From b6bc4bfe99e3d7a5b67ee3cd5bb4db31ac0adb4d Mon Sep 17 00:00:00 2001 
From: Eirik Dahlen Date: Wed, 10 Jul 2024 13:22:50 +0200 Subject: [PATCH] IS-2523: Setup app --- .editorconfig | 4 + .gitattributes | 9 + .github/dependabot.yaml | 21 ++ .github/workflows/codeql.yaml | 19 ++ .github/workflows/dependency-submission.yaml | 15 ++ .github/workflows/dispatch.yaml | 20 ++ .github/workflows/main.yaml | 11 + .gitignore | 7 + .nais/naiserator-dev.yaml | 76 ++++++ .nais/naiserator-prod.yaml | 76 ++++++ CODEOWNERS | 2 + Dockerfile | 8 + README.md | 48 ++++ build.gradle.kts | 99 +++++++ gradle/wrapper/gradle-wrapper.jar | Bin 0 -> 43462 bytes gradle/wrapper/gradle-wrapper.properties | 7 + gradlew | 249 ++++++++++++++++++ gradlew.bat | 92 +++++++ settings.gradle.kts | 1 + src/main/kotlin/no/nav/syfo/App.kt | 76 ++++++ .../no/nav/syfo/ApplicationEnvironment.kt | 41 +++ .../kotlin/no/nav/syfo/ApplicationState.kt | 6 + src/main/kotlin/no/nav/syfo/BackgroundTask.kt | 42 +++ src/main/kotlin/no/nav/syfo/api/ApiModule.kt | 135 ++++++++++ .../nav/syfo/api/auth/AuthenticationPlugin.kt | 58 ++++ .../kotlin/no/nav/syfo/api/auth/JwtIssuer.kt | 13 + .../nav/syfo/api/endpoints/MetricEndpoints.kt | 14 + .../no/nav/syfo/api/endpoints/PodEndpoints.kt | 38 +++ .../kotlin/no/nav/syfo/domain/Personident.kt | 10 + .../kotlin/no/nav/syfo/infrastructure/Util.kt | 6 + .../clients/ClientsEnvironment.kt | 14 + .../clients/HttpClientCommon.kt | 37 +++ .../clients/azuread/AzureAdClient.kt | 68 +++++ .../clients/azuread/AzureAdToken.kt | 13 + .../clients/azuread/AzureAdTokenResponse.kt | 17 ++ .../clients/azuread/AzureEnvironment.kt | 8 + .../ForbiddenAccessVeilederException.kt | 6 + .../clients/veiledertilgang/Tilgang.kt | 5 + .../VeilederAPIAccessPipeline.kt | 31 +++ .../VeilederTilgangskontrollClient.kt | 97 +++++++ .../clients/wellknown/WellKnown.kt | 6 + .../clients/wellknown/WellKnownClient.kt | 13 + .../clients/wellknown/WellKnownDTO.kt | 14 + .../syfo/infrastructure/database/Database.kt | 60 +++++ .../database/DatabaseEnvironment.kt | 10 + 
.../infrastructure/database/DatabaseModule.kt | 25 ++ .../nav/syfo/infrastructure/metric/Metric.kt | 8 + src/main/kotlin/no/nav/syfo/util/DateUtil.kt | 10 + .../no/nav/syfo/util/ObjectMapperConfig.kt | 14 + .../kotlin/no/nav/syfo/util/PipelineUtil.kt | 30 +++ .../migration/R__grant_to_cloudsqliamuser.sql | 3 + .../V1_1__create_user_cloudsqliamuser.sql | 7 + .../V1_2__create_user_isyfoanalyse.sql | 7 + src/main/resources/logback.xml | 21 ++ .../no/nav/syfo/ExternalMockEnvironment.kt | 32 +++ .../kotlin/no/nav/syfo/TestEnvironment.kt | 35 +++ src/test/kotlin/no/nav/syfo/UserConstants.kt | 9 + src/test/kotlin/no/nav/syfo/api/JWTUtil.kt | 62 +++++ .../kotlin/no/nav/syfo/api/TestApiModule.kt | 24 ++ .../syfo/api/TestApplicationEngineUtils.kt | 66 +++++ .../no/nav/syfo/api/endpoints/PodApiSpek.kt | 102 +++++++ .../infrastructure/database/TestDatabase.kt | 43 +++ .../syfo/infrastructure/mock/AzureADMock.kt | 13 + .../infrastructure/mock/MockHttpClient.kt | 22 ++ .../nav/syfo/infrastructure/mock/MockUtils.kt | 19 ++ .../mock/TilgangskontrollMock.kt | 14 + src/test/resources/jwkset.json | 13 + 67 files changed, 2181 insertions(+) create mode 100644 .editorconfig create mode 100644 .gitattributes create mode 100644 .github/dependabot.yaml create mode 100644 .github/workflows/codeql.yaml create mode 100644 .github/workflows/dependency-submission.yaml create mode 100644 .github/workflows/dispatch.yaml create mode 100644 .github/workflows/main.yaml create mode 100644 .gitignore create mode 100644 .nais/naiserator-dev.yaml create mode 100644 .nais/naiserator-prod.yaml create mode 100644 CODEOWNERS create mode 100644 Dockerfile create mode 100644 README.md create mode 100644 build.gradle.kts create mode 100644 gradle/wrapper/gradle-wrapper.jar create mode 100644 gradle/wrapper/gradle-wrapper.properties create mode 100755 gradlew create mode 100644 gradlew.bat create mode 100644 settings.gradle.kts create mode 100644 src/main/kotlin/no/nav/syfo/App.kt create mode 100644 
src/main/kotlin/no/nav/syfo/ApplicationEnvironment.kt create mode 100644 src/main/kotlin/no/nav/syfo/ApplicationState.kt create mode 100644 src/main/kotlin/no/nav/syfo/BackgroundTask.kt create mode 100644 src/main/kotlin/no/nav/syfo/api/ApiModule.kt create mode 100644 src/main/kotlin/no/nav/syfo/api/auth/AuthenticationPlugin.kt create mode 100644 src/main/kotlin/no/nav/syfo/api/auth/JwtIssuer.kt create mode 100644 src/main/kotlin/no/nav/syfo/api/endpoints/MetricEndpoints.kt create mode 100644 src/main/kotlin/no/nav/syfo/api/endpoints/PodEndpoints.kt create mode 100644 src/main/kotlin/no/nav/syfo/domain/Personident.kt create mode 100644 src/main/kotlin/no/nav/syfo/infrastructure/Util.kt create mode 100644 src/main/kotlin/no/nav/syfo/infrastructure/clients/ClientsEnvironment.kt create mode 100644 src/main/kotlin/no/nav/syfo/infrastructure/clients/HttpClientCommon.kt create mode 100644 src/main/kotlin/no/nav/syfo/infrastructure/clients/azuread/AzureAdClient.kt create mode 100644 src/main/kotlin/no/nav/syfo/infrastructure/clients/azuread/AzureAdToken.kt create mode 100644 src/main/kotlin/no/nav/syfo/infrastructure/clients/azuread/AzureAdTokenResponse.kt create mode 100644 src/main/kotlin/no/nav/syfo/infrastructure/clients/azuread/AzureEnvironment.kt create mode 100644 src/main/kotlin/no/nav/syfo/infrastructure/clients/veiledertilgang/ForbiddenAccessVeilederException.kt create mode 100644 src/main/kotlin/no/nav/syfo/infrastructure/clients/veiledertilgang/Tilgang.kt create mode 100644 src/main/kotlin/no/nav/syfo/infrastructure/clients/veiledertilgang/VeilederAPIAccessPipeline.kt create mode 100644 src/main/kotlin/no/nav/syfo/infrastructure/clients/veiledertilgang/VeilederTilgangskontrollClient.kt create mode 100644 src/main/kotlin/no/nav/syfo/infrastructure/clients/wellknown/WellKnown.kt create mode 100644 src/main/kotlin/no/nav/syfo/infrastructure/clients/wellknown/WellKnownClient.kt create mode 100644 
src/main/kotlin/no/nav/syfo/infrastructure/clients/wellknown/WellKnownDTO.kt create mode 100644 src/main/kotlin/no/nav/syfo/infrastructure/database/Database.kt create mode 100644 src/main/kotlin/no/nav/syfo/infrastructure/database/DatabaseEnvironment.kt create mode 100644 src/main/kotlin/no/nav/syfo/infrastructure/database/DatabaseModule.kt create mode 100644 src/main/kotlin/no/nav/syfo/infrastructure/metric/Metric.kt create mode 100644 src/main/kotlin/no/nav/syfo/util/DateUtil.kt create mode 100644 src/main/kotlin/no/nav/syfo/util/ObjectMapperConfig.kt create mode 100644 src/main/kotlin/no/nav/syfo/util/PipelineUtil.kt create mode 100644 src/main/resources/db/migration/R__grant_to_cloudsqliamuser.sql create mode 100644 src/main/resources/db/migration/V1_1__create_user_cloudsqliamuser.sql create mode 100644 src/main/resources/db/migration/V1_2__create_user_isyfoanalyse.sql create mode 100644 src/main/resources/logback.xml create mode 100644 src/test/kotlin/no/nav/syfo/ExternalMockEnvironment.kt create mode 100644 src/test/kotlin/no/nav/syfo/TestEnvironment.kt create mode 100644 src/test/kotlin/no/nav/syfo/UserConstants.kt create mode 100644 src/test/kotlin/no/nav/syfo/api/JWTUtil.kt create mode 100644 src/test/kotlin/no/nav/syfo/api/TestApiModule.kt create mode 100644 src/test/kotlin/no/nav/syfo/api/TestApplicationEngineUtils.kt create mode 100644 src/test/kotlin/no/nav/syfo/api/endpoints/PodApiSpek.kt create mode 100644 src/test/kotlin/no/nav/syfo/infrastructure/database/TestDatabase.kt create mode 100644 src/test/kotlin/no/nav/syfo/infrastructure/mock/AzureADMock.kt create mode 100644 src/test/kotlin/no/nav/syfo/infrastructure/mock/MockHttpClient.kt create mode 100644 src/test/kotlin/no/nav/syfo/infrastructure/mock/MockUtils.kt create mode 100644 src/test/kotlin/no/nav/syfo/infrastructure/mock/TilgangskontrollMock.kt create mode 100644 src/test/resources/jwkset.json diff --git a/.editorconfig b/.editorconfig new file mode 100644 index 0000000..da04062 
--- /dev/null
+++ b/.editorconfig
@@ -0,0 +1,4 @@
+root = true
+
+[*.{kt,kts}]
+ktlint_disabled_rules=import-ordering,no-wildcard-imports,trailing-comma-on-call-site,trailing-comma-on-declaration-site,multiline-if-else
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..097f9f9
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,9 @@
+#
+# https://help.github.com/articles/dealing-with-line-endings/
+#
+# Linux start script should use lf
+/gradlew text eol=lf
+
+# These are Windows script files and should use crlf
+*.bat text eol=crlf
+
diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml
new file mode 100644
index 0000000..b78aa3d
--- /dev/null
+++ b/.github/dependabot.yaml
@@ -0,0 +1,21 @@
+version: 2
+updates:
+ - package-ecosystem: github-actions
+ directory: "/"
+ schedule:
+ interval: daily
+ time: "07:00"
+ open-pull-requests-limit: 10
+
+ - package-ecosystem: gradle
+ directory: "/"
+ schedule:
+ interval: weekly
+ open-pull-requests-limit: 10
+ groups:
+ minor-and-patch:
+ patterns:
+ - "*"
+ update-types:
+ - "minor"
+ - "patch"
diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml
new file mode 100644
index 0000000..bafc9f6
--- /dev/null
+++ b/.github/workflows/codeql.yaml
@@ -0,0 +1,19 @@
+name: "CodeQL"
+
+on:
+ push:
+ branches:
+ - main
+ schedule:
+ - cron: '0 7 * * 1'
+
+jobs:
+ monitor:
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+ uses: navikt/isworkflows/.github/workflows/codeql.yml@master
+ with:
+ languages: "[ 'java' ]"
+ secrets: inherit
diff --git a/.github/workflows/dependency-submission.yaml b/.github/workflows/dependency-submission.yaml
new file mode 100644
index 0000000..25b2d46
--- /dev/null
+++ b/.github/workflows/dependency-submission.yaml
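Review bot: The job-level `uses: navikt/isworkflows/.github/workflows/codeql.yml@master` in codeql.yaml tracks a mutable branch and is combined with `secrets: inherit`, so whatever lands on that branch runs with every secret this repository can see. The same pattern appears in dependency-submission.yaml (with `contents: write`), dispatch.yaml and main.yaml (both with `id-token: write`). I would pin each reference to a full commit SHA, for example `uses: navikt/isworkflows/.github/workflows/codeql.yml@<full-commit-sha> # master`, and pass only the secrets the called workflow declares instead of `secrets: inherit`. The `github-actions` entry added to dependabot.yaml in this commit should be able to keep such pins current.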
@@ -0,0 +1,15 @@
+name: Gradle dependency submission
+on:
+ push:
+ branches:
+ - main
+ paths:
+ - "**.gradle.kts"
+ workflow_dispatch:
+
+jobs:
+ dependency_submission:
+ permissions:
+ contents: write
+ uses: navikt/isworkflows/.github/workflows/gradle-dependency-submission.yml@master
+ secrets: inherit
diff --git a/.github/workflows/dispatch.yaml b/.github/workflows/dispatch.yaml
new file mode 100644
index 0000000..cd7a0ba
--- /dev/null
+++ b/.github/workflows/dispatch.yaml
@@ -0,0 +1,20 @@
+name: Deploy to dev-gcp
+
+on:
+ workflow_dispatch:
+ inputs:
+ gitCommit:
+ description: "Complete git commit to deploy"
+ required: true
+ default: ""
+
+jobs:
+ deploy-dev:
+ name: Deploy to NAIS Dev-gcp
+ permissions:
+ contents: read
+ id-token: write
+ uses: navikt/isworkflows/.github/workflows/manual-deploy-dev.yml@master
+ with:
+ git-commit: ${{ github.event.inputs.gitCommit }}
+ secrets: inherit
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
new file mode 100644
index 0000000..6d2d83b
--- /dev/null
+++ b/.github/workflows/main.yaml
@@ -0,0 +1,11 @@
+name: main
+
+on: push
+
+jobs:
+ build-and-deploy:
+ permissions:
+ contents: read
+ id-token: write
+ uses: navikt/isworkflows/.github/workflows/kotlin-build-deploy.yml@master
+ secrets: inherit
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..d0dea12
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,7 @@
+.idea
+# Ignore Gradle project-specific cache directory
+.gradle
+
+# Ignore Gradle build output directory
+build
+
diff --git a/.nais/naiserator-dev.yaml b/.nais/naiserator-dev.yaml
new file mode 100644
index 0000000..6fa5ac1
--- /dev/null
+++ b/.nais/naiserator-dev.yaml
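Review bot: `on: push` in main.yaml has no branch filter, so the `build-and-deploy` job, which holds `id-token: write` and inherited secrets, starts for a push to any branch. Whether kotlin-build-deploy.yml limits its deploy steps to the default branch is not visible from this repository. If it does, a comment above the trigger saying so would help, for instance `# deploy jobs in kotlin-build-deploy.yml only run for refs/heads/main`. If it does not, I would separate build from deploy and give the deploying workflow `branches: [main]` under `push:`.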
@@ -0,0 +1,76 @@
+apiVersion: "nais.io/v1alpha1"
+kind: "Application"
+metadata:
+ name: ismanglendemedvirkning
+ namespace: teamsykefravr
+ labels:
+ team: teamsykefravr
+spec:
+ image: {{ image }}
+ port: 8080
+ replicas:
+ min: 2
+ max: 4
+ cpuThresholdPercentage: 70
+ startup:
+ path: /internal/is_ready
+ periodSeconds: 5
+ timeout: 5
+ failureThreshold: 30
+ liveness:
+ path: /internal/is_alive
+ periodSeconds: 5
+ timeout: 5
+ failureThreshold: 3
+ readiness:
+ path: /internal/is_ready
+ periodSeconds: 5
+ timeout: 5
+ failureThreshold: 3
+ leaderElection: true
+ prometheus:
+ enabled: true
+ path: /internal/metrics
+ resources:
+ limits:
+ memory: 512Mi
+ requests:
+ cpu: 100m
+ memory: 384Mi
+ accessPolicy:
+ inbound:
+ rules:
+ - application: syfomodiaperson
+ outbound:
+ external:
+ - host: "login.microsoftonline.com"
+ - host: "pdl-api.dev-fss-pub.nais.io"
+ - host: "dokarkiv.dev-fss-pub.nais.io"
+ rules:
+ - application: istilgangskontroll
+ gcp:
+ sqlInstances:
+ - type: POSTGRES_15
+ databases:
+ - name: ismanglendemedvirkning-db
+ diskAutoresize: true
+ azure:
+ application:
+ allowAllUsers: true
+ enabled: true
+ claims:
+ extra:
+ - "NAVident"
+ kafka:
+ pool: nav-dev
+ observability:
+ autoInstrumentation:
+ enabled: true
+ runtime: java
+ env:
+ - name: KTOR_ENV
+ value: "production"
+ - name: ISTILGANGSKONTROLL_CLIENT_ID
+ value: "dev-gcp.teamsykefravr.istilgangskontroll"
+ - name: ISTILGANGSKONTROLL_URL
+ value: "http://istilgangskontroll"
diff --git a/.nais/naiserator-prod.yaml b/.nais/naiserator-prod.yaml
new file mode 100644
index 0000000..9201b69
--- /dev/null
+++ b/.nais/naiserator-prod.yaml
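Review bot: `azure.application.allowAllUsers: true` lets any user in the tenant obtain a token for this application, so access to the data behind it presumably rests entirely on the per-request check against istilgangskontroll; naiserator-prod.yaml sets the same value. If only veileder groups are meant to call the API, consider `allowAllUsers: false` with the allowed groups listed under `claims.groups`, or add a comment next to the setting stating that authorization is delegated to istilgangskontroll. Separately, `outbound.external` opens pdl-api and dokarkiv and a `kafka.pool` is requested, while the `env` block in this manifest only configures istilgangskontroll. Leaving those out until the clients exist keeps the network policy matched to what the app actually calls.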
@@ -0,0 +1,76 @@
+apiVersion: "nais.io/v1alpha1"
+kind: "Application"
+metadata:
+ name: ismanglendemedvirkning
+ namespace: teamsykefravr
+ labels:
+ team: teamsykefravr
+spec:
+ image: {{ image }}
+ port: 8080
+ replicas:
+ min: 2
+ max: 4
+ cpuThresholdPercentage: 70
+ startup:
+ path: /internal/is_ready
+ periodSeconds: 5
+ timeout: 5
+ failureThreshold: 30
+ liveness:
+ path: /internal/is_alive
+ periodSeconds: 5
+ timeout: 5
+ failureThreshold: 3
+ readiness:
+ path: /internal/is_ready
+ periodSeconds: 5
+ timeout: 5
+ failureThreshold: 3
+ leaderElection: true
+ prometheus:
+ enabled: true
+ path: /internal/metrics
+ resources:
+ limits:
+ memory: 512Mi
+ requests:
+ cpu: 100m
+ memory: 384Mi
+ accessPolicy:
+ inbound:
+ rules:
+ - application: syfomodiaperson
+ outbound:
+ external:
+ - host: "login.microsoftonline.com"
+ - host: "pdl-api.prod-fss-pub.nais.io"
+ - host: "dokarkiv.prod-fss-pub.nais.io"
+ rules:
+ - application: istilgangskontroll
+ gcp:
+ sqlInstances:
+ - type: POSTGRES_15
+ databases:
+ - name: ismanglendemedvirkning-db
+ diskAutoresize: true
+ azure:
+ application:
+ allowAllUsers: true
+ enabled: true
+ claims:
+ extra:
+ - "NAVident"
+ kafka:
+ pool: nav-prod
+ observability:
+ autoInstrumentation:
+ enabled: true
+ runtime: java
+ env:
+ - name: KTOR_ENV
+ value: "production"
+ - name: ISTILGANGSKONTROLL_CLIENT_ID
+ value: "prod-gcp.teamsykefravr.istilgangskontroll"
+ - name: ISTILGANGSKONTROLL_URL
+ value: "http://istilgangskontroll"
diff --git a/CODEOWNERS b/CODEOWNERS
new file mode 100644
index 0000000..2d8e723
--- /dev/null
+++ b/CODEOWNERS
@@ -0,0 +1,2 @@
+* @navikt/digisyfo
+* @navikt/teamsykefravr
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..5ed4948
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,8 @@
+FROM gcr.io/distroless/java21
+WORKDIR /app
+COPY build/libs/app.jar app.jar
+ENV JDK_JAVA_OPTIONS="-XX:MaxRAMPercentage=75 -Dlogback.configurationFile=logback.xml"
+ENV TZ="Europe/Oslo"
+EXPOSE 8080
+USER nonroot
+CMD [ "app.jar" ]
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..79b2a99
--- /dev/null
+++ b/README.md
@@ -0,0 +1,48 @@
+![Build status](https://github.com/navikt/ismanglendemedvirkning/workflows/main/badge.svg?branch=main)
+
+# ismanglendemedvirkning
+
+Applikasjon for å lagre vurderinger i henhold til §8-8 i folketrygdloven rundt manglende medvirkning til oppfølging fra NAV.
+
+## Technologies used
+
+* Docker
+* Gradle
+* Kafka
+* Kotlin
+* Ktor
+* Postgres
+
+##### Test Libraries:
+
+* Kluent
+* Mockk
+* Spek
+
+#### Requirements
+
+* JDK 21
+
+### Build
+
+Run `./gradlew clean shadowJar`
+
+### Lint (Ktlint)
+
+##### Command line
+
+Run checking: `./gradlew --continue ktlintCheck`
+
+Run formatting: `./gradlew ktlintFormat`
+
+##### Git Hooks
+
+Apply checking: `./gradlew addKtlintCheckGitPreCommitHook`
+
+Apply formatting: `./gradlew addKtlintFormatGitPreCommitHook`
+
+## Contact
+
+### For NAV employees
+
+We are available at the Slack channel `#isyfo`.
\ No newline at end of file
diff --git a/build.gradle.kts b/build.gradle.kts
new file mode 100644
index 0000000..9f72954
--- /dev/null
+++ b/build.gradle.kts
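Review bot: `FROM gcr.io/distroless/java21` in the Dockerfile carries neither a tag nor a digest, so every build takes whatever the registry serves as `latest` at that moment and two builds of the same commit can ship different base layers. Pinning by digest, `FROM gcr.io/distroless/java21@sha256:<digest-placeholder>`, makes the image reproducible and turns a base-image change into a reviewable diff. dependabot.yaml in this commit lists only `github-actions` and `gradle`; adding a `package-ecosystem: docker` entry would raise a pull request when the base image is updated, so the pin does not go stale.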
@@ -0,0 +1,99 @@
+import com.github.jengelman.gradle.plugins.shadow.tasks.ShadowJar
+
+group = "no.nav.syfo"
+version = "0.0.1"
+
+val flywayVersion = "10.15.2"
+val hikariVersion = "5.1.0"
+val postgresVersion = "42.7.3"
+val postgresEmbeddedVersion = "2.0.7"
+val logbackVersion = "1.5.6"
+val logstashEncoderVersion = "7.4"
+val micrometerRegistryVersion = "1.12.2"
+val jacksonDatatypeVersion = "2.17.2"
+val ktorVersion = "2.3.12"
+val spekVersion = "2.0.19"
+val mockkVersion = "1.13.11"
+val nimbusJoseJwtVersion = "9.40"
+val kluentVersion = "1.73"
+
+plugins {
+ kotlin("jvm") version "2.0.0"
+ id("com.github.johnrengelman.shadow") version "8.1.1"
+ id("org.jlleitschuh.gradle.ktlint") version "11.6.1"
+}
+
+repositories {
+ mavenCentral()
+ maven(url = "https://packages.confluent.io/maven/")
+}
+
+dependencies {
+ implementation(kotlin("stdlib"))
+ implementation(kotlin("reflect"))
+
+ implementation("io.ktor:ktor-client-apache:$ktorVersion")
+ implementation("io.ktor:ktor-client-content-negotiation:$ktorVersion")
+ implementation("io.ktor:ktor-serialization-jackson:$ktorVersion")
+ implementation("io.ktor:ktor-server-auth-jwt:$ktorVersion")
+ implementation("io.ktor:ktor-server-call-id:$ktorVersion")
+ implementation("io.ktor:ktor-server-content-negotiation:$ktorVersion")
+ implementation("io.ktor:ktor-server-netty:$ktorVersion")
+ implementation("io.ktor:ktor-server-status-pages:$ktorVersion")
+
+ // Logging
+ implementation("ch.qos.logback:logback-classic:$logbackVersion")
+ implementation("net.logstash.logback:logstash-logback-encoder:$logstashEncoderVersion")
+
+ // Metrics and Prometheus
+ implementation("io.ktor:ktor-server-metrics-micrometer:$ktorVersion")
+ implementation("io.micrometer:micrometer-registry-prometheus:$micrometerRegistryVersion")
+
+ // Database
+ implementation("org.postgresql:postgresql:$postgresVersion")
+ implementation("com.zaxxer:HikariCP:$hikariVersion")
+ implementation("org.flywaydb:flyway-database-postgresql:$flywayVersion")
+ testImplementation("io.zonky.test:embedded-postgres:$postgresEmbeddedVersion")
+
+ // (De-)serialization
+ implementation("com.fasterxml.jackson.datatype:jackson-datatype-jsr310:$jacksonDatatypeVersion")
+
+ // Tests
+ testImplementation("io.ktor:ktor-server-tests:$ktorVersion")
+ testImplementation("io.mockk:mockk:$mockkVersion")
+ testImplementation("io.ktor:ktor-client-mock:$ktorVersion")
+ testImplementation("com.nimbusds:nimbus-jose-jwt:$nimbusJoseJwtVersion")
+ testImplementation("org.amshove.kluent:kluent:$kluentVersion")
+ testImplementation("org.spekframework.spek2:spek-dsl-jvm:$spekVersion")
+ testRuntimeOnly("org.spekframework.spek2:spek-runner-junit5:$spekVersion")
+}
+
+kotlin {
+ jvmToolchain(21)
+}
+
+tasks {
+ withType {
+ manifest.attributes["Main-Class"] = "no.nav.syfo.AppKt"
+ }
+
+ create("printVersion") {
+ doLast {
+ println(project.version)
+ }
+ }
+
+ withType {
+ mergeServiceFiles()
+ archiveBaseName.set("app")
+ archiveClassifier.set("")
+ archiveVersion.set("")
+ }
+
+ withType {
+ useJUnitPlatform {
+ includeEngines("spek2")
+ }
+ testLogging.showStandardStreams = true
+ }
+}
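Review bot: The `repositories` block adds `maven(url = "https://packages.confluent.io/maven/")`, but none of the dependencies declared in this file uses a Confluent or Kafka coordinate, so the build trusts a second artifact source it does not need yet. Any module that `mavenCentral()` does not serve would be looked up there. I would drop the line until a Confluent artifact is actually added, or scope the repository to the groups it is meant to provide: `maven(url = "https://packages.confluent.io/maven/") { content { includeGroup("io.confluent") } }`.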
diff --git a/gradle/wrapper/gradle-wrapper.jar b/gradle/wrapper/gradle-wrapper.jar new file mode 100644 index 0000000000000000000000000000000000000000..d64cd4917707c1f8861d8cb53dd15194d4248596 GIT binary patch literal 43462 zcma&NWl&^owk(X(xVyW%ySuwf;qI=D6|RlDJ2cR^yEKh!@I- zp9QeisK*rlxC>+~7Dk4IxIRsKBHqdR9b3+fyL=ynHmIDe&|>O*VlvO+%z5;9Z$|DJ zb4dO}-R=MKr^6EKJiOrJdLnCJn>np?~vU-1sSFgPu;pthGwf}bG z(1db%xwr#x)r+`4AGu$j7~u2MpVs3VpLp|mx&;>`0p0vH6kF+D2CY0fVdQOZ@h;A` z{infNyvmFUiu*XG}RNMNwXrbec_*a3N=2zJ|Wh5z* z5rAX$JJR{#zP>KY**>xHTuw?|-Rg|o24V)74HcfVT;WtQHXlE+_4iPE8QE#DUm%x0 zEKr75ur~W%w#-My3Tj`hH6EuEW+8K-^5P62$7Sc5OK+22qj&Pd1;)1#4tKihi=~8C zHiQSst0cpri6%OeaR`PY>HH_;CPaRNty%WTm4{wDK8V6gCZlG@U3$~JQZ;HPvDJcT1V{ z?>H@13MJcCNe#5z+MecYNi@VT5|&UiN1D4ATT+%M+h4c$t;C#UAs3O_q=GxK0}8%8 z8J(_M9bayxN}69ex4dzM_P3oh@ZGREjVvn%%r7=xjkqxJP4kj}5tlf;QosR=%4L5y zWhgejO=vao5oX%mOHbhJ8V+SG&K5dABn6!WiKl{|oPkq(9z8l&Mm%(=qGcFzI=eLu zWc_oCLyf;hVlB@dnwY98?75B20=n$>u3b|NB28H0u-6Rpl((%KWEBOfElVWJx+5yg z#SGqwza7f}$z;n~g%4HDU{;V{gXIhft*q2=4zSezGK~nBgu9-Q*rZ#2f=Q}i2|qOp z!!y4p)4o=LVUNhlkp#JL{tfkhXNbB=Ox>M=n6soptJw-IDI|_$is2w}(XY>a=H52d z3zE$tjPUhWWS+5h=KVH&uqQS=$v3nRs&p$%11b%5qtF}S2#Pc`IiyBIF4%A!;AVoI zXU8-Rpv!DQNcF~(qQnyyMy=-AN~U>#&X1j5BLDP{?K!%h!;hfJI>$mdLSvktEr*89 zdJHvby^$xEX0^l9g$xW-d?J;L0#(`UT~zpL&*cEh$L|HPAu=P8`OQZV!-}l`noSp_ zQ-1$q$R-gDL)?6YaM!=8H=QGW$NT2SeZlb8PKJdc=F-cT@j7Xags+Pr*jPtlHFnf- zh?q<6;)27IdPc^Wdy-mX%2s84C1xZq9Xms+==F4);O`VUASmu3(RlgE#0+#giLh-& zcxm3_e}n4{%|X zJp{G_j+%`j_q5}k{eW&TlP}J2wtZ2^<^E(O)4OQX8FDp6RJq!F{(6eHWSD3=f~(h} zJXCf7=r<16X{pHkm%yzYI_=VDP&9bmI1*)YXZeB}F? 
z(%QsB5fo*FUZxK$oX~X^69;x~j7ms8xlzpt-T15e9}$4T-pC z6PFg@;B-j|Ywajpe4~bk#S6(fO^|mm1hKOPfA%8-_iGCfICE|=P_~e;Wz6my&)h_~ zkv&_xSAw7AZ%ThYF(4jADW4vg=oEdJGVOs>FqamoL3Np8>?!W#!R-0%2Bg4h?kz5I zKV-rKN2n(vUL%D<4oj@|`eJ>0i#TmYBtYmfla;c!ATW%;xGQ0*TW@PTlGG><@dxUI zg>+3SiGdZ%?5N=8uoLA|$4isK$aJ%i{hECP$bK{J#0W2gQ3YEa zZQ50Stn6hqdfxJ*9#NuSLwKFCUGk@c=(igyVL;;2^wi4o30YXSIb2g_ud$ zgpCr@H0qWtk2hK8Q|&wx)}4+hTYlf;$a4#oUM=V@Cw#!$(nOFFpZ;0lc!qd=c$S}Z zGGI-0jg~S~cgVT=4Vo)b)|4phjStD49*EqC)IPwyeKBLcN;Wu@Aeph;emROAwJ-0< z_#>wVm$)ygH|qyxZaet&(Vf%pVdnvKWJn9`%DAxj3ot;v>S$I}jJ$FLBF*~iZ!ZXE zkvui&p}fI0Y=IDX)mm0@tAd|fEHl~J&K}ZX(Mm3cm1UAuwJ42+AO5@HwYfDH7ipIc zmI;1J;J@+aCNG1M`Btf>YT>~c&3j~Qi@Py5JT6;zjx$cvOQW@3oQ>|}GH?TW-E z1R;q^QFjm5W~7f}c3Ww|awg1BAJ^slEV~Pk`Kd`PS$7;SqJZNj->it4DW2l15}xP6 zoCl$kyEF%yJni0(L!Z&14m!1urXh6Btj_5JYt1{#+H8w?5QI%% zo-$KYWNMJVH?Hh@1n7OSu~QhSswL8x0=$<8QG_zepi_`y_79=nK=_ZP_`Em2UI*tyQoB+r{1QYZCpb?2OrgUw#oRH$?^Tj!Req>XiE#~B|~ z+%HB;=ic+R@px4Ld8mwpY;W^A%8%l8$@B@1m5n`TlKI6bz2mp*^^^1mK$COW$HOfp zUGTz-cN9?BGEp}5A!mDFjaiWa2_J2Iq8qj0mXzk; z66JBKRP{p%wN7XobR0YjhAuW9T1Gw3FDvR5dWJ8ElNYF94eF3ebu+QwKjtvVu4L zI9ip#mQ@4uqVdkl-TUQMb^XBJVLW(-$s;Nq;@5gr4`UfLgF$adIhd?rHOa%D);whv z=;krPp~@I+-Z|r#s3yCH+c1US?dnm+C*)r{m+86sTJusLdNu^sqLrfWed^ndHXH`m zd3#cOe3>w-ga(Dus_^ppG9AC>Iq{y%%CK+Cro_sqLCs{VLuK=dev>OL1dis4(PQ5R zcz)>DjEkfV+MO;~>VUlYF00SgfUo~@(&9$Iy2|G0T9BSP?&T22>K46D zL*~j#yJ?)^*%J3!16f)@Y2Z^kS*BzwfAQ7K96rFRIh>#$*$_Io;z>ux@}G98!fWR@ zGTFxv4r~v)Gsd|pF91*-eaZ3Qw1MH$K^7JhWIdX%o$2kCbvGDXy)a?@8T&1dY4`;L z4Kn+f%SSFWE_rpEpL9bnlmYq`D!6F%di<&Hh=+!VI~j)2mfil03T#jJ_s?}VV0_hp z7T9bWxc>Jm2Z0WMU?`Z$xE74Gu~%s{mW!d4uvKCx@WD+gPUQ zV0vQS(Ig++z=EHN)BR44*EDSWIyT~R4$FcF*VEY*8@l=218Q05D2$|fXKFhRgBIEE zdDFB}1dKkoO^7}{5crKX!p?dZWNz$m>1icsXG2N+((x0OIST9Zo^DW_tytvlwXGpn zs8?pJXjEG;T@qrZi%#h93?FP$!&P4JA(&H61tqQi=opRzNpm zkrG}$^t9&XduK*Qa1?355wd8G2CI6QEh@Ua>AsD;7oRUNLPb76m4HG3K?)wF~IyS3`fXuNM>${?wmB zpVz;?6_(Fiadfd{vUCBM*_kt$+F3J+IojI;9L(gc9n3{sEZyzR9o!_mOwFC#tQ{Q~ 
zP3-`#uK#tP3Q7~Q;4H|wjZHO8h7e4IuBxl&vz2w~D8)w=Wtg31zpZhz%+kzSzL*dV zwp@{WU4i;hJ7c2f1O;7Mz6qRKeASoIv0_bV=i@NMG*l<#+;INk-^`5w@}Dj~;k=|}qM1vq_P z|GpBGe_IKq|LNy9SJhKOQ$c=5L{Dv|Q_lZl=-ky*BFBJLW9&y_C|!vyM~rQx=!vun z?rZJQB5t}Dctmui5i31C_;_}CEn}_W%>oSXtt>@kE1=JW*4*v4tPp;O6 zmAk{)m!)}34pTWg8{i>($%NQ(Tl;QC@J@FfBoc%Gr&m560^kgSfodAFrIjF}aIw)X zoXZ`@IsMkc8_=w%-7`D6Y4e*CG8k%Ud=GXhsTR50jUnm+R*0A(O3UKFg0`K;qp1bl z7``HN=?39ic_kR|^R^~w-*pa?Vj#7|e9F1iRx{GN2?wK!xR1GW!qa=~pjJb-#u1K8 zeR?Y2i-pt}yJq;SCiVHODIvQJX|ZJaT8nO+(?HXbLefulKKgM^B(UIO1r+S=7;kLJ zcH}1J=Px2jsh3Tec&v8Jcbng8;V-`#*UHt?hB(pmOipKwf3Lz8rG$heEB30Sg*2rx zV<|KN86$soN(I!BwO`1n^^uF2*x&vJ$2d$>+`(romzHP|)K_KkO6Hc>_dwMW-M(#S zK(~SiXT1@fvc#U+?|?PniDRm01)f^#55;nhM|wi?oG>yBsa?~?^xTU|fX-R(sTA+5 zaq}-8Tx7zrOy#3*JLIIVsBmHYLdD}!0NP!+ITW+Thn0)8SS!$@)HXwB3tY!fMxc#1 zMp3H?q3eD?u&Njx4;KQ5G>32+GRp1Ee5qMO0lZjaRRu&{W<&~DoJNGkcYF<5(Ab+J zgO>VhBl{okDPn78<%&e2mR{jwVCz5Og;*Z;;3%VvoGo_;HaGLWYF7q#jDX=Z#Ml`H z858YVV$%J|e<1n`%6Vsvq7GmnAV0wW4$5qQ3uR@1i>tW{xrl|ExywIc?fNgYlA?C5 zh$ezAFb5{rQu6i7BSS5*J-|9DQ{6^BVQ{b*lq`xS@RyrsJN?-t=MTMPY;WYeKBCNg z^2|pN!Q^WPJuuO4!|P@jzt&tY1Y8d%FNK5xK(!@`jO2aEA*4 zkO6b|UVBipci?){-Ke=+1;mGlND8)6+P;8sq}UXw2hn;fc7nM>g}GSMWu&v&fqh

iViYT=fZ(|3Ox^$aWPp4a8h24tD<|8-!aK0lHgL$N7Efw}J zVIB!7=T$U`ao1?upi5V4Et*-lTG0XvExbf!ya{cua==$WJyVG(CmA6Of*8E@DSE%L z`V^$qz&RU$7G5mg;8;=#`@rRG`-uS18$0WPN@!v2d{H2sOqP|!(cQ@ zUHo!d>>yFArLPf1q`uBvY32miqShLT1B@gDL4XoVTK&@owOoD)OIHXrYK-a1d$B{v zF^}8D3Y^g%^cnvScOSJR5QNH+BI%d|;J;wWM3~l>${fb8DNPg)wrf|GBP8p%LNGN# z3EaIiItgwtGgT&iYCFy9-LG}bMI|4LdmmJt@V@% zb6B)1kc=T)(|L@0;wr<>=?r04N;E&ef+7C^`wPWtyQe(*pD1pI_&XHy|0gIGHMekd zF_*M4yi6J&Z4LQj65)S zXwdM{SwUo%3SbPwFsHgqF@V|6afT|R6?&S;lw=8% z3}@9B=#JI3@B*#4s!O))~z zc>2_4Q_#&+5V`GFd?88^;c1i7;Vv_I*qt!_Yx*n=;rj!82rrR2rQ8u5(Ejlo{15P% zs~!{%XJ>FmJ})H^I9bn^Re&38H{xA!0l3^89k(oU;bZWXM@kn$#aoS&Y4l^-WEn-fH39Jb9lA%s*WsKJQl?n9B7_~P z-XM&WL7Z!PcoF6_D>V@$CvUIEy=+Z&0kt{szMk=f1|M+r*a43^$$B^MidrT0J;RI` z(?f!O<8UZkm$_Ny$Hth1J#^4ni+im8M9mr&k|3cIgwvjAgjH z8`N&h25xV#v*d$qBX5jkI|xOhQn!>IYZK7l5#^P4M&twe9&Ey@@GxYMxBZq2e7?`q z$~Szs0!g{2fGcp9PZEt|rdQ6bhAgpcLHPz?f-vB?$dc*!9OL?Q8mn7->bFD2Si60* z!O%y)fCdMSV|lkF9w%x~J*A&srMyYY3{=&$}H zGQ4VG_?$2X(0|vT0{=;W$~icCI{b6W{B!Q8xdGhF|D{25G_5_+%s(46lhvNLkik~R z>nr(&C#5wwOzJZQo9m|U<;&Wk!_#q|V>fsmj1g<6%hB{jGoNUPjgJslld>xmODzGjYc?7JSuA?A_QzjDw5AsRgi@Y|Z0{F{!1=!NES-#*f^s4l0Hu zz468))2IY5dmD9pa*(yT5{EyP^G>@ZWumealS-*WeRcZ}B%gxq{MiJ|RyX-^C1V=0 z@iKdrGi1jTe8Ya^x7yyH$kBNvM4R~`fbPq$BzHum-3Zo8C6=KW@||>zsA8-Y9uV5V z#oq-f5L5}V<&wF4@X@<3^C%ptp6+Ce)~hGl`kwj)bsAjmo_GU^r940Z-|`<)oGnh7 zFF0Tde3>ui?8Yj{sF-Z@)yQd~CGZ*w-6p2U<8}JO-sRsVI5dBji`01W8A&3$?}lxBaC&vn0E$c5tW* zX>5(zzZ=qn&!J~KdsPl;P@bmA-Pr8T*)eh_+Dv5=Ma|XSle6t(k8qcgNyar{*ReQ8 zTXwi=8vr>!3Ywr+BhggHDw8ke==NTQVMCK`$69fhzEFB*4+H9LIvdt-#IbhZvpS}} zO3lz;P?zr0*0$%-Rq_y^k(?I{Mk}h@w}cZpMUp|ucs55bcloL2)($u%mXQw({Wzc~ z;6nu5MkjP)0C(@%6Q_I_vsWrfhl7Zpoxw#WoE~r&GOSCz;_ro6i(^hM>I$8y>`!wW z*U^@?B!MMmb89I}2(hcE4zN2G^kwyWCZp5JG>$Ez7zP~D=J^LMjSM)27_0B_X^C(M z`fFT+%DcKlu?^)FCK>QzSnV%IsXVcUFhFdBP!6~se&xxrIxsvySAWu++IrH;FbcY$ z2DWTvSBRfLwdhr0nMx+URA$j3i7_*6BWv#DXfym?ZRDcX9C?cY9sD3q)uBDR3uWg= z(lUIzB)G$Hr!){>E{s4Dew+tb9kvToZp-1&c?y2wn@Z~(VBhqz`cB;{E4(P3N2*nJ 
z_>~g@;UF2iG{Kt(<1PyePTKahF8<)pozZ*xH~U-kfoAayCwJViIrnqwqO}7{0pHw$ zs2Kx?s#vQr7XZ264>5RNKSL8|Ty^=PsIx^}QqOOcfpGUU4tRkUc|kc7-!Ae6!+B{o~7nFpm3|G5^=0#Bnm6`V}oSQlrX(u%OWnC zoLPy&Q;1Jui&7ST0~#+}I^&?vcE*t47~Xq#YwvA^6^} z`WkC)$AkNub|t@S!$8CBlwbV~?yp&@9h{D|3z-vJXgzRC5^nYm+PyPcgRzAnEi6Q^gslXYRv4nycsy-SJu?lMps-? zV`U*#WnFsdPLL)Q$AmD|0`UaC4ND07+&UmOu!eHruzV|OUox<+Jl|Mr@6~C`T@P%s zW7sgXLF2SSe9Fl^O(I*{9wsFSYb2l%-;&Pi^dpv!{)C3d0AlNY6!4fgmSgj_wQ*7Am7&$z;Jg&wgR-Ih;lUvWS|KTSg!&s_E9_bXBkZvGiC6bFKDWZxsD$*NZ#_8bl zG1P-#@?OQzED7@jlMJTH@V!6k;W>auvft)}g zhoV{7$q=*;=l{O>Q4a@ ziMjf_u*o^PsO)#BjC%0^h>Xp@;5$p{JSYDt)zbb}s{Kbt!T*I@Pk@X0zds6wsefuU zW$XY%yyRGC94=6mf?x+bbA5CDQ2AgW1T-jVAJbm7K(gp+;v6E0WI#kuACgV$r}6L? zd|Tj?^%^*N&b>Dd{Wr$FS2qI#Ucs1yd4N+RBUQiSZGujH`#I)mG&VKoDh=KKFl4=G z&MagXl6*<)$6P}*Tiebpz5L=oMaPrN+caUXRJ`D?=K9!e0f{@D&cZLKN?iNP@X0aF zE(^pl+;*T5qt?1jRC=5PMgV!XNITRLS_=9{CJExaQj;lt!&pdzpK?8p>%Mb+D z?yO*uSung=-`QQ@yX@Hyd4@CI^r{2oiu`%^bNkz+Nkk!IunjwNC|WcqvX~k=><-I3 zDQdbdb|!v+Iz01$w@aMl!R)koD77Xp;eZwzSl-AT zr@Vu{=xvgfq9akRrrM)}=!=xcs+U1JO}{t(avgz`6RqiiX<|hGG1pmop8k6Q+G_mv zJv|RfDheUp2L3=^C=4aCBMBn0aRCU(DQwX-W(RkRwmLeuJYF<0urcaf(=7)JPg<3P zQs!~G)9CT18o!J4{zX{_e}4eS)U-E)0FAt}wEI(c0%HkxgggW;(1E=>J17_hsH^sP z%lT0LGgbUXHx-K*CI-MCrP66UP0PvGqM$MkeLyqHdbgP|_Cm!7te~b8p+e6sQ_3k| zVcwTh6d83ltdnR>D^)BYQpDKlLk3g0Hdcgz2}%qUs9~~Rie)A-BV1mS&naYai#xcZ z(d{8=-LVpTp}2*y)|gR~;qc7fp26}lPcLZ#=JpYcn3AT9(UIdOyg+d(P5T7D&*P}# zQCYplZO5|7+r19%9e`v^vfSS1sbX1c%=w1;oyruXB%Kl$ACgKQ6=qNWLsc=28xJjg zwvsI5-%SGU|3p>&zXVl^vVtQT3o-#$UT9LI@Npz~6=4!>mc431VRNN8od&Ul^+G_kHC`G=6WVWM z%9eWNyy(FTO|A+@x}Ou3CH)oi;t#7rAxdIXfNFwOj_@Y&TGz6P_sqiB`Q6Lxy|Q{`|fgmRG(k+!#b*M+Z9zFce)f-7;?Km5O=LHV9f9_87; zF7%R2B+$?@sH&&-$@tzaPYkw0;=i|;vWdI|Wl3q_Zu>l;XdIw2FjV=;Mq5t1Q0|f< zs08j54Bp`3RzqE=2enlkZxmX6OF+@|2<)A^RNQpBd6o@OXl+i)zO%D4iGiQNuXd+zIR{_lb96{lc~bxsBveIw6umhShTX+3@ZJ=YHh@ zWY3(d0azg;7oHn>H<>?4@*RQbi>SmM=JrHvIG(~BrvI)#W(EAeO6fS+}mxxcc+X~W6&YVl86W9WFSS}Vz-f9vS?XUDBk)3TcF z8V?$4Q)`uKFq>xT=)Y9mMFVTUk*NIA!0$?RP6Ig0TBmUFrq*Q-Agq~DzxjStQyJ({ 
zBeZ;o5qUUKg=4Hypm|}>>L=XKsZ!F$yNTDO)jt4H0gdQ5$f|d&bnVCMMXhNh)~mN z@_UV6D7MVlsWz+zM+inZZp&P4fj=tm6fX)SG5H>OsQf_I8c~uGCig$GzuwViK54bcgL;VN|FnyQl>Ed7(@>=8$a_UKIz|V6CeVSd2(P z0Uu>A8A+muM%HLFJQ9UZ5c)BSAv_zH#1f02x?h9C}@pN@6{>UiAp>({Fn(T9Q8B z^`zB;kJ5b`>%dLm+Ol}ty!3;8f1XDSVX0AUe5P#@I+FQ-`$(a;zNgz)4x5hz$Hfbg z!Q(z26wHLXko(1`;(BAOg_wShpX0ixfWq3ponndY+u%1gyX)_h=v1zR#V}#q{au6; z!3K=7fQwnRfg6FXtNQmP>`<;!N137paFS%y?;lb1@BEdbvQHYC{976l`cLqn;b8lp zIDY>~m{gDj(wfnK!lpW6pli)HyLEiUrNc%eXTil|F2s(AY+LW5hkKb>TQ3|Q4S9rr zpDs4uK_co6XPsn_z$LeS{K4jFF`2>U`tbgKdyDne`xmR<@6AA+_hPNKCOR-Zqv;xk zu5!HsBUb^!4uJ7v0RuH-7?l?}b=w5lzzXJ~gZcxRKOovSk@|#V+MuX%Y+=;14i*%{)_gSW9(#4%)AV#3__kac1|qUy!uyP{>?U#5wYNq}y$S9pCc zFc~4mgSC*G~j0u#qqp9 z${>3HV~@->GqEhr_Xwoxq?Hjn#=s2;i~g^&Hn|aDKpA>Oc%HlW(KA1?BXqpxB;Ydx)w;2z^MpjJ(Qi(X!$5RC z*P{~%JGDQqojV>2JbEeCE*OEu!$XJ>bWA9Oa_Hd;y)F%MhBRi*LPcdqR8X`NQ&1L# z5#9L*@qxrx8n}LfeB^J{%-?SU{FCwiWyHp682F+|pa+CQa3ZLzBqN1{)h4d6+vBbV zC#NEbQLC;}me3eeYnOG*nXOJZEU$xLZ1<1Y=7r0(-U0P6-AqwMAM`a(Ed#7vJkn6plb4eI4?2y3yOTGmmDQ!z9`wzbf z_OY#0@5=bnep;MV0X_;;SJJWEf^E6Bd^tVJ9znWx&Ks8t*B>AM@?;D4oWUGc z!H*`6d7Cxo6VuyS4Eye&L1ZRhrRmN6Lr`{NL(wDbif|y&z)JN>Fl5#Wi&mMIr5i;x zBx}3YfF>>8EC(fYnmpu~)CYHuHCyr5*`ECap%t@y=jD>!_%3iiE|LN$mK9>- zHdtpy8fGZtkZF?%TW~29JIAfi2jZT8>OA7=h;8T{{k?c2`nCEx9$r zS+*&vt~2o^^J+}RDG@+9&M^K*z4p{5#IEVbz`1%`m5c2};aGt=V?~vIM}ZdPECDI)47|CWBCfDWUbxBCnmYivQ*0Nu_xb*C>~C9(VjHM zxe<*D<#dQ8TlpMX2c@M<9$w!RP$hpG4cs%AI){jp*Sj|*`m)5(Bw*A0$*i-(CA5#%>a)$+jI2C9r6|(>J8InryENI z$NohnxDUB;wAYDwrb*!N3noBTKPpPN}~09SEL18tkG zxgz(RYU_;DPT{l?Q$+eaZaxnsWCA^ds^0PVRkIM%bOd|G2IEBBiz{&^JtNsODs;5z zICt_Zj8wo^KT$7Bg4H+y!Df#3mbl%%?|EXe!&(Vmac1DJ*y~3+kRKAD=Ovde4^^%~ zw<9av18HLyrf*_>Slp;^i`Uy~`mvBjZ|?Ad63yQa#YK`4+c6;pW4?XIY9G1(Xh9WO8{F-Aju+nS9Vmv=$Ac0ienZ+p9*O%NG zMZKy5?%Z6TAJTE?o5vEr0r>f>hb#2w2U3DL64*au_@P!J!TL`oH2r*{>ffu6|A7tv zL4juf$DZ1MW5ZPsG!5)`k8d8c$J$o;%EIL0va9&GzWvkS%ZsGb#S(?{!UFOZ9<$a| zY|a+5kmD5N&{vRqkgY>aHsBT&`rg|&kezoD)gP0fsNYHsO#TRc_$n6Lf1Z{?+DLziXlHrq4sf(!>O{?Tj;Eh@%)+nRE_2VxbN&&%%caU#JDU%vL3}Cb 
zsb4AazPI{>8H&d=jUaZDS$-0^AxE@utGs;-Ez_F(qC9T=UZX=>ok2k2 ziTn{K?y~a5reD2A)P${NoI^>JXn>`IeArow(41c-Wm~)wiryEP(OS{YXWi7;%dG9v zI?mwu1MxD{yp_rrk!j^cKM)dc4@p4Ezyo%lRN|XyD}}>v=Xoib0gOcdXrQ^*61HNj z=NP|pd>@yfvr-=m{8$3A8TQGMTE7g=z!%yt`8`Bk-0MMwW~h^++;qyUP!J~ykh1GO z(FZ59xuFR$(WE;F@UUyE@Sp>`aVNjyj=Ty>_Vo}xf`e7`F;j-IgL5`1~-#70$9_=uBMq!2&1l zomRgpD58@)YYfvLtPW}{C5B35R;ZVvB<<#)x%srmc_S=A7F@DW8>QOEGwD6suhwCg z>Pa+YyULhmw%BA*4yjDp|2{!T98~<6Yfd(wo1mQ!KWwq0eg+6)o1>W~f~kL<-S+P@$wx*zeI|1t7z#Sxr5 zt6w+;YblPQNplq4Z#T$GLX#j6yldXAqj>4gAnnWtBICUnA&-dtnlh=t0Ho_vEKwV` z)DlJi#!@nkYV#$!)@>udAU*hF?V`2$Hf=V&6PP_|r#Iv*J$9)pF@X3`k;5})9^o4y z&)~?EjX5yX12O(BsFy-l6}nYeuKkiq`u9145&3Ssg^y{5G3Pse z9w(YVa0)N-fLaBq1`P!_#>SS(8fh_5!f{UrgZ~uEdeMJIz7DzI5!NHHqQtm~#CPij z?=N|J>nPR6_sL7!f4hD_|KH`vf8(Wpnj-(gPWH+ZvID}%?~68SwhPTC3u1_cB`otq z)U?6qo!ZLi5b>*KnYHWW=3F!p%h1;h{L&(Q&{qY6)_qxNfbP6E3yYpW!EO+IW3?@J z);4>g4gnl^8klu7uA>eGF6rIGSynacogr)KUwE_R4E5Xzi*Qir@b-jy55-JPC8c~( zo!W8y9OGZ&`xmc8;=4-U9=h{vCqfCNzYirONmGbRQlR`WWlgnY+1wCXbMz&NT~9*| z6@FrzP!LX&{no2!Ln_3|I==_4`@}V?4a;YZKTdw;vT<+K+z=uWbW(&bXEaWJ^W8Td z-3&1bY^Z*oM<=M}LVt>_j+p=2Iu7pZmbXrhQ_k)ysE9yXKygFNw$5hwDn(M>H+e1&9BM5!|81vd%r%vEm zqxY3?F@fb6O#5UunwgAHR9jp_W2zZ}NGp2%mTW@(hz7$^+a`A?mb8|_G*GNMJ) zjqegXQio=i@AINre&%ofexAr95aop5C+0MZ0m-l=MeO8m3epm7U%vZB8+I+C*iNFM z#T3l`gknX;D$-`2XT^Cg*vrv=RH+P;_dfF++cP?B_msQI4j+lt&rX2)3GaJx%W*Nn zkML%D{z5tpHH=dksQ*gzc|}gzW;lwAbxoR07VNgS*-c3d&8J|;@3t^ zVUz*J*&r7DFRuFVDCJDK8V9NN5hvpgGjwx+5n)qa;YCKe8TKtdnh{I7NU9BCN!0dq zczrBk8pE{{@vJa9ywR@mq*J=v+PG;?fwqlJVhijG!3VmIKs>9T6r7MJpC)m!Tc#>g zMtVsU>wbwFJEfwZ{vB|ZlttNe83)$iz`~#8UJ^r)lJ@HA&G#}W&ZH*;k{=TavpjWE z7hdyLZPf*X%Gm}i`Y{OGeeu^~nB8=`{r#TUrM-`;1cBvEd#d!kPqIgYySYhN-*1;L z^byj%Yi}Gx)Wnkosi337BKs}+5H5dth1JA{Ir-JKN$7zC)*}hqeoD(WfaUDPT>0`- z(6sa0AoIqASwF`>hP}^|)a_j2s^PQn*qVC{Q}htR z5-)duBFXT_V56-+UohKXlq~^6uf!6sA#ttk1o~*QEy_Y-S$gAvq47J9Vtk$5oA$Ct zYhYJ@8{hsC^98${!#Ho?4y5MCa7iGnfz}b9jE~h%EAAv~Qxu)_rAV;^cygV~5r_~?l=B`zObj7S=H=~$W zPtI_m%g$`kL_fVUk9J@>EiBH 
zOO&jtn~&`hIFMS5S`g8w94R4H40mdNUH4W@@XQk1sr17b{@y|JB*G9z1|CrQjd+GX z6+KyURG3;!*BQrentw{B2R&@2&`2}n(z-2&X7#r!{yg@Soy}cRD~j zj9@UBW+N|4HW4AWapy4wfUI- zZ`gSL6DUlgj*f1hSOGXG0IVH8HxK?o2|3HZ;KW{K+yPAlxtb)NV_2AwJm|E)FRs&& z=c^e7bvUsztY|+f^k7NXs$o1EUq>cR7C0$UKi6IooHWlK_#?IWDkvywnzg&ThWo^? z2O_N{5X39#?eV9l)xI(>@!vSB{DLt*oY!K1R8}_?%+0^C{d9a%N4 zoxHVT1&Lm|uDX%$QrBun5e-F`HJ^T$ zmzv)p@4ZHd_w9!%Hf9UYNvGCw2TTTbrj9pl+T9%-_-}L(tES>Or-}Z4F*{##n3~L~TuxjirGuIY#H7{%$E${?p{Q01 zi6T`n;rbK1yIB9jmQNycD~yZq&mbIsFWHo|ZAChSFPQa<(%d8mGw*V3fh|yFoxOOiWJd(qvVb!Z$b88cg->N=qO*4k~6;R==|9ihg&riu#P~s4Oap9O7f%crSr^rljeIfXDEg>wi)&v*a%7zpz<9w z*r!3q9J|390x`Zk;g$&OeN&ctp)VKRpDSV@kU2Q>jtok($Y-*x8_$2piTxun81@vt z!Vj?COa0fg2RPXMSIo26T=~0d`{oGP*eV+$!0I<(4azk&Vj3SiG=Q!6mX0p$z7I}; z9BJUFgT-K9MQQ-0@Z=^7R<{bn2Fm48endsSs`V7_@%8?Bxkqv>BDoVcj?K#dV#uUP zL1ND~?D-|VGKe3Rw_7-Idpht>H6XRLh*U7epS6byiGvJpr%d}XwfusjH9g;Z98H`x zyde%%5mhGOiL4wljCaWCk-&uE4_OOccb9c!ZaWt4B(wYl!?vyzl%7n~QepN&eFUrw zFIOl9c({``6~QD+43*_tzP{f2x41h(?b43^y6=iwyB)2os5hBE!@YUS5?N_tXd=h( z)WE286Fbd>R4M^P{!G)f;h<3Q>Fipuy+d2q-)!RyTgt;wr$(?9ox3;q+{E*ZQHhOn;lM`cjnu9 zXa48ks-v(~b*;MAI<>YZH(^NV8vjb34beE<_cwKlJoR;k6lJNSP6v}uiyRD?|0w+X@o1ONrH8a$fCxXpf? 
z?$DL0)7|X}Oc%h^zrMKWc-NS9I0Utu@>*j}b@tJ=ixQSJ={4@854wzW@E>VSL+Y{i z#0b=WpbCZS>kUCO_iQz)LoE>P5LIG-hv9E+oG}DtlIDF>$tJ1aw9^LuhLEHt?BCj& z(O4I8v1s#HUi5A>nIS-JK{v!7dJx)^Yg%XjNmlkWAq2*cv#tHgz`Y(bETc6CuO1VkN^L-L3j_x<4NqYb5rzrLC-7uOv z!5e`GZt%B782C5-fGnn*GhDF$%(qP<74Z}3xx+{$4cYKy2ikxI7B2N+2r07DN;|-T->nU&!=Cm#rZt%O_5c&1Z%nlWq3TKAW0w zQqemZw_ue--2uKQsx+niCUou?HjD`xhEjjQd3%rrBi82crq*~#uA4+>vR<_S{~5ce z-2EIl?~s z1=GVL{NxP1N3%=AOaC}j_Fv=ur&THz zyO!d9kHq|c73kpq`$+t+8Bw7MgeR5~`d7ChYyGCBWSteTB>8WAU(NPYt2Dk`@#+}= zI4SvLlyk#pBgVigEe`?NG*vl7V6m+<}%FwPV=~PvvA)=#ths==DRTDEYh4V5}Cf$z@#;< zyWfLY_5sP$gc3LLl2x+Ii)#b2nhNXJ{R~vk`s5U7Nyu^3yFg&D%Txwj6QezMX`V(x z=C`{76*mNb!qHHs)#GgGZ_7|vkt9izl_&PBrsu@}L`X{95-2jf99K)0=*N)VxBX2q z((vkpP2RneSIiIUEnGb?VqbMb=Zia+rF~+iqslydE34cSLJ&BJW^3knX@M;t*b=EA zNvGzv41Ld_T+WT#XjDB840vovUU^FtN_)G}7v)1lPetgpEK9YS^OWFkPoE{ovj^=@ zO9N$S=G$1ecndT_=5ehth2Lmd1II-PuT~C9`XVePw$y8J#dpZ?Tss<6wtVglm(Ok7 z3?^oi@pPio6l&!z8JY(pJvG=*pI?GIOu}e^EB6QYk$#FJQ%^AIK$I4epJ+9t?KjqA+bkj&PQ*|vLttme+`9G=L% ziadyMw_7-M)hS(3E$QGNCu|o23|%O+VN7;Qggp?PB3K-iSeBa2b}V4_wY`G1Jsfz4 z9|SdB^;|I8E8gWqHKx!vj_@SMY^hLEIbSMCuE?WKq=c2mJK z8LoG-pnY!uhqFv&L?yEuxo{dpMTsmCn)95xanqBrNPTgXP((H$9N${Ow~Is-FBg%h z53;|Y5$MUN)9W2HBe2TD`ct^LHI<(xWrw}$qSoei?}s)&w$;&!14w6B6>Yr6Y8b)S z0r71`WmAvJJ`1h&poLftLUS6Ir zC$bG9!Im_4Zjse)#K=oJM9mHW1{%l8sz$1o?ltdKlLTxWWPB>Vk22czVt|1%^wnN@*!l)}?EgtvhC>vlHm^t+ogpgHI1_$1ox9e;>0!+b(tBrmXRB`PY1vp-R**8N7 zGP|QqI$m(Rdu#=(?!(N}G9QhQ%o!aXE=aN{&wtGP8|_qh+7a_j_sU5|J^)vxq;# zjvzLn%_QPHZZIWu1&mRAj;Sa_97p_lLq_{~j!M9N^1yp3U_SxRqK&JnR%6VI#^E12 z>CdOVI^_9aPK2eZ4h&^{pQs}xsijXgFYRIxJ~N7&BB9jUR1fm!(xl)mvy|3e6-B3j zJn#ajL;bFTYJ2+Q)tDjx=3IklO@Q+FFM}6UJr6km7hj7th9n_&JR7fnqC!hTZoM~T zBeaVFp%)0cbPhejX<8pf5HyRUj2>aXnXBqDJe73~J%P(2C?-RT{c3NjE`)om! 
zl$uewSgWkE66$Kb34+QZZvRn`fob~Cl9=cRk@Es}KQm=?E~CE%spXaMO6YmrMl%9Q zlA3Q$3|L1QJ4?->UjT&CBd!~ru{Ih^in&JXO=|<6J!&qp zRe*OZ*cj5bHYlz!!~iEKcuE|;U4vN1rk$xq6>bUWD*u(V@8sG^7>kVuo(QL@Ki;yL zWC!FT(q{E8#on>%1iAS0HMZDJg{Z{^!De(vSIq&;1$+b)oRMwA3nc3mdTSG#3uYO_ z>+x;7p4I;uHz?ZB>dA-BKl+t-3IB!jBRgdvAbW!aJ(Q{aT>+iz?91`C-xbe)IBoND z9_Xth{6?(y3rddwY$GD65IT#f3<(0o#`di{sh2gm{dw*#-Vnc3r=4==&PU^hCv$qd zjw;>i&?L*Wq#TxG$mFIUf>eK+170KG;~+o&1;Tom9}}mKo23KwdEM6UonXgc z!6N(@k8q@HPw{O8O!lAyi{rZv|DpgfU{py+j(X_cwpKqcalcqKIr0kM^%Br3SdeD> zHSKV94Yxw;pjzDHo!Q?8^0bb%L|wC;4U^9I#pd5O&eexX+Im{ z?jKnCcsE|H?{uGMqVie_C~w7GX)kYGWAg%-?8|N_1#W-|4F)3YTDC+QSq1s!DnOML3@d`mG%o2YbYd#jww|jD$gotpa)kntakp#K;+yo-_ZF9qrNZw<%#C zuPE@#3RocLgPyiBZ+R_-FJ_$xP!RzWm|aN)S+{$LY9vvN+IW~Kf3TsEIvP+B9Mtm! zpfNNxObWQpLoaO&cJh5>%slZnHl_Q~(-Tfh!DMz(dTWld@LG1VRF`9`DYKhyNv z2pU|UZ$#_yUx_B_|MxUq^glT}O5Xt(Vm4Mr02><%C)@v;vPb@pT$*yzJ4aPc_FZ3z z3}PLoMBIM>q_9U2rl^sGhk1VUJ89=*?7|v`{!Z{6bqFMq(mYiA?%KbsI~JwuqVA9$H5vDE+VocjX+G^%bieqx->s;XWlKcuv(s%y%D5Xbc9+ zc(_2nYS1&^yL*ey664&4`IoOeDIig}y-E~_GS?m;D!xv5-xwz+G`5l6V+}CpeJDi^ z%4ed$qowm88=iYG+(`ld5Uh&>Dgs4uPHSJ^TngXP_V6fPyl~>2bhi20QB%lSd#yYn zO05?KT1z@?^-bqO8Cg`;ft>ilejsw@2%RR7;`$Vs;FmO(Yr3Fp`pHGr@P2hC%QcA|X&N2Dn zYf`MqXdHi%cGR@%y7Rg7?d3?an){s$zA{!H;Ie5exE#c~@NhQUFG8V=SQh%UxUeiV zd7#UcYqD=lk-}sEwlpu&H^T_V0{#G?lZMxL7ih_&{(g)MWBnCZxtXg znr#}>U^6!jA%e}@Gj49LWG@*&t0V>Cxc3?oO7LSG%~)Y5}f7vqUUnQ;STjdDU}P9IF9d9<$;=QaXc zL1^X7>fa^jHBu_}9}J~#-oz3Oq^JmGR#?GO7b9a(=R@fw@}Q{{@`Wy1vIQ#Bw?>@X z-_RGG@wt|%u`XUc%W{J z>iSeiz8C3H7@St3mOr_mU+&bL#Uif;+Xw-aZdNYUpdf>Rvu0i0t6k*}vwU`XNO2he z%miH|1tQ8~ZK!zmL&wa3E;l?!!XzgV#%PMVU!0xrDsNNZUWKlbiOjzH-1Uoxm8E#r`#2Sz;-o&qcqB zC-O_R{QGuynW14@)7&@yw1U}uP(1cov)twxeLus0s|7ayrtT8c#`&2~Fiu2=R;1_4bCaD=*E@cYI>7YSnt)nQc zohw5CsK%m?8Ack)qNx`W0_v$5S}nO|(V|RZKBD+btO?JXe|~^Qqur%@eO~<8-L^9d z=GA3-V14ng9L29~XJ>a5k~xT2152zLhM*@zlp2P5Eu}bywkcqR;ISbas&#T#;HZSf z2m69qTV(V@EkY(1Dk3`}j)JMo%ZVJ*5eB zYOjIisi+igK0#yW*gBGj?@I{~mUOvRFQR^pJbEbzFxTubnrw(Muk%}jI+vXmJ;{Q6 
zrSobKD>T%}jV4Ub?L1+MGOD~0Ir%-`iTnWZN^~YPrcP5y3VMAzQ+&en^VzKEb$K!Q z<7Dbg&DNXuow*eD5yMr+#08nF!;%4vGrJI++5HdCFcGLfMW!KS*Oi@=7hFwDG!h2< zPunUEAF+HncQkbfFj&pbzp|MU*~60Z(|Ik%Tn{BXMN!hZOosNIseT?R;A`W?=d?5X zK(FB=9mZusYahp|K-wyb={rOpdn=@;4YI2W0EcbMKyo~-#^?h`BA9~o285%oY zfifCh5Lk$SY@|2A@a!T2V+{^!psQkx4?x0HSV`(w9{l75QxMk!)U52Lbhn{8ol?S) zCKo*7R(z!uk<6*qO=wh!Pul{(qq6g6xW;X68GI_CXp`XwO zxuSgPRAtM8K7}5E#-GM!*ydOOG_{A{)hkCII<|2=ma*71ci_-}VPARm3crFQjLYV! z9zbz82$|l01mv`$WahE2$=fAGWkd^X2kY(J7iz}WGS z@%MyBEO=A?HB9=^?nX`@nh;7;laAjs+fbo!|K^mE!tOB>$2a_O0y-*uaIn8k^6Y zSbuv;5~##*4Y~+y7Z5O*3w4qgI5V^17u*ZeupVGH^nM&$qmAk|anf*>r zWc5CV;-JY-Z@Uq1Irpb^O`L_7AGiqd*YpGUShb==os$uN3yYvb`wm6d=?T*it&pDk zo`vhw)RZX|91^^Wa_ti2zBFyWy4cJu#g)_S6~jT}CC{DJ_kKpT`$oAL%b^!2M;JgT zM3ZNbUB?}kP(*YYvXDIH8^7LUxz5oE%kMhF!rnPqv!GiY0o}NR$OD=ITDo9r%4E>E0Y^R(rS^~XjWyVI6 zMOR5rPXhTp*G*M&X#NTL`Hu*R+u*QNoiOKg4CtNPrjgH>c?Hi4MUG#I917fx**+pJfOo!zFM&*da&G_x)L(`k&TPI*t3e^{crd zX<4I$5nBQ8Ax_lmNRa~E*zS-R0sxkz`|>7q_?*e%7bxqNm3_eRG#1ae3gtV9!fQpY z+!^a38o4ZGy9!J5sylDxZTx$JmG!wg7;>&5H1)>f4dXj;B+@6tMlL=)cLl={jLMxY zbbf1ax3S4>bwB9-$;SN2?+GULu;UA-35;VY*^9Blx)Jwyb$=U!D>HhB&=jSsd^6yw zL)?a|>GxU!W}ocTC(?-%z3!IUhw^uzc`Vz_g>-tv)(XA#JK^)ZnC|l1`@CdX1@|!| z_9gQ)7uOf?cR@KDp97*>6X|;t@Y`k_N@)aH7gY27)COv^P3ya9I{4z~vUjLR9~z1Z z5=G{mVtKH*&$*t0@}-i_v|3B$AHHYale7>E+jP`ClqG%L{u;*ff_h@)al?RuL7tOO z->;I}>%WI{;vbLP3VIQ^iA$4wl6@0sDj|~112Y4OFjMs`13!$JGkp%b&E8QzJw_L5 zOnw9joc0^;O%OpF$Qp)W1HI!$4BaXX84`%@#^dk^hFp^pQ@rx4g(8Xjy#!X%+X5Jd@fs3amGT`}mhq#L97R>OwT5-m|h#yT_-v@(k$q7P*9X~T*3)LTdzP!*B} z+SldbVWrrwQo9wX*%FyK+sRXTa@O?WM^FGWOE?S`R(0P{<6p#f?0NJvnBia?k^fX2 zNQs7K-?EijgHJY}&zsr;qJ<*PCZUd*x|dD=IQPUK_nn)@X4KWtqoJNHkT?ZWL_hF? 
zS8lp2(q>;RXR|F;1O}EE#}gCrY~#n^O`_I&?&z5~7N;zL0)3Tup`%)oHMK-^r$NT% zbFg|o?b9w(q@)6w5V%si<$!U<#}s#x@0aX-hP>zwS#9*75VXA4K*%gUc>+yzupTDBOKH8WR4V0pM(HrfbQ&eJ79>HdCvE=F z|J>s;;iDLB^3(9}?biKbxf1$lI!*Z%*0&8UUq}wMyPs_hclyQQi4;NUY+x2qy|0J; zhn8;5)4ED1oHwg+VZF|80<4MrL97tGGXc5Sw$wAI#|2*cvQ=jB5+{AjMiDHmhUC*a zlmiZ`LAuAn_}hftXh;`Kq0zblDk8?O-`tnilIh|;3lZp@F_osJUV9`*R29M?7H{Fy z`nfVEIDIWXmU&YW;NjU8)EJpXhxe5t+scf|VXM!^bBlwNh)~7|3?fWwo_~ZFk(22% zTMesYw+LNx3J-_|DM~`v93yXe=jPD{q;li;5PD?Dyk+b? zo21|XpT@)$BM$%F=P9J19Vi&1#{jM3!^Y&fr&_`toi`XB1!n>sbL%U9I5<7!@?t)~ z;&H%z>bAaQ4f$wIzkjH70;<8tpUoxzKrPhn#IQfS%9l5=Iu))^XC<58D!-O z{B+o5R^Z21H0T9JQ5gNJnqh#qH^na|z92=hONIM~@_iuOi|F>jBh-?aA20}Qx~EpDGElELNn~|7WRXRFnw+Wdo`|# zBpU=Cz3z%cUJ0mx_1($X<40XEIYz(`noWeO+x#yb_pwj6)R(__%@_Cf>txOQ74wSJ z0#F3(zWWaR-jMEY$7C*3HJrohc79>MCUu26mfYN)f4M~4gD`}EX4e}A!U}QV8!S47 z6y-U-%+h`1n`*pQuKE%Av0@)+wBZr9mH}@vH@i{v(m-6QK7Ncf17x_D=)32`FOjjo zg|^VPf5c6-!FxN{25dvVh#fog=NNpXz zfB$o+0jbRkHH{!TKhE709f+jI^$3#v1Nmf80w`@7-5$1Iv_`)W^px8P-({xwb;D0y z7LKDAHgX<84?l!I*Dvi2#D@oAE^J|g$3!)x1Ua;_;<@#l1fD}lqU2_tS^6Ht$1Wl} zBESo7o^)9-Tjuz$8YQSGhfs{BQV6zW7dA?0b(Dbt=UnQs&4zHfe_sj{RJ4uS-vQpC zX;Bbsuju4%!o8?&m4UZU@~ZZjeFF6ex2ss5_60_JS_|iNc+R0GIjH1@Z z=rLT9%B|WWgOrR7IiIwr2=T;Ne?30M!@{%Qf8o`!>=s<2CBpCK_TWc(DX51>e^xh8 z&@$^b6CgOd7KXQV&Y4%}_#uN*mbanXq(2=Nj`L7H7*k(6F8s6{FOw@(DzU`4-*77{ zF+dxpv}%mFpYK?>N_2*#Y?oB*qEKB}VoQ@bzm>ptmVS_EC(#}Lxxx730trt0G)#$b zE=wVvtqOct1%*9}U{q<)2?{+0TzZzP0jgf9*)arV)*e!f`|jgT{7_9iS@e)recI#z zbzolURQ+TOzE!ymqvBY7+5NnAbWxvMLsLTwEbFqW=CPyCsmJ}P1^V30|D5E|p3BC5 z)3|qgw@ra7aXb-wsa|l^in~1_fm{7bS9jhVRkYVO#U{qMp z)Wce+|DJ}4<2gp8r0_xfZpMo#{Hl2MfjLcZdRB9(B(A(f;+4s*FxV{1F|4d`*sRNd zp4#@sEY|?^FIJ;tmH{@keZ$P(sLh5IdOk@k^0uB^BWr@pk6mHy$qf&~rI>P*a;h0C{%oA*i!VjWn&D~O#MxN&f@1Po# zKN+ zrGrkSjcr?^R#nGl<#Q722^wbYcgW@{+6CBS<1@%dPA8HC!~a`jTz<`g_l5N1M@9wn9GOAZ>nqNgq!yOCbZ@1z`U_N`Z>}+1HIZxk*5RDc&rd5{3qjRh8QmT$VyS;jK z;AF+r6XnnCp=wQYoG|rT2@8&IvKq*IB_WvS%nt%e{MCFm`&W*#LXc|HrD?nVBo=(8*=Aq?u$sDA_sC_RPDUiQ+wnIJET8vx$&fxkW~kP9qXKt 
zozR)@xGC!P)CTkjeWvXW5&@2?)qt)jiYWWBU?AUtzAN}{JE1I)dfz~7$;}~BmQF`k zpn11qmObXwRB8&rnEG*#4Xax3XBkKlw(;tb?Np^i+H8m(Wyz9k{~ogba@laiEk;2! zV*QV^6g6(QG%vX5Um#^sT&_e`B1pBW5yVth~xUs#0}nv?~C#l?W+9Lsb_5)!71rirGvY zTIJ$OPOY516Y|_014sNv+Z8cc5t_V=i>lWV=vNu#!58y9Zl&GsMEW#pPYPYGHQ|;vFvd*9eM==$_=vc7xnyz0~ zY}r??$<`wAO?JQk@?RGvkWVJlq2dk9vB(yV^vm{=NVI8dhsX<)O(#nr9YD?I?(VmQ z^r7VfUBn<~p3()8yOBjm$#KWx!5hRW)5Jl7wY@ky9lNM^jaT##8QGVsYeaVywmpv>X|Xj7gWE1Ezai&wVLt3p)k4w~yrskT-!PR!kiyQlaxl(( zXhF%Q9x}1TMt3~u@|#wWm-Vq?ZerK={8@~&@9r5JW}r#45#rWii};t`{5#&3$W)|@ zbAf2yDNe0q}NEUvq_Quq3cTjcw z@H_;$hu&xllCI9CFDLuScEMg|x{S7GdV8<&Mq=ezDnRZAyX-8gv97YTm0bg=d)(>N z+B2FcqvI9>jGtnK%eO%y zoBPkJTk%y`8TLf4)IXPBn`U|9>O~WL2C~C$z~9|0m*YH<-vg2CD^SX#&)B4ngOSG$ zV^wmy_iQk>dfN@Pv(ckfy&#ak@MLC7&Q6Ro#!ezM*VEh`+b3Jt%m(^T&p&WJ2Oqvj zs-4nq0TW6cv~(YI$n0UkfwN}kg3_fp?(ijSV#tR9L0}l2qjc7W?i*q01=St0eZ=4h zyGQbEw`9OEH>NMuIe)hVwYHsGERWOD;JxEiO7cQv%pFCeR+IyhwQ|y@&^24k+|8fD zLiOWFNJ2&vu2&`Jv96_z-Cd5RLgmeY3*4rDOQo?Jm`;I_(+ejsPM03!ly!*Cu}Cco zrQSrEDHNyzT(D5s1rZq!8#?f6@v6dB7a-aWs(Qk>N?UGAo{gytlh$%_IhyL7h?DLXDGx zgxGEBQoCAWo-$LRvM=F5MTle`M})t3vVv;2j0HZY&G z22^iGhV@uaJh(XyyY%} zd4iH_UfdV#T=3n}(Lj^|n;O4|$;xhu*8T3hR1mc_A}fK}jfZ7LX~*n5+`8N2q#rI$ z@<_2VANlYF$vIH$ zl<)+*tIWW78IIINA7Rr7i{<;#^yzxoLNkXL)eSs=%|P>$YQIh+ea_3k z_s7r4%j7%&*NHSl?R4k%1>Z=M9o#zxY!n8sL5>BO-ZP;T3Gut>iLS@U%IBrX6BA3k z)&@q}V8a{X<5B}K5s(c(LQ=%v1ocr`t$EqqY0EqVjr65usa=0bkf|O#ky{j3)WBR(((L^wmyHRzoWuL2~WTC=`yZ zn%VX`L=|Ok0v7?s>IHg?yArBcync5rG#^+u)>a%qjES%dRZoIyA8gQ;StH z1Ao7{<&}6U=5}4v<)1T7t!J_CL%U}CKNs-0xWoTTeqj{5{?Be$L0_tk>M9o8 zo371}S#30rKZFM{`H_(L`EM9DGp+Mifk&IP|C2Zu_)Ghr4Qtpmkm1osCf@%Z$%t+7 zYH$Cr)Ro@3-QDeQJ8m+x6%;?YYT;k6Z0E-?kr>x33`H%*ueBD7Zx~3&HtWn0?2Wt} zTG}*|v?{$ajzt}xPzV%lL1t-URi8*Zn)YljXNGDb>;!905Td|mpa@mHjIH%VIiGx- zd@MqhpYFu4_?y5N4xiHn3vX&|e6r~Xt> zZG`aGq|yTNjv;9E+Txuoa@A(9V7g?1_T5FzRI;!=NP1Kqou1z5?%X~Wwb{trRfd>i z8&y^H)8YnKyA_Fyx>}RNmQIczT?w2J4SNvI{5J&}Wto|8FR(W;Qw#b1G<1%#tmYzQ zQ2mZA-PAdi%RQOhkHy9Ea#TPSw?WxwL@H@cbkZwIq0B!@ns}niALidmn&W?!Vd4Gj 
zO7FiuV4*6Mr^2xlFSvM;Cp_#r8UaqIzHJQg_z^rEJw&OMm_8NGAY2)rKvki|o1bH~ z$2IbfVeY2L(^*rMRU1lM5Y_sgrDS`Z??nR2lX;zyR=c%UyGb*%TC-Dil?SihkjrQy~TMv6;BMs7P8il`H7DmpVm@rJ;b)hW)BL)GjS154b*xq-NXq2cwE z^;VP7ua2pxvCmxrnqUYQMH%a%nHmwmI33nJM(>4LznvY*k&C0{8f*%?zggpDgkuz&JBx{9mfb@wegEl2v!=}Sq2Gaty0<)UrOT0{MZtZ~j5y&w zXlYa_jY)I_+VA-^#mEox#+G>UgvM!Ac8zI<%JRXM_73Q!#i3O|)lOP*qBeJG#BST0 zqohi)O!|$|2SeJQo(w6w7%*92S})XfnhrH_Z8qe!G5>CglP=nI7JAOW?(Z29;pXJ9 zR9`KzQ=WEhy*)WH>$;7Cdz|>*i>=##0bB)oU0OR>>N<21e4rMCHDemNi2LD>Nc$;& zQRFthpWniC1J6@Zh~iJCoLOxN`oCKD5Q4r%ynwgUKPlIEd#?QViIqovY|czyK8>6B zSP%{2-<;%;1`#0mG^B(8KbtXF;Nf>K#Di72UWE4gQ%(_26Koiad)q$xRL~?pN71ZZ zujaaCx~jXjygw;rI!WB=xrOJO6HJ!!w}7eiivtCg5K|F6$EXa)=xUC za^JXSX98W`7g-tm@uo|BKj39Dl;sg5ta;4qjo^pCh~{-HdLl6qI9Ix6f$+qiZ$}s= zNguKrU;u+T@ko(Vr1>)Q%h$?UKXCY>3se%&;h2osl2D zE4A9bd7_|^njDd)6cI*FupHpE3){4NQ*$k*cOWZ_?CZ>Z4_fl@n(mMnYK62Q1d@+I zr&O))G4hMihgBqRIAJkLdk(p(D~X{-oBUA+If@B}j& zsHbeJ3RzTq96lB7d($h$xTeZ^gP0c{t!Y0c)aQE;$FY2!mACg!GDEMKXFOPI^)nHZ z`aSPJpvV0|bbrzhWWkuPURlDeN%VT8tndV8?d)eN*i4I@u zVKl^6{?}A?P)Fsy?3oi#clf}L18t;TjNI2>eI&(ezDK7RyqFxcv%>?oxUlonv(px) z$vnPzRH`y5A(x!yOIfL0bmgeMQB$H5wenx~!ujQK*nUBW;@Em&6Xv2%s(~H5WcU2R z;%Nw<$tI)a`Ve!>x+qegJnQsN2N7HaKzrFqM>`6R*gvh%O*-%THt zrB$Nk;lE;z{s{r^PPm5qz(&lM{sO*g+W{sK+m3M_z=4=&CC>T`{X}1Vg2PEfSj2x_ zmT*(x;ov%3F?qoEeeM>dUn$a*?SIGyO8m806J1W1o+4HRhc2`9$s6hM#qAm zChQ87b~GEw{ADfs+5}FJ8+|bIlIv(jT$Ap#hSHoXdd9#w<#cA<1Rkq^*EEkknUd4& zoIWIY)sAswy6fSERVm&!SO~#iN$OgOX*{9@_BWFyJTvC%S++ilSfCrO(?u=Dc?CXZ zzCG&0yVR{Z`|ZF0eEApWEo#s9osV>F{uK{QA@BES#&;#KsScf>y zvs?vIbI>VrT<*!;XmQS=bhq%46-aambZ(8KU-wOO2=en~D}MCToB_u;Yz{)1ySrPZ z@=$}EvjTdzTWU7c0ZI6L8=yP+YRD_eMMos}b5vY^S*~VZysrkq<`cK3>>v%uy7jgq z0ilW9KjVDHLv0b<1K_`1IkbTOINs0=m-22c%M~l=^S}%hbli-3?BnNq?b`hx^HX2J zIe6ECljRL0uBWb`%{EA=%!i^4sMcj+U_TaTZRb+~GOk z^ZW!nky0n*Wb*r+Q|9H@ml@Z5gU&W`(z4-j!OzC1wOke`TRAYGZVl$PmQ16{3196( zO*?`--I}Qf(2HIwb2&1FB^!faPA2=sLg(@6P4mN)>Dc3i(B0;@O-y2;lM4akD>@^v z=u>*|!s&9zem70g7zfw9FXl1bpJW(C#5w#uy5!V?Q(U35A~$dR%LDVnq@}kQm13{} 
zd53q3N(s$Eu{R}k2esbftfjfOITCL;jWa$}(mmm}d(&7JZ6d3%IABCapFFYjdEjdK z&4Edqf$G^MNAtL=uCDRs&Fu@FXRgX{*0<(@c3|PNHa>L%zvxWS={L8%qw`STm+=Rd zA}FLspESSIpE_^41~#5yI2bJ=9`oc;GIL!JuW&7YetZ?0H}$$%8rW@*J37L-~Rsx!)8($nI4 zZhcZ2^=Y+p4YPl%j!nFJA|*M^gc(0o$i3nlphe+~-_m}jVkRN{spFs(o0ajW@f3K{ zDV!#BwL322CET$}Y}^0ixYj2w>&Xh12|R8&yEw|wLDvF!lZ#dOTHM9pK6@Nm-@9Lnng4ZHBgBSrr7KI8YCC9DX5Kg|`HsiwJHg2(7#nS;A{b3tVO?Z% za{m5b3rFV6EpX;=;n#wltDv1LE*|g5pQ+OY&*6qCJZc5oDS6Z6JD#6F)bWxZSF@q% z+1WV;m!lRB!n^PC>RgQCI#D1br_o^#iPk>;K2hB~0^<~)?p}LG%kigm@moD#q3PE+ zA^Qca)(xnqw6x>XFhV6ku9r$E>bWNrVH9fum0?4s?Rn2LG{Vm_+QJHse6xa%nzQ?k zKug4PW~#Gtb;#5+9!QBgyB@q=sk9=$S{4T>wjFICStOM?__fr+Kei1 z3j~xPqW;W@YkiUM;HngG!;>@AITg}vAE`M2Pj9Irl4w1fo4w<|Bu!%rh%a(Ai^Zhi zs92>v5;@Y(Zi#RI*ua*h`d_7;byQSa*v9E{2x$<-_=5Z<7{%)}4XExANcz@rK69T0x3%H<@frW>RA8^swA+^a(FxK| zFl3LD*ImHN=XDUkrRhp6RY5$rQ{bRgSO*(vEHYV)3Mo6Jy3puiLmU&g82p{qr0F?ohmbz)f2r{X2|T2 z$4fdQ=>0BeKbiVM!e-lIIs8wVTuC_m7}y4A_%ikI;Wm5$9j(^Y z(cD%U%k)X>_>9~t8;pGzL6L-fmQO@K; zo&vQzMlgY95;1BSkngY)e{`n0!NfVgf}2mB3t}D9@*N;FQ{HZ3Pb%BK6;5#-O|WI( zb6h@qTLU~AbVW#_6?c!?Dj65Now7*pU{h!1+eCV^KCuPAGs28~3k@ueL5+u|Z-7}t z9|lskE`4B7W8wMs@xJa{#bsCGDFoRSNSnmNYB&U7 zVGKWe%+kFB6kb)e;TyHfqtU6~fRg)f|>=5(N36)0+C z`hv65J<$B}WUc!wFAb^QtY31yNleq4dzmG`1wHTj=c*=hay9iD071Hc?oYoUk|M*_ zU1GihAMBsM@5rUJ(qS?9ZYJ6@{bNqJ`2Mr+5#hKf?doa?F|+^IR!8lq9)wS3tF_9n zW_?hm)G(M+MYb?V9YoX^_mu5h-LP^TL^!Q9Z7|@sO(rg_4+@=PdI)WL(B7`!K^ND- z-uIuVDCVEdH_C@c71YGYT^_Scf_dhB8Z2Xy6vGtBSlYud9vggOqv^L~F{BraSE_t} zIkP+Hp2&nH^-MNEs}^`oMLy11`PQW$T|K(`Bu*(f@)mv1-qY(_YG&J2M2<7k;;RK~ zL{Fqj9yCz8(S{}@c)S!65aF<=&eLI{hAMErCx&>i7OeDN>okvegO87OaG{Jmi<|}D zaT@b|0X{d@OIJ7zvT>r+eTzgLq~|Dpu)Z&db-P4z*`M$UL51lf>FLlq6rfG)%doyp z)3kk_YIM!03eQ8Vu_2fg{+osaEJPtJ-s36R+5_AEG12`NG)IQ#TF9c@$99%0iye+ zUzZ57=m2)$D(5Nx!n)=5Au&O0BBgwxIBaeI(mro$#&UGCr<;C{UjJVAbVi%|+WP(a zL$U@TYCxJ=1{Z~}rnW;7UVb7+ZnzgmrogDxhjLGo>c~MiJAWs&&;AGg@%U?Y^0JhL ze(x6Z74JG6FlOFK(T}SXQfhr}RIFl@QXKnIcXYF)5|V~e-}suHILKT-k|<*~Ij|VF zC;t@=uj=hot~*!C68G8hTA%8SzOfETOXQ|3FSaIEjvBJp(A)7SWUi5!Eu#yWgY+;n 
zlm<$+UDou*V+246_o#V4kMdto8hF%%Lki#zPh}KYXmMf?hrN0;>Mv%`@{0Qn`Ujp) z=lZe+13>^Q!9zT);H<(#bIeRWz%#*}sgUX9P|9($kexOyKIOc`dLux}c$7It4u|Rl z6SSkY*V~g_B-hMPo_ak>>z@AVQ(_N)VY2kB3IZ0G(iDUYw+2d7W^~(Jq}KY=JnWS( z#rzEa&0uNhJ>QE8iiyz;n2H|SV#Og+wEZv=f2%1ELX!SX-(d3tEj$5$1}70Mp<&eI zCkfbByL7af=qQE@5vDVxx1}FSGt_a1DoE3SDI+G)mBAna)KBG4p8Epxl9QZ4BfdAN zFnF|Y(umr;gRgG6NLQ$?ZWgllEeeq~z^ZS7L?<(~O&$5|y)Al^iMKy}&W+eMm1W z7EMU)u^ke(A1#XCV>CZ71}P}0x)4wtHO8#JRG3MA-6g=`ZM!FcICCZ{IEw8Dm2&LQ z1|r)BUG^0GzI6f946RrBlfB1Vs)~8toZf~7)+G;pv&XiUO(%5bm)pl=p>nV^o*;&T z;}@oZSibzto$arQgfkp|z4Z($P>dTXE{4O=vY0!)kDO* zGF8a4wq#VaFpLfK!iELy@?-SeRrdz%F*}hjKcA*y@mj~VD3!it9lhRhX}5YOaR9$} z3mS%$2Be7{l(+MVx3 z(4?h;P!jnRmX9J9sYN#7i=iyj_5q7n#X(!cdqI2lnr8T$IfOW<_v`eB!d9xY1P=2q&WtOXY=D9QYteP)De?S4}FK6#6Ma z=E*V+#s8>L;8aVroK^6iKo=MH{4yEZ_>N-N z`(|;aOATba1^asjxlILk<4}f~`39dBFlxj>Dw(hMYKPO3EEt1@S`1lxFNM+J@uB7T zZ8WKjz7HF1-5&2=l=fqF-*@>n5J}jIxdDwpT?oKM3s8Nr`x8JnN-kCE?~aM1H!hAE z%%w(3kHfGwMnMmNj(SU(w42OrC-euI>Dsjk&jz3ts}WHqmMpzQ3vZrsXrZ|}+MHA7 z068obeXZTsO*6RS@o3x80E4ok``rV^Y3hr&C1;|ZZ0|*EKO`$lECUYG2gVFtUTw)R z4Um<0ZzlON`zTdvVdL#KFoMFQX*a5wM0Czp%wTtfK4Sjs)P**RW&?lP$(<}q%r68Z zS53Y!d@&~ne9O)A^tNrXHhXBkj~$8j%pT1%%mypa9AW5E&s9)rjF4@O3ytH{0z6riz|@< zB~UPh*wRFg2^7EbQrHf0y?E~dHlkOxof_a?M{LqQ^C!i2dawHTPYUE=X@2(3<=OOxs8qn_(y>pU>u^}3y&df{JarR0@VJn0f+U%UiF=$Wyq zQvnVHESil@d|8&R<%}uidGh7@u^(%?$#|&J$pvFC-n8&A>utA=n3#)yMkz+qnG3wd zP7xCnF|$9Dif@N~L)Vde3hW8W!UY0BgT2v(wzp;tlLmyk2%N|0jfG$%<;A&IVrOI< z!L)o>j>;dFaqA3pL}b-Je(bB@VJ4%!JeX@3x!i{yIeIso^=n?fDX`3bU=eG7sTc%g%ye8$v8P@yKE^XD=NYxTb zbf!Mk=h|otpqjFaA-vs5YOF-*GwWPc7VbaOW&stlANnCN8iftFMMrUdYNJ_Bnn5Vt zxfz@Ah|+4&P;reZxp;MmEI7C|FOv8NKUm8njF7Wb6Gi7DeODLl&G~}G4be&*Hi0Qw z5}77vL0P+7-B%UL@3n1&JPxW^d@vVwp?u#gVcJqY9#@-3X{ok#UfW3<1fb%FT`|)V~ggq z(3AUoUS-;7)^hCjdT0Kf{i}h)mBg4qhtHHBti=~h^n^OTH5U*XMgDLIR@sre`AaB$ zg)IGBET_4??m@cx&c~bA80O7B8CHR7(LX7%HThkeC*@vi{-pL%e)yXp!B2InafbDF zjPXf1mko3h59{lT6EEbxKO1Z5GF71)WwowO6kY|6tjSVSWdQ}NsK2x{>i|MKZK8%Q 
zfu&_0D;CO-Jg0#YmyfctyJ!mRJp)e#@O0mYdp|8x;G1%OZQ3Q847YWTyy|%^cpA;m zze0(5p{tMu^lDkpe?HynyO?a1$_LJl2L&mpeKu%8YvgRNr=%2z${%WThHG=vrWY@4 zsA`OP#O&)TetZ>s%h!=+CE15lOOls&nvC~$Qz0Ph7tHiP;O$i|eDwpT{cp>+)0-|; zY$|bB+Gbel>5aRN3>c0x)4U=|X+z+{ zn*_p*EQoquRL+=+p;=lm`d71&1NqBz&_ph)MXu(Nv6&XE7(RsS)^MGj5Q?Fwude-(sq zjJ>aOq!7!EN>@(fK7EE#;i_BGvli`5U;r!YA{JRodLBc6-`n8K+Fjgwb%sX;j=qHQ z7&Tr!)!{HXoO<2BQrV9Sw?JRaLXV8HrsNevvnf>Y-6|{T!pYLl7jp$-nEE z#X!4G4L#K0qG_4Z;Cj6=;b|Be$hi4JvMH!-voxqx^@8cXp`B??eFBz2lLD8RRaRGh zn7kUfy!YV~p(R|p7iC1Rdgt$_24i0cd-S8HpG|`@my70g^y`gu%#Tf_L21-k?sRRZHK&at(*ED0P8iw{7?R$9~OF$Ko;Iu5)ur5<->x!m93Eb zFYpIx60s=Wxxw=`$aS-O&dCO_9?b1yKiPCQmSQb>T)963`*U+Ydj5kI(B(B?HNP8r z*bfSBpSu)w(Z3j7HQoRjUG(+d=IaE~tv}y14zHHs|0UcN52fT8V_<@2ep_ee{QgZG zmgp8iv4V{k;~8@I%M3<#B;2R>Ef(Gg_cQM7%}0s*^)SK6!Ym+~P^58*wnwV1BW@eG z4sZLqsUvBbFsr#8u7S1r4teQ;t)Y@jnn_m5jS$CsW1um!p&PqAcc8!zyiXHVta9QC zY~wCwCF0U%xiQPD_INKtTb;A|Zf29(mu9NI;E zc-e>*1%(LSXB`g}kd`#}O;veb<(sk~RWL|f3ljxCnEZDdNSTDV6#Td({6l&y4IjKF z^}lIUq*ZUqgTPumD)RrCN{M^jhY>E~1pn|KOZ5((%F)G|*ZQ|r4zIbrEiV%42hJV8 z3xS)=!X1+=olbdGJ=yZil?oXLct8FM{(6ikLL3E%=q#O6(H$p~gQu6T8N!plf!96| z&Q3=`L~>U0zZh;z(pGR2^S^{#PrPxTRHD1RQOON&f)Siaf`GLj#UOk&(|@0?zm;Sx ztsGt8=29-MZs5CSf1l1jNFtNt5rFNZxJPvkNu~2}7*9468TWm>nN9TP&^!;J{-h)_ z7WsHH9|F%I`Pb!>KAS3jQWKfGivTVkMJLO-HUGM_a4UQ_%RgL6WZvrW+Z4ujZn;y@ zz9$=oO!7qVTaQAA^BhX&ZxS*|5dj803M=k&2%QrXda`-Q#IoZL6E(g+tN!6CA!CP* zCpWtCujIea)ENl0liwVfj)Nc<9mV%+e@=d`haoZ*`B7+PNjEbXBkv=B+Pi^~L#EO$D$ZqTiD8f<5$eyb54-(=3 zh)6i8i|jp(@OnRrY5B8t|LFXFQVQ895n*P16cEKTrT*~yLH6Z4e*bZ5otpRDri&+A zfNbK1D5@O=sm`fN=WzWyse!za5n%^+6dHPGX#8DyIK>?9qyX}2XvBWVqbP%%D)7$= z=#$WulZlZR<{m#gU7lwqK4WS1Ne$#_P{b17qe$~UOXCl>5b|6WVh;5vVnR<%d+Lnp z$uEmML38}U4vaW8>shm6CzB(Wei3s#NAWE3)a2)z@i{4jTn;;aQS)O@l{rUM`J@K& l00vQ5JBs~;vo!vr%%-k{2_Fq1Mn4QF81S)AQ99zk{{c4yR+0b! literal 0 HcmV?d00001 diff --git a/gradle/wrapper/gradle-wrapper.properties b/gradle/wrapper/gradle-wrapper.properties new file mode 100644 index 0000000..1af9e09 --- /dev/null 
+++ b/gradle/wrapper/gradle-wrapper.properties
@@ -0,0 +1,7 @@
+distributionBase=GRADLE_USER_HOME
+distributionPath=wrapper/dists
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.5-bin.zip
+networkTimeout=10000
+validateDistributionUrl=true
+zipStoreBase=GRADLE_USER_HOME
+zipStorePath=wrapper/dists
diff --git a/gradlew b/gradlew
new file mode 100755
index 0000000..1aa94a4
--- /dev/null
+++ b/gradlew
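Review bot: The wrapper configuration pins `distributionUrl` to gradle-8.5-bin.zip but sets no `distributionSha256Sum`, so the downloaded distribution is trusted on TLS alone and a tampered or substituted archive would not be detected. Add `distributionSha256Sum=<SHA-256 of gradle-8.5-bin.zip as published by Gradle>` next to `validateDistributionUrl=true`. The commit also adds the binary `gradle/wrapper/gradle-wrapper.jar`; whether a wrapper-validation step runs in the workflows is not visible here, so confirm that the jar's checksum is verified in CI.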
@@ -0,0 +1,249 @@ +#!/bin/sh + +# +# Copyright © 2015-2021 the original authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +############################################################################## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. 
+# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. +# +############################################################################## + +# Attempt to set APP_HOME + +# Resolve links: $0 may be a link +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac +done + +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit + +# Use the maximum available, or set MAX_FD != -1 to use that value. +MAX_FD=maximum + +warn () { + echo "$*" +} >&2 + +die () { + echo + echo "$*" + echo + exit 1 +} >&2 + +# OS specific support (must be 'true' or 'false'). +cygwin=false +msys=false +darwin=false +nonstop=false +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; +esac + +CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar + + +# Determine the Java command to use to start the JVM. 
+if [ -n "$JAVA_HOME" ] ; then + if [ -x "$JAVA_HOME/jre/sh/java" ] ; then + # IBM's JDK on AIX uses strange locations for the executables + JAVACMD=$JAVA_HOME/jre/sh/java + else + JAVACMD=$JAVA_HOME/bin/java + fi + if [ ! -x "$JAVACMD" ] ; then + die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME + +Please set the JAVA_HOME variable in your environment to match the +location of your Java installation." + fi +else + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + +Please set the JAVA_HOME variable in your environment to match the +location of your Java installation." + fi +fi + +# Increase the maximum file descriptors if we can. +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac +fi + +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. 
+ +# For Cygwin or MSYS, switch paths to Windows format before running java +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + + # Now convert the arguments - kludge to limit ourselves to /bin/sh + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) + fi + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg + done +fi + + +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. +# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. 
+# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' + +exec "$JAVACMD" "$@" diff --git a/gradlew.bat b/gradlew.bat new file mode 100644 index 0000000..93e3f59 --- /dev/null +++ b/gradlew.bat 
@@ -0,0 +1,92 @@ +@rem +@rem Copyright 2015 the original author or authors. +@rem +@rem Licensed under the Apache License, Version 2.0 (the "License"); +@rem you may not use this file except in compliance with the License. +@rem You may obtain a copy of the License at +@rem +@rem https://www.apache.org/licenses/LICENSE-2.0 +@rem +@rem Unless required by applicable law or agreed to in writing, software +@rem distributed under the License is distributed on an "AS IS" BASIS, +@rem WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +@rem See the License for the specific language governing permissions and +@rem limitations under the License. +@rem + +@if "%DEBUG%"=="" @echo off +@rem ########################################################################## +@rem +@rem Gradle startup script for Windows +@rem +@rem ########################################################################## + +@rem Set local scope for the variables with windows NT shell +if "%OS%"=="Windows_NT" setlocal + +set DIRNAME=%~dp0 +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused +set APP_BASE_NAME=%~n0 +set APP_HOME=%DIRNAME% + +@rem Resolve any "." and ".." in APP_HOME to make it shorter. +for %%i in ("%APP_HOME%") do set APP_HOME=%%~fi + +@rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +set DEFAULT_JVM_OPTS="-Xmx64m" "-Xms64m" + +@rem Find java.exe +if defined JAVA_HOME goto findJavaFromJavaHome + +set JAVA_EXE=java.exe +%JAVA_EXE% -version >NUL 2>&1 +if %ERRORLEVEL% equ 0 goto execute + +echo. +echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. +echo. +echo Please set the JAVA_HOME variable in your environment to match the +echo location of your Java installation. + +goto fail + +:findJavaFromJavaHome +set JAVA_HOME=%JAVA_HOME:"=% +set JAVA_EXE=%JAVA_HOME%/bin/java.exe + +if exist "%JAVA_EXE%" goto execute + +echo. 
+echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% +echo. +echo Please set the JAVA_HOME variable in your environment to match the +echo location of your Java installation. + +goto fail + +:execute +@rem Setup the command line + +set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar + + +@rem Execute Gradle +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* + +:end +@rem End local scope for the variables with windows NT shell +if %ERRORLEVEL% equ 0 goto mainEnd + +:fail +rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of +rem the _cmd.exe /c_ return code! +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% + +:mainEnd +if "%OS%"=="Windows_NT" endlocal + +:omega diff --git a/settings.gradle.kts b/settings.gradle.kts new file mode 100644 index 0000000..a3b6fa5 --- /dev/null +++ b/settings.gradle.kts @@ -0,0 +1 @@ +rootProject.name = "ismanglendemedvirkning" diff --git a/src/main/kotlin/no/nav/syfo/App.kt b/src/main/kotlin/no/nav/syfo/App.kt new file mode 100644 index 0000000..fd0fc3c --- /dev/null +++ b/src/main/kotlin/no/nav/syfo/App.kt 
@@ -0,0 +1,76 @@
+package no.nav.syfo
+
+import com.typesafe.config.ConfigFactory
+import io.ktor.server.application.*
+import io.ktor.server.config.*
+import io.ktor.server.engine.*
+import io.ktor.server.netty.*
+import no.nav.syfo.api.apiModule
+import no.nav.syfo.infrastructure.clients.azuread.AzureAdClient
+import no.nav.syfo.infrastructure.clients.veiledertilgang.VeilederTilgangskontrollClient
+import no.nav.syfo.infrastructure.clients.wellknown.getWellKnown
+import no.nav.syfo.infrastructure.database.applicationDatabase
+import no.nav.syfo.infrastructure.database.databaseModule
+import org.slf4j.LoggerFactory
+import java.util.concurrent.TimeUnit
+
+const val applicationPort = 8080
+
+fun main() {
+ val applicationState = ApplicationState()
+ val environment = Environment()
+ val logger = LoggerFactory.getLogger("ktor.application")
+
+ val wellKnownInternalAzureAD = getWellKnown(
+ wellKnownUrl = environment.azure.appWellKnownUrl,
+ )
+ val azureAdClient = AzureAdClient(
+ azureEnvironment = environment.azure
+ )
+ val veilederTilgangskontrollClient = VeilederTilgangskontrollClient(
+ azureAdClient = azureAdClient,
+ clientEnvironment = environment.clients.istilgangskontroll,
+ )
+
+ val applicationEngineEnvironment =
+ applicationEngineEnvironment {
+ log = logger
+ config = HoconApplicationConfig(ConfigFactory.load())
+ connector {
+ port = applicationPort
+ }
+ module {
+ databaseModule(
+ databaseEnvironment = environment.database,
+ )
+
+ apiModule(
+ applicationState = applicationState,
+ environment = environment,
+ wellKnownInternalAzureAD = wellKnownInternalAzureAD,
+ database = applicationDatabase,
+ veilederTilgangskontrollClient = veilederTilgangskontrollClient,
+ )
+ }
+ }
+
+ applicationEngineEnvironment.monitor.subscribe(ApplicationStarted) {
+ applicationState.ready = true
+ logger.info("Application is ready, running Java VM ${Runtime.version()}")
+ }
+
+ val server = embeddedServer(
+ factory = Netty,
+ environment = applicationEngineEnvironment
+ ) {
+ connectionGroupSize = 8
+ workerGroupSize = 8
+ callGroupSize = 16
+ }
+
+ Runtime.getRuntime().addShutdownHook(
+ Thread { server.stop(10, 10, TimeUnit.SECONDS) }
+ )
+
+ server.start(wait = true)
+}
diff --git a/src/main/kotlin/no/nav/syfo/ApplicationEnvironment.kt b/src/main/kotlin/no/nav/syfo/ApplicationEnvironment.kt
new file mode 100644
index 0000000..1994505
--- /dev/null
+++ b/src/main/kotlin/no/nav/syfo/ApplicationEnvironment.kt
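Review bot: `applicationState.ready` is set to `true` on `ApplicationStarted`, but the shutdown hook never clears it, so during the 10-second grace period of `server.stop(10, 10, TimeUnit.SECONDS)` a readiness check that reads this flag would presumably still report ready. Clearing it first keeps new traffic away while in-flight calls drain: `Thread { applicationState.ready = false; server.stop(10, 10, TimeUnit.SECONDS) }`. The pod endpoints that expose the flag are not part of this hunk, so confirm how they use it before relying on this.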
@@ -0,0 +1,41 @@
+package no.nav.syfo
+
+import no.nav.syfo.infrastructure.clients.ClientEnvironment
+import no.nav.syfo.infrastructure.clients.ClientsEnvironment
+import no.nav.syfo.infrastructure.clients.azuread.AzureEnvironment
+import no.nav.syfo.infrastructure.database.DatabaseEnvironment
+
+const val NAIS_DATABASE_ENV_PREFIX = "NAIS_DATABASE_ISMANGLENDEMEDVIRKNING_ISMANGLENDEMEDVIRKNING_DB"
+
+data class Environment(
+ val database: DatabaseEnvironment = DatabaseEnvironment(
+ host = getEnvVar("${NAIS_DATABASE_ENV_PREFIX}_HOST"),
+ port = getEnvVar("${NAIS_DATABASE_ENV_PREFIX}_PORT"),
+ name = getEnvVar("${NAIS_DATABASE_ENV_PREFIX}_DATABASE"),
+ username = getEnvVar("${NAIS_DATABASE_ENV_PREFIX}_USERNAME"),
+ password = getEnvVar("${NAIS_DATABASE_ENV_PREFIX}_PASSWORD"),
+ url = getEnvVar("${NAIS_DATABASE_ENV_PREFIX}_JDBC_URL")
+ ),
+ val azure: AzureEnvironment =
+ AzureEnvironment(
+ appClientId = getEnvVar("AZURE_APP_CLIENT_ID"),
+ appClientSecret = getEnvVar("AZURE_APP_CLIENT_SECRET"),
+ appWellKnownUrl = getEnvVar("AZURE_APP_WELL_KNOWN_URL"),
+ openidConfigTokenEndpoint = getEnvVar("AZURE_OPENID_CONFIG_TOKEN_ENDPOINT")
+ ),
+ val electorPath: String = getEnvVar("ELECTOR_PATH"),
+ val clients: ClientsEnvironment =
+ ClientsEnvironment(
+ istilgangskontroll = ClientEnvironment(
+ baseUrl = getEnvVar("ISTILGANGSKONTROLL_URL"),
+ clientId = getEnvVar("ISTILGANGSKONTROLL_CLIENT_ID")
+ ),
+ ),
+)
+
+fun getEnvVar(
+ varName: String,
+ defaultValue: String? = null
+) = System.getenv(varName) ?: defaultValue ?: throw RuntimeException("Missing required variable \"$varName\"")
+
+fun isLocal() = getEnvVar("KTOR_ENV", "local") == "local"
diff --git a/src/main/kotlin/no/nav/syfo/ApplicationState.kt b/src/main/kotlin/no/nav/syfo/ApplicationState.kt
new file mode 100644
index 0000000..4fe0f8f
--- /dev/null
+++ b/src/main/kotlin/no/nav/syfo/ApplicationState.kt
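Review bot: `Environment` is declared as a `data class` and carries the database `password` and `appClientSecret`, so its generated `toString()` will print those values if the nested `DatabaseEnvironment` and `AzureEnvironment` are data classes too (they are defined outside this hunk); any log line or exception message that interpolates the environment object would then expose them. Nothing in this hunk uses `equals` or `copy`, so a plain `class Environment(` or an explicit `override fun toString() = "Environment(<redacted>)"` avoids that. Separately, `isLocal()` falls back to `"local"` when `KTOR_ENV` is unset; if anything security-relevant is relaxed for local runs, a missing variable in a deployed pod would enable it, so prefer `getEnvVar("KTOR_ENV") == "local"` with the value set explicitly for local development.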
@@ -0,0 +1,6 @@
+package no.nav.syfo
+
+data class ApplicationState(
+ var alive: Boolean = true,
+ var ready: Boolean = false,
+)
diff --git a/src/main/kotlin/no/nav/syfo/BackgroundTask.kt b/src/main/kotlin/no/nav/syfo/BackgroundTask.kt
new file mode 100644
index 0000000..5a12797
--- /dev/null
+++ b/src/main/kotlin/no/nav/syfo/BackgroundTask.kt
@@ -0,0 +1,42 @@
+package no.nav.syfo
+
+import kotlinx.coroutines.*
+import org.slf4j.Logger
+import org.slf4j.LoggerFactory
+import java.util.concurrent.Executors
+import kotlin.coroutines.CoroutineContext
+
+private val log: Logger = LoggerFactory.getLogger("no.nav.syfo")
+
+fun launchBackgroundTask(
+ applicationState: ApplicationState,
+ action: suspend CoroutineScope.() -> Unit,
+): Job = GlobalScope.launch(Dispatchers.Unbounded) {
+ try {
+ action()
+ } catch (ex: Exception) {
+ log.error("Exception received while launching background task. Terminating application.", ex)
+ } finally {
+ applicationState.alive = false
+ applicationState.ready = false
+ }
+}
+
+/*
+Use Dispatchers.Unbounded to allow unlimited number of coroutines to be dispatched. Without this
+only a few will be allowed simultaneously (depending on the number of available cores) which may result
+in cronjobs or Kafka-consumers not starting as intended.
+*/
+val Dispatchers.Unbounded get() = UnboundedDispatcher.unboundedDispatcher
+
+class UnboundedDispatcher private constructor() : CoroutineDispatcher() {
+ companion object {
+ val unboundedDispatcher = UnboundedDispatcher()
+ }
+
+ private val threadPool = Executors.newCachedThreadPool()
+ private val dispatcher = threadPool.asCoroutineDispatcher()
+ override fun dispatch(context: CoroutineContext, block: Runnable) {
+ dispatcher.dispatch(context, block)
+ }
+}
diff --git a/src/main/kotlin/no/nav/syfo/api/ApiModule.kt b/src/main/kotlin/no/nav/syfo/api/ApiModule.kt
new file mode 100644
index 0000000..bc5b88b
--- /dev/null
+++ b/src/main/kotlin/no/nav/syfo/api/ApiModule.kt
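Review bot: The `catch (ex: Exception)` in `launchBackgroundTask` also catches `CancellationException`, so an ordinary cancellation of the job is logged as an error and swallowed instead of propagating; adding `catch (ex: CancellationException) { throw ex }` ahead of the generic catch keeps cancellation cooperative. The log text says "Terminating application", but the only effect is the `finally` block flipping `alive` and `ready`, so the restart depends entirely on the liveness probe; a comment saying so would help the next reader. Those two flags are plain `var`s on `ApplicationState`, written here from the cached thread pool and read by the probe handlers in PodEndpoints.kt; marking them `@Volatile` would make the cross-thread visibility explicit.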
@@ -0,0 +1,135 @@ +package no.nav.syfo.api + +import io.ktor.client.plugins.* +import io.ktor.http.* +import io.ktor.serialization.jackson.* +import io.ktor.server.application.* +import io.ktor.server.metrics.micrometer.* +import io.ktor.server.plugins.* +import io.ktor.server.plugins.callid.* +import io.ktor.server.plugins.contentnegotiation.* +import io.ktor.server.plugins.statuspages.* +import io.ktor.server.response.* +import io.ktor.server.routing.* +import io.micrometer.core.instrument.distribution.DistributionStatisticConfig +import no.nav.syfo.ApplicationState +import no.nav.syfo.Environment +import no.nav.syfo.api.auth.JwtIssuer +import no.nav.syfo.api.auth.JwtIssuerType +import no.nav.syfo.api.auth.installJwtAuthentication +import no.nav.syfo.api.endpoints.metricEndpoints +import no.nav.syfo.api.endpoints.podEndpoints +import no.nav.syfo.infrastructure.NAV_CALL_ID_HEADER +import no.nav.syfo.infrastructure.clients.veiledertilgang.ForbiddenAccessVeilederException +import no.nav.syfo.infrastructure.clients.veiledertilgang.VeilederTilgangskontrollClient +import no.nav.syfo.infrastructure.clients.wellknown.WellKnown +import no.nav.syfo.infrastructure.database.DatabaseInterface +import no.nav.syfo.infrastructure.metric.METRICS_REGISTRY +import no.nav.syfo.util.configure +import no.nav.syfo.util.getCallId +import no.nav.syfo.util.getConsumerClientId +import java.time.Duration +import java.util.* + +fun Application.apiModule( + applicationState: ApplicationState, + environment: Environment, + wellKnownInternalAzureAD: WellKnown, + database: DatabaseInterface, + veilederTilgangskontrollClient: VeilederTilgangskontrollClient, +) { + installMetrics() + installCallId() + installContentNegotiation() + installStatusPages() + installJwtAuthentication( + jwtIssuerList = + listOf( + JwtIssuer( + acceptedAudienceList = listOf(environment.azure.appClientId), + jwtIssuerType = JwtIssuerType.INTERNAL_AZUREAD, + wellKnown = wellKnownInternalAzureAD + ) + ) + ) + + routing { + 
podEndpoints(applicationState = applicationState, database = database) + metricEndpoints() + } +} + +fun Application.installContentNegotiation() { + install(ContentNegotiation) { + jackson { configure() } + } +} + +fun Application.installMetrics() { + install(MicrometerMetrics) { + registry = METRICS_REGISTRY + distributionStatisticConfig = + DistributionStatisticConfig.Builder() + .percentilesHistogram(true) + .maximumExpectedValue(Duration.ofSeconds(20).toNanos().toDouble()) + .build() + } +} + +fun Application.installCallId() { + install(CallId) { + retrieve { it.request.headers[NAV_CALL_ID_HEADER] } + generate { UUID.randomUUID().toString() } + verify { callId: String -> callId.isNotEmpty() } + header(NAV_CALL_ID_HEADER) + } +} + +fun Application.installStatusPages() { + install(StatusPages) { + exception { call, cause -> + val callId = call.getCallId() + val consumerClientId = call.getConsumerClientId() + val logExceptionMessage = "Caught exception, callId=$callId, consumerClientId=$consumerClientId" + val log = call.application.log + when (cause) { + is ForbiddenAccessVeilederException -> { + log.warn(logExceptionMessage, cause) + } + + else -> { + log.error(logExceptionMessage, cause) + } + } + + var isUnexpectedException = false + + val responseStatus: HttpStatusCode = + when (cause) { + is ResponseException -> { + cause.response.status + } + + is IllegalArgumentException, is BadRequestException, -> { + HttpStatusCode.BadRequest + } + + is ForbiddenAccessVeilederException -> { + HttpStatusCode.Forbidden + } + + else -> { + isUnexpectedException = true + HttpStatusCode.InternalServerError + } + } + val message = + if (isUnexpectedException) { + "The server reported an unexpected error and cannot complete the request." + } else { + cause.message ?: "Unknown error" + } + call.respond(responseStatus, message) + } + } +} 
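Review bot: In `installStatusPages`, every exception that is not classed as unexpected is answered with `cause.message`, and that includes `ResponseException` thrown by the outbound Ktor clients. Those messages are composed by the HTTP client and usually contain the downstream URL and part of the downstream response text, so a failed call to another internal service is relayed to the API consumer together with that service's status code. I would answer `ResponseException` with a fixed text, keeping the detail in the log line that is already written, and return `cause.message` only for exceptions this service throws itself. Separately, `call.getConsumerClientId()` decodes the bearer token with `JWT.decode` inside the handler, which looks like it can throw on a malformed Authorization header while the original error is being handled; `runCatching { call.getConsumerClientId() }.getOrNull()` would keep the handler from failing.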
diff --git a/src/main/kotlin/no/nav/syfo/api/auth/AuthenticationPlugin.kt b/src/main/kotlin/no/nav/syfo/api/auth/AuthenticationPlugin.kt
new file mode 100644
index 0000000..b4725b4
--- /dev/null
+++ b/src/main/kotlin/no/nav/syfo/api/auth/AuthenticationPlugin.kt
@@ -0,0 +1,58 @@
+package no.nav.syfo.api.auth
+
+import com.auth0.jwk.JwkProviderBuilder
+import io.ktor.server.application.*
+import io.ktor.server.auth.*
+import io.ktor.server.auth.jwt.*
+import net.logstash.logback.argument.StructuredArguments
+import org.slf4j.Logger
+import org.slf4j.LoggerFactory
+import java.net.URL
+import java.util.concurrent.TimeUnit
+
+private val log: Logger = LoggerFactory.getLogger("no.nav.syfo.application.api.auth")
+
+fun Application.installJwtAuthentication(jwtIssuerList: List) {
+ install(Authentication) {
+ jwtIssuerList.forEach { jwtIssuer ->
+ configureJwt(
+ jwtIssuer = jwtIssuer
+ )
+ }
+ }
+}
+
+private fun AuthenticationConfig.configureJwt(jwtIssuer: JwtIssuer) {
+ val jwkProvider =
+ JwkProviderBuilder(URL(jwtIssuer.wellKnown.jwksUri))
+ .cached(10, 24, TimeUnit.HOURS)
+ .rateLimited(10, 1, TimeUnit.MINUTES)
+ .build()
+ jwt(name = jwtIssuer.jwtIssuerType.name) {
+ verifier(
+ jwkProvider = jwkProvider,
+ issuer = jwtIssuer.wellKnown.issuer
+ )
+ validate { credential ->
+ val credentialsHasExpectedAudience =
+ credential.inExpectedAudience(
+ expectedAudience = jwtIssuer.acceptedAudienceList
+ )
+ if (credentialsHasExpectedAudience) {
+ JWTPrincipal(credential.payload)
+ } else {
+ log.warn(
+ "Auth: Unexpected audience for jwt {}, {}",
+ StructuredArguments.keyValue("issuer", credential.payload.issuer),
+ StructuredArguments.keyValue("audience", credential.payload.audience)
+ )
+ null
+ }
+ }
+ }
+}
+
+private fun JWTCredential.inExpectedAudience(expectedAudience: List) =
+ expectedAudience.any {
+ this.payload.audience.contains(it)
+ }
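Review bot: `inExpectedAudience` calls `this.payload.audience.contains(it)` on a Java platform type, and java-jwt documents `getAudience()` as returning null when the token carries no `aud` claim. A correctly signed token without an audience would then raise a NullPointerException inside `validate` instead of taking the `null` branch that logs the rejection. `expectedAudience.any { payload.audience?.contains(it) == true }` turns the missing-claim case into an ordinary authentication failure and keeps the warning log reachable for it.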
diff --git a/src/main/kotlin/no/nav/syfo/api/auth/JwtIssuer.kt b/src/main/kotlin/no/nav/syfo/api/auth/JwtIssuer.kt
new file mode 100644
index 0000000..4322387
--- /dev/null
+++ b/src/main/kotlin/no/nav/syfo/api/auth/JwtIssuer.kt
@@ -0,0 +1,13 @@
+package no.nav.syfo.api.auth
+
+import no.nav.syfo.infrastructure.clients.wellknown.WellKnown
+
+data class JwtIssuer(
+ val acceptedAudienceList: List,
+ val jwtIssuerType: JwtIssuerType,
+ val wellKnown: WellKnown
+)
+
+enum class JwtIssuerType {
+ INTERNAL_AZUREAD
+}
diff --git a/src/main/kotlin/no/nav/syfo/api/endpoints/MetricEndpoints.kt b/src/main/kotlin/no/nav/syfo/api/endpoints/MetricEndpoints.kt
new file mode 100644
index 0000000..627288e
--- /dev/null
+++ b/src/main/kotlin/no/nav/syfo/api/endpoints/MetricEndpoints.kt
@@ -0,0 +1,14 @@
+package no.nav.syfo.api.endpoints
+
+import io.ktor.server.application.*
+import io.ktor.server.response.*
+import io.ktor.server.routing.*
+import no.nav.syfo.infrastructure.metric.METRICS_REGISTRY
+
+const val podMetricsPath = "/internal/metrics"
+
+fun Routing.metricEndpoints() {
+ get(podMetricsPath) {
+ call.respondText(METRICS_REGISTRY.scrape())
+ }
+}
diff --git a/src/main/kotlin/no/nav/syfo/api/endpoints/PodEndpoints.kt b/src/main/kotlin/no/nav/syfo/api/endpoints/PodEndpoints.kt
new file mode 100644
index 0000000..d98c394
--- /dev/null
+++ b/src/main/kotlin/no/nav/syfo/api/endpoints/PodEndpoints.kt
@@ -0,0 +1,38 @@
+package no.nav.syfo.api.endpoints
+
+import io.ktor.http.*
+import io.ktor.server.application.*
+import io.ktor.server.response.*
+import io.ktor.server.routing.*
+import no.nav.syfo.ApplicationState
+import no.nav.syfo.infrastructure.database.DatabaseInterface
+
+const val podLivenessPath = "/internal/is_alive"
+const val podReadinessPath = "/internal/is_ready"
+
+fun Routing.podEndpoints(applicationState: ApplicationState, database: DatabaseInterface) {
+ get(podLivenessPath) {
+ if (applicationState.alive) {
+ call.respondText("I'm alive! :)")
+ } else {
+ call.respondText("I'm dead x_x", status = HttpStatusCode.InternalServerError)
+ }
+ }
+ get(podReadinessPath) {
+ if (applicationState.ready && database.isOk()) {
+ call.respondText("I'm ready! :)")
+ } else {
+ call.respondText("Please wait! I'm not ready :(", status = HttpStatusCode.InternalServerError)
+ }
+ }
+}
+
+private fun DatabaseInterface.isOk(): Boolean {
+ return try {
+ connection.use {
+ it.isValid(1)
+ }
+ } catch (ex: Exception) {
+ false
+ }
+}
diff --git a/src/main/kotlin/no/nav/syfo/domain/Personident.kt b/src/main/kotlin/no/nav/syfo/domain/Personident.kt
new file mode 100644
index 0000000..a1685d4
--- /dev/null
+++ b/src/main/kotlin/no/nav/syfo/domain/Personident.kt
@@ -0,0 +1,10 @@
+package no.nav.syfo.domain
+
+@JvmInline
+value class Personident(val value: String) {
+ init {
+ if (!Regex("^\\d{11}\$").matches(value)) {
+ throw IllegalArgumentException("Value is not a valid Personident")
+ }
+ }
+}
diff --git a/src/main/kotlin/no/nav/syfo/infrastructure/Util.kt b/src/main/kotlin/no/nav/syfo/infrastructure/Util.kt
new file mode 100644
index 0000000..dad57d8
--- /dev/null
+++ b/src/main/kotlin/no/nav/syfo/infrastructure/Util.kt
@@ -0,0 +1,6 @@
+package no.nav.syfo.infrastructure
+
+const val NAV_CALL_ID_HEADER = "Nav-Call-Id"
+const val NAV_PERSONIDENT_HEADER = "nav-personident"
+
+fun bearerHeader(token: String) = "Bearer $token"
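Review bot: `isOk()` in PodEndpoints.kt turns every exception from the connection check into `false` without recording it, so a readiness failure caused by rejected credentials, an exhausted pool or a network fault leaves no trace in the logs. Logging `ex` at warn level before returning `false` would let an operator tell those cases apart. The file has no logger yet, so that needs a private `LoggerFactory.getLogger(...)` alongside the function.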
diff --git a/src/main/kotlin/no/nav/syfo/infrastructure/clients/ClientsEnvironment.kt b/src/main/kotlin/no/nav/syfo/infrastructure/clients/ClientsEnvironment.kt
new file mode 100644
index 0000000..98f294a
--- /dev/null
+++ b/src/main/kotlin/no/nav/syfo/infrastructure/clients/ClientsEnvironment.kt
@@ -0,0 +1,14 @@
+package no.nav.syfo.infrastructure.clients
+
+data class ClientsEnvironment(
+ val istilgangskontroll: ClientEnvironment,
+)
+
+data class ClientEnvironment(
+ val baseUrl: String,
+ val clientId: String,
+)
+
+data class OpenClientEnvironment(
+ val baseUrl: String,
+)
diff --git a/src/main/kotlin/no/nav/syfo/infrastructure/clients/HttpClientCommon.kt b/src/main/kotlin/no/nav/syfo/infrastructure/clients/HttpClientCommon.kt
new file mode 100644
index 0000000..3cf6076
--- /dev/null
+++ b/src/main/kotlin/no/nav/syfo/infrastructure/clients/HttpClientCommon.kt
@@ -0,0 +1,37 @@
+package no.nav.syfo.infrastructure.clients
+
+import io.ktor.client.*
+import io.ktor.client.engine.*
+import io.ktor.client.engine.apache.*
+import io.ktor.client.plugins.*
+import io.ktor.client.plugins.contentnegotiation.*
+import io.ktor.serialization.jackson.*
+import no.nav.syfo.util.configure
+import org.apache.http.impl.conn.SystemDefaultRoutePlanner
+import java.net.ProxySelector
+
+val commonConfig: HttpClientConfig.() -> Unit = {
+ install(ContentNegotiation) {
+ jackson { configure() }
+ }
+ install(HttpRequestRetry) {
+ retryOnExceptionIf(2) { _, cause ->
+ cause !is ClientRequestException
+ }
+ constantDelay(500L)
+ }
+ expectSuccess = true
+}
+
+val proxyConfig: HttpClientConfig.() -> Unit = {
+ this.commonConfig()
+ engine {
+ customizeClient {
+ setRoutePlanner(SystemDefaultRoutePlanner(ProxySelector.getDefault()))
+ }
+ }
+}
+
+fun httpClientDefault() = HttpClient(Apache, commonConfig)
+
+fun httpClientProxy() = HttpClient(Apache, proxyConfig)
diff --git a/src/main/kotlin/no/nav/syfo/infrastructure/clients/azuread/AzureAdClient.kt b/src/main/kotlin/no/nav/syfo/infrastructure/clients/azuread/AzureAdClient.kt
new file mode 100644
index 0000000..219b759
--- /dev/null
+++ b/src/main/kotlin/no/nav/syfo/infrastructure/clients/azuread/AzureAdClient.kt
@@ -0,0 +1,68 @@ +package no.nav.syfo.infrastructure.clients.azuread + +import io.ktor.client.* +import io.ktor.client.call.* +import io.ktor.client.plugins.* +import io.ktor.client.request.* +import io.ktor.client.request.forms.* +import io.ktor.client.statement.* +import io.ktor.http.* +import no.nav.syfo.infrastructure.clients.httpClientProxy +import org.slf4j.LoggerFactory + +class AzureAdClient( + private val azureEnvironment: AzureEnvironment, + private val httpClient: HttpClient = httpClientProxy(), +) { + suspend fun getOnBehalfOfToken( + scopeClientId: String, + token: String + ): AzureAdToken? = + getAccessToken( + Parameters.build { + append("client_id", azureEnvironment.appClientId) + append("client_secret", azureEnvironment.appClientSecret) + append("client_assertion_type", "urn:ietf:params:oauth:grant-type:jwt-bearer") + append("grant_type", "urn:ietf:params:oauth:grant-type:jwt-bearer") + append("assertion", token) + append("scope", "api://$scopeClientId/.default") + append("requested_token_use", "on_behalf_of") + } + )?.toAzureAdToken() + + suspend fun getSystemToken(scopeClientId: String): AzureAdToken? { + val azureAdTokenResponse = getAccessToken( + Parameters.build { + append("client_id", azureEnvironment.appClientId) + append("client_secret", azureEnvironment.appClientSecret) + append("grant_type", "client_credentials") + append("scope", "api://$scopeClientId/.default") + } + ) + return azureAdTokenResponse?.toAzureAdToken() + } + + private suspend fun getAccessToken(formParameters: Parameters): AzureAdTokenResponse? 
= + try { + val response: HttpResponse = + httpClient.post(azureEnvironment.openidConfigTokenEndpoint) { + accept(ContentType.Application.Json) + setBody(FormDataContent(formParameters)) + } + response.body() + } catch (e: ResponseException) { + handleUnexpectedResponseException(e) + null + } + + private fun handleUnexpectedResponseException(responseException: ResponseException) { + log.error( + "Error while requesting AzureAdAccessToken with statusCode=${responseException.response.status.value}", + responseException + ) + } + + companion object { + private val log = LoggerFactory.getLogger(AzureAdClient::class.java) + } +} diff --git a/src/main/kotlin/no/nav/syfo/infrastructure/clients/azuread/AzureAdToken.kt b/src/main/kotlin/no/nav/syfo/infrastructure/clients/azuread/AzureAdToken.kt new file mode 100644 index 0000000..9b6c431 --- /dev/null +++ b/src/main/kotlin/no/nav/syfo/infrastructure/clients/azuread/AzureAdToken.kt @@ -0,0 +1,13 @@ +package no.nav.syfo.infrastructure.clients.azuread + +import java.io.Serializable +import java.time.LocalDateTime + +data class AzureAdToken( + val accessToken: String, + val expires: LocalDateTime, +) : Serializable { + + fun isExpired(): Boolean = + expires < LocalDateTime.now().plusSeconds(60) +} diff --git a/src/main/kotlin/no/nav/syfo/infrastructure/clients/azuread/AzureAdTokenResponse.kt b/src/main/kotlin/no/nav/syfo/infrastructure/clients/azuread/AzureAdTokenResponse.kt new file mode 100644 index 0000000..8ad0c33 --- /dev/null +++ b/src/main/kotlin/no/nav/syfo/infrastructure/clients/azuread/AzureAdTokenResponse.kt 
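Review bot: `getOnBehalfOfToken` sends `client_assertion_type` with the grant-type URN `urn:ietf:params:oauth:grant-type:jwt-bearer` alongside `client_secret`. That parameter belongs to JWT/certificate client authentication, where its value is `urn:ietf:params:oauth:client-assertion-type:jwt-bearer` and it is paired with `client_assertion`; with a shared secret it is not part of the on-behalf-of request, so I would drop the line rather than rely on the token endpoint ignoring it. Both public methods also request a fresh token on every call although `AzureAdToken.isExpired()` exists in this commit. A small cache keyed on scope (and on the incoming token for the on-behalf-of case) would take the token endpoint out of the per-request path.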
@@ -0,0 +1,17 @@
+package no.nav.syfo.infrastructure.clients.azuread
+
+import java.time.LocalDateTime
+
+data class AzureAdTokenResponse(
+ val access_token: String,
+ val expires_in: Long,
+ val token_type: String,
+)
+
+fun AzureAdTokenResponse.toAzureAdToken(): AzureAdToken {
+ val expiresOn = LocalDateTime.now().plusSeconds(this.expires_in)
+ return AzureAdToken(
+ accessToken = this.access_token,
+ expires = expiresOn,
+ )
+}
diff --git a/src/main/kotlin/no/nav/syfo/infrastructure/clients/azuread/AzureEnvironment.kt b/src/main/kotlin/no/nav/syfo/infrastructure/clients/azuread/AzureEnvironment.kt
new file mode 100644
index 0000000..464675b
--- /dev/null
+++ b/src/main/kotlin/no/nav/syfo/infrastructure/clients/azuread/AzureEnvironment.kt
@@ -0,0 +1,8 @@
+package no.nav.syfo.infrastructure.clients.azuread
+
+data class AzureEnvironment(
+ val appClientId: String,
+ val appClientSecret: String,
+ val appWellKnownUrl: String,
+ val openidConfigTokenEndpoint: String,
+)
diff --git a/src/main/kotlin/no/nav/syfo/infrastructure/clients/veiledertilgang/ForbiddenAccessVeilederException.kt b/src/main/kotlin/no/nav/syfo/infrastructure/clients/veiledertilgang/ForbiddenAccessVeilederException.kt
new file mode 100644
index 0000000..ddb7dc7
--- /dev/null
+++ b/src/main/kotlin/no/nav/syfo/infrastructure/clients/veiledertilgang/ForbiddenAccessVeilederException.kt
@@ -0,0 +1,6 @@
+package no.nav.syfo.infrastructure.clients.veiledertilgang
+
+class ForbiddenAccessVeilederException(
+ action: String,
+ message: String = "Denied NAVIdent access to personIdent: $action"
+) : RuntimeException(message)
diff --git a/src/main/kotlin/no/nav/syfo/infrastructure/clients/veiledertilgang/Tilgang.kt b/src/main/kotlin/no/nav/syfo/infrastructure/clients/veiledertilgang/Tilgang.kt
new file mode 100644
index 0000000..b749d24
--- /dev/null
+++ b/src/main/kotlin/no/nav/syfo/infrastructure/clients/veiledertilgang/Tilgang.kt
@@ -0,0 +1,5 @@
+package no.nav.syfo.infrastructure.clients.veiledertilgang
+
+data class Tilgang(
+ val erGodkjent: Boolean,
+)
diff --git a/src/main/kotlin/no/nav/syfo/infrastructure/clients/veiledertilgang/VeilederAPIAccessPipeline.kt b/src/main/kotlin/no/nav/syfo/infrastructure/clients/veiledertilgang/VeilederAPIAccessPipeline.kt
new file mode 100644
index 0000000..677a7b4
--- /dev/null
+++ b/src/main/kotlin/no/nav/syfo/infrastructure/clients/veiledertilgang/VeilederAPIAccessPipeline.kt
@@ -0,0 +1,31 @@
+package no.nav.syfo.infrastructure.clients.veiledertilgang
+
+import io.ktor.server.application.*
+import io.ktor.util.pipeline.*
+import no.nav.syfo.domain.Personident
+import no.nav.syfo.util.getBearerHeader
+import no.nav.syfo.util.getCallId
+
+suspend fun PipelineContext.validateVeilederAccess(
+ action: String,
+ personident: Personident,
+ veilederTilgangskontrollClient: VeilederTilgangskontrollClient,
+ requestBlock: suspend () -> Unit,
+) {
+ val callId = call.getCallId()
+ val token = call.getBearerHeader() ?: throw IllegalArgumentException("Failed to complete the following action: $action. No Authorization header supplied")
+
+ val hasVeilederAccess = veilederTilgangskontrollClient.hasAccess(
+ callId = callId,
+ personIdent = personident,
+ token = token,
+ )
+
+ if (hasVeilederAccess) {
+ requestBlock()
+ } else {
+ throw ForbiddenAccessVeilederException(
+ action = action,
+ )
+ }
+}
diff --git a/src/main/kotlin/no/nav/syfo/infrastructure/clients/veiledertilgang/VeilederTilgangskontrollClient.kt b/src/main/kotlin/no/nav/syfo/infrastructure/clients/veiledertilgang/VeilederTilgangskontrollClient.kt
new file mode 100644
index 0000000..99cd529
--- /dev/null
+++ b/src/main/kotlin/no/nav/syfo/infrastructure/clients/veiledertilgang/VeilederTilgangskontrollClient.kt
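Review bot: `validateVeilederAccess` reports a missing bearer token with `IllegalArgumentException`, which `installStatusPages` in ApiModule.kt maps to 400 Bad Request, although a missing credential is an authentication failure. The function appears to assume it is only called from routes already wrapped in `authenticate(JwtIssuerType.INTERNAL_AZUREAD.name)`, where that branch cannot be reached. I would state that in a KDoc line on the function, `/** Must be called inside an authenticate block; the bearer token is forwarded to istilgangskontroll. */`, so that a later route outside the block is caught in review.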
@@ -0,0 +1,97 @@
+package no.nav.syfo.infrastructure.clients.veiledertilgang
+
+import io.ktor.client.*
+import io.ktor.client.call.*
+import io.ktor.client.plugins.*
+import io.ktor.client.request.*
+import io.ktor.client.statement.*
+import io.ktor.http.*
+import io.micrometer.core.instrument.Counter
+import net.logstash.logback.argument.StructuredArguments
+import no.nav.syfo.domain.Personident
+import no.nav.syfo.infrastructure.*
+import no.nav.syfo.infrastructure.clients.ClientEnvironment
+import no.nav.syfo.infrastructure.clients.azuread.AzureAdClient
+import no.nav.syfo.infrastructure.clients.httpClientDefault
+import no.nav.syfo.infrastructure.metric.METRICS_NS
+import no.nav.syfo.infrastructure.metric.METRICS_REGISTRY
+import org.slf4j.LoggerFactory
+
+class VeilederTilgangskontrollClient(
+ private val azureAdClient: AzureAdClient,
+ private val clientEnvironment: ClientEnvironment,
+ private val httpClient: HttpClient = httpClientDefault()
+) {
+ private val tilgangskontrollPersonUrl = "${clientEnvironment.baseUrl}$TILGANGSKONTROLL_PERSON_PATH"
+
+ suspend fun hasAccess(
+ callId: String,
+ personIdent: Personident,
+ token: String
+ ): Boolean {
+ val onBehalfOfToken =
+ azureAdClient.getOnBehalfOfToken(
+ scopeClientId = clientEnvironment.clientId,
+ token = token
+ )?.accessToken ?: throw RuntimeException("Failed to request access to Person: Failed to get OBO token")
+
+ return try {
+ val tilgang =
+ httpClient.get(tilgangskontrollPersonUrl) {
+ header(HttpHeaders.Authorization, bearerHeader(onBehalfOfToken))
+ header(NAV_PERSONIDENT_HEADER, personIdent.value)
+ header(NAV_CALL_ID_HEADER, callId)
+ accept(ContentType.Application.Json)
+ }
+ Metrics.COUNT_CALL_TILGANGSKONTROLL_PERSON_SUCCESS.increment()
+ tilgang.body().erGodkjent
+ } catch (e: ResponseException) {
+ if (e.response.status == HttpStatusCode.Forbidden) {
+ Metrics.COUNT_CALL_TILGANGSKONTROLL_PERSON_FORBIDDEN.increment()
+ } else {
+ handleUnexpectedResponseException(e.response, callId)
+ }
+ false
+ }
+ }
+
+ private fun handleUnexpectedResponseException(
+ response: HttpResponse,
+ callId: String
+ ) {
+ log.error(
+ "Error while requesting access to person from istilgangskontroll with {}, {}",
+ StructuredArguments.keyValue("statusCode", response.status.value.toString()),
+ StructuredArguments.keyValue("callId", callId)
+ )
+ Metrics.COUNT_CALL_TILGANGSKONTROLL_PERSON_FAIL.increment()
+ }
+
+ companion object {
+ private val log = LoggerFactory.getLogger(VeilederTilgangskontrollClient::class.java)
+
+ const val TILGANGSKONTROLL_PERSON_PATH = "/api/tilgang/navident/person"
+ }
+}
+
+private class Metrics {
+ companion object {
+ const val CALL_TILGANGSKONTROLL_PERSON_BASE = "${METRICS_NS}_call_tilgangskontroll_person"
+ const val CALL_TILGANGSKONTROLL_PERSON_SUCCESS = "${CALL_TILGANGSKONTROLL_PERSON_BASE}_success_count"
+ const val CALL_TILGANGSKONTROLL_PERSON_FAIL = "${CALL_TILGANGSKONTROLL_PERSON_BASE}_fail_count"
+ const val CALL_TILGANGSKONTROLL_PERSON_FORBIDDEN = "${CALL_TILGANGSKONTROLL_PERSON_BASE}_forbidden_count"
+
+ val COUNT_CALL_TILGANGSKONTROLL_PERSON_SUCCESS: Counter =
+ Counter.builder(CALL_TILGANGSKONTROLL_PERSON_SUCCESS)
+ .description("Counts the number of successful calls to istilgangskontroll - person")
+ .register(METRICS_REGISTRY)
+ val COUNT_CALL_TILGANGSKONTROLL_PERSON_FAIL: Counter =
+ Counter.builder(CALL_TILGANGSKONTROLL_PERSON_FAIL)
+ .description("Counts the number of failed calls to istilgangskontroll - person")
+ .register(METRICS_REGISTRY)
+ val COUNT_CALL_TILGANGSKONTROLL_PERSON_FORBIDDEN: Counter =
+ Counter.builder(CALL_TILGANGSKONTROLL_PERSON_FORBIDDEN)
+ .description("Counts the number of forbidden calls to istilgangskontroll - person")
+ .register(METRICS_REGISTRY)
+ }
+}
diff --git a/src/main/kotlin/no/nav/syfo/infrastructure/clients/wellknown/WellKnown.kt b/src/main/kotlin/no/nav/syfo/infrastructure/clients/wellknown/WellKnown.kt
new file mode 100644
index 0000000..afc19d6
--- /dev/null
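Review bot: In `hasAccess`, only `ResponseException` reaches the fail counter and the error log that carries `callId`; a timeout, a connection failure or a body that does not deserialize propagates as a plain exception, so `COUNT_CALL_TILGANGSKONTROLL_PERSON_FAIL` under-reports exactly the outages it is meant to show. The decision itself still fails closed, since the exception ends the request, which is the right default for an access check. The success counter is incremented before the body is read and regardless of `erGodkjent`, so it counts completed HTTP calls rather than granted access. I would move the increment after the body has been parsed and add a generic `catch` that counts and logs the failure before rethrowing.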
+++ b/src/main/kotlin/no/nav/syfo/infrastructure/clients/wellknown/WellKnown.kt
@@ -0,0 +1,6 @@
+package no.nav.syfo.infrastructure.clients.wellknown
+
+data class WellKnown(
+ val issuer: String,
+ val jwksUri: String,
+)
diff --git a/src/main/kotlin/no/nav/syfo/infrastructure/clients/wellknown/WellKnownClient.kt b/src/main/kotlin/no/nav/syfo/infrastructure/clients/wellknown/WellKnownClient.kt
new file mode 100644
index 0000000..cd66802
--- /dev/null
+++ b/src/main/kotlin/no/nav/syfo/infrastructure/clients/wellknown/WellKnownClient.kt
@@ -0,0 +1,13 @@
+package no.nav.syfo.infrastructure.clients.wellknown
+
+import io.ktor.client.call.*
+import io.ktor.client.request.*
+import kotlinx.coroutines.runBlocking
+import no.nav.syfo.infrastructure.clients.httpClientProxy
+
+fun getWellKnown(wellKnownUrl: String): WellKnown =
+ runBlocking {
+ httpClientProxy().use { client ->
+ client.get(wellKnownUrl).body().toWellKnown()
+ }
+ }
diff --git a/src/main/kotlin/no/nav/syfo/infrastructure/clients/wellknown/WellKnownDTO.kt b/src/main/kotlin/no/nav/syfo/infrastructure/clients/wellknown/WellKnownDTO.kt
new file mode 100644
index 0000000..c707ede
--- /dev/null
+++ b/src/main/kotlin/no/nav/syfo/infrastructure/clients/wellknown/WellKnownDTO.kt
@@ -0,0 +1,14 @@
+package no.nav.syfo.infrastructure.clients.wellknown
+
+data class WellKnownDTO(
+ val authorization_endpoint: String,
+ val issuer: String,
+ val jwks_uri: String,
+ val token_endpoint: String,
+)
+
+fun WellKnownDTO.toWellKnown() =
+ WellKnown(
+ issuer = this.issuer,
+ jwksUri = this.jwks_uri,
+ )
diff --git a/src/main/kotlin/no/nav/syfo/infrastructure/database/Database.kt b/src/main/kotlin/no/nav/syfo/infrastructure/database/Database.kt
new file mode 100644
index 0000000..6366457
--- /dev/null
+++ b/src/main/kotlin/no/nav/syfo/infrastructure/database/Database.kt
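Review bot: `getWellKnown` in WellKnownClient.kt passes `issuer` and `jwks_uri` from the discovery document straight into the JWT verifier configuration, and the key set behind `jwks_uri` is the trust anchor for every token this service accepts. A scheme check before the value is used, `require(jwksUri.startsWith("https://")) { "jwks_uri must be https" }`, makes a misconfigured or tampered discovery response fail at start-up instead of silently changing which keys are trusted. Putting it in `getWellKnown` rather than in the `WellKnown` constructor keeps test fixtures that build `WellKnown` directly unaffected.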
@@ -0,0 +1,60 @@
+package no.nav.syfo.infrastructure.database
+
+import com.zaxxer.hikari.HikariConfig
+import com.zaxxer.hikari.HikariDataSource
+import com.zaxxer.hikari.metrics.prometheus.PrometheusMetricsTrackerFactory
+import org.flywaydb.core.Flyway
+import java.sql.Connection
+import java.sql.ResultSet
+
+data class DatabaseConfig(
+ val jdbcUrl: String,
+ val password: String,
+ val username: String,
+ val poolSize: Int = 4,
+)
+
+class Database(
+ private val config: DatabaseConfig
+) : DatabaseInterface {
+ override val connection: Connection
+ get() = dataSource.connection
+
+ private var dataSource: HikariDataSource = HikariDataSource(
+ HikariConfig().apply {
+ jdbcUrl = config.jdbcUrl
+ username = config.username
+ password = config.password
+ maximumPoolSize = config.poolSize
+ minimumIdle = 1
+ isAutoCommit = false
+ transactionIsolation = "TRANSACTION_REPEATABLE_READ"
+ metricsTrackerFactory = PrometheusMetricsTrackerFactory()
+ validate()
+ }
+ )
+
+ init {
+ runFlywayMigrations()
+ }
+
+ private fun runFlywayMigrations() = Flyway.configure().run {
+ dataSource(
+ config.jdbcUrl,
+ config.username,
+ config.password,
+ )
+ validateMigrationNaming(true)
+ load().migrate().migrationsExecuted
+ }
+}
+
+interface DatabaseInterface {
+ val connection: Connection
+}
+
+fun ResultSet.toList(mapper: ResultSet.() -> T) = mutableListOf().apply {
+ while (next()) {
+ add(mapper())
+ }
+}
diff --git a/src/main/kotlin/no/nav/syfo/infrastructure/database/DatabaseEnvironment.kt b/src/main/kotlin/no/nav/syfo/infrastructure/database/DatabaseEnvironment.kt
new file mode 100644
index 0000000..ca7730c
--- /dev/null
+++ b/src/main/kotlin/no/nav/syfo/infrastructure/database/DatabaseEnvironment.kt
@@ -0,0 +1,10 @@
+package no.nav.syfo.infrastructure.database
+
+data class DatabaseEnvironment(
+ val host: String,
+ val port: String,
+ val name: String,
+ val username: String,
+ val password: String,
+ val url: String,
+)
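Review bot: `connection` in Database.kt reads like a stored property, but its getter checks a new connection out of the Hikari pool on every access, with `isAutoCommit = false` and a default `poolSize` of 4. A caller that reads it twice, or forgets `use { }` or `commit()`, leaks a pooled connection or silently loses its writes, and with four connections the pool empties quickly. I would put a KDoc on `DatabaseInterface.connection` stating that each read returns a fresh connection that the caller must close and commit. `private var dataSource` is never reassigned in the hunk and can be a `val`.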
diff --git a/src/main/kotlin/no/nav/syfo/infrastructure/database/DatabaseModule.kt b/src/main/kotlin/no/nav/syfo/infrastructure/database/DatabaseModule.kt
new file mode 100644
index 0000000..c0e8545
--- /dev/null
+++ b/src/main/kotlin/no/nav/syfo/infrastructure/database/DatabaseModule.kt
@@ -0,0 +1,25 @@
+package no.nav.syfo.infrastructure.database
+
+import no.nav.syfo.isLocal
+
+lateinit var applicationDatabase: DatabaseInterface
+
+fun databaseModule(
+ databaseEnvironment: DatabaseEnvironment
+) = if (isLocal()) {
+ applicationDatabase = Database(
+ DatabaseConfig(
+ jdbcUrl = "jdbc:postgresql://localhost:5432/ismanglendemedvirkning_dev",
+ password = "password",
+ username = "username",
+ )
+ )
+} else {
+ applicationDatabase = Database(
+ DatabaseConfig(
+ jdbcUrl = databaseEnvironment.url,
+ username = databaseEnvironment.username,
+ password = databaseEnvironment.password,
+ )
+ )
+}
diff --git a/src/main/kotlin/no/nav/syfo/infrastructure/metric/Metric.kt b/src/main/kotlin/no/nav/syfo/infrastructure/metric/Metric.kt
new file mode 100644
index 0000000..da09080
--- /dev/null
+++ b/src/main/kotlin/no/nav/syfo/infrastructure/metric/Metric.kt
@@ -0,0 +1,8 @@
+package no.nav.syfo.infrastructure.metric
+
+import io.micrometer.prometheusmetrics.PrometheusConfig
+import io.micrometer.prometheusmetrics.PrometheusMeterRegistry
+
+const val METRICS_NS = "ismanglendemedvirkning"
+
+val METRICS_REGISTRY = PrometheusMeterRegistry(PrometheusConfig.DEFAULT)
diff --git a/src/main/kotlin/no/nav/syfo/util/DateUtil.kt b/src/main/kotlin/no/nav/syfo/util/DateUtil.kt
new file mode 100644
index 0000000..adfa386
--- /dev/null
+++ b/src/main/kotlin/no/nav/syfo/util/DateUtil.kt
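Review bot: `databaseModule` selects the hard-coded `username` / `password` localhost configuration whenever `isLocal()` is true, and `isLocal()` in ApplicationEnvironment.kt treats a missing `KTOR_ENV` as "local". A deployment that loses that variable therefore ignores the injected database settings without any error naming the cause. I would make local mode opt-in, `fun isLocal() = System.getenv("KTOR_ENV") == "local"`, so an unset variable falls through to the injected configuration. The development credentials would also be easier to audit as named constants or in a test/dev source set than inline in the production module.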
@@ -0,0 +1,10 @@
+package no.nav.syfo.util
+
+import java.time.*
+
+val defaultZoneOffset: ZoneOffset = ZoneOffset.UTC
+val osloTimeZone: ZoneId = ZoneId.of("Europe/Oslo")
+
+fun nowUTC(): OffsetDateTime = OffsetDateTime.now(defaultZoneOffset)
+
+fun LocalDateTime.toOffsetDateTimeUTC(): OffsetDateTime = this.atZone(osloTimeZone).withZoneSameInstant(defaultZoneOffset).toOffsetDateTime()
diff --git a/src/main/kotlin/no/nav/syfo/util/ObjectMapperConfig.kt b/src/main/kotlin/no/nav/syfo/util/ObjectMapperConfig.kt
new file mode 100644
index 0000000..2483149
--- /dev/null
+++ b/src/main/kotlin/no/nav/syfo/util/ObjectMapperConfig.kt
@@ -0,0 +1,14 @@
+package no.nav.syfo.util
+
+import com.fasterxml.jackson.databind.*
+import com.fasterxml.jackson.datatype.jsr310.JavaTimeModule
+import com.fasterxml.jackson.module.kotlin.jacksonObjectMapper
+
+fun configuredJacksonMapper() = jacksonObjectMapper().configure()
+
+fun ObjectMapper.configure() =
+ this.apply {
+ registerModule(JavaTimeModule())
+ configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false)
+ configure(SerializationFeature.WRITE_DATES_AS_TIMESTAMPS, false)
+ }
diff --git a/src/main/kotlin/no/nav/syfo/util/PipelineUtil.kt b/src/main/kotlin/no/nav/syfo/util/PipelineUtil.kt
new file mode 100644
index 0000000..e80de4d
--- /dev/null
+++ b/src/main/kotlin/no/nav/syfo/util/PipelineUtil.kt
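Review bot: `LocalDateTime.toOffsetDateTimeUTC()` in DateUtil.kt interprets the receiver as Europe/Oslo wall-clock time before converting, which the name does not reveal. A value produced with `LocalDateTime.now()` on a host whose zone is not Oslo, or one that is already in UTC, would be shifted by one or two hours. A KDoc line such as `/** Interprets this value as Europe/Oslo local time and returns the same instant at UTC offset. */` records the assumption at the call site.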
@@ -0,0 +1,30 @@
+package no.nav.syfo.util
+
+import com.auth0.jwt.JWT
+import io.ktor.http.*
+import io.ktor.server.application.*
+import no.nav.syfo.domain.Personident
+import no.nav.syfo.infrastructure.NAV_CALL_ID_HEADER
+import no.nav.syfo.infrastructure.NAV_PERSONIDENT_HEADER
+
+const val JWT_CLAIM_AZP = "azp"
+const val JWT_CLAIM_NAVIDENT = "NAVident"
+
+fun ApplicationCall.getCallId(): String = this.request.headers[NAV_CALL_ID_HEADER].toString()
+
+fun ApplicationCall.getPersonident(): Personident? =
+ this.request.headers[NAV_PERSONIDENT_HEADER]?.let { Personident(it) }
+
+fun ApplicationCall.getConsumerClientId(): String? =
+ getBearerHeader()?.let {
+ JWT.decode(it).claims[JWT_CLAIM_AZP]?.asString()
+ }
+
+fun ApplicationCall.getNAVIdent(): String {
+ val token = getBearerHeader() ?: throw Error("No Authorization header supplied")
+ return JWT.decode(token).claims[JWT_CLAIM_NAVIDENT]?.asString()
+ ?: throw Error("Missing NAVident in private claims")
+}
+
+fun ApplicationCall.getBearerHeader(): String? =
+ this.request.headers[HttpHeaders.Authorization]?.removePrefix("Bearer ")
diff --git a/src/main/resources/db/migration/R__grant_to_cloudsqliamuser.sql b/src/main/resources/db/migration/R__grant_to_cloudsqliamuser.sql
new file mode 100644
index 0000000..83ce7c3
--- /dev/null
+++ b/src/main/resources/db/migration/R__grant_to_cloudsqliamuser.sql
@@ -0,0 +1,3 @@
+REVOKE ALL ON ALL TABLES IN SCHEMA public FROM cloudsqliamuser;
+GRANT SELECT ON ALL TABLES IN SCHEMA public TO cloudsqliamuser;
+GRANT SELECT ON ALL TABLES IN SCHEMA public TO "isyfo-analyse";
diff --git a/src/main/resources/db/migration/V1_1__create_user_cloudsqliamuser.sql b/src/main/resources/db/migration/V1_1__create_user_cloudsqliamuser.sql
new file mode 100644
index 0000000..bb4c102
--- /dev/null
+++ b/src/main/resources/db/migration/V1_1__create_user_cloudsqliamuser.sql
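Review bot: `getConsumerClientId` and `getNAVIdent` in PipelineUtil.kt read claims with `JWT.decode`, which parses the token without checking its signature, issuer or audience. The values can only be trusted on routes already wrapped in `authenticate(...)`, yet the status-pages handler in ApiModule.kt calls `getConsumerClientId` for every failing request, so unverified claim values can reach the logs. Reading from the verified principal, `call.principal<JWTPrincipal>()?.payload?.getClaim(JWT_CLAIM_NAVIDENT)?.asString()`, removes that dependency on call order. `getCallId()` also returns the literal string "null" when the header is absent, because `.toString()` is applied to a nullable value; the CallId plugin's `call.callId` would return the generated id instead.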
@@ -0,0 +1,7 @@ +DO $$ +BEGIN + CREATE ROLE cloudsqliamuser WITH NOLOGIN; + EXCEPTION WHEN DUPLICATE_OBJECT THEN + RAISE NOTICE 'not creating role cloudsqliamuser -- it already exists'; +END +$$; diff --git a/src/main/resources/db/migration/V1_2__create_user_isyfoanalyse.sql b/src/main/resources/db/migration/V1_2__create_user_isyfoanalyse.sql new file mode 100644 index 0000000..a14997c --- /dev/null +++ b/src/main/resources/db/migration/V1_2__create_user_isyfoanalyse.sql @@ -0,0 +1,7 @@ +DO $$ +BEGIN + CREATE USER "isyfo-analyse"; + EXCEPTION WHEN DUPLICATE_OBJECT THEN + RAISE NOTICE 'not creating role isyfo-analyse -- it already exists'; +END +$$; diff --git a/src/main/resources/logback.xml b/src/main/resources/logback.xml new file mode 100644 index 0000000..9baf8df --- /dev/null +++ b/src/main/resources/logback.xml @@ -0,0 +1,21 @@ + + + + + + + + \d{11} + \d{6}\s\d{5} + *********** + + + + + + + + + + + diff --git a/src/test/kotlin/no/nav/syfo/ExternalMockEnvironment.kt b/src/test/kotlin/no/nav/syfo/ExternalMockEnvironment.kt new file mode 100644 index 0000000..53d74a8 --- /dev/null +++ b/src/test/kotlin/no/nav/syfo/ExternalMockEnvironment.kt 
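Review bot: In V1_2__create_user_isyfoanalyse.sql, `CREATE USER "isyfo-analyse";` creates a role with the LOGIN attribute, whereas V1_1 creates `cloudsqliamuser` `WITH NOLOGIN`, and the difference is not explained. If the analysis role is only meant to carry grants, `CREATE ROLE "isyfo-analyse" WITH NOLOGIN;` keeps it from being a directly connectable account. If it does have to log in, a comment such as `-- authenticates via <mechanism>; no password is set here` would make that intent reviewable. How the role is used is not visible in this patch, so this is a request to confirm rather than a confirmed defect.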
@@ -0,0 +1,32 @@
+package no.nav.syfo
+
+import no.nav.syfo.infrastructure.clients.azuread.AzureAdClient
+import no.nav.syfo.infrastructure.clients.wellknown.WellKnown
+import no.nav.syfo.infrastructure.database.TestDatabase
+import no.nav.syfo.infrastructure.mock.mockHttpClient
+import java.nio.file.Paths
+
+fun wellKnownInternalAzureAD(): WellKnown {
+ val path = "src/test/resources/jwkset.json"
+ val uri = Paths.get(path).toUri().toURL()
+ return WellKnown(
+ issuer = "https://sts.issuer.net/veileder/v2",
+ jwksUri = uri.toString()
+ )
+}
+
+class ExternalMockEnvironment private constructor() {
+ val applicationState: ApplicationState = testAppState()
+ val database = TestDatabase()
+ val environment = testEnvironment()
+ val mockHttpClient = mockHttpClient(environment = environment)
+ val wellKnownInternalAzureAD = wellKnownInternalAzureAD()
+ val azureAdClient = AzureAdClient(
+ azureEnvironment = environment.azure,
+ httpClient = mockHttpClient,
+ )
+
+ companion object {
+ val instance: ExternalMockEnvironment = ExternalMockEnvironment()
+ }
+}
diff --git a/src/test/kotlin/no/nav/syfo/TestEnvironment.kt b/src/test/kotlin/no/nav/syfo/TestEnvironment.kt
new file mode 100644
index 0000000..beff663
--- /dev/null
+++ b/src/test/kotlin/no/nav/syfo/TestEnvironment.kt
@@ -0,0 +1,35 @@
+package no.nav.syfo
+
+import no.nav.syfo.infrastructure.clients.ClientEnvironment
+import no.nav.syfo.infrastructure.clients.ClientsEnvironment
+import no.nav.syfo.infrastructure.clients.azuread.AzureEnvironment
+import no.nav.syfo.infrastructure.database.DatabaseEnvironment
+
+fun testEnvironment() = Environment(
+ database = DatabaseEnvironment(
+ host = "localhost",
+ port = "5432",
+ name = "ismanglendemedvirkning_dev",
+ username = "username",
+ password = "password",
+ url = "jdbc:postgresql://localhost:5432/ismanglendemedvirkning_dev",
+ ),
+ azure = AzureEnvironment(
+ appClientId = "ismanglendemedvirkning-client-id",
+ appClientSecret = "ismanglendemedvirkning-secret",
+ appWellKnownUrl = "wellknown",
+ openidConfigTokenEndpoint = "azureOpenIdTokenEndpoint",
+ ),
+ clients = ClientsEnvironment(
+ istilgangskontroll = ClientEnvironment(
+ baseUrl = "isTilgangskontrollUrl",
+ clientId = "dev-gcp.teamsykefravr.istilgangskontroll",
+ ),
+ ),
+ electorPath = "electorPath",
+)
+
+fun testAppState() = ApplicationState(
+ alive = true,
+ ready = true,
+)
diff --git a/src/test/kotlin/no/nav/syfo/UserConstants.kt b/src/test/kotlin/no/nav/syfo/UserConstants.kt
new file mode 100644
index 0000000..bf359cc
--- /dev/null
+++ b/src/test/kotlin/no/nav/syfo/UserConstants.kt
@@ -0,0 +1,9 @@
+package no.nav.syfo
+
+import no.nav.syfo.domain.Personident
+
+object UserConstants {
+ val ARBEIDSTAKER_PERSONIDENT = Personident("12345678910")
+ val ARBEIDSTAKER_PERSONIDENT_VEILEDER_NO_ACCESS = Personident("11111111111")
+ const val VEILEDER_IDENT = "Z999999"
+}
diff --git a/src/test/kotlin/no/nav/syfo/api/JWTUtil.kt b/src/test/kotlin/no/nav/syfo/api/JWTUtil.kt
new file mode 100644
index 0000000..6f6156c
--- /dev/null
+++ b/src/test/kotlin/no/nav/syfo/api/JWTUtil.kt
@@ -0,0 +1,62 @@
+package no.nav.syfo.api
+
+import com.auth0.jwt.JWT
+import com.auth0.jwt.algorithms.Algorithm
+import com.nimbusds.jose.jwk.JWKSet
+import com.nimbusds.jose.jwk.RSAKey
+import no.nav.syfo.util.JWT_CLAIM_NAVIDENT
+import java.io.IOException
+import java.nio.charset.StandardCharsets
+import java.nio.file.Files
+import java.nio.file.Paths
+import java.text.ParseException
+import java.time.LocalDateTime
+import java.time.ZoneId
+import java.util.*
+
+const val keyId = "localhost-signer"
+
+// Mock of JWT-token supplied by AzureAD. KeyId must match kid in jwkset.json
+fun generateJWT(
+ audience: String,
+ issuer: String,
+ navIdent: String? = null,
+ subject: String? = null,
+ expiry: LocalDateTime? = LocalDateTime.now().plusHours(1)
+): String {
+ val now = Date()
+ val key = getDefaultRSAKey()
+ val alg = Algorithm.RSA256(key.toRSAPublicKey(), key.toRSAPrivateKey())
+
+ return JWT.create()
+ .withKeyId(keyId)
+ .withSubject(subject ?: "subject")
+ .withIssuer(issuer)
+ .withAudience(audience)
+ .withJWTId(UUID.randomUUID().toString())
+ .withClaim("ver", "1.0")
+ .withClaim("nonce", "myNonce")
+ .withClaim("auth_time", now)
+ .withClaim("nbf", now)
+ .withClaim("iat", now)
+ .withClaim("exp", Date.from(expiry?.atZone(ZoneId.systemDefault())?.toInstant()))
+ .withClaim(JWT_CLAIM_NAVIDENT, navIdent)
+ .sign(alg)
+}
+
+private fun getDefaultRSAKey(): RSAKey {
+ return getJWKSet().getKeyByKeyId(keyId) as RSAKey
+}
+
+private fun getJWKSet(): JWKSet {
+ val jwkSet = getFileAsString("src/test/resources/jwkset.json")
+ try {
+ return JWKSet.parse(jwkSet)
+ } catch (io: IOException) {
+ throw RuntimeException(io)
+ } catch (io: ParseException) {
+ throw RuntimeException(io)
+ }
+}
+
+fun getFileAsString(filePath: String) = String(Files.readAllBytes(Paths.get(filePath)), StandardCharsets.UTF_8)
diff --git a/src/test/kotlin/no/nav/syfo/api/TestApiModule.kt b/src/test/kotlin/no/nav/syfo/api/TestApiModule.kt
new file mode 100644
index 0000000..e1c6fa5
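Review bot: `generateJWT` declares `expiry` as `LocalDateTime?`, but a null value makes `Date.from(expiry?.atZone(ZoneId.systemDefault())?.toInstant())` throw a NullPointerException rather than produce a token without `exp`. Either make the parameter non-null, `expiry: LocalDateTime = LocalDateTime.now().plusHours(1),`, or add the `exp` claim only when `expiry` is set. The second option also lets a test confirm that the API rejects tokens with no expiry. As written, the nullable type advertises a case that cannot work.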
--- /dev/null
+++ b/src/test/kotlin/no/nav/syfo/api/TestApiModule.kt
@@ -0,0 +1,24 @@
+package no.nav.syfo.api
+
+import io.ktor.server.application.*
+import no.nav.syfo.ExternalMockEnvironment
+import no.nav.syfo.infrastructure.clients.veiledertilgang.VeilederTilgangskontrollClient
+
+fun Application.testApiModule(
+ externalMockEnvironment: ExternalMockEnvironment,
+) {
+ val database = externalMockEnvironment.database
+ val veilederTilgangskontrollClient = VeilederTilgangskontrollClient(
+ azureAdClient = externalMockEnvironment.azureAdClient,
+ clientEnvironment = externalMockEnvironment.environment.clients.istilgangskontroll,
+ httpClient = externalMockEnvironment.mockHttpClient,
+ )
+
+ this.apiModule(
+ applicationState = externalMockEnvironment.applicationState,
+ environment = externalMockEnvironment.environment,
+ wellKnownInternalAzureAD = externalMockEnvironment.wellKnownInternalAzureAD,
+ database = database,
+ veilederTilgangskontrollClient = veilederTilgangskontrollClient,
+ )
+}
diff --git a/src/test/kotlin/no/nav/syfo/api/TestApplicationEngineUtils.kt b/src/test/kotlin/no/nav/syfo/api/TestApplicationEngineUtils.kt
new file mode 100644
index 0000000..afc99c7
--- /dev/null
+++ b/src/test/kotlin/no/nav/syfo/api/TestApplicationEngineUtils.kt
@@ -0,0 +1,66 @@
+package no.nav.syfo.api
+
+import no.nav.syfo.UserConstants
+import io.ktor.http.*
+import io.ktor.server.testing.*
+import no.nav.syfo.infrastructure.NAV_PERSONIDENT_HEADER
+import no.nav.syfo.infrastructure.bearerHeader
+import org.amshove.kluent.shouldBeEqualTo
+
+fun TestApplicationEngine.testMissingToken(url: String, httpMethod: HttpMethod) {
+ with(
+ handleRequest(httpMethod, url) {}
+ ) {
+ response.status() shouldBeEqualTo HttpStatusCode.Unauthorized
+ }
+}
+
+fun TestApplicationEngine.testMissingPersonIdent(
+ url: String,
+ validToken: String,
+ httpMethod: HttpMethod,
+) {
+ with(
+ handleRequest(httpMethod, url) {
+ addHeader(HttpHeaders.Authorization, bearerHeader(validToken))
+ }
+ ) {
+ response.status() shouldBeEqualTo HttpStatusCode.BadRequest
+ }
+}
+
+fun TestApplicationEngine.testInvalidPersonIdent(
+ url: String,
+ validToken: String,
+ httpMethod: HttpMethod,
+) {
+ with(
+ handleRequest(httpMethod, url) {
+ addHeader(HttpHeaders.Authorization, bearerHeader(validToken))
+ addHeader(
+ NAV_PERSONIDENT_HEADER,
+ UserConstants.ARBEIDSTAKER_PERSONIDENT.value.drop(1)
+ )
+ }
+ ) {
+ response.status() shouldBeEqualTo HttpStatusCode.BadRequest
+ }
+}
+
+fun TestApplicationEngine.testDeniedPersonAccess(
+ url: String,
+ validToken: String,
+ httpMethod: HttpMethod,
+) {
+ with(
+ handleRequest(httpMethod, url) {
+ addHeader(HttpHeaders.Authorization, bearerHeader(validToken))
+ addHeader(
+ NAV_PERSONIDENT_HEADER,
+ UserConstants.ARBEIDSTAKER_PERSONIDENT_VEILEDER_NO_ACCESS.value
+ )
+ }
+ ) {
+ response.status() shouldBeEqualTo HttpStatusCode.Forbidden
+ }
+}
diff --git a/src/test/kotlin/no/nav/syfo/api/endpoints/PodApiSpek.kt b/src/test/kotlin/no/nav/syfo/api/endpoints/PodApiSpek.kt
new file mode 100644
index 0000000..19111c0
--- /dev/null
+++ b/src/test/kotlin/no/nav/syfo/api/endpoints/PodApiSpek.kt
@@ -0,0 +1,102 @@
+package no.nav.syfo.api.endpoints
+
+import io.ktor.http.*
+import io.ktor.server.routing.*
+import io.ktor.server.testing.*
+import no.nav.syfo.ApplicationState
+import no.nav.syfo.infrastructure.database.TestDatabase
+import no.nav.syfo.infrastructure.database.TestDatabaseNotResponding
+import org.amshove.kluent.shouldBeEqualTo
+import org.amshove.kluent.shouldNotBeEqualTo
+import org.spekframework.spek2.Spek
+import org.spekframework.spek2.style.specification.describe
+
+object PodApiSpek : Spek({
+
+ val database = TestDatabase()
+ val databaseNotResponding = TestDatabaseNotResponding()
+
+ describe("Successful liveness and readiness checks") {
+ with(TestApplicationEngine()) {
+ start()
+ application.routing {
+ podEndpoints(
+ applicationState = ApplicationState(
+ alive = true,
+ ready = true
+ ),
+ database = database,
+ )
+ }
+
+ it("Returns ok on is_alive") {
+ with(handleRequest(HttpMethod.Get, "/internal/is_alive")) {
+ response.status()?.isSuccess() shouldBeEqualTo true
+ response.content shouldNotBeEqualTo null
+ }
+ }
+ it("Returns ok on is_alive") {
+ with(handleRequest(HttpMethod.Get, "/internal/is_ready")) {
+ response.status()?.isSuccess() shouldBeEqualTo true
+ response.content shouldNotBeEqualTo null
+ }
+ }
+ }
+ }
+ describe("Unsuccessful liveness and readiness checks") {
+ with(TestApplicationEngine()) {
+ start()
+ application.routing {
+ podEndpoints(
+ ApplicationState(
+ alive = false,
+ ready = false
+ ),
+ database = database,
+ )
+ }
+
+ it("Returns internal server error when liveness check fails") {
+ with(handleRequest(HttpMethod.Get, "/internal/is_alive")) {
+ response.status() shouldBeEqualTo HttpStatusCode.InternalServerError
+ response.content shouldNotBeEqualTo null
+ }
+ }
+
+ it("Returns internal server error when readiness check fails") {
+ with(handleRequest(HttpMethod.Get, "/internal/is_ready")) {
+ response.status() shouldBeEqualTo HttpStatusCode.InternalServerError
+ response.content shouldNotBeEqualTo null
+ }
+ }
+ }
+ }
+ describe("Successful liveness and unsuccessful readiness checks when database not working") {
+ with(TestApplicationEngine()) {
+ start()
+ application.routing {
+ podEndpoints(
+ ApplicationState(
+ alive = true,
+ ready = true
+ ),
+ database = databaseNotResponding,
+ )
+ }
+
+ it("Returns ok on is_alive") {
+ with(handleRequest(HttpMethod.Get, "/internal/is_alive")) {
+ response.status()?.isSuccess() shouldBeEqualTo true
+ response.content shouldNotBeEqualTo null
+ }
+ }
+
+ it("Returns internal server error when readiness check fails") {
+ with(handleRequest(HttpMethod.Get, "/internal/is_ready")) {
+ response.status() shouldBeEqualTo HttpStatusCode.InternalServerError
+ response.content shouldNotBeEqualTo null
+ }
+ }
+ }
+ }
+})
diff --git a/src/test/kotlin/no/nav/syfo/infrastructure/database/TestDatabase.kt b/src/test/kotlin/no/nav/syfo/infrastructure/database/TestDatabase.kt
new file mode 100644
index 0000000..1bf85c4
--- /dev/null
+++ b/src/test/kotlin/no/nav/syfo/infrastructure/database/TestDatabase.kt
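Review bot: The second test in the first `describe` of PodApiSpek is titled `Returns ok on is_alive` but requests `/internal/is_ready`. The readiness case is therefore reported under the liveness name, and two tests in the same group share a title. Rename it: `it("Returns ok on is_ready") {`. The `TestDatabase()` created at the top of the spec also starts an embedded Postgres that this file never stops; calling `database.stop()` in a teardown hook would keep instances from piling up across specs.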
@@ -0,0 +1,43 @@
+package no.nav.syfo.infrastructure.database
+
+import io.zonky.test.db.postgres.embedded.EmbeddedPostgres
+import org.flywaydb.core.Flyway
+import java.sql.Connection
+
+class TestDatabase : DatabaseInterface {
+ private val pg: EmbeddedPostgres = try {
+ EmbeddedPostgres.start()
+ } catch (e: Exception) {
+ EmbeddedPostgres.builder().start()
+ }
+
+ override val connection: Connection
+ get() = pg.postgresDatabase.connection.apply { autoCommit = false }
+
+ init {
+
+ Flyway.configure().run {
+ dataSource(pg.postgresDatabase).validateMigrationNaming(true).load().migrate()
+ }
+ }
+
+ fun stop() {
+ pg.close()
+ }
+}
+
+fun TestDatabase.dropData() {
+ val queryList = emptyList() // TODO: Add queries to drop data
+ this.connection.use { connection ->
+ queryList.forEach { query ->
+ connection.prepareStatement(query).execute()
+ }
+ connection.commit()
+ }
+}
+
+class TestDatabaseNotResponding : DatabaseInterface {
+
+ override val connection: Connection
+ get() = throw Exception("Not working")
+}
diff --git a/src/test/kotlin/no/nav/syfo/infrastructure/mock/AzureADMock.kt b/src/test/kotlin/no/nav/syfo/infrastructure/mock/AzureADMock.kt
new file mode 100644
index 0000000..6a71e9a
--- /dev/null
+++ b/src/test/kotlin/no/nav/syfo/infrastructure/mock/AzureADMock.kt
@@ -0,0 +1,13 @@
+package no.nav.syfo.infrastructure.mock
+
+import io.ktor.client.engine.mock.*
+import io.ktor.client.request.*
+import no.nav.syfo.infrastructure.clients.azuread.AzureAdTokenResponse
+
+fun MockRequestHandleScope.azureAdMockResponse(): HttpResponseData = respond(
+ AzureAdTokenResponse(
+ access_token = "token",
+ expires_in = 3600,
+ token_type = "type",
+ )
+)
diff --git a/src/test/kotlin/no/nav/syfo/infrastructure/mock/MockHttpClient.kt b/src/test/kotlin/no/nav/syfo/infrastructure/mock/MockHttpClient.kt
new file mode 100644
index 0000000..67f93b8
--- /dev/null
+++ b/src/test/kotlin/no/nav/syfo/infrastructure/mock/MockHttpClient.kt
@@ -0,0 +1,22 @@
+package no.nav.syfo.infrastructure.mock
+
+import io.ktor.client.*
+import io.ktor.client.engine.mock.*
+import no.nav.syfo.Environment
+import no.nav.syfo.infrastructure.clients.commonConfig
+
+fun mockHttpClient(environment: Environment) = HttpClient(MockEngine) {
+ commonConfig()
+ engine {
+ addHandler { request ->
+ val requestUrl = request.url.encodedPath
+ when {
+ requestUrl == "/${environment.azure.openidConfigTokenEndpoint}" -> azureAdMockResponse()
+ requestUrl.startsWith("/${environment.clients.istilgangskontroll.baseUrl}") -> tilgangskontrollResponse(
+ request
+ )
+ else -> error("Unhandled ${request.url.encodedPath}")
+ }
+ }
+ }
+}
diff --git a/src/test/kotlin/no/nav/syfo/infrastructure/mock/MockUtils.kt b/src/test/kotlin/no/nav/syfo/infrastructure/mock/MockUtils.kt
new file mode 100644
index 0000000..c1fe6ce
--- /dev/null
+++ b/src/test/kotlin/no/nav/syfo/infrastructure/mock/MockUtils.kt
@@ -0,0 +1,19 @@
+package no.nav.syfo.infrastructure.mock
+
+import io.ktor.client.engine.mock.*
+import io.ktor.client.request.*
+import io.ktor.http.*
+import no.nav.syfo.util.configuredJacksonMapper
+
+val mapper = configuredJacksonMapper()
+
+fun MockRequestHandleScope.respond(body: T, statusCode: HttpStatusCode = HttpStatusCode.OK): HttpResponseData =
+ respond(
+ mapper.writeValueAsString(body),
+ statusCode,
+ headersOf(HttpHeaders.ContentType, "application/json")
+ )
+
+suspend inline fun HttpRequestData.receiveBody(): T {
+ return mapper.readValue(body.toByteArray(), T::class.java)
+}
diff --git a/src/test/kotlin/no/nav/syfo/infrastructure/mock/TilgangskontrollMock.kt b/src/test/kotlin/no/nav/syfo/infrastructure/mock/TilgangskontrollMock.kt
new file mode 100644
index 0000000..ed4369a
--- /dev/null
+++ b/src/test/kotlin/no/nav/syfo/infrastructure/mock/TilgangskontrollMock.kt
@@ -0,0 +1,14 @@
+package no.nav.syfo.infrastructure.mock
+
+import io.ktor.client.engine.mock.*
+import io.ktor.client.request.*
+import no.nav.syfo.UserConstants.ARBEIDSTAKER_PERSONIDENT_VEILEDER_NO_ACCESS
+import no.nav.syfo.infrastructure.NAV_PERSONIDENT_HEADER
+import no.nav.syfo.infrastructure.clients.veiledertilgang.Tilgang
+
+fun MockRequestHandleScope.tilgangskontrollResponse(request: HttpRequestData): HttpResponseData {
+ return when (request.headers[NAV_PERSONIDENT_HEADER]) {
+ ARBEIDSTAKER_PERSONIDENT_VEILEDER_NO_ACCESS.value -> respond(Tilgang(erGodkjent = false))
+ else -> respond(Tilgang(erGodkjent = true))
+ }
+}
diff --git a/src/test/resources/jwkset.json b/src/test/resources/jwkset.json
new file mode 100644
index 0000000..d5ed397
--- /dev/null
+++ b/src/test/resources/jwkset.json
@@ -0,0 +1,13 @@
+{
+ "keys": [
+ {
+ "kty": "RSA",
+ "d": "MRf73iiXUEhJFxDTtJ5rEHNQsAG8XFuXkz9vXXbMp1_OTo11bEx3SnHiwmO_mSAAeXWNJniLw07V1-nk551h5in_ueAPwXTOf8qddacvDEBZwcxeqfu_Kjh1R0ji8Xn1a037CpH2IO34Lyw2gmsGFdMZgDwa5Z0KJjPCU6W8tF6CA-2omAdNzrFaWtaPFpBC0NzYaaB111bKIXxngG97Cnu81deEEKmX-vL-O4tpvUUybuquxrlFvVlTeYlrQqv50_IKsKSYkg-iu1cbqIiWrRq9eTmA6EppmZbqHjKSM5JYFbPB_oZ9QeHKnp1_MTom-jKMEpw18qq-PzdX_skZWQ",
+ "e": "AQAB",
+ "use": "sig",
+ "kid": "localhost-signer",
+ "alg": "RS256",
+ "n": "lFTMP9TSUwLua0G8M7foqmdUS2us1-JOF8H_tClVG3IEQMRvMmHJoGSdldWDHsNwRG3Wevl_8fZoGocw9hPqj93j-vI4-ZkbxwhPyRqlS0FNIPD1Ln5R6AmHu7b-paRIz3lvqpyTRwnGBI9weE4u6WOpOQ8DjJMNPq4WcM42AgDJAvc6UuhcWW_MLIsjkKp_VYKxzthSuiRAxXi8Pz4ZhiTAEZI-UN61DYU9YEFNujg5XtIQsRwQn1Vj7BknGwkdf_iCGJgDlKUOz9hAojOMXTAwetUx6I5nngIM5vaXWJCmKn6SzcTYgHWWVrn8qaSazioaydLaYN9NuQ0MdIvsQw"
+ }
+ ]
+}
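Review bot: The JWK in jwkset.json includes the private exponent `d`, so the repository now holds a complete RSA private key for `kid` `localhost-signer`. Tokens signed with it will validate anywhere this key set is trusted. That suits the test helper that signs mock tokens, but nothing records that the key is test-only. JSON cannot carry a comment, so I would state it in the README or in a note next to the file. I would also confirm that no non-test well-known or JWKS configuration references this key or `kid`. Generating the key pair at test start-up instead of committing it would also avoid the secret-scanner finding.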