From d67a86595f0866927815e0945bff032a35c76da9 Mon Sep 17 00:00:00 2001
From: GitLab Bot <gitlab-bot@gitlab.com>
Date: Mon, 23 Aug 2021 12:10:04 +0000
Subject: [PATCH] Add latest changes from gitlab-org/gitlab@master

---
 GITALY_SERVER_VERSION                         |   2 +-
 app/controllers/groups/runners_controller.rb  |   2 +-
 .../groups/settings/ci_cd_controller.rb       |   2 +-
 app/finders/ci/runners_finder.rb              |  18 +-
 .../resolvers/ci/group_runners_resolver.rb    |  26 +++
 app/graphql/resolvers/ci/runners_resolver.rb  |  15 +-
 .../types/ci/runner_membership_filter_enum.rb |  18 ++
 app/graphql/types/group_type.rb               |   6 +
 app/helpers/ci/pipeline_editor_helper.rb      |   1 -
 ...yml => create_vulnerabilities_via_api.yml} |  12 +-
 .../dast_runner_site_validation.yml           |   8 -
 ...0210731132939_backfill_stage_event_hash.rb | 115 ++++++++++
 db/schema_migrations/20210731132939           |   1 +
 db/structure.sql                              |   6 +-
 doc/api/graphql/reference/index.md            | 103 ++++++++-
 doc/user/application_security/dast/index.md   |   6 +-
 .../img/vulnerability-check_v13_4.png         | Bin 25832 -> 0 bytes
 .../img/vulnerability-check_v14_2.png         | Bin 0 -> 23147 bytes
 doc/user/application_security/index.md        |  18 +-
 doc/user/infrastructure/index.md              |  54 ++++-
 locale/gitlab.pot                             |  10 +-
 qa/qa/resource/issue.rb                       |   7 +-
 qa/qa/runtime/search.rb                       |   6 +-
 .../1_manage/import_large_github_repo_spec.rb |  39 ++--
 spec/finders/ci/runners_finder_spec.rb        | 126 +++++++----
 .../ci/group_runners_resolver_spec.rb         |  94 +++++++++
 .../resolvers/ci/runners_resolver_spec.rb     | 199 ++++--------------
 .../helpers/ci/pipeline_editor_helper_spec.rb |   5 -
 .../backfill_stage_event_hash_spec.rb         | 103 +++++++++
 .../runners_resolver_shared_context.rb        |  22 ++
 30 files changed, 757 insertions(+), 267 deletions(-)
 create mode 100644 app/graphql/resolvers/ci/group_runners_resolver.rb
 create mode 100644 app/graphql/types/ci/runner_membership_filter_enum.rb
 rename config/feature_flags/development/{dast_meta_tag_validation.yml => create_vulnerabilities_via_api.yml} (53%)
 delete mode 100644 config/feature_flags/development/dast_runner_site_validation.yml
 create mode 100644 db/post_migrate/20210731132939_backfill_stage_event_hash.rb
 create mode 100644 db/schema_migrations/20210731132939
 delete mode 100644 doc/user/application_security/img/vulnerability-check_v13_4.png
 create mode 100644 doc/user/application_security/img/vulnerability-check_v14_2.png
 create mode 100644 spec/graphql/resolvers/ci/group_runners_resolver_spec.rb
 create mode 100644 spec/migrations/backfill_stage_event_hash_spec.rb
 create mode 100644 spec/support/shared_contexts/graphql/resolvers/runners_resolver_shared_context.rb

diff --git a/GITALY_SERVER_VERSION b/GITALY_SERVER_VERSION
index c742253cb00..9d553e5d555 100644
--- a/GITALY_SERVER_VERSION
+++ b/GITALY_SERVER_VERSION
@@ -1 +1 @@
-de019fc19eeb8bc6a65a6dbd8bf236669c777815
+2ed9a2c78ec556eb8d64e03203c864355ea5a128
diff --git a/app/controllers/groups/runners_controller.rb b/app/controllers/groups/runners_controller.rb
index dbbfdd76fe8..ff3a09a2d2d 100644
--- a/app/controllers/groups/runners_controller.rb
+++ b/app/controllers/groups/runners_controller.rb
@@ -59,7 +59,7 @@ class Groups::RunnersController < Groups::ApplicationController
   private
 
   def runner
-    @runner ||= Ci::RunnersFinder.new(current_user: current_user, group: @group, params: {}).execute
+    @runner ||= Ci::RunnersFinder.new(current_user: current_user, params: { group: @group }).execute
                                                                                             .except(:limit, :offset)
                                                                                             .find(params[:id])
   end
diff --git a/app/controllers/groups/settings/ci_cd_controller.rb b/app/controllers/groups/settings/ci_cd_controller.rb
index 0f40c9bfd2c..a290ef9b5e7 100644
--- a/app/controllers/groups/settings/ci_cd_controller.rb
+++ b/app/controllers/groups/settings/ci_cd_controller.rb
@@ -17,7 +17,7 @@ module Groups
       NUMBER_OF_RUNNERS_PER_PAGE = 4
 
       def show
-        runners_finder = Ci::RunnersFinder.new(current_user: current_user, group: @group, params: params)
+        runners_finder = Ci::RunnersFinder.new(current_user: current_user, params: params.merge({ group: @group }))
         # We need all runners for count
         @all_group_runners = runners_finder.execute.except(:limit, :offset)
         @group_runners = runners_finder.execute.page(params[:page]).per(NUMBER_OF_RUNNERS_PER_PAGE)
diff --git a/app/finders/ci/runners_finder.rb b/app/finders/ci/runners_finder.rb
index d34b3202433..8bc2a47a024 100644
--- a/app/finders/ci/runners_finder.rb
+++ b/app/finders/ci/runners_finder.rb
@@ -7,9 +7,9 @@ module Ci
     ALLOWED_SORTS = %w[contacted_asc contacted_desc created_at_asc created_at_desc created_date].freeze
     DEFAULT_SORT = 'created_at_desc'
 
-    def initialize(current_user:, group: nil, params:)
+    def initialize(current_user:, params:)
       @params = params
-      @group = group
+      @group = params.delete(:group)
       @current_user = current_user
     end
 
@@ -48,10 +48,16 @@ module Ci
     def group_runners
       raise Gitlab::Access::AccessDeniedError unless can?(@current_user, :admin_group, @group)
 
-      # Getting all runners from the group itself and all its descendants
-      descendant_projects = Project.for_group_and_its_subgroups(@group)
-
-      @runners = Ci::Runner.belonging_to_group_or_project(@group.self_and_descendants, descendant_projects)
+      @runners = case @params[:membership]
+                 when :direct
+                   Ci::Runner.belonging_to_group(@group.id)
+                 when :descendants, nil
+                   # Getting all runners from the group itself and all its descendant groups/projects
+                   descendant_projects = Project.for_group_and_its_subgroups(@group)
+                   Ci::Runner.belonging_to_group_or_project(@group.self_and_descendants, descendant_projects)
+                 else
+                   raise ArgumentError, 'Invalid membership filter'
+                 end
     end
 
     def filter_by_status!
diff --git a/app/graphql/resolvers/ci/group_runners_resolver.rb b/app/graphql/resolvers/ci/group_runners_resolver.rb
new file mode 100644
index 00000000000..e9c399d3855
--- /dev/null
+++ b/app/graphql/resolvers/ci/group_runners_resolver.rb
@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+module Resolvers
+  module Ci
+    class GroupRunnersResolver < RunnersResolver
+      type Types::Ci::RunnerType.connection_type, null: true
+
+      argument :membership, ::Types::Ci::RunnerMembershipFilterEnum,
+               required: false,
+               default_value: :descendants,
+               description: 'Control which runners to include in the results.'
+
+      protected
+
+      def runners_finder_params(params)
+        super(params).merge(membership: params[:membership])
+      end
+
+      def parent_param
+        raise 'Expected group missing' unless parent.is_a?(Group)
+
+        { group: parent }
+      end
+    end
+  end
+end
diff --git a/app/graphql/resolvers/ci/runners_resolver.rb b/app/graphql/resolvers/ci/runners_resolver.rb
index 1957c4ec058..07105701daa 100644
--- a/app/graphql/resolvers/ci/runners_resolver.rb
+++ b/app/graphql/resolvers/ci/runners_resolver.rb
@@ -34,7 +34,7 @@ module Resolvers
             .execute)
       end
 
-      private
+      protected
 
       def runners_finder_params(params)
         {
@@ -47,6 +47,19 @@ module Resolvers
             tag_name: node_selection&.selects?(:tag_list)
           }
         }.compact
+         .merge(parent_param)
+      end
+
+      def parent_param
+        return {} unless parent
+
+        raise "Unexpected parent type: #{parent.class}"
+      end
+
+      private
+
+      def parent
+        object.respond_to?(:sync) ? object.sync : object
       end
     end
   end
diff --git a/app/graphql/types/ci/runner_membership_filter_enum.rb b/app/graphql/types/ci/runner_membership_filter_enum.rb
new file mode 100644
index 00000000000..2e1051b2151
--- /dev/null
+++ b/app/graphql/types/ci/runner_membership_filter_enum.rb
@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+module Types
+  module Ci
+    class RunnerMembershipFilterEnum < BaseEnum
+      graphql_name 'RunnerMembershipFilter'
+      description 'Values for filtering runners in namespaces.'
+
+      value 'DIRECT',
+            description: "Include runners that have a direct relationship.",
+            value: :direct
+
+      value 'DESCENDANTS',
+            description: "Include runners that have either a direct relationship or a relationship with descendants. These can be project runners or group runners (in the case where group is queried).",
+            value: :descendants
+    end
+  end
+end
diff --git a/app/graphql/types/group_type.rb b/app/graphql/types/group_type.rb
index fbf0084cd0e..baf0fa80fc3 100644
--- a/app/graphql/types/group_type.rb
+++ b/app/graphql/types/group_type.rb
@@ -155,6 +155,12 @@ module Types
           complexity: 5,
           resolver: Resolvers::GroupsResolver
 
+    field :runners, Types::Ci::RunnerType.connection_type,
+          null: true,
+          resolver: Resolvers::Ci::GroupRunnersResolver,
+          description: "Find runners visible to the current user.",
+          feature_flag: :runner_graphql_query
+
     def avatar_url
       object.avatar_url(only_path: false)
     end
diff --git a/app/helpers/ci/pipeline_editor_helper.rb b/app/helpers/ci/pipeline_editor_helper.rb
index 4dfe136c206..9bbc326a750 100644
--- a/app/helpers/ci/pipeline_editor_helper.rb
+++ b/app/helpers/ci/pipeline_editor_helper.rb
@@ -16,7 +16,6 @@ module Ci
         "ci-config-path": project.ci_config_path_or_default,
         "ci-examples-help-page-path" => help_page_path('ci/examples/index'),
         "ci-help-page-path" => help_page_path('ci/index'),
-        "commit-sha" => commit_sha,
         "default-branch" => project.default_branch_or_main,
         "empty-state-illustration-path" => image_path('illustrations/empty-state/empty-dag-md.svg'),
         "initial-branch-name" => initial_branch,
diff --git a/config/feature_flags/development/dast_meta_tag_validation.yml b/config/feature_flags/development/create_vulnerabilities_via_api.yml
similarity index 53%
rename from config/feature_flags/development/dast_meta_tag_validation.yml
rename to config/feature_flags/development/create_vulnerabilities_via_api.yml
index 50ef18df45a..0a3f9fa73f8 100644
--- a/config/feature_flags/development/dast_meta_tag_validation.yml
+++ b/config/feature_flags/development/create_vulnerabilities_via_api.yml
@@ -1,8 +1,8 @@
 ---
-name: dast_meta_tag_validation
-introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/67945
-rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/337711
-milestone: '14.2'
+name: create_vulnerabilities_via_api
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/68158
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/338694
+milestone: '14.3'
 type: development
-group: group::dynamic analysis
-default_enabled: true
+group: group::threat insights
+default_enabled: false
diff --git a/config/feature_flags/development/dast_runner_site_validation.yml b/config/feature_flags/development/dast_runner_site_validation.yml
deleted file mode 100644
index e39a8a6d1e3..00000000000
--- a/config/feature_flags/development/dast_runner_site_validation.yml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-name: dast_runner_site_validation
-introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/61649
-rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/331082
-milestone: '14.0'
-type: development
-group: group::dynamic analysis
-default_enabled: true
diff --git a/db/post_migrate/20210731132939_backfill_stage_event_hash.rb b/db/post_migrate/20210731132939_backfill_stage_event_hash.rb
new file mode 100644
index 00000000000..2c4dc904387
--- /dev/null
+++ b/db/post_migrate/20210731132939_backfill_stage_event_hash.rb
@@ -0,0 +1,115 @@
+# frozen_string_literal: true
+
+class BackfillStageEventHash < ActiveRecord::Migration[6.1]
+  include Gitlab::Database::MigrationHelpers
+
+  disable_ddl_transaction!
+
+  BATCH_SIZE = 100
+  EVENT_ID_IDENTIFIER_MAPPING = {
+    1 => :issue_created,
+    2 => :issue_first_mentioned_in_commit,
+    3 => :issue_closed,
+    4 => :issue_first_added_to_board,
+    5 => :issue_first_associated_with_milestone,
+    7 => :issue_last_edited,
+    8 => :issue_label_added,
+    9 => :issue_label_removed,
+    10 => :issue_deployed_to_production,
+    100 => :merge_request_created,
+    101 => :merge_request_first_deployed_to_production,
+    102 => :merge_request_last_build_finished,
+    103 => :merge_request_last_build_started,
+    104 => :merge_request_merged,
+    105 => :merge_request_closed,
+    106 => :merge_request_last_edited,
+    107 => :merge_request_label_added,
+    108 => :merge_request_label_removed,
+    109 => :merge_request_first_commit_at,
+    1000 => :code_stage_start,
+    1001 => :issue_stage_end,
+    1002 => :plan_stage_start
+  }.freeze
+
+  LABEL_BASED_EVENTS = Set.new([8, 9, 107, 108]).freeze
+
+  class GroupStage < ActiveRecord::Base
+    include EachBatch
+
+    self.table_name = 'analytics_cycle_analytics_group_stages'
+  end
+
+  class ProjectStage < ActiveRecord::Base
+    include EachBatch
+
+    self.table_name = 'analytics_cycle_analytics_project_stages'
+  end
+
+  class StageEventHash < ActiveRecord::Base
+    self.table_name = 'analytics_cycle_analytics_stage_event_hashes'
+  end
+
+  def up
+    GroupStage.reset_column_information
+    ProjectStage.reset_column_information
+    StageEventHash.reset_column_information
+
+    update_stage_table(GroupStage)
+    update_stage_table(ProjectStage)
+
+    add_not_null_constraint :analytics_cycle_analytics_group_stages, :stage_event_hash_id
+    add_not_null_constraint :analytics_cycle_analytics_project_stages, :stage_event_hash_id
+  end
+
+  def down
+    remove_not_null_constraint :analytics_cycle_analytics_group_stages, :stage_event_hash_id
+    remove_not_null_constraint :analytics_cycle_analytics_project_stages, :stage_event_hash_id
+  end
+
+  private
+
+  def update_stage_table(klass)
+    klass.each_batch(of: BATCH_SIZE) do |relation|
+      klass.transaction do
+        records = relation.where(stage_event_hash_id: nil).lock!.to_a # prevent concurrent modification (unlikely to happen)
+        records = delete_invalid_records(records)
+        next if records.empty?
+
+        hashes_by_stage = records.to_h { |stage| [stage, calculate_stage_events_hash(stage)] }
+        hashes = hashes_by_stage.values.uniq
+
+        StageEventHash.insert_all(hashes.map { |hash| { hash_sha256: hash } })
+
+        stage_event_hashes_by_hash = StageEventHash.where(hash_sha256: hashes).index_by(&:hash_sha256)
+        records.each do |stage|
+          stage.update!(stage_event_hash_id: stage_event_hashes_by_hash[hashes_by_stage[stage]].id)
+        end
+      end
+    end
+  end
+
+  def calculate_stage_events_hash(stage)
+    start_event_hash = calculate_event_hash(stage.start_event_identifier, stage.start_event_label_id)
+    end_event_hash = calculate_event_hash(stage.end_event_identifier, stage.end_event_label_id)
+
+    Digest::SHA256.hexdigest("#{start_event_hash}-#{end_event_hash}")
+  end
+
+  def calculate_event_hash(event_identifier, label_id = nil)
+    str = EVENT_ID_IDENTIFIER_MAPPING.fetch(event_identifier).to_s
+    str << "-#{label_id}" if LABEL_BASED_EVENTS.include?(event_identifier)
+
+    Digest::SHA256.hexdigest(str)
+  end
+
+  # Invalid records are safe to delete, since they are not working properly anyway
+  def delete_invalid_records(records)
+    to_be_deleted = records.select do |record|
+      EVENT_ID_IDENTIFIER_MAPPING[record.start_event_identifier].nil? ||
+        EVENT_ID_IDENTIFIER_MAPPING[record.end_event_identifier].nil?
+    end
+
+    to_be_deleted.each(&:delete)
+    records - to_be_deleted
+  end
+end
diff --git a/db/schema_migrations/20210731132939 b/db/schema_migrations/20210731132939
new file mode 100644
index 00000000000..f032b0fadad
--- /dev/null
+++ b/db/schema_migrations/20210731132939
@@ -0,0 +1 @@
+97d968bba0eb2bf6faa19de8a3e4fe93dc03a623b623dc802ab0fe0a4afb0370
\ No newline at end of file
diff --git a/db/structure.sql b/db/structure.sql
index 860b2d6f287..0710dc312c2 100644
--- a/db/structure.sql
+++ b/db/structure.sql
@@ -9102,7 +9102,8 @@ CREATE TABLE analytics_cycle_analytics_group_stages (
     custom boolean DEFAULT true NOT NULL,
     name character varying(255) NOT NULL,
     group_value_stream_id bigint NOT NULL,
-    stage_event_hash_id bigint
+    stage_event_hash_id bigint,
+    CONSTRAINT check_e6bd4271b5 CHECK ((stage_event_hash_id IS NOT NULL))
 );
 
 CREATE SEQUENCE analytics_cycle_analytics_group_stages_id_seq
@@ -9146,7 +9147,8 @@ CREATE TABLE analytics_cycle_analytics_project_stages (
     custom boolean DEFAULT true NOT NULL,
     name character varying(255) NOT NULL,
     project_value_stream_id bigint NOT NULL,
-    stage_event_hash_id bigint
+    stage_event_hash_id bigint,
+    CONSTRAINT check_8f6019de1e CHECK ((stage_event_hash_id IS NOT NULL))
 );
 
 CREATE SEQUENCE analytics_cycle_analytics_project_stages_id_seq
diff --git a/doc/api/graphql/reference/index.md b/doc/api/graphql/reference/index.md
index 6600901e187..4af7b8e9077 100644
--- a/doc/api/graphql/reference/index.md
+++ b/doc/api/graphql/reference/index.md
@@ -4459,6 +4459,39 @@ Input type: `VulnerabilityConfirmInput`
 | <a id="mutationvulnerabilityconfirmerrors"></a>`errors` | [`[String!]!`](#string) | Errors encountered during execution of the mutation. |
 | <a id="mutationvulnerabilityconfirmvulnerability"></a>`vulnerability` | [`Vulnerability`](#vulnerability) | The vulnerability after state change. |
 
+### `Mutation.vulnerabilityCreate`
+
+Input type: `VulnerabilityCreateInput`
+
+#### Arguments
+
+| Name | Type | Description |
+| ---- | ---- | ----------- |
+| <a id="mutationvulnerabilitycreateclientmutationid"></a>`clientMutationId` | [`String`](#string) | A unique identifier for the client performing the mutation. |
+| <a id="mutationvulnerabilitycreateconfidence"></a>`confidence` | [`VulnerabilityConfidence`](#vulnerabilityconfidence) | Confidence of the vulnerability (defaults to `unknown`). |
+| <a id="mutationvulnerabilitycreateconfirmedat"></a>`confirmedAt` | [`Time`](#time) | Timestamp of when the vulnerability state changed to confirmed (defaults to creation time if status is `confirmed`). |
+| <a id="mutationvulnerabilitycreatedescription"></a>`description` | [`String!`](#string) | Description of the vulnerability. |
+| <a id="mutationvulnerabilitycreatedetectedat"></a>`detectedAt` | [`Time`](#time) | Timestamp of when the vulnerability was first detected (defaults to creation time). |
+| <a id="mutationvulnerabilitycreatedismissedat"></a>`dismissedAt` | [`Time`](#time) | Timestamp of when the vulnerability state changed to dismissed (defaults to creation time if status is `dismissed`). |
+| <a id="mutationvulnerabilitycreateidentifiers"></a>`identifiers` | [`[VulnerabilityIdentifierInput!]!`](#vulnerabilityidentifierinput) | Array of CVE or CWE identifiers for the vulnerability. |
+| <a id="mutationvulnerabilitycreatemessage"></a>`message` | [`String`](#string) | Additional information about the vulnerability. |
+| <a id="mutationvulnerabilitycreateproject"></a>`project` | [`ProjectID!`](#projectid) | ID of the project to attach the vulnerability to. |
+| <a id="mutationvulnerabilitycreateresolvedat"></a>`resolvedAt` | [`Time`](#time) | Timestamp of when the vulnerability state changed to resolved (defaults to creation time if status is `resolved`). |
+| <a id="mutationvulnerabilitycreatescannername"></a>`scannerName` | [`String!`](#string) | Name of the security scanner used to discover the vulnerability. |
+| <a id="mutationvulnerabilitycreatescannertype"></a>`scannerType` | [`SecurityScannerType!`](#securityscannertype) | Type of the security scanner used to discover the vulnerability. |
+| <a id="mutationvulnerabilitycreateseverity"></a>`severity` | [`VulnerabilitySeverity`](#vulnerabilityseverity) | Severity of the vulnerability (defaults to `unknown`). |
+| <a id="mutationvulnerabilitycreatesolution"></a>`solution` | [`String`](#string) | How to fix this vulnerability. |
+| <a id="mutationvulnerabilitycreatestate"></a>`state` | [`VulnerabilityState`](#vulnerabilitystate) | State of the vulnerability (defaults to `detected`). |
+| <a id="mutationvulnerabilitycreatetitle"></a>`title` | [`String!`](#string) | Title of the vulnerability. |
+
+#### Fields
+
+| Name | Type | Description |
+| ---- | ---- | ----------- |
+| <a id="mutationvulnerabilitycreateclientmutationid"></a>`clientMutationId` | [`String`](#string) | A unique identifier for the client performing the mutation. |
+| <a id="mutationvulnerabilitycreateerrors"></a>`errors` | [`[String!]!`](#string) | Errors encountered during execution of the mutation. |
+| <a id="mutationvulnerabilitycreatevulnerability"></a>`vulnerability` | [`Vulnerability`](#vulnerability) | Vulnerability created. |
+
 ### `Mutation.vulnerabilityDismiss`
 
 Input type: `VulnerabilityDismissInput`
@@ -10004,6 +10037,27 @@ four standard [pagination arguments](#connection-pagination-arguments):
 | <a id="groupprojectssearch"></a>`search` | [`String`](#string) | Search project with most similar names or paths. |
 | <a id="groupprojectssort"></a>`sort` | [`NamespaceProjectSort`](#namespaceprojectsort) | Sort projects by this criteria. |
 
+##### `Group.runners`
+
+Find runners visible to the current user. Available only when feature flag `runner_graphql_query` is enabled. This flag is enabled by default.
+
+Returns [`CiRunnerConnection`](#cirunnerconnection).
+
+This field returns a [connection](#connections). It accepts the
+four standard [pagination arguments](#connection-pagination-arguments):
+`before: String`, `after: String`, `first: Int`, `last: Int`.
+
+###### Arguments
+
+| Name | Type | Description |
+| ---- | ---- | ----------- |
+| <a id="grouprunnersmembership"></a>`membership` | [`RunnerMembershipFilter`](#runnermembershipfilter) | Control which runners to include in the results. |
+| <a id="grouprunnerssearch"></a>`search` | [`String`](#string) | Filter by full token or partial text in description field. |
+| <a id="grouprunnerssort"></a>`sort` | [`CiRunnerSort`](#cirunnersort) | Sort order of results. |
+| <a id="grouprunnersstatus"></a>`status` | [`CiRunnerStatus`](#cirunnerstatus) | Filter runners by status. |
+| <a id="grouprunnerstaglist"></a>`tagList` | [`[String!]`](#string) | Filter by tags associated with the runner (comma-separated or array). |
+| <a id="grouprunnerstype"></a>`type` | [`CiRunnerType`](#cirunnertype) | Filter runners by type. |
+
 ##### `Group.timelogs`
 
 Time logged on issues and merge requests in the group and its subgroups.
@@ -13261,6 +13315,7 @@ Represents summary of a security report.
 | <a id="securityreportsummarycoveragefuzzing"></a>`coverageFuzzing` | [`SecurityReportSummarySection`](#securityreportsummarysection) | Aggregated counts for the `coverage_fuzzing` scan. |
 | <a id="securityreportsummarydast"></a>`dast` | [`SecurityReportSummarySection`](#securityreportsummarysection) | Aggregated counts for the `dast` scan. |
 | <a id="securityreportsummarydependencyscanning"></a>`dependencyScanning` | [`SecurityReportSummarySection`](#securityreportsummarysection) | Aggregated counts for the `dependency_scanning` scan. |
+| <a id="securityreportsummarygeneric"></a>`generic` | [`SecurityReportSummarySection`](#securityreportsummarysection) | Aggregated counts for the `generic` scan. |
 | <a id="securityreportsummarysast"></a>`sast` | [`SecurityReportSummarySection`](#securityreportsummarysection) | Aggregated counts for the `sast` scan. |
 | <a id="securityreportsummarysecretdetection"></a>`secretDetection` | [`SecurityReportSummarySection`](#securityreportsummarysection) | Aggregated counts for the `secret_detection` scan. |
 
@@ -14141,7 +14196,7 @@ Represents a vulnerability.
 | <a id="vulnerabilitynotes"></a>`notes` | [`NoteConnection!`](#noteconnection) | All notes on this noteable. (see [Connections](#connections)) |
 | <a id="vulnerabilityprimaryidentifier"></a>`primaryIdentifier` | [`VulnerabilityIdentifier`](#vulnerabilityidentifier) | Primary identifier of the vulnerability. |
 | <a id="vulnerabilityproject"></a>`project` | [`Project`](#project) | The project on which the vulnerability was found. |
-| <a id="vulnerabilityreporttype"></a>`reportType` | [`VulnerabilityReportType`](#vulnerabilityreporttype) | Type of the security report that found the vulnerability (SAST, DEPENDENCY_SCANNING, CONTAINER_SCANNING, DAST, SECRET_DETECTION, COVERAGE_FUZZING, API_FUZZING, CLUSTER_IMAGE_SCANNING). `Scan Type` in the UI. |
+| <a id="vulnerabilityreporttype"></a>`reportType` | [`VulnerabilityReportType`](#vulnerabilityreporttype) | Type of the security report that found the vulnerability (SAST, DEPENDENCY_SCANNING, CONTAINER_SCANNING, DAST, SECRET_DETECTION, COVERAGE_FUZZING, API_FUZZING, CLUSTER_IMAGE_SCANNING, GENERIC). `Scan Type` in the UI. |
 | <a id="vulnerabilityresolvedat"></a>`resolvedAt` | [`Time`](#time) | Timestamp of when the vulnerability state was changed to resolved. |
 | <a id="vulnerabilityresolvedby"></a>`resolvedBy` | [`UserCore`](#usercore) | The user that resolved the vulnerability. |
 | <a id="vulnerabilityresolvedondefaultbranch"></a>`resolvedOnDefaultBranch` | [`Boolean!`](#boolean) | Indicates whether the vulnerability is fixed on the default branch or not. |
@@ -14435,6 +14490,16 @@ Represents the location of a vulnerability found by a dependency security scan.
 | <a id="vulnerabilitylocationdependencyscanningdependency"></a>`dependency` | [`VulnerableDependency`](#vulnerabledependency) | Dependency containing the vulnerability. |
 | <a id="vulnerabilitylocationdependencyscanningfile"></a>`file` | [`String`](#string) | Path to the vulnerable file. |
 
+### `VulnerabilityLocationGeneric`
+
+Represents the location of a vulnerability found by a generic scanner.
+
+#### Fields
+
+| Name | Type | Description |
+| ---- | ---- | ----------- |
+| <a id="vulnerabilitylocationgenericdescription"></a>`description` | [`String`](#string) | Free-form description of where the vulnerability is located. |
+
 ### `VulnerabilityLocationSast`
 
 Represents the location of a vulnerability found by a SAST scan.
@@ -15626,6 +15691,15 @@ Status of a requirement based on last test report.
 | <a id="requirementstatusfiltermissing"></a>`MISSING` | Requirements without any test report. |
 | <a id="requirementstatusfilterpassed"></a>`PASSED` |  |
 
+### `RunnerMembershipFilter`
+
+Values for filtering runners in namespaces.
+
+| Value | Description |
+| ----- | ----------- |
+| <a id="runnermembershipfilterdescendants"></a>`DESCENDANTS` | Include runners that have either a direct relationship or a relationship with descendants. These can be project runners or group runners (in the case where group is queried). |
+| <a id="runnermembershipfilterdirect"></a>`DIRECT` | Include runners that have a direct relationship. |
+
 ### `SastUiComponentSize`
 
 Size of UI component in SAST configuration page.
@@ -15872,6 +15946,20 @@ Possible states of a user.
 | <a id="visibilityscopesenumprivate"></a>`private` | The snippet is visible only to the snippet creator. |
 | <a id="visibilityscopesenumpublic"></a>`public` | The snippet can be accessed without any authentication. |
 
+### `VulnerabilityConfidence`
+
+Confidence that a given vulnerability is present in the codebase.
+
+| Value | Description |
+| ----- | ----------- |
+| <a id="vulnerabilityconfidenceconfirmed"></a>`CONFIRMED` |  |
+| <a id="vulnerabilityconfidenceexperimental"></a>`EXPERIMENTAL` |  |
+| <a id="vulnerabilityconfidencehigh"></a>`HIGH` |  |
+| <a id="vulnerabilityconfidenceignore"></a>`IGNORE` |  |
+| <a id="vulnerabilityconfidencelow"></a>`LOW` |  |
+| <a id="vulnerabilityconfidencemedium"></a>`MEDIUM` |  |
+| <a id="vulnerabilityconfidenceunknown"></a>`UNKNOWN` |  |
+
 ### `VulnerabilityDismissalReason`
 
 The dismissal reason of the Vulnerability.
@@ -15933,6 +16021,7 @@ The type of the security scan that found the vulnerability.
 | <a id="vulnerabilityreporttypecoverage_fuzzing"></a>`COVERAGE_FUZZING` |  |
 | <a id="vulnerabilityreporttypedast"></a>`DAST` |  |
 | <a id="vulnerabilityreporttypedependency_scanning"></a>`DEPENDENCY_SCANNING` |  |
+| <a id="vulnerabilityreporttypegeneric"></a>`GENERIC` |  |
 | <a id="vulnerabilityreporttypesast"></a>`SAST` |  |
 | <a id="vulnerabilityreporttypesecret_detection"></a>`SECRET_DETECTION` |  |
 
@@ -16573,6 +16662,7 @@ One of:
 - [`VulnerabilityLocationCoverageFuzzing`](#vulnerabilitylocationcoveragefuzzing)
 - [`VulnerabilityLocationDast`](#vulnerabilitylocationdast)
 - [`VulnerabilityLocationDependencyScanning`](#vulnerabilitylocationdependencyscanning)
+- [`VulnerabilityLocationGeneric`](#vulnerabilitylocationgeneric)
 - [`VulnerabilityLocationSast`](#vulnerabilitylocationsast)
 - [`VulnerabilityLocationSecretDetection`](#vulnerabilitylocationsecretdetection)
 
@@ -17351,3 +17441,14 @@ A time-frame defined as a closed inclusive range of two dates.
 | <a id="updatediffimagepositioninputwidth"></a>`width` | [`Int`](#int) | Total width of the image. |
 | <a id="updatediffimagepositioninputx"></a>`x` | [`Int`](#int) | X position of the note. |
 | <a id="updatediffimagepositioninputy"></a>`y` | [`Int`](#int) | Y position of the note. |
+
+### `VulnerabilityIdentifierInput`
+
+#### Arguments
+
+| Name | Type | Description |
+| ---- | ---- | ----------- |
+| <a id="vulnerabilityidentifierinputexternalid"></a>`externalId` | [`String`](#string) | External ID of the vulnerability identifier. |
+| <a id="vulnerabilityidentifierinputexternaltype"></a>`externalType` | [`String`](#string) | External type of the vulnerability identifier. |
+| <a id="vulnerabilityidentifierinputname"></a>`name` | [`String!`](#string) | Name of the vulnerability identifier. |
+| <a id="vulnerabilityidentifierinputurl"></a>`url` | [`String!`](#string) | URL of the vulnerability identifier. |
diff --git a/doc/user/application_security/dast/index.md b/doc/user/application_security/dast/index.md
index 7455915761c..9a83b077f4e 100644
--- a/doc/user/application_security/dast/index.md
+++ b/doc/user/application_security/dast/index.md
@@ -1049,11 +1049,7 @@ When an API site type is selected, a [host override](#host-override) is used to
 #### Site profile validation
 
 > - Site profile validation [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/233020) in GitLab 13.8.
-> - Meta tag validation [enabled on GitLab.com](https://gitlab.com/groups/gitlab-org/-/epics/6460) in GitLab 14.2 and is ready for production use.
-> - Meta tag validation [enabled with `dast_meta_tag_validation flag` flag](https://gitlab.com/gitlab-org/gitlab/-/issues/337711) for self-managed GitLab in GitLab 14.2 and is ready for production use.
-
-FLAG:
-On self-managed GitLab, by default this feature is available. To hide the feature, ask an administrator to [disable the `dast_meta_tag_validation` flag](../../../administration/feature_flags.md). On GitLab.com, this feature is available but can be configured by GitLab.com administrators only.
+> - Meta tag validation [introduced](https://gitlab.com/groups/gitlab-org/-/epics/6460) in GitLab 14.2.
 
 Site profile validation reduces the risk of running an active scan against the wrong website. A site
 must be validated before an active scan can run against it. The site validation methods are as
diff --git a/doc/user/application_security/img/vulnerability-check_v13_4.png b/doc/user/application_security/img/vulnerability-check_v13_4.png
deleted file mode 100644
index 3e38f6eebe76cb038f782f45fa103e586feca269..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 25832
zcmZ^~1ymiuvp0BgcXto&?i$>JJHg%E-5r8E!QI_LAQ1H8?sjpzxNZLLeY@W~`|b9r
zIn!NLzpC!8?m2U6dSX<SWl#_a5di=Iikz&J8UO$R1^^)C;GzC;>{_`K|J|Ui#FfMW
zfTkp*HxrnDZ3s6t83{oBH1Wy527<G!t{VV=OY@%#LQakP`X3zDMnlJ4M@dn@%*lbp
z#N5f$g2mgx`JXlbAmlCZuj*joZbI(uVDIQA;4Mt~Um61c>i=Q0Qj-6dio2aKrH+y+
zxulb;1vxhh7YiGu2qHN-xsa>5rGT20^#6kYYY9_YySqCJu(Eo2d9iqLvN*X~v9j~?
z^Ru#XuySxP|I=W0^Ko=H@n&{(qxx?n|F<0}3pX=Y8)tVLCr9%C*flYA@^BZXr2LPg
z|EK(SKP|j%{<kMbxBoS)e*<LwkA#(-g^l(93+8TP`Tqm^kL15$|23}vb|>^7V*;u+
z-WK+{QZ^12j&A?DCc@6a%_H<*e*O>9|L*Dkfa?4YC>t-=|AhVz(f@${r!N93t~M6`
zrs+SEA;K=i`hW2Lm%b3|e`e}`%-ny6<-fT9;v#}5#QOilSOhWZzVyq#74fdBsPXml
z^Yiuf_1_|RdwY9%dD-3FMT?Nt)zw8trg;B&|5qL#9}f=?_xASg?(QBQ9`^V54GavT
zqN0|TmW+*!<>cfnEv;N#UG?<zo}QkhrKQ1OFclRQJ^|hF@v)JS(ev}m?d|Qw#l_Ll
zk&23nmX_AR!GWfx=JoZpp`qdZ{r&UHGXWu^j*bo>fb0G9V|QnFd3kwmZjLZY;pXNB
z2n5EKrAkRj0XzscHZ~?FC$FxqdU|>?GBR3PTBxH{!otGT)zwEvMlLTeO-)THV^k6o
z6UWEL2L=Z8_4P+bN88%kP*ExC>+8?Y&p$st&(6-ieEAX)8TswoxA?gD-@kvCmzSrc
zq%15fh>MGxB|2ADR@T<mE-o%sS64?zM+XN7pPrr;6clW4Z~OcEpPZb?$jCT5J7;BO
zm6n#y%*<d#$T2Z7eSCiA<mA}e+EP$ZY;A3&rKPd6vnwkrD<~+eudmb7(>ppkzQ4T-
z2nhWB`*&?^jf;!R-rinRRJ5q5$lJ#UKT<v~FK>E!`q!^teSLj^5K%%xLJtp*&d$!&
z)zzk^rvCnZ78VvnL^4=7I4mqIUtizu?ruChyyoU+K0ZESVd0^np{}kj7#I?Ba|^R1
zXMhKUySsZyNeK@R4?=`YYHDgnM~9-Kc4K4X;nAU-yap;Ns*sRSY-}vR4H*-Y8hj51
zgi8T@sfZ&LNJ&XcewHXHDFp=u0fPC7iHQRP1FfyC0p0{QHa7n@w5XUuT1}2&xFtoD
z62PBPT1KrMICye<2>=iPtN_?JU&zT>7@}1GPJpe`{hLQ{)o9!P)k(v6S8Q_zYl0R(
z|JMuf&7ZZYfyGhbB!jMrzL5H4LMADX$|%P|KX!KE)#I(?_B^d@r=LR&k8iIgMLvq@
z*7V%6FK@4f1JyY_WqA1XYDs1^G@Ofv>k!d$Q(N<Q&ky&nPslW)vwJJ1*)Ff2A8#M;
z0CMrW2QWYbu(!9XtEX!eW(mL+QBqc7W)XOMeXAa*FLQ_d_nagL$VrK7c(0x3ZmVFe
z<Bn=;D~v0q_`)E<Ydy~*qDWCB!y-x{VT|mRVWUHm21e8I3WsVjLqI4k?0mKU1`YLh
zmX3A^f%PLA^Dts~kaMPgYxqfYBdX^?k+BWgXp)<^_?%VF%5th;imk9O@LU+Cq|39E
znA2F>2)4Bs<TfTPb6smT57R%AR}?JTPlEV9e@pz$*yP~&<NYrMS~$7?c6^v*k_L#e
z#yIA6!wRAMcV-LSFVD%^qbFj0iO-?ptM4GzV=c@6=~?N}%j>#&CeG7ge;*6>Jb_2>
zSa5%D@1?%J(e^d?p1-7DcJg?s;{nWSNBn{sSrArOV)gd)Oavy7e#bHsxeL3V77n15
zH2!>B&20Jb;Rgtd1thR19Yt)^kDZ90GR98&P~h<|zADPzPuI>$8K(HiDu0d_U!D8B
z+;U7U@)o5v$OPR#V`sU6QUHcVDL;2UTpgb$U@c|9v^1i}yTTlmuc);!tuLD|xsqM)
zxDgwt5cT<`izC5-8<RIsphWJ2SSgqc^YkJ?+?%N=T`28R8{C^<6@qRv9R0ZkLLBXI
zxu1mjBgBQ2U~VRu`mu%dMa?KocX`lr(a{VoBn|xOW7dB313z{VZ|Gp5s+7D(ym(UL
zN6EnnWsnF4%H~ak-%EXp03hGex+awmYzQs9MvFw;jPFjmMa9<}g=k6r?8*n0eE>so
z7DLw5o_QxmJ<3KHohda&BDR(*I@I&<_VXtGCmOG{tKodwL~p^=^W4nzBI%Mz2B23o
zTS*wbi?-i##J<o9<e*g(V49*+Vy@z910Q(v;6$!`a?&o!hoYmV2+Nan%Ztq2Xv_sf
zg!%PG@F#gJ#c|*bIl_gIqD<g3Yuuo(5<29%1GcMPPS>nZfP%_rknqJef5&Hb4+jg4
zis(JBT7)`6ci&-0E|Db!Vy-a=((sIwd*iu{H*fh(r-5%6I$C%$d9-CF$pa(~8x5X+
zl3jsyKWnLq_$Z%pT7_<$qFRET3MH4IXIWWczgR180<YspkheF^0NJSEWkOSESH$2E
z#BXh$O(6);Cn&u2`t=YmT4TiRQ{Zw3XPtIAX{@c`aN>QPx#CM9!PKE5dz!&462f|g
z+yqc6x!Fc$U&X&K^TahkX@>_!a%J#RSfc-Mo$mN`P5Wh~->#qHCz48<(v5Gu7+3Ac
zDpE3U^i=gl_@nyjWx4M7$*#u_U@Qw>BD<h42>T~Y!QL+>0qnW;U#STlp>#0%e+anO
zPr={`R#3K5*)l|_f~9PGW$~B%hhcXrLHbkhTmsD*H@K?jyP}z7En$=e=v*z}55>0z
zGq2KF+AwyAi4})RyZFC@`@J0Z2WBf)WPc*B;aa~^WFC;zuYiZX0`|Ew@&-FF?`kJ-
z=5Zb>vJ3&}%bxz7ZH=@5!{FRk11g04=YwR))rZvmr7}xOx4C<shJ~Exrd0B!Y(m1k
z4sJG}&(!*S3M#v#T)c^ru_L#&@}pu`i_>aw5$`Is*R<%{^{kBjq#%y5l+0$m7MrIW
zu*T6V0ZsFa&x0nWs6i6Ui`1B(SHH+0fk&?ZUXCxeVm-Sm0ncETd+8A!%qEhJ8gjTp
z)W?&5Nv^{vaUP~=t5H{PY)4h+loGUNa7Jf05>k>;kJihzMcAkRvhkHEQa?J({H=03
zSY$BA?1tpW*3Gg>gmZD+kRb4W8fIAQqt5W~gb!Pp1w3m1p?0St2B%5nIYi3(oJB~w
z>utJ`z(dT7Q|UDG*q>P4+#Lp7cYew{RmN)%T~%5%To7%BLpU-!SLw3~WZSZf#qsl{
z)njzZy9(&g`0<cS#41kU8waT06Hg$xu@^tLV8xYCK=-9l)>UAbkHyd(=Z_Oc_9e)B
zoL(-NZR@nbchT0q1^3biK@!^Xl$~5i;*r~;UqPyt@IkA_&9egzM`;x^Jkc)ATKJKV
zz;D$*TO}{Z{|L^>{1tG57Tkf@gA$NS^oPp0{*H*WjpZ^Z;C>RX?2mlN!T@6j8%zI~
z)IY=!DncBdNVDJ!xFLRrpuL6)`^fSo-h#^cAw|eV+%2Iz@Qh4^m{`24__V(Y+1(Q(
zjyG^sio8kNfStZKMhChytI+#yRI!N1j}U`s`v6z`dls(D0k3Wa$`Y;VTZjd2((K}N
zUu$8K4w^96jr#n^jlkNEqGQC~k#%?5RM?R2>Yhsz|4&%=l%jbAC44XkXwW3=*Y&U1
zAmY6RoD6=U73Sa%e67}~t_D+z3ME&Da4)5qH@=CP_Z4It*jmlm=ZUNuJ1Il}Wgb5<
z^3}n7maXA;ARPUDY|$$e7CnTYsm_?o9#Uw(%J-(7-veW&qksK7qxKIM`OG2o(G<X1
z1TP)eBCd(jGG)l`_UOJOsKztyeY2#Ot<Ip_VmwpciL<{~6$zgK1=B^W)Zvm9)*(jf
zrpDW<^HN_C4;{iH?XTFEG53Gry6*NFA#?+dFlysC^w#Kl(<;2szv$zMRODSI{j|K7
zUCk*{|BZUiK&t@dX%RddYu2`a=601DANsb%26AzKJvi}M&?jQ~3(RF-&oYf;mQ~r0
zPd8tZb>XNB@Y^-?W1#oH$Y)OWxm&=E>xOuL)^Jl&%OUYT<}Sl_=Qp%eO@E;QQF1A(
z0pRvMh#_0%_q!l~Y$1ypeM#=8e^b<Hr!d{y7bGp&a^57d3sj0IAgZ$b66<xo|Jv)x
zV-cTu+_zvrFDMqDJ~0E8J{Okn2Xe#J_Fl8t+qXjq^S(tO(L~V%m9&O(oPxJQDZ%ld
z9=PhSXqG9XDBUcZGK?bW=xu&#oVgP(GJpQg`&Br<ovv#%tjiW`g|}qxZR)^POTD0r
zEr%7<EZ$s2HxO1g+T51N2M6te-&2n}gZg6;`@#X>7?-0xUBkZ14sGFv4UIl4wJllp
z9f`+H<>54;Zm0Y1uP!6EQ4Lxnz?Yz4X0Nyf$z}w<d3uC2mUfc?6t&ZpkJbI#wH~o~
z{<%>auBOxX273VzGc3aaM_~(Az)8{Uo{T5!k%%QIU~(|SPgT!Ju7`Q*%y<_Il(D>}
zyJYpLLkk=vXBHmj4V|3{9o|BlWc#E&esv2I?@C^O6EO@H_Vg=y7_e!mVDfdZJ#?&n
z{!5ZGV1uZleM~kU<VpkV1btP|be&C;&>Bl9OXn)&N@L929g4VHTui4YkB+!MJ^+0)
zSaRl-@2_kcFBp*y4J_(D?=72i4F7o#^;fNh&@cV%h~{+UEVZ_8p{c*QfEl9<J5#vN
z3w!4(??9z)?QJ2Gjt4ok$Q(tKhgG$TC0nX`D~fYSFk}kWWWw<`^MKP0N95VEI9`8%
z?$<3W>c7U0#g(kY7{keUHRc$LpC(r?K{@j6PbXatlN)PGwB&y3>W&i~<CbO$*6?`p
z!92i-=rXlICcR|S6nn81nAPR+G<b8ELZ7&8v)c`8MXkU)1%Ii}{72FA20=F`{UUNC
zz1j$V_6<L)Bju|}t7)t0e8B>!FVd@!6W<F}8bfh4kji4KN5+m`bP2z)&Iwx0iRQm4
zrLL9#Oh2T%tSP@*Oop$Yrmtdkx=GiB(;jai12etB{UNc0U@`8Y7>$@0#6uPMN14AJ
z#$0wIiSd-L4ER9*q0WC&B3A>xKDX7hayMXCxf8&U_EI-|hM6{+ADbf63;y*XP2ZN!
zs7Dw?<2BSy0hI|wS0CF|l0@JdKz`OmEHxX^c^?Rpig%Vw)W0Hj@24D%X!z%Z@t@KE
zmxtXVxBt*T_m2M*z|$6F;>TvDUiR`L4Rn8LK&KDYl8|7_Wj<q7<)FjJysdiC#;gh)
zCM0s5$sV5Qil~lLkB1%~w8%VsM|*n%dFoM7j6pXJ)M}zCY;Kwv?nf0V#mHm1$Ylzj
zi05lG*rWZY5(PKwwwRE`vmg3Q?5n5u=4~f`*}k40%9;q<gTAn@GSh486}>~<B0XJ0
zx#hO88v_nyXx5Pj{Cx4=p6;;sHr+!*lUj=)%+H`(`C|^UVaP+_-aP@lJk-A_lcz4I
z2<DkrSvb>iyN<`sv76uB>zs%;vjX*m+pR<+e_e{>#pUL^mYnDGl~2J{U@fxEynP6)
zLCLfoyQ}2x?-KfIEu)jdviUImbfKz3WgD2!XGUrlk}xzkI_U!-2-N-(8sKBD{jJ9x
zv}^|9vta4)C`)dH-#p3a?oYk3lp)Zl!HPSU{G9+HNemN(Sv+`25Ves(fpm(#?<}-y
z3PtlL%KUjXi-D~}4W2L-AS^b!lks~=14I4Ma+4}Q7E%~u`!PB=+fty*yQv&yT`aGM
zA#sj{zB6)iUGR|dS;~Q8FWwM5_ruOn&l%Mv-AGY0_!!6Zfh-_Mob{*VS^`AnQ=~|b
zwsKSY1xH_ATB!FKf@#{fr}}5%5>fc3GrJWttA0l~u&@qF{=k$T75MZJy4I+!>CZK4
zeYP&mX3*13YFD_Wu!RZM^$SDfq1U%y8m7kY&=UBP4e45mykEUTR@!bOxC7E4DF3kJ
zhK{SS-aAwVuV_e#J5g+N3zh=OCbe5yLuc}h&Rgn5GB;LGRBlp#;v~KLvWbzt1T3X*
z=lg_p!v}PNAp%$g3bsvqp1)jpeS-?%Qey`HT=yZxv$4BMCFr#l4bv_{kddFtbe{Ev
zC4y~&tCW7C^g0yj6+hYBNMw!1G!<9=4qd3Jk+9Rek~G1?#I=xa($oLICkEBcyn>Xr
zVrWA8+k!7_UYv<*F})&C2rn|vIj+l~K0gW<_C<^tM%XBXF)rlGQ3=7p%8zuOHWc%Y
zW^grv<9GV-S*5na6qKJRA<23S#$p4(q*xE#>`aC~<#l4yPPDC~WC(us6A}a9OSHXR
zl_PV4a1@-#R>Y4*DMMOn<V5vR8)jkuK$c;!{yG(QgPd@}v$o$I5eL5i1o`YBKKRk4
zsW$GvL={tm>VUDozYD1?V04B**64zAA`RwxRQ>zjc{EKBU+9v{?~vW``q8HDeRZD}
zovf6zPq-R%-kzpDKYojK{Gvkig<w(KNek)Pl9MF0d4Z9?WMzv@il?=S6KseWKKLP$
zH1Nk1*<IjJyZG@lf)-j$bFV{sqGr%Y#17hR7Wrhb`-ToVFzEva(YJI0ZqdD7u&h5x
zX$vW|p}F0LWv-e|BcLcDgcL$YG4x{^p}(rCJbh8CEP;Wa`@ogIVs!j#^d1c2i&<qu
zEw<3g<xhWT5wzUe1D)b*Ti?Ra8IvbXSr}nO-B{ah5*h2!s<K-cFyz|2+K(K@p<Gwa
zw!<KRohs+Z4c!|NQl8;)UTYig@Z*5mIuccQ2+Op`>i6j8&=W(aWk_hyfirfY#AE);
zG)4BDPw=<=M@`z~8#ie-U*g55oT@+r5o1NVs~Yf@-yFirDo4hZLAfNX;}JG^2##9=
zYH93S?+aJtF-%0eDKhQVCssC@ch_}ucK^tf%8uebp|lN=yiE%d==_Pe+vWVBXU#un
zzGg9+n)L+97VhJ5QpG!7d95sd&uK??#skb3G{75pNUfaaQhRPw-WV@hYbt*d<dWE&
z+Zc)_Ku^D63!c9b34UPfH}sCPjq;=-5l&+3=1O!7K=9R9QS<l+?whGMErdx@m#inP
zY_F|+4$QL;7)3tJBXBjV!$tSCtf1&!+VG~K{-W$X=-PCkBzx$vIc0>zR7e+$I`HXo
zX6OA@j3uOk%*I6ocb0xN(XDVd>PyS!Qk~Ra%=qyQo$yaCTt*0Z@&zAspO&taWQL^-
z=E=b82-y;ST@l>^97xxsY^`A072E+G)s^!?T87?J+saho4E*gX^3?>fw9ooUEW$+D
zL^RJKDx)=g1wl^&OBxUMCVyxGKv5rbX2XN$8aF~Do|`hh`i`1bUB@E3^9&AM${qck
z<b<5d_~8z?+!6lBVYzzo>8Z1Dt+162XnR>}%6*^0_HzkJ7aKsV5}Kc`Kef6Pj}tvF
z`r}9RnT;Pumbd;csfg*ByOE#lXYj3>OL~JfF#q-hFQ18bkGO9<m}ABfkqzhCW_-No
z<T>uWAW#r68yiom;3<0ikT@}vy{G#-xt$5PDFoYis52!Q3eTVTe+YC;wVc6T5VE1d
zJ@+(M=e^5LVnO~fnecqPu!_1-!j4jXBJEOH2yDhHS!YZ+ziYV@b~Tvi2NAn(i4wcB
zY$WfeR!GzF9=P7*6!L<VSyTIu&2<MZwb=HV_Ejt+nXXRTksBg%Sr3zrEHwu5uYPN+
zZJSbztzx`uSMvL1%_oc^!{Xg>oVZrWOdXcy6y-OX-EzItrkCSbrcRr8!7@{%7u3(U
z6=%4op9rY6b*E~UlTyB$+os$XZXM|+$_YLy0KbpNDol$il~)VF8j@CviWP92MR{&0
zi5L`9>84gADD)G$LfebG2K$es?kKOj(MaMt=)5+)aUUpZZHnK<*li)i=GZ%~ED^|V
z&Gr0cAjSkDESS5EMiqn=kmXE^9~Y5*0gfO8EtId|Ai%-||HhBT**8JJXf~IKojjRN
z<NGq(+?+E#Zl9T{4@7{=_snX%8C>G>@(o-5#mZ1X2`|u|r1hgCbPSi#rrRjk!3b$!
zlgEQhT(k$l-8I8b;DR;IaAd_)#bc*Z;f?N8z)VQi&7%0OetyG|hvx?(rMW2!;_plH
zS%gIIbe5Jcy4NEuqAllo^Cz=R#J-ZsUm|(u#nL@?=u<Q@@N!;%$u4Hz2n)-)rq-=S
z5y(03(aEMllM*-YeuIlF)|<5{lvW#NMU`&&eA~|=cu7V@mzzl8GR;g#79&bI*uZy%
zuH7mbwqkz^VLNbl-8DWpd{x0(#S^_FKT=kRYlm#1xxZ~(aGabgM>*jPDElg_8y<>o
zO%Du3H}&za8k$3dh~JUG*4C8>mEPwacOr_<x!+zD-Fw~N%5HD%2YMh_4+u+I`W|oj
zMgDtZ>^knBCV)m@_=yq>y*bTBg}VFtJv^JfWH_c7F9XyfWq~y^gHLoXmcpckltVTy
z#u)Oea;IEU^)1^|qQaeijj0t4Y^7P+KM1x`%N`jr4T7DtGLsTirKLE5mwz}L{oD*(
z4^_Pqs?FDIy0#-(B*|dAorUgo8RYcZxoG2wR5y+@S`_opzQYn+W@`f}1bYPaJvuaC
zz{0kjmPQ%^-Md+ovR^l%)le9MN2PuU+R%%8ty<)Hc^K)Qm+Fjfk~W#d6Q0L;qEP!T
zBwuGIxr09A#Dmz@marI@<UR?3>}psP$9;x7mGdsm47@)CzlR$&C&=*4Oh)^ae$#(H
zZSM2gNy6y3``R|k-3PqwC5g1QvDX`)H#_ovR-fUfL4wtziWY)Vz>x~T(j1)nY;Wn4
z%5s_yK<!2wzx;aTXLANLbAS?#Rr!-VA7a%F-wlM7sTbROrrt<8<4d1l4enn@``#6G
zRah2G;y5HnB-Zu=;!IlNRtOorg!@!<0owh|8(CUT_pS!Eu_H{AL|s37S%i8G!a0fs
z;&O(i{YGSPT=H*fD&(rBl4Sk>)xYF%F^j(b?I$Am5v7Z)<z-Wt`AVtjJL58Ya{vZd
zgUmU0J@xv@(l!lM_6RJ?A&9HAnFX8}?SZf(ds%D+2m}QnXXJ(dO$_ThiQK9lFD0p$
zik6FxNvL&dRa1PGuop6FIxFLzW=U=V#MtP`y+^1FCsS!dfJ1HP2W+KKIoAr(iPiy+
zUI%&R($MeHWJQ;L{!gu@tIid5-J`)kd=ehrRNuc2SZv&y<y@ewV3Cz1Z|7cOqNNfY
z(=nz9I60E8pAK_Vj|<LuZpCd3=*^(1R1o)IUM!~y*f9Z8q>4rVSICD4m8%ePqH#R?
z_hLJ_-$Jl1bLDV=h%ervb+Cqoy2~q5zvfL4-`ph%>@&rX9MY95&D_-Th{GaC5SpF@
zSeOAbDOS#TIi$nH+n+=QWDm{;pP1(>5ZDm)5%}I|uW1(g944ZyK@vqBj`Xn(-GJ_b
z0tq3rx~rHUSbPQ$s-6%WKxqcqLLYYGv`v~h!<VPMaxco#*IhOL6i13kgSs4+eH$dE
zd3jEm)e|3dEmTY_)aR4C{`UzAQ2*w*3#;7n#a6D;ufx$J>F`9gn4UJE%vsWkFY7yp
zB<in!xjV!5#|6JK*@_>TXxYxi2Vb~l1P<#Mm7rcAN|Rk*I3jPesEM6)?k2<>ui5Yy
z>wEO?NjEOoSB~h**Gkp0%~v#j??@d3;0!CCY8@hX2hNg~*3m7v$LPm}<XoC?atWH^
z9qret;cCQ3cAB8W{;kb@ls}<q;9a-$XJ`)_fgoP@l?4WPsD{vs5r{B3$mC>7y3|x`
zTsSi}+M{NhOcWhr?+P7?sIjD`nErJ26`hUuLIS@}f*4IXDi+jRRf2x_!e|QZWc8X0
zG((SP=;N=|q5-dciSkwP&)-jx?|RvGaz3!EevgstT3JprrR5e#OiVSKAaF3gK6%lu
zHWPFF?9xRQvTT8BIcKkWM6+B~H3?Cs?yI=<7qM9IJ1jnZhliJR5qV$#b~V}-4T&fI
z>51I6H%_2oK&1`cca7Y|n&GbGVX3m6L`L(VPH=_uI^_BpP9L`&6zToZXt3q*r;`7m
zZLHK;qbCP_NA0PA`ke$=R~9eU(sF{t-#jp4e#w!m4I&o|I7n?d;TWRNbWs(~%$v%S
z`@1oJyK4SXC4}4ZoD}%@VV^<ps9p7t+%d#GmUxL%v)*qE6gN~;=hMIx1h<Vvt+i^o
zqQ7|2)@V_E-DU@=*0B)3<WaXc$lOyi4|>7)&c4fv&xyK;h9X9Zd|D=6$Zfa#er_nd
zm`@*{;f`DhLcb46g5h4p`?<cXQw-t_#5iHPt0g}+l1XM!w`yH-=H)EM75fipN+wP`
zx5)V1@W3dx8sgl?G53=Hm})4TIx1e=QUAD#CmjZ+`mjv3REs+oOqUvPWaU}i-bd(U
zV^Qf;BZnGCLurG)3K&UVVx>lj;pXdiAJ#N;mNv}yml2O$pjFX}E-z!MC`+)=0UjY*
zvaknF-lJvQo7|Z<Awd<b9q*K;qqSQEpNlma@sLg+62-UM9dZ_viOz&zj&2i3>q`H<
z)5(x6!!}4&+#4uFlr=&2;8~uwBEY#dWF^Uuy~gd^()KR7t=8^!{k7E!NY6SNqAiUM
zk$VtoD~opk4?jqzu$CaMl8hAu52@*A#UhGhmW}M;F7+XVCko%aXj~78DDO7}NbH^)
z5k4xKdoy68Za>MNPhp%#DvF!DuefAssmKGsu2JV!4KxZI#M@Q$R^3V=)d8l!ZHk&a
zofbj4z3N1)Ds2i(L{*&g-!w7q_n}F|9nA2v%I2lTzdlZ9e+RisrN?lWta&s`z3T0Y
zCz54{!X@w@D{3rj-G(|5XgK-f2X5ZNi^JJH_*(R61F*3u^1WJc*?-YV|1u=`!3{gu
z$Ii+FfLGj~`cAwWmKvoZ-mkw4;T6#Z|KdXE3NOK#QgrpF6B~c{No{cuhSB|GaC=bZ
z=a6kXp_3@JW1?+)+S#h3Ab<MG`Tc(6%E(BO(@odkB`R2xrGzJVkXMffr(vlfXnPpF
zb|=Kukwbg`cCrFo<j4wg^YO8{rPne1S;C%)s%KQX&whYT*G|gKtD6xaZs#~&1M{b=
zdi+Sq1Gy;J!d?K-=Ycm}Ft8Gcu3IggrM<9y9_Jxs<9Pepw$3{dPLouPAwFjVDFC4k
zAc4`A%e-2OrzD-`@Idb94C=_rYA!{;xxwh7HHnQTY4FvaVFF|kyZ)I2Bx>8Om4Egw
zeald5O6V}?&~}=MpUhg-@MBsM=ro4pXj^d_@L2y7X1Y&6M9VBjNzN<e73_PHB7{j+
zltI|zaUWU=XKdE0Z3IPr-(NcbCD4X{Hsu@u(>eXcx^p$+`iz8r<%i_~t6bDL!`uzN
ztKG7CO)JSH_{-SKu_e#Xnsf9EY>ONu+H~dReyG6WWw|*iFYza}1mKGw57~CK;|TXo
z&<(HO@kiR9_K}-INC`^-y{5|U_u9G=J_LRVaw%vic?~wz8-#Dev?6;qI?T5I8bmf`
zH4a5}4mn@ys!kGw|GxiPKLQ`UnLRG|MBRK{TzVL0=+=hckLR?0n$&ykSw3&;=m~mF
zQ``{oQ4+8VoeK7|MBm?7!oLCg4OmAjcA7ynQ5`Kv^tDm99c%-^eWKSG8X^YXbQ3Xz
zThO+;`~oNHMTI#jNcFEwOk<>Jq}pa|On$s{^D7C0aafVdf6l`me{}HPOCdPldjJc%
zN$`Qotjy~OL6w!K;8d2}$uqm;<jXgMiVo0X@RN8}p7~vDaLqasgg5sp0C>~Egd;la
z(SJ`b@@HW?Gvwe~g|_rZXNqmtKbPw>6Rm#;u^-UPY~W)0gH#(cJHLJO^-~SaH}g+w
z&sVQman?hkdpwfrG_f&vDEJiSBy(0S%J>STObf|mc)vDQtZ-@}yqe~iI5rK@OMEPB
z8~01bZTj?gQuSrO8wM6`PW68Li7pxhib|M@r`b5g$nP#Jc-Y%URX?iVxaa>;Ut>z|
zh8oS>OWRM^b|eif`g3W=B>h13sc0cjVNJJEh!WsW(b~MHcEaZUHb!t%il#Uq3Rb1I
zf)H-{moy#OH)aJ2=TlH%KNE<neECy1J9m=a;3Lq6^yMHmCdtBr3~OChP$qM9zT;2K
zkGMU)h`{VMuuHy%#fX1t+>Idz$Oqx{Bon2(o1Z_ib!GP!zN^kZe{IJnrS$Y2(?>vr
z7P#2G8pM}^+ol*w+Dtemou3Oo$MZfXrd<_YVGmKg#fs)07E)grcoM#WhRdclVXjgE
zq<6Q)7HEq@&3~A$O8)72G9)O<l#1VnVV$dd0V!!U=+rX2PvsH^y8<Sl@s#1Zb7D{<
zQTe~m0@SL`W~JFd%wCEezd!ahO9$%j)#FYVdm2R$Bh}IABsrrEhD=S5|E3)4`i+Ox
zq8fGYY~ChOO(?yhu|s%$R;DUADv_AR#ZufMgX*i!M^q$DkqU-TH~N)a2=HZcmFR;w
z;}3*|BwDhFAc7bUuw<!)c4M=Ktz@!7VtO;joWxPU5F=aDP0OR?yK?Zw*@Ep<>D}x`
z><jtg9=nbq8j!OfNyN_wfyNf=wDO~(<BaVF`5=au<vcFUxF1;pubsSGUQB`K3D?mq
z4Q^IB;&+$U6{UBQ^q6Nm-5w~sgHOHAJCgZs0)PHb)5K@A_cNyF1Hx{=e*Xm(Dp#VZ
zOd~rceTV%f44DXb`z~gexB!FgEcK}B*@pQ!Y*}D|aDE7P9-OoRC0WyS^!gYIfEfgL
z!%D^nx5e9@DoCM>in!YcRYdCG>o3DHnL3eBW^0M^T4Y%k;b+JIRX4@@iv<9Os|q@X
z?cQ~kPNXU5N6cYY<ofhrw!?1-rfV*Sh>o|V0wv1BW&Vo8-TB>vqW{d`;e>*)PdUqG
zdRLiiNTt28VqMkr5cibYwyp!irdV7^Mp5xVd~qVJGqP2iJAjG_Lfrb60K{*0H4Crk
zd_$Zpmdnb9%!D9htEZjK8w0ONSk(XU?uK;ieQI$&3L|yw&!qDPeHH^}5-Muqenu6y
zlxp%|hQH&&p~hya4yhpW@M}B>m2;<t8B&)n@3vv|D;55(YlqF_dAz><jN&Y3pR@>o
z?&b%gc*c8MIU6NjL1fT@?;tme^b|=CPa1F;#1^{PE<sng&w<Po?qSMab{Fn6Lj7s}
z&65zvI!}`wCmGhi=gsS35O2GKO{$IR`9ws`jS_Ih+t+_Z3)KBxF;le{g1U}?r2}&Y
zJ2G?1K4YlCnn00~`dYtLvgq#)JfGw@w-l=)L=aDibyiE1YM=1|vW;`)dz~YyR2Cua
zzDx;E*gP3J@I>?9VnX~ph?_|dqzOvIe^Mz%o(A}GE&n_kmGITDP0t}isW~ckB73z?
z=TA=3|LUKnBDH?$k7*nk3BI^wfoi3DwvRASZ}xE&kjlbSf#oqMP=ohD7IJ^gIAP1y
z?*V!m3!f#{Bkq1*t7TJs(O~z}hQAA8f8C&e<NS8T_iln~HIaj*QoFvdh6jRH@hU7`
z389>j>iJqUTA#`6NMHo5(Nz{Bluv#j>n($o=Uj&M!fk2bEyI0MOk<#u8uA8+?8g#l
zLq@rRZ97H{5h02DBa+eWS(Mac!@T}AvLBS9{8474cv_!1-7Ww4a>Ce}@o&Qir4A(c
zFc^Nf!@l!ip`cnO{@G@a*R8btRdR|nOb^d6KJ{_m?P`G~HJMS}#~WC!(Rcc*!XEnt
zrr5u7qWv%h(W5%@AFpWybpR^5(xQaq)^K*QHx0D}9Z&XOlYTO)NMD7IjiY9x@GCQx
z5`EP(=8N2D9~v0=hh37nM&(Ts2!YMPaL%DQinGbb@BV-UTHwGFNXy9Mw`qck2;>*a
zm#6@qEXx!ZQa`&b5NM!URwn<Hq~$<-8Bo?7`y1QeM$Di;{0%u9e~W;PclEndO53*Q
zvX&Y7+uoPP$;>p2^Y|*$XPBkVOdbKeUn-C8ccM|#65K{+^Oj#$d?uQ59&;UzD*qTg
zvn#WkQ@RHSR@lZu-*ty9@nAjaBS9Q2>K<6a_fX%zWr1S9k2qsYdU;Gi;a9{vBt4%-
zrX(tfTE`tL{^sfa@^GT2eAh*W>pBSmLjFNbt?dWl$RbOnWKAT7B=(9-2H|RC<P|8*
z+FIN*P((__Yz-x2>I~n|yfcWPtybSv@7caDpmg$qef<hVJO2#S8LNU3<T9`&6F}<k
zVaps132cYj*%Wpb5bMD|Cc4w~hi%kAK0^uwV7d6nFoSvA*g{wDtf8~#3(}WS8<z}Z
zoAPr0%0HEBt5d$@RMemmf}k1KMMQe>x=8{j+=v!*5&&n*MVDb?rc+0`uKUy>!Z>4r
zR|mATjm#*=OGD_zwOO?rZ%(IookB!|(TSG6$}=O{WJ>Jh?e@6mBhQjRNzzU6Fw<Y|
zG1u%sgtfZm2Dm%gA`bbYS5nNc{oPzC42ry%_oz7Yyh}ZQnN@q(!5}5(cqM?WG$Ze)
z?1?XnbkXt&h^l9vvuw(!xM?L})X#SwN&80p)zjOm$V=J=w?o;=Y7`#aR>8z1v$2Z}
zrk^VabHWhFh2KgS02~)Ko|EIvEQLRZK6KRWnU-uhSS-w|%r0`bzjVR<X+Y`%Uw<&)
zD+`=d>F)ioK4yal-sI5KUd5^>^dX@1nLPnANFk|Cr|-B;px3D0-b}s%h1V97?o6pW
zLcJvAgx@u)))OW}s!h81FU~$b;)$W4M1;2kwf#m=paA@j1Y_ehnB!_lq>O8k_Q+Y)
ze-r!dO4be{_=*kGEnv$wn-<`5VENw)`_4Y)?EdbNA(nRGL2EF5#YBY6NX<f|XD3JR
zhe4-2d`3ZGpwn6Cm0djL*<03;TUfKVH!3WT>6vwJ*)$JY&1tjw%zu~kJSute=vcI!
ze<a1)@0%3nbUX65oaX0zoJKac3+3S9jp^o^GV&OE;GS<x3W*vYt6QPpi_@YoW;0Po
z<rOvR;Q_Ax);t>N(#8!_5maEDRd^kA6<wLzYAVC2FB?6)&i_7;tzDBuZ9)GDMA?bu
zbVd98)Ngm4c`p_ph|#XGaCi?3W9iSpV>!I;(Y&$%eu9c7#_#9{4DVUGQmIDCs~O|2
zcnPIW)VEm;hEmMVJigfQzdeMGWr=W>_74YM*&Ftq#}!Lxp=u-JEGudw+S1n}`|`gT
z4Oxf<={Q0M0e}OJWL<aaoHFd&JT|`#mWQ`9)eR-xM1-6#eOsyS+Tx9?S|{?`Ubx8v
zM_2iec9VFxUiuTBdn&yMS@?uhTs;-AWOL)R3r~so_80SCm2-}J#w+F(@9-+p75_Nl
znkyn$FMLrt7XWa{e?~!1W8^sEyTdk{ywq*poT<MY{rGBH(z)$7i~nTGq@~q0;wbd{
z_Ag18N`n`_kMP?J@de?`yIM!3%Pj(Z)hrovh90p}Wn0w7PAFs|2bHG5R3RS}7)1ZL
z)PX-rIj1G00H({tG#>1Nlt=Q++Lx5lUD&)W>AFZ?RG6XVPk&IPDaMFP#KL10Y644P
zPc+iQSr|StY3Z>H@00=+7Bttjby?i$fqqV1(-#{vC5(ZlI#C}c<fU|Klc&neL0yA-
z?0BF~N!$AX?&+*CaGy0j>+K`Ix3yxd6xxircj=F()$7$;1p~IP<%XAWtG!}(1<Jlm
zqatM0c5uKATE22W|1F7@WFd7t!M`^MrJ?e>CzX=GiV`cDKY5-MJ4QXaGKnFcv;`E1
z>(&`-lD1+FY3{x;lvl2|bs}Om=|Br~O~)Q<i}}vOfbda?&{?pjj)yn-VC+vwbZxE%
zXqrKH#fwJkB6b;>zMWhWEqe1accln|wd)4~q_&U;0u3%Ldxdg27feP%dXP<2elGe^
z(h+V=`n8W_^UoMl8EbfJ>@(t@gnu~1sO@hs<O6vs{S2p~DjTNlLg+h}n8ogDXL~Sd
zaQv~EN(tWPcGt(qnyZ@l;32k!RQo842F?UX_DA*+o{rjz;HMVn@F><uxwS@_(pC4R
zSKvQtZLHaHljQCFua`+!rHBJ@?mdc&5aN~kjL^UPQ#plumW_PH&%n9WF!<w7f%5Ii
z$S!AOTS6*_Dc-1o{W%9}^XDZa`WnP~vZV9~E%iybWb236h;-Ii|3#Z)&sFm)kFljR
z>Vsg@xZ~hnl|0E?8yZG{zH0$!Ck0_lKV&vrK%(Vv2G(@<VWD2AM&g0yp#bGrNJJ0j
ztng9r=-hj`0AZ{}`fdMNt=A@${pGz2W6L#7y}z_|dNCy1DWPwM-^vJAoHobIb&JGs
z^Gn@9m4*(%S98aq0m;KM;vcNcwhZ7xC^rh_p+tR>svNG2`>M@HGd^-ct2Zl(nBy|k
z3`owfXzu6jdRan-C_A`W!xl2{KtFf^AD-t5FCEU(FKe5G<K@l2_w7{>xe$N9Wu<D2
zz0Iq=Y0_$oHCQQrXqg$wc0X>rOP)HqeB=O@ECob-hkGk5?O2Wr+C{#ZbbYyeW-6Yf
zb+m#^uVK*eam6BB&h0F*AkP3>Nx=8T&TLnOJvp|YR{h4yw4#Jp_N?WJE)Gmqu)MTa
z)fz@qqklBV&v!a%X+PD^9yCXfSzC~D2u>O@keQ~Ed{bxmXgO<6+@VR_lqy0BQ~v&t
zfTWWb^+?OemHQinNDj_}JLd2zat&2=pN^+0@Az#v7zVF13aFFlAOU&(X15A^Fk;O6
z5P+xc;U>fLY3y%^(z-O=_NDkh$8uu#o=v1cgL_es7*%n=fJUL*bug=?MX{tGI=NqD
z%fhCgURRgVooaw0`IH#C3bXjNviw~l2*)Bf^P9CvL2FeGVla!8??ybea9Y&(mDu2v
z<aJuPYE9&MO!m<lKX))FikWGI+n{X9$F#l~(zW7cC&E=FwSao@bHdGj@{T-rZbVjj
zd{D4|BeXX(!ovvo$beEvslw@o;h2kp;od6u?Pd$nNE4tJAZ&VJIhZfT@mG?Mc8`1I
z8f1j-EWqAd6@I^+&()UGUX|Iw&5Bztr%koz#!TTF1ZWX9-8Uf3;rkohsu8u}F1Nr6
z*|$pxB#>I~n^TtLtR@15MiOE*Z6FT?QbXbcwdqhS>jm90uq6Z!j*5cc9he^Cb<jj7
zu^pYfI(Oy25%~_nVjkq2r@zEpTGvrNrYM2GG<gkDwm0!SWRTE>7Oc>mMuSmSz?3Fo
z<{D%!IG!Li#A_|V-I`ihjYlQ}DxIWS2UJs^Y#nlyzMXm)vOcbY2Kbco7RI?R?284A
zc2tjT?eZK4)^UxbzNsOY^*n67&*W`ZHyGFK?eQwVB+ts-dOa^y!-fPz!H+3gz<L_J
z_9eddlju$(57_tc_(OU|=4%G7#z2i!WiiCVZz(jX)M;Bhtr+t?+$sk3-@=M?MH4Tp
zWQT8_2dO*KjtOP;CbRN=30zt?*)M9*Rk2}|`<5~74*g16L@SJX&+pH?Vc&;CFxwRM
z;ep?wow0DN(?(gkI6q;EI-Fmj3JuQ(zt_mH4|JnTcNF5Mx%Bb;fI#!)#|%#@{p~N~
zMhI4fsB&O?FqBL@I~m{_(WeK=rB+{OlUdUYZT>rPLR0hzC%X{|*$hkNViJn<_k%qM
z0n7)JFI#exEo-fMC>$fDJuI*AGE<EQl|GEd7Es!}kLH(mmGSRLBeF!i$0DzDq2FE0
zu+5<Dn8rMOR$*t4w9uLjzt6#zSz)$#5}+(GuN>a3Idd2pm6QJxFKkGn$irJx%ISGG
zI8a8w0X;=o=gf`eJ`sF%(pyNEiSAN_L<fpfp8k2XKw76`PUhgJVc6(zN(eJ`vEQh8
zPup$a8M8f(!|L-r(x;k{eGjn)J6xAX-TlB;_G(UfalOTy5C0@)V4XRXrBBe|(|j+u
zyzcLpq`(%cWj4*%-OG!f+kwY?mjhJk4}x?iZ4=L1n5xjI)f|e;#pYbpRrF~-KYE|p
zOf=>ch6<iaU)sO~`7839^4H-g<#V&1d~cW6uuqFCy`VY0_9xRK3L-t#8eCh+U$MB3
zvLn{;I0(_=z@l4K1r2PyDlUWSO1SwYZJ~ln&3%0$EN<?CR;A0RwQ{9XGEdRXgZe%j
z#-f6i`8?>eTC|qOBX+-sH_N)`sWm&xqIb^f$_{be=pv_+Mm4|k;O#!YpD_L_M9WAN
zbP5kAE{ehsTzgtK>Fd?EF2rhZIC-lD`LMq-rK#_UY7yahVF6na-yy{tmJCA9c*{)<
zI1hw}C|8j+KW{$pb{gS`YK=`dq?N85!~aTBm-h5(lR^iS7L)<+tlPetoh2{$p~n}o
z^CpaS>9_`$&u%wt`i81h;<`UH?jv-$5TB&~%!oSb+m#*6d5pv)mM7I{jPT-5`S<ON
z9IdI#aZs&8DYUK#dmN?m_Xwh81q$=udL3KtP}3E7)oiE&{EV?euB%AB;8zp5_gdms
zj}_i2GI3h1cCKxF#T~;A+`+IM5!DrF%&i#=eh<-@@$l0r@P&}`8+TYNBy02#h(ur1
zxgpf-?I-;~eQ=edeNs}CTk63w#sxa-!9MHg!|qMLwcoi9xxIOAz$>22!EY)y6g}L%
z+(RIqqnDziT^wR{V_A}tV;_rH!J53pSUhsW(V|w0DHv7XsfRBdR=s34Pqa1wH2THG
zuiN2--zt2MW`6R{dhj6Mv?=}4KQA%iK^#R(;bz@c)fe`DV+OjVJ8S<0wSh0Bl3R%L
z%4wj^-v?`b+MHGc<uYf1aYsM`xY))78d09fka56j(muaa9Q%MrPHH;po9k8^5F{ps
z7c~-<ofL0aHnO{c+ihFp5<h(=Qu*GkjPTf}_PkFL)%S^LwfS&M?D?sgl{YGLv&bxk
zTeDMNFN4N@6>8^0Rv<-HLxY?0c4ChM{Z?~i4Pe-yP@f?m-BKvT=_cIvB<KIbqpf~y
zO|%^XKZjjc3~Ae2E;$EiIU954t#NQ1O>#e@<u=SGkK<VV!{L*R`r@(t$%X?L=*O>x
z(Y$<XviQ@fp-QZ7V`!#ABres=?B?SPm&z87%Lq;#kIUo97QFFUBk1pD==S|VxaqMk
z*zZBChP4Dx6}Q>f!uP%KdyJ<Cv`Y%_3nbdn*Yx}ip`6!w`-a!?<yjAMR?n)UF?%bg
z@u}7rV)^3g@&L_g8*qMd1J1-;FmBmc1g=w`>hxl`^|tk`$BG!vAOzX=?)rt^@<X@t
zirJ7qn7yY9zFH9=bSKF|^tF^^VuTZony9IC-m2bO!?hqx(s&a7Whj%vkCE_t4q=;u
zq1HW-Ik|`vE<Qo1lZO>nzaroiF;iRSHNX!U1xR+jM5pKG7k|NVf1`!ou(mI|QB*Ut
z6|Lo1bcJ(Gd~wm{JrSGJ85l=J-wtIq?5O7YY<l09TVor(oifMJG|dLpPRM2k58FC7
z7FP&mc>HB{BbE1^x=%&)!OiOs*M+LHD;?X|Q0}72e6KXkY%8tz)HDB*-DLWrbDD3;
z{gulhcRqGFFQ3HiftL2Ff^|3lZMSdUb+CW>aT#qDnLwGM(@SLZZRXim1<ufn+%c8k
zTp>dVnpLZDW@x`vxT_hz;B?e1)ag*^t|D;Y#Wx|NoAtS2g}8J&;yEJ#QzX(v&C5yg
z9mFRo>y=slZ2VRAGN3}Zz!PfnrXYEn(+Xdf+0>SQehZs}emi=wlS-MDD=qcgDSe;`
zYMHS4U5A-8O~Cs%PB!}bbtf2=x{`$xiP5sRU3y6?>z6NG9!I!_LN>Rk<NLw!lo8RJ
z&$~h;Z!Zs$wQp9&-f}p-K}Ux;#(p36hq?sf{)8!J;$$*PS1-l#6GH$b!aEm7rH=Yy
zpMjX7vzh9)G$#do#OD#%0B4(je~;An(Q-*&-UchH&RZyd5^j3lVTN3i84{)=Sp3EY
z8*3_4xGH;O6DE1Q8!q%36Dr{$T5w&y--amD3aSFD3>bj)DLqV5iM9gVR~mGn|Du$i
z5;4R$wp&&I6#kJpZOTu<S~W_ULyj!3m~SZ>Px1IW3w&EwzlLf1OI#tu@j~J@`jM(q
zmS_{R8EJ@(RTo$(LCDdC(g=d08Z;1^SYj<wkeCmZeMpO55V0$5k!|OCVy3y6SsCPN
zkYy;P;=!ji40?;YNZsf5l(eCl)H_aa=!(9m(Sl!abV)s?srN8f7L}6u&WXla0IjK7
z==XgnYg+L9FIalNd;C1s+8?P+%Bu^QZ=C`Qb_G-B|BjcCbvn~$-wnUH_wrFQyQrbu
zVsOmaQm|O23Kcx0@PMdjSj>d8YiFpCMuy?iiCTK|%Oa2M%o@dDy%=rftam(G^Yot1
zXTi=QHM<-vO)PliAgz24S)GohboM3{+eR_rDwvxD6|bW1BIP+rd2#L^GvUz~MY-V6
zanYeOqqI{wNu(G!zt^!vJ<s2Ua3_rEu_u?Sy3j8LnzUGY6X6nV+Sd65u*EMKeyhyA
z*&><*Gc~e-2@&2q#t{)h7@yX%Z5*Y0cZqMQ=+y(>`sEf`?6m4CV3v|@<;eH_?whE#
zQbeh7dI?MtdA(I#sO|`G5W}n#ud4;k#8Pvc2|jM1uW0E9n<PgjSrtVFPTYN(1Q(AE
z@>dJOMHvmpCe^V*N+t5<+Ep<FwK460*aV#&3Vv*D*o0o@TWI_co+pl^h51a+Rj6)?
zWnpi@U!fn7Pyv#imOyJBJWemqM&@Z#DmDzPc=WiYr1M+ReRe6+l?uET9w8$_%KTsl
zsGeZTWBmY|0`<ArBFUeA3UhyN0vU8A4jyX55Kxd_R58IWoAJL+{CQ55&*r~g6Yn00
z+YC`Yt69+=n9*?B1;~t*qDXKm0Vm^_FfcPAHM-6kQIN-gr5!_DNWRYD=$NVMl$l?T
z0$iA@<!0U62*qdad#pHCda5%GVN$jis7ZS$KvNjO-@mFaq=r%5jvIM0c)LyfHuAh-
zGXnl$hH!HTCTV9}5k-&>IxD-(W`f+rs$Z8>+U}{N*Vz+8L&`+yk~mwvn}@MwR2at>
z-!(mKs!5RB*5JKo@Ci)P@_ev<X<>`8<;g&dbfN$`A&ONfhv#=25LEFwJY#6Bo}E1-
zo6^1XiLd6hJIb7fQaon;_$pL+CA>cQ`e&<hp3tzTExWNAi!7CtKbyB#(d;1bo5_>U
z{xioCt9rTH=?ad-Kxn;kGMrVt6oveJ00Z6(Kh~1}eRoBlbIM@>ia<INTKDb(IpQY5
zwqUw3Jh;WE?m->MN(SOGIK}(o$|ap>`(k`CC|eVk<Hax_0#a0;=4QZCy?g`KkDsu+
z@*`I1FqFIgl49r=EPC;iN({k;X^X?t7(RR(u-S4e{hK~DKr^+C#YY8^WBzqWOd9&-
zS$yCj=wbS*!htDnf7GR9)+0Eaqeh8`DhCk4rG|}3Q;nHg3H^gi>R+l7fr`#>h$C0Z
z!Sj2!hPqA_<6O0R(OUKIAGW0@bU&IU)}k)tU%6QCjIXE31{KJ(UR#%yCGybq<mo9N
z_%S^j8v+{MZ}=b2?2L`MyA{K>G9{1YitR9be@g_tLjd`~?tjH-Y0+Ih!&$Pg9Yr0z
z2NHmXIu$|q?)H;u#O~*QOopJ1S&#0I&B=r>y<evBz)5(n3Tag_IDGgBNyNx;+N2~i
zX>)f_nTYyYfBI_Vm<VN6dciwElzPY`nUxAeF`nU`#P^p1Dalw7UXY1MDMvdvUiY$@
znv$|COpL`J&Kc0Bb?8?m{X&%lc=1K<Pg0L3GK(iQ>;gA0@c4MQdO5Ne@H1>hTG@G|
zY`(XBOiX>})^6R<f0+BWA>ESz)_uHBA#7GHs8G(EP}NKmOyR=zO@Eg-E(>7TJkSo-
zBkToR+;WV{x>qH<s*J~KbiVt3A~?4p2w3XpIlNgn<QrKbsfkii$n2On=KNm)XCs*0
z<-51(6Y0Rt7+C!2SZEEVcT&r4eZs#QkAWwhSWV@GVUZV-dVrS?Ae@Y){C(h#Z{5$i
zxP*T>V2!0;goasukKKjDa6Ahu@l?vgZ{)r?Jdp@lrsJvQtR|BVBsYm6Gy@RHz@k5~
zm0PxeI~jNr8bRvEf!^f$*cLeg1DW`nG3uD%`y8}~MqFVfsOB|&AvZ^nn4mK~qP;l>
zR=+SH^c=0;VJb|Ld0@jG)_D)WWCW%r)zH491=k|q*^S9Orl3O_ZM-;~wW*K?&X+WG
zgt7$2at4}o&X{Wk2o8gLX9hH>2;{~9@|_6%j9TPwgK{Rgd~+OP3GdL*r~~@4i)(4i
zK+*)<BtMwC8az2Ykg2c$eVK<o1isMP5(}RB;E;DBrJl$FXx`+4T0xxkCEIBwQE1nu
z83B5C!3r=EGL85xblV_Zvbv#6t0?qI@Mfq&3}?7t+~;7B`KN4=6W8g4|Hb)IZ0yb0
z+Q#BQb7&&sqtFW$V5f@Xs4t|{z!jl;mW|Z6DY&I||8k3Gek~FiYSUBbw0g)-h1Qk8
zL!SnspKsFg*NOmL1JDsNU8VH_p%)Abn-7g;=n0mC>`Mkb0e^ZHsh?5fj56b-Q@0-?
zlXTv#-&_Ugop%lJZb>U$&_A^F^3W%}JapB(36!ZYbaSBgd;3DPTIjpVPPq92xaroT
zSNYJ8^U|Mji;BNM=>M(|%^^ZPJxzD{nC7DQkF#ldleoDB*(6=I6@w-Q*wh+AKdTnG
zq0z{~#?2uZNv=Dmk|t+pXy|^ZuVb{2#^l0q_T{{BVV**N6Xc;=(-ZF1KP*Bn)wWUS
zg~#*Wu~9E9Q_9n$0mo|2$|rK(919m-z)C@16!YPoz+}d6nvT<5PKVarnUoa*{;V%P
z4B1e^8{6rIOnN+6SVHJ$)*{z7oEg4B*S0@feK-JYe#_S!G#J+SJF;otR>TGEK^nEa
z9wAnDZmv4=D`1Ii#i;&PdRGGu;1*SU6o0(s>nLJdi3PkyXdh!rO*7gDOCyE8mWXhZ
z_iX(Em7j*laM+Ot@8rsQj7ECH*j8WxiJp~^6WUp88&B%Cq`(oWj#zQ<lZnyjA53fN
zr4J{tS>}v{T=k>X%BO(s;s)4C`zfjZSV6hXRoo0)X=|-)W-nhe&g62+?<s%YLe$L5
zfqR`5xB8-;QJsDU*5aAd)L+BlR|q8vonQn%cS7zA3W~A&bfM!rawz2Ry?5zDuX^Be
z`}qCSwQ8(n8x{I{d$`z&cJXWM%O({w_A)ilFSpvn26u|qqqtGiYqhyuujji#9-8Qn
znCMSsLT4X1(c`2tp=Z!EQ~fyoHaq%5{~fWtW8j|YW))fkT6L8Hxc~qkN=ZaPRJWlf
z+#mHxv3djdph?8=^CPlQa)+Sf*QL<Y-!axInlv0AJzaig$2uLuJ3>e3cz#gGp`nmN
zLm`KTbvl|fpyL-K8*}mzLJs|2enO4_YiL1hKvSPs$PqC0b~m9lo^`64xRciD))_rU
z#>TYS&XYkG-l!yKjc5SPniB~*{7h&A3pc@GPax#5vqM8e$IcFNhmIpVAasN-Tj;iP
z&}$X#l%c;z$VH?4Sn4%HX%mDlX(8A3@9UKM;P*E$yvruMo3AOJQ0SKx<2Z1SRG_~;
z7WC-zrwS)Rmy@U8YQ6sSUkV(eOFlx5hkogIiZ2v+%O)QoCwTgE3f+mfZ1M{4&lT6G
zkV8+G4fIDsc)zA_AavP4|M~CK)4OVg9ENvE3pvI2^={b^x}=5Ny(gu{87GE!*@Smp
z&-H#fAAE$(u#$oP{&CrK^&Yq&bV+-<=+P=dmy3`)>TOtrE@2^uZ_dcEPDki+tkV&?
zoT1~RRe1|JY>`7DhlX`J8bU`qXV9BmClYd4r#CqClL$HVbQE%ESf`^QbhL8@{dHrE
zwTgDio{mBeg<M@vw;^=dg?F6}p-WoGT`FM~rUG<bwEsH3BPV6(!U&8yT~9wHZnH%x
zbe;K|r;l!72S({YuWpe8_R9Vx9`oM*?rvA>_U<q6nJs$x(O=9zRCjB_cjTnx>7!rL
zIz9U9?kn@&?xpSj?Fr%ivmWzT=;>00ew)4U)kOib+5F3{Zu@NyAKtsJ{p0Jq2wloT
zjzZVH+I_pb%R{$O=+Rr(`gOlS=n_}&(Y-yh?$@%XNAKS4>3V{nACc63dX<nHy?n6<
z{W|sZS3;d0z4Pel7xxs{*+H_Neq~<>@B90^dwaU=eL=`Y&0Xft|AXOOqR<I@;Y;B@
z-PUjWueo)5-zK!k>7v+yQPOp~px%pJRa>{;n(={)T-1BXbUoWP?Cc;-=tn<VrC}XC
zU7G4$WVMf0ZP>#_Zs8qYqL7PvN9gG3M+iA=oRO@MLr<5Zki&1zppZjPM<ItMFCmBb
z=_uq%Ta(JP-kOgqDyh4xQ`qw{vVM0i?^#=!pG9Fm+|xg{*D5)+a-A#BC{7O{`w)h9
z2?)8v;hlhfNr)P%PAGXs<r)t^ET5sO6D9tK*x%vE1h@d7KLKXTQ#t>1=F3AVzSt{>
z?4r|L-l4rFQjqfRgT$gW_Nrn`k3IGfsNKGtAs8pRtDi+x6}&HF5ehz=QJO+?Rb?kN
z*F*IwvR8)&ak;DJ<mj_TKDCe|p#1X{dhiR1Fn<cfX*tM!SBh^{UQB8b9FS<rSr4F)
z;$o#O034mGFK-C*(qi~iMmXU_v=372rs5T)&C35*5))FDSafoOiow4ratwqgEBg@s
zHa3MH8iltuIEivpDcXesI}}z+Yg>5-<=kpWmA2sym4k@NFD~t&;=;i(*2$v0`h=e!
zsdJysK{MrT9E{VoCM8{<WauxYa15C^7=-kU#R$a6??}l~A2F56MU$Ht!J+Av1l-@x
zmP&4D5oQ`S{Pr15XE1U<4$-;BP+V+<(aB=5loq-nF@lorlHqgbj5NXT=~ZH(>p3MT
z4gBG;pw<-gbJ6@;^aqK#;(v4v=c3oIg*iCTmcJ$#7^jDJ|3@WFrJ<_{%YZ=x{y(xD
zO`yK#02c?Go+}+R^<Co92qiSZ$j`ID&zrw7frbzzFvWwW<zR(Ogn}}(G*H?`C<i@F
zG$W&hEn~Fuhx{#5Jdb=T28{dxtLbva#Fv9V23E=MRa45`S{M7Nen*aj#1n2!F#?XC
zJ|BERAm;<ne%AqnLjNf-XdZ+A^LDL0X>M6~v0sb<<V7q>sRmJmqKO$G7y=>zA&L+P
zC>IHcC|Hyj5w(`_T2pJp%gOOpH6}{hG^r-%L#<I`|J<zoI-O55$s}{meBzS5*IsKq
z>sim*FEK*DOx7NOxf66q{sMN|-G^$<>Ub(veX)XcD7oERkRN(=;h~kPi*-szUBLLA
z?nG$^6w#pue?u=Qu4K|!BM9tH+1>^PT>u~3W$u1xy|Hf$4T>xU9l%i^{hpudl;w)B
z=s3!0=2+PJ;B#w|3`BdvZ9!#L)|>);Aqe1cKwwbTej*T#f4D4(tZvyw{uh%1B#*DV
zuHMt3wGqLsruni8jOp>p{$6G1rx+J>yiJBRIX#5!h}-1|b=;DZR{MFN8+C5%t*b$q
zcHSk;jU5|eHhr?;ywL%Z)VTeVoakxGE)Y!mpe8GQnc{=`&MiFx!PR88LDAbTdmQ1!
zft_q_?{mRO`gUobZfbRC%IAY)?8enX0wN9WLLNlfU4Z2}IP0-<F$Nt2)wle=dXU5L
z+hXw@7z@p5_en1lq5u|bZU}mk_?6?tWm=5}eZ*y}7r`=-SczAezEDxKX%eX|R|}P7
zrskaFg}(Jo9o?1~S`oKR!an(!xglHNCtgdMEW_0GuHG5Lwri`JBV5<lhE4*hdz0(i
z<L)p?h(aD<WGN5|!5Z=g2W7BAN(SS05BNx*{*2flMoui<o!P2>;^S4efai`vA*;5c
z({i#UR)6#9-Y<0gGhSwpOc{|gy1B<iUjM9hB3pty88rr6gBw*M8uja@h<?K?+-t+I
zj#)Z*<VKZN(glvV!6+kRP<pv&eYGlKiKXShZ5TPe0vm}`p%Ywz{2l~h`91u6aP<>|
zpt?@!C7a+N=VCG0cTG0)=%TsP7mKg6c<zlcK&#-;xoDJ<i560@240Ypnp;xK!(Cvj
zha(csL@-;UrJ(V?|KCvkPaNbpsvAj~556~8Uo)3bP5=~FCpf0du|HksfzMa8&Kud;
zT^Q|wY!6Q)e*SBzyGdmEtm52>9qRKTEXG;xFd-vi5;?dW$KCf^P`wA>B39wLjnD7@
z7Cf8*P{hB|_AX>p3MDDFgt`E(vM`<naZ?R7ffjh)Q(lo|0D8YGY_r%5uL{r?1F#;r
z0KU9|L>a{2#<ZlU;-k|!bXrO53R*G0`g?MKyz{HzD-I@qr}pAZR}=1q+wil<RD9Gg
zqmC@X;0I2Z7`}+T@U<fDC=5C+u>h@dcB#mINBxf;!qY8k)h7=0Vg*5en1aG#H)hH}
zYDK)*9o)UA<A6;C3?=&50d|`VaSd-ba$>C{*cQ7;kfoNx4)n#H6#Ry#d0xWNJW68p
z0vt~P0Wkl?v-kh`iJa4ecsqax=Wf`*{AGUQK)<R3f#gRXl4e;MGm%cHJ{g3Cx24CD
znfrHdSwDilDoNa-rh3}J5a-GnGPzgs`ZViAF7lqXMC+R<oSjzPC)wIl!+^Np!PSlw
zWx6UFcgsn}6vrGyv#@*rhdsxI=L)YE27d5XR)a{X@5=KvRCQ0apl=Gmeu3&|T~&z>
z*rNh?$=YK{Q^#ETFj2NQ+iOPj`&YoKngoeJO3px_Zhg(&#%$I%Vy%tWabAilBN*^Y
z8*HRRpPsW6X?uN1_AS!^0QIcSSYd@w+?KGb#g=JAE9DSsY`_;>COOboDd@MbSU9e?
zgNI;JoME_2q94BX*-Hamvl1EuL2z4djPtmu-*7sH2vjCmq6dD%9_FEMhBuFe;n9Gv
zjNbINfmXh4_KQF$_|u-q{U^{h`v86!o|7m5#sr3@F$(%E7Ng|VaGrFTT7TPw-g0ld
z3d-XO7u!vzmS@oC6(<e&ekunq%qAKtUmBZGB;?E^8seL`1Z`-%W7?{k_i!5vDGWg7
zr<^=GFtEyBpx*&=ahA1lTHn)LEAgH(7NSOGAi8F3LSNl*gFK2{W6wT|GlGI=@EnG>
zs~UAJEy6O&#os_xHG{hJoFVNI6~^3WNFmcl3tEYHU6?ns6!h@(^j^VfMY0-!j~gGG
zRrIQ*Cm&rc%{xlU!y?g9jYGyu*oviP8ihCY00m^a<kKFFQXj&uAx9~M2@hF*LA0#N
zWP)^xrdyHeJ9golnr|z#0gV|?`P`A5Wg}&J1_bFI{O)o}IBmpA?u4BMT;m&H=v5QN
z@Bi@ADv}aIwuvlc4`S|Cog>77enmky4@VBv%n31q&VBtA9h}zkmLG!uV)}eXhIm8<
za*o%&E{d4MoDyi?{)E)AUg9VF&=ap|yuvZM?n$Sx_X+G|QDi4R3VPBU;7^e%(=`SC
z0bu94-Nm^(dZ=n~EHOnA(*-ULQSbZ`{dN@U5cJlAsSb5LO2pQ?h9I!(Q+(H)4|15M
zmD~z!lA4YyB?YCHBsx@GD3bQ3S}51?yARiyO*3VB)Y(ei?D(-zCA$4R0Nt{tJ+9OY
zWLL0EzJTm!cOXpyJad>;mX0OtyrtzG1^o~;y;nPlzN7sh@u;lCuSlOm_w>2yAju1a
zZIH!^9?4}OLWd#{Udmmjo7b>;`aGEl<<jDabbE|49hVF%ykrEbKTEVjPq0N&k_<@*
zNBu(f#}s(K2>#+Haxmb*s6DgN&}RkI)|+LqPHvF9twYcky7;+Jd$=B@CrWCtX~vq|
z#LhjMNMj8c;x0J4Z+<t!2lfGnEzHLmah47rK$5=i9Lya-w|x5b%~~%6*5aB_KS=7n
zJ4e_2w1KrY%r}SQ8PgjIdKxg1J<oSO%j%m3hm^k(zv*0hsfH8jpmX-F5pL-1KEI@?
zWKsWGXD9KKVM!AoP{U6ILNeI&6!K%~dAas|Miw4PkK!NfU3*MZSsFjIU~>vo>Ht&0
z6nT_~3DgJLL9$a3akd({Ja!z3t7zCoV_^a#j1w{rV|PtaXNejjn@qZ)yBUKqwx}tY
zX0r>Cn8=$TEYS!e5n_C7#@S@E``?~(`=GZEUa~6pejnuY-g{p6p5Ohx^E=-;_g-{0
zr}aWsYgF_adC&>gykDr-u<SkZv*_ZgPl!3bC1QyL3OX*56h-et)#Wk&`Sa~Cbf_*W
za<^)OtT`*bg*ER)73=DMICq#$eNZI19DR_G%;;-JGSSwPx|Zmp=m@cHvNMg*h36eG
zeXpr0E<@XEf*r8M{;J`tA8M4cs*OZZZ#6|Wk$d&`7mL3sJ%-N9OOw_e*?`W9c4_{U
zfOgb|dXc$hpIXhOqhOR-eUz4cBP(B;%Z^25ndI)w4JBqX5mSS{Hkb8B{WdGrkuCEE
zxd#%6MM|wMpgGq&-3R$uH-fXtjUE;ul@VhsjtIl?q+W4y^=f+mCq_u=K%RO7%ak}b
zSeiiEL`KTYuiET%S;(q$r3q+LOm=?RdSYD8h$E7T+00~z{~OAbR4-9BJFE?@ju0c9
z%93{F*9qiMf^)E*x_P^jO`p60WoBjLT=m)nwyTRzUQa7Ykj9s>kNF=z=kgzhg^1~y
ztqv(bv;|_za!D$3dh8j-rlRmHGRRKa%idH-Sr$war+yj68jfmmhBz~p#wC88?ecs@
zgge`fb$5JFupU*n9!2@ot%35ZvsnU@B@0SGdw(OP*N9R4m&vs1__s5)iaB1!fG&0H
z{}6+{U5yy|`NiBd9h_1=iTbOU6LElyo9O7`a2ob17W+9H26;OU*--7z@8&UdN%-9R
zBg8o1RKiZt{yj$;3w*8td!C2?O?GQX`!D}cS1R@P!cp1hyha>o5@XqkoNJ=Z{o~;U
z#<NG%uEU-VZOqN-Q37>^W6xX3oeXgkI*T}eID6J#Nh5OigtA*9Td{|)8gqQq&KR}F
zw)>)_c-9w+XB!yL&c%?;#Lu^SWWgS(J#x8fKT&k-cVX^g+=<<DdfYSgIwfM3K0bH(
z<5175ch?efg42i?|KEw+dp0%pwuO01C#epcA1|O*Uapbzng0$j8NbYkFQ#;i-{@qB
z?Flr=KX0+HMh=!s!5TRsf)1bP5(Ma1;b8}%YdU<{0n9smjE}eG9f%xgIy~$k1kjg4
z<lq5DAaWo;<UrnU(7Eg0fyjZT!|O+Y$boqWA_vU}L=I$yf(}FuG##c^`3d?}AaX+2
z^hz-A0@3uP5V=YKU3lyrG+ls14*GNf5;@RxAaWqkr-K0KAS-yt21JfOnhrz`h#Z)A
z=+nXX4xodk^BwebAaa5ua`e;6py|9HvT=x<qPR9k0iX-Qyt_0#U3cYTj1C@a62y=#
zQbFyyLMPE(Ybw`)rVBvROG`A@R4MhRPis{2x=UQpVT~Mr`gG3)G2+sbRgF1St*5Fk
zHK!5Kp-<<(reksG&2=#<O|7o>W}}XPu7c%Kyl3xZ$R?^NmM7JpZmeQK2Td13pI#)o
zqN{DFx>D!RbUA=70MK`cqT=eC>e9;FPZIVXl>$VLhoFaLauhgdhe#!_ZD=oC*K|sL
zMHG_`nl1!QuSk<9YOmGTlxP%D%}L;#5dwQ(QywRg=va~H<O+D$K?s_@Mw3Qo*V2jj
z%(8)b=jD(M*2oD((_xLAu+2NHkrQU04xmGy4xkHM(}Bndo5;a99f%wV5IK;Q26_PV
zUI?HIhrO#DlGc6*UI@%vB3GhQd5S0Kpy_-ia^9f(H}AmSfyjaIlgI(+!qjwFBgY^1
z4le{2JduMw9n3p`&QJ3WL{9LUULL1l1&AE4LHF{=DN<Nbfu;+F$Q9M)B(YMH1fUDg
zycZ|ISCxeVy2ef9YE%l)bb$@o6iF$HIli?TmWnVDgc%wjXHZFYX)F!MA%+IdT}L+3
zg<uAG>^cL6Mj&S}dyEuNiCm?TNE*1av0Lmh8hWI2RYX&`6Ep5DOiHd~)Xp<idz}Vy
z)a0rSJ1>Dv!Z4h~400CA;MoZ5sMCFwY!Z5iL2N2+YamW*(AHyI*|7T<<1EvC35>H8
z#+?p(l)^Bc#bZak^cds3l#tb&o4{kp<_kJU(^pr6s;^98l!=H-<mS?J4(KR;V{%wB
z`S%IJ0t8{p5+rlC=B{WN>*Y(392Szu1rjX+bR>?I$z-wQ&nt)x5X3_8J_NG0-m1R{
z&>1k4JP}{e)9C}t5=oq|raSn9i^EmA0~8=Y5WF9OH;BGOPOgxXAH}Z15B%l;S@GhB
z$hDkm$x$eBN<;?$bitVSijwvQmFi{%fG!}=qaqcx3eBa+3NY`&0sZ2-<`j8L>uI9t
zQfMDux@CQd-0ixCCRJTSlIRd<x?qT0`mQ8Vag<00=3PMMz5R64DV3z+CJ;FRfv%~G
zQ7I(pH2}JRK$pwqbdNe`fXE4j$g!`Elt|*LpidW$rn@Ix4k57=V=4K=7y|wTQXCNU
zxW==}jUgaBl#LN*q5`a(Dcp?K27~ZX))oa^F0~0dKc0%TbYTl4LHNbq7ra~wg#YXv
zG#xY@gh!gLnI&>6&~$-ldU>SdSvEyZ(wq-4g78Hu#YN4kVpfuBQ~<hA%)1NpoOxbK
zAb6v=46BgU_}z(r^FGf@2|$+NzIi_?_k2_tG<_~fO^#Ta6iD68{`4Q)-jPfX&!WDF
zPjm@fl;N=(mL|$@2kL4h-geje(K`|A-Dml3I2Z9AIbn+|{0;7xqsZ|z`N-X&Jgqj5
z$lDG&hPt;^Vm}@^Fz<8phssp?HiM;bIE>bZJ9qx}QJ#6#yAi$R?>CSd%==<NU$O*;
zxIn+IeMgwDG8q5s1|0$D3)l3O4LVoT{eR9Q?k0fF1)bpw=yb>?=YHA2@hZU-c>_G*
z!c)*IXWtm<6d-a7Fz*Y{1`ik5yrAn1PGs~;1JpO0!Qc;c9MHT&pB?~owR?{!gA~81
zrt9x%om5_LH0m9{mZhNXFPqOHFY_J)9=XM7I{g*TtL?F|bAzt8n5-RU$JVoF6eIFG
zx&+kyWqaXs$XnBay)UXy$0+u@%U>O&HvwHn&c43Tq4$nm`a|N5f9q~Of1v9vLnG4^
zb$#BDedKv(n?ZZe*fU_F3G`ZRo}NVLJG5<NuY>GwF`Kt^Y|$FbZCY)cSx+`-yt#wK
z=xvV%Xu0}4gSO3(NAhb8FS`0nT9U0TP@fLYnMG+jM)BXT`}N+a+qsVB!Q77CITt5I
zyT6zd^gQbz8a9yLTyM8`-|y+v8ttZx{yV07tIP(o-DEcyELMxvl+mU)c9MNthdv`C
z!(`LiuA4Hn7CY$=NTBUBT{m_ZNj5FHi>yXdhRsUQ@3iTA2fBwWBx#4)kEVl1Zt<Y+
zZ!I9!yZH-*lsoq%AQWDZ_~`}ORArwYSWntaxpQkMLZAI&PSCaXm&3i|)_X?%c;D2W
zN1e9Ond#9Uf}Xj}W*+Ywe_<OP92$K5Aj3E{mNzr~I>Y$z!IQoxritmt53Qr)Q%3X9
z;FNu=Z+a@jLbK^Dqk~h^V-tgBy=CmRv3I~^9G!Xmu(J)!`*IMuAk}wBEJewO&{@%s
zaV_C!cg{D*MEelhFFJPV!%VbObgU#g744oAbc1npa{T#EcI~Q1sK2Z0xqV`IvcIdB
z*lE3SwEyQG^po}BQxbvty2pD-#N^oB5p{3x*n@u!cd2J=uSV?F88k71`d{_F?xdRD
zmhtdu?_}RV@ICVjf;iFiiQ!lM=&@Z3MDC3>9i!a3?WAF7U%vN`2z_`9?XJy7e<=*w
zB-)A+%XhAB*n@(8{B|DDwWi1aw9QOTbq}C1(;#}@{c>``)Q9@)6up;E{ym5$o-sW`
z*84x_jiLLUFM7JV@1Sv;Ww^&ej{UE_vkz^fjN|yTwrhx+L-A$7L9N=&bt6|?#k%Qs
zR&eYE=U7Ccf4J_2wQzRRc0$=dlMD?`{l|$Y^qjZ<G?+WVW1RooamPV&c_o)7q~x`<
zrKCwnTUHQ3d@fC!wQJh6&1}~`-@^6oxqF_LeDeD}zxzGUJ;#dvF>5NqrlYb@6Lb`y
z19glH-h<F#hwk*qsnhgSFw<`_qg%Gs26B3Ey64c0HGF#Piz_$4*&6_S-Lvnb4p{PP
z&4KT4e);xABe=5|bb_H3g$QTka!PU79k~c61ssgUueo=gZXOP*6Uou8D9OeW-f$v@
zk<qMAbko?l-b=EBS#NA2jAw@(v^N;c&O+CRISsmP%&$Qw{Yo$x0MWvqoEONoG#c~L
z8IYxyW9jv#o0@yy@_Y5=s*5*T&x7AS2jG>ST_3b-#o)vrN4r0~d~0#&%~*0W;dFwC
zBNgHLIW@vc9@=Nq=<z}*;moC)lB0SrX7A68gflTS8_EodiiJ%MX=Tp1>=wOQpIw=V
zsMWL3heDVJ9k*$g?qZ$pbS|w9V9Wx6+?gL*ujbXzilCPj$aP-Y2Y<I8-V6OXXzv8?
z--eccZP&4ncL4C_!R=Lb0KBmsba$49PT9%e{%|<y>FQUVn8V^vIh2UQ5o_{rxZR=N
z<EFx0$x#rL<!Dzj45G3uW(84UEu)hjS@uqZWsj6f%b~9D6q%WYo`BFj8H+raa9N>y
zm((el9`F_J*XOzSf~D(rH<*xnUpkP}gHzXxKOSnYI=H3b?xD+7o#4+-0G_JayY0Cv
zCk|H~0C!tX9D#A&nWLql6I5*`En8^&q!<Ira0FWX2uR1>K(yL%(gQ@7A0$VICIhZ&
zh4eOU^N1iI2i&Zk3&3-U2x}S4!dM_V6d6%K&><E2^bn1OL2g(9E;136<3JtuOLO}4
zrU!1>495H%Xk_V2WaRYVTz8}CtqZVAzx(XFCvSmoz6IckJ1>B`?!Uf+w!iE4mENDK
z!I7J#p*OSRN=UHdf|w?~ZolXXU~F8HTmcwt6U11+?~dn^ef!0TKRrlBC70VD7~|q9
z%h+t9B&j}&oet#83^pQ3qWUkX4%0XTn;gJ!%mtfKN9f!Lt+kj+V*KK_Z0ND3@<!R<
zr&13cy!JYgx!2^4L_afMX0hBmVdE@XQcVzWffKBPK$tn2whEY5XyXKq6NGVnNM=bJ
z?REMbnAOH$0zna!l@>@?l@U0q)=a|#nl;mfY8IlF-~^h}ideIm<5-eqsKqmK=mEwu
zN7=Lim+Aa#{tYsPT`;rzSf2h8qik9t6>b>{#~GaGDFSY^3~N3M%kb~m+3~CwIs-fH
zm0}hgCn$!`pW~T)RUU_ZwRXTW6kn*O_1^H9hZp2?wY(W`rfQdK=?MCQ(B}|c@hIC8
zqWG8{24RHFH)y7a6;6y>dcXy__p&l_%h!sa6BL^dya^jiRet6Sa_`Hx^#1{RZ7o9-
z5;+x{IfE>H-9vwv)1{E5Zw}~xFF5ZVL4PRF^`L%h@nMIxf}Vfa0lD|(Y44tu*F9BN
zpzo1=&1)mGj}A}H{zJ&Um#6pk)YY$WslFF4)D)m^8<1ISO~k%#i4-UKAxkgUOP_mu
zg{yMDR5R=7?~U}ewYBwWKiZ~k`e?dfdbhBd-7TDLyZ`cHNwJlg!x_zKuCK4}HKj-s
z1#-*bzUn0)w0zy#sOkR6d?=7BS4|c9+N@dkG<W$C<lZ-(kbB>R-4wEPWa-G#H;JW}
zew_z`zF{pLx%W+H>1SI?So$aEU8@^4-B8_rsf4Bfavps?8&q3cX4VIt2VG~leq=}W
z7NiZQnuA{zR|%aD-PrT=&pRK!Iy!oLdpkOIB9*J&RaU>=(r7FJU1xaSbm<wS^`~D~
zSN$_Xk@*AAb-LqEBCSK2jyJBVzOKl80q98UQ3jLAP%-VkYSba<kARE~4KG(nt^a86
z?Lp8V1+_L*NTxh<1pSfl@D<bCl_-!lkq~qQ9SK24LeP;AbR+~F2|-6%xB3sWh=dw&
SZ<6W&0000<MNUMnLSTaFRYL{<

diff --git a/doc/user/application_security/img/vulnerability-check_v14_2.png b/doc/user/application_security/img/vulnerability-check_v14_2.png
new file mode 100644
index 0000000000000000000000000000000000000000..655e43221c77383255cb9f89acd0e0d5e1c322fd
GIT binary patch
literal 23147
zcmb5V1yoyI*Di{sP=dCQ0L9%B+$m0h;uM!+#oZ~iMT5J$YYP;24esvl?i8mS-tYVW
z@BHW7JH{P1V~>%Ym9<vpT<dw}eCFOe!Ac5JnCL|42nYz6GSU(%2na|(1O(&;G~}0-
ztg8fW1O&tdB{@~e=jZ49`+Gh<K0!gj_wV16xeT_owJk0#va+%U1O)K%@^W)?o0^(F
zJv~`iScr;>+S}W^ySsOFb;ZWU9vvMeCMI%na!yT6t*orT;czD>r`_FM9P>687nlD2
z{>;qGii!$rYwPddznhtvt*@_dZEelX&5e$ZMny&W`ue7&rFnXK4h|0b`}?!AvyYFD
zr=+CV*w~z&o*o<=Y;SKD7Z*!QOAikZ|M~N$v9YnPuCAx2=i=fbH#avcD=Q=<WM*b2
zG&FR7e?L4t{MWBvrKP2pmzTeP|JK*nzq`9LGBQ$ES65L{Nls1<3JR*JsVOWhl$V#+
z($ezs^2*Q8|M>A^b93|U?QK<6m87JkqN1XopWpTM^~uSJj*iaF&5gLYI2#+==H}-4
z`T5n=74V<eTXI%`t<$^e>S~eTNqQ~;0e&bk7V!4r?}zXyH#fJ6(PIJvB0LNnGE&l?
zgGWDpuk&-#vQiVNCd~2&j5`;vvhfSxQ?e2g(->zivXH$!`SXZDz`zS7zr1}KTDxkS
zI}dNze&^6lP5{p8-k;q1Q#)}Q-?|%6y}{-^%EiymK!~|=c&nQ_PsqSa?=j5B$GNa~
zW0Sv(`G)l1;-PcloDRb3S+@4nltPYxpeZLKA*$-WaI~!V>5VdR@A-43z%|vvj6}k8
zPbIY<J2OXI*whp|_3PLnQn|sD{jy?cqeVe6&zS59bJIKNH}lB(4-fpEerA!MZ_m^8
z>_1efz5;$tNS&hAd_=noRIXA=Z2v>y&t-t)hat8UAusxfI)$?%h&<6uyT?q;Wz5>;
z>Fl_O2O1bUjuk>Jh5!ME6lH7altJs)nwmkL#3evmxLEr72cUH!Ku@!1(!%GvnP?#_
zs_?KCkPd=pP>KM<KyziFsqYe+MWOU4)$Qg!$F>w=Knj*O#ad$)J`EseZG(SW$B`bq
zASE@V1~w0gpjY6)E-PCGXxnPTAEQIWne_t@Ws?psHt(A&G^UL|I8GN2=^rYl5g^V&
zl50{R4;%82K-8adrYfqj$#P7<iaA>ll+w448$z7NE~SeRdr$_0MY0GT8FiExO}G0N
zd8i-h)|h51)yOv5t$!UKAX;XK-YWh{vPd5)?a|$5Yib)L7-46<Fr9Zr%3;(^$c8ER
zYtuW}K;=nFXj-4IBr~D2o=MSL$jiXdV-kvq{!k^~NMOn1S!s_{kqR!Spybdh(gpsq
zzl4}`tI8H&<fw~Lqt*=%vSZb4wt!TxgNVgtwumt}l2q&LiGF&@gQ_L#^>D9u+1&B8
zwcO8*>S{bhMvx+;c}f@xi<r$ppg<|es;^ww4HTiX3}EJr?E1UXzM~<vyV}aIV?Ww+
z>{Kx>&hHm`0G>muP;m!5Ce}HH8AFV0|GR%$xo~7h{@4P1ux?^W8%6I#2p6m+wIHA`
zjrbmO7ubJQfibqLjl+ks6%X^57XDZU!^LG|Wh(PCi)9-U9?khB#8AE_Y+gBreK=Jt
zX&|SG%3M89b#eAH=yiz)NCBbK1&FQmYp^N{Q9}^upqT;i+M#D<M6Op2$eyO-(g`xC
z>3~x<+oBzAk)E4q0GH2XLwtZ4FvB&=WibHq>`bK(Y*QrBY@IaW;1FIdP3TUmR~~p)
zWH@2Ld{SN>Az>hj>1-^Mq!BnmqN6hxvA$JfHJd@)lZHXgokXMr8j@EnRGGE|u@~He
z3esl#BA9?r3K}TM?eO<|cfo;0K}m<uUjZ_MV^YJffRd^)xdXmD<>+5xIIv^jsw6E1
zk5`f@jK~p13KVn^q`FdZ?|xH35nNF+0CjTqB!-1Zz!jG+^~4}*@Aw{>ujDfZ6t@%K
zSK23O>h<t;W*TNwgiakv#*Z^Qe<R7rU~1~z5Afk8Gk&O4uaI5J7}>G*{9fcrQemi5
zWmN_XF|m`AHV{>L@~}Sle`ehI)gxm{Sx1Qp%2TTNGeFZzR?nwVL&c;4b17)|{rmSA
zco!ZAI3J*(uoj-V{ec4U7tl6X)mdBRg1!H5%H#q*yzq+v!us!qyC(?nbjcsq=vGq?
zWj(?D&sRT&#lS!pT`<87+W#?N9O<7Kh9W_lIFNF3Z3EHjc3*QJz&H}{z892s_|*`#
zrbR2rSbI+NI1tnbSuD#?7#HKc&xR4#)*@`OL;Q2NLH9$1$d?y5RP5pPX6qLsU*0>(
zFI_Mtv?Oy&>Tp(0e~o^4_o24ZgVP9KV(ZAL#Bl<zR^QT0G(+<R^)#BVpm&G<Hi$sV
z!v+@vvG<W$2p9$*d$6g@a>=dRrh3H6j5-gN4GnR`cQzR#P(42&iBm3Y-2$jBM->ef
z?%9|Mr!U2e&=*;1DzXN`2eE+4Q~bD^Nn$c(>As8yi+$3Fy?H2gCA8L=Q?`+N$ORG~
z_wGy$K}-&6jODDpffs1q7hhN5d`q!S1W`0sy=sDnb38Rw<jeHQj(F!OFqFn^(9EZt
z^ym*j@p>A!ROYnaG5LmhrWey@e5+uhS_s_617f5>miX<JEXU<Iz3WE#{l3OjRyKOz
z7cZ?uBeK7w1j{cj^o1tZzPZ?Hj$TfC@#Z)>K0FTOsu{JuVb}!sl4|kV@ci_j&H5)6
z{%2#`MzrS?_yXsAhGc9``{A`5wFMQ(^9xB;Enr|VTR6#FkBVo-+S1INkInFWC`_D4
zpq(V=zfe&=qSc3OC2Z}UcU<wO!1d`fT_fjp>GPbJhs1-S-{s1a#742_(Xjy4LTm!{
z2A%e|*XpNU753X{JL(aq^YF7~x1-0fnZ&Ua?ZbvD!Mc<jSms_^1uIcYwyj;^>FK=K
z)7&X!srB9PDD`0VSn-06`{WAz+Bvh)C1<mEFR5Vp;>T<zcw^Aw=F<4m>6}zv7Jp*U
zq?E4Zo3cEKT$)bnX3=}fV=X1&lU8$1?N&9Vx9A!zPgDn|MCZ3hM{s$0PmgCN0k_Eo
zdYoPd!M4zgwwaK|N?KGa8fJnwgWU4gY4X-*Yt(@gCln^x!%XzwpGzXGm)j@A$(Amj
ziNpI%T8HGKlrK>|4O&4PX5;X?D9@r6Szsi~JPS1yLMm=X9V>-YO`iz=($CdApHoV8
zz50xX&nIkW>Acag>OgIR6+*|rMVOD6b8tvPQQ_ZL^<&|hO$hf|Yu%E-U+Y*USELZZ
z9jmTS>zR<EFI0cbylQZeX05tHzdMu?To2$kOr!i()Pd}En@x1SA0FMkeE%3~<|!rH
ziCj$Ix)!Zhiu)-%GqR@H1gMw~9s(8@wCA210#mK%sq^!GEc=e@Tjr@lO6pJ{<O}VD
zM)GkrI;?24{lv!+oOrK%<;oMVjz|zCWn=N}6=Pk2lV}NcyR>RR3Wn_Y>L`go2=9-^
z79X1wy85t;8l1Pf7e~65(-7T=4;ltFC)M_HK3CoXD%jerKN(sqDWVV#K(5+W;r8FQ
zuHl+V^uvADHD@AN=xk3#GeH%tfL|_!fD-=<q&>3$qEheidA&)ol>Ne=PD?|;ghLSI
zN{vc8;xcr*rQ5#Ad5f_9!{w*AAAj;U2ze|gk+=twiISwNn3en}3+>mv)%d4;WjMBI
zqw(f(ajXjEfdq77Vep>-UZUV56b0HZU#QwNS9GxIHds)-<v&eb^Y91nDFW+4SpH-^
ziW1^O+TZjV<YU#GS(ZtlU9a<xiMhAQw+nqn)$WskKVvp#Aw$X|)<6Vx?e&0bMo7{(
z-;=jZTz42Gzryr{bOuwZYQF7cOq-qD=@Eym4#MjJJrGt~9|vHVj=>VrCP*{43X%qR
zf1T-B3ToAC;lcUg;z?&3`DA)};t?Bw#2Y5O6voWAn^zu_5aSz<g`S&DLWFXyay{ej
zlT=<#V<|WFuI(8d<=Y(OWXeWidEexdD$KL{y1HfEu*tdu{Q7BByC_p&-9!S8Z#=`U
z!RIm+Cn$E~+<bL9PFB$bLa#|4BCBBq4SNi}{p#IbNyAhz$q_R9_+bG~<vI`7c>__~
zkYM^WSgea(*_!|8v#a^3zM(pPIWZI@6j`mSnB$r4DvQ^MkZ+06*WTb`96zmHl7@=#
zi|}`fp*y$mJ<y@AeHQK`<hl8pVxYmZuLxQU5wI2=Y44zs$G-BYrK{W$?<5E@>xp;w
zffn@41@A(nSAXHFCBjpSOmX;V+gmP)vZyXtNiVKr;yE6WG>7w^o2{!gAgYgjdqX+|
zB&4lvB)$x`(l(3xf5ZUJyHoqDH)V>S{Yu87XX3WXlYVN*09|&mQm96lN&u%xlV#CT
zCRmce`LWqVCR)Q74u~Z>^az(A1)th`>EEK3gIGFfy0g<htwBDD878pvW|;B1@3Zwd
z9M(q*Spw#(x@4B|pAM)2g`5`fYtFci^s7uWibHfqJh<CzDK@L=o2mcAlIXLv`^-d1
zHyJd>N&<P{{!i}XVp2&m!0*2}bN&9R;NL>AI1n1?Rd8SHRA$pQ4r&QYZDd_20a1J~
zFjaJ1SK;jkbNYNBS`0GtY+b#_4<&8SnB#`oc|8dD$J6OmyN$N;64p@)UVK&>yQz~r
zIuH~@k>TP%LKWe~{rCAl%rMRQ$nv-b8pDr4zOLi^u%3>JG(i?APqIF#9hX0YHxFn=
z4yM)EKamGQe@VBA$$UYyE&R}=#g$lfXGJL9rR-1zYn?erVXZ)x7UHZiNgPeNA0>Ko
z%{28b-?6(CB*@e}EF!?OMvIo-Lm^s3Tl%Ns`2BBm7Np-IM#Qb$lCQ}#itO7)9DDk$
z-Cw_#o$uUq0iFW0)%@R&E9kh->0e;*^OdZ!ONPpu=v;gWfXF=Uky-mx@P}wMHSPrG
z5t1B7-;WE=BhlTlzoS;n6PS5lY~!T?EPj?=fb+QSC%u%U2!=|}GeTv6F9=|J#Q$;l
zIQi6z=#oQOUn(+&VEVAlTRR8TjJX*#b*!9Nv6yBFt8-hF4*`@)we<W3j0HT)f1dSg
zfH7Z&wdG%Pj+&)uNu_g)oRJu4Wpv`ywFlG#xH)|w%`PNJgM{T4yK`b&vQpJdZ-^nv
z1lWDp+{bC!ytZ%kl)xjPIzirb&|hQ)$d-)6l%g_1Q^5o}lBNY(sXvsaLXuzIRDcpZ
zZULnG(!osQO$0M=;K4gaxV;tmq+LkyseXrDX?Fpd4?=j9*GhUo$l>bNRf|sM!M7m`
zPU|~=JgVodTca5GSZ*CNUJ#0~Bmvz%(*g1mzE>uwCU<M1A7{SC`-m(JJV?>c%E0Zf
zOo?Co?12_6eW{`&7H;~bF^GIKKP~G`h(yX8LCWzx2jJ$$64Hjmg)6%Gr#D*sBC$q4
zorNagpb<9n4s3F<0f!i(a_cB{Z-4m-p>_0_lxsBcn4r&k19+0*OP1+x+~t0_7ll)D
zk<0wL5(A8mMua;7=|^54FsG^Lw}?2S51IoBED$l#53aBhE{XdqH0BCW%fHR^#Z>Bu
zgmWK*vUJ)kV}_%SK;AB*rU|IqJ-rP8^4Q!iEM>{rKR;dMIwq)BOF<c!+M4<9p@QZ4
zip^7Tj8C8hOy!lE35zxuf6GzbTH#wxbD6p#KM)Su+w&Es7ms|2wA)Q$jryX?D67m!
zp4zcYW!k2F6=b8ltJiZt)}D#dp8Zv_=_b0{45)p=7V8Y9#|CDIejq3fip;Bb*t?({
ziC5#2q)if^lacz~G??xv(;P6Y)|87)T^9K8<zSbW5-ig){64Bu8Afw2ZZdt$gGq`8
zxGJ~WcAVPm>|t07rs-&Yo5FP*#x$s6h?}t@pTb}8Ec%-<Ho`5XEu!^yhq7FZ5};Gb
z&}=42{v@rQa@d_<bTxx6T<!g*Q6nk)5cH8xeCG-OZ&z3ItMB5H$vYhd)2r5o#p1p^
zb{U_&s$g7(7XgHy!hUOU{Erm!@6@BHquGbLYz!V^@#d>f1WmMVzYkkpsbs<2SrgLk
zYwM73@66=eS^J@lrqK6pB#%7F@4?*A2+AoxBz)nu`S1MI11a~K7OTNPU4nDoPl8B?
zHxrz3c<NycSA!6VLyilrv22(G_+JgbAbF;wjggOEZP$gbe?dx=P`>-5{91okP2SDF
z(1D*Nbjnb=iGrKn9%GFLL2*A2`;}9|5KeiP%@Ddk8D(t&cV1<FYuR5G<($I+iPyQ+
z+q9%G?o!oUaj(0?-<EHKK_*Ft-XqkSVTCqHSHI8TL{Jk5di7qqX=f=F(fT$<aT|#=
z6Mwms7RM3rT`~Ns&V;lsq*aluI(JVNLu~_)h4b4U=tigkENUFOpiwGDwuD;MMX{@U
z>tPDy@ZS?q5K?Fw*}O&;z-!;6A^(W$|HWWbjRZRR%y(7h|1Li8T#VvxlurF(y>`1o
zZLy>>k3SAxm5y{w`Iv(@WiEu=bO_b^?9*Jt$QCjFL){&N<O3w@?pys(7EHQVP_Q>@
zT6F22@x=ln9iVshOuM!Fc%?yIxv0>Cr;A@kd*woRO*jpsVeKkBXI+0(zfLJ@D+`w3
z^)eoy8}DIi$@z*2@T1kfj;+?)-}j?}?{Vl8K{V`mVh%?0vdArdA9Vm{DhRg~uyuAn
z5Ho`YJ{4OR@Nwy!XUPe8cWZiX!x9$u#uZgor2A@ZUaq)4)89o<cOHUb&gG6G0+GsH
z5BL+vvedD`{~jCVhqd89zndvg&a(84^t`EOT8z9Tc&Q4n{PU-+#t>;HESb~bYoU@{
z(<H*Zg&{=m$pri9S)W-hwp^-3Zr$P8IvoNihk5o(;7%W9=#BU-&-Q<!^KXC2kiYfR
za20#RiCKWH*bc$hfRXX<!!ru)?~zAmR(#A(=5bEDJ6;4-e9NWR$HkYhojT%|C6hvq
z6O?FxhQmsU^2J*{RMPM|)Yfvk)U~#3F}-ea*>(~8;WBY+y~8_IUtKTx`{%Z;lm1JY
zl}x(dG}*8SxUPXx5)cF3$wxF92b`g5MPT;zt($nRudKw(`T17FX-U;$;Y0a!r~l=t
zZqjDvy04AZI}tfw#UZTqT&2l+2~F{+6knb4R#x7iN9A<oGFd60RR5)eE>N#cjHGV+
zuU_AI)9i1}klz4xIT^H@6Zl6^ox#m*EfhtdsRdYlb`2f-^VVf4;lVBYrzQMY!y2xO
z@K+I9FP8`8Vxxq344=q;aKj3cP;+S8_^p}Ff&ggU<r%ru>XOi@X8N)XuQcCXpBNxI
zxX1O-lb=#YF&O5~`}5YIhMDh|xf-U+XYX%v7}C-T6++I2laTaFmPQcmuTr!06OIjE
z&mJ!A6Jrxe0UlzlL`>s#|D8T+Z+GQ5w=d+?`NfBY<}_a%GIeuF#%+;WFy&Q8VN3$z
zw!I7tXF*_+eT3Wfc<MTs2!Dz{-bBTiPcG>0c3X^D7=OCjYkzVg%f#+UqON%dA}ei;
zgfpX>%PhjH(d`(-%y1lS+sn@sC*ktPR&Q>(eO3=4xpHDDDuaASGoI`7xjM$Yu|XY*
zS2y~dSrB1k44YL3@atdJ{LFUAF{(!A2wtzEBcksjpEZmwBHY>|RKPj;rrHZ#qF~J(
zt0KHON4GuSGzQH@Q7|(V@qPlzDu6HZ_qbzZNJDX#M<?#r(zl<m&9P<y9Z;476T;ht
zTE+{XcSR)1YZrd8MOVWiiRD#R(9iQ)!*gMrT|~NX1k!zxvUQpBx_6}cWB&0pET#76
zw?{|A;p9?IrzyZh<*ArJCK!v`JMQ-vO`8H|gHQabM$R%8k<J1W$ysHEjCTSqqUA1I
zcYN-@f^BR<mmqJIy}G$`+pUeS6o?!rR%$sMg{|?Hy}zz0S&L#Jn>BBc;e>eNy<7|r
zarbv6Bux<2J1eBzgQtGY8e#Fnnsls}0OJsxTe)$?bSl~<J3JGfcN`(G#iLy84I)Ja
z$M|f(<I}k^kbKF2iX7C(xaDVzNfFc(Fy|7pgDXNd_4@5}5-`;NsVW*#wd+&$cbeTQ
z3IsYM{_?zPsYa50<}YO{e>ig1tdYkd8%UtWE?6~#I}?b_3y0e3sJOB1&_-M_f0#&6
z`!FT%B+7gA7HwZ$fDYB#%DagPpFL$RDX`p1fQaQW7U;{+c!s{m3JDC2{$SAcTaQx)
zOZX`SV-<#WN=D7;Z0On%YK!)_T@<Y0GQ-uf0IBEfE|f>?T^S!TXC;vlL*Lg7iF^z0
z0rt;7_rszpg8YAf(W}C)i{3c&p~-(gacpjux+8XCtJil%nj!+#E09*FF}-D?HD8Z&
zXRkHd{_4fVoRE&D`|}~a3g!d+(;?~G%x=Fv+mSEJd^JQo5s@KG?34}BuO}xRZ6L-4
z`)+$1bcsk60r4|lco0NmI3NCVr~%FE6u#3FpN?<VvOsqh#3M1wI{hvPbuyYdFDfGc
z)@%w^0XKR@s&I6wD^kPAi!P{u&DA8On<e|vGjFkCMCJA0GpHUfJG?=+tljNVmToTf
zi`vY<md%6vZoPo}O~yMXL>$*|+f_~NkL`eE>d~NjEea^TDM?T;L{q_&Op^%-#s+pi
zpK_xpMa*ZUH{{YhQ5hj;6`Kv*I#Vb(8*Bx>=fJ=|Kx&XR8_0s{PHTx{ts}vH>-@Dv
z`L~VfL52r#O~X#mnvq?2L)JY5FkpL(<2ucGFbt63yaXFew{Y9{wYA1>94uP@s8&K{
zI>OXj5CQUP4o@kHo(#+b(2zJALK9SuUg^G}p{YA*P%6!v<`RJ(4m+xoL(#Tl@MDR*
zvxscg#>SltKZ{t@ayzg4MHkVl5F}U_M%&RR2;KJ8=5Sgx^yV}ab0+Si>5;{Bdbx!y
zco^!vn#psOiqtL994>Ao(VBV*FrlGU2@?TQC9w<a!e|d#EpLCkla`8&663GkuLcJG
zL%gM=8b<WmJm+=tJ+brfN^Rt8F3MP=ZRc^gkMmqGNi+?Kn_)FaHc9YMYscO1>?X(T
zB=6p`s`LukjUOmMgp$4b1;z|m&2K!<EEYa|6<8DN;Lf)ktaF~ht>NM^P<Fu*^KPaJ
z?XDw-X59=ZJ^1dHyHT%;aOGEehcxp$Bc_+o$K(5(R(acoY9kAMSJN)s7HYJy1d(JP
ziaXxYS(VD>G`~XoE?@lz2#yL3xu7fpYPbe0MbO*a(v|RUwCYU%;{U)v_HU<XOU!d-
zj`bL+rH+g}m)W)~+hN;9hK1g&`aV)RTs5t0rW*1B3jb`=_=tze_&jgt`Er9ucH+n=
zVb(J`&zJhEi|0+IVOz6U@0{1S?kB4-y03cto>9=K5g|UYpT_!i+HW`DIp#X<QPA7;
z?;aZg9$~5Nt!?cFP*(aOz$;iodloC00B;A$@4ph^!1snIT}Q;ts(=;n(lG`>CKn>O
zpyRg05X$<JCSUqB{4+KQ7^b)nKUlym%P)^dGNx=m2Ja-Szul;(t55h{|J*UVB&1m8
zD7uAas4E#K%L*n%(P&tsjwP;(lM8Ubw@U(I`&(t;dM<&K+|TJ7W>JV%g%wUHt_~LS
zdq?rJo`;7%FF19WticDj4q3B8S83aZhP`6HQA5O|J`1PZeMHP^lNS2yr01UYZTXe)
zMSU=^cz^cOlImzn*koi|uMp3rQGkwUs*cBSi-s<^p!LCa4L*d|>%uw+X_2iZ`t-Yy
zZ{^*0!QmDxiXn$cQ>?Ri;oufw1#%t-Q5;J%&!rqMPhq{C74X@T%X*E##M-q~2CjqX
z=EpLiqC-fOQY3Yv*h=hXAj1e;wv66ip~Vkvv;n|M8<AQ+_O-vE`a3vk=QG@C9kP4*
z?dZE<H_5p!!U&lYl*?|a)VhxM1oB-!X*<V2j+n<`U7)PGQc4faiRByEgSd`OK%fbB
z5d^$ky6J*7<Zs=daNf+2(Og<h!BB2qg#~ZYLa7@BRS(2MJlk%!0Cm1B4O)nUi%Hw6
z{zbq-eFx<Y-|p|P<&?pXcdxU0b(3^$*L-gd?1T!S?dyW-W4rbH3<^FY4yOf&T`)I}
zrChTv7~SNO+m1>*>{ajkdofd}9Q4Jgp<5%11E!btSBA&6ZejUc4{i;8M%DC6d!z-3
z*tg0lgfifO%Nu#Bu12ge_1YiZ`g;Y2VEx<IUawl1vxK_w+uhBVR$wjrEU`<Z1lSRa
zO=pL7{j>RX27<hEH(-Jn<T?3t=o-90@8$Ht2IBX$lW~6byt)(iK)xKdIso&qwtW|d
z+JCKE^5Y#iWwhPBT+nKz2Ud;H<3|(M8V)=P#K2Br{oj-H6xvg?zz%Pf(vXcS>%rhk
z#xmpNP;WM^Z(%@m4HKv!xlj+_Zn=(P2j00(rCUT-%A$_&?a7hxP7VFq31QUj8@Tl=
z+hyfz`cX2vRfDJVq0s4dPVz^+i<-)z2I08kO5xr#Y9Tlbw(EXREOPxYeYPT7Z5Dx(
zB6Owa{^+7DyTc|-GQ(8V1v)MUr3YL+oLD{|v)_CiWv=k@-HcUctnpSacBX@(t)@}I
zxBK39Y&f=j!AQRmjxzJFYYM$%!0|{ED_r;VybZ&#VHLuqX`Ql+zio0bJRfH`dtz?5
zu;T-c=JL8D9w1p8uff-EKIuFD>a>{D5eMhc5@e!{B98_NICSg?w&FjAE^UCu-RTIr
zf#5G0^-<a%@luu;(`kpU0-?^Ce&?^V*m3ZMR$#IFAF`FkSfK1eg6N}~;^2r@$Q!VF
z3<A>Rwe=2MV(j8G;Yk;4dH+-Wkx3w!aNKV7b^Dr4%rm8eF1@{)<m>veAFJUtR4*I9
zso!KEeWvN|%<oJAcUiyu;}&Upix&hmZ~p9YRq2#HG{7T!3V-QH^{x9RYgM1)YuXCu
zL*m`vQGd1`PYvHM7y6IiC9;jp4IU#Kn%Yu5?xYWW&V>WMd;JF`J?V{6SU%?l4a;^W
zDK4y}%%drFk2a7d4nd{n)tSoGB@WxGRL>qW%>RLjr~0!z?M~jo)cSWs__~yp5njEH
zWV0&CUBU)W<<m_Te_eM!HL~^!cLEk?xV@85GLuN)QrQI#!Q}zuTmT-Qyv77MBr;?h
z?LDi<uL`N1_+#6RKbS{*?Naoyp6Q@lx66lm(&sfImNXPgO+cpk*G?T)jr)7W+AW%$
zYA<~SxzC}hYV!3Bz_`&-K;&<;^-B@GqF`JLToHGD_C_ZW>YpJG_^U8}eFXGxqjvtg
zRYAeE<{HxX<;)9T>#HjR8h`kI)_7ZkkEmINY4L=j36ULP)K(Ku2a}V%MSc_WsRUbZ
z&RKT%F|-U84D^`Ue}k&A#8LL5c72%#Y_jUIgAW>T`am2Z5jv6TVxXJ-YH6)Mxkh)z
zMFr8yY7S;tLh?FG{m8{-jAa0<Bg&HE4_a9y7?WtbKQ*zw%9|}IG5w{fuFOeC?pYi@
z4RVczf=lUQrFz9sBebcZVLNuejAR<(^b<&o*SA{#-=w^*$Th(n1h*J?XJ%`u*Pp~S
z3KR57ns~DJB^}Rq>bes*ncYLaXnYgv){N{L*N6k*nw+4;YHVlM7tha%YZ3=<$#pDX
zH5w4EOV?4~Li_H%g(rA+l}e{Zy6^5ErG)xevsL{bN^NW^BvIb0PWq$_S}Ni)tDP94
z_*BU_{@q=5=m*Vuy*z<B1wL=N>_6gsp+ho7eqSlL!!0{$^hOZOxKr@v5YhPf?;17Z
z_bRc3&>3vn$Ox0EYPIdn#LL1s=@0xwqbwTudhhGaz$iLW8JSdW<2E*fc7(x2r*Koe
zB%3fHDlvtHMb}3m`tY1Z8B$(6oxjINVH$llS`LxEN$x7Rkz>%#PWB?;UsV)6cMj~S
zJCiX(?Fd9W^}eqmK=8cuMh*MCc;R@FPNhgDE<-C;VmjdWp}Y!+w|wv$H;T8b$YffO
zg$Gd^-6(7i2`%^dx~0k_=Sze6`(#1>84ef6thPZfc%kpzzLt8mr)%~<!o5^96{r`(
zY=fQw#Jxlnt^A<Z{<o|S^L;$G)tPyzRZOEe|JNR=KETXKKjI?M+Q~;)7%le>#nD1U
z5Ab=**B}JijKnWDxbCQ~s#d5t;xv{&Z~ik$^m@#K^WX@n2>AYjtS$Cc6oU#l03Yfy
zEVT6M*t>uNE4<MlPn5tSF%4ph_SbRzzGEx80*|Z^8n$hhK$ComayePWoN{v{7H~6$
zG9g>QE4R}?{x7w@BldM=6+P6XSAX%~$F8;EnpnDGba%AIE9fJCeNr$iBUyZ5{4&rO
zTD=VfcWv?|Qf-Kp6Wb<8FxCm%8#+-%g)bbQW>1<=8JX_EarM1Jao@T4sJo|;TDnHQ
ztlwie(ANzI$>ydKSp9?b>lfy3VJc|Yu0D6<DCIZ0q|A(b`08(<)Cb<gLHyf@McK8P
z2K8&b_VW=3x3gj++aZ9++<E%&3DPAp*f~~^YQxmzER6L~M9#Xyap9p|8<#$;AuF`7
z6=;D;uO|BXSBGQP4q*kGvyW+R@f(xMK!sf8ceSiLVw`WyIqeO^Mr9_k%u^Bw-?<@f
zW1vwT#|U^7$h{yhwm;XH&M2voHANqcc$RMP_jv%YJV%;0{Qs2Yuyx!RP@MA^tU>c*
z#XEbMxVWXpU9p-N^;v|55}v{Nj_?oki6u!>2q@F$$bk_Vz)Pf$RW;c_vM>qBXn46C
zF!Y;v#Z`w?IetDL^9|M+V+<2OH*5ZJwgmYzh36h85tr?dHa^XsuL&uWTHyyh0`+=&
zbp<eFp@Vh!Um`oazTDiFaoEJ5WI5%N3wV@rQ1TG<B{XoSyRJt?>JNDJWbUebGh-HZ
z$<8NT$pm(z2)d>phv~h!p#o>x+cS6jXc$HQz~LBJL<FPPGN|d;2aodS)b6;dsHXej
zke~J$okO0aS3OONz9Y6L{D0|hQdlMZz<%}%nJ7*AAMoV<!6~DoK+Y6){aPlK$EyQ)
zIXu5KMO*)0(e3+m^`<DeS+Bqpar1a5C#P9D@!yLN523YOUfF&$oOiBlsCc|N5yM#k
z>QR1t#<xW|_SaqW3^Z+WvR(BN4ECCIxPc1xA5P5szid}{gZ(O$Iiwc$+QpFbos-Xh
zvX<K>JhScT?`EXIw;2rG+wESmWMHNM82WgP`l74F!9VVkTUZ{uTbKWEVg?uzw>3hK
zENhB+H9m*c_ou}sQX&?jy(7=zE#UpKCt?tkM8L(it{OJZ;vGy!`$Kav0;?l<a;?((
zM%c&ixFIq_|Na6+Td;yW7$CzeZ6x~h>HS7(vsAUaV=K8DpZ=WB)I|TKFExm|f;>G8
zK$Wu8ejeV+@9F-vv{bJR?MkBHtZ-xeT~vhXbDO?W-)mz1q*(hyR+hNL8`R$jyHbct
zubJ0x!ktKyjNkp8GQJjd{8<Py>=|fky2S=16eT92Cj0cDdE54Mi6OhC!2sHBh+D~b
zs6e+^o9%7Ae#pyHIsA0uM%g|BBXIe2MIRI%yHz95+q?~%lerv=_?TC$jucAG{D|U%
z#Xf-px?|8K2S}b=%TrlXO$NZuQ)7RN?L2TSu~KDry#U|F$zziam|db4LceE11Pr4b
z)-*ZLt+NGn`|3Y2XQg+FB(?B<p^zJ-Hp?EG#Bd})Csd84F9_Mf^zV-u=8%G*Xs8PU
z|BkVj-l@#Pn^Zb>{E&gU{4S38gtg+E<SP#SnPOoHG8JnYQozmX+9<QDBAATCTqwO~
zxEUbhM(7*T_RbzT6`B)Hu>6XU5e1UF-`_DwtanOl1@ybQL!_GZT^t`!c~}CIdIfi*
z%?gF_3#Wr!|25r*kScLio*y-=BgC8@f85E8C_m5*KY*Byifyym<I0oTY}@;j_$1lg
z3@Ca{c-wlSjJ|zZ4&%^Iw%lwMWFb~n1lIR7h+4L@&tmHktf3b)5V(dULQ2@1#!hwU
z%MYVqqN`#iXe4YGjA^!PT#Fjha7LE%luHi1WJ_ZOW@1$hAQi}k)|=v|P8pzcN3|RN
z9<-?h&9%->yg4&p6?=D#>t?mQy>cBekJ<e&K(?SV)=i#vKNpGPM3D8BOsjzD1}!b$
zW~JI1OSK>)_PtTZ?^e*5f+-?B!vSqExzzWmx~wgkNurfHoPvyDPmn@<pG7^WdAkfo
zTA3GF@Ap?pVl=-VtI%QL@NlT%#Bt1gHADx)eHMeJ&$Y{(D4yXemPVHOc6u6)!}qFi
zEG-{ALa?Vfi@%CAbMNPB;js#jRhz`xGG(hRS||=%*E&mR0!6Wvek&B%!_NQYYR`*R
zm+xz`&1H~nPh_=xk5I6~%u#|+KL8lIpkVx@L@BAGcjW8Lc}K?oLK1JysK+kfEjkc&
z+q1DKK5(KH#`8iP&D&cWMdoUc#YM6e0Z{AFfJ^rF=5Ae61guWKTWk=F_U&;?bM7ky
zq}`f+Y%>clY_SB1?GqlOq{;-6bJ?yQvy{Q~YC>QVj(Y%wa<F(mN?w4?GwFF_3Ty~Z
zp}rU+FW~s0z)4T3LSq;{^gYdf)RdgddU27(&CBgo>3Y}X%O@;EwSP$b1{k9m)%C*K
zyk{fPaa9gxP)b7zgnGKdbB3y7tZUj*RGFjwizqXvLyfjHE28sxnx^@R<qNoQv-~J3
z#+s)s*Gn|b@3%-Po}Q|ViINh`dQHo&-3Hb)RaY2N8{7D-&;u}ECh8}w{#RrO2JE8>
zxLG5KpdpBkL0kQL-wXkMl|S=iNQhGbI+BUFTPBgTMSyAM6tiRV1A>Ot2I9RxVZuKc
ztW~Y8esk-TH+W?zzTBw-js4Tj91$`$$C0>F?L&`F#{EG$BYHSDLT|n+iKo6tsVf&2
zg(ITpuS!WNEwA>cqQC6fOKowJiRX3r&jLxUD{I=?-3&gr9oaPhXXeLQ4ug)#bF%}_
zHoKC@v-+6eFONk7O>|$pEMxZ>{<ePDH)|KG@b2war_Ef;#(263t189gmoJZrC<_po
zr2SE>5F17opLf!)pqyFOn;It<by7#gFL(d<JHxzR`PvQv!r+}a=v8a{-wPB_HBxBA
zExfbdUnH@~3yviDo*Ia~fJ>sXIvNG|dX5KL*+mfa0q`493;a>k%qj{r^{FoGH0y)E
zzCi*0d2LUtK^~7MT*%|jgo&p^c1ug3{P_VB(|wci?>iKu-hgF7BuTA=UW61U1Q=~S
zVDDqK{NSh9cXb%I9@#}y0fwU6@4_%hiJ~3UaivN=5}>Nbo}m<z>)*sP`M;6uLV|o2
zL}YX%ojZ!sPU^XO>q}HtriO4+^=Znmmpg*c{&Qt`V)@6vj~Lkj9e=Kf1{?Z^*^p@=
zI>{?az42Ujm<TR(X!P_yTBMlKe(j~n%aoH_zm}HSE=5Ne&rTw}9)`-7fz0zN=OR^5
z1AZ(E;Q&LUFV3-m-EuAlj4=ru1R()iF7DWR4}#0PdU(spGokkySE5vJ<%%>IWf5!y
z0H&J4RZ)p`RkDScJ2Sud$xvo<s{^PYda7mpw^%^S{0U5+NObf=Ej4j^WeMi74Xsqs
z#Kn4tpYE$azaHRg4%+CH8LWSH#f>*1Le}F$oieJqE;E(g|LP}cuVW$GfGKX3c#W=9
zsI9Ii?)*5-;?C6DIZf;iaa&j8a#MKmDN~DFr$bC~g;a|NK_bw|W9|mNI&x3Usgj%|
zQoPFByD-3q2kaZ3Cjp_i=c6}Aw3(JVT`3|Id|Y?QQ`AKrA;xsx46vdX=xkzE_4eQ}
zKPNK(EHP_T_D!P4O_RPmRSG~SDUm~I<O3QFtc$xjJDTD#d-Vl#DowD3>e_5}i-Ua7
z4i50a?iEq|5w7{vh}N*(xpxQVv$fA>&r0&?{mtfx`_uF-5YA{wQGrik>L~P8YV4}y
zO*I9g4Hi+coLtsacz>I_RI~e^gX!Jx%*|YR56qg}XEJ3W>GU&fZoIn}NX}O#4X7d{
zezpdGNqY<3+u_s10(?a->})_}4drb@!c!9;^jD8x+P(9n%cGcAh&qY6#zrYf672c7
z)J2((MupfBQE(*RjieQQ6wg|pQVpv?`$}8b?UPiO!#Il)RiiaPx^_iyRJonX{(uks
z@-9$1oql)uJ#*Z4RS@F8ZFIf<U3tdmz1AJ7|E$~IP9`8yCe4f{_sRK7I^RJ<qR)zN
z#NRzc;NodX1>o^W4>Y34#tmO+uK#g-)SCBpvxQj+@#6bugrXo#Y0zn=`jFMivUCRo
zQesHOVQ6S~J${p^wbpbt&IJ!noli6!5>pf`eDxNjWDZSdcV7KzeOke)BFY>Eff?A$
zDhhweX1vJ>FNhxKLiuQOi2AtffS9!=(Eg<*6BhS1qBTXVXe&Mn;1Q8nUcS|MiEj=e
zEmw-wr;Mtv<@N5mH3LzLmyo0Tb2gwdQi5W-Cr9q^3YiK+^QpQo_1^*?s;m^S`+80h
zIQhxrp+1`~#1puqms4w$9#Zup!(=wzG9*PS#vL1(lpyC=>sZN-845Xvz%DV3+82|Q
z<Hk`wrZ@1i0+*uz@}GyV9+>N^7IeRc3XV=!E5niQKi1CJYdInV1W*mK_okTu=39+j
zNQ-eL$ydtOm*BhFZ*c@t%vU=2Me8@$n(zDrRHM>KAZd2eA-=)cY~~IH7euv>DD4u2
z!zG-W1tw~RzOa`0<i#SB_#e&dHVwb0nQ_~);|nQ(B#Jz=-Ur&qb$C2;e*_jriV=s(
zrP^oe24aSCn4Mi$k9-Rm-dHL?YH2{9O(Uz-$wZbYD!e1+XB^W$e0=+$Y^m5fAt)TW
zcv{?9?p;dt*O5c9$xSorqfllWiqdDNZB9Oq@_0ji=C{0Jah3=x^51oi5i;%rG}|jT
z7sEpg5MvH*^VtcdJRNrwa{g)ruw!BtXKh}}zx!`TN*?iq20R`WyAuEyh3Fb|Xf?tQ
z7jSNM<`sKQi0w5lW9DT8-)pfM%x6YGkyZSxu!`R{hDI(uuoY!4ew`i~TIpS4N>f%(
zq|%^bEz7K`6EQ)EghN8hyd;N7WjrZuVI=$!)9&qULB&JH{qy{kD2;bMvXFPJCHr5M
z(aox2vZG~rMIvQ_?sKQ;c3k2bLW0t8b8q#$SD(IGlxD?zz)RxJNhT;t&}_1PD=acO
z`Z-IGg3WLtPljV^x2_?Sujy{r_B8jBMMwI$tYBs^$_d?OJ#yF{SX0wYSNO_NAsbSJ
zYa{yl|IZPeY(Wt(*u(iN@Ik5L@&@wFVVUtB`}vWODye4&SM}_+Hmc>6|MPOYMx3rp
z)B=3y(rSHx%5J{XZVF3z>g6e;ACTsP*cu@_MBd{rmJB05Lh?};yjk((W5$xNZqTca
zsA)>nn7ehi)R({DxP}fP6DCx+fKIJ7+q8qKH)Ru*5I1JU;+WrI996BIyV49Ki3X$=
z4Ck}zcSNl>EY-t4pFRS_UqM>qL0{ZPFyzAWRl@KCYm|YKfh{BNRlRR(ylvPYZL!bl
z{n%O7&$CYPY`K#w%H9jTQ}_Pm07NK(x}}`MGpfm(-lQMm>E$I$#H|#;^q?(1KIk~B
zAp7#8^3?iuX&@h|WWD#-h`bLFg9)UFBv}W<3E!i$;AsBU&TXX*44pj<f)TZBq%YdQ
z996?s(HWaXp$@hdPDQ0%*!!sT>L_vu0@KlyRzNkmz*N$8l4PpYwKtbFVs|84qX!#G
ze?5$BRb0Pq9np%zM<9_;)m(?3%ZEE%6S?rn)G)(%!j~eK)q9Z73|kyBLoPr~9B9@q
zYf5BJ9ks=t;zr+7WQPUlSG*p1;)!Mq*<7`FO^nXbZ07w+8-4r9)@K5$`B65r)@XI%
z*wtnFrF<Kg@EYs7O%+Zdc>Aog+X0DFE75LLJ*7)cKiW<kY}ozbYU*m}>Iwb!*iTj;
zMLzJhrNl7Ryhj543~L;T+&P%o(V`u26n)GNNW%eS8|ObVh9dh)TzcylG;f-`b)mH4
zeO^JFzm+tKA=vg6c4kO*9YQ!jtvp_KF)&HlK*%tYyGxzP0+Jo|7l6i+vk{y#P|Yft
zv5KON!6M)6KAen*%kh7kNB+9wftmJtBLevR1{YmT(msP8dmrAPFSocRs75*gSPkn$
z9f{qJ0H!^2eFy(|BK+5T!4HI8uVHUsrr%}T&J5u1_ul9CO8_i4pH98CM=Ef0jrZMa
zoT9HCgr_&)gr%w`cci0{#>95QU%(nnL0oRjwXkVed+gniGMYDsI(W#PT`*gP4t#<X
z*wnrbwXX-JIW&|{clliiR{IEN<F7#<DPlLo`d}0ZNcAj>dWh@TtU;MZw{MAcmSD<)
zt-#<Gi%Ay)f8hR&z5bFY?ggWpA-w)KaNDBkZb;){7Rp)=jP3odhgQ|1;#zRM8~_x%
zm~ePR#|h=BbsL?OxDryWe5f?e0N5_N`nW-T6jxItdc3baIk29aUq=NOiD=pE>;?dt
zw~=k8#MlyY8qO5dglg=;AI^fH%)7Cas@$dvH3>H2ZtJCGd`dM)$NRB0HhGGW1R8{#
zO<vscauJqkZzc4d<c~A0EIEx)Ty0}|=Gx3~A8hH<s!OEQhc%n52@{4CAc$W%f`4!P
zV<`etG01IwxZb<8*!EI9s|Gb_I%G$TkL*<~$zGq1-z*x1F!mMl@Ao)zrbnLM*nN=)
z0tn7vbwujlJ}RLN?J6+>B6-~^oM3o$m=MI%(uBrj7b@5c%=CJif3GW2=(r|rz``=f
zPQwMRr2aM5AXXs?jv8vhTY7bW9bMCcbLmmy*#|q4{cX<90oMG;{rm`n482U}|NfIB
zGRCxD+`TcZ>1+-9?Q*(B7r}o|C@)CA`&WY!d7Zu_^BAS-P7;tFrMLsB2Kb!)HfOl-
z$ua-bSKdjqxrE*^@Wnid-kD?>gBOQ!4o?+mUYRJVt=$0a#sGOX=4t@*Z^e34jAOT~
zZJ6;P$aU^eJLHPfrjlR6fm!2j9ocjbuHTed!M2~YucK-*9jgHN4s?EqgepvrE4Z5u
z>rMNkUiap4z#7%>HkY)%COTcj<_M)_fQJ2^1!d5|IdyYO&Y12RhWDHtHRVH{4{tKt
z>vqPPrJY<vFy+I^9Sw7T;`{8rn+<N7zY_&lpRUto|9&+&uI_#&X8Zi(ud>_v!@gbX
z{SQ^Y_#pAJodJ<=y`~FqaXone9Zpo4q@wTnFP2T*i6?szGTN9FkGt)V&xZ=^HY_z-
zEimiX+G<_!$*B{wH#s1y1#2E&<lVaIqpp_)V;m<hx9wl96)p4Vf4`t5I(mIRT0jfS
z0FrrK)9RjSM-*%>!DO;`eQoaL>&qG4h95Z&gR^(x)jROFwr6h{T^#ot&IsLnE@3<H
zn_E~@``ztB@xGn#&Z@)aV|Nw1;!ft?_UJ&^B5Wb{>&Iwe@f)<!8KGbfWUtz5AHB8F
zrRUT2XJMNErXTSMl36oUkST#}=z^9s;3ML1LyL{ow@n0{11CDmze-2MYyEMH+AP4P
z$M5#4Qs)3`u429ExM#o7UY!x`;JjjBx_!qv*&?I+Y-tiUKK<wIX{Gti28-d7&Q+wX
zOs3KOxNgvV<ljc)AD&;cj6)QOn}EN7x9^Dc9zTKS22M`JgwHeU+wT*t<+6a?2GWlY
zB&n=m@4_wL0f|PX1m+QDgv$z!i3|YqOqR3mm_Y59NMr|3DgFB8R)o5^Xm&uZlWAg{
zmjA$j81<Z>R3S->*e}YlK8dtpCIiSWbE#oI!RwJwdp&}|KYX(N`HL{SpT$-81%X2!
z>N<h>*8%Ik_Ys&0WwDx3>=ldA1x#;b^egyxzIpR7G+^m@m*b;z>l<|M#zcg_=Z|CO
z%9=!%=}_#BW)eRtk5fS~pNvnVYY(&&&~tIf;#Uuj?(6Z7RbjQbX-%mAQfD4xUC!IW
zr2QOY>7i*AN<N(gbo-<U>E_hguGizWTu<lrZb(zH;>+yN`-n&6DtSl%f_mrTT}5<*
zdDbHQ;~UJioD9c*>|pDQN@D21M-<m<G8v?zZQ7?*m&(L#;4UUI)diM_yR-@m?UgNI
zV!Hh`c6#>1-EW)xpwyJ6vH~;*(0UMfkXbJmXIXVAeGyl~c$q}d(4`0(l&s60=7f0q
z<qcpqSX*g1M`XJ*=65*>#2mkjOtOkfLp{P;n^A?3v9<G0JrY}D7;4^vflJHBFbQsM
zFa~vq>*--IFcWD9Bb1{tr|Il^V`ExImMP1)o;3|_$xtxQ*n8xg^!nE+C$Kbi4%3Fv
zOg2;PbglsZO!Xu~2Bsn+P`1iPrXFKi2=?Ky06;m;eDucY{BuT->YUZ0MwCZIsc;RU
zd)Wle>rY<|`dcx$hbFR(<c$p^M&F|oy6jEU<$Qi3I%jOes`v8{<zIv<W0n&k_h0qJ
ztF0hOw7e8oW~!c8d8?!)3cvhmDk~H?hstopgHr<+1S)uQnHqtZ!*=_C0|o*pMq#;j
zh(+xHTN4h;G13f#K(b&l0O(Ux<TCW;Ny(Y^#1*4gYC+k3ut6)J=Of3~O97w0Qmzw*
ziS^x5P7@pPK=ucPintZ&hH?R3WvJJVFG0MjYUCWNY~V*~Zy((EJny&;#(wF$h`Mzc
z&C=o8>Ye4)Oi<+r*-!Ko#n<F&pMX>?Cv>=Q!3);PhXyX%G|bWAcgLT1;7U0(3-jS!
zT1!ztF>0VbtihfKHl5ShuFhu)-Z>(o7^ioHS~z!;j0?~P4E@-*EHZBR`b2N)L<3X}
z={+RN^Mo@0;eK5<odMLpt{q7{kuXM!gNK@lL#On<gY!bQ;+=NHgh_CyY|C+X#5zU}
zk}e4olJqQ#L%4%)d!g2~AIg~b#~m|8J9VN}JAD_t-OBk(-z4<)JYHk|V;lj-R2pUI
zJ4eLs98Hyf<N7DiI)2k-UC=0^+sNUe@pE3%JZIxX-#$ra_qt@0+v$6OEhKW%g6v9r
zl%X44G^ubae;(~UJ*pg8ZyjyX997|0L^9+;TVk3X*-bcTh{coyJ8K4wA8oOasfGZ#
zSjWS750xikbd~`<r9ho~E=trLcu~BXF48^yb-w>!_WNnV_;LwuSDNHxpm=ambtqk(
z!*_7Vy@+58{p%rEHlDgH+ps#{XD~c^dF5cocSlTF+gE`9x2{B|W`+Jy4l^vQ2Ysaa
z4S}=a%&`W0PgNBI&CHZ8JqW4e)!G2essXkV{9!2njjb8r=V3Izy*hgD&`%(P;@u2P
z16N<vAtgG9HmXJ=PJ*Dvu1PJwXM(G8Tt2^c=tC0l1Ic|$F4x-#9zBsxEq!dAduW`j
zq>JS19e7{-R~kjJV)4$Flhu&cH<4iY;m$7dbj3eJtJV71J9@M-`}SN^HN>a;kDjKB
zsnw4)-Y?QQHDBmq(<=SU*Xr}v;ghgDwg+VkH)w231jJh)hI!wn(cZ(SE+5O;GFjTz
ztsUl0d%#>K(tXGvlO3?I|E1iS5}`~yG49)n4i~?jl<y*?H^heaoSML8M*>gRst#)K
zUDR<04=n>go)#^Jzh{k_KKz5fdNwB;<((mvz-7;_cEb5%*(-9}z&yG7QzRqx{&;|s
z;no0-KwKIGm$5s>ISs(ytwLSHt3>jvOZtoPhNU!mjlgd@q?sGUghjXY0S)w52vscz
zn58u03?&KSx}BQaNqPq5r5p!GRZrX}Qf+_A3eRCCE+(<wZ{D0Ege}9&LJfCOpJl*d
z@huJ#&mKKt<8nbjEr!^3uL;0+6FX8nYImQuop3MH;X4+%-kLp__rEpj|9z@}{h~cP
z^wwU4BJryi6}twtCs6DJcvVGs1>=}|bEMF%`v$JSTjtaFI}V3pFh+9Wx>1*RkFw1Q
zK7E3wU|+m-s2mE5+UqZOilaaZ%7-Mqvo@1|+H!y6%HG)~K6>v7#urkuW&JIa5wZ!w
zDMg+96i9DYP{?5-9rr3n71venZgMySxc^hP6v3cEHoJImibLc~^)liRVI`M&g))+~
z`RHJQSW5b6uF;9oemow#9vC@d4i4G69H$`1;j`wfLBXCUmawsD=S;`DmPyzbaSzPF
zF*PSloR-Z=X>Bp1K3z43UKx|nG9vO(2FmRVKuatxQ4`FH7(XEcAihm!b78Kcg8!?I
z>i}x%YxcCzu5?HMLAn%4P&x_-h|-%Ngb+H?I|@>y8VFJqM35F~(n|=v2Q@Tl(gXwo
z(yJmxr9A$A-@NzcoA>6PIdgVrckelKcJAz+-?>`|kJnvgMCY_k@s+jvIKF(1Bh4Bz
zu0vLio=EnZ+1@01_G+2y*Uw@Fu~<e7-Y$P}T=WyHqd<nMV+F5FVXLZFH!O-wRgM2^
zj!$=&Y!c_{zN%<>+3DPvc8$Dxl+Rn!ROaJsUc+~BHL>U$J{iqyOk(1u!dw{glea)8
zsmnLiQ_1~5D1s9X;24c%pJ~#*6%Fhf!Fg2l{kpVGr7u8ayC=DaiIPeXj5_-MQwZW`
zrG}7W(bH}exi3RgwSg*BefHhW0OAP8Ha?DHqy5P0^$)9vo@>z}AckeeFs<5;XIM9i
zR&4q6ND+@EZY*9yKSYFArKla4dBhP_O%3#hI*8E4D&B!Ph)k;z%D4lXfTT~(5YzSh
z6o!Q?5f?ccj-FveFDI+*l#M<<Sc6wnn&FAFW0j8SSZsNFMwFN(xlN5Fe+-iBP_vy+
z+g>NT&z}J5&<!N?7x`!TctfsajKJjA8O5N@U^M+VW2uF=rS=~WN*g-%qKk^utVm>h
zx5!p^Z~ZW)vS3W1x6Xef_sZ@mWKYq)Zyp!^uy>`gKw5o1VXLu{p)ve;E`BzfDpe^H
zNf)t?j`xq~s!utEj*?@(N_bzT`&UXeZ~cEc|9&wH&grp9KI#eY%s}32Vl)6-5lI6d
zXnyR<fZuBxMiR(t=O~=)IF{9dAq)c#E@#C)Oa)98<xRb>g8wI1y9gF9;zo{qpbUGF
z6x<39n4FeokM=pyw%Di}OV?^4c#I-EzE`jpmOYSL1@P%^6^`&ncN@g=sDrj*(F?+i
z?}yy>@3V3FVAR|zd46Jq6oSr@V`KxQ`sruY9xfO`2XKujhFw3exvMbbFYgPwz7h4h
zDs(b3stA$pLFGy6YCBN^G6M3z>d>Api{szsP=}c$urJR6_oMpLG5qDaWRH1^VK3v1
zcNY?91Y;d<nDn)M3erz~4$mCdzS-2)5h@oYria}<N?lg0ep++=W9hG)tLj)}@n6$|
zMPLVQXiq94S+tJV_#BI>O4j{Tf-*?fH3qN-fLC(4c}HY;9gaRj_0JA>3Xft)7NulV
z=x6+0Y%y4p-;;P+fC@N%@Jg}#FV%k*Okf*2YNEzq-CJ&{0!dFlCs`E#xhgjwA$422
zDMfE#+P~}4B=@7l-$F;q(-k4@;~!rvlv7G94LJ7RCSv>@2#+!^zndLh;}_I>S;h3a
zvAUBqJVhE7cm<+0`5uadUGlgReYaU?#njNTS7_G;dTi6XF~WXWLFL|w{jxr_#aWrJ
z>*ZcapT4^c;d6O86)ELV+lv>Fb^-gOt_oL~?opEVn=3dd_VZWmdic^moKt_{_%J~U
zZkqkozokDYW<@LEY1Secy$}19x)_00(*B47EjvKQle`6a_eGm?$FTkPKcU3B{#gHE
zvW;0fGmbkj5R}A^i-dg8_VtIE))-~-9JVW{{%;eUf)AK2oNqj0zI*r%ip;F{o|Tf@
znF-;nukQO)jAC*#0wD6#k?Gwx4d}k8C-pDW2)mM&Dg98sSU6&;c0K8ya$BDt7F<7U
zx8ymC=kSkEn^OBw@`J0dHT?6?6Gd0spahi<?4JDce&m<g)S)I^vqZ^%bm7a1<e2^#
z=NI<f`*3O8*J9MBtOlKgdlxLZ!SE{K$|_Tx%|U*fK(+1!Q`UOZkmq}-ds7?PklLtV
z2`Z5Ox=&_HHQ2xP<dE6hz09Hc0mVeU&RnC<IR76<I7Q!9^Wg}@2Pii2YjOp3vNZ>g
zX3b#}tdlI9o92%3R|NIWPR>x?9gNhb=4bZ*_}SVOxqtcaU(cJLYRLu5MO;r@>Oe9F
zrR&hBGmUkd*it*7qdoKJnIGMuzoV#$jY(7Smw0;ag*of5M0wgm5H5$ma>(+BJ}_`F
zsbf`MfHrawXuZ?e=3X2}N3UA>0LhphI9)6>4)mGgac#zmg}C!?vqmD>sW9-9n8YwH
z{EyCaaYKg)eqd}5+&+Ujdv}%xN@~Ax6n5Zw@uPJyw=f_#77WeGrs__&a3DqpRiO+e
zMp(DhKSori7BWyU#7cLyU*&ho5qIb^Y8Vgb^r3SsbtN6pAA9obv^n+KvkYCuvFt>(
zPaKSFYBHZ+SDGm7CffT6B?>RtkR=7ty1o1MJU?5@Ym>p5FHQE&cnZ2)Q;|4V9pcf&
zqBzU%>j<g(t<)61Y&nnD<(Qy2MzXh_#KR@j=w<4USsw>F7U)x?E)BDj9<R8|8=UOO
z&uArxht(|54C*~~aU6Am#o)qCSkGwCNRs7Ck2B_XfZz<PBkGlcr@($BseEs>dBOp!
z&FGz(yAq@ZJ5@_I!k6H`wtWOLCMb{NKp>m8GRM(ed?&a%w;~lqWnSo^%b-ou(xws-
z+KTAhaGS^5-ygU~{n(G$t@4I@;3dOVVG_Hxr}fnei>}0*xSwHl$$g$zWePyyr#;?N
z;$`i8=3Y?`oNUXMoPb|k35kt0;UoN_gBG7&Kgb5TPX>Lr0CtW8z_Lp@AOoD#I^A{z
zv=f5XjxN3BLF(y56l}{u`TrV4kPPxG^>b|81j4g1&o>FyN7S`z=2JRVUj+s%haxiq
zq*Un~yCf4NTzpl;=_##ATs=VMPNYS($BPL;;A#tww=I-%k+I)C{TAHXfq>H<_cRA<
z?37Rsf!q6i<XN&o>U~S*gPnD!LKV;+h1~w$$5&<2Q8xJwb~)ke`tq<l={iP5*&s(@
zY~!v4+H$=-M7%U*%fBrPH+hWAUeh-UumT>|LV$&gp7C+A+E?&gQgP;tMuWZgs)AC|
zQtK{93&HPiqeYXhJZzgL)Og>n#n&_n096MO;uIO)$ha#$9n(};l~V<*ilqQ>`%9Dk
z<#1JA>PTM)g#enL)&evZWE9RtsQI5c&JoTLmdclJP7i;X7=7%q<Knjqq1uGR@F*Qm
zKKpN+8UxDve;(g@)GCjJ*_*A|8=m;<tl_rKR6!(hEDnQ8zVW;$lt0a@p5eT5BneGy
zciJ*kZ=i=UY@Y3;f9P;QtitS^ZvJVQ@<2oNT%qF!ei;|JSmNmItW^t5mk)M@(jLUU
z!1Yy&;w@TW!bA$%nvekwX=!!N%mB~T845x%Ae_pe<5`6k02=)_oPNRjH?~dzWyGmG
zc>v5bS6V<>A7Wd#1tPa6+6{T7$o^6M9|Rr)iUd<5c%38ubI@9j+MIff5Yetj*@m4D
zs~KUT@eMpudE#Hd`qmBBP*$NZ|5kbpDC_bUrNshN-Z!WBZQMA+)Dxw}sqH#LRxiB^
zeE;vO&Zcg)tQ16uT<UnHJM}Ueo~+`n(q3S4-4rlE=M@jL=CLA5O?2Xdma@;!wR;ZZ
zRY$((Pm~6FW@Re{A7-Tx97P}pd&s^2-FOutiqu0O2E1Qa)CHgS>>h;dZWeh!9KqYU
zG759Byugd{;w>Z^q8DHKGQkS&p0Ep#_P*3M2hrPcQdCHwmkU9jQN}afa+(grYO^T2
z+aH9!wIb1%sYrHWNA|smvNO$(V8}lh%I(d5ZJ_P95hQuchekmHQhj3%Bs(5_UJ6Wz
zRPf-22q>Mtrlx8(#ZHSFTA@<P$+;gi%Nc(B6?C`=irI#!jWf5gJd!b4yR>1zUO%w-
zCMh+18lxN#Q6r$N(vjRxF5&rWe0UbsR+9`AsXDoA(|)bJ`{{Z97-;xuB8T3Cos7;y
z^>KIZ#>~rZOPjQN-$aT(8u2)rl6b)bJuR;6CY{uZhg2~$pIlowE;1m^dUY>*)?iHf
zGT%pdw@(*mZxdms%vi=_jKZ*fd5#xA_V)^ut-$Xn<r_0o1he?zD2KrjZC`3g+V2B&
z@=B~IX(Y|;skhT4^B8owl^s$oI_Gh~%KG8(t&$NKNqzX~0<kUZ_{u2f<Hm-rtsry>
z&p?0Gu<))CN5vOPlZOS2pH65hBonxl9@3jdluxHASJRH(Gf85188%0>+z~F4#u>e~
z?t~~lx?<gkWZvb2YW}8_GO}eD$n>Qse%L=6tDLY#V+$NgVQz-AmZzBo)6VO_OR%w0
z_nPQQtT-P_>O7cW(xxOEwDOp$I!a`n9A|TB>#ct=Iq_3T2AH>j?=mz2V^UY6qBDRd
zOX}(<c*lMn!nyOyTaHk2!^jVzJ)n&=U#n!GCF&M}V;3izoVx+Q(4CbX2?`aL9&O9K
zxr1vCzh4$f_Dq&v03@RKMBtg=Qsv0%E_yC{UmsJ8^GES#l1!Ml=cB$m{|0B#$0@w#
zy`lQhYAnJ(_gu3<J6uvM&zUp>9K^Ih7q{Q$IdMA28C#)PEd7op$Mrk6QN~7`S$+UF
z1J(2W#N;A2o1_*MrObV<YXGd^c*Z*rD!mYxPoHX2!{Zy#ysRM62YU8}lhHnqq%JeJ
zg(R58>xhu&O1!(r_*JAiy2zz`jlL&!1u%abapw!yF<~Ge^FbrvI~{oVC~czB&`F)(
z&i$2*>*w`VZ~lq&UI~}W&!w^zXI5%irb)1TsR>Ig3We;`m%uB*F^D5WQeuiP;?+?4
zP4h)E*GWq=h-9glI%6N+hv-Ph3n^Y*Vb5(@*nIwh07t~Rb$%lgf^WqjF`j{gfFJ3-
zAghhbRvXz{c|f<wgnO+aHe7vuN`yBxcBpZK_IMQaPVM$y_%Fv(KS-p<+19#vh3L-#
zRB(CxM#)Rj9|rOxc-f|EmT#Y%y6i&yySSBa-Syyku6#FfkY#=;xES~Cnm3b7VxUWF
zN+B#u`Ol*|N&VSS2aRO&C73k96Y^weWLg;V47Ws<`r8n0jR5GTmj9Wa@JF#kU<^7G
zcq1$&8M)?st247Ck!}-!Bzlq=0m;v(WQR+Ct?`0bHE5H$`3D!hpS&XP8<-p^y*NC7
zc{})~jvMXc3-Bh{;oVU*WjJz*{m1&xgoY6R6lTn&9FmIhZ?wZYuu#G4=Ap!Wy#djL
z05zE4#YK2B-SbBW;LOv{2^jdyV<dHLCj|EM-J}Za68|hnrAAxF&4(@>iJ^!)b-$6)
zqVn}e7UYK<O)m)dp1VZOgwc_ywrx!fFAJChdnH|04PQvTJhSOSLHS(ny<_(OAhR#(
z$VHu?5j+r+H>}HDP5Y?cZbR+O;OI2BHq7Q>NU6=e2#=3;evo)gdDovtwmb#(%|5cX
zTsUP?@b;MNuk2N#>hSl^-Mxg_u5kt!pRtDr$8y)+FtWZ?_+7sTwR!fN=&|~C`<+#y
z`10rR=Wmc<V{tb9xhVr$;68^v<+_eF{7#SLCi#w<QOFwv6O#d9z{t%U>iu^~xd&1;
zn<bu+&4pQIu|SAMC&VbKH*kbOzwYyn{ZW2<8WZlb8OihM8{v^cah4yr!}02uWk|T_
zBfC=qu@<F#^lT!Ngz5DSOBJk)50>s?2h2p8!byV3Vm5jhw=^`V{P2ymCUDJz`RT%Q
zuY?z}qBb83R>i5NT{hi!qcC3{7d&GRUvk$ouA&&!UdqmD8rC{C;PyLm!#2)GY;OE8
zOwsV*Z5IRl*%~_}`ts=-fPE!f8>j254%W$TJcd`;?S7nL5euBxn^b6&H{XqppJ?b^
zd@(Aop7rk*-RwHX&OiB1b^HfY7KXlNE>4877&g4#_=CQ!N;J9}dwYS*^7K?uvqFxJ
z<~AU-hddUmPu@DAfvj!puDoZCYLgD-)Lv*>h|oEH`ix+mv>F-nw-GcBcNnQ6*r~hM
zpp86ajN#^**TXTi4Ux&o-f)v;lNU1Qe+Ktn4#tZDcB<lQNnn@(IIk3n`y7KR)&^ph
zmip983Q_f6Gay*b6Ctb<Us)eM4%H|I)XMQ!j%>--GLGB4o1GG^<(z%<#=_XtbNIpx
z8dSpzejf>E{KsZ7Au{N1r(-T}@HqihE(RR!1|2vO33J>_(w8V~+3P;@8tpQLa99g4
z7m#ow7s%wkkrk*e)|<eD@l1Jp=W`s&+liAO)I}|x+~yiYpnWS)=713{{8l6sn$BH2
z27O|!xl}>(pW%lo!ln@Pw>#@R{JMfb-`|oAfKm8r{70B_R)$IeFQ(q2sbkatoFnEN
z_GF<K!u5M6*r^9^3SDiRLPDAauqIH&klPs$ya}{be-I_T-0Gc^77SG{=@3{Uq=56r
zpdpr9O+$<Gta5eN<GEX8=q(V=74{8?nNhVccm3#W&Y7C|QMJhiVxlD{V&2jt!uek}
z6)_-BXWJcg5h!%3<qkKcEiXy85~(NU<Zy$^*yMLX7G1sTF*}#O2zd1(BEO`iiYL#W
zD|P3#d>g0{*n5j|v4Iu8KA$yUKn%m`yj$pT7)w{8?>o>z8h8+g;f98T_bO1Fr4?R!
zWaG}HI1&WO1xp3MfQHHbk}7IIk25I;bir$);}fW~Ei6+C61v%15obQ%YnSL5=HsZ5
zN~<@MY4>!7LhBx+?DVeOs2U&7z|}4t=A>l&wP;NMwbkp+Z^~@O9hHv~4n8`ZmS&~$
zJ~8`Rbx%ml>gGEUk;V5qY^{26a;<JWCh3@kVJevw;xpb7K_j*6F1#+6^~z%_{#Yv=
z;2s;lf6{T<&Tz{@e{L`)`{DN6c{oRVt)%&}89%^kj_D!03+}-iR9|m9b%V;+v)7Sy
z)W93|Qnu*Lk3WIw=YJyr=$&{vP{$26lM_KpVc_<V+PXuVWR2^O7`StgC3erOt|zj!
zBFJ&$xP6_+R`u0aO7r6~gaa{8TBu#2DQJ0|v$O8E`ts<<uE_by0e$>$C`+yIawHgU
zn#?ye08jM>Omjust8K(|*Y~=1YX(%~|13JW3lBUn+BaXsfUf3Ix@OhnjIe?4HAr`p
z((A!{q^hc3qIf)seL{@e)-3@;?=QLMmc8;CBQ4s=uCQzsn1|OLAeZ4c0L!8HjM!qy
zuP#3uQG&idG~v};wd7Z)bC%eX^FRr>?rHRM+nZmf+!Q>%bcw5E88G@u1w_37`Shy+
ziE>_t`TXGH)rps=Meq(R#s^ZMHPudIgP11u3l2B4x<Ov;q;muCkDMB1>Q>)kN_2-#
z3*^yH@7VOMf~A!|*qLymr>@M}A5R@JWqNS2%4&e$LjkBdX#>cW6d3K7Gq8SLoOe-%
zYHelqJyXfy9G=^S(=>}}j<V!_iOK47^EE28=%(FgM(|DAM5wb~!)hH0WB~@7T#o@N
z7%C;DmmB+a<LN&5oeo(fb1;nZ2ft4tFyy8dM}lFNOiLd(qO&z(z>WoNKl<W2XWD`U
zb`AM}wDhc1oj)a@!iTP3ddOJ77xCd8<cFN?Ms!e`>qR}rcm^;W^P~ChA^OjewUUGp
z2%43Ah{r6koh?U!8u<>XT?8)OH0xALc2WFFs2_dm#Ru|m;G<-zxs9_?$E(34rUm%l
zS69WLwWw|!_o%H&ObPtV8)7<nJq=(Dr|`>7uPzsPR+eq2((CHOs=c@7zSI%YdJkrj
zTw~<!G$GFNP=YEs<fdB(+0v4Xr-E{HAgU&)aa<!vL6clz75s?cpFmV2<P28bM86r3
z9u(1$>0S+u+?i6N-5y&3<JG&l@MFDk${NF0jHbv2w%%00+U`en*NzJve6|O?Pl66S
zId<I5n-@1EMJh_ddLwDxJV~cE+?JBa)QG1`5{*tzU^jNhnSb8=&H=osg!sn*32%l{
zxdKC<g<#iftkCR@6H{dVLFE^D9)0{WO|FEU>dQIU+YavY;mIO*vv{y`$6{T{ABLPZ
zjFUE2<=l-Qa3D(5@a7#!oZR^L$;)q~vCz$HcVZK-6i7W9J9hVo9h|uTXeH<OP|##0
z_Y5y%w;{XfmPrxD9(_%uQrR+WGfPAyT#G$T{<#*TZfCG{3Mf>x-l1N_8Y*I;BAn+Q
zF-3OjO2qC4)RR=!?LEmcXnjZufzFyd*`@Y$CcdHOw7}G$kQRn#ObhDsP;Y+<Ib3Hp
zGt!N3^#?3A9GatstG-HBe+Yi=GRLesy`q(m;*64)y2Z#S#j+|o2Ii-98X%2klPq9_
zvW~JxB;N}L^n>Z#7w3Da9xEWc5i}7aIrtF^8@gfy4G|>vxw12%Eg|opid|ZF_0=oY
HY$E>)Cxjax

literal 0
HcmV?d00001

diff --git a/doc/user/application_security/index.md b/doc/user/application_security/index.md
index 3b0725021ef..50fd727b892 100644
--- a/doc/user/application_security/index.md
+++ b/doc/user/application_security/index.md
@@ -194,14 +194,19 @@ merge request would introduce one of the following security issues:
 When the Vulnerability-Check merge request rule is enabled, additional merge request approval
 is required when the latest security report in a merge request:
 
-- Contains a vulnerability of `high`, `critical`, or `unknown` severity that is not present in the
+- Contains vulnerabilities that are not present in the
   target branch. Note that approval is still required for dismissed vulnerabilities.
+- Contains vulnerabilities with severity levels (for example, `high`, `critical`, or `unknown`)
+  matching the rule's severity levels.
+- Contains a vulnerability count higher than the rule allows.
 - Is not generated during pipeline execution.
 
 An approval is optional when the security report:
 
 - Contains no new vulnerabilities when compared to the target branch.
-- Contains only new vulnerabilities of `low` or `medium` severity.
+- Contains only vulnerabilities with severity levels (for example, `low`, `medium`) **NOT** matching
+  the rule's severity levels.
+- Contains a vulnerability count equal to or less than what the rule allows.
 
 When the License-Check merge request rule is enabled, additional approval is required if a merge
 request contains a denied license. For more details, see [Enabling license approvals within a project](../compliance/license_compliance/index.md#enabling-license-approvals-within-a-project).
@@ -219,16 +224,19 @@ Follow these steps to enable `Vulnerability-Check`:
 1. Go to your project and select **Settings > General**.
 1. Expand **Merge request approvals**.
 1. Select **Enable** or **Edit**.
-1. Add or change the **Rule name** to `Vulnerability-Check` (case sensitive).
-1. Set the **No. of approvals required** to greater than zero.
+1. Set the **Security scanners** that the rule applies to.
 1. Select the **Target branch**.
+1. Set the **Vulnerabilities allowed** to the number of vulnerabilities allowed before the rule is
+   triggered.
+1. Set the **Severity levels** to the severity levels that the rule applies to.
+1. Set the **Approvals required** to the number of approvals that the rule requires.
 1. Select the users or groups to provide approval.
 1. Select **Add approval rule**.
 
 Once this group is added to your project, the approval rule is enabled for all merge requests.
 Any code changes cause the approvals required to reset.
 
-![Vulnerability Check Approver Rule](img/vulnerability-check_v13_4.png)
+![Vulnerability Check Approver Rule](img/vulnerability-check_v14_2.png)
 
 ## Using private Maven repositories
 
diff --git a/doc/user/infrastructure/index.md b/doc/user/infrastructure/index.md
index b2d75a22615..f3f9f648e5a 100644
--- a/doc/user/infrastructure/index.md
+++ b/doc/user/infrastructure/index.md
@@ -6,9 +6,53 @@ info: To determine the technical writer assigned to the Stage/Group associated w
 
 # Infrastructure management **(FREE)**
 
-GitLab provides you with great solutions to help you manage your
-infrastructure:
+With the rise of DevOps and SRE approaches, infrastructure management becomes codified,
+automatable, and software development best practices gain their place around infrastructure
+management too. On one hand, the daily tasks of classical operations people changed
+and are more similar to traditional software development. On the other hand, software engineers
+are more likely to control their whole DevOps lifecycle, including deployments and delivery.
 
-- [Infrastructure as Code and GitOps](iac/index.md)
-- [Kubernetes clusters](../project/clusters/index.md)
-- [Runbooks](../project/clusters/runbooks/index.md)
+GitLab offers various features to speed up and simplify your infrastructure management practices.
+
+## Generic infrastructure management
+
+GitLab has deep integrations with Terraform to run your infrastructure as code pipelines
+and support your processes. Terraform is considered the standard in cloud infrastructure provisioning.
+The various GitLab integrations help you:
+
+- Get started quickly without any setup.
+- Collaborate around infrastructure changes in merge requests the same as you might
+  with code changes.
+- Scale using a module registry.
+
+Read more about the [Infrastructure as Code features](iac/index.md), including:
+
+- [The GitLab Managed Terraform State](terraform_state.md).
+- [The Terraform MR widget](mr_integration.md).
+- [The Terraform module registry](../packages/terraform_module_registry/index.md).
+
+## Integrated Kubernetes management
+
+GitLab has special integrations with Kubernetes to help you deploy, manage and troubleshoot
+third-party or custom applications in Kubernetes clusters. Auto DevOps provides a full
+DevSecOps pipeline by default targeted at Kubernetes based deployments. To support
+all the GitLab features, GitLab offers a cluster management project for easy onboarding.
+The deploy boards provide quick insights into your cluster, including pod logs tailing.
+
+The recommended approach to connect to a cluster is using [the GitLab Kubernetes Agent](../clusters/agent/index.md).
+
+Read more about [the Kubernetes cluster support and integrations](../project/clusters/index.md), including:
+
+- Certificate-based integration for [projects](../project/clusters/index.md),
+  [groups](../group/clusters/index.md), or [instances](../instance/clusters/index.md).
+- [Agent-based integration](../clusters/agent/index.md). **(PREMIUM)**
+  - The [Kubernetes Agent Server](../../administration/clusters/kas.md) is [available on GitLab.com](../clusters/agent/index.md#set-up-the-kubernetes-agent-server)
+    at `wss://kas.gitlab.com`. **(PREMIUM)**
+- [Agent-based access from GitLab CI/CD](../clusters/agent/ci_cd_tunnel.md).
+
+## Runbooks in GitLab
+
+Runbooks are a collection of documented procedures that explain how to carry out a task,
+such as starting, stopping, debugging, or troubleshooting a system.
+
+Read more about [how executable runbooks work in GitLab](../project/clusters/runbooks/index.md).
diff --git a/locale/gitlab.pot b/locale/gitlab.pot
index 886e476df0b..934f51254db 100644
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -29472,7 +29472,7 @@ msgstr ""
 msgid "Security report is out of date. Run %{newPipelineLinkStart}a new pipeline%{newPipelineLinkEnd} for the target branch (%{targetBranchName})"
 msgstr ""
 
-msgid "SecurityApprovals|A merge request approval is required when a security report contains a new vulnerability of high, critical, or unknown severity."
+msgid "SecurityApprovals|A merge request approval is required when a security report contains a new vulnerability."
 msgstr ""
 
 msgid "SecurityApprovals|A merge request approval is required when test coverage declines."
@@ -29508,7 +29508,7 @@ msgstr ""
 msgid "SecurityApprovals|Requires approval for decreases in test coverage. %{linkStart}More information%{linkEnd}"
 msgstr ""
 
-msgid "SecurityApprovals|Requires approval for vulnerabilities of Critical, High, or Unknown severity. %{linkStart}Learn more.%{linkEnd}"
+msgid "SecurityApprovals|Requires approval for vulnerabilities. %{linkStart}Learn more.%{linkEnd}"
 msgstr ""
 
 msgid "SecurityApprovals|Test coverage must be enabled. %{linkStart}Learn more%{linkEnd}."
@@ -37184,9 +37184,6 @@ msgstr ""
 msgid "Vulnerability|Request/Response"
 msgstr ""
 
-msgid "Vulnerability|Scanner"
-msgstr ""
-
 msgid "Vulnerability|Scanner Provider"
 msgstr ""
 
@@ -37199,6 +37196,9 @@ msgstr ""
 msgid "Vulnerability|The unmodified response is the original response that had no mutations done to the request"
 msgstr ""
 
+msgid "Vulnerability|Tool"
+msgstr ""
+
 msgid "Vulnerability|Unmodified Response"
 msgstr ""
 
diff --git a/qa/qa/resource/issue.rb b/qa/qa/resource/issue.rb
index c45ab7593b6..d20813e9f2a 100644
--- a/qa/qa/resource/issue.rb
+++ b/qa/qa/resource/issue.rb
@@ -18,12 +18,14 @@ module QA
                  :iid,
                  :assignee_ids,
                  :labels,
-                 :title
+                 :title,
+                 :description
 
       def initialize
         @assignee_ids = []
         @labels = []
         @title = "Issue title #{SecureRandom.hex(8)}"
+        @description = "Issue description #{SecureRandom.hex(8)}"
       end
 
       def fabricate!
@@ -34,7 +36,7 @@ module QA
         Page::Project::Issue::New.perform do |new_page|
           new_page.fill_title(@title)
           new_page.choose_template(@template) if @template
-          new_page.fill_description(@description) if @description
+          new_page.fill_description(@description) if @description && !@template
           new_page.choose_milestone(@milestone) if @milestone
           new_page.create_new_issue
         end
@@ -64,6 +66,7 @@ module QA
         }.tap do |hash|
           hash[:milestone_id] = @milestone.id if @milestone
           hash[:weight] = @weight if @weight
+          hash[:description] = @description if @description
         end
       end
 
diff --git a/qa/qa/runtime/search.rb b/qa/qa/runtime/search.rb
index f7f87d96e68..2a5db97cdad 100644
--- a/qa/qa/runtime/search.rb
+++ b/qa/qa/runtime/search.rb
@@ -8,6 +8,10 @@ module QA
       extend self
       extend Support::Api
 
+      RETRY_MAX_ITERATION = 10
+      RETRY_SLEEP_INTERVAL = 12
+      INSERT_RECALL_THRESHOLD = RETRY_MAX_ITERATION * RETRY_SLEEP_INTERVAL
+
       ElasticSearchServerError = Class.new(RuntimeError)
 
       def assert_elasticsearch_responding
@@ -85,7 +89,7 @@ module QA
       private
 
       def find_target_in_scope(scope, search_term)
-        QA::Support::Retrier.retry_until(max_attempts: 10, sleep_interval: 10, raise_on_failure: true, retry_on_exception: true) do
+        QA::Support::Retrier.retry_until(max_attempts: RETRY_MAX_ITERATION, sleep_interval: RETRY_SLEEP_INTERVAL, raise_on_failure: true, retry_on_exception: true) do
           result = search(scope, search_term)
           result && result.any? { |record| yield record }
         end
diff --git a/qa/qa/specs/features/api/1_manage/import_large_github_repo_spec.rb b/qa/qa/specs/features/api/1_manage/import_large_github_repo_spec.rb
index 385908f2176..69222a23275 100644
--- a/qa/qa/specs/features/api/1_manage/import_large_github_repo_spec.rb
+++ b/qa/qa/specs/features/api/1_manage/import_large_github_repo_spec.rb
@@ -133,7 +133,7 @@ module QA
       it 'imports large Github repo via api' do
         start = Time.now
 
-        imported_project # import the project
+        Runtime::Logger.info("Importing project '#{imported_project.full_path}'") # import the project and log path
         fetch_github_objects # fetch all objects right after import has started
 
         import_status = lambda do
@@ -221,32 +221,39 @@ module QA
       # @return [void]
       def verify_mrs_or_issues(type)
         msg = ->(title) { "expected #{type} with title '#{title}' to have" }
-        expected = type == 'mr' ? mrs : gl_issues
-        actual = type == 'mr' ? gh_prs : gh_issues
 
         # Compare length to have easy to read overview how many objects are missing
-        expect(expected.length).to(
-          eq(actual.length),
-          "Expected to contain same amount of #{type}s. Expected: #{expected.length}, actual: #{actual.length}"
-        )
+        expected = type == 'mr' ? mrs : gl_issues
+        actual = type == 'mr' ? gh_prs : gh_issues
+        count_msg = "Expected to contain same amount of #{type}s. Gitlab: #{expected.length}, Github: #{actual.length}"
+        expect(expected.length).to eq(actual.length), count_msg
+
         logger.debug("= Comparing #{type}s =")
         actual.each do |title, actual_item|
           print "." # indicate that it is still going but don't spam the output with newlines
 
           expected_item = expected[title]
 
+          # Print title in the error message to see which object is missing
           expect(expected_item).to be_truthy, "#{msg.call(title)} been imported"
           next unless expected_item
 
-          expect(expected_item[:body]).to(
-            include(actual_item[:body]),
-            "#{msg.call(title)} same description. diff:\n#{differ.diff(expected_item[:body], actual_item[:body])}"
-          )
-          expect(expected_item[:comments].length).to(
-            eq(actual_item[:comments].length),
-            "#{msg.call(title)} same amount of comments"
-          )
-          expect(expected_item[:comments]).to match_array(actual_item[:comments])
+          # Print difference in the description
+          expected_body = expected_item[:body]
+          actual_body = actual_item[:body]
+          body_msg = <<~MSG
+            #{msg.call(title)} same description. diff:\n#{differ.diff(expected_item[:body], actual_item[:body])}
+          MSG
+          expect(expected_body).to include(actual_body), body_msg
+
+          # Print amount difference first
+          expected_comments = expected_item[:comments]
+          actual_comments = actual_item[:comments]
+          comment_count_msg = <<~MSG
+            #{msg.call(title)} same amount of comments. Gitlab: #{expected_comments.length}, Github: #{actual_comments.length}
+          MSG
+          expect(expected_comments.length).to eq(actual_comments.length), comment_count_msg
+          expect(expected_comments).to match_array(actual_comments)
         end
         puts # print newline after last print to make output pretty
       end
diff --git a/spec/finders/ci/runners_finder_spec.rb b/spec/finders/ci/runners_finder_spec.rb
index 599b4ffb804..10d3f641e02 100644
--- a/spec/finders/ci/runners_finder_spec.rb
+++ b/spec/finders/ci/runners_finder_spec.rb
@@ -18,6 +18,13 @@ RSpec.describe Ci::RunnersFinder do
           end
         end
 
+        context 'with nil group' do
+          it 'returns all runners' do
+            expect(Ci::Runner).to receive(:with_tags).and_call_original
+            expect(described_class.new(current_user: admin, params: { group: nil }).execute).to match_array [runner1, runner2]
+          end
+        end
+
         context 'with preload param set to :tag_name true' do
           it 'requests tags' do
             expect(Ci::Runner).to receive(:with_tags).and_call_original
@@ -158,6 +165,7 @@ RSpec.describe Ci::RunnersFinder do
     let_it_be(:project_4) { create(:project, group: sub_group_2) }
     let_it_be(:project_5) { create(:project, group: sub_group_3) }
     let_it_be(:project_6) { create(:project, group: sub_group_4) }
+    let_it_be(:runner_instance) { create(:ci_runner, :instance, contacted_at: 13.minutes.ago) }
     let_it_be(:runner_group) { create(:ci_runner, :group, contacted_at: 12.minutes.ago) }
     let_it_be(:runner_sub_group_1) { create(:ci_runner, :group, active: false, contacted_at: 11.minutes.ago) }
     let_it_be(:runner_sub_group_2) { create(:ci_runner, :group, contacted_at: 10.minutes.ago) }
@@ -171,7 +179,10 @@ RSpec.describe Ci::RunnersFinder do
     let_it_be(:runner_project_6) { create(:ci_runner, :project, contacted_at: 2.minutes.ago, projects: [project_5])}
     let_it_be(:runner_project_7) { create(:ci_runner, :project, contacted_at: 1.minute.ago, projects: [project_6])}
 
-    let(:params) { {} }
+    let(:target_group) { nil }
+    let(:membership) { nil }
+    let(:extra_params) { {} }
+    let(:params) { { group: target_group, membership: membership }.merge(extra_params).reject { |_, v| v.nil? } }
 
     before do
       group.runners << runner_group
@@ -182,65 +193,104 @@ RSpec.describe Ci::RunnersFinder do
     end
 
     describe '#execute' do
-      subject { described_class.new(current_user: user, group: group, params: params).execute }
+      subject { described_class.new(current_user: user, params: params).execute }
+
+      shared_examples 'membership equal to :descendants' do
+        it 'returns all descendant runners' do
+          expect(subject).to eq([runner_project_7, runner_project_6, runner_project_5,
+                                 runner_project_4, runner_project_3, runner_project_2,
+                                 runner_project_1, runner_sub_group_4, runner_sub_group_3,
+                                 runner_sub_group_2, runner_sub_group_1, runner_group])
+        end
+      end
 
       context 'with user as group owner' do
         before do
           group.add_owner(user)
         end
 
-        context 'passing no params' do
-          it 'returns all descendant runners' do
-            expect(subject).to eq([runner_project_7, runner_project_6, runner_project_5,
-                                   runner_project_4, runner_project_3, runner_project_2,
-                                   runner_project_1, runner_sub_group_4, runner_sub_group_3,
-                                   runner_sub_group_2, runner_sub_group_1, runner_group])
+        context 'with :group as target group' do
+          let(:target_group) { group }
+
+          context 'passing no params' do
+            it_behaves_like 'membership equal to :descendants'
           end
-        end
 
-        context 'with sort param' do
-          let(:params) { { sort: 'contacted_asc' } }
+          context 'with :descendants membership' do
+            let(:membership) { :descendants }
 
-          it 'sorts by specified attribute' do
-            expect(subject).to eq([runner_group, runner_sub_group_1, runner_sub_group_2,
-                                   runner_sub_group_3, runner_sub_group_4, runner_project_1,
-                                   runner_project_2, runner_project_3, runner_project_4,
-                                   runner_project_5, runner_project_6, runner_project_7])
+            it_behaves_like 'membership equal to :descendants'
           end
-        end
 
-        context 'filtering' do
-          context 'by search term' do
-            let(:params) { { search: 'runner_project_search' } }
+          context 'with :direct membership' do
+            let(:membership) { :direct }
 
-            it 'returns correct runner' do
-              expect(subject).to eq([runner_project_3])
+            it 'returns runners belonging to group' do
+              expect(subject).to eq([runner_group])
             end
           end
 
-          context 'by status' do
-            let(:params) { { status_status: 'paused' } }
+          context 'with unknown membership' do
+            let(:membership) { :unsupported }
 
-            it 'returns correct runner' do
-              expect(subject).to eq([runner_sub_group_1])
+            it 'raises an error' do
+              expect { subject }.to raise_error(ArgumentError, 'Invalid membership filter')
             end
           end
 
-          context 'by tag_name' do
-            let(:params) { { tag_name: %w[runner_tag] } }
+          context 'with nil group' do
+            let(:target_group) { nil }
 
-            it 'returns correct runner' do
-              expect(subject).to eq([runner_project_5])
+            it 'returns no runners' do
+              # Query should run against all runners, however since user is not admin, query returns no results
+              expect(subject).to eq([])
             end
           end
 
-          context 'by runner type' do
-            let(:params) { { type_type: 'project_type' } }
+          context 'with sort param' do
+            let(:extra_params) { { sort: 'contacted_asc' } }
 
-            it 'returns correct runners' do
-              expect(subject).to eq([runner_project_7, runner_project_6,
-                                     runner_project_5, runner_project_4,
-                                     runner_project_3, runner_project_2, runner_project_1])
+            it 'sorts by specified attribute' do
+              expect(subject).to eq([runner_group, runner_sub_group_1, runner_sub_group_2,
+                                     runner_sub_group_3, runner_sub_group_4, runner_project_1,
+                                     runner_project_2, runner_project_3, runner_project_4,
+                                     runner_project_5, runner_project_6, runner_project_7])
+            end
+          end
+
+          context 'filtering' do
+            context 'by search term' do
+              let(:extra_params) { { search: 'runner_project_search' } }
+
+              it 'returns correct runner' do
+                expect(subject).to eq([runner_project_3])
+              end
+            end
+
+            context 'by status' do
+              let(:extra_params) { { status_status: 'paused' } }
+
+              it 'returns correct runner' do
+                expect(subject).to eq([runner_sub_group_1])
+              end
+            end
+
+            context 'by tag_name' do
+              let(:extra_params) { { tag_name: %w[runner_tag] } }
+
+              it 'returns correct runner' do
+                expect(subject).to eq([runner_project_5])
+              end
+            end
+
+            context 'by runner type' do
+              let(:extra_params) { { type_type: 'project_type' } }
+
+              it 'returns correct runners' do
+                expect(subject).to eq([runner_project_7, runner_project_6,
+                                       runner_project_5, runner_project_4,
+                                       runner_project_3, runner_project_2, runner_project_1])
+              end
             end
           end
         end
@@ -278,7 +328,7 @@ RSpec.describe Ci::RunnersFinder do
     end
 
     describe '#sort_key' do
-      subject { described_class.new(current_user: user, group: group, params: params).sort_key }
+      subject { described_class.new(current_user: user, params: params.merge(group: group)).sort_key }
 
       context 'without params' do
         it 'returns created_at_desc' do
@@ -287,7 +337,7 @@ RSpec.describe Ci::RunnersFinder do
       end
 
       context 'with params' do
-        let(:params) { { sort: 'contacted_asc' } }
+        let(:extra_params) { { sort: 'contacted_asc' } }
 
         it 'returns contacted_asc' do
           expect(subject).to eq('contacted_asc')
diff --git a/spec/graphql/resolvers/ci/group_runners_resolver_spec.rb b/spec/graphql/resolvers/ci/group_runners_resolver_spec.rb
new file mode 100644
index 00000000000..89a2437a189
--- /dev/null
+++ b/spec/graphql/resolvers/ci/group_runners_resolver_spec.rb
@@ -0,0 +1,94 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Resolvers::Ci::GroupRunnersResolver do
+  include GraphqlHelpers
+
+  describe '#resolve' do
+    subject { resolve(described_class, obj: obj, ctx: { current_user: user }, args: args) }
+
+    include_context 'runners resolver setup'
+
+    let(:obj) { group }
+    let(:args) { {} }
+
+    # First, we can do a couple of basic real tests to verify common cases. That ensures that the code works.
+    context 'when user cannot see runners' do
+      it 'returns no runners' do
+        expect(subject.items.to_a).to eq([])
+      end
+    end
+
+    context 'with user as group owner' do
+      before do
+        group.add_owner(user)
+      end
+
+      it 'returns all the runners' do
+        expect(subject.items.to_a).to contain_exactly(inactive_project_runner, offline_project_runner, group_runner, subgroup_runner)
+      end
+
+      context 'with membership direct' do
+        let(:args) { { membership: :direct } }
+
+        it 'returns only direct runners' do
+          expect(subject.items.to_a).to contain_exactly(group_runner)
+        end
+      end
+    end
+
+    # Then, we can check specific edge cases for this resolver
+    context 'with obj set to nil' do
+      let(:obj) { nil }
+
+      it 'raises an error' do
+        expect { subject }.to raise_error('Expected group missing')
+      end
+    end
+
+    context 'with obj not set to group' do
+      let(:obj) { build(:project) }
+
+      it 'raises an error' do
+        expect { subject }.to raise_error('Expected group missing')
+      end
+    end
+
+    # Here we have a mocked part. We assume that all possible edge cases are covered in RunnersFinder spec. So we don't need to test them twice.
+    # Only thing we can do is to verify that args from the resolver is correctly transformed to params of the Finder and we return the Finder's result back.
+    describe 'Allowed query arguments' do
+      let(:finder) { instance_double(::Ci::RunnersFinder) }
+      let(:args) do
+        {
+          status: 'active',
+          type: :group_type,
+          tag_list: ['active_runner'],
+          search: 'abc',
+          sort: :contacted_asc,
+          membership: :descendants
+        }
+      end
+
+      let(:expected_params) do
+        {
+          status_status: 'active',
+          type_type: :group_type,
+          tag_name: ['active_runner'],
+          preload: { tag_name: nil },
+          search: 'abc',
+          sort: 'contacted_asc',
+          membership: :descendants,
+          group: group
+        }
+      end
+
+      it 'calls RunnersFinder with expected arguments' do
+        allow(::Ci::RunnersFinder).to receive(:new).with(current_user: user, params: expected_params).once.and_return(finder)
+        allow(finder).to receive(:execute).once.and_return([:execute_return_value])
+
+        expect(subject.items.to_a).to eq([:execute_return_value])
+      end
+    end
+  end
+end
diff --git a/spec/graphql/resolvers/ci/runners_resolver_spec.rb b/spec/graphql/resolvers/ci/runners_resolver_spec.rb
index 5ac15d5729f..bb8dadeca40 100644
--- a/spec/graphql/resolvers/ci/runners_resolver_spec.rb
+++ b/spec/graphql/resolvers/ci/runners_resolver_spec.rb
@@ -5,185 +5,70 @@ require 'spec_helper'
 RSpec.describe Resolvers::Ci::RunnersResolver do
   include GraphqlHelpers
 
-  let_it_be(:user) { create_default(:user, :admin) }
-  let_it_be(:group) { create(:group, :public) }
-  let_it_be(:project) { create(:project, :repository, :public) }
-
-  let_it_be(:inactive_project_runner) do
-    create(:ci_runner, :project, projects: [project], description: 'inactive project runner', token: 'abcdef', active: false, contacted_at: 1.minute.ago, tag_list: %w(project_runner))
-  end
-
-  let_it_be(:offline_project_runner) do
-    create(:ci_runner, :project, projects: [project], description: 'offline project runner', token: 'defghi', contacted_at: 1.day.ago, tag_list: %w(project_runner active_runner))
-  end
-
-  let_it_be(:group_runner) { create(:ci_runner, :group, groups: [group], token: 'mnopqr', description: 'group runner', contacted_at: 1.second.ago) }
-  let_it_be(:instance_runner) { create(:ci_runner, :instance, description: 'shared runner', token: 'stuvxz', contacted_at: 2.minutes.ago, tag_list: %w(instance_runner active_runner)) }
-
   describe '#resolve' do
-    subject { resolve(described_class, ctx: { current_user: user }, args: args).items.to_a }
+    let(:obj) { nil }
+    let(:args) { {} }
 
-    let(:args) do
-      {}
-    end
+    subject { resolve(described_class, obj: obj, ctx: { current_user: user }, args: args) }
 
-    context 'when the user cannot see runners' do
-      let(:user) { create(:user) }
+    include_context 'runners resolver setup'
+
+    # First, we can do a couple of basic real tests to verify common cases. That ensures that the code works.
+    context 'when user cannot see runners' do
+      let(:user) { build(:user) }
 
       it 'returns no runners' do
-        is_expected.to be_empty
+        expect(subject.items.to_a).to eq([])
       end
     end
 
-    context 'without sort' do
+    context 'when user can see runners' do
+      let(:obj) { nil }
+
       it 'returns all the runners' do
-        is_expected.to contain_exactly(inactive_project_runner, offline_project_runner, group_runner, instance_runner)
+        expect(subject.items.to_a).to contain_exactly(inactive_project_runner, offline_project_runner, group_runner, subgroup_runner, instance_runner)
       end
     end
 
-    context 'with a sort argument' do
-      context "set to :contacted_asc" do
-        let(:args) do
-          { sort: :contacted_asc }
-        end
+    # Then, we can check specific edge cases for this resolver
+    context 'with obj not set to nil' do
+      let(:obj) { build(:project) }
 
-        it { is_expected.to eq([offline_project_runner, instance_runner, inactive_project_runner, group_runner]) }
-      end
-
-      context "set to :contacted_desc" do
-        let(:args) do
-          { sort: :contacted_desc }
-        end
-
-        it { is_expected.to eq([offline_project_runner, instance_runner, inactive_project_runner, group_runner].reverse) }
-      end
-
-      context "set to :created_at_desc" do
-        let(:args) do
-          { sort: :created_at_desc }
-        end
-
-        it { is_expected.to eq([instance_runner, group_runner, offline_project_runner, inactive_project_runner]) }
-      end
-
-      context "set to :created_at_asc" do
-        let(:args) do
-          { sort: :created_at_asc }
-        end
-
-        it { is_expected.to eq([instance_runner, group_runner, offline_project_runner, inactive_project_runner].reverse) }
+      it 'raises an error' do
+        expect { subject }.to raise_error(a_string_including('Unexpected parent type'))
       end
     end
 
-    context 'when type is filtered' do
+    # Here we have a mocked part. We assume that all possible edge cases are covered in RunnersFinder spec. So we don't need to test them twice.
+    # Only thing we can do is to verify that args from the resolver is correctly transformed to params of the Finder and we return the Finder's result back.
+    describe 'Allowed query arguments' do
+      let(:finder) { instance_double(::Ci::RunnersFinder) }
       let(:args) do
-        { type: runner_type.to_s }
+        {
+          status: 'active',
+          type: :instance_type,
+          tag_list: ['active_runner'],
+          search: 'abc',
+          sort: :contacted_asc
+        }
       end
 
-      context 'to instance runners' do
-        let(:runner_type) { :instance_type }
-
-        it 'returns the instance runner' do
-          is_expected.to contain_exactly(instance_runner)
-        end
+      let(:expected_params) do
+        {
+          status_status: 'active',
+          type_type: :instance_type,
+          tag_name: ['active_runner'],
+          preload: { tag_name: nil },
+          search: 'abc',
+          sort: 'contacted_asc'
+        }
       end
 
-      context 'to group runners' do
-        let(:runner_type) { :group_type }
+      it 'calls RunnersFinder with expected arguments' do
+        allow(::Ci::RunnersFinder).to receive(:new).with(current_user: user, params: expected_params).once.and_return(finder)
+        allow(finder).to receive(:execute).once.and_return([:execute_return_value])
 
-        it 'returns the group runner' do
-          is_expected.to contain_exactly(group_runner)
-        end
-      end
-
-      context 'to project runners' do
-        let(:runner_type) { :project_type }
-
-        it 'returns the project runner' do
-          is_expected.to contain_exactly(inactive_project_runner, offline_project_runner)
-        end
-      end
-    end
-
-    context 'when status is filtered' do
-      let(:args) do
-        { status: runner_status.to_s }
-      end
-
-      context 'to active runners' do
-        let(:runner_status) { :active }
-
-        it 'returns the instance and group runners' do
-          is_expected.to contain_exactly(offline_project_runner, group_runner, instance_runner)
-        end
-      end
-
-      context 'to offline runners' do
-        let(:runner_status) { :offline }
-
-        it 'returns the offline project runner' do
-          is_expected.to contain_exactly(offline_project_runner)
-        end
-      end
-    end
-
-    context 'when tag list is filtered' do
-      let(:args) do
-        { tag_list: tag_list }
-      end
-
-      context 'with "project_runner" tag' do
-        let(:tag_list) { ['project_runner'] }
-
-        it 'returns the project_runner runners' do
-          is_expected.to contain_exactly(offline_project_runner, inactive_project_runner)
-        end
-      end
-
-      context 'with "project_runner" and "active_runner" tags as comma-separated string' do
-        let(:tag_list) { ['project_runner,active_runner'] }
-
-        it 'returns the offline_project_runner runner' do
-          is_expected.to contain_exactly(offline_project_runner)
-        end
-      end
-
-      context 'with "active_runner" and "instance_runner" tags as array' do
-        let(:tag_list) { %w[instance_runner active_runner] }
-
-        it 'returns the offline_project_runner runner' do
-          is_expected.to contain_exactly(instance_runner)
-        end
-      end
-    end
-
-    context 'when text is filtered' do
-      let(:args) do
-        { search: search_term }
-      end
-
-      context 'to "project"' do
-        let(:search_term) { 'project' }
-
-        it 'returns both project runners' do
-          is_expected.to contain_exactly(inactive_project_runner, offline_project_runner)
-        end
-      end
-
-      context 'to "group"' do
-        let(:search_term) { 'group' }
-
-        it 'returns group runner' do
-          is_expected.to contain_exactly(group_runner)
-        end
-      end
-
-      context 'to "defghi"' do
-        let(:search_term) { 'defghi' }
-
-        it 'returns runners containing term in token' do
-          is_expected.to contain_exactly(offline_project_runner)
-        end
+        expect(subject.items.to_a).to eq([:execute_return_value])
       end
     end
   end
diff --git a/spec/helpers/ci/pipeline_editor_helper_spec.rb b/spec/helpers/ci/pipeline_editor_helper_spec.rb
index 3183a0a2394..874937bc4ce 100644
--- a/spec/helpers/ci/pipeline_editor_helper_spec.rb
+++ b/spec/helpers/ci/pipeline_editor_helper_spec.rb
@@ -42,7 +42,6 @@ RSpec.describe Ci::PipelineEditorHelper do
           "ci-config-path": project.ci_config_path_or_default,
           "ci-examples-help-page-path" => help_page_path('ci/examples/index'),
           "ci-help-page-path" => help_page_path('ci/index'),
-          "commit-sha" => project.commit.sha,
           "default-branch" => project.default_branch_or_main,
           "empty-state-illustration-path" => 'foo',
           "initial-branch-name" => nil,
@@ -69,7 +68,6 @@ RSpec.describe Ci::PipelineEditorHelper do
           "ci-config-path": project.ci_config_path_or_default,
           "ci-examples-help-page-path" => help_page_path('ci/examples/index'),
           "ci-help-page-path" => help_page_path('ci/index'),
-          "commit-sha" => '',
           "default-branch" => project.default_branch_or_main,
           "empty-state-illustration-path" => 'foo',
           "initial-branch-name" => nil,
@@ -97,10 +95,7 @@ RSpec.describe Ci::PipelineEditorHelper do
       end
 
       it 'returns correct values' do
-        latest_feature_sha = project.repository.commit('feature').sha
-
         expect(pipeline_editor_data['initial-branch-name']).to eq('feature')
-        expect(pipeline_editor_data['commit-sha']).to eq(latest_feature_sha)
       end
     end
   end
diff --git a/spec/migrations/backfill_stage_event_hash_spec.rb b/spec/migrations/backfill_stage_event_hash_spec.rb
new file mode 100644
index 00000000000..cecaddcd3d4
--- /dev/null
+++ b/spec/migrations/backfill_stage_event_hash_spec.rb
@@ -0,0 +1,103 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+require_migration!
+
+RSpec.describe BackfillStageEventHash, schema: 20210730103808 do
+  let(:namespaces) { table(:namespaces) }
+  let(:projects) { table(:projects) }
+  let(:labels) { table(:labels) }
+  let(:group_stages) { table(:analytics_cycle_analytics_group_stages) }
+  let(:project_stages) { table(:analytics_cycle_analytics_project_stages) }
+  let(:group_value_streams) { table(:analytics_cycle_analytics_group_value_streams) }
+  let(:project_value_streams) { table(:analytics_cycle_analytics_project_value_streams) }
+  let(:stage_event_hashes) { table(:analytics_cycle_analytics_stage_event_hashes) }
+
+  let(:issue_created) { 1 }
+  let(:issue_closed) { 3 }
+  let(:issue_label_removed) { 9 }
+  let(:unknown_stage_event) { -1 }
+
+  let(:namespace) { namespaces.create!(name: 'ns', path: 'ns', type: 'Group') }
+  let(:project) { projects.create!(name: 'project', path: 'project', namespace_id: namespace.id) }
+  let(:group_label) { labels.create!(title: 'label', type: 'GroupLabel', group_id: namespace.id) }
+  let(:group_value_stream) { group_value_streams.create!(name: 'group vs', group_id: namespace.id) }
+  let(:project_value_stream) { project_value_streams.create!(name: 'project vs', project_id: project.id) }
+
+  let(:group_stage_1) do
+    group_stages.create!(
+      name: 'stage 1',
+      group_id: namespace.id,
+      start_event_identifier: issue_created,
+      end_event_identifier: issue_closed,
+      group_value_stream_id: group_value_stream.id
+    )
+  end
+
+  let(:group_stage_2) do
+    group_stages.create!(
+      name: 'stage 2',
+      group_id: namespace.id,
+      start_event_identifier: issue_created,
+      end_event_identifier: issue_label_removed,
+      end_event_label_id: group_label.id,
+      group_value_stream_id: group_value_stream.id
+    )
+  end
+
+  let(:project_stage_1) do
+    project_stages.create!(
+      name: 'stage 1',
+      project_id: project.id,
+      start_event_identifier: issue_created,
+      end_event_identifier: issue_closed,
+      project_value_stream_id: project_value_stream.id
+    )
+  end
+
+  let(:invalid_group_stage) do
+    group_stages.create!(
+      name: 'stage 3',
+      group_id: namespace.id,
+      start_event_identifier: issue_created,
+      end_event_identifier: unknown_stage_event,
+      group_value_stream_id: group_value_stream.id
+    )
+  end
+
+  describe '#up' do
+    it 'populates stage_event_hash_id column' do
+      group_stage_1
+      group_stage_2
+      project_stage_1
+
+      migrate!
+
+      group_stage_1.reload
+      group_stage_2.reload
+      project_stage_1.reload
+
+      expect(group_stage_1.stage_event_hash_id).not_to be_nil
+      expect(group_stage_2.stage_event_hash_id).not_to be_nil
+      expect(project_stage_1.stage_event_hash_id).not_to be_nil
+
+      expect(stage_event_hashes.count).to eq(2) # group_stage_1 and project_stage_1 has the same hash
+    end
+
+    it 'runs without problem without stages' do
+      expect { migrate! }.not_to raise_error
+    end
+
+    context 'when invalid event identifier is discovered' do
+      it 'removes the stage' do
+        group_stage_1
+        invalid_group_stage
+
+        expect { migrate! }.not_to change { group_stage_1 }
+
+        expect(group_stages.find_by_id(invalid_group_stage.id)).to eq(nil)
+      end
+    end
+  end
+end
diff --git a/spec/support/shared_contexts/graphql/resolvers/runners_resolver_shared_context.rb b/spec/support/shared_contexts/graphql/resolvers/runners_resolver_shared_context.rb
new file mode 100644
index 00000000000..aa857cfdb70
--- /dev/null
+++ b/spec/support/shared_contexts/graphql/resolvers/runners_resolver_shared_context.rb
@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.shared_context 'runners resolver setup' do
+  let_it_be(:user) { create_default(:user, :admin) }
+  let_it_be(:group) { create(:group, :public) }
+  let_it_be(:subgroup) { create(:group, :public, parent: group) }
+  let_it_be(:project) { create(:project, :public, group: group) }
+
+  let_it_be(:inactive_project_runner) do
+    create(:ci_runner, :project, projects: [project], description: 'inactive project runner', token: 'abcdef', active: false, contacted_at: 1.minute.ago, tag_list: %w(project_runner))
+  end
+
+  let_it_be(:offline_project_runner) do
+    create(:ci_runner, :project, projects: [project], description: 'offline project runner', token: 'defghi', contacted_at: 1.day.ago, tag_list: %w(project_runner active_runner))
+  end
+
+  let_it_be(:group_runner) { create(:ci_runner, :group, groups: [group], token: 'mnopqr', description: 'group runner', contacted_at: 2.seconds.ago) }
+  let_it_be(:subgroup_runner) { create(:ci_runner, :group, groups: [subgroup], token: 'mnopqr', description: 'subgroup runner', contacted_at: 1.second.ago) }
+  let_it_be(:instance_runner) { create(:ci_runner, :instance, description: 'shared runner', token: 'stuvxz', contacted_at: 2.minutes.ago, tag_list: %w(instance_runner active_runner)) }
+end