From bf40687d8adb153aa92ad219e115436ad67b2b26 Mon Sep 17 00:00:00 2001
From: Aseem Shrey <LuD1161@users.noreply.github.com>
Date: Wed, 11 Feb 2026 20:53:44 -0500
Subject: [PATCH 1/5] feat(integrations): add first-class AWS and Slack
 integrations with redesigned UI
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Add comprehensive integrations module with AWS and Slack as first-class
providers, including a redesigned frontend, new backend services, worker
components, and sample CSPM workflows.

Backend:
- Expand integration_tokens schema with org-scoped fields, health tracking,
  credential types (api_key, iam_role, webhook, oauth), and display names
- Add @InternalOnly() guard for internal-only endpoints (X-Internal-Token)
- Add AwsService (STS AssumeRole, Organizations discovery) and SlackService
  (webhook messaging, OAuth token exchange)
- Add integration catalog with static provider definitions and setup instructions
- Add SetupTokenService and ExternalIdGenerator for secure onboarding flows
- Expand controller with catalog, org-connections, AWS/Slack creation,
  validation, credential resolution, and org-discovery endpoints
- Enforce @CurrentAuth() on all user-facing routes (D16)
- Add assertConnectionOwnership for org-bound authorization (D18)

Frontend:
- Redesign IntegrationsManager as provider card grid with connection counts
- Add IntegrationDetailPage with setup instructions, connection table,
  and provider-specific forms (AWS access key/IAM role, Slack webhook/OAuth)
- Update integrationStore with org-scoped connections, merge-and-dedup (D17),
  catalog fetching, and provider-specific create/validate/test actions
- Update API service with direct fetch calls for new endpoints
- Update ParameterField to use merged connections for workflow selectors

Worker:
- Add integration-credential-resolver component (resolves creds via internal API)
- Add aws-org-discovery component (lists AWS Organization accounts)
- Add aws-assume-role component (STS AssumeRole for cross-account scanning)

Sample workflows:
- AWS CSPM Org Account Discovery (resolve creds → discover accounts)
- AWS CSPM Prowler to Analytics (resolve creds → Prowler scan → Analytics Sink)

Signed-off-by: Aseem Shrey <LuD1161@users.noreply.github.com>
---
 backend/.env.example                          |    9 +
 .../0020_expand-integration-tokens.sql        |   62 +
 backend/package.json                          |    5 +-
 backend/scripts/seed-aws-cspm-workflow.ts     |   61 +
 .../src/common/guards/internal-only.guard.ts  |   77 +
 backend/src/database/schema/integrations.ts   |   19 +-
 backend/src/integrations/aws.service.ts       |  177 +++
 .../src/integrations/external-id-generator.ts |  109 ++
 .../src/integrations/integration-catalog.ts   |  175 +++
 .../src/integrations/integration-providers.ts |   26 +
 .../integrations/integrations.controller.ts   |  311 +++-
 backend/src/integrations/integrations.dto.ts  |  163 ++-
 .../src/integrations/integrations.module.ts   |   12 +-
 .../integrations/integrations.repository.ts   |  152 +-
 .../src/integrations/integrations.service.ts  |  451 +++++-
 .../src/integrations/setup-token.service.ts   |   75 +
 backend/src/integrations/slack.service.ts     |  116 ++
 backend/src/main.ts                           |    7 +
 bun.lock                                      |  160 +-
 docs/sample/aws-cspm-org-discovery.json       |  108 ++
 .../sample/aws-cspm-prowler-to-analytics.json |  122 ++
 frontend/.env.example                         |    5 +
 frontend/public/icons/aws.png                 |  Bin 0 -> 123445 bytes
 frontend/public/icons/github.svg              |    3 +
 frontend/public/icons/jira.svg                |   15 +
 frontend/public/icons/slack.svg               |    6 +
 frontend/src/App.tsx                          |    2 +
 .../components/workflow/ParameterField.tsx    |   59 +-
 frontend/src/config/env.ts                    |    2 +
 frontend/src/pages/IntegrationCallback.tsx    |   10 +-
 frontend/src/pages/IntegrationDetailPage.tsx  | 1283 +++++++++++++++++
 frontend/src/pages/IntegrationsManager.tsx    | 1048 +++-----------
 frontend/src/services/api.ts                  |  229 ++-
 frontend/src/store/integrationStore.ts        |  215 ++-
 worker/package.json                           |    2 +
 worker/src/components/core/aws-assume-role.ts |  133 ++
 .../src/components/core/aws-org-discovery.ts  |  106 ++
 .../core/integration-credential-resolver.ts   |  222 +++
 worker/src/components/index.ts                |    3 +
 .../src/components/security/prowler-scan.ts   |   13 +-
 worker/src/temporal/utils/component-output.ts |    3 +
 41 files changed, 4704 insertions(+), 1052 deletions(-)
 create mode 100644 backend/drizzle/0020_expand-integration-tokens.sql
 create mode 100644 backend/scripts/seed-aws-cspm-workflow.ts
 create mode 100644 backend/src/common/guards/internal-only.guard.ts
 create mode 100644 backend/src/integrations/aws.service.ts
 create mode 100644 backend/src/integrations/external-id-generator.ts
 create mode 100644 backend/src/integrations/integration-catalog.ts
 create mode 100644 backend/src/integrations/setup-token.service.ts
 create mode 100644 backend/src/integrations/slack.service.ts
 create mode 100644 docs/sample/aws-cspm-org-discovery.json
 create mode 100644 docs/sample/aws-cspm-prowler-to-analytics.json
 create mode 100644 frontend/public/icons/aws.png
 create mode 100644 frontend/public/icons/github.svg
 create mode 100644 frontend/public/icons/jira.svg
 create mode 100644 frontend/public/icons/slack.svg
 create mode 100644 frontend/src/pages/IntegrationDetailPage.tsx
 create mode 100644 worker/src/components/core/aws-assume-role.ts
 create mode 100644 worker/src/components/core/aws-org-discovery.ts
 create mode 100644 worker/src/components/core/integration-credential-resolver.ts

diff --git a/backend/.env.example b/backend/.env.example
index e2c3f27b..c4a7b2fb 100644
--- a/backend/.env.example
+++ b/backend/.env.example
@@ -68,3 +68,12 @@ REDIS_URL=""
 
 # Kafka / Redpanda configuration for node I/O, log, and event ingestion
 LOG_KAFKA_BROKERS="localhost:19092"
+
+# Extra CORS origins (comma-separated), e.g. for ngrok tunnels
+# CORS_EXTRA_ORIGINS="https://your-ngrok-url.ngrok-free.app"
+
+# Slack OAuth integration (required for Slack app installation into customer workspaces)
+SLACK_OAUTH_CLIENT_ID=""
+SLACK_OAUTH_CLIENT_SECRET=""
+# Override default scopes (comma-separated); defaults: channels:read,chat:write,chat:write.public,commands,im:write
+# SLACK_OAUTH_SCOPES=""
diff --git a/backend/drizzle/0020_expand-integration-tokens.sql b/backend/drizzle/0020_expand-integration-tokens.sql
new file mode 100644
index 00000000..a7c9f34c
--- /dev/null
+++ b/backend/drizzle/0020_expand-integration-tokens.sql
@@ -0,0 +1,62 @@
+-- Step 1: Add new columns (all nullable initially for safe migration)
+-- organization_id is varchar(255), NOT varchar(191), because the backfill
+-- produces 'workspace-' || user_id (10 + up to 191 chars = 201), which
+-- would overflow varchar(191). (R4 Finding #1)
+-- This wider column is specific to integration_tokens — other tables use
+-- varchar(191) for org IDs because they store real Clerk org IDs directly.
+-- See D14 for rationale.
+ALTER TABLE "integration_tokens"
+  ADD COLUMN IF NOT EXISTS "credential_type" varchar(32) NOT NULL DEFAULT 'oauth',
+  ADD COLUMN IF NOT EXISTS "display_name" varchar(191),
+  ADD COLUMN IF NOT EXISTS "organization_id" varchar(255),
+  ADD COLUMN IF NOT EXISTS "last_validated_at" timestamptz,
+  ADD COLUMN IF NOT EXISTS "last_validation_status" varchar(16),
+  ADD COLUMN IF NOT EXISTS "last_validation_error" text,
+  ADD COLUMN IF NOT EXISTS "last_used_at" timestamptz;
+
+-- Step 2: Backfill organization_id = 'workspace-' || user_id for ALL rows.
+-- Why per-user workspace (not cross-table join):
+--   - `workflows` table has NO `created_by` column (R5 Finding #1), so we can't
+--     map user_id → org_id from existing DB data.
+--   - Per-user workspace guarantees ZERO collisions (R5 Finding #2): each user
+--     gets their own namespace, so (workspace-userA, slack, oauth, slack) and
+--     (workspace-userB, slack, oauth, slack) never conflict — even if both users are
+--     in the same real Clerk org. The unique index creation (Step 6) always succeeds.
+--   - Clerk auth resolves personal workspace as 'workspace-' || userId
+--     (backend/src/auth/providers/clerk-auth.provider.ts).
+-- Tradeoff: local-dev tokens land in 'workspace-admin' instead of 'local-dev'.
+-- Local dev users reconnect once after migration (acceptable for dev environments).
+UPDATE "integration_tokens"
+  SET "organization_id" = 'workspace-' || "user_id"
+  WHERE "organization_id" IS NULL;
+
+-- Step 3: Backfill display_name = provider for existing OAuth rows
+UPDATE "integration_tokens"
+  SET "display_name" = "provider"
+  WHERE "display_name" IS NULL;
+
+-- Step 4: Make both columns NOT NULL now that all rows are backfilled.
+-- organization_id MUST be NOT NULL — PostgreSQL unique indexes treat NULLs as
+-- distinct, so nullable org_id would bypass uniqueness entirely (R3 Finding #4).
+ALTER TABLE "integration_tokens" ALTER COLUMN "organization_id" SET NOT NULL;
+ALTER TABLE "integration_tokens" ALTER COLUMN "display_name" SET NOT NULL;
+
+-- Step 5: Drop old unique index on (user_id, provider)
+DROP INDEX IF EXISTS "integration_tokens_user_provider_uidx";
+
+-- Step 6: New unique index — org-scoped, includes credential_type (D15).
+-- Prevents Slack OAuth/webhook collision: (org, slack, oauth, slack) and
+-- (org, slack, webhook, slack) are distinct rows.
+-- All columns are NOT NULL, so uniqueness is always enforced.
+CREATE UNIQUE INDEX "integration_tokens_org_provider_type_name_uidx"
+  ON "integration_tokens" ("organization_id", "provider", "credential_type", "display_name");
+
+-- Step 7: Add organization_id to OAuth state table (R5 Finding #3).
+-- Without this, completeOAuthSession has no way to retrieve the org that was
+-- active when the user initiated the OAuth flow.
+ALTER TABLE "integration_oauth_states"
+  ADD COLUMN IF NOT EXISTS "organization_id" varchar(255);
+
+-- Step 8: Supporting indexes
+CREATE INDEX IF NOT EXISTS "integration_tokens_org_idx"
+  ON "integration_tokens" ("organization_id");
diff --git a/backend/package.json b/backend/package.json
index b609af47..c8e9b629 100644
--- a/backend/package.json
+++ b/backend/package.json
@@ -15,7 +15,8 @@
     "migration:push": "bun x drizzle-kit push",
     "migration:smoke": "bun scripts/migration-smoke.ts",
     "delete:runs": "bun scripts/delete-all-workflow-runs.ts",
-    "setup:opensearch": "bun scripts/setup-opensearch.ts"
+    "setup:opensearch": "bun scripts/setup-opensearch.ts",
+    "seed:aws-workflow": "bun scripts/seed-aws-cspm-workflow.ts"
   },
   "dependencies": {
     "@clerk/backend": "^2.29.5",
@@ -29,6 +30,8 @@
     "@nestjs/platform-express": "^10.4.22",
     "@nestjs/swagger": "^11.2.5",
     "@nestjs/throttler": "^6.5.0",
+    "@aws-sdk/client-organizations": "^3.750.0",
+    "@aws-sdk/client-sts": "^3.750.0",
     "@opensearch-project/opensearch": "^3.5.1",
     "@shipsec/backend-client": "workspace:*",
     "@shipsec/component-sdk": "workspace:*",
diff --git a/backend/scripts/seed-aws-cspm-workflow.ts b/backend/scripts/seed-aws-cspm-workflow.ts
new file mode 100644
index 00000000..50cb952f
--- /dev/null
+++ b/backend/scripts/seed-aws-cspm-workflow.ts
@@ -0,0 +1,61 @@
+/**
+ * Seed script: imports the AWS CSPM Org Discovery workflow via the backend API.
+ *
+ * Usage:
+ *   bun backend/scripts/seed-aws-cspm-workflow.ts
+ *
+ * The backend must be running on BACKEND_URL (default http://localhost:3001).
+ * Set ADMIN_USERNAME / ADMIN_PASSWORD env vars if admin auth is required,
+ * or CLERK_SESSION_TOKEN for Clerk-based auth.
+ */
+
+import { readFileSync } from 'fs';
+import { resolve } from 'path';
+
+const BACKEND_URL = process.env.BACKEND_URL ?? 'http://localhost:3001';
+const ADMIN_USER = process.env.ADMIN_USERNAME ?? 'admin';
+const ADMIN_PASS = process.env.ADMIN_PASSWORD ?? 'admin';
+
+async function main() {
+  const workflowPath = resolve(import.meta.dir, '../../docs/sample/aws-cspm-org-discovery.json');
+
+  const workflowJson = JSON.parse(readFileSync(workflowPath, 'utf-8'));
+  console.log(`Importing workflow: ${workflowJson.name}`);
+  console.log(`  Nodes: ${workflowJson.nodes.length}`);
+  console.log(`  Edges: ${workflowJson.edges.length}`);
+
+  // Build auth headers — try Clerk token first, then fall back to basic auth
+  const headers: Record<string, string> = {
+    'Content-Type': 'application/json',
+  };
+
+  if (process.env.CLERK_SESSION_TOKEN) {
+    headers['Authorization'] = `Bearer ${process.env.CLERK_SESSION_TOKEN}`;
+  } else {
+    headers['Authorization'] = `Basic ${btoa(`${ADMIN_USER}:${ADMIN_PASS}`)}`;
+  }
+
+  const res = await fetch(`${BACKEND_URL}/api/v1/workflows`, {
+    method: 'POST',
+    headers,
+    body: JSON.stringify(workflowJson),
+  });
+
+  if (!res.ok) {
+    const body = await res.text();
+    console.error(`Failed to create workflow (${res.status}): ${body}`);
+    process.exit(1);
+  }
+
+  const created = await res.json();
+  console.log(`\nWorkflow created successfully!`);
+  console.log(`  ID: ${created.id}`);
+  console.log(`  Name: ${created.name}`);
+  console.log(`  Version: ${created.currentVersion}`);
+  console.log(`\nOpen in dashboard: http://localhost:5173/workflows/${created.id}`);
+}
+
+main().catch((err) => {
+  console.error('Seed failed:', err);
+  process.exit(1);
+});
diff --git a/backend/src/common/guards/internal-only.guard.ts b/backend/src/common/guards/internal-only.guard.ts
new file mode 100644
index 00000000..fd7b10c6
--- /dev/null
+++ b/backend/src/common/guards/internal-only.guard.ts
@@ -0,0 +1,77 @@
+import {
+  CanActivate,
+  ExecutionContext,
+  ForbiddenException,
+  Injectable,
+  Logger,
+  SetMetadata,
+  UseGuards,
+  applyDecorators,
+} from '@nestjs/common';
+import { Reflector } from '@nestjs/core';
+import type { Request } from 'express';
+
+const INTERNAL_ONLY_KEY = 'internal_only';
+
+/**
+ * NestJS guard that restricts access to internal service calls only.
+ *
+ * Authentication is via the `X-Internal-Token` header matched against
+ * the `INTERNAL_SERVICE_TOKEN` environment variable.
+ *
+ * If `INTERNAL_SERVICE_TOKEN` is NOT set:
+ *   - If `ALLOW_INSECURE_INTERNAL_ENDPOINTS=true` → allow with warning
+ *   - Otherwise → reject with 403
+ *
+ * Note: Internal endpoints have no per-org scoping. Workers authenticate
+ * via a shared service secret, not per-user/per-org credentials. Tenant
+ * isolation is enforced at the workflow layer (workflows are org-scoped).
+ */
+@Injectable()
+export class InternalOnlyGuard implements CanActivate {
+  private readonly logger = new Logger(InternalOnlyGuard.name);
+
+  constructor(private readonly reflector: Reflector) {}
+
+  canActivate(context: ExecutionContext): boolean {
+    const isInternalOnly = this.reflector.getAllAndOverride<boolean>(INTERNAL_ONLY_KEY, [
+      context.getHandler(),
+      context.getClass(),
+    ]);
+
+    if (!isInternalOnly) {
+      return true;
+    }
+
+    const request = context.switchToHttp().getRequest<Request>();
+    const providedToken = request.header('x-internal-token');
+    const expectedToken = process.env.INTERNAL_SERVICE_TOKEN;
+
+    if (!expectedToken) {
+      if (process.env.ALLOW_INSECURE_INTERNAL_ENDPOINTS === 'true') {
+        this.logger.warn(
+          `INTERNAL_SERVICE_TOKEN is not set. Allowing insecure access to ${request.method} ${request.path} because ALLOW_INSECURE_INTERNAL_ENDPOINTS=true.`,
+        );
+        return true;
+      }
+
+      throw new ForbiddenException(
+        'INTERNAL_SERVICE_TOKEN must be configured or ALLOW_INSECURE_INTERNAL_ENDPOINTS=true must be set',
+      );
+    }
+
+    if (providedToken !== expectedToken) {
+      throw new ForbiddenException('Invalid internal access token');
+    }
+
+    return true;
+  }
+}
+
+/**
+ * Decorator that restricts an endpoint to internal service calls only.
+ * Validates the `X-Internal-Token` header against `INTERNAL_SERVICE_TOKEN`.
+ */
+export function InternalOnly(): MethodDecorator & ClassDecorator {
+  return applyDecorators(SetMetadata(INTERNAL_ONLY_KEY, true), UseGuards(InternalOnlyGuard));
+}
diff --git a/backend/src/database/schema/integrations.ts b/backend/src/database/schema/integrations.ts
index c10e89f1..67e00eeb 100644
--- a/backend/src/database/schema/integrations.ts
+++ b/backend/src/database/schema/integrations.ts
@@ -2,11 +2,11 @@ import {
   index,
   jsonb,
   pgTable,
+  text,
   timestamp,
   uniqueIndex,
   uuid,
   varchar,
-  text,
 } from 'drizzle-orm/pg-core';
 
 export const integrationTokens = pgTable(
@@ -15,6 +15,9 @@ export const integrationTokens = pgTable(
     id: uuid('id').primaryKey().defaultRandom(),
     userId: varchar('user_id', { length: 191 }).notNull(),
     provider: varchar('provider', { length: 64 }).notNull(),
+    credentialType: varchar('credential_type', { length: 32 }).notNull().default('oauth'),
+    displayName: varchar('display_name', { length: 191 }).notNull(),
+    organizationId: varchar('organization_id', { length: 255 }).notNull(),
     scopes: jsonb('scopes').$type<string[]>().notNull().default([]),
     accessToken: jsonb('access_token')
       .$type<{
@@ -34,15 +37,22 @@ export const integrationTokens = pgTable(
       .default(null),
     tokenType: varchar('token_type', { length: 32 }).default('Bearer'),
     expiresAt: timestamp('expires_at', { withTimezone: true }),
+    lastValidatedAt: timestamp('last_validated_at', { withTimezone: true }),
+    lastValidationStatus: varchar('last_validation_status', { length: 16 }),
+    lastValidationError: text('last_validation_error'),
+    lastUsedAt: timestamp('last_used_at', { withTimezone: true }),
     metadata: jsonb('metadata').$type<Record<string, unknown>>().default({}),
     createdAt: timestamp('created_at', { withTimezone: true }).defaultNow().notNull(),
     updatedAt: timestamp('updated_at', { withTimezone: true }).defaultNow().notNull(),
   },
   (table) => ({
-    userProviderIdx: index('integration_tokens_user_idx').on(table.userId),
-    userProviderUnique: uniqueIndex('integration_tokens_user_provider_uidx').on(
-      table.userId,
+    userIdx: index('integration_tokens_user_idx').on(table.userId),
+    orgIdx: index('integration_tokens_org_idx').on(table.organizationId),
+    orgProviderTypeNameUnique: uniqueIndex('integration_tokens_org_provider_type_name_uidx').on(
+      table.organizationId,
       table.provider,
+      table.credentialType,
+      table.displayName,
     ),
   }),
 );
@@ -54,6 +64,7 @@ export const integrationOAuthStates = pgTable(
     state: text('state').notNull(),
     userId: varchar('user_id', { length: 191 }).notNull(),
     provider: varchar('provider', { length: 64 }).notNull(),
+    organizationId: varchar('organization_id', { length: 255 }),
     codeVerifier: text('code_verifier'),
     createdAt: timestamp('created_at', { withTimezone: true }).defaultNow().notNull(),
   },
diff --git a/backend/src/integrations/aws.service.ts b/backend/src/integrations/aws.service.ts
new file mode 100644
index 00000000..351f1a24
--- /dev/null
+++ b/backend/src/integrations/aws.service.ts
@@ -0,0 +1,177 @@
+import { Injectable, Logger, OnModuleInit } from '@nestjs/common';
+import { STSClient, GetCallerIdentityCommand, AssumeRoleCommand } from '@aws-sdk/client-sts';
+import { OrganizationsClient, paginateListAccounts } from '@aws-sdk/client-organizations';
+
+interface AwsCredentials {
+  accessKeyId: string;
+  secretAccessKey: string;
+  sessionToken?: string;
+}
+
+interface OrgAccount {
+  id: string;
+  name: string;
+  status: string;
+  email: string;
+}
+
+interface OrgAccountsResult {
+  accounts: OrgAccount[];
+}
+
+interface AssumedRoleCredentials {
+  accessKeyId: string;
+  secretAccessKey: string;
+  sessionToken: string;
+}
+
+@Injectable()
+export class AwsService implements OnModuleInit {
+  private readonly logger = new Logger(AwsService.name);
+
+  // ── Startup self-check ──
+  async onModuleInit(): Promise<void> {
+    const platformArn = process.env.SHIPSEC_PLATFORM_ROLE_ARN;
+    if (!platformArn) {
+      this.logger.warn('SHIPSEC_PLATFORM_ROLE_ARN not set — AWS IAM role integration disabled');
+      return;
+    }
+    try {
+      const client = this.getPlatformStsClient();
+      const identity = await client.send(new GetCallerIdentityCommand({}));
+      const callerArn = identity.Arn!;
+      const normalizedCaller = this.normalizeToRoleArn(callerArn);
+      if (normalizedCaller !== platformArn) {
+        const msg =
+          `Platform identity mismatch: SHIPSEC_PLATFORM_ROLE_ARN=${platformArn} ` +
+          `but actual caller is ${callerArn} (normalized: ${normalizedCaller})`;
+        if (process.env.SHIPSEC_AWS_STRICT_IDENTITY_CHECK === 'true') {
+          throw new Error(msg);
+        }
+        this.logger.warn(
+          msg + ' — continuing anyway (set SHIPSEC_AWS_STRICT_IDENTITY_CHECK=true to enforce)',
+        );
+      } else {
+        this.logger.log(`Platform identity verified: ${platformArn}`);
+      }
+    } catch (error) {
+      this.logger.error('AWS platform identity verification failed', error);
+      throw error; // Prevent app from starting with invalid AWS creds
+    }
+  }
+
+  // ── Platform STS client (env vars → default chain) ──
+  private getPlatformStsClient(region?: string): STSClient {
+    const keyId = process.env.SHIPSEC_AWS_ACCESS_KEY_ID;
+    const secret = process.env.SHIPSEC_AWS_SECRET_ACCESS_KEY;
+    if ((keyId && !secret) || (!keyId && secret)) {
+      throw new Error(
+        'Both SHIPSEC_AWS_ACCESS_KEY_ID and SHIPSEC_AWS_SECRET_ACCESS_KEY must be set, or neither',
+      );
+    }
+    const credentials =
+      keyId && secret
+        ? {
+            accessKeyId: keyId,
+            secretAccessKey: secret,
+            ...(process.env.SHIPSEC_AWS_SESSION_TOKEN && {
+              sessionToken: process.env.SHIPSEC_AWS_SESSION_TOKEN,
+            }),
+          }
+        : undefined; // SDK default chain
+    return new STSClient({ ...(credentials && { credentials }), ...(region && { region }) });
+  }
+
+  // ── Platform role ARN (from env var) ──
+  getPlatformRoleArn(): string {
+    const arn = process.env.SHIPSEC_PLATFORM_ROLE_ARN;
+    if (!arn) throw new Error('SHIPSEC_PLATFORM_ROLE_ARN is required');
+    return arn;
+  }
+
+  // ── Assume customer role via platform identity (with duration retry) ──
+  async assumeRoleWithPlatformIdentity(
+    roleArn: string,
+    externalId?: string,
+    region?: string,
+  ): Promise<AssumedRoleCredentials> {
+    const configured = parseInt(process.env.SHIPSEC_AWS_STS_DURATION_SECONDS || '3600', 10);
+    const durations = [...new Set([Math.min(configured, 43200), 3600, 900])];
+    let lastError: Error | undefined;
+    for (const duration of durations) {
+      try {
+        const client = this.getPlatformStsClient(region);
+        const response = await client.send(
+          new AssumeRoleCommand({
+            RoleArn: roleArn,
+            RoleSessionName: `shipsec-${Date.now()}`,
+            DurationSeconds: duration,
+            ...(externalId && { ExternalId: externalId }),
+          }),
+        );
+        if (!response.Credentials) throw new Error('No credentials returned');
+        return {
+          accessKeyId: response.Credentials.AccessKeyId!,
+          secretAccessKey: response.Credentials.SecretAccessKey!,
+          sessionToken: response.Credentials.SessionToken!,
+        };
+      } catch (error: any) {
+        lastError = error;
+        if (error.name === 'ValidationError' && error.message?.includes('DurationSeconds')) {
+          this.logger.warn(`STS duration=${duration}s too high for ${roleArn}, retrying lower`);
+          continue;
+        }
+        throw error;
+      }
+    }
+    throw lastError ?? new Error('All STS duration attempts failed');
+  }
+
+  // ── Normalize assumed-role ARN to role ARN ──
+  private normalizeToRoleArn(arn: string): string {
+    // arn:aws:sts::123456789012:assumed-role/RoleName/session
+    // → arn:aws:iam::123456789012:role/RoleName
+    const match = arn.match(/^arn:aws:sts::(\d{12}):assumed-role\/([^/]+)/);
+    if (match) return `arn:aws:iam::${match[1]}:role/${match[2]}`;
+    return arn; // Already a role/user ARN
+  }
+
+  // ── Discovers AWS Organization accounts ──
+  async discoverOrgAccounts(credentials: AwsCredentials): Promise<OrgAccountsResult> {
+    try {
+      const orgClient = new OrganizationsClient({
+        credentials: {
+          accessKeyId: credentials.accessKeyId,
+          secretAccessKey: credentials.secretAccessKey,
+          ...(credentials.sessionToken && {
+            sessionToken: credentials.sessionToken,
+          }),
+        },
+      });
+
+      const accounts: OrgAccount[] = [];
+
+      const paginator = paginateListAccounts({ client: orgClient }, {});
+
+      for await (const page of paginator) {
+        if (page.Accounts) {
+          for (const account of page.Accounts) {
+            accounts.push({
+              id: account.Id || '',
+              name: account.Name || '',
+              status: account.Status || '',
+              email: account.Email || '',
+            });
+          }
+        }
+      }
+
+      this.logger.log(`Successfully discovered ${accounts.length} organization accounts`);
+
+      return { accounts };
+    } catch (error) {
+      this.logger.error('Failed to discover organization accounts', error);
+      throw new Error(error.message || 'Failed to discover organization accounts');
+    }
+  }
+}
diff --git a/backend/src/integrations/external-id-generator.ts b/backend/src/integrations/external-id-generator.ts
new file mode 100644
index 00000000..2c7fa238
--- /dev/null
+++ b/backend/src/integrations/external-id-generator.ts
@@ -0,0 +1,109 @@
+import { randomUUID } from 'crypto';
+
+const ADJECTIVES = [
+  'cosmic',
+  'crystal',
+  'golden',
+  'silver',
+  'blazing',
+  'frozen',
+  'midnight',
+  'stellar',
+  'radiant',
+  'velvet',
+  'emerald',
+  'crimson',
+  'silent',
+  'rapid',
+  'ancient',
+  'bright',
+  'calm',
+  'deep',
+  'fierce',
+  'gentle',
+  'hollow',
+  'iron',
+  'jade',
+  'keen',
+  'lunar',
+  'mystic',
+  'noble',
+  'omega',
+  'primal',
+  'quiet',
+  'royal',
+  'swift',
+  'tidal',
+  'ultra',
+  'vivid',
+  'wild',
+  'zen',
+  'amber',
+  'bold',
+  'cedar',
+  'dawn',
+  'echo',
+  'flint',
+  'granite',
+  'harbor',
+  'ivory',
+];
+
+const NOUNS = [
+  'falcon',
+  'phoenix',
+  'summit',
+  'cascade',
+  'nebula',
+  'voyager',
+  'cipher',
+  'atlas',
+  'beacon',
+  'comet',
+  'delta',
+  'ember',
+  'forge',
+  'glacier',
+  'helix',
+  'iris',
+  'jaguar',
+  'kestrel',
+  'lancer',
+  'meteor',
+  'nexus',
+  'orbit',
+  'pulse',
+  'quasar',
+  'raven',
+  'sentry',
+  'titan',
+  'umbra',
+  'vertex',
+  'wraith',
+  'zenith',
+  'anchor',
+  'breeze',
+  'coral',
+  'drift',
+  'flare',
+  'grove',
+  'haven',
+  'inlet',
+  'karma',
+  'lotus',
+  'marsh',
+  'oasis',
+  'peak',
+];
+
+export function generateExternalId(): string {
+  return randomUUID();
+}
+
+export function formatExternalIdForDisplay(externalId: string): string {
+  const hex = externalId.replace(/-/g, '');
+  const adjIdx = parseInt(hex.slice(0, 2), 16) % ADJECTIVES.length;
+  const nounIdx = parseInt(hex.slice(2, 4), 16) % NOUNS.length;
+  const shortId = hex.slice(0, 8);
+  return `${ADJECTIVES[adjIdx]}-${NOUNS[nounIdx]}-${shortId}`;
+}
diff --git a/backend/src/integrations/integration-catalog.ts b/backend/src/integrations/integration-catalog.ts
new file mode 100644
index 00000000..929a1846
--- /dev/null
+++ b/backend/src/integrations/integration-catalog.ts
@@ -0,0 +1,175 @@
+import type { IntegrationProviderConfig } from './integration-providers';
+
+export interface AuthMethodField {
+  id: string;
+  label: string;
+  type: 'text' | 'password' | 'select';
+  required: boolean;
+  placeholder?: string;
+  helpText?: string;
+  options?: { label: string; value: string }[];
+}
+
+export interface AuthMethod {
+  type: string;
+  label: string;
+  description: string;
+  fields: AuthMethodField[];
+}
+
+export interface SetupInstructionSection {
+  title: string;
+  authMethodType: string;
+  scenario: string;
+  steps: string[];
+}
+
+export interface IntegrationProviderDefinition {
+  id: string;
+  name: string;
+  description: string;
+  docsUrl?: string;
+  iconUrl?: string;
+  authMethods: AuthMethod[];
+  supportsMultipleConnections: boolean;
+  setupInstructions: { sections: SetupInstructionSection[] };
+  oauthConfig?: IntegrationProviderConfig;
+}
+
+export const AWS_PROVIDER: IntegrationProviderDefinition = {
+  id: 'aws',
+  name: 'Amazon Web Services',
+  description:
+    'Connect AWS accounts for cloud security posture management (CSPM), compliance scanning, and resource discovery.',
+  docsUrl:
+    'https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html',
+  iconUrl: '/icons/aws.png',
+  supportsMultipleConnections: true,
+  authMethods: [
+    {
+      type: 'iam_role',
+      label: 'IAM Role',
+      description:
+        'Create an IAM role in your AWS account with a trust policy that allows the ShipSec platform to assume it. No customer secrets are stored.',
+      fields: [
+        {
+          id: 'roleArn',
+          label: 'Role ARN',
+          type: 'text',
+          required: true,
+          placeholder: 'arn:aws:iam::123456789012:role/ShipSecAuditRole',
+        },
+        {
+          id: 'region',
+          label: 'Default Region',
+          type: 'text',
+          required: false,
+          placeholder: 'us-east-1',
+          helpText: 'Default AWS region for API calls. Can be overridden per workflow.',
+        },
+      ],
+    },
+  ],
+  setupInstructions: {
+    sections: [
+      {
+        title: 'Single Account',
+        authMethodType: 'iam_role',
+        scenario: 'single-account',
+        steps: [
+          'Click "Add Connection" to generate a trust policy with a unique External ID.',
+          'In the target AWS account, create an IAM role with `SecurityAudit` and `ViewOnlyAccess` policies.',
+          'Set the trust policy to the JSON shown in the setup dialog (includes the ShipSec platform ARN and External ID).',
+          'Copy the role ARN and paste it into the form, then click "Create Connection".',
+        ],
+      },
+      {
+        title: 'Cross-Account',
+        authMethodType: 'iam_role',
+        scenario: 'cross-account',
+        steps: [
+          'Click "Add Connection" to generate a trust policy with a unique External ID.',
+          'In each target account, create an IAM role with `SecurityAudit` and `ViewOnlyAccess` policies.',
+          'Use the same trust policy JSON from the setup dialog for each role.',
+          'Add one connection per target account using its role ARN.',
+        ],
+      },
+      {
+        title: 'Organizations',
+        authMethodType: 'iam_role',
+        scenario: 'organizations',
+        steps: [
+          'Click "Add Connection" for your management account and apply the trust policy shown.',
+          'Ensure the management role has `SecurityAudit`, `ViewOnlyAccess`, and `OrganizationsReadOnlyAccess` policies.',
+          'Use "Discover Accounts" to list all member accounts.',
+          'For each member account, create a role with the same trust policy and add a connection.',
+        ],
+      },
+    ],
+  },
+};
+
+export const SLACK_PROVIDER: IntegrationProviderDefinition = {
+  id: 'slack',
+  name: 'Slack',
+  description: 'Send workflow notifications, security alerts, and scan results to Slack channels.',
+  docsUrl: 'https://api.slack.com/messaging/webhooks',
+  iconUrl: '/icons/slack.svg',
+  supportsMultipleConnections: true,
+  authMethods: [
+    {
+      type: 'webhook',
+      label: 'Incoming Webhook',
+      description:
+        'Simple webhook URL for sending messages to a specific channel. No OAuth required.',
+      fields: [
+        {
+          id: 'webhookUrl',
+          label: 'Webhook URL',
+          type: 'password',
+          required: true,
+          placeholder: 'https://hooks.slack.com/services/T.../B.../...',
+          helpText: 'Create an incoming webhook at https://api.slack.com/apps',
+        },
+      ],
+    },
+    {
+      type: 'oauth',
+      label: 'Slack App (OAuth)',
+      description:
+        'Full Slack app with OAuth for sending messages, slash commands, and DMs. Requires a Slack app with channels:read, chat:write, chat:write.public, commands, and im:write scopes.',
+      fields: [],
+    },
+  ],
+  setupInstructions: {
+    sections: [
+      {
+        title: 'Incoming Webhook',
+        authMethodType: 'webhook',
+        scenario: 'webhook',
+        steps: [
+          'Go to https://api.slack.com/apps and create a new app (or select an existing one).',
+          'Navigate to "Incoming Webhooks" and toggle it on.',
+          'Click "Add New Webhook to Workspace" and select the target channel.',
+          'Copy the generated webhook URL and paste it below.',
+        ],
+      },
+      {
+        title: 'Slack App (OAuth)',
+        authMethodType: 'oauth',
+        scenario: 'oauth',
+        steps: [
+          'Go to https://api.slack.com/apps and create a new app.',
+          'Under "OAuth & Permissions", add the bot token scopes: channels:read, chat:write, chat:write.public, commands, im:write.',
+          'Set the redirect URL to the one shown below.',
+          'Copy the Client ID and Client Secret into the provider configuration.',
+          'Click "Add to Slack" to complete the OAuth flow.',
+        ],
+      },
+    ],
+  },
+};
+
+export function getCatalog(): IntegrationProviderDefinition[] {
+  return [AWS_PROVIDER, SLACK_PROVIDER];
+}
diff --git a/backend/src/integrations/integration-providers.ts b/backend/src/integrations/integration-providers.ts
index 1102dc68..eca03797 100644
--- a/backend/src/integrations/integration-providers.ts
+++ b/backend/src/integrations/integration-providers.ts
@@ -41,6 +41,16 @@ export function loadIntegrationProviders(): Record<string, IntegrationProviderCo
     .map((scope) => scope.trim())
     .filter(Boolean) ?? ['user:read:admin'];
 
+  const slackScopes = process.env.SLACK_OAUTH_SCOPES?.split(',')
+    .map((scope) => scope.trim())
+    .filter(Boolean) ?? [
+    'channels:read',
+    'chat:write',
+    'chat:write.public',
+    'commands',
+    'im:write',
+  ];
+
   return {
     github: {
       id: 'github',
@@ -82,6 +92,22 @@ export function loadIntegrationProviders(): Record<string, IntegrationProviderCo
       clientId: process.env.ZOOM_OAUTH_CLIENT_ID ?? null,
       clientSecret: process.env.ZOOM_OAUTH_CLIENT_SECRET ?? null,
     },
+    slack: {
+      id: 'slack',
+      name: 'Slack',
+      description: 'Send messages and alerts to Slack channels via the Slack API.',
+      docsUrl: 'https://api.slack.com/authentication/oauth-v2',
+      authorizeUrl: 'https://slack.com/oauth/v2/authorize',
+      tokenUrl: 'https://slack.com/api/oauth.v2.access',
+      defaultScopes: slackScopes,
+      scopeSeparator: ',',
+      supportsRefresh: false,
+      usesPkce: false,
+      tokenRequestEncoding: 'form',
+      tokenAuthMethod: 'client_secret_post',
+      clientId: process.env.SLACK_OAUTH_CLIENT_ID ?? null,
+      clientSecret: process.env.SLACK_OAUTH_CLIENT_SECRET ?? null,
+    },
   };
 }
 
diff --git a/backend/src/integrations/integrations.controller.ts b/backend/src/integrations/integrations.controller.ts
index fff157d4..4aa861d8 100644
--- a/backend/src/integrations/integrations.controller.ts
+++ b/backend/src/integrations/integrations.controller.ts
@@ -6,34 +6,59 @@ import {
   Get,
   HttpCode,
   HttpStatus,
-  Headers,
+  Logger,
   Param,
   Post,
   Put,
   Query,
-  UnauthorizedException,
 } from '@nestjs/common';
 import { ApiOkResponse, ApiTags } from '@nestjs/swagger';
 
+import { CurrentAuth } from '../auth/auth-context.decorator';
+import { Public } from '../auth/public.decorator';
+import type { AuthContext } from '../auth/types';
+import { InternalOnly } from '../common/guards/internal-only.guard';
+
 import {
+  AwsSetupInfoResponseDto,
   CompleteOAuthDto,
-  DisconnectConnectionDto,
+  ConnectionCredentialsResponseDto,
   ConnectionTokenResponseDto,
+  CreateAwsConnectionDto,
+  CreateSlackWebhookConnectionDto,
+  DiscoverOrgAccountsResponseDto,
   IntegrationConnectionResponse,
   IntegrationProviderResponse,
-  ProviderConfigurationResponse,
   OAuthStartResponseDto,
-  RefreshConnectionDto,
+  ProviderConfigurationResponse,
   StartOAuthDto,
   UpsertProviderConfigDto,
+  ValidateAwsResponseDto,
 } from './integrations.dto';
 import { IntegrationsService } from './integrations.service';
+import type { IntegrationProviderDefinition } from './integration-catalog';
 
 @ApiTags('integrations')
 @Controller('integrations')
 export class IntegrationsController {
+  private readonly logger = new Logger(IntegrationsController.name);
+
   constructor(private readonly integrations: IntegrationsService) {}
 
+  /* ------------------------------------------------------------------ */
+  /*  Provider catalog (D5)                                              */
+  /* ------------------------------------------------------------------ */
+
+  @Get('catalog')
+  @ApiOkResponse({ description: 'Returns the integration provider catalog (AWS + Slack)' })
+  getCatalog(): IntegrationProviderDefinition[] {
+    return this.integrations.getCatalog();
+  }
+
+  /* ------------------------------------------------------------------ */
+  /*  OAuth provider listing & configuration (existing, unchanged)       */
+  /* ------------------------------------------------------------------ */
+
   @Get('providers')
   @ApiOkResponse({ type: [IntegrationProviderResponse] })
   listProviders(): IntegrationProviderResponse[] {
@@ -84,32 +109,69 @@ export class IntegrationsController {
     await this.integrations.deleteProviderConfiguration(provider);
   }
 
+  /* ------------------------------------------------------------------ */
+  /*  Connection listing (D16: userId from auth, not query param)        */
+  /* ------------------------------------------------------------------ */
+
   @Get('connections')
   @ApiOkResponse({ type: [IntegrationConnectionResponse] })
   async listConnections(
-    @Query('userId') userId?: string,
+    @CurrentAuth() auth: AuthContext | null,
+    @Query('userId') queryUserId?: string,
   ): Promise<IntegrationConnectionResponse[]> {
+    if (queryUserId) {
+      this.logger.warn(
+        'Deprecated: userId query parameter is ignored. User is derived from auth context.',
+      );
+    }
+
+    const userId = auth?.userId;
     if (!userId) {
-      throw new BadRequestException('userId is required');
+      throw new BadRequestException('Authentication required');
     }
 
     const connections = await this.integrations.listConnections(userId);
-    return connections.map((connection) => ({
-      ...connection,
-      expiresAt: connection.expiresAt ? connection.expiresAt.toISOString() : null,
-      createdAt: connection.createdAt.toISOString(),
-      updatedAt: connection.updatedAt.toISOString(),
-    }));
+    return connections.map((c) => this.toConnectionResponse(c));
+  }
+
+  /* ------------------------------------------------------------------ */
+  /*  Org-scoped connection listing (D6, D17)                           */
+  /* ------------------------------------------------------------------ */
+
+  @Get('org/connections')
+  @ApiOkResponse({ type: [IntegrationConnectionResponse] })
+  async listOrgConnections(
+    @CurrentAuth() auth: AuthContext | null,
+    @Query('provider') provider?: string,
+  ): Promise<IntegrationConnectionResponse[]> {
+    if (!auth?.organizationId) {
+      throw new BadRequestException('Authentication with organization context required');
+    }
+
+    const connections = await this.integrations.listConnectionsForOrg(auth, provider);
+    return connections.map((c) => this.toConnectionResponse(c));
   }
 
+  /* ------------------------------------------------------------------ */
+  /*  OAuth flow (D16: userId from auth context)                        */
+  /* ------------------------------------------------------------------ */
+
   @Post(':provider/start')
   @ApiOkResponse({ type: OAuthStartResponseDto })
   async startOAuth(
     @Param('provider') provider: string,
+    @CurrentAuth() auth: AuthContext | null,
     @Body() body: StartOAuthDto,
   ): Promise<OAuthStartResponseDto> {
+    if (!auth?.userId) {
+      throw new BadRequestException('Authentication required');
+    }
+
+    const organizationId = auth.organizationId ?? `workspace-${auth.userId}`;
+
     const response = await this.integrations.startOAuthSession(provider, {
-      userId: body.userId,
+      userId: auth.userId,
+      organizationId,
       redirectUri: body.redirectUri,
       scopes: body.scopes,
     });
@@ -122,60 +184,66 @@ export class IntegrationsController {
     };
   }
 
+  @Public()
   @Post(':provider/exchange')
   @ApiOkResponse({ type: IntegrationConnectionResponse })
   async completeOAuth(
     @Param('provider') provider: string,
     @Body() body: CompleteOAuthDto,
   ): Promise<IntegrationConnectionResponse> {
+    // The exchange endpoint is @Public because the OAuth callback may arrive on a
+    // different origin (e.g. ngrok) where the Clerk session cookie is unavailable.
+    // Security is enforced by the one-time state token created during startOAuth,
+    // which binds the exchange to a specific userId and provider.
     const connection = await this.integrations.completeOAuthSession(provider, {
-      userId: body.userId,
       code: body.code,
       state: body.state,
       redirectUri: body.redirectUri,
       scopes: body.scopes,
     });
 
-    return {
-      ...connection,
-      expiresAt: connection.expiresAt ? connection.expiresAt.toISOString() : null,
-      createdAt: connection.createdAt.toISOString(),
-      updatedAt: connection.updatedAt.toISOString(),
-    };
+    return this.toConnectionResponse(connection);
   }
 
+  /* ------------------------------------------------------------------ */
+  /*  Refresh & disconnect (D16 + D18)                                  */
+  /* ------------------------------------------------------------------ */
+
   @Post('connections/:id/refresh')
   @ApiOkResponse({ type: IntegrationConnectionResponse })
   async refreshConnection(
     @Param('id') id: string,
-    @Body() body: RefreshConnectionDto,
+    @CurrentAuth() auth: AuthContext | null,
   ): Promise<IntegrationConnectionResponse> {
-    const refreshed = await this.integrations.refreshConnection(id, body.userId);
-    return {
-      ...refreshed,
-      expiresAt: refreshed.expiresAt ? refreshed.expiresAt.toISOString() : null,
-      createdAt: refreshed.createdAt.toISOString(),
-      updatedAt: refreshed.updatedAt.toISOString(),
-    };
+    if (!auth?.userId) {
+      throw new BadRequestException('Authentication required');
+    }
+
+    const refreshed = await this.integrations.refreshConnection(id, auth);
+    return this.toConnectionResponse(refreshed);
   }
 
   @Delete('connections/:id')
   @ApiOkResponse({ description: 'Connection removed' })
   async disconnectConnection(
     @Param('id') id: string,
-    @Body() body: DisconnectConnectionDto,
+    @CurrentAuth() auth: AuthContext | null,
   ): Promise<void> {
-    await this.integrations.disconnect(id, body.userId);
+    if (!auth?.userId) {
+      throw new BadRequestException('Authentication required');
+    }
+
+    await this.integrations.disconnect(id, auth);
   }
 
+  /* ------------------------------------------------------------------ */
+  /*  Internal token endpoint (D4: @InternalOnly replaces inline check) */
+  /* ------------------------------------------------------------------ */
+
   @Post('connections/:id/token')
+  @InternalOnly()
   @ApiOkResponse({ type: ConnectionTokenResponseDto })
-  async issueConnectionToken(
-    @Param('id') id: string,
-    @Headers('x-internal-token') internalToken?: string,
-  ): Promise<ConnectionTokenResponseDto> {
-    this.assertInternalAccess(internalToken);
-
+  async issueConnectionToken(@Param('id') id: string): Promise<ConnectionTokenResponseDto> {
     const token = await this.integrations.getConnectionToken(id);
     return {
       provider: token.provider,
@@ -187,14 +255,171 @@ export class IntegrationsController {
     };
   }
 
-  private assertInternalAccess(token?: string): void {
-    const expected = process.env.INTERNAL_SERVICE_TOKEN;
-    if (!expected) {
-      return;
+  /* ------------------------------------------------------------------ */
+  /*  Credential resolution — internal only (D3, D4)                    */
+  /* ------------------------------------------------------------------ */
+
+  @Post('connections/:id/credentials')
+  @InternalOnly()
+  @ApiOkResponse({ type: ConnectionCredentialsResponseDto })
+  async resolveCredentials(@Param('id') id: string): Promise<ConnectionCredentialsResponseDto> {
+    const result = await this.integrations.resolveConnectionCredentials(id);
+    return {
+      credentialType: result.credentialType,
+      provider: result.provider,
+      data: result.data,
+      accountId: result.accountId,
+      region: result.region,
+      displayName: result.displayName,
+    };
+  }
+
+  /* ------------------------------------------------------------------ */
+  /*  AWS setup info & connections                                      */
+  /* ------------------------------------------------------------------ */
+
+  @Get('aws/setup-info')
+  @ApiOkResponse({ type: AwsSetupInfoResponseDto })
+  async getAwsSetupInfo(@CurrentAuth() auth: AuthContext | null): Promise<AwsSetupInfoResponseDto> {
+    if (!auth?.organizationId) {
+      throw new BadRequestException('Authentication with organization context required');
+    }
+    return this.integrations.getAwsSetupInfo(auth.organizationId);
+  }
+
+  @Post('aws/connections')
+  @ApiOkResponse({ type: IntegrationConnectionResponse })
+  async createAwsConnection(
+    @CurrentAuth() auth: AuthContext | null,
+    @Body() body: CreateAwsConnectionDto,
+  ): Promise<IntegrationConnectionResponse> {
+    if (!auth?.userId || !auth?.organizationId) {
+      throw new BadRequestException('Authentication with organization context required');
+    }
+
+    const connection = await this.integrations.createAwsConnection(auth, body);
+    return this.toConnectionResponse(connection);
+  }
+
+  @Post('aws/connections/:id/validate')
+  @ApiOkResponse({ type: ValidateAwsResponseDto })
+  async validateAwsConnection(
+    @Param('id') id: string,
+    @CurrentAuth() auth: AuthContext | null,
+  ): Promise<ValidateAwsResponseDto> {
+    if (!auth?.userId || !auth?.organizationId) {
+      throw new BadRequestException('Authentication with organization context required');
     }
 
-    if (token !== expected) {
-      throw new UnauthorizedException('Invalid internal access token');
+    await this.integrations.assertConnectionOwnership(id, auth);
+    const result = await this.integrations.validateConnection(id);
+
+    return {
+      valid: result.valid,
+      error: result.error,
+    };
+  }
+
+  @Post('aws/connections/:id/discover-org')
+  @ApiOkResponse({ type: DiscoverOrgAccountsResponseDto })
+  async discoverOrgAccounts(
+    @Param('id') id: string,
+    @CurrentAuth() auth: AuthContext | null,
+  ): Promise<DiscoverOrgAccountsResponseDto> {
+    if (!auth?.userId || !auth?.organizationId) {
+      throw new BadRequestException('Authentication with organization context required');
     }
+
+    await this.integrations.assertConnectionOwnership(id, auth);
+    const result = await this.integrations.discoverOrgAccounts(id);
+
+    return {
+      accounts: result.accounts.map((a) => ({
+        id: a.id,
+        name: a.name,
+        status: a.status,
+        email: a.email,
+      })),
+    };
+  }
+
+  /* ------------------------------------------------------------------ */
+  /*  Slack connections (chunk 8)                                       */
+  /* ------------------------------------------------------------------ */
+
+  @Post('slack/connections')
+  @ApiOkResponse({ type: IntegrationConnectionResponse })
+  async createSlackWebhookConnection(
+    @CurrentAuth() auth: AuthContext | null,
+    @Body() body: CreateSlackWebhookConnectionDto,
+  ): Promise<IntegrationConnectionResponse> {
+    if (!auth?.userId || !auth?.organizationId) {
+      throw new BadRequestException('Authentication with organization context required');
+    }
+
+    const connection = await this.integrations.createSlackWebhookConnection(auth, body);
+    return this.toConnectionResponse(connection);
+  }
+
+  @Post('slack/connections/:id/test')
+  @ApiOkResponse({ description: 'Test result for Slack connection' })
+  async testSlackConnection(
+    @Param('id') id: string,
+    @CurrentAuth() auth: AuthContext | null,
+  ): Promise<{ ok: boolean; error?: string }> {
+    if (!auth?.userId || !auth?.organizationId) {
+      throw new BadRequestException('Authentication with organization context required');
+    }
+
+    await this.integrations.assertConnectionOwnership(id, auth);
+    return this.integrations.validateConnection(id);
+  }
+
+  /* ------------------------------------------------------------------ */
+  /*  Private helpers                                                    */
+  /* ------------------------------------------------------------------ */
+
+  private toConnectionResponse(connection: {
+    id: string;
+    provider: string;
+    providerName: string;
+    userId: string;
+    credentialType: string;
+    displayName: string;
+    organizationId: string;
+    scopes: string[];
+    tokenType: string;
+    expiresAt: Date | null;
+    lastValidatedAt: Date | null;
+    lastValidationStatus: string | null;
+    lastUsedAt: Date | null;
+    createdAt: Date;
+    updatedAt: Date;
+    status: 'active' | 'expired';
+    supportsRefresh: boolean;
+    hasRefreshToken: boolean;
+    metadata: Record<string, unknown>;
+  }): IntegrationConnectionResponse {
+    return {
+      id: connection.id,
+      provider: connection.provider,
+      providerName: connection.providerName,
+      userId: connection.userId,
+      credentialType: connection.credentialType,
+      displayName: connection.displayName,
+      organizationId: connection.organizationId,
+      scopes: connection.scopes,
+      tokenType: connection.tokenType,
+      expiresAt: connection.expiresAt ? connection.expiresAt.toISOString() : null,
+      lastValidatedAt: connection.lastValidatedAt ? connection.lastValidatedAt.toISOString() : null,
+      lastValidationStatus: connection.lastValidationStatus ?? null,
+      lastUsedAt: connection.lastUsedAt ? connection.lastUsedAt.toISOString() : null,
+      createdAt: connection.createdAt.toISOString(),
+      updatedAt: connection.updatedAt.toISOString(),
+      status: connection.status,
+      supportsRefresh: connection.supportsRefresh,
+      hasRefreshToken: connection.hasRefreshToken,
+      metadata: connection.metadata,
+    };
   }
 }
diff --git a/backend/src/integrations/integrations.dto.ts b/backend/src/integrations/integrations.dto.ts
index 8a6ee425..9c573ca8 100644
--- a/backend/src/integrations/integrations.dto.ts
+++ b/backend/src/integrations/integrations.dto.ts
@@ -1,12 +1,9 @@
 import { ApiProperty, ApiPropertyOptional } from '@nestjs/swagger';
-import { IsArray, IsOptional, IsString, IsUrl, MinLength } from 'class-validator';
+import { IsArray, IsOptional, IsString, IsUrl, Matches, MinLength } from 'class-validator';
 
-export class StartOAuthDto {
-  @ApiProperty({ description: 'Application user identifier to associate the connection with' })
-  @IsString()
-  @MinLength(1)
-  userId!: string;
+// --- OAuth DTOs (D16: userId removed, derived from auth context) ---
 
+export class StartOAuthDto {
   @ApiProperty({ description: 'Frontend callback URL that receives the OAuth code' })
   @IsString()
   @IsUrl()
@@ -31,19 +28,12 @@ export class CompleteOAuthDto extends StartOAuthDto {
   code!: string;
 }
 
-export class RefreshConnectionDto {
-  @ApiProperty({ description: 'Application user identifier that owns the connection' })
-  @IsString()
-  @MinLength(1)
-  userId!: string;
-}
+// D16: userId removed from these DTOs — now derived from @CurrentAuth()
+export class RefreshConnectionDto {}
 
-export class DisconnectConnectionDto {
-  @ApiProperty({ description: 'Application user identifier that owns the connection' })
-  @IsString()
-  @MinLength(1)
-  userId!: string;
-}
+export class DisconnectConnectionDto {}
+
+// --- Provider config DTOs ---
 
 export class UpsertProviderConfigDto {
   @ApiProperty({ description: 'OAuth client identifier used for this provider' })
@@ -60,6 +50,70 @@ export class UpsertProviderConfigDto {
   clientSecret?: string;
 }
 
+// --- AWS connection DTOs ---
+
+export class CreateAwsConnectionDto {
+  @ApiProperty({ description: 'Display name for this connection' })
+  @IsString()
+  @MinLength(1)
+  displayName!: string;
+
+  @ApiProperty({ description: 'IAM role ARN for ShipSec to assume' })
+  @IsString()
+  @Matches(/^arn:aws:iam::\d{12}:role\/.+$/, {
+    message: 'roleArn must be a valid IAM role ARN (arn:aws:iam::<account-id>:role/<role-name>)',
+  })
+  roleArn!: string;
+
+  @ApiPropertyOptional({ description: 'Default AWS region' })
+  @IsOptional()
+  @IsString()
+  region?: string;
+
+  @ApiProperty({ description: 'External ID from setup-info endpoint' })
+  @IsString()
+  @MinLength(1)
+  externalId!: string;
+
+  @ApiProperty({ description: 'Signed setup token from setup-info endpoint' })
+  @IsString()
+  @MinLength(1)
+  setupToken!: string;
+}
+
+export class AwsSetupInfoResponseDto {
+  @ApiProperty()
+  platformRoleArn!: string;
+
+  @ApiProperty()
+  externalId!: string;
+
+  @ApiProperty()
+  setupToken!: string;
+
+  @ApiProperty()
+  trustPolicyTemplate!: string;
+
+  @ApiPropertyOptional()
+  externalIdDisplay?: string;
+}
+
+// --- Slack connection DTOs ---
+
+export class CreateSlackWebhookConnectionDto {
+  @ApiProperty({ description: 'Display name for this webhook connection' })
+  @IsString()
+  @MinLength(1)
+  displayName!: string;
+
+  @ApiProperty({ description: 'Slack incoming webhook URL' })
+  @IsString()
+  @IsUrl()
+  webhookUrl!: string;
+}
+
+// --- Response DTOs ---
+
 export class ProviderConfigurationResponse {
   @ApiProperty()
   provider!: string;
@@ -132,6 +186,15 @@ export class IntegrationConnectionResponse {
   @ApiProperty()
   userId!: string;
 
+  @ApiProperty()
+  credentialType!: string;
+
+  @ApiProperty()
+  displayName!: string;
+
+  @ApiPropertyOptional()
+  organizationId?: string;
+
   @ApiProperty({ type: [String] })
   scopes!: string[];
 
@@ -141,6 +204,15 @@ export class IntegrationConnectionResponse {
   @ApiPropertyOptional()
   expiresAt?: string | null;
 
+  @ApiPropertyOptional()
+  lastValidatedAt?: string | null;
+
+  @ApiPropertyOptional()
+  lastValidationStatus?: string | null;
+
+  @ApiPropertyOptional()
+  lastUsedAt?: string | null;
+
   @ApiProperty()
   createdAt!: string;
 
@@ -179,3 +251,58 @@ export class ConnectionTokenResponseDto {
   @ApiPropertyOptional()
   expiresAt?: string | null;
 }
+
+export class ValidateAwsResponseDto {
+  @ApiProperty()
+  valid!: boolean;
+
+  @ApiPropertyOptional()
+  accountId?: string;
+
+  @ApiPropertyOptional()
+  arn?: string;
+
+  @ApiPropertyOptional()
+  error?: string;
+}
+
+export class OrgAccountDto {
+  @ApiProperty()
+  id!: string;
+
+  @ApiProperty()
+  name!: string;
+
+  @ApiProperty()
+  status!: string;
+
+  @ApiPropertyOptional()
+  email?: string;
+}
+
+export class DiscoverOrgAccountsResponseDto {
+  @ApiProperty({ type: [OrgAccountDto] })
+  accounts!: OrgAccountDto[];
+}
+
+export class ConnectionCredentialsResponseDto {
+  @ApiProperty({ description: 'Credential type discriminator' })
+  credentialType!: string;
+
+  @ApiProperty()
+  provider!: string;
+
+  @ApiProperty({ description: 'Type-specific credential data' })
+  data!: Record<string, unknown>;
+
+  @ApiPropertyOptional({
+    description: 'Provider account identifier (e.g. AWS 12-digit account ID)',
+  })
+  accountId?: string;
+
+  @ApiPropertyOptional({ description: 'Default region from the connection' })
+  region?: string;
+
+  @ApiPropertyOptional({ description: 'Display name of the connection' })
+  displayName?: string;
+}
diff --git a/backend/src/integrations/integrations.module.ts b/backend/src/integrations/integrations.module.ts
index e9650554..cfa1a61b 100644
--- a/backend/src/integrations/integrations.module.ts
+++ b/backend/src/integrations/integrations.module.ts
@@ -1,15 +1,25 @@
 import { Module } from '@nestjs/common';
 
 import { DatabaseModule } from '../database/database.module';
+import { AwsService } from './aws.service';
 import { IntegrationsController } from './integrations.controller';
 import { IntegrationsRepository } from './integrations.repository';
 import { IntegrationsService } from './integrations.service';
+import { SetupTokenService } from './setup-token.service';
+import { SlackService } from './slack.service';
 import { TokenEncryptionService } from './token.encryption';
 
 @Module({
   imports: [DatabaseModule],
   controllers: [IntegrationsController],
-  providers: [IntegrationsService, IntegrationsRepository, TokenEncryptionService],
+  providers: [
+    IntegrationsService,
+    IntegrationsRepository,
+    TokenEncryptionService,
+    AwsService,
+    SlackService,
+    SetupTokenService,
+  ],
   exports: [IntegrationsService],
 })
 export class IntegrationsModule {}
diff --git a/backend/src/integrations/integrations.repository.ts b/backend/src/integrations/integrations.repository.ts
index abf05657..80aebdae 100644
--- a/backend/src/integrations/integrations.repository.ts
+++ b/backend/src/integrations/integrations.repository.ts
@@ -16,6 +16,9 @@ import {
 interface UpsertIntegrationTokenInput {
   userId: string;
   provider: string;
+  organizationId: string;
+  credentialType: string;
+  displayName: string;
   scopes: string[];
   accessToken: SecretEncryptionMaterial;
   refreshToken: SecretEncryptionMaterial | null;
@@ -24,6 +27,23 @@ interface UpsertIntegrationTokenInput {
   metadata?: Record<string, unknown>;
 }
 
+interface InsertConnectionInput {
+  userId: string;
+  provider: string;
+  organizationId: string;
+  credentialType: string;
+  displayName: string;
+  scopes?: string[];
+  accessToken: SecretEncryptionMaterial;
+  refreshToken?: SecretEncryptionMaterial | null;
+  tokenType?: string;
+  expiresAt?: Date | null;
+  lastValidatedAt?: Date | null;
+  lastValidationStatus?: string | null;
+  lastValidationError?: string | null;
+  metadata?: Record<string, unknown>;
+}
+
 @Injectable()
 export class IntegrationsRepository {
   constructor(
@@ -48,7 +68,7 @@ export class IntegrationsRepository {
     return record;
   }
 
-  async findByProvider(
+  async findByUserAndProvider(
     userId: string,
     provider: string,
   ): Promise<IntegrationTokenRecord | undefined> {
@@ -60,10 +80,45 @@ export class IntegrationsRepository {
     return record;
   }
 
+  async findByOrgAndProvider(
+    organizationId: string,
+    provider: string,
+  ): Promise<IntegrationTokenRecord | undefined> {
+    const [record] = await this.db
+      .select()
+      .from(integrationTokens)
+      .where(
+        and(
+          eq(integrationTokens.organizationId, organizationId),
+          eq(integrationTokens.provider, provider),
+        ),
+      )
+      .limit(1);
+    return record;
+  }
+
+  async listConnectionsByOrg(
+    organizationId: string,
+    provider?: string,
+  ): Promise<IntegrationTokenRecord[]> {
+    const conditions = [eq(integrationTokens.organizationId, organizationId)];
+    if (provider) {
+      conditions.push(eq(integrationTokens.provider, provider));
+    }
+    return await this.db
+      .select()
+      .from(integrationTokens)
+      .where(and(...conditions))
+      .orderBy(integrationTokens.provider);
+  }
+
   async upsertConnection(input: UpsertIntegrationTokenInput): Promise<IntegrationTokenRecord> {
     const payload = {
       userId: input.userId,
       provider: input.provider,
+      organizationId: input.organizationId,
+      credentialType: input.credentialType,
+      displayName: input.displayName,
       scopes: input.scopes,
       accessToken: input.accessToken,
       refreshToken: input.refreshToken,
@@ -80,7 +135,12 @@ export class IntegrationsRepository {
         createdAt: new Date(),
       })
       .onConflictDoUpdate({
-        target: [integrationTokens.userId, integrationTokens.provider],
+        target: [
+          integrationTokens.organizationId,
+          integrationTokens.provider,
+          integrationTokens.credentialType,
+          integrationTokens.displayName,
+        ],
         set: payload,
       })
       .returning();
@@ -88,10 +148,61 @@ export class IntegrationsRepository {
     return record;
   }
 
-  async deleteConnection(id: string, userId: string): Promise<void> {
-    await this.db
-      .delete(integrationTokens)
-      .where(and(eq(integrationTokens.id, id), eq(integrationTokens.userId, userId)));
+  /**
+   * Insert a new connection (no upsert). For non-OAuth connection types.
+   * On unique constraint violation, catches the error and returns the existing connection (D12).
+   */
+  async insertConnection(input: InsertConnectionInput): Promise<IntegrationTokenRecord> {
+    try {
+      const [record] = await this.db
+        .insert(integrationTokens)
+        .values({
+          userId: input.userId,
+          provider: input.provider,
+          organizationId: input.organizationId,
+          credentialType: input.credentialType,
+          displayName: input.displayName,
+          scopes: input.scopes ?? [],
+          accessToken: input.accessToken,
+          refreshToken: input.refreshToken ?? null,
+          tokenType: input.tokenType ?? 'Bearer',
+          expiresAt: input.expiresAt ?? null,
+          lastValidatedAt: input.lastValidatedAt ?? null,
+          lastValidationStatus: input.lastValidationStatus ?? null,
+          lastValidationError: input.lastValidationError ?? null,
+          metadata: input.metadata ?? {},
+          createdAt: new Date(),
+          updatedAt: new Date(),
+        })
+        .returning();
+
+      return record;
+    } catch (error: any) {
+      // Unique constraint violation — return existing connection (D12 natural idempotency)
+      if (error?.code === '23505') {
+        const existing = await this.db
+          .select()
+          .from(integrationTokens)
+          .where(
+            and(
+              eq(integrationTokens.organizationId, input.organizationId),
+              eq(integrationTokens.provider, input.provider),
+              eq(integrationTokens.credentialType, input.credentialType),
+              eq(integrationTokens.displayName, input.displayName),
+            ),
+          )
+          .limit(1);
+
+        if (existing[0]) {
+          return existing[0];
+        }
+      }
+      throw error;
+    }
+  }
+
+  async deleteConnection(id: string): Promise<void> {
+    await this.db.delete(integrationTokens).where(eq(integrationTokens.id, id));
   }
 
   async deleteByProvider(userId: string, provider: string): Promise<void> {
@@ -100,10 +211,37 @@ export class IntegrationsRepository {
       .where(and(eq(integrationTokens.userId, userId), eq(integrationTokens.provider, provider)));
   }
 
+  async updateConnectionHealth(
+    id: string,
+    health: {
+      lastValidatedAt: Date;
+      lastValidationStatus: string;
+      lastValidationError?: string | null;
+    },
+  ): Promise<void> {
+    await this.db
+      .update(integrationTokens)
+      .set({
+        lastValidatedAt: health.lastValidatedAt,
+        lastValidationStatus: health.lastValidationStatus,
+        lastValidationError: health.lastValidationError ?? null,
+        updatedAt: new Date(),
+      })
+      .where(eq(integrationTokens.id, id));
+  }
+
+  async updateLastUsedAt(id: string): Promise<void> {
+    await this.db
+      .update(integrationTokens)
+      .set({ lastUsedAt: new Date() })
+      .where(eq(integrationTokens.id, id));
+  }
+
   async createOAuthState(payload: {
     state: string;
     userId: string;
     provider: string;
+    organizationId?: string | null;
     codeVerifier?: string | null;
   }): Promise<IntegrationOAuthStateRecord> {
     const [record] = await this.db
@@ -112,6 +250,7 @@ export class IntegrationsRepository {
         state: payload.state,
         userId: payload.userId,
         provider: payload.provider,
+        organizationId: payload.organizationId ?? null,
         codeVerifier: payload.codeVerifier ?? null,
       })
       .onConflictDoUpdate({
@@ -119,6 +258,7 @@ export class IntegrationsRepository {
         set: {
           userId: payload.userId,
           provider: payload.provider,
+          organizationId: payload.organizationId ?? null,
           codeVerifier: payload.codeVerifier ?? null,
           createdAt: new Date(),
         },
diff --git a/backend/src/integrations/integrations.service.ts b/backend/src/integrations/integrations.service.ts
index 5b5dcc37..80a2797f 100644
--- a/backend/src/integrations/integrations.service.ts
+++ b/backend/src/integrations/integrations.service.ts
@@ -1,5 +1,6 @@
 import {
   BadRequestException,
+  ForbiddenException,
   Injectable,
   Logger,
   NotFoundException,
@@ -15,9 +16,16 @@ import {
   loadIntegrationProviders,
   summarizeProvider,
 } from './integration-providers';
+import { getCatalog, type IntegrationProviderDefinition } from './integration-catalog';
 import { IntegrationsRepository } from './integrations.repository';
 import { TokenEncryptionService } from './token.encryption';
+import { AwsService } from './aws.service';
+import { SlackService } from './slack.service';
+import { SetupTokenService } from './setup-token.service';
+import { generateExternalId, formatExternalIdForDisplay } from './external-id-generator';
+import type { CreateAwsConnectionDto } from './integrations.dto';
 import type { IntegrationTokenRecord } from '../database/schema';
+import type { AuthContext } from '../auth/types';
 
 export interface OAuthStartResponse {
   provider: string;
@@ -31,9 +39,15 @@ export interface IntegrationConnection {
   provider: string;
   providerName: string;
   userId: string;
+  credentialType: string;
+  displayName: string;
+  organizationId: string;
   scopes: string[];
   tokenType: string;
   expiresAt: Date | null;
+  lastValidatedAt: Date | null;
+  lastValidationStatus: string | null;
+  lastUsedAt: Date | null;
   createdAt: Date;
   updatedAt: Date;
   status: 'active' | 'expired';
@@ -84,6 +98,9 @@ export class IntegrationsService implements OnModuleInit {
   constructor(
     private readonly repository: IntegrationsRepository,
     private readonly encryption: TokenEncryptionService,
+    private readonly awsService: AwsService,
+    private readonly slackService: SlackService,
+    private readonly setupTokenService: SetupTokenService,
   ) {
     this.providers = loadIntegrationProviders();
   }
@@ -92,6 +109,18 @@ export class IntegrationsService implements OnModuleInit {
     await this.reloadProviderOverrides();
   }
 
+  /* ------------------------------------------------------------------ */
+  /*  Catalog                                                           */
+  /* ------------------------------------------------------------------ */
+
+  getCatalog(): IntegrationProviderDefinition[] {
+    return getCatalog();
+  }
+
+  /* ------------------------------------------------------------------ */
+  /*  Provider listing & configuration                                  */
+  /* ------------------------------------------------------------------ */
+
   listProviders(): IntegrationProviderSummary[] {
     return Object.values(this.providers).map((config) =>
       summarizeProvider(this.mergeProviderConfig(config)),
@@ -208,14 +237,30 @@ export class IntegrationsService implements OnModuleInit {
     this.providerOverrides.delete(providerId);
   }
 
+  /* ------------------------------------------------------------------ */
+  /*  Connection listing                                                */
+  /* ------------------------------------------------------------------ */
+
   async listConnections(userId: string): Promise<IntegrationConnection[]> {
     const records = await this.repository.listConnections(userId);
     return records.map((record) => this.toConnection(record));
   }
 
+  async listConnectionsForOrg(
+    auth: AuthContext,
+    provider?: string,
+  ): Promise<IntegrationConnection[]> {
+    const records = await this.repository.listConnectionsByOrg(auth.organizationId!, provider);
+    return records.map((record) => this.toConnection(record));
+  }
+
+  /* ------------------------------------------------------------------ */
+  /*  OAuth flow                                                        */
+  /* ------------------------------------------------------------------ */
+
   async startOAuthSession(
     providerId: string,
-    input: { userId: string; redirectUri: string; scopes?: string[] },
+    input: { userId: string; organizationId: string; redirectUri: string; scopes?: string[] },
   ): Promise<OAuthStartResponse> {
     const provider = await this.resolveProviderForAuth(providerId);
 
@@ -249,6 +294,7 @@ export class IntegrationsService implements OnModuleInit {
       state,
       userId: input.userId,
       provider: providerId,
+      organizationId: input.organizationId,
       codeVerifier,
     });
 
@@ -271,8 +317,13 @@ export class IntegrationsService implements OnModuleInit {
       scopes?: string[];
     },
   ): Promise<IntegrationConnection> {
+    this.logger.log(
+      `[completeOAuth] Starting exchange for provider=${providerId}, redirectUri=${input.redirectUri}`,
+    );
     const provider = await this.resolveProviderForAuth(providerId);
+    this.logger.log(`[completeOAuth] Provider resolved: ${provider.id}`);
     const stateRecord = await this.repository.consumeOAuthState(input.state);
+    this.logger.log(`[completeOAuth] State consumed: ${!!stateRecord}`);
 
     if (!stateRecord) {
       throw new BadRequestException('OAuth state is missing or has already been used');
@@ -284,8 +335,10 @@ export class IntegrationsService implements OnModuleInit {
       throw new BadRequestException('OAuth state does not match the provider');
     }
 
+    const organizationId = stateRecord.organizationId ?? `workspace-${input.userId}`;
     const scopes = this.normalizeScopes(input.scopes, provider);
 
+    this.logger.log(`[completeOAuth] Requesting tokens from ${provider.tokenUrl}`);
     const rawResponse = await this.requestTokens(provider, {
       grantType: 'authorization_code',
       code: input.code,
@@ -293,34 +346,51 @@ export class IntegrationsService implements OnModuleInit {
       codeVerifier: stateRecord.codeVerifier,
       scopes,
     });
+    this.logger.log(
+      `[completeOAuth] Token response received, keys: ${Object.keys(rawResponse).join(', ')}`,
+    );
 
     const persisted = await this.persistTokenResponse({
       userId: input.userId,
+      organizationId,
+      credentialType: 'oauth',
+      displayName: providerId,
       provider,
       scopes,
       rawResponse,
-      previous: await this.repository.findByProvider(input.userId, providerId),
+      previous: await this.repository.findByUserAndProvider(input.userId, providerId),
     });
+    this.logger.log(`[completeOAuth] Connection persisted: ${persisted.id}`);
 
     return this.toConnection(persisted);
   }
 
-  async refreshConnection(id: string, userId: string): Promise<IntegrationConnection> {
-    const record = await this.repository.findById(id);
-    if (!record || record.userId !== userId) {
-      throw new NotFoundException(`Connection ${id} was not found for user ${userId}`);
-    }
+  /* ------------------------------------------------------------------ */
+  /*  Refresh & disconnect                                              */
+  /* ------------------------------------------------------------------ */
 
+  async refreshConnection(id: string, auth: AuthContext): Promise<IntegrationConnection> {
+    const record = await this.assertConnectionOwnership(id, auth);
     const refreshed = await this.refreshTokenRecord(record);
     return this.toConnection(refreshed);
   }
 
-  async disconnect(id: string, userId: string): Promise<void> {
-    await this.repository.deleteConnection(id, userId);
+  async disconnect(id: string, auth: AuthContext): Promise<void> {
+    await this.assertConnectionOwnership(id, auth);
+
+    if (!auth.roles.includes('ADMIN')) {
+      throw new ForbiddenException('Only admins can disconnect integrations');
+    }
+
+    await this.repository.deleteConnection(id);
   }
 
+  /* ------------------------------------------------------------------ */
+  /*  Token retrieval                                                   */
+  /* ------------------------------------------------------------------ */
+
   async getProviderToken(providerId: string, userId: string): Promise<ProviderTokenResponse> {
-    const record = await this.repository.findByProvider(userId, providerId);
+    const record = await this.repository.findByUserAndProvider(userId, providerId);
     if (!record) {
       throw new NotFoundException(`No credentials found for provider ${providerId}`);
     }
@@ -365,6 +435,321 @@ export class IntegrationsService implements OnModuleInit {
     };
   }
 
+  /* ------------------------------------------------------------------ */
+  /*  AWS connection                                                    */
+  /* ------------------------------------------------------------------ */
+
+  getAwsSetupInfo(orgId: string): {
+    platformRoleArn: string;
+    externalId: string;
+    setupToken: string;
+    trustPolicyTemplate: string;
+    externalIdDisplay: string;
+  } {
+    let platformRoleArn: string;
+    try {
+      platformRoleArn = this.awsService.getPlatformRoleArn();
+    } catch {
+      throw new BadRequestException(
+        'AWS integration is not configured. Set the SHIPSEC_PLATFORM_ROLE_ARN environment variable and restart the backend.',
+      );
+    }
+    const externalId = generateExternalId();
+    const setupToken = this.setupTokenService.generate(orgId, externalId);
+    const trustPolicyTemplate = JSON.stringify(
+      {
+        Version: '2012-10-17',
+        Statement: [
+          {
+            Effect: 'Allow',
+            Principal: { AWS: platformRoleArn },
+            Action: 'sts:AssumeRole',
+            Condition: { StringEquals: { 'sts:ExternalId': externalId } },
+          },
+        ],
+      },
+      null,
+      2,
+    );
+    return {
+      platformRoleArn,
+      externalId,
+      setupToken,
+      trustPolicyTemplate,
+      externalIdDisplay: formatExternalIdForDisplay(externalId),
+    };
+  }
+
+  async createAwsConnection(
+    auth: AuthContext,
+    input: CreateAwsConnectionDto,
+  ): Promise<IntegrationConnection> {
+    const orgId = auth.organizationId!;
+    const userId = auth.userId!;
+
+    // Verify setup token — cryptographically binds externalId to this org
+    this.setupTokenService.verify(input.setupToken, orgId, input.externalId);
+
+    // Validate: can platform identity assume this role with this externalId?
+    try {
+      await this.awsService.assumeRoleWithPlatformIdentity(
+        input.roleArn,
+        input.externalId,
+        input.region,
+      );
+    } catch (error: any) {
+      const platformArn = this.awsService.getPlatformRoleArn();
+      throw new BadRequestException(
+        `Cannot assume role ${input.roleArn}. Ensure the trust policy includes: ` +
+          `Principal {"AWS": "${platformArn}"} and Condition sts:ExternalId: "${input.externalId}". ` +
+          `Error: ${error.message}`,
+      );
+    }
+
+    // Store: roleArn + externalId + region only — no customer secrets
+    const encryptedCreds = await this.encryption.encrypt(
+      JSON.stringify({
+        roleArn: input.roleArn,
+        externalId: input.externalId,
+        region: input.region,
+      }),
+    );
+
+    const record = await this.repository.insertConnection({
+      userId,
+      provider: 'aws',
+      organizationId: orgId,
+      credentialType: 'iam_role',
+      displayName: input.displayName,
+      scopes: [],
+      accessToken: encryptedCreds,
+      refreshToken: null,
+      tokenType: 'Bearer',
+      expiresAt: null,
+      lastValidatedAt: new Date(),
+      lastValidationStatus: 'valid',
+      metadata: {
+        roleArn: input.roleArn,
+        externalId: input.externalId,
+        region: input.region ?? null,
+      },
+    });
+    return this.toConnection(record);
+  }
+
+  /* ------------------------------------------------------------------ */
+  /*  Slack webhook connection                                          */
+  /* ------------------------------------------------------------------ */
+
+  async createSlackWebhookConnection(
+    auth: AuthContext,
+    input: { displayName: string; webhookUrl: string },
+  ): Promise<IntegrationConnection> {
+    const userId = auth.userId!;
+    const organizationId = auth.organizationId!;
+
+    // Encrypt the webhook URL as a JSON payload
+    const encryptedCreds = await this.encryption.encrypt(
+      JSON.stringify({ webhookUrl: input.webhookUrl }),
+    );
+
+    const record = await this.repository.insertConnection({
+      userId,
+      provider: 'slack',
+      organizationId,
+      credentialType: 'webhook',
+      displayName: input.displayName,
+      scopes: [],
+      accessToken: encryptedCreds,
+      refreshToken: null,
+      tokenType: 'Bearer',
+      expiresAt: null,
+      metadata: {},
+    });
+
+    return this.toConnection(record);
+  }
+
+  /* ------------------------------------------------------------------ */
+  /*  Connection validation                                             */
+  /* ------------------------------------------------------------------ */
+
+  async validateConnection(connectionId: string): Promise<{ valid: boolean; error?: string }> {
+    const record = await this.repository.findById(connectionId);
+    if (!record) {
+      throw new NotFoundException(`Connection ${connectionId} was not found`);
+    }
+
+    const decrypted = await this.encryption.decrypt(record.accessToken as SecretEncryptionMaterial);
+
+    let result: { valid: boolean; error?: string };
+
+    if (record.provider === 'aws' && record.credentialType === 'iam_role') {
+      const creds = JSON.parse(decrypted);
+      try {
+        await this.awsService.assumeRoleWithPlatformIdentity(
+          creds.roleArn,
+          creds.externalId,
+          creds.region,
+        );
+        result = { valid: true };
+      } catch (error: any) {
+        result = { valid: false, error: error.message };
+      }
+    } else if (record.provider === 'slack' && record.credentialType === 'webhook') {
+      const creds = JSON.parse(decrypted);
+      const webhookResult = await this.slackService.testWebhook(creds.webhookUrl);
+      result = { valid: webhookResult.ok, error: webhookResult.error };
+    } else {
+      // For OAuth or other types, we cannot generically validate; treat as valid.
+      result = { valid: true };
+    }
+
+    // Update health fields
+    await this.repository.updateConnectionHealth(connectionId, {
+      lastValidatedAt: new Date(),
+      lastValidationStatus: result.valid ? 'valid' : 'invalid',
+      lastValidationError: result.error ?? null,
+    });
+
+    return result;
+  }
+
+  /* ------------------------------------------------------------------ */
+  /*  AWS Org discovery                                                 */
+  /* ------------------------------------------------------------------ */
+
+  async discoverOrgAccounts(
+    connectionId: string,
+  ): Promise<{ accounts: { id: string; name: string; status: string; email: string }[] }> {
+    const record = await this.repository.findById(connectionId);
+    if (!record) {
+      throw new NotFoundException(`Connection ${connectionId} was not found`);
+    }
+
+    const decrypted = await this.encryption.decrypt(record.accessToken as SecretEncryptionMaterial);
+    const creds = JSON.parse(decrypted);
+
+    const assumed = await this.awsService.assumeRoleWithPlatformIdentity(
+      creds.roleArn,
+      creds.externalId,
+      creds.region,
+    );
+    return this.awsService.discoverOrgAccounts({
+      accessKeyId: assumed.accessKeyId,
+      secretAccessKey: assumed.secretAccessKey,
+      sessionToken: assumed.sessionToken,
+    });
+  }
+
+  /* ------------------------------------------------------------------ */
+  /*  Credential resolution (for worker / internal use)                 */
+  /* ------------------------------------------------------------------ */
+
+  async resolveConnectionCredentials(connectionId: string): Promise<{
+    credentialType: string;
+    provider: string;
+    data: Record<string, unknown>;
+    accountId?: string;
+    region?: string;
+    displayName?: string;
+  }> {
+    const record = await this.repository.findById(connectionId);
+    if (!record) {
+      throw new NotFoundException(`Connection ${connectionId} was not found`);
+    }
+
+    const decrypted = await this.encryption.decrypt(record.accessToken as SecretEncryptionMaterial);
+
+    let data: Record<string, unknown>;
+    let accountId: string | undefined;
+    let region: string | undefined;
+
+    switch (record.credentialType) {
+      case 'oauth': {
+        // Existing OAuth flow: decrypt + optional refresh, return access token
+        const provider = this.providers[record.provider];
+        let hydratedRecord = record;
+        if (provider) {
+          hydratedRecord = await this.ensureFreshToken(record, provider);
+        }
+        const accessToken = await this.encryption.decrypt(
+          hydratedRecord.accessToken as SecretEncryptionMaterial,
+        );
+        data = {
+          accessToken,
+          tokenType: hydratedRecord.tokenType ?? 'Bearer',
+        };
+        break;
+      }
+      case 'iam_role': {
+        const creds = JSON.parse(decrypted);
+        const assumed = await this.awsService.assumeRoleWithPlatformIdentity(
+          creds.roleArn,
+          creds.externalId,
+          creds.region,
+        );
+        data = {
+          accessKeyId: assumed.accessKeyId,
+          secretAccessKey: assumed.secretAccessKey,
+          sessionToken: assumed.sessionToken,
+          region: creds.region,
+        };
+        // Extract account ID from role ARN (arn:aws:iam::<account-id>:role/...)
+        const arnMatch =
+          typeof creds.roleArn === 'string' ? creds.roleArn.match(/^arn:aws:iam::(\d{12}):/) : null;
+        accountId = arnMatch?.[1];
+        region = creds.region ?? undefined;
+        break;
+      }
+      case 'webhook': {
+        const creds = JSON.parse(decrypted);
+        data = {
+          webhookUrl: creds.webhookUrl,
+        };
+        break;
+      }
+      default:
+        throw new BadRequestException(`Unsupported credential type: ${record.credentialType}`);
+    }
+
+    // Update lastUsedAt
+    await this.repository.updateLastUsedAt(connectionId);
+
+    return {
+      credentialType: record.credentialType,
+      provider: record.provider,
+      data,
+      accountId,
+      region,
+      displayName: record.displayName ?? undefined,
+    };
+  }
+
+  /* ------------------------------------------------------------------ */
+  /*  Ownership assertion                                               */
+  /* ------------------------------------------------------------------ */
+
+  async assertConnectionOwnership(
+    connectionId: string,
+    auth: AuthContext,
+  ): Promise<IntegrationTokenRecord> {
+    const record = await this.repository.findById(connectionId);
+    if (!record) {
+      throw new NotFoundException(`Connection ${connectionId} was not found`);
+    }
+
+    if (record.organizationId !== auth.organizationId) {
+      throw new ForbiddenException('You do not have access to this connection');
+    }
+
+    return record;
+  }
+
+  /* ------------------------------------------------------------------ */
+  /*  Private helpers: scopes                                           */
+  /* ------------------------------------------------------------------ */
+
   private cleanScopes(scopes: string[]): string[] {
     return Array.from(new Set(scopes.map((scope) => scope.trim()).filter(Boolean))).sort();
   }
@@ -384,6 +769,10 @@ export class IntegrationsService implements OnModuleInit {
     return this.cleanScopes(source);
   }
 
+  /* ------------------------------------------------------------------ */
+  /*  Private helpers: provider resolution                              */
+  /* ------------------------------------------------------------------ */
+
   private async resolveProviderForAuth(providerId: string): Promise<ResolvedProviderConfig> {
     const base = this.requireProvider(providerId);
     const override = this.providerOverrides.get(providerId);
@@ -413,23 +802,34 @@ export class IntegrationsService implements OnModuleInit {
     return provider;
   }
 
+  /* ------------------------------------------------------------------ */
+  /*  Private helpers: record ↔ connection mapping                      */
+  /* ------------------------------------------------------------------ */
+
   private toConnection(record: IntegrationTokenRecord): IntegrationConnection {
-    const provider = this.requireProvider(record.provider);
+    const provider = this.providers[record.provider];
+    const providerName = provider?.name ?? record.provider;
     const expiresAt = record.expiresAt ? new Date(record.expiresAt) : null;
     const isExpired = expiresAt ? expiresAt.getTime() < Date.now() : false;
 
     return {
       id: record.id,
       provider: record.provider,
-      providerName: provider.name,
+      providerName,
       userId: record.userId,
+      credentialType: record.credentialType ?? 'oauth',
+      displayName: record.displayName ?? record.provider,
+      organizationId: record.organizationId,
       scopes: record.scopes ?? [],
       tokenType: record.tokenType ?? 'Bearer',
       expiresAt,
+      lastValidatedAt: record.lastValidatedAt ? new Date(record.lastValidatedAt) : null,
+      lastValidationStatus: record.lastValidationStatus ?? null,
+      lastUsedAt: record.lastUsedAt ? new Date(record.lastUsedAt) : null,
       createdAt: new Date(record.createdAt),
       updatedAt: new Date(record.updatedAt),
       status: isExpired ? 'expired' : 'active',
-      supportsRefresh: provider.supportsRefresh,
+      supportsRefresh: provider?.supportsRefresh ?? false,
       hasRefreshToken: Boolean(record.refreshToken),
       metadata: this.coerceMetadata(record.metadata),
     };
@@ -442,6 +842,10 @@ export class IntegrationsService implements OnModuleInit {
     return metadata as Record<string, unknown>;
   }
 
+  /* ------------------------------------------------------------------ */
+  /*  Private helpers: PKCE                                             */
+  /* ------------------------------------------------------------------ */
+
   private generateCodeVerifier(): string {
     return randomBytes(32).toString('base64url');
   }
@@ -450,6 +854,10 @@ export class IntegrationsService implements OnModuleInit {
     return createHash('sha256').update(verifier).digest('base64url');
   }
 
+  /* ------------------------------------------------------------------ */
+  /*  Private helpers: token exchange                                   */
+  /* ------------------------------------------------------------------ */
+
   private async requestTokens(
     provider: IntegrationProviderConfig,
     options: TokenRequestOptions,
@@ -539,8 +947,15 @@ export class IntegrationsService implements OnModuleInit {
     return payload;
   }
 
+  /* ------------------------------------------------------------------ */
+  /*  Private helpers: persist & refresh token records                   */
+  /* ------------------------------------------------------------------ */
+
   private async persistTokenResponse(input: {
     userId: string;
+    organizationId: string;
+    credentialType: string;
+    displayName: string;
     provider: IntegrationProviderConfig;
     scopes: string[];
     rawResponse: Record<string, any>;
@@ -571,6 +986,9 @@ export class IntegrationsService implements OnModuleInit {
 
     return this.repository.upsertConnection({
       userId: input.userId,
+      organizationId: input.organizationId,
+      credentialType: input.credentialType,
+      displayName: input.displayName,
       provider: input.provider.id,
       scopes: grantedScopes,
       accessToken: accessMaterial,
@@ -629,6 +1047,9 @@ export class IntegrationsService implements OnModuleInit {
 
     return this.repository.upsertConnection({
       userId: record.userId,
+      organizationId: record.organizationId,
+      credentialType: record.credentialType ?? 'oauth',
+      displayName: record.displayName ?? record.provider,
       provider: record.provider,
       scopes: grantedScopes,
       accessToken: accessMaterial,
@@ -639,6 +1060,10 @@ export class IntegrationsService implements OnModuleInit {
     });
   }
 
+  /* ------------------------------------------------------------------ */
+  /*  Private helpers: token extraction & expiry                        */
+  /* ------------------------------------------------------------------ */
+
   private extractToken(value: unknown, field: string): string {
     if (typeof value === 'string' && value.trim().length > 0) {
       return value;
diff --git a/backend/src/integrations/setup-token.service.ts b/backend/src/integrations/setup-token.service.ts
new file mode 100644
index 00000000..8b7f0282
--- /dev/null
+++ b/backend/src/integrations/setup-token.service.ts
@@ -0,0 +1,75 @@
+import { Injectable, Logger, BadRequestException } from '@nestjs/common';
+import { createHmac } from 'crypto';
+
+interface SetupTokenPayload {
+  orgId: string;
+  externalId: string;
+  exp: number; // Unix timestamp
+}
+
+const SETUP_TOKEN_TTL_MS = 30 * 60 * 1000; // 30 minutes
+const DEFAULT_DEV_SIGNING_KEY = 'fedcba9876543210fedcba9876543210';
+
+@Injectable()
+export class SetupTokenService {
+  private readonly logger = new Logger(SetupTokenService.name);
+  private readonly signingKey: string;
+
+  constructor() {
+    const key =
+      process.env.INTEGRATION_STORE_MASTER_KEY ??
+      process.env.SECRET_STORE_MASTER_KEY ??
+      DEFAULT_DEV_SIGNING_KEY;
+
+    if (!process.env.INTEGRATION_STORE_MASTER_KEY && !process.env.SECRET_STORE_MASTER_KEY) {
+      this.logger.warn(
+        'INTEGRATION_STORE_MASTER_KEY is not configured. Using insecure dev key for setup tokens.',
+      );
+    }
+
+    this.signingKey = key;
+  }
+
+  generate(orgId: string, externalId: string): string {
+    const payload: SetupTokenPayload = {
+      orgId,
+      externalId,
+      exp: Date.now() + SETUP_TOKEN_TTL_MS,
+    };
+    const data = JSON.stringify(payload);
+    const sig = createHmac('sha256', this.signingKey).update(data).digest('hex');
+    // base64url(payload.sig)
+    return Buffer.from(`${data}.${sig}`).toString('base64url');
+  }
+
+  verify(token: string, orgId: string, externalId: string): void {
+    let decoded: string;
+    try {
+      decoded = Buffer.from(token, 'base64url').toString('utf8');
+    } catch {
+      throw new BadRequestException('Invalid setup token');
+    }
+
+    const dotIdx = decoded.lastIndexOf('.');
+    if (dotIdx === -1) throw new BadRequestException('Invalid setup token format');
+
+    const data = decoded.slice(0, dotIdx);
+    const sig = decoded.slice(dotIdx + 1);
+
+    const expectedSig = createHmac('sha256', this.signingKey).update(data).digest('hex');
+    if (sig !== expectedSig) {
+      throw new BadRequestException('Setup token signature invalid');
+    }
+
+    const payload: SetupTokenPayload = JSON.parse(data);
+    if (Date.now() > payload.exp) {
+      throw new BadRequestException('Setup token expired — please restart the connection setup');
+    }
+    if (payload.orgId !== orgId) {
+      throw new BadRequestException('Setup token organization mismatch');
+    }
+    if (payload.externalId !== externalId) {
+      throw new BadRequestException('External ID does not match setup token');
+    }
+  }
+}
diff --git a/backend/src/integrations/slack.service.ts b/backend/src/integrations/slack.service.ts
new file mode 100644
index 00000000..e2ade5fe
--- /dev/null
+++ b/backend/src/integrations/slack.service.ts
@@ -0,0 +1,116 @@
+import { Injectable, Logger } from '@nestjs/common';
+
+@Injectable()
+export class SlackService {
+  private readonly logger = new Logger(SlackService.name);
+
+  /**
+   * Test a Slack webhook URL by sending a test message
+   */
+  async testWebhook(webhookUrl: string): Promise<{ ok: boolean; error?: string }> {
+    try {
+      const response = await fetch(webhookUrl, {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+        },
+        body: JSON.stringify({
+          text: 'ShipSec test message — your Slack webhook is configured correctly.',
+        }),
+      });
+
+      if (!response.ok) {
+        const errorText = await response.text();
+        this.logger.error(`Webhook test failed: ${response.status} ${errorText}`);
+        return {
+          ok: false,
+          error: `Webhook returned status ${response.status}: ${errorText}`,
+        };
+      }
+
+      return { ok: true };
+    } catch (error) {
+      this.logger.error('Network error testing webhook:', error);
+      return {
+        ok: false,
+        error: error instanceof Error ? error.message : 'Unknown network error',
+      };
+    }
+  }
+
+  /**
+   * List Slack channels using a bot token
+   */
+  async listChannels(botToken: string): Promise<{ channels: { id: string; name: string }[] }> {
+    try {
+      const response = await fetch('https://slack.com/api/conversations.list', {
+        method: 'GET',
+        headers: {
+          Authorization: `Bearer ${botToken}`,
+          'Content-Type': 'application/json',
+        },
+      });
+
+      const data = await response.json();
+
+      if (!data.ok) {
+        this.logger.error(`Slack API error: ${data.error}`);
+        throw new Error(data.error || 'Failed to list channels');
+      }
+
+      const channels = (data.channels || []).map((channel: any) => ({
+        id: channel.id,
+        name: channel.name,
+      }));
+
+      return { channels };
+    } catch (error) {
+      this.logger.error('Error listing Slack channels:', error);
+      throw error;
+    }
+  }
+
+  /**
+   * Send a message to a Slack channel using a bot token
+   */
+  async sendMessage(
+    botToken: string,
+    channel: string,
+    text: string,
+  ): Promise<{ ok: boolean; error?: string; ts?: string }> {
+    try {
+      const response = await fetch('https://slack.com/api/chat.postMessage', {
+        method: 'POST',
+        headers: {
+          Authorization: `Bearer ${botToken}`,
+          'Content-Type': 'application/json',
+        },
+        body: JSON.stringify({
+          channel,
+          text,
+        }),
+      });
+
+      const data = await response.json();
+
+      if (!data.ok) {
+        this.logger.error(`Failed to send message: ${data.error}`);
+        return {
+          ok: false,
+          error: data.error || 'Failed to send message',
+        };
+      }
+
+      return {
+        ok: true,
+        ts: data.ts,
+      };
+    } catch (error) {
+      this.logger.error('Network error sending message:', error);
+      return {
+        ok: false,
+        error: error instanceof Error ? error.message : 'Unknown network error',
+      };
+    }
+  }
+}
diff --git a/backend/src/main.ts b/backend/src/main.ts
index 8c8c4236..233b259e 100644
--- a/backend/src/main.ts
+++ b/backend/src/main.ts
@@ -41,6 +41,12 @@ async function bootstrap() {
     instanceOrigins.push(`http://127.0.0.1:${backendPort}`);
   }
 
+  // Allow extra CORS origins (e.g. ngrok tunnels) via comma-separated env var
+  const extraOrigins = (process.env.CORS_EXTRA_ORIGINS ?? '')
+    .split(',')
+    .map((o) => o.trim())
+    .filter(Boolean);
+
   app.enableCors({
     origin: [
       'http://localhost',
@@ -48,6 +54,7 @@ async function bootstrap() {
       'http://localhost:8090',
       'https://studio.shipsec.ai',
       ...instanceOrigins,
+      ...extraOrigins,
     ],
     credentials: true,
     methods: ['GET', 'POST', 'PUT', 'DELETE', 'PATCH', 'OPTIONS'],
diff --git a/bun.lock b/bun.lock
index d994c1f6..bd31553e 100644
--- a/bun.lock
+++ b/bun.lock
@@ -31,6 +31,8 @@
       "name": "@shipsec/studio-backend",
       "version": "0.1.0",
       "dependencies": {
+        "@aws-sdk/client-organizations": "^3.750.0",
+        "@aws-sdk/client-sts": "^3.750.0",
         "@clerk/backend": "^2.29.5",
         "@clerk/types": "^4.101.13",
         "@grpc/grpc-js": "^1.14.3",
@@ -254,7 +256,9 @@
         "@ai-sdk/google": "^3.0.13",
         "@ai-sdk/mcp": "^1.0.13",
         "@ai-sdk/openai": "^3.0.18",
+        "@aws-sdk/client-organizations": "^3.987.0",
         "@aws-sdk/client-s3": "^3.975.0",
+        "@aws-sdk/client-sts": "^3.987.0",
         "@googleapis/admin": "^29.0.0",
         "@grpc/grpc-js": "^1.14.3",
         "@modelcontextprotocol/sdk": "^1.25.1",
@@ -351,29 +355,33 @@
 
     "@aws-crypto/util": ["@aws-crypto/util@5.2.0", "", { "dependencies": { "@aws-sdk/types": "^3.222.0", "@smithy/util-utf8": "^2.0.0", "tslib": "^2.6.2" } }, "sha512-4RkU9EsI6ZpBve5fseQlGNUWKMa1RLPQ1dnjnQoe07ldfIzcsGb5hC5W0Dm7u423KWzawlrpbjXBrXCEv9zazQ=="],
 
+    "@aws-sdk/client-organizations": ["@aws-sdk/client-organizations@3.986.0", "", { "dependencies": { "@aws-crypto/sha256-browser": "5.2.0", "@aws-crypto/sha256-js": "5.2.0", "@aws-sdk/core": "^3.973.7", "@aws-sdk/credential-provider-node": "^3.972.6", "@aws-sdk/middleware-host-header": "^3.972.3", "@aws-sdk/middleware-logger": "^3.972.3", "@aws-sdk/middleware-recursion-detection": "^3.972.3", "@aws-sdk/middleware-user-agent": "^3.972.7", "@aws-sdk/region-config-resolver": "^3.972.3", "@aws-sdk/types": "^3.973.1", "@aws-sdk/util-endpoints": "3.986.0", "@aws-sdk/util-user-agent-browser": "^3.972.3", "@aws-sdk/util-user-agent-node": "^3.972.5", "@smithy/config-resolver": "^4.4.6", "@smithy/core": "^3.22.1", "@smithy/fetch-http-handler": "^5.3.9", "@smithy/hash-node": "^4.2.8", "@smithy/invalid-dependency": "^4.2.8", "@smithy/middleware-content-length": "^4.2.8", "@smithy/middleware-endpoint": "^4.4.13", "@smithy/middleware-retry": "^4.4.30", "@smithy/middleware-serde": "^4.2.9", "@smithy/middleware-stack": "^4.2.8", "@smithy/node-config-provider": "^4.3.8", "@smithy/node-http-handler": "^4.4.9", "@smithy/protocol-http": "^5.3.8", "@smithy/smithy-client": "^4.11.2", "@smithy/types": "^4.12.0", "@smithy/url-parser": "^4.2.8", "@smithy/util-base64": "^4.3.0", "@smithy/util-body-length-browser": "^4.2.0", "@smithy/util-body-length-node": "^4.2.1", "@smithy/util-defaults-mode-browser": "^4.3.29", "@smithy/util-defaults-mode-node": "^4.2.32", "@smithy/util-endpoints": "^3.2.8", "@smithy/util-middleware": "^4.2.8", "@smithy/util-retry": "^4.2.8", "@smithy/util-utf8": "^4.2.0", "tslib": "^2.6.2" } }, "sha512-t3uDpFtbUm4gW92EUJd0eEJW2K5FAeePBgbiAHg88mNTaKzLvHj3C96Kxc3yUg1xHH6XNKjEm+8yCuQ7LDrdPw=="],
+
     "@aws-sdk/client-s3": ["@aws-sdk/client-s3@3.980.0", "", { "dependencies": { "@aws-crypto/sha1-browser": "5.2.0", "@aws-crypto/sha256-browser": "5.2.0", "@aws-crypto/sha256-js": "5.2.0", "@aws-sdk/core": "^3.973.5", "@aws-sdk/credential-provider-node": "^3.972.4", "@aws-sdk/middleware-bucket-endpoint": "^3.972.3", "@aws-sdk/middleware-expect-continue": "^3.972.3", "@aws-sdk/middleware-flexible-checksums": "^3.972.3", "@aws-sdk/middleware-host-header": "^3.972.3", "@aws-sdk/middleware-location-constraint": "^3.972.3", "@aws-sdk/middleware-logger": "^3.972.3", "@aws-sdk/middleware-recursion-detection": "^3.972.3", "@aws-sdk/middleware-sdk-s3": "^3.972.5", "@aws-sdk/middleware-ssec": "^3.972.3", "@aws-sdk/middleware-user-agent": "^3.972.5", "@aws-sdk/region-config-resolver": "^3.972.3", "@aws-sdk/signature-v4-multi-region": "3.980.0", "@aws-sdk/types": "^3.973.1", "@aws-sdk/util-endpoints": "3.980.0", "@aws-sdk/util-user-agent-browser": "^3.972.3", "@aws-sdk/util-user-agent-node": "^3.972.3", "@smithy/config-resolver": "^4.4.6", "@smithy/core": "^3.22.0", "@smithy/eventstream-serde-browser": "^4.2.8", "@smithy/eventstream-serde-config-resolver": "^4.3.8", "@smithy/eventstream-serde-node": "^4.2.8", "@smithy/fetch-http-handler": "^5.3.9", "@smithy/hash-blob-browser": "^4.2.9", "@smithy/hash-node": "^4.2.8", "@smithy/hash-stream-node": "^4.2.8", "@smithy/invalid-dependency": "^4.2.8", "@smithy/md5-js": "^4.2.8", "@smithy/middleware-content-length": "^4.2.8", "@smithy/middleware-endpoint": "^4.4.12", "@smithy/middleware-retry": "^4.4.29", "@smithy/middleware-serde": "^4.2.9", "@smithy/middleware-stack": "^4.2.8", "@smithy/node-config-provider": "^4.3.8", "@smithy/node-http-handler": "^4.4.8", "@smithy/protocol-http": "^5.3.8", "@smithy/smithy-client": "^4.11.1", "@smithy/types": "^4.12.0", "@smithy/url-parser": "^4.2.8", "@smithy/util-base64": "^4.3.0", "@smithy/util-body-length-browser": "^4.2.0", "@smithy/util-body-length-node": "^4.2.1", "@smithy/util-defaults-mode-browser": "^4.3.28", "@smithy/util-defaults-mode-node": "^4.2.31", "@smithy/util-endpoints": "^3.2.8", "@smithy/util-middleware": "^4.2.8", "@smithy/util-retry": "^4.2.8", "@smithy/util-stream": "^4.5.10", "@smithy/util-utf8": "^4.2.0", "@smithy/util-waiter": "^4.2.8", "tslib": "^2.6.2" } }, "sha512-ch8QqKehyn1WOYbd8LyDbWjv84Z9OEj9qUxz8q3IOCU3ftAVkVR0wAuN96a1xCHnpOJcQZo3rOB08RlyKdkGxQ=="],
 
-    "@aws-sdk/client-sso": ["@aws-sdk/client-sso@3.980.0", "", { "dependencies": { "@aws-crypto/sha256-browser": "5.2.0", "@aws-crypto/sha256-js": "5.2.0", "@aws-sdk/core": "^3.973.5", "@aws-sdk/middleware-host-header": "^3.972.3", "@aws-sdk/middleware-logger": "^3.972.3", "@aws-sdk/middleware-recursion-detection": "^3.972.3", "@aws-sdk/middleware-user-agent": "^3.972.5", "@aws-sdk/region-config-resolver": "^3.972.3", "@aws-sdk/types": "^3.973.1", "@aws-sdk/util-endpoints": "3.980.0", "@aws-sdk/util-user-agent-browser": "^3.972.3", "@aws-sdk/util-user-agent-node": "^3.972.3", "@smithy/config-resolver": "^4.4.6", "@smithy/core": "^3.22.0", "@smithy/fetch-http-handler": "^5.3.9", "@smithy/hash-node": "^4.2.8", "@smithy/invalid-dependency": "^4.2.8", "@smithy/middleware-content-length": "^4.2.8", "@smithy/middleware-endpoint": "^4.4.12", "@smithy/middleware-retry": "^4.4.29", "@smithy/middleware-serde": "^4.2.9", "@smithy/middleware-stack": "^4.2.8", "@smithy/node-config-provider": "^4.3.8", "@smithy/node-http-handler": "^4.4.8", "@smithy/protocol-http": "^5.3.8", "@smithy/smithy-client": "^4.11.1", "@smithy/types": "^4.12.0", "@smithy/url-parser": "^4.2.8", "@smithy/util-base64": "^4.3.0", "@smithy/util-body-length-browser": "^4.2.0", "@smithy/util-body-length-node": "^4.2.1", "@smithy/util-defaults-mode-browser": "^4.3.28", "@smithy/util-defaults-mode-node": "^4.2.31", "@smithy/util-endpoints": "^3.2.8", "@smithy/util-middleware": "^4.2.8", "@smithy/util-retry": "^4.2.8", "@smithy/util-utf8": "^4.2.0", "tslib": "^2.6.2" } }, "sha512-AhNXQaJ46C1I+lQ+6Kj+L24il5K9lqqIanJd8lMszPmP7bLnmX0wTKK0dxywcvrLdij3zhWttjAKEBNgLtS8/A=="],
+    "@aws-sdk/client-sso": ["@aws-sdk/client-sso@3.985.0", "", { "dependencies": { "@aws-crypto/sha256-browser": "5.2.0", "@aws-crypto/sha256-js": "5.2.0", "@aws-sdk/core": "^3.973.7", "@aws-sdk/middleware-host-header": "^3.972.3", "@aws-sdk/middleware-logger": "^3.972.3", "@aws-sdk/middleware-recursion-detection": "^3.972.3", "@aws-sdk/middleware-user-agent": "^3.972.7", "@aws-sdk/region-config-resolver": "^3.972.3", "@aws-sdk/types": "^3.973.1", "@aws-sdk/util-endpoints": "3.985.0", "@aws-sdk/util-user-agent-browser": "^3.972.3", "@aws-sdk/util-user-agent-node": "^3.972.5", "@smithy/config-resolver": "^4.4.6", "@smithy/core": "^3.22.1", "@smithy/fetch-http-handler": "^5.3.9", "@smithy/hash-node": "^4.2.8", "@smithy/invalid-dependency": "^4.2.8", "@smithy/middleware-content-length": "^4.2.8", "@smithy/middleware-endpoint": "^4.4.13", "@smithy/middleware-retry": "^4.4.30", "@smithy/middleware-serde": "^4.2.9", "@smithy/middleware-stack": "^4.2.8", "@smithy/node-config-provider": "^4.3.8", "@smithy/node-http-handler": "^4.4.9", "@smithy/protocol-http": "^5.3.8", "@smithy/smithy-client": "^4.11.2", "@smithy/types": "^4.12.0", "@smithy/url-parser": "^4.2.8", "@smithy/util-base64": "^4.3.0", "@smithy/util-body-length-browser": "^4.2.0", "@smithy/util-body-length-node": "^4.2.1", "@smithy/util-defaults-mode-browser": "^4.3.29", "@smithy/util-defaults-mode-node": "^4.2.32", "@smithy/util-endpoints": "^3.2.8", "@smithy/util-middleware": "^4.2.8", "@smithy/util-retry": "^4.2.8", "@smithy/util-utf8": "^4.2.0", "tslib": "^2.6.2" } }, "sha512-81J8iE8MuXhdbMfIz4sWFj64Pe41bFi/uqqmqOC5SlGv+kwoyLsyKS/rH2tW2t5buih4vTUxskRjxlqikTD4oQ=="],
+
+    "@aws-sdk/client-sts": ["@aws-sdk/client-sts@3.986.0", "", { "dependencies": { "@aws-crypto/sha256-browser": "5.2.0", "@aws-crypto/sha256-js": "5.2.0", "@aws-sdk/core": "^3.973.7", "@aws-sdk/credential-provider-node": "^3.972.6", "@aws-sdk/middleware-host-header": "^3.972.3", "@aws-sdk/middleware-logger": "^3.972.3", "@aws-sdk/middleware-recursion-detection": "^3.972.3", "@aws-sdk/middleware-user-agent": "^3.972.7", "@aws-sdk/region-config-resolver": "^3.972.3", "@aws-sdk/types": "^3.973.1", "@aws-sdk/util-endpoints": "3.986.0", "@aws-sdk/util-user-agent-browser": "^3.972.3", "@aws-sdk/util-user-agent-node": "^3.972.5", "@smithy/config-resolver": "^4.4.6", "@smithy/core": "^3.22.1", "@smithy/fetch-http-handler": "^5.3.9", "@smithy/hash-node": "^4.2.8", "@smithy/invalid-dependency": "^4.2.8", "@smithy/middleware-content-length": "^4.2.8", "@smithy/middleware-endpoint": "^4.4.13", "@smithy/middleware-retry": "^4.4.30", "@smithy/middleware-serde": "^4.2.9", "@smithy/middleware-stack": "^4.2.8", "@smithy/node-config-provider": "^4.3.8", "@smithy/node-http-handler": "^4.4.9", "@smithy/protocol-http": "^5.3.8", "@smithy/smithy-client": "^4.11.2", "@smithy/types": "^4.12.0", "@smithy/url-parser": "^4.2.8", "@smithy/util-base64": "^4.3.0", "@smithy/util-body-length-browser": "^4.2.0", "@smithy/util-body-length-node": "^4.2.1", "@smithy/util-defaults-mode-browser": "^4.3.29", "@smithy/util-defaults-mode-node": "^4.2.32", "@smithy/util-endpoints": "^3.2.8", "@smithy/util-middleware": "^4.2.8", "@smithy/util-retry": "^4.2.8", "@smithy/util-utf8": "^4.2.0", "tslib": "^2.6.2" } }, "sha512-MKL3OSaUXJ4Xftl+sm7n7o8pJmX5FQgIFc/suWPoNvKEdMJOC+/+2DYjjpASw5X89LL4+9xL2BHhz0y32m5FYw=="],
 
-    "@aws-sdk/core": ["@aws-sdk/core@3.973.5", "", { "dependencies": { "@aws-sdk/types": "^3.973.1", "@aws-sdk/xml-builder": "^3.972.2", "@smithy/core": "^3.22.0", "@smithy/node-config-provider": "^4.3.8", "@smithy/property-provider": "^4.2.8", "@smithy/protocol-http": "^5.3.8", "@smithy/signature-v4": "^5.3.8", "@smithy/smithy-client": "^4.11.1", "@smithy/types": "^4.12.0", "@smithy/util-base64": "^4.3.0", "@smithy/util-middleware": "^4.2.8", "@smithy/util-utf8": "^4.2.0", "tslib": "^2.6.2" } }, "sha512-IMM7xGfLGW6lMvubsA4j6BHU5FPgGAxoQ/NA63KqNLMwTS+PeMBcx8DPHL12Vg6yqOZnqok9Mu4H2BdQyq7gSA=="],
+    "@aws-sdk/core": ["@aws-sdk/core@3.973.7", "", { "dependencies": { "@aws-sdk/types": "^3.973.1", "@aws-sdk/xml-builder": "^3.972.4", "@smithy/core": "^3.22.1", "@smithy/node-config-provider": "^4.3.8", "@smithy/property-provider": "^4.2.8", "@smithy/protocol-http": "^5.3.8", "@smithy/signature-v4": "^5.3.8", "@smithy/smithy-client": "^4.11.2", "@smithy/types": "^4.12.0", "@smithy/util-base64": "^4.3.0", "@smithy/util-middleware": "^4.2.8", "@smithy/util-utf8": "^4.2.0", "tslib": "^2.6.2" } }, "sha512-wNZZQQNlJ+hzD49cKdo+PY6rsTDElO8yDImnrI69p2PLBa7QomeUKAJWYp9xnaR38nlHqWhMHZuYLCQ3oSX+xg=="],
 
     "@aws-sdk/crc64-nvme": ["@aws-sdk/crc64-nvme@3.972.0", "", { "dependencies": { "@smithy/types": "^4.12.0", "tslib": "^2.6.2" } }, "sha512-ThlLhTqX68jvoIVv+pryOdb5coP1cX1/MaTbB9xkGDCbWbsqQcLqzPxuSoW1DCnAAIacmXCWpzUNOB9pv+xXQw=="],
 
-    "@aws-sdk/credential-provider-env": ["@aws-sdk/credential-provider-env@3.972.3", "", { "dependencies": { "@aws-sdk/core": "^3.973.5", "@aws-sdk/types": "^3.973.1", "@smithy/property-provider": "^4.2.8", "@smithy/types": "^4.12.0", "tslib": "^2.6.2" } }, "sha512-OBYNY4xQPq7Rx+oOhtyuyO0AQvdJSpXRg7JuPNBJH4a1XXIzJQl4UHQTPKZKwfJXmYLpv4+OkcFen4LYmDPd3g=="],
+    "@aws-sdk/credential-provider-env": ["@aws-sdk/credential-provider-env@3.972.5", "", { "dependencies": { "@aws-sdk/core": "^3.973.7", "@aws-sdk/types": "^3.973.1", "@smithy/property-provider": "^4.2.8", "@smithy/types": "^4.12.0", "tslib": "^2.6.2" } }, "sha512-LxJ9PEO4gKPXzkufvIESUysykPIdrV7+Ocb9yAhbhJLE4TiAYqbCVUE+VuKP1leGR1bBfjWjYgSV5MxprlX3mQ=="],
 
-    "@aws-sdk/credential-provider-http": ["@aws-sdk/credential-provider-http@3.972.5", "", { "dependencies": { "@aws-sdk/core": "^3.973.5", "@aws-sdk/types": "^3.973.1", "@smithy/fetch-http-handler": "^5.3.9", "@smithy/node-http-handler": "^4.4.8", "@smithy/property-provider": "^4.2.8", "@smithy/protocol-http": "^5.3.8", "@smithy/smithy-client": "^4.11.1", "@smithy/types": "^4.12.0", "@smithy/util-stream": "^4.5.10", "tslib": "^2.6.2" } }, "sha512-GpvBgEmSZPvlDekd26Zi+XsI27Qz7y0utUx0g2fSTSiDzhnd1FSa1owuodxR0BcUKNL7U2cOVhhDxgZ4iSoPVg=="],
+    "@aws-sdk/credential-provider-http": ["@aws-sdk/credential-provider-http@3.972.7", "", { "dependencies": { "@aws-sdk/core": "^3.973.7", "@aws-sdk/types": "^3.973.1", "@smithy/fetch-http-handler": "^5.3.9", "@smithy/node-http-handler": "^4.4.9", "@smithy/property-provider": "^4.2.8", "@smithy/protocol-http": "^5.3.8", "@smithy/smithy-client": "^4.11.2", "@smithy/types": "^4.12.0", "@smithy/util-stream": "^4.5.11", "tslib": "^2.6.2" } }, "sha512-L2uOGtvp2x3bTcxFTpSM+GkwFIPd8pHfGWO1764icMbo7e5xJh0nfhx1UwkXLnwvocTNEf8A7jISZLYjUSNaTg=="],
 
-    "@aws-sdk/credential-provider-ini": ["@aws-sdk/credential-provider-ini@3.972.3", "", { "dependencies": { "@aws-sdk/core": "^3.973.5", "@aws-sdk/credential-provider-env": "^3.972.3", "@aws-sdk/credential-provider-http": "^3.972.5", "@aws-sdk/credential-provider-login": "^3.972.3", "@aws-sdk/credential-provider-process": "^3.972.3", "@aws-sdk/credential-provider-sso": "^3.972.3", "@aws-sdk/credential-provider-web-identity": "^3.972.3", "@aws-sdk/nested-clients": "3.980.0", "@aws-sdk/types": "^3.973.1", "@smithy/credential-provider-imds": "^4.2.8", "@smithy/property-provider": "^4.2.8", "@smithy/shared-ini-file-loader": "^4.4.3", "@smithy/types": "^4.12.0", "tslib": "^2.6.2" } }, "sha512-rMQAIxstP7cLgYfsRGrGOlpyMl0l8JL2mcke3dsIPLWke05zKOFyR7yoJzWCsI/QiIxjRbxpvPiAeKEA6CoYkg=="],
+    "@aws-sdk/credential-provider-ini": ["@aws-sdk/credential-provider-ini@3.972.5", "", { "dependencies": { "@aws-sdk/core": "^3.973.7", "@aws-sdk/credential-provider-env": "^3.972.5", "@aws-sdk/credential-provider-http": "^3.972.7", "@aws-sdk/credential-provider-login": "^3.972.5", "@aws-sdk/credential-provider-process": "^3.972.5", "@aws-sdk/credential-provider-sso": "^3.972.5", "@aws-sdk/credential-provider-web-identity": "^3.972.5", "@aws-sdk/nested-clients": "3.985.0", "@aws-sdk/types": "^3.973.1", "@smithy/credential-provider-imds": "^4.2.8", "@smithy/property-provider": "^4.2.8", "@smithy/shared-ini-file-loader": "^4.4.3", "@smithy/types": "^4.12.0", "tslib": "^2.6.2" } }, "sha512-SdDTYE6jkARzOeL7+kudMIM4DaFnP5dZVeatzw849k4bSXDdErDS188bgeNzc/RA2WGrlEpsqHUKP6G7sVXhZg=="],
 
-    "@aws-sdk/credential-provider-login": ["@aws-sdk/credential-provider-login@3.972.3", "", { "dependencies": { "@aws-sdk/core": "^3.973.5", "@aws-sdk/nested-clients": "3.980.0", "@aws-sdk/types": "^3.973.1", "@smithy/property-provider": "^4.2.8", "@smithy/protocol-http": "^5.3.8", "@smithy/shared-ini-file-loader": "^4.4.3", "@smithy/types": "^4.12.0", "tslib": "^2.6.2" } }, "sha512-Gc3O91iVvA47kp2CLIXOwuo5ffo1cIpmmyIewcYjAcvurdFHQ8YdcBe1KHidnbbBO4/ZtywGBACsAX5vr3UdoA=="],
+    "@aws-sdk/credential-provider-login": ["@aws-sdk/credential-provider-login@3.972.5", "", { "dependencies": { "@aws-sdk/core": "^3.973.7", "@aws-sdk/nested-clients": "3.985.0", "@aws-sdk/types": "^3.973.1", "@smithy/property-provider": "^4.2.8", "@smithy/protocol-http": "^5.3.8", "@smithy/shared-ini-file-loader": "^4.4.3", "@smithy/types": "^4.12.0", "tslib": "^2.6.2" } }, "sha512-uYq1ILyTSI6ZDCMY5+vUsRM0SOCVI7kaW4wBrehVVkhAxC6y+e9rvGtnoZqCOWL1gKjTMouvsf4Ilhc5NCg1Aw=="],
 
-    "@aws-sdk/credential-provider-node": ["@aws-sdk/credential-provider-node@3.972.4", "", { "dependencies": { "@aws-sdk/credential-provider-env": "^3.972.3", "@aws-sdk/credential-provider-http": "^3.972.5", "@aws-sdk/credential-provider-ini": "^3.972.3", "@aws-sdk/credential-provider-process": "^3.972.3", "@aws-sdk/credential-provider-sso": "^3.972.3", "@aws-sdk/credential-provider-web-identity": "^3.972.3", "@aws-sdk/types": "^3.973.1", "@smithy/credential-provider-imds": "^4.2.8", "@smithy/property-provider": "^4.2.8", "@smithy/shared-ini-file-loader": "^4.4.3", "@smithy/types": "^4.12.0", "tslib": "^2.6.2" } }, "sha512-UwerdzosMSY7V5oIZm3NsMDZPv2aSVzSkZxYxIOWHBeKTZlUqW7XpHtJMZ4PZpJ+HMRhgP+MDGQx4THndgqJfQ=="],
+    "@aws-sdk/credential-provider-node": ["@aws-sdk/credential-provider-node@3.972.6", "", { "dependencies": { "@aws-sdk/credential-provider-env": "^3.972.5", "@aws-sdk/credential-provider-http": "^3.972.7", "@aws-sdk/credential-provider-ini": "^3.972.5", "@aws-sdk/credential-provider-process": "^3.972.5", "@aws-sdk/credential-provider-sso": "^3.972.5", "@aws-sdk/credential-provider-web-identity": "^3.972.5", "@aws-sdk/types": "^3.973.1", "@smithy/credential-provider-imds": "^4.2.8", "@smithy/property-provider": "^4.2.8", "@smithy/shared-ini-file-loader": "^4.4.3", "@smithy/types": "^4.12.0", "tslib": "^2.6.2" } }, "sha512-DZ3CnAAtSVtVz+G+ogqecaErMLgzph4JH5nYbHoBMgBkwTUV+SUcjsjOJwdBJTHu3Dm6l5LBYekZoU2nDqQk2A=="],
 
-    "@aws-sdk/credential-provider-process": ["@aws-sdk/credential-provider-process@3.972.3", "", { "dependencies": { "@aws-sdk/core": "^3.973.5", "@aws-sdk/types": "^3.973.1", "@smithy/property-provider": "^4.2.8", "@smithy/shared-ini-file-loader": "^4.4.3", "@smithy/types": "^4.12.0", "tslib": "^2.6.2" } }, "sha512-xkSY7zjRqeVc6TXK2xr3z1bTLm0wD8cj3lAkproRGaO4Ku7dPlKy843YKnHrUOUzOnMezdZ4xtmFc0eKIDTo2w=="],
+    "@aws-sdk/credential-provider-process": ["@aws-sdk/credential-provider-process@3.972.5", "", { "dependencies": { "@aws-sdk/core": "^3.973.7", "@aws-sdk/types": "^3.973.1", "@smithy/property-provider": "^4.2.8", "@smithy/shared-ini-file-loader": "^4.4.3", "@smithy/types": "^4.12.0", "tslib": "^2.6.2" } }, "sha512-HDKF3mVbLnuqGg6dMnzBf1VUOywE12/N286msI9YaK9mEIzdsGCtLTvrDhe3Up0R9/hGFbB+9l21/TwF5L1C6g=="],
 
-    "@aws-sdk/credential-provider-sso": ["@aws-sdk/credential-provider-sso@3.972.3", "", { "dependencies": { "@aws-sdk/client-sso": "3.980.0", "@aws-sdk/core": "^3.973.5", "@aws-sdk/token-providers": "3.980.0", "@aws-sdk/types": "^3.973.1", "@smithy/property-provider": "^4.2.8", "@smithy/shared-ini-file-loader": "^4.4.3", "@smithy/types": "^4.12.0", "tslib": "^2.6.2" } }, "sha512-8Ww3F5Ngk8dZ6JPL/V5LhCU1BwMfQd3tLdoEuzaewX8FdnT633tPr+KTHySz9FK7fFPcz5qG3R5edVEhWQD4AA=="],
+    "@aws-sdk/credential-provider-sso": ["@aws-sdk/credential-provider-sso@3.972.5", "", { "dependencies": { "@aws-sdk/client-sso": "3.985.0", "@aws-sdk/core": "^3.973.7", "@aws-sdk/token-providers": "3.985.0", "@aws-sdk/types": "^3.973.1", "@smithy/property-provider": "^4.2.8", "@smithy/shared-ini-file-loader": "^4.4.3", "@smithy/types": "^4.12.0", "tslib": "^2.6.2" } }, "sha512-8urj3AoeNeQisjMmMBhFeiY2gxt6/7wQQbEGun0YV/OaOOiXrIudTIEYF8ZfD+NQI6X1FY5AkRsx6O/CaGiybA=="],
 
-    "@aws-sdk/credential-provider-web-identity": ["@aws-sdk/credential-provider-web-identity@3.972.3", "", { "dependencies": { "@aws-sdk/core": "^3.973.5", "@aws-sdk/nested-clients": "3.980.0", "@aws-sdk/types": "^3.973.1", "@smithy/property-provider": "^4.2.8", "@smithy/shared-ini-file-loader": "^4.4.3", "@smithy/types": "^4.12.0", "tslib": "^2.6.2" } }, "sha512-62VufdcH5rRfiRKZRcf1wVbbt/1jAntMj1+J0qAd+r5pQRg2t0/P9/Rz16B1o5/0Se9lVL506LRjrhIJAhYBfA=="],
+    "@aws-sdk/credential-provider-web-identity": ["@aws-sdk/credential-provider-web-identity@3.972.5", "", { "dependencies": { "@aws-sdk/core": "^3.973.7", "@aws-sdk/nested-clients": "3.985.0", "@aws-sdk/types": "^3.973.1", "@smithy/property-provider": "^4.2.8", "@smithy/shared-ini-file-loader": "^4.4.3", "@smithy/types": "^4.12.0", "tslib": "^2.6.2" } }, "sha512-OK3cULuJl6c+RcDZfPpaK5o3deTOnKZbxm7pzhFNGA3fI2hF9yDih17fGRazJzGGWaDVlR9ejZrpDef4DJCEsw=="],
 
     "@aws-sdk/middleware-bucket-endpoint": ["@aws-sdk/middleware-bucket-endpoint@3.972.3", "", { "dependencies": { "@aws-sdk/types": "^3.973.1", "@aws-sdk/util-arn-parser": "^3.972.2", "@smithy/node-config-provider": "^4.3.8", "@smithy/protocol-http": "^5.3.8", "@smithy/types": "^4.12.0", "@smithy/util-config-provider": "^4.2.0", "tslib": "^2.6.2" } }, "sha512-fmbgWYirF67YF1GfD7cg5N6HHQ96EyRNx/rDIrTF277/zTWVuPI2qS/ZHgofwR1NZPe/NWvoppflQY01LrbVLg=="],
 
@@ -393,29 +401,29 @@
 
     "@aws-sdk/middleware-ssec": ["@aws-sdk/middleware-ssec@3.972.3", "", { "dependencies": { "@aws-sdk/types": "^3.973.1", "@smithy/types": "^4.12.0", "tslib": "^2.6.2" } }, "sha512-dU6kDuULN3o3jEHcjm0c4zWJlY1zWVkjG9NPe9qxYLLpcbdj5kRYBS2DdWYD+1B9f910DezRuws7xDEqKkHQIg=="],
 
-    "@aws-sdk/middleware-user-agent": ["@aws-sdk/middleware-user-agent@3.972.5", "", { "dependencies": { "@aws-sdk/core": "^3.973.5", "@aws-sdk/types": "^3.973.1", "@aws-sdk/util-endpoints": "3.980.0", "@smithy/core": "^3.22.0", "@smithy/protocol-http": "^5.3.8", "@smithy/types": "^4.12.0", "tslib": "^2.6.2" } }, "sha512-TVZQ6PWPwQbahUI8V+Er+gS41ctIawcI/uMNmQtQ7RMcg3JYn6gyKAFKUb3HFYx2OjYlx1u11sETSwwEUxVHTg=="],
+    "@aws-sdk/middleware-user-agent": ["@aws-sdk/middleware-user-agent@3.972.7", "", { "dependencies": { "@aws-sdk/core": "^3.973.7", "@aws-sdk/types": "^3.973.1", "@aws-sdk/util-endpoints": "3.985.0", "@smithy/core": "^3.22.1", "@smithy/protocol-http": "^5.3.8", "@smithy/types": "^4.12.0", "tslib": "^2.6.2" } }, "sha512-HUD+geASjXSCyL/DHPQc/Ua7JhldTcIglVAoCV8kiVm99IaFSlAbTvEnyhZwdE6bdFyTL+uIaWLaCFSRsglZBQ=="],
 
-    "@aws-sdk/nested-clients": ["@aws-sdk/nested-clients@3.980.0", "", { "dependencies": { "@aws-crypto/sha256-browser": "5.2.0", "@aws-crypto/sha256-js": "5.2.0", "@aws-sdk/core": "^3.973.5", "@aws-sdk/middleware-host-header": "^3.972.3", "@aws-sdk/middleware-logger": "^3.972.3", "@aws-sdk/middleware-recursion-detection": "^3.972.3", "@aws-sdk/middleware-user-agent": "^3.972.5", "@aws-sdk/region-config-resolver": "^3.972.3", "@aws-sdk/types": "^3.973.1", "@aws-sdk/util-endpoints": "3.980.0", "@aws-sdk/util-user-agent-browser": "^3.972.3", "@aws-sdk/util-user-agent-node": "^3.972.3", "@smithy/config-resolver": "^4.4.6", "@smithy/core": "^3.22.0", "@smithy/fetch-http-handler": "^5.3.9", "@smithy/hash-node": "^4.2.8", "@smithy/invalid-dependency": "^4.2.8", "@smithy/middleware-content-length": "^4.2.8", "@smithy/middleware-endpoint": "^4.4.12", "@smithy/middleware-retry": "^4.4.29", "@smithy/middleware-serde": "^4.2.9", "@smithy/middleware-stack": "^4.2.8", "@smithy/node-config-provider": "^4.3.8", "@smithy/node-http-handler": "^4.4.8", "@smithy/protocol-http": "^5.3.8", "@smithy/smithy-client": "^4.11.1", "@smithy/types": "^4.12.0", "@smithy/url-parser": "^4.2.8", "@smithy/util-base64": "^4.3.0", "@smithy/util-body-length-browser": "^4.2.0", "@smithy/util-body-length-node": "^4.2.1", "@smithy/util-defaults-mode-browser": "^4.3.28", "@smithy/util-defaults-mode-node": "^4.2.31", "@smithy/util-endpoints": "^3.2.8", "@smithy/util-middleware": "^4.2.8", "@smithy/util-retry": "^4.2.8", "@smithy/util-utf8": "^4.2.0", "tslib": "^2.6.2" } }, "sha512-/dONY5xc5/CCKzOqHZCTidtAR4lJXWkGefXvTRKdSKMGaYbbKsxDckisd6GfnvPSLxWtvQzwgRGRutMRoYUApQ=="],
+    "@aws-sdk/nested-clients": ["@aws-sdk/nested-clients@3.985.0", "", { "dependencies": { "@aws-crypto/sha256-browser": "5.2.0", "@aws-crypto/sha256-js": "5.2.0", "@aws-sdk/core": "^3.973.7", "@aws-sdk/middleware-host-header": "^3.972.3", "@aws-sdk/middleware-logger": "^3.972.3", "@aws-sdk/middleware-recursion-detection": "^3.972.3", "@aws-sdk/middleware-user-agent": "^3.972.7", "@aws-sdk/region-config-resolver": "^3.972.3", "@aws-sdk/types": "^3.973.1", "@aws-sdk/util-endpoints": "3.985.0", "@aws-sdk/util-user-agent-browser": "^3.972.3", "@aws-sdk/util-user-agent-node": "^3.972.5", "@smithy/config-resolver": "^4.4.6", "@smithy/core": "^3.22.1", "@smithy/fetch-http-handler": "^5.3.9", "@smithy/hash-node": "^4.2.8", "@smithy/invalid-dependency": "^4.2.8", "@smithy/middleware-content-length": "^4.2.8", "@smithy/middleware-endpoint": "^4.4.13", "@smithy/middleware-retry": "^4.4.30", "@smithy/middleware-serde": "^4.2.9", "@smithy/middleware-stack": "^4.2.8", "@smithy/node-config-provider": "^4.3.8", "@smithy/node-http-handler": "^4.4.9", "@smithy/protocol-http": "^5.3.8", "@smithy/smithy-client": "^4.11.2", "@smithy/types": "^4.12.0", "@smithy/url-parser": "^4.2.8", "@smithy/util-base64": "^4.3.0", "@smithy/util-body-length-browser": "^4.2.0", "@smithy/util-body-length-node": "^4.2.1", "@smithy/util-defaults-mode-browser": "^4.3.29", "@smithy/util-defaults-mode-node": "^4.2.32", "@smithy/util-endpoints": "^3.2.8", "@smithy/util-middleware": "^4.2.8", "@smithy/util-retry": "^4.2.8", "@smithy/util-utf8": "^4.2.0", "tslib": "^2.6.2" } }, "sha512-TsWwKzb/2WHafAY0CE7uXgLj0FmnkBTgfioG9HO+7z/zCPcl1+YU+i7dW4o0y+aFxFgxTMG+ExBQpqT/k2ao8g=="],
 
     "@aws-sdk/region-config-resolver": ["@aws-sdk/region-config-resolver@3.972.3", "", { "dependencies": { "@aws-sdk/types": "^3.973.1", "@smithy/config-resolver": "^4.4.6", "@smithy/node-config-provider": "^4.3.8", "@smithy/types": "^4.12.0", "tslib": "^2.6.2" } }, "sha512-v4J8qYAWfOMcZ4MJUyatntOicTzEMaU7j3OpkRCGGFSL2NgXQ5VbxauIyORA+pxdKZ0qQG2tCQjQjZDlXEC3Ow=="],
 
     "@aws-sdk/signature-v4-multi-region": ["@aws-sdk/signature-v4-multi-region@3.980.0", "", { "dependencies": { "@aws-sdk/middleware-sdk-s3": "^3.972.5", "@aws-sdk/types": "^3.973.1", "@smithy/protocol-http": "^5.3.8", "@smithy/signature-v4": "^5.3.8", "@smithy/types": "^4.12.0", "tslib": "^2.6.2" } }, "sha512-tO2jBj+ZIVM0nEgi1SyxWtaYGpuAJdsrugmWcI3/U2MPWCYsrvKasUo0026NvJJao38wyUq9B8XTG8Xu53j/VA=="],
 
-    "@aws-sdk/token-providers": ["@aws-sdk/token-providers@3.980.0", "", { "dependencies": { "@aws-sdk/core": "^3.973.5", "@aws-sdk/nested-clients": "3.980.0", "@aws-sdk/types": "^3.973.1", "@smithy/property-provider": "^4.2.8", "@smithy/shared-ini-file-loader": "^4.4.3", "@smithy/types": "^4.12.0", "tslib": "^2.6.2" } }, "sha512-1nFileg1wAgDmieRoj9dOawgr2hhlh7xdvcH57b1NnqfPaVlcqVJyPc6k3TLDUFPY69eEwNxdGue/0wIz58vjA=="],
+    "@aws-sdk/token-providers": ["@aws-sdk/token-providers@3.985.0", "", { "dependencies": { "@aws-sdk/core": "^3.973.7", "@aws-sdk/nested-clients": "3.985.0", "@aws-sdk/types": "^3.973.1", "@smithy/property-provider": "^4.2.8", "@smithy/shared-ini-file-loader": "^4.4.3", "@smithy/types": "^4.12.0", "tslib": "^2.6.2" } }, "sha512-+hwpHZyEq8k+9JL2PkE60V93v2kNhUIv7STFt+EAez1UJsJOQDhc5LpzEX66pNjclI5OTwBROs/DhJjC/BtMjQ=="],
 
     "@aws-sdk/types": ["@aws-sdk/types@3.973.1", "", { "dependencies": { "@smithy/types": "^4.12.0", "tslib": "^2.6.2" } }, "sha512-DwHBiMNOB468JiX6+i34c+THsKHErYUdNQ3HexeXZvVn4zouLjgaS4FejiGSi2HyBuzuyHg7SuOPmjSvoU9NRg=="],
 
     "@aws-sdk/util-arn-parser": ["@aws-sdk/util-arn-parser@3.972.2", "", { "dependencies": { "tslib": "^2.6.2" } }, "sha512-VkykWbqMjlSgBFDyrY3nOSqupMc6ivXuGmvci6Q3NnLq5kC+mKQe2QBZ4nrWRE/jqOxeFP2uYzLtwncYYcvQDg=="],
 
-    "@aws-sdk/util-endpoints": ["@aws-sdk/util-endpoints@3.980.0", "", { "dependencies": { "@aws-sdk/types": "^3.973.1", "@smithy/types": "^4.12.0", "@smithy/url-parser": "^4.2.8", "@smithy/util-endpoints": "^3.2.8", "tslib": "^2.6.2" } }, "sha512-AjKBNEc+rjOZQE1HwcD9aCELqg1GmUj1rtICKuY8cgwB73xJ4U/kNyqKKpN2k9emGqlfDY2D8itIp/vDc6OKpw=="],
+    "@aws-sdk/util-endpoints": ["@aws-sdk/util-endpoints@3.986.0", "", { "dependencies": { "@aws-sdk/types": "^3.973.1", "@smithy/types": "^4.12.0", "@smithy/url-parser": "^4.2.8", "@smithy/util-endpoints": "^3.2.8", "tslib": "^2.6.2" } }, "sha512-Mqi79L38qi1gCG3adlVdbNrSxvcm1IPDLiJPA3OBypY5ewxUyWbaA3DD4goG+EwET6LSFgZJcRSIh6KBNpP5pA=="],
 
     "@aws-sdk/util-locate-window": ["@aws-sdk/util-locate-window@3.965.4", "", { "dependencies": { "tslib": "^2.6.2" } }, "sha512-H1onv5SkgPBK2P6JR2MjGgbOnttoNzSPIRoeZTNPZYyaplwGg50zS3amXvXqF0/qfXpWEC9rLWU564QTB9bSog=="],
 
     "@aws-sdk/util-user-agent-browser": ["@aws-sdk/util-user-agent-browser@3.972.3", "", { "dependencies": { "@aws-sdk/types": "^3.973.1", "@smithy/types": "^4.12.0", "bowser": "^2.11.0", "tslib": "^2.6.2" } }, "sha512-JurOwkRUcXD/5MTDBcqdyQ9eVedtAsZgw5rBwktsPTN7QtPiS2Ld1jkJepNgYoCufz1Wcut9iup7GJDoIHp8Fw=="],
 
-    "@aws-sdk/util-user-agent-node": ["@aws-sdk/util-user-agent-node@3.972.3", "", { "dependencies": { "@aws-sdk/middleware-user-agent": "^3.972.5", "@aws-sdk/types": "^3.973.1", "@smithy/node-config-provider": "^4.3.8", "@smithy/types": "^4.12.0", "tslib": "^2.6.2" }, "peerDependencies": { "aws-crt": ">=1.0.0" }, "optionalPeers": ["aws-crt"] }, "sha512-gqG+02/lXQtO0j3US6EVnxtwwoXQC5l2qkhLCrqUrqdtcQxV7FDMbm9wLjKqoronSHyELGTjbFKK/xV5q1bZNA=="],
+    "@aws-sdk/util-user-agent-node": ["@aws-sdk/util-user-agent-node@3.972.5", "", { "dependencies": { "@aws-sdk/middleware-user-agent": "^3.972.7", "@aws-sdk/types": "^3.973.1", "@smithy/node-config-provider": "^4.3.8", "@smithy/types": "^4.12.0", "tslib": "^2.6.2" }, "peerDependencies": { "aws-crt": ">=1.0.0" }, "optionalPeers": ["aws-crt"] }, "sha512-GsUDF+rXyxDZkkJxUsDxnA67FG+kc5W1dnloCFLl6fWzceevsCYzJpASBzT+BPjwUgREE6FngfJYYYMQUY5fZQ=="],
 
-    "@aws-sdk/xml-builder": ["@aws-sdk/xml-builder@3.972.2", "", { "dependencies": { "@smithy/types": "^4.12.0", "fast-xml-parser": "5.2.5", "tslib": "^2.6.2" } }, "sha512-jGOOV/bV1DhkkUhHiZ3/1GZ67cZyOXaDb7d1rYD6ZiXf5V9tBNOcgqXwRRPvrCbYaFRa1pPMFb3ZjqjWpR3YfA=="],
+    "@aws-sdk/xml-builder": ["@aws-sdk/xml-builder@3.972.4", "", { "dependencies": { "@smithy/types": "^4.12.0", "fast-xml-parser": "5.3.4", "tslib": "^2.6.2" } }, "sha512-0zJ05ANfYqI6+rGqj8samZBFod0dPPousBjLEqg8WdxSgbMAkRgLyn81lP215Do0rFJ/17LIXwr7q0yK24mP6Q=="],
 
     "@aws/lambda-invoke-store": ["@aws/lambda-invoke-store@0.2.3", "", {}, "sha512-oLvsaPMTBejkkmHhjf09xTgk71mOqyr/409NKhRIL08If7AhVfUsJhVsx386uJaqNd42v9kWamQ9lFbkoC2dYw=="],
 
@@ -921,7 +929,7 @@
 
     "@smithy/config-resolver": ["@smithy/config-resolver@4.4.6", "", { "dependencies": { "@smithy/node-config-provider": "^4.3.8", "@smithy/types": "^4.12.0", "@smithy/util-config-provider": "^4.2.0", "@smithy/util-endpoints": "^3.2.8", "@smithy/util-middleware": "^4.2.8", "tslib": "^2.6.2" } }, "sha512-qJpzYC64kaj3S0fueiu3kXm8xPrR3PcXDPEgnaNMRn0EjNSZFoFjvbUp0YUDsRhN1CB90EnHJtbxWKevnH99UQ=="],
 
-    "@smithy/core": ["@smithy/core@3.22.0", "", { "dependencies": { "@smithy/middleware-serde": "^4.2.9", "@smithy/protocol-http": "^5.3.8", "@smithy/types": "^4.12.0", "@smithy/util-base64": "^4.3.0", "@smithy/util-body-length-browser": "^4.2.0", "@smithy/util-middleware": "^4.2.8", "@smithy/util-stream": "^4.5.10", "@smithy/util-utf8": "^4.2.0", "@smithy/uuid": "^1.1.0", "tslib": "^2.6.2" } }, "sha512-6vjCHD6vaY8KubeNw2Fg3EK0KLGQYdldG4fYgQmA0xSW0dJ8G2xFhSOdrlUakWVoP5JuWHtFODg3PNd/DN3FDA=="],
+    "@smithy/core": ["@smithy/core@3.22.1", "", { "dependencies": { "@smithy/middleware-serde": "^4.2.9", "@smithy/protocol-http": "^5.3.8", "@smithy/types": "^4.12.0", "@smithy/util-base64": "^4.3.0", "@smithy/util-body-length-browser": "^4.2.0", "@smithy/util-middleware": "^4.2.8", "@smithy/util-stream": "^4.5.11", "@smithy/util-utf8": "^4.2.0", "@smithy/uuid": "^1.1.0", "tslib": "^2.6.2" } }, "sha512-x3ie6Crr58MWrm4viHqqy2Du2rHYZjwu8BekasrQx4ca+Y24dzVAwq3yErdqIbc2G3I0kLQA13PQ+/rde+u65g=="],
 
     "@smithy/credential-provider-imds": ["@smithy/credential-provider-imds@4.2.8", "", { "dependencies": { "@smithy/node-config-provider": "^4.3.8", "@smithy/property-provider": "^4.2.8", "@smithy/types": "^4.12.0", "@smithy/url-parser": "^4.2.8", "tslib": "^2.6.2" } }, "sha512-FNT0xHS1c/CPN8upqbMFP83+ul5YgdisfCfkZ86Jh2NSmnqw/AJ6x5pEogVCTVvSm7j9MopRU89bmDelxuDMYw=="],
 
@@ -951,9 +959,9 @@
 
     "@smithy/middleware-content-length": ["@smithy/middleware-content-length@4.2.8", "", { "dependencies": { "@smithy/protocol-http": "^5.3.8", "@smithy/types": "^4.12.0", "tslib": "^2.6.2" } }, "sha512-RO0jeoaYAB1qBRhfVyq0pMgBoUK34YEJxVxyjOWYZiOKOq2yMZ4MnVXMZCUDenpozHue207+9P5ilTV1zeda0A=="],
 
-    "@smithy/middleware-endpoint": ["@smithy/middleware-endpoint@4.4.12", "", { "dependencies": { "@smithy/core": "^3.22.0", "@smithy/middleware-serde": "^4.2.9", "@smithy/node-config-provider": "^4.3.8", "@smithy/shared-ini-file-loader": "^4.4.3", "@smithy/types": "^4.12.0", "@smithy/url-parser": "^4.2.8", "@smithy/util-middleware": "^4.2.8", "tslib": "^2.6.2" } }, "sha512-9JMKHVJtW9RysTNjcBZQHDwB0p3iTP6B1IfQV4m+uCevkVd/VuLgwfqk5cnI4RHcp4cPwoIvxQqN4B1sxeHo8Q=="],
+    "@smithy/middleware-endpoint": ["@smithy/middleware-endpoint@4.4.13", "", { "dependencies": { "@smithy/core": "^3.22.1", "@smithy/middleware-serde": "^4.2.9", "@smithy/node-config-provider": "^4.3.8", "@smithy/shared-ini-file-loader": "^4.4.3", "@smithy/types": "^4.12.0", "@smithy/url-parser": "^4.2.8", "@smithy/util-middleware": "^4.2.8", "tslib": "^2.6.2" } }, "sha512-x6vn0PjYmGdNuKh/juUJJewZh7MoQ46jYaJ2mvekF4EesMuFfrl4LaW/k97Zjf8PTCPQmPgMvwewg7eNoH9n5w=="],
 
-    "@smithy/middleware-retry": ["@smithy/middleware-retry@4.4.29", "", { "dependencies": { "@smithy/node-config-provider": "^4.3.8", "@smithy/protocol-http": "^5.3.8", "@smithy/service-error-classification": "^4.2.8", "@smithy/smithy-client": "^4.11.1", "@smithy/types": "^4.12.0", "@smithy/util-middleware": "^4.2.8", "@smithy/util-retry": "^4.2.8", "@smithy/uuid": "^1.1.0", "tslib": "^2.6.2" } }, "sha512-bmTn75a4tmKRkC5w61yYQLb3DmxNzB8qSVu9SbTYqW6GAL0WXO2bDZuMAn/GJSbOdHEdjZvWxe+9Kk015bw6Cg=="],
+    "@smithy/middleware-retry": ["@smithy/middleware-retry@4.4.30", "", { "dependencies": { "@smithy/node-config-provider": "^4.3.8", "@smithy/protocol-http": "^5.3.8", "@smithy/service-error-classification": "^4.2.8", "@smithy/smithy-client": "^4.11.2", "@smithy/types": "^4.12.0", "@smithy/util-middleware": "^4.2.8", "@smithy/util-retry": "^4.2.8", "@smithy/uuid": "^1.1.0", "tslib": "^2.6.2" } }, "sha512-CBGyFvN0f8hlnqKH/jckRDz78Snrp345+PVk8Ux7pnkUCW97Iinse59lY78hBt04h1GZ6hjBN94BRwZy1xC8Bg=="],
 
     "@smithy/middleware-serde": ["@smithy/middleware-serde@4.2.9", "", { "dependencies": { "@smithy/protocol-http": "^5.3.8", "@smithy/types": "^4.12.0", "tslib": "^2.6.2" } }, "sha512-eMNiej0u/snzDvlqRGSN3Vl0ESn3838+nKyVfF2FKNXFbi4SERYT6PR392D39iczngbqqGG0Jl1DlCnp7tBbXQ=="],
 
@@ -961,7 +969,7 @@
 
     "@smithy/node-config-provider": ["@smithy/node-config-provider@4.3.8", "", { "dependencies": { "@smithy/property-provider": "^4.2.8", "@smithy/shared-ini-file-loader": "^4.4.3", "@smithy/types": "^4.12.0", "tslib": "^2.6.2" } }, "sha512-aFP1ai4lrbVlWjfpAfRSL8KFcnJQYfTl5QxLJXY32vghJrDuFyPZ6LtUL+JEGYiFRG1PfPLHLoxj107ulncLIg=="],
 
-    "@smithy/node-http-handler": ["@smithy/node-http-handler@4.4.8", "", { "dependencies": { "@smithy/abort-controller": "^4.2.8", "@smithy/protocol-http": "^5.3.8", "@smithy/querystring-builder": "^4.2.8", "@smithy/types": "^4.12.0", "tslib": "^2.6.2" } }, "sha512-q9u+MSbJVIJ1QmJ4+1u+cERXkrhuILCBDsJUBAW1MPE6sFonbCNaegFuwW9ll8kh5UdyY3jOkoOGlc7BesoLpg=="],
+    "@smithy/node-http-handler": ["@smithy/node-http-handler@4.4.9", "", { "dependencies": { "@smithy/abort-controller": "^4.2.8", "@smithy/protocol-http": "^5.3.8", "@smithy/querystring-builder": "^4.2.8", "@smithy/types": "^4.12.0", "tslib": "^2.6.2" } }, "sha512-KX5Wml5mF+luxm1szW4QDz32e3NObgJ4Fyw+irhph4I/2geXwUy4jkIMUs5ZPGflRBeR6BUkC2wqIab4Llgm3w=="],
 
     "@smithy/property-provider": ["@smithy/property-provider@4.2.8", "", { "dependencies": { "@smithy/types": "^4.12.0", "tslib": "^2.6.2" } }, "sha512-EtCTbyIveCKeOXDSWSdze3k612yCPq1YbXsbqX3UHhkOSW8zKsM9NOJG5gTIya0vbY2DIaieG8pKo1rITHYL0w=="],
 
@@ -977,7 +985,7 @@
 
     "@smithy/signature-v4": ["@smithy/signature-v4@5.3.8", "", { "dependencies": { "@smithy/is-array-buffer": "^4.2.0", "@smithy/protocol-http": "^5.3.8", "@smithy/types": "^4.12.0", "@smithy/util-hex-encoding": "^4.2.0", "@smithy/util-middleware": "^4.2.8", "@smithy/util-uri-escape": "^4.2.0", "@smithy/util-utf8": "^4.2.0", "tslib": "^2.6.2" } }, "sha512-6A4vdGj7qKNRF16UIcO8HhHjKW27thsxYci+5r/uVRkdcBEkOEiY8OMPuydLX4QHSrJqGHPJzPRwwVTqbLZJhg=="],
 
-    "@smithy/smithy-client": ["@smithy/smithy-client@4.11.1", "", { "dependencies": { "@smithy/core": "^3.22.0", "@smithy/middleware-endpoint": "^4.4.12", "@smithy/middleware-stack": "^4.2.8", "@smithy/protocol-http": "^5.3.8", "@smithy/types": "^4.12.0", "@smithy/util-stream": "^4.5.10", "tslib": "^2.6.2" } }, "sha512-SERgNg5Z1U+jfR6/2xPYjSEHY1t3pyTHC/Ma3YQl6qWtmiL42bvNId3W/oMUWIwu7ekL2FMPdqAmwbQegM7HeQ=="],
+    "@smithy/smithy-client": ["@smithy/smithy-client@4.11.2", "", { "dependencies": { "@smithy/core": "^3.22.1", "@smithy/middleware-endpoint": "^4.4.13", "@smithy/middleware-stack": "^4.2.8", "@smithy/protocol-http": "^5.3.8", "@smithy/types": "^4.12.0", "@smithy/util-stream": "^4.5.11", "tslib": "^2.6.2" } }, "sha512-SCkGmFak/xC1n7hKRsUr6wOnBTJ3L22Qd4e8H1fQIuKTAjntwgU8lrdMe7uHdiT2mJAOWA/60qaW9tiMu69n1A=="],
 
     "@smithy/types": ["@smithy/types@4.12.0", "", { "dependencies": { "tslib": "^2.6.2" } }, "sha512-9YcuJVTOBDjg9LWo23Qp0lTQ3D7fQsQtwle0jVfpbUHy9qBwCEgKuVH4FqFB3VYu0nwdHKiEMA+oXz7oV8X1kw=="],
 
@@ -993,9 +1001,9 @@
 
     "@smithy/util-config-provider": ["@smithy/util-config-provider@4.2.0", "", { "dependencies": { "tslib": "^2.6.2" } }, "sha512-YEjpl6XJ36FTKmD+kRJJWYvrHeUvm5ykaUS5xK+6oXffQPHeEM4/nXlZPe+Wu0lsgRUcNZiliYNh/y7q9c2y6Q=="],
 
-    "@smithy/util-defaults-mode-browser": ["@smithy/util-defaults-mode-browser@4.3.28", "", { "dependencies": { "@smithy/property-provider": "^4.2.8", "@smithy/smithy-client": "^4.11.1", "@smithy/types": "^4.12.0", "tslib": "^2.6.2" } }, "sha512-/9zcatsCao9h6g18p/9vH9NIi5PSqhCkxQ/tb7pMgRFnqYp9XUOyOlGPDMHzr8n5ih6yYgwJEY2MLEobUgi47w=="],
+    "@smithy/util-defaults-mode-browser": ["@smithy/util-defaults-mode-browser@4.3.29", "", { "dependencies": { "@smithy/property-provider": "^4.2.8", "@smithy/smithy-client": "^4.11.2", "@smithy/types": "^4.12.0", "tslib": "^2.6.2" } }, "sha512-nIGy3DNRmOjaYaaKcQDzmWsro9uxlaqUOhZDHQed9MW/GmkBZPtnU70Pu1+GT9IBmUXwRdDuiyaeiy9Xtpn3+Q=="],
 
-    "@smithy/util-defaults-mode-node": ["@smithy/util-defaults-mode-node@4.2.31", "", { "dependencies": { "@smithy/config-resolver": "^4.4.6", "@smithy/credential-provider-imds": "^4.2.8", "@smithy/node-config-provider": "^4.3.8", "@smithy/property-provider": "^4.2.8", "@smithy/smithy-client": "^4.11.1", "@smithy/types": "^4.12.0", "tslib": "^2.6.2" } }, "sha512-JTvoApUXA5kbpceI2vuqQzRjeTbLpx1eoa5R/YEZbTgtxvIB7AQZxFJ0SEyfCpgPCyVV9IT7we+ytSeIB3CyWA=="],
+    "@smithy/util-defaults-mode-node": ["@smithy/util-defaults-mode-node@4.2.32", "", { "dependencies": { "@smithy/config-resolver": "^4.4.6", "@smithy/credential-provider-imds": "^4.2.8", "@smithy/node-config-provider": "^4.3.8", "@smithy/property-provider": "^4.2.8", "@smithy/smithy-client": "^4.11.2", "@smithy/types": "^4.12.0", "tslib": "^2.6.2" } }, "sha512-7dtFff6pu5fsjqrVve0YMhrnzJtccCWDacNKOkiZjJ++fmjGExmmSu341x+WU6Oc1IccL7lDuaUj7SfrHpWc5Q=="],
 
     "@smithy/util-endpoints": ["@smithy/util-endpoints@3.2.8", "", { "dependencies": { "@smithy/node-config-provider": "^4.3.8", "@smithy/types": "^4.12.0", "tslib": "^2.6.2" } }, "sha512-8JaVTn3pBDkhZgHQ8R0epwWt+BqPSLCjdjXXusK1onwJlRuN69fbvSK66aIKKO7SwVFM6x2J2ox5X8pOaWcUEw=="],
 
@@ -3119,7 +3127,47 @@
 
     "@aws-crypto/util/@smithy/util-utf8": ["@smithy/util-utf8@2.3.0", "", { "dependencies": { "@smithy/util-buffer-from": "^2.2.0", "tslib": "^2.6.2" } }, "sha512-R8Rdn8Hy72KKcebgLiv8jQcQkXoLMOGGv5uI1/k0l+snqkOzQ1R0ChUBCxWMlBsFMekWjq0wRudIweFs7sKT5A=="],
 
-    "@aws-sdk/xml-builder/fast-xml-parser": ["fast-xml-parser@5.2.5", "", { "dependencies": { "strnum": "^2.1.0" }, "bin": { "fxparser": "src/cli/cli.js" } }, "sha512-pfX9uG9Ki0yekDHx2SiuRIyFdyAr1kMIMitPvb0YBo8SUfKvia7w7FIyd/l6av85pFYRhZscS75MwMnbvY+hcQ=="],
+    "@aws-sdk/client-s3/@aws-sdk/core": ["@aws-sdk/core@3.973.5", "", { "dependencies": { "@aws-sdk/types": "^3.973.1", "@aws-sdk/xml-builder": "^3.972.2", "@smithy/core": "^3.22.0", "@smithy/node-config-provider": "^4.3.8", "@smithy/property-provider": "^4.2.8", "@smithy/protocol-http": "^5.3.8", "@smithy/signature-v4": "^5.3.8", "@smithy/smithy-client": "^4.11.1", "@smithy/types": "^4.12.0", "@smithy/util-base64": "^4.3.0", "@smithy/util-middleware": "^4.2.8", "@smithy/util-utf8": "^4.2.0", "tslib": "^2.6.2" } }, "sha512-IMM7xGfLGW6lMvubsA4j6BHU5FPgGAxoQ/NA63KqNLMwTS+PeMBcx8DPHL12Vg6yqOZnqok9Mu4H2BdQyq7gSA=="],
+
+    "@aws-sdk/client-s3/@aws-sdk/credential-provider-node": ["@aws-sdk/credential-provider-node@3.972.4", "", { "dependencies": { "@aws-sdk/credential-provider-env": "^3.972.3", "@aws-sdk/credential-provider-http": "^3.972.5", "@aws-sdk/credential-provider-ini": "^3.972.3", "@aws-sdk/credential-provider-process": "^3.972.3", "@aws-sdk/credential-provider-sso": "^3.972.3", "@aws-sdk/credential-provider-web-identity": "^3.972.3", "@aws-sdk/types": "^3.973.1", "@smithy/credential-provider-imds": "^4.2.8", "@smithy/property-provider": "^4.2.8", "@smithy/shared-ini-file-loader": "^4.4.3", "@smithy/types": "^4.12.0", "tslib": "^2.6.2" } }, "sha512-UwerdzosMSY7V5oIZm3NsMDZPv2aSVzSkZxYxIOWHBeKTZlUqW7XpHtJMZ4PZpJ+HMRhgP+MDGQx4THndgqJfQ=="],
+
+    "@aws-sdk/client-s3/@aws-sdk/middleware-user-agent": ["@aws-sdk/middleware-user-agent@3.972.5", "", { "dependencies": { "@aws-sdk/core": "^3.973.5", "@aws-sdk/types": "^3.973.1", "@aws-sdk/util-endpoints": "3.980.0", "@smithy/core": "^3.22.0", "@smithy/protocol-http": "^5.3.8", "@smithy/types": "^4.12.0", "tslib": "^2.6.2" } }, "sha512-TVZQ6PWPwQbahUI8V+Er+gS41ctIawcI/uMNmQtQ7RMcg3JYn6gyKAFKUb3HFYx2OjYlx1u11sETSwwEUxVHTg=="],
+
+    "@aws-sdk/client-s3/@aws-sdk/util-endpoints": ["@aws-sdk/util-endpoints@3.980.0", "", { "dependencies": { "@aws-sdk/types": "^3.973.1", "@smithy/types": "^4.12.0", "@smithy/url-parser": "^4.2.8", "@smithy/util-endpoints": "^3.2.8", "tslib": "^2.6.2" } }, "sha512-AjKBNEc+rjOZQE1HwcD9aCELqg1GmUj1rtICKuY8cgwB73xJ4U/kNyqKKpN2k9emGqlfDY2D8itIp/vDc6OKpw=="],
+
+    "@aws-sdk/client-s3/@aws-sdk/util-user-agent-node": ["@aws-sdk/util-user-agent-node@3.972.3", "", { "dependencies": { "@aws-sdk/middleware-user-agent": "^3.972.5", "@aws-sdk/types": "^3.973.1", "@smithy/node-config-provider": "^4.3.8", "@smithy/types": "^4.12.0", "tslib": "^2.6.2" }, "peerDependencies": { "aws-crt": ">=1.0.0" }, "optionalPeers": ["aws-crt"] }, "sha512-gqG+02/lXQtO0j3US6EVnxtwwoXQC5l2qkhLCrqUrqdtcQxV7FDMbm9wLjKqoronSHyELGTjbFKK/xV5q1bZNA=="],
+
+    "@aws-sdk/client-s3/@smithy/core": ["@smithy/core@3.22.0", "", { "dependencies": { "@smithy/middleware-serde": "^4.2.9", "@smithy/protocol-http": "^5.3.8", "@smithy/types": "^4.12.0", "@smithy/util-base64": "^4.3.0", "@smithy/util-body-length-browser": "^4.2.0", "@smithy/util-middleware": "^4.2.8", "@smithy/util-stream": "^4.5.10", "@smithy/util-utf8": "^4.2.0", "@smithy/uuid": "^1.1.0", "tslib": "^2.6.2" } }, "sha512-6vjCHD6vaY8KubeNw2Fg3EK0KLGQYdldG4fYgQmA0xSW0dJ8G2xFhSOdrlUakWVoP5JuWHtFODg3PNd/DN3FDA=="],
+
+    "@aws-sdk/client-s3/@smithy/middleware-endpoint": ["@smithy/middleware-endpoint@4.4.12", "", { "dependencies": { "@smithy/core": "^3.22.0", "@smithy/middleware-serde": "^4.2.9", "@smithy/node-config-provider": "^4.3.8", "@smithy/shared-ini-file-loader": "^4.4.3", "@smithy/types": "^4.12.0", "@smithy/url-parser": "^4.2.8", "@smithy/util-middleware": "^4.2.8", "tslib": "^2.6.2" } }, "sha512-9JMKHVJtW9RysTNjcBZQHDwB0p3iTP6B1IfQV4m+uCevkVd/VuLgwfqk5cnI4RHcp4cPwoIvxQqN4B1sxeHo8Q=="],
+
+    "@aws-sdk/client-s3/@smithy/middleware-retry": ["@smithy/middleware-retry@4.4.29", "", { "dependencies": { "@smithy/node-config-provider": "^4.3.8", "@smithy/protocol-http": "^5.3.8", "@smithy/service-error-classification": "^4.2.8", "@smithy/smithy-client": "^4.11.1", "@smithy/types": "^4.12.0", "@smithy/util-middleware": "^4.2.8", "@smithy/util-retry": "^4.2.8", "@smithy/uuid": "^1.1.0", "tslib": "^2.6.2" } }, "sha512-bmTn75a4tmKRkC5w61yYQLb3DmxNzB8qSVu9SbTYqW6GAL0WXO2bDZuMAn/GJSbOdHEdjZvWxe+9Kk015bw6Cg=="],
+
+    "@aws-sdk/client-s3/@smithy/node-http-handler": ["@smithy/node-http-handler@4.4.8", "", { "dependencies": { "@smithy/abort-controller": "^4.2.8", "@smithy/protocol-http": "^5.3.8", "@smithy/querystring-builder": "^4.2.8", "@smithy/types": "^4.12.0", "tslib": "^2.6.2" } }, "sha512-q9u+MSbJVIJ1QmJ4+1u+cERXkrhuILCBDsJUBAW1MPE6sFonbCNaegFuwW9ll8kh5UdyY3jOkoOGlc7BesoLpg=="],
+
+    "@aws-sdk/client-s3/@smithy/smithy-client": ["@smithy/smithy-client@4.11.1", "", { "dependencies": { "@smithy/core": "^3.22.0", "@smithy/middleware-endpoint": "^4.4.12", "@smithy/middleware-stack": "^4.2.8", "@smithy/protocol-http": "^5.3.8", "@smithy/types": "^4.12.0", "@smithy/util-stream": "^4.5.10", "tslib": "^2.6.2" } }, "sha512-SERgNg5Z1U+jfR6/2xPYjSEHY1t3pyTHC/Ma3YQl6qWtmiL42bvNId3W/oMUWIwu7ekL2FMPdqAmwbQegM7HeQ=="],
+
+    "@aws-sdk/client-s3/@smithy/util-defaults-mode-browser": ["@smithy/util-defaults-mode-browser@4.3.28", "", { "dependencies": { "@smithy/property-provider": "^4.2.8", "@smithy/smithy-client": "^4.11.1", "@smithy/types": "^4.12.0", "tslib": "^2.6.2" } }, "sha512-/9zcatsCao9h6g18p/9vH9NIi5PSqhCkxQ/tb7pMgRFnqYp9XUOyOlGPDMHzr8n5ih6yYgwJEY2MLEobUgi47w=="],
+
+    "@aws-sdk/client-s3/@smithy/util-defaults-mode-node": ["@smithy/util-defaults-mode-node@4.2.31", "", { "dependencies": { "@smithy/config-resolver": "^4.4.6", "@smithy/credential-provider-imds": "^4.2.8", "@smithy/node-config-provider": "^4.3.8", "@smithy/property-provider": "^4.2.8", "@smithy/smithy-client": "^4.11.1", "@smithy/types": "^4.12.0", "tslib": "^2.6.2" } }, "sha512-JTvoApUXA5kbpceI2vuqQzRjeTbLpx1eoa5R/YEZbTgtxvIB7AQZxFJ0SEyfCpgPCyVV9IT7we+ytSeIB3CyWA=="],
+
+    "@aws-sdk/client-sso/@aws-sdk/util-endpoints": ["@aws-sdk/util-endpoints@3.985.0", "", { "dependencies": { "@aws-sdk/types": "^3.973.1", "@smithy/types": "^4.12.0", "@smithy/url-parser": "^4.2.8", "@smithy/util-endpoints": "^3.2.8", "tslib": "^2.6.2" } }, "sha512-vth7UfGSUR3ljvaq8V4Rc62FsM7GUTH/myxPWkaEgOrprz1/Pc72EgTXxj+cPPPDAfHFIpjhkB7T7Td0RJx+BA=="],
+
+    "@aws-sdk/credential-provider-http/@smithy/util-stream": ["@smithy/util-stream@4.5.11", "", { "dependencies": { "@smithy/fetch-http-handler": "^5.3.9", "@smithy/node-http-handler": "^4.4.9", "@smithy/types": "^4.12.0", "@smithy/util-base64": "^4.3.0", "@smithy/util-buffer-from": "^4.2.0", "@smithy/util-hex-encoding": "^4.2.0", "@smithy/util-utf8": "^4.2.0", "tslib": "^2.6.2" } }, "sha512-lKmZ0S/3Qj2OF5H1+VzvDLb6kRxGzZHq6f3rAsoSu5cTLGsn3v3VQBA8czkNNXlLjoFEtVu3OQT2jEeOtOE2CA=="],
+
+    "@aws-sdk/middleware-flexible-checksums/@aws-sdk/core": ["@aws-sdk/core@3.973.5", "", { "dependencies": { "@aws-sdk/types": "^3.973.1", "@aws-sdk/xml-builder": "^3.972.2", "@smithy/core": "^3.22.0", "@smithy/node-config-provider": "^4.3.8", "@smithy/property-provider": "^4.2.8", "@smithy/protocol-http": "^5.3.8", "@smithy/signature-v4": "^5.3.8", "@smithy/smithy-client": "^4.11.1", "@smithy/types": "^4.12.0", "@smithy/util-base64": "^4.3.0", "@smithy/util-middleware": "^4.2.8", "@smithy/util-utf8": "^4.2.0", "tslib": "^2.6.2" } }, "sha512-IMM7xGfLGW6lMvubsA4j6BHU5FPgGAxoQ/NA63KqNLMwTS+PeMBcx8DPHL12Vg6yqOZnqok9Mu4H2BdQyq7gSA=="],
+
+    "@aws-sdk/middleware-sdk-s3/@aws-sdk/core": ["@aws-sdk/core@3.973.5", "", { "dependencies": { "@aws-sdk/types": "^3.973.1", "@aws-sdk/xml-builder": "^3.972.2", "@smithy/core": "^3.22.0", "@smithy/node-config-provider": "^4.3.8", "@smithy/property-provider": "^4.2.8", "@smithy/protocol-http": "^5.3.8", "@smithy/signature-v4": "^5.3.8", "@smithy/smithy-client": "^4.11.1", "@smithy/types": "^4.12.0", "@smithy/util-base64": "^4.3.0", "@smithy/util-middleware": "^4.2.8", "@smithy/util-utf8": "^4.2.0", "tslib": "^2.6.2" } }, "sha512-IMM7xGfLGW6lMvubsA4j6BHU5FPgGAxoQ/NA63KqNLMwTS+PeMBcx8DPHL12Vg6yqOZnqok9Mu4H2BdQyq7gSA=="],
+
+    "@aws-sdk/middleware-sdk-s3/@smithy/core": ["@smithy/core@3.22.0", "", { "dependencies": { "@smithy/middleware-serde": "^4.2.9", "@smithy/protocol-http": "^5.3.8", "@smithy/types": "^4.12.0", "@smithy/util-base64": "^4.3.0", "@smithy/util-body-length-browser": "^4.2.0", "@smithy/util-middleware": "^4.2.8", "@smithy/util-stream": "^4.5.10", "@smithy/util-utf8": "^4.2.0", "@smithy/uuid": "^1.1.0", "tslib": "^2.6.2" } }, "sha512-6vjCHD6vaY8KubeNw2Fg3EK0KLGQYdldG4fYgQmA0xSW0dJ8G2xFhSOdrlUakWVoP5JuWHtFODg3PNd/DN3FDA=="],
+
+    "@aws-sdk/middleware-sdk-s3/@smithy/smithy-client": ["@smithy/smithy-client@4.11.1", "", { "dependencies": { "@smithy/core": "^3.22.0", "@smithy/middleware-endpoint": "^4.4.12", "@smithy/middleware-stack": "^4.2.8", "@smithy/protocol-http": "^5.3.8", "@smithy/types": "^4.12.0", "@smithy/util-stream": "^4.5.10", "tslib": "^2.6.2" } }, "sha512-SERgNg5Z1U+jfR6/2xPYjSEHY1t3pyTHC/Ma3YQl6qWtmiL42bvNId3W/oMUWIwu7ekL2FMPdqAmwbQegM7HeQ=="],
+
+    "@aws-sdk/middleware-user-agent/@aws-sdk/util-endpoints": ["@aws-sdk/util-endpoints@3.985.0", "", { "dependencies": { "@aws-sdk/types": "^3.973.1", "@smithy/types": "^4.12.0", "@smithy/url-parser": "^4.2.8", "@smithy/util-endpoints": "^3.2.8", "tslib": "^2.6.2" } }, "sha512-vth7UfGSUR3ljvaq8V4Rc62FsM7GUTH/myxPWkaEgOrprz1/Pc72EgTXxj+cPPPDAfHFIpjhkB7T7Td0RJx+BA=="],
+
+    "@aws-sdk/nested-clients/@aws-sdk/util-endpoints": ["@aws-sdk/util-endpoints@3.985.0", "", { "dependencies": { "@aws-sdk/types": "^3.973.1", "@smithy/types": "^4.12.0", "@smithy/url-parser": "^4.2.8", "@smithy/util-endpoints": "^3.2.8", "tslib": "^2.6.2" } }, "sha512-vth7UfGSUR3ljvaq8V4Rc62FsM7GUTH/myxPWkaEgOrprz1/Pc72EgTXxj+cPPPDAfHFIpjhkB7T7Td0RJx+BA=="],
+
+    "@aws-sdk/xml-builder/fast-xml-parser": ["fast-xml-parser@5.3.4", "", { "dependencies": { "strnum": "^2.1.0" }, "bin": { "fxparser": "src/cli/cli.js" } }, "sha512-EFd6afGmXlCx8H8WTZHhAoDaWaGyuIBoZJ2mknrNxug+aZKjkp0a0dlars9Izl+jF+7Gu1/5f/2h68cQpe0IiA=="],
 
     "@babel/core/semver": ["semver@6.3.1", "", { "bin": { "semver": "bin/semver.js" } }, "sha512-BR7VvDCVHO+q2xBEWskxS6DJE1qRnb7DxzUrogb71CWoSficBxYsiAGd+Kl0mmq/MprG9yArRkyrQxTO6XjMzA=="],
 
@@ -3245,10 +3293,20 @@
 
     "@shipsec/studio-frontend/ai": ["ai@5.0.124", "", { "dependencies": { "@ai-sdk/gateway": "2.0.30", "@ai-sdk/provider": "2.0.1", "@ai-sdk/provider-utils": "3.0.20", "@opentelemetry/api": "1.9.0" }, "peerDependencies": { "zod": "^3.25.76 || ^4.1.8" } }, "sha512-Li6Jw9F9qsvFJXZPBfxj38ddP2iURCnMs96f9Q3OeQzrDVcl1hvtwSEAuxA/qmfh6SDV2ERqFUOFzigvr0697g=="],
 
+    "@shipsec/studio-worker/@aws-sdk/client-organizations": ["@aws-sdk/client-organizations@3.987.0", "", { "dependencies": { "@aws-crypto/sha256-browser": "5.2.0", "@aws-crypto/sha256-js": "5.2.0", "@aws-sdk/core": "^3.973.7", "@aws-sdk/credential-provider-node": "^3.972.6", "@aws-sdk/middleware-host-header": "^3.972.3", "@aws-sdk/middleware-logger": "^3.972.3", "@aws-sdk/middleware-recursion-detection": "^3.972.3", "@aws-sdk/middleware-user-agent": "^3.972.7", "@aws-sdk/region-config-resolver": "^3.972.3", "@aws-sdk/types": "^3.973.1", "@aws-sdk/util-endpoints": "3.987.0", "@aws-sdk/util-user-agent-browser": "^3.972.3", "@aws-sdk/util-user-agent-node": "^3.972.5", "@smithy/config-resolver": "^4.4.6", "@smithy/core": "^3.22.1", "@smithy/fetch-http-handler": "^5.3.9", "@smithy/hash-node": "^4.2.8", "@smithy/invalid-dependency": "^4.2.8", "@smithy/middleware-content-length": "^4.2.8", "@smithy/middleware-endpoint": "^4.4.13", "@smithy/middleware-retry": "^4.4.30", "@smithy/middleware-serde": "^4.2.9", "@smithy/middleware-stack": "^4.2.8", "@smithy/node-config-provider": "^4.3.8", "@smithy/node-http-handler": "^4.4.9", "@smithy/protocol-http": "^5.3.8", "@smithy/smithy-client": "^4.11.2", "@smithy/types": "^4.12.0", "@smithy/url-parser": "^4.2.8", "@smithy/util-base64": "^4.3.0", "@smithy/util-body-length-browser": "^4.2.0", "@smithy/util-body-length-node": "^4.2.1", "@smithy/util-defaults-mode-browser": "^4.3.29", "@smithy/util-defaults-mode-node": "^4.2.32", "@smithy/util-endpoints": "^3.2.8", "@smithy/util-middleware": "^4.2.8", "@smithy/util-retry": "^4.2.8", "@smithy/util-utf8": "^4.2.0", "tslib": "^2.6.2" } }, "sha512-fz9OOrZj+ywtcCh4rVnCd38epnRQ7xg/khPi0l4CXQX4vorrSajOEzM0G89MlP1E0g5tId8Frbe/SlRvkpsSng=="],
+
+    "@shipsec/studio-worker/@aws-sdk/client-sts": ["@aws-sdk/client-sts@3.987.0", "", { "dependencies": { "@aws-crypto/sha256-browser": "5.2.0", "@aws-crypto/sha256-js": "5.2.0", "@aws-sdk/core": "^3.973.7", "@aws-sdk/credential-provider-node": "^3.972.6", "@aws-sdk/middleware-host-header": "^3.972.3", "@aws-sdk/middleware-logger": "^3.972.3", "@aws-sdk/middleware-recursion-detection": "^3.972.3", "@aws-sdk/middleware-user-agent": "^3.972.7", "@aws-sdk/region-config-resolver": "^3.972.3", "@aws-sdk/types": "^3.973.1", "@aws-sdk/util-endpoints": "3.987.0", "@aws-sdk/util-user-agent-browser": "^3.972.3", "@aws-sdk/util-user-agent-node": "^3.972.5", "@smithy/config-resolver": "^4.4.6", "@smithy/core": "^3.22.1", "@smithy/fetch-http-handler": "^5.3.9", "@smithy/hash-node": "^4.2.8", "@smithy/invalid-dependency": "^4.2.8", "@smithy/middleware-content-length": "^4.2.8", "@smithy/middleware-endpoint": "^4.4.13", "@smithy/middleware-retry": "^4.4.30", "@smithy/middleware-serde": "^4.2.9", "@smithy/middleware-stack": "^4.2.8", "@smithy/node-config-provider": "^4.3.8", "@smithy/node-http-handler": "^4.4.9", "@smithy/protocol-http": "^5.3.8", "@smithy/smithy-client": "^4.11.2", "@smithy/types": "^4.12.0", "@smithy/url-parser": "^4.2.8", "@smithy/util-base64": "^4.3.0", "@smithy/util-body-length-browser": "^4.2.0", "@smithy/util-body-length-node": "^4.2.1", "@smithy/util-defaults-mode-browser": "^4.3.29", "@smithy/util-defaults-mode-node": "^4.2.32", "@smithy/util-endpoints": "^3.2.8", "@smithy/util-middleware": "^4.2.8", "@smithy/util-retry": "^4.2.8", "@smithy/util-utf8": "^4.2.0", "tslib": "^2.6.2" } }, "sha512-zDqUCxS/6oUgQjIoDRfijHRgCkUTO3bnC+Hvi1Jh8s0Hj6cGpaUTCWYjwksV3bJGfS+HcloUtUseGO26Pcbeeg=="],
+
     "@shipsec/studio-worker/@googleapis/admin": ["@googleapis/admin@29.0.0", "", { "dependencies": { "googleapis-common": "^8.0.0" } }, "sha512-lujnbfmDn1aetoJBDeExH4IDKniMZs7Ga8hGagN/lecO8hd0fy9hu+osROp0HFk6u2wCAiA89oXi5qHVXupbOQ=="],
 
     "@shipsec/studio-worker/@types/node": ["@types/node@25.2.0", "", { "dependencies": { "undici-types": "~7.16.0" } }, "sha512-DZ8VwRFUNzuqJ5khrvwMXHmvPe+zGayJhr2CDNiKB1WBE1ST8Djl00D0IC4vvNmHMdj6DlbYRIaFE7WHjlDl5w=="],
 
+    "@smithy/core/@smithy/util-stream": ["@smithy/util-stream@4.5.11", "", { "dependencies": { "@smithy/fetch-http-handler": "^5.3.9", "@smithy/node-http-handler": "^4.4.9", "@smithy/types": "^4.12.0", "@smithy/util-base64": "^4.3.0", "@smithy/util-buffer-from": "^4.2.0", "@smithy/util-hex-encoding": "^4.2.0", "@smithy/util-utf8": "^4.2.0", "tslib": "^2.6.2" } }, "sha512-lKmZ0S/3Qj2OF5H1+VzvDLb6kRxGzZHq6f3rAsoSu5cTLGsn3v3VQBA8czkNNXlLjoFEtVu3OQT2jEeOtOE2CA=="],
+
+    "@smithy/smithy-client/@smithy/util-stream": ["@smithy/util-stream@4.5.11", "", { "dependencies": { "@smithy/fetch-http-handler": "^5.3.9", "@smithy/node-http-handler": "^4.4.9", "@smithy/types": "^4.12.0", "@smithy/util-base64": "^4.3.0", "@smithy/util-buffer-from": "^4.2.0", "@smithy/util-hex-encoding": "^4.2.0", "@smithy/util-utf8": "^4.2.0", "tslib": "^2.6.2" } }, "sha512-lKmZ0S/3Qj2OF5H1+VzvDLb6kRxGzZHq6f3rAsoSu5cTLGsn3v3VQBA8czkNNXlLjoFEtVu3OQT2jEeOtOE2CA=="],
+
+    "@smithy/util-stream/@smithy/node-http-handler": ["@smithy/node-http-handler@4.4.8", "", { "dependencies": { "@smithy/abort-controller": "^4.2.8", "@smithy/protocol-http": "^5.3.8", "@smithy/querystring-builder": "^4.2.8", "@smithy/types": "^4.12.0", "tslib": "^2.6.2" } }, "sha512-q9u+MSbJVIJ1QmJ4+1u+cERXkrhuILCBDsJUBAW1MPE6sFonbCNaegFuwW9ll8kh5UdyY3jOkoOGlc7BesoLpg=="],
+
     "@temporalio/common/ms": ["ms@3.0.0-canary.1", "", {}, "sha512-kh8ARjh8rMN7Du2igDRO9QJnqCb2xYTJxyQYK7vJJS4TvLLmsbyhiKpSW+t+y26gyOyMd0riphX0GeWKU3ky5g=="],
 
     "@temporalio/worker/supports-color": ["supports-color@8.1.1", "", { "dependencies": { "has-flag": "^4.0.0" } }, "sha512-MpUEN2OodtUzxvKQl72cUF7RQ5EiHsGvSsVG0ia9c5RbWGL2CI4C7EpPS8UTBIplnlzZiNuV56w+FuNxy3ty2Q=="],
@@ -3511,6 +3569,30 @@
 
     "@aws-crypto/util/@smithy/util-utf8/@smithy/util-buffer-from": ["@smithy/util-buffer-from@2.2.0", "", { "dependencies": { "@smithy/is-array-buffer": "^2.2.0", "tslib": "^2.6.2" } }, "sha512-IJdWBbTcMQ6DA0gdNhh/BwrLkDR+ADW5Kr1aZmd4k3DIF6ezMV4R2NIAmT08wQJ3yUK82thHWmC/TnK/wpMMIA=="],
 
+    "@aws-sdk/client-s3/@aws-sdk/core/@aws-sdk/xml-builder": ["@aws-sdk/xml-builder@3.972.2", "", { "dependencies": { "@smithy/types": "^4.12.0", "fast-xml-parser": "5.2.5", "tslib": "^2.6.2" } }, "sha512-jGOOV/bV1DhkkUhHiZ3/1GZ67cZyOXaDb7d1rYD6ZiXf5V9tBNOcgqXwRRPvrCbYaFRa1pPMFb3ZjqjWpR3YfA=="],
+
+    "@aws-sdk/client-s3/@aws-sdk/credential-provider-node/@aws-sdk/credential-provider-env": ["@aws-sdk/credential-provider-env@3.972.3", "", { "dependencies": { "@aws-sdk/core": "^3.973.5", "@aws-sdk/types": "^3.973.1", "@smithy/property-provider": "^4.2.8", "@smithy/types": "^4.12.0", "tslib": "^2.6.2" } }, "sha512-OBYNY4xQPq7Rx+oOhtyuyO0AQvdJSpXRg7JuPNBJH4a1XXIzJQl4UHQTPKZKwfJXmYLpv4+OkcFen4LYmDPd3g=="],
+
+    "@aws-sdk/client-s3/@aws-sdk/credential-provider-node/@aws-sdk/credential-provider-http": ["@aws-sdk/credential-provider-http@3.972.5", "", { "dependencies": { "@aws-sdk/core": "^3.973.5", "@aws-sdk/types": "^3.973.1", "@smithy/fetch-http-handler": "^5.3.9", "@smithy/node-http-handler": "^4.4.8", "@smithy/property-provider": "^4.2.8", "@smithy/protocol-http": "^5.3.8", "@smithy/smithy-client": "^4.11.1", "@smithy/types": "^4.12.0", "@smithy/util-stream": "^4.5.10", "tslib": "^2.6.2" } }, "sha512-GpvBgEmSZPvlDekd26Zi+XsI27Qz7y0utUx0g2fSTSiDzhnd1FSa1owuodxR0BcUKNL7U2cOVhhDxgZ4iSoPVg=="],
+
+    "@aws-sdk/client-s3/@aws-sdk/credential-provider-node/@aws-sdk/credential-provider-ini": ["@aws-sdk/credential-provider-ini@3.972.3", "", { "dependencies": { "@aws-sdk/core": "^3.973.5", "@aws-sdk/credential-provider-env": "^3.972.3", "@aws-sdk/credential-provider-http": "^3.972.5", "@aws-sdk/credential-provider-login": "^3.972.3", "@aws-sdk/credential-provider-process": "^3.972.3", "@aws-sdk/credential-provider-sso": "^3.972.3", "@aws-sdk/credential-provider-web-identity": "^3.972.3", "@aws-sdk/nested-clients": "3.980.0", "@aws-sdk/types": "^3.973.1", "@smithy/credential-provider-imds": "^4.2.8", "@smithy/property-provider": "^4.2.8", "@smithy/shared-ini-file-loader": "^4.4.3", "@smithy/types": "^4.12.0", "tslib": "^2.6.2" } }, "sha512-rMQAIxstP7cLgYfsRGrGOlpyMl0l8JL2mcke3dsIPLWke05zKOFyR7yoJzWCsI/QiIxjRbxpvPiAeKEA6CoYkg=="],
+
+    "@aws-sdk/client-s3/@aws-sdk/credential-provider-node/@aws-sdk/credential-provider-process": ["@aws-sdk/credential-provider-process@3.972.3", "", { "dependencies": { "@aws-sdk/core": "^3.973.5", "@aws-sdk/types": "^3.973.1", "@smithy/property-provider": "^4.2.8", "@smithy/shared-ini-file-loader": "^4.4.3", "@smithy/types": "^4.12.0", "tslib": "^2.6.2" } }, "sha512-xkSY7zjRqeVc6TXK2xr3z1bTLm0wD8cj3lAkproRGaO4Ku7dPlKy843YKnHrUOUzOnMezdZ4xtmFc0eKIDTo2w=="],
+
+    "@aws-sdk/client-s3/@aws-sdk/credential-provider-node/@aws-sdk/credential-provider-sso": ["@aws-sdk/credential-provider-sso@3.972.3", "", { "dependencies": { "@aws-sdk/client-sso": "3.980.0", "@aws-sdk/core": "^3.973.5", "@aws-sdk/token-providers": "3.980.0", "@aws-sdk/types": "^3.973.1", "@smithy/property-provider": "^4.2.8", "@smithy/shared-ini-file-loader": "^4.4.3", "@smithy/types": "^4.12.0", "tslib": "^2.6.2" } }, "sha512-8Ww3F5Ngk8dZ6JPL/V5LhCU1BwMfQd3tLdoEuzaewX8FdnT633tPr+KTHySz9FK7fFPcz5qG3R5edVEhWQD4AA=="],
+
+    "@aws-sdk/client-s3/@aws-sdk/credential-provider-node/@aws-sdk/credential-provider-web-identity": ["@aws-sdk/credential-provider-web-identity@3.972.3", "", { "dependencies": { "@aws-sdk/core": "^3.973.5", "@aws-sdk/nested-clients": "3.980.0", "@aws-sdk/types": "^3.973.1", "@smithy/property-provider": "^4.2.8", "@smithy/shared-ini-file-loader": "^4.4.3", "@smithy/types": "^4.12.0", "tslib": "^2.6.2" } }, "sha512-62VufdcH5rRfiRKZRcf1wVbbt/1jAntMj1+J0qAd+r5pQRg2t0/P9/Rz16B1o5/0Se9lVL506LRjrhIJAhYBfA=="],
+
+    "@aws-sdk/middleware-flexible-checksums/@aws-sdk/core/@aws-sdk/xml-builder": ["@aws-sdk/xml-builder@3.972.2", "", { "dependencies": { "@smithy/types": "^4.12.0", "fast-xml-parser": "5.2.5", "tslib": "^2.6.2" } }, "sha512-jGOOV/bV1DhkkUhHiZ3/1GZ67cZyOXaDb7d1rYD6ZiXf5V9tBNOcgqXwRRPvrCbYaFRa1pPMFb3ZjqjWpR3YfA=="],
+
+    "@aws-sdk/middleware-flexible-checksums/@aws-sdk/core/@smithy/core": ["@smithy/core@3.22.0", "", { "dependencies": { "@smithy/middleware-serde": "^4.2.9", "@smithy/protocol-http": "^5.3.8", "@smithy/types": "^4.12.0", "@smithy/util-base64": "^4.3.0", "@smithy/util-body-length-browser": "^4.2.0", "@smithy/util-middleware": "^4.2.8", "@smithy/util-stream": "^4.5.10", "@smithy/util-utf8": "^4.2.0", "@smithy/uuid": "^1.1.0", "tslib": "^2.6.2" } }, "sha512-6vjCHD6vaY8KubeNw2Fg3EK0KLGQYdldG4fYgQmA0xSW0dJ8G2xFhSOdrlUakWVoP5JuWHtFODg3PNd/DN3FDA=="],
+
+    "@aws-sdk/middleware-flexible-checksums/@aws-sdk/core/@smithy/smithy-client": ["@smithy/smithy-client@4.11.1", "", { "dependencies": { "@smithy/core": "^3.22.0", "@smithy/middleware-endpoint": "^4.4.12", "@smithy/middleware-stack": "^4.2.8", "@smithy/protocol-http": "^5.3.8", "@smithy/types": "^4.12.0", "@smithy/util-stream": "^4.5.10", "tslib": "^2.6.2" } }, "sha512-SERgNg5Z1U+jfR6/2xPYjSEHY1t3pyTHC/Ma3YQl6qWtmiL42bvNId3W/oMUWIwu7ekL2FMPdqAmwbQegM7HeQ=="],
+
+    "@aws-sdk/middleware-sdk-s3/@aws-sdk/core/@aws-sdk/xml-builder": ["@aws-sdk/xml-builder@3.972.2", "", { "dependencies": { "@smithy/types": "^4.12.0", "fast-xml-parser": "5.2.5", "tslib": "^2.6.2" } }, "sha512-jGOOV/bV1DhkkUhHiZ3/1GZ67cZyOXaDb7d1rYD6ZiXf5V9tBNOcgqXwRRPvrCbYaFRa1pPMFb3ZjqjWpR3YfA=="],
+
+    "@aws-sdk/middleware-sdk-s3/@smithy/smithy-client/@smithy/middleware-endpoint": ["@smithy/middleware-endpoint@4.4.12", "", { "dependencies": { "@smithy/core": "^3.22.0", "@smithy/middleware-serde": "^4.2.9", "@smithy/node-config-provider": "^4.3.8", "@smithy/shared-ini-file-loader": "^4.4.3", "@smithy/types": "^4.12.0", "@smithy/url-parser": "^4.2.8", "@smithy/util-middleware": "^4.2.8", "tslib": "^2.6.2" } }, "sha512-9JMKHVJtW9RysTNjcBZQHDwB0p3iTP6B1IfQV4m+uCevkVd/VuLgwfqk5cnI4RHcp4cPwoIvxQqN4B1sxeHo8Q=="],
+
     "@aws-sdk/xml-builder/fast-xml-parser/strnum": ["strnum@2.1.2", "", {}, "sha512-l63NF9y/cLROq/yqKXSLtcMeeyOfnSQlfMSlzFt/K73oIaD8DGaQWd7Z34X9GPiKqP5rbSh84Hl4bOlLcjiSrQ=="],
 
     "@babel/helper-compilation-targets/lru-cache/yallist": ["yallist@3.1.1", "", {}, "sha512-a4UGQaWPH59mOXUYnAG2ewncQS4i4F43Tv3JoAM+s2VDAmS9NsK8GpDMLrCHPksFT7h3K6TOoUNn2pb7RoXx4g=="],
@@ -3621,6 +3703,10 @@
 
     "@shipsec/studio-frontend/ai/@ai-sdk/provider-utils": ["@ai-sdk/provider-utils@3.0.20", "", { "dependencies": { "@ai-sdk/provider": "2.0.1", "@standard-schema/spec": "^1.0.0", "eventsource-parser": "^3.0.6" }, "peerDependencies": { "zod": "^3.25.76 || ^4.1.8" } }, "sha512-iXHVe0apM2zUEzauqJwqmpC37A5rihrStAih5Ks+JE32iTe4LZ58y17UGBjpQQTCRw9YxMeo2UFLxLpBluyvLQ=="],
 
+    "@shipsec/studio-worker/@aws-sdk/client-organizations/@aws-sdk/util-endpoints": ["@aws-sdk/util-endpoints@3.987.0", "", { "dependencies": { "@aws-sdk/types": "^3.973.1", "@smithy/types": "^4.12.0", "@smithy/url-parser": "^4.2.8", "@smithy/util-endpoints": "^3.2.8", "tslib": "^2.6.2" } }, "sha512-rZnZwDq7Pn+TnL0nyS6ryAhpqTZtLtHbJaqfxuHlDX3v/bq0M7Ch/V3qF9dZWaGgsJ2H9xn7/vFOxlnL4fBMcQ=="],
+
+    "@shipsec/studio-worker/@aws-sdk/client-sts/@aws-sdk/util-endpoints": ["@aws-sdk/util-endpoints@3.987.0", "", { "dependencies": { "@aws-sdk/types": "^3.973.1", "@smithy/types": "^4.12.0", "@smithy/url-parser": "^4.2.8", "@smithy/util-endpoints": "^3.2.8", "tslib": "^2.6.2" } }, "sha512-rZnZwDq7Pn+TnL0nyS6ryAhpqTZtLtHbJaqfxuHlDX3v/bq0M7Ch/V3qF9dZWaGgsJ2H9xn7/vFOxlnL4fBMcQ=="],
+
     "@types/express/@types/express-serve-static-core/@types/node": ["@types/node@25.2.0", "", { "dependencies": { "undici-types": "~7.16.0" } }, "sha512-DZ8VwRFUNzuqJ5khrvwMXHmvPe+zGayJhr2CDNiKB1WBE1ST8Djl00D0IC4vvNmHMdj6DlbYRIaFE7WHjlDl5w=="],
 
     "@typescript-eslint/typescript-estree/minimatch/brace-expansion": ["brace-expansion@2.0.2", "", { "dependencies": { "balanced-match": "^1.0.0" } }, "sha512-Jt0vHyM+jmUBqojB7E1NIYadt0vI0Qxjxd2TErW94wDz+E2LAm5vKMXXwg6ZZBTHPuUlDgQHKXvjGBdfcF1ZDQ=="],
@@ -3761,6 +3847,24 @@
 
     "@aws-crypto/util/@smithy/util-utf8/@smithy/util-buffer-from/@smithy/is-array-buffer": ["@smithy/is-array-buffer@2.2.0", "", { "dependencies": { "tslib": "^2.6.2" } }, "sha512-GGP3O9QFD24uGeAXYUjwSTXARoqpZykHadOmA8G5vfJPK0/DC67qa//0qvqrJzL1xc8WQWX7/yc7fwudjPHPhA=="],
 
+    "@aws-sdk/client-s3/@aws-sdk/core/@aws-sdk/xml-builder/fast-xml-parser": ["fast-xml-parser@5.2.5", "", { "dependencies": { "strnum": "^2.1.0" }, "bin": { "fxparser": "src/cli/cli.js" } }, "sha512-pfX9uG9Ki0yekDHx2SiuRIyFdyAr1kMIMitPvb0YBo8SUfKvia7w7FIyd/l6av85pFYRhZscS75MwMnbvY+hcQ=="],
+
+    "@aws-sdk/client-s3/@aws-sdk/credential-provider-node/@aws-sdk/credential-provider-ini/@aws-sdk/credential-provider-login": ["@aws-sdk/credential-provider-login@3.972.3", "", { "dependencies": { "@aws-sdk/core": "^3.973.5", "@aws-sdk/nested-clients": "3.980.0", "@aws-sdk/types": "^3.973.1", "@smithy/property-provider": "^4.2.8", "@smithy/protocol-http": "^5.3.8", "@smithy/shared-ini-file-loader": "^4.4.3", "@smithy/types": "^4.12.0", "tslib": "^2.6.2" } }, "sha512-Gc3O91iVvA47kp2CLIXOwuo5ffo1cIpmmyIewcYjAcvurdFHQ8YdcBe1KHidnbbBO4/ZtywGBACsAX5vr3UdoA=="],
+
+    "@aws-sdk/client-s3/@aws-sdk/credential-provider-node/@aws-sdk/credential-provider-ini/@aws-sdk/nested-clients": ["@aws-sdk/nested-clients@3.980.0", "", { "dependencies": { "@aws-crypto/sha256-browser": "5.2.0", "@aws-crypto/sha256-js": "5.2.0", "@aws-sdk/core": "^3.973.5", "@aws-sdk/middleware-host-header": "^3.972.3", "@aws-sdk/middleware-logger": "^3.972.3", "@aws-sdk/middleware-recursion-detection": "^3.972.3", "@aws-sdk/middleware-user-agent": "^3.972.5", "@aws-sdk/region-config-resolver": "^3.972.3", "@aws-sdk/types": "^3.973.1", "@aws-sdk/util-endpoints": "3.980.0", "@aws-sdk/util-user-agent-browser": "^3.972.3", "@aws-sdk/util-user-agent-node": "^3.972.3", "@smithy/config-resolver": "^4.4.6", "@smithy/core": "^3.22.0", "@smithy/fetch-http-handler": "^5.3.9", "@smithy/hash-node": "^4.2.8", "@smithy/invalid-dependency": "^4.2.8", "@smithy/middleware-content-length": "^4.2.8", "@smithy/middleware-endpoint": "^4.4.12", "@smithy/middleware-retry": "^4.4.29", "@smithy/middleware-serde": "^4.2.9", "@smithy/middleware-stack": "^4.2.8", "@smithy/node-config-provider": "^4.3.8", "@smithy/node-http-handler": "^4.4.8", "@smithy/protocol-http": "^5.3.8", "@smithy/smithy-client": "^4.11.1", "@smithy/types": "^4.12.0", "@smithy/url-parser": "^4.2.8", "@smithy/util-base64": "^4.3.0", "@smithy/util-body-length-browser": "^4.2.0", "@smithy/util-body-length-node": "^4.2.1", "@smithy/util-defaults-mode-browser": "^4.3.28", "@smithy/util-defaults-mode-node": "^4.2.31", "@smithy/util-endpoints": "^3.2.8", "@smithy/util-middleware": "^4.2.8", "@smithy/util-retry": "^4.2.8", "@smithy/util-utf8": "^4.2.0", "tslib": "^2.6.2" } }, "sha512-/dONY5xc5/CCKzOqHZCTidtAR4lJXWkGefXvTRKdSKMGaYbbKsxDckisd6GfnvPSLxWtvQzwgRGRutMRoYUApQ=="],
+
+    "@aws-sdk/client-s3/@aws-sdk/credential-provider-node/@aws-sdk/credential-provider-sso/@aws-sdk/client-sso": ["@aws-sdk/client-sso@3.980.0", "", { "dependencies": { "@aws-crypto/sha256-browser": "5.2.0", "@aws-crypto/sha256-js": "5.2.0", "@aws-sdk/core": "^3.973.5", "@aws-sdk/middleware-host-header": "^3.972.3", "@aws-sdk/middleware-logger": "^3.972.3", "@aws-sdk/middleware-recursion-detection": "^3.972.3", "@aws-sdk/middleware-user-agent": "^3.972.5", "@aws-sdk/region-config-resolver": "^3.972.3", "@aws-sdk/types": "^3.973.1", "@aws-sdk/util-endpoints": "3.980.0", "@aws-sdk/util-user-agent-browser": "^3.972.3", "@aws-sdk/util-user-agent-node": "^3.972.3", "@smithy/config-resolver": "^4.4.6", "@smithy/core": "^3.22.0", "@smithy/fetch-http-handler": "^5.3.9", "@smithy/hash-node": "^4.2.8", "@smithy/invalid-dependency": "^4.2.8", "@smithy/middleware-content-length": "^4.2.8", "@smithy/middleware-endpoint": "^4.4.12", "@smithy/middleware-retry": "^4.4.29", "@smithy/middleware-serde": "^4.2.9", "@smithy/middleware-stack": "^4.2.8", "@smithy/node-config-provider": "^4.3.8", "@smithy/node-http-handler": "^4.4.8", "@smithy/protocol-http": "^5.3.8", "@smithy/smithy-client": "^4.11.1", "@smithy/types": "^4.12.0", "@smithy/url-parser": "^4.2.8", "@smithy/util-base64": "^4.3.0", "@smithy/util-body-length-browser": "^4.2.0", "@smithy/util-body-length-node": "^4.2.1", "@smithy/util-defaults-mode-browser": "^4.3.28", "@smithy/util-defaults-mode-node": "^4.2.31", "@smithy/util-endpoints": "^3.2.8", "@smithy/util-middleware": "^4.2.8", "@smithy/util-retry": "^4.2.8", "@smithy/util-utf8": "^4.2.0", "tslib": "^2.6.2" } }, "sha512-AhNXQaJ46C1I+lQ+6Kj+L24il5K9lqqIanJd8lMszPmP7bLnmX0wTKK0dxywcvrLdij3zhWttjAKEBNgLtS8/A=="],
+
+    "@aws-sdk/client-s3/@aws-sdk/credential-provider-node/@aws-sdk/credential-provider-sso/@aws-sdk/token-providers": ["@aws-sdk/token-providers@3.980.0", "", { "dependencies": { "@aws-sdk/core": "^3.973.5", "@aws-sdk/nested-clients": "3.980.0", "@aws-sdk/types": "^3.973.1", "@smithy/property-provider": "^4.2.8", "@smithy/shared-ini-file-loader": "^4.4.3", "@smithy/types": "^4.12.0", "tslib": "^2.6.2" } }, "sha512-1nFileg1wAgDmieRoj9dOawgr2hhlh7xdvcH57b1NnqfPaVlcqVJyPc6k3TLDUFPY69eEwNxdGue/0wIz58vjA=="],
+
+    "@aws-sdk/client-s3/@aws-sdk/credential-provider-node/@aws-sdk/credential-provider-web-identity/@aws-sdk/nested-clients": ["@aws-sdk/nested-clients@3.980.0", "", { "dependencies": { "@aws-crypto/sha256-browser": "5.2.0", "@aws-crypto/sha256-js": "5.2.0", "@aws-sdk/core": "^3.973.5", "@aws-sdk/middleware-host-header": "^3.972.3", "@aws-sdk/middleware-logger": "^3.972.3", "@aws-sdk/middleware-recursion-detection": "^3.972.3", "@aws-sdk/middleware-user-agent": "^3.972.5", "@aws-sdk/region-config-resolver": "^3.972.3", "@aws-sdk/types": "^3.973.1", "@aws-sdk/util-endpoints": "3.980.0", "@aws-sdk/util-user-agent-browser": "^3.972.3", "@aws-sdk/util-user-agent-node": "^3.972.3", "@smithy/config-resolver": "^4.4.6", "@smithy/core": "^3.22.0", "@smithy/fetch-http-handler": "^5.3.9", "@smithy/hash-node": "^4.2.8", "@smithy/invalid-dependency": "^4.2.8", "@smithy/middleware-content-length": "^4.2.8", "@smithy/middleware-endpoint": "^4.4.12", "@smithy/middleware-retry": "^4.4.29", "@smithy/middleware-serde": "^4.2.9", "@smithy/middleware-stack": "^4.2.8", "@smithy/node-config-provider": "^4.3.8", "@smithy/node-http-handler": "^4.4.8", "@smithy/protocol-http": "^5.3.8", "@smithy/smithy-client": "^4.11.1", "@smithy/types": "^4.12.0", "@smithy/url-parser": "^4.2.8", "@smithy/util-base64": "^4.3.0", "@smithy/util-body-length-browser": "^4.2.0", "@smithy/util-body-length-node": "^4.2.1", "@smithy/util-defaults-mode-browser": "^4.3.28", "@smithy/util-defaults-mode-node": "^4.2.31", "@smithy/util-endpoints": "^3.2.8", "@smithy/util-middleware": "^4.2.8", "@smithy/util-retry": "^4.2.8", "@smithy/util-utf8": "^4.2.0", "tslib": "^2.6.2" } }, "sha512-/dONY5xc5/CCKzOqHZCTidtAR4lJXWkGefXvTRKdSKMGaYbbKsxDckisd6GfnvPSLxWtvQzwgRGRutMRoYUApQ=="],
+
+    "@aws-sdk/middleware-flexible-checksums/@aws-sdk/core/@aws-sdk/xml-builder/fast-xml-parser": ["fast-xml-parser@5.2.5", "", { "dependencies": { "strnum": "^2.1.0" }, "bin": { "fxparser": "src/cli/cli.js" } }, "sha512-pfX9uG9Ki0yekDHx2SiuRIyFdyAr1kMIMitPvb0YBo8SUfKvia7w7FIyd/l6av85pFYRhZscS75MwMnbvY+hcQ=="],
+
+    "@aws-sdk/middleware-flexible-checksums/@aws-sdk/core/@smithy/smithy-client/@smithy/middleware-endpoint": ["@smithy/middleware-endpoint@4.4.12", "", { "dependencies": { "@smithy/core": "^3.22.0", "@smithy/middleware-serde": "^4.2.9", "@smithy/node-config-provider": "^4.3.8", "@smithy/shared-ini-file-loader": "^4.4.3", "@smithy/types": "^4.12.0", "@smithy/url-parser": "^4.2.8", "@smithy/util-middleware": "^4.2.8", "tslib": "^2.6.2" } }, "sha512-9JMKHVJtW9RysTNjcBZQHDwB0p3iTP6B1IfQV4m+uCevkVd/VuLgwfqk5cnI4RHcp4cPwoIvxQqN4B1sxeHo8Q=="],
+
+    "@aws-sdk/middleware-sdk-s3/@aws-sdk/core/@aws-sdk/xml-builder/fast-xml-parser": ["fast-xml-parser@5.2.5", "", { "dependencies": { "strnum": "^2.1.0" }, "bin": { "fxparser": "src/cli/cli.js" } }, "sha512-pfX9uG9Ki0yekDHx2SiuRIyFdyAr1kMIMitPvb0YBo8SUfKvia7w7FIyd/l6av85pFYRhZscS75MwMnbvY+hcQ=="],
+
     "@nestjs/platform-express/express/accepts/mime-types": ["mime-types@2.1.35", "", { "dependencies": { "mime-db": "1.52.0" } }, "sha512-ZDY+bPm5zTTF+YpCrAU9nK0UgICYPT0QtT1NZWFv4s++TNkcgVaT0g6+4R2uI4MjQjzysHB1zxuWL50hzaeXiw=="],
 
     "@nestjs/platform-express/express/accepts/negotiator": ["negotiator@0.6.3", "", {}, "sha512-+EUsqGPLsM+j/zdChZjsnX51g4XrHFOIXwfnCVPGlQk/k5giakcKsuxCObBRu6DSm9opw/O6slWbJdghQM4bBg=="],
@@ -3779,6 +3883,14 @@
 
     "multer/type-is/mime-types/mime-db": ["mime-db@1.52.0", "", {}, "sha512-sPU4uV7dYlvtWJxwwxHD0PuihVNiE7TyAbQ5SWxDCB9mUYvOgroQOwYQQOKPJ8CIbE+1ETVlOoK1UC2nU3gYvg=="],
 
+    "@aws-sdk/client-s3/@aws-sdk/core/@aws-sdk/xml-builder/fast-xml-parser/strnum": ["strnum@2.1.2", "", {}, "sha512-l63NF9y/cLROq/yqKXSLtcMeeyOfnSQlfMSlzFt/K73oIaD8DGaQWd7Z34X9GPiKqP5rbSh84Hl4bOlLcjiSrQ=="],
+
+    "@aws-sdk/client-s3/@aws-sdk/credential-provider-node/@aws-sdk/credential-provider-sso/@aws-sdk/token-providers/@aws-sdk/nested-clients": ["@aws-sdk/nested-clients@3.980.0", "", { "dependencies": { "@aws-crypto/sha256-browser": "5.2.0", "@aws-crypto/sha256-js": "5.2.0", "@aws-sdk/core": "^3.973.5", "@aws-sdk/middleware-host-header": "^3.972.3", "@aws-sdk/middleware-logger": "^3.972.3", "@aws-sdk/middleware-recursion-detection": "^3.972.3", "@aws-sdk/middleware-user-agent": "^3.972.5", "@aws-sdk/region-config-resolver": "^3.972.3", "@aws-sdk/types": "^3.973.1", "@aws-sdk/util-endpoints": "3.980.0", "@aws-sdk/util-user-agent-browser": "^3.972.3", "@aws-sdk/util-user-agent-node": "^3.972.3", "@smithy/config-resolver": "^4.4.6", "@smithy/core": "^3.22.0", "@smithy/fetch-http-handler": "^5.3.9", "@smithy/hash-node": "^4.2.8", "@smithy/invalid-dependency": "^4.2.8", "@smithy/middleware-content-length": "^4.2.8", "@smithy/middleware-endpoint": "^4.4.12", "@smithy/middleware-retry": "^4.4.29", "@smithy/middleware-serde": "^4.2.9", "@smithy/middleware-stack": "^4.2.8", "@smithy/node-config-provider": "^4.3.8", "@smithy/node-http-handler": "^4.4.8", "@smithy/protocol-http": "^5.3.8", "@smithy/smithy-client": "^4.11.1", "@smithy/types": "^4.12.0", "@smithy/url-parser": "^4.2.8", "@smithy/util-base64": "^4.3.0", "@smithy/util-body-length-browser": "^4.2.0", "@smithy/util-body-length-node": "^4.2.1", "@smithy/util-defaults-mode-browser": "^4.3.28", "@smithy/util-defaults-mode-node": "^4.2.31", "@smithy/util-endpoints": "^3.2.8", "@smithy/util-middleware": "^4.2.8", "@smithy/util-retry": "^4.2.8", "@smithy/util-utf8": "^4.2.0", "tslib": "^2.6.2" } }, "sha512-/dONY5xc5/CCKzOqHZCTidtAR4lJXWkGefXvTRKdSKMGaYbbKsxDckisd6GfnvPSLxWtvQzwgRGRutMRoYUApQ=="],
+
+    "@aws-sdk/middleware-flexible-checksums/@aws-sdk/core/@aws-sdk/xml-builder/fast-xml-parser/strnum": ["strnum@2.1.2", "", {}, "sha512-l63NF9y/cLROq/yqKXSLtcMeeyOfnSQlfMSlzFt/K73oIaD8DGaQWd7Z34X9GPiKqP5rbSh84Hl4bOlLcjiSrQ=="],
+
+    "@aws-sdk/middleware-sdk-s3/@aws-sdk/core/@aws-sdk/xml-builder/fast-xml-parser/strnum": ["strnum@2.1.2", "", {}, "sha512-l63NF9y/cLROq/yqKXSLtcMeeyOfnSQlfMSlzFt/K73oIaD8DGaQWd7Z34X9GPiKqP5rbSh84Hl4bOlLcjiSrQ=="],
+
     "@nestjs/platform-express/express/accepts/mime-types/mime-db": ["mime-db@1.52.0", "", {}, "sha512-sPU4uV7dYlvtWJxwwxHD0PuihVNiE7TyAbQ5SWxDCB9mUYvOgroQOwYQQOKPJ8CIbE+1ETVlOoK1UC2nU3gYvg=="],
 
     "@nestjs/platform-express/express/type-is/mime-types/mime-db": ["mime-db@1.52.0", "", {}, "sha512-sPU4uV7dYlvtWJxwwxHD0PuihVNiE7TyAbQ5SWxDCB9mUYvOgroQOwYQQOKPJ8CIbE+1ETVlOoK1UC2nU3gYvg=="],
diff --git a/docs/sample/aws-cspm-org-discovery.json b/docs/sample/aws-cspm-org-discovery.json
new file mode 100644
index 00000000..227ebb4f
--- /dev/null
+++ b/docs/sample/aws-cspm-org-discovery.json
@@ -0,0 +1,108 @@
+{
+  "name": "AWS CSPM – Org Account Discovery",
+  "description": "Resolves AWS credentials from an integration connection, discovers all AWS Organization member accounts, and optionally assumes a cross-account role for scanning.",
+  "nodes": [
+    {
+      "id": "entry-1",
+      "type": "core.workflow.entrypoint",
+      "position": { "x": 250, "y": 50 },
+      "data": {
+        "label": "Entry Point",
+        "config": {
+          "params": {
+            "runtimeInputs": [
+              {
+                "id": "connectionId",
+                "label": "AWS Integration Connection ID",
+                "type": "text",
+                "required": true,
+                "description": "The ID of the AWS integration connection to resolve credentials from. Find this in Settings > Integrations > AWS."
+              },
+              {
+                "id": "targetRoleArn",
+                "label": "Target Role ARN (optional)",
+                "type": "text",
+                "required": false,
+                "description": "If provided, the workflow will assume this cross-account role after discovering accounts."
+              },
+              {
+                "id": "externalId",
+                "label": "External ID (optional)",
+                "type": "text",
+                "required": false,
+                "description": "External ID for the STS AssumeRole call, if required by the trust policy."
+              }
+            ]
+          },
+          "inputOverrides": {}
+        }
+      }
+    },
+    {
+      "id": "resolve-creds-1",
+      "type": "core.integration.resolve-credentials",
+      "position": { "x": 250, "y": 280 },
+      "data": {
+        "label": "Resolve AWS Credentials",
+        "config": {
+          "params": {},
+          "inputOverrides": {
+            "connectionId": "{{entry-1.connectionId}}"
+          }
+        }
+      }
+    },
+    {
+      "id": "org-discovery-1",
+      "type": "core.aws.org-discovery",
+      "position": { "x": 100, "y": 510 },
+      "data": {
+        "label": "Discover Org Accounts",
+        "config": {
+          "params": {},
+          "inputOverrides": {}
+        }
+      }
+    },
+    {
+      "id": "assume-role-1",
+      "type": "core.aws.assume-role",
+      "position": { "x": 400, "y": 510 },
+      "data": {
+        "label": "Assume Cross-Account Role",
+        "config": {
+          "params": {
+            "roleArn": "{{entry-1.targetRoleArn}}",
+            "externalId": "{{entry-1.externalId}}",
+            "sessionName": "shipsec-cspm-scan"
+          },
+          "inputOverrides": {}
+        }
+      }
+    }
+  ],
+  "edges": [
+    {
+      "id": "e-entry-to-resolve",
+      "source": "entry-1",
+      "target": "resolve-creds-1",
+      "sourceHandle": "connectionId",
+      "targetHandle": "connectionId"
+    },
+    {
+      "id": "e-resolve-to-discovery",
+      "source": "resolve-creds-1",
+      "target": "org-discovery-1",
+      "sourceHandle": "data",
+      "targetHandle": "credentials"
+    },
+    {
+      "id": "e-resolve-to-assume",
+      "source": "resolve-creds-1",
+      "target": "assume-role-1",
+      "sourceHandle": "data",
+      "targetHandle": "sourceCredentials"
+    }
+  ],
+  "viewport": { "x": 0, "y": 0, "zoom": 1 }
+}
diff --git a/docs/sample/aws-cspm-prowler-to-analytics.json b/docs/sample/aws-cspm-prowler-to-analytics.json
new file mode 100644
index 00000000..69a4cb9f
--- /dev/null
+++ b/docs/sample/aws-cspm-prowler-to-analytics.json
@@ -0,0 +1,122 @@
+{
+  "name": "AWS CSPM – Prowler Scan to Analytics",
+  "description": "End-to-end AWS CSPM workflow: resolves credentials from an integration connection, runs a Prowler security scan, and indexes the results into the Analytics dashboard via OpenSearch.",
+  "nodes": [
+    {
+      "id": "entry-1",
+      "type": "core.workflow.entrypoint",
+      "position": { "x": 300, "y": 50 },
+      "data": {
+        "label": "Entry Point",
+        "config": {
+          "params": {
+            "runtimeInputs": [
+              {
+                "id": "connectionId",
+                "label": "AWS Integration Connection ID",
+                "type": "text",
+                "required": true,
+                "description": "The ID of the AWS integration connection. Find this in Settings > Integrations > AWS."
+              },
+              {
+                "id": "regions",
+                "label": "AWS Regions",
+                "type": "text",
+                "required": false,
+                "description": "Comma-separated AWS regions to scan. Defaults to us-east-1.",
+                "default": "us-east-1"
+              }
+            ]
+          },
+          "inputOverrides": {}
+        }
+      }
+    },
+    {
+      "id": "resolve-creds-1",
+      "type": "core.integration.resolve-credentials",
+      "position": { "x": 300, "y": 280 },
+      "data": {
+        "label": "Resolve AWS Credentials",
+        "config": {
+          "params": {},
+          "inputOverrides": {}
+        }
+      }
+    },
+    {
+      "id": "prowler-1",
+      "type": "security.prowler.scan",
+      "position": { "x": 300, "y": 510 },
+      "data": {
+        "label": "Prowler Security Scan",
+        "config": {
+          "params": {
+            "scanMode": "aws",
+            "recommendedFlags": ["severity-high-critical", "ignore-exit-code", "no-banner"]
+          },
+          "inputOverrides": {}
+        }
+      }
+    },
+    {
+      "id": "analytics-sink-1",
+      "type": "core.analytics.sink",
+      "position": { "x": 300, "y": 770 },
+      "data": {
+        "label": "Analytics Sink",
+        "config": {
+          "params": {
+            "dataInputs": [
+              {
+                "id": "input1",
+                "label": "Prowler Results",
+                "sourceTag": "prowler"
+              }
+            ],
+            "failOnError": false
+          },
+          "inputOverrides": {}
+        }
+      }
+    }
+  ],
+  "edges": [
+    {
+      "id": "e-entry-to-resolve",
+      "source": "entry-1",
+      "target": "resolve-creds-1",
+      "sourceHandle": "connectionId",
+      "targetHandle": "connectionId"
+    },
+    {
+      "id": "e-resolve-to-prowler-creds",
+      "source": "resolve-creds-1",
+      "target": "prowler-1",
+      "sourceHandle": "data",
+      "targetHandle": "credentials"
+    },
+    {
+      "id": "e-resolve-to-prowler-account",
+      "source": "resolve-creds-1",
+      "target": "prowler-1",
+      "sourceHandle": "accountId",
+      "targetHandle": "accountId"
+    },
+    {
+      "id": "e-entry-to-prowler-regions",
+      "source": "entry-1",
+      "target": "prowler-1",
+      "sourceHandle": "regions",
+      "targetHandle": "regions"
+    },
+    {
+      "id": "e-prowler-to-analytics",
+      "source": "prowler-1",
+      "target": "analytics-sink-1",
+      "sourceHandle": "results",
+      "targetHandle": "input1"
+    }
+  ],
+  "viewport": { "x": 0, "y": 0, "zoom": 1 }
+}
diff --git a/frontend/.env.example b/frontend/.env.example
index 8089b93e..88f10263 100644
--- a/frontend/.env.example
+++ b/frontend/.env.example
@@ -5,6 +5,11 @@ VITE_API_URL=http://localhost
 VITE_APP_NAME=Security Workflow Builder
 VITE_APP_VERSION=1.0.0
 
+# Public-facing app URL (used for OAuth redirect URIs, etc.)
+# Falls back to window.location.origin if not set.
+# Set this when using ngrok or a custom domain.
+# VITE_APP_URL=https://your-ngrok-url.ngrok-free.app
+
 # Git commit information (injected at build time)
 # Example: VITE_GIT_SHA=$(git rev-parse HEAD)
 VITE_GIT_SHA=
diff --git a/frontend/public/icons/aws.png b/frontend/public/icons/aws.png
new file mode 100644
index 0000000000000000000000000000000000000000..8c6b81cbd733984df8ce1d7dd96690e6acefb4c2
GIT binary patch
literal 123445
zcmeFYWl&t*wl)e0PJrM92=3CjTX2`)ZjHOU1a}Dpx8T~iTL%vw+}(p)BaM8#XYYN_
z_v2Q5x9<IUPgix<s=4MIJ?2=mhdkryC>14XG!#M<7#J8dSs4jc7?}5DZ*K~ucW)z~
zmRUJrU_QdgN{Fg^WuH7-rcp{aQ=??IiBo>mEmpEn-Kc2y>^fVpH4Mzo$P+$4zR~rU
zL{5?{nfUV#$*Q%>e}c^w7Lx*7w!VJCf|dOpY-`rr%YH>VMN>;FPAp%A4hJR7)SK?q
z|1!e6M(?FvsLC02-7$x4;-4FD_n&5dn*HmF4o5x=i|L;+I-F=~apcs0tsY3qhm-%e
zoMDyV;{TE;R%b@nqxvrq+U#<k3PV5tHJ;xJD_8q(d8r?`Fd6=J&GhNNM`O(~ndrlT
z2VK?fF8|iS)x;YmHAlYahXMV6jog>^xhRIpmHu1MEaHC@SZd8Rj#5tftNLHM)8Tmj
zG7a9d+i!HhcdmLm&Q$*Qyx`hM<GsZ>H2(R5d(nUIC{VQw<Nw;yW%;%7zrO0t047l=
z^Atn{^?-lPeAU07^{)MIRYD&BGnMHRHEzbgbxMuFI_UVf1yq>OY$(+KV~rpGJ^jBo
z{efEh-zv+8|KA$fnJ9P<FRh0yQ|do^MWF_+DV~4z__xKK5r0(gDgRqYw1Bw(f1COL
zB>VsP0RP{q{6At*{vZ4}{>QfY+U);hg#R(ZKd$S4PQw2f;s0Bl{GXun|F58PPi$;y
z=q#0gKmPMyX(-s0$yDxBX}tq_Pl2*-p~@4@zmn4E4G{~z)bUr&H0dSyJaxJN`2Q_K
zeTzQ<_D|PHkkK`s*T-kb!zmR1=o8p7XJ=;ZF7W2^VMVNoZ6NMV(!ECAZ{=-LM9-|R
zInU{%;}cD-8>y~OVdu4ZlkFMjeVs-V1q*=~_p_6u_0@NzuWj8#0h2(fOK1=l(?AU(
zG{er-akP%f=xpfJIj609L%3U@#&(T;`PEmn8{>Mp?|)nD>Rs&^vvHmN^{M*bd&^^H
znjxLbzyS-tDJ)Dv%I*G~D`Y54G&gv7_IN!|I>(Y0vC=rRcB92}&F!1T(YAU#+Py4k
zsYWOG&jR!_;K_S%%L82?bA#H0$oxs$q3%nav)1R{fM)si`V*JD_7I1S2^|!!>(Zyw
zo5AbV42K-VV@RRZ<^8ZhTE`qB&THsDHX!gDV|w+4cxBv9%UZr}{Oox!xIg`AND(S2
z<Z<`%WMA8wGis`pXKJ@-8_3*yS#IycH_S{@r=vKMX(WI#U*pR?Aj0&IMmR0=)x^q$
z5K=*sxSHO{m%KCG-QUx|Bku>Z221^U24B}V>uGbgR~dC2+|Xk02maXleVWt7PlG$N
zz*R$fRRgUvLmq7h`!R8_SQrNgpfbCPhRbEy*U)MMprY?s^>HRTTEhS<6wKmp$+!b5
zwRZHe$@x94z%^ppv#rQ3=Y+x%eEp<Mx*kOQ(E>lfBTTElO^`|AL44FrIVLfM>$i_8
z?#stm9JLajEC>B-%gobAc>L2Vu%7bnVIa}c&ACfX>T5RD;^7K!d{ta8g}d*4Oix|G
zZ<YuE8RxS3@%}k+xrS9Uel{2Z|LkWm`fW@4`mYv(SC>GS1Klh@5BQ}iB7NMh^B{ck
zWKQQ(#!WNbRa)L((W4HRXAXCy4IZ_FHVuIoaLJB8|K{yuNJNmdmKcwe6i|$Xnr4i$
z?X_xk(5*9Kho*ieiwk3U6>J#R{Io}OKpOhzu@_7qnzYQSzWZcV<ld%3W#07S-Q^$1
z5Ct83^OAK0o{*aQfE;%CW#gHnjlFa+=a(jv0ago-<>Bv<wJ#U3wrVuHlOuuh-bwl8
zte37XBVl&^j7g0>K7hUrtc<l}I9LBR^$EptS*vfOQ#9vqRVGNQWm>T<FXee}f?V{W
zJLif?6q^RyuN5cF>049|92!MIwL;QV<f|^jkh5S0m8XezK+vz0;Jg86>ga+{)=vr8
zhKr$n#h-0y&h9!;LLE>g$axf|^~@+9a}}`uc4HY#o3U@*(P+=?s3PZmN|3%cZj%U9
z(jS})7;oh`t{V6Axxz?5>noM%f5=Zdjs^xATzQROm=f;F+Qg1JBfTOikiIN?WIlB7
z1stf#u+XHj-?i5JZpq7B$cy2N77BfeAB;CF;E`PYh14h9YeBIsFaYHFBPT4gy|1k1
z?J>APv8=J#CF@nvAdcC0jWe>3PCbe8+!Tr!R>bb3PIL2%*P*bHJi5RQ#ii|~bNs$;
zq)yoO&CM_ccZK=w?RRaUw6XOxnz*XQs{G8L{H?!xMI@T6ruj5FubkGKbKgYA%5NAc
zC@-g=T_jO2V@`LB51VGKb2Pz=xxH0VR5qjv{~s)XTe;>*YJTjCh5F8ddDf{#Lr!y7
zw_}XZ@B-ej-T4#wp1F>lK917Y!>pB%CN{&hT5Tt38qvlW7kvBawT=gaUc7GKimdaQ
zSYYvUM&?R3IE9SP3lr5W_s2oP>v2^;y`D@U;AQxgFR;*_!1e1QWoxZ<Mrv9w_=>Ek
zE3wE!oUi9Jd@6ftvqg#fFaU7Om!`U5Z4xKN{<zwTd<zzIb%W{DW=Nrt@TVD+ufW9c
z4g9!nCUMpHP}*xdMqlUFHpu?oC7_b*mDUBMWPwb}jA^l3Oe^5tWx_$g9koibK|@rg
zF~#n?^77;^ow3dH?ag~4l8MYre9y9)3s?H3Mr8j?0UqAT@Mq_G_|1OiqQn-Is<Y0b
z<dr)<2~5RMwu_`uP&oTuCV(eRs%(`^G(j}{!AkYa%&v#q3XR5X8^5o=fo@qYZBf?*
z>s5Dqp>URj&$a7UDB*iWx(Sc=ov28Y{rSym@g21I5Tl1>@`n5O+XD92JBu0&Zhq@B
z2gIR{zF0@Z`l^AfiQNT#sdBv>5}Vt7*UyyRRP11)-MtJu9aP1}Al`^Q68U?xb`jWB
zYVkr_UIODybz2QTQ%=GtGP6_1L3-3uJpbW#dPA0->@so#e8o-dfO)glN%k|cY9vPa
zb4Q9141#e)wZk6?SUa+I{J5=x`Sl#x38H<xrWDkiQFIt2sb#u@i}473J!YKSCEJ8-
znzYD@?^_33)d4!R;VvWvFFyebG}cI2==QmAl8v8t=Hs9Hl-?JrR&V<6Olg-OWx!3B
zh;<ai$V-s^KxW>zq=pEz)2HhtGY*KrzBy?;@*0k{t>^j`3(zopOsG8WyR=VJ!4`=;
zWEK(i^>|3+zpjh`X^gn(&M-^~^Y9R<A5vauECo?KKQ1)WtaD6EBaoA5&8ie8l9T(R
zuDA#jI<(eA17VIs^X(hax)o)+n?&ie0xv~Buu5`h^Z<`Na()Bo$J|3VF?$M>aB>fr
zPOnTpHJZ&8&JXfnzSF7&=uCP}!2=fwqu!y^F=)FAj@Qn=<l-`clMceLALd?Vb|Mhv
z4ksm$H0Oag;dIm*4+FOgVSyfIbIJoPzi`dqGH*1h?#HaE1d#w8)i=Pfkcb2M^e9iZ
z*v@#*1<cHzXt-Vd3B+l6&<mO&X3`N^j<T6JdunO6htw>U&w!GZ)gzlOK+=x7MzeBJ
zV^hI6IYkcl`b*UBIP#rV{a|LdqU+$sJM_(85@%Ew6~kt%glL156h_$GWWJ-hvTKW-
z#LT|*xndve4<zh31gE_2q`hf`faddrjlVaJC=2gz|I0bUZ~WZm<bD?SN*-G)@+lIR
z$7_}yET|d<;TfKKmf!wqqfh%dR(9*twPe?<%NS=-__YS}ZxaeOVB6px*0C2~0B_0Z
zhkDSvmUkI2-+N#CwvgK4yLVd1yQK=14*uTk-dxq6wy&}A9k%MXwqjFQxyAxLM0?Hj
z>g%xMs4x*RM=PSnKjjD$&(~<Q7O-(r>wKfhzjI(`Gvkr(XE3BHNZ;#;M8-Sa90Fq7
z@zBHfTyZ&{c{WoXoQ;<u*8Hr}O8=<MJxAUzs-~BONw}jW_2H8~2SS7&yK+~6`~7|x
zNanGARA=s4AT(r)4Yg)6U=n@wMeK#nbiMbUKJC&mBi3y~zJp`DO;S42>37m81x2p#
z?3PxqS@2NeU{<W;^zMf?SkuvuaZKmw1vX8FHCusV?=iYwTV$03nsnpkQ;}(AsUT&$
z`=QvzW;?P&*dm0RCZrH(7c7al;L%!TL(DZ~4p+kFNlx!ae_Xiur~>Mw#$g$ilWyAb
zYoFO+tmi!O-oSeQ%95-}!y8QZ4{EtUDe|xkUvppt*$;BNCY(pj7+jkTpON1B0~gUo
zZ<@LL2|J)dlOf&QHeJ`2Ogk<m1=p|Ch#<uVH?~6IXG?Np*ts)(3S;k}YIf@oeGegP
z&%5wG@-Z_lEiHU}{L@j7j+vud1h0di8|NM!UPR*$tha3TSiyTwsv6%E!#aMxFBX;Z
zETk1h`4~cWjJ>`{ts6$5;M}A6<dPg~yjEn|wkcz}R4e8~VBa62Pg@P9IY=NKs{>PF
zU}hQEO;Po4$3F4T>61j6MpKkWZww8xIUB}P77WZ%p0#kHqqr0fn1e?X<qcvbcFitj
z73^@Dd!*P7EF87!jItN8Bwx75OB^8R8x^EiC5;!KUhhle?$GKD@va)zL}<Gg%#A_^
zkS5v6)RVo`3!Ccem$wf-V}B{^A+G!inzwn<xXdc&Wf+*}=se;7$vxE|OdMh$nsK&O
zJ}A;>a`5->%{K7{;?3q=N0%X~(fdbA8u)#)oqmz6T>Ps)#=rtz1Cz~Pk$Dd5oxM4W
zoU>ntQz#JMa=Dc)5BM&xTv`{_VFBwp&t_t(tgt?#OB6^I8QQIszrDRX5D2uiv~&dm
z?d|PdU0p3biDsCfBy|!R(P|QW7;4AG9BimkCgPu)C&(=#6+?HyT#yaxQd9{1d-&g)
z(2783XKxo5pNp5xx#I=eA=*ttt+h(SnwS=E()y?qjfT<N>$<Gkj)(;Aq=k@}VS6oy
zX1gTNyGFn*u^jJ2wBG<$L=z0Lyq(|48ntHr%6&m0E)!KR`iMk~I!|-6oQhz8(!w35
zJ!~?jb20RE0gWar7ZB>yl+8DYJ+=9e+(1wt<R!5nGdLeP5H6vgWyfG`j_BOh_q_c3
z*40KwKF~vSi1TPatR`j%nQbsCYbQzi4zN#*L=KZi7o2}NscvW&O6nFk<ABP<qv2B$
zzpvnBx*PnHJxyK%Qk1Pt@klKQT@<o+bQJQru?lo_bVW^gc^rJ?zsE(O7rMn{)G%X3
zETu>gwb0beo>lO9jpM<*s*Yy*{*<0DAP)1PLOBV~zUIO#FDEZ2Hzy}Mo0x>8+yDCP
z<OU~?r1<-gpANE66jcRs+)f?m#Hnb12PYmWi>hD7_Xn#TJ;jXZ$$wD)mZ6j7oor9D
z5qV9(LHllt|COUeOnV}wizX;ZU87ucWHH&aa@nS7eqn*N<t*6P-l4ks?epZ!VMp0x
zzdv78CzH~V;!2(I_Be;Kqb_&QunD<Ma}zY@61vgeh4~>Y-AT0e?DU+NH1C&>m$SFG
zhsXR;qje$b&0{TFyc((Nft|-~&(2swB~`k)879Y)q|CuCURYyT=i!Xy(seAlg4>Yq
z#)@jjeCnKLrEdB1>`Gq-5ppW3Nl3x&Rv={ATu;X=_&pvyf2W;t(X&)&ebri+gFeb?
zr=a*mQHY#olSF6vpH7tWl*Y}H_rub-ksT?h6CB++V)vhA8sRv#l`Ox^7m^>PwI=V5
z^o0tVmH%$N{()x^z&uv_dGZr6?Lt}a7pd7+Do+G|6_DniudP)Q+thm;-Q!2e#%c#t
z#7G}<C08#aBi<#jy})21pLhFrteo5tP#pb69|`}Ne4~6*`#o4@P^7U-Y{c!eCzh59
zNJC2()HFB0{J6Y+HnB65aCdk23sk$HYhb@+T6oc~(m^{Rg38(>-Pk2#akDZ;m$y%W
z#?YQFF${GQ?EdRMImr?U%*n;-S>7l-=vq7a?j}SW-5+Nn){A$|v94Q(&T<g@q)|eV
z^T*gW_&ghn@vUz(kfSnIw_~Y1JsH9R-_cKn4W=M;?nLX6axQ;2kT?6H`?=v@o}0UZ
z=-$!R6=-XV4Htt3QwyVMLerm{a;VjW1y957I5^_HU;!(iG0>|7UU?N?XSCD%m?8ry
zXwv12*UB1y+s!<Wk^fW#t_iEK0N4u(IfdSxW1yqQvmxeXH?EwLyael{i)TqRiD9UG
zY=tAfLSHOV5)sa}Zs*hKTf33pQln5Dmg0p4S!rZydqD2)$j?QuW2oOxpW+2_BI$X1
z$dbQ5+}qn5K0>}PXa%CtQcY>>V95(3mkwMp;u9@dNJN=4k+KI^Tz^1b=rR2;jKxyV
z@&YHMQZZYLRg-jtl!W-O_i=?TZHiZwA~|Y23(0kCMLJQgHE_GV3ox&-I#$>RT$PFC
z`^aaKy;}TT9$qD|>Y>|{bOZL<=oYoHp&P#FHZ}uq+ecLJV$Q6EDnP$t&Ih+Ip-+Ha
zymS=Pv8Ki;bSM;K?iBKc<>$h-$Oi-z&vc|x7H1rLCMtnOE8&jjpq5sq<pn1?%1?Q~
zZci$bul(U`n3T~=j9jv1gTm3d&v9|LAP{J+%K)oVlduxBzx)@a`h(Of*6^HpbI7Cr
zXTH=S8h^6LW?9tT`Q1j5;~|ivW39rp)`_V$w5M@LwLz2FvARaMJ<yT$9t*D@a9#qK
zn5@een>1DqJH-p&6%ar~4%tpokRr&#3Hp0|I2Dgs=pLK#ty(A*CMmY?p!BCCM(lL$
zB;lKL@RT%kaMq;A(@9GEMqFDpO9tBquUJv^HArhtH2+I!tsrNnVx&e#hX5;zab|Ib
z2k>)$3^j68oC{V6v#1OA!7|%Q`p=!BjnaA0QGz*k{kW!?yaoHTWUb9g6Rt-CYhj(W
zXEnsr6CLAjgOnr~D7wneCj>9hW(9odI&t@1+$gF0+y5anqqUKooX476+^ZdF!Vt}f
z3tJ5Wxu`LY66=FNASA1S-wcFPsjI4LGkid2c&6{MnWmX*e>Sh=>=aU_i;8{{IIT1U
zlM?S^dxVros$$toTzAS{X<f0^n(j9AGy*#jJ~|^_(76ak>ldq6EZAuOAQkaxY-m8s
z9C-0UJ0#u1LP`yzlcxOB=68}K69u5lu_pE8|IE6-P_yw(*_ex(k`11RYU|t~UK3ib
zDb{i?IYgsOBteEa0(*HiRfu?ZwiW`5ri@+3WU6hhL~xv~_4OJ~J`+&q({I#ML^iD7
zEI^j#xZbH~7@I$WGH1>p*F~c9)p~Vo&$2ytJiA&IwFy<V$<w$#2@suogoUKm5L6oA
zFAbAHi19j4^U{OgjHZFrxMamFxJY|CHsLrkM1zcxeZ4<Zo~4#p4Vt_Hy!=hN`<yHn
zD_gG0Jzmm@Z28%_6P4iL=;)KsMh^NRZEPgjc7(Jv0j*XJdTtI0bo5&7oR4liNY+ZF
zHW9CD<%iUBvKVsec4~S9R^mG|pu#w%?)vWyI*S@tIRo*jaaKn~R%-``>X1)@J~xLi
z&%V%(j$_+nu4ojys_H3+Ce2HeZ;MyUW6S$@LEo9H_dQH1PY{_O%JUqyent^}Ps3BZ
zR6!<L-B?-D34}ZiKMd?`ZCy^0zX<pYG2ZlSk(U^M#JRM>)I7SH0P9$-*sGJWq4%as
zViBnk=OMUqlFZv=83o?Xd2R&0?ha#DDQ@bexDc-mfbdYU0hJ4+-v~*FiMzZmw}(gr
zp04v={pPw%CoQLg7HgO-BzKkgwngAPM03e6jRuz@`hu(wKq>RjQ0Qcy2(%CUG+G#e
z!RnQXhC*e&zy@(vvR&MJH(%0Sk^3Jkz=d;E0lO-sFO9|M^z`)QX>^jsuq!xo2Nm%d
zQr_eWYik!G7uiVLs_HaCt4#8`0)8e6?|E4#iM4uZGvODORUp&8+7j$xubN3RC$`x%
z=7jCx=jDAmHhS@KhTV4xUr!}g;oco#5LR&5N93!v)M7Fma-lS9?L&$1CA^fWQ2mHf
zt_i(^kP7?V56rN9`B+z2@YDD(F;4eAWt&)X_?9YPlyak3Keb~1_e+5^3&otX=1xm9
zh*nzEk{Qs<K6Q@uGVR8MoAaX9z?zG3jy;_*18Iozu)}_EK$3_8uUYG3gHgAix0@dm
zCM)rPcEwkcCK*2jiB>H-xPKCeo&sc^vh&9B8}zmN@J~%j``tDm!!T9&WW2JuLTQY<
zJ4l^%*!`DgFrj~ttajSQ-wZbcq+SKOeBi;^`x;CbF;vIkoF({<>=F22ZHF)9+CAHi
zO-*RP{j;;Pt{F9z!MO49rnDNE6K8UB6D4#DE@#oYZlG#fVwI4C=t@x@v*kt*mn9XA
zjIMRIJ$F_@p5V*laSe%JD@IREujUT{OeSK&n6yZ3?JY8*pZS}SX{X#s#c&F}+oNnx
znjgCJaJDJO42{AB#Z4XdjiKb#7*xdby9Y)A4-x0!w*%mZn5qP<)U8ehDjiCKVoNi;
z<Z4$rdt4Ag2^PA=!Uq{5dyWR^?L;RQ`Ctpcxsc8MCqmU~ATHwP9{<<<tQzp^%Sui6
zqm894(GEGFjt8s78B6em-3GHlR`)=jVg^QL)oFYAl#!K)HDX^b`E$D*mUD-8PBt`}
zbdlUWn|B#%*#C0?Cak}?yScfcBTjY`c4sRjVntx3mAGtqtcVg)!agy+buFAr)qy;3
zD1h9$T{Boj#A54$(PYkUm2;PnRwl)njs^aapQ1^9KnIWG8f#LsfCxX79E=(i_Bfu!
z6EQSYO9Jr`x|(poUbYE7pg|BA_v;Vc&LjS(>@q%^;94^w8g{00Ra404OiCw%b;Xjp
zy=U7Ehu)oiUtl=YOj(t*IVmQt%R+#LwQg1b+S|u#Fxyzq!|XYDo~<#nh6{fNPQBp8
z#P=2K-Ev;q#*G%I%%#YIP++3~7ng<j35L&mEP)TujljWd-+%zN0s^6Uw{1FU)!vH{
zGY6iDJKKx}P8VzXG}|KBkC0m4I_JdJ0mTfqwON*U*$+5moF6Up(ggxu9xPpi+U%6u
z4P>2#WcyXp2f(i*#>!Q7UY~$tRgGjuYp*W?n=8;e&jqcllXbvAMabZhLhj&|@(s{*
z6{o{xOly9Afwz#cTu0>TzHe)bJPgoEZ_@vwn|2;exoU(G(W~eLVucg4gT6q|U+;%R
z1Os1)MYQNN5Cys$YEs8PbsP{!o|l{WY|}9ZgXZPNEkILMeXP<`Z8-9b!Y@<XmAO!D
zZvmPEJ<k*L2@_B1^i48&ke#E0(DU|i-pkEUsdAp3gI#r1qthTEb!$cHNL@CaNw^}w
zEvcSdeNeWj0IlKYZv<PHNLu74K3i=$+EM_SMtt2V{R&o$aXA<~$p{o<{><09`<XdS
zZt)$r?X9TmsvXD}t8eG-WC{O#z03FVYL5ln`6~p2t8(Skn29@!G4Y%hh|g`MYoYQ6
zeK@}_p+y#HxD<(B`$%VQ(iS?NSM(0f!_y<r{}M;-FLpd~@M<u<#uc$^s=_7F2#rj#
z)=fxQFi*|Aa?67K&(kLR?p%ZMjT*$~K^EPkTpW87<?kqXcN+1&!Cd)<l})--5uN@}
zbmB_+tYz8A`AjZ?vF4$1ES7mJs^O+rqzNQl70{m}zVB`mqsNd<5WmBh411?N7hF!v
zJLHb*sYCeYogyOH3&GMwnynKxsSK#Lq*0PIlfPzc5pk^~BLLvlG>0YC0S0$W+hMhF
z>a=QVYbrXFbCElY@h0<|43ici{$gb~_P{+pe0W&u@`cit(pp*`Jg@)R6JR{&eYRx<
zl{+&k!{Uk!maVL=`aw>X(u@MyT3SMSEW}Va(~jH*Lji0he+;$$WLp!YMb@V=WP8K|
zv38tsO7n7PY1+IKG%mG<<xM|_AC8QS4DLU^te@>fV1WHzo>tDmAy47>&SLb2>ec;r
zP>ZyI{xtfFPx5V44bFhHhtZ;09&MqSDI=>W16JnH=d4Q{=G#n80IDc*UR}?+!cp)P
zv$^=KTSW>&$HDpe>9<WW)i5NKHq;tYlFzqLf7SCO{Z~eue-gJ~MYU^I-sJJcBqCpT
zS6gh?!#+d|5}{D5Fw#379-hoNsdD`u0mMF&G3zv{W!6g$n$OigiW`fBj{6U!O8U8Q
zlGLycVo$Q$Nb%}o1nT1Xh({l6Z<Bd_UtL`LbjPKFtlW#gGH>YV>2-O&u7@Dr1w0;|
z-@hAgZ*6V;>ml8TIW*^5ThI{>kEex{xtb3b%Zs6D=1+?aByv)kRXUIp45G*Xs26bp
zI&hVK*|GLuB;Yb-B2bY4u&~g7xw>JZQT#4cSAaAYUO2p3dfmTWC5DWO;H>-lRZc~k
zI9xM<G7(w(da?X-mq9+2NnxEL>MC49*O)(pIboZJK(gyN$|~xtsV(q%Dg<ie|IoSC
zP5c#MIo}zKxYm<k|2>!r3Mdmiv3<+T`nU%>1mRQ3af`3=Fapj1&s->jW{lBln`YT;
z)JZ5vQ8=<Jzr9?g%Ng-BJ+_5e+CGe=uyd2BfXMazpXaX6!OxHD>%yFjfR2wTBbsu$
z@K}8qQvC=5#~_d7?1pY;gxVsX6mSy#qNJ;sSK`t6b_LBEMe~!29Ru-fahrt%>>ft4
z45@T$JVJy6x0a^n<wfn}%SOP{)_7LSqCOhpGjD}4*c&RXdg=Yf`P=3%64nea5k)>>
zKY2MdMMsOaT?BD^dU}4TB+C^Ec!DFgb@cRf1)@!(3v=aC8Edt<Ngvf&Bg9k<uQELO
z#<mFje&UXhX<NOsCSPBVGi>A2Vp1G-d^8`gOJbW-{l1LM_Ko4hW6q{<$%d1Dhf@Z|
zJfmhV!21$)sfCxG4srL>4u_oN#IB;IgG~w&>d%F-A|5|UJ<ITrt)ru(rK2Oc1`EZI
zXSeYjB+c&%Nl<jCq6oi`&_fOQDPs|ry2|tW<QdQ+J4XcNT4<uk);^V;*<ii@Pjvj+
z^788PvK9BSd9`v{rq{`hb4|wscZ2Pyw^dhFze+eaStAKCNmsygvkdjMSY#IeObr}B
zMc+cy%HQ4}2*j>H{%|5Zr&nRbY?VGf+a*Q}@Mo2k>Ld5IQHwf`QsFd8NO(}KARd>I
z*jmL(G|~S(DRvq0$LkH%$P@IwdRl6z>3+GYWXbb?IH4~y3H&l`oJqtR$h$#OFC{=4
zept_uQEuj(`{F%8>6jI5!@BT^x8d$81UpRMwjnpxBU=CQ0}eOBn)$hE#o~LD?y0gA
zMzh6GnANVodhJ30|Hc|pHhJGh9I)0u-6)A_i=SJ3e@tCWzy;s)e?N@KHFS5^q4fMc
zcI*y*-oC_EBK<O>l(K4(lb6o0SC8z`LUkf)koXt-H8aoNsyXD8%nBz-WU1v>n1wk<
z8sigCA=hy?iHDhr+yQfF#6>x4jBj2gl&2#{aT;7uJnnOP8R83~dAQz2eX`{wh#vxu
zwHX>aVKqsRX3DtbDlR1b!uA^YA-^-~(KC>d5=++`egCr7(f8bic;|V%yJ>$q?m!|*
zE&eFc`S^g(gmHI%PWpK*VgS3vTCn6dOS;g9y`o%|T%_|K*LAhm*euKX!FJ#>C@$}o
z&!Be0@f;K?aCd&noz<i&i#6wS2Ni4QsFC$TO=E-iw5ka)tMLU>`=K!Ib@{%*ARDGF
z-$w8DwO;vn=90nep>VSdO`!2p5XipjDBsW9W-O`297BSwPvY@MEe77uhNPb~?armf
zL506JvZULe^B@bpY8t9{6|!iR+!+oD-)&OZs6mQWB*u>7G5IJ0G_(4(bAitbfzSKL
zHMzpxtql!vU5LUe)k(3Ry%}pA%Q6C5cWL%=?QBsr#egNJ0VNm6YJTFE(ywHaFHB4D
z<Cj%DxyPkhp#Hn&4f5?rQOM~sgY%7Cn{MTHmo%dEX-p-&y$;fzb{@}L=VqT$+SIGy
z+LpA~FMl9OQ6`HhYZC1DIHxt){jhIaTe+6A=2Iw~|3j?mCbXQ<awqG&ie%cw!Y6hN
zXo1clcUOKSk&{P$8qC-#G<{2tU8|a)tAku5fhKQvLh&A`MqmAdP#aoTI^gr3Mgr0S
zes*$l<1BJ3lGVLuKIzS2vk-kU!h_;wM|O6>1@~QI!VWTJnFqH*_;*YFpaU>Cym(o8
zn)5t#jvif81RwG(RixB9Z3XjHTQ7g?UWjVD(N-NS6;P-kc;}_|@?W-v8>>{Brh^<E
zsvGp&sH~??vL&6j+77apOO9G(!VKUU4UI~Fa_6}-2lfjZJ=}`MB88wV<K8e5Y*X5v
zHvY|+Y|1)E(j(&#KB~~t8tii}RrJpFS*!l=71+5HZ@y#wJorkLv7Q}^vUHhv8jIb~
z|3;Lad`mjUc{ZN5FkY{2hACIsk#xhcF9z3{(j7e@%00(q*}v2I3RK%S(!nev3D-;D
ziEL&%<9TLP81WddZ&Ea|ghP5{A4lfAQu1s(eOyqE&NiRfIFG4l@eC7szo_}ezp*J=
zaV0)oWMtT>=Qjq$`9h(Kpn$uzg|`a!_}F%FI78(dcQh*Oj+!(BSxR&^PG#3jC=mbY
z(d5JikKENb@e7?zObjjIbb(b+Pj_|&oN0=je&yU-tdD7GYC1i&mrD>P&dtt28+<?9
z(kCjfKReL!XRpMM$j;D#p`oM7=bq^Uzon(R5NM^iLG*Y2J>*{ZCD}q<?(Ss1fe^@U
zgkz;uY0K>A-l0`El_;b<R>OK7lPmyD{yNX7t#Ro~toCw-9HwlHTZm(gR&l*n)L&7|
zJAyZr5UkG&E%?qul;Oi?OB*rsY?vx|nNy)z`3E1ic55Zj&F2YGgv;6GT{1#PyCC@R
z4vL*euT`ci6P&_e%BQj&yA`=3Z)=EX#s}&RLYmC=zkGcJzto&}Kku)<peyVnn~#wi
zD@Dp%H{jca?d#tcEL;bsn=d^uZ*>COdmXR7+ZOOnAIeut5*U8B$8{vT%&GQIVJHhW
z?nzo{Bcv+qr^9)pTt`1RUGIO1dg!(53lan6<mAvMydf`7t#dZU<h!9#<QGeA*@!YP
zWhF8p!2)4ffx23Y$C;A8GZ|XK=>|*L-UH?}#pB;k83jUIk=pJLqOq`3824^%?9I)&
zGFtD>*MYb7;Ki944#=x{avpJy(pTl<u+9^^qkZm%pWmu;a`N(Wv)x%^Fr>1<&{WOH
zU_uku6S)szDK_wo{qy^SOGnl%E3O%XkYRG#?QiTyWV+dlv69>xDkv8Wd5v8P)-_`h
z9bro=SBdoh!2&W!55JsD7};}|BYbr=FJ3!R3NM833xrtZrA9kDnd?_B%v(Q~Y|FGf
zsGRviRCi-2poGZJ>o9#+CntV?NSzk<S9y~jBGTZ#_MZc{OKyGqeSMFQl4)PBp6@pN
z?@nh*6SN53KU_G}ywY>b0sg-7rR7mDml(UMwlfCQU%apigK8ekc@G%RlZ*Pk)Q)gs
zn<~%gTKBB39w%#MeWfFK%MIbRkB^hRcH-_XQpZ6>7_6qv-!zc3xKBXk%?f7p@_Syr
z(mxYf)l>+pXS7kkZFH8g*K*3KgEVkA`mVo?_3jCRQ%G!=^&626KQaX*r3U5n7mkm|
zi98=E*Oe(i4jN`$6Pfw^wA-)kM&Jj2@7a>Zh<+bNXfop@G|D#WC4fE6-#FK(#O$DC
zZjV1+$>z)7-25Z+R$zFvc&>K__?iHyt=9R0mLF8X=%LzQsKaXEY?|7q3r;>1tLkds
z0oo|-UTUvGP{YYb^MBm>6wc{l<6phNAgp78ec6Ua1Yp-o<fbBeU7X$MY*$v)Yp^>q
zB^^7DzGOdT=Nes+^}C`F`un-L`1!Hl>|2~4@9yg$sC@x|q;RVRdBYRYh(5Klq?0yQ
zzCMV&9<*%uHN1t0x=@eg+YCKMYMOJGaa0oSv;d9=p@rZxmN8+D2zueY!6LkC`14$T
zc2fQNi7ziqX<5#(LK>iTx->?=E^yCVQ`!FwJ);OwbkFim#+KhX2_YWR(5!70bdBq+
z@z>GSZD@6H6a<nsqAFRrIA#IQvq0=8uRoSsTxupX=!M|`B5Qc3S%TQ|W_gOwMs&sR
z+6?7Erk&p$yr1sbLMtH}h?=;M!AFXJM;>^+(i{ayt3PTQsplR}e8CNAs+&2=Hp*^c
zVL9eHG^h5^ebJ^ZM`@d}w{viqXV8e!!zsA4zWpS1VWr%^i3Lv&KaHfTQ981ru7UhK
z+}4|nVKbY3hKx)j8y@s+p=djOk+~{2$6z-P=3K<^&{%+DOjtuiHZz<*MO@pc0~E}4
z&g<<m%<fvVAR;6rBqBf>FSTXRpvCqqC(QT$5e-kH9R1<VqyJ*Re*@|~yb_B3D&ds6
zJK%jb+7@j%bBodWuIFWbz2S&QuS%1%(;FjtU4M=4D6XTiu1iRIn7%@OxgYKE?vLnb
zF}pNodV)V0ZXW7Cq4pQ_{gR4tpR&A^poK)OwW{0{zdFwMcDl0M{n;`ze?_*t@3#3d
z3N%NS^(njC^&EJeDr!4@`_0*&gR|!kgHs#4(5HTU!yEoA*ROxFFKGYJyWwaaM<kGV
zR9BN>W#{GHJqq=ahqBf<`S~&gr6+pRnYpts=~@LR61>}5RPplh@N;>$|CK?_e|2&H
zbIw6yAS6XUo({|9%Xhs>IO2E~O6R;kt;x0oS%w$yANv!RF=rBY;2H>wxukNyJ6iP$
z)X9s0o}=8j4l0v@-5|xKzNJZI8>Zs;4~9+!XTvsaWJp)oA*76Q>@9NMzjSxYJ=Q$-
zG|5PrAO{_-t#E@1wW{sj<A}_ti#U!lUq9D=nEzAp)_i$A2EQN=_T-#`bej}RB9P6U
z`^ZJV+jB-3;0|_;HskE0FBl7BwWxowwsWHX6ICRB>lsSCPWwW>r5dX(4J!5ng~@Bu
z{lh}}wFeKXExqHWTweSR#$-OvzDYVBl4T{(Lu}aQDf!~#7fzezV6Rpul9igRsK0M*
zOAQbr{>|b&IHm*aq%tct9IeMjD0*=B;$gY9DB_IOH`rv<fuiQY^T{cwaLZf_-vGv{
zjbX40O4#_gzbgG4%Bh^_@H{uBu=C{aGEBhttd<1Y8UEhhEL%<Buq`j@BB|YZ8a`Tr
zOq?<73GiHYa`D{hk<;(aCS0LPPB;BdC|WOT0J)m+&MgJ|KVxkzXjF})4#2ztps+CO
z?{#69)k+K8*-G<LHlz54hFMn2sq37GT%Blk+qhIA3-dN}acHVh45HLmr<c}Z`$W~L
zL!y?Zun&K{8o#j859=1{fHXovUQHXE9v|TC2WWc&zJQdJltdqUUc#1@KAUXygsEze
zyu`p>A8z&4bo;&BY8i?5+casK8sXQg2>r=yJl79keTbsQR3lPG`o8CqD9o10Jc!4C
z{(M+t3i(^&f#a}#Oq1r_Q{1Q;*)16RpkLB9W~Z<9%dz0eqjYhU8z-T8%LVn5!x#mx
ztNduuHYxU-Z+G3CCiI-o<Sg_~mngCj6wn)>1~m6jPnZqM0e4-J<kDHo9+9Ee17;eH
z<-V<3OeFyzbMGK)j0GCTsa&>NjMrRxjJa5(usK>{x$RjO*M`mz@oM_~Co}d#jKLr2
zWDEmIHo{5tvl;M}ahw8Jw4Pf*^%U%CTk5xaytz(GdW+}~4^N-2(ufGekbv_c(!h4&
zO*bI7Vi-Ea@`}P>`I_84*{qV))FY#{i02UKE+{0Br;^g16gofo=&z7rWpHS1?WA;F
zh>#dOXVZf&nG*On&dh~c>A?i{K9q{F-_pl{NwI$ku?Vx-xOsJHi6$7=IoBENW}wW9
z;?#C|u=>=pm8!KgPU@jraXFOtt|Qv|LQ*hTKPe;4g5YUL{NCT>w$v3XL5F%9HHdki
z7pBv0C+rSL{(vI*-p!fyu*>`UabPr!K;lQKVlZk5x1SKz35>-ro3{F<wg;BCD4h3l
zFa5i*($+Q|QDSKz$e4kn{`}{B$sD`AgA~%(g6vrU?V!pIr7N3At(Ny8rd$;F)~@rD
zsaeAlwkmeP&s6*XK)-~FtVMI_3@mmUTz=|EL8{mJk965b(-S^TtTRDJYU>hti5V24
z0W$^zf}s<Iy#?K$8EumOFZ7J+^Z`Qu6p-JFj79=>@}AMhWh)d+^#zYFn0}}du#k)m
z$DjB)RJuhgSd!QDF3!HQGLUH>&hTsvh*$sfU6miXl4q-d9$zMfLl%i{IFr&NGyYwF
z$^L<Pn(nt?uHQ9}YI@sGEb3*G#X2=J3j-#I8|8xW1G*;V5<uI)!1KyC-0-h{4so8o
zp&`|?Y|?Jpqgz;mcZ{sVxJ=V~A2b><lvjQMqPW2fj^FPzXpa}glvm10+p?Yf&5PUW
z#fA@k*K*JCuj$+7nDmgTbb5DsJX>1wXHLZiq81VC#}u1DeP8QkhJ!&IHRbJ9&|y?i
zW3yC~vW><_xOppy=^q_`m|Xdd99z(XQ+x^$-&JQ3AJ)5C_oda<H|PMaXIsS5?)NzO
z>;Wk10n5%Sdb82(5B)n=IT|BRP*W!o?O;EL<;ozi<|yL-2)8_kZ{!DCqCx9E4#n3!
zRy+Xi%RvC*GG`f0e2<dIQ^p#3AEa(_a=inB{$7PDeskIo>`7{VeDCAF98Dx%tYE%s
zuYSdWUuuXpDU;uHM59=-7ddDlo*{N*i<#1sB-5VEP#IQQ=~T9okeooI6}^G^j}z@N
ze+*8>nLMf_MPgvZPchpvb^YRig-MCov1rUFUtZ7#VH8ess{1UX_-u#~-n{kgh3GaS
zdx|qBI?8}rznk)s=nv9KiEepsGX<dRMkCCCBk5KFOGyRKLe7C+f~j(qa^t|4qL@aC
z%`q~JZTo{bcD}zG?&4pf34L&L`{UmAffe6}u(VUi(UB}zr1q$;gcj19u{-U@Cb8eB
zZ2@@e6i-fszaJqqPg*p@FWqx73e)Op-tj-Jn*Hm*{Z~V-T`|a1L87qM%U`uX<J&D~
z);oB}9ppj-==1ezm_a09O*TW-!!sYAI}4|2%8JwY9^qO>(BFb5%e=;&-NG!p7^qOM
zPF0ZREQQes_ilY+0zGUW*%O@Apn6$U<tEnT14Z!ib)QqDCI%bH0VDCh<f4C^as)p>
z5(1xQ@QnobYI~w<K)d?$ohPDl$_^-nzrB}|JOxiy`d!}*Yuj1!*zuCY(farPjG!gq
z_yXQIb+6&iIh(`Xf7k3d5$F`j8+GswR}Zd~g7j;YyuHd|zg(g0ut?c{DDG&kdE7`5
zCMA<%MxATh->?@^(`p0|Dr7z?9bG3hxof57u81z+^{rq`fA3h9$)mOE0IFL!tu@fT
z_6HyVeq~+^`p0%1dC6!@hx<Q?>>dg{&67f`EKVUl2A$~jk|{60m#spasEw3n$)g<;
z<jqUeH72VWuo9Z<r?q?fb!#x8@74;KW_8+K(D9Rqw;}v9>0H7iA_`sQAXa~ILPfZO
z+J=tn!z)bg=Ys=$s~0QIIu3+n@2-?6W{L$9wqFG<&d$h~l`}`1Dy$0xEr;~Erdogw
zWB@2eeuKhe3basJX}hcFFQd~PtQQMyYMHL*)T<C%TwGgQT3^R{mf9w?ApYy%+^UW|
zW)71!k)k3yBpRdb_QsA|S}7ltho(PhYzu49gfo5CHLg>r@%uu}hEXfTI`+m?01R$R
z{=nF2&n_hYq&S$CmUD;r)>0bE9*q`ienztJ=eJ)G{8s*@YI$Yl8Sle!mSdTVc$W#j
zj1BkBWgFY>Q@jib9wTzA->G~}3~-0@=RpSs)|`VU0KmfkxmHw#@ub%0O^s6zA|KX(
zL23z9Ml=<p0lT{hIW5z8$?w=H43qB}%MDR4Rpn6TsS66^+Uzey+a98dUUuHo1PE;N
z7*p_0Z@l@&wc1n-UAar|FUYB;!uk&QK7G*aJhvx7^>q2`3qCK_Pj%OcmTbAHyaFU~
z!`Q@xlf%Qq^e5J|>MQq8A38J&bP_>6{)x;^)ls`EO7++%LvmhnREU0mXe^ZK8LrDI
zJ|d+D)f#Vfcsk<C-%UXF2L}oFE-NIzwj-w@iH>3}a2rH6*vh1UHtATnT<HWt%rP(^
z1oD&#{YlYrSM&4p*9S(X-U1>bZ~VjLF(vK8f(s#(w?J;SJ?$5-`DG;BJqW-rzTmc;
zBNqkP+u!;1m}oz1qnEWCaZ{oHpqLu@i;n&~0ia?|w`Y9&NtrY~_e*?cIeR%{+jxB?
zGV-r){m~um?cwLz=4|VO*fr-DLUcZ}tw&#-7v^^psCP#$kA+1M^p<|1XzGF9a>t(j
zSo00mz38j;3(tNlUIaBhVPOG&L2IMtVSs)mt#yw)&|&N`+#V%1L^)UR;jF_kS0oU{
zV^5HNB$O10>K2fR5dqh{&Uv0kBfnQdE1ZefK}**tEgg}#v<?mobaHa?@rh3ruYY$u
zkQ>uN2M1Wjp3LN30!QbXQfTjesU_GI9bA9s1*;HEeKzv=$lw0yRg~rJv@S1eSI%v-
zc?VyGkIU^L2q-ya0HWFLC!zy8^XLmzgmg8S!XmJkB+)6_%}~GPJnj&ei`?BkvADW&
zQmJpnzl&IeC%#_r;w2P&Aico%C{IgEJFvtrh1=G?SAvT<{0&!xqKgNq!p?-C$Vu2x
z{D9#k*TziI$mdF&7|=)1Q>$9a$|7>y=(e;r^R@J~wY0SLw+Ag*&71I*EeM<ORsIJH
zC?b?4Uee1PaH*H8e&3)(_NP<caF-E-M39%C{{^ZnA}aDrLmsx(do4Xf=W3~C3A%Dc
zC}`u!Z=C<ukNUVvSYqKY=x+CA9?|8-a08~F>R_>FH`#HB<Fe0{Z0ELU-^Lb~@I5Cy
z(B&%%sngSqbXMEYVrOw8nufN050Dj!EIp-N$X2?iLkJ~mLhaEvWZG3x4<(HeHevmv
z^>ib=su)3B{#LZmuVupU;@B#T$`8X=xRIk5_xCt|adX*E)MQqp3NdlPa?wI&_&Uhs
zm&UGFyTd!acMwrIb_AQ?GT;mV1wUiM-P>iaQn2+44=pmu8S*_TC&OXA<-tKjM8sRS
z(f{G^+}lx#Pf+G<0C;Fh_#C0S!uXo$(winX9HClK9$=TN5Tl39M)qkeeul>*N-4v$
z{Iqa&MzT29AynqtvEnPBS6K;iDb}<o4b}yzUOQLeJnK!MQ&glJs4GF#UJ8Dg(j)x?
zYAntcQN2CwO#U3tG%km!zb^jaa<YBz<NGtb0Kf8E11_hAr|MJ~B3}#1UwN?9wwwe%
z#hmsl_J<~U32SJxg+vbguo3*^6_N70G~t&go!RLqqc)M~%3C9bRuxH8>-_Y5YCi?G
z$yhuZC2b_k{X};lI6=uIXfW$Tu=YDtc$Tro&N`9t{e2p@hPfuLd6~iFPr<mFv;w!$
zZoa8;9MK5s_n%%rpPxAJt;j*=(+k$<q3!5bmP}mQqYG^(&JyHzIKt*jqJw_ykrdc}
zIUbLhUFE5`;|fQz#}RfAbIjLiUEPN6RB={Ziq*?gfymrDfV(~KF&y`gCY-Dh0u?&F
z@&!M#2xQHM?IWvLK1%G{E!O_U%_H@T?%H@UWB1c<S@DIQtwBA{S-k|wopgL%RwLon
zlS45qzfIv?&Fu^++uR}`X8g(T!cdbdR;8BrT5kH(-*1mupk5>L?ST{o9W{D=yxL<_
zKw1nn4h)OyPptHl`bvDYQ5TpJqd?ru4bOjgP^n_L>?@_jYZG+kRkx=lW=Mx;F4J%O
z=RCyijTpm1;Kexp<`wyOPoMum``I{7-VBmP=fR$<a8G8Zk#kW!J_(=#Y^OvKuhRV&
z={qK|911va-3$iHWM&OI4un{S@rDidbcYY4U88rX#yxh4md+d}7h}vvqtoHa^iFMk
zO;?@-{Fbz~;>Zz7dq=)2N$10#;WqA?VVjn`C&!&Cm^KX`yEuTV)`l7snP{`#CFIor
zJ?jbSlTJ{YU|D|aZivt57Ou)`jFoS@n>bFRRh{SfjW9DR>91!A=j*GP{tTT%UCm#h
zRQ3-5)*8XL9AxJYO7rrAPrT*f_I+;lS6Uo5I@f$5C(c`%=68VO1a*F=HuQ$_?2o3j
zCd@&fv3m^*zn1P%eVXdEpcE)A*-iS`{L%~4id`;BRydmovS&cwVG$SGi0f+RJwHLl
z%l3r8kK%HV?q<!{<>uvF-(MQa#!MWpM(CYXoqXJt##1MjFSWaHNpbPEb;X`%SVfiP
zIsmFSAZ*A9$>$mQiPEHwf8b`ej+9NjRK<)e^nB(`J&<95sF?aMCcKe`B0)$+Ov&g&
zbhcx&YTJ&QN_O0$pFHMQe$}PCvGEGW=Z1$_Sd3l{0$&zJwQ5)<CRa|;i;gk(n5di8
ztJQfgsJ$d~>c-87w|kj>7|PGTw=3hxrr|RIdu31+Q1R{+it}q3OoM5$zbe<^w|l+{
zdFW%H*S!W;HT6Xqj%FLW!yELl@!1jV3E^sQ;^N#pc#e%Mofx!YpSB-Ealv|T1rJVQ
zb+O<MZRf{}>$8@>Nv_|quM(Gf&Vl9?d)|zn;%G4Syy;*Pn|-jI=p!}W_~t{>Zw2U3
zDeb{qruzV|5M+7k(Q)1bI2Cu9sxODu<gwd-4D*_v{9r|Y{reZQ^Pm|Q+Gnk16aK9^
zgl_ahtY(q)&cHxF=XLKur>pI~mApXju;+&~BjLcu-Kl4&@3_Th1X=mu=zH%mBU$@>
z)4WFuf^#kL4Bt+|ZyH$dV3>sOAa@&G{)oqhrLF_)vSk+p?5{=HbkzDulEMBSK*(o$
z(M{intAY9X$3UoKV12f$j6(+V`jCE0>nd}z33AfyTC^FgQd>tyM+<mCU#BP4UxE#;
zo8KM4ZI>Y<DU)_xJoHe}M3`9z1}~H?M1FI26E;i}tiIMY!I#G0m#q}(Mh;<!^)N*?
z*9*=`_v_}K-vEn{*@w5b-34Tw{aI~yh^=c;L_5o)@($dc{!vy%i0KJXlP$Vz)sL>N
z74h=|BiE0<JF%OUG*q|-{cd5JtZFN)8|D)d7{Z6J%Ffe%{hgIXGVNHH9{+~~rd=uJ
zW&w@!=;aw&Th(WSH<0u&;iXGVxECU+KVQ9?XK+@RQovENa@_6ra24@J!GlhUfCHW%
zpL?bT_NX6z1tEWBsITW7wKTs7%AuL5Eu@d`*yMAsS7z6Dpp&>L`aYH4cHc+ktkt!C
zc!=aWd%RGi3&K0uU)hzfZD{F;7!AC+hgDyX+;55O`pmi$2Uz|*W?On-DNa!{qu3hG
z+y)<~;Yae8xzkY`DC3AV>pLh9U=y1wrK@mm7$@@ELYH#TK6`;gXnNg-!>;2K5|ofi
z$+TG!-f&K1-{^;!#W`cL>$cs~Q47<_$mv=2fbw+YjJ({us#kRrSvTPZzeRERWv8*_
z9oaz66Ax(GX=O~z#DF>U>Z-z5@`&uBd2P*Ju0R*ytdqjoHE+ts*y8HZ7N%wx$@}VV
zTP$lxva$m1^rE-Fgb;18gW<yP&Fbm{s7=ltAyaX6PajQ$gpV2pv{{xS78bbVk`iY}
zJ$rgN-)EEzoENFXGb$47YtpS*<%s{0-dCe+5{ft*pzaMtK{oLRzHgT_Y#45cpjdr(
z)pGdkstb$t-aohiuci4<p7x*e$sA><rb@kjx2&fQx`A<U8<i`7xYs2SE}}@W><My)
z{$a$OeWB!R1{IyZ2Khk?dmZu%A;KU15Ea7S+V(>RyOST69aZEW69>*rbGDiL4gzUz
z;nC94OMIj%l=Z1@Byv@(9nfrj0)H%^>(BsWRPGtQLRwxQ-yXl$<>=NF+xM)g#ZVe!
zweK@E;>`=3T2I7<NA54mZS^@06*0Y?()q#2ZVgie(KsY*`d)=op}Vo8Ly(;{=v^X=
zC>s%@B8o#C-G1G|@$>V65m~Qzugh>wB?EoVW9%D|X=|$qZYPdwKGRgDQ$FL{PPA9r
z2M+;OAlvYzU4*+2FNrZp;Op6QLf|Xr%FJ7{C?_}9@M{u03QVy7M>*UF?YM}j1;bd3
zLFc2VPr50t+rPQ17ruDRH5jT*;Gr=o^!>&t{E>){WY!D_$cjxyRpNmEWWwpw9q0&F
z1yN<c1ZnB$$;mIa|8SY8+T6McK$9tKqyu`TC>X7*aOL^@!g(_8lsjPQm;R!(Mg};i
z6e-}DoLGMQA5s(7A`3(B7)?~`-FlCSbX83fBj$d>oQ7Q6u##zBH-pL4A!A$bF`A2r
z4d?%&=^UIY|KGpAwb^!C+h*Ig+kC2%ZCjgdb90+*+qKnZpKM$A`F!vBoqwR2X5RC<
zt|uNBL90Ln5=xfFcP&5bIluA*r{*|UEFWxw@0u?$oxP7cC<e~kB$boB)MFytw><PI
zwJLSXG7zv$Rz$BSke-4q(#09xyg%{(hR87rhIc8{tOWs(Xs8sKDz234(lEv=i9t0K
zvYrUo<{b-=b<`tmy<OyM(#z|p0c>Up4>2x@#hV!w(+gmk_T%QT=i~D8{Zi=t2{Uu?
z^s&p>$f2EW$3n5OXZ>e}s$t$$^o&~^JHtY=J(2Vv(^y&Fnv`=sSC7|y$%nqbp00I3
z;N`{T4hxN@Z2Fhkioct&C~;S8`?qA5%prl``aOF54UJnN=cXDOrR+?#3A($1R9YHt
z=^l?`b8|D}ht}DF%(O=OIO--zr{Dd_rO@Zy!PM#Qu5rXyGA3mLC*`ZpQ5*t7a3p$v
zo#8LtK|w3zil;xj=MTtNHsyM%F(gz3IFN^*U#uLd<|B7GW_fpDtjsR;`M<I3EV0+Q
z6gu<P>wpVDzX&O5tPJbP5Swp%uLtx*ErAHM0C%6^V>ul<WE1ZY?-YI4?Ol*3UHmOk
z)G`!#l5J$|`f%jj`NNq)%qw2^E`Lv=h*ZtC-@o#vlmoELA`b{i+?&}Sf>nI=ICYLB
z9#!Z$QW8LnpRj!p6{7--f6H+A2qyi;KoI_5>@5n%xS`5gUI<G|3NX;jYqL;c4_jm4
zUGj;ACd85c!pXDD|I1S3CObY*JraR@o#0Z;E(kxC_~S|72#uBGvd?aldT4gt4Zyd+
zn8iBg^VL_f`g-r~?2gI*{nY<$#Q)=FVg@!WY}tNxG`4_L+kD0{L1Tthp6_;mY)?Xr
zk8OVM1D<UoxNBuaPzJkRX0jq#b4laza%<qxiRN3Z#W1%JpS^x_jHq%j7@;L4h&1Y?
zl_+lY+jBFi2!$8`3i~QghYPNQ_&x7KZwj+2CAxHIqWRY*1)1Ex+-D^v8IL2bUMfqI
zni`Xckbt~yJAnjAZ6i-VvUKDVS~_r;3^p9tC$Rr=A38^Cxo{Kx`UaZYB1sqe<Y7!J
zsLGkbmc3ATo?7`aVlB;iZ<J{mJkPKLggy4oGdMpxJG;EBv9Ap3=)>X3h&Eds>X+ni
z%7NB*_(36RkYnM_Yp>U{vbMIdx@pm*T?wIGeh2cD0LK{71)ZA3l+Yam=%!wRUjKX3
zQP&hkBZb05<fDQ}U`Up8n`1gBPhxnZe`aMR=5E{J*FtL2u~QeX?$GXSM&RgpP%Te_
zSJxr}Jei6n+J73+0HgYCf$IXFXP&QTux8}gxiZh<q^IpxZCYW$OX6~iiyFn8MlaoW
z?+1*%%@8;*1BE~M8%U=x8I6)mdkSg>)3?(GA?NXUsVC;teDkrmvgq)zA1^m5mg=)f
zW!h650~Dry_I0}Ja_0n?tzX`QpZzEO&r|>R*PhRj<71u>WYjQt8B;9Qj7=OSZ9+b0
zw4NmzetOS+ZxPgxIFo-frkHVQhYfAaHmpg5BP?uF1faGk)VN-)S><;>l1A*9Ln57G
zrG!WQ>o_pX0U?fgr=32S2_4ov0cEeIERbVZ-q*w9uBGSwS48Mwx(U)0iFey>VPR0v
z*Jaq6YTmMux%3-=f)Bi!P~r2}ESp<yb7Fm*eQl40*5P#GNuHz3f#^iVj@yGNLcFqX
zf?mHE_;7G!D~FD!RC&hr0S~s_KjZ~3(1nt@zvDDU+&8&WvttPhCX_cEqnD&>@E(UX
zmV~OZI_Z*z%jb!_UOxO5_zawbl*mYm$l59xau(Xcjh~S0YVPTQU8B}I`lFcOZosCc
z5(s&QJko{YV`~Y(^Mwryxo#ZGXePY(ilEOCWOeO_9>N8{+cM7f>So3J(t_q>xY?Fz
zSGN-@K1_NMEAk~iDcirHv_26(JIv?dgs3)Lz6MuArpiXEFgN}EKP`Z_w$iG2oQAQK
zz~^v!_{QJO4JKCN3?a^NR1YJ!MlCsIsq>BiL<pkQiqYA={>fQv5l2HSKsi!Vy=6bT
zMm;uqeGQ&^Y6ZM+4;YH+@tv7w%3e&Omh2*(1398b_Q>{rvvR!_0or(YU?l602cL`{
z$-kq%BpXq7NA^WHGN3`T#QY;vD32{ZlT8Tv@9Tt1pXuOfWe*Wf=QCxKI*7iu@bPkj
z3Hbz%XWLlJKWJ=%KE1P<(P(jdej_v(ZRQ927vZLG7so82MNUXqg**04v!^)BiSpI&
z%R-(9TbU#qH<F|++qLx7eVoqthjK4ze~;I95Vw*9+_DnW<vjVeU@L;o4Sdx1PV{I-
zrX+1`eX$XsrzOnh>ym4y*~Jf8aR{7vWcjJ2++a#+mf5$usD7=2L}gQ!LzA?e#oAeo
zZ<JHO8KTzzHt|3>BU56eFmZ?&CgkMA^nDMrHX2l>5p{55a+$AUfmO<$0KP^k`yX#?
z;d8a=;wq}GO0KbTjS=}TrR@u8uLSrqfJ|o*x}|fJ*RpS|vA>Nm0dcin1!7mB6+?&x
zzw`TsOB<r&cQut?r5I3AHd}?t;yj><qZxLI!)!@y#0C%1rU%Kr*DZ@YuGXu*a*N0e
zH`BoGy}22j;n1mfyPzK{>W?Sj2Ehk7&|Z>UIxw3jG|1;LQrL>6!UyMEPa;ZXA0uI;
z+O6}4h>FGwv$3;(NsvG+R*8AYu}zGwgR;)s={PrC6-0vt1rEs|xlOy61v!T*tfZ0u
z9&Em?-)K8|;N}?k#hHJWhag8#LjITO@SS1QFucUZh_WsLia$}64!gEQ;P2GPOoeKZ
z`K)*Fhl4zKigqD(Hd%ie!74basU-9syl`=xRGOuuW1w%cYJzUZyQOpyUGg{P1Buh!
zF+JJ(ewDLuqx;0|wObM{O;1r*Or-+x6En4bvLROxvIAkihg;w@{&D$_JbZ<%ibYh0
zZpyri$n&Z6mKtN4K}Nqef;RlX5nN~D4M+TwMU?f73U?|UKy3Dvg|~FY;-A%mN*k8M
z=6Q@(Npy;JFgd4?vbMu-;4j)JCNKT#x8oE8X3g>9Du(r|D$Y=Mmm$yIGi39ewm(_u
z(qS?r%(74Vfj&*`l7=t_?L(lxr6lA}(qa|r&kG^Mid6DU0wfxUnj+;U=r-z7mD`2k
z%8&v!xqVji1^X&twF-6J@#^Rnq!NThS7hh!rI6M!8+MQP6-!^RI7Xg>V&X_*beEM{
z<*hPj0w*^dF?Ac}d!(Bgs$q8)q#Wgv0=1KULcC<)Qe{-_{=Z1U6FkORxtB2GDt1e)
zz@Cm|ir+g9y8^8bs@l&^E=<6V6_jIa6hzOfNPY%%YS(@w8gx5x>LOOUJGMM$XUPG2
zHWUQ$8~xHI64R6U@7kc8!?T??^ez`FG_9?zYlHhuBp2Am_knF28OPjwjxVST^gsyC
zm~SnAjmj5R!MVxJE+L=Ci!LB#mW?z8zBva@lqE$pvXtA$^p#RPe4VT=`s_I(Rh@`x
zdY7KgQym`6Hu(U4+xyaqYgtGXICLcZ$*q-&*RY<5MW4imJKqCu6Ufb?aqETbB{KMa
z5S*e7Po7O>1=TJ*f)__K42e7#6IBuNJT;Z;mC2PbLX?h7wd3{qan6@r1*ApX--aDf
z+<NqETul%0v(!3umPK95!<e)CW1#$B9o*R&Q$zGP@XmQD3GaEyyUDb!<*sY16sr&{
z7<Sn)UE5G{*v+S*A|T0DD8&mub^vP@q?L8F`W^<J4HIqk=O$)a7}7sHTZHYhi8AAj
zBjf!y6Yji(tL4<jO7=wSPHDDoX~vBjTKoCXDm$f?ASX@yuZLAWkqL2u&*`Ux1hSY)
zI{3z2p$a;(N-%|}^{RA&|49sc2?`QMLlcN{eVAba=#}3)NZN+EPuZwoE=hjhv1$gT
zRA>aVYx;GeWcOu;B$*~O?y)*-elz?IfI@$+0vwXRi)6mSHhh}!^YZe0y&rHa>ey`6
z9X$J<b&4Gn!&p|nkvdv{{3$V6;1;K+FQy+9+khDkWrNo2i99y_pK|Z;#OM>)MdEo2
zm3_5l)j`NN>LT`Ri8#@p!y&14m5VZs0Lx~kHQ(DYbeOneZ3<!Qkkf^~QGygDOfLs>
z<r5)xj+E-Me+j{^ODN>l$<g7dCaBjyjOu5&Fx0(`yE&}8l!~Q;xNWjrNzWI?S7Wbb
zp39pL7g5FfN&D$rX(vcy2<sHAN^V)_()3fsvoM|xV=7B{+=1@6_!>q=^5Cn)IRjY}
z6E6loDa;IZ*eJ}5F)6#$wm>Rz`k$9FnXmlr8D`+N75990?wlGsirKhd4J@Wl>BjKG
zm-C1ag9KWWs$dIXSVvt&W1L-J&c`o{hdtl@=&9<C?NT$Rn&%I-z~WKxn6E6HX+vWw
z^4(jMQ;Nc9yZ~MRLo{UqEt8mr>m6@qGI|P5om1(i4wIyISAlp(_4%uR;1^;VVrfT}
zrwqhF%7P?=7OOGhQY7c$8UIhP9A@lpZ%wxeM^jy0r-tpB$1pi`qtm7mDqGjxJq<lg
znP@Dh?G(gpg19vb$tMHzzBBa9V-u2fY8@l#dwtU2U`pmoi4s9gJ=RsGCJWfT-Wt26
zk#Obd(Ic=<B=1P2_!G^8PKV)tf|EZ9Pe4u)<Z*GBB(B(DSLd+HJ&H)j^$&er9PsQw
z<iFAKRegdc%>Z#NFtD-hI|qKTUf;&jou$bn`CbNF##q`%#1rE$O^!C8QW+7fwqM8Y
zZNf<MS)X^^ZquxThmVgFINa;Fd7(OLmDx1@`rP&g;e@J#VfDi(oHNT}1|c``dU;2r
zj%%E~Z+xm`I6Z1keh;S)wEp$Q_qt;D1-VeASXO~pncEg<c7E0p`cuKFqCf*b5##&X
zEmW#B{8fgp(oZg-;7=MsO>xQmbP?rmqdps+=0rSo1<!fZEBQuIB-e99&%YbmhTBOu
z!>8!q;y-T=(+^DYS*F*m7TX)TvE_Bq%_mX;HvTz@tOAj>1f3qwH{dt0t<z>8{0Q;u
zG@pGgV9HwN0hiHiy@2#hR%_0@zT@44H3OK1J#nA{CG%RBN7?0v`Z5SM-4?4Ht;(C6
zwOg-xRZ1z&rpDwdwO7^wY2s<<Vu5%92|Ffg6F1JdNtA6!L3;nJPQ?Y5{<2XbVI<+A
z9q5L);u%+U+qA?f#cp-_-hOOvmwR(`cMF*t7Lyr5x4>v_S#Z)VL}C}7V%anLjH5ay
zwII(}n&9no@=F=!qs(Hc-JtdpVz=8h75$O>_=4Dtpb+7+FK@rrAOB^;=k|aY>PKXp
z!h5MlPa-1nG%D@`PvWvhd6fLhwgElNrOd^)30AJQBV(bP<Hr6qR8eF_0!o<;396+(
zS$SQ?bN1Bfz?xIqn>jA=h$r1ie~ntWd7s`z^#t-u+2f&pr!fhQp#C3lE*XNypT6fZ
z6`lnuMJvf`B(f2-r`i@r*b`eKW7Nq)Ht#BbAyiYeS4zuuf5}mmld)B;pg3rY29r*S
z*n~BuUe(JlF7xXpsPB}^zPXtzE>4L=@QjPF=?`#xroh>3EO72%itD*2O_oJGa$y0R
z9=NaKIobB56T(fTt_!+~YT>+mO@N!6{~ZLM`ZtkEj4};VaI5i-B<*$M)1)iYw6@63
z-qz0Ez90nfVA57h*-q}BK6%IH9jenL6wP>S<sw(8cc{&wvtSjnNs65;DkJ;j+hSi{
zCW*1f4{SC;!Qm;d`xlO6et<$)A^N1v_0*cQf7~CTBq(cI@~kG;BX{d<z^;rpKfdSJ
zrk?fnQF<(bE1}kqQs!LBs6(>4=Rs80)TVK@^y0d<I(XM4xJ6rmb%9>v@jX=w@-2vu
zkdGJ0*C1S`_6<7wY?tOdZEWs<QgOrG9XS(_-p_tG8Y73a*DSr-gl%Dh>SQSd0vs3y
zI1+Zzt7pZQuz~8@EZikjX#^x1E)#oK-n7qu{k!sAg6^rp-n8r}G;pCuWw*o_5uSeS
zGK=XQT5u`4z7PLp$ss}*vals0$)LK%Bs;gGa#;))rh-$~QM*UwUoz#7B-}VA5}l-a
z>iV4ZbAAtwk#OzYu%dV1PfX%3lS`PQhQ4D;i<g>%9Z7JEygK>jkTzYllrUb0rc)t&
zQ_@c{<&R{$Ff!Yd0sCb80iyx5HDpSl(V(IdkL@uzqr|-CH$OOcs<$lt;K=;@+T<qf
zJsZ8U)D`jc+AyV(J`WVGF6|B5`zD@8bB$V%cGoy0PAT5hV>ZL!=UU*O<AJwYClX@f
z9^coCt0OpqpNHj$3Kig<ntLO+#HQjBK-V_F($!nw55w(cv_hD3WQaVqwGW;)y*^J}
zHlbT~0d+sG1bTC4pz8ojX_nYftqea-26|Xe`-w{9<|)^P-3-Z?Jn`gohxJE<*-pgm
zm5LX32es5NnZup5QN1Im1?sOA4+sxt#G}7+YRc2hLv7WC&H;9E8t38y79Dq-`UV>d
z$haa)UDdtqESZ1xzkhe`7lk$L?0Zj)QU!@N`jcbGbmDSq@75J(g|3@x!9uMU6}}w*
z_2-HonMOPW;mG(&5lmI1_vkzt;fa1ZIpAP^bv5VM3{BUsY`)>9TpFI#lef%(wk#eE
z><-V=se-(TRvlJsGd_45#zS1(L)^5WKGN%A_X3CdHP_!jiM+N{Og{}e>?@>ceWf-|
zejy~uL}3g&Jp~->o+kX62NN2zTcY4DjS3kKGPc#6>vS4RRdRfm^BBoO@DGf}U}WM;
zacWvR4{%zrj%c&x^cZWv&RCWQ1?$Z9<H`@bZ^lPHZHfwYm5GTiIGz@g&LKy@1(5=d
zZn3ZXB85zx9-@B-!8<NdtFG$c!EYJHr^g@lyRQ-<YI-5zPbo%1Q6$^CMTh-}wZo{5
z%)+bA;>RIN5h7O4h6-Uy89UzOu00t`S1FkH9aNV}m^me->M)kSUS}<`yXM0s8iL0~
zT67qoXXB)lGt2+E4tL+DvW}D+4!o9Q-l7@6)>v5Qw?hnfs)gnPJI`-dJPg(?hfs_H
znfG(jWYg-4W_5m&2%kJ-+#Cgg#^#4XJJfGu@)%r>OKD=c%{@;`PlOsd+Ev<B>V?ap
z>Qig@2m&@yOFOS~uf{w7fR@z?3x8LMD+?{^r>3!{s`DBI@KceRzusW?efwv@S^HPh
z8XHg6X~(7?Z9R|>RGlDo*2z@IyEBOQwKi6S?W@1(OzCJ5Zf2Psqkmp>OVWn~zENCU
zESN>IhMRMt-m}r&e&TXn(9v`nkKAnmbk5wxFZ*WHeFv5YTK*kQZk6d|4^O@7axxoe
zauXvZ#drnL!HPei1S(q;)T}8)9Q9T+GOmJMZqTn3bYvxqb9VJ9H*t+ljD1L+LNk-g
zxlEw<8_uA&^-V&ERO$qUTMixS^#5rAuD^e^CNG~|u-<?~N2BDr?%qh`KOl1AK)1K(
z!0;c0L2$SsOx6uytyiw|ZDwITAhs}CK%|av38X$U(>o7~ouQoo*R3O8)jF<+3_%yS
zE1D*|pda%MZ)!$HUIS=x)5_R$=6u*#KPp46U8Qm}{-#q^B`DanCRo>;+jdCpsr@Q}
z6o2od_cM|6C!@qY0kuYqt%Kir?XeUaFP?TT1^rZsS*7o?xjXOqd_%*0!>wXz!`vUq
z1t-SeXdIljeP`7hOn#Nr3esJ>&`nr1RW)Gp16LL@eF&B!2RhE^S<FUW8{wqS`@nDd
zk?I5W%n0uD)Lr_Y08=hbFm;LZJ8|*G;BOEgsIvmd?Qr2$xz57(E!u!ufS21!-%TU4
zDym`PLBhML3C0(S+%lFs^P9<oKGH9zvRU$`L?l4GgM7D!A}{4(^=^aMg5vw0eG8n{
zbeN|a-GV^*pUw$Cp@2jv=cA_DW6Du`cnn!auW>xILpPCtj)nGVvCNAJ5B|X_*fl!M
z^66nra|A^ICl~j5=Roa+u?1Y}AT>fRj9v)hU~O1n$g3bhj2uO|2)tJePAr8j{G+nb
zpH>{9EDgJ+32*a#>a8;zbLESQHCoX3K<!rD4|+Y|#Qk2?^!~wPrv~F&XFftIh%x@B
z&~MFk-5R9UvYPd17pm?%W$(Yx=Q92-B1jmxzyA$UpQ%wO6yV2E>E<mFqaWVzoes8T
zCz$WZnCmCa_dQ8AdD8AvN8+?_5&2c)GP={i;b_C$xO;fGI63j+p&<HqZ*=oek<Ja}
z+iv5Slv}X}Uz7I%6Ngw!oTl#>5<7BC8MC}K9NjSepzsTUku5FF%`Gk8Pb8ZEYGhp^
zf0i%xbVf@(OVIG2-xS2uTwr74+w1GOu4)$UjHdl#=Q@SianX32a=gxF%uoLK&K10F
z<hEZjvic7h@g-WC*N|NWUbL3Zp;EHzo9Eb(hKq&WB?^uA>)7=*%f9$kUvkTF(3K|)
zZiEcf(y^r5j)+mBIRmZ~X)0<5)gNqfULgHKo!K=YFws_e%v!ZB3Khh`OcjFO@OR&Z
zuknvE37<Wf=J%Fu+dFAPvZ>h7{(c%c166K7V;7=k=(KWiVW%p_%e8X)@nXrsH0<y)
zI3(=&I|2@IGMsi^nTM3BBH%iiTo-NfJPTb>T&9wzN70J2>(pmr0u@^%DCKJEKdXKN
zoJF$tHD>6_Tz6;dpxyJIE><OnC<M|D_-TdpRjXvkJDh)|Yv#_{6w~DHWNQI3I00uP
z62jp$+8VpMnmQU{Fo%yJs&qO%##rS9IPsOdf<(e-9O6{I{PgUgd+C}veX;eFeMy32
zm`ahvl$?{rrlePV+BVzbi_>M`?w)$vVH4tP7bVGpkwkpAviB$HZ0@hT!0EC?<XZ9?
z&k!$a>o=fXS<6Rwe(xuC;_%eB^GS8b(UlqSrV1B{XSG0rdBQF#2bQsCnH9H*LPf3D
z8ci>t`eMZ`rK{#E$B35|4=Gn{&c+8pkVTpx?bB!pDLNg`3V!#?S&_MZ7Qv<;B93SK
zT+Z6`s8By#8o5Uh^FTdxOVd)nc_bf;N7M>ypWHN@FncbX%n=Twl=_X~xi;917X2PS
zN={d&t+~PYgw3sSSk9NL_~|l`Nt+m*fITZ~Os0tca|@uauWOqhkXSeoS_B^whjVf7
za$C)3pBgr~c$$Zsy!B0T9&)Jbo4lh`l4HkwTWisHEMUSh?Iq~DUsvZ@v}6)08vLIF
zm!@?isz<9XS)AcXqIL_LQXwVeY8ncaVAaopd-<I8#Jtq=OE7umf}QZ5yZJ#Qn^`HR
ztJ^r;|CeTfE-^8<82=8kXx%VC&iWF+gksE(pVdK@tr1F1b;FTN;O7e6{P#SESa!bG
za=29kJEe;}%qvyGlv*~WY*bF0QaTLLR5=9X4y|5`^&7^mufY3I4eB7NUyJJ!`Vxk$
z&N+RyuYwdFDeNn)UpBd*4)!M%*2H>wG0$=6J=rpBUECq4BjfUnf8eyTc<fV{#K`<e
zujlb#qhrZ_6WGhhnF$aqzd}vp3uhquTambvw}^Yc)5J?FRf}fS7gm1vvQKx4;h%5E
zN&nZ(N<(C%-4Oi_fiyVc&p)fCyiKsLp+>t<uuo+leg`}ATrkTK%MG=2ch@-I6&RAN
z5)4*=+dyY7c!3yC<xYosKmVxEZ~qM-1y+3}B>a0NyPuAU8183%Q$*{-E>(&EVUzD%
zp9)Jn(NR0=3!78^QzCQm<70Z05npC%sy6B+gY)ZvVaJA_|JBFQRX8HQKOA<#w5j9W
z4d@1gprmQZBqi(CpusWjjwk*;*j3}<sJybeTJZDcdF7d>8LHIW{4Q3!^E})PzecXF
zRoV*(;+}$mrEe%su%pHemHZr<-cZoZjAR7z9=vd84#o8qa4swHU()yygO{Nvm(~!-
zYd&GYVjqv8;AN^F2ZJ0u7LQ1!M71lKD5R|qo9{3)^|IoEfHFP94gLsQSzH=Xda8Yl
z#f+%isKUaehWT5?uzGIAF8h)U37ml|C)umu?=^Wjx)!weUJMuleQd(|QbW)}{Eo$}
z7cXqnq<FgyZwm`4;AUG>lX|*B5>He~)^R|zGkRZpYi}U(>vnojcOFNs<3B335gx-A
zL`hSx-f-4{lroc<6I!e$02aM<QE~#JvDtxhLrps9{8lsPeOxNUXTjp<Y8A&cq^JmL
z#PgScP}p)pXHQwQO7J@yHGwGob9QRMc5;0-M9C3u2pg+%%p*V0^*pB}U@-LxBkU*<
z5aM_bZj_kM<Zi5O>Feq+L<#(p{jp3#r^(zKRZ>7&VwdPwnYqRD!D1#nL={8}Ko~+o
z_;@wycffq;GxFQlomKg&RI;%SjXp%1x{Nxc$<=m>9@yYRA7c8q^TG7>=m}3-v8r9Q
zD)}}o-aUo(+h9BUjliK6z0p^4iu5WCjm*5jWQ#<iRLrrollrgB_wkjdEv3+luN;Nf
zQ)WT8nVidl;i|3i^G=}};8Gal;lGgxTE;I|wA9jjtSPNgQF5^_L`vwtPN7i~4r?<t
zWgQzt)FJ4wWnj#lL0dqQO0|x0<%+;^E?*;apG-Z*9H^2yZH6=lHpw$oMFa(x7LmT|
zbd-XP1@*K@8ux1IcWg;%nr@o7C3b%Wdqz91%9u^qiYNRmT;MGQ@f_Dr2GO!ii9$76
zd(p2jLBWhKXHlhKvJZt#2a|qR@ZRvfOY~MdGkR8$h8jUZ1dCvuoLgNs$uf_%P@t7B
zZ<X{)%754^<Lk1Pgq{V?g#&Wf5mzgz!kzTDbt*=h;x>MYZ)b~amd)2@YXF)OpTxd}
z&CCwHYNb}<p(l9$Lgxhme$tt&swwsOuW2Sxzu_s{vKPo28mBCK*cN0>t*xES%?VW$
zo3sttw2W+16V<HNOj-Qx{8VP|d_wG)a|;9Y;yoIgHENb<xKyUG(yYy7)$4<btyv}m
z^HiCQW6~A#jb|0(qbDZZ(r(&N3(`&c@4nb|TT1R>lX1nW^VbT108^9%oJVn?ZZ<g`
z$1qb?rp}wc-HiqWz$piDH*@z=l`0(e_Wqt~k6$5E20_O|@JJ;&(+14R+911=My`O2
z9Mk%&U;2i?fQo$Yd8Ysx^OiO_SLfIt=>B(Xf^wg+m`F>sgR>hOV8l`6`oR?-VEEoE
zIVD+$^l_o($IlN3_B!iQ#VbUnlj^nH{V6tgfw{BSlyu+!t^zz!1Kdk3*U~#Ww?abh
zmZVrzX&KN9cjAfvgvHkbRXFzuL>mM(D_z;H{hbMI=b5gpz(d)P<ePtA<C$wkNRBDB
zC|qJ5wZdpq+v_)OZjYO%@3?64<n|ter7_|ta5+}<yXndIrbVm=WG<)H*5E$*Urk}w
zyzso7&Fl0NPj7SEQ*dJ;hT&gXW1F2REb)!&>hhnxiCy`5kt8bh?tF|Md->n+IRE&V
zzqFy$Hj1#ewzu>4aF3i8d!!I8m}jZqb%Pu@%fpEhK9!&x9gCIqOIIf<G&Kd*NPONb
z8u7LElAP`bteRf7cY<J1Ni<H8Z-gQX^P<~<{#Ymt+uLeVPV(15VX&~UnmHBUUy%dZ
zhn0^XXi>BFxMwRGFkyp?Q8h%@-|g&wR*0Dvst=g%LqhImxKkg-_(dqSkVx1}mssYl
z0G|)C?5}R(87`UhyCIXJCibOato9nn0W_0mJVs;@uk-mG7Tf#3x7MC`Hf+Cjz<3_M
zt`Rxr|44VLocWKdOM>FPG?m$rwKiBeyR#H9H7Zr>neb^V>Zq8wvf>#E!bVP8%FWKW
zjAFZ_ulK86lNoGI)&X8*>*2OwT{Y_U_`3w}->08qc-=^ZQqq!ZG8f6Sr9qzF@C#3-
z#iwy{ae+^rIXWoTQxF7k$cVrj^Exn$j8CU@1%`?>tu6z=Q$kHLo#n`ZHm7F9RaG$*
zDkd!sR21Ow1l&MFdYu$8KYM5gzaHRiE5?l2DLEo$>bCQEvF+a~Marb(`4d+9*30V4
z^;iaj+bXQEU84*l%<Im%u*r8!PzA7zoN^gh3Oi8H-Q-Czr=nGgZZinx$hP`C&^^M~
zXX%!;1t5oA<Yg-F`3ZLZN7l?oZ#J~W3N&T4E?CMsh%jMnYL4QUUScdW#Z)cRAT<h@
zb$b;MJ6^}ILD~y-s#l(#7S6C317@c)kAKxv3L7R`v9W^Ma9O(GkMq6xu~D)R>Hh_6
zFT5og@4VPX&p?awop^GXo2eD^{dOg|utQQ?4>SEeqn%24_iA2hUJ87|xA|F37eVxa
zNp=6+&^*<DQ%^BTN2Xk;v1SI$)_-XCoyBqLKIg=P>EcRD(Drt&VH&Z2a_5yT6Gy;d
zr<c~U1cmlnozny$BHy1y_Kzoy8E^*<I!UZZye64|EO|&uh48Yob9({JU0u*dnBEfy
zl~&uH%<bXXd7?B#K1^wJq=3Iyv^86JuL*CFMMNw{Di<0N-=qKVvtiMPn^fVLG^;4K
zbSWgS-KD#nZO?pw(MftjI|Sn0WC<Asscw#Z$PL*nEu11hL=5A~a-S?K7HVU(UnYxW
zgl{|f{fU@$qs!9WP(vY^Monu6V`MDuQYW@kK1V*U{VRj?G|R!<t=;P}cmmV`MyOr%
zvEuDk*8;#i@#UUmC`49{i$)afQ3=9O4IJ1PjT_M|tzPT#Z}aBv*nV=>N3AH6bH&QS
zELy*5?qcMqU%&rl`A~@lbL`>R#VsJv(b;+S_^Lj=j|bGOrhtoLz+R9|*-OdE;i}n^
zJr?%dc)}2Ce4?OqO>7%r_yLKlTnSp`#Rm!3+Ia~5p5HGLRWw=&qp97nbMMehx*iO+
zmj8p~_IY&$ryoZmkVrk|Sv6r-PVIZAwcCMJ@qtpPQI!z~V_rFx1TmgYGP0kNLg|&a
zU=?7%<8EbE@_$-@X5O!**zn`;;Xz_XT_<i42sydRD39b3V<0?TI>vT<9;G=AibNom
z!pWm|El>YbXM@7D?|0gu3qErLS9EiY^bOKwhn>wqs=bU6hU$$r59m};+9v>Hz7=~W
zI8%6i@&4M-pgL~lwxA#?o<G&j>`h*kaXUG=P>mz-+!Cb1HU#_M1NXyFh@uZ13ov7_
zI=pAA&3V+s?Y5y^^#KGSz`9PC#CEv{Fqw|L!H|h`%n!dnZIt+~RNLAAGK%P%*wp>?
z9W{Rp3Ss_YdV2H1u8Yy~dzXtLcX?D&J?{Z>zt}sWT~PQ&XXX^;6ZVlrhIOe2D>v9i
zUJy@`#mIvI_uS4--awF&{j(-#ox2zuWozf%;Eut0$GhF54j`u&CI|6&cs)CcLr_88
z?W^#|LxA@y2k=!YxZJdArZmZw{IIey^Y5iWux(W{_4*9<+0+t|&4Yj%d)ZPLqzm}x
z<P?|-A+p079nhy_{1JoD?HiH6Z@(x??DPI|KmG8qD}_4yPqvLHN{(=8&N0`@n}@9n
z(4E5K-Hd*13hO!0R{}p`Djq={n=r)kc~>fAXJ-rU&f9c)^w|af*K%Th1q~}Cvg|vw
zxPb<A=OK)`VtJj38w3Fjmu)#E;K0T8&VO&6gGp1w<*zN1e(k~Pn~wFBrK$BE7(3H5
zR>mQ0|L*zks=vRHs14QpGVU{R^Fu*Dg{<Io2_)}q^9an!sG~REm&NB~rLP8q<_BfU
zDP?G%r8g4c8v;j5a-7(XT`IQ*4VaN>%jAcSjc5t5GMmB;p>H$ph<FT;VKg;!++Hy>
z`o{*xWKWj+NE&}7W{`ZVtD97Y+H1l+Ph!rfge11{Bt&8yZT*$0z;Q*85>M-s2Ixs>
zR4h>|L8<_QJPk6`v&r^W>PZ?M^IfoU)4<5IL-WI<Bzj!!O<ln*jjh!;I!1~aU}f*%
z8AQmZ<6dE*@l`H(D(Mj_dI;Oo=GnA6)N^`ir<&$Rvqj_2NY`?B<SiUj9|lK8h3g!6
z9V%~cqx4#&u(2p*mM?0PeDvV6d5<B9txp8ZWOTSfjQ(p+3Sv!XMFOwdWaugtx>!D!
z_;L(luR-$zj4Ehm?qdhW38u=QdB%19$<l#8cZgKP&}x9PIDfpo6+IFSS9+g>``-v$
zrep^q5k28V3|E(d_EnYO6hfZ?b$Lk2k$AONjDEiKsHoo*asy@YUh-FBYpzALS~?YR
zGI&<D=@skbVH)WizUd#rf`EM$3XofPQCLZCqSUIEKeI{TkmbMu3+~7O{-q(8XY8)=
zMfiPp-?k0G(!hcA#G9ajH>p}SHTsNm(l7femZR#7?DKhEzBnA+xW50)JxEHZ-OPV*
z^-I^fX-&Xy>{<TnL{zG!d}3tOhuC~P0@nI&;GRQ70g2IE9(9_|*&3g#OLu~k8K<w4
zhWp{vD8C(##$T`fS}X}d>#7^gna4->8K$*(15{KL{T{#DTX5di^A=}mq3dLIW%dOe
z34yFj!e_!(!~Lv$Is}LHhVE;f{b)N$5hC4duMTqPAI-`+JkI-)s>E@8(}dEIe{*gg
zaIhR#b4eIlxvJIxozYd@sM2iPJ=GH?R|Fm8EDBiqRz~N=v<p@eO5^)>s;gD~X7rbR
zXI|eJa8Yn8gWA~dVk3r*$Bt!Mwx~{{bBv-N2xd}16@wlIZ9(00+Lj_#kSm!E<fh~(
zmNt_0qLMyFf6F>jNQ9<w@Yzz2%^K>O5e_5`{U~IV3`$V9`{Ra;=Y;W5LPT>=V8wp3
z_ouV-;OTui4LkyOAR%DDjmq$l5&9#bvOPe*uA4}YNcr18NzBxWrly6cTe-U`inNmW
zg8o&TTJxI)qxUImzdVAyU(g#UHw!1L+B8LfYCRDQOS3ee)axDaE{(#B-8%%B6E$n}
z+<7%8?MDOUfYX$m9mgSJVJM87T$ZK9IFaY5M#~Ee3oFO?^6uWR-e{Y>o!l8gLQPo{
zAkk26OH%Vc9G>pp1)7$_46!Sf|H`Wt7N)BDE~YO&Hb20a)5S%~$@$jm-CfnP1A(JQ
zslqxY0fUCvZH*{i3scSS%8eN=r(C$s2kb0)R5EVJ$|m+6^*J&zNlT|D?qRRU>4hN7
z|2mB<K#@a0BTN_wyPo78{m5@P!J&GxfIK5-1Mia}`?6PRFl_K=J^|tga}0~Gq4^Ac
z?z08u2szNpLv^y<&P<0O!Nb6}DP}!jZ*uQPqQ|q8qOJ5{c%g%(5lx{=<1V~JRn#~(
z(3QN`GGXa&w&uXvfRmm_AtJ4kv|y(0>N=*l{0|>Yo*fQuSR}J#o4cb{v5a`hY%#tY
z4oqjDwUx}&XQDl=BE(m%7>GdVP;^I*V|Xh46k#vpA8AUFDNXzo^-e?bCIcKPa<eDn
z2(1$j;DW>|LCwl{VU}Q;Of-eV28f@%-3q1!6?TvN6`EjV^1vLRY7v8KJtWj9BQ6x>
z_`w@i?eVEryF)W>obl&(K820WxMaldUw0%Balpip-GPB!k{6-CI+@=CR+4Ey8MO%a
zU##s)VjP??qhHZsKEmw~ibT+su*V_m+GR_`G)GHPmFV{o8s|oP^DB=mz6J{~CjE_`
za61H}4f_2_#XPKJ6Y@u*cX9gY3mY>s8bNP8A!Y<MJJ<SJR<g^>N7K{Oc~o@+>$I7Q
zGP6b#0tUX<nVz-zgtO9P_o$Fjhjc&#QsADEgpl%{K@)-@QtED1RZOW8iE+)<%L3m)
zYz-LL8Rosx-ML3C#`>a2Ed*~`*!#q|f^nD{)p{q|Z#is|%finjVF@9fL>R{U$o;#H
z&YO+xxc_{z?Zmu5SEMHM#K2js<Ow=LD_Qq{TNfZ$r<U%y!p6u`iWXv16+t1jUD8G@
zF=Omie-vd=P9v5<sh`!SL`)-QPJp+@w5^<ivGlj+R`kDPzW5&{--^O0X3wxefCxC{
z3^6S-PNio|lB7vFOi8nUh+FmoxO($ZJjCRuTv=X7`nN34)*z;>2vnSXe-L*)M8+_Z
zd&8rK+fuXr1I0)bGPPQhwiX1qCr(NR;7cY~v>|XYqPv4%zCF=f4qxjRP2~7)23@gW
zwNsm7mBJD9_Pu}VZp5)nK2bI%=;POoA2D%|)z9h&8LQ%EBRg?K*nvKp6bk;ewXGY*
zE4xT#vq+Itn0`;)5m^Pv;fb`G*0`kgdOiuIb&i=xA9nbrRHDN#I_7X~(JIgGddGVi
z-BZm3*@9L`RTt+SEtgw8VUxR}JOe<#cl@RhDDpIKirr))`EAIg+xIQI7Losg=ehiz
z?QLy_)GLgVQWzsku@%g%L5usMewe2uyvDcu!IL2rWHIW0w5q^krtKdsJ{`Wthdj&k
zUSPOf5nilfDJqRMf8YDLt0C04zaLWHKFHNaog*xB5KVE5m~5}7pNMD@%nexQFb>zF
zA2Sh&xz6R|FZVlykN=tfcS<cTuqj^{kMIZch=@r3;1sJ)9UXm}b+|XOefStEWoR!N
zY(>u5P?)^IFj>amk8X|cIR<bk<Ov+zY6YE#H=3J9I8_+a=4X3vnf+nIY73!U#WGh8
ziqLGSl{U$XTGLT>^*l|nRLc&v@YrK4x2cP3cdFNNiu=bwIbQFv@0Zc^p$U6Ju6wEM
zo!mkrjK2d%xg(>S3Qv=pPgkdM0cds9s`KLrleRlbE~TBpJT-#ODAm*!&n+Oq#nW2k
zMWm%pL<#(Nko|!p5-;ZL8Gv22vgTY4cqGvy^h*uh5ke>$DzQEsIf)|n2OVEp&h(c{
zMgEOAT+gnRZK+gSB<T|EkR2;m>>Oc7hfcqdI;Ke53rI%*z2<nTEcIMcpyCEVAJ#ub
zzLs+wA0D^$Xl(e4@zV8MOvjg`l?C<3z&>oJa9g;c$gwKH`i7Db`CgVbA>A;)n$L$R
zzVUE3#{ktlor1yG6_Oe>;tc!p_bZ^|2i){OYKr5<Rjb?ULT_--J!w9wa98yR@bjNT
zU0#Yg-o^i1;`j>~{?A~rRe!fUxUw@EK%&&m!o%fh)(IbX3xLD%J}Xw2a$drCQJkA3
z{CpkJ%?I87ccFm{Sd+WAc}OnRu-phFj~I|3H#pz8EUZHOCbx*&cJG#(=X@oKf)j#`
zJHe=iJh`nHNj4wbJgKk3t}&`HJG@U`mro_W`{l!vOz78-7^<5FpIL&lB&xQ&!aBNY
zsQ6cxImzzqjBB>BDs7Sm<S7}>gX#IEE2_*(%nMV1fz%H@4@S!_e56_r)y6m2Z@DkO
zJ44DB?m5Oa?mw>n!o3?L%%rj87p-x9TT^(CURxnMnCp+3J~B(r(8nbnzQ%xCC|^3)
zGYGJ45jmZO<5V62)d*gX{ov+Wroh=k93@KbP&pI1UF9tl4)>7Nv#7AHX!ZIlf+R4#
zovEF0(b+nlD^4vK%HGx*WDw9^EHfNA@O`U!y~gBvc)s_Au5}gf4fJn`q==}&GJ#w%
z7LCF#H!fM>K3fMugU2Bgyu-a+4WQn8-S-8(lIASAid=}|JU&bjOD9A(Sruw*Yyx3r
zE`awl(~PJh^@^6b0c&wg>}O9;P+LqE%kH!A7U${Z4VYT2*=a)Iox@RHS`9?btd1&Z
zIa$wbS+RTyzO6P6w#>A`G&o=is}ajh|7W(Ac(d2$fgv}#+hi{09y(|xa#?IpDElqn
zc>1^40}|Jbs7S5&FG2N+g~f4%ks&!Jdmr0COP0R=tqBS<0L6y{uml0Q0Gr8-Ed#9*
z-I-=wVkKXecJBw>WRU;4gNJ_y-!Z;cJ?4a^@9-J&?(*XV9i#FdXc?h+LI*yoVt&JH
z)iTN8Z@u7`RO7nk`{3AM4(LV9BVOiQ!`Y3Ml|U1+9GlDfozzE3q8;^`1w+Du?1O#T
zOb<G;8iHA7prUu%c_y-mMbd3ikV=CRuX%ZNr7o7>VH%g$*9+#O9}6Dc+#@l2$x!o4
z6eD=iq0H#te&=q#Z<`p%%@%yCZS(gTrqGt2^)?W(umqFtv@3XM#n@R$g4t&@C)J<9
zI&m#(BC3W2>&?vPKcE?XBD%LwMt8C_ui%NQ(`;Ucw4f3hPC^#<W1W1jO5KFtCm2Ki
z`S^MHd2wI;A@sTR3Em7eCezr*8UaG~MV)jMYz-IEJaz|WzO8c|B4xF$<0dKY0J<px
zPm6_9zBRs9Jv0mceUDZ{*wAA%_S5%QcV^RX#3U_i#N(Gj1o=P8O~>Jc3T#ubP{{=C
zB9FhBW#T&4{h4ec9Zd4rdIy?Bh_b+fwXmgu4G?noI3CS)Cr=uF#5z_Hoa5Dwfu$S(
zUct^l=1f4BqN|){=L)&pN9rz;>w)l8M`vxyY`#L{iHQ<hh#GKKoMH_t_Z5w~Qw~8+
z4KrfTT+%fKgI?xs<G8U-)csGSttNd|;Z7};kaJbMFbR=K%FzF50hpB`J|{Mu&GU$x
z_WUEPG<C<Jgt)PYevcm;??K)b6?+0HK7S!kd2kj>wNw7|u6kwcZiu?Yj)u=iF}+)}
z{n%qr3>8c8YUqw-K?}nwQT~Wk<Qg2!v=EgAqnImD%3M;<yNEav!tX|d0ve?&dlDN9
z)=qcKqscJ0T*hc{4HCYRSh8o;#v4%wA}S7dt9{F%YmW-Y_Ja9=P(W;lfR&e$lA_%e
zy5sY1Sn^hyhz8LosFHkr`m`79gzw`0wD6RN{;fV?W|-$Nc9iAJ<yAbPDWm;NNao@>
zX%>8GLJ`6Gx@F5ZN~#IExJ|{4llAri_M)V*Oal2Sl(ARcI6Lo@88&%B{b~cgqkdOA
zUlV>OH2faiDc#sOcfUlLo+btAfp3T*OW`3WnaqVfXIsg|@!<8BB%pMY1=g@xEu%4{
zxA!or>BR?F2xT_Y3Yvp;Hy`Hg$=y9;?ANzdfYo<gd=fQ_K#2ZJ3ro%hP>@9I06?py
zx#hvl9So=)SpPy1)Ihe7=}N7Yf^nc+*_%?1#T51S$@w($3SHJp<n7g$ks)j8u|aML
zMzqV8nawpzFB8b1Eym|)PR~p;l>r^X);(*nc2930k!(hLv6WNWS-m#^hLJ6GHtW@h
zK@9g^R3&Sq%S`mvILbX+1A>0;?uR=;uWrt}L2Goga4E9*2b~($(CeIsd}l+s|3<w_
zqrMCbqc3UbG|{T>IFA8~DXqf|Q~o&|>;I&n&js(`U4r{`HOaDg8t_R*TYIfoju19)
zOFP=U?}DC`6n++p4AGX{J!5a7CM)KsKhm$5xh-*j))+6#FE628GOgU?R0gZ85gMZg
zyJBmM+#^$_`C+5t-2E+TjA?@$dE>;D<(|KQ#)a0CD27y0j4+6yO16t~`%%a5WEWfE
z=C;G;KPF{+pd?4Yq|0#%prSJOf1lVIcYGd8lJan>Q!g->TPa+->u;#gj(#SJa%q*7
z!2$r82m>P4f-KbOY@Q0UUyHqnQ`ZkZJ|2>&P`lqB2>Ay|b)=-E!03puPItG+us5<3
z7kSiXMg4%V6^uteB9#NhHxmiVZf<&a{#^9U<($6Y5d#qr=TuPf{~U$Z&I+nqx;j`&
zO8`pq-}sd=|8n54VwVhloCVL&czZ*K!kLx-=Vlj}KX6%<RKcV^LzgzVYJ!<W!CFh%
zg!a5uHKu4Yw@-Z*a;Uhsh$DE~>1itL$Dbx&8*Zqa52V+4GG!*Z^Y*1CsU-?D1lP(E
zA=syR?p{c6stDW;!hl;DG!-#ZJ+=om)wOH-HhcAg;j!acou0RD_V$k_C#Z?PePS=%
z_~J7vfuZY=eG!-%DZPqOoWwI)mGFjM65MHtHZORyzg6IK;0f`&)5hy!4stj<T$Bw>
zT4&n~2tg)Wu<<qhS*Ay`Oy~<O57*Wn33ed$maS7{sR1vQjtAM>Pp?D>4NV43;VMxg
z(-!+Kc>WRUjhONr`n3oM9ztWRzHXQo#AnW1%E_%yd}yYv4H*_SoKC6E&N^dh@71Ts
z$T79@fIE3M<H@}mUVg_F*u5#t)Zp*w@6SyBrgQ`wa^YEO_pI*d@Kgr3It5vKWx~g2
zoq~G`M3=&p*>j69t6^;+B$8WN%Lxm*F$$4{uilu^{<T)=qg&3YC;%iSMd~quT-URl
ztDleFU+)NCE1nH-NW4a?;$=nH*t2aj6q7wp=e|s7;s2%nk7VBxqH|Y&+u<L$kHnkq
zN6v;^GB}!SmBNZcdGyT3$ETDlxVf>?C)(899SRL|>*O4w2Jy23!&+RhRgkZECO2Lg
zTj|J*l2hyJ*<BR0JcEf(vQ<-OUH7UL=kP8Awa%AC<M^s?i^hpHFo20`R<{<5^M^&V
zkayOz$(6&0_>MwM7fKYZG+bP#;qX(+D<2o3#W;7hNc)zJwm>(kw%W;af&`%gdft5%
zQ!t1e4BDSepEQXejKSOj(8&bX|Eeqdn*MWd8P;DLwjE|3ud=uGkw^u1>M>NtzO?7=
zjM#vu=j~=<B8{ocNe-C!FGp~`iYr@TR6qAU^EmfGBzerZbU}7<{Q~nM^}sL5a0EHL
zY*3+1xk99Wz(T+{jdJlPB+J#OiBt}qwKB6=8~?YpA}$ER)|Q^n?GIn1k7WMhY_kV$
zuy(JY-=Bez2-WcwNn7e!ZWrxjbW*MR5Ko)8a=lSCIqT%<s$i>WTilcue@|FGHWnqU
z5Q5ym%a8Ey!^xDF?ws$ixYZbZqKuN~#gBM8&%F^h0>RAr>3SFn(aMIqhfShfw|2z1
zC@3Qp%U^$Bh>6@bHo9^I1%|~&=fZ%+=zP>iz9Uk5SaHY;*l7^G0t|)^JF7=3f$*@E
z;jHEq(9x)Q`KrT`<3=wP8Si5zGuN)IYj=51u;8xRkS(*nyWQ=4(PM?eZX!lzC1`FO
z!MuKDV+H&tz@KvANSttkHXU6pS088aIiGr7A$|tcp#hcSci2Xu*?*p@OA-B1s`e~g
zqKj;QDbfk#t1`P|hafOn2fr-mk48&hOD`YC(iVXlWs5y%DSc<lE?T3eq8yJ?g|dn-
znXzxrMJJdTL#e2e(NAycgF@m(7tV6bT`VC|@s~#(xOC{Y3lzq`GJhKf<&>MLrWvYi
z3=zy!c5X^RAqMUb55tV?KZ|2<`b^FDcBc0Ge^-FHOH(QP<_tqm2wnQ;4sY)e%DM3$
zd8jNzPGa_XyXNk-RjkdVh^(nk!4EUr+7@-X1#Gz57)nn^t)%CUVs>u#o&yr?@uA*Y
zyb%wmEAC&$3)W35&NJ3C*+P8gD!5|Q00RJXc%;2iEkcQH)+%B!iy01=+e=xgd~Ql>
zpsK-I0M*wS*t0Ah|23!%ZR@Ik<qNIi-bM0XCQzD=BIh(Kl_I~#JP^^ocC-o>pYe3%
zty8pDs-_dnJL{G&o-BaF5D^`}teX7W-6ge2+N_9Gi9q-gGTAx1ENuoQAq*)Fs{DJ|
zYReH^oxh!cS6r^MwvDHJ(_bQIkij1_ml1jgg5W{`PQ>uV?yjM#F|X6-$48nz#M1*2
zdxc7XhI(-(-jj11eMAFh4L~8Mv6T%tt#O%YDHK%XTfotj=^^BKbDm)^U6o8n-=Gi$
z(Ze-*F1-#_87OZF3;THH$HTbtWS0Rw=fN%;r~oM+@>ZKkckYI372iprBbPnl1ijCW
zDWhw)91(V-PY!SQesFNG_<$1%Ni{!iQf}>~_7S*%8n|x2ed6ZLytsk&*IWP*AB742
zysImR51E1x@>AN?I?#~AbG=@vOXk9f{Ktxz!`G9T;fDv#JvuM4@`d=l8^tSo5~NU&
zB@_X2)UpSA_q?*xh0E=SMf410e+$n8!a5udrweVcJX(j)=RT7KZ}Cm}!ji@k^>`w_
zd&q=#P}rW@DCBAD{=IBbbk4x$As$yu3y9+E*xtuA955G}Az5YA!dWY`yk>0LzC@Ck
z;Narr^a2`+`tAR*U;5iGkOQ3`iDZB}On$928+QO>zfXyf$@9KJAhn))hzvXv0Z|Wo
zz=0&xnjE7qMwf72RO~^l6jf!$(;Hh`-Zy*KOW;#lZxiPF{JwMAx+z4W*eK&{{MfN$
z-~)*ziWzaGQH9txoFs5rC!%bW;m2GmCpprcL2@Gb&Kf>Owwr1R-&TC?<h{94PTIfL
z1;`@|-qS2S&+hc?ysWN{%O=eyZamO4w)Q$cQ9XAE+pR#dtgiD52wbMyF|XsZ8N=5(
z$LQ+yl1)sYSY~$IOU4+pHArx$XdFCH!i=XI_qFdy%~PD7FE5E|{qqK4pom?rtkBqq
zsenqBRd5BfFEjf$Bzg?xgv-FDbH$#xG|IghDDqOD{Y&7msLawZb3>m|cU@g~Q``5z
zBVDcbiAE|u5adiA^!Ws*bkHLaEpTJf+*a?t?RZ@epy=sF4*j_oLYJ<q-ve<CzEIJh
zLGu4-I;ZH!+HQ@;wr$(CZCf4Nwr#VMbkebH+qTiMot*mqG0v#_y4baA@Aa<rtT_d}
zVhL%Qd?wcC7YDZ-vza1;!PtL5oCnP+I?CxYEmcJ_1bWmKfLL&!Jq1p)J<J;GQ0#40
z46wH1IURO_D@-h%Y|Ur&k^^+7+NtD7#-$ehLYe;>uT!D90M?(F!?0W7a$YlHBp}>#
zBDrh{q6esmGcYHuL@IT4a{zNj@AsqgM#dh`$Fu&gukN@wz}Ytc!Sxx|G1;l?;0VhA
znl;N1L@+z>$m`&9dAKy-AUJ3%bIk1ft{>ZMCMjl=>eF{JeD{1Bwx0+27@j6gb`G}=
zXfXBpY@T$?ks|)aktoAMp)6LWE^(W*bLB&`c6aCCFrT(@{1@3&YVk3#{}P~5K2)k>
zI7Y>9V~gv^V^rc|@r$QkmH23wv{I8iBFHeyYPJwKYV$?KkbQO*2!bCw(irW^@!o(T
zpx}N>g=+n~JaLhl4{tt=Gs69GKt_$<6|et`dvSe2qv%nyvXT}aCWGE5#`F7=lVl6i
z6|nQq$46ula8Kf_`jL>j5I(zZTWfS5(1xA<qHHdfua1D05@rE|loczP7%(>|IZFBS
z)%yk5qY)TAM1+tY|0m<r|KK1I*09)_cN^mN*1DO9L%a%_|57$OsfXtEg8Ff!PLkLe
zb)<VYa+(-OoE{gVudnNc!oRbz@eT-97y<Mq%k;ZlJ}=+5XJcXzB7fB;aCoBv;|J~g
zts)B#ya9ixsR8<L;vWLc-w@0%u}r4`wgccPIi;FF!2fwtS)0%A^L#X4oR@dCjPYwC
zsn62APadB-_mzc=qM)P?9EYv>_LzEy{bRq~COq$5mC2j#RVuq^-F$doCCv0L*V-bU
z!v{SErwh+IjW^@+0bfpPEvX<kS7l`QXd{|q^^?2}QC3~RQnBvAya2{~v5W1`LQ<5P
zVl+1=T{;KP3_=||kG;!Asmt}okjSHklt!ITw2`QRvuUD_=5IX$Slj}olVxD=e+2~z
zlBB$+3z&!y1n@-A==Yfh+NC8ZB}T&0BnBS(5TOUy!AMf#5mZDj%^IUlzsHYif{>i~
zXxo(>^&uf6Aa4+}AltSS$UKy!SCp`<Tgx=omC3>wE0;>eCTN^%+TB0?Wf(@9_P+|^
zBmg%1BXwiq0sN9Tx;)qfUCTJy<eh=d0bb|#mE4}mb6Nj%>R6h2N4xarVU@h!ZJ|EF
z1%Q5RYiDC~Z!c{6)Ab%d7dKs<okZF8x#|eJ7nUB@yZg?HVpPU|sE~T7^BEuDP7^^B
zP6e`dGz}RoegZ*%v2Tsp0@2Qn)?Ue)+U98E`C!#h36^7H+VQl7;Nj^ZRMt16fIoV-
z8|<-6rh*KuBWqclut~phqVItfn{#DFqhKJr$hW#iO6=bHU<)95STyZp$xi;RUIDl<
z`<1&lrNb3v-W!HiBX<q5aJFl;%0!U5u`<op(W{QAX(e-WPAutL2S`DHILxhj5!%DK
zQ_V$$nrvuV9LNb^GXyGIWFQ0|Vd(#R0lWIPvJ@>3GcvnlVq91<%IICYID~!_X1is~
zZRuPwcu>aXrRybQEcG@!+&<XrD|NZGF3ZGvyy^r{pfyG}9ad7ee~YHFu9x?|`jNRX
zP|w)fgI66INH@sgSjNqbs1AbS>9FN1)fb3_yW->Hf4+8qzV7c)LawmoffSA6T#h&C
zm|Lh!+S%0R+Ub}EvgnZ4*v;qI&NXq?ry5kvoTG#WQf67udSha&QBJL^*(w!<kT?tY
zKMpQG56+HWuQpo+e?DQyb;fi09hrzJRZ(G!5Fwe@F__WY(oCrV!(8V&fy2@vPgP(6
z_tsl*6EmB!MNKH=Q*F2a$e3XLy|)L(!uo)ZD^5j1!S!v>PHXi^W^)2+D2lXAbF9Qn
zT4$R^c5%w0DJ3J9-kBcauiMK5wqok`tqc2is&(pL*{=3GgqWnJ&TmAMe?81L4K9Aw
zXSp-#{L;UsgT?8Sf#&278VH%@OvNo1P~xpfg(c13c;i(?qjkZz^ZP68piYw!g%^m`
zKL!vWO9{$QXa~=vUh=T|P}{1qkn38rSu-V8S2t%*d+SBBek_~7>^UoV;o(cS8%2Z^
zA&b_)=W%V)CtK!Eki*YG0|w=wTFvDLp8rbd$XT}e&a3Cvk5#s;ldNiGz-VQtUq7E`
zKsi&EI;*efoo~x<k_6h%TrKorF${-X0>p+B5{i`bpWZ<y!uH{7!fG5@r>XAGa1(6`
zEs+0$XP|bVtmZln?ELp`8522a|1GAv4UlMD0dObPEnF8?WIB$?@oA~*UbKH{@B1zx
zHGKs>B}PY|!d78BLq&p73460i`K2Sh6mA@jWaZXWnzzc+=1;1x%xYIRd$%^Xw|Dw7
zDG{sFS{-)!=VED}ntOdg?P>~0zGW<`ad|ZU=cF1qGG~C1937$`pMgg&j+@XMHocVi
z>p<yVnW;yjQF0qls%Ou3VaVt69`K#;^UVm5bl!gRU(U)N!<c7;S_sz58N--vP`o7`
zjExeg{ISbsAWhN5^8A;3%E9k2KvP#>`CP#laJy@f@r^gy&`2nkklRqxbv`^LYyjo_
zHaKJBAOSDpAF~c_K2Lpur|>;NjXg}90R!3Z38o)3@Vbdl0$DGHrKgD4ATV}GTXoPU
z7d{MeuUfgx)7zFAE74`9Gd@W4b@&I@YJgd<T_#^HXA?KhyjtzVZ2fy$l`vby(AFD|
zZl5x@8BcHzrT;BA1@6X$AvAu{{E|2e>RdHX!GSGTDZgZGV=JrleE3f3tVHH-SN+NW
zPt29rWlF7X=dD0HH(W#>#zovafpM!umarblw#BJV=Sj#>(^@=)Se_#Hh0sR@Y(p4j
zRChh8w5GBgn9a$1`S#Qa4AfoYC-#in4EBuYt;%(*|Ih7N`C=)Kyx`a4BA`<H68s+h
zc^h6VQ!{~bS8qX#=|RI@2a2S~HM^9_RFhgVUi^xa=T3(g+#C?1pF&XKSo*_U=WCJ@
ze`!ktt=J5!lltU4Zn80`K*W%=yC3q^T?-J^-5*!>e!U+4#{?3Y?yxnK3ExcQ4i&uq
z{aM&PeWe!v^q-1MWKT2Q_AtYcfXgvbHt3hZtS3ILTjM<7Ds*`S{A@b(0En<RMp%6?
zYSn6zDT#R8ZN(}EB$(#x8Fu`G8}cgydK&ZXw5waxlP4UNE&?eKLKs~>f6CRg5bgFu
z&VB5zO*s{ET3*j}y8s|iE08f=U%Fx^)(F-E+|m5Eq>{Ih{2Up*R^CK({q1RUaK|u0
z7dX~}qbO$!$+Ys|CloR(JGZn4W5it9RXUr~3uXp7-J|iQmK~izqQB}wPM;_?D#m8-
zI(otrg=9ou-?#U{EDS>Z2fpG-F7CwZ@<(;4?<hBtf_ifnwJRDq<OZR6SsphJadkb&
z$iHf;IB-*EyA5hzoQ}<btFmylBz`r@l4nY`_dL+3yTS2HZTAskDShrS$A(~L;5*7I
ztT=@Dvhep@;gJYDrQ<4EinvAx0D?uWN8}8&A$jZS2@sp((C89FPc4kR0P0@}P&M1w
zaePJO2=q%r?F;E3={Ek+vriE8y6?vqtOAuz{Z~<)7)B#cNR<tYLl%K|YIW*!j+#0k
zI{yGbMog!nLuD1l05r6H-~g@XL>bMBEN&_3b9&pMT+!?3e*hTBPE9V(KSb^_Do7c}
z>zJeX4Yci0E7*W^v)5^!TIF*0b{-?3Ghz7ir1<K8v*T}CDs0s(E+aEUz9Pj9%YY(D
zjlm45KvoH=DBFNIv-DFXtb84Yl<59Nj<p|Ye^+384L<uhAl7OLKGEw*+Bp&M*_zAU
zjnoG+Zk8LU>-hTy0XAi;4G`mO?|rYi6IT7cr<SKex7y+27qoC07u!K)%ljKLc26zK
zLe3iq0a534Yp)+_gDs=rj?`&jcmP@3&R7+ah#!Hjic-ZyME&Rf49Z)kIosnWTaxQ)
zspxfs_L#lnmEHBvRTi%>OZ%XhRs@trkgxbs;@7uBYVEyz(TE%hDE0NzMQg2L??|4w
zpj3}WO_Il?@;fsU0b!V3jBHfJt@2ttamM%8X@PLq&wEC%-`nv6z|hI({px7pk#n!7
zR>?N$=o@?FC^?&`q;M`ia^T<BN{3>+VD3|r`aat}!YdWHdKUkE15W0;OPiycgVnS~
zaCvpJ^z*aa`*r1Tvy&v9+D&D`m_puKK#o=*2zW8FM4pH>hAB!yV~9m@7&|6cXL%a#
z^Ol;Huey79007J1|A~MQC-(*;*0N3CoJch8^wPjY(Y>t51fB};G@UWUlQYI8#$8`C
zcRM$@<K%Yt45>cZU)}~{vLX^9$vG;Ay+eK%EYvD8J79oiljje3@le;yq23}Zoco81
z&uk~IE`alNAf?f?Z`nCGbn|)=j%L_`U^sM3p-~$TuFqGUHYnxPwbi5~yjcI$%kSR1
zfX1v;0<EJ>%(+(g;KGxqfUX@n$)>GmnTq`6&U9<@o!hLYkCdYQwzHovYa~?3Q7=_l
zr(pb<E-of*RI<)PR3MW8!FnZ6BRWdOPS&_mkV`3k+xqn%xqlUq@F;y1wjh78Dw?NG
zXRC_798`op2WT+>7CLal!Tz`5H}crbyh>UvmIOtGddR_&`kodD?MRn56|V49iO4bA
zv$k(J66-{>NNLoxjnDCi42<mKlS|u6y!DMA-_0X+0d0&;_xe`b>Ke6*((k$mZFo&b
zM^8^TH*k@2_)iXeTA9ZGx{$!!knZzoo<1_^0yE|U1mi6zj3$fWd0R8j9BP#TAFTkP
zT#m!@^NTUZ@8oX1M~Gxi+Z&GFsY`*fSPtPa7z4F8%eF*e;+&xBycX4VqVpqz*v}8u
z5%)Z4W9r3Yw2)l>W#^M$#shzaAw6mriCZ&2AV0poH9dHjx=#93S~^=BTYF)nf<sYf
z2ow;!l<6e)se>sv@Cz!M3_y8-sr>8C_WX+PNqYWiYT}=f07&V76n7AZ7N6^WcQ1Md
z|7tTbJOx-x*VlIdK2xjju`W2tMM8uCIciD-mC6<O7x$NEcf&4EV~5GwPu@9APdOv2
zU<io#F#TwFZP4V-a<7sjc*#09ksj}l6MC|4J?nN6&i564(Y@=TOY`d_+8#9Dy*xho
zC5IF+m6h4vPY~~)Ma6*Kjh&8OKqIpMYZQ^N-@a|bnms3uWyv{xSL%Q+O?5q`5tDLY
z^LL_}vAIRs8~$3~o!<4$B5;I@htY#SVn?o+r)R)33b|6;&DAd85`VPDO~-wGeG&S<
z?$-u<(VERO{czPXE4)<QR|iM{&S7$cSyRjduiQDRT5rLWM>7o#3%&qtT<fm?!}6*j
zzwc||j-`YX+4z^Qx0yk82@H&Ki|fK+$(0EjQ_wOtVVvJ4_gH(ZRTkd#J=lB+1NT0@
z9DK;f)051y{*UWwl<NvghTGHV?0~=1!Pa}`g=~7dqa`$e9CUkodv=z|?;`k0*YiTN
zOv9E75Wm%sVM#ku;kw#d>*Oqudfk<X?B$jKp^WHo)0MV5z+<6Ep)YaWmQ)rR4cEKC
z9z`zoP!GZpMqEDuqOYwtJ5L|okJ-7ChFiI$uWspvK#W`FPw}Qe4io-+UReQ%Sn4S%
zu{A9k*-zeSVL6CN62_;)@ZD`~T-@CK9$PkJLivzKR8k#IS`5*cwq;Mn2XUi~yM%C*
zr<jReL#CH|{H5ajJbXL5n~=*p8(V7|TDrP+?AdWJ%M-C=17ZBTzW~E`-)?Ig*s^Tt
zs%(~u&)Kl_P4Ntt80>jD^O_Zzi}^uGq$U7`6-`?YM{ai8K7dWm_T-<}qP@(WBG7+i
zI68~gOo(;<HK%x6_dXI%x}9EeEz{?hm+#}wo9|nIO69gc1TYuJ=$LoZimuQzlE7e9
zQIff|7+gNc)dJ=2m>waXMH}v{mz4JPi{tCXhVKHzIJhTh$zL%c37vl9sFG>TZ89O6
zAhWR6RK@tWUp=0k;AC!1S=1h)tZZvbF|9U_nONaaO56H*@?4wu3Ucum*=iAypNJ;5
z6kxPEx69GMr4>{{yOeVEB(^x&TT}gT-uG8D5$RPaMP<^7T)Io0eaF9d1AiDj4MD<^
z(%;X_x$k%tvpqmn2dB<{y@rw^)sk*{B~u-;Rb?{;r-Zqf=Am&FnDOa_$1da!kjy)t
zlOH6LNBDFr(`z1_;V53(5J%C>%!~meAZkWceoN=!8E$VJ=^V5Y_RioG^uE?1AFL9K
z!$%y(+>y84^?wWkZgl8kBOBAho$l^3MFN1f<mh~{3>O!-UTqC|dhwmm&hh$QlbmK5
z&!Jb3HTO+QC&irraZ`&SiVtVpVamt`7$4P}%zSuqQWoh8V5dif#4lQ$^vOp5Sp&?<
zsQM;vCBWXJO3WkWLgC3y%_4E*-v4d<d$5@8`MiHS98I7yGy%w4h8k}3#w;xM$bKKC
z9+sQyB4u^$&Fa1kQ3fmOaW#Kl>{3S$TMki^j%cZcKf)d_Wyey!TCt?FOdVYj$ME>$
z#D^EXJN$ujI@7>!3fxwH%lYhMAYv|K1972~jS`#mC(fNDG9ekWH`B<ClppIeU2s7&
zgr024v1p*7J8vIe4ilu89KH7{vUQYgb)V7@shY^Zw5v;z039kn5_w&`n#pK}|ALMd
zYXD8n)M?(m7!0M`@yUA6azF@>)C?{RN$Ka2C{>#)@G?pEsWsdT9xZreyau&@KmK+4
z`3bVhf(IA%m(>cR^^C4nCBEqxox~Z8jJbBThYY%E^<vfL*9^PKA}^O8Zk&bU-yF?$
zy@4=?s#=aUQpxC`oFy6x0%HMkKa`2@R|0dB4ww(3Q@Y40Ja6qwt^&3cPSW<yQ2)L>
zK0!f3xOYz+I>sLn%RjMGs}88?;+GB!`NDVHPpPuu(9b3*upZdrqsubjhd|Z``}4h<
znwJ0H3%Ki_AK$+NEITVSDwiPz>d@0e0}7zokB*Nmh9LgC6Ji@-4i`Ba&9@dDkL}4u
zkHPT4h)_pY+bO&!Ecj{@>yFS!F6j}{&!3vjVK}j7FS6}gMbg&2b_^7rk5_8J4_iRb
z1OUtRppd91`-Me`Cpd-{l1F^2X^FV&|20kca~mO<5UHOwLH^mSlN9Je+lUx}bpJks
z;vZGTwZmG5CJjM65ygJM)7>!9m?A1u*YymNwVz9Jzo~^#FW*&|*1UKD@4Zc6=4FW`
zI$|_dG7)`{-Zlk2)~Pg9ih}7?y$4C>Y!nLQKOpOtJ#-FE5?`ssj{7Q_Ck@o2%Fe!{
za(HFCNImXLaJ<qvbd(%y(d}iYSti(?h&kr)>fk`pjUe``j{+W97q37aJ|YdM+XF~+
z|L(5ahgV67V#>#FV}4WdUwSH*E9UF+$q0liRAP%jyuGATE*M5$R(xz3!R5ZeADTV2
z&{~aC-?E3Tn%toQ<-`7B$^#JxQ$6IgFm68Ymv5j)5U`xeXPtulofA+jJB9v75VXen
zhD2tpY6ZoaBA{X23qZ3P_LU2h@6M0ej1qd-FCFMwBpHGkMME<u*UcGxl?5k05BH9u
z|8#2zsW?;n_m2tPsm)QBB9=97YL9=h2K8w83o!-T;t~Jq=k#6^8mhO>fl77>=59ol
zk+J@0I%yJrI3l*TRQfi&$VEgyth~tr?NaA~U=(H`GoM#mB2z(Jpjxu?0Rsc?w!zQq
z>th6AKrlr|b9=jFSY``&XXmEP5rSc5`s6`hM3AH^vb2<Iy#P7O58g@aXJd0A?Eo8V
zYop5kM9Fo&1XmaA+b78-fBpU;WKn46+o<4oz0O}_3&@&}_oolxUjBTe0%>o-@F6h?
zN8xh?MG_~f7~H?FkpJ^;bTw%orp$+Kg{G?lQ>3-Q!QAhCf8F$aJm)y{0LFGBTa*Pc
zqR_?#Oia}vd7h_A+-hciAbs_bip1)mGZN7F<v`%d%yQCNG5}(z76>AM$F2AubAD57
zhUZG57BP6aI~ZjC1`*WK9`;fUN_L{&3{XN2Q?b^<fK|%z9?O8&hUoNP4}w*O9``O=
zv*W^ln})5a7q_%Xtb^mkQ5Yl-P;itP(MxS{S0W$1G~{cQ(qw9*1S=0-2sR|v#k>Ft
z&ssp6ySnyJ1g9S#{~{&k+C;QriYv;rx~M>d$_|p=4OPG)b&_2N>BP~ch*SmTFAkK1
z_71lwbx789b{B2ooaWY9N=iy`@u7Vytb%fl8ddKvnT5e&i%QjJ)-QfF{AYrLR}l4z
z9G&=1C{_2jBg3GsyPu=0(0Z}-o;Z1Dd=gXgR&FdQano`AnAl;lNUJFMO0xHCZkxA9
z%R6F9FX+?(Z+tRQK3Kq3+|fxwQ303sKv`2|JE_C^*ttKp@X_j!y^ZP>rC;x(iWtQ1
zJk$qydGh=nGl4XpQKq^(0Mp&d0WfYpzjz3@m;WK=;5?S;HXv1qu|w>nSxdwg=Ha@5
z8`YbA&6CYvHKW&YC0{3Ishz*=<$P6nXXM@Q4>mQfS=-$VnLt40qbTV&g8Q?4^&F*2
z@!N!gBICK%ksv3!#zp7e>N?{<6Oe5bhnTEHq8!XtQsTd4T!})qXCctksg6J-^#8bO
z1@wcy8p{l;YS@Sk&}pGMh;X!a40(KM<VW`=e`%R$b_)}tDn>~s+*aR}-$WWENdti2
z1bBFWyk7#NL6`5#HxdQ06oQsoT@^|O3F?04#Eqkf*B`4XM_VfNGk!rmBSv?T$pxkc
z({$z`8Y*`YT-iYE90$M?ZQN0UV%WM_q0h!`t+9^5{>B!-g7}GH?CC3UkQH$7^4_-Z
zclDIrIMDo+gB)85N-KK$@83<p&&SEhJ0PwCAZch36)`5C)tMyiIbLYzxm8hE;2Hh2
za4j>Q7HliSu-$iCH}`1|i}1d5i*Rvw3dRY=LJ`NR-P*H}nGoljS+#d?>zNq14A#T*
zMtPKH8e52IlZ0#>-`}vo#-Dfpp^8tgR3|LR&qiRTG-=YCi)U4QmqIMc2Eq2BAE4pV
zQQ=C-8IA11OrDO5haN>d5Xg62iSzGeG_aIL(#@S-FNX073DA`$<LyLZOwyp%$@1jz
znQt%O#q9|Q@bq@3IoBG_?GV=1zB~N)ymA8AM3@0Mi%uw71eq~8>62C%{+O{c=T2yy
z05i{-o3tQv3Ny$$Mbz9{Nj89W7&Mt~HlePgwW2=^0@_e<&{1-s#bBKS*XpyUxu_Ut
z?R%dB${bJa|9MX%=ysw{;#JlmTMwU5KG*@8`q%ZwQ>1zhj+NrDl7SMMWWcJbe?gvo
zJGX3ljOnb~7?I~rh{}K2FHA;*&npMP9`C1<*Vn4WbHH*BS?qZ>mQz=I|Er8E#nUcK
z(Q?BeoK37LV`5Yyw~fnWwOEEzz61qKogNY*C~n}CQuPYce29f{^6vWf`3r<@j&A1l
zFj;+IB9~&@Wgeycg+R3x&`IWM?QS5pP**?Cl{4okqi}0kh@7-A1{2Mk=uuqimScC8
zjc=O%q2E)h7yp<yR^!(gtUjNoP(%HDu!-<nTZnkeEddWcca&(~Z|iVU1+SawNONZ5
zd=tZF9k+xO_Rr4)%m#xyD308jI5`nDDH?PKDk20yQ5NzvSHJ4!4w-S!bxuM2mUfpT
zoy!nA)(gsxQbDXHM&8j;u{sE~0H$%23{R51agF@tOhp*ZMPYEX<|4Y03|9?IFGTk)
zgb*fp*#$C6Pn61L7&SAK5?cD_NXY)*D59M{owye^)8^Id)&~x0*5dANMZQU#avP6F
zss_oeLMP+H-hbNGrRl=t81M+`5#jwt6)tza0B6s$*VnF1e4!znxRH?WMC-bVOZRPh
zrQv^#|3#IjjViV6JUm|38!Z6F=3x6EYV)CZbg#k4z7GmTiu7ucg94iICX~}w*Fqb#
z<ze+g+B9piH%c2#&27Mx`pqHW<A1>MF7Kykm?}3T8oZQ(aWdT>GMuCg#2n2Xd5&!_
zz<a1(f|y!tMeOIAEbZ2>3p0lkpWK-&3{K@|7+gMKbW}dmtRn3n=dM3!eg=cjI+;J{
z7X9vvG&2?)V4?xon+R}rc6VDo9jYre;_Nh)Dqu%ZgshPN8$0o<ifYw`4oY*5pfGp8
zOTeUWhQAIuJD89=i*uXX67;M8tYMp90HU9VGND$<H<7xfbMc-V2Z1<5I>_ukHM;vJ
zU;1k}+7aA`vPh>=Sbn{?b+?@J69(pkID<1WQ~NGkW^ERx_7Iw+^57kU2Pia1-v#C5
zS35G>D*4!m74BLy?8*bd8u2x0+aD^enT=gv%kdrai3yCy9xKwi2Z?SWqF;~ogMp#Y
zfq@6lCalX>#+&Q{f}KO*kQyS7&on;Y#!J->Rs5cwKRGu&8#~(+FICRcscKVfJ#y9x
zX5T>MiWCTA$?<YoqRI5M>TI5D*u~AMb>YvyquBJDq+_9`5<MFj#<d@<#Rx)Wa=!lp
zWC=;4buZ&bLn0Vo(OEV=IdEn#*V}_2QS`;q)S?^_7~L^^t>agRss$)0|BUrxsqSMJ
z_z{i%o;TGR^!meFKNbAE0e;tq0OKzs6?9(E9DOqXDcjW;vhzY{b4+I7HNF1$rM2`V
z`mD<b-1mX-&2}Tzx+ss71g<AOD|0r<<VL8IIrmQfy%h-)Gq{g~oR!wDr_)wFsCqt+
z(Zk8f$wgHfB)IGt-SM6iGpepdfn6M@7Ygu7joN-as^$K&)D$3ZezY}XaN1{zfp!6^
zDot{Zs#(hoM>YWFOJC)YP|73W>)!x<%SlZUaFvnpKu6*dgjReW{Eosy!tuRzRWaAZ
zJx!&P2nIalw#g`Q$f(3X-k6{q4wQ2gr-PkcO--_Rn%s2?S-d?K*GlH+q3K!@f)7H}
zTVRx`O0^CH2l;dttfT?YWtZk3!$%6<Xc(yi%X9vX3&*L3p;tgi){M<51o<X7aw0IT
zn6kd#^t|cm`Rik{^7*@aTc#Ss4M_wu%w2<~xdM%}!Z9#<Ded|2K0aNgHdNAIz)6pN
zl=lexa8Qr>I`a?-kZS<M09?Jio=&ED7ce2epoghGpN}-}bcF$rTF_~~rn)4bxcyJ{
zJq#^~>^O?G<-rKVLM^2@gJ<?AR^@W0ph(EdlwUa&abAKR6Cj8JM=pSyuuL6T|J>aN
zFvtbW6%Kd5CAgD>8|yr82c#J=oc^AaLmXtPduJ!zp^R=S>dm-mWZ#@@=8y%BhqaU@
z<NBCM^4Z)MMam|D^w;R%5yTsEEpmj_8S9t)V=w_7(4>BT`*&qaNC&y-l_u~V*yUPu
zg%nf=lsN0(ee$~yd>cdHkW>xZx!;<-a=8Jl#AUzN^BaI3rKxVx=o|0*=gSc?OdYbo
z8>0(qRkez%Clz$MF9ZgP*;hq%d%0O%a2W#LvPF=@Gw~5g<;L0?vyl=l-{ny_9}|`<
zA^w-_T-5Rv%&;=Eu_;9mW7TK`w_bdGW2a)ZA}Q=$b|Rcs{Q6H2sVVIh*?Qt5G@y^U
z0hH*1>!6uDzAbOu3+#Im+^2P%uANjz5yi!qlu^<syc1Jyh5)YuW1|2;w3$+AkBM@$
zf49GD_}L^gPbqJy14t!qZcXN-_PC;wRcTbFO=k5de5=gc@s9D9yVQ#C4Zbi((2SPU
zXgevCuHm52T1_3Ar%nP6EFXCaFJ*)QJe~n_SMEi|?XJZZWdtX?VHMS{B}&0hv#`7m
zy8q%P$(>M~R>8Z=S1%9=`8+?*kddoohC8D+EGsg*<=yB6L~fbUA)(`mDa9uOf;j^q
zV8Q7$1ixPof4*M=MqdDvLOlb$hSI3w&@~+*x0L}H>md_XRMz7u-vBC2N3U6WOX7*~
zHl|5grl-(c(*fL&oO;`4@^LmVQ?aZFcOJt{?yvWHh~OOaU2&I3TL&-<OKOapRHvJr
ze0kW|5}(g=c7FbnJRZHMe+|u<OletslzP1OGk@EE@Y<koJvjPgBD2h`Ah)Kp$sYWb
zcw^5IAtK=5umYrNunu#X#aZX<R%okIwLZt92Pvp-3zDbte(SkMc}=tO0>}Jiz8s#D
z1(fg_cjHGBad~a$Ye?M0UId{OOBe8Kr~spwb#q19J=e%i+tTbmK{QD(Z*N~Yr_?4?
zBuWaxZF9RFvX=|SEtk^XcE-)e+J3Eqfc{L|gWKBh0bY#l+*rwRBev-G?#ar@kd#5|
z>MjxRNR9E&skI%D*^Ln?n`RA7Dl37YF$}naZ?c)ve;w1!?3|GUbfgSd^@@u|W;8~J
zg~pO1JJvia%YTzSntNJ1<GRoG`{&o!v8B3_=0H2^V$cehQ;oh-1~6WwzuOT(5>RpB
zw8`se_<Ub)#}6q1l#<+F9vFpriUOf=bMsUqIj3`ylEW*6|L+CR^z;A0OCxug%}fc)
z&(9ZXet-FSP561Q73?hrp$NGP)%z#vsmw;8NOr&jKb|gj6_xe$nyIt;tLL$L95tNH
zb!*H_7A38~^DBpRvgT{Vr&X-!S}~W*4CTkeQU_ponv-ixu-UWcP(Ny}Wb?NQN<BXD
zTbXu%e*sK{1$lS`xViIVBTBhSH3Y~l#=7zZUmv4}{VGHRv?>8*MjFhR(g8Gv6CHJM
z>hQ4>!K!8H{MPo)`u0YRW~GSn*PdgIBgw&{T2i<nQ9p12KKw^56r(VmULCv7EO)_W
zzc~PA^J3gXOQ+sTAziiI-a%A+i2f^$UemNTQ>q7)cTlkrfhBjba%6nL2;I7dZCu%s
zuLz30;3?JCAY5awT<j~6EhjD_;TDcR&<l-{O0}lSQGoTBIMv5Y?!EIdDa`rd{&*5l
zQ{GO<_s42I5S#C#sab@pvY`t&_@i%?YBi%b2n%?oSHgQsh+DHfs|CGjsjhW%zh%a`
zlsPAh1#so+QD}C5?>$}uzK3(~jtR4-Swpyv$P$1bYp?;G-*om0Tg>BzCKwjI$=fT*
z(60gU%N#aQfFPb~o*HNW+==E0XfgBaW_+`W%EqW}(a86^8y>$qR}A>EVk4Lr*Uo`B
zJj(wwP(`b0hE{+HxKmgM81{gYFm1I4PqR6i9#aojWNaKf96UTQTSTb+3J5HAk_H39
zzz2WQPW^NsjPlwoTcvy6_a%MzBVr~IK8}aFL?oj;Hes@w7W8YoSoq62!xmHY&p>m-
z&o=9pN*xfvSa|DK4?XWkSJ1l?kK|ce<N7{?^lYf;9&h<dT%*2IL}*V>FN4^!*1DEU
zm`+d8z%o2Ap9A_@dgjZkn{Zw$I4ipSJ=idM25+3QC?syGG`U5EVY3yZCfmWhFaB_a
zC#i{E792HVb3;~QVG(~HqHt2ndH*zQviYpD>I;Ka3ZA*vQt8|EuI94E(dDj?i&r*U
zVz2xnc)MSXgq2ucKlLtcclMgcARlyw(ATbvOW3E(u)(T-rW)>JNDuHD6JvI9*~BzB
z0Ruxh{YS>@2{@yDeY^mmI=_$JOjv^8wf_E2OnLI}M)#S2&9wk)u~Kk9Y~aT_9dCS4
zot;1$Kel;6q%3`q8fntKc!?NsJ+>r|hZ@NX$_6(8-%q(9&Fc%5a*O`g99bb7f;?P5
z?lbVw;#_{O_K5I>w8<6F&O)Jwb^J=Z>j~P(yN0KQUlvK*sAiMbd1pX1`VRMBZ3V0v
zP8NIsH;;PRRk1uFQ`s)PUdG84qRfqkoQjyq+YcUtpB~)r=n62W9Asnw&X==Bno5l_
zr7)+4eKe!Gy3BP$?$M?6JT2NNTho7X0&E?PHw-%cmaiW>zL4oC55%0e#W9ZxV<Szx
zYL{tpaxQRlZ0g$J-&M|-$eX^uQVWA%`7&gFMPb06^yl1cm>p2z|MHkCo@)4tqRRGC
z$Xcy&9((M~S~b4FhI{8P*FtMxl1V0O{a(k5cr0MjM$zr<QiWh=K&)#JK@iHFnKn!;
ziwy!b5e4~JqJh)G#XSR_0Zup7%(AmZSc8w$8Lh`S`dGF1P*70lPiPm3$4{8wPa;cU
zy)1g_G$?X8_&4RJy=FUGQ#Jm~XI$CGNY25DSMo4g?DSHxYURPexXBbIiu1D{L0HJX
z)7ks83=r>mz6zOeGk1e`jHqQg(E9nx5jdxAUjCs9&1#9RB^F=3PUKtztcufwV=cdD
zmu&oQf9U%A8u4G_fq(>;?6Nk;C?{f@pv6zAwoY}_nI!BjS~|t0V5+tPHgO}QuB+SY
z>lvVox__U}SzKhL`o-L-ORm=v`#?l#K$l%CPbGktZ2k~D2Ph`fWoSj}><4}ZcLD^Z
zoypFF3$wUk^SihL?F+}dvb=mKok?1Iw+sV3oN0Z0KFkeXrd&ZS3zdYDj<ER#vev1Y
zT~NrNqbc>0#-d|y9k0y`{43tA&{a37;mwKKL<xkBZq9BmAAMP}U?GdQ2VSEql;(eH
zs0~?M<vG%yhW|_Q>d~VkPK?k`K8fL*y?oReO1^dvm}83zdqE=Cllz1EFC({IXzRH-
z6*?TRV^E4YbVeE2g$Zc1IJsXPsdx=f6+!@Zc_4PjsufhDBlUSJwLCsC&$U+b88khj
z65=d6GBak}GuI-kq(MpeH)Sv_M%>$wPSw&)Ru02_$7;)a-T|u_dX|QIjeD}-=|e&k
zm{+W~PGHgK;oTi{i<zh2Cj`Um@$&6>3MF8PXOB%J5i<sUUkApDMl*E2iMf?Nr#zeR
zwcFry59mV+bQS7IJDH;OmfT)IFwW0?1*mF72Gla`Pv*3ht&Pz5`PJ>>xw~0Wke&iX
zWfl!5yyVDqHN<b$|B^3=f}e+%m$m{qt({9wrS&fkLOy+|A*fHs;9Y0##ZsXjdJ*t3
zefaZNP1M83cMpVyQp~PwqE`Zz%}kc}uj7XXtru*&+_KUcZN8K4K+-@E*>V)c^H|r|
zD+Zjc`#m(~#XB6#&_Bjo5RW4Ot^;5gQuAZaZu6(`hR?8R0~v<p>N?z5?Fv#3Eh8c-
z+-nDAVWPfeb8TaRw!Kn^t&xO-*ru0E?z^v)&fLXQ#h}~Y&D~!DS_^9}%;hYa4Nay4
z`eD4DbXn+u-WHswCZ2IvdSFOuDnRAA_C9p}*PJj`n;93Yp@}N}Ey)2{P|?Zq#j0bc
z|J^VqAo26GSf&_g0rQD~SyzJXQCAoru~uxbsZf=JU^{5Pu=9pQXAAz}^HtmPdGL7o
z`OiAj<Pey=rgFt@ZuzUpT*jt~4TF}*Rh%atrLq9XFvyK3@5#x0d9`PI4FQ=jlSNTc
zG2rd^^ziTyY_bi_HYF6RBo2;d!3*PsPiOQQ0rBn+99a__F)Xvz;JhoxWWyJH?syz7
z2^u)6GA~H{1MnwMG>WrJ3oDCO+gyl3*_C#lR?qY!hZF-oW@ubmV!ucZ<4ItvT+)~C
zVw6kd#B_J|j?0^SpB<no9Z*ar`@NSs@nqn^fQ<<3#4Z$f2mD8Hliz(9wFPOWPp(%I
zKYz2jT*^={K{uM7vj3#S`0xQsM8DRc8^je{b52zlKP`<CKrQaPT5^+}+$c>N)@|s4
zy5D&gv9zrUTb`p)2XYMr11~`+gw%tDLLEdj*E7~#9`k@#FKrtHtrviBE@s*r0nEQ9
z4^tWm177Dd-H5jg@21$F-?TyNa4NAAWb#M5@y#l?B|t9LSpf}E21Bm$dku2gHmFc@
z1AyT2FhMYo7okyn$@<M-Y}%2fqUye++NCwMPZBSjOwr*c0CH#FQCB{7!&5x43s@?M
zMF|z5!&v>~eaN9=BU_h)T&n;dXlRE(qaM9|)D49eF4zwQ8%Z^UcT#J=ev=H&n45Ac
z*rf^k#Hjv+PMN)7gu!l8Jf@y(h11%Ym(x^+cgsQOKzIs%CcKKYsyRD&+RLj4a$k@Q
zZKhdAfx|Z|<&wsc`1Twbn$67^Ml<rx)hYN0K4UvoTHl!^2cTtqm^3s1kqMl><5nVg
zIu)k(pbYe?rM$9MXK78-nXOM5fVp)F17<MsVb9hx8bSgcl5WVHC0^hmh+``y<>TTz
zd+M0dT#w~j&H5hc)@hGMTjelb`aYOs1Xy{$M|;0IBeJ~~_>=Hp7=p9mM>=Nz``24*
zsG-r)99y?;q*k>PhUpedr8k}m&nAQC_*t2k02y_A-W|L>6ofB5klm8*Ro-(U*Eltu
zu4CBR_vq-)>NBriy~aOvAD>T5&=+}<ag;sVCCb|G$oRpxZq51B$4S~r2}D0^NyFK+
z#iH85SOY0~65stAf)Uhy>pOQIcmu+)D6l5dQKpUh3z1KWx`Ozi2EbfNZOkZW8GBzw
z%jK0GG2-|<Gfz`ZQj1CHr$}k4uDMNaTu0i(6%{zOk}v-obqZEivE@Q_8O-82_?zE8
z-8WnY!4=|<7*t$Vu4!&ROG=&gp(Ox48ZSwxk`&+-+l2Ph=!QcnfStKbHyyE5jQTrN
z2&h=6%A6(MCpU*hLLFK&>c!n=dts{i=I5VZWd*0&eJxE{Kf16kKepB4CY&1-5FdPy
z`D?e<R0>;AN>*tUTR<o#(!&!n9C}U?+`Ro(X__ao-X{^1@fw&Jys?ulS=zBUzw58N
z@X?Ob|2=ApMI2~@p~zH_j1)iodl#>osJw<q%AdUCF&F}vy=<{ljg}kNFW(+c8U5d>
z6;SSnlO_xONhMBG*FzrBVd8BlxLZWCHcK82Y9o5w!0pe9u@Q(tTlOqlMWG%;gNUqz
zRkLPRs1tBkZl15Y6@o6583vIlkB6n-PhO9naySFBe~`^>N<_defUq@?$F7<UtZ3DA
zaoyN8y6qv6hW5XKg~}%<t+FX3SS2)>^u?=@>Q=9Jc8r*A>i~9<_DwZlOPO3E{gE|K
zKIz4(uExs@nd$|bSs-To$S8IPY;5=?9DM@=1K~&{AUwHtnYT?a{;82kYH91{)j_al
zdrp`TwkTqP(ntv7zHsu;a?H61Z43p88vJ?PJy~P1ERCifeNpo6aWg*gwCEU@$cuZg
zasd;(WLF>c;2}lgF8da;NjpCR2Vf4FjRkO1n*$%)A%S``h@I<v{k~`R1#e_VR<N3L
zGadl(?W9k%kMjmpeHPfzmMZ?&Qqbx4AFz_HNZ*s7X6p}SOm&5Ns{{^c&Q!}w&R_6-
z)>YOVmnL<qxH8o4Jb6$fSho0WEWlNTl_nES1@>@Q!Kje=Tdq9(0s_E>d}TG`+Sa@+
z)c2e*CvzMbzdp#Ed<blE3Oo<N)YLX*mzKdC!w#94wAuH|uP*##6~FSd{BAt6g^RxF
zW&?WwM&BHTQznbaK8dh%Ua~z#SQY0*WU2F+STKw3-797N_itN>At4jg33O+^Z3Rdm
zjoMwiW?dO+{fUGP!wVY^Tbv0YVKKNf+ShR{{02RV9bZr^$W<~!*%&*lO=F9Zx7hhj
zUyhgV8cZ5h`yX>y-`d@q>uaJw5EL7Z9FUM<ugh%fZ%{$Yq8O0Z3fL4ryiQ7(H(JyE
z8eY8mb3UYqh&VrqLE<6TpfB<!Lp=4X&uYMSl^@6M^Hvo7O>ZM*nBR~HO?7I6C~|=D
za4Q^3h!w~nvR<7eB4Ho;=f6qD{)7V#$$QPK1ZMJKm|mdZ5FZ$bLxS6!-}Sqh>_C<E
z9rHt3MKo!Mhad`Y3#=Q`-06JFG#wpr^QjzV)OKt+vu#&m>7d57QS3oU^m|zeok>#T
z6HB-&0Uy=&i=rLpHnBBa$hgoPg;WDnL+2??&@ptyhV9>o_J0C3lXVfXGwW)@HQDSK
z(`>_n6mh<ALa;r*wXHvS{>`pw5x4Yv1wP+i+OiQ$yBI%I0vQ8!ki;b<YJ<h+AuG0!
z?{}^lw;{T8$Eq%=^u71zLKC`JCjtrme=h)DxZ|x&K589K)Qb)zbq!8Nwfym)HP`R!
zzM!@kVBzJ9W)FAoFJa7M+Uf|Qmj)-3l4_1;-%Hom+|_)dzmux%<62#4GgyEz87qcq
zVk!`Z?~$MF*|&72==o~4j~Md@Q#?FO;~Skz7*30mueUoO0Qrrc?-Y4-eRX46tV~#o
z&wTD-xnu=f2M>AR7EElqcroxLn8}##lp8(bZ|XkEQ5(1IQG5x$)E`_A&R>fFLRVec
zxChhG5ps<E6qsYotraV;yO;~lO*gSnN*wob1CxRHyg!YsnN3Dz=YwZd3q)S1m(j5)
zkkwp}V7UM;vo~in(=$ZV5i{?ZTf+68B9>C3qEfk7@5jI3b|oH(-mC*vOCT_0t(u!c
zH;xk8KXZ*>P9$zj4!Wu4+EBXg99=%mnvN7NaR?m_rP_#6+!K<eqeyxEAg@GFH@SYk
z{<h97*Zm9a$$b?z9u1*x(Qc6W8Pe|-5voTTp%GLs>=h~5<BOoHa3INAYE7-B#SONE
zB3sz()|xAnn&*_)Ifm|4vbS?*q2=ml<#3?xhMhB{%7WL)i$xDIVL3TYeSEd?{4xWe
z6aW6CY=aM+oT?KNR+$yP0gSmv!l0C6V#J*G7d-y@1X*6TTEK@aYgzF%;*cdeV}(H(
z6`fX7x77cmPS4x5=Y=@-YAN()x*hCS+T#MXRX3iYt(YcMWtlhX#(po(Y_yGbZPLK~
zT{=PA>|x*dhrQDG4&idQlY{HWsjI844d5_(U0<a9GALWM+P&{wj*21w8`uxx`UF@5
zYcpnITw~FF{q6^Rb_7C^^)Ex`(@fLM_!)=6Z>a`AfsfIy(<>_{_Z=fmU`D9_?)KC8
z=<MhPqvr32hqeJsFSQ8?1)tZGl=mC74NjGHOkiox2nd01Py>dyXQ^&*fu!e%-n?kS
zp*fI+?P?x5HSNJjj>~U=pfWJZ&>Mb*2Gbbi<K1<shb3--w@XH?qokUGc6lujh&%CC
zK`_b(kwBy#Jw?uMP-vp>$D_xm3sXnbz2JdHg~8;ce+o#lGMLZlEt{=yq-H&7)@`x7
zzu7gr>!a%<c}ufJUyGN6-<ZurOzaXr*j?dn)%sG&q$g6*f74CVCFzrLpXu<J@A&3Y
z4|=zZT;pCQ?3vkd;pcnkZ(VBIEBX>OuEx?)>c_4F7A}2#y}e;R<LdrFhuh!}HJ|p%
zsT8^I^}!bAo)`g@MTXVHju}Toiv(C$)HODuI<jIb+@&1TOuc(=r$!ME(CN};kWM9M
zm#lA-(xnx)bPtzH{vO#Qy@lnLj0|k$;^iHD{BvN?m4{t}30pik7*Y%wk*5Glg~&zN
zE)4I4$lB!H*~y!yz+3WKxs}N2cJ(ej=HF9Dbh3;-oEhl%$Sf`Ow_@<2-9=Nq6ZO!h
z<x{PyP0{Y%xClS`M#&(5<Yaepzpi{y4h$v^XJrJlm7@%Z1T7*eia`~_F+eP!zCOYH
zf43jo4T{B~7Z-V7NuU*Xi_$v!$?9nI1e9xctwkpL9^teXnU?)9Ye7A#waguD8$CL8
zzW-|jE~gl-LU|pIGQr8BQGC4GKflWb$Q+_KXLL<$q^a?9=<)7v=v$=vsFA^gfFfx7
zdEa_=_?Uwzs3oR9w!i3Z{gX&2yUX~X)OvS=2n)>K@jE(}>#aew`gY}%OkE{{a$0$u
zCuyKMYN$2b`i~%mT-b0xg0p5aq=U<)b_5v2TA{Zv0H;sD`duiMvExbcgU~^Go%4hs
zu90zQ!-l<xJ$jJ^dG$Zs%+VC{hc^(HAqmvL(ER&BB;K=9D~(6t0L`ss`qWwb=BZJ3
zQcm_lS5H5CUHUAMr+hRXBy->a0e*gNUfwT?w`^}zV~Qe`@2hR<DEb1sG29x@$n6q8
zPc|bh){b$<A9@|Yk%4xatDfk-yDLzvVCflqh2`e=`|JvN9H`@3Av|pv`t&|k>e)o6
zrHBW+z#ppgjRrt8Lls(_M_+Yci0mb^1$$j9F=3qT%VT3ULX3GyhIsACiu|TePJ0yc
z!4;;zEF}fCFfwpbIkVumt;ZF6T*XBECK4363vLZ4R4@>TakoL)rX76-Yl@X%YPI_u
zp{oy6-IDo4MT3e5!6gN?DWdN4j5!r^g&l<vyR7fSUDSjLtpm0P1XU7YVF_ShZ^nZE
zyPTh>stKI+AHHZGk}?k$7Z(rDr8{rntkx2!8$U=uKmg)Fu@vZP8aNe(bZ3Y~J(5Pb
zM)y9VlJOl2uq!uCJmsNPc${AJzi5x?Vi;rc<|+59M8xast(g_~4A41rGTN9s$<2FM
zfw1M7OlWlge0hm+%1Gw->vHEnRy<X9+0y6)x!q;4?tfP^4yG_#89W4;O8F`=+zFmg
zE{RGs09rZaxP7E^xapT;_XFNMZq!Y`D{$>PdW3qz5i`7FawSv@Uu{J<Z9q3x2z{KQ
zLrQQG(asF*5R{PvA_5{2ir8oWpJuyXUL5pOKPdu;lj-TQvSkTM;9xiQt~F<ehZ8Ae
z?Hye_{9%1#!-tXy?hyQyauT-_<i97ILmH%{faj$gL+8=}%`-%TKJAUXX$h08mQDZK
z-Hmm?OwCU4)<~PP5&h!t4nu6O=R%6u0@>jH?fpNLa&TEg?e1cnjt#Zp_V9Y^;fGh~
z5g}$nnf_Q_-6_dM=36tQ_>%Vq`L{9WJWmrIIIJq8fB=txfZk;o>5PS9sK(1C9YjJr
zeosfRB=;P7{SnEloy>`Tmpb(Cr!+-B2yzT%hU9ZI0X&eITvKHnu=SM8nn2V(wn}Zk
z)~2-6r8(kk5N(H#^uz)*zh*BBxNTB!$5P^$Gf`>$WA@U56e=9+X5&svESK^Pi1Sf2
zZ0$>tF<=2Fk75xK71YOWDr@DfE@|igzt7b**YDC6p(ZjB+<fZLxEf_k(Ug&Q+lYGr
zjPlzAH#*pYEI$tzB5N5i7PzaOoEuw8m*9k{{Z0M(7E01RLGVLTv4D64#Gu4B8}c8H
z!(vLpjC-rltr4&uS=VExxVp<cDP>bDp018ytaVSmbGHqa<ZSSUm?7kLE6rCRrDix~
zjB~??KK-lfXF%aoonG6#Y7L&}zI5KaaW(dUe)_5LG7@Rc(IB4Tnqz$AiA|ZIb{zSL
zE>ns<VXgdoN63?RlDfiG^B8Z=Pa!KT8BO?*3%J4-;)gL~TR!U>m#co_ohjP>ZzluZ
zIZ95w5S`+HU1M)+Yip;bW!t2DCB0$iL0_<mTr!$T2qxy>xEThc>NN@&lu+_Oo1X5t
z{`6AXZ(Gy|dCuHHJ^Lg?!j9gQwD`jEt$WvqePk;AiF)XjDUvAoSmHmSO?!^~rPn%4
zwox7vm%k|^MSum4r`Wl*dZlfEG)!Arb9Zfl5|kpTNvvC6t-1LcDKkLu5#zbW^^`-9
z9iKpCF|c`Kb+H^_xyKDHrYJm7mZO|WAdPgHetTn)EF8`M*_#8QuW#%G1t!`fardY{
z%=h#;T;NrEH|HmSL&G_JN|zmfi2|I4`{)P*F&p1JxpHGE$NPIuCNIh>FDM{l>NDX7
zR*_&qV}Y4q6?D=mkyjMoZh4`;U?izH^i?Gd+ie9iflgyyFX4_SQEg8`(DNMQeUH=T
zTX1I-@%ylFK@O{(PJtAjGiV?U+<<Sb>r3JfTiJZtu@Zrvnj04hFX0*{C)tGa4BFJa
zyA4`bpAu16kE+Y#v=>8bpg86i`{mV%e6xmRRW=2~v8an_P4r=<dEPh@!YkeO=tSL1
z9U)7$`jpkZwK};vd=4Li5W-$9=Ub6$iQGtq#FdDu0_RG5q_y~<B4xLgBf=LsV3Fae
zD^8t#Mnp|tR<mgaMs{k|PgN#l`}hb4P{Y~lauMTT9oGpwd^yrLy=!|K=oXWr>l2HM
z?9r}WHvqwG|L03UJeL6|!b8R0&Se`2z(j*D-REcM`bl(2i~CgGrXq^jUq<pbav#TU
z9RpAo9==x}bW5sdKmx<EtV0B-cOb76DmTM~umLh4Q?)mz-BNd9b8&ds%1<~ZnKG;{
zK1jA1<3(N!w{?CuXZ`dpl=%LGM)^E!R*lUAongDko|cGstuzh3*lYtrp<GAAM2xDg
zMS%7mu1^az%BXy@y1_@i6yl0PdQ%<ccG#8}s0Xn0<p1>k<jPSzqug9fX;s_$B&Y!z
z1}8*g-nJ&DYsbYPi9Gz}G6?UpT{GVL-QGCg?^F?D21jn&!y9EPjg!c-@4DeX%+Yiu
zY#a@*A=y6SZ?nRr6}LT8@=Mbiw4sYW>K7*E3<Xq3Il5O6;cSL>wrK~i2tx(G=(H!W
z3;V*a5)SVe;m=iETjJta+EA`?(!N7unz_GEQfJzT5WKse`#H6}-#BAXm<bgJAvqlN
z$MSf=X<)9yK(a}VQ+bO5Yf^Oh#h~%L?)*JmhEu0PC&sVijn)FKU43Yt%Eo9{j;g0f
zmX+kIb8bBNfk{={b>HHu)8Fol#1i8ug$@ewiZcrTN7FTURrYq_Y`e*}ZCjIFH%(2p
z?TItlHQC+VWE+!h+tzpIx7PO`oORCop1t?8ACOr?meBIN6r<gx5HT?8qQBP-QPWAn
z-6iKtd^<cmMEmLca_3Ylke@)Rx#<SWE~|<4%uT092?}&L>dEAB05c;ZBnEA6!IY&+
z)@SC;>I=_WHEra8`ldPi1tWL!W7=0C>5Hs#9Id~Yz4b5i0T=$?(9D441XWT5b_yO!
z;3TJDF+R!ixT+fYrBUq+{+`-~yqC^%(4v%oU@9bfuh27pYlSzp@$*B=QSm;C>7GTu
z(LSUoW2|eSe^6I}gWh&eIX-6>x&MF@rl__sHmd>(ix)8iwK{-yNLOMTP~zgGM6}w*
z&TN1swGs~O!fsr$X)YLwC-J+z=K;l_K!4S3cF9^)i8k;F%3)^H88)e9Re^^RF04_A
zKnAbdc61FxT1bGx-Kzn>ZNY8rm>!zhp2RF$$bLhH2^0is><rqbAVh)JQ7i8p+ak1a
z631_=@Tz9Covod_>-_#Pnrgr_CM#w6jL}&9)fS=K;F&5STJhX=j+f&5A3}WTZE#f`
zM>%jSVQ<j#J8`J{5PZqBhY8Dbb|&ejeP0;c7GCA=5<AN*sEtrQKYK%RXN)sDcZMo5
zz}EDRejU(6PC^&43`SHLM+ohCr1F5$)17bX_(`zoO@r!oPq?tLDS3)NrnpM~eL(MG
zjuV18KHo-?i>8yIm{VV`+<ucpcjOx;9t)H(qqKr6zPI~z-=II_e{kf3QGo`lcaQ6;
zedCXMRa(b0Gi?K6XQ#-%JJ@yxCl=@1iljDeyUdz#nW#U!Ez4O)?1X9HM%^rF#{g}U
zxVHm>yc&O0)n4T`zi2$8puY<)G4zPjz6$!V;!~;6-7k4pqYw&t3Nwr(DwY%)*0Plg
z2Q@)DrG^_6W+{+HK!iC%o7z&#eF!T8(%KzLv7jo}P_OKK^UEzLCp^Vg#YzphrBOK6
z0{})>!2huTtE6H#KJ{Hs!B?4kNL+_PV^OIKFq6i5NL;K7$4EL6pBJPH{5COggED5d
zY)|Z%M!as?jQLsx>}%O>FGcFaZL}*YZqINJx<&)-TW<s}qxvR~X0NEm0+&$-Cycbj
z4h9{56ZEnwKQ!hThKW}qX8&wEvp}lHz?l`8-LjaZXa4e5F~b1cqm8JRJF!#!a50<A
zD<Q`5AkD)D`Ic<fX4E&Fb8D+8><pEQIj)Dve}`AIG6vH02x>6Q^G~6tF1FrPj9QRz
z9UgaKI}T~L?*jF$&>1f#zzw@x!y4=EHuQd+&5?#qdZ2WdY3Mid9Xi1wt@^W&WlQ25
z_W~~XOUU!h)zucNRY2&lO7rUNyM8{D%Q@fA{Ipsqsy`GVQs^^l8dtitSF365-$kCC
zM>xj<X(3vz*t3~;mryUh(&<{DqXFF7(C|Znfa+U6MY$E5W<72<?^$B3PjZ;r<X~b&
z1)xaZG@frjWodIBL=XH1!zDy;Mid?%_2yrEus|ua*`?080b5!HJoOPAOlVoEFm&s<
zjZ^8gc@ja8bmuy8NVP(<(%cL!)*+1iG2Q|K>Nrts_~Go%R{X_0&D-JnXVEzQkAqCr
zXQs3TO%jl3D%_hHc6xr(37So0OL@O9a(<57>%8L8%=t8zE9IyE@`)<SlBy}h0R*dW
z=nxRL*`YbQmo2n?i_zgMsea=5CsNXJSn=lChJS6Ei}m8kh99eCd2PJ;KZLQtdQ>W*
zaBHTo(99Lbv+m?VD<VsYk5iw|(Hw{efL`Lj57f7oZ0~=Dgot2lgPtX5xn#u%7X#%B
zUuJFAUjOC3(s57O$}&n*2iNFfM4cwzM0|L7=zKZx_<T41e9is1qe<hj+ltxozPFlQ
zf9QSJNv6x4H&C6LpUs$`(sp+BzrSm+z$vX-{Q#eRw&LZFpnJcu7EFg2T1xnh9KY5(
zm15r*m;r8nh6EE>xkWGHe|L1W1)M#33eDlkt|VWV`Rf)TCktMX+7Ew*5PAmY*Jl}c
z3;nxU?d`ZK_BW(M4vhv_YQeOpoCn3Nq9!~fwO!OY^KW2?4lzGccR&N{;rL^&px4dS
zw#1fIqm)#WMO1lK<jFWop=NaiPao-U!rk7})BWk<><FcTdNwXNLq)d5Z7ovC`N;ij
ztABguX6=xPJf}Ex<`Q#w!^ih7rhd&(XDYdI0uA`;qpD%{zsCz_FG`&%c(utjda!!E
z2NYiy3=t5)Fb+_VgW)RNOB$Oa=t6lBbdzy(UprrSxtsGSlLd6HeYqi-aljT%uvx{|
zq91<68k+t4T=tVSz0z(RSksfY?P<2$8M^P~ejWA*ChAM)_b4b2CX{Whgw`Fda&?h~
zI^4n>>7>Z?&v9$*1cQ<U?0`jeXT(32D!JlTXuTn#QlfKU5#oyZJvoaGJ!K=ohnSQc
zFd8zU3kbbnnUDum0;c_|=53qbaA@CsTKdt3(qd>*wY3Aw9v?iS)(Z45AZrkdE3~lg
zUqkx(B(@BR34a5nu%wl*{5YmeANwGfLIv6A0EUKY(pdMq62D~`1w3Wy-L|nD7g~D1
zL7@GhAad9uNKuofZP9bXmv_|sFfk`%2rh4T%)PtX5RMej6Nx7k94)UB=k*m|WuEe>
z6|nas1P?QId{Ca61W^ibZuvHFxJ|~5lJirhY+bz<7Fq21G2<j$1a@)+^p(c|`gP?&
zzlr7vb(*0wQsDM>Ik5qC<xH<)iuSv;j4(-rTMb2dlIqVUU~AZ;Dd!j6Zg;j(DS!4S
z7cWrwjrj&(Q^%l@elH!cPp$JAdT~z}=F|@gbNuVO-FCr)%Z~v`5rL{1J#e4)gR&VB
z?P6V@_m=?yUQS%uVBTZoS2uqq>L+!U1d;rZppLWT-}Zb6^K|=u08t!i;fr5OmD?cK
z`f@+s4g+3pb8`j#8w8FJ%N_gE!}u@WquMd$tCEv#iGAn;x50{Gq3QMQ^6a8UR<Rno
zeRveOe{Ov9g*NHkW>q42Z@ng7iVN(|1v4_&MG(YkfAIUvu)BReWP$V;2n)7Xsosi$
zQ?uc`X!2Fz3F#q*T)KDQ>}`1I-jo1e;zu>zHEm>NF0Q&Q0S|-Q{u$H;!D9M%Xpe(H
zjR83QfGF?52hC6h|6<EFR6ZDu2$+-A5+(DY$!2EBjb#VbyZ1jI(r%k%T0a}eVkSB%
zn6Oz)t(%XQ5BCTZy~tzA>@!cf@hmlyTBCMfJrDXn;BifhX`uI=NKD@35;?oqzFxh0
zQzEsk_8qK!yzp6MfS4dJ{$a3l55&n%DRDHIaQssT94)aEty5;|S6^J+a{m>JWUZ$`
zC}7>b^N(l9F<!a)K>7Ctc7_XXPDgx|w%O;KF&2=uv;W64l_Z&oWVne>dSSnbl|4yF
zYy{n9C?e9pD`)Ci7>8f;s@L7oHp%CcOeB*3{k*n7DKFXqH`Tz)^^W#30_PTz4QUNP
zYp}4$9(EX$;%+D{O4d}~re)@^^wbOd>A;)X`84WkN3J{iAMKqLb6g9IgzlH`*iG*V
zGM=QKj#1z=UEb_Lv;qP;M6y)*z7aSbo@bPYc~awqoXk@HckWDyG_16GqZ&k~8B>nc
zOJ{mptd!oMCsIQ8wN+r>x=|{p+ZgFCvg6Q4^ptoObD&HpChK0|t9a^f1RL`|pT+&>
znr-{K^j9PRft0|T(qR;Pc=!-7>8bY{{G@7&pRT398inO=#+Hipm~(AxG#<}uc9aTK
z++ubX^;`s8HgO0X;{>jT17k?UBwu?VTY`rHUi4Fq%MDVx#%8f=l;9jn5y*W9%gf8h
z$8>8NXvjZ#i@h=z7MJ{*U;tcNZ0d73>5OBCSe!w;+s?HbMB~3OID1>eqLZHVYlxvK
z>sjG)1pU07yzbXMHc@3Hu1I$&RTEZ1wy$Ig1dtxnxetU;MWLO=Rbh~>1^sXK0-i5F
zU#33aHb34<L_|EFx>0*M$40ntn{2jHd~vmxH1TamqQ2L@KpPPsFr_8*I7ojFF(UaH
z%S3KG@~mTc+s31O49)82jHFsNJ3!8y%y%hU(6a%d0}{C-wj{f|d;AH#3a=8_>lZ|5
zc}+YH)hI(df$!l{6R-b!ARxY)6(p6(LkJE_3+W-C_yeS*l0hW}Wn@_BcB`&CGr_^!
z0tc7z2(-kvUOl>Ai3D-%DoGgsR3xt!V?@{c>>7=6P7Ecoed{wcQl`OF{4lGNnllT&
zp!L7EBQwlZk|6x;{(=-niX{p5%e%)zmQV-hYP7P3W(rYLjo^rqS>XqhIP9e{Y{dy;
z@)l|s;7IqIrr(|cWB`!kX<ggc?{<QxTeue+sYM@hHa^*`<9VUrIx!<%9*-Nu&Y*f5
z|E3OAmK46U<S_9ia9(Gk5(Sk`2%<UzvPa0cTX4~OJ5SwY$gsMHNXAnRSrg^qkpv{W
zxjR+|&?!$T<Bm~TOnu2HaUL<Dc-|lq%)$ejq6a7R09ZXi{(qp`5fSjd81TMJ(&csc
zWYV>0wva0qCl08Umaam36MV09C2n%YELJ=s3t{6y=woKr5!$K+jPqzNE_Jj+$KNc3
zV}`)=V&GM}d;=0{YW&%0)<xYA1}i5P<PGiuGsp6dBbdjId1diP7j%Ra{fd<J0Z;n+
zoaG~E7Gktr_+ukXmtR)vDoO|v5vz~<pt2oj5U)PUOTh{%OFeFx+Yt*5$<EC8`4{E7
zYHe(rsiZDAES6t=ksXkJj<T&iIPqs8otb>IQ2nt^ldogNEg%^em=OmVY|$RSqWtP#
zK_tY>4?&U_%bXI?k(^+Dfn+qxVM99{Cq<g}#(Xjrwgz1HfZ%Q-dG&U!Gl;^s8FlBu
zsE2{%?G{M@g~>L`#Y&y(XH7Sj%<~#U!+^E;238w&c>n3|Q8IdL9K5LE0z2ig)OY(G
zlZamkghi9hdW|tfR{pWH6Ct0&Y-zGa9VKHziv0xsjp6m9r|09+{}cP^7&jF+?JYE&
zpFId*UQESvui0c}&D8!77t^q_jpujf86TYgdHVSh@R=I$;b820J+R&5k6VIyA$ca}
zQMgic)*4E$d;WvWp4U5PcB}@F;Dgr<6@FDtB<4DS6NL{e)DQb5g0BITF+v5#!a8YE
z*pm5|e7>hBP}0N0y_AyJYGi!(?@jUj-;VI~8AeCwW*KR(9>+1&2>G~Xw2-j$C%v>s
znuu6S0khihYrG2yUj)JLn29l`7<3HQ(ymT|YKAgdzg=3Q0V^;FP?Mr~p=UH}2h*Ze
z3i*Lsq21--+?Xf>@*qaJmH+6*>_m4_5E@!T)K}O3EA#Hm5V22CXAEL6f8N|L8cRSS
z(;BsKqP6)wW3;3j8?}3iISPtpOvwMC<)t7Nn`wLG^1h_5!sw_XE9%|OTRa!`c|ck#
z|5r_4Lpu92xrZ1Oh%zctYbt3=Kk4M7Dh-^4^}BVw?@zc$zg4;|X{?fdX}bgsd9M!6
zW4W0dsrv@91yvJce_GBw1kSZ6&uE~)ZKV^?GuJpMxZ5Ytl)p-|#;i}}2!+Z1JzcCJ
z<An~<OE6Cgi&7E?q%}d3*%jh-Eew@l*F`ql$P5OPiF%XrtZ`2&L&Ld|^8dYF3HjKX
zE{OPioBF)#dV352zp%FKwvgNhZ;4||hA+S%>iC9H_E*HF5Jv`HD256IClC@7_lgD_
z!{RG7JgBwEX=*`)&6j(&`PEyjW^NeI7Bi=g!KpyD^F}<)%>yG6lzR+&m?jnR+~EO_
zV20Rh^G&k9X!!+qC&~K7W?cDWQx!D2O|4WBM@H_6oHIQcLWDxCxWqFnDg>2U_TpzC
zVi6<S+R|_=vzY8?q`w~>+?eRa`A)8FHi`J2pZ3ta6_p)7nbwL*Jy$S5c|DAe=o^G(
z#`)iVIU8yCEskU27-NPOnx^(JfcyCZvUJ$|SQY8vz-ZKK@xe`%iI91HeH91+AtghO
zz2EBbp8!iFL;xpcbHbGVI!4CR?{vbN#iZnRiaL?ylhL#eSc6IThlch-&bnlf=Q!mM
zM!t$oHRKD3wBUtqSdHD7o=;ccR|_E6Vqkk4d_Z(e_D;*u;17k;{Q*S|!DO#*Csfz<
z-CdG5q`8jB$&J2)*}<Y(Lad)P=xh7f&!pLL=nrt!vwRP~T0?_ouF{*t6#>zmzy@<V
zI{dq8u<D8U{9!YT<SjU`*8<h6%fs6}+re0JdsQIPGvR!i{qE;4!8&@H<Kk5kJYy0B
zR=Q=8yX;W$<rBD=J(}{|&8aBz<tb{x>Ti7G+f4pWT2M#dVh#Gt-QRu1Ot|+0n<XS7
z20eM|zmxj$G*t6>b)O3RDlo@eqodE}pP|M(oF7asHUv(+4fE1F+jwNvR|bTv{{@O}
zi?%d2FhUM^x(4Ma4|uXe{|pj{z!%NvEMB@EL~0tB@9y)-!pMAoI{QBsFeuk%x<1ZT
zFLBNdq*2#xLKAlp5e}$rYkr(qG;Yi{Yz;YCrkSZ6Ux?d4&zkP_LAreE7sSrg%_aTb
zm<Dypu&RWICnc&aO5ybM<8UWypJ6mF+dw42j)|})9-uvmo};j|v;RDBb<?}|{m8}V
zJ6V>1>Yto^Fr8AS9lFTdgr89BF8Zwy%X@d^UkwPMsx+WIgUG0PvnK+{A?E60QvXaw
zA9zt2Gx87*#a_)so(!N}7^R@4rGP;|l^NBdLR|JuEZR4MHUXVaJIf%sZ5wEG0YrYK
z^Q;cM2e-N(s4w|^Q~3k|LT7tVd!X0|5cv<374wU2t-A~ig59KykykD%arD?|RChZ_
z8cC&ml*4qC;#Z15L#II)7jxVk)>S<%1gRYSOz)!a>}XwBU@iZ%mozfo_VT5uDB6*A
zrPcE;iHEytMriY~0qY97%j|JsHZA!{P|3k}XJ==mz4<F^IF$19ciY0USjYi96Yi?E
zS|3y7?$#;lXeZa(*8$_?M>-Zw9SDX9tLam12P0wM=LivBKhKs+Gd42IP{+|o$`Q9i
zmyDBf8lH)e2V^`jGOd=bX4E(e#iFS0FO1y8N-fOUZa~5;_5r=oAg#*hO3JW2TLHaH
zM3d8j^E~8$UB;R7rn27(k5^k;%d?hUpX-<ZdMFUi;OWu4Np2w<jT?(5rNsYI{6Nb0
zE48Q8b$Mv!JV%G-BD4}n+&;FiLl8zLsX!tk4vLp6@U%6J?pyOd{~Uxdfg({wmtGTB
zTI;Pe|F!+a=R`>$dy1?Y-2S~F0@WQ>K;G_Vcb__qdMQL3dpuv!k9q|Nd+{R67#Mhr
zI=@(~)hT#rL2FM{<Mug*?|r|XIkDc62A%?m&ylW(8~q1aU!itTU^p4qvHv&1nn0sn
zN?XH=L+w<fB~^(cFXeQ2AM|~gd47qwV0AV$ox?A`j++jCqi@K5CI)=L+cfxVKkb|A
zIgT#RA@WXcBXnNAgopS)ZUHVwc4c;_)w^}N&4hffZuaotGe<ljR5<H?a<n8LIEwV`
z_Z_I$<(-pGmea?D)8%5)RVXDFGGbmnwPB}9YfP0@&#~Stvu8BS78X@KtLyx!2{x*E
zznTuAQOWha-%ss&UB4uKdEUD=3mopfIW+(;E2pW*i(S{UKAhJ$V&rubz3K43g^@C~
ztdH5R8MU$N=O45_`}nv2tw>Kgi!=-4^UN20lfXh1)WGAnyoF6;z!LLC)nSI;aE~)|
zy&$bVr>h}q1gyxawre24K>iSBLx6)8U4HGkJrq&p;3eKNh!)*o!HxZuY;V6XGM|+f
zeZ#HMMBNiMS(kN)^vydkm0W`o@Ci~t<p}$|?57$-w2GVGUL9?R_;u@d`<PrHzpV8>
zYG~rlJTLPG?|hWdk^j&d+pHG*%0<y6Jq+~wT7g`f#*!lxVs+-p2~(rpa$Lx(I4<1_
z;T;c-q$Q!sbC%5c%h&{_2plShIfIAP08w(~_;|ovF#55cmQswit<56`gVC)~h*u3D
zna}l8g1m8xuB7?)$6`$N__;%av5Bu1+r49LBsdLHMB+ytN$90hC?^UtUgmotUp0d2
zO2syI9%joAX!+G@(N+&Wwwiro%+~zkh)kTOE>!`FD{&U<2%iwK!|lF;&CiR+?l!}(
zzxoFTo|l)OkC*8HH7-dvdi;Sw0IUm>+)^re-Z41I9htW*cAtLLo1G1JHjx6vY41Z_
z*^?I;d|SdD4dGvlKPIc9sg!D0S$i8+w|9q7$#$L(MLv%+Mc%-PKePS2*6qO?4S^Q+
zZ51VX;T6^>;m|=q)GNZ+K@LaNxcK-~IdVjJp5F+#m9?93|F~os*R-M;%i;|EIyy%l
z-rinbZ0U-CD+Drkap)x-&xYR$L&)FA68_@t1e20-MO{O}kp)^3_V}RLfZ>qIsr3-?
zDN<=`B|PfKI%!Zia2LXgXbB|28l0FwJlXxVmO6KD2mqqCAV83S8bGQ*1~|V9q;A!C
z(o(ot{Kl1mM$<<h2<P(3pB_#T)*B3uY@DaTrJD95Iz9O}luPkQDQso52tkyARs+ui
zR6oIYM<_??$baW72Hr-H2gk9*0tO^^*HN|&9bB=(3k_?>*vDf^XlQn?IpZ)l4<EX^
zHVUK5?Tz~f15_dCm8An&wva&5=!O{)9TD_Ur@3x`zqh-SyFWez9x9}EpEjmgVoFN;
z{dyNntaU%*J0vNY(V(aglH6GmpP)sE)qwoQ=JL<R_d1sGCJSun9o4nM*^|fDh}VdC
zV&>{<X`OH{H+Uoba?zg8!$U`|9x}NdJYK#^m~LJkcJr$>079VZ16#>f=WTu=w-g2J
zZjOCQXz3XY{LmjL_LqE`vM<{8FwpJC1$gpM@pzgDkD$rp=_cAT;BA+r^W)`l%k=#G
zLX8-LXN*pZ$w3Y=>V*%&l`DM`OdCYtzIl409K=ysV5k_bv9-u1Xbbqa6OiYSj2+H*
zCwM=`q76vO6>JM^k!qe@$i`7VT|(glsvlOx&U%`hiw2tnV34Nx@*Uj=mrT8M^h|G0
zZ*25<Z2En^J;&qXrt)cZS(c5qkVTY2L5BUbh~fzr?E5Vyfvi&6r2{5GfBz&AT(x>G
z?0L0yy*o73>G^VYoJgZWa#@fCD4Dlz)R)Z$AD`wlq?iBO?LPZQOE2`dj9-ANFe#NX
z^fxT}P>rOmApL$>90)3v6yz{P^y#F0+K|c#&AlE42_KXeXOEJ9dKv>m<N)7~*@69{
z9A!+?oBk@WQ32MRRzRHYI4%thjYC|#OaYlA>bd)skqkTm40Sq#B;GX!13ue;0Na}I
z2wW=IzSYmiZ;{m;kZ<^so^kOcVpx?TM+mCl>t(2IyuR+!EZ!=pr8It7h@pcM{DGbH
z?8qAoiwqcbmB+yTCec@j-Fx#MGUbdos97efeLhOED}<yHW!*PhTQBfL?$;iZTE7et
z9GbX{#Y_Xn1aJ*p1YhFHiAhBqpAE(aU*1c+lL${Zk<ITF&}kY&Z3K!)ISnD8N2!qX
zld#>Qa$nX93sB!!2r|Oalm7^;4Oj3IeKrsHm?a@49ma>adcv(e#D1|hyWVoIM}(w?
zF@L_9ugDE}etz1+Qx*sRqz8@W*Y|@LzyICo8Asag2EAW$_UtNa($%=PR4w`4pCrV@
ztjH)56ewY8OIVZo@wY2D-%O&>4<fspq4M)q&l`g}QTv2NtHe;>L`X57U=Q?^AU63v
z)Q^->b^-T1m4rV@NXt<^7JEj$HbZnM`yoI-?VGdZdeG@7CO&Iiu_NYD6*Y*e+bgX^
zVCROGT;-rBn?x~i3d>UOpPLRRbg75oH@uM&^J4Yna^<%A@-@(aM3~q6;S5v;QG-}w
zdiJN-dFb`&l^sPSQ}Ab+n0|QTQqw&RBR~PSN6fvYf{_!C8x|cv+D~uZi%pNZ=iod5
zOtdS;Af1Bf^hWZloaOGj7y=T=dJr%nYj-E8{PiHIcK%h`L&q<L`VcQmD3cc=o&mM`
zbLYPFqRP%<pt!VXBCJBFhZs(>KO8Lw(L1vFN)ZAc@lh?S7n-O~j0l7zyj_7iZ)^9J
zO@s|mmsFC&3@OB9Gm~#=T;(md48`h7@Eh!ul~O<e7#&N89Za_Q#}NX_EG$_;WFtYS
z%k!(P<@%C<r#_x71E+j!;ogLLR68(re&~o3@MxyTKe|598|xLIh}QO}<2@*reCALG
z?xS69!3BrjfAGlnJ@kWdJg+bHKUr-M_Q|Qfehksj7{6aI;9UULLPx%;vUuxrTW<Fu
z4`O<ySR$si##~t`?rAs$+JJ~&BEGk;At4|=%?pO~USgs;5^I)Ww<D4w4ivHpnlh#&
zaaO*VsqRtBjQrmK<ex412OJ$6Am*u7!sVIx8w47`S4pr|J-bkY%DHj%;$rF6w22r}
zm|jkpNGMTu@FrL>NBA7>6tN!S7hy%Ht?0gl?uZ^O;BduJSCa)fCr>s`ur7pEZO8h@
zZbXDAkSI4xT*IQ)K!XB@)dTQ?Ys<znkd9R+9^4*A_I?Pf=i~SeeeYk)e>*m|J^!(7
zUvuK$#y6kOK({%MC8o|Z-pCCb4W7c*Y}9eeL$lF~wD3LQD+E+)3#O@R-ou0Ca*~cL
zPEm94p|`o+46iUBc>W>sSz!0-D&~%av}~0e#h!dm31>B7zN8K}smhU<9F9zCQOl1A
z?BMSEV49gI-^kv8>$~ZHKt+a<WdVE&IzZb_G03>L$5~)+pZ#DFj+v=$2F29LWQ%^V
z_en&s^zIC@iK4FuEa%S8ng%szo*4=J%Ie<xT$x})rc>~WNh1|o3GOwn97CtE+@dYZ
zf*diAE(#S0;qgMTgen42yf>qb(0-fDQx~M(CG-!bFZwg+sHKqsVVq_I4TR}NDQ@kH
z@d3h4^WZ6#4I^gTuHsZB<f}3G=q*DPYh&34x?OvsNYEqdLwocL_=3RUWxC?gU=`Fp
zHgHB)=WSfY4li(^Bj8>lW_4S1><9r_dd5Ehq`<YbEQ!eeSYZkd;oj?i)dOmpCdaZ}
zFv)lH){7w+et}2@Db!?~tM8|$(a)I2#O7vQ%+F&G;yg60@YElonZoVN2lTctE>Qm3
zIw*r2#FVLL<q}j!JN9yza+GAJxpmXlT}`UfUl(fvorW$-(RsfA>JIGHFo;U-{vjRd
z#8oKVD4v9#kzZZ`XKZ9v9O)dzq=3@~mq@4B%uz{})hnq$Mybwdrj=4HvwwEN6D;JV
zZ3U&M#vlB2G>^8wJi`blxWGowt?>hU!)el>#G8&WIzAfX_W5k$bkV^GvRf~s5z;?^
zdhwIfLWoGNHgd;^4l;zHy$Trot?n=5SI;r}@xZ&FykwszbiuY;DM1<1F!8Hs=#Orj
zmb<{JZD>(U&xzKDm>OG5;zg7ER^6MjEqo*_?wnqyK;+d}5~A*1)Je@|SXXzRUO<=T
zwBvFDH0BsPMN?Lz8ogB(XAIR49n%c0yms?%H9hop)H{N+=P4F{|9`~k@G)q|+)=EC
z%xAR4+FF&r|6TBeLAq_hxhx15);1L~D`)2yYX{uHI8a7L1Zw<S_gJYb?Cq=}Yc0RV
z81gi9rXX}4Z4~7xjNItAs!0LSao4tUTBHYe7*OVkU|0{&V871jjI2`u<G_fnY0iMo
zQJ?9IFPbSo1ApBWgJ~)^91yzJw6|!D?IY8r-zjoHQ*EpJ5#XxAfxOwx-7J4H$B4tG
z*eW6v@NxP1-~eP`&H30y9Z4)vc~RZ8(Es6WobHU1VzU%`45pO~#FxFpg<{SX_VM<1
zdfrLJ70owKL}JBJ)|6izWr(wBxs{t;(Sk0$KTglD&rq8X%w(*A7lJS;JEEk^b(`D@
zg>3D09|J|;j_U@hI(ns&-eZ$;E&m@2fGHc}I0@7ksP#DBZk(-cRp^zs@5T=2K+?}r
zwsiD1B*JGgn_}8D!x}D9Zvp>eyArr|XYbTe&XD(olQ;O-wKob9>^{lb3|HB!&%K`-
zif-}NUhx_nSN4l_X^hj!wE4@}m^O$@WJDe^z_)mr`mhyPVGxkIB)P;l7ZWxV_0sOb
zX@K*$_38YE>(@1Q*sO*@6Mfo{m1i3=Rvl`LTFUv%?D&+cGFKs8pu$tt;y4yVRhES{
zJo?W{qB<R6`a`lZl#m1^o1suS0l~Sxfa1{i1gcjZZiOp58w#HlKFX*;iSa1R!9G>;
zL;X!?PO_X2kY#mq*V}%Lh|ni|9-rI=^cIfkkZtX;md#nS$-iByX_G+3eVbL}kW=y-
z2Qph5$PeHQ^1c%?#z&^*?)=`XNRl<#W6e~pY@Tq2T&K4WA0-vxs1%L6KG!DGYyZPd
zXx3IhH@+`)DP9YGw2nM~hF%(8Il;8a7(tcdRf<mmcZ017`FEu|<&_mg&&(-^F)-Wp
z`<<v5YNhn#-bXZ<?XljOn4#vUI314Tv$YntLdwgp78h0qFt&%M>w=K?cb*PnD5bC9
zGf9@f9AfgA7RXi%6!oYbgH?}gh09=nM{<*10%UN2VZM%NMwuQ)LPz`H!~nFlVb?{4
zevN*uprS4-0ht45JA^!i#mneLYGvR81jeu?l!J$g{Yt5>kGj2oE~k8{hABKRYN<M@
zZYg5P=LL-{|FVG&*f^u0X?J|@lq2V;>_=3R{M-<k2ppbCM?}L;nZ|LDH$IB2!cYj#
zF?jJHtb;yVK8dLK7G)>{34VeJWS!vHSRiT1fiAmT61qS$w-l<ty?t>+m!7lkSw5p~
z#r=CC_vn-d7P3#VbLOpIel!x0{#?l>q6E?&`%3T=5p7}f14U8fr?X=|tA3p)V4tYL
z_Dh?}zxI1!g1@XgdCA*)TsV$}g{AZJ!-sSow7+j}Za$=FD}a(wv6iFqSjYQdt`jqK
z1>?{+dH+o^+-+%DM|*f6LWdwW$`e{`&K1-<k;}X^q_y0UyggZ|GVWel{LnX6Utj+Z
zp?y0w{=9iBIb5>qQ#WDozI$Th>al|)UQ2m1YqA(wG0B+Be8p<t$nKfk1_Ady;Fb8_
zJZ{b^+HSSJCGOLWjY_|;I)oRQ{gFe5FMT1lbrU2uG%^(3g47`dYZHaWP~=Q1u?Y2z
zc-FRJtyfFUAhUkAu@g>NWl3)f^Rz(1q=Bk}(UHab;bA==$!753i7%n^1j?t~vQ0Ta
zgHF|vMF$gu#Fg*rf{D@hP$B2(-*#w48Z}kfw&rJywNOlt8MvJBP$(ZZIZB|d=rm4)
zwh~2s#!8^PXW3^L9JAU$2-}a`72nUssZ%jv!&$n{%fI?cRO+eyhlX$DyXp(Lmpzc7
zl0SZ;?eDevxZyInO~T*E-2o8G?c+K=0Ib#fV^)PD(jF2U*9_)&KIX8_T>I2c%%HID
zzmiK33(Ih}V5-g;mOg>o)&6E-X?gX!`H5ol?*3AxrEt`%jkUwSdC$)f94giD!<hEV
zTsPZ%bw-zL%wK!a$EE1xiXstgmbpr@s`(H@a1(=NSoDz*bNIFSkr9x4v)|+T<7UUx
z^I^p{T==NA!^Rm2A#rXNAtCY4PXo7X2an<8ScT?U1V~z@t#cSKvo^y>r*1|WcKzV`
zp^XJf1qCZ*M$BqH3XJc3W32~;H78=cIC<EI-YS;ro0~zNh<=oIlV9oL8gU|B!CUmd
ziTtwe&>dte56a4g^a;(ISz5b!Nk~4WZDuVb=yKBE{qq+rtVxGCNb!pbwTz5U^XEk@
zV!9F{Q_6KF4^53R$<#N*^5prbK6@Sa-$Vkmn<MBOgN0)cO@4?C6Xrb5_tZ)A0i&Gb
z<jphSRS6$!O;Ti8w2=G^p+-qQ)%!RWQNeE2fAt4j&O`|wFr`q#O?hl2EA>;$O6Ym{
z*Y^uCdix96A8w)Ki@{M;K)#rt*M0GzH-rjzX=G&htFE+%Ig3`hVC{R-fuBLips?4!
z&%?F4bR5&b&n9pPN@s~U6cPTYkull|c=xG%>N|7Z^dVsHTblb$;MQGj(d*(8Wnob0
z>b2cKHiOY<tcv}y-a|)#!Px#SdOd16y@X!<$LY0!y;%;DfMBF%hyVLa$)Skf>pRGX
zW}5_5@lY_Ue|tIbOZ>S7HRB|Ngbn#xct1CuQ;1zF95kkq8B=%m?z?fThH1X{M>bZO
zq=>mD+bE;Ee6MG|ePE{9c$skr){Lvm5+1xsOdQ`(%GELc5gm46!;gjSAa+YENd7t6
z#aY3TWSH8%s%Uyv8A)}aBj({Om^r1oCR>eAx-fb?Iw^U9re$pVc8eqJ_S#K0alm2g
zB}7PlylWHawZD(7-P=2$Bo(By@%b_Vs$C`Zd?zSBg_&#r#IfnwU^S3`|2Q2N!o7cI
z6duSJB?Nwx4;#qQE5fq-z_H}vuY&9Y=Q0m=-jngGIqFv59DQ*KIwa<*{2JWP5k*;E
z=={r<jyv1*bqgWxvPw$?fnib8cX7Lxev4ynKQW=`s$HFPGp)`i7>zq%v!&5G^y{-}
zXJFa`s)*p{nDOV!xyNSkDRjvgA{MH;eT_YI8$nymzu#YVb3zVzty0p-^XlejHElr_
zRk2`=#WPHUvC!74XaN@VvP1M!3;|#CR&IZ_9cSq+H)755Z-ybgsxu@=C~3U9gV~!1
zdz?OEv9bN*<71F}!qsCJC|(D2ue|RO3bf@ErKHH?F!5B3JH6dx7f6tP4y}}XcKRz9
zW+t4)>1gbX-VNVsCV6~I(mRYCr?#!{96;Wr7;w*OO3G}0Vv35v(`PEW#Zq6rx8){6
z{x#qQ&@3z5YWFo$NpTfWpD=f+VT^BVvP|}40J0vC@xeq#4F|%N-XIT7M$PZCXU4tQ
zU4<L65%WcHG0N<sSNvQQW^UGG{qB(_iFi|pFqx1BJR7h`D0E!!u@p;-&M(m|3h${r
zJ6a_=Iboi!A(B3kyN@mR*!D<)Zt|Hs`L)v4vP0hz(WFzdQMbH;e$5&pnC`rMl*GQp
z8fEafQ$BSyDssQhp;n2e{msw8lV+6DQ=Q*-jr<pu;a^mUZusrj+xpvFqxQgS@FNDW
zAw<QF-YF!DU*wZ&I2HKUzZ<!~yh>L7qu&C;-$r>S16AOI(Zcmb39krDb<oH|S#c1^
z5z7rfG}Cov8oOAT2RJ?Cs_tshnz&G(5^@~j=PPd}`j`VUDZb}J0J*)}cceL-*^E2A
z-oN~v2OWY%kncCTRr0l`_*q;b$im%&J6jpF^T%e@>H2(mM5VRP+Z&{v9AuJLx6wZ>
zcAvu=OLYp@!{Tk;c9=O*n};)j<{f3S^x-Iy?Lj<)IM$U}Z}j2hQzBgRg!PQp*kVT@
zCqg43j4wg!>s>R8S>ECj9Z-)0(-ZNtU{S2aJe_}=&o1#uOH5=t0L1dbMmNym)oA5+
zd^>ge6Wf_77vlm1Q&gdYXDB*lI<5EGN4t<$wbjAXugv3|LqZ{J;}0V{>vP68tNeRg
z<XfR7)m%^Cnvewp?_msrb-+ALw0EEyw|UQ<sQ{MKNz8F^)`rQnYC}B6xb=hI$yyO=
zEooI3`YY<VgUL3QG{HCevGndno;uf-7WTiV3d!>p#X3bh$x)KmIzgpDB@Aa+=L)qL
z(T-k?v3!0we4=bnw}Vkmy1`!!cRS?e(&<NI9u2GdmcU2H`Z0qp(q_J<SD;d*==DmR
zLdMu@*bO9ny>QEYcM)V$<gl-rA_}DO4}^G&7^7VM>?%~>I@vTXY*-!MonV4Lva4+K
zSgtBX399<J>e@0KCA>YETWkgzfj^zXzNf5%U(g#-4>`nrBEn2|y(2GGfPB`*4_&Mc
zLi#ZVslSKaLQ^+`bh91)F73@-sFr=V@21Tb_q2;&#o)n;1mGL)soZxmvvLgc^m@#*
zD3@a6oC}Z4Gj0%z^Q#)YZc0ZmlPVLajA+NC;TTLORQ2e_Dgr+lNKXO>1t4D!PB-Tl
znTfVQ2bz?+_D0*{5kaeuNfZ}B{A=R!+l@1vEXrgccT-w29XkbK9K&LhU2kU<n^Tj;
zV0|E+LjAKX3LGL38laG?V621=GT<p+Ziuq0&`L((2rfr%F-7-heMW*;I19I}5Co!*
z3#4T<i(Hz<PWL=Md%-%2=#P^z`n$V#cELVA<y<yfxbdmZ6$67q$|zH!*(W;I@^n|r
zRx-1mHHG7)qcjgj#9ojq91-VyE07PX*=PRj^vcWoU&GDD(mabL&Uqxy>DN)}=49vi
zeZGr)oOXS{hy+%H5m?e%hEzw84aWLt>GR>Ij=9N@ZY=o$VF2&aRTqLO5`f0J!FPpp
zWewJxCC49xD#ZcMrvZh!D;I!(%mP@M&c%YJ?t~t+3dm~vWU3fi;|9X5*f9>L<WHLs
zMfdT+`4#+i`M+Ob!VAwGR|ML}i}aD>KlM_<qI>ORBYt}*?u*YYWQ2=jz0cGiBNZn)
ze14pNesp~XbiF_5i{eH<8+hf6HA?*;%JKu+7&&{pZ#*AEOTx8w7*(vpP{%Wrm+O8$
zG|=nD)Xe29a37I65&P1Vz({r{cKAM@JjaWC-0VOj?Z^=pNM!G);ZRj7s<@%FY`<hE
zx!|3{TmC`B?d*o3$RI;D>LAB}dYg#G6(J(J_}u)c`BWIL`X$LUyIeWmoDb)lqF;r3
znduzd?2L%On*h=o-|rl1&pu<6LXAHZn9h)|=?hgVDdHO&I8CJM1h|ahQ@SZq;dAl+
zy0*Y5q3=zyuq&J>NO3P%&2Sox^${%sN2+=Lo51;}y;ZP_7dA31_Gej`N4Pk2xGP4e
zuaD=z>sQO{rgQ6iJ5qI;#O0CYWze?DO(5I8S?I{4h<1J|cJ?}Wx7NCCaG`xz4c&sG
zl>T8zBfXwJ3ZrpUbcL*Ww7fzK-1s47=)?^1N-OS<H<9@tdBl1Hz2JtS0o))4SbW<c
zST0z50#GW|yTfPh=Xu*@XG9A#(1-Ty(2Mb4fR%wJUq_pGE@NnZ$zkwI;QcCB{X=S{
zw+C0Eq$erVwsZ{`OPq>wFRSO%mKa`WDdfvm>EgMhi4|t8n;S;O6@S>Fe&xzw!qa;!
zJd=B6<?Bi&9TbWVn`a$EgG(Nxi?R}5dxChIa-FTPF<7TbRZZ9D`y~j=7XoBIo1!2(
za^>zJp${D2)Ak_LQ^Ww#BnXk*K{RM`48DP4|4MezVtOtm@fJ=to+><yFyrE5-&&}T
zgNe*Ul8<YOQ0gFp5Im^ZneqK4pq!VuQu2Z>56XZhSq`0YBhaNCxnzYXX@7ZNmgTKm
z6NVW%4&B!^?V|v!&7eU37u{4>m;yG+Z*N>p^n@}e-6vSfR3=Qufnbuf3Io$rs%ph-
zD>nVDnLAF>!~bIeO7*FK_S<GQjxd6Qzeg#-)9kVx#|$m)GXo!0=yIoI73_^}2Z?sn
zD`I0y#Q=9VCntpWgE&B`1)34(MU><06B;}3je&!EbuB`A!HK_{o*%m^OlQBq?ywub
zp+cHv)8In5qq?PUwU9ke`t_|0?y_@@`!cmK4u7XG;MkX!FRmb6vp$84Efa(sWa=%@
zm0#)YHYXt=`PYYhf>>wI|5_4I>JQc`U4juFJU{OdlP+b7STTCBn0D8Hb4HjU2a8UH
zMc~1KH7|%a_(GuAv2<rz3sUJ^PXZ!ZMRD<U8H_Cl;Y!dJbVZjfrkHD(_9?A}KL_z`
zPdk5i!Otn?l!Vr{#QZ37bF7|mzZvY1=z)lxmq5D<eUA{u6D<NQh$1fG^$ZP-RDZj5
zEAfLVtEPlwg<X)jv)+LRzunDFRcR3fhk^lf1bxw5`E`rw<~1F8WVHQhqNIhGTi_4H
z7<XNHzkq8#oXnr%viO69{?Ah)pT15`;E=7PCQkIH1#7xPed%9ZK{2!IN##2br1?5b
z0nuHygd_moa5r$yvH2r_11uWlHAC8fh0Dv2>e3DVlx(`KRNWq(m@Bv<G#}UoT2cKc
zxx}P4@7w*~kTtg?$@q62cqXPhQvh-3VF6+knb{FnHrT*@v&c0W?nF<cknDU`n{#bv
z#X<=>xLy<%mTE8)%RlGlMvh%1bPli;kS^s#p`^#p%g_e!@}5)0iOc^eD(ma(oC;fd
z`Gl+ws#h%<rpZPI6a?@F)s*zrs(JgltHN~*&2IikwLf{ZwGeAQsOqs3$40MH+UtN%
zU%%$?UvREnML%O4S%VT9UoYCaKJIHkd14s$+MB37>%-{&PBcvI)}<qQo13fgfY^1B
z|DapDino=1BGO^7!w*oNF{WeRY*y<Ji}+k~fe`S}F?k(TwqqSaRea|xRC?{T4L$zZ
z2`y5QlX#m(2T$fTyrS-3#L|PyuKrwvAaBf%w;fA7A+j$JqL!S5x^&72admp6F!x`D
zMbpI(=5B*pA#Jgws`?6Gv)xNpzr(8bqaiHjHPk?eEuRk3@2;Xni2{Ojg+<Xj`20a&
zy0#-V_!4N1!6zb;t85AUCW3U#NN?y=&NG4gZFO14>-$+yjo$zjOid-Y-y>(HVsXu8
zmY}aEg4kCPI3~qCtEkEzXY~y+iv%ZR!(^YpR2awtX_Z67%DlE#`BL{^oS{&X2#W*y
z6QkFa{+^ky4|)`OQ%z9hPKJ3G%&ZjlaIh#M!50ww7-bjyb~jk|`dg&!+_%d&XM{F1
zK@1i<QGEsO``ik?u}H0}s_*i<8(fYsNFEctcl~(G)1cLMffm#h@7lRzK!P+@eMJ$a
zIMu*coJBhYUd;vLF)r7}^i%qE@W)Jh*0CV=S64(=O>_H<opD5(BWPZNi;-=|x0eaF
z7}PDl_p4phe_paz*28WzDUBGTI#p5hz_t%!r%73}$Cdx6s7-f9Yy{m2Sgap8EG$7C
z8IxeeF@RzynYUAi&YrlyoV*9)M%K^?Td=N8Iu}zESVtU<dJ01d;Fl=Yor53a=(IY<
zDomw91LbMFraN<ac9-ZYmCl@<Ia4@jN1^DqBA>e=CTG6yFI<7}cx*!B?A&v{ie>}{
zrO=z*#0_2-(Sf7%eE0JqbWUuUU3|iziK#1AuL>kqaCZRvC4OaA&kNgIN%R8L{~iY$
zx2Z;s#5yK(Xv(kO{s!$huL3;A1tpgrOkB^;JN^-s$ZZJ~8WhLWt&_UfSZlnkb?(_4
z?czZ`y%=*`!JxnJ`FMlw7ez%u5$Fi|Y4js3`Y0k(Z%v!wC__CN5$fA#cb6)wP~7$;
zpRf>L7q0|1(jX5QFm0q#)vS5-`Q_J|g^9A#m}*(>3uL!Fb4oPN&=72d%zIDX?C}Bo
zA|PLy=OOSw`B2*SN4=enNV7ZCUE~(_)|k0Bgu6S!*UZ+EHpLhA7uv=8waxv8c4|_<
z?*z?r*wAe8JhVx<49bG*r~B(`Q0~|B1dnmR^%)(Qeb5(79hWbj!p+^~XxhFGOVphD
zte>OXwi4Q>eW>8Hr~>r2xodkt8hY1r;BA#nYBKx$%eXVj%JUbf5;Rr1why3y@fT1O
z7muhmO^N01G~Sw==%>bh^cNh_9k(_iJhpCQ@km=aAcUb^I|uzG55(nvhhnL`s?E>&
z);LhL4$pUm6B332Iv@+ftkz?jePi?7qb-mbViIGYMWfeXh7NXx6a#k<J{7}!eQPzZ
z;v|Q{Z{P<eA*SR`*%D*2v<Zn>-WuR2l<xfQ4oO-CkN;l}28a*uBO^rYe+7!`tBXTh
z4w~)It0OYPMs?BY$SQ>bE1i*yBlw=KcS}qv-jAjs(|quT(^~~`-%w>4()+rF{N7(C
zL^?l*K&=><iJ0RrGB{YgxCB1h6#!RR)Izi~vX7AqbPb=)w^wbgu0pv*6G71L<(35u
z2%@M}_>)krlhOA}O2u}SJGi@%D9&3n=TfExL2Xap-bP1Xn+H=}Fpnw8{y`Rqs%q#L
zNUuoy=q7;wHa_hMG1OUK|GGDV`DB-_Wt_KE4o%i&S|JK&;!p6Eg4MFi|8|fYI2)dM
zY%!NMfaAWl{SY8S4U!G-A}=vqbSl~|ATiH_=p2?M$TiiVc)(yVH>b92dj<rdi*h3)
z^Y7T73V0?x5$!=M=!?G@+EOk4ra5qTJfpP0m{onjm=c}qc>?M{2nD#gJs<4h4Mudm
z-Pbr0pw(nSx)x9!Pjl*h8OV4QEXLQZqBIgoxnIoRuDz)Bf{pLQid|Pv^a!Tmsgcq8
z*dei?VsmjEVq4?R&U5|iTw6$oQEaj)8jARxQjDHGT(4f9`J&!&;2?O+G_Ddx_5v8P
zVA8~-)o}V#y2{meRBcEoUCDB2h-L~zN+9{X&iy?6d=>#k#qNUmOkJNu!J^#+zb>$l
zYS^BNlazx5!!Kch5R=aXjXgF!t%rq>QNJV&&-i?%LVA>IRzrTk`fs62Y{<i($V3aI
zP~u;4eLjO)jNH$U)PGw6P}qnN6cwlh7SHn0i(wKMeUVser_O<7#fKD<@*?9eVdinY
zXwLqrcMwsTQ#{I-JdcX_0DLer;4$624H`b)ae|&p{hE>wRI6Oa!;xAQQR14@?BvT)
zCS!d8fnb4rNco{z`%FjOM7LyG)P=G5Dr&Y>pa6mQDZdaCCBD?q-_^X_R7ibS%k?Y|
z?vJb`aj!pooL@%{iPl><mP$}j2vJ;lGv01a?l(aPJK$qKpws&qVUl&ea=Gd@QQV^7
z65Yg3(7`~ZB<ot(3c<^)Y2Oq?Gn$;5+-UcLjA1e6YBkTXYd&LpXm|{#C9%_84W8Jn
z+2m-J(hd#@D!xf0Fn>AY2xfP1e%Ja%kOTG#C)=hRTmItsmBqL-H1kH}V^`##P2cP0
z#{&-@8=hg1i5O~>A^LG#2qFq2pW2-7V^pIA+Wl)&6XfOX4fn%!l?m`m+cJGa-{=*T
zutzrrY_wFC1#X}!K>SNQ$WwD~dA6dUpa9fO_;;<^HwXVkm5`6L;D);`Vat*kDH}~m
z!hY7BckW#c{V~dCsG1s=#fHG7fF0m8uK6gM3Nm73*^2+Txn&U*0D+AN2AYaB+xcAM
zhtQIRLREZuk?>vkrV=;mcG9>-IRL&6GABl{l?z-;+)ba&zGm-rVaBHV+0%wq%8AJ1
zJKdDtJt*71`};?SxGbNb+45ocmSnTt-^DF#iJ5wY!5T|PQ6x)E?d0We53if1F!JU2
zed96(1Ksc&hF9@eg|SiR%ST%PSQ7-ZWk3LKwUsDF>9~0nOi0D$Dn)|E3~D4*A05IW
zy&q`(7$5NVG^@h0MG58udr1Kdq}sP;$U^<*o=~jzbxA2r%R~em+W&Rk<H`iJ3Q<HA
zD=!CnA=&;&oNf^eCs)qEGNWgnSn0q)dD7qagYet+Y@)iOJY3FGF>4#k&AQ=^e&)Sh
zOVeV?F?>R47$(LnB+4B&fN^Vs)Zg35|M~7X5oCXJae3LdeC)bnBFRY8LJdAzOm2-;
zmk(`b8!Mr!LuQjfeRnyE4D=^{ng&8R&3OAXtgf~E`A8n!()2e!iu(HT!7jJea&SAa
zzrWAGiHB#@)o)xQQ=l3b0`aOE>@o>w0y!NkOkPYS`>lPkCUxzmwRSV~A7w^Aoq)$0
zEV@3qh^CAijbWWSQ8%Nbx8d*N5GwIMzxwNXP{Q2Hx;E<v2oMSVwKKy-Y6@r<?}TeZ
z++D)}$i>k&sUDnbgm2KV=@AK5;NQ&bg^y4w&nXS=UN6(hf9qvQ!vX{Jkg(cAWMY@#
zC#Z4Cn|+e(KZDmG3xMS-WC%P<=EtL9$)iJ|*J*$G!H?RP*Ajkg`!UAC(vupNjv=l9
zBG8>p_eG%TLViG+miA4fNuTE$zrFRvPZ@vQob2tH^Aa+pAXeUK8KFrF4-i4ieM!&?
z-1ejkqjWq?K#3{k!XUuRH!AW!l$F3%;F}I>Ov9qe68nlBtowOe6OgS~V(fRnpE#rv
z7l#5W44mM%SkUPfT#;uo34VU8wwp}`;|I5NKixFk5&FA5HvJL7PIq>kg^hdZu(c4h
zs%SjMs_3{b$6JC?xv`|sH~DnLnsh+Kw3pBO&$ocjr(Ko!ksM*KwbMr^amUg7Yb}*7
zGlw;6LuJ7%=@x7j<{A)3-MC}$6)i2HqJoT<R@9@H&wNF3$!G{V4u@o>{MfJ8!u$tB
zGg@zi0$(OepdOJ5>kKjvpWs#mY(yKHw3M9MlLxG_Dhc^$h(FY}vj@i&j4dG90iUX>
zFuM|kIay2^E3A1wn{ktq@NcqaAvGd^R+5ihXG_2Tg^h|icj^Ewr?aJ%Uql2J_?j^Y
zi$^D2z$Q42*!#|mH=>)B6e3F`&Q-R7D8E9{=+U!3?baFf_|&o45$hNH59_wKk*<tK
zFZx1?tK65CSvX7eL*3Xgc5<p_lBJqCg5t`FM38rF{oJk9q=d+Ag$b|Bxk79Ie?+}y
zSX@mLEjqZn6WrY)xCM6^WU$}_cbDKU!7aG^;7)LN*8suYf<tm9?>*nS|7Z5IyLWYU
z)vBts{Praa3MNg#%_~F8Ue07(F`O&7XB3Loo3hV^L#Cn;H_0xHKS}a(zxNU%qb@_{
z+suWbOyR?zkO2I{y|fyL8{Q+h=<E_~Kl$VppH@H8P0-+1QTJlweu_=UJobhQxiE)T
zTDtztsbCD#8w{rY#v`85xBC98ED!1^u>q);D=Sq|+OIQqD@UZ;rfF_~xP*(Nb-&-0
zT4VTmUC>x5Lk)@ul0B-r+Bpe9=%d60h0iH^nd$;5`ZQug#|wQ6cQccr@Qo4LXq*h&
z;LwImr`dNx#iiicl3Py3`Xg&h#Bcsg-QYm2ytx99JqTAzcfY_A+$354awz+x2)&4I
z(0+aoK=~WI0hs<dbU>@L5BmspfB`kEZim*s1=P%tSI{yBHjF~O{0|Gb!{TSDM?N)o
z{+m3>;z5RRia_S!)wbg_J<UGD&gSVESak`ZX*|EWx;VeY>>xhBxPaazkO^$i6F)B0
zAZd=!QK72!x&^W8f*dPUvK+a`<g>%cF;O-)XN^TTg*xQI<H377^DJo@7GX;Q$&60|
zZipOQJ9q-pLPQC}{G$0uJxLZ#S+dYwS=9}Fo{#IIQD}SSA+-U?bbp_|K7WlIzO0b%
zgIl;_dw%RtRUF*&CF5h1@>e+ruAaCVuZjq-f4w&TyG#8f;Pd+$Qi~;n#Wn6ds1tH`
zH**ghHEuv>90WTjhY?h{tAB}rIXCC>mWOv1&luX7!CJ>Gbw}LqQ%#~1Ah>V;BB2Z#
zUp`S!#in(2>X)5<LoTy`>-|Vn>BF5-Ok0siq>xYw7Cyh5Ha?mw8rc~cfMvnFn+u$F
z!mwq<dRD(hCilAlOYPbSrH#|RDyl1ez^gORKBOcNOW}=EupVDpUR+^*9Hzs_1|ihm
zhb+K>8#YcPXuix|eVSY;`-V?nSWkhKUlqxf)65DOjg7HpQpgIYHStm8Ut?9?<%y*?
z^SVg<!`sqw*ju|l-)_@&)A1}HeIcOh+5QN6RK&DpsJJRF_Tf>9wQb$#opzJU7RSWJ
z2@hT2E9OiEOhn$smVw|C)hML#QQxf?h9xvKGM0w=F;_{DuyP~b&%vbTpsk1Li>$kr
zArcGVrhr?}ZfIyqR)hw=`l^i?LJbGvuEG7QNU*^xMtnS(m=EmW(a%3dKUVBbFcY8b
z2K*YAFQ1t@&~I}nTFgze`gffkoiZN})Z(3gp|of+ws6Yc1C5oSeo4Mz@B;x_fUJ?d
zIXBUP(iqMbqshkDmC<ejkZa7P>o^&0ozi-&2-yp&#dH+wI@rb6suV(q_VIyHZ@`$>
zqkF8GVB-(Vh)rd0e|S4UQl<#0Yr!T=$Ppd^K?sBFLd4JO8W6rw1f#MJNKcy&_h(tg
zk;abwWj&l=rdpADaa$bklS_1{I*6pSY@OTp7WOxRf$$L-u*@!&mj@Y_<f8||Oz1jW
zOaPGxjH>#XO|+!q)cCqe<kBTvy{4(VQZe~%8Foos?@JzvM;e3ze;Omhp~7WL`y(Jz
z;X=q~Z)!meCL-|^(SfnxHweokUf}panO51bO~d8Zc?V=%kRV~4iPF^aH|}A^jaPq4
z*1}LzBq5ugTx@&`zd-AKwh}BSugP}>nq2%gC#3JDKf;zu38UtGH1Q`Q?*7C)Cw;!l
zb6et3>gqK{i_p=9H@UkBqels()p=-B%JJysFN6Q8>mvik3#4NS3;qmy$X{>RM&cUk
zDbw}Q$^FAdIMQ)xle*uh)KYO2)&tYA6z+x$ASHAFA_Z%&E&?nB%<@J}c!$tEPUo-K
zw*rC-6c~qfVeF_?N@4<f@nDq<eQWtu$9YN49EyWq4^2%JwdOD(bfuWH^chbGu-slC
zr^kMGVF3aE`%^ps3x!%A0*n=-*@=*-6cDlWXK<It%gEv2nvhgy>1TX<9gQO?v$%R*
z)MfvcR!eZpl)dd$-7WbjG?wJ8wF)msAavf6&FckvY`YOA)3t+V&iyNlal0O?oh_k>
zCb}2eo+F|e?{M62h5l5f#5VvszzKDj%ET{}V%n55WLsQI`I>i53P>1<Bc9e@EC*9A
zMAR?|Zss-#vL!?!%w_6=Hl`G%c7QP&FhJp!D_aQ)1E}=fUO>PD=^B<CYTc$!_5IHS
z&7G9rOX_LV)Gk$!Na7g3ArfS}l4o<NQQ5Mf3!F3?5Sb~wtC=}W7-xQ{6}pT1{?!!G
zs+TdUA5l~(S!yAOU)*j0R6JmGtiPJ@4My?TcXPe=^OUrYDRS}isH4krQ8wg23Py9v
z6=!C*`&vSl^e++aS;Okt#I7|N@>+wz`-~U#M|-bs5!H8J;Sw~4>r2Ke^f?Z^D4i8=
z5d`u+T23%PXqKU^WcEUE<Vpr#>usm??}_TZOZuv60|`hH_o4m5z77Uy`j7~FW$k)j
zc~C%j4-@4W|E^uQBZNQ=<0HH~v~CO^^@Q<OzMZS9Q>~EbS}FoPhkoY6{*+fs;F(lw
zh~ZHW;y#pFH#_%)HClG@;uRDS$d0Z5$j!o0pvKGp*{Ko_MXAj!eG#8|M61Nlx>}{H
zLAs|JDBBsWmF(e{KYyZJ_FD#i!cOpSod3f=YAE|g{i3R7Pkurg@7%!?gr87?D3+x|
zZqfcfdwmfwp~Y<iLBziPr~>X-K=oSq*e(v(0b9apIbGZ4CnB#(fw){HT#1Y*7oS7T
zXn09P8QcQK+h76PP_7>2q#7x$`_vdFN{P>de5329YBzK0gW~FZRd)qgBD$5IT$H#!
z*`=%h)fv~N12I-QEyf0z^VWx)@G#TZR3ZsW;y!o688b-+;e&`KMv$J-84}i)cm|uG
z%m=Ca9c0{AiFxICVdxYU*0v^)usU;TqtUbU8l9t2{qVBoT{GZTX58Rdjn}G@x?aJX
zsm6iQ$XmnME-5Qh49S0{+BEXelRT5BWu)~Q8Y-Km=*k$xLnA`2@KbMvwB3|by7GUE
z24gRW(|7oNP7!9_@(MQ#mtG?uX+cAp#Ug|w{y;W1=cV*T9$OD>y@pTt4<eYu-qsTU
zsIuDC0Zih5hs&cb69wzRHdms{*Xyfbr~JNfVR@9!fJ?!PMF7eLg$;;<cAq#t2j95|
z1R$}4|6o-8{dN;B61p{PBfHIY{MNSSpz;=ogJ^k=+0lrmSbpt}{eX2?2DIbS6!2xf
za)i}I>*%2W7n%JGamGaK65JO)2llrY@^y~OUC&r8z`^Q=57euA|7yaFF9-gzZw^QP
z)y*+2Usmc)!VpTCboPf)JmW}M7Wr&VBgAH4%i01fh=mG$*jd!$ppd2&S#-Fqt{x^v
zEQgOBV+64p#xa5`vI)FUhH#}X1^0>Dg3WanM-Drle?Rq`R6RYe52yRDFwdVrLdJT^
zSj)sQA#}z})0pDE(Yv??k>fX0N;B&6;-CA!IbE0sB?3fLGBi3@DOICa#feJ#zdduW
zr*z3Ce!VlP=@lfpQNpaP3^d-m-4>zCd@@&5nCMxOr%#LVPK4viPpiYmBaUhs4Fikl
z8<5SHS-~AM2bD0xrHmU2k0HebIp?fkz2>(Dt42>J_QD*y9_HQb)vDFRn}v%OF{k<D
z<MJxSZUexf&MrT^#u`{CGg4hW=lE3^;FY6btW{PsLSN7n+HIDj#_Xx+=->`PiQkQF
zZD~rAiB)eXP5X?|AHCUhVNtG}>{KXW8}B1$nv6bxS6iU#TBA649x5PQn3s(LKTfvd
z=gxkvt_z)yDm+{gv9E?+6cT)(jWd10RjQN3O%-j)+Bh&6Mf2-CxU!&y)r?C+(v&Bm
zwbR12Rg5>*U9(s@{<-)HlN!Jfmy)%Fa~=Sa9HZv7%GQw@-wU5hZR#}VH%u?D)w7@|
z6nltmwymrWaQOIU_)DCTiSe>(V!XzvVf8KSRDDGhR6-+7Ypxv#+%4ou%XOI@T?#{%
zg+tP?NP)%YRoCW=2sfkAuF8GfuBT{y+-tpo`4#V~gLTDq0O~b!&z$N?>Hc`3Vaffs
zmr=;{oqArQNHn#)a6eiqb$>J;Yo7KF^Xxf5{qW(=va)WnG$Hz{!Kfkdv4tg~<f-Dm
z@`<f~yPYBt|0wW!ArP8@EiC2>bFdyR^KW|w4}URM(-oF_88`xBwI!EKaF^uGjv9_U
z`GIk98SkUr5$SIhBx`;UCd@WN?@rRi);-H5`uJ?aV;LK{gNIA4qF&vzbN@xgX2<o0
z(F=T=znd*!S>)qgJp8c_+r)Y@v(8^hgu3!S$>%R7wa_@1xWd15b=~1S^jO!R>YcxR
zt3CI>XmlCJiOp&=1RcZx3oN0uZmQt%&)nrTZq%KywMb(!xvUfkWgV_pjQhTCw?vT+
z^{s>Sag9y)IIpXyVC0QF@g~eFu*mT2EC<I$9rY((wxu(aj1wv7|Cj>Rg!KBAVJ!!~
zPw1v<wr#!vXJOv5%#;{@>z#|rDmkY6Yh7M;W-DR#B=OPZ=NlaIt#_Hg97KKoE3PeC
z$11sxpr%6-I&NQ%W%aeM2P#BmJz@%dScunkA*$-i&)!>fm{^y?@&JgZ2P|zn7^@j$
zWmHs~A5Itf6U$Y>k*84Fo>Ec0TH4Kwy%pmd%SCw8hsN~U4>ly4Z{@~CE)^tJFg6aP
zRX)fqajulJW+(GV7t2TaIo(J`B!*?V*VeSP?~d+-2lzX_(c3kEP*mUf&#r%TzvFmx
zCv@JRxbRYIWha3XTVgg&Tg?+$>}t1yOJr-;{0^l3WgQIKahFncFb3?GsvSx;|8gyB
zz9k(brSAR6&G^Pf5LJ4bU8>87>|kp#Hicl#S7UNEUZv$;nMK?p`J)Cp>UL9~PYq~d
z`!0o~rT&Yf+4}(f;nEVj(-&@t;q3M6-J|q7?2=^1!Q6+RQuVXzroTcm+TS-UhloJ$
ztL-u$YCL>Tm&)YuAES%-p5yhbIobjubi`QKuMn%RfLcdm&V|4LGg$^}19qUbf|vP<
zes@4Bw$T|E@H^s3y#HCRTJ?N@K|Gt*h}JRz&PKvZi^ml4hgXjO+-y{)K6|h0gu82p
zR~75{XAv^3Ws0ABZNP$=<?2uhVS&wCInh;fB}<3*!@7D5UzRxkFMG0|(|W>nVH`g6
z?Bg4Ol(3;)>y+_~x3DTk?e9w)P@xIiJDl!~ZTPQi6F%L~5=*&#{nx<M&D{CkcKyJ8
zys_7~QT_Kl&h2B}^TLB@w!n^Hm4;KP0LWHbObl+KJ@IP|8}qW!2Sot_*i<!rGSbEq
z_pP%HFsr)b=la`@4oOY@8qTUJP_ujS>J#4Mzn=V6E1M~=#nm#~X5$4BuIKppGL?6O
z<j^K`DJeV*0du-mmiC60xH=sV#pM;sGe-w#eGBo%CtuQ^nYNyFP`Zx`|B6Xwal8+g
zHI%irt$4YPQ!UaMiY!#NpHo{YTIzn#tpF-sUfYPZW{M18beV~wZ-<q)1H?YO+WlJ^
z?=s}i{;*X?W?M^yF$~VG$U5%Nwry3XNw<e9mN-^)tvka)BxWJ?mkIwst8DvE4*ib(
z+6hmF2Me2regUJKISKCmV(D+ikIn(2>1KaZlpMTejXJy9A0U-*I3agUC8x98>J4S#
zElXRDWs!OaL5>IWD+8L4Xr(>>jwk=lmY1m5_0EfW?UfZz(B}Oc5R@6WZBI8Nw4R2z
z!*^Jb#qZ7>U0oSt^5Zqipy<O@$^Y%9ZEdzx@M?Xi$eB5OF>>@gAP?B`{IFquiw|4a
zm1fVi@>LV}6sS>+sMr2OyRAI+eJx|R=Vod+;L|_jA-1iqhdieft;5H+YNt$})96eR
zbwwM?LEq})B0RUl@&Ee~{Hf>m|FD4SdQa;(^yQ0-(zli~uDqY_4x9G3CCC0L#w*#y
zV5Yj(es=Y>@eW?ksqO~IBLD4cw^?VMpzhT`%Mo5Gxm;uB$oiY1tI(qRhf*6ndM(j!
zp3u5WKO8nYQz^^_?EGv0_hO!oXiXj6TQu12hAB>@%426OniK`6SEkI(`<2n-Z^K$O
zPKJ1~v^qd=OReOnt#R&J%K6gj(SL+>^^m2Vb2lo``Je??@1+(x=TC%jWjBdSlUA-R
zIXIB$ebQcfV~VI>elTfXt-pn%jCPo>%GAG7`1qqf;XhH0|DLeGyVsUGF2qM<17|#z
zdR4<@ar4-utLV}&c0tPuSBI;EPYkMI*;lo&C|UG&+G5Jy49%SkmtIL{+P3zpo|*r@
zM!CF7Z=W{F30K~y<Vqba6GXeQFKX##@#O!?3#*`q-J4_!I^vxStK<0r3X@eC?;A}@
zTL0GFGb|N#dbt8lZO;s<8scoVG37-(*KGQ~o67r8kzL^`pjAv+`KC>pFBemC{83FA
z8!BycP(VJMMLM!>HH%S<wbkG7auJ!h3aopd&~nn}XxdbZfzNk*iqri6o+F?ehUh|3
zAx<{Ge4k1&%AX%9HW&l~)1Lb2*5|qhl#grH<P(CnD^54yh%DQg87J2tN$)J9{nJv*
zkH*)DUzH$?TaP1rhw^;?KK2%M)$;oZQ&OM9N4|@36LznG4CuSwTQ~++u;nL!Q<2sJ
zSlf%P-DEB4pt2gM-AfS$A2+1i)CDT4^ZMIjQXSs>f(kj2kAvnV(4{9j{|@z*z8PUy
zq?BSN$`dOIHSIyiwB${CJ-<A1nF;Ms3y`Va$XvHiw)sYT@uT&2B0kqzm(QDiC2~70
zV_o(6tXXV~ds-FGQuE#VxLt!~%HRJU-?yJ7v~>ON;II1gPFG6?(z-lVApAyb<%p5`
zHnG@4k9__svh>#ga)Q=Q@w!Y7QTse`$L;)_X$HcTF`)#rvRj&4c0G9p)mBfI=jY4a
zG*au?rKA5QM*g#$#(Js-I>P`wN>+7OZpFa^qnL53G&HUyw+cxr#bsv9En?C$izf?t
zS}o5SY_UNOirN(8G<*%BPBesb<k&BvYk{>=P#=_e6;|`BX2$-X9UYmZZaPs{QlY_#
za)uE?A9cZ0s=pBj#x4(sBUiOwBl<Q~$eB|za1BdxQ!@dk=5-t<?i0pIflU(9Z<$=R
z-jr0V*?tMH!L#y2T0s6==j$x%JZrT6luSt2{xbRhdqNp)N?+6h%wS4<omB60{7N-%
z%8YrLGQkx+>K*m|em1%cfL`V%U{Z2(&p3_Kz+ZRq5%0KGuZ|%mO_0x_y!bbOQvU4*
z^Ak}fN|bFxT(8Q0;GOZO_M~ByVhuj>iPb>L2>x9|49_`JUUj=Oo$sZ?qG|setLj7+
zNyERh>%-i%1sRw`ZzV$b8d@*bOO7=e^cQm&vs&IYnHqOK)Z{yVTE4mWn>sOwmQmP5
zSVCMLsJT8tksm{-{dYJ^dOlPQHI*lyR{00f^lpcGR7_#=Q(akHSi}=b8(Rt7-@_ue
zvnobUUYcdAf0T*mI1Q!v4UjL_879DlpqUMOWXxz@zyn2)WcyK%IGrOb13ARGprnFD
z$U*`Sn!E;}<J})Z{`oogcM7U7`)x`DNwO0(ru1nlu6tmZP=RuMDL0r$bzV4(e5WdK
zNFzu?6u`&m5BGs0040(|7oDG%ZXIzNNtIF3Tgqn+K9;kVRF$^5r+%gn@}*ZdHtsRH
zv05M6wKY(Q$*Lf4Ri#&RTDKn`Xx0Cejji1Y)f*!jIP_!J-v{c436TXr*c(vb_fjJ~
z6G6U<fc^EA3sIPyGYwf7uiq*OCaT$vxgF`0!Wh~w70PZr88(3HEeEPJ#L-vAt6iJe
z6FHOTDb@0sYldqQr4jhOhHJkxvLqb#P8Y4^<?WwEY^_z=x0!>A8<+NL))*L>q$gF@
zOaE;ZLCYnl7MY_C7rlc)49YZKMg&h8B#TTG|0x?KjJX~{p3Inhmq5QGJMdair>8z^
z9kJz5wGdyJwrvAflSVEh&I;uZ2T+9SMGmx1YS>@2?bo60VoIS5#fu#g_UZKzBmh}9
z80_oyI|hO#X!6(>)>v{?jvBp%KU+eEf%4^3CeemrgO2CHZE0y9W?8YCqYUiT9Ye#S
zD3GZ8z24?wemDY5cinK(S(qluG<2HX@b<c#C~U3C<ESRz!me~6ZDIS*0d#{;7g)~f
zV$`xL*zJ~o7*}^en_$P@9L$?*>?6-<LBtb*bSZQ|!QbZl&jrEcq>OV9QbKAM496aY
zMs-^!Qh~MWtYS8B5)7$U3{ngNQjtT!>(WO`_J3nYJlo@u7+)1NPgCi}nFh$A0JeOp
zWsO5#EM?qZTSiM2A+A9fi?g?G5`d@(FhNQt3bbmcJ&f#0YB^CEF!Q&B+=VkgzcWoT
zJ!*c%j7#?5WVYYiBGzq|#zj<KUQxG`O5q)-8ra@A|2zEn;h(7lXwt<sMV+ef^mXIk
zn*=tN^K+AOBJD6?6lfi0vwZU|Hm6tX9wm3{&v8Hr7&sGs3nl9!f8h$<4ni>3!jwZq
z@e$R2m7gBzCodBjsyJ(sUPl?$CmC;4_FBgNaLsOjQleq4lo1hWR^Dl}o-ofNH}8-H
z{aph9t}R`2%8Iuf`+}cPHUauRqBkr+!I}fOp_8(~BaJo^U-6oa^LP2To(<$h&Aotg
zl!)}=C7<1KvvC;KE%vgdk;zVGv9u2@#_k|5+i<)j<+ZZHWrq7K(%J;+6?8n8n1N*{
zJxGA(oz?Y++ah`{_8Sgz^9NkDUR0){azeEoM1Xo5Y7}#-Z|;LX)=TLDWPF!mcI5#s
zznrbNLL0mg1rb*O=)R||By<G?=Dle68Zec^g0+Dfk(v6#rDI3Ho(SK4ANci#L5&~d
z-^y$%pJw7KTJV~8k|g%)X+lY0o|tDT-zrdHVdK)XjT1-bgvqCG=U7Npe(my;%q)Ox
zO6xNReUSIHvp#ik4kWJOD75#v-jier<=$Any&3;o`J_W~xiQu^kAv~!G^{3#7MoQz
zO=A{&e`#1<G6Fgj^)ZoeK!I563|-A?7NrK;Y5NH+?*X<Ae|_qr+KL!P!sh!ud;XeX
z;@8b{OSckKdha48yxEVEraKr1Rr9d$$YR(22S`fvGh8{nWj%S#lDx;^Ar4Ioa1?k@
z<)_VWMzBh$E4O&CutEhk&s6=GCO?y`Bgb?zC2M141f|4>@8j44P{_`TZ=@*y>;N0U
z{OTG7h2TO^n4MHXwX_lmDVmFFCKn?tM>F^W!I>pZ0vCRZLiqeSW-*UdKN;jHJQIHR
zW|~BnfN!<8s<Z(6D`vQ;*(dB*dfS%Qm-i#(<=8xONZYOZb}TuQepE0X&tzdpXLv|j
z|0clf>4solex1{mR-P!~2ct4;c1%0-tC`a#7Td-Aycx4lJr?x1jYVwp=RIYu#;JdC
z>&%pPo^e?$o3)=r05SqwRFD{LP=!LX0+cnJjCYn<B<9zNez}L&zG;fpE$fR1A>Vg4
zK(!Gw;Ii@qbO&|;ZV*?{e9xqR@~a@4(yvS@6S+CLGkM}NZi{h`(BjY0OnOhE1H=T0
zG_fV23sZ&UC}0ljn8gi?%r=v3N<F&jYdsU(`#5C%hLU$M0er~lwr#|M1^@SKBOx@3
zXvPDocq`{q6O&@A$N7wV;f>Dth^eRNK8QQbtFN(Q$BP~~ckN>cq{h`=Hr9p`G$Tu8
zL8+?lKTo-h^rFW=N`{Z69YwL<zrS$Vif;p@4)I{PK$076JzgvMT2mIpwZvmwXcodY
z;Z%g4hutkTDBILB*Tf?Lf4_LM{-3^p$F;_gq5-42vqvG5I#MVLI9=qlxGs`@XVDdG
z?2cPhiqyr0sQD;dB5p<DZ+O1i5q_9Sno=LV9XO*Y^)8vxtDhYd0xb;XG*jtn8swHz
zv;n%g%e|_su}CyB{6%RtV+?BZj}(QgHZbKKgv#NKlj+fw*v+4G4t?0b^{OL~*6Q}G
z&D(DRvPff07!#?QpAUK*g+I%Y<AuB0EPXpDZ;SYX@?;g1hh%*aB2XhvK-0hi7j5k}
zSi&;sQq$RzU%vFHNaep!_Fs7Rv7OINOB_vW+aw;_E0}}Ho9bF==Rh=UwOFY{0Y=rW
z5WErv|GpeD@Q2{@`Q??nUZNcw*KG-cn@%{aRyj$BWE}ikoQcF+keZncZA5(5dPiPH
zk#x*~@E4-p{@@2Vv}6mq00~xW1wV$qz2R$8e|2UB_M$h`6UNU_qCkzX#O)}{%#&{P
z{(9ZQejUpu$J&kEVNvOScMOk9Q6OPN5S=wb$AShH9_5i>%mR&kBmc|-i7=OHcJHY8
z1V_4HdVop|71%H&nXN@`)aekPpfSH6yvsQ<e;5x}mkFvH=WF=I{?l9ralsf2Ioy+W
z?*#`zQnk?4*ooK2#>Sz++ku5ts$o6B0CLk(zlsIv{i9C*<{um0PGC>)#x`k_C;Z&B
z%3?GCp(HYshb5B`S{J$MF;<o^Mne_~``~xTCSg=!v|jd)^_`&t5oHoBqcs!FM|wk%
z0wM8}G@jNViP3~Haqryg=4;m?7i1<t*iu^1k>{i7)>X6qoLfVn$p;TT^=#`pEZ4uW
z|6=nI?SU{!gxpJbmsSFji)Mr^OfUBwtGgjTzR#2RH&oN<L}{=i?JB5gFt$oPl0&<N
zt)2Ce(XZXMD>6N^EnK!CDi)6XlWi>thc!`E;jcE;^{N|{0YE5;eGm8vHSPAB5~xFY
zYvT+J)uDp)7HHDu?%A{78@Em$`PUHwn>!)ulkWX0itv=7Slk7gAr0_P`Wd)iD0Pvp
z@5vgTMh`R-G2T7If;H7_U+Fd>rA`A^)~&K(phsIrS2fA0{VqlT8WJO7l<5tYMKDw`
z%$G>_MD>05btp`COr-m?On@IPGZ18!7X=~bY;47=F-Z>(tMBU75qe)<D4JgROd={u
zg4)4KXhD~J^M$8}M5UJQZcdm;eQTU%?)dK-e#P}hQAFnaHX}jM0!lICxOpYvgniFx
zd(9CN(1N7J%cS)LZ#$L~a+PIfXl`-apjo!Vop<sZJ?GlJ_N3FE_@y1U6VTaPyg(?$
zc6ZkHwg$G!SGc<6JoE#Y)q>Ii?IjJ1;ct=Y8cZXi0&)hF9WI-xwH|>+q*;?Kb|^wg
z>np=(s(7_kdN>zG<1S;iHNoqsaOAF^kPHPpLeN9wMM^eU>$Z@g#U3=M{l}0RR3r;~
zT9yoL&yyh&GX6icW6>JIYgbVL)e?30JH|&b5wEJ~2wS6fN-gK3pqawnz`6fn0pt$@
zyG^bFhPkR~BLf!v%Hc7S#hJ^D*Gn2NGCq7~i*o6=jE0mZtOLD;Ozql=ZCrLs1JEB3
zc&S(Ro6Jcwc{jBnpo@w&Ht=_FRVs*5qEmD@Whx30NpxByks(z&X!RsQ*0*mDVaqDv
z<+CW+IY#iP;-@IVLR_3s^8G3fGg8fIv;oHIch?`J&LxH;<~r;QxM#&e_tVWxUs|sQ
zPqWAM4G>sYp4nnHSoVGdySJd~Wn3v-_(y8*b@_(1e~#jes%uc$xN3nR_Z6qsE$&(=
z{O08TmZGoXZ$>@`xv3n{a$9Hb5V|k_s5rK6TR&4}8(QZyiL9MebgMWfHjPZ2yLBDs
zDeE1XIrELrTa=o}-Gq`O5vl#~1a5OLR^|5pCBy%arGc&{C}|64m}$!mH+lGONS<L(
ze%rzRFI~<{Ni84f`PShFRwwI2@yqbx5p>I<eO1%snOWeE63M)BTbjF^ZX9_pOYl)8
z_jp7wqL<S%!X8~EsBqMn(a_HPMii5XE$Ez&d^czR(k>AxC8xsOp}`T{ht6;wR-~38
z13qgj;D+-<(En&_Pf1xQX+2eKDa7AxF;-*mFbFANf`JYsrbQ16$o--H6Pi${X(yfo
z0qn@Q-}JyA+Jipv<w7`%kxNL$R%(d2#R?%uA|R`YQiM=CC80)9Bv2YeHX)4e&py~;
zH5Uae!wW3{7%?LTUXJUtI&*@i=MAb*yDEi05>+tRVvFD-XR<PuXGkXz<BxUA>6<oA
zg>+EfcehLuhgg_%OY$tQT3IoJb}cYtItZA{Bo0!_F^w&d6>}GiCVc%?Uw_?9>&$or
z^$4!sbgCo6q?h4r)ATxe(`m_pOy+%>bI_T+T&(k4l5!{8^xxg9w{DD=izHCbN;%=8
zA3{%9K?#>cDJD9R=-zeGjQdCUOs7uEittmVjq2RLE@*TZJ1V8&o-`&{La0+4@G7(s
zeIs2izkjlfRbHul%*BuM&w@m7uXa0kgA;C?3479oFznYm2=1oE@pn975x69!62*%W
zRV!#17%z@&^kU?Bc?kp)29tYsJ#y*C0z~GUT8Nag*3cyA#R-@AQP9})E<xk&332bj
zAkxov8sWOH!G`8xbzJ&V(H|BephsRuW`~$`Hx=y3#X&zl8TY(oN>W(R+L@H<W5>3i
z^V3rD7CnYf2pgaflsgIC4*Mi6h?0q;01i=vsKy4T#uXz?1Crw{(iz$T4s?>t)c$ei
zUHfbT4adP|Kc-)!y--WUl`HytEkwezbr;=im^=vD1~TNG4O>J=F@M7%W-!>9l#49(
zj$<0Dr^!Ga6Th<jbNmYo<j7wbxbv*`<b{b@JB(IQt`oIZ{h@PrS3lX13e$;Q>(``h
zpS5&C+FjOua%8YHLL6iKUDRTuMVk3$PK=;5*rmRt!Asv}g8K86YI%3<li!LgL?5dd
z0z=9&D;O!!qD?IC%B6I==mzP{0;X?DPCP>BU%Ttbe&>l03$Hq&bySib(#gKV(YDbN
z(0ZE@qDxv!5;q%t`_hJ8rt$QtHXoNI*8zIJHgp6@SEYT+Ni;)0!eYOo7vZbj>f9w;
z>quWQryvP)<PfExOpL8Nza=+@qbhbuxQT=4SZ~pjcDR`C+vte}!vXF0aR&M%dp(`x
zu=_EHocCo-Uowi+on4xtA)D&P0wQ>!HWHv^QiFC4lAEyd4rkrx)WL-Vb@d#>hRFKb
zi|eHC4SA0U{YWAhIPuCI@=iJyMi4}SCzye|90#g4^PY~pYV6imLWQ`<n{i7?KmVz$
zYtehr?Ak`9hFlF5nZ?FAZma$A1W%hb3hW%qIw72J5h)zNSKlo$zxU&_qMr_mt$xO9
z1c5c{46X-fxV}eULKVm)X!n>h4Shu^bKJ=Hm=#hQ%Hw4Tbh$XNGrYF>Qd<V`tiG(7
z`>Myv!tMv^o5o7lxVOQfw}h33&qiwj;&y)f)gXRl?3}91T$)phymg!Pb(7n_X`o<o
zkhIMq%<)-`oy}qRNLOpj66~36Y{<<Q0EEOrM>b363fXGbo3=g#@bx?^jotwV?5dJT
zb8jAt(Ny`>V0NK5x~+ZOT+<oAS+2wz$M0a39klhIMjuztU|$WNkW_{Go}HWpl<5?^
zCzDf(BY5NC3i@*&day;2zEq6=Og)H|!F|R$=*gavr7^5M@p+N_2lWfAM+=77s}H#Q
zx6{o60925A>W{_+0l{?v!PBNmVN69z4MJUxJAFyHIci4NDBkJeQn${ZcM2&bd>&Pc
z9K;1Uc2o#OsGdq5;^bH-Ua-LREJi{WGX;1QcvcI)8Lw*?Gm?Da1gR<tw<C4EszLyD
z^HdP|e2na~*JQc)ZIu$bzR(BeuN!ad&|x%@$mQ{b9l|hmeD}r+Jqk``q{gXLDTM8H
zA4ZlS`CrDr{BKnW%OhF(YcIALWk|`8@K_yPJ3IDvOs7AV2Ne+m2|W!&HT*hpYR8r%
zI5c-WF>2gz<_yqlBb)F5pFHr}kN>N?=*!9dbN0lTQyMZNAv6mPloUlAVhJjv`oc#G
zXB2AInA%WMjN<a<<Z@@7Aw_lPKg33rkfUX`7fSVt%Y8?)1s4B~WgNj0q|OuzTzv3-
z&tJJ}S~tObDY*8JJ?QH#)=c4l<iaARcUAfnWshpul*bOhzp)gAa}f=>50T9nmd`2%
zWu5Zy9#dEX8qLx9QJi$95fyRRxTIB}>)^jB<5qI0N#qyy#uNgKUVH4CyHrLJBr#&b
za9gP-)wghSW;R_(jVmbKrn^U&qCq5?O-{)w2-Xs6!NjtJyCVaaU_r$_VMYIK6qrQI
zNW@H^4Zj{~v%K$+d*`l&DZ!%XI({m61P^nTYXK+OG`{!;YNz1cy5hwZ(wuFD8r<;2
zwW6Lb5)rgMR9A1m<mW15dgK?A*>Dr-W0n1!IQ#)=VMW(S!u~>jjWyygpE7kP3yM@K
z*ch3$pcG4U<0-1PxQh?kFJwPdIscbp_7(efh`b~N(im;vGg-!APlGi~$WQD_dshLa
zqZD-T9B@^(=5%QS4N^p~D2X(Z+R^Z&1>Wa#^BS7Ne4k{H5hZP{v&;dNxBT)u2!Ch-
zOE~AC!dc@0ib7sm6MYTg$XdCQfpEu6*HFe#g|`E}D1K0Ys*U>%)&wvCmwsRqG$U2X
zdajMPQ6vY;k`Iz_+6Y&fig*mV5xzZUj%27zLi#E5#p@UFSCGofObImpFftQx<5Zw7
z)Afs^=E&BnFQm@oZ`m?^2J~i8zZGkvK~=8ca3yRxyc^s{;qEbL`Jn`_>ULB>j<$XQ
z@B@=<2`aPZ2Sq+c3F^pAl?luO;U~~Twp4!Li3+TX5UHqy@9oW9+u+Y6n`Z_ml*>=R
z_v~mEd9#F;%6wiF%vvPLSoj5PlYXi|o`r4fOjTK(Ld|txLCgffr9{2C&+6G<zcAD9
zv9b0h)qZYBhno~fLL)r3$;gE}c{VBAvnYs~TPy0hg~q{hk(47M+$p6QgA(XdjSora
z-Hw$COp-(l*JT}x>I>d}3J7;XZm!4Fqoixh)W`c#M`q0IQYoBT;1k?mY5mqmATVpI
zPNA20-lSDV>Q*nz0R7h$vrq2is%bz%*3^&FkRd0GEc}Y3oJ&PQt>)?5aY4f@g+eqo
zdXYPTHqG==clGZq+nATry<N<PVfrtp?AhH2NN~J`ps(mTm?)nFApf?AWK2sK{)>fl
zsGfkHDLdPo(Fen0qw@m17ttd}Yg|nOC&`4luS&HNN0hpg8`eYq48aP?+(H6I&K`lS
zR?}s7H^O<7lWsO?iiFRw8dqSvbG!=_iwZmY2qsV*;W}mE?MLbX;tnSB-E4(^NLt7e
zXO6|<tmPH7Z!ty^03M2)FHQy^GU;1RRMiJ~`{lCI^{C($F%u&Neo<ijnO@=@3}9B&
z@XI-X|Av!KKd6gX<TCD!S#A?}rH+oTdEO<KrmVwv@Y7nq9oHGO=H5r6-5gTTe<~6v
zru(bR92)m)SxH9@czeR<qIl)@v12YIN4o(B>EKav2FHj(0IO#-#%T_&l~hyFyY;f%
zWS7ks*DYTFElVMb3mMFH>IhJhiCpJrJ{?(EeQkwo9ghAz5LGCO@ck~Z6nTC4&NS74
zZGPzH+J>_`>!HW5>F#wT0s{e1uctxdEet<C5#sgZSC+W;(L(09KMAAjWbo>Ze$LO!
z9x;Q`B5R)jBJv-(Xv!_HR;;SuCL@%Y2(=_Dj8iCwSR&bw$un80nI}CmUziMCI;(rA
z|2xXVE%TGKic_M=%19$S<o(sLLz43N5-LYG80<!*uj?O)EF3wX(LN!#A1_Er9KbWW
z`Y3-w?!!XM^J&-4fT6vPz_rjdz#VYl$pul>%w8~O{lv9K(%LsM$Se{8XfR6ap`@m#
zgOVm_5;RDMK)x+@5ugo%*DWWHS!E92LRxs2kI~Q=g;0v}Oxn^*g)uk^nhG{^;E{+B
z2|ySJXGEYSF@0by5Av+$uj+5Dq{P{|HF?1hulHva+4_8#8*u|_Fq&dHU5=>C2bZ1R
zxeE|a+Exl^JKw?dVu7JxYAR$)2^yzqAKX_yfHLj>^~p(=n;o~tVR0tpJ!ti;xKrY_
zk|2S8&5Ibr3WCnExf&n#`A()Fx#I2jBaD_bm01UJNl$kU=t|kkmuXR-$<lnFeS{dD
z`9;UtPyFgHt@-t{(E;WcydhBSN_UO?J^d>DG|WQ+=Pkfl-VggGL2y#?#~EVtwe<0&
zFCyV~unOiwwpE`POlwX<RA|xi&d^KPaOrTl<iZuowCL1Jp{QUcq*z_>hN(2XN$7z-
z<)2EZ@gTC_kNR9wPN?{su<8qe>31>=T9Tcmkx3GiWm@~hJ!R?6#3PtTJl}sRAe&0(
z+>fh)Y*j3^`(fhzX&_NZH!oc%PsJ0_{x>xc?Gol(f?3WXrU0%cEqk(e&*lYrb4YHq
z-?rj!jScP3q4sS!BB;0$u&UMR>>`NNK7|A?TjlPHSN`u5S#kHz&%gKme!u*_{cYnT
z5N{>_J&KT_P6_t9NI73!P(U2Y0(b8A+S6V)Ih9|sCP@~UvYBlTsiwcW*$FM2GcZp~
zaSU@c<kzVQCqsv^tjoV=M3rhF#S`W>aj7QVm)Vthzf9G@tdSS7z{Zyn*>g+8l}x7W
zi-xq+H4c$9d`oQb)q~TO0b&xCO{0X{@?C8*P}QRz7QJ2@>CZyZ@K^UinFl0&MosSB
zXU)8Sn-0mz{Sqb#e_763LtmDtOmJa<WyF|3UC=(L0?z0~1~B8rSU`v|W}7}`UZQpy
zc&kSVE<>f2lLF1iAyA#WV@>%Il!r)BR)!M1xOEwwvZnRn4nLhnLSxu;y5RPO$hkCA
zz9{zKpl`XG#TVGQl&h!?^xR08{Reu2WbFT80jbxpE$pzCcC(NHwT~$wvu+_>+esm5
z#MATMmT7`9aZ$=?S^NtCuw)GtD|K8*iY<YCp8s?h81%v>J<*X=2q`GN4k{T5Id&!>
z!z*G|m}?c;VMxT(vTT^j_4D&O;4)OuYk@z`!;hsbtTj?c(MfC4fORotTta{+vs&#!
z^K^~rC-Ux8<#Mpi_q;N=f|qTqam=vA19)G*mq+hW9egi~5zb|~m7_Bh+qfFHn4dy(
z#~a95ylnGYvHop#4=?XsM+j50sMCj<25r!+dpKc{dw>Xz1)1!`meXj<F*<1Ktga$J
zl#RCZ_hdjcr&ew<4FTfCRkP)}98i!^!$#E6QUQ)RJ$6^`HW&u$vZdSlIT0yTO)_K=
zrBuKpNBI3SS6uOflhTAR4#GMLXW14GDJhv$$ittI_vvRZXVI*@1pEPSuDCl;(&R6e
zWu|m>HZBs2C`InH!NLM;eJTDhPqUlU`cDy<rmn0?{{mp7EFQ~LrCmF?BGRZ53s&`P
zoSDqs8xjvwA9>0jX2k=#4x<#)$Wb)gBLP!Ql&VN83bU1$MA=eo7k@46ryky}6ySYI
z=1l67zblRl7V;@ofIn4@hGHCZEUyVq*A7oi)PL09m)}M~ymh{_w%)Z=e+wy7SZ`Sz
zo;S$gM~R%8;7T2&Q=!<*cge=}W#-OCFRf4br)-cn{MJ$W^FF-IdnyXB&lV&WYQcD-
zF;bzFEIt#MHeWH8lq+yN>VTVQP|p)}_9@6+xHl}(tNxk+PV<BiCLpi_ysRc;xMnLY
zWcam?{1T(ETf$8M6l;02<mSyAML*$|c}9b<Xz9d~gyq2vT)dZLsya6vCE{&4qrB5^
zIgw6|gk;d<%hit5mzL;BxbCin<-V?{+90KKpDn_%7Zq6c*eUvk3x{$TbXrEDKT4|>
zwC>YE5>h@68_bx4l`^R(a>JG+gk}!HTp!{G=S8$B?#p#}G_S@BxTQifpo3s^qBV@x
zKNq_Q&(PhuA@xC@Gb($Z4bujJ;%ipLl4>a*lf1dcopeC8^FUe-VJl3*!9)XGT1mGC
zrm>3B(^$T}eR@cfNe6^-En6c?JZ)z;j;0oM;TF*ph~DIpm4mhb5kki(OTLN!mQb?t
zp@}lBjH3*<hoYiUDi`Wz{~6gSojwXZ<cRFdoy%#5Y8N3_HW<AD557Adf(MhaCsmF8
z^5YM1h0oSCP?<-nTrhS>)385jEhb=KF-H%*ZQAL<=lW<s9tyY0-}^#lGB}I}si$CA
zExlEK9wXPGg|mZCF)Gnn#VU>?jKL`OfD#|$pGX~GEG)a`K1)>piS53Hb$<;?Y+__)
zlw-T^E!C`%NOU(Z<o`;>J>!gc`z3~?au0r9n5EB&kRpJK!^0x;CfQ&L2T3f7j!ofZ
zbXn7}uiv`5SO)wz<~LpiN4^c*^&6mO_Ic{vAml?8zx7f|yN(Mj?{*uE{c)A*IK)SZ
zO+Cvc*=WSZ4019i450gjM&`e<sFs3~hE7cJVQTQ21u?Pwzz7B@HqR2}sEpeO*kC-o
zgKrRxkg0s3ES!rx#zBdovcO-relxbxKl4AF)BSPKxo}geOTD`9zf0`-zMsC}m%E=S
zR}oC?OTjb<lnAF?2GR~9)l9$dqeYkQw?RVKlqG1h->(m<dG*_RpLF0lK-(%o!FECi
zRL!IAE2b~Q(43Ua@>$;YskKbA0XDcF{aQwL8v0rk6@ZVi+Z4HxsbcMzYHRbBosq=?
zJYX!f-GdC7(j<dkRd}-M!7MUp-Q4;c3C%4;Y0-*3p4P>BfZ`w$EP`}aU-_}-J1-1N
zjBlKN9Igd{o(bPrHy^`U5kxWKvK|lUfuz>Pj9-e)uv05ycURpl{Kz586hEY8Iyh!7
z`u8O!qzt1YLI}!9=~~HGAv`xh4@4Bjk#F2U`8SF3!+kP>)x5F(yxP1YMU(K{?R!Ag
zqj4*5+}+LQcl6{uRXXvEDbx1IdPD(kq*-H3fkmR{NUCqg*Cxzb<gYnNm?obfO<t=<
zW~Jj8THg5j#0=(81yVQb1rbvfn{6ugiYOIMV1th%TezR_cHL^8UZsNdkLDGexnf$z
zOQN`#t5)^X3ug4W`5?6V(TVBuig-DgSP_&<u%Gae{N{Rxs51%^<0b&iPYYB$dxc*+
z#MO6>*^>RRj&RAPoZv~shKW9+h0OCXR_4|I!zT3@H=-_e5*1D%a)1xXZXNE&+)&wQ
z-;;97toc;Afb>&fPZj#JDu;Y2O!0j5{;+m!L3&;@JE~pp!GuJZG|f|7_f&*wl5&>(
zE@3>TH8e_0qP`cas8v$)t(G5RO5w?NJj%lhUWvy_^q2ynBFcR_jqQju%?Pg)<}Zwv
zc$)#juN<#`DlSyb9=Ay}+AbHOwTSA8Qx7QAf@*bR3K$&fK?cM3J9~cD$SAZZT^gw!
z8il<;Jfm?&n0ZGC!Q{Pc5!I5sw<ce=;d(Wj8OTE)WmMpe1KkDvtICpahQ_cNO+x47
zzPb&|yMFBmx<7<&Eik=AJS0LooB?Im-mKXC&iHHPKcw=D%(9o$hCdmS14ckGW%~H)
zBugddA=Q3KkgiE}1c)uX(V|QD0blka!nfeE9JSmgq{b<*RD&y!-x&7CP8|!kKs+lh
z-+pb00Q{en5iIFnZzb&Ysp%_^9XVSOvWI?6T_mh*5qG;Zxs$gi!cem8LA+~rAtbH@
zU&>rI59tS8b>OTVw3ajtM-K~YW6yt;dMg;U!n=+zh*Q%&WUd(|+gx_M*)LP`)w&8f
zYYgI9+%uOVcFko2JE#P_4f!wBhWd4eh*`>i@nLoxyV_|}U==Y>N6@nrp%iO{&nwN9
zL`cS*CG3W~swJ5>hdFCWRj#FCyQeWGn-Ey1C8cYh19gJP55@QyMn7ACstdnzld`J4
zlm|A;dCTFB%WknUAz^Eq+-K$d<eB7oNc;zG&e#y)mJ~&tz@+?=`jPX7iY_Z>y2njI
zxCbL^ktBtIb6#XKPXijXKKcSk6kR|vFYgBsIY+WH4P1Orq?oXe4m&)>x6v+eWxkeu
zHYNkGeGZpcy#v<ObR@2xl)ndX5Yy`v5hB*yOir2+l`##OenKQAwsW+>Z5egKf>oy>
zOQ|g}z>o%hH*0)ZTW_!A?{{~6>{#&iP1gU@g*MEU%2@f-vDp-*e~0+%C9%C;b)i;v
z*AYU(a8{Ak<s8*at7F99Wu|Wqx;B9fn$;SDRdHv>b;YR}j&+Qg_oRq6(@8x`P}Ef>
z>=Fgb3;qaGB~sz>9c;E0l|w_c!l`J3ZkW6)ZWCE5Ul7HxZn;}TM-+VJm!-5CqH8ni
zlg2ATYK3>)z%sp~C<B*N)AJ;qoi34TOwrOd-oAOKhFb`6?>3Mi+`l!I5ibUzc~?EA
zTW&v3-7Z|FS?w5evkb)dF`0iNVj+__et<qA#|ooEwzDQjg&A=+T}c`J5>NONDqyLo
zpKwutjyMJ((?E~(gFz>TSPyxmTS1xqZdJ=lj9$XSON?$T-N_Pvdz(V-Fe4b0>@Auz
zbVrjW)oPO2_}j&X++-r-B7r09N?%$>1t9`sne9N-&C!)9vQi17@;J@LM)XDBEYbbr
zSLTG~j?MK}b9=PqT5|gjEK92q9E}1lT7GJjB@mqj(I4|CIL6CKsa-BhJg7xLbu$JQ
z<ofGTegOh?e#6p0ZFCZKHdyHkC8`6-XsL{9n)=Ohs?cQP9VO&FkRWQh#t>9H0qPI_
zSY0fvgMu(MQq)+oSa<kjc}CyAe7%SSu#YZ@hcUpi@H0$%;xt%~?aiCawB<O5^CDds
zaKHykiHJqEA3@z5V{GKNGsrj%p|a!XR5MK~cYawkjB2_!T=K5x>UCVZ7=jYV0|ZXW
zWQ7d71-<xGEF|!FRT7Aol6ATe8AL4M&%3iF%C%BtaFj@cUe*&EQE%NIZQIi_A$G!3
zGB`U;heaR=FI6K?jx9SM6K_U>wEb7yUH(aW3w2Q;L<NU9N<$T9EB-I&w5y!CoW;BF
zRc>z%a_+TtBI>11`OKrg*YA8A>pp*W!FzB3eRY@mTn4)=)?pcQR%H*rrMj)nkLVg>
zYv1DcsG>A{igt3D(dj~kzPpItXBThk5}nLPrnRfPX#tDUrsfN*vZW>MU<z>ho%DUY
zcx|lcK{$LM?6|N%RJqdpJTvTyHmI&o9aVA$qxa&@#3`82Km~*>Z&MzuI^vuL1wWAW
z!CKugk!xrmz5o?*!)`>E0CP!I1S9hg2d)H#@U~NM$5fB!jrvpxfR91WrIL_rN&NGP
zMP=E9S5|L)q=9z|Kjm4O`sNK2&x7+nZ?IK89=jh4Rn_;4=jzL#$5!`KbMf?a5ByUS
zqQG?83609F#dnnaCc1jj^{dPKjc#q+FiQR~?_6=71b-=$`VR{1+&LGCK=QG%<KQHW
z;%VjZF)dJOQ(cOU`&+j*^V(xtRMuqD#P07m8xJ3W?hKj%xL)D<MQjg>Aqj0F_Sx|n
zwMPtJEwCJFytS_9=#=3FzoO4fDaCn>TiC9%vc_7AEbVgi?;<Vd@$Z^;lf>}rwFLEC
zwswP`EbZmhkwhY2igodBK%l#q>=k{B7_G_zXFD;<&O<#Q)J;xcz;jubKBWVx;gSQn
zrZ;P?A%f0oqG*|ao7;gy-OszpQXHi@77-=%yb);iRSY#8_V^2PHQwPu96y8{7NXw0
zgsgl$D~@s+I+zs60dxVw;!ml*g6NA}zteIkt{&fVa+WV0euy1=`ihr&c2PuYa+0vu
z$;3>|VGrju#>nUHFW#wHTO0CHlQOH=moctD=gD3_`@!n&<i6xa>*bz5ZKXw1?MCSJ
z1rC*jpZ9PI@5TBGb4fp`QJP>Nd@nt*OEjFKqjs{7lY&61&Pq{u==#fbU*d-9ez0d(
zSO06^?)a*mS$y$nWDpH|Ev?a{T?qa|aoYK+r_FhMsCH;h0b>~;AM+O_6yZc~V56M$
z_ll69k6&Kxw`JFfNe4+%CE(=IlY6+t$<EiqPC!i-)YiSleRBEX41PiLU0l~RXyUwK
zFhGYlY1K>5-$o<nP4_=XJF_z9Bop@h@Q+;W+F=NpRpat7KOf@w)<LE>AB~(T`QrwL
z$Hx(~1uMOsT4nXQwDu2dG^3gIZ+`^vtv#o-X6-NA=WudmYiq!{x}5RW)ZFoH7=oU8
zeV110zi1T)><z7Zm2D}x{Iu3_7%`Jq{G5smH}psC5Sv+hiSeV;Z)5SBS#B!+RDFtm
zUcu-j4BRtbT~B3d=paXVn-;h~WND-$GR4;_6jBUYuz#|Hx9Kz*NCBrvuOjuWIOiAc
z503~TIYwm*X!`aCtw}(m`=SXWw`EX^zpD8fUM1})Fgw_uNn<X|*+i1SK#C>GJ!D){
zg86zwf<7h4F{6)d$PM;?Simn%X@!xm&U`)llCsO*M_e=jT_O(M6T9~BL-MA20`g0Q
z>AKnit*srD#IJ4t1uI%QLw)d|lY9d<b@hAZ9&zzV1n9IN^?HyIRL7Xv&dgDaUp>#n
zYH?@xmcuNPo`ys(M^Hv#Ai0vl#~@tsAO8o%Ksvu;=dCP-_hHz;%0o)VqI?C6R4U4R
zM-L82agvHRGJ)8mAIX*{`tA1Kz<)e9<E0$V^7HZHVl=-T&nAm_nJ0@pLEqM3L!Uqe
z1_^%UdB|F2S&Dk_tU$qGLxpfFg>g%3B)Sy-aF-rza{-|PdoFA~Ma8*Z_2V5f6Vhy@
z3O4;&ylE;PeB}yRRHucw>6+d!puUr7w6Tw3cSX$C+xwn*<?R5Lv=z+7o6^$9f*&H%
zqjIb)QaNGZ1Hj54JO{>VdmakE5Wj9S%blE*?H-L82s)z@LU@sSG6B*j6e5xUutdlA
zdr>rKg@aCKrz>{*W~VQA2L7NQ_Ij-_0Pur=%w$Vn1YXDQc&&b`1z!PV_Bx!L4i}T9
zW+70)O}w~XNZ1{hB<`+UpF(&6Ls2{QT4Cg4Q!$}zuBeo*mb=KW$I@zSVj)v-VlzO8
zeunK@MVgx>jJA26A!pAmf^0MA>UrlA*@$3$%GLm^`($RzYx<jnT&zD^TdY{pVlSHK
z!7YT?e;`SqB>|!-1?U0>UKO}@ewHeoK^#$;ULZm*FeF?mEN!ldqoVaNV?@~$CZnzS
zoWx4SLWaN(c1pyrV0DiN76z&nsdhUU#A+7Hy@lQ#cn3TF<=7w1mXl>V#-D7KWXl}z
zRE8Z6VPI7eX+)$N0Txp3$ZElF%#o)wRK?0)IOs{^^l2nfTLtsajC$pSR3?Wt0CubM
zFDtadIsqmtyg<E>aYIUM@%4?<o2>jUmTz3#PuxDt^!WC-!NySaH5-)HbEsuyyCf<K
z-%Dv*6Iz@?|K+T?DX}rVRc%*=G)gH<<+7oWXNO0gTS_RCOOwOE)Ka1s2EEYl1YW-t
z?e;pm-PUd|*y+kaSNFQ2*HxXCj6(3hbdn@6g5(CmaZx+!_QDpRv9{+)l2e{9(?ybM
z>x!~58LnLM3=>gWT4jbjfcRi5=tSsZa%)w0@Y1~~&Z6XoWPqen?8T}wt>VlqQyr&y
zObkE87%+y&=dx6hH_kO{>=U*IV13qhO*W6UIytpYw5(3{JPK&Rof~kR0|MR{U+d6-
zM+sw5lIH0=O;nzGc?tl@SAB@``Jn=LF;GAy0fA-WG+P38iF}3s;Tm&fvk(C>vMIP6
zLH)!e$?{2bCAmSp=e1R!Xo&JXwbKiqJZLYo-N_=o952qtv(w@1Vm!Z^EGCQj0{ATH
z2Vn;tLajA-X4NP>!J``TRbiN8??uI(C{V112fxzOwq7)kTUHgi(lg9bfySm{h|QN{
zQ{YdU+B)ppY7-<96@VpbYh&CiSJ1F~vDuAnhTl)y?x10INA5~)dH+}1+I|{Y^s#YE
z)Z^FX4atNJzir%~NITi?GMq9_*dfbx5@+B81zzYyzON{2Tx;$0Jl$$6vcX<kdTI1h
z>lnTbUQ!@*D9oT8JnV&sgZBQQb1>-b@AP+iQMaX9VeWg&Fi4}&1Rl`p2~gfrq#j8q
zgXiUWf%Jkr5~1?*v^8I}j?cZJ2LzMM1lPxqL+Bo8oBz&oR<`k18hBo}?ROx`s8|}X
z92QoKpo#XvFej@0DWSql1dAk}Ei;HsrfCj`r)e|<UW~c+QjJt>wUxm@iYEK&qgey6
zK6f+q7uS#$W^G}y0<au^BbmR}L^b7@03Kp-AbOsujD;C%4Fq;FO_nB0biCKz1HQc_
zVN?n%osVN5j*WsTafR7jtPoKE2U%h)qRPRQ1CK4I#8rXG7#?P3iO58OhYeMw$|a0G
zKJffIJ@`@kBM&&O;dIH0@Y*bJ9K_!Diu~Uk_R<hKgdip$KOV@nDdn6?T|(;?BA&Cw
zmCWi}@KuaxPWez6v-Mikd8`8R%4!>s0$SByoAt|ND(`H(xay|a*IXO2Z0vKf+h8nH
zS<<Y1_t#x+xtYE))wktF=@9$K)b3sjuw<1r<}wsSTN-=FW9cy_eq#v=elKT5PushO
zpAkvil}UtIdUENjG*YJPd%Yk8;%dLwetghB+Uf1}+Pl5hpdWSHK@>v74oE3*=Tcwf
z9@6hP+IZ+A8W?$CeDm@Jpc&zLKtt_zyg|or1(Zx`gOdi)9+l4!G0()7v3j8>-kvG}
z084b*s@+nY0ihX>DPcP;7K#n5@rC1*q|E+M`YrHU=gAxZR+7>CC{cm5J`Ahco}^n{
z#_E00*hjPmVBHTZXp;3gzOqbp=3aAZ+&B5rm&BQPRR|zd;Q8pTfsd7^`Fu7RkLJUx
z@x@{1>BGU{ZfDT-I}w&3q8=&cpQ{9&%gmS5Jq**HY&&|U+a-y#3v|)&JNRajK_n8v
z7=j_-+Wk)GfpeMW%RI;8XIx3!v;%*CFql6W%$7L>4KJ={=U0>Si^*(}YUSn1qtsMj
z%#d==sG+@9p^<^XOfUpn9;IgyvrmYNMr~JADJeUb87;+S*zOe7riv}u4=b0zl*3(>
zB(o;n<Wz|j7T>k$8r6$q>g#7rrmmepH@zzxboB|C&8xdTa<X6BzRX9srgBRxTNXZv
z5cSGI<HBl$(X?A0o=ng4BFPJ6KuWRHf|au}F6oNjVKfuNvmSYQCr~@>@MzFG>UST&
zZy>Jv?S2bfG~mCD?=O9^pklmO=X0RDw8%VVLTpg)1%a=ng7GEGQ={iuW?-~1SqLLV
z=n0P{0<G3OV=O_1JTyWWU4e`lw!KGyrP`5fMT!(}G6Y$+s7S6dSfnYM<7o(0(2+q;
zCt{Y&X0V$Y#RW0!iG)82mO5Qkd3)Nkv5#&Iz`9Rnw!FU0GIHfz3im5*2T)7`!1^8R
zrUgzJgb9;4!Gx@3oGjvGndQ@Ea<J3h?T397YKNd9sWs$wbqeBuxCLy|qg{@8AvEQX
zjb;}R`EtyE%{&jAK4a`K&yhkGp|64<^g1ED8Knk*l$tK0tA23N^G@3msH`NF%fu}B
zC(AKcR0GSF0^<%oq9T~30BKQ@yT(K<S;p|#lQ!HB+eilnOW<RxfW%Fc**dzq##U&p
z^-s;F^;b9H`hv)HB4OL^HR$RSu`1VKZn31;a;uozJ^ptvw@>SA$mVy}f{3DCbzAoh
z7*jb9L6Vq@z|cL%4Jo%<kgPkWv10>N4Uh#!A#nSEbMieM1)>!}>@OO$fVFBp+#Ng^
zbPv1jy>1Baw7`J^z=GLLDFp8zhG>BC%44A6v1KX{-NwTzM~`Y{2>0a3Pi01=)Jo8^
z(pSZ(;1u*M%3-40rs`w%l@j1gW)RziaAYUKd<7w_yt^z<YBAvOI;lCB473Qf31>-q
zIZ1{Sh?Gjqb6}MlBa6aje$L(Lx2X(uCHlrbA!`6uWA5oUwRf}~`#h_JEWOOI4i!A^
zf%2kUq_K&wmdoU7Im@!k>HNW7_u)bJ(P7`H5NK_1NJAi@L}1KP8>}UyYz0!BD!OSA
zNuyEyB_r9Y498F|Sw`L~gSa4!w2|Tt(3l7hoP90=l#dWWro6V2gD`wF*#GA7?qr@`
zjh3THJeg<XMKYep(`7bG%`C-?_}HX5jIAV#BXjzVHHZ-~bF9}Ox%GwNnsBRiQ<Zzy
z6b2B&hBt0=YVX2Q{0ig2U6xFkta4-9zqMfkZbs*iWb#gM+<s^69dpwHce5&pGwXX*
zO!30*zax6fC2d@7)ftebz=4(EBc&-Cav)5XE)f!iK<HpmAAAghKngg?<cTM<K!T5j
zZdMz-thPVswf8YUp*83PyPasi)9M9YOJpszjI<6+?xBbS3M8XUGUj(?#><T|TxE>%
zf0*om=~YyZ>;rN`wi^dIkz>|qj+yRSYMU)aytiO28zt>2D3aWBU*@68+JQkQv!#3w
zv$Aka!b;W`kE(Ut&};P-jAq)8bG3~1#UwdCpPpXL<}vJOV0D^pK#|Y6s_Ds;LrW!Y
zdmFm5u@7Pmz`9Q+>u&Cft^3OBX%n^S8E0=EMQm>!bl|8dJp762O%PqfY<3;b^CkFR
z0Al7zx=iy$(s{Vs(p|5M@I_%S9^q4`d0mN37TlG=K`dkbp9}sB`K*|RE``-%MzJlD
z<?>M|2lLc(3H&<vsU9Y*b^tK7=1YCq3C8_sy3~_JI-W1bi*yp_qeXT(OQx}2=E*Wo
zV`^Cq5ddK#O2slHhe(YtEWmOJsA4s<HW%B@{6;hNb1QE#HJa@Nm|VMX#RRspe(By6
zw_rO&GYo%hTj6-FU+j95?-pHEc&u7Ws`~P!lwQGFIT)Z<)+|cx2G(292v!V->oWx|
zkV!D{6NU_c9!LwNo|pMv+6qLk6Li}_uN`z-LA&Me^rM5lE+()?UN`i6A&dsvhv-_K
z`X=#As!S$1{T#+CRO_S)K+>MFkxk9IfWTsf!V3+0Zhor0d7KZ&$!IcPl2}4cb<TpT
z{v<n`vdGHd2CP8R1D=Zl(~bntSFKQ328)sqD$JL1-{J~MOkf8FE79IK(Li6FkCwwJ
zFjy^(!=8_=%*rp9SEh1Z7-+eH%82@9Y98&6X$`=-A0{g^uesGj<#2<WwF?JG7CbgD
zpskx`OIWnk4a6J-N=OJ}t<zMbbAT`N$$W8kHGDekr(ZqLqN_V94+8KzeN+%+jw&zn
zRfUsP=L%=~Z73FCY|4eP+2*(>@I@GHsh|dnYqV#`-L!)gpe~3Xdfq_obh@eV!7rUB
zdWP!r+4*Go=3;U-nqN(qKx-)o8Ujl6+gfQ%y+AQ{pOh(#(*?65sH*tq94=TL;p(q8
zooDIt(5vleW$iN5R=f_dDxj*+01}(B?&J!nl1+8tr)}oiKi3w%O);2#mfyLVie}!X
z5r*Dl>0Y;tDDK`BVLmBbkd5~iQ#3immb84JdjMu7D$RhfRuBjDbtjaAw!c4U9qkVe
z_j>y~-A*g;Ro)6@r{x2ug_%z>Z2{FS1V9|$&r!PpvjdhK5Crcm@X^uBiH4^~qi8q?
z;X&{NJJO4k40SH&X?8JL{&IZz>SQ*V<w>eCN^D2MNm&BkrVg;@NrLh)I{BXI0Mu)H
zQ3(5h0ZptCBmsK&d{=U)Xh@-^(^Nm0d*eC82jkH^o5PMv+v7(H+lWz-UWF`A_ePV~
ze%jcFwgzB*?pAd*%}wY^R%UDW!h$MM(*rCq7XD}}1#fiWbuzD|{0vptHS+IS7V8u|
zztJp9vdj;HEZ6g$Xt(2cL$4ipkskua!u$quD=Q9}MK+FsVQ{0l{f;69XS-Xh@&NP|
zg&UE%2lC6JAOu*R=Lf9-wHTzt3@t5|S-8l|?kwu}{JmjF$`13<Yzf#a6M2%yF)EOH
zSSiWdVX%kr5v##nsXPDx5CBO;K~$KeZ33+*6sJlR_}flls{AokdZ~(~WbOKhD#5qT
z^;eLYOa2h6nJ!iIrfwpu8VC2&v74@iv5>^9E?niU-_->*o8B?y{kF1wMpsg-@o=Vc
z<KjnBIx#6sHn436Db)x<Y+2x^zQ{b2g<jqcR3{30Ew$4P_IlC5PWy1Dd$7~p8*~82
zc&LexQx|8{kHN1C6BtsC$8lyUL?R`4QasvlhNW%XMS}_~=o4iH#8u0fc9uu6@y4+}
zpC)fEmoLvI#}|v)!iV>%3z(wPM%GoAs~{4qkG1cc4h(l4zZJ^B<0j8}<q36t-szWR
zumIsHK!`z_tKoEcIa*8>`4V>7qjo`+p+l}--1Q42S3S3?Z`Rnyum)g#*0%0Ps+*jf
za#8!HTpI)JYaT*e$3lLWTkcrRbAf^gG7yNE;6;i;Q$S{=MvfEn%lUXZe{$G=xYs@0
z?d<g<6=3$1$!0)5kqVBG3|X*yv*Iz2LUKh;E9XMxHj~4R7>0dbl7WEns|e^RtoZSL
z675U!xzZ|tcYMDcMcq!cw-Y{n*av7eoGvcMGk{sBp*2qzu>r0t)iQ&KBgF!8P03dh
zWxar+$37ekzgR`}_GYUET`x8xYnKL3sIFfQQv+C{4#-Tgb?NZ2jdpMm)8>7!8Ctc?
z)Is?TgKwjt^FHlvGoQ5h3e8+M*S`IPYS!-60$phf>$h#htjjRDJ6N)ufd*D7&0>L7
zEQllmY$Yl~r6XlJ5bXyZC{QR6+HdXm+xvs|ZWsKtpc|@4=@x((xd5^Xh$|R)(ggE6
zeQX@hiVt~~W+`=*0QeR7@Bm{eG~hYXMMsS-VL9(W7(h;8E?Sw6GSiyp-f*ceX35ED
z`SaQ0<z;+6$!1xQVG=s_e!zCjvbYG9XUFPz<-QL=%y7_)+AS~i0XpS~?d<82t86k+
zXtY`cSV^ugNAvU14CpJYh4#4Sx(KIA`<h0;Tcvc$23>u8YXH`LvK5l!c4mY4TZxTY
z%z+yk+CP~$3UR<f8FxYw2F3NnGR^Y&VwujD*>sW369Yb3W;}340~BA-o-ht9U`o3o
z63fXtE5c7!DTh2xZK0njV1#sK+s4Th!l0Q`YCf)kvRJ7+#|vPHh0S&%f6xIxSWb8R
z$zC{|Mi)cW(3&l>MGP*ZStfe91V+mw*eh09)h;6csqzu`nmXQNvc0JQQB#L0rZ|Dp
zFhoQ>AA7jQ5mN;dP>uK1qk$Y2FwF3Yf>snowyS+ro9ayM-|O#$cgS`$_D)P*`<bkC
z7+7<b<W1ql?US<E@=ldyEjBD{0gSG{T~m0YrHWyL0Tw;2m>vKRDKOB95ep%+&{t9D
zwOT;=cr9Oc1Gy6hgUIVg-VQiLgU(*Bz1MB^+kV#vk4LLK_JQ0ICPdyzqNr8AG$!-N
zQOj)?`3##zP_`sV90+Pu$TIBY@L=*NuvQTeSBS1eE7s9M2Uqj_%`iS0&Q8YDH<$6n
zR7_JZr91>ogp#Vr+pk|28yLlY&q`8?Skw*`X6WarERV%HCF(Sya#ooahtmNdak@wW
zU=62n0;4FF-2}9&p2cC7%Hr=fPS0m!4Zyl*c2{&IMM+tg-@nE~a==2eRuom$_}FO>
z%b~#yLkO}o5}-<w#(=J1$QaGj(ITD3+0kya*HxV`L@hz2pkP#@+zZlsA-~e{ScJNW
zvBANM!U%=7CsS^gq-RbIX*G&tW)wz2r<jGJVZhDw%;d0F*w3fy$yQe#^g78wd-||H
zna7hUaPrA~nNH{FWSY!o*?gHVmLiUIlBKDJ0Xxq$<!ZpFr@_;v@vbt|y6h)eoHu(?
zi)yKA#kyctiIX-=HSA*ZRf`KEc$QK$g4fkVZJ0<FwU{-8CyUd>i6$#ov%-os_UV|}
zc17xMQonLzAJ_HiUbt?5W_|57Zgl12wT+tUNA_N$wk=%dVKKhD^DOsl(}nmQS?0O3
zFGO?>iA5QagnsOM2AH01SM|Cc5I?=h-)RSjKvuQ!HT-m2K_~El)(XT@0x=Fi3W9(V
z<r8pcH11N!+2T1FRu)r{AgQ0j?;J&_s4YD9^70K9$^;sTEBI;U63|sUmF-0q3}bmb
zN`8DZetAB+m@bElbe@OsxEq9G0e(@s%3=46JFNwm1PY5v*$u;9D~Nm#jt+G~S#QEU
zb8Zbx|D%WvpsPh@MoD}zT3%3m(0FY>f}MnDr_U}c=NL#kUKrCnxSx+T0PDA4a{Id*
zYEL#SZEPJ(Id?n0nsoRKrYmtS6eb<uz>EEr^JJOkv5sQ_xW$Z?$#C9&dI+??-w9+C
zgdx)40AUhr(F&s{b3qn%C}X(KM8yquEy#+&PI3=3>)Fx7LxZnJ>M@3u2{~gPJ3}j!
zW%dIvK+b=!6E3@Q))lj*zlbxSvZk|iw$Ss~%ob)k*YJCh2>28GTf@QRDK=7+;F@9~
zw|2q~+J-Pmx2HURiWn?SWr^B`T8mH%iBlNiR0^dwV(mH@29m}RR?-z1@WIj=O=Zrk
zu#Cnkno40Cxs?~PT)we)X6q;OU2zPu289c{lm3xK=uK4mBha7gB!^WC5miscE?uJZ
z@<60m;lxaFi+OH0w2NIax}vlui>tUKCU?5!IrWeM2H3!p7X&6m0hdlIQoWAf>xP4V
zyVnjoks7pocq#{x-wsp+<dz5Qv-UIqrxaxxOir?&g4!)mK{5$Fpv$6(prSWe7L*?~
zZ8Q%j$|j7X)UZ&I6m5W6iH_!3FirH;Y;inFU!6~XI>zqK<2YMnB8BK7%2WAR0fP*^
ztet4Csirp2;2(O(a+^qc{TB9$4m={%P|pvB3gYBBw8xV4t~>?4oeM9{<<&GkA1<z@
z>2zr_L#oI*0xbNY`WxrMm6wiBaWPn|+=O!NMPnbu8h~}*ZHs3tYjHn%$CTe#8C+#0
zORFSm=na?TBi&d}7zgERU`R?*kxh+BXW1wjzrGy3xq#T*;Ms%jgT2l^MC{rf9ES`r
zOiLOnGL&+b;J7J#8?!a?3b*by&Jze%Az1}JE=DxA9#K*rEec8CXXNi<tusO`80%r+
zOH-t|(BstImd*m1b;C4|lH9`|9n6+uI7x@oWHbfdetCX1yBaS>GZ^IoqICthztY2A
zwJwEKlV7hXlxGyll+ymtFqpeYCJp<_Hrt^ASCf-VgqC!$NmNKe;_~Qpdo0r`xJw6L
zEmN>x#U(9XFs@Q&b*3x|#@`hJ_|4lk=IO3yc!OS=Tm@LPgs_;V@-aV?R!60vMK^C_
zrTVnorgZBr(Rp=G&=hB-V^dOzwSG1<#`3|M^2XtZJPuqYl`8jvHc}9<OMPWpzUsAu
zK`+`JwD)&A@S@lDdz}C<7G{M*#8By$XF`>GGPTqVBQ}Wk2b_pN4?Ct_3T;I=JvszU
zCB}io^mam9xwa>V_$(xtv_~FROL=VpKRSwIb+yc1olkx~o&0n>Iv&R3rI}|k(SB;Y
zoS~KRi1)Ji2De3t3K*CN(i~;7kbw7%27bG(yxmTB(CPX>q#-EG0Q)IQdVsH@7>&*l
zar&6n4}TNzi{gd47*7${E%JE^;X+jILR}kR?tsT~HOTh5O6wQf`=D@n89NtFvlNwN
zg~mRbH2~{=+s){z;=j6gYVME`^#qIBdQ73k%ulyX<R*}V;~~m{$}CRvX_ERPo+ojx
z^)gB4G5nTk7Ia&_r@^5G$J9s7W$;B&-AY&tLB6mZJSa9t{x^HmxN&V9p(RS@hh0S%
zMl@Us=tw3>%FfbpVx*SrVN)PdeDE_&dW{yD8V~eno{c8SWk1~MdKaSrVx5Z^DE$yf
z{LEm-=oID<jTs*hNlbA_7bNJTaCk)ghS{~$Q!VF-5BEWH&9;^<P)IEwUE7e7hmytI
zDH)1sWBZv2mO7No-dU7Iop+6m87ilc%6U7oPFR?d32E%pGWQ@klk1<lW&`e>B5G80
z^wXk<+^s&Z#+L9Ew~VRQw``n<%MUpGN58E`C=yqwmy$`HdwJ$@Uq6&t7eH14J?#fF
zYzZG5Q<*RnKvV7XTKiN9cz~U?!geIvp#mx^P?Q^hAP8fKlDY)i<}kcPMbwqC1d@?O
z<lU8$P)i$nMsi0e3o4_byaTOr2=t3Ui4Ft@m#IHV^!X%vbGi8GWccD_{NiMCIn6T}
zWiq6p0IQO%&Zm%-97$8Sb5@8L_8`xJY3ulYKZ5vR)DC?gQ_T!{nilo)j$7<%xUZl`
z*wbI;Vm!~`XOYSjdwc<WRK7$ZFk2tvMq%SHFkhJ>?rTa_oyyH3w~YRceL!mfR%5Fi
zN97Gu4Aun`Qd!nH&*f{+j);OG5RG@p%;$;};DLMp<zzOS#>3I#a)0)4fAL_if4JKn
zw0m9%G<&MkMS>aU$h!N|SESTu!-Pe<2*MU9NMiuLWtuxmL+H=L27}t<1*s$5Ar$Uh
zMSq>$e&c$f;dly=$rC9A2b33v{jk@G_WI%BUgz<H!E~t?u^CUZ%i(e|OXJimlWZO*
zi!@up54fr**9^!C(G|=shE$<p|4GXp<+e~58g-%JCqqO<F;!*fI6kw=F>=ajSdjN?
z6e?Wja8@X@gvyRQDjG+MFV7f!)d>$Px8p`$&f2M7<?^~WWY$~RI`bsWuLrM{waJyl
zDa%%}`@m{W4q7>mnQ!<a8NQm&#}yY<{<8957hC5qIAHJ62i>!eN(vGap>*is{Ew9&
z1|C3gI}(La{v0q?<jZz|Dxh76`gOc^SG8IK!h)TazuRx`^xE*d-wxZMjC=#El_wMI
zHkx588-<;+SQ<2E&&eH7)!ndiolg6-a0e}2g+7zw-d@;K#~}Vu@W`d;r-Yv9EK_wp
ziBE^i*H;SwSg$YVr{iRjsYLkzuz)Mml2fW|wk2aCcL{8FYAVbz@N@^cQb`tg8uRh{
zofa0=U<1U!ryhbR*_RQb!X5Jc0EOK#T}*2aNwOrD%hW7V5d%y`#Zh6nVJoF|Igu9&
zu6Z9S&SbGqLdeEp`V_4JSohmjec~<4)SgXQ#``LGWE;9NZW!l5P%0AQ^Bl}#j79x*
zgoM##oFrJIotVWepHA}GG)oeh?R9rMK?^VkN;&7?7Q@g2&YLGWqn3*bdHi%+;~w>#
zVv3`lcC(6hu`{>*3TLwx_F#Y|u>#TLwt5lUYvh41q9DMaM$6mldr79!+?&qx^NYoJ
znk?gdzD%YIZ?;tP#G5B-o@Q~D6PuN%5FW^r9Q=7N^D(Rv&|zqlfH1frAt))to+GF7
zj57+y6O1gG1DZr>cxFf5Qd+`Nb#A^f)r{ipRMqO8Q06JG-4l)7+Nw{PdFzu`ARi-3
z=)mh_HE~*oCViWE&M1TO(1mMA>Aq|oiNf2c#|evsDPeJnO>B~uB4!FyFpUImPwqn;
zU+DlNXTS)h5c|~{@(ut15CBO;K~ys;@q;Xa=fzW@=e0u*JQF}y-HzYu`Mtj1ZmBTP
z?Z^lC(eH%aR@egPN#rPGr4zta0+=IBYE@3xz}VVY_l#B`l!bki#Ym%#aiMU-dY%*#
zlqmFxO|g6!OOS6i3f!i|cnL)R=ke?F@vHOc>x<dxXn8ryC$U`UAXC6z`?i-?=~Oym
zynLiAqJ>A%_f>$75lWsy(DML5R?7qT%0oX32Qe`4tk4N0-$@~<FLMoE9Jpa989!U<
z$vm4bQk0Cxw0)0%U>~$7yNi}Ed5x%Ad&aB#*$`MC*&2X#-)$Q~VK%%H&TqDg%v;wa
z-Dq5Ygk|+p<ubBOnP3Z!r5^yun9ed_erA)=WSjuTnjG#tKI-pwgGhS53{k8dWo>}O
zLiu7FBcKt@CACwI1&l+!@<{*zWo~qWPPSD8H8oeyY^Y;5rDs}v#Lha*99f<wFn$Io
zK#v_2bpWn#u-Eb*^m@x!EC^uD7V&JE%;RiMJ%Z+O3V%-L%kgXhBjyaXOy?$_!$?ZW
zR_t6;loJ2PBoqFF_Ei}hN^mh8ybhe;2FK)ueu%*iO4--gv@PREsj^{1A<96JGDTHF
zCAoRs%230m&nwl4jooCms=K#Er#4T#HnkR{R6$R2(40Tx%g<L_yGjtg9SVxdO~ib=
z+25o)XPXq@hec@FmafrFOYb1M3S=Jo#s^T9$5JOAN`vYkG`&`^Hvo331<(rX0XtzU
zggaJu+G@}bTkupPQ>6n>gkBn`44wxMTq)F5plG1BT^uZ?l*(bum3z;fThe4G2wIjJ
zcCs#5FDN`u!vG?&YYsq}TzWY$O@1_4=;O=T>x;>&(=q%$zMPNd`BM9-2vIX$F?D3&
zt6&$7Lxk=su;-%aba|8~1#lC-+G%@-2ff3?Ubh?gA!;uGz3#3|<*M3%V?Z!2N-}RW
zjW4l%>U;*=eTHneqR^qJLAvrnmvE|bQP=Mu`)$!Yz8~2dfc0Cj+m86Mbe-2eT0>XG
z%2zN-0n(`S#=6mlHLZ}bM~){;<JhG0dA3~4mkTqSrL%c_wA<N*z+6kU{4i9oWS%J;
zatKzTtf=C~r;<vXC21#EPKzs*Qm5@8#R`#bQ^MEIi<B-(W*nQ9DUx>(m<WPHHKj@r
zT`vQvA`!Lou9qa<G6@&4S|mZ7>SdP4nVDlLVmzKMhLd1CiziDxOY((I6P<9sSu7f&
zA8zj>T&5H$R6x9iMJjw-9aQeGrUVqL55{x@<?(7(&sMduSXLsWYLg_PDdq|L`=+{Y
z(+twLvSRLg8-Qgh&tR2#wZOuD$eK*TGRTf&vXgP8ysR2J6ta+BD@ZIG&9sHEws#CC
z@mZB|dxLriu(C+$t`DI-^gtl=-3mf%y4>;ys9Dt>^ja7eYyoA3?P~y3wL;PB`e9&f
zz9eRAX@%ZKuJA`&bY~edJF+mSD+Z(T^cJyKrtbKdWC61%v5{i**vkPTgAiL60G_-!
z7fX0Z)A($(eDP-Z>I_Q-FMzw6W{VWQ;u{Yog@xm;%3;H1f$<ntTp(j<GOnEzSs3Kq
zPO!Jz+S_Th+lG2PV_Ig8bpV<h7}{<SKw@M3G7=)dT+dYg|Ji%<1~+bG%NIayBx{po
z`}Uo=?~nQZ-|4-XJMFeDsrKTQ8}K3mKqiu8l}b{oE!pSS)#VbGWM+~~97F_8+&*kR
z-fr%n_Pc%Gb^Nf*NaL^RLQv<@G^ld;M*bi`V1a=C@`2P%>rRFU);RI@mu@Td;2bdT
z=_;7Ds%g7!w_iUzZa-Y#{^RG1|Mg$L{Nv}#tBZvwrY3i7k@1vHQ7S=oB1vQb$o!H#
zE@`4*jvqO)Fh7(uK`e$%_V9SGeGtyXy$ub6jC8m*!Lq*hi9Ievr;xuc^L&--f&y$+
zscEq3mZY3`fi~qMI;(bVzpI<=PQqHPy?)yM^W(?6^|rRI>1;!Z!`3#u(^>|v%nxKL
z)O>K2z1ZgXtfzOr@xvv>tQu>>szA;(D4s#<P;evt(6q0l=V3<4+Ac{Kx#Y<8IOtAn
zicY`pF{mMDQsavL9PY(`e%_|^D2c*%N{6a;rN(TamQSXUr1Q9xA#TBjrvx3~On8f<
zYso0xY%Bq^-gCisrpm;0fd2MhHxpv5l+kOKMqQTq)p>Dwwz#@jzPq}(x>!--Z&l?K
z;VmfZW!R*O(&Bl>uA4>PSJ^&e`zvmcWvzFrqOVi$g70T=(vu|{vBc7;B;cH0Si&qK
zM5rZ-=j+BrU9qm}6}P>j)EkMao^(x7HO@TN_09eEkL#!3uAhGWu)cX}DW|{dD7AS;
z(Pfr9x{$e_pT6ngOEK<)m$Knsp;q1Sx3bo1UlsOzrLQjXi}P$zwpqre5;W%`jYX#}
z&sa8Dc3?IQo5|CxZAnwL-Yqu!`orz!{q^Gm?b6=x>K?il<h<^t2{sH$siDm5Fl!0E
ze;}{`lg<@C6<SX3ch77oQCAXi@(GMytcxwrTsgQ-(xkI>(>A-NecIK#hAzOxrg87y
ztS-)q)xxbRvs#oz&U%X7rwm)~`9<Ko6elPSZmkp6Li2Ujx>rRJh8f||F3?}Y{O=GA
z@;N)P<nq_mKIc)PWJyG6h%A#8<i@8p=nuNGHyua*=}JnM_?vZpxoobV@_lD_O}DSP
z(t;vhb?dkktrz9S7hmhg9JZjA)B;<`%MMsI46A*pW|QC1>?cSi6+1<GH53YQed(J{
z5B4yyp`SlHN5TP@^<!KTxcXXjk{tBgObgg!>_(D*p_hOW<!@q+INa~Tx)3j|_=6-t
zS-&-3Wf*dU;%E>Sv1Vf6$pzZRvO|DzrJ-!S@jr!OC304(w-?2m^MbO0Z!TAFug)*e
zSLe%$CLHWDOeyi;3)LIhPDZmRM=_$73$3{NFqo1kFWr1_TAPsd)G7(L9emp2!F$m;
zM)o*B)N`LMEkAj$%idJ2&39Jsd(-T@r)_tAzy5IZ^!xSW``g{ehvuo)ovPU5%1~yo
zRNRY@=16gh6(edfbTtWmd#$6z<dkApH1Q)jbylgX^PB|M`N|YI#o8N3KYT)ZUl+hv
zFKLiU@{(Jo7Rz3h+uA&=yPJpI-Q#{+>$cD6UdN_cd{yD=WSB7}>P`<G3Grq8F@V4V
zC(5)A7e%Rqp!67+nmi$hE|ZMU{x2>tlGS>2X)~D!A(M4%^unEXnpU@}Z$3OyPVM?%
zA0OUaF5bOe{m0Mezr0)hq^mQ!YU!-Vtj?r~J+I5zcXda4jm7|8&uru#JyagN((Kr)
zE1qN~O$J>Y=Ts0C>{2gVl%8gWc9mbn#FakUMYA3&k*Jcp&hmVpj`X}T@6O+Cnk$NC
zk-(zJ)~@dA#;!Nb-Th`mH_4Q~?MQ4nifrwByCaclb2b}v(z(qS^BZIGQX5~K5gMZT
z1K_HSP%6&_TEVx1=k${A(5aLf(~iFGDtXUNpRbsgaGz?z_;<M6yXS9oGcCm&yv>+c
zAvgZv-?#96^eyT1kiIfQm`g-VFMdrvpk=)oruP2~?rMG!B6pYJ=&w;+AVt3oTcs~@
zMRS|81x2bV3Q$q*Z&hWb=~tz@TA3B)$#YfarYzbrTNiFaU*)i*aWopWyk*;2-IA^l
z4|k4NaqQU`J?1sT$8|a<3da;8uFr_qkjPhBez+;BGYglkoLO31w4J+O?|-|#|KsDs
z@7MRYkNeHutsA}V%f=L)DlJJdu7WRulc(rB<I=FMJ9TLk?WN@axr(4EvYyn{+pB^E
z)@n&Is<w7#xX*MiX7a|L6)Q6__Qhheu0_*w_0`QoefQKp?MaJqZya{i@-Fm-qhrC@
z%txY!>0k1tji*nmaYxg;!JiKV7C6mh-uBY{`oyEW#`3jLF~=bnei1a@&_+uWWpVSf
zuBIz-T{oMid)RfioA!3oJnY)XUAt+|-(8lgg<e&~O6R=xPL^;}gov)-IbWpX$l;BV
zgW1(|XHVw`bxb+NUV(b7Ng8|M_$5_g9!sy%$__*)PbpLn)#?0o(mpFAK3CbQ$gfsK
zZL59nxKyiQb=7w2X;a^v7bLT27@(hq0$QD_d$VcvW3A{n{Y_`2?mCiSt>t`B##8iy
z17<-;hV_|xtfg^-Y~sw3>)mJoJ%km5VoJwsJw^o5cUKR=u2b=>mrw3rl@~SE3|o&X
zBUai?lewW(P>1%D{%x~KI?Fc|W*;f}i1z+VA-{W$DzWtmXVTfHO6CjViOUm|GS3!;
z;f8<(DJQio)%hYjU*;EQ)g}KdmK7U;E(&|GP*uh?SjNdq_~}KI{7JUb$&x_YnKm{&
zc5!{8|4+#6@k6bfsQs}1_^3Ow^2PVkfJRB|ijOw$O>Q$%OWd%zZHv0skNfWWsrln}
z{p<UO-#<Q3lKyGewW?@U*{Vub3l=1FL|}1t-W#JBe?F5LNqk3!X#G&O=u7fDu1m}9
z)p_;iqF9y`v}=^Dm8$u`jqjrxmN$#{ouTis)kV{1o4vZZuRq@I?$?yBq*GaF!?Q&`
zoxK#MNyOYH`GQl|*`xC_&X;CU{NQVWzyhBj1gAdZ3+peiW*B?MxCu|-q(!`zh0BA@
zi&Pn9+=iy2SLz$PziV!v_8)E^@18FI@$>o5;{0yUxzK}ss(K22RXJbGZJf%=tesz?
zQ)5OU-6wsxlflGKCl{u}YLDm`6b3Qvd`~u=#OlMOHwsA=Rs~Atg3_AC7BqxWmh+7M
zqydWiMw@-T`p4CZ(uHipO2<PQtJh6$o@#sj)RM&9)ctzbJZ-n@UA?XAjt2pn{T9AO
zPv~425<b3uCgfVAp4Rv#vQpp`1(q)yRz{5;;9+>vCt?JAcy<`=!LuX|lyhutTyU#h
zlGJla-A!0zC)qLo^1bp)N_jB^C+4`wo2CKm)!B=46-xnS+f31CQBl6H;$~5%$aGZ}
ztL0+3C@BwrwkXffq(r?k%Tg~Ywa8tWInrAN<->JLv6<3vqvb-`O!9pyd?|un@+oU?
zBjODn3>TgI<ex-X86W84B)8E%ZWI<{xHNV==&ewHq?41Zc}t?MdQEBi(&Y<Xteh?D
zy?NN!n}_uux7&ZdfBbO2d)T%lt=4tX*s{|_$A&2ddol1IxwzkDzSz<D8per|8Q$ZN
zrJoeHDL%KEYOCD5xu~wr@=VvZr!%uRiY@H5UvLv_khQeP$#h;)bggOB-Ba`aX8qxI
z^T4KhT9rkXFA55!_j$*2D$-zL)U1QPbKzQpZ{rUJ1Qz&mLh?|j>Lk4a=;<T<)i^09
zXRnuRNPDn@vEr(AZ9CO)iecN(wMKE5z-_nL*xi+Sb5>E_ZJAXScO|3wVq^Q3l5BLb
z%|hoh6|I~PcXYDq+v%kA%Egs;E_SW)8p(!Q4B10bS8|O@@^0D%`yr=eZq9E=Lj6`E
zSw`i#EJai%_s=0vM=}5a5CBO;K~z{3*;%!uP*!hE-*aUKr&1__)wo}_-6IRE?rFP!
z+T>5We6ug>p1qw(Io7@9>e;UCxbKGai{@Zq&`dhmg2|dhFSEif`HQphzV&I%nVJmV
z;~N(XdBYOTlLOD+kK>P&8nyTgI5n((6~h76&bklH{>FWX!A1WZH$0bpq)gWtHgfAS
z5nF7nt|&a>axblN5>GiPs%2S_%p!rcTvm&U1=ea&o~=k=74+4r3RUD3?qUJK5>4}J
zICiHKr-odDVcwxP?#;9|C|C@;A%vzvrqacZ=HBqls&F-MG4LEO5g{n1RA?=z#(be~
zi^J85rgNm378JN@nqpn6`-kTGo`lQx_v_8CAJ%v4wzgSK=|WOh&ey-2Xd*f~e5n`$
zPTmAPd4H47emqDH3TEP#N6Ax)U|pQicf58zU5NIYvZ6fA)3MKj4suXloxbU73erF9
zKHO|>?swao@`E{>w(C60XaZ(h`f5`Y%l82axzlLG;`OF`;q#;B`!s?XfWQJ@$6%wB
z76DBDP?KAHPC)w!qjxQr8umP=Yi3PXC~g)_b3K}5Q)aDyf7@)fk9YU`>&wl5yxsoi
zyUYLj`7*y;uBx+AHLhNF-Ntt8$D<4Oeh)9C?NOFcABMEtFf;Des1cp?2Xry_W?hmR
zFy3Y=<PWt<hZY~!3d5sHO3SSeCvc9Smo7P+Rm{t*DD#|)*|~{_?nPZ*+WbG>R&B32
zpV)T0n#=zwxv`_a+itzDA2*wa_2&MGZ|`}?<1QVp&v~29Pn3PtycUh+8%j&rnv;q#
z&OvY{Q$}T@hRB>c@xF#-1AbMPR)2eeb$s{-8tdyBBBn~Ip_HnR1x(}1#a;=)4TZhm
z#Hob7KyAI#wk-=sX+Ca5Ly5n_P;~0e`PuohTvplHqPkcu&z2R}rsuqVLyKXiG+;KQ
ztJp(|<D{(8I7lN+nloOwTGE%yb$gzJj8Y@4unVVX5F$>xLdiN@9oL{x8jP!p{IlW#
zy5Upk{Yw10+PFGW4S_D7QFOimpr(*rV~sSnT5a0=_No1NUw^pXUEl6+9@@L7{$Z2t
z+oI!CU>?2#HadREI$bGLH^Y0U58lV9vD}HtN6=VwT9##Yv8vu&E-pBNwRina<+Y}X
zpOSiYDQF0haLMNOPVXCg|JdBzZLe?E_m6ek)3>thdM<7k6D*^BBb_9Q?$xL9S0$&%
zdRKSyGYNI|9RYy_z5<=hr*vx1lEnEF;>FDC82<>r_|F@PX6#=eR_0c&gVwe+FTU&c
z`+B#t+pXPgZP%z~*LRnT%Tkw=!Qi=m&h?{wP3}Zwv?47IE<bvbC3NZTxiJu+;|eV=
zOZ@yZHng!(k*V0VBZ=;4ZzL3znwG$W4Z$qF;Kp1d2fb*vN-0F{<jVGjGOk#j)mv_M
zt!SD{6WM}dTCJ@b=k^^1^V-MV?*2(XtkwOK+SV;ih3UH7G?Y`|W*|K3Sj$%Ne7oy<
z+wtE{I_dD0U6O{BWGqF5WkYUOpMIx&48mX4Lk?#=bCXZN-;-ek>_01rHN>9uxSeF1
zgCnk%{&|X>(=)$L){Q|{o|G7xP3SEA@X~%>=Rsea#?a(sRq55jTr4S2N-4kMVp(1B
zaz6@OnPruqRTagns*-(t`;LuM*gYzvtdtG)=ON+V%lce)o6EcnN(e)RAkW|>G3>pX
zo*%KfiYZQBi4xaJgv=MW*bG|6D|kH^?J8NHt7KiU=rXZPXU`O8TMAq|RXek7^7X#I
z+jW23?myh_K3?zcAKUd#Z)>yf%GR>L>U1U_e#K99((YY_@24K#xOfm@E)_rP;hhL^
zBNu{QK0WKYEO)Cazc?!{Rt4o%If?Jsn4Wjpr4dJO%B5SU8|x_hf4{D8ANLQNZrji)
zE}be{ZoTLVUkMibRU}4bZal}(Pd^k8Sl}CR5E+S+?o`c$z!3`zuBxC>KU??;6Ve8J
z@!=bn&b1_;+{V?-ezR%s@7C|H7XS6`{C~bZ|Hqrv+q0{pp!5d~2DMc?xdbaNOwlfu
za=SR&)1&SiXR7{ce&9pur`O?f=7JOB!2@EQ?x?POS*ky9I~<^ig}qh=n9PZf5$&jJ
zln>yE+{vWoShuXwjARq5T)Y!CFVbpNvG4TeO}1-R6x?bkSJ>-)t+!jZuT|SB_A_l-
z3T(A(ebH@qHT|wT`e)a0BSXhmc`oejdhhx(T4{{$lpE59TGBW?#m{6)J(hobuD}`!
zy?z`u<|ZGJ7akT(2VOJsC7(u@n2@<?W@r2{QtDJtDvEP+*2LG+TuP-EWl0gJA~!{0
zs*;0GRj!u#;;g(Rb+st<*&;t*7OSeDoFHWbWrd*f77V#=Gt*`gP37;3j}Q$L1vh9c
z$?;j~=qwp&zc$dsR#byP8D>qxNr+BSN;;p%`IL?NOeZ;Nr4p}^Ft@RxOQ@H76xS(=
zd`aI4ZWQWVZF~Bv?_GYgY5&j1$KUUE*N@HpWB0V~cMZjZtIm}zg@tt9Qk2VbdQOs*
z8CPwwg0Ws34vPkqN<(kK3qLp<`%k{V4ETAU*O`5ntDZuG7proypm)KAb(&6x!ZQ~-
z-uT{vl%s6u``fz5U4OS}?swg`qc3%-@|AOCy{GROB|N3zz~nyQrxV9A72X;ft~h_&
zdCiXo1lHe?7|@^L@y;dbwefnDJ}=2_#L1zH+w&J&=k2F`y@m1D>R#Daht7OCJ2SNX
zzHN8=X1%GO*1PSd-fS9fS@Y)X?Rj;+q``(uRXL8sSH&(CbcD5aL&wxOIgN9~V9}Y3
zsZOW+t8_4IOk~J-=wtXQ+?U!S1hF-w;=&>*8ABwl<W);1{jg0~i7lf|=Iur~u$S@5
zBerEVtJ0kn8O5}ERd!ZUl#2w`Zl_3KbtJG_+csV61y<c|cJ+QwH}nmuv6gP;vW|vJ
zQgZs;Qk2X3uCpBUayBgPcTxX3QCD0BqI2)!GlU#R9dW8Q%bog!L=F1vV^Z|E@!@s8
z&3NJt{u6^3M`}slMSb+yc5>ndjWr30y5lW`MW?~f(}#bCAdqiT9^#^$FXEsP#hA{r
zY+>?Tah;BlpG<lTQ(UU5a#B|Xmr{|0GG(UDN^{9kD_s?8QBWK!=ezPO=kJtMXmJAE
zD&G*(c>$B0T^H3=w15gNm&EA7`>Z8K25vB53t9D4FNROMmYi33h8xT?{rAC0U`Q<9
zy|D7OqfVSnIo8CJt=#FNH<dNZp3-ktZQFjcYoB&KDV0C&>i_Te?H~8M$F1Ges;Nm%
zQ81fgUF^a@u`9NSh${o7>e82X*?6Tg2ewkNEu*|Kypz6c(eJ;nR+RUSuTBjK*2`6K
zd0tf&1=u89Y^4V@uOHxmowUT^rtj8qKg4~n*Nwf~bnhSbAJ@&A!q42Au;ehC>a8-q
z-rfb1JLkLhSmoa@7edM^`q2y@EOl_*O)p2_PX+?(Z;E^78~9uW<+G0;91ITC)X{S%
z%hkdPHa)a_i2<h2LeEEjc%^g3^{m=<uIo5=*0PMCDQvrb*zDimJ^gaE`p=&(etCEH
z)4RoLStwI-1qog8v^Am8hpc+`PJ$uMKV&nV8q`&om&b)Wej01V8r}GXMnmat*vrWg
zk5_FKW}7OOhdY0oyp;5%=%iVK!;Or^z4kMDzX4zWC9`KPcai1xvKJJ3aw0_)S1(g0
zXp!}K-mh{t-{!hoiHlJ(Li}4va&>gpdXii{*U?i-rBe_4{;BR+nAYufx7+PIQe!PW
zg8LgvkVITnC6z)4Ov<nD&4T0@VmW_&>v@QZg=b02Bpuq~C1H(Wt>rVHk>nGl<J+%-
z<bF<IeVOobv5q|Mi1UNL8>6c(mcaz*)0D;fp>ZQ(JVu#V|L7>f!oAjuR^?AyXzj-)
z>9*&0OHyxMNQuh_y+M@q>ZOgI%5qIHs=}DdYVjWz7gr1JAWZS9vZSA^<fs*ebWC2*
zgEfh-oL8%|M`&s6BIDn(c(u(*mg|P!JnMp$NeHrvi-^zk1zU6#7p6w3<K@0mvGI;m
zAwm=0Z8fN?A>6C|0uejBKl1F%w=m}fpBvV+db=*MqnA1@|JvR%g1+;8?>~XG?}f{j
zq^|aEQTN$XZ7D^5^U%J(-T(e^{r-M`z3v|OG;^SQIxh+2FqQM>3-LHJj?;z9OZ1Z(
z-<a@)*5mxj2kxA|MYiU=xc1Sbo>dN8e6<Ucy}jT9tg2+uMspRK#?a@)k)kcC%&?Um
zU9x)KA475DeXkyC_i@wwdbj!gVgJx&ds1MQtMB>kbX+trc<uAdCY)A(KCS<}>#%0n
ze{he5RJ{HqpKtId0)h4S<@npDzu@uiRS$R5zlWk}7guSkpghLM=pZ#R=_=EE!yUft
za!EKzf^J)P_nYQ+y}#WwzpVGaY*%luvemhzh<!=f6E;p1Q&Vn#CN?zUjXbT*(uwW6
zS64n(Wx^_J5foagdR^c9dj_ePY$ygWLL^KlHw~dJ|69idiHnc6N!-hCOAkxCja*;D
zx_mAD(#9ekE?Q@W<DD0rpPox!4vKGedGA*mTCT^U2{K*lSzy)uy0+Vf1=eo2pokzz
zF-j&j9WPDntZOM)NHUg-xBS{hFT89F^o1Ik&~@0KHK)9wkbjz>!@}te>S`3>E{$j^
zb#jRCF-NV{Q0hEBK7HgD3M{|h`aod0@W-&&ZFoWY?Bv!Q*6{H&SlId@Q2TQ1aHq8@
zc9RolP2)Y^C@5uYDRv30igH6*iWC(`dH8XT)e`Ba(vXTGQFT!+e>uOptd>hdF{+$G
zRwS@UUD0!6WRnA(hF1&nz|Vm$*XLZB-bdjO;<!E^9AczV9_h(j5zm0~5v*vqppxWf
z6k#D}CVrbSEaih(!?Fths4Qw~ktJgwPlfYi{kE*%qSUizya+>lMkxH#smi))-(*is
z|FCOs9-Hfj`orz+!`<%v?e=bCw_VmaHec|5q0YBDP&%$f8LPtMhsY$eAf=`etay%w
zytcm-_><>9l-xCl3*&TmUgqyE7H=;Wi-OD4BpAr1?UaMHeL;aMdWYm2%&Qk$N8zjX
z{r&d0o2QRY^?mJX3S4C+dqyZ(U(B8n!^hE|reWG*lO0abM}N43+x4?EWAJYQ0t@_G
zafj7RdJtRFD@bgira~dP4vYOHlq3eBJnQf6wr%e=_y4+iy!e;->8I-d`F}1cly$bs
z&KGR$Q*nf)6B8*}vZQ-4%^FfO@jt_hN$SF1+E}e{zdzCrBt0l@#{I!G4RKj^N{jj-
zXZ$;jlBAL@E>O}c6lD$Lpg%uBXvz|HZT)cMqkT@>afkVQI7#$y9}*b`ygKyT<V(Ks
z$s1|J<9NuuRM}g%Xebb<q&7v;8l=5QU2XTxzHVyD!#3@%Y3O&|+Fjjkw)MW@o<8*d
zZpbO}UdS-XW%WkD!0G@15CBO;K~#LZM8K@5gk0h^LmFd@<i$efcpg*;)Quy!KV3od
z9z;fmQ#{YC+)M@~r^Xi>lURcw<o#>?+ZH8P2sKJ*)35##85JWTzH@;WqF!KWR##fB
zGFDED+)(mvvB=9Rqt7TQr%L_~>Z-~XbZ=Hv6p!t6=}f7lq+QgQG2+`Py<vhI6z8pa
zqx+1;eoe!FNI}LUj7whK<U|Igl^kfAd(timVvX-vRABKjPNz49wIK0i4qs}?i#ngB
z*V3IQ<fCm&FN#W&@2cf`b~<7wR#mOb_f3Ac?SH%7{C2(h*T<(n?shla?uOowMXRdT
zH@y*4D-~q(crkJ5g(Vz~QOR4I>}NPrG+hN(TV2<z3tFsDoZ?>Gp~YQ-y9SE8Tk+!V
zRwM+1YtZ0Oyto91;O@?s=UeMt>;8gskIbGuGkY&M=6VEMOPFvL2w_xc|GSu}eszvm
zU*c<Xbsc5VOo}LH&`%gFC33?9LI0&^c~deh@t#*LJzv}NJU_zk98+C05_4h@l(e7v
zC1@RUyZ!p(>=&sYKeiQa-@5&3`mfv{?ey7g>Tgu_r<GTeaY`gDSncHfVZ}}ib+py%
zbJdP%t0C3XOe<nKxGb8#*b?DB8UbEzef4&(7;EZ%4<tDQ$hCbFFt=<Mw3=ct<|a!K
z_=3*>HPce|3oNGsZgm+I<O&3<O8Gk+cjBFW^T7*k@OW2fKBQ?Hyf7nf)TG6M7pzm|
zbAchsc7)R>)C+>n;AXL5Jxk$FXaKa7`0H7&6l7jSzS0rU(9xe<@KxxtR+0M|>E}3C
zWtxmYr{t^ezU^0ZipS;HXjB;f8H}gwc!M}V#AQs52mUrOwLQkCMmznMn}44FPojw{
z<{QhY@7=3}Vu@kan3j@!0>A)#+iVkTmL(G{>_az+*0=LzR%YD3+cz_6Ou%}8d4f5K
zeQ+15L3J%-#M~PTVc;N4XKdL2chT>pUel4EWZ0=6KgSusE#n;E+aDsaj1p=3-7)9W
z;X<<Ehfa1mCcH+@Wd)If(@73KoFnNwC0Mpf?yX_BXnc2i5Fuct#>UMnMl4ln0NXro
zW_X{qylZb!`NP)nNRO<0p4#+$0(M|#pU@%w>p35vV*kg++e7p7`@_&cEldG9z8|V8
zXmObzby!>n7oC@~E@+>8f5|-)MLq)ibvFnL=ny)r5l4qLHwdfKA;kI!r1%2%=a`(R
z`W#!48hBYo>>cBKoV`4==eM*hcmn8$_nX7Zbt0O95@c6`&Xyz3E>f3kNv{a^q+Y#3
z^})-H`rfh`U)jouhI(E|o`*kawvs7|8&meH09AG9F#ndl$jj?{s{7+I1nhNx-+#4~
zi5RoLH(V}ucX=zw%KEuCqAkC<%e@bgCoomeD6XI0DX*g;$2Xen=vfl=hm$x3W+u*O
zaoLHc)$S1}>>3lAH0aUQ=T#RsM{v$#IW^K-SEM@7!$Y;djxJfToPN6eFFnaE<g+Er
zNwbwrPhI+~z-1|-ODA-;q9o!g;DP{KOaGG=Zkb8?^dRQPvKUSJiCn#73E4<9?XeWx
zjbHuhX1<0{;`c;~5!m|5?njoh|LjX8`Tl~_oI2K7*CbL!8tZ(9npp9*_{aZtDsVj|
z;sScHWSzg!(?$5y>wWeVo{wpyRTiY=iAmkX!wrPUdi_)(crwzC(ZPGW1kku>4{VTo
z6^V~H=NDGQGSAv7c#}Is$MKg&1wancwIi83y?eELS9)vw@a1E6LT|Iai6-nhqR!}x
zY*`d5-rc5@U7RWom#0gmU>8IsoBDKXO-))^o77&^W#(;wM03P_^k<W>(y%y?_|y8f
z;!sqmQ&kx^L#c)WYek;YVSmd~f6HOm{nDkW@8gt^O}R_FPR&3#i(12<k3pMn3{Uay
zvGr_(dT4VClgICe51s1u@vg}1Q=iYlk-4mp(ga$%3-p1_#S@e7y|#qj7H-+rdWHhd
z(4(izr(GzfQl=1SX{dsgpLPq&i%IsizYKX*$LzYnb=oYXbW@6+t88^<Ej6WRT>FD1
z-^b41tY2rdxtEGc$e=FFNWsI@q3`u1@R1|Dd}t3G`QVhyimLDU5E{lp5_qP8c{FcO
zf_B8ws@|@O{reBwuSY7gRn1-MN5uZUb!hWiWq9A2e=b^Tv?H;0Q@Lbn<)`WhdIoJT
zn#&)s#F$FsSX00bNY&w0yh0prmU16=<bjcl3a;X9{QB;F**^Q|r<&sY4)y&4?ZO|v
zYNf}n@aE>Cs63RnY>w``@%LUzv9hsAh08gb<<R@la7ls*B%F+4vg_WEvh0-^_?c8F
zETCI#DsRq9CaZKXt|ghMypHRj_VG-GJl@66O|m@^`kf()*LbR?<4iJ}TFC5^R?N~{
zEn@^#&7j~mS-D)bC)Zjn^(ig&=M{>`L&~7+GL5)F2W>s$E;wPEY4YVOx%<yd6fI!U
z^dv>#BWkt!^@IMdNNYU&&wLn@x<|VS)4y4pUOIK@GQ^@btsg;QFo0>T7okd(SDCT?
z*1e5kzhZ7C1J-`Me{=_X+Sr&3gCF+aFD(_pr@ZXXmy?9DMF*1sWkb?zE%xsqFf7Go
zN?P_(ZoAy-KFHYMgUCwub8PNtZ$zcD?|<7DJEB)GH#aIUmao?ZT952h_%GV|`##_F
zUtU@6TV;IIv7DvUudU-YgkZShBI*Afxo@wLq)_Jh-Q09i)dB4c9v_bfF`bC@Rs?_&
z!3lUTW)j4%+fref@&3MXzOCKBkm*t>b^7@M@!<bB3x7VH+}ms290xcvgn|nzxE5nm
zD9sevzi61e7-d}@_2_jy!7CKl6XvY^wzcB`J9xzt{zZC}rDrm<90QM;|6)kP)I}*>
z`H`?oGpJ*oT#9Zi0pzhhSxoQUd2UUJR`y1+Zjs8m8}vu3&uU=S0Y~DHc9VppAyL-T
z?^52xU~zKvI(efm=1sR#Nx|A5&DnDRAFVHG*y}ZH?uMwHu#L}_MmiQ&3BZ_C-_Yc&
zyu~c&v8aY)PtD0*@7IT+)AW|C0&?@eziyY#$cpnAm?}Wd7jr;$MB;}O=*niCVTCP=
zojGiIuxGQZawGxYxa9?*;(Ys{GDciX;YL|W9qI)ZJxejbZD;8))SdfpSmPkKS`PeY
z&~iTj@?)f#oM?LJ?I>$8qx;^=A3bve8WNr%O%WI^`|Bke)E*K$TNU-_mOtPFFYo2S
z=xx??KI&Iir&ZO@cPBS%ZvOXkOM;xxYwy7_p~C~@(iWz7`zKE~;f7`ktBqvde*I3N
zazN{7T=CUfaJK+rQ*gQ5$gg>*t^O37%ldSBR5rB;$<_zVH3qbIwHcyXHOk~Olr~rR
zx3@isw68qht?hQ}pEq*cv+OrQ+D_ilu`Fzsj8XQ~gA>_KmXPeRBn-@I-5S{V&+hAH
z+u}FNt*H-~#sI?u(d&%X0>{dsg@z?=*P{$tS;m8A-)?l&+=j~*IlCb*gI#J?_expP
z!-XjC3Yi;8y+9^i`YZO@Efk{T2=e_S1Yt%xx%uMws2}OkPsU}yj*)W-D40z8l1i8j
z!bsAs>B8h2<?y={<GpAUkHZN4tvR#d6uSHOwFna1chLyZhJR3|si4I#lJ+H3GXuJ8
zZ`gZ6IuJ2E`0tr(dbFZKC-V1ExD%u8K}vRx-n`kDov~~vWsO-Q&k?M{C*I%V%PS`|
z(fU(reCqUnd+$ZU!hk2;`ZlB;K(!z)YiXzONw1u@_JxgO6xyX5q9{+&xAFY$#C`*t
zNgke?qPb3|{1Y0{z!}RqmR6IU;xf#9Z3^>r;#>igH~uW9p)SP%YU9g27Dv;Kt{<se
z2!he<(^V!6mAVSjMHFdwhZXPN(4y`aX)1s-N2ki+^<3eQ=lgr45`~1myg%A^;i4tu
z>@N^3YyEjKxFf`Em%?p(N`|9B=~PrrNvS=}uX%z#<*$PI!k`P|A&cgG3nMIH6XH0M
z;|)IZ9x;4rN6C!1#VxW@d#a)hs7Fd%wz_@2+tqcOImam+kVA4p4(}pYD1{z%Mf_QB
zCXrwgN7!Bc7#co$uVP-@J2+7|_iZ_tH(>M9Wtf5?gV(BI6yTzwfv4b`+g#CRdz9n%
zywbkMgFiiHukn04iBPiFv}c7xs@D(Sv+tvd5k_LGnotz~Y*-i^ZpPPrlVe}=z^?t5
zgr;}4TlpeAMLu!6&)II{7vdqIbUac0C^|&bvXvo<#qNa7Vf6a#Kq$l{hU72HHL*2=
z+E2Z5X;ywRRAX0A*F<~OukqfBna)sIrC8<CxiPaj5&MCk8-OQy>Q|9<(gttZtLcba
zb$P-ZTi;808DL8Y{l=@L%(|a&_!&VwxjK3b2;kz|c0>=}#L+D%%FC?!FJ4Y*ZMgU(
z1?@d{?N2~)MIdT$)(f(lvlxVM@wOp9)dI~%5viNZ5xRcblrwF2yTHIMaY&1>*J}87
z(KE3ue4}4%e(hTj@iZWV;36<M>G3)=uy+wN!g;Vp=NB_ITFG9ks^=0!!J2IL@X^%y
zy0OJ`(NN?-M0g5Q7ekxNcG-<dL+{7R&%v^k19$R@vpko9VANmUTi<flfIpmh*Qy1H
z)_Mt&c35ic)aRhdp6<!ntgaFPO)xiK=5;M=yIlh-F}4PX3Zj8aiAy){Y2W<$sls<I
z(>E7dQRnr8Jri9+G`kC`EUK)zf{MK0<Hnjbe1kNVq!@*w{P<^*`waq~BFJj_1W#ny
zRnB$X=%3=`(gyEg%h1QiW_q%g$o{*n@S=pHZ3QXW{SgVr`ibpi9Vc*n*|7ZRJVe8S
zGo!)Iq2(%{3isC~fSLo>%9EM*XTUb5wdf}_T2c@4h6h_Q8*7hXA_M*VG!0Joi1PJN
zj%{EHuSEn|0ymo)WdN1p3&L;_&vC0DC2?u(9KuAz<)xWRD*jN<zrUz?Owp+5L@1}}
zDp{6n={|O8;W|3~9NeWDvx)eGfi7W3%H2Vibcfyg%LqL(R<jS=!pN?5>DW_r(Y8uQ
z2<F_U0yVehJQw%HDUR%CH}L0UCB+m{6Jx`xWY^QBs9fgU@Qe5Onwk+rX;|JyEF+o+
zBq@<^aeWIouipdP6(+Be@VNyHD0WDBmPp)%m&eC0yN~Q91&@|s90_mAwA4Z*0uw&F
z)Ld{CAFeqIk1`uLlCz=`3JDn;mXG>~3UK(^-AR-z8zkGa4pE1E<$AlppEFc_z_XsL
z0r8nHby_jMZh4A@FNuhh@wwHj!W)Y9=OZ5?>TiE26!bi@q9GgoM+E(xPhouOTZiww
zE%8h~^4C3nDD8_zHf##VP-CB{NOa%}ch&xLA`fmYFhN%TW+s16)khcYHa^zM(a)(C
z(-8nE(1;D#7AaEBJm=*uGcLpuuK+VlQDV06ZVn_AkJN^75qFPA@BZGI5V<7KQ}Iel
z88;k^ePUzhjDg9#O(aEGNc6oBzEipVJ$&Y;s9gbKMzxUiR-~r^bW;mtRCse5IP^G(
zZi%{33V)~VZef`Z_52?fpctc3D)u_S@mx{FKNLp#*xCnBjRvXK^LlOs_Q;SOJ%d$a
z!<EOmf;U3_UUd_9MS~gKm{BYiSoc22%+vkt`^<Bs{n5v#Zm(8xb%3Xrwo8rhJ9=gk
z4J!*SBGS2to^G|ylBvJq48pVc$8vUo_Q-9x6Vd|SGKP!%3*OH2++=ry9-jGD(pv$~
zKr?unFx^QfvM-jXwv8qAY-i(6Nf-9nZ=e>3g_|N7fTbPO^+qTCMf{tgam^4f=X&JF
zME^}{_N6I8HCIJT(PtAili5qxPC(A<^!agn#Q*upqott*2BDWzq#w2ET)yc1Da=`|
zY_%-*Vg(C%*oMMOf|LZeIKm`yrDY{KxnvYe)=VmKN^?%6K9ME(4VF(igv9(x|Gd&=
zH|uiks(G|9UDV_^Xg7msiQGH9U0(uTPbPm&cQpW(w(6Nlbb=_$ihEGAw@S+0-G0}D
zB%|;1F?v(@h2Qs6&O{Pgdr1dz6B2((LV2f&EqZdfD<f#@brdRY^{=pGB0T;BR~mIw
zl`?=~tWi)pA^d$Fa;R8;rtgK^Fqey$)go#xGG%~Tr=LW~Ncci+x9v|gHnsDgK|R4d
z2HAY^nV2&N4=2u!+~0^2n@Edq!P36QDT-yv1z%$tekPixk*;Vu-GonfV#!GnO%w}0
z%1X_g6lpG-MDOnrT3Dq{&$vX-*W0yGN=z@8XJ+<iyq#&*KVF&~t#E&Yjg!cHYUn^*
z@k**FR(*1Iw(X@7^1HC*b&`>a5Su@UT3{oEo>9B>HA<+r`a1hvZZWaeX>HIux^Gig
z7gq2~S&kf(I6`Ab$avs}&mMOhUM-f9q0@LE0eW)H>fO}i!b0%@OPtDlFlKM|!>>TH
zHy@Zz)LWO|?{hSK2}Sq)W<;Gz&O;J9X}uojK0c8X90|!kH}8{MCsFW$XCKnbR3F{L
z56xYXC#sgmVj8JJZEqENMz$aPVf>WS^$bYtvshnbf3vWxvivVu@^eNALy}8n4$01@
zqVpasyf5Mo=+wxc7SOEnbn{o=rv}wT?aZqaeZqb+_**j3Xbc%04Qr)|aSN-{wh@Uy
zjr;PRYOOxb*wQos0Z|Uv<hE9}hErn@+NS<X*jUcf#{}cpso!E1j>S-MvG%EGDWH##
z)W1r~_~myKj8ZYzKd9*n&)^6X`CD@J1Fy1aapPV{7t@r0rKQ0q;?=IvV2L2%?#zSh
z&K%O^RmCMAa_>n@DIL9Z0*;;VJTSh_#EN8!tTcypNn7e=PU~+9L+)sr&eK!7^ZrYu
za{Ta6^;|k1G6SDE@V*<5X5NiwpnO!3ZdcIP)mH6l;_GH9UvMvJNIFW@<8cqY82Vlg
zt#J-(d3FtE48KBpdOp@ewUq*vdh>nGulDx#zA_dX^RJ9)U?ue*xYk2&Ct>$DQ;&C!
z=att=WJgz+x>A;%%S>MMe)w|g{37M&_;E(04*&{lhV#4%Ki>aJSN7*wKZ4i`txo<n
zFaARe7I0#`eetKQpFU`$zcqG&cG=cT?lA&iMH=o!T}xYAeD@GwP+jj*(IaAHep(wg
zY?Iu?FodF>P|V=L(eN+Z#lPVcR7QC2rWlRdNz>1PSk2m%5mt(BqRWmtlUb$oEIfzq
zZCdbZKQX2KkVGpfOY;XXaHm{xqc8S}-(h%VzWE{>Eo<dydK%aII!K%Vb+fOp&N26L
zAl}!fU~xQLMz*%Sx<huQB)m`76#t1;=p8rB&gKY8fzv;Ae#v6d_yp3~I}%xF<8N}l
z#UIN1Jy$->=dz$70WcgDQ#p6yacn7hZ+RfI@)0>eR5T$OU2(8no~HMp&1(Ll-I^cn
zVzt5rpAoV-Kvs@n@R9p{aAw%!#*7`&67OI}dY?ISNJ-C6t|7+kYHIot9~1)JfkgAO
zQ^ebdyj&1ES%((I4lCYnMqv7fSB#tQNT7KY5R-bntn!rUe1J_WxalJ=PxUDMg9d!P
zL}ONI#D2Er`5xYFPc{=v1U;5juj)8U|3MUi(M?R%=u~_Y;zN49j`r3EiZnzVC+!p`
z2IGqgweWwY3x9Hw`MI)<*P56Y){^tjRSyjV56&?SITXn8KMy>4vV<0~t<GLwi|A_{
zv*6pa4)QFHxq8Bk$f$M$#;+po<G;)fHCnb6xSuGXb%u6I(UzEMB&P3i#up}3vwR^@
zLeG^EiZukW;M|CNDj2X`j=OC9%+#X2l|3*r=rNU%JmVl^*`@iZo%&a5JJdG%{f5b?
zT0#(iXw%dXOC0!J4CRkoW`fZk7YAo6wP-t?kNC-(&MlAxa39}~#Vq0UgDJ}chM!y_
zjwg&P<@Q{3+%IQH-rb45F?0GZtMIv~DX5(`RxO<LLKm%N=e#xXtzFQ<HL8$@OgZXj
z4R(DtD#{cMVEsO{VSdK0<@hQZX_$LlS)sS8UqPxE?0LMQ*78f5<qSHiDx&3UoJ9CG
z>8+g839v+kZb^#>Sl)qor_{(2Ve@FNl%q>x#Z2o%{kF%&9~E;=!clj{{O{TZ5TEK|
zq+6hNdJvvBE?Bs|LntxsR4qL+Ti&eij#QmI-#+d7KYQJ;!RD_~fhjgh$0n>+;rw?f
z{O1F#{f(5$nj#Fy$IH79Q`_&vi9fw6cGmBDqLu58JHrFLL98U97{wGsBq^8Lx;&%b
zVtsd60fSFLm0C*g&kli?S5}vk@Ta}j=Hi<3!7KzK@P4$q{56q`rR7n-28iU@4R%;@
zc3R#E8jO}ZTIBqT`^3kRq$(V}J%RISBz9tM=8vn*H_3^OpOs+8KNp;y<M^pT=*FM+
zXJ={6<!GiJ=eo<ZK1?@Sk}Cu{bZe2sUU9wdsI_0-jT@Jje>1cD=*UpLmf%I}d$Y=^
zEg)!JcS5j?M{>aX9=)9Q2P@v9i@Ha4l}dG!Q{vq8$7EbF!>5AIA>K=eEti_qyPl>f
zdKo+mRyzkWRQvlzdi$D=5#KuF_g=m4%-c591B4WK_@^(fEN6vn_xdmG+N|B{?>$<c
zkNt%f1*gziNejOzEw=;;Nw`j1%c5?LN|Pj?x@kAj4Z^OwB<1R&Mz+f$mheF11uEfU
z@Ds_Lb!QQQ_p#U2?4I^XkimzM>GhFmJ|aA4!BS49(B0o>zNsQd(<7$$PZdv>-7#Oa
zW-$*ZHA?c;=DSKn-_q*j8YR=Dgtxk}9*sq&LbtC3h2ET4yh6&o1boiuKVPBc?|C!`
zV~~SczOm(Wg!hqGJ+zL8y|x)Mm5t90Kc#TzoH}^wx7AtbJ1X}rzCND4oPRtz^Ky2D
z{ZXD#!XL_I)x^is=e=iljucgIVu&752OkPMGrJd=TC3snSM!!IUq`kTB#V6ot*=pq
zemD)>>w7t8$;Hf$IySo;SM0ppC<``?mLsiP-!h4?0vIHzVbb$BzQ7z>RY$XX(;s#M
z7Cx;2={{b7d<9pPgtvyq$70)py0U#5FnS6V?fI88Pi<NT%I&^_0^P7inBm{LSHI+t
z&b(1nuZ}z-Hg6OoYpubc78D-ar;6I)N+EKJQOv!G=)o<@k?wwpaCdtcPblUHxzIEh
zfuuNj7BcJ9SF~KhmZs35jq_92N&<J<_Hg}D9)bHtHgD*j%x^P3(8Qcga`cjnx#M6|
zYMGOYAQXLvFhOI&ARc|Yt10#Ab^axYZZWheNCD*`w^n*Q_j;EvO)5B+AIiK(Vj+B<
z|8Tnv6?yj2{#=$K`xM(SGZo#u0*S>OX%{~7Z`pF2n#EjNX3<lWs&=WkIOQfOod-Rd
z9O-66uwy<s8{@}Zt&kjV4SD;yKwtTj{&xb!mDXP!-54M+%+JU4r22MSRUG*Uo<-6k
zA{hhDKvGHefA~1{l{jPxk8Jy$&)b;YFHM$mMH)0M4&jkk;K(B@Z6@UJ{DwcYZjxR;
zXp?RM%Igdp+D?9`Qg-%r`R)ocj))1;N?1KbExh3U8!HKUqVT#H!#H2^5JDIiMUvRL
zun*sxHW+J>NE8dW=7bU164!)IrmH!HWETCX*$vMTyh89Gb}UyuJU$#cUi*k1ZHk4d
zr;pi<-ip?B!+j^NzK1qzQB-bt^PvcOM$Ejo7(-{{%pMHkJtolP-1%f{idp-O%Mr)5
z*YD|lV7El1G9npTMhrx!Qw>mFCzyG6_sVUkUL%A(QZiEkZcoIxw)_+zKHc1=3&qU5
zGKLG=W%i>3KbDJ^*Nkek{bsmg!M|4F&T|!p5<rh<-(St#d5L7-dG$KfhOa^X5O3(j
zu5FZKsGXr^Y@`+R3ncf%-jv~bx_KhC`g<e!H8y=p6!zf#86i6)^NMWmUgaLUw<EQi
zIn7`p-)BbpIaZLa$((ixQKYCGjlmj6{^VFE$Nl-8kVvcM57Wo+|K2&=$C7`2wEOsd
zmhCZIoCd*-Y&I15wv>vRPddk`;^S1wsD^Y^)0}SbCa|wNbos%tR@<B>iO$E_pshvk
z>FnwNJcP(RU*9Y9sMXng8?6%U%0*4I>p9xM`IBIu-R>?En04vU`UzrcQ8J7M%W*7k
zA{r6fVDQQ1BXs&+V=^Sc^;uk<6|3oliifm?NHIVl<0ce8s?x<LW+E*5ZO_pp_?`n&
zgh4%jF*-&_W*DWG4P(=fDoOkYw}9Ds%$V&Pe39advzcpm-kMs@!S?VeAW7ac6UADo
zFZm+*&=IVjh2&=e{E29N-8mu9#cSU>y<dkWyqxFA#PW&1IU8RDu*^cZA{8v`x#39c
zaoBxzWcgfWc{F=5S#j+)yXy<yXF<*`pYP}j&H0v21T#E~cDBT2rI()C?e9`ZaaTN+
z!_e+!JumaX8kW#H_y9g<GGrMW9kuk5peU)ZhKGu}3wSH+?Rh<q#lrpdk1NUG3I+SH
zKfg&nGPM^u{r<RTTw3;dnl5K)v*r9t?)U2^e(Z-9q=iC+v{FTLvY*VN?%~`Q)6zc#
zHPN-2rk)}A)H_GpJ*#DIM#$oYehbsZYlTVo^5Tle%-Z!OiQ7pD*J{q>YV{%p)y={T
zX>k=vDl|_?+$^S69v5BO_v9qpK8*a8fnA*3eGH2Zg+Gi2d}gB@>G9rbu`daGK7j3s
zLJzAWwi)|N!asRT7qkoA^%7l@TUjjT{%GkfzvJg4F_WmWl_v8yq3s5|^8NIcC_n1%
zJ1hi0W<vHZc|W}39Gy%7%`oH}$c5J7DQqHANQ8P)dqDqFV*qrQd1a14RiL)^up9Px
zQ`G`nSzfFp%emV3y{_A*6KS-@)zq#wekl>i=eNOFTIhJAw!EuG9M!)qRxNq!vsz5~
z_z|_dePq+6(0(Oq=ifPP@NpgQRqeiIE|;K!6EjeP=kZbXvH$RCHa72Q&#{uQA7m-p
z<*L}rE{WHLc+#Q@$ZX=Bl*9k-GrE1Er9bjO|IQHUT)G)z*KX!Xf%5Xuv&G@i|BnlZ
zA{&fQ&ob!m;~m5lVydNEnQe-3CZ;J(_Aax`X>RvkU~zWW*c}4){V1zFJLL0DfwgJn
zFb}eqGDN5X4-Ws$Yh1UD``YQLs4Yg#&qRpo9sHhrKa~6J#XW)gH=>AIgX9a?7mU9C
z2FU<WOo5VV-PW7;ucuFxt|Myi2mx3R!1z3}&)~Yu97%kWSXGWk3j%d}Li4DXl0qMj
zf-G*7LSj@(DFUh6Ysm>(C!F%KjmP$H3V#G7wv!Bf07fwBs!W-$H2Y2-TVX5VX73$A
zN5aAm51Y3HS1Yvbt&r-96n5Zk1Dh?F&!E>*{Av6EmjN&Q38eqEK<#dgXuZK}IG5ge
z{l}eh`~L3sRV|G^>$+*2B#q=m?jKbJTQai!O!#31x#JYn_57ml*`fC7(foej^>A8!
zY1_tFDNh)yzq3M9o@U)RLO1Ogvg-4Ktt?bUO!}HG=Cb*CbiciGb>%&B?e{qbn0C5(
zBT=Cs_h91uDJ$*tpsO}p&yRTM1e^hf2e5sYl}$)Fdke!w?^nuz%OjK9s~TT-AZyBW
z&EK)l(+KuTCj+}QYuzepidhtk=F8H-!u!f8NXx%(b5VULj-RGwT)m<!qOnlRl}3QH
zR8mQcPH8g}yBmhEqK&&p8H`DgSnFSlW{lC*s;cDiF&hU05V+w!taHBeW>J1R+2=-7
z$qq+>T(r|@pRQ=o7sPMDpX#bVQ(tt%Yt^z;zi%sM3~^mrDc@hQ=ef=_pKbEBwnov`
z9><Bu0eKr>6W~M+K6_XuqpPM`7EVX|OR@487H<Y>_gpv*h)h#;Tpr-AM@oOSopGlu
z?191K8y{|z>7ZusKW5m^_g@~x#>OHGOEOZg7=7)dbUFosdM3;2ftu}2A<RDPzFYj?
zso6n7%DLCflkW}fe5BfOkVU2;v53cQ#;S~h)LojxTI_5$l^Z$gr}7#S=u5|Sb%j)2
zdxBn7f5K>fnaVUItpQ)OWkR5)02>(2c(yH`Pmf3*g-avUlPggg3L6^6ttx@K^Kl&O
zTmEf&)(R8BW)F^u`lLe0oQ~vWp^u3@d$G!K<x6=T6a5y$*}{pkzJ8z&9zvG4-db<4
z^f>kYvY*kK-7tae)Pq(5Y!t;l-c*jIXX?s|(f-#p;`we6m82(1ON9U2t#g~T$g+@-
z;559?E1;etV0sQI{B1vkGKaLV(^sGIwMC)lp(sYe=@_$O`}m)oj4kqo<z3VTZIay_
zBVG+QiSPHHOm}kB=NQUGsYqhzxi^4I)SfTu?vIh~Cod1ZB;u6<=f-(1GP@ikdxi8m
zrZ6y4bL?!(JLY<b&Ggn;OsLV5s`L7N$Zw}Xf|<&0XRH@I>9l*NKkQm1-i73C5B;$*
zEBqrzmAQPv+gUzSXf}A#niX1{1qe&&(#8E)Wd(<rOd^_@qjfgt5fL<xTZf)vul7x}
z4YD*X<Z9`b^8Z47v@^<PlQ@Q>?Rq7LCL+_SG)+T7&(O27p{)s6KRM~qnjMLgmw2n)
z?Xvj7sG|m{UG)=jl5P|NXR&Aev#~QfTYY`Z806~tnNcz7oQQqfvd(1o8xI2B@GY_E
z$7Q3ABm_z&Vch<pFS<7P6O*7}pzmlKw?$YIHKo3Bv0UPN+`zp3lHQ=+ei1eqo4M6}
zIN9C247E}k_#ulm<2KuD3wF1iX{;jI-DmO?>V+rmeb>;+(~7`}$A-j9^;Q0Pt{zzN
z^94%V$E*OrNx~?#klk6h0Ev&=U&(f#T+(e?zn82~jWQx{=k}$;%&$C)t+b3g!;8XP
znL4f$Tj`p8(ziu&8n41U@}FhFOYsl=KXx0boVvglGXsoSvMg3d$VnV4#7Mp?^()Ci
zO!v3&_ZuF%ceyvZ_ZS?baIG&S`}sEjYtTr{7PhOM-A;5vcprdw$b3C0xfV*U@9$1#
z-@;I!?b8maaktkHX&1UjY)2X{XFs30fg(9<-TSzb*oIwF<D(`QizR6~^wJQMH~=5w
z1y-VVmt{;F(`z7!H_4uhVwq?_-A+{;n-flYiDUMoPMx25om=8j;&^r^^{X4B#mMgF
z9F#IPQ(`88LXliHpbXp|UUVqE<czw>G$e0hM%e-sHIEzlrZ79c*ufK?kE=OQv9B>c
z218mjx3-MEou6HN?>(*?b&v0CH>|iZ5H7~n^qkhsuvH^wnNlVmhFHfE0+p}Y(~ezo
zUIbyGs5&9og=wi%Y;Jh=IfYN5V+amw<~qd!ZQ0(j`)#Wbe9h%uDw6|XnTu~#{?(oS
z@q&<rMtvR`{K^WRnUe5457?b>(%hpcCSGnf!@S&K0ry?cpbI1)nKsu}E<JAto{teT
z!S0_w|95*tyKwU$=#t$S;#Svd!>kRn+(Wx`@dLHK@C>Zgtaeos)|55R4J^qX#WF8B
zTac+IHsw_Gspr|vUXDyYxlJw#PrL7*N2+U>`KIeOmkytQb#8hfux-08xl(v#X_ka{
zVZ6*rBV~Ruin7K?q8YZ^eIQ5BZA0L-5#O|CaH765S+M#sOEH=ggVc=}7D4lKO^o19
zg5SWGFrrxJwwkHQlkaUN{oE%<l>=eKVUZRAmj+k1`J_BbV*-1v*9!gM3*p0-u#u-N
zV})1yp%a1okLFSn0qeB~n^VsBf~M+6{#guJ1NAPx$h{?b&IC-1dCNfa<U+TP5kQ<d
z{Qe=mM#Z&pw<N9T740@#&L3l;Eo+fpBor$M#>#xhm&oZq5jtDwa0_I0Ch1SMDEi}U
z(t|$)B_J+vw7TJssobA<{d+~>^2^s#(Bm_4`R)7<krN;iXt#d^Pfxqh&vY_<yV{-X
zCRimqmIHg(#63hNQ)>&3rd4STUoIr{ttT%*SfiNbV2FU4Z?kaB>&#veq?e<Gm$8Cn
zurzXS&&d<UR0?2)*k}WR@rW-#3bpv%z<k3{>Qv)^X-gE`zgAw1CM;V-^2$0Tz_p9t
zS*Vy!-Szrm<ExvlS0UJp;AaDTb9^0>y)o~Uha7QPUzo=G!#~siCMDm-r#v{*rJPgC
zspwdq-mXfktY}Rvk@&LE@%4Tw)!TmS%YLuuNZ0G66Ia)c*fbiAY08Eld9!G))Mx6~
z+TJy*$HK2RmNMSVR2=Tj%rM)=P0WBsQ03ZPjpx01&J8raRymE^3MUEdytdEZ-2e=R
zT;$dm1Iu!$<<CHCru$=d#kc~$ONa+B@WqT&vF>a?kp5XV3Q;t-07)l|R;eh!-E1s=
z+-kWs7SxWr2+dm6JVuNm;8cNS>&gA{DS%L|t=bi;Dc&b8WPjLSAt%;!ppE|_#xHSl
zdsmt8D_0Akfv7oq$I(&4BkPo>W$u^KD+vR8m95bHx5OsjTB%^$6xF->V|bc{St*eR
zXZfwIS_b-8+oe|8h*F6Lovp%ZX&YuaF@L6^G6re$Ciz;_)bVVZ^j^ftSvO=z>TO^_
zj4++b7dK9pa85@=f}(fS&W7qqIL<wx-%pY)shic-%A&h%yfGoqgZ%13d0D0V*H&Eb
z1d<|T7z|W8d;MA&q9@dZ1F4r$W~#%Py*cPt64E&15GhQ2JSZ+jpf`s5dnsyaD{gKp
zjS5SZ?j$@Yi`*C9n%4@IGWPl__A}mh%8-9J|8N(Zv?Dv#i`9PzXdAYJigHkQ&t}#H
zsM{Z|`$M_kj4CAl8n~XIeh!xr6N<Lz<-q1l;di`evf3m!+DbSfg4S=f`p7u$hQite
z-Pcz?D+KTS@STkSlk~SVQU}jwu$)dR5o@#^p=@b+IT*h5SNQMBNZEz(xVu#5@?mQ7
z;+Kk*U8yi0+TuUrP0F-}1p_L4-m+m5rn7Rg1#P$u>-}Ed^K@8WE39998~jAqC}#sJ
z)GRWZl5AS)TRv#nGj5@SBLYFw`4goKy3A*h>YXG-sfhUmvlIifqT!keWzjBWX{JQ3
z%hsA4E{$9?qsdZN!PkDA?#tKu(YAZ*^18l6e4O;WDk5)2LB_+C@_C9IpYkg%RxK;~
zoYybm;(Pb~(mm3jGZW@&%pD3ZcNw>Bt@t4Gr7<ooqa3w=s%G5AboQP~JoRQX_3!I!
z$#`t)tE@>Lr=qRBKid{oU-?c07~%});!NUTLl+-e#T5}0E%>cv`BJS!I0j-9ixw5O
zaiKqqWNsqVjBf6z!pc-twl2s^dIY|H^Z?yi-o%mmC2S?q+4%@`K|?LR*^~jQ>egL*
zlFr7wKWmLjgUK35xJV2cd^p~iiuFwPH!ZCi+V@cvMrinS<9&FLK$eF7z@q$aYUn-{
zB6XA4r;s73<u_`<R8E+;e(O=_Nzm}U*atbxw={rXM_E_zFonWuveb&4u><h+E*C0M
z5AG!i&kpD%fkUmO5wKyBkTSX?SJ*JC=14EQh;AAOK>w{kMvnSc)-l6piS*3n_jSA!
zUk+A*to5?Q`HzANw=U5<OYCfAfBGl?C~ZCF%<3N{CzG2_Zj6z<Su&Q?^!;cmvtaDA
zzB4^_p#siV&J_-J33dz1H@JJ#!|juJ`I#axxv2Oyei3iZF*&v;j*5?NFQ~TnLM&Vq
zC49keg{!3q2^~U-XrKxOP%6mGqWi6-uIg&UMBs(@Y-8w%_*~3lvysXudYV{`wpCN1
z${&x)Z3EP1WhS!d)eQlWl%n^~A2vkvI~S?2w1}st#at6*6$?~MX<T?cDNYaT<ZuE9
zG%xD%Gvo@Ra^DE4C5_*IR}tc$t|)jgOp!w+W{jSpm$C+47A1Pdtn@l?{S)*5t!C7_
z=Laq*m>(D;ypekm@b+mvYw8utqiVl#=Sp0ey=*Q!UCjkIXo7qA2~oHw4#{L<eK%#}
zr*76%_Ncm^F%mIEi>ELrI|;X)%@jhs^adybi=-`?ozxKxg9iyy>LnGUNSu;0IVR%Q
z?B%S&EUOSZRWZ#}`_StDLG9M)`#*Ij4-Idk50-J}>xT@?>$#&K!z|5QQtX)Ep*j+I
zkM;2sMJJ{}gXKINu?o`1;TTGly9<M0Cu^Z5>V}s4;0~v7(HbjxvC<O?4z@r<$k0jk
z>BdnV0!xG)KUp=QBSDnT@K>)VG)8r#p?dM$N%xp+=J0WH>&emkS$RchZluB9TPnS?
zxn4nujCtv*2<!d$GLVF)W5Dd5#w;e;@aaz<s3u0ZEZuF{;KxK#5W&QTCn2Xsk}3mk
zv}N}2j|3jOGc0NBd^<svHNh~?QRBZ>WtL8~W9=Csp9~V90j6V;_&^E!UGsKZnG*mp
zUx7V#=8CI+D!truQ3of~yNZGBDf-nQXwQl_>VoKv>t*U&q(Q+$egjbH`*3P&*SIc)
zKg!!5V=$LUYkfGu>;LevcWAJZQ1%1Occ<ETkiQQ!dcS;gppWrmMbfdZt$?X-&o6z_
z#v@txrX$%&Ryp@3hGXu#6u*Y~X-_%N?uagZKGqK(TK~rd5cOE}$>wnw-tvugmkwrq
z1b!>4GqVBr<l~AA0i-Z=8;d)-T)cjN+1c#bQMFjccPZ&EjF2Ns$l5*~sgWY`4wyVX
zu@0krT>PGOw6NQfAh<>lhlQ8dhB{5fz4gFqyOHtH5Qcx5f=^vN3F3w5%3w4REMtk4
z#DzwN9NO4+z{q@O;8D!q%dPHnrabo>vu|=lHT0qO_m_UpCv|>W_M|y(?y(~y`t3`#
zwV<BnsN^&HiXwK2GWFCz29k_u+I?L0{405v36%Et*PJ{;{u{9|?2K-n5!Fq*C9VS^
z*$ObJCo#M`)}q`rO`j2wYuS@8@qd*G{!oke`Y~Vlt^sNDVTHJnM?=wB83w}KG%l#w
zn{N`CX|bCA6kR^tKSvyXpMDfTKD;7SmDTRIW<ADCuQUggi^J{+MDFXtp><ybYt%D5
zrmWaq-Y}BE7Mu*ZlP~!R_(~nZ()ElH5;8bn8W@?lzz<$_qupZM&>si3v)qrPko)HQ
z%PYszG1v6cu8ZwtPj795vIq%FjUkgJNJ^4GVJ-tJYNAX(GJ}C^kh_{olR~7fQ(hyZ
zdOwB8&!Z!D=@<1-iAl4wylJC{5iBS!^Fx_fZtfa!lShTV{1e)k=V#xC-vx63LHL-E
zW~|p3U3uS<OxWGp{MsZrp7;jNMs};BVR$mQ!+Ov~Yk~YoX_QAT!K#3u*HI5lS-D#3
zDqbe-E^zG8$0sa9p{m6=#7I~iw)$DKo^evE9(3JiOwlX(=iXcsdf%{gkcn);)Y|Vi
ztne&V*flyTAeqI=!~78^`!@`C%S8NUc7LyBB8xU{8jZ{ZTB9idpzfSfHg`|*c(pi<
zZrvkSfRFcN`oPJ_X`dh3V~oTv7Qc$As(7`$#(&Ai*w28ypHPF<Cf=R#{=b<_Rc~L1
zpta;o)BrU$7gCSzYm?|JJH4Lo{9XY~lI*3+Nn0!As1TjW8(cm`-|m`aP;O+A4|(k1
zsf1|zI@=^IFGA5Es0U12$RN)^7-J49(E9K$GI5sLaUGt(i!fNgzY5_*O0eRYS`4(Y
z*isPsEA$4*mA){GAw1qb*QUME&v)RVy|XC&wbV!-*BPc135h+c&UVy6iW;`UK@XCz
zs8C?h*javlW)tq;2);IG#paLhzkz%>KrluSDCQ-z5JB?YRun99{nNoXLxX_h)2|*3
zt}Ha7d?I#XznUX6!d8OODk4*vkNwb|sO1|o1Pu?yeQ6@r3i_QU*gi!wY{9c&_MgD$
z^)VN$Siy#)wRxi8Fi~81vC)l5yy|C<xdn$`idEA~95_JR&S78=Qrmp2KRe%Wtb+`o
zyRNfupn?#}zHNY$;OoTaFC1j_kK|~+a*L@6&{yij;a1&o1@6)^`p%~i>3)tFBo*J*
z!s60j!H*Tmfd<9iT@?84ZN}>RVUQxp4RjOq-0;npfc71XvxvlPpYrb>Bgx&zvVYmH
z0ZlpKYtuV1*e;NRDuJ7Sklhj@LrrTQz6Mr4?7szM?~s-7wIo^W>>9@HY$riwkw3BB
z+RmVRmB${UZT022G+p8BvSMe*o~yy!&d^*pz!yc~60!lh6M$N_eBGDf1kPt{CYiUB
zsxqI|3=a+}bC&8T|7JAY+Okr4^6_(1!3$Y`CloUNMJR1u_d&NOwAO}ZjpT(WENpv!
znNRowGiBdd#Rf3JhDT%*<&wb5!B1iF(?d-)&2Z*=OHkhJs)7Sjahy5))OIyK&_3y3
z6qBq%6Fp;?MSyNf30CR0>+46W#LlWz<D5u3|4Pp^^pcK++k$?09dMmeppX~Nlbg@<
zkT$%6ExT4|kLIpwY&|G1JB0@d);-)gmej+eldrFAS%NLuStqC>VZqdhdHYH|vkct?
zfC+rlKSAbN%3q;AR;I+8vA9>G3Hn*q1(`#z=X9<?`FVq+xU<=Yd0~8eo{AWkcQ~&)
zNFEMjOq1UmHU@3)&$iFZt^<~E)xm_%L_lwb#p#P<i^^}Sl}JAL#hCtCj*1$qU1wWe
z_V(#CX@XZ3g-l71@Fc8)T1RoP*nX~y6WVb26U~kZ%8nMfHeb&;<nm(=G8`GmsiDG5
zSD4J|<g9WjlD!)V(Ie1DXiLNnpqG?G{-)rbu5-n-UB_RS{F6^m*FG4dEMaTcO!{ms
zW9m6O*{x^H#2QP@ZDN-9J}f}S_TtkiFF_~<T3f<7zjoF(O?SE6>qt`?K&&=3kK21v
z4ToNpZyJA^2KGZwCkeN6ZPa-`Y)58gsnyE>lP4w7(XI5he1&;u`j=unWURL3_g&zL
zq5!>sWjBRxD@#N8A&lBpA|4_n1tCn(z7GvlABm~)#~lYO$3=@8*3?ZCVra`KeXq#a
z&ed~CZVamNPyS+^*GI|MIZok!NAK)VEQMhj2ex~dlo9zkNhG{+_u@(8yV1)Nk~Kj4
zWwCJIZ?PS=^+IoqkXRRMF_tmSs1u%yE~7<e<{_&T@zxId+NQjud<J#ZlFP0%b?q{U
zPZM2gWEo`mR{M6#s!3-n2|(4R{@F7=eS)CD$V#9heoF`UZq3g<RJ90qXD}N`$r5hV
zyWD2XmK7<-C>DuNkIo%r8!XE?<NPtX<aCRm#|b9@Z=H-K+&wx%;R$C*zfbiGj_D+T
zX*-)kG`fi}`n3--TUc=JZKWMEXr*bWN3v5!?u)(bkZAg|IhdWkZtpH<nFgSl+1&2A
zD0HNwq2>x*n)dz-fWaUI|B_OHZDTmPF=ki#TLl&--o44{#M$fD-y_!b>FP{qhh-wa
zgOW1G$WVsELl^JhNYL1E9ay>L&`G$AQztg8*vOWJbBx6tA7X;|#F0OhRCsBU^BeJk
zHc@XG4uDG>eU>m(Cn+h-SF<R67*Q8%kL*eY6%o-FsRN6?D$KM@sIap!)-a9P<|GcI
zq@?N8?y&a>7`)4-92#5PStU8o^vhQNr)7r*j80FTI^s;$wCvQNV^n&Rl9SYM8)Zn?
zJaO8<sm7hPZ7jE}0)Kx%Bl#Mzbu2!5XHivAzib}Vt=UQ!JIV+ZOHucmx!rTUTic_1
zLRz$8yG@TPUMq$o4Y9frY9%BVuQP@4%dbtE6f;5O#+~Mt>8A|^dQ@Z6j%}xW3fk{>
zTE~M@S_{i?%mVOG+S%QU)n2~vC;X)K!iQFRNA~kQe0RbYtTq8<NgA}`o?Fi#E%$C0
zUvygR_8z?do^Wc?-MeX=cTqzpQ0_hoSPd@Snym-e8q6Uk)Ig(7WStYh3K^sFnuD*b
zn%XLavNTSk@g{oO6_Hs)G!r78O<$?M$^mq;usH!k)I-HK4p&#qyC#!K1Uo2ugKsKP
z%)g@K;Ak;;;i7}rzZ;<=V<JC_xohF$yfWM%5jNvWBP1YN*IFBe9cLEpwkT?lIp{&I
zQD1n&ub4q6I<mJaZk3jN`%+F2ijPQc2Wguw%;lHcZaGp|!dJ+RgoEo0jyUX|rH;K=
zU}!dlqnEm87^*ros#JFRtWL-f$Q}~TNEWmOudwUtB7?BIJC|qV(qR8bJ&R>%Ij{Jx
zbsHO38kTXVu#n7rZrYT|&okT2y=p7w%j<!m(s1&r8r!y2!p|(aB7jN*I_2Ab^%@Kd
z^Qf*X2=CPKn;gDD>@7Z?begq>;hLcu>;NELpt=KYB&F7clsZCP+ao|dp<~eFk^hl_
zeZrRkC+JmyZ#K_!wx_9_VGhF7&gC+%gTQ`_`0q>4sPVg<?9H!db%$pzz^y-E$!O|)
zj&dJN9)St@nNYK`*e?ly-Le!{&j}@#48XtRiv7JJnlBR9E)B;!{%uL>)nQ;7*Xf1`
zwJDhGoP1j?Q^P_-e1CXfjqSGd$W>Mc;$5JrV>7-?!V?k7CMYFxBTie(`)6Be%H|vT
zLZA<S%{9p%?LI;-b8fL><$$r({${6N|Nl0oc2VyS!7Pdry3lnxOABQDlu4%O(S^le
z`AdCZc$z^L69|<V=k_!-bW_I_(13Uk+>oc3p7%X&`6zd(Jd-eE^irH~-%pCZmj>Us
z8*~)f&G_Z{=Z1eRS5jq5K3x=pj9)e3Bwy-SCf#2;taL=W+JLi8e1Z}GtXDifeq^8@
z5f8n5UYJT*RB77-TTe0GQbOkDRggO$pVHHT&XI(8xPZ6vccnnfc3QqES@8&ov<r^)
z;^mE^d6lw3tEOx$u9<pfDTs86>lx*CMz;j9Pfe#=r>wd1Ud2vWLiHDWLoa~NarRgP
zfdpL^p~6^LRN-vkc<@YnWJ1V=j3zS-^UTQ9^b@17CMM7(%n7?S)Y6#jMeTnDs+G?(
z{$Kn-vqibsOaIJI|D24K6;Wzio6m;s%pP3B+gj^H4%8~eLRILGNme84#i)kgMmknM
zN0e@uQ5gTUrW?B~Xoc$GKEGwg7UiES>DpoE_zH2FP%KQk=?{ZMP1%O`nFJ)`;R98H
zO|0aEs|yb*Mok3al(tgvf!^q!IuyA%ZOTr44k)qf(hb+z(`%dwI}3;IU#rS^obbAp
z^m&k~q(j~P#9sg#VB5bv?{H7Ye`8m$H;hR`)+!nWuUqQg$I=UeP2^xFSLp;@kwEK`
zZxhvBQPe3{cE|Z3mkEiE5SyZ&3enxUlT%*h!`0f3FRwXX|98vw<f(cR|3b##rq{uh
z#Wv-V;>&h7UL-eisr;0cjoHkhaOZ{vhXXerh?C3aV=FiBx9N|Kk2j2}bC%wZiH-@a
z?8iBq>q`Yjacab?;tm4O3S2F08GE&|p4Q1z?9nNy*YkFESJUcMWWKSN;c&ucbTQF!
z`<)R*+S7A?7tqH`t5wK}JY@(5y`)(8H<Xy7&I|~jW%Ok4@Iy>IcKf&c=F(8OL1%+3
zjfpZ6X|w7zHLMG%y-yq_YaJv{i!MtW$_HEnXzzoRQ$s4asylx*I)tXyIs%IbMW{C{
z#02Qxy?ByGCi336Cu;b#dfXd3eY<6oy6Y;%u-~1>EIrDaRV*M+x0!seV&ie9)q}f`
zvopZB`?ISe=-C_1a3Ff!TJdE~O5H~ZaLuwA36Er<2OgaNVgi+Cv$+hKWW-U~V4(}X
zsDJd&&L~olavwIvTR+{E^QtM%^L64)@IbjJRt`c06(Xo`dm<97hi#?D($|E>VF7V$
zV#j~TL$ZiWLOc7In2tDpxbDWGU&V5lAu!ziAFk;d9u8aSEt|8@Bbhb;!~ePlXt?i9
z(zvt0rz3uf7Htj!g<oF$*N=bU|B9A>rzr?tpCb<O2{u7v-rZpH`boEKQeMj|+*3pB
zT_#g>X~5s?v7dKZ|M?b_NP_Z35@#q(Jk9cGhPLRHw$fOYiq%dPX{=lES?`UkiR1)G
zs(Bq4BR)sIyJ)0>@KH!mFX$i)bXYsaCutKawnaOk4%=-j7q?E|S?s+RT>#fExWV9#
zQx-q|+?oe6+;LfN5d4n|@S%?QCf*d-ake*j+hLgS^1?nK_|^R%W6=z@R@BoX%lj9*
z_!Tq_2cziR&th@1R|C?tB0|DEw__X;yTOVf&997T{`-5*yrg~W9U11$7^)VNFTH(2
zbEvM@W0k;`T%H<tdlYSjm^ny;LtO+4omL%Y4r=&|3-llv)24qSX>y68-2x=2YoOB1
z`Uad5EcEqhm)_N%ulE-JdH+K#t3I;%7c)@exS<_|P@wG<<xIS0AA%aEwEfB6kaa_`
z_%hE`(R(eaqZ9J9s6(r$$`651Xcj*}I_6@&eICBmcM>+HSA68gid50}3@I^1W)zwx
zaC=U6d%CL_m57V-mv(z~b-Uk6kb_^`NdAZS^jFt!gqE=xEHUa;d>+y`<(#DkV$Wd9
zCc(hIU=1}%7A$}<E*bpA{y<mVw?@o#{!}$v%N1YA$WtJxYT^SK(bQ{DV}u~3HkQ?(
zzJ=`=NXbQ$=4;<Bl~v-6e<;2~P?a)+Hf4GifzXsB2#eT%HomcLQMoBm)``AJ(>R=p
zT0>WgFb+e(XMa8+0$;dK{jFGPSL5IqN$Z@}-cfx#=9^|C|Gh%12#$hfrDd}GX^O9i
zG3PqSY~GFS-KYSU*BYGsZ`a2#M}hxq=i1+)TKD)uE}JqDLau3>w#sF@jTuIw9D8yp
zmq|G&B%HG4ZZ1jM*<{AXo?M1Wj7!Sp2qR3yxKyqqQ8YAC$c&hYW-w<>Kb$||Jm&}R
zFKa#Tv)1?WKA+F~{jPU?-xpvV5N9TkZoS?T#+AD#zUwExLM47Vd@{HBdVF|gwPJQx
z#G@>Nre(TL+w0yAZ|ojXJS}2^Qu5DCVkmX8s<Wj1-td`!4Bj4161d)c?04ELbN$9*
zOULvJMUBV&s+_+zQN71WK1_h+Fpv%Rc~Gx{8#||UKIon4H;=6Ox8yguh8aC3kX(3d
z{T8or*`bgic|@i#yP>?NC|W<=!tBz@dNg(a{%4q<4;Y*~SSNE}e6Fp)!aQ$I_yO)t
zC772Q6(8P8@5mJ@K1Z{<kibeNxFR#-9-1rd=6=g0{Cu8{Oey{})R2AcZqVdhoUWu<
zlHB<{>kK`gv5O0rnmVbd>QY)7BCW`k*tvuV%ZJJ2JQ~mB`y$WC!s87uuk?I=9i6&W
zbjaL0TcdE(x;uRo+MC53CKF?It<kyW2CJ^?U*7gRKW>rm*h_MQTfF=w4FfyoyGj*!
zy4b4Y|F}YCb`{HfWCwUbxVO3fFs&13RV$qHZFL@l;g{+B9btO{5|2GtW=S?&|HPpC
zd!TDa(g5s`7-d_g-Su9YG5Oht6^aH$OsA3pB)Z|DOAgV~)pS~FMB^ehPBtE4PrD=G
z=l*D{QSrUs`LK8o+aBL~npuv{)KZVfJtL}FV9Z9aU2z9n5pMj&zmHLHv<9_%)@q69
zs%S_4V5XrF<gp;bCK2A3@1>=;a!x6!`|SG6j!UojnLyx@GY<H$f3h*<!O~{ikr&g{
zl>wHV+);q;$cs^-5N-;NdsWRT3C7B^mrqA(S;wnqXa>KsC?`2JDK_mxtkJp#FgE3l
za5~#tOAffldEupTXyh@o);v|JF*<C}bdpowMY>VqDWQL?(*_qK9BKXa)J)2*)2PAh
zHSVQUS8e)eux`-(l@|4(Q1YB(z6_8D5o@>RIn>R?I^IX}c@pcJs5YAJ9p(9!P*)2I
zCJqyj?56tiW+fa)hNq5CMMKUS|8<jX;Qr82^+Rk$lk#X4WkN`kwj__3rT(4nOU-_B
z<61T6^ZIPH9rTI&HHAg_<Vdhe2Vkl8_ielqbcUHO2KOzNt-!|5nJ*Jr+j~QzI4n;j
zyZFdg0>j5Rtf90=P^K4N%(r<nbo&|7QLi{RXlUB9kD9~%SRJ4@IkWUlMJ!WZEE8%X
zoA2L8!<`LmzZ_`SvbA5Dr1|LhoeTbJ-L=oPwNV9?G4M(KXRCwXH^vnzj#Hj4M8qRA
z&n)o9^Bl;P)$Z+YBi`GmL4oZU@q9WvJcO#gWl!MZj9YoHzD=7q>+a)aXjAx+elk`T
z&t^qXrAKA=UBX#+v<eXINngD>C&_nx(YQknvdF}@9x&++A^=)tuO^6=L@%_<!uYOD
zwUEd>CCZ#oYkK~VfG}Fb*&w8{n*Gx^XfvEnQp~@+!w&L!@7wB%_ELm~4h}$v9|%<7
zvg1<ZFLkz@eVP%AesI$Hg|humm=z!YjQg#KSC@AzIOdC*P&yTuZitrv=u%?S>l2LW
ztJkMO{{4c>7}+|~Ec#G-`8Wm7*aunhrF}9Qr?jGUo!L)D!4o{vLsy)pCqltm=FKSZ
zb=@DHZ=}rhhN`weAqiKnW+ASB5|BbpxIA2@75Edq(a<F(Rq>@=^RW93&%}i5I10iz
z7L#Zo53ET2_$KX-IC!deP{E{T6@guW25e<Ciz0`C3bwmoSlMFWYbMH|5fQ??A26|s
zj`}e6x$A;k@vq%gz(y4KBWeb7@|ocn@3%>w@1jv636XZW{kpIhi>TVW%X8!1Le*{y
zM>4AQOrUmUb?0-`Kq_LpqL@y?fAgha%7+^u$=rQn0EbRhaAGNI8zu>S-zL%3*RT63
zYaXb_l-7WS=ix@wO@nq6sdxg8)gCH>RTNuF+Ks6F<Zu+gpA$Q;|9dU{Yew@o21J;X
z;8LL#GNX<=XTUvWS57_p@=vFX*}6nU`{{vCNg_MUVZ5^nFw-j~sgSID`&RfhzKuaG
zhH-2$P{?7F%`7!p-Lq0x#yMMSb9%>u_4}otdimWpK&kCsq<w#)yrjyXuNc2z*se(A
zj8i816qJlDPtEvCChbn<N`h|SVZ8l&9#Ce3ZR87v613N!$I%I46E0Mjwoj?$2yA!~
zdjZqCx~ASe%E^eckF~Z-_`6??DVJZk$$$0IP*H^=eNq9;UgITxfH1%+g>JYSl_acX
zhV;G@sTtt1>4j6US%$V-kXP9Da;o=pbn|Is6%5?2x8|OM#|u5s0M<l2QCiRPHJ5}_
z+x=+U5-9!fqE+PN>xSKleNIQ{YO>3_Iv~<w4e|l@9rz`E0ShWYURSY;5{533Zrz{|
zt_-9U8o}iZf$dSTFh|qq#tmyWtFpehIa?sOI#^jVpPt^yl~2}H0G$R`jGMExvdn;F
zUog@DV9V3^(aj)UXyuJQWemw$`T^KCVqW0&@V|SP5Zh?<7)KC&I51ZS0Fj%=N9hih
zcmTncoDYKPzfyKOcE)1|4j>DDaB7DQJ8alt!~X#r%5~-;pcyGHP7YrG>v)ArOsoQR
r13(9MQv_Z_qC-GuCU_$wwnhqw+DZlPC@WnMKjL!I&8g-@V9I|0MzJlJ

literal 0
HcmV?d00001

diff --git a/frontend/public/icons/github.svg b/frontend/public/icons/github.svg
new file mode 100644
index 00000000..1c233af3
--- /dev/null
+++ b/frontend/public/icons/github.svg
@@ -0,0 +1,3 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 98 96">
+  <path fill-rule="evenodd" clip-rule="evenodd" d="M48.854 0C21.839 0 0 22 0 49.217c0 21.756 13.993 40.172 33.405 46.69 2.427.49 3.316-1.059 3.316-2.362 0-1.141-.08-5.052-.08-9.127-13.59 2.934-16.42-5.867-16.42-5.867-2.184-5.704-5.42-7.17-5.42-7.17-4.448-3.015.324-3.015.324-3.015 4.934.326 7.523 5.052 7.523 5.052 4.367 7.496 11.404 5.378 14.235 4.074.404-3.178 1.699-5.378 3.074-6.6-10.839-1.141-22.243-5.378-22.243-24.283 0-5.378 1.94-9.778 5.014-13.2-.485-1.222-2.184-6.275.486-13.038 0 0 4.125-1.304 13.426 5.052a46.97 46.97 0 0 1 12.214-1.63c4.125 0 8.33.571 12.213 1.63 9.302-6.356 13.427-5.052 13.427-5.052 2.67 6.763.97 11.816.485 13.038 3.155 3.422 5.015 7.822 5.015 13.2 0 18.905-11.404 23.06-22.324 24.283 1.78 1.548 3.316 4.481 3.316 9.126 0 6.6-.08 11.897-.08 13.526 0 1.304.89 2.853 3.316 2.364 19.412-6.52 33.405-24.935 33.405-46.691C97.707 22 75.788 0 48.854 0z" fill="#24292f"/>
+</svg>
diff --git a/frontend/public/icons/jira.svg b/frontend/public/icons/jira.svg
new file mode 100644
index 00000000..7757cd70
--- /dev/null
+++ b/frontend/public/icons/jira.svg
@@ -0,0 +1,15 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 256 256">
+  <defs>
+    <linearGradient id="a" x1="98.03%" y1="0.22%" x2="58.89%" y2="40.76%">
+      <stop offset="18%" stop-color="#0052CC"/>
+      <stop offset="100%" stop-color="#2684FF"/>
+    </linearGradient>
+    <linearGradient id="b" x1="100.97%" y1="0.49%" x2="55.9%" y2="44.14%">
+      <stop offset="18%" stop-color="#0052CC"/>
+      <stop offset="100%" stop-color="#2684FF"/>
+    </linearGradient>
+  </defs>
+  <path d="M244.658 0H121.707a55.502 55.502 0 0 0 55.502 55.502h22.649V77.37c.02 30.625 24.841 55.447 55.466 55.502V10.666C255.324 4.777 250.55 0 244.658 0z" fill="#2684FF"/>
+  <path d="M183.822 61.262H60.872c.019 30.625 24.84 55.447 55.466 55.502h22.649v21.868c.02 30.597 24.798 55.408 55.395 55.502V71.93c0-5.891-4.776-10.667-10.56-10.667z" fill="url(#a)"/>
+  <path d="M122.951 122.489H0c0 30.653 24.85 55.502 55.502 55.502h22.72v21.868c.02 30.597 24.798 55.408 55.396 55.502V133.156c0-5.891-4.776-10.667-10.667-10.667z" fill="url(#b)"/>
+</svg>
diff --git a/frontend/public/icons/slack.svg b/frontend/public/icons/slack.svg
new file mode 100644
index 00000000..75b14013
--- /dev/null
+++ b/frontend/public/icons/slack.svg
@@ -0,0 +1,6 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 128 128">
+  <path d="M27.2 80c0 7.3-5.9 13.2-13.2 13.2C6.7 93.2.8 87.3.8 80c0-7.3 5.9-13.2 13.2-13.2h13.2V80zm6.6 0c0-7.3 5.9-13.2 13.2-13.2 7.3 0 13.2 5.9 13.2 13.2v33c0 7.3-5.9 13.2-13.2 13.2-7.3 0-13.2-5.9-13.2-13.2V80z" fill="#E01E5A"/>
+  <path d="M47 27.2c-7.3 0-13.2-5.9-13.2-13.2C33.8 6.7 39.7.8 47 .8c7.3 0 13.2 5.9 13.2 13.2v13.2H47zm0 6.8c7.3 0 13.2 5.9 13.2 13.2 0 7.3-5.9 13.2-13.2 13.2H14c-7.3 0-13.2-5.9-13.2-13.2 0-7.3 5.9-13.2 13.2-13.2h33z" fill="#36C5F0"/>
+  <path d="M99.9 47.2c0-7.3 5.9-13.2 13.2-13.2 7.3 0 13.2 5.9 13.2 13.2 0 7.3-5.9 13.2-13.2 13.2H99.9V47.2zm-6.6 0c0 7.3-5.9 13.2-13.2 13.2-7.3 0-13.2-5.9-13.2-13.2V14c0-7.3 5.9-13.2 13.2-13.2 7.3 0 13.2 5.9 13.2 13.2v33.2z" fill="#2EB67D"/>
+  <path d="M80.1 99.9c7.3 0 13.2 5.9 13.2 13.2 0 7.3-5.9 13.2-13.2 13.2-7.3 0-13.2-5.9-13.2-13.2V99.9h13.2zm0-6.6c-7.3 0-13.2-5.9-13.2-13.2 0-7.3 5.9-13.2 13.2-13.2h33.1c7.3 0 13.2 5.9 13.2 13.2 0 7.3-5.9 13.2-13.2 13.2H80.1z" fill="#ECB22E"/>
+</svg>
diff --git a/frontend/src/App.tsx b/frontend/src/App.tsx
index 87fea899..57fa2491 100644
--- a/frontend/src/App.tsx
+++ b/frontend/src/App.tsx
@@ -4,6 +4,7 @@ import { WorkflowBuilder } from '@/features/workflow-builder/WorkflowBuilder';
 import { SecretsManager } from '@/pages/SecretsManager';
 import { ApiKeysManager } from '@/pages/ApiKeysManager';
 import { IntegrationsManager } from '@/pages/IntegrationsManager';
+import { IntegrationDetailPage } from '@/pages/IntegrationDetailPage';
 import { ArtifactLibrary } from '@/pages/ArtifactLibrary';
 import { McpLibraryPage } from '@/pages/McpLibraryPage';
 import { IntegrationCallback } from '@/pages/IntegrationCallback';
@@ -79,6 +80,7 @@ function App() {
                     <Route path="/secrets" element={<SecretsManager />} />
                     <Route path="/api-keys" element={<ApiKeysManager />} />
                     <Route path="/integrations" element={<IntegrationsManager />} />
+                    <Route path="/integrations/:provider" element={<IntegrationDetailPage />} />
                     <Route path="/webhooks" element={<WebhooksPage />} />
                     <Route path="/webhooks/new" element={<WebhookEditorPage />} />
                     <Route path="/webhooks/:id" element={<WebhookEditorPage />} />
diff --git a/frontend/src/components/workflow/ParameterField.tsx b/frontend/src/components/workflow/ParameterField.tsx
index 44e4c7ea..f1b31ec1 100644
--- a/frontend/src/components/workflow/ParameterField.tsx
+++ b/frontend/src/components/workflow/ParameterField.tsx
@@ -18,10 +18,11 @@ import type { Parameter } from '@/schemas/component';
 import type { InputMapping } from '@/schemas/node';
 import { useSecretStore } from '@/store/secretStore';
 import { useIntegrationStore } from '@/store/integrationStore';
-import { getCurrentUserId } from '@/lib/currentUser';
+// D17: getCurrentUserId no longer needed for connection fetching
 import { useArtifactStore } from '@/store/artifactStore';
 import { env } from '@/config/env';
 import { api } from '@/services/api';
+import type { IntegrationConnection } from '@/services/api';
 import { useWorkflowStore } from '@/store/workflowStore';
 import {
   Dialog,
@@ -65,12 +66,12 @@ export function ParameterField({
   const fetchSecrets = useSecretStore((state) => state.fetchSecrets);
   const refreshSecrets = useSecretStore((state) => state.refresh);
 
-  const integrationConnections = useIntegrationStore((state) => state.connections);
-  const fetchIntegrationConnections = useIntegrationStore((state) => state.fetchConnections);
+  const fetchMergedConnections = useIntegrationStore((state) => state.fetchMergedConnections);
   const integrationLoading = useIntegrationStore((state) => state.loadingConnections);
   const integrationError = useIntegrationStore((state) => state.error);
 
-  const currentUserId = useMemo(() => getCurrentUserId(), []);
+  // D17: merged connections from both user-scoped and org-scoped endpoints
+  const [mergedConnections, setMergedConnections] = useState<IntegrationConnection[]>([]);
   const hasFetchedConnectionsRef = useRef(false);
   const autoSelectedConnectionRef = useRef(false);
 
@@ -89,18 +90,27 @@ export function ParameterField({
   const isRemoveGithubComponent = componentId === 'github.org.membership.remove';
   const isProviderGithubComponent = componentId === 'github.connection.provider';
   const isGitHubConnectionComponent = isRemoveGithubComponent || isProviderGithubComponent;
-  const isConnectionSelector = isGitHubConnectionComponent && parameter.id === 'connectionId';
+  const isGenericCredentialResolver = componentId === 'core.integration.resolve-credentials';
+  const isConnectionSelector =
+    (isGitHubConnectionComponent || isGenericCredentialResolver) && parameter.id === 'connectionId';
   const isGithubConnectionMode = isRemoveGithubComponent && authModeFromParameters === 'connection';
 
   const currentBuilderWorkflowId = useWorkflowStore((state) => state.metadata.id);
   const isWorkflowCallComponent = componentId === 'core.workflow.call';
   const isWorkflowSelector = isWorkflowCallComponent && parameter.id === 'workflowId';
 
+  // D17: use merged connections (combines user-scoped and org-scoped)
   const githubConnections = useMemo(
-    () => integrationConnections.filter((connection) => connection.provider === 'github'),
-    [integrationConnections],
+    () => mergedConnections.filter((connection) => connection.provider === 'github'),
+    [mergedConnections],
   );
 
+  // All connections for the generic credential resolver (no provider filter)
+  const allConnections = useMemo(() => mergedConnections, [mergedConnections]);
+
+  // Pick the right list depending on the component
+  const connectionOptions = isGenericCredentialResolver ? allConnections : githubConnections;
+
   const [workflowOptions, setWorkflowOptions] = useState<{ id: string; name: string }[]>([]);
   const [workflowOptionsLoading, setWorkflowOptionsLoading] = useState(false);
   const [workflowOptionsError, setWorkflowOptionsError] = useState<string | null>(null);
@@ -182,10 +192,13 @@ export function ParameterField({
       return;
     }
     hasFetchedConnectionsRef.current = true;
-    fetchIntegrationConnections(currentUserId).catch((error) => {
-      console.error('Failed to load integration connections', error);
-    });
-  }, [isConnectionSelector, fetchIntegrationConnections, currentUserId]);
+    // D17: fetch merged connections (user-scoped + org-scoped, deduped)
+    fetchMergedConnections()
+      .then((merged) => setMergedConnections(merged))
+      .catch((error) => {
+        console.error('Failed to load integration connections', error);
+      });
+  }, [isConnectionSelector, fetchMergedConnections]);
 
   useEffect(() => {
     if (!isConnectionSelector || integrationLoading) {
@@ -200,8 +213,8 @@ export function ParameterField({
       return;
     }
 
-    if (githubConnections.length === 1 && !autoSelectedConnectionRef.current) {
-      const [firstConnection] = githubConnections;
+    if (connectionOptions.length === 1 && !autoSelectedConnectionRef.current) {
+      const [firstConnection] = connectionOptions;
       if (firstConnection) {
         autoSelectedConnectionRef.current = true;
         onChange(firstConnection.id);
@@ -214,7 +227,7 @@ export function ParameterField({
     }
   }, [
     isConnectionSelector,
-    githubConnections,
+    connectionOptions,
     integrationLoading,
     currentValue,
     onChange,
@@ -224,7 +237,8 @@ export function ParameterField({
 
   const handleRefreshConnections = async () => {
     try {
-      await fetchIntegrationConnections(currentUserId, true);
+      const merged = await fetchMergedConnections();
+      setMergedConnections(merged);
     } catch (error) {
       console.error('Failed to refresh integration connections', error);
     }
@@ -361,7 +375,6 @@ export function ParameterField({
           onChange={(event) => {
             autoSelectedConnectionRef.current = true;
             const nextValue = event.target.value;
-            console.log('Selected GitHub connection ID:', nextValue);
             if (nextValue === '') {
               onChange(undefined);
               if (isRemoveGithubComponent) {
@@ -379,10 +392,12 @@ export function ParameterField({
           className="w-full px-3 py-2 text-sm border rounded-md bg-background"
           disabled={disabled}
         >
-          <option value="">Select a GitHub connection…</option>
-          {githubConnections.map((connection) => (
+          <option value="">
+            {isGenericCredentialResolver ? 'Select a connection…' : 'Select a GitHub connection…'}
+          </option>
+          {connectionOptions.map((connection) => (
             <option key={connection.id} value={connection.id}>
-              {connection.providerName} · {connection.userId}
+              {connection.displayName ?? connection.providerName} · {connection.provider}
             </option>
           ))}
         </select>
@@ -393,9 +408,11 @@ export function ParameterField({
 
         {integrationError && <p className="text-xs text-destructive">{integrationError}</p>}
 
-        {!integrationLoading && githubConnections.length === 0 && (
+        {!integrationLoading && connectionOptions.length === 0 && (
           <p className="text-xs text-muted-foreground">
-            No active GitHub connections yet. Connect GitHub from the Connections manager.
+            {isGenericCredentialResolver
+              ? 'No active connections yet. Add a connection from the Integrations page.'
+              : 'No active GitHub connections yet. Connect GitHub from the Connections manager.'}
           </p>
         )}
 
diff --git a/frontend/src/config/env.ts b/frontend/src/config/env.ts
index a9eb9fa5..7c167b37 100644
--- a/frontend/src/config/env.ts
+++ b/frontend/src/config/env.ts
@@ -9,6 +9,7 @@ interface FrontendEnv {
   VITE_ENABLE_CONNECTIONS: boolean;
   VITE_ENABLE_IT_OPS: boolean;
   VITE_API_URL: string;
+  VITE_APP_URL: string;
   VITE_OPENSEARCH_DASHBOARDS_URL: string;
 }
 
@@ -20,6 +21,7 @@ export const env: FrontendEnv = {
   VITE_ENABLE_CONNECTIONS: import.meta.env.VITE_ENABLE_CONNECTIONS === 'true',
   VITE_ENABLE_IT_OPS: import.meta.env.VITE_ENABLE_IT_OPS === 'true',
   VITE_API_URL: (import.meta.env.VITE_API_URL as string | undefined) ?? '',
+  VITE_APP_URL: (import.meta.env.VITE_APP_URL as string | undefined) ?? window.location.origin,
   VITE_OPENSEARCH_DASHBOARDS_URL:
     (import.meta.env.VITE_OPENSEARCH_DASHBOARDS_URL as string | undefined) ?? '',
 };
diff --git a/frontend/src/pages/IntegrationCallback.tsx b/frontend/src/pages/IntegrationCallback.tsx
index 18ba1574..018dde5e 100644
--- a/frontend/src/pages/IntegrationCallback.tsx
+++ b/frontend/src/pages/IntegrationCallback.tsx
@@ -55,7 +55,7 @@ export function IntegrationCallback() {
     const authCode = code;
     const authState = state;
 
-    const redirectUri = `${window.location.origin}/integrations/callback/${providerId}`;
+    const redirectUri = `${env.VITE_APP_URL}/integrations/callback/${providerId}`;
     let cancelled = false;
 
     async function exchangeCode() {
@@ -75,9 +75,7 @@ export function IntegrationCallback() {
         setStatus('success');
         setMessage(`Connected to ${connection.providerName}. Redirecting…`);
         setTimeout(() => {
-          const target = env.VITE_ENABLE_CONNECTIONS
-            ? `/integrations?connected=${connection.provider}`
-            : '/';
+          const target = env.VITE_ENABLE_CONNECTIONS ? `/integrations/${connection.provider}` : '/';
           navigate(target, { replace: true });
         }, 1200);
       } catch (error) {
@@ -114,7 +112,9 @@ export function IntegrationCallback() {
         {status !== 'pending' && (
           <Button
             variant="outline"
-            onClick={() => navigate(env.VITE_ENABLE_CONNECTIONS ? '/integrations' : '/')}
+            onClick={() =>
+              navigate(env.VITE_ENABLE_CONNECTIONS ? `/integrations/${provider}` : '/')
+            }
           >
             {env.VITE_ENABLE_CONNECTIONS ? 'Return to connections' : 'Return home'}
           </Button>
diff --git a/frontend/src/pages/IntegrationDetailPage.tsx b/frontend/src/pages/IntegrationDetailPage.tsx
new file mode 100644
index 00000000..91f6f008
--- /dev/null
+++ b/frontend/src/pages/IntegrationDetailPage.tsx
@@ -0,0 +1,1283 @@
+import { useEffect, useMemo, useState } from 'react';
+import { useParams, useNavigate } from 'react-router-dom';
+import {
+  ArrowLeft,
+  Plus,
+  Trash2,
+  RefreshCcw,
+  CheckCircle,
+  XCircle,
+  ExternalLink,
+  Loader2,
+  Shield,
+  MessageSquare,
+  Copy,
+  Check,
+  ChevronDown,
+  Info,
+  ChevronRight,
+  Hash,
+  Terminal,
+  Send,
+  Eye,
+} from 'lucide-react';
+
+import { env } from '@/config/env';
+import { useIntegrationStore } from '@/store/integrationStore';
+import { api } from '@/services/api';
+import type { IntegrationCatalogEntry, IntegrationConnection } from '@/services/api';
+import { useToast } from '@/components/ui/use-toast';
+import { cn } from '@/lib/utils';
+
+import { Button } from '@/components/ui/button';
+import { Badge } from '@/components/ui/badge';
+import { Input } from '@/components/ui/input';
+import { Label } from '@/components/ui/label';
+import { Card, CardContent, CardDescription, CardHeader, CardTitle } from '@/components/ui/card';
+import {
+  Dialog,
+  DialogContent,
+  DialogDescription,
+  DialogFooter,
+  DialogHeader,
+  DialogTitle,
+  DialogTrigger,
+} from '@/components/ui/dialog';
+import { Tabs, TabsContent, TabsList, TabsTrigger } from '@/components/ui/tabs';
+import { Skeleton } from '@/components/ui/skeleton';
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+function formatTimestamp(iso: string | null | undefined): string {
+  if (!iso) return '\u2014';
+  try {
+    return new Intl.DateTimeFormat('en-US', {
+      month: 'short',
+      day: 'numeric',
+      year: 'numeric',
+      hour: '2-digit',
+      minute: '2-digit',
+    }).format(new Date(iso));
+  } catch {
+    return iso;
+  }
+}
+
+const PROVIDER_VISUALS: Record<string, { logo: string; gradient: string; borderAccent: string }> = {
+  aws: {
+    logo: '/icons/aws.png',
+    gradient: '',
+    borderAccent: 'border-orange-200 dark:border-orange-800',
+  },
+  slack: {
+    logo: '/icons/slack.svg',
+    gradient: 'from-purple-50 to-pink-50 dark:from-purple-950/20 dark:to-pink-950/20',
+    borderAccent: 'border-purple-200 dark:border-purple-800',
+  },
+};
+
+function credentialTypeBadge(type: string) {
+  const labels: Record<string, string> = {
+    api_key: 'Access Key',
+    iam_role: 'IAM Role',
+    webhook: 'Webhook',
+    oauth: 'OAuth',
+  };
+  return (
+    <Badge variant="outline" className="capitalize">
+      {labels[type] ?? type}
+    </Badge>
+  );
+}
+
+function healthBadge(connection: IntegrationConnection) {
+  const status = connection.lastValidationStatus ?? connection.status;
+  if (status === 'active' || status === 'valid' || status === 'ok') {
+    return (
+      <Badge variant="secondary" className="gap-1">
+        <CheckCircle className="h-3 w-3" />
+        Healthy
+      </Badge>
+    );
+  }
+  if (status === 'expired' || status === 'invalid' || status === 'error') {
+    return (
+      <Badge variant="destructive" className="gap-1">
+        <XCircle className="h-3 w-3" />
+        {status === 'expired' ? 'Expired' : 'Unhealthy'}
+      </Badge>
+    );
+  }
+  return (
+    <Badge variant="outline" className="gap-1">
+      {connection.status}
+    </Badge>
+  );
+}
+
+/** Renders step text with inline `code` segments styled as <code> elements. */
+function renderStepText(text: string): React.ReactNode {
+  const parts = text.split(/(`[^`]+`)/g);
+  if (parts.length === 1) return text;
+  return parts.map((part, i) => {
+    if (part.startsWith('`') && part.endsWith('`')) {
+      return (
+        <code key={i} className="rounded bg-muted px-1.5 py-0.5 text-[0.8em] font-mono break-all">
+          {part.slice(1, -1)}
+        </code>
+      );
+    }
+    return <span key={i}>{part}</span>;
+  });
+}
+
+// ---------------------------------------------------------------------------
+// AWS Connection Form
+// ---------------------------------------------------------------------------
+
+interface AwsFormProps {
+  onCreated: () => void;
+  onCancel: () => void;
+}
+
+function AwsConnectionForm({ onCreated, onCancel }: AwsFormProps) {
+  const store = useIntegrationStore();
+  const { toast } = useToast();
+  const [step, setStep] = useState<1 | 2>(1);
+  const [submitting, setSubmitting] = useState(false);
+  const [result, setResult] = useState<{ ok: boolean; message: string } | null>(null);
+  const [loadingSetup, setLoadingSetup] = useState(true);
+  const [setupInfo, setSetupInfo] = useState<{
+    platformRoleArn: string;
+    externalId: string;
+    setupToken: string;
+    trustPolicyTemplate: string;
+    externalIdDisplay?: string;
+  } | null>(null);
+  const [copied, setCopied] = useState(false);
+  const [whyOpen, setWhyOpen] = useState(false);
+
+  // Form fields
+  const [displayName, setDisplayName] = useState('');
+  const [roleArn, setRoleArn] = useState('');
+  const [region, setRegion] = useState('');
+
+  useEffect(() => {
+    store
+      .getAwsSetupInfo()
+      .then(setSetupInfo)
+      .catch((err) =>
+        setResult({
+          ok: false,
+          message:
+            err instanceof Error ? err.message : 'Failed to load setup info. Please try again.',
+        }),
+      )
+      .finally(() => setLoadingSetup(false));
+  }, []);
+
+  const handleCopyPolicy = async () => {
+    if (!setupInfo) return;
+    try {
+      await navigator.clipboard.writeText(setupInfo.trustPolicyTemplate);
+      setCopied(true);
+      setTimeout(() => setCopied(false), 2000);
+    } catch {
+      toast({
+        title: 'Copy failed',
+        description: 'Please select and copy the policy manually.',
+        variant: 'destructive',
+      });
+    }
+  };
+
+  const handleSubmit = async (e: React.FormEvent) => {
+    e.preventDefault();
+    if (!setupInfo) return;
+    if (!displayName.trim() || !roleArn.trim()) {
+      setResult({ ok: false, message: 'Display Name and Role ARN are required.' });
+      return;
+    }
+    setSubmitting(true);
+    setResult(null);
+    try {
+      await store.createAwsConnection({
+        displayName: displayName.trim(),
+        roleArn: roleArn.trim(),
+        region: region.trim() || undefined,
+        externalId: setupInfo.externalId,
+        setupToken: setupInfo.setupToken,
+      });
+      toast({ title: 'AWS connection created' });
+      onCreated();
+    } catch (err) {
+      setResult({
+        ok: false,
+        message: err instanceof Error ? err.message : 'Failed to create connection.',
+      });
+    } finally {
+      setSubmitting(false);
+    }
+  };
+
+  if (loadingSetup) {
+    return (
+      <div className="flex items-center justify-center py-8">
+        <Loader2 className="h-6 w-6 animate-spin text-muted-foreground" />
+        <span className="ml-2 text-sm text-muted-foreground">Loading setup info...</span>
+      </div>
+    );
+  }
+
+  // Setup info failed — show error + cancel only
+  if (!setupInfo) {
+    return (
+      <div className="space-y-4">
+        {result && (
+          <div className="flex items-start gap-2 rounded-md border p-3 text-sm border-red-200 bg-red-50 text-red-800 dark:border-red-800 dark:bg-red-950 dark:text-red-200">
+            <XCircle className="h-4 w-4 mt-0.5 shrink-0" />
+            <span>{result.message}</span>
+          </div>
+        )}
+        <DialogFooter>
+          <Button type="button" variant="outline" onClick={onCancel}>
+            Cancel
+          </Button>
+        </DialogFooter>
+      </div>
+    );
+  }
+
+  return (
+    <div className="space-y-5">
+      {/* Step indicator */}
+      <div className="flex items-center gap-3">
+        <button
+          type="button"
+          onClick={() => {
+            setStep(1);
+            setResult(null);
+          }}
+          className={cn(
+            'flex items-center gap-2 rounded-full px-3 py-1.5 text-xs font-medium transition-colors',
+            step === 1
+              ? 'bg-primary text-primary-foreground'
+              : 'bg-muted text-muted-foreground hover:bg-muted/80',
+          )}
+        >
+          <span className="flex h-5 w-5 items-center justify-center rounded-full border text-[10px] font-bold border-current">
+            1
+          </span>
+          Configure Trust Policy
+        </button>
+        <ChevronRight className="h-4 w-4 text-muted-foreground shrink-0" />
+        <button
+          type="button"
+          onClick={() => setStep(2)}
+          className={cn(
+            'flex items-center gap-2 rounded-full px-3 py-1.5 text-xs font-medium transition-colors',
+            step === 2
+              ? 'bg-primary text-primary-foreground'
+              : 'bg-muted text-muted-foreground hover:bg-muted/80',
+          )}
+        >
+          <span className="flex h-5 w-5 items-center justify-center rounded-full border text-[10px] font-bold border-current">
+            2
+          </span>
+          Connection Details
+        </button>
+      </div>
+
+      {/* ── Step 1: Trust Policy ── */}
+      {step === 1 && (
+        <div className="space-y-4">
+          <div className="space-y-3">
+            <Label className="text-sm font-semibold">Configure Trust Policy</Label>
+            <p className="text-sm text-muted-foreground">
+              Create an IAM role in your AWS account and set its trust policy to the JSON below.
+              This allows ShipSec to securely access your account using a unique External ID &mdash;
+              without you sharing any access keys.
+            </p>
+            <div className="relative">
+              <pre className="rounded-md border bg-muted/50 p-4 text-xs font-mono overflow-x-auto whitespace-pre-wrap leading-relaxed">
+                {setupInfo.trustPolicyTemplate}
+              </pre>
+              <Button
+                type="button"
+                variant="ghost"
+                size="sm"
+                className="absolute top-2 right-2 h-7 gap-1.5 text-xs"
+                onClick={handleCopyPolicy}
+              >
+                {copied ? (
+                  <>
+                    <Check className="h-3.5 w-3.5" /> Copied
+                  </>
+                ) : (
+                  <>
+                    <Copy className="h-3.5 w-3.5" /> Copy
+                  </>
+                )}
+              </Button>
+            </div>
+          </div>
+
+          {/* Collapsible: Why IAM Role Assumption? */}
+          <div className="rounded-md border bg-blue-50/50 dark:bg-blue-950/20 border-blue-200 dark:border-blue-800">
+            <button
+              type="button"
+              onClick={() => setWhyOpen((v) => !v)}
+              className="flex w-full items-center gap-2 p-3 text-left text-xs font-medium text-blue-700 dark:text-blue-300 hover:bg-blue-50 dark:hover:bg-blue-950/30 rounded-md transition-colors"
+            >
+              <Info className="h-3.5 w-3.5 shrink-0" />
+              <span className="flex-1">Why IAM Role assumption instead of access keys?</span>
+              <ChevronDown
+                className={cn(
+                  'h-3.5 w-3.5 shrink-0 transition-transform duration-200',
+                  whyOpen && 'rotate-180',
+                )}
+              />
+            </button>
+            {whyOpen && (
+              <div className="px-3 pb-3 text-xs text-blue-700/80 dark:text-blue-300/80 space-y-2">
+                <p>
+                  <strong>IAM Role assumption with an External ID</strong> is the AWS-recommended
+                  approach for granting cross-account access. Here is why it is safer than sharing
+                  access keys:
+                </p>
+                <ul className="list-disc pl-4 space-y-1">
+                  <li>
+                    <strong>No long-lived credentials.</strong> Access keys are permanent secrets
+                    that can be leaked or stolen. Role assumption uses temporary security tokens
+                    (STS) that expire automatically.
+                  </li>
+                  <li>
+                    <strong>Scoped permissions.</strong> The IAM role you create defines exactly
+                    what ShipSec can do. You control the permission boundary, and can revoke access
+                    at any time by deleting the role.
+                  </li>
+                  <li>
+                    <strong>External ID prevents confused-deputy attacks.</strong> The unique
+                    External ID in the trust policy ensures that only ShipSec &mdash; and
+                    specifically your organization &mdash; can assume this role. No other party can
+                    reuse this trust relationship.
+                  </li>
+                  <li>
+                    <strong>Full audit trail.</strong> Every role assumption is logged in AWS
+                    CloudTrail, giving you complete visibility into when and how ShipSec accesses
+                    your account.
+                  </li>
+                </ul>
+                <p className="pt-1">
+                  For more details, see the{' '}
+                  <a
+                    href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html"
+                    target="_blank"
+                    rel="noopener noreferrer"
+                    className="underline font-medium"
+                  >
+                    AWS documentation on External IDs
+                  </a>
+                  .
+                </p>
+              </div>
+            )}
+          </div>
+
+          <DialogFooter className="gap-2">
+            <Button type="button" variant="outline" onClick={onCancel}>
+              Cancel
+            </Button>
+            <Button type="button" onClick={() => setStep(2)} className="gap-1.5">
+              Next
+              <ChevronRight className="h-4 w-4" />
+            </Button>
+          </DialogFooter>
+        </div>
+      )}
+
+      {/* ── Step 2: Connection Details ── */}
+      {step === 2 && (
+        <form onSubmit={handleSubmit} className="space-y-4">
+          <div className="space-y-3">
+            <p className="text-sm text-muted-foreground">
+              Enter the details of the IAM role you created in Step 1.
+            </p>
+            <div className="space-y-2">
+              <Label htmlFor="aws-display-name">Display Name *</Label>
+              <Input
+                id="aws-display-name"
+                value={displayName}
+                onChange={(e) => setDisplayName(e.target.value)}
+                placeholder="e.g. Production AWS Account"
+                disabled={submitting}
+              />
+            </div>
+            <div className="space-y-2">
+              <Label htmlFor="aws-role-arn">Role ARN *</Label>
+              <Input
+                id="aws-role-arn"
+                value={roleArn}
+                onChange={(e) => setRoleArn(e.target.value)}
+                placeholder="arn:aws:iam::123456789012:role/ShipSecAuditRole"
+                disabled={submitting}
+              />
+            </div>
+            <div className="space-y-2">
+              <Label htmlFor="aws-region">Region (optional)</Label>
+              <Input
+                id="aws-region"
+                value={region}
+                onChange={(e) => setRegion(e.target.value)}
+                placeholder="e.g. us-east-1"
+                disabled={submitting}
+              />
+            </div>
+          </div>
+
+          {result && (
+            <div
+              className={`flex items-start gap-2 rounded-md border p-3 text-sm ${
+                result.ok
+                  ? 'border-green-200 bg-green-50 text-green-800 dark:border-green-800 dark:bg-green-950 dark:text-green-200'
+                  : 'border-red-200 bg-red-50 text-red-800 dark:border-red-800 dark:bg-red-950 dark:text-red-200'
+              }`}
+            >
+              {result.ok ? (
+                <CheckCircle className="h-4 w-4 mt-0.5 shrink-0" />
+              ) : (
+                <XCircle className="h-4 w-4 mt-0.5 shrink-0" />
+              )}
+              <span>{result.message}</span>
+            </div>
+          )}
+
+          <DialogFooter className="gap-2">
+            <Button
+              type="button"
+              variant="outline"
+              onClick={() => {
+                setStep(1);
+                setResult(null);
+              }}
+              disabled={submitting}
+            >
+              Back
+            </Button>
+            <Button type="submit" disabled={submitting}>
+              {submitting ? (
+                <>
+                  <Loader2 className="mr-2 h-4 w-4 animate-spin" />
+                  Creating...
+                </>
+              ) : (
+                'Create Connection'
+              )}
+            </Button>
+          </DialogFooter>
+        </form>
+      )}
+    </div>
+  );
+}
+
+// ---------------------------------------------------------------------------
+// Slack Connection Form
+// ---------------------------------------------------------------------------
+
+interface SlackFormProps {
+  onCreated: () => void;
+  onCancel: () => void;
+}
+
+function SlackConnectionForm({ onCreated, onCancel }: SlackFormProps) {
+  const store = useIntegrationStore();
+  const { toast } = useToast();
+  const [tab, setTab] = useState<string>('webhook');
+  const [submitting, setSubmitting] = useState(false);
+  const [result, setResult] = useState<{ ok: boolean; message: string } | null>(null);
+
+  // Webhook fields
+  const [whDisplayName, setWhDisplayName] = useState('');
+  const [whWebhookUrl, setWhWebhookUrl] = useState('');
+
+  const resetForm = () => {
+    setWhDisplayName('');
+    setWhWebhookUrl('');
+    setResult(null);
+  };
+
+  const handleWebhookSubmit = async (e: React.FormEvent) => {
+    e.preventDefault();
+    setSubmitting(true);
+    setResult(null);
+
+    try {
+      if (!whDisplayName.trim() || !whWebhookUrl.trim()) {
+        setResult({ ok: false, message: 'Display name and Webhook URL are required.' });
+        setSubmitting(false);
+        return;
+      }
+
+      const conn = await store.createSlackWebhookConnection({
+        displayName: whDisplayName.trim(),
+        webhookUrl: whWebhookUrl.trim(),
+      });
+
+      // Auto-test
+      try {
+        const testResult = await store.testSlackConnection(conn.id);
+        if (testResult.ok) {
+          setResult({
+            ok: true,
+            message: 'Webhook connection created and test message sent successfully.',
+          });
+        } else {
+          setResult({
+            ok: false,
+            message: `Connection created but test failed: ${testResult.error ?? 'Unknown error'}`,
+          });
+        }
+      } catch {
+        setResult({
+          ok: true,
+          message: 'Connection created. Test message could not be sent automatically.',
+        });
+      }
+
+      toast({
+        title: 'Slack webhook connection created',
+        description: 'The webhook has been stored.',
+      });
+      resetForm();
+      onCreated();
+    } catch (err) {
+      const message = err instanceof Error ? err.message : 'Failed to create Slack connection.';
+      setResult({ ok: false, message });
+    } finally {
+      setSubmitting(false);
+    }
+  };
+
+  const handleOAuthConnect = async () => {
+    setSubmitting(true);
+    setResult(null);
+    try {
+      const redirectUri = `${env.VITE_APP_URL}/integrations/callback/slack`;
+      const response = await api.integrations.startOAuth('slack', { redirectUri });
+      window.location.href = response.authorizationUrl;
+    } catch (err) {
+      const message = err instanceof Error ? err.message : 'Failed to start Slack OAuth flow.';
+      setResult({ ok: false, message });
+      setSubmitting(false);
+    }
+  };
+
+  return (
+    <div className="space-y-4">
+      <Tabs value={tab} onValueChange={setTab}>
+        <TabsList className="w-full">
+          <TabsTrigger value="webhook" className="flex-1">
+            Webhook
+          </TabsTrigger>
+          <TabsTrigger value="oauth" className="flex-1">
+            OAuth
+          </TabsTrigger>
+        </TabsList>
+
+        <TabsContent value="webhook" className="mt-4">
+          <form onSubmit={handleWebhookSubmit} className="space-y-4">
+            <div className="space-y-2">
+              <Label htmlFor="wh-display-name">Display Name *</Label>
+              <Input
+                id="wh-display-name"
+                value={whDisplayName}
+                onChange={(e) => setWhDisplayName(e.target.value)}
+                placeholder="e.g. Security Alerts Channel"
+                disabled={submitting}
+              />
+            </div>
+            <div className="space-y-2">
+              <Label htmlFor="wh-webhook-url">Webhook URL *</Label>
+              <Input
+                id="wh-webhook-url"
+                value={whWebhookUrl}
+                onChange={(e) => setWhWebhookUrl(e.target.value)}
+                placeholder="https://hooks.slack.com/services/T.../B.../..."
+                autoComplete="off"
+                disabled={submitting}
+              />
+              <p className="text-xs text-muted-foreground">
+                Create an incoming webhook in your Slack workspace settings.
+              </p>
+            </div>
+
+            {result && tab === 'webhook' && (
+              <div
+                className={`flex items-start gap-2 rounded-md border p-3 text-sm ${
+                  result.ok
+                    ? 'border-green-200 bg-green-50 text-green-800 dark:border-green-800 dark:bg-green-950 dark:text-green-200'
+                    : 'border-red-200 bg-red-50 text-red-800 dark:border-red-800 dark:bg-red-950 dark:text-red-200'
+                }`}
+              >
+                {result.ok ? (
+                  <CheckCircle className="h-4 w-4 mt-0.5 shrink-0" />
+                ) : (
+                  <XCircle className="h-4 w-4 mt-0.5 shrink-0" />
+                )}
+                <span>{result.message}</span>
+              </div>
+            )}
+
+            <DialogFooter className="gap-2">
+              <Button type="button" variant="outline" onClick={onCancel} disabled={submitting}>
+                Cancel
+              </Button>
+              <Button type="submit" disabled={submitting}>
+                {submitting ? (
+                  <>
+                    <Loader2 className="mr-2 h-4 w-4 animate-spin" />
+                    Creating...
+                  </>
+                ) : (
+                  'Create Connection'
+                )}
+              </Button>
+            </DialogFooter>
+          </form>
+        </TabsContent>
+
+        <TabsContent value="oauth" className="mt-4 space-y-4">
+          {/* Main CTA */}
+          <div className="flex flex-col items-center text-center py-2 space-y-3">
+            <div className="flex h-12 w-12 items-center justify-center rounded-xl bg-gradient-to-br from-purple-50 to-pink-50 dark:from-purple-950/30 dark:to-pink-950/30">
+              <img src="/icons/slack.svg" alt="Slack" className="h-7 w-7" />
+            </div>
+            <div>
+              <p className="text-sm font-medium">Install ShipSec into your Slack workspace</p>
+              <p className="text-xs text-muted-foreground mt-1">
+                You&apos;ll be redirected to Slack to authorize the app.
+              </p>
+            </div>
+            <Button
+              onClick={handleOAuthConnect}
+              disabled={submitting}
+              className="gap-2 bg-[#4A154B] hover:bg-[#3a1139] text-white"
+            >
+              {submitting ? (
+                <>
+                  <Loader2 className="h-4 w-4 animate-spin" />
+                  Redirecting to Slack...
+                </>
+              ) : (
+                <>
+                  <img src="/icons/slack.svg" alt="" className="h-4 w-4 brightness-0 invert" />
+                  Add to Slack
+                </>
+              )}
+            </Button>
+          </div>
+
+          {/* Permissions breakdown */}
+          <div className="space-y-1.5">
+            <p className="text-xs font-medium text-muted-foreground uppercase tracking-wider px-1">
+              Permissions requested
+            </p>
+            <div className="rounded-md border divide-y">
+              {[
+                {
+                  icon: Eye,
+                  scope: 'channels:read',
+                  label: 'View channels',
+                  desc: 'List public channels in your workspace',
+                },
+                {
+                  icon: MessageSquare,
+                  scope: 'chat:write',
+                  label: 'Send messages',
+                  desc: 'Post messages to channels the bot is in',
+                },
+                {
+                  icon: Hash,
+                  scope: 'chat:write.public',
+                  label: 'Send to any channel',
+                  desc: 'Post to channels without being a member',
+                },
+                {
+                  icon: Terminal,
+                  scope: 'commands',
+                  label: 'Slash commands',
+                  desc: 'Respond to /shipsec commands',
+                },
+                {
+                  icon: Send,
+                  scope: 'im:write',
+                  label: 'Direct messages',
+                  desc: 'Send DMs to users for alerts and notifications',
+                },
+              ].map(({ icon: Icon, scope, label, desc }) => (
+                <div key={scope} className="flex items-start gap-3 px-3 py-2.5">
+                  <Icon className="h-4 w-4 mt-0.5 shrink-0 text-muted-foreground" />
+                  <div className="min-w-0 flex-1">
+                    <div className="flex items-center gap-2">
+                      <span className="text-sm font-medium">{label}</span>
+                      <code className="text-[10px] text-muted-foreground font-mono bg-muted px-1 py-0.5 rounded">
+                        {scope}
+                      </code>
+                    </div>
+                    <p className="text-xs text-muted-foreground">{desc}</p>
+                  </div>
+                </div>
+              ))}
+            </div>
+          </div>
+
+          {result && tab === 'oauth' && (
+            <div
+              className={`flex items-start gap-2 rounded-md border p-3 text-sm ${
+                result.ok
+                  ? 'border-green-200 bg-green-50 text-green-800 dark:border-green-800 dark:bg-green-950 dark:text-green-200'
+                  : 'border-red-200 bg-red-50 text-red-800 dark:border-red-800 dark:bg-red-950 dark:text-red-200'
+              }`}
+            >
+              {result.ok ? (
+                <CheckCircle className="h-4 w-4 mt-0.5 shrink-0" />
+              ) : (
+                <XCircle className="h-4 w-4 mt-0.5 shrink-0" />
+              )}
+              <span>{result.message}</span>
+            </div>
+          )}
+
+          <DialogFooter>
+            <Button type="button" variant="outline" onClick={onCancel} disabled={submitting}>
+              Cancel
+            </Button>
+          </DialogFooter>
+        </TabsContent>
+      </Tabs>
+    </div>
+  );
+}
+
+// ---------------------------------------------------------------------------
+// Main Page
+// ---------------------------------------------------------------------------
+
+export function IntegrationDetailPage() {
+  const { provider } = useParams<{ provider: string }>();
+  const navigate = useNavigate();
+  const { toast } = useToast();
+
+  const store = useIntegrationStore();
+  const {
+    catalog,
+    orgConnections,
+    loadingOrgConnections,
+    loadingCatalog,
+    fetchOrgConnections,
+    fetchCatalog,
+    validateAwsConnection,
+    testSlackConnection,
+    disconnect,
+    error,
+    resetError,
+  } = store;
+
+  const [dialogOpen, setDialogOpen] = useState(false);
+  const [deleteDialogOpen, setDeleteDialogOpen] = useState(false);
+  const [deleteTarget, setDeleteTarget] = useState<IntegrationConnection | null>(null);
+  const [deleting, setDeleting] = useState(false);
+  const [validatingId, setValidatingId] = useState<string | null>(null);
+
+  // Fetch catalog and connections on mount
+  useEffect(() => {
+    fetchCatalog();
+  }, [fetchCatalog]);
+
+  useEffect(() => {
+    if (provider) {
+      fetchOrgConnections(provider, true);
+    }
+  }, [provider, fetchOrgConnections]);
+
+  // Show store errors as toasts
+  useEffect(() => {
+    if (error) {
+      toast({ title: 'Error', description: error, variant: 'destructive' });
+      resetError();
+    }
+  }, [error, toast, resetError]);
+
+  const catalogEntry: IntegrationCatalogEntry | undefined = useMemo(() => {
+    return catalog.find((c) => c.id === provider);
+  }, [catalog, provider]);
+
+  const connections = useMemo(() => {
+    if (!provider) return [];
+    return orgConnections.filter((c) => c.provider === provider);
+  }, [orgConnections, provider]);
+
+  const visuals = PROVIDER_VISUALS[provider ?? ''];
+
+  const healthyCount = useMemo(() => {
+    return connections.filter((c) => {
+      const s = c.lastValidationStatus ?? c.status;
+      return s === 'active' || s === 'valid' || s === 'ok';
+    }).length;
+  }, [connections]);
+
+  // ---- Actions ----
+
+  const handleValidate = async (connection: IntegrationConnection) => {
+    setValidatingId(connection.id);
+    try {
+      if (provider === 'aws') {
+        const result = await validateAwsConnection(connection.id);
+        if (result.valid) {
+          toast({
+            title: 'Validation passed',
+            description: `${connection.displayName} credentials are valid.`,
+          });
+        } else {
+          toast({
+            title: 'Validation failed',
+            description: result.error ?? 'Credentials are invalid.',
+            variant: 'destructive',
+          });
+        }
+      } else if (provider === 'slack') {
+        const result = await testSlackConnection(connection.id);
+        if (result.ok) {
+          toast({
+            title: 'Test passed',
+            description: `Test message sent via ${connection.displayName}.`,
+          });
+        } else {
+          toast({
+            title: 'Test failed',
+            description: result.error ?? 'Could not deliver test message.',
+            variant: 'destructive',
+          });
+        }
+      }
+      // Refresh the connections list to pick up updated lastValidationStatus
+      fetchOrgConnections(provider, true);
+    } catch (err) {
+      const message = err instanceof Error ? err.message : 'Validation request failed.';
+      toast({ title: 'Error', description: message, variant: 'destructive' });
+    } finally {
+      setValidatingId(null);
+    }
+  };
+
+  const confirmDelete = (connection: IntegrationConnection) => {
+    setDeleteTarget(connection);
+    setDeleteDialogOpen(true);
+  };
+
+  const handleDelete = async () => {
+    if (!deleteTarget) return;
+    setDeleting(true);
+    try {
+      await disconnect(deleteTarget.id);
+      toast({
+        title: 'Connection removed',
+        description: `${deleteTarget.displayName} has been deleted.`,
+      });
+      setDeleteDialogOpen(false);
+      setDeleteTarget(null);
+      fetchOrgConnections(provider, true);
+    } catch (err) {
+      const message = err instanceof Error ? err.message : 'Failed to delete connection.';
+      toast({ title: 'Delete failed', description: message, variant: 'destructive' });
+    } finally {
+      setDeleting(false);
+    }
+  };
+
+  const handleConnectionCreated = () => {
+    setDialogOpen(false);
+    fetchOrgConnections(provider, true);
+  };
+
+  // ---- Loading state ----
+
+  if (loadingCatalog && !catalogEntry) {
+    return (
+      <div className="flex-1 bg-background">
+        <div className="container mx-auto py-8 px-4 space-y-6">
+          <Skeleton className="h-8 w-48" />
+          <Skeleton className="h-4 w-96" />
+          <Skeleton className="h-40 w-full" />
+          <Skeleton className="h-64 w-full" />
+        </div>
+      </div>
+    );
+  }
+
+  // ---- Unknown provider ----
+
+  if (!loadingCatalog && !catalogEntry) {
+    return (
+      <div className="flex-1 bg-background">
+        <div className="container mx-auto py-8 px-4">
+          <Button variant="ghost" className="gap-2 mb-6" onClick={() => navigate('/integrations')}>
+            <ArrowLeft className="h-4 w-4" />
+            Back to Integrations
+          </Button>
+          <Card>
+            <CardContent className="py-12 text-center">
+              <XCircle className="h-10 w-10 mx-auto mb-3 text-muted-foreground" />
+              <h2 className="text-lg font-semibold mb-1">Provider not found</h2>
+              <p className="text-sm text-muted-foreground">
+                The integration provider &quot;{provider}&quot; is not available in the catalog.
+              </p>
+            </CardContent>
+          </Card>
+        </div>
+      </div>
+    );
+  }
+
+  // ---- Render ----
+
+  const hasSetupSections =
+    catalogEntry?.setupInstructions?.sections && catalogEntry.setupInstructions.sections.length > 0;
+
+  return (
+    <div className="flex-1 bg-background">
+      <div className="container mx-auto py-8 px-4 max-w-6xl space-y-8">
+        {/* Navigation */}
+        <Button variant="ghost" className="gap-2" onClick={() => navigate('/integrations')}>
+          <ArrowLeft className="h-4 w-4" />
+          Back to Integrations
+        </Button>
+
+        {/* ── Provider Header ── */}
+        <div className="flex items-start justify-between gap-6">
+          <div className="flex items-center gap-4">
+            {visuals ? (
+              visuals.gradient ? (
+                <div
+                  className={cn(
+                    'flex h-16 w-16 items-center justify-center rounded-xl bg-gradient-to-br flex-shrink-0 p-3',
+                    visuals.gradient,
+                  )}
+                >
+                  <img
+                    src={visuals.logo}
+                    alt={catalogEntry?.name ?? provider ?? ''}
+                    className="h-full w-full object-contain"
+                  />
+                </div>
+              ) : (
+                <img
+                  src={visuals.logo}
+                  alt={catalogEntry?.name ?? provider ?? ''}
+                  className="h-16 w-16 rounded-xl object-cover flex-shrink-0"
+                />
+              )
+            ) : (
+              <div className="flex h-16 w-16 items-center justify-center rounded-xl bg-gradient-to-br from-gray-50 to-gray-100 dark:from-gray-900 dark:to-gray-800 flex-shrink-0 p-3">
+                <Shield className="h-8 w-8 text-muted-foreground" />
+              </div>
+            )}
+            <div>
+              <h1 className="text-2xl font-bold tracking-tight">
+                {catalogEntry?.name ?? provider}
+              </h1>
+              <p className="text-sm text-muted-foreground mt-1 max-w-xl">
+                {catalogEntry?.description}
+              </p>
+            </div>
+          </div>
+
+          <div className="flex items-center gap-2 flex-shrink-0">
+            {catalogEntry?.docsUrl && (
+              <Button
+                variant="outline"
+                size="sm"
+                className="gap-2"
+                onClick={() => window.open(catalogEntry.docsUrl, '_blank', 'noopener noreferrer')}
+              >
+                <ExternalLink className="h-4 w-4" />
+                Docs
+              </Button>
+            )}
+
+            <Dialog open={dialogOpen} onOpenChange={setDialogOpen}>
+              <DialogTrigger asChild>
+                <Button className="gap-2">
+                  <Plus className="h-4 w-4" />
+                  Add Connection
+                </Button>
+              </DialogTrigger>
+              <DialogContent
+                className={cn(
+                  provider === 'aws' || provider === 'slack' ? 'max-w-2xl' : 'max-w-lg',
+                )}
+              >
+                <DialogHeader>
+                  <DialogTitle>Add {catalogEntry?.name ?? provider} Connection</DialogTitle>
+                  <DialogDescription>
+                    Configure a new connection to {catalogEntry?.name ?? provider}.
+                  </DialogDescription>
+                </DialogHeader>
+
+                {provider === 'aws' && (
+                  <AwsConnectionForm
+                    onCreated={handleConnectionCreated}
+                    onCancel={() => setDialogOpen(false)}
+                  />
+                )}
+                {provider === 'slack' && (
+                  <SlackConnectionForm
+                    onCreated={handleConnectionCreated}
+                    onCancel={() => setDialogOpen(false)}
+                  />
+                )}
+                {provider !== 'aws' && provider !== 'slack' && (
+                  <div className="py-6 text-center text-sm text-muted-foreground">
+                    No connection form is available for this provider yet.
+                  </div>
+                )}
+              </DialogContent>
+            </Dialog>
+          </div>
+        </div>
+
+        {/* ── Connection Cards ── */}
+        <div>
+          <h2 className="text-lg font-semibold mb-4">
+            Connections
+            {connections.length > 0 && (
+              <span className="text-sm font-normal text-muted-foreground ml-2">
+                ({connections.length})
+              </span>
+            )}
+          </h2>
+
+          {loadingOrgConnections ? (
+            <div className="grid grid-cols-1 sm:grid-cols-2 lg:grid-cols-3 gap-4">
+              {[1, 2, 3].map((i) => (
+                <div key={i} className="rounded-lg border p-4 space-y-3">
+                  <Skeleton className="h-5 w-32" />
+                  <Skeleton className="h-4 w-20" />
+                  <Skeleton className="h-4 w-24" />
+                </div>
+              ))}
+            </div>
+          ) : connections.length === 0 ? (
+            <div
+              className="border-2 border-dashed rounded-lg p-8 text-center cursor-pointer hover:border-primary/50 hover:bg-muted/30 transition-colors"
+              onClick={() => setDialogOpen(true)}
+            >
+              <div className="flex h-12 w-12 items-center justify-center rounded-full bg-primary/10 mx-auto mb-3">
+                <Plus className="h-6 w-6 text-primary" />
+              </div>
+              <h3 className="text-base font-medium mb-1">No connections yet</h3>
+              <p className="text-sm text-muted-foreground">
+                Click to add your first {catalogEntry?.name ?? provider} connection.
+              </p>
+            </div>
+          ) : (
+            <div className="grid grid-cols-1 sm:grid-cols-2 lg:grid-cols-3 gap-4">
+              {connections.map((conn) => {
+                const isValidating = validatingId === conn.id;
+                return (
+                  <Card key={conn.id}>
+                    <CardContent className="p-4 space-y-3">
+                      <div className="flex items-start justify-between gap-2">
+                        <h3 className="font-semibold text-sm truncate">
+                          {conn.displayName || '\u2014'}
+                        </h3>
+                        {healthBadge(conn)}
+                      </div>
+                      <div className="flex items-center gap-2">
+                        {credentialTypeBadge(conn.credentialType)}
+                      </div>
+                      <p className="text-xs text-muted-foreground">
+                        Created {formatTimestamp(conn.createdAt)}
+                      </p>
+                      <div className="flex items-center gap-2 pt-2 border-t">
+                        <Button
+                          variant="ghost"
+                          size="sm"
+                          className="h-8 gap-1.5 text-xs flex-1"
+                          disabled={isValidating}
+                          onClick={() => handleValidate(conn)}
+                        >
+                          {isValidating ? (
+                            <Loader2 className="h-3.5 w-3.5 animate-spin" />
+                          ) : (
+                            <RefreshCcw className="h-3.5 w-3.5" />
+                          )}
+                          {provider === 'slack' ? 'Test' : 'Validate'}
+                        </Button>
+                        <Button
+                          variant="ghost"
+                          size="sm"
+                          className="h-8 gap-1.5 text-xs text-destructive hover:text-destructive"
+                          onClick={() => confirmDelete(conn)}
+                        >
+                          <Trash2 className="h-3.5 w-3.5" />
+                          Delete
+                        </Button>
+                      </div>
+                    </CardContent>
+                  </Card>
+                );
+              })}
+            </div>
+          )}
+        </div>
+
+        {/* ── Two-column bottom: Setup Instructions + Info Sidebar ── */}
+        <div className="grid grid-cols-1 lg:grid-cols-5 gap-6">
+          {/* Left column: Setup Instructions */}
+          {hasSetupSections && (
+            <div className="lg:col-span-3">
+              <Card>
+                <CardHeader>
+                  <CardTitle className="text-lg">Setup</CardTitle>
+                  <CardDescription>
+                    Choose a scenario that matches your environment.
+                  </CardDescription>
+                </CardHeader>
+                <CardContent>
+                  <Tabs
+                    defaultValue={catalogEntry!.setupInstructions.sections[0]?.scenario}
+                    className="w-full"
+                  >
+                    <TabsList className="w-full h-auto flex-wrap">
+                      {catalogEntry!.setupInstructions.sections.map((section) => (
+                        <TabsTrigger
+                          key={section.scenario}
+                          value={section.scenario}
+                          className="flex-1 text-xs"
+                        >
+                          {section.title}
+                        </TabsTrigger>
+                      ))}
+                    </TabsList>
+
+                    {catalogEntry!.setupInstructions.sections.map((section) => (
+                      <TabsContent key={section.scenario} value={section.scenario} className="mt-4">
+                        <ol className="space-y-3">
+                          {section.steps.map((step, stepIdx) => (
+                            <li
+                              key={stepIdx}
+                              className="flex gap-3 text-sm text-muted-foreground leading-relaxed"
+                            >
+                              <span className="flex h-6 w-6 shrink-0 items-center justify-center rounded-full bg-primary/10 text-xs font-semibold text-primary">
+                                {stepIdx + 1}
+                              </span>
+                              <span className="pt-0.5">{renderStepText(step)}</span>
+                            </li>
+                          ))}
+                        </ol>
+                      </TabsContent>
+                    ))}
+                  </Tabs>
+                </CardContent>
+              </Card>
+            </div>
+          )}
+
+          {/* Right column: Info Sidebar */}
+          <div className={hasSetupSections ? 'lg:col-span-2' : 'lg:col-span-5'}>
+            <div className="space-y-4">
+              {/* Documentation link */}
+              {catalogEntry?.docsUrl && (
+                <Card>
+                  <CardContent className="p-4">
+                    <a
+                      href={catalogEntry.docsUrl}
+                      target="_blank"
+                      rel="noopener noreferrer"
+                      className="flex items-center gap-3 text-sm font-medium text-primary hover:underline"
+                    >
+                      <ExternalLink className="h-4 w-4 flex-shrink-0" />
+                      View {catalogEntry.name} Documentation
+                    </a>
+                  </CardContent>
+                </Card>
+              )}
+
+              {/* Connection stats */}
+              <Card>
+                <CardContent className="p-4 space-y-3">
+                  <h3 className="text-sm font-semibold">Connection Summary</h3>
+                  <div className="grid grid-cols-2 gap-3">
+                    <div className="rounded-md bg-muted/50 p-3 text-center">
+                      <p className="text-2xl font-bold">{connections.length}</p>
+                      <p className="text-xs text-muted-foreground">Total</p>
+                    </div>
+                    <div className="rounded-md bg-muted/50 p-3 text-center">
+                      <p className="text-2xl font-bold text-emerald-600 dark:text-emerald-400">
+                        {healthyCount}
+                      </p>
+                      <p className="text-xs text-muted-foreground">Healthy</p>
+                    </div>
+                  </div>
+                </CardContent>
+              </Card>
+
+              {/* Auth methods */}
+              {catalogEntry?.authMethods && catalogEntry.authMethods.length > 0 && (
+                <Card>
+                  <CardContent className="p-4 space-y-3">
+                    <h3 className="text-sm font-semibold">Supported Auth Methods</h3>
+                    <div className="flex flex-wrap gap-2">
+                      {catalogEntry.authMethods.map((method) => (
+                        <Badge key={method.type} variant="secondary" className="gap-1.5">
+                          <Shield className="h-3 w-3" />
+                          {method.label}
+                        </Badge>
+                      ))}
+                    </div>
+                  </CardContent>
+                </Card>
+              )}
+            </div>
+          </div>
+        </div>
+      </div>
+
+      {/* Delete confirmation dialog */}
+      <Dialog open={deleteDialogOpen} onOpenChange={setDeleteDialogOpen}>
+        <DialogContent className="max-w-sm">
+          <DialogHeader>
+            <DialogTitle>Delete Connection</DialogTitle>
+            <DialogDescription>
+              Are you sure you want to delete &quot;{deleteTarget?.displayName}&quot;? This action
+              cannot be undone. Any workflows using this connection will stop working.
+            </DialogDescription>
+          </DialogHeader>
+          <DialogFooter className="gap-2">
+            <Button
+              variant="outline"
+              onClick={() => setDeleteDialogOpen(false)}
+              disabled={deleting}
+            >
+              Cancel
+            </Button>
+            <Button variant="destructive" onClick={handleDelete} disabled={deleting}>
+              {deleting ? (
+                <>
+                  <Loader2 className="mr-2 h-4 w-4 animate-spin" />
+                  Deleting...
+                </>
+              ) : (
+                'Delete'
+              )}
+            </Button>
+          </DialogFooter>
+        </DialogContent>
+      </Dialog>
+    </div>
+  );
+}
diff --git a/frontend/src/pages/IntegrationsManager.tsx b/frontend/src/pages/IntegrationsManager.tsx
index b7d2c6ae..3ca79ca8 100644
--- a/frontend/src/pages/IntegrationsManager.tsx
+++ b/frontend/src/pages/IntegrationsManager.tsx
@@ -1,887 +1,249 @@
-import { useEffect, useMemo, useState } from 'react';
-import { useLocation, useNavigate } from 'react-router-dom';
+import { useEffect, useMemo } from 'react';
+import { useNavigate } from 'react-router-dom';
+import { ArrowRight, Plug, CheckCircle2, Circle } from 'lucide-react';
 import { Badge } from '@/components/ui/badge';
-import { Button } from '@/components/ui/button';
-import {
-  Dialog,
-  DialogContent,
-  DialogDescription,
-  DialogFooter,
-  DialogHeader,
-  DialogTitle,
-} from '@/components/ui/dialog';
-import { Input } from '@/components/ui/input';
-import { Label } from '@/components/ui/label';
-import { useToast } from '@/components/ui/use-toast';
-import {
-  AlertCircle,
-  Check,
-  Copy,
-  KeyRound,
-  Loader2,
-  ExternalLink,
-  Plug,
-  RefreshCcw,
-  Trash2,
-} from 'lucide-react';
-
-import type { components } from '@shipsec/backend-client';
+import { Skeleton } from '@/components/ui/skeleton';
 import { useIntegrationStore } from '@/store/integrationStore';
-import { getCurrentUserId } from '@/lib/currentUser';
-import { api } from '@/services/api';
-import { env } from '@/config/env';
-
-type IntegrationProvider = components['schemas']['IntegrationProviderResponse'];
-type IntegrationConnection = components['schemas']['IntegrationConnectionResponse'];
-
-function formatTimestamp(iso: string | null | undefined): string {
-  if (!iso) {
-    return '—';
-  }
-
-  try {
-    return new Intl.DateTimeFormat('en-US', {
-      month: 'short',
-      day: 'numeric',
-      year: 'numeric',
-      hour: '2-digit',
-      minute: '2-digit',
-    }).format(new Date(iso));
-  } catch (error) {
-    console.error('Failed to format timestamp', error);
-    return iso;
+import { cn } from '@/lib/utils';
+
+/** Static metadata for the two D5 providers (AWS + Slack). */
+const PROVIDER_META: Record<
+  string,
+  {
+    logo: string;
+    route: string;
+    gradient: string;
+    borderAccent: string;
+    badgeClass: string;
+    category: string;
   }
-}
-
-function getProviderConnection(
-  providerId: string,
-  connectionMap: Map<string, IntegrationConnection>,
-): IntegrationConnection | undefined {
-  return connectionMap.get(providerId);
-}
+> = {
+  aws: {
+    logo: '/icons/aws.png',
+    route: '/integrations/aws',
+    gradient: '',
+    borderAccent: 'hover:border-orange-300 dark:hover:border-orange-700',
+    badgeClass: 'bg-orange-100 text-orange-700 dark:bg-orange-900/30 dark:text-orange-400',
+    category: 'Cloud Security',
+  },
+  slack: {
+    logo: '/icons/slack.svg',
+    route: '/integrations/slack',
+    gradient: 'from-purple-50 to-pink-50 dark:from-purple-950/20 dark:to-pink-950/20',
+    borderAccent: 'hover:border-purple-300 dark:hover:border-purple-700',
+    badgeClass: 'bg-purple-100 text-purple-700 dark:bg-purple-900/30 dark:text-purple-400',
+    category: 'Notifications',
+  },
+};
+
+/** IDs of the providers shown on this page, in display order. */
+const VISIBLE_PROVIDERS = ['aws', 'slack'] as const;
 
 export function IntegrationsManager() {
   const navigate = useNavigate();
-  const location = useLocation();
-  const userId = getCurrentUserId();
+
   const {
-    providers,
-    connections,
-    fetchProviders,
-    fetchConnections,
-    refreshConnection,
-    disconnect,
-    upsertConnection,
-    error,
-    resetError,
-    loadingProviders,
-    loadingConnections,
+    catalog,
+    orgConnections,
+    fetchCatalog,
+    fetchOrgConnections,
+    loadingCatalog,
+    loadingOrgConnections,
   } = useIntegrationStore();
-  const { toast } = useToast();
-
-  const [configProvider, setConfigProvider] = useState<IntegrationProvider | null>(null);
-  const [connectingProvider, setConnectingProvider] = useState<string | null>(null);
-  const [refreshingConnectionId, setRefreshingConnectionId] = useState<string | null>(null);
-  const [deletingConnectionId, setDeletingConnectionId] = useState<string | null>(null);
-  const [customScopes, setCustomScopes] = useState<Record<string, string>>({});
 
   useEffect(() => {
-    fetchProviders().catch((err) => {
-      console.error('Failed to load providers', err);
-    });
-  }, [fetchProviders]);
+    fetchCatalog();
+    fetchOrgConnections();
+  }, [fetchCatalog, fetchOrgConnections]);
 
-  useEffect(() => {
-    fetchConnections(userId).catch((err) => {
-      console.error('Failed to load integrations', err);
-    });
-  }, [fetchConnections, userId]);
-
-  useEffect(() => {
-    if (!error) {
-      return;
+  /** Map provider id -> number of org-scoped connections. */
+  const connectionCounts = useMemo(() => {
+    const counts = new Map<string, number>();
+    for (const conn of orgConnections) {
+      counts.set(conn.provider, (counts.get(conn.provider) ?? 0) + 1);
     }
+    return counts;
+  }, [orgConnections]);
 
-    toast({
-      title: 'Integration error',
-      description: error,
-      variant: 'destructive',
-    });
-  }, [error, toast]);
-
-  useEffect(() => {
-    const params = new URLSearchParams(location.search);
-    const connectedProvider = params.get('connected');
-    if (connectedProvider) {
-      toast({
-        title: 'Connection established',
-        description: `Successfully connected to ${connectedProvider}.`,
-      });
-      params.delete('connected');
-      navigate({ pathname: location.pathname, search: params.toString() }, { replace: true });
-    }
-  }, [location.pathname, location.search, navigate, toast]);
-
-  const connectionByProvider = useMemo(() => {
-    return new Map(connections.map((connection) => [connection.provider, connection]));
-  }, [connections]);
-
-  const parseAdditionalScopes = (input: string | undefined): string[] => {
-    if (!input) {
-      return [];
-    }
-    return Array.from(
-      new Set(
-        input
-          .split(/[\s,]+/)
-          .map((scope) => scope.trim())
-          .filter(Boolean),
-      ),
-    );
-  };
+  /** Catalog entries keyed by id for quick lookup. */
+  const catalogById = useMemo(() => {
+    return new Map(catalog.map((entry) => [entry.id, entry]));
+  }, [catalog]);
 
-  const buildRequestedScopes = (provider: IntegrationProvider): string[] => {
-    const baseScopes = provider.defaultScopes ?? [];
-    const extraScopes = parseAdditionalScopes(customScopes[provider.id]);
-    return Array.from(new Set([...baseScopes, ...extraScopes]));
-  };
-
-  const handleConnect = async (provider: IntegrationProvider) => {
-    resetError();
-
-    if (!provider.isConfigured) {
-      setConfigProvider(provider);
-      return;
-    }
-
-    setConnectingProvider(provider.id);
-    try {
-      const redirectUri = `${window.location.origin}/integrations/callback/${provider.id}`;
-      const response = await api.integrations.startOAuth(provider.id, {
-        userId,
-        redirectUri,
-        scopes: buildRequestedScopes(provider),
-      });
-      window.location.href = response.authorizationUrl;
-    } catch (err) {
-      const message = err instanceof Error ? err.message : 'Failed to start OAuth session';
-      toast({
-        title: 'Could not start OAuth flow',
-        description: message,
-        variant: 'destructive',
-      });
-    } finally {
-      setConnectingProvider(null);
-    }
-  };
-
-  const handleConfigureProvider = (provider: IntegrationProvider) => {
-    resetError();
-    setConfigProvider(provider);
-  };
-
-  const handleRefresh = async (connection: IntegrationConnection) => {
-    resetError();
-    setRefreshingConnectionId(connection.id);
-    try {
-      await refreshConnection(connection.id, userId);
-      toast({
-        title: 'Token refreshed',
-        description: `${connection.providerName} token has been refreshed.`,
-      });
-    } catch (err) {
-      const message = err instanceof Error ? err.message : 'Failed to refresh token';
-      toast({
-        title: 'Refresh failed',
-        description: message,
-        variant: 'destructive',
-      });
-    } finally {
-      setRefreshingConnectionId(null);
-    }
-  };
-
-  const handleDisconnect = async (connection: IntegrationConnection) => {
-    resetError();
-    setDeletingConnectionId(connection.id);
-    try {
-      await disconnect(connection.id, userId);
-      toast({
-        title: 'Connection removed',
-        description: `${connection.providerName} credentials have been deleted.`,
-      });
-    } catch (err) {
-      const message = err instanceof Error ? err.message : 'Failed to disconnect';
-      toast({
-        title: 'Disconnect failed',
-        description: message,
-        variant: 'destructive',
-      });
-    } finally {
-      setDeletingConnectionId(null);
-    }
-  };
-
-  const handleManualReconnect = (connection: IntegrationConnection) => {
-    const provider = providers.find((item) => item.id === connection.provider);
-    if (!provider) {
-      toast({
-        title: 'Provider unavailable',
-        description: 'The provider is no longer configured.',
-        variant: 'destructive',
-      });
-      return;
-    }
-    handleConnect(provider);
-  };
-
-  const handleProviderConfigCompleted = (
-    action: 'saved' | 'deleted',
-    provider: IntegrationProvider,
-  ) => {
-    setConfigProvider(null);
-
-    fetchProviders().catch((err) => {
-      console.error('Failed to refresh providers', err);
-    });
-
-    const title =
-      action === 'saved'
-        ? `${provider.name} credentials saved`
-        : `${provider.name} credentials removed`;
-    const description =
-      action === 'saved'
-        ? 'You can now start a new OAuth flow for this provider.'
-        : 'The provider will now rely on environment credentials if available.';
-
-    toast({
-      title,
-      description,
-    });
-  };
-
-  const handleConnectionComplete = (connection: IntegrationConnection) => {
-    upsertConnection(connection);
-    toast({
-      title: `${connection.providerName} connected`,
-      description: 'Credentials stored successfully.',
-    });
-  };
+  const isLoading = loadingCatalog || loadingOrgConnections;
 
   return (
     <div className="flex-1 bg-background">
-      <div className="container mx-auto py-8 px-4">
-        <div className="mb-8">
-          <p className="text-muted-foreground">
-            Manage OAuth tokens for external providers. Connections are encrypted and can be
-            refreshed or revoked at any time.
-          </p>
-        </div>
-
-        <section className="mb-10">
-          <div className="flex items-center justify-between mb-4">
-            <div>
-              <h2 className="text-lg font-semibold">Active connections</h2>
-              <p className="text-sm text-muted-foreground">
-                Tokens are refreshed automatically when possible. You can also refresh or disconnect
-                manually.
-              </p>
-            </div>
-          </div>
-
-          {connections.length === 0 ? (
-            <div className="border rounded-lg p-6 text-center bg-muted/30">
-              <AlertCircle className="h-10 w-10 mx-auto mb-3 text-muted-foreground" />
-              <h3 className="text-lg font-medium">No active connections yet</h3>
-              <p className="text-sm text-muted-foreground">
-                Connect a provider below to start using OAuth-protected APIs in your workflows.
-              </p>
+      <div className="container mx-auto py-10 px-6 max-w-5xl">
+        {/* Page header */}
+        <div className="mb-10">
+          <div className="flex items-center gap-3 mb-3">
+            <div className="flex h-10 w-10 items-center justify-center rounded-xl bg-primary/10">
+              <Plug className="h-5 w-5 text-primary" />
             </div>
-          ) : (
-            <div className="overflow-x-auto border rounded-lg">
-              <table className="min-w-full divide-y divide-border text-sm">
-                <thead className="bg-muted/40">
-                  <tr>
-                    <th className="px-4 py-3 text-left font-medium text-muted-foreground">
-                      Provider
-                    </th>
-                    <th className="px-4 py-3 text-left font-medium text-muted-foreground">
-                      Status
-                    </th>
-                    <th className="px-4 py-3 text-left font-medium text-muted-foreground">
-                      Scopes
-                    </th>
-                    <th className="px-4 py-3 text-left font-medium text-muted-foreground">
-                      Expires
-                    </th>
-                    <th className="px-4 py-3 text-right font-medium text-muted-foreground">
-                      Actions
-                    </th>
-                  </tr>
-                </thead>
-                <tbody className="divide-y divide-border">
-                  {connections.map((connection) => {
-                    const isRefreshing = refreshingConnectionId === connection.id;
-                    const isDeleting = deletingConnectionId === connection.id;
-                    const provider = providers.find((item) => item.id === connection.provider);
-                    const canRefresh = connection.supportsRefresh && connection.hasRefreshToken;
-
-                    return (
-                      <tr key={connection.id} className="bg-background">
-                        <td className="px-4 py-3">
-                          <div className="font-medium">{connection.providerName}</div>
-                          <div className="text-xs text-muted-foreground">{connection.userId}</div>
-                        </td>
-                        <td className="px-4 py-3 whitespace-nowrap">
-                          <Badge
-                            variant={connection.status === 'active' ? 'secondary' : 'destructive'}
-                            className="uppercase tracking-wide"
-                          >
-                            {connection.status}
-                          </Badge>
-                        </td>
-                        <td className="px-4 py-3">
-                          <div className="flex flex-wrap gap-2">
-                            {connection.scopes.map((scope) => (
-                              <Badge key={scope} variant="outline" className="text-[11px]">
-                                {scope}
-                              </Badge>
-                            ))}
-                            {connection.scopes.length === 0 && (
-                              <span className="text-xs text-muted-foreground">(none)</span>
-                            )}
-                          </div>
-                        </td>
-                        <td className="px-4 py-3 whitespace-nowrap text-sm text-muted-foreground">
-                          {formatTimestamp(connection.expiresAt ?? null)}
-                        </td>
-                        <td className="px-4 py-3 text-right">
-                          <div className="flex items-center justify-end gap-2">
-                            <Button
-                              variant="ghost"
-                              size="sm"
-                              className="gap-2"
-                              disabled={isRefreshing || !canRefresh}
-                              onClick={() => handleRefresh(connection)}
-                            >
-                              <RefreshCcw className="h-4 w-4" />
-                              {isRefreshing ? 'Refreshing…' : 'Refresh'}
-                            </Button>
-                            <Button
-                              variant="ghost"
-                              size="sm"
-                              className="gap-2"
-                              disabled={isDeleting}
-                              onClick={() => handleDisconnect(connection)}
-                            >
-                              <Trash2 className="h-4 w-4" />
-                              {isDeleting ? 'Removing…' : 'Remove'}
-                            </Button>
-                            <Button
-                              variant="outline"
-                              size="sm"
-                              className="gap-2"
-                              onClick={() => handleManualReconnect(connection)}
-                              disabled={
-                                connectingProvider === connection.provider ||
-                                !provider?.isConfigured
-                              }
-                            >
-                              <Plug className="h-4 w-4" />
-                              Reconnect
-                            </Button>
-                          </div>
-                        </td>
-                      </tr>
-                    );
-                  })}
-                </tbody>
-              </table>
-            </div>
-          )}
-        </section>
-
-        <section>
-          <div className="flex items-center justify-between mb-4">
             <div>
-              <h2 className="text-lg font-semibold">Available providers</h2>
-              <p className="text-sm text-muted-foreground">
-                Connect a provider to issue OAuth tokens and reuse them across your workflows.
+              <h1 className="text-2xl font-bold tracking-tight">Integrations</h1>
+              <p className="text-sm text-muted-foreground mt-0.5">
+                Connect external services to enable cloud security scanning, notifications, and
+                more.
               </p>
             </div>
           </div>
+        </div>
 
-          <div className="grid grid-cols-1 md:grid-cols-2 gap-4">
-            {providers.map((provider) => {
-              const connection = getProviderConnection(provider.id, connectionByProvider);
-              const isConnecting = connectingProvider === provider.id;
-              const requestedScopes = buildRequestedScopes(provider);
-              const additionalScopesValue = customScopes[provider.id] ?? '';
-              const configuredBadge = provider.isConfigured ? (
-                <Badge variant="secondary">Configured</Badge>
-              ) : (
-                <Badge variant="outline">Setup required</Badge>
-              );
-
-              // Get colored logo URL using Logo.dev (recommended alternative to Clearbit Logo API)
-              // Reference: https://clearbit.com/blog/the-future-of-clearbits-free-tools
-              const getLogoUrl = (providerId: string) => {
-                // Map provider IDs to domain names for Logo.dev
-                const domainMap: Record<string, string> = {
-                  github: 'github.com',
-                  zoom: 'zoom.us',
-                  // Add more providers as needed: 'provider-id': 'domain.com'
-                };
-
-                const domain = domainMap[providerId.toLowerCase()];
-                if (!domain) return null;
-
-                // Logo.dev provides colored brand logos via CDN (free alternative to Clearbit)
-                // Read public key from environment variable
-                return `https://img.logo.dev/${domain}?token=${env.VITE_LOGO_DEV_PUBLIC_KEY}`;
-              };
+        {/* Loading skeleton */}
+        {isLoading && (
+          <div className="grid grid-cols-1 md:grid-cols-2 gap-5">
+            {VISIBLE_PROVIDERS.map((id) => (
+              <div key={id} className="rounded-xl border bg-card p-6 space-y-4">
+                <div className="flex items-start gap-4">
+                  <Skeleton className="h-14 w-14 rounded-xl flex-shrink-0" />
+                  <div className="space-y-2 flex-1">
+                    <Skeleton className="h-5 w-40" />
+                    <Skeleton className="h-4 w-full" />
+                    <Skeleton className="h-4 w-3/4" />
+                  </div>
+                </div>
+                <div className="flex items-center justify-between pt-2">
+                  <Skeleton className="h-6 w-28" />
+                  <Skeleton className="h-9 w-24" />
+                </div>
+              </div>
+            ))}
+          </div>
+        )}
 
-              const logoUrl = getLogoUrl(provider.id);
+        {/* Provider cards */}
+        {!isLoading && (
+          <div className="grid grid-cols-1 md:grid-cols-2 gap-5">
+            {VISIBLE_PROVIDERS.map((providerId) => {
+              const meta = PROVIDER_META[providerId];
+              const entry = catalogById.get(providerId);
+              const count = connectionCounts.get(providerId) ?? 0;
+              const isConnected = count > 0;
 
               return (
                 <div
-                  key={provider.id}
-                  className="border rounded-lg p-5 bg-card flex flex-col gap-4 relative"
+                  key={providerId}
+                  className={cn(
+                    'group relative rounded-xl border bg-card transition-all duration-200 cursor-pointer',
+                    'hover:shadow-lg hover:-translate-y-0.5',
+                    meta.borderAccent,
+                  )}
+                  onClick={() => navigate(meta.route)}
                 >
-                  <div className="flex items-start justify-between gap-4">
-                    <div className="flex items-start gap-3">
-                      {logoUrl && (
-                        <div className="h-10 w-10 flex-shrink-0 rounded-full bg-white dark:bg-muted flex items-center justify-center p-1.5 mt-0.5 border border-border/50 shadow-sm">
+                  {/* Gradient accent top bar */}
+                  <div
+                    className={cn(
+                      'absolute inset-x-0 top-0 h-1 rounded-t-xl bg-gradient-to-r opacity-0 group-hover:opacity-100 transition-opacity',
+                      meta.gradient.replace('from-', 'from-').replace('dark:', ''),
+                    )}
+                    style={{
+                      background:
+                        providerId === 'aws'
+                          ? 'linear-gradient(to right, #f97316, #f59e0b)'
+                          : 'linear-gradient(to right, #a855f7, #ec4899)',
+                    }}
+                  />
+
+                  <div className="p-6 flex flex-col h-full">
+                    {/* Logo + Info */}
+                    <div className="flex items-start gap-4 flex-1">
+                      {meta.gradient ? (
+                        <div
+                          className={cn(
+                            'flex h-14 w-14 items-center justify-center rounded-xl bg-gradient-to-br flex-shrink-0 p-2.5',
+                            meta.gradient,
+                          )}
+                        >
                           <img
-                            src={logoUrl}
-                            alt={`${provider.name} logo`}
-                            className="h-full w-full object-contain rounded-full"
-                            onError={(e) => {
-                              // Hide logo container if image fails to load
-                              e.currentTarget.parentElement!.style.display = 'none';
-                            }}
+                            src={meta.logo}
+                            alt={entry?.name ?? providerId}
+                            className="h-full w-full object-contain"
                           />
                         </div>
+                      ) : (
+                        <img
+                          src={meta.logo}
+                          alt={entry?.name ?? providerId}
+                          className="h-14 w-14 rounded-xl object-cover flex-shrink-0"
+                        />
                       )}
-                      <div>
-                        <h3 className="text-lg font-semibold">{provider.name}</h3>
-                        <p className="text-sm text-muted-foreground">{provider.description}</p>
+                      <div className="flex-1 min-w-0">
+                        <div className="flex items-center gap-2">
+                          <h3 className="text-lg font-semibold tracking-tight">
+                            {entry?.name ?? providerId.toUpperCase()}
+                          </h3>
+                        </div>
+                        <p className="text-sm text-muted-foreground mt-1 leading-relaxed">
+                          {entry?.description ?? 'Integration provider'}
+                        </p>
                       </div>
                     </div>
-                    {configuredBadge}
-                  </div>
-
-                  <div className="flex flex-wrap gap-2 text-xs text-muted-foreground">
-                    {requestedScopes.map((scope) => (
-                      <Badge key={scope} variant="outline" className="text-[11px]">
-                        {scope}
-                      </Badge>
-                    ))}
-                  </div>
 
-                  <div className="space-y-2">
-                    <Label
-                      htmlFor={`additional-scopes-${provider.id}`}
-                      className="text-xs font-medium"
-                    >
-                      Additional scopes
-                    </Label>
-                    <Input
-                      id={`additional-scopes-${provider.id}`}
-                      value={additionalScopesValue}
-                      placeholder="repo delete_repo"
-                      onKeyDown={(event) => {
-                        if (event.key === 'Enter') {
-                          event.preventDefault();
-                          const normalized = parseAdditionalScopes(additionalScopesValue);
-                          if (normalized.length > 0) {
-                            setCustomScopes((prev) => ({
-                              ...prev,
-                              [provider.id]: normalized.join(' '),
-                            }));
-                            toast({
-                              title: 'Scopes added',
-                              description: `Queued ${normalized.join(', ')} for next connection attempt.`,
-                            });
-                          }
-                        }
-                      }}
-                      onChange={(event) =>
-                        setCustomScopes((prev) => ({
-                          ...prev,
-                          [provider.id]: event.target.value,
-                        }))
-                      }
-                    />
-                    <p className="text-xs text-muted-foreground">
-                      Separate scopes with spaces or commas. Press Enter to normalize them. Default
-                      scopes stay included automatically.
-                    </p>
-                  </div>
-
-                  {connection ? (
-                    <p className="text-xs text-muted-foreground">
-                      Last updated {formatTimestamp(connection.updatedAt)}
-                    </p>
-                  ) : (
-                    <p className="text-xs text-muted-foreground">
-                      No active token stored for this provider.
-                    </p>
-                  )}
-
-                  <div className="flex items-center gap-2 mt-auto">
-                    <Button
-                      onClick={() => handleConnect(provider)}
-                      disabled={isConnecting}
-                      className="gap-2"
-                    >
-                      <Plug className="h-4 w-4" />
-                      {isConnecting ? 'Starting…' : connection ? 'Reconnect' : 'Connect'}
-                    </Button>
-                    <Button
-                      variant="outline"
-                      size="sm"
-                      className="gap-2"
-                      disabled={isConnecting}
-                      onClick={() => handleConfigureProvider(provider)}
-                    >
-                      <KeyRound className="h-4 w-4" />
-                      Manage credentials
-                    </Button>
+                    {/* Status + Action */}
+                    <div className="flex items-center justify-between mt-5 pt-4 border-t border-border/50 mt-auto">
+                      <div className="flex items-center gap-2">
+                        {isConnected ? (
+                          <>
+                            <CheckCircle2 className="h-4 w-4 text-emerald-500" />
+                            <Badge
+                              variant="secondary"
+                              className="bg-emerald-100 text-emerald-700 dark:bg-emerald-900/30 dark:text-emerald-400 border-0 font-medium"
+                            >
+                              {count} {count === 1 ? 'connection' : 'connections'}
+                            </Badge>
+                          </>
+                        ) : (
+                          <>
+                            <Circle className="h-4 w-4 text-muted-foreground/40" />
+                            <span className="text-sm text-muted-foreground">Not configured</span>
+                          </>
+                        )}
+                      </div>
+                      <div className="flex items-center gap-1.5 text-sm font-medium text-primary opacity-0 group-hover:opacity-100 transition-opacity">
+                        Configure
+                        <ArrowRight className="h-4 w-4 transition-transform group-hover:translate-x-0.5" />
+                      </div>
+                    </div>
                   </div>
-
-                  {/* Docs button - absolute bottom right */}
-                  {provider.docsUrl && (
-                    <Button
-                      variant="ghost"
-                      size="sm"
-                      className="absolute bottom-2 right-2 h-8 w-8 p-0"
-                      onClick={() => window.open(provider.docsUrl, '_blank', 'noopener noreferrer')}
-                      title="View documentation"
-                    >
-                      <ExternalLink className="h-4 w-4" />
-                    </Button>
-                  )}
                 </div>
               );
             })}
           </div>
-
-          {(loadingProviders || loadingConnections) && (
-            <p className="text-sm text-muted-foreground mt-4">Loading provider catalog…</p>
-          )}
-        </section>
-      </div>
-
-      <ProviderConfigDialog
-        provider={configProvider}
-        open={configProvider !== null}
-        onClose={() => setConfigProvider(null)}
-        onCompleted={handleProviderConfigCompleted}
-      />
-
-      {/* Hidden portal slot to inject new connections from callback */}
-      <IntegrationCallbackBridge onConnected={handleConnectionComplete} />
-    </div>
-  );
-}
-
-interface ProviderConfigDialogProps {
-  provider: IntegrationProvider | null;
-  open: boolean;
-  onClose: () => void;
-  onCompleted: (action: 'saved' | 'deleted', provider: IntegrationProvider) => void;
-}
-
-function ProviderConfigDialog({ provider, open, onClose, onCompleted }: ProviderConfigDialogProps) {
-  const [loading, setLoading] = useState(false);
-  const [saving, setSaving] = useState(false);
-  const [clientId, setClientId] = useState('');
-  const [clientSecret, setClientSecret] = useState('');
-  const [hasStoredSecret, setHasStoredSecret] = useState(false);
-  const [configuredBy, setConfiguredBy] = useState<'environment' | 'user'>('user');
-  const [updatedAt, setUpdatedAt] = useState<string | null>(null);
-  const [error, setError] = useState<string | null>(null);
-  const [copiedRedirect, setCopiedRedirect] = useState(false);
-
-  const callbackUrl = provider
-    ? `${window.location.origin}/integrations/callback/${provider.id}`
-    : '';
-
-  useEffect(() => {
-    if (!open) {
-      setClientSecret('');
-      setError(null);
-      setCopiedRedirect(false);
-      return;
-    }
-
-    if (!provider) {
-      return;
-    }
-
-    let cancelled = false;
-    setLoading(true);
-    setError(null);
-    setClientId('');
-    setClientSecret('');
-    setHasStoredSecret(false);
-    setConfiguredBy('user');
-    setUpdatedAt(null);
-
-    api.integrations
-      .getProviderConfig(provider.id)
-      .then((config) => {
-        if (cancelled) {
-          return;
-        }
-        setClientId(config.clientId ?? '');
-        setHasStoredSecret(config.hasClientSecret);
-        setConfiguredBy(config.configuredBy);
-        setUpdatedAt(config.updatedAt ?? null);
-      })
-      .catch((err) => {
-        if (cancelled) {
-          return;
-        }
-        const message =
-          err instanceof Error ? err.message : 'Failed to load provider configuration.';
-        setError(message);
-      })
-      .finally(() => {
-        if (!cancelled) {
-          setLoading(false);
-        }
-      });
-
-    return () => {
-      cancelled = true;
-    };
-  }, [open, provider?.id]);
-
-  useEffect(() => {
-    setCopiedRedirect(false);
-  }, [callbackUrl]);
-
-  const handleDialogOpenChange = (nextOpen: boolean) => {
-    if (!nextOpen) {
-      onClose();
-    }
-  };
-
-  const handleSubmit = async (event: React.FormEvent<HTMLFormElement>) => {
-    event.preventDefault();
-    if (!provider) {
-      return;
-    }
-
-    const trimmedClientId = clientId.trim();
-    const trimmedSecret = clientSecret.trim();
-
-    if (trimmedClientId.length === 0) {
-      setError('Client ID is required.');
-      return;
-    }
-
-    if (!hasStoredSecret && trimmedSecret.length === 0) {
-      setError('Client secret is required.');
-      return;
-    }
-
-    setSaving(true);
-    setError(null);
-    try {
-      await api.integrations.upsertProviderConfig(provider.id, {
-        clientId: trimmedClientId,
-        ...(trimmedSecret.length > 0 ? { clientSecret: trimmedSecret } : {}),
-      });
-      onCompleted('saved', provider);
-    } catch (err) {
-      const message = err instanceof Error ? err.message : 'Failed to save provider credentials.';
-      setError(message);
-    } finally {
-      setSaving(false);
-    }
-  };
-
-  const handleRemove = async () => {
-    if (!provider) {
-      return;
-    }
-
-    setSaving(true);
-    setError(null);
-    try {
-      await api.integrations.deleteProviderConfig(provider.id);
-      onCompleted('deleted', provider);
-    } catch (err) {
-      const message = err instanceof Error ? err.message : 'Failed to remove stored credentials.';
-      setError(message);
-      setSaving(false);
-    }
-  };
-
-  const canRemove = configuredBy === 'user' && hasStoredSecret;
-  const isBusy = loading || saving;
-
-  const handleCopyRedirect = async () => {
-    if (!callbackUrl) {
-      return;
-    }
-
-    try {
-      await navigator.clipboard.writeText(callbackUrl);
-      setCopiedRedirect(true);
-      setTimeout(() => setCopiedRedirect(false), 2000);
-    } catch (err) {
-      console.error('Failed to copy redirect URL', err);
-      setError('Unable to copy redirect URL. Please copy it manually.');
-    }
-  };
-
-  return (
-    <Dialog open={open} onOpenChange={handleDialogOpenChange}>
-      <DialogContent className="max-w-lg">
-        <DialogHeader>
-          <DialogTitle>
-            {provider ? `Configure ${provider.name}` : 'Configure provider'}
-          </DialogTitle>
-          <DialogDescription>
-            Provide the OAuth client credentials required to start authorization flows for this
-            provider.
-          </DialogDescription>
-        </DialogHeader>
-
-        <form onSubmit={handleSubmit} className="space-y-4">
-          {configuredBy === 'environment' && (
-            <p className="text-xs text-muted-foreground">
-              This provider currently uses credentials from the server environment. Saving values
-              here will override them for ShipSec Studio.
-            </p>
-          )}
-
-          {loading && (
-            <p className="flex items-center gap-2 text-xs text-muted-foreground">
-              <Loader2 className="h-3.5 w-3.5 animate-spin" />
-              Loading current configuration…
-            </p>
-          )}
-
-          {updatedAt && (
-            <p className="text-xs text-muted-foreground">
-              Last updated {formatTimestamp(updatedAt)}
-            </p>
-          )}
-
-          <div className="space-y-2">
-            <Label htmlFor="provider-client-id">OAuth client ID</Label>
-            <Input
-              id="provider-client-id"
-              value={clientId}
-              onChange={(event) => setClientId(event.target.value)}
-              placeholder="e.g. github-client-id"
-              autoComplete="off"
-              disabled={isBusy}
-            />
-          </div>
-
-          <div className="space-y-2">
-            <Label htmlFor="provider-client-secret">OAuth client secret</Label>
-            <Input
-              id="provider-client-secret"
-              value={clientSecret}
-              onChange={(event) => setClientSecret(event.target.value)}
-              placeholder={
-                hasStoredSecret ? 'Leave blank to keep existing secret' : 'Enter new client secret'
-              }
-              type="password"
-              autoComplete="off"
-              disabled={isBusy}
-            />
-          </div>
-
-          {callbackUrl && (
-            <div className="space-y-2">
-              <Label htmlFor="provider-callback-url">Authorized redirect URL</Label>
-              <div className="flex flex-col gap-2 sm:flex-row sm:items-center">
-                <Input
-                  id="provider-callback-url"
-                  value={callbackUrl}
-                  readOnly
-                  className="sm:flex-1"
-                />
-                <Button
-                  type="button"
-                  variant="outline"
-                  onClick={handleCopyRedirect}
-                  className="gap-2"
-                >
-                  {copiedRedirect ? <Check className="h-4 w-4" /> : <Copy className="h-4 w-4" />}
-                  {copiedRedirect ? 'Copied' : 'Copy'}
-                </Button>
-              </div>
-              <p className="text-xs text-muted-foreground">
-                Add this exact URL to the provider&apos;s allowed redirect list to avoid callback
-                warnings.
-              </p>
-            </div>
-          )}
-
-          {error && <p className="text-sm text-destructive">{error}</p>}
-
-          <DialogFooter className="gap-2 sm:justify-between sm:flex-row">
-            <div className="flex flex-col gap-2 sm:flex-row sm:items-center">
-              {canRemove && (
-                <Button
-                  type="button"
-                  variant="destructive"
-                  onClick={handleRemove}
-                  disabled={isBusy}
+        )}
+
+        {/* Coming soon section */}
+        {!isLoading && (
+          <div className="mt-12">
+            <h2 className="text-sm font-medium text-muted-foreground uppercase tracking-wider mb-4">
+              Coming Soon
+            </h2>
+            <div className="grid grid-cols-2 sm:grid-cols-3 md:grid-cols-4 gap-3">
+              {[
+                { name: 'GitHub', icon: '/icons/github.svg' },
+                { name: 'Jira', icon: '/icons/jira.svg' },
+              ].map((item) => (
+                <div
+                  key={item.name}
+                  className="flex items-center gap-3 rounded-lg border border-dashed border-border/60 bg-muted/30 p-3 opacity-50 grayscale"
                 >
-                  Remove stored credentials
-                </Button>
-              )}
-            </div>
-            <div className="flex gap-2">
-              <Button type="button" variant="outline" onClick={onClose} disabled={isBusy}>
-                Cancel
-              </Button>
-              <Button type="submit" disabled={isBusy}>
-                {saving ? (
-                  <>
-                    <Loader2 className="mr-2 h-4 w-4 animate-spin" />
-                    Saving…
-                  </>
-                ) : (
-                  'Save credentials'
-                )}
-              </Button>
+                  <div className="flex h-8 w-8 items-center justify-center rounded-lg bg-muted/50 flex-shrink-0 p-1.5">
+                    <img
+                      src={item.icon}
+                      alt={item.name}
+                      className="h-full w-full object-contain dark:invert-[0.5]"
+                    />
+                  </div>
+                  <span className="text-sm font-medium text-muted-foreground truncate">
+                    {item.name}
+                  </span>
+                </div>
+              ))}
             </div>
-          </DialogFooter>
-        </form>
-      </DialogContent>
-    </Dialog>
+          </div>
+        )}
+      </div>
+    </div>
   );
 }
-
-interface IntegrationCallbackBridgeProps {
-  onConnected: (connection: IntegrationConnection) => void;
-}
-
-function IntegrationCallbackBridge({ onConnected }: IntegrationCallbackBridgeProps) {
-  useEffect(() => {
-    const listener = (event: Event) => {
-      const detail = (event as CustomEvent<IntegrationConnection>).detail;
-      if (detail) {
-        onConnected(detail);
-      }
-    };
-
-    window.addEventListener('integration:connected', listener);
-    return () => {
-      window.removeEventListener('integration:connected', listener);
-    };
-  }, [onConnected]);
-
-  return null;
-}
diff --git a/frontend/src/services/api.ts b/frontend/src/services/api.ts
index 31f063a2..e41b5f86 100644
--- a/frontend/src/services/api.ts
+++ b/frontend/src/services/api.ts
@@ -23,10 +23,6 @@ type IntegrationProviderResponse = components['schemas']['IntegrationProviderRes
 type IntegrationConnectionResponse = components['schemas']['IntegrationConnectionResponse'];
 type ProviderConfigurationResponse = components['schemas']['ProviderConfigurationResponse'];
 type OAuthStartResponseDto = components['schemas']['OAuthStartResponseDto'];
-type StartOAuthRequest = components['schemas']['StartOAuthDto'];
-type CompleteOAuthRequest = components['schemas']['CompleteOAuthDto'];
-type RefreshConnectionRequest = components['schemas']['RefreshConnectionDto'];
-type DisconnectConnectionRequest = components['schemas']['DisconnectConnectionDto'];
 type UpsertProviderConfigRequest = components['schemas']['UpsertProviderConfigDto'];
 type WorkflowVersionResponse = components['schemas']['WorkflowVersionResponseDto'];
 type CreateScheduleRequestDto = components['schemas']['CreateScheduleRequestDto'];
@@ -55,6 +51,38 @@ export type IntegrationProvider = IntegrationProviderResponse;
 export type IntegrationConnection = IntegrationConnectionResponse;
 export type IntegrationProviderConfiguration = ProviderConfigurationResponse;
 export type OAuthStartResponse = OAuthStartResponseDto;
+
+// Catalog types (from backend integration-catalog.ts)
+export interface IntegrationCatalogEntry {
+  id: string;
+  name: string;
+  description: string;
+  docsUrl?: string;
+  iconUrl?: string;
+  authMethods: {
+    type: string;
+    label: string;
+    description: string;
+    fields: {
+      id: string;
+      label: string;
+      type: 'text' | 'password' | 'select';
+      required: boolean;
+      placeholder?: string;
+      helpText?: string;
+      options?: { label: string; value: string }[];
+    }[];
+  }[];
+  supportsMultipleConnections: boolean;
+  setupInstructions: {
+    sections: {
+      title: string;
+      authMethodType: string;
+      scenario: string;
+      steps: string[];
+    }[];
+  };
+}
 export interface ArtifactListFilters {
   workflowId?: string;
   componentId?: string;
@@ -83,7 +111,10 @@ function resolveApiBaseUrl() {
     }
   }
 
-  return 'http://localhost:3211';
+  // Default to empty string (relative URLs) so API calls go through the same
+  // origin that served the page. This avoids CORS/mixed-content issues when
+  // accessed via ngrok or custom domains (nginx proxies /api/ to the backend).
+  return '';
 }
 
 export const API_BASE_URL = resolveApiBaseUrl();
@@ -343,43 +374,187 @@ export const api = {
       return (response.data ?? []) as IntegrationProvider[];
     },
 
-    listConnections: async (userId: string): Promise<IntegrationConnection[]> => {
-      const response = await apiClient.listIntegrationConnections(userId);
-      if (response.error) throw new Error('Failed to load integrations');
-      return (response.data ?? []) as IntegrationConnection[];
+    // D16: userId is now derived from auth context server-side
+    listConnections: async (): Promise<IntegrationConnection[]> => {
+      const headers = await getAuthHeaders();
+      const res = await fetch(`${API_V1_URL}/integrations/connections`, { headers });
+      if (!res.ok) throw new Error('Failed to load integrations');
+      return res.json();
+    },
+
+    // D6/D17: org-scoped connection listing
+    listOrgConnections: async (provider?: string): Promise<IntegrationConnection[]> => {
+      const headers = await getAuthHeaders();
+      const params = provider ? `?provider=${encodeURIComponent(provider)}` : '';
+      const res = await fetch(`${API_V1_URL}/integrations/org/connections${params}`, { headers });
+      if (!res.ok) throw new Error('Failed to load org connections');
+      return res.json();
     },
 
+    // D5: Provider catalog (AWS + Slack definitions)
+    getCatalog: async (): Promise<IntegrationCatalogEntry[]> => {
+      const headers = await getAuthHeaders();
+      const res = await fetch(`${API_V1_URL}/integrations/catalog`, { headers });
+      if (!res.ok) throw new Error('Failed to load integration catalog');
+      return res.json();
+    },
+
+    // D16: userId removed from OAuth payloads
     startOAuth: async (
       providerId: string,
-      payload: StartOAuthRequest,
+      payload: { redirectUri: string; scopes?: string[] },
     ): Promise<OAuthStartResponse> => {
-      const response = await apiClient.startIntegrationOAuth(providerId, payload);
-      if (response.error || !response.data) throw new Error('Failed to start OAuth flow');
-      return response.data;
+      const headers = await getAuthHeaders();
+      const res = await fetch(
+        `${API_V1_URL}/integrations/${encodeURIComponent(providerId)}/start`,
+        {
+          method: 'POST',
+          headers: { ...headers, 'Content-Type': 'application/json' },
+          body: JSON.stringify(payload),
+        },
+      );
+      if (!res.ok) throw new Error('Failed to start OAuth flow');
+      return res.json();
     },
 
     completeOAuth: async (
       providerId: string,
-      payload: CompleteOAuthRequest,
+      payload: { redirectUri: string; state: string; code: string; scopes?: string[] },
     ): Promise<IntegrationConnection> => {
-      const response = await apiClient.completeIntegrationOAuth(providerId, payload);
-      if (response.error || !response.data) throw new Error('Failed to complete OAuth exchange');
-      return response.data;
+      const headers = await getAuthHeaders();
+      const res = await fetch(
+        `${API_V1_URL}/integrations/${encodeURIComponent(providerId)}/exchange`,
+        {
+          method: 'POST',
+          headers: { ...headers, 'Content-Type': 'application/json' },
+          body: JSON.stringify(payload),
+        },
+      );
+      if (!res.ok) throw new Error('Failed to complete OAuth exchange');
+      return res.json();
     },
 
-    refreshConnection: async (id: string, userId: string): Promise<IntegrationConnection> => {
-      const payload: RefreshConnectionRequest = { userId };
-      const response = await apiClient.refreshIntegrationConnection(id, payload);
-      if (response.error || !response.data) {
-        throw new Error('Failed to refresh integration connection');
+    // D16: userId removed, derived from auth context
+    refreshConnection: async (id: string): Promise<IntegrationConnection> => {
+      const headers = await getAuthHeaders();
+      const res = await fetch(
+        `${API_V1_URL}/integrations/connections/${encodeURIComponent(id)}/refresh`,
+        {
+          method: 'POST',
+          headers: { ...headers, 'Content-Type': 'application/json' },
+        },
+      );
+      if (!res.ok) throw new Error('Failed to refresh integration connection');
+      return res.json();
+    },
+
+    // D16: userId removed, derived from auth context
+    disconnect: async (id: string): Promise<void> => {
+      const headers = await getAuthHeaders();
+      const res = await fetch(`${API_V1_URL}/integrations/connections/${encodeURIComponent(id)}`, {
+        method: 'DELETE',
+        headers,
+      });
+      if (!res.ok) throw new Error('Failed to disconnect integration');
+    },
+
+    // AWS setup info (generates trust policy + external ID + setup token)
+    getAwsSetupInfo: async (): Promise<{
+      platformRoleArn: string;
+      externalId: string;
+      setupToken: string;
+      trustPolicyTemplate: string;
+      externalIdDisplay?: string;
+    }> => {
+      const headers = await getAuthHeaders();
+      const res = await fetch(`${API_V1_URL}/integrations/aws/setup-info`, { headers });
+      if (!res.ok) {
+        const body = await res.json().catch(() => ({}));
+        throw new Error(body.message || 'Failed to load AWS setup info');
       }
-      return response.data;
+      return res.json();
     },
 
-    disconnect: async (id: string, userId: string): Promise<void> => {
-      const payload: DisconnectConnectionRequest = { userId };
-      const response = await apiClient.disconnectIntegrationConnection(id, payload);
-      if (response.error) throw new Error('Failed to disconnect integration');
+    // AWS connection management (IAM role only)
+    createAwsConnection: async (payload: {
+      displayName: string;
+      roleArn: string;
+      region?: string;
+      externalId: string;
+      setupToken: string;
+    }): Promise<IntegrationConnection> => {
+      const headers = await getAuthHeaders();
+      const res = await fetch(`${API_V1_URL}/integrations/aws/connections`, {
+        method: 'POST',
+        headers: { ...headers, 'Content-Type': 'application/json' },
+        body: JSON.stringify(payload),
+      });
+      if (!res.ok) {
+        const err = await res.json().catch(() => ({}));
+        throw new Error(err.message || 'Failed to create AWS connection');
+      }
+      return res.json();
+    },
+
+    validateAwsConnection: async (id: string): Promise<{ valid: boolean; error?: string }> => {
+      const headers = await getAuthHeaders();
+      const res = await fetch(
+        `${API_V1_URL}/integrations/aws/connections/${encodeURIComponent(id)}/validate`,
+        {
+          method: 'POST',
+          headers: { ...headers, 'Content-Type': 'application/json' },
+        },
+      );
+      if (!res.ok) throw new Error('Failed to validate AWS connection');
+      return res.json();
+    },
+
+    discoverOrgAccounts: async (
+      id: string,
+    ): Promise<{
+      accounts: { id: string; name: string; status: string; email?: string }[];
+    }> => {
+      const headers = await getAuthHeaders();
+      const res = await fetch(
+        `${API_V1_URL}/integrations/aws/connections/${encodeURIComponent(id)}/discover-org`,
+        {
+          method: 'POST',
+          headers: { ...headers, 'Content-Type': 'application/json' },
+        },
+      );
+      if (!res.ok) throw new Error('Failed to discover AWS organization accounts');
+      return res.json();
+    },
+
+    // Slack connection management
+    createSlackWebhookConnection: async (payload: {
+      displayName: string;
+      webhookUrl: string;
+    }): Promise<IntegrationConnection> => {
+      const headers = await getAuthHeaders();
+      const res = await fetch(`${API_V1_URL}/integrations/slack/connections`, {
+        method: 'POST',
+        headers: { ...headers, 'Content-Type': 'application/json' },
+        body: JSON.stringify(payload),
+      });
+      if (!res.ok) {
+        const err = await res.json().catch(() => ({}));
+        throw new Error(err.message || 'Failed to create Slack connection');
+      }
+      return res.json();
+    },
+
+    testSlackConnection: async (id: string): Promise<{ ok: boolean; error?: string }> => {
+      const headers = await getAuthHeaders();
+      const res = await fetch(
+        `${API_V1_URL}/integrations/slack/connections/${encodeURIComponent(id)}/test`,
+        {
+          method: 'POST',
+          headers: { ...headers, 'Content-Type': 'application/json' },
+        },
+      );
+      if (!res.ok) throw new Error('Failed to test Slack connection');
+      return res.json();
     },
 
     getProviderConfig: async (providerId: string): Promise<IntegrationProviderConfiguration> => {
diff --git a/frontend/src/store/integrationStore.ts b/frontend/src/store/integrationStore.ts
index 83e363f5..0c082721 100644
--- a/frontend/src/store/integrationStore.ts
+++ b/frontend/src/store/integrationStore.ts
@@ -1,88 +1,160 @@
 import { create } from 'zustand';
-import type { components } from '@shipsec/backend-client';
 import { api } from '@/services/api';
-
-type IntegrationProvider = components['schemas']['IntegrationProviderResponse'];
-type IntegrationConnection = components['schemas']['IntegrationConnectionResponse'];
+import type { IntegrationConnection, IntegrationCatalogEntry } from '@/services/api';
 
 interface IntegrationStoreState {
-  providers: IntegrationProvider[];
   connections: IntegrationConnection[];
-  loadingProviders: boolean;
+  orgConnections: IntegrationConnection[];
+  catalog: IntegrationCatalogEntry[];
   loadingConnections: boolean;
+  loadingOrgConnections: boolean;
+  loadingCatalog: boolean;
   error: string | null;
   initialized: boolean;
+  orgInitialized: boolean;
 }
 
 interface IntegrationStoreActions {
-  fetchProviders: () => Promise<void>;
-  fetchConnections: (userId: string, force?: boolean) => Promise<void>;
-  refreshConnection: (id: string, userId: string) => Promise<IntegrationConnection>;
-  disconnect: (id: string, userId: string) => Promise<void>;
+  // D16: userId removed — derived from auth context server-side
+  fetchConnections: (force?: boolean) => Promise<void>;
+  // D6: org-scoped connection listing
+  fetchOrgConnections: (provider?: string, force?: boolean) => Promise<void>;
+  // D17: merge-and-dedup from both endpoints
+  fetchMergedConnections: () => Promise<IntegrationConnection[]>;
+  refreshConnection: (id: string) => Promise<IntegrationConnection>;
+  disconnect: (id: string) => Promise<void>;
   upsertConnection: (connection: IntegrationConnection) => void;
+  // AWS setup info
+  getAwsSetupInfo: () => Promise<{
+    platformRoleArn: string;
+    externalId: string;
+    setupToken: string;
+    trustPolicyTemplate: string;
+    externalIdDisplay?: string;
+  }>;
+  // New connection creation (IAM role only)
+  createAwsConnection: (payload: {
+    displayName: string;
+    roleArn: string;
+    region?: string;
+    externalId: string;
+    setupToken: string;
+  }) => Promise<IntegrationConnection>;
+  createSlackWebhookConnection: (payload: {
+    displayName: string;
+    webhookUrl: string;
+  }) => Promise<IntegrationConnection>;
+  validateAwsConnection: (id: string) => Promise<{ valid: boolean; error?: string }>;
+  testSlackConnection: (id: string) => Promise<{ ok: boolean; error?: string }>;
+  discoverOrgAccounts: (
+    id: string,
+  ) => Promise<{ accounts: { id: string; name: string; status: string; email?: string }[] }>;
+  fetchCatalog: () => Promise<void>;
   resetError: () => void;
 }
 
 type IntegrationStore = IntegrationStoreState & IntegrationStoreActions;
 
-function sortProviders(providers: IntegrationProvider[]) {
-  return [...providers].sort((a, b) => a.name.localeCompare(b.name));
+function sortConnections(connections: IntegrationConnection[]) {
+  return [...connections].sort((a, b) => {
+    const providerCmp = (a.providerName ?? a.provider).localeCompare(b.providerName ?? b.provider);
+    if (providerCmp !== 0) return providerCmp;
+    return (a.displayName ?? '').localeCompare(b.displayName ?? '');
+  });
 }
 
-function sortConnections(connections: IntegrationConnection[]) {
-  return [...connections].sort((a, b) => a.providerName.localeCompare(b.providerName));
+/**
+ * D17: Merge connections from user-scoped and org-scoped endpoints, dedup by id.
+ * Org-scoped takes precedence if the same id appears in both (shouldn't happen).
+ */
+function mergeAndDedup(
+  userConnections: IntegrationConnection[],
+  orgConnections: IntegrationConnection[],
+): IntegrationConnection[] {
+  const byId = new Map<string, IntegrationConnection>();
+  for (const c of userConnections) {
+    byId.set(c.id, c);
+  }
+  for (const c of orgConnections) {
+    byId.set(c.id, c); // org-scoped takes precedence
+  }
+  return sortConnections(Array.from(byId.values()));
 }
 
 export const useIntegrationStore = create<IntegrationStore>((set, get) => ({
-  providers: [],
   connections: [],
-  loadingProviders: false,
+  orgConnections: [],
+  catalog: [],
   loadingConnections: false,
+  loadingOrgConnections: false,
+  loadingCatalog: false,
   error: null,
   initialized: false,
+  orgInitialized: false,
 
-  fetchProviders: async () => {
-    if (get().loadingProviders) {
+  fetchConnections: async (force = false) => {
+    const { loadingConnections, initialized } = get();
+    if (loadingConnections || (!force && initialized)) {
       return;
     }
 
-    set({ loadingProviders: true, error: null });
+    set({ loadingConnections: true, error: null });
     try {
-      const providers = await api.integrations.listProviders();
+      const connections = await api.integrations.listConnections();
       set({
-        providers: sortProviders(providers),
-        loadingProviders: false,
+        connections: sortConnections(connections),
+        loadingConnections: false,
+        initialized: true,
       });
     } catch (error) {
       set({
-        loadingProviders: false,
-        error: error instanceof Error ? error.message : 'Failed to load providers',
+        loadingConnections: false,
+        error: error instanceof Error ? error.message : 'Failed to load integrations',
       });
     }
   },
 
-  fetchConnections: async (userId: string, force = false) => {
-    const { loadingConnections, initialized } = get();
-    if (loadingConnections || (!force && initialized)) {
+  fetchOrgConnections: async (provider?: string, force = false) => {
+    const { loadingOrgConnections, orgInitialized } = get();
+    if (loadingOrgConnections || (!force && orgInitialized)) {
       return;
     }
 
-    set({ loadingConnections: true, error: null });
+    set({ loadingOrgConnections: true, error: null });
     try {
-      const connections = await api.integrations.listConnections(userId);
+      const orgConnections = await api.integrations.listOrgConnections(provider);
       set({
-        connections: sortConnections(connections),
-        loadingConnections: false,
-        initialized: true,
+        orgConnections: sortConnections(orgConnections),
+        loadingOrgConnections: false,
+        orgInitialized: true,
       });
     } catch (error) {
       set({
-        loadingConnections: false,
-        error: error instanceof Error ? error.message : 'Failed to load integrations',
+        loadingOrgConnections: false,
+        error: error instanceof Error ? error.message : 'Failed to load org connections',
       });
     }
   },
 
+  fetchMergedConnections: async () => {
+    // D17: call both endpoints, merge, dedup
+    const results = await Promise.allSettled([
+      api.integrations.listConnections(),
+      api.integrations.listOrgConnections(),
+    ]);
+
+    const userConns = results[0].status === 'fulfilled' ? results[0].value : [];
+    const orgConns = results[1].status === 'fulfilled' ? results[1].value : [];
+
+    if (results[0].status === 'rejected' && results[1].status === 'rejected') {
+      throw new Error('Failed to load connections from both endpoints');
+    }
+
+    const merged = mergeAndDedup(userConns, orgConns);
+    set({ connections: userConns, orgConnections: orgConns });
+    return merged;
+  },
+
   upsertConnection: (connection: IntegrationConnection) => {
     set((state) => ({
       connections: sortConnections(
@@ -90,15 +162,21 @@ export const useIntegrationStore = create<IntegrationStore>((set, get) => ({
           ? state.connections.map((item) => (item.id === connection.id ? connection : item))
           : [...state.connections, connection],
       ),
+      orgConnections: sortConnections(
+        state.orgConnections.some((item) => item.id === connection.id)
+          ? state.orgConnections.map((item) => (item.id === connection.id ? connection : item))
+          : [...state.orgConnections, connection],
+      ),
     }));
   },
 
-  refreshConnection: async (id: string, userId: string) => {
+  refreshConnection: async (id: string) => {
     try {
-      const refreshed = await api.integrations.refreshConnection(id, userId);
+      const refreshed = await api.integrations.refreshConnection(id);
       set((state) => ({
-        connections: sortConnections(
-          state.connections.map((connection) => (connection.id === id ? refreshed : connection)),
+        connections: sortConnections(state.connections.map((c) => (c.id === id ? refreshed : c))),
+        orgConnections: sortConnections(
+          state.orgConnections.map((c) => (c.id === id ? refreshed : c)),
         ),
       }));
       return refreshed;
@@ -110,11 +188,12 @@ export const useIntegrationStore = create<IntegrationStore>((set, get) => ({
     }
   },
 
-  disconnect: async (id: string, userId: string) => {
+  disconnect: async (id: string) => {
     try {
-      await api.integrations.disconnect(id, userId);
+      await api.integrations.disconnect(id);
       set((state) => ({
-        connections: state.connections.filter((connection) => connection.id !== id),
+        connections: state.connections.filter((c) => c.id !== id),
+        orgConnections: state.orgConnections.filter((c) => c.id !== id),
       }));
     } catch (error) {
       const message = error instanceof Error ? error.message : 'Failed to disconnect integration';
@@ -123,6 +202,60 @@ export const useIntegrationStore = create<IntegrationStore>((set, get) => ({
     }
   },
 
+  getAwsSetupInfo: async () => {
+    return api.integrations.getAwsSetupInfo();
+  },
+
+  createAwsConnection: async (payload) => {
+    try {
+      const connection = await api.integrations.createAwsConnection(payload);
+      get().upsertConnection(connection);
+      return connection;
+    } catch (error) {
+      const message = error instanceof Error ? error.message : 'Failed to create AWS connection';
+      set({ error: message });
+      throw error instanceof Error ? error : new Error(message);
+    }
+  },
+
+  createSlackWebhookConnection: async (payload) => {
+    try {
+      const connection = await api.integrations.createSlackWebhookConnection(payload);
+      get().upsertConnection(connection);
+      return connection;
+    } catch (error) {
+      const message = error instanceof Error ? error.message : 'Failed to create Slack connection';
+      set({ error: message });
+      throw error instanceof Error ? error : new Error(message);
+    }
+  },
+
+  validateAwsConnection: async (id: string) => {
+    return api.integrations.validateAwsConnection(id);
+  },
+
+  testSlackConnection: async (id: string) => {
+    return api.integrations.testSlackConnection(id);
+  },
+
+  discoverOrgAccounts: async (id: string) => {
+    return api.integrations.discoverOrgAccounts(id);
+  },
+
+  fetchCatalog: async () => {
+    if (get().loadingCatalog) return;
+    set({ loadingCatalog: true, error: null });
+    try {
+      const catalog = await api.integrations.getCatalog();
+      set({ catalog, loadingCatalog: false });
+    } catch (error) {
+      set({
+        loadingCatalog: false,
+        error: error instanceof Error ? error.message : 'Failed to load catalog',
+      });
+    }
+  },
+
   resetError: () => {
     set({ error: null });
   },
diff --git a/worker/package.json b/worker/package.json
index bc75fb3d..e829e7dc 100644
--- a/worker/package.json
+++ b/worker/package.json
@@ -22,7 +22,9 @@
     "@ai-sdk/google": "^3.0.13",
     "@ai-sdk/mcp": "^1.0.13",
     "@ai-sdk/openai": "^3.0.18",
+    "@aws-sdk/client-organizations": "^3.987.0",
     "@aws-sdk/client-s3": "^3.975.0",
+    "@aws-sdk/client-sts": "^3.987.0",
     "@googleapis/admin": "^29.0.0",
     "@grpc/grpc-js": "^1.14.3",
     "@modelcontextprotocol/sdk": "^1.25.1",
diff --git a/worker/src/components/core/aws-assume-role.ts b/worker/src/components/core/aws-assume-role.ts
new file mode 100644
index 00000000..802db33f
--- /dev/null
+++ b/worker/src/components/core/aws-assume-role.ts
@@ -0,0 +1,133 @@
+import { z } from 'zod';
+import {
+  componentRegistry,
+  ConfigurationError,
+  defineComponent,
+  inputs,
+  outputs,
+  parameters,
+  port,
+  param,
+} from '@shipsec/component-sdk';
+import { awsCredentialSchema } from '@shipsec/contracts';
+import { STSClient, AssumeRoleCommand } from '@aws-sdk/client-sts';
+
+const inputSchema = inputs({
+  sourceCredentials: port(awsCredentialSchema(), {
+    label: 'Source Credentials',
+    description: 'AWS credentials to use when assuming the target role.',
+    connectionType: { kind: 'contract', name: 'core.credential.aws', credential: true },
+  }),
+});
+
+const parameterSchema = parameters({
+  roleArn: param(
+    z.string().min(1, 'Role ARN is required').describe('ARN of the IAM role to assume.'),
+    {
+      label: 'Role ARN',
+      editor: 'text',
+      description:
+        'The ARN of the IAM role to assume (e.g. arn:aws:iam::123456789012:role/MyRole).',
+    },
+  ),
+  externalId: param(
+    z.string().optional().describe('Optional external ID for cross-account role assumption.'),
+    {
+      label: 'External ID',
+      editor: 'text',
+      description: 'Optional external ID required by the trust policy of the target role.',
+    },
+  ),
+  sessionName: param(
+    z.string().default('shipsec-session').describe('Session name for the assumed role session.'),
+    {
+      label: 'Session Name',
+      editor: 'text',
+      description: 'Name for the assumed role session. Defaults to shipsec-session.',
+    },
+  ),
+});
+
+const outputSchema = outputs({
+  credentials: port(awsCredentialSchema(), {
+    label: 'Assumed Role Credentials',
+    description: 'Temporary assumed role credentials',
+    connectionType: { kind: 'contract', name: 'core.credential.aws', credential: true },
+  }),
+});
+
+const definition = defineComponent({
+  id: 'core.aws.assume-role',
+  label: 'AWS Assume Role',
+  category: 'process',
+  runner: { kind: 'inline' },
+  inputs: inputSchema,
+  outputs: outputSchema,
+  parameters: parameterSchema,
+  docs: 'Assume an AWS IAM role using STS and return temporary credentials. Useful for cross-account access and least-privilege workflows.',
+  ui: {
+    slug: 'aws-assume-role',
+    version: '1.0.0',
+    type: 'process',
+    category: 'cloud',
+    description:
+      'Assume an AWS IAM role via STS to obtain temporary credentials for cross-account or scoped access.',
+    icon: 'Shield',
+  },
+  async execute({ inputs, params }, context) {
+    const sourceCreds = inputSchema.parse(inputs).sourceCredentials;
+
+    if (!sourceCreds.accessKeyId || !sourceCreds.secretAccessKey) {
+      throw new ConfigurationError(
+        'Source AWS credentials (accessKeyId and secretAccessKey) are required.',
+        { configKey: 'sourceCredentials' },
+      );
+    }
+
+    const roleArn = params.roleArn;
+    const sessionName = params.sessionName ?? 'shipsec-session';
+
+    context.emitProgress(`Assuming role ${roleArn}...`);
+
+    const stsClient = new STSClient({
+      credentials: {
+        accessKeyId: sourceCreds.accessKeyId,
+        secretAccessKey: sourceCreds.secretAccessKey,
+        sessionToken: sourceCreds.sessionToken,
+      },
+      region: sourceCreds.region ?? 'us-east-1',
+    });
+
+    const command = new AssumeRoleCommand({
+      RoleArn: roleArn,
+      RoleSessionName: sessionName,
+      DurationSeconds: 3600,
+      ...(params.externalId ? { ExternalId: params.externalId } : {}),
+    });
+
+    const response = await stsClient.send(command);
+
+    if (!response.Credentials) {
+      throw new ConfigurationError(
+        `STS AssumeRole did not return credentials for role ${roleArn}.`,
+        { configKey: 'roleArn' },
+      );
+    }
+
+    context.logger.info(
+      `[AWSAssumeRole] Successfully assumed role ${roleArn} (session: ${sessionName}).`,
+    );
+    context.emitProgress(`Assumed role ${roleArn} successfully.`);
+
+    return outputSchema.parse({
+      credentials: {
+        accessKeyId: response.Credentials.AccessKeyId ?? '',
+        secretAccessKey: response.Credentials.SecretAccessKey ?? '',
+        sessionToken: response.Credentials.SessionToken,
+        region: sourceCreds.region,
+      },
+    });
+  },
+});
+
+componentRegistry.register(definition);
diff --git a/worker/src/components/core/aws-org-discovery.ts b/worker/src/components/core/aws-org-discovery.ts
new file mode 100644
index 00000000..12dfa131
--- /dev/null
+++ b/worker/src/components/core/aws-org-discovery.ts
@@ -0,0 +1,106 @@
+import { z } from 'zod';
+import {
+  componentRegistry,
+  ConfigurationError,
+  defineComponent,
+  inputs,
+  outputs,
+  port,
+} from '@shipsec/component-sdk';
+import { awsCredentialSchema } from '@shipsec/contracts';
+import { OrganizationsClient, paginateListAccounts } from '@aws-sdk/client-organizations';
+
+const inputSchema = inputs({
+  credentials: port(awsCredentialSchema(), {
+    label: 'AWS Credentials',
+    description: 'AWS credentials with permissions to list organization accounts.',
+    connectionType: { kind: 'contract', name: 'core.credential.aws', credential: true },
+  }),
+});
+
+const accountSchema = z.object({
+  id: z.string(),
+  name: z.string(),
+  status: z.string(),
+  email: z.string(),
+});
+
+const outputSchema = outputs({
+  accounts: port(z.array(accountSchema), {
+    label: 'Accounts',
+    description: 'List of AWS Organization accounts',
+    connectionType: { kind: 'list', element: { kind: 'primitive', name: 'json' } },
+  }),
+  organizationId: port(z.string().optional(), {
+    label: 'Organization ID',
+    description: 'AWS Organization ID',
+  }),
+});
+
+const definition = defineComponent({
+  id: 'core.aws.org-discovery',
+  label: 'AWS Org Discovery',
+  category: 'process',
+  runner: { kind: 'inline' },
+  inputs: inputSchema,
+  outputs: outputSchema,
+  docs: 'Discover all accounts in an AWS Organization using the provided credentials. Paginates through all accounts automatically.',
+  ui: {
+    slug: 'aws-org-discovery',
+    version: '1.0.0',
+    type: 'process',
+    category: 'cloud',
+    description: 'List all AWS Organization accounts to enable multi-account workflows.',
+    icon: 'Cloud',
+  },
+  async execute({ inputs }, context) {
+    const creds = inputSchema.parse(inputs).credentials;
+
+    if (!creds.accessKeyId || !creds.secretAccessKey) {
+      throw new ConfigurationError(
+        'AWS credentials (accessKeyId and secretAccessKey) are required.',
+        { configKey: 'credentials' },
+      );
+    }
+
+    context.emitProgress('Discovering AWS Organization accounts...');
+
+    const client = new OrganizationsClient({
+      credentials: {
+        accessKeyId: creds.accessKeyId,
+        secretAccessKey: creds.secretAccessKey,
+        sessionToken: creds.sessionToken,
+      },
+      region: creds.region ?? 'us-east-1',
+    });
+
+    const accounts: { id: string; name: string; status: string; email: string }[] = [];
+
+    const paginator = paginateListAccounts({ client }, {});
+
+    for await (const page of paginator) {
+      if (page.Accounts) {
+        for (const account of page.Accounts) {
+          accounts.push({
+            id: account.Id ?? '',
+            name: account.Name ?? '',
+            status: account.Status ?? 'UNKNOWN',
+            email: account.Email ?? '',
+          });
+        }
+      }
+    }
+
+    context.logger.info(
+      `[AWSOrGDiscovery] Discovered ${accounts.length} accounts in the organization.`,
+    );
+    context.emitProgress(`Found ${accounts.length} AWS Organization accounts.`);
+
+    return outputSchema.parse({
+      accounts,
+      organizationId: undefined,
+    });
+  },
+});
+
+componentRegistry.register(definition);
diff --git a/worker/src/components/core/integration-credential-resolver.ts b/worker/src/components/core/integration-credential-resolver.ts
new file mode 100644
index 00000000..f7c08a14
--- /dev/null
+++ b/worker/src/components/core/integration-credential-resolver.ts
@@ -0,0 +1,222 @@
+import { z } from 'zod';
+import {
+  componentRegistry,
+  ConfigurationError,
+  defineComponent,
+  inputs,
+  outputs,
+  parameters,
+  port,
+  param,
+  DEFAULT_SENSITIVE_HEADERS,
+  fromHttpResponse,
+  type ExecutionContext,
+} from '@shipsec/component-sdk';
+
+const inputSchema = inputs({
+  connectionId: port(
+    z.string().trim().optional().describe('Integration connection ID to resolve credentials from.'),
+    {
+      label: 'Connection ID',
+      description: 'Integration connection ID. Wire from Entry Point or set as a parameter.',
+      connectionType: { kind: 'primitive', name: 'text' },
+    },
+  ),
+  regions: port(
+    z
+      .string()
+      .trim()
+      .optional()
+      .describe('Comma-separated regions to scan. Falls back to the connection default region.'),
+    {
+      label: 'Regions',
+      description: 'Optional region override. If not wired, uses the connection default region.',
+      connectionType: { kind: 'primitive', name: 'text' },
+    },
+  ),
+});
+
+const parameterSchema = parameters({
+  connectionId: param(
+    z.string().trim().optional().describe('Integration connection ID to resolve credentials from.'),
+    {
+      label: 'Connection ID',
+      editor: 'text',
+      description:
+        'Select an integration connection to resolve credentials from. Overridden when wired from an upstream node.',
+    },
+  ),
+});
+
+const outputSchema = outputs({
+  credentialType: port(z.string(), {
+    label: 'Credential Type',
+    description: 'The type of credentials (oauth, api_key, iam_role, webhook)',
+  }),
+  provider: port(z.string(), {
+    label: 'Provider',
+    description: 'The integration provider (aws, slack, github, etc.)',
+  }),
+  accountId: port(z.string().default(''), {
+    label: 'Account ID',
+    description:
+      'Provider account identifier (e.g. AWS 12-digit account ID). Empty when not applicable.',
+    connectionType: { kind: 'primitive', name: 'text' },
+  }),
+  regions: port(z.string().default(''), {
+    label: 'Regions',
+    description:
+      'Regions to scan. Uses the input override if provided, otherwise falls back to the connection default region.',
+    connectionType: { kind: 'primitive', name: 'text' },
+  }),
+  data: port(z.record(z.string(), z.unknown()), {
+    label: 'Credentials Data',
+    description: 'Resolved credentials data',
+    allowAny: true,
+    reason: 'Credential payloads vary by provider and credential type.',
+    editor: 'secret',
+    connectionType: { kind: 'any' },
+  }),
+});
+
+const definition = defineComponent({
+  id: 'core.integration.resolve-credentials',
+  label: 'Integration Credential Resolver',
+  category: 'input',
+  runner: { kind: 'inline' },
+  inputs: inputSchema,
+  outputs: outputSchema,
+  parameters: parameterSchema,
+  docs: 'Resolve credentials from an integration connection. Calls the internal credentials endpoint and returns the provider, type, and credential data.',
+  ui: {
+    slug: 'integration-credential-resolver',
+    version: '1.0.0',
+    type: 'input',
+    category: 'core',
+    description:
+      'Resolve credentials from an integration connection for use by downstream components.',
+    icon: 'KeySquare',
+  },
+  async execute({ inputs, params }, context) {
+    // Prefer input port value (wired from upstream), fall back to parameter (static config)
+    const connectionId = (inputs.connectionId || params.connectionId || '').trim();
+
+    if (connectionId.length === 0) {
+      throw new ConfigurationError('Connection ID is required.', {
+        configKey: 'connectionId',
+      });
+    }
+
+    context.emitProgress(`Resolving credentials for connection ${connectionId}...`);
+
+    const payload = await fetchConnectionCredentials(connectionId, context);
+
+    context.logger.info(
+      `[IntegrationCredentialResolver] Resolved credentials for connection ${connectionId} (provider=${payload.provider}, type=${payload.credentialType}).`,
+    );
+
+    // Regions: prefer explicit input, fall back to the connection's default region
+    const resolvedRegions = (inputs.regions || payload.region || '').trim();
+
+    return outputSchema.parse({
+      credentialType: payload.credentialType,
+      provider: payload.provider,
+      accountId: payload.accountId ?? '',
+      regions: resolvedRegions,
+      data: payload.data,
+    });
+  },
+});
+
+async function fetchConnectionCredentials(
+  connectionId: string,
+  context: ExecutionContext,
+): Promise<{
+  credentialType: string;
+  provider: string;
+  data: Record<string, unknown>;
+  accountId?: string;
+  region?: string;
+}> {
+  const internalToken = process.env.INTERNAL_SERVICE_TOKEN;
+
+  const baseUrl =
+    process.env.STUDIO_API_BASE_URL ??
+    process.env.SHIPSEC_API_BASE_URL ??
+    process.env.API_BASE_URL ??
+    'http://localhost:3211';
+
+  const normalizedBase = baseUrl.endsWith('/') ? baseUrl.slice(0, -1) : baseUrl;
+
+  if (!internalToken) {
+    context.emitProgress({
+      level: 'warn',
+      message:
+        'INTERNAL_SERVICE_TOKEN env var not set; requesting credentials without internal auth header.',
+    });
+  }
+
+  const sensitiveHeaders = internalToken
+    ? Array.from(new Set([...DEFAULT_SENSITIVE_HEADERS, 'x-internal-token']))
+    : DEFAULT_SENSITIVE_HEADERS;
+
+  const response = await context.http.fetch(
+    `${normalizedBase}/integrations/connections/${encodeURIComponent(connectionId)}/credentials`,
+    {
+      method: 'POST',
+      headers: internalToken
+        ? {
+            'Content-Type': 'application/json',
+            'X-Internal-Token': internalToken,
+          }
+        : {
+            'Content-Type': 'application/json',
+          },
+    },
+    { sensitiveHeaders },
+  );
+
+  if (!response.ok) {
+    const raw = await safeReadText(response);
+    throw fromHttpResponse(
+      response,
+      `Failed to resolve credentials for connection ${connectionId}: ${raw}`,
+    );
+  }
+
+  const payload = (await response.json()) as {
+    credentialType?: string;
+    provider?: string;
+    data?: Record<string, unknown>;
+    accountId?: string;
+    region?: string;
+  };
+
+  if (!payload.credentialType || !payload.provider) {
+    throw new ConfigurationError(
+      `Connection ${connectionId} returned an incomplete credential response.`,
+      {
+        configKey: 'connectionId',
+        details: { connectionId },
+      },
+    );
+  }
+
+  return {
+    credentialType: payload.credentialType,
+    provider: payload.provider,
+    data: payload.data ?? {},
+    accountId: payload.accountId,
+    region: payload.region,
+  };
+}
+
+async function safeReadText(response: Response): Promise<string> {
+  try {
+    return await response.text();
+  } catch (error) {
+    return `<<unable to read body: ${(error as Error).message}>>`;
+  }
+}
+
+componentRegistry.register(definition);
diff --git a/worker/src/components/index.ts b/worker/src/components/index.ts
index 714c92e2..3c0cea3c 100644
--- a/worker/src/components/index.ts
+++ b/worker/src/components/index.ts
@@ -22,6 +22,9 @@ import './core/array-pack';
 import './core/artifact-writer';
 import './core/file-writer';
 import './core/credentials-aws';
+import './core/integration-credential-resolver';
+import './core/aws-org-discovery';
+import './core/aws-assume-role';
 import './core/destination-artifact';
 import './core/destination-s3';
 import './core/text-block';
diff --git a/worker/src/components/security/prowler-scan.ts b/worker/src/components/security/prowler-scan.ts
index 78077771..207bdf77 100644
--- a/worker/src/components/security/prowler-scan.ts
+++ b/worker/src/components/security/prowler-scan.ts
@@ -705,14 +705,17 @@ const definition = defineComponent({
         }
       }
 
+      const { findings, errors } =
+        rawSegments.length > 0
+          ? normaliseFindings(rawSegments, context.runId)
+          : { findings: [] as NormalisedFinding[], errors: [] as string[] };
+
       if (rawSegments.length === 0) {
-        throw new ServiceError('Prowler did not produce any ASFF output files.', {
-          details: { volumeName: outputVolume.getVolumeName() },
-        });
+        context.logger.info(
+          '[ProwlerScan] Prowler produced no ASFF output — likely 0 findings for the selected severity/region.',
+        );
       }
 
-      const { findings, errors } = normaliseFindings(rawSegments, context.runId);
-
       const generatedAt = new Date().toISOString();
       const severityCounts: Record<NormalisedSeverity, number> = {
         critical: 0,
diff --git a/worker/src/temporal/utils/component-output.ts b/worker/src/temporal/utils/component-output.ts
index 6601b97d..91aef639 100644
--- a/worker/src/temporal/utils/component-output.ts
+++ b/worker/src/temporal/utils/component-output.ts
@@ -37,6 +37,9 @@ function maskSecretPorts(secretPorts: { id: string }[], data: unknown): unknown
  */
 function getSecretPorts(ports: ComponentPortMetadata[]): { id: string }[] {
   return ports.filter((port) => {
+    if (port.editor === 'secret') {
+      return true;
+    }
     const connType = port.connectionType;
     if (!connType) {
       return false;

From ab9863ef136b682752b003bcce67d55fa6597b39 Mon Sep 17 00:00:00 2001
From: Aseem Shrey <LuD1161@users.noreply.github.com>
Date: Wed, 11 Feb 2026 23:09:53 -0500
Subject: [PATCH 2/5] feat(integrations): improve Slack OAuth flow, validation,
 and connection cards

- Fix OAuth callback spinner stuck in React 18 strict mode by removing
  the cancelled cleanup pattern (exchangeStartedRef is sufficient)
- Remove userId from completeOAuthSession input; derive from state record
  since the exchange endpoint is @Public()
- Add Slack auth.test validation for OAuth connections and fix valid->ok
  field mapping in testSlackConnection controller
- Add team:read scope and team.info API to fetch workspace icons
- Enrich connection metadata with workspace icon during OAuth and on
  test/validate (best-effort backfill for existing connections)
- Redesign connection cards with workspace icon/initials, green health
  badge, scope count, and hover effects
- Add dashed "Add Connection" card to the connections grid
- Fix toast text: "connection is healthy" instead of "message sent"

Signed-off-by: Aseem Shrey <LuD1161@users.noreply.github.com>
---
 .../src/integrations/integration-providers.ts |   1 +
 .../integrations/integrations.controller.ts   |   3 +-
 .../integrations/integrations.repository.ts   |  20 +--
 .../src/integrations/integrations.service.ts  |  64 +++++++---
 backend/src/integrations/slack.service.ts     |  75 +++++++++++
 frontend/src/pages/IntegrationCallback.tsx    |  29 ++---
 frontend/src/pages/IntegrationDetailPage.tsx  | 118 ++++++++++++++----
 7 files changed, 241 insertions(+), 69 deletions(-)

diff --git a/backend/src/integrations/integration-providers.ts b/backend/src/integrations/integration-providers.ts
index eca03797..af56baa7 100644
--- a/backend/src/integrations/integration-providers.ts
+++ b/backend/src/integrations/integration-providers.ts
@@ -49,6 +49,7 @@ export function loadIntegrationProviders(): Record<string, IntegrationProviderCo
     'chat:write.public',
     'commands',
     'im:write',
+    'team:read',
   ];
 
   return {
diff --git a/backend/src/integrations/integrations.controller.ts b/backend/src/integrations/integrations.controller.ts
index 4aa861d8..8c226bc1 100644
--- a/backend/src/integrations/integrations.controller.ts
+++ b/backend/src/integrations/integrations.controller.ts
@@ -372,7 +372,8 @@ export class IntegrationsController {
     }
 
     await this.integrations.assertConnectionOwnership(id, auth);
-    return this.integrations.validateConnection(id);
+    const result = await this.integrations.validateConnection(id);
+    return { ok: result.valid, error: result.error };
   }
 
   /* ------------------------------------------------------------------ */
diff --git a/backend/src/integrations/integrations.repository.ts b/backend/src/integrations/integrations.repository.ts
index 80aebdae..b85fea6c 100644
--- a/backend/src/integrations/integrations.repository.ts
+++ b/backend/src/integrations/integrations.repository.ts
@@ -217,17 +217,19 @@ export class IntegrationsRepository {
       lastValidatedAt: Date;
       lastValidationStatus: string;
       lastValidationError?: string | null;
+      metadata?: Record<string, unknown>;
     },
   ): Promise<void> {
-    await this.db
-      .update(integrationTokens)
-      .set({
-        lastValidatedAt: health.lastValidatedAt,
-        lastValidationStatus: health.lastValidationStatus,
-        lastValidationError: health.lastValidationError ?? null,
-        updatedAt: new Date(),
-      })
-      .where(eq(integrationTokens.id, id));
+    const setClause: Record<string, any> = {
+      lastValidatedAt: health.lastValidatedAt,
+      lastValidationStatus: health.lastValidationStatus,
+      lastValidationError: health.lastValidationError ?? null,
+      updatedAt: new Date(),
+    };
+    if (health.metadata) {
+      setClause.metadata = health.metadata;
+    }
+    await this.db.update(integrationTokens).set(setClause).where(eq(integrationTokens.id, id));
   }
 
   async updateLastUsedAt(id: string): Promise<void> {
diff --git a/backend/src/integrations/integrations.service.ts b/backend/src/integrations/integrations.service.ts
index 80a2797f..be1000e9 100644
--- a/backend/src/integrations/integrations.service.ts
+++ b/backend/src/integrations/integrations.service.ts
@@ -310,7 +310,6 @@ export class IntegrationsService implements OnModuleInit {
   async completeOAuthSession(
     providerId: string,
     input: {
-      userId: string;
       state: string;
       code: string;
       redirectUri: string;
@@ -321,21 +320,19 @@ export class IntegrationsService implements OnModuleInit {
       `[completeOAuth] Starting exchange for provider=${providerId}, redirectUri=${input.redirectUri}`,
     );
     const provider = await this.resolveProviderForAuth(providerId);
-    this.logger.log(`[completeOAuth] Provider resolved: ${provider.id}`);
     const stateRecord = await this.repository.consumeOAuthState(input.state);
-    this.logger.log(`[completeOAuth] State consumed: ${!!stateRecord}`);
 
     if (!stateRecord) {
       throw new BadRequestException('OAuth state is missing or has already been used');
     }
-    if (stateRecord.userId !== input.userId) {
-      throw new BadRequestException('OAuth state does not match the requesting user');
-    }
     if (stateRecord.provider !== providerId) {
       throw new BadRequestException('OAuth state does not match the provider');
     }
 
-    const organizationId = stateRecord.organizationId ?? `workspace-${input.userId}`;
+    // userId derived from the state record (created during startOAuth with auth context).
+    // The exchange endpoint is @Public() — the one-time state token is the proof of identity.
+    const userId = stateRecord.userId;
+    const organizationId = stateRecord.organizationId ?? `workspace-${userId}`;
     const scopes = this.normalizeScopes(input.scopes, provider);
 
     this.logger.log(`[completeOAuth] Requesting tokens from ${provider.tokenUrl}`);
@@ -346,19 +343,31 @@ export class IntegrationsService implements OnModuleInit {
       codeVerifier: stateRecord.codeVerifier,
       scopes,
     });
-    this.logger.log(
-      `[completeOAuth] Token response received, keys: ${Object.keys(rawResponse).join(', ')}`,
-    );
+
+    // For Slack, extract workspace name from the token response for a better display name
+    const displayName = rawResponse?.team?.name ?? rawResponse?.team_name ?? providerId;
+
+    // For Slack, fetch the workspace icon via team.info (best-effort, non-blocking)
+    if (providerId === 'slack' && rawResponse?.access_token) {
+      try {
+        const teamInfo = await this.slackService.getTeamInfo(rawResponse.access_token);
+        if (teamInfo.ok && teamInfo.icon) {
+          rawResponse._teamIcon = teamInfo.icon;
+        }
+      } catch {
+        // Non-critical — icon will simply be absent
+      }
+    }
 
     const persisted = await this.persistTokenResponse({
-      userId: input.userId,
+      userId,
       organizationId,
       credentialType: 'oauth',
-      displayName: providerId,
+      displayName,
       provider,
       scopes,
       rawResponse,
-      previous: await this.repository.findByUserAndProvider(input.userId, providerId),
+      previous: await this.repository.findByUserAndProvider(userId, providerId),
     });
     this.logger.log(`[completeOAuth] Connection persisted: ${persisted.id}`);
 
@@ -600,8 +609,35 @@ export class IntegrationsService implements OnModuleInit {
       const creds = JSON.parse(decrypted);
       const webhookResult = await this.slackService.testWebhook(creds.webhookUrl);
       result = { valid: webhookResult.ok, error: webhookResult.error };
+    } else if (record.provider === 'slack' && record.credentialType === 'oauth') {
+      // Validate the OAuth bot token by calling Slack's auth.test API
+      const authResult = await this.slackService.authTest(decrypted);
+      result = { valid: authResult.ok, error: authResult.error };
+
+      // Best-effort: enrich metadata with workspace icon if missing
+      if (authResult.ok) {
+        try {
+          const existingMeta = this.coerceMetadata(record.metadata);
+          const payload = (existingMeta.providerPayload ?? {}) as Record<string, any>;
+          if (!payload._teamIcon) {
+            const teamInfo = await this.slackService.getTeamInfo(decrypted);
+            if (teamInfo.ok && teamInfo.icon) {
+              payload._teamIcon = teamInfo.icon;
+              const updatedMeta = { ...existingMeta, providerPayload: payload };
+              await this.repository.updateConnectionHealth(connectionId, {
+                lastValidatedAt: new Date(),
+                lastValidationStatus: 'valid',
+                metadata: updatedMeta,
+              });
+              return result;
+            }
+          }
+        } catch {
+          // Non-critical — icon enrichment failure doesn't affect validation
+        }
+      }
     } else {
-      // For OAuth or other types, we cannot generically validate; treat as valid.
+      // For other types, we cannot generically validate; treat as valid.
       result = { valid: true };
     }
 
diff --git a/backend/src/integrations/slack.service.ts b/backend/src/integrations/slack.service.ts
index e2ade5fe..beab2949 100644
--- a/backend/src/integrations/slack.service.ts
+++ b/backend/src/integrations/slack.service.ts
@@ -38,6 +38,81 @@ export class SlackService {
     }
   }
 
+  /**
+   * Test a Slack bot token via auth.test. Returns workspace info.
+   */
+  async authTest(
+    botToken: string,
+  ): Promise<{ ok: boolean; error?: string; teamName?: string; teamId?: string; url?: string }> {
+    try {
+      const response = await fetch('https://slack.com/api/auth.test', {
+        method: 'POST',
+        headers: {
+          Authorization: `Bearer ${botToken}`,
+          'Content-Type': 'application/json',
+        },
+      });
+
+      const data = await response.json();
+
+      if (!data.ok) {
+        this.logger.error(`Slack auth.test failed: ${data.error}`);
+        return { ok: false, error: data.error || 'auth.test failed' };
+      }
+
+      return {
+        ok: true,
+        teamName: data.team,
+        teamId: data.team_id,
+        url: data.url,
+      };
+    } catch (error) {
+      this.logger.error('Network error calling auth.test:', error);
+      return {
+        ok: false,
+        error: error instanceof Error ? error.message : 'Unknown network error',
+      };
+    }
+  }
+
+  /**
+   * Fetch workspace info (name + icon) via team.info. Requires team:read scope.
+   */
+  async getTeamInfo(
+    botToken: string,
+  ): Promise<{ ok: boolean; icon?: string; name?: string; id?: string }> {
+    try {
+      const response = await fetch('https://slack.com/api/team.info', {
+        method: 'GET',
+        headers: {
+          Authorization: `Bearer ${botToken}`,
+        },
+      });
+
+      const data = await response.json();
+
+      if (!data.ok) {
+        this.logger.warn(`Slack team.info failed: ${data.error}`);
+        return { ok: false };
+      }
+
+      // Pick the largest available icon (image_230 > image_132 > image_88 > image_68)
+      const icons = data.team?.icon ?? {};
+      const icon =
+        icons.image_230 || icons.image_132 || icons.image_88 || icons.image_68 || icons.image_44;
+
+      return {
+        ok: true,
+        icon: icons.image_default ? undefined : icon,
+        name: data.team?.name,
+        id: data.team?.id,
+      };
+    } catch (error) {
+      this.logger.warn('Failed to fetch team.info (non-critical):', error);
+      return { ok: false };
+    }
+  }
+
   /**
    * List Slack channels using a bot token
    */
diff --git a/frontend/src/pages/IntegrationCallback.tsx b/frontend/src/pages/IntegrationCallback.tsx
index 018dde5e..63f4c3c6 100644
--- a/frontend/src/pages/IntegrationCallback.tsx
+++ b/frontend/src/pages/IntegrationCallback.tsx
@@ -1,11 +1,10 @@
-import { useEffect, useMemo, useRef, useState } from 'react';
+import { useEffect, useRef, useState } from 'react';
 import { useNavigate, useParams, useSearchParams } from 'react-router-dom';
 import { Button } from '@/components/ui/button';
 import { Loader2, CheckCircle, XCircle } from 'lucide-react';
 
 import type { components } from '@shipsec/backend-client';
 import { api } from '@/services/api';
-import { getCurrentUserId } from '@/lib/currentUser';
 import { env } from '@/config/env';
 
 type IntegrationConnection = components['schemas']['IntegrationConnectionResponse'];
@@ -16,10 +15,12 @@ export function IntegrationCallback() {
   const { provider } = useParams<{ provider: string }>();
   const [searchParams] = useSearchParams();
   const navigate = useNavigate();
-  const userId = useMemo(() => getCurrentUserId(), []);
 
   const [status, setStatus] = useState<CallbackStatus>('pending');
   const [message, setMessage] = useState('Exchanging authorization code…');
+  // Ref guard prevents double-execution in React 18 strict mode.
+  // Do NOT combine with a `cancelled` cleanup — strict mode unmounts between
+  // the two dev-only mounts, which would cancel the in-flight fetch.
   const exchangeStartedRef = useRef(false);
 
   useEffect(() => {
@@ -52,25 +53,16 @@ export function IntegrationCallback() {
     }
     exchangeStartedRef.current = true;
 
-    const authCode = code;
-    const authState = state;
-
     const redirectUri = `${env.VITE_APP_URL}/integrations/callback/${providerId}`;
-    let cancelled = false;
 
     async function exchangeCode() {
       try {
         const connection = await api.integrations.completeOAuth(providerId, {
-          userId,
-          code: authCode,
-          state: authState,
+          code,
+          state,
           redirectUri,
         });
 
-        if (cancelled) {
-          return;
-        }
-
         broadcastConnection(connection);
         setStatus('success');
         setMessage(`Connected to ${connection.providerName}. Redirecting…`);
@@ -79,9 +71,6 @@ export function IntegrationCallback() {
           navigate(target, { replace: true });
         }, 1200);
       } catch (error) {
-        if (cancelled) {
-          return;
-        }
         const description =
           error instanceof Error ? error.message : 'Failed to exchange authorization code.';
         setStatus('error');
@@ -90,11 +79,7 @@ export function IntegrationCallback() {
     }
 
     exchangeCode();
-
-    return () => {
-      cancelled = true;
-    };
-  }, [navigate, provider, searchParams, userId]);
+  }, [navigate, provider, searchParams]);
 
   return (
     <div className="min-h-screen flex flex-col items-center justify-center bg-background px-6">
diff --git a/frontend/src/pages/IntegrationDetailPage.tsx b/frontend/src/pages/IntegrationDetailPage.tsx
index 91f6f008..3ffdf632 100644
--- a/frontend/src/pages/IntegrationDetailPage.tsx
+++ b/frontend/src/pages/IntegrationDetailPage.tsx
@@ -96,7 +96,7 @@ function healthBadge(connection: IntegrationConnection) {
   const status = connection.lastValidationStatus ?? connection.status;
   if (status === 'active' || status === 'valid' || status === 'ok') {
     return (
-      <Badge variant="secondary" className="gap-1">
+      <Badge className="gap-1 bg-emerald-100 text-emerald-700 dark:bg-emerald-950 dark:text-emerald-400 border-emerald-200 dark:border-emerald-800">
         <CheckCircle className="h-3 w-3" />
         Healthy
       </Badge>
@@ -495,7 +495,7 @@ interface SlackFormProps {
 function SlackConnectionForm({ onCreated, onCancel }: SlackFormProps) {
   const store = useIntegrationStore();
   const { toast } = useToast();
-  const [tab, setTab] = useState<string>('webhook');
+  const [tab, setTab] = useState<string>('oauth');
   const [submitting, setSubmitting] = useState(false);
   const [result, setResult] = useState<{ ok: boolean; message: string } | null>(null);
 
@@ -579,15 +579,28 @@ function SlackConnectionForm({ onCreated, onCancel }: SlackFormProps) {
     <div className="space-y-4">
       <Tabs value={tab} onValueChange={setTab}>
         <TabsList className="w-full">
-          <TabsTrigger value="webhook" className="flex-1">
-            Webhook
-          </TabsTrigger>
           <TabsTrigger value="oauth" className="flex-1">
             OAuth
           </TabsTrigger>
+          <TabsTrigger value="webhook" className="flex-1">
+            Webhook
+          </TabsTrigger>
         </TabsList>
 
-        <TabsContent value="webhook" className="mt-4">
+        <TabsContent value="webhook" className="mt-4 space-y-4">
+          {/* Main CTA */}
+          <div className="flex flex-col items-center text-center py-2 space-y-3">
+            <div className="flex h-12 w-12 items-center justify-center rounded-xl bg-gradient-to-br from-purple-50 to-pink-50 dark:from-purple-950/30 dark:to-pink-950/30">
+              <img src="/icons/slack.svg" alt="Slack" className="h-7 w-7" />
+            </div>
+            <div>
+              <p className="text-sm font-medium">Send alerts to a Slack channel via Webhook</p>
+              <p className="text-xs text-muted-foreground mt-1">
+                Paste an incoming webhook URL to post messages directly to a channel.
+              </p>
+            </div>
+          </div>
+
           <form onSubmit={handleWebhookSubmit} className="space-y-4">
             <div className="space-y-2">
               <Label htmlFor="wh-display-name">Display Name *</Label>
@@ -631,20 +644,30 @@ function SlackConnectionForm({ onCreated, onCancel }: SlackFormProps) {
               </div>
             )}
 
-            <DialogFooter className="gap-2">
-              <Button type="button" variant="outline" onClick={onCancel} disabled={submitting}>
-                Cancel
-              </Button>
-              <Button type="submit" disabled={submitting}>
+            <div className="flex justify-center pt-2">
+              <Button
+                type="submit"
+                disabled={submitting}
+                className="gap-2 bg-[#4A154B] hover:bg-[#3a1139] text-white"
+              >
                 {submitting ? (
                   <>
-                    <Loader2 className="mr-2 h-4 w-4 animate-spin" />
+                    <Loader2 className="h-4 w-4 animate-spin" />
                     Creating...
                   </>
                 ) : (
-                  'Create Connection'
+                  <>
+                    <img src="/icons/slack.svg" alt="" className="h-4 w-4 brightness-0 invert" />
+                    Add to Channel
+                  </>
                 )}
               </Button>
+            </div>
+
+            <DialogFooter>
+              <Button type="button" variant="outline" onClick={onCancel} disabled={submitting}>
+                Cancel
+              </Button>
             </DialogFooter>
           </form>
         </TabsContent>
@@ -853,12 +876,12 @@ export function IntegrationDetailPage() {
         if (result.ok) {
           toast({
             title: 'Test passed',
-            description: `Test message sent via ${connection.displayName}.`,
+            description: `${connection.displayName} connection is healthy.`,
           });
         } else {
           toast({
             title: 'Test failed',
-            description: result.error ?? 'Could not deliver test message.',
+            description: result.error ?? 'Connection test failed.',
             variant: 'destructive',
           });
         }
@@ -1087,20 +1110,56 @@ export function IntegrationDetailPage() {
             <div className="grid grid-cols-1 sm:grid-cols-2 lg:grid-cols-3 gap-4">
               {connections.map((conn) => {
                 const isValidating = validatingId === conn.id;
+                const meta = (conn.metadata ?? {}) as Record<string, any>;
+                const providerPayload = meta.providerPayload ?? {};
+                const teamName = providerPayload?.team?.name ?? conn.displayName;
+                const teamId = providerPayload?.team?.id;
+                const teamIcon: string | undefined = providerPayload?._teamIcon;
+                const connVisuals = PROVIDER_VISUALS[conn.provider];
+
                 return (
-                  <Card key={conn.id}>
+                  <Card
+                    key={conn.id}
+                    className={cn(
+                      'overflow-hidden transition-shadow hover:shadow-md',
+                      connVisuals?.borderAccent,
+                    )}
+                  >
                     <CardContent className="p-4 space-y-3">
-                      <div className="flex items-start justify-between gap-2">
-                        <h3 className="font-semibold text-sm truncate">
-                          {conn.displayName || '\u2014'}
-                        </h3>
-                        {healthBadge(conn)}
+                      <div className="flex items-start gap-3">
+                        {teamIcon ? (
+                          <img
+                            src={teamIcon}
+                            alt={teamName}
+                            className="h-10 w-10 rounded-lg flex-shrink-0 object-cover"
+                          />
+                        ) : (
+                          <div className="flex h-10 w-10 items-center justify-center rounded-lg flex-shrink-0 bg-muted text-muted-foreground font-semibold text-sm">
+                            {(teamName ?? '?').slice(0, 2).toUpperCase()}
+                          </div>
+                        )}
+                        <div className="min-w-0 flex-1">
+                          <div className="flex items-center justify-between gap-2">
+                            <h3 className="font-semibold text-sm truncate">{teamName}</h3>
+                            {healthBadge(conn)}
+                          </div>
+                          {teamId && (
+                            <p className="text-xs text-muted-foreground truncate mt-0.5">
+                              {teamId}
+                            </p>
+                          )}
+                        </div>
                       </div>
-                      <div className="flex items-center gap-2">
+                      <div className="flex items-center gap-2 flex-wrap">
                         {credentialTypeBadge(conn.credentialType)}
+                        {conn.scopes && conn.scopes.length > 0 && (
+                          <span className="text-[10px] text-muted-foreground">
+                            {conn.scopes.length} scope{conn.scopes.length !== 1 ? 's' : ''}
+                          </span>
+                        )}
                       </div>
                       <p className="text-xs text-muted-foreground">
-                        Created {formatTimestamp(conn.createdAt)}
+                        Connected {formatTimestamp(conn.createdAt)}
                       </p>
                       <div className="flex items-center gap-2 pt-2 border-t">
                         <Button
@@ -1131,6 +1190,19 @@ export function IntegrationDetailPage() {
                   </Card>
                 );
               })}
+
+              {/* Add Connection card */}
+              <Card
+                className="overflow-hidden border-2 border-dashed hover:border-primary/50 hover:bg-muted/30 transition-colors cursor-pointer"
+                onClick={() => setDialogOpen(true)}
+              >
+                <CardContent className="p-4 h-full flex flex-col items-center justify-center gap-2 min-h-[160px]">
+                  <div className="flex h-10 w-10 items-center justify-center rounded-full bg-primary/10">
+                    <Plus className="h-5 w-5 text-primary" />
+                  </div>
+                  <span className="text-sm font-medium text-muted-foreground">Add Connection</span>
+                </CardContent>
+              </Card>
             </div>
           )}
         </div>

From fcfc1de6e9f6b94106b092722a16a1b504205801 Mon Sep 17 00:00:00 2001
From: Aseem Shrey <LuD1161@users.noreply.github.com>
Date: Wed, 11 Feb 2026 23:11:25 -0500
Subject: [PATCH 3/5] docs: update Slack OAuth scopes and add integration
 documentation

- Add team:read to default Slack OAuth scopes in .env.example and
  integrations.md
- Include integration docs, core component docs, and README updates

Signed-off-by: Aseem Shrey <LuD1161@users.noreply.github.com>
---
 README.md                    |   9 ++
 backend/.env.example         |   2 +-
 backend/README.md            |  31 +++-
 docs/components/core.mdx     |  73 +++++++++
 docs/components/overview.mdx |  15 +-
 docs/docs.json               |  15 +-
 docs/integrations.md         | 280 +++++++++++++++++++++++++++++++++++
 7 files changed, 407 insertions(+), 18 deletions(-)
 create mode 100644 docs/integrations.md

diff --git a/README.md b/README.md
index 0c8600d0..d817b135 100644
--- a/README.md
+++ b/README.md
@@ -91,8 +91,17 @@ Native support for industry-standard security tools including:
 
 - **Discovery**: `Subfinder`, `DNSX`, `Naabu`, `HTTPx`
 - **Vulnerability**: `Nuclei`, `TruffleHog`
+- **CSPM**: `Prowler` for AWS cloud security posture management
 - **Utility**: `JSON Transform`, `Logic Scripts`, `HTTP Requests`
 
+### Cloud & Platform Integrations
+
+First-class integration support with encrypted credential management:
+
+- **AWS**: IAM Role connections with STS AssumeRole, Organization account discovery, cross-account scanning
+- **Slack**: Incoming Webhooks and OAuth App connections for notifications and alerts
+- **Credential Resolution**: Workflow components that securely resolve connection credentials at runtime
+
 ### Advanced Orchestration
 
 - **Human-in-the-Loop**: Pause workflows for approvals, form inputs, or manual validation before continuing.
diff --git a/backend/.env.example b/backend/.env.example
index c4a7b2fb..a33f4711 100644
--- a/backend/.env.example
+++ b/backend/.env.example
@@ -75,5 +75,5 @@ LOG_KAFKA_BROKERS="localhost:19092"
 # Slack OAuth integration (required for Slack app installation into customer workspaces)
 SLACK_OAUTH_CLIENT_ID=""
 SLACK_OAUTH_CLIENT_SECRET=""
-# Override default scopes (comma-separated); defaults: channels:read,chat:write,chat:write.public,commands,im:write
+# Override default scopes (comma-separated); defaults: channels:read,chat:write,chat:write.public,commands,im:write,team:read
 # SLACK_OAUTH_SCOPES=""
diff --git a/backend/README.md b/backend/README.md
index 1b44f794..b6385498 100644
--- a/backend/README.md
+++ b/backend/README.md
@@ -62,9 +62,13 @@ bun run test
 
 #### Integrations Module
 
-- **OAuth Provider**: Multi-provider OAuth orchestration
-- **Token Vault**: Encrypted storage of access tokens
-- **Connection Management**: OAuth lifecycle and refresh handling
+- **Provider Catalog**: Static integration catalog (AWS, Slack) with auth methods, setup scenarios, and configuration
+- **OAuth Provider**: Multi-provider OAuth orchestration (GitHub, Slack, Zoom) with PKCE support
+- **Token Vault**: AES-256-GCM encrypted storage of access and refresh tokens
+- **Connection Management**: Full lifecycle management -- create, validate, refresh, disconnect
+- **AWS Service**: IAM Role connections with STS AssumeRole, Organization account discovery, trust policy generation
+- **Slack Service**: Webhook connections with test messaging support
+- **Credential Resolution**: Internal API for worker components to resolve typed credentials at runtime
 
 #### Logging & Events Module
 
@@ -134,12 +138,27 @@ INTEGRATION_STORE_MASTER_KEY=your-32-character-integ-key!!!!!
 - `GET /api/v1/files/{id}/download` - Download file
 - `GET /api/v1/files/{id}/metadata` - Get file metadata
 
-### Secrets & Integrations
+### Secrets
 
 - `GET /api/v1/secrets` - List secrets
 - `POST /api/v1/secrets` - Create secret
-- `GET /api/v1/integrations/providers` - List OAuth providers
-- `POST /api/v1/integrations/{provider}/start` - Start OAuth flow
+
+### Integrations
+
+- `GET /integrations/catalog` - List integration provider catalog
+- `GET /integrations/connections` - List user connections
+- `GET /integrations/org/connections` - List organization connections
+- `DELETE /integrations/connections/{id}` - Remove a connection
+- `POST /integrations/connections/{id}/refresh` - Refresh connection tokens
+- `GET /integrations/providers` - List OAuth providers
+- `POST /integrations/{provider}/start` - Start OAuth flow
+- `POST /integrations/{provider}/exchange` - Complete OAuth exchange
+- `GET /integrations/aws/setup-info` - Get IAM trust policy and external ID
+- `POST /integrations/aws/connections` - Create AWS IAM role connection
+- `POST /integrations/aws/connections/{id}/validate` - Validate AWS connection
+- `POST /integrations/aws/connections/{id}/discover-org` - Discover AWS Organization accounts
+- `POST /integrations/slack/connections` - Create Slack webhook connection
+- `POST /integrations/slack/connections/{id}/test` - Test Slack connection
 
 ## Project Structure
 
diff --git a/docs/components/core.mdx b/docs/components/core.mdx
index 3ad0c765..6941c97a 100644
--- a/docs/components/core.mdx
+++ b/docs/components/core.mdx
@@ -155,6 +155,79 @@ Outputs data to workflow logs for debugging.
 
 ---
 
+## Integrations & Cloud
+
+### Integration Credential Resolver
+
+Resolves credentials from an integration connection at runtime. This component bridges the [Integrations](/integrations) system with workflow execution, enabling workflows to securely access cloud provider credentials without hardcoding secrets.
+
+| Input | Type | Description |
+|-------|------|-------------|
+| `connectionId` | Text | Integration connection ID. Wire from Entry Point or set as a parameter. |
+| `regions` | Text | Optional comma-separated region override |
+
+| Output | Type | Description |
+|--------|------|-------------|
+| `credentialType` | String | Type of credentials (`iam_role`, `oauth`, `api_key`, `webhook`) |
+| `provider` | String | Integration provider (`aws`, `slack`, etc.) |
+| `accountId` | String | Provider account identifier (e.g. AWS 12-digit account ID) |
+| `regions` | String | Resolved regions (input override or connection default) |
+| `data` | Object | Resolved credential payload (varies by provider and credential type) |
+
+| Parameter | Type | Description |
+|-----------|------|-------------|
+| `connectionId` | Text | Static connection ID. Overridden when wired from upstream. |
+
+**Example use cases:**
+- Resolve AWS IAM role credentials for Prowler scans
+- Fetch Slack webhook URLs for notification workflows
+- Multi-account workflows with per-account connection IDs
+
+---
+
+### AWS Org Discovery
+
+Lists all accounts in an AWS Organization using the `organizations:ListAccounts` API. Paginates through all accounts automatically.
+
+| Input | Type | Description |
+|-------|------|-------------|
+| `credentials` | AWS Credentials | AWS credentials with `organizations:ListAccounts` permission |
+
+| Output | Type | Description |
+|--------|------|-------------|
+| `accounts` | Array | List of `{ id, name, status, email }` objects |
+| `organizationId` | String | AWS Organization ID |
+
+**Example use cases:**
+- Discover all member accounts before running multi-account CSPM scans
+- Build inventory of active AWS accounts for compliance
+
+---
+
+### AWS Assume Role
+
+Assumes an AWS IAM role via STS `AssumeRole` and returns temporary credentials (1 hour TTL). Essential for cross-account access patterns.
+
+| Input | Type | Description |
+|-------|------|-------------|
+| `sourceCredentials` | AWS Credentials | Credentials used to call STS |
+
+| Parameter | Type | Description |
+|-----------|------|-------------|
+| `roleArn` | String | ARN of the IAM role to assume (required) |
+| `externalId` | String | Optional external ID for the trust policy |
+| `sessionName` | String | STS session name (default: `shipsec-session`) |
+
+| Output | Type | Description |
+|--------|------|-------------|
+| `credentials` | AWS Credentials | Temporary assumed-role credentials |
+
+**Example use cases:**
+- Cross-account Prowler scans using a central management account
+- Assume least-privilege roles for specific scan tasks
+
+---
+
 ## Storage Destinations
 
 ### Artifact Writer
diff --git a/docs/components/overview.mdx b/docs/components/overview.mdx
index ba42b9d7..f11c27d6 100644
--- a/docs/components/overview.mdx
+++ b/docs/components/overview.mdx
@@ -9,10 +9,10 @@ Components are the building blocks of ShipSec Studio workflows. Each component p
 
 <CardGroup cols={2}>
   <Card title="Core" icon="cube" href="/components/core">
-    Triggers, file handling, data transformation, and outputs
+    Triggers, file handling, data transformation, cloud integrations, and outputs
   </Card>
   <Card title="Security" icon="shield" href="/components/security">
-    Subdomain discovery, port scanning, DNS resolution, secret detection
+    Subdomain discovery, port scanning, DNS resolution, secret detection, CSPM
   </Card>
   <Card title="AI" icon="brain" href="/components/ai">
     Provider configurations and autonomous agents
@@ -69,6 +69,17 @@ Manual Trigger → TruffleHog → OpenAI Provider → AI Generate Text → Notif
 4. **AI Generate Text** – Analyzes and prioritizes findings
 5. **Notify** – Alerts team via Slack, Discord, or email
 
+### AWS Cloud Security Posture (CSPM)
+
+```
+Entry Point → Credential Resolver → Prowler Scan → Analytics Sink
+```
+
+1. **Entry Point** – Collects AWS connection ID and regions
+2. **Integration Credential Resolver** – Resolves AWS IAM credentials from the [Integrations](/integrations) system
+3. **Prowler Scan** – Runs cloud security posture checks (severity high/critical)
+4. **Analytics Sink** – Indexes findings into OpenSearch for dashboards and alerts
+
 ## Execution Context
 
 Components receive an `ExecutionContext` with access to:
diff --git a/docs/docs.json b/docs/docs.json
index 046e4014..c7cce05a 100644
--- a/docs/docs.json
+++ b/docs/docs.json
@@ -15,18 +15,15 @@
         "groups": [
           {
             "group": "Getting Started",
-            "pages": [
-              "index",
-              "quickstart",
-              "installation",
-              "command-reference"
-            ]
+            "pages": ["index", "quickstart", "installation", "command-reference"]
           },
           {
             "group": "Architecture",
-            "pages": [
-              "architecture"
-            ]
+            "pages": ["architecture"]
+          },
+          {
+            "group": "Integrations",
+            "pages": ["integrations"]
           },
           {
             "group": "Components",
diff --git a/docs/integrations.md b/docs/integrations.md
new file mode 100644
index 00000000..e95738b1
--- /dev/null
+++ b/docs/integrations.md
@@ -0,0 +1,280 @@
+# Integrations
+
+ShipSec Studio provides first-class integrations with cloud providers and communication platforms. Integrations allow workflows to securely resolve credentials at runtime without embedding secrets directly into workflow definitions.
+
+## Overview
+
+The integrations system consists of three layers:
+
+1. **Backend** -- Manages connection lifecycle, encrypted token storage, and credential resolution via REST API.
+2. **Frontend** -- Settings UI for connecting providers, managing connections, and viewing setup instructions.
+3. **Worker Components** -- Workflow nodes that resolve credentials from connections at execution time.
+
+---
+
+## Supported Providers
+
+### Amazon Web Services (AWS)
+
+Connect AWS accounts for cloud security posture management (CSPM), compliance scanning, and resource discovery.
+
+**Auth Method:** IAM Role with External ID (cross-account trust policy)
+
+**Supported Scenarios:**
+
+- Single AWS Account
+- Cross-Account via STS AssumeRole
+- AWS Organizations (multi-account discovery)
+
+### Slack
+
+Send workflow notifications, security alerts, and scan results to Slack channels.
+
+**Auth Methods:**
+
+- **Incoming Webhook** -- Simple webhook URL for posting messages to a channel
+- **OAuth App** -- Full Slack App integration with scopes: `channels:read`, `chat:write`, `chat:write.public`, `commands`, `im:write`, `team:read`
+
+---
+
+## Setting Up AWS
+
+### Step 1: Navigate to Integrations
+
+Open **Settings > Integrations** in the ShipSec Studio dashboard. Click the **AWS** card.
+
+### Step 2: Create an IAM Role
+
+The setup page displays a pre-generated **External ID** and an **IAM Trust Policy** JSON document. Use these to create an IAM role in your AWS account:
+
+1. Go to the AWS IAM Console > **Roles** > **Create Role**.
+2. Choose **Another AWS account** as the trusted entity.
+3. Paste the trust policy JSON from the ShipSec setup page.
+4. Attach your desired permissions policy (e.g., `ReadOnlyAccess`, `SecurityAudit`, or a custom policy).
+5. Name the role (e.g., `ShipSecStudioRole`) and create it.
+6. Copy the **Role ARN** (e.g., `arn:aws:iam::123456789012:role/ShipSecStudioRole`).
+
+### Step 3: Add the Connection
+
+Back in the ShipSec UI:
+
+1. Paste the **Role ARN** into the connection form.
+2. Optionally set a default **AWS Region** (defaults to `us-east-1`).
+3. Click **Connect**.
+
+ShipSec will validate the credentials by calling `sts:GetCallerIdentity`. If successful, the connection appears in your connections list.
+
+### Step 4: Discover Organization Accounts (Optional)
+
+If the IAM role has `organizations:ListAccounts` permission, click **Discover Accounts** on the connection detail page to list all member accounts in your AWS Organization.
+
+### Using AWS Connections in Workflows
+
+Wire the **Connection ID** (visible on the connection card) into a workflow's **Entry Point** runtime input, or configure it directly in the **Integration Credential Resolver** node parameter.
+
+The resolver will call the backend's internal credentials endpoint, assume the IAM role via STS, and output temporary credentials for downstream components like **Prowler Scan** or **AWS Org Discovery**.
+
+---
+
+## Setting Up Slack
+
+### Incoming Webhook
+
+1. Go to [Slack Incoming Webhooks](https://api.slack.com/messaging/webhooks) and create a webhook URL for your channel.
+2. In **Settings > Integrations > Slack**, select **Incoming Webhook** as the auth method.
+3. Paste the webhook URL and click **Connect**.
+4. Click **Test** to verify the connection sends a message to your channel.
+
+### OAuth App
+
+1. In **Settings > Integrations > Slack**, select **Slack App (OAuth)**.
+2. You'll be redirected to Slack's authorization page.
+3. Authorize the ShipSec app for your workspace.
+4. The connection is created automatically on successful authorization.
+
+> **Note:** OAuth requires the Slack provider to be configured by an admin (client ID and secret via `SLACK_OAUTH_CLIENT_ID` / `SLACK_OAUTH_CLIENT_SECRET` environment variables or the provider config API).
+
+---
+
+## API Reference
+
+### Provider Catalog
+
+| Method | Endpoint                | Description                                                                |
+| ------ | ----------------------- | -------------------------------------------------------------------------- |
+| GET    | `/integrations/catalog` | List all integration providers with their auth methods and setup scenarios |
+
+### Connection Management
+
+| Method | Endpoint                                | Description                                                            |
+| ------ | --------------------------------------- | ---------------------------------------------------------------------- |
+| GET    | `/integrations/connections`             | List connections for the authenticated user                            |
+| GET    | `/integrations/org/connections`         | List organization-scoped connections (optional `?provider=aws` filter) |
+| DELETE | `/integrations/connections/:id`         | Remove a connection                                                    |
+| POST   | `/integrations/connections/:id/refresh` | Refresh connection tokens                                              |
+
+### AWS Endpoints
+
+| Method | Endpoint                                         | Description                                         |
+| ------ | ------------------------------------------------ | --------------------------------------------------- |
+| GET    | `/integrations/aws/setup-info`                   | Get External ID and IAM trust policy for role setup |
+| POST   | `/integrations/aws/connections`                  | Create an AWS IAM role connection                   |
+| POST   | `/integrations/aws/connections/:id/validate`     | Validate an AWS connection's credentials            |
+| POST   | `/integrations/aws/connections/:id/discover-org` | Discover AWS Organization member accounts           |
+
+### Slack Endpoints
+
+| Method | Endpoint                                   | Description                                  |
+| ------ | ------------------------------------------ | -------------------------------------------- |
+| POST   | `/integrations/slack/connections`          | Create a Slack webhook connection            |
+| POST   | `/integrations/slack/connections/:id/test` | Send a test message via the Slack connection |
+
+### OAuth Flow
+
+| Method | Endpoint                           | Description                                         |
+| ------ | ---------------------------------- | --------------------------------------------------- |
+| POST   | `/integrations/:provider/start`    | Initiate OAuth session (returns `authorizationUrl`) |
+| POST   | `/integrations/:provider/exchange` | Complete OAuth token exchange                       |
+
+### Internal Endpoints (Worker-to-Backend)
+
+These endpoints are called by worker components at runtime and are protected by the `X-Internal-Token` header:
+
+| Method | Endpoint                                    | Description                                                         |
+| ------ | ------------------------------------------- | ------------------------------------------------------------------- |
+| POST   | `/integrations/connections/:id/token`       | Issue raw connection token                                          |
+| POST   | `/integrations/connections/:id/credentials` | Resolve typed credentials (provider, type, data, accountId, region) |
+
+---
+
+## Workflow Components
+
+Three new core components support integrations in workflows:
+
+### Integration Credential Resolver
+
+**Component ID:** `core.integration.resolve-credentials`
+
+Resolves credentials from an integration connection at runtime. This is the bridge between the integrations system and workflow execution.
+
+| Input          | Type | Description                                                           |
+| -------------- | ---- | --------------------------------------------------------------------- |
+| `connectionId` | Text | Integration connection ID (wire from Entry Point or set as parameter) |
+| `regions`      | Text | Optional region override (comma-separated)                            |
+
+| Output           | Type   | Description                                                 |
+| ---------------- | ------ | ----------------------------------------------------------- |
+| `credentialType` | String | Credential type (e.g., `iam_role`, `oauth`, `webhook`)      |
+| `provider`       | String | Provider name (e.g., `aws`, `slack`)                        |
+| `accountId`      | String | Provider account identifier (e.g., AWS 12-digit account ID) |
+| `regions`        | String | Resolved regions (input override or connection default)     |
+| `data`           | Object | Raw credential payload (varies by provider)                 |
+
+### AWS Org Discovery
+
+**Component ID:** `core.aws.org-discovery`
+
+Lists all accounts in an AWS Organization using `organizations:ListAccounts`. Paginates automatically.
+
+| Input         | Type            | Description                                    |
+| ------------- | --------------- | ---------------------------------------------- |
+| `credentials` | AWS Credentials | AWS credentials with Organizations permissions |
+
+| Output           | Type   | Description                                   |
+| ---------------- | ------ | --------------------------------------------- |
+| `accounts`       | Array  | List of `{ id, name, status, email }` objects |
+| `organizationId` | String | AWS Organization ID                           |
+
+### AWS Assume Role
+
+**Component ID:** `core.aws.assume-role`
+
+Assumes an IAM role via STS and returns temporary credentials. Useful for cross-account access patterns.
+
+| Input               | Type            | Description                         |
+| ------------------- | --------------- | ----------------------------------- |
+| `sourceCredentials` | AWS Credentials | Credentials to use when calling STS |
+
+| Parameter     | Type   | Description                                   |
+| ------------- | ------ | --------------------------------------------- |
+| `roleArn`     | String | ARN of the IAM role to assume                 |
+| `externalId`  | String | Optional external ID for the trust policy     |
+| `sessionName` | String | STS session name (default: `shipsec-session`) |
+
+| Output        | Type            | Description                                     |
+| ------------- | --------------- | ----------------------------------------------- |
+| `credentials` | AWS Credentials | Temporary assumed-role credentials (1 hour TTL) |
+
+---
+
+## Sample Workflows
+
+Two pre-built workflow templates are available in `docs/sample/`:
+
+### AWS CSPM -- Org Account Discovery
+
+**File:** `docs/sample/aws-cspm-org-discovery.json`
+
+```
+Entry Point → Resolve Credentials → Org Discovery
+                                  → Assume Role
+```
+
+Resolves AWS credentials from an integration connection, discovers all member accounts in the AWS Organization, and optionally assumes a cross-account role.
+
+**Runtime Inputs:**
+
+- `connectionId` (required) -- AWS integration connection ID
+- `targetRoleArn` (optional) -- Cross-account role to assume
+- `externalId` (optional) -- External ID for the trust policy
+
+### AWS CSPM -- Prowler Scan to Analytics
+
+**File:** `docs/sample/aws-cspm-prowler-to-analytics.json`
+
+```
+Entry Point → Resolve Credentials → Prowler Scan → Analytics Sink
+```
+
+End-to-end CSPM workflow: resolves AWS credentials, runs a Prowler security scan (severity high/critical), and indexes the results into the Analytics dashboard via OpenSearch.
+
+**Runtime Inputs:**
+
+- `connectionId` (required) -- AWS integration connection ID
+- `regions` (optional) -- Comma-separated AWS regions (default: `us-east-1`)
+
+### Importing Sample Workflows
+
+**Via the UI:** Go to **Workflows** > **Import** and upload the JSON file.
+
+**Via the API:**
+
+```bash
+curl -X POST http://localhost:3211/api/v1/workflows \
+  -H "Content-Type: application/json" \
+  -H "Authorization: Basic $(echo -n admin:admin | base64)" \
+  -d @docs/sample/aws-cspm-prowler-to-analytics.json
+```
+
+**Via the seed script:**
+
+```bash
+cd backend
+bun run seed:aws-workflow
+```
+
+---
+
+## Environment Variables
+
+| Variable                        | Description                                   | Required         |
+| ------------------------------- | --------------------------------------------- | ---------------- |
+| `INTEGRATION_STORE_MASTER_KEY`  | 32-character encryption key for token storage | Yes (production) |
+| `SHIPSEC_PLATFORM_ROLE_ARN`     | Platform IAM role ARN for AWS STS operations  | Yes (AWS)        |
+| `SHIPSEC_AWS_ACCESS_KEY_ID`     | Platform AWS access key for STS calls         | Yes (AWS)        |
+| `SHIPSEC_AWS_SECRET_ACCESS_KEY` | Platform AWS secret key for STS calls         | Yes (AWS)        |
+| `SLACK_OAUTH_CLIENT_ID`         | Slack OAuth app client ID                     | For Slack OAuth  |
+| `SLACK_OAUTH_CLIENT_SECRET`     | Slack OAuth app client secret                 | For Slack OAuth  |
+| `INTERNAL_SERVICE_TOKEN`        | Shared token for worker-to-backend auth       | Recommended      |
+
+> **Dev Fallback:** In development, `INTEGRATION_STORE_MASTER_KEY` falls back to a hardcoded key with a console warning. Do not use the fallback in production.

From 0ea37c0ccc3efebc7a561b3a9ada91f0a26c6e79 Mon Sep 17 00:00:00 2001
From: Aseem Shrey <LuD1161@users.noreply.github.com>
Date: Wed, 11 Feb 2026 23:15:59 -0500
Subject: [PATCH 4/5] docs: add AWS Prowler to Slack summary sample workflow

Add a new sample workflow JSON that chains AWS credential resolution,
Prowler security scan, and Slack notification via webhook. The Slack
message includes a formatted summary with finding counts by severity.

Signed-off-by: Aseem Shrey <LuD1161@users.noreply.github.com>
---
 docs/integrations.md                          |  18 ++-
 .../aws-cspm-prowler-slack-summary.json       | 139 ++++++++++++++++++
 2 files changed, 156 insertions(+), 1 deletion(-)
 create mode 100644 docs/sample/aws-cspm-prowler-slack-summary.json

diff --git a/docs/integrations.md b/docs/integrations.md
index e95738b1..5c6c9418 100644
--- a/docs/integrations.md
+++ b/docs/integrations.md
@@ -209,7 +209,7 @@ Assumes an IAM role via STS and returns temporary credentials. Useful for cross-
 
 ## Sample Workflows
 
-Two pre-built workflow templates are available in `docs/sample/`:
+Three pre-built workflow templates are available in `docs/sample/`:
 
 ### AWS CSPM -- Org Account Discovery
 
@@ -243,6 +243,22 @@ End-to-end CSPM workflow: resolves AWS credentials, runs a Prowler security scan
 - `connectionId` (required) -- AWS integration connection ID
 - `regions` (optional) -- Comma-separated AWS regions (default: `us-east-1`)
 
+### AWS CSPM -- Prowler Scan to Slack Summary
+
+**File:** `docs/sample/aws-cspm-prowler-slack-summary.json`
+
+```
+Entry Point → Resolve Credentials → Prowler Scan → Slack Message
+```
+
+Resolves AWS credentials, runs a Prowler security scan (severity high/critical), and sends a formatted summary of findings to a Slack channel via an Incoming Webhook.
+
+**Runtime Inputs:**
+
+- `connectionId` (required) -- AWS integration connection ID
+- `regions` (optional) -- Comma-separated AWS regions (default: `us-east-1`)
+- `slackWebhookUrl` (required) -- Slack Incoming Webhook URL for the target channel
+
 ### Importing Sample Workflows
 
 **Via the UI:** Go to **Workflows** > **Import** and upload the JSON file.
diff --git a/docs/sample/aws-cspm-prowler-slack-summary.json b/docs/sample/aws-cspm-prowler-slack-summary.json
new file mode 100644
index 00000000..5d1aa772
--- /dev/null
+++ b/docs/sample/aws-cspm-prowler-slack-summary.json
@@ -0,0 +1,139 @@
+{
+  "name": "AWS CSPM – Prowler Scan to Slack Summary",
+  "description": "Resolves AWS credentials from an integration connection, runs a Prowler security scan (high+critical severity), and sends a summary of findings to a Slack channel via webhook.",
+  "nodes": [
+    {
+      "id": "entry-1",
+      "type": "core.workflow.entrypoint",
+      "position": { "x": 300, "y": 50 },
+      "data": {
+        "label": "Entry Point",
+        "config": {
+          "params": {
+            "runtimeInputs": [
+              {
+                "id": "connectionId",
+                "label": "AWS Integration Connection ID",
+                "type": "text",
+                "required": true,
+                "description": "The ID of the AWS integration connection. Find this in Settings > Integrations > AWS."
+              },
+              {
+                "id": "regions",
+                "label": "AWS Regions",
+                "type": "text",
+                "required": false,
+                "description": "Comma-separated AWS regions to scan. Defaults to us-east-1.",
+                "default": "us-east-1"
+              },
+              {
+                "id": "slackWebhookUrl",
+                "label": "Slack Webhook URL",
+                "type": "text",
+                "required": true,
+                "description": "Slack Incoming Webhook URL to send the scan summary to."
+              }
+            ]
+          },
+          "inputOverrides": {}
+        }
+      }
+    },
+    {
+      "id": "resolve-creds-1",
+      "type": "core.integration.resolve-credentials",
+      "position": { "x": 300, "y": 280 },
+      "data": {
+        "label": "Resolve AWS Credentials",
+        "config": {
+          "params": {},
+          "inputOverrides": {}
+        }
+      }
+    },
+    {
+      "id": "prowler-1",
+      "type": "security.prowler.scan",
+      "position": { "x": 300, "y": 510 },
+      "data": {
+        "label": "Prowler Security Scan",
+        "config": {
+          "params": {
+            "scanMode": "aws",
+            "recommendedFlags": ["severity-high-critical", "ignore-exit-code", "no-banner"]
+          },
+          "inputOverrides": {}
+        }
+      }
+    },
+    {
+      "id": "slack-1",
+      "type": "core.notification.slack",
+      "position": { "x": 300, "y": 770 },
+      "data": {
+        "label": "Slack Scan Summary",
+        "config": {
+          "params": {
+            "authType": "webhook",
+            "variables": [{ "name": "scanSummary", "type": "json" }]
+          },
+          "inputOverrides": {
+            "text": "🔒 *Prowler Security Scan Complete*\n\n📊 *Summary*\n• Total findings: {{totalFindings}}\n• Failed: {{failed}} | Passed: {{passed}}\n• Regions: {{regions}}\n\n🔴 Critical: {{critical}} | 🟠 High: {{high}} | 🟡 Medium: {{medium}} | 🟢 Low: {{low}}\n\nGenerated at {{generatedAt}}"
+          }
+        }
+      }
+    }
+  ],
+  "edges": [
+    {
+      "id": "e-entry-to-resolve",
+      "source": "entry-1",
+      "target": "resolve-creds-1",
+      "sourceHandle": "connectionId",
+      "targetHandle": "connectionId"
+    },
+    {
+      "id": "e-entry-to-resolve-regions",
+      "source": "entry-1",
+      "target": "resolve-creds-1",
+      "sourceHandle": "regions",
+      "targetHandle": "regions"
+    },
+    {
+      "id": "e-resolve-to-prowler-creds",
+      "source": "resolve-creds-1",
+      "target": "prowler-1",
+      "sourceHandle": "data",
+      "targetHandle": "credentials"
+    },
+    {
+      "id": "e-resolve-to-prowler-account",
+      "source": "resolve-creds-1",
+      "target": "prowler-1",
+      "sourceHandle": "accountId",
+      "targetHandle": "accountId"
+    },
+    {
+      "id": "e-entry-to-prowler-regions",
+      "source": "entry-1",
+      "target": "prowler-1",
+      "sourceHandle": "regions",
+      "targetHandle": "regions"
+    },
+    {
+      "id": "e-entry-to-slack-webhook",
+      "source": "entry-1",
+      "target": "slack-1",
+      "sourceHandle": "slackWebhookUrl",
+      "targetHandle": "webhookUrl"
+    },
+    {
+      "id": "e-prowler-to-slack-summary",
+      "source": "prowler-1",
+      "target": "slack-1",
+      "sourceHandle": "summary",
+      "targetHandle": "scanSummary"
+    }
+  ],
+  "viewport": { "x": 0, "y": 0, "zoom": 1 }
+}

From 95d961d9b6f3b2754832bfec157f875e5561769f Mon Sep 17 00:00:00 2001
From: Aseem Shrey <LuD1161@users.noreply.github.com>
Date: Thu, 12 Feb 2026 16:22:36 -0500
Subject: [PATCH 5/5] feat: enhance prowler scanning, slack notifications, and
 AWS components

Refactor prowler-scan with shared utilities, improve slack notification
formatting, enhance AWS assume-role and org-discovery with integration
credential resolver support, update opensearch indexer, and improve
frontend workflow parameter handling and integration detail page.

Signed-off-by: Aseem Shrey <LuD1161@users.noreply.github.com>
---
 backend/package.json                          |    5 +-
 .../src/components/utils/categorization.ts    |   24 +
 backend/src/integrations/aws.service.ts       |    2 +-
 .../src/integrations/integration-catalog.ts   |    2 +-
 backend/src/integrations/slack.service.ts     |    8 +-
 bun.lock                                      |   19 +-
 docker/docker-compose.full.yml                |    2 +
 docker/docker-compose.infra.yml               |   54 +-
 docker/opensearch-init.sh                     |   47 +-
 docs/components/security.mdx                  |   61 +-
 docs/integrations.md                          |   31 +-
 docs/sample/aws-cspm-org-discovery.json       |    2 +-
 .../aws-cspm-org-prowler-to-analytics.json    |  125 ++
 .../aws-cspm-prowler-slack-summary.json       |   78 +-
 .../sample/aws-cspm-prowler-to-analytics.json |    2 +-
 docs/user-guide.md                            |   15 +
 .../src/components/workflow/ConfigPanel.tsx   |    1 +
 .../components/workflow/ParameterField.tsx    |   35 +-
 frontend/src/pages/IntegrationCallback.tsx    |    4 +-
 frontend/src/pages/IntegrationDetailPage.tsx  |  136 +-
 frontend/src/schemas/component.ts             |    1 +
 frontend/src/store/integrationStore.ts        |   24 +-
 packages/backend-client/src/client.ts         |   10 +-
 packages/component-sdk/src/types.ts           |    6 +-
 worker/src/components/core/aws-assume-role.ts |   88 +-
 .../src/components/core/aws-org-discovery.ts  |   67 +-
 worker/src/components/core/entry-point.ts     |   12 +-
 .../core/integration-credential-resolver.ts   |    9 +
 worker/src/components/notification/slack.ts   |  218 ++-
 .../src/components/security/prowler-scan.ts   | 1602 +++++++++--------
 .../src/components/security/prowler-shared.ts |  506 ++++++
 .../activities/run-component.activity.ts      |   15 +-
 worker/src/temporal/utils/component-output.ts |   20 +-
 worker/src/temporal/workflow-runner.ts        |    3 +
 worker/src/utils/opensearch-indexer.ts        |   64 +-
 35 files changed, 2295 insertions(+), 1003 deletions(-)
 create mode 100644 docs/sample/aws-cspm-org-prowler-to-analytics.json
 create mode 100644 worker/src/components/security/prowler-shared.ts

diff --git a/backend/package.json b/backend/package.json
index c8e9b629..dfb194a2 100644
--- a/backend/package.json
+++ b/backend/package.json
@@ -19,6 +19,8 @@
     "seed:aws-workflow": "bun scripts/seed-aws-cspm-workflow.ts"
   },
   "dependencies": {
+    "@aws-sdk/client-organizations": "^3.750.0",
+    "@aws-sdk/client-sts": "^3.750.0",
     "@clerk/backend": "^2.29.5",
     "@clerk/types": "^4.101.13",
     "@grpc/grpc-js": "^1.14.3",
@@ -30,8 +32,6 @@
     "@nestjs/platform-express": "^10.4.22",
     "@nestjs/swagger": "^11.2.5",
     "@nestjs/throttler": "^6.5.0",
-    "@aws-sdk/client-organizations": "^3.750.0",
-    "@aws-sdk/client-sts": "^3.750.0",
     "@opensearch-project/opensearch": "^3.5.1",
     "@shipsec/backend-client": "workspace:*",
     "@shipsec/component-sdk": "workspace:*",
@@ -48,6 +48,7 @@
     "bcryptjs": "^3.0.3",
     "class-transformer": "^0.5.1",
     "class-validator": "^0.14.3",
+    "cookie-parser": "^1.4.7",
     "date-fns": "^4.1.0",
     "dotenv": "^17.2.3",
     "drizzle-orm": "^0.44.7",
diff --git a/backend/src/components/utils/categorization.ts b/backend/src/components/utils/categorization.ts
index f3081054..70b9d465 100644
--- a/backend/src/components/utils/categorization.ts
+++ b/backend/src/components/utils/categorization.ts
@@ -18,6 +18,9 @@ const SUPPORTED_CATEGORIES: readonly ComponentCategory[] = [
   'notification',
   'manual_action',
   'output',
+  'process',
+  'cloud',
+  'core',
 ];
 
 const COMPONENT_CATEGORY_CONFIG: Record<ComponentCategory, ComponentCategoryConfig> = {
@@ -84,6 +87,27 @@ const COMPONENT_CATEGORY_CONFIG: Record<ComponentCategory, ComponentCategoryConf
     emoji: '📤',
     icon: 'Upload',
   },
+  process: {
+    label: 'Process',
+    color: 'text-slate-600',
+    description: 'Data processing and transformation steps',
+    emoji: '⚙️',
+    icon: 'Cog',
+  },
+  cloud: {
+    label: 'Cloud',
+    color: 'text-sky-600',
+    description: 'Cloud provider integrations and services',
+    emoji: '☁️',
+    icon: 'Cloud',
+  },
+  core: {
+    label: 'Core',
+    color: 'text-gray-600',
+    description: 'Core platform utilities and credential management',
+    emoji: '🔧',
+    icon: 'Wrench',
+  },
 };
 
 function normalizeCategory(category?: string | null): ComponentCategory | null {
diff --git a/backend/src/integrations/aws.service.ts b/backend/src/integrations/aws.service.ts
index 351f1a24..552bf918 100644
--- a/backend/src/integrations/aws.service.ts
+++ b/backend/src/integrations/aws.service.ts
@@ -171,7 +171,7 @@ export class AwsService implements OnModuleInit {
       return { accounts };
     } catch (error) {
       this.logger.error('Failed to discover organization accounts', error);
-      throw new Error(error.message || 'Failed to discover organization accounts');
+      throw new Error((error as Error).message || 'Failed to discover organization accounts');
     }
   }
 }
diff --git a/backend/src/integrations/integration-catalog.ts b/backend/src/integrations/integration-catalog.ts
index 929a1846..fe63ebc8 100644
--- a/backend/src/integrations/integration-catalog.ts
+++ b/backend/src/integrations/integration-catalog.ts
@@ -50,7 +50,7 @@ export const AWS_PROVIDER: IntegrationProviderDefinition = {
       type: 'iam_role',
       label: 'IAM Role',
       description:
-        'Create an IAM role in your AWS account with a trust policy that allows the ShipSec platform to assume it. No customer secrets are stored.',
+        'Create an IAM role in your AWS account (IAM → Roles → Create role → "Custom trust policy") that allows the ShipSec platform to assume it. No customer secrets are stored.',
       fields: [
         {
           id: 'roleArn',
diff --git a/backend/src/integrations/slack.service.ts b/backend/src/integrations/slack.service.ts
index beab2949..3b0ca30b 100644
--- a/backend/src/integrations/slack.service.ts
+++ b/backend/src/integrations/slack.service.ts
@@ -53,7 +53,7 @@ export class SlackService {
         },
       });
 
-      const data = await response.json();
+      const data: any = await response.json();
 
       if (!data.ok) {
         this.logger.error(`Slack auth.test failed: ${data.error}`);
@@ -89,7 +89,7 @@ export class SlackService {
         },
       });
 
-      const data = await response.json();
+      const data: any = await response.json();
 
       if (!data.ok) {
         this.logger.warn(`Slack team.info failed: ${data.error}`);
@@ -126,7 +126,7 @@ export class SlackService {
         },
       });
 
-      const data = await response.json();
+      const data: any = await response.json();
 
       if (!data.ok) {
         this.logger.error(`Slack API error: ${data.error}`);
@@ -166,7 +166,7 @@ export class SlackService {
         }),
       });
 
-      const data = await response.json();
+      const data: any = await response.json();
 
       if (!data.ok) {
         this.logger.error(`Failed to send message: ${data.error}`);
diff --git a/bun.lock b/bun.lock
index bd31553e..12285b42 100644
--- a/bun.lock
+++ b/bun.lock
@@ -60,6 +60,7 @@
         "bcryptjs": "^3.0.3",
         "class-transformer": "^0.5.1",
         "class-validator": "^0.14.3",
+        "cookie-parser": "^1.4.7",
         "date-fns": "^4.1.0",
         "dotenv": "^17.2.3",
         "drizzle-orm": "^0.44.7",
@@ -355,13 +356,13 @@
 
     "@aws-crypto/util": ["@aws-crypto/util@5.2.0", "", { "dependencies": { "@aws-sdk/types": "^3.222.0", "@smithy/util-utf8": "^2.0.0", "tslib": "^2.6.2" } }, "sha512-4RkU9EsI6ZpBve5fseQlGNUWKMa1RLPQ1dnjnQoe07ldfIzcsGb5hC5W0Dm7u423KWzawlrpbjXBrXCEv9zazQ=="],
 
-    "@aws-sdk/client-organizations": ["@aws-sdk/client-organizations@3.986.0", "", { "dependencies": { "@aws-crypto/sha256-browser": "5.2.0", "@aws-crypto/sha256-js": "5.2.0", "@aws-sdk/core": "^3.973.7", "@aws-sdk/credential-provider-node": "^3.972.6", "@aws-sdk/middleware-host-header": "^3.972.3", "@aws-sdk/middleware-logger": "^3.972.3", "@aws-sdk/middleware-recursion-detection": "^3.972.3", "@aws-sdk/middleware-user-agent": "^3.972.7", "@aws-sdk/region-config-resolver": "^3.972.3", "@aws-sdk/types": "^3.973.1", "@aws-sdk/util-endpoints": "3.986.0", "@aws-sdk/util-user-agent-browser": "^3.972.3", "@aws-sdk/util-user-agent-node": "^3.972.5", "@smithy/config-resolver": "^4.4.6", "@smithy/core": "^3.22.1", "@smithy/fetch-http-handler": "^5.3.9", "@smithy/hash-node": "^4.2.8", "@smithy/invalid-dependency": "^4.2.8", "@smithy/middleware-content-length": "^4.2.8", "@smithy/middleware-endpoint": "^4.4.13", "@smithy/middleware-retry": "^4.4.30", "@smithy/middleware-serde": "^4.2.9", "@smithy/middleware-stack": "^4.2.8", "@smithy/node-config-provider": "^4.3.8", "@smithy/node-http-handler": "^4.4.9", "@smithy/protocol-http": "^5.3.8", "@smithy/smithy-client": "^4.11.2", "@smithy/types": "^4.12.0", "@smithy/url-parser": "^4.2.8", "@smithy/util-base64": "^4.3.0", "@smithy/util-body-length-browser": "^4.2.0", "@smithy/util-body-length-node": "^4.2.1", "@smithy/util-defaults-mode-browser": "^4.3.29", "@smithy/util-defaults-mode-node": "^4.2.32", "@smithy/util-endpoints": "^3.2.8", "@smithy/util-middleware": "^4.2.8", "@smithy/util-retry": "^4.2.8", "@smithy/util-utf8": "^4.2.0", "tslib": "^2.6.2" } }, "sha512-t3uDpFtbUm4gW92EUJd0eEJW2K5FAeePBgbiAHg88mNTaKzLvHj3C96Kxc3yUg1xHH6XNKjEm+8yCuQ7LDrdPw=="],
+    "@aws-sdk/client-organizations": ["@aws-sdk/client-organizations@3.987.0", "", { "dependencies": { "@aws-crypto/sha256-browser": "5.2.0", "@aws-crypto/sha256-js": "5.2.0", "@aws-sdk/core": "^3.973.7", "@aws-sdk/credential-provider-node": "^3.972.6", "@aws-sdk/middleware-host-header": "^3.972.3", "@aws-sdk/middleware-logger": "^3.972.3", "@aws-sdk/middleware-recursion-detection": "^3.972.3", "@aws-sdk/middleware-user-agent": "^3.972.7", "@aws-sdk/region-config-resolver": "^3.972.3", "@aws-sdk/types": "^3.973.1", "@aws-sdk/util-endpoints": "3.987.0", "@aws-sdk/util-user-agent-browser": "^3.972.3", "@aws-sdk/util-user-agent-node": "^3.972.5", "@smithy/config-resolver": "^4.4.6", "@smithy/core": "^3.22.1", "@smithy/fetch-http-handler": "^5.3.9", "@smithy/hash-node": "^4.2.8", "@smithy/invalid-dependency": "^4.2.8", "@smithy/middleware-content-length": "^4.2.8", "@smithy/middleware-endpoint": "^4.4.13", "@smithy/middleware-retry": "^4.4.30", "@smithy/middleware-serde": "^4.2.9", "@smithy/middleware-stack": "^4.2.8", "@smithy/node-config-provider": "^4.3.8", "@smithy/node-http-handler": "^4.4.9", "@smithy/protocol-http": "^5.3.8", "@smithy/smithy-client": "^4.11.2", "@smithy/types": "^4.12.0", "@smithy/url-parser": "^4.2.8", "@smithy/util-base64": "^4.3.0", "@smithy/util-body-length-browser": "^4.2.0", "@smithy/util-body-length-node": "^4.2.1", "@smithy/util-defaults-mode-browser": "^4.3.29", "@smithy/util-defaults-mode-node": "^4.2.32", "@smithy/util-endpoints": "^3.2.8", "@smithy/util-middleware": "^4.2.8", "@smithy/util-retry": "^4.2.8", "@smithy/util-utf8": "^4.2.0", "tslib": "^2.6.2" } }, "sha512-fz9OOrZj+ywtcCh4rVnCd38epnRQ7xg/khPi0l4CXQX4vorrSajOEzM0G89MlP1E0g5tId8Frbe/SlRvkpsSng=="],
 
     "@aws-sdk/client-s3": ["@aws-sdk/client-s3@3.980.0", "", { "dependencies": { "@aws-crypto/sha1-browser": "5.2.0", "@aws-crypto/sha256-browser": "5.2.0", "@aws-crypto/sha256-js": "5.2.0", "@aws-sdk/core": "^3.973.5", "@aws-sdk/credential-provider-node": "^3.972.4", "@aws-sdk/middleware-bucket-endpoint": "^3.972.3", "@aws-sdk/middleware-expect-continue": "^3.972.3", "@aws-sdk/middleware-flexible-checksums": "^3.972.3", "@aws-sdk/middleware-host-header": "^3.972.3", "@aws-sdk/middleware-location-constraint": "^3.972.3", "@aws-sdk/middleware-logger": "^3.972.3", "@aws-sdk/middleware-recursion-detection": "^3.972.3", "@aws-sdk/middleware-sdk-s3": "^3.972.5", "@aws-sdk/middleware-ssec": "^3.972.3", "@aws-sdk/middleware-user-agent": "^3.972.5", "@aws-sdk/region-config-resolver": "^3.972.3", "@aws-sdk/signature-v4-multi-region": "3.980.0", "@aws-sdk/types": "^3.973.1", "@aws-sdk/util-endpoints": "3.980.0", "@aws-sdk/util-user-agent-browser": "^3.972.3", "@aws-sdk/util-user-agent-node": "^3.972.3", "@smithy/config-resolver": "^4.4.6", "@smithy/core": "^3.22.0", "@smithy/eventstream-serde-browser": "^4.2.8", "@smithy/eventstream-serde-config-resolver": "^4.3.8", "@smithy/eventstream-serde-node": "^4.2.8", "@smithy/fetch-http-handler": "^5.3.9", "@smithy/hash-blob-browser": "^4.2.9", "@smithy/hash-node": "^4.2.8", "@smithy/hash-stream-node": "^4.2.8", "@smithy/invalid-dependency": "^4.2.8", "@smithy/md5-js": "^4.2.8", "@smithy/middleware-content-length": "^4.2.8", "@smithy/middleware-endpoint": "^4.4.12", "@smithy/middleware-retry": "^4.4.29", "@smithy/middleware-serde": "^4.2.9", "@smithy/middleware-stack": "^4.2.8", "@smithy/node-config-provider": "^4.3.8", "@smithy/node-http-handler": "^4.4.8", "@smithy/protocol-http": "^5.3.8", "@smithy/smithy-client": "^4.11.1", "@smithy/types": "^4.12.0", "@smithy/url-parser": "^4.2.8", "@smithy/util-base64": "^4.3.0", "@smithy/util-body-length-browser": "^4.2.0", "@smithy/util-body-length-node": "^4.2.1", "@smithy/util-defaults-mode-browser": "^4.3.28", "@smithy/util-defaults-mode-node": "^4.2.31", "@smithy/util-endpoints": "^3.2.8", "@smithy/util-middleware": "^4.2.8", "@smithy/util-retry": "^4.2.8", "@smithy/util-stream": "^4.5.10", "@smithy/util-utf8": "^4.2.0", "@smithy/util-waiter": "^4.2.8", "tslib": "^2.6.2" } }, "sha512-ch8QqKehyn1WOYbd8LyDbWjv84Z9OEj9qUxz8q3IOCU3ftAVkVR0wAuN96a1xCHnpOJcQZo3rOB08RlyKdkGxQ=="],
 
     "@aws-sdk/client-sso": ["@aws-sdk/client-sso@3.985.0", "", { "dependencies": { "@aws-crypto/sha256-browser": "5.2.0", "@aws-crypto/sha256-js": "5.2.0", "@aws-sdk/core": "^3.973.7", "@aws-sdk/middleware-host-header": "^3.972.3", "@aws-sdk/middleware-logger": "^3.972.3", "@aws-sdk/middleware-recursion-detection": "^3.972.3", "@aws-sdk/middleware-user-agent": "^3.972.7", "@aws-sdk/region-config-resolver": "^3.972.3", "@aws-sdk/types": "^3.973.1", "@aws-sdk/util-endpoints": "3.985.0", "@aws-sdk/util-user-agent-browser": "^3.972.3", "@aws-sdk/util-user-agent-node": "^3.972.5", "@smithy/config-resolver": "^4.4.6", "@smithy/core": "^3.22.1", "@smithy/fetch-http-handler": "^5.3.9", "@smithy/hash-node": "^4.2.8", "@smithy/invalid-dependency": "^4.2.8", "@smithy/middleware-content-length": "^4.2.8", "@smithy/middleware-endpoint": "^4.4.13", "@smithy/middleware-retry": "^4.4.30", "@smithy/middleware-serde": "^4.2.9", "@smithy/middleware-stack": "^4.2.8", "@smithy/node-config-provider": "^4.3.8", "@smithy/node-http-handler": "^4.4.9", "@smithy/protocol-http": "^5.3.8", "@smithy/smithy-client": "^4.11.2", "@smithy/types": "^4.12.0", "@smithy/url-parser": "^4.2.8", "@smithy/util-base64": "^4.3.0", "@smithy/util-body-length-browser": "^4.2.0", "@smithy/util-body-length-node": "^4.2.1", "@smithy/util-defaults-mode-browser": "^4.3.29", "@smithy/util-defaults-mode-node": "^4.2.32", "@smithy/util-endpoints": "^3.2.8", "@smithy/util-middleware": "^4.2.8", "@smithy/util-retry": "^4.2.8", "@smithy/util-utf8": "^4.2.0", "tslib": "^2.6.2" } }, "sha512-81J8iE8MuXhdbMfIz4sWFj64Pe41bFi/uqqmqOC5SlGv+kwoyLsyKS/rH2tW2t5buih4vTUxskRjxlqikTD4oQ=="],
 
-    "@aws-sdk/client-sts": ["@aws-sdk/client-sts@3.986.0", "", { "dependencies": { "@aws-crypto/sha256-browser": "5.2.0", "@aws-crypto/sha256-js": "5.2.0", "@aws-sdk/core": "^3.973.7", "@aws-sdk/credential-provider-node": "^3.972.6", "@aws-sdk/middleware-host-header": "^3.972.3", "@aws-sdk/middleware-logger": "^3.972.3", "@aws-sdk/middleware-recursion-detection": "^3.972.3", "@aws-sdk/middleware-user-agent": "^3.972.7", "@aws-sdk/region-config-resolver": "^3.972.3", "@aws-sdk/types": "^3.973.1", "@aws-sdk/util-endpoints": "3.986.0", "@aws-sdk/util-user-agent-browser": "^3.972.3", "@aws-sdk/util-user-agent-node": "^3.972.5", "@smithy/config-resolver": "^4.4.6", "@smithy/core": "^3.22.1", "@smithy/fetch-http-handler": "^5.3.9", "@smithy/hash-node": "^4.2.8", "@smithy/invalid-dependency": "^4.2.8", "@smithy/middleware-content-length": "^4.2.8", "@smithy/middleware-endpoint": "^4.4.13", "@smithy/middleware-retry": "^4.4.30", "@smithy/middleware-serde": "^4.2.9", "@smithy/middleware-stack": "^4.2.8", "@smithy/node-config-provider": "^4.3.8", "@smithy/node-http-handler": "^4.4.9", "@smithy/protocol-http": "^5.3.8", "@smithy/smithy-client": "^4.11.2", "@smithy/types": "^4.12.0", "@smithy/url-parser": "^4.2.8", "@smithy/util-base64": "^4.3.0", "@smithy/util-body-length-browser": "^4.2.0", "@smithy/util-body-length-node": "^4.2.1", "@smithy/util-defaults-mode-browser": "^4.3.29", "@smithy/util-defaults-mode-node": "^4.2.32", "@smithy/util-endpoints": "^3.2.8", "@smithy/util-middleware": "^4.2.8", "@smithy/util-retry": "^4.2.8", "@smithy/util-utf8": "^4.2.0", "tslib": "^2.6.2" } }, "sha512-MKL3OSaUXJ4Xftl+sm7n7o8pJmX5FQgIFc/suWPoNvKEdMJOC+/+2DYjjpASw5X89LL4+9xL2BHhz0y32m5FYw=="],
+    "@aws-sdk/client-sts": ["@aws-sdk/client-sts@3.987.0", "", { "dependencies": { "@aws-crypto/sha256-browser": "5.2.0", "@aws-crypto/sha256-js": "5.2.0", "@aws-sdk/core": "^3.973.7", "@aws-sdk/credential-provider-node": "^3.972.6", "@aws-sdk/middleware-host-header": "^3.972.3", "@aws-sdk/middleware-logger": "^3.972.3", "@aws-sdk/middleware-recursion-detection": "^3.972.3", "@aws-sdk/middleware-user-agent": "^3.972.7", "@aws-sdk/region-config-resolver": "^3.972.3", "@aws-sdk/types": "^3.973.1", "@aws-sdk/util-endpoints": "3.987.0", "@aws-sdk/util-user-agent-browser": "^3.972.3", "@aws-sdk/util-user-agent-node": "^3.972.5", "@smithy/config-resolver": "^4.4.6", "@smithy/core": "^3.22.1", "@smithy/fetch-http-handler": "^5.3.9", "@smithy/hash-node": "^4.2.8", "@smithy/invalid-dependency": "^4.2.8", "@smithy/middleware-content-length": "^4.2.8", "@smithy/middleware-endpoint": "^4.4.13", "@smithy/middleware-retry": "^4.4.30", "@smithy/middleware-serde": "^4.2.9", "@smithy/middleware-stack": "^4.2.8", "@smithy/node-config-provider": "^4.3.8", "@smithy/node-http-handler": "^4.4.9", "@smithy/protocol-http": "^5.3.8", "@smithy/smithy-client": "^4.11.2", "@smithy/types": "^4.12.0", "@smithy/url-parser": "^4.2.8", "@smithy/util-base64": "^4.3.0", "@smithy/util-body-length-browser": "^4.2.0", "@smithy/util-body-length-node": "^4.2.1", "@smithy/util-defaults-mode-browser": "^4.3.29", "@smithy/util-defaults-mode-node": "^4.2.32", "@smithy/util-endpoints": "^3.2.8", "@smithy/util-middleware": "^4.2.8", "@smithy/util-retry": "^4.2.8", "@smithy/util-utf8": "^4.2.0", "tslib": "^2.6.2" } }, "sha512-zDqUCxS/6oUgQjIoDRfijHRgCkUTO3bnC+Hvi1Jh8s0Hj6cGpaUTCWYjwksV3bJGfS+HcloUtUseGO26Pcbeeg=="],
 
     "@aws-sdk/core": ["@aws-sdk/core@3.973.7", "", { "dependencies": { "@aws-sdk/types": "^3.973.1", "@aws-sdk/xml-builder": "^3.972.4", "@smithy/core": "^3.22.1", "@smithy/node-config-provider": "^4.3.8", "@smithy/property-provider": "^4.2.8", "@smithy/protocol-http": "^5.3.8", "@smithy/signature-v4": "^5.3.8", "@smithy/smithy-client": "^4.11.2", "@smithy/types": "^4.12.0", "@smithy/util-base64": "^4.3.0", "@smithy/util-middleware": "^4.2.8", "@smithy/util-utf8": "^4.2.0", "tslib": "^2.6.2" } }, "sha512-wNZZQQNlJ+hzD49cKdo+PY6rsTDElO8yDImnrI69p2PLBa7QomeUKAJWYp9xnaR38nlHqWhMHZuYLCQ3oSX+xg=="],
 
@@ -415,7 +416,7 @@
 
     "@aws-sdk/util-arn-parser": ["@aws-sdk/util-arn-parser@3.972.2", "", { "dependencies": { "tslib": "^2.6.2" } }, "sha512-VkykWbqMjlSgBFDyrY3nOSqupMc6ivXuGmvci6Q3NnLq5kC+mKQe2QBZ4nrWRE/jqOxeFP2uYzLtwncYYcvQDg=="],
 
-    "@aws-sdk/util-endpoints": ["@aws-sdk/util-endpoints@3.986.0", "", { "dependencies": { "@aws-sdk/types": "^3.973.1", "@smithy/types": "^4.12.0", "@smithy/url-parser": "^4.2.8", "@smithy/util-endpoints": "^3.2.8", "tslib": "^2.6.2" } }, "sha512-Mqi79L38qi1gCG3adlVdbNrSxvcm1IPDLiJPA3OBypY5ewxUyWbaA3DD4goG+EwET6LSFgZJcRSIh6KBNpP5pA=="],
+    "@aws-sdk/util-endpoints": ["@aws-sdk/util-endpoints@3.987.0", "", { "dependencies": { "@aws-sdk/types": "^3.973.1", "@smithy/types": "^4.12.0", "@smithy/url-parser": "^4.2.8", "@smithy/util-endpoints": "^3.2.8", "tslib": "^2.6.2" } }, "sha512-rZnZwDq7Pn+TnL0nyS6ryAhpqTZtLtHbJaqfxuHlDX3v/bq0M7Ch/V3qF9dZWaGgsJ2H9xn7/vFOxlnL4fBMcQ=="],
 
     "@aws-sdk/util-locate-window": ["@aws-sdk/util-locate-window@3.965.4", "", { "dependencies": { "tslib": "^2.6.2" } }, "sha512-H1onv5SkgPBK2P6JR2MjGgbOnttoNzSPIRoeZTNPZYyaplwGg50zS3amXvXqF0/qfXpWEC9rLWU564QTB9bSog=="],
 
@@ -1561,6 +1562,8 @@
 
     "cookie": ["cookie@0.7.2", "", {}, "sha512-yki5XnKuf750l50uGTllt6kKILY4nQ1eNIQatoXEByZ5dWgnKqbnqmTrBE5B4N7lrMJKQ2ytWMiTO2o0v6Ew/w=="],
 
+    "cookie-parser": ["cookie-parser@1.4.7", "", { "dependencies": { "cookie": "0.7.2", "cookie-signature": "1.0.6" } }, "sha512-nGUvgXnotP3BsjiLX2ypbQnWoGUPIIfHQNZkkC668ntrzGWEZVW70HDEB1qnNGMicPje6EttlIgzo51YSwNQGw=="],
+
     "cookie-signature": ["cookie-signature@1.2.2", "", {}, "sha512-D76uU73ulSXrD1UXF4KE2TMxVVwhsnCgfAyTg9k8P6KGZjlXKrOLe4dJQKI3Bxi5wjesZoFXJWElNWBjPZMbhg=="],
 
     "cookiejar": ["cookiejar@2.1.4", "", {}, "sha512-LDx6oHrK+PhzLKJU9j5S7/Y3jM/mUHvD/DeI1WQmJn652iPC5Y4TBzC9l+5OMOXlyTTA+SmVUPm0HQUwpD5Jqw=="],
@@ -3293,10 +3296,6 @@
 
     "@shipsec/studio-frontend/ai": ["ai@5.0.124", "", { "dependencies": { "@ai-sdk/gateway": "2.0.30", "@ai-sdk/provider": "2.0.1", "@ai-sdk/provider-utils": "3.0.20", "@opentelemetry/api": "1.9.0" }, "peerDependencies": { "zod": "^3.25.76 || ^4.1.8" } }, "sha512-Li6Jw9F9qsvFJXZPBfxj38ddP2iURCnMs96f9Q3OeQzrDVcl1hvtwSEAuxA/qmfh6SDV2ERqFUOFzigvr0697g=="],
 
-    "@shipsec/studio-worker/@aws-sdk/client-organizations": ["@aws-sdk/client-organizations@3.987.0", "", { "dependencies": { "@aws-crypto/sha256-browser": "5.2.0", "@aws-crypto/sha256-js": "5.2.0", "@aws-sdk/core": "^3.973.7", "@aws-sdk/credential-provider-node": "^3.972.6", "@aws-sdk/middleware-host-header": "^3.972.3", "@aws-sdk/middleware-logger": "^3.972.3", "@aws-sdk/middleware-recursion-detection": "^3.972.3", "@aws-sdk/middleware-user-agent": "^3.972.7", "@aws-sdk/region-config-resolver": "^3.972.3", "@aws-sdk/types": "^3.973.1", "@aws-sdk/util-endpoints": "3.987.0", "@aws-sdk/util-user-agent-browser": "^3.972.3", "@aws-sdk/util-user-agent-node": "^3.972.5", "@smithy/config-resolver": "^4.4.6", "@smithy/core": "^3.22.1", "@smithy/fetch-http-handler": "^5.3.9", "@smithy/hash-node": "^4.2.8", "@smithy/invalid-dependency": "^4.2.8", "@smithy/middleware-content-length": "^4.2.8", "@smithy/middleware-endpoint": "^4.4.13", "@smithy/middleware-retry": "^4.4.30", "@smithy/middleware-serde": "^4.2.9", "@smithy/middleware-stack": "^4.2.8", "@smithy/node-config-provider": "^4.3.8", "@smithy/node-http-handler": "^4.4.9", "@smithy/protocol-http": "^5.3.8", "@smithy/smithy-client": "^4.11.2", "@smithy/types": "^4.12.0", "@smithy/url-parser": "^4.2.8", "@smithy/util-base64": "^4.3.0", "@smithy/util-body-length-browser": "^4.2.0", "@smithy/util-body-length-node": "^4.2.1", "@smithy/util-defaults-mode-browser": "^4.3.29", "@smithy/util-defaults-mode-node": "^4.2.32", "@smithy/util-endpoints": "^3.2.8", "@smithy/util-middleware": "^4.2.8", "@smithy/util-retry": "^4.2.8", "@smithy/util-utf8": "^4.2.0", "tslib": "^2.6.2" } }, "sha512-fz9OOrZj+ywtcCh4rVnCd38epnRQ7xg/khPi0l4CXQX4vorrSajOEzM0G89MlP1E0g5tId8Frbe/SlRvkpsSng=="],
-
-    "@shipsec/studio-worker/@aws-sdk/client-sts": ["@aws-sdk/client-sts@3.987.0", "", { "dependencies": { "@aws-crypto/sha256-browser": "5.2.0", "@aws-crypto/sha256-js": "5.2.0", "@aws-sdk/core": "^3.973.7", "@aws-sdk/credential-provider-node": "^3.972.6", "@aws-sdk/middleware-host-header": "^3.972.3", "@aws-sdk/middleware-logger": "^3.972.3", "@aws-sdk/middleware-recursion-detection": "^3.972.3", "@aws-sdk/middleware-user-agent": "^3.972.7", "@aws-sdk/region-config-resolver": "^3.972.3", "@aws-sdk/types": "^3.973.1", "@aws-sdk/util-endpoints": "3.987.0", "@aws-sdk/util-user-agent-browser": "^3.972.3", "@aws-sdk/util-user-agent-node": "^3.972.5", "@smithy/config-resolver": "^4.4.6", "@smithy/core": "^3.22.1", "@smithy/fetch-http-handler": "^5.3.9", "@smithy/hash-node": "^4.2.8", "@smithy/invalid-dependency": "^4.2.8", "@smithy/middleware-content-length": "^4.2.8", "@smithy/middleware-endpoint": "^4.4.13", "@smithy/middleware-retry": "^4.4.30", "@smithy/middleware-serde": "^4.2.9", "@smithy/middleware-stack": "^4.2.8", "@smithy/node-config-provider": "^4.3.8", "@smithy/node-http-handler": "^4.4.9", "@smithy/protocol-http": "^5.3.8", "@smithy/smithy-client": "^4.11.2", "@smithy/types": "^4.12.0", "@smithy/url-parser": "^4.2.8", "@smithy/util-base64": "^4.3.0", "@smithy/util-body-length-browser": "^4.2.0", "@smithy/util-body-length-node": "^4.2.1", "@smithy/util-defaults-mode-browser": "^4.3.29", "@smithy/util-defaults-mode-node": "^4.2.32", "@smithy/util-endpoints": "^3.2.8", "@smithy/util-middleware": "^4.2.8", "@smithy/util-retry": "^4.2.8", "@smithy/util-utf8": "^4.2.0", "tslib": "^2.6.2" } }, "sha512-zDqUCxS/6oUgQjIoDRfijHRgCkUTO3bnC+Hvi1Jh8s0Hj6cGpaUTCWYjwksV3bJGfS+HcloUtUseGO26Pcbeeg=="],
-
     "@shipsec/studio-worker/@googleapis/admin": ["@googleapis/admin@29.0.0", "", { "dependencies": { "googleapis-common": "^8.0.0" } }, "sha512-lujnbfmDn1aetoJBDeExH4IDKniMZs7Ga8hGagN/lecO8hd0fy9hu+osROp0HFk6u2wCAiA89oXi5qHVXupbOQ=="],
 
     "@shipsec/studio-worker/@types/node": ["@types/node@25.2.0", "", { "dependencies": { "undici-types": "~7.16.0" } }, "sha512-DZ8VwRFUNzuqJ5khrvwMXHmvPe+zGayJhr2CDNiKB1WBE1ST8Djl00D0IC4vvNmHMdj6DlbYRIaFE7WHjlDl5w=="],
@@ -3375,6 +3374,8 @@
 
     "concat-stream/readable-stream": ["readable-stream@3.6.2", "", { "dependencies": { "inherits": "^2.0.3", "string_decoder": "^1.1.1", "util-deprecate": "^1.0.1" } }, "sha512-9u/sniCrY3D5WdsERHzHE4G2YCXqoG5FTHUiCC4SIbr6XcLZBY05ya9EKjYek9O5xOAwjGq+1JdGBAS7Q9ScoA=="],
 
+    "cookie-parser/cookie-signature": ["cookie-signature@1.0.6", "", {}, "sha512-QADzlaHc8icV8I7vbaJXJwod9HWYp8uCqf1xa4OfNu1T7JVxQIrUgOWtHdNDtPiywmFbiS12VjotIXLrKM3orQ=="],
+
     "cssstyle/lru-cache": ["lru-cache@11.2.5", "", {}, "sha512-vFrFJkWtJvJnD5hg+hJvVE8Lh/TcMzKnTgCWmtBipwI5yLX/iX+5UB2tfuyODF5E7k9xEzMdYgGqaSb1c0c5Yw=="],
 
     "data-urls/whatwg-mimetype": ["whatwg-mimetype@5.0.0", "", {}, "sha512-sXcNcHOC51uPGF0P/D4NVtrkjSU2fNsm9iog4ZvZJsL3rjoDAzXZhkm2MWt1y+PUdggKAYVoMAIYcs78wJ51Cw=="],
@@ -3703,10 +3704,6 @@
 
     "@shipsec/studio-frontend/ai/@ai-sdk/provider-utils": ["@ai-sdk/provider-utils@3.0.20", "", { "dependencies": { "@ai-sdk/provider": "2.0.1", "@standard-schema/spec": "^1.0.0", "eventsource-parser": "^3.0.6" }, "peerDependencies": { "zod": "^3.25.76 || ^4.1.8" } }, "sha512-iXHVe0apM2zUEzauqJwqmpC37A5rihrStAih5Ks+JE32iTe4LZ58y17UGBjpQQTCRw9YxMeo2UFLxLpBluyvLQ=="],
 
-    "@shipsec/studio-worker/@aws-sdk/client-organizations/@aws-sdk/util-endpoints": ["@aws-sdk/util-endpoints@3.987.0", "", { "dependencies": { "@aws-sdk/types": "^3.973.1", "@smithy/types": "^4.12.0", "@smithy/url-parser": "^4.2.8", "@smithy/util-endpoints": "^3.2.8", "tslib": "^2.6.2" } }, "sha512-rZnZwDq7Pn+TnL0nyS6ryAhpqTZtLtHbJaqfxuHlDX3v/bq0M7Ch/V3qF9dZWaGgsJ2H9xn7/vFOxlnL4fBMcQ=="],
-
-    "@shipsec/studio-worker/@aws-sdk/client-sts/@aws-sdk/util-endpoints": ["@aws-sdk/util-endpoints@3.987.0", "", { "dependencies": { "@aws-sdk/types": "^3.973.1", "@smithy/types": "^4.12.0", "@smithy/url-parser": "^4.2.8", "@smithy/util-endpoints": "^3.2.8", "tslib": "^2.6.2" } }, "sha512-rZnZwDq7Pn+TnL0nyS6ryAhpqTZtLtHbJaqfxuHlDX3v/bq0M7Ch/V3qF9dZWaGgsJ2H9xn7/vFOxlnL4fBMcQ=="],
-
     "@types/express/@types/express-serve-static-core/@types/node": ["@types/node@25.2.0", "", { "dependencies": { "undici-types": "~7.16.0" } }, "sha512-DZ8VwRFUNzuqJ5khrvwMXHmvPe+zGayJhr2CDNiKB1WBE1ST8Djl00D0IC4vvNmHMdj6DlbYRIaFE7WHjlDl5w=="],
 
     "@typescript-eslint/typescript-estree/minimatch/brace-expansion": ["brace-expansion@2.0.2", "", { "dependencies": { "balanced-match": "^1.0.0" } }, "sha512-Jt0vHyM+jmUBqojB7E1NIYadt0vI0Qxjxd2TErW94wDz+E2LAm5vKMXXwg6ZZBTHPuUlDgQHKXvjGBdfcF1ZDQ=="],
diff --git a/docker/docker-compose.full.yml b/docker/docker-compose.full.yml
index 48314ea0..e2e14cea 100644
--- a/docker/docker-compose.full.yml
+++ b/docker/docker-compose.full.yml
@@ -207,6 +207,8 @@ services:
     depends_on:
       opensearch-dashboards:
         condition: service_healthy
+    environment:
+      - DEFAULT_ORGANIZATION_ID=${DEFAULT_ORGANIZATION_ID:-local-dev}
     volumes:
       - ./opensearch-init.sh:/init.sh:ro
     entrypoint: ['/bin/sh', '/init.sh']
diff --git a/docker/docker-compose.infra.yml b/docker/docker-compose.infra.yml
index 1e9e619c..c23c6751 100644
--- a/docker/docker-compose.infra.yml
+++ b/docker/docker-compose.infra.yml
@@ -9,12 +9,12 @@ services:
       POSTGRES_MULTIPLE_DATABASES: temporal
     # Internal only - use docker-compose.dev-ports.yml overlay for local dev access
     expose:
-      - "5432"
+      - '5432'
     volumes:
       - postgres_data:/var/lib/postgresql/data
       - ./init-db:/docker-entrypoint-initdb.d
     healthcheck:
-      test: ["CMD-SHELL", "pg_isready -U shipsec"]
+      test: ['CMD-SHELL', 'pg_isready -U shipsec']
       interval: 5s
       timeout: 3s
       retries: 10
@@ -35,7 +35,7 @@ services:
       - POSTGRES_SEEDS=postgres
       - AUTO_SETUP=true
     expose:
-      - "7233"
+      - '7233'
     volumes:
       - temporal_data:/var/lib/temporal
     restart: unless-stopped
@@ -49,7 +49,7 @@ services:
       - TEMPORAL_ADDRESS=temporal:7233
       - TEMPORAL_CORS_ORIGINS=http://localhost:5173
     expose:
-      - "8080"
+      - '8080'
     restart: unless-stopped
 
   minio:
@@ -60,13 +60,13 @@ services:
       MINIO_ROOT_USER: minioadmin
       MINIO_ROOT_PASSWORD: minioadmin
     expose:
-      - "9000"
-      - "9001"
+      - '9000'
+      - '9001'
     volumes:
       - minio_data:/data
     restart: unless-stopped
     healthcheck:
-      test: ["CMD", "curl", "-f", "http://localhost:9000/minio/health/live"]
+      test: ['CMD', 'curl', '-f', 'http://localhost:9000/minio/health/live']
       interval: 30s
       timeout: 10s
       retries: 5
@@ -75,12 +75,12 @@ services:
     image: redis:latest
     container_name: shipsec-redis
     expose:
-      - "6379"
+      - '6379'
     volumes:
       - redis_data:/data
     restart: unless-stopped
     healthcheck:
-      test: ["CMD", "redis-cli", "ping"]
+      test: ['CMD', 'redis-cli', 'ping']
       interval: 30s
       timeout: 10s
       retries: 5
@@ -90,13 +90,13 @@ services:
     container_name: shipsec-loki
     command: -config.file=/etc/loki/local-config.yaml
     expose:
-      - "3100"
+      - '3100'
     volumes:
       - ./loki/loki-config.yaml:/etc/loki/local-config.yaml
       - loki_data:/loki
     restart: unless-stopped
     healthcheck:
-      test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:3100/ready"]
+      test: ['CMD', 'wget', '--no-verbose', '--tries=1', '--spider', 'http://localhost:3100/ready']
       interval: 30s
       timeout: 10s
       retries: 5
@@ -115,13 +115,13 @@ services:
       - --check=false
       - --advertise-kafka-addr=localhost:9092
     expose:
-      - "9092"
-      - "9644"
+      - '9092'
+      - '9644'
     volumes:
       - redpanda_data:/var/lib/redpanda/data
     restart: unless-stopped
     healthcheck:
-      test: ["CMD", "curl", "-f", "http://localhost:9644/v1/status/ready"]
+      test: ['CMD', 'curl', '-f', 'http://localhost:9644/v1/status/ready']
       interval: 30s
       timeout: 10s
       retries: 5
@@ -134,7 +134,7 @@ services:
     environment:
       CONFIG_FILEPATH: /etc/redpanda/console-config.yaml
     expose:
-      - "8080"
+      - '8080'
     volumes:
       - ./redpanda-console-config.yaml:/etc/redpanda/console-config.yaml:ro
     restart: unless-stopped
@@ -145,7 +145,7 @@ services:
     environment:
       - discovery.type=single-node
       - bootstrap.memory_lock=true
-      - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m"
+      - 'OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m'
       - DISABLE_SECURITY_PLUGIN=true
       - DISABLE_INSTALL_DEMO_CONFIG=true
     ulimits:
@@ -158,13 +158,13 @@ services:
     # Ports exposed only within Docker network (not to host)
     # Use docker-compose.dev-ports.yml overlay for local dev access
     expose:
-      - "9200"
-      - "9600"
+      - '9200'
+      - '9600'
     volumes:
       - opensearch_data:/usr/share/opensearch/data
     restart: unless-stopped
     healthcheck:
-      test: ["CMD-SHELL", "curl -f http://localhost:9200/_cluster/health || exit 1"]
+      test: ['CMD-SHELL', 'curl -f http://localhost:9200/_cluster/health || exit 1']
       interval: 30s
       timeout: 10s
       retries: 5
@@ -185,12 +185,12 @@ services:
     # Use docker-compose.dev-ports.yml overlay for local dev access
     # Production uses nginx reverse proxy at /analytics
     expose:
-      - "5601"
+      - '5601'
     volumes:
       - ./opensearch-dashboards.yml:/usr/share/opensearch-dashboards/config/opensearch_dashboards.yml:ro
     restart: unless-stopped
     healthcheck:
-      test: ["CMD-SHELL", "curl -f http://localhost:5601/analytics/api/status || exit 1"]
+      test: ['CMD-SHELL', 'curl -f http://localhost:5601/analytics/api/status || exit 1']
       interval: 30s
       timeout: 10s
       retries: 5
@@ -202,10 +202,12 @@ services:
     depends_on:
       opensearch-dashboards:
         condition: service_healthy
+    environment:
+      - DEFAULT_ORGANIZATION_ID=${DEFAULT_ORGANIZATION_ID:-local-dev}
     volumes:
       - ./opensearch-init.sh:/init.sh:ro
-    entrypoint: ["/bin/sh", "/init.sh"]
-    restart: "no"
+    entrypoint: ['/bin/sh', '/init.sh']
+    restart: 'no'
 
   # Nginx reverse proxy - unified entry point
   # DEV MODE: Uses nginx.dev.conf which points to host.docker.internal for PM2 services
@@ -216,14 +218,14 @@ services:
       opensearch-dashboards:
         condition: service_healthy
     ports:
-      - "80:80"
+      - '80:80'
     volumes:
       - ./nginx/nginx.dev.conf:/etc/nginx/nginx.conf:ro
     extra_hosts:
-      - "host.docker.internal:host-gateway"
+      - 'host.docker.internal:host-gateway'
     restart: unless-stopped
     healthcheck:
-      test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost/health"]
+      test: ['CMD', 'wget', '--no-verbose', '--tries=1', '--spider', 'http://localhost/health']
       interval: 30s
       timeout: 10s
       retries: 5
diff --git a/docker/opensearch-init.sh b/docker/opensearch-init.sh
index 1d9d97b1..c58d0854 100755
--- a/docker/opensearch-init.sh
+++ b/docker/opensearch-init.sh
@@ -61,36 +61,43 @@ if [ "$SECURITY_ENABLED" = "true" ]; then
   exit 0
 fi
 
-# Check if index pattern already exists (insecure mode only)
-echo "[opensearch-init] Checking for existing index patterns..."
-EXISTING=$(auth_curl -sf "${DASHBOARDS_URL}${DASHBOARDS_BASE_PATH}/api/saved_objects/_find?type=index-pattern&search_fields=title&search=security-findings-*" \
-  -H "osd-xsrf: true" 2>/dev/null || echo '{"total":0}')
+# Helper: create an index pattern if it doesn't already exist
+create_index_pattern() {
+  local PATTERN_ID="$1"
 
-TOTAL=$(echo "$EXISTING" | grep -o '"total":[0-9]*' | grep -o '[0-9]*' || echo "0")
+  EXISTING=$(auth_curl -sf "${DASHBOARDS_URL}${DASHBOARDS_BASE_PATH}/api/saved_objects/index-pattern/${PATTERN_ID}" \
+    -H "osd-xsrf: true" 2>/dev/null || echo '')
 
-if [ "$TOTAL" -gt 0 ]; then
-  echo "[opensearch-init] Index pattern 'security-findings-*' already exists, skipping creation"
-else
-  echo "[opensearch-init] Creating index pattern 'security-findings-*'..."
+  if echo "$EXISTING" | grep -q '"type":"index-pattern"'; then
+    echo "[opensearch-init] Index pattern '${PATTERN_ID}' already exists, skipping creation"
+    return
+  fi
 
-  # Use specific ID so dashboards can reference it consistently
-  RESPONSE=$(auth_curl -sf -X POST "${DASHBOARDS_URL}${DASHBOARDS_BASE_PATH}/api/saved_objects/index-pattern/security-findings-*" \
+  echo "[opensearch-init] Creating index pattern '${PATTERN_ID}'..."
+  RESPONSE=$(auth_curl -sf -X POST "${DASHBOARDS_URL}${DASHBOARDS_BASE_PATH}/api/saved_objects/index-pattern/${PATTERN_ID}" \
     -H "Content-Type: application/json" \
     -H "osd-xsrf: true" \
-    -d '{
-      "attributes": {
-        "title": "security-findings-*",
-        "timeFieldName": "@timestamp"
+    -d "{
+      \"attributes\": {
+        \"title\": \"${PATTERN_ID}\",
+        \"timeFieldName\": \"@timestamp\"
       }
-    }' 2>&1)
+    }" 2>&1)
 
   if echo "$RESPONSE" | grep -q '"type":"index-pattern"'; then
-    echo "[opensearch-init] Successfully created index pattern 'security-findings-*'"
+    echo "[opensearch-init] Successfully created index pattern '${PATTERN_ID}'"
   else
-    echo "[opensearch-init] WARNING: Failed to create index pattern. Response: $RESPONSE"
-    # Don't fail - the pattern might be created later when data exists
+    echo "[opensearch-init] WARNING: Failed to create index pattern '${PATTERN_ID}'. Response: $RESPONSE"
   fi
-fi
+}
+
+# Create index patterns (insecure mode only)
+# Generic pattern for all findings
+create_index_pattern "security-findings-*"
+
+# Org-specific pattern for local dev (matches the frontend's org-scoped dashboard links)
+LOCAL_DEV_ORG_ID="${DEFAULT_ORGANIZATION_ID:-local-dev}"
+create_index_pattern "security-findings-${LOCAL_DEV_ORG_ID}-*"
 
 # Set as default index pattern (optional, helps UX)
 echo "[opensearch-init] Setting default index pattern..."
diff --git a/docs/components/security.mdx b/docs/components/security.mdx
index 38c39655..edd03ddd 100644
--- a/docs/components/security.mdx
+++ b/docs/components/security.mdx
@@ -227,20 +227,65 @@ Scans for leaked credentials across repositories, filesystems, and cloud storage
 ### Prowler Scan
 
 <Info>
-[GitHub](https://github.com/prowler-cloud/prowler) · Docker: `ghcr.io/shipsecai/prowler`
+[GitHub](https://github.com/prowler-cloud/prowler) · Docker: `ghcr.io/shipsecai/prowler:5.14.2`
 </Info>
 
-Cloud (AWS, Azure, GCP) security posture management. Best practices auditing.
+Cloud security posture management. Supports single-account scanning and **org-wide multi-account scanning** for AWS Organizations.
+
+**Component ID:** `security.prowler.scan`
 
 | Input | Type | Description |
 |-------|------|-------------|
-| `credentials` | Object | AWS credentials |
-| `checks` | Array | Specific checks to run |
+| `accountId` | String (optional) | AWS account ID to tag findings with. Required when `orgScan` is false. |
+| `credentials` | AWS Credentials (optional) | AWS credentials from the Credential Resolver. Required for AWS scans. |
+| `regions` | String | Comma-separated AWS regions (default: `us-east-1`). |
+
+| Parameter | Type | Default | Description |
+|-----------|------|---------|-------------|
+| `scanMode` | Select | `aws` | `aws` for single/org account scan, `cloud` for multi-cloud overview. |
+| `recommendedFlags` | Multi-Select | severity-high-critical, ignore-exit-code, no-banner | Pre-selected CLI flags. |
+| `customFlags` | Textarea | — | Additional CLI flags appended verbatim. |
+| `orgScan` | Toggle | `false` | Enable org-wide scanning (discovers and scans all member accounts). |
+| `memberRoleName` | String | `OrganizationAccountAccessRole` | IAM role to assume in each member account. Visible when `orgScan=true`. |
+| `externalId` | String | — | Optional external ID for cross-account trust policy. Visible when `orgScan=true`. |
+| `continueOnError` | Toggle | `true` | Continue scanning if a member account fails. Visible when `orgScan=true`. |
+| `skipManagementAccount` | Toggle | `false` | Exclude the management account from scanning. Visible when `orgScan=true`. |
+| `maxConcurrency` | Number (1-5) | `1` | Number of accounts to scan in parallel. Visible when `orgScan=true`. |
 
-| Parameter | Type | Description |
-|-----------|------|-------------|
-| `severity` | Array | Filter by severity |
-| `services` | Array | AWS services to audit |
+| Output | Type | Description |
+|--------|------|-------------|
+| `scanId` | String | Deterministic scan run identifier. |
+| `findings` | Array | Normalized findings (severity, resource, remediation). |
+| `results` | Array | Analytics-ready results. Connect to **Analytics Sink**. |
+| `rawOutput` | String | Raw Prowler output for debugging. |
+| `summary` | Object | Aggregate counts, regions, and per-account summaries (org mode). |
+| `command` | Array | CLI arguments used during the run. |
+| `stderr` | String | Standard error output from Prowler. |
+| `errors` | Array | Errors encountered during scanning. |
+
+#### Org-Wide Scanning
+
+When `orgScan` is enabled, the component:
+
+1. Discovers all active accounts via AWS Organizations (using the management account credentials).
+2. For each member account, assumes the configured IAM role via STS.
+3. Runs a full Prowler scan per account.
+4. Aggregates findings across all accounts with per-account status summaries.
+
+Failed accounts are recorded with their error message and scanning continues to the next account (when `continueOnError=true`).
+
+```
+Management Account Credentials
+    ↓
+Org Discovery (ListAccounts)
+    ↓
+For each member account:
+    AssumeRole → Prowler Scan → Collect Findings
+    ↓
+Aggregate Results → Analytics Sink
+```
+
+**Sample workflow:** [`docs/sample/aws-cspm-org-prowler-to-analytics.json`](/docs/sample/aws-cspm-org-prowler-to-analytics.json)
 
 ### Supabase Scanner
 
diff --git a/docs/integrations.md b/docs/integrations.md
index 5c6c9418..ebdb0d09 100644
--- a/docs/integrations.md
+++ b/docs/integrations.md
@@ -209,7 +209,7 @@ Assumes an IAM role via STS and returns temporary credentials. Useful for cross-
 
 ## Sample Workflows
 
-Three pre-built workflow templates are available in `docs/sample/`:
+Four pre-built workflow templates are available in `docs/sample/`:
 
 ### AWS CSPM -- Org Account Discovery
 
@@ -243,21 +243,44 @@ End-to-end CSPM workflow: resolves AWS credentials, runs a Prowler security scan
 - `connectionId` (required) -- AWS integration connection ID
 - `regions` (optional) -- Comma-separated AWS regions (default: `us-east-1`)
 
+### AWS CSPM -- Org-Wide Prowler Scan to Analytics
+
+**File:** `docs/sample/aws-cspm-org-prowler-to-analytics.json`
+
+```
+Entry Point → Resolve Credentials → Prowler Scan (orgScan=true) → Analytics Sink
+```
+
+Resolves AWS credentials for the organization management account, discovers all member accounts via AWS Organizations, assumes a cross-account role in each, runs Prowler per-account, and indexes aggregated findings into the Analytics dashboard. Failed accounts are recorded and scanning continues.
+
+**Runtime Inputs:**
+
+- `connectionId` (required) -- AWS integration connection ID for the management account
+- `regions` (optional) -- Comma-separated AWS regions (default: `us-east-1`)
+
+**Key Parameters:**
+
+- `orgScan: true` -- Enables organization-wide scanning
+- `memberRoleName` -- IAM role to assume in each member account (default: `OrganizationAccountAccessRole`)
+- `continueOnError: true` -- Record errors per account and continue scanning
+
 ### AWS CSPM -- Prowler Scan to Slack Summary
 
 **File:** `docs/sample/aws-cspm-prowler-slack-summary.json`
 
 ```
-Entry Point → Resolve Credentials → Prowler Scan → Slack Message
+Entry Point → Resolve AWS Credentials → Prowler Scan ─┐
+           └→ Resolve Slack Credentials ───────────────┴→ Slack Message
 ```
 
-Resolves AWS credentials, runs a Prowler security scan (severity high/critical), and sends a formatted summary of findings to a Slack channel via an Incoming Webhook.
+Resolves AWS credentials, runs a Prowler security scan (severity high/critical), resolves Slack credentials from an integration connection (OAuth or webhook), and sends a formatted summary of findings to a Slack channel.
 
 **Runtime Inputs:**
 
 - `connectionId` (required) -- AWS integration connection ID
 - `regions` (optional) -- Comma-separated AWS regions (default: `us-east-1`)
-- `slackWebhookUrl` (required) -- Slack Incoming Webhook URL for the target channel
+- `slackConnectionId` (required) -- Slack integration connection ID (OAuth or webhook)
+- `slackChannel` (optional) -- Slack channel to post to (required for OAuth, ignored for webhook; default: `#general`)
 
 ### Importing Sample Workflows
 
diff --git a/docs/sample/aws-cspm-org-discovery.json b/docs/sample/aws-cspm-org-discovery.json
index 227ebb4f..1688aeeb 100644
--- a/docs/sample/aws-cspm-org-discovery.json
+++ b/docs/sample/aws-cspm-org-discovery.json
@@ -45,7 +45,7 @@
       "data": {
         "label": "Resolve AWS Credentials",
         "config": {
-          "params": {},
+          "params": { "provider": "aws" },
           "inputOverrides": {
             "connectionId": "{{entry-1.connectionId}}"
           }
diff --git a/docs/sample/aws-cspm-org-prowler-to-analytics.json b/docs/sample/aws-cspm-org-prowler-to-analytics.json
new file mode 100644
index 00000000..2963e20f
--- /dev/null
+++ b/docs/sample/aws-cspm-org-prowler-to-analytics.json
@@ -0,0 +1,125 @@
+{
+  "name": "AWS CSPM \u2013 Org-Wide Prowler Scan to Analytics",
+  "description": "Resolves AWS org credentials, scans all member accounts with Prowler, and indexes aggregated findings into Analytics.",
+  "nodes": [
+    {
+      "id": "entry-1",
+      "type": "core.workflow.entrypoint",
+      "position": { "x": 300, "y": 50 },
+      "data": {
+        "label": "Entry Point",
+        "config": {
+          "params": {
+            "runtimeInputs": [
+              {
+                "id": "connectionId",
+                "label": "AWS Org Connection ID",
+                "type": "text",
+                "required": true,
+                "description": "The ID of the AWS integration connection for the organization management account."
+              },
+              {
+                "id": "regions",
+                "label": "AWS Regions",
+                "type": "text",
+                "required": false,
+                "description": "Comma-separated AWS regions to scan. Defaults to us-east-1.",
+                "default": "us-east-1"
+              }
+            ]
+          },
+          "inputOverrides": {}
+        }
+      }
+    },
+    {
+      "id": "resolve-creds-1",
+      "type": "core.integration.resolve-credentials",
+      "position": { "x": 300, "y": 280 },
+      "data": {
+        "label": "Resolve Org Credentials",
+        "config": {
+          "params": { "provider": "aws" },
+          "inputOverrides": {}
+        }
+      }
+    },
+    {
+      "id": "prowler-1",
+      "type": "security.prowler.scan",
+      "position": { "x": 300, "y": 510 },
+      "data": {
+        "label": "Org-Wide Prowler Scan",
+        "config": {
+          "params": {
+            "orgScan": true,
+            "memberRoleName": "OrganizationAccountAccessRole",
+            "continueOnError": true,
+            "scanMode": "aws",
+            "recommendedFlags": ["severity-high-critical", "ignore-exit-code", "no-banner"]
+          },
+          "inputOverrides": {}
+        }
+      }
+    },
+    {
+      "id": "analytics-sink-1",
+      "type": "core.analytics.sink",
+      "position": { "x": 300, "y": 770 },
+      "data": {
+        "label": "Analytics Sink",
+        "config": {
+          "params": {
+            "dataInputs": [
+              {
+                "id": "input1",
+                "label": "Org Prowler Results",
+                "sourceTag": "prowler-org"
+              }
+            ],
+            "failOnError": false
+          },
+          "inputOverrides": {}
+        }
+      }
+    }
+  ],
+  "edges": [
+    {
+      "id": "e-entry-to-resolve",
+      "source": "entry-1",
+      "target": "resolve-creds-1",
+      "sourceHandle": "connectionId",
+      "targetHandle": "connectionId"
+    },
+    {
+      "id": "e-resolve-to-prowler-creds",
+      "source": "resolve-creds-1",
+      "target": "prowler-1",
+      "sourceHandle": "data",
+      "targetHandle": "credentials"
+    },
+    {
+      "id": "e-resolve-to-prowler-account",
+      "source": "resolve-creds-1",
+      "target": "prowler-1",
+      "sourceHandle": "accountId",
+      "targetHandle": "accountId"
+    },
+    {
+      "id": "e-entry-to-prowler-regions",
+      "source": "entry-1",
+      "target": "prowler-1",
+      "sourceHandle": "regions",
+      "targetHandle": "regions"
+    },
+    {
+      "id": "e-prowler-to-analytics",
+      "source": "prowler-1",
+      "target": "analytics-sink-1",
+      "sourceHandle": "results",
+      "targetHandle": "input1"
+    }
+  ],
+  "viewport": { "x": 0, "y": 0, "zoom": 1 }
+}
diff --git a/docs/sample/aws-cspm-prowler-slack-summary.json b/docs/sample/aws-cspm-prowler-slack-summary.json
index 5d1aa772..17726896 100644
--- a/docs/sample/aws-cspm-prowler-slack-summary.json
+++ b/docs/sample/aws-cspm-prowler-slack-summary.json
@@ -1,6 +1,6 @@
 {
   "name": "AWS CSPM – Prowler Scan to Slack Summary",
-  "description": "Resolves AWS credentials from an integration connection, runs a Prowler security scan (high+critical severity), and sends a summary of findings to a Slack channel via webhook.",
+  "description": "Resolves AWS credentials from an integration connection, runs a Prowler security scan (high+critical severity), and sends a summary of findings to a Slack channel via an integration connection (OAuth or webhook).",
   "nodes": [
     {
       "id": "entry-1",
@@ -27,11 +27,27 @@
                 "default": "us-east-1"
               },
               {
-                "id": "slackWebhookUrl",
-                "label": "Slack Webhook URL",
+                "id": "slackConnectionId",
+                "label": "Slack Integration Connection ID",
                 "type": "text",
                 "required": true,
-                "description": "Slack Incoming Webhook URL to send the scan summary to."
+                "description": "The ID of the Slack integration connection (OAuth or webhook). Find this in Settings > Integrations > Slack."
+              },
+              {
+                "id": "slackChannel",
+                "label": "Slack Channel",
+                "type": "text",
+                "required": false,
+                "description": "Slack channel to post to (e.g. #security-alerts). Required for OAuth connections, ignored for webhook connections.",
+                "default": "#general"
+              },
+              {
+                "id": "dashboardBaseUrl",
+                "label": "Dashboard Base URL",
+                "type": "text",
+                "required": false,
+                "description": "Base URL of your deployment (e.g. https://your-domain). Used to build the analytics dashboard link in the Slack notification.",
+                "default": "http://localhost"
               }
             ]
           },
@@ -42,11 +58,23 @@
     {
       "id": "resolve-creds-1",
       "type": "core.integration.resolve-credentials",
-      "position": { "x": 300, "y": 280 },
+      "position": { "x": 450, "y": 280 },
       "data": {
         "label": "Resolve AWS Credentials",
         "config": {
-          "params": {},
+          "params": { "provider": "aws" },
+          "inputOverrides": {}
+        }
+      }
+    },
+    {
+      "id": "resolve-slack-creds-1",
+      "type": "core.integration.resolve-credentials",
+      "position": { "x": 100, "y": 550 },
+      "data": {
+        "label": "Resolve Slack Credentials",
+        "config": {
+          "params": { "provider": "slack" },
           "inputOverrides": {}
         }
       }
@@ -54,7 +82,7 @@
     {
       "id": "prowler-1",
       "type": "security.prowler.scan",
-      "position": { "x": 300, "y": 510 },
+      "position": { "x": 450, "y": 510 },
       "data": {
         "label": "Prowler Security Scan",
         "config": {
@@ -74,11 +102,14 @@
         "label": "Slack Scan Summary",
         "config": {
           "params": {
-            "authType": "webhook",
-            "variables": [{ "name": "scanSummary", "type": "json" }]
+            "authType": "credentials",
+            "variables": [
+              { "name": "scanSummary", "type": "json" },
+              { "name": "dashboardBaseUrl", "type": "string" }
+            ]
           },
           "inputOverrides": {
-            "text": "🔒 *Prowler Security Scan Complete*\n\n📊 *Summary*\n• Total findings: {{totalFindings}}\n• Failed: {{failed}} | Passed: {{passed}}\n• Regions: {{regions}}\n\n🔴 Critical: {{critical}} | 🟠 High: {{high}} | 🟡 Medium: {{medium}} | 🟢 Low: {{low}}\n\nGenerated at {{generatedAt}}"
+            "text": "🔒 *Prowler Security Scan Complete*\n\n📊 *Summary*\n• Total findings: {{totalFindings}}\n• Failed: {{failed}} | Passed: {{passed}}\n• Regions: {{regions}}\n\n🔴 Critical: {{critical}} | 🟠 High: {{high}} | 🟡 Medium: {{medium}} | 🟢 Low: {{low}}\n\n📈 <{{dashboardBaseUrl}}/analytics/app/data-explorer/discover/#?_a=(discover%3A(columns%3A!(_source)%2Cinterval%3Aauto%2Csort%3A!())%2Cmetadata%3A(indexPattern%3A'security-findings-*'%2Cview%3Adiscover))&_q=(query%3A(language%3Akuery%2Cquery%3A'shipsec.run_id.keyword%3A%22{{runId}}%22'))&_g=(filters%3A!()%2CrefreshInterval%3A(pause%3A!t%2Cvalue%3A0)%2Ctime%3A(from%3Anow-1y%2Cto%3Anow))|View Findings in Dashboard>\n\nGenerated at {{generatedAt}}"
           }
         }
       }
@@ -99,6 +130,13 @@
       "sourceHandle": "regions",
       "targetHandle": "regions"
     },
+    {
+      "id": "e-entry-to-slack-resolver",
+      "source": "entry-1",
+      "target": "resolve-slack-creds-1",
+      "sourceHandle": "slackConnectionId",
+      "targetHandle": "connectionId"
+    },
     {
       "id": "e-resolve-to-prowler-creds",
       "source": "resolve-creds-1",
@@ -121,11 +159,18 @@
       "targetHandle": "regions"
     },
     {
-      "id": "e-entry-to-slack-webhook",
+      "id": "e-slack-resolver-to-slack",
+      "source": "resolve-slack-creds-1",
+      "target": "slack-1",
+      "sourceHandle": "data",
+      "targetHandle": "credentials"
+    },
+    {
+      "id": "e-entry-to-slack-channel",
       "source": "entry-1",
       "target": "slack-1",
-      "sourceHandle": "slackWebhookUrl",
-      "targetHandle": "webhookUrl"
+      "sourceHandle": "slackChannel",
+      "targetHandle": "channel"
     },
     {
       "id": "e-prowler-to-slack-summary",
@@ -133,6 +178,13 @@
       "target": "slack-1",
       "sourceHandle": "summary",
       "targetHandle": "scanSummary"
+    },
+    {
+      "id": "e-entry-to-slack-dashboard-url",
+      "source": "entry-1",
+      "target": "slack-1",
+      "sourceHandle": "dashboardBaseUrl",
+      "targetHandle": "dashboardBaseUrl"
     }
   ],
   "viewport": { "x": 0, "y": 0, "zoom": 1 }
diff --git a/docs/sample/aws-cspm-prowler-to-analytics.json b/docs/sample/aws-cspm-prowler-to-analytics.json
index 69a4cb9f..4ff7b85e 100644
--- a/docs/sample/aws-cspm-prowler-to-analytics.json
+++ b/docs/sample/aws-cspm-prowler-to-analytics.json
@@ -39,7 +39,7 @@
       "data": {
         "label": "Resolve AWS Credentials",
         "config": {
-          "params": {},
+          "params": { "provider": "aws" },
           "inputOverrides": {}
         }
       }
diff --git a/docs/user-guide.md b/docs/user-guide.md
index 752e3e61..ae54bbb2 100644
--- a/docs/user-guide.md
+++ b/docs/user-guide.md
@@ -190,6 +190,21 @@ Once complete, visit **http://localhost** to access ShipSec Studio.
   - Output formats
 - **Use**: Web application vulnerability scanning
 
+#### Prowler Scan
+
+- **Purpose**: AWS cloud security posture management
+- **Features**:
+  - Single-account AWS security scanning
+  - Org-wide multi-account scanning (discovers and scans all member accounts)
+  - Normalized ASFF findings with severity, resource ID, and remediation
+  - Analytics-ready output for dashboards
+- **Configuration**:
+  - Scan mode (AWS account or multi-cloud overview)
+  - Org scan toggle with member role name, concurrency, and error handling
+  - Recommended flag presets (severity filter, ignore exit codes)
+  - Custom CLI flags
+- **Use**: AWS CSPM, compliance scanning, org-wide security posture assessment
+
 #### TruffleHog
 
 - **Purpose**: Secret detection in code
diff --git a/frontend/src/components/workflow/ConfigPanel.tsx b/frontend/src/components/workflow/ConfigPanel.tsx
index 2278fedb..c6fa5f3c 100644
--- a/frontend/src/components/workflow/ConfigPanel.tsx
+++ b/frontend/src/components/workflow/ConfigPanel.tsx
@@ -884,6 +884,7 @@ export function ConfigPanel({
                         parameters={manualParameters}
                         onUpdateParameter={handleParamValueChange}
                         allComponentParameters={componentParameters}
+                        nodeLabel={nodeData.label}
                       />
                     </div>
                   );
diff --git a/frontend/src/components/workflow/ParameterField.tsx b/frontend/src/components/workflow/ParameterField.tsx
index f1b31ec1..2baf2ed8 100644
--- a/frontend/src/components/workflow/ParameterField.tsx
+++ b/frontend/src/components/workflow/ParameterField.tsx
@@ -42,6 +42,7 @@ interface ParameterFieldProps {
   componentId?: string;
   parameters?: Record<string, unknown> | undefined;
   onUpdateParameter?: (paramId: string, value: any) => void;
+  nodeLabel?: string;
 }
 
 /**
@@ -55,6 +56,7 @@ export function ParameterField({
   componentId,
   parameters,
   onUpdateParameter,
+  nodeLabel,
 }: ParameterFieldProps) {
   const currentValue = value !== undefined ? value : parameter.default;
   const [jsonError, setJsonError] = useState<string | null>(null);
@@ -105,11 +107,29 @@ export function ParameterField({
     [mergedConnections],
   );
 
-  // All connections for the generic credential resolver (no provider filter)
-  const allConnections = useMemo(() => mergedConnections, [mergedConnections]);
+  // For the generic credential resolver, filter by explicit `provider` param or infer from node label
+  const credResolverProviderFilter = useMemo(() => {
+    if (!isGenericCredentialResolver) return undefined;
+    // 1. Explicit provider parameter takes priority
+    const map = (parameters ?? {}) as Record<string, unknown>;
+    const explicit = typeof map?.provider === 'string' ? map.provider.trim().toLowerCase() : '';
+    if (explicit) return explicit;
+    // 2. Infer from node label (e.g. "Resolve AWS Credentials" → "aws")
+    const KNOWN_PROVIDERS = ['aws', 'slack', 'github'];
+    const label = (nodeLabel ?? '').toLowerCase();
+    return KNOWN_PROVIDERS.find((p) => label.includes(p));
+  }, [isGenericCredentialResolver, parameters, nodeLabel]);
+
+  const filteredConnections = useMemo(
+    () =>
+      credResolverProviderFilter
+        ? mergedConnections.filter((c) => c.provider === credResolverProviderFilter)
+        : mergedConnections,
+    [mergedConnections, credResolverProviderFilter],
+  );
 
   // Pick the right list depending on the component
-  const connectionOptions = isGenericCredentialResolver ? allConnections : githubConnections;
+  const connectionOptions = isGenericCredentialResolver ? filteredConnections : githubConnections;
 
   const [workflowOptions, setWorkflowOptions] = useState<{ id: string; name: string }[]>([]);
   const [workflowOptionsLoading, setWorkflowOptionsLoading] = useState(false);
@@ -567,6 +587,7 @@ export function ParameterField({
       );
 
     case 'boolean':
+    case 'toggle':
       return (
         <div className="flex items-center justify-between">
           <label htmlFor={parameter.id} className="text-sm font-medium cursor-pointer select-none">
@@ -1082,6 +1103,7 @@ interface ParameterFieldWrapperProps {
   parameters?: Record<string, unknown> | undefined;
   onUpdateParameter?: (paramId: string, value: any) => void;
   allComponentParameters?: Parameter[];
+  nodeLabel?: string;
 }
 
 /**
@@ -1121,7 +1143,8 @@ function isHeaderToggleParameter(
   parameter: Parameter,
   allComponentParameters: Parameter[] | undefined,
 ): boolean {
-  if (parameter.type !== 'boolean' || !allComponentParameters) return false;
+  if ((parameter.type !== 'boolean' && parameter.type !== 'toggle') || !allComponentParameters)
+    return false;
 
   // Check if any other parameter has visibleWhen referencing this param
   return allComponentParameters.some((p) => p.visibleWhen && parameter.id in p.visibleWhen);
@@ -1139,6 +1162,7 @@ export function ParameterFieldWrapper({
   parameters,
   onUpdateParameter,
   allComponentParameters,
+  nodeLabel,
 }: ParameterFieldWrapperProps) {
   // Check visibility conditions
   if (!shouldShowParameter(parameter, parameters)) {
@@ -1268,7 +1292,7 @@ export function ParameterFieldWrapper({
   }
 
   // Standard parameter field rendering
-  const isBooleanParameter = parameter.type === 'boolean';
+  const isBooleanParameter = parameter.type === 'boolean' || parameter.type === 'toggle';
 
   return (
     <div
@@ -1300,6 +1324,7 @@ export function ParameterFieldWrapper({
         componentId={componentId}
         parameters={parameters}
         onUpdateParameter={onUpdateParameter}
+        nodeLabel={nodeLabel}
       />
 
       {/* Description after field (toggle control) - for boolean parameters */}
diff --git a/frontend/src/pages/IntegrationCallback.tsx b/frontend/src/pages/IntegrationCallback.tsx
index 63f4c3c6..360bdaed 100644
--- a/frontend/src/pages/IntegrationCallback.tsx
+++ b/frontend/src/pages/IntegrationCallback.tsx
@@ -58,8 +58,8 @@ export function IntegrationCallback() {
     async function exchangeCode() {
       try {
         const connection = await api.integrations.completeOAuth(providerId, {
-          code,
-          state,
+          code: code!,
+          state: state!,
           redirectUri,
         });
 
diff --git a/frontend/src/pages/IntegrationDetailPage.tsx b/frontend/src/pages/IntegrationDetailPage.tsx
index 3ffdf632..86d84b82 100644
--- a/frontend/src/pages/IntegrationDetailPage.tsx
+++ b/frontend/src/pages/IntegrationDetailPage.tsx
@@ -145,7 +145,7 @@ interface AwsFormProps {
 function AwsConnectionForm({ onCreated, onCancel }: AwsFormProps) {
   const store = useIntegrationStore();
   const { toast } = useToast();
-  const [step, setStep] = useState<1 | 2>(1);
+  const [step, setStep] = useState<1 | 2 | 3>(1);
   const [submitting, setSubmitting] = useState(false);
   const [result, setResult] = useState<{ ok: boolean; message: string } | null>(null);
   const [loadingSetup, setLoadingSetup] = useState(true);
@@ -286,6 +286,22 @@ function AwsConnectionForm({ onCreated, onCancel }: AwsFormProps) {
           <span className="flex h-5 w-5 items-center justify-center rounded-full border text-[10px] font-bold border-current">
             2
           </span>
+          Attach Permissions
+        </button>
+        <ChevronRight className="h-4 w-4 text-muted-foreground shrink-0" />
+        <button
+          type="button"
+          onClick={() => setStep(3)}
+          className={cn(
+            'flex items-center gap-2 rounded-full px-3 py-1.5 text-xs font-medium transition-colors',
+            step === 3
+              ? 'bg-primary text-primary-foreground'
+              : 'bg-muted text-muted-foreground hover:bg-muted/80',
+          )}
+        >
+          <span className="flex h-5 w-5 items-center justify-center rounded-full border text-[10px] font-bold border-current">
+            3
+          </span>
           Connection Details
         </button>
       </div>
@@ -296,9 +312,10 @@ function AwsConnectionForm({ onCreated, onCancel }: AwsFormProps) {
           <div className="space-y-3">
             <Label className="text-sm font-semibold">Configure Trust Policy</Label>
             <p className="text-sm text-muted-foreground">
-              Create an IAM role in your AWS account and set its trust policy to the JSON below.
-              This allows ShipSec to securely access your account using a unique External ID &mdash;
-              without you sharing any access keys.
+              In your AWS account, go to <strong>IAM &rarr; Roles &rarr; Create role</strong> and
+              select <strong>&ldquo;Custom trust policy&rdquo;</strong> as the trusted entity type.
+              Paste the JSON below as the trust policy. This allows ShipSec to securely access your
+              account using a unique External ID &mdash; without you sharing any access keys.
             </p>
             <div className="relative">
               <pre className="rounded-md border bg-muted/50 p-4 text-xs font-mono overflow-x-auto whitespace-pre-wrap leading-relaxed">
@@ -398,12 +415,101 @@ function AwsConnectionForm({ onCreated, onCancel }: AwsFormProps) {
         </div>
       )}
 
-      {/* ── Step 2: Connection Details ── */}
+      {/* ── Step 2: Attach Permissions ── */}
       {step === 2 && (
+        <div className="space-y-4">
+          <div className="space-y-3">
+            <Label className="text-sm font-semibold">Attach Permissions</Label>
+            <p className="text-sm text-muted-foreground">
+              After creating the IAM role with the trust policy, attach the following AWS managed
+              policies to define what ShipSec can access in your account.
+            </p>
+
+            <div className="space-y-2">
+              <p className="text-xs font-medium text-muted-foreground uppercase tracking-wide">
+                Required Policies
+              </p>
+              <div className="space-y-2">
+                <div className="flex items-start gap-3 rounded-md border p-3 bg-muted/30">
+                  <div className="flex h-5 w-5 items-center justify-center rounded bg-primary/10 text-primary shrink-0 mt-0.5">
+                    <Shield className="h-3 w-3" />
+                  </div>
+                  <div>
+                    <p className="text-sm font-medium">SecurityAudit</p>
+                    <p className="text-xs text-muted-foreground">
+                      Read-only access to security configuration data. Required for compliance
+                      scanning and security posture assessment.
+                    </p>
+                  </div>
+                </div>
+                <div className="flex items-start gap-3 rounded-md border p-3 bg-muted/30">
+                  <div className="flex h-5 w-5 items-center justify-center rounded bg-primary/10 text-primary shrink-0 mt-0.5">
+                    <Eye className="h-3 w-3" />
+                  </div>
+                  <div>
+                    <p className="text-sm font-medium">ViewOnlyAccess</p>
+                    <p className="text-xs text-muted-foreground">
+                      Read-only access to list and describe resources across AWS services. Used for
+                      resource discovery and inventory.
+                    </p>
+                  </div>
+                </div>
+              </div>
+            </div>
+
+            <div className="space-y-2">
+              <p className="text-xs font-medium text-muted-foreground uppercase tracking-wide">
+                For Organizations (management account only)
+              </p>
+              <div className="flex items-start gap-3 rounded-md border p-3 bg-muted/30">
+                <div className="flex h-5 w-5 items-center justify-center rounded bg-primary/10 text-primary shrink-0 mt-0.5">
+                  <Shield className="h-3 w-3" />
+                </div>
+                <div>
+                  <p className="text-sm font-medium">OrganizationsReadOnlyAccess</p>
+                  <p className="text-xs text-muted-foreground">
+                    Read-only access to AWS Organizations. Only needed on the management account to
+                    discover and list member accounts.
+                  </p>
+                </div>
+              </div>
+            </div>
+
+            <div className="rounded-md border bg-amber-50/50 dark:bg-amber-950/20 border-amber-200 dark:border-amber-800 p-3">
+              <p className="text-xs text-amber-700 dark:text-amber-300">
+                <strong>Tip:</strong> In the AWS IAM console, search for each policy name in the
+                &ldquo;Add permissions &rarr; Attach policies directly&rdquo; step and check the box
+                to attach it. These are AWS managed policies &mdash; no custom policy JSON is
+                needed.
+              </p>
+            </div>
+          </div>
+
+          <DialogFooter className="gap-2">
+            <Button
+              type="button"
+              variant="outline"
+              onClick={() => {
+                setStep(1);
+                setResult(null);
+              }}
+            >
+              Back
+            </Button>
+            <Button type="button" onClick={() => setStep(3)} className="gap-1.5">
+              Next
+              <ChevronRight className="h-4 w-4" />
+            </Button>
+          </DialogFooter>
+        </div>
+      )}
+
+      {/* ── Step 3: Connection Details ── */}
+      {step === 3 && (
         <form onSubmit={handleSubmit} className="space-y-4">
           <div className="space-y-3">
             <p className="text-sm text-muted-foreground">
-              Enter the details of the IAM role you created in Step 1.
+              Enter the details of the IAM role you created and configured in the previous steps.
             </p>
             <div className="space-y-2">
               <Label htmlFor="aws-display-name">Display Name *</Label>
@@ -459,7 +565,7 @@ function AwsConnectionForm({ onCreated, onCancel }: AwsFormProps) {
               type="button"
               variant="outline"
               onClick={() => {
-                setStep(1);
+                setStep(2);
                 setResult(null);
               }}
               disabled={submitting}
@@ -822,7 +928,7 @@ export function IntegrationDetailPage() {
 
   useEffect(() => {
     if (provider) {
-      fetchOrgConnections(provider, true);
+      fetchOrgConnections(undefined, true);
     }
   }, [provider, fetchOrgConnections]);
 
@@ -887,7 +993,7 @@ export function IntegrationDetailPage() {
         }
       }
       // Refresh the connections list to pick up updated lastValidationStatus
-      fetchOrgConnections(provider, true);
+      fetchOrgConnections(undefined, true);
     } catch (err) {
       const message = err instanceof Error ? err.message : 'Validation request failed.';
       toast({ title: 'Error', description: message, variant: 'destructive' });
@@ -912,7 +1018,7 @@ export function IntegrationDetailPage() {
       });
       setDeleteDialogOpen(false);
       setDeleteTarget(null);
-      fetchOrgConnections(provider, true);
+      fetchOrgConnections(undefined, true);
     } catch (err) {
       const message = err instanceof Error ? err.message : 'Failed to delete connection.';
       toast({ title: 'Delete failed', description: message, variant: 'destructive' });
@@ -923,7 +1029,7 @@ export function IntegrationDetailPage() {
 
   const handleConnectionCreated = () => {
     setDialogOpen(false);
-    fetchOrgConnections(provider, true);
+    fetchOrgConnections(undefined, true);
   };
 
   // ---- Loading state ----
@@ -1133,6 +1239,12 @@ export function IntegrationDetailPage() {
                             alt={teamName}
                             className="h-10 w-10 rounded-lg flex-shrink-0 object-cover"
                           />
+                        ) : connVisuals?.logo ? (
+                          <img
+                            src={connVisuals.logo}
+                            alt={conn.provider}
+                            className="h-10 w-10 rounded-lg flex-shrink-0 object-contain bg-muted p-1"
+                          />
                         ) : (
                           <div className="flex h-10 w-10 items-center justify-center rounded-lg flex-shrink-0 bg-muted text-muted-foreground font-semibold text-sm">
                             {(teamName ?? '?').slice(0, 2).toUpperCase()}
@@ -1151,7 +1263,7 @@ export function IntegrationDetailPage() {
                         </div>
                       </div>
                       <div className="flex items-center gap-2 flex-wrap">
-                        {credentialTypeBadge(conn.credentialType)}
+                        {credentialTypeBadge(conn.credentialType ?? 'unknown')}
                         {conn.scopes && conn.scopes.length > 0 && (
                           <span className="text-[10px] text-muted-foreground">
                             {conn.scopes.length} scope{conn.scopes.length !== 1 ? 's' : ''}
diff --git a/frontend/src/schemas/component.ts b/frontend/src/schemas/component.ts
index 8d0ccec2..6bf9c358 100644
--- a/frontend/src/schemas/component.ts
+++ b/frontend/src/schemas/component.ts
@@ -100,6 +100,7 @@ export const ParameterSchema = z.object({
     'textarea',
     'number',
     'boolean',
+    'toggle',
     'select',
     'multi-select',
     'file',
diff --git a/frontend/src/store/integrationStore.ts b/frontend/src/store/integrationStore.ts
index 0c082721..f5cf85b7 100644
--- a/frontend/src/store/integrationStore.ts
+++ b/frontend/src/store/integrationStore.ts
@@ -2,6 +2,18 @@ import { create } from 'zustand';
 import { api } from '@/services/api';
 import type { IntegrationConnection, IntegrationCatalogEntry } from '@/services/api';
 
+interface AwsSetupInfoCache {
+  platformRoleArn: string;
+  externalId: string;
+  setupToken: string;
+  trustPolicyTemplate: string;
+  externalIdDisplay?: string;
+  fetchedAt: number; // Date.now() when fetched
+}
+
+// Setup token TTL is 30 min on the backend; use 25 min as a safe margin
+const AWS_SETUP_INFO_TTL_MS = 25 * 60 * 1000;
+
 interface IntegrationStoreState {
   connections: IntegrationConnection[];
   orgConnections: IntegrationConnection[];
@@ -12,6 +24,7 @@ interface IntegrationStoreState {
   error: string | null;
   initialized: boolean;
   orgInitialized: boolean;
+  _awsSetupInfoCache: AwsSetupInfoCache | null;
 }
 
 interface IntegrationStoreActions {
@@ -91,6 +104,7 @@ export const useIntegrationStore = create<IntegrationStore>((set, get) => ({
   error: null,
   initialized: false,
   orgInitialized: false,
+  _awsSetupInfoCache: null,
 
   fetchConnections: async (force = false) => {
     const { loadingConnections, initialized } = get();
@@ -203,12 +217,20 @@ export const useIntegrationStore = create<IntegrationStore>((set, get) => ({
   },
 
   getAwsSetupInfo: async () => {
-    return api.integrations.getAwsSetupInfo();
+    const cached = get()._awsSetupInfoCache;
+    if (cached && Date.now() - cached.fetchedAt < AWS_SETUP_INFO_TTL_MS) {
+      const { fetchedAt: _, ...info } = cached;
+      return info;
+    }
+    const info = await api.integrations.getAwsSetupInfo();
+    set({ _awsSetupInfoCache: { ...info, fetchedAt: Date.now() } });
+    return info;
   },
 
   createAwsConnection: async (payload) => {
     try {
       const connection = await api.integrations.createAwsConnection(payload);
+      set({ _awsSetupInfoCache: null }); // clear so next connection gets a fresh ExternalId
       get().upsertConnection(connection);
       return connection;
     } catch (error) {
diff --git a/packages/backend-client/src/client.ts b/packages/backend-client/src/client.ts
index eb9be187..c45dc293 100644
--- a/packages/backend-client/src/client.ts
+++ b/packages/backend-client/src/client.ts
@@ -2686,9 +2686,15 @@ export interface components {
             provider: string;
             providerName: string;
             userId: string;
+            credentialType?: string;
+            displayName?: string;
+            organizationId?: string;
             scopes: string[];
             tokenType: string;
-            expiresAt?: string;
+            expiresAt?: string | null;
+            lastValidatedAt?: string | null;
+            lastValidationStatus?: string | null;
+            lastUsedAt?: string | null;
             createdAt: string;
             updatedAt: string;
             /** @enum {string} */
@@ -2696,7 +2702,7 @@ export interface components {
             supportsRefresh: boolean;
             hasRefreshToken: boolean;
             /** @description Provider-specific metadata saved alongside the connection */
-            metadata?: Record<string, never>;
+            metadata?: Record<string, unknown>;
         };
         StartOAuthDto: {
             /** @description Application user identifier to associate the connection with */
diff --git a/packages/component-sdk/src/types.ts b/packages/component-sdk/src/types.ts
index 571b3057..3a674fd0 100644
--- a/packages/component-sdk/src/types.ts
+++ b/packages/component-sdk/src/types.ts
@@ -323,6 +323,7 @@ export type ComponentParameterType =
   | 'textarea'
   | 'number'
   | 'boolean'
+  | 'toggle'
   | 'select'
   | 'multi-select'
   | 'json'
@@ -374,7 +375,10 @@ export type ComponentCategory =
   | 'it_ops'
   | 'notification'
   | 'manual_action'
-  | 'output';
+  | 'output'
+  | 'process'
+  | 'cloud'
+  | 'core';
 
 export type ComponentUiType =
   | 'trigger'
diff --git a/worker/src/components/core/aws-assume-role.ts b/worker/src/components/core/aws-assume-role.ts
index 802db33f..6e14164c 100644
--- a/worker/src/components/core/aws-assume-role.ts
+++ b/worker/src/components/core/aws-assume-role.ts
@@ -12,6 +12,55 @@ import {
 import { awsCredentialSchema } from '@shipsec/contracts';
 import { STSClient, AssumeRoleCommand } from '@aws-sdk/client-sts';
 
+/**
+ * Reusable helper: assumes an AWS IAM role via STS.
+ * Exported for use by other components (e.g. prowler org scan).
+ */
+export async function assumeRole(
+  sourceCredentials: {
+    accessKeyId: string;
+    secretAccessKey: string;
+    sessionToken?: string;
+    region?: string;
+  },
+  roleArn: string,
+  options?: { externalId?: string; sessionName?: string },
+): Promise<{
+  accessKeyId: string;
+  secretAccessKey: string;
+  sessionToken?: string;
+  region?: string;
+}> {
+  const stsClient = new STSClient({
+    credentials: {
+      accessKeyId: sourceCredentials.accessKeyId,
+      secretAccessKey: sourceCredentials.secretAccessKey,
+      sessionToken: sourceCredentials.sessionToken,
+    },
+    region: sourceCredentials.region ?? 'us-east-1',
+  });
+
+  const command = new AssumeRoleCommand({
+    RoleArn: roleArn,
+    RoleSessionName: options?.sessionName ?? 'shipsec-session',
+    DurationSeconds: 3600,
+    ...(options?.externalId ? { ExternalId: options.externalId } : {}),
+  });
+
+  const response = await stsClient.send(command);
+
+  if (!response.Credentials) {
+    throw new Error(`STS AssumeRole did not return credentials for role ${roleArn}.`);
+  }
+
+  return {
+    accessKeyId: response.Credentials.AccessKeyId ?? '',
+    secretAccessKey: response.Credentials.SecretAccessKey ?? '',
+    sessionToken: response.Credentials.SessionToken,
+    region: sourceCredentials.region,
+  };
+}
+
 const inputSchema = inputs({
   sourceCredentials: port(awsCredentialSchema(), {
     label: 'Source Credentials',
@@ -84,49 +133,22 @@ const definition = defineComponent({
       );
     }
 
-    const roleArn = params.roleArn;
-    const sessionName = params.sessionName ?? 'shipsec-session';
+    const roleArn = params.roleArn as string;
+    const sessionName = (params.sessionName as string) ?? 'shipsec-session';
 
     context.emitProgress(`Assuming role ${roleArn}...`);
 
-    const stsClient = new STSClient({
-      credentials: {
-        accessKeyId: sourceCreds.accessKeyId,
-        secretAccessKey: sourceCreds.secretAccessKey,
-        sessionToken: sourceCreds.sessionToken,
-      },
-      region: sourceCreds.region ?? 'us-east-1',
+    const credentials = await assumeRole(sourceCreds, roleArn, {
+      externalId: params.externalId as string | undefined,
+      sessionName,
     });
 
-    const command = new AssumeRoleCommand({
-      RoleArn: roleArn,
-      RoleSessionName: sessionName,
-      DurationSeconds: 3600,
-      ...(params.externalId ? { ExternalId: params.externalId } : {}),
-    });
-
-    const response = await stsClient.send(command);
-
-    if (!response.Credentials) {
-      throw new ConfigurationError(
-        `STS AssumeRole did not return credentials for role ${roleArn}.`,
-        { configKey: 'roleArn' },
-      );
-    }
-
     context.logger.info(
       `[AWSAssumeRole] Successfully assumed role ${roleArn} (session: ${sessionName}).`,
     );
     context.emitProgress(`Assumed role ${roleArn} successfully.`);
 
-    return outputSchema.parse({
-      credentials: {
-        accessKeyId: response.Credentials.AccessKeyId ?? '',
-        secretAccessKey: response.Credentials.SecretAccessKey ?? '',
-        sessionToken: response.Credentials.SessionToken,
-        region: sourceCreds.region,
-      },
-    });
+    return outputSchema.parse({ credentials });
   },
 });
 
diff --git a/worker/src/components/core/aws-org-discovery.ts b/worker/src/components/core/aws-org-discovery.ts
index 12dfa131..e8ff4486 100644
--- a/worker/src/components/core/aws-org-discovery.ts
+++ b/worker/src/components/core/aws-org-discovery.ts
@@ -10,6 +10,47 @@ import {
 import { awsCredentialSchema } from '@shipsec/contracts';
 import { OrganizationsClient, paginateListAccounts } from '@aws-sdk/client-organizations';
 
+/**
+ * Reusable helper: discovers all accounts in an AWS Organization.
+ * Exported for use by other components (e.g. prowler org scan).
+ */
+export async function discoverOrgAccounts(
+  credentials: {
+    accessKeyId: string;
+    secretAccessKey: string;
+    sessionToken?: string;
+    region?: string;
+  },
+  region?: string,
+): Promise<{ id: string; name: string; status: string; email: string }[]> {
+  const client = new OrganizationsClient({
+    credentials: {
+      accessKeyId: credentials.accessKeyId,
+      secretAccessKey: credentials.secretAccessKey,
+      sessionToken: credentials.sessionToken,
+    },
+    region: region ?? credentials.region ?? 'us-east-1',
+  });
+
+  const accounts: { id: string; name: string; status: string; email: string }[] = [];
+  const paginator = paginateListAccounts({ client }, {});
+
+  for await (const page of paginator) {
+    if (page.Accounts) {
+      for (const account of page.Accounts) {
+        accounts.push({
+          id: account.Id ?? '',
+          name: account.Name ?? '',
+          status: account.Status ?? 'UNKNOWN',
+          email: account.Email ?? '',
+        });
+      }
+    }
+  }
+
+  return accounts;
+}
+
 const inputSchema = inputs({
   credentials: port(awsCredentialSchema(), {
     label: 'AWS Credentials',
@@ -65,31 +106,7 @@ const definition = defineComponent({
 
     context.emitProgress('Discovering AWS Organization accounts...');
 
-    const client = new OrganizationsClient({
-      credentials: {
-        accessKeyId: creds.accessKeyId,
-        secretAccessKey: creds.secretAccessKey,
-        sessionToken: creds.sessionToken,
-      },
-      region: creds.region ?? 'us-east-1',
-    });
-
-    const accounts: { id: string; name: string; status: string; email: string }[] = [];
-
-    const paginator = paginateListAccounts({ client }, {});
-
-    for await (const page of paginator) {
-      if (page.Accounts) {
-        for (const account of page.Accounts) {
-          accounts.push({
-            id: account.Id ?? '',
-            name: account.Name ?? '',
-            status: account.Status ?? 'UNKNOWN',
-            email: account.Email ?? '',
-          });
-        }
-      }
-    }
+    const accounts = await discoverOrgAccounts(creds, creds.region);
 
     context.logger.info(
       `[AWSOrGDiscovery] Discovered ${accounts.length} accounts in the organization.`,
diff --git a/worker/src/components/core/entry-point.ts b/worker/src/components/core/entry-point.ts
index 0957ac20..bd7b2dd1 100644
--- a/worker/src/components/core/entry-point.ts
+++ b/worker/src/components/core/entry-point.ts
@@ -34,6 +34,7 @@ const runtimeInputDefinitionSchema = z.preprocess(
       .describe('Type of input data'),
     required: z.boolean().default(true).describe('Whether this input is required'),
     description: z.string().optional().describe('Help text for the input'),
+    default: z.unknown().optional().describe('Default value when not provided at runtime'),
   }),
 );
 
@@ -142,7 +143,16 @@ const definition = defineComponent({
     const outputs: Record<string, unknown> = {};
 
     for (const inputDef of runtimeInputs) {
-      const value = __runtimeData?.[inputDef.id];
+      let value = __runtimeData?.[inputDef.id];
+
+      // Apply default when value is not provided
+      if (
+        (value === undefined || value === null || value === '') &&
+        inputDef.default !== undefined
+      ) {
+        value = inputDef.default;
+        context.logger.info(`[EntryPoint] Using default for '${inputDef.id}': ${inputDef.default}`);
+      }
 
       if (inputDef.required && (value === undefined || value === null)) {
         throw new ValidationError(
diff --git a/worker/src/components/core/integration-credential-resolver.ts b/worker/src/components/core/integration-credential-resolver.ts
index f7c08a14..c1f8186c 100644
--- a/worker/src/components/core/integration-credential-resolver.ts
+++ b/worker/src/components/core/integration-credential-resolver.ts
@@ -46,6 +46,15 @@ const parameterSchema = parameters({
         'Select an integration connection to resolve credentials from. Overridden when wired from an upstream node.',
     },
   ),
+  provider: param(
+    z.string().trim().optional().describe('Filter connections by provider (e.g. aws, slack).'),
+    {
+      label: 'Provider Filter',
+      editor: 'text',
+      description:
+        'Optional: restrict the connection dropdown to a specific provider (e.g. "aws", "slack"). Leave empty to show all.',
+    },
+  ),
 });
 
 const outputSchema = outputs({
diff --git a/worker/src/components/notification/slack.ts b/worker/src/components/notification/slack.ts
index f344d088..52da9cc5 100644
--- a/worker/src/components/notification/slack.ts
+++ b/worker/src/components/notification/slack.ts
@@ -19,12 +19,13 @@ const inputSchema = inputs({
 });
 
 const parameterSchema = parameters({
-  authType: param(z.enum(['bot_token', 'webhook']).default('bot_token'), {
+  authType: param(z.enum(['bot_token', 'webhook', 'credentials']).default('bot_token'), {
     label: 'Connection Method',
     editor: 'select',
     options: [
       { label: 'Slack App (Bot Token)', value: 'bot_token' },
       { label: 'Incoming Webhook', value: 'webhook' },
+      { label: 'Integration Connection', value: 'credentials' },
     ],
   }),
   variables: param(
@@ -49,6 +50,29 @@ const outputSchema = outputs({
   }),
 });
 
+/**
+ * Recursively flatten nested plain objects so that all leaf values
+ * are available as top-level keys.  For example:
+ *   { summary: { totalFindings: 5, severityCounts: { critical: 1 } } }
+ * becomes:
+ *   { summary: {...}, totalFindings: 5, severityCounts: {...}, critical: 1 }
+ *
+ * Later keys win when there are collisions, which gives inner objects
+ * higher specificity than outer ones (desirable for templates).
+ */
+function flattenObject(
+  obj: Record<string, any>,
+  result: Record<string, any> = {},
+): Record<string, any> {
+  for (const [key, value] of Object.entries(obj)) {
+    result[key] = value;
+    if (value && typeof value === 'object' && !Array.isArray(value)) {
+      flattenObject(value as Record<string, any>, result);
+    }
+  }
+  return result;
+}
+
 /**
  * Simple helper to replace {{var}} placeholders in a string
  */
@@ -104,6 +128,109 @@ const slackRetryPolicy: ComponentRetryPolicy = {
   nonRetryableErrorTypes: ['AuthenticationError', 'ConfigurationError', 'ValidationError'],
 };
 
+// ---------------------------------------------------------------------------
+// Execution helpers (one per auth mode)
+// ---------------------------------------------------------------------------
+
+async function executeWebhook(
+  body: any,
+  webhookUrl: unknown,
+  context: any,
+): Promise<z.infer<typeof outputSchema>> {
+  if (!webhookUrl) {
+    throw new ConfigurationError('Slack Webhook URL is required.', {
+      configKey: 'webhookUrl',
+    });
+  }
+  const url = typeof webhookUrl === 'string' ? webhookUrl : String(webhookUrl);
+  const response = await context.http.fetch(url, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify(body),
+  });
+  if (!response.ok) {
+    const responseBody = await response.text();
+    throw fromHttpResponse(response, responseBody);
+  }
+  return outputSchema.parse({ ok: true });
+}
+
+async function executeBotToken(
+  body: any,
+  slackToken: unknown,
+  channel: unknown,
+  thread_ts: unknown,
+  context: any,
+): Promise<z.infer<typeof outputSchema>> {
+  if (!slackToken) {
+    throw new ConfigurationError('Slack token missing.', {
+      configKey: 'slackToken',
+    });
+  }
+  body.channel = channel;
+  body.thread_ts = thread_ts;
+
+  const token = typeof slackToken === 'string' ? slackToken : String(slackToken);
+  const response = await context.http.fetch('https://slack.com/api/chat.postMessage', {
+    method: 'POST',
+    headers: {
+      'Content-Type': 'application/json',
+      Authorization: `Bearer ${token}`,
+    },
+    body: JSON.stringify(body),
+  });
+
+  const result = (await response.json()) as any;
+  if (!result.ok) {
+    if (result.error === 'invalid_auth' || result.error === 'token_revoked') {
+      throw new AuthenticationError(`Slack authentication failed: ${result.error}`);
+    }
+    return outputSchema.parse({ ok: false, error: result.error });
+  }
+  return outputSchema.parse({ ok: true, ts: result.ts });
+}
+
+async function executeWithCredentials(
+  body: any,
+  credentials: unknown,
+  channel: unknown,
+  thread_ts: unknown,
+  context: any,
+): Promise<z.infer<typeof outputSchema>> {
+  if (!credentials || typeof credentials !== 'object') {
+    throw new ConfigurationError(
+      'Credentials are required. Wire the "Credentials Data" output from an Integration Credential Resolver.',
+      { configKey: 'credentials' },
+    );
+  }
+
+  const creds = credentials as Record<string, unknown>;
+
+  // Auto-detect credential type from the resolved data shape
+  if ('accessToken' in creds && creds.accessToken) {
+    // OAuth bot token — delegate to the bot token flow
+    context.logger.info('[Slack] Using OAuth bot token from resolved credentials');
+    if (!channel) {
+      throw new ConfigurationError(
+        'Channel is required when using OAuth credentials. Set it as an input override or wire it from an upstream node.',
+        { configKey: 'channel' },
+      );
+    }
+    return executeBotToken(body, creds.accessToken, channel, thread_ts, context);
+  }
+
+  if ('webhookUrl' in creds && creds.webhookUrl) {
+    // Webhook URL — delegate to the webhook flow
+    context.logger.info('[Slack] Using webhook URL from resolved credentials');
+    return executeWebhook(body, creds.webhookUrl, context);
+  }
+
+  throw new ConfigurationError(
+    'Unrecognized credential format. Expected credentials with "accessToken" (OAuth) or "webhookUrl" (webhook).',
+    { configKey: 'credentials' },
+  );
+}
+
 const definition = defineComponent({
   id: 'core.notification.slack',
   label: 'Slack Message',
@@ -116,7 +243,7 @@ const definition = defineComponent({
   docs: 'Send dynamic Slack messages with {{variable}} support in both text and Block Kit JSON.',
   ui: {
     slug: 'slack-message',
-    version: '1.2.0',
+    version: '1.3.0',
     type: 'output',
     category: 'notification',
     description: 'Send plain text or rich Block Kit messages with dynamic template support.',
@@ -145,6 +272,22 @@ const definition = defineComponent({
         reason: 'Webhook URLs are secrets.',
         connectionType: { kind: 'primitive', name: 'secret' },
       });
+    } else if (params.authType === 'credentials') {
+      inputShape.credentials = port(z.record(z.string(), z.unknown()), {
+        label: 'Credentials',
+        description:
+          'Resolved credentials from the Integration Credential Resolver. Accepts OAuth (bot token) or webhook credentials.',
+        allowAny: true,
+        reason: 'Credential payloads vary by provider and credential type.',
+        editor: 'secret',
+        connectionType: { kind: 'any' },
+      });
+      inputShape.channel = port(z.string().optional(), {
+        label: 'Channel',
+        description:
+          'Slack channel ID or name. Required when credentials resolve to an OAuth bot token.',
+      });
+      inputShape.thread_ts = port(z.string().optional(), { label: 'Thread TS' });
     } else {
       inputShape.slackToken = port(z.unknown(), {
         label: 'Bot Token',
@@ -169,12 +312,17 @@ const definition = defineComponent({
     return { inputs: inputs(inputShape) };
   },
   async execute({ inputs, params }, context) {
-    const { text, blocks, channel, thread_ts, slackToken, webhookUrl } = inputs as Record<
-      string,
-      unknown
-    >;
+    const { text, blocks, channel, thread_ts, slackToken, webhookUrl, credentials } =
+      inputs as Record<string, unknown>;
     const { authType } = params;
-    const contextData = { ...params, ...inputs };
+    // Include execution context metadata so templates can use {{runId}}, {{workflowId}}, etc.
+    const contextData = flattenObject({
+      ...params,
+      ...inputs,
+      runId: context.runId,
+      workflowId: context.workflowId ?? '',
+      workflowName: context.workflowName ?? '',
+    });
 
     // 1. Interpolate text
     const finalText = interpolate(text as string, contextData);
@@ -192,67 +340,25 @@ const definition = defineComponent({
         finalBlocks = undefined;
       }
     } else if (Array.isArray(blocks)) {
-      // If it's already an object, we'd need a deep interpolation,
-      // but typically users will pass a JSON string template for simplicity.
-      // For now, let's stringify and interpolate to support variables in objects too!
       const str = JSON.stringify(blocks);
       const interpolated = interpolate(str, contextData);
       finalBlocks = JSON.parse(interpolated);
     }
 
-    context.logger.info(`[Slack] Sending message to ${authType}...`);
+    context.logger.info(`[Slack] Sending message via ${authType}...`);
 
     const body: any = {
       text: finalText,
       blocks: finalBlocks,
     };
 
-    if (authType === 'webhook') {
-      if (!webhookUrl) {
-        throw new ConfigurationError('Slack Webhook URL is required.', {
-          configKey: 'webhookUrl',
-        });
-      }
-      const url = typeof webhookUrl === 'string' ? webhookUrl : String(webhookUrl);
-      const response = await context.http.fetch(url, {
-        method: 'POST',
-        headers: { 'Content-Type': 'application/json' },
-        body: JSON.stringify(body),
-      });
-      if (!response.ok) {
-        const responseBody = await response.text();
-        throw fromHttpResponse(response, responseBody);
-      }
-      return outputSchema.parse({ ok: true });
+    // 3. Dispatch based on auth type
+    if (authType === 'credentials') {
+      return executeWithCredentials(body, credentials, channel, thread_ts, context);
+    } else if (authType === 'webhook') {
+      return executeWebhook(body, webhookUrl, context);
     } else {
-      if (!slackToken) {
-        throw new ConfigurationError('Slack token missing.', {
-          configKey: 'slackToken',
-        });
-      }
-      body.channel = channel;
-      body.thread_ts = thread_ts;
-
-      const token = typeof slackToken === 'string' ? slackToken : String(slackToken);
-      const response = await context.http.fetch('https://slack.com/api/chat.postMessage', {
-        method: 'POST',
-        headers: {
-          'Content-Type': 'application/json',
-          Authorization: `Bearer ${token}`,
-        },
-        body: JSON.stringify(body),
-      });
-
-      const result = (await response.json()) as any;
-      if (!result.ok) {
-        // Slack API returns ok: false with an error code
-        // Check for common auth errors
-        if (result.error === 'invalid_auth' || result.error === 'token_revoked') {
-          throw new AuthenticationError(`Slack authentication failed: ${result.error}`);
-        }
-        return outputSchema.parse({ ok: false, error: result.error });
-      }
-      return outputSchema.parse({ ok: true, ts: result.ts });
+      return executeBotToken(body, slackToken, channel, thread_ts, context);
     }
   },
 });
diff --git a/worker/src/components/security/prowler-scan.ts b/worker/src/components/security/prowler-scan.ts
index 207bdf77..72ecf50e 100644
--- a/worker/src/components/security/prowler-scan.ts
+++ b/worker/src/components/security/prowler-scan.ts
@@ -1,11 +1,9 @@
 import { z } from 'zod';
-import { spawn } from 'node:child_process';
 import {
   componentRegistry,
   ComponentRetryPolicy,
   ConfigurationError,
   runComponentWithRunner,
-  resolveDockerPath,
   ServiceError,
   ValidationError,
   defineComponent,
@@ -22,69 +20,47 @@ import {
 import type { DockerRunnerConfig } from '@shipsec/component-sdk';
 import { awsCredentialSchema } from '@shipsec/contracts';
 import { IsolatedContainerVolume } from '../../utils/isolated-volume';
-
-const recommendedFlagOptions = [
-  {
-    id: 'quick',
-    label: 'Quick scan (removed in v4 — ignored)',
-    description: 'Kept for backwards compatibility; Prowler v4 ignores this option.',
-    args: [],
-    defaultSelected: false,
-  },
-  {
-    id: 'severity-high-critical',
-    label: 'Severity filter: high+critical (--severity high critical)',
-    description: 'Limit findings to high and critical severities.',
-    // Prowler v4 (argparse) accepts multiple choices in one --severity
-    // Example: --severity high critical
-    args: ['--severity', 'high', 'critical'],
-    defaultSelected: true,
-  },
-  {
-    id: 'ignore-exit-code',
-    label: 'Do not fail on findings (--ignore-exit-code-3)',
-    description: 'Treat exit code 3 (findings present) as success so flows do not fail.',
-    args: ['--ignore-exit-code-3'],
-    defaultSelected: true,
-  },
-  {
-    id: 'no-banner',
-    label: 'Hide banner (--no-banner)',
-    description: 'Remove the ASCII banner from stdout for cleaner logs.',
-    args: ['--no-banner'],
-    defaultSelected: true,
-  },
-] as const;
-
-type RecommendedFlagId = (typeof recommendedFlagOptions)[number]['id'];
-
-const defaultSelectedFlagIds: RecommendedFlagId[] = recommendedFlagOptions
-  .filter((option) => option.defaultSelected)
-  .map((option) => option.id);
-
-const recommendedFlagIdSchema = z.enum(
-  recommendedFlagOptions.map((option) => option.id) as [RecommendedFlagId, ...RecommendedFlagId[]],
-);
-
-const severityLevels = ['critical', 'high', 'medium', 'low', 'informational', 'unknown'] as const;
-type NormalisedSeverity = (typeof severityLevels)[number];
-
-const statusLevels = [
-  'FAILED',
-  'PASSED',
-  'WARNING',
-  'NOT_APPLICABLE',
-  'NOT_AVAILABLE',
-  'UNKNOWN',
-] as const;
-type NormalisedStatus = (typeof statusLevels)[number];
+import { discoverOrgAccounts } from '../core/aws-org-discovery';
+import { assumeRole } from '../core/aws-assume-role';
+import {
+  severityLevels,
+  recommendedFlagOptions,
+  defaultSelectedFlagIds,
+  recommendedFlagIdSchema,
+  recommendedFlagMap,
+  runnerPayloadSchema,
+  normalisedFindingSchema,
+  normaliseFindings,
+  mapToAnalyticsSeverity,
+  buildScanId,
+  buildMemberRoleArn,
+  listVolumeFiles,
+  setVolumeOwnership,
+  splitArgs,
+  type NormalisedSeverity,
+  type NormalisedFinding,
+  type RecommendedFlagId,
+} from './prowler-shared';
+
+// ---------------------------------------------------------------------------
+// Constants
+// ---------------------------------------------------------------------------
+
+const PROWLER_IMAGE = 'ghcr.io/shipsecai/prowler:latest';
+const SINGLE_ACCOUNT_TIMEOUT_SECONDS = 900;
+const _ORG_SCAN_TIMEOUT_SECONDS = 7200;
+const FLUSH_THRESHOLD = 5000;
+
+// ---------------------------------------------------------------------------
+// Inputs
+// ---------------------------------------------------------------------------
 
 const inputSchema = inputs({
   accountId: port(
     z
       .string()
-      .min(1, 'Account ID is required')
-      .describe('AWS account to tag findings with (required for AWS scans).'),
+      .optional()
+      .describe('AWS account to tag findings with. Required when orgScan is false.'),
     {
       label: 'Account ID',
       description: 'Account identifier forwarded from the AWS Credentials component.',
@@ -114,6 +90,10 @@ const inputSchema = inputs({
   ),
 });
 
+// ---------------------------------------------------------------------------
+// Parameters
+// ---------------------------------------------------------------------------
+
 const parameterSchema = parameters({
   scanMode: param(
     z
@@ -164,80 +144,97 @@ const parameterSchema = parameters({
       description: 'Any extra CLI flags appended verbatim to the prowler command.',
     },
   ),
+  orgScan: param(
+    z
+      .boolean()
+      .default(false)
+      .describe('When enabled, discovers all org accounts and scans each one.'),
+    {
+      label: 'Org-Wide Scan',
+      editor: 'toggle',
+      description:
+        'Enable to scan all accounts in an AWS Organization. Credentials must belong to the management account.',
+    },
+  ),
+  memberRoleName: param(
+    z
+      .string()
+      .default('OrganizationAccountAccessRole')
+      .describe('IAM role name to assume in each member account.'),
+    {
+      label: 'Member Role Name',
+      editor: 'text',
+      description:
+        'Name of the IAM role to assume in each member account. Supports full ARN templates with {accountId} placeholder.',
+      visibleWhen: { orgScan: true },
+    },
+  ),
+  externalId: param(
+    z.string().optional().describe('Optional external ID for cross-account role assumption.'),
+    {
+      label: 'External ID',
+      editor: 'text',
+      description: 'Optional external ID required by the trust policy of the member role.',
+      visibleWhen: { orgScan: true },
+    },
+  ),
+  continueOnError: param(
+    z
+      .boolean()
+      .default(true)
+      .describe('When true, continue scanning remaining accounts if one fails.'),
+    {
+      label: 'Continue on Error',
+      editor: 'toggle',
+      description: 'If a member account scan fails, record the error and continue to the next.',
+      visibleWhen: { orgScan: true },
+    },
+  ),
+  skipManagementAccount: param(
+    z
+      .boolean()
+      .default(false)
+      .describe('When true, skip the management account from org-wide scanning.'),
+    {
+      label: 'Skip Management Account',
+      editor: 'toggle',
+      description: 'Exclude the management account (the one providing credentials) from scanning.',
+      visibleWhen: { orgScan: true },
+    },
+  ),
+  maxConcurrency: param(
+    z
+      .number()
+      .int()
+      .min(1)
+      .max(5)
+      .default(1)
+      .describe('Number of accounts to scan concurrently (1-5).'),
+    {
+      label: 'Max Concurrency',
+      editor: 'number',
+      description:
+        'Number of accounts to scan in parallel. Higher values scan faster but use more resources.',
+      visibleWhen: { orgScan: true },
+    },
+  ),
 });
 
-const prowlerFindingSchema = z
-  .object({
-    Id: z.string().optional(),
-    Title: z.string().optional(),
-    Description: z.string().optional(),
-    AwsAccountId: z.string().optional(),
-    Severity: z
-      .object({
-        Label: z.string().optional(),
-        Original: z.string().optional(),
-        Normalized: z.number().optional(),
-      })
-      .partial()
-      .optional(),
-    Compliance: z
-      .object({
-        Status: z.string().optional(),
-      })
-      .partial()
-      .optional(),
-    Resources: z
-      .array(
-        z
-          .object({
-            Id: z.string().optional(),
-            Type: z.string().optional(),
-            Region: z.string().optional(),
-          })
-          .passthrough(),
-      )
-      .optional(),
-    Remediation: z
-      .object({
-        Recommendation: z
-          .object({
-            Text: z.string().optional(),
-            Url: z.string().optional(),
-          })
-          .partial()
-          .optional(),
-      })
-      .partial()
-      .optional(),
-  })
-  .passthrough();
-
-type ProwlerFinding = z.infer<typeof prowlerFindingSchema>;
-
-const runnerPayloadSchema = z.object({
-  returncode: z.number().int(),
-  stdout: z.string(),
-  stderr: z.string(),
-  command: z.array(z.string()),
-  artifacts: z.array(z.string()).default([]),
-  parse_error: z.string().optional(),
-});
+// ---------------------------------------------------------------------------
+// Account summary schema (for org mode)
+// ---------------------------------------------------------------------------
 
-const normalisedFindingSchema = z.object({
-  id: z.string(),
-  title: z.string().nullable(),
-  accountId: z.string().nullable(),
-  resourceId: z.string().nullable(),
-  region: z.string().nullable(),
-  severity: z.enum(severityLevels),
-  status: z.enum(statusLevels),
-  description: z.string().nullable(),
-  remediationText: z.string().nullable(),
-  recommendationUrl: z.string().nullable(),
-  rawFinding: z.unknown(),
+const accountSummarySchema = z.object({
+  accountId: z.string(),
+  accountName: z.string(),
+  findingCount: z.number(),
+  status: z.enum(['scanned', 'failed', 'skipped']),
+  error: z.string().optional(),
 });
 
-type NormalisedFinding = z.infer<typeof normalisedFindingSchema>;
+// ---------------------------------------------------------------------------
+// Outputs
+// ---------------------------------------------------------------------------
 
 const outputSchema = outputs({
   scanId: port(z.string(), {
@@ -271,6 +268,7 @@ const outputSchema = outputs({
       scanMode: z.enum(['aws', 'cloud']),
       selectedFlagIds: z.array(recommendedFlagIdSchema),
       customFlags: z.string().nullable(),
+      accountSummaries: z.array(accountSummarySchema).optional(),
     }),
     {
       label: 'Summary',
@@ -292,714 +290,812 @@ const outputSchema = outputs({
   }),
 });
 
-const recommendedFlagMap = new Map<RecommendedFlagId, string[]>(
-  recommendedFlagOptions.map((option) => [option.id, [...option.args]]),
-);
-
-async function listVolumeFiles(volume: IsolatedContainerVolume): Promise<string[]> {
-  const volumeName = volume.getVolumeName();
-  if (!volumeName) return [];
-
-  const dockerPath = await resolveDockerPath();
-  return new Promise((resolve, reject) => {
-    const proc = spawn(dockerPath, [
-      'run',
-      '--rm',
-      '-v',
-      `${volumeName}:/data`,
-      '--entrypoint',
-      'sh',
-      'alpine:3.20',
-      '-c',
-      'ls -1 /data',
-    ]);
-
-    let stdout = '';
-    let stderr = '';
-
-    proc.stdout.on('data', (data) => {
-      stdout += data.toString();
-    });
+// ---------------------------------------------------------------------------
+// Retry policy
+// ---------------------------------------------------------------------------
 
-    proc.stderr.on('data', (data) => {
-      stderr += data.toString();
-    });
+const prowlerRetryPolicy: ComponentRetryPolicy = {
+  maxAttempts: 2,
+  initialIntervalSeconds: 10,
+  maximumIntervalSeconds: 60,
+  backoffCoefficient: 1.5,
+  nonRetryableErrorTypes: ['ConfigurationError', 'ValidationError'],
+};
 
-    proc.on('error', (error) => {
-      reject(error);
-    });
+// ---------------------------------------------------------------------------
+// Shared helpers (internal to this file)
+// ---------------------------------------------------------------------------
 
-    proc.on('close', (code) => {
-      if (code !== 0) {
-        reject(new Error(`Failed to list volume files: ${stderr.trim()}`));
-      } else {
-        resolve(
-          stdout
-            .split('\n')
-            .map((line) => line.trim())
-            .filter((line) => line.length > 0),
-        );
-      }
-    });
-  });
+type ParsedInputs = ReturnType<typeof inputSchema.parse>;
+type ParsedParams = ReturnType<typeof parameterSchema.parse>;
+
+interface PreparedScan {
+  regions: string[];
+  selectedFlags: Set<RecommendedFlagId>;
+  resolvedFlagArgs: string[];
 }
 
-/**
- * Sets ownership of volume contents for the Prowler container.
- * Prowler runs as user 'prowler' with UID 1000, so we need to chown
- * the output directory to allow Prowler to create subdirectories.
- */
-async function setVolumeOwnership(
-  volume: IsolatedContainerVolume,
-  uid = 1000,
-  gid = 1000,
-): Promise<void> {
-  const volumeName = volume.getVolumeName();
-  if (!volumeName) return;
-
-  const dockerPath = await resolveDockerPath();
-  return new Promise((resolve, reject) => {
-    const proc = spawn(dockerPath, [
-      'run',
-      '--rm',
-      '-v',
-      `${volumeName}:/data`,
-      '--entrypoint',
-      'sh',
-      'alpine:3.20',
-      '-c',
-      `chown -R ${uid}:${gid} /data && chmod -R 755 /data`,
-    ]);
-
-    let stderr = '';
-
-    proc.stderr.on('data', (data) => {
-      stderr += data.toString();
-    });
+function prepareScan(parsedInputs: ParsedInputs, parsedParams: ParsedParams): PreparedScan {
+  const parsedRegions = parsedInputs.regions
+    .split(',')
+    .map((region: string) => region.trim())
+    .filter((region: string) => region.length > 0);
+  const regions = parsedRegions.length > 0 ? parsedRegions : ['us-east-1'];
+
+  const selectedFlags = new Set<RecommendedFlagId>(
+    parsedParams.recommendedFlags ?? defaultSelectedFlagIds,
+  );
+  const resolvedFlagArgs = Array.from(selectedFlags).flatMap(
+    (flagId) => recommendedFlagMap.get(flagId) ?? [],
+  );
+
+  return { regions, selectedFlags, resolvedFlagArgs };
+}
 
-    proc.on('error', (error) => {
-      reject(new Error(`Failed to set volume ownership: ${error.message}`));
-    });
+function buildCommand(
+  scanMode: 'aws' | 'cloud',
+  regions: string[],
+  resolvedFlagArgs: string[],
+  customFlags?: string,
+): string[] {
+  const cmd: string[] = [scanMode];
+  if (scanMode === 'aws') {
+    for (const region of regions) {
+      cmd.push('--region', region);
+    }
+  }
+  if (!resolvedFlagArgs.includes('--ignore-exit-code-3')) {
+    resolvedFlagArgs.push('--ignore-exit-code-3');
+  }
+  cmd.push(...resolvedFlagArgs);
+  if (customFlags && customFlags.trim().length > 0) {
+    try {
+      cmd.push(...splitArgs(customFlags));
+    } catch (err) {
+      throw new ValidationError(`Failed to parse custom CLI flags: ${(err as Error).message}`, {
+        cause: err as Error,
+        fieldErrors: { customFlags: ['Invalid CLI flag syntax'] },
+      });
+    }
+  }
+  cmd.push(
+    '--output-formats',
+    'json-asff',
+    '--output-directory',
+    '/output',
+    '--output-filename',
+    'shipsec',
+  );
+  return cmd;
+}
 
-    proc.on('close', (code) => {
-      if (code !== 0) {
-        reject(new Error(`Failed to set volume ownership: ${stderr.trim()}`));
-      } else {
-        resolve();
-      }
-    });
+function buildAwsEnv(
+  credentials: { accessKeyId: string; secretAccessKey: string; sessionToken?: string },
+  regions: string[],
+  scanMode: 'aws' | 'cloud',
+): Record<string, string> {
+  const awsEnv: Record<string, string> = {};
+  awsEnv.AWS_ACCESS_KEY_ID = credentials.accessKeyId;
+  awsEnv.AWS_SECRET_ACCESS_KEY = credentials.secretAccessKey;
+  if (credentials.sessionToken) {
+    awsEnv.AWS_SESSION_TOKEN = credentials.sessionToken;
+  }
+  awsEnv.AWS_SHARED_CREDENTIALS_FILE = '/home/prowler/.aws/credentials';
+  awsEnv.AWS_CONFIG_FILE = '/home/prowler/.aws/config';
+  awsEnv.AWS_PROFILE = 'default';
+  if (scanMode === 'aws' && regions.length > 0) {
+    awsEnv.AWS_REGION = regions[0];
+    awsEnv.AWS_DEFAULT_REGION = regions[0];
+  }
+  return awsEnv;
+}
+
+function buildAnalyticsResults(findings: NormalisedFinding[]): AnalyticsResult[] {
+  return findings.map((finding) => ({
+    scanner: 'prowler',
+    finding_hash: generateFindingHash(
+      finding.id,
+      finding.resourceId ?? finding.accountId ?? '',
+      finding.title ?? '',
+    ),
+    severity: mapToAnalyticsSeverity(finding.severity),
+    asset_key: finding.resourceId ?? finding.accountId ?? undefined,
+    title: finding.title,
+    description: finding.description,
+    region: finding.region,
+    status: finding.status,
+    remediationText: finding.remediationText,
+    recommendationUrl: finding.recommendationUrl,
+  }));
+}
+
+function computeSeverityCounts(findings: NormalisedFinding[]) {
+  const severityCounts: Record<NormalisedSeverity, number> = {
+    critical: 0,
+    high: 0,
+    medium: 0,
+    low: 0,
+    informational: 0,
+    unknown: 0,
+  };
+  let failed = 0;
+  let passed = 0;
+  let unknown = 0;
+
+  findings.forEach((finding) => {
+    severityCounts[finding.severity] = (severityCounts[finding.severity] ?? 0) + 1;
+    switch (finding.status) {
+      case 'FAILED':
+        failed += 1;
+        break;
+      case 'PASSED':
+        passed += 1;
+        break;
+      default:
+        unknown += 1;
+    }
   });
+
+  return { severityCounts, failed, passed, unknown };
 }
 
-// Retry policy for Prowler - AWS security scans
-const prowlerRetryPolicy: ComponentRetryPolicy = {
-  maxAttempts: 2,
-  initialIntervalSeconds: 10,
-  maximumIntervalSeconds: 60,
-  backoffCoefficient: 1.5,
-  nonRetryableErrorTypes: ['ConfigurationError', 'ValidationError'],
-};
+// ---------------------------------------------------------------------------
+// Single-account scan (existing behavior)
+// ---------------------------------------------------------------------------
+
+async function executeSingleAccountScan(
+  { inputs, params }: { inputs: unknown; params: unknown },
+  context: any,
+): Promise<Output> {
+  const parsedInputs = inputSchema.parse(inputs);
+  const parsedParams = parameterSchema.parse(params);
+
+  if (!parsedInputs.accountId) {
+    throw new ConfigurationError(
+      'Account ID is required for single-account scans. Provide it via the accountId input port.',
+      { configKey: 'accountId' },
+    );
+  }
 
-const definition = defineComponent({
-  id: 'security.prowler.scan',
-  label: 'Prowler Scan',
-  category: 'security',
-  retryPolicy: prowlerRetryPolicy,
-  runner: {
+  const { regions, selectedFlags, resolvedFlagArgs } = prepareScan(parsedInputs, parsedParams);
+
+  if (parsedParams.scanMode === 'aws' && !parsedInputs.credentials) {
+    throw new ConfigurationError(
+      'AWS scan requires credentials input. Ensure the previous step outputs { accessKeyId, secretAccessKey, sessionToken? } into the "credentials" input.',
+      { configKey: 'credentials' },
+    );
+  }
+
+  const tenantId = (context as any).tenantId ?? 'default-tenant';
+  const awsCredsVolume = parsedInputs.credentials
+    ? new IsolatedContainerVolume(tenantId, `${context.runId}-prowler-aws`)
+    : null;
+
+  const awsEnv = parsedInputs.credentials
+    ? buildAwsEnv(parsedInputs.credentials, regions, parsedParams.scanMode)
+    : {};
+
+  context.logger.info(
+    `[ProwlerScan] Running prowler ${parsedParams.scanMode} for ${parsedInputs.accountId} with regions: ${regions.join(', ')}`,
+  );
+  context.emitProgress(
+    `Executing prowler ${parsedParams.scanMode} scan across ${regions.length} region${regions.length === 1 ? '' : 's'}`,
+  );
+
+  const cmd = buildCommand(
+    parsedParams.scanMode,
+    regions,
+    resolvedFlagArgs,
+    parsedParams.customFlags,
+  );
+  context.logger.info(`[ProwlerScan] Command: ${cmd.join(' ')}`);
+
+  const dockerRunner: DockerRunnerConfig = {
     kind: 'docker',
-    image: 'ghcr.io/shipsecai/prowler:latest',
+    image: PROWLER_IMAGE,
     platform: 'linux/amd64',
-    command: [], // Placeholder - actual command built dynamically in execute()
-  },
-  inputs: inputSchema,
-  outputs: outputSchema,
-  parameters: parameterSchema,
-  docs: 'Execute Prowler inside Docker using `ghcr.io/shipsecai/prowler` (amd64 enforced on ARM hosts). Supports AWS account scans and the multi-cloud `prowler cloud` overview, with optional CLI flag customisation.',
-  toolProvider: {
-    kind: 'component',
-    name: 'prowler_scan',
-    description: 'AWS and multi-cloud security assessment tool (Prowler).',
-  },
-  ui: {
-    slug: 'prowler-scan',
-    version: '2.0.0',
-    type: 'scan',
-    category: 'security',
-    description:
-      'Run Toniblyx Prowler to assess AWS accounts or multi-cloud posture. Streams raw logs while returning structured findings in ASFF-derived JSON.',
-    documentation: 'https://github.com/prowler-cloud/prowler',
-    icon: 'ShieldCheck',
-    author: {
-      name: 'ShipSecAI',
-      type: 'shipsecai',
+    network: 'bridge',
+    timeoutSeconds: SINGLE_ACCOUNT_TIMEOUT_SECONDS,
+    env: {
+      HOME: '/home/prowler',
+      ...awsEnv,
     },
-    isLatest: true,
-    deprecated: false,
-    examples: [
-      'Run nightly `prowler aws --quick --severity-filter high,critical` scans on production accounts and forward findings into ELK.',
-      'Use `prowler cloud` with custom flags to generate a multi-cloud compliance snapshot.',
-    ],
-  },
-  async execute({ inputs, params }, context) {
-    const parsedInputs = inputSchema.parse(inputs);
-    const parsedParams = parameterSchema.parse(params);
+    command: cmd,
+    volumes: [],
+  };
 
-    // Helper: split custom CLI flags honoring simple quotes
-    const splitArgs = (input: string): string[] => {
-      const args: string[] = [];
-      let current = '';
-      let quote: '"' | "'" | null = null;
-      let escape = false;
-      for (const ch of input) {
-        if (escape) {
-          current += ch;
-          escape = false;
-          continue;
-        }
-        if (ch === '\\') {
-          escape = true;
-          continue;
+  let rawSegments: string[] = [];
+  let commandForOutput: string[] = cmd;
+  let stderrCombined = '';
+  const outputVolume = new IsolatedContainerVolume(tenantId, `${context.runId}-prowler-out`);
+  let outputVolumeInitialized = false;
+  let awsVolumeInitialized = false;
+
+  try {
+    try {
+      if (awsCredsVolume && parsedInputs.credentials) {
+        const credsLines = [
+          '[default]',
+          `aws_access_key_id = ${parsedInputs.credentials.accessKeyId ?? ''}`,
+          `aws_secret_access_key = ${parsedInputs.credentials.secretAccessKey ?? ''}`,
+        ];
+        if (parsedInputs.credentials.sessionToken) {
+          credsLines.push(`aws_session_token = ${parsedInputs.credentials.sessionToken}`);
         }
-        if (quote) {
-          if (ch === quote) {
-            quote = null;
-          } else {
-            current += ch;
+
+        const cfgRegion = regions[0] ?? 'us-east-1';
+        const cfgLines = ['[default]', `region = ${cfgRegion}`, 'output = json'];
+
+        await awsCredsVolume.initialize({
+          credentials: credsLines.join('\n'),
+          config: cfgLines.join('\n'),
+        });
+        awsVolumeInitialized = true;
+        context.logger.info(
+          `[ProwlerScan] Created isolated AWS creds volume: ${awsCredsVolume.getVolumeName()}`,
+        );
+
+        dockerRunner.volumes = [
+          ...(dockerRunner.volumes ?? []),
+          awsCredsVolume.getVolumeConfig('/home/prowler/.aws', true),
+        ];
+      }
+
+      await outputVolume.initialize({});
+      outputVolumeInitialized = true;
+      await setVolumeOwnership(outputVolume, 1000, 1000);
+      context.logger.info(
+        `[ProwlerScan] Created isolated output volume: ${outputVolume.getVolumeName()}`,
+      );
+      dockerRunner.volumes = [
+        ...(dockerRunner.volumes ?? []),
+        outputVolume.getVolumeConfig('/output', false),
+      ];
+
+      const raw = await runComponentWithRunner<Record<string, unknown>, unknown>(
+        dockerRunner,
+        async () => ({}) as unknown,
+        {},
+        context,
+      );
+
+      if (raw && typeof raw === 'object' && !Array.isArray(raw)) {
+        const parsed = runnerPayloadSchema.safeParse(raw);
+        if (parsed.success) {
+          const result = parsed.data;
+          if (result.parse_error) {
+            throw new ValidationError(`Failed to parse custom CLI flags: ${result.parse_error}`, {
+              fieldErrors: { customFlags: ['Invalid CLI flag syntax'] },
+            });
           }
-          continue;
-        }
-        if (ch === '"' || ch === "'") {
-          quote = ch as '"' | "'";
-          continue;
+          if (result.returncode !== 0) {
+            const msg = result.stderr.trim();
+            throw new ServiceError(
+              msg.length > 0 ? msg : `prowler exited with status ${result.returncode}`,
+              {
+                details: { returncode: result.returncode },
+              },
+            );
+          }
+          rawSegments = result.artifacts.length > 0 ? result.artifacts : [result.stdout];
+          commandForOutput = result.command;
+          stderrCombined = result.stderr;
         }
-        if (/\s/.test(ch)) {
-          if (current.length > 0) {
-            args.push(current);
-            current = '';
+      }
+    } catch (err) {
+      const msg = (err as Error)?.message ?? '';
+      const isFindingsExit = /exit code\s*3/.test(msg);
+      if (isFindingsExit) {
+        context.logger.info(
+          '[ProwlerScan] Prowler exited with code 3 (findings present); continuing to parse output.',
+        );
+        stderrCombined = msg;
+      } else {
+        throw err;
+      }
+    }
+
+    if (rawSegments.length === 0) {
+      try {
+        const entries = await listVolumeFiles(outputVolume);
+        const jsonFiles = entries.filter((f) => f.toLowerCase().endsWith('.json'));
+        const contents: string[] = [];
+        for (const file of jsonFiles) {
+          try {
+            const fileMap = await outputVolume.readFiles([file]);
+            contents.push(fileMap[file]);
+          } catch {
+            // Skip files that can't be read
           }
-          continue;
         }
-        current += ch;
+        rawSegments = contents;
+      } catch {
+        // Fall through to check if rawSegments is empty
       }
-      if (current.length > 0) args.push(current);
-      return args;
-    };
-    const parsedRegions = parsedInputs.regions
-      .split(',')
-      .map((region) => region.trim())
-      .filter((region) => region.length > 0);
-    const regions = parsedRegions.length > 0 ? parsedRegions : ['us-east-1'];
-
-    const selectedFlags = new Set<RecommendedFlagId>(
-      parsedParams.recommendedFlags ?? defaultSelectedFlagIds,
-    );
-    const resolvedFlagArgs = Array.from(selectedFlags).flatMap(
-      (flagId) => recommendedFlagMap.get(flagId) ?? [],
-    );
+    }
+
+    const { findings, errors } =
+      rawSegments.length > 0
+        ? normaliseFindings(rawSegments, context.runId)
+        : { findings: [] as NormalisedFinding[], errors: [] as string[] };
 
-    // Validate creds when running AWS scans
-    if (parsedParams.scanMode === 'aws' && !parsedInputs.credentials) {
-      throw new ConfigurationError(
-        'AWS scan requires credentials input. Ensure the previous step outputs { accessKeyId, secretAccessKey, sessionToken? } into the "credentials" input.',
-        { configKey: 'credentials' },
+    if (rawSegments.length === 0) {
+      context.logger.info(
+        '[ProwlerScan] Prowler produced no ASFF output \u2014 likely 0 findings for the selected severity/region.',
       );
     }
 
-    // Prepare AWS environment and optional shared credentials/config files
-    const awsEnv: Record<string, string> = {};
-    const tenantId = (context as any).tenantId ?? 'default-tenant';
-    const awsCredsVolume = parsedInputs.credentials
-      ? new IsolatedContainerVolume(tenantId, `${context.runId}-prowler-aws`)
-      : null;
-
-    if (parsedInputs.credentials) {
-      awsEnv.AWS_ACCESS_KEY_ID = parsedInputs.credentials.accessKeyId;
-      awsEnv.AWS_SECRET_ACCESS_KEY = parsedInputs.credentials.secretAccessKey;
-      if (parsedInputs.credentials.sessionToken) {
-        awsEnv.AWS_SESSION_TOKEN = parsedInputs.credentials.sessionToken;
-      }
+    const { severityCounts, failed, passed, unknown } = computeSeverityCounts(findings);
+    const scanId = buildScanId(parsedInputs.accountId, parsedParams.scanMode);
+    const results = buildAnalyticsResults(findings);
+
+    const output: Output = {
+      scanId,
+      findings,
+      results,
+      rawOutput: rawSegments.join('\n'),
+      summary: {
+        totalFindings: findings.length,
+        failed,
+        passed,
+        unknown,
+        severityCounts,
+        generatedAt: new Date().toISOString(),
+        regions,
+        scanMode: parsedParams.scanMode,
+        selectedFlagIds: Array.from(selectedFlags),
+        customFlags: parsedParams.customFlags?.trim() || null,
+      },
+      command: commandForOutput,
+      stderr: stderrCombined,
+      errors: errors.length > 0 ? errors : undefined,
+    };
 
-      // Hint to SDKs where to find the shared files
-      awsEnv.AWS_SHARED_CREDENTIALS_FILE = '/home/prowler/.aws/credentials';
-      awsEnv.AWS_CONFIG_FILE = '/home/prowler/.aws/config';
-      awsEnv.AWS_PROFILE = 'default';
+    return outputSchema.parse(output);
+  } finally {
+    if (outputVolumeInitialized) {
+      await outputVolume.cleanup();
+      context.logger.info('[ProwlerScan] Cleaned up output volume');
     }
-
-    if (parsedParams.scanMode === 'aws' && regions.length > 0) {
-      awsEnv.AWS_REGION = awsEnv.AWS_REGION ?? regions[0];
-      awsEnv.AWS_DEFAULT_REGION = awsEnv.AWS_DEFAULT_REGION ?? regions[0];
+    if (awsVolumeInitialized && awsCredsVolume) {
+      await awsCredsVolume.cleanup();
+      context.logger.info('[ProwlerScan] Cleaned up AWS creds volume');
     }
+  }
+}
 
+// ---------------------------------------------------------------------------
+// Org-wide scan (new)
+// ---------------------------------------------------------------------------
+
+interface AccountScanResult {
+  accountId: string;
+  accountName: string;
+  status: 'scanned' | 'failed' | 'skipped';
+  findingCount: number;
+  error?: string;
+  findings?: NormalisedFinding[];
+  results?: AnalyticsResult[];
+  rawSegments?: string[];
+  flushedToStorage?: boolean;
+}
+
+async function scanSingleOrgAccount(
+  account: { id: string; name: string },
+  managementCredentials: {
+    accessKeyId: string;
+    secretAccessKey: string;
+    sessionToken?: string;
+    region?: string;
+  },
+  parsedParams: ParsedParams,
+  regions: string[],
+  resolvedFlagArgs: string[],
+  context: any,
+): Promise<AccountScanResult> {
+  let awsVolume: IsolatedContainerVolume | undefined;
+  let outVolume: IsolatedContainerVolume | undefined;
+  const tenantId = (context as any).tenantId ?? 'default-tenant';
+
+  try {
+    const roleArn = buildMemberRoleArn(parsedParams.memberRoleName, account.id);
     context.logger.info(
-      `[ProwlerScan] Running prowler ${parsedParams.scanMode} for ${parsedInputs.accountId} with regions: ${regions.join(', ')}`,
+      `[ProwlerScan:Org] Assuming role ${roleArn} for account ${account.id} (${account.name})`,
     );
-    context.emitProgress(
-      `Executing prowler ${parsedParams.scanMode} scan across ${regions.length} region${regions.length === 1 ? '' : 's'}`,
+
+    const memberCreds = await assumeRole(managementCredentials, roleArn, {
+      externalId: parsedParams.externalId,
+      sessionName: `shipsec-org-prowler-${account.id}`,
+    });
+
+    const awsEnv = buildAwsEnv(memberCreds, regions, parsedParams.scanMode);
+    const cmd = buildCommand(
+      parsedParams.scanMode,
+      regions,
+      [...resolvedFlagArgs],
+      parsedParams.customFlags,
     );
-    // Build the prowler command entirely in TypeScript.
-    // Note: prowler image entrypoint already invokes `prowler`,
-    // so only pass the provider subcommand (aws/cloud) and flags.
-    const cmd: string[] = [parsedParams.scanMode];
-    if (parsedParams.scanMode === 'aws') {
-      for (const region of regions) {
-        cmd.push('--region', region);
-      }
-    }
-    // Ensure flows do not fail on findings by default even if older saved
-    // workflows didn't have the updated default for the flag.
-    if (!resolvedFlagArgs.includes('--ignore-exit-code-3')) {
-      resolvedFlagArgs.push('--ignore-exit-code-3');
-    }
-    cmd.push(...resolvedFlagArgs);
-    if (parsedParams.customFlags && parsedParams.customFlags.trim().length > 0) {
-      try {
-        cmd.push(...splitArgs(parsedParams.customFlags));
-      } catch (err) {
-        throw new ValidationError(`Failed to parse custom CLI flags: ${(err as Error).message}`, {
-          cause: err as Error,
-          fieldErrors: { customFlags: ['Invalid CLI flag syntax'] },
-        });
-      }
+
+    awsVolume = new IsolatedContainerVolume(tenantId, `${context.runId}-prowler-aws-${account.id}`);
+    outVolume = new IsolatedContainerVolume(tenantId, `${context.runId}-prowler-out-${account.id}`);
+
+    // Initialize AWS creds volume
+    const credsLines = [
+      '[default]',
+      `aws_access_key_id = ${memberCreds.accessKeyId}`,
+      `aws_secret_access_key = ${memberCreds.secretAccessKey}`,
+    ];
+    if (memberCreds.sessionToken) {
+      credsLines.push(`aws_session_token = ${memberCreds.sessionToken}`);
     }
+    const cfgRegion = regions[0] ?? 'us-east-1';
+    const cfgLines = ['[default]', `region = ${cfgRegion}`, 'output = json'];
 
-    cmd.push(
-      '--output-formats',
-      'json-asff',
-      '--output-directory',
-      '/output',
-      '--output-filename',
-      'shipsec',
-    );
-    context.logger.info(`[ProwlerScan] Command: ${cmd.join(' ')}`);
+    await awsVolume.initialize({
+      credentials: credsLines.join('\n'),
+      config: cfgLines.join('\n'),
+    });
+
+    await outVolume.initialize({});
+    await setVolumeOwnership(outVolume, 1000, 1000);
 
-    // Prepare a one-off runner with dynamic command and volume
     const dockerRunner: DockerRunnerConfig = {
       kind: 'docker',
-      image: 'ghcr.io/shipsecai/prowler:latest',
+      image: PROWLER_IMAGE,
       platform: 'linux/amd64',
       network: 'bridge',
-      timeoutSeconds: 900,
+      timeoutSeconds: SINGLE_ACCOUNT_TIMEOUT_SECONDS,
       env: {
         HOME: '/home/prowler',
         ...awsEnv,
       },
       command: cmd,
-      volumes: [],
+      volumes: [
+        awsVolume.getVolumeConfig('/home/prowler/.aws', true),
+        outVolume.getVolumeConfig('/output', false),
+      ],
     };
 
     let rawSegments: string[] = [];
-    let commandForOutput: string[] = cmd;
-    let stderrCombined = '';
-    const outputVolume = new IsolatedContainerVolume(tenantId, `${context.runId}-prowler-out`);
-    let outputVolumeInitialized = false;
-    let awsVolumeInitialized = false;
+    let _stderrForAccount = '';
 
     try {
-      try {
-        // Initialize AWS credentials volume if provided
-        if (awsCredsVolume && parsedInputs.credentials) {
-          const credsLines = [
-            '[default]',
-            `aws_access_key_id = ${parsedInputs.credentials?.accessKeyId ?? ''}`,
-            `aws_secret_access_key = ${parsedInputs.credentials?.secretAccessKey ?? ''}`,
-          ];
-          if (parsedInputs.credentials?.sessionToken) {
-            credsLines.push(`aws_session_token = ${parsedInputs.credentials.sessionToken}`);
-          }
-
-          const cfgRegion = regions[0] ?? 'us-east-1';
-          const cfgLines = ['[default]', `region = ${cfgRegion}`, 'output = json'];
-
-          await awsCredsVolume.initialize({
-            credentials: credsLines.join('\n'),
-            config: cfgLines.join('\n'),
-          });
-          awsVolumeInitialized = true;
-          context.logger.info(
-            `[ProwlerScan] Created isolated AWS creds volume: ${awsCredsVolume.getVolumeName()}`,
-          );
-
-          dockerRunner.volumes = [
-            ...(dockerRunner.volumes ?? []),
-            awsCredsVolume.getVolumeConfig('/home/prowler/.aws', true),
-          ];
-        }
-
-        // Initialize output volume
-        await outputVolume.initialize({});
-        outputVolumeInitialized = true;
-        // Set ownership to prowler user (UID 1000) so Prowler can create subdirectories
-        await setVolumeOwnership(outputVolume, 1000, 1000);
-        context.logger.info(
-          `[ProwlerScan] Created isolated output volume: ${outputVolume.getVolumeName()}`,
-        );
-        dockerRunner.volumes = [
-          ...(dockerRunner.volumes ?? []),
-          outputVolume.getVolumeConfig('/output', false),
-        ];
-
-        const raw = await runComponentWithRunner<Record<string, unknown>, unknown>(
-          dockerRunner,
-          async () => ({}) as unknown,
-          {},
-          context,
-        );
+      const raw = await runComponentWithRunner<Record<string, unknown>, unknown>(
+        dockerRunner,
+        async () => ({}) as unknown,
+        {},
+        context,
+      );
 
-        // If the container returned our previous JSON payload shape, keep supporting it
-        if (raw && typeof raw === 'object' && !Array.isArray(raw)) {
-          const parsed = runnerPayloadSchema.safeParse(raw);
-          if (parsed.success) {
-            const result = parsed.data;
-            if (result.parse_error) {
-              throw new ValidationError(`Failed to parse custom CLI flags: ${result.parse_error}`, {
-                fieldErrors: { customFlags: ['Invalid CLI flag syntax'] },
-              });
-            }
-            if (result.returncode !== 0) {
-              const msg = result.stderr.trim();
-              throw new ServiceError(
-                msg.length > 0 ? msg : `prowler exited with status ${result.returncode}`,
-                {
-                  details: { returncode: result.returncode },
-                },
-              );
-            }
-            rawSegments = result.artifacts.length > 0 ? result.artifacts : [result.stdout];
-            commandForOutput = result.command;
-            stderrCombined = result.stderr;
+      if (raw && typeof raw === 'object' && !Array.isArray(raw)) {
+        const parsed = runnerPayloadSchema.safeParse(raw);
+        if (parsed.success) {
+          const result = parsed.data;
+          if (result.returncode !== 0 && !/exit code\s*3/.test(result.stderr)) {
+            const msg = result.stderr.trim();
+            throw new ServiceError(
+              msg.length > 0 ? msg : `prowler exited with status ${result.returncode}`,
+              { details: { returncode: result.returncode } },
+            );
           }
-        }
-      } catch (err) {
-        const msg = (err as Error)?.message ?? '';
-        const isFindingsExit = /exit code\s*3/.test(msg);
-        if (isFindingsExit) {
-          // Prowler uses exit code 3 to indicate checks failed (findings present).
-          // Treat this as a successful run for parsing purposes; keep stderr for summary.
-          context.logger.info(
-            '[ProwlerScan] Prowler exited with code 3 (findings present); continuing to parse output.',
-          );
-          stderrCombined = msg;
-          // Do not cleanup here; we still need to read the mounted output directory.
-        } else {
-          throw err;
+          rawSegments = result.artifacts.length > 0 ? result.artifacts : [result.stdout];
+          _stderrForAccount = result.stderr;
         }
       }
+    } catch (err) {
+      const msg = (err as Error)?.message ?? '';
+      if (/exit code\s*3/.test(msg)) {
+        _stderrForAccount = msg;
+      } else {
+        throw err;
+      }
+    }
 
-      // If we didn't get JSON from the container, read ASFF files from the mounted folder
-      if (rawSegments.length === 0) {
-        try {
-          const entries = await listVolumeFiles(outputVolume);
-          const jsonFiles = entries.filter((f) => f.toLowerCase().endsWith('.json'));
-          const contents: string[] = [];
-          for (const file of jsonFiles) {
-            try {
-              const fileMap = await outputVolume.readFiles([file]);
-              contents.push(fileMap[file]);
-            } catch {
-              // Skip files that can't be read
-            }
+    // Read ASFF files from volume if needed
+    if (rawSegments.length === 0) {
+      try {
+        const entries = await listVolumeFiles(outVolume);
+        const jsonFiles = entries.filter((f) => f.toLowerCase().endsWith('.json'));
+        for (const file of jsonFiles) {
+          try {
+            const fileMap = await outVolume.readFiles([file]);
+            rawSegments.push(fileMap[file]);
+          } catch {
+            // Skip
           }
-          rawSegments = contents;
-        } catch {
-          // Fall through to check if rawSegments is empty
         }
+      } catch {
+        // Fall through
       }
+    }
 
-      const { findings, errors } =
-        rawSegments.length > 0
-          ? normaliseFindings(rawSegments, context.runId)
-          : { findings: [] as NormalisedFinding[], errors: [] as string[] };
-
-      if (rawSegments.length === 0) {
-        context.logger.info(
-          '[ProwlerScan] Prowler produced no ASFF output — likely 0 findings for the selected severity/region.',
-        );
-      }
-
-      const generatedAt = new Date().toISOString();
-      const severityCounts: Record<NormalisedSeverity, number> = {
-        critical: 0,
-        high: 0,
-        medium: 0,
-        low: 0,
-        informational: 0,
-        unknown: 0,
-      };
-
-      let failed = 0;
-      let passed = 0;
-      let unknown = 0;
-
-      findings.forEach((finding) => {
-        severityCounts[finding.severity] = (severityCounts[finding.severity] ?? 0) + 1;
-        switch (finding.status) {
-          case 'FAILED':
-            failed += 1;
-            break;
-          case 'PASSED':
-            passed += 1;
-            break;
-          default:
-            unknown += 1;
-        }
-      });
+    const { findings, errors: parseErrors } =
+      rawSegments.length > 0
+        ? normaliseFindings(rawSegments, context.runId)
+        : { findings: [] as NormalisedFinding[], errors: [] as string[] };
 
-      const scanId = buildScanId(parsedInputs.accountId, parsedParams.scanMode);
-
-      // Build analytics-ready results (follows core.analytics.result.v1 contract)
-      const results: AnalyticsResult[] = findings.map((finding) => ({
-        scanner: 'prowler',
-        finding_hash: generateFindingHash(
-          finding.id,
-          finding.resourceId ?? finding.accountId ?? '',
-          finding.title ?? '',
-        ),
-        severity: mapToAnalyticsSeverity(finding.severity),
-        asset_key: finding.resourceId ?? finding.accountId ?? undefined,
-        // Include additional context for analytics
-        title: finding.title,
-        description: finding.description,
-        region: finding.region,
-        status: finding.status,
-        remediationText: finding.remediationText,
-        recommendationUrl: finding.recommendationUrl,
-      }));
-
-      const output: Output = {
-        scanId,
-        findings,
-        results,
-        rawOutput: rawSegments.join('\n'),
-        summary: {
-          totalFindings: findings.length,
-          failed,
-          passed,
-          unknown,
-          severityCounts,
-          generatedAt,
-          regions,
-          scanMode: parsedParams.scanMode,
-          selectedFlagIds: Array.from(selectedFlags),
-          customFlags: parsedParams.customFlags?.trim() || null,
-        },
-        command: commandForOutput,
-        stderr: stderrCombined,
-        errors: errors.length > 0 ? errors : undefined,
-      };
-
-      return outputSchema.parse(output);
-    } finally {
-      if (outputVolumeInitialized) {
-        await outputVolume.cleanup();
-        context.logger.info('[ProwlerScan] Cleaned up output volume');
-      }
-      if (awsVolumeInitialized && awsCredsVolume) {
-        await awsCredsVolume.cleanup();
-        context.logger.info('[ProwlerScan] Cleaned up AWS creds volume');
-      }
+    if (parseErrors.length > 0) {
+      context.logger.warn(
+        `[ProwlerScan:Org] Parse errors for account ${account.id}: ${parseErrors.join('; ')}`,
+      );
     }
-  },
-});
-
-function buildScanId(accountId: string, scanMode: 'aws' | 'cloud'): string {
-  const timestamp = new Date()
-    .toISOString()
-    .replace(/[^0-9]/g, '')
-    .slice(0, 14);
-  const safeAccount = accountId.replace(/[^a-zA-Z0-9-]/g, '-').slice(0, 32);
-  return `prowler-${scanMode}-${safeAccount}-${timestamp}`;
-}
 
-function normaliseFindings(
-  rawSegments: string[],
-  runId: string,
-): {
-  findings: NormalisedFinding[];
-  errors: string[];
-} {
-  const findings: NormalisedFinding[] = [];
-  const errors: string[] = [];
-
-  rawSegments.forEach((segment, segmentIndex) => {
-    const candidates = parseSegment(segment, segmentIndex, errors);
-    candidates.forEach((candidate, candidateIndex) => {
-      const parsed = prowlerFindingSchema.safeParse(candidate);
-      if (!parsed.success) {
-        errors.push(
-          `Segment ${segmentIndex + 1} item ${candidateIndex + 1}: ${parsed.error.message}`,
-        );
-        return;
-      }
-      findings.push(toNormalisedFinding(parsed.data, findings.length, runId));
-    });
-  });
+    const analyticsResults = buildAnalyticsResults(findings);
 
-  return { findings, errors };
+    return {
+      accountId: account.id,
+      accountName: account.name,
+      status: 'scanned',
+      findingCount: findings.length,
+      findings,
+      results: analyticsResults,
+      rawSegments,
+    };
+  } finally {
+    await awsVolume?.cleanup();
+    await outVolume?.cleanup();
+  }
 }
 
-function parseSegment(segment: string, segmentIndex: number, errors: string[]): unknown[] {
-  const trimmed = (segment ?? '').trim();
-  if (trimmed.length === 0) {
-    return [];
+async function executeOrgScan(
+  { inputs, params }: { inputs: unknown; params: unknown },
+  context: any,
+): Promise<Output> {
+  const parsedInputs = inputSchema.parse(inputs);
+  const parsedParams = parameterSchema.parse(params);
+
+  if (!parsedInputs.credentials) {
+    throw new ConfigurationError(
+      'Org-wide scan requires AWS credentials for the management account.',
+      { configKey: 'credentials' },
+    );
   }
 
-  try {
-    const parsed = JSON.parse(trimmed);
-    if (Array.isArray(parsed)) {
-      return parsed;
-    }
-    if (parsed && typeof parsed === 'object') {
-      const record = parsed as Record<string, unknown>;
-      if (Array.isArray(record.Findings)) {
-        return record.Findings;
-      }
-      if (Array.isArray(record.findings)) {
-        return record.findings;
-      }
-      return [parsed];
-    }
-  } catch (_error) {
-    // Fallback to NDJSON parsing
-    const ndjsonResults: unknown[] = [];
-    trimmed
-      .split(/\r?\n/)
-      .map((line) => line.trim())
-      .filter((line) => line.length > 0)
-      .forEach((line, lineIndex) => {
-        try {
-          ndjsonResults.push(JSON.parse(line));
-        } catch (innerError) {
-          errors.push(
-            `Segment ${segmentIndex + 1} line ${lineIndex + 1}: Unable to parse JSON (${(innerError as Error).message})`,
-          );
-        }
-      });
+  const credentials = parsedInputs.credentials;
+  const { regions, selectedFlags, resolvedFlagArgs } = prepareScan(parsedInputs, parsedParams);
 
-    if (ndjsonResults.length > 0) {
-      return ndjsonResults;
-    }
+  context.emitProgress('Discovering AWS Organization accounts...');
+  const allAccounts = await discoverOrgAccounts(credentials, regions[0]);
+
+  // Filter: active accounts only
+  let accounts = allAccounts.filter((a) => a.status === 'ACTIVE');
 
-    errors.push(`Segment ${segmentIndex + 1}: Unable to parse Prowler output as JSON.`);
+  // Optionally skip management account (the one that owns the credentials)
+  // The management account's ID is in the credential's accountId input, if provided
+  if (parsedParams.skipManagementAccount && parsedInputs.accountId) {
+    accounts = accounts.filter((a) => a.id !== parsedInputs.accountId);
   }
 
-  return [];
-}
+  context.logger.info(
+    `[ProwlerScan:Org] Found ${allAccounts.length} total accounts, ${accounts.length} to scan.`,
+  );
+  context.emitProgress(`Found ${accounts.length} accounts to scan`);
+
+  if (accounts.length === 0) {
+    const scanId = buildScanId(parsedInputs.accountId ?? 'org', parsedParams.scanMode);
+    return outputSchema.parse({
+      scanId,
+      findings: [],
+      results: [],
+      rawOutput: '',
+      summary: {
+        totalFindings: 0,
+        failed: 0,
+        passed: 0,
+        unknown: 0,
+        severityCounts: { critical: 0, high: 0, medium: 0, low: 0, informational: 0, unknown: 0 },
+        generatedAt: new Date().toISOString(),
+        regions,
+        scanMode: parsedParams.scanMode,
+        selectedFlagIds: Array.from(selectedFlags),
+        customFlags: parsedParams.customFlags?.trim() || null,
+        accountSummaries: [],
+      },
+      command: [],
+      stderr: '',
+      errors: undefined,
+    });
+  }
 
-function toNormalisedFinding(
-  finding: ProwlerFinding,
-  index: number,
-  runId: string,
-): NormalisedFinding {
-  const primaryResource =
-    Array.isArray(finding.Resources) && finding.Resources.length > 0
-      ? finding.Resources[0]
-      : undefined;
-  const accountId = finding.AwsAccountId ?? extractAccountId(primaryResource?.Id) ?? null;
-  const region = primaryResource?.Region ?? extractRegionFromArn(primaryResource?.Id) ?? null;
-  const resourceId = primaryResource?.Id ?? null;
-  const severity = normaliseSeverity(finding);
-  const status = normaliseStatus(finding.Compliance?.Status);
-  const remediationText = finding.Remediation?.Recommendation?.Text ?? null;
-  const recommendationUrl = finding.Remediation?.Recommendation?.Url ?? null;
-
-  return {
-    id: finding.Id ?? `${runId}-finding-${index + 1}`,
-    title: finding.Title ?? null,
-    accountId,
-    resourceId,
-    region,
-    severity,
-    status,
-    description: finding.Description ?? null,
-    remediationText,
-    recommendationUrl,
-    rawFinding: finding,
-  };
-}
+  const accountResults: AccountScanResult[] = [];
+  const allErrors: string[] = [];
 
-function normaliseSeverity(finding: ProwlerFinding): NormalisedSeverity {
-  const label = finding.Severity?.Label ?? finding.Severity?.Original ?? '';
+  // Scan accounts (sequential for maxConcurrency=1, batched otherwise)
+  const concurrency = parsedParams.maxConcurrency ?? 1;
 
-  if (typeof label === 'string' && label.trim().length > 0) {
-    const lowered = label.trim().toLowerCase();
-    if (lowered.startsWith('crit')) return 'critical';
-    if (lowered.startsWith('high')) return 'high';
-    if (lowered.startsWith('med')) return 'medium';
-    if (lowered.startsWith('low')) return 'low';
-    if (lowered.startsWith('info')) return 'informational';
-  }
+  for (let i = 0; i < accounts.length; i += concurrency) {
+    const batch = accounts.slice(i, i + concurrency);
+    const batchPromises = batch.map(async (account, batchIdx) => {
+      const globalIdx = i + batchIdx;
+      context.emitProgress(
+        `Scanning ${globalIdx + 1}/${accounts.length}: ${account.name} (${account.id})`,
+      );
 
-  const normalisedScore = finding.Severity?.Normalized;
-  if (typeof normalisedScore === 'number' && Number.isFinite(normalisedScore)) {
-    if (normalisedScore >= 90) return 'critical';
-    if (normalisedScore >= 70) return 'high';
-    if (normalisedScore >= 40) return 'medium';
-    if (normalisedScore >= 1) return 'low';
-    return 'informational';
-  }
+      try {
+        const result = await scanSingleOrgAccount(
+          account,
+          credentials,
+          parsedParams,
+          regions,
+          [...resolvedFlagArgs],
+          context,
+        );
 
-  return 'unknown';
-}
+        // Flush per-account results to storage if they exceed threshold
+        if (context.storage && result.findings && result.findings.length > FLUSH_THRESHOLD) {
+          try {
+            await context.storage.uploadFile(
+              `${context.runId}/org-scan/${account.id}.json`,
+              'findings.json',
+              Buffer.from(JSON.stringify(result.findings)),
+              'application/json',
+            );
+            context.logger.info(
+              `[ProwlerScan:Org] Flushed ${result.findings.length} findings for account ${account.id} to storage`,
+            );
+            return {
+              ...result,
+              findings: undefined,
+              results: undefined,
+              rawSegments: undefined,
+              flushedToStorage: true,
+            } satisfies AccountScanResult;
+          } catch (flushErr) {
+            context.logger.warn(
+              `[ProwlerScan:Org] Failed to flush findings for ${account.id}: ${(flushErr as Error).message}`,
+            );
+            // Keep in memory if flush fails
+          }
+        }
 
-function normaliseStatus(status?: string): NormalisedStatus {
-  if (!status || status.trim().length === 0) {
-    return 'UNKNOWN';
-  }
-  const upper = status.trim().toUpperCase();
-  if (upper.includes('FAIL')) return 'FAILED';
-  if (upper.includes('PASS')) return 'PASSED';
-  if (upper.includes('WARN')) return 'WARNING';
-  if (upper.includes('NOT_APPLICABLE') || upper === 'NOTAPPLICABLE') return 'NOT_APPLICABLE';
-  if (upper.includes('NOT_AVAILABLE') || upper === 'NOTAVAILABLE') return 'NOT_AVAILABLE';
-  return 'UNKNOWN';
-}
+        return result;
+      } catch (err) {
+        const errorMsg = (err as Error).message ?? String(err);
+        if (parsedParams.continueOnError) {
+          context.logger.warn(
+            `[ProwlerScan:Org] Account ${account.id} (${account.name}) failed: ${errorMsg}`,
+          );
+          allErrors.push(`Account ${account.id} (${account.name}): ${errorMsg}`);
+          return {
+            accountId: account.id,
+            accountName: account.name,
+            status: 'failed' as const,
+            findingCount: 0,
+            error: errorMsg,
+          };
+        } else {
+          throw err;
+        }
+      }
+    });
 
-function extractAccountId(resourceId?: string): string | null {
-  if (!resourceId) return null;
-  const accountMatch = resourceId.match(/arn:[^:]*:[^:]*:([^:]*):(\d{12})/);
-  if (accountMatch && accountMatch[2]) {
-    return accountMatch[2];
+    const batchResults = await Promise.all(batchPromises);
+    accountResults.push(...batchResults);
   }
-  return null;
-}
 
-function extractRegionFromArn(resourceId?: string): string | null {
-  if (!resourceId) return null;
-  const match = resourceId.match(/arn:[^:]*:[^:]*:([^:]*):/);
-  if (match && match[1]) {
-    const region = match[1];
-    if (region && region !== '*' && region !== '') {
-      return region;
+  // Aggregate results
+  const allFindings: NormalisedFinding[] = [];
+  const allAnalyticsResults: AnalyticsResult[] = [];
+  const allRawSegments: string[] = [];
+
+  for (const result of accountResults) {
+    if (result.flushedToStorage) {
+      // Read back flushed results
+      try {
+        if (context.storage) {
+          const content = await context.storage.downloadFile(
+            `${context.runId}/org-scan/${result.accountId}.json`,
+          );
+          const flushedFindings: NormalisedFinding[] = JSON.parse(
+            typeof content === 'string' ? content : content.toString(),
+          );
+          allFindings.push(...flushedFindings);
+          allAnalyticsResults.push(...buildAnalyticsResults(flushedFindings));
+        }
+      } catch (readErr) {
+        context.logger.warn(
+          `[ProwlerScan:Org] Failed to read flushed findings for ${result.accountId}: ${(readErr as Error).message}`,
+        );
+      }
+    } else {
+      if (result.findings) allFindings.push(...result.findings);
+      if (result.results) allAnalyticsResults.push(...result.results);
+      if (result.rawSegments) allRawSegments.push(...result.rawSegments);
     }
   }
-  return null;
-}
 
-/**
- * Maps Prowler severity levels to analytics severity enum.
- * Prowler: critical, high, medium, low, informational, unknown
- * Analytics: critical, high, medium, low, info, none
- */
-function mapToAnalyticsSeverity(
-  prowlerSeverity: NormalisedSeverity,
-): 'critical' | 'high' | 'medium' | 'low' | 'info' | 'none' {
-  switch (prowlerSeverity) {
-    case 'critical':
-      return 'critical';
-    case 'high':
-      return 'high';
-    case 'medium':
-      return 'medium';
-    case 'low':
-      return 'low';
-    case 'informational':
-      return 'info';
-    case 'unknown':
-    default:
-      return 'none';
-  }
+  const { severityCounts, failed, passed, unknown } = computeSeverityCounts(allFindings);
+  const scanId = buildScanId(parsedInputs.accountId ?? 'org', parsedParams.scanMode);
+
+  const accountSummaries = accountResults.map((r) => ({
+    accountId: r.accountId,
+    accountName: r.accountName,
+    findingCount: r.findingCount,
+    status: r.status,
+    error: r.error,
+  }));
+
+  const output: Output = {
+    scanId,
+    findings: allFindings,
+    results: allAnalyticsResults,
+    rawOutput: allRawSegments.join('\n'),
+    summary: {
+      totalFindings: allFindings.length,
+      failed,
+      passed,
+      unknown,
+      severityCounts,
+      generatedAt: new Date().toISOString(),
+      regions,
+      scanMode: parsedParams.scanMode,
+      selectedFlagIds: Array.from(selectedFlags),
+      customFlags: parsedParams.customFlags?.trim() || null,
+      accountSummaries,
+    },
+    command: [],
+    stderr: '',
+    errors: allErrors.length > 0 ? allErrors : undefined,
+  };
+
+  return outputSchema.parse(output);
 }
 
+// ---------------------------------------------------------------------------
+// Component definition
+// ---------------------------------------------------------------------------
+
+const definition = defineComponent({
+  id: 'security.prowler.scan',
+  label: 'Prowler Scan',
+  category: 'security',
+  retryPolicy: prowlerRetryPolicy,
+  runner: {
+    kind: 'docker',
+    image: PROWLER_IMAGE,
+    platform: 'linux/amd64',
+    command: [], // Placeholder - actual command built dynamically in execute()
+  },
+  inputs: inputSchema,
+  outputs: outputSchema,
+  parameters: parameterSchema,
+  docs: 'Execute Prowler inside Docker using `ghcr.io/shipsecai/prowler` (amd64 enforced on ARM hosts). Supports single-account AWS scans, org-wide multi-account scans, and the multi-cloud `prowler cloud` overview, with optional CLI flag customisation.',
+  toolProvider: {
+    kind: 'component',
+    name: 'prowler_scan',
+    description: 'AWS and multi-cloud security assessment tool (Prowler).',
+  },
+  ui: {
+    slug: 'prowler-scan',
+    version: '3.0.0',
+    type: 'scan',
+    category: 'security',
+    description:
+      'Run Toniblyx Prowler to assess AWS accounts or multi-cloud posture. Supports single-account and org-wide scanning modes. Streams raw logs while returning structured findings in ASFF-derived JSON.',
+    documentation: 'https://github.com/prowler-cloud/prowler',
+    icon: 'ShieldCheck',
+    author: {
+      name: 'ShipSecAI',
+      type: 'shipsecai',
+    },
+    isLatest: true,
+    deprecated: false,
+    examples: [
+      'Run nightly `prowler aws --quick --severity-filter high,critical` scans on production accounts and forward findings into ELK.',
+      'Use `prowler cloud` with custom flags to generate a multi-cloud compliance snapshot.',
+      'Enable org-wide scan to discover all member accounts and run Prowler across the entire organization.',
+    ],
+  },
+  async execute({ inputs, params }, context) {
+    const parsedParams = parameterSchema.parse(params);
+
+    if (parsedParams.orgScan) {
+      return executeOrgScan({ inputs, params }, context);
+    }
+    return executeSingleAccountScan({ inputs, params }, context);
+  },
+});
+
 componentRegistry.register(definition);
 
 // Create local type aliases for backward compatibility
diff --git a/worker/src/components/security/prowler-shared.ts b/worker/src/components/security/prowler-shared.ts
new file mode 100644
index 00000000..226de744
--- /dev/null
+++ b/worker/src/components/security/prowler-shared.ts
@@ -0,0 +1,506 @@
+/**
+ * Shared types, schemas, and utility functions for the Prowler scan component.
+ * Extracted to allow reuse across single-account and org-wide scan modes.
+ */
+import { z } from 'zod';
+import { spawn } from 'node:child_process';
+import { resolveDockerPath } from '@shipsec/component-sdk';
+import type { IsolatedContainerVolume } from '../../utils/isolated-volume';
+
+// ---------------------------------------------------------------------------
+// Severity & Status enums
+// ---------------------------------------------------------------------------
+
+export const severityLevels = [
+  'critical',
+  'high',
+  'medium',
+  'low',
+  'informational',
+  'unknown',
+] as const;
+export type NormalisedSeverity = (typeof severityLevels)[number];
+
+export const statusLevels = [
+  'FAILED',
+  'PASSED',
+  'WARNING',
+  'NOT_APPLICABLE',
+  'NOT_AVAILABLE',
+  'UNKNOWN',
+] as const;
+export type NormalisedStatus = (typeof statusLevels)[number];
+
+// ---------------------------------------------------------------------------
+// Recommended flags
+// ---------------------------------------------------------------------------
+
+export const recommendedFlagOptions = [
+  {
+    id: 'quick',
+    label: 'Quick scan (removed in v4 \u2014 ignored)',
+    description: 'Kept for backwards compatibility; Prowler v4 ignores this option.',
+    args: [],
+    defaultSelected: false,
+  },
+  {
+    id: 'severity-high-critical',
+    label: 'Severity filter: high+critical (--severity high critical)',
+    description: 'Limit findings to high and critical severities.',
+    args: ['--severity', 'high', 'critical'],
+    defaultSelected: true,
+  },
+  {
+    id: 'ignore-exit-code',
+    label: 'Do not fail on findings (--ignore-exit-code-3)',
+    description: 'Treat exit code 3 (findings present) as success so flows do not fail.',
+    args: ['--ignore-exit-code-3'],
+    defaultSelected: true,
+  },
+  {
+    id: 'no-banner',
+    label: 'Hide banner (--no-banner)',
+    description: 'Remove the ASCII banner from stdout for cleaner logs.',
+    args: ['--no-banner'],
+    defaultSelected: true,
+  },
+] as const;
+
+export type RecommendedFlagId = (typeof recommendedFlagOptions)[number]['id'];
+
+export const defaultSelectedFlagIds: RecommendedFlagId[] = recommendedFlagOptions
+  .filter((option) => option.defaultSelected)
+  .map((option) => option.id);
+
+export const recommendedFlagIdSchema = z.enum(
+  recommendedFlagOptions.map((option) => option.id) as [RecommendedFlagId, ...RecommendedFlagId[]],
+);
+
+export const recommendedFlagMap = new Map<RecommendedFlagId, string[]>(
+  recommendedFlagOptions.map((option) => [option.id, [...option.args]]),
+);
+
+// ---------------------------------------------------------------------------
+// Prowler finding schemas
+// ---------------------------------------------------------------------------
+
+export const prowlerFindingSchema = z
+  .object({
+    Id: z.string().optional(),
+    Title: z.string().optional(),
+    Description: z.string().optional(),
+    AwsAccountId: z.string().optional(),
+    Severity: z
+      .object({
+        Label: z.string().optional(),
+        Original: z.string().optional(),
+        Normalized: z.number().optional(),
+      })
+      .partial()
+      .optional(),
+    Compliance: z
+      .object({
+        Status: z.string().optional(),
+      })
+      .partial()
+      .optional(),
+    Resources: z
+      .array(
+        z
+          .object({
+            Id: z.string().optional(),
+            Type: z.string().optional(),
+            Region: z.string().optional(),
+          })
+          .passthrough(),
+      )
+      .optional(),
+    Remediation: z
+      .object({
+        Recommendation: z
+          .object({
+            Text: z.string().optional(),
+            Url: z.string().optional(),
+          })
+          .partial()
+          .optional(),
+      })
+      .partial()
+      .optional(),
+  })
+  .passthrough();
+
+export type ProwlerFinding = z.infer<typeof prowlerFindingSchema>;
+
+export const runnerPayloadSchema = z.object({
+  returncode: z.number().int(),
+  stdout: z.string(),
+  stderr: z.string(),
+  command: z.array(z.string()),
+  artifacts: z.array(z.string()).default([]),
+  parse_error: z.string().optional(),
+});
+
+export const normalisedFindingSchema = z.object({
+  id: z.string(),
+  title: z.string().nullable(),
+  accountId: z.string().nullable(),
+  resourceId: z.string().nullable(),
+  region: z.string().nullable(),
+  severity: z.enum(severityLevels),
+  status: z.enum(statusLevels),
+  description: z.string().nullable(),
+  remediationText: z.string().nullable(),
+  recommendationUrl: z.string().nullable(),
+  rawFinding: z.unknown(),
+});
+
+export type NormalisedFinding = z.infer<typeof normalisedFindingSchema>;
+
+// ---------------------------------------------------------------------------
+// Normalisation helpers
+// ---------------------------------------------------------------------------
+
+export function normaliseFindings(
+  rawSegments: string[],
+  runId: string,
+): {
+  findings: NormalisedFinding[];
+  errors: string[];
+} {
+  const findings: NormalisedFinding[] = [];
+  const errors: string[] = [];
+
+  rawSegments.forEach((segment, segmentIndex) => {
+    const candidates = parseSegment(segment, segmentIndex, errors);
+    candidates.forEach((candidate, candidateIndex) => {
+      const parsed = prowlerFindingSchema.safeParse(candidate);
+      if (!parsed.success) {
+        errors.push(
+          `Segment ${segmentIndex + 1} item ${candidateIndex + 1}: ${parsed.error.message}`,
+        );
+        return;
+      }
+      findings.push(toNormalisedFinding(parsed.data, findings.length, runId));
+    });
+  });
+
+  return { findings, errors };
+}
+
+export function parseSegment(segment: string, segmentIndex: number, errors: string[]): unknown[] {
+  const trimmed = (segment ?? '').trim();
+  if (trimmed.length === 0) {
+    return [];
+  }
+
+  try {
+    const parsed = JSON.parse(trimmed);
+    if (Array.isArray(parsed)) {
+      return parsed;
+    }
+    if (parsed && typeof parsed === 'object') {
+      const record = parsed as Record<string, unknown>;
+      if (Array.isArray(record.Findings)) {
+        return record.Findings;
+      }
+      if (Array.isArray(record.findings)) {
+        return record.findings;
+      }
+      return [parsed];
+    }
+  } catch (_error) {
+    const ndjsonResults: unknown[] = [];
+    trimmed
+      .split(/\r?\n/)
+      .map((line) => line.trim())
+      .filter((line) => line.length > 0)
+      .forEach((line, lineIndex) => {
+        try {
+          ndjsonResults.push(JSON.parse(line));
+        } catch (innerError) {
+          errors.push(
+            `Segment ${segmentIndex + 1} line ${lineIndex + 1}: Unable to parse JSON (${(innerError as Error).message})`,
+          );
+        }
+      });
+
+    if (ndjsonResults.length > 0) {
+      return ndjsonResults;
+    }
+
+    errors.push(`Segment ${segmentIndex + 1}: Unable to parse Prowler output as JSON.`);
+  }
+
+  return [];
+}
+
+export function toNormalisedFinding(
+  finding: ProwlerFinding,
+  index: number,
+  runId: string,
+): NormalisedFinding {
+  const primaryResource =
+    Array.isArray(finding.Resources) && finding.Resources.length > 0
+      ? finding.Resources[0]
+      : undefined;
+  const accountId = finding.AwsAccountId ?? extractAccountId(primaryResource?.Id) ?? null;
+  const region = primaryResource?.Region ?? extractRegionFromArn(primaryResource?.Id) ?? null;
+  const resourceId = primaryResource?.Id ?? null;
+  const severity = normaliseSeverity(finding);
+  const status = normaliseStatus(finding.Compliance?.Status);
+  const remediationText = finding.Remediation?.Recommendation?.Text ?? null;
+  const recommendationUrl = finding.Remediation?.Recommendation?.Url ?? null;
+
+  return {
+    id: finding.Id ?? `${runId}-finding-${index + 1}`,
+    title: finding.Title ?? null,
+    accountId,
+    resourceId,
+    region,
+    severity,
+    status,
+    description: finding.Description ?? null,
+    remediationText,
+    recommendationUrl,
+    rawFinding: finding,
+  };
+}
+
+export function normaliseSeverity(finding: ProwlerFinding): NormalisedSeverity {
+  const label = finding.Severity?.Label ?? finding.Severity?.Original ?? '';
+
+  if (typeof label === 'string' && label.trim().length > 0) {
+    const lowered = label.trim().toLowerCase();
+    if (lowered.startsWith('crit')) return 'critical';
+    if (lowered.startsWith('high')) return 'high';
+    if (lowered.startsWith('med')) return 'medium';
+    if (lowered.startsWith('low')) return 'low';
+    if (lowered.startsWith('info')) return 'informational';
+  }
+
+  const normalisedScore = finding.Severity?.Normalized;
+  if (typeof normalisedScore === 'number' && Number.isFinite(normalisedScore)) {
+    if (normalisedScore >= 90) return 'critical';
+    if (normalisedScore >= 70) return 'high';
+    if (normalisedScore >= 40) return 'medium';
+    if (normalisedScore >= 1) return 'low';
+    return 'informational';
+  }
+
+  return 'unknown';
+}
+
+export function normaliseStatus(status?: string): NormalisedStatus {
+  if (!status || status.trim().length === 0) {
+    return 'UNKNOWN';
+  }
+  const upper = status.trim().toUpperCase();
+  if (upper.includes('FAIL')) return 'FAILED';
+  if (upper.includes('PASS')) return 'PASSED';
+  if (upper.includes('WARN')) return 'WARNING';
+  if (upper.includes('NOT_APPLICABLE') || upper === 'NOTAPPLICABLE') return 'NOT_APPLICABLE';
+  if (upper.includes('NOT_AVAILABLE') || upper === 'NOTAVAILABLE') return 'NOT_AVAILABLE';
+  return 'UNKNOWN';
+}
+
+export function extractAccountId(resourceId?: string): string | null {
+  if (!resourceId) return null;
+  const accountMatch = resourceId.match(/arn:[^:]*:[^:]*:([^:]*):(\d{12})/);
+  if (accountMatch && accountMatch[2]) {
+    return accountMatch[2];
+  }
+  return null;
+}
+
+export function extractRegionFromArn(resourceId?: string): string | null {
+  if (!resourceId) return null;
+  const match = resourceId.match(/arn:[^:]*:[^:]*:([^:]*):/);
+  if (match && match[1]) {
+    const region = match[1];
+    if (region && region !== '*' && region !== '') {
+      return region;
+    }
+  }
+  return null;
+}
+
+/**
+ * Maps Prowler severity levels to analytics severity enum.
+ */
+export function mapToAnalyticsSeverity(
+  prowlerSeverity: NormalisedSeverity,
+): 'critical' | 'high' | 'medium' | 'low' | 'info' | 'none' {
+  switch (prowlerSeverity) {
+    case 'critical':
+      return 'critical';
+    case 'high':
+      return 'high';
+    case 'medium':
+      return 'medium';
+    case 'low':
+      return 'low';
+    case 'informational':
+      return 'info';
+    case 'unknown':
+    default:
+      return 'none';
+  }
+}
+
+export function buildScanId(accountId: string, scanMode: 'aws' | 'cloud'): string {
+  const timestamp = new Date()
+    .toISOString()
+    .replace(/[^0-9]/g, '')
+    .slice(0, 14);
+  const safeAccount = accountId.replace(/[^a-zA-Z0-9-]/g, '-').slice(0, 32);
+  return `prowler-${scanMode}-${safeAccount}-${timestamp}`;
+}
+
+/**
+ * Constructs an IAM role ARN from a role name and account ID.
+ * Supports both plain role names and full ARN templates with {accountId} placeholder.
+ */
+export function buildMemberRoleArn(roleNameOrTemplate: string, accountId: string): string {
+  if (roleNameOrTemplate.startsWith('arn:')) {
+    return roleNameOrTemplate.replace('{accountId}', accountId);
+  }
+  return `arn:aws:iam::${accountId}:role/${roleNameOrTemplate}`;
+}
+
+// ---------------------------------------------------------------------------
+// Docker volume helpers
+// ---------------------------------------------------------------------------
+
+export async function listVolumeFiles(volume: IsolatedContainerVolume): Promise<string[]> {
+  const volumeName = volume.getVolumeName();
+  if (!volumeName) return [];
+
+  const dockerPath = await resolveDockerPath();
+  return new Promise((resolve, reject) => {
+    const proc = spawn(dockerPath, [
+      'run',
+      '--rm',
+      '-v',
+      `${volumeName}:/data`,
+      '--entrypoint',
+      'sh',
+      'alpine:3.20',
+      '-c',
+      'ls -1 /data',
+    ]);
+
+    let stdout = '';
+    let stderr = '';
+
+    proc.stdout.on('data', (data) => {
+      stdout += data.toString();
+    });
+
+    proc.stderr.on('data', (data) => {
+      stderr += data.toString();
+    });
+
+    proc.on('error', (error) => {
+      reject(error);
+    });
+
+    proc.on('close', (code) => {
+      if (code !== 0) {
+        reject(new Error(`Failed to list volume files: ${stderr.trim()}`));
+      } else {
+        resolve(
+          stdout
+            .split('\n')
+            .map((line) => line.trim())
+            .filter((line) => line.length > 0),
+        );
+      }
+    });
+  });
+}
+
+export async function setVolumeOwnership(
+  volume: IsolatedContainerVolume,
+  uid = 1000,
+  gid = 1000,
+): Promise<void> {
+  const volumeName = volume.getVolumeName();
+  if (!volumeName) return;
+
+  const dockerPath = await resolveDockerPath();
+  return new Promise((resolve, reject) => {
+    const proc = spawn(dockerPath, [
+      'run',
+      '--rm',
+      '-v',
+      `${volumeName}:/data`,
+      '--entrypoint',
+      'sh',
+      'alpine:3.20',
+      '-c',
+      `chown -R ${uid}:${gid} /data && chmod -R 755 /data`,
+    ]);
+
+    let stderr = '';
+
+    proc.stderr.on('data', (data) => {
+      stderr += data.toString();
+    });
+
+    proc.on('error', (error) => {
+      reject(new Error(`Failed to set volume ownership: ${error.message}`));
+    });
+
+    proc.on('close', (code) => {
+      if (code !== 0) {
+        reject(new Error(`Failed to set volume ownership: ${stderr.trim()}`));
+      } else {
+        resolve();
+      }
+    });
+  });
+}
+
+/**
+ * Split custom CLI flags honoring simple quotes.
+ */
+export function splitArgs(input: string): string[] {
+  const args: string[] = [];
+  let current = '';
+  let quote: '"' | "'" | null = null;
+  let escape = false;
+  for (const ch of input) {
+    if (escape) {
+      current += ch;
+      escape = false;
+      continue;
+    }
+    if (ch === '\\') {
+      escape = true;
+      continue;
+    }
+    if (quote) {
+      if (ch === quote) {
+        quote = null;
+      } else {
+        current += ch;
+      }
+      continue;
+    }
+    if (ch === '"' || ch === "'") {
+      quote = ch as '"' | "'";
+      continue;
+    }
+    if (/\s/.test(ch)) {
+      if (current.length > 0) {
+        args.push(current);
+        current = '';
+      }
+      continue;
+    }
+    current += ch;
+  }
+  if (current.length > 0) args.push(current);
+  return args;
+}
diff --git a/worker/src/temporal/activities/run-component.activity.ts b/worker/src/temporal/activities/run-component.activity.ts
index 94c19658..aabb2efd 100644
--- a/worker/src/temporal/activities/run-component.activity.ts
+++ b/worker/src/temporal/activities/run-component.activity.ts
@@ -200,6 +200,10 @@ export async function runComponentActivity(
     agentTracePublisher: globalAgentTracePublisher,
   });
 
+  // Resolve dynamic port schemas (from resolvePorts) so secret masking covers them
+  const resolvedPortSchemas =
+    typeof component.resolvePorts === 'function' ? component.resolvePorts(params) : undefined;
+
   // Record node I/O start (using raw inputs/params from workflow)
   await globalNodeIO?.recordStart({
     runId: input.runId,
@@ -207,7 +211,11 @@ export async function runComponentActivity(
     workflowId: input.workflowId,
     organizationId: input.organizationId,
     componentId: action.componentId,
-    inputs: maskSecretInputs(component, { ...inputs, ...params }) as Record<string, unknown>,
+    inputs: maskSecretInputs(
+      component,
+      { ...inputs, ...params },
+      resolvedPortSchemas?.inputs,
+    ) as Record<string, unknown>,
   });
 
   context.trace?.record({
@@ -514,7 +522,10 @@ export async function runComponentActivity(
         runId: input.runId,
         nodeRef: action.ref,
         componentId: action.componentId,
-        outputs: maskSecretOutputs(component, output) as Record<string, unknown>,
+        outputs: maskSecretOutputs(component, output, resolvedPortSchemas?.outputs) as Record<
+          string,
+          unknown
+        >,
         status: 'completed',
       });
 
diff --git a/worker/src/temporal/utils/component-output.ts b/worker/src/temporal/utils/component-output.ts
index 91aef639..63015cbb 100644
--- a/worker/src/temporal/utils/component-output.ts
+++ b/worker/src/temporal/utils/component-output.ts
@@ -56,9 +56,15 @@ function getSecretPorts(ports: ComponentPortMetadata[]): { id: string }[] {
 
 /**
  * Masks inputs containing sensitive information (secrets) based on component port schemas.
+ * When a component uses `resolvePorts`, pass `resolvedInputsSchema` so that dynamically
+ * created secret ports (e.g. credentials) are also masked.
  */
-export function maskSecretInputs(component: RegisteredComponent, input: unknown): unknown {
-  const inputPorts = extractPorts(component.inputs);
+export function maskSecretInputs(
+  component: RegisteredComponent,
+  input: unknown,
+  resolvedInputsSchema?: unknown,
+): unknown {
+  const inputPorts = extractPorts((resolvedInputsSchema ?? component.inputs) as any);
   const secretPorts = getSecretPorts(inputPorts);
   let masked = maskSecretPorts(secretPorts, input);
 
@@ -119,9 +125,15 @@ export function maskSecretParameters(component: RegisteredComponent, params: unk
 
 /**
  * Masks outputs containing sensitive information (secrets) based on component port schemas.
+ * When a component uses `resolvePorts`, pass `resolvedOutputsSchema` so that dynamically
+ * created secret ports are also masked.
  */
-export function maskSecretOutputs(component: RegisteredComponent, output: unknown): unknown {
-  const outputPorts = extractPorts(component.outputs);
+export function maskSecretOutputs(
+  component: RegisteredComponent,
+  output: unknown,
+  resolvedOutputsSchema?: unknown,
+): unknown {
+  const outputPorts = extractPorts((resolvedOutputsSchema ?? component.outputs) as any);
   const secretPorts = getSecretPorts(outputPorts);
 
   if (secretPorts.length === 0) {
diff --git a/worker/src/temporal/workflow-runner.ts b/worker/src/temporal/workflow-runner.ts
index 166e99fc..393de2de 100644
--- a/worker/src/temporal/workflow-runner.ts
+++ b/worker/src/temporal/workflow-runner.ts
@@ -526,6 +526,9 @@ function extractFailureMessage(value: { success: boolean; error?: unknown }): st
 function maskSecretOutputs(outputPorts: ComponentPortMetadata[], output: unknown): unknown {
   const secretPorts =
     outputPorts.filter((port) => {
+      if (port.editor === 'secret') {
+        return true;
+      }
       const connectionType = port.connectionType;
 
       if (connectionType.kind === 'primitive') {
diff --git a/worker/src/utils/opensearch-indexer.ts b/worker/src/utils/opensearch-indexer.ts
index ad033875..f131af5a 100644
--- a/worker/src/utils/opensearch-indexer.ts
+++ b/worker/src/utils/opensearch-indexer.ts
@@ -377,10 +377,10 @@ export class OpenSearchIndexer {
         }
       }
 
-      // Refresh index pattern in OpenSearch Dashboards to make new fields visible
+      // Refresh index patterns in OpenSearch Dashboards to make new fields visible
       // Skip when security is enabled - patterns are created per-tenant by the provisioning service
       if (!this.securityEnabled) {
-        await this.refreshIndexPattern();
+        await this.refreshIndexPattern(orgId);
       }
 
       return { indexName, documentCount: documents.length };
@@ -407,13 +407,12 @@ export class OpenSearchIndexer {
   }
 
   /**
-   * Refresh the index pattern in OpenSearch Dashboards to make new fields visible.
-   * Two-step process:
-   * 1. Get fresh field mappings from OpenSearch via _fields_for_wildcard API
-   * 2. Update the saved index pattern object with the new fields
+   * Refresh index patterns in OpenSearch Dashboards to make new fields visible.
+   * Ensures both the generic `security-findings-*` and org-specific
+   * `security-findings-{orgId}-*` patterns exist and have up-to-date field mappings.
    * Fails silently if Dashboards URL is not configured or refresh fails.
    */
-  private async refreshIndexPattern(): Promise<void> {
+  private async refreshIndexPattern(orgId?: string): Promise<void> {
     if (!this.dashboardsUrl) {
       console.debug(
         '[OpenSearchIndexer] Dashboards URL not configured, skipping index pattern refresh',
@@ -421,8 +420,21 @@ export class OpenSearchIndexer {
       return;
     }
 
-    const indexPatternId = 'security-findings-*';
+    const patterns = ['security-findings-*'];
+    if (orgId) {
+      patterns.push(`security-findings-${orgId.toLowerCase()}-*`);
+    }
+
+    for (const indexPatternId of patterns) {
+      await this.ensureAndRefreshPattern(indexPatternId);
+    }
+  }
 
+  /**
+   * Ensure a single index pattern exists in Dashboards and refresh its fields.
+   * Creates the pattern if it doesn't exist, then updates field mappings.
+   */
+  private async ensureAndRefreshPattern(indexPatternId: string): Promise<void> {
     try {
       const headers: Record<string, string> = {
         'Content-Type': 'application/json',
@@ -442,19 +454,43 @@ export class OpenSearchIndexer {
       const fieldsResponse = await fetch(fieldsUrl, { method: 'GET', headers });
 
       if (!fieldsResponse.ok) {
-        console.warn(`[OpenSearchIndexer] Failed to get fresh fields: ${fieldsResponse.status}`);
+        console.warn(
+          `[OpenSearchIndexer] Failed to get fresh fields for ${indexPatternId}: ${fieldsResponse.status}`,
+        );
         return;
       }
 
       const fieldsData = (await fieldsResponse.json()) as { fields?: unknown[] };
       const freshFields = fieldsData.fields || [];
 
-      // Step 2: Get current index pattern to preserve other attributes
+      // Step 2: Check if index pattern exists
       const patternUrl = `${this.dashboardsUrl}/api/saved_objects/index-pattern/${encodeURIComponent(indexPatternId)}`;
       const patternResponse = await fetch(patternUrl, { method: 'GET', headers });
 
       if (!patternResponse.ok) {
-        console.warn(`[OpenSearchIndexer] Index pattern not found: ${patternResponse.status}`);
+        // Pattern doesn't exist - create it
+        console.debug(`[OpenSearchIndexer] Creating index pattern: ${indexPatternId}`);
+        const createResponse = await fetch(patternUrl, {
+          method: 'POST',
+          headers,
+          body: JSON.stringify({
+            attributes: {
+              title: indexPatternId,
+              timeFieldName: '@timestamp',
+              fields: JSON.stringify(freshFields),
+            },
+          }),
+        });
+
+        if (createResponse.ok) {
+          console.debug(
+            `[OpenSearchIndexer] Created index pattern ${indexPatternId} (${freshFields.length} fields)`,
+          );
+        } else {
+          console.warn(
+            `[OpenSearchIndexer] Failed to create index pattern ${indexPatternId}: ${createResponse.status}`,
+          );
+        }
         return;
       }
 
@@ -480,16 +516,16 @@ export class OpenSearchIndexer {
 
       if (updateResponse.ok) {
         console.debug(
-          `[OpenSearchIndexer] Index pattern fields refreshed (${freshFields.length} fields)`,
+          `[OpenSearchIndexer] Index pattern ${indexPatternId} fields refreshed (${freshFields.length} fields)`,
         );
       } else {
         console.warn(
-          `[OpenSearchIndexer] Failed to update index pattern: ${updateResponse.status}`,
+          `[OpenSearchIndexer] Failed to update index pattern ${indexPatternId}: ${updateResponse.status}`,
         );
       }
     } catch (error) {
       // Non-critical failure - log but don't throw
-      console.warn('[OpenSearchIndexer] Failed to refresh index pattern:', error);
+      console.warn(`[OpenSearchIndexer] Failed to refresh index pattern ${indexPatternId}:`, error);
     }
   }