeQkQ8EXi+timqqjYIOj0ZhhBKbVTvvb355cHH5vy29+W2iPAABwLCBrAAAAR1xDQ8PChQudaPkD71/8i1/++itf+dzTf1+xe8/OktIyZoMkOcWg+4//nHAjOJTBCGnufeAil3Qfpe4MMylm0WLbthBpLaGgOWPGrHdfeeW1N9zwX3d978ZbPr9rx/rpM6YRjaeR4k8RImro6Jg1e/ZSInpy+d8uXfgvz67+v11du4eG+4OhkG1bTpfEzHAvz11mnx0UfrFQOH1okfPY8xEjrjuqcoN8WytmL2O7CFktD3PGPaSzCsrgQCCgRQ509mze0LF5w7b9e7piQzFFSinDMDidLMiYKMEttpHsz0G+M8p3CkW8R76L+G8v3cvUmxaMx+Pl5eXnnbnggYce+PznP3fnnXeNvFMAADjqkDUAAICjwZkgoL29vaWlhYg+8uFr/vNrX7/15ptfWrtWSEKhULKJQO4PpmJTAaOups4rXWmQjrvEmyTIXCznQDhZjO7MjKctMQ2eUD3xjHPOuPStl1wZvviR3z7z7vd8sKNjy9KlDzY1NVFy8kUicr7M2FwyHGTmm2/5zPkXnnvaKWf2xnZ0dXUOW0OBoNLaDTY5OfSdMybby39BRs4qHOZyg0PsC1DM6qMqN/Dd4KgOcvSTNfjsyE0dOG+iYkMZhmkMD8Z37dizqX1zx+YdfQcHSJNhGM70n1p0ci1y3qV0XsDzbcBHrmCkwFbzZA28BT/KULZtk8i0k2qXPfHER6758IMPPxQOh53/OAAAwPEGWQMAADhmvvrlL0+rqXnwoYcOHOwKlZQoUs5d+4wIwxv5+A0/GOGJsSj0w3GkjIHTN5HETR2QMCliZmVZlm3bJSWh6TNm1tef/qb60z784U988Qu3dnf32FpffvnlzjSNtbW19fX14XB47ty5DQ0NnBzsnsq5XH/99R/+2Ps2Vb72zpp3v/Lqir1dexISDwSUiFur7r0NXmAyP88B+y9yeAPOo5AvcBSfNTj0lEHh7efZacZjb0rIMBQrZVt21/6e7Zt3bFq/ZffOfVY0YSjTUAYrN1ng/b5g4uQ2fPMGR8zosgZM7qGSYhYSLRIwAhc3XLRj++4/PPqnI3eYAABwWCBrAAAAx0Y4HG5ubr7nrrtuuuWW66754PNr1+qEzYoNQ1GqQT67t2HddbIrrY/owPuRKq3JE297n/UMFEiNdnBuETOzFklYlm1bVVXj5pw866RpJ02rnXXrrbf+8hcPd3d3d3Z1RSL/GQ6H6+vrGxsbb7rppnnz5tXV1aXSBym3Dtz6vfLvPrrtP88PfeDFjS92d++3SAcDhoitbXFzB1mXyre9A3teTde2O10bDs/lPWr5AsehZA3GdqiFdkFuAomIRbS3u6FTFaKYDTNgsEpYib7e/l3b927dtH3Hll293QMsZAbMVNrI2ZzkvC35v0GO2HdHMRvmnK8UM7FtayYqG1f18MPfv+nGrz72f48fkSMEAIDDyjzWBwAAAG9Qzc3NkUikqakpYVkXXXLJJ667pvFr39m/b38iYZmGqZTS2iZxBy7k3BMvLnVwSLnxPCPeyTORQtbh+FU+uFG5iJCwMDOVBAPEwXg02vbyKxvb1k+cNOnF1avHja+cPvOkxsav7d61p7S0tLy8nJkbGhqqq6sbGhquv/76b37zm6eccopTj0BE3yv/LhF1T1kxteT2gWc/+463fvUfa/4yMNhDBpsBZSdsYc9RcVa2I+dLn9M8qqH+kd7OEd2yt14g6yXnMouIM25FtDjTHChDmaZpGqZt68G+ob27uzq2dHS8trNr30GdsA3DDAWDoiXVGdEtX3GzaN59U8ZgFHenR+yqFcObh0oNklBKa61FG8qor6v/ZUvLBz4QRsoAAOBEgawBAAAcG06I1djYeOsXvrB48eItW0/+6xNP3nTTp9esXt3b2x9PxIPBoIhobbslB5x7j9X7b+bGU68d/qK61Fj0vMUI6QXTjQaESDnnYdm2U44eDJVrrQ90Hdize1+oJFi1fvzqFe8sKy8vLSv7/Oc//8rLL5eVl02dOtVJH/T09Nx2223333//fffdt3DhwnqqJyIq4dZWal937+L33Lv05z88f/6C9RtfTiSGiNk0lW3Z7pD37EIDkawWEuz5+5AjztEG5PnaCo4hsB9NU4PsgRkj7s57nG4PgjyH7QwSSe6FtHZnOFCKA8GAaZq21oO9/fv3Hti2ZdeOjj379nRGB6OGCoSCAS4JanGmFkmnbliTcLHtPkc6jeSDkTJHY9q6Z+NETq6EFFsJyzCNcRUVi6/60HNrV2A+RQCAE4s61gcAAABvaJFIpKWl5bLLLguWlDJzLJ740W8emjv35Krx46LRmG1bppFMcLvxr1vc7cTCyYrs7D/p0KbIIMdnG2NbRyT9J93WXoSTRenk3PrX2hmqYBumUVFVrgyj+8CBzZtf27C+ffWKFW9vaDiwf2/IMG+44QYRqTv9Te94x9t//etft7S0dHZ21tfXE9EXvvCFJUs+tXx5g0hYRB77/bL2l14dX1ZTW31yyCwRW4low1CkWEREp07JrT3wXKNRz1bofy2Sil3Fs7z4KbziiNsvfCI5d+2LPc5020LmrCPJPB0SLbZlWZbFzMFgoKysNGAG+3r716979Yk/Pf27h//8yM//8o/HV+3cvEviUlFaHgoFRcS2Lee2fPIj5X6ckvvwfjh9P+rif9q5n2rJfL6oz3xmuUry7/Sq3kyUkFJKtI7HEyWBYO2sOc+uen7QHrCP7MAiAAA4/IxjfQAAAPCG1tTU1NLScu655zY3N3d2ds6Zc7KO2d+7857eXbsHYrGBwYGhoaFAIEDpm7eOEW+SeuffG+kgcu7gZobRxZzHSIeRMZ+j0+SAnOaFxGRbNhOZphkImCQUHR7qG+jr7evbvXvX0h//6Jc/fzhYGrjookve/e53b3n11VkzZ3Ud6DrllFOmT58+Z86c1taO2bMvePTRR6+77rrL3hni3DsAACAASURBVH7FQz/75XB0z8yp5yjDNBTH4xaJbQZMLZqdUnenzwKxco8i2XHBnfbBPb4x5A7c7RVnbAMEstbyGRGQcY0LbirzaH2PJpUdyLMx/2xLsiulsFKhkmAwFLDiuruzd9OGbWtWrXvuqRdfXtXWsWlH78EBFg6GgmYgwMzijl7I88HOUwbid9h+q4/qYo/4HnJm7oA9T3jWNQzDsuJa1PSTpr69YdFQbPC94fc+8fe/r1ixoq+vr7OzczTHBAAAxxIqxAAA4HhRV1c3Y8aMBQsWEFFFWdnnbr31K1/87Asvtu/Ytk2IgsGgbduUETrm6f7vvsbppQrIP9LhMOUO3DDdfcyZrwgp5ZQlOP0HORnHkxZtxRNCotgImKZhmCXB4PSTprz97Ys+tuQGIrrti1+cO3fu0NDQjTff3NjYGIlEnD4RItLUxOOqv3TJxVfv79kSTwwORIcsO2YGlNaa3LEJitnnpJwb5ekvxffC+EgVVRS18FjH3R/OrAHl3Kc/tOaIboqB2DANwzSVqOhwbN/erh1bd27v2N21/+BAz2A8ESfNAdM0TcMZtSI5JR+FdplbV+D3qk9Piuzl2Jl/wX8vY/uoS/pbjhUTcTwWDZaUn3H62Q83P/zRD187e+6cSCTi9EDFCAUAgBML+hoAAMDxor29ffHixc7jgaEhZv73Gz6x5LM3/fX/Hl313Kqe7t5QSYkb84gzO2NuZUDOrdqxpgyytz5CUmGEnbB7XMnQ0t2AEJHTtyGZNtAk7AwnICEzEGAiLWLZdiKeGI4Od/f1tm+4+977/2vSpJozzjqrbt68ixoaent7v9rY+Nyzz5aVlCxduvTaaxt+9jOKRIJbt22ac/LM89580VOrlvX3dfUNHNTaDgSDtlvjwEw5kaPbeM/9IpXwEL8oNetiOPflR0wcHK6Ugc8xFJ0yoGTxRypZwM7ZjpSVyDyeVDECKaUMw1CGYVt2f9/gvt2duzr27ty2p3PvweGBIa21UoZSqiRYwswkpEWzJKN3Z2KFEYdMjHjZkm9cTsMGn20lBxYU9SHmZJYh9bfPsTlbFFKKbdu2LXvmrFnnnfnmTdt3OJfRmQqkpaUFKQMAgBMO/sMNAADHnUgk0tzc3N7efsYZZ5x37jmmYcy/6OJljz32SvsrWuuQ0yVRhMSNUj1xiHhicu8/eWRnDbLCoVQX+IKbKTLySv/f84zvuuKN/JwWfCLiztzHrGzbJmbb1oq5orJy1owZZ59zzgXnnnv6m9/8ox888Nprr42fMOGk6Se96fTTr7766m27Nvf2HdjfuXvaxBm79ncc6NlnKzsYMG1taxGV0b0xOXTfPTzJTRYU0zLwEBcY1YreENQ7wiJ3EfGLpFNZA2+tgX+nQ7exJDvtDJxMAStWpLRNsVj8QFfPnl17d2zdvX9PV9/B/kTCZqHkIsmZLMWnEMDzAct7+99zyDnH7/d0TlFCgS2OnGVj7wuc/nyKk1eSjOfjibgyAuefc95Af29VZdXK51/YsGlTgYMAAIDjH7IGAABwvHvXu9511plnfv0b3/jf++751a9b9u3Zy8pk5Y7P16KTY/U9YVAxP98yUgUFoqt0BJ8RPuUuMsJOvSMVsl/KXTWjAZ6bNhDF7KRKiMlpR6C1xBMJ0TpgGhMn1tTOmnXqnFMm1kwYjMe/+MUv3vnd7+7YsaNq/Pj58y+cOWv6GfXnbHzxxW19m7v7upRBhmEk4nFS7Alnk5373cDTG4Z6cwp5HfOsgecZ/7va3lRIxun5DM1Ih8oGM7OhmEmxYmVpOzoc6+/p37+3a9e2/ft27z/Y2ROLxsR2ywqcvUuyEaVfPir3q7yfr+TxZn8xpqxBwUPJfIIzv0g9cq6VcvpBkihWWkSLTsSjkyZPve4TN/zjqeV2PPHgL3+Z52QAAOBEgqwBAACcABobG5uamh568GcfuubDX7hlyZN/f2Y4GtXaVkqxUt7b4slAp1DLA1dGtmAMoaxfTDryz1VP3mB0qY2MG/7eCFkpxcxaRGwdj8ctrYNmYMKkCVMnnzR58qTy8eNjsdi8efOWLFny/Xvu/uzNt/x06QPXfuT6J5Y39w71i7YsO6FJiBSxpOrMnVID8uQLKCtul+yjSi6Tc+j+C4x8wbOmOcw+gMxlMh/45gsyPhLObAfOUlpr95lknYVDGUopt2ekrbWVsGPD8b7egYNd3fv3du3bvf9gV+9g/7BYogylWCmliERrSW5M8hy154hy/x05a1A4ZUAF34TcQykua+AZ/OF8/JhIkzArEtJaW9pWhnHGmWcf6NxvBAKLF7/vuuuuy3MmAABwgkHWAAAAThjNzc3hcPjPj/3pincuuub/ve+VV9rjiYSdSAQCAaWU1toJDJk9VdQZZQC5QS9lPz86eYZojyp34LuKXx2EaGHF6fp58eQenMIDYlZKMYvW8Xg8kUiQSDAUqqqoHDeppmZCdVVl5WBieNasudddd11tbS0RvfTSsoHBA4ODAzHLSohYWts6NW1kesIFTdp7VO7xJEeIpJ8Q96Jkh62ece+55+lsJ+PqMHufzKx0yKwpyRmUkDXlATOLZHQtyJjr0enGQETJ5ItSikQRacvS8XgiOhzt6xvoOdB3oLOnu6unt7uvv7c/OhgVTYYyDMNQhnKOzpk5gckpLUjejndaV4jTDiB5SJT7KPVV/kEKuaNF/Bcgyps1yH7aP0uRThRkpwwo2QxDiyjFzGzZtq21Yahx1dXf/tFPb/noR1etWJHnBAAA4ESFrAEAAJwwRKSlpaWlpaW5ufm7d9xx6xe+8J6r3rVz5+7Bgf64ZZeEgkwsWhOn2iWm+GQNslMIh8An1Cv2B+zI7RcyqwxyY87M0E+IiBQTK6VYiYgmbcdtW9u2bQWDJWUVZeUVlVWVpROrJ4yrKD/ttNkTJpZUVgSDISMuok1TDMPpv2hpB2nRWty78ako2ym/51RLxeScgZnVB6nuj96x7+lz8VYx+HYoyLgOnnEEhdsZpMoNRKeqJ9wgXikWImZWrJTBJCxCWovYdjwWHxqKDg4M9/X093T39vT09nUP9Pf09/cPRaMxndBKKYMNM2AYpsHOoBEtmrRI6rTT+R3PIWdfl7ypIm+hjM/5Z/xDeRMC+T7avh/yvG0MKPXB8gz4cJtsECulRLRt24YRKC0vuWzh23b1dP/wf3/otwsAADjhIWsAAAAnknA4HA6HX3vttWXLlrW2tt5042f/3wc/1HT77d0H9nf39ti2lJaUiLCITgayTOS905tb8X+oKYNMfiMPiup6kLEFIvI5sOQJpUdjZAWg7o7EG2EyK+U07mMSEcuy4om4tjUTG6ZJIiUl5tSacRPGV5SXl5RXV1XXTKyaMK6ysrKkrNQMBtgw2FDOxrXWTqSsbUtLWqrVHzOnsweU6pQnqZkCvIMOnFr3rHyB91xSAaskpytwkkGepgPi3NR37nu7Z6zIaT+oWLFyRhqwYqWIiZUQi4ht27Hh2HA0OjgwPNA70H2w52BXb193X19vX3//UHQoGo8ntK0NVoYyTNMwTVMpg5WbN3EyKOl3iZNdITy5g8ycSEbWqkDWILt6xeez4DfcITM1kC+vIDnb44w8Tu44CU8SI9l3VLEipaxEnJnLKqomTZ7ctX/fylWrI5FIY2Pj4sWLW1pacg8QAABOaMgaAADAiaehocH5u7W1df78+d/61rd+8IMf/G3Zn/ft3tPZ1aWUCgZDIlqLZlLkU2lAToTnM4fc4cCpmRYLLjRq3sNNZiIKbIbdSI/SZfhMikkZiki5Bfoi2ratREK0ZibD4FAoWFpWUl5RXlFRUVpREiorKasoq6gorxxXWVpREgwFgsFgMBQIBgOs2GkqQczkFCOQOJkF5wa8Tg/xdwpAdGpghfMKEZMbhqdHlaQvoEqeqqRu27vlBszKqScwDOWEskq5TR6YSSlDtGhb21ozcSwWG+gfiA4motH44MBQf+9AX19/X+9Af1//8MBwPBZ3/oiQO+TAmUZRcTILot2sRXZ6gzNzBORNE6TzGnmyU37ppbxP+9VxeF7zfFFgRIJkJQbySVVsJD9hnMwbsGHYlra0XVlRWVVdvWzZsiuvvPLRRx8Nh8OzZ8/+13/914aGBkysCADw+mMe6wMAAAAYtdbW1kgk0tHRUVdXV1JSwsx33XXXb373h/+5++5nVz/32qbXDh44YAYDATNARM4sjU5U6r21mh1fHb5gJ3njueAWJV/c6L+wEztnPJP8W7LvUCcXcXaRMWKAtJDWmthOTsLAZjAQCAacegHRYmvd2xvt6R4W2e9OVKHYMJUZCgQDATNoBkOB0rLSyqqyUGlJMBgMhoIVlRXlFWWhYMAwDaVUSUlJMGQ6+QTDMExDubf9FTErIW1rm0mZhsq4aZ8hPfrCqUdwpplkpWxta+2kI8iyrFg8oW0h4kQiEYvGhgaH47FEIm4NDQ719/UPDg4nEtbwYHSgfygWjemEnUjYlmVr23bGKbCQYShDGeWl5cTuZdRCImJrndM/we3bkPkeZJYVUGas7jk5zkkc5NQeULJ0we/dHCFl4NsyIgP7v+ZXCSPERM6771CGEpJ4NBoqKZs6ddpFF13yyiuvXH311aFQiIhWrFhBRJdeeqnfgQMAwAkP+WAAADiBRSKR1tbWhQsXRiIRZr7uo9cODw5eeslbV6557pV17d0HDpaWlTpF7Fkj7JOhnvhGc0dS/vr0gr0NMv/Ns1KhUerZz/k0VGBW5ATTTJIcHeAUA0jyf04SRrQyWAs59+ADgYAZMJRSrMgwzVBJSTBoKsWGqYLBYDAQUAYrw1CGETANNphJAsFgaWmpodwaAVbKG52TsLjdAUS0jsVjw8NxElKK4/FENBq1E7Zt29FYLBaN25ZmYsuyrUQiHk9oS2utbVunag2SnSLJaXbojFug5KAJZ+7O5Knk6W+Z0UfB8yhjtka/N8q3w0DOZvzeoKxIvlDKIDuhkL/eIHO7eT5wTn7NaQ6inAknVTSWMAw1c8a0U2efevcDDyxatOixxx4jotra2qqqqvb2dv9NAQDA6wKyBgAAcMITkUgk0t7e3tLSct4558yZPfPkk2effe7Zf//r39esfXl4aCiYvJfuVLq7d7CJskI9ouJ+MOaEX2PlE7lnbzN/vmCkDY20cNZuM5reJV9Ozu/oNj5MN1YQYhathVhrnSwIYHceASbtFPVr4eTwAmc8BDMzKWYi0sKskk95wnInucPkhvXk9B3UnvCcxY1riUglEx1EpNx746l/3Q17eiikukJIauZFdwHPRWZycyaZgb1PPsGvqsA/gM/39o3qjcu3+4KdPSX3Ofb9+GZ9lewIYdmWtu0pU09acMl53/jG3X59KAAA4HUO/90HAIDXoZ///CclwbKr3/u+P//5zy2/fnjd2nWx4RibyhmdTSRau+PwiQrcBc4xQvA3NgXvOhfcrc+2ij6SrLg4s0VCzlZSMWbmA0n2VvBOFpBL3BYS3oEWzpV3kjmcDtg95fmpI3LDVE6eYHLqBueRd4AAsaeIhEhI3OX8x0F4J33MjaIlpyjD/+Lmm+cwfZY+z2ZlJHw3XFBGoqBAcsI3a5D5L3myYE6VAQsLE0vCsisqqt566aU7tm3Zt2/frDknP/jgwwsXLly+fPnojxgAAE5UyBoAAMDrk4hs2rTp6aef+tjHrtuxY8dXv/zlje3rhqNx5944syJx7oinY6rs8F1yHhd2mEoPvI9GNXYib/zpHYeRL1GQuf9Cp5KMeZP1GllZA0ltOD0qRJxhIsSeCR6SmQC/g8u+1e+2dcyX2eBkfYSblPAL41M9CXIaBKRmX8iVuUvf61sgZC9UfuA/4qFY2VscXa2BszNnTousbAkza7dgRJlsXHDhhT/86U/vuvPO3Xv23HnnnUUfHwAAvK6oY30AAAAARwQzz5s3b/v2Hcw8c+bMWXNmr3j+xbPffFZZWZlhGIlEwtbaLYF3b4NL3ikViozdD7U9QkawK4eyvdTK4nkm6yUiyW25774q4r7q/PFuz5lPQFIpA0o/FE9oLk6Zv5sPSFYQeK5wahcZT7p/3EkL3D+eKQpEfK+NGxq700LkP0/ft7jAZU5u17MHv7v8fu9VoZRBxip+j/Ifju+pj7RGLjfLIpKsziClFJEkEgmtbTNgnn7aqWvb2s6/8MLnV6++5XOfQ8oAAOCNDFkDAAB4PWtqagqHwyKilMHMtTNnr3z+hdPrzpgwcaJpGrHhqNaalUHMkooo0yP8k4/TN2Ml80+OAoFfVhifd6FDShe4Rrxr7QlVffaXSqGk0ympmDxnJ8nBApnr+5xEZgGDe+Pe+5xkv+73fEYMn3rGL5pPpSCyDySX3w1691FOKiedNUldo6K3m//17NyB7x//9Yv5tGSUSaTeOCEWIcNQRBRPxLWm0rKSqVOnvfRy+7QZs5j5hk9+8vwLLkAjAwCANzhkDQAA4HWuubm5tbV11qxZIvLsipXMPPvkk/+xYuWs2XOnTq9RioeHhrRtm6bJijV57pzn1vC7cS4TsThTFfrevs4X8onfq/7GkjtwYun07XvJCf+zdptxD90vfZC9de/CObf9OV+2Ir3VrLyBZF6SPCsReRsjZGQKcg7Es4yklinuWue+V8k0gUjhDfhdX7/FfdfPWK1AxiDfp8mnqSGn3wt2HzkNJMidTsIdQEKGwYbB8VjMSiTKKiomT570+S9+ec7cU5l54sSaxsbGSCSS76IBAMAbB5LHAADwhiAiS5cuXbt2bXV1dWtr60ULFpSXl1108T/d/d3vDg8N7N23b2hoOBQMmgFTa7c83p01IF+Hv/RwfPH7eVogAPe7dVvoB3JRr402x5C90TwtBXw37L+v/AuOtLz4HFFOm/98B5ivk0MhWS+P4rehvLfdR7r+kvXv6Pc+qj1zxh6TTSWISEhYhA2DiWKJONl2ZVXVuOrqt7398hUrnv3jH//kZAra2trq6+uRNQAAAELWAAAA3lAikUhHR0dZWdnkyZPb2tpOPeWUyoqKd7/nPd/5zncOdO7r2LJ1YGAwEDCDoRARiWjRQkSsWNwmCL7Rn4w+ePdrrDfWxEHRUseWpwGfT299//WLe7lgysDzWmaxBuc5uKzncqpAjrYxtS6UjK9H8wEocBiS8yDP3t3ujkKs4rGYbSWqxk2YMmnS2RfWbdq4/WB379+fbHW+QWbPnk1ESBkAAIADWQMAAHjDiUQi+/fvD4VC48aNI6Le3t7x48bd3tj4tdtuf3Xrhg2bNh480G0oFQyVKGYi0Vqn79Mm2/Vnx4JjkZk7GPlncs7992LlO8KcO+c52/avtPCNTyk13mGEvWaskblKcqc5FQ+5CxwXv8IUcxAZn5R8hQGj3mqhFcTTakIy5q1gjsdjtqXHj6+cOWvuzJNPXvXciq7Ozo2bNkcikba2ts7OzoaGBuQLAADAyzjWBwAAAHC0tba2rl69+vLLL3e+LCkpiUQi27Z0zDn15G9/705iY9KEiqHheG9vr2VZipmVcoaHp3IH+aLpUcqpOBghXMzuzViEEQ9yNMMlijrj9Kj6vI0OspfOugYj1TwUkVbwV2jUyCg3NfL6xbU1KLCV0R2SJ/vkDKxhVoqdSRLYnR/BSljxqvETzjnnwkVXXbVp06aXXnpp1ernDxzsrqur6+zsvPDCC5cuXdra2jqqHQMAwOsesgYAAPAG1dra2tra2tDQ0NraWlZW9vgTf7tw/luee+65m2666ZJL5j/8i28Nx8oHB/p7urtj8bgWzczEzgR1nLqde8hGVW4w2qzBWIdLHJ7b+Fx8XQR7MgzFZA2SLxb9Jowqw5Mq6chXUjFWfvUp/lsf29vByRwQMycnPhAtOm5ZCduaPGni5Yuu+NUnP7Opq3N/b9/uvXuefvppZ8XOzs6Ojg7kCwAAwNdxUd4HAABwXGls/Ixplg0OJr71rTsff/xPP/vpw23r2+NDQ5Zls1KKlTNZncgoyw38w+gRRvLnLl/cnkYrf+4gY2MFuvm5ofbo9p1Tv19k1oBSiYPCSx5iRQh7NjLmASKUNTYh74CRQs+OkENhSX6SlDJExNa21ppEE/OUKVPf/8H3/OH3j82dWHNlQ8M/z53Hl146+nMAAIA3KGQNAAAACvnsZz5dUhL6zh3f++ptX3j2Hyu6Ojvj2ta2xazMgKmYna4HzrAFzh26PnLPfE+4Pppm/vlf8mlLyJ7DyjMNQJGH4Hs+fs0JipSnq2TOcfkrJsEwuhg9z+pFlASMsPv8kyiMvMWM98ZbppBK1DARsWEorcXWthZtKMMMBGbPmvnI0oc/tOST+7u6Hv/b34s4XAAAgGzqWB8AAADA8auurm7CxEl3fPfOe+65e+r0GU88/fTnP//l006bO6FmYklZSSIWiw7HRIQNpZQiIi05sWHu4P4CYeOht0rIisKTf7LLBfLvaKQXszZMQlJwlUNW1NFK1nKeY5Ps400uWcxhi+eBf1fIAlvxvJR3R5L1t+TbaPrr5DgVp9RFtJBiwzCIJDocteKxgGlWlVWcf/ZZL770yrhxE3nixFPfVIeUAQAAjBmyBgAAAHktXry4tbW1sbHxpptuXv7U08x8oL/rLfMvWbHy+YUXXXLy7JMnTKkRoeHBoXgsrgxlmAYzizd3kBsAFhizPopag7zBMBFJZrjsu6ZfWJodUftmB45cgoALnJfPWfoeeuFT91lJCg6pyE34+B9Fnrcic8mcZ5PJAvH87X0bvW9H6kjY2YYIMynDUKZhW/bw0HDCssvLKydOmvK2d1yxcs3aGXNrmXnOKacQ0dKlSxsaGgpeDQAAgLzQDREAACCv1tZWp0tcS0tLTU3NY4899tdly2ytn3j8cTKMn/3857FYn23FK8rKLZKB/v5YNMamMs2AkzuQwk0T83VCPMThg8WF9UUMSMgqiD96ZORrcHhnXswzaGOkky96lIiM9DD/Nr1dH5lIiJlYsaEMrXUsGrUTVklpqLp6woRx1VeGw3v27h3f2fmv11wzZerKtjZZunRpdXX12rVrOzo6Cp4KAABAXuhrAAAAUBQRaW1t7ezsbG9vJyJnTvtrr72msrz83v/+n49+9KN2PH6ga9/u3fsG+nqVoYKhkGKlRUR0EQEiFxHGF3mgRQX6Y99d8bfmx7K1IpMUhzdrUGhzYztdn+SA51/Om1bIzB1ltHpkZmbFzByPxSzLDpYEJk2cVD1uQkmJ+sVv7v3Mkm+0r9/89yefDIfDzS0t94UXTg43hMMRzpsSAQAAKAp+kAAAAIxOJBJpbW3dv39/X1/fggULWlpa7r333pPnzHnnokUvv/zygw8+2HfgwGsbN+7dvzcaS4RKgqZpELFoT5zo043fM5vjIdcaFB155zuYQhsvertj3uAxSRyMpdzAd5V8+YJCRQaSvTnOmkqC2aleSSQSQjxxfPXMk2dVV1WffNppT/5tWXl5sLu3929P/CMSiaxYsaKurW1BVVW4vR2/5AEAwGGBHygAAABjFA6H29raLrvssrvuuqupqWnSpElbt27Vtn3X3Xcvveeeff39bevXv7phQ1fPAUVkmgFDKWFmEU1EIkop0eKEh0JMLFxwQEOxis4a0GiHRYxqsMLYcwdFZyYO328xxVx372EVyLT4lBbkyx9wZuGBkx7wHpNTJ8BsWZZtJYKh0toZtfWn11dUV2/Z9Org0JDWsnnr1pdffpmI6urqJk+e3NDQ4FTBAAAAHC7IGgAAABwSZ+QCETU1NTkP7vj6188844xVK1faSn/kusV//OOTK55ZuXnjpv6BfmJS7ASDbrU5kWgtSqnMMLT4eRd8Fiwy7PYpdyhi4/m2P/a5CX22OOIZFJc1kILxfcbmRv0bke9Ws8cd5L4d4tN8MdVAQhGTIhFx5vJkZtu2taXLqyrOOOOsRVdeGa6puefvT3TGE8HSUmQHAADg6EDWAAAA4EjZvPn5jRu3Pr7syXhc//d9//Nf/3Xn8if/3rGpI27FtS2kRDSxYmUY7M6kJ8na9Kxg9/BnDaj4OD9PQX1RGzykgQ8FsxNHqK/BSKMO8snpU8BO1iCdaUm/NZ5iA3HfcaeqQIsWEhEhVqQlEDSnTpt21dVXfupTN33kwx+eO2nSe/75n+vLy/nSS0d7ggAAAGNmHusDAAAAeN2aO/f81OMpU0+6/fbbP3btR37X9tiPf/CDRx/9/a7dexPxuK3tWCyumA2lVMAw2BARIRItGdXqhe6bZ3dM8J38IPXkCOF21hj7kYfje78ea+e9oqZrGP22fS/BGPaQ072wwKriWSG9kmfYSLLagJmJFDOxbdtaaxFtmKbJhjJ5wqRJlzRc8p//+a1PL/nki2vWpToaNt5990jnAAAAcJipY30AAAAAbwjr1q0TkZ8s/RkzP73i2ZNqZz6/du11n/n32XNOrplUU15RYQSMRDwxHB2KxeNaazYUG4Y7miE7ZpWc8JZzb8Jz5p/0i0W2MJCMIQlF3G73O6hR8Zl1MPcMxrRlh+Q7E04vUODYitipf38GJ08gDmKlWDGRxBOJ6HA0FosRUUkwVFFWPnX69Pddc81L7RvmzD1lypSTHnjgB/fd/4PaGTPr6uqKOD0AAIAjwjjWBwAAAPCG0NbWFolEJk+e3NfXN3XqtAcfeqhmcg3ZZJhG829+Gyot7TnYQySlJaWBgGklrHgsbiUSQqKUYlasWBGLO5yfk3ervYUBBQcnZEXfOQFwVqu/fC8Ves4zJ4P/hopRIDjPk0DIazSTH+SfvSIzc8HJoQzs3wnBqQkQEU4+omQLC2ceBNu2E/FEPBrTtm2ESspLSsdVjTtp6tRPfPzj9//4J61Ptu7ZuzccDo8fXz158pTPfe7zRLR8+fJ3vvOdTssMAACAow8jFAAAAI6GVJG5M/PCzTffvORTSxYvXtzZ2fnwww/bltX829/e8IlPPPDDHy5ZsmTfrl1Dw8MDmtMgjgAADqpJREFUQwPDg4ODff0xK8FEgWDANAKGwU4oqoVIhJzGeckoVtxRAp4MQoEg3CHZS+UPt0cuODiklMFhWde7kTzDK/yKInyHbvgNBnE7FSavM3sGj4ibJXCWdFIFImLbOmEltGWTCBuqpKSssrIyaJqhEuOTn73+e9/574TIpm3bmDkcDjsr9/T01NTUtLa2RiIRZkbKAAAAjiF0QwQAADgGRKSlpeW1114jottuu23x4sUtLS1E9JGPfKSqsnJ4ePiHP/rRfffdt/qZJ4fjVk//4EBv78BAX3Q4ZmmtSIKhkGmYzMrpoZiqgCciZk434ScW/+RBsZmBQl9lyxz9cPz8ipFThJHVfSE592UxWQP3Wc9UiakpD8hQyskciBZbdCKRsC1LmA1llJaFqiorzWCIRU2eOPHu++//zJJPGQYPDQ//6bG/EFEkEmlsbGRmZzBCe3v74ThzAACAwwC1BgAAAMdAqvTASR/U1tbW1NR0dnbOmTOnra2tpaWl68ABQ/HBgwdOmTv317/5/W233TZw8GBfdKD7QHfnnn39g31DsWGyhZUyDdM0TWJWSokWImFmrZ3dpG+he7shSlalQcaRZT/tuWfvvX3v04SgyFPP3FbR00OMWeqE/Zsa+o7Z8B+rIELEbmdDEeddZKWYmMnWlrZty0okEpooZJrl5ZXjx1VWj58QrKiw+/o+deutd373O1u3dGiiD7z//cufeiocDp9/wfw/PfaX2bNni4iTOGhqajrsFwAAAOBQHD83AgAAAN7oGhoaQqEQEbW1te3cudN5srGxUWudiMc3bFh/wfnnf+krX73jjjv0cPfuvT37Ovft37f3QE+PFU3YVoIVE3PANJiVE9I6dQdOJUL6DrlTjJAsSSCnWx97swWeiD79MDfgzt9aceTfL9zCfk5u9ognD/LMHpHsTyDMLNmJBeciETNrrTlJRJwSA6fSIJGwRNtaS0mopKKidNzECTUTJ02pmRooLz/nnNDjf1n/6sadpeXltmXFbXv58uXOpmtra+vr64koFothAAIAABzPkDUAAAA4YYjIM88807lv99o1a7oPHgiEpnzgQ1/bsqVl166tOzq2b+vo2Lt7b3/fQDQWE8WKlaEUMxO7pQ1KKTdT4Aa9TvzrDtYnJ7IW9ya6m0qQ9ESOnkQC0ViKDcY2L6N/PiFz3AVnZDjcbpF5EhGZ6QM3ayDCTMTKnfCAmYVZsZDb11BEtIiIO3uF1tomUURlwZKSiorq8eNnzppVd+aZl5x66v/++pd9w8PV1ROmTa8qqwhMm2YuXhwZy3kDAAAcHzBCAQAA4ITBmXH3889Ld3ebUtWbNj3x6oYN1dUT/rHq+Wcef7x11TNtbRu69u7vHxiwYrFYPG6LrW1bKcPp5S9a3MJ6JlbsZgqIFLPWmtwZAonJSSdwZqFB4S6L+Q9+rCedud+MR8kMgDcTwIXKFiTVxiC9glLsVA0QEyslQkRk25o0EbuJBKdiQxErwwiUllSWl06aOOlN8868/F3/dNFF73jP1Vdv2LixNBicOWHC9e/7wNmXXTbGcwUAADj+oNYAAADg9eOmz372LW+5cMuWLcL85S9/hYi2bt3a0vKLl9as7dzXNTQ8NBwdthNxrYWUIiFb20Skbe3kDlgppVRycIMbW4sWIRHtdlwkSpUgJOcrzFN84EgVMoyCfwMCzyZ9Vsiz6+QcEyLCyZoLdgswyNbaOU3b1iJatBiGKUSk2CnSMAzDMDgQCJSVV9ZMHD939twL3vrWK6+88oP/7wMV5RWTp9TU1dWvfn7V3XffO7oTBAAAOHGg1gAAAOD145577yUiEWlqamLmP/zhD7NmzRw3bmLc0mVVlcuefJKIWlr+9Nxzj3ds3DIUjVrx+MDwYDwRI1sTsdP5X9tuSoCZtNakWLFSTllCshkBs0oPWUiODhD3MZFTnuBWMHh7IjhRuyeT4G3S6MGeEgIRcfMX2T0QkmUDJKlNp8sxnFNwEgXMWoS01lprESbS7rGKYRiGMoNBg5lIlDIMxUZpSbBi/Pg506dfOH/hoo8vqqbqK9/1rpgl2jSZ6KGHHvrFL38VDocf+OEPeWyjLgAAAE4c+FEHAADwutLY2EhEHR0dP/vZz5w4vqmpyZmXwVngV7/61dYtW5995ukd23eMr65+cvnyVRtWPffH5Zu2bNm7e3dff//Q8KC2hZk1cyI+ZNuSSCSYSGuxbCueSJCIYiZm0zSUMpz79ko5QbzTL5CcWN0J2pPdEyg5C0HyGSYSYZ+kQUYPhOQm2Fk5ObEkO5kHLcJMot0uDLaI1lrbllNf4GClRLTBphFQzv8MImIzEDTKy8qCJeVlpaU106ZdccUVixYtuuxf3r7z1Y1TpkyZd+ppF1/xjr7+/k8v+TQRhcNhp39hY2PjLbfc4hxbVVUVZj0AAIDXN2QNAAAAXp8aGxvr6+vr6upWrlzZ0tKyZs2azs7OVB6htbU11br/pz/98a7du3Zv37Vly5b9+/cfOHjg9Ded/udly1pbW//vkUf27t+vyNYiQ/F4f/+AFY9alra1kK0TthWLRrXYTCxMtq1tyyIhIc3EWjQJaa2dnoKKDcM0iEixIs9gAb9jFxFiEU3kVCrYWhORaE3KbU6oSbTWihQTK9NgJtKkmUw2VECZZoANFWBWgSAzk23bJOVllRXl5aJ11cTKU0+td9Ir73rnv+7du3dSzeTTTjttwUUXdXR0/Md//AcRNRDVhMP19fWNjY3MXFNTc+6559bV1S1YsKCmpqahoQFVBgAA8AaBH3gAAABvFKk8wvLly1taWtauXdvT0+MMZyCitrY2IkqVJNxxxx2nn3baymXLNr26cc/u3T0iZsA886yzfvbgwwcPHnzxxeUbN762Zs3LieGYUgaRaZpmPDEwPBCNEymRhGWLZdmWlYhbmp1GChKLWrYVEyLLFrEtWztdBzQTCSki9xcTpYjFYMMmYdMIBEyTFCk2xBbDVMo0iUhIa9GsWSnTUMoIKBFlEQWDQdM0TdueNGHC+GnTrrrqqosvvnjJJ2946qmnE5ZVUV4xYUL1zFmzLrr44srKqra2Nufcw+EwEaVyBER0ak3NW849tyEc3rFjBxGhoAAAAN6wkDUAAAB443Lut9fX169YsaKvr6+trW3z5s2dnZ2UbI5ARG2RSEty+YULFy5evPicc842TV63bt2zz67Yvm37/n2dzlQDoVCwtLSkevz40+vP+MY3v+2s8vKyZQeDwb6+vv7+bU89tYKGDFWhEglLhKLRWLlZTkREsYRlEJGlEkRUqQO90ehgMGh0d4eCwfG1tVOmTKmpqakcqpxx/oyGhobU8d/0mSUvr32pr79/KBqNxePEipkNZtM0Q8HgxJqak6ZPtyxr165dy5cvd1bJTRDU1NTMnTu3vr5+wYIFO3bsaG9vT6VOAAAAAFkDAAAAyBYOh+vq6urr61e0tLS3tbW1t+/0vJoa5kBEkUgkd3URaWlp6e7u3vLqq0NDQ/39/VEr1tvbPdDXNzQ0LMTEYtuaiUlYMYmQM7WhkDgzHWphy7ZJJGAYodLSsoqKsmBZWVnZhAkTTqs/7bzzzkvlDkY1UqC2tra2thYJAgAAgOIhawAAAACjEA6HnZyCE3K3tbW1t7cf64MCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAID/3x4cEgAAAAAI+v/aD2YAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAPgCImdgILyU7T0AAAAASUVORK5CYII="/>
+<pattern id="pattern0" patternUnits="userSpaceOnUse" width="1383" height="922"  patternTransform="matrix(0.0759219,0,0,0.0759219,-18.451104,-0.000000000000008631)">
+  <use xlink:href="#image6"/>
+</pattern>
+<clipPath id="clip3">
+  <rect x="0" y="0" width="70" height="70"/>
+</clipPath>
+<g id="surface17" clip-path="url(#clip3)">
+<rect x="0" y="0" width="70" height="70" style="fill:url(#pattern0);stroke:none;"/>
+</g>
+</defs>
+<g id="surface1">
+<g clip-path="url(#clip1)" clip-rule="nonzero">
+<g clip-path="url(#clip2)" clip-rule="nonzero">
+<rect x="0" y="0" width="70" height="70" style="fill:rgb(97.254902%,97.254902%,97.254902%);fill-opacity:1;stroke:none;"/>
+</g>
+</g>
+<use xlink:href="#surface17" mask="url(#mask0)"/>
+</g>
+</svg>
diff --git a/frontend/vite.config.ts b/frontend/vite.config.ts
index 350070b..76405cc 100644
--- a/frontend/vite.config.ts
+++ b/frontend/vite.config.ts
@@ -8,7 +8,8 @@ export default defineConfig({
 		proxy: {
 			'/api': {
 				target: 'http://localhost:8080',
-				rewrite: (path) => path.replace(/^\/api/, '')
+				rewrite: (path) => path.replace(/^\/api/, ''),
+				ws: true
 			}
 		}
 	}
diff --git a/go.mod b/go.mod
index d37ace7..539abaa 100644
--- a/go.mod
+++ b/go.mod
@@ -9,14 +9,14 @@ require (
 	github.com/golang-jwt/jwt/v5 v5.3.1
 	github.com/google/uuid v1.6.0
 	github.com/gorilla/websocket v1.5.3
-	github.com/jackc/pgx/v5 v5.8.0
+	github.com/jackc/pgx/v5 v5.9.1
 	github.com/joho/godotenv v1.5.1
 	github.com/redis/go-redis/v9 v9.18.0
-	github.com/vishvananda/netlink v1.1.1-0.20210330154013-f5de75959ad5
-	github.com/vishvananda/netns v0.0.0-20210104183010-2eb08e3e575f
-	golang.org/x/crypto v0.49.0
+	github.com/vishvananda/netlink v1.3.1
+	github.com/vishvananda/netns v0.0.5
+	golang.org/x/crypto v0.50.0
 	golang.org/x/oauth2 v0.36.0
-	golang.org/x/sys v0.42.0
+	golang.org/x/sys v0.43.0
 	google.golang.org/protobuf v1.36.11
 )
 
@@ -31,5 +31,5 @@ require (
 	github.com/mattn/go-isatty v0.0.17 // indirect
 	go.uber.org/atomic v1.11.0 // indirect
 	golang.org/x/sync v0.20.0 // indirect
-	golang.org/x/text v0.35.0 // indirect
+	golang.org/x/text v0.36.0 // indirect
 )
diff --git a/go.sum b/go.sum
index 27ca5de..1c183c4 100644
--- a/go.sum
+++ b/go.sum
@@ -37,8 +37,8 @@ github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsI
 github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg=
 github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 h1:iCEnooe7UlwOQYpKFhBabPMi4aNAfoODPEFNiAnClxo=
 github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM=
-github.com/jackc/pgx/v5 v5.8.0 h1:TYPDoleBBme0xGSAX3/+NujXXtpZn9HBONkQC7IEZSo=
-github.com/jackc/pgx/v5 v5.8.0/go.mod h1:QVeDInX2m9VyzvNeiCJVjCkNFqzsNb43204HshNSZKw=
+github.com/jackc/pgx/v5 v5.9.1 h1:uwrxJXBnx76nyISkhr33kQLlUqjv7et7b9FjCen/tdc=
+github.com/jackc/pgx/v5 v5.9.1/go.mod h1:mal1tBGAFfLHvZzaYh77YS/eC6IX9OWbRV1QIIM0Jn4=
 github.com/jackc/puddle/v2 v2.2.2 h1:PR8nw+E/1w0GLuRFSmiioY6UooMp6KJv0/61nB7icHo=
 github.com/jackc/puddle/v2 v2.2.2/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4=
 github.com/jarcoal/httpmock v1.3.0 h1:2RJ8GP0IIaWwcC9Fp2BmVi8Kog3v2Hn7VXM3fTd+nuc=
@@ -65,32 +65,31 @@ github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UV
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
 github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
-github.com/vishvananda/netlink v1.1.1-0.20210330154013-f5de75959ad5 h1:+UB2BJA852UkGH42H+Oee69djmxS3ANzl2b/JtT1YiA=
-github.com/vishvananda/netlink v1.1.1-0.20210330154013-f5de75959ad5/go.mod h1:twkDnbuQxJYemMlGd4JFIcuhgX83tXhKS2B/PRMpOho=
-github.com/vishvananda/netns v0.0.0-20200728191858-db3c7e526aae/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0=
-github.com/vishvananda/netns v0.0.0-20210104183010-2eb08e3e575f h1:p4VB7kIXpOQvVn1ZaTIVp+3vuYAXFe3OJEvjbUYJLaA=
-github.com/vishvananda/netns v0.0.0-20210104183010-2eb08e3e575f/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0=
+github.com/vishvananda/netlink v1.3.1 h1:3AEMt62VKqz90r0tmNhog0r/PpWKmrEShJU0wJW6bV0=
+github.com/vishvananda/netlink v1.3.1/go.mod h1:ARtKouGSTGchR8aMwmkzC0qiNPrrWO5JS/XMVl45+b4=
+github.com/vishvananda/netns v0.0.5 h1:DfiHV+j8bA32MFM7bfEunvT8IAqQ/NzSJHtcmW5zdEY=
+github.com/vishvananda/netns v0.0.5/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM=
 github.com/zeebo/xxh3 v1.0.2 h1:xZmwmqxHZA8AI603jOQ0tMqmBr9lPeFwGg6d+xy9DC0=
 github.com/zeebo/xxh3 v1.0.2/go.mod h1:5NWz9Sef7zIDm2JHfFlcQvNekmcEl9ekUZQQKCYaDcA=
 go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE=
 go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
-golang.org/x/crypto v0.49.0 h1:+Ng2ULVvLHnJ/ZFEq4KdcDd/cfjrrjjNSXNzxg0Y4U4=
-golang.org/x/crypto v0.49.0/go.mod h1:ErX4dUh2UM+CFYiXZRTcMpEcN8b/1gxEuv3nODoYtCA=
-golang.org/x/net v0.51.0 h1:94R/GTO7mt3/4wIKpcR5gkGmRLOuE/2hNGeWq/GBIFo=
-golang.org/x/net v0.51.0/go.mod h1:aamm+2QF5ogm02fjy5Bb7CQ0WMt1/WVM7FtyaTLlA9Y=
+golang.org/x/crypto v0.50.0 h1:zO47/JPrL6vsNkINmLoo/PH1gcxpls50DNogFvB5ZGI=
+golang.org/x/crypto v0.50.0/go.mod h1:3muZ7vA7PBCE6xgPX7nkzzjiUq87kRItoJQM1Yo8S+Q=
+golang.org/x/net v0.52.0 h1:He/TN1l0e4mmR3QqHMT2Xab3Aj3L9qjbhRm78/6jrW0=
+golang.org/x/net v0.52.0/go.mod h1:R1MAz7uMZxVMualyPXb+VaqGSa3LIaUqk0eEt3w36Sw=
 golang.org/x/oauth2 v0.36.0 h1:peZ/1z27fi9hUOFCAZaHyrpWG5lwe0RJEEEeH0ThlIs=
 golang.org/x/oauth2 v0.36.0/go.mod h1:YDBUJMTkDnJS+A4BP4eZBjCqtokkg1hODuPjwiGPO7Q=
 golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=
 golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
-golang.org/x/sys v0.0.0-20200217220822-9197077df867/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200728102440-3e129f6d46b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo=
-golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
-golang.org/x/text v0.35.0 h1:JOVx6vVDFokkpaq1AEptVzLTpDe9KGpj5tR4/X+ybL8=
-golang.org/x/text v0.35.0/go.mod h1:khi/HExzZJ2pGnjenulevKNX1W67CUy0AsXcNubPGCA=
-golang.org/x/tools v0.42.0 h1:uNgphsn75Tdz5Ji2q36v/nsFSfR/9BRFvqhGBaJGd5k=
-golang.org/x/tools v0.42.0/go.mod h1:Ma6lCIwGZvHK6XtgbswSoWroEkhugApmsXyrUmBhfr0=
+golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.43.0 h1:Rlag2XtaFTxp19wS8MXlJwTvoh8ArU6ezoyFsMyCTNI=
+golang.org/x/sys v0.43.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/text v0.36.0 h1:JfKh3XmcRPqZPKevfXVpI1wXPTqbkE5f7JA92a55Yxg=
+golang.org/x/text v0.36.0/go.mod h1:NIdBknypM8iqVmPiuco0Dh6P5Jcdk8lJL0CUebqK164=
+golang.org/x/tools v0.43.0 h1:12BdW9CeB3Z+J/I/wj34VMl8X+fEXBxVR90JeMX5E7s=
+golang.org/x/tools v0.43.0/go.mod h1:uHkMso649BX2cZK6+RpuIPXS3ho2hZo4FVwfoy1vIk0=
 google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=
 google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
diff --git a/images/wrenn-init.sh b/images/wrenn-init.sh
index d83be1c..8a9e22e 100644
--- a/images/wrenn-init.sh
+++ b/images/wrenn-init.sh
@@ -17,8 +17,9 @@ mkdir -p /sys/fs/cgroup
 mount -t cgroup2 cgroup2 /sys/fs/cgroup 2>/dev/null || true
 echo "+cpu +memory +io" > /sys/fs/cgroup/cgroup.subtree_control 2>/dev/null || true
 
-# Set hostname
+# Set hostname and make it resolvable (sudo requires this).
 hostname sandbox
+echo "127.0.0.1 sandbox" >> /etc/hosts
 
 # Configure networking if the kernel ip= boot arg did not already set it up.
 if ! ip addr show eth0 2>/dev/null | grep -q "169.254.0.21"; then
diff --git a/internal/api/agent_helper.go b/internal/api/agent_helper.go
index e4a3545..6a7acf5 100644
--- a/internal/api/agent_helper.go
+++ b/internal/api/agent_helper.go
@@ -6,8 +6,8 @@ import (
 
 	"github.com/jackc/pgx/v5/pgtype"
 
-	"git.omukk.dev/wrenn/wrenn/internal/db"
-	"git.omukk.dev/wrenn/wrenn/internal/lifecycle"
+	"git.omukk.dev/wrenn/wrenn/pkg/db"
+	"git.omukk.dev/wrenn/wrenn/pkg/lifecycle"
 	"git.omukk.dev/wrenn/wrenn/proto/hostagent/gen/hostagentv1connect"
 )
 
diff --git a/internal/api/handler_sandbox_proxy.go b/internal/api/handler_sandbox_proxy.go
index 9abae06..5e3754d 100644
--- a/internal/api/handler_sandbox_proxy.go
+++ b/internal/api/handler_sandbox_proxy.go
@@ -17,10 +17,9 @@ import (
 
 	"github.com/jackc/pgx/v5/pgtype"
 
-	"git.omukk.dev/wrenn/wrenn/internal/auth"
-	"git.omukk.dev/wrenn/wrenn/internal/db"
-	"git.omukk.dev/wrenn/wrenn/internal/id"
-	"git.omukk.dev/wrenn/wrenn/internal/lifecycle"
+	"git.omukk.dev/wrenn/wrenn/pkg/db"
+	"git.omukk.dev/wrenn/wrenn/pkg/id"
+	"git.omukk.dev/wrenn/wrenn/pkg/lifecycle"
 )
 
 // Sentinel errors returned by proxyTarget, used to map to HTTP status codes
@@ -44,7 +43,7 @@ func (e errProxySandboxNotRunning) Error() string {
 	return fmt.Sprintf("sandbox is not running (status: %s)", e.status)
 }
 
-// proxyCacheEntry caches the resolved agent URL for a (sandbox, team) pair.
+// proxyCacheEntry caches the resolved agent URL for a sandbox.
 // The *httputil.ReverseProxy is built per-request (cheap) so the Director closure
 // can capture the correct port without the cache key needing to include it.
 type proxyCacheEntry struct {
@@ -52,23 +51,13 @@ type proxyCacheEntry struct {
 	expiresAt time.Time
 }
 
-// proxyCacheKey is a fixed-size key from two UUIDs, avoids string allocation.
-type proxyCacheKey [32]byte
-
-func makeProxyCacheKey(sandboxID, teamID pgtype.UUID) proxyCacheKey {
-	var k proxyCacheKey
-	copy(k[:16], sandboxID.Bytes[:])
-	copy(k[16:], teamID.Bytes[:])
-	return k
-}
-
 // SandboxProxyWrapper wraps an existing HTTP handler and intercepts requests
 // whose Host header matches the {port}-{sandbox_id}.{domain} pattern. Matching
 // requests are reverse-proxied through the host agent that owns the sandbox.
 // All other requests are passed through to the inner handler.
 //
-// Authentication is via X-API-Key header only (no JWT). The API key's team
-// must own the sandbox.
+// No authentication is required — sandbox URLs are unguessable and access is
+// scoped to the sandbox ID embedded in the hostname.
 type SandboxProxyWrapper struct {
 	inner     http.Handler
 	db        *db.Queries
@@ -76,7 +65,7 @@ type SandboxProxyWrapper struct {
 	transport http.RoundTripper
 
 	cacheMu sync.Mutex
-	cache   map[proxyCacheKey]proxyCacheEntry
+	cache   map[pgtype.UUID]proxyCacheEntry
 }
 
 // NewSandboxProxyWrapper creates a new proxy wrapper.
@@ -86,19 +75,15 @@ func NewSandboxProxyWrapper(inner http.Handler, queries *db.Queries, pool *lifec
 		db:        queries,
 		pool:      pool,
 		transport: pool.Transport(),
-		cache:     make(map[proxyCacheKey]proxyCacheEntry),
+		cache:     make(map[pgtype.UUID]proxyCacheEntry),
 	}
 }
 
-// proxyTarget looks up the cached agent URL for (sandboxID, teamID).
+// proxyTarget looks up the cached agent URL for sandboxID.
 // On a miss it queries the DB, resolves the address, and populates the cache.
-// The *httputil.ReverseProxy is built by the caller so the Director closure
-// captures the correct port without the cache key needing to include it.
-func (h *SandboxProxyWrapper) proxyTarget(ctx context.Context, sandboxID, teamID pgtype.UUID) (*url.URL, error) {
-	cacheKey := makeProxyCacheKey(sandboxID, teamID)
-
+func (h *SandboxProxyWrapper) proxyTarget(ctx context.Context, sandboxID pgtype.UUID) (*url.URL, error) {
 	h.cacheMu.Lock()
-	entry, ok := h.cache[cacheKey]
+	entry, ok := h.cache[sandboxID]
 	h.cacheMu.Unlock()
 
 	if ok && time.Now().Before(entry.expiresAt) {
@@ -106,10 +91,7 @@ func (h *SandboxProxyWrapper) proxyTarget(ctx context.Context, sandboxID, teamID
 	}
 
 	// Cache miss or expired — query DB.
-	target, err := h.db.GetSandboxProxyTarget(ctx, db.GetSandboxProxyTargetParams{
-		ID:     sandboxID,
-		TeamID: teamID,
-	})
+	target, err := h.db.GetSandboxProxyTarget(ctx, sandboxID)
 	if err != nil {
 		return nil, errProxySandboxNotFound
 	}
@@ -126,7 +108,7 @@ func (h *SandboxProxyWrapper) proxyTarget(ctx context.Context, sandboxID, teamID
 	}
 
 	h.cacheMu.Lock()
-	h.cache[cacheKey] = proxyCacheEntry{
+	h.cache[sandboxID] = proxyCacheEntry{
 		agentURL:  agentURL,
 		expiresAt: time.Now().Add(proxyCacheTTL),
 	}
@@ -135,11 +117,11 @@ func (h *SandboxProxyWrapper) proxyTarget(ctx context.Context, sandboxID, teamID
 	return agentURL, nil
 }
 
-// evictProxyCache removes the cached entry for a (sandbox, team) pair.
+// evictProxyCache removes the cached entry for a sandbox.
 // Called on 502 so a stopped/moved sandbox is re-resolved on the next request.
-func (h *SandboxProxyWrapper) evictProxyCache(sandboxID, teamID pgtype.UUID) {
+func (h *SandboxProxyWrapper) evictProxyCache(sandboxID pgtype.UUID) {
 	h.cacheMu.Lock()
-	delete(h.cache, makeProxyCacheKey(sandboxID, teamID))
+	delete(h.cache, sandboxID)
 	h.cacheMu.Unlock()
 }
 
@@ -166,20 +148,13 @@ func (h *SandboxProxyWrapper) ServeHTTP(w http.ResponseWriter, r *http.Request)
 		return
 	}
 
-	// Authenticate: require API key or JWT, extract team ID.
-	teamID, err := h.authenticateRequest(r)
-	if err != nil {
-		writeError(w, http.StatusUnauthorized, "unauthorized", err.Error())
-		return
-	}
-
 	sandboxID, err := id.ParseSandboxID(sandboxIDStr)
 	if err != nil {
 		http.Error(w, "invalid sandbox ID", http.StatusBadRequest)
 		return
 	}
 
-	agentURL, err := h.proxyTarget(r.Context(), sandboxID, teamID)
+	agentURL, err := h.proxyTarget(r.Context(), sandboxID)
 	if err != nil {
 		switch {
 		case errors.Is(err, errProxySandboxNotFound):
@@ -206,25 +181,9 @@ func (h *SandboxProxyWrapper) ServeHTTP(w http.ResponseWriter, r *http.Request)
 				"port", port,
 				"error", err,
 			)
-			h.evictProxyCache(sandboxID, teamID)
+			h.evictProxyCache(sandboxID)
 			http.Error(w, "proxy error: "+err.Error(), http.StatusBadGateway)
 		},
 	}
 	proxy.ServeHTTP(w, r)
 }
-
-// authenticateRequest validates the request's API key and returns the team ID.
-// Only API key authentication is supported for sandbox proxy requests (not JWT).
-func (h *SandboxProxyWrapper) authenticateRequest(r *http.Request) (pgtype.UUID, error) {
-	key := r.Header.Get("X-API-Key")
-	if key == "" {
-		return pgtype.UUID{}, fmt.Errorf("X-API-Key header required")
-	}
-
-	hash := auth.HashAPIKey(key)
-	row, err := h.db.GetAPIKeyByHash(r.Context(), hash)
-	if err != nil {
-		return pgtype.UUID{}, fmt.Errorf("invalid API key")
-	}
-	return row.TeamID, nil
-}
diff --git a/internal/api/handlers_admin_capsules.go b/internal/api/handlers_admin_capsules.go
new file mode 100644
index 0000000..13250e5
--- /dev/null
+++ b/internal/api/handlers_admin_capsules.go
@@ -0,0 +1,248 @@
+package api
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"log/slog"
+	"net/http"
+	"time"
+
+	"connectrpc.com/connect"
+	"github.com/go-chi/chi/v5"
+
+	"git.omukk.dev/wrenn/wrenn/pkg/audit"
+	"git.omukk.dev/wrenn/wrenn/pkg/auth"
+	"git.omukk.dev/wrenn/wrenn/pkg/db"
+	"git.omukk.dev/wrenn/wrenn/pkg/id"
+	"git.omukk.dev/wrenn/wrenn/pkg/lifecycle"
+	"git.omukk.dev/wrenn/wrenn/pkg/service"
+	"git.omukk.dev/wrenn/wrenn/pkg/validate"
+	pb "git.omukk.dev/wrenn/wrenn/proto/hostagent/gen"
+)
+
+type adminCapsuleHandler struct {
+	svc   *service.SandboxService
+	db    *db.Queries
+	pool  *lifecycle.HostClientPool
+	audit *audit.AuditLogger
+}
+
+func newAdminCapsuleHandler(svc *service.SandboxService, db *db.Queries, pool *lifecycle.HostClientPool, al *audit.AuditLogger) *adminCapsuleHandler {
+	return &adminCapsuleHandler{svc: svc, db: db, pool: pool, audit: al}
+}
+
+// Create handles POST /v1/admin/capsules.
+func (h *adminCapsuleHandler) Create(w http.ResponseWriter, r *http.Request) {
+	var req createSandboxRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		writeError(w, http.StatusBadRequest, "invalid_request", "invalid JSON body")
+		return
+	}
+
+	ac := auth.MustFromContext(r.Context())
+
+	sb, err := h.svc.Create(r.Context(), service.SandboxCreateParams{
+		TeamID:     id.PlatformTeamID,
+		Template:   req.Template,
+		VCPUs:      req.VCPUs,
+		MemoryMB:   req.MemoryMB,
+		TimeoutSec: req.TimeoutSec,
+	})
+	if err != nil {
+		status, code, msg := serviceErrToHTTP(err)
+		writeError(w, status, code, msg)
+		return
+	}
+
+	h.audit.LogSandboxCreate(r.Context(), ac, sb.ID, sb.Template)
+	writeJSON(w, http.StatusCreated, sandboxToResponse(sb))
+}
+
+// List handles GET /v1/admin/capsules.
+func (h *adminCapsuleHandler) List(w http.ResponseWriter, r *http.Request) {
+	sandboxes, err := h.svc.List(r.Context(), id.PlatformTeamID)
+	if err != nil {
+		writeError(w, http.StatusInternalServerError, "db_error", "failed to list sandboxes")
+		return
+	}
+
+	resp := make([]sandboxResponse, len(sandboxes))
+	for i, sb := range sandboxes {
+		resp[i] = sandboxToResponse(sb)
+	}
+
+	writeJSON(w, http.StatusOK, resp)
+}
+
+// Get handles GET /v1/admin/capsules/{id}.
+func (h *adminCapsuleHandler) Get(w http.ResponseWriter, r *http.Request) {
+	sandboxIDStr := chi.URLParam(r, "id")
+
+	sandboxID, err := id.ParseSandboxID(sandboxIDStr)
+	if err != nil {
+		writeError(w, http.StatusBadRequest, "invalid_request", "invalid sandbox ID")
+		return
+	}
+
+	sb, err := h.svc.Get(r.Context(), sandboxID, id.PlatformTeamID)
+	if err != nil {
+		writeError(w, http.StatusNotFound, "not_found", "sandbox not found")
+		return
+	}
+
+	writeJSON(w, http.StatusOK, sandboxToResponse(sb))
+}
+
+// Destroy handles DELETE /v1/admin/capsules/{id}.
+func (h *adminCapsuleHandler) Destroy(w http.ResponseWriter, r *http.Request) {
+	sandboxIDStr := chi.URLParam(r, "id")
+	ac := auth.MustFromContext(r.Context())
+
+	sandboxID, err := id.ParseSandboxID(sandboxIDStr)
+	if err != nil {
+		writeError(w, http.StatusBadRequest, "invalid_request", "invalid sandbox ID")
+		return
+	}
+
+	if err := h.svc.Destroy(r.Context(), sandboxID, id.PlatformTeamID); err != nil {
+		status, code, msg := serviceErrToHTTP(err)
+		writeError(w, status, code, msg)
+		return
+	}
+
+	h.audit.LogSandboxDestroy(r.Context(), ac, sandboxID)
+	w.WriteHeader(http.StatusNoContent)
+}
+
+type adminSnapshotRequest struct {
+	Name string `json:"name"`
+}
+
+// Snapshot handles POST /v1/admin/capsules/{id}/snapshot.
+// Pauses the capsule, takes a snapshot as a platform template, then destroys the capsule.
+func (h *adminCapsuleHandler) Snapshot(w http.ResponseWriter, r *http.Request) {
+	sandboxIDStr := chi.URLParam(r, "id")
+	ac := auth.MustFromContext(r.Context())
+
+	sandboxID, err := id.ParseSandboxID(sandboxIDStr)
+	if err != nil {
+		writeError(w, http.StatusBadRequest, "invalid_request", "invalid sandbox ID")
+		return
+	}
+
+	var req adminSnapshotRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		writeError(w, http.StatusBadRequest, "invalid_request", "invalid JSON body")
+		return
+	}
+
+	if req.Name == "" {
+		req.Name = id.NewSnapshotName()
+	}
+	if err := validate.SafeName(req.Name); err != nil {
+		writeError(w, http.StatusBadRequest, "invalid_request", fmt.Sprintf("invalid snapshot name: %s", err))
+		return
+	}
+
+	ctx := r.Context()
+
+	// Verify sandbox exists and belongs to platform team BEFORE any
+	// destructive operations (template overwrite).
+	sb, err := h.db.GetSandboxByTeam(ctx, db.GetSandboxByTeamParams{ID: sandboxID, TeamID: id.PlatformTeamID})
+	if err != nil {
+		writeError(w, http.StatusNotFound, "not_found", "sandbox not found")
+		return
+	}
+	if sb.Status != "running" && sb.Status != "paused" {
+		writeError(w, http.StatusConflict, "invalid_state", "sandbox must be running or paused")
+		return
+	}
+
+	// Check if name already exists as a platform template.
+	if existing, err := h.db.GetPlatformTemplateByName(ctx, req.Name); err == nil {
+		// Delete old snapshot files from all hosts before removing the DB record.
+		if err := deleteSnapshotBroadcast(ctx, h.db, h.pool, existing.TeamID, existing.ID); err != nil {
+			writeError(w, http.StatusInternalServerError, "agent_error", "failed to delete existing snapshot files")
+			return
+		}
+		if err := h.db.DeleteTemplateByTeam(ctx, db.DeleteTemplateByTeamParams{Name: req.Name, TeamID: id.PlatformTeamID}); err != nil {
+			writeError(w, http.StatusInternalServerError, "db_error", "failed to remove existing template record")
+			return
+		}
+	}
+
+	agent, err := agentForHost(ctx, h.db, h.pool, sb.HostID)
+	if err != nil {
+		writeError(w, http.StatusServiceUnavailable, "host_unavailable", "sandbox host is not reachable")
+		return
+	}
+
+	// Pre-mark sandbox as "paused" to prevent the reconciler from racing.
+	if sb.Status == "running" {
+		if _, err := h.db.UpdateSandboxStatus(ctx, db.UpdateSandboxStatusParams{
+			ID: sandboxID, Status: "paused",
+		}); err != nil {
+			writeError(w, http.StatusInternalServerError, "db_error", "failed to update sandbox status")
+			return
+		}
+	}
+
+	// Use a detached context so the snapshot completes even if the client disconnects.
+	snapCtx, snapCancel := context.WithTimeout(context.Background(), 5*time.Minute)
+	defer snapCancel()
+
+	newTemplateID := id.NewTemplateID()
+
+	resp, err := agent.CreateSnapshot(snapCtx, connect.NewRequest(&pb.CreateSnapshotRequest{
+		SandboxId:  sandboxIDStr,
+		Name:       req.Name,
+		TeamId:     formatUUIDForRPC(id.PlatformTeamID),
+		TemplateId: formatUUIDForRPC(newTemplateID),
+	}))
+	if err != nil {
+		// Snapshot failed — revert status.
+		if sb.Status == "running" {
+			if _, dbErr := h.db.UpdateSandboxStatus(snapCtx, db.UpdateSandboxStatusParams{
+				ID: sandboxID, Status: "running",
+			}); dbErr != nil {
+				slog.Error("failed to revert sandbox status after snapshot error", "sandbox_id", sandboxIDStr, "error", dbErr)
+			}
+		}
+		status, code, msg := agentErrToHTTP(err)
+		writeError(w, status, code, msg)
+		return
+	}
+
+	tmpl, err := h.db.InsertTemplate(snapCtx, db.InsertTemplateParams{
+		ID:          newTemplateID,
+		Name:        req.Name,
+		Type:        "snapshot",
+		Vcpus:       sb.Vcpus,
+		MemoryMb:    sb.MemoryMb,
+		SizeBytes:   resp.Msg.SizeBytes,
+		TeamID:      id.PlatformTeamID,
+		DefaultUser: "root",
+		DefaultEnv:  []byte("{}"),
+		Metadata:    sb.Metadata,
+	})
+	if err != nil {
+		slog.Error("failed to insert template record", "name", req.Name, "error", err)
+		writeError(w, http.StatusInternalServerError, "db_error", "snapshot created but failed to record in database")
+		return
+	}
+
+	// Destroy the ephemeral capsule after successful snapshot.
+	if err := h.svc.Destroy(snapCtx, sandboxID, id.PlatformTeamID); err != nil {
+		slog.Error("failed to destroy capsule after snapshot", "sandbox_id", sandboxIDStr, "error", err)
+		// Don't fail the response — the snapshot was created successfully.
+	}
+
+	h.audit.LogSnapshotCreate(snapCtx, ac, req.Name)
+
+	if ctx.Err() != nil {
+		slog.Info("snapshot created but client disconnected before response", "name", req.Name)
+		return
+	}
+	writeJSON(w, http.StatusCreated, templateToResponse(tmpl))
+}
diff --git a/internal/api/handlers_apikeys.go b/internal/api/handlers_apikeys.go
index 440cb59..9fc315d 100644
--- a/internal/api/handlers_apikeys.go
+++ b/internal/api/handlers_apikeys.go
@@ -6,11 +6,11 @@ import (
 
 	"github.com/go-chi/chi/v5"
 
-	"git.omukk.dev/wrenn/wrenn/internal/audit"
-	"git.omukk.dev/wrenn/wrenn/internal/auth"
-	"git.omukk.dev/wrenn/wrenn/internal/db"
-	"git.omukk.dev/wrenn/wrenn/internal/id"
-	"git.omukk.dev/wrenn/wrenn/internal/service"
+	"git.omukk.dev/wrenn/wrenn/pkg/audit"
+	"git.omukk.dev/wrenn/wrenn/pkg/auth"
+	"git.omukk.dev/wrenn/wrenn/pkg/db"
+	"git.omukk.dev/wrenn/wrenn/pkg/id"
+	"git.omukk.dev/wrenn/wrenn/pkg/service"
 )
 
 type apiKeyHandler struct {
@@ -63,7 +63,7 @@ func apiKeyWithCreatorToResponse(k db.ListAPIKeysByTeamWithCreatorRow) apiKeyRes
 		Name:         k.Name,
 		KeyPrefix:    k.KeyPrefix,
 		CreatedBy:    id.FormatUserID(k.CreatedBy),
-		CreatorEmail: k.CreatorEmail,
+		CreatorEmail: k.CreatorEmail.String,
 	}
 	if k.CreatedAt.Valid {
 		resp.CreatedAt = k.CreatedAt.Time.Format(time.RFC3339)
diff --git a/internal/api/handlers_audit.go b/internal/api/handlers_audit.go
index 66768ec..feaebb7 100644
--- a/internal/api/handlers_audit.go
+++ b/internal/api/handlers_audit.go
@@ -8,9 +8,9 @@ import (
 
 	"github.com/jackc/pgx/v5/pgtype"
 
-	"git.omukk.dev/wrenn/wrenn/internal/auth"
-	"git.omukk.dev/wrenn/wrenn/internal/id"
-	"git.omukk.dev/wrenn/wrenn/internal/service"
+	"git.omukk.dev/wrenn/wrenn/pkg/auth"
+	"git.omukk.dev/wrenn/wrenn/pkg/id"
+	"git.omukk.dev/wrenn/wrenn/pkg/service"
 )
 
 type auditHandler struct {
diff --git a/internal/api/handlers_auth.go b/internal/api/handlers_auth.go
index 4c24b6e..1768606 100644
--- a/internal/api/handlers_auth.go
+++ b/internal/api/handlers_auth.go
@@ -2,19 +2,32 @@ package api
 
 import (
 	"context"
+	"crypto/rand"
+	"crypto/sha256"
+	"encoding/hex"
 	"errors"
+	"fmt"
 	"log/slog"
 	"net/http"
 	"strings"
+	"time"
 
 	"github.com/jackc/pgx/v5"
 	"github.com/jackc/pgx/v5/pgconn"
 	"github.com/jackc/pgx/v5/pgtype"
 	"github.com/jackc/pgx/v5/pgxpool"
+	"github.com/redis/go-redis/v9"
 
-	"git.omukk.dev/wrenn/wrenn/internal/auth"
-	"git.omukk.dev/wrenn/wrenn/internal/db"
-	"git.omukk.dev/wrenn/wrenn/internal/id"
+	"git.omukk.dev/wrenn/wrenn/internal/email"
+	"git.omukk.dev/wrenn/wrenn/pkg/auth"
+	"git.omukk.dev/wrenn/wrenn/pkg/db"
+	"git.omukk.dev/wrenn/wrenn/pkg/id"
+)
+
+const (
+	activationKeyPrefix = "wrenn:activation:"
+	activationTTL       = 30 * time.Minute
+	signupCooldown      = 30 * time.Minute
 )
 
 // loginTeam returns the team and role to stamp into a login JWT.
@@ -52,18 +65,89 @@ func loginTeam(ctx context.Context, q *db.Queries, userID pgtype.UUID) (db.Team,
 	}, first.Role, nil
 }
 
+// ensureDefaultTeam creates a default team for a user if they have none.
+// This happens on first login after activation or for edge cases where a user
+// has no teams. Returns the team, role, and whether the user was set as admin.
+func ensureDefaultTeam(ctx context.Context, qtx *db.Queries, pool *pgxpool.Pool, userID pgtype.UUID, userName string) (db.Team, string, bool, error) {
+	// Try existing teams first.
+	team, role, err := loginTeam(ctx, qtx, userID)
+	if err == nil {
+		return team, role, false, nil
+	}
+	if !errors.Is(err, pgx.ErrNoRows) {
+		return db.Team{}, "", false, err
+	}
+
+	// No teams — create default team in a transaction.
+	tx, err := pool.Begin(ctx)
+	if err != nil {
+		return db.Team{}, "", false, fmt.Errorf("begin tx: %w", err)
+	}
+	defer tx.Rollback(ctx) //nolint:errcheck
+
+	txq := qtx.WithTx(tx)
+
+	// First active user to have a team becomes admin.
+	activeCount, err := txq.CountActiveUsers(ctx)
+	if err != nil {
+		return db.Team{}, "", false, fmt.Errorf("count active users: %w", err)
+	}
+	isFirstUser := activeCount == 1 // only this user is active
+
+	teamID := id.NewTeamID()
+	teamRow, err := txq.InsertTeam(ctx, db.InsertTeamParams{
+		ID:   teamID,
+		Name: userName + "'s Team",
+		Slug: id.NewTeamSlug(),
+	})
+	if err != nil {
+		return db.Team{}, "", false, fmt.Errorf("insert team: %w", err)
+	}
+
+	if err := txq.InsertTeamMember(ctx, db.InsertTeamMemberParams{
+		UserID:    userID,
+		TeamID:    teamID,
+		IsDefault: true,
+		Role:      "owner",
+	}); err != nil {
+		return db.Team{}, "", false, fmt.Errorf("insert team member: %w", err)
+	}
+
+	if isFirstUser {
+		if err := txq.SetUserAdmin(ctx, db.SetUserAdminParams{ID: userID, IsAdmin: true}); err != nil {
+			return db.Team{}, "", false, fmt.Errorf("set admin: %w", err)
+		}
+	}
+
+	if err := tx.Commit(ctx); err != nil {
+		return db.Team{}, "", false, fmt.Errorf("commit: %w", err)
+	}
+
+	return db.Team{
+		ID:        teamRow.ID,
+		Name:      teamRow.Name,
+		Slug:      teamRow.Slug,
+		IsByoc:    teamRow.IsByoc,
+		CreatedAt: teamRow.CreatedAt,
+		DeletedAt: teamRow.DeletedAt,
+	}, "owner", isFirstUser, nil
+}
+
 type switchTeamRequest struct {
 	TeamID string `json:"team_id"`
 }
 
 type authHandler struct {
-	db        *db.Queries
-	pool      *pgxpool.Pool
-	jwtSecret []byte
+	db          *db.Queries
+	pool        *pgxpool.Pool
+	jwtSecret   []byte
+	mailer      email.Mailer
+	rdb         *redis.Client
+	redirectURL string
 }
 
-func newAuthHandler(db *db.Queries, pool *pgxpool.Pool, jwtSecret []byte) *authHandler {
-	return &authHandler{db: db, pool: pool, jwtSecret: jwtSecret}
+func newAuthHandler(db *db.Queries, pool *pgxpool.Pool, jwtSecret []byte, mailer email.Mailer, rdb *redis.Client, redirectURL string) *authHandler {
+	return &authHandler{db: db, pool: pool, jwtSecret: jwtSecret, mailer: mailer, rdb: rdb, redirectURL: strings.TrimRight(redirectURL, "/")}
 }
 
 type signupRequest struct {
@@ -77,6 +161,10 @@ type loginRequest struct {
 	Password string `json:"password"`
 }
 
+type activateRequest struct {
+	Token string `json:"token"`
+}
+
 type authResponse struct {
 	Token  string `json:"token"`
 	UserID string `json:"user_id"`
@@ -85,6 +173,10 @@ type authResponse struct {
 	Name   string `json:"name"`
 }
 
+type signupResponse struct {
+	Message string `json:"message"`
+}
+
 // Signup handles POST /v1/auth/signup.
 func (h *authHandler) Signup(w http.ResponseWriter, r *http.Request) {
 	var req signupRequest
@@ -110,24 +202,41 @@ func (h *authHandler) Signup(w http.ResponseWriter, r *http.Request) {
 
 	ctx := r.Context()
 
+	// Check for existing user with this email.
+	existing, err := h.db.GetUserByEmail(ctx, req.Email)
+	if err == nil {
+		// User exists — decide what to do based on status.
+		switch existing.Status {
+		case "inactive":
+			// Unactivated user — allow re-signup after cooldown.
+			if time.Since(existing.CreatedAt.Time) < signupCooldown {
+				writeError(w, http.StatusConflict, "signup_cooldown",
+					"an activation email was recently sent to this address — please check your inbox or try again later")
+				return
+			}
+			// Cooldown passed — delete the old row and proceed with fresh signup.
+			if err := h.db.HardDeleteUser(ctx, existing.ID); err != nil {
+				writeError(w, http.StatusInternalServerError, "db_error", "failed to clean up previous signup")
+				return
+			}
+		default:
+			// active, disabled, deleted — email is taken.
+			writeError(w, http.StatusConflict, "email_taken", "an account with this email already exists")
+			return
+		}
+	} else if !errors.Is(err, pgx.ErrNoRows) {
+		writeError(w, http.StatusInternalServerError, "db_error", "failed to look up user")
+		return
+	}
+
 	passwordHash, err := auth.HashPassword(req.Password)
 	if err != nil {
 		writeError(w, http.StatusInternalServerError, "internal_error", "failed to hash password")
 		return
 	}
 
-	// Use a transaction to atomically create user + team + membership.
-	tx, err := h.pool.Begin(ctx)
-	if err != nil {
-		writeError(w, http.StatusInternalServerError, "db_error", "failed to begin transaction")
-		return
-	}
-	defer tx.Rollback(ctx) //nolint:errcheck
-
-	qtx := h.db.WithTx(tx)
-
 	userID := id.NewUserID()
-	_, err = qtx.InsertUser(ctx, db.InsertUserParams{
+	_, err = h.db.InsertUserInactive(ctx, db.InsertUserInactiveParams{
 		ID:           userID,
 		Email:        req.Email,
 		PasswordHash: pgtype.Text{String: passwordHash, Valid: true},
@@ -143,44 +252,111 @@ func (h *authHandler) Signup(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	// Create default team.
-	teamID := id.NewTeamID()
-	if _, err := qtx.InsertTeam(ctx, db.InsertTeamParams{
-		ID:   teamID,
-		Name: req.Name + "'s Team",
-		Slug: id.NewTeamSlug(),
+	// Generate activation token and store in Redis.
+	rawToken := generateActivationToken()
+	tokenHash := hashActivationToken(rawToken)
+	redisKey := activationKeyPrefix + tokenHash
+
+	if err := h.rdb.Set(ctx, redisKey, id.FormatUserID(userID), activationTTL).Err(); err != nil {
+		slog.Error("signup: failed to store activation token in redis", "error", err)
+		writeError(w, http.StatusInternalServerError, "internal_error", "failed to create activation token")
+		return
+	}
+
+	activateURL := h.redirectURL + "/activate?token=" + rawToken
+	go func() {
+		sendCtx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
+		defer cancel()
+		if err := h.mailer.Send(sendCtx, req.Email, "Activate your Wrenn account", email.EmailData{
+			RecipientName: req.Name,
+			Message:       "Welcome to Wrenn! Click the button below to activate your account. This link expires in 30 minutes.",
+			Button:        &email.Button{Text: "Activate Account", URL: activateURL},
+			Closing:       "If you didn't create this account, you can safely ignore this email.",
+		}); err != nil {
+			slog.Warn("signup: failed to send activation email", "email", req.Email, "error", err)
+		}
+	}()
+
+	writeJSON(w, http.StatusCreated, signupResponse{
+		Message: "Account created. Please check your email to activate your account.",
+	})
+}
+
+// Activate handles POST /v1/auth/activate.
+func (h *authHandler) Activate(w http.ResponseWriter, r *http.Request) {
+	var req activateRequest
+	if err := decodeJSON(r, &req); err != nil {
+		writeError(w, http.StatusBadRequest, "invalid_request", "invalid JSON body")
+		return
+	}
+
+	if req.Token == "" {
+		writeError(w, http.StatusBadRequest, "invalid_request", "token is required")
+		return
+	}
+
+	ctx := r.Context()
+	tokenHash := hashActivationToken(req.Token)
+	redisKey := activationKeyPrefix + tokenHash
+
+	userIDStr, err := h.rdb.GetDel(ctx, redisKey).Result()
+	if errors.Is(err, redis.Nil) {
+		writeError(w, http.StatusBadRequest, "invalid_token", "activation link is invalid or has expired")
+		return
+	}
+	if err != nil {
+		writeError(w, http.StatusInternalServerError, "internal_error", "failed to verify token")
+		return
+	}
+
+	userID, err := id.ParseUserID(userIDStr)
+	if err != nil {
+		writeError(w, http.StatusInternalServerError, "internal_error", "invalid stored user ID")
+		return
+	}
+
+	user, err := h.db.GetUserByID(ctx, userID)
+	if err != nil {
+		writeError(w, http.StatusInternalServerError, "db_error", "failed to get user")
+		return
+	}
+
+	if user.Status != "inactive" {
+		writeError(w, http.StatusBadRequest, "already_activated", "this account has already been activated")
+		return
+	}
+
+	// Activate the user.
+	if err := h.db.SetUserStatus(ctx, db.SetUserStatusParams{
+		ID:     userID,
+		Status: "active",
 	}); err != nil {
-		writeError(w, http.StatusInternalServerError, "db_error", "failed to create team")
+		slog.Error("activate: failed to set user status", "user_id", id.FormatUserID(userID), "error", err)
+		writeError(w, http.StatusInternalServerError, "db_error", "failed to activate user")
 		return
 	}
 
-	if err := qtx.InsertTeamMember(ctx, db.InsertTeamMemberParams{
-		UserID:    userID,
-		TeamID:    teamID,
-		IsDefault: true,
-		Role:      "owner",
-	}); err != nil {
-		writeError(w, http.StatusInternalServerError, "db_error", "failed to add user to team")
+	// Create default team and log them in.
+	team, role, isFirstUser, err := ensureDefaultTeam(ctx, h.db, h.pool, userID, user.Name)
+	if err != nil {
+		slog.Error("activate: failed to create default team", "error", err)
+		writeError(w, http.StatusInternalServerError, "db_error", "failed to set up account")
 		return
 	}
 
-	if err := tx.Commit(ctx); err != nil {
-		writeError(w, http.StatusInternalServerError, "db_error", "failed to commit signup")
-		return
-	}
-
-	token, err := auth.SignJWT(h.jwtSecret, userID, teamID, req.Email, req.Name, "owner", false)
+	isAdmin := user.IsAdmin || isFirstUser
+	token, err := auth.SignJWT(h.jwtSecret, userID, team.ID, user.Email, user.Name, role, isAdmin)
 	if err != nil {
 		writeError(w, http.StatusInternalServerError, "internal_error", "failed to generate token")
 		return
 	}
 
-	writeJSON(w, http.StatusCreated, authResponse{
+	writeJSON(w, http.StatusOK, authResponse{
 		Token:  token,
 		UserID: id.FormatUserID(userID),
-		TeamID: id.FormatTeamID(teamID),
-		Email:  req.Email,
-		Name:   req.Name,
+		TeamID: id.FormatTeamID(team.ID),
+		Email:  user.Email,
+		Name:   user.Name,
 	})
 }
 
@@ -222,17 +398,36 @@ func (h *authHandler) Login(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	team, role, err := loginTeam(ctx, h.db, user.ID)
+	switch user.Status {
+	case "active":
+		// OK — proceed.
+	case "inactive":
+		slog.Warn("login failed: account not activated", "email", req.Email, "ip", r.RemoteAddr)
+		writeError(w, http.StatusForbidden, "account_not_activated", "please check your email and activate your account before signing in")
+		return
+	case "disabled":
+		slog.Warn("login failed: account disabled", "email", req.Email, "ip", r.RemoteAddr)
+		writeError(w, http.StatusForbidden, "account_disabled", "your account has been deactivated — contact your administrator to regain access")
+		return
+	case "deleted":
+		slog.Warn("login failed: account deleted", "email", req.Email, "ip", r.RemoteAddr)
+		writeError(w, http.StatusUnauthorized, "unauthorized", "invalid email or password")
+		return
+	default:
+		writeError(w, http.StatusUnauthorized, "unauthorized", "invalid email or password")
+		return
+	}
+
+	// Ensure user has a default team (creates one on first login after activation).
+	team, role, isFirstUser, err := ensureDefaultTeam(ctx, h.db, h.pool, user.ID, user.Name)
 	if err != nil {
-		if errors.Is(err, pgx.ErrNoRows) {
-			writeError(w, http.StatusForbidden, "no_team", "user is not a member of any team")
-			return
-		}
+		slog.Error("login: failed to ensure default team", "error", err)
 		writeError(w, http.StatusInternalServerError, "db_error", "failed to look up team")
 		return
 	}
 
-	token, err := auth.SignJWT(h.jwtSecret, user.ID, team.ID, user.Email, user.Name, role, user.IsAdmin)
+	isAdmin := user.IsAdmin || isFirstUser
+	token, err := auth.SignJWT(h.jwtSecret, user.ID, team.ID, user.Email, user.Name, role, isAdmin)
 	if err != nil {
 		writeError(w, http.StatusInternalServerError, "internal_error", "failed to generate token")
 		return
@@ -322,3 +517,18 @@ func (h *authHandler) SwitchTeam(w http.ResponseWriter, r *http.Request) {
 		Name:   user.Name,
 	})
 }
+
+// --- helpers ---
+
+func generateActivationToken() string {
+	b := make([]byte, 16)
+	if _, err := rand.Read(b); err != nil {
+		panic(fmt.Sprintf("crypto/rand failed: %v", err))
+	}
+	return hex.EncodeToString(b)
+}
+
+func hashActivationToken(raw string) string {
+	h := sha256.Sum256([]byte(raw))
+	return hex.EncodeToString(h[:])
+}
diff --git a/internal/api/handlers_builds.go b/internal/api/handlers_builds.go
index bd3260e..5228420 100644
--- a/internal/api/handlers_builds.go
+++ b/internal/api/handlers_builds.go
@@ -3,19 +3,21 @@ package api
 import (
 	"encoding/json"
 	"fmt"
+	"io"
 	"log/slog"
 	"net/http"
+	"strings"
 	"time"
 
 	"connectrpc.com/connect"
 	"github.com/go-chi/chi/v5"
 
-	"git.omukk.dev/wrenn/wrenn/internal/db"
-	"git.omukk.dev/wrenn/wrenn/internal/id"
 	"git.omukk.dev/wrenn/wrenn/internal/layout"
-	"git.omukk.dev/wrenn/wrenn/internal/lifecycle"
-	"git.omukk.dev/wrenn/wrenn/internal/service"
-	"git.omukk.dev/wrenn/wrenn/internal/validate"
+	"git.omukk.dev/wrenn/wrenn/pkg/db"
+	"git.omukk.dev/wrenn/wrenn/pkg/id"
+	"git.omukk.dev/wrenn/wrenn/pkg/lifecycle"
+	"git.omukk.dev/wrenn/wrenn/pkg/service"
+	"git.omukk.dev/wrenn/wrenn/pkg/validate"
 	pb "git.omukk.dev/wrenn/wrenn/proto/hostagent/gen"
 )
 
@@ -54,6 +56,8 @@ type buildResponse struct {
 	Error        *string         `json:"error,omitempty"`
 	SandboxID    *string         `json:"sandbox_id,omitempty"`
 	HostID       *string         `json:"host_id,omitempty"`
+	DefaultUser  string          `json:"default_user"`
+	DefaultEnv   json.RawMessage `json:"default_env"`
 	CreatedAt    string          `json:"created_at"`
 	StartedAt    *string         `json:"started_at,omitempty"`
 	CompletedAt  *string         `json:"completed_at,omitempty"`
@@ -71,6 +75,8 @@ func buildToResponse(b db.TemplateBuild) buildResponse {
 		CurrentStep:  b.CurrentStep,
 		TotalSteps:   b.TotalSteps,
 		Logs:         b.Logs,
+		DefaultUser:  b.DefaultUser,
+		DefaultEnv:   b.DefaultEnv,
 	}
 	if b.Healthcheck != "" {
 		resp.Healthcheck = &b.Healthcheck
@@ -101,11 +107,54 @@ func buildToResponse(b db.TemplateBuild) buildResponse {
 }
 
 // Create handles POST /v1/admin/builds.
+// Accepts either JSON body or multipart/form-data with a "config" JSON part
+// and an optional "archive" file part (tar/tar.gz/zip for COPY commands).
 func (h *buildHandler) Create(w http.ResponseWriter, r *http.Request) {
 	var req createBuildRequest
-	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
-		writeError(w, http.StatusBadRequest, "invalid_request", "invalid JSON body")
-		return
+	var archive []byte
+	var archiveName string
+
+	ct := r.Header.Get("Content-Type")
+	if strings.HasPrefix(ct, "multipart/") {
+		// 100 MB max for multipart (archive + JSON config).
+		if err := r.ParseMultipartForm(100 << 20); err != nil {
+			writeError(w, http.StatusBadRequest, "invalid_request", "failed to parse multipart form")
+			return
+		}
+
+		// Parse JSON config from "config" field.
+		configStr := r.FormValue("config")
+		if configStr == "" {
+			writeError(w, http.StatusBadRequest, "invalid_request", "multipart form requires a 'config' JSON field")
+			return
+		}
+		if err := json.Unmarshal([]byte(configStr), &req); err != nil {
+			writeError(w, http.StatusBadRequest, "invalid_request", "invalid config JSON in multipart form")
+			return
+		}
+
+		// Read optional archive file (max 100 MB).
+		file, header, err := r.FormFile("archive")
+		if err == nil {
+			defer file.Close()
+			const maxArchiveSize = 100 << 20 // 100 MB
+			lr := io.LimitReader(file, maxArchiveSize+1)
+			archive, err = io.ReadAll(lr)
+			if err != nil {
+				writeError(w, http.StatusBadRequest, "invalid_request", "failed to read archive file")
+				return
+			}
+			if int64(len(archive)) > maxArchiveSize {
+				writeError(w, http.StatusRequestEntityTooLarge, "invalid_request", "archive exceeds 100 MB limit")
+				return
+			}
+			archiveName = header.Filename
+		}
+	} else {
+		if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+			writeError(w, http.StatusBadRequest, "invalid_request", "invalid JSON body")
+			return
+		}
 	}
 
 	if req.Name == "" {
@@ -129,6 +178,8 @@ func (h *buildHandler) Create(w http.ResponseWriter, r *http.Request) {
 		VCPUs:        req.VCPUs,
 		MemoryMB:     req.MemoryMB,
 		SkipPrePost:  req.SkipPrePost,
+		Archive:      archive,
+		ArchiveName:  archiveName,
 	})
 	if err != nil {
 		slog.Error("failed to create build", "error", err)
diff --git a/internal/api/handlers_channels.go b/internal/api/handlers_channels.go
index 9da20e0..a221e31 100644
--- a/internal/api/handlers_channels.go
+++ b/internal/api/handlers_channels.go
@@ -8,11 +8,11 @@ import (
 	"github.com/go-chi/chi/v5"
 	"github.com/jackc/pgx/v5"
 
-	"git.omukk.dev/wrenn/wrenn/internal/audit"
-	"git.omukk.dev/wrenn/wrenn/internal/auth"
-	"git.omukk.dev/wrenn/wrenn/internal/channels"
-	"git.omukk.dev/wrenn/wrenn/internal/db"
-	"git.omukk.dev/wrenn/wrenn/internal/id"
+	"git.omukk.dev/wrenn/wrenn/pkg/audit"
+	"git.omukk.dev/wrenn/wrenn/pkg/auth"
+	"git.omukk.dev/wrenn/wrenn/pkg/channels"
+	"git.omukk.dev/wrenn/wrenn/pkg/db"
+	"git.omukk.dev/wrenn/wrenn/pkg/id"
 )
 
 type channelHandler struct {
diff --git a/internal/api/handlers_exec.go b/internal/api/handlers_exec.go
index 87abf07..8e94da7 100644
--- a/internal/api/handlers_exec.go
+++ b/internal/api/handlers_exec.go
@@ -12,10 +12,10 @@ import (
 	"github.com/go-chi/chi/v5"
 	"github.com/jackc/pgx/v5/pgtype"
 
-	"git.omukk.dev/wrenn/wrenn/internal/auth"
-	"git.omukk.dev/wrenn/wrenn/internal/db"
-	"git.omukk.dev/wrenn/wrenn/internal/id"
-	"git.omukk.dev/wrenn/wrenn/internal/lifecycle"
+	"git.omukk.dev/wrenn/wrenn/pkg/auth"
+	"git.omukk.dev/wrenn/wrenn/pkg/db"
+	"git.omukk.dev/wrenn/wrenn/pkg/id"
+	"git.omukk.dev/wrenn/wrenn/pkg/lifecycle"
 	pb "git.omukk.dev/wrenn/wrenn/proto/hostagent/gen"
 )
 
@@ -29,9 +29,13 @@ func newExecHandler(db *db.Queries, pool *lifecycle.HostClientPool) *execHandler
 }
 
 type execRequest struct {
-	Cmd        string   `json:"cmd"`
-	Args       []string `json:"args"`
-	TimeoutSec int32    `json:"timeout_sec"`
+	Cmd        string            `json:"cmd"`
+	Args       []string          `json:"args"`
+	TimeoutSec int32             `json:"timeout_sec"`
+	Background bool              `json:"background"`
+	Tag        string            `json:"tag"`
+	Envs       map[string]string `json:"envs"`
+	Cwd        string            `json:"cwd"`
 }
 
 type execResponse struct {
@@ -45,7 +49,14 @@ type execResponse struct {
 	Encoding string `json:"encoding"`
 }
 
-// Exec handles POST /v1/sandboxes/{id}/exec.
+type backgroundExecResponse struct {
+	SandboxID string `json:"sandbox_id"`
+	Cmd       string `json:"cmd"`
+	PID       uint32 `json:"pid"`
+	Tag       string `json:"tag"`
+}
+
+// Exec handles POST /v1/capsules/{id}/exec.
 func (h *execHandler) Exec(w http.ResponseWriter, r *http.Request) {
 	sandboxIDStr := chi.URLParam(r, "id")
 	ctx := r.Context()
@@ -78,14 +89,54 @@ func (h *execHandler) Exec(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	start := time.Now()
-
 	agent, err := agentForHost(ctx, h.db, h.pool, sb.HostID)
 	if err != nil {
 		writeError(w, http.StatusServiceUnavailable, "host_unavailable", "sandbox host is not reachable")
 		return
 	}
 
+	// Background mode: start process and return immediately.
+	if req.Background {
+		tag := req.Tag
+		if tag == "" {
+			tag = "proc-" + id.NewPtyTag()
+		}
+
+		bgResp, err := agent.StartBackground(ctx, connect.NewRequest(&pb.StartBackgroundRequest{
+			SandboxId: sandboxIDStr,
+			Tag:       tag,
+			Cmd:       req.Cmd,
+			Args:      req.Args,
+			Envs:      req.Envs,
+			Cwd:       req.Cwd,
+		}))
+		if err != nil {
+			status, code, msg := agentErrToHTTP(err)
+			writeError(w, status, code, msg)
+			return
+		}
+
+		if err := h.db.UpdateLastActive(ctx, db.UpdateLastActiveParams{
+			ID: sandboxID,
+			LastActiveAt: pgtype.Timestamptz{
+				Time:  time.Now(),
+				Valid: true,
+			},
+		}); err != nil {
+			slog.Warn("failed to update last_active_at", "id", sandboxIDStr, "error", err)
+		}
+
+		writeJSON(w, http.StatusAccepted, backgroundExecResponse{
+			SandboxID: sandboxIDStr,
+			Cmd:       req.Cmd,
+			PID:       bgResp.Msg.Pid,
+			Tag:       bgResp.Msg.Tag,
+		})
+		return
+	}
+
+	start := time.Now()
+
 	resp, err := agent.Exec(ctx, connect.NewRequest(&pb.ExecRequest{
 		SandboxId:  sandboxIDStr,
 		Cmd:        req.Cmd,
diff --git a/internal/api/handlers_exec_stream.go b/internal/api/handlers_exec_stream.go
index 137885c..c8b101f 100644
--- a/internal/api/handlers_exec_stream.go
+++ b/internal/api/handlers_exec_stream.go
@@ -12,20 +12,21 @@ import (
 	"github.com/gorilla/websocket"
 	"github.com/jackc/pgx/v5/pgtype"
 
-	"git.omukk.dev/wrenn/wrenn/internal/auth"
-	"git.omukk.dev/wrenn/wrenn/internal/db"
-	"git.omukk.dev/wrenn/wrenn/internal/id"
-	"git.omukk.dev/wrenn/wrenn/internal/lifecycle"
+	"git.omukk.dev/wrenn/wrenn/pkg/auth"
+	"git.omukk.dev/wrenn/wrenn/pkg/db"
+	"git.omukk.dev/wrenn/wrenn/pkg/id"
+	"git.omukk.dev/wrenn/wrenn/pkg/lifecycle"
 	pb "git.omukk.dev/wrenn/wrenn/proto/hostagent/gen"
 )
 
 type execStreamHandler struct {
-	db   *db.Queries
-	pool *lifecycle.HostClientPool
+	db        *db.Queries
+	pool      *lifecycle.HostClientPool
+	jwtSecret []byte
 }
 
-func newExecStreamHandler(db *db.Queries, pool *lifecycle.HostClientPool) *execStreamHandler {
-	return &execStreamHandler{db: db, pool: pool}
+func newExecStreamHandler(db *db.Queries, pool *lifecycle.HostClientPool, jwtSecret []byte) *execStreamHandler {
+	return &execStreamHandler{db: db, pool: pool, jwtSecret: jwtSecret}
 }
 
 var upgrader = websocket.Upgrader{
@@ -47,11 +48,10 @@ type wsOutMsg struct {
 	ExitCode *int32 `json:"exit_code,omitempty"` // only for "exit"
 }
 
-// ExecStream handles WS /v1/sandboxes/{id}/exec/stream.
+// ExecStream handles WS /v1/capsules/{id}/exec/stream.
 func (h *execStreamHandler) ExecStream(w http.ResponseWriter, r *http.Request) {
 	sandboxIDStr := chi.URLParam(r, "id")
 	ctx := r.Context()
-	ac := auth.MustFromContext(ctx)
 
 	sandboxID, err := id.ParseSandboxID(sandboxIDStr)
 	if err != nil {
@@ -59,13 +59,31 @@ func (h *execStreamHandler) ExecStream(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	sb, err := h.db.GetSandboxByTeam(ctx, db.GetSandboxByTeamParams{ID: sandboxID, TeamID: ac.TeamID})
-	if err != nil {
-		writeError(w, http.StatusNotFound, "not_found", "sandbox not found")
-		return
-	}
-	if sb.Status != "running" {
-		writeError(w, http.StatusConflict, "invalid_state", "sandbox is not running (status: "+sb.Status+")")
+	// Authenticate: use context from middleware (API key) or WS first message (JWT).
+	ac, hasAuth := auth.FromContext(ctx)
+
+	if !hasAuth {
+		conn, err := upgrader.Upgrade(w, r, nil)
+		if err != nil {
+			slog.Error("websocket upgrade failed", "error", err)
+			return
+		}
+		defer conn.Close()
+
+		var wsAC auth.AuthContext
+		var authErr error
+		if isAdminWSRoute(ctx) {
+			wsAC, authErr = wsAuthenticateAdmin(ctx, conn, h.jwtSecret, h.db)
+		} else {
+			wsAC, authErr = wsAuthenticate(ctx, conn, h.jwtSecret, h.db)
+		}
+		if authErr != nil {
+			sendWSError(conn, "authentication failed")
+			return
+		}
+		ac = wsAC
+
+		h.runExecStream(ctx, conn, ac, sandboxID, sandboxIDStr)
 		return
 	}
 
@@ -76,6 +94,20 @@ func (h *execStreamHandler) ExecStream(w http.ResponseWriter, r *http.Request) {
 	}
 	defer conn.Close()
 
+	h.runExecStream(ctx, conn, ac, sandboxID, sandboxIDStr)
+}
+
+func (h *execStreamHandler) runExecStream(ctx context.Context, conn *websocket.Conn, ac auth.AuthContext, sandboxID pgtype.UUID, sandboxIDStr string) {
+	sb, err := h.db.GetSandboxByTeam(ctx, db.GetSandboxByTeamParams{ID: sandboxID, TeamID: ac.TeamID})
+	if err != nil {
+		sendWSError(conn, "sandbox not found")
+		return
+	}
+	if sb.Status != "running" {
+		sendWSError(conn, "sandbox is not running (status: "+sb.Status+")")
+		return
+	}
+
 	// Read the start message.
 	var startMsg wsStartMsg
 	if err := conn.ReadJSON(&startMsg); err != nil {
diff --git a/internal/api/handlers_files.go b/internal/api/handlers_files.go
index 5dd2006..f69c8f1 100644
--- a/internal/api/handlers_files.go
+++ b/internal/api/handlers_files.go
@@ -9,10 +9,10 @@ import (
 	"connectrpc.com/connect"
 	"github.com/go-chi/chi/v5"
 
-	"git.omukk.dev/wrenn/wrenn/internal/auth"
-	"git.omukk.dev/wrenn/wrenn/internal/db"
-	"git.omukk.dev/wrenn/wrenn/internal/id"
-	"git.omukk.dev/wrenn/wrenn/internal/lifecycle"
+	"git.omukk.dev/wrenn/wrenn/pkg/auth"
+	"git.omukk.dev/wrenn/wrenn/pkg/db"
+	"git.omukk.dev/wrenn/wrenn/pkg/id"
+	"git.omukk.dev/wrenn/wrenn/pkg/lifecycle"
 	pb "git.omukk.dev/wrenn/wrenn/proto/hostagent/gen"
 )
 
@@ -25,7 +25,7 @@ func newFilesHandler(db *db.Queries, pool *lifecycle.HostClientPool) *filesHandl
 	return &filesHandler{db: db, pool: pool}
 }
 
-// Upload handles POST /v1/sandboxes/{id}/files/write.
+// Upload handles POST /v1/capsules/{id}/files/write.
 // Expects multipart/form-data with:
 //   - "path" text field: absolute destination path inside the sandbox
 //   - "file" file field: binary content to write
@@ -105,7 +105,7 @@ type readFileRequest struct {
 	Path string `json:"path"`
 }
 
-// Download handles POST /v1/sandboxes/{id}/files/read.
+// Download handles POST /v1/capsules/{id}/files/read.
 // Accepts JSON body with path, returns raw file content with Content-Disposition.
 func (h *filesHandler) Download(w http.ResponseWriter, r *http.Request) {
 	sandboxIDStr := chi.URLParam(r, "id")
diff --git a/internal/api/handlers_files_stream.go b/internal/api/handlers_files_stream.go
index 99066b4..88377ae 100644
--- a/internal/api/handlers_files_stream.go
+++ b/internal/api/handlers_files_stream.go
@@ -10,10 +10,10 @@ import (
 	"connectrpc.com/connect"
 	"github.com/go-chi/chi/v5"
 
-	"git.omukk.dev/wrenn/wrenn/internal/auth"
-	"git.omukk.dev/wrenn/wrenn/internal/db"
-	"git.omukk.dev/wrenn/wrenn/internal/id"
-	"git.omukk.dev/wrenn/wrenn/internal/lifecycle"
+	"git.omukk.dev/wrenn/wrenn/pkg/auth"
+	"git.omukk.dev/wrenn/wrenn/pkg/db"
+	"git.omukk.dev/wrenn/wrenn/pkg/id"
+	"git.omukk.dev/wrenn/wrenn/pkg/lifecycle"
 	pb "git.omukk.dev/wrenn/wrenn/proto/hostagent/gen"
 )
 
@@ -26,7 +26,7 @@ func newFilesStreamHandler(db *db.Queries, pool *lifecycle.HostClientPool) *file
 	return &filesStreamHandler{db: db, pool: pool}
 }
 
-// StreamUpload handles POST /v1/sandboxes/{id}/files/stream/write.
+// StreamUpload handles POST /v1/capsules/{id}/files/stream/write.
 // Expects multipart/form-data with "path" text field and "file" file field.
 // Streams file content directly from the request body to the host agent without buffering.
 func (h *filesStreamHandler) StreamUpload(w http.ResponseWriter, r *http.Request) {
@@ -150,7 +150,7 @@ func (h *filesStreamHandler) StreamUpload(w http.ResponseWriter, r *http.Request
 	w.WriteHeader(http.StatusNoContent)
 }
 
-// StreamDownload handles POST /v1/sandboxes/{id}/files/stream/read.
+// StreamDownload handles POST /v1/capsules/{id}/files/stream/read.
 // Accepts JSON body with path, streams file content back without buffering.
 func (h *filesStreamHandler) StreamDownload(w http.ResponseWriter, r *http.Request) {
 	sandboxIDStr := chi.URLParam(r, "id")
diff --git a/internal/api/handlers_fs.go b/internal/api/handlers_fs.go
new file mode 100644
index 0000000..cfdd6a7
--- /dev/null
+++ b/internal/api/handlers_fs.go
@@ -0,0 +1,236 @@
+package api
+
+import (
+	"net/http"
+
+	"connectrpc.com/connect"
+	"github.com/go-chi/chi/v5"
+
+	"git.omukk.dev/wrenn/wrenn/pkg/auth"
+	"git.omukk.dev/wrenn/wrenn/pkg/db"
+	"git.omukk.dev/wrenn/wrenn/pkg/id"
+	"git.omukk.dev/wrenn/wrenn/pkg/lifecycle"
+	pb "git.omukk.dev/wrenn/wrenn/proto/hostagent/gen"
+)
+
+type fsHandler struct {
+	db   *db.Queries
+	pool *lifecycle.HostClientPool
+}
+
+func newFSHandler(db *db.Queries, pool *lifecycle.HostClientPool) *fsHandler {
+	return &fsHandler{db: db, pool: pool}
+}
+
+type listDirRequest struct {
+	Path  string `json:"path"`
+	Depth uint32 `json:"depth"`
+}
+
+type fileEntryResponse struct {
+	Name          string  `json:"name"`
+	Path          string  `json:"path"`
+	Type          string  `json:"type"`
+	Size          int64   `json:"size"`
+	Mode          uint32  `json:"mode"`
+	Permissions   string  `json:"permissions"`
+	Owner         string  `json:"owner"`
+	Group         string  `json:"group"`
+	ModifiedAt    int64   `json:"modified_at"`
+	SymlinkTarget *string `json:"symlink_target,omitempty"`
+}
+
+type listDirResponse struct {
+	Entries []fileEntryResponse `json:"entries"`
+}
+
+type makeDirRequest struct {
+	Path string `json:"path"`
+}
+
+type makeDirResponse struct {
+	Entry fileEntryResponse `json:"entry"`
+}
+
+type removeRequest struct {
+	Path string `json:"path"`
+}
+
+// ListDir handles POST /v1/capsules/{id}/files/list.
+func (h *fsHandler) ListDir(w http.ResponseWriter, r *http.Request) {
+	sandboxIDStr := chi.URLParam(r, "id")
+	ctx := r.Context()
+	ac := auth.MustFromContext(ctx)
+
+	sandboxID, err := id.ParseSandboxID(sandboxIDStr)
+	if err != nil {
+		writeError(w, http.StatusBadRequest, "invalid_request", "invalid sandbox ID")
+		return
+	}
+
+	sb, err := h.db.GetSandboxByTeam(ctx, db.GetSandboxByTeamParams{ID: sandboxID, TeamID: ac.TeamID})
+	if err != nil {
+		writeError(w, http.StatusNotFound, "not_found", "sandbox not found")
+		return
+	}
+	if sb.Status != "running" {
+		writeError(w, http.StatusConflict, "invalid_state", "sandbox is not running")
+		return
+	}
+
+	var req listDirRequest
+	if err := decodeJSON(r, &req); err != nil {
+		writeError(w, http.StatusBadRequest, "invalid_request", "invalid JSON body")
+		return
+	}
+	if req.Path == "" {
+		writeError(w, http.StatusBadRequest, "invalid_request", "path is required")
+		return
+	}
+
+	agent, err := agentForHost(ctx, h.db, h.pool, sb.HostID)
+	if err != nil {
+		writeError(w, http.StatusServiceUnavailable, "host_unavailable", "sandbox host is not reachable")
+		return
+	}
+
+	resp, err := agent.ListDir(ctx, connect.NewRequest(&pb.ListDirRequest{
+		SandboxId: sandboxIDStr,
+		Path:      req.Path,
+		Depth:     req.Depth,
+	}))
+	if err != nil {
+		status, code, msg := agentErrToHTTP(err)
+		writeError(w, status, code, msg)
+		return
+	}
+
+	entries := make([]fileEntryResponse, 0, len(resp.Msg.Entries))
+	for _, e := range resp.Msg.Entries {
+		entries = append(entries, fileEntryFromPB(e))
+	}
+
+	writeJSON(w, http.StatusOK, listDirResponse{Entries: entries})
+}
+
+// MakeDir handles POST /v1/capsules/{id}/files/mkdir.
+func (h *fsHandler) MakeDir(w http.ResponseWriter, r *http.Request) {
+	sandboxIDStr := chi.URLParam(r, "id")
+	ctx := r.Context()
+	ac := auth.MustFromContext(ctx)
+
+	sandboxID, err := id.ParseSandboxID(sandboxIDStr)
+	if err != nil {
+		writeError(w, http.StatusBadRequest, "invalid_request", "invalid sandbox ID")
+		return
+	}
+
+	sb, err := h.db.GetSandboxByTeam(ctx, db.GetSandboxByTeamParams{ID: sandboxID, TeamID: ac.TeamID})
+	if err != nil {
+		writeError(w, http.StatusNotFound, "not_found", "sandbox not found")
+		return
+	}
+	if sb.Status != "running" {
+		writeError(w, http.StatusConflict, "invalid_state", "sandbox is not running")
+		return
+	}
+
+	var req makeDirRequest
+	if err := decodeJSON(r, &req); err != nil {
+		writeError(w, http.StatusBadRequest, "invalid_request", "invalid JSON body")
+		return
+	}
+	if req.Path == "" {
+		writeError(w, http.StatusBadRequest, "invalid_request", "path is required")
+		return
+	}
+
+	agent, err := agentForHost(ctx, h.db, h.pool, sb.HostID)
+	if err != nil {
+		writeError(w, http.StatusServiceUnavailable, "host_unavailable", "sandbox host is not reachable")
+		return
+	}
+
+	resp, err := agent.MakeDir(ctx, connect.NewRequest(&pb.MakeDirRequest{
+		SandboxId: sandboxIDStr,
+		Path:      req.Path,
+	}))
+	if err != nil {
+		status, code, msg := agentErrToHTTP(err)
+		writeError(w, status, code, msg)
+		return
+	}
+
+	writeJSON(w, http.StatusOK, makeDirResponse{Entry: fileEntryFromPB(resp.Msg.Entry)})
+}
+
+// Remove handles POST /v1/capsules/{id}/files/remove.
+func (h *fsHandler) Remove(w http.ResponseWriter, r *http.Request) {
+	sandboxIDStr := chi.URLParam(r, "id")
+	ctx := r.Context()
+	ac := auth.MustFromContext(ctx)
+
+	sandboxID, err := id.ParseSandboxID(sandboxIDStr)
+	if err != nil {
+		writeError(w, http.StatusBadRequest, "invalid_request", "invalid sandbox ID")
+		return
+	}
+
+	sb, err := h.db.GetSandboxByTeam(ctx, db.GetSandboxByTeamParams{ID: sandboxID, TeamID: ac.TeamID})
+	if err != nil {
+		writeError(w, http.StatusNotFound, "not_found", "sandbox not found")
+		return
+	}
+	if sb.Status != "running" {
+		writeError(w, http.StatusConflict, "invalid_state", "sandbox is not running")
+		return
+	}
+
+	var req removeRequest
+	if err := decodeJSON(r, &req); err != nil {
+		writeError(w, http.StatusBadRequest, "invalid_request", "invalid JSON body")
+		return
+	}
+	if req.Path == "" {
+		writeError(w, http.StatusBadRequest, "invalid_request", "path is required")
+		return
+	}
+
+	agent, err := agentForHost(ctx, h.db, h.pool, sb.HostID)
+	if err != nil {
+		writeError(w, http.StatusServiceUnavailable, "host_unavailable", "sandbox host is not reachable")
+		return
+	}
+
+	if _, err := agent.RemovePath(ctx, connect.NewRequest(&pb.RemovePathRequest{
+		SandboxId: sandboxIDStr,
+		Path:      req.Path,
+	})); err != nil {
+		status, code, msg := agentErrToHTTP(err)
+		writeError(w, status, code, msg)
+		return
+	}
+
+	w.WriteHeader(http.StatusNoContent)
+}
+
+func fileEntryFromPB(e *pb.FileEntry) fileEntryResponse {
+	if e == nil {
+		return fileEntryResponse{}
+	}
+	resp := fileEntryResponse{
+		Name:        e.Name,
+		Path:        e.Path,
+		Type:        e.Type,
+		Size:        e.Size,
+		Mode:        e.Mode,
+		Permissions: e.Permissions,
+		Owner:       e.Owner,
+		Group:       e.Group,
+		ModifiedAt:  e.ModifiedAt,
+	}
+	if e.SymlinkTarget != nil {
+		resp.SymlinkTarget = e.SymlinkTarget
+	}
+	return resp
+}
diff --git a/internal/api/handlers_hosts.go b/internal/api/handlers_hosts.go
index 51aa833..9536197 100644
--- a/internal/api/handlers_hosts.go
+++ b/internal/api/handlers_hosts.go
@@ -10,11 +10,11 @@ import (
 
 	"github.com/jackc/pgx/v5/pgtype"
 
-	"git.omukk.dev/wrenn/wrenn/internal/audit"
-	"git.omukk.dev/wrenn/wrenn/internal/auth"
-	"git.omukk.dev/wrenn/wrenn/internal/db"
-	"git.omukk.dev/wrenn/wrenn/internal/id"
-	"git.omukk.dev/wrenn/wrenn/internal/service"
+	"git.omukk.dev/wrenn/wrenn/pkg/audit"
+	"git.omukk.dev/wrenn/wrenn/pkg/auth"
+	"git.omukk.dev/wrenn/wrenn/pkg/db"
+	"git.omukk.dev/wrenn/wrenn/pkg/id"
+	"git.omukk.dev/wrenn/wrenn/pkg/service"
 )
 
 type hostHandler struct {
diff --git a/internal/api/handlers_me.go b/internal/api/handlers_me.go
new file mode 100644
index 0000000..15aa0bb
--- /dev/null
+++ b/internal/api/handlers_me.go
@@ -0,0 +1,585 @@
+package api
+
+import (
+	"context"
+	"crypto/rand"
+	"crypto/sha256"
+	"encoding/hex"
+	"errors"
+	"fmt"
+	"log/slog"
+	"net/http"
+	"strings"
+	"time"
+
+	"github.com/go-chi/chi/v5"
+	"github.com/jackc/pgx/v5/pgtype"
+	"github.com/jackc/pgx/v5/pgxpool"
+	"github.com/redis/go-redis/v9"
+
+	"git.omukk.dev/wrenn/wrenn/internal/email"
+	"git.omukk.dev/wrenn/wrenn/pkg/auth"
+	"git.omukk.dev/wrenn/wrenn/pkg/auth/oauth"
+	"git.omukk.dev/wrenn/wrenn/pkg/db"
+	"git.omukk.dev/wrenn/wrenn/pkg/id"
+	"git.omukk.dev/wrenn/wrenn/pkg/service"
+)
+
+const (
+	passwordResetKeyPrefix = "wrenn:password_reset:"
+	passwordResetTTL       = 15 * time.Minute
+)
+
+type meHandler struct {
+	db            *db.Queries
+	pool          *pgxpool.Pool
+	rdb           *redis.Client
+	jwtSecret     []byte
+	mailer        email.Mailer
+	oauthRegistry *oauth.Registry
+	redirectURL   string
+	teamSvc       *service.TeamService
+}
+
+func newMeHandler(
+	db *db.Queries,
+	pool *pgxpool.Pool,
+	rdb *redis.Client,
+	jwtSecret []byte,
+	mailer email.Mailer,
+	registry *oauth.Registry,
+	redirectURL string,
+	teamSvc *service.TeamService,
+) *meHandler {
+	return &meHandler{
+		db:            db,
+		pool:          pool,
+		rdb:           rdb,
+		jwtSecret:     jwtSecret,
+		mailer:        mailer,
+		oauthRegistry: registry,
+		redirectURL:   strings.TrimRight(redirectURL, "/"),
+		teamSvc:       teamSvc,
+	}
+}
+
+type meResponse struct {
+	Name        string   `json:"name"`
+	Email       string   `json:"email"`
+	HasPassword bool     `json:"has_password"`
+	Providers   []string `json:"providers"`
+}
+
+type updateNameRequest struct {
+	Name string `json:"name"`
+}
+
+type changePasswordRequest struct {
+	CurrentPassword string `json:"current_password"`
+	NewPassword     string `json:"new_password"`
+	ConfirmPassword string `json:"confirm_password"`
+}
+
+type requestPasswordResetRequest struct {
+	Email string `json:"email"`
+}
+
+type confirmPasswordResetRequest struct {
+	Token       string `json:"token"`
+	NewPassword string `json:"new_password"`
+}
+
+type deleteAccountRequest struct {
+	Confirmation string `json:"confirmation"`
+}
+
+// GetMe handles GET /v1/me.
+func (h *meHandler) GetMe(w http.ResponseWriter, r *http.Request) {
+	ac := auth.MustFromContext(r.Context())
+	ctx := r.Context()
+
+	user, err := h.db.GetUserByID(ctx, ac.UserID)
+	if err != nil {
+		writeError(w, http.StatusInternalServerError, "db_error", "failed to get user")
+		return
+	}
+
+	providers, err := h.db.GetOAuthProvidersByUserID(ctx, ac.UserID)
+	if err != nil {
+		writeError(w, http.StatusInternalServerError, "db_error", "failed to get providers")
+		return
+	}
+
+	providerNames := make([]string, 0, len(providers))
+	for _, p := range providers {
+		providerNames = append(providerNames, p.Provider)
+	}
+
+	writeJSON(w, http.StatusOK, meResponse{
+		Name:        user.Name,
+		Email:       user.Email,
+		HasPassword: user.PasswordHash.Valid,
+		Providers:   providerNames,
+	})
+}
+
+// UpdateName handles PATCH /v1/me — updates the user's name and re-issues a JWT.
+func (h *meHandler) UpdateName(w http.ResponseWriter, r *http.Request) {
+	ac := auth.MustFromContext(r.Context())
+	ctx := r.Context()
+
+	var req updateNameRequest
+	if err := decodeJSON(r, &req); err != nil {
+		writeError(w, http.StatusBadRequest, "invalid_request", "invalid JSON body")
+		return
+	}
+
+	req.Name = strings.TrimSpace(req.Name)
+	if req.Name == "" || len(req.Name) > 100 {
+		writeError(w, http.StatusBadRequest, "invalid_request", "name must be between 1 and 100 characters")
+		return
+	}
+
+	if err := h.db.UpdateUserName(ctx, db.UpdateUserNameParams{
+		ID:   ac.UserID,
+		Name: req.Name,
+	}); err != nil {
+		writeError(w, http.StatusInternalServerError, "db_error", "failed to update name")
+		return
+	}
+
+	user, err := h.db.GetUserByID(ctx, ac.UserID)
+	if err != nil {
+		writeError(w, http.StatusInternalServerError, "db_error", "failed to get user")
+		return
+	}
+
+	team, role, err := loginTeam(ctx, h.db, ac.UserID)
+	if err != nil {
+		writeError(w, http.StatusInternalServerError, "db_error", "failed to get team")
+		return
+	}
+
+	token, err := auth.SignJWT(h.jwtSecret, ac.UserID, team.ID, user.Email, req.Name, role, user.IsAdmin)
+	if err != nil {
+		writeError(w, http.StatusInternalServerError, "internal_error", "failed to generate token")
+		return
+	}
+
+	writeJSON(w, http.StatusOK, authResponse{
+		Token:  token,
+		UserID: id.FormatUserID(ac.UserID),
+		TeamID: id.FormatTeamID(team.ID),
+		Email:  user.Email,
+		Name:   req.Name,
+	})
+}
+
+// ChangePassword handles POST /v1/me/password.
+// For users with a password: requires current_password + new_password.
+// For OAuth-only users: requires new_password + confirm_password.
+func (h *meHandler) ChangePassword(w http.ResponseWriter, r *http.Request) {
+	ac := auth.MustFromContext(r.Context())
+	ctx := r.Context()
+
+	var req changePasswordRequest
+	if err := decodeJSON(r, &req); err != nil {
+		writeError(w, http.StatusBadRequest, "invalid_request", "invalid JSON body")
+		return
+	}
+
+	user, err := h.db.GetUserByID(ctx, ac.UserID)
+	if err != nil {
+		writeError(w, http.StatusInternalServerError, "db_error", "failed to get user")
+		return
+	}
+
+	if user.PasswordHash.Valid {
+		// Changing existing password — verify current.
+		if req.CurrentPassword == "" {
+			writeError(w, http.StatusBadRequest, "invalid_request", "current_password is required")
+			return
+		}
+		if err := auth.CheckPassword(user.PasswordHash.String, req.CurrentPassword); err != nil {
+			writeError(w, http.StatusUnauthorized, "wrong_password", "current password is incorrect")
+			return
+		}
+	} else {
+		// OAuth user adding a password — confirm must match.
+		if req.ConfirmPassword == "" {
+			writeError(w, http.StatusBadRequest, "invalid_request", "confirm_password is required")
+			return
+		}
+		if req.NewPassword != req.ConfirmPassword {
+			writeError(w, http.StatusBadRequest, "invalid_request", "passwords do not match")
+			return
+		}
+	}
+
+	if len(req.NewPassword) < 8 {
+		writeError(w, http.StatusBadRequest, "invalid_request", "password must be at least 8 characters")
+		return
+	}
+
+	hash, err := auth.HashPassword(req.NewPassword)
+	if err != nil {
+		writeError(w, http.StatusInternalServerError, "internal_error", "failed to hash password")
+		return
+	}
+
+	if err := h.db.UpdateUserPassword(ctx, db.UpdateUserPasswordParams{
+		ID:           ac.UserID,
+		PasswordHash: pgtype.Text{String: hash, Valid: true},
+	}); err != nil {
+		writeError(w, http.StatusInternalServerError, "db_error", "failed to update password")
+		return
+	}
+
+	isAdding := !user.PasswordHash.Valid
+	go func() {
+		sendCtx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
+		defer cancel()
+		subject, message := "Your Wrenn password was changed", "Your account password was successfully updated. If you did not make this change, reset your password immediately."
+		if isAdding {
+			subject = "Password added to your Wrenn account"
+			message = "A password has been added to your Wrenn account. You can now sign in with your email and password in addition to any connected OAuth providers."
+		}
+		if err := h.mailer.Send(sendCtx, user.Email, subject, email.EmailData{
+			RecipientName: user.Name,
+			Message:       message,
+			Closing:       "If you didn't make this change, contact support immediately.",
+		}); err != nil {
+			slog.Warn("change password: failed to send notification", "email", user.Email, "error", err)
+		}
+	}()
+
+	w.WriteHeader(http.StatusNoContent)
+}
+
+// RequestPasswordReset handles POST /v1/me/password/reset (unauthenticated).
+// Always returns 200 to avoid leaking account existence.
+func (h *meHandler) RequestPasswordReset(w http.ResponseWriter, r *http.Request) {
+	var req requestPasswordResetRequest
+	if err := decodeJSON(r, &req); err != nil {
+		w.WriteHeader(http.StatusNoContent)
+		return
+	}
+
+	req.Email = strings.TrimSpace(strings.ToLower(req.Email))
+	if req.Email == "" {
+		w.WriteHeader(http.StatusNoContent)
+		return
+	}
+
+	ctx := r.Context()
+
+	user, err := h.db.GetUserByEmail(ctx, req.Email)
+	if err != nil {
+		// Don't leak whether the email exists.
+		w.WriteHeader(http.StatusNoContent)
+		return
+	}
+
+	if user.Status != "active" {
+		w.WriteHeader(http.StatusNoContent)
+		return
+	}
+
+	rawToken := generateResetToken()
+	tokenHash := hashResetToken(rawToken)
+	redisKey := passwordResetKeyPrefix + tokenHash
+
+	if err := h.rdb.Set(ctx, redisKey, id.FormatUserID(user.ID), passwordResetTTL).Err(); err != nil {
+		slog.Error("password reset: failed to store token in redis", "error", err)
+		w.WriteHeader(http.StatusNoContent)
+		return
+	}
+
+	resetURL := h.redirectURL + "/reset-password?token=" + rawToken
+	go func() {
+		sendCtx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
+		defer cancel()
+		if err := h.mailer.Send(sendCtx, user.Email, "Reset your Wrenn password", email.EmailData{
+			RecipientName: user.Name,
+			Message:       "We received a request to reset your password. Click the button below to set a new password. This link expires in 15 minutes.",
+			Button:        &email.Button{Text: "Reset Password", URL: resetURL},
+			Closing:       "If you didn't request a password reset, you can safely ignore this email.",
+		}); err != nil {
+			slog.Error("password reset: failed to send email", "email", user.Email, "error", err)
+		}
+	}()
+
+	w.WriteHeader(http.StatusNoContent)
+}
+
+// ConfirmPasswordReset handles POST /v1/me/password/reset/confirm (unauthenticated).
+func (h *meHandler) ConfirmPasswordReset(w http.ResponseWriter, r *http.Request) {
+	var req confirmPasswordResetRequest
+	if err := decodeJSON(r, &req); err != nil {
+		writeError(w, http.StatusBadRequest, "invalid_request", "invalid JSON body")
+		return
+	}
+
+	if req.Token == "" {
+		writeError(w, http.StatusBadRequest, "invalid_request", "token is required")
+		return
+	}
+	if len(req.NewPassword) < 8 {
+		writeError(w, http.StatusBadRequest, "invalid_request", "password must be at least 8 characters")
+		return
+	}
+
+	ctx := r.Context()
+	tokenHash := hashResetToken(req.Token)
+	redisKey := passwordResetKeyPrefix + tokenHash
+
+	// GetDel atomically retrieves and removes the token in a single round-trip,
+	// preventing concurrent requests from both consuming the same token.
+	userIDStr, err := h.rdb.GetDel(ctx, redisKey).Result()
+	if errors.Is(err, redis.Nil) {
+		writeError(w, http.StatusBadRequest, "invalid_token", "reset token is invalid or has expired")
+		return
+	}
+	if err != nil {
+		writeError(w, http.StatusInternalServerError, "internal_error", "failed to verify token")
+		return
+	}
+
+	userID, err := id.ParseUserID(userIDStr)
+	if err != nil {
+		writeError(w, http.StatusInternalServerError, "internal_error", "invalid stored user ID")
+		return
+	}
+
+	user, err := h.db.GetUserByID(ctx, userID)
+	if err != nil {
+		writeError(w, http.StatusInternalServerError, "db_error", "failed to get user")
+		return
+	}
+
+	hash, err := auth.HashPassword(req.NewPassword)
+	if err != nil {
+		writeError(w, http.StatusInternalServerError, "internal_error", "failed to hash password")
+		return
+	}
+
+	if err := h.db.UpdateUserPassword(ctx, db.UpdateUserPasswordParams{
+		ID:           userID,
+		PasswordHash: pgtype.Text{String: hash, Valid: true},
+	}); err != nil {
+		writeError(w, http.StatusInternalServerError, "db_error", "failed to update password")
+		return
+	}
+
+	go func() {
+		sendCtx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
+		defer cancel()
+		if err := h.mailer.Send(sendCtx, user.Email, "Your Wrenn password was reset", email.EmailData{
+			RecipientName: user.Name,
+			Message:       "Your password has been successfully reset. You can now sign in with your new password.",
+			Closing:       "If you didn't request this change, contact support immediately.",
+		}); err != nil {
+			slog.Warn("confirm password reset: failed to send notification", "email", user.Email, "error", err)
+		}
+	}()
+
+	w.WriteHeader(http.StatusNoContent)
+}
+
+// ConnectProvider handles GET /v1/me/providers/{provider}/connect.
+// Sets OAuth state + link cookies and returns the provider auth URL.
+func (h *meHandler) ConnectProvider(w http.ResponseWriter, r *http.Request) {
+	ac := auth.MustFromContext(r.Context())
+	provider := chi.URLParam(r, "provider")
+
+	p, ok := h.oauthRegistry.Get(provider)
+	if !ok {
+		writeError(w, http.StatusNotFound, "provider_not_found", "unsupported OAuth provider")
+		return
+	}
+
+	state, err := generateState()
+	if err != nil {
+		writeError(w, http.StatusInternalServerError, "internal_error", "failed to generate state")
+		return
+	}
+
+	mac := computeHMAC(h.jwtSecret, state)
+	http.SetCookie(w, &http.Cookie{
+		Name:     "oauth_state",
+		Value:    state + ":" + mac,
+		Path:     "/",
+		MaxAge:   600,
+		HttpOnly: true,
+		SameSite: http.SameSiteLaxMode,
+		Secure:   isSecure(r),
+	})
+
+	userIDStr := id.FormatUserID(ac.UserID)
+	linkMac := computeHMAC(h.jwtSecret, userIDStr)
+	http.SetCookie(w, &http.Cookie{
+		Name:     "oauth_link_user_id",
+		Value:    userIDStr + ":" + linkMac,
+		Path:     "/",
+		MaxAge:   600,
+		HttpOnly: true,
+		SameSite: http.SameSiteLaxMode,
+		Secure:   isSecure(r),
+	})
+
+	writeJSON(w, http.StatusOK, map[string]string{"auth_url": p.AuthCodeURL(state)})
+}
+
+// DisconnectProvider handles DELETE /v1/me/providers/{provider}.
+func (h *meHandler) DisconnectProvider(w http.ResponseWriter, r *http.Request) {
+	ac := auth.MustFromContext(r.Context())
+	provider := chi.URLParam(r, "provider")
+	ctx := r.Context()
+
+	user, err := h.db.GetUserByID(ctx, ac.UserID)
+	if err != nil {
+		writeError(w, http.StatusInternalServerError, "db_error", "failed to get user")
+		return
+	}
+
+	providers, err := h.db.GetOAuthProvidersByUserID(ctx, ac.UserID)
+	if err != nil {
+		writeError(w, http.StatusInternalServerError, "db_error", "failed to get providers")
+		return
+	}
+
+	// Ensure the user will still have at least one login method after disconnecting.
+	if !user.PasswordHash.Valid && len(providers) <= 1 {
+		writeError(w, http.StatusBadRequest, "last_login_method", "cannot disconnect your only login method — add a password first")
+		return
+	}
+
+	// Check the provider is actually linked to this user.
+	found := false
+	for _, p := range providers {
+		if p.Provider == provider {
+			found = true
+			break
+		}
+	}
+	if !found {
+		writeError(w, http.StatusNotFound, "not_found", "provider not connected")
+		return
+	}
+
+	if err := h.db.DeleteOAuthProvider(ctx, db.DeleteOAuthProviderParams{
+		UserID:   ac.UserID,
+		Provider: provider,
+	}); err != nil {
+		writeError(w, http.StatusInternalServerError, "db_error", "failed to disconnect provider")
+		return
+	}
+
+	w.WriteHeader(http.StatusNoContent)
+}
+
+// DeleteAccount handles DELETE /v1/me — soft-deletes the user's account.
+func (h *meHandler) DeleteAccount(w http.ResponseWriter, r *http.Request) {
+	ac := auth.MustFromContext(r.Context())
+	ctx := r.Context()
+
+	var req deleteAccountRequest
+	if err := decodeJSON(r, &req); err != nil {
+		writeError(w, http.StatusBadRequest, "invalid_request", "invalid JSON body")
+		return
+	}
+
+	user, err := h.db.GetUserByID(ctx, ac.UserID)
+	if err != nil {
+		writeError(w, http.StatusInternalServerError, "db_error", "failed to get user")
+		return
+	}
+
+	if !strings.EqualFold(strings.TrimSpace(req.Confirmation), user.Email) {
+		writeError(w, http.StatusBadRequest, "invalid_request", "confirmation does not match your email address")
+		return
+	}
+
+	teamsBlocking, err := h.db.CountUserOwnedTeamsWithOtherMembers(ctx, ac.UserID)
+	if err != nil {
+		writeError(w, http.StatusInternalServerError, "db_error", "failed to check team ownership")
+		return
+	}
+	if teamsBlocking > 0 {
+		writeError(w, http.StatusConflict, "owns_team_with_members",
+			fmt.Sprintf("you own %d team(s) with other members — transfer ownership or remove members before deleting your account", teamsBlocking))
+		return
+	}
+
+	// Delete all teams the user solely owns (no other members).
+	// Team deletion involves RPC calls (sandbox destruction) that cannot be
+	// transactional, so we do those first as best-effort, then wrap the
+	// DB-only cleanup in a transaction.
+	soleTeams, err := h.db.ListSoleOwnedTeams(ctx, ac.UserID)
+	if err != nil {
+		writeError(w, http.StatusInternalServerError, "db_error", "failed to list owned teams")
+		return
+	}
+	for _, teamID := range soleTeams {
+		if err := h.teamSvc.DeleteTeamInternal(ctx, teamID); err != nil {
+			writeError(w, http.StatusInternalServerError, "db_error",
+				fmt.Sprintf("failed to delete sole-owned team %s", id.FormatTeamID(teamID)))
+			return
+		}
+	}
+
+	tx, err := h.pool.Begin(ctx)
+	if err != nil {
+		writeError(w, http.StatusInternalServerError, "db_error", "failed to start transaction")
+		return
+	}
+	defer tx.Rollback(ctx)
+
+	qtx := h.db.WithTx(tx)
+
+	if err := qtx.DeleteAPIKeysByCreator(ctx, ac.UserID); err != nil {
+		writeError(w, http.StatusInternalServerError, "db_error", "failed to delete user's API keys")
+		return
+	}
+
+	if err := qtx.SoftDeleteUser(ctx, ac.UserID); err != nil {
+		writeError(w, http.StatusInternalServerError, "db_error", "failed to delete account")
+		return
+	}
+
+	if err := tx.Commit(ctx); err != nil {
+		writeError(w, http.StatusInternalServerError, "db_error", "failed to commit account deletion")
+		return
+	}
+
+	slog.Info("account soft-deleted", "user_id", id.FormatUserID(ac.UserID), "email", user.Email)
+
+	go func() {
+		sendCtx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
+		defer cancel()
+		if err := h.mailer.Send(sendCtx, user.Email, "Your Wrenn account has been deleted", email.EmailData{
+			RecipientName: user.Name,
+			Message:       "Your Wrenn account has been deactivated and is scheduled for permanent deletion in 15 days. If this was a mistake, contact support before then to recover your account.",
+			Closing:       "Thank you for using Wrenn.",
+		}); err != nil {
+			slog.Warn("delete account: failed to send notification", "email", user.Email, "error", err)
+		}
+	}()
+
+	w.WriteHeader(http.StatusNoContent)
+}
+
+// --- helpers ---
+
+func generateResetToken() string {
+	b := make([]byte, 16)
+	if _, err := rand.Read(b); err != nil {
+		panic(fmt.Sprintf("crypto/rand failed: %v", err))
+	}
+	return hex.EncodeToString(b)
+}
+
+func hashResetToken(raw string) string {
+	h := sha256.Sum256([]byte(raw))
+	return hex.EncodeToString(h[:])
+}
diff --git a/internal/api/handlers_metrics.go b/internal/api/handlers_metrics.go
index 4d04430..28a2157 100644
--- a/internal/api/handlers_metrics.go
+++ b/internal/api/handlers_metrics.go
@@ -9,10 +9,10 @@ import (
 	"github.com/go-chi/chi/v5"
 	"github.com/jackc/pgx/v5/pgtype"
 
-	"git.omukk.dev/wrenn/wrenn/internal/auth"
-	"git.omukk.dev/wrenn/wrenn/internal/db"
-	"git.omukk.dev/wrenn/wrenn/internal/id"
-	"git.omukk.dev/wrenn/wrenn/internal/lifecycle"
+	"git.omukk.dev/wrenn/wrenn/pkg/auth"
+	"git.omukk.dev/wrenn/wrenn/pkg/db"
+	"git.omukk.dev/wrenn/wrenn/pkg/id"
+	"git.omukk.dev/wrenn/wrenn/pkg/lifecycle"
 	pb "git.omukk.dev/wrenn/wrenn/proto/hostagent/gen"
 )
 
@@ -38,7 +38,7 @@ type metricsResponse struct {
 	Points    []metricPointResponse `json:"points"`
 }
 
-// GetMetrics handles GET /v1/sandboxes/{id}/metrics?range=10m|2h|24h.
+// GetMetrics handles GET /v1/capsules/{id}/metrics?range=10m|2h|24h.
 func (h *sandboxMetricsHandler) GetMetrics(w http.ResponseWriter, r *http.Request) {
 	sandboxIDStr := chi.URLParam(r, "id")
 	ctx := r.Context()
diff --git a/internal/api/handlers_oauth.go b/internal/api/handlers_oauth.go
index 037929f..9c9a14a 100644
--- a/internal/api/handlers_oauth.go
+++ b/internal/api/handlers_oauth.go
@@ -16,10 +16,10 @@ import (
 	"github.com/jackc/pgx/v5/pgconn"
 	"github.com/jackc/pgx/v5/pgxpool"
 
-	"git.omukk.dev/wrenn/wrenn/internal/auth"
-	"git.omukk.dev/wrenn/wrenn/internal/auth/oauth"
-	"git.omukk.dev/wrenn/wrenn/internal/db"
-	"git.omukk.dev/wrenn/wrenn/internal/id"
+	"git.omukk.dev/wrenn/wrenn/pkg/auth"
+	"git.omukk.dev/wrenn/wrenn/pkg/auth/oauth"
+	"git.omukk.dev/wrenn/wrenn/pkg/db"
+	"git.omukk.dev/wrenn/wrenn/pkg/id"
 )
 
 type oauthHandler struct {
@@ -137,6 +137,73 @@ func (h *oauthHandler) Callback(w http.ResponseWriter, r *http.Request) {
 
 	email := strings.TrimSpace(strings.ToLower(profile.Email))
 
+	// Check for a link operation initiated from the settings page.
+	if linkCookie, err := r.Cookie("oauth_link_user_id"); err == nil && linkCookie.Value != "" {
+		// Clear the link cookie immediately.
+		http.SetCookie(w, &http.Cookie{
+			Name:     "oauth_link_user_id",
+			Value:    "",
+			Path:     "/",
+			MaxAge:   -1,
+			HttpOnly: true,
+			SameSite: http.SameSiteLaxMode,
+			Secure:   isSecure(r),
+		})
+
+		settingsBase := h.redirectURL + "/dashboard/settings"
+
+		// Verify the HMAC to prevent cookie forgery.
+		linkParts := strings.SplitN(linkCookie.Value, ":", 2)
+		if len(linkParts) != 2 || !hmac.Equal([]byte(computeHMAC(h.jwtSecret, linkParts[0])), []byte(linkParts[1])) {
+			slog.Warn("oauth link: invalid or tampered link cookie")
+			http.Redirect(w, r, settingsBase+"?connect_error=invalid_state", http.StatusFound)
+			return
+		}
+
+		userID, parseErr := id.ParseUserID(linkParts[0])
+		if parseErr != nil {
+			slog.Error("oauth link: invalid user ID in cookie", "error", parseErr)
+			http.Redirect(w, r, settingsBase+"?connect_error=invalid_state", http.StatusFound)
+			return
+		}
+
+		// Ensure the GitHub account isn't already linked to a different user.
+		existing, lookupErr := h.db.GetOAuthProvider(ctx, db.GetOAuthProviderParams{
+			Provider:   provider,
+			ProviderID: profile.ProviderID,
+		})
+		if lookupErr == nil && existing.UserID != userID {
+			slog.Warn("oauth link: provider already linked to another account", "provider", provider)
+			http.Redirect(w, r, settingsBase+"?connect_error=already_linked", http.StatusFound)
+			return
+		}
+		if lookupErr == nil && existing.UserID == userID {
+			// Already linked to this user — treat as success.
+			http.Redirect(w, r, settingsBase+"?connected="+provider, http.StatusFound)
+			return
+		}
+		if !errors.Is(lookupErr, pgx.ErrNoRows) {
+			slog.Error("oauth link: db lookup failed", "error", lookupErr)
+			http.Redirect(w, r, settingsBase+"?connect_error=db_error", http.StatusFound)
+			return
+		}
+
+		if insertErr := h.db.InsertOAuthProvider(ctx, db.InsertOAuthProviderParams{
+			Provider:   provider,
+			ProviderID: profile.ProviderID,
+			UserID:     userID,
+			Email:      email,
+		}); insertErr != nil {
+			slog.Error("oauth link: failed to insert provider", "error", insertErr)
+			http.Redirect(w, r, settingsBase+"?connect_error=db_error", http.StatusFound)
+			return
+		}
+
+		slog.Info("oauth link: provider linked", "provider", provider, "user_id", id.FormatUserID(userID))
+		http.Redirect(w, r, settingsBase+"?connected="+provider, http.StatusFound)
+		return
+	}
+
 	// Check if this OAuth identity already exists.
 	existing, err := h.db.GetOAuthProvider(ctx, db.GetOAuthProviderParams{
 		Provider:   provider,
@@ -145,18 +212,29 @@ func (h *oauthHandler) Callback(w http.ResponseWriter, r *http.Request) {
 	if err == nil {
 		// Existing OAuth user — log them in.
 		user, err := h.db.GetUserByID(ctx, existing.UserID)
+		if errors.Is(err, pgx.ErrNoRows) {
+			slog.Warn("oauth login: user no longer exists", "user_id", existing.UserID)
+			redirectWithError(w, r, redirectBase, "account_deactivated")
+			return
+		}
 		if err != nil {
 			slog.Error("oauth login: failed to get user", "error", err)
 			redirectWithError(w, r, redirectBase, "db_error")
 			return
 		}
-		team, role, err := loginTeam(ctx, h.db, user.ID)
+		if user.Status != "active" {
+			slog.Warn("oauth login: account not active", "email", user.Email, "status", user.Status)
+			redirectWithError(w, r, redirectBase, "account_deactivated")
+			return
+		}
+		team, role, isFirstUser, err := ensureDefaultTeam(ctx, h.db, h.pool, user.ID, user.Name)
 		if err != nil {
-			slog.Error("oauth login: failed to get team", "error", err)
+			slog.Error("oauth login: failed to ensure team", "error", err)
 			redirectWithError(w, r, redirectBase, "db_error")
 			return
 		}
-		token, err := auth.SignJWT(h.jwtSecret, user.ID, team.ID, user.Email, user.Name, role, user.IsAdmin)
+		isAdmin := user.IsAdmin || isFirstUser
+		token, err := auth.SignJWT(h.jwtSecret, user.ID, team.ID, user.Email, user.Name, role, isAdmin)
 		if err != nil {
 			slog.Error("oauth login: failed to sign jwt", "error", err)
 			redirectWithError(w, r, redirectBase, "internal_error")
@@ -172,13 +250,21 @@ func (h *oauthHandler) Callback(w http.ResponseWriter, r *http.Request) {
 	}
 
 	// New OAuth identity — check for email collision.
-	_, err = h.db.GetUserByEmail(ctx, email)
+	existingUser, err := h.db.GetUserByEmail(ctx, email)
 	if err == nil {
-		// Email already taken by another account.
-		redirectWithError(w, r, redirectBase, "email_taken")
-		return
-	}
-	if !errors.Is(err, pgx.ErrNoRows) {
+		if existingUser.Status == "inactive" {
+			// Unactivated email signup — delete and let OAuth take over.
+			if delErr := h.db.HardDeleteUser(ctx, existingUser.ID); delErr != nil {
+				slog.Error("oauth: failed to delete inactive user", "error", delErr)
+				redirectWithError(w, r, redirectBase, "db_error")
+				return
+			}
+		} else {
+			// Email already taken by an active/disabled/deleted account.
+			redirectWithError(w, r, redirectBase, "email_taken")
+			return
+		}
+	} else if !errors.Is(err, pgx.ErrNoRows) {
 		slog.Error("oauth: email check failed", "error", err)
 		redirectWithError(w, r, redirectBase, "db_error")
 		return
@@ -195,6 +281,15 @@ func (h *oauthHandler) Callback(w http.ResponseWriter, r *http.Request) {
 
 	qtx := h.db.WithTx(tx)
 
+	// The first user to sign up becomes a platform admin.
+	userCount, err := qtx.CountUsers(ctx)
+	if err != nil {
+		slog.Error("oauth: failed to count users", "error", err)
+		redirectWithError(w, r, redirectBase, "db_error")
+		return
+	}
+	isFirstUser := userCount == 0
+
 	userID := id.NewUserID()
 	_, err = qtx.InsertUserOAuth(ctx, db.InsertUserOAuthParams{
 		ID:    userID,
@@ -238,6 +333,14 @@ func (h *oauthHandler) Callback(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	if isFirstUser {
+		if err := qtx.SetUserAdmin(ctx, db.SetUserAdminParams{ID: userID, IsAdmin: true}); err != nil {
+			slog.Error("oauth: failed to set admin status", "error", err)
+			redirectWithError(w, r, redirectBase, "db_error")
+			return
+		}
+	}
+
 	if err := qtx.InsertOAuthProvider(ctx, db.InsertOAuthProviderParams{
 		Provider:   provider,
 		ProviderID: profile.ProviderID,
@@ -255,7 +358,7 @@ func (h *oauthHandler) Callback(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	token, err := auth.SignJWT(h.jwtSecret, userID, teamID, email, profile.Name, "owner", false)
+	token, err := auth.SignJWT(h.jwtSecret, userID, teamID, email, profile.Name, "owner", isFirstUser)
 	if err != nil {
 		slog.Error("oauth: failed to sign jwt", "error", err)
 		redirectWithError(w, r, redirectBase, "internal_error")
@@ -279,18 +382,29 @@ func (h *oauthHandler) retryAsLogin(w http.ResponseWriter, r *http.Request, prov
 		return
 	}
 	user, err := h.db.GetUserByID(ctx, existing.UserID)
+	if errors.Is(err, pgx.ErrNoRows) {
+		slog.Warn("oauth: retry login: user no longer exists", "user_id", existing.UserID)
+		redirectWithError(w, r, redirectBase, "account_deactivated")
+		return
+	}
 	if err != nil {
 		slog.Error("oauth: retry login: failed to get user", "error", err)
 		redirectWithError(w, r, redirectBase, "db_error")
 		return
 	}
-	team, role, err := loginTeam(ctx, h.db, user.ID)
+	if user.Status != "active" {
+		slog.Warn("oauth: retry login: account not active", "email", user.Email, "status", user.Status)
+		redirectWithError(w, r, redirectBase, "account_deactivated")
+		return
+	}
+	team, role, isFirstUser, err := ensureDefaultTeam(ctx, h.db, h.pool, user.ID, user.Name)
 	if err != nil {
-		slog.Error("oauth: retry login: failed to get team", "error", err)
+		slog.Error("oauth: retry login: failed to ensure team", "error", err)
 		redirectWithError(w, r, redirectBase, "db_error")
 		return
 	}
-	token, err := auth.SignJWT(h.jwtSecret, user.ID, team.ID, user.Email, user.Name, role, user.IsAdmin)
+	isAdmin := user.IsAdmin || isFirstUser
+	token, err := auth.SignJWT(h.jwtSecret, user.ID, team.ID, user.Email, user.Name, role, isAdmin)
 	if err != nil {
 		slog.Error("oauth: retry login: failed to sign jwt", "error", err)
 		redirectWithError(w, r, redirectBase, "internal_error")
diff --git a/internal/api/handlers_process.go b/internal/api/handlers_process.go
new file mode 100644
index 0000000..2bb6bb9
--- /dev/null
+++ b/internal/api/handlers_process.go
@@ -0,0 +1,298 @@
+package api
+
+import (
+	"context"
+	"log/slog"
+	"net/http"
+	"strconv"
+	"time"
+
+	"connectrpc.com/connect"
+	"github.com/go-chi/chi/v5"
+	"github.com/gorilla/websocket"
+	"github.com/jackc/pgx/v5/pgtype"
+
+	"git.omukk.dev/wrenn/wrenn/pkg/auth"
+	"git.omukk.dev/wrenn/wrenn/pkg/db"
+	"git.omukk.dev/wrenn/wrenn/pkg/id"
+	"git.omukk.dev/wrenn/wrenn/pkg/lifecycle"
+	pb "git.omukk.dev/wrenn/wrenn/proto/hostagent/gen"
+)
+
+type processHandler struct {
+	db        *db.Queries
+	pool      *lifecycle.HostClientPool
+	jwtSecret []byte
+}
+
+func newProcessHandler(db *db.Queries, pool *lifecycle.HostClientPool, jwtSecret []byte) *processHandler {
+	return &processHandler{db: db, pool: pool, jwtSecret: jwtSecret}
+}
+
+// processResponse is a single entry in the process list.
+type processResponse struct {
+	PID  uint32   `json:"pid"`
+	Tag  string   `json:"tag,omitempty"`
+	Cmd  string   `json:"cmd"`
+	Args []string `json:"args,omitempty"`
+}
+
+// processListResponse wraps the list of processes.
+type processListResponse struct {
+	Processes []processResponse `json:"processes"`
+}
+
+// ListProcesses handles GET /v1/capsules/{id}/processes.
+func (h *processHandler) ListProcesses(w http.ResponseWriter, r *http.Request) {
+	sandboxIDStr := chi.URLParam(r, "id")
+	ctx := r.Context()
+	ac := auth.MustFromContext(ctx)
+
+	sandboxID, err := id.ParseSandboxID(sandboxIDStr)
+	if err != nil {
+		writeError(w, http.StatusBadRequest, "invalid_request", "invalid sandbox ID")
+		return
+	}
+
+	sb, err := h.db.GetSandboxByTeam(ctx, db.GetSandboxByTeamParams{ID: sandboxID, TeamID: ac.TeamID})
+	if err != nil {
+		writeError(w, http.StatusNotFound, "not_found", "sandbox not found")
+		return
+	}
+	if sb.Status != "running" {
+		writeError(w, http.StatusConflict, "invalid_state", "sandbox is not running (status: "+sb.Status+")")
+		return
+	}
+
+	agent, err := agentForHost(ctx, h.db, h.pool, sb.HostID)
+	if err != nil {
+		writeError(w, http.StatusServiceUnavailable, "host_unavailable", "sandbox host is not reachable")
+		return
+	}
+
+	resp, err := agent.ListProcesses(ctx, connect.NewRequest(&pb.ListProcessesRequest{
+		SandboxId: sandboxIDStr,
+	}))
+	if err != nil {
+		status, code, msg := agentErrToHTTP(err)
+		writeError(w, status, code, msg)
+		return
+	}
+
+	procs := make([]processResponse, 0, len(resp.Msg.Processes))
+	for _, p := range resp.Msg.Processes {
+		procs = append(procs, processResponse{
+			PID:  p.Pid,
+			Tag:  p.Tag,
+			Cmd:  p.Cmd,
+			Args: p.Args,
+		})
+	}
+
+	writeJSON(w, http.StatusOK, processListResponse{Processes: procs})
+}
+
+// KillProcess handles DELETE /v1/capsules/{id}/processes/{selector}.
+// The selector can be a numeric PID or a string tag.
+func (h *processHandler) KillProcess(w http.ResponseWriter, r *http.Request) {
+	sandboxIDStr := chi.URLParam(r, "id")
+	selectorStr := chi.URLParam(r, "selector")
+	ctx := r.Context()
+	ac := auth.MustFromContext(ctx)
+
+	sandboxID, err := id.ParseSandboxID(sandboxIDStr)
+	if err != nil {
+		writeError(w, http.StatusBadRequest, "invalid_request", "invalid sandbox ID")
+		return
+	}
+
+	sb, err := h.db.GetSandboxByTeam(ctx, db.GetSandboxByTeamParams{ID: sandboxID, TeamID: ac.TeamID})
+	if err != nil {
+		writeError(w, http.StatusNotFound, "not_found", "sandbox not found")
+		return
+	}
+	if sb.Status != "running" {
+		writeError(w, http.StatusConflict, "invalid_state", "sandbox is not running (status: "+sb.Status+")")
+		return
+	}
+
+	agent, err := agentForHost(ctx, h.db, h.pool, sb.HostID)
+	if err != nil {
+		writeError(w, http.StatusServiceUnavailable, "host_unavailable", "sandbox host is not reachable")
+		return
+	}
+
+	// Build the kill request with PID or tag selector.
+	killReq := &pb.KillProcessRequest{
+		SandboxId: sandboxIDStr,
+		Signal:    "SIGKILL",
+	}
+	if sig := r.URL.Query().Get("signal"); sig == "SIGTERM" {
+		killReq.Signal = "SIGTERM"
+	}
+
+	if pid, err := strconv.ParseUint(selectorStr, 10, 32); err == nil {
+		killReq.Selector = &pb.KillProcessRequest_Pid{Pid: uint32(pid)}
+	} else {
+		killReq.Selector = &pb.KillProcessRequest_Tag{Tag: selectorStr}
+	}
+
+	if _, err := agent.KillProcess(ctx, connect.NewRequest(killReq)); err != nil {
+		status, code, msg := agentErrToHTTP(err)
+		writeError(w, status, code, msg)
+		return
+	}
+
+	w.WriteHeader(http.StatusNoContent)
+}
+
+// wsProcessOut is the JSON message sent to the WebSocket client.
+type wsProcessOut struct {
+	Type     string `json:"type"`                // "start", "stdout", "stderr", "exit", "error"
+	PID      uint32 `json:"pid,omitempty"`       // only for "start"
+	Data     string `json:"data,omitempty"`      // only for "stdout", "stderr", "error"
+	ExitCode *int32 `json:"exit_code,omitempty"` // only for "exit"
+}
+
+// ConnectProcess handles WS /v1/capsules/{id}/processes/{selector}/stream.
+func (h *processHandler) ConnectProcess(w http.ResponseWriter, r *http.Request) {
+	sandboxIDStr := chi.URLParam(r, "id")
+	selectorStr := chi.URLParam(r, "selector")
+	ctx := r.Context()
+
+	sandboxID, err := id.ParseSandboxID(sandboxIDStr)
+	if err != nil {
+		writeError(w, http.StatusBadRequest, "invalid_request", "invalid sandbox ID")
+		return
+	}
+
+	// Authenticate: use context from middleware (API key) or WS first message (JWT).
+	ac, hasAuth := auth.FromContext(ctx)
+
+	if !hasAuth {
+		conn, err := upgrader.Upgrade(w, r, nil)
+		if err != nil {
+			slog.Error("process stream websocket upgrade failed", "error", err)
+			return
+		}
+		defer conn.Close()
+
+		var wsAC auth.AuthContext
+		var authErr error
+		if isAdminWSRoute(ctx) {
+			wsAC, authErr = wsAuthenticateAdmin(ctx, conn, h.jwtSecret, h.db)
+		} else {
+			wsAC, authErr = wsAuthenticate(ctx, conn, h.jwtSecret, h.db)
+		}
+		if authErr != nil {
+			sendProcessWSError(conn, "authentication failed")
+			return
+		}
+		ac = wsAC
+
+		h.runConnectProcess(ctx, conn, ac, sandboxID, sandboxIDStr, selectorStr)
+		return
+	}
+
+	conn, err := upgrader.Upgrade(w, r, nil)
+	if err != nil {
+		slog.Error("process stream websocket upgrade failed", "error", err)
+		return
+	}
+	defer conn.Close()
+
+	h.runConnectProcess(ctx, conn, ac, sandboxID, sandboxIDStr, selectorStr)
+}
+
+func (h *processHandler) runConnectProcess(ctx context.Context, conn *websocket.Conn, ac auth.AuthContext, sandboxID pgtype.UUID, sandboxIDStr, selectorStr string) {
+	sb, err := h.db.GetSandboxByTeam(ctx, db.GetSandboxByTeamParams{ID: sandboxID, TeamID: ac.TeamID})
+	if err != nil {
+		sendProcessWSError(conn, "sandbox not found")
+		return
+	}
+	if sb.Status != "running" {
+		sendProcessWSError(conn, "sandbox is not running (status: "+sb.Status+")")
+		return
+	}
+
+	agent, err := agentForHost(ctx, h.db, h.pool, sb.HostID)
+	if err != nil {
+		sendProcessWSError(conn, "sandbox host is not reachable")
+		return
+	}
+
+	// Build the connect request with PID or tag selector.
+	connectReq := &pb.ConnectProcessRequest{
+		SandboxId: sandboxIDStr,
+	}
+	if pid, err := strconv.ParseUint(selectorStr, 10, 32); err == nil {
+		connectReq.Selector = &pb.ConnectProcessRequest_Pid{Pid: uint32(pid)}
+	} else {
+		connectReq.Selector = &pb.ConnectProcessRequest_Tag{Tag: selectorStr}
+	}
+
+	streamCtx, cancel := context.WithCancel(ctx)
+	defer cancel()
+
+	stream, err := agent.ConnectProcess(streamCtx, connect.NewRequest(connectReq))
+	if err != nil {
+		sendProcessWSError(conn, "failed to connect to process: "+err.Error())
+		return
+	}
+	defer stream.Close()
+
+	// Listen for client disconnect in a goroutine.
+	go func() {
+		for {
+			_, _, err := conn.ReadMessage()
+			if err != nil {
+				cancel()
+				return
+			}
+		}
+	}()
+
+	// Forward stream events to WebSocket.
+	for stream.Receive() {
+		resp := stream.Msg()
+		switch ev := resp.Event.(type) {
+		case *pb.ConnectProcessResponse_Start:
+			writeWSJSON(conn, wsProcessOut{Type: "start", PID: ev.Start.Pid})
+
+		case *pb.ConnectProcessResponse_Data:
+			switch o := ev.Data.Output.(type) {
+			case *pb.ExecStreamData_Stdout:
+				writeWSJSON(conn, wsProcessOut{Type: "stdout", Data: string(o.Stdout)})
+			case *pb.ExecStreamData_Stderr:
+				writeWSJSON(conn, wsProcessOut{Type: "stderr", Data: string(o.Stderr)})
+			}
+
+		case *pb.ConnectProcessResponse_End:
+			exitCode := ev.End.ExitCode
+			writeWSJSON(conn, wsProcessOut{Type: "exit", ExitCode: &exitCode})
+		}
+	}
+
+	if err := stream.Err(); err != nil {
+		if streamCtx.Err() == nil {
+			sendProcessWSError(conn, err.Error())
+		}
+	}
+
+	// Update last active using a fresh context.
+	updateCtx, updateCancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer updateCancel()
+	if err := h.db.UpdateLastActive(updateCtx, db.UpdateLastActiveParams{
+		ID: sandboxID,
+		LastActiveAt: pgtype.Timestamptz{
+			Time:  time.Now(),
+			Valid: true,
+		},
+	}); err != nil {
+		slog.Warn("failed to update last active after process stream", "sandbox_id", sandboxIDStr, "error", err)
+	}
+}
+
+func sendProcessWSError(conn *websocket.Conn, msg string) {
+	writeWSJSON(conn, wsProcessOut{Type: "error", Data: msg})
+}
diff --git a/internal/api/handlers_pty.go b/internal/api/handlers_pty.go
new file mode 100644
index 0000000..181fc9d
--- /dev/null
+++ b/internal/api/handlers_pty.go
@@ -0,0 +1,400 @@
+package api
+
+import (
+	"context"
+	"encoding/base64"
+	"encoding/json"
+	"log/slog"
+	"net/http"
+	"sync"
+	"time"
+
+	"connectrpc.com/connect"
+	"github.com/go-chi/chi/v5"
+	"github.com/gorilla/websocket"
+	"github.com/jackc/pgx/v5/pgtype"
+
+	"git.omukk.dev/wrenn/wrenn/pkg/auth"
+	"git.omukk.dev/wrenn/wrenn/pkg/db"
+	"git.omukk.dev/wrenn/wrenn/pkg/id"
+	"git.omukk.dev/wrenn/wrenn/pkg/lifecycle"
+	pb "git.omukk.dev/wrenn/wrenn/proto/hostagent/gen"
+	"git.omukk.dev/wrenn/wrenn/proto/hostagent/gen/hostagentv1connect"
+)
+
+const (
+	ptyKeepaliveInterval = 30 * time.Second
+	ptyDefaultCmd        = "/bin/bash"
+	ptyDefaultCols       = 80
+	ptyDefaultRows       = 24
+)
+
+type ptyHandler struct {
+	db        *db.Queries
+	pool      *lifecycle.HostClientPool
+	jwtSecret []byte
+}
+
+func newPtyHandler(db *db.Queries, pool *lifecycle.HostClientPool, jwtSecret []byte) *ptyHandler {
+	return &ptyHandler{db: db, pool: pool, jwtSecret: jwtSecret}
+}
+
+// --- WebSocket message types ---
+
+// wsPtyIn is the inbound message from the client.
+type wsPtyIn struct {
+	Type string            `json:"type"`           // "start", "connect", "input", "resize", "kill"
+	Cmd  string            `json:"cmd,omitempty"`  // for "start"
+	Args []string          `json:"args,omitempty"` // for "start"
+	Cols uint32            `json:"cols,omitempty"` // for "start", "resize"
+	Rows uint32            `json:"rows,omitempty"` // for "start", "resize"
+	Envs map[string]string `json:"envs,omitempty"` // for "start"
+	Cwd  string            `json:"cwd,omitempty"`  // for "start"
+	User string            `json:"user,omitempty"` // for "start"
+	Tag  string            `json:"tag,omitempty"`  // for "connect"
+	Data string            `json:"data,omitempty"` // for "input" (base64)
+}
+
+// wsPtyOut is the outbound message to the client.
+type wsPtyOut struct {
+	Type     string `json:"type"`                // "started", "output", "exit", "error"
+	Tag      string `json:"tag,omitempty"`       // for "started"
+	PID      uint32 `json:"pid,omitempty"`       // for "started"
+	Data     string `json:"data,omitempty"`      // for "output" (base64), "error"
+	ExitCode *int32 `json:"exit_code,omitempty"` // for "exit"
+	Fatal    bool   `json:"fatal,omitempty"`     // for "error"
+}
+
+// wsWriter wraps a websocket.Conn with a mutex for concurrent writes.
+type wsWriter struct {
+	conn *websocket.Conn
+	mu   sync.Mutex
+}
+
+func (w *wsWriter) writeJSON(v any) {
+	w.mu.Lock()
+	defer w.mu.Unlock()
+	if err := w.conn.WriteJSON(v); err != nil {
+		slog.Debug("pty websocket write error", "error", err)
+	}
+}
+
+// PtySession handles WS /v1/capsules/{id}/pty.
+func (h *ptyHandler) PtySession(w http.ResponseWriter, r *http.Request) {
+	sandboxIDStr := chi.URLParam(r, "id")
+	ctx := r.Context()
+
+	sandboxID, err := id.ParseSandboxID(sandboxIDStr)
+	if err != nil {
+		writeError(w, http.StatusBadRequest, "invalid_request", "invalid sandbox ID")
+		return
+	}
+
+	// API key auth is handled by middleware (sets context).
+	// For browser JWT auth, we authenticate after upgrade via first WS message.
+	ac, hasAuth := auth.FromContext(ctx)
+
+	if !hasAuth {
+		// No pre-upgrade auth — upgrade first, then authenticate via WS message.
+		conn, err := upgrader.Upgrade(w, r, nil)
+		if err != nil {
+			slog.Error("pty websocket upgrade failed", "error", err)
+			return
+		}
+		defer conn.Close()
+
+		ws := &wsWriter{conn: conn}
+
+		var wsAC auth.AuthContext
+		if isAdminWSRoute(ctx) {
+			wsAC, err = wsAuthenticateAdmin(ctx, conn, h.jwtSecret, h.db)
+		} else {
+			wsAC, err = wsAuthenticate(ctx, conn, h.jwtSecret, h.db)
+		}
+		if err != nil {
+			ws.writeJSON(wsPtyOut{Type: "error", Data: "authentication failed", Fatal: true})
+			return
+		}
+		ac = wsAC
+
+		h.runPtySession(ctx, ws, conn, ac, sandboxID, sandboxIDStr)
+		return
+	}
+
+	conn, err := upgrader.Upgrade(w, r, nil)
+	if err != nil {
+		slog.Error("pty websocket upgrade failed", "error", err)
+		return
+	}
+	defer conn.Close()
+
+	ws := &wsWriter{conn: conn}
+	h.runPtySession(ctx, ws, conn, ac, sandboxID, sandboxIDStr)
+}
+
+func (h *ptyHandler) runPtySession(ctx context.Context, ws *wsWriter, conn *websocket.Conn, ac auth.AuthContext, sandboxID pgtype.UUID, sandboxIDStr string) {
+	sb, err := h.db.GetSandboxByTeam(ctx, db.GetSandboxByTeamParams{ID: sandboxID, TeamID: ac.TeamID})
+	if err != nil {
+		ws.writeJSON(wsPtyOut{Type: "error", Data: "sandbox not found", Fatal: true})
+		return
+	}
+	if sb.Status != "running" {
+		ws.writeJSON(wsPtyOut{Type: "error", Data: "sandbox is not running (status: " + sb.Status + ")", Fatal: true})
+		return
+	}
+
+	// Read the first message to determine start vs connect.
+	var firstMsg wsPtyIn
+	if err := conn.ReadJSON(&firstMsg); err != nil {
+		ws.writeJSON(wsPtyOut{Type: "error", Data: "failed to read first message: " + err.Error(), Fatal: true})
+		return
+	}
+
+	agent, err := agentForHost(ctx, h.db, h.pool, sb.HostID)
+	if err != nil {
+		ws.writeJSON(wsPtyOut{Type: "error", Data: "sandbox host is not reachable", Fatal: true})
+		return
+	}
+
+	streamCtx, cancel := context.WithCancel(ctx)
+	defer cancel()
+
+	switch firstMsg.Type {
+	case "start":
+		h.handleStart(streamCtx, cancel, ws, agent, sandboxIDStr, firstMsg)
+	case "connect":
+		h.handleConnect(streamCtx, cancel, ws, agent, sandboxIDStr, firstMsg)
+	default:
+		ws.writeJSON(wsPtyOut{Type: "error", Data: "first message must be type 'start' or 'connect'", Fatal: true})
+	}
+
+	// Update last active using a fresh context.
+	updateCtx, updateCancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer updateCancel()
+	if err := h.db.UpdateLastActive(updateCtx, db.UpdateLastActiveParams{
+		ID: sandboxID,
+		LastActiveAt: pgtype.Timestamptz{
+			Time:  time.Now(),
+			Valid: true,
+		},
+	}); err != nil {
+		slog.Warn("failed to update last active after pty session", "sandbox_id", sandboxIDStr, "error", err)
+	}
+}
+
+func (h *ptyHandler) handleStart(
+	ctx context.Context,
+	cancel context.CancelFunc,
+	ws *wsWriter,
+	agent hostagentv1connect.HostAgentServiceClient,
+	sandboxIDStr string,
+	msg wsPtyIn,
+) {
+	cmd := msg.Cmd
+	if cmd == "" {
+		cmd = ptyDefaultCmd
+	}
+	cols := msg.Cols
+	if cols == 0 {
+		cols = ptyDefaultCols
+	}
+	rows := msg.Rows
+	if rows == 0 {
+		rows = ptyDefaultRows
+	}
+
+	tag := newPtyTag()
+
+	stream, err := agent.PtyAttach(ctx, connect.NewRequest(&pb.PtyAttachRequest{
+		SandboxId: sandboxIDStr,
+		Tag:       tag,
+		Cmd:       cmd,
+		Args:      msg.Args,
+		Cols:      cols,
+		Rows:      rows,
+		Envs:      msg.Envs,
+		Cwd:       msg.Cwd,
+		User:      msg.User,
+	}))
+	if err != nil {
+		ws.writeJSON(wsPtyOut{Type: "error", Data: "failed to start pty: " + err.Error(), Fatal: true})
+		return
+	}
+	defer stream.Close()
+
+	// Wait for the started event and forward it.
+	if !stream.Receive() {
+		if err := stream.Err(); err != nil {
+			ws.writeJSON(wsPtyOut{Type: "error", Data: "pty stream failed: " + err.Error(), Fatal: true})
+		}
+		return
+	}
+	resp := stream.Msg()
+	started, ok := resp.Event.(*pb.PtyAttachResponse_Started)
+	if !ok {
+		ws.writeJSON(wsPtyOut{Type: "error", Data: "expected started event from host agent", Fatal: true})
+		return
+	}
+	ws.writeJSON(wsPtyOut{Type: "started", Tag: started.Started.Tag, PID: started.Started.Pid})
+
+	runPtyLoop(ctx, cancel, ws, stream, agent, sandboxIDStr, tag)
+}
+
+func (h *ptyHandler) handleConnect(
+	ctx context.Context,
+	cancel context.CancelFunc,
+	ws *wsWriter,
+	agent hostagentv1connect.HostAgentServiceClient,
+	sandboxIDStr string,
+	msg wsPtyIn,
+) {
+	if msg.Tag == "" {
+		ws.writeJSON(wsPtyOut{Type: "error", Data: "connect requires a 'tag' field", Fatal: true})
+		return
+	}
+
+	stream, err := agent.PtyAttach(ctx, connect.NewRequest(&pb.PtyAttachRequest{
+		SandboxId: sandboxIDStr,
+		Tag:       msg.Tag,
+	}))
+	if err != nil {
+		ws.writeJSON(wsPtyOut{Type: "error", Data: "failed to connect to pty: " + err.Error(), Fatal: true})
+		return
+	}
+	defer stream.Close()
+
+	runPtyLoop(ctx, cancel, ws, stream, agent, sandboxIDStr, msg.Tag)
+}
+
+// runPtyLoop drives the bidirectional communication between the WebSocket
+// and the host agent PTY stream.
+func runPtyLoop(
+	ctx context.Context,
+	cancel context.CancelFunc,
+	ws *wsWriter,
+	stream *connect.ServerStreamForClient[pb.PtyAttachResponse],
+	agent hostagentv1connect.HostAgentServiceClient,
+	sandboxID string,
+	tag string,
+) {
+	var wg sync.WaitGroup
+
+	// Output pump: read from Connect stream, write to WebSocket.
+	wg.Add(1)
+	go func() {
+		defer wg.Done()
+		defer cancel()
+
+		for stream.Receive() {
+			resp := stream.Msg()
+			switch ev := resp.Event.(type) {
+			case *pb.PtyAttachResponse_Started:
+				// Already handled before the loop for "start" mode.
+				// For "connect" mode this won't appear.
+				ws.writeJSON(wsPtyOut{Type: "started", Tag: ev.Started.Tag, PID: ev.Started.Pid})
+
+			case *pb.PtyAttachResponse_Output:
+				ws.writeJSON(wsPtyOut{
+					Type: "output",
+					Data: base64.StdEncoding.EncodeToString(ev.Output.Data),
+				})
+
+			case *pb.PtyAttachResponse_Exited:
+				exitCode := ev.Exited.ExitCode
+				ws.writeJSON(wsPtyOut{Type: "exit", ExitCode: &exitCode})
+				return
+			}
+		}
+
+		if err := stream.Err(); err != nil && ctx.Err() == nil {
+			ws.writeJSON(wsPtyOut{Type: "error", Data: err.Error()})
+		}
+	}()
+
+	// Input pump: read from WebSocket, dispatch to host agent.
+	wg.Add(1)
+	go func() {
+		defer wg.Done()
+		defer cancel()
+
+		for {
+			_, raw, err := ws.conn.ReadMessage()
+			if err != nil {
+				return
+			}
+
+			var msg wsPtyIn
+			if json.Unmarshal(raw, &msg) != nil {
+				continue
+			}
+
+			// Use a background context for unary RPCs so they complete
+			// even if the stream context is being cancelled.
+			rpcCtx, rpcCancel := context.WithTimeout(context.Background(), 5*time.Second)
+
+			switch msg.Type {
+			case "input":
+				data, err := base64.StdEncoding.DecodeString(msg.Data)
+				if err != nil {
+					rpcCancel()
+					continue
+				}
+				if _, err := agent.PtySendInput(rpcCtx, connect.NewRequest(&pb.PtySendInputRequest{
+					SandboxId: sandboxID,
+					Tag:       tag,
+					Data:      data,
+				})); err != nil {
+					slog.Debug("pty send input error", "error", err)
+				}
+
+			case "resize":
+				cols := msg.Cols
+				rows := msg.Rows
+				if cols > 0 && rows > 0 {
+					if _, err := agent.PtyResize(rpcCtx, connect.NewRequest(&pb.PtyResizeRequest{
+						SandboxId: sandboxID,
+						Tag:       tag,
+						Cols:      cols,
+						Rows:      rows,
+					})); err != nil {
+						slog.Debug("pty resize error", "error", err)
+					}
+				}
+
+			case "kill":
+				if _, err := agent.PtyKill(rpcCtx, connect.NewRequest(&pb.PtyKillRequest{
+					SandboxId: sandboxID,
+					Tag:       tag,
+				})); err != nil {
+					slog.Debug("pty kill error", "error", err)
+				}
+			}
+
+			rpcCancel()
+		}
+	}()
+
+	// Keepalive pump: send periodic pings to prevent idle WS closure.
+	wg.Add(1)
+	go func() {
+		defer wg.Done()
+		ticker := time.NewTicker(ptyKeepaliveInterval)
+		defer ticker.Stop()
+
+		for {
+			select {
+			case <-ticker.C:
+				ws.writeJSON(wsPtyOut{Type: "ping"})
+			case <-ctx.Done():
+				return
+			}
+		}
+	}()
+
+	wg.Wait()
+}
+
+// newPtyTag returns a PTY session tag: "pty-" + 8 random hex chars.
+func newPtyTag() string {
+	return "pty-" + id.NewPtyTag()
+}
diff --git a/internal/api/handlers_sandbox.go b/internal/api/handlers_sandbox.go
index 18d5305..badb3d0 100644
--- a/internal/api/handlers_sandbox.go
+++ b/internal/api/handlers_sandbox.go
@@ -7,11 +7,11 @@ import (
 
 	"github.com/go-chi/chi/v5"
 
-	"git.omukk.dev/wrenn/wrenn/internal/audit"
-	"git.omukk.dev/wrenn/wrenn/internal/auth"
-	"git.omukk.dev/wrenn/wrenn/internal/db"
-	"git.omukk.dev/wrenn/wrenn/internal/id"
-	"git.omukk.dev/wrenn/wrenn/internal/service"
+	"git.omukk.dev/wrenn/wrenn/pkg/audit"
+	"git.omukk.dev/wrenn/wrenn/pkg/auth"
+	"git.omukk.dev/wrenn/wrenn/pkg/db"
+	"git.omukk.dev/wrenn/wrenn/pkg/id"
+	"git.omukk.dev/wrenn/wrenn/pkg/service"
 )
 
 type sandboxHandler struct {
@@ -31,18 +31,19 @@ type createSandboxRequest struct {
 }
 
 type sandboxResponse struct {
-	ID           string  `json:"id"`
-	Status       string  `json:"status"`
-	Template     string  `json:"template"`
-	VCPUs        int32   `json:"vcpus"`
-	MemoryMB     int32   `json:"memory_mb"`
-	TimeoutSec   int32   `json:"timeout_sec"`
-	GuestIP      string  `json:"guest_ip,omitempty"`
-	HostIP       string  `json:"host_ip,omitempty"`
-	CreatedAt    string  `json:"created_at"`
-	StartedAt    *string `json:"started_at,omitempty"`
-	LastActiveAt *string `json:"last_active_at,omitempty"`
-	LastUpdated  string  `json:"last_updated"`
+	ID           string            `json:"id"`
+	Status       string            `json:"status"`
+	Template     string            `json:"template"`
+	VCPUs        int32             `json:"vcpus"`
+	MemoryMB     int32             `json:"memory_mb"`
+	TimeoutSec   int32             `json:"timeout_sec"`
+	GuestIP      string            `json:"guest_ip,omitempty"`
+	HostIP       string            `json:"host_ip,omitempty"`
+	CreatedAt    string            `json:"created_at"`
+	StartedAt    *string           `json:"started_at,omitempty"`
+	LastActiveAt *string           `json:"last_active_at,omitempty"`
+	LastUpdated  string            `json:"last_updated"`
+	Metadata     map[string]string `json:"metadata,omitempty"`
 }
 
 func sandboxToResponse(sb db.Sandbox) sandboxResponse {
@@ -56,6 +57,12 @@ func sandboxToResponse(sb db.Sandbox) sandboxResponse {
 		GuestIP:    sb.GuestIp,
 		HostIP:     sb.HostIp,
 	}
+	if len(sb.Metadata) > 0 {
+		var meta map[string]string
+		if err := json.Unmarshal(sb.Metadata, &meta); err == nil && len(meta) > 0 {
+			resp.Metadata = meta
+		}
+	}
 	if sb.CreatedAt.Valid {
 		resp.CreatedAt = sb.CreatedAt.Time.Format(time.RFC3339)
 	}
@@ -73,7 +80,7 @@ func sandboxToResponse(sb db.Sandbox) sandboxResponse {
 	return resp
 }
 
-// Create handles POST /v1/sandboxes.
+// Create handles POST /v1/capsules.
 func (h *sandboxHandler) Create(w http.ResponseWriter, r *http.Request) {
 	var req createSandboxRequest
 	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
@@ -104,7 +111,7 @@ func (h *sandboxHandler) Create(w http.ResponseWriter, r *http.Request) {
 	writeJSON(w, http.StatusCreated, sandboxToResponse(sb))
 }
 
-// List handles GET /v1/sandboxes.
+// List handles GET /v1/capsules.
 func (h *sandboxHandler) List(w http.ResponseWriter, r *http.Request) {
 	ac := auth.MustFromContext(r.Context())
 	sandboxes, err := h.svc.List(r.Context(), ac.TeamID)
@@ -121,7 +128,7 @@ func (h *sandboxHandler) List(w http.ResponseWriter, r *http.Request) {
 	writeJSON(w, http.StatusOK, resp)
 }
 
-// Get handles GET /v1/sandboxes/{id}.
+// Get handles GET /v1/capsules/{id}.
 func (h *sandboxHandler) Get(w http.ResponseWriter, r *http.Request) {
 	sandboxIDStr := chi.URLParam(r, "id")
 	ac := auth.MustFromContext(r.Context())
@@ -141,7 +148,7 @@ func (h *sandboxHandler) Get(w http.ResponseWriter, r *http.Request) {
 	writeJSON(w, http.StatusOK, sandboxToResponse(sb))
 }
 
-// Pause handles POST /v1/sandboxes/{id}/pause.
+// Pause handles POST /v1/capsules/{id}/pause.
 func (h *sandboxHandler) Pause(w http.ResponseWriter, r *http.Request) {
 	sandboxIDStr := chi.URLParam(r, "id")
 	ac := auth.MustFromContext(r.Context())
@@ -163,7 +170,7 @@ func (h *sandboxHandler) Pause(w http.ResponseWriter, r *http.Request) {
 	writeJSON(w, http.StatusOK, sandboxToResponse(sb))
 }
 
-// Resume handles POST /v1/sandboxes/{id}/resume.
+// Resume handles POST /v1/capsules/{id}/resume.
 func (h *sandboxHandler) Resume(w http.ResponseWriter, r *http.Request) {
 	sandboxIDStr := chi.URLParam(r, "id")
 	ac := auth.MustFromContext(r.Context())
@@ -185,7 +192,7 @@ func (h *sandboxHandler) Resume(w http.ResponseWriter, r *http.Request) {
 	writeJSON(w, http.StatusOK, sandboxToResponse(sb))
 }
 
-// Ping handles POST /v1/sandboxes/{id}/ping.
+// Ping handles POST /v1/capsules/{id}/ping.
 func (h *sandboxHandler) Ping(w http.ResponseWriter, r *http.Request) {
 	sandboxIDStr := chi.URLParam(r, "id")
 	ac := auth.MustFromContext(r.Context())
@@ -205,7 +212,7 @@ func (h *sandboxHandler) Ping(w http.ResponseWriter, r *http.Request) {
 	w.WriteHeader(http.StatusNoContent)
 }
 
-// Destroy handles DELETE /v1/sandboxes/{id}.
+// Destroy handles DELETE /v1/capsules/{id}.
 func (h *sandboxHandler) Destroy(w http.ResponseWriter, r *http.Request) {
 	sandboxIDStr := chi.URLParam(r, "id")
 	ac := auth.MustFromContext(r.Context())
diff --git a/internal/api/handlers_snapshots.go b/internal/api/handlers_snapshots.go
index 8855c29..43d3148 100644
--- a/internal/api/handlers_snapshots.go
+++ b/internal/api/handlers_snapshots.go
@@ -13,14 +13,14 @@ import (
 
 	"github.com/jackc/pgx/v5/pgtype"
 
-	"git.omukk.dev/wrenn/wrenn/internal/audit"
-	"git.omukk.dev/wrenn/wrenn/internal/auth"
-	"git.omukk.dev/wrenn/wrenn/internal/db"
-	"git.omukk.dev/wrenn/wrenn/internal/id"
 	"git.omukk.dev/wrenn/wrenn/internal/layout"
-	"git.omukk.dev/wrenn/wrenn/internal/lifecycle"
-	"git.omukk.dev/wrenn/wrenn/internal/service"
-	"git.omukk.dev/wrenn/wrenn/internal/validate"
+	"git.omukk.dev/wrenn/wrenn/pkg/audit"
+	"git.omukk.dev/wrenn/wrenn/pkg/auth"
+	"git.omukk.dev/wrenn/wrenn/pkg/db"
+	"git.omukk.dev/wrenn/wrenn/pkg/id"
+	"git.omukk.dev/wrenn/wrenn/pkg/lifecycle"
+	"git.omukk.dev/wrenn/wrenn/pkg/service"
+	"git.omukk.dev/wrenn/wrenn/pkg/validate"
 	pb "git.omukk.dev/wrenn/wrenn/proto/hostagent/gen"
 )
 
@@ -38,8 +38,8 @@ func newSnapshotHandler(svc *service.TemplateService, db *db.Queries, pool *life
 // deleteSnapshotBroadcast attempts to delete snapshot files on all online hosts.
 // Snapshots aren't currently host-tracked in the DB, so we broadcast to all hosts
 // and ignore NotFound errors.
-func (h *snapshotHandler) deleteSnapshotBroadcast(ctx context.Context, teamID, templateID pgtype.UUID) error {
-	hosts, err := h.db.ListActiveHosts(ctx)
+func deleteSnapshotBroadcast(ctx context.Context, queries *db.Queries, pool *lifecycle.HostClientPool, teamID, templateID pgtype.UUID) error {
+	hosts, err := queries.ListActiveHosts(ctx)
 	if err != nil {
 		return fmt.Errorf("list hosts: %w", err)
 	}
@@ -47,7 +47,7 @@ func (h *snapshotHandler) deleteSnapshotBroadcast(ctx context.Context, teamID, t
 		if host.Status != "online" {
 			continue
 		}
-		agent, err := h.pool.GetForHost(host)
+		agent, err := pool.GetForHost(host)
 		if err != nil {
 			continue
 		}
@@ -69,13 +69,14 @@ type createSnapshotRequest struct {
 }
 
 type snapshotResponse struct {
-	Name      string `json:"name"`
-	Type      string `json:"type"`
-	VCPUs     *int32 `json:"vcpus,omitempty"`
-	MemoryMB  *int32 `json:"memory_mb,omitempty"`
-	SizeBytes int64  `json:"size_bytes"`
-	CreatedAt string `json:"created_at"`
-	Platform  bool   `json:"platform"`
+	Name      string            `json:"name"`
+	Type      string            `json:"type"`
+	VCPUs     *int32            `json:"vcpus,omitempty"`
+	MemoryMB  *int32            `json:"memory_mb,omitempty"`
+	SizeBytes int64             `json:"size_bytes"`
+	CreatedAt string            `json:"created_at"`
+	Platform  bool              `json:"platform"`
+	Metadata  map[string]string `json:"metadata,omitempty"`
 }
 
 func templateToResponse(t db.Template) snapshotResponse {
@@ -94,6 +95,12 @@ func templateToResponse(t db.Template) snapshotResponse {
 	if t.CreatedAt.Valid {
 		resp.CreatedAt = t.CreatedAt.Time.Format(time.RFC3339)
 	}
+	if len(t.Metadata) > 0 {
+		var meta map[string]string
+		if err := json.Unmarshal(t.Metadata, &meta); err == nil && len(meta) > 0 {
+			resp.Metadata = meta
+		}
+	}
 	return resp
 }
 
@@ -126,7 +133,6 @@ func (h *snapshotHandler) Create(w http.ResponseWriter, r *http.Request) {
 
 	ctx := r.Context()
 	ac := auth.MustFromContext(ctx)
-	overwrite := r.URL.Query().Get("overwrite") == "true"
 
 	// Check for global name collision.
 	if _, err := h.db.GetPlatformTemplateByName(ctx, req.Name); err == nil {
@@ -135,20 +141,10 @@ func (h *snapshotHandler) Create(w http.ResponseWriter, r *http.Request) {
 	}
 
 	// Check if name already exists for this team.
-	if existing, err := h.db.GetTemplateByTeam(ctx, db.GetTemplateByTeamParams{Name: req.Name, TeamID: ac.TeamID}); err == nil {
-		if !overwrite {
-			writeError(w, http.StatusConflict, "already_exists", "snapshot name already exists; use ?overwrite=true to replace")
-			return
-		}
-		// Delete old snapshot files from all hosts before removing the DB record.
-		if err := h.deleteSnapshotBroadcast(ctx, existing.TeamID, existing.ID); err != nil {
-			writeError(w, http.StatusInternalServerError, "agent_error", "failed to delete existing snapshot files")
-			return
-		}
-		if err := h.db.DeleteTemplateByTeam(ctx, db.DeleteTemplateByTeamParams{Name: req.Name, TeamID: ac.TeamID}); err != nil {
-			writeError(w, http.StatusInternalServerError, "db_error", "failed to remove existing template record")
-			return
-		}
+	if _, err := h.db.GetTemplateByTeam(ctx, db.GetTemplateByTeamParams{Name: req.Name, TeamID: ac.TeamID}); err == nil {
+		writeError(w, http.StatusConflict, "template_name_taken",
+			"snapshot name already exists; delete the existing snapshot first to reuse this name")
+		return
 	}
 
 	// Verify sandbox exists, belongs to team, and is running or paused.
@@ -210,13 +206,16 @@ func (h *snapshotHandler) Create(w http.ResponseWriter, r *http.Request) {
 	}
 
 	tmpl, err := h.db.InsertTemplate(snapCtx, db.InsertTemplateParams{
-		ID:        newTemplateID,
-		Name:      req.Name,
-		Type:      "snapshot",
-		Vcpus:     sb.Vcpus,
-		MemoryMb:  sb.MemoryMb,
-		SizeBytes: resp.Msg.SizeBytes,
-		TeamID:    ac.TeamID,
+		ID:          newTemplateID,
+		Name:        req.Name,
+		Type:        "snapshot",
+		Vcpus:       sb.Vcpus,
+		MemoryMb:    sb.MemoryMb,
+		SizeBytes:   resp.Msg.SizeBytes,
+		TeamID:      ac.TeamID,
+		DefaultUser: "root",
+		DefaultEnv:  []byte("{}"),
+		Metadata:    sb.Metadata,
 	})
 	if err != nil {
 		slog.Error("failed to insert template record", "name", req.Name, "error", err)
@@ -277,7 +276,7 @@ func (h *snapshotHandler) Delete(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	if err := h.deleteSnapshotBroadcast(ctx, tmpl.TeamID, tmpl.ID); err != nil {
+	if err := deleteSnapshotBroadcast(ctx, h.db, h.pool, tmpl.TeamID, tmpl.ID); err != nil {
 		writeError(w, http.StatusInternalServerError, "agent_error", "failed to delete snapshot files")
 		return
 	}
diff --git a/internal/api/handlers_stats.go b/internal/api/handlers_stats.go
index 6c04c7e..1289d68 100644
--- a/internal/api/handlers_stats.go
+++ b/internal/api/handlers_stats.go
@@ -5,8 +5,8 @@ import (
 	"net/http"
 	"time"
 
-	"git.omukk.dev/wrenn/wrenn/internal/auth"
-	"git.omukk.dev/wrenn/wrenn/internal/service"
+	"git.omukk.dev/wrenn/wrenn/pkg/auth"
+	"git.omukk.dev/wrenn/wrenn/pkg/service"
 )
 
 type statsHandler struct {
@@ -43,7 +43,7 @@ type statsResponse struct {
 	Series  statsSeriesResponse  `json:"series"`
 }
 
-// GetStats handles GET /v1/sandboxes/stats?range=5m|1h|6h|24h|30d
+// GetStats handles GET /v1/capsules/stats?range=5m|1h|6h|24h|30d
 func (h *statsHandler) GetStats(w http.ResponseWriter, r *http.Request) {
 	ac := auth.MustFromContext(r.Context())
 
diff --git a/internal/api/handlers_team.go b/internal/api/handlers_team.go
index ed23134..bfbe76c 100644
--- a/internal/api/handlers_team.go
+++ b/internal/api/handlers_team.go
@@ -1,6 +1,8 @@
 package api
 
 import (
+	"context"
+	"fmt"
 	"log/slog"
 	"net/http"
 	"strings"
@@ -9,20 +11,22 @@ import (
 	"github.com/go-chi/chi/v5"
 	"github.com/jackc/pgx/v5/pgtype"
 
-	"git.omukk.dev/wrenn/wrenn/internal/audit"
-	"git.omukk.dev/wrenn/wrenn/internal/auth"
-	"git.omukk.dev/wrenn/wrenn/internal/db"
-	"git.omukk.dev/wrenn/wrenn/internal/id"
-	"git.omukk.dev/wrenn/wrenn/internal/service"
+	"git.omukk.dev/wrenn/wrenn/internal/email"
+	"git.omukk.dev/wrenn/wrenn/pkg/audit"
+	"git.omukk.dev/wrenn/wrenn/pkg/auth"
+	"git.omukk.dev/wrenn/wrenn/pkg/db"
+	"git.omukk.dev/wrenn/wrenn/pkg/id"
+	"git.omukk.dev/wrenn/wrenn/pkg/service"
 )
 
 type teamHandler struct {
-	svc   *service.TeamService
-	audit *audit.AuditLogger
+	svc    *service.TeamService
+	audit  *audit.AuditLogger
+	mailer email.Mailer
 }
 
-func newTeamHandler(svc *service.TeamService, al *audit.AuditLogger) *teamHandler {
-	return &teamHandler{svc: svc, audit: al}
+func newTeamHandler(svc *service.TeamService, al *audit.AuditLogger, mailer email.Mailer) *teamHandler {
+	return &teamHandler{svc: svc, audit: al, mailer: mailer}
 }
 
 // teamResponse is the JSON shape for a team.
@@ -131,6 +135,15 @@ func (h *teamHandler) Create(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	go func() {
+		if err := h.mailer.Send(context.Background(), ac.Email, "Your team has been created", email.EmailData{
+			RecipientName: ac.Name,
+			Message:       fmt.Sprintf("Your team \"%s\" has been created on Wrenn. You can now invite members and start creating sandboxes under this team.", req.Name),
+		}); err != nil {
+			slog.Warn("failed to send team created email", "email", ac.Email, "error", err)
+		}
+	}()
+
 	writeJSON(w, http.StatusCreated, teamWithRoleResponse{
 		teamResponse: teamToResponse(team.Team),
 		Role:         team.Role,
@@ -279,6 +292,21 @@ func (h *teamHandler) AddMember(w http.ResponseWriter, r *http.Request) {
 	if parseErr == nil {
 		h.audit.LogMemberAdd(r.Context(), ac, targetUserID, member.Email, member.Role)
 	}
+
+	go func() {
+		team, err := h.svc.GetTeam(context.Background(), teamID)
+		teamName := "a team"
+		if err == nil {
+			teamName = team.Name
+		}
+		if err := h.mailer.Send(context.Background(), member.Email, "You've been added to a team on Wrenn", email.EmailData{
+			RecipientName: member.Name,
+			Message:       fmt.Sprintf("%s has added you to the team \"%s\" on Wrenn.", ac.Name, teamName),
+		}); err != nil {
+			slog.Warn("failed to send team invitation email", "email", member.Email, "error", err)
+		}
+	}()
+
 	writeJSON(w, http.StatusCreated, memberInfoToResponse(member))
 }
 
@@ -388,3 +416,87 @@ func (h *teamHandler) SetBYOC(w http.ResponseWriter, r *http.Request) {
 
 	w.WriteHeader(http.StatusNoContent)
 }
+
+// AdminListTeams handles GET /v1/admin/teams?page=1
+// Returns a paginated list of all teams with member counts, owner info, and active sandbox counts.
+func (h *teamHandler) AdminListTeams(w http.ResponseWriter, r *http.Request) {
+	page := 1
+	if p := r.URL.Query().Get("page"); p != "" {
+		if _, err := fmt.Sscanf(p, "%d", &page); err != nil || page < 1 {
+			page = 1
+		}
+	}
+	const perPage = 100
+	offset := int32((page - 1) * perPage)
+
+	teams, total, err := h.svc.AdminListTeams(r.Context(), perPage, offset)
+	if err != nil {
+		status, code, msg := serviceErrToHTTP(err)
+		writeError(w, status, code, msg)
+		return
+	}
+
+	type adminTeamResponse struct {
+		ID                 string  `json:"id"`
+		Name               string  `json:"name"`
+		Slug               string  `json:"slug"`
+		IsByoc             bool    `json:"is_byoc"`
+		CreatedAt          string  `json:"created_at"`
+		DeletedAt          *string `json:"deleted_at"`
+		MemberCount        int32   `json:"member_count"`
+		OwnerName          string  `json:"owner_name"`
+		OwnerEmail         string  `json:"owner_email"`
+		ActiveSandboxCount int32   `json:"active_sandbox_count"`
+		ChannelCount       int32   `json:"channel_count"`
+	}
+
+	resp := make([]adminTeamResponse, len(teams))
+	for i, t := range teams {
+		r := adminTeamResponse{
+			ID:                 id.FormatTeamID(t.ID),
+			Name:               t.Name,
+			Slug:               t.Slug,
+			IsByoc:             t.IsByoc,
+			CreatedAt:          t.CreatedAt.Format(time.RFC3339),
+			MemberCount:        t.MemberCount,
+			OwnerName:          t.OwnerName,
+			OwnerEmail:         t.OwnerEmail,
+			ActiveSandboxCount: t.ActiveSandboxCount,
+			ChannelCount:       t.ChannelCount,
+		}
+		if t.DeletedAt != nil {
+			s := t.DeletedAt.Format(time.RFC3339)
+			r.DeletedAt = &s
+		}
+		resp[i] = r
+	}
+
+	totalPages := (total + perPage - 1) / perPage
+	writeJSON(w, http.StatusOK, map[string]any{
+		"teams":       resp,
+		"total":       total,
+		"page":        page,
+		"per_page":    perPage,
+		"total_pages": totalPages,
+	})
+}
+
+// AdminDeleteTeam handles DELETE /v1/admin/teams/{id}
+// Soft-deletes a team and destroys all its active sandboxes.
+func (h *teamHandler) AdminDeleteTeam(w http.ResponseWriter, r *http.Request) {
+	teamIDStr := chi.URLParam(r, "id")
+
+	teamID, err := id.ParseTeamID(teamIDStr)
+	if err != nil {
+		writeError(w, http.StatusBadRequest, "invalid_request", "invalid team ID")
+		return
+	}
+
+	if err := h.svc.AdminDeleteTeam(r.Context(), teamID); err != nil {
+		status, code, msg := serviceErrToHTTP(err)
+		writeError(w, status, code, msg)
+		return
+	}
+
+	w.WriteHeader(http.StatusNoContent)
+}
diff --git a/internal/api/handlers_users.go b/internal/api/handlers_users.go
index 5f9ef6a..f8a8b67 100644
--- a/internal/api/handlers_users.go
+++ b/internal/api/handlers_users.go
@@ -1,22 +1,27 @@
 package api
 
 import (
+	"fmt"
 	"net/http"
 	"strings"
+	"time"
 
+	"github.com/go-chi/chi/v5"
 	"github.com/jackc/pgx/v5/pgtype"
 
-	"git.omukk.dev/wrenn/wrenn/internal/auth"
-	"git.omukk.dev/wrenn/wrenn/internal/db"
-	"git.omukk.dev/wrenn/wrenn/internal/id"
+	"git.omukk.dev/wrenn/wrenn/pkg/auth"
+	"git.omukk.dev/wrenn/wrenn/pkg/db"
+	"git.omukk.dev/wrenn/wrenn/pkg/id"
+	"git.omukk.dev/wrenn/wrenn/pkg/service"
 )
 
 type usersHandler struct {
-	db *db.Queries
+	db  *db.Queries
+	svc *service.UserService
 }
 
-func newUsersHandler(db *db.Queries) *usersHandler {
-	return &usersHandler{db: db}
+func newUsersHandler(db *db.Queries, svc *service.UserService) *usersHandler {
+	return &usersHandler{db: db, svc: svc}
 }
 
 // Search handles GET /v1/users/search?email=<prefix>
@@ -50,3 +55,96 @@ func (h *usersHandler) Search(w http.ResponseWriter, r *http.Request) {
 	}
 	writeJSON(w, http.StatusOK, resp)
 }
+
+// AdminListUsers handles GET /v1/admin/users?page=1
+// Returns a paginated list of all users with team counts.
+func (h *usersHandler) AdminListUsers(w http.ResponseWriter, r *http.Request) {
+	page := 1
+	if p := r.URL.Query().Get("page"); p != "" {
+		if _, err := fmt.Sscanf(p, "%d", &page); err != nil || page < 1 {
+			page = 1
+		}
+	}
+	const perPage = 100
+	offset := int32((page - 1) * perPage)
+
+	users, total, err := h.svc.AdminListUsers(r.Context(), perPage, offset)
+	if err != nil {
+		status, code, msg := serviceErrToHTTP(err)
+		writeError(w, status, code, msg)
+		return
+	}
+
+	type adminUserResponse struct {
+		ID          string `json:"id"`
+		Email       string `json:"email"`
+		Name        string `json:"name"`
+		IsAdmin     bool   `json:"is_admin"`
+		Status      string `json:"status"`
+		CreatedAt   string `json:"created_at"`
+		TeamsJoined int32  `json:"teams_joined"`
+		TeamsOwned  int32  `json:"teams_owned"`
+	}
+
+	resp := make([]adminUserResponse, len(users))
+	for i, u := range users {
+		resp[i] = adminUserResponse{
+			ID:          id.FormatUserID(u.ID),
+			Email:       u.Email,
+			Name:        u.Name,
+			IsAdmin:     u.IsAdmin,
+			Status:      u.Status,
+			CreatedAt:   u.CreatedAt.Format(time.RFC3339),
+			TeamsJoined: u.TeamsJoined,
+			TeamsOwned:  u.TeamsOwned,
+		}
+	}
+
+	totalPages := (total + perPage - 1) / perPage
+	writeJSON(w, http.StatusOK, map[string]any{
+		"users":       resp,
+		"total":       total,
+		"page":        page,
+		"per_page":    perPage,
+		"total_pages": totalPages,
+	})
+}
+
+// SetUserActive handles PUT /v1/admin/users/{id}/active
+// Enables or disables a user account. Admins cannot deactivate themselves.
+func (h *usersHandler) SetUserActive(w http.ResponseWriter, r *http.Request) {
+	ac := auth.MustFromContext(r.Context())
+	userIDStr := chi.URLParam(r, "id")
+
+	userID, err := id.ParseUserID(userIDStr)
+	if err != nil {
+		writeError(w, http.StatusBadRequest, "invalid_request", "invalid user ID")
+		return
+	}
+
+	var req struct {
+		Active bool `json:"active"`
+	}
+	if err := decodeJSON(r, &req); err != nil {
+		writeError(w, http.StatusBadRequest, "invalid_request", "invalid JSON body")
+		return
+	}
+
+	if ac.UserID == userID && !req.Active {
+		writeError(w, http.StatusBadRequest, "invalid_request", "cannot deactivate your own account")
+		return
+	}
+
+	newStatus := "active"
+	if !req.Active {
+		newStatus = "disabled"
+	}
+
+	if err := h.svc.SetUserStatus(r.Context(), userID, newStatus); err != nil {
+		httpStatus, code, msg := serviceErrToHTTP(err)
+		writeError(w, httpStatus, code, msg)
+		return
+	}
+
+	w.WriteHeader(http.StatusNoContent)
+}
diff --git a/internal/api/helpers_ws.go b/internal/api/helpers_ws.go
new file mode 100644
index 0000000..ec1c126
--- /dev/null
+++ b/internal/api/helpers_ws.go
@@ -0,0 +1,109 @@
+package api
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+	"strings"
+	"time"
+
+	"github.com/gorilla/websocket"
+
+	"git.omukk.dev/wrenn/wrenn/pkg/auth"
+	"git.omukk.dev/wrenn/wrenn/pkg/db"
+	"git.omukk.dev/wrenn/wrenn/pkg/id"
+)
+
+// isWebSocketUpgrade returns true if the request is a WebSocket upgrade.
+func isWebSocketUpgrade(r *http.Request) bool {
+	return strings.EqualFold(r.Header.Get("Upgrade"), "websocket")
+}
+
+// ctxKeyAdminWS is a context key for flagging admin WS routes.
+type ctxKeyAdminWS struct{}
+
+// setAdminWSFlag marks the context as an admin WebSocket route.
+func setAdminWSFlag(ctx context.Context) context.Context {
+	return context.WithValue(ctx, ctxKeyAdminWS{}, true)
+}
+
+// isAdminWSRoute checks if the request context was marked as admin WS.
+func isAdminWSRoute(ctx context.Context) bool {
+	v, _ := ctx.Value(ctxKeyAdminWS{}).(bool)
+	return v
+}
+
+// wsAuthMsg is the first message a browser WS client sends to authenticate.
+type wsAuthMsg struct {
+	Type  string `json:"type"`
+	Token string `json:"token"`
+}
+
+// wsAuthenticate reads a JWT auth message from the WebSocket and returns the
+// authenticated context. The caller must send this as the first message after
+// connecting.
+func wsAuthenticate(ctx context.Context, conn *websocket.Conn, jwtSecret []byte, queries *db.Queries) (auth.AuthContext, error) {
+	conn.SetReadDeadline(time.Now().Add(5 * time.Second))
+
+	var msg wsAuthMsg
+	if err := conn.ReadJSON(&msg); err != nil {
+		return auth.AuthContext{}, fmt.Errorf("read auth message: %w", err)
+	}
+
+	conn.SetReadDeadline(time.Time{}) // clear deadline
+
+	if msg.Type != "auth" || msg.Token == "" {
+		return auth.AuthContext{}, fmt.Errorf("first message must be type 'auth' with a token")
+	}
+
+	claims, err := auth.VerifyJWT(jwtSecret, msg.Token)
+	if err != nil {
+		return auth.AuthContext{}, fmt.Errorf("invalid or expired token: %w", err)
+	}
+
+	teamID, err := id.ParseTeamID(claims.TeamID)
+	if err != nil {
+		return auth.AuthContext{}, fmt.Errorf("invalid team ID in token: %w", err)
+	}
+
+	userID, err := id.ParseUserID(claims.Subject)
+	if err != nil {
+		return auth.AuthContext{}, fmt.Errorf("invalid user ID in token: %w", err)
+	}
+
+	user, err := queries.GetUserByID(ctx, userID)
+	if err != nil {
+		return auth.AuthContext{}, fmt.Errorf("user not found")
+	}
+	if user.Status != "active" {
+		return auth.AuthContext{}, fmt.Errorf("account deactivated")
+	}
+
+	return auth.AuthContext{
+		TeamID: teamID,
+		UserID: userID,
+		Email:  claims.Email,
+		Name:   claims.Name,
+		Role:   claims.Role,
+	}, nil
+}
+
+// wsAuthenticateAdmin performs WS-based auth and verifies admin status,
+// returning an AuthContext with the platform team ID.
+func wsAuthenticateAdmin(ctx context.Context, conn *websocket.Conn, jwtSecret []byte, queries *db.Queries) (auth.AuthContext, error) {
+	ac, err := wsAuthenticate(ctx, conn, jwtSecret, queries)
+	if err != nil {
+		return auth.AuthContext{}, err
+	}
+
+	user, err := queries.GetUserByID(ctx, ac.UserID)
+	if err != nil {
+		return auth.AuthContext{}, fmt.Errorf("user not found")
+	}
+	if !user.IsAdmin {
+		return auth.AuthContext{}, fmt.Errorf("admin access required")
+	}
+
+	ac.TeamID = id.PlatformTeamID
+	return ac, nil
+}
diff --git a/internal/api/host_monitor.go b/internal/api/host_monitor.go
index 0779de8..763555e 100644
--- a/internal/api/host_monitor.go
+++ b/internal/api/host_monitor.go
@@ -8,10 +8,10 @@ import (
 	"connectrpc.com/connect"
 	"github.com/jackc/pgx/v5/pgtype"
 
-	"git.omukk.dev/wrenn/wrenn/internal/audit"
-	"git.omukk.dev/wrenn/wrenn/internal/db"
-	"git.omukk.dev/wrenn/wrenn/internal/id"
-	"git.omukk.dev/wrenn/wrenn/internal/lifecycle"
+	"git.omukk.dev/wrenn/wrenn/pkg/audit"
+	"git.omukk.dev/wrenn/wrenn/pkg/db"
+	"git.omukk.dev/wrenn/wrenn/pkg/id"
+	"git.omukk.dev/wrenn/wrenn/pkg/lifecycle"
 	pb "git.omukk.dev/wrenn/wrenn/proto/hostagent/gen"
 )
 
diff --git a/internal/api/metrics_sampler.go b/internal/api/metrics_sampler.go
index 096c2a2..864a789 100644
--- a/internal/api/metrics_sampler.go
+++ b/internal/api/metrics_sampler.go
@@ -5,7 +5,7 @@ import (
 	"log/slog"
 	"time"
 
-	"git.omukk.dev/wrenn/wrenn/internal/db"
+	"git.omukk.dev/wrenn/wrenn/pkg/db"
 )
 
 // MetricsSampler records per-team sandbox resource usage to
diff --git a/internal/api/middleware.go b/internal/api/middleware.go
index cf9108f..b1c9f00 100644
--- a/internal/api/middleware.go
+++ b/internal/api/middleware.go
@@ -14,7 +14,7 @@ import (
 	"connectrpc.com/connect"
 	"github.com/jackc/pgx/v5/pgtype"
 
-	"git.omukk.dev/wrenn/wrenn/internal/id"
+	"git.omukk.dev/wrenn/wrenn/pkg/id"
 )
 
 type errorResponse struct {
@@ -50,8 +50,12 @@ func agentErrToHTTP(err error) (int, string, string) {
 		return http.StatusNotFound, "not_found", err.Error()
 	case connect.CodeInvalidArgument:
 		return http.StatusBadRequest, "invalid_request", err.Error()
-	case connect.CodeFailedPrecondition:
+	case connect.CodeFailedPrecondition, connect.CodeAlreadyExists:
 		return http.StatusConflict, "conflict", err.Error()
+	case connect.CodePermissionDenied:
+		return http.StatusForbidden, "forbidden", err.Error()
+	case connect.CodeUnimplemented:
+		return http.StatusNotImplemented, "agent_error", err.Error()
 	default:
 		return http.StatusBadGateway, "agent_error", err.Error()
 	}
@@ -90,21 +94,25 @@ func serviceErrToHTTP(err error) (int, string, string) {
 	}
 
 	// Map well-known service error patterns.
+	// Return generic messages for most cases to avoid leaking internal details.
 	switch {
 	case strings.Contains(msg, "not found"):
-		return http.StatusNotFound, "not_found", msg
-	case strings.Contains(msg, "not running"), strings.Contains(msg, "not paused"):
-		return http.StatusConflict, "invalid_state", msg
+		return http.StatusNotFound, "not_found", "resource not found"
+	case strings.Contains(msg, "not running"):
+		return http.StatusConflict, "invalid_state", "resource is not running"
+	case strings.Contains(msg, "not paused"):
+		return http.StatusConflict, "invalid_state", "resource is not paused"
 	case strings.Contains(msg, "conflict:"):
-		return http.StatusConflict, "conflict", msg
+		return http.StatusConflict, "conflict", strings.TrimPrefix(msg, "conflict: ")
 	case strings.Contains(msg, "forbidden"):
-		return http.StatusForbidden, "forbidden", msg
+		return http.StatusForbidden, "forbidden", "forbidden"
 	case strings.Contains(msg, "invalid or expired"):
-		return http.StatusUnauthorized, "unauthorized", msg
+		return http.StatusUnauthorized, "unauthorized", "invalid or expired credentials"
 	case strings.Contains(msg, "invalid"):
-		return http.StatusBadRequest, "invalid_request", msg
+		return http.StatusBadRequest, "invalid_request", "invalid request"
 	default:
-		return http.StatusInternalServerError, "internal_error", msg
+		slog.Error("unhandled service error", "error", err)
+		return http.StatusInternalServerError, "internal_error", "an internal error occurred"
 	}
 }
 
diff --git a/internal/api/middleware_admin.go b/internal/api/middleware_admin.go
index 0df76d2..670c586 100644
--- a/internal/api/middleware_admin.go
+++ b/internal/api/middleware_admin.go
@@ -3,19 +3,47 @@ package api
 import (
 	"net/http"
 
-	"git.omukk.dev/wrenn/wrenn/internal/auth"
-	"git.omukk.dev/wrenn/wrenn/internal/db"
+	"git.omukk.dev/wrenn/wrenn/pkg/auth"
+	"git.omukk.dev/wrenn/wrenn/pkg/db"
+	"git.omukk.dev/wrenn/wrenn/pkg/id"
 )
 
+// injectPlatformTeam overwrites the AuthContext's TeamID with the platform
+// sentinel UUID. This lets existing team-scoped handlers (exec, files, pty,
+// metrics) work unchanged under admin routes. Must run after requireAdmin.
+func injectPlatformTeam() func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			if _, ok := auth.FromContext(r.Context()); !ok {
+				// No auth context yet (WS upgrade); handler will inject platform team after WS auth.
+				next.ServeHTTP(w, r)
+				return
+			}
+			ac := auth.MustFromContext(r.Context())
+			ac.TeamID = id.PlatformTeamID
+			ctx := auth.WithAuthContext(r.Context(), ac)
+			next.ServeHTTP(w, r.WithContext(ctx))
+		})
+	}
+}
+
 // requireAdmin validates that the authenticated user is a platform admin.
 // Must run after requireJWT (depends on AuthContext being present).
 // Re-validates against the DB — the JWT is_admin claim is for UI only;
 // the DB is the source of truth for admin access.
+// WebSocket upgrade requests without auth context are passed through —
+// admin WS handlers verify admin status after upgrade via wsAuthenticateAdmin.
 func requireAdmin(queries *db.Queries) func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			ac, ok := auth.FromContext(r.Context())
 			if !ok {
+				if isWebSocketUpgrade(r) {
+					ctx := r.Context()
+					ctx = setAdminWSFlag(ctx)
+					next.ServeHTTP(w, r.WithContext(ctx))
+					return
+				}
 				writeError(w, http.StatusUnauthorized, "unauthorized", "authentication required")
 				return
 			}
diff --git a/internal/api/middleware_auth.go b/internal/api/middleware_auth.go
index c8e2056..b671047 100644
--- a/internal/api/middleware_auth.go
+++ b/internal/api/middleware_auth.go
@@ -5,9 +5,9 @@ import (
 	"net/http"
 	"strings"
 
-	"git.omukk.dev/wrenn/wrenn/internal/auth"
-	"git.omukk.dev/wrenn/wrenn/internal/db"
-	"git.omukk.dev/wrenn/wrenn/internal/id"
+	"git.omukk.dev/wrenn/wrenn/pkg/auth"
+	"git.omukk.dev/wrenn/wrenn/pkg/db"
+	"git.omukk.dev/wrenn/wrenn/pkg/id"
 )
 
 // requireAPIKeyOrJWT accepts either X-API-Key header or Authorization: Bearer JWT.
@@ -38,9 +38,12 @@ func requireAPIKeyOrJWT(queries *db.Queries, jwtSecret []byte) func(http.Handler
 				return
 			}
 
-			// Try JWT bearer token.
+			// Try JWT bearer token from Authorization header.
+			tokenStr := ""
 			if header := r.Header.Get("Authorization"); strings.HasPrefix(header, "Bearer ") {
-				tokenStr := strings.TrimPrefix(header, "Bearer ")
+				tokenStr = strings.TrimPrefix(header, "Bearer ")
+			}
+			if tokenStr != "" {
 				claims, err := auth.VerifyJWT(jwtSecret, tokenStr)
 				if err != nil {
 					slog.Warn("jwt auth failed", "error", err, "ip", r.RemoteAddr)
@@ -59,6 +62,18 @@ func requireAPIKeyOrJWT(queries *db.Queries, jwtSecret []byte) func(http.Handler
 					return
 				}
 
+				// Verify user is still active in the database.
+				user, err := queries.GetUserByID(r.Context(), userID)
+				if err != nil {
+					slog.Warn("jwt auth: failed to look up user", "user_id", claims.Subject, "error", err)
+					writeError(w, http.StatusUnauthorized, "unauthorized", "user not found")
+					return
+				}
+				if user.Status != "active" {
+					writeError(w, http.StatusForbidden, "account_deactivated", "your account has been deactivated — contact your administrator to regain access")
+					return
+				}
+
 				ctx := auth.WithAuthContext(r.Context(), auth.AuthContext{
 					TeamID: teamID,
 					UserID: userID,
@@ -70,7 +85,15 @@ func requireAPIKeyOrJWT(queries *db.Queries, jwtSecret []byte) func(http.Handler
 				return
 			}
 
+			// WebSocket upgrade requests may not carry auth headers (browsers
+			// cannot set custom headers on WS connections). Pass through —
+			// the WS handler authenticates via the first message after upgrade.
+			if isWebSocketUpgrade(r) {
+				next.ServeHTTP(w, r)
+				return
+			}
+
 			writeError(w, http.StatusUnauthorized, "unauthorized", "X-API-Key or Authorization: Bearer <token> required")
 		})
 	}
-}
+}
\ No newline at end of file
diff --git a/internal/api/middleware_hosttoken.go b/internal/api/middleware_hosttoken.go
index 9f8cfc0..39ebdd9 100644
--- a/internal/api/middleware_hosttoken.go
+++ b/internal/api/middleware_hosttoken.go
@@ -3,8 +3,8 @@ package api
 import (
 	"net/http"
 
-	"git.omukk.dev/wrenn/wrenn/internal/auth"
-	"git.omukk.dev/wrenn/wrenn/internal/id"
+	"git.omukk.dev/wrenn/wrenn/pkg/auth"
+	"git.omukk.dev/wrenn/wrenn/pkg/id"
 )
 
 // requireHostToken validates the X-Host-Token header containing a host JWT,
diff --git a/internal/api/middleware_jwt.go b/internal/api/middleware_jwt.go
index 16852e6..b19c838 100644
--- a/internal/api/middleware_jwt.go
+++ b/internal/api/middleware_jwt.go
@@ -1,25 +1,37 @@
 package api
 
 import (
+	"log/slog"
 	"net/http"
 	"strings"
 
-	"git.omukk.dev/wrenn/wrenn/internal/auth"
-	"git.omukk.dev/wrenn/wrenn/internal/id"
+	"git.omukk.dev/wrenn/wrenn/pkg/auth"
+	"git.omukk.dev/wrenn/wrenn/pkg/db"
+	"git.omukk.dev/wrenn/wrenn/pkg/id"
 )
 
-// requireJWT validates the Authorization: Bearer <token> header, verifies the JWT
-// signature and expiry, and stamps UserID + TeamID + Email into the request context.
-func requireJWT(secret []byte) func(http.Handler) http.Handler {
+// requireJWT validates a JWT from the Authorization: Bearer header.
+// It also verifies the user is still active in the database.
+// WebSocket upgrade requests without an Authorization header are passed through
+// — WS handlers authenticate via the first message after upgrade.
+func requireJWT(secret []byte, queries *db.Queries) func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			header := r.Header.Get("Authorization")
-			if !strings.HasPrefix(header, "Bearer ") {
+			var tokenStr string
+			if header := r.Header.Get("Authorization"); strings.HasPrefix(header, "Bearer ") {
+				tokenStr = strings.TrimPrefix(header, "Bearer ")
+			}
+			if tokenStr == "" {
+				// WebSocket upgrade requests may not have an Authorization header
+				// (browsers cannot set custom headers on WS connections). Let them
+				// through — the handler authenticates via the first WS message.
+				if isWebSocketUpgrade(r) {
+					next.ServeHTTP(w, r)
+					return
+				}
 				writeError(w, http.StatusUnauthorized, "unauthorized", "Authorization: Bearer <token> required")
 				return
 			}
-
-			tokenStr := strings.TrimPrefix(header, "Bearer ")
 			claims, err := auth.VerifyJWT(secret, tokenStr)
 			if err != nil {
 				writeError(w, http.StatusUnauthorized, "unauthorized", "invalid or expired token")
@@ -37,6 +49,18 @@ func requireJWT(secret []byte) func(http.Handler) http.Handler {
 				return
 			}
 
+			// Verify user is still active in the database.
+			user, err := queries.GetUserByID(r.Context(), userID)
+			if err != nil {
+				slog.Warn("jwt auth: failed to look up user", "user_id", claims.Subject, "error", err)
+				writeError(w, http.StatusUnauthorized, "unauthorized", "user not found")
+				return
+			}
+			if user.Status != "active" {
+				writeError(w, http.StatusForbidden, "account_deactivated", "your account has been deactivated — contact your administrator to regain access")
+				return
+			}
+
 			ctx := auth.WithAuthContext(r.Context(), auth.AuthContext{
 				TeamID:  teamID,
 				UserID:  userID,
diff --git a/internal/api/openapi.yaml b/internal/api/openapi.yaml
index 0b4fe74..f4c369d 100644
--- a/internal/api/openapi.yaml
+++ b/internal/api/openapi.yaml
@@ -1,6 +1,6 @@
 openapi: "3.1.0"
 info:
-  title: Wrenn Sandbox API
+  title: Wrenn API
   description: MicroVM-based code execution platform API.
   version: "0.1.0"
 
@@ -16,6 +16,10 @@ paths:
       summary: Create a new account
       operationId: signup
       tags: [auth]
+      description: |
+        Creates an inactive user account and sends an activation email.
+        The user must activate their account within 30 minutes.
+        Does not return a JWT — the user must activate first, then sign in.
       requestBody:
         required: true
         content:
@@ -24,11 +28,11 @@ paths:
               $ref: "#/components/schemas/SignupRequest"
       responses:
         "201":
-          description: Account created
+          description: Account created, activation email sent
           content:
             application/json:
               schema:
-                $ref: "#/components/schemas/AuthResponse"
+                $ref: "#/components/schemas/SignupResponse"
         "400":
           description: Invalid request (bad email, short password)
           content:
@@ -36,7 +40,39 @@ paths:
               schema:
                 $ref: "#/components/schemas/Error"
         "409":
-          description: Email already registered
+          description: Email already registered or signup cooldown active
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/Error"
+
+  /v1/auth/activate:
+    post:
+      summary: Activate account via email token
+      operationId: activate
+      tags: [auth]
+      description: |
+        Consumes the activation token sent via email and activates the user account.
+        Creates a default team and returns a JWT to log the user in.
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              type: object
+              required: [token]
+              properties:
+                token:
+                  type: string
+      responses:
+        "200":
+          description: Account activated, JWT issued
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/AuthResponse"
+        "400":
+          description: Invalid or expired token
           content:
             application/json:
               schema:
@@ -175,6 +211,252 @@ paths:
         "302":
           description: Redirect to frontend with token or error
 
+  /v1/me:
+    get:
+      summary: Get current user profile
+      operationId: getMe
+      tags: [account]
+      security:
+        - bearerAuth: []
+      responses:
+        "200":
+          description: User profile
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/MeResponse"
+
+    patch:
+      summary: Update display name
+      operationId: updateName
+      tags: [account]
+      security:
+        - bearerAuth: []
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              type: object
+              required: [name]
+              properties:
+                name:
+                  type: string
+                  minLength: 1
+                  maxLength: 100
+      responses:
+        "200":
+          description: Name updated, new JWT issued
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/AuthResponse"
+        "400":
+          description: Invalid name
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/Error"
+
+    delete:
+      summary: Delete current account
+      operationId: deleteAccount
+      tags: [account]
+      security:
+        - bearerAuth: []
+      description: |
+        Soft-deletes the account (sets status=deleted, deleted_at=now).
+        The account is permanently removed after 15 days. Blocked if the user
+        owns any team that has other members.
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              type: object
+              required: [confirmation]
+              properties:
+                confirmation:
+                  type: string
+                  description: Must match the user's email address (case-insensitive)
+      responses:
+        "204":
+          description: Account scheduled for deletion
+        "400":
+          description: Confirmation does not match email
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/Error"
+        "409":
+          description: User owns teams with other members
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/Error"
+
+  /v1/me/password:
+    post:
+      summary: Change or add password
+      operationId: changePassword
+      tags: [account]
+      security:
+        - bearerAuth: []
+      description: |
+        For users with an existing password: requires `current_password` and `new_password`.
+        For OAuth-only users adding a password: requires `new_password` and `confirm_password`.
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              $ref: "#/components/schemas/ChangePasswordRequest"
+      responses:
+        "204":
+          description: Password updated
+        "400":
+          description: Invalid request (short password, mismatch, etc.)
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/Error"
+        "401":
+          description: Current password is incorrect
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/Error"
+
+  /v1/me/password/reset:
+    post:
+      summary: Request a password reset email
+      operationId: requestPasswordReset
+      tags: [account]
+      description: |
+        Sends a password reset link to the given email. Always returns 200
+        regardless of whether the email exists, to prevent account enumeration.
+        The reset token expires in 15 minutes.
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              type: object
+              required: [email]
+              properties:
+                email:
+                  type: string
+                  format: email
+      responses:
+        "204":
+          description: Request accepted (email sent if account exists)
+
+  /v1/me/password/reset/confirm:
+    post:
+      summary: Confirm password reset
+      operationId: confirmPasswordReset
+      tags: [account]
+      description: |
+        Consumes a password reset token and sets a new password. The token is
+        single-use and expires after 15 minutes.
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              type: object
+              required: [token, new_password]
+              properties:
+                token:
+                  type: string
+                  description: Raw reset token from the email link
+                new_password:
+                  type: string
+                  minLength: 8
+      responses:
+        "204":
+          description: Password reset successful
+        "400":
+          description: Invalid or expired token, or password too short
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/Error"
+
+  /v1/me/providers/{provider}/connect:
+    parameters:
+      - name: provider
+        in: path
+        required: true
+        schema:
+          type: string
+          enum: [github]
+        description: OAuth provider name
+
+    get:
+      summary: Initiate OAuth provider link
+      operationId: connectProvider
+      tags: [account]
+      security:
+        - bearerAuth: []
+      description: |
+        Sets OAuth state and link cookies, then returns the provider's
+        authorization URL. The frontend navigates to this URL to start the
+        OAuth flow. On callback, the provider is linked to the current account
+        (not a new registration).
+      responses:
+        "200":
+          description: Authorization URL
+          content:
+            application/json:
+              schema:
+                type: object
+                properties:
+                  auth_url:
+                    type: string
+                    format: uri
+        "404":
+          description: Provider not found or not configured
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/Error"
+
+  /v1/me/providers/{provider}:
+    parameters:
+      - name: provider
+        in: path
+        required: true
+        schema:
+          type: string
+          enum: [github]
+        description: OAuth provider name
+
+    delete:
+      summary: Disconnect an OAuth provider
+      operationId: disconnectProvider
+      tags: [account]
+      security:
+        - bearerAuth: []
+      description: |
+        Unlinks the OAuth provider from the current account. Blocked if this
+        is the user's only login method (no password and no other providers).
+      responses:
+        "204":
+          description: Provider disconnected
+        "400":
+          description: Cannot disconnect last login method
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/Error"
+        "404":
+          description: Provider not connected
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/Error"
+
   /v1/api-keys:
     post:
       summary: Create an API key
@@ -393,7 +675,7 @@ paths:
         - bearerAuth: []
       description: |
         Owner only. Soft-deletes the team and destroys all running/paused/starting
-        sandboxes. All DB records are preserved. The team slug is permanently reserved.
+        capsulees. All DB records are preserved. The team slug is permanently reserved.
       responses:
         "204":
           description: Team deleted
@@ -570,11 +852,11 @@ paths:
               schema:
                 $ref: "#/components/schemas/Error"
 
-  /v1/sandboxes:
+  /v1/capsules:
     post:
-      summary: Create a sandbox
-      operationId: createSandbox
-      tags: [sandboxes]
+      summary: Create a capsule
+      operationId: createCapsule
+      tags: [capsules]
       security:
         - apiKeyAuth: []
       requestBody:
@@ -582,14 +864,14 @@ paths:
         content:
           application/json:
             schema:
-              $ref: "#/components/schemas/CreateSandboxRequest"
+              $ref: "#/components/schemas/CreateCapsuleRequest"
       responses:
         "201":
-          description: Sandbox created
+          description: Capsule created
           content:
             application/json:
               schema:
-                $ref: "#/components/schemas/Sandbox"
+                $ref: "#/components/schemas/Capsule"
         "502":
           description: Host agent error
           content:
@@ -598,26 +880,26 @@ paths:
                 $ref: "#/components/schemas/Error"
 
     get:
-      summary: List sandboxes for your team
-      operationId: listSandboxes
-      tags: [sandboxes]
+      summary: List capsulees for your team
+      operationId: listCapsules
+      tags: [capsules]
       security:
         - apiKeyAuth: []
       responses:
         "200":
-          description: List of sandboxes
+          description: List of capsulees
           content:
             application/json:
               schema:
                 type: array
                 items:
-                  $ref: "#/components/schemas/Sandbox"
+                  $ref: "#/components/schemas/Capsule"
 
-  /v1/sandboxes/stats:
+  /v1/capsules/stats:
     get:
-      summary: Get sandbox usage stats for your team
-      operationId: getSandboxStats
-      tags: [sandboxes]
+      summary: Get capsule usage stats for your team
+      operationId: getCapsuleStats
+      tags: [capsules]
       security:
         - apiKeyAuth: []
       parameters:
@@ -631,15 +913,15 @@ paths:
           description: Time window for the time-series data.
       responses:
         "200":
-          description: Sandbox stats for the team
+          description: Capsule stats for the team
           content:
             application/json:
               schema:
-                $ref: "#/components/schemas/SandboxStats"
+                $ref: "#/components/schemas/CapsuleStats"
         "400":
           $ref: "#/components/responses/BadRequest"
 
-  /v1/sandboxes/{id}:
+  /v1/capsules/{id}:
     parameters:
       - name: id
         in: path
@@ -648,36 +930,36 @@ paths:
           type: string
 
     get:
-      summary: Get sandbox details
-      operationId: getSandbox
-      tags: [sandboxes]
+      summary: Get capsule details
+      operationId: getCapsule
+      tags: [capsules]
       security:
         - apiKeyAuth: []
       responses:
         "200":
-          description: Sandbox details
+          description: Capsule details
           content:
             application/json:
               schema:
-                $ref: "#/components/schemas/Sandbox"
+                $ref: "#/components/schemas/Capsule"
         "404":
-          description: Sandbox not found
+          description: Capsule not found
           content:
             application/json:
               schema:
                 $ref: "#/components/schemas/Error"
 
     delete:
-      summary: Destroy a sandbox
-      operationId: destroySandbox
-      tags: [sandboxes]
+      summary: Destroy a capsule
+      operationId: destroyCapsule
+      tags: [capsules]
       security:
         - apiKeyAuth: []
       responses:
         "204":
-          description: Sandbox destroyed
+          description: Capsule destroyed
 
-  /v1/sandboxes/{id}/exec:
+  /v1/capsules/{id}/exec:
     parameters:
       - name: id
         in: path
@@ -688,7 +970,7 @@ paths:
     post:
       summary: Execute a command
       operationId: execCommand
-      tags: [sandboxes]
+      tags: [capsules]
       security:
         - apiKeyAuth: []
       requestBody:
@@ -699,59 +981,31 @@ paths:
               $ref: "#/components/schemas/ExecRequest"
       responses:
         "200":
-          description: Command output
+          description: Command output (foreground exec)
           content:
             application/json:
               schema:
                 $ref: "#/components/schemas/ExecResponse"
+        "202":
+          description: Background process started
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/BackgroundExecResponse"
         "404":
-          description: Sandbox not found
+          description: Capsule not found
           content:
             application/json:
               schema:
                 $ref: "#/components/schemas/Error"
         "409":
-          description: Sandbox not running
+          description: Capsule not running
           content:
             application/json:
               schema:
                 $ref: "#/components/schemas/Error"
 
-  /v1/sandboxes/{id}/ping:
-    parameters:
-      - name: id
-        in: path
-        required: true
-        schema:
-          type: string
-
-    post:
-      summary: Reset sandbox inactivity timer
-      operationId: pingSandbox
-      tags: [sandboxes]
-      security:
-        - apiKeyAuth: []
-      description: |
-        Resets the last_active_at timestamp for a running sandbox, preventing
-        the auto-pause TTL from expiring. Use this as a keepalive for sandboxes
-        that are idle but should remain running.
-      responses:
-        "204":
-          description: Ping acknowledged, inactivity timer reset
-        "404":
-          description: Sandbox not found
-          content:
-            application/json:
-              schema:
-                $ref: "#/components/schemas/Error"
-        "409":
-          description: Sandbox not running
-          content:
-            application/json:
-              schema:
-                $ref: "#/components/schemas/Error"
-
-  /v1/sandboxes/{id}/metrics:
+  /v1/capsules/{id}/processes:
     parameters:
       - name: id
         in: path
@@ -760,22 +1014,172 @@ paths:
           type: string
 
     get:
-      summary: Get per-sandbox resource metrics
-      operationId: getSandboxMetrics
-      tags: [sandboxes]
+      summary: List running processes
+      operationId: listProcesses
+      tags: [capsules]
+      security:
+        - apiKeyAuth: []
+      description: |
+        Returns all running processes inside the capsule, including background
+        processes and any processes started by templates or init scripts.
+      responses:
+        "200":
+          description: Process list
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/ProcessListResponse"
+        "404":
+          description: Capsule not found
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/Error"
+        "409":
+          description: Capsule not running
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/Error"
+
+  /v1/capsules/{id}/processes/{selector}:
+    parameters:
+      - name: id
+        in: path
+        required: true
+        schema:
+          type: string
+      - name: selector
+        in: path
+        required: true
+        description: Process PID (numeric) or tag (string)
+        schema:
+          type: string
+
+    delete:
+      summary: Kill a process
+      operationId: killProcess
+      tags: [capsules]
+      security:
+        - apiKeyAuth: []
+      parameters:
+        - name: signal
+          in: query
+          required: false
+          description: Signal to send (SIGKILL or SIGTERM, default SIGKILL)
+          schema:
+            type: string
+            enum: [SIGKILL, SIGTERM]
+            default: SIGKILL
+      responses:
+        "204":
+          description: Process killed
+        "404":
+          description: Capsule or process not found
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/Error"
+        "409":
+          description: Capsule not running
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/Error"
+
+  /v1/capsules/{id}/processes/{selector}/stream:
+    parameters:
+      - name: id
+        in: path
+        required: true
+        schema:
+          type: string
+      - name: selector
+        in: path
+        required: true
+        description: Process PID (numeric) or tag (string)
+        schema:
+          type: string
+
+    get:
+      summary: Stream process output via WebSocket
+      operationId: connectProcess
+      tags: [capsules]
+      security:
+        - apiKeyAuth: []
+      description: |
+        Opens a WebSocket connection to stream stdout/stderr from a running
+        background process. The selector can be a numeric PID or a string tag.
+
+        Server sends JSON messages:
+        - `{"type": "start", "pid": 42}` — connected to process
+        - `{"type": "stdout", "data": "..."}` — stdout output
+        - `{"type": "stderr", "data": "..."}` — stderr output
+        - `{"type": "exit", "exit_code": 0}` — process exited
+        - `{"type": "error", "data": "..."}` — error message
+      responses:
+        "101":
+          description: WebSocket upgrade
+
+  /v1/capsules/{id}/ping:
+    parameters:
+      - name: id
+        in: path
+        required: true
+        schema:
+          type: string
+
+    post:
+      summary: Reset capsule inactivity timer
+      operationId: pingCapsule
+      tags: [capsules]
+      security:
+        - apiKeyAuth: []
+      description: |
+        Resets the last_active_at timestamp for a running capsule, preventing
+        the auto-pause TTL from expiring. Use this as a keepalive for capsulees
+        that are idle but should remain running.
+      responses:
+        "204":
+          description: Ping acknowledged, inactivity timer reset
+        "404":
+          description: Capsule not found
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/Error"
+        "409":
+          description: Capsule not running
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/Error"
+
+  /v1/capsules/{id}/metrics:
+    parameters:
+      - name: id
+        in: path
+        required: true
+        schema:
+          type: string
+
+    get:
+      summary: Get per-capsule resource metrics
+      operationId: getCapsuleMetrics
+      tags: [capsules]
       security:
         - apiKeyAuth: []
         - bearerAuth: []
       description: |
-        Returns time-series CPU, memory, and disk metrics for a sandbox.
+        Returns time-series CPU, memory, and disk metrics for a capsule.
         Three tiers are available with different granularity and retention:
         - `10m`: 500ms samples, last 10 minutes
         - `2h`: 30-second averages, last 2 hours
         - `24h`: 5-minute averages, last 24 hours
 
-        For running sandboxes, data comes from the host agent's in-memory
-        ring buffer. For paused sandboxes, data is read from persisted
-        snapshots in the database. Stopped/destroyed sandboxes return 404.
+        For running capsulees, data comes from the host agent's in-memory
+        ring buffer. For paused capsulees, data is read from persisted
+        snapshots in the database. Stopped/destroyed capsulees return 404.
       parameters:
         - name: range
           in: query
@@ -791,7 +1195,7 @@ paths:
           content:
             application/json:
               schema:
-                $ref: "#/components/schemas/SandboxMetrics"
+                $ref: "#/components/schemas/CapsuleMetrics"
         "400":
           description: Invalid range parameter
           content:
@@ -799,13 +1203,13 @@ paths:
               schema:
                 $ref: "#/components/schemas/Error"
         "404":
-          description: Sandbox not found or metrics not available
+          description: Capsule not found or metrics not available
           content:
             application/json:
               schema:
                 $ref: "#/components/schemas/Error"
 
-  /v1/sandboxes/{id}/pause:
+  /v1/capsules/{id}/pause:
     parameters:
       - name: id
         in: path
@@ -814,30 +1218,30 @@ paths:
           type: string
 
     post:
-      summary: Pause a running sandbox
-      operationId: pauseSandbox
-      tags: [sandboxes]
+      summary: Pause a running capsule
+      operationId: pauseCapsule
+      tags: [capsules]
       security:
         - apiKeyAuth: []
       description: |
-        Takes a snapshot of the sandbox (VM state + memory + rootfs), then
-        destroys all running resources. The sandbox exists only as files on
+        Takes a snapshot of the capsule (VM state + memory + rootfs), then
+        destroys all running resources. The capsule exists only as files on
         disk and can be resumed later.
       responses:
         "200":
-          description: Sandbox paused (snapshot taken, resources released)
+          description: Capsule paused (snapshot taken, resources released)
           content:
             application/json:
               schema:
-                $ref: "#/components/schemas/Sandbox"
+                $ref: "#/components/schemas/Capsule"
         "409":
-          description: Sandbox not running
+          description: Capsule not running
           content:
             application/json:
               schema:
                 $ref: "#/components/schemas/Error"
 
-  /v1/sandboxes/{id}/resume:
+  /v1/capsules/{id}/resume:
     parameters:
       - name: id
         in: path
@@ -846,24 +1250,24 @@ paths:
           type: string
 
     post:
-      summary: Resume a paused sandbox
-      operationId: resumeSandbox
-      tags: [sandboxes]
+      summary: Resume a paused capsule
+      operationId: resumeCapsule
+      tags: [capsules]
       security:
         - apiKeyAuth: []
       description: |
-        Restores a paused sandbox from its snapshot using UFFD for lazy
+        Restores a paused capsule from its snapshot using UFFD for lazy
         memory loading. Boots a fresh Firecracker process, sets up a new
         network slot, and waits for envd to become ready.
       responses:
         "200":
-          description: Sandbox resumed (new VM booted from snapshot)
+          description: Capsule resumed (new VM booted from snapshot)
           content:
             application/json:
               schema:
-                $ref: "#/components/schemas/Sandbox"
+                $ref: "#/components/schemas/Capsule"
         "409":
-          description: Sandbox not paused
+          description: Capsule not paused
           content:
             application/json:
               schema:
@@ -877,9 +1281,9 @@ paths:
       security:
         - apiKeyAuth: []
       description: |
-        Pauses a running sandbox, takes a full snapshot, copies the snapshot
+        Pauses a running capsule, takes a full snapshot, copies the snapshot
         files to the images directory as a reusable template, then destroys
-        the sandbox. The template can be used to create new sandboxes.
+        the capsule. The template can be used to create new capsulees.
       parameters:
         - name: overwrite
           in: query
@@ -902,7 +1306,7 @@ paths:
               schema:
                 $ref: "#/components/schemas/Template"
         "409":
-          description: Name already exists or sandbox not running
+          description: Name already exists or capsule not running
           content:
             application/json:
               schema:
@@ -957,7 +1361,7 @@ paths:
               schema:
                 $ref: "#/components/schemas/Error"
 
-  /v1/sandboxes/{id}/files/write:
+  /v1/capsules/{id}/files/write:
     parameters:
       - name: id
         in: path
@@ -968,7 +1372,7 @@ paths:
     post:
       summary: Upload a file
       operationId: uploadFile
-      tags: [sandboxes]
+      tags: [capsules]
       security:
         - apiKeyAuth: []
       requestBody:
@@ -981,7 +1385,7 @@ paths:
               properties:
                 path:
                   type: string
-                  description: Absolute destination path inside the sandbox
+                  description: Absolute destination path inside the capsule
                 file:
                   type: string
                   format: binary
@@ -990,7 +1394,7 @@ paths:
         "204":
           description: File uploaded
         "409":
-          description: Sandbox not running
+          description: Capsule not running
           content:
             application/json:
               schema:
@@ -1002,7 +1406,7 @@ paths:
               schema:
                 $ref: "#/components/schemas/Error"
 
-  /v1/sandboxes/{id}/files/read:
+  /v1/capsules/{id}/files/read:
     parameters:
       - name: id
         in: path
@@ -1013,7 +1417,7 @@ paths:
     post:
       summary: Download a file
       operationId: downloadFile
-      tags: [sandboxes]
+      tags: [capsules]
       security:
         - apiKeyAuth: []
       requestBody:
@@ -1031,13 +1435,129 @@ paths:
                 type: string
                 format: binary
         "404":
-          description: Sandbox or file not found
+          description: Capsule or file not found
           content:
             application/json:
               schema:
                 $ref: "#/components/schemas/Error"
 
-  /v1/sandboxes/{id}/exec/stream:
+  /v1/capsules/{id}/files/list:
+    parameters:
+      - name: id
+        in: path
+        required: true
+        schema:
+          type: string
+
+    post:
+      summary: List directory contents
+      operationId: listDir
+      tags: [capsules]
+      security:
+        - apiKeyAuth: []
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              $ref: "#/components/schemas/ListDirRequest"
+      responses:
+        "200":
+          description: Directory listing
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/ListDirResponse"
+        "404":
+          description: Capsule not found
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/Error"
+        "409":
+          description: Capsule not running
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/Error"
+
+  /v1/capsules/{id}/files/mkdir:
+    parameters:
+      - name: id
+        in: path
+        required: true
+        schema:
+          type: string
+
+    post:
+      summary: Create a directory
+      operationId: makeDir
+      tags: [capsules]
+      security:
+        - apiKeyAuth: []
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              $ref: "#/components/schemas/MakeDirRequest"
+      responses:
+        "200":
+          description: Directory created
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/MakeDirResponse"
+        "404":
+          description: Capsule not found
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/Error"
+        "409":
+          description: Capsule not running
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/Error"
+
+  /v1/capsules/{id}/files/remove:
+    parameters:
+      - name: id
+        in: path
+        required: true
+        schema:
+          type: string
+
+    post:
+      summary: Remove a file or directory
+      operationId: removePath
+      tags: [capsules]
+      security:
+        - apiKeyAuth: []
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              $ref: "#/components/schemas/RemoveRequest"
+      responses:
+        "204":
+          description: File or directory removed
+        "404":
+          description: Capsule not found
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/Error"
+        "409":
+          description: Capsule not running
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/Error"
+
+  /v1/capsules/{id}/exec/stream:
     parameters:
       - name: id
         in: path
@@ -1048,7 +1568,7 @@ paths:
     get:
       summary: Stream command execution via WebSocket
       operationId: execStream
-      tags: [sandboxes]
+      tags: [capsules]
       security:
         - apiKeyAuth: []
       description: |
@@ -1078,19 +1598,96 @@ paths:
         "101":
           description: WebSocket upgrade
         "404":
-          description: Sandbox not found
+          description: Capsule not found
           content:
             application/json:
               schema:
                 $ref: "#/components/schemas/Error"
         "409":
-          description: Sandbox not running
+          description: Capsule not running
           content:
             application/json:
               schema:
                 $ref: "#/components/schemas/Error"
 
-  /v1/sandboxes/{id}/files/stream/write:
+  /v1/capsules/{id}/pty:
+    parameters:
+      - name: id
+        in: path
+        required: true
+        schema:
+          type: string
+
+    get:
+      summary: Interactive PTY session via WebSocket
+      operationId: ptySession
+      tags: [capsules]
+      security:
+        - apiKeyAuth: []
+      description: |
+        Opens a WebSocket connection for an interactive PTY (terminal) session.
+        Supports creating new sessions, sending input, resizing, killing, and
+        reconnecting to existing sessions.
+
+        **Client sends** (first message — start a new PTY):
+        ```json
+        {
+          "type": "start",
+          "cmd": "/bin/bash",
+          "args": [],
+          "cols": 80,
+          "rows": 24,
+          "envs": {"TERM": "xterm-256color"},
+          "cwd": "/home/user",
+          "user": "user"
+        }
+        ```
+        All fields except `type` are optional. Defaults: cmd="/bin/bash", cols=80, rows=24.
+
+        **Client sends** (first message — reconnect to existing PTY):
+        ```json
+        {"type": "connect", "tag": "pty-abc123de"}
+        ```
+
+        **Client sends** (after session is established):
+        ```json
+        {"type": "input", "data": "<base64-encoded bytes>"}
+        {"type": "resize", "cols": 120, "rows": 40}
+        {"type": "kill"}
+        ```
+
+        **Server sends**:
+        ```json
+        {"type": "started", "tag": "pty-abc123de", "pid": 42}
+        {"type": "output", "data": "<base64-encoded PTY bytes>"}
+        {"type": "exit", "exit_code": 0}
+        {"type": "error", "data": "description", "fatal": true}
+        {"type": "ping"}
+        ```
+
+        PTY data (input and output) is base64-encoded because it contains raw
+        terminal bytes (escape sequences, control codes) that are not valid UTF-8.
+
+        Sessions persist across WebSocket disconnections — the process keeps
+        running in the capsule. Use the `tag` from the "started" response to
+        reconnect later.
+      responses:
+        "101":
+          description: WebSocket upgrade
+        "404":
+          description: Capsule not found
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/Error"
+        "409":
+          description: Capsule not running
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/Error"
+
+  /v1/capsules/{id}/files/stream/write:
     parameters:
       - name: id
         in: path
@@ -1101,11 +1698,11 @@ paths:
     post:
       summary: Upload a file (streaming)
       operationId: streamUploadFile
-      tags: [sandboxes]
+      tags: [capsules]
       security:
         - apiKeyAuth: []
       description: |
-        Streams file content to the sandbox without buffering in memory.
+        Streams file content to the capsule without buffering in memory.
         Suitable for large files. Uses the same multipart/form-data format
         as the non-streaming upload endpoint.
       requestBody:
@@ -1118,7 +1715,7 @@ paths:
               properties:
                 path:
                   type: string
-                  description: Absolute destination path inside the sandbox
+                  description: Absolute destination path inside the capsule
                 file:
                   type: string
                   format: binary
@@ -1127,19 +1724,19 @@ paths:
         "204":
           description: File uploaded
         "404":
-          description: Sandbox not found
+          description: Capsule not found
           content:
             application/json:
               schema:
                 $ref: "#/components/schemas/Error"
         "409":
-          description: Sandbox not running
+          description: Capsule not running
           content:
             application/json:
               schema:
                 $ref: "#/components/schemas/Error"
 
-  /v1/sandboxes/{id}/files/stream/read:
+  /v1/capsules/{id}/files/stream/read:
     parameters:
       - name: id
         in: path
@@ -1150,11 +1747,11 @@ paths:
     post:
       summary: Download a file (streaming)
       operationId: streamDownloadFile
-      tags: [sandboxes]
+      tags: [capsules]
       security:
         - apiKeyAuth: []
       description: |
-        Streams file content from the sandbox without buffering in memory.
+        Streams file content from the capsule without buffering in memory.
         Suitable for large files. Returns raw bytes with chunked transfer encoding.
       requestBody:
         required: true
@@ -1171,13 +1768,13 @@ paths:
                 type: string
                 format: binary
         "404":
-          description: Sandbox or file not found
+          description: Capsule or file not found
           content:
             application/json:
               schema:
                 $ref: "#/components/schemas/Error"
         "409":
-          description: Sandbox not running
+          description: Capsule not running
           content:
             application/json:
               schema:
@@ -1275,14 +1872,14 @@ paths:
       description: |
         Admins can delete any host. Team owners and admins can delete BYOC hosts
         belonging to their team. Without `?force=true`, returns 409 if the host
-        has active sandboxes. With `?force=true`, destroys all sandboxes first.
+        has active capsulees. With `?force=true`, destroys all capsulees first.
       parameters:
         - name: force
           in: query
           required: false
           schema:
             type: boolean
-          description: If true, destroy all sandboxes on the host before deleting.
+          description: If true, destroy all capsulees on the host before deleting.
       responses:
         "204":
           description: Host deleted
@@ -1293,11 +1890,11 @@ paths:
               schema:
                 $ref: "#/components/schemas/Error"
         "409":
-          description: Host has active sandboxes (only when force is not set)
+          description: Host has active capsulees (only when force is not set)
           content:
             application/json:
               schema:
-                $ref: "#/components/schemas/HostHasSandboxesError"
+                $ref: "#/components/schemas/HostHasCapsulesError"
 
   /v1/hosts/{id}/token:
     parameters:
@@ -1450,7 +2047,7 @@ paths:
       security:
         - bearerAuth: []
       description: |
-        Returns the list of sandbox IDs that would be destroyed if the host
+        Returns the list of capsule IDs that would be destroyed if the host
         were deleted with `?force=true`. No state is modified.
       responses:
         "200":
@@ -1723,7 +2320,7 @@ components:
       type: apiKey
       in: header
       name: X-API-Key
-      description: API key for sandbox lifecycle operations. Create via POST /v1/api-keys.
+      description: API key for capsule lifecycle operations. Create via POST /v1/api-keys.
 
     bearerAuth:
       type: http
@@ -1762,6 +2359,13 @@ components:
         password:
           type: string
 
+    SignupResponse:
+      type: object
+      properties:
+        message:
+          type: string
+          description: Confirmation message instructing user to check email
+
     AuthResponse:
       type: object
       properties:
@@ -1808,7 +2412,7 @@ components:
           description: Full plaintext key. Only returned on creation, never again.
           nullable: true
 
-    CreateSandboxRequest:
+    CreateCapsuleRequest:
       type: object
       properties:
         template:
@@ -1824,11 +2428,11 @@ components:
           type: integer
           default: 0
           description: >
-            Auto-pause TTL in seconds. The sandbox is automatically paused
+            Auto-pause TTL in seconds. The capsule is automatically paused
             after this duration of inactivity (no exec or ping). 0 means
             no auto-pause.
 
-    SandboxStats:
+    CapsuleStats:
       type: object
       properties:
         range:
@@ -1879,7 +2483,7 @@ components:
               items:
                 type: integer
 
-    Sandbox:
+    Capsule:
       type: object
       properties:
         id:
@@ -1920,7 +2524,7 @@ components:
       properties:
         sandbox_id:
           type: string
-          description: ID of the running sandbox to snapshot.
+          description: ID of the running capsule to snapshot.
         name:
           type: string
           description: Name for the snapshot template. Auto-generated if omitted.
@@ -1959,6 +2563,56 @@ components:
         timeout_sec:
           type: integer
           default: 30
+          description: Timeout in seconds (foreground exec only, default 30)
+        background:
+          type: boolean
+          default: false
+          description: If true, starts the process in the background and returns immediately with a PID and tag (HTTP 202)
+        tag:
+          type: string
+          description: Optional user-chosen tag for the background process. Auto-generated if omitted. Only used when background is true.
+        envs:
+          type: object
+          additionalProperties:
+            type: string
+          description: Environment variables for the process (background exec only)
+        cwd:
+          type: string
+          description: Working directory for the process (background exec only)
+
+    BackgroundExecResponse:
+      type: object
+      properties:
+        sandbox_id:
+          type: string
+        cmd:
+          type: string
+        pid:
+          type: integer
+        tag:
+          type: string
+
+    ProcessEntry:
+      type: object
+      properties:
+        pid:
+          type: integer
+        tag:
+          type: string
+        cmd:
+          type: string
+        args:
+          type: array
+          items:
+            type: string
+
+    ProcessListResponse:
+      type: object
+      properties:
+        processes:
+          type: array
+          items:
+            $ref: "#/components/schemas/ProcessEntry"
 
     ExecResponse:
       type: object
@@ -1986,7 +2640,79 @@ components:
       properties:
         path:
           type: string
-          description: Absolute file path inside the sandbox
+          description: Absolute file path inside the capsule
+
+    ListDirRequest:
+      type: object
+      required: [path]
+      properties:
+        path:
+          type: string
+          description: Directory path inside the capsule
+        depth:
+          type: integer
+          default: 1
+          description: Recursion depth (0 = non-recursive, 1 = immediate children)
+
+    ListDirResponse:
+      type: object
+      properties:
+        entries:
+          type: array
+          items:
+            $ref: "#/components/schemas/FileEntry"
+
+    FileEntry:
+      type: object
+      properties:
+        name:
+          type: string
+        path:
+          type: string
+        type:
+          type: string
+          enum: [file, directory, symlink]
+        size:
+          type: integer
+          format: int64
+        mode:
+          type: integer
+        permissions:
+          type: string
+          description: Human-readable permissions (e.g. "-rwxr-xr-x")
+        owner:
+          type: string
+        group:
+          type: string
+        modified_at:
+          type: integer
+          format: int64
+          description: Unix timestamp (seconds)
+        symlink_target:
+          type: string
+          nullable: true
+
+    MakeDirRequest:
+      type: object
+      required: [path]
+      properties:
+        path:
+          type: string
+          description: Directory path to create inside the capsule
+
+    MakeDirResponse:
+      type: object
+      properties:
+        entry:
+          $ref: "#/components/schemas/FileEntry"
+
+    RemoveRequest:
+      type: object
+      required: [path]
+      properties:
+        path:
+          type: string
+          description: Path to remove inside the capsule
 
     CreateHostRequest:
       type: object
@@ -2124,9 +2850,9 @@ components:
           type: array
           items:
             type: string
-          description: IDs of sandboxes that would be destroyed on force-delete.
+          description: IDs of capsulees that would be destroyed on force-delete.
 
-    HostHasSandboxesError:
+    HostHasCapsulesError:
       type: object
       properties:
         error:
@@ -2141,7 +2867,7 @@ components:
               type: array
               items:
                 type: string
-              description: IDs of active sandboxes blocking deletion.
+              description: IDs of active capsulees blocking deletion.
 
     AddTagRequest:
       type: object
@@ -2205,7 +2931,7 @@ components:
           items:
             $ref: "#/components/schemas/TeamMember"
 
-    SandboxMetrics:
+    CapsuleMetrics:
       type: object
       properties:
         sandbox_id:
@@ -2343,6 +3069,37 @@ components:
           nullable: true
           description: Webhook secret. Only returned on creation, never again.
 
+    MeResponse:
+      type: object
+      properties:
+        name:
+          type: string
+        email:
+          type: string
+          format: email
+        has_password:
+          type: boolean
+          description: Whether the user has a password set (false for OAuth-only accounts)
+        providers:
+          type: array
+          items:
+            type: string
+          description: List of linked OAuth provider names (e.g. ["github"])
+
+    ChangePasswordRequest:
+      type: object
+      required: [new_password]
+      properties:
+        current_password:
+          type: string
+          description: Required when changing an existing password
+        new_password:
+          type: string
+          minLength: 8
+        confirm_password:
+          type: string
+          description: Required when adding a password to an OAuth-only account (must match new_password)
+
     Error:
       type: object
       properties:
diff --git a/internal/api/server.go b/internal/api/server.go
index aeb3625..9e81340 100644
--- a/internal/api/server.go
+++ b/internal/api/server.go
@@ -9,14 +9,16 @@ import (
 	"github.com/jackc/pgx/v5/pgxpool"
 	"github.com/redis/go-redis/v9"
 
-	"git.omukk.dev/wrenn/wrenn/internal/audit"
-	"git.omukk.dev/wrenn/wrenn/internal/auth"
-	"git.omukk.dev/wrenn/wrenn/internal/auth/oauth"
-	"git.omukk.dev/wrenn/wrenn/internal/channels"
-	"git.omukk.dev/wrenn/wrenn/internal/db"
-	"git.omukk.dev/wrenn/wrenn/internal/lifecycle"
-	"git.omukk.dev/wrenn/wrenn/internal/scheduler"
-	"git.omukk.dev/wrenn/wrenn/internal/service"
+	"git.omukk.dev/wrenn/wrenn/internal/email"
+	"git.omukk.dev/wrenn/wrenn/pkg/audit"
+	"git.omukk.dev/wrenn/wrenn/pkg/auth"
+	"git.omukk.dev/wrenn/wrenn/pkg/auth/oauth"
+	"git.omukk.dev/wrenn/wrenn/pkg/channels"
+	"git.omukk.dev/wrenn/wrenn/pkg/cpextension"
+	"git.omukk.dev/wrenn/wrenn/pkg/db"
+	"git.omukk.dev/wrenn/wrenn/pkg/lifecycle"
+	"git.omukk.dev/wrenn/wrenn/pkg/scheduler"
+	"git.omukk.dev/wrenn/wrenn/pkg/service"
 )
 
 //go:embed openapi.yaml
@@ -26,9 +28,12 @@ var openapiYAML []byte
 type Server struct {
 	router   chi.Router
 	BuildSvc *service.BuildService
+	version  string
 }
 
 // New constructs the chi router and registers all routes.
+// Extensions are called after core routes are registered, allowing enterprise
+// or third-party code to add routes and middleware.
 func New(
 	queries *db.Queries,
 	pool *lifecycle.HostClientPool,
@@ -41,6 +46,10 @@ func New(
 	ca *auth.CA,
 	al *audit.AuditLogger,
 	channelSvc *channels.Service,
+	mailer email.Mailer,
+	extensions []cpextension.Extension,
+	sctx cpextension.ServerContext,
+	version string,
 ) *Server {
 	r := chi.NewRouter()
 	r.Use(requestLogger())
@@ -51,27 +60,39 @@ func New(
 	templateSvc := &service.TemplateService{DB: queries}
 	hostSvc := &service.HostService{DB: queries, Redis: rdb, JWT: jwtSecret, Pool: pool, CA: ca}
 	teamSvc := &service.TeamService{DB: queries, Pool: pgPool, HostPool: pool}
+	userSvc := &service.UserService{DB: queries, SandboxSvc: sandboxSvc}
 	auditSvc := &service.AuditService{DB: queries}
 	statsSvc := &service.StatsService{DB: queries, Pool: pgPool}
 	buildSvc := &service.BuildService{DB: queries, Redis: rdb, Pool: pool, Scheduler: sched}
 
 	sandbox := newSandboxHandler(sandboxSvc, al)
 	exec := newExecHandler(queries, pool)
-	execStream := newExecStreamHandler(queries, pool)
+	execStream := newExecStreamHandler(queries, pool, jwtSecret)
 	files := newFilesHandler(queries, pool)
 	filesStream := newFilesStreamHandler(queries, pool)
+	fsH := newFSHandler(queries, pool)
 	snapshots := newSnapshotHandler(templateSvc, queries, pool, al)
-	authH := newAuthHandler(queries, pgPool, jwtSecret)
+	authH := newAuthHandler(queries, pgPool, jwtSecret, mailer, rdb, oauthRedirectURL)
 	oauthH := newOAuthHandler(queries, pgPool, jwtSecret, oauthRegistry, oauthRedirectURL)
 	apiKeys := newAPIKeyHandler(apiKeySvc, al)
 	hostH := newHostHandler(hostSvc, queries, al)
-	teamH := newTeamHandler(teamSvc, al)
-	usersH := newUsersHandler(queries)
+	teamH := newTeamHandler(teamSvc, al, mailer)
+	usersH := newUsersHandler(queries, userSvc)
 	auditH := newAuditHandler(auditSvc)
 	statsH := newStatsHandler(statsSvc)
 	metricsH := newSandboxMetricsHandler(queries, pool)
 	buildH := newBuildHandler(buildSvc, queries, pool)
 	channelH := newChannelHandler(channelSvc, al)
+	ptyH := newPtyHandler(queries, pool, jwtSecret)
+	processH := newProcessHandler(queries, pool, jwtSecret)
+	adminCapsules := newAdminCapsuleHandler(sandboxSvc, queries, pool, al)
+	meH := newMeHandler(queries, pgPool, rdb, jwtSecret, mailer, oauthRegistry, oauthRedirectURL, teamSvc)
+
+	// Health check.
+	r.Get("/health", func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		fmt.Fprintf(w, `{"status":"ok","version":%q}`, version)
+	})
 
 	// OpenAPI spec and docs.
 	r.Get("/openapi.yaml", serveOpenAPI)
@@ -80,15 +101,31 @@ func New(
 	// Unauthenticated auth endpoints.
 	r.Post("/v1/auth/signup", authH.Signup)
 	r.Post("/v1/auth/login", authH.Login)
+	r.Post("/v1/auth/activate", authH.Activate)
 	r.Get("/auth/oauth/{provider}", oauthH.Redirect)
 	r.Get("/auth/oauth/{provider}/callback", oauthH.Callback)
 
+	// Unauthenticated: password reset request and confirmation.
+	r.Post("/v1/me/password/reset", meH.RequestPasswordReset)
+	r.Post("/v1/me/password/reset/confirm", meH.ConfirmPasswordReset)
+
+	// JWT-authenticated: self-service account management.
+	r.Route("/v1/me", func(r chi.Router) {
+		r.Use(requireJWT(jwtSecret, queries))
+		r.Get("/", meH.GetMe)
+		r.Patch("/", meH.UpdateName)
+		r.Post("/password", meH.ChangePassword)
+		r.Get("/providers/{provider}/connect", meH.ConnectProvider)
+		r.Delete("/providers/{provider}", meH.DisconnectProvider)
+		r.Delete("/", meH.DeleteAccount)
+	})
+
 	// JWT-authenticated: switch active team.
-	r.With(requireJWT(jwtSecret)).Post("/v1/auth/switch-team", authH.SwitchTeam)
+	r.With(requireJWT(jwtSecret, queries)).Post("/v1/auth/switch-team", authH.SwitchTeam)
 
 	// JWT-authenticated: API key management.
 	r.Route("/v1/api-keys", func(r chi.Router) {
-		r.Use(requireJWT(jwtSecret))
+		r.Use(requireJWT(jwtSecret, queries))
 		r.Post("/", apiKeys.Create)
 		r.Get("/", apiKeys.List)
 		r.Delete("/{id}", apiKeys.Delete)
@@ -96,7 +133,7 @@ func New(
 
 	// JWT-authenticated: team management.
 	r.Route("/v1/teams", func(r chi.Router) {
-		r.Use(requireJWT(jwtSecret))
+		r.Use(requireJWT(jwtSecret, queries))
 		r.Get("/", teamH.List)
 		r.Post("/", teamH.Create)
 		r.Route("/{id}", func(r chi.Router) {
@@ -112,10 +149,12 @@ func New(
 	})
 
 	// JWT-authenticated: user search (for add-member UI).
-	r.With(requireJWT(jwtSecret)).Get("/v1/users/search", usersH.Search)
+	r.With(requireJWT(jwtSecret, queries)).Get("/v1/users/search", usersH.Search)
 
-	// Sandbox lifecycle: accepts API key or JWT bearer token.
-	r.Route("/v1/sandboxes", func(r chi.Router) {
+	// Capsule lifecycle: accepts API key or JWT bearer token.
+	// WebSocket upgrade requests without auth headers are passed through by
+	// requireAPIKeyOrJWT — the WS handlers authenticate via first message.
+	r.Route("/v1/capsules", func(r chi.Router) {
 		r.Use(requireAPIKeyOrJWT(queries, jwtSecret))
 		r.Post("/", sandbox.Create)
 		r.Get("/", sandbox.List)
@@ -133,7 +172,14 @@ func New(
 			r.Post("/files/read", files.Download)
 			r.Post("/files/stream/write", filesStream.StreamUpload)
 			r.Post("/files/stream/read", filesStream.StreamDownload)
+			r.Post("/files/list", fsH.ListDir)
+			r.Post("/files/mkdir", fsH.MakeDir)
+			r.Post("/files/remove", fsH.Remove)
 			r.Get("/metrics", metricsH.GetMetrics)
+			r.Get("/pty", ptyH.PtySession)
+			r.Get("/processes", processH.ListProcesses)
+			r.Delete("/processes/{selector}", processH.KillProcess)
+			r.Get("/processes/{selector}/stream", processH.ConnectProcess)
 		})
 	})
 
@@ -158,7 +204,7 @@ func New(
 
 		// JWT-authenticated: host CRUD and tags.
 		r.Group(func(r chi.Router) {
-			r.Use(requireJWT(jwtSecret))
+			r.Use(requireJWT(jwtSecret, queries))
 			r.Post("/", hostH.Create)
 			r.Get("/", hostH.List)
 			r.Route("/{id}", func(r chi.Router) {
@@ -175,7 +221,7 @@ func New(
 
 	// JWT-authenticated: notification channels.
 	r.Route("/v1/channels", func(r chi.Router) {
-		r.Use(requireJWT(jwtSecret))
+		r.Use(requireJWT(jwtSecret, queries))
 		r.Post("/", channelH.Create)
 		r.Get("/", channelH.List)
 		r.Post("/test", channelH.Test)
@@ -188,22 +234,51 @@ func New(
 	})
 
 	// JWT-authenticated: audit log.
-	r.With(requireJWT(jwtSecret)).Get("/v1/audit-logs", auditH.List)
+	r.With(requireJWT(jwtSecret, queries)).Get("/v1/audit-logs", auditH.List)
 
 	// Platform admin routes — require JWT + DB-validated admin status.
 	r.Route("/v1/admin", func(r chi.Router) {
-		r.Use(requireJWT(jwtSecret))
+		r.Use(requireJWT(jwtSecret, queries))
 		r.Use(requireAdmin(queries))
+		r.Get("/teams", teamH.AdminListTeams)
 		r.Put("/teams/{id}/byoc", teamH.SetBYOC)
+		r.Delete("/teams/{id}", teamH.AdminDeleteTeam)
+		r.Get("/users", usersH.AdminListUsers)
+		r.Put("/users/{id}/active", usersH.SetUserActive)
 		r.Get("/templates", buildH.ListTemplates)
 		r.Delete("/templates/{name}", buildH.DeleteTemplate)
 		r.Post("/builds", buildH.Create)
 		r.Get("/builds", buildH.List)
 		r.Get("/builds/{id}", buildH.Get)
 		r.Post("/builds/{id}/cancel", buildH.Cancel)
+		r.Post("/capsules", adminCapsules.Create)
+		r.Get("/capsules", adminCapsules.List)
+		r.Route("/capsules/{id}", func(r chi.Router) {
+			r.Use(injectPlatformTeam())
+			r.Get("/", adminCapsules.Get)
+			r.Delete("/", adminCapsules.Destroy)
+			r.Post("/snapshot", adminCapsules.Snapshot)
+			r.Post("/exec", exec.Exec)
+			r.Get("/exec/stream", execStream.ExecStream)
+			r.Post("/files/write", files.Upload)
+			r.Post("/files/read", files.Download)
+			r.Post("/files/list", fsH.ListDir)
+			r.Post("/files/mkdir", fsH.MakeDir)
+			r.Post("/files/remove", fsH.Remove)
+			r.Get("/metrics", metricsH.GetMetrics)
+			r.Get("/pty", ptyH.PtySession)
+			r.Get("/processes", processH.ListProcesses)
+			r.Delete("/processes/{selector}", processH.KillProcess)
+			r.Get("/processes/{selector}/stream", processH.ConnectProcess)
+		})
 	})
 
-	return &Server{router: r, BuildSvc: buildSvc}
+	// Let extensions register their routes after all core routes.
+	for _, ext := range extensions {
+		ext.RegisterRoutes(r, sctx)
+	}
+
+	return &Server{router: r, BuildSvc: buildSvc, version: version}
 }
 
 // Handler returns the HTTP handler.
@@ -211,6 +286,11 @@ func (s *Server) Handler() http.Handler {
 	return s.router
 }
 
+// Router returns the underlying chi.Router for direct access.
+func (s *Server) Router() chi.Router {
+	return s.router
+}
+
 func serveOpenAPI(w http.ResponseWriter, r *http.Request) {
 	w.Header().Set("Content-Type", "application/yaml")
 	_, _ = w.Write(openapiYAML)
@@ -223,7 +303,7 @@ func serveDocs(w http.ResponseWriter, r *http.Request) {
 <head>
   <meta charset="UTF-8">
   <meta name="viewport" content="width=device-width, initial-scale=1.0">
-  <title>Wrenn Sandbox API</title>
+  <title>Wrenn API</title>
   <link rel="stylesheet" href="https://unpkg.com/swagger-ui-dist@5.18.2/swagger-ui.css" integrity="sha384-rcbEi6xgdPk0iWkAQzT2F3FeBJXdG+ydrawGlfHAFIZG7wU6aKbQaRewysYpmrlW" crossorigin="anonymous">
   <style>
     body { margin: 0; background: #fafafa; }
diff --git a/internal/email/email.go b/internal/email/email.go
new file mode 100644
index 0000000..89482e0
--- /dev/null
+++ b/internal/email/email.go
@@ -0,0 +1,233 @@
+// Package email provides transactional email sending via SMTP.
+//
+// Emails are rendered from embedded Go templates (html/template + text/template)
+// and sent as multipart/alternative MIME messages. When SMTP is not configured
+// (Host is empty), a no-op mailer is returned that logs and discards.
+package email
+
+import (
+	"bytes"
+	"context"
+	"crypto/tls"
+	"fmt"
+	"log/slog"
+	"mime"
+	"mime/multipart"
+	"mime/quotedprintable"
+	"net"
+	"net/smtp"
+	"net/textproto"
+	"net/url"
+	"strconv"
+	"strings"
+)
+
+// Config holds SMTP connection credentials. All fields except Host are
+// optional — omitting Host disables email entirely (no-op mailer).
+type Config struct {
+	Host      string // SMTP server hostname
+	Port      int    // SMTP server port (default 587)
+	Username  string // SMTP auth username
+	Password  string // SMTP auth password
+	FromEmail string // envelope sender address
+}
+
+// Mailer sends transactional emails.
+type Mailer interface {
+	Send(ctx context.Context, to string, subject string, data EmailData) error
+}
+
+// EmailData is the generic payload for all transactional emails.
+// Templates conditionally render each field based on presence.
+type EmailData struct {
+	RecipientName string  // optional — used after "Hello"
+	Message       string  // main body (plain text; HTML template wraps it)
+	Button        *Button // optional CTA button
+	Closing       string  // optional closing/footer message
+}
+
+// Button represents a call-to-action link rendered as a button in HTML
+// and as a plain URL in the text variant.
+type Button struct {
+	Text string // button label
+	URL  string // target URL
+}
+
+// New constructs a Mailer. If cfg.Host is empty, returns a no-op mailer
+// that logs at debug level and discards. Panics if templates fail to parse
+// (indicates a build-time bug in embedded templates).
+func New(cfg Config) Mailer {
+	if cfg.Host == "" {
+		slog.Info("email: SMTP not configured, using no-op mailer")
+		return &noopMailer{}
+	}
+	if cfg.Port == 0 {
+		cfg.Port = 587
+	}
+	tmpl := mustLoadTemplates()
+	slog.Info("email: SMTP configured", "host", cfg.Host, "port", cfg.Port, "from", cfg.FromEmail)
+	return &mailer{cfg: cfg, tmpl: tmpl}
+}
+
+// mailer is the live SMTP implementation.
+type mailer struct {
+	cfg  Config
+	tmpl *templates
+}
+
+func (m *mailer) Send(ctx context.Context, to string, subject string, data EmailData) error {
+	if data.Button != nil {
+		u, err := url.Parse(data.Button.URL)
+		if err != nil || (u.Scheme != "https" && u.Scheme != "http") {
+			return fmt.Errorf("invalid button URL scheme: %s", data.Button.URL)
+		}
+	}
+
+	htmlBody, err := m.tmpl.renderHTML(data)
+	if err != nil {
+		return fmt.Errorf("render html: %w", err)
+	}
+	textBody, err := m.tmpl.renderText(data)
+	if err != nil {
+		return fmt.Errorf("render text: %w", err)
+	}
+
+	msg, err := buildMIME(m.cfg.FromEmail, to, subject, htmlBody, textBody)
+	if err != nil {
+		return fmt.Errorf("build mime: %w", err)
+	}
+
+	if err := m.send(to, msg); err != nil {
+		return fmt.Errorf("send email to %s: %w", to, err)
+	}
+
+	slog.Info("email: sent", "to", to, "subject", subject)
+	return nil
+}
+
+// send dials the SMTP server and delivers the message.
+// Port 465 uses implicit TLS; all other ports use STARTTLS.
+func (m *mailer) send(to string, msg []byte) error {
+	addr := net.JoinHostPort(m.cfg.Host, strconv.Itoa(m.cfg.Port))
+	auth := smtp.PlainAuth("", m.cfg.Username, m.cfg.Password, m.cfg.Host)
+
+	if m.cfg.Port == 465 {
+		return m.sendImplicitTLS(addr, auth, to, msg)
+	}
+	// STARTTLS (port 587 or other).
+	return smtp.SendMail(addr, auth, m.cfg.FromEmail, []string{to}, msg)
+}
+
+// sendImplicitTLS handles port 465 (SMTPS) where the entire connection is TLS.
+func (m *mailer) sendImplicitTLS(addr string, auth smtp.Auth, to string, msg []byte) error {
+	conn, err := tls.Dial("tcp", addr, &tls.Config{ServerName: m.cfg.Host})
+	if err != nil {
+		return fmt.Errorf("tls dial: %w", err)
+	}
+	defer conn.Close()
+
+	c, err := smtp.NewClient(conn, m.cfg.Host)
+	if err != nil {
+		return fmt.Errorf("smtp client: %w", err)
+	}
+	defer c.Close()
+
+	if err := c.Auth(auth); err != nil {
+		return fmt.Errorf("smtp auth: %w", err)
+	}
+	if err := c.Mail(m.cfg.FromEmail); err != nil {
+		return fmt.Errorf("smtp mail: %w", err)
+	}
+	if err := c.Rcpt(to); err != nil {
+		return fmt.Errorf("smtp rcpt: %w", err)
+	}
+
+	w, err := c.Data()
+	if err != nil {
+		return fmt.Errorf("smtp data: %w", err)
+	}
+	if _, err := w.Write(msg); err != nil {
+		return fmt.Errorf("smtp write: %w", err)
+	}
+	if err := w.Close(); err != nil {
+		return fmt.Errorf("smtp close data: %w", err)
+	}
+	return c.Quit()
+}
+
+// buildMIME assembles a multipart/alternative message with text and HTML parts.
+// Both parts are quoted-printable encoded per RFC 2045.
+func buildMIME(from, to, subject, htmlBody, textBody string) ([]byte, error) {
+	var headerBuf bytes.Buffer
+	var bodyBuf bytes.Buffer
+
+	// Sanitize header values to prevent header injection.
+	from = sanitizeHeader(from)
+	to = sanitizeHeader(to)
+
+	// Encode "From" with display name.
+	encodedFrom := mime.QEncoding.Encode("utf-8", "Wrenn") + " <" + from + ">"
+
+	// Build multipart body first to get the boundary.
+	mw := multipart.NewWriter(&bodyBuf)
+
+	// Text part (first = lowest preference per RFC 2046).
+	textPart, err := mw.CreatePart(textproto.MIMEHeader{
+		"Content-Type":              {"text/plain; charset=utf-8"},
+		"Content-Transfer-Encoding": {"quoted-printable"},
+	})
+	if err != nil {
+		return nil, err
+	}
+	qpw := quotedprintable.NewWriter(textPart)
+	if _, err := qpw.Write([]byte(textBody)); err != nil {
+		return nil, err
+	}
+	if err := qpw.Close(); err != nil {
+		return nil, err
+	}
+
+	// HTML part (second = highest preference).
+	htmlPart, err := mw.CreatePart(textproto.MIMEHeader{
+		"Content-Type":              {"text/html; charset=utf-8"},
+		"Content-Transfer-Encoding": {"quoted-printable"},
+	})
+	if err != nil {
+		return nil, err
+	}
+	qpw = quotedprintable.NewWriter(htmlPart)
+	if _, err := qpw.Write([]byte(htmlBody)); err != nil {
+		return nil, err
+	}
+	if err := qpw.Close(); err != nil {
+		return nil, err
+	}
+
+	if err := mw.Close(); err != nil {
+		return nil, err
+	}
+
+	// Write headers.
+	fmt.Fprintf(&headerBuf, "From: %s\r\n", encodedFrom)
+	fmt.Fprintf(&headerBuf, "To: %s\r\n", to)
+	fmt.Fprintf(&headerBuf, "Subject: %s\r\n", mime.QEncoding.Encode("utf-8", subject))
+	fmt.Fprintf(&headerBuf, "MIME-Version: 1.0\r\n")
+	fmt.Fprintf(&headerBuf, "Content-Type: multipart/alternative; boundary=\"%s\"\r\n", mw.Boundary())
+	fmt.Fprintf(&headerBuf, "\r\n")
+
+	headerBuf.Write(bodyBuf.Bytes())
+	return headerBuf.Bytes(), nil
+}
+
+// sanitizeHeader strips CR and LF characters to prevent SMTP header injection.
+func sanitizeHeader(s string) string {
+	return strings.NewReplacer("\r", "", "\n", "").Replace(s)
+}
+
+// noopMailer discards emails when SMTP is not configured.
+type noopMailer struct{}
+
+func (n *noopMailer) Send(_ context.Context, to string, subject string, _ EmailData) error {
+	slog.Debug("email: no-op send", "to", to, "subject", subject)
+	return nil
+}
diff --git a/internal/email/email_test.go b/internal/email/email_test.go
new file mode 100644
index 0000000..f6e4f12
--- /dev/null
+++ b/internal/email/email_test.go
@@ -0,0 +1,191 @@
+package email
+
+import (
+	"context"
+	"strings"
+	"testing"
+)
+
+func TestNoopMailerDoesNotError(t *testing.T) {
+	m := &noopMailer{}
+	err := m.Send(context.Background(), "test@example.com", "Test Subject", EmailData{
+		RecipientName: "Alice",
+		Message:       "Hello world",
+	})
+	if err != nil {
+		t.Fatalf("noopMailer.Send() returned error: %v", err)
+	}
+}
+
+func TestNewReturnsNoopWhenHostEmpty(t *testing.T) {
+	m := New(Config{})
+	if _, ok := m.(*noopMailer); !ok {
+		t.Fatalf("expected noopMailer, got %T", m)
+	}
+}
+
+func TestNewReturnsMailerWhenHostSet(t *testing.T) {
+	m := New(Config{Host: "smtp.example.com"})
+	if _, ok := m.(*mailer); !ok {
+		t.Fatalf("expected *mailer, got %T", m)
+	}
+}
+
+func TestTemplateRenderHTML(t *testing.T) {
+	tmpl := mustLoadTemplates()
+
+	tests := []struct {
+		name string
+		data EmailData
+		want []string // substrings that must appear in output
+	}{
+		{
+			name: "with all fields",
+			data: EmailData{
+				RecipientName: "Alice",
+				Message:       "Welcome to Wrenn!",
+				Button:        &Button{Text: "Get Started", URL: "https://wrenn.dev"},
+				Closing:       "See you soon.",
+			},
+			want: []string{"Alice", "Welcome to Wrenn!", "Get Started", "https://wrenn.dev", "See you soon."},
+		},
+		{
+			name: "message only",
+			data: EmailData{
+				Message: "Your password has been changed.",
+			},
+			want: []string{"Your password has been changed."},
+		},
+		{
+			name: "with button no closing",
+			data: EmailData{
+				RecipientName: "Bob",
+				Message:       "Reset your password.",
+				Button:        &Button{Text: "Reset Password", URL: "https://wrenn.dev/reset?token=abc"},
+			},
+			want: []string{"Bob", "Reset your password.", "Reset Password", "https://wrenn.dev/reset?token=abc"},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			html, err := tmpl.renderHTML(tt.data)
+			if err != nil {
+				t.Fatalf("renderHTML() error: %v", err)
+			}
+			for _, s := range tt.want {
+				if !strings.Contains(html, s) {
+					t.Errorf("renderHTML() missing substring %q", s)
+				}
+			}
+			// Verify basic HTML structure.
+			if !strings.Contains(html, "<!DOCTYPE html>") {
+				t.Error("renderHTML() missing DOCTYPE")
+			}
+			if !strings.Contains(html, "wrenn.dev") {
+				t.Error("renderHTML() missing wrenn.dev reference")
+			}
+		})
+	}
+}
+
+func TestTemplateRenderText(t *testing.T) {
+	tmpl := mustLoadTemplates()
+
+	tests := []struct {
+		name string
+		data EmailData
+		want []string
+	}{
+		{
+			name: "with all fields",
+			data: EmailData{
+				RecipientName: "Alice",
+				Message:       "Welcome to Wrenn!",
+				Button:        &Button{Text: "Get Started", URL: "https://wrenn.dev"},
+				Closing:       "See you soon.",
+			},
+			want: []string{"Hello Alice", "Welcome to Wrenn!", "Get Started: https://wrenn.dev", "See you soon."},
+		},
+		{
+			name: "message only",
+			data: EmailData{
+				Message: "Done.",
+			},
+			want: []string{"Hello,", "Done."},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			text, err := tmpl.renderText(tt.data)
+			if err != nil {
+				t.Fatalf("renderText() error: %v", err)
+			}
+			for _, s := range tt.want {
+				if !strings.Contains(text, s) {
+					t.Errorf("renderText() missing substring %q\nGot:\n%s", s, text)
+				}
+			}
+		})
+	}
+}
+
+func TestBuildMIME(t *testing.T) {
+	msg, err := buildMIME("noreply@wrenn.dev", "user@example.com", "Test Subject", "<h1>HTML</h1>", "Plain text")
+	if err != nil {
+		t.Fatalf("buildMIME() error: %v", err)
+	}
+
+	s := string(msg)
+	if !strings.Contains(s, "From:") {
+		t.Error("missing From header")
+	}
+	if !strings.Contains(s, "To: user@example.com") {
+		t.Error("missing To header")
+	}
+	if !strings.Contains(s, "Wrenn") {
+		t.Error("missing Wrenn sender name")
+	}
+	if !strings.Contains(s, "multipart/alternative") {
+		t.Error("missing multipart/alternative content type")
+	}
+	if !strings.Contains(s, "text/plain") {
+		t.Error("missing text/plain part")
+	}
+	if !strings.Contains(s, "text/html") {
+		t.Error("missing text/html part")
+	}
+}
+
+func TestBuildMIMENonASCII(t *testing.T) {
+	msg, err := buildMIME("noreply@wrenn.dev", "user@example.com", "Test", "<p>\u00c5ngstr\u00f6m</p>", "Hello \u00c5ngstr\u00f6m")
+	if err != nil {
+		t.Fatalf("buildMIME() error: %v", err)
+	}
+
+	s := string(msg)
+	// Non-ASCII characters should be QP-encoded, not appear as raw bytes.
+	// \u00c5 (U+00C5, 0xC3 0x85 in UTF-8) should be encoded as =C3=85.
+	if !strings.Contains(s, "=C3=85") {
+		t.Error("non-ASCII character not quoted-printable encoded")
+	}
+}
+
+func TestSanitizeHeader(t *testing.T) {
+	tests := []struct {
+		input string
+		want  string
+	}{
+		{"normal@example.com", "normal@example.com"},
+		{"injected\r\nBcc: evil@example.com", "injectedBcc: evil@example.com"},
+		{"has\nnewline", "hasnewline"},
+		{"has\rcarriage", "hascarriage"},
+	}
+	for _, tt := range tests {
+		got := sanitizeHeader(tt.input)
+		if got != tt.want {
+			t.Errorf("sanitizeHeader(%q) = %q, want %q", tt.input, got, tt.want)
+		}
+	}
+}
diff --git a/internal/email/templates.go b/internal/email/templates.go
new file mode 100644
index 0000000..081a158
--- /dev/null
+++ b/internal/email/templates.go
@@ -0,0 +1,52 @@
+package email
+
+import (
+	"bytes"
+	"embed"
+	"fmt"
+	"html/template"
+	text_template "text/template"
+)
+
+//go:embed templates/*.html templates/*.txt
+var templateFS embed.FS
+
+// templates holds the parsed HTML and plain-text template sets.
+type templates struct {
+	html *template.Template
+	text *text_template.Template
+}
+
+// mustLoadTemplates parses all embedded templates. Panics on error
+// because malformed templates are a build-time bug.
+func mustLoadTemplates() *templates {
+	html, err := template.ParseFS(templateFS, "templates/*.html")
+	if err != nil {
+		panic(fmt.Sprintf("email: failed to parse HTML templates: %v", err))
+	}
+
+	text, err := text_template.ParseFS(templateFS, "templates/*.txt")
+	if err != nil {
+		panic(fmt.Sprintf("email: failed to parse text templates: %v", err))
+	}
+
+	return &templates{html: html, text: text}
+}
+
+// renderHTML executes the HTML base template with the given data.
+func (t *templates) renderHTML(data EmailData) (string, error) {
+	var buf bytes.Buffer
+	if err := t.html.ExecuteTemplate(&buf, "base.html", data); err != nil {
+		return "", fmt.Errorf("execute html template: %w", err)
+	}
+	return buf.String(), nil
+}
+
+// renderText executes the plain-text base template with the given data.
+func (t *templates) renderText(data EmailData) (string, error) {
+	var buf bytes.Buffer
+	if err := t.text.ExecuteTemplate(&buf, "base.txt", data); err != nil {
+		return "", fmt.Errorf("execute text template: %w", err)
+	}
+	return buf.String(), nil
+}
diff --git a/internal/email/templates/base.html b/internal/email/templates/base.html
new file mode 100644
index 0000000..ad6f57f
--- /dev/null
+++ b/internal/email/templates/base.html
@@ -0,0 +1,119 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <meta http-equiv="X-UA-Compatible" content="IE=edge">
+  <title>Wrenn</title>
+  <!--[if mso]>
+  <noscript>
+    <xml>
+      <o:OfficeDocumentSettings>
+        <o:PixelsPerInch>96</o:PixelsPerInch>
+      </o:OfficeDocumentSettings>
+    </xml>
+  </noscript>
+  <![endif]-->
+  <style type="text/css">
+    body, table, td, a { -webkit-text-size-adjust: 100%; -ms-text-size-adjust: 100%; }
+    table, td { mso-table-lspace: 0pt; mso-table-rspace: 0pt; }
+    img { -ms-interpolation-mode: bicubic; border: 0; height: auto; line-height: 100%; outline: none; text-decoration: none; }
+    body { margin: 0; padding: 0; width: 100% !important; }
+  </style>
+</head>
+<body style="margin: 0; padding: 0; background-color: #f4f3f1; font-family: 'Manrope', -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Helvetica, Arial, sans-serif; -webkit-font-smoothing: antialiased;">
+
+  <!-- Outer wrapper -->
+  <table role="presentation" cellpadding="0" cellspacing="0" width="100%" style="background-color: #f4f3f1;">
+    <tr>
+      <td align="center" style="padding: 40px 16px;">
+
+        <!-- Logo + Wordmark -->
+        <table role="presentation" cellpadding="0" cellspacing="0" width="560" style="max-width: 560px;">
+          <tr>
+            <td align="left" style="padding-bottom: 32px;">
+              <a href="https://wrenn.dev" style="text-decoration: none;">
+                <table role="presentation" cellpadding="0" cellspacing="0">
+                  <tr>
+                    <td style="vertical-align: middle;">
+                      <img src="https://wrenn.dev/logo.png" alt="Wrenn" width="36" height="36" style="display: block; border-radius: 6px;">
+                    </td>
+                    <td style="vertical-align: middle; padding-left: 10px;">
+                      <span style="font-family: 'Alice', Georgia, 'Times New Roman', serif; font-size: 22px; color: #1a1917; letter-spacing: 0.01em;">Wrenn</span>
+                    </td>
+                  </tr>
+                </table>
+              </a>
+            </td>
+          </tr>
+        </table>
+
+        <!-- Card -->
+        <table role="presentation" cellpadding="0" cellspacing="0" width="560" style="max-width: 560px; background-color: #ffffff; border: 1px solid #e5e4e0; border-radius: 8px;">
+          <tr>
+            <td style="padding: 44px 48px;">
+
+              <!-- Greeting -->
+              <p style="margin: 0 0 8px 0; font-size: 15px; line-height: 1.6; color: #3a3835;">
+                Hello{{if .RecipientName}} {{.RecipientName}}{{end}},
+              </p>
+
+              <!-- Message -->
+              <p style="margin: 0 0 36px 0; font-size: 15px; line-height: 1.7; color: #3a3835;">
+                {{.Message}}
+              </p>
+
+              <!-- Button -->
+              {{if .Button}}
+              <table role="presentation" cellpadding="0" cellspacing="0" style="margin: 0 0 36px 0;">
+                <tr>
+                  <td align="center" style="background-color: #5e8c58; border-radius: 5px;">
+                    <!--[if mso]>
+                    <v:roundrect xmlns:v="urn:schemas-microsoft-com:vml" xmlns:w="urn:schemas-microsoft-com:office:word" href="{{.Button.URL}}" style="height:44px;v-text-anchor:middle;width:200px;" arcsize="12%" strokecolor="#5e8c58" fillcolor="#5e8c58">
+                      <w:anchorlock/>
+                      <center style="color:#ffffff;font-family:'Manrope',-apple-system,sans-serif;font-size:14px;font-weight:600;">{{.Button.Text}}</center>
+                    </v:roundrect>
+                    <![endif]-->
+                    <!--[if !mso]><!-->
+                    <a href="{{.Button.URL}}" target="_blank" style="display: inline-block; padding: 12px 32px; font-size: 14px; font-weight: 600; color: #ffffff; text-decoration: none; border-radius: 5px; background-color: #5e8c58;">
+                      {{.Button.Text}}
+                    </a>
+                    <!--<![endif]-->
+                  </td>
+                </tr>
+              </table>
+
+              <p style="margin: 0 0 12px 0; font-size: 12px; line-height: 1.5; color: #b5b0a8;">
+                If the button doesn't work, copy and paste this URL into your browser:<br>
+                <a href="{{.Button.URL}}" style="color: #5e8c58; word-break: break-all;">{{.Button.URL}}</a>
+              </p>
+              {{end}}
+
+              <!-- Closing -->
+              {{if .Closing}}
+              <p style="margin: {{if .Button}}20px{{else}}0{{end}} 0 0 0; font-size: 15px; line-height: 1.7; color: #3a3835;">
+                {{.Closing}}
+              </p>
+              {{end}}
+
+            </td>
+          </tr>
+        </table>
+
+        <!-- Footer -->
+        <table role="presentation" cellpadding="0" cellspacing="0" width="560" style="max-width: 560px;">
+          <tr>
+            <td style="padding: 32px 0 16px 0; text-align: center;">
+              <p style="margin: 0; font-size: 12px; line-height: 1.5; color: #9b9790;">
+                This is a transactional email from <a href="https://wrenn.dev" style="color: #5e8c58; text-decoration: none;">Wrenn</a>.
+              </p>
+            </td>
+          </tr>
+        </table>
+
+      </td>
+    </tr>
+  </table>
+
+</body>
+</html>
diff --git a/internal/email/templates/base.txt b/internal/email/templates/base.txt
new file mode 100644
index 0000000..499ec01
--- /dev/null
+++ b/internal/email/templates/base.txt
@@ -0,0 +1,13 @@
+Hello{{if .RecipientName}} {{.RecipientName}}{{end}},
+
+{{.Message}}
+{{if .Button}}
+
+{{.Button.Text}}: {{.Button.URL}}
+{{end}}{{if .Closing}}
+
+{{.Closing}}
+{{end}}
+
+---
+This is a transactional email from Wrenn (https://wrenn.dev).
diff --git a/internal/envdclient/client.go b/internal/envdclient/client.go
index 3e05f7d..03994b2 100644
--- a/internal/envdclient/client.go
+++ b/internal/envdclient/client.go
@@ -3,6 +3,7 @@ package envdclient
 import (
 	"bytes"
 	"context"
+	"encoding/json"
 	"fmt"
 	"io"
 	"log/slog"
@@ -268,6 +269,82 @@ func (c *Client) ReadFile(ctx context.Context, path string) ([]byte, error) {
 	return data, nil
 }
 
+// PrepareSnapshot calls envd's POST /snapshot/prepare endpoint, which quiesces
+// continuous goroutines (port scanner, forwarder) and forces a GC cycle before
+// Firecracker takes a VM snapshot. This ensures the Go runtime's page allocator
+// is in a consistent state when vCPUs are frozen.
+//
+// Best-effort: the caller should log a warning on error but not abort the pause.
+func (c *Client) PrepareSnapshot(ctx context.Context) error {
+	req, err := http.NewRequestWithContext(ctx, http.MethodPost, c.base+"/snapshot/prepare", nil)
+	if err != nil {
+		return fmt.Errorf("create request: %w", err)
+	}
+
+	resp, err := c.httpClient.Do(req)
+	if err != nil {
+		return fmt.Errorf("prepare snapshot: %w", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusNoContent {
+		respBody, _ := io.ReadAll(resp.Body)
+		return fmt.Errorf("prepare snapshot: status %d: %s", resp.StatusCode, string(respBody))
+	}
+
+	return nil
+}
+
+// PostInit calls envd's POST /init endpoint, which triggers a re-read of
+// Firecracker MMDS metadata. This updates WRENN_SANDBOX_ID, WRENN_TEMPLATE_ID
+// env vars and the corresponding files under /run/wrenn/ inside the guest.
+// Must be called after snapshot restore so envd picks up the new sandbox's metadata.
+func (c *Client) PostInit(ctx context.Context) error {
+	return c.PostInitWithDefaults(ctx, "", nil)
+}
+
+// PostInitWithDefaults calls envd's POST /init endpoint with optional default
+// user and environment variables. These are applied to envd's defaults so all
+// subsequent process executions use them.
+func (c *Client) PostInitWithDefaults(ctx context.Context, defaultUser string, envVars map[string]string) error {
+	var body io.Reader
+	if defaultUser != "" || len(envVars) > 0 {
+		payload := make(map[string]any)
+		if defaultUser != "" {
+			payload["defaultUser"] = defaultUser
+		}
+		if len(envVars) > 0 {
+			payload["envVars"] = envVars
+		}
+		data, err := json.Marshal(payload)
+		if err != nil {
+			return fmt.Errorf("marshal init body: %w", err)
+		}
+		body = bytes.NewReader(data)
+	}
+
+	req, err := http.NewRequestWithContext(ctx, http.MethodPost, c.base+"/init", body)
+	if err != nil {
+		return fmt.Errorf("create request: %w", err)
+	}
+	if body != nil {
+		req.Header.Set("Content-Type", "application/json")
+	}
+
+	resp, err := c.httpClient.Do(req)
+	if err != nil {
+		return fmt.Errorf("post init: %w", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusNoContent {
+		respBody, _ := io.ReadAll(resp.Body)
+		return fmt.Errorf("post init: status %d: %s", resp.StatusCode, string(respBody))
+	}
+
+	return nil
+}
+
 // ListDir lists directory contents inside the sandbox.
 func (c *Client) ListDir(ctx context.Context, path string, depth uint32) (*envdpb.ListDirResponse, error) {
 	req := connect.NewRequest(&envdpb.ListDirRequest{
@@ -282,3 +359,30 @@ func (c *Client) ListDir(ctx context.Context, path string, depth uint32) (*envdp
 
 	return resp.Msg, nil
 }
+
+// MakeDir creates a directory inside the sandbox.
+func (c *Client) MakeDir(ctx context.Context, path string) (*envdpb.MakeDirResponse, error) {
+	req := connect.NewRequest(&envdpb.MakeDirRequest{
+		Path: path,
+	})
+
+	resp, err := c.filesystem.MakeDir(ctx, req)
+	if err != nil {
+		return nil, fmt.Errorf("make dir: %w", err)
+	}
+
+	return resp.Msg, nil
+}
+
+// Remove removes a file or directory inside the sandbox.
+func (c *Client) Remove(ctx context.Context, path string) error {
+	req := connect.NewRequest(&envdpb.RemoveRequest{
+		Path: path,
+	})
+
+	if _, err := c.filesystem.Remove(ctx, req); err != nil {
+		return fmt.Errorf("remove: %w", err)
+	}
+
+	return nil
+}
diff --git a/internal/envdclient/health.go b/internal/envdclient/health.go
index dfb7df8..4837051 100644
--- a/internal/envdclient/health.go
+++ b/internal/envdclient/health.go
@@ -2,7 +2,9 @@ package envdclient
 
 import (
 	"context"
+	"encoding/json"
 	"fmt"
+	"io"
 	"log/slog"
 	"net/http"
 	"time"
@@ -31,6 +33,38 @@ func (c *Client) WaitUntilReady(ctx context.Context) error {
 	}
 }
 
+// FetchVersion queries envd's health endpoint and returns the reported version.
+func (c *Client) FetchVersion(ctx context.Context) (string, error) {
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, c.healthURL, nil)
+	if err != nil {
+		return "", fmt.Errorf("build health request: %w", err)
+	}
+
+	resp, err := c.httpClient.Do(req)
+	if err != nil {
+		return "", fmt.Errorf("fetch envd version: %w", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK && resp.StatusCode != http.StatusNoContent {
+		return "", fmt.Errorf("health check returned %d", resp.StatusCode)
+	}
+
+	body, err := io.ReadAll(resp.Body)
+	if err != nil || len(body) == 0 {
+		return "", nil // envd may not support version reporting yet
+	}
+
+	var data struct {
+		Version string `json:"version"`
+	}
+	if err := json.Unmarshal(body, &data); err != nil {
+		return "", nil // non-JSON response, old envd
+	}
+
+	return data.Version, nil
+}
+
 // healthCheck sends a single GET /health request to envd.
 func (c *Client) healthCheck(ctx context.Context) error {
 	req, err := http.NewRequestWithContext(ctx, http.MethodGet, c.healthURL, nil)
diff --git a/internal/envdclient/process.go b/internal/envdclient/process.go
new file mode 100644
index 0000000..adb807b
--- /dev/null
+++ b/internal/envdclient/process.go
@@ -0,0 +1,187 @@
+package envdclient
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"log/slog"
+
+	"connectrpc.com/connect"
+
+	envdpb "git.omukk.dev/wrenn/wrenn/proto/envd/gen"
+)
+
+// ProcessInfo holds metadata about a running process inside the sandbox.
+type ProcessInfo struct {
+	PID  uint32
+	Tag  string
+	Cmd  string
+	Args []string
+}
+
+// StartBackground starts a process that runs independently of the RPC stream.
+// It opens a Start stream, reads the first StartEvent to obtain the PID,
+// then closes the stream. The process continues running inside the VM because
+// envd binds it to context.Background().
+func (c *Client) StartBackground(ctx context.Context, tag, cmd string, args []string, envs map[string]string, cwd string) (uint32, error) {
+	stdin := false
+	cfg := &envdpb.ProcessConfig{
+		Cmd:  cmd,
+		Args: args,
+		Envs: envs,
+	}
+	if cwd != "" {
+		cfg.Cwd = &cwd
+	}
+
+	req := connect.NewRequest(&envdpb.StartRequest{
+		Process: cfg,
+		Tag:     &tag,
+		Stdin:   &stdin,
+	})
+
+	stream, err := c.process.Start(ctx, req)
+	if err != nil {
+		return 0, fmt.Errorf("start background process: %w", err)
+	}
+	defer stream.Close()
+
+	// Read events until we get the StartEvent with the PID.
+	for stream.Receive() {
+		msg := stream.Msg()
+		if msg.Event == nil {
+			continue
+		}
+		if start, ok := msg.Event.GetEvent().(*envdpb.ProcessEvent_Start); ok {
+			return start.Start.GetPid(), nil
+		}
+	}
+
+	if err := stream.Err(); err != nil && err != io.EOF {
+		return 0, fmt.Errorf("start background process stream: %w", err)
+	}
+
+	return 0, fmt.Errorf("start background process: no start event received")
+}
+
+// ConnectProcess re-attaches to a running process by PID or tag and returns
+// a channel of streaming events. The channel is closed when the process ends
+// or the context is cancelled.
+func (c *Client) ConnectProcess(ctx context.Context, pid uint32, tag string) (<-chan ExecStreamEvent, error) {
+	var selector *envdpb.ProcessSelector
+	if tag != "" {
+		selector = &envdpb.ProcessSelector{
+			Selector: &envdpb.ProcessSelector_Tag{Tag: tag},
+		}
+	} else {
+		selector = &envdpb.ProcessSelector{
+			Selector: &envdpb.ProcessSelector_Pid{Pid: pid},
+		}
+	}
+
+	stream, err := c.process.Connect(ctx, connect.NewRequest(&envdpb.ConnectRequest{
+		Process: selector,
+	}))
+	if err != nil {
+		return nil, fmt.Errorf("connect process: %w", err)
+	}
+
+	ch := make(chan ExecStreamEvent, 16)
+	go func() {
+		defer close(ch)
+		defer stream.Close()
+
+		for stream.Receive() {
+			msg := stream.Msg()
+			if msg.Event == nil {
+				continue
+			}
+
+			var ev ExecStreamEvent
+			switch e := msg.Event.GetEvent().(type) {
+			case *envdpb.ProcessEvent_Start:
+				ev = ExecStreamEvent{Type: "start", PID: e.Start.GetPid()}
+
+			case *envdpb.ProcessEvent_Data:
+				switch o := e.Data.GetOutput().(type) {
+				case *envdpb.ProcessEvent_DataEvent_Stdout:
+					ev = ExecStreamEvent{Type: "stdout", Data: o.Stdout}
+				case *envdpb.ProcessEvent_DataEvent_Stderr:
+					ev = ExecStreamEvent{Type: "stderr", Data: o.Stderr}
+				default:
+					continue
+				}
+
+			case *envdpb.ProcessEvent_End:
+				ev = ExecStreamEvent{Type: "end", ExitCode: e.End.GetExitCode()}
+				if e.End.Error != nil {
+					ev.Error = e.End.GetError()
+				}
+
+			case *envdpb.ProcessEvent_Keepalive:
+				continue
+			}
+
+			select {
+			case ch <- ev:
+			case <-ctx.Done():
+				return
+			}
+		}
+
+		if err := stream.Err(); err != nil && err != io.EOF {
+			slog.Debug("connect process stream error", "error", err)
+		}
+	}()
+
+	return ch, nil
+}
+
+// ListProcesses returns all running processes inside the sandbox.
+func (c *Client) ListProcesses(ctx context.Context) ([]ProcessInfo, error) {
+	resp, err := c.process.List(ctx, connect.NewRequest(&envdpb.ListRequest{}))
+	if err != nil {
+		return nil, fmt.Errorf("list processes: %w", err)
+	}
+
+	procs := make([]ProcessInfo, 0, len(resp.Msg.Processes))
+	for _, p := range resp.Msg.Processes {
+		info := ProcessInfo{
+			PID: p.Pid,
+		}
+		if p.Tag != nil {
+			info.Tag = *p.Tag
+		}
+		if p.Config != nil {
+			info.Cmd = p.Config.Cmd
+			info.Args = p.Config.Args
+		}
+		procs = append(procs, info)
+	}
+
+	return procs, nil
+}
+
+// KillProcess sends a signal to a process identified by PID or tag.
+func (c *Client) KillProcess(ctx context.Context, pid uint32, tag string, signal envdpb.Signal) error {
+	var selector *envdpb.ProcessSelector
+	if tag != "" {
+		selector = &envdpb.ProcessSelector{
+			Selector: &envdpb.ProcessSelector_Tag{Tag: tag},
+		}
+	} else {
+		selector = &envdpb.ProcessSelector{
+			Selector: &envdpb.ProcessSelector_Pid{Pid: pid},
+		}
+	}
+
+	_, err := c.process.SendSignal(ctx, connect.NewRequest(&envdpb.SendSignalRequest{
+		Process: selector,
+		Signal:  signal,
+	}))
+	if err != nil {
+		return fmt.Errorf("kill process: %w", err)
+	}
+
+	return nil
+}
diff --git a/internal/envdclient/pty.go b/internal/envdclient/pty.go
new file mode 100644
index 0000000..7a625fb
--- /dev/null
+++ b/internal/envdclient/pty.go
@@ -0,0 +1,220 @@
+package envdclient
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"log/slog"
+
+	"connectrpc.com/connect"
+
+	envdpb "git.omukk.dev/wrenn/wrenn/proto/envd/gen"
+)
+
+// PtyEvent represents a single event from a PTY output stream.
+type PtyEvent struct {
+	Type     string // "started", "output", "end"
+	PID      uint32
+	Data     []byte
+	ExitCode int32
+	Error    string
+}
+
+// PtyStart starts a new PTY process in the guest and returns a channel of events.
+// The tag is the stable identifier used to reconnect via PtyConnect.
+// The channel is closed when the process ends or ctx is cancelled.
+// NOTE: The user parameter from PtyAttachRequest is not yet supported by envd's
+// ProcessConfig proto. When envd adds user support, thread it through here.
+func (c *Client) PtyStart(ctx context.Context, tag, cmd string, args []string, cols, rows uint32, envs map[string]string, cwd string) (<-chan PtyEvent, error) {
+	stdin := true
+	cfg := &envdpb.ProcessConfig{
+		Cmd:  cmd,
+		Args: args,
+		Envs: envs,
+	}
+	if cwd != "" {
+		cfg.Cwd = &cwd
+	}
+
+	req := connect.NewRequest(&envdpb.StartRequest{
+		Process: cfg,
+		Pty: &envdpb.PTY{
+			Size: &envdpb.PTY_Size{
+				Cols: cols,
+				Rows: rows,
+			},
+		},
+		Tag:   &tag,
+		Stdin: &stdin,
+	})
+
+	stream, err := c.process.Start(ctx, req)
+	if err != nil {
+		return nil, fmt.Errorf("pty start: %w", err)
+	}
+
+	return drainPtyStream(ctx, &startStream{s: stream}, true), nil
+}
+
+// PtyConnect re-attaches to an existing PTY process by tag.
+// Returns a channel of output events starting from the current point.
+func (c *Client) PtyConnect(ctx context.Context, tag string) (<-chan PtyEvent, error) {
+	req := connect.NewRequest(&envdpb.ConnectRequest{
+		Process: &envdpb.ProcessSelector{
+			Selector: &envdpb.ProcessSelector_Tag{Tag: tag},
+		},
+	})
+
+	stream, err := c.process.Connect(ctx, req)
+	if err != nil {
+		return nil, fmt.Errorf("pty connect: %w", err)
+	}
+
+	return drainPtyStream(ctx, &connectStream{s: stream}, false), nil
+}
+
+// PtySendInput sends raw bytes to the PTY process identified by tag.
+func (c *Client) PtySendInput(ctx context.Context, tag string, data []byte) error {
+	req := connect.NewRequest(&envdpb.SendInputRequest{
+		Process: &envdpb.ProcessSelector{
+			Selector: &envdpb.ProcessSelector_Tag{Tag: tag},
+		},
+		Input: &envdpb.ProcessInput{
+			Input: &envdpb.ProcessInput_Pty{Pty: data},
+		},
+	})
+
+	if _, err := c.process.SendInput(ctx, req); err != nil {
+		return fmt.Errorf("pty send input: %w", err)
+	}
+	return nil
+}
+
+// PtyResize updates the terminal dimensions for the PTY process identified by tag.
+func (c *Client) PtyResize(ctx context.Context, tag string, cols, rows uint32) error {
+	req := connect.NewRequest(&envdpb.UpdateRequest{
+		Process: &envdpb.ProcessSelector{
+			Selector: &envdpb.ProcessSelector_Tag{Tag: tag},
+		},
+		Pty: &envdpb.PTY{
+			Size: &envdpb.PTY_Size{
+				Cols: cols,
+				Rows: rows,
+			},
+		},
+	})
+
+	if _, err := c.process.Update(ctx, req); err != nil {
+		return fmt.Errorf("pty resize: %w", err)
+	}
+	return nil
+}
+
+// PtyKill sends SIGKILL to the PTY process identified by tag.
+func (c *Client) PtyKill(ctx context.Context, tag string) error {
+	req := connect.NewRequest(&envdpb.SendSignalRequest{
+		Process: &envdpb.ProcessSelector{
+			Selector: &envdpb.ProcessSelector_Tag{Tag: tag},
+		},
+		Signal: envdpb.Signal_SIGNAL_SIGKILL,
+	})
+
+	if _, err := c.process.SendSignal(ctx, req); err != nil {
+		return fmt.Errorf("pty kill: %w", err)
+	}
+	return nil
+}
+
+// eventStream is an interface covering both StartResponse and ConnectResponse streams.
+type eventStream interface {
+	Receive() bool
+	Err() error
+	Close() error
+}
+
+type startStream struct {
+	s *connect.ServerStreamForClient[envdpb.StartResponse]
+}
+
+func (s *startStream) Receive() bool { return s.s.Receive() }
+func (s *startStream) Err() error    { return s.s.Err() }
+func (s *startStream) Close() error  { return s.s.Close() }
+func (s *startStream) Event() *envdpb.ProcessEvent {
+	return s.s.Msg().GetEvent()
+}
+
+type connectStream struct {
+	s *connect.ServerStreamForClient[envdpb.ConnectResponse]
+}
+
+func (s *connectStream) Receive() bool { return s.s.Receive() }
+func (s *connectStream) Err() error    { return s.s.Err() }
+func (s *connectStream) Close() error  { return s.s.Close() }
+func (s *connectStream) Event() *envdpb.ProcessEvent {
+	return s.s.Msg().GetEvent()
+}
+
+type eventProvider interface {
+	eventStream
+	Event() *envdpb.ProcessEvent
+}
+
+// drainPtyStream reads events from either a Start or Connect stream and maps
+// them into PtyEvent values on a channel.
+func drainPtyStream(ctx context.Context, stream eventProvider, expectStart bool) <-chan PtyEvent {
+	ch := make(chan PtyEvent, 16)
+	go func() {
+		defer close(ch)
+		defer stream.Close()
+
+		for stream.Receive() {
+			event := stream.Event()
+			if event == nil {
+				continue
+			}
+
+			var ev PtyEvent
+			switch e := event.GetEvent().(type) {
+			case *envdpb.ProcessEvent_Start:
+				if expectStart {
+					ev = PtyEvent{Type: "started", PID: e.Start.GetPid()}
+				} else {
+					continue
+				}
+
+			case *envdpb.ProcessEvent_Data:
+				switch o := e.Data.GetOutput().(type) {
+				case *envdpb.ProcessEvent_DataEvent_Pty:
+					ev = PtyEvent{Type: "output", Data: o.Pty}
+				case *envdpb.ProcessEvent_DataEvent_Stdout:
+					ev = PtyEvent{Type: "output", Data: o.Stdout}
+				case *envdpb.ProcessEvent_DataEvent_Stderr:
+					ev = PtyEvent{Type: "output", Data: o.Stderr}
+				default:
+					continue
+				}
+
+			case *envdpb.ProcessEvent_End:
+				ev = PtyEvent{Type: "end", ExitCode: e.End.GetExitCode()}
+				if e.End.Error != nil {
+					ev.Error = e.End.GetError()
+				}
+
+			case *envdpb.ProcessEvent_Keepalive:
+				continue
+			}
+
+			select {
+			case ch <- ev:
+			case <-ctx.Done():
+				return
+			}
+		}
+
+		if err := stream.Err(); err != nil && err != io.EOF {
+			slog.Debug("pty stream error", "error", err)
+		}
+	}()
+
+	return ch
+}
diff --git a/internal/hostagent/server.go b/internal/hostagent/server.go
index f6a5522..663d2cb 100644
--- a/internal/hostagent/server.go
+++ b/internal/hostagent/server.go
@@ -15,6 +15,7 @@ import (
 	"github.com/google/uuid"
 	"github.com/jackc/pgx/v5/pgtype"
 
+	envdpb "git.omukk.dev/wrenn/wrenn/proto/envd/gen"
 	pb "git.omukk.dev/wrenn/wrenn/proto/hostagent/gen"
 	"git.omukk.dev/wrenn/wrenn/proto/hostagent/gen/hostagentv1connect"
 
@@ -68,10 +69,18 @@ func (s *Server) CreateSandbox(
 		return nil, connect.NewError(connect.CodeInternal, fmt.Errorf("create sandbox: %w", err))
 	}
 
+	// Apply template defaults (user, env vars) if provided.
+	if msg.DefaultUser != "" || len(msg.DefaultEnv) > 0 {
+		if err := s.mgr.SetDefaults(ctx, sb.ID, msg.DefaultUser, msg.DefaultEnv); err != nil {
+			slog.Warn("failed to set sandbox defaults", "sandbox", sb.ID, "error", err)
+		}
+	}
+
 	return connect.NewResponse(&pb.CreateSandboxResponse{
 		SandboxId: sb.ID,
 		Status:    string(sb.Status),
 		HostIp:    sb.HostIP.String(),
+		Metadata:  sb.Metadata,
 	}), nil
 }
 
@@ -99,14 +108,24 @@ func (s *Server) ResumeSandbox(
 	ctx context.Context,
 	req *connect.Request[pb.ResumeSandboxRequest],
 ) (*connect.Response[pb.ResumeSandboxResponse], error) {
-	sb, err := s.mgr.Resume(ctx, req.Msg.SandboxId, int(req.Msg.TimeoutSec))
+	msg := req.Msg
+	sb, err := s.mgr.Resume(ctx, msg.SandboxId, int(msg.TimeoutSec), msg.KernelVersion)
 	if err != nil {
 		return nil, connect.NewError(connect.CodeInternal, err)
 	}
+
+	// Apply template defaults (user, env vars) if provided.
+	if msg.DefaultUser != "" || len(msg.DefaultEnv) > 0 {
+		if err := s.mgr.SetDefaults(ctx, sb.ID, msg.DefaultUser, msg.DefaultEnv); err != nil {
+			slog.Warn("failed to set sandbox defaults on resume", "sandbox", sb.ID, "error", err)
+		}
+	}
+
 	return connect.NewResponse(&pb.ResumeSandboxResponse{
 		SandboxId: sb.ID,
 		Status:    string(sb.Status),
 		HostIp:    sb.HostIP.String(),
+		Metadata:  sb.Metadata,
 	}), nil
 }
 
@@ -252,6 +271,69 @@ func (s *Server) ReadFile(
 	return connect.NewResponse(&pb.ReadFileResponse{Content: content}), nil
 }
 
+func (s *Server) ListDir(
+	ctx context.Context,
+	req *connect.Request[pb.ListDirRequest],
+) (*connect.Response[pb.ListDirResponse], error) {
+	msg := req.Msg
+
+	client, err := s.mgr.GetClient(msg.SandboxId)
+	if err != nil {
+		return nil, connect.NewError(connect.CodeNotFound, err)
+	}
+
+	resp, err := client.ListDir(ctx, msg.Path, msg.Depth)
+	if err != nil {
+		return nil, connect.NewError(connect.CodeInternal, fmt.Errorf("list dir: %w", err))
+	}
+
+	entries := make([]*pb.FileEntry, 0, len(resp.Entries))
+	for _, e := range resp.Entries {
+		entries = append(entries, entryInfoToPB(e))
+	}
+
+	return connect.NewResponse(&pb.ListDirResponse{Entries: entries}), nil
+}
+
+func (s *Server) MakeDir(
+	ctx context.Context,
+	req *connect.Request[pb.MakeDirRequest],
+) (*connect.Response[pb.MakeDirResponse], error) {
+	msg := req.Msg
+
+	client, err := s.mgr.GetClient(msg.SandboxId)
+	if err != nil {
+		return nil, connect.NewError(connect.CodeNotFound, err)
+	}
+
+	resp, err := client.MakeDir(ctx, msg.Path)
+	if err != nil {
+		return nil, fmt.Errorf("make dir: %w", err)
+	}
+
+	return connect.NewResponse(&pb.MakeDirResponse{
+		Entry: entryInfoToPB(resp.Entry),
+	}), nil
+}
+
+func (s *Server) RemovePath(
+	ctx context.Context,
+	req *connect.Request[pb.RemovePathRequest],
+) (*connect.Response[pb.RemovePathResponse], error) {
+	msg := req.Msg
+
+	client, err := s.mgr.GetClient(msg.SandboxId)
+	if err != nil {
+		return nil, connect.NewError(connect.CodeNotFound, err)
+	}
+
+	if err := client.Remove(ctx, msg.Path); err != nil {
+		return nil, connect.NewError(connect.CodeInternal, fmt.Errorf("remove: %w", err))
+	}
+
+	return connect.NewResponse(&pb.RemovePathResponse{}), nil
+}
+
 func (s *Server) ExecStream(
 	ctx context.Context,
 	req *connect.Request[pb.ExecStreamRequest],
@@ -436,6 +518,16 @@ func (s *Server) ReadFileStream(
 	// Stream file content in 64KB chunks.
 	buf := make([]byte, 64*1024)
 	for {
+		// Bail out early if the client disconnected or the context was cancelled.
+		select {
+		case <-ctx.Done():
+			if ctx.Err() == context.DeadlineExceeded {
+				return connect.NewError(connect.CodeDeadlineExceeded, ctx.Err())
+			}
+			return connect.NewError(connect.CodeCanceled, ctx.Err())
+		default:
+		}
+
 		n, err := resp.Body.Read(buf)
 		if n > 0 {
 			chunk := make([]byte, n)
@@ -474,6 +566,7 @@ func (s *Server) ListSandboxes(
 			CreatedAtUnix:    sb.CreatedAt.Unix(),
 			LastActiveAtUnix: sb.LastActiveAt.Unix(),
 			TimeoutSec:       int32(sb.TimeoutSec),
+			Metadata:         sb.Metadata,
 		}
 	}
 
@@ -545,3 +638,269 @@ func metricPointsToPB(pts []sandbox.MetricPoint) []*pb.MetricPoint {
 	}
 	return out
 }
+
+func (s *Server) PtyAttach(
+	ctx context.Context,
+	req *connect.Request[pb.PtyAttachRequest],
+	stream *connect.ServerStream[pb.PtyAttachResponse],
+) error {
+	msg := req.Msg
+
+	events, err := s.mgr.PtyAttach(ctx, msg.SandboxId, msg.Tag, msg.Cmd, msg.Args, msg.Cols, msg.Rows, msg.Envs, msg.Cwd)
+	if err != nil {
+		return connect.NewError(connect.CodeInternal, fmt.Errorf("pty attach: %w", err))
+	}
+
+	for ev := range events {
+		var resp pb.PtyAttachResponse
+		switch ev.Type {
+		case "started":
+			resp.Event = &pb.PtyAttachResponse_Started{
+				Started: &pb.PtyStarted{Pid: ev.PID, Tag: msg.Tag},
+			}
+		case "output":
+			resp.Event = &pb.PtyAttachResponse_Output{
+				Output: &pb.PtyOutput{Data: ev.Data},
+			}
+		case "end":
+			resp.Event = &pb.PtyAttachResponse_Exited{
+				Exited: &pb.PtyExited{ExitCode: ev.ExitCode, Error: ev.Error},
+			}
+		default:
+			continue
+		}
+		if err := stream.Send(&resp); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (s *Server) PtySendInput(
+	ctx context.Context,
+	req *connect.Request[pb.PtySendInputRequest],
+) (*connect.Response[pb.PtySendInputResponse], error) {
+	msg := req.Msg
+
+	if err := s.mgr.PtySendInput(ctx, msg.SandboxId, msg.Tag, msg.Data); err != nil {
+		return nil, connect.NewError(connect.CodeInternal, fmt.Errorf("pty send input: %w", err))
+	}
+
+	return connect.NewResponse(&pb.PtySendInputResponse{}), nil
+}
+
+func (s *Server) PtyResize(
+	ctx context.Context,
+	req *connect.Request[pb.PtyResizeRequest],
+) (*connect.Response[pb.PtyResizeResponse], error) {
+	msg := req.Msg
+
+	if err := s.mgr.PtyResize(ctx, msg.SandboxId, msg.Tag, msg.Cols, msg.Rows); err != nil {
+		return nil, connect.NewError(connect.CodeInternal, fmt.Errorf("pty resize: %w", err))
+	}
+
+	return connect.NewResponse(&pb.PtyResizeResponse{}), nil
+}
+
+func (s *Server) PtyKill(
+	ctx context.Context,
+	req *connect.Request[pb.PtyKillRequest],
+) (*connect.Response[pb.PtyKillResponse], error) {
+	msg := req.Msg
+
+	if err := s.mgr.PtyKill(ctx, msg.SandboxId, msg.Tag); err != nil {
+		return nil, connect.NewError(connect.CodeInternal, fmt.Errorf("pty kill: %w", err))
+	}
+
+	return connect.NewResponse(&pb.PtyKillResponse{}), nil
+}
+
+// entryInfoToPB maps an envd EntryInfo to a hostagent FileEntry.
+func entryInfoToPB(e *envdpb.EntryInfo) *pb.FileEntry {
+	if e == nil {
+		return nil
+	}
+
+	var fileType string
+	switch e.Type {
+	case envdpb.FileType_FILE_TYPE_FILE:
+		fileType = "file"
+	case envdpb.FileType_FILE_TYPE_DIRECTORY:
+		fileType = "directory"
+	case envdpb.FileType_FILE_TYPE_SYMLINK:
+		fileType = "symlink"
+	default:
+		fileType = "unknown"
+	}
+
+	entry := &pb.FileEntry{
+		Name:        e.Name,
+		Path:        e.Path,
+		Type:        fileType,
+		Size:        e.Size,
+		Mode:        e.Mode,
+		Permissions: e.Permissions,
+		Owner:       e.Owner,
+		Group:       e.Group,
+	}
+
+	if e.ModifiedTime != nil {
+		entry.ModifiedAt = e.ModifiedTime.GetSeconds()
+	}
+
+	if e.SymlinkTarget != nil {
+		entry.SymlinkTarget = e.SymlinkTarget
+	}
+
+	return entry
+}
+
+// ── Background Processes ────────────────────────────────────────────
+
+func (s *Server) StartBackground(
+	ctx context.Context,
+	req *connect.Request[pb.StartBackgroundRequest],
+) (*connect.Response[pb.StartBackgroundResponse], error) {
+	msg := req.Msg
+
+	pid, err := s.mgr.StartBackground(ctx, msg.SandboxId, msg.Tag, msg.Cmd, msg.Args, msg.Envs, msg.Cwd)
+	if err != nil {
+		if strings.Contains(err.Error(), "not found") {
+			return nil, connect.NewError(connect.CodeNotFound, err)
+		}
+		return nil, connect.NewError(connect.CodeInternal, fmt.Errorf("start background: %w", err))
+	}
+
+	return connect.NewResponse(&pb.StartBackgroundResponse{
+		Pid: pid,
+		Tag: msg.Tag,
+	}), nil
+}
+
+func (s *Server) ListProcesses(
+	ctx context.Context,
+	req *connect.Request[pb.ListProcessesRequest],
+) (*connect.Response[pb.ListProcessesResponse], error) {
+	procs, err := s.mgr.ListProcesses(ctx, req.Msg.SandboxId)
+	if err != nil {
+		if strings.Contains(err.Error(), "not found") {
+			return nil, connect.NewError(connect.CodeNotFound, err)
+		}
+		return nil, connect.NewError(connect.CodeInternal, fmt.Errorf("list processes: %w", err))
+	}
+
+	entries := make([]*pb.ProcessEntry, 0, len(procs))
+	for _, p := range procs {
+		entries = append(entries, &pb.ProcessEntry{
+			Pid:  p.PID,
+			Tag:  p.Tag,
+			Cmd:  p.Cmd,
+			Args: p.Args,
+		})
+	}
+
+	return connect.NewResponse(&pb.ListProcessesResponse{
+		Processes: entries,
+	}), nil
+}
+
+func (s *Server) KillProcess(
+	ctx context.Context,
+	req *connect.Request[pb.KillProcessRequest],
+) (*connect.Response[pb.KillProcessResponse], error) {
+	msg := req.Msg
+
+	// Resolve PID/tag selector.
+	var pid uint32
+	var tag string
+	switch sel := msg.Selector.(type) {
+	case *pb.KillProcessRequest_Pid:
+		pid = sel.Pid
+	case *pb.KillProcessRequest_Tag:
+		tag = sel.Tag
+	default:
+		return nil, connect.NewError(connect.CodeInvalidArgument, fmt.Errorf("pid or tag is required"))
+	}
+
+	// Map signal string to envd enum.
+	var signal envdpb.Signal
+	switch msg.Signal {
+	case "", "SIGKILL":
+		signal = envdpb.Signal_SIGNAL_SIGKILL
+	case "SIGTERM":
+		signal = envdpb.Signal_SIGNAL_SIGTERM
+	default:
+		return nil, connect.NewError(connect.CodeInvalidArgument, fmt.Errorf("unsupported signal: %s (use SIGKILL or SIGTERM)", msg.Signal))
+	}
+
+	if err := s.mgr.KillProcess(ctx, msg.SandboxId, pid, tag, signal); err != nil {
+		if strings.Contains(err.Error(), "not found") {
+			return nil, connect.NewError(connect.CodeNotFound, err)
+		}
+		return nil, connect.NewError(connect.CodeInternal, fmt.Errorf("kill process: %w", err))
+	}
+
+	return connect.NewResponse(&pb.KillProcessResponse{}), nil
+}
+
+func (s *Server) ConnectProcess(
+	ctx context.Context,
+	req *connect.Request[pb.ConnectProcessRequest],
+	stream *connect.ServerStream[pb.ConnectProcessResponse],
+) error {
+	msg := req.Msg
+
+	var pid uint32
+	var tag string
+	switch sel := msg.Selector.(type) {
+	case *pb.ConnectProcessRequest_Pid:
+		pid = sel.Pid
+	case *pb.ConnectProcessRequest_Tag:
+		tag = sel.Tag
+	default:
+		return connect.NewError(connect.CodeInvalidArgument, fmt.Errorf("pid or tag is required"))
+	}
+
+	events, err := s.mgr.ConnectProcess(ctx, msg.SandboxId, pid, tag)
+	if err != nil {
+		if strings.Contains(err.Error(), "not found") {
+			return connect.NewError(connect.CodeNotFound, err)
+		}
+		return connect.NewError(connect.CodeInternal, fmt.Errorf("connect process: %w", err))
+	}
+
+	for ev := range events {
+		var resp pb.ConnectProcessResponse
+		switch ev.Type {
+		case "start":
+			resp.Event = &pb.ConnectProcessResponse_Start{
+				Start: &pb.ExecStreamStart{Pid: ev.PID},
+			}
+		case "stdout":
+			resp.Event = &pb.ConnectProcessResponse_Data{
+				Data: &pb.ExecStreamData{
+					Output: &pb.ExecStreamData_Stdout{Stdout: ev.Data},
+				},
+			}
+		case "stderr":
+			resp.Event = &pb.ConnectProcessResponse_Data{
+				Data: &pb.ExecStreamData{
+					Output: &pb.ExecStreamData_Stderr{Stderr: ev.Data},
+				},
+			}
+		case "end":
+			resp.Event = &pb.ConnectProcessResponse_End{
+				End: &pb.ExecStreamEnd{
+					ExitCode: ev.ExitCode,
+					Error:    ev.Error,
+				},
+			}
+		}
+		if err := stream.Send(&resp); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
diff --git a/internal/layout/layout.go b/internal/layout/layout.go
index dfe2f9b..fcb11ad 100644
--- a/internal/layout/layout.go
+++ b/internal/layout/layout.go
@@ -1,11 +1,15 @@
 package layout
 
 import (
+	"fmt"
+	"os"
 	"path/filepath"
+	"sort"
+	"strings"
 
 	"github.com/jackc/pgx/v5/pgtype"
 
-	"git.omukk.dev/wrenn/wrenn/internal/id"
+	"git.omukk.dev/wrenn/wrenn/pkg/id"
 )
 
 // IsMinimal reports whether the given team and template IDs represent the
@@ -47,6 +51,75 @@ func KernelPath(wrennDir string) string {
 	return filepath.Join(wrennDir, "kernels", "vmlinux")
 }
 
+// KernelPathVersioned returns the path to a specific kernel version.
+func KernelPathVersioned(wrennDir, version string) string {
+	return filepath.Join(wrennDir, "kernels", "vmlinux-"+version)
+}
+
+// LatestKernel scans the kernels directory for files matching vmlinux-{semver}
+// and returns the path and version of the latest one (by semver sort).
+func LatestKernel(wrennDir string) (path, version string, err error) {
+	dir := filepath.Join(wrennDir, "kernels")
+	return latestVersionedFile(dir, "vmlinux-")
+}
+
+// latestVersionedFile scans dir for files with the given prefix, extracts the
+// version suffix, sorts by semver, and returns the path and version of the latest.
+func latestVersionedFile(dir, prefix string) (path, version string, err error) {
+	entries, err := os.ReadDir(dir)
+	if err != nil {
+		return "", "", fmt.Errorf("read directory %s: %w", dir, err)
+	}
+
+	var versions []string
+	for _, e := range entries {
+		if e.IsDir() {
+			continue
+		}
+		name := e.Name()
+		if v, ok := strings.CutPrefix(name, prefix); ok && v != "" {
+			versions = append(versions, v)
+		}
+	}
+
+	if len(versions) == 0 {
+		return "", "", fmt.Errorf("no %s* files found in %s", prefix, dir)
+	}
+
+	sort.Slice(versions, func(i, j int) bool {
+		return compareSemver(versions[i], versions[j]) < 0
+	})
+
+	latest := versions[len(versions)-1]
+	return filepath.Join(dir, prefix+latest), latest, nil
+}
+
+// compareSemver compares two dotted-numeric version strings.
+// Returns -1 if a < b, 0 if equal, 1 if a > b.
+func compareSemver(a, b string) int {
+	aParts := strings.Split(a, ".")
+	bParts := strings.Split(b, ".")
+
+	maxLen := max(len(aParts), len(bParts))
+
+	for i := 0; i < maxLen; i++ {
+		var av, bv int
+		if i < len(aParts) {
+			_, _ = fmt.Sscanf(aParts[i], "%d", &av)
+		}
+		if i < len(bParts) {
+			_, _ = fmt.Sscanf(bParts[i], "%d", &bv)
+		}
+		if av < bv {
+			return -1
+		}
+		if av > bv {
+			return 1
+		}
+	}
+	return 0
+}
+
 // ImagesRoot returns the root images directory.
 func ImagesRoot(wrennDir string) string {
 	return filepath.Join(wrennDir, "images")
diff --git a/internal/layout/layout_test.go b/internal/layout/layout_test.go
index 3501ee4..f3e3532 100644
--- a/internal/layout/layout_test.go
+++ b/internal/layout/layout_test.go
@@ -6,7 +6,7 @@ import (
 
 	"github.com/jackc/pgx/v5/pgtype"
 
-	"git.omukk.dev/wrenn/wrenn/internal/id"
+	"git.omukk.dev/wrenn/wrenn/pkg/id"
 )
 
 func TestIsMinimal(t *testing.T) {
diff --git a/internal/models/sandbox.go b/internal/models/sandbox.go
index ab72cd3..8228679 100644
--- a/internal/models/sandbox.go
+++ b/internal/models/sandbox.go
@@ -30,4 +30,5 @@ type Sandbox struct {
 	RootfsPath     string
 	CreatedAt      time.Time
 	LastActiveAt   time.Time
+	Metadata       map[string]string
 }
diff --git a/internal/network/allocator.go b/internal/network/allocator.go
index b7265e6..6a929d0 100644
--- a/internal/network/allocator.go
+++ b/internal/network/allocator.go
@@ -24,7 +24,7 @@ func (a *SlotAllocator) Allocate() (int, error) {
 	a.mu.Lock()
 	defer a.mu.Unlock()
 
-	for i := 1; i <= 65534; i++ {
+	for i := 1; i <= 32767; i++ {
 		if !a.inUse[i] {
 			a.inUse[i] = true
 			return i, nil
diff --git a/internal/network/setup.go b/internal/network/setup.go
index 614235a..3874c79 100644
--- a/internal/network/setup.go
+++ b/internal/network/setup.go
@@ -131,26 +131,31 @@ type Slot struct {
 }
 
 // NewSlot computes the addressing for the given slot index (1-based).
+// Index must be in [1, 32767] so that veth offset (index*2) fits in 16 bits.
 func NewSlot(index int) *Slot {
+	if index < 1 || index > 32767 {
+		panic(fmt.Sprintf("slot index %d out of range [1, 32767]", index))
+	}
+
 	hostBaseIP := net.ParseIP(hostBase).To4()
 	vrtBaseIP := net.ParseIP(vrtBase).To4()
 
 	hostIP := make(net.IP, 4)
 	copy(hostIP, hostBaseIP)
-	hostIP[2] += byte(index >> 8)
-	hostIP[3] += byte(index & 0xFF)
+	hostIP[2] = hostBaseIP[2] + byte(index>>8)
+	hostIP[3] = hostBaseIP[3] + byte(index&0xFF)
 
 	vethOffset := index * vrtAddressesPerSlot
 	vethIP := make(net.IP, 4)
 	copy(vethIP, vrtBaseIP)
-	vethIP[2] += byte(vethOffset >> 8)
-	vethIP[3] += byte(vethOffset & 0xFF)
+	vethIP[2] = vrtBaseIP[2] + byte(vethOffset>>8)
+	vethIP[3] = vrtBaseIP[3] + byte(vethOffset&0xFF)
 
 	vpeerOffset := vethOffset + 1
 	vpeerIP := make(net.IP, 4)
 	copy(vpeerIP, vrtBaseIP)
-	vpeerIP[2] += byte(vpeerOffset >> 8)
-	vpeerIP[3] += byte(vpeerOffset & 0xFF)
+	vpeerIP[2] = vrtBaseIP[2] + byte(vpeerOffset>>8)
+	vpeerIP[3] = vrtBaseIP[3] + byte(vpeerOffset&0xFF)
 
 	return &Slot{
 		Index:        index,
diff --git a/internal/recipe/context.go b/internal/recipe/context.go
index 71cc0bc..3a64059 100644
--- a/internal/recipe/context.go
+++ b/internal/recipe/context.go
@@ -7,10 +7,11 @@ import (
 )
 
 // ExecContext holds mutable state that persists across recipe steps.
-// It is initialized empty and updated by ENV and WORKDIR steps.
+// It is initialized empty and updated by ENV, WORKDIR, and USER steps.
 type ExecContext struct {
 	WorkDir string
 	EnvVars map[string]string
+	User    string // Current unix user for command execution.
 }
 
 // This regex matches:
@@ -25,7 +26,20 @@ var envRegex = regexp.MustCompile(`\$\$|\$\{([a-zA-Z0-9_]*)\}|\$([a-zA-Z0-9_]+)`
 // If WORKDIR and/or ENV are set, they are prepended as a shell preamble:
 //
 //	cd '/the/dir' && KEY='val' /bin/sh -c 'original command'
+//
+// If USER is set to a non-root user, the entire command is wrapped with su:
+//
+//	su <user> -s /bin/sh -c '<preamble + command>'
 func (c *ExecContext) WrappedCommand(cmd string) string {
+	inner := c.innerCommand(cmd)
+	if c.User != "" && c.User != "root" {
+		return "su " + shellescape(c.User) + " -s /bin/sh -c " + shellescape(inner)
+	}
+	return inner
+}
+
+// innerCommand builds the command with workdir/env preamble but without user wrapping.
+func (c *ExecContext) innerCommand(cmd string) string {
 	prefix := c.shellPrefix()
 	if prefix == "" {
 		return cmd
@@ -42,7 +56,11 @@ func (c *ExecContext) WrappedCommand(cmd string) string {
 // simultaneously before a healthcheck is evaluated.
 func (c *ExecContext) StartCommand(cmd string) string {
 	prefix := c.shellPrefix()
-	return prefix + "nohup /bin/sh -c " + shellescape(cmd) + " >/dev/null 2>&1 &"
+	inner := prefix + "nohup /bin/sh -c " + shellescape(cmd) + " >/dev/null 2>&1 &"
+	if c.User != "" && c.User != "root" {
+		return "su " + shellescape(c.User) + " -s /bin/sh -c " + shellescape(inner)
+	}
+	return inner
 }
 
 // shellPrefix builds the "cd ... && KEY=val " preamble for a shell command.
@@ -97,8 +115,11 @@ func expandEnv(s string, vars map[string]string) string {
 	})
 }
 
-// shellescape wraps s in single quotes, escaping any embedded single quotes.
+// Shellescape wraps s in single quotes, escaping any embedded single quotes.
 // This is POSIX-safe for paths, env values, and shell commands.
-func shellescape(s string) string {
+func Shellescape(s string) string {
 	return "'" + strings.ReplaceAll(s, "'", `'\''`) + "'"
 }
+
+// shellescape is the package-internal alias for Shellescape.
+func shellescape(s string) string { return Shellescape(s) }
diff --git a/internal/recipe/executor.go b/internal/recipe/executor.go
index 53aaeeb..ffecf04 100644
--- a/internal/recipe/executor.go
+++ b/internal/recipe/executor.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"log/slog"
+	"path"
 	"strings"
 	"time"
 
@@ -16,6 +17,10 @@ import (
 // explicit --timeout flag.
 const DefaultStepTimeout = 30 * time.Second
 
+// BuildFilesDir is the directory inside the sandbox where uploaded build
+// archives are extracted. COPY instructions reference paths relative to this.
+const BuildFilesDir = "/tmp/build-files"
+
 // BuildLogEntry is the per-step record stored in template_builds.logs (JSONB).
 type BuildLogEntry struct {
 	Step    int    `json:"step"`
@@ -32,13 +37,18 @@ type BuildLogEntry struct {
 // the method on the hostagent Connect RPC client.
 type ExecFunc func(ctx context.Context, req *connect.Request[pb.ExecRequest]) (*connect.Response[pb.ExecResponse], error)
 
+// ProgressFunc is called after each step with the current step counter and
+// accumulated log entries. Used for per-step DB progress updates.
+type ProgressFunc func(step int, entries []BuildLogEntry)
+
 // Execute runs steps sequentially against sandboxID using execFn.
 //
 //   - phase labels the log entries (e.g., "pre-build", "recipe", "post-build").
 //   - startStep is the 1-based offset so entries are globally numbered across phases.
 //   - defaultTimeout applies to RUN steps with no per-step --timeout; 0 → 10 minutes.
-//   - bctx is mutated in place as ENV/WORKDIR steps execute, and carries forward
+//   - bctx is mutated in place as ENV/WORKDIR/USER steps execute, and carries forward
 //     into subsequent phases when the caller passes the same pointer.
+//   - onProgress is called after each step for live progress updates (may be nil).
 //
 // Returns all log entries appended during this call, the next step counter
 // value, and whether all steps succeeded. On false the last entry contains
@@ -53,6 +63,7 @@ func Execute(
 	defaultTimeout time.Duration,
 	bctx *ExecContext,
 	execFn ExecFunc,
+	onProgress ProgressFunc,
 ) (entries []BuildLogEntry, nextStep int, ok bool) {
 	if defaultTimeout <= 0 {
 		defaultTimeout = 10 * time.Minute
@@ -72,19 +83,30 @@ func Execute(
 			entries = append(entries, BuildLogEntry{Step: step, Phase: phase, Cmd: st.Raw, Ok: true})
 
 		case KindWORKDIR:
+			// Create the directory if it doesn't exist.
+			mkdirEntry := execRawShell(ctx, st.Raw, sandboxID, phase, step, 10*time.Second, execFn,
+				"mkdir -p "+shellescape(st.Path))
+			if !mkdirEntry.Ok {
+				entries = append(entries, mkdirEntry)
+				return entries, step, false
+			}
 			bctx.WorkDir = st.Path
-			entries = append(entries, BuildLogEntry{Step: step, Phase: phase, Cmd: st.Raw, Ok: true})
+			mkdirEntry.Ok = true
+			entries = append(entries, mkdirEntry)
 
-		case KindUSER, KindCOPY:
-			verb := strings.ToUpper(strings.Fields(st.Raw)[0])
-			entries = append(entries, BuildLogEntry{
-				Step:   step,
-				Phase:  phase,
-				Cmd:    st.Raw,
-				Stderr: verb + " is not yet supported",
-				Ok:     false,
-			})
-			return entries, step, false
+		case KindUSER:
+			entry, succeeded := execUser(ctx, st, sandboxID, phase, step, bctx, execFn)
+			entries = append(entries, entry)
+			if !succeeded {
+				return entries, step, false
+			}
+
+		case KindCOPY:
+			entry, succeeded := execCopy(ctx, st, sandboxID, phase, step, bctx, execFn)
+			entries = append(entries, entry)
+			if !succeeded {
+				return entries, step, false
+			}
 
 		case KindSTART:
 			entry, succeeded := execStart(ctx, st, sandboxID, phase, step, bctx, execFn)
@@ -104,6 +126,10 @@ func Execute(
 				return entries, step, false
 			}
 		}
+
+		if onProgress != nil {
+			onProgress(step, entries)
+		}
 	}
 	return entries, step, true
 }
@@ -145,6 +171,123 @@ func execRun(
 	return entry, entry.Ok
 }
 
+// execUser creates a unix user (if not exists), grants passwordless sudo,
+// and updates bctx.User for subsequent steps.
+func execUser(
+	ctx context.Context,
+	st Step,
+	sandboxID, phase string,
+	step int,
+	bctx *ExecContext,
+	execFn ExecFunc,
+) (BuildLogEntry, bool) {
+	username := st.Key
+	// Create user if not exists, with home directory and bash shell.
+	// Grant passwordless sudo access (E2B convention).
+	// Uses printf %s to avoid shell injection in the sudoers line.
+	script := fmt.Sprintf(
+		"id %s >/dev/null 2>&1 || (adduser --disabled-password --gecos '' --shell /bin/bash %s && printf '%%s ALL=(ALL) NOPASSWD:ALL\\n' %s >> /etc/sudoers)",
+		shellescape(username), shellescape(username), shellescape(username),
+	)
+
+	entry := execRawShell(ctx, st.Raw, sandboxID, phase, step, 30*time.Second, execFn, script)
+	if entry.Ok {
+		bctx.User = username
+		// Update HOME so ~ expands correctly in subsequent RUN/WORKDIR steps.
+		if bctx.EnvVars == nil {
+			bctx.EnvVars = make(map[string]string)
+		}
+		if username == "root" {
+			bctx.EnvVars["HOME"] = "/root"
+		} else {
+			bctx.EnvVars["HOME"] = "/home/" + username
+		}
+	}
+	return entry, entry.Ok
+}
+
+// execCopy copies a file or directory from the build archive (extracted at
+// BuildFilesDir) to the destination path inside the sandbox. Ownership is
+// set to the current user from bctx.
+func execCopy(
+	ctx context.Context,
+	st Step,
+	sandboxID, phase string,
+	step int,
+	bctx *ExecContext,
+	execFn ExecFunc,
+) (BuildLogEntry, bool) {
+	// Validate all source paths: must be relative and not escape the archive directory.
+	var srcPaths []string
+	for _, s := range st.Srcs {
+		cleaned := path.Clean(s)
+		if strings.HasPrefix(cleaned, "..") || strings.HasPrefix(cleaned, "/") {
+			return BuildLogEntry{
+				Step:   step,
+				Phase:  phase,
+				Cmd:    st.Raw,
+				Stderr: fmt.Sprintf("COPY source must be a relative path within the archive: %q", s),
+			}, false
+		}
+		srcPaths = append(srcPaths, shellescape(BuildFilesDir+"/"+cleaned))
+	}
+
+	dst := st.Dst
+	// Resolve relative destination against the current WORKDIR.
+	if dst != "" && dst[0] != '/' && bctx.WorkDir != "" {
+		dst = bctx.WorkDir + "/" + dst
+	}
+	owner := "root"
+	if bctx.User != "" {
+		owner = bctx.User
+	}
+	script := fmt.Sprintf(
+		"cp -r %s %s && chown -R %s:%s %s",
+		strings.Join(srcPaths, " "), shellescape(dst), shellescape(owner), shellescape(owner), shellescape(dst),
+	)
+
+	entry := execRawShell(ctx, st.Raw, sandboxID, phase, step, 60*time.Second, execFn, script)
+	return entry, entry.Ok
+}
+
+// execRawShell runs a shell command directly (as root) without ExecContext
+// wrapping. Used for internal operations like user creation and file copy.
+func execRawShell(
+	ctx context.Context,
+	raw, sandboxID, phase string,
+	step int,
+	timeout time.Duration,
+	execFn ExecFunc,
+	shellCmd string,
+) BuildLogEntry {
+	execCtx, cancel := context.WithTimeout(ctx, timeout)
+	defer cancel()
+
+	start := time.Now()
+	resp, err := execFn(execCtx, connect.NewRequest(&pb.ExecRequest{
+		SandboxId:  sandboxID,
+		Cmd:        "/bin/sh",
+		Args:       []string{"-c", shellCmd},
+		TimeoutSec: int32(timeout.Seconds()),
+	}))
+
+	entry := BuildLogEntry{
+		Step:    step,
+		Phase:   phase,
+		Cmd:     raw,
+		Elapsed: time.Since(start).Milliseconds(),
+	}
+	if err != nil {
+		entry.Stderr = fmt.Sprintf("exec error: %v", err)
+		return entry
+	}
+	entry.Stdout = string(resp.Msg.Stdout)
+	entry.Stderr = string(resp.Msg.Stderr)
+	entry.Exit = resp.Msg.ExitCode
+	entry.Ok = resp.Msg.ExitCode == 0
+	return entry
+}
+
 func execStart(
 	ctx context.Context,
 	st Step,
diff --git a/internal/recipe/step.go b/internal/recipe/step.go
index 7d51036..07e167e 100644
--- a/internal/recipe/step.go
+++ b/internal/recipe/step.go
@@ -24,9 +24,11 @@ type Step struct {
 	Raw     string        // original string, preserved for logging
 	Shell   string        // KindRUN, KindSTART: the shell command text
 	Timeout time.Duration // KindRUN: 0 means use caller's default
-	Key     string        // KindENV: variable name
+	Key     string        // KindENV: variable name; KindUSER: username
 	Value   string        // KindENV: variable value
 	Path    string        // KindWORKDIR: directory path
+	Srcs    []string      // KindCOPY: source paths (relative to build archive)
+	Dst     string        // KindCOPY: destination path inside sandbox
 }
 
 // ParseStep parses a single recipe instruction string into a Step.
@@ -61,9 +63,9 @@ func ParseStep(s string) (Step, error) {
 	case "WORKDIR":
 		return parseWORKDIR(s, rest)
 	case "USER":
-		return Step{Kind: KindUSER, Raw: s}, nil
+		return parseUSER(s, rest)
 	case "COPY":
-		return Step{Kind: KindCOPY, Raw: s}, nil
+		return parseCOPY(s, rest)
 	default:
 		return Step{}, fmt.Errorf("unknown instruction %q (expected RUN, START, ENV, WORKDIR, USER, or COPY)", keyword)
 	}
@@ -127,3 +129,33 @@ func parseWORKDIR(raw, path string) (Step, error) {
 	}
 	return Step{Kind: KindWORKDIR, Raw: raw, Path: path}, nil
 }
+
+func parseUSER(raw, username string) (Step, error) {
+	if username == "" {
+		return Step{}, fmt.Errorf("USER requires a username: %q", raw)
+	}
+	// Validate: alphanumeric, hyphens, underscores only; must start with a letter or underscore.
+	for i, c := range username {
+		if i == 0 && !((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || c == '_') {
+			return Step{}, fmt.Errorf("USER username must start with a letter or underscore: %q", raw)
+		}
+		if !((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9') || c == '_' || c == '-') {
+			return Step{}, fmt.Errorf("USER username contains invalid character %q: %q", string(c), raw)
+		}
+	}
+	return Step{Kind: KindUSER, Raw: raw, Key: username}, nil
+}
+
+func parseCOPY(raw, rest string) (Step, error) {
+	if rest == "" {
+		return Step{}, fmt.Errorf("COPY requires <src>... <dst>: %q", raw)
+	}
+	parts := strings.Fields(rest)
+	if len(parts) < 2 {
+		return Step{}, fmt.Errorf("COPY requires <src>... <dst>: %q", raw)
+	}
+	// Last argument is the destination, everything before is sources.
+	dst := parts[len(parts)-1]
+	srcs := parts[:len(parts)-1]
+	return Step{Kind: KindCOPY, Raw: raw, Srcs: srcs, Dst: dst}, nil
+}
diff --git a/internal/recipe/step_test.go b/internal/recipe/step_test.go
index 2370bb2..2d0c9e2 100644
--- a/internal/recipe/step_test.go
+++ b/internal/recipe/step_test.go
@@ -1,6 +1,7 @@
 package recipe
 
 import (
+	"reflect"
 	"testing"
 	"time"
 )
@@ -111,16 +112,42 @@ func TestParseStep(t *testing.T) {
 			input:   "WORKDIR",
 			wantErr: true,
 		},
-		// USER and COPY stubs
+		// USER
 		{
-			name:  "USER stub",
+			name:  "USER basic",
 			input: "USER www-data",
-			want:  Step{Kind: KindUSER, Raw: "USER www-data"},
+			want:  Step{Kind: KindUSER, Raw: "USER www-data", Key: "www-data"},
 		},
 		{
-			name:  "COPY stub",
+			name:    "USER empty",
+			input:   "USER",
+			wantErr: true,
+		},
+		{
+			name:    "USER invalid chars",
+			input:   "USER bad user",
+			wantErr: true,
+		},
+		// COPY
+		{
+			name:  "COPY basic",
 			input: "COPY config.yaml /etc/app/config.yaml",
-			want:  Step{Kind: KindCOPY, Raw: "COPY config.yaml /etc/app/config.yaml"},
+			want:  Step{Kind: KindCOPY, Raw: "COPY config.yaml /etc/app/config.yaml", Srcs: []string{"config.yaml"}, Dst: "/etc/app/config.yaml"},
+		},
+		{
+			name:  "COPY multiple sources",
+			input: "COPY a.txt b.txt /dest/",
+			want:  Step{Kind: KindCOPY, Raw: "COPY a.txt b.txt /dest/", Srcs: []string{"a.txt", "b.txt"}, Dst: "/dest/"},
+		},
+		{
+			name:    "COPY missing dst",
+			input:   "COPY config.yaml",
+			wantErr: true,
+		},
+		{
+			name:    "COPY empty",
+			input:   "COPY",
+			wantErr: true,
 		},
 		// Unknown keyword
 		{
@@ -148,7 +175,7 @@ func TestParseStep(t *testing.T) {
 			if err != nil {
 				t.Fatalf("ParseStep(%q) unexpected error: %v", tc.input, err)
 			}
-			if got != tc.want {
+			if !reflect.DeepEqual(got, tc.want) {
 				t.Errorf("ParseStep(%q)\n  got  %+v\n  want %+v", tc.input, got, tc.want)
 			}
 		})
diff --git a/internal/sandbox/fcversion.go b/internal/sandbox/fcversion.go
new file mode 100644
index 0000000..092fbe0
--- /dev/null
+++ b/internal/sandbox/fcversion.go
@@ -0,0 +1,30 @@
+package sandbox
+
+import (
+	"fmt"
+	"os/exec"
+	"strings"
+)
+
+// DetectFirecrackerVersion runs the firecracker binary with --version and
+// parses the semver from the output (e.g. "Firecracker v1.14.1" → "1.14.1").
+func DetectFirecrackerVersion(binaryPath string) (string, error) {
+	out, err := exec.Command(binaryPath, "--version").Output()
+	if err != nil {
+		return "", fmt.Errorf("run %s --version: %w", binaryPath, err)
+	}
+
+	// Output is typically "Firecracker v1.14.1\n" or similar.
+	line := strings.TrimSpace(string(out))
+	for _, field := range strings.Fields(line) {
+		v := strings.TrimPrefix(field, "v")
+		if v != field || strings.Contains(field, ".") {
+			// Either had a "v" prefix or contains a dot — likely the version.
+			if strings.Count(v, ".") >= 1 {
+				return v, nil
+			}
+		}
+	}
+
+	return "", fmt.Errorf("could not parse version from firecracker output: %q", line)
+}
diff --git a/internal/sandbox/images.go b/internal/sandbox/images.go
index ecee469..b1a848d 100644
--- a/internal/sandbox/images.go
+++ b/internal/sandbox/images.go
@@ -6,9 +6,11 @@ import (
 	"os"
 	"os/exec"
 	"path/filepath"
+	"strconv"
+	"strings"
 
-	"git.omukk.dev/wrenn/wrenn/internal/id"
 	"git.omukk.dev/wrenn/wrenn/internal/layout"
+	"git.omukk.dev/wrenn/wrenn/pkg/id"
 )
 
 // DefaultDiskSizeMB is the standard disk size for base images. Images smaller
@@ -66,6 +68,73 @@ func EnsureImageSizes(wrennDir string, targetMB int) error {
 	return nil
 }
 
+// ParseSizeToMB parses a human-readable size string into megabytes.
+// Supported suffixes: G, Gi (gibibytes), M, Mi (mebibytes).
+// Examples: "5G" → 5120, "2Gi" → 2048, "1000M" → 1000, "512Mi" → 512.
+func ParseSizeToMB(s string) (int, error) {
+	s = strings.TrimSpace(s)
+	if s == "" {
+		return 0, fmt.Errorf("empty size string")
+	}
+
+	// Find where the numeric part ends.
+	i := 0
+	for i < len(s) && (s[i] == '.' || (s[i] >= '0' && s[i] <= '9')) {
+		i++
+	}
+	if i == 0 {
+		return 0, fmt.Errorf("invalid size %q: no numeric value", s)
+	}
+
+	numStr := s[:i]
+	suffix := strings.TrimSpace(s[i:])
+
+	num, err := strconv.ParseFloat(numStr, 64)
+	if err != nil {
+		return 0, fmt.Errorf("invalid size %q: %w", s, err)
+	}
+
+	switch suffix {
+	case "G", "Gi":
+		return int(num * 1024), nil
+	case "M", "Mi", "":
+		return int(num), nil
+	default:
+		return 0, fmt.Errorf("invalid size %q: unknown suffix %q (use G, Gi, M, or Mi)", s, suffix)
+	}
+}
+
+// ShrinkMinimalImage shrinks the built-in minimal rootfs back to its minimum
+// size using resize2fs -M. This is the inverse of EnsureImageSizes and should
+// be called during graceful shutdown so the image is stored compactly on disk.
+func ShrinkMinimalImage(wrennDir string) {
+	minimalRootfs := layout.TemplateRootfs(wrennDir, id.PlatformTeamID, id.MinimalTemplateID)
+	shrinkImage(minimalRootfs)
+}
+
+// shrinkImage shrinks a single rootfs image to its minimum size.
+func shrinkImage(rootfs string) {
+	if _, err := os.Stat(rootfs); err != nil {
+		return
+	}
+
+	slog.Info("shrinking base image", "path", rootfs)
+
+	if out, err := exec.Command("e2fsck", "-fy", rootfs).CombinedOutput(); err != nil {
+		if exitErr, ok := err.(*exec.ExitError); ok && exitErr.ExitCode() > 1 {
+			slog.Warn("e2fsck before shrink failed", "path", rootfs, "output", string(out), "error", err)
+			return
+		}
+	}
+
+	if out, err := exec.Command("resize2fs", "-M", rootfs).CombinedOutput(); err != nil {
+		slog.Warn("resize2fs -M failed", "path", rootfs, "output", string(out), "error", err)
+		return
+	}
+
+	slog.Info("base image shrunk", "path", rootfs)
+}
+
 // expandImage expands a single rootfs image if it is smaller than targetBytes.
 func expandImage(rootfs string, targetBytes int64, targetMB int) error {
 	info, err := os.Stat(rootfs)
diff --git a/internal/sandbox/manager.go b/internal/sandbox/manager.go
index e920476..524631d 100644
--- a/internal/sandbox/manager.go
+++ b/internal/sandbox/manager.go
@@ -17,19 +17,28 @@ import (
 
 	"git.omukk.dev/wrenn/wrenn/internal/devicemapper"
 	"git.omukk.dev/wrenn/wrenn/internal/envdclient"
-	"git.omukk.dev/wrenn/wrenn/internal/id"
 	"git.omukk.dev/wrenn/wrenn/internal/layout"
 	"git.omukk.dev/wrenn/wrenn/internal/models"
 	"git.omukk.dev/wrenn/wrenn/internal/network"
 	"git.omukk.dev/wrenn/wrenn/internal/snapshot"
 	"git.omukk.dev/wrenn/wrenn/internal/uffd"
 	"git.omukk.dev/wrenn/wrenn/internal/vm"
+	"git.omukk.dev/wrenn/wrenn/pkg/id"
+	envdpb "git.omukk.dev/wrenn/wrenn/proto/envd/gen"
 )
 
 // Config holds the paths and defaults for the sandbox manager.
 type Config struct {
-	WrennDir    string // root directory (e.g. /var/lib/wrenn); all sub-paths derived via layout package
-	EnvdTimeout time.Duration
+	WrennDir            string // root directory (e.g. /var/lib/wrenn); all sub-paths derived via layout package
+	EnvdTimeout         time.Duration
+	DefaultRootfsSizeMB int // target size for template rootfs images; 0 → DefaultDiskSizeMB
+
+	// Resolved at startup by the host agent.
+	KernelPath         string // path to the latest vmlinux-x.y.z
+	KernelVersion      string // semver extracted from filename
+	FirecrackerBin     string // path to the firecracker binary
+	FirecrackerVersion string // semver from firecracker --version
+	AgentVersion       string // host agent version (injected via ldflags)
 }
 
 // Manager orchestrates sandbox lifecycle: VM, network, filesystem, envd.
@@ -84,6 +93,35 @@ type snapshotParent struct {
 // preventing the crash.
 const maxDiffGenerations = 8
 
+// buildMetadata constructs the metadata map with version information.
+func (m *Manager) buildMetadata(envdVersion string) map[string]string {
+	meta := map[string]string{
+		"kernel_version":      m.cfg.KernelVersion,
+		"firecracker_version": m.cfg.FirecrackerVersion,
+		"agent_version":       m.cfg.AgentVersion,
+	}
+	if envdVersion != "" {
+		meta["envd_version"] = envdVersion
+	}
+	return meta
+}
+
+// resolveKernelPath returns the kernel path for the given version hint.
+// If the exact version exists on disk, it is used. Otherwise, falls back to
+// the latest kernel (m.cfg.KernelPath).
+func (m *Manager) resolveKernelPath(versionHint string) string {
+	if versionHint == "" {
+		return m.cfg.KernelPath
+	}
+	exact := layout.KernelPathVersioned(m.cfg.WrennDir, versionHint)
+	if _, err := os.Stat(exact); err == nil {
+		return exact
+	}
+	slog.Warn("requested kernel version not found, using latest",
+		"requested", versionHint, "latest", m.cfg.KernelVersion)
+	return m.cfg.KernelPath
+}
+
 // New creates a new sandbox manager.
 func New(cfg Config) *Manager {
 	if cfg.EnvdTimeout == 0 {
@@ -173,7 +211,7 @@ func (m *Manager) Create(ctx context.Context, sandboxID string, teamID, template
 	vmCfg := vm.VMConfig{
 		SandboxID:        sandboxID,
 		TemplateID:       id.UUIDString(templateID),
-		KernelPath:       layout.KernelPath(m.cfg.WrennDir),
+		KernelPath:       m.cfg.KernelPath,
 		RootfsPath:       dmDev.DevicePath,
 		VCPUs:            vcpus,
 		MemoryMB:         memoryMB,
@@ -183,6 +221,7 @@ func (m *Manager) Create(ctx context.Context, sandboxID string, teamID, template
 		GuestIP:          slot.GuestIP,
 		GatewayIP:        slot.TapIP,
 		NetMask:          slot.GuestNetMask,
+		FirecrackerBin:   m.cfg.FirecrackerBin,
 	}
 
 	if _, err := m.vm.Create(ctx, vmCfg); err != nil {
@@ -209,6 +248,9 @@ func (m *Manager) Create(ctx context.Context, sandboxID string, teamID, template
 		return nil, fmt.Errorf("wait for envd: %w", err)
 	}
 
+	// Fetch envd version (best-effort).
+	envdVersion, _ := client.FetchVersion(ctx)
+
 	now := time.Now()
 	sb := &sandboxState{
 		Sandbox: models.Sandbox{
@@ -224,6 +266,7 @@ func (m *Manager) Create(ctx context.Context, sandboxID string, teamID, template
 			RootfsPath:     dmDev.DevicePath,
 			CreatedAt:      now,
 			LastActiveAt:   now,
+			Metadata:       m.buildMetadata(envdVersion),
 		},
 		slot:          slot,
 		client:        client,
@@ -326,6 +369,20 @@ func (m *Manager) Pause(ctx context.Context, sandboxID string) error {
 	sb.connTracker.Drain(2 * time.Second)
 	slog.Debug("pause: proxy connections drained", "id", sandboxID)
 
+	// Step 0b: Signal envd to quiesce continuous goroutines (port scanner,
+	// forwarder) and run GC before freezing vCPUs. This prevents Go runtime
+	// page allocator corruption ("bad summary data") on snapshot restore.
+	// Best-effort: a failure is logged but does not abort the pause.
+	func() {
+		prepCtx, prepCancel := context.WithTimeout(ctx, 3*time.Second)
+		defer prepCancel()
+		if err := sb.client.PrepareSnapshot(prepCtx); err != nil {
+			slog.Warn("pause: pre-snapshot quiesce failed (best-effort)", "id", sandboxID, "error", err)
+		} else {
+			slog.Debug("pause: envd goroutines quiesced", "id", sandboxID)
+		}
+	}()
+
 	pauseStart := time.Now()
 
 	// Step 1: Pause the VM (freeze vCPUs).
@@ -542,7 +599,7 @@ func (m *Manager) Pause(ctx context.Context, sandboxID string) error {
 
 // Resume restores a paused sandbox from its snapshot using UFFD for
 // lazy memory loading. The sandbox gets a new network slot.
-func (m *Manager) Resume(ctx context.Context, sandboxID string, timeoutSec int) (*models.Sandbox, error) {
+func (m *Manager) Resume(ctx context.Context, sandboxID string, timeoutSec int, kernelVersion string) (*models.Sandbox, error) {
 	pauseDir := layout.PauseSnapshotDir(m.cfg.WrennDir, sandboxID)
 	if _, err := os.Stat(pauseDir); err != nil {
 		return nil, fmt.Errorf("no snapshot found for sandbox %s", sandboxID)
@@ -656,7 +713,7 @@ func (m *Manager) Resume(ctx context.Context, sandboxID string, timeoutSec int)
 	// Restore VM from snapshot.
 	vmCfg := vm.VMConfig{
 		SandboxID:        sandboxID,
-		KernelPath:       layout.KernelPath(m.cfg.WrennDir),
+		KernelPath:       m.resolveKernelPath(kernelVersion),
 		RootfsPath:       dmDev.DevicePath,
 		VCPUs:            1,                                         // Placeholder; overridden by snapshot.
 		MemoryMB:         int(header.Metadata.Size / (1024 * 1024)), // Placeholder; overridden by snapshot.
@@ -666,6 +723,7 @@ func (m *Manager) Resume(ctx context.Context, sandboxID string, timeoutSec int)
 		GuestIP:          slot.GuestIP,
 		GatewayIP:        slot.TapIP,
 		NetMask:          slot.GuestNetMask,
+		FirecrackerBin:   m.cfg.FirecrackerBin,
 	}
 
 	resumeSnapPath := filepath.Join(pauseDir, snapshot.SnapFileName)
@@ -697,6 +755,14 @@ func (m *Manager) Resume(ctx context.Context, sandboxID string, timeoutSec int)
 		return nil, fmt.Errorf("wait for envd: %w", err)
 	}
 
+	// Trigger envd to re-read MMDS so it picks up the new sandbox/template IDs.
+	if err := client.PostInit(waitCtx); err != nil {
+		slog.Warn("post-init failed after resume, metadata files may be stale", "sandbox", sandboxID, "error", err)
+	}
+
+	// Fetch envd version (best-effort).
+	envdVersion, _ := client.FetchVersion(ctx)
+
 	now := time.Now()
 	sb := &sandboxState{
 		Sandbox: models.Sandbox{
@@ -710,6 +776,7 @@ func (m *Manager) Resume(ctx context.Context, sandboxID string, timeoutSec int)
 			RootfsPath:   dmDev.DevicePath,
 			CreatedAt:    now,
 			LastActiveAt: now,
+			Metadata:     m.buildMetadata(envdVersion),
 		},
 		slot:           slot,
 		client:         client,
@@ -880,6 +947,18 @@ func (m *Manager) FlattenRootfs(ctx context.Context, sandboxID string, teamID, t
 		return 0, fmt.Errorf("sandbox %s not found", sandboxID)
 	}
 
+	// Flush guest page cache to disk before stopping the VM. Without this,
+	// files written by the build (e.g. pip-installed packages) may exist in the
+	// guest's page cache but not yet on the dm block device — flatten would then
+	// capture 0-byte files.
+	func() {
+		syncCtx, cancel := context.WithTimeout(ctx, 10*time.Second)
+		defer cancel()
+		if _, err := sb.client.Exec(syncCtx, "/bin/sync"); err != nil {
+			slog.Warn("flatten: guest sync failed (non-fatal)", "id", sb.ID, "error", err)
+		}
+	}()
+
 	// Stop the VM but keep the dm device alive for flattening.
 	m.stopSampler(sb)
 	if err := m.vm.Destroy(ctx, sb.ID); err != nil {
@@ -919,8 +998,8 @@ func (m *Manager) FlattenRootfs(ctx context.Context, sandboxID string, teamID, t
 	// Clean up dm device and loop device now that flatten is complete.
 	m.cleanupDM(sb)
 
-	// Shrink the flattened image to its minimum size so stored templates are
-	// compact. EnsureImageSizes will re-expand them on the next agent startup.
+	// Shrink the flattened image to its minimum size, then re-expand to the
+	// configured default rootfs size so sandboxes see the full disk from boot.
 	if out, err := exec.Command("e2fsck", "-fy", outputPath).CombinedOutput(); err != nil {
 		if exitErr, ok := err.(*exec.ExitError); ok && exitErr.ExitCode() > 1 {
 			slog.Warn("e2fsck before shrink failed (non-fatal)", "output", string(out), "error", err)
@@ -930,6 +1009,15 @@ func (m *Manager) FlattenRootfs(ctx context.Context, sandboxID string, teamID, t
 		slog.Warn("resize2fs -M failed (non-fatal)", "output", string(out), "error", err)
 	}
 
+	// Re-expand to default rootfs size.
+	targetMB := m.cfg.DefaultRootfsSizeMB
+	if targetMB <= 0 {
+		targetMB = DefaultDiskSizeMB
+	}
+	if err := expandImage(outputPath, int64(targetMB)*1024*1024, targetMB); err != nil {
+		slog.Warn("failed to expand template to default size (non-fatal)", "error", err)
+	}
+
 	sizeBytes, err := snapshot.DirSize(flattenDstDir, "")
 	if err != nil {
 		slog.Warn("failed to calculate template size", "error", err)
@@ -1057,7 +1145,7 @@ func (m *Manager) createFromSnapshot(ctx context.Context, sandboxID string, team
 	vmCfg := vm.VMConfig{
 		SandboxID:        sandboxID,
 		TemplateID:       id.UUIDString(templateID),
-		KernelPath:       layout.KernelPath(m.cfg.WrennDir),
+		KernelPath:       m.cfg.KernelPath,
 		RootfsPath:       dmDev.DevicePath,
 		VCPUs:            vcpus,
 		MemoryMB:         memoryMB,
@@ -1067,6 +1155,7 @@ func (m *Manager) createFromSnapshot(ctx context.Context, sandboxID string, team
 		GuestIP:          slot.GuestIP,
 		GatewayIP:        slot.TapIP,
 		NetMask:          slot.GuestNetMask,
+		FirecrackerBin:   m.cfg.FirecrackerBin,
 	}
 
 	snapPath := filepath.Join(tmplDir, snapshot.SnapFileName)
@@ -1098,6 +1187,14 @@ func (m *Manager) createFromSnapshot(ctx context.Context, sandboxID string, team
 		return nil, fmt.Errorf("wait for envd: %w", err)
 	}
 
+	// Trigger envd to re-read MMDS so it picks up the new sandbox/template IDs.
+	if err := client.PostInit(waitCtx); err != nil {
+		slog.Warn("post-init failed after template restore, metadata files may be stale", "sandbox", sandboxID, "error", err)
+	}
+
+	// Fetch envd version (best-effort).
+	envdVersion, _ := client.FetchVersion(ctx)
+
 	now := time.Now()
 	sb := &sandboxState{
 		Sandbox: models.Sandbox{
@@ -1113,6 +1210,7 @@ func (m *Manager) createFromSnapshot(ctx context.Context, sandboxID string, team
 			RootfsPath:     dmDev.DevicePath,
 			CreatedAt:      now,
 			LastActiveAt:   now,
+			Metadata:       m.buildMetadata(envdVersion),
 		},
 		slot:           slot,
 		client:         client,
@@ -1213,6 +1311,155 @@ func (m *Manager) GetClient(sandboxID string) (*envdclient.Client, error) {
 	return sb.client, nil
 }
 
+// SetDefaults calls envd's PostInit to configure the default user and
+// environment variables for a running sandbox. This is called by the host
+// agent after sandbox creation or resume when the template specifies defaults.
+func (m *Manager) SetDefaults(ctx context.Context, sandboxID, defaultUser string, defaultEnv map[string]string) error {
+	if defaultUser == "" && len(defaultEnv) == 0 {
+		return nil
+	}
+	sb, err := m.get(sandboxID)
+	if err != nil {
+		return err
+	}
+	if sb.Status != models.StatusRunning {
+		return fmt.Errorf("sandbox %s is not running (status: %s)", sandboxID, sb.Status)
+	}
+	return sb.client.PostInitWithDefaults(ctx, defaultUser, defaultEnv)
+}
+
+// PtyAttach starts a new PTY process or reconnects to an existing one.
+// If cmd is non-empty, starts a new process. If empty, reconnects using tag.
+func (m *Manager) PtyAttach(ctx context.Context, sandboxID, tag, cmd string, args []string, cols, rows uint32, envs map[string]string, cwd string) (<-chan envdclient.PtyEvent, error) {
+	sb, err := m.get(sandboxID)
+	if err != nil {
+		return nil, err
+	}
+	if sb.Status != models.StatusRunning {
+		return nil, fmt.Errorf("sandbox %s is not running (status: %s)", sandboxID, sb.Status)
+	}
+
+	m.mu.Lock()
+	sb.LastActiveAt = time.Now()
+	m.mu.Unlock()
+
+	if cmd != "" {
+		return sb.client.PtyStart(ctx, tag, cmd, args, cols, rows, envs, cwd)
+	}
+	return sb.client.PtyConnect(ctx, tag)
+}
+
+// PtySendInput sends raw bytes to a PTY process in a sandbox.
+func (m *Manager) PtySendInput(ctx context.Context, sandboxID, tag string, data []byte) error {
+	sb, err := m.get(sandboxID)
+	if err != nil {
+		return err
+	}
+	if sb.Status != models.StatusRunning {
+		return fmt.Errorf("sandbox %s is not running (status: %s)", sandboxID, sb.Status)
+	}
+
+	m.mu.Lock()
+	sb.LastActiveAt = time.Now()
+	m.mu.Unlock()
+
+	return sb.client.PtySendInput(ctx, tag, data)
+}
+
+// PtyResize updates the terminal dimensions for a PTY process in a sandbox.
+func (m *Manager) PtyResize(ctx context.Context, sandboxID, tag string, cols, rows uint32) error {
+	sb, err := m.get(sandboxID)
+	if err != nil {
+		return err
+	}
+	if sb.Status != models.StatusRunning {
+		return fmt.Errorf("sandbox %s is not running (status: %s)", sandboxID, sb.Status)
+	}
+
+	return sb.client.PtyResize(ctx, tag, cols, rows)
+}
+
+// PtyKill sends SIGKILL to a PTY process in a sandbox.
+func (m *Manager) PtyKill(ctx context.Context, sandboxID, tag string) error {
+	sb, err := m.get(sandboxID)
+	if err != nil {
+		return err
+	}
+	if sb.Status != models.StatusRunning {
+		return fmt.Errorf("sandbox %s is not running (status: %s)", sandboxID, sb.Status)
+	}
+
+	return sb.client.PtyKill(ctx, tag)
+}
+
+// StartBackground starts a background process inside a sandbox.
+func (m *Manager) StartBackground(ctx context.Context, sandboxID, tag, cmd string, args []string, envs map[string]string, cwd string) (uint32, error) {
+	sb, err := m.get(sandboxID)
+	if err != nil {
+		return 0, err
+	}
+	if sb.Status != models.StatusRunning {
+		return 0, fmt.Errorf("sandbox %s is not running (status: %s)", sandboxID, sb.Status)
+	}
+
+	m.mu.Lock()
+	sb.LastActiveAt = time.Now()
+	m.mu.Unlock()
+
+	return sb.client.StartBackground(ctx, tag, cmd, args, envs, cwd)
+}
+
+// ConnectProcess re-attaches to a running process inside a sandbox.
+func (m *Manager) ConnectProcess(ctx context.Context, sandboxID string, pid uint32, tag string) (<-chan envdclient.ExecStreamEvent, error) {
+	sb, err := m.get(sandboxID)
+	if err != nil {
+		return nil, err
+	}
+	if sb.Status != models.StatusRunning {
+		return nil, fmt.Errorf("sandbox %s is not running (status: %s)", sandboxID, sb.Status)
+	}
+
+	m.mu.Lock()
+	sb.LastActiveAt = time.Now()
+	m.mu.Unlock()
+
+	return sb.client.ConnectProcess(ctx, pid, tag)
+}
+
+// ListProcesses returns all running processes inside a sandbox.
+func (m *Manager) ListProcesses(ctx context.Context, sandboxID string) ([]envdclient.ProcessInfo, error) {
+	sb, err := m.get(sandboxID)
+	if err != nil {
+		return nil, err
+	}
+	if sb.Status != models.StatusRunning {
+		return nil, fmt.Errorf("sandbox %s is not running (status: %s)", sandboxID, sb.Status)
+	}
+
+	m.mu.Lock()
+	sb.LastActiveAt = time.Now()
+	m.mu.Unlock()
+
+	return sb.client.ListProcesses(ctx)
+}
+
+// KillProcess sends a signal to a process inside a sandbox.
+func (m *Manager) KillProcess(ctx context.Context, sandboxID string, pid uint32, tag string, signal envdpb.Signal) error {
+	sb, err := m.get(sandboxID)
+	if err != nil {
+		return err
+	}
+	if sb.Status != models.StatusRunning {
+		return fmt.Errorf("sandbox %s is not running (status: %s)", sandboxID, sb.Status)
+	}
+
+	m.mu.Lock()
+	sb.LastActiveAt = time.Now()
+	m.mu.Unlock()
+
+	return sb.client.KillProcess(ctx, pid, tag, signal)
+}
+
 // AcquireProxyConn atomically looks up a sandbox by ID and registers an
 // in-flight proxy connection. Returns the sandbox's host-reachable IP, the
 // connection tracker, and true on success. The caller must call
diff --git a/internal/scheduler/least_loaded.go b/internal/scheduler/least_loaded.go
deleted file mode 100644
index 6990da0..0000000
--- a/internal/scheduler/least_loaded.go
+++ /dev/null
@@ -1 +0,0 @@
-package scheduler
diff --git a/internal/vm/manager.go b/internal/vm/manager.go
index 9e9466f..99dbfe3 100644
--- a/internal/vm/manager.go
+++ b/internal/vm/manager.go
@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"log/slog"
 	"os"
+	"sync"
 	"time"
 )
 
@@ -17,6 +18,7 @@ type VM struct {
 
 // Manager handles the lifecycle of Firecracker microVMs.
 type Manager struct {
+	mu sync.RWMutex
 	// vms tracks running VMs by sandbox ID.
 	vms map[string]*VM
 }
@@ -84,7 +86,9 @@ func (m *Manager) Create(ctx context.Context, cfg VMConfig) (*VM, error) {
 		client:  client,
 	}
 
+	m.mu.Lock()
 	m.vms[cfg.SandboxID] = vm
+	m.mu.Unlock()
 
 	slog.Info("VM started successfully", "sandbox", cfg.SandboxID)
 
@@ -126,7 +130,9 @@ func configureVM(ctx context.Context, client *fcClient, cfg *VMConfig) error {
 
 // Pause pauses a running VM.
 func (m *Manager) Pause(ctx context.Context, sandboxID string) error {
+	m.mu.RLock()
 	vm, ok := m.vms[sandboxID]
+	m.mu.RUnlock()
 	if !ok {
 		return fmt.Errorf("VM not found: %s", sandboxID)
 	}
@@ -141,7 +147,9 @@ func (m *Manager) Pause(ctx context.Context, sandboxID string) error {
 
 // Resume resumes a paused VM.
 func (m *Manager) Resume(ctx context.Context, sandboxID string) error {
+	m.mu.RLock()
 	vm, ok := m.vms[sandboxID]
+	m.mu.RUnlock()
 	if !ok {
 		return fmt.Errorf("VM not found: %s", sandboxID)
 	}
@@ -156,10 +164,14 @@ func (m *Manager) Resume(ctx context.Context, sandboxID string) error {
 
 // Destroy stops and cleans up a VM.
 func (m *Manager) Destroy(ctx context.Context, sandboxID string) error {
+	m.mu.Lock()
 	vm, ok := m.vms[sandboxID]
 	if !ok {
+		m.mu.Unlock()
 		return fmt.Errorf("VM not found: %s", sandboxID)
 	}
+	delete(m.vms, sandboxID)
+	m.mu.Unlock()
 
 	slog.Info("destroying VM", "sandbox", sandboxID)
 
@@ -171,8 +183,6 @@ func (m *Manager) Destroy(ctx context.Context, sandboxID string) error {
 	// Clean up the API socket.
 	os.Remove(vm.Config.SocketPath)
 
-	delete(m.vms, sandboxID)
-
 	slog.Info("VM destroyed", "sandbox", sandboxID)
 	return nil
 }
@@ -180,7 +190,9 @@ func (m *Manager) Destroy(ctx context.Context, sandboxID string) error {
 // Snapshot creates a VM snapshot. The VM must already be paused.
 // snapshotType is "Full" (all memory) or "Diff" (only dirty pages since last resume).
 func (m *Manager) Snapshot(ctx context.Context, sandboxID, snapPath, memPath, snapshotType string) error {
+	m.mu.RLock()
 	vm, ok := m.vms[sandboxID]
+	m.mu.RUnlock()
 	if !ok {
 		return fmt.Errorf("VM not found: %s", sandboxID)
 	}
@@ -263,7 +275,9 @@ func (m *Manager) CreateFromSnapshot(ctx context.Context, cfg VMConfig, snapPath
 		client:  client,
 	}
 
+	m.mu.Lock()
 	m.vms[cfg.SandboxID] = vm
+	m.mu.Unlock()
 
 	slog.Info("VM restored from snapshot", "sandbox", cfg.SandboxID)
 	return vm, nil
@@ -277,7 +291,9 @@ func (v *VM) PID() int {
 
 // Get returns a running VM by sandbox ID.
 func (m *Manager) Get(sandboxID string) (*VM, bool) {
+	m.mu.RLock()
 	vm, ok := m.vms[sandboxID]
+	m.mu.RUnlock()
 	return vm, ok
 }
 
diff --git a/internal/audit/logger.go b/pkg/audit/logger.go
similarity index 99%
rename from internal/audit/logger.go
rename to pkg/audit/logger.go
index 2210594..e101b3c 100644
--- a/internal/audit/logger.go
+++ b/pkg/audit/logger.go
@@ -7,10 +7,10 @@ import (
 
 	"github.com/jackc/pgx/v5/pgtype"
 
-	"git.omukk.dev/wrenn/wrenn/internal/auth"
-	"git.omukk.dev/wrenn/wrenn/internal/db"
-	"git.omukk.dev/wrenn/wrenn/internal/events"
-	"git.omukk.dev/wrenn/wrenn/internal/id"
+	"git.omukk.dev/wrenn/wrenn/pkg/auth"
+	"git.omukk.dev/wrenn/wrenn/pkg/db"
+	"git.omukk.dev/wrenn/wrenn/pkg/events"
+	"git.omukk.dev/wrenn/wrenn/pkg/id"
 )
 
 // AuditLogger writes audit log entries for user-initiated and system events.
diff --git a/internal/auth/apikey.go b/pkg/auth/apikey.go
similarity index 100%
rename from internal/auth/apikey.go
rename to pkg/auth/apikey.go
diff --git a/internal/auth/cert.go b/pkg/auth/cert.go
similarity index 100%
rename from internal/auth/cert.go
rename to pkg/auth/cert.go
diff --git a/internal/auth/context.go b/pkg/auth/context.go
similarity index 100%
rename from internal/auth/context.go
rename to pkg/auth/context.go
diff --git a/internal/auth/jwt.go b/pkg/auth/jwt.go
similarity index 98%
rename from internal/auth/jwt.go
rename to pkg/auth/jwt.go
index 21cd589..70dd947 100644
--- a/internal/auth/jwt.go
+++ b/pkg/auth/jwt.go
@@ -7,7 +7,7 @@ import (
 	"github.com/golang-jwt/jwt/v5"
 	"github.com/jackc/pgx/v5/pgtype"
 
-	"git.omukk.dev/wrenn/wrenn/internal/id"
+	"git.omukk.dev/wrenn/wrenn/pkg/id"
 )
 
 const jwtExpiry = 6 * time.Hour
diff --git a/internal/auth/oauth/github.go b/pkg/auth/oauth/github.go
similarity index 100%
rename from internal/auth/oauth/github.go
rename to pkg/auth/oauth/github.go
diff --git a/internal/auth/oauth/provider.go b/pkg/auth/oauth/provider.go
similarity index 100%
rename from internal/auth/oauth/provider.go
rename to pkg/auth/oauth/provider.go
diff --git a/internal/auth/password.go b/pkg/auth/password.go
similarity index 100%
rename from internal/auth/password.go
rename to pkg/auth/password.go
diff --git a/internal/channels/crypto.go b/pkg/channels/crypto.go
similarity index 100%
rename from internal/channels/crypto.go
rename to pkg/channels/crypto.go
diff --git a/internal/channels/deliver.go b/pkg/channels/deliver.go
similarity index 94%
rename from internal/channels/deliver.go
rename to pkg/channels/deliver.go
index 1f5e333..51e01db 100644
--- a/internal/channels/deliver.go
+++ b/pkg/channels/deliver.go
@@ -7,7 +7,7 @@ import (
 
 	"github.com/containrrr/shoutrrr"
 
-	"git.omukk.dev/wrenn/wrenn/internal/events"
+	"git.omukk.dev/wrenn/wrenn/pkg/events"
 )
 
 // Deliver sends a notification to a single provider with the given config.
diff --git a/internal/channels/dispatcher.go b/pkg/channels/dispatcher.go
similarity index 97%
rename from internal/channels/dispatcher.go
rename to pkg/channels/dispatcher.go
index b28b05d..4a24d5a 100644
--- a/internal/channels/dispatcher.go
+++ b/pkg/channels/dispatcher.go
@@ -8,9 +8,9 @@ import (
 
 	"github.com/redis/go-redis/v9"
 
-	"git.omukk.dev/wrenn/wrenn/internal/db"
-	"git.omukk.dev/wrenn/wrenn/internal/events"
-	"git.omukk.dev/wrenn/wrenn/internal/id"
+	"git.omukk.dev/wrenn/wrenn/pkg/db"
+	"git.omukk.dev/wrenn/wrenn/pkg/events"
+	"git.omukk.dev/wrenn/wrenn/pkg/id"
 )
 
 const (
diff --git a/internal/channels/message.go b/pkg/channels/message.go
similarity index 97%
rename from internal/channels/message.go
rename to pkg/channels/message.go
index 2900c40..fe512de 100644
--- a/internal/channels/message.go
+++ b/pkg/channels/message.go
@@ -4,7 +4,7 @@ import (
 	"fmt"
 	"strings"
 
-	"git.omukk.dev/wrenn/wrenn/internal/events"
+	"git.omukk.dev/wrenn/wrenn/pkg/events"
 )
 
 // FormatMessage produces a human-readable notification string containing
diff --git a/internal/channels/publisher.go b/pkg/channels/publisher.go
similarity index 95%
rename from internal/channels/publisher.go
rename to pkg/channels/publisher.go
index da632c5..3f2c36f 100644
--- a/internal/channels/publisher.go
+++ b/pkg/channels/publisher.go
@@ -7,7 +7,7 @@ import (
 
 	"github.com/redis/go-redis/v9"
 
-	"git.omukk.dev/wrenn/wrenn/internal/events"
+	"git.omukk.dev/wrenn/wrenn/pkg/events"
 )
 
 const streamKey = "wrenn:events"
diff --git a/internal/channels/service.go b/pkg/channels/service.go
similarity index 97%
rename from internal/channels/service.go
rename to pkg/channels/service.go
index 5f53742..248abfc 100644
--- a/internal/channels/service.go
+++ b/pkg/channels/service.go
@@ -13,10 +13,10 @@ import (
 	"github.com/jackc/pgx/v5/pgconn"
 	"github.com/jackc/pgx/v5/pgtype"
 
-	"git.omukk.dev/wrenn/wrenn/internal/db"
-	"git.omukk.dev/wrenn/wrenn/internal/events"
-	"git.omukk.dev/wrenn/wrenn/internal/id"
-	"git.omukk.dev/wrenn/wrenn/internal/validate"
+	"git.omukk.dev/wrenn/wrenn/pkg/db"
+	"git.omukk.dev/wrenn/wrenn/pkg/events"
+	"git.omukk.dev/wrenn/wrenn/pkg/id"
+	"git.omukk.dev/wrenn/wrenn/pkg/validate"
 )
 
 // Valid providers.
diff --git a/internal/channels/shoutrrr.go b/pkg/channels/shoutrrr.go
similarity index 100%
rename from internal/channels/shoutrrr.go
rename to pkg/channels/shoutrrr.go
diff --git a/internal/channels/webhook.go b/pkg/channels/webhook.go
similarity index 100%
rename from internal/channels/webhook.go
rename to pkg/channels/webhook.go
diff --git a/internal/config/config.go b/pkg/config/config.go
similarity index 70%
rename from internal/config/config.go
rename to pkg/config/config.go
index dbc1f1f..a695392 100644
--- a/internal/config/config.go
+++ b/pkg/config/config.go
@@ -3,6 +3,7 @@ package config
 import (
 	"encoding/hex"
 	"os"
+	"strconv"
 
 	"github.com/joho/godotenv"
 )
@@ -13,6 +14,7 @@ type Config struct {
 	RedisURL    string
 	ListenAddr  string
 	JWTSecret   string
+	WrennDir    string // WRENN_DIR — base directory for wrenn data (logs, etc.)
 
 	// mTLS — CP→Agent channel. Both must be set to enable mTLS; omitting either
 	// disables cert issuance and leaves agent connections on plain HTTP (dev mode).
@@ -27,6 +29,13 @@ type Config struct {
 	// Channels — encryption for channel secrets (AES-256-GCM).
 	EncryptionKeyHex string   // WRENN_ENCRYPTION_KEY raw hex string (for validation)
 	EncryptionKey    [32]byte // parsed 32-byte key
+
+	// SMTP — transactional email. All fields optional; omitting SMTPHost disables email.
+	SMTPHost      string // SMTP_HOST
+	SMTPPort      int    // SMTP_PORT (default 587)
+	SMTPUsername  string // SMTP_USERNAME
+	SMTPPassword  string // SMTP_PASSWORD
+	SMTPFromEmail string // SMTP_FROM_EMAIL
 }
 
 // Load reads configuration from a .env file (if present) and environment variables.
@@ -40,6 +49,7 @@ func Load() Config {
 		RedisURL:    envOrDefault("REDIS_URL", "redis://localhost:6379/0"),
 		ListenAddr:  envOrDefault("WRENN_CP_LISTEN_ADDR", ":8080"),
 		JWTSecret:   os.Getenv("JWT_SECRET"),
+		WrennDir:    envOrDefault("WRENN_DIR", "/var/lib/wrenn"),
 
 		CACert: os.Getenv("WRENN_CA_CERT"),
 		CAKey:  os.Getenv("WRENN_CA_KEY"),
@@ -50,6 +60,12 @@ func Load() Config {
 		CPPublicURL:             os.Getenv("CP_PUBLIC_URL"),
 
 		EncryptionKeyHex: os.Getenv("WRENN_ENCRYPTION_KEY"),
+
+		SMTPHost:      os.Getenv("SMTP_HOST"),
+		SMTPPort:      envOrDefaultInt("SMTP_PORT", 587),
+		SMTPUsername:  os.Getenv("SMTP_USERNAME"),
+		SMTPPassword:  os.Getenv("SMTP_PASSWORD"),
+		SMTPFromEmail: envOrDefault("SMTP_FROM_EMAIL", "noreply@wrenn.dev"),
 	}
 
 	if cfg.EncryptionKeyHex != "" {
@@ -68,3 +84,15 @@ func envOrDefault(key, def string) string {
 	}
 	return def
 }
+
+func envOrDefaultInt(key string, def int) int {
+	v := os.Getenv(key)
+	if v == "" {
+		return def
+	}
+	n, err := strconv.Atoi(v)
+	if err != nil {
+		return def
+	}
+	return n
+}
diff --git a/pkg/cpextension/extension.go b/pkg/cpextension/extension.go
new file mode 100644
index 0000000..b2065f2
--- /dev/null
+++ b/pkg/cpextension/extension.go
@@ -0,0 +1,50 @@
+// Package cpextension defines the types for extending the control plane server.
+// This package is intentionally minimal and dependency-free (relative to internal/)
+// to avoid import cycles between pkg/cpserver and internal/api.
+package cpextension
+
+import (
+	"context"
+
+	"github.com/go-chi/chi/v5"
+	"github.com/jackc/pgx/v5/pgxpool"
+	"github.com/redis/go-redis/v9"
+
+	"git.omukk.dev/wrenn/wrenn/internal/email"
+	"git.omukk.dev/wrenn/wrenn/pkg/audit"
+	"git.omukk.dev/wrenn/wrenn/pkg/auth"
+	"git.omukk.dev/wrenn/wrenn/pkg/config"
+	"git.omukk.dev/wrenn/wrenn/pkg/db"
+	"git.omukk.dev/wrenn/wrenn/pkg/lifecycle"
+	"git.omukk.dev/wrenn/wrenn/pkg/scheduler"
+)
+
+// ServerContext exposes the initialized dependencies that extensions can use
+// to register routes and start background workers. All fields are read-only
+// from the extension's perspective.
+type ServerContext struct {
+	Queries   *db.Queries
+	PgPool    *pgxpool.Pool
+	Redis     *redis.Client
+	HostPool  *lifecycle.HostClientPool
+	Scheduler scheduler.HostScheduler
+	CA        *auth.CA
+	Audit     *audit.AuditLogger
+	Mailer    email.Mailer
+	JWTSecret []byte
+	Config    config.Config
+}
+
+// Extension allows enterprise (or any external) code to plug additional
+// routes and background workers into the control plane without modifying
+// the core server.
+type Extension interface {
+	// RegisterRoutes is called after all core routes are registered.
+	// The chi.Router supports sub-routing, middleware, etc.
+	RegisterRoutes(r chi.Router, ctx ServerContext)
+
+	// BackgroundWorkers returns functions that will be called once with
+	// the application context after the server is fully initialized.
+	// Each function should start its own goroutine(s) and return.
+	BackgroundWorkers(ctx ServerContext) []func(context.Context)
+}
diff --git a/pkg/cpserver/extension.go b/pkg/cpserver/extension.go
new file mode 100644
index 0000000..26a0dc6
--- /dev/null
+++ b/pkg/cpserver/extension.go
@@ -0,0 +1,11 @@
+package cpserver
+
+import "git.omukk.dev/wrenn/wrenn/pkg/cpextension"
+
+// ServerContext is an alias for cpextension.ServerContext.
+// Enterprise code should use this package (pkg/cpserver) as the main entry point.
+type ServerContext = cpextension.ServerContext
+
+// Extension is an alias for cpextension.Extension.
+// Enterprise code should use this package (pkg/cpserver) as the main entry point.
+type Extension = cpextension.Extension
diff --git a/pkg/cpserver/options.go b/pkg/cpserver/options.go
new file mode 100644
index 0000000..dc2ce0a
--- /dev/null
+++ b/pkg/cpserver/options.go
@@ -0,0 +1,27 @@
+package cpserver
+
+// options holds the configuration for Run.
+type options struct {
+	version    string
+	commit     string
+	extensions []Extension
+}
+
+// Option configures the control plane server.
+type Option func(*options)
+
+// WithVersion sets the version and commit strings for logging.
+func WithVersion(version, commit string) Option {
+	return func(o *options) {
+		o.version = version
+		o.commit = commit
+	}
+}
+
+// WithExtensions registers one or more extensions that add routes and
+// background workers to the control plane.
+func WithExtensions(exts ...Extension) Option {
+	return func(o *options) {
+		o.extensions = append(o.extensions, exts...)
+	}
+}
diff --git a/pkg/cpserver/run.go b/pkg/cpserver/run.go
new file mode 100644
index 0000000..32a819a
--- /dev/null
+++ b/pkg/cpserver/run.go
@@ -0,0 +1,253 @@
+package cpserver
+
+import (
+	"context"
+	"log/slog"
+	"net/http"
+	"os"
+	"os/signal"
+	"path/filepath"
+	"strings"
+	"syscall"
+	"time"
+
+	"github.com/jackc/pgx/v5/pgxpool"
+	"github.com/redis/go-redis/v9"
+
+	"git.omukk.dev/wrenn/wrenn/internal/api"
+	"git.omukk.dev/wrenn/wrenn/internal/email"
+	"git.omukk.dev/wrenn/wrenn/pkg/audit"
+	"git.omukk.dev/wrenn/wrenn/pkg/auth"
+	"git.omukk.dev/wrenn/wrenn/pkg/auth/oauth"
+	"git.omukk.dev/wrenn/wrenn/pkg/channels"
+	"git.omukk.dev/wrenn/wrenn/pkg/config"
+	"git.omukk.dev/wrenn/wrenn/pkg/db"
+	"git.omukk.dev/wrenn/wrenn/pkg/lifecycle"
+	"git.omukk.dev/wrenn/wrenn/pkg/logging"
+	"git.omukk.dev/wrenn/wrenn/pkg/scheduler"
+)
+
+// Run initializes and starts the control plane server. It blocks until a
+// SIGINT or SIGTERM signal is received, then shuts down gracefully.
+//
+// Extensions registered via WithExtensions get to add routes and start
+// background workers after the core server is fully initialized.
+func Run(opts ...Option) {
+	o := &options{
+		version: "dev",
+		commit:  "unknown",
+	}
+	for _, opt := range opts {
+		opt(o)
+	}
+
+	cfg := config.Load()
+	cleanupLog := logging.Setup(filepath.Join(cfg.WrennDir, "logs"), "control-plane")
+	defer cleanupLog()
+
+	if len(cfg.JWTSecret) < 32 {
+		slog.Error("JWT_SECRET must be at least 32 characters")
+		os.Exit(1)
+	}
+
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	// Database connection pool.
+	pool, err := pgxpool.New(ctx, cfg.DatabaseURL)
+	if err != nil {
+		slog.Error("failed to connect to database", "error", err)
+		os.Exit(1)
+	}
+	defer pool.Close()
+
+	if err := pool.Ping(ctx); err != nil {
+		slog.Error("failed to ping database", "error", err)
+		os.Exit(1)
+	}
+	slog.Info("connected to database")
+
+	queries := db.New(pool)
+
+	// Redis client.
+	redisOpts, err := redis.ParseURL(cfg.RedisURL)
+	if err != nil {
+		slog.Error("failed to parse REDIS_URL", "error", err)
+		os.Exit(1)
+	}
+	rdb := redis.NewClient(redisOpts)
+	defer rdb.Close()
+
+	if err := rdb.Ping(ctx).Err(); err != nil {
+		slog.Error("failed to ping redis", "error", err)
+		os.Exit(1)
+	}
+	slog.Info("connected to redis")
+
+	// mTLS is mandatory — parse internal CA for CP↔agent communication.
+	if cfg.CACert == "" || cfg.CAKey == "" {
+		slog.Error("WRENN_CA_CERT and WRENN_CA_KEY are required — mTLS is mandatory for CP↔agent communication")
+		os.Exit(1)
+	}
+	ca, err := auth.ParseCA(cfg.CACert, cfg.CAKey)
+	if err != nil {
+		slog.Error("failed to parse mTLS CA from environment", "error", err)
+		os.Exit(1)
+	}
+	slog.Info("mTLS enabled: CA loaded")
+
+	// Host client pool — manages Connect RPC clients to host agents.
+	cpCertStore, err := auth.NewCPCertStore(ca)
+	if err != nil {
+		slog.Error("failed to issue CP client certificate", "error", err)
+		os.Exit(1)
+	}
+	// Renew the CP client certificate periodically so it never expires
+	// while the control plane is running (TTL = 24h, renewal = every 12h).
+	go func() {
+		ticker := time.NewTicker(auth.CPCertRenewInterval)
+		defer ticker.Stop()
+		for {
+			select {
+			case <-ctx.Done():
+				return
+			case <-ticker.C:
+				if err := cpCertStore.Refresh(); err != nil {
+					slog.Error("failed to renew CP client certificate", "error", err)
+				} else {
+					slog.Info("CP client certificate renewed")
+				}
+			}
+		}
+	}()
+	hostPool := lifecycle.NewHostClientPoolTLS(auth.CPClientTLSConfig(ca, cpCertStore))
+	slog.Info("host client pool: mTLS enabled")
+
+	// Scheduler — picks a host for each new sandbox (least-loaded, bottleneck-first).
+	hostScheduler := scheduler.NewLeastLoadedScheduler(queries)
+
+	// OAuth provider registry.
+	oauthRegistry := oauth.NewRegistry()
+	if cfg.OAuthGitHubClientID != "" && cfg.OAuthGitHubClientSecret != "" {
+		if cfg.CPPublicURL == "" {
+			slog.Error("CP_PUBLIC_URL must be set when OAuth providers are configured")
+			os.Exit(1)
+		}
+		callbackURL := strings.TrimRight(cfg.CPPublicURL, "/") + "/auth/oauth/github/callback"
+		ghProvider := oauth.NewGitHubProvider(cfg.OAuthGitHubClientID, cfg.OAuthGitHubClientSecret, callbackURL)
+		oauthRegistry.Register(ghProvider)
+		slog.Info("registered OAuth provider", "provider", "github")
+	}
+
+	// Channels: publisher, service, dispatcher.
+	if len(cfg.EncryptionKeyHex) != 64 {
+		slog.Error("WRENN_ENCRYPTION_KEY must be a hex-encoded 32-byte key (64 hex chars)")
+		os.Exit(1)
+	}
+	channelPub := channels.NewPublisher(rdb)
+	channelSvc := &channels.Service{DB: queries, EncKey: cfg.EncryptionKey}
+	channelDispatcher := channels.NewDispatcher(rdb, queries, cfg.EncryptionKey)
+
+	// Shared audit logger with event publishing.
+	al := audit.NewWithPublisher(queries, channelPub)
+
+	// Transactional email (no-op if SMTP_HOST is not set).
+	mailer := email.New(email.Config{
+		Host:      cfg.SMTPHost,
+		Port:      cfg.SMTPPort,
+		Username:  cfg.SMTPUsername,
+		Password:  cfg.SMTPPassword,
+		FromEmail: cfg.SMTPFromEmail,
+	})
+
+	// Build the server context that extensions receive.
+	sctx := ServerContext{
+		Queries:   queries,
+		PgPool:    pool,
+		Redis:     rdb,
+		HostPool:  hostPool,
+		Scheduler: hostScheduler,
+		CA:        ca,
+		Audit:     al,
+		Mailer:    mailer,
+		JWTSecret: []byte(cfg.JWTSecret),
+		Config:    cfg,
+	}
+
+	// API server.
+	srv := api.New(queries, hostPool, hostScheduler, pool, rdb, []byte(cfg.JWTSecret), oauthRegistry, cfg.OAuthRedirectURL, ca, al, channelSvc, mailer, o.extensions, sctx, o.version)
+
+	// Start template build workers (2 concurrent).
+	stopBuildWorkers := srv.BuildSvc.StartWorkers(ctx, 2)
+	defer stopBuildWorkers()
+
+	// Start channel event dispatcher.
+	channelDispatcher.Start(ctx)
+
+	// Start host monitor (passive + active reconciliation every 30s).
+	monitor := api.NewHostMonitor(queries, hostPool, al, 30*time.Second)
+	monitor.Start(ctx)
+
+	// Hard-delete accounts that have been soft-deleted for more than 15 days (runs every 24h).
+	go func() {
+		ticker := time.NewTicker(24 * time.Hour)
+		defer ticker.Stop()
+		for {
+			select {
+			case <-ctx.Done():
+				return
+			case <-ticker.C:
+				if err := queries.HardDeleteExpiredUsers(ctx); err != nil {
+					slog.Error("account cleanup: failed to hard-delete expired users", "error", err)
+				} else {
+					slog.Info("account cleanup: hard-deleted expired users")
+				}
+			}
+		}
+	}()
+
+	// Start metrics sampler (records per-team sandbox stats every 10s).
+	sampler := api.NewMetricsSampler(queries, 10*time.Second)
+	sampler.Start(ctx)
+
+	// Start extension background workers.
+	for _, ext := range o.extensions {
+		for _, worker := range ext.BackgroundWorkers(sctx) {
+			worker(ctx)
+		}
+	}
+
+	// Wrap the API handler with the sandbox proxy so that requests with
+	// {port}-{sandbox_id}.{domain} Host headers are routed to the sandbox's
+	// host agent. All other requests pass through to the normal API router.
+	proxyWrapper := api.NewSandboxProxyWrapper(srv.Handler(), queries, hostPool)
+
+	httpServer := &http.Server{
+		Addr:    cfg.ListenAddr,
+		Handler: proxyWrapper,
+	}
+
+	// Graceful shutdown on signal.
+	sigCh := make(chan os.Signal, 1)
+	signal.Notify(sigCh, syscall.SIGINT, syscall.SIGTERM)
+	go func() {
+		sig := <-sigCh
+		slog.Info("received signal, shutting down", "signal", sig)
+		cancel()
+
+		shutdownCtx, shutdownCancel := context.WithTimeout(context.Background(), 30*time.Second)
+		defer shutdownCancel()
+
+		if err := httpServer.Shutdown(shutdownCtx); err != nil {
+			slog.Error("http server shutdown error", "error", err)
+		}
+	}()
+
+	slog.Info("control plane starting", "addr", cfg.ListenAddr, "version", o.version, "commit", o.commit)
+	if err := httpServer.ListenAndServe(); err != nil && err != http.ErrServerClosed {
+		slog.Error("http server error", "error", err)
+		os.Exit(1)
+	}
+
+	slog.Info("control plane stopped")
+}
diff --git a/internal/db/api_keys.sql.go b/pkg/db/api_keys.sql.go
similarity index 87%
rename from internal/db/api_keys.sql.go
rename to pkg/db/api_keys.sql.go
index 4b8d369..b157931 100644
--- a/internal/db/api_keys.sql.go
+++ b/pkg/db/api_keys.sql.go
@@ -25,6 +25,24 @@ func (q *Queries) DeleteAPIKey(ctx context.Context, arg DeleteAPIKeyParams) erro
 	return err
 }
 
+const deleteAPIKeysByCreator = `-- name: DeleteAPIKeysByCreator :exec
+DELETE FROM team_api_keys WHERE created_by = $1
+`
+
+func (q *Queries) DeleteAPIKeysByCreator(ctx context.Context, createdBy pgtype.UUID) error {
+	_, err := q.db.Exec(ctx, deleteAPIKeysByCreator, createdBy)
+	return err
+}
+
+const deleteAPIKeysByTeam = `-- name: DeleteAPIKeysByTeam :exec
+DELETE FROM team_api_keys WHERE team_id = $1
+`
+
+func (q *Queries) DeleteAPIKeysByTeam(ctx context.Context, teamID pgtype.UUID) error {
+	_, err := q.db.Exec(ctx, deleteAPIKeysByTeam, teamID)
+	return err
+}
+
 const getAPIKeyByHash = `-- name: GetAPIKeyByHash :one
 SELECT id, team_id, name, key_hash, key_prefix, created_by, created_at, last_used FROM team_api_keys WHERE key_hash = $1
 `
@@ -120,7 +138,7 @@ const listAPIKeysByTeamWithCreator = `-- name: ListAPIKeysByTeamWithCreator :man
 SELECT k.id, k.team_id, k.name, k.key_hash, k.key_prefix, k.created_by, k.created_at, k.last_used,
        u.email AS creator_email
 FROM team_api_keys k
-JOIN users u ON u.id = k.created_by
+LEFT JOIN users u ON u.id = k.created_by
 WHERE k.team_id = $1
 ORDER BY k.created_at DESC
 `
@@ -134,7 +152,7 @@ type ListAPIKeysByTeamWithCreatorRow struct {
 	CreatedBy    pgtype.UUID        `json:"created_by"`
 	CreatedAt    pgtype.Timestamptz `json:"created_at"`
 	LastUsed     pgtype.Timestamptz `json:"last_used"`
-	CreatorEmail string             `json:"creator_email"`
+	CreatorEmail pgtype.Text        `json:"creator_email"`
 }
 
 func (q *Queries) ListAPIKeysByTeamWithCreator(ctx context.Context, teamID pgtype.UUID) ([]ListAPIKeysByTeamWithCreatorRow, error) {
diff --git a/internal/db/audit.sql.go b/pkg/db/audit.sql.go
similarity index 100%
rename from internal/db/audit.sql.go
rename to pkg/db/audit.sql.go
diff --git a/internal/db/channels.sql.go b/pkg/db/channels.sql.go
similarity index 95%
rename from internal/db/channels.sql.go
rename to pkg/db/channels.sql.go
index 18f9048..d668700 100644
--- a/internal/db/channels.sql.go
+++ b/pkg/db/channels.sql.go
@@ -11,6 +11,15 @@ import (
 	"github.com/jackc/pgx/v5/pgtype"
 )
 
+const deleteAllChannelsByTeam = `-- name: DeleteAllChannelsByTeam :exec
+DELETE FROM channels WHERE team_id = $1
+`
+
+func (q *Queries) DeleteAllChannelsByTeam(ctx context.Context, teamID pgtype.UUID) error {
+	_, err := q.db.Exec(ctx, deleteAllChannelsByTeam, teamID)
+	return err
+}
+
 const deleteChannelByTeam = `-- name: DeleteChannelByTeam :exec
 DELETE FROM channels WHERE id = $1 AND team_id = $2
 `
diff --git a/internal/db/db.go b/pkg/db/db.go
similarity index 100%
rename from internal/db/db.go
rename to pkg/db/db.go
diff --git a/internal/db/host_refresh_tokens.sql.go b/pkg/db/host_refresh_tokens.sql.go
similarity index 100%
rename from internal/db/host_refresh_tokens.sql.go
rename to pkg/db/host_refresh_tokens.sql.go
diff --git a/internal/db/hosts.sql.go b/pkg/db/hosts.sql.go
similarity index 82%
rename from internal/db/hosts.sql.go
rename to pkg/db/hosts.sql.go
index 2e3962b..0e8f415 100644
--- a/internal/db/hosts.sql.go
+++ b/pkg/db/hosts.sql.go
@@ -154,6 +154,112 @@ func (q *Queries) GetHostTokensByHost(ctx context.Context, hostID pgtype.UUID) (
 	return items, nil
 }
 
+const getHostsWithLoad = `-- name: GetHostsWithLoad :many
+SELECT
+    h.id,
+    h.type,
+    h.team_id,
+    h.provider,
+    h.availability_zone,
+    h.arch,
+    h.cpu_cores,
+    h.memory_mb,
+    h.disk_gb,
+    h.address,
+    h.status,
+    h.last_heartbeat_at,
+    h.metadata,
+    h.created_by,
+    h.created_at,
+    h.updated_at,
+    h.cert_fingerprint,
+    h.cert_expires_at,
+    COALESCE(SUM(s.vcpus)       FILTER (WHERE s.status IN ('running', 'starting', 'pending')), 0)::int AS running_vcpus,
+    COALESCE(SUM(s.memory_mb)   FILTER (WHERE s.status IN ('running', 'starting', 'pending')), 0)::int AS running_memory_mb,
+    COALESCE(SUM(s.disk_size_mb) FILTER (WHERE s.status IN ('running', 'starting', 'pending')), 0)::int AS running_disk_mb,
+    COALESCE(SUM(s.memory_mb)   FILTER (WHERE s.status = 'paused'), 0)::int AS paused_memory_mb,
+    COALESCE(SUM(s.disk_size_mb) FILTER (WHERE s.status = 'paused'), 0)::int AS paused_disk_mb
+FROM hosts h
+LEFT JOIN sandboxes s ON s.host_id = h.id
+    AND s.status IN ('running', 'paused', 'starting', 'pending')
+WHERE h.status = 'online'
+  AND h.address != ''
+GROUP BY h.id
+ORDER BY h.created_at
+`
+
+type GetHostsWithLoadRow struct {
+	ID               pgtype.UUID        `json:"id"`
+	Type             string             `json:"type"`
+	TeamID           pgtype.UUID        `json:"team_id"`
+	Provider         string             `json:"provider"`
+	AvailabilityZone string             `json:"availability_zone"`
+	Arch             string             `json:"arch"`
+	CpuCores         int32              `json:"cpu_cores"`
+	MemoryMb         int32              `json:"memory_mb"`
+	DiskGb           int32              `json:"disk_gb"`
+	Address          string             `json:"address"`
+	Status           string             `json:"status"`
+	LastHeartbeatAt  pgtype.Timestamptz `json:"last_heartbeat_at"`
+	Metadata         []byte             `json:"metadata"`
+	CreatedBy        pgtype.UUID        `json:"created_by"`
+	CreatedAt        pgtype.Timestamptz `json:"created_at"`
+	UpdatedAt        pgtype.Timestamptz `json:"updated_at"`
+	CertFingerprint  string             `json:"cert_fingerprint"`
+	CertExpiresAt    pgtype.Timestamptz `json:"cert_expires_at"`
+	RunningVcpus     int32              `json:"running_vcpus"`
+	RunningMemoryMb  int32              `json:"running_memory_mb"`
+	RunningDiskMb    int32              `json:"running_disk_mb"`
+	PausedMemoryMb   int32              `json:"paused_memory_mb"`
+	PausedDiskMb     int32              `json:"paused_disk_mb"`
+}
+
+// Returns all online hosts with raw per-host sandbox resource consumption.
+// Separates running and paused sandbox totals so the caller can apply its own formulas.
+func (q *Queries) GetHostsWithLoad(ctx context.Context) ([]GetHostsWithLoadRow, error) {
+	rows, err := q.db.Query(ctx, getHostsWithLoad)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	var items []GetHostsWithLoadRow
+	for rows.Next() {
+		var i GetHostsWithLoadRow
+		if err := rows.Scan(
+			&i.ID,
+			&i.Type,
+			&i.TeamID,
+			&i.Provider,
+			&i.AvailabilityZone,
+			&i.Arch,
+			&i.CpuCores,
+			&i.MemoryMb,
+			&i.DiskGb,
+			&i.Address,
+			&i.Status,
+			&i.LastHeartbeatAt,
+			&i.Metadata,
+			&i.CreatedBy,
+			&i.CreatedAt,
+			&i.UpdatedAt,
+			&i.CertFingerprint,
+			&i.CertExpiresAt,
+			&i.RunningVcpus,
+			&i.RunningMemoryMb,
+			&i.RunningDiskMb,
+			&i.PausedMemoryMb,
+			&i.PausedDiskMb,
+		); err != nil {
+			return nil, err
+		}
+		items = append(items, i)
+	}
+	if err := rows.Err(); err != nil {
+		return nil, err
+	}
+	return items, nil
+}
+
 const insertHost = `-- name: InsertHost :one
 INSERT INTO hosts (id, type, team_id, provider, availability_zone, created_by)
 VALUES ($1, $2, $3, $4, $5, $6)
diff --git a/internal/db/metrics.sql.go b/pkg/db/metrics.sql.go
similarity index 92%
rename from internal/db/metrics.sql.go
rename to pkg/db/metrics.sql.go
index f522dc2..886daca 100644
--- a/internal/db/metrics.sql.go
+++ b/pkg/db/metrics.sql.go
@@ -11,6 +11,25 @@ import (
 	"github.com/jackc/pgx/v5/pgtype"
 )
 
+const deleteMetricPointsByTeam = `-- name: DeleteMetricPointsByTeam :exec
+DELETE FROM sandbox_metric_points
+WHERE sandbox_id IN (SELECT id FROM sandboxes WHERE team_id = $1)
+`
+
+func (q *Queries) DeleteMetricPointsByTeam(ctx context.Context, teamID pgtype.UUID) error {
+	_, err := q.db.Exec(ctx, deleteMetricPointsByTeam, teamID)
+	return err
+}
+
+const deleteMetricsSnapshotsByTeam = `-- name: DeleteMetricsSnapshotsByTeam :exec
+DELETE FROM sandbox_metrics_snapshots WHERE team_id = $1
+`
+
+func (q *Queries) DeleteMetricsSnapshotsByTeam(ctx context.Context, teamID pgtype.UUID) error {
+	_, err := q.db.Exec(ctx, deleteMetricsSnapshotsByTeam, teamID)
+	return err
+}
+
 const deleteSandboxMetricPoints = `-- name: DeleteSandboxMetricPoints :exec
 DELETE FROM sandbox_metric_points
 WHERE sandbox_id = $1
diff --git a/internal/db/models.go b/pkg/db/models.go
similarity index 89%
rename from internal/db/models.go
rename to pkg/db/models.go
index 3b9cd9e..3111952 100644
--- a/internal/db/models.go
+++ b/pkg/db/models.go
@@ -111,6 +111,7 @@ type Sandbox struct {
 	LastUpdated    pgtype.Timestamptz `json:"last_updated"`
 	TemplateID     pgtype.UUID        `json:"template_id"`
 	TemplateTeamID pgtype.UUID        `json:"template_team_id"`
+	Metadata       []byte             `json:"metadata"`
 }
 
 type SandboxMetricPoint struct {
@@ -152,14 +153,17 @@ type TeamApiKey struct {
 }
 
 type Template struct {
-	Name      string             `json:"name"`
-	Type      string             `json:"type"`
-	Vcpus     int32              `json:"vcpus"`
-	MemoryMb  int32              `json:"memory_mb"`
-	SizeBytes int64              `json:"size_bytes"`
-	CreatedAt pgtype.Timestamptz `json:"created_at"`
-	TeamID    pgtype.UUID        `json:"team_id"`
-	ID        pgtype.UUID        `json:"id"`
+	Name        string             `json:"name"`
+	Type        string             `json:"type"`
+	Vcpus       int32              `json:"vcpus"`
+	MemoryMb    int32              `json:"memory_mb"`
+	SizeBytes   int64              `json:"size_bytes"`
+	CreatedAt   pgtype.Timestamptz `json:"created_at"`
+	TeamID      pgtype.UUID        `json:"team_id"`
+	ID          pgtype.UUID        `json:"id"`
+	DefaultUser string             `json:"default_user"`
+	DefaultEnv  []byte             `json:"default_env"`
+	Metadata    []byte             `json:"metadata"`
 }
 
 type TemplateBuild struct {
@@ -183,6 +187,9 @@ type TemplateBuild struct {
 	TemplateID   pgtype.UUID        `json:"template_id"`
 	TeamID       pgtype.UUID        `json:"team_id"`
 	SkipPrePost  bool               `json:"skip_pre_post"`
+	DefaultUser  string             `json:"default_user"`
+	DefaultEnv   []byte             `json:"default_env"`
+	Metadata     []byte             `json:"metadata"`
 }
 
 type User struct {
@@ -193,6 +200,8 @@ type User struct {
 	IsAdmin      bool               `json:"is_admin"`
 	CreatedAt    pgtype.Timestamptz `json:"created_at"`
 	UpdatedAt    pgtype.Timestamptz `json:"updated_at"`
+	DeletedAt    pgtype.Timestamptz `json:"deleted_at"`
+	Status       string             `json:"status"`
 }
 
 type UsersTeam struct {
diff --git a/internal/db/oauth.sql.go b/pkg/db/oauth.sql.go
similarity index 53%
rename from internal/db/oauth.sql.go
rename to pkg/db/oauth.sql.go
index 0270def..724277e 100644
--- a/internal/db/oauth.sql.go
+++ b/pkg/db/oauth.sql.go
@@ -11,6 +11,20 @@ import (
 	"github.com/jackc/pgx/v5/pgtype"
 )
 
+const deleteOAuthProvider = `-- name: DeleteOAuthProvider :exec
+DELETE FROM oauth_providers WHERE user_id = $1 AND provider = $2
+`
+
+type DeleteOAuthProviderParams struct {
+	UserID   pgtype.UUID `json:"user_id"`
+	Provider string      `json:"provider"`
+}
+
+func (q *Queries) DeleteOAuthProvider(ctx context.Context, arg DeleteOAuthProviderParams) error {
+	_, err := q.db.Exec(ctx, deleteOAuthProvider, arg.UserID, arg.Provider)
+	return err
+}
+
 const getOAuthProvider = `-- name: GetOAuthProvider :one
 SELECT provider, provider_id, user_id, email, created_at FROM oauth_providers
 WHERE provider = $1 AND provider_id = $2
@@ -34,6 +48,36 @@ func (q *Queries) GetOAuthProvider(ctx context.Context, arg GetOAuthProviderPara
 	return i, err
 }
 
+const getOAuthProvidersByUserID = `-- name: GetOAuthProvidersByUserID :many
+SELECT provider, provider_id, user_id, email, created_at FROM oauth_providers WHERE user_id = $1
+`
+
+func (q *Queries) GetOAuthProvidersByUserID(ctx context.Context, userID pgtype.UUID) ([]OauthProvider, error) {
+	rows, err := q.db.Query(ctx, getOAuthProvidersByUserID, userID)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	var items []OauthProvider
+	for rows.Next() {
+		var i OauthProvider
+		if err := rows.Scan(
+			&i.Provider,
+			&i.ProviderID,
+			&i.UserID,
+			&i.Email,
+			&i.CreatedAt,
+		); err != nil {
+			return nil, err
+		}
+		items = append(items, i)
+	}
+	if err := rows.Err(); err != nil {
+		return nil, err
+	}
+	return items, nil
+}
+
 const insertOAuthProvider = `-- name: InsertOAuthProvider :exec
 INSERT INTO oauth_providers (provider, provider_id, user_id, email)
 VALUES ($1, $2, $3, $4)
diff --git a/internal/db/sandboxes.sql.go b/pkg/db/sandboxes.sql.go
similarity index 90%
rename from internal/db/sandboxes.sql.go
rename to pkg/db/sandboxes.sql.go
index 3ce1644..c48c9ab 100644
--- a/internal/db/sandboxes.sql.go
+++ b/pkg/db/sandboxes.sql.go
@@ -43,7 +43,7 @@ func (q *Queries) BulkUpdateStatusByIDs(ctx context.Context, arg BulkUpdateStatu
 }
 
 const getSandbox = `-- name: GetSandbox :one
-SELECT id, team_id, host_id, template, status, vcpus, memory_mb, timeout_sec, disk_size_mb, guest_ip, host_ip, created_at, started_at, last_active_at, last_updated, template_id, template_team_id FROM sandboxes WHERE id = $1
+SELECT id, team_id, host_id, template, status, vcpus, memory_mb, timeout_sec, disk_size_mb, guest_ip, host_ip, created_at, started_at, last_active_at, last_updated, template_id, template_team_id, metadata FROM sandboxes WHERE id = $1
 `
 
 func (q *Queries) GetSandbox(ctx context.Context, id pgtype.UUID) (Sandbox, error) {
@@ -67,12 +67,13 @@ func (q *Queries) GetSandbox(ctx context.Context, id pgtype.UUID) (Sandbox, erro
 		&i.LastUpdated,
 		&i.TemplateID,
 		&i.TemplateTeamID,
+		&i.Metadata,
 	)
 	return i, err
 }
 
 const getSandboxByTeam = `-- name: GetSandboxByTeam :one
-SELECT id, team_id, host_id, template, status, vcpus, memory_mb, timeout_sec, disk_size_mb, guest_ip, host_ip, created_at, started_at, last_active_at, last_updated, template_id, template_team_id FROM sandboxes WHERE id = $1 AND team_id = $2
+SELECT id, team_id, host_id, template, status, vcpus, memory_mb, timeout_sec, disk_size_mb, guest_ip, host_ip, created_at, started_at, last_active_at, last_updated, template_id, template_team_id, metadata FROM sandboxes WHERE id = $1 AND team_id = $2
 `
 
 type GetSandboxByTeamParams struct {
@@ -101,6 +102,7 @@ func (q *Queries) GetSandboxByTeam(ctx context.Context, arg GetSandboxByTeamPara
 		&i.LastUpdated,
 		&i.TemplateID,
 		&i.TemplateTeamID,
+		&i.Metadata,
 	)
 	return i, err
 }
@@ -109,14 +111,9 @@ const getSandboxProxyTarget = `-- name: GetSandboxProxyTarget :one
 SELECT s.status, h.address AS host_address
 FROM sandboxes s
 JOIN hosts h ON h.id = s.host_id
-WHERE s.id = $1 AND s.team_id = $2
+WHERE s.id = $1
 `
 
-type GetSandboxProxyTargetParams struct {
-	ID     pgtype.UUID `json:"id"`
-	TeamID pgtype.UUID `json:"team_id"`
-}
-
 type GetSandboxProxyTargetRow struct {
 	Status      string `json:"status"`
 	HostAddress string `json:"host_address"`
@@ -124,17 +121,17 @@ type GetSandboxProxyTargetRow struct {
 
 // Returns the sandbox status and its host's address in one query.
 // Used by SandboxProxyWrapper to avoid two round-trips.
-func (q *Queries) GetSandboxProxyTarget(ctx context.Context, arg GetSandboxProxyTargetParams) (GetSandboxProxyTargetRow, error) {
-	row := q.db.QueryRow(ctx, getSandboxProxyTarget, arg.ID, arg.TeamID)
+func (q *Queries) GetSandboxProxyTarget(ctx context.Context, id pgtype.UUID) (GetSandboxProxyTargetRow, error) {
+	row := q.db.QueryRow(ctx, getSandboxProxyTarget, id)
 	var i GetSandboxProxyTargetRow
 	err := row.Scan(&i.Status, &i.HostAddress)
 	return i, err
 }
 
 const insertSandbox = `-- name: InsertSandbox :one
-INSERT INTO sandboxes (id, team_id, host_id, template, status, vcpus, memory_mb, timeout_sec, disk_size_mb, template_id, template_team_id)
-VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11)
-RETURNING id, team_id, host_id, template, status, vcpus, memory_mb, timeout_sec, disk_size_mb, guest_ip, host_ip, created_at, started_at, last_active_at, last_updated, template_id, template_team_id
+INSERT INTO sandboxes (id, team_id, host_id, template, status, vcpus, memory_mb, timeout_sec, disk_size_mb, template_id, template_team_id, metadata)
+VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12)
+RETURNING id, team_id, host_id, template, status, vcpus, memory_mb, timeout_sec, disk_size_mb, guest_ip, host_ip, created_at, started_at, last_active_at, last_updated, template_id, template_team_id, metadata
 `
 
 type InsertSandboxParams struct {
@@ -149,6 +146,7 @@ type InsertSandboxParams struct {
 	DiskSizeMb     int32       `json:"disk_size_mb"`
 	TemplateID     pgtype.UUID `json:"template_id"`
 	TemplateTeamID pgtype.UUID `json:"template_team_id"`
+	Metadata       []byte      `json:"metadata"`
 }
 
 func (q *Queries) InsertSandbox(ctx context.Context, arg InsertSandboxParams) (Sandbox, error) {
@@ -164,6 +162,7 @@ func (q *Queries) InsertSandbox(ctx context.Context, arg InsertSandboxParams) (S
 		arg.DiskSizeMb,
 		arg.TemplateID,
 		arg.TemplateTeamID,
+		arg.Metadata,
 	)
 	var i Sandbox
 	err := row.Scan(
@@ -184,13 +183,14 @@ func (q *Queries) InsertSandbox(ctx context.Context, arg InsertSandboxParams) (S
 		&i.LastUpdated,
 		&i.TemplateID,
 		&i.TemplateTeamID,
+		&i.Metadata,
 	)
 	return i, err
 }
 
 const listActiveSandboxesByTeam = `-- name: ListActiveSandboxesByTeam :many
-SELECT id, team_id, host_id, template, status, vcpus, memory_mb, timeout_sec, disk_size_mb, guest_ip, host_ip, created_at, started_at, last_active_at, last_updated, template_id, template_team_id FROM sandboxes
-WHERE team_id = $1 AND status IN ('running', 'paused', 'starting')
+SELECT id, team_id, host_id, template, status, vcpus, memory_mb, timeout_sec, disk_size_mb, guest_ip, host_ip, created_at, started_at, last_active_at, last_updated, template_id, template_team_id, metadata FROM sandboxes
+WHERE team_id = $1 AND status IN ('running', 'paused', 'starting', 'hibernated')
 ORDER BY created_at DESC
 `
 
@@ -221,6 +221,7 @@ func (q *Queries) ListActiveSandboxesByTeam(ctx context.Context, teamID pgtype.U
 			&i.LastUpdated,
 			&i.TemplateID,
 			&i.TemplateTeamID,
+			&i.Metadata,
 		); err != nil {
 			return nil, err
 		}
@@ -233,7 +234,7 @@ func (q *Queries) ListActiveSandboxesByTeam(ctx context.Context, teamID pgtype.U
 }
 
 const listSandboxes = `-- name: ListSandboxes :many
-SELECT id, team_id, host_id, template, status, vcpus, memory_mb, timeout_sec, disk_size_mb, guest_ip, host_ip, created_at, started_at, last_active_at, last_updated, template_id, template_team_id FROM sandboxes ORDER BY created_at DESC
+SELECT id, team_id, host_id, template, status, vcpus, memory_mb, timeout_sec, disk_size_mb, guest_ip, host_ip, created_at, started_at, last_active_at, last_updated, template_id, template_team_id, metadata FROM sandboxes ORDER BY created_at DESC
 `
 
 func (q *Queries) ListSandboxes(ctx context.Context) ([]Sandbox, error) {
@@ -263,6 +264,7 @@ func (q *Queries) ListSandboxes(ctx context.Context) ([]Sandbox, error) {
 			&i.LastUpdated,
 			&i.TemplateID,
 			&i.TemplateTeamID,
+			&i.Metadata,
 		); err != nil {
 			return nil, err
 		}
@@ -275,7 +277,7 @@ func (q *Queries) ListSandboxes(ctx context.Context) ([]Sandbox, error) {
 }
 
 const listSandboxesByHostAndStatus = `-- name: ListSandboxesByHostAndStatus :many
-SELECT id, team_id, host_id, template, status, vcpus, memory_mb, timeout_sec, disk_size_mb, guest_ip, host_ip, created_at, started_at, last_active_at, last_updated, template_id, template_team_id FROM sandboxes
+SELECT id, team_id, host_id, template, status, vcpus, memory_mb, timeout_sec, disk_size_mb, guest_ip, host_ip, created_at, started_at, last_active_at, last_updated, template_id, template_team_id, metadata FROM sandboxes
 WHERE host_id = $1 AND status = ANY($2::text[])
 ORDER BY created_at DESC
 `
@@ -312,6 +314,7 @@ func (q *Queries) ListSandboxesByHostAndStatus(ctx context.Context, arg ListSand
 			&i.LastUpdated,
 			&i.TemplateID,
 			&i.TemplateTeamID,
+			&i.Metadata,
 		); err != nil {
 			return nil, err
 		}
@@ -324,7 +327,7 @@ func (q *Queries) ListSandboxesByHostAndStatus(ctx context.Context, arg ListSand
 }
 
 const listSandboxesByTeam = `-- name: ListSandboxesByTeam :many
-SELECT id, team_id, host_id, template, status, vcpus, memory_mb, timeout_sec, disk_size_mb, guest_ip, host_ip, created_at, started_at, last_active_at, last_updated, template_id, template_team_id FROM sandboxes
+SELECT id, team_id, host_id, template, status, vcpus, memory_mb, timeout_sec, disk_size_mb, guest_ip, host_ip, created_at, started_at, last_active_at, last_updated, template_id, template_team_id, metadata FROM sandboxes
 WHERE team_id = $1 AND status NOT IN ('stopped', 'error')
 ORDER BY created_at DESC
 `
@@ -356,6 +359,7 @@ func (q *Queries) ListSandboxesByTeam(ctx context.Context, teamID pgtype.UUID) (
 			&i.LastUpdated,
 			&i.TemplateID,
 			&i.TemplateTeamID,
+			&i.Metadata,
 		); err != nil {
 			return nil, err
 		}
@@ -399,6 +403,23 @@ func (q *Queries) UpdateLastActive(ctx context.Context, arg UpdateLastActivePara
 	return err
 }
 
+const updateSandboxMetadata = `-- name: UpdateSandboxMetadata :exec
+UPDATE sandboxes
+SET metadata = $2,
+    last_updated = NOW()
+WHERE id = $1
+`
+
+type UpdateSandboxMetadataParams struct {
+	ID       pgtype.UUID `json:"id"`
+	Metadata []byte      `json:"metadata"`
+}
+
+func (q *Queries) UpdateSandboxMetadata(ctx context.Context, arg UpdateSandboxMetadataParams) error {
+	_, err := q.db.Exec(ctx, updateSandboxMetadata, arg.ID, arg.Metadata)
+	return err
+}
+
 const updateSandboxRunning = `-- name: UpdateSandboxRunning :one
 UPDATE sandboxes
 SET status = 'running',
@@ -408,7 +429,7 @@ SET status = 'running',
     last_active_at = $4,
     last_updated = NOW()
 WHERE id = $1
-RETURNING id, team_id, host_id, template, status, vcpus, memory_mb, timeout_sec, disk_size_mb, guest_ip, host_ip, created_at, started_at, last_active_at, last_updated, template_id, template_team_id
+RETURNING id, team_id, host_id, template, status, vcpus, memory_mb, timeout_sec, disk_size_mb, guest_ip, host_ip, created_at, started_at, last_active_at, last_updated, template_id, template_team_id, metadata
 `
 
 type UpdateSandboxRunningParams struct {
@@ -444,6 +465,7 @@ func (q *Queries) UpdateSandboxRunning(ctx context.Context, arg UpdateSandboxRun
 		&i.LastUpdated,
 		&i.TemplateID,
 		&i.TemplateTeamID,
+		&i.Metadata,
 	)
 	return i, err
 }
@@ -453,7 +475,7 @@ UPDATE sandboxes
 SET status = $2,
     last_updated = NOW()
 WHERE id = $1
-RETURNING id, team_id, host_id, template, status, vcpus, memory_mb, timeout_sec, disk_size_mb, guest_ip, host_ip, created_at, started_at, last_active_at, last_updated, template_id, template_team_id
+RETURNING id, team_id, host_id, template, status, vcpus, memory_mb, timeout_sec, disk_size_mb, guest_ip, host_ip, created_at, started_at, last_active_at, last_updated, template_id, template_team_id, metadata
 `
 
 type UpdateSandboxStatusParams struct {
@@ -482,6 +504,7 @@ func (q *Queries) UpdateSandboxStatus(ctx context.Context, arg UpdateSandboxStat
 		&i.LastUpdated,
 		&i.TemplateID,
 		&i.TemplateTeamID,
+		&i.Metadata,
 	)
 	return i, err
 }
diff --git a/internal/db/teams.sql.go b/pkg/db/teams.sql.go
similarity index 65%
rename from internal/db/teams.sql.go
rename to pkg/db/teams.sql.go
index 334141f..30874b3 100644
--- a/internal/db/teams.sql.go
+++ b/pkg/db/teams.sql.go
@@ -11,6 +11,19 @@ import (
 	"github.com/jackc/pgx/v5/pgtype"
 )
 
+const countTeamsAdmin = `-- name: CountTeamsAdmin :one
+SELECT COUNT(*)::int AS total
+FROM teams
+WHERE id != '00000000-0000-0000-0000-000000000000'
+`
+
+func (q *Queries) CountTeamsAdmin(ctx context.Context) (int32, error) {
+	row := q.db.QueryRow(ctx, countTeamsAdmin)
+	var total int32
+	err := row.Scan(&total)
+	return total, err
+}
+
 const deleteTeamMember = `-- name: DeleteTeamMember :exec
 DELETE FROM users_teams WHERE team_id = $1 AND user_id = $2
 `
@@ -77,6 +90,35 @@ func (q *Queries) GetDefaultTeamForUser(ctx context.Context, userID pgtype.UUID)
 	return i, err
 }
 
+const getOwnedTeamIDs = `-- name: GetOwnedTeamIDs :many
+SELECT t.id FROM teams t
+JOIN users_teams ut ON ut.team_id = t.id
+WHERE ut.user_id = $1
+  AND ut.role = 'owner'
+  AND t.deleted_at IS NULL
+`
+
+// Returns team IDs where the given user has the 'owner' role.
+func (q *Queries) GetOwnedTeamIDs(ctx context.Context, userID pgtype.UUID) ([]pgtype.UUID, error) {
+	rows, err := q.db.Query(ctx, getOwnedTeamIDs, userID)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	var items []pgtype.UUID
+	for rows.Next() {
+		var id pgtype.UUID
+		if err := rows.Scan(&id); err != nil {
+			return nil, err
+		}
+		items = append(items, id)
+	}
+	if err := rows.Err(); err != nil {
+		return nil, err
+	}
+	return items, nil
+}
+
 const getTeam = `-- name: GetTeam :one
 SELECT id, name, slug, is_byoc, created_at, deleted_at FROM teams WHERE id = $1
 `
@@ -271,6 +313,111 @@ func (q *Queries) InsertTeamMember(ctx context.Context, arg InsertTeamMemberPara
 	return err
 }
 
+const listSoleOwnedTeams = `-- name: ListSoleOwnedTeams :many
+SELECT t.id FROM teams t
+JOIN users_teams ut ON ut.team_id = t.id
+WHERE ut.user_id = $1
+  AND ut.role = 'owner'
+  AND t.deleted_at IS NULL
+  AND NOT EXISTS (
+      SELECT 1 FROM users_teams ut2
+      WHERE ut2.team_id = t.id AND ut2.user_id <> $1
+  )
+`
+
+// Returns teams where the user is the owner and no other members exist.
+func (q *Queries) ListSoleOwnedTeams(ctx context.Context, userID pgtype.UUID) ([]pgtype.UUID, error) {
+	rows, err := q.db.Query(ctx, listSoleOwnedTeams, userID)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	var items []pgtype.UUID
+	for rows.Next() {
+		var id pgtype.UUID
+		if err := rows.Scan(&id); err != nil {
+			return nil, err
+		}
+		items = append(items, id)
+	}
+	if err := rows.Err(); err != nil {
+		return nil, err
+	}
+	return items, nil
+}
+
+const listTeamsAdmin = `-- name: ListTeamsAdmin :many
+SELECT
+    t.id,
+    t.name,
+    t.slug,
+    t.is_byoc,
+    t.created_at,
+    t.deleted_at,
+    (SELECT COUNT(*) FROM users_teams ut WHERE ut.team_id = t.id)::int AS member_count,
+    COALESCE(owner_u.name, '') AS owner_name,
+    COALESCE(owner_u.email, '') AS owner_email,
+    (SELECT COUNT(*) FROM sandboxes s WHERE s.team_id = t.id AND s.status IN ('running', 'paused', 'starting'))::int AS active_sandbox_count,
+    (SELECT COUNT(*) FROM channels c WHERE c.team_id = t.id)::int AS channel_count
+FROM teams t
+LEFT JOIN users_teams owner_ut ON owner_ut.team_id = t.id AND owner_ut.role = 'owner'
+LEFT JOIN users owner_u ON owner_u.id = owner_ut.user_id
+WHERE t.id != '00000000-0000-0000-0000-000000000000'
+ORDER BY t.deleted_at ASC NULLS FIRST, t.created_at DESC
+LIMIT $1 OFFSET $2
+`
+
+type ListTeamsAdminParams struct {
+	Limit  int32 `json:"limit"`
+	Offset int32 `json:"offset"`
+}
+
+type ListTeamsAdminRow struct {
+	ID                 pgtype.UUID        `json:"id"`
+	Name               string             `json:"name"`
+	Slug               string             `json:"slug"`
+	IsByoc             bool               `json:"is_byoc"`
+	CreatedAt          pgtype.Timestamptz `json:"created_at"`
+	DeletedAt          pgtype.Timestamptz `json:"deleted_at"`
+	MemberCount        int32              `json:"member_count"`
+	OwnerName          string             `json:"owner_name"`
+	OwnerEmail         string             `json:"owner_email"`
+	ActiveSandboxCount int32              `json:"active_sandbox_count"`
+	ChannelCount       int32              `json:"channel_count"`
+}
+
+func (q *Queries) ListTeamsAdmin(ctx context.Context, arg ListTeamsAdminParams) ([]ListTeamsAdminRow, error) {
+	rows, err := q.db.Query(ctx, listTeamsAdmin, arg.Limit, arg.Offset)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	var items []ListTeamsAdminRow
+	for rows.Next() {
+		var i ListTeamsAdminRow
+		if err := rows.Scan(
+			&i.ID,
+			&i.Name,
+			&i.Slug,
+			&i.IsByoc,
+			&i.CreatedAt,
+			&i.DeletedAt,
+			&i.MemberCount,
+			&i.OwnerName,
+			&i.OwnerEmail,
+			&i.ActiveSandboxCount,
+			&i.ChannelCount,
+		); err != nil {
+			return nil, err
+		}
+		items = append(items, i)
+	}
+	if err := rows.Err(); err != nil {
+		return nil, err
+	}
+	return items, nil
+}
+
 const setTeamBYOC = `-- name: SetTeamBYOC :exec
 UPDATE teams SET is_byoc = $2 WHERE id = $1
 `
diff --git a/internal/db/template_builds.sql.go b/pkg/db/template_builds.sql.go
similarity index 84%
rename from internal/db/template_builds.sql.go
rename to pkg/db/template_builds.sql.go
index facfb19..051547d 100644
--- a/internal/db/template_builds.sql.go
+++ b/pkg/db/template_builds.sql.go
@@ -12,7 +12,7 @@ import (
 )
 
 const getTemplateBuild = `-- name: GetTemplateBuild :one
-SELECT id, name, base_template, recipe, healthcheck, vcpus, memory_mb, status, current_step, total_steps, logs, error, sandbox_id, host_id, created_at, started_at, completed_at, template_id, team_id, skip_pre_post FROM template_builds WHERE id = $1
+SELECT id, name, base_template, recipe, healthcheck, vcpus, memory_mb, status, current_step, total_steps, logs, error, sandbox_id, host_id, created_at, started_at, completed_at, template_id, team_id, skip_pre_post, default_user, default_env, metadata FROM template_builds WHERE id = $1
 `
 
 func (q *Queries) GetTemplateBuild(ctx context.Context, id pgtype.UUID) (TemplateBuild, error) {
@@ -39,6 +39,9 @@ func (q *Queries) GetTemplateBuild(ctx context.Context, id pgtype.UUID) (Templat
 		&i.TemplateID,
 		&i.TeamID,
 		&i.SkipPrePost,
+		&i.DefaultUser,
+		&i.DefaultEnv,
+		&i.Metadata,
 	)
 	return i, err
 }
@@ -46,7 +49,7 @@ func (q *Queries) GetTemplateBuild(ctx context.Context, id pgtype.UUID) (Templat
 const insertTemplateBuild = `-- name: InsertTemplateBuild :one
 INSERT INTO template_builds (id, name, base_template, recipe, healthcheck, vcpus, memory_mb, status, total_steps, template_id, team_id, skip_pre_post)
 VALUES ($1, $2, $3, $4, $5, $6, $7, 'pending', $8, $9, $10, $11)
-RETURNING id, name, base_template, recipe, healthcheck, vcpus, memory_mb, status, current_step, total_steps, logs, error, sandbox_id, host_id, created_at, started_at, completed_at, template_id, team_id, skip_pre_post
+RETURNING id, name, base_template, recipe, healthcheck, vcpus, memory_mb, status, current_step, total_steps, logs, error, sandbox_id, host_id, created_at, started_at, completed_at, template_id, team_id, skip_pre_post, default_user, default_env, metadata
 `
 
 type InsertTemplateBuildParams struct {
@@ -99,12 +102,15 @@ func (q *Queries) InsertTemplateBuild(ctx context.Context, arg InsertTemplateBui
 		&i.TemplateID,
 		&i.TeamID,
 		&i.SkipPrePost,
+		&i.DefaultUser,
+		&i.DefaultEnv,
+		&i.Metadata,
 	)
 	return i, err
 }
 
 const listTemplateBuilds = `-- name: ListTemplateBuilds :many
-SELECT id, name, base_template, recipe, healthcheck, vcpus, memory_mb, status, current_step, total_steps, logs, error, sandbox_id, host_id, created_at, started_at, completed_at, template_id, team_id, skip_pre_post FROM template_builds ORDER BY created_at DESC
+SELECT id, name, base_template, recipe, healthcheck, vcpus, memory_mb, status, current_step, total_steps, logs, error, sandbox_id, host_id, created_at, started_at, completed_at, template_id, team_id, skip_pre_post, default_user, default_env, metadata FROM template_builds ORDER BY created_at DESC
 `
 
 func (q *Queries) ListTemplateBuilds(ctx context.Context) ([]TemplateBuild, error) {
@@ -137,6 +143,9 @@ func (q *Queries) ListTemplateBuilds(ctx context.Context) ([]TemplateBuild, erro
 			&i.TemplateID,
 			&i.TeamID,
 			&i.SkipPrePost,
+			&i.DefaultUser,
+			&i.DefaultEnv,
+			&i.Metadata,
 		); err != nil {
 			return nil, err
 		}
@@ -148,6 +157,29 @@ func (q *Queries) ListTemplateBuilds(ctx context.Context) ([]TemplateBuild, erro
 	return items, nil
 }
 
+const updateBuildDefaults = `-- name: UpdateBuildDefaults :exec
+UPDATE template_builds
+SET default_user = $2, default_env = $3, metadata = $4
+WHERE id = $1
+`
+
+type UpdateBuildDefaultsParams struct {
+	ID          pgtype.UUID `json:"id"`
+	DefaultUser string      `json:"default_user"`
+	DefaultEnv  []byte      `json:"default_env"`
+	Metadata    []byte      `json:"metadata"`
+}
+
+func (q *Queries) UpdateBuildDefaults(ctx context.Context, arg UpdateBuildDefaultsParams) error {
+	_, err := q.db.Exec(ctx, updateBuildDefaults,
+		arg.ID,
+		arg.DefaultUser,
+		arg.DefaultEnv,
+		arg.Metadata,
+	)
+	return err
+}
+
 const updateBuildError = `-- name: UpdateBuildError :exec
 UPDATE template_builds
 SET error = $2, status = 'failed', completed_at = NOW()
@@ -204,7 +236,7 @@ SET status = $2,
     started_at   = CASE WHEN $2 = 'running'   AND started_at   IS NULL THEN NOW() ELSE started_at   END,
     completed_at = CASE WHEN $2 IN ('success', 'failed', 'cancelled') THEN NOW() ELSE completed_at END
 WHERE id = $1
-RETURNING id, name, base_template, recipe, healthcheck, vcpus, memory_mb, status, current_step, total_steps, logs, error, sandbox_id, host_id, created_at, started_at, completed_at, template_id, team_id, skip_pre_post
+RETURNING id, name, base_template, recipe, healthcheck, vcpus, memory_mb, status, current_step, total_steps, logs, error, sandbox_id, host_id, created_at, started_at, completed_at, template_id, team_id, skip_pre_post, default_user, default_env, metadata
 `
 
 type UpdateBuildStatusParams struct {
@@ -236,6 +268,9 @@ func (q *Queries) UpdateBuildStatus(ctx context.Context, arg UpdateBuildStatusPa
 		&i.TemplateID,
 		&i.TeamID,
 		&i.SkipPrePost,
+		&i.DefaultUser,
+		&i.DefaultEnv,
+		&i.Metadata,
 	)
 	return i, err
 }
diff --git a/internal/db/templates.sql.go b/pkg/db/templates.sql.go
similarity index 77%
rename from internal/db/templates.sql.go
rename to pkg/db/templates.sql.go
index 7d37808..97e528b 100644
--- a/internal/db/templates.sql.go
+++ b/pkg/db/templates.sql.go
@@ -45,7 +45,7 @@ func (q *Queries) DeleteTemplatesByTeam(ctx context.Context, teamID pgtype.UUID)
 }
 
 const getPlatformTemplateByName = `-- name: GetPlatformTemplateByName :one
-SELECT name, type, vcpus, memory_mb, size_bytes, created_at, team_id, id FROM templates WHERE team_id = '00000000-0000-0000-0000-000000000000' AND name = $1
+SELECT name, type, vcpus, memory_mb, size_bytes, created_at, team_id, id, default_user, default_env, metadata FROM templates WHERE team_id = '00000000-0000-0000-0000-000000000000' AND name = $1
 `
 
 // Check if a global (platform) template exists with the given name.
@@ -61,12 +61,15 @@ func (q *Queries) GetPlatformTemplateByName(ctx context.Context, name string) (T
 		&i.CreatedAt,
 		&i.TeamID,
 		&i.ID,
+		&i.DefaultUser,
+		&i.DefaultEnv,
+		&i.Metadata,
 	)
 	return i, err
 }
 
 const getTemplate = `-- name: GetTemplate :one
-SELECT name, type, vcpus, memory_mb, size_bytes, created_at, team_id, id FROM templates WHERE id = $1
+SELECT name, type, vcpus, memory_mb, size_bytes, created_at, team_id, id, default_user, default_env, metadata FROM templates WHERE id = $1
 `
 
 func (q *Queries) GetTemplate(ctx context.Context, id pgtype.UUID) (Template, error) {
@@ -81,12 +84,15 @@ func (q *Queries) GetTemplate(ctx context.Context, id pgtype.UUID) (Template, er
 		&i.CreatedAt,
 		&i.TeamID,
 		&i.ID,
+		&i.DefaultUser,
+		&i.DefaultEnv,
+		&i.Metadata,
 	)
 	return i, err
 }
 
 const getTemplateByName = `-- name: GetTemplateByName :one
-SELECT name, type, vcpus, memory_mb, size_bytes, created_at, team_id, id FROM templates WHERE team_id = $1 AND name = $2
+SELECT name, type, vcpus, memory_mb, size_bytes, created_at, team_id, id, default_user, default_env, metadata FROM templates WHERE team_id = $1 AND name = $2
 `
 
 type GetTemplateByNameParams struct {
@@ -107,12 +113,15 @@ func (q *Queries) GetTemplateByName(ctx context.Context, arg GetTemplateByNamePa
 		&i.CreatedAt,
 		&i.TeamID,
 		&i.ID,
+		&i.DefaultUser,
+		&i.DefaultEnv,
+		&i.Metadata,
 	)
 	return i, err
 }
 
 const getTemplateByTeam = `-- name: GetTemplateByTeam :one
-SELECT name, type, vcpus, memory_mb, size_bytes, created_at, team_id, id FROM templates WHERE name = $1 AND (team_id = $2 OR team_id = '00000000-0000-0000-0000-000000000000')
+SELECT name, type, vcpus, memory_mb, size_bytes, created_at, team_id, id, default_user, default_env, metadata FROM templates WHERE name = $1 AND (team_id = $2 OR team_id = '00000000-0000-0000-0000-000000000000')
 `
 
 type GetTemplateByTeamParams struct {
@@ -133,24 +142,30 @@ func (q *Queries) GetTemplateByTeam(ctx context.Context, arg GetTemplateByTeamPa
 		&i.CreatedAt,
 		&i.TeamID,
 		&i.ID,
+		&i.DefaultUser,
+		&i.DefaultEnv,
+		&i.Metadata,
 	)
 	return i, err
 }
 
 const insertTemplate = `-- name: InsertTemplate :one
-INSERT INTO templates (id, name, type, vcpus, memory_mb, size_bytes, team_id)
-VALUES ($1, $2, $3, $4, $5, $6, $7)
-RETURNING name, type, vcpus, memory_mb, size_bytes, created_at, team_id, id
+INSERT INTO templates (id, name, type, vcpus, memory_mb, size_bytes, team_id, default_user, default_env, metadata)
+VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10)
+RETURNING name, type, vcpus, memory_mb, size_bytes, created_at, team_id, id, default_user, default_env, metadata
 `
 
 type InsertTemplateParams struct {
-	ID        pgtype.UUID `json:"id"`
-	Name      string      `json:"name"`
-	Type      string      `json:"type"`
-	Vcpus     int32       `json:"vcpus"`
-	MemoryMb  int32       `json:"memory_mb"`
-	SizeBytes int64       `json:"size_bytes"`
-	TeamID    pgtype.UUID `json:"team_id"`
+	ID          pgtype.UUID `json:"id"`
+	Name        string      `json:"name"`
+	Type        string      `json:"type"`
+	Vcpus       int32       `json:"vcpus"`
+	MemoryMb    int32       `json:"memory_mb"`
+	SizeBytes   int64       `json:"size_bytes"`
+	TeamID      pgtype.UUID `json:"team_id"`
+	DefaultUser string      `json:"default_user"`
+	DefaultEnv  []byte      `json:"default_env"`
+	Metadata    []byte      `json:"metadata"`
 }
 
 func (q *Queries) InsertTemplate(ctx context.Context, arg InsertTemplateParams) (Template, error) {
@@ -162,6 +177,9 @@ func (q *Queries) InsertTemplate(ctx context.Context, arg InsertTemplateParams)
 		arg.MemoryMb,
 		arg.SizeBytes,
 		arg.TeamID,
+		arg.DefaultUser,
+		arg.DefaultEnv,
+		arg.Metadata,
 	)
 	var i Template
 	err := row.Scan(
@@ -173,12 +191,15 @@ func (q *Queries) InsertTemplate(ctx context.Context, arg InsertTemplateParams)
 		&i.CreatedAt,
 		&i.TeamID,
 		&i.ID,
+		&i.DefaultUser,
+		&i.DefaultEnv,
+		&i.Metadata,
 	)
 	return i, err
 }
 
 const listTemplates = `-- name: ListTemplates :many
-SELECT name, type, vcpus, memory_mb, size_bytes, created_at, team_id, id FROM templates ORDER BY created_at DESC
+SELECT name, type, vcpus, memory_mb, size_bytes, created_at, team_id, id, default_user, default_env, metadata FROM templates ORDER BY created_at DESC
 `
 
 func (q *Queries) ListTemplates(ctx context.Context) ([]Template, error) {
@@ -199,6 +220,9 @@ func (q *Queries) ListTemplates(ctx context.Context) ([]Template, error) {
 			&i.CreatedAt,
 			&i.TeamID,
 			&i.ID,
+			&i.DefaultUser,
+			&i.DefaultEnv,
+			&i.Metadata,
 		); err != nil {
 			return nil, err
 		}
@@ -211,7 +235,7 @@ func (q *Queries) ListTemplates(ctx context.Context) ([]Template, error) {
 }
 
 const listTemplatesByTeam = `-- name: ListTemplatesByTeam :many
-SELECT name, type, vcpus, memory_mb, size_bytes, created_at, team_id, id FROM templates WHERE (team_id = $1 OR team_id = '00000000-0000-0000-0000-000000000000') ORDER BY created_at DESC
+SELECT name, type, vcpus, memory_mb, size_bytes, created_at, team_id, id, default_user, default_env, metadata FROM templates WHERE (team_id = $1 OR team_id = '00000000-0000-0000-0000-000000000000') ORDER BY created_at DESC
 `
 
 // Platform templates are visible to all teams.
@@ -233,6 +257,9 @@ func (q *Queries) ListTemplatesByTeam(ctx context.Context, teamID pgtype.UUID) (
 			&i.CreatedAt,
 			&i.TeamID,
 			&i.ID,
+			&i.DefaultUser,
+			&i.DefaultEnv,
+			&i.Metadata,
 		); err != nil {
 			return nil, err
 		}
@@ -245,7 +272,7 @@ func (q *Queries) ListTemplatesByTeam(ctx context.Context, teamID pgtype.UUID) (
 }
 
 const listTemplatesByTeamAndType = `-- name: ListTemplatesByTeamAndType :many
-SELECT name, type, vcpus, memory_mb, size_bytes, created_at, team_id, id FROM templates WHERE (team_id = $1 OR team_id = '00000000-0000-0000-0000-000000000000') AND type = $2 ORDER BY created_at DESC
+SELECT name, type, vcpus, memory_mb, size_bytes, created_at, team_id, id, default_user, default_env, metadata FROM templates WHERE (team_id = $1 OR team_id = '00000000-0000-0000-0000-000000000000') AND type = $2 ORDER BY created_at DESC
 `
 
 type ListTemplatesByTeamAndTypeParams struct {
@@ -272,6 +299,9 @@ func (q *Queries) ListTemplatesByTeamAndType(ctx context.Context, arg ListTempla
 			&i.CreatedAt,
 			&i.TeamID,
 			&i.ID,
+			&i.DefaultUser,
+			&i.DefaultEnv,
+			&i.Metadata,
 		); err != nil {
 			return nil, err
 		}
@@ -284,7 +314,7 @@ func (q *Queries) ListTemplatesByTeamAndType(ctx context.Context, arg ListTempla
 }
 
 const listTemplatesByTeamOnly = `-- name: ListTemplatesByTeamOnly :many
-SELECT name, type, vcpus, memory_mb, size_bytes, created_at, team_id, id FROM templates WHERE team_id = $1 ORDER BY created_at DESC
+SELECT name, type, vcpus, memory_mb, size_bytes, created_at, team_id, id, default_user, default_env, metadata FROM templates WHERE team_id = $1 ORDER BY created_at DESC
 `
 
 // List templates owned by a specific team (NOT including platform templates).
@@ -306,6 +336,9 @@ func (q *Queries) ListTemplatesByTeamOnly(ctx context.Context, teamID pgtype.UUI
 			&i.CreatedAt,
 			&i.TeamID,
 			&i.ID,
+			&i.DefaultUser,
+			&i.DefaultEnv,
+			&i.Metadata,
 		); err != nil {
 			return nil, err
 		}
@@ -318,7 +351,7 @@ func (q *Queries) ListTemplatesByTeamOnly(ctx context.Context, teamID pgtype.UUI
 }
 
 const listTemplatesByType = `-- name: ListTemplatesByType :many
-SELECT name, type, vcpus, memory_mb, size_bytes, created_at, team_id, id FROM templates WHERE type = $1 ORDER BY created_at DESC
+SELECT name, type, vcpus, memory_mb, size_bytes, created_at, team_id, id, default_user, default_env, metadata FROM templates WHERE type = $1 ORDER BY created_at DESC
 `
 
 func (q *Queries) ListTemplatesByType(ctx context.Context, type_ string) ([]Template, error) {
@@ -339,6 +372,9 @@ func (q *Queries) ListTemplatesByType(ctx context.Context, type_ string) ([]Temp
 			&i.CreatedAt,
 			&i.TeamID,
 			&i.ID,
+			&i.DefaultUser,
+			&i.DefaultEnv,
+			&i.Metadata,
 		); err != nil {
 			return nil, err
 		}
diff --git a/internal/db/users.sql.go b/pkg/db/users.sql.go
similarity index 53%
rename from internal/db/users.sql.go
rename to pkg/db/users.sql.go
index 9de866b..c48d9c9 100644
--- a/internal/db/users.sql.go
+++ b/pkg/db/users.sql.go
@@ -11,6 +11,59 @@ import (
 	"github.com/jackc/pgx/v5/pgtype"
 )
 
+const countActiveUsers = `-- name: CountActiveUsers :one
+SELECT COUNT(*) FROM users WHERE status = 'active'
+`
+
+func (q *Queries) CountActiveUsers(ctx context.Context) (int64, error) {
+	row := q.db.QueryRow(ctx, countActiveUsers)
+	var count int64
+	err := row.Scan(&count)
+	return count, err
+}
+
+const countUserOwnedTeamsWithOtherMembers = `-- name: CountUserOwnedTeamsWithOtherMembers :one
+SELECT COUNT(DISTINCT ut.team_id)::int
+FROM users_teams ut
+WHERE ut.user_id = $1
+  AND ut.role = 'owner'
+  AND EXISTS (
+      SELECT 1 FROM users_teams ut2
+      WHERE ut2.team_id = ut.team_id AND ut2.user_id <> $1
+  )
+`
+
+func (q *Queries) CountUserOwnedTeamsWithOtherMembers(ctx context.Context, userID pgtype.UUID) (int32, error) {
+	row := q.db.QueryRow(ctx, countUserOwnedTeamsWithOtherMembers, userID)
+	var column_1 int32
+	err := row.Scan(&column_1)
+	return column_1, err
+}
+
+const countUsers = `-- name: CountUsers :one
+SELECT COUNT(*) FROM users
+`
+
+func (q *Queries) CountUsers(ctx context.Context) (int64, error) {
+	row := q.db.QueryRow(ctx, countUsers)
+	var count int64
+	err := row.Scan(&count)
+	return count, err
+}
+
+const countUsersAdmin = `-- name: CountUsersAdmin :one
+SELECT COUNT(*)::int AS total
+FROM users
+WHERE status != 'deleted'
+`
+
+func (q *Queries) CountUsersAdmin(ctx context.Context) (int32, error) {
+	row := q.db.QueryRow(ctx, countUsersAdmin)
+	var total int32
+	err := row.Scan(&total)
+	return total, err
+}
+
 const deleteAdminPermission = `-- name: DeleteAdminPermission :exec
 DELETE FROM admin_permissions WHERE user_id = $1 AND permission = $2
 `
@@ -55,7 +108,7 @@ func (q *Queries) GetAdminPermissions(ctx context.Context, userID pgtype.UUID) (
 }
 
 const getAdminUsers = `-- name: GetAdminUsers :many
-SELECT id, email, password_hash, name, is_admin, created_at, updated_at FROM users WHERE is_admin = TRUE ORDER BY created_at
+SELECT id, email, password_hash, name, is_admin, created_at, updated_at, deleted_at, status FROM users WHERE is_admin = TRUE ORDER BY created_at
 `
 
 func (q *Queries) GetAdminUsers(ctx context.Context) ([]User, error) {
@@ -75,6 +128,8 @@ func (q *Queries) GetAdminUsers(ctx context.Context) ([]User, error) {
 			&i.IsAdmin,
 			&i.CreatedAt,
 			&i.UpdatedAt,
+			&i.DeletedAt,
+			&i.Status,
 		); err != nil {
 			return nil, err
 		}
@@ -87,7 +142,7 @@ func (q *Queries) GetAdminUsers(ctx context.Context) ([]User, error) {
 }
 
 const getUserByEmail = `-- name: GetUserByEmail :one
-SELECT id, email, password_hash, name, is_admin, created_at, updated_at FROM users WHERE email = $1
+SELECT id, email, password_hash, name, is_admin, created_at, updated_at, deleted_at, status FROM users WHERE email = $1 AND status != 'deleted'
 `
 
 func (q *Queries) GetUserByEmail(ctx context.Context, email string) (User, error) {
@@ -101,12 +156,14 @@ func (q *Queries) GetUserByEmail(ctx context.Context, email string) (User, error
 		&i.IsAdmin,
 		&i.CreatedAt,
 		&i.UpdatedAt,
+		&i.DeletedAt,
+		&i.Status,
 	)
 	return i, err
 }
 
 const getUserByID = `-- name: GetUserByID :one
-SELECT id, email, password_hash, name, is_admin, created_at, updated_at FROM users WHERE id = $1
+SELECT id, email, password_hash, name, is_admin, created_at, updated_at, deleted_at, status FROM users WHERE id = $1 AND status != 'deleted'
 `
 
 func (q *Queries) GetUserByID(ctx context.Context, id pgtype.UUID) (User, error) {
@@ -120,10 +177,30 @@ func (q *Queries) GetUserByID(ctx context.Context, id pgtype.UUID) (User, error)
 		&i.IsAdmin,
 		&i.CreatedAt,
 		&i.UpdatedAt,
+		&i.DeletedAt,
+		&i.Status,
 	)
 	return i, err
 }
 
+const hardDeleteExpiredUsers = `-- name: HardDeleteExpiredUsers :exec
+DELETE FROM users WHERE deleted_at IS NOT NULL AND deleted_at < NOW() - INTERVAL '15 days'
+`
+
+func (q *Queries) HardDeleteExpiredUsers(ctx context.Context) error {
+	_, err := q.db.Exec(ctx, hardDeleteExpiredUsers)
+	return err
+}
+
+const hardDeleteUser = `-- name: HardDeleteUser :exec
+DELETE FROM users WHERE id = $1
+`
+
+func (q *Queries) HardDeleteUser(ctx context.Context, id pgtype.UUID) error {
+	_, err := q.db.Exec(ctx, hardDeleteUser, id)
+	return err
+}
+
 const hasAdminPermission = `-- name: HasAdminPermission :one
 SELECT EXISTS(
     SELECT 1 FROM admin_permissions WHERE user_id = $1 AND permission = $2
@@ -161,7 +238,7 @@ func (q *Queries) InsertAdminPermission(ctx context.Context, arg InsertAdminPerm
 const insertUser = `-- name: InsertUser :one
 INSERT INTO users (id, email, password_hash, name)
 VALUES ($1, $2, $3, $4)
-RETURNING id, email, password_hash, name, is_admin, created_at, updated_at
+RETURNING id, email, password_hash, name, is_admin, created_at, updated_at, deleted_at, status
 `
 
 type InsertUserParams struct {
@@ -187,6 +264,43 @@ func (q *Queries) InsertUser(ctx context.Context, arg InsertUserParams) (User, e
 		&i.IsAdmin,
 		&i.CreatedAt,
 		&i.UpdatedAt,
+		&i.DeletedAt,
+		&i.Status,
+	)
+	return i, err
+}
+
+const insertUserInactive = `-- name: InsertUserInactive :one
+INSERT INTO users (id, email, password_hash, name, status)
+VALUES ($1, $2, $3, $4, 'inactive')
+RETURNING id, email, password_hash, name, is_admin, created_at, updated_at, deleted_at, status
+`
+
+type InsertUserInactiveParams struct {
+	ID           pgtype.UUID `json:"id"`
+	Email        string      `json:"email"`
+	PasswordHash pgtype.Text `json:"password_hash"`
+	Name         string      `json:"name"`
+}
+
+func (q *Queries) InsertUserInactive(ctx context.Context, arg InsertUserInactiveParams) (User, error) {
+	row := q.db.QueryRow(ctx, insertUserInactive,
+		arg.ID,
+		arg.Email,
+		arg.PasswordHash,
+		arg.Name,
+	)
+	var i User
+	err := row.Scan(
+		&i.ID,
+		&i.Email,
+		&i.PasswordHash,
+		&i.Name,
+		&i.IsAdmin,
+		&i.CreatedAt,
+		&i.UpdatedAt,
+		&i.DeletedAt,
+		&i.Status,
 	)
 	return i, err
 }
@@ -194,7 +308,7 @@ func (q *Queries) InsertUser(ctx context.Context, arg InsertUserParams) (User, e
 const insertUserOAuth = `-- name: InsertUserOAuth :one
 INSERT INTO users (id, email, name)
 VALUES ($1, $2, $3)
-RETURNING id, email, password_hash, name, is_admin, created_at, updated_at
+RETURNING id, email, password_hash, name, is_admin, created_at, updated_at, deleted_at, status
 `
 
 type InsertUserOAuthParams struct {
@@ -214,10 +328,73 @@ func (q *Queries) InsertUserOAuth(ctx context.Context, arg InsertUserOAuthParams
 		&i.IsAdmin,
 		&i.CreatedAt,
 		&i.UpdatedAt,
+		&i.DeletedAt,
+		&i.Status,
 	)
 	return i, err
 }
 
+const listUsersAdmin = `-- name: ListUsersAdmin :many
+SELECT
+    u.id,
+    u.email,
+    u.name,
+    u.is_admin,
+    u.status,
+    u.created_at,
+    (SELECT COUNT(*) FROM users_teams ut WHERE ut.user_id = u.id)::int AS teams_joined,
+    (SELECT COUNT(*) FROM users_teams ut WHERE ut.user_id = u.id AND ut.role = 'owner')::int AS teams_owned
+FROM users u
+WHERE u.status != 'deleted'
+ORDER BY u.created_at DESC
+LIMIT $1 OFFSET $2
+`
+
+type ListUsersAdminParams struct {
+	Limit  int32 `json:"limit"`
+	Offset int32 `json:"offset"`
+}
+
+type ListUsersAdminRow struct {
+	ID          pgtype.UUID        `json:"id"`
+	Email       string             `json:"email"`
+	Name        string             `json:"name"`
+	IsAdmin     bool               `json:"is_admin"`
+	Status      string             `json:"status"`
+	CreatedAt   pgtype.Timestamptz `json:"created_at"`
+	TeamsJoined int32              `json:"teams_joined"`
+	TeamsOwned  int32              `json:"teams_owned"`
+}
+
+func (q *Queries) ListUsersAdmin(ctx context.Context, arg ListUsersAdminParams) ([]ListUsersAdminRow, error) {
+	rows, err := q.db.Query(ctx, listUsersAdmin, arg.Limit, arg.Offset)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	var items []ListUsersAdminRow
+	for rows.Next() {
+		var i ListUsersAdminRow
+		if err := rows.Scan(
+			&i.ID,
+			&i.Email,
+			&i.Name,
+			&i.IsAdmin,
+			&i.Status,
+			&i.CreatedAt,
+			&i.TeamsJoined,
+			&i.TeamsOwned,
+		); err != nil {
+			return nil, err
+		}
+		items = append(items, i)
+	}
+	if err := rows.Err(); err != nil {
+		return nil, err
+	}
+	return items, nil
+}
+
 const searchUsersByEmailPrefix = `-- name: SearchUsersByEmailPrefix :many
 SELECT id, email FROM users WHERE email LIKE $1 || '%' ORDER BY email LIMIT 10
 `
@@ -261,6 +438,29 @@ func (q *Queries) SetUserAdmin(ctx context.Context, arg SetUserAdminParams) erro
 	return err
 }
 
+const setUserStatus = `-- name: SetUserStatus :exec
+UPDATE users SET status = $2, updated_at = NOW() WHERE id = $1
+`
+
+type SetUserStatusParams struct {
+	ID     pgtype.UUID `json:"id"`
+	Status string      `json:"status"`
+}
+
+func (q *Queries) SetUserStatus(ctx context.Context, arg SetUserStatusParams) error {
+	_, err := q.db.Exec(ctx, setUserStatus, arg.ID, arg.Status)
+	return err
+}
+
+const softDeleteUser = `-- name: SoftDeleteUser :exec
+UPDATE users SET deleted_at = NOW(), status = 'deleted', updated_at = NOW() WHERE id = $1
+`
+
+func (q *Queries) SoftDeleteUser(ctx context.Context, id pgtype.UUID) error {
+	_, err := q.db.Exec(ctx, softDeleteUser, id)
+	return err
+}
+
 const updateUserName = `-- name: UpdateUserName :exec
 UPDATE users SET name = $2, updated_at = NOW() WHERE id = $1
 `
@@ -274,3 +474,17 @@ func (q *Queries) UpdateUserName(ctx context.Context, arg UpdateUserNameParams)
 	_, err := q.db.Exec(ctx, updateUserName, arg.ID, arg.Name)
 	return err
 }
+
+const updateUserPassword = `-- name: UpdateUserPassword :exec
+UPDATE users SET password_hash = $2, updated_at = NOW() WHERE id = $1
+`
+
+type UpdateUserPasswordParams struct {
+	ID           pgtype.UUID `json:"id"`
+	PasswordHash pgtype.Text `json:"password_hash"`
+}
+
+func (q *Queries) UpdateUserPassword(ctx context.Context, arg UpdateUserPasswordParams) error {
+	_, err := q.db.Exec(ctx, updateUserPassword, arg.ID, arg.PasswordHash)
+	return err
+}
diff --git a/internal/events/event.go b/pkg/events/event.go
similarity index 100%
rename from internal/events/event.go
rename to pkg/events/event.go
diff --git a/internal/id/id.go b/pkg/id/id.go
similarity index 98%
rename from internal/id/id.go
rename to pkg/id/id.go
index 2ef5d88..6e1fd9e 100644
--- a/internal/id/id.go
+++ b/pkg/id/id.go
@@ -167,6 +167,11 @@ func UUIDString(id pgtype.UUID) string {
 	return uuid.UUID(id.Bytes).String()
 }
 
+// NewPtyTag generates a PTY session tag: 8 random hex characters.
+func NewPtyTag() string {
+	return hex8()
+}
+
 // --- Helpers ---
 
 func hex8() string {
diff --git a/internal/id/id_test.go b/pkg/id/id_test.go
similarity index 100%
rename from internal/id/id_test.go
rename to pkg/id/id_test.go
diff --git a/internal/lifecycle/hostpool.go b/pkg/lifecycle/hostpool.go
similarity index 98%
rename from internal/lifecycle/hostpool.go
rename to pkg/lifecycle/hostpool.go
index ca9e8bb..3931d7b 100644
--- a/internal/lifecycle/hostpool.go
+++ b/pkg/lifecycle/hostpool.go
@@ -8,8 +8,8 @@ import (
 	"sync"
 	"time"
 
-	"git.omukk.dev/wrenn/wrenn/internal/db"
-	"git.omukk.dev/wrenn/wrenn/internal/id"
+	"git.omukk.dev/wrenn/wrenn/pkg/db"
+	"git.omukk.dev/wrenn/wrenn/pkg/id"
 	"git.omukk.dev/wrenn/wrenn/proto/hostagent/gen/hostagentv1connect"
 )
 
diff --git a/internal/lifecycle/manager.go b/pkg/lifecycle/manager.go
similarity index 100%
rename from internal/lifecycle/manager.go
rename to pkg/lifecycle/manager.go
diff --git a/pkg/logging/logging.go b/pkg/logging/logging.go
new file mode 100644
index 0000000..6159a9c
--- /dev/null
+++ b/pkg/logging/logging.go
@@ -0,0 +1,135 @@
+package logging
+
+import (
+	"io"
+	"log/slog"
+	"os"
+	"os/signal"
+	"path/filepath"
+	"strings"
+	"sync"
+	"syscall"
+)
+
+// Setup configures the global slog logger with dual output (stderr + rotating
+// log file). logsDir is the directory where log files are written. binaryName
+// is used as the log filename (e.g. "control-plane" → "control-plane.log").
+//
+// If logsDir is empty or the directory cannot be created, Setup falls back to
+// stderr-only logging and returns a no-op cleanup function.
+//
+// The returned cleanup function closes the log file and must be deferred.
+// Setup also installs a SIGHUP handler that reopens the log file, allowing
+// external log rotation tools (e.g. logrotate) to rotate files in place.
+func Setup(logsDir, binaryName string) func() {
+	level := parseLevel(os.Getenv("LOG_LEVEL"))
+
+	if logsDir == "" {
+		slog.SetDefault(slog.New(slog.NewTextHandler(os.Stderr, &slog.HandlerOptions{
+			Level: level,
+		})))
+		return func() {}
+	}
+
+	if err := os.MkdirAll(logsDir, 0750); err != nil {
+		// Fall back to stderr-only; log the error so operators notice.
+		slog.SetDefault(slog.New(slog.NewTextHandler(os.Stderr, &slog.HandlerOptions{
+			Level: level,
+		})))
+		slog.Warn("file logging unavailable: failed to create log directory", "dir", logsDir, "error", err)
+		return func() {}
+	}
+
+	logPath := filepath.Join(logsDir, binaryName+".log")
+	rf, err := newReopenableFile(logPath)
+	if err != nil {
+		slog.SetDefault(slog.New(slog.NewTextHandler(os.Stderr, &slog.HandlerOptions{
+			Level: level,
+		})))
+		slog.Warn("file logging unavailable: failed to open log file", "path", logPath, "error", err)
+		return func() {}
+	}
+
+	mw := io.MultiWriter(os.Stderr, rf)
+	slog.SetDefault(slog.New(slog.NewTextHandler(mw, &slog.HandlerOptions{
+		Level: level,
+	})))
+
+	// SIGHUP reopens the log file so logrotate can rotate in place.
+	sigCh := make(chan os.Signal, 1)
+	signal.Notify(sigCh, syscall.SIGHUP)
+	go func() {
+		for range sigCh {
+			if err := rf.Reopen(); err != nil {
+				slog.Error("failed to reopen log file on SIGHUP", "path", logPath, "error", err)
+			} else {
+				slog.Info("log file reopened", "path", logPath)
+			}
+		}
+	}()
+
+	return func() {
+		signal.Stop(sigCh)
+		close(sigCh)
+		rf.Close()
+	}
+}
+
+func parseLevel(s string) slog.Level {
+	switch strings.ToLower(strings.TrimSpace(s)) {
+	case "debug":
+		return slog.LevelDebug
+	case "warn", "warning":
+		return slog.LevelWarn
+	case "error":
+		return slog.LevelError
+	default:
+		return slog.LevelInfo
+	}
+}
+
+// reopenableFile is an io.Writer backed by an *os.File that can be atomically
+// reopened (for log rotation via SIGHUP). All operations are goroutine-safe.
+type reopenableFile struct {
+	path string
+	mu   sync.Mutex
+	f    *os.File
+}
+
+func newReopenableFile(path string) (*reopenableFile, error) {
+	f, err := os.OpenFile(path, os.O_CREATE|os.O_APPEND|os.O_WRONLY, 0640)
+	if err != nil {
+		return nil, err
+	}
+	return &reopenableFile{path: path, f: f}, nil
+}
+
+func (r *reopenableFile) Write(p []byte) (int, error) {
+	r.mu.Lock()
+	defer r.mu.Unlock()
+	return r.f.Write(p)
+}
+
+// Reopen closes the current file and opens a new one at the same path.
+// This is the mechanism that makes logrotate's copytruncate-free rotation work:
+// logrotate renames the old file, then sends SIGHUP, and the process opens a
+// fresh file at the original path.
+func (r *reopenableFile) Reopen() error {
+	r.mu.Lock()
+	defer r.mu.Unlock()
+	// Open the new file before closing the old one so a failed open doesn't
+	// leave the writer in a broken state with a closed fd.
+	f, err := os.OpenFile(r.path, os.O_CREATE|os.O_APPEND|os.O_WRONLY, 0640)
+	if err != nil {
+		return err
+	}
+	r.f.Close()
+	r.f = f
+	return nil
+}
+
+func (r *reopenableFile) Close() error {
+	r.mu.Lock()
+	defer r.mu.Unlock()
+	return r.f.Close()
+}
diff --git a/pkg/scheduler/least_loaded.go b/pkg/scheduler/least_loaded.go
new file mode 100644
index 0000000..57c4a18
--- /dev/null
+++ b/pkg/scheduler/least_loaded.go
@@ -0,0 +1,171 @@
+package scheduler
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/jackc/pgx/v5/pgtype"
+
+	"git.omukk.dev/wrenn/wrenn/pkg/db"
+)
+
+// Resource overhead reserved for the host OS.
+const (
+	reservedMemoryMB = 8192
+	reservedCPU      = 4
+	reservedDiskMB   = 30720 // 30 GB
+	cpuOvercommit    = 1.5
+	pausedMemoryFrac = 0.5
+	pausedDiskFrac   = 2.0 / 3.0
+)
+
+// LeastLoadedScheduler picks the online host with the most headroom at its
+// tightest resource (bottleneck-first strategy).
+//
+// For each eligible host it computes the remaining fraction of each resource:
+//
+//	RAM:  usable / total  where total = host.memory_mb - 8192
+//	CPU:  usable / total  where total = host.cpu_cores * 1.5 - 4
+//	Disk: usable / total  where total = host.disk_gb * 1024 - 30720
+//
+// The host's score is min(ram_frac, cpu_frac, disk_frac). The host with the
+// highest score wins. Admission control rejects when no host can fit the
+// requested sandbox on RAM or disk; CPU overcommit is allowed.
+type LeastLoadedScheduler struct {
+	db *db.Queries
+}
+
+// NewLeastLoadedScheduler creates a LeastLoadedScheduler backed by the given DB.
+func NewLeastLoadedScheduler(queries *db.Queries) *LeastLoadedScheduler {
+	return &LeastLoadedScheduler{db: queries}
+}
+
+// hostResources holds the computed resource availability for a single host.
+type hostResources struct {
+	host       db.Host
+	ramTotal   float64
+	ramUsable  float64
+	cpuTotal   float64
+	cpuUsable  float64
+	diskTotal  float64
+	diskUsable float64
+}
+
+// bottleneckScore returns the fraction of the tightest resource remaining.
+func (h *hostResources) bottleneckScore() float64 {
+	ramFrac := safeFrac(h.ramUsable, h.ramTotal)
+	cpuFrac := safeFrac(h.cpuUsable, h.cpuTotal)
+	diskFrac := safeFrac(h.diskUsable, h.diskTotal)
+	return min(ramFrac, cpuFrac, diskFrac)
+}
+
+// safeFrac returns usable/total, or 0 when total <= 0.
+func safeFrac(usable, total float64) float64 {
+	if total <= 0 {
+		return 0
+	}
+	return usable / total
+}
+
+// SelectHost returns the eligible host with the most resource headroom.
+func (s *LeastLoadedScheduler) SelectHost(ctx context.Context, teamID pgtype.UUID, isByoc bool, memoryMb, diskSizeMb int32) (db.Host, error) {
+	rows, err := s.db.GetHostsWithLoad(ctx)
+	if err != nil {
+		return db.Host{}, fmt.Errorf("get hosts with load: %w", err)
+	}
+
+	// Phase 1: filter eligible hosts and compute resources.
+	var candidates []hostResources
+	for i := range rows {
+		row := &rows[i]
+
+		if isByoc {
+			if row.Type != "byoc" || !row.TeamID.Valid || row.TeamID != teamID {
+				continue
+			}
+		} else {
+			if row.Type != "regular" {
+				continue
+			}
+		}
+
+		hr := computeResources(row)
+		candidates = append(candidates, hr)
+	}
+
+	if len(candidates) == 0 {
+		if isByoc {
+			return db.Host{}, fmt.Errorf("no online BYOC hosts available for team")
+		}
+		return db.Host{}, fmt.Errorf("no online platform hosts available")
+	}
+
+	// Phase 2: admission control + selection — pick the highest-scoring host
+	// that can actually fit the requested sandbox (RAM and disk).
+	best := -1
+	bestScore := 0.0
+	for i := range candidates {
+		if memoryMb > 0 && candidates[i].ramUsable < float64(memoryMb) {
+			continue
+		}
+		if diskSizeMb > 0 && candidates[i].diskUsable < float64(diskSizeMb) {
+			continue
+		}
+		score := candidates[i].bottleneckScore()
+		if best == -1 || score > bestScore {
+			best = i
+			bestScore = score
+		}
+	}
+
+	if best == -1 {
+		return db.Host{}, fmt.Errorf("no host has sufficient resources: need %d MB memory, %d MB disk", memoryMb, diskSizeMb)
+	}
+
+	return candidates[best].host, nil
+}
+
+// computeResources converts a raw DB row into computed resource availability.
+func computeResources(row *db.GetHostsWithLoadRow) hostResources {
+	ramTotal := float64(row.MemoryMb) - reservedMemoryMB
+	cpuTotal := float64(row.CpuCores)*cpuOvercommit - reservedCPU
+	diskTotal := float64(row.DiskGb)*1024 - reservedDiskMB
+
+	usedMemory := float64(row.RunningMemoryMb) + pausedMemoryFrac*float64(row.PausedMemoryMb)
+	usedCPU := float64(row.RunningVcpus)
+	usedDisk := float64(row.RunningDiskMb) + pausedDiskFrac*float64(row.PausedDiskMb)
+
+	return hostResources{
+		host:       hostFromRow(row),
+		ramTotal:   ramTotal,
+		ramUsable:  ramTotal - usedMemory,
+		cpuTotal:   cpuTotal,
+		cpuUsable:  cpuTotal - usedCPU,
+		diskTotal:  diskTotal,
+		diskUsable: diskTotal - usedDisk,
+	}
+}
+
+// hostFromRow converts the query row back to a plain db.Host.
+func hostFromRow(r *db.GetHostsWithLoadRow) db.Host {
+	return db.Host{
+		ID:               r.ID,
+		Type:             r.Type,
+		TeamID:           r.TeamID,
+		Provider:         r.Provider,
+		AvailabilityZone: r.AvailabilityZone,
+		Arch:             r.Arch,
+		CpuCores:         r.CpuCores,
+		MemoryMb:         r.MemoryMb,
+		DiskGb:           r.DiskGb,
+		Address:          r.Address,
+		Status:           r.Status,
+		LastHeartbeatAt:  r.LastHeartbeatAt,
+		Metadata:         r.Metadata,
+		CreatedBy:        r.CreatedBy,
+		CreatedAt:        r.CreatedAt,
+		UpdatedAt:        r.UpdatedAt,
+		CertFingerprint:  r.CertFingerprint,
+		CertExpiresAt:    r.CertExpiresAt,
+	}
+}
diff --git a/internal/scheduler/round_robin.go b/pkg/scheduler/round_robin.go
similarity index 80%
rename from internal/scheduler/round_robin.go
rename to pkg/scheduler/round_robin.go
index 7e4962d..693de30 100644
--- a/internal/scheduler/round_robin.go
+++ b/pkg/scheduler/round_robin.go
@@ -7,7 +7,7 @@ import (
 
 	"github.com/jackc/pgx/v5/pgtype"
 
-	"git.omukk.dev/wrenn/wrenn/internal/db"
+	"git.omukk.dev/wrenn/wrenn/pkg/db"
 )
 
 // HostScheduler selects a host for a new sandbox. Implementations may use
@@ -16,8 +16,11 @@ type HostScheduler interface {
 	// SelectHost returns a host that can accept a new sandbox.
 	// For BYOC teams (isByoc=true), only online BYOC hosts belonging to teamID
 	// are considered. For non-BYOC teams, only online regular (platform) hosts
-	// are considered. Returns an error if no suitable host is available.
-	SelectHost(ctx context.Context, teamID pgtype.UUID, isByoc bool) (db.Host, error)
+	// are considered.
+	// memoryMb and diskSizeMb describe the sandbox's resource requirements so
+	// the scheduler can perform admission control (reject when no host has
+	// enough RAM or disk). Pass 0 to skip admission checks.
+	SelectHost(ctx context.Context, teamID pgtype.UUID, isByoc bool, memoryMb, diskSizeMb int32) (db.Host, error)
 }
 
 // RoundRobinScheduler cycles through eligible online hosts in round-robin order.
@@ -34,7 +37,9 @@ func NewRoundRobinScheduler(queries *db.Queries) *RoundRobinScheduler {
 }
 
 // SelectHost returns the next eligible online host in round-robin order.
-func (s *RoundRobinScheduler) SelectHost(ctx context.Context, teamID pgtype.UUID, isByoc bool) (db.Host, error) {
+// The memoryMb and diskSizeMb parameters are ignored — round-robin performs
+// no admission control.
+func (s *RoundRobinScheduler) SelectHost(ctx context.Context, teamID pgtype.UUID, isByoc bool, _, _ int32) (db.Host, error) {
 	hosts, err := s.db.ListActiveHosts(ctx)
 	if err != nil {
 		return db.Host{}, fmt.Errorf("list hosts: %w", err)
diff --git a/internal/scheduler/scheduler.go b/pkg/scheduler/scheduler.go
similarity index 100%
rename from internal/scheduler/scheduler.go
rename to pkg/scheduler/scheduler.go
diff --git a/internal/scheduler/single_host.go b/pkg/scheduler/single_host.go
similarity index 100%
rename from internal/scheduler/single_host.go
rename to pkg/scheduler/single_host.go
diff --git a/internal/service/apikey.go b/pkg/service/apikey.go
similarity index 93%
rename from internal/service/apikey.go
rename to pkg/service/apikey.go
index 90bdfb6..8eea896 100644
--- a/internal/service/apikey.go
+++ b/pkg/service/apikey.go
@@ -6,9 +6,9 @@ import (
 
 	"github.com/jackc/pgx/v5/pgtype"
 
-	"git.omukk.dev/wrenn/wrenn/internal/auth"
-	"git.omukk.dev/wrenn/wrenn/internal/db"
-	"git.omukk.dev/wrenn/wrenn/internal/id"
+	"git.omukk.dev/wrenn/wrenn/pkg/auth"
+	"git.omukk.dev/wrenn/wrenn/pkg/db"
+	"git.omukk.dev/wrenn/wrenn/pkg/id"
 )
 
 // APIKeyService provides API key operations shared between the REST API and the dashboard.
diff --git a/internal/service/audit.go b/pkg/service/audit.go
similarity index 97%
rename from internal/service/audit.go
rename to pkg/service/audit.go
index e028625..cee95d6 100644
--- a/internal/service/audit.go
+++ b/pkg/service/audit.go
@@ -8,8 +8,8 @@ import (
 
 	"github.com/jackc/pgx/v5/pgtype"
 
-	"git.omukk.dev/wrenn/wrenn/internal/db"
-	"git.omukk.dev/wrenn/wrenn/internal/id"
+	"git.omukk.dev/wrenn/wrenn/pkg/db"
+	"git.omukk.dev/wrenn/wrenn/pkg/id"
 )
 
 const auditMaxLimit = 200
diff --git a/internal/service/build.go b/pkg/service/build.go
similarity index 71%
rename from internal/service/build.go
rename to pkg/service/build.go
index b45ba1d..bdb1620 100644
--- a/internal/service/build.go
+++ b/pkg/service/build.go
@@ -13,11 +13,11 @@ import (
 	"github.com/jackc/pgx/v5/pgtype"
 	"github.com/redis/go-redis/v9"
 
-	"git.omukk.dev/wrenn/wrenn/internal/db"
-	"git.omukk.dev/wrenn/wrenn/internal/id"
-	"git.omukk.dev/wrenn/wrenn/internal/lifecycle"
 	"git.omukk.dev/wrenn/wrenn/internal/recipe"
-	"git.omukk.dev/wrenn/wrenn/internal/scheduler"
+	"git.omukk.dev/wrenn/wrenn/pkg/db"
+	"git.omukk.dev/wrenn/wrenn/pkg/id"
+	"git.omukk.dev/wrenn/wrenn/pkg/lifecycle"
+	"git.omukk.dev/wrenn/wrenn/pkg/scheduler"
 	pb "git.omukk.dev/wrenn/wrenn/proto/hostagent/gen"
 )
 
@@ -27,8 +27,11 @@ const (
 )
 
 // preBuildCmds run before the user recipe to prepare the build environment.
+// apt update runs as root first, then USER switches to wrenn-user for the recipe.
 var preBuildCmds = []string{
 	"RUN apt update",
+	"USER wrenn-user",
+	"WORKDIR /home/wrenn-user",
 }
 
 // postBuildCmds run after the user recipe to clean up caches and reduce image size.
@@ -36,6 +39,7 @@ var postBuildCmds = []string{
 	"RUN apt clean",
 	"RUN apt autoremove -y",
 	"RUN rm -rf /var/lib/apt/lists/*",
+	"RUN rm -rf /tmp/build-files /tmp/build-files.*",
 }
 
 // buildAgentClient is the subset of the host agent client used by the build worker.
@@ -43,6 +47,7 @@ type buildAgentClient interface {
 	CreateSandbox(ctx context.Context, req *connect.Request[pb.CreateSandboxRequest]) (*connect.Response[pb.CreateSandboxResponse], error)
 	DestroySandbox(ctx context.Context, req *connect.Request[pb.DestroySandboxRequest]) (*connect.Response[pb.DestroySandboxResponse], error)
 	Exec(ctx context.Context, req *connect.Request[pb.ExecRequest]) (*connect.Response[pb.ExecResponse], error)
+	WriteFile(ctx context.Context, req *connect.Request[pb.WriteFileRequest]) (*connect.Response[pb.WriteFileResponse], error)
 	CreateSnapshot(ctx context.Context, req *connect.Request[pb.CreateSnapshotRequest]) (*connect.Response[pb.CreateSnapshotResponse], error)
 	FlattenRootfs(ctx context.Context, req *connect.Request[pb.FlattenRootfsRequest]) (*connect.Response[pb.FlattenRootfsResponse], error)
 }
@@ -56,6 +61,7 @@ type BuildService struct {
 
 	mu        sync.Mutex
 	cancelMap map[string]context.CancelFunc // buildID → per-build cancel func
+	filesMap  map[string][]byte             // buildID → uploaded archive bytes
 }
 
 // BuildCreateParams holds the parameters for creating a template build.
@@ -67,6 +73,27 @@ type BuildCreateParams struct {
 	VCPUs        int32
 	MemoryMB     int32
 	SkipPrePost  bool
+	Archive      []byte // Optional tar/tar.gz/zip archive for COPY commands.
+	ArchiveName  string // Original filename (used to detect format).
+}
+
+// storeArchive stores uploaded archive bytes keyed by build ID for the worker.
+func (s *BuildService) storeArchive(buildID string, data []byte) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	if s.filesMap == nil {
+		s.filesMap = make(map[string][]byte)
+	}
+	s.filesMap[buildID] = data
+}
+
+// takeArchive retrieves and removes stored archive bytes for a build.
+func (s *BuildService) takeArchive(buildID string) []byte {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	data := s.filesMap[buildID]
+	delete(s.filesMap, buildID)
+	return data
 }
 
 // Create inserts a new build record and enqueues it to Redis.
@@ -112,8 +139,13 @@ func (s *BuildService) Create(ctx context.Context, p BuildCreateParams) (db.Temp
 		return db.TemplateBuild{}, fmt.Errorf("insert build: %w", err)
 	}
 
-	// Enqueue build ID (as formatted string) to Redis for workers to pick up.
+	// Store archive before enqueue so the worker never dequeues without files.
+	if len(p.Archive) > 0 {
+		s.storeArchive(buildIDStr, p.Archive)
+	}
+
 	if err := s.Redis.RPush(ctx, buildQueueKey, buildIDStr).Err(); err != nil {
+		s.takeArchive(buildIDStr) // clean up on enqueue failure
 		return db.TemplateBuild{}, fmt.Errorf("enqueue build: %w", err)
 	}
 
@@ -251,7 +283,7 @@ func (s *BuildService) executeBuild(ctx context.Context, buildIDStr string) {
 	}
 
 	// Pick a platform host and create a sandbox.
-	host, err := s.Scheduler.SelectHost(buildCtx, id.PlatformTeamID, false)
+	host, err := s.Scheduler.SelectHost(buildCtx, id.PlatformTeamID, false, build.MemoryMb, 5120)
 	if err != nil {
 		s.failBuild(buildCtx, buildID, fmt.Sprintf("no host available: %v", err))
 		return
@@ -294,7 +326,8 @@ func (s *BuildService) executeBuild(ctx context.Context, buildIDStr string) {
 		s.failBuild(buildCtx, buildID, fmt.Sprintf("create sandbox failed: %v", err))
 		return
 	}
-	_ = resp
+	// Capture sandbox metadata (envd/kernel/firecracker/agent versions).
+	sandboxMetadata := resp.Msg.Metadata
 
 	// Record sandbox/host association.
 	_ = s.DB.UpdateBuildSandbox(buildCtx, db.UpdateBuildSandboxParams{
@@ -303,6 +336,16 @@ func (s *BuildService) executeBuild(ctx context.Context, buildIDStr string) {
 		HostID:    host.ID,
 	})
 
+	// Upload and extract build archive if provided.
+	archive := s.takeArchive(buildIDStr)
+	if len(archive) > 0 {
+		if err := s.uploadAndExtractArchive(buildCtx, agent, sandboxIDStr, archive, buildIDStr); err != nil {
+			s.destroySandbox(buildCtx, agent, sandboxIDStr)
+			s.failBuild(buildCtx, buildID, fmt.Sprintf("archive upload failed: %v", err))
+			return
+		}
+	}
+
 	// Parse recipe steps. preBuildCmds and postBuildCmds are hardcoded and always
 	// valid; panic on error is appropriate here since it would be a programmer mistake.
 	preBuildSteps, err := recipe.ParseRecipe(preBuildCmds)
@@ -331,10 +374,18 @@ func (s *BuildService) executeBuild(ctx context.Context, buildIDStr string) {
 			"HOME": "/root",
 		}
 	}
-	bctx := &recipe.ExecContext{EnvVars: envVars}
+	bctx := &recipe.ExecContext{EnvVars: envVars, User: "root"}
+
+	// Per-step progress callback for live UI updates.
+	progressFn := func(currentStep int, allEntries []recipe.BuildLogEntry) {
+		s.updateLogs(buildCtx, buildID, currentStep, allEntries)
+	}
 
 	runPhase := func(phase string, steps []recipe.Step, defaultTimeout time.Duration) bool {
-		newEntries, nextStep, ok := recipe.Execute(buildCtx, phase, steps, sandboxIDStr, step, defaultTimeout, bctx, agent.Exec)
+		newEntries, nextStep, ok := recipe.Execute(buildCtx, phase, steps, sandboxIDStr, step, defaultTimeout, bctx, agent.Exec, func(currentStep int, phaseEntries []recipe.BuildLogEntry) {
+			// Progress callback: combine prior logs with current phase entries.
+			progressFn(currentStep, append(logs, phaseEntries...))
+		})
 		logs = append(logs, newEntries...)
 		step = nextStep
 		s.updateLogs(buildCtx, buildID, step, logs)
@@ -344,24 +395,40 @@ func (s *BuildService) executeBuild(ctx context.Context, buildIDStr string) {
 			if buildCtx.Err() != nil {
 				return false
 			}
-			last := newEntries[len(newEntries)-1]
-			reason := last.Stderr
-			if reason == "" {
-				reason = fmt.Sprintf("exit code %d", last.Exit)
+			reason := "unknown error"
+			if len(newEntries) > 0 {
+				last := newEntries[len(newEntries)-1]
+				reason = last.Stderr
+				if reason == "" {
+					reason = fmt.Sprintf("exit code %d", last.Exit)
+				}
 			}
 			s.failBuild(buildCtx, buildID, fmt.Sprintf("%s step %d failed: %s", phase, step, reason))
 		}
 		return ok
 	}
 
+	// Phase 1: Pre-build (as root) — creates wrenn-user, updates apt.
 	if !build.SkipPrePost {
 		if !runPhase("pre-build", preBuildSteps, 0) {
 			return
 		}
 	}
+
+	// Phase 2: User recipe — starts as wrenn-user (set by USER in pre-build)
+	// or root if skip_pre_post.
 	if !runPhase("recipe", userRecipeSteps, buildCommandTimeout) {
 		return
 	}
+
+	// Capture the final user and env vars as template defaults.
+	// Filter out user-specific and runtime vars that should be resolved at
+	// sandbox creation time, not baked in from the build environment.
+	templateDefaultUser := bctx.User
+	templateDefaultEnv := filterBuildEnv(bctx.EnvVars)
+
+	// Phase 3: Post-build (as root) — cleanup.
+	bctx.User = "root"
 	if !build.SkipPrePost {
 		if !runPhase("post-build", postBuildSteps, 0) {
 			return
@@ -378,7 +445,7 @@ func (s *BuildService) executeBuild(ctx context.Context, buildIDStr string) {
 			return
 		}
 		log.Info("running healthcheck", "cmd", hc.Cmd, "interval", hc.Interval, "timeout", hc.Timeout, "start_period", hc.StartPeriod, "retries", hc.Retries)
-		if err := s.waitForHealthcheck(buildCtx, agent, sandboxIDStr, hc); err != nil {
+		if err := s.waitForHealthcheck(buildCtx, agent, sandboxIDStr, hc, templateDefaultUser); err != nil {
 			s.destroySandbox(buildCtx, agent, sandboxIDStr)
 			if buildCtx.Err() != nil {
 				return
@@ -430,19 +497,42 @@ func (s *BuildService) executeBuild(ctx context.Context, buildIDStr string) {
 		templateType = "snapshot"
 	}
 
+	// Serialize env vars for DB storage.
+	defaultEnvJSON, err := json.Marshal(templateDefaultEnv)
+	if err != nil {
+		defaultEnvJSON = []byte("{}")
+	}
+
+	// Serialize sandbox metadata for DB storage.
+	metadataJSON, err := json.Marshal(sandboxMetadata)
+	if err != nil || len(sandboxMetadata) == 0 {
+		metadataJSON = []byte("{}")
+	}
+
 	if _, err := s.DB.InsertTemplate(buildCtx, db.InsertTemplateParams{
-		ID:        build.TemplateID,
-		Name:      build.Name,
-		Type:      templateType,
-		Vcpus:     build.Vcpus,
-		MemoryMb:  build.MemoryMb,
-		SizeBytes: sizeBytes,
-		TeamID:    id.PlatformTeamID,
+		ID:          build.TemplateID,
+		Name:        build.Name,
+		Type:        templateType,
+		Vcpus:       build.Vcpus,
+		MemoryMb:    build.MemoryMb,
+		SizeBytes:   sizeBytes,
+		TeamID:      id.PlatformTeamID,
+		DefaultUser: templateDefaultUser,
+		DefaultEnv:  defaultEnvJSON,
+		Metadata:    metadataJSON,
 	}); err != nil {
 		log.Error("failed to insert template record", "error", err)
 		// Build succeeded on disk, just DB record failed — don't mark as failed.
 	}
 
+	// Record defaults and metadata on the build record for inspection.
+	_ = s.DB.UpdateBuildDefaults(buildCtx, db.UpdateBuildDefaultsParams{
+		ID:          buildID,
+		DefaultUser: templateDefaultUser,
+		DefaultEnv:  defaultEnvJSON,
+		Metadata:    metadataJSON,
+	})
+
 	// For CreateSnapshot, the sandbox is already destroyed by the snapshot process.
 	// For FlattenRootfs, the sandbox is already destroyed by the flatten process.
 	// No additional destroy needed.
@@ -463,7 +553,14 @@ func (s *BuildService) executeBuild(ctx context.Context, buildIDStr string) {
 // During the start period, failures are not counted toward the retry budget.
 // Returns nil on the first successful check, or an error if retries are
 // exhausted, the deadline passes, or the context is cancelled.
-func (s *BuildService) waitForHealthcheck(ctx context.Context, agent buildAgentClient, sandboxIDStr string, hc recipe.HealthcheckConfig) error {
+func (s *BuildService) waitForHealthcheck(ctx context.Context, agent buildAgentClient, sandboxIDStr string, hc recipe.HealthcheckConfig, user string) error {
+	// Wrap the healthcheck command with su when a non-root user is set, so that
+	// ~ expands to the correct home directory and the process runs with the
+	// right UID (matching the template's default user).
+	cmd := hc.Cmd
+	if user != "" && user != "root" {
+		cmd = "su " + recipe.Shellescape(user) + " -s /bin/sh -c " + recipe.Shellescape(hc.Cmd)
+	}
 	ticker := time.NewTicker(hc.Interval)
 	defer ticker.Stop()
 
@@ -490,7 +587,7 @@ func (s *BuildService) waitForHealthcheck(ctx context.Context, agent buildAgentC
 			resp, err := agent.Exec(execCtx, connect.NewRequest(&pb.ExecRequest{
 				SandboxId:  sandboxIDStr,
 				Cmd:        "/bin/sh",
-				Args:       []string{"-c", hc.Cmd},
+				Args:       []string{"-c", cmd},
 				TimeoutSec: int32(hc.Timeout.Seconds()),
 			}))
 			cancel()
@@ -603,3 +700,87 @@ func parseSandboxEnv(raw string) map[string]string {
 
 	return envVars
 }
+
+// uploadAndExtractArchive writes the archive to the sandbox and extracts it
+// to /tmp/build-files/. Detects format from content (tar.gz, tar, zip).
+func (s *BuildService) uploadAndExtractArchive(
+	ctx context.Context,
+	agent buildAgentClient,
+	sandboxID string,
+	archive []byte,
+	buildID string,
+) error {
+	// Detect archive type from magic bytes.
+	var archivePath, extractCmd string
+	switch {
+	case len(archive) >= 2 && archive[0] == 0x1f && archive[1] == 0x8b:
+		// gzip (tar.gz)
+		archivePath = "/tmp/build-files.tar.gz"
+		extractCmd = "mkdir -p /tmp/build-files && tar xzf /tmp/build-files.tar.gz -C /tmp/build-files"
+	case len(archive) >= 4 && string(archive[:4]) == "PK\x03\x04":
+		// zip
+		archivePath = "/tmp/build-files.zip"
+		extractCmd = "mkdir -p /tmp/build-files && unzip -o /tmp/build-files.zip -d /tmp/build-files"
+	case len(archive) >= 262 && string(archive[257:262]) == "ustar":
+		// tar (ustar magic at offset 257)
+		archivePath = "/tmp/build-files.tar"
+		extractCmd = "mkdir -p /tmp/build-files && tar xf /tmp/build-files.tar -C /tmp/build-files"
+	default:
+		// Fallback: try tar.gz
+		archivePath = "/tmp/build-files.tar.gz"
+		extractCmd = "mkdir -p /tmp/build-files && tar xzf /tmp/build-files.tar.gz -C /tmp/build-files"
+	}
+
+	slog.Info("uploading build archive", "build_id", buildID, "path", archivePath, "size", len(archive))
+
+	// Write archive to VM.
+	if _, err := agent.WriteFile(ctx, connect.NewRequest(&pb.WriteFileRequest{
+		SandboxId: sandboxID,
+		Path:      archivePath,
+		Content:   archive,
+	})); err != nil {
+		return fmt.Errorf("write archive: %w", err)
+	}
+
+	// Extract and ensure files are readable.
+	fullCmd := extractCmd + " && chmod -R a+rX /tmp/build-files"
+
+	resp, err := agent.Exec(ctx, connect.NewRequest(&pb.ExecRequest{
+		SandboxId:  sandboxID,
+		Cmd:        "/bin/sh",
+		Args:       []string{"-c", fullCmd},
+		TimeoutSec: 120,
+	}))
+	if err != nil {
+		return fmt.Errorf("extract archive: %w", err)
+	}
+	if resp.Msg.ExitCode != 0 {
+		return fmt.Errorf("extract archive: exit code %d: %s", resp.Msg.ExitCode, string(resp.Msg.Stderr))
+	}
+
+	return nil
+}
+
+// runtimeEnvVars lists env vars that are user- or session-specific and should
+// not be persisted into template defaults. These are resolved at runtime by
+// envd based on the actual user and sandbox context.
+var runtimeEnvVars = map[string]bool{
+	"HOME": true, "USER": true, "LOGNAME": true, "SHELL": true,
+	"PWD": true, "OLDPWD": true, "HOSTNAME": true, "TERM": true,
+	"SHLVL": true, "_": true,
+	// Per-sandbox identifiers set by envd at boot via MMDS.
+	"WRENN_SANDBOX_ID": true, "WRENN_TEMPLATE_ID": true,
+}
+
+// filterBuildEnv returns a copy of envVars with runtime/user-specific
+// variables removed so they don't override envd's per-user resolution.
+func filterBuildEnv(envVars map[string]string) map[string]string {
+	filtered := make(map[string]string, len(envVars))
+	for k, v := range envVars {
+		if runtimeEnvVars[k] {
+			continue
+		}
+		filtered[k] = v
+	}
+	return filtered
+}
diff --git a/internal/service/host.go b/pkg/service/host.go
similarity index 99%
rename from internal/service/host.go
rename to pkg/service/host.go
index 1ddffca..9f5b5c8 100644
--- a/internal/service/host.go
+++ b/pkg/service/host.go
@@ -14,10 +14,10 @@ import (
 	"github.com/jackc/pgx/v5/pgtype"
 	"github.com/redis/go-redis/v9"
 
-	"git.omukk.dev/wrenn/wrenn/internal/auth"
-	"git.omukk.dev/wrenn/wrenn/internal/db"
-	"git.omukk.dev/wrenn/wrenn/internal/id"
-	"git.omukk.dev/wrenn/wrenn/internal/lifecycle"
+	"git.omukk.dev/wrenn/wrenn/pkg/auth"
+	"git.omukk.dev/wrenn/wrenn/pkg/db"
+	"git.omukk.dev/wrenn/wrenn/pkg/id"
+	"git.omukk.dev/wrenn/wrenn/pkg/lifecycle"
 	pb "git.omukk.dev/wrenn/wrenn/proto/hostagent/gen"
 )
 
diff --git a/internal/service/sandbox.go b/pkg/service/sandbox.go
similarity index 83%
rename from internal/service/sandbox.go
rename to pkg/service/sandbox.go
index 68c9bbf..d50520b 100644
--- a/internal/service/sandbox.go
+++ b/pkg/service/sandbox.go
@@ -2,6 +2,7 @@ package service
 
 import (
 	"context"
+	"encoding/json"
 	"fmt"
 	"log/slog"
 	"time"
@@ -9,11 +10,11 @@ import (
 	"connectrpc.com/connect"
 	"github.com/jackc/pgx/v5/pgtype"
 
-	"git.omukk.dev/wrenn/wrenn/internal/db"
-	"git.omukk.dev/wrenn/wrenn/internal/id"
-	"git.omukk.dev/wrenn/wrenn/internal/lifecycle"
-	"git.omukk.dev/wrenn/wrenn/internal/scheduler"
-	"git.omukk.dev/wrenn/wrenn/internal/validate"
+	"git.omukk.dev/wrenn/wrenn/pkg/db"
+	"git.omukk.dev/wrenn/wrenn/pkg/id"
+	"git.omukk.dev/wrenn/wrenn/pkg/lifecycle"
+	"git.omukk.dev/wrenn/wrenn/pkg/scheduler"
+	"git.omukk.dev/wrenn/wrenn/pkg/validate"
 	pb "git.omukk.dev/wrenn/wrenn/proto/hostagent/gen"
 )
 
@@ -85,6 +86,8 @@ func (s *SandboxService) Create(ctx context.Context, p SandboxCreateParams) (db.
 	// Resolve template name → (teamID, templateID).
 	templateTeamID := id.PlatformTeamID
 	templateID := id.MinimalTemplateID
+	var templateDefaultUser string
+	var templateDefaultEnv map[string]string
 	if p.Template != "minimal" {
 		tmpl, err := s.DB.GetTemplateByTeam(ctx, db.GetTemplateByTeamParams{Name: p.Template, TeamID: p.TeamID})
 		if err != nil {
@@ -92,6 +95,11 @@ func (s *SandboxService) Create(ctx context.Context, p SandboxCreateParams) (db.
 		}
 		templateTeamID = tmpl.TeamID
 		templateID = tmpl.ID
+		templateDefaultUser = tmpl.DefaultUser
+		// Parse default_env JSONB into a map.
+		if len(tmpl.DefaultEnv) > 0 {
+			_ = json.Unmarshal(tmpl.DefaultEnv, &templateDefaultEnv)
+		}
 		// If the template is a snapshot, use its baked-in vcpus/memory.
 		if tmpl.Type == "snapshot" {
 			p.VCPUs = tmpl.Vcpus
@@ -110,7 +118,7 @@ func (s *SandboxService) Create(ctx context.Context, p SandboxCreateParams) (db.
 	}
 
 	// Pick a host for this sandbox.
-	host, err := s.Scheduler.SelectHost(ctx, p.TeamID, team.IsByoc)
+	host, err := s.Scheduler.SelectHost(ctx, p.TeamID, team.IsByoc, p.MemoryMB, p.DiskSizeMB)
 	if err != nil {
 		return db.Sandbox{}, fmt.Errorf("select host: %w", err)
 	}
@@ -135,19 +143,22 @@ func (s *SandboxService) Create(ctx context.Context, p SandboxCreateParams) (db.
 		DiskSizeMb:     p.DiskSizeMB,
 		TemplateID:     templateID,
 		TemplateTeamID: templateTeamID,
+		Metadata:       []byte("{}"),
 	}); err != nil {
 		return db.Sandbox{}, fmt.Errorf("insert sandbox: %w", err)
 	}
 
 	resp, err := agent.CreateSandbox(ctx, connect.NewRequest(&pb.CreateSandboxRequest{
-		SandboxId:  sandboxIDStr,
-		Template:   p.Template,
-		TeamId:     id.UUIDString(templateTeamID),
-		TemplateId: id.UUIDString(templateID),
-		Vcpus:      p.VCPUs,
-		MemoryMb:   p.MemoryMB,
-		TimeoutSec: p.TimeoutSec,
-		DiskSizeMb: p.DiskSizeMB,
+		SandboxId:   sandboxIDStr,
+		Template:    p.Template,
+		TeamId:      id.UUIDString(templateTeamID),
+		TemplateId:  id.UUIDString(templateID),
+		Vcpus:       p.VCPUs,
+		MemoryMb:    p.MemoryMB,
+		TimeoutSec:  p.TimeoutSec,
+		DiskSizeMb:  p.DiskSizeMB,
+		DefaultUser: templateDefaultUser,
+		DefaultEnv:  templateDefaultEnv,
 	}))
 	if err != nil {
 		if _, dbErr := s.DB.UpdateSandboxStatus(ctx, db.UpdateSandboxStatusParams{
@@ -172,6 +183,18 @@ func (s *SandboxService) Create(ctx context.Context, p SandboxCreateParams) (db.
 		return db.Sandbox{}, fmt.Errorf("update sandbox running: %w", err)
 	}
 
+	// Store runtime metadata from the agent (envd/kernel/firecracker/agent versions).
+	if meta := resp.Msg.Metadata; len(meta) > 0 {
+		metaJSON, _ := json.Marshal(meta)
+		if err := s.DB.UpdateSandboxMetadata(ctx, db.UpdateSandboxMetadataParams{
+			ID:       sandboxID,
+			Metadata: metaJSON,
+		}); err != nil {
+			slog.Warn("failed to store sandbox metadata", "id", sandboxIDStr, "error", err)
+		}
+		sb.Metadata = metaJSON
+	}
+
 	return sb, nil
 }
 
@@ -249,9 +272,34 @@ func (s *SandboxService) Resume(ctx context.Context, sandboxID, teamID pgtype.UU
 
 	sandboxIDStr := id.FormatSandboxID(sandboxID)
 
+	// Look up template defaults for resume.
+	var resumeDefaultUser string
+	var resumeDefaultEnv map[string]string
+	if sb.TemplateID.Valid {
+		tmpl, err := s.DB.GetTemplate(ctx, sb.TemplateID)
+		if err == nil {
+			resumeDefaultUser = tmpl.DefaultUser
+			if len(tmpl.DefaultEnv) > 0 {
+				_ = json.Unmarshal(tmpl.DefaultEnv, &resumeDefaultEnv)
+			}
+		}
+	}
+
+	// Extract kernel version hint from existing sandbox metadata.
+	var kernelVersion string
+	if len(sb.Metadata) > 0 {
+		var meta map[string]string
+		if err := json.Unmarshal(sb.Metadata, &meta); err == nil {
+			kernelVersion = meta["kernel_version"]
+		}
+	}
+
 	resp, err := agent.ResumeSandbox(ctx, connect.NewRequest(&pb.ResumeSandboxRequest{
-		SandboxId:  sandboxIDStr,
-		TimeoutSec: sb.TimeoutSec,
+		SandboxId:     sandboxIDStr,
+		TimeoutSec:    sb.TimeoutSec,
+		DefaultUser:   resumeDefaultUser,
+		DefaultEnv:    resumeDefaultEnv,
+		KernelVersion: kernelVersion,
 	}))
 	if err != nil {
 		return db.Sandbox{}, fmt.Errorf("agent resume: %w", err)
@@ -270,6 +318,19 @@ func (s *SandboxService) Resume(ctx context.Context, sandboxID, teamID pgtype.UU
 	if err != nil {
 		return db.Sandbox{}, fmt.Errorf("update status: %w", err)
 	}
+
+	// Update metadata with actual versions used after resume.
+	if meta := resp.Msg.Metadata; len(meta) > 0 {
+		metaJSON, _ := json.Marshal(meta)
+		if err := s.DB.UpdateSandboxMetadata(ctx, db.UpdateSandboxMetadataParams{
+			ID:       sandboxID,
+			Metadata: metaJSON,
+		}); err != nil {
+			slog.Warn("failed to update sandbox metadata after resume", "id", sandboxIDStr, "error", err)
+		}
+		sb.Metadata = metaJSON
+	}
+
 	return sb, nil
 }
 
diff --git a/internal/service/stats.go b/pkg/service/stats.go
similarity index 99%
rename from internal/service/stats.go
rename to pkg/service/stats.go
index 88abde2..d756a74 100644
--- a/internal/service/stats.go
+++ b/pkg/service/stats.go
@@ -10,7 +10,7 @@ import (
 	"github.com/jackc/pgx/v5/pgtype"
 	"github.com/jackc/pgx/v5/pgxpool"
 
-	"git.omukk.dev/wrenn/wrenn/internal/db"
+	"git.omukk.dev/wrenn/wrenn/pkg/db"
 )
 
 // TimeRange identifies a chart time window.
diff --git a/internal/service/team.go b/pkg/service/team.go
similarity index 78%
rename from internal/service/team.go
rename to pkg/service/team.go
index f386338..0376406 100644
--- a/internal/service/team.go
+++ b/pkg/service/team.go
@@ -12,9 +12,9 @@ import (
 	"github.com/jackc/pgx/v5/pgtype"
 	"github.com/jackc/pgx/v5/pgxpool"
 
-	"git.omukk.dev/wrenn/wrenn/internal/db"
-	"git.omukk.dev/wrenn/wrenn/internal/id"
-	"git.omukk.dev/wrenn/wrenn/internal/lifecycle"
+	"git.omukk.dev/wrenn/wrenn/pkg/db"
+	"git.omukk.dev/wrenn/wrenn/pkg/id"
+	"git.omukk.dev/wrenn/wrenn/pkg/lifecycle"
 	pb "git.omukk.dev/wrenn/wrenn/proto/hostagent/gen"
 )
 
@@ -169,6 +169,12 @@ func (s *TeamService) DeleteTeam(ctx context.Context, teamID, callerUserID pgtyp
 		return fmt.Errorf("forbidden: only the owner can delete a team")
 	}
 
+	return s.deleteTeamCore(ctx, teamID)
+}
+
+// deleteTeamCore contains the shared team deletion logic:
+// destroy active sandboxes, clean up templates, soft-delete the team.
+func (s *TeamService) deleteTeamCore(ctx context.Context, teamID pgtype.UUID) error {
 	// Collect active sandboxes and stop them.
 	sandboxes, err := s.DB.ListActiveSandboxesByTeam(ctx, teamID)
 	if err != nil {
@@ -202,6 +208,24 @@ func (s *TeamService) DeleteTeam(ctx context.Context, teamID, callerUserID pgtyp
 		}
 	}
 
+	// Delete sandbox metrics for this team.
+	if err := s.DB.DeleteMetricPointsByTeam(ctx, teamID); err != nil {
+		slog.Warn("team delete: failed to delete metric points", "team_id", id.FormatTeamID(teamID), "error", err)
+	}
+	if err := s.DB.DeleteMetricsSnapshotsByTeam(ctx, teamID); err != nil {
+		slog.Warn("team delete: failed to delete metrics snapshots", "team_id", id.FormatTeamID(teamID), "error", err)
+	}
+
+	// Delete all API keys for this team.
+	if err := s.DB.DeleteAPIKeysByTeam(ctx, teamID); err != nil {
+		slog.Warn("team delete: failed to delete API keys", "team_id", id.FormatTeamID(teamID), "error", err)
+	}
+
+	// Delete all channels for this team.
+	if err := s.DB.DeleteAllChannelsByTeam(ctx, teamID); err != nil {
+		slog.Warn("team delete: failed to delete channels", "team_id", id.FormatTeamID(teamID), "error", err)
+	}
+
 	// Clean up team-owned templates from all hosts in the background.
 	go s.cleanupTeamTemplates(context.Background(), teamID)
 
@@ -441,3 +465,80 @@ func (s *TeamService) SetBYOC(ctx context.Context, teamID pgtype.UUID, enabled b
 	}
 	return nil
 }
+
+// AdminTeamRow is the shape returned by AdminListTeams.
+type AdminTeamRow struct {
+	ID                 pgtype.UUID
+	Name               string
+	Slug               string
+	IsByoc             bool
+	CreatedAt          time.Time
+	DeletedAt          *time.Time
+	MemberCount        int32
+	OwnerName          string
+	OwnerEmail         string
+	ActiveSandboxCount int32
+	ChannelCount       int32
+}
+
+// AdminListTeams returns a paginated list of all teams (excluding the platform
+// team) with member counts, owner info, and active sandbox counts.
+// Admin-only — caller must verify admin status.
+func (s *TeamService) AdminListTeams(ctx context.Context, limit, offset int32) ([]AdminTeamRow, int32, error) {
+	teams, err := s.DB.ListTeamsAdmin(ctx, db.ListTeamsAdminParams{
+		Limit:  limit,
+		Offset: offset,
+	})
+	if err != nil {
+		return nil, 0, fmt.Errorf("list teams: %w", err)
+	}
+
+	total, err := s.DB.CountTeamsAdmin(ctx)
+	if err != nil {
+		return nil, 0, fmt.Errorf("count teams: %w", err)
+	}
+
+	rows := make([]AdminTeamRow, len(teams))
+	for i, t := range teams {
+		row := AdminTeamRow{
+			ID:                 t.ID,
+			Name:               t.Name,
+			Slug:               t.Slug,
+			IsByoc:             t.IsByoc,
+			CreatedAt:          t.CreatedAt.Time,
+			MemberCount:        t.MemberCount,
+			OwnerName:          t.OwnerName,
+			OwnerEmail:         t.OwnerEmail,
+			ActiveSandboxCount: t.ActiveSandboxCount,
+			ChannelCount:       t.ChannelCount,
+		}
+		if t.DeletedAt.Valid {
+			deletedAt := t.DeletedAt.Time
+			row.DeletedAt = &deletedAt
+		}
+		rows[i] = row
+	}
+	return rows, total, nil
+}
+
+// DeleteTeamInternal soft-deletes a team and destroys all its active sandboxes.
+// Used for system-initiated deletions (e.g. cascading from user account deletion)
+// where no caller role check is needed.
+func (s *TeamService) DeleteTeamInternal(ctx context.Context, teamID pgtype.UUID) error {
+	return s.deleteTeamCore(ctx, teamID)
+}
+
+// AdminDeleteTeam soft-deletes a team and destroys all its active sandboxes.
+// Unlike DeleteTeam, this does not require the caller to be the team owner —
+// it is admin-only (caller must verify admin status).
+func (s *TeamService) AdminDeleteTeam(ctx context.Context, teamID pgtype.UUID) error {
+	team, err := s.DB.GetTeam(ctx, teamID)
+	if err != nil {
+		return fmt.Errorf("team not found: %w", err)
+	}
+	if team.DeletedAt.Valid {
+		return fmt.Errorf("team not found")
+	}
+
+	return s.deleteTeamCore(ctx, teamID)
+}
diff --git a/internal/service/template.go b/pkg/service/template.go
similarity index 94%
rename from internal/service/template.go
rename to pkg/service/template.go
index af18076..269af10 100644
--- a/internal/service/template.go
+++ b/pkg/service/template.go
@@ -5,7 +5,7 @@ import (
 
 	"github.com/jackc/pgx/v5/pgtype"
 
-	"git.omukk.dev/wrenn/wrenn/internal/db"
+	"git.omukk.dev/wrenn/wrenn/pkg/db"
 )
 
 // TemplateService provides template/snapshot operations shared between the
diff --git a/pkg/service/user.go b/pkg/service/user.go
new file mode 100644
index 0000000..f07b3f4
--- /dev/null
+++ b/pkg/service/user.go
@@ -0,0 +1,107 @@
+package service
+
+import (
+	"context"
+	"fmt"
+	"log/slog"
+	"time"
+
+	"github.com/jackc/pgx/v5/pgtype"
+
+	"git.omukk.dev/wrenn/wrenn/pkg/db"
+)
+
+// UserService provides user management operations.
+type UserService struct {
+	DB         *db.Queries
+	SandboxSvc *SandboxService
+}
+
+// AdminUserRow is the shape returned by AdminListUsers.
+type AdminUserRow struct {
+	ID          pgtype.UUID
+	Email       string
+	Name        string
+	IsAdmin     bool
+	Status      string
+	CreatedAt   time.Time
+	TeamsJoined int32
+	TeamsOwned  int32
+}
+
+// AdminListUsers returns a paginated list of all non-deleted users with team counts.
+func (s *UserService) AdminListUsers(ctx context.Context, limit, offset int32) ([]AdminUserRow, int32, error) {
+	users, err := s.DB.ListUsersAdmin(ctx, db.ListUsersAdminParams{
+		Limit:  limit,
+		Offset: offset,
+	})
+	if err != nil {
+		return nil, 0, fmt.Errorf("list users: %w", err)
+	}
+
+	total, err := s.DB.CountUsersAdmin(ctx)
+	if err != nil {
+		return nil, 0, fmt.Errorf("count users: %w", err)
+	}
+
+	rows := make([]AdminUserRow, len(users))
+	for i, u := range users {
+		rows[i] = AdminUserRow{
+			ID:          u.ID,
+			Email:       u.Email,
+			Name:        u.Name,
+			IsAdmin:     u.IsAdmin,
+			Status:      u.Status,
+			CreatedAt:   u.CreatedAt.Time,
+			TeamsJoined: u.TeamsJoined,
+			TeamsOwned:  u.TeamsOwned,
+		}
+	}
+	return rows, total, nil
+}
+
+// SetUserStatus sets the status of a user account.
+func (s *UserService) SetUserStatus(ctx context.Context, userID pgtype.UUID, status string) error {
+	if err := s.DB.SetUserStatus(ctx, db.SetUserStatusParams{
+		ID:     userID,
+		Status: status,
+	}); err != nil {
+		return fmt.Errorf("set user status: %w", err)
+	}
+	if status == "disabled" || status == "deleted" {
+		if err := s.DB.DeleteAPIKeysByCreator(ctx, userID); err != nil {
+			slog.Warn("failed to delete API keys for deactivated user", "user_id", userID, "error", err)
+		}
+		s.destroySandboxesForOwnedTeams(ctx, userID)
+	}
+	return nil
+}
+
+// destroySandboxesForOwnedTeams destroys all active sandboxes (running, paused,
+// hibernated, starting) for every team the user owns. Best-effort: errors are
+// logged but do not prevent the user from being disabled.
+func (s *UserService) destroySandboxesForOwnedTeams(ctx context.Context, userID pgtype.UUID) {
+	if s.SandboxSvc == nil {
+		return
+	}
+
+	teamIDs, err := s.DB.GetOwnedTeamIDs(ctx, userID)
+	if err != nil {
+		slog.Warn("failed to list owned teams for sandbox cleanup", "user_id", userID, "error", err)
+		return
+	}
+
+	for _, teamID := range teamIDs {
+		sandboxes, err := s.DB.ListActiveSandboxesByTeam(ctx, teamID)
+		if err != nil {
+			slog.Warn("failed to list active sandboxes for team", "team_id", teamID, "user_id", userID, "error", err)
+			continue
+		}
+		for _, sb := range sandboxes {
+			if err := s.SandboxSvc.Destroy(ctx, sb.ID, teamID); err != nil {
+				slog.Warn("failed to destroy sandbox during user disable",
+					"sandbox_id", sb.ID, "team_id", teamID, "user_id", userID, "error", err)
+			}
+		}
+	}
+}
diff --git a/internal/validate/name.go b/pkg/validate/name.go
similarity index 100%
rename from internal/validate/name.go
rename to pkg/validate/name.go
diff --git a/internal/validate/name_test.go b/pkg/validate/name_test.go
similarity index 100%
rename from internal/validate/name_test.go
rename to pkg/validate/name_test.go
diff --git a/proto/hostagent/gen/hostagent.pb.go b/proto/hostagent/gen/hostagent.pb.go
index b4ab783..96a0512 100644
--- a/proto/hostagent/gen/hostagent.pb.go
+++ b/proto/hostagent/gen/hostagent.pb.go
@@ -40,7 +40,11 @@ type CreateSandboxRequest struct {
 	// Team UUID that owns the template (hex string). All-zeros = platform.
 	TeamId string `protobuf:"bytes,7,opt,name=team_id,json=teamId,proto3" json:"team_id,omitempty"`
 	// Template UUID (hex string). Both zeros + team zeros = "minimal" sentinel.
-	TemplateId    string `protobuf:"bytes,8,opt,name=template_id,json=templateId,proto3" json:"template_id,omitempty"`
+	TemplateId string `protobuf:"bytes,8,opt,name=template_id,json=templateId,proto3" json:"template_id,omitempty"`
+	// Default unix user for the sandbox (set in envd via PostInit).
+	DefaultUser string `protobuf:"bytes,9,opt,name=default_user,json=defaultUser,proto3" json:"default_user,omitempty"`
+	// Default environment variables (set in envd via PostInit).
+	DefaultEnv    map[string]string `protobuf:"bytes,10,rep,name=default_env,json=defaultEnv,proto3" json:"default_env,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"bytes,2,opt,name=value"`
 	unknownFields protoimpl.UnknownFields
 	sizeCache     protoimpl.SizeCache
 }
@@ -131,11 +135,28 @@ func (x *CreateSandboxRequest) GetTemplateId() string {
 	return ""
 }
 
+func (x *CreateSandboxRequest) GetDefaultUser() string {
+	if x != nil {
+		return x.DefaultUser
+	}
+	return ""
+}
+
+func (x *CreateSandboxRequest) GetDefaultEnv() map[string]string {
+	if x != nil {
+		return x.DefaultEnv
+	}
+	return nil
+}
+
 type CreateSandboxResponse struct {
-	state         protoimpl.MessageState `protogen:"open.v1"`
-	SandboxId     string                 `protobuf:"bytes,1,opt,name=sandbox_id,json=sandboxId,proto3" json:"sandbox_id,omitempty"`
-	Status        string                 `protobuf:"bytes,2,opt,name=status,proto3" json:"status,omitempty"`
-	HostIp        string                 `protobuf:"bytes,3,opt,name=host_ip,json=hostIp,proto3" json:"host_ip,omitempty"`
+	state     protoimpl.MessageState `protogen:"open.v1"`
+	SandboxId string                 `protobuf:"bytes,1,opt,name=sandbox_id,json=sandboxId,proto3" json:"sandbox_id,omitempty"`
+	Status    string                 `protobuf:"bytes,2,opt,name=status,proto3" json:"status,omitempty"`
+	HostIp    string                 `protobuf:"bytes,3,opt,name=host_ip,json=hostIp,proto3" json:"host_ip,omitempty"`
+	// Runtime metadata collected during sandbox creation (e.g. envd_version,
+	// kernel_version, firecracker_version, agent_version).
+	Metadata      map[string]string `protobuf:"bytes,4,rep,name=metadata,proto3" json:"metadata,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"bytes,2,opt,name=value"`
 	unknownFields protoimpl.UnknownFields
 	sizeCache     protoimpl.SizeCache
 }
@@ -191,6 +212,13 @@ func (x *CreateSandboxResponse) GetHostIp() string {
 	return ""
 }
 
+func (x *CreateSandboxResponse) GetMetadata() map[string]string {
+	if x != nil {
+		return x.Metadata
+	}
+	return nil
+}
+
 type DestroySandboxRequest struct {
 	state         protoimpl.MessageState `protogen:"open.v1"`
 	SandboxId     string                 `protobuf:"bytes,1,opt,name=sandbox_id,json=sandboxId,proto3" json:"sandbox_id,omitempty"`
@@ -356,7 +384,14 @@ type ResumeSandboxRequest struct {
 	SandboxId string                 `protobuf:"bytes,1,opt,name=sandbox_id,json=sandboxId,proto3" json:"sandbox_id,omitempty"`
 	// TTL in seconds restored from the DB so the reaper can auto-pause
 	// the sandbox again after inactivity. 0 means no auto-pause.
-	TimeoutSec    int32 `protobuf:"varint,2,opt,name=timeout_sec,json=timeoutSec,proto3" json:"timeout_sec,omitempty"`
+	TimeoutSec int32 `protobuf:"varint,2,opt,name=timeout_sec,json=timeoutSec,proto3" json:"timeout_sec,omitempty"`
+	// Default unix user for the sandbox (set in envd via PostInit on resume).
+	DefaultUser string `protobuf:"bytes,3,opt,name=default_user,json=defaultUser,proto3" json:"default_user,omitempty"`
+	// Default environment variables (set in envd via PostInit on resume).
+	DefaultEnv map[string]string `protobuf:"bytes,4,rep,name=default_env,json=defaultEnv,proto3" json:"default_env,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"bytes,2,opt,name=value"`
+	// Kernel version hint from the DB — the agent tries to use the exact version,
+	// falling back to latest if not found on disk.
+	KernelVersion string `protobuf:"bytes,5,opt,name=kernel_version,json=kernelVersion,proto3" json:"kernel_version,omitempty"`
 	unknownFields protoimpl.UnknownFields
 	sizeCache     protoimpl.SizeCache
 }
@@ -405,11 +440,35 @@ func (x *ResumeSandboxRequest) GetTimeoutSec() int32 {
 	return 0
 }
 
+func (x *ResumeSandboxRequest) GetDefaultUser() string {
+	if x != nil {
+		return x.DefaultUser
+	}
+	return ""
+}
+
+func (x *ResumeSandboxRequest) GetDefaultEnv() map[string]string {
+	if x != nil {
+		return x.DefaultEnv
+	}
+	return nil
+}
+
+func (x *ResumeSandboxRequest) GetKernelVersion() string {
+	if x != nil {
+		return x.KernelVersion
+	}
+	return ""
+}
+
 type ResumeSandboxResponse struct {
-	state         protoimpl.MessageState `protogen:"open.v1"`
-	SandboxId     string                 `protobuf:"bytes,1,opt,name=sandbox_id,json=sandboxId,proto3" json:"sandbox_id,omitempty"`
-	Status        string                 `protobuf:"bytes,2,opt,name=status,proto3" json:"status,omitempty"`
-	HostIp        string                 `protobuf:"bytes,3,opt,name=host_ip,json=hostIp,proto3" json:"host_ip,omitempty"`
+	state     protoimpl.MessageState `protogen:"open.v1"`
+	SandboxId string                 `protobuf:"bytes,1,opt,name=sandbox_id,json=sandboxId,proto3" json:"sandbox_id,omitempty"`
+	Status    string                 `protobuf:"bytes,2,opt,name=status,proto3" json:"status,omitempty"`
+	HostIp    string                 `protobuf:"bytes,3,opt,name=host_ip,json=hostIp,proto3" json:"host_ip,omitempty"`
+	// Actual runtime metadata after resume (versions may differ from hint if
+	// the exact kernel was not available).
+	Metadata      map[string]string `protobuf:"bytes,4,rep,name=metadata,proto3" json:"metadata,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"bytes,2,opt,name=value"`
 	unknownFields protoimpl.UnknownFields
 	sizeCache     protoimpl.SizeCache
 }
@@ -465,6 +524,13 @@ func (x *ResumeSandboxResponse) GetHostIp() string {
 	return ""
 }
 
+func (x *ResumeSandboxResponse) GetMetadata() map[string]string {
+	if x != nil {
+		return x.Metadata
+	}
+	return nil
+}
+
 type CreateSnapshotRequest struct {
 	state     protoimpl.MessageState `protogen:"open.v1"`
 	SandboxId string                 `protobuf:"bytes,1,opt,name=sandbox_id,json=sandboxId,proto3" json:"sandbox_id,omitempty"`
@@ -920,8 +986,10 @@ type SandboxInfo struct {
 	TimeoutSec       int32  `protobuf:"varint,9,opt,name=timeout_sec,json=timeoutSec,proto3" json:"timeout_sec,omitempty"`
 	TeamId           string `protobuf:"bytes,10,opt,name=team_id,json=teamId,proto3" json:"team_id,omitempty"`
 	TemplateId       string `protobuf:"bytes,11,opt,name=template_id,json=templateId,proto3" json:"template_id,omitempty"`
-	unknownFields    protoimpl.UnknownFields
-	sizeCache        protoimpl.SizeCache
+	// Runtime metadata (envd_version, kernel_version, etc.).
+	Metadata      map[string]string `protobuf:"bytes,12,rep,name=metadata,proto3" json:"metadata,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"bytes,2,opt,name=value"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }
 
 func (x *SandboxInfo) Reset() {
@@ -1031,6 +1099,13 @@ func (x *SandboxInfo) GetTemplateId() string {
 	return ""
 }
 
+func (x *SandboxInfo) GetMetadata() map[string]string {
+	if x != nil {
+		return x.Metadata
+	}
+	return nil
+}
+
 type WriteFileRequest struct {
 	state         protoimpl.MessageState `protogen:"open.v1"`
 	SandboxId     string                 `protobuf:"bytes,1,opt,name=sandbox_id,json=sandboxId,proto3" json:"sandbox_id,omitempty"`
@@ -1833,6 +1908,413 @@ func (x *ReadFileStreamResponse) GetChunk() []byte {
 	return nil
 }
 
+type ListDirRequest struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	SandboxId     string                 `protobuf:"bytes,1,opt,name=sandbox_id,json=sandboxId,proto3" json:"sandbox_id,omitempty"`
+	Path          string                 `protobuf:"bytes,2,opt,name=path,proto3" json:"path,omitempty"`
+	Depth         uint32                 `protobuf:"varint,3,opt,name=depth,proto3" json:"depth,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *ListDirRequest) Reset() {
+	*x = ListDirRequest{}
+	mi := &file_hostagent_proto_msgTypes[31]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *ListDirRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*ListDirRequest) ProtoMessage() {}
+
+func (x *ListDirRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_hostagent_proto_msgTypes[31]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use ListDirRequest.ProtoReflect.Descriptor instead.
+func (*ListDirRequest) Descriptor() ([]byte, []int) {
+	return file_hostagent_proto_rawDescGZIP(), []int{31}
+}
+
+func (x *ListDirRequest) GetSandboxId() string {
+	if x != nil {
+		return x.SandboxId
+	}
+	return ""
+}
+
+func (x *ListDirRequest) GetPath() string {
+	if x != nil {
+		return x.Path
+	}
+	return ""
+}
+
+func (x *ListDirRequest) GetDepth() uint32 {
+	if x != nil {
+		return x.Depth
+	}
+	return 0
+}
+
+type ListDirResponse struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	Entries       []*FileEntry           `protobuf:"bytes,1,rep,name=entries,proto3" json:"entries,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *ListDirResponse) Reset() {
+	*x = ListDirResponse{}
+	mi := &file_hostagent_proto_msgTypes[32]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *ListDirResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*ListDirResponse) ProtoMessage() {}
+
+func (x *ListDirResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_hostagent_proto_msgTypes[32]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use ListDirResponse.ProtoReflect.Descriptor instead.
+func (*ListDirResponse) Descriptor() ([]byte, []int) {
+	return file_hostagent_proto_rawDescGZIP(), []int{32}
+}
+
+func (x *ListDirResponse) GetEntries() []*FileEntry {
+	if x != nil {
+		return x.Entries
+	}
+	return nil
+}
+
+type FileEntry struct {
+	state protoimpl.MessageState `protogen:"open.v1"`
+	Name  string                 `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
+	Path  string                 `protobuf:"bytes,2,opt,name=path,proto3" json:"path,omitempty"`
+	// "file", "directory", or "symlink".
+	Type string `protobuf:"bytes,3,opt,name=type,proto3" json:"type,omitempty"`
+	Size int64  `protobuf:"varint,4,opt,name=size,proto3" json:"size,omitempty"`
+	Mode uint32 `protobuf:"varint,5,opt,name=mode,proto3" json:"mode,omitempty"`
+	// Human-readable permissions string, e.g. "-rwxr-xr-x".
+	Permissions string `protobuf:"bytes,6,opt,name=permissions,proto3" json:"permissions,omitempty"`
+	Owner       string `protobuf:"bytes,7,opt,name=owner,proto3" json:"owner,omitempty"`
+	Group       string `protobuf:"bytes,8,opt,name=group,proto3" json:"group,omitempty"`
+	// Last modification time as Unix timestamp (seconds).
+	ModifiedAt    int64   `protobuf:"varint,9,opt,name=modified_at,json=modifiedAt,proto3" json:"modified_at,omitempty"`
+	SymlinkTarget *string `protobuf:"bytes,10,opt,name=symlink_target,json=symlinkTarget,proto3,oneof" json:"symlink_target,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *FileEntry) Reset() {
+	*x = FileEntry{}
+	mi := &file_hostagent_proto_msgTypes[33]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *FileEntry) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*FileEntry) ProtoMessage() {}
+
+func (x *FileEntry) ProtoReflect() protoreflect.Message {
+	mi := &file_hostagent_proto_msgTypes[33]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use FileEntry.ProtoReflect.Descriptor instead.
+func (*FileEntry) Descriptor() ([]byte, []int) {
+	return file_hostagent_proto_rawDescGZIP(), []int{33}
+}
+
+func (x *FileEntry) GetName() string {
+	if x != nil {
+		return x.Name
+	}
+	return ""
+}
+
+func (x *FileEntry) GetPath() string {
+	if x != nil {
+		return x.Path
+	}
+	return ""
+}
+
+func (x *FileEntry) GetType() string {
+	if x != nil {
+		return x.Type
+	}
+	return ""
+}
+
+func (x *FileEntry) GetSize() int64 {
+	if x != nil {
+		return x.Size
+	}
+	return 0
+}
+
+func (x *FileEntry) GetMode() uint32 {
+	if x != nil {
+		return x.Mode
+	}
+	return 0
+}
+
+func (x *FileEntry) GetPermissions() string {
+	if x != nil {
+		return x.Permissions
+	}
+	return ""
+}
+
+func (x *FileEntry) GetOwner() string {
+	if x != nil {
+		return x.Owner
+	}
+	return ""
+}
+
+func (x *FileEntry) GetGroup() string {
+	if x != nil {
+		return x.Group
+	}
+	return ""
+}
+
+func (x *FileEntry) GetModifiedAt() int64 {
+	if x != nil {
+		return x.ModifiedAt
+	}
+	return 0
+}
+
+func (x *FileEntry) GetSymlinkTarget() string {
+	if x != nil && x.SymlinkTarget != nil {
+		return *x.SymlinkTarget
+	}
+	return ""
+}
+
+type MakeDirRequest struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	SandboxId     string                 `protobuf:"bytes,1,opt,name=sandbox_id,json=sandboxId,proto3" json:"sandbox_id,omitempty"`
+	Path          string                 `protobuf:"bytes,2,opt,name=path,proto3" json:"path,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *MakeDirRequest) Reset() {
+	*x = MakeDirRequest{}
+	mi := &file_hostagent_proto_msgTypes[34]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *MakeDirRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*MakeDirRequest) ProtoMessage() {}
+
+func (x *MakeDirRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_hostagent_proto_msgTypes[34]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use MakeDirRequest.ProtoReflect.Descriptor instead.
+func (*MakeDirRequest) Descriptor() ([]byte, []int) {
+	return file_hostagent_proto_rawDescGZIP(), []int{34}
+}
+
+func (x *MakeDirRequest) GetSandboxId() string {
+	if x != nil {
+		return x.SandboxId
+	}
+	return ""
+}
+
+func (x *MakeDirRequest) GetPath() string {
+	if x != nil {
+		return x.Path
+	}
+	return ""
+}
+
+type MakeDirResponse struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	Entry         *FileEntry             `protobuf:"bytes,1,opt,name=entry,proto3" json:"entry,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *MakeDirResponse) Reset() {
+	*x = MakeDirResponse{}
+	mi := &file_hostagent_proto_msgTypes[35]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *MakeDirResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*MakeDirResponse) ProtoMessage() {}
+
+func (x *MakeDirResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_hostagent_proto_msgTypes[35]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use MakeDirResponse.ProtoReflect.Descriptor instead.
+func (*MakeDirResponse) Descriptor() ([]byte, []int) {
+	return file_hostagent_proto_rawDescGZIP(), []int{35}
+}
+
+func (x *MakeDirResponse) GetEntry() *FileEntry {
+	if x != nil {
+		return x.Entry
+	}
+	return nil
+}
+
+type RemovePathRequest struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	SandboxId     string                 `protobuf:"bytes,1,opt,name=sandbox_id,json=sandboxId,proto3" json:"sandbox_id,omitempty"`
+	Path          string                 `protobuf:"bytes,2,opt,name=path,proto3" json:"path,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *RemovePathRequest) Reset() {
+	*x = RemovePathRequest{}
+	mi := &file_hostagent_proto_msgTypes[36]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *RemovePathRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*RemovePathRequest) ProtoMessage() {}
+
+func (x *RemovePathRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_hostagent_proto_msgTypes[36]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use RemovePathRequest.ProtoReflect.Descriptor instead.
+func (*RemovePathRequest) Descriptor() ([]byte, []int) {
+	return file_hostagent_proto_rawDescGZIP(), []int{36}
+}
+
+func (x *RemovePathRequest) GetSandboxId() string {
+	if x != nil {
+		return x.SandboxId
+	}
+	return ""
+}
+
+func (x *RemovePathRequest) GetPath() string {
+	if x != nil {
+		return x.Path
+	}
+	return ""
+}
+
+type RemovePathResponse struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *RemovePathResponse) Reset() {
+	*x = RemovePathResponse{}
+	mi := &file_hostagent_proto_msgTypes[37]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *RemovePathResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*RemovePathResponse) ProtoMessage() {}
+
+func (x *RemovePathResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_hostagent_proto_msgTypes[37]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use RemovePathResponse.ProtoReflect.Descriptor instead.
+func (*RemovePathResponse) Descriptor() ([]byte, []int) {
+	return file_hostagent_proto_rawDescGZIP(), []int{37}
+}
+
 type PingSandboxRequest struct {
 	state         protoimpl.MessageState `protogen:"open.v1"`
 	SandboxId     string                 `protobuf:"bytes,1,opt,name=sandbox_id,json=sandboxId,proto3" json:"sandbox_id,omitempty"`
@@ -1842,7 +2324,7 @@ type PingSandboxRequest struct {
 
 func (x *PingSandboxRequest) Reset() {
 	*x = PingSandboxRequest{}
-	mi := &file_hostagent_proto_msgTypes[31]
+	mi := &file_hostagent_proto_msgTypes[38]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -1854,7 +2336,7 @@ func (x *PingSandboxRequest) String() string {
 func (*PingSandboxRequest) ProtoMessage() {}
 
 func (x *PingSandboxRequest) ProtoReflect() protoreflect.Message {
-	mi := &file_hostagent_proto_msgTypes[31]
+	mi := &file_hostagent_proto_msgTypes[38]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -1867,7 +2349,7 @@ func (x *PingSandboxRequest) ProtoReflect() protoreflect.Message {
 
 // Deprecated: Use PingSandboxRequest.ProtoReflect.Descriptor instead.
 func (*PingSandboxRequest) Descriptor() ([]byte, []int) {
-	return file_hostagent_proto_rawDescGZIP(), []int{31}
+	return file_hostagent_proto_rawDescGZIP(), []int{38}
 }
 
 func (x *PingSandboxRequest) GetSandboxId() string {
@@ -1885,7 +2367,7 @@ type PingSandboxResponse struct {
 
 func (x *PingSandboxResponse) Reset() {
 	*x = PingSandboxResponse{}
-	mi := &file_hostagent_proto_msgTypes[32]
+	mi := &file_hostagent_proto_msgTypes[39]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -1897,7 +2379,7 @@ func (x *PingSandboxResponse) String() string {
 func (*PingSandboxResponse) ProtoMessage() {}
 
 func (x *PingSandboxResponse) ProtoReflect() protoreflect.Message {
-	mi := &file_hostagent_proto_msgTypes[32]
+	mi := &file_hostagent_proto_msgTypes[39]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -1910,7 +2392,7 @@ func (x *PingSandboxResponse) ProtoReflect() protoreflect.Message {
 
 // Deprecated: Use PingSandboxResponse.ProtoReflect.Descriptor instead.
 func (*PingSandboxResponse) Descriptor() ([]byte, []int) {
-	return file_hostagent_proto_rawDescGZIP(), []int{32}
+	return file_hostagent_proto_rawDescGZIP(), []int{39}
 }
 
 type TerminateRequest struct {
@@ -1921,7 +2403,7 @@ type TerminateRequest struct {
 
 func (x *TerminateRequest) Reset() {
 	*x = TerminateRequest{}
-	mi := &file_hostagent_proto_msgTypes[33]
+	mi := &file_hostagent_proto_msgTypes[40]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -1933,7 +2415,7 @@ func (x *TerminateRequest) String() string {
 func (*TerminateRequest) ProtoMessage() {}
 
 func (x *TerminateRequest) ProtoReflect() protoreflect.Message {
-	mi := &file_hostagent_proto_msgTypes[33]
+	mi := &file_hostagent_proto_msgTypes[40]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -1946,7 +2428,7 @@ func (x *TerminateRequest) ProtoReflect() protoreflect.Message {
 
 // Deprecated: Use TerminateRequest.ProtoReflect.Descriptor instead.
 func (*TerminateRequest) Descriptor() ([]byte, []int) {
-	return file_hostagent_proto_rawDescGZIP(), []int{33}
+	return file_hostagent_proto_rawDescGZIP(), []int{40}
 }
 
 type TerminateResponse struct {
@@ -1957,7 +2439,7 @@ type TerminateResponse struct {
 
 func (x *TerminateResponse) Reset() {
 	*x = TerminateResponse{}
-	mi := &file_hostagent_proto_msgTypes[34]
+	mi := &file_hostagent_proto_msgTypes[41]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -1969,7 +2451,7 @@ func (x *TerminateResponse) String() string {
 func (*TerminateResponse) ProtoMessage() {}
 
 func (x *TerminateResponse) ProtoReflect() protoreflect.Message {
-	mi := &file_hostagent_proto_msgTypes[34]
+	mi := &file_hostagent_proto_msgTypes[41]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -1982,7 +2464,7 @@ func (x *TerminateResponse) ProtoReflect() protoreflect.Message {
 
 // Deprecated: Use TerminateResponse.ProtoReflect.Descriptor instead.
 func (*TerminateResponse) Descriptor() ([]byte, []int) {
-	return file_hostagent_proto_rawDescGZIP(), []int{34}
+	return file_hostagent_proto_rawDescGZIP(), []int{41}
 }
 
 type MetricPoint struct {
@@ -1997,7 +2479,7 @@ type MetricPoint struct {
 
 func (x *MetricPoint) Reset() {
 	*x = MetricPoint{}
-	mi := &file_hostagent_proto_msgTypes[35]
+	mi := &file_hostagent_proto_msgTypes[42]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -2009,7 +2491,7 @@ func (x *MetricPoint) String() string {
 func (*MetricPoint) ProtoMessage() {}
 
 func (x *MetricPoint) ProtoReflect() protoreflect.Message {
-	mi := &file_hostagent_proto_msgTypes[35]
+	mi := &file_hostagent_proto_msgTypes[42]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -2022,7 +2504,7 @@ func (x *MetricPoint) ProtoReflect() protoreflect.Message {
 
 // Deprecated: Use MetricPoint.ProtoReflect.Descriptor instead.
 func (*MetricPoint) Descriptor() ([]byte, []int) {
-	return file_hostagent_proto_rawDescGZIP(), []int{35}
+	return file_hostagent_proto_rawDescGZIP(), []int{42}
 }
 
 func (x *MetricPoint) GetTimestampUnix() int64 {
@@ -2064,7 +2546,7 @@ type GetSandboxMetricsRequest struct {
 
 func (x *GetSandboxMetricsRequest) Reset() {
 	*x = GetSandboxMetricsRequest{}
-	mi := &file_hostagent_proto_msgTypes[36]
+	mi := &file_hostagent_proto_msgTypes[43]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -2076,7 +2558,7 @@ func (x *GetSandboxMetricsRequest) String() string {
 func (*GetSandboxMetricsRequest) ProtoMessage() {}
 
 func (x *GetSandboxMetricsRequest) ProtoReflect() protoreflect.Message {
-	mi := &file_hostagent_proto_msgTypes[36]
+	mi := &file_hostagent_proto_msgTypes[43]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -2089,7 +2571,7 @@ func (x *GetSandboxMetricsRequest) ProtoReflect() protoreflect.Message {
 
 // Deprecated: Use GetSandboxMetricsRequest.ProtoReflect.Descriptor instead.
 func (*GetSandboxMetricsRequest) Descriptor() ([]byte, []int) {
-	return file_hostagent_proto_rawDescGZIP(), []int{36}
+	return file_hostagent_proto_rawDescGZIP(), []int{43}
 }
 
 func (x *GetSandboxMetricsRequest) GetSandboxId() string {
@@ -2115,7 +2597,7 @@ type GetSandboxMetricsResponse struct {
 
 func (x *GetSandboxMetricsResponse) Reset() {
 	*x = GetSandboxMetricsResponse{}
-	mi := &file_hostagent_proto_msgTypes[37]
+	mi := &file_hostagent_proto_msgTypes[44]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -2127,7 +2609,7 @@ func (x *GetSandboxMetricsResponse) String() string {
 func (*GetSandboxMetricsResponse) ProtoMessage() {}
 
 func (x *GetSandboxMetricsResponse) ProtoReflect() protoreflect.Message {
-	mi := &file_hostagent_proto_msgTypes[37]
+	mi := &file_hostagent_proto_msgTypes[44]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -2140,7 +2622,7 @@ func (x *GetSandboxMetricsResponse) ProtoReflect() protoreflect.Message {
 
 // Deprecated: Use GetSandboxMetricsResponse.ProtoReflect.Descriptor instead.
 func (*GetSandboxMetricsResponse) Descriptor() ([]byte, []int) {
-	return file_hostagent_proto_rawDescGZIP(), []int{37}
+	return file_hostagent_proto_rawDescGZIP(), []int{44}
 }
 
 func (x *GetSandboxMetricsResponse) GetPoints() []*MetricPoint {
@@ -2159,7 +2641,7 @@ type FlushSandboxMetricsRequest struct {
 
 func (x *FlushSandboxMetricsRequest) Reset() {
 	*x = FlushSandboxMetricsRequest{}
-	mi := &file_hostagent_proto_msgTypes[38]
+	mi := &file_hostagent_proto_msgTypes[45]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -2171,7 +2653,7 @@ func (x *FlushSandboxMetricsRequest) String() string {
 func (*FlushSandboxMetricsRequest) ProtoMessage() {}
 
 func (x *FlushSandboxMetricsRequest) ProtoReflect() protoreflect.Message {
-	mi := &file_hostagent_proto_msgTypes[38]
+	mi := &file_hostagent_proto_msgTypes[45]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -2184,7 +2666,7 @@ func (x *FlushSandboxMetricsRequest) ProtoReflect() protoreflect.Message {
 
 // Deprecated: Use FlushSandboxMetricsRequest.ProtoReflect.Descriptor instead.
 func (*FlushSandboxMetricsRequest) Descriptor() ([]byte, []int) {
-	return file_hostagent_proto_rawDescGZIP(), []int{38}
+	return file_hostagent_proto_rawDescGZIP(), []int{45}
 }
 
 func (x *FlushSandboxMetricsRequest) GetSandboxId() string {
@@ -2205,7 +2687,7 @@ type FlushSandboxMetricsResponse struct {
 
 func (x *FlushSandboxMetricsResponse) Reset() {
 	*x = FlushSandboxMetricsResponse{}
-	mi := &file_hostagent_proto_msgTypes[39]
+	mi := &file_hostagent_proto_msgTypes[46]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -2217,7 +2699,7 @@ func (x *FlushSandboxMetricsResponse) String() string {
 func (*FlushSandboxMetricsResponse) ProtoMessage() {}
 
 func (x *FlushSandboxMetricsResponse) ProtoReflect() protoreflect.Message {
-	mi := &file_hostagent_proto_msgTypes[39]
+	mi := &file_hostagent_proto_msgTypes[46]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -2230,7 +2712,7 @@ func (x *FlushSandboxMetricsResponse) ProtoReflect() protoreflect.Message {
 
 // Deprecated: Use FlushSandboxMetricsResponse.ProtoReflect.Descriptor instead.
 func (*FlushSandboxMetricsResponse) Descriptor() ([]byte, []int) {
-	return file_hostagent_proto_rawDescGZIP(), []int{39}
+	return file_hostagent_proto_rawDescGZIP(), []int{46}
 }
 
 func (x *FlushSandboxMetricsResponse) GetPoints_10M() []*MetricPoint {
@@ -2269,7 +2751,7 @@ type FlattenRootfsRequest struct {
 
 func (x *FlattenRootfsRequest) Reset() {
 	*x = FlattenRootfsRequest{}
-	mi := &file_hostagent_proto_msgTypes[40]
+	mi := &file_hostagent_proto_msgTypes[47]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -2281,7 +2763,7 @@ func (x *FlattenRootfsRequest) String() string {
 func (*FlattenRootfsRequest) ProtoMessage() {}
 
 func (x *FlattenRootfsRequest) ProtoReflect() protoreflect.Message {
-	mi := &file_hostagent_proto_msgTypes[40]
+	mi := &file_hostagent_proto_msgTypes[47]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -2294,7 +2776,7 @@ func (x *FlattenRootfsRequest) ProtoReflect() protoreflect.Message {
 
 // Deprecated: Use FlattenRootfsRequest.ProtoReflect.Descriptor instead.
 func (*FlattenRootfsRequest) Descriptor() ([]byte, []int) {
-	return file_hostagent_proto_rawDescGZIP(), []int{40}
+	return file_hostagent_proto_rawDescGZIP(), []int{47}
 }
 
 func (x *FlattenRootfsRequest) GetSandboxId() string {
@@ -2334,7 +2816,7 @@ type FlattenRootfsResponse struct {
 
 func (x *FlattenRootfsResponse) Reset() {
 	*x = FlattenRootfsResponse{}
-	mi := &file_hostagent_proto_msgTypes[41]
+	mi := &file_hostagent_proto_msgTypes[48]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -2346,7 +2828,7 @@ func (x *FlattenRootfsResponse) String() string {
 func (*FlattenRootfsResponse) ProtoMessage() {}
 
 func (x *FlattenRootfsResponse) ProtoReflect() protoreflect.Message {
-	mi := &file_hostagent_proto_msgTypes[41]
+	mi := &file_hostagent_proto_msgTypes[48]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -2359,7 +2841,7 @@ func (x *FlattenRootfsResponse) ProtoReflect() protoreflect.Message {
 
 // Deprecated: Use FlattenRootfsResponse.ProtoReflect.Descriptor instead.
 func (*FlattenRootfsResponse) Descriptor() ([]byte, []int) {
-	return file_hostagent_proto_rawDescGZIP(), []int{41}
+	return file_hostagent_proto_rawDescGZIP(), []int{48}
 }
 
 func (x *FlattenRootfsResponse) GetSizeBytes() int64 {
@@ -2369,11 +2851,1277 @@ func (x *FlattenRootfsResponse) GetSizeBytes() int64 {
 	return 0
 }
 
+type PtyAttachRequest struct {
+	state     protoimpl.MessageState `protogen:"open.v1"`
+	SandboxId string                 `protobuf:"bytes,1,opt,name=sandbox_id,json=sandboxId,proto3" json:"sandbox_id,omitempty"`
+	// Tag is the stable identifier for this PTY session (e.g. "pty-abc123de").
+	// Chosen by the caller and used to reconnect later.
+	Tag string `protobuf:"bytes,2,opt,name=tag,proto3" json:"tag,omitempty"`
+	// If cmd is non-empty, a new process is started. If empty, reconnects to
+	// the existing process identified by tag.
+	Cmd  string   `protobuf:"bytes,3,opt,name=cmd,proto3" json:"cmd,omitempty"`
+	Args []string `protobuf:"bytes,4,rep,name=args,proto3" json:"args,omitempty"`
+	Cols uint32   `protobuf:"varint,5,opt,name=cols,proto3" json:"cols,omitempty"`
+	Rows uint32   `protobuf:"varint,6,opt,name=rows,proto3" json:"rows,omitempty"`
+	// Environment variables for the process.
+	Envs map[string]string `protobuf:"bytes,7,rep,name=envs,proto3" json:"envs,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"bytes,2,opt,name=value"`
+	// Working directory. Empty means default.
+	Cwd string `protobuf:"bytes,8,opt,name=cwd,proto3" json:"cwd,omitempty"`
+	// User to run as. Empty means default (root).
+	User          string `protobuf:"bytes,9,opt,name=user,proto3" json:"user,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *PtyAttachRequest) Reset() {
+	*x = PtyAttachRequest{}
+	mi := &file_hostagent_proto_msgTypes[49]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *PtyAttachRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*PtyAttachRequest) ProtoMessage() {}
+
+func (x *PtyAttachRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_hostagent_proto_msgTypes[49]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use PtyAttachRequest.ProtoReflect.Descriptor instead.
+func (*PtyAttachRequest) Descriptor() ([]byte, []int) {
+	return file_hostagent_proto_rawDescGZIP(), []int{49}
+}
+
+func (x *PtyAttachRequest) GetSandboxId() string {
+	if x != nil {
+		return x.SandboxId
+	}
+	return ""
+}
+
+func (x *PtyAttachRequest) GetTag() string {
+	if x != nil {
+		return x.Tag
+	}
+	return ""
+}
+
+func (x *PtyAttachRequest) GetCmd() string {
+	if x != nil {
+		return x.Cmd
+	}
+	return ""
+}
+
+func (x *PtyAttachRequest) GetArgs() []string {
+	if x != nil {
+		return x.Args
+	}
+	return nil
+}
+
+func (x *PtyAttachRequest) GetCols() uint32 {
+	if x != nil {
+		return x.Cols
+	}
+	return 0
+}
+
+func (x *PtyAttachRequest) GetRows() uint32 {
+	if x != nil {
+		return x.Rows
+	}
+	return 0
+}
+
+func (x *PtyAttachRequest) GetEnvs() map[string]string {
+	if x != nil {
+		return x.Envs
+	}
+	return nil
+}
+
+func (x *PtyAttachRequest) GetCwd() string {
+	if x != nil {
+		return x.Cwd
+	}
+	return ""
+}
+
+func (x *PtyAttachRequest) GetUser() string {
+	if x != nil {
+		return x.User
+	}
+	return ""
+}
+
+type PtyAttachResponse struct {
+	state protoimpl.MessageState `protogen:"open.v1"`
+	// Types that are valid to be assigned to Event:
+	//
+	//	*PtyAttachResponse_Started
+	//	*PtyAttachResponse_Output
+	//	*PtyAttachResponse_Exited
+	Event         isPtyAttachResponse_Event `protobuf_oneof:"event"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *PtyAttachResponse) Reset() {
+	*x = PtyAttachResponse{}
+	mi := &file_hostagent_proto_msgTypes[50]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *PtyAttachResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*PtyAttachResponse) ProtoMessage() {}
+
+func (x *PtyAttachResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_hostagent_proto_msgTypes[50]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use PtyAttachResponse.ProtoReflect.Descriptor instead.
+func (*PtyAttachResponse) Descriptor() ([]byte, []int) {
+	return file_hostagent_proto_rawDescGZIP(), []int{50}
+}
+
+func (x *PtyAttachResponse) GetEvent() isPtyAttachResponse_Event {
+	if x != nil {
+		return x.Event
+	}
+	return nil
+}
+
+func (x *PtyAttachResponse) GetStarted() *PtyStarted {
+	if x != nil {
+		if x, ok := x.Event.(*PtyAttachResponse_Started); ok {
+			return x.Started
+		}
+	}
+	return nil
+}
+
+func (x *PtyAttachResponse) GetOutput() *PtyOutput {
+	if x != nil {
+		if x, ok := x.Event.(*PtyAttachResponse_Output); ok {
+			return x.Output
+		}
+	}
+	return nil
+}
+
+func (x *PtyAttachResponse) GetExited() *PtyExited {
+	if x != nil {
+		if x, ok := x.Event.(*PtyAttachResponse_Exited); ok {
+			return x.Exited
+		}
+	}
+	return nil
+}
+
+type isPtyAttachResponse_Event interface {
+	isPtyAttachResponse_Event()
+}
+
+type PtyAttachResponse_Started struct {
+	Started *PtyStarted `protobuf:"bytes,1,opt,name=started,proto3,oneof"`
+}
+
+type PtyAttachResponse_Output struct {
+	Output *PtyOutput `protobuf:"bytes,2,opt,name=output,proto3,oneof"`
+}
+
+type PtyAttachResponse_Exited struct {
+	Exited *PtyExited `protobuf:"bytes,3,opt,name=exited,proto3,oneof"`
+}
+
+func (*PtyAttachResponse_Started) isPtyAttachResponse_Event() {}
+
+func (*PtyAttachResponse_Output) isPtyAttachResponse_Event() {}
+
+func (*PtyAttachResponse_Exited) isPtyAttachResponse_Event() {}
+
+type PtyStarted struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	Pid           uint32                 `protobuf:"varint,1,opt,name=pid,proto3" json:"pid,omitempty"`
+	Tag           string                 `protobuf:"bytes,2,opt,name=tag,proto3" json:"tag,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *PtyStarted) Reset() {
+	*x = PtyStarted{}
+	mi := &file_hostagent_proto_msgTypes[51]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *PtyStarted) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*PtyStarted) ProtoMessage() {}
+
+func (x *PtyStarted) ProtoReflect() protoreflect.Message {
+	mi := &file_hostagent_proto_msgTypes[51]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use PtyStarted.ProtoReflect.Descriptor instead.
+func (*PtyStarted) Descriptor() ([]byte, []int) {
+	return file_hostagent_proto_rawDescGZIP(), []int{51}
+}
+
+func (x *PtyStarted) GetPid() uint32 {
+	if x != nil {
+		return x.Pid
+	}
+	return 0
+}
+
+func (x *PtyStarted) GetTag() string {
+	if x != nil {
+		return x.Tag
+	}
+	return ""
+}
+
+type PtyOutput struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	Data          []byte                 `protobuf:"bytes,1,opt,name=data,proto3" json:"data,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *PtyOutput) Reset() {
+	*x = PtyOutput{}
+	mi := &file_hostagent_proto_msgTypes[52]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *PtyOutput) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*PtyOutput) ProtoMessage() {}
+
+func (x *PtyOutput) ProtoReflect() protoreflect.Message {
+	mi := &file_hostagent_proto_msgTypes[52]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use PtyOutput.ProtoReflect.Descriptor instead.
+func (*PtyOutput) Descriptor() ([]byte, []int) {
+	return file_hostagent_proto_rawDescGZIP(), []int{52}
+}
+
+func (x *PtyOutput) GetData() []byte {
+	if x != nil {
+		return x.Data
+	}
+	return nil
+}
+
+type PtyExited struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	ExitCode      int32                  `protobuf:"varint,1,opt,name=exit_code,json=exitCode,proto3" json:"exit_code,omitempty"`
+	Error         string                 `protobuf:"bytes,2,opt,name=error,proto3" json:"error,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *PtyExited) Reset() {
+	*x = PtyExited{}
+	mi := &file_hostagent_proto_msgTypes[53]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *PtyExited) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*PtyExited) ProtoMessage() {}
+
+func (x *PtyExited) ProtoReflect() protoreflect.Message {
+	mi := &file_hostagent_proto_msgTypes[53]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use PtyExited.ProtoReflect.Descriptor instead.
+func (*PtyExited) Descriptor() ([]byte, []int) {
+	return file_hostagent_proto_rawDescGZIP(), []int{53}
+}
+
+func (x *PtyExited) GetExitCode() int32 {
+	if x != nil {
+		return x.ExitCode
+	}
+	return 0
+}
+
+func (x *PtyExited) GetError() string {
+	if x != nil {
+		return x.Error
+	}
+	return ""
+}
+
+type PtySendInputRequest struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	SandboxId     string                 `protobuf:"bytes,1,opt,name=sandbox_id,json=sandboxId,proto3" json:"sandbox_id,omitempty"`
+	Tag           string                 `protobuf:"bytes,2,opt,name=tag,proto3" json:"tag,omitempty"`
+	Data          []byte                 `protobuf:"bytes,3,opt,name=data,proto3" json:"data,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *PtySendInputRequest) Reset() {
+	*x = PtySendInputRequest{}
+	mi := &file_hostagent_proto_msgTypes[54]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *PtySendInputRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*PtySendInputRequest) ProtoMessage() {}
+
+func (x *PtySendInputRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_hostagent_proto_msgTypes[54]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use PtySendInputRequest.ProtoReflect.Descriptor instead.
+func (*PtySendInputRequest) Descriptor() ([]byte, []int) {
+	return file_hostagent_proto_rawDescGZIP(), []int{54}
+}
+
+func (x *PtySendInputRequest) GetSandboxId() string {
+	if x != nil {
+		return x.SandboxId
+	}
+	return ""
+}
+
+func (x *PtySendInputRequest) GetTag() string {
+	if x != nil {
+		return x.Tag
+	}
+	return ""
+}
+
+func (x *PtySendInputRequest) GetData() []byte {
+	if x != nil {
+		return x.Data
+	}
+	return nil
+}
+
+type PtySendInputResponse struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *PtySendInputResponse) Reset() {
+	*x = PtySendInputResponse{}
+	mi := &file_hostagent_proto_msgTypes[55]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *PtySendInputResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*PtySendInputResponse) ProtoMessage() {}
+
+func (x *PtySendInputResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_hostagent_proto_msgTypes[55]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use PtySendInputResponse.ProtoReflect.Descriptor instead.
+func (*PtySendInputResponse) Descriptor() ([]byte, []int) {
+	return file_hostagent_proto_rawDescGZIP(), []int{55}
+}
+
+type PtyResizeRequest struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	SandboxId     string                 `protobuf:"bytes,1,opt,name=sandbox_id,json=sandboxId,proto3" json:"sandbox_id,omitempty"`
+	Tag           string                 `protobuf:"bytes,2,opt,name=tag,proto3" json:"tag,omitempty"`
+	Cols          uint32                 `protobuf:"varint,3,opt,name=cols,proto3" json:"cols,omitempty"`
+	Rows          uint32                 `protobuf:"varint,4,opt,name=rows,proto3" json:"rows,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *PtyResizeRequest) Reset() {
+	*x = PtyResizeRequest{}
+	mi := &file_hostagent_proto_msgTypes[56]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *PtyResizeRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*PtyResizeRequest) ProtoMessage() {}
+
+func (x *PtyResizeRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_hostagent_proto_msgTypes[56]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use PtyResizeRequest.ProtoReflect.Descriptor instead.
+func (*PtyResizeRequest) Descriptor() ([]byte, []int) {
+	return file_hostagent_proto_rawDescGZIP(), []int{56}
+}
+
+func (x *PtyResizeRequest) GetSandboxId() string {
+	if x != nil {
+		return x.SandboxId
+	}
+	return ""
+}
+
+func (x *PtyResizeRequest) GetTag() string {
+	if x != nil {
+		return x.Tag
+	}
+	return ""
+}
+
+func (x *PtyResizeRequest) GetCols() uint32 {
+	if x != nil {
+		return x.Cols
+	}
+	return 0
+}
+
+func (x *PtyResizeRequest) GetRows() uint32 {
+	if x != nil {
+		return x.Rows
+	}
+	return 0
+}
+
+type PtyResizeResponse struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *PtyResizeResponse) Reset() {
+	*x = PtyResizeResponse{}
+	mi := &file_hostagent_proto_msgTypes[57]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *PtyResizeResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*PtyResizeResponse) ProtoMessage() {}
+
+func (x *PtyResizeResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_hostagent_proto_msgTypes[57]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use PtyResizeResponse.ProtoReflect.Descriptor instead.
+func (*PtyResizeResponse) Descriptor() ([]byte, []int) {
+	return file_hostagent_proto_rawDescGZIP(), []int{57}
+}
+
+type PtyKillRequest struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	SandboxId     string                 `protobuf:"bytes,1,opt,name=sandbox_id,json=sandboxId,proto3" json:"sandbox_id,omitempty"`
+	Tag           string                 `protobuf:"bytes,2,opt,name=tag,proto3" json:"tag,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *PtyKillRequest) Reset() {
+	*x = PtyKillRequest{}
+	mi := &file_hostagent_proto_msgTypes[58]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *PtyKillRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*PtyKillRequest) ProtoMessage() {}
+
+func (x *PtyKillRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_hostagent_proto_msgTypes[58]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use PtyKillRequest.ProtoReflect.Descriptor instead.
+func (*PtyKillRequest) Descriptor() ([]byte, []int) {
+	return file_hostagent_proto_rawDescGZIP(), []int{58}
+}
+
+func (x *PtyKillRequest) GetSandboxId() string {
+	if x != nil {
+		return x.SandboxId
+	}
+	return ""
+}
+
+func (x *PtyKillRequest) GetTag() string {
+	if x != nil {
+		return x.Tag
+	}
+	return ""
+}
+
+type PtyKillResponse struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *PtyKillResponse) Reset() {
+	*x = PtyKillResponse{}
+	mi := &file_hostagent_proto_msgTypes[59]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *PtyKillResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*PtyKillResponse) ProtoMessage() {}
+
+func (x *PtyKillResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_hostagent_proto_msgTypes[59]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use PtyKillResponse.ProtoReflect.Descriptor instead.
+func (*PtyKillResponse) Descriptor() ([]byte, []int) {
+	return file_hostagent_proto_rawDescGZIP(), []int{59}
+}
+
+type StartBackgroundRequest struct {
+	state     protoimpl.MessageState `protogen:"open.v1"`
+	SandboxId string                 `protobuf:"bytes,1,opt,name=sandbox_id,json=sandboxId,proto3" json:"sandbox_id,omitempty"`
+	Cmd       string                 `protobuf:"bytes,2,opt,name=cmd,proto3" json:"cmd,omitempty"`
+	Args      []string               `protobuf:"bytes,3,rep,name=args,proto3" json:"args,omitempty"`
+	// User-chosen tag for the process. If empty, the host agent generates one.
+	Tag           string            `protobuf:"bytes,4,opt,name=tag,proto3" json:"tag,omitempty"`
+	Envs          map[string]string `protobuf:"bytes,5,rep,name=envs,proto3" json:"envs,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"bytes,2,opt,name=value"`
+	Cwd           string            `protobuf:"bytes,6,opt,name=cwd,proto3" json:"cwd,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *StartBackgroundRequest) Reset() {
+	*x = StartBackgroundRequest{}
+	mi := &file_hostagent_proto_msgTypes[60]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *StartBackgroundRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*StartBackgroundRequest) ProtoMessage() {}
+
+func (x *StartBackgroundRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_hostagent_proto_msgTypes[60]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use StartBackgroundRequest.ProtoReflect.Descriptor instead.
+func (*StartBackgroundRequest) Descriptor() ([]byte, []int) {
+	return file_hostagent_proto_rawDescGZIP(), []int{60}
+}
+
+func (x *StartBackgroundRequest) GetSandboxId() string {
+	if x != nil {
+		return x.SandboxId
+	}
+	return ""
+}
+
+func (x *StartBackgroundRequest) GetCmd() string {
+	if x != nil {
+		return x.Cmd
+	}
+	return ""
+}
+
+func (x *StartBackgroundRequest) GetArgs() []string {
+	if x != nil {
+		return x.Args
+	}
+	return nil
+}
+
+func (x *StartBackgroundRequest) GetTag() string {
+	if x != nil {
+		return x.Tag
+	}
+	return ""
+}
+
+func (x *StartBackgroundRequest) GetEnvs() map[string]string {
+	if x != nil {
+		return x.Envs
+	}
+	return nil
+}
+
+func (x *StartBackgroundRequest) GetCwd() string {
+	if x != nil {
+		return x.Cwd
+	}
+	return ""
+}
+
+type StartBackgroundResponse struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	Pid           uint32                 `protobuf:"varint,1,opt,name=pid,proto3" json:"pid,omitempty"`
+	Tag           string                 `protobuf:"bytes,2,opt,name=tag,proto3" json:"tag,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *StartBackgroundResponse) Reset() {
+	*x = StartBackgroundResponse{}
+	mi := &file_hostagent_proto_msgTypes[61]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *StartBackgroundResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*StartBackgroundResponse) ProtoMessage() {}
+
+func (x *StartBackgroundResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_hostagent_proto_msgTypes[61]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use StartBackgroundResponse.ProtoReflect.Descriptor instead.
+func (*StartBackgroundResponse) Descriptor() ([]byte, []int) {
+	return file_hostagent_proto_rawDescGZIP(), []int{61}
+}
+
+func (x *StartBackgroundResponse) GetPid() uint32 {
+	if x != nil {
+		return x.Pid
+	}
+	return 0
+}
+
+func (x *StartBackgroundResponse) GetTag() string {
+	if x != nil {
+		return x.Tag
+	}
+	return ""
+}
+
+type ListProcessesRequest struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	SandboxId     string                 `protobuf:"bytes,1,opt,name=sandbox_id,json=sandboxId,proto3" json:"sandbox_id,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *ListProcessesRequest) Reset() {
+	*x = ListProcessesRequest{}
+	mi := &file_hostagent_proto_msgTypes[62]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *ListProcessesRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*ListProcessesRequest) ProtoMessage() {}
+
+func (x *ListProcessesRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_hostagent_proto_msgTypes[62]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use ListProcessesRequest.ProtoReflect.Descriptor instead.
+func (*ListProcessesRequest) Descriptor() ([]byte, []int) {
+	return file_hostagent_proto_rawDescGZIP(), []int{62}
+}
+
+func (x *ListProcessesRequest) GetSandboxId() string {
+	if x != nil {
+		return x.SandboxId
+	}
+	return ""
+}
+
+type ProcessEntry struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	Pid           uint32                 `protobuf:"varint,1,opt,name=pid,proto3" json:"pid,omitempty"`
+	Tag           string                 `protobuf:"bytes,2,opt,name=tag,proto3" json:"tag,omitempty"`
+	Cmd           string                 `protobuf:"bytes,3,opt,name=cmd,proto3" json:"cmd,omitempty"`
+	Args          []string               `protobuf:"bytes,4,rep,name=args,proto3" json:"args,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *ProcessEntry) Reset() {
+	*x = ProcessEntry{}
+	mi := &file_hostagent_proto_msgTypes[63]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *ProcessEntry) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*ProcessEntry) ProtoMessage() {}
+
+func (x *ProcessEntry) ProtoReflect() protoreflect.Message {
+	mi := &file_hostagent_proto_msgTypes[63]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use ProcessEntry.ProtoReflect.Descriptor instead.
+func (*ProcessEntry) Descriptor() ([]byte, []int) {
+	return file_hostagent_proto_rawDescGZIP(), []int{63}
+}
+
+func (x *ProcessEntry) GetPid() uint32 {
+	if x != nil {
+		return x.Pid
+	}
+	return 0
+}
+
+func (x *ProcessEntry) GetTag() string {
+	if x != nil {
+		return x.Tag
+	}
+	return ""
+}
+
+func (x *ProcessEntry) GetCmd() string {
+	if x != nil {
+		return x.Cmd
+	}
+	return ""
+}
+
+func (x *ProcessEntry) GetArgs() []string {
+	if x != nil {
+		return x.Args
+	}
+	return nil
+}
+
+type ListProcessesResponse struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	Processes     []*ProcessEntry        `protobuf:"bytes,1,rep,name=processes,proto3" json:"processes,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *ListProcessesResponse) Reset() {
+	*x = ListProcessesResponse{}
+	mi := &file_hostagent_proto_msgTypes[64]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *ListProcessesResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*ListProcessesResponse) ProtoMessage() {}
+
+func (x *ListProcessesResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_hostagent_proto_msgTypes[64]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use ListProcessesResponse.ProtoReflect.Descriptor instead.
+func (*ListProcessesResponse) Descriptor() ([]byte, []int) {
+	return file_hostagent_proto_rawDescGZIP(), []int{64}
+}
+
+func (x *ListProcessesResponse) GetProcesses() []*ProcessEntry {
+	if x != nil {
+		return x.Processes
+	}
+	return nil
+}
+
+type KillProcessRequest struct {
+	state     protoimpl.MessageState `protogen:"open.v1"`
+	SandboxId string                 `protobuf:"bytes,1,opt,name=sandbox_id,json=sandboxId,proto3" json:"sandbox_id,omitempty"`
+	// Types that are valid to be assigned to Selector:
+	//
+	//	*KillProcessRequest_Pid
+	//	*KillProcessRequest_Tag
+	Selector isKillProcessRequest_Selector `protobuf_oneof:"selector"`
+	// Signal to send: "SIGTERM" or "SIGKILL" (default: "SIGKILL").
+	Signal        string `protobuf:"bytes,4,opt,name=signal,proto3" json:"signal,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *KillProcessRequest) Reset() {
+	*x = KillProcessRequest{}
+	mi := &file_hostagent_proto_msgTypes[65]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *KillProcessRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*KillProcessRequest) ProtoMessage() {}
+
+func (x *KillProcessRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_hostagent_proto_msgTypes[65]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use KillProcessRequest.ProtoReflect.Descriptor instead.
+func (*KillProcessRequest) Descriptor() ([]byte, []int) {
+	return file_hostagent_proto_rawDescGZIP(), []int{65}
+}
+
+func (x *KillProcessRequest) GetSandboxId() string {
+	if x != nil {
+		return x.SandboxId
+	}
+	return ""
+}
+
+func (x *KillProcessRequest) GetSelector() isKillProcessRequest_Selector {
+	if x != nil {
+		return x.Selector
+	}
+	return nil
+}
+
+func (x *KillProcessRequest) GetPid() uint32 {
+	if x != nil {
+		if x, ok := x.Selector.(*KillProcessRequest_Pid); ok {
+			return x.Pid
+		}
+	}
+	return 0
+}
+
+func (x *KillProcessRequest) GetTag() string {
+	if x != nil {
+		if x, ok := x.Selector.(*KillProcessRequest_Tag); ok {
+			return x.Tag
+		}
+	}
+	return ""
+}
+
+func (x *KillProcessRequest) GetSignal() string {
+	if x != nil {
+		return x.Signal
+	}
+	return ""
+}
+
+type isKillProcessRequest_Selector interface {
+	isKillProcessRequest_Selector()
+}
+
+type KillProcessRequest_Pid struct {
+	Pid uint32 `protobuf:"varint,2,opt,name=pid,proto3,oneof"`
+}
+
+type KillProcessRequest_Tag struct {
+	Tag string `protobuf:"bytes,3,opt,name=tag,proto3,oneof"`
+}
+
+func (*KillProcessRequest_Pid) isKillProcessRequest_Selector() {}
+
+func (*KillProcessRequest_Tag) isKillProcessRequest_Selector() {}
+
+type KillProcessResponse struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *KillProcessResponse) Reset() {
+	*x = KillProcessResponse{}
+	mi := &file_hostagent_proto_msgTypes[66]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *KillProcessResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*KillProcessResponse) ProtoMessage() {}
+
+func (x *KillProcessResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_hostagent_proto_msgTypes[66]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use KillProcessResponse.ProtoReflect.Descriptor instead.
+func (*KillProcessResponse) Descriptor() ([]byte, []int) {
+	return file_hostagent_proto_rawDescGZIP(), []int{66}
+}
+
+type ConnectProcessRequest struct {
+	state     protoimpl.MessageState `protogen:"open.v1"`
+	SandboxId string                 `protobuf:"bytes,1,opt,name=sandbox_id,json=sandboxId,proto3" json:"sandbox_id,omitempty"`
+	// Types that are valid to be assigned to Selector:
+	//
+	//	*ConnectProcessRequest_Pid
+	//	*ConnectProcessRequest_Tag
+	Selector      isConnectProcessRequest_Selector `protobuf_oneof:"selector"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *ConnectProcessRequest) Reset() {
+	*x = ConnectProcessRequest{}
+	mi := &file_hostagent_proto_msgTypes[67]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *ConnectProcessRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*ConnectProcessRequest) ProtoMessage() {}
+
+func (x *ConnectProcessRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_hostagent_proto_msgTypes[67]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use ConnectProcessRequest.ProtoReflect.Descriptor instead.
+func (*ConnectProcessRequest) Descriptor() ([]byte, []int) {
+	return file_hostagent_proto_rawDescGZIP(), []int{67}
+}
+
+func (x *ConnectProcessRequest) GetSandboxId() string {
+	if x != nil {
+		return x.SandboxId
+	}
+	return ""
+}
+
+func (x *ConnectProcessRequest) GetSelector() isConnectProcessRequest_Selector {
+	if x != nil {
+		return x.Selector
+	}
+	return nil
+}
+
+func (x *ConnectProcessRequest) GetPid() uint32 {
+	if x != nil {
+		if x, ok := x.Selector.(*ConnectProcessRequest_Pid); ok {
+			return x.Pid
+		}
+	}
+	return 0
+}
+
+func (x *ConnectProcessRequest) GetTag() string {
+	if x != nil {
+		if x, ok := x.Selector.(*ConnectProcessRequest_Tag); ok {
+			return x.Tag
+		}
+	}
+	return ""
+}
+
+type isConnectProcessRequest_Selector interface {
+	isConnectProcessRequest_Selector()
+}
+
+type ConnectProcessRequest_Pid struct {
+	Pid uint32 `protobuf:"varint,2,opt,name=pid,proto3,oneof"`
+}
+
+type ConnectProcessRequest_Tag struct {
+	Tag string `protobuf:"bytes,3,opt,name=tag,proto3,oneof"`
+}
+
+func (*ConnectProcessRequest_Pid) isConnectProcessRequest_Selector() {}
+
+func (*ConnectProcessRequest_Tag) isConnectProcessRequest_Selector() {}
+
+// Reuses ExecStream event types for symmetry.
+type ConnectProcessResponse struct {
+	state protoimpl.MessageState `protogen:"open.v1"`
+	// Types that are valid to be assigned to Event:
+	//
+	//	*ConnectProcessResponse_Start
+	//	*ConnectProcessResponse_Data
+	//	*ConnectProcessResponse_End
+	Event         isConnectProcessResponse_Event `protobuf_oneof:"event"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *ConnectProcessResponse) Reset() {
+	*x = ConnectProcessResponse{}
+	mi := &file_hostagent_proto_msgTypes[68]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *ConnectProcessResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*ConnectProcessResponse) ProtoMessage() {}
+
+func (x *ConnectProcessResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_hostagent_proto_msgTypes[68]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use ConnectProcessResponse.ProtoReflect.Descriptor instead.
+func (*ConnectProcessResponse) Descriptor() ([]byte, []int) {
+	return file_hostagent_proto_rawDescGZIP(), []int{68}
+}
+
+func (x *ConnectProcessResponse) GetEvent() isConnectProcessResponse_Event {
+	if x != nil {
+		return x.Event
+	}
+	return nil
+}
+
+func (x *ConnectProcessResponse) GetStart() *ExecStreamStart {
+	if x != nil {
+		if x, ok := x.Event.(*ConnectProcessResponse_Start); ok {
+			return x.Start
+		}
+	}
+	return nil
+}
+
+func (x *ConnectProcessResponse) GetData() *ExecStreamData {
+	if x != nil {
+		if x, ok := x.Event.(*ConnectProcessResponse_Data); ok {
+			return x.Data
+		}
+	}
+	return nil
+}
+
+func (x *ConnectProcessResponse) GetEnd() *ExecStreamEnd {
+	if x != nil {
+		if x, ok := x.Event.(*ConnectProcessResponse_End); ok {
+			return x.End
+		}
+	}
+	return nil
+}
+
+type isConnectProcessResponse_Event interface {
+	isConnectProcessResponse_Event()
+}
+
+type ConnectProcessResponse_Start struct {
+	Start *ExecStreamStart `protobuf:"bytes,1,opt,name=start,proto3,oneof"`
+}
+
+type ConnectProcessResponse_Data struct {
+	Data *ExecStreamData `protobuf:"bytes,2,opt,name=data,proto3,oneof"`
+}
+
+type ConnectProcessResponse_End struct {
+	End *ExecStreamEnd `protobuf:"bytes,3,opt,name=end,proto3,oneof"`
+}
+
+func (*ConnectProcessResponse_Start) isConnectProcessResponse_Event() {}
+
+func (*ConnectProcessResponse_Data) isConnectProcessResponse_Event() {}
+
+func (*ConnectProcessResponse_End) isConnectProcessResponse_Event() {}
+
 var File_hostagent_proto protoreflect.FileDescriptor
 
 const file_hostagent_proto_rawDesc = "" +
 	"\n" +
-	"\x0fhostagent.proto\x12\fhostagent.v1\"\x81\x02\n" +
+	"\x0fhostagent.proto\x12\fhostagent.v1\"\xb8\x03\n" +
 	"\x14CreateSandboxRequest\x12\x1d\n" +
 	"\n" +
 	"sandbox_id\x18\x05 \x01(\tR\tsandboxId\x12\x1a\n" +
@@ -2386,12 +4134,23 @@ const file_hostagent_proto_rawDesc = "" +
 	"diskSizeMb\x12\x17\n" +
 	"\ateam_id\x18\a \x01(\tR\x06teamId\x12\x1f\n" +
 	"\vtemplate_id\x18\b \x01(\tR\n" +
-	"templateId\"g\n" +
+	"templateId\x12!\n" +
+	"\fdefault_user\x18\t \x01(\tR\vdefaultUser\x12S\n" +
+	"\vdefault_env\x18\n" +
+	" \x03(\v22.hostagent.v1.CreateSandboxRequest.DefaultEnvEntryR\n" +
+	"defaultEnv\x1a=\n" +
+	"\x0fDefaultEnvEntry\x12\x10\n" +
+	"\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" +
+	"\x05value\x18\x02 \x01(\tR\x05value:\x028\x01\"\xf3\x01\n" +
 	"\x15CreateSandboxResponse\x12\x1d\n" +
 	"\n" +
 	"sandbox_id\x18\x01 \x01(\tR\tsandboxId\x12\x16\n" +
 	"\x06status\x18\x02 \x01(\tR\x06status\x12\x17\n" +
-	"\ahost_ip\x18\x03 \x01(\tR\x06hostIp\"6\n" +
+	"\ahost_ip\x18\x03 \x01(\tR\x06hostIp\x12M\n" +
+	"\bmetadata\x18\x04 \x03(\v21.hostagent.v1.CreateSandboxResponse.MetadataEntryR\bmetadata\x1a;\n" +
+	"\rMetadataEntry\x12\x10\n" +
+	"\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" +
+	"\x05value\x18\x02 \x01(\tR\x05value:\x028\x01\"6\n" +
 	"\x15DestroySandboxRequest\x12\x1d\n" +
 	"\n" +
 	"sandbox_id\x18\x01 \x01(\tR\tsandboxId\"\x18\n" +
@@ -2399,17 +4158,28 @@ const file_hostagent_proto_rawDesc = "" +
 	"\x13PauseSandboxRequest\x12\x1d\n" +
 	"\n" +
 	"sandbox_id\x18\x01 \x01(\tR\tsandboxId\"\x16\n" +
-	"\x14PauseSandboxResponse\"V\n" +
+	"\x14PauseSandboxResponse\"\xb4\x02\n" +
 	"\x14ResumeSandboxRequest\x12\x1d\n" +
 	"\n" +
 	"sandbox_id\x18\x01 \x01(\tR\tsandboxId\x12\x1f\n" +
 	"\vtimeout_sec\x18\x02 \x01(\x05R\n" +
-	"timeoutSec\"g\n" +
+	"timeoutSec\x12!\n" +
+	"\fdefault_user\x18\x03 \x01(\tR\vdefaultUser\x12S\n" +
+	"\vdefault_env\x18\x04 \x03(\v22.hostagent.v1.ResumeSandboxRequest.DefaultEnvEntryR\n" +
+	"defaultEnv\x12%\n" +
+	"\x0ekernel_version\x18\x05 \x01(\tR\rkernelVersion\x1a=\n" +
+	"\x0fDefaultEnvEntry\x12\x10\n" +
+	"\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" +
+	"\x05value\x18\x02 \x01(\tR\x05value:\x028\x01\"\xf3\x01\n" +
 	"\x15ResumeSandboxResponse\x12\x1d\n" +
 	"\n" +
 	"sandbox_id\x18\x01 \x01(\tR\tsandboxId\x12\x16\n" +
 	"\x06status\x18\x02 \x01(\tR\x06status\x12\x17\n" +
-	"\ahost_ip\x18\x03 \x01(\tR\x06hostIp\"\x84\x01\n" +
+	"\ahost_ip\x18\x03 \x01(\tR\x06hostIp\x12M\n" +
+	"\bmetadata\x18\x04 \x03(\v21.hostagent.v1.ResumeSandboxResponse.MetadataEntryR\bmetadata\x1a;\n" +
+	"\rMetadataEntry\x12\x10\n" +
+	"\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" +
+	"\x05value\x18\x02 \x01(\tR\x05value:\x028\x01\"\x84\x01\n" +
 	"\x15CreateSnapshotRequest\x12\x1d\n" +
 	"\n" +
 	"sandbox_id\x18\x01 \x01(\tR\tsandboxId\x12\x12\n" +
@@ -2441,7 +4211,7 @@ const file_hostagent_proto_rawDesc = "" +
 	"\x14ListSandboxesRequest\"\x87\x01\n" +
 	"\x15ListSandboxesResponse\x127\n" +
 	"\tsandboxes\x18\x01 \x03(\v2\x19.hostagent.v1.SandboxInfoR\tsandboxes\x125\n" +
-	"\x17auto_paused_sandbox_ids\x18\x02 \x03(\tR\x14autoPausedSandboxIds\"\xde\x02\n" +
+	"\x17auto_paused_sandbox_ids\x18\x02 \x03(\tR\x14autoPausedSandboxIds\"\xe0\x03\n" +
 	"\vSandboxInfo\x12\x1d\n" +
 	"\n" +
 	"sandbox_id\x18\x01 \x01(\tR\tsandboxId\x12\x16\n" +
@@ -2457,7 +4227,11 @@ const file_hostagent_proto_rawDesc = "" +
 	"\ateam_id\x18\n" +
 	" \x01(\tR\x06teamId\x12\x1f\n" +
 	"\vtemplate_id\x18\v \x01(\tR\n" +
-	"templateId\"_\n" +
+	"templateId\x12C\n" +
+	"\bmetadata\x18\f \x03(\v2'.hostagent.v1.SandboxInfo.MetadataEntryR\bmetadata\x1a;\n" +
+	"\rMetadataEntry\x12\x10\n" +
+	"\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" +
+	"\x05value\x18\x02 \x01(\tR\x05value:\x028\x01\"_\n" +
 	"\x10WriteFileRequest\x12\x1d\n" +
 	"\n" +
 	"sandbox_id\x18\x01 \x01(\tR\tsandboxId\x12\x12\n" +
@@ -2505,7 +4279,39 @@ const file_hostagent_proto_rawDesc = "" +
 	"sandbox_id\x18\x01 \x01(\tR\tsandboxId\x12\x12\n" +
 	"\x04path\x18\x02 \x01(\tR\x04path\".\n" +
 	"\x16ReadFileStreamResponse\x12\x14\n" +
-	"\x05chunk\x18\x01 \x01(\fR\x05chunk\"3\n" +
+	"\x05chunk\x18\x01 \x01(\fR\x05chunk\"Y\n" +
+	"\x0eListDirRequest\x12\x1d\n" +
+	"\n" +
+	"sandbox_id\x18\x01 \x01(\tR\tsandboxId\x12\x12\n" +
+	"\x04path\x18\x02 \x01(\tR\x04path\x12\x14\n" +
+	"\x05depth\x18\x03 \x01(\rR\x05depth\"D\n" +
+	"\x0fListDirResponse\x121\n" +
+	"\aentries\x18\x01 \x03(\v2\x17.hostagent.v1.FileEntryR\aentries\"\x9d\x02\n" +
+	"\tFileEntry\x12\x12\n" +
+	"\x04name\x18\x01 \x01(\tR\x04name\x12\x12\n" +
+	"\x04path\x18\x02 \x01(\tR\x04path\x12\x12\n" +
+	"\x04type\x18\x03 \x01(\tR\x04type\x12\x12\n" +
+	"\x04size\x18\x04 \x01(\x03R\x04size\x12\x12\n" +
+	"\x04mode\x18\x05 \x01(\rR\x04mode\x12 \n" +
+	"\vpermissions\x18\x06 \x01(\tR\vpermissions\x12\x14\n" +
+	"\x05owner\x18\a \x01(\tR\x05owner\x12\x14\n" +
+	"\x05group\x18\b \x01(\tR\x05group\x12\x1f\n" +
+	"\vmodified_at\x18\t \x01(\x03R\n" +
+	"modifiedAt\x12*\n" +
+	"\x0esymlink_target\x18\n" +
+	" \x01(\tH\x00R\rsymlinkTarget\x88\x01\x01B\x11\n" +
+	"\x0f_symlink_target\"C\n" +
+	"\x0eMakeDirRequest\x12\x1d\n" +
+	"\n" +
+	"sandbox_id\x18\x01 \x01(\tR\tsandboxId\x12\x12\n" +
+	"\x04path\x18\x02 \x01(\tR\x04path\"@\n" +
+	"\x0fMakeDirResponse\x12-\n" +
+	"\x05entry\x18\x01 \x01(\v2\x17.hostagent.v1.FileEntryR\x05entry\"F\n" +
+	"\x11RemovePathRequest\x12\x1d\n" +
+	"\n" +
+	"sandbox_id\x18\x01 \x01(\tR\tsandboxId\x12\x12\n" +
+	"\x04path\x18\x02 \x01(\tR\x04path\"\x14\n" +
+	"\x12RemovePathResponse\"3\n" +
 	"\x12PingSandboxRequest\x12\x1d\n" +
 	"\n" +
 	"sandbox_id\x18\x01 \x01(\tR\tsandboxId\"\x15\n" +
@@ -2542,7 +4348,98 @@ const file_hostagent_proto_rawDesc = "" +
 	"templateId\"6\n" +
 	"\x15FlattenRootfsResponse\x12\x1d\n" +
 	"\n" +
-	"size_bytes\x18\x01 \x01(\x03R\tsizeBytes2\xc8\f\n" +
+	"size_bytes\x18\x01 \x01(\x03R\tsizeBytes\"\xae\x02\n" +
+	"\x10PtyAttachRequest\x12\x1d\n" +
+	"\n" +
+	"sandbox_id\x18\x01 \x01(\tR\tsandboxId\x12\x10\n" +
+	"\x03tag\x18\x02 \x01(\tR\x03tag\x12\x10\n" +
+	"\x03cmd\x18\x03 \x01(\tR\x03cmd\x12\x12\n" +
+	"\x04args\x18\x04 \x03(\tR\x04args\x12\x12\n" +
+	"\x04cols\x18\x05 \x01(\rR\x04cols\x12\x12\n" +
+	"\x04rows\x18\x06 \x01(\rR\x04rows\x12<\n" +
+	"\x04envs\x18\a \x03(\v2(.hostagent.v1.PtyAttachRequest.EnvsEntryR\x04envs\x12\x10\n" +
+	"\x03cwd\x18\b \x01(\tR\x03cwd\x12\x12\n" +
+	"\x04user\x18\t \x01(\tR\x04user\x1a7\n" +
+	"\tEnvsEntry\x12\x10\n" +
+	"\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" +
+	"\x05value\x18\x02 \x01(\tR\x05value:\x028\x01\"\xb8\x01\n" +
+	"\x11PtyAttachResponse\x124\n" +
+	"\astarted\x18\x01 \x01(\v2\x18.hostagent.v1.PtyStartedH\x00R\astarted\x121\n" +
+	"\x06output\x18\x02 \x01(\v2\x17.hostagent.v1.PtyOutputH\x00R\x06output\x121\n" +
+	"\x06exited\x18\x03 \x01(\v2\x17.hostagent.v1.PtyExitedH\x00R\x06exitedB\a\n" +
+	"\x05event\"0\n" +
+	"\n" +
+	"PtyStarted\x12\x10\n" +
+	"\x03pid\x18\x01 \x01(\rR\x03pid\x12\x10\n" +
+	"\x03tag\x18\x02 \x01(\tR\x03tag\"\x1f\n" +
+	"\tPtyOutput\x12\x12\n" +
+	"\x04data\x18\x01 \x01(\fR\x04data\">\n" +
+	"\tPtyExited\x12\x1b\n" +
+	"\texit_code\x18\x01 \x01(\x05R\bexitCode\x12\x14\n" +
+	"\x05error\x18\x02 \x01(\tR\x05error\"Z\n" +
+	"\x13PtySendInputRequest\x12\x1d\n" +
+	"\n" +
+	"sandbox_id\x18\x01 \x01(\tR\tsandboxId\x12\x10\n" +
+	"\x03tag\x18\x02 \x01(\tR\x03tag\x12\x12\n" +
+	"\x04data\x18\x03 \x01(\fR\x04data\"\x16\n" +
+	"\x14PtySendInputResponse\"k\n" +
+	"\x10PtyResizeRequest\x12\x1d\n" +
+	"\n" +
+	"sandbox_id\x18\x01 \x01(\tR\tsandboxId\x12\x10\n" +
+	"\x03tag\x18\x02 \x01(\tR\x03tag\x12\x12\n" +
+	"\x04cols\x18\x03 \x01(\rR\x04cols\x12\x12\n" +
+	"\x04rows\x18\x04 \x01(\rR\x04rows\"\x13\n" +
+	"\x11PtyResizeResponse\"A\n" +
+	"\x0ePtyKillRequest\x12\x1d\n" +
+	"\n" +
+	"sandbox_id\x18\x01 \x01(\tR\tsandboxId\x12\x10\n" +
+	"\x03tag\x18\x02 \x01(\tR\x03tag\"\x11\n" +
+	"\x0fPtyKillResponse\"\xfe\x01\n" +
+	"\x16StartBackgroundRequest\x12\x1d\n" +
+	"\n" +
+	"sandbox_id\x18\x01 \x01(\tR\tsandboxId\x12\x10\n" +
+	"\x03cmd\x18\x02 \x01(\tR\x03cmd\x12\x12\n" +
+	"\x04args\x18\x03 \x03(\tR\x04args\x12\x10\n" +
+	"\x03tag\x18\x04 \x01(\tR\x03tag\x12B\n" +
+	"\x04envs\x18\x05 \x03(\v2..hostagent.v1.StartBackgroundRequest.EnvsEntryR\x04envs\x12\x10\n" +
+	"\x03cwd\x18\x06 \x01(\tR\x03cwd\x1a7\n" +
+	"\tEnvsEntry\x12\x10\n" +
+	"\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" +
+	"\x05value\x18\x02 \x01(\tR\x05value:\x028\x01\"=\n" +
+	"\x17StartBackgroundResponse\x12\x10\n" +
+	"\x03pid\x18\x01 \x01(\rR\x03pid\x12\x10\n" +
+	"\x03tag\x18\x02 \x01(\tR\x03tag\"5\n" +
+	"\x14ListProcessesRequest\x12\x1d\n" +
+	"\n" +
+	"sandbox_id\x18\x01 \x01(\tR\tsandboxId\"X\n" +
+	"\fProcessEntry\x12\x10\n" +
+	"\x03pid\x18\x01 \x01(\rR\x03pid\x12\x10\n" +
+	"\x03tag\x18\x02 \x01(\tR\x03tag\x12\x10\n" +
+	"\x03cmd\x18\x03 \x01(\tR\x03cmd\x12\x12\n" +
+	"\x04args\x18\x04 \x03(\tR\x04args\"Q\n" +
+	"\x15ListProcessesResponse\x128\n" +
+	"\tprocesses\x18\x01 \x03(\v2\x1a.hostagent.v1.ProcessEntryR\tprocesses\"\x7f\n" +
+	"\x12KillProcessRequest\x12\x1d\n" +
+	"\n" +
+	"sandbox_id\x18\x01 \x01(\tR\tsandboxId\x12\x12\n" +
+	"\x03pid\x18\x02 \x01(\rH\x00R\x03pid\x12\x12\n" +
+	"\x03tag\x18\x03 \x01(\tH\x00R\x03tag\x12\x16\n" +
+	"\x06signal\x18\x04 \x01(\tR\x06signalB\n" +
+	"\n" +
+	"\bselector\"\x15\n" +
+	"\x13KillProcessResponse\"j\n" +
+	"\x15ConnectProcessRequest\x12\x1d\n" +
+	"\n" +
+	"sandbox_id\x18\x01 \x01(\tR\tsandboxId\x12\x12\n" +
+	"\x03pid\x18\x02 \x01(\rH\x00R\x03pid\x12\x12\n" +
+	"\x03tag\x18\x03 \x01(\tH\x00R\x03tagB\n" +
+	"\n" +
+	"\bselector\"\xbd\x01\n" +
+	"\x16ConnectProcessResponse\x125\n" +
+	"\x05start\x18\x01 \x01(\v2\x1d.hostagent.v1.ExecStreamStartH\x00R\x05start\x122\n" +
+	"\x04data\x18\x02 \x01(\v2\x1c.hostagent.v1.ExecStreamDataH\x00R\x04data\x12/\n" +
+	"\x03end\x18\x03 \x01(\v2\x1b.hostagent.v1.ExecStreamEndH\x00R\x03endB\a\n" +
+	"\x05event2\xd3\x13\n" +
 	"\x10HostAgentService\x12X\n" +
 	"\rCreateSandbox\x12\".hostagent.v1.CreateSandboxRequest\x1a#.hostagent.v1.CreateSandboxResponse\x12[\n" +
 	"\x0eDestroySandbox\x12#.hostagent.v1.DestroySandboxRequest\x1a$.hostagent.v1.DestroySandboxResponse\x12U\n" +
@@ -2551,7 +4448,11 @@ const file_hostagent_proto_rawDesc = "" +
 	"\x04Exec\x12\x19.hostagent.v1.ExecRequest\x1a\x1a.hostagent.v1.ExecResponse\x12X\n" +
 	"\rListSandboxes\x12\".hostagent.v1.ListSandboxesRequest\x1a#.hostagent.v1.ListSandboxesResponse\x12L\n" +
 	"\tWriteFile\x12\x1e.hostagent.v1.WriteFileRequest\x1a\x1f.hostagent.v1.WriteFileResponse\x12I\n" +
-	"\bReadFile\x12\x1d.hostagent.v1.ReadFileRequest\x1a\x1e.hostagent.v1.ReadFileResponse\x12[\n" +
+	"\bReadFile\x12\x1d.hostagent.v1.ReadFileRequest\x1a\x1e.hostagent.v1.ReadFileResponse\x12F\n" +
+	"\aListDir\x12\x1c.hostagent.v1.ListDirRequest\x1a\x1d.hostagent.v1.ListDirResponse\x12F\n" +
+	"\aMakeDir\x12\x1c.hostagent.v1.MakeDirRequest\x1a\x1d.hostagent.v1.MakeDirResponse\x12O\n" +
+	"\n" +
+	"RemovePath\x12\x1f.hostagent.v1.RemovePathRequest\x1a .hostagent.v1.RemovePathResponse\x12[\n" +
 	"\x0eCreateSnapshot\x12#.hostagent.v1.CreateSnapshotRequest\x1a$.hostagent.v1.CreateSnapshotResponse\x12[\n" +
 	"\x0eDeleteSnapshot\x12#.hostagent.v1.DeleteSnapshotRequest\x1a$.hostagent.v1.DeleteSnapshotResponse\x12Q\n" +
 	"\n" +
@@ -2562,7 +4463,15 @@ const file_hostagent_proto_rawDesc = "" +
 	"\tTerminate\x12\x1e.hostagent.v1.TerminateRequest\x1a\x1f.hostagent.v1.TerminateResponse\x12d\n" +
 	"\x11GetSandboxMetrics\x12&.hostagent.v1.GetSandboxMetricsRequest\x1a'.hostagent.v1.GetSandboxMetricsResponse\x12j\n" +
 	"\x13FlushSandboxMetrics\x12(.hostagent.v1.FlushSandboxMetricsRequest\x1a).hostagent.v1.FlushSandboxMetricsResponse\x12X\n" +
-	"\rFlattenRootfs\x12\".hostagent.v1.FlattenRootfsRequest\x1a#.hostagent.v1.FlattenRootfsResponseB\xae\x01\n" +
+	"\rFlattenRootfs\x12\".hostagent.v1.FlattenRootfsRequest\x1a#.hostagent.v1.FlattenRootfsResponse\x12N\n" +
+	"\tPtyAttach\x12\x1e.hostagent.v1.PtyAttachRequest\x1a\x1f.hostagent.v1.PtyAttachResponse0\x01\x12U\n" +
+	"\fPtySendInput\x12!.hostagent.v1.PtySendInputRequest\x1a\".hostagent.v1.PtySendInputResponse\x12L\n" +
+	"\tPtyResize\x12\x1e.hostagent.v1.PtyResizeRequest\x1a\x1f.hostagent.v1.PtyResizeResponse\x12F\n" +
+	"\aPtyKill\x12\x1c.hostagent.v1.PtyKillRequest\x1a\x1d.hostagent.v1.PtyKillResponse\x12^\n" +
+	"\x0fStartBackground\x12$.hostagent.v1.StartBackgroundRequest\x1a%.hostagent.v1.StartBackgroundResponse\x12X\n" +
+	"\rListProcesses\x12\".hostagent.v1.ListProcessesRequest\x1a#.hostagent.v1.ListProcessesResponse\x12R\n" +
+	"\vKillProcess\x12 .hostagent.v1.KillProcessRequest\x1a!.hostagent.v1.KillProcessResponse\x12]\n" +
+	"\x0eConnectProcess\x12#.hostagent.v1.ConnectProcessRequest\x1a$.hostagent.v1.ConnectProcessResponse0\x01B\xae\x01\n" +
 	"\x10com.hostagent.v1B\x0eHostagentProtoP\x01Z9git.omukk.dev/wrenn/wrenn/proto/hostagent/gen;hostagentv1\xa2\x02\x03HXX\xaa\x02\fHostagent.V1\xca\x02\fHostagent\\V1\xe2\x02\x18Hostagent\\V1\\GPBMetadata\xea\x02\rHostagent::V1b\x06proto3"
 
 var (
@@ -2577,7 +4486,7 @@ func file_hostagent_proto_rawDescGZIP() []byte {
 	return file_hostagent_proto_rawDescData
 }
 
-var file_hostagent_proto_msgTypes = make([]protoimpl.MessageInfo, 42)
+var file_hostagent_proto_msgTypes = make([]protoimpl.MessageInfo, 76)
 var file_hostagent_proto_goTypes = []any{
 	(*CreateSandboxRequest)(nil),        // 0: hostagent.v1.CreateSandboxRequest
 	(*CreateSandboxResponse)(nil),       // 1: hostagent.v1.CreateSandboxResponse
@@ -2610,69 +4519,141 @@ var file_hostagent_proto_goTypes = []any{
 	(*WriteFileStreamResponse)(nil),     // 28: hostagent.v1.WriteFileStreamResponse
 	(*ReadFileStreamRequest)(nil),       // 29: hostagent.v1.ReadFileStreamRequest
 	(*ReadFileStreamResponse)(nil),      // 30: hostagent.v1.ReadFileStreamResponse
-	(*PingSandboxRequest)(nil),          // 31: hostagent.v1.PingSandboxRequest
-	(*PingSandboxResponse)(nil),         // 32: hostagent.v1.PingSandboxResponse
-	(*TerminateRequest)(nil),            // 33: hostagent.v1.TerminateRequest
-	(*TerminateResponse)(nil),           // 34: hostagent.v1.TerminateResponse
-	(*MetricPoint)(nil),                 // 35: hostagent.v1.MetricPoint
-	(*GetSandboxMetricsRequest)(nil),    // 36: hostagent.v1.GetSandboxMetricsRequest
-	(*GetSandboxMetricsResponse)(nil),   // 37: hostagent.v1.GetSandboxMetricsResponse
-	(*FlushSandboxMetricsRequest)(nil),  // 38: hostagent.v1.FlushSandboxMetricsRequest
-	(*FlushSandboxMetricsResponse)(nil), // 39: hostagent.v1.FlushSandboxMetricsResponse
-	(*FlattenRootfsRequest)(nil),        // 40: hostagent.v1.FlattenRootfsRequest
-	(*FlattenRootfsResponse)(nil),       // 41: hostagent.v1.FlattenRootfsResponse
+	(*ListDirRequest)(nil),              // 31: hostagent.v1.ListDirRequest
+	(*ListDirResponse)(nil),             // 32: hostagent.v1.ListDirResponse
+	(*FileEntry)(nil),                   // 33: hostagent.v1.FileEntry
+	(*MakeDirRequest)(nil),              // 34: hostagent.v1.MakeDirRequest
+	(*MakeDirResponse)(nil),             // 35: hostagent.v1.MakeDirResponse
+	(*RemovePathRequest)(nil),           // 36: hostagent.v1.RemovePathRequest
+	(*RemovePathResponse)(nil),          // 37: hostagent.v1.RemovePathResponse
+	(*PingSandboxRequest)(nil),          // 38: hostagent.v1.PingSandboxRequest
+	(*PingSandboxResponse)(nil),         // 39: hostagent.v1.PingSandboxResponse
+	(*TerminateRequest)(nil),            // 40: hostagent.v1.TerminateRequest
+	(*TerminateResponse)(nil),           // 41: hostagent.v1.TerminateResponse
+	(*MetricPoint)(nil),                 // 42: hostagent.v1.MetricPoint
+	(*GetSandboxMetricsRequest)(nil),    // 43: hostagent.v1.GetSandboxMetricsRequest
+	(*GetSandboxMetricsResponse)(nil),   // 44: hostagent.v1.GetSandboxMetricsResponse
+	(*FlushSandboxMetricsRequest)(nil),  // 45: hostagent.v1.FlushSandboxMetricsRequest
+	(*FlushSandboxMetricsResponse)(nil), // 46: hostagent.v1.FlushSandboxMetricsResponse
+	(*FlattenRootfsRequest)(nil),        // 47: hostagent.v1.FlattenRootfsRequest
+	(*FlattenRootfsResponse)(nil),       // 48: hostagent.v1.FlattenRootfsResponse
+	(*PtyAttachRequest)(nil),            // 49: hostagent.v1.PtyAttachRequest
+	(*PtyAttachResponse)(nil),           // 50: hostagent.v1.PtyAttachResponse
+	(*PtyStarted)(nil),                  // 51: hostagent.v1.PtyStarted
+	(*PtyOutput)(nil),                   // 52: hostagent.v1.PtyOutput
+	(*PtyExited)(nil),                   // 53: hostagent.v1.PtyExited
+	(*PtySendInputRequest)(nil),         // 54: hostagent.v1.PtySendInputRequest
+	(*PtySendInputResponse)(nil),        // 55: hostagent.v1.PtySendInputResponse
+	(*PtyResizeRequest)(nil),            // 56: hostagent.v1.PtyResizeRequest
+	(*PtyResizeResponse)(nil),           // 57: hostagent.v1.PtyResizeResponse
+	(*PtyKillRequest)(nil),              // 58: hostagent.v1.PtyKillRequest
+	(*PtyKillResponse)(nil),             // 59: hostagent.v1.PtyKillResponse
+	(*StartBackgroundRequest)(nil),      // 60: hostagent.v1.StartBackgroundRequest
+	(*StartBackgroundResponse)(nil),     // 61: hostagent.v1.StartBackgroundResponse
+	(*ListProcessesRequest)(nil),        // 62: hostagent.v1.ListProcessesRequest
+	(*ProcessEntry)(nil),                // 63: hostagent.v1.ProcessEntry
+	(*ListProcessesResponse)(nil),       // 64: hostagent.v1.ListProcessesResponse
+	(*KillProcessRequest)(nil),          // 65: hostagent.v1.KillProcessRequest
+	(*KillProcessResponse)(nil),         // 66: hostagent.v1.KillProcessResponse
+	(*ConnectProcessRequest)(nil),       // 67: hostagent.v1.ConnectProcessRequest
+	(*ConnectProcessResponse)(nil),      // 68: hostagent.v1.ConnectProcessResponse
+	nil,                                 // 69: hostagent.v1.CreateSandboxRequest.DefaultEnvEntry
+	nil,                                 // 70: hostagent.v1.CreateSandboxResponse.MetadataEntry
+	nil,                                 // 71: hostagent.v1.ResumeSandboxRequest.DefaultEnvEntry
+	nil,                                 // 72: hostagent.v1.ResumeSandboxResponse.MetadataEntry
+	nil,                                 // 73: hostagent.v1.SandboxInfo.MetadataEntry
+	nil,                                 // 74: hostagent.v1.PtyAttachRequest.EnvsEntry
+	nil,                                 // 75: hostagent.v1.StartBackgroundRequest.EnvsEntry
 }
 var file_hostagent_proto_depIdxs = []int32{
-	16, // 0: hostagent.v1.ListSandboxesResponse.sandboxes:type_name -> hostagent.v1.SandboxInfo
-	23, // 1: hostagent.v1.ExecStreamResponse.start:type_name -> hostagent.v1.ExecStreamStart
-	24, // 2: hostagent.v1.ExecStreamResponse.data:type_name -> hostagent.v1.ExecStreamData
-	25, // 3: hostagent.v1.ExecStreamResponse.end:type_name -> hostagent.v1.ExecStreamEnd
-	27, // 4: hostagent.v1.WriteFileStreamRequest.meta:type_name -> hostagent.v1.WriteFileStreamMeta
-	35, // 5: hostagent.v1.GetSandboxMetricsResponse.points:type_name -> hostagent.v1.MetricPoint
-	35, // 6: hostagent.v1.FlushSandboxMetricsResponse.points_10m:type_name -> hostagent.v1.MetricPoint
-	35, // 7: hostagent.v1.FlushSandboxMetricsResponse.points_2h:type_name -> hostagent.v1.MetricPoint
-	35, // 8: hostagent.v1.FlushSandboxMetricsResponse.points_24h:type_name -> hostagent.v1.MetricPoint
-	0,  // 9: hostagent.v1.HostAgentService.CreateSandbox:input_type -> hostagent.v1.CreateSandboxRequest
-	2,  // 10: hostagent.v1.HostAgentService.DestroySandbox:input_type -> hostagent.v1.DestroySandboxRequest
-	4,  // 11: hostagent.v1.HostAgentService.PauseSandbox:input_type -> hostagent.v1.PauseSandboxRequest
-	6,  // 12: hostagent.v1.HostAgentService.ResumeSandbox:input_type -> hostagent.v1.ResumeSandboxRequest
-	12, // 13: hostagent.v1.HostAgentService.Exec:input_type -> hostagent.v1.ExecRequest
-	14, // 14: hostagent.v1.HostAgentService.ListSandboxes:input_type -> hostagent.v1.ListSandboxesRequest
-	17, // 15: hostagent.v1.HostAgentService.WriteFile:input_type -> hostagent.v1.WriteFileRequest
-	19, // 16: hostagent.v1.HostAgentService.ReadFile:input_type -> hostagent.v1.ReadFileRequest
-	8,  // 17: hostagent.v1.HostAgentService.CreateSnapshot:input_type -> hostagent.v1.CreateSnapshotRequest
-	10, // 18: hostagent.v1.HostAgentService.DeleteSnapshot:input_type -> hostagent.v1.DeleteSnapshotRequest
-	21, // 19: hostagent.v1.HostAgentService.ExecStream:input_type -> hostagent.v1.ExecStreamRequest
-	26, // 20: hostagent.v1.HostAgentService.WriteFileStream:input_type -> hostagent.v1.WriteFileStreamRequest
-	29, // 21: hostagent.v1.HostAgentService.ReadFileStream:input_type -> hostagent.v1.ReadFileStreamRequest
-	31, // 22: hostagent.v1.HostAgentService.PingSandbox:input_type -> hostagent.v1.PingSandboxRequest
-	33, // 23: hostagent.v1.HostAgentService.Terminate:input_type -> hostagent.v1.TerminateRequest
-	36, // 24: hostagent.v1.HostAgentService.GetSandboxMetrics:input_type -> hostagent.v1.GetSandboxMetricsRequest
-	38, // 25: hostagent.v1.HostAgentService.FlushSandboxMetrics:input_type -> hostagent.v1.FlushSandboxMetricsRequest
-	40, // 26: hostagent.v1.HostAgentService.FlattenRootfs:input_type -> hostagent.v1.FlattenRootfsRequest
-	1,  // 27: hostagent.v1.HostAgentService.CreateSandbox:output_type -> hostagent.v1.CreateSandboxResponse
-	3,  // 28: hostagent.v1.HostAgentService.DestroySandbox:output_type -> hostagent.v1.DestroySandboxResponse
-	5,  // 29: hostagent.v1.HostAgentService.PauseSandbox:output_type -> hostagent.v1.PauseSandboxResponse
-	7,  // 30: hostagent.v1.HostAgentService.ResumeSandbox:output_type -> hostagent.v1.ResumeSandboxResponse
-	13, // 31: hostagent.v1.HostAgentService.Exec:output_type -> hostagent.v1.ExecResponse
-	15, // 32: hostagent.v1.HostAgentService.ListSandboxes:output_type -> hostagent.v1.ListSandboxesResponse
-	18, // 33: hostagent.v1.HostAgentService.WriteFile:output_type -> hostagent.v1.WriteFileResponse
-	20, // 34: hostagent.v1.HostAgentService.ReadFile:output_type -> hostagent.v1.ReadFileResponse
-	9,  // 35: hostagent.v1.HostAgentService.CreateSnapshot:output_type -> hostagent.v1.CreateSnapshotResponse
-	11, // 36: hostagent.v1.HostAgentService.DeleteSnapshot:output_type -> hostagent.v1.DeleteSnapshotResponse
-	22, // 37: hostagent.v1.HostAgentService.ExecStream:output_type -> hostagent.v1.ExecStreamResponse
-	28, // 38: hostagent.v1.HostAgentService.WriteFileStream:output_type -> hostagent.v1.WriteFileStreamResponse
-	30, // 39: hostagent.v1.HostAgentService.ReadFileStream:output_type -> hostagent.v1.ReadFileStreamResponse
-	32, // 40: hostagent.v1.HostAgentService.PingSandbox:output_type -> hostagent.v1.PingSandboxResponse
-	34, // 41: hostagent.v1.HostAgentService.Terminate:output_type -> hostagent.v1.TerminateResponse
-	37, // 42: hostagent.v1.HostAgentService.GetSandboxMetrics:output_type -> hostagent.v1.GetSandboxMetricsResponse
-	39, // 43: hostagent.v1.HostAgentService.FlushSandboxMetrics:output_type -> hostagent.v1.FlushSandboxMetricsResponse
-	41, // 44: hostagent.v1.HostAgentService.FlattenRootfs:output_type -> hostagent.v1.FlattenRootfsResponse
-	27, // [27:45] is the sub-list for method output_type
-	9,  // [9:27] is the sub-list for method input_type
-	9,  // [9:9] is the sub-list for extension type_name
-	9,  // [9:9] is the sub-list for extension extendee
-	0,  // [0:9] is the sub-list for field type_name
+	69, // 0: hostagent.v1.CreateSandboxRequest.default_env:type_name -> hostagent.v1.CreateSandboxRequest.DefaultEnvEntry
+	70, // 1: hostagent.v1.CreateSandboxResponse.metadata:type_name -> hostagent.v1.CreateSandboxResponse.MetadataEntry
+	71, // 2: hostagent.v1.ResumeSandboxRequest.default_env:type_name -> hostagent.v1.ResumeSandboxRequest.DefaultEnvEntry
+	72, // 3: hostagent.v1.ResumeSandboxResponse.metadata:type_name -> hostagent.v1.ResumeSandboxResponse.MetadataEntry
+	16, // 4: hostagent.v1.ListSandboxesResponse.sandboxes:type_name -> hostagent.v1.SandboxInfo
+	73, // 5: hostagent.v1.SandboxInfo.metadata:type_name -> hostagent.v1.SandboxInfo.MetadataEntry
+	23, // 6: hostagent.v1.ExecStreamResponse.start:type_name -> hostagent.v1.ExecStreamStart
+	24, // 7: hostagent.v1.ExecStreamResponse.data:type_name -> hostagent.v1.ExecStreamData
+	25, // 8: hostagent.v1.ExecStreamResponse.end:type_name -> hostagent.v1.ExecStreamEnd
+	27, // 9: hostagent.v1.WriteFileStreamRequest.meta:type_name -> hostagent.v1.WriteFileStreamMeta
+	33, // 10: hostagent.v1.ListDirResponse.entries:type_name -> hostagent.v1.FileEntry
+	33, // 11: hostagent.v1.MakeDirResponse.entry:type_name -> hostagent.v1.FileEntry
+	42, // 12: hostagent.v1.GetSandboxMetricsResponse.points:type_name -> hostagent.v1.MetricPoint
+	42, // 13: hostagent.v1.FlushSandboxMetricsResponse.points_10m:type_name -> hostagent.v1.MetricPoint
+	42, // 14: hostagent.v1.FlushSandboxMetricsResponse.points_2h:type_name -> hostagent.v1.MetricPoint
+	42, // 15: hostagent.v1.FlushSandboxMetricsResponse.points_24h:type_name -> hostagent.v1.MetricPoint
+	74, // 16: hostagent.v1.PtyAttachRequest.envs:type_name -> hostagent.v1.PtyAttachRequest.EnvsEntry
+	51, // 17: hostagent.v1.PtyAttachResponse.started:type_name -> hostagent.v1.PtyStarted
+	52, // 18: hostagent.v1.PtyAttachResponse.output:type_name -> hostagent.v1.PtyOutput
+	53, // 19: hostagent.v1.PtyAttachResponse.exited:type_name -> hostagent.v1.PtyExited
+	75, // 20: hostagent.v1.StartBackgroundRequest.envs:type_name -> hostagent.v1.StartBackgroundRequest.EnvsEntry
+	63, // 21: hostagent.v1.ListProcessesResponse.processes:type_name -> hostagent.v1.ProcessEntry
+	23, // 22: hostagent.v1.ConnectProcessResponse.start:type_name -> hostagent.v1.ExecStreamStart
+	24, // 23: hostagent.v1.ConnectProcessResponse.data:type_name -> hostagent.v1.ExecStreamData
+	25, // 24: hostagent.v1.ConnectProcessResponse.end:type_name -> hostagent.v1.ExecStreamEnd
+	0,  // 25: hostagent.v1.HostAgentService.CreateSandbox:input_type -> hostagent.v1.CreateSandboxRequest
+	2,  // 26: hostagent.v1.HostAgentService.DestroySandbox:input_type -> hostagent.v1.DestroySandboxRequest
+	4,  // 27: hostagent.v1.HostAgentService.PauseSandbox:input_type -> hostagent.v1.PauseSandboxRequest
+	6,  // 28: hostagent.v1.HostAgentService.ResumeSandbox:input_type -> hostagent.v1.ResumeSandboxRequest
+	12, // 29: hostagent.v1.HostAgentService.Exec:input_type -> hostagent.v1.ExecRequest
+	14, // 30: hostagent.v1.HostAgentService.ListSandboxes:input_type -> hostagent.v1.ListSandboxesRequest
+	17, // 31: hostagent.v1.HostAgentService.WriteFile:input_type -> hostagent.v1.WriteFileRequest
+	19, // 32: hostagent.v1.HostAgentService.ReadFile:input_type -> hostagent.v1.ReadFileRequest
+	31, // 33: hostagent.v1.HostAgentService.ListDir:input_type -> hostagent.v1.ListDirRequest
+	34, // 34: hostagent.v1.HostAgentService.MakeDir:input_type -> hostagent.v1.MakeDirRequest
+	36, // 35: hostagent.v1.HostAgentService.RemovePath:input_type -> hostagent.v1.RemovePathRequest
+	8,  // 36: hostagent.v1.HostAgentService.CreateSnapshot:input_type -> hostagent.v1.CreateSnapshotRequest
+	10, // 37: hostagent.v1.HostAgentService.DeleteSnapshot:input_type -> hostagent.v1.DeleteSnapshotRequest
+	21, // 38: hostagent.v1.HostAgentService.ExecStream:input_type -> hostagent.v1.ExecStreamRequest
+	26, // 39: hostagent.v1.HostAgentService.WriteFileStream:input_type -> hostagent.v1.WriteFileStreamRequest
+	29, // 40: hostagent.v1.HostAgentService.ReadFileStream:input_type -> hostagent.v1.ReadFileStreamRequest
+	38, // 41: hostagent.v1.HostAgentService.PingSandbox:input_type -> hostagent.v1.PingSandboxRequest
+	40, // 42: hostagent.v1.HostAgentService.Terminate:input_type -> hostagent.v1.TerminateRequest
+	43, // 43: hostagent.v1.HostAgentService.GetSandboxMetrics:input_type -> hostagent.v1.GetSandboxMetricsRequest
+	45, // 44: hostagent.v1.HostAgentService.FlushSandboxMetrics:input_type -> hostagent.v1.FlushSandboxMetricsRequest
+	47, // 45: hostagent.v1.HostAgentService.FlattenRootfs:input_type -> hostagent.v1.FlattenRootfsRequest
+	49, // 46: hostagent.v1.HostAgentService.PtyAttach:input_type -> hostagent.v1.PtyAttachRequest
+	54, // 47: hostagent.v1.HostAgentService.PtySendInput:input_type -> hostagent.v1.PtySendInputRequest
+	56, // 48: hostagent.v1.HostAgentService.PtyResize:input_type -> hostagent.v1.PtyResizeRequest
+	58, // 49: hostagent.v1.HostAgentService.PtyKill:input_type -> hostagent.v1.PtyKillRequest
+	60, // 50: hostagent.v1.HostAgentService.StartBackground:input_type -> hostagent.v1.StartBackgroundRequest
+	62, // 51: hostagent.v1.HostAgentService.ListProcesses:input_type -> hostagent.v1.ListProcessesRequest
+	65, // 52: hostagent.v1.HostAgentService.KillProcess:input_type -> hostagent.v1.KillProcessRequest
+	67, // 53: hostagent.v1.HostAgentService.ConnectProcess:input_type -> hostagent.v1.ConnectProcessRequest
+	1,  // 54: hostagent.v1.HostAgentService.CreateSandbox:output_type -> hostagent.v1.CreateSandboxResponse
+	3,  // 55: hostagent.v1.HostAgentService.DestroySandbox:output_type -> hostagent.v1.DestroySandboxResponse
+	5,  // 56: hostagent.v1.HostAgentService.PauseSandbox:output_type -> hostagent.v1.PauseSandboxResponse
+	7,  // 57: hostagent.v1.HostAgentService.ResumeSandbox:output_type -> hostagent.v1.ResumeSandboxResponse
+	13, // 58: hostagent.v1.HostAgentService.Exec:output_type -> hostagent.v1.ExecResponse
+	15, // 59: hostagent.v1.HostAgentService.ListSandboxes:output_type -> hostagent.v1.ListSandboxesResponse
+	18, // 60: hostagent.v1.HostAgentService.WriteFile:output_type -> hostagent.v1.WriteFileResponse
+	20, // 61: hostagent.v1.HostAgentService.ReadFile:output_type -> hostagent.v1.ReadFileResponse
+	32, // 62: hostagent.v1.HostAgentService.ListDir:output_type -> hostagent.v1.ListDirResponse
+	35, // 63: hostagent.v1.HostAgentService.MakeDir:output_type -> hostagent.v1.MakeDirResponse
+	37, // 64: hostagent.v1.HostAgentService.RemovePath:output_type -> hostagent.v1.RemovePathResponse
+	9,  // 65: hostagent.v1.HostAgentService.CreateSnapshot:output_type -> hostagent.v1.CreateSnapshotResponse
+	11, // 66: hostagent.v1.HostAgentService.DeleteSnapshot:output_type -> hostagent.v1.DeleteSnapshotResponse
+	22, // 67: hostagent.v1.HostAgentService.ExecStream:output_type -> hostagent.v1.ExecStreamResponse
+	28, // 68: hostagent.v1.HostAgentService.WriteFileStream:output_type -> hostagent.v1.WriteFileStreamResponse
+	30, // 69: hostagent.v1.HostAgentService.ReadFileStream:output_type -> hostagent.v1.ReadFileStreamResponse
+	39, // 70: hostagent.v1.HostAgentService.PingSandbox:output_type -> hostagent.v1.PingSandboxResponse
+	41, // 71: hostagent.v1.HostAgentService.Terminate:output_type -> hostagent.v1.TerminateResponse
+	44, // 72: hostagent.v1.HostAgentService.GetSandboxMetrics:output_type -> hostagent.v1.GetSandboxMetricsResponse
+	46, // 73: hostagent.v1.HostAgentService.FlushSandboxMetrics:output_type -> hostagent.v1.FlushSandboxMetricsResponse
+	48, // 74: hostagent.v1.HostAgentService.FlattenRootfs:output_type -> hostagent.v1.FlattenRootfsResponse
+	50, // 75: hostagent.v1.HostAgentService.PtyAttach:output_type -> hostagent.v1.PtyAttachResponse
+	55, // 76: hostagent.v1.HostAgentService.PtySendInput:output_type -> hostagent.v1.PtySendInputResponse
+	57, // 77: hostagent.v1.HostAgentService.PtyResize:output_type -> hostagent.v1.PtyResizeResponse
+	59, // 78: hostagent.v1.HostAgentService.PtyKill:output_type -> hostagent.v1.PtyKillResponse
+	61, // 79: hostagent.v1.HostAgentService.StartBackground:output_type -> hostagent.v1.StartBackgroundResponse
+	64, // 80: hostagent.v1.HostAgentService.ListProcesses:output_type -> hostagent.v1.ListProcessesResponse
+	66, // 81: hostagent.v1.HostAgentService.KillProcess:output_type -> hostagent.v1.KillProcessResponse
+	68, // 82: hostagent.v1.HostAgentService.ConnectProcess:output_type -> hostagent.v1.ConnectProcessResponse
+	54, // [54:83] is the sub-list for method output_type
+	25, // [25:54] is the sub-list for method input_type
+	25, // [25:25] is the sub-list for extension type_name
+	25, // [25:25] is the sub-list for extension extendee
+	0,  // [0:25] is the sub-list for field type_name
 }
 
 func init() { file_hostagent_proto_init() }
@@ -2693,13 +4674,32 @@ func file_hostagent_proto_init() {
 		(*WriteFileStreamRequest_Meta)(nil),
 		(*WriteFileStreamRequest_Chunk)(nil),
 	}
+	file_hostagent_proto_msgTypes[33].OneofWrappers = []any{}
+	file_hostagent_proto_msgTypes[50].OneofWrappers = []any{
+		(*PtyAttachResponse_Started)(nil),
+		(*PtyAttachResponse_Output)(nil),
+		(*PtyAttachResponse_Exited)(nil),
+	}
+	file_hostagent_proto_msgTypes[65].OneofWrappers = []any{
+		(*KillProcessRequest_Pid)(nil),
+		(*KillProcessRequest_Tag)(nil),
+	}
+	file_hostagent_proto_msgTypes[67].OneofWrappers = []any{
+		(*ConnectProcessRequest_Pid)(nil),
+		(*ConnectProcessRequest_Tag)(nil),
+	}
+	file_hostagent_proto_msgTypes[68].OneofWrappers = []any{
+		(*ConnectProcessResponse_Start)(nil),
+		(*ConnectProcessResponse_Data)(nil),
+		(*ConnectProcessResponse_End)(nil),
+	}
 	type x struct{}
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 			RawDescriptor: unsafe.Slice(unsafe.StringData(file_hostagent_proto_rawDesc), len(file_hostagent_proto_rawDesc)),
 			NumEnums:      0,
-			NumMessages:   42,
+			NumMessages:   76,
 			NumExtensions: 0,
 			NumServices:   1,
 		},
diff --git a/proto/hostagent/gen/hostagentv1connect/hostagent.connect.go b/proto/hostagent/gen/hostagentv1connect/hostagent.connect.go
index 924f4b3..16f30ad 100644
--- a/proto/hostagent/gen/hostagentv1connect/hostagent.connect.go
+++ b/proto/hostagent/gen/hostagentv1connect/hostagent.connect.go
@@ -56,6 +56,15 @@ const (
 	// HostAgentServiceReadFileProcedure is the fully-qualified name of the HostAgentService's ReadFile
 	// RPC.
 	HostAgentServiceReadFileProcedure = "/hostagent.v1.HostAgentService/ReadFile"
+	// HostAgentServiceListDirProcedure is the fully-qualified name of the HostAgentService's ListDir
+	// RPC.
+	HostAgentServiceListDirProcedure = "/hostagent.v1.HostAgentService/ListDir"
+	// HostAgentServiceMakeDirProcedure is the fully-qualified name of the HostAgentService's MakeDir
+	// RPC.
+	HostAgentServiceMakeDirProcedure = "/hostagent.v1.HostAgentService/MakeDir"
+	// HostAgentServiceRemovePathProcedure is the fully-qualified name of the HostAgentService's
+	// RemovePath RPC.
+	HostAgentServiceRemovePathProcedure = "/hostagent.v1.HostAgentService/RemovePath"
 	// HostAgentServiceCreateSnapshotProcedure is the fully-qualified name of the HostAgentService's
 	// CreateSnapshot RPC.
 	HostAgentServiceCreateSnapshotProcedure = "/hostagent.v1.HostAgentService/CreateSnapshot"
@@ -86,6 +95,30 @@ const (
 	// HostAgentServiceFlattenRootfsProcedure is the fully-qualified name of the HostAgentService's
 	// FlattenRootfs RPC.
 	HostAgentServiceFlattenRootfsProcedure = "/hostagent.v1.HostAgentService/FlattenRootfs"
+	// HostAgentServicePtyAttachProcedure is the fully-qualified name of the HostAgentService's
+	// PtyAttach RPC.
+	HostAgentServicePtyAttachProcedure = "/hostagent.v1.HostAgentService/PtyAttach"
+	// HostAgentServicePtySendInputProcedure is the fully-qualified name of the HostAgentService's
+	// PtySendInput RPC.
+	HostAgentServicePtySendInputProcedure = "/hostagent.v1.HostAgentService/PtySendInput"
+	// HostAgentServicePtyResizeProcedure is the fully-qualified name of the HostAgentService's
+	// PtyResize RPC.
+	HostAgentServicePtyResizeProcedure = "/hostagent.v1.HostAgentService/PtyResize"
+	// HostAgentServicePtyKillProcedure is the fully-qualified name of the HostAgentService's PtyKill
+	// RPC.
+	HostAgentServicePtyKillProcedure = "/hostagent.v1.HostAgentService/PtyKill"
+	// HostAgentServiceStartBackgroundProcedure is the fully-qualified name of the HostAgentService's
+	// StartBackground RPC.
+	HostAgentServiceStartBackgroundProcedure = "/hostagent.v1.HostAgentService/StartBackground"
+	// HostAgentServiceListProcessesProcedure is the fully-qualified name of the HostAgentService's
+	// ListProcesses RPC.
+	HostAgentServiceListProcessesProcedure = "/hostagent.v1.HostAgentService/ListProcesses"
+	// HostAgentServiceKillProcessProcedure is the fully-qualified name of the HostAgentService's
+	// KillProcess RPC.
+	HostAgentServiceKillProcessProcedure = "/hostagent.v1.HostAgentService/KillProcess"
+	// HostAgentServiceConnectProcessProcedure is the fully-qualified name of the HostAgentService's
+	// ConnectProcess RPC.
+	HostAgentServiceConnectProcessProcedure = "/hostagent.v1.HostAgentService/ConnectProcess"
 )
 
 // HostAgentServiceClient is a client for the hostagent.v1.HostAgentService service.
@@ -106,6 +139,12 @@ type HostAgentServiceClient interface {
 	WriteFile(context.Context, *connect.Request[gen.WriteFileRequest]) (*connect.Response[gen.WriteFileResponse], error)
 	// ReadFile reads a file from inside a sandbox.
 	ReadFile(context.Context, *connect.Request[gen.ReadFileRequest]) (*connect.Response[gen.ReadFileResponse], error)
+	// ListDir lists directory contents inside a sandbox.
+	ListDir(context.Context, *connect.Request[gen.ListDirRequest]) (*connect.Response[gen.ListDirResponse], error)
+	// MakeDir creates a directory inside a sandbox.
+	MakeDir(context.Context, *connect.Request[gen.MakeDirRequest]) (*connect.Response[gen.MakeDirResponse], error)
+	// RemovePath removes a file or directory inside a sandbox.
+	RemovePath(context.Context, *connect.Request[gen.RemovePathRequest]) (*connect.Response[gen.RemovePathResponse], error)
 	// CreateSnapshot pauses a sandbox, takes a snapshot, stores it as a reusable
 	// template, and destroys the sandbox.
 	CreateSnapshot(context.Context, *connect.Request[gen.CreateSnapshotRequest]) (*connect.Response[gen.CreateSnapshotResponse], error)
@@ -134,6 +173,26 @@ type HostAgentServiceClient interface {
 	// cleans up all sandbox resources. Used by the template build system to
 	// produce image-only templates (no memory/CPU state).
 	FlattenRootfs(context.Context, *connect.Request[gen.FlattenRootfsRequest]) (*connect.Response[gen.FlattenRootfsResponse], error)
+	// PtyAttach starts a new PTY process or reconnects to an existing one.
+	// If cmd is non-empty, starts a new process with the given PTY dimensions.
+	// If tag is set and cmd is empty, reconnects to the existing process with that tag.
+	// Returns a stream of output events (started, output data, exit).
+	PtyAttach(context.Context, *connect.Request[gen.PtyAttachRequest]) (*connect.ServerStreamForClient[gen.PtyAttachResponse], error)
+	// PtySendInput sends raw bytes to a PTY process identified by tag.
+	PtySendInput(context.Context, *connect.Request[gen.PtySendInputRequest]) (*connect.Response[gen.PtySendInputResponse], error)
+	// PtyResize updates the terminal dimensions for a PTY process.
+	PtyResize(context.Context, *connect.Request[gen.PtyResizeRequest]) (*connect.Response[gen.PtyResizeResponse], error)
+	// PtyKill sends a signal to a PTY process.
+	PtyKill(context.Context, *connect.Request[gen.PtyKillRequest]) (*connect.Response[gen.PtyKillResponse], error)
+	// StartBackground starts a process in the background and returns immediately
+	// with the PID and tag. The process survives RPC disconnection.
+	StartBackground(context.Context, *connect.Request[gen.StartBackgroundRequest]) (*connect.Response[gen.StartBackgroundResponse], error)
+	// ListProcesses returns all running processes inside a sandbox.
+	ListProcesses(context.Context, *connect.Request[gen.ListProcessesRequest]) (*connect.Response[gen.ListProcessesResponse], error)
+	// KillProcess sends a signal to a process identified by PID or tag.
+	KillProcess(context.Context, *connect.Request[gen.KillProcessRequest]) (*connect.Response[gen.KillProcessResponse], error)
+	// ConnectProcess re-attaches to a running process and streams its output.
+	ConnectProcess(context.Context, *connect.Request[gen.ConnectProcessRequest]) (*connect.ServerStreamForClient[gen.ConnectProcessResponse], error)
 }
 
 // NewHostAgentServiceClient constructs a client for the hostagent.v1.HostAgentService service. By
@@ -195,6 +254,24 @@ func NewHostAgentServiceClient(httpClient connect.HTTPClient, baseURL string, op
 			connect.WithSchema(hostAgentServiceMethods.ByName("ReadFile")),
 			connect.WithClientOptions(opts...),
 		),
+		listDir: connect.NewClient[gen.ListDirRequest, gen.ListDirResponse](
+			httpClient,
+			baseURL+HostAgentServiceListDirProcedure,
+			connect.WithSchema(hostAgentServiceMethods.ByName("ListDir")),
+			connect.WithClientOptions(opts...),
+		),
+		makeDir: connect.NewClient[gen.MakeDirRequest, gen.MakeDirResponse](
+			httpClient,
+			baseURL+HostAgentServiceMakeDirProcedure,
+			connect.WithSchema(hostAgentServiceMethods.ByName("MakeDir")),
+			connect.WithClientOptions(opts...),
+		),
+		removePath: connect.NewClient[gen.RemovePathRequest, gen.RemovePathResponse](
+			httpClient,
+			baseURL+HostAgentServiceRemovePathProcedure,
+			connect.WithSchema(hostAgentServiceMethods.ByName("RemovePath")),
+			connect.WithClientOptions(opts...),
+		),
 		createSnapshot: connect.NewClient[gen.CreateSnapshotRequest, gen.CreateSnapshotResponse](
 			httpClient,
 			baseURL+HostAgentServiceCreateSnapshotProcedure,
@@ -255,6 +332,54 @@ func NewHostAgentServiceClient(httpClient connect.HTTPClient, baseURL string, op
 			connect.WithSchema(hostAgentServiceMethods.ByName("FlattenRootfs")),
 			connect.WithClientOptions(opts...),
 		),
+		ptyAttach: connect.NewClient[gen.PtyAttachRequest, gen.PtyAttachResponse](
+			httpClient,
+			baseURL+HostAgentServicePtyAttachProcedure,
+			connect.WithSchema(hostAgentServiceMethods.ByName("PtyAttach")),
+			connect.WithClientOptions(opts...),
+		),
+		ptySendInput: connect.NewClient[gen.PtySendInputRequest, gen.PtySendInputResponse](
+			httpClient,
+			baseURL+HostAgentServicePtySendInputProcedure,
+			connect.WithSchema(hostAgentServiceMethods.ByName("PtySendInput")),
+			connect.WithClientOptions(opts...),
+		),
+		ptyResize: connect.NewClient[gen.PtyResizeRequest, gen.PtyResizeResponse](
+			httpClient,
+			baseURL+HostAgentServicePtyResizeProcedure,
+			connect.WithSchema(hostAgentServiceMethods.ByName("PtyResize")),
+			connect.WithClientOptions(opts...),
+		),
+		ptyKill: connect.NewClient[gen.PtyKillRequest, gen.PtyKillResponse](
+			httpClient,
+			baseURL+HostAgentServicePtyKillProcedure,
+			connect.WithSchema(hostAgentServiceMethods.ByName("PtyKill")),
+			connect.WithClientOptions(opts...),
+		),
+		startBackground: connect.NewClient[gen.StartBackgroundRequest, gen.StartBackgroundResponse](
+			httpClient,
+			baseURL+HostAgentServiceStartBackgroundProcedure,
+			connect.WithSchema(hostAgentServiceMethods.ByName("StartBackground")),
+			connect.WithClientOptions(opts...),
+		),
+		listProcesses: connect.NewClient[gen.ListProcessesRequest, gen.ListProcessesResponse](
+			httpClient,
+			baseURL+HostAgentServiceListProcessesProcedure,
+			connect.WithSchema(hostAgentServiceMethods.ByName("ListProcesses")),
+			connect.WithClientOptions(opts...),
+		),
+		killProcess: connect.NewClient[gen.KillProcessRequest, gen.KillProcessResponse](
+			httpClient,
+			baseURL+HostAgentServiceKillProcessProcedure,
+			connect.WithSchema(hostAgentServiceMethods.ByName("KillProcess")),
+			connect.WithClientOptions(opts...),
+		),
+		connectProcess: connect.NewClient[gen.ConnectProcessRequest, gen.ConnectProcessResponse](
+			httpClient,
+			baseURL+HostAgentServiceConnectProcessProcedure,
+			connect.WithSchema(hostAgentServiceMethods.ByName("ConnectProcess")),
+			connect.WithClientOptions(opts...),
+		),
 	}
 }
 
@@ -268,6 +393,9 @@ type hostAgentServiceClient struct {
 	listSandboxes       *connect.Client[gen.ListSandboxesRequest, gen.ListSandboxesResponse]
 	writeFile           *connect.Client[gen.WriteFileRequest, gen.WriteFileResponse]
 	readFile            *connect.Client[gen.ReadFileRequest, gen.ReadFileResponse]
+	listDir             *connect.Client[gen.ListDirRequest, gen.ListDirResponse]
+	makeDir             *connect.Client[gen.MakeDirRequest, gen.MakeDirResponse]
+	removePath          *connect.Client[gen.RemovePathRequest, gen.RemovePathResponse]
 	createSnapshot      *connect.Client[gen.CreateSnapshotRequest, gen.CreateSnapshotResponse]
 	deleteSnapshot      *connect.Client[gen.DeleteSnapshotRequest, gen.DeleteSnapshotResponse]
 	execStream          *connect.Client[gen.ExecStreamRequest, gen.ExecStreamResponse]
@@ -278,6 +406,14 @@ type hostAgentServiceClient struct {
 	getSandboxMetrics   *connect.Client[gen.GetSandboxMetricsRequest, gen.GetSandboxMetricsResponse]
 	flushSandboxMetrics *connect.Client[gen.FlushSandboxMetricsRequest, gen.FlushSandboxMetricsResponse]
 	flattenRootfs       *connect.Client[gen.FlattenRootfsRequest, gen.FlattenRootfsResponse]
+	ptyAttach           *connect.Client[gen.PtyAttachRequest, gen.PtyAttachResponse]
+	ptySendInput        *connect.Client[gen.PtySendInputRequest, gen.PtySendInputResponse]
+	ptyResize           *connect.Client[gen.PtyResizeRequest, gen.PtyResizeResponse]
+	ptyKill             *connect.Client[gen.PtyKillRequest, gen.PtyKillResponse]
+	startBackground     *connect.Client[gen.StartBackgroundRequest, gen.StartBackgroundResponse]
+	listProcesses       *connect.Client[gen.ListProcessesRequest, gen.ListProcessesResponse]
+	killProcess         *connect.Client[gen.KillProcessRequest, gen.KillProcessResponse]
+	connectProcess      *connect.Client[gen.ConnectProcessRequest, gen.ConnectProcessResponse]
 }
 
 // CreateSandbox calls hostagent.v1.HostAgentService.CreateSandbox.
@@ -320,6 +456,21 @@ func (c *hostAgentServiceClient) ReadFile(ctx context.Context, req *connect.Requ
 	return c.readFile.CallUnary(ctx, req)
 }
 
+// ListDir calls hostagent.v1.HostAgentService.ListDir.
+func (c *hostAgentServiceClient) ListDir(ctx context.Context, req *connect.Request[gen.ListDirRequest]) (*connect.Response[gen.ListDirResponse], error) {
+	return c.listDir.CallUnary(ctx, req)
+}
+
+// MakeDir calls hostagent.v1.HostAgentService.MakeDir.
+func (c *hostAgentServiceClient) MakeDir(ctx context.Context, req *connect.Request[gen.MakeDirRequest]) (*connect.Response[gen.MakeDirResponse], error) {
+	return c.makeDir.CallUnary(ctx, req)
+}
+
+// RemovePath calls hostagent.v1.HostAgentService.RemovePath.
+func (c *hostAgentServiceClient) RemovePath(ctx context.Context, req *connect.Request[gen.RemovePathRequest]) (*connect.Response[gen.RemovePathResponse], error) {
+	return c.removePath.CallUnary(ctx, req)
+}
+
 // CreateSnapshot calls hostagent.v1.HostAgentService.CreateSnapshot.
 func (c *hostAgentServiceClient) CreateSnapshot(ctx context.Context, req *connect.Request[gen.CreateSnapshotRequest]) (*connect.Response[gen.CreateSnapshotResponse], error) {
 	return c.createSnapshot.CallUnary(ctx, req)
@@ -370,6 +521,46 @@ func (c *hostAgentServiceClient) FlattenRootfs(ctx context.Context, req *connect
 	return c.flattenRootfs.CallUnary(ctx, req)
 }
 
+// PtyAttach calls hostagent.v1.HostAgentService.PtyAttach.
+func (c *hostAgentServiceClient) PtyAttach(ctx context.Context, req *connect.Request[gen.PtyAttachRequest]) (*connect.ServerStreamForClient[gen.PtyAttachResponse], error) {
+	return c.ptyAttach.CallServerStream(ctx, req)
+}
+
+// PtySendInput calls hostagent.v1.HostAgentService.PtySendInput.
+func (c *hostAgentServiceClient) PtySendInput(ctx context.Context, req *connect.Request[gen.PtySendInputRequest]) (*connect.Response[gen.PtySendInputResponse], error) {
+	return c.ptySendInput.CallUnary(ctx, req)
+}
+
+// PtyResize calls hostagent.v1.HostAgentService.PtyResize.
+func (c *hostAgentServiceClient) PtyResize(ctx context.Context, req *connect.Request[gen.PtyResizeRequest]) (*connect.Response[gen.PtyResizeResponse], error) {
+	return c.ptyResize.CallUnary(ctx, req)
+}
+
+// PtyKill calls hostagent.v1.HostAgentService.PtyKill.
+func (c *hostAgentServiceClient) PtyKill(ctx context.Context, req *connect.Request[gen.PtyKillRequest]) (*connect.Response[gen.PtyKillResponse], error) {
+	return c.ptyKill.CallUnary(ctx, req)
+}
+
+// StartBackground calls hostagent.v1.HostAgentService.StartBackground.
+func (c *hostAgentServiceClient) StartBackground(ctx context.Context, req *connect.Request[gen.StartBackgroundRequest]) (*connect.Response[gen.StartBackgroundResponse], error) {
+	return c.startBackground.CallUnary(ctx, req)
+}
+
+// ListProcesses calls hostagent.v1.HostAgentService.ListProcesses.
+func (c *hostAgentServiceClient) ListProcesses(ctx context.Context, req *connect.Request[gen.ListProcessesRequest]) (*connect.Response[gen.ListProcessesResponse], error) {
+	return c.listProcesses.CallUnary(ctx, req)
+}
+
+// KillProcess calls hostagent.v1.HostAgentService.KillProcess.
+func (c *hostAgentServiceClient) KillProcess(ctx context.Context, req *connect.Request[gen.KillProcessRequest]) (*connect.Response[gen.KillProcessResponse], error) {
+	return c.killProcess.CallUnary(ctx, req)
+}
+
+// ConnectProcess calls hostagent.v1.HostAgentService.ConnectProcess.
+func (c *hostAgentServiceClient) ConnectProcess(ctx context.Context, req *connect.Request[gen.ConnectProcessRequest]) (*connect.ServerStreamForClient[gen.ConnectProcessResponse], error) {
+	return c.connectProcess.CallServerStream(ctx, req)
+}
+
 // HostAgentServiceHandler is an implementation of the hostagent.v1.HostAgentService service.
 type HostAgentServiceHandler interface {
 	// CreateSandbox boots a new microVM with the given configuration.
@@ -388,6 +579,12 @@ type HostAgentServiceHandler interface {
 	WriteFile(context.Context, *connect.Request[gen.WriteFileRequest]) (*connect.Response[gen.WriteFileResponse], error)
 	// ReadFile reads a file from inside a sandbox.
 	ReadFile(context.Context, *connect.Request[gen.ReadFileRequest]) (*connect.Response[gen.ReadFileResponse], error)
+	// ListDir lists directory contents inside a sandbox.
+	ListDir(context.Context, *connect.Request[gen.ListDirRequest]) (*connect.Response[gen.ListDirResponse], error)
+	// MakeDir creates a directory inside a sandbox.
+	MakeDir(context.Context, *connect.Request[gen.MakeDirRequest]) (*connect.Response[gen.MakeDirResponse], error)
+	// RemovePath removes a file or directory inside a sandbox.
+	RemovePath(context.Context, *connect.Request[gen.RemovePathRequest]) (*connect.Response[gen.RemovePathResponse], error)
 	// CreateSnapshot pauses a sandbox, takes a snapshot, stores it as a reusable
 	// template, and destroys the sandbox.
 	CreateSnapshot(context.Context, *connect.Request[gen.CreateSnapshotRequest]) (*connect.Response[gen.CreateSnapshotResponse], error)
@@ -416,6 +613,26 @@ type HostAgentServiceHandler interface {
 	// cleans up all sandbox resources. Used by the template build system to
 	// produce image-only templates (no memory/CPU state).
 	FlattenRootfs(context.Context, *connect.Request[gen.FlattenRootfsRequest]) (*connect.Response[gen.FlattenRootfsResponse], error)
+	// PtyAttach starts a new PTY process or reconnects to an existing one.
+	// If cmd is non-empty, starts a new process with the given PTY dimensions.
+	// If tag is set and cmd is empty, reconnects to the existing process with that tag.
+	// Returns a stream of output events (started, output data, exit).
+	PtyAttach(context.Context, *connect.Request[gen.PtyAttachRequest], *connect.ServerStream[gen.PtyAttachResponse]) error
+	// PtySendInput sends raw bytes to a PTY process identified by tag.
+	PtySendInput(context.Context, *connect.Request[gen.PtySendInputRequest]) (*connect.Response[gen.PtySendInputResponse], error)
+	// PtyResize updates the terminal dimensions for a PTY process.
+	PtyResize(context.Context, *connect.Request[gen.PtyResizeRequest]) (*connect.Response[gen.PtyResizeResponse], error)
+	// PtyKill sends a signal to a PTY process.
+	PtyKill(context.Context, *connect.Request[gen.PtyKillRequest]) (*connect.Response[gen.PtyKillResponse], error)
+	// StartBackground starts a process in the background and returns immediately
+	// with the PID and tag. The process survives RPC disconnection.
+	StartBackground(context.Context, *connect.Request[gen.StartBackgroundRequest]) (*connect.Response[gen.StartBackgroundResponse], error)
+	// ListProcesses returns all running processes inside a sandbox.
+	ListProcesses(context.Context, *connect.Request[gen.ListProcessesRequest]) (*connect.Response[gen.ListProcessesResponse], error)
+	// KillProcess sends a signal to a process identified by PID or tag.
+	KillProcess(context.Context, *connect.Request[gen.KillProcessRequest]) (*connect.Response[gen.KillProcessResponse], error)
+	// ConnectProcess re-attaches to a running process and streams its output.
+	ConnectProcess(context.Context, *connect.Request[gen.ConnectProcessRequest], *connect.ServerStream[gen.ConnectProcessResponse]) error
 }
 
 // NewHostAgentServiceHandler builds an HTTP handler from the service implementation. It returns the
@@ -473,6 +690,24 @@ func NewHostAgentServiceHandler(svc HostAgentServiceHandler, opts ...connect.Han
 		connect.WithSchema(hostAgentServiceMethods.ByName("ReadFile")),
 		connect.WithHandlerOptions(opts...),
 	)
+	hostAgentServiceListDirHandler := connect.NewUnaryHandler(
+		HostAgentServiceListDirProcedure,
+		svc.ListDir,
+		connect.WithSchema(hostAgentServiceMethods.ByName("ListDir")),
+		connect.WithHandlerOptions(opts...),
+	)
+	hostAgentServiceMakeDirHandler := connect.NewUnaryHandler(
+		HostAgentServiceMakeDirProcedure,
+		svc.MakeDir,
+		connect.WithSchema(hostAgentServiceMethods.ByName("MakeDir")),
+		connect.WithHandlerOptions(opts...),
+	)
+	hostAgentServiceRemovePathHandler := connect.NewUnaryHandler(
+		HostAgentServiceRemovePathProcedure,
+		svc.RemovePath,
+		connect.WithSchema(hostAgentServiceMethods.ByName("RemovePath")),
+		connect.WithHandlerOptions(opts...),
+	)
 	hostAgentServiceCreateSnapshotHandler := connect.NewUnaryHandler(
 		HostAgentServiceCreateSnapshotProcedure,
 		svc.CreateSnapshot,
@@ -533,6 +768,54 @@ func NewHostAgentServiceHandler(svc HostAgentServiceHandler, opts ...connect.Han
 		connect.WithSchema(hostAgentServiceMethods.ByName("FlattenRootfs")),
 		connect.WithHandlerOptions(opts...),
 	)
+	hostAgentServicePtyAttachHandler := connect.NewServerStreamHandler(
+		HostAgentServicePtyAttachProcedure,
+		svc.PtyAttach,
+		connect.WithSchema(hostAgentServiceMethods.ByName("PtyAttach")),
+		connect.WithHandlerOptions(opts...),
+	)
+	hostAgentServicePtySendInputHandler := connect.NewUnaryHandler(
+		HostAgentServicePtySendInputProcedure,
+		svc.PtySendInput,
+		connect.WithSchema(hostAgentServiceMethods.ByName("PtySendInput")),
+		connect.WithHandlerOptions(opts...),
+	)
+	hostAgentServicePtyResizeHandler := connect.NewUnaryHandler(
+		HostAgentServicePtyResizeProcedure,
+		svc.PtyResize,
+		connect.WithSchema(hostAgentServiceMethods.ByName("PtyResize")),
+		connect.WithHandlerOptions(opts...),
+	)
+	hostAgentServicePtyKillHandler := connect.NewUnaryHandler(
+		HostAgentServicePtyKillProcedure,
+		svc.PtyKill,
+		connect.WithSchema(hostAgentServiceMethods.ByName("PtyKill")),
+		connect.WithHandlerOptions(opts...),
+	)
+	hostAgentServiceStartBackgroundHandler := connect.NewUnaryHandler(
+		HostAgentServiceStartBackgroundProcedure,
+		svc.StartBackground,
+		connect.WithSchema(hostAgentServiceMethods.ByName("StartBackground")),
+		connect.WithHandlerOptions(opts...),
+	)
+	hostAgentServiceListProcessesHandler := connect.NewUnaryHandler(
+		HostAgentServiceListProcessesProcedure,
+		svc.ListProcesses,
+		connect.WithSchema(hostAgentServiceMethods.ByName("ListProcesses")),
+		connect.WithHandlerOptions(opts...),
+	)
+	hostAgentServiceKillProcessHandler := connect.NewUnaryHandler(
+		HostAgentServiceKillProcessProcedure,
+		svc.KillProcess,
+		connect.WithSchema(hostAgentServiceMethods.ByName("KillProcess")),
+		connect.WithHandlerOptions(opts...),
+	)
+	hostAgentServiceConnectProcessHandler := connect.NewServerStreamHandler(
+		HostAgentServiceConnectProcessProcedure,
+		svc.ConnectProcess,
+		connect.WithSchema(hostAgentServiceMethods.ByName("ConnectProcess")),
+		connect.WithHandlerOptions(opts...),
+	)
 	return "/hostagent.v1.HostAgentService/", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		switch r.URL.Path {
 		case HostAgentServiceCreateSandboxProcedure:
@@ -551,6 +834,12 @@ func NewHostAgentServiceHandler(svc HostAgentServiceHandler, opts ...connect.Han
 			hostAgentServiceWriteFileHandler.ServeHTTP(w, r)
 		case HostAgentServiceReadFileProcedure:
 			hostAgentServiceReadFileHandler.ServeHTTP(w, r)
+		case HostAgentServiceListDirProcedure:
+			hostAgentServiceListDirHandler.ServeHTTP(w, r)
+		case HostAgentServiceMakeDirProcedure:
+			hostAgentServiceMakeDirHandler.ServeHTTP(w, r)
+		case HostAgentServiceRemovePathProcedure:
+			hostAgentServiceRemovePathHandler.ServeHTTP(w, r)
 		case HostAgentServiceCreateSnapshotProcedure:
 			hostAgentServiceCreateSnapshotHandler.ServeHTTP(w, r)
 		case HostAgentServiceDeleteSnapshotProcedure:
@@ -571,6 +860,22 @@ func NewHostAgentServiceHandler(svc HostAgentServiceHandler, opts ...connect.Han
 			hostAgentServiceFlushSandboxMetricsHandler.ServeHTTP(w, r)
 		case HostAgentServiceFlattenRootfsProcedure:
 			hostAgentServiceFlattenRootfsHandler.ServeHTTP(w, r)
+		case HostAgentServicePtyAttachProcedure:
+			hostAgentServicePtyAttachHandler.ServeHTTP(w, r)
+		case HostAgentServicePtySendInputProcedure:
+			hostAgentServicePtySendInputHandler.ServeHTTP(w, r)
+		case HostAgentServicePtyResizeProcedure:
+			hostAgentServicePtyResizeHandler.ServeHTTP(w, r)
+		case HostAgentServicePtyKillProcedure:
+			hostAgentServicePtyKillHandler.ServeHTTP(w, r)
+		case HostAgentServiceStartBackgroundProcedure:
+			hostAgentServiceStartBackgroundHandler.ServeHTTP(w, r)
+		case HostAgentServiceListProcessesProcedure:
+			hostAgentServiceListProcessesHandler.ServeHTTP(w, r)
+		case HostAgentServiceKillProcessProcedure:
+			hostAgentServiceKillProcessHandler.ServeHTTP(w, r)
+		case HostAgentServiceConnectProcessProcedure:
+			hostAgentServiceConnectProcessHandler.ServeHTTP(w, r)
 		default:
 			http.NotFound(w, r)
 		}
@@ -612,6 +917,18 @@ func (UnimplementedHostAgentServiceHandler) ReadFile(context.Context, *connect.R
 	return nil, connect.NewError(connect.CodeUnimplemented, errors.New("hostagent.v1.HostAgentService.ReadFile is not implemented"))
 }
 
+func (UnimplementedHostAgentServiceHandler) ListDir(context.Context, *connect.Request[gen.ListDirRequest]) (*connect.Response[gen.ListDirResponse], error) {
+	return nil, connect.NewError(connect.CodeUnimplemented, errors.New("hostagent.v1.HostAgentService.ListDir is not implemented"))
+}
+
+func (UnimplementedHostAgentServiceHandler) MakeDir(context.Context, *connect.Request[gen.MakeDirRequest]) (*connect.Response[gen.MakeDirResponse], error) {
+	return nil, connect.NewError(connect.CodeUnimplemented, errors.New("hostagent.v1.HostAgentService.MakeDir is not implemented"))
+}
+
+func (UnimplementedHostAgentServiceHandler) RemovePath(context.Context, *connect.Request[gen.RemovePathRequest]) (*connect.Response[gen.RemovePathResponse], error) {
+	return nil, connect.NewError(connect.CodeUnimplemented, errors.New("hostagent.v1.HostAgentService.RemovePath is not implemented"))
+}
+
 func (UnimplementedHostAgentServiceHandler) CreateSnapshot(context.Context, *connect.Request[gen.CreateSnapshotRequest]) (*connect.Response[gen.CreateSnapshotResponse], error) {
 	return nil, connect.NewError(connect.CodeUnimplemented, errors.New("hostagent.v1.HostAgentService.CreateSnapshot is not implemented"))
 }
@@ -651,3 +968,35 @@ func (UnimplementedHostAgentServiceHandler) FlushSandboxMetrics(context.Context,
 func (UnimplementedHostAgentServiceHandler) FlattenRootfs(context.Context, *connect.Request[gen.FlattenRootfsRequest]) (*connect.Response[gen.FlattenRootfsResponse], error) {
 	return nil, connect.NewError(connect.CodeUnimplemented, errors.New("hostagent.v1.HostAgentService.FlattenRootfs is not implemented"))
 }
+
+func (UnimplementedHostAgentServiceHandler) PtyAttach(context.Context, *connect.Request[gen.PtyAttachRequest], *connect.ServerStream[gen.PtyAttachResponse]) error {
+	return connect.NewError(connect.CodeUnimplemented, errors.New("hostagent.v1.HostAgentService.PtyAttach is not implemented"))
+}
+
+func (UnimplementedHostAgentServiceHandler) PtySendInput(context.Context, *connect.Request[gen.PtySendInputRequest]) (*connect.Response[gen.PtySendInputResponse], error) {
+	return nil, connect.NewError(connect.CodeUnimplemented, errors.New("hostagent.v1.HostAgentService.PtySendInput is not implemented"))
+}
+
+func (UnimplementedHostAgentServiceHandler) PtyResize(context.Context, *connect.Request[gen.PtyResizeRequest]) (*connect.Response[gen.PtyResizeResponse], error) {
+	return nil, connect.NewError(connect.CodeUnimplemented, errors.New("hostagent.v1.HostAgentService.PtyResize is not implemented"))
+}
+
+func (UnimplementedHostAgentServiceHandler) PtyKill(context.Context, *connect.Request[gen.PtyKillRequest]) (*connect.Response[gen.PtyKillResponse], error) {
+	return nil, connect.NewError(connect.CodeUnimplemented, errors.New("hostagent.v1.HostAgentService.PtyKill is not implemented"))
+}
+
+func (UnimplementedHostAgentServiceHandler) StartBackground(context.Context, *connect.Request[gen.StartBackgroundRequest]) (*connect.Response[gen.StartBackgroundResponse], error) {
+	return nil, connect.NewError(connect.CodeUnimplemented, errors.New("hostagent.v1.HostAgentService.StartBackground is not implemented"))
+}
+
+func (UnimplementedHostAgentServiceHandler) ListProcesses(context.Context, *connect.Request[gen.ListProcessesRequest]) (*connect.Response[gen.ListProcessesResponse], error) {
+	return nil, connect.NewError(connect.CodeUnimplemented, errors.New("hostagent.v1.HostAgentService.ListProcesses is not implemented"))
+}
+
+func (UnimplementedHostAgentServiceHandler) KillProcess(context.Context, *connect.Request[gen.KillProcessRequest]) (*connect.Response[gen.KillProcessResponse], error) {
+	return nil, connect.NewError(connect.CodeUnimplemented, errors.New("hostagent.v1.HostAgentService.KillProcess is not implemented"))
+}
+
+func (UnimplementedHostAgentServiceHandler) ConnectProcess(context.Context, *connect.Request[gen.ConnectProcessRequest], *connect.ServerStream[gen.ConnectProcessResponse]) error {
+	return connect.NewError(connect.CodeUnimplemented, errors.New("hostagent.v1.HostAgentService.ConnectProcess is not implemented"))
+}
diff --git a/proto/hostagent/hostagent.proto b/proto/hostagent/hostagent.proto
index 817d535..5dbf222 100644
--- a/proto/hostagent/hostagent.proto
+++ b/proto/hostagent/hostagent.proto
@@ -29,6 +29,15 @@ service HostAgentService {
   // ReadFile reads a file from inside a sandbox.
   rpc ReadFile(ReadFileRequest) returns (ReadFileResponse);
 
+  // ListDir lists directory contents inside a sandbox.
+  rpc ListDir(ListDirRequest) returns (ListDirResponse);
+
+  // MakeDir creates a directory inside a sandbox.
+  rpc MakeDir(MakeDirRequest) returns (MakeDirResponse);
+
+  // RemovePath removes a file or directory inside a sandbox.
+  rpc RemovePath(RemovePathRequest) returns (RemovePathResponse);
+
   // CreateSnapshot pauses a sandbox, takes a snapshot, stores it as a reusable
   // template, and destroys the sandbox.
   rpc CreateSnapshot(CreateSnapshotRequest) returns (CreateSnapshotResponse);
@@ -67,6 +76,34 @@ service HostAgentService {
   // produce image-only templates (no memory/CPU state).
   rpc FlattenRootfs(FlattenRootfsRequest) returns (FlattenRootfsResponse);
 
+  // PtyAttach starts a new PTY process or reconnects to an existing one.
+  // If cmd is non-empty, starts a new process with the given PTY dimensions.
+  // If tag is set and cmd is empty, reconnects to the existing process with that tag.
+  // Returns a stream of output events (started, output data, exit).
+  rpc PtyAttach(PtyAttachRequest) returns (stream PtyAttachResponse);
+
+  // PtySendInput sends raw bytes to a PTY process identified by tag.
+  rpc PtySendInput(PtySendInputRequest) returns (PtySendInputResponse);
+
+  // PtyResize updates the terminal dimensions for a PTY process.
+  rpc PtyResize(PtyResizeRequest) returns (PtyResizeResponse);
+
+  // PtyKill sends a signal to a PTY process.
+  rpc PtyKill(PtyKillRequest) returns (PtyKillResponse);
+
+  // StartBackground starts a process in the background and returns immediately
+  // with the PID and tag. The process survives RPC disconnection.
+  rpc StartBackground(StartBackgroundRequest) returns (StartBackgroundResponse);
+
+  // ListProcesses returns all running processes inside a sandbox.
+  rpc ListProcesses(ListProcessesRequest) returns (ListProcessesResponse);
+
+  // KillProcess sends a signal to a process identified by PID or tag.
+  rpc KillProcess(KillProcessRequest) returns (KillProcessResponse);
+
+  // ConnectProcess re-attaches to a running process and streams its output.
+  rpc ConnectProcess(ConnectProcessRequest) returns (stream ConnectProcessResponse);
+
 }
 
 message CreateSandboxRequest {
@@ -95,12 +132,22 @@ message CreateSandboxRequest {
 
   // Template UUID (hex string). Both zeros + team zeros = "minimal" sentinel.
   string template_id = 8;
+
+  // Default unix user for the sandbox (set in envd via PostInit).
+  string default_user = 9;
+
+  // Default environment variables (set in envd via PostInit).
+  map<string, string> default_env = 10;
 }
 
 message CreateSandboxResponse {
   string sandbox_id = 1;
   string status = 2;
   string host_ip = 3;
+
+  // Runtime metadata collected during sandbox creation (e.g. envd_version,
+  // kernel_version, firecracker_version, agent_version).
+  map<string, string> metadata = 4;
 }
 
 message DestroySandboxRequest {
@@ -121,12 +168,26 @@ message ResumeSandboxRequest {
   // TTL in seconds restored from the DB so the reaper can auto-pause
   // the sandbox again after inactivity. 0 means no auto-pause.
   int32 timeout_sec = 2;
+
+  // Default unix user for the sandbox (set in envd via PostInit on resume).
+  string default_user = 3;
+
+  // Default environment variables (set in envd via PostInit on resume).
+  map<string, string> default_env = 4;
+
+  // Kernel version hint from the DB — the agent tries to use the exact version,
+  // falling back to latest if not found on disk.
+  string kernel_version = 5;
 }
 
 message ResumeSandboxResponse {
   string sandbox_id = 1;
   string status = 2;
   string host_ip = 3;
+
+  // Actual runtime metadata after resume (versions may differ from hint if
+  // the exact kernel was not available).
+  map<string, string> metadata = 4;
 }
 
 message CreateSnapshotRequest {
@@ -192,6 +253,9 @@ message SandboxInfo {
   int32 timeout_sec = 9;
   string team_id = 10;
   string template_id = 11;
+
+  // Runtime metadata (envd_version, kernel_version, etc.).
+  map<string, string> metadata = 12;
 }
 
 message WriteFileRequest {
@@ -269,6 +333,50 @@ message ReadFileStreamResponse {
   bytes chunk = 1;
 }
 
+// ── Filesystem Operations ──────────────────────────────────────────
+
+message ListDirRequest {
+  string sandbox_id = 1;
+  string path = 2;
+  uint32 depth = 3;
+}
+
+message ListDirResponse {
+  repeated FileEntry entries = 1;
+}
+
+message FileEntry {
+  string name = 1;
+  string path = 2;
+  // "file", "directory", or "symlink".
+  string type = 3;
+  int64 size = 4;
+  uint32 mode = 5;
+  // Human-readable permissions string, e.g. "-rwxr-xr-x".
+  string permissions = 6;
+  string owner = 7;
+  string group = 8;
+  // Last modification time as Unix timestamp (seconds).
+  int64 modified_at = 9;
+  optional string symlink_target = 10;
+}
+
+message MakeDirRequest {
+  string sandbox_id = 1;
+  string path = 2;
+}
+
+message MakeDirResponse {
+  FileEntry entry = 1;
+}
+
+message RemovePathRequest {
+  string sandbox_id = 1;
+  string path = 2;
+}
+
+message RemovePathResponse {}
+
 // ── Ping ────────────────────────────────────────────────────────────
 
 message PingSandboxRequest {
@@ -329,3 +437,131 @@ message FlattenRootfsRequest {
 message FlattenRootfsResponse {
   int64 size_bytes = 1;
 }
+
+// ── PTY ─────────────────────────────────────────────────────────────
+
+message PtyAttachRequest {
+  string sandbox_id = 1;
+  // Tag is the stable identifier for this PTY session (e.g. "pty-abc123de").
+  // Chosen by the caller and used to reconnect later.
+  string tag = 2;
+  // If cmd is non-empty, a new process is started. If empty, reconnects to
+  // the existing process identified by tag.
+  string cmd = 3;
+  repeated string args = 4;
+  uint32 cols = 5;
+  uint32 rows = 6;
+  // Environment variables for the process.
+  map<string, string> envs = 7;
+  // Working directory. Empty means default.
+  string cwd = 8;
+  // User to run as. Empty means default (root).
+  string user = 9;
+}
+
+message PtyAttachResponse {
+  oneof event {
+    PtyStarted started = 1;
+    PtyOutput  output  = 2;
+    PtyExited  exited  = 3;
+  }
+}
+
+message PtyStarted {
+  uint32 pid = 1;
+  string tag = 2;
+}
+
+message PtyOutput {
+  bytes data = 1;
+}
+
+message PtyExited {
+  int32  exit_code = 1;
+  string error = 2;
+}
+
+message PtySendInputRequest {
+  string sandbox_id = 1;
+  string tag = 2;
+  bytes  data = 3;
+}
+
+message PtySendInputResponse {}
+
+message PtyResizeRequest {
+  string sandbox_id = 1;
+  string tag = 2;
+  uint32 cols = 3;
+  uint32 rows = 4;
+}
+
+message PtyResizeResponse {}
+
+message PtyKillRequest {
+  string sandbox_id = 1;
+  string tag = 2;
+}
+
+message PtyKillResponse {}
+
+// ── Background Processes ───────────────────────────────────────────
+
+message StartBackgroundRequest {
+  string sandbox_id = 1;
+  string cmd = 2;
+  repeated string args = 3;
+  // User-chosen tag for the process. If empty, the host agent generates one.
+  string tag = 4;
+  map<string, string> envs = 5;
+  string cwd = 6;
+}
+
+message StartBackgroundResponse {
+  uint32 pid = 1;
+  string tag = 2;
+}
+
+message ListProcessesRequest {
+  string sandbox_id = 1;
+}
+
+message ProcessEntry {
+  uint32 pid = 1;
+  string tag = 2;
+  string cmd = 3;
+  repeated string args = 4;
+}
+
+message ListProcessesResponse {
+  repeated ProcessEntry processes = 1;
+}
+
+message KillProcessRequest {
+  string sandbox_id = 1;
+  oneof selector {
+    uint32 pid = 2;
+    string tag = 3;
+  }
+  // Signal to send: "SIGTERM" or "SIGKILL" (default: "SIGKILL").
+  string signal = 4;
+}
+
+message KillProcessResponse {}
+
+message ConnectProcessRequest {
+  string sandbox_id = 1;
+  oneof selector {
+    uint32 pid = 2;
+    string tag = 3;
+  }
+}
+
+// Reuses ExecStream event types for symmetry.
+message ConnectProcessResponse {
+  oneof event {
+    ExecStreamStart start = 1;
+    ExecStreamData data = 2;
+    ExecStreamEnd end = 3;
+  }
+}
diff --git a/recipes/code-runner-beta.healthcheck b/recipes/code-runner-beta.healthcheck
new file mode 100644
index 0000000..186da39
--- /dev/null
+++ b/recipes/code-runner-beta.healthcheck
@@ -0,0 +1 @@
+--interval=5s --timeout=5s --start-period=60s --retries=5 curl -sf http://127.0.0.1:8888/api/status
diff --git a/recipes/code-runner-beta.recipefile b/recipes/code-runner-beta.recipefile
new file mode 100644
index 0000000..dc96779
--- /dev/null
+++ b/recipes/code-runner-beta.recipefile
@@ -0,0 +1,9 @@
+RUN --timeout=5m sudo apt install -y python3 python3-pip python3-venv
+ENV PYTHONUNBUFFERED=1
+
+RUN python3 -m venv ~/jupyter-env
+RUN --timeout=5m ~/jupyter-env/bin/pip install --upgrade pip
+RUN --timeout=5m ~/jupyter-env/bin/pip install jupyter-server ipykernel
+RUN --timeout=5m ~/jupyter-env/bin/python -m ipykernel install --sys-prefix
+
+START ~/jupyter-env/bin/jupyter server --ServerApp.ip=0.0.0.0 --ServerApp.port=8888 --ServerApp.token='' --ServerApp.password='' --ServerApp.allow_origin='*' --ServerApp.disable_check_xsrf=True --no-browser --log-level=INFO
diff --git a/recipes/python-interpreter-v0-beta.healthcheck b/recipes/python-interpreter-v0-beta.healthcheck
deleted file mode 100644
index ca2555c..0000000
--- a/recipes/python-interpreter-v0-beta.healthcheck
+++ /dev/null
@@ -1 +0,0 @@
---interval=5s --timeout=3s --start-period=3s --retries=3 python3 -c "import urllib.request; urllib.request.urlopen('http://127.0.0.1:8888/api/status', timeout=3)"
diff --git a/recipes/python-interpreter-v0-beta.recipefile b/recipes/python-interpreter-v0-beta.recipefile
deleted file mode 100644
index e83f5da..0000000
--- a/recipes/python-interpreter-v0-beta.recipefile
+++ /dev/null
@@ -1,7 +0,0 @@
-RUN apt-get install -y --no-install-recommends python3 python3-pip python3-venv
-RUN python3 -m venv /opt/venv
-ENV PATH=/opt/venv/bin:$PATH
-
-RUN --timeout=5m pip install --no-cache-dir jupyter-server ipykernel
-
-START jupyter server --ServerApp.ip=0.0.0.0 --ServerApp.port=8888 --ServerApp.token='' --ServerApp.allow_origin='*' --ServerApp.disable_check_xsrf=True --no-browser --allow-root
diff --git a/scripts/dev.sh b/scripts/dev.sh
deleted file mode 100644
index e69de29..0000000
diff --git a/scripts/generate-proto.sh b/scripts/generate-proto.sh
deleted file mode 100644
index e69de29..0000000
diff --git a/scripts/prepare-wrenn-user.sh b/scripts/prepare-wrenn-user.sh
new file mode 100755
index 0000000..c48eef0
--- /dev/null
+++ b/scripts/prepare-wrenn-user.sh
@@ -0,0 +1,385 @@
+#!/usr/bin/env bash
+#
+# prepare-wrenn-user.sh — Create the wrenn system user and configure minimal privileges.
+#
+# Creates a locked-down 'wrenn' system user that can run wrenn-agent and wrenn-cp
+# with only the privileges they need. The agent binary gets Linux capabilities
+# via setcap — no sudo is configured for the wrenn user at all. If an attacker
+# compromises the wrenn user, they cannot escalate via sudo.
+#
+# What this script does:
+#   1. Creates the 'wrenn' system user (bash shell for debugging, no home dir)
+#   2. Creates required directories with correct ownership
+#   3. Sets Linux capabilities on wrenn-agent and all child binaries
+#   4. Installs an apt hook to restore capabilities after package updates
+#   5. Installs a sudoers drop-in (comment-only, no grants — absence is the cage)
+#   6. Ensures required kernel modules are loaded
+#   7. Writes systemd unit files for both wrenn-agent and wrenn-cp
+#
+# Usage:
+#   sudo bash scripts/prepare-wrenn-user.sh
+#
+# Prerequisites:
+#   - wrenn-agent binary at /usr/local/bin/wrenn-agent
+#   - wrenn-cp binary at /usr/local/bin/wrenn-cp
+#   - firecracker binary at /usr/local/bin/firecracker
+#   - libcap2-bin installed (for setcap)
+
+set -euo pipefail
+
+# ── Guard ────────────────────────────────────────────────────────────────────
+
+if [[ $EUID -ne 0 ]]; then
+    echo "ERROR: This script must be run as root."
+    exit 1
+fi
+
+# ── Configuration ────────────────────────────────────────────────────────────
+
+WRENN_USER="wrenn"
+WRENN_GROUP="wrenn"
+WRENN_DIR="/var/lib/wrenn"
+AGENT_BIN="/usr/local/bin/wrenn-agent"
+CP_BIN="/usr/local/bin/wrenn-cp"
+FC_BIN="/usr/local/bin/firecracker"
+RESTORE_CAPS_SCRIPT="/etc/wrenn/restore-caps.sh"
+
+# ── 1. Create system user ───────────────────────────────────────────────────
+
+if id "${WRENN_USER}" &>/dev/null; then
+    echo "==> User '${WRENN_USER}' already exists, skipping creation."
+else
+    echo "==> Creating system user '${WRENN_USER}'..."
+    useradd \
+        --system \
+        --no-create-home \
+        --home-dir "${WRENN_DIR}" \
+        --shell /bin/bash \
+        "${WRENN_USER}"
+fi
+
+# Add wrenn to kvm group for /dev/kvm access.
+if getent group kvm &>/dev/null; then
+    usermod -aG kvm "${WRENN_USER}"
+    echo "==> Added '${WRENN_USER}' to 'kvm' group."
+fi
+
+# ── 2. Create directories with correct ownership ────────────────────────────
+
+echo "==> Setting up directories..."
+
+directories=(
+    "${WRENN_DIR}"
+    "${WRENN_DIR}/images"
+    "${WRENN_DIR}/kernels"
+    "${WRENN_DIR}/sandboxes"
+    "${WRENN_DIR}/snapshots"
+    "${WRENN_DIR}/logs"
+    "/run/netns"
+)
+
+for dir in "${directories[@]}"; do
+    mkdir -p "${dir}"
+done
+
+# Only chown wrenn-owned dirs (not /run/netns which is system-managed).
+for dir in "${WRENN_DIR}" "${WRENN_DIR}/images" "${WRENN_DIR}/kernels" \
+           "${WRENN_DIR}/sandboxes" "${WRENN_DIR}/snapshots" "${WRENN_DIR}/logs"; do
+    chown "${WRENN_USER}:${WRENN_GROUP}" "${dir}"
+    chmod 750 "${dir}"
+done
+
+# ── 3. Set capabilities on binaries ─────────────────────────────────────────
+#
+# These capabilities replace full root access. The wrenn-agent binary gets
+# exactly the capabilities it needs for:
+#
+#   CAP_SYS_ADMIN   — network namespaces (netns create/enter), mount namespaces
+#                     (unshare -m), losetup, dmsetup, mount/umount
+#   CAP_NET_ADMIN   — veth/TAP creation (netlink), iptables rules, IP forwarding,
+#                     routing table manipulation
+#   CAP_NET_RAW     — raw socket access (needed by iptables internally)
+#   CAP_SYS_PTRACE  — reading /proc/self/ns/net (netns.Get)
+#   CAP_KILL        — sending SIGTERM/SIGKILL to Firecracker processes
+#   CAP_DAC_OVERRIDE — accessing /dev/loop*, /dev/mapper/*, /dev/net/tun,
+#                      /proc/sys/net/ipv4/ip_forward
+#   CAP_MKNOD       — creating device nodes (dm-snapshot)
+#
+# The 'ep' suffix means Effective + Permitted (granted at exec time).
+
+echo "==> Setting capabilities on wrenn-agent..."
+
+if [[ ! -f "${AGENT_BIN}" ]]; then
+    echo "WARNING: ${AGENT_BIN} not found, skipping setcap. Install the binary first."
+else
+    setcap \
+        cap_sys_admin,cap_net_admin,cap_net_raw,cap_sys_ptrace,cap_kill,cap_dac_override,cap_mknod+ep \
+        "${AGENT_BIN}"
+
+    echo "    Capabilities set on ${AGENT_BIN}:"
+    getcap "${AGENT_BIN}"
+fi
+
+# Firecracker also needs capabilities when spawned by a non-root parent.
+# CAP_NET_ADMIN is required for network device access inside the netns.
+if [[ -f "${FC_BIN}" ]]; then
+    setcap cap_net_admin,cap_sys_admin,cap_dac_override+ep "${FC_BIN}"
+    echo "    Capabilities set on ${FC_BIN}:"
+    getcap "${FC_BIN}"
+fi
+
+# ── Helper: resolve binary path and apply setcap ────────────────────────────
+#
+# Uses `command -v` to find the binary in PATH (handles /usr/bin vs /usr/sbin
+# differences across distros), then `readlink -f` to resolve symlinks so that
+# setcap hits the real inode (important for iptables-nft/alternatives).
+
+setcap_binary() {
+    local name="$1" caps="$2"
+    local bin
+    bin=$(command -v "$name" 2>/dev/null) || {
+        echo "    WARNING: ${name} not found in PATH, skipping."
+        return 0
+    }
+    bin=$(readlink -f "$bin")
+    setcap "$caps" "$bin"
+    echo "    $(getcap "$bin")"
+}
+
+# The child binaries invoked by wrenn-agent (iptables, losetup, dmsetup, etc.)
+# also need capabilities since they'll be exec'd by a non-root user.
+echo "==> Setting capabilities on child binaries..."
+
+setcap_binary iptables      "cap_net_admin,cap_net_raw+ep"
+setcap_binary iptables-save "cap_net_admin,cap_net_raw+ep"
+setcap_binary ip            "cap_sys_admin,cap_net_admin+ep"
+setcap_binary sysctl        "cap_net_admin+ep"
+setcap_binary losetup       "cap_sys_admin,cap_dac_override+ep"
+setcap_binary blockdev      "cap_sys_admin,cap_dac_override+ep"
+setcap_binary dmsetup       "cap_sys_admin,cap_dac_override,cap_mknod+ep"
+setcap_binary e2fsck        "cap_sys_admin,cap_dac_override+ep"
+setcap_binary resize2fs     "cap_sys_admin,cap_dac_override+ep"
+setcap_binary dd            "cap_dac_override+ep"
+setcap_binary unshare       "cap_sys_admin+ep"
+setcap_binary mount         "cap_sys_admin,cap_dac_override+ep"
+
+# ── 4. Persist capabilities across package updates ──────────────────────────
+#
+# apt/dpkg overwrites binaries on package updates, which strips the xattr-based
+# capabilities set by setcap. This installs:
+#   - /etc/wrenn/restore-caps.sh: re-applies setcap to all child binaries
+#   - /etc/apt/apt.conf.d/99-wrenn-setcap: apt post-invoke hook that calls it
+
+echo "==> Installing capability restore hook..."
+
+mkdir -p /etc/wrenn
+
+cat > "${RESTORE_CAPS_SCRIPT}" << 'RESTORE'
+#!/usr/bin/env bash
+#
+# restore-caps.sh — Re-apply Linux capabilities to wrenn child binaries.
+# Called automatically by apt after package updates (see /etc/apt/apt.conf.d/99-wrenn-setcap).
+# Can also be run manually: sudo /etc/wrenn/restore-caps.sh
+
+set -euo pipefail
+
+setcap_binary() {
+    local name="$1" caps="$2"
+    local bin
+    bin=$(command -v "$name" 2>/dev/null) || return 0
+    bin=$(readlink -f "$bin")
+    setcap "$caps" "$bin" 2>/dev/null || true
+}
+
+# wrenn-agent and firecracker (only if present — they aren't package-managed).
+[[ -f /usr/local/bin/wrenn-agent ]] && \
+    setcap cap_sys_admin,cap_net_admin,cap_net_raw,cap_sys_ptrace,cap_kill,cap_dac_override,cap_mknod+ep \
+        /usr/local/bin/wrenn-agent 2>/dev/null || true
+[[ -f /usr/local/bin/firecracker ]] && \
+    setcap cap_net_admin,cap_sys_admin,cap_dac_override+ep \
+        /usr/local/bin/firecracker 2>/dev/null || true
+
+# Child binaries (these are the ones wiped by apt).
+setcap_binary iptables      "cap_net_admin,cap_net_raw+ep"
+setcap_binary iptables-save "cap_net_admin,cap_net_raw+ep"
+setcap_binary ip            "cap_sys_admin,cap_net_admin+ep"
+setcap_binary sysctl        "cap_net_admin+ep"
+setcap_binary losetup       "cap_sys_admin,cap_dac_override+ep"
+setcap_binary blockdev      "cap_sys_admin,cap_dac_override+ep"
+setcap_binary dmsetup       "cap_sys_admin,cap_dac_override,cap_mknod+ep"
+setcap_binary e2fsck        "cap_sys_admin,cap_dac_override+ep"
+setcap_binary resize2fs     "cap_sys_admin,cap_dac_override+ep"
+setcap_binary dd            "cap_dac_override+ep"
+setcap_binary unshare       "cap_sys_admin+ep"
+setcap_binary mount         "cap_sys_admin,cap_dac_override+ep"
+RESTORE
+
+chmod 755 "${RESTORE_CAPS_SCRIPT}"
+
+cat > /etc/apt/apt.conf.d/99-wrenn-setcap << 'APT'
+// Re-apply Linux capabilities to wrenn child binaries after any package update.
+// Capabilities (xattr) are stripped when dpkg overwrites a binary.
+DPkg::Post-Invoke { "/etc/wrenn/restore-caps.sh"; };
+APT
+
+echo "    Installed ${RESTORE_CAPS_SCRIPT} and apt post-invoke hook."
+
+# ── 5. Device access ────────────────────────────────────────────────────────
+#
+# /dev/kvm   — handled by kvm group membership above
+# /dev/net/tun — needs to be accessible by wrenn user
+
+echo "==> Configuring device access..."
+
+# Ensure /dev/net/tun is accessible (udev rule for persistence across reboots).
+cat > /etc/udev/rules.d/99-wrenn.rules << 'UDEV'
+# Allow wrenn user access to TUN device for TAP networking.
+SUBSYSTEM=="misc", KERNEL=="tun", GROUP="wrenn", MODE="0660"
+UDEV
+
+udevadm control --reload-rules 2>/dev/null || true
+echo "    Installed udev rule for /dev/net/tun."
+
+# ── 6. Kernel modules ───────────────────────────────────────────────────────
+
+echo "==> Ensuring kernel modules are loaded..."
+
+modules=(dm_snapshot dm_mod loop tun)
+for mod in "${modules[@]}"; do
+    if ! lsmod | grep -q "^${mod}"; then
+        modprobe "${mod}" 2>/dev/null && echo "    Loaded ${mod}" || echo "    WARNING: Could not load ${mod}"
+    else
+        echo "    ${mod} already loaded."
+    fi
+done
+
+# Persist across reboots.
+for mod in "${modules[@]}"; do
+    grep -qxF "${mod}" /etc/modules-load.d/wrenn.conf 2>/dev/null || echo "${mod}" >> /etc/modules-load.d/wrenn.conf
+done
+echo "    Module persistence written to /etc/modules-load.d/wrenn.conf."
+
+# ── 7. Sudoers ──────────────────────────────────────────────────────────────
+#
+# The wrenn user has no sudo grants. The absence of a grant is the cage — an
+# explicit "!ALL" deny is weaker due to known bypasses (CVE-2019-14287).
+# This file exists purely as documentation for operators running `sudo -l`.
+
+echo "==> Writing sudoers drop-in..."
+
+cat > /etc/sudoers.d/wrenn << 'SUDOERS'
+# Wrenn system user — no sudo access permitted.
+# All privilege is granted via Linux capabilities on specific binaries (setcap).
+# This file contains no active rules. The absence of any grant is intentional
+# and is the strongest way to deny escalation.
+#
+# Do not add rules here. If the wrenn user needs new privileges, use setcap
+# on the specific binary instead.
+SUDOERS
+
+chmod 440 /etc/sudoers.d/wrenn
+visudo -c -f /etc/sudoers.d/wrenn
+echo "    /etc/sudoers.d/wrenn installed and validated."
+
+# ── 8. Systemd units ────────────────────────────────────────────────────────
+
+echo "==> Writing systemd service files..."
+
+cat > /etc/systemd/system/wrenn-agent.service << 'UNIT'
+[Unit]
+Description=Wrenn Host Agent
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+User=wrenn
+Group=wrenn
+EnvironmentFile=-/etc/wrenn/agent.env
+
+# The binary has capabilities set via setcap. These systemd directives ensure
+# the capabilities are inherited into the process at exec time.
+AmbientCapabilities=CAP_SYS_ADMIN CAP_NET_ADMIN CAP_NET_RAW CAP_SYS_PTRACE CAP_KILL CAP_DAC_OVERRIDE CAP_MKNOD
+CapabilityBoundingSet=CAP_SYS_ADMIN CAP_NET_ADMIN CAP_NET_RAW CAP_SYS_PTRACE CAP_KILL CAP_DAC_OVERRIDE CAP_MKNOD
+
+# IMPORTANT: must be false — child binaries (iptables, losetup, dmsetup, etc.)
+# have their own file capabilities via setcap which must be honored at exec time.
+NoNewPrivileges=false
+
+# Enable IP forwarding before the agent starts. The "+" prefix runs this
+# directive as root (bypassing User=wrenn) so it can write to procfs.
+ExecStartPre=+/bin/sh -c 'sysctl -w net.ipv4.ip_forward=1'
+
+ExecStart=/usr/local/bin/wrenn-agent --address ${WRENN_ADVERTISE_ADDR}
+
+Restart=on-failure
+RestartSec=5
+
+# File descriptor limits (Firecracker + loop devices + sockets).
+LimitNOFILE=65536
+LimitNPROC=4096
+
+# Protect host filesystem — only allow access to what's needed.
+ProtectHome=true
+ReadWritePaths=/var/lib/wrenn /tmp /run/netns /dev/mapper
+ReadOnlyPaths=/usr/local/bin/firecracker
+
+[Install]
+WantedBy=multi-user.target
+UNIT
+
+cat > /etc/systemd/system/wrenn-cp.service << 'UNIT'
+[Unit]
+Description=Wrenn Control Plane
+After=network-online.target postgresql.service
+Wants=network-online.target
+
+[Service]
+Type=simple
+User=wrenn
+Group=wrenn
+EnvironmentFile=-/etc/wrenn/cp.env
+
+# Control plane is fully unprivileged — no capabilities needed.
+NoNewPrivileges=true
+CapabilityBoundingSet=
+
+ExecStart=/usr/local/bin/wrenn-cp
+
+Restart=on-failure
+RestartSec=5
+
+ProtectHome=true
+ProtectSystem=strict
+ReadWritePaths=/tmp
+
+[Install]
+WantedBy=multi-user.target
+UNIT
+
+mkdir -p /etc/wrenn
+touch /etc/wrenn/agent.env /etc/wrenn/cp.env
+chmod 640 /etc/wrenn/agent.env /etc/wrenn/cp.env
+chown root:${WRENN_GROUP} /etc/wrenn/agent.env /etc/wrenn/cp.env
+
+systemctl daemon-reload
+echo "    wrenn-agent.service and wrenn-cp.service installed."
+
+# ── Done ─────────────────────────────────────────────────────────────────────
+
+echo ""
+echo "=== Setup complete ==="
+echo ""
+echo "Next steps:"
+echo "  1. Copy wrenn-agent and wrenn-cp binaries to /usr/local/bin/"
+echo "  2. Edit /etc/wrenn/agent.env with WRENN_CP_URL and WRENN_ADVERTISE_ADDR"
+echo "  3. Edit /etc/wrenn/cp.env with DATABASE_URL and other control plane config"
+echo "  4. systemctl enable --now wrenn-agent"
+echo "  5. systemctl enable --now wrenn-cp"
+echo ""
+echo "Security summary:"
+echo "  - wrenn user: bash shell (for debugging), no home, no sudo (no grants in sudoers)"
+echo "  - wrenn-agent: runs as wrenn with 7 capabilities via setcap (not root)"
+echo "  - wrenn-cp: runs as wrenn with zero capabilities"
+echo "  - Capabilities auto-restored after apt upgrades via /etc/wrenn/restore-caps.sh"
+echo ""
diff --git a/scripts/rootfs-from-container.sh b/scripts/rootfs-from-container.sh
index 2f96a3a..74e309b 100755
--- a/scripts/rootfs-from-container.sh
+++ b/scripts/rootfs-from-container.sh
@@ -86,7 +86,7 @@ sudo mkfs.ext4 -F "${OUTPUT_FILE}"
 # Step 4: Mount and populate.
 echo "==> Mounting image at ${MOUNT_DIR}..."
 mkdir -p "${MOUNT_DIR}"
-sudo mount -o loop "${OUTPUT_FILE}" "${MOUNT_DIR}"
+sudo mount -o loop,rw "${OUTPUT_FILE}" "${MOUNT_DIR}"
 
 echo "==> Extracting container filesystem..."
 sudo tar xf "${TAR_FILE}" -C "${MOUNT_DIR}"
diff --git a/scripts/setup-host.sh b/scripts/setup-host.sh
deleted file mode 100644
index e69de29..0000000
diff --git a/scripts/test-host.sh b/scripts/test-host.sh
deleted file mode 100755
index 1cd61e7..0000000
--- a/scripts/test-host.sh
+++ /dev/null
@@ -1,233 +0,0 @@
-#!/usr/bin/env bash
-#
-# test-host.sh — Integration test for the Wrenn host agent.
-#
-# Prerequisites:
-#   - Host agent running: sudo ./builds/wrenn-agent
-#   - Firecracker installed at /usr/local/bin/firecracker
-#   - Kernel at /var/lib/wrenn/kernels/vmlinux
-#   - Base rootfs at /var/lib/wrenn/images/minimal.ext4 (with envd + wrenn-init baked in)
-#
-# Usage:
-#   ./scripts/test-host.sh [agent_url]
-#
-# The agent URL defaults to http://localhost:50051.
-
-set -euo pipefail
-
-AGENT="${1:-http://localhost:50051}"
-BASE="/hostagent.v1.HostAgentService"
-SANDBOX_ID=""
-
-# Colors for output.
-RED='\033[0;31m'
-GREEN='\033[0;32m'
-YELLOW='\033[0;33m'
-NC='\033[0m'
-
-pass() { echo -e "${GREEN}PASS${NC}: $1"; }
-fail() { echo -e "${RED}FAIL${NC}: $1"; exit 1; }
-info() { echo -e "${YELLOW}----${NC}: $1"; }
-
-rpc() {
-    local method="$1"
-    local body="$2"
-    curl -s -X POST \
-        -H "Content-Type: application/json" \
-        "${AGENT}${BASE}/${method}" \
-        -d "${body}"
-}
-
-# ──────────────────────────────────────────────────
-# Test 1: List sandboxes (should be empty)
-# ──────────────────────────────────────────────────
-info "Test 1: List sandboxes (expect empty)"
-
-RESULT=$(rpc "ListSandboxes" '{}')
-echo "  Response: ${RESULT}"
-
-echo "${RESULT}" | grep -q '"sandboxes"' || echo "${RESULT}" | grep -q '{}' && \
-    pass "ListSandboxes returned" || \
-    fail "ListSandboxes failed"
-
-# ──────────────────────────────────────────────────
-# Test 2: Create a sandbox
-# ──────────────────────────────────────────────────
-info "Test 2: Create a sandbox"
-
-RESULT=$(rpc "CreateSandbox" '{
-    "template": "minimal",
-    "vcpus": 1,
-    "memoryMb": 512,
-    "timeoutSec": 300
-}')
-echo "  Response: ${RESULT}"
-
-SANDBOX_ID=$(echo "${RESULT}" | python3 -c "import sys,json; print(json.load(sys.stdin)['sandboxId'])" 2>/dev/null) || \
-    fail "CreateSandbox did not return sandboxId"
-
-echo "  Sandbox ID: ${SANDBOX_ID}"
-pass "Sandbox created: ${SANDBOX_ID}"
-
-# ──────────────────────────────────────────────────
-# Test 3: List sandboxes (should have one)
-# ──────────────────────────────────────────────────
-info "Test 3: List sandboxes (expect one)"
-
-RESULT=$(rpc "ListSandboxes" '{}')
-echo "  Response: ${RESULT}"
-
-echo "${RESULT}" | grep -q "${SANDBOX_ID}" && \
-    pass "Sandbox ${SANDBOX_ID} found in list" || \
-    fail "Sandbox not found in list"
-
-# ──────────────────────────────────────────────────
-# Test 4: Execute a command
-# ──────────────────────────────────────────────────
-info "Test 4: Execute 'echo hello world'"
-
-RESULT=$(rpc "Exec" "{
-    \"sandboxId\": \"${SANDBOX_ID}\",
-    \"cmd\": \"/bin/sh\",
-    \"args\": [\"-c\", \"echo hello world\"],
-    \"timeoutSec\": 10
-}")
-echo "  Response: ${RESULT}"
-
-# stdout is base64-encoded in Connect RPC JSON.
-STDOUT=$(echo "${RESULT}" | python3 -c "
-import sys, json, base64
-r = json.load(sys.stdin)
-print(base64.b64decode(r['stdout']).decode().strip())
-" 2>/dev/null) || fail "Exec did not return stdout"
-
-[ "${STDOUT}" = "hello world" ] && \
-    pass "Exec returned correct output: '${STDOUT}'" || \
-    fail "Expected 'hello world', got '${STDOUT}'"
-
-# ──────────────────────────────────────────────────
-# Test 5: Execute a multi-line command
-# ──────────────────────────────────────────────────
-info "Test 5: Execute multi-line command"
-
-RESULT=$(rpc "Exec" "{
-    \"sandboxId\": \"${SANDBOX_ID}\",
-    \"cmd\": \"/bin/sh\",
-    \"args\": [\"-c\", \"echo line1; echo line2; echo line3\"],
-    \"timeoutSec\": 10
-}")
-echo "  Response: ${RESULT}"
-
-LINE_COUNT=$(echo "${RESULT}" | python3 -c "
-import sys, json, base64
-r = json.load(sys.stdin)
-lines = base64.b64decode(r['stdout']).decode().strip().split('\n')
-print(len(lines))
-" 2>/dev/null)
-
-[ "${LINE_COUNT}" = "3" ] && \
-    pass "Multi-line output: ${LINE_COUNT} lines" || \
-    fail "Expected 3 lines, got ${LINE_COUNT}"
-
-# ──────────────────────────────────────────────────
-# Test 6: Pause the sandbox
-# ──────────────────────────────────────────────────
-info "Test 6: Pause sandbox"
-
-RESULT=$(rpc "PauseSandbox" "{\"sandboxId\": \"${SANDBOX_ID}\"}")
-echo "  Response: ${RESULT}"
-
-# Verify status is paused.
-LIST=$(rpc "ListSandboxes" '{}')
-echo "${LIST}" | grep -q '"paused"' && \
-    pass "Sandbox paused" || \
-    fail "Sandbox not in paused state"
-
-# ──────────────────────────────────────────────────
-# Test 7: Exec should fail while paused
-# ──────────────────────────────────────────────────
-info "Test 7: Exec while paused (expect error)"
-
-RESULT=$(rpc "Exec" "{
-    \"sandboxId\": \"${SANDBOX_ID}\",
-    \"cmd\": \"/bin/echo\",
-    \"args\": [\"should fail\"]
-}")
-echo "  Response: ${RESULT}"
-
-echo "${RESULT}" | grep -qi "not running\|error\|code" && \
-    pass "Exec correctly rejected while paused" || \
-    fail "Exec should have failed while paused"
-
-# ──────────────────────────────────────────────────
-# Test 8: Resume the sandbox
-# ──────────────────────────────────────────────────
-info "Test 8: Resume sandbox"
-
-RESULT=$(rpc "ResumeSandbox" "{\"sandboxId\": \"${SANDBOX_ID}\"}")
-echo "  Response: ${RESULT}"
-
-# Verify status is running.
-LIST=$(rpc "ListSandboxes" '{}')
-echo "${LIST}" | grep -q '"running"' && \
-    pass "Sandbox resumed" || \
-    fail "Sandbox not in running state"
-
-# ──────────────────────────────────────────────────
-# Test 9: Exec after resume
-# ──────────────────────────────────────────────────
-info "Test 9: Exec after resume"
-
-RESULT=$(rpc "Exec" "{
-    \"sandboxId\": \"${SANDBOX_ID}\",
-    \"cmd\": \"/bin/sh\",
-    \"args\": [\"-c\", \"echo resumed ok\"],
-    \"timeoutSec\": 10
-}")
-echo "  Response: ${RESULT}"
-
-STDOUT=$(echo "${RESULT}" | python3 -c "
-import sys, json, base64
-r = json.load(sys.stdin)
-print(base64.b64decode(r['stdout']).decode().strip())
-" 2>/dev/null) || fail "Exec after resume failed"
-
-[ "${STDOUT}" = "resumed ok" ] && \
-    pass "Exec after resume works: '${STDOUT}'" || \
-    fail "Expected 'resumed ok', got '${STDOUT}'"
-
-# ──────────────────────────────────────────────────
-# Test 10: Destroy the sandbox
-# ──────────────────────────────────────────────────
-info "Test 10: Destroy sandbox"
-
-RESULT=$(rpc "DestroySandbox" "{\"sandboxId\": \"${SANDBOX_ID}\"}")
-echo "  Response: ${RESULT}"
-pass "Sandbox destroyed"
-
-# ──────────────────────────────────────────────────
-# Test 11: List sandboxes (should be empty again)
-# ──────────────────────────────────────────────────
-info "Test 11: List sandboxes (expect empty)"
-
-RESULT=$(rpc "ListSandboxes" '{}')
-echo "  Response: ${RESULT}"
-
-echo "${RESULT}" | grep -q "${SANDBOX_ID}" && \
-    fail "Destroyed sandbox still in list" || \
-    pass "Sandbox list is clean"
-
-# ──────────────────────────────────────────────────
-# Test 12: Destroy non-existent sandbox (expect error)
-# ──────────────────────────────────────────────────
-info "Test 12: Destroy non-existent sandbox (expect error)"
-
-RESULT=$(rpc "DestroySandbox" '{"sandboxId": "sb-nonexist"}')
-echo "  Response: ${RESULT}"
-
-echo "${RESULT}" | grep -qi "not found\|error\|code" && \
-    pass "Correctly rejected non-existent sandbox" || \
-    fail "Should have returned error for non-existent sandbox"
-
-echo ""
-echo -e "${GREEN}All tests passed!${NC}"
diff --git a/scripts/update-debug-rootfs.sh b/scripts/update-minimal-rootfs.sh
similarity index 98%
rename from scripts/update-debug-rootfs.sh
rename to scripts/update-minimal-rootfs.sh
index bdedded..71a9f47 100755
--- a/scripts/update-debug-rootfs.sh
+++ b/scripts/update-minimal-rootfs.sh
@@ -45,7 +45,7 @@ fi
 # Step 2: Mount the rootfs.
 echo "==> Mounting rootfs at ${MOUNT_DIR}..."
 mkdir -p "${MOUNT_DIR}"
-sudo mount -o loop "${ROOTFS}" "${MOUNT_DIR}"
+sudo mount -o loop,rw "${ROOTFS}" "${MOUNT_DIR}"
 
 cleanup() {
     echo "==> Unmounting rootfs..."
diff --git a/sqlc.yaml b/sqlc.yaml
index eb9298f..1840f4e 100644
--- a/sqlc.yaml
+++ b/sqlc.yaml
@@ -6,6 +6,6 @@ sql:
     gen:
       go:
         package: "db"
-        out: "internal/db"
+        out: "pkg/db"
         sql_package: "pgx/v5"
         emit_json_tags: true