From b7af1066d55de0590976b5940f3dcf7ea6c6b906 Mon Sep 17 00:00:00 2001
From: Raven95676 <raven95676@gmail.com>
Date: Thu, 14 May 2026 19:48:45 +0800
Subject: [PATCH 1/7] feat: add TOTP two-factor authentication for dashboard
 login

---
 astrbot/core/config/default.py                |  11 +
 astrbot/core/db/po.py                         |  15 +
 astrbot/core/utils/totp.py                    | 210 ++++++++++++
 astrbot/dashboard/routes/auth.py              | 220 +++++++++++--
 astrbot/dashboard/server.py                   |  46 +++
 .../mdi-subset/materialdesignicons-subset.css |  10 +-
 .../materialdesignicons-webfont-subset.woff   | Bin 18772 -> 18896 bytes
 .../materialdesignicons-webfont-subset.woff2  | Bin 15112 -> 15164 bytes
 .../src/components/shared/AstrBotConfigV4.vue |   2 +
 .../components/shared/ConfigItemRenderer.vue  |  12 +
 .../shared/DashboardTotpDisableDialog.vue     | 159 +++++++++
 .../shared/DashboardTotpManageDialog.vue      | 101 ++++++
 .../shared/DashboardTotpManager.vue           | 210 ++++++++++++
 .../shared/DashboardTotpRecoveryDialog.vue    | 101 ++++++
 .../DashboardTotpRotateRecoveryDialog.vue     | 143 ++++++++
 .../shared/DashboardTotpSetupDialog.vue       | 309 ++++++++++++++++++
 .../src/i18n/locales/en-US/features/auth.json |  28 ++
 .../en-US/features/config-metadata.json       |  44 +++
 .../src/i18n/locales/ru-RU/features/auth.json |  90 +++--
 .../ru-RU/features/config-metadata.json       |  44 +++
 .../src/i18n/locales/zh-CN/features/auth.json |  36 +-
 .../zh-CN/features/config-metadata.json       |  44 +++
 dashboard/src/main.ts                         |  10 +
 dashboard/src/router/index.ts                 |  10 +-
 dashboard/src/stores/auth.ts                  |  33 +-
 .../authentication/authForms/AuthLogin.vue    | 202 +++++++++---
 .../authForms/stages/AuthStageAccount.vue     |  72 ++++
 .../authForms/stages/AuthStageRecovery.vue    |  80 +++++
 .../authForms/stages/AuthStageTotp.vue        |  80 +++++
 pyproject.toml                                |   1 +
 requirements.txt                              |   1 +
 31 files changed, 2201 insertions(+), 123 deletions(-)
 create mode 100644 astrbot/core/utils/totp.py
 create mode 100644 dashboard/src/components/shared/DashboardTotpDisableDialog.vue
 create mode 100644 dashboard/src/components/shared/DashboardTotpManageDialog.vue
 create mode 100644 dashboard/src/components/shared/DashboardTotpManager.vue
 create mode 100644 dashboard/src/components/shared/DashboardTotpRecoveryDialog.vue
 create mode 100644 dashboard/src/components/shared/DashboardTotpRotateRecoveryDialog.vue
 create mode 100644 dashboard/src/components/shared/DashboardTotpSetupDialog.vue
 create mode 100644 dashboard/src/views/authentication/authForms/stages/AuthStageAccount.vue
 create mode 100644 dashboard/src/views/authentication/authForms/stages/AuthStageRecovery.vue
 create mode 100644 dashboard/src/views/authentication/authForms/stages/AuthStageTotp.vue

diff --git a/astrbot/core/config/default.py b/astrbot/core/config/default.py
index 3e5dee89c8..67a1c05239 100644
--- a/astrbot/core/config/default.py
+++ b/astrbot/core/config/default.py
@@ -252,6 +252,11 @@
         "host": "0.0.0.0",
         "port": 6185,
         "disable_access_log": True,
+        "totp": {
+            "enable": False,
+            "secret": "",
+            "recovery_code_hash": "",
+        },
         "ssl": {
             "enable": False,
             "cert_file": "",
@@ -4180,6 +4185,12 @@
                         "type": "bool",
                         "hint": "启用后，WebUI 将直接使用 HTTPS 提供服务。",
                     },
+                    "dashboard.totp.enable": {
+                        "description": "启用 WebUI TOTP 双因素认证",
+                        "type": "bool",
+                        "hint": "启用后，登录 WebUI 需要额外输入验证码。",
+                        "_special": "dashboard_totp_manager",
+                    },
                     "dashboard.ssl.cert_file": {
                         "description": "SSL 证书文件路径",
                         "type": "string",
diff --git a/astrbot/core/db/po.py b/astrbot/core/db/po.py
index 0d3b9822a3..acc4df4589 100644
--- a/astrbot/core/db/po.py
+++ b/astrbot/core/db/po.py
@@ -382,6 +382,21 @@ class ApiKey(TimestampMixin, SQLModel, table=True):
     )
 
 
+class DashboardTrustedDevice(TimestampMixin, SQLModel, table=True):
+    """Trusted dashboard device token used to skip TOTP for a limited time."""
+
+    __tablename__: str = "dashboard_trusted_devices"
+
+    id: int | None = Field(
+        default=None,
+        primary_key=True,
+        sa_column_kwargs={"autoincrement": True},
+    )
+    token_hash: str = Field(max_length=64, nullable=False, unique=True, index=True)
+    totp_secret_hash: str = Field(max_length=64, nullable=False, index=True)
+    expires_at: datetime = Field(nullable=False, index=True)
+
+
 class ChatUIProject(TimestampMixin, SQLModel, table=True):
     """This class represents projects for organizing ChatUI conversations.
 
diff --git a/astrbot/core/utils/totp.py b/astrbot/core/utils/totp.py
new file mode 100644
index 0000000000..31a1b5bff9
--- /dev/null
+++ b/astrbot/core/utils/totp.py
@@ -0,0 +1,210 @@
+from __future__ import annotations
+
+import asyncio
+import base64
+import datetime
+import hashlib
+import hmac
+import secrets
+
+import pyotp
+from sqlmodel import col, delete, select
+
+from astrbot.core.db.po import DashboardTrustedDevice
+
+TOTP_TRUSTED_DEVICE_COOKIE_NAME = "astrbot_totp_trusted_device"
+TOTP_TRUSTED_DEVICE_MAX_AGE = 30 * 24 * 60 * 60
+RECOVERY_CODE_GROUP_COUNT = 4
+RECOVERY_CODE_GROUP_LENGTH = 8
+RECOVERY_CODE_LENGTH = RECOVERY_CODE_GROUP_COUNT * RECOVERY_CODE_GROUP_LENGTH
+_RECOVERY_CODE_KDF_ITERATIONS = 600_000
+_RECOVERY_CODE_KDF_SALT_BYTES = 16
+_RECOVERY_CODE_KDF_ALGORITHM = "pbkdf2_sha256"
+
+_last_totp_timecode: dict[str, int] = {}
+_totp_replay_lock = asyncio.Lock()
+
+
+def _get_totp_config(config) -> dict:
+    totp_config = config.get("dashboard", {}).get("totp", {})
+    return totp_config if isinstance(totp_config, dict) else {}
+
+
+def is_totp_enabled(config) -> bool:
+    """TOTP is fully configured and operational (enable + secret + recovery hash all present)."""
+    totp_config = _get_totp_config(config)
+    if not totp_config.get("enable", False):
+        return False
+    secret = totp_config.get("secret", "")
+    if not isinstance(secret, str) or not secret.strip():
+        return False
+    recovery_code_hash = totp_config.get("recovery_code_hash", "")
+    if not isinstance(recovery_code_hash, str) or not recovery_code_hash.strip():
+        return False
+    return True
+
+
+def _get_verified_totp_timecode(secret: str, code: str) -> int | None:
+    code = code.strip()
+    try:
+        totp = pyotp.TOTP(secret.strip())
+        now = datetime.datetime.now()
+        for offset in (-1, 0, 1):
+            candidate_time = now + datetime.timedelta(seconds=offset * totp.interval)
+            if hmac.compare_digest(str(totp.at(candidate_time)), code):
+                return int(totp.timecode(candidate_time))
+    except Exception:
+        return None
+    return None
+
+
+async def consume_totp_code(secret: str, code: str) -> bool:
+    global _last_totp_timecode
+    timecode = _get_verified_totp_timecode(secret, code)
+    if timecode is None:
+        return False
+    secret = secret.strip()
+    async with _totp_replay_lock:
+        if _last_totp_timecode.get(secret, -1) >= timecode:
+            return False
+        _last_totp_timecode[secret] = timecode
+    return True
+
+
+async def consume_configured_totp_code(config, code: str) -> bool:
+    if not is_totp_enabled(config):
+        return False
+    secret = _get_totp_config(config).get("secret", "")
+    return await consume_totp_code(secret, code)
+
+
+def _hash_totp_trusted_device_token(config, token: str) -> str:
+    jwt_secret = config["dashboard"].get("jwt_secret", "")
+    if not isinstance(jwt_secret, str) or not jwt_secret:
+        return ""
+    return hmac.new(
+        jwt_secret.encode("utf-8"),
+        token.encode("utf-8"),
+        hashlib.sha256,
+    ).hexdigest()
+
+
+def _hash_totp_secret(config) -> str:
+    secret = _get_totp_config(config).get("secret", "")
+    if not isinstance(secret, str) or not secret.strip():
+        return ""
+    return hashlib.sha256(secret.strip().encode("utf-8")).hexdigest()
+
+
+async def is_totp_trusted_device_valid(config, db, cookie_token: str) -> bool:
+    if not cookie_token:
+        return False
+    token_hash = _hash_totp_trusted_device_token(config, cookie_token)
+    totp_secret_hash = _hash_totp_secret(config)
+    if not token_hash or not totp_secret_hash:
+        return False
+
+    await _cleanup_expired_totp_trusted_devices(db)
+    async with db.get_db() as session:
+        result = await session.execute(
+            select(DashboardTrustedDevice).where(
+                col(DashboardTrustedDevice.token_hash) == token_hash,
+                col(DashboardTrustedDevice.totp_secret_hash) == totp_secret_hash,
+                col(DashboardTrustedDevice.expires_at)
+                > datetime.datetime.now(datetime.timezone.utc),
+            )
+        )
+        return result.scalar_one_or_none() is not None
+
+
+async def issue_totp_trusted_device(config, db) -> str | None:
+    """Issue a trusted device token, save to DB, and return the raw token for cookie."""
+    raw_token = secrets.token_urlsafe(48)
+    token_hash = _hash_totp_trusted_device_token(config, raw_token)
+    totp_secret_hash = _hash_totp_secret(config)
+    if not token_hash or not totp_secret_hash:
+        return None
+
+    expires_at = datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(
+        seconds=TOTP_TRUSTED_DEVICE_MAX_AGE
+    )
+    async with db.get_db() as session:
+        async with session.begin():
+            await session.execute(
+                delete(DashboardTrustedDevice).where(
+                    col(DashboardTrustedDevice.token_hash) == token_hash
+                )
+            )
+            trusted_device = DashboardTrustedDevice.model_validate(
+                {
+                    "token_hash": token_hash,
+                    "totp_secret_hash": totp_secret_hash,
+                    "expires_at": expires_at,
+                }
+            )
+            session.add(trusted_device)
+    return raw_token
+
+
+async def _cleanup_expired_totp_trusted_devices(db) -> None:
+    async with db.get_db() as session:
+        async with session.begin():
+            await session.execute(
+                delete(DashboardTrustedDevice).where(
+                    col(DashboardTrustedDevice.expires_at)
+                    <= datetime.datetime.now(datetime.timezone.utc)
+                )
+            )
+
+
+async def revoke_user_trusted_devices(db) -> None:
+    async with db.get_db() as session:
+        async with session.begin():
+            await session.execute(delete(DashboardTrustedDevice))
+
+
+def generate_recovery_code() -> tuple[str, str]:
+    raw = secrets.token_bytes(20)
+    recovery_code = base64.b32encode(raw).decode("ascii").rstrip("=")
+    salt = secrets.token_hex(_RECOVERY_CODE_KDF_SALT_BYTES)
+    digest = hashlib.pbkdf2_hmac(
+        "sha256",
+        recovery_code.encode("utf-8"),
+        bytes.fromhex(salt),
+        _RECOVERY_CODE_KDF_ITERATIONS,
+    ).hex()
+    kdf_hash = f"{_RECOVERY_CODE_KDF_ALGORITHM}${_RECOVERY_CODE_KDF_ITERATIONS}${salt}${digest}"
+    parts = [
+        recovery_code[i : i + RECOVERY_CODE_GROUP_LENGTH]
+        for i in range(0, len(recovery_code), RECOVERY_CODE_GROUP_LENGTH)
+    ]
+    return "-".join(parts), kdf_hash
+
+
+def verify_recovery_code(config, code: str) -> bool:
+    """Verify a recovery code against configured recovery_code_hash (PBKDF2)."""
+    cleaned = "".join(char for char in code.upper() if char.isalnum())
+    if len(cleaned) != RECOVERY_CODE_LENGTH:
+        return False
+    totp_config = _get_totp_config(config)
+    stored_hash = totp_config.get("recovery_code_hash", "")
+    if not isinstance(stored_hash, str) or not stored_hash:
+        return False
+
+    parts = stored_hash.split("$")
+    if len(parts) != 4 or parts[0] != _RECOVERY_CODE_KDF_ALGORITHM:
+        return False
+    try:
+        iterations = int(parts[1])
+        salt = parts[2]
+        expected_digest = parts[3]
+    except (ValueError, IndexError):
+        return False
+
+    candidate = hashlib.pbkdf2_hmac(
+        "sha256",
+        cleaned.encode("utf-8"),
+        bytes.fromhex(salt),
+        iterations,
+    ).hex()
+    return hmac.compare_digest(candidate, expected_digest)
diff --git a/astrbot/dashboard/routes/auth.py b/astrbot/dashboard/routes/auth.py
index 20195a8582..66913120eb 100644
--- a/astrbot/dashboard/routes/auth.py
+++ b/astrbot/dashboard/routes/auth.py
@@ -3,6 +3,7 @@
 import os
 
 import jwt
+import pyotp
 from quart import current_app, g, jsonify, make_response, request
 
 from astrbot import logger
@@ -13,6 +14,18 @@
     validate_dashboard_password,
     verify_dashboard_password,
 )
+from astrbot.core.utils.totp import (
+    TOTP_TRUSTED_DEVICE_COOKIE_NAME,
+    TOTP_TRUSTED_DEVICE_MAX_AGE,
+    consume_configured_totp_code,
+    consume_totp_code,
+    generate_recovery_code,
+    is_totp_enabled,
+    is_totp_trusted_device_valid,
+    issue_totp_trusted_device,
+    revoke_user_trusted_devices,
+    verify_recovery_code,
+)
 from astrbot.dashboard.password_state import (
     get_dashboard_password_hash,
     is_password_change_required,
@@ -41,6 +54,9 @@ def __init__(self, context: RouteContext, db) -> None:
             "/auth/setup-status": ("GET", self.setup_status),
             "/auth/setup": ("POST", self.setup),
             "/auth/setup-authenticated": ("POST", self.setup_authenticated),
+            "/auth/totp/setup": ("POST", self.totp_setup),
+            "/auth/totp/verify-setup": ("POST", self.totp_verify_setup),
+            "/auth/totp/disable": ("POST", self.totp_disable),
             "/auth/account/edit": ("POST", self.edit_account),
         }
         self.register_routes()
@@ -61,6 +77,81 @@ async def setup_status(self):
             .__dict__
         )
 
+    async def totp_setup(self):
+        is_rotation = is_totp_enabled(self.config)
+        if is_rotation:
+            post_data = await request.json
+            if not isinstance(post_data, dict):
+                return Response().error("Invalid request payload").__dict__
+            code = post_data.get("code")
+            if not isinstance(code, str) or not code.strip():
+                return Response().error("当前 TOTP 验证码是轮换所必需的").__dict__
+            if not await consume_configured_totp_code(self.config, code):
+                return Response().error("当前 TOTP 验证码无效").__dict__
+
+        secret = pyotp.random_base32()
+        return (
+            Response()
+            .ok(
+                {
+                    "secret": secret,
+                }
+            )
+            .__dict__
+        )
+
+    async def totp_verify_setup(self):
+        post_data = await request.json
+        if not isinstance(post_data, dict):
+            return Response().error("Invalid request payload").__dict__
+
+        secret = post_data.get("secret")
+        code = post_data.get("code")
+        if not isinstance(secret, str) or not secret.strip():
+            return Response().error("Invalid request payload").__dict__
+        if not isinstance(code, str) or not code.strip():
+            return Response().error("Invalid request payload").__dict__
+
+        if not await consume_totp_code(secret, code):
+            return Response().error("TOTP 验证码无效").__dict__
+
+        recovery_code, recovery_code_hash = generate_recovery_code()
+
+        return (
+            Response()
+            .ok(
+                {
+                    "recovery_code": recovery_code,
+                    "recovery_code_hash": recovery_code_hash,
+                },
+                "TOTP verified",
+            )
+            .__dict__
+        )
+
+    async def totp_disable(self):
+        post_data = await request.json
+        if not isinstance(post_data, dict):
+            return Response().error("Invalid request payload").__dict__
+
+        code = post_data.get("code")
+        if not isinstance(code, str) or not code.strip():
+            return Response().error("Invalid code").__dict__
+
+        if not await consume_configured_totp_code(
+            self.config, code
+        ) and not verify_recovery_code(self.config, code):
+            return Response().error("凭据无效").__dict__
+
+        self.config["dashboard"]["totp"] = {
+            "enable": False,
+            "secret": "",
+            "recovery_code_hash": "",
+        }
+        await revoke_user_trusted_devices(self.db)
+        self.config.save_config()
+        return Response().ok(None, "TOTP disabled").__dict__
+
     async def setup(self):
         if not self._can_skip_default_password_auth():
             return Response().error("Setup without password is not enabled").__dict__
@@ -131,6 +222,12 @@ async def login(self):
         req_password = (
             post_data.get("password") if isinstance(post_data, dict) else None
         )
+        totp_code = post_data.get("code") if isinstance(post_data, dict) else None
+        trust_device_flag = (
+            post_data.get("trust_device_flag") is True
+            if isinstance(post_data, dict)
+            else False
+        )
         if not isinstance(req_username, str) or not isinstance(req_password, str):
             return Response().error("Invalid request payload").__dict__
 
@@ -138,39 +235,92 @@ async def login(self):
             password, req_password
         )
 
-        if login_verified:
-            change_pwd_hint = False
-            legacy_pwd_hint = is_legacy_dashboard_password(password)
-            password_change_required = await is_password_change_required(
-                self.db,
-                self.config,
+        if not login_verified:
+            await asyncio.sleep(3)
+            return await self._error_response(
+                "用户名或密码错误",
+                401,
             )
-            if (
-                storage_upgraded
-                and username == "astrbot"
-                and is_default_dashboard_password(password)
-                and not DEMO_MODE
+
+        totp_verified = False
+
+        if is_totp_enabled(self.config):
+            cookie_token = request.cookies.get(
+                TOTP_TRUSTED_DEVICE_COOKIE_NAME, ""
+            ).strip()
+            if not await is_totp_trusted_device_valid(
+                self.config, self.db, cookie_token
             ):
-                change_pwd_hint = True
-                legacy_pwd_hint = True
-                logger.warning("为了保证安全，请尽快修改默认密码。")
-            if password_change_required and not DEMO_MODE:
-                change_pwd_hint = True
-            token = self.generate_jwt(username)
-            payload = Response().ok(
-                {
-                    "token": token,
-                    "username": username,
-                    "change_pwd_hint": change_pwd_hint,
-                    "legacy_pwd_hint": legacy_pwd_hint,
-                    "password_upgrade_required": not storage_upgraded,
-                },
-            )
-            response = await make_response(jsonify(payload.__dict__))
-            self._set_dashboard_jwt_cookie(response, token)
-            return response
-        await asyncio.sleep(3)
-        return Response().error("用户名或密码错误").__dict__
+                if not isinstance(totp_code, str) or not totp_code.strip():
+                    response = await make_response(
+                        jsonify(
+                            {
+                                "status": "error",
+                                "message": "需要 TOTP 验证",
+                                "data": {"totp_required": True},
+                            }
+                        )
+                    )
+                    response.status_code = 401
+                    return response
+                if len(totp_code) == 6 and totp_code.isdigit():
+                    if await consume_configured_totp_code(self.config, totp_code):
+                        totp_verified = True
+                    else:
+                        return await self._error_response("TOTP 验证码无效", 401)
+                elif verify_recovery_code(self.config, totp_code):
+                    self.config["dashboard"]["totp"] = {
+                        "enable": False,
+                        "secret": "",
+                        "recovery_code_hash": "",
+                    }
+                    await revoke_user_trusted_devices(self.db)
+                    self.config.save_config()
+                else:
+                    return await self._error_response("恢复码无效", 401)
+
+        change_pwd_hint = False
+        legacy_pwd_hint = is_legacy_dashboard_password(password)
+        password_change_required = await is_password_change_required(
+            self.db,
+            self.config,
+        )
+        if (
+            storage_upgraded
+            and username == "astrbot"
+            and is_default_dashboard_password(password)
+            and not DEMO_MODE
+        ):
+            change_pwd_hint = True
+            legacy_pwd_hint = True
+            logger.warning("为了保证安全，请尽快修改默认密码。")
+        if password_change_required and not DEMO_MODE:
+            change_pwd_hint = True
+        token = self.generate_jwt(username)
+        login_data = {
+            "token": token,
+            "username": username,
+            "change_pwd_hint": change_pwd_hint,
+            "legacy_pwd_hint": legacy_pwd_hint,
+            "password_upgrade_required": not storage_upgraded,
+        }
+        payload = Response().ok(login_data)
+        response = await make_response(jsonify(payload.__dict__))
+        self._set_dashboard_jwt_cookie(response, token)
+
+        if totp_verified and trust_device_flag:
+            raw_token = await issue_totp_trusted_device(self.config, self.db)
+            if raw_token:
+                response.set_cookie(
+                    TOTP_TRUSTED_DEVICE_COOKIE_NAME,
+                    raw_token,
+                    max_age=TOTP_TRUSTED_DEVICE_MAX_AGE,
+                    httponly=True,
+                    samesite="Strict",
+                    secure=AuthRoute._use_secure_dashboard_jwt_cookie(),
+                    path="/api/auth",
+                )
+        return response
 
     async def logout(self):
         response = await make_response(
@@ -225,6 +375,8 @@ async def edit_account(self):
             set_dashboard_password_hashes(self.config, new_pwd)
             await set_password_storage_upgraded(self.db, self.config, True)
             await set_password_change_required(self.db, self.config, False)
+            if is_totp_enabled(self.config):
+                await revoke_user_trusted_devices(self.db)
         if new_username:
             self.config["dashboard"]["username"] = new_username
 
@@ -266,6 +418,12 @@ async def _is_setup_required(self) -> bool:
             dashboard_config.get("pbkdf2_password", "")
         )
 
+    @staticmethod
+    async def _error_response(message: str, status_code: int):
+        response = await make_response(jsonify(Response().error(message).__dict__))
+        response.status_code = status_code
+        return response
+
     def _can_skip_default_password_auth(self) -> bool:
         if not self._env_flag_enabled(SKIP_DEFAULT_PASSWORD_AUTH_ENV):
             return False
diff --git a/astrbot/dashboard/server.py b/astrbot/dashboard/server.py
index 1211d4f750..187f49d78c 100644
--- a/astrbot/dashboard/server.py
+++ b/astrbot/dashboard/server.py
@@ -3,6 +3,7 @@
 import logging
 import os
 import socket
+import time
 from datetime import datetime
 from pathlib import Path
 from typing import Protocol, cast
@@ -39,6 +40,37 @@
 
 # Static assets shipped inside the wheel (built during `hatch build`).
 _BUNDLED_DIST = Path(__file__).parent / "dist"
+_RATE_LIMITED_ENDPOINTS: frozenset = frozenset(
+    {
+        "/api/auth/totp/disable",
+        "/api/auth/totp/setup",
+        "/api/auth/login",
+        "/api/auth/totp/verify-setup",
+    }
+)
+
+
+class _AuthRateLimiter:
+    def __init__(self, capacity: int, refill_rate: float):
+        self.capacity = capacity
+        self.refill_rate = refill_rate
+        self.tokens = float(capacity)
+        self.last_refill = time.monotonic()
+        self.lock = asyncio.Lock()
+
+    async def acquire(self) -> bool:
+        async with self.lock:
+            now = time.monotonic()
+            elapsed = now - self.last_refill
+            self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_rate)
+            self.last_refill = now
+            if self.tokens >= 1:
+                self.tokens -= 1
+                return True
+            return False
+
+
+_rate_limiters: dict[str, _AuthRateLimiter] = {}
 
 
 class _AddrWithPort(Protocol):
@@ -241,6 +273,20 @@ async def auth_middleware(self):
             await self.db.touch_api_key(api_key.key_id)
             return None
 
+        if os.environ.get("ASTRBOT_TEST_MODE") != "true" and request.path in _RATE_LIMITED_ENDPOINTS:
+            limiter = _rate_limiters.get(request.path)
+            if limiter is None:
+                limiter = _AuthRateLimiter(capacity=3, refill_rate=1.0)
+                _rate_limiters[request.path] = limiter
+            if not await limiter.acquire():
+                r = jsonify(
+                    Response()
+                    .error("验证尝试过于频繁，系统可能正在遭受暴力破解")
+                    .__dict__
+                )
+                r.status_code = 429
+                return r
+
         allowed_exact_endpoints = {
             "/api/auth/login",
             "/api/auth/logout",
diff --git a/dashboard/src/assets/mdi-subset/materialdesignicons-subset.css b/dashboard/src/assets/mdi-subset/materialdesignicons-subset.css
index a3507d2ab7..99b2f7463c 100644
--- a/dashboard/src/assets/mdi-subset/materialdesignicons-subset.css
+++ b/dashboard/src/assets/mdi-subset/materialdesignicons-subset.css
@@ -1,4 +1,4 @@
-/* Auto-generated MDI subset – 263 icons */
+/* Auto-generated MDI subset – 265 icons */
 /* Do not edit manually. Run: pnpm run subset-icons */
 
 @font-face {
@@ -592,6 +592,10 @@
   content: "\F0309";
 }
 
+.mdi-key-variant::before {
+  content: "\F030B";
+}
+
 .mdi-label::before {
   content: "\F0315";
 }
@@ -904,6 +908,10 @@
   content: "\F0CC8";
 }
 
+.mdi-shield-key::before {
+  content: "\F0BC4";
+}
+
 .mdi-shuffle-variant::before {
   content: "\F049F";
 }
diff --git a/dashboard/src/assets/mdi-subset/materialdesignicons-webfont-subset.woff b/dashboard/src/assets/mdi-subset/materialdesignicons-webfont-subset.woff
index 7549c05d40fdc4a562d4084e2f74307b83774ce1..b24c4997757e6f9e49c68914f404045d05c249d2 100644
GIT binary patch
delta 16956
zcmV)UK(N2mk^#_@0Tg#nMn(Vu00000Nzecb00000h2W7COMjpM01CVsnSJzUY<Xq?
z00tBQ06?Aq0CZUR{S$d;Wnp9h07kR`001fg001^&B0zv>Xk}pl07l>d001BW001Nd
z#sR-*ZFG1507n1-000vJ00I~S0001NZ)0Hq07n!600I^O00I_>e{3;rVR&!=07)zW
z0018V001BYK^_5xZeeX@002o$0001V0002O45uT>aBp*T002qAk^Fsskd$Qrhw*23
zk307E?!HrC0YwKD8^*D~WOVGnMr<7v>;SP)8M_e`9J>oUutgmeJ29{eyF0O-@9)k0
z?s;c!Z})rOeZK&zK#O`)qdo2LH|^8;|7R|Re=qWyimgZae+5ef{%65bL0-E|Ko7fK
zK&u@Q&}O#@=xKKj^4<r3h6iBh1~lx)fk#*Hc|fQACZNmy6!^QS4Av0G-FA7ckhv9=
zH8tFE)2^j;9QU(Z1Prj-1}tQ^*A9*swtEH)w0j3EVkZPFY9|LQW~T%UvQq;Vw|55R
z`c-BIENLGK%C)S_3Rv2{p|>2nu2t8rT7FMMtn;b%aqRr6{k4F9;}z|IfR*i_fT4DY
zfMIs2fK}{}fK}~E0jt?f0#>(MX=}%8Sl6dI%JFb}M1X5qb&l0(j@PzV2draf2dryf
z56XQ}eJ5aj`)9xg_AmYIcteU>Yrw{~9^i4+8UdTyK0&#^YR<j3u;b0_z<@2S^REqa
z>^y3#2IU^C4G$Q9Y1a;LezlDPM%irwwzE5`+^g=3+O7dR*)c)6muq_m>|*x|C|~P7
zsU6~YH~U<`Xgf#cn(S`p29)pjallynRe*c2_G`di6fLy?KeMGhU?1BjU|+jffXC9}
zUTG=Mh5hZC0ln<-pgjLtwg@=Ljtm%QcL*47PY*cQP7ZK?el1f14zW`M4z-sB9A@ti
zINZ(*a38fi95B(o5OAb@Dc~ska=_8{ZI%0HlKnK`7>XY40ms?}1CFzs2OMv=3OK>;
z9B`r?6L69}AmC&>Dc}@4E#OppS-@#_dVp)w<DP&s?5qISsmC*V*72EkPQY3At$?%b
z2l~+QId)!ufS>7UP_$MYpKCh<&a(>yoNv9pw3g@i1$J=2MRvJ>i|y!uOYGQyOYMXJ
z=hQka;BtF?z!mnkfGh3HfUE3F0iO4*a|5oip9Wk@(N+(*&JGK3&DzEU%x@10@H5-S
z2i#!q3AoYT7jP3r&%WyC_-4C8z^!&%fXCbOf`Hq9?R5cn*are;*f{}So9i6`ciH6w
z?zV>pcr5jE1MamK1$bQb=>hKX`V#?uPJMQOYgT_h;6eLYfY<)I_p<u8jy(_R{{%cj
z(cTvDs2vgTm>nD7{%W5X@Hj<dSb(43@H*aD!|{`LY=C>PaYVqg_Q(LQNsTE1&)Zo6
zo{NotR|8(O9|ZWFcZ?2jejR%Sc#d{l9`K62GQjufxI5rA`&58y-|=C9_lJ(Z1HA8b
z9u@GWeLBE%rSruAuK}HN0=%DeeiiU8Mb|O`@7citu6@@v0nVfA7TxOD&+oc3;3NA_
zP(F7Q0|P#>I|jI~iwOaKhsEbX`D{|m3;2S6qI=nZFYV9(kFk4?fUm8`*In)hzyIzZ
z0=}b|@AZK1Ddry);NN>~9q^;QFesmWdfglFGez%4z%O>b0Ph>Urw06H{|CQQ^ywS$
zhy6FedvdcG;GCK(1$cjM4h`_TYOWRFnl(2G@I9In!^cMJdDry3sQ3)oyd$W1@9H~$
zFsS(4*l*FG;&WqvU(<hvWAFb1mJKRCD-IYLRO<f$#PWB&c$}5J3v?sbc_vsF1yrH%
z1`1V$2U!GA0E(<4!6rbUT1~PW-C}o3t(Mf11?cVRv?Ey}^sqN>*_Q3Nq$svLj-70L
z(6Ps3kH!;6cH=nf#E&_f&6&WCj%Pi8&Lpw3q$lxY<9IT=Gfiil-H9_ZCkcB0|K0)!
zuv>DLB<gXiaO>86{Qvhq$@w_=Ap_Fmf}9LTbu}%Ns_QMSu9JCEY_1<Cgfr^(GxfSr
zySp~JTDzO{>Syclx2Kt!ZNrA+c#gY%jqH&tT!PDT7ROaeRdd~GIjy>;YN`@{BmB5x
zrxf$0bzl9suen}>y3K7RlP=8H<_qbJvTf!ol~$#ax9;976gKa^4|ca)s#XeeG8TlN
zSW+%j$ZDlotu`xd?*`ae$1dGMTLEvd53S%ikqbd9jAlcDPoT&X#e$#f9NF9N_l9<l
z^ru^m_h%07=O=Akuld+Fm8lkg!EWI0*+e-w#~tUNJm1F!IEjnG8DHe(qN6mLB76w9
z56}PSqkr`aP$TJ&dZaztA9lO0ZNshf+n=W+!O4xJqlu=Y?OV_3pZ~o69O+%>F5}VV
z@tp(mB;Hw3iu6X2490itdfyq}`8jr{qZCEWF-5II4&OL__7k*5BS|ZNG~vzJb%jix
z&F0J3h|A4$RX8feh+=4t0rLcAOgcu4k}0Z<`f&oIE3Q{dLRzi22)F*gdb`tYFK*wv
zy|}o&w7RITpM<jY2c&E{3xC9gvrcCTufi>PeR2JPCmvWIrto5xKKJ_Hk>4gCfPPKE
zb2U*XqS;b4u|}}5FqJ-kr9Yqa$37^xvcFm|g(v>mO8Ff5fc|{8C4VsHPyTM<TzTc6
zJrP(O&yxYX1CG0MFz${~HKBv5B@uc_5Dldv%oEruX$`hIskfX)(`aoG*f!VA2C=*F
z<8H<?hQ1ot<Ey%niEpm>Y}>c8ncO(Dk@QZ6wrjb$grV1XzNQ<0iJTRc6kCxZ_Pk-t
z+Yx#a9rx}&%z*?~gd?#r-J{J$5xTii*PN>1^*iZz+NBMnFt=c>!SZa6`qO9K4pBPB
zMk&6KhttVHr!($@uaN;9<+%mugJQF2LMIrCQ4*A7T5S~Tt!8q)YLh1R1WeaGVzsZ@
z3Jgh#Sh!V`UeCUNcEz^sY-+SOF1Po4hwC??{$^2;8%m?DLgj){ELEZM)&{(k(h%XJ
z82Ioeea<!Z5LTsPU){0VZTPdVT_f)7qwEjk1#3Lhhvarxd7Ok(!XZOk5cmIp*lh2$
z>3_gIJX@V`lUc#BCI)Pzck1sXU;6V07v4p<ck3@Nd<M>cKlFnKp^(#G*6|4w8i(_K
zib8O+#DVk=5e7PY*>@wbZh$)0$YjCH5*rT2r*`)vxT($7s(8h)A?~3Ej929gT%1zz
z;_MKL$zl@w^<d;+EZv!o#KGmJ>IrZP^bdBU);v_(?v8%`Gx}6*ogNe{^rq|cYWfgq
zLrq~gg8p@XR((i+$cJ>-)i3FEOG<QiiEhWwzcT)oj8y1^59!-GU-wIF<Xs}+$jcgj
z<<s;Uk?3wbH*Tl3aur<R8o8Zbd-Kd4U3SL_N>Kjg^bO-@sO&mYQTB{?vg`cR`0894
zp27$qtkSej<ht%l$9x8iI`C7Ura%*$HydeWW3X#~UQE30W}|(}rDJ&G&f9LuZ;#t_
zg>=3Cg|~w4#SZT4?|kR@k2q5&GxIQm+@8)rHXF5r8XUqwOK!RJ4%~e3&O7z-AL)CA
zu-Ta^=Vp2!%T;ci<Jb|bQ{rU$K~ueO@J!xu^zq+JPaHhnow~*A3#6NQn6(Db762MZ
zDpf^)CrVlX8b&#vvwv~zbbTp$p>d*HSv$J;TuJYA^pdiD#5yUhZQXyu?^G6#exit_
zMQ=6^VKwO77R;>@a09Fhi5MKIK)iqrRE;|22$Mo2pzOwG1KQCjRkw)I958~3Tg%F(
zQd!Hrp#;}t2ljMp@8Fdk`zA$R%l5|Wq=E~7Ra_->W;<_r3rxvhpxZZli-gT`z$e$Q
z!?#|5(ULih1Hx26$}mfk8#0jORnpMZbetGuFuF>*$!s<`x{BLj@5`Odvx0DD%O)Ja
zsm}DOAMM(9w{u2Jif7o2*!4Jo%*}CJ(MST{WVB?1Fj`_#+R{iCN&nilYgi9%?!C@`
zC80MsVq5UsU0S`J%y!{fyTqRG7F>4`E(gaHvjMn7kSWiQE7IQGZ8K1L;W{^NDB(Jz
zJ%%Eu-r#`#xPS|iSg&aS?<<mVgQ1z{)E)I4u}1sZ)YViLdZ4E$_GsU$V1g}PfR@d1
z%M2k+roO1K!!2*w&6C;l>E-ap2lIY^dIf0as;SY9+t%<%W4rri&M3F~kK}vglQ7O4
z%-E(T0&8!GCJcdMA|N#!jVQf`AMTxb_~A3&p0uaWa6j&oHsL5*;$+0Kz^#XF2QVz>
zy0$fWYi=L#V-iQC!o~unfWrsS;S}+?GdmCHrDk?sy*9<ftlo(jal--OZdOHq?`991
z8fPBm1P8EBg+d>#2SW?2u;X_6iam7Q{uCw?fDQovP!JIYaHSM+$s5gLvIt9ttst`B
z9S%n>P6k-7Fg-X}z&P=S9Y88JZDgw5zRtDVDa5s7ndPV84HaCGgdt{N+Oq^y5Gnq|
zIpWDk^K0|-YsYXif44g~=YAT0H-y7$t;)c=1RD~5@a)+K@k1%VHF%l}bVKC~ZXG!$
zk}!a~3M`qrqX~>nnF|D;h$Rj|VNgkn8b01A!T#^IEBSv^^i}erSkyAmfSn^DCp+if
zy|#Q?e)NIgf|B6zdIk!XmufQMZsqepX+$w!@f9O*G4qi%Y5Bz22UBN%^W^ys6r|<j
zOPgmOjMsu5C;21tF~Dd^Xe9>-4Oqqr{KF{($Giw<<Wn{MS1%RJ&+01|Q_ZTp^w2l7
z=BM><tmvOL3zvRXuNiW+nOb^iG-_&}*2frZK&3N8a80c;O(;Oxd2aM$wv1C*=*P>K
z`(vU9)0{)jKlS}I@K2zBX{3Raa*BG&u&^}m12sO^AGmD%vnJ3+%j(!L2QC*}q;OC%
zP}Y&_x`RR28=L9+Z&EwVQ3TSnHGgMFN%5g-2e#coxzazubhv)Q$RR6K)@h;?({K)<
zJ7QnC(%yp~YZ~F%wguJQ1mR)5UY(|BIA%k08sZIgK4h=1+NV!{)2%yQ?>+bQdhi(@
zuG#B}C`Gd~0tsJCg0w*F!FZ@(k@Z2GKNu_MiY`bX!i0Orp?wu@m204^cLO%29Nj?n
zt!RvC!%@TVBodTO3==*x`1#+bBWj@)N$<$fW-}^x3-HtaFo;8{I*Y5n5|wRNj<%yR
zY?XrT7TRs)KstJV0p4&P(UQ}EwcT1bYXsqie261!*d{ptc2moRWjUP9JY0S4Ktg(a
zEv>1k&jdq>Q>l=&M`lE%;hmX+GL7t!FR{_0g9U##4A&h6+b%T9MN7AeWo>%AUU_Bj
z75KSfCIGMbD>@U39vT5Wf`HOgRH3v=s!r1|s{qJ~KuO|%glueX>YH0SY_~QaB+-;$
z2Yuu{0bf)kwixvV-s6W$8yk4T=H{P#E*ym$Lht*Om<okb;-|)VeGh0daA|pJerypG
zSa;p=D##`Wq~|S@)b3=~?on!v8XsH&fDM7s&sKt>{f;`Y4{B<+JMEpmJzW`_sXhWT
zHOX+u;c5bZ20dvO$?jE~0zLvbE<4(WdWbu6Ne>Xtq(XbN3%F;hjXX+WD492JY#;?@
zGY#CeZ*1Kz<y;CKm$YV#rEZO))hb{U4cQ({b^x$VqWHd!)w%W{nVmnqVO+66>TcUo
z)LUxV)O%CLMidL%_GE=!q?83Ue^e(V7nPy{M5=Ospi3MdOqceFjc9JvkEK$1S&p*Z
zod+ePW4V^~6*(uvpUZY%v8*OL^5`1MKZt>oh;wARW*yY!00G9;OP8?H+i6=vszlgn
zU)iys;`R<bg7cfzQ=#>kv>sa92Bi=Rv8O7!wqx~aJ=a)0h`9cmN<eR7`T=05nhIkj
zm{oIst!h?b8LT%PDAU$p<Fp(oYpy%hW))UHl(y=?U|VoeOp7Y8TS24(1;{bYiIU--
zlcHEr!n|Mf2mHZ6AQ~2YQ6-x2g_qR@)$a=m!Ehp#J(|tQA%D>4R~IxpCI;L0jMWm>
znP*iZ2Fk%yFdPmFJTC}@gaZM^M+7+(kaJFdF(ZXjvR{aZV$$y;aw;rkibu0@AeuiG
z5Q+Ni8H?&P@O}R~l_r4t2jCs)>rkOf!!3mj0{jwg;dI_kYYVNyTs@Vl&lOq=TH4N^
z7Uz!7EtgCa&NJzB2CkcCX?gDWv^1$f?aPP(pe7iDb-)0qR8$Ovlkk8UZ7tO(pOmA2
z0ny6lq5$-)`k8urR(X5Nr9VtZ!!b2%Wb+ZkiAKF{%>AzxIjl||(-@Z`#3o%KCUAq@
z?heWn3UKY=a4@E<gG2aG13C)y8w9}y#fOH%mM+kht5^5fGNlrf&6d{9;o%J$YT{`s
z&7Y{D2H?5p4sX;@PwGPrV+Get(~w_(S0Ba0)qSY@b+u9_PzbO`*Ir*aH5$4T4BZBl
z3*5&U%W4!)Quzq^A0tA2pg=}8`*`%!Qfb35HcCsUqPKP1eFojTl_SQnGslc0l}@MY
z_0JH-2<b1<9+-TdDiIZ@NOLB5y3w4d8DA+J34Np8J`<|zi${+xMv<V%KB`K8Y!la*
zZ@1g?#?cE$+l<!iQ}yGN_JqmKRAFhDh?sp%)_*V~&G7@tZl~Qol9F?)Wx2Eg)KvH-
z_G)b`7t-a`EW91OqnvsSi;e7L&UGn5MKC~B2~_$#LCCv=RG10L;gs+wxmA*~$-QJ&
zl77zn<}UO^9C|@4;x8a&2avrjBlkeK42}LQMv95ckBMiKuYL{Q@@(zwz16A#ZGmC&
zM(8U2ej48G1n@Gzh?74QGJo;SkjhtS?ilifWD!YU1DO}B1)&7wLZibDvIdYwn1C(R
zY~zFw0M0BBxEml($!sH^d`yhQ)7klQC?)X1C8?On7bD@U6bVVexReiOQ<?clNR?s%
zF&fsQ_>B|sU?`t|?|Y&lfe*!!>Aa>!!(o3wib?TQJeIejVaYG@LVqHpGR?@JLBD?(
zIGD+u=I)}FFs8(zDjhsPJr43td<BsWGKfy*xR`3n>2>dmICM_E#cUwt<2l2~eOwYA
zDQ6$amdn|<<&0BeFc_7B|NiDzV!<FOl(Y9_%R;P-<ri>s%il>UQ4&IuY2+^C4AHxk
zGvLzSLhlHvkhdzXz<)edVV<rrJs-S+IC%}Kh$K9fTCqe%a{{m{Sb&t<fRMSgy;#yC
zk}E~@(&Dz}Mx?G3X@jU%p6kw)=hsMoaeJw9GQB26BGOv=WCgx3>M07Gl6Syug=VzT
zh&BswIGzuHOt}=aX%Q#@RsDNwpB`1wwBi^FMY>eSMl~jHGL!BV7&|F<$rP;alG*Z3
z8T$Ee<eTI}Onc`b>;Qb-a@K&O>OLV(TBd`e6DL9%4V5~9vKXoPV5te3hy#q=#*;x7
z6$0r}lUNoUe?-;uspeVn^{&W5${WD}834U3aW?8bym{oX*@dD3n|2=InI|S=Hb8eg
zMaVBBrC@MSp?%WJSKNxHeHl{9K{qy4B+T2rO5V2f6>cJl;?pBQRadD!mr-nlaO5A}
zhG$SNeWP}Os7bgtXbYoDUj>w*Aa|8LO+*7#=#=tOf7SJv<bJEtt`vpjPGLtd8`XBD
z(yju1zi{*@apACG3UDPU6f5mJ+7%niFC3lB&68A4EFs=z@5R(RX`ur00qV;{6NGQ3
zB_jWF^vjV{Dng!t?dbQH*bmu+&GB|B@)}-)&E{S8`du&A>o0F_Z=V@U;*2VyEV{uY
zagAz`e}Q-yWAhs`I#R<U5}yVGA9c_0C{pPiWZ>T3UdPTRsca5ihi15g6M)XP>vs0K
zH@W7W;2j6Fy6x!)7=HJDDe;|r0QLh&@pw&-+sDxXQLo?Y?e}_PsjN+?e)<G4cYD1K
zmLKrVD7D>EantdHO};25izv(_vmI3Of*k)^PmXk{K<{=C93``(y&TDLQ|KiM{9XZh
z<4|1zXt73h8qJw1N3S8$8Vm*<oQ^Y9_d&er*aw<lv|p4a)SpcR4N#E?V*^~i0mz7&
zV#ivzlR_9Nf2$3*hy9L{9kZ(rtSJc{_2o=Qb67C%&8lSv)?h{upR&#e5tYN#5$W7T
zrAc!}fHa7G{@ePuZF{uW?@z3N#I>RDe19|`)<lcYAM3t;0PWVHcdCHMkHE;+2+&7V
z$^o;6KcJpU8i*;%`yll=Yl;)lnr5IW3Z??nL9{_&e<|?dtASYH^8&x%_Xm~m=kX*Q
z{?_|PKXhGU?S#Xr4@5q&7f6an1^!XL|IL1(B_;!rov83;I1{4J3BU5uvtPRXmu~yT
z?c;&K-S59sy>r~YA+%4X62k&#pu9V2%(~Y~1#LhEH3iXzDP%Zq0ox51-)D{9Z~g2^
zY>azxfBewl_~5L1d*-Zm`|siNfAO|oVp7m9c>!o8x^N({p%V7N^g-ayBzD^UZ2D{w
za<P84URYj;q@o4b!AYuUX9~>%Y5%xfua`+kEfm!6BXj-Mx739N_4`;l`kRbhOch#%
zACJe{C0(YMuQZYd4<BN8I)hHfW_s+YStW5Xe>iHbLx%v%(*jDvG0ATULLE4md13U0
z3qQO-EI6(UaQY=Uqg?1Z{caG}Z5^Kh9NAD1W3vMtNUvFq6ZFAoq4-xt*rU+5WLk<g
zQuKVKW3NB34hTVAEJvl)mD{yd$q%n~hZJ!h|G;hVmP4famHhgH4SR9>9TC5@s@=Y_
ze=0@Gi`WIXec*A2-tAf8T^Q*&YH!e*(NM&({-UGqsrIv_XNLpJ8UQGDC!PUU$eXY)
z<fJpWM(%}4KWjg&c-{v{X-VJ3Z@L5AjAfTUf;C0`B!Kif?9&kGM>OaMu!|@|$<HLZ
z!Hx!>xE*)n_RQIe>Z%>vg%Rp_J2aqpfA6#pb7+;Wdxj*dln+pb>OmrEab$CgF#{@P
ze5H_0b{Ccxy2)%IQ!HlS^q$g@(mikrQ)su#_UcrzcNcyM-+jW9M4+n`Zi!m~%-G~^
z0n~I7HIq!EB965o*hgdSC{?fEAfOhB$2;M2#oLSCzHQqu9Cin|4Kg5LJY7_Sf8#k6
zj0U*v;AYpl+5uvW!Yrz;@#8`lb<ome<7O8(v$p1W=56+R@~b#)eR~7v3hTg_@&<ku
zI|oLU123!|;u10=$WqypHVKs>Ab65@XO0{6;kAv2<IAyAOHA_1)l#RgkXy7oecWwF
zD@RHjXEsV{D4o&~^RRMJvjDvxe`q?CkO66v4>Je%75nma?sL4vS9$((-=9_Aw_fG>
zia+T8+^lxkdyB8ZDhR>qXaZe?7FW&cZohxe|FoED94B0--@m_k^x+LaFw(@P8;7;9
z>Y<nu+^yVM#0|5!Q2PnzGF`mv!+Rcb`00=?uKCeb+`i87I~4lU!MS3Qe?e60;H8cf
z9Z)%iZU(e~ULu^mYwg;kL#N_Zo9Zs%O;CGfPQOEiD*qLOiA6{eJV9j!5!!@5{BGWR
zm}5^rMU^7`K5Yl?)GG%saAkP-MesH3sAOSlVPhS<4zUm3rvq<rm9-wnVF;}sa0%c$
zP1^ob+!^j1O0M#xmCV@Ne<Gqef$F9)IRdHM2~2L)@W|xpdzjO&;tj`-Y`<lS<R9mi
z(HHUj5ADz5u40Gz<vH>^9&fv^Ns-lWD@r24-pLyn%l22L(UH7D&)6F+^P%ND6DnO8
zsB8^~DE?dH7xXaWw_%M3x${%<2O3F0enW*poWL7+97hyHvkCx2e*hpNq%|={7Kje;
z1WrBMz0-0u712u7B;3OC^6}+mmyi{n_-qpNH&dyg;P3i{U@F!02Z`+?{L0NP%gOQO
z%UH$n<yIsWF?i8`j^}+!Og!oj1pG(EnBwF4bAFLGZgx2s9bfji%lCl(rl@`o%_h+I
z4o)Zv^czK#bqvybe;fR4Y_3>^!tmnh;l^lq5l&7M_agkXH&>S2VS5NWPs%{OrR3pc
zu4qzoKa6Yuh_~r|h}&tmJMbBGcVW4AI(zU3qvq1Tsd@yU4KYOS74#oSHV7;b87RL(
z&0<)EHM+99+v#8>9aQUEgw}JTY=OwUsT7+i$h4`c&ZYKGf2(KP*SU!oEYfzE;}y+x
zR$-hqk#H{=@A$;#<|p1^T)1%MvFJxW5`F9nH?fpl0R%|#zyd)(Gx`-rgMlu;`K<Eu
z?0YZ0WW4iVcZ0_t{xbVE)HC&ciDGWiF;9@gbzD%+zPUVG(Yw|j*$Q^M!L3K8Dw}wT
zwHdYtvBpJtf1`ci7c!(a9Xcizv??^sqK93S#ufqT1@XX88C_Kr5be;w)9%>49xzJR
z-LuCQodI3<MaK7<>yC+t3kJn8w+Iq&&sfj&I8$Dqory1Kd)7;IA3oDXGaPmf@Br#n
zr{y7mibDj%Ayk4nqBEf?^u7VpbN=#H&0g8E0NZ}^e_{1OWI1j!i~OgDVqPzmy|Q{X
zxV#)ZyNWvaOAp-zm;|qMQ)5{VIZcEsaAnjP&2V|yshZ-1>7qnNHM~@VM3q;br}5Kz
zJg#St7pbrD6Aw1j-?0#EC`;S-oL*c!eb4q1i7q6g3u%pBZamN|ZoR|3GLZ-`QC|r}
zh}46Tf4cr@gxf}+s%^U6q}$i%cG`nTV0Ht#?!;zM8RGKTC05Vv_uVeixQN%wOwWSy
ztU)C!L|$jOyU~s$Glhz$0iaW5y=nyTgdszOf#YIos#ZL|G`uG;KB0(>>Mf!4RyhwC
z3{aVslShAvR>_aaIU8NAK#Cva<wcwHtkE!=f3od;)E5lfgqG5uMLF-b+aMI?<d4BA
z$c#NG%UQP4Zuj73i&linh4E}1!uti#PRq=~CiQ{Rj{COAZbx@MqPxTT1FhBr^-foJ
zenB5}-D6LkkHyYEb<CaBm>~U#GhZg;QX=(UKqm{3>j%5IA+SnD?(VK@?@rd+dw~X~
zf2nO&fq4V-7GWXL)~lv+oK%#CmK2Fy+uW>K+ori4p3h|FN8j)CdgMLJvAciz?$~mu
zb=O08wSHr+78!(VkGMVRTY$6kKag+0n<3q>sb7HzuQnzh>_`(^Iswi^b&41afoHl;
ztMO)x=)M+tPfI>}RBml++DDCOxe_&&f8#NKFc}DhBTLUbbMM^TQZyD!M~Q#o^h1%_
z{o7TaE@w{M*CkI{Cr$ID<!iUE<m_zL&H=sMAu&0a2rtdg-}}rnOVLn3NJzDZP8X`a
z>UOtQ?A&)E10*gqS=os873i4)$n!Noa<>3_;3~jg8;CAjP9p|jp}OwCsaQ1|e}ZWo
zCypRCR1Ks(EC)X8sG8BzjH;;<ld6y>CaFhx{x(5)Mh>4ytQtSf^FPfu=c4yU-wvmG
z>W&kUl)hRNgxh%jQ7r!AiLk7%zQo*LJ;03yA8k>4&REKuPr*U9{PCsb<-NQaD(>3F
zka?PxWp|-)dC3Twk9qE~V_TQxe_6i=)YirPbr>aCW}e^9v}{26EfmVIyiMvTCn9h+
z0&sj@uj(JAfc*?^UT(KHs(Kav^mkj<&%^%FHqdy>T7r`Q$GZtOed|}@8WEuMy=~Z3
zU$TbnvBqGZ{5th*GFu>|0D~7)O(%d*>L<u?LjL0G@#NM6<|FMl%khGKf1&bqF)6G8
z?D%@+!d5)>Nc$1<{(_#2e_a&U1bIqQ5IK$d+EZDUVQWvWrRO*L`b_`q%t{O>t>J36
zW}Q7e-hfdq8R$=gdQ{W62<Av2z+^F0=HF}ZfM2u*tb3r>#L1kvVqN)>wlbf#GmB5_
zy;C2uFWQ;MGWN$y#`~LOJL@idV7p#0o69|Y=hVm13cB;?qaGFbe<>E!K<-$g{Alc3
zfB{A{QVCa>1C!N6h^P}lgvUwM9D2b^laV7iKUz=G8e3t~F;Z7&X7=;boNAvMXJ@9i
zbs&ej_MUrfcIJ-U0}0f_!7Qc;y-7vIsg!`G;3!fLXN_6gHP1t}lL;hGCcMW}hdf((
zO5CUY#vh|$0@EJjqah6xIOHq7aJZ%!HjnFY#vT2Wek2)xr&SHDk(IjUDOsqCzNcnE
zURi}Fn@q)GXcL=<a-ba|eRPIlb`0ve{c6hC_)?`+aofz|@yFCRX5c$@V9cPF4RojJ
z=PQ-GJ!F;-h5FXCXCft}aeM;R<b8<xZ37QxZrli$Ct5%6ZW$Mvxj~W!i$oaOAP&)^
z>j#>z9*u=K6HUiJ*E!Q6eOJHpNA_!XqHp+}gxkAQpK#h9tY{NB+A6gJj5R&uPjO63
z#ve_YK$9jku<iX^lTIZZG@pcNH-tmJuu8*o{}8BONMjwAf`iuB{Tuusrq)``s9VtS
z!9Xk}My!xf5JL5~O{_!y3X`5CCVzjF77VJPQ-Cd2nLiq{-K@8YZyX{piIFtM2aWMT
z&x;VS<Z#pr8X%iD#1Hg93Qt8M=W!Q}eo2Z(;f%QBuz^4*oSeiG+$5~vI)`6NMW(mh
zlwT?$(^K3Xh{Q#74rbc!^_GL802>ehSkPz(9fc<)_&YYx@#BMu$&M(ibAM?usZ^TP
zj4WrW&59-$npHI+BvmNOrUiNK%j|_Dw)?m2z50oW94yGVq|!z4H^pMwJA8X48Ii?8
z8m%yDDNs_29riB7X0K&?ug3J-{|9-QD*@i#fqBP}8q6gvhER<lM`<EQ)=3O_i6J<;
zFXl5*-3=I4MgCHaQ=JOl0)OwRwan^qA6}#E2kwj!bY>7W73#+NG^hG!@zr%(4a8%M
zDv9N#gtXjBNWOOwsW2xc3v>Sa{U6O+X`yf=m#Ieb!CZW9Sv2O7@stxtY9w3C5F#z5
zzZ??uwT2az_;5}nLb$P(4oh<Iq%RnnFC;>-XlyNEtEyi=vaZT1z<<(sRBJ7SwP;c$
zzBoKcml84c=lR0w`jW!)Sve6+`1oSe=6!<nc($ndGRauz4$;XrEJZA2)S4WRF2r(*
z(#R?if6pI-r|5;C$X|$0ui^yIS;SehF>>N`sFA3gAT%8Ib(gBSqgsc<=&XZv*}dB7
zT)jGNSww_)=!vMEIDhnn9iXCzYVEsTqzZBf5hM(Zmxx1mogil1M|YZcO8WU@$MX4&
zjlXI>_goV`uXyKVu#u;S0b1N_UZ%zQJVQ(0hq~Y8c^7gr66_O%ML<#R_7N&dzL|-W
zU${$u>RaTUOuD2+=f7~b{`9w|aaWz&;I^rak}f#vYS$Pm@_&@EQgR}aLx+P9NEhT}
z9X2M*k4t4EA$9TeqJr8-g<(B*425balD$h^SXf?IxXN~DJ&mLT`K9fph}4!MD$+-l
z9zsz*kd7p?*9vgsa)E8xDE$xMEiZbpaRyL_m`_KUsM$z+0@87xsyQMHjT`>Y8}oOb
zKbB4(JAdcAZGXq&`N~_~a(ga&?$V{ov9FwqKm4CI=N0*u^XG3#r{|WpN`{%MWV5$l
zx^!DESKjPBw32gnJdXB9z|qk1m7)3);DJniE<)cMP0ITlO{aR`v-Jncvf`KgdHy>u
zEWfY}6VmObH3lL71zh6!ykB|`T<T-+`%=fZ$710paeo{aX&n7LcMwVM)K#D+r7Dnv
zaR^6Am;`YgL~cBtd;DFG=WsKQ;kY=C+jymQ;zSER-h4;v7mL28K0Pe5aEoXLvow07
zSDd&Wx#hWpZmRQZb31LIuXAN+aEGaANPE5}e!{a(_j*V&KOxq1W37Id7b-L3%e92w
zMAVn-AAjPywMsn4V(LZk7eC2sYh|ZUso<TrzM;3)dkdfZ<QND2FXYQC+7Nmh{dbVp
zn2w4hylSF_(scM5P;&vjZbg{vrQ=#r(~5bsVut2gN+y}iq>f~Iz2}#r^MzDYPiWBs
z>E*QI0}mARXe40sayonR)@)L~)Y}<dS^AlJ!GE}CJ|WrBNo@TSXiGqe%h3$dcHjEy
zt8Y~XufFPC|10W!O?^rZJg=3a;uK-llm2MP{H^<`?5JNOPaW}V%EZ@tcktC%%Bu%`
z%tIKpf{w)vnw7y~G?DZyk9LlGWk_S>BGf*rRLpTCpE4Nz*nMb6lAe4RaHs3;NO|c=
zj(;H;&zF9l`h+gs%#)q>tbI71B8oilhrSkMFzth$>{@$!R<~<+Sg1>T+9UlsXWP59
z9MwYyQb2~<8>!s_!yas4q|8mtb5{qfpfx-&1igmf&tVEbW}d+3zIeA73`-F_9?q40
zRwNh>hd_?8gkW4Y91F=7Hso#rNELJaIDePXBq^MV1*Akm3I{|jrsh9<5HW)@9{p9Q
z)ps^(1l=jL2`#13A-#j(LVL9LUpD(}eSdN|oC*j*eYdswAY0vThsLN(Nt7XYo{CR%
zprcV+FKdP)HV)k9$4}fJxSdY>^0muL_nv3|O^YfexUaxqbjao5Gq-k_cazP?@PC1(
z{C$A$0oxNamY`KPMm#hFJ$eGYi(wBd2@@)4(=o+TDo=#Xw#2s#r4%Xz7Lt)9k=ok<
zzEw^ep@KjCJNoA4!q(OT#%z$geOhYEe#)rvJ|$U5CInuIK4G8q&LfH6V6h)Gz+*x?
zdqAf()HYLmDNv!F`jw9<nYfC8i+|1pD)a&!hu0u&D%+DT%Jv0DtA8^ZDuq*Xas=*B
z!s&c6QVR8@a8g0HG9?+7Y(}@+VW|+)%sD9-l=6#OtRQ)<`3|6g9B?bT77jeKSnMiD
zK1Hf>)n*wA=_|IEAYo?*J!lq@WrW7u1d#Y7Rf2s@0p$Isip^Nc^DkIG=YL@+X7fsN
zZ{prQ#YMCO1YK=Hmxuz!6SOc^-9$f};{Z|MjH%!ipmt8n^T~k`#F(2HSw;UwpvycO
z%S27Up@n-IXc=?N7R`LIdXVjfiL+Zj*(CM`mp6iDu8~-YMpqK+xoWTwtmf9)X(ML_
ziNf?Q7GpKnxmnAZqP&q^?SJr9;vNm^>Rho}E#*}`cofg_MYCF*!!u6{@PE_3MH%LO
z(>|4&8YhC+JwSPIma+b&-CLdX?o{VO-$K{kPz7wDg61laF#7c^f?sbTd|ZbwFZjma
zByUo6eOcFkz7X)w`-Mt4CiwYHfe6t^g%1#&4=fO}5a4wZ;49GxTs7F_{diG;+XDqM
z`n{Me&!y8H#pjcK{!H9Y{MCRzk@3SRpHB0%G~o|a;X<62`V?r0y#Rlc=`B$K&XYSX
zM?J)$O?-r2%XYH|enPq5{_WgBdtK^-mtj`C!}%{Te}R_{WlCfEz76ZxHG9f!4okmr
zzHxp`<-bSzG`eV$zb=7)?P73VR-Xkz)B1pT;ZtZD8dwzw`<O3{f*F0@<m<LUO3)ok
z1Msi66g_vwTz|09c#!7vc@y77pD)YNVW%kzIh`i;xrxsyQHo7;QEZ||<Z$F7+oTSs
zXca!l@A5%%mS!?C9To@kmCcu*{L$^VY`%Q%M^7>t^zX?ZlYhdKzb`og#W<7tFX#a!
zljAU30(l6NKrs{(eg_O5l3CJ+rt4*Ru&-Wyg(ZEHXE7mv8Xlk_7KU42xiKLRH;x#e
z(!oW&=gdCEq#2YZdB)sH82g~#qc5;C9U$#mz5Q`?IHK?o^_=xGmQ`5ZG5n*N_fHwa
zq4B99{5=2s^Xu=)_xt(ne!u^Z;D<xM(}{J0dEI)t<EgwN7|TK31dVYtv*%H$L8<5+
z<C-V5*?sGOszn`=?cs12eHLJ|)9v;ccxE6T?L-X2cX~Zr>Ggn4*kcU|>!mc+<IF^k
zi`0QpGn?8}^!SI{O@PwRO?S^#^or?UzC5K}TBbfo;|Q9GZ)Vl=!Sn)uj-wPx6)`#y
z#}|z8-Jboq!R{iv<++JRrjRL>GD0?a(r+EL{3nxt*}3vgAu7w!LQl@gJ<JhS3)kEA
zaP5^jdVTx_@B4FQtPH-riMO+FdSAfrjx)auXq=ov<8(P0Rr-@mEHtj5k)-~b$SsFG
zm0B&--e7MJ752oPWH|xM+8*s+!zsbxI=lX#$tzTfbGS2HhkG0M5_g6B9P~b;g94CM
zAizkI1v3`{qhpgEGaM63C02_j;KORDn)U4Oa0A{?18}oVGa>;3TMUzNG#(Oi{$QX=
zmqx3g<@w;-G;-g|ypy3c7k@0yf~ux6(|Ppzuzc5;M5Z+9@03(GO|^+NEzfxgkOsT9
zHHD>e9CwfwkxuhCMG7qb&NFKsGs|jD$t04ILOewB3%6V%Ztbo|@2Z7Tkr04zQqbkN
zwpCoctHw=v<>kCsj5m6MHhwesyzbLJOFQOupE+dS0aIL4pniokx_`uMG#!H`fYi`?
zP07}3S<Ic&?{sJnb=+FbwcUPyXpb{O4XM9V8vPUwq+5)zsrj~ugK8Bo5)r2bRr3&z
z*|omO9EE`H<SQ8&+AL=(M8PYmNPFTn)a@#jyiycivaMC2sN^e*OZhk|`$f0}a4Czc
zVLXGwo?cfm@nI6JyMM{C_S|%u%->fmDx#(oO>c&I`Giz-Zbj7=hEpNapm|8LS;FlO
z2CnO6Gx}ZE9d%uobeM7oo!)W()@=5zL+JCdhtz*2zYcS8iF$*e+VYS;NNZg*QA19p
zbV~j-@`JC%6ME(GrF->zb+Iykq55?pC9H{OznNZHUWk!X4}YDq7n0Fn?3?!2tM};T
zAl!D((&J@45u-jM$^5^G3(-O~ed^&;K0UdzlK!Tb&4Fc|V7^vasx$XI92DwYX5esp
zOhX=L$3k}5cioPAb(gyMscp5Rv<cU<cVUpagMr0TcqyuC&031GFoTyod1GR@(QYt<
zY9M+vVr;z}SbuMdu&(o|)XOYe!~>O$=$}M4&>LXdnZm_u`4rp!o26oLY1(RpS&%#$
zWwIoFrJ8U3xNjF#l(XUVNWXSoKd)n&#?s%6qRmu1P2LU%?9WiU!;d<UO#LiEo1g)M
z9Fm>Ma{B8siGf^y!Nka(?hh~gkZ|d*$>bC*!swoDD1Vz?i(x900=k(jK^~p+n4jJ%
zp>7?+$;vZNFZKINr~TA*Z+B|ZjRxWN1GOhloqDqNK>Hl^<(uxGAV%v|yexc*Jl!Wm
zxkLZipVjX;)F17^9s2v<uir5sokM*gQt$WQB*PiZ*%)W&!!?7E=BTz=MZG2fjkT(V
zUeAbaQGe?Rdmb~?z$pD+Vki^|EE)c=pWhJtywMPXzQF$$==5IN)HmN|+b_UQhrhti
z4iQ7*UyBl7yi@Y!`KWMbh)6O2r~Gr4_3W0u^-}NmVM`MFmVS?g$cP(fR>tfE=-b((
zz5<*xQ5_#7`|=JZ0pkZHH{3iq*kwkXx6Wid`+qNNcWa7X+h%8PWoK_?Ul_7<10A-z
z%1GMmt}}B>*OQzAbk=;A;(Zl*zltu~6w6cB62)nn6D6tHaGFNN3sx}!iotw!23N0I
zoqo@DDFE+S_sctgHT-itudFBm|BEXx4sDlod#CJWmm%_woM{L0{t&Oi4fnwfV_o)-
zsDEVzW|bp0iwFXyEfyz;Saganu3++?zGt6k$2ETKq0xScDEot5YGFaToQi#Q;4;1n
zJfaI@Wl~QEYSS58tXWzKkuoK7I@ad|X^3M#p#v-8&@HFV-G~0i_nk}qMZ06Qzw3`U
zB^JkCaw7hx_wtpB1F#)9n;eO>+tpR-uz$Q-b(OXiFPPN9$SlNdW-RE0(_#2K&`@2W
zR?Xbuh`v>FkV&_R(S2)TQZVls4er^$`{Oi=1+j%BZ~!R$jeGv`p8HwOi&@!8rn!fw
z^Nux8jxmxBb#GygDO!`*;{;?NN%i`Ds>V%4B+{SBZnobWUEQ;Lbmj?fKm4Tp>wi4S
zq+G{2^o-r+<;%^R)Nhx|y-MY9-MPaOAj=&lQst3&IEC22ZoBpkdBk=>!t79<^>4}l
z335JKC}<wB3iUriPJJlNh|*BUd6rnb5Y3rKJtG~2VRtMZji1tQ)$*8mM5RXZ-?RP3
zd&d}3K3-ldJ=Kl`UfmlWU7XWS>3^r<%#wrlcg0>Sk8$WgH&jbeY4&horiJK5-lXy6
zuhUACwybJ4p+_dorI}M2lf2hAYw6$MlN0&T-bG2q7H{tDJ(WwfSN--)+PV)-%q88?
zUPfk31^|@E*@;A$^Wv}e=}6@!ab#SjC?*f$tehkZS1MxuGtAbv)?h2`27fCcy6-m8
zr39u%2c}>f*43r%H4LCqr0D3ixsnx0g(VP;Y#|s=84e9FbUTCwTJ1{_ceLA$NXjsB
zDVLQ(k#tN5ClkOJf|+=B{tCKqUSWBDVNSgO5=fZQ9+?3n<_tG>!JxLgT}A0A3I#qW
zi4gRswK03Oo67EC-2FH*w|@&OIgK_ylz>5$F`Y>eo;fI=uOB;Ztv)!8#(UyNvKX!<
z=T`gUpuG5jOmLD$<=He+_izpa#u>-PTqDrL#BZp8F_nhN!d_=`8hij`K0kQ|x1-<i
z@*DiS<FJ`ZZ}3CG{~F!^n=fLP1I%`C>dYC+_5YT*)PAa>oKTJVbbo?T&yD6JO)KHD
z$CkwT)={J5g^LjP&tu}!vAP<s&F^(a11~4e7(<}EwmRYQEDg)pB8|ZhUZez-b;j4B
z9NjWg`^l`ezi-i?6MKK(rX{e(2i`%uy^paBF6LgMF%Q|~K1!T{i4O^8u&vNl#nEIC
z==RpaOzbALRXPWZe1GgTIx!8#QK~WQt1m9j6*u+5%8`YtonN?Wp#8C4X7B!=#%?G4
zAH1;au5{W<ny3bY!9s$B!b#<CnYGeoU2>aeH4O33y<ok_9nuamkJ_8jJ#5kffsN@L
zCVpRD&fj)h{%3B>udL*6pn)G<&Yy)VXY<P|`NL16a@0+qmVZXm1}5rqm~Q+aZ5Jxy
z4mY433}pObK@y@NzaZ!20x-QJg&UgEiG@W)fb|&-hJpbxgra?}T7AAynD`TXoW{}E
zG-p_8mC)==RCGc!hN!9Oijan30eEOuM3C(qfX#oP12i6m!b&+K2+n#dy;PL>zZXW2
z2m)TYyh#Gxntxrht+*}-f6vRsrF3iE5rj-x35P~PDg!scm3M6YR}1c{b*H5qq{l^!
zQYKTeO6U+rg&UC3(Oug_A1#y3oftXrcLvCNnaVdL^}Aioj8sw^rEbA1nRq@^frm;u
zIr*xVR`gPv$~>uYW(4MIo#)Ej3gunv)B%gya-4}*9)B8o%(2KNjz!~x=8?g%i;vx&
zHoNN>K0W>De@rDY`AOD-E0cx}*Slu=_Qx(Bn@a8tZ)CIk3hY}iYH4-e81wG$(p-uL
zjbZ@aC7M8}RH}6a!9k{m8YZaV0;~s6bqo_}aK-v$G9KQnh|6uwm|rB8wY&^8d%iUK
zZnxWk1%GZ0ZxNHBcr2YD)toh_ZY?b?E^VoB>+sq^j#T$RzfNZSUqm*iF&`-UytH?x
z^z_3WYj3Z8WlDj+yGyK{uH9q4B-j5N$XOqvQQRf;Zg6P+7GSm-rBLu*#+Y^iBg2nl
zdJfjWTl&CxjxNO)ec3-<*h-=9+g9v<zTopAe}6$aHDQTCpk0s7w}IVuyT7Qu`~2tU
z+sJLG58U-XCI5l^3phd_xDusajwy>?icY6uI?NN%6C)8wwlDnf!dD-9wyHGs1$ANc
zhtED#ZEEWa3+i8uvqfBhJ4S!^(6bf1MbY2$>_Z^hHFaIpJaBnoyaK*I@w;FD|L=EC
zTYvczJ??-1v5jo${6E0sKJZvOQ}VKfAXe&8{)Bq8D#n_QK@x>bV=+ud!z2xuEh<K}
zB$9tRMno5mUSv);AI1n);@ZaDr4<hV0T#+K48%;BmbGKss_Mo5xHKXT=7Fp<`2AkL
z*LQ&&j&_;6{MY2qVIGF5AIw1>RflI`oqy~<e`w;()QRWxm6~3IzZHGuov_~gbA{4|
z;nQx=_&vRVx2!DGY6~l*UAt>FDaYZ?G`X3^(KpE^CQ$nj%Y*26iI8lo4e$m;h>nX&
zKits%{V~mHEm2=clWWtlSD^7?vt^?6K#v_fr6*bw&(U|BucJ6nGVvTfaSX#xVt;B(
zayd7bE^U^p)g>pN$D@l|#^TZJd}gJzbaH+Dq-mbFf`V^p>*Tt9uDKTQi+10(KN=_m
zlyY)0iTk@0BNZqLgTDzCeq11h!swfRkzjTVAAp@(3cy7IUS$2(Kxz+DOGy#4h7=Vl
zp9EenA#;axkxvoj^5y<j*GuW@<$q=Fja-`TwN3Lgk8{9|2F$dF+Kij(3En7&x^_c}
z{145uezU?i%EA83%o#b9pq<VRq%fa_xq+Sop0E$V$I;MH0=<e%5jieW8On9ZHzSeF
zS2v^OaJ8+sJNo9zroK_wj7F;+y;FtaO`Q~AxAAM6k%$Sme1_fvzfmK??th7H&U>EK
zn89J0JIOtOv9{E`R-wY_n8MKXa#au`Od5>=q^9NIGIwa)7!4qymnce+9lGXeE=n(b
zBtSgH&D?tKRzN4Q)HskN9Q2WDA(xD|&Vg92DCTyLp2m~8!uj#RuT>L30@SD)EK7DC
zy{fX=uWm*YiD-lPpJmzl@dAHnlVm|c5!*1`4UIY`oRx3--VB|w1n`r$K_~(iUz6cM
zCNB>ozV-LWza#$?#vbJ_jO1!Hl_to88cG-IEIa*iQeo-r7YM)vg}u6$*Iw~5w39YM
zAOS~{S3)Fzf4czh=KTYPShSsId}c^vgb;fj;U43j0a`MNV}kZ*lSaWLZLT}(<9`I<
zmC?w)I_9x5%xUMe5_K+Xn$@P$YG};2j5(&&74$??%<+HT>Kp`3e8I<FNDu~-flS?Q
zhaM$F_4#v2KTm9*KOhCOeqQnUGZ~-4`?JXaraSR}i_xrzg{yKlozBX{*1Z2hp_zZ=
zy|k)?K19gWzoDqEeu*a)pA?>h3g-A=*jMKLNhRqElzrjw96WChF8a#8KvIcDuv&TY
z9}1Wc<gMKO)b8$CX~sfUK>3N04u@hR0JW{tbgC3}psxg=xXVnO8hYYq`R3sd<%9SL
z+r~71l=EwIHadD;X5Y)QS_+3^Ax<x{SO^v^v3PnZqO&AJ^Oo9fdvkdo=CVPfIc`JF
z3N1F*QJ5{EVeMw`0VMT?mu`VPCy&QlGj&4tL&0s#2JI$i+b`!8DRl6HmBQ2c&oG$s
zqRne=8%F3f@v8;$!r``mET8s|U(LKV{d9hR^e0Rqq}z$iG}a4pi!jq$Q==wQ{nDXC
zkzV?7k^WOKCK?7<sHe?%QQ9AQ^&n#;;J#=wdYx;#fcuDezLec~%w;U-eQJ6pb7VGo
z%I7<U&NB%8zH?_O(|&9!26TaHcQ=t+6qVNN<580zqtS^VG!+Hv5)Rrki%KK@`w^6X
zdIrKF4Fgs7urY^lsSK!z!qPr_gL}O|&`Bmrocl#e-6qj;-v5$Pwdue*pmgS>)FUgj
zlqUZ0*f-6VY|JaNRzFkMWM$rP0U91VqMECW3M{Hej@@#}^Nq3%xEa2YDo0EevvOq2
zP&u*r-%)hSm$kbn*?9C$t(-?$j`r(+AJBd+0|)*ojG>c7n%jV7PQ?VPuw_<F;5Go~
zaI3NZ;{j|4U%_E#+Ux9DOkMyj+|7EcSwTrvf%$Uf4p?_*9(~ks6A3;LOeFlGAVi{O
zg7+tu6HVS9Uy1XQz;Da4u0<ms#N$i4i#u1}!QH#{^Yko#_O>R7qU1$mqqKN`baamH
zNcRro(KnxlrR_pRem)45`UCMoB<c?b{PB3p?@!ctL4x|5DP27={{g=!(FZ`8t3Qcn
z?^-xd&p_O5-gY+saZIstba9XE#{LXXkuGXO9gqhBSYPSbot^!EMSiDu!}TVJZX&(@
zEA0BgtY&d*=zF$6Fk$nFaRi%xgU5iqcyB-SBG;PA>Z$^tp%=lHA4jtFya={9y{ss<
zcX{;5jeKrnBbT52uQU~rD^`jR{Ew`HW8b6OWBLCNL3p5y0066)lbn!}kid}SyDc~V
z@z30SMg_)(3!47}tFYvxL>sP@B7=sdjJLTsq~L08KKy53W}aN?CeJPkJYm3rfqC+5
zw>kC4d7kjH@M`lm^S<IU=F8<f&CkUjz~9KfO@L8AN<dA(NFYq0MPP@(QGw@z!h*?y
z3k2^9eh}gliV!Lksuh|jbV!&%I7)b~@L3TC5pj_kk=vp^q6b7@it&o+i+PB}i`9!Q
z6WbzoU7TCoN4!^jh4?-RJqdq_9EsTyKO}P{ch*Zjl9H4PlA0!UL0U}OO1e<`p!5yt
zcQPz8jxuv(1!e2xROI62n&dXfU6nVI&y`;ye_cUPAx2@Y!diuk3eOc86>Sx}6!$BB
zQF2o1R63?yqN1;orqZsmNtH#_S~Wy9O)XumN^QQ{WpxI1dG$2)KK0KU3Ywal=9*!e
zm71$G>u+d@YME&jY3<i$)wa~G(w?t<Mf;DAzD|_RT3vD7DBTv_8+t5ymU`)Wll7kH
z+vrc%->d(~K+7P|px@w;p`>A|;TppaMy^K9MjMRY8|xZZ8E-c}ZX#%+Wzu1C&{V-R
z*7UYnnAtjW5A!`1$`-{I$1LS7_gS8^yk{k81w4U49vYKRlGdbLNM&GDQ+USY#Mbsd
Q!H$_hGK=x#<ntb_0C=R@lK=n!

delta 16794
zcmV)jK%u|TlL6F{0Tg#nMn(Vu00000NmKv}00000gy@kJOMjOD01BiUU0y_IY<Xq?
z00s;I06;AO0CRr0OzjV7Wnp9h07g6j001fg001^&B0zv>Xk}pl07hs4001BW001Nd
z#sR-*ZFG1507i%a000sI00I;O0001NZ)0Hq07jeu00I&K00I(J>^8e?VR&!=07$R^
z0018V001BYKOO;vZeeX@002nP0001V0002O45uT>aBp*T002ouk^FsstW|XY$MNsI
z_XYRWc?$0WiVRy3<}5If>9Ca<fY?qZh%plju{#(zumf9+*@}T36R`ukuyuB~-}Ccr
zpZERmy&LEJ&;JBa1)9`{8f|HZziFGv|34p4`2QlWsn~jy?<-g-@SO##1bOY?fM&aC
zK#Lt6&}zp9^s>7L`Rs##!VR#C1KRD!fm>Jbc|fQAI-tw`82G!W4AD@>-F6MFnSCoN
z8)~HEhTTY`9QU)^1q`q|1}tND)-H|*+I<2B*?j|+wNnC?v(p2Xw=)7(u(JYIw08yN
z{8i=$tZW|&%DJpO5wNO#LvJ~DUaQVswLDHkt@~5$aqRw8`)etG$7|UE0qfWm0*2X@
z0*2dF0@k%d1J<)^2dr<m4%oo%pfQd|Sm&oY-tkC#bbxbNbswv<9dB%}2^eKx3fRQH
z9+c~%`cA-R_K$$g?O*!a@fH-dmVm8nJ;3d%^#p8V-QU_k$F8s1pa73&&3&#7cf7q_
zFJO!v8I)_VwsF9JIJ;$l`&SzqFy8K}a((V(_Y5fiHZfo~yKhjg<=O!Odsx>-?QqBC
z`<@Nh%Pvwm4-@R-fW7U<0p(|Z6)?&E65twass&88Z2^9NQ%}HtcKLw)t?Q$yT>oxY
z(}n@P?Z|)w?RG(V{xyvYIN0tIaELuS;7~g~;4nKQz<q6hniX)kofB|`y+7bcJ3rtk
z`*48ksOkBDsrJQyW9-WT)9l+S*UYi@(}3eCn%e?SuuBJ=XtxbG$?gzvvfVx46gx5C
zRC{2+Y4*5))9vhlGwhszGws}fv+TS8=c)OLfOG6KTIkq0YhD!KoHf4{Fw=USZT`^l
zx%STh=hCHrU$j&l`~5AQ0q5JL0xqy#Q(DUN`a(M-;9|Raz$JD<z@>Ilz-4wyz~y#!
zfcw{SL%<dGwty?`{D7<Mivd^L#Q~o8EuRKlOVL^nxXum_xZX|-SkfLG;9RyI8sPW0
z&I`EF-WPBaMX$c<=lEv3X231>kbqn5MFDPmuj>PUZnqBv++i05+(}XI2=LlmUnAgd
zdqluJ_PhYMtA0tqy>@PZ+gN`p!1Z2#DZuZnzaQZI)jtb((0c!>f8*F|fBm0;M=07_
z10J=b10J)J0v@+h16*tE!vmhQUc1{zICfjwCj~69M+dkb+m8uYXlDd?eQJL-;5qw2
zfahg@$Ao|v?BoECf5#O8?rX<Y0iLfN_XNCRpAPV|J3b6}&Hf$Wap;^D;QgU<L4fzY
z&KCmSw2J~fZ#usU@OscSIKcZ!*N}jB?X>~#S=UF`t&TkoU3UezEnWWv<+DaHDBvTz
zYfwIS6jK5|v7ZOH#*04#Jf7XF1?96z_ppF}FYMj{Us|`LyIccqd-wN2`TVlP>jB?T
zEIB^lTZ-Oe0=}~s2l&3;_Xhkx(WgBqpMCl)5%80p74WnDHNbmFPu~Fl*7I+`ZxoG2
z!0&eL0Po3-VFB)IW1|4?&yB4EJcf;_0nTN^bFERH3x0Ovj-cXmW8XnR#plL;%LNsG
z?_>RaP5(O```kESwV>iXf55n)()u5x2X(Umc$}5J3zQqzc_vsF1yrH%1`1V$M|U-V
z0#Mym-Doz@KvC>&5~P}>L{SnY3((uc(2*=P^sqOkY|D0BQXE+x$4)jrVC?bOqw&O%
zO&n*P_%Ua*ITP5?@vO(0BzCsjlX$X!aXgvb8MZUd?!=jylLXxVzqfz}nv|Sv0`<66
zxOMA3{{Q=*<a`|bkpby(K~9FFx|$YB)%BKE*U3C7HrJ06!Ws4YnR?x*-CY}9t=&y}
z^|N*O>}jTE+pys{p5v}xBYWfum*BFT#c`EV)m(R4POGk|nySPIKd#s*#e8Xh-B&;E
zYp&OzZgX47qzm)4`9eCQY@7K?rB$iqt-Ci1h0VL~gWWBcs+EGAj0NE@mXr$>vRY|Y
ztIbN=y8(9Au}inmR=^wVLo0Yr<U-I2quEg48z}NbvEc7INA~vny`kMB{pnWY{h5RN
z`AHksYd-c%WvWH68@PKmQ4Y?3amV>5&-ZZwPU50)#us_H=qQb*2w%eO!}I_7=wJN;
z)JXcH9%+yEhuyAg+i)xW_2=nGaB?H*Xrk$8`_^;%=RdDMM|#(}%XoBoeCL2XiFa0%
zBE3;0gYg}^-fzZtevaMgC`D0oOi}BQ!#9qf{RFMiNYV;Tcyo4LA(Ll+v-$Eh;&Ss`
z6^=?Vq8OTEz&wE&la3LiWQuB|ew@JQitE*qkXGw0!mU5B-tKhUi`(~ZFD`B`tuE^8
zC!uWp0V!L~!iTtU*6A$aRk$UuFRnlE!~^TY6kg2I=U)Fi^4sJk=+_iHR}*z2nk`im
zYXln$Q|VLs^GSc~gK{f>`>O?0c;cU}l+Tfu^yjlJ`GYZk@^=g8$}9iuiNNA`o($j}
zaNM1Pad(WW2^~}|iO@@eXebR~p1@W~Yp~Txz2!8TMr(_}wz+OLh~0%hcQc+b^wqc?
zU)7CFd~?NT+rE{}<i?qeq<1p3UCYfS486wlHQh+$tf-{eiWISb=M7`tj?k0nxOewq
z4kWlD9EpwT9&I*?(9Mmy=2Q)@-$}pIE^Qcvxdm$tmS=m^pFZn$h|)1OO7Vp}oK6lp
zopB$0jSS!@&n-Y76q`j8I>AtklAt8hYNJ?hHIwUAn>4W}V7l%Rt9{j0U`SHL!mXn8
zdiJ#|wryuqqrGu|xxL>zT)zqRH;angP#Sd=Di@4msS1_1HsGa{h6rE9z=t>KbFQ(6
zuqqY%>W<ZJ!^ggMjkvRqvOkO$tno}AlG|bBaS~1mhYWE+-2Ve&v%S}*{{i>#Y<0p-
zW(CKZ7_gDvslSta>CYcrco*T`t-rkR894vY4<3X<PJdZ{$0tl^9M1bG3c<}12hu-8
z80hR}zm34U0qR&IlLa$NY&aO7+TD-frZ!uv;uXV&xQ8AvUX?F!aZ1IDvqLB*i%IO)
zgOP)=bZ0se2bY_wC%`GtKiG|0^H6QOJNo(0=u@?IdQh;?o378R=|iLqHHF~_`qx?Y
zA^jmA(p^`7zogSGDbd{}x*b3N%J^3@QlS$*q;Kzh-5;@$cZq}}FKhUdPt$8eqPy|j
zxSiI@Rd9uC<aT=P%`<m&*&Qb+LHU={H;kX5vg=4i*)!hBuJcplt8-;|3L}89O4B-#
z>$)!;^BFMez)yXe0!?h*Y^0Hm!LE5R@wS_d_AQq@j^T|vZ@VSGJ#Nz#()Icm-U_-G
zJGigE^PS@lai&gY=3xf8J)MDUHfjeoID~_i+;Zt1xcT6nck1I0lPe1$e`lsA4j%7L
z-Qx8H(#<@~S_5bc01YISs-hDmEdULpoX^?6xOTd}6ur<m(XFf<U3{*jcRG4W**;>O
zl-9QHKjC*Oi$_0E#L}WS8;7tObZ!ggRtdNP)`dh2j#MCCzy_*DopOXpAreq_W3vJ6
zXq2j3#Apr}!Njd)WmBoFf92j#f@`t^d%CrE@XC&TlOnHWd*gLd!G$WW5<0V;x4Z?W
z<S)?eo4rNCW;x)K>(}8|FTiNYoW=oRsvu>UCCLpLNb)LaXlgo63^Ev9CEa8;n;c!m
z?XdUd&gNM`IJ0FF4&YR0dex71ZM)k!BPPW&Y)0&Q96;vgIId_Ue}Qi@TCzbHEiox=
zX(WrJf9={etOqyuUgwg~8yvAMc<wH(-cDw_@T^^8Pk0Niy9k$qV~W`TTq4MnXUG+4
z@9wr4sJw8U8#k12ozWgckyCGQK!04o1xc*eG=TRN$+*GL%ya6FdX8A5{cP%LDhoZ(
zQxto&?^Q6t7B4`{f9AMlhL9#xUsTxPmbdKY$?W;`a`@wec|W}ZG;`I|=*Depc%-r2
zeKTj2Tm47!J@QEyXAWj;Qxk!;H$)SLKrs=J8jePk-op>~&OH3^8E;S8(`UFJ_eq;@
z6fJQwVp-tUL$?DMmUCU(n!Gi)5BM>OBT`{wfl|QX1L$yyfB4*)od@(%Gdr(dn_^;C
z??jBa;ec>AtD<+ahfR$$k8*+o*r!6FkJf{s1y<N`JAK6-x^908lL<fvfPW~62m`oM
zin!#BW-(cWCBs$_+3yaABNrzFtXG&G94ug*c*71L6`M9P)ox$s+U*qL+Of>?Q}Big
zu1LZVGcfI0e*!9q6o29z@nod=wfXtAW4M{W+nt+pKaCs0;k8y};9Y_Z2|sxD?1T8F
z6yO>>%>}xlat61K91}?xz+DBFOx@80#-_{#f=|Q}hoCU1q(u!MZ<JvFciWZxKPvhv
zc~LBC8EC-Hk&u&}bMIbTzAZm`>9?RHc)Xs0g5{-}e@wVr`8-e>QOs9-#Ry!?d}K{p
zK5_QJ)Y&|Fz5@km`S{Z2*$3mbpvOu6h<pq%S`u2x0YU?oaRNU$h2WSM;f#E$rvK`t
zg85l}<zlK?m6sm+hSvPF{*4v=vu5Gauj(~Jt~OIk4~<4m?bG@ggAJ&3h6t{yRi+6A
zNITDse}2rCaViV_c=>XFO!Q!ybIAFpexC;Z2{er~kWx-jPZ<`L=6#{Y=lTPejephz
z+GtrF8|J{}f{PRmDhA3ra$R>Y=z3!_UH?sLhdGKsdbZ~83@Ir-RPDgFJ1AHBCzuY`
zZx}gbg~~cjlwumrA#_LVD_7ck@MldUJlnRQf4Z9>JgnEN(-aNIY-mnHyrIsA?A2BK
z^l7?vr|Z4vo?Z{W!^1UuJrSj7c19rKi%F0ch&>n&6)dtoi1P<y1zphv2}GE1?>Mxt
z!mV-*l=W`F#+0KQ$i5YgF>N?%7@kCevWa2BcLqQI`*cJtv?A#pIofPS<!%A~+8+jS
ze@InlarIZCvhB*zc2tI~Qn1}ZyR95ZM=!t|&LdiK8nCuo>t>B0ypRuZWDVN{=ihE>
zxv(sUvzdphuN_E8kFTXQHT9WbC~+zklJ>}qh%~%2Q&6UnJ@O?sT6D1BbHi}mQLybo
zqg=Fft60{i$Lp0>_FjR%8)gFVn!lnmf1&815x^q|C{0BbN~@&mG!3%~fUF3VBu>c2
z=BB>6rNee>^Fb0#33kv&-V^XeMPiFlU*J7{xU{i>H*9YH$>+jRxFPhuPl>5eC?$Ss
zjMw*oCIgq2r{>2NL4kGG9j}6HazJ|CGD+=DX6+uO=BV+(B>>nE82xM|DBAC+e*^oV
zrgpp2-s#)Zm9d%XBQR5w42K-9CScH$W|8b(wJG2ufa9{GZK#L1BbW35;Y=#DN4tP~
zrrOA(6o!&{^Tq~JU^dghUHit??NZLA&~Zs?##rjsC|a!oHqnsn!DI&j+a!wb>sXy@
z50csW(;LPW8>H^GEk(VhmQB4ke`Rb$v9N7VR@g;KSy1ywbwYAcDJnpuDhIm6@xgRy
zpV)}zM*UbSm6zox+ueCkLOPafSznQJGJIUN`-){X*^x)rQ2s#-oJ5=>(>3d$E(ZuO
zu3ox?mEKO<8d4>~PW#G^1r@h<=n<UXtey(3$E5Yp+BPVKP>4NM(X}0`e^2YV#_B=D
z_19DadK1$R07KPO7%Rc7nrl_F3d>-<;Xs+T1{<g4Kv{F$sWz*y`k}N{2L{`Mi(*<-
zf!zus6(~TCX-<?3_nZ{PiW27iqCemd1_IHr;EO8JgfG0TE~tKAPzZ(-sqE2gP7e8l
zKEJx4*)cKLzGtkKu+BWIe-bfJ4yJ<Pa8TfRK_Da?2q-=x$f1CobBY-$oRa-QL==;L
zACXgGDN{U}l>^cIv4BX_XU|wvr-ASL->EbK)IR|4NMDBvT^epFWDwvV;TBHk?X<Sg
zD$LbWsrp=@wV<W#{AqFS_}p^IG~qmxPG{h{X_l7fj!#RI8q~gwe;5F2f-zVJ41h{S
z#XvX-517%`QjPLSIT{eHY%U5w&#IrPw`Y~Nw_N(ebTk}O!$vkAL7ZsR>&D#wYLUb0
z<S~tLDMD=06=DK6*zNA1OrZeR9u5a%$~riN4>h2pK)*o{Y*2h?C~WBhUAcO7k1bOw
zLD_6+-5eg?prIz7f2Pv>i5hAEo_p@_Mh*3(KGZN)aLqIg`E~VCJY3y}x?fi-bpnL|
zdvxvfl~bdkJHgOxK)JwuoUyD%@g$XxkpD3v)CUS=WV4S)Pc4-;3}d6TbSipVx7}yZ
zy<0hA96NK&I8y0!x?cYbVT_ReBJF|6=cy7=af&o&f~OnJe~Fs$mBNwGH`?tpp}M|!
z^yp#~35x8as>C*Njrn%FJ#QSnaJ0>6%|2B>PG&@x;zwlFRM4lg;R!<CC8WYkgbk;J
zN6D>{luhm>vy$|4-Y<8dopETRSj2yTV;#WVj@$#$FEskI7%3($KPH|{zWOz2!`a%|
zd#hEW({4kj4tf1|mHs{rbL<3g8bEN9fD|%+(Z`TVKWXk5QtV_A2~z`E3(QoZ1dCat
zg94HO5H6S=Ez~>Xa0vi576{x8fTU!$k&8VhM&jx0d^wa7c;S*%%;bxaa8`<hq+ndi
z2eYZnd?chwv49v2Yf=2giFh!S&%gIQ(U8E0V##z~Q={RqKOn`Vcq$&tThXxO7kMFn
z5mK4n;?JPpKMefE<W6&UQ9Bh=u~3Bz9-x*5IUBx$$i^H58*^Mt_1N^f_d^^yr`}=~
z3i9!sVdOq836GSsk7Uc`?Avn2DKQv~O2L1B^DD7nkQB<<d$MIAR>txRxVh!;q?9NL
zA;~my7jlN^UCJ47>2INTgjC3zvsYjt4XPmTtuZYeyn;A+4XP$2Je4W2L`G#lFcVlF
zlox;qxRcQp6G<Rdp6kw)=hsMoaeJw9GQB26BGOv=WCeaO>M07Gl6Syug=VzTh&Bsw
zIGzuH8@Uv;X%W^ZRm^)UlO9#k@ZlH=#i3LKM)et!EfyM58Fa}MtnQN8@=h5x`ETT#
z<U>ri<{&5l^xJaQfZyppAx>JRgQF8CLK@A8I)Snnsrg{337UuljJ&|CuKz%Yqy!}v
zQ|?e4XE7d67l;%B*-w+1794*B$@8h^S@HF*$U@2+!2uZnH7jv8Y9+jR<gnR=z@1II
zCL^o!#AK`haGR&5_+_LN46G@%PkQ-^Tk&)wLrOX5#-?KayxpthZ98A#CUPP^Jpwdu
zm0DXFJw<>;{^4zS2BpR~Y6l2{gnNUwFuL?rzyJ#JKH1X~G*H29QcZsXDwf9-_*<2B
zr6?qK3Oj<?sJ1JWb`_}ag`-D_3x^F;fGbI%SZUwUuGm<9;pk*;o}^M-3DGcnFQ$A+
z3l%``sLc{h5RI7*hy2UYFGo_T2zds!qu*a*e`FIj$J?pMYj_Pdn|IagcfDM%zr4M@
zeP%2tGpdM^;s%qGHL8E(1>#|hjbqFtNX>#sd>RZI)IGDHNM&n~P<wlO9Xp$(k~4H2
z8p#e$0NC2D+u7^h<eGPacO1~_wkN$abnX44#CP%qP!15n<25~QA4dlSv3{?&-|LNK
zrZ%D4;}gW(?e#iXeqa-bQp+k81|3fn<cngmh@wU^+d&m9NZC=Z<w%!`+inM;OENp!
z%aI&6g)O4MjTMjv4%HQa7Hd@F(447q^cv!z!C=tA={Qq$AB2yNeV~^`>q2Ql{n<p&
z0JDfNHZ@<f0l0-4O2;~~lYtm1f13)ohy9Ln7qfZ}tSR{!wb@LAa#(Ec%_>a>)?h|V
zp0b?>5i`To5$W7Tl}2+$yfcV>{@ePuZF{uW?@w%W#I>RDe19|`)<nkdk2O<2fOhN9
zJ5|8TM_}Y@1n48G%z#<L2dJl#24afRILIW<n&JesrWt68f~mlC5N!}Ae+s<#Y9JQ)
zyudH`{Xr%Cc{~Y+zxDpn4_%j7JK=EZrN~Qrfuwj;;2-t--|QD!Vloifi3)FqGa>q%
z@GBoZ`=#4|>9$|oJ{}0%{r)@EJIC!CLi=Qj=NC8wrO`=a*1c9LXrVEvp@ue0A;WPC
z*lxJ^K5O)T>t|15W8915e}@jo2WQpWGiSBie-EGki?{s}lTmib3qUK;!2*E|m46SW
z55jULPt)#a(`Sp2i}kbh!tz2S6)nIHPEtiXQ)m`Q`^V*ay-Y%Cp`d;rnd`T{r7kR}
z-^bF?-(>7!s?aL@cs$lF=`yW(rI9pv_!7I*8FV@}(=t!ZDv681e^F~4Is{mr7El_F
zNq$QZ>cGLw3!^Vw_~8X&!Es%H(=Wjp<wDo#Z-cOI>-Y@d$cBOlm>uXqdd+H_poc^Y
zg|jNc9)-Ro(;>8xqUS3ed;NiRKnUt$IV!EL+^(%ket5Mzq=@tQOSi#W4w33t^6L*a
z?8WVOMEugKcKgbze-te*Vi(-@(&G-j+q03oFw$|<t)Q);p@?JcLPy<G?Pp8R4hNPs
z08r{q?Dkj4o3JnBq%*ii?uAJ|Yu&7Pz5z&SN#Dg^x&z#dC5u0THATG`fb=@-+Ysqj
zH0T$wizq|M&m_9Rjt1Yj9e3mQ%-M?SsvX;f5$bq5G;etCf3y#CXqB#eh9s+$4^W2c
zK_Y4oWOIu#17vyRD}`*byRf{_O=b(3Vle}!_mqy5?txR7Lc3kISEq`-yYNT&?h~FQ
z0$r_eOWX=z#wK?Qpr(_kH)Q$_ajdJrJ{s#TsqzB{0d+h)-U*j0-d^<fZQF+7usgtQ
zkO2YX>7tSvf6t*{G{9{KH@nu=4iIA$HBqsQUl+QlgLWVrH@mo*wFJ*IU$EDcF2!lv
z*c-S$SO=z#H}HbkIWTz~_(=5-myj7TlS+oPNvNs-v5>qwbKIa0uWdXWUyhwx0;v;Z
z&s;5a`U<&4%hSi*cC>P&v~gyml!nqN4K5EW7v+BFfBityp@a-bn|zo#xUblkuXCT{
zCBDk@pZor-a=rB`&sY3G|L10Px87TP4OT%2R!0-)BDA<_R(JdTd;X`zRO2||I{p6r
z&7%)*0D_Sw7S}keg;fv5oZxQd&LVD@#f92WIG5?-WnbR&U&C*QbaBm(uHyD}j^Cls
zzYfk7e~S#FQU@<}r09UkDReWS1@sc(>|JZuCLKBzui8|z2ycSAC3E^6DpWPE7)&fe
zir@(<Gl<Y8{NZ==-oqUG;VG&V>Gx?naHn25c!4X!!!LrbVMiqkTMHZO;B|<7@ID=Q
zgR89dI1WQ-{eVjV-)YkJpW@DN=TLH$C#__rf7lig%?VUDjmZ&6-A-U~tA<A=Pv66w
zeid&xeq{SCQzZX5uZ+Hk=YME_7Izgp%rDQ8=ka*keNBq2ep^uz3HDCjz*x4wDvgfh
z6?(?rXqgW!=b2FH!a!wfI7IQ^8o!{28NUr{Jjk7&l0VRd0rDFv4B`adz~eZgAevPG
ze;@(?5h1OKF|t5(fG2S3S=ODFqp65iswUwUmY0t&FS~@S@Wf}6pud?)1qFZCF9cJm
zrawq*AK_PSc3Do2FJHzgjxV<&sffXg{&PI<Q)1##e<0vLD#jEa&!6*)ym7P3!RYw1
z$6dY$^fyJdZ)ntjzISj!QJ~)_qO4<(f8N{RZ)0=CDinqnPY*Xn!;5fonz$F?uf4gl
z<PO_I*m+V0Y8539Cv!!U8slMP13<h@?@QcHyWN5BsJjcxz0=u)4~&{iKU4JxKpSF+
z+$(6^Pc{fF5E&@HLXB2fg*CdeyW8ntB^^|{TZGngqili5yr~qMD9E&_A<d=Me@Uxn
z+t;~?k1Eo3nBx`AbXH-UHIZ;1Fy8Tr&CO4|!?<wa%45-wd?fnV6>eh3xB>`};(-N%
zUSRYmjs^o=e)C!7=h^Q*@B!nU|GFDI{_vOCuc4l)-%Av8i;j7M9IoSna`w&T*^1t^
z_Q+PS+YN3#GF92chpWx7J%}|ff65!}1FwxCwYbnRsi4lkX%;=~qBOP$NH2&7hRW!w
zqJU_J=9hNI?)89Cy6&DmwzmxEx-T-m*Iai@L|iZ^j=4pUfP1ENrpKA`$?Qx#HQTd3
zocr*dE}G%6bASg>>p3kC2~->+AP%7t%n_XlRiXC{n1c0}w`%svmIc`Mf13}h4<gHP
zlUd|HJrwhLsqB^2v%%%%;MrBwkY9S}F2E#srJEYdddO)aT!Aa2&S-|q%TCo4CrlS5
zGOB;28YHT`^8A3G*5h$Kd%Q?JfuDG=q5h7AU_)8jzUTDf;^}*~mq>IW8C^(g^m5~Y
zW^wBs?v;r|c!_#4AVQ@6e}&XBPb1tmdOU5@?Izv6Mz_=cJp$9}({(2{i^>p}$1bsY
zZolt#k;X;5US@h0lxGbpSt0T|!`+Qm9+@drJPiPyD(h7vfF}$YA`BcCQ$w=id5z&c
zf$<4NY*cRvrMJp?z+iyNteiahOSBn&OwQTp2nAC7ATKZ4q-TwWf7z66@1wq8*e0};
z{w>ORx7`MzFeiTuPC;huL0QhSm3F%aH(RtKR4$BX>k!^AfL2syv^A-Rl6Ks;MRq&7
z^AX)0)*ooK9;kP^y7LSApz9uc>U=DA{;6Z`ti}ZCN1S;YA(s-VZvnbMfLuS=#SMW~
zGIDo!U3+)3-rfr|e=togrwYs)n70TEiMC!fmE)wMG_<5h?AqpL&Du82?eKgiGe7!%
zr`IFzS&rTP(|5;~L#?|Wx~ugYbG67ITzkarQOiHh&i_EZ0dIzM!=_e$5ngRfKG=~a
zwsZoViRu(FQ~}R)pH}0|7}0$#@}8D_^r+n0*0hfr(Q+kfe=Nsi{$Mf?2uGHldFI}^
zxus|<n2r+v!s&-1wfncLK3&e7xUWl|v`(7lNz2!6U&-0otepdTyF+4fFcDswpTGB+
zXO^O&fRK=C51lSlebw!5t=PHmL<UG)XtJ^q?JLkT1(4@!faGog^uSesy*3bCwwy)`
zz(RH1fm5++e>McuI8GcvY^WMYdsq&9)=@R1r5ROICni-PPYgzn^89Ur@QfTjkytf;
zn&*F-Z_Y*UjlLaD_0%0FA}M{fC<wRl{G(X>#S>v!U;O}cPW1pcnq#y@?Kxv9Z$1SF
z+49GimY4VPW~jJp7enT0T9(~~!sR6+WIpCOuZ}HIf0AdL9#BgZ^QK{xWSRM8JJYfO
z<+o5M!}2z%8=Hv0-3Y+(dA+KClmhlMxOutV-l*zT_~`Gpte=Pdqivw^mbC;W|BrVQ
zZ2H!(!Zjj5>3iF-seZs3w#OQSee&zn^T=$0kOB-|P&J(ZLaCo1#|in1ug8;H515a%
z-z>)qfBJ>W*Ttl;2C(Dnl?z+()FbUj%=-&^GX8Z@TodFeNkQZ^>IqL}S%$4Wxt5;a
z=!rA^w=*j-ptOdo*_w65@OT5ppk$yw4eIYqqZXK%Ux3MCsLcD;-~qpA4OsU;uZfd6
zamBjwBW-0qZD$sr)_bQuWM8y1k7ewSmyGu}JjvEw_`r6(U^bU~`p&73qm6Rs(MLTh
z@c&XQsDa$EMETL!@{i#^G>!;Ym;;m5M2M&pK!nFh)f{@EMU&4XIX~Jq(N<bv(lJt3
zXJ+>E)0}Fbnoeh?wsjzfy7r!XZFc64+ye>J!@(@#2z@<8#i^8lrr;=2|6`5W!Zpu-
zw3A09PbPf3Q-}Occ}m=;y}BQxPW;pU+@m3N<3Hrdy>Pgu88(mWaK>5ule{Due;-s0
zt&x?w<|$dI1HGqaL0(yfC!0*gVrUbahjO4DB7JmKVRj7aSp90s*!WVVRdL(Q;_=7S
zb7kN=bzsb(mJM`v>E|nzygg)=4~2TZv}fWNq;d2B)#QDMdQ}4tW=_@!mnT|3?`|0v
znz=!e28$CI+8_?mqw5EnuO5w5I1^3BK*u)IA$?cB^GEh;ccSO^orK%FQ=f3!9;|2+
zINB<;1B^92<8N_HOU7SKnLv{!G_dXcU6YI@95j!CX(xe0o~la2bIuT`*G6L<mV$%U
z*!>&46sFc%&8S<@@xeeWB}S}}P!K}(woR-<-UO4}B_@9zlokxCp;Le@R++aLv)!z>
zif`<|KZ#&8#s`h@LC^Ewx8!itbLl6WH+c8=KnhPqBIj`zjebdrM&XROW2gQ=D4d*l
z`rpLq|2l_1OGT!)+?3ZSBGXgc9f-t5blqjz?)8>~q5vBZ09epy2i<rlCHQY_pyS5}
z6O$cLR_A}xVp6Fzs~K6&RGSq|E;OrZLP)AmmQ4%t+?Ux4No@CT*?aX95jj|paY?0%
z;%|z@w0HRSOfn*ig)~}W)KZ|N7CY=+h|ONh_Fj$YxBn0FGFJk;y#w=(AvKswS`48Y
zL5|Wyj;xay@Df9CbYIM8qPiO}tcv`l8mBrHyaj*WQ)`*k<37Ab*$><qBk0T^YAV!?
z^=VG^&*H1=wi<}X7F80<O9^SYm5_YzB2r;aN*3n)_xnGZx6(r4NG?;2<b%2R+_GrQ
zCF3b4kkm-Fm?1=3N`E;d=xYrtEb-x-NQ7`>EghER;7MOFG+#)BV$s-I!d6wkeq>#h
zRe*n`@u=2X2y4-#N_=s6kS--+>d*6q)%7KX=d*Gmn(*<(rp@~V>G5n)^JS8;&>f<a
zZCHv}$fz|r9$kp#6s3_>BL1E~22aroL6N@@pI*fYptFdxW+T|d=|CV+IYDT!>gz65
zb4Rrf2f0}X>#}>b)46(e+OmiU@6Z!bJ8^&L2|GYV57pXty*Lu&5F$tz7|jre?m9ut
zxR35M@09fO$ByOm8ykPseD1j>d|&a-$zUT-4+FHg*}P1P^Ld7rz7KW3%k%x?WF*)p
z2#Zgm-0dS&lzcN2C%<r){?xa~JDGGzi_U-HZvE+RP2;XQx4~^w8zo(E)Df;RR^)#v
zW2NLoB!><MA&@S}$vSLImLHeOMndZ1=|u&#j|#(j>=+8wP$YYoy0EakuyB>_(0Uq4
z2l7kXOA)CpMO37ZDm{dvd>|c3X0H|C#^nOrvQhdUz*}DQBG(L{4l$pOGEuXU_5`Hk
zK2>u>7PvP2pEu_3Jbx^mK6d`jdE0-E#q*W7yyf;>_S~gQm1AEy7k~IaZO$w5E$7eQ
zl1|SpZ<P!)SIK5?zjW!gT&}#?duS!+?06jQkAS10<tsz=CBOrj`doy*H=309H=0h>
zoOH(@D9egp^5^;Qys-SjGE7Lfo7NbF{1<SE=ktE)J#eXyq3KH<-yVxppG1FIT%=L%
z^V~t4yHi(znv|+Q4#oi%C1Da`aS&JWbnfwYJ)XnOIKtxMII7~6)`=4>_<HjltzRrQ
zn)>vxxW6r;8O+k?kzR4)dgPYp61u6*ug&eWfxga_p}`%dq9N`1n)nINI^F9b$^3*^
z(~Y(IU0xu|j4#&`dJ|D!u77`s>((mq+<vJS!C(9&udS7xLZyOt-ui~#TJJ4<@{?m6
z^uLfVvsggrZS>zkUSm2clJKgD7E06MYe3Bf^obQ=vX_o)MNKQ_&59YCYblvzGLt%z
z>Ghspiq02OQ9YqW3#6CRiVr+c(4&!n&CBWR$y>8Y`BHCZbY<yh>IHw}p814iM<<c*
zPoOOUB`!xZNZWnutFOLQ8NB+ccm1!ZZ#4BOIq-{Cii%T&Sx@?-A@hdrr?R7djXZV4
zuPGBx=-t6rV=1p5^Z*ZGObNREHfYWSi_t{Vvpm{4?v){pV2e=us8TV<adygJ^kes-
z9Z7ofVZfcPyCdbLCpmwHWIRvzdFrvbbTdD5-m~`Mc#0_Uzz2OT$Y9z-JlVDO_N;E#
z?yx|V_O!qFb<VbTX*sHg4y1q#wKr0`1qLP9z(|>!n&(UoSV3!eU<i5*!Joqve#|_9
z&wcT3F&LI2cs!gd`>aSX91ejTV+p~yY&aH@Eo{i$0+1@^`f-0Qqe)UY6$?m-gcJ^l
zT1?G<_#mDIXFU3=P^<53Ob5DCXcJmWV>fySp?~&h@4syJ+4}zEa5xpNf%<N1^Fg+{
z-42Z)nUW|&@H`ct=0HcIwqDi@M{FE8w~wE=KX5yp_T_7rm+n2!{F@e4N^oC+!RV07
z!)I>oFz+Utk>P&>P5Ju(-vhQMXe>diZj5+n272@a`u@TmRuZN=(554PrBt2>n{A12
z8A>Ts2rMKcNg}nk1AMETHbMn|`gior&4sP41&pX5cl)%|mi?4b<9$l9kW2`?5`Drx
z>77Rszri9iX!ym1cJ_cyYp89e_)?%kJ@xt?Q!;TC0T+Lr2~_9>Iu5Tv+ElhDU6kz$
zj8^|<G*k+w=Hv+6p@h@<WTX`8OW~w~Ze>a`EZK~1x5H8)rkQh6Fev30wOB#&TJs%1
z13BPUbS)fsX0gapkbH_%<*Lmx6w+60FMYwz4tmfmBFhMkxd|ZgNg@OLngYoCPZgW7
zl;>Zte$IcxP|W6)<le-+eTs`{2MD^_gf0;U^!9IIB)N%xIL85^z!_7)D?sg>mgkcL
zBZv_(F|vyOjX;-qG?s~)fI|!SG|)2Um@S%@V)Y;w3lnFzezHmI4K8m4&0Hg~5{<4T
z)^pWhAz00=v(rY-3=)OuT`b0Gu5+`NGevnLyV`%@tHeDT)YZ9SwOY!ndhjTo<%?#u
zIEQDR7U2J;eTy>8`=)&=H8oBIuX}*<;4EYPOS`u^>D{T$g}#NZy`c)&Kn2ZJAYt_9
zTLgdJLio52KVI;Se@Wh?>iV*-|9m0fpZ5!ua7^&?n*tG{kqRFmIv-ddWFf%oB*0gq
z5x6z5$@}r50JjGUWb}J6S)NO$JBrUI`}~=>pZKc*e<I_DQ$C&MX=%bAsKSLfE%hnT
z5PJbWlP4}w0Sc3OE=K`klff<;BH1Z0yMULhWJ+WDz76ZxHG9f!4okmrzHxp`<-bSz
zH1=nc{Vsuji(+tI&YcB9lkR|c;Ztam7+4hu`<O3{g86pd<m<LUO3)ok1Msi66g_vw
zTz|09c#vk>c@y77pD)YNVW%kzIi055xrxsyQHo7;QEZ||<Z$F7+oTSsXca!lzVbnG
zmgX5U9TuhXmCcu*{L$^VY`%Q%M^7>t^zX?ZlYhdK{VzEJMIe(nFz5jzlOZu%DOmyl
zMNG-K$YS<Ak%phxXeDX`<D5zM1q|(xSxSbc>*ZgtuU>tHrDT((F(H4F9H1c<218%D
zF<lNfj_01z!9~62%s$1W`Hd!7z}!iY`JmsUFR(KmzU*4P{c-FzqVN&*ob~dFRajOq
z{7}vNr;Opy_|y>oo`3%N_4nla{rq;n-~UJO$D!Zp#5%#eZav-cRMroS<)ChY#yHm4
z^C;AyRP>H<%@f+}zIA`qq7KRSaJY*;3$WSgc6$swGZ2q<B8K5Ry`HV~dO#=av4({8
zQkv><X5zX<>cFU(O>HW+`@`)fK<VeEyXPu;#q=*<p3*KYQy-*p1kJ=Zv+DU^dVxR3
zQ3|Ds7@dgY3&!|v&;HzCcah!l+{7bO$dpPMA)7quw~ku=lgWSVTzRJumE~xmC+FlI
zX7H+o>+O2D_R1W+KK_CC`?)e!2EX3K+u1L@AK-7td07TDicO(Ww4978{Yjn_8duOr
zQh!b4mcyP(trlu;u(yW_d*V)VkN{?FkM^(Ol;CikUH{MI6)MF!+!?OJy^Z?-cZK^L
z^gg450+3Z8z(|urGZzA5SCd>b91}++R*NR!!)mCS_3ZC(1Kv-=W3!7hA^`%I3zM%j
z9uhM0V4zBuMysIZ`QX<yuHMUwlixHKf6C2*s;2VBdGz|QeAk#nrZnllDXDInY7=W(
zp7YWZ4R&p73QOfU?jUI)o#t_h6j=P7XVyGsmerh+NhBkMc!=Z|Zn;F<+Fg&{RSTse
zApqf|pv!S>tGIesjhphy%XzUFZ}bFh{ATcd-KTw)cFgNObI7~{rnsg+{R(Mxe~H;>
zItES8sG;|olC9OUnAxV^>ChhPxV4&VyZ!#q_PB+QqcT{8O8~d9xEjV4I84T^tC$`z
ziB{I+Sc`2sP3Cti78Oxbil#TxUe+BIolH^1gkeocylJ+MY?g4lgMsUMIe&iFbw^#-
zB^{=uLFaSazcrhE>k!_3?5Xshf61@IoLHh>8K^!y<d@M}7fsYuQ)!u!A&vatYw?6$
zd3@<!{a#(H%wMQ}T}TOQ;@NMeSC$uI<kUl_?1f}B82hIE_3Ax(IS9Aiv-EgbPsFJ2
zMl%0z;zG1gO`m%Bluu8ttfar`<vd`y8JN#gmg=rOPXmQIc^TO49`TmPe>tR(ZS`HZ
z<6hmRu6Al$?I>-+_3T|3;O<~xu|!vjs#>!an=H(vB@g#c3@F+S=12`hfJThX+XE{~
z5!P2em3o=wRCu7W5&e_s23qB(of=%cmQS(mzga34m!_>Zm@CMm6(&n%SE~8ekNb8}
zRX7`Tj&x+_^|K$QX~g->e<;gL#nWWwa9H~c)j9mA0}0X3BBco$638JLmMo{gE|VC@
z*B4BTu<8Er!Vd|T{+diq(ISkp*@m)l4m0$T3scz;PzFeZHQyFYIv$<mn7`aAq3#u)
zs~m7%^Yl``zjWG9UFdcvE_2=PXb^5cP<!&!sV8d>w9iqWy6OH2e`3^J#miNv$kTm7
zlsojF{aO8vL;cYn+@Zh!{rVjP(mB)@BK1Q5O){LpevNS+J6tmu@r~+}Rn#v6!(Xdv
z=zWYB6Sa@9=P{29jMD!lhC-3RlHm{g`3=F(8x0}o3;b_^PVWPo`sUkg`vutP@Coef
z5HTeFwJ7n$J0)M9e~$`xhKLmNf66~+S<i0iTOa8CK5R)s-_q}~5TS76{KFW-k3N=7
zYP08@i3;~1C6;$E3EVy?x#8x?!7ekVymclo*neTWTT}GfHamMOJ9{hp!4Nk_w!?N;
z8A+Snb!KkqdJ;^4&YJI1+^s_ISJ8EvVruH*p*T%*qO3F<e@@e=ctIm3Kq8p0&fw}*
ztJCk<E(O9J>wb9$c)ov*=am&D;D2%D#i8wzZts-6>@sBBku&W;-XG#sxZysyVXRaB
z5w&o@ta8L=5t;F{<=_Mni%#*y6-<%S_v{4ixW=zNG}<o_Wq+_sEgeXgQ?aiOT*lvk
zM|5GVOzLq!e{Cyc%P~v7AX0UXIURFzf;7ajzs`X*Z|Ig&=k7y4;QP*{{-WKn+TZm@
zoDz#CFF6ta(|h?!#R2#XBBUINwA<BH>Nvbwb(OXiFPPNP$1KEcrnK*b(_#1=Xo{{-
z>tgP3WZfz`$T!=>D7!T=DVX<+2KVgW{c)P>f!IP4e>eaX{>D9jdC&bUGsLV6Bhw7M
z)7iNiC{Gwkhq{?C2NA7F>~WedkZ5}SK2@itA`<D(<N(|6jjrz5Jv#G*w;z5|{&k*Y
zQm*41dd6<^^5y1D>bJ|~UZrxl?%ZKXjAhsosS-y#oM>xcw_W>&Y+Jh^>2)a2`nTl&
z1bG`Re+4w#R)zWjA*Vi+j6-Rt<7`AMZii-;qaKP5!l64BkH$~ww`zIJ&!JLd_3zn!
z<Go`nCm$~_mY!-y0<Z23k1oz>r}R^CW>G;qxMHuB$9Qm{8>*$KG{?3u(?ay-ZqhjK
z*J-6mTUIrj&?A%P()=QgNp|R)we)ZB$%*`EfA69sV~aQU_MXb6+N*y1CT-n^Cgzgv
zXfGqPCIbLU<m^Nu%z1H8`*fsolXxz!QWTR1@lH;Xg$)%kOBm*~TWheDc7rtz-DsQW
z+5uCe15>aK>*`YX8U`{cQgrm%T*->0!V-umwh)Y`42K5#xgA0Sp7y1PJKF6=BxM-6
zf0WBgp-4I=gp&zi48cr1JAVaTDX*|>xG<+)07)RsXphW*5pzl#yFySK+ODE>6ompG
zln4m=wc42D*-d5lF#dfUA=`zOoJQLlN}?cAn9d{^&K#7_*N+{yRv#Qk#Xa#OSq#^b
zbF2Mva9sQVo1di7aW;*ZJ)BE`amKMxf7J*yF+Cb8LQJJ$vhdTH+yXCw?ByrV;CA#I
zUY>z}cN{iTX$F2M_+P^tVDm-HHh@_NPMtYJx&Gf0m)bE^#Ou|VPbV0C+-OdcnG!C0
zY)PDN9W^>$*amU`JSHw3tE=(a{9b1?V610?Ay95wo$z>;4rOc^#vlYQVu8vWf8*;=
zj_#4E{bbhK-?wP+hrPdV(-K(Y1Mi^S-p7~%7c&&m*n@0xA0@xQ#Fqo}yjJL{;%HI^
zbU$lhzH*b=44nf;K6c)mnCRjJZFKh47Z>M>n|fj8$U@c5FI+Xy4p=X<cmGdg_YeLL
zURZWlI_)J*RD;1_Awfdnr1H1Se`@HmF1gLK-i7$*Ua(%|4r%F_XY0-A9yV!#z{YeA
z6TdGn=Wn|$|1-DcS61>j(7=x_=g-2Gv-#zf{NbljIqIfQOQVSa(^)x8M}3go3Ke39
z8_*60GJdfj3DJ;WkaKbYnBI}X4Nd99!lEL;`iurc!GIV-5j$6{K3^zIf9(1nr|~Q{
z&8$^gMFqSkI-xm1)YNoENW-uIJTxmJ$aW6E=0DH@8jnI@rJNB2XT6nPD$4xd3!_H_
z0k2%%B!O<tuGv;x7lgm(<>FGhweAQ)rmTcRBO#T6o8Zbjw*IRHch$PnQV!DNB1Q|7
zshA;jOrydL$jaz8ZKAJ~f63-fj2!qK1LVC-<r|Xv-L7UvDyfZ9x8RjbJdmltLnWP@
zd{s*;dZ|rip42!)0rPpzb7gLY@~(C22t{ow&cr(o4KC(b<PyiC@j>&*;Mm2-Zcm%t
zbqr&ke)K=4l9>D?Yr&OCLx<~KGkyDG7mrP)z=k)n*?k4}s~5Gje>!iBdG~i|#zBKd
z69DfLO(0Y%)qaBDAX9@06I5^k)&r=*g^4t{Vtq0h4{uh)<+f(bFA~dIUIv;yUmAV4
z+wH&tw}!Wf$xu9&PLOKOnp3xy78jScRJe6`?I4q=d!XkgGkz!{o70#z6MawGyHon|
z;f}Sp*S<2PNZ;Khf7VXd?lGT^>;DbptPjy>>JoYxI5dw6Fk6jMD0nYpOuK-Q;ny)e
zM`z$Iec(Jtm*R`Q?4K@drBDZLEA~HM@cEFxpq!ep#30bFN9WtXZoA!IRNsC6^Yd-w
zHq;mG`k#{jK>h_Bp)XpAQZL7pMK6)1Q!yRp5$K7L2qfDVe|~u3s}DU}Rhs&Ox-j~~
zXCJCIwe^Js^{>WR8!o^dqrZFT*$UpG=<j*<ArS4Fx~^&-xV$i40pFkazpwxQ_kX9Y
z{E43LzyH`qwsig<;Q1bSteq)&SvwFb^(cQreO47?KF1)5LZ-18CZmCn2CfzrqgoQl
zKOG~Y3r8<9f9IDEV<ahYZR76JiU)uI3uPGwVx~mP+Ocg_^<r>b8kq+3Kvo+3ey`u_
zyFd;{yG&mGYx3tX55v?S<sjRr!?W;8_WxsO;?2~0=k%4DUW3nyzVc33Z~nPLX~Xbo
zH)!6TUcg&c7HYMH71FNVwVIUUaA%s_O!McPWc3oLf1QS93v|4MM7GricmpCt$3^8E
zZfO7hm}Y*Ks86EFwdvR^(0H-gGEsV<#}1y-6RnBo=)=v|Q5-0lcn;q<hQlW@fh4({
zn@g8A%hl?Vlh5PP#Vup;Xm&ocQd&B>zJAg)&s#ykx3qO~-9Fb`3;0F5Z`&UY6aq>)
zxtPTLe_e`^3KWIG--HT3E|5ZD^i97=FiV9Gz|JiN;35Gp!u@L?wTG$2qKMf$iVBra
z0<V|0xI?<gr-*X-a{sF9B|i1C7xzXk&57EkS&YY-Qbz-3Vnc1lP4xtClxbYMp+x?N
zW+T5@;TvTte`e;497<zOX9rT4&%)e53%)1pe*^GwG;~-%?;cY`j*C==a$WMxNM!TX
z&1gAXZR_ohzPYlgZxlA8(P~HURH1lNCk5DT{Mu$DV!|z-p|`-ls1afJL^tO>4`<Az
zu*{w09>ADa>gK9Y;dD%4XqvYwh!G}@iU3m6a&VbDG=7T)a?nc@rN|Cl^E6|lmt+wj
zMV{hjZasG^pp#f?9MBOC`bf2qOU7I0KrB}jbGt`R<H=m%{P^J4stF(gYE%uDB|DGa
zP1)>MH=~I}v_bsOvYht#KTVU~K|&E@Fx?G}I;LfnZ~ER0ov}3OlQBXl0@_}aTS6u;
zFCo75_sG8^{}jd^<u8n=YBiN6$b%Y67wasC`*BiXN#7R;zyyW8x|jW3@iL{8utFdK
z3zN}8B!B;$0N%~}Zwg}3cAoK>A&u2R>~(~DjC%%X$t0c#+M`Vx1(US7?yQghy9BR{
zM%dLcpOj%vJBgL3lULKMHl0>OV?JKYL9DKzN0?%c|9`5^LGZ#CeC&k;VK5oU)a`cY
zQ9@LoKbQ3L#P<0EQZVc16`wzo@hQANn+#yu5r4lJ&5BsKDreK_tW0dp`@b4A^N+lj
zR+Z3)2$}lN8mg;b;z`9Ph3BAxIX)Qnm3e<sN%{h1UpPDm&zpmbzOpZnRH6~AR-WYX
zXTFHHa`#jFw`Zjp3t0i>Cq^6`ictX6wocQUQq+My3xMJ-GjVF@iJ#@0har>?;uLHf
z(|<wEug%%$aCMpeF3V~u9EwRey~tt`Sk%Je>7|IylKsqEYP;>t<$ajT292t?4LK{c
z*jz_pwuA<*o4p5+)Ei#91@fFc9&gRm3E2+?w=rk3o1AUGoL8jK!3$OjPv<|wV9JX&
zueog)q0_{#7RU>S+y1e9+CP3Z^Vam!`G3)$FolqACo<DmFUT#zOm9t%nn?9ahY~h=
zNxDV)UuQAVFu+1CZN`hz{>ZBbnHvH3MU&C%T-ycQN5u1`?8aj*V?pmz(=!<yv&mCF
z-zjurLFo6LJ4>1NV^gu13sk$iiQJ;7v|b;Nn*11zP6VN;XiS%I(4JXT8u8zcpnude
z5DsZLrm}~PIfP4PKur{u_SqZU>jh*^GD70qFH-6@iCXji$0b#p4sZiXXHH5zvO-H~
z0uGOT)11P_ydrD$Gj&Z?<_#C1;jtsCxyq=(qI%@mEtfnWCEI|T;TNfL#8fdmM#c=4
z6Py1XMYnueyNi;INAJ|id6ea7zkmJ#?bkAJ;Ge=+Hd&-O23Q7DOmqrcX4M3418@$v
z8vEZafDPd*IP6S&ojr?<3!tUBS#LEfD5)wiU#{E%>+Z~>j~Z?w!3TnggkKbdNYqU5
z{={;k$@}9gab6PmZCTc}Xyk)<d`Wk4=juDSd$)d`p5@Qp)&x<Myl8Bc7JrY9&e0v|
z-eElY=F_mWU8u;<2cc4bAYO<>{o#N=9&h>mi5f3RP=7O}t0(4P@{1CE0F=4<lX&*7
zh4b_b#NFm?XY(J&R3}Fl_t<XiSMU_+qBhh4c@Tj0m5$xn+5cDMcX~HmZ-VG1((Av%
zt{=>57C(kQU<(8jC!ZKcl7BgP4A_hJ_Cqg%tf{Q7D)1e8k!1OCL|M;^B#YC_ieh`0
zN1xot=QcKS`N{t%rXq61O7VgJkyUW)dvtp&|NjB;?0gsi004NLV_;-pU;ttv&h^&u
z{5D@1xS1Hx!T<mN_c5_B9tAQv7{Jm1w*3c1004NLV_;-pU_9{u0F&!RAqN2f1~dQz
z0Fx6(oPV<n(+v6zQVqEd0uDS5nhx0y9}iFug%8jV=@0b~0T3k+QxJy`ln}NM;t?_t
zZxO5!zY*OMClWvsOcG!ckrK}nDHCiHoD<Iz<`hd5sudd*j}^ET+!g*77ZxrSP8M|*
zg8@7N!~Pbg7TOmZ7hD&27mXMF7#<iq7-|^D89W(?8L@vE=o%p!Wg4Fv<r@hbKpT)7
zryIQ+(;N^SYaHMmO&#+dE*?=He;%YC0Utacb04N3;2<j?Y#@9fpdhv&&>;*VSs{)g
z!y*wPSR$1pLnHnqH6&Iffh5x<3MC^YH6}JDNhWS4q9)HK?k6=TT_?gP?<n{w1}P;e
zNGW+KrzwBrDg`Q1DwrzFD-A0$D`zW@E5a-7EI=%(EbT29Eo&{8EzB+YE+#H_F3&G2
zFHkRaFTF41Fd{H@Fsv~6F+VYbG1xK|GD9+gGQcwpGfFdBGo&-UG#fNjG_y4DHEuQO
zHbFMqH%~XVI0iUbII=lWIbk_*IjlLq004NLV_+L(U|{56tYpw-00AZ-<^n<nhW}tb
N0{|H`0mqX|Nre&yz{LOn

diff --git a/dashboard/src/assets/mdi-subset/materialdesignicons-webfont-subset.woff2 b/dashboard/src/assets/mdi-subset/materialdesignicons-webfont-subset.woff2
index a749e1d378d226a9cc632e6beb904552829c81cb..a4127b9f65064e6872befd933d2846ce345f3236 100644
GIT binary patch
literal 15164
zcmV-CJHy0xPew8T0RR9106RPY3jhEB0EYko06OUa0RR9100000000000000000000
z0000SC<ayll{^Z8>Ue>`TnmI200A}vBm;yP1Rw>0LI)rl32!CJ?IXqQ0P^MJ?RF$0
z*f@d=#^zB-Cl@O^`~R=WjUgg6Fte>c$Z4##YB$a*(W6)7Kse#cVhV?uRJ^RsEh<ro
zN=#|i2}{u%Hwe9k{UFn&$M)D4FE=Fo#!}Oq=(sDT2@V=b$Wt!Tq9yplizIiO3jJp2
zKMbRICO-q*$<YWo;s5{lYx_K#@r#&-MzkbW3C&W`5-E|CXCdOBf3VxXOWPg?65a|l
z3`1^+*Udj9jIbn+BtQZZ5?1a42qcV^7ZSph<$I4I7GoJEL8S^JYMbYdV+S17B2IW|
zzq3pDCRptdbSKu<*f9l1hpWppz`t3+0Du6_bvhjoR}z0_4&_vJ>F?D31csJnTe6BE
z7=jfaY|+?*&)50d-vdL-0#lPg0eOCDdp2+{o4n2DA}9I<5iJ>tlBPn@4cE-IOe55h
ziibQHa^-4UVV?WGs?~?w0c3Y6m6ClijJ>JNUJ&q(nwjCgr>3P^sofNEd#M8e1pe>q
zkJdxACmZ7Vw_y@og7~Dpn@odCFx}{b&8Om0Zo}-OyJg;-`qEX}(GVDrgB@`C0Z_8D
z`Lo}DzFeiNbsa<E48c(1q^%`Iz?G_13a+!<d!L<mmH%)0;RWd@L31!7fEgGPBqab`
z=}5{fNXmeqUJFvjZ%LHSQRjX1)<6_jMNwyD&X8}ci_TcRHPO~ZAH-jugdb*4{~z~c
znhqs|QwQVnAoA<lECrC)|C}m~I+v~h6^5VyTtG^oPkzZi_2>Dsjs?ho<&sS7v>PQU
zk=r;PmIsCfqZma08#)=<x#;3jM8q%oB~L`8xo*qMk;Iu3&>BKwg27<_x9#KCV>qoQ
zZ(V*%Q;T?YaR}TUgf0gGMMmnYJ!iG$1i-d7I~RZ;00KZ30OWv<2AcKw695+Gd4D_j
zIid%B)|D4F1H2L*_UubT50wbX{YW>lQ5^3Mk>c^mTf?p<QV>R=;4nrS9%F3XZ9*er
z%oUI@77NH>Y!r~k*c^DfT?G^|YK;=cX`_sB*{ERLHL4gduVI*EPvTZ5MXDxw^0mOJ
zwW(623x(3HUW1;sDWDJ17tjxN7BB#9DF&f!#SpZs7>3RkBhW}O3Y{;;po_=2FMahf
z@#TEJogbQsxOh^86G#&wf<lZK>Egu6kRU;(M2WJ<$z>~3CP$5#a#3pK>(K+Zi-pP&
zN2uL!gT@_q6z-lwyT2Vp{`KES@jp**M=3V8GXDIP<KdYh!ZZ~`M5?9BP$NqgLcV+?
z6%|T}6150~I<w4HuSt_eEn3W`r}x_0y$uL^Iz3%6$GCBGIo<L4zV|kOYCpPYHEB}Y
zo~r@#OiPyMq36es0S}Lnghaa(spiX*Cq%w{3stGofkb*kg9eLivdQ9YQOJ;BTSJCj
z4F&oS)j8*AMvTze*ciL2VZ!x>1vd}d*Y0ulvxdj{9hI#lB(zGUN~_hVvBqq(t<|E%
zItwhYes4L<EG#zY*KeaigEsllhc>(DqAe~Pvz3$6_I>5p;alI?xqrMGU@<Md!Q(-%
zK!J7>5ZEJDoV{dZ-j*!cesj%rK&w{o=+vp7g~dTbh74fyq?3F`jPSeey1>5I2$G*0
zA)bANWylcGqJ^kKhp0ssiTTin;``WZB!ti>jHFbl(tE>^vDaQ%#~qh5Y*>CyjRFQ7
zMJZC0EU`pcuU-{zdt23@LA8CVQO6sN27c3M;x9+bBagNBO6gLc(xWpPecIX>&}EIG
zm~o6`%QarB#!T#K%*Ex6g}AM;6fZVb;_b#-{I;=Sa~oSWud!nXkG(?<IrzW_j{98W
z#J+2s*?;9CtvIf}@P(UeuDNq^dTdhTsfWjljLh3nM}7Ry314TO_1`O<5pl{yjWaf@
zfOFPazy<sD9cKS%T&Y7B*V3iC(X836`@V6v-!&f8-)TH*s4d`0<ILmPKKs1vBgLyG
z|Kkk@$NP3UK7KVmHHS97G`q{U7XI-=PVQH_bboNTe`U&KTjmc4jvJ(%R`S4FMNI)%
zoA@<FVC|=Wo&l7Ab)h4VME(^3)9;_f|G6fR?*|Rf0!**tq2P6X>%Xn~$J2n+4dGHf
zo73xpW8%IHVPfMeoNM?viiCQ=<V?sk-DZ*@aU)x3El9X6ki_Wm0j)Y~O5BGikhsuE
z#DYOWS!p#-u<jJP!x^Ob^}&EHWDE^4!Wif3&MAJw8HJ6)fP_B28?Yi{dN}qFX!H~2
zV6#g=iMEHJgA3{L*maQ9pTRNqN$J0j3>-qNtUwonwbKG!>`G;}e5@5KNHc*LR8uXG
zBHBz%ECEpLyxn963{M8iWFIt@a)9z72i~ttQ4X3KT-SRZ$ljkBC{}uLr~-WnDVLa=
zZ;fcPZ3@=E8|%MwMUDOkWB|$3#j(*=)>0hm^Q&IDXdTdQH||H^nm@Cc$44LyNaD_e
zY1SHt8|i|v+<~|G>Zte9*%@|7Ry<rd)pSEFv1|r?X|#IiDNmQ=-$4{a?|}wY_8MxH
z5crXjA|CWaFBz(0A;I2D`)Wagljr7&w6hg0p_DCj%t3*g@G40P(QDw8hvL)3W;*XT
zI^h#*Po6$qn;j|wGP3qB<W1Bm8TCp$54-s}f^C<9ZPOt~1hBXMr<OS%>c~G={^sW)
zx*{m90VYrLy7;I6XjFuv_5w=4?~g~H=-%BM-8{FPkFhnGwx)U<7(nLG1_Fa0-PG2l
zp^{$eR9$pt!g}IiE8*eWw9aTVsa>s?J}^P^nKQuJ1ost8+h_$-Xe`Bi&vhM5AUXjK
z&^)kfko}b@liC_n4RPGFsOmM)@?2*GvB%!)9^KgWX*2uz-L$-zb~A%MOL_WMo1e$0
zD=*qTNO01)ZO^`v=SX<?p>XfC<2oBf8+?-rnF0jrbL~Z{wb;(<xo}cv3~m&sM9PvV
z<N1+JF)El`mqKr9Xr%%~0&dZ`{yA;k4<fdq{B9@nP;dw-FV#xr4I(q#LP$0FI4Ghv
zl+;y{Cpx9JVmuTD;N;wEEu>_H73DqqDX#oHxl)A3QIGY-AZ*b1Mv3IJO*B#4Db{CP
zR_A=G7S=rx8G-F5B?vhJupB@!&6}%Y*uKR1I0RIq-cmc2GO>bEvo9vFK!tvKnA;uq
z65{bi%z>hTiNQk;RHcvCIDoT{5lI=6DWDa|*zcUwL)#F?2Ut`K$|`t6gQUybLOsn$
zD>HR~r`Lk<bRG60rS#a7StQ(&JT*2KCQewa0nY4jitvn(*K@`*jHZ;Tal)@>b3EW~
zEE^yUHzz6zCZ#XX$%;{dq7*bGHZ=w5BLceVsKF4rMLa${)+y9gfU?J1!&`PIzbxyh
z(KMskeA5+Le3~atX<P}Ou7ff{q`6B_6ULn$K<OdkY(?qgG9_Zv!9L@DXauj7OG5ns
zCx(LNjHqSzaCs7{t|Xq%W0*-g$_xY}PlWdA7EyN^4VlEliL4HMbOcQICwFMaQ&>a9
z!<z&`OM1dm)hp+jBH;5QgD6Q6sSMbT5JE|b;{i1}V2)j$HdqCm`+?}QUKG3Mq9<WJ
zo@$L0a*ak)wt6QUzm_ai1DHY;NiYeYf;S{A6*<qyu=JEaTNaB?*yDv$Q9;VYdqVRl
zbxd^58JNkywfzK1E3~`g{U-<enYiy`_fLERdS@y{&yT!Q_M?6ttkuy$_Q#lpbShHT
z@W^-He@Uk;khZWHmIeLDa&(;(;`BVu3Og~J0tzAQLk|`5N{4pbl>N-jx~QBUHtc(-
zVIq(gqNLJPrgI^E@L5Fo$R$z^!Dypg#(Q?oTjDMvq^&CEjTA*p*ag^e##zU~<t%D8
zji{b)7>=HftU%a+?bxMr^pG<b3>1%+;1ol0z7I#qdGT}Ma1i>3zo`^DR$*Gz9uyNY
z-KqKK0&pu@nV^ut5C{pi5djpjRZ$9kALXDv6v352oL*JoMF`oo**5!TVNY^AkS_Gh
zIfy4MVS%tiSSH6iH$`3Gq{Ho@eXccuZVULYs-wxBTsYIZ?5v^GHpZYdMn^e7Ib%Q8
zuoEsxTkl%e_Afy{TgF{%P8U>-)yHNZj7YAT!2na=cIAwb54hhH>!6T1YRq{|@B}06
zrh=n}NotIWHV{Iw3dF$YpJ57H&%XDV_)y;_-R2GtaSP{r=M>7y1e^R@lXgIF9@Fw4
zg>hm9&C24ZGo8+3vM0e!@-^rki{vrhW)GpKhhlXSloDA}2>&tBKKB6C>aQ4$HGZ~I
zqpE!gHF@jq{Dt}@O!C$4y=!4wk1Mq{R>6;&9CrZ0D5oP!Sh)WN_Z_q)YKAz=&*7S`
zxQo(bCU<mha&{V}@>e$nC<$UYgY~X+$jBwf8gmF8PPh7qbI@nq1-wIuXa0@MAp!7x
z5GV}IDm;+!hEh&96K5fA%@Xap3uUkde^_`7%A}(RU7v=2y5!LWiMOKc$>N8ad7ur3
zoVE!v>hiO-$eEn#oZP(C27Y^fHobAZVGk?jlxI-`jhJ^_nByAW`pjH5P}S{~wGm52
zn@)L4a1Sg3OuhRdd~mDxAS~ja27tYUZ>?mNd|xRA#HD@-ehwe#YN`qN;0nsx6rUb`
z*cq{PvB@`rWa7#u{vYkw_2}m9I~nZ0jY*P-L>GRjk^n<2EG$DpW890XOdUbk)?r(G
zgQa<LBN}&<eDN^dP_KxW!arj)vEf4$+bYCmTb-7Pm7@yNv$ZLx@}U2s*a>7sGi9z_
zE`(@96`@rS!rV3=?8h$JyQEzq#|!4>4u0OSlwu$jSwuh_@d&<=$TmrjSc>~6s1+jh
zNi4vA$A@4D6BNrp2f&NCA6tkp3X1L6EN|?;5sg4q9;9y`7i3%}yyE)0<J_7Tk>TNA
zAZ}Uur%PyzDV1KSS5+x#bX*wTCAB}4)=}8BQ^RRcWIq`^2TKxs*Bub7aoFa{vrLF8
zqfMN@w04W`{tWJ57rc^knX+6AkNu4rjS0yoVSq8Jp@{1uOJ3u_jK~mVXhP&sgk;Hj
zEFVZ)_Ewz)1Qkg;!!4>UjF*s%$79*P2c9WvE)=ESG?7Y~x2Z}ML40|uP+a=19%-Uc
zeyV;`{x>;O9xB?Fx1~Qv&r$c5V4b!OAq{4kX%;Z=&`2`p!8nDCbAa1ed2OY#p%pF`
zS@?D><o|Vjdl+j0oo-<T?yqCj(m1pr`Aqv@ExR1~sNQi7VT4i|L<sG(th%wTe2SvP
z`a&=bF|PZpt$U2=m~->Xw6dYi)moI=l-EAztsy0h68sCR^r$bl`GRPx>MubKtOYO{
zh-7%j21#a-EM-=i$YBAuV1j^wVww<XBd)8tnQBs}lw!jP^5Rt&asQLbVG>=acasGL
zL(wRpkw2_WL09WD&=3;CjVcz4Ce>N)XGNcPVNMpMrQi~Vf?{!9@KWdbW{qxuJ$`#&
z+06{mv}QjgES@-;GNuGm2a&#dr&2^Kyc;;40FSy5c}~z4w-&z_E8+QxhOk-78z)f#
z$HQf4w^>9Rf}ZcqU(RbSbch5y)v=AZ!&CWE^f}@A0#g34rd)sYA0$n*+nx6A_Pzeo
z4!nQO!TswF?pwD8$vYPeW?U)IRQh9SuVZJ7!_s-Tol|vepA~Xl>fjQus3%zoE$>iI
zBrc!gRWQlD?dlm->U3V85jndr%Ur)|Cs>)D-UiQ8KDR$jT>?8Aq_j1|I)xo}F`VX8
zYxKUW&D|ibdk%pRUD*C}pys1zJ3n5%gBx~7HplV==E82uOZ^R7oE~P6_<U?h*I0h|
zx`Se9X@Bs^t^M%fhZOOdI;;Go{-ByC9YpJ~v(52xjqT})^WI(72!^~uugc<sU|Fjc
zH}g<If1YXGI<nG`z_*6IXBu<m4Bqp3T<5Hl>nM)5pjR=k)#jd|6nj_PI-dE|ly*t<
z7?-1K-ypKAG0mgNh}EY{QiuYW)p?6g4_!9g#7Xo|0guO++h$U6o0J|WiBy~kq$901
zi&t^yQ5FrUMvhNQ5E4|VV=E61(v6OQ2)WEcQDa)7^@^k^r>4BJ;9V~x*b%^`Eo2Dr
zN>u&eb(pTg*v8rAJ!i|Jg!^r3?^ef33h5XO^jci5fow@Qne@z3rlQA{<!s_=K5WnA
zLlE-9ejENzn)WW-yR>wwJiJ^hvPA2hxOl%T%Yd3PANNN|X22dzFP=U=yHL$8m1;cI
z)9a_MRWr>ZFq31`v*QBOa83rNmLK1(7W;<_RXH>Uj~---{fdrs-b=E<(3E<XsrVkJ
zeW2bj2yl@&b_B#R9=-eiv(JCn_2n0;nv%Pv^H8hG5Udtq^*xC7rOJ6j5qK+$xZq$R
zCr%dawZ@`j7oi6P(#v?C9q_?hsu(ea0qyHhW$WPv=K$9#KWrjB%{p=&xKfx7XT;|S
z(olfR7Qg1gN!iou@g5QSjDjnKC#W6yR{<Zkv-T?Ga_>3mH;`Cakb=0DK@=quIhe%^
zlP3rgA(vmac3f;;l|^TC^vv;f>2iCjRcrDV4fEAIb;Oy;CU;h60dw$c=0H^Q13c=H
zo=+7(Kmm0JP_U)R83zkXMAl(&7Euzgkjh9KX?ui<Fd8s%7ad-g)n*(w*lF<5Y&oF!
z^eur<7t{!i2ULr~ss<8ZO0smH#IBN<n(`qjJ3g-UO6ygyo>@7by{)+YJ9Rm*DJ1dp
z!(-{2vMuh?sfMg-YdCtQF#?Fxw<gEW?XNIYaaD+AT(Ty7fP2T3_Y@8fX|Rs=m&`9!
z{T7X4tpKeFh1-X!lMH7enT=WXGbRioq#2gVfe<E@QvW=!ZTe?K&Gh>komRe-T*sVg
zUa{bFt|7*ZFA{5go56+kXY4Nu{^2!V@yqd^4eF-z?&sy;*xIo4*<|m=7H;C56a043
zx|eCIWiyMhRv5b(TXzc6HO#smuuDpPk2Kd^FBZx5edQ55xMu6WC1)zkW}~VV7FJL)
zEM{y~Z>|Aw@Y_VZVwM+0OfTv+#ca8$rPmZ=3IdX`p=mJe$d%j*#19H_>D<OMAZS2N
zLDCa_XLP4Z2RxN>>+#|X@VC~xPb%dWKQu3&KsN|Je*mL}jp@e4PiITpvHkQ*_$<^T
z)AyCyS-6Yo6R_@DYT0ACOot#)Rb8DFeCb+-RL0bwSw+$lV9@9vWc3)RCjP`rOQk`1
zZ9{i>xibCVk!ts1F}=Cwh|LLaYbN~J`v0AD2@Eb-e3?JH51(p=*gL2SizSMO$MtR`
zpqRld(ANjj^fdzDa<(~33W>(F^Lse&F(b2>)^7LpRK2fin5TMwT*)t&ho;0O%^{1T
z8yXcEHGK2o@gjTmN%7R8WDYp7uCy4n>T~k&j*+l^bQm?&IX8Y4?tdWi7bc!elk0V{
z4B}IMEnEZj5t5MfIF=5Og1ID&Qf6`}{n@F{q69#NwC4~a2vtw#N*N>wqgPXct$dpt
z4YT6vB%9c)On8T4wWkF`^vJ5vwVA4+w|49BFfFl0g`UH;Otf#igkcN}VGiN6{FfJ6
z>lavCusB2O75lz;GJ`Xtq<^+{zNVkqo1HM|9qktn8ddM^JHJmvoHH$Xv-e({$j+gP
zJEO|o!s51eUy?FvC00~xt=6$v`c~V02G6^4P^R!;<xT^=p*XZq88>U^%UxE{xC5Y1
zk-;;=21O)kjT??5VG2}ZvmQ=wpksmM+musf@5o9lW@*#%&}_p@o~m^w>P=~e*y`Uw
z)&iBBjYHijAhz;`K#vB#n8R`qo^(h+dEm5RgRVc)#Dq(4xrhs<iUeIXi!4Hw%An3l
z)Q%GEc@XFgwysH!z5T;=abj1Vzl^U|F}3H-@s-OZ+-i0>1<JeG8Kp1X27-dEw94sI
zWwh^2hqdkMnU!x{Hq(m`&7sZsl`wV;ThK(1Iu!*Cl@*jQwULFQuAXBRj9aLSVZtqd
zmx?Rx^<1OV0OgFZL(K6)zND)Brx*S#mH@{n3G86gC?-MgiG^8Y3skP#%kF*~;q+#l
zYn+JOlx?@HMBIUG!2V>*WCl3*VZ`Xo@~JYpE5&*^O6aF-ih`?}TKG;O3k&;@YJF(=
zV6dhp?9*Y@RF#s;uEaT(u4jsw?{0>=WJdBeIx7dG0&fMb85-ORniKoX5LCIms#!Dr
z9+a?65+sz{As0X7X;|}jrdw+$9r)%GB?=~#hPv^FoN9qk$;l?LVe4q*O2Z&}ryO*m
z42gP`fgnpH8PEKuf`B9*ALKkDi<FoH$8;kk`b`XeG916W{c(w!7F4xU*i~TS`UPvO
zAG4u{WXG<&(%W}Jj9orfi)%B<^(Tw-IfT#(Q6T~0Z(%HB@Z)#fJy3d?!;l}nT224{
zUH!ap+;hieD%pd;GRbiSK%&Nc{E8xTqje0UX*f52SgaVV7uo>#wlKv552$t#(wCE3
zH|cvE4{sk{twzn|^%rj*fMQ_I{yV}<hYOp|XT_Qys*XY_L>ZV(Fqg{k@VazxI>h?%
zp)KcoL9f&xQwUfpAJY|rTeR%57nv}?5sCS{$_8pA=_&>J6aBTYC!XS_<@QAK!L@7(
zI<I&C5t|ZTGQ?zU_QYJpyaKypw~k;10D79{G~0+>6A*Z7TJDhAHmB*>j{6(&dE=na
z?sins^%1(9`LxyeQCAp&O%R-7^<V3c;8#(H!WOd1Ge2}Z-wwQbxL{~dOW9D&ErE}%
z{znYVLXxZ4_0drV->Cy$e{>li1#0o)LX@7Ne1rcJr^fNQfd=7Hi7d-|owIPh-bi2e
zs|e08t4$;4L=C@%sq5grJv_>c205r~bu^s@nl^$agEAO1)h@*E!>ZRQxGIINE5~si
z&}WJmBJ=bbu})RsP|Iop;$P`>J3&$24?(gxGm^cDcOJL%dVX@7_;%6Y(joQ4>q0l1
zuHx5rUwsVm^2@$@uLZ8kW9D@|p8I=UTUf%+E_@nN8@PAWu}ey~WN;e}Dl13*d;oKK
zA}AevU;o#@43yPl(K(gDOnd778I-efx*oalVy=Zu2i&L7fL=NU?e&Iu&ix4YH7*^Q
zv6-R6Di9N<q*@(fVY*-{pm-gA)naGB$6W91f)-o(^_>(s=v<r-yMq5x`?0hEwA19n
zh)XvJB1uL$Z3xsM_@oJ>xqDLA*%dn4#Qpxx4$}qi-`(AllVvy%#j<bXSY#NhL;=Dt
zv`t;u5p{|<-XU8~RTdWhtVb!lI1%4U`>8dZquSi23}Ra;K<k!#+GTQ=k8iuAv@$wd
zE|VeCCvOVrRQ)kyhziU649JVZ`_d3bWHiQPn|LZ?pfPJW(_0mKHXFyz8x?9p>GrSh
z`=l^#!mo+qt2u@daKSG?%!PhaMB9{9&3r%Vie#BtiOD(HwW+0LX(=VebrVv%;-{}N
z-A=+O;%NCBCUzuM@SUNELZQwIKF}`l>X^!qj=UG2C4KfHuOp;V9TS%%)F=wm3l*9Z
zup(+Ws)C5B7=BS=y)u}csncZwE6@n-5J9)WIbpFUc}PR&99(X6Jkfy45ZKi!4{{4O
z*(gX!O$Z{8ItYr3T!W5xrQX0t2#ShN0g3<`U(?!%`O5Ozw6t0|uIjhq(s;Exz9v8<
zHBOc^d6_Fi70AycptP?IGso<H+Q5-@uAUxW#m#l=5@*tfFSz4MX12-Rc}LbJFNp^b
zC`8c|q)evV2PU!W(f8B7f8-LI9^}Hr2sRHP#A6E+QEtE??V*5Nlqhun=|&_1u>^rj
z1OpP$`N#WGk}47tE0S>IstQRE1Q37|P}z%^ba%$g7_>|t;!YS%5J>+PCmxs<fPEPK
zMu_9f6@UP4cW0-IqQ3hMG#Xg4#1;M$o;H8`U0vOy?j>&Rajjqf2&j|`wRgrhB1EOp
zxps-B$TuSl?`XpW5JC`1Z*Y~B4Gi2j1|`A94la}HcIkAHI%iH$;-MXFq(gjqBQSR1
z>a8#AKUy;R$L<HSb(xvEY&c&+uJ35d{ClCA2GYm1#Et$R1u79qXB}5M9etg?+!b*B
zpV)23P2D}k)Y|I$s28MmPKri79j4%Bdu48#lBASs@7RRyge7}}U4+Va1q08R86!(O
z0(njxB5064xDN)1=%8Mp&%(L7xdqg;DRSB$cmT7^OyZPEghSb@w?Sk?XGns`)fQ45
zs<1E*>`l=GoM`iicVZJfn$xREFpN6w5TjJbOovj+CvIFxfa=Z%#^Oo|15wHjd?jVv
z25>Xy2_!pzq(-~_OA{V?s)RZ-5$;T2(P-2*xY=m!7zj$kP69RoYU^{DI8F;tH=l!J
z8oK~zA%apHNjsCYSU?JS1a60R+yr0G12S-g0|OR(o&{8en)F?N0TUTu&$b6-PplDs
zm8LqO769aT))w$5b%Ez>hVZpukkv3HeRLo%=R{s)n11tbdyHEnl&DNORitHldOjvR
z)7(X_u;q)du57C-9vr!O&vp2SF3ugNJ95}{rAdq_NJX@{zW$O&v-ZFN7qHsZ)#+!c
zS`W|x^MzS*4oj5PWCCo+Z$g|2(TFrbD<l|1p$MzHK_EMF69^;*s1No1?SxL`i%N-B
zZq6l?R0Uq7G5DRLCR>b~fLI^vy#WQb*JxxZtNZ$FU}^v#iRkoz)Ihy5P#mbB6-$f~
z@kGwo`j^5tM)7c-LCNRw!IP7U(A`7H1<^z1uvyNyPx7gVwb*8)aN9%#2F8;J_Isx&
z)e$4=m-bJS5R1p~Un6Hg-Qi)^xy!E0%EyN5?hg8mV<giZ{-(#W{aVf!KFH?_j`n>R
zL`N4AB#&dGtN;+FND9~Mc@`@Z<QvwRAzD$;W?6T97$UUuJkXE^9w`TfQgm5hM_icb
zG-Jg@R*V)Ng1rGa!awXl2th>ifW^)RVFFAj7Kj5(j#_@!bDKN?92xo!!=^XbCn$R%
z?OWUwfcS5Iuz7+LB0p_VTeSe^&1v<DDN-GWV8Aj(L28$`7j9<=F1Rtw{tO#BTk{|z
zx;E3Fv&h@`@H64M%yru(JEntz*8Z8b(V4%_J#tT&?bX`xtZIQ4ilG`BOltD1)|A$G
z(NC|5B0@t#LL)@4{UnNSO=&>03K;rWGG02L5B(+PePbQ<Hw}Xlj+P^dP<{j<<SOMA
zmuP8<Hdyi7HlM()09y1r#y|#lywI#d1f7tET$>OiY54WX<%!Pu^OcZ>K!jtCF-y2Y
z3wcqMEEOM;YNdz7(s#9s#Uw@I6gbYJKlXo$|65SIADfoYUDa(06bt58^Oz9*HXKAG
z$tde|XNCxVNJ|Qr2nGrVpd_SvTQkQjnb<(-@VYR6UcS@G`NsN()itgHjsvyg1JQxn
z=&9A6vCXk_i-L(`O1o021Ui-q^<VXN_MsA|ziF5D;X?`X(o|2YiLBok3qOninWpLH
z`~@FA;D%oou83J4xECYE^}0aXGfe0g${%4iu0Fdb$m~0H>%d!Eu&~Q;WMAECXF*Hw
z7yhA_!2WguNqBX*M6kzui+5v8cv^U)_EZTSn=8mt{o}I~TM}sY_FMXOoIot70+@Om
zpS^<A(trE(U|m67SPxK<Lce*WvC;Ug6!tKi#z4xg6^(_3Nxp?g^D3SqRk@g<)+LgU
zq)}-ja#5r`089_URv{&&A_GolpA3l1P-fS9F_5v5zo({$)C%67B(V{UQahb$Fn)r1
z!Gi9ef0n!b%zMQOQX#H7qZJie>h}a@eZ(XNltfKrhpj{;U`Kf<viER_L<WOUBSbV>
zM#g=A&sRD@t-2Gq-{aV)m2qj_BuB4z2a`k2NsIeRlvO@$s7Yv-11{i#08YR~-C#RY
zaw=A?tdN?e3Pe0dE!7xHULkPg6kdWvZ{e6Z=(<95)J#$cI~Y0_Akv7&X~>Y`KvDxn
zL8OiDg&H<!f?$9=;P*IKn!8s(dDWC-0g3TwMOK0Ui7{>wYJ{|)FuhPf=hx;Fw%DnI
z3Kdi-2B*eCp0{fuFVf#03B*GPf%8u2lrlod!l?ZEbyskdqh3fr*c(TNLQw;N7oE8F
zMeN*Tjp`uv;Ov>PKc!FaEHeZiRqWpyj|MI|dbtm5uhE8_HWhC-6-l>h^m#{)RC3;0
zTmF8yF$jy}O|?(0Hf`66;@z(fb@jbjjE}APZ9lbb2aEAp45x?_<HvW)p76hA4`XBO
zG0_<RmF#hWeOD1C04H-qmCr=a000R|Mv4J&S?U<cQO?%N%9_(vRg;s+02mqt7*Gok
z0whnXt4)=oR<bJI;)I+}%#S}UE^dEp&OMXB9%h&Efa3JEEiG%)i%&mCK*7p~PRO@1
za3L+G7ee5t!3P!~o~GePE+}kCP|HZZNozp_0*0OeU79jC&qPB4oQtAL&89^BC$cB}
z<E5)bVII>x!bH`t3!WZ~!YjX$y#g2!M9dH*Aw!b+BFH2~5JIFQ5}7!KAgMv?gozwT
z5HwAfrH?sh+wG%Eb*>@R!?||>%K9z&N|O3DHYul}=oi^-RkBnvAkYd1B!XKUji#>;
zFdbyN+>n0!n3ydlB)*d4$G?HKFCLY&xF=9s{f4}o(*W}d0eOl&!Y0|2FBv1g%zUJU
zE?8fQ9V=(CI}`C7JV=lTA^wT9#s{TCISwrFCyZX$8<(5h3?KI0;O^LcHn?nDOk}4F
z<uu~Kj{Rhag&?bC-iB+8rpn!XojICxP^|TkbogA4X`0lSOrJ0*8vf||W8O^gt8;m#
zwJ2&hf454L!XNX$AodP{B~uoqXd?ODEP_R8Yd1eqld@>a*1Zbx7GDV8A0N;O94~B|
zy5l*+<9kH3$Yz^^7g{|BpHn&t!Ac@<Cl2h=ZAc0o@U{u|LJM?~5D59|2<nCIAfy{L
z)4i}4pa)>`5*nG@D-jKJ%IZpS@8ae?0XdsJERdmi6+lZqlaRB0w0YcyHD`S3>X=TT
zrIpjUv$VN=7-5%}oy(n7kr5aG+(?tO9dQj*h$9~DEO@l&6r!37NCpHF(d6Tyl%$53
zg%cz}Oil{m-ge-DW5$fqKn0EwGw<k4&eh(LA=zh9O@_*$L6XmP4fVVk^?;MmZLcf_
z)JoL}@#^Y$jdEqDrn*c*d%*o~AKqW>j9w#_vfRA7)YMu<bmRHOkcLEWvG4=Os0*n#
zsy}gBL2z_)PmuI&vfQ=dKE#U&{RV?0+nNxvF9b8;YeIA2&RrpULw1D$#yAtu=me(E
z4;^6O00S3?xYB?qsfs3JFq|5Z4MH4(NCfF>-Mq<VVr(Rxonovln?1X>EUhM+29{|n
z&6unX>+RcC+KQwDK!wbeQ_&nQ<dW@GE8=D}K&<3<GUCc|>#{3RvuM&_puhntme*tW
zk|kVAz1m~p!Y#eh%bCTOr6(WU_0)F+78IR0XPzIS-dtTRod1n8kKgT7T=UJFR<F_2
zN4<Z8idCy)$;j&%5jykn%uo^o3nU>Xp_odb=68t)m4E*%Ha5p4#5Hf^$ajA<Rx{S&
z5cAy)F1@Wh7ku|;k!DCJ9#$J~2bd?2a!}letZvqCj3b}+p3vPzy0-krn5g#Cy553A
zJp1sLPR4q50!x<{I$RSe&)T>ehqybe9K46o(I0~=$7_Rhvu3#$&Wa17+%KmDS2W7B
zawt$-2LPde0?n8WW4o}PM1ASo)HH+q>={bb2O;c3PZo||OGll{+YK&*UZpbcMosR-
z)M7%r_0f&uMi5AzN4qbK__nBiXvb3lqLAR}j-mQXSN^PZ_Z&^Spf_xYFh&^6(KkY>
zeaAN-Wtcvz2j9Y+QWM9w01<uDM5u>7B>vQ=DwEa9!W&kEi9hsdD%W7boMWJ_NBtX;
z5wJ%TE){AxGelKBA1H_#o0Yn+i3HA^b@Nx9=DT@QtBW8R28d^m7Qi@(2kflJBMRZ6
z(-tJ@e-x!^<7!`WiQkQIuu(xaY{HE|VoEw(5c^D!m%~+F{sbho7gdf6umf2`;V}hm
z3iDlY!)=`BDSu*s6v>Vv6_b-MU|S-Ta3qlG{E<0<J%x884JQRKcz^9bbq7Ku9N<`M
z^-vfybeW^ox&past_*{_@h~>xL&N2J%Q!Z6hCQZ`>w5#NB-?W4`c#GpH3~w=?T9-a
z*TEGM3XPCEC+>|GinywOYP_4cf<gr;;IEWd$DTYx<e>XPwt)nnrg50re`8<4Pd}x-
z*QEaGW>;0v_5W>tzV>{>^UcBhZjiC{<;iV<FKv0XiY;pn_2<ug`E=)^y3;3C^nZ8y
zWHUVN@l#lOix+1eSf9}inr}!bO+S;qr{*pzuK)Pj#6$122hAReVWkePL5p!i$eaDw
z{`#-~&Zjr0SH4o*&bW8+0*xaXJ;5Uw$fQ#B7Ma{Cp4qo=XlOB?u;g7`hLK}i>+c-e
z6c`r<TUD)s8r0d5Un~<ZS@!O`Gb&uh_RE)nYMGV{IAam=6Eq3&YAKIB#>P3q<7*Zb
zzKfUkpl?aw3oT~?9vL$p@Sn&Y`^G2C-W`O`JFMg7+%jxWNEz^Zw0n8Tm^BZHZ~i=_
znHvVq;^J^!n69Kq7eDiG_1k9+4JEP%4e18(=#*wylgdtIB<vf@XnL5YWxc~3eQ7C4
zr0^Zak5PKM8JaY6miGSMmi(nb?EU&$0LI9?5BBn&yB6{z{ZB?3^#)u(DhdUAKggRV
z2`=IgGYCA!!`J<X0`zN@EjNfnZ^!xz19jrNtsrZ5g{kkgmo@J@U87zaj0YFk*dJkY
z4Q{pi9=$nW(Wn~>sJiE#cllp{mbSJXb3JW9EUpbgl;zk)M<Uan{C=JesDla`5sH1Q
z1>B1JncQ>Upx2v)=6UmG0goD{YQb&_LF9BeA%ql30BZ(@2r1}ei5QAlZdFA^i?2U>
zn2l4Y>{GIpL}c(G`y*d}20PIC@>(!tH+23S7sQ9@8<Snrv0``#D1?uPEp=7k+-I_r
zc90&oI<E<miz+)iZ4;gI6AEg|2#WfJTgHDZdm?koUV%mxoMRr1xd`_)if4;e-0g1s
ziPvdXfNvX)G%URKrl!QW<tWdebPW$b8XtSKfPD%8MO4RZe=0;25<cC|)cxHQ{<)`=
zm-j@y$B!Ql3CL`#E%xU!3EuyY+5?1n2pMM_24t9kJVe^;_<Ndj8nItZV|x02Os|pw
zwLO+BWz0o$-GH??i#3~M@E0rF)ZKO<_8<GDOQU})4%Bvwx@!+8{<eR5$^K95fwpci
zy*K|px-a8jg*CA+)$&i|)fIyd$}`O~*V~)A^ihRK<#8)U{cBL*uj<&FQ&ghLFV5C_
zdFOhjO{u;3ab>mQf<pZ=Fl{hM93hEFi%2CxD=|zIlCt#IEKgRP7c1-K(v%PpCRVcj
zl+huc7k`<_@`_`5X8!u_LpYUe;FvIzUKCw<8P{9Br*N-2Kn;3r+rM9-pmC7onJ#V^
zp++_c;0hs`;b&{brR=huS!ENziU)KQr;BIK=&7mcL%p*Kl3MFh<TGc=XL;gYzW2+2
z+7?ZF;c&s(8<A~o_b9dc&9~&mO)FiOW+)fk3wsV7zz!6qYHBc&oR`qVCroSE+d55}
zFn66sY3}bWjEtAprKMU35PyY1Ktv;OC9&f)q`|p<!|T`UOP@R`(SuuOe9QA+nXW!#
zseCx^UA(CKGdR-33Z{Sj$T!roXX*Lt8=s8sE@Yj(6~xzFe|gx0n<q42+effrcF=)E
zPYb}56PSlr)EwV2Y|NK_;Opl#^4N2Y@0}^%H~E6PIY7u%U;}gcYcy#56*#-HO4a#U
z0a;I8+`4^!s}Hq4Db9b9sp|Qv9&=i#7yn4FZ%Br&!^<b3`c6t!<}S(eBL)3q-<Qt%
z*!Nv}&NPW1dkh=Kw5eX~%Rtjcc{yM($n;{ogXvce)F`MDIg3ckW#go7<U|e<I-!F=
zeF(5w!JU!z8jX_xJYvw$E@QB2&;84w&Eiji`_(qf?$>(qKyYBC;U1~jhLVPmfl%kN
z6SQ8Eup8~S4J0B7u8}m}R_2G*Lkdv_18wtZ-0f5lC6$)0u1*k-M`WE*sSeKS9mbi?
z3G*I(w5xJ<W$wyREmCK)^f@9mYDb{RXxu!tq|4EG^yQ?acQG7$Hwgsh84+LlT9U^{
zMjoSd@|^I29oZrO{|Ac)A3ALI@2II;zQNz8mip*!>B4s;qhS&Ef0Hk|a3WtQ2u+t4
zRyRF1S3YbxH}B$Kho)zoIGtJbnl9>6mu~VpXZ-BZk3ZnBrlfR8miK||x&`3CRB5y>
zYxOISn4;55TD)(FGc50~8PNH5MzGHKcpQ8^E%3g!z3Xhj;*^-QnpU-fCvm@+X*^R_
zO?r6Lc|6L0%u`|b^c^UDzb&kzY3kenRrSCh)jJRU@wpUa>^busL_o-joFD)q(cqs%
zPYEje3}jKDI4}sJf{?xhMq<dZc_C+|I0SUSi4!Pi>k>0(%nlIOkR6{@{dP&$pB^XO
zk9G$gdl;SUGuhzC5gUp?(_;clbhyhEP7{zuj9$V9vw&LmFt)qq=So5sw2_d{6>5aM
zj@UIYk63bS2d``b4ldhx7idT`R)hdGu8m|EvMH7x0LwO-+dvFfWQF+E`WEb?KTWMt
zKQ=8sTdJ#F)m2}5x2UgFPMtkEN?{aO(poF{{EPfcBTpQjDph@hN;U8ZJgB<$`R4!~
ziAYB;>_s%93DQbiholY%hN@p!7>|pSWFZcLaSK^-icEpgLa`7N&IW@x5#B?iYrlvc
zw0~tEEX8XD^|IYW%6FFB$R!d@8?}do1ghA&L)xlFOpxly$<-}@5Wiy=!k|$m)F$aI
zDj(1%Whf$^C0N@DELuxTU2nccyer*0E0?(8%04#m+3WMvXHP%@EiTXWXGJqLxv{wp
zY1Pt5^|}3E1PP%Lu3j+W8d<m+84-OY2O_8PP#3Gp01Y69!418Yz|a%Z$QdeU<<WR^
zfkz^%<KWmhok9Y*JRcauNKK?Mvb%thnM@34<)oCT6^9u-l`Q!=iJ!P|T%+-vxpHM<
zBHO{LRK_@roQwlgPZOW2OPv0GJ;RGO@jyTtkKvUh5pSpP#LC9|k;VzG@uurezO7X}
z>|htS+VbZ+AS{|ML!K@d66|x_b0Hi6mw|9<+p8d3tEz~T)zuRZE2?%=LqOLA8L};p
zxlNNsV=rZKAZUELdxZt8eIv@p<~CHvbQ!y1HKy55fw>I{+(;WC0mg@f?u3Y+RVr73
zYJo5TnjsY}g75EojEm58$qN4P8*NRz8I!<khxpmTV<zN8DMQaDVh{T3APwQ1_2Mkl
z9Ac=sdV7C3j*^wZ{s=GwA`*Q1n3=TcOo${W(1nKVy!big=pw?y0W|&?vvRkr{o5Xl
z{AP9j5;`?pmfj0x6MZzIJ5ZWO^AP#Two3;46Cs@hgfs;HXGnUPU*z_D81cByqM@Cm
zEojgrqi2#uvM#c;zz$cO7(gM?!Ib2ec`B*aKMkP#-IhMHew2JGG15tr3}Kuj*c*o?
zIhM)6AwFrax{K|RLpZtsY6zs0<+47)8R@D}pRNyma__jW{f??<4*obK*`i&e#FTN{
zFGZSj)F|dBzS<@4&BvydiB;@&X3H>Bq%A697RlnhVaCRpI8Q)H1TE8cD)a#&?&jJr
zcFQThUK9<+XvsYyS2uXn!bM`_fB)|E=cRVk&1^}d6l;AXJb&rG|B=|?&^8L&z|O@Z
ztUpL8axpF>CG{p8R}6QW7+@tfc43GLZ9Suj91v6P77vEAK0gldL7qi6#WjZ%7l$;*
zHIZ3zQe5Ofw*E!TW<uc&kgcW#;(1YlGstT1$}GKw5r_UAfhWw&VU)d6JKUG)&GCEe
zpF87qn=)1}iR|&`@89#`hkN$(BX`@y2{vki0?3Zq?&g5EA+#F|QqrkDC8ePc^#O?x
z!CsiTacXc6-xp!#dyNmTVfFm65Cti;t*{4`9~^ubHKi%G830Zhys7lQXMO#G1%yW9
zdQ3b@UiOAHsB*3HM~}!Se3C;25A_^vz0oti!fI|lv7S>_4i4vbL(s{Dh^8>U2*_S}
zx)A^;VI?%_U-O~ZN*+krXn|H<7L3ckf90O*-o5*-EBD8jDEoC=GAH%CNIdX7i#h#&
z8n_qss?`rkP55DXP_#{ORwNha%44c(=?vkK`M0TQMqZ5Mjm+?i(Ooj;dAL-ie5O>z
z$3>O*XRwxd2d~XjDNmFtyi}|fR@RB$6DI&UnnGIZXTnu>b#_{!7?TOSWs$x?Ks)>a
z%Vd5URNOY-J-$-|xYKSV=G?hsM~BB^td#qu5(BQ`@nM(szvc6ljFAN4A_#Ik=H20Y
zfY0ZyD41GWFm*-Rbf2J*g>N@)a;`hce^IDM+>1W{U%jW-m--K-7VzTL9K(B;xq-j>
z^}Q^A+2=>=@$Y+aG>UZRK9N1<2R8J?tbbQXVgI$vW(uUq?}OA1ujwgX0=(~eZaW?{
zog<#Z-k`e8dpou2OY?A`BHwl=_H#t}+l6nbRIZ&$!i{dU9N3qi%F8(x7P`?@`ev{(
zlXYi*XX$M#l67xkRH_oTpy#f~P7S}4j|Zf=I&l_MzToqrF?iq#w+93dA|=~5e)r~-
zD3|mmd47!9!vi1T_eGw{D^5awji)_40kvlB@yqcLd!Q+4WvjY3vZB>kS_iL#<E4&f
zZS*T+d83XqNB8+gpDAjN+${PqKoXu7o*FI&MMbQz(H7=hJ4uw9>Wvyryb`0_Iw3w@
z6MqlE$o~>R?*p_(Ld4gU{v`n^<G%aeP-{F`{3m=?u!-iRd=IdljC!@-trm!nDfqL!
zof(Mb7dGf4S4J|)Z2*3fmJV5=ICH!^kJ-T&Dj4OA7JyoG(`Xd%zHu$VS%0Fr8L)MN
zkcn`G_S5MUT<kMgu3@XzCyzjk%gu)p=}zrVsa86wMy>pJZU%(4O4Zkp=>@xfS6RBh
zXSOEI&_wp0omjqP=HFRtcYd&UW@)K7tTAkMp{6l@1H>lNtHf85f^K)NJFWS(rs46|
z|Bgv}C3{sUNqds`NX#bLVzpYVh<3GH9a*<l!lp`Ak<I!7MP2%N?$efb-!Ci6V6<2f
zrs2oXGAnnB;UTdop*!JyhvNeFrsVl|eLSanL*CX`q;1f8CMqg^{Bas-L+z(oX=Vl&
zVn#m(Ki;CXkDYD{Fm<up-h!-*@d?g8`!Xi`R1B3NMsKC(pz%ZI9gWg&{%^y&5Yn+U
z`ubMw?InZ1CaFXsq`y-74e<3oPh+#hHp<oKQ~cY9q83iHOXsZioI9>eT?f}yntf8O
z`s^oPzwL4G)+UK4yM4Jst1fi~tF*th>l~}TqE1~Kc2VGBzva*vRfyS{huB?5&Nc^4
zf@uAzd)Z%!%AC1>#E4RHyMkGC%qm4kEE$Cm_l<7S))yL4`TAnIA!oCiAnk)3O+^8{
ziqlvE#Z?Q(rceKs6CpVB`_O^CM#YsW=V=sbbC<+u%Kl80yhX*y*bIpv%u^dxbHM<;
zvm<xjh<W^)mSQpq>NZ8%M|%wbsi2WsADLVGz(wscLmgMZ;txKhP)DvX{r}bO`egTy
zQix0JoFZ@eb=vxBH}6?L2U;YQ<|&$W8#niDcWLVQ7jad|Car37N}J{Uc*5D<w>po%
zg_=jmDw^Ts*47gJH+utbB3!@0UqVVXCN=v1*S)2`U9SjV{=4q$MTe8+Ub6L9r4o!<
zr|up;^al>=Bg$=t%Aj^yY7!}->Rv>U+dmKfhp2rHkl55$6;G$xTc}pN6FPl@@@k+}
zC8t(%@rwH^%~7MaQms=_1q=UpErD8Tr~co$C#TUn?uFa%?DE55_4uuo3zX9K<I`_S
z?W53Va|wEbjUs?{NBM2<prhaW)136RFZbWrKG2HD#Y}Q3N3|T*$~C*Cote=gcFIs0
zV8HWpI<dFSZkp;n3z`Bhn5@kC!Q+z1vx<?blm8&ZT`~U_0Sd<<|7&(U2+}=8j~<X%
zBL|8Uw`Y%*SmKES8;A+suhSe=W~O@A)F4lbv~UVZ%^!<&I<;6tpY?Vc^eoP8vp|X0
qElf~S%8Oh`<%+mjTzn0^P1lK=*I7g|U35NGbRPEP;q6BN0002>(-j{8

literal 15112
zcmV+jJNLwQPew8T0RR9106Pc(3jhEB0EPqr06Mh*0RR9100000000000000000000
z0000SC<ayll_Uy*=^TN-BnyNR00A}vBm;yL1Rw>0LI)rlHEt8`Fl-!v7(d>46s4He
zqmX`4P7h@Nrv!4u2v-}W|AM5^q_Ml?nNCDE#fz23Y#tA+KHnhI6owXtm_g0NXl5r1
zY0Ldx;9b7+e@#HK2LN1hgeIqmN%!ITZT`7Lsu!^u8{9Vw)J2;t(x@D+gJr7A@Nc*d
zT(--86tX)RKTjlqL?Dq6CigG^2sBE-T5GD!s{7kr_iGx-u0tTnie_>mj@(VoQ&;(X
z;R|0#MkO-l8yOd9hDfJ17*RxDH9!I*B#L%MbcxcmLPE6S-37N``6!m;mIRDR+jUo*
z(j;6`h&!y3cTX{VBpf@%;8di<cV4GdgG)+v?yL>~F!~Q}$POQv)&KeTIZMx?3w+=2
zB20`4Tyb_Q@kXxhf<c!#N#|-}yjT;o(Di$5_WiAPRwZT2VAxM=SdQ4Qr1G0i{6>3D
zC#jT5=>RPtXCKK{+R9*CBlSqU1b6=ifY9Y2bQ1Z;oW557P5Qf)LAF1FVF-33*y?fV
za!szuReB1I4WV(84iM(woLM`wSn|q|wJvtf>GikUUb#hcsVP2xKKz;g`7<zpG&3wR
zpfrHO0J01y96{O#NKVK(R~G|9+I<poP;ihg#8f#%T@2MeS69^cuDrTC>OU@0uPq_m
z8jQ==t!I~Qso#$zs<X)edWN_VOpDK3{^9cf_Dh=wIrq#t)F##-qM^u=Cn6v{zxNQ&
zjE<@{r;1MLJ_`hZ2yW`D&5B#UWJt$aQ3N9Z00#gV1^^Hi$m|9nak2t>vgiD(H69kY
zZ0yb$-`z8y{03z6x^rT$tIAo&SUM7>*bp(h0T2+)7TF(4IBuf=0fn#t3lwez*r4zj
z<R*s#Tu^i`zyn490(?*;7Z8AA#GrP?P(TEV#|1Gco)!#1@v>kDinj$LP<(y@1tnf@
zw}XT)Kc*r@F{c#EQoMM!)YR+@F_itXp@1Vwatk=2q@sWfB{K@nD4A7oLCL&=D@t}3
z+)&b9a7W4Ef(J^DAMkY3?T`G2#s6iAbYselFDusk*|HVLg$wB*S+WGv&<K$uM<^Yg
zFio0->$F4!T9+szMkqbUMdh%=VtwpmaX#~z?ykD3$L_#^p8o59pI-m$a5&J1kWgPz
zQvIY@tUo2Cc*RO2C{rd$wQ9+Xj8ZgcphhAMg7`2a4BjaC0@Y>0k>PUX8lgaekt$Rg
z<-GG!>2*rmV<=>x?5AH)yDlhXq3mykY?Q-3l0!r!ml-p8oH@(q%TIwwkxWF1QY2oy
zVkuIT7;30e(@ayg8Bi!kIkO5CC}-Y*N-M2Y<)DMAwQE=7h$Cuu5ejuE=W?MQ<y<|`
z;EuZ*_Z$jiP_F2Jh7B9d1{!EA;ZB{#S!t#5`t+G#z4a#U5jZf3i_2tV#!NA8+*Gf7
z-82_mFx@3HW(WwFwSU8b*}n9ZIr|5m0`o)$54<5@zF4ue<m490lw}buttIm0S!%V_
zmg(1Txj}<gaB*3Qj$5=?WxMTGYu9d#%Pw2H$52=&-t)qG@r4IA2o`LkOqrxgl-Q(9
znHKx()4Bujgf<B*UQ4i<A3s}H3J11XY_aV&+GvME4%s<96n05ya9}rIzV@h6Wv>Mm
z*k`Gw_S<BW13L+YgA!gT9Fp)sp<Tik2mbfgJBRlV3Ob4S1v(_^U*M=jSp|+sR9E1*
z#K8wn2ovGtvY@~jiE9g-mAJmZIf-W#&P#l~a6#gSg^MysJ8(&k9G9)K$`xy@an)XX
zUE66WT$jP4!VMYxE$C&~aG=u}XWVqjCAaA5-Ch?I?#M`f;4Uv-?pbfW`?lKVf!%g{
zw0}@|Eb3U`iRiEbPem&VJQICccrN<8@In&BftP{=c_l-J*Y10uYagNTR>qx$cajb&
z@LncK2R>M0iI3Y4g-<dSANb6eu`inkg|9OGUic<6ivr(e#uR?Y-2A{#0RsFIB*<?{
zN`Lg#*I#w&{Ik&}%yvQ%0&3w{5EiJV><PjKwc7c27lZ?9t2n@uBE@;@eBil5uo6oG
zux$aC1+T-dQ!xBJEM@Os%K@RRD&kRcR9MtToE*$2uOB&FMi;oI6!t)<uyXU1(f%#~
zh6=RKQ>s7_UqMAELJ*-^DWBmdty)G`q#vtvX!;9a$#^Xvt`J}`RfR>yi5cpG(88K&
zgsf`?U^RxqkP<fC%O6w`4<Vx%O=<c{kY-msYgff6LmtwO_T|Bd&I)myBJ6gKjP#Wi
z=z_O)TB56aQ3-sk6$?-c0uipUmKZ2P&DbPF1TuWwZqflpBm+ujavDqdf^wGyYZpc@
zUz+Mnm%IoR{+=Evp(M#r1yXTwYcMt28qucE7FgHoSpOXhs<%HtdJxSPI5dV@ia~vT
z>BU)Vk9NCp`vN?2CzfFG5zqo8F>7y}w8s8Mx?sq6;%%-P>b-Q~klQB<cIS^Z-r$Qb
zHqe($tGnLfyBPoWqTsdyP@!tNhFT>E;y^JG3wokkj;aJ1Z?ZCV2~M1mW2hp&+Nx$(
z%IZ31r$CK(6(xq?<@msT{;6g&9`_ra^og}6PoJL64iyeLS^pRECTf)QdJ)gv7VPA~
z_L`n`)jmTEKyTwuL*}%rA^%+b&Ck6zMNmw`mprxW!k_-rsBlG1f|P_mKI(n6dv|Z@
z=DFp(53R|#R@HsS0a~l0w{tt1sjiaCqIImsn-GNcu#<5I$Z=_%&?ZuwT9Onvr`gOI
zz}g7&;f?F)5<#K9lwcE=WiTFZ1aJV&9h*8iRv9y?t@TrbA9@y5y&Ua41e}CNYt{9y
z?2_K(G`$<=7h^Zs>9d%}Z>9Npc)D=W?oL7`1K0K0SMnZlyB`Wi;J#him+rN5W3;FV
z;Hb1?tFm+@Q>cZfWJ(vj5q7qw-Edn@`(-t}{BMq~{@3E09TmnBlYqO_?>$%SiGc`T
z|G(cfk}o@hkn(c9bT(mP#`odESR5G=UMEtFix`h|D(#X<4MT7+E^*wVC}&o#@6cay
zlb>f{OiRtJ*j2AyoUrb&Ad0;d>#;kM>u08{&G;-CIv%(rpnfV~$N|8*3z;+DJo7Fx
zON5UhK{G0p3@Ul^lxvcHsKG+w%Fe~stGFK_Grow)k&j?vaIJtYSFvw(I4U*7qzp;q
z&<mth8z)qdtF=fS3zd?x3T|nT40c<jg_+pjxUq+)kE+Sz>bJ@mE&ecT3{HFe(S#eB
z!der=O)pLvp9yh3Yck_(Dy5nP{Ph$KcbP@O7(fW!tQv+niu#6`IlTNYSH{RRxY-4S
z>jWC6y#|KJJEH!fzLo`E6=^)W8@h9SeQG_9qe&^A?Uqcz#i!ZvMvPkoKD`3@5-}}Y
z!6so+tpMZ-Vm!N%tJqD^8fx_+!#6s>jj~Co)N!prL6b!^TK7<C<hsEn{N+c9QNp23
z81_688q&jrnvc<tksnWFGxFgCsLVgy$pcUE7{fo)#^ZX@8+KETXge*Y<M|_llpCST
zTA-X!giui8xJ#q#iiRUBY_keDmAY58D{jqPyDb3cQl#6HOFkM5Df&Cv{<FkmHIB)3
zo&*o!Q?P2oZhCE}rPt#HXYs^4nz!c;J8P)BNwkD!ff^>#g#t54xbc39q!kwPfvbOc
z)=rl8E_aXkjpiT=@$WzTk8yqF7lpaQM%f=@8p^)cv^7sW`Qu0AbRUI%+>Dq6`+Ro{
z{w~DfSfVDC7)B0`ke)=Is+p&QdL$~_otrdKs4NETd#G+CkPxD}r>RV9DI91O5T3Y1
z+#yBUE|WIN7fu=`5JP&e;sPWT86qrzEz!>{Tw2fK(j<z<yHUiU@6rHx#PO)NOb-gW
z2}^oQD8`Uv??X{AUf!-=toZ)nE0tWrs!nyih0I|?+hp;%0KDa%ZU$m71VTc+hXZ-+
zdz4~46>w-C70HxA9L}on!iU7OMVr|~h;kxi9pkVJ>60{26m|kN9el0k#Fo&hqWKm-
zPWNER06a^O#%ZPSl)h>j>k!JM3$oUEr2%rl{~S{yTsBPqOMmv{Em#&$a63x%SLlt+
z9}V8?=xMBo0!$_2nv9VPxZHSGAnQ4*XdaVHaMBx9Flo4;){xW2L&$fI82Gs|O!b(u
z@3|0PPTOP?-2Pe%;auxEhU)2N-kR6gUDQLZDb5te$tlXp?vFE_?$q=i178~c@t{L_
zz_Iu%CKL5HomQ_JZ^as{H#5G4+=_$TcIDbK4tsv1vG<*`Lr&vXhs4OfOM&vnI&N=Z
zp^%)0l2gWwb72D2ip^<dN^{!wQI(EsO@Q1$oC7RRI@cD}X=7<^NLu~cD6b4l$y|Wl
zhj`^`W!46O^?`tLaMlnZBbt@{YP1CDty!Qq-jGz*k*|kyAa5y_(Ca&}EF4>Eyu?>Q
zd;X|UTh@a#7?P9;V(Q6aBXVfdYI`H28DwuC?0q{tq|uf%(|1~~#!SpQ_PA~dc71pM
zyMa1xU7YOLO)n!&G!2f0GDMqNvkMAop8P`b(Ex~6IL=CI5bv!)4zizfzMX9$zc)p~
zSfFb@LG^sQ>|89Wm-dx+<6IZox&3`2|Iq^vy@vSy2N}t{he^U52w%9~ibTPXBbp6;
zLV$9l$~4lYRYM48=TWm@#vP*{v(-cV=EkS|OX;668j|cj^1Tbu&^9;n=IPHZrq9l|
zN%C}c8FvB`%}gmOFII%;L|Q@{H_PImxx{wV!(TSMLk<<Lxr@4sY+9Kx<x&BV4lIIg
z1H~((2h=jVf$a-eX=4HL*ZejPe!-*+40uBeqnm&t@kbY&xI*k3d+lC=E>Abt%>^<d
zBi``VhGU2Bf=fL9Jj7y>vT%&hnuZj{-c6$@)GQG1BlaXT^kwMV@#=#dWkGKl=A`hb
z`yiM{&`@XT9UpW?j~L&2JW}+?oA6FH$qJT+RESatTwV=<(7O*m0KgFnqbfYg^BBvC
zjF}3a>5j;uNWqf5SPo$O{T7{ukLlKWhH6w#@vUP7;6#zV5Aj7<azWN;J;ewmUJ<2&
zAU>F?mMFijMH;9@AOC;-|NfH%>QIq;zBQ$6OvC2Q5S_9IA@wGi2?^MAXiPH4W0XS1
zIe=fq@@g^UNJVfgvRpd2H2;sC_kJu(JRAZVxG&tQG2Hr=BA<$DUS$J`k7yk`G&E%@
zphO<blj~*WQ@kye9|oT=6>z??IZyc<*8%@XrmU3%T#Dj%7V1N~HpENxm@72Y*DGHT
ztyN>i$<y-y`{*TdymLz|MkGPV`9|`LfO{|@K~FG2@U)FvH(HFUL5)I)&I!24qsCS2
zE1ulQo7Eno=oA`7BZo?EJ>RC1a0Z|vL}8H%R?usPV887|-M#5ThAe30&`1~zijEtE
zrpAvpDXf6Q{j5o8HG?=TR2Fm{PmC%VQ^B!;Tb}xWl1Fcyod!>WhfRoVC*V7(Ev`iZ
zd~+cQ=}IYYCxQZwhg6svXR(|Jc6@Jm<PW=@G$6FxRBr)C2Yecx6#X30d;vq5Nm{SZ
z{s##o9Uco$JZ4YW&o1&COSf*U+`7K9#LRd%QRI`5%>VCJhChb`(vF<{<}usCErT%n
z*Z+3u+>ywsEwH!ml9PtXXHEi4{k=QnLNz*Xs{>u0eVn(<Wz9}(QNDQ_KX34JPqL<o
zPz$|~o=NCPzaq6=?3C^Eu-`cgH%J`M7Gxu`q&~B-`sgV>Ki>S;Jc{o`sczK4wa1rC
zue}j2C(ptdO&5o;#`@a78z}M}Q$P6Vtta@y_c7qpHCFi<`3Z>@IEL=mqg3~Kotb{e
ziS@3n1uaLCpGM(4cspiOW5!ceJD!S78CmV1u>C3zwTT?yYl{Qil#x=z(fxJ}dIh7`
zk`tey8p@~M%I10ONjE6D$ZTQho1p74m#J}@SY0^wLKMKPfw!EUi>QY?Ik^5Zn0Q2}
zQ=)X-2T9`uk&Y9=c%wVck~@rZK}21u{M%CkgalsH;?lq#Ho;3EPA)kUMN(4FV!WyI
z<{^0Jdaj^`gr(;-3h<Pu*uiU2e~UmH+5*ej<&@E&6^|@bITf-h7#LAzRrK17b29Uk
zY`rapGbWMO=0a_4;2#1ZcMe*O|D>&xwf&8m(M0QwI;X}+eR%yKVG_u$HIvou%Gd<O
zC)TU$(?e5h$$UfF(c@g!9&IIavMF$_4c3>df+D;y&qilY_P!JweZscsrOo5R55$Ht
z#in%E*hEh+Z#W6(v0^S>7z%TV#W#Qk<B^9SKlsp3E<f_Hs)k?|!?dqgsRM}~0-pnQ
zUp#jaOW>_6?gGO?>`o3^;#h=^dSI#R@LtA)^a5Xci-rHx3gc#<L&>+=n&AMh`+tiP
z<6$<C#(`@*&epbW3x=tNAhXL}GvTCc@phs`#5hLD6w-&Ny?l>>SgfbXR_?1Tp?ZS?
zO9636ueBgWl65~=zzowT2uz^IFI(S^QlCcQuRE`X*_G@h(~sG-w}B9C^BsF>52BP-
z7V`od@T(_>L~|X?>p>+?1we3th7t+(nVJ$rm+8I^hck$hfTfTJdXLKktO&zNcn6KT
zCX#9#A<74b#+y35ryDwi1}749JgqE=K>Q6b8O+grU{eWNO@3c#he+|Yim*z+dU2Y~
zHzc<)u9`Y8F^N5Y@j6=<DNGns2CV6ReKpiN0G>*^mmNR(f(6$^zh?R)+H>l-jdNyF
zPI!=}a+AkCKkMuk^=_?-Q4*^62en1Lmf#(E@<COi0?K?izYsu)m!`};RHz&O8DTa3
zzTTcGkC=et+9%%Jtgi#YlusW{<<+u}_HG+$56}AT+uqzG-Pdd6&XdeT3&AUQ!ubb#
z+4X(gBu;LK7ex0pMHYQC3ta|!MX~h~@b2`CqsLt~W$vosSGE_vS##I(%UsliPQ93%
zyPG>>Y){TUS>X-Sn~I)OZ`eU}k9b~0wq_P8BFxQA?I`Z-jW?$fOhG_0wl!2jW7jw|
zfbSGy-gyeokYECGsuB<MozVwX2H?{uy6M&MGyEam-SIkO@xPBvKJH*&s679avnAzn
z`{Kv5x9)KI>*w@Ykte2COV(-9j+*n}b?`V%yU}xEfTOOs2FTgkScG^wos#EBk4GV+
z-<_wUCz<-=H)f<}VtuVl>y6TnQwFznG26QRlBUhWx@Pi;HuZlaA)&Jk*({5n_QBDN
zLbjO%S&ae80ax1yP?#ziwe_Ad?>7mlB=Sf3n2-`hPG0Mv%cr@lNZIb@GW=Xq@8mew
zs4B&qM2k1Z4U@L0l$ySdsHwrHh*#MvPl_dak_F&ITxc!o#c{GV9r>`ma2<`pIKF)a
zX1`(LcU)MA8jQC^K8QoPST-m1k%C}4F2?auXqRZDkhC03e`YEzw*jD%)Mp=J5UQTH
zB^T%jgReGqY~{GbG|Y-ux9m;Xny_DZXTv=h!V{}P+vYl_wXQcDkW}sn^^_(XnLOJK
z=ya0;-$HLEzO#T%Hv~o01L#;?Y`hOGu6cU>mF{KrMAe7c{DvXFd9){@O4GfLlMeX#
zFz`tlX1_~9b{Y6+x1xOe`KQ;~LD|fMo2k61Ro$t|YCO`Z?<@3q#`LHZyad0~(El3^
zw4{ui>Pe#J7c}1hVAsvynPaESNYbryoDWk#QC#<6*+3^xEcc<BCfSah%1WN>Ct7@O
zf!CSpVj40;(bxep4+t3te@LJj{#=1rlT9#nBpA5X5G_NlWJ2yV#<u0-enK$oO@AhN
zdieVra`gDh(n@V0!DakB)$Q*S_<nUlDPZ0qV<?sN%zoA03&lLBj0Pi(dVYsooSscN
zhD@Y72j5Cx+~P4((u83exCa`t5LDMzW)8!Le~&3d7B-(_5QIl)#3ufIgoA2Z{r2is
zA0P)FA99UX@(2YLA6Uc^Hb6%P3F4(mbeSZ5M)zhhb(FX{%jTd}$8s2+E3qNI7wV(n
z>GolT;#ayvnITTLi4ZH5YbcYMk}qEc&OFXb=8Qw?;&(zHS9*+8jdj;G&2#>5RJ%yb
z5T)9(=}8uoaLQuX?Ivgl;U7n3pffNE@D||4t))+tj~Sl~A5b;kswPJHJrFn*DRQ>G
zkQd)KRY=hL4SMSw)f|SL2of>UP&3}7vovy@oTdPaP(}l<Xo1W-B&Q>mBWQII+*mwG
z3;t7HKoZ^Vp$n2gO0^zq(*TKVi9k(~;TQjY|7Yr4O3tQwWF}Gh0%s(9rJyaz0}thu
zxc@;&)Ps-K<F(z!(EQQC_mG4(NC_H#R}B+tybG73<^j{=8VHwBt2JZG8}-Cf+;P@d
zk}YT}>pA8DA4(oe7Zh0po5P$<!@1Jy!kMT_=mA`KCyCk%VCf>djV5Es(eXMIHf9DA
zacTYf^7=H$glqf11Dmt8$IIQMnEN3ybV&(4AU(nLF2Z$9xYfVF^3#L1bX5w4u|e*?
zl1ODmLx|L9IqDZ#*MND6#dJys8cD*d)Z$O{m$O%sK5k91yxDl~v(`2&ZMF7~J7jc{
zKBmZK(FMVx0EcSkIK~A4ke`IYY#ozEA+XxC(q)Y+yJS<_eNosV8Y!~5?N`)1O4l=A
z?pJ;kn8BC>!X!b~+PDXQ<>n;rA)7SwL)-Id;5p%53xX=-EhsmK>o@I+JB4$Yap!td
ztiem=(AOV)jK`9+=;?e0eTM2+_)E02y*&{?kUq*`WVxzZf}^i55+CO~55q94E5XUB
z25hSvb9>IG77uL_iAyYMM#+xYGzv-#l%Z^nPa(byYwk$&YUIVLb&Q*WN{bOb7*<{<
zmNN<0WS#^_e-b&*q^L6M3XU{wlT=O@=Qw<!7Qe6H?82bYK60{l(an@=*=yZbUW4@I
z=Oyu78oe65p7}g}JNNgx@jxM;o&OwC7Vzv-xhs_0u<$kn<<nPwQHQxa9#nJu``!MS
zE0E7#$79xlnGUP|5Y?&0Vl{S?N;~$VW;=PAv0{Xr!D5vFI-Y-+_ha0QW|K1t-LpAM
zIJkLrvq~6D7fk_*c6|3vH~`mc-Btr#)cWN=N#sJ~!cOdR{!7`5k$jq~@_xk6jUn(P
z3E3y2(jdf|rjX{Y^|7P2(3cVJQ+w8LEOmA7?pi+;aeztC-{X#4f*ec$?(^-6E@>={
zJdPV=*O|2U<jT5$$-*wa+bG-TQlgqV&+-Vh6hQacV#m~Sm%M%cBR0y&o&A{Pn7w`z
zMo!(WG(!;ROxI(2gnfm8;gaZ<+;&fk5Z1LdyFV()soB{5oKDF8{r}zUg@5V9solW+
zwui4K>LoD2FOWnN`jsWxhoBmx?R{6LEiKE*t0?a(Y-}njXsGWdOi0&8%s(XujWbq<
zS@;{K^5?e70*Q!5iGfxb;9l;gj5hJcsy|Qt_wJvOCE_+yMpmxEtgkJu)tisQ*0jmA
zRx+)1@=eL@>R@@P)mjQ9K?n3f1cOFD@3JRY$il!J5=nDJG{7_j>{<;kOKKkT(vZd(
z1QGBCg0fP6+=+Y|32X>KY1uV^8bHI<rEHkX7|>Nz)TJZ7!nYE5w#k&;89*eRMH-&>
z0AFIP71t1;M5I^h%-H|5f%Yx@$Vg=1Cp&lMEMX6w5BBc8WI+4UOWFZlLpA_MBbucl
z%`lbM85Mu?>&0K+<W<b|N|=)(lp=(rLPZX$j5*ljU`zzcQB?nQQ*r=Fk|fmf18U`4
zxAqt0w&vut<`Rxg6N)5BKmg~V!Hu|XcN95A@MubrWZq%CfZ8`Zf1OzY9L3poLxNbZ
z0yqfrU<FUpUws7<S66M~!(YNv&M&{}?!Gy^Daa%DcI~<en1+SQo{1|EL}f*B&2pH=
zH$ez{v~6+-Aqch2&Nnq3IB?BT7X#b7@r)bdt=3d)F()X$p>-stBD%f-n7n-RrpJ%%
zD4)LBV_><pwA5M-m&@pE8+%Ic6vwiF2JxF*;VB518j`^=t_&9XPFu69!k?z5w`Av`
zMNEG`f7mMUa#exZln)CCr?0KD$UxBsQ@E>UShHzg0#B-3J^@%1IYrc92cWcwKm_g5
z0r$cV5nDF`3|hY0x*DO*$5QE7U;!);^EEao0gPsA_d?`Arzw)GwA9iVU0YiP8a$eZ
z^K}t%n`mA{b9x5_hGEc76487=#c#mV#0}d>;O<-?=9@;+PBz8^M^3q_0R|I~Cok~B
zR<PdB86xpoNi1d}tI0qrhr_bW&BnsQz%dJLB<uuws?Wh-MHgVRoC9N^4loiTh<hp4
znUu=~Jmips5BdlO+Q)+=0uex9MddWWtcWY#kCk(&F}^TgOc=4+Mzt~B3JU;`U)oy0
zpPOPrXOk57B!Ikx6pOHe!h#z)c1gC!e_E9PWP=861t;q)+{nnA<jsWSK0fKe)mK;h
zB%cl1FI?ph9kyl#d#4^g#9!`FiS(2{-MMt>#gGiki!bs(a#`hI)O^?SKnI8mSAG^(
znulS4AoxwlVi1cc26`aLAsRJU+s7pGp`ccPK!6@aqj&W30P;0)a*~^iHOg%VJ2Kl{
zMNP&laU&p)S?>+7hz$-$Oj+B1&cyn~$dHmPjwy__8DdqjdRD)NX{A)@9JPNbVt1O9
zklGD0sSMmcpikU0kyn#G;Y?Z{$a-7NlA=CuOMzrSNs7Q!t%PGfQ(5TGP>$haizSG)
zGh}vT4U3sP#GkvwFRP!K?7lJ{bzVww!^sba)V*NA-j7g3yl-sT`$1?}ltAMB+vNeE
z2%4e^n@#HSaCMGhott141yfe2MkXObo#%jsEU=39)2PFs1Yyc~qO+U_5Ax7-?Lp{{
zQ6l1y3P>Y}*c5QEGjUS6NTHIeVwgg0K6A5G7X?P!=MKYbv$Nw2Zb(O0HwHj_+jZMK
z&LTf;(9*u1kgn<vbEz{PgJ9SieNEv|IG6Boqy(HF<NICOa;EcoNqSdlG<ILO;Lul_
ziKRQARzH&uinF3iyV6U4Tz&YeqCBjB<L~iB7MO=N5x)>u<?$5sXDh$EN12i+7AK}C
z@A*!d-Cs}v)h1x{E%j{UIvI>sJNM57>Tj9|sxb?uPBFXzA(R;2uG9%7OS5(lG3WJB
z!UJGJzhfNa2><g<GALjGvQXm9g2aojLy0tZ&R=bSECfWDGsCIoCHklf#ynhg5Vzn5
zRrucQLOn%O1P%6~@|R^NiQR&h7etFS!|lUNtW3VVO2~ZfPbEOb*zTn0G~E`!zOm7k
z-7B^NgRwnSFQ&&@(&IY@GkY^v*Cmig4L*ax0C=)GF?#FL@`DY5=rPY(Zro6#FmuP^
z&eWy5Gx3KJC}df-w|f2S*Col96c1%Q7`s?Xsg_z}HEc^oRHAH(+r90~-nhvE`sC_I
zo)9Hnf>Zmuw*_kY65fxtxColM$koXm$!huD@EN?}8OcS-D>UCOZM<AXneiWfjc8Ns
zWS(gAf3oB%c{_lq-6D>b7dF1buN4i&Rf<Lc6aKz#9y~Lh__RPcDb%3H_tO*2e9sq?
zxumSL5Y?nc-ybcvq|{9n(M3}_WvVX*bDg4JLF064%!#lQF?Jis)4Rf2<(!xLU0y8M
zEM6a=L{lQ#6bP8W)M=*m>xaMpUKdPuE>`I&y{Z^U*SA{e-&0tOQc)tnI*$aN@eT+B
zEGR{(GeaFaWVb8K3dEu{U-tdI&JX|(m|N7pikZI+bSny{Fq<tHOpIDpl=Ttq+xFYg
zQ3Cf_;J8{JV;plqJ6UEyMeCL=t+*3cKtw7`xY<~$YJt%KVJ9i{M$Cz!YYWjuV{iyN
zIW`+8#UhqqA%heF<n0&)q5h#;qK6HZB%_-M_&rX*EBDFiTbrtIfk0U0K^~F>fe;KS
z%nDXsTU;w=w^!%m-pu&%KqEBj$Kze0G@LJ%rbheh09gnjFg5@KIG158h?+n8hz}Xf
z$PGyd-7#MXvP}TEKS)^qbWJ<D!W0)fzH&+Ccg6XGP4?LJO8C3UBe7LSE{%e{^%n6d
zrv7QB4u8^Yt2%tR4SQrq^Vx7i;8x0&>!|fekD-U^_uTzzaP;ANVrDBo^|QIB!AkYJ
zi*X&65hV*o-pjre9+J)o&pFP>?s~n;5O)npa&VwP+4j5RR{&6u;&AkUQ&JaEn9A&L
zYwJAK-oCJq44|A>00Yzlq#Wsry1NQ>Xp*c+dcUUPZRf3b>g(6ua#o(!2q%Sod0emJ
z9esT}itDdGM`-7f!2pzbIJkjTu^S+;bKrFsAj`7wkPS*QlIaI18KbqhWCR>L1A1v{
zgSlf^h=QY`(y8gRQg&N=TXwm4hcYQ7KO{-n(Vmc>0L7oiU9W#oA%cjTfE45?3L?bd
z2tw#*gc@&Wpb?}fq>~IaAdw3kN(bYjb#DKDj=36cd$0B`P&s7Nztx>zWpgW*)%~EI
zGv?vy19FS}fLi`3W;TzG0@N>aLqP~Sc2p%)k?KhGv14Dr(H9AM{(Sd1x;pOF4P(n-
zRV~n#7Pbph;*=v9?Sj^2{t><qxJ)RORUXV$Nc~bsAQ3XR6MV#b@rf-0B*-R=1#-76
zCO2UYM>X7)P<sTfJIcxXDHDqF3_I}q7J&i^`qn)9A!lx{hAy`rX*<Eya}b|AH^R_Z
z9K*cLrJ&W#kIcM@gu4e-Cb-mLvU<NpMjtJTJ}(Ow!-hp=1?E)Qupn8W*4AoSs=464
zMOXJo9IiSqJ~lgM02tiRL+cY2le2r3tkUaUMbuiof>@Pj)PnVzBmx8o>v|J7^usv@
zx}ggOC<sV%bp&lf_mlX=rdc<117!h-!hl6ga6MuH&l=aJa^K&(HzxdX4_2^&>=ghm
zKc%KtM)atXEZcsXOSeg80<IXCFIjG>Y=aSDz4uDV@+DCL0WeBKu|6cR(;<SSY#<ZS
zs?&(BF5rAXu2wGGnkdNi#597WNOFNxA#PiN1<WaO@RDjL<`6lbapzT9KGP!YyH?GE
zU;Io^zh_;xRNAui-6UbB-l8JF($l2LHg#m1zc^_#cPye=8*~5RjceNi>0206R$9|t
zSlFdcU-8!ckcFfh7jgI)<v)aXnBFeBfitYXM=5rW8g^~06??a4-rxwxtQzrtv4|ng
zgiXK$&x!YmpA!KLWAo7AB(5z^e8ItSb_oFqgB^X|RMCP2hiwvhAtWFOHA(UPk3YsU
zoR?zD3mjcdD_3?krL~l^KqBj5ImYAn%*}aN50V)Gs<nJYYi~Fouia<TXSFN?ajB>i
zwwE9DJa9Q}IZN5?G-QD4wM#|BrcH7)OHCog8=i3EmrCm|;U}(N3C-OY8&h}uoO4}@
zdP7HtV%;~+IeTSL|6ye0;-zNu(zLT5)0rkyCYAb;h)i5^Ye^y{0?SB~p{b`e^tvI{
zxZ%!onWHyLlhu2XrQ7qyOy|r-znJe<LgSp_T*8&_mF6L-epp>GS7RPWhH+ITu&s9i
z>7s=1IdWQGp5mYQNi$JP*SgC^K%)H6l}=@bH9VUi%yhUtRi1IhHUbhsw|ejvrl-G6
zXq)YdOI^M^xO`Yv936Z<Frl@wNIyn{vS@%tKN8DG52Jo{8$tTgXV>?FqWl&E8if#!
zqT3s$KP*Or53aTIcAL@Y+=F_8!I(Y<?Xjh=P^|z?`|9xb3!|D-E}eMhH){or<iE{n
zS$gsEuY;KW9l7Ui_D543DRyW2$Knp(_XY3>!Dn^-EX;{B2HygRY(4W~E5a7pI}!1v
zf_{N=*+WUH*CR$Xn?;I>qacQqzahafdmWQ;g&Av6wnyw`e>!>%ver~q&Rn+hS6meN
z__ThWq&N<c6?VkHI3@*l)?+EP@Zc#IlHxDLz*}79a|x-t0RgtNU+**@3=oL&ZZpL9
zAkjO6Z*IN~f(I8=77x&XywUJG1-(_5%|+~Ugw#{nodLWeG79b{r+<M{a-bShLmKl(
z#$rcmucX>f$YH_@UH=STE>>f}pdj^Nm@#n)6Ra*rC5M${4<=1Yr@U{nd0?3p&72mV
zQ*iEk10>~nD^^Dg6f4YnQX$!xbt-G4L_zA!3dyRhd;bh{YyT&aH%cO})l+iW7F|c?
ziPK~bdZb)vKmteSEX?e`u`l4e?}}dSF@5*RP<!0vt&jgP;qbCQrb}eQAZq51?XzNk
zcq6;?Pi#LpR=wn}FVB{BpE~}~*jJ}c^ukji&n%1k!i?8|tx?q=ZHh-@@#*5domT{I
zW5;&n9DHeQ+=z(`LE-pzbU$GiKRou~-+#wC-}xlJ?Jg@j<G!coX%@xVNGZudE|qF?
z`Q%oz-2VL&6RUY!5HK`kI34P1V}lcy66gG2H;*crKwX*I6SR24rdM8RY2_VjFI@sG
zAT1kndcH!YF>A6-xKubJRC2&fCK@WTIT3GxwnZaTxK78sl3K3IZfkG(j@#UzK5!qO
z@ys?$nnZiWO(5>o^_#^ro+_mJ<ogNp>LkdluTQonSsUuC@iR|0J%7f&tU-HyS+O15
zJZPRY7YYkGweaIQmYrl-tviG<n#C!yK<01RD3IW0=n>s4YscJu)tiIc-TPVqRH;?3
z?UVj-uUM8EeZtORvlDVkUn}4DTGe88LLEl7kaL8Gul+YQ=+~-!(5_TIpXtvJ*vPK*
zgS>@H#BV8R>fL{;)3iB(NT{*lUo6w?ZmqTvn=__tI+$(Hel@uE?0=yo>lrxeh6eyi
zLg;~%<-iVq4!1V%Y?T$Tk+Uyu==QA=2oDi8#y#uHY&NIDxn|9BV3l~(EFri+0a3so
zfDqCY39LEjBXQ6t5HYynVq05V`y$1{NuiQPWuKC_A*DnHg>MMNob<)Pzb;9jaM|GZ
zS#dI0ygS*|4YIzIfI)t1($!rAnfn<Z<pX}7$JrT39n>&5=$#*2r>W^|A}Q(@?g7~?
z?QLx^@(+mvu%jWvD-jWyuUe@xN}di9@56R-3?c^zWELn(dtpIFy^83!PVkeHH)m&V
zuE0JCph(%xJ^h=Ff<}tpX18|VsS5wxlZH!s(_WQjPl{to2fFH`O*u{Y|2ymjgi?fB
zUNY>+J`bgcvgz4Z&F9RjsFKFjj((Hfss$`9mW*rWnw3GoT3f(*nC9v)Rv0rp@M7ja
zx)T?t?*uOI8deT>y{NyVJ9*LfkL&V*VK8@~>>9eJ<zI#EnSaFwyshhK9rx3r{-KrO
z;q=8fT9w9-Yc8fA;|za{&HQAMO4;`QnXWKiWoXf&t_yFrb?DFQO@A5skH^VU)G0+N
zg=AuzNTd`OZ2qw<RFD-WDEq6%SF9AN48kZwx_IG*{|e!RWeGw{e|-01tW5}mgqgTe
z^wJMV!gYIV_nBg1!GJw4yr9=p2_$*C3y)6GQ;$mEsv)1@XX~Mh<xS6)HO&J_A##6x
zv1&=nNN49LaxbsR?e8woEm@*l9;yrzT<iDUQ|WA&60Se<aq7UpRoY~F_z_)w&ldh-
zi{ZYjNq@+102u^~cXo;>>al@2TeG-tU;koU^H_H=ZN9dzHZ@z<T~ug60P$BCIE7dQ
zP6s}Mg)BHaWOCOoTjTB94K{G`aAd#gyJIf?&QV1ezk1<<^;d}<BapD)z7c8R+PnF!
zk9Oal-cu{seJ#%1`q5u&iD{L>E_!-OG$}NCvFx`P%-Sys2}@fQc}_YLsd*JC3Y&Tt
zI$qGpdORu;G2y_;EFpwA`#BvX-Nupi?Z(E>3i59MdF}dJPe!PB<z_|S$F%=3w$@pc
z7$!UHjx;H;ZVcmVIzB6CFMUq^$GVuYnXem{zZtn%vud$AN;o5(6j=(xgqOg+QeFZO
zT3bf6T0b{t2*N0+5OG9swQL_A4D`rP!2tA=XcPf#GpNtuZiiz5fJGdd=yG-|_h0q^
z^t${>@CB3Cb>uxGIlvjPUSPjeLPbeH$U!K%w1KQ;NuR?vXQvQFN*t79&ageC4bq5i
z4bXNTB3zrEY-n%|4Gn^DUrO0&BX@Ada7!#7OA0R>ry47sD}AoQ_!K`~W~)$gq<yhU
zhvV(Z<z7lB(l6!az9J$-ujB%UQU{WGU&~5m$RXtn0cikU_aPtT|Nmg+$b*NR(IuVT
z4?Y^r@1ozh(zxLz^>k9owVwjY&L6K<$P<fowH-aToNYJy&aJud_Zpv)<EKj7@3E#`
z9I`Hagw38g^5$!pU{S$F^@F1zKc)sW&&JcOW!vr&m%3A%`ogcsN?d2RAFxJNqzF#)
z$;;_QvDbR69XeBUe?dl3XTM1=RR@0@$A$WCT?irFA#bB@NsS^R{~1*Lf;VYnPkdU8
zs^h>f33Ctra@rF_E!y=5LO{ra0>A;HP+*U-_XJ(~B!$XYRcw%y8KIUExDiJcH-$Kg
zV<hy$yG+0sX3Z&WSs6fFM|pNx$MX$Czmo0D&AD+K-lXR(neOVqVK0h+_Xh-0v&lT4
z%#x5rjCRrsJAnbeDbn*SWVt9ng7VWtaU4~#8Xo{_wmSzv=sd^+(Wvz`_@=*$k5@l7
zeGxMfI{1$E&%-lKm)qh;Oi$Ay8m!8)$lrUv`r_1Wf2hj1beYk3;3l|U`{{e{0c9ve
z`Q6ZsSj3W)hxJV0e!mDKKfgp$2|-b{1O$R1>XE5rVx1H!g-9{$jWdp5pPb(He&)FE
z-@b8`Tq9`n)TW}WSxPo;5ODtvpI97g6bgZ~pB0Q!riF!<8v_^OV6T_*bx6C}py|rB
zxs2Xp%iTa02yH;lnLsK}V<Z3YBP8<amU$%P4p;X+p1+U(C1R0546AA`jTWSHot2r}
z7V!4Xsit!;fN@#@9dO(FDSm3hHsnC;<;{~C&$+xH-VW^`bixGu)%!^i@fjW1gqoF`
zx3(HyEt}$?*eIPs!Lc0cIK<%$)owUc!)X~tf2^Lu$u3orJv3UNJEx9P)y|sDp-Ee|
z<m7NF*x<FC-(i+8G<u3ed}>bq*`=H`osj~kSRzB(kV{@iB9f;R>9;IFO4?ZlKdbik
ztAYrrs(x?vIzI$C^Ofj|bqZ2=(Da;`J>V1&thBuXs=vLRJkilHf1|a14;`$zI#6(R
zaZwPv91b__@+0Utx_cyw*-^U5$7T+iGKL&OndVm1Pl20*B;jBkkOWhmW>}N*z0t_m
z7}qN_KnpUi5RAX;83{u9>W3QpZ?q@plMIb?EhNs=9%WDfrS$#&I`)LWS7{(zwM&(S
zT0sVdo39;9CQzOsAsPWhpfv?09n5v5q%w%2=COi?eA4(ig<DgSlK~{XDfLL6*l|ZE
zK~c*Ge@Ki^))u>gX>^oDYy(P2St+8rLcQcfe<D<Xgph^6eis)vMcF-F4O4D)yX4k6
z2I4{>Nh1q_6v1(3MScH(<KYm3hel$bR~d1Oe-eQ4(G#Oi+cfn^PHKRnII{GrK-pH`
z0v4GV0f_~J*ek)l`Uo@w$hnd(sAXfC;P9=95ks#>M0^&!^}%5X_wu(Bek%O!P%|0#
z{7`2;M|8qbst<<bJ$aMal2gR>PCqfp)miH5xcjv6o^Ug>T%5;YAmi#RgL+$xqvY|f
z_xI@ND4PgFD_Y)&(rp>sOuv^RqW<^iS+QB+#_lD3MYMiLgtIgn|L<Q)dML3D*KOnA
z{ZoQZlqcdj9^sS-f{mhokkNok2}S28=*0fh=F|f!I+*_Au#H7wz&c$S)sxjLuCEvO
zX7x~II*ME4#d0ylU9N@vk3zkgkgL|D#Xf*db#KYiUYm08-w{|Xa$=mpjr-vK(r_&5
zmN=s2UtU9|O`SRtZT`aE*I(cJf-H59Po?qF^E6QCFYWdGa1KJB-HuZM^(h(bqi7UR
z2oZF{(%tcr5m_V>Ij^p`@u8@kKN_MTjh?C<LCr6Z-$+|j6?^PJ%?iaVbvAU!()H^}
zvzfm|-pqSo2WOxb>(|}9N!^xF7@ZKf+2112)4nXo=sms*Yib5<k!A>VOq0@+BoiL(
zT~DXN*%+*cjO{%i%50MYj}8~~@QPqc(Y4E0`Kwp2@t3d7ZZcTu=R+P=_?A+20IJ2S
zta$>^4c#pHKAa&&D}&NK@-s@Es#2HH-o=(E4nKaIdRnS7)c2MqUq~O)a(`HP8V$ck
ztFp7wn#W26o5CeKs*Hx?jruU7AX5-}+<p8w(1xXv1pRa*hM~bhR~pAK;ChI}$0YQ@
z|C&taUp%$F>*h-jHvukpnaVhK?&y)pnG6pde9q|A{N(H;@A=>Q`Ko6qlH^H}n$37+
z@+!b%l@Ha#_o<0*D9VqB6K}W<X-8ngxzYC}hGhMz6~E;9ENzT#@vD($n=t#Uv)P6(
zMcN<zerQFs5wZ6BdIu^Pd9S@Ci(NL7vFjBDA^q2KI%(j8pEs$W3G*oklM|zVL=+Hl
zKA38iaEfX-?`?eh=g!I4z<hi4((hB$pQ?DoXyl(Y&}X=#l|W-rp|s*?QsQpD@!<qV
zCL1pQ%H<xY(+)qu8I27>>yaxVbK_)#GGawSVpWwvE(J|b&LCnNf);2v5SG`!;VYjk
z+T^0)lr)N)972e^WnbiYX?-q=T5&3b4Rn@ZuP8i36@nHOHEkW<EpRf4iZ)6&VqvCq
z!ERAs0S`4YE3EJBj$oNEojK@@80X}o<icbXC@s~69p0qjHB+atPOmeYvy}|4>bUG|
zb7TvGssHB>gZtff5XofEza+pT5xJz)WDeoTZp#D-42z|F52Vj>rfpHXS|B^4=GTG(
z?m(vOVgr5IEva1I0DymwCBzTuPakW}MH~1+HPhI14S1k}>(PxT{NqOhY}fJLUVt(H
z)=b4H^qwlF;nOj8*VVio;&2}RTWK9s<Ih^2#Vz=>3H8gajv1HKkDES3%%A%DU6ony
zBxU8c$ciIZ<}`0wawk;p&JP;qH#Vx0RwS*gHLr-@02RaB?e@<(W;hsO`e)qJGdcUO
zJ1+irz5aD~F1np_QzfK?GLuQAPv`qSnA*8REu?dSmllG!fP%bjP4$$`!`GUck~oW~
zPGsgsv2a`VsNg}BQZuYM>o4kn22Z{9vX`>ix7NlQ&U}X%ZEgMbTMBsLcbTTVm)pND
zCQWeQ-IIyZLAM4VZw><sk~WeL1mlUGXv=%)BHFV6q=n?Sw~<`7iM6+o9D4`RT#ES%
z+sQ;3rs>M^MU`!|T}OIzKV7;oAeqW$XrDrqE!uVs5whN8Ma`=;S8=miqE?MfV#U${
zuLnJzk(yKa4O49zrUlwYPkN?1mbNRQy{*p_D$BLDBT7?s1F&h@ubH=(Hrk>zpVz9x
z1ev0IutClz@Xiq?xLkh2=CaY)V2oP6@INY>u~PK5&n6#Bsw@L&(IA!V24SsC5VbK6
z=rmbHtC~}sh57D%Q^Yop8AN5TZHh_-qBbSV$DS%l3DaaPt<}R0xq>~G<#q6P#F};9
zP(zKe!ni`wsH{xFkX=)yboscVAsD+t-HO`RU_zMlI%GS$(nYz0DP{!}sV+sBM#OZk
zN0?%4u#fMSCWw$JR0joEOAT=2CpxKu-mn$1%B?=z(pCP+6_|(1g(?a|y+xyFeYP-F
zU6qB<fPb5=&}3T5H2z_Ejc(~Dv9T_5g{U&xwFNeZw%MKXY&q<MtU_dLiZZ=vrCkqF
zWn)Sxzv^O0?1fA*AHzO+^LH$u`XoJZ;IAu|q@ZKbRXl~XG5?CVVD~mRle*8sywWOK
zrm(GwioyRnrF;_mP{6S1W?tEfP3e?hrtvu}0$JBiy3i2_>y&lB$FPHi5XH8XWN&#v
z_cbdwd{b#AEow;xH~NhY1>_^8Ro}ecBAa&a<iGP%68H4PS`vDw%@jnarX2d>E1guU
zf_}{%C?zNz7$C~8XAe_G@UcF#6Yl7yWjE9rAqZ<+7uH!2YKSVA%3TH2tWYLZ%^U>a
zXLVbBE$g8XUj@-DY&d3-!{(3^fdF+J5&j>QinVZmT)*+o%{u)r86={I1*Eoa{;^90
z(c#P^@h|`zgd+rjT%XG+EEpl8oXsoez$sjqbCY;#exScp6*85{-Sh%+$d_klE7DuK
q;skQ47Q!0DY)8KS<0G+>oUKxU)J{<)m5%Fj$F-l0-J9nE000306!mNX

diff --git a/dashboard/src/components/shared/AstrBotConfigV4.vue b/dashboard/src/components/shared/AstrBotConfigV4.vue
index b08357e85b..5ec9542c3d 100644
--- a/dashboard/src/components/shared/AstrBotConfigV4.vue
+++ b/dashboard/src/components/shared/AstrBotConfigV4.vue
@@ -280,6 +280,7 @@ function getSpecialSubtype(value) {
               v-else
               v-model="createSelectorModel(itemKey).value"
               :item-meta="itemMeta || null"
+              :config-root="iterable"
               :show-fullscreen-btn="!!itemMeta?.editor_mode"
               @open-fullscreen="openEditorDialog(itemKey, iterable, itemMeta?.editor_theme, itemMeta?.editor_language)"
             />
@@ -360,6 +361,7 @@ function getSpecialSubtype(value) {
                     v-else
                     v-model="createSelectorModel(itemKey).value"
                     :item-meta="itemMeta || null"
+                    :config-root="iterable"
                     :show-fullscreen-btn="!!itemMeta?.editor_mode"
                     @open-fullscreen="openEditorDialog(itemKey, iterable, itemMeta?.editor_theme, itemMeta?.editor_language)"
                   />
diff --git a/dashboard/src/components/shared/ConfigItemRenderer.vue b/dashboard/src/components/shared/ConfigItemRenderer.vue
index 5211f8a2ec..f791dd540c 100644
--- a/dashboard/src/components/shared/ConfigItemRenderer.vue
+++ b/dashboard/src/components/shared/ConfigItemRenderer.vue
@@ -45,6 +45,13 @@
     <template v-else-if="itemMeta?._special === 't2i_template'">
       <T2ITemplateEditor />
     </template>
+    <template v-else-if="itemMeta?._special === 'dashboard_totp_manager'">
+      <DashboardTotpManager
+        :model-value="Boolean(modelValue)"
+        :config-root="configRoot"
+        @update:model-value="emitUpdate"
+      />
+    </template>
     <template v-else-if="itemMeta?._special === 'get_embedding_dim'">
       <div class="d-flex align-center gap-2">
         <v-text-field
@@ -242,6 +249,7 @@ import PersonaSelector from './PersonaSelector.vue'
 import KnowledgeBaseSelector from './KnowledgeBaseSelector.vue'
 import PluginSetSelector from './PluginSetSelector.vue'
 import T2ITemplateEditor from './T2ITemplateEditor.vue'
+import DashboardTotpManager from './DashboardTotpManager.vue'
 import { computed, ref } from 'vue'
 import { useI18n, useModuleI18n } from '@/i18n/composables'
 import { usePluginI18n } from '@/utils/pluginI18n'
@@ -277,6 +285,10 @@ const props = defineProps({
   showFullscreenBtn: {
     type: Boolean,
     default: false
+  },
+  configRoot: {
+    type: Object,
+    default: null
   }
 })
 
diff --git a/dashboard/src/components/shared/DashboardTotpDisableDialog.vue b/dashboard/src/components/shared/DashboardTotpDisableDialog.vue
new file mode 100644
index 0000000000..fc62e8b071
--- /dev/null
+++ b/dashboard/src/components/shared/DashboardTotpDisableDialog.vue
@@ -0,0 +1,159 @@
+<template>
+  <v-dialog
+    :model-value="modelValue"
+    max-width="520"
+    @update:model-value="onVisibilityChange"
+  >
+    <v-card>
+      <v-card-title class="d-flex align-center pa-4">
+        {{ tm('system_group.system.dashboard.totp.disableTitle') }}
+        <v-spacer></v-spacer>
+        <v-btn icon variant="text" size="small" @click="onCancel">
+          <v-icon>mdi-close</v-icon>
+        </v-btn>
+      </v-card-title>
+      <v-divider></v-divider>
+      <v-card-text class="pa-4">
+        <template v-if="showRecovery">
+          <div class="totp-dialog-subtitle mb-3">
+            {{ tm('system_group.system.dashboard.totp.disableRecoverySubtitle') }}
+          </div>
+          <v-text-field
+            v-model="recoveryCode"
+            :label="tm('system_group.system.dashboard.totp.disableRecoveryCode')"
+            variant="outlined"
+            density="compact"
+            class="totp-code-input"
+            :error-messages="errorMsg"
+            :loading="verifying"
+            hide-details="auto"
+            prepend-inner-icon="mdi-key-variant"
+            @keyup.enter="confirmDisable"
+          ></v-text-field>
+          <div class="d-flex justify-end ga-2 mt-4">
+            <v-btn
+              variant="text"
+              :disabled="verifying"
+              @click="showRecovery = false"
+            >
+              {{ tm('system_group.system.dashboard.totp.disableUseCode') }}
+            </v-btn>
+            <v-btn
+              color="error"
+              variant="tonal"
+              :loading="verifying"
+              :disabled="!recoveryCode || recoveryCode.length < 5"
+              @click="confirmDisable"
+            >
+              {{ tm('system_group.system.dashboard.totp.disableConfirm') }}
+            </v-btn>
+          </div>
+        </template>
+        <template v-else>
+          <div class="totp-dialog-subtitle mb-3">
+            {{ tm('system_group.system.dashboard.totp.disableSubtitle') }}
+          </div>
+          <v-text-field
+            v-model="code"
+            :label="tm('system_group.system.dashboard.totp.disableCode')"
+            variant="outlined"
+            density="compact"
+            class="totp-code-input"
+            maxlength="6"
+            :error-messages="errorMsg"
+            :loading="verifying"
+            hide-details="auto"
+            prepend-inner-icon="mdi-shield-key"
+            @keyup.enter="confirmDisable"
+          ></v-text-field>
+          <div class="d-flex justify-end ga-2 mt-4">
+            <v-btn
+              variant="text"
+              :disabled="verifying"
+              @click="showRecovery = true"
+            >
+              {{ tm('system_group.system.dashboard.totp.disableUseRecovery') }}
+            </v-btn>
+            <v-btn
+              color="error"
+              variant="tonal"
+              :loading="verifying"
+              :disabled="!code || code.length < 6"
+              @click="confirmDisable"
+            >
+              {{ tm('system_group.system.dashboard.totp.disableConfirm') }}
+            </v-btn>
+          </div>
+        </template>
+      </v-card-text>
+    </v-card>
+  </v-dialog>
+</template>
+
+<script setup>
+import { ref } from 'vue'
+import axios from 'axios'
+import { useModuleI18n } from '@/i18n/composables'
+
+const emit = defineEmits(['update:modelValue', 'disableCompleted'])
+const { tm } = useModuleI18n('features/config-metadata')
+
+const code = ref('')
+const recoveryCode = ref('')
+const showRecovery = ref(false)
+const verifying = ref(false)
+const errorMsg = ref('')
+
+function resetState() {
+  code.value = ''
+  recoveryCode.value = ''
+  showRecovery.value = false
+  verifying.value = false
+  errorMsg.value = ''
+}
+
+function onVisibilityChange(val) {
+  if (!val) {
+    resetState()
+  }
+  emit('update:modelValue', val)
+}
+
+function onCancel() {
+  resetState()
+  emit('update:modelValue', false)
+}
+
+async function confirmDisable() {
+  const inputCode = showRecovery.value ? recoveryCode.value : code.value
+  if (!inputCode) return
+  verifying.value = true
+  errorMsg.value = ''
+  try {
+    const res = await axios.post('/api/auth/totp/disable', { code: inputCode })
+    if (res.data.status !== 'ok') {
+      errorMsg.value = res.data.message || tm('system_group.system.dashboard.totp.disableError')
+      return
+    }
+    resetState()
+    emit('disableCompleted')
+    emit('update:modelValue', false)
+  } catch (error) {
+    errorMsg.value = String(error || '') || tm('system_group.system.dashboard.totp.disableError')
+  } finally {
+    verifying.value = false
+  }
+}
+</script>
+
+<style scoped>
+.totp-dialog-subtitle {
+  font-size: 0.9rem;
+  color: rgba(var(--v-theme-on-surface), 0.68);
+}
+
+.totp-code-input {
+  max-width: 240px;
+  margin: 0 auto;
+}
+</style>
diff --git a/dashboard/src/components/shared/DashboardTotpManageDialog.vue b/dashboard/src/components/shared/DashboardTotpManageDialog.vue
new file mode 100644
index 0000000000..8bacbb52f0
--- /dev/null
+++ b/dashboard/src/components/shared/DashboardTotpManageDialog.vue
@@ -0,0 +1,101 @@
+<template>
+  <v-dialog
+    :model-value="modelValue"
+    max-width="520"
+    @update:model-value="val => emit('update:modelValue', val)"
+  >
+    <v-card>
+      <v-card-title class="d-flex align-center pa-4">
+        {{ tm('system_group.system.dashboard.totp.configuration') }}
+        <v-spacer></v-spacer>
+        <v-btn icon variant="text" size="small" @click="emit('update:modelValue', false)">
+          <v-icon>mdi-close</v-icon>
+        </v-btn>
+      </v-card-title>
+      <v-divider></v-divider>
+      <v-card-text class="pa-4">
+        <div class="totp-dialog-subtitle mb-3">
+          {{ tm('system_group.system.dashboard.totp.activeSubtitle') }}
+        </div>
+        <div class="text-center">
+          <QrCodeViewer
+            v-if="totpProvisioningUri"
+            :value="totpProvisioningUri"
+            alt="TOTP QR Code"
+            :size="220"
+          />
+          <div class="totp-current-secret-wrap mt-3">
+            <code class="totp-secret">{{ totpSecret }}</code>
+          </div>
+        </div>
+        <div class="d-flex justify-center ga-3 mt-4">
+          <v-btn
+            color="primary"
+            variant="tonal"
+            @click="emit('rotate')"
+          >
+            <v-icon class="mr-1" size="16">mdi-shield-key</v-icon>
+            {{ tm('system_group.system.dashboard.totp.rotate') }}
+          </v-btn>
+          <v-btn
+            color="secondary"
+            variant="tonal"
+            @click="emit('rotate-recovery')"
+          >
+            <v-icon class="mr-1" size="16">mdi-key-variant</v-icon>
+            {{ tm('system_group.system.dashboard.totp.rotateRecovery') }}
+          </v-btn>
+        </div>
+      </v-card-text>
+    </v-card>
+  </v-dialog>
+</template>
+
+<script setup>
+import { computed } from 'vue'
+import QrCodeViewer from './QrCodeViewer.vue'
+import { useModuleI18n } from '@/i18n/composables'
+
+const props = defineProps({
+  modelValue: {
+    type: Boolean,
+    default: false
+  },
+  configRoot: {
+    type: Object,
+    default: null
+  }
+})
+
+const emit = defineEmits(['update:modelValue', 'rotate', 'rotate-recovery'])
+const { tm } = useModuleI18n('features/config-metadata')
+
+const totpSecret = computed(() => props.configRoot?.dashboard?.totp?.secret || '')
+
+const totpProvisioningUri = computed(() => {
+  if (!totpSecret.value) return ''
+  const label = encodeURIComponent(props.configRoot?.dashboard?.username || 'AstrBot')
+  const issuer = encodeURIComponent('AstrBot')
+  return `otpauth://totp/${label}?secret=${encodeURIComponent(totpSecret.value)}&issuer=${issuer}`
+})
+</script>
+
+<style scoped>
+.totp-dialog-subtitle {
+  font-size: 0.9rem;
+  color: rgba(var(--v-theme-on-surface), 0.68);
+}
+
+.totp-current-secret-wrap {
+  background: rgba(var(--v-theme-on-surface), 0.04);
+  border: 1px solid rgba(var(--v-theme-on-surface), 0.12);
+  border-radius: 8px;
+  padding: 10px;
+}
+
+.totp-secret {
+  word-break: break-all;
+  font-size: 0.8rem;
+  font-weight: 500;
+}
+</style>
diff --git a/dashboard/src/components/shared/DashboardTotpManager.vue b/dashboard/src/components/shared/DashboardTotpManager.vue
new file mode 100644
index 0000000000..70414c3cdd
--- /dev/null
+++ b/dashboard/src/components/shared/DashboardTotpManager.vue
@@ -0,0 +1,210 @@
+<template>
+  <div class="totp-manager">
+    <v-switch
+      :model-value="modelValue"
+      @update:model-value="onTotpToggle"
+      color="primary"
+      inset
+      density="compact"
+      hide-details
+    ></v-switch>
+    <div v-if="modelValue" class="totp-manager-actions">
+      <v-chip
+        size="small"
+        :color="isTotpInitialSetup ? 'warning' : 'success'"
+        variant="tonal"
+      >
+        <v-icon start size="14">
+          {{ isTotpInitialSetup ? 'mdi-alert-circle-outline' : 'mdi-check-circle-outline' }}
+        </v-icon>
+        {{ isTotpInitialSetup
+          ? tm('system_group.system.dashboard.totp.statusPending')
+          : tm('system_group.system.dashboard.totp.statusEnabled') }}
+      </v-chip>
+      <v-btn
+        color="primary"
+        variant="tonal"
+        size="small"
+        @click="openTotpDialog"
+      >
+        {{ tm('system_group.system.dashboard.totp.manage') }}
+      </v-btn>
+    </div>
+  </div>
+  <div v-if="modelValue && isTotpInitialSetup" class="totp-setup-hint">
+    {{ tm('system_group.system.dashboard.totp.setupRequiredHint') }}
+  </div>
+
+  <DashboardTotpSetupDialog
+    v-model="setupDialogVisible"
+    :config-root="configRoot"
+    :mode="setupDialogMode"
+    @setup-complete="onSetupComplete"
+  />
+  <DashboardTotpRecoveryDialog
+    v-model="recoveryDialogVisible"
+    :recovery-code="pendingRecoveryCode"
+    @close="recoveryDialogVisible = false"
+  />
+  <DashboardTotpManageDialog
+    v-model="manageDialogVisible"
+    :config-root="configRoot"
+    @rotate="onStartRotate"
+    @rotate-recovery="onStartRotateRecovery"
+  />
+  <DashboardTotpDisableDialog
+    v-model="disableDialogVisible"
+    @disable-completed="onDisableCompleted"
+  />
+  <DashboardTotpRotateRecoveryDialog
+    v-model="rotateRecoveryDialogVisible"
+    :config-root="configRoot"
+    @rotated="onRecoveryRotated"
+  />
+</template>
+
+<script setup>
+import { computed, ref } from 'vue'
+import DashboardTotpSetupDialog from './DashboardTotpSetupDialog.vue'
+import DashboardTotpRecoveryDialog from './DashboardTotpRecoveryDialog.vue'
+import DashboardTotpManageDialog from './DashboardTotpManageDialog.vue'
+import DashboardTotpDisableDialog from './DashboardTotpDisableDialog.vue'
+import DashboardTotpRotateRecoveryDialog from './DashboardTotpRotateRecoveryDialog.vue'
+import { useModuleI18n } from '@/i18n/composables'
+
+const props = defineProps({
+  modelValue: {
+    type: Boolean,
+    default: false
+  },
+  configRoot: {
+    type: Object,
+    default: null
+  }
+})
+
+const emit = defineEmits(['update:modelValue'])
+const { tm } = useModuleI18n('features/config-metadata')
+
+const setupDialogVisible = ref(false)
+const recoveryDialogVisible = ref(false)
+const manageDialogVisible = ref(false)
+const disableDialogVisible = ref(false)
+const rotateRecoveryDialogVisible = ref(false)
+const setupDialogMode = ref('setup')
+const pendingRecoveryCode = ref('')
+
+const totpSecret = computed(() => props.configRoot?.dashboard?.totp?.secret || '')
+const totpRecoveryCodeHash = computed(
+  () => props.configRoot?.dashboard?.totp?.recovery_code_hash || ''
+)
+const isTotpInitialSetup = computed(
+  () =>
+    props.modelValue === true
+    && (!totpSecret.value || !totpRecoveryCodeHash.value)
+)
+const isTotpFullyActive = computed(
+  () =>
+    props.modelValue === true
+    && !!totpSecret.value
+    && !!totpRecoveryCodeHash.value
+)
+
+function emitUpdate(val) {
+  emit('update:modelValue', val)
+}
+
+function clearTotpConfig() {
+  if (props.configRoot?.dashboard?.totp) {
+    props.configRoot.dashboard.totp.enable = false
+    props.configRoot.dashboard.totp.secret = ''
+    props.configRoot.dashboard.totp.recovery_code_hash = ''
+  }
+}
+
+function writeTotpSecretToConfig(secret, recoveryCodeHash = '') {
+  if (!props.configRoot?.dashboard) return
+  if (!props.configRoot.dashboard.totp) {
+    props.configRoot.dashboard.totp = {}
+  }
+  props.configRoot.dashboard.totp.enable = true
+  props.configRoot.dashboard.totp.secret = secret
+  props.configRoot.dashboard.totp.recovery_code_hash = recoveryCodeHash
+}
+
+function onTotpToggle(val) {
+  if (!val) {
+    if (isTotpFullyActive.value) {
+      disableDialogVisible.value = true
+      return
+    }
+    clearTotpConfig()
+    emitUpdate(val)
+    return
+  }
+  // Toggle on: auto-open setup dialog
+  setupDialogMode.value = 'setup'
+  setupDialogVisible.value = true
+  emitUpdate(true)
+}
+
+function openTotpDialog() {
+  if (isTotpInitialSetup.value) {
+    setupDialogMode.value = 'setup'
+    setupDialogVisible.value = true
+    return
+  }
+  manageDialogVisible.value = true
+}
+
+function onSetupComplete({ secret, recoveryCode, recoveryCodeHash }) {
+  writeTotpSecretToConfig(secret, recoveryCodeHash)
+  pendingRecoveryCode.value = recoveryCode
+  recoveryDialogVisible.value = true
+}
+
+function onStartRotate() {
+  manageDialogVisible.value = false
+  setupDialogMode.value = 'rotate'
+  setupDialogVisible.value = true
+}
+
+function onStartRotateRecovery() {
+  manageDialogVisible.value = false
+  rotateRecoveryDialogVisible.value = true
+}
+
+function onRecoveryRotated({ recoveryCode, recoveryCodeHash }) {
+  if (!props.configRoot?.dashboard?.totp) return
+  props.configRoot.dashboard.totp.recovery_code_hash = recoveryCodeHash
+  pendingRecoveryCode.value = recoveryCode
+  recoveryDialogVisible.value = true
+}
+
+function onDisableCompleted() {
+  clearTotpConfig()
+  emitUpdate(false)
+}
+</script>
+
+<style scoped>
+.totp-manager {
+  display: flex;
+  align-items: center;
+  gap: 8px;
+  flex-wrap: wrap;
+}
+
+.totp-manager-actions {
+  display: inline-flex;
+  align-items: center;
+  gap: 8px;
+  flex-wrap: wrap;
+}
+
+.totp-setup-hint {
+  margin-top: 6px;
+  font-size: 0.8rem;
+  color: rgba(var(--v-theme-warning), 0.95);
+}
+</style>
diff --git a/dashboard/src/components/shared/DashboardTotpRecoveryDialog.vue b/dashboard/src/components/shared/DashboardTotpRecoveryDialog.vue
new file mode 100644
index 0000000000..f908387c84
--- /dev/null
+++ b/dashboard/src/components/shared/DashboardTotpRecoveryDialog.vue
@@ -0,0 +1,101 @@
+<template>
+  <v-dialog
+    :model-value="modelValue"
+    max-width="520"
+    persistent
+    @update:model-value="val => emit('update:modelValue', val)"
+  >
+    <v-card>
+      <v-card-title class="d-flex align-center pa-4">
+        {{ tm('system_group.system.dashboard.totp.recoveryTitle') }}
+        <v-spacer></v-spacer>
+      </v-card-title>
+      <v-divider></v-divider>
+      <v-card-text class="pa-4">
+        <div class="totp-dialog-subtitle mb-3">
+          {{ tm('system_group.system.dashboard.totp.recoverySubtitle') }}
+        </div>
+        <v-alert
+          type="warning"
+          variant="tonal"
+          density="compact"
+          class="mb-3"
+          :text="tm('system_group.system.dashboard.totp.recoveryWarning')"
+          hide-details
+        ></v-alert>
+        <div class="totp-recovery-card">
+          <code class="totp-recovery-text">{{ recoveryCode }}</code>
+        </div>
+        <v-checkbox
+          v-model="acknowledged"
+          :label="tm('system_group.system.dashboard.totp.recoveryAcknowledge')"
+          color="primary"
+          density="comfortable"
+          hide-details
+          class="mt-2"
+        ></v-checkbox>
+        <div class="d-flex justify-end mt-4">
+          <v-btn
+            color="primary"
+            variant="tonal"
+            :disabled="!acknowledged"
+            @click="onClose"
+          >
+            {{ tm('system_group.system.dashboard.totp.recoveryClose') }}
+          </v-btn>
+        </div>
+      </v-card-text>
+    </v-card>
+  </v-dialog>
+</template>
+
+<script setup>
+import { ref } from 'vue'
+import { useModuleI18n } from '@/i18n/composables'
+
+const props = defineProps({
+  modelValue: {
+    type: Boolean,
+    default: false
+  },
+  recoveryCode: {
+    type: String,
+    default: ''
+  }
+})
+
+const emit = defineEmits(['update:modelValue', 'close'])
+const { tm } = useModuleI18n('features/config-metadata')
+
+const acknowledged = ref(false)
+
+function onClose() {
+  acknowledged.value = false
+  emit('close')
+  emit('update:modelValue', false)
+}
+</script>
+
+<style scoped>
+.totp-dialog-subtitle {
+  font-size: 0.9rem;
+  color: rgba(var(--v-theme-on-surface), 0.68);
+}
+
+.totp-recovery-card {
+  background: rgba(var(--v-theme-on-surface), 0.04);
+  border: 1px solid rgba(var(--v-theme-on-surface), 0.12);
+  border-radius: 8px;
+  padding: 12px;
+  text-align: center;
+  margin: 8px 0;
+}
+
+.totp-recovery-text {
+  font-size: 1rem;
+  font-weight: 600;
+  letter-spacing: 1.3px;
+  word-break: keep-all;
+  user-select: all;
+}
+</style>
diff --git a/dashboard/src/components/shared/DashboardTotpRotateRecoveryDialog.vue b/dashboard/src/components/shared/DashboardTotpRotateRecoveryDialog.vue
new file mode 100644
index 0000000000..e11518d07e
--- /dev/null
+++ b/dashboard/src/components/shared/DashboardTotpRotateRecoveryDialog.vue
@@ -0,0 +1,143 @@
+<template>
+  <v-dialog
+    :model-value="modelValue"
+    max-width="520"
+    @update:model-value="onVisibilityChange"
+    @click:outside="onCancel"
+  >
+    <v-card>
+      <v-card-title class="d-flex align-center pa-4">
+        {{ tm('system_group.system.dashboard.totp.rotateRecoveryTitle') }}
+        <v-spacer></v-spacer>
+        <v-btn icon variant="text" size="small" @click="onCancel">
+          <v-icon>mdi-close</v-icon>
+        </v-btn>
+      </v-card-title>
+      <v-divider></v-divider>
+      <v-card-text class="pa-4">
+        <div class="totp-dialog-subtitle mb-3">
+          {{ tm('system_group.system.dashboard.totp.rotateRecoverySubtitle') }}
+        </div>
+        <v-text-field
+          v-model="code"
+          :label="tm('system_group.system.dashboard.totp.rotateRecoveryCode')"
+          variant="outlined"
+          density="compact"
+          class="totp-code-input"
+          maxlength="6"
+          :error-messages="codeError"
+          :loading="verifying"
+          hide-details="auto"
+          prepend-inner-icon="mdi-shield-key"
+          @keyup.enter="confirmRotate"
+        ></v-text-field>
+        <div class="d-flex justify-end ga-2 mt-4">
+          <v-btn
+            variant="text"
+            :disabled="verifying"
+            @click="onCancel"
+          >
+            {{ tm('system_group.system.dashboard.totp.rotateCancel') }}
+          </v-btn>
+          <v-btn
+            color="primary"
+            variant="tonal"
+            :loading="verifying"
+            :disabled="!code || code.length < 6"
+            @click="confirmRotate"
+          >
+            {{ tm('system_group.system.dashboard.totp.rotateRecoveryConfirm') }}
+          </v-btn>
+        </div>
+      </v-card-text>
+    </v-card>
+  </v-dialog>
+</template>
+
+<script setup>
+import { computed, ref } from 'vue'
+import axios from 'axios'
+import { useModuleI18n } from '@/i18n/composables'
+
+const props = defineProps({
+  modelValue: {
+    type: Boolean,
+    default: false
+  },
+  configRoot: {
+    type: Object,
+    default: null
+  }
+})
+
+const emit = defineEmits(['update:modelValue', 'rotated'])
+const { tm } = useModuleI18n('features/config-metadata')
+
+const code = ref('')
+const codeError = ref('')
+const verifying = ref(false)
+
+const totpSecret = computed(() => props.configRoot?.dashboard?.totp?.secret || '')
+
+function resetState() {
+  code.value = ''
+  codeError.value = ''
+  verifying.value = false
+}
+
+function onVisibilityChange(val) {
+  if (!val) {
+    resetState()
+  }
+  emit('update:modelValue', val)
+}
+
+function onCancel() {
+  resetState()
+  emit('update:modelValue', false)
+}
+
+async function confirmRotate() {
+  if (!totpSecret.value) {
+    codeError.value = tm('system_group.system.dashboard.totp.rotateRecoveryMissingSecret')
+    return
+  }
+  if (!code.value || code.value.length < 6) {
+    return
+  }
+  verifying.value = true
+  codeError.value = ''
+  try {
+    const res = await axios.post('/api/auth/totp/verify-setup', {
+      secret: totpSecret.value,
+      code: code.value,
+    })
+    if (res.data.status !== 'ok') {
+      codeError.value = res.data.message || tm('system_group.system.dashboard.totp.rotateError')
+      return
+    }
+    emit('rotated', {
+      recoveryCode: String(res.data.data?.recovery_code || ''),
+      recoveryCodeHash: String(res.data.data?.recovery_code_hash || ''),
+    })
+    resetState()
+    emit('update:modelValue', false)
+  } catch {
+    codeError.value = tm('system_group.system.dashboard.totp.rotateError')
+  } finally {
+    verifying.value = false
+  }
+}
+</script>
+
+<style scoped>
+.totp-dialog-subtitle {
+  font-size: 0.9rem;
+  color: rgba(var(--v-theme-on-surface), 0.68);
+}
+
+.totp-code-input {
+  max-width: 240px;
+  margin: 0 auto;
+}
+</style>
diff --git a/dashboard/src/components/shared/DashboardTotpSetupDialog.vue b/dashboard/src/components/shared/DashboardTotpSetupDialog.vue
new file mode 100644
index 0000000000..c94361a7ae
--- /dev/null
+++ b/dashboard/src/components/shared/DashboardTotpSetupDialog.vue
@@ -0,0 +1,309 @@
+<template>
+  <v-dialog
+    :model-value="modelValue"
+    max-width="520"
+    @update:model-value="onVisibilityChange"
+    @click:outside="onCancel"
+  >
+    <v-card>
+      <v-card-title class="d-flex align-center pa-4">
+        {{ step === 'verify' ? verifyStepTitle : dialogTitle }}
+        <v-spacer></v-spacer>
+        <v-btn icon variant="text" size="small" @click="onCancel">
+          <v-icon>mdi-close</v-icon>
+        </v-btn>
+      </v-card-title>
+      <v-divider></v-divider>
+      <v-card-text class="pa-4">
+        <template v-if="step === 'verify'">
+          <div class="totp-dialog-subtitle mb-3">
+            输入当前认证器应用中的验证码以验证身份。
+          </div>
+          <div class="text-center">
+            <v-text-field
+              v-model="verifyCode"
+              label="当前验证码"
+              variant="outlined"
+              density="compact"
+              class="totp-code-input"
+              maxlength="6"
+              :error-messages="verifyError"
+              :loading="verifyingIdentity"
+              hide-details="auto"
+              prepend-inner-icon="mdi-shield-key"
+              @keyup.enter="verifyIdentity"
+            ></v-text-field>
+          </div>
+          <div class="d-flex justify-end ga-2 mt-4">
+            <v-btn
+              variant="text"
+              :disabled="verifyingIdentity"
+              @click="onCancel"
+            >
+              取消
+            </v-btn>
+            <v-btn
+              color="primary"
+              variant="tonal"
+              :loading="verifyingIdentity"
+              :disabled="!verifyCode || verifyCode.length < 6"
+              @click="verifyIdentity"
+            >
+              验证
+            </v-btn>
+          </div>
+        </template>
+
+        <template v-else>
+          <div class="totp-dialog-subtitle mb-3">
+            {{ dialogSubtitle }}
+          </div>
+          <div class="text-center">
+            <v-alert
+              type="info"
+              variant="tonal"
+              density="compact"
+              class="mb-3 text-start"
+              :text="tm('system_group.system.dashboard.totp.rotateCodeHint')"
+              hide-details
+            ></v-alert>
+            <QrCodeViewer
+              v-if="totpProvisioningUri"
+              :value="totpProvisioningUri"
+              alt="TOTP QR Code"
+              :size="220"
+            />
+            <div class="totp-new-secret-wrap mt-3">
+              <code class="totp-secret">{{ newSecret }}</code>
+            </div>
+            <v-text-field
+              v-model="code"
+              :label="tm('system_group.system.dashboard.totp.rotateCode')"
+              variant="outlined"
+              density="compact"
+              class="totp-code-input mt-3"
+              maxlength="6"
+              :error-messages="codeError"
+              :loading="verifying"
+              hide-details="auto"
+              prepend-inner-icon="mdi-shield-key"
+              @keyup.enter="confirmSetup"
+            ></v-text-field>
+          </div>
+          <div class="d-flex justify-end ga-2 mt-4">
+            <v-btn
+              variant="text"
+              :disabled="verifying"
+              @click="onCancel"
+            >
+              {{ tm('system_group.system.dashboard.totp.rotateCancel') }}
+            </v-btn>
+            <v-btn
+              color="primary"
+              variant="tonal"
+              :loading="verifying"
+              :disabled="!code || code.length < 6"
+              @click="confirmSetup"
+            >
+              {{ confirmLabel }}
+            </v-btn>
+          </div>
+        </template>
+      </v-card-text>
+    </v-card>
+  </v-dialog>
+</template>
+
+<script setup>
+import { computed, ref, watch } from 'vue'
+import axios from 'axios'
+import QrCodeViewer from './QrCodeViewer.vue'
+import { useModuleI18n } from '@/i18n/composables'
+
+const props = defineProps({
+  modelValue: {
+    type: Boolean,
+    default: false
+  },
+  configRoot: {
+    type: Object,
+    default: null
+  },
+  mode: {
+    type: String,
+    default: 'setup',
+    validator: (v) => ['setup', 'rotate'].includes(v)
+  }
+})
+
+const emit = defineEmits(['update:modelValue', 'setupComplete'])
+const { tm } = useModuleI18n('features/config-metadata')
+
+const step = ref('new_setup')
+const loading = ref(false)
+const newSecret = ref('')
+const code = ref('')
+const codeError = ref('')
+const verifying = ref(false)
+
+const verifyCode = ref('')
+const verifyError = ref('')
+const verifyingIdentity = ref(false)
+
+const verifyStepTitle = computed(() => '验证当前 TOTP')
+
+const dialogTitle = computed(() => {
+  return props.mode === 'rotate'
+    ? tm('system_group.system.dashboard.totp.rotateTitle')
+    : tm('system_group.system.dashboard.totp.setupTitle')
+})
+
+const dialogSubtitle = computed(() => {
+  return props.mode === 'rotate'
+    ? tm('system_group.system.dashboard.totp.rotateSubtitle')
+    : tm('system_group.system.dashboard.totp.setupSubtitle')
+})
+
+const confirmLabel = computed(() => {
+  return props.mode === 'rotate'
+    ? tm('system_group.system.dashboard.totp.rotateConfirm')
+    : tm('system_group.system.dashboard.totp.setupConfirm')
+})
+
+const totpProvisioningUri = computed(() => {
+  if (!newSecret.value) return ''
+  const label = encodeURIComponent(props.configRoot?.dashboard?.username || 'AstrBot')
+  const issuer = encodeURIComponent('AstrBot')
+  return `otpauth://totp/${label}?secret=${encodeURIComponent(newSecret.value)}&issuer=${issuer}`
+})
+
+watch(
+  () => props.modelValue,
+  (visible) => {
+    if (visible) {
+      if (props.mode === 'rotate') {
+        step.value = 'verify'
+        return
+      }
+      step.value = 'new_setup'
+      void fetchNewSecret()
+      return
+    }
+    resetState()
+  }
+)
+
+function resetState() {
+  step.value = 'new_setup'
+  newSecret.value = ''
+  code.value = ''
+  codeError.value = ''
+  verifyCode.value = ''
+  verifyError.value = ''
+  verifyingIdentity.value = false
+}
+
+function onVisibilityChange(val) {
+  if (!val) {
+    resetState()
+  }
+  emit('update:modelValue', val)
+}
+
+function onCancel() {
+  resetState()
+  emit('update:modelValue', false)
+}
+
+async function fetchNewSecret() {
+  if (loading.value || newSecret.value) {
+    return
+  }
+  loading.value = true
+  try {
+    const res = await axios.post('/api/auth/totp/setup')
+    if (res.data.status !== 'ok') {
+      return
+    }
+    newSecret.value = res.data.data?.secret || ''
+    code.value = ''
+    codeError.value = ''
+  } finally {
+    loading.value = false
+  }
+}
+
+async function verifyIdentity() {
+  if (!verifyCode.value) return
+  verifyingIdentity.value = true
+  verifyError.value = ''
+  try {
+    const res = await axios.post('/api/auth/totp/setup', { code: verifyCode.value })
+    if (res.data.status !== 'ok') {
+      verifyError.value = res.data.message || '验证失败'
+      return
+    }
+    newSecret.value = res.data.data?.secret || ''
+    step.value = 'new_setup'
+  } catch {
+    verifyError.value = '验证失败'
+  } finally {
+    verifyingIdentity.value = false
+  }
+}
+
+async function confirmSetup() {
+  if (!code.value || code.value.length < 6) return
+  verifying.value = true
+  codeError.value = ''
+  try {
+    const res = await axios.post('/api/auth/totp/verify-setup', {
+      secret: newSecret.value,
+      code: code.value,
+    })
+    if (res.data.status !== 'ok') {
+      codeError.value = res.data.message || tm('system_group.system.dashboard.totp.rotateError')
+      return
+    }
+    const recoveryCode = String(res.data.data?.recovery_code || '')
+    const recoveryCodeHash = String(res.data.data?.recovery_code_hash || '')
+    const secret = newSecret.value
+    resetState()
+    emit('setupComplete', {
+      secret,
+      recoveryCode,
+      recoveryCodeHash,
+    })
+    emit('update:modelValue', false)
+  } catch {
+    codeError.value = tm('system_group.system.dashboard.totp.rotateError')
+  } finally {
+    verifying.value = false
+  }
+}
+</script>
+
+<style scoped>
+.totp-dialog-subtitle {
+  font-size: 0.9rem;
+  color: rgba(var(--v-theme-on-surface), 0.68);
+}
+
+.totp-new-secret-wrap {
+  background: rgba(var(--v-theme-on-surface), 0.04);
+  border: 1px solid rgba(var(--v-theme-on-surface), 0.12);
+  border-radius: 8px;
+  padding: 10px;
+}
+
+.totp-secret {
+  word-break: break-all;
+  font-size: 0.8rem;
+  font-weight: 500;
+}
+
+.totp-code-input {
+  max-width: 240px;
+  margin: 0 auto;
+}
+</style>
diff --git a/dashboard/src/i18n/locales/en-US/features/auth.json b/dashboard/src/i18n/locales/en-US/features/auth.json
index 23651a52f3..7410b4c59e 100644
--- a/dashboard/src/i18n/locales/en-US/features/auth.json
+++ b/dashboard/src/i18n/locales/en-US/features/auth.json
@@ -3,6 +3,23 @@
   "username": "Username",
   "password": "Password",
   "defaultHint": "If this is your first login, check the logs for the default password.",
+  "totp": {
+    "code": "Verification code",
+    "verify": "Verify",
+    "trustDevice": "Trust this device for 30 days"
+  },
+  "recovery": {
+    "title": "Recovery Code Login",
+    "subtitle": "Lost access to your authenticator app? Use a recovery code to log in.",
+    "code": "Recovery Code",
+    "submit": "Log in with Recovery Code",
+    "useRecoveryCode": "Can't use TOTP?",
+    "backToLogin": "Back to Login",
+    "savedWarning": "If lost, account access cannot be restored through normal means.",
+    "continue": "Continue",
+    "acknowledge": "I have saved my recovery codes",
+    "totpDisableWarning": "Using a recovery code will disable two-factor authentication."
+  },
   "setup": {
     "title": "Set Up Account",
     "subtitle": "Create the account used to manage AstrBot",
@@ -11,6 +28,17 @@
     "confirmPassword": "Confirm new password",
     "passwordHint": "Use at least 8 characters with uppercase, lowercase, and a number.",
     "submit": "Complete Setup",
+    "totp": {
+      "code": "Verification code",
+      "qrAlt": "TOTP QR code",
+      "title": "Complete TOTP Setup",
+      "subtitle": "Scan the QR code with your authenticator app to enable two-factor authentication.",
+      "step2Hint": "Scan this QR code with your authenticator app (e.g. Google Authenticator, Authy) and enter the code below.",
+      "verify": "Verify & Complete",
+      "verifyError": "Unable to verify the code. Enter the latest code from your authenticator app.",
+      "disableError": "Unable to disable TOTP. Please try again.",
+      "back": "Back"
+    },
     "validation": {
       "usernameRequired": "Enter a username",
       "usernameMinLength": "Username must be at least 3 characters",
diff --git a/dashboard/src/i18n/locales/en-US/features/config-metadata.json b/dashboard/src/i18n/locales/en-US/features/config-metadata.json
index bfb46ab6a0..6cfa700437 100644
--- a/dashboard/src/i18n/locales/en-US/features/config-metadata.json
+++ b/dashboard/src/i18n/locales/en-US/features/config-metadata.json
@@ -1105,6 +1105,50 @@
             "description": "SSL CA Certificate File Path",
             "hint": "Optional. Path to CA certificate file."
           }
+        },
+        "totp": {
+          "enable": {
+            "description": "Enable WebUI TOTP",
+            "hint": "When enabled, a TOTP code is required during dashboard login."
+          },
+          "manage": "Manage",
+          "configuration": "TOTP",
+          "statusPending": "Setup required",
+          "statusEnabled": "Enabled",
+          "setupRequiredHint": "TOTP is enabled but not yet configured. Click Manage to complete setup.",
+          "setupTitle": "Set up TOTP",
+          "setupSubtitle": "Scan this QR code in your authenticator app, then enter a verification code.",
+          "setupConfirm": "Verify and continue",
+          "activeSubtitle": "Use this QR code or secret to add another authenticator device.",
+          "rotateTitle": "Rotate TOTP Secret",
+          "rotateSubtitle": "Generate a new secret, then enter a code from your authenticator to confirm the replacement.",
+          "rotate": "Rotate",
+          "rotateRecovery": "Rotate Recovery Code",
+          "rotateRecoveryTitle": "Rotate Recovery Code",
+          "rotateRecoverySubtitle": "Enter a verification code from your authenticator app to generate a new recovery code.",
+          "rotateRecoveryCode": "Verification Code",
+          "rotateRecoveryConfirm": "Generate New Recovery Code",
+          "rotateRecoveryMissingSecret": "TOTP secret is missing. Please complete setup first.",
+          "rotateConfirm": "Confirm Rotation",
+          "rotateCancel": "Cancel",
+          "rotateCode": "Verification Code",
+          "rotateCodeHint": "Enter the code from your authenticator app to confirm the new key.",
+          "rotateError": "Invalid code, please try again.",
+          "recoveryTitle": "Recovery Codes",
+          "recoverySubtitle": "This recovery code is shown once. Save it before continuing.",
+          "recoveryWarning": "If lost, account access cannot be restored through normal means.",
+          "recoveryAcknowledge": "I have saved my recovery codes",
+          "recoveryClose": "Done",
+          "disableTitle": "Disable TOTP",
+          "disableSubtitle": "Enter a verification code to disable two-factor authentication.",
+          "disableRecoverySubtitle": "Enter a recovery code to disable two-factor authentication.",
+          "disableCode": "Verification Code",
+          "disableRecoveryCode": "Recovery Code",
+          "disableConfirm": "Disable",
+          "disableCancel": "Cancel",
+          "disableError": "Verification failed. Please try again.",
+          "disableUseRecovery": "Can't use TOTP?",
+          "disableUseCode": "Use verification code"
         }
       },
       "timezone": {
diff --git a/dashboard/src/i18n/locales/ru-RU/features/auth.json b/dashboard/src/i18n/locales/ru-RU/features/auth.json
index 8465dea5a9..37ee445d45 100644
--- a/dashboard/src/i18n/locales/ru-RU/features/auth.json
+++ b/dashboard/src/i18n/locales/ru-RU/features/auth.json
@@ -1,34 +1,62 @@
-{
-    "login": "Вход",
-    "username": "Имя пользователя",
-    "password": "Пароль",
-    "defaultHint": "Если это ваш первый вход, проверьте пароль по умолчанию в логах.",
-    "setup": {
-        "title": "Настройка аккаунта",
-        "subtitle": "Создайте аккаунт для управления AstrBot",
-        "username": "Новое имя пользователя",
-        "password": "Новый пароль",
-        "confirmPassword": "Подтвердите новый пароль",
-        "passwordHint": "Минимум 8 символов, включая заглавную букву, строчную букву и цифру.",
-        "submit": "Завершить настройку",
-        "validation": {
-            "usernameRequired": "Введите имя пользователя",
-            "usernameMinLength": "Имя пользователя должно содержать минимум 3 символа",
-            "passwordRequired": "Введите пароль",
-            "passwordMinLength": "Пароль должен содержать минимум 8 символов",
-            "passwordUppercase": "Пароль должен содержать хотя бы одну заглавную букву",
-            "passwordLowercase": "Пароль должен содержать хотя бы одну строчную букву",
-            "passwordDigit": "Пароль должен содержать хотя бы одну цифру",
-            "confirmPasswordRequired": "Подтвердите пароль",
-            "passwordMatch": "Пароли не совпадают"
-        }
+{
+  "login": "Вход",
+  "username": "Имя пользователя",
+  "password": "Пароль",
+  "defaultHint": "Если это первый вход, проверьте пароль по умолчанию в логах.",
+  "totp": {
+    "code": "Код подтверждения",
+    "verify": "Проверить",
+    "trustDevice": "Доверять этому устройству 30 дней"
+  },
+  "recovery": {
+    "title": "Вход по коду восстановления",
+    "subtitle": "Потеряли доступ к приложению-аутентификатору? Используйте код восстановления для входа.",
+    "code": "Код восстановления",
+    "submit": "Войти по коду восстановления",
+    "useRecoveryCode": "Не можете использовать TOTP?",
+    "backToLogin": "Назад к входу",
+    "savedWarning": "При утере этого кода восстановить доступ к учётной записи обычными средствами будет невозможно.",
+    "continue": "Продолжить",
+    "acknowledge": "Я сохранил(а) коды восстановления",
+    "totpDisableWarning": "Использование кода восстановления отключит двухфакторную аутентификацию."
+  },
+  "setup": {
+    "title": "Настройка аккаунта",
+    "subtitle": "Создайте аккаунт для управления AstrBot",
+    "username": "Новое имя пользователя",
+    "password": "Новый пароль",
+    "confirmPassword": "Подтвердите новый пароль",
+    "passwordHint": "Минимум 8 символов, включая заглавную букву, строчную букву и цифру.",
+    "submit": "Завершить настройку",
+    "totp": {
+      "code": "Код подтверждения",
+      "qrAlt": "QR-код TOTP",
+      "title": "Завершить настройку TOTP",
+      "subtitle": "Отсканируйте QR-код в приложении-аутентификаторе, чтобы включить двухфакторную аутентификацию.",
+      "step2Hint": "Отсканируйте этот QR-код в приложении-аутентификаторе (например, Google Authenticator, Authy) и введите код ниже.",
+      "verify": "Проверить и завершить",
+      "verifyError": "Не удалось проверить код. Введите последний код из приложения-аутентификатора.",
+      "disableError": "Не удалось отключить TOTP. Пожалуйста, попробуйте снова.",
+      "back": "Назад"
     },
-    "logo": {
-        "title": "Панель управления AstrBot",
-        "subtitle": "Добро пожаловать"
-    },
-    "theme": {
-        "switchToDark": "Перейти на темную тему",
-        "switchToLight": "Перейти на светлую тему"
+    "validation": {
+      "usernameRequired": "Введите имя пользователя",
+      "usernameMinLength": "Имя пользователя должно содержать минимум 3 символа",
+      "passwordRequired": "Введите пароль",
+      "passwordMinLength": "Пароль должен содержать минимум 8 символов",
+      "passwordUppercase": "Пароль должен содержать хотя бы одну заглавную букву",
+      "passwordLowercase": "Пароль должен содержать хотя бы одну строчную букву",
+      "passwordDigit": "Пароль должен содержать хотя бы одну цифру",
+      "confirmPasswordRequired": "Подтвердите пароль",
+      "passwordMatch": "Пароли не совпадают"
     }
+  },
+  "logo": {
+    "title": "Панель управления AstrBot",
+    "subtitle": "Добро пожаловать"
+  },
+  "theme": {
+    "switchToDark": "Перейти на темную тему",
+    "switchToLight": "Перейти на светлую тему"
+  }
 }
diff --git a/dashboard/src/i18n/locales/ru-RU/features/config-metadata.json b/dashboard/src/i18n/locales/ru-RU/features/config-metadata.json
index 9f593fc503..b8eade166a 100644
--- a/dashboard/src/i18n/locales/ru-RU/features/config-metadata.json
+++ b/dashboard/src/i18n/locales/ru-RU/features/config-metadata.json
@@ -1106,6 +1106,50 @@
                         "description": "Путь к сертификату CA SSL",
                         "hint": "Опционально. Путь к сертификату CA."
                     }
+                },
+                "totp": {
+                    "enable": {
+                        "description": "Включить TOTP для WebUI",
+                        "hint": "Когда включено, TOTP-код требуется для входа в панель управления."
+                    },
+                    "manage": "Управление",
+                    "configuration": "TOTP",
+                    "statusPending": "Требуется настройка",
+                    "statusEnabled": "Включено",
+                    "setupRequiredHint": "TOTP включен, но ещё не настроен. Откройте «Управление», чтобы завершить настройку.",
+                    "setupTitle": "Настройка TOTP",
+                    "setupSubtitle": "Отсканируйте QR-код в приложении-аутентификаторе и введите код подтверждения.",
+                    "setupConfirm": "Подтвердить и продолжить",
+                    "activeSubtitle": "Используйте этот QR-код или секрет для добавления нового устройства-аутентификатора.",
+                    "rotateTitle": "Смена секрета TOTP",
+                    "rotateSubtitle": "Сгенерируйте новый секрет и подтвердите его перед заменой текущего.",
+                    "rotate": "Сменить",
+                    "rotateRecovery": "Сменить код восстановления",
+                    "rotateRecoveryTitle": "Смена кода восстановления",
+                    "rotateRecoverySubtitle": "Введите код из приложения-аутентификатора, чтобы сгенерировать новый код восстановления.",
+                    "rotateRecoveryCode": "Код подтверждения",
+                    "rotateRecoveryConfirm": "Создать новый код",
+                    "rotateRecoveryMissingSecret": "Отсутствует TOTP-секрет. Сначала завершите настройку.",
+                    "rotateConfirm": "Подтвердить смену",
+                    "rotateCancel": "Отмена",
+                    "rotateCode": "Код подтверждения",
+                    "rotateCodeHint": "Введите код из приложения-аутентификатора для подтверждения нового ключа.",
+                    "rotateError": "Неверный код, попробуйте снова.",
+                    "recoveryTitle": "Коды восстановления",
+                    "recoverySubtitle": "Этот код показывается один раз. Сохраните его перед продолжением.",
+                    "recoveryWarning": "При утере этого кода восстановить доступ к учётной записи обычными средствами будет невозможно.",
+                    "recoveryAcknowledge": "Я сохранил(а) коды восстановления",
+                    "recoveryClose": "Готово",
+                    "disableTitle": "Отключить TOTP",
+                    "disableSubtitle": "Введите код подтверждения для отключения двухфакторной аутентификации.",
+                    "disableRecoverySubtitle": "Введите код восстановления для отключения двухфакторной аутентификации.",
+                    "disableCode": "Код подтверждения",
+                    "disableRecoveryCode": "Код восстановления",
+                    "disableConfirm": "Отключить",
+                    "disableCancel": "Отмена",
+                    "disableError": "Ошибка проверки. Попробуйте снова.",
+                    "disableUseRecovery": "Не можете использовать TOTP?",
+                    "disableUseCode": "Использовать код подтверждения"
                 }
             },
             "timezone": {
diff --git a/dashboard/src/i18n/locales/zh-CN/features/auth.json b/dashboard/src/i18n/locales/zh-CN/features/auth.json
index c6cc4efe32..00b1b511ee 100644
--- a/dashboard/src/i18n/locales/zh-CN/features/auth.json
+++ b/dashboard/src/i18n/locales/zh-CN/features/auth.json
@@ -2,18 +2,46 @@
   "login": "登录",
   "username": "用户名",
   "password": "密码",
-  "defaultHint": "如果是第一次登录，请留意日志输出的默认密码",
+  "defaultHint": "如果这是首次登录，请在日志中查看默认密码。",
+  "totp": {
+    "code": "验证码",
+    "verify": "验证",
+    "trustDevice": "信任此设备 30 天"
+  },
+  "recovery": {
+    "title": "恢复码登录",
+    "subtitle": "无法使用认证器应用时，可通过恢复码登录。",
+    "code": "恢复码",
+    "submit": "使用恢复码登录",
+    "useRecoveryCode": "无法使用 TOTP？",
+    "backToLogin": "返回登录",
+    "savedWarning": "若恢复码丢失将无法通过常规途径恢复账户访问权限。",
+    "continue": "继续",
+    "acknowledge": "我已保存恢复码",
+    "totpDisableWarning": "使用恢复码登录将禁用双因素认证。"
+  },
   "setup": {
     "title": "设置账户",
     "subtitle": "创建用于管理 AstrBot 的账户",
     "username": "新用户名",
     "password": "新密码",
     "confirmPassword": "确认新密码",
-    "passwordHint": "长度至少 8 位，且包含大写字母、小写字母和数字",
+    "passwordHint": "长度至少 8 位，并包含大写字母、小写字母和数字。",
     "submit": "完成设置",
+    "totp": {
+      "code": "验证码",
+      "qrAlt": "TOTP 二维码",
+      "title": "完成 TOTP 配置",
+      "subtitle": "使用认证器应用扫描二维码，以完成双因素认证配置。",
+      "step2Hint": "使用认证器应用（如 Google Authenticator、Authy）扫描此二维码，然后输入验证码。",
+      "verify": "验证并完成",
+      "verifyError": "验证失败，请输入认证器应用中的最新验证码。",
+      "disableError": "无法关闭 TOTP，请重试。",
+      "back": "返回"
+    },
     "validation": {
       "usernameRequired": "请输入用户名",
-      "usernameMinLength": "用户名长度至少3位",
+      "usernameMinLength": "用户名长度至少 3 位",
       "passwordRequired": "请输入密码",
       "passwordMinLength": "密码长度至少 8 位",
       "passwordUppercase": "密码必须包含至少一个大写字母",
@@ -31,4 +59,4 @@
     "switchToDark": "切换到深色主题",
     "switchToLight": "切换到浅色主题"
   }
-} 
+}
diff --git a/dashboard/src/i18n/locales/zh-CN/features/config-metadata.json b/dashboard/src/i18n/locales/zh-CN/features/config-metadata.json
index 59c0104de2..b22c8ffdab 100644
--- a/dashboard/src/i18n/locales/zh-CN/features/config-metadata.json
+++ b/dashboard/src/i18n/locales/zh-CN/features/config-metadata.json
@@ -1107,6 +1107,50 @@
             "description": "SSL CA 证书文件路径",
             "hint": "可选。用于指定 CA 证书文件路径。"
           }
+        },
+        "totp": {
+          "enable": {
+            "description": "启用 WebUI TOTP 双因素认证",
+            "hint": "启用后，登录 WebUI 需要额外输入验证码。"
+          },
+          "manage": "管理",
+          "configuration": "TOTP",
+          "statusPending": "需完成设置",
+          "statusEnabled": "已启用",
+          "setupRequiredHint": "TOTP 已开启但尚未完成配置，请点击“管理”完成初始化。",
+          "setupTitle": "设置 TOTP",
+          "setupSubtitle": "请使用认证器应用扫描二维码，然后输入验证码。",
+          "setupConfirm": "验证并继续",
+          "activeSubtitle": "可使用此二维码和密钥添加新的认证器设备。",
+          "rotateTitle": "更换 TOTP 密钥",
+          "rotateSubtitle": "生成新密钥并完成验证后，将替换当前密钥。",
+          "rotate": "更换密钥",
+          "rotateRecovery": "更换恢复码",
+          "rotateRecoveryTitle": "更换恢复码",
+          "rotateRecoverySubtitle": "请输入认证器中的验证码以生成新的恢复码。",
+          "rotateRecoveryCode": "验证码",
+          "rotateRecoveryConfirm": "生成新恢复码",
+          "rotateRecoveryMissingSecret": "TOTP 密钥缺失，请先完成初始化。",
+          "rotateConfirm": "确认更换",
+          "rotateCancel": "取消",
+          "rotateCode": "验证码",
+          "rotateCodeHint": "输入认证器应用中的验证码以确认新密钥。",
+          "rotateError": "验证码无效，请重试。",
+          "recoveryTitle": "恢复码",
+          "recoverySubtitle": "恢复码仅展示一次，请在继续前妥善保存。",
+          "recoveryWarning": "若恢复码丢失将无法通过常规途径恢复账户访问权限。",
+          "recoveryAcknowledge": "我已保存恢复码",
+          "recoveryClose": "完成",
+          "disableTitle": "关闭 TOTP",
+          "disableSubtitle": "输入验证码以确认关闭双因素认证。",
+          "disableRecoverySubtitle": "输入恢复码以确认关闭双因素认证。",
+          "disableCode": "验证码",
+          "disableRecoveryCode": "恢复码",
+          "disableConfirm": "确认关闭",
+          "disableCancel": "取消",
+          "disableError": "验证失败，请重试。",
+          "disableUseRecovery": "无法使用TOTP?",
+          "disableUseCode": "使用验证码"
         }
       },
       "timezone": {
diff --git a/dashboard/src/main.ts b/dashboard/src/main.ts
index 61cf487ab4..ce5514207c 100644
--- a/dashboard/src/main.ts
+++ b/dashboard/src/main.ts
@@ -128,6 +128,16 @@ axios.interceptors.request.use((config) => {
   return config;
 });
 
+axios.interceptors.response.use(
+  (response) => response,
+  (error) => {
+    if (error.response?.status === 429 && error.response?.data?.message) {
+      return Promise.reject(error.response.data.message);
+    }
+    return Promise.reject(error);
+  }
+);
+
 // Keep fetch() calls consistent with axios by automatically attaching the JWT.
 // Some parts of the UI use fetch directly; without this, those requests will 401.
 const _origFetch = window.fetch.bind(window);
diff --git a/dashboard/src/router/index.ts b/dashboard/src/router/index.ts
index 32f138ddb6..85a99f65ff 100644
--- a/dashboard/src/router/index.ts
+++ b/dashboard/src/router/index.ts
@@ -17,7 +17,12 @@ export const router = createRouter({
 interface AuthStore {
   username: string;
   returnUrl: string | null;
-  login(username: string, password: string): Promise<void>;
+  login(
+    username: string,
+    password: string,
+    code?: string,
+    trustDeviceToken?: boolean,
+  ): Promise<void | 'totp_required'>;
   logout(): void;
   has_token(): boolean;
 }
@@ -41,7 +46,8 @@ router.beforeEach(async (to, from, next) => {
     if (authRequired && !auth.has_token()) {
       auth.returnUrl = to.fullPath;
       return next('/auth/login');
-    } else next();
+    }
+    return next();
   } else {
     next();
   }
diff --git a/dashboard/src/stores/auth.ts b/dashboard/src/stores/auth.ts
index bb8b331c16..7550497db2 100644
--- a/dashboard/src/stores/auth.ts
+++ b/dashboard/src/stores/auth.ts
@@ -6,7 +6,7 @@ export const useAuthStore = defineStore("auth", {
   state: () => ({
     // @ts-ignore
     username: '',
-    returnUrl: null
+    returnUrl: null,
   }),
   actions: {
     async finishAuthenticatedSession(data: any): Promise<void> {
@@ -46,13 +46,26 @@ export const useAuthStore = defineStore("auth", {
         router.push('/welcome');
       }
     },
-    async login(username: string, password: string): Promise<void> {
+    async login(
+      username: string,
+      password: string,
+      code?: string,
+      trustDeviceToken = false,
+    ): Promise<'totp_required' | void> {
       try {
         const res = await axios.post('/api/auth/login', {
           username: username,
-          password: password
+          password: password,
+          code: code,
+          trust_device_flag: trustDeviceToken,
+        }, {
+          validateStatus: (status) => (status >= 200 && status < 300) || status === 401
         });
-    
+
+        if (res.status === 401 && res.data?.data?.totp_required) {
+          return 'totp_required';
+        }
+
         if (res.data.status === 'error') {
           return Promise.reject(res.data.message);
         }
@@ -62,13 +75,17 @@ export const useAuthStore = defineStore("auth", {
         return Promise.reject(error);
       }
     },
-    async setup(username: string, password: string, confirmPassword: string): Promise<void> {
+    async setup(
+      username: string,
+      password: string,
+      confirmPassword: string,
+    ): Promise<void> {
       try {
-        const setupEndpoint = this.has_token() ? '/api/auth/setup-authenticated' : '/api/auth/setup';
-        const res = await axios.post(setupEndpoint, {
+        const endpoint = this.has_token() ? '/api/auth/setup-authenticated' : '/api/auth/setup';
+        const res = await axios.post(endpoint, {
           username: username,
           password: password,
-          confirm_password: confirmPassword
+          confirm_password: confirmPassword,
         });
 
         if (res.data.status === 'error') {
diff --git a/dashboard/src/views/authentication/authForms/AuthLogin.vue b/dashboard/src/views/authentication/authForms/AuthLogin.vue
index a17649ec8c..14635bce9d 100644
--- a/dashboard/src/views/authentication/authForms/AuthLogin.vue
+++ b/dashboard/src/views/authentication/authForms/AuthLogin.vue
@@ -1,60 +1,141 @@
 <script setup lang="ts">
-import { ref, useCssModule } from 'vue';
+import { ref } from 'vue';
 import { useAuthStore } from '@/stores/auth';
-import { Form } from 'vee-validate';
 import { useModuleI18n } from '@/i18n/composables';
+import AuthStageAccount from './stages/AuthStageAccount.vue';
+import AuthStageTotp from './stages/AuthStageTotp.vue';
+import AuthStageRecovery from './stages/AuthStageRecovery.vue';
 
 const { tm: t } = useModuleI18n('features/auth');
+const authStore = useAuthStore();
 
-const valid = ref(false);
-const show1 = ref(false);
-const password = ref('');
 const username = ref('');
+const password = ref('');
+const totpCode = ref('');
+const trustTotpDevice = ref(false);
+const recoveryCode = ref('');
 const loading = ref(false);
+const apiError = ref('');
+const stage = ref<'account' | 'totp' | 'recovery'>('account');
 
-/* eslint-disable @typescript-eslint/no-explicit-any */
-async function validate(values: any, { setErrors }: any) {
-  loading.value = true;
-
-  const authStore = useAuthStore();
-  // @ts-ignore
-  authStore.returnUrl = new URLSearchParams(window.location.search).get('redirect');
-  return authStore.login(username.value, password.value).then((res) => {
-    console.log(res);
-    loading.value = false;
-  }).catch((err) => {
-    setErrors({ apiError: err });
-    loading.value = false;
-  });
+function resetTotpStage() {
+  totpCode.value = '';
+  trustTotpDevice.value = false;
 }
 
-</script>
+function goToAccountStage() {
+  stage.value = 'account';
+  apiError.value = '';
+  resetTotpStage();
+}
 
-<template>
-  <Form @submit="validate" class="mt-4 login-form" v-slot="{ errors, isSubmitting }">
-    <v-text-field v-model="username" :label="t('username')" class="mb-6 input-field" required hide-details="auto"
-      variant="outlined" prepend-inner-icon="mdi-account" :disabled="loading"></v-text-field>
+function goToTotpStage() {
+  stage.value = 'totp';
+  apiError.value = '';
+}
 
-    <v-text-field v-model="password" :label="t('password')" required variant="outlined" hide-details="auto"
-      :append-inner-icon="show1 ? 'mdi-eye' : 'mdi-eye-off'" :type="show1 ? 'text' : 'password'"
-      @click:append-inner="show1 = !show1" class="pwd-input" prepend-inner-icon="mdi-lock" :disabled="loading"></v-text-field>
+function goToRecoveryStage() {
+  stage.value = 'recovery';
+  apiError.value = '';
+  recoveryCode.value = '';
+}
 
-    <div class="mt-2">
-      <small style="color: grey;">{{ t('defaultHint') }}</small>
-    </div>
+async function submitAccountStage() {
+  if (!username.value || !password.value) {
+    return;
+  }
+  loading.value = true;
+  apiError.value = '';
+  try {
+    // @ts-ignore
+    authStore.returnUrl = new URLSearchParams(window.location.search).get('redirect');
+    const res = await authStore.login(username.value, password.value);
+    if (res === 'totp_required') {
+      goToTotpStage();
+    }
+  } catch (err) {
+    apiError.value = String(err || '') || 'Login failed';
+  } finally {
+    loading.value = false;
+  }
+}
 
+async function submitTotpStage() {
+  if (!totpCode.value) {
+    return;
+  }
+  loading.value = true;
+  apiError.value = '';
+  try {
+    await authStore.login(
+      username.value,
+      password.value,
+      totpCode.value,
+      trustTotpDevice.value,
+    );
+  } catch (err) {
+    apiError.value = String(err || '') || 'Verification failed';
+  } finally {
+    loading.value = false;
+  }
+}
 
-    <v-btn color="secondary" :loading="isSubmitting || loading" block class="login-btn mt-8" variant="flat" size="large"
-      :disabled="valid" type="submit">
-      <span class="login-btn-text">{{ t('login') }}</span>
-    </v-btn>
+async function submitRecoveryStage() {
+  if (!recoveryCode.value) {
+    return;
+  }
+  loading.value = true;
+  apiError.value = '';
+  try {
+    await authStore.login(username.value, password.value, recoveryCode.value);
+  } catch (err) {
+    apiError.value = String(err || '') || 'Recovery login failed';
+  } finally {
+    loading.value = false;
+  }
+}
+</script>
 
-    <div v-if="errors.apiError" class="mt-4 error-container">
+<template>
+  <div class="mt-4 login-form">
+    <AuthStageAccount
+      v-if="stage === 'account'"
+      :username="username"
+      :password="password"
+      :loading="loading"
+      @update:username="(value) => (username = value)"
+      @update:password="(value) => (password = value)"
+      @submit="submitAccountStage"
+    />
+
+    <AuthStageTotp
+      v-else-if="stage === 'totp'"
+      :username="username"
+      :code="totpCode"
+      :trust-device="trustTotpDevice"
+      :loading="loading"
+      @update:code="(value) => (totpCode = value)"
+      @update:trust-device="(value) => (trustTotpDevice = value)"
+      @submit="submitTotpStage"
+      @back="goToAccountStage"
+      @use-recovery="goToRecoveryStage"
+    />
+
+    <AuthStageRecovery
+      v-else
+      :code="recoveryCode"
+      :loading="loading"
+      @update:code="(value) => (recoveryCode = value)"
+      @submit="submitRecoveryStage"
+      @back="goToTotpStage"
+    />
+
+    <div v-if="apiError" class="mt-4 error-container">
       <v-alert color="error" variant="tonal" icon="mdi-alert-circle" border="start">
-        {{ errors.apiError }}
+        {{ apiError }}
       </v-alert>
     </div>
-  </Form>
+  </div>
 </template>
 
 <style lang="scss">
@@ -64,7 +145,8 @@ async function validate(values: any, { setErrors }: any) {
   }
 
   .input-field,
-  .pwd-input {
+  .pwd-input,
+  .recovery-code-field {
     .v-field__field {
       padding-top: 5px;
       padding-bottom: 5px;
@@ -122,19 +204,47 @@ async function validate(values: any, { setErrors }: any) {
     }
   }
 
-  .hint-text {
-    color: var(--v-theme-secondaryText);
-    padding-left: 5px;
-  }
-
   .error-container {
     .v-alert {
       border-left-width: 4px !important;
     }
   }
-}
 
-.custom-divider {
-  border-color: rgba(0, 0, 0, 0.08) !important;
+  .account-stage-header {
+    display: flex;
+    align-items: center;
+    justify-content: space-between;
+    padding: 6px 0 4px;
+  }
+
+  .account-stage-user {
+    font-size: 0.95rem;
+    font-weight: 600;
+    color: rgba(var(--v-theme-on-surface), 0.85);
+  }
+
+  .recovery-code-section {
+    .recovery-code-label {
+      display: block;
+      font-size: 0.9rem;
+      font-weight: 500;
+      margin-bottom: 8px;
+      color: rgba(var(--v-theme-on-surface), 0.85);
+    }
+
+    .recovery-code-field :deep(input) {
+      text-align: center;
+      font-size: 1.05rem;
+      font-weight: 600;
+      letter-spacing: 1.5px;
+    }
+
+    .recovery-hint {
+      display: block;
+      margin-top: 6px;
+      color: grey;
+      font-size: 0.8rem;
+    }
+  }
 }
 </style>
diff --git a/dashboard/src/views/authentication/authForms/stages/AuthStageAccount.vue b/dashboard/src/views/authentication/authForms/stages/AuthStageAccount.vue
new file mode 100644
index 0000000000..2464525394
--- /dev/null
+++ b/dashboard/src/views/authentication/authForms/stages/AuthStageAccount.vue
@@ -0,0 +1,72 @@
+<script setup lang="ts">
+import { ref } from 'vue';
+import { useModuleI18n } from '@/i18n/composables';
+
+const { tm: t } = useModuleI18n('features/auth');
+
+const props = defineProps<{
+  username: string;
+  password: string;
+  loading: boolean;
+}>();
+
+const emit = defineEmits<{
+  (e: 'update:username', value: string): void;
+  (e: 'update:password', value: string): void;
+  (e: 'submit'): void;
+}>();
+
+const showPassword = ref(false);
+
+function onSubmit() {
+  emit('submit');
+}
+</script>
+
+<template>
+  <v-text-field
+    :model-value="props.username"
+    :label="t('username')"
+    class="mb-6 input-field"
+    required
+    hide-details="auto"
+    variant="outlined"
+    prepend-inner-icon="mdi-account"
+    :disabled="props.loading"
+    @update:model-value="(value: string) => emit('update:username', value)"
+    @keyup.enter="onSubmit"
+  ></v-text-field>
+
+  <v-text-field
+    :model-value="props.password"
+    :label="t('password')"
+    required
+    variant="outlined"
+    hide-details="auto"
+    :append-inner-icon="showPassword ? 'mdi-eye' : 'mdi-eye-off'"
+    :type="showPassword ? 'text' : 'password'"
+    @click:append-inner="showPassword = !showPassword"
+    class="pwd-input"
+    prepend-inner-icon="mdi-lock"
+    :disabled="props.loading"
+    @update:model-value="(value: string) => emit('update:password', value)"
+    @keyup.enter="onSubmit"
+  ></v-text-field>
+
+  <div class="mt-2">
+    <small style="color: grey;">{{ t('defaultHint') }}</small>
+  </div>
+
+  <v-btn
+    color="secondary"
+    block
+    class="login-btn mt-8"
+    variant="flat"
+    size="large"
+    :loading="props.loading"
+    :disabled="props.loading || !props.username || !props.password"
+    @click="onSubmit"
+  >
+    <span class="login-btn-text">{{ t('login') }}</span>
+  </v-btn>
+</template>
diff --git a/dashboard/src/views/authentication/authForms/stages/AuthStageRecovery.vue b/dashboard/src/views/authentication/authForms/stages/AuthStageRecovery.vue
new file mode 100644
index 0000000000..376b0664eb
--- /dev/null
+++ b/dashboard/src/views/authentication/authForms/stages/AuthStageRecovery.vue
@@ -0,0 +1,80 @@
+<script setup lang="ts">
+import { useModuleI18n } from '@/i18n/composables';
+
+const { tm: t } = useModuleI18n('features/auth');
+
+const props = defineProps<{
+  code: string;
+  loading: boolean;
+}>();
+
+const emit = defineEmits<{
+  (e: 'update:code', value: string): void;
+  (e: 'submit'): void;
+  (e: 'back'): void;
+}>();
+
+function normalizeRecoveryCode(code: string): string {
+  return code.toUpperCase().replace(/[^A-Z2-7]/g, '').slice(0, 32);
+}
+
+function formatRecoveryCode(code: string): string {
+  const normalized = normalizeRecoveryCode(code);
+  const groups = normalized.match(/.{1,8}/g);
+  return groups ? groups.join('-') : '';
+}
+
+function onCodeInput(raw: string) {
+  emit('update:code', formatRecoveryCode(raw));
+}
+
+function isRecoveryCodeComplete(code: string): boolean {
+  return normalizeRecoveryCode(code).length === 32;
+}
+
+function onSubmit() {
+  emit('submit');
+}
+</script>
+
+<template>
+  <div class="account-stage-header">
+    <div class="account-stage-user">{{ t('recovery.title') }}</div>
+    <v-btn variant="text" size="small" color="primary" :disabled="props.loading" @click="emit('back')">
+      {{ t('setup.totp.back') }}
+    </v-btn>
+  </div>
+
+  <div class="recovery-code-section mt-2">
+    <v-alert color="warning" variant="tonal" icon="mdi-alert" class="mb-4" density="compact">
+      {{ t('recovery.totpDisableWarning') }}
+    </v-alert>
+
+    <label class="recovery-code-label">{{ t('recovery.code') }}</label>
+    <v-text-field
+      :model-value="props.code"
+      class="recovery-code-field"
+      variant="outlined"
+      hide-details
+      :disabled="props.loading"
+      density="comfortable"
+      maxlength="35"
+      prepend-inner-icon="mdi-key-variant"
+      @update:model-value="(value: string) => onCodeInput(value)"
+      @keyup.enter="onSubmit"
+    ></v-text-field>
+  </div>
+
+  <v-btn
+    color="secondary"
+    block
+    class="login-btn mt-4"
+    variant="flat"
+    size="large"
+    :loading="props.loading"
+    :disabled="props.loading || !isRecoveryCodeComplete(props.code)"
+    @click="onSubmit"
+  >
+    <span class="login-btn-text">{{ t('recovery.submit') }}</span>
+  </v-btn>
+</template>
diff --git a/dashboard/src/views/authentication/authForms/stages/AuthStageTotp.vue b/dashboard/src/views/authentication/authForms/stages/AuthStageTotp.vue
new file mode 100644
index 0000000000..ae11926d6f
--- /dev/null
+++ b/dashboard/src/views/authentication/authForms/stages/AuthStageTotp.vue
@@ -0,0 +1,80 @@
+<script setup lang="ts">
+import { useModuleI18n } from '@/i18n/composables';
+
+const { tm: t } = useModuleI18n('features/auth');
+
+const props = defineProps<{
+  username: string;
+  code: string;
+  trustDevice: boolean;
+  loading: boolean;
+}>();
+
+const emit = defineEmits<{
+  (e: 'update:code', value: string): void;
+  (e: 'update:trustDevice', value: boolean): void;
+  (e: 'submit'): void;
+  (e: 'back'): void;
+  (e: 'useRecovery'): void;
+}>();
+
+function onSubmit() {
+  emit('submit');
+}
+</script>
+
+<template>
+  <div class="account-stage-header">
+    <div class="account-stage-user">{{ props.username }}</div>
+    <v-btn variant="text" size="small" color="primary" :disabled="props.loading" @click="emit('back')">
+      {{ t('setup.totp.back') }}
+    </v-btn>
+  </div>
+
+  <div class="mt-2">
+    <small style="color: grey;">{{ t('totp.verify') }}</small>
+  </div>
+
+  <v-text-field
+    :model-value="props.code"
+    :label="t('totp.code')"
+    class="mt-6 mb-2 input-field"
+    required
+    hide-details="auto"
+    variant="outlined"
+    prepend-inner-icon="mdi-shield-key"
+    :disabled="props.loading"
+    inputmode="numeric"
+    @update:model-value="(value: string) => emit('update:code', value)"
+    @keyup.enter="onSubmit"
+  ></v-text-field>
+
+  <v-checkbox
+    :model-value="props.trustDevice"
+    :label="t('totp.trustDevice')"
+    color="secondary"
+    density="comfortable"
+    hide-details
+    class="mt-1"
+    @update:model-value="(value: boolean | null) => emit('update:trustDevice', !!value)"
+  ></v-checkbox>
+
+  <div class="text-center mt-2">
+    <v-btn variant="text" size="small" color="primary" :disabled="props.loading" @click="emit('useRecovery')">
+      {{ t('recovery.useRecoveryCode') }}
+    </v-btn>
+  </div>
+
+  <v-btn
+    color="secondary"
+    block
+    class="login-btn mt-8"
+    variant="flat"
+    size="large"
+    :loading="props.loading"
+    :disabled="props.loading || !props.code"
+    @click="onSubmit"
+  >
+    <span class="login-btn-text">{{ t('totp.verify') }}</span>
+  </v-btn>
+</template>
diff --git a/pyproject.toml b/pyproject.toml
index 593160d394..4739cc9398 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -65,6 +65,7 @@ dependencies = [
   "pysocks>=1.7.1",
   "packaging>=24.2",
   "python-ripgrep==0.0.8",
+  "pyotp>=2.9.0",
 ]
 
 [dependency-groups]
diff --git a/requirements.txt b/requirements.txt
index e667c67559..36ed53fb57 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -54,3 +54,4 @@ shipyard-neo-sdk>=0.2.0
 packaging>=24.2
 qrcode>=8.2
 python-ripgrep==0.0.8
+pyotp>=2.9.0

From 02e1323a9a0f636eaf126d60a2cbd961de19033f Mon Sep 17 00:00:00 2001
From: Raven95676 <raven95676@gmail.com>
Date: Thu, 14 May 2026 20:14:46 +0800
Subject: [PATCH 2/7] fix: ensure TOTP verification uses UTC for accurate time
 comparison

---
 astrbot/core/utils/totp.py  |  2 +-
 astrbot/dashboard/server.py | 35 +++++++++++++++++------------------
 2 files changed, 18 insertions(+), 19 deletions(-)

diff --git a/astrbot/core/utils/totp.py b/astrbot/core/utils/totp.py
index 31a1b5bff9..05dcab1c56 100644
--- a/astrbot/core/utils/totp.py
+++ b/astrbot/core/utils/totp.py
@@ -48,7 +48,7 @@ def _get_verified_totp_timecode(secret: str, code: str) -> int | None:
     code = code.strip()
     try:
         totp = pyotp.TOTP(secret.strip())
-        now = datetime.datetime.now()
+        now = datetime.datetime.now(datetime.timezone.utc)
         for offset in (-1, 0, 1):
             candidate_time = now + datetime.timedelta(seconds=offset * totp.interval)
             if hmac.compare_digest(str(totp.at(candidate_time)), code):
diff --git a/astrbot/dashboard/server.py b/astrbot/dashboard/server.py
index 29417d8aa2..b3a33f18be 100644
--- a/astrbot/dashboard/server.py
+++ b/astrbot/dashboard/server.py
@@ -42,14 +42,12 @@
 from .routes.subagent import SubAgentRoute
 from .routes.t2i import T2iRoute
 
-_RATE_LIMITED_ENDPOINTS: frozenset = frozenset(
-    {
-        "/api/auth/totp/disable",
-        "/api/auth/totp/setup",
-        "/api/auth/login",
-        "/api/auth/totp/verify-setup",
-    }
-)
+_RATE_LIMITED_ENDPOINTS: frozenset = frozenset({
+    "/api/auth/totp/disable",
+    "/api/auth/totp/setup",
+    "/api/auth/login",
+    "/api/auth/totp/verify-setup",
+})
 
 
 class _AuthRateLimiter:
@@ -98,15 +96,13 @@ def _match_registered_web_api(registered_web_apis, subpath: str, method: str):
         if request_method not in allowed_methods:
             continue
 
-        url_map = Map(
-            [
-                Rule(
-                    _normalize_plugin_api_route(route),
-                    endpoint="plugin_api",
-                    methods=allowed_methods,
-                ),
-            ]
-        )
+        url_map = Map([
+            Rule(
+                _normalize_plugin_api_route(route),
+                endpoint="plugin_api",
+                methods=allowed_methods,
+            ),
+        ])
         try:
             _, path_values = url_map.bind("").match(
                 request_path,
@@ -279,7 +275,10 @@ async def auth_middleware(self):
             await self.db.touch_api_key(api_key.key_id)
             return None
 
-        if os.environ.get("ASTRBOT_TEST_MODE") != "true" and request.path in _RATE_LIMITED_ENDPOINTS:
+        if (
+            os.environ.get("ASTRBOT_TEST_MODE") != "true"
+            and request.path in _RATE_LIMITED_ENDPOINTS
+        ):
             limiter = _rate_limiters.get(request.path)
             if limiter is None:
                 limiter = _AuthRateLimiter(capacity=3, refill_rate=1.0)

From e1d0501515f3a9532ea0bf695975aec5231b9f8f Mon Sep 17 00:00:00 2001
From: Raven95676 <raven95676@gmail.com>
Date: Thu, 14 May 2026 20:20:05 +0800
Subject: [PATCH 3/7] fix: update recovery code validation logic for disabling
 TOTP

---
 .../components/shared/DashboardTotpDisableDialog.vue   | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/dashboard/src/components/shared/DashboardTotpDisableDialog.vue b/dashboard/src/components/shared/DashboardTotpDisableDialog.vue
index fc62e8b071..2019be0cc3 100644
--- a/dashboard/src/components/shared/DashboardTotpDisableDialog.vue
+++ b/dashboard/src/components/shared/DashboardTotpDisableDialog.vue
@@ -42,7 +42,7 @@
               color="error"
               variant="tonal"
               :loading="verifying"
-              :disabled="!recoveryCode || recoveryCode.length < 5"
+              :disabled="!isValidRecoveryCode"
               @click="confirmDisable"
             >
               {{ tm('system_group.system.dashboard.totp.disableConfirm') }}
@@ -91,7 +91,7 @@
 </template>
 
 <script setup>
-import { ref } from 'vue'
+import { computed, ref } from 'vue'
 import axios from 'axios'
 import { useModuleI18n } from '@/i18n/composables'
 
@@ -104,6 +104,12 @@ const showRecovery = ref(false)
 const verifying = ref(false)
 const errorMsg = ref('')
 
+const isValidRecoveryCode = computed(() => {
+  if (!recoveryCode.value) return false
+  const normalized = recoveryCode.value.replace(/[^A-Za-z0-9]/g, '')
+  return normalized.length === 32
+})
+
 function resetState() {
   code.value = ''
   recoveryCode.value = ''

From 280f255926142908cef019226dc3dfabff057384 Mon Sep 17 00:00:00 2001
From: Raven95676 <raven95676@gmail.com>
Date: Thu, 14 May 2026 20:42:42 +0800
Subject: [PATCH 4/7] test: add unit tests for TOTP functionality and recovery
 code validation

---
 tests/test_dashboard.py       | 347 ++++++++++++++++++++++++++++++++++
 tests/unit/test_totp_utils.py |  98 ++++++++++
 2 files changed, 445 insertions(+)
 create mode 100644 tests/unit/test_totp_utils.py

diff --git a/tests/test_dashboard.py b/tests/test_dashboard.py
index 86bdf455ef..41c7cda29c 100644
--- a/tests/test_dashboard.py
+++ b/tests/test_dashboard.py
@@ -12,6 +12,7 @@
 from types import SimpleNamespace
 from urllib.parse import parse_qs, urlsplit, urlunsplit
 
+import pyotp
 import pytest
 import pytest_asyncio
 from quart import Quart, jsonify
@@ -28,6 +29,10 @@
     verify_dashboard_password,
 )
 from astrbot.core.utils.pip_installer import PipInstallError
+from astrbot.core.utils.totp import (
+    TOTP_TRUSTED_DEVICE_COOKIE_NAME,
+    generate_recovery_code,
+)
 from astrbot.dashboard.password_state import (
     get_dashboard_password_hash,
     is_password_change_required,
@@ -356,6 +361,348 @@ async def test_auth_login_secure_cookie_override(
     assert "SameSite=Strict" in jwt_cookie_header
 
 
+@pytest.mark.asyncio
+async def test_auth_login_requires_totp_when_enabled_and_not_trusted(
+    app: Quart,
+    core_lifecycle_td: AstrBotCoreLifecycle,
+):
+    original_dashboard_config = copy.deepcopy(
+        core_lifecycle_td.astrbot_config["dashboard"]
+    )
+    test_client = app.test_client()
+    _, recovery_code_hash = generate_recovery_code()
+    secret = pyotp.random_base32()
+
+    try:
+        core_lifecycle_td.astrbot_config["dashboard"]["totp"] = {
+            "enable": True,
+            "secret": secret,
+            "recovery_code_hash": recovery_code_hash,
+        }
+        response = await test_client.post(
+            "/api/auth/login",
+            json={
+                "username": core_lifecycle_td.astrbot_config["dashboard"]["username"],
+                "password": _resolve_dashboard_password(core_lifecycle_td),
+            },
+        )
+        data = await response.get_json()
+        assert response.status_code == 401
+        assert data["status"] == "error"
+        assert data["data"]["totp_required"] is True
+    finally:
+        await _restore_dashboard_password_state(
+            core_lifecycle_td,
+            original_dashboard_config,
+        )
+
+
+@pytest.mark.asyncio
+async def test_auth_login_accepts_valid_totp_code(
+    app: Quart,
+    core_lifecycle_td: AstrBotCoreLifecycle,
+):
+    original_dashboard_config = copy.deepcopy(
+        core_lifecycle_td.astrbot_config["dashboard"]
+    )
+    test_client = app.test_client()
+    _, recovery_code_hash = generate_recovery_code()
+    secret = pyotp.random_base32()
+
+    try:
+        core_lifecycle_td.astrbot_config["dashboard"]["totp"] = {
+            "enable": True,
+            "secret": secret,
+            "recovery_code_hash": recovery_code_hash,
+        }
+        response = await test_client.post(
+            "/api/auth/login",
+            json={
+                "username": core_lifecycle_td.astrbot_config["dashboard"]["username"],
+                "password": _resolve_dashboard_password(core_lifecycle_td),
+                "code": pyotp.TOTP(secret).now(),
+            },
+        )
+        data = await response.get_json()
+        assert data["status"] == "ok"
+        assert "token" in data["data"]
+    finally:
+        await _restore_dashboard_password_state(
+            core_lifecycle_td,
+            original_dashboard_config,
+        )
+
+
+@pytest.mark.asyncio
+async def test_auth_login_rejects_invalid_totp_code(
+    app: Quart,
+    core_lifecycle_td: AstrBotCoreLifecycle,
+):
+    original_dashboard_config = copy.deepcopy(
+        core_lifecycle_td.astrbot_config["dashboard"]
+    )
+    test_client = app.test_client()
+    _, recovery_code_hash = generate_recovery_code()
+    secret = pyotp.random_base32()
+
+    try:
+        core_lifecycle_td.astrbot_config["dashboard"]["totp"] = {
+            "enable": True,
+            "secret": secret,
+            "recovery_code_hash": recovery_code_hash,
+        }
+        valid_code = pyotp.TOTP(secret).now()
+        invalid_code = str((int(valid_code) + 1) % 1_000_000).zfill(6)
+        response = await test_client.post(
+            "/api/auth/login",
+            json={
+                "username": core_lifecycle_td.astrbot_config["dashboard"]["username"],
+                "password": _resolve_dashboard_password(core_lifecycle_td),
+                "code": invalid_code,
+            },
+        )
+        data = await response.get_json()
+        assert response.status_code == 401
+        assert data["status"] == "error"
+    finally:
+        await _restore_dashboard_password_state(
+            core_lifecycle_td,
+            original_dashboard_config,
+        )
+
+
+@pytest.mark.asyncio
+async def test_auth_login_with_recovery_code_disables_totp(
+    app: Quart,
+    core_lifecycle_td: AstrBotCoreLifecycle,
+):
+    original_dashboard_config = copy.deepcopy(
+        core_lifecycle_td.astrbot_config["dashboard"]
+    )
+    test_client = app.test_client()
+    recovery_code, recovery_code_hash = generate_recovery_code()
+    secret = pyotp.random_base32()
+
+    try:
+        core_lifecycle_td.astrbot_config["dashboard"]["totp"] = {
+            "enable": True,
+            "secret": secret,
+            "recovery_code_hash": recovery_code_hash,
+        }
+        response = await test_client.post(
+            "/api/auth/login",
+            json={
+                "username": core_lifecycle_td.astrbot_config["dashboard"]["username"],
+                "password": _resolve_dashboard_password(core_lifecycle_td),
+                "code": recovery_code,
+            },
+        )
+        data = await response.get_json()
+        assert data["status"] == "ok"
+        assert core_lifecycle_td.astrbot_config["dashboard"]["totp"] == {
+            "enable": False,
+            "secret": "",
+            "recovery_code_hash": "",
+        }
+    finally:
+        await _restore_dashboard_password_state(
+            core_lifecycle_td,
+            original_dashboard_config,
+        )
+
+
+@pytest.mark.asyncio
+async def test_auth_login_sets_trusted_device_cookie_when_flag_true(
+    app: Quart,
+    core_lifecycle_td: AstrBotCoreLifecycle,
+):
+    original_dashboard_config = copy.deepcopy(
+        core_lifecycle_td.astrbot_config["dashboard"]
+    )
+    test_client = app.test_client()
+    _, recovery_code_hash = generate_recovery_code()
+    secret = pyotp.random_base32()
+
+    try:
+        core_lifecycle_td.astrbot_config["dashboard"]["totp"] = {
+            "enable": True,
+            "secret": secret,
+            "recovery_code_hash": recovery_code_hash,
+        }
+        response = await test_client.post(
+            "/api/auth/login",
+            json={
+                "username": core_lifecycle_td.astrbot_config["dashboard"]["username"],
+                "password": _resolve_dashboard_password(core_lifecycle_td),
+                "code": pyotp.TOTP(secret).now(),
+                "trust_device_flag": True,
+            },
+        )
+        data = await response.get_json()
+        assert data["status"] == "ok"
+        set_cookie_headers = response.headers.getlist("Set-Cookie")
+        trusted_cookie_header = next(
+            (
+                value
+                for value in set_cookie_headers
+                if TOTP_TRUSTED_DEVICE_COOKIE_NAME in value
+            ),
+            "",
+        )
+        assert trusted_cookie_header
+        assert "HttpOnly" in trusted_cookie_header
+        assert "SameSite=Strict" in trusted_cookie_header
+        assert "Path=/api/auth" in trusted_cookie_header
+    finally:
+        await _restore_dashboard_password_state(
+            core_lifecycle_td,
+            original_dashboard_config,
+        )
+
+
+@pytest.mark.asyncio
+async def test_auth_login_skips_totp_when_trusted_cookie_valid(
+    app: Quart,
+    core_lifecycle_td: AstrBotCoreLifecycle,
+):
+    original_dashboard_config = copy.deepcopy(
+        core_lifecycle_td.astrbot_config["dashboard"]
+    )
+    test_client = app.test_client()
+    _, recovery_code_hash = generate_recovery_code()
+    secret = pyotp.random_base32()
+
+    try:
+        core_lifecycle_td.astrbot_config["dashboard"]["totp"] = {
+            "enable": True,
+            "secret": secret,
+            "recovery_code_hash": recovery_code_hash,
+        }
+        first_login = await test_client.post(
+            "/api/auth/login",
+            json={
+                "username": core_lifecycle_td.astrbot_config["dashboard"]["username"],
+                "password": _resolve_dashboard_password(core_lifecycle_td),
+                "code": pyotp.TOTP(secret).now(),
+                "trust_device_flag": True,
+            },
+        )
+        first_data = await first_login.get_json()
+        assert first_data["status"] == "ok"
+
+        second_login = await test_client.post(
+            "/api/auth/login",
+            json={
+                "username": core_lifecycle_td.astrbot_config["dashboard"]["username"],
+                "password": _resolve_dashboard_password(core_lifecycle_td),
+            },
+        )
+        second_data = await second_login.get_json()
+        assert second_login.status_code == 200
+        assert second_data["status"] == "ok"
+    finally:
+        await _restore_dashboard_password_state(
+            core_lifecycle_td,
+            original_dashboard_config,
+        )
+
+
+@pytest.mark.asyncio
+async def test_auth_totp_disable_by_totp_code(
+    app: Quart,
+    authenticated_header: dict,
+    core_lifecycle_td: AstrBotCoreLifecycle,
+):
+    original_dashboard_config = copy.deepcopy(
+        core_lifecycle_td.astrbot_config["dashboard"]
+    )
+    test_client = app.test_client()
+    _, recovery_code_hash = generate_recovery_code()
+    secret = pyotp.random_base32()
+
+    try:
+        core_lifecycle_td.astrbot_config["dashboard"]["totp"] = {
+            "enable": True,
+            "secret": secret,
+            "recovery_code_hash": recovery_code_hash,
+        }
+        response = await test_client.post(
+            "/api/auth/totp/disable",
+            headers=authenticated_header,
+            json={"code": pyotp.TOTP(secret).now()},
+        )
+        data = await response.get_json()
+        assert data["status"] == "ok"
+        assert core_lifecycle_td.astrbot_config["dashboard"]["totp"] == {
+            "enable": False,
+            "secret": "",
+            "recovery_code_hash": "",
+        }
+    finally:
+        await _restore_dashboard_password_state(
+            core_lifecycle_td,
+            original_dashboard_config,
+        )
+
+
+@pytest.mark.asyncio
+async def test_auth_totp_verify_setup_with_valid_code_returns_recovery_code(
+    app: Quart,
+    authenticated_header: dict,
+):
+    test_client = app.test_client()
+    secret = pyotp.random_base32()
+    response = await test_client.post(
+        "/api/auth/totp/verify-setup",
+        headers=authenticated_header,
+        json={"secret": secret, "code": pyotp.TOTP(secret).now()},
+    )
+    data = await response.get_json()
+    assert data["status"] == "ok"
+    assert isinstance(data["data"]["recovery_code"], str)
+    assert isinstance(data["data"]["recovery_code_hash"], str)
+    assert data["data"]["recovery_code"]
+    assert data["data"]["recovery_code_hash"]
+
+
+@pytest.mark.asyncio
+async def test_auth_totp_disable_by_recovery_code(
+    app: Quart,
+    authenticated_header: dict,
+    core_lifecycle_td: AstrBotCoreLifecycle,
+):
+    original_dashboard_config = copy.deepcopy(
+        core_lifecycle_td.astrbot_config["dashboard"]
+    )
+    test_client = app.test_client()
+    recovery_code, recovery_code_hash = generate_recovery_code()
+    secret = pyotp.random_base32()
+
+    try:
+        core_lifecycle_td.astrbot_config["dashboard"]["totp"] = {
+            "enable": True,
+            "secret": secret,
+            "recovery_code_hash": recovery_code_hash,
+        }
+        response = await test_client.post(
+            "/api/auth/totp/disable",
+            headers=authenticated_header,
+            json={"code": recovery_code},
+        )
+        data = await response.get_json()
+        assert data["status"] == "ok"
+        assert core_lifecycle_td.astrbot_config["dashboard"]["totp"] == {
+            "enable": False,
+            "secret": "",
+            "recovery_code_hash": "",
+        }
+    finally:
+        await _restore_dashboard_password_state(
+            core_lifecycle_td,
+            original_dashboard_config,
+        )
+
+
 @pytest.mark.asyncio
 async def test_legacy_md5_dashboard_password_keeps_legacy_auth_until_edit(
     app: Quart,
diff --git a/tests/unit/test_totp_utils.py b/tests/unit/test_totp_utils.py
new file mode 100644
index 0000000000..2a8ae83c04
--- /dev/null
+++ b/tests/unit/test_totp_utils.py
@@ -0,0 +1,98 @@
+import pyotp
+import pytest
+
+from astrbot.core.db.sqlite import SQLiteDatabase
+from astrbot.core.utils.totp import (
+    consume_totp_code,
+    generate_recovery_code,
+    is_totp_enabled,
+    is_totp_trusted_device_valid,
+    issue_totp_trusted_device,
+    verify_recovery_code,
+)
+
+
+@pytest.mark.parametrize(
+    ("totp_config", "expected"),
+    [
+        ({}, False),
+        ({"enable": False, "secret": "abc", "recovery_code_hash": "hash"}, False),
+        ({"enable": True, "secret": "", "recovery_code_hash": "hash"}, False),
+        ({"enable": True, "secret": "abc", "recovery_code_hash": ""}, False),
+        ({"enable": True, "secret": "abc", "recovery_code_hash": "hash"}, True),
+    ],
+)
+def test_is_totp_enabled_requires_enable_secret_and_recovery_hash(
+    totp_config: dict,
+    expected: bool,
+):
+    config = {"dashboard": {"totp": totp_config}}
+    assert is_totp_enabled(config) is expected
+
+
+@pytest.mark.asyncio
+async def test_consume_totp_code_prevents_replay_same_timecode():
+    secret = pyotp.random_base32()
+    code = pyotp.TOTP(secret).now()
+    assert await consume_totp_code(secret, code) is True
+    assert await consume_totp_code(secret, code) is False
+
+
+def test_generate_and_verify_recovery_code_roundtrip():
+    recovery_code, recovery_code_hash = generate_recovery_code()
+    config = {"dashboard": {"totp": {"recovery_code_hash": recovery_code_hash}}}
+    assert verify_recovery_code(config, recovery_code) is True
+
+
+def test_verify_recovery_code_rejects_malformed_or_wrong_length():
+    recovery_code, recovery_code_hash = generate_recovery_code()
+    config = {"dashboard": {"totp": {"recovery_code_hash": recovery_code_hash}}}
+    assert verify_recovery_code(config, "abc") is False
+    assert verify_recovery_code(config, recovery_code[:-1]) is False
+
+
+@pytest.mark.asyncio
+async def test_issue_and_validate_trusted_device_token(tmp_path):
+    db = SQLiteDatabase(str(tmp_path / "trusted-device.db"))
+    config = {
+        "dashboard": {
+            "jwt_secret": "test-jwt-secret",
+            "totp": {
+                "enable": True,
+                "secret": pyotp.random_base32(),
+                "recovery_code_hash": "hash",
+            },
+        }
+    }
+    try:
+        token = await issue_totp_trusted_device(config, db)
+        assert isinstance(token, str) and token
+        assert await is_totp_trusted_device_valid(config, db, token) is True
+    finally:
+        await db.engine.dispose()
+
+
+@pytest.mark.asyncio
+async def test_trusted_device_invalid_after_totp_secret_change(tmp_path):
+    db = SQLiteDatabase(str(tmp_path / "trusted-device.db"))
+    old_secret = pyotp.random_base32()
+    new_secret = pyotp.random_base32()
+    config = {
+        "dashboard": {
+            "jwt_secret": "test-jwt-secret",
+            "totp": {
+                "enable": True,
+                "secret": old_secret,
+                "recovery_code_hash": "hash",
+            },
+        }
+    }
+    try:
+        token = await issue_totp_trusted_device(config, db)
+        assert isinstance(token, str) and token
+        assert await is_totp_trusted_device_valid(config, db, token) is True
+
+        config["dashboard"]["totp"]["secret"] = new_secret
+        assert await is_totp_trusted_device_valid(config, db, token) is False
+    finally:
+        await db.engine.dispose()

From 0f6a059c7da3977f9826a4ca0681e3c8e6769532 Mon Sep 17 00:00:00 2001
From: Raven95676 <raven95676@gmail.com>
Date: Thu, 14 May 2026 20:43:19 +0800
Subject: [PATCH 5/7] chore: format

---
 astrbot/dashboard/server.py | 30 +++++++++++++++++-------------
 1 file changed, 17 insertions(+), 13 deletions(-)

diff --git a/astrbot/dashboard/server.py b/astrbot/dashboard/server.py
index b3a33f18be..80643057a8 100644
--- a/astrbot/dashboard/server.py
+++ b/astrbot/dashboard/server.py
@@ -42,12 +42,14 @@
 from .routes.subagent import SubAgentRoute
 from .routes.t2i import T2iRoute
 
-_RATE_LIMITED_ENDPOINTS: frozenset = frozenset({
-    "/api/auth/totp/disable",
-    "/api/auth/totp/setup",
-    "/api/auth/login",
-    "/api/auth/totp/verify-setup",
-})
+_RATE_LIMITED_ENDPOINTS: frozenset = frozenset(
+    {
+        "/api/auth/totp/disable",
+        "/api/auth/totp/setup",
+        "/api/auth/login",
+        "/api/auth/totp/verify-setup",
+    }
+)
 
 
 class _AuthRateLimiter:
@@ -96,13 +98,15 @@ def _match_registered_web_api(registered_web_apis, subpath: str, method: str):
         if request_method not in allowed_methods:
             continue
 
-        url_map = Map([
-            Rule(
-                _normalize_plugin_api_route(route),
-                endpoint="plugin_api",
-                methods=allowed_methods,
-            ),
-        ])
+        url_map = Map(
+            [
+                Rule(
+                    _normalize_plugin_api_route(route),
+                    endpoint="plugin_api",
+                    methods=allowed_methods,
+                ),
+            ]
+        )
         try:
             _, path_values = url_map.bind("").match(
                 request_path,

From 2d12187a953b0bd1d8803597421c100a126a8a75 Mon Sep 17 00:00:00 2001
From: Raven95676 <raven95676@gmail.com>
Date: Thu, 14 May 2026 21:26:55 +0800
Subject: [PATCH 6/7] feat: add trust_proxy_headers switch for auth rate-limit
 IP source

---
 astrbot/core/config/default.py                |   7 ++
 astrbot/dashboard/server.py                   |  25 ++++-
 .../en-US/features/config-metadata.json       |   4 +
 .../ru-RU/features/config-metadata.json       |   4 +
 .../zh-CN/features/config-metadata.json       |   4 +
 tests/test_dashboard.py                       | 102 ++++++++++++++++++
 6 files changed, 144 insertions(+), 2 deletions(-)

diff --git a/astrbot/core/config/default.py b/astrbot/core/config/default.py
index b768f94f24..5379c31643 100644
--- a/astrbot/core/config/default.py
+++ b/astrbot/core/config/default.py
@@ -252,6 +252,7 @@
         "host": "0.0.0.0",
         "port": 6185,
         "disable_access_log": True,
+        "trust_proxy_headers": False,
         "totp": {
             "enable": False,
             "secret": "",
@@ -2971,6 +2972,7 @@
                 "options": ["DEBUG", "INFO", "WARNING", "ERROR", "CRITICAL"],
             },
             "dashboard.ssl.enable": {"type": "bool"},
+            "dashboard.trust_proxy_headers": {"type": "bool"},
             "dashboard.ssl.cert_file": {
                 "type": "string",
                 "condition": {"dashboard.ssl.enable": True},
@@ -4213,6 +4215,11 @@
                         "type": "bool",
                         "hint": "启用后，WebUI 将直接使用 HTTPS 提供服务。",
                     },
+                    "dashboard.trust_proxy_headers": {
+                        "description": "信任代理请求头获取客户端 IP",
+                        "type": "bool",
+                        "hint": "关闭时忽略 X-Forwarded-For/X-Real-IP，仅使用连接地址。",
+                    },
                     "dashboard.totp.enable": {
                         "description": "启用 WebUI TOTP 双因素认证",
                         "type": "bool",
diff --git a/astrbot/dashboard/server.py b/astrbot/dashboard/server.py
index 80643057a8..3f7941c0f3 100644
--- a/astrbot/dashboard/server.py
+++ b/astrbot/dashboard/server.py
@@ -283,10 +283,11 @@ async def auth_middleware(self):
             os.environ.get("ASTRBOT_TEST_MODE") != "true"
             and request.path in _RATE_LIMITED_ENDPOINTS
         ):
-            limiter = _rate_limiters.get(request.path)
+            client_ip = self._get_request_client_ip()
+            limiter = _rate_limiters.get(client_ip)
             if limiter is None:
                 limiter = _AuthRateLimiter(capacity=3, refill_rate=1.0)
-                _rate_limiters[request.path] = limiter
+                _rate_limiters[client_ip] = limiter
             if not await limiter.acquire():
                 r = jsonify(
                     Response()
@@ -345,6 +346,26 @@ async def auth_middleware(self):
             r.status_code = 401
             return r
 
+    def _get_request_client_ip(self) -> str:
+        trust_proxy_headers = bool(
+            self.config.get("dashboard", {}).get("trust_proxy_headers", False)
+        )
+        if trust_proxy_headers:
+            forwarded_for = request.headers.get("X-Forwarded-For", "").strip()
+            if forwarded_for:
+                first_ip = forwarded_for.split(",", 1)[0].strip()
+                if first_ip and first_ip.lower() != "unknown":
+                    return first_ip
+
+            real_ip = request.headers.get("X-Real-IP", "").strip()
+            if real_ip and real_ip.lower() != "unknown":
+                return real_ip
+
+        remote_addr = request.remote_addr
+        if remote_addr:
+            return str(remote_addr)
+        return "unknown"
+
     @staticmethod
     def _extract_dashboard_jwt() -> str | None:
         auth_header = request.headers.get("Authorization", "").strip()
diff --git a/dashboard/src/i18n/locales/en-US/features/config-metadata.json b/dashboard/src/i18n/locales/en-US/features/config-metadata.json
index ff2b20c7ea..0c28949461 100644
--- a/dashboard/src/i18n/locales/en-US/features/config-metadata.json
+++ b/dashboard/src/i18n/locales/en-US/features/config-metadata.json
@@ -1088,6 +1088,10 @@
         "hint": "When disabled, AstrBot will not upload anonymous usage statistics."
       },
       "dashboard": {
+        "trust_proxy_headers": {
+          "description": "Trust Proxy Headers for Client IP",
+          "hint": "When disabled, ignore X-Forwarded-For/X-Real-IP and use the connection address only."
+        },
         "ssl": {
           "enable": {
             "description": "Enable WebUI HTTPS",
diff --git a/dashboard/src/i18n/locales/ru-RU/features/config-metadata.json b/dashboard/src/i18n/locales/ru-RU/features/config-metadata.json
index ef3ff792e3..72be45161d 100644
--- a/dashboard/src/i18n/locales/ru-RU/features/config-metadata.json
+++ b/dashboard/src/i18n/locales/ru-RU/features/config-metadata.json
@@ -1089,6 +1089,10 @@
                 "hint": "После отключения AstrBot не будет отправлять анонимные данные об использовании."
             },
             "dashboard": {
+                "trust_proxy_headers": {
+                    "description": "Доверять прокси-заголовкам для IP клиента",
+                    "hint": "Если выключено, X-Forwarded-For/X-Real-IP игнорируются и используется только адрес соединения."
+                },
                 "ssl": {
                     "enable": {
                         "description": "Включить HTTPS для WebUI",
diff --git a/dashboard/src/i18n/locales/zh-CN/features/config-metadata.json b/dashboard/src/i18n/locales/zh-CN/features/config-metadata.json
index b3c8202436..0ca796cd31 100644
--- a/dashboard/src/i18n/locales/zh-CN/features/config-metadata.json
+++ b/dashboard/src/i18n/locales/zh-CN/features/config-metadata.json
@@ -1090,6 +1090,10 @@
         "hint": "禁用后，AstrBot 将不再上传匿名使用统计数据。"
       },
       "dashboard": {
+        "trust_proxy_headers": {
+          "description": "信任代理请求头获取客户端 IP",
+          "hint": "关闭时忽略 X-Forwarded-For/X-Real-IP，仅使用连接地址。"
+        },
         "ssl": {
           "enable": {
             "description": "启用 WebUI HTTPS",
diff --git a/tests/test_dashboard.py b/tests/test_dashboard.py
index 41c7cda29c..bb0b9db412 100644
--- a/tests/test_dashboard.py
+++ b/tests/test_dashboard.py
@@ -18,6 +18,7 @@
 from quart import Quart, jsonify
 from werkzeug.datastructures import FileStorage
 
+import astrbot.dashboard.server as dashboard_server
 from astrbot.core import LogBroker
 from astrbot.core.core_lifecycle import AstrBotCoreLifecycle
 from astrbot.core.db.sqlite import SQLiteDatabase
@@ -361,6 +362,107 @@ async def test_auth_login_secure_cookie_override(
     assert "SameSite=Strict" in jwt_cookie_header
 
 
+@pytest.mark.asyncio
+async def test_auth_rate_limit_uses_client_ip_bucket_across_paths(
+    app: Quart,
+    core_lifecycle_td: AstrBotCoreLifecycle,
+    monkeypatch: pytest.MonkeyPatch,
+):
+    monkeypatch.setenv("ASTRBOT_TEST_MODE", "false")
+    dashboard_server._rate_limiters.clear()
+    original_value = core_lifecycle_td.astrbot_config["dashboard"].get(
+        "trust_proxy_headers", False
+    )
+    core_lifecycle_td.astrbot_config["dashboard"]["trust_proxy_headers"] = True
+
+    try:
+        test_client = app.test_client()
+        headers = {"X-Forwarded-For": "198.51.100.10"}
+        await test_client.post(
+            "/api/auth/login",
+            json={"username": "wrong", "password": "wrong"},
+            headers=headers,
+        )
+        await test_client.post("/api/auth/totp/setup", json={}, headers=headers)
+
+        assert len(dashboard_server._rate_limiters) == 1
+        assert "198.51.100.10" in dashboard_server._rate_limiters
+    finally:
+        core_lifecycle_td.astrbot_config["dashboard"]["trust_proxy_headers"] = (
+            original_value
+        )
+
+
+@pytest.mark.asyncio
+async def test_auth_rate_limit_separates_different_client_ips(
+    app: Quart,
+    core_lifecycle_td: AstrBotCoreLifecycle,
+    monkeypatch: pytest.MonkeyPatch,
+):
+    monkeypatch.setenv("ASTRBOT_TEST_MODE", "false")
+    dashboard_server._rate_limiters.clear()
+    original_value = core_lifecycle_td.astrbot_config["dashboard"].get(
+        "trust_proxy_headers", False
+    )
+    core_lifecycle_td.astrbot_config["dashboard"]["trust_proxy_headers"] = True
+
+    try:
+        test_client = app.test_client()
+        await test_client.post(
+            "/api/auth/login",
+            json={"username": "wrong", "password": "wrong"},
+            headers={"X-Forwarded-For": "198.51.100.10"},
+        )
+        await test_client.post(
+            "/api/auth/login",
+            json={"username": "wrong", "password": "wrong"},
+            headers={"X-Forwarded-For": "198.51.100.11"},
+        )
+
+        assert len(dashboard_server._rate_limiters) == 2
+        assert "198.51.100.10" in dashboard_server._rate_limiters
+        assert "198.51.100.11" in dashboard_server._rate_limiters
+    finally:
+        core_lifecycle_td.astrbot_config["dashboard"]["trust_proxy_headers"] = (
+            original_value
+        )
+
+
+@pytest.mark.asyncio
+async def test_auth_rate_limit_ignores_proxy_headers_by_default(
+    app: Quart,
+    core_lifecycle_td: AstrBotCoreLifecycle,
+    monkeypatch: pytest.MonkeyPatch,
+):
+    monkeypatch.setenv("ASTRBOT_TEST_MODE", "false")
+    dashboard_server._rate_limiters.clear()
+    original_value = core_lifecycle_td.astrbot_config["dashboard"].get(
+        "trust_proxy_headers", False
+    )
+    core_lifecycle_td.astrbot_config["dashboard"]["trust_proxy_headers"] = False
+
+    try:
+        test_client = app.test_client()
+        await test_client.post(
+            "/api/auth/login",
+            json={"username": "wrong", "password": "wrong"},
+            headers={"X-Forwarded-For": "198.51.100.20"},
+        )
+        await test_client.post(
+            "/api/auth/login",
+            json={"username": "wrong", "password": "wrong"},
+            headers={"X-Forwarded-For": "198.51.100.21"},
+        )
+
+        assert len(dashboard_server._rate_limiters) == 1
+        assert "198.51.100.20" not in dashboard_server._rate_limiters
+        assert "198.51.100.21" not in dashboard_server._rate_limiters
+    finally:
+        core_lifecycle_td.astrbot_config["dashboard"]["trust_proxy_headers"] = (
+            original_value
+        )
+
+
 @pytest.mark.asyncio
 async def test_auth_login_requires_totp_when_enabled_and_not_trusted(
     app: Quart,

From 918edf30b08396178bb487150f992e4419d2b6ee Mon Sep 17 00:00:00 2001
From: Raven95676 <raven95676@gmail.com>
Date: Thu, 14 May 2026 21:36:07 +0800
Subject: [PATCH 7/7] feat: make dashboard auth rate-limit configurable via
 system settings

Add auth_rate_limit config block to dashboard settings with enable
(default: true), average_interval (default: 1.0s), and max_burst
(default: 3) options. The dashboard auth middleware now reads from
config instead of using hardcoded values. The average_interval and
max_burst fields are conditionally shown only when rate limiting is
enabled.
---
 astrbot/core/config/default.py                | 25 ++++++++++++
 astrbot/dashboard/server.py                   | 38 ++++++++++++-------
 .../en-US/features/config-metadata.json       | 14 +++++++
 .../ru-RU/features/config-metadata.json       | 14 +++++++
 .../zh-CN/features/config-metadata.json       | 14 +++++++
 5 files changed, 92 insertions(+), 13 deletions(-)

diff --git a/astrbot/core/config/default.py b/astrbot/core/config/default.py
index 5379c31643..a3b5429328 100644
--- a/astrbot/core/config/default.py
+++ b/astrbot/core/config/default.py
@@ -253,6 +253,11 @@
         "port": 6185,
         "disable_access_log": True,
         "trust_proxy_headers": False,
+        "auth_rate_limit": {
+            "enable": True,
+            "average_interval": 1.0,
+            "max_burst": 3,
+        },
         "totp": {
             "enable": False,
             "secret": "",
@@ -2973,6 +2978,9 @@
             },
             "dashboard.ssl.enable": {"type": "bool"},
             "dashboard.trust_proxy_headers": {"type": "bool"},
+            "dashboard.auth_rate_limit.enable": {"type": "bool"},
+            "dashboard.auth_rate_limit.average_interval": {"type": "float"},
+            "dashboard.auth_rate_limit.max_burst": {"type": "int"},
             "dashboard.ssl.cert_file": {
                 "type": "string",
                 "condition": {"dashboard.ssl.enable": True},
@@ -4220,6 +4228,23 @@
                         "type": "bool",
                         "hint": "关闭时忽略 X-Forwarded-For/X-Real-IP，仅使用连接地址。",
                     },
+                    "dashboard.auth_rate_limit.enable": {
+                        "description": "启用登录验证速率限制",
+                        "type": "bool",
+                        "hint": "关闭后将不对登录、TOTP 等身份验证接口进行速率限制。",
+                    },
+                    "dashboard.auth_rate_limit.average_interval": {
+                        "description": "登录验证速率限制平均间隔(秒)",
+                        "type": "float",
+                        "hint": "两次身份验证请求之间的最小平均间隔时间。例如设置为 1.0 表示每秒最多处理 1 个请求。",
+                        "condition": {"dashboard.auth_rate_limit.enable": True},
+                    },
+                    "dashboard.auth_rate_limit.max_burst": {
+                        "description": "登录验证速率限制最大突发数",
+                        "type": "int",
+                        "hint": "允许的瞬时最大突发请求数。例如设置为 3 表示在短时间内最多连续处理 3 个请求。",
+                        "condition": {"dashboard.auth_rate_limit.enable": True},
+                    },
                     "dashboard.totp.enable": {
                         "description": "启用 WebUI TOTP 双因素认证",
                         "type": "bool",
diff --git a/astrbot/dashboard/server.py b/astrbot/dashboard/server.py
index 3f7941c0f3..c53ed922a0 100644
--- a/astrbot/dashboard/server.py
+++ b/astrbot/dashboard/server.py
@@ -283,19 +283,31 @@ async def auth_middleware(self):
             os.environ.get("ASTRBOT_TEST_MODE") != "true"
             and request.path in _RATE_LIMITED_ENDPOINTS
         ):
-            client_ip = self._get_request_client_ip()
-            limiter = _rate_limiters.get(client_ip)
-            if limiter is None:
-                limiter = _AuthRateLimiter(capacity=3, refill_rate=1.0)
-                _rate_limiters[client_ip] = limiter
-            if not await limiter.acquire():
-                r = jsonify(
-                    Response()
-                    .error("验证尝试过于频繁，系统可能正在遭受暴力破解")
-                    .__dict__
-                )
-                r.status_code = 429
-                return r
+            rl_config = self.config.get("dashboard", {}).get("auth_rate_limit", {})
+            rl_enabled = rl_config.get("enable", True)
+            if rl_enabled:
+                average_interval = float(rl_config.get("average_interval", 1.0))
+                max_burst = int(rl_config.get("max_burst", 3))
+                if average_interval <= 0:
+                    average_interval = 1.0
+                if max_burst <= 0:
+                    max_burst = 3
+                refill_rate = 1.0 / average_interval
+                client_ip = self._get_request_client_ip()
+                limiter = _rate_limiters.get(client_ip)
+                if limiter is None:
+                    limiter = _AuthRateLimiter(
+                        capacity=max_burst, refill_rate=refill_rate
+                    )
+                    _rate_limiters[client_ip] = limiter
+                if not await limiter.acquire():
+                    r = jsonify(
+                        Response()
+                        .error("验证尝试过于频繁，系统可能正在遭受暴力破解")
+                        .__dict__
+                    )
+                    r.status_code = 429
+                    return r
 
         allowed_exact_endpoints = {
             "/api/auth/login",
diff --git a/dashboard/src/i18n/locales/en-US/features/config-metadata.json b/dashboard/src/i18n/locales/en-US/features/config-metadata.json
index 0c28949461..332d5745da 100644
--- a/dashboard/src/i18n/locales/en-US/features/config-metadata.json
+++ b/dashboard/src/i18n/locales/en-US/features/config-metadata.json
@@ -1092,6 +1092,20 @@
           "description": "Trust Proxy Headers for Client IP",
           "hint": "When disabled, ignore X-Forwarded-For/X-Real-IP and use the connection address only."
         },
+        "auth_rate_limit": {
+          "enable": {
+            "description": "Enable Login Rate Limiting",
+            "hint": "When disabled, authentication endpoints (login, TOTP, etc.) will not be rate-limited."
+          },
+          "average_interval": {
+            "description": "Rate Limit Average Interval (seconds)",
+            "hint": "Minimum average interval between authentication requests. For example, 1.0 means at most 1 request per second."
+          },
+          "max_burst": {
+            "description": "Rate Limit Max Burst",
+            "hint": "Maximum number of consecutive burst requests allowed. For example, 3 allows up to 3 requests in a short burst."
+          }
+        },
         "ssl": {
           "enable": {
             "description": "Enable WebUI HTTPS",
diff --git a/dashboard/src/i18n/locales/ru-RU/features/config-metadata.json b/dashboard/src/i18n/locales/ru-RU/features/config-metadata.json
index 72be45161d..a92b2d6355 100644
--- a/dashboard/src/i18n/locales/ru-RU/features/config-metadata.json
+++ b/dashboard/src/i18n/locales/ru-RU/features/config-metadata.json
@@ -1093,6 +1093,20 @@
                     "description": "Доверять прокси-заголовкам для IP клиента",
                     "hint": "Если выключено, X-Forwarded-For/X-Real-IP игнорируются и используется только адрес соединения."
                 },
+                "auth_rate_limit": {
+                    "enable": {
+                        "description": "Включить ограничение скорости входа",
+                        "hint": "Если выключено, конечные точки аутентификации (вход, TOTP и т.д.) не будут ограничены по скорости."
+                    },
+                    "average_interval": {
+                        "description": "Средний интервал ограничения скорости (сек)",
+                        "hint": "Минимальный средний интервал между запросами аутентификации. Например, 1.0 означает не более 1 запроса в секунду."
+                    },
+                    "max_burst": {
+                        "description": "Максимальный всплеск ограничения скорости",
+                        "hint": "Максимальное количество последовательных всплесков запросов. Например, 3 допускает до 3 запросов за короткий всплеск."
+                    }
+                },
                 "ssl": {
                     "enable": {
                         "description": "Включить HTTPS для WebUI",
diff --git a/dashboard/src/i18n/locales/zh-CN/features/config-metadata.json b/dashboard/src/i18n/locales/zh-CN/features/config-metadata.json
index 0ca796cd31..7244be8d60 100644
--- a/dashboard/src/i18n/locales/zh-CN/features/config-metadata.json
+++ b/dashboard/src/i18n/locales/zh-CN/features/config-metadata.json
@@ -1094,6 +1094,20 @@
           "description": "信任代理请求头获取客户端 IP",
           "hint": "关闭时忽略 X-Forwarded-For/X-Real-IP，仅使用连接地址。"
         },
+        "auth_rate_limit": {
+          "enable": {
+            "description": "启用登录验证速率限制",
+            "hint": "关闭后将不对登录、TOTP 等身份验证接口进行速率限制。"
+          },
+          "average_interval": {
+            "description": "登录验证速率限制平均间隔(秒)",
+            "hint": "两次身份验证请求之间的最小平均间隔时间。例如设置为 1.0 表示每秒最多处理 1 个请求。"
+          },
+          "max_burst": {
+            "description": "登录验证速率限制最大突发数",
+            "hint": "允许的瞬时最大突发请求数。例如设置为 3 表示在短时间内最多连续处理 3 个请求。"
+          }
+        },
         "ssl": {
           "enable": {
             "description": "启用 WebUI HTTPS",