pplate/cannamanage
1
0
Fork 0
Code Issues 9 Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: pplate/cannamanage:sprint/1-foundation
Branches Tags
pplate/cannamanage:main pplate/cannamanage:sprint/1-foundation
..
compare: pplate/cannamanage:59b7486cec6a6a5d623f1dfed8d0474d5448a10c
Branches Tags
pplate/cannamanage:main pplate/cannamanage:sprint/1-foundation

11 Commits
sprint/1-foundation .. 59b7486cec

Author SHA1 Message Date
Patrick Plate 59b7486cec Merge sprint/3-staff-portal into main 2026-06-12 08:27:36 +02:00
Patrick Plate 752101c6c9 docs: add competitor & CSC market analysis PDF 
- German market: Hanf-App, Cannanas, 420cloud feature comparison
- US market: Flowhub, BioTrack, Metrc, Dutchie design inspiration
- Switzerland: Cannavigia track & trace
- Spain: Historical CSC market (no software yet)
- Design recommendations derived from competitor analysis
- Differentiation strategy for CannaManage
 2026-06-11 19:10:35 +02:00
Patrick Plate 302b7da8ca docs: add frontend UI shopping list PDF + OpenPDF/CSV deps in service POM 
- Added OpenPDF 2.0.4 and Commons CSV 1.11.0 dependencies (Phase 4 prep)
- Generated frontend framework evaluation PDF with ranked templates and live demo links
 2026-06-11 18:25:10 +02:00
Patrick Plate 6c66783b58 feat(sprint-3): Phase 3 — staff management + invite flow 
- Step 3.1: Spring Boot Starter Mail dependency (api + service)
- Step 3.2: InviteToken JPA entity with 72h expiry
- Step 3.3: InviteTokenRepository with valid-token finder
- Step 3.4: EmailService (plain text invite email via JavaMailSender)
- Step 3.5: StaffService (CRUD + invite + email pattern validation + token revocation)
- Step 3.6: Staff DTOs (CreateStaffRequest, UpdateStaffRequest, StaffResponse)
- Step 3.7: SetPasswordRequest with password complexity (@Pattern: 1 digit + 1 special)
- Step 3.8: StaffController (6 endpoints, ADMIN-only via @PreAuthorize)
- Step 3.9: POST /api/v1/auth/set-password (public, generic error messages)
- Step 3.10: StaffTemplates (ausgabe, lager, vorstand predefined permission sets)
- Step 3.11: AuthService rejects inactive users with 'Account not activated'
- Step 3.12: Token revocation on permission change via revokeAllForUser()
- Step 3.13: invite-email.txt template (German, 72h expiry note)
- Step 3.14: Spring Mail config (Mailpit dev defaults, env var overrides)
- Step 3.15: Unit tests (StaffServiceTest, StaffControllerTest, EmailServiceTest)
- V5 Flyway migration for invite_tokens table

Security review findings incorporated:
- Password complexity: min 8 chars, 1 digit + 1 special char
- Generic 'invalid or expired token' error (no state leakage)
- SecureRandom 32-byte Base64 token generation
- Token values never logged
 2026-06-11 18:03:12 +02:00
Patrick Plate 36deb72cf0 feat(sprint-3): Phase 2 — club settings controller 2026-06-11 16:56:44 +02:00
Patrick Plate 55d8434f35 feat(sprint-3): Phase 1 — staff permissions + token revocation 
- StaffPermission enum (8 granular permissions)
- StaffAccount JPA entity with permissions collection
- RevokedToken entity for JWT blacklisting
- Flyway V3 migration (staff_accounts, staff_account_permissions, revoked_tokens)
- StaffAccountRepository + RevokedTokenRepository
- TokenRevocationService with Caffeine cache (60s TTL, 10k max)
- StaffPermissionChecker SpEL bean (@staffPermissions.has)
- PreventionOfficerChecker SpEL bean (@preventionOfficer.check)
- JwtService: added jti claim + generateStaffAccessToken + extractJti/extractPermissions
- JwtAuthFilter: token blacklist check via TokenRevocationService
- SecurityConfig: STAFF role added to endpoint matchers
- Controllers updated with @PreAuthorize for fine-grained access
- TokenCleanupScheduler (daily 03:00 cleanup of expired revoked tokens)
- Caffeine dependency added to cannamanage-service
- Unit tests: StaffPermissionCheckerTest (7), TokenRevocationServiceTest (9)
 2026-06-11 16:45:21 +02:00
Patrick Plate 08b8e43ae8 docs: add comprehensive README with project overview, API docs, and sprint history 2026-06-11 13:35:28 +02:00
Patrick Plate a1ddec37da test(sprint-2): add integration tests for Auth + Compliance controllers 
- AuthControllerIntegrationTest: 7 tests (login, refresh, error cases)
- ComplianceControllerIntegrationTest: 5 tests (quota, auth, 404)
- Fix Boot 4.0 @EntityScan relocation (boot.persistence.autoconfigure)
- Fix BCrypt 72-byte limit for refresh tokens (use SHA-256 instead)
- Configure H2 test DB with NON_KEYWORDS for reserved words (month/year)
 2026-06-11 13:30:07 +02:00
Patrick Plate 2ede872d11 feat: Sprint 2 REST API layer — full implementation 
- Fix critical Hibernate @Filter activation bug (TenantFilterAspect)
- Rename UserRole.ROLE_MANAGER → ROLE_STAFF (future-proofing)
- SecurityConfig: ADMIN + MEMBER roles only for Sprint 2
- AuthController: POST /auth/login + POST /auth/refresh with JWT
- AuthService: login, refresh token rotation, hashed refresh storage
- MemberController: CRUD (GET/POST/PUT /members)
- DistributionController: list + record distributions (CanG §26)
- StockController: batch management (GET/POST /stock/batches)
- ComplianceController: quota check (GET /compliance/quota/{id})
- OpenAPI/Swagger config with bearer-jwt security scheme
- GlobalExceptionHandler: full RFC 9457 problem+json coverage
- UserRepository: findByEmail, findByEmailAndTenantId
- Flyway V2: role rename migration + login indexes
- Testcontainers + test profile infrastructure (integration tests deferred)
- Parent POM: Testcontainers BOM, entity scan via properties

Controllers use validated DTOs (Jakarta Bean Validation records).
Compliance checks run before distribution recording.
Tenant filter AOP aspect ensures multi-tenant data isolation.
 2026-06-11 12:05:52 +02:00
Patrick Plate 86c922e1f9 feat(sprint-2): add security infrastructure 
- Spring Security 6 with dual SecurityFilterChain (API stateless JWT + public Swagger)
- JwtService: generate/validate access + refresh tokens (JJWT 0.12.6)
- JwtAuthFilter: extract Bearer token, set SecurityContext + TenantContext
- GlobalExceptionHandler: RFC 9457 ProblemDetail responses
- Dependencies: spring-security, jjwt, springdoc-openapi, bean-validation, h2-test
- Application properties: JWT config + OpenAPI paths
 2026-06-11 10:46:48 +02:00
Patrick Plate 10891e7b89 chore: upgrade Spring Boot 3.3.4 → 4.0.6 
- Remove manually-pinned versions (Hibernate, Flyway, AssertJ, Mockito)
  now managed by Boot 4.0.6 BOM
- Remove @EntityScan and @EnableJpaRepositories — auto-detected via
  scanBasePackages covering de.cannamanage hierarchy
- All 25 tests pass, build compiles in 9.6s
 2026-06-11 10:41:59 +02:00
82 changed files with 7520 additions and 13 deletions
Expand all files Collapse all files
README.md
+111
View File
@@ -0,0 +1,111 @@
# CannaManage
Multi-tenant cannabis club management platform for German **Anbauvereinigungen** (cultivation associations) under CanG §19.
## Overview
CannaManage handles member management, distribution tracking, and legal compliance for cannabis cultivation clubs in Germany. It enforces the strict quotas mandated by the Cannabis Act (CanG) — including monthly limits (50g adult / 30g under-21), daily limits (25g), and THC restrictions for minors.
## Tech Stack
| Component | Technology |
|-----------|-----------|
| Runtime | Java 21 (Temurin) |
| Framework | Spring Boot 4.0.6 |
| Security | Spring Security 7.0 + JWT (JJWT 0.12.6) |
| ORM | Hibernate 7 / JPA |
| Database | PostgreSQL (prod), H2 (test) |
| Migrations | Flyway 10 |
| API Docs | SpringDoc OpenAPI 2.8.6 |
| Build | Maven (multi-module) |
| Container | Docker Compose (Postgres + app) |
## Project Structure
```
cannamanage/
├── cannamanage-domain/ # JPA entities, enums, TenantContext
├── cannamanage-service/ # Business logic, repositories, ComplianceService
├── cannamanage-api/ # Spring Boot app, controllers, security, DTOs
├── docs/
│ └── sprint-2/ # Sprint planning docs
└── docker-compose.yml # Local dev environment
```
## Modules
### cannamanage-domain
JPA entities with multi-tenant isolation via `@Filter("tenantFilter")`:
- `Member` — club members with age tracking
- `Distribution` — cannabis distribution records
- `MonthlyQuota` — per-member monthly usage tracking
- `Batch` / `Strain` / `StockMovement` — inventory management
- `Club` — association registration
- `User` — authentication accounts
### cannamanage-service
- `ComplianceService` — CanG §19 quota enforcement (25 unit tests)
- Repositories for all entities
### cannamanage-api
- **Auth** — JWT login + refresh token rotation (SHA-256 hashed)
- **Members** — CRUD for association members
- **Distributions** — compliance-gated distribution recording
- **Stock** — batch and inventory management
- **Compliance** — quota status API
- Multi-tenant isolation via `TenantFilterAspect` (Hibernate @Filter activation)
## API Endpoints
| Method | Path | Auth | Description |
|--------|------|------|-------------|
| POST | `/api/v1/auth/login` | Public | Login with email + password |
| POST | `/api/v1/auth/refresh` | Public | Refresh token rotation |
| GET | `/api/v1/compliance/quota/{memberId}` | ADMIN, MEMBER | Monthly quota status |
| GET/POST/PUT | `/api/v1/members/**` | ADMIN, MEMBER | Member CRUD |
| POST | `/api/v1/distributions/**` | ADMIN, MEMBER | Record distributions |
| GET/POST | `/api/v1/stock/**` | ADMIN | Stock management |
Swagger UI: `http://localhost:8080/swagger-ui.html`
## Running Locally
```bash
# Start PostgreSQL
docker compose up -d
# Run the app
JAVA_HOME=/path/to/jdk-21 ./mvnw spring-boot:run -pl cannamanage-api
# Run all tests (H2 in-memory)
JAVA_HOME=/path/to/jdk-21 ./mvnw clean verify
```
## Testing
- **37 tests total** — all green
- 25 unit tests (`ComplianceServiceTest`) — quota enforcement logic
- 7 integration tests (`AuthControllerIntegrationTest`) — full HTTP auth flow
- 5 integration tests (`ComplianceControllerIntegrationTest`) — quota API with JWT
Integration tests use `@SpringBootTest(webEnvironment = RANDOM_PORT)` with H2 and Spring's `RestClient`.
## Security Model
- **Stateless JWT** — no session, no UserDetailsService
- **Roles**: ADMIN (full access), MEMBER (self-service), STAFF (Sprint 3)
- **Multi-tenancy**: Hibernate `@Filter` activated per-request via AOP aspect
- **Refresh tokens**: SHA-256 hashed (Spring Security 7 enforces BCrypt 72-byte limit)
- Token rotation on refresh — old tokens invalidated
## Sprint History
| Sprint | Focus | Status |
|--------|-------|--------|
| 1 | Domain entities, ComplianceService, 25 tests | ✅ Done |
| 2 | REST API, Spring Security, JWT, OpenAPI, integration tests | ✅ Done |
| 3 | Member portal, STAFF role, real-time notifications | 📋 Planned |
## License
Private — Patrick Plate
cannamanage-api/pom.xml
+67
View File
@@ -46,11 +46,78 @@
<artifactId>lombok</artifactId> <artifactId>lombok</artifactId>
<optional>true</optional> <optional>true</optional>
</dependency> </dependency>
<!-- Spring Security -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<!-- Bean Validation -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-validation</artifactId>
</dependency>
<!-- JWT (JJWT) -->
<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt-api</artifactId>
<version>0.12.6</version>
</dependency>
<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt-impl</artifactId>
<version>0.12.6</version>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt-jackson</artifactId>
<version>0.12.6</version>
<scope>runtime</scope>
</dependency>
<!-- OpenAPI / Swagger UI -->
<dependency>
<groupId>org.springdoc</groupId>
<artifactId>springdoc-openapi-starter-webmvc-ui</artifactId>
<version>2.8.6</version>
</dependency>
<!-- H2 for unit tests -->
<dependency>
<groupId>com.h2database</groupId>
<artifactId>h2</artifactId>
<scope>test</scope>
</dependency>
<!-- Testcontainers PostgreSQL for integration tests -->
<dependency>
<groupId>org.testcontainers</groupId>
<artifactId>postgresql</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.testcontainers</groupId>
<artifactId>junit-jupiter</artifactId>
<scope>test</scope>
</dependency>
<!-- Spring Boot Test -->
<dependency> <dependency>
<groupId>org.springframework.boot</groupId> <groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId> <artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope> <scope>test</scope>
</dependency> </dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-testcontainers</artifactId>
<scope>test</scope>
</dependency>
<!-- Spring Boot Mail (invite flow) -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-mail</artifactId>
</dependency>
</dependencies> </dependencies>
<build> <build>
cannamanage-api/src/main/java/de/cannamanage/api/CannaManageApplication.java
+8 -4
View File
@@ -2,17 +2,21 @@ package de.cannamanage.api;
import org.springframework.boot.SpringApplication; import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication; import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.autoconfigure.domain.EntityScan; import org.springframework.boot.persistence.autoconfigure.EntityScan;
import org.springframework.data.jpa.repository.config.EnableJpaRepositories; import org.springframework.data.jpa.repository.config.EnableJpaRepositories;
/** /**
* CannaManage Spring Boot application entry point. * CannaManage Spring Boot application entry point.
* REST controllers are deferred to Sprint 2. * Sprint 2: REST API + Spring Security + OpenAPI.
* Sprint 1 focus: compliance engine validation only. *
* Multi-module scanning:
* - scanBasePackages: component scanning (controllers, services)
* - EnableJpaRepositories: Spring Data JPA repository interfaces
* - EntityScan: JPA entity detection across modules (Boot 4.0 relocated package)
*/ */
@SpringBootApplication(scanBasePackages = "de.cannamanage") @SpringBootApplication(scanBasePackages = "de.cannamanage")
@EntityScan(basePackages = "de.cannamanage.domain.entity")
@EnableJpaRepositories(basePackages = "de.cannamanage.service.repository") @EnableJpaRepositories(basePackages = "de.cannamanage.service.repository")
@EntityScan(basePackages = "de.cannamanage.domain.entity")
public class CannaManageApplication { public class CannaManageApplication {
public static void main(String[] args) { public static void main(String[] args) {
cannamanage-api/src/main/java/de/cannamanage/api/config/OpenApiConfig.java
+35
View File
@@ -0,0 +1,35 @@
package de.cannamanage.api.config;
import io.swagger.v3.oas.annotations.OpenAPIDefinition;
import io.swagger.v3.oas.annotations.enums.SecuritySchemeType;
import io.swagger.v3.oas.annotations.info.Contact;
import io.swagger.v3.oas.annotations.info.Info;
import io.swagger.v3.oas.annotations.info.License;
import io.swagger.v3.oas.annotations.security.SecurityRequirement;
import io.swagger.v3.oas.annotations.security.SecurityScheme;
import io.swagger.v3.oas.annotations.servers.Server;
import org.springframework.context.annotation.Configuration;
@Configuration
@OpenAPIDefinition(
info = @Info(
title = "CannaManage API",
version = "1.0.0",
description = "Cannabis Social Club Management — CanG Compliance Platform API",
contact = @Contact(name = "CannaManage", email = "info@cannamanage.de"),
license = @License(name = "Proprietary")
),
servers = {
@Server(url = "/", description = "Current server")
},
security = @SecurityRequirement(name = "bearer-jwt")
)
@SecurityScheme(
name = "bearer-jwt",
type = SecuritySchemeType.HTTP,
scheme = "bearer",
bearerFormat = "JWT",
description = "JWT access token — obtain via POST /api/v1/auth/login"
)
public class OpenApiConfig {
}
cannamanage-api/src/main/java/de/cannamanage/api/controller/AuthController.java
+49
View File
@@ -0,0 +1,49 @@
package de.cannamanage.api.controller;
import de.cannamanage.api.dto.auth.LoginRequest;
import de.cannamanage.api.dto.auth.LoginResponse;
import de.cannamanage.api.dto.auth.RefreshRequest;
import de.cannamanage.api.dto.auth.SetPasswordRequest;
import de.cannamanage.api.service.AuthService;
import io.swagger.v3.oas.annotations.Operation;
import io.swagger.v3.oas.annotations.tags.Tag;
import jakarta.validation.Valid;
import lombok.RequiredArgsConstructor;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
import java.util.Map;
@RestController
@RequestMapping("/api/v1/auth")
@RequiredArgsConstructor
@Tag(name = "Authentication", description = "Login and token management")
public class AuthController {
private final AuthService authService;
@PostMapping("/login")
@Operation(summary = "Login with email + password", description = "Returns JWT access + refresh tokens")
public ResponseEntity<LoginResponse> login(@Valid @RequestBody LoginRequest request) {
LoginResponse response = authService.login(request);
return ResponseEntity.ok(response);
}
@PostMapping("/refresh")
@Operation(summary = "Refresh access token", description = "Exchanges a valid refresh token for new token pair")
public ResponseEntity<LoginResponse> refresh(@Valid @RequestBody RefreshRequest request) {
LoginResponse response = authService.refresh(request);
return ResponseEntity.ok(response);
}
@PostMapping("/set-password")
@Operation(summary = "Set password via invite token",
description = "Public endpoint — validates invite token, sets password, activates account")
public ResponseEntity<Map<String, String>> setPassword(@Valid @RequestBody SetPasswordRequest request) {
authService.setPassword(request);
return ResponseEntity.ok(Map.of("message", "Password set successfully. You can now log in."));
}
}
cannamanage-api/src/main/java/de/cannamanage/api/controller/ClubController.java
+94
View File
@@ -0,0 +1,94 @@
package de.cannamanage.api.controller;
import de.cannamanage.api.dto.club.ClubResponse;
import de.cannamanage.api.dto.club.ClubStatsResponse;
import de.cannamanage.api.dto.club.UpdateClubRequest;
import de.cannamanage.domain.entity.Club;
import de.cannamanage.domain.entity.TenantContext;
import de.cannamanage.service.ClubService;
import io.swagger.v3.oas.annotations.Operation;
import io.swagger.v3.oas.annotations.tags.Tag;
import jakarta.validation.Valid;
import lombok.RequiredArgsConstructor;
import org.springframework.http.ResponseEntity;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.*;
import java.util.UUID;
@RestController
@RequestMapping("/api/v1/clubs")
@RequiredArgsConstructor
@Tag(name = "Club Settings", description = "Club configuration and statistics")
public class ClubController {
private final ClubService clubService;
@GetMapping("/me")
@Operation(summary = "Get current club", description = "Returns the club for the current tenant")
@PreAuthorize("hasRole('ADMIN')")
public ResponseEntity<ClubResponse> getMyClub() {
UUID tenantId = TenantContext.getCurrentTenant();
Club club = clubService.getClubByTenantId(tenantId);
return ResponseEntity.ok(toResponse(club));
}
@PutMapping("/me")
@Operation(summary = "Update club settings", description = "Updates the club configuration for the current tenant")
@PreAuthorize("hasRole('ADMIN')")
public ResponseEntity<ClubResponse> updateMyClub(@Valid @RequestBody UpdateClubRequest request) {
UUID tenantId = TenantContext.getCurrentTenant();
Club updated = clubService.updateClub(
tenantId,
request.name(),
request.registrationNumber(),
request.contactEmail(),
request.contactPhone(),
request.addressStreet(),
request.addressCity(),
request.addressPostalCode(),
request.addressState(),
request.foundedDate(),
request.maxPreventionOfficers(),
request.allowedEmailPattern()
);
return ResponseEntity.ok(toResponse(updated));
}
@GetMapping("/me/stats")
@Operation(summary = "Get club statistics", description = "Returns aggregated club statistics")
@PreAuthorize("hasRole('ADMIN') or @staffPermissions.has(authentication, T(de.cannamanage.domain.enums.StaffPermission).VIEW_COMPLIANCE_REPORT)")
public ResponseEntity<ClubStatsResponse> getMyClubStats() {
UUID tenantId = TenantContext.getCurrentTenant();
ClubService.ClubStats stats = clubService.getClubStats(tenantId);
return ResponseEntity.ok(new ClubStatsResponse(
stats.totalMembers(),
stats.activeMembers(),
stats.totalStaff(),
stats.activeStaff(),
stats.totalDistributionsThisMonth(),
stats.totalGramsDistributedThisMonth(),
stats.activeBatches(),
stats.preventionOfficerCount()
));
}
private ClubResponse toResponse(Club club) {
return new ClubResponse(
club.getId(),
club.getName(),
club.getRegistrationNumber(),
club.getContactEmail(),
club.getContactPhone(),
club.getAddressStreet(),
club.getAddressCity(),
club.getAddressPostalCode(),
club.getAddressState(),
club.getFoundedDate(),
club.getMaxPreventionOfficers(),
club.getAllowedEmailPattern(),
club.getStatus(),
club.getCreatedAt()
);
}
}
cannamanage-api/src/main/java/de/cannamanage/api/controller/ComplianceController.java
+44
View File
@@ -0,0 +1,44 @@
package de.cannamanage.api.controller;
import de.cannamanage.api.dto.compliance.QuotaResponse;
import de.cannamanage.service.ComplianceService;
import de.cannamanage.service.dto.QuotaStatus;
import io.swagger.v3.oas.annotations.Operation;
import io.swagger.v3.oas.annotations.tags.Tag;
import lombok.RequiredArgsConstructor;
import org.springframework.http.ResponseEntity;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
import java.util.UUID;
@RestController
@RequestMapping("/api/v1/compliance")
@RequiredArgsConstructor
@Tag(name = "Compliance", description = "CanG §19 compliance quota checks")
public class ComplianceController {
private final ComplianceService complianceService;
@GetMapping("/quota/{memberId}")
@Operation(summary = "Get member quota status",
description = "Returns current monthly remaining quota for a member per CanG §19")
@PreAuthorize("hasRole('ADMIN') or hasRole('MEMBER') or @staffPermissions.has(authentication, T(de.cannamanage.domain.enums.StaffPermission).VIEW_MEMBER_QUOTA)")
public ResponseEntity<QuotaResponse> getQuotaStatus(@PathVariable UUID memberId) {
QuotaStatus status = complianceService.getQuotaStatus(memberId);
QuotaResponse response = new QuotaResponse(
status.totalAllowed(),
status.totalUsed(),
status.remaining(),
status.isUnder21(),
status.year(),
status.month()
);
return ResponseEntity.ok(response);
}
}
cannamanage-api/src/main/java/de/cannamanage/api/controller/DistributionController.java
+78
View File
@@ -0,0 +1,78 @@
package de.cannamanage.api.controller;
import de.cannamanage.api.dto.distribution.CreateDistributionRequest;
import de.cannamanage.api.dto.distribution.DistributionResponse;
import de.cannamanage.domain.entity.Distribution;
import de.cannamanage.service.ComplianceService;
import de.cannamanage.service.repository.DistributionRepository;
import io.swagger.v3.oas.annotations.Operation;
import io.swagger.v3.oas.annotations.tags.Tag;
import jakarta.validation.Valid;
import lombok.RequiredArgsConstructor;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;
import org.springframework.web.bind.annotation.*;
import java.time.Instant;
import java.util.List;
import java.util.UUID;
@RestController
@RequestMapping("/api/v1/distributions")
@RequiredArgsConstructor
@Tag(name = "Distributions", description = "Cannabis distribution recording (CanG §26)")
public class DistributionController {
private final DistributionRepository distributionRepository;
private final ComplianceService complianceService;
@GetMapping
@Operation(summary = "List all distributions", description = "Returns all distribution records for the current tenant")
@PreAuthorize("hasRole('ADMIN') or @staffPermissions.has(authentication, T(de.cannamanage.domain.enums.StaffPermission).RECORD_DISTRIBUTION)")
public ResponseEntity<List<DistributionResponse>> listDistributions() {
List<DistributionResponse> distributions = distributionRepository.findAll().stream()
.map(this::toResponse)
.toList();
return ResponseEntity.ok(distributions);
}
@PostMapping
@Operation(summary = "Record a distribution",
description = "Records a cannabis distribution after compliance checks pass (CanG §19)")
@PreAuthorize("hasRole('ADMIN') or @staffPermissions.has(authentication, T(de.cannamanage.domain.enums.StaffPermission).RECORD_DISTRIBUTION)")
public ResponseEntity<DistributionResponse> createDistribution(
@Valid @RequestBody CreateDistributionRequest request,
Authentication authentication) {
// Run compliance checks — throws QuotaExceededException if violated
complianceService.checkDistributionAllowed(
request.memberId(), request.batchId(), request.quantityGrams());
UUID recordedBy = (UUID) authentication.getPrincipal();
Distribution distribution = new Distribution();
distribution.setMemberId(request.memberId());
distribution.setBatchId(request.batchId());
distribution.setQuantityGrams(request.quantityGrams());
distribution.setDistributedAt(Instant.now());
distribution.setRecordedBy(recordedBy);
distribution.setNotes(request.notes());
Distribution saved = distributionRepository.save(distribution);
return ResponseEntity.status(HttpStatus.CREATED).body(toResponse(saved));
}
private DistributionResponse toResponse(Distribution d) {
return new DistributionResponse(
d.getId(),
d.getMemberId(),
d.getBatchId(),
d.getQuantityGrams(),
d.getDistributedAt(),
d.getRecordedBy(),
d.getNotes()
);
}
}
cannamanage-api/src/main/java/de/cannamanage/api/controller/MemberController.java
+110
View File
@@ -0,0 +1,110 @@
package de.cannamanage.api.controller;
import de.cannamanage.api.dto.member.CreateMemberRequest;
import de.cannamanage.api.dto.member.MemberResponse;
import de.cannamanage.api.dto.member.UpdateMemberRequest;
import de.cannamanage.domain.entity.Member;
import de.cannamanage.domain.entity.TenantContext;
import de.cannamanage.domain.enums.MemberStatus;
import de.cannamanage.service.repository.MemberRepository;
import io.swagger.v3.oas.annotations.Operation;
import io.swagger.v3.oas.annotations.tags.Tag;
import jakarta.validation.Valid;
import lombok.RequiredArgsConstructor;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.*;
import org.springframework.web.server.ResponseStatusException;
import java.time.LocalDate;
import java.time.Period;
import java.util.List;
import java.util.UUID;
@RestController
@RequestMapping("/api/v1/members")
@RequiredArgsConstructor
@Tag(name = "Members", description = "Club member management")
public class MemberController {
private final MemberRepository memberRepository;
@GetMapping
@Operation(summary = "List all members", description = "Returns all members for the current tenant")
@PreAuthorize("hasRole('ADMIN') or @staffPermissions.has(authentication, T(de.cannamanage.domain.enums.StaffPermission).VIEW_MEMBER_LIST)")
public ResponseEntity<List<MemberResponse>> listMembers() {
List<MemberResponse> members = memberRepository.findAll().stream()
.map(this::toResponse)
.toList();
return ResponseEntity.ok(members);
}
@GetMapping("/{id}")
@Operation(summary = "Get member by ID")
@PreAuthorize("hasRole('ADMIN') or hasRole('MEMBER') or @staffPermissions.has(authentication, T(de.cannamanage.domain.enums.StaffPermission).VIEW_MEMBER_LIST)")
public ResponseEntity<MemberResponse> getMember(@PathVariable UUID id) {
Member member = memberRepository.findById(id)
.orElseThrow(() -> new ResponseStatusException(HttpStatus.NOT_FOUND, "Member not found"));
return ResponseEntity.ok(toResponse(member));
}
@PostMapping
@Operation(summary = "Create a new member")
@PreAuthorize("hasRole('ADMIN') or @staffPermissions.has(authentication, T(de.cannamanage.domain.enums.StaffPermission).ADD_MEMBER)")
public ResponseEntity<MemberResponse> createMember(@Valid @RequestBody CreateMemberRequest request) {
Member member = new Member();
member.setFirstName(request.firstName());
member.setLastName(request.lastName());
member.setEmail(request.email());
member.setDateOfBirth(request.dateOfBirth());
member.setMembershipDate(request.membershipDate());
member.setMembershipNumber(request.membershipNumber());
member.setClubId(TenantContext.getCurrentTenant()); // club == tenant for MVP
member.setUnder21(isUnder21(request.dateOfBirth()));
Member saved = memberRepository.save(member);
return ResponseEntity.status(HttpStatus.CREATED).body(toResponse(saved));
}
@PutMapping("/{id}")
@Operation(summary = "Update a member")
@PreAuthorize("hasRole('ADMIN') or @staffPermissions.has(authentication, T(de.cannamanage.domain.enums.StaffPermission).ADD_MEMBER)")
public ResponseEntity<MemberResponse> updateMember(@PathVariable UUID id,
@Valid @RequestBody UpdateMemberRequest request) {
Member member = memberRepository.findById(id)
.orElseThrow(() -> new ResponseStatusException(HttpStatus.NOT_FOUND, "Member not found"));
if (request.firstName() != null) member.setFirstName(request.firstName());
if (request.lastName() != null) member.setLastName(request.lastName());
if (request.email() != null) member.setEmail(request.email());
if (request.dateOfBirth() != null) {
member.setDateOfBirth(request.dateOfBirth());
member.setUnder21(isUnder21(request.dateOfBirth()));
}
if (request.membershipNumber() != null) member.setMembershipNumber(request.membershipNumber());
if (request.status() != null) member.setStatus(MemberStatus.valueOf(request.status()));
Member saved = memberRepository.save(member);
return ResponseEntity.ok(toResponse(saved));
}
private boolean isUnder21(LocalDate dateOfBirth) {
return Period.between(dateOfBirth, LocalDate.now()).getYears() < 21;
}
private MemberResponse toResponse(Member m) {
return new MemberResponse(
m.getId(),
m.getFirstName(),
m.getLastName(),
m.getEmail(),
m.getDateOfBirth(),
m.getMembershipDate(),
m.getMembershipNumber(),
m.getStatus(),
m.isUnder21(),
false // preventionOfficer flag comes from StaffAccount, not Member
);
}
}
cannamanage-api/src/main/java/de/cannamanage/api/controller/StaffController.java
+112
View File
@@ -0,0 +1,112 @@
package de.cannamanage.api.controller;
import de.cannamanage.api.dto.staff.CreateStaffRequest;
import de.cannamanage.api.dto.staff.StaffResponse;
import de.cannamanage.api.dto.staff.UpdateStaffRequest;
import de.cannamanage.domain.entity.StaffAccount;
import de.cannamanage.domain.entity.TenantContext;
import de.cannamanage.domain.entity.User;
import de.cannamanage.domain.enums.StaffPermission;
import de.cannamanage.service.StaffService;
import de.cannamanage.service.StaffTemplates;
import de.cannamanage.service.repository.UserRepository;
import io.swagger.v3.oas.annotations.Operation;
import io.swagger.v3.oas.annotations.tags.Tag;
import jakarta.validation.Valid;
import lombok.RequiredArgsConstructor;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.*;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.UUID;
@RestController
@RequestMapping("/api/v1/staff")
@RequiredArgsConstructor
@Tag(name = "Staff Management", description = "Staff CRUD + invite flow (ADMIN only)")
public class StaffController {
private final StaffService staffService;
private final UserRepository userRepository;
@GetMapping
@PreAuthorize("hasRole('ADMIN')")
@Operation(summary = "List all active staff members")
public ResponseEntity<List<StaffResponse>> listStaff() {
UUID tenantId = TenantContext.getCurrentTenant();
List<StaffAccount> staffList = staffService.listStaff(tenantId);
List<StaffResponse> response = staffList.stream()
.map(staff -> {
User user = userRepository.findById(staff.getUserId()).orElse(null);
String email = user != null ? user.getEmail() : "unknown";
return StaffResponse.from(staff, email);
})
.toList();
return ResponseEntity.ok(response);
}
@PostMapping
@PreAuthorize("hasRole('ADMIN')")
@Operation(summary = "Create staff member + send invite email")
public ResponseEntity<StaffResponse> createStaff(@Valid @RequestBody CreateStaffRequest request) {
UUID tenantId = TenantContext.getCurrentTenant();
StaffAccount staff = staffService.createStaff(
tenantId,
request.email(),
request.displayName(),
request.permissions(),
request.templateName()
);
return ResponseEntity.status(HttpStatus.CREATED)
.body(StaffResponse.from(staff, request.email()));
}
@GetMapping("/{id}")
@PreAuthorize("hasRole('ADMIN')")
@Operation(summary = "Get staff member by ID")
public ResponseEntity<StaffResponse> getStaff(@PathVariable UUID id) {
UUID tenantId = TenantContext.getCurrentTenant();
StaffAccount staff = staffService.getStaff(tenantId, id);
User user = userRepository.findById(staff.getUserId()).orElse(null);
String email = user != null ? user.getEmail() : "unknown";
return ResponseEntity.ok(StaffResponse.from(staff, email));
}
@PutMapping("/{id}")
@PreAuthorize("hasRole('ADMIN')")
@Operation(summary = "Update staff permissions/profile (revokes tokens on permission change)")
public ResponseEntity<StaffResponse> updateStaff(@PathVariable UUID id,
@RequestBody UpdateStaffRequest request) {
UUID tenantId = TenantContext.getCurrentTenant();
StaffAccount staff = staffService.updateStaff(
tenantId, id,
request.displayName(),
request.permissions(),
request.templateName(),
request.active()
);
User user = userRepository.findById(staff.getUserId()).orElse(null);
String email = user != null ? user.getEmail() : "unknown";
return ResponseEntity.ok(StaffResponse.from(staff, email));
}
@DeleteMapping("/{id}")
@PreAuthorize("hasRole('ADMIN')")
@Operation(summary = "Deactivate staff member (revokes all tokens)")
public ResponseEntity<Void> deactivateStaff(@PathVariable UUID id) {
UUID tenantId = TenantContext.getCurrentTenant();
staffService.deactivateStaff(tenantId, id);
return ResponseEntity.noContent().build();
}
@GetMapping("/templates")
@PreAuthorize("hasRole('ADMIN')")
@Operation(summary = "List available permission templates")
public ResponseEntity<Map<String, Set<StaffPermission>>> listTemplates() {
return ResponseEntity.ok(StaffTemplates.getAllTemplates());
}
}
cannamanage-api/src/main/java/de/cannamanage/api/controller/StockController.java
+74
View File
@@ -0,0 +1,74 @@
package de.cannamanage.api.controller;
import de.cannamanage.api.dto.stock.BatchResponse;
import de.cannamanage.api.dto.stock.CreateBatchRequest;
import de.cannamanage.domain.entity.Batch;
import de.cannamanage.domain.enums.BatchStatus;
import de.cannamanage.service.repository.BatchRepository;
import io.swagger.v3.oas.annotations.Operation;
import io.swagger.v3.oas.annotations.tags.Tag;
import jakarta.validation.Valid;
import lombok.RequiredArgsConstructor;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.*;
import java.util.List;
import java.util.UUID;
@RestController
@RequestMapping("/api/v1/stock/batches")
@RequiredArgsConstructor
@Tag(name = "Stock", description = "Batch and inventory management")
public class StockController {
private final BatchRepository batchRepository;
@GetMapping
@Operation(summary = "List all batches", description = "Returns all batches for the current tenant")
@PreAuthorize("hasRole('ADMIN') or @staffPermissions.has(authentication, T(de.cannamanage.domain.enums.StaffPermission).VIEW_STOCK)")
public ResponseEntity<List<BatchResponse>> listBatches() {
List<BatchResponse> batches = batchRepository.findAll().stream()
.map(this::toResponse)
.toList();
return ResponseEntity.ok(batches);
}
@GetMapping("/{id}")
@Operation(summary = "Get batch by ID")
@PreAuthorize("hasRole('ADMIN') or @staffPermissions.has(authentication, T(de.cannamanage.domain.enums.StaffPermission).VIEW_STOCK)")
public ResponseEntity<BatchResponse> getBatch(@PathVariable UUID id) {
Batch batch = batchRepository.findById(id)
.orElseThrow(() -> new org.springframework.web.server.ResponseStatusException(
HttpStatus.NOT_FOUND, "Batch not found"));
return ResponseEntity.ok(toResponse(batch));
}
@PostMapping
@Operation(summary = "Create a new batch", description = "Registers a new cannabis batch in inventory")
@PreAuthorize("hasRole('ADMIN') or @staffPermissions.has(authentication, T(de.cannamanage.domain.enums.StaffPermission).RECORD_STOCK_IN)")
public ResponseEntity<BatchResponse> createBatch(@Valid @RequestBody CreateBatchRequest request) {
Batch batch = new Batch();
batch.setStrainId(request.strainId());
batch.setQuantityGrams(request.quantityGrams());
batch.setHarvestDate(request.harvestDate());
batch.setBatchCode(request.batchCode());
batch.setStatus(BatchStatus.AVAILABLE);
Batch saved = batchRepository.save(batch);
return ResponseEntity.status(HttpStatus.CREATED).body(toResponse(saved));
}
private BatchResponse toResponse(Batch b) {
return new BatchResponse(
b.getId(),
b.getStrainId(),
b.getQuantityGrams(),
b.getHarvestDate(),
b.getBatchCode(),
b.getStatus(),
b.isContaminationFlag()
);
}
}
cannamanage-api/src/main/java/de/cannamanage/api/dto/auth/LoginRequest.java
+13
View File
@@ -0,0 +1,13 @@
package de.cannamanage.api.dto.auth;
import jakarta.validation.constraints.Email;
import jakarta.validation.constraints.NotBlank;
public record LoginRequest(
@NotBlank(message = "Email is required")
@Email(message = "Must be a valid email address")
String email,
@NotBlank(message = "Password is required")
String password
) {}
cannamanage-api/src/main/java/de/cannamanage/api/dto/auth/LoginResponse.java
+8
View File
@@ -0,0 +1,8 @@
package de.cannamanage.api.dto.auth;
public record LoginResponse(
String accessToken,
String refreshToken,
long expiresIn,
String role
) {}
cannamanage-api/src/main/java/de/cannamanage/api/dto/auth/RefreshRequest.java
+8
View File
@@ -0,0 +1,8 @@
package de.cannamanage.api.dto.auth;
import jakarta.validation.constraints.NotBlank;
public record RefreshRequest(
@NotBlank(message = "Refresh token is required")
String refreshToken
) {}
cannamanage-api/src/main/java/de/cannamanage/api/dto/auth/SetPasswordRequest.java
+18
View File
@@ -0,0 +1,18 @@
package de.cannamanage.api.dto.auth;
import jakarta.validation.constraints.NotBlank;
import jakarta.validation.constraints.Pattern;
import jakarta.validation.constraints.Size;
/**
* Request DTO for setting password via invite token.
* Password complexity: min 8 chars, at least 1 digit + 1 special character.
*/
public record SetPasswordRequest(
@NotBlank String token,
@NotBlank
@Size(min = 8, max = 100, message = "Password must be between 8 and 100 characters")
@Pattern(regexp = "^(?=.*\\d)(?=.*[!@#$%^&*()_+\\-=\\[\\]{};':\"\\\\|,.<>/?]).+$",
message = "Password must contain at least 1 digit and 1 special character")
String password
) {}
cannamanage-api/src/main/java/de/cannamanage/api/dto/club/ClubResponse.java
+24
View File
@@ -0,0 +1,24 @@
package de.cannamanage.api.dto.club;
import de.cannamanage.domain.enums.ClubStatus;
import java.time.Instant;
import java.time.LocalDate;
import java.util.UUID;
public record ClubResponse(
UUID id,
String name,
String registrationNumber,
String contactEmail,
String contactPhone,
String addressStreet,
String addressCity,
String addressPostalCode,
String addressState,
LocalDate foundedDate,
Integer maxPreventionOfficers,
String allowedEmailPattern,
ClubStatus status,
Instant createdAt
) {}
cannamanage-api/src/main/java/de/cannamanage/api/dto/club/ClubStatsResponse.java
+14
View File
@@ -0,0 +1,14 @@
package de.cannamanage.api.dto.club;
import java.math.BigDecimal;
public record ClubStatsResponse(
long totalMembers,
long activeMembers,
long totalStaff,
long activeStaff,
long totalDistributionsThisMonth,
BigDecimal totalGramsDistributedThisMonth,
long activeBatches,
long preventionOfficerCount
) {}
cannamanage-api/src/main/java/de/cannamanage/api/dto/club/UpdateClubRequest.java
+34
View File
@@ -0,0 +1,34 @@
package de.cannamanage.api.dto.club;
import jakarta.validation.constraints.Email;
import jakarta.validation.constraints.Min;
import jakarta.validation.constraints.NotBlank;
import java.time.LocalDate;
public record UpdateClubRequest(
@NotBlank(message = "Club name is required")
String name,
String registrationNumber,
@Email(message = "Must be a valid email address")
String contactEmail,
String contactPhone,
String addressStreet,
String addressCity,
String addressPostalCode,
String addressState,
LocalDate foundedDate,
@Min(value = 1, message = "Must have at least 1 prevention officer slot")
Integer maxPreventionOfficers,
String allowedEmailPattern
) {}
cannamanage-api/src/main/java/de/cannamanage/api/dto/compliance/QuotaResponse.java
+12
View File
@@ -0,0 +1,12 @@
package de.cannamanage.api.dto.compliance;
import java.math.BigDecimal;
public record QuotaResponse(
BigDecimal totalAllowed,
BigDecimal totalUsed,
BigDecimal remaining,
boolean under21,
int year,
int month
) {}
cannamanage-api/src/main/java/de/cannamanage/api/dto/distribution/CreateDistributionRequest.java
+21
View File
@@ -0,0 +1,21 @@
package de.cannamanage.api.dto.distribution;
import jakarta.validation.constraints.DecimalMin;
import jakarta.validation.constraints.NotNull;
import java.math.BigDecimal;
import java.util.UUID;
public record CreateDistributionRequest(
@NotNull(message = "Member ID is required")
UUID memberId,
@NotNull(message = "Batch ID is required")
UUID batchId,
@NotNull(message = "Quantity in grams is required")
@DecimalMin(value = "0.01", message = "Quantity must be greater than zero")
BigDecimal quantityGrams,
String notes
) {}
cannamanage-api/src/main/java/de/cannamanage/api/dto/distribution/DistributionResponse.java
+15
View File
@@ -0,0 +1,15 @@
package de.cannamanage.api.dto.distribution;
import java.math.BigDecimal;
import java.time.Instant;
import java.util.UUID;
public record DistributionResponse(
UUID id,
UUID memberId,
UUID batchId,
BigDecimal quantityGrams,
Instant distributedAt,
UUID recordedBy,
String notes
) {}
cannamanage-api/src/main/java/de/cannamanage/api/dto/member/CreateMemberRequest.java
+30
View File
@@ -0,0 +1,30 @@
package de.cannamanage.api.dto.member;
import jakarta.validation.constraints.Email;
import jakarta.validation.constraints.NotBlank;
import jakarta.validation.constraints.NotNull;
import jakarta.validation.constraints.Past;
import java.time.LocalDate;
public record CreateMemberRequest(
@NotBlank(message = "First name is required")
String firstName,
@NotBlank(message = "Last name is required")
String lastName,
@NotBlank(message = "Email is required")
@Email(message = "Must be a valid email")
String email,
@NotNull(message = "Date of birth is required")
@Past(message = "Date of birth must be in the past")
LocalDate dateOfBirth,
@NotNull(message = "Membership date is required")
LocalDate membershipDate,
@NotBlank(message = "Membership number is required")
String membershipNumber
) {}
cannamanage-api/src/main/java/de/cannamanage/api/dto/member/MemberResponse.java
+19
View File
@@ -0,0 +1,19 @@
package de.cannamanage.api.dto.member;
import de.cannamanage.domain.enums.MemberStatus;
import java.time.LocalDate;
import java.util.UUID;
public record MemberResponse(
UUID id,
String firstName,
String lastName,
String email,
LocalDate dateOfBirth,
LocalDate membershipDate,
String membershipNumber,
MemberStatus status,
boolean under21,
boolean preventionOfficer
) {}
cannamanage-api/src/main/java/de/cannamanage/api/dto/member/UpdateMemberRequest.java
+17
View File
@@ -0,0 +1,17 @@
package de.cannamanage.api.dto.member;
import jakarta.validation.constraints.Email;
import java.time.LocalDate;
public record UpdateMemberRequest(
String firstName,
String lastName,
@Email(message = "Must be a valid email")
String email,
LocalDate dateOfBirth,
String membershipNumber,
String status
) {}
cannamanage-api/src/main/java/de/cannamanage/api/dto/staff/CreateStaffRequest.java
+17
View File
@@ -0,0 +1,17 @@
package de.cannamanage.api.dto.staff;
import de.cannamanage.domain.enums.StaffPermission;
import jakarta.validation.constraints.Email;
import jakarta.validation.constraints.NotBlank;
import java.util.Set;
/**
* Request DTO for creating a new staff member (admin invite flow).
*/
public record CreateStaffRequest(
@NotBlank @Email String email,
@NotBlank String displayName,
Set<StaffPermission> permissions,
String templateName
) {}
cannamanage-api/src/main/java/de/cannamanage/api/dto/staff/StaffResponse.java
+49
View File
@@ -0,0 +1,49 @@
package de.cannamanage.api.dto.staff;
import de.cannamanage.domain.entity.StaffAccount;
import de.cannamanage.domain.entity.User;
import de.cannamanage.domain.enums.StaffPermission;
import java.time.Instant;
import java.util.Set;
import java.util.UUID;
/**
* Response DTO for staff member information.
*/
public record StaffResponse(
UUID id,
UUID userId,
String email,
String displayName,
Set<StaffPermission> permissions,
String templateName,
boolean active,
Instant createdAt
) {
public static StaffResponse from(StaffAccount staff, User user) {
return new StaffResponse(
staff.getId(),
staff.getUserId(),
user.getEmail(),
staff.getDisplayName(),
staff.getGrantedPermissions(),
null, // templateName not stored; permissions are expanded
staff.isActive(),
staff.getCreatedAt()
);
}
public static StaffResponse from(StaffAccount staff, String email) {
return new StaffResponse(
staff.getId(),
staff.getUserId(),
email,
staff.getDisplayName(),
staff.getGrantedPermissions(),
null,
staff.isActive(),
staff.getCreatedAt()
);
}
}
cannamanage-api/src/main/java/de/cannamanage/api/dto/staff/UpdateStaffRequest.java
+15
View File
@@ -0,0 +1,15 @@
package de.cannamanage.api.dto.staff;
import de.cannamanage.domain.enums.StaffPermission;
import java.util.Set;
/**
* Request DTO for updating an existing staff member.
*/
public record UpdateStaffRequest(
String displayName,
Set<StaffPermission> permissions,
String templateName,
Boolean active
) {}
cannamanage-api/src/main/java/de/cannamanage/api/dto/stock/BatchResponse.java
+17
View File
@@ -0,0 +1,17 @@
package de.cannamanage.api.dto.stock;
import de.cannamanage.domain.enums.BatchStatus;
import java.math.BigDecimal;
import java.time.LocalDate;
import java.util.UUID;
public record BatchResponse(
UUID id,
UUID strainId,
BigDecimal quantityGrams,
LocalDate harvestDate,
String batchCode,
BatchStatus status,
boolean contaminationFlag
) {}
cannamanage-api/src/main/java/de/cannamanage/api/dto/stock/CreateBatchRequest.java
+23
View File
@@ -0,0 +1,23 @@
package de.cannamanage.api.dto.stock;
import jakarta.validation.constraints.DecimalMin;
import jakarta.validation.constraints.NotBlank;
import jakarta.validation.constraints.NotNull;
import java.math.BigDecimal;
import java.time.LocalDate;
import java.util.UUID;
public record CreateBatchRequest(
@NotNull(message = "Strain ID is required")
UUID strainId,
@NotNull(message = "Quantity in grams is required")
@DecimalMin(value = "0.01", message = "Quantity must be greater than zero")
BigDecimal quantityGrams,
LocalDate harvestDate,
@NotBlank(message = "Batch code is required")
String batchCode
) {}
cannamanage-api/src/main/java/de/cannamanage/api/exception/GlobalExceptionHandler.java
+131
View File
@@ -0,0 +1,131 @@
package de.cannamanage.api.exception;
import de.cannamanage.api.service.AuthService;
import de.cannamanage.service.exception.BatchNotFoundException;
import de.cannamanage.service.exception.MemberNotFoundException;
import de.cannamanage.service.exception.QuotaExceededException;
import lombok.extern.slf4j.Slf4j;
import org.springframework.http.HttpStatus;
import org.springframework.http.ProblemDetail;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.web.bind.MethodArgumentNotValidException;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.RestControllerAdvice;
import org.springframework.web.server.ResponseStatusException;
import java.net.URI;
import java.time.Instant;
import java.util.stream.Collectors;
/**
* Global exception handler producing application/problem+json responses.
* RFC 9457 compliant.
*/
@Slf4j
@RestControllerAdvice
public class GlobalExceptionHandler {
@ExceptionHandler(AuthService.AuthenticationException.class)
public ProblemDetail handleAuthException(AuthService.AuthenticationException ex) {
ProblemDetail problem = ProblemDetail.forStatusAndDetail(
HttpStatus.UNAUTHORIZED, ex.getMessage());
problem.setTitle("Authentication Failed");
problem.setType(URI.create("urn:cannamanage:error:AUTHENTICATION_FAILED"));
problem.setProperty("code", "AUTHENTICATION_FAILED");
problem.setProperty("timestamp", Instant.now().toString());
return problem;
}
@ExceptionHandler(BadCredentialsException.class)
public ProblemDetail handleBadCredentials(BadCredentialsException ex) {
ProblemDetail problem = ProblemDetail.forStatusAndDetail(
HttpStatus.UNAUTHORIZED, "Invalid email or password");
problem.setTitle("Authentication Failed");
problem.setType(URI.create("urn:cannamanage:error:INVALID_CREDENTIALS"));
problem.setProperty("code", "INVALID_CREDENTIALS");
problem.setProperty("timestamp", Instant.now().toString());
return problem;
}
@ExceptionHandler(AccessDeniedException.class)
public ProblemDetail handleAccessDenied(AccessDeniedException ex) {
ProblemDetail problem = ProblemDetail.forStatusAndDetail(
HttpStatus.FORBIDDEN, "Access denied");
problem.setTitle("Forbidden");
problem.setType(URI.create("urn:cannamanage:error:ACCESS_DENIED"));
problem.setProperty("code", "ACCESS_DENIED");
problem.setProperty("timestamp", Instant.now().toString());
return problem;
}
@ExceptionHandler(MethodArgumentNotValidException.class)
public ProblemDetail handleValidation(MethodArgumentNotValidException ex) {
ProblemDetail problem = ProblemDetail.forStatusAndDetail(
HttpStatus.BAD_REQUEST, "Validation failed");
problem.setTitle("Bad Request");
problem.setType(URI.create("urn:cannamanage:error:VALIDATION_FAILED"));
problem.setProperty("code", "VALIDATION_FAILED");
problem.setProperty("timestamp", Instant.now().toString());
var errors = ex.getBindingResult().getFieldErrors().stream()
.map(fe -> fe.getField() + ": " + fe.getDefaultMessage())
.collect(Collectors.toList());
problem.setProperty("errors", errors);
return problem;
}
@ExceptionHandler(QuotaExceededException.class)
public ProblemDetail handleQuotaExceeded(QuotaExceededException ex) {
ProblemDetail problem = ProblemDetail.forStatusAndDetail(
HttpStatus.CONFLICT, ex.getMessage());
problem.setTitle("Compliance Violation");
problem.setType(URI.create("urn:cannamanage:error:QUOTA_EXCEEDED"));
problem.setProperty("code", ex.getCode().name());
problem.setProperty("timestamp", Instant.now().toString());
return problem;
}
@ExceptionHandler(MemberNotFoundException.class)
public ProblemDetail handleMemberNotFound(MemberNotFoundException ex) {
ProblemDetail problem = ProblemDetail.forStatusAndDetail(
HttpStatus.NOT_FOUND, ex.getMessage());
problem.setTitle("Not Found");
problem.setType(URI.create("urn:cannamanage:error:MEMBER_NOT_FOUND"));
problem.setProperty("code", "MEMBER_NOT_FOUND");
problem.setProperty("timestamp", Instant.now().toString());
return problem;
}
@ExceptionHandler(BatchNotFoundException.class)
public ProblemDetail handleBatchNotFound(BatchNotFoundException ex) {
ProblemDetail problem = ProblemDetail.forStatusAndDetail(
HttpStatus.NOT_FOUND, ex.getMessage());
problem.setTitle("Not Found");
problem.setType(URI.create("urn:cannamanage:error:BATCH_NOT_FOUND"));
problem.setProperty("code", "BATCH_NOT_FOUND");
problem.setProperty("timestamp", Instant.now().toString());
return problem;
}
@ExceptionHandler(ResponseStatusException.class)
public ProblemDetail handleResponseStatus(ResponseStatusException ex) {
ProblemDetail problem = ProblemDetail.forStatusAndDetail(
HttpStatus.valueOf(ex.getStatusCode().value()), ex.getReason());
problem.setTitle(HttpStatus.valueOf(ex.getStatusCode().value()).getReasonPhrase());
problem.setProperty("timestamp", Instant.now().toString());
return problem;
}
@ExceptionHandler(Exception.class)
public ProblemDetail handleGeneric(Exception ex) {
log.error("Unhandled exception", ex);
ProblemDetail problem = ProblemDetail.forStatusAndDetail(
HttpStatus.INTERNAL_SERVER_ERROR, "An unexpected error occurred");
problem.setTitle("Internal Server Error");
problem.setType(URI.create("urn:cannamanage:error:INTERNAL_ERROR"));
problem.setProperty("code", "INTERNAL_ERROR");
problem.setProperty("timestamp", Instant.now().toString());
return problem;
}
}
cannamanage-api/src/main/java/de/cannamanage/api/security/JwtAuthFilter.java
+93
View File
@@ -0,0 +1,93 @@
package de.cannamanage.api.security;
import de.cannamanage.domain.entity.TenantContext;
import de.cannamanage.service.TokenRevocationService;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import lombok.RequiredArgsConstructor;
import lombok.extern.slf4j.Slf4j;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;
import java.io.IOException;
import java.util.List;
import java.util.UUID;
/**
* JWT authentication filter.
* Extracts Bearer token from Authorization header, validates it,
* checks token blacklist (revocation), sets SecurityContext and TenantContext.
*/
@Slf4j
@Component
@RequiredArgsConstructor
public class JwtAuthFilter extends OncePerRequestFilter {
private final JwtService jwtService;
private final TokenRevocationService tokenRevocationService;
@Override
protected void doFilterInternal(HttpServletRequest request,
HttpServletResponse response,
FilterChain filterChain) throws ServletException, IOException {
final String authHeader = request.getHeader("Authorization");
if (authHeader == null || !authHeader.startsWith("Bearer ")) {
filterChain.doFilter(request, response);
return;
}
final String token = authHeader.substring(7);
if (!jwtService.isTokenValid(token)) {
filterChain.doFilter(request, response);
return;
}
// Check token blacklist (revocation) — skip for portal paths per plan review warning #5
String jti = jwtService.extractJti(token);
if (jti != null && tokenRevocationService.isRevoked(jti)) {
log.debug("Token {} is revoked, rejecting request", jti);
filterChain.doFilter(request, response);
return;
}
UUID userId = jwtService.extractUserId(token);
UUID tenantId = jwtService.extractTenantId(token);
String role = jwtService.extractRole(token);
// Set tenant context for schema routing
TenantContext.setCurrentTenant(tenantId);
// Build authentication with role-based authority
var authorities = List.of(new SimpleGrantedAuthority("ROLE_" + role));
var authentication = new UsernamePasswordAuthenticationToken(
userId, null, authorities
);
authentication.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
SecurityContextHolder.getContext().setAuthentication(authentication);
log.debug("Authenticated user {} for tenant {} with role {}", userId, tenantId, role);
try {
filterChain.doFilter(request, response);
} finally {
TenantContext.clear();
}
}
@Override
protected boolean shouldNotFilter(HttpServletRequest request) {
String path = request.getServletPath();
return path.startsWith("/api/v1/auth/")
|| path.startsWith("/portal/")
|| path.startsWith("/swagger-ui")
|| path.startsWith("/v3/api-docs");
}
}
cannamanage-api/src/main/java/de/cannamanage/api/security/JwtService.java
+163
View File
@@ -0,0 +1,163 @@
package de.cannamanage.api.security;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.io.Decoders;
import io.jsonwebtoken.security.Keys;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Service;
import javax.crypto.SecretKey;
import java.time.Instant;
import java.util.*;
import java.util.function.Function;
/**
* JWT token generation and validation service.
* Access tokens: 1 hour expiry, includes jti + permissions for STAFF.
* Refresh tokens: 30 days expiry.
*/
@Service
public class JwtService {
@Value("${cannamanage.security.jwt.secret}")
private String secretKey;
@Value("${cannamanage.security.jwt.access-token-expiry:3600}")
private long accessTokenExpiry; // seconds
@Value("${cannamanage.security.jwt.refresh-token-expiry:2592000}")
private long refreshTokenExpiry; // seconds (30 days)
/**
* Generate access token for ADMIN/MEMBER roles (no permissions claim needed).
*/
public String generateAccessToken(UUID userId, UUID tenantId, String role, String email) {
Map<String, Object> claims = new HashMap<>();
claims.put("tenant_id", tenantId.toString());
claims.put("role", role);
claims.put("email", email);
claims.put("jti", UUID.randomUUID().toString());
return buildToken(claims, userId.toString(), accessTokenExpiry);
}
/**
* Generate access token for STAFF role — includes permissions list.
*/
public String generateStaffAccessToken(UUID userId, UUID tenantId, String email, List<String> permissions) {
Map<String, Object> claims = new HashMap<>();
claims.put("tenant_id", tenantId.toString());
claims.put("role", "STAFF");
claims.put("email", email);
claims.put("jti", UUID.randomUUID().toString());
claims.put("permissions", permissions);
return buildToken(claims, userId.toString(), accessTokenExpiry);
}
public String generateRefreshToken(UUID userId, UUID tenantId) {
Map<String, Object> claims = new HashMap<>();
claims.put("tenant_id", tenantId.toString());
claims.put("type", "refresh");
claims.put("jti", UUID.randomUUID().toString());
return buildToken(claims, userId.toString(), refreshTokenExpiry);
}
public String extractSubject(String token) {
return extractClaim(token, Claims::getSubject);
}
public UUID extractUserId(String token) {
return UUID.fromString(extractSubject(token));
}
public UUID extractTenantId(String token) {
return UUID.fromString(extractClaim(token, claims -> claims.get("tenant_id", String.class)));
}
public String extractRole(String token) {
return extractClaim(token, claims -> claims.get("role", String.class));
}
public String extractEmail(String token) {
return extractClaim(token, claims -> claims.get("email", String.class));
}
/**
* Extract the JTI (JWT ID) claim — used for token revocation.
*/
public String extractJti(String token) {
return extractClaim(token, claims -> claims.get("jti", String.class));
}
/**
* Extract permissions list from STAFF token.
* Returns empty list if not present (non-STAFF tokens).
*/
@SuppressWarnings("unchecked")
public List<String> extractPermissions(String token) {
return extractClaim(token, claims -> {
Object perms = claims.get("permissions");
if (perms instanceof List<?>) {
return (List<String>) perms;
}
return Collections.emptyList();
});
}
/**
* Extract token expiration as Instant — used for revocation record.
*/
public Instant extractExpirationInstant(String token) {
Date exp = extractClaim(token, Claims::getExpiration);
return exp.toInstant();
}
public boolean isTokenValid(String token) {
try {
extractAllClaims(token);
return !isTokenExpired(token);
} catch (Exception e) {
return false;
}
}
public boolean isTokenExpired(String token) {
return extractExpiration(token).before(Date.from(Instant.now()));
}
private Date extractExpiration(String token) {
return extractClaim(token, Claims::getExpiration);
}
private <T> T extractClaim(String token, Function<Claims, T> resolver) {
final Claims claims = extractAllClaims(token);
return resolver.apply(claims);
}
private Claims extractAllClaims(String token) {
return Jwts.parser()
.verifyWith(getSigningKey())
.build()
.parseSignedClaims(token)
.getPayload();
}
private String buildToken(Map<String, Object> extraClaims, String subject, long expirySeconds) {
Instant now = Instant.now();
return Jwts.builder()
.claims(extraClaims)
.subject(subject)
.issuedAt(Date.from(now))
.expiration(Date.from(now.plusSeconds(expirySeconds)))
.signWith(getSigningKey())
.compact();
}
private SecretKey getSigningKey() {
byte[] keyBytes = Decoders.BASE64.decode(secretKey);
return Keys.hmacShaKeyFor(keyBytes);
}
}
cannamanage-api/src/main/java/de/cannamanage/api/security/PreventionOfficerChecker.java
+56
View File
@@ -0,0 +1,56 @@
package de.cannamanage.api.security;
import de.cannamanage.domain.entity.StaffAccount;
import de.cannamanage.service.repository.StaffAccountRepository;
import lombok.RequiredArgsConstructor;
import lombok.extern.slf4j.Slf4j;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.stereotype.Component;
import java.util.UUID;
/**
* SpEL-accessible bean for checking prevention officer status.
* Usage in @PreAuthorize:
* @PreAuthorize("hasRole('ADMIN') or @preventionOfficer.check(authentication)")
*/
@Slf4j
@Component("preventionOfficer")
@RequiredArgsConstructor
public class PreventionOfficerChecker {
private final StaffAccountRepository staffAccountRepository;
/**
* Checks if the authenticated user is a designated prevention officer.
* ADMIN always passes. STAFF must have is_prevention_officer = true.
*/
public boolean check(Authentication authentication) {
if (authentication == null || !authentication.isAuthenticated()) {
return false;
}
// ADMIN always passes
boolean isAdmin = authentication.getAuthorities().stream()
.map(GrantedAuthority::getAuthority)
.anyMatch(a -> a.equals("ROLE_ADMIN"));
if (isAdmin) {
return true;
}
// STAFF must be a prevention officer
boolean isStaff = authentication.getAuthorities().stream()
.map(GrantedAuthority::getAuthority)
.anyMatch(a -> a.equals("ROLE_STAFF"));
if (!isStaff) {
return false;
}
UUID userId = (UUID) authentication.getPrincipal();
return staffAccountRepository.findByUserId(userId)
.filter(StaffAccount::isActive)
.map(StaffAccount::isPreventionOfficer)
.orElse(false);
}
}
cannamanage-api/src/main/java/de/cannamanage/api/security/SecurityConfig.java
+73
View File
@@ -0,0 +1,73 @@
package de.cannamanage.api.security;
import lombok.RequiredArgsConstructor;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
/**
* Security configuration — Sprint 3: API + Staff portal with JWT.
* Roles: ADMIN (full access) + STAFF (permission-based) + MEMBER (self-service).
*/
@Configuration
@EnableWebSecurity
@EnableMethodSecurity
@RequiredArgsConstructor
public class SecurityConfig {
private final JwtAuthFilter jwtAuthFilter;
/**
* API security — stateless JWT authentication.
* URL-level role checks provide first layer; @PreAuthorize provides fine-grained.
*/
@Bean
@Order(1)
public SecurityFilterChain apiSecurityFilterChain(HttpSecurity http) throws Exception {
http
.securityMatcher("/api/**")
.csrf(csrf -> csrf.disable())
.sessionManagement(session -> session
.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
.authorizeHttpRequests(auth -> auth
.requestMatchers("/api/v1/auth/**").permitAll()
.requestMatchers("/api/v1/admin/**").hasRole("ADMIN")
.requestMatchers("/api/v1/staff/**").hasRole("ADMIN")
.requestMatchers("/api/v1/members/**").hasAnyRole("ADMIN", "STAFF", "MEMBER")
.requestMatchers("/api/v1/distributions/**").hasAnyRole("ADMIN", "STAFF", "MEMBER")
.requestMatchers("/api/v1/stock/**").hasAnyRole("ADMIN", "STAFF")
.requestMatchers("/api/v1/compliance/**").hasAnyRole("ADMIN", "STAFF", "MEMBER")
.requestMatchers("/api/v1/reports/**").hasRole("ADMIN")
.anyRequest().authenticated())
.addFilterBefore(jwtAuthFilter, UsernamePasswordAuthenticationFilter.class);
return http.build();
}
/**
* Public endpoints — Swagger UI, actuator health.
*/
@Bean
@Order(2)
public SecurityFilterChain publicSecurityFilterChain(HttpSecurity http) throws Exception {
http
.securityMatcher("/swagger-ui/**", "/v3/api-docs/**", "/actuator/health")
.csrf(csrf -> csrf.disable())
.authorizeHttpRequests(auth -> auth.anyRequest().permitAll());
return http.build();
}
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
}
cannamanage-api/src/main/java/de/cannamanage/api/security/StaffPermissionChecker.java
+57
View File
@@ -0,0 +1,57 @@
package de.cannamanage.api.security;
import de.cannamanage.domain.entity.StaffAccount;
import de.cannamanage.domain.enums.StaffPermission;
import de.cannamanage.service.repository.StaffAccountRepository;
import lombok.RequiredArgsConstructor;
import lombok.extern.slf4j.Slf4j;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.stereotype.Component;
import java.util.UUID;
/**
* SpEL-accessible bean for fine-grained staff permission checks.
* Usage in @PreAuthorize:
* @PreAuthorize("hasRole('ADMIN') or @staffPermissions.has(authentication, T(de.cannamanage.domain.enums.StaffPermission).RECORD_DISTRIBUTION)")
*/
@Slf4j
@Component("staffPermissions")
@RequiredArgsConstructor
public class StaffPermissionChecker {
private final StaffAccountRepository staffAccountRepository;
/**
* Checks if the authenticated user has the required permission.
* ADMIN role always passes. STAFF checks granted_permissions on their StaffAccount.
*/
public boolean has(Authentication authentication, StaffPermission required) {
if (authentication == null || !authentication.isAuthenticated()) {
return false;
}
// ADMIN always has all permissions
boolean isAdmin = authentication.getAuthorities().stream()
.map(GrantedAuthority::getAuthority)
.anyMatch(a -> a.equals("ROLE_ADMIN"));
if (isAdmin) {
return true;
}
// STAFF must have the specific permission granted
boolean isStaff = authentication.getAuthorities().stream()
.map(GrantedAuthority::getAuthority)
.anyMatch(a -> a.equals("ROLE_STAFF"));
if (!isStaff) {
return false;
}
UUID userId = (UUID) authentication.getPrincipal();
return staffAccountRepository.findByUserId(userId)
.filter(StaffAccount::isActive)
.map(staff -> staff.hasPermission(required))
.orElse(false);
}
}
cannamanage-api/src/main/java/de/cannamanage/api/security/TenantFilterAspect.java
+43
View File
@@ -0,0 +1,43 @@
package de.cannamanage.api.security;
import de.cannamanage.domain.entity.TenantContext;
import jakarta.persistence.EntityManager;
import lombok.RequiredArgsConstructor;
import lombok.extern.slf4j.Slf4j;
import org.aspectj.lang.annotation.Aspect;
import org.aspectj.lang.annotation.Before;
import org.hibernate.Session;
import org.springframework.stereotype.Component;
import java.util.UUID;
/**
* CRITICAL FIX: Activates the Hibernate @Filter("tenantFilter") on every repository call.
* Without this, the filter defined on AbstractTenantEntity is never enabled,
* meaning ALL queries return data across ALL tenants — a severe data leak.
*
* This aspect intercepts every Spring Data JPA repository method and enables
* the tenant filter with the current tenant ID from TenantContext.
*/
@Aspect
@Component
@Slf4j
@RequiredArgsConstructor
public class TenantFilterAspect {
private final EntityManager entityManager;
@Before("execution(* de.cannamanage.service.repository.*.*(..))")
public void activateTenantFilter() {
UUID tenantId = TenantContext.getCurrentTenant();
if (tenantId == null) {
log.trace("No tenant in context — filter not activated (public endpoint or system call)");
return;
}
Session session = entityManager.unwrap(Session.class);
session.enableFilter("tenantFilter")
.setParameter("tenantId", tenantId);
log.trace("Tenant filter activated for tenant {}", tenantId);
}
}
cannamanage-api/src/main/java/de/cannamanage/api/service/AuthService.java
+162
View File
@@ -0,0 +1,162 @@
package de.cannamanage.api.service;
import de.cannamanage.api.dto.auth.LoginRequest;
import de.cannamanage.api.dto.auth.LoginResponse;
import de.cannamanage.api.dto.auth.RefreshRequest;
import de.cannamanage.api.dto.auth.SetPasswordRequest;
import de.cannamanage.api.security.JwtService;
import de.cannamanage.domain.entity.InviteToken;
import de.cannamanage.domain.entity.StaffAccount;
import de.cannamanage.domain.entity.User;
import de.cannamanage.service.repository.InviteTokenRepository;
import de.cannamanage.service.repository.StaffAccountRepository;
import de.cannamanage.service.repository.UserRepository;
import lombok.RequiredArgsConstructor;
import lombok.extern.slf4j.Slf4j;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.time.Instant;
import java.util.HexFormat;
import java.util.UUID;
/**
* Authentication service — handles login, token refresh, and invite-based password setup.
* Stateless JWT approach: no UserDetailsService needed.
* Refresh tokens are hashed and stored on the User entity for revocation support.
*/
@Service
@Slf4j
@RequiredArgsConstructor
public class AuthService {
private final UserRepository userRepository;
private final JwtService jwtService;
private final PasswordEncoder passwordEncoder;
private final InviteTokenRepository inviteTokenRepository;
private final StaffAccountRepository staffAccountRepository;
@Transactional
public LoginResponse login(LoginRequest request) {
User user = userRepository.findByEmail(request.email())
.orElseThrow(() -> new AuthenticationException("Invalid credentials"));
if (!user.isActive()) {
throw new AuthenticationException("Account not activated");
}
if (!passwordEncoder.matches(request.password(), user.getPasswordHash())) {
throw new AuthenticationException("Invalid credentials");
}
// Generate tokens
String roleName = user.getRole().name().replace("ROLE_", "");
String accessToken = jwtService.generateAccessToken(
user.getId(), user.getTenantId(), roleName, user.getEmail());
String refreshToken = jwtService.generateRefreshToken(user.getId(), user.getTenantId());
// Store SHA-256 hashed refresh token for revocation (BCrypt can't handle >72 bytes)
user.setRefreshTokenHash(sha256(refreshToken));
user.setLastLogin(Instant.now());
userRepository.save(user);
log.info("User {} logged in for tenant {}", user.getEmail(), user.getTenantId());
return new LoginResponse(accessToken, refreshToken, 3600L, roleName);
}
@Transactional
public LoginResponse refresh(RefreshRequest request) {
String token = request.refreshToken();
if (!jwtService.isTokenValid(token)) {
throw new AuthenticationException("Invalid or expired refresh token");
}
UUID userId = jwtService.extractUserId(token);
User user = userRepository.findById(userId)
.orElseThrow(() -> new AuthenticationException("User not found"));
if (!user.isActive()) {
throw new AuthenticationException("Account not activated");
}
// Verify the refresh token matches stored hash (revocation check)
if (user.getRefreshTokenHash() == null ||
!sha256(token).equals(user.getRefreshTokenHash())) {
throw new AuthenticationException("Refresh token has been revoked");
}
// Rotate refresh token
String roleName = user.getRole().name().replace("ROLE_", "");
String newAccessToken = jwtService.generateAccessToken(
user.getId(), user.getTenantId(), roleName, user.getEmail());
String newRefreshToken = jwtService.generateRefreshToken(user.getId(), user.getTenantId());
user.setRefreshTokenHash(sha256(newRefreshToken));
userRepository.save(user);
return new LoginResponse(newAccessToken, newRefreshToken, 3600L, roleName);
}
/**
* Sets the password for a user via invite token.
* Validates the token, sets the password hash, marks user active, marks token as used.
* Security: generic error message for invalid/expired tokens (don't reveal state).
*/
@Transactional
public void setPassword(SetPasswordRequest request) {
// Find valid (unused + not expired) token — security: generic error message
InviteToken inviteToken = inviteTokenRepository
.findByTokenAndUsedAtIsNullAndExpiresAtAfter(request.token(), Instant.now())
.orElseThrow(() -> new AuthenticationException("Invalid or expired token"));
User user = inviteToken.getUser();
// Set password and activate user
user.setPasswordHash(passwordEncoder.encode(request.password()));
user.setActive(true);
userRepository.save(user);
// Mark token as used
inviteToken.setUsedAt(Instant.now());
inviteTokenRepository.save(inviteToken);
// Update staff account activation timestamp
staffAccountRepository.findByUserId(user.getId())
.ifPresent(staff -> {
staff.setActivatedAt(Instant.now());
staffAccountRepository.save(staff);
});
log.info("Password set for user {} via invite token", user.getEmail());
}
/**
* SHA-256 hash for refresh token storage.
* JWTs exceed BCrypt's 72-byte limit (enforced in Spring Security 7+).
* SHA-256 is appropriate here: refresh tokens are already high-entropy random strings.
*/
private String sha256(String input) {
try {
MessageDigest digest = MessageDigest.getInstance("SHA-256");
byte[] hash = digest.digest(input.getBytes(StandardCharsets.UTF_8));
return HexFormat.of().formatHex(hash);
} catch (NoSuchAlgorithmException e) {
throw new RuntimeException("SHA-256 not available", e);
}
}
/**
* Custom authentication exception — caught by GlobalExceptionHandler.
*/
public static class AuthenticationException extends RuntimeException {
public AuthenticationException(String message) {
super(message);
}
}
}
cannamanage-api/src/main/resources/application.properties
+28
View File
@@ -1,4 +1,32 @@
spring.application.name=cannamanage spring.application.name=cannamanage
# Default profile — override with -Dspring.profiles.active=local # Default profile — override with -Dspring.profiles.active=local
spring.jpa.hibernate.ddl-auto=validate spring.jpa.hibernate.ddl-auto=validate
spring.jpa.properties.hibernate.packagesToScan=de.cannamanage.domain.entity
spring.flyway.enabled=false spring.flyway.enabled=false
# JWT Security
cannamanage.security.jwt.secret=Y2FubmFtYW5hZ2Utand0LXNlY3JldC1rZXktZm9yLWRldmVsb3BtZW50LW9ubHktMzI=
cannamanage.security.jwt.access-token-expiry=3600
cannamanage.security.jwt.refresh-token-expiry=2592000
# OpenAPI
springdoc.api-docs.path=/v3/api-docs
springdoc.swagger-ui.path=/swagger-ui.html
springdoc.swagger-ui.tags-sorter=alpha
springdoc.swagger-ui.operations-sorter=method
# Enable Spring AOP for TenantFilterAspect
spring.aop.auto=true
spring.aop.proxy-target-class=true
# Spring Mail (dev defaults: Mailpit on localhost:1025)
spring.mail.host=${SMTP_HOST:localhost}
spring.mail.port=${SMTP_PORT:1025}
spring.mail.username=${SMTP_USERNAME:}
spring.mail.password=${SMTP_PASSWORD:}
spring.mail.properties.mail.smtp.auth=${SMTP_AUTH:false}
spring.mail.properties.mail.smtp.starttls.enable=${SMTP_STARTTLS:false}
spring.mail.from=${MAIL_FROM:noreply@cannamanage.de}
# App base URL (for invite links)
app.base-url=${APP_BASE_URL:http://localhost:8080}
cannamanage-api/src/main/resources/db/migration/V2__sprint2_role_rename_and_indexes.sql
+9
View File
@@ -0,0 +1,9 @@
-- CannaManage V2 — Sprint 2 schema adjustments
-- 1. Rename ROLE_MANAGER → ROLE_STAFF in users table
-- 2. Add index on users.email for login lookup
UPDATE users SET role = 'ROLE_STAFF' WHERE role = 'ROLE_MANAGER';
-- Optimize login queries
CREATE INDEX IF NOT EXISTS idx_users_email ON users(email);
CREATE INDEX IF NOT EXISTS idx_users_tenant_email ON users(tenant_id, email);
cannamanage-api/src/main/resources/db/migration/V3__sprint3_staff_portal.sql
+45
View File
@@ -0,0 +1,45 @@
-- Sprint 3: Staff Portal foundation
-- Staff accounts, permissions, revoked tokens, prevention officer support
-- Staff accounts table (links users with STAFF role to their permissions)
CREATE TABLE staff_accounts (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
tenant_id UUID NOT NULL REFERENCES clubs(id),
user_id UUID NOT NULL UNIQUE REFERENCES users(id),
display_name VARCHAR(150) NOT NULL,
is_prevention_officer BOOLEAN NOT NULL DEFAULT FALSE,
active BOOLEAN NOT NULL DEFAULT TRUE,
invited_at TIMESTAMPTZ,
activated_at TIMESTAMPTZ,
created_at TIMESTAMPTZ NOT NULL DEFAULT now()
);
-- Staff account permissions (element collection table)
CREATE TABLE staff_account_permissions (
staff_account_id UUID NOT NULL REFERENCES staff_accounts(id) ON DELETE CASCADE,
permission VARCHAR(50) NOT NULL,
PRIMARY KEY (staff_account_id, permission)
);
-- Revoked tokens table for JWT blacklisting
CREATE TABLE revoked_tokens (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
jti VARCHAR(36) NOT NULL UNIQUE,
user_id UUID NOT NULL,
tenant_id UUID NOT NULL,
revoked_at TIMESTAMPTZ NOT NULL DEFAULT now(),
expires_at TIMESTAMPTZ NOT NULL,
reason VARCHAR(100)
);
-- Indexes for revoked tokens
CREATE INDEX idx_revoked_tokens_jti ON revoked_tokens(jti);
CREATE INDEX idx_revoked_tokens_user_id ON revoked_tokens(user_id);
CREATE INDEX idx_revoked_tokens_expires_at ON revoked_tokens(expires_at);
-- Index for staff accounts
CREATE INDEX idx_staff_accounts_tenant_id ON staff_accounts(tenant_id);
CREATE INDEX idx_staff_accounts_user_id ON staff_accounts(user_id);
-- Add max_prevention_officers to clubs table (default 2 per plan)
ALTER TABLE clubs ADD COLUMN max_prevention_officers INTEGER NOT NULL DEFAULT 2;
cannamanage-api/src/main/resources/db/migration/V4__club_settings_columns.sql
+12
View File
@@ -0,0 +1,12 @@
-- Sprint 3 Phase 2: Club settings extended columns
-- Additional address fields, contact info, and allowed email pattern for clubs
ALTER TABLE clubs ADD COLUMN registration_number VARCHAR(100);
ALTER TABLE clubs ADD COLUMN contact_email VARCHAR(255);
ALTER TABLE clubs ADD COLUMN contact_phone VARCHAR(50);
ALTER TABLE clubs ADD COLUMN address_street VARCHAR(255);
ALTER TABLE clubs ADD COLUMN address_city VARCHAR(100);
ALTER TABLE clubs ADD COLUMN address_postal_code VARCHAR(20);
ALTER TABLE clubs ADD COLUMN address_state VARCHAR(100);
ALTER TABLE clubs ADD COLUMN founded_date DATE;
ALTER TABLE clubs ADD COLUMN allowed_email_pattern VARCHAR(255);
cannamanage-api/src/main/resources/db/migration/V5__invite_tokens.sql
+13
View File
@@ -0,0 +1,13 @@
-- Sprint 3 Phase 3: Invite tokens for staff onboarding
CREATE TABLE invite_tokens (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
user_id UUID NOT NULL REFERENCES users(id) ON DELETE CASCADE,
token VARCHAR(64) NOT NULL UNIQUE,
expires_at TIMESTAMPTZ NOT NULL,
used_at TIMESTAMPTZ,
created_at TIMESTAMPTZ NOT NULL DEFAULT now()
);
CREATE INDEX idx_invite_tokens_token ON invite_tokens(token);
CREATE INDEX idx_invite_tokens_user_id ON invite_tokens(user_id);
cannamanage-api/src/main/resources/templates/invite-email.txt
+14
View File
@@ -0,0 +1,14 @@
Hallo {displayName},
Du wurdest als Mitarbeiter/in beim Anbauverein "{clubName}" eingeladen.
Bitte klicke auf den folgenden Link, um dein Passwort festzulegen und deinen Account zu aktivieren:
{setPasswordUrl}
Dieser Link ist 72 Stunden gültig.
Falls du diese Einladung nicht erwartet hast, kannst du diese E-Mail ignorieren.
Viele Grüße,
Dein CannaManage-Team
cannamanage-api/src/test/java/de/cannamanage/api/controller/AuthControllerIntegrationTest.java
+196
View File
@@ -0,0 +1,196 @@
package de.cannamanage.api.controller;
import de.cannamanage.api.dto.auth.LoginRequest;
import de.cannamanage.api.dto.auth.LoginResponse;
import de.cannamanage.api.dto.auth.RefreshRequest;
import de.cannamanage.domain.entity.TenantContext;
import de.cannamanage.domain.entity.User;
import de.cannamanage.domain.enums.UserRole;
import de.cannamanage.service.repository.UserRepository;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.DisplayName;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.boot.test.web.server.LocalServerPort;
import org.springframework.http.MediaType;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.test.context.ActiveProfiles;
import org.springframework.web.client.HttpClientErrorException;
import org.springframework.web.client.RestClient;
import java.util.UUID;
import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatThrownBy;
/**
* Integration tests for {@link AuthController}.
* Boots the full Spring context with H2 in-memory DB and a real HTTP server.
*/
@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT)
@ActiveProfiles("test")
class AuthControllerIntegrationTest {
@LocalServerPort
private int port;
@Autowired
private UserRepository userRepository;
@Autowired
private PasswordEncoder passwordEncoder;
private RestClient restClient;
private static final UUID TENANT_ID = UUID.fromString("00000000-0000-0000-0000-000000000001");
private static final String TEST_EMAIL = "admin@test.club";
private static final String TEST_PASSWORD = "SecurePass123!";
@BeforeEach
void setUp() {
restClient = RestClient.builder()
.baseUrl("http://localhost:" + port)
.build();
userRepository.deleteAll();
// Set TenantContext so @PrePersist can pick up tenantId
TenantContext.setCurrentTenant(TENANT_ID);
User user = new User();
user.setEmail(TEST_EMAIL);
user.setPasswordHash(passwordEncoder.encode(TEST_PASSWORD));
user.setRole(UserRole.ROLE_ADMIN);
user.setActive(true);
userRepository.saveAndFlush(user);
TenantContext.clear();
}
@Test
@DisplayName("POST /api/v1/auth/login — valid credentials returns tokens")
void login_withValidCredentials_returnsTokens() throws Exception {
LoginRequest request = new LoginRequest(TEST_EMAIL, TEST_PASSWORD);
LoginResponse response = restClient.post()
.uri("/api/v1/auth/login")
.contentType(MediaType.APPLICATION_JSON)
.body(request)
.retrieve()
.body(LoginResponse.class);
assertThat(response).isNotNull();
assertThat(response.accessToken()).isNotBlank();
assertThat(response.refreshToken()).isNotBlank();
assertThat(response.expiresIn()).isEqualTo(3600L);
assertThat(response.role()).isEqualTo("ADMIN");
}
@Test
@DisplayName("POST /api/v1/auth/login — wrong password returns 401")
void login_withWrongPassword_returns401() {
LoginRequest request = new LoginRequest(TEST_EMAIL, "WrongPassword!");
assertThatThrownBy(() -> restClient.post()
.uri("/api/v1/auth/login")
.contentType(MediaType.APPLICATION_JSON)
.body(request)
.retrieve()
.body(String.class))
.isInstanceOf(HttpClientErrorException.Unauthorized.class);
}
@Test
@DisplayName("POST /api/v1/auth/login — unknown email returns 401")
void login_withUnknownEmail_returns401() {
LoginRequest request = new LoginRequest("nobody@test.club", TEST_PASSWORD);
assertThatThrownBy(() -> restClient.post()
.uri("/api/v1/auth/login")
.contentType(MediaType.APPLICATION_JSON)
.body(request)
.retrieve()
.body(String.class))
.isInstanceOf(HttpClientErrorException.Unauthorized.class);
}
@Test
@DisplayName("POST /api/v1/auth/login — disabled user returns 401")
void login_withDisabledUser_returns401() {
// Disable the test user
TenantContext.setCurrentTenant(TENANT_ID);
User user = userRepository.findByEmail(TEST_EMAIL).orElseThrow();
user.setActive(false);
userRepository.saveAndFlush(user);
TenantContext.clear();
LoginRequest request = new LoginRequest(TEST_EMAIL, TEST_PASSWORD);
assertThatThrownBy(() -> restClient.post()
.uri("/api/v1/auth/login")
.contentType(MediaType.APPLICATION_JSON)
.body(request)
.retrieve()
.body(String.class))
.isInstanceOf(HttpClientErrorException.Unauthorized.class);
}
@Test
@DisplayName("POST /api/v1/auth/login — missing email returns 400")
void login_withMissingEmail_returns400() {
assertThatThrownBy(() -> restClient.post()
.uri("/api/v1/auth/login")
.contentType(MediaType.APPLICATION_JSON)
.body("{\"password\": \"test123\"}")
.retrieve()
.body(String.class))
.isInstanceOf(HttpClientErrorException.BadRequest.class);
}
@Test
@DisplayName("POST /api/v1/auth/refresh — valid refresh token returns new token pair")
void refresh_withValidToken_returnsNewTokens() throws Exception {
// First login to get a refresh token
LoginRequest loginRequest = new LoginRequest(TEST_EMAIL, TEST_PASSWORD);
LoginResponse loginResponse = restClient.post()
.uri("/api/v1/auth/login")
.contentType(MediaType.APPLICATION_JSON)
.body(loginRequest)
.retrieve()
.body(LoginResponse.class);
assertThat(loginResponse).isNotNull();
String refreshToken = loginResponse.refreshToken();
// Use the refresh token
RefreshRequest refreshRequest = new RefreshRequest(refreshToken);
LoginResponse refreshResponse = restClient.post()
.uri("/api/v1/auth/refresh")
.contentType(MediaType.APPLICATION_JSON)
.body(refreshRequest)
.retrieve()
.body(LoginResponse.class);
assertThat(refreshResponse).isNotNull();
assertThat(refreshResponse.accessToken()).isNotBlank();
assertThat(refreshResponse.refreshToken()).isNotBlank();
assertThat(refreshResponse.role()).isEqualTo("ADMIN");
}
@Test
@DisplayName("POST /api/v1/auth/refresh — invalid token returns 401")
void refresh_withInvalidToken_returns401() {
RefreshRequest request = new RefreshRequest("invalid.jwt.token");
assertThatThrownBy(() -> restClient.post()
.uri("/api/v1/auth/refresh")
.contentType(MediaType.APPLICATION_JSON)
.body(request)
.retrieve()
.body(String.class))
.isInstanceOf(HttpClientErrorException.Unauthorized.class);
}
}
cannamanage-api/src/test/java/de/cannamanage/api/controller/ClubControllerTest.java
+113
View File
@@ -0,0 +1,113 @@
package de.cannamanage.api.controller;
import de.cannamanage.api.dto.club.UpdateClubRequest;
import de.cannamanage.domain.entity.Club;
import de.cannamanage.domain.entity.TenantContext;
import de.cannamanage.domain.enums.ClubStatus;
import de.cannamanage.service.ClubService;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.ExtendWith;
import org.mockito.InjectMocks;
import org.mockito.Mock;
import org.mockito.junit.jupiter.MockitoExtension;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import java.math.BigDecimal;
import java.time.Instant;
import java.time.LocalDate;
import java.util.UUID;
import static org.assertj.core.api.Assertions.assertThat;
import static org.mockito.ArgumentMatchers.*;
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.when;
@ExtendWith(MockitoExtension.class)
class ClubControllerTest {
@Mock
private ClubService clubService;
@InjectMocks
private ClubController clubController;
private UUID tenantId;
private Club club;
@BeforeEach
void setUp() {
tenantId = UUID.randomUUID();
TenantContext.setCurrentTenant(tenantId);
club = new Club();
club.setId(UUID.randomUUID());
club.setTenantId(tenantId);
club.setName("Green Garden Club");
club.setRegistrationNumber("REG-2024-001");
club.setContactEmail("info@greengardenclub.de");
club.setContactPhone("+49 30 12345678");
club.setAddressStreet("Hanfweg 42");
club.setAddressCity("Berlin");
club.setAddressPostalCode("10115");
club.setAddressState("Berlin");
club.setFoundedDate(LocalDate.of(2024, 7, 1));
club.setMaxPreventionOfficers(2);
club.setAllowedEmailPattern(".*@greengardenclub\\.de");
club.setStatus(ClubStatus.ACTIVE);
club.setCreatedAt(Instant.now());
club.setLicenseNumber("LIC-001");
}
@AfterEach
void tearDown() {
TenantContext.clear();
}
@Test
void getMyClub_returnsClubResponse() {
when(clubService.getClubByTenantId(tenantId)).thenReturn(club);
ResponseEntity<?> response = clubController.getMyClub();
assertThat(response.getStatusCode()).isEqualTo(HttpStatus.OK);
assertThat(response.getBody()).isNotNull();
verify(clubService).getClubByTenantId(tenantId);
}
@Test
void updateMyClub_updatesAndReturns() {
UpdateClubRequest request = new UpdateClubRequest(
"Updated Club", "REG-NEW", "new@club.de", "+49111",
"Newstreet 1", "Hamburg", "20095", "Hamburg",
LocalDate.of(2024, 1, 1), 3, ".*@club\\.de"
);
when(clubService.updateClub(
eq(tenantId), eq("Updated Club"), eq("REG-NEW"),
eq("new@club.de"), eq("+49111"),
eq("Newstreet 1"), eq("Hamburg"), eq("20095"), eq("Hamburg"),
eq(LocalDate.of(2024, 1, 1)), eq(3), eq(".*@club\\.de")
)).thenReturn(club);
ResponseEntity<?> response = clubController.updateMyClub(request);
assertThat(response.getStatusCode()).isEqualTo(HttpStatus.OK);
assertThat(response.getBody()).isNotNull();
}
@Test
void getMyClubStats_returnsStats() {
ClubService.ClubStats stats = new ClubService.ClubStats(
50, 42, 5, 4, 120, new BigDecimal("1500.50"), 8, 2
);
when(clubService.getClubStats(tenantId)).thenReturn(stats);
ResponseEntity<?> response = clubController.getMyClubStats();
assertThat(response.getStatusCode()).isEqualTo(HttpStatus.OK);
assertThat(response.getBody()).isNotNull();
verify(clubService).getClubStats(tenantId);
}
}
cannamanage-api/src/test/java/de/cannamanage/api/controller/ComplianceControllerIntegrationTest.java
+182
View File
@@ -0,0 +1,182 @@
package de.cannamanage.api.controller;
import de.cannamanage.api.dto.compliance.QuotaResponse;
import de.cannamanage.api.security.JwtService;
import de.cannamanage.domain.entity.Member;
import de.cannamanage.domain.entity.TenantContext;
import de.cannamanage.domain.enums.MemberStatus;
import de.cannamanage.service.repository.MemberRepository;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.DisplayName;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.boot.test.web.server.LocalServerPort;
import org.springframework.http.MediaType;
import org.springframework.test.context.ActiveProfiles;
import org.springframework.web.client.HttpClientErrorException;
import org.springframework.web.client.RestClient;
import java.time.LocalDate;
import java.util.UUID;
import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatThrownBy;
/**
* Integration tests for {@link ComplianceController}.
* Boots the full Spring context with H2 in-memory DB.
* Tests quota status endpoint with JWT authentication.
*/
@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT)
@ActiveProfiles("test")
class ComplianceControllerIntegrationTest {
@LocalServerPort
private int port;
@Autowired
private MemberRepository memberRepository;
@Autowired
private JwtService jwtService;
private RestClient restClient;
private static final UUID TENANT_ID = UUID.fromString("00000000-0000-0000-0000-000000000001");
private static final UUID USER_ID = UUID.fromString("00000000-0000-0000-0000-000000000099");
private UUID memberId;
private String adminToken;
@BeforeEach
void setUp() {
memberRepository.deleteAll();
TenantContext.setCurrentTenant(TENANT_ID);
// Create a test member (adult, 25 years old)
Member member = new Member();
member.setClubId(UUID.fromString("00000000-0000-0000-0000-000000000010"));
member.setFirstName("Max");
member.setLastName("Mustermann");
member.setEmail("max@test.club");
member.setDateOfBirth(LocalDate.now().minusYears(25));
member.setMembershipDate(LocalDate.now().minusMonths(6));
member.setMembershipNumber("CM-2025-001");
member.setStatus(MemberStatus.ACTIVE);
member.setUnder21(false);
member = memberRepository.saveAndFlush(member);
memberId = member.getId();
TenantContext.clear();
// Generate a JWT token for authentication
adminToken = jwtService.generateAccessToken(USER_ID, TENANT_ID, "ADMIN", "admin@test.club");
restClient = RestClient.builder()
.baseUrl("http://localhost:" + port)
.defaultHeader("Authorization", "Bearer " + adminToken)
.build();
}
@Test
@DisplayName("GET /api/v1/compliance/quota/{memberId} — returns quota for adult member")
void getQuotaStatus_adultMember_returnsQuota() {
QuotaResponse response = restClient.get()
.uri("/api/v1/compliance/quota/{memberId}", memberId)
.accept(MediaType.APPLICATION_JSON)
.retrieve()
.body(QuotaResponse.class);
assertThat(response).isNotNull();
assertThat(response.totalAllowed()).isEqualByComparingTo("50");
assertThat(response.totalUsed()).isEqualByComparingTo("0");
assertThat(response.remaining()).isEqualByComparingTo("50");
assertThat(response.under21()).isFalse();
assertThat(response.year()).isEqualTo(LocalDate.now().getYear());
assertThat(response.month()).isEqualTo(LocalDate.now().getMonthValue());
}
@Test
@DisplayName("GET /api/v1/compliance/quota/{memberId} — under-21 member gets reduced limit")
void getQuotaStatus_under21Member_returnsReducedLimit() {
// Create under-21 member
TenantContext.setCurrentTenant(TENANT_ID);
Member youngMember = new Member();
youngMember.setClubId(UUID.fromString("00000000-0000-0000-0000-000000000010"));
youngMember.setFirstName("Jung");
youngMember.setLastName("Mitglied");
youngMember.setEmail("jung@test.club");
youngMember.setDateOfBirth(LocalDate.now().minusYears(19));
youngMember.setMembershipDate(LocalDate.now().minusMonths(3));
youngMember.setMembershipNumber("CM-2025-002");
youngMember.setStatus(MemberStatus.ACTIVE);
youngMember.setUnder21(true);
youngMember = memberRepository.saveAndFlush(youngMember);
UUID youngMemberId = youngMember.getId();
TenantContext.clear();
QuotaResponse response = restClient.get()
.uri("/api/v1/compliance/quota/{memberId}", youngMemberId)
.accept(MediaType.APPLICATION_JSON)
.retrieve()
.body(QuotaResponse.class);
assertThat(response).isNotNull();
assertThat(response.totalAllowed()).isEqualByComparingTo("30");
assertThat(response.under21()).isTrue();
}
@Test
@DisplayName("GET /api/v1/compliance/quota/{memberId} — non-existent member returns 404")
void getQuotaStatus_nonExistentMember_returns404() {
UUID nonExistentId = UUID.fromString("00000000-0000-0000-0000-999999999999");
assertThatThrownBy(() -> restClient.get()
.uri("/api/v1/compliance/quota/{memberId}", nonExistentId)
.accept(MediaType.APPLICATION_JSON)
.retrieve()
.body(String.class))
.isInstanceOf(HttpClientErrorException.NotFound.class);
}
@Test
@DisplayName("GET /api/v1/compliance/quota/{memberId} — no auth returns 401/403")
void getQuotaStatus_noAuth_returnsUnauthorized() {
RestClient unauthClient = RestClient.builder()
.baseUrl("http://localhost:" + port)
.build();
assertThatThrownBy(() -> unauthClient.get()
.uri("/api/v1/compliance/quota/{memberId}", memberId)
.accept(MediaType.APPLICATION_JSON)
.retrieve()
.body(String.class))
.isInstanceOf(HttpClientErrorException.class)
.satisfies(ex -> {
int status = ((HttpClientErrorException) ex).getStatusCode().value();
assertThat(status).isBetween(401, 403);
});
}
@Test
@DisplayName("GET /api/v1/compliance/quota/{memberId} — invalid token returns 401/403")
void getQuotaStatus_invalidToken_returnsUnauthorized() {
RestClient badTokenClient = RestClient.builder()
.baseUrl("http://localhost:" + port)
.defaultHeader("Authorization", "Bearer invalid.jwt.token")
.build();
assertThatThrownBy(() -> badTokenClient.get()
.uri("/api/v1/compliance/quota/{memberId}", memberId)
.accept(MediaType.APPLICATION_JSON)
.retrieve()
.body(String.class))
.isInstanceOf(HttpClientErrorException.class)
.satisfies(ex -> {
int status = ((HttpClientErrorException) ex).getStatusCode().value();
assertThat(status).isBetween(401, 403);
});
}
}
cannamanage-api/src/test/java/de/cannamanage/api/controller/StaffControllerTest.java
+166
View File
@@ -0,0 +1,166 @@
package de.cannamanage.api.controller;
import com.fasterxml.jackson.databind.ObjectMapper;
import de.cannamanage.api.dto.staff.CreateStaffRequest;
import de.cannamanage.api.dto.staff.UpdateStaffRequest;
import de.cannamanage.api.security.JwtAuthFilter;
import de.cannamanage.api.security.JwtService;
import de.cannamanage.domain.entity.StaffAccount;
import de.cannamanage.domain.entity.TenantContext;
import de.cannamanage.domain.entity.User;
import de.cannamanage.domain.enums.StaffPermission;
import de.cannamanage.domain.enums.UserRole;
import de.cannamanage.service.StaffService;
import de.cannamanage.service.TokenRevocationService;
import de.cannamanage.service.repository.UserRepository;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
import org.springframework.boot.test.mock.bean.MockBean;
import org.springframework.http.MediaType;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.web.servlet.MockMvc;
import java.time.Instant;
import java.util.*;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.ArgumentMatchers.eq;
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.when;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.*;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.*;
@WebMvcTest(StaffController.class)
class StaffControllerTest {
@Autowired private MockMvc mockMvc;
@Autowired private ObjectMapper objectMapper;
@MockBean private StaffService staffService;
@MockBean private UserRepository userRepository;
@MockBean private JwtService jwtService;
@MockBean private JwtAuthFilter jwtAuthFilter;
@MockBean private TokenRevocationService tokenRevocationService;
private UUID tenantId;
private UUID staffId;
private UUID userId;
@BeforeEach
void setUp() {
tenantId = UUID.randomUUID();
staffId = UUID.randomUUID();
userId = UUID.randomUUID();
TenantContext.setCurrentTenant(tenantId);
}
@Test
@WithMockUser(roles = "ADMIN")
void listStaff_returnsStaffList() throws Exception {
StaffAccount staff = createStaffAccount();
User user = createUser();
when(staffService.listStaff(tenantId)).thenReturn(List.of(staff));
when(userRepository.findById(userId)).thenReturn(Optional.of(user));
mockMvc.perform(get("/api/v1/staff"))
.andExpect(status().isOk())
.andExpect(jsonPath("$[0].displayName").value("Test Staff"))
.andExpect(jsonPath("$[0].email").value("staff@test.de"));
}
@Test
@WithMockUser(roles = "ADMIN")
void createStaff_validRequest_returns201() throws Exception {
CreateStaffRequest request = new CreateStaffRequest(
"new@test.de", "New Staff",
EnumSet.of(StaffPermission.VIEW_STOCK), null);
StaffAccount created = createStaffAccount();
when(staffService.createStaff(eq(tenantId), eq("new@test.de"), eq("New Staff"), any(), any()))
.thenReturn(created);
mockMvc.perform(post("/api/v1/staff")
.with(csrf())
.contentType(MediaType.APPLICATION_JSON)
.content(objectMapper.writeValueAsString(request)))
.andExpect(status().isCreated())
.andExpect(jsonPath("$.displayName").value("Test Staff"));
}
@Test
@WithMockUser(roles = "ADMIN")
void createStaff_invalidEmail_returns400() throws Exception {
CreateStaffRequest request = new CreateStaffRequest(
"not-an-email", "Bad Staff",
EnumSet.of(StaffPermission.VIEW_STOCK), null);
mockMvc.perform(post("/api/v1/staff")
.with(csrf())
.contentType(MediaType.APPLICATION_JSON)
.content(objectMapper.writeValueAsString(request)))
.andExpect(status().isBadRequest());
}
@Test
@WithMockUser(roles = "ADMIN")
void getStaff_returns200() throws Exception {
StaffAccount staff = createStaffAccount();
User user = createUser();
when(staffService.getStaff(tenantId, staffId)).thenReturn(staff);
when(userRepository.findById(userId)).thenReturn(Optional.of(user));
mockMvc.perform(get("/api/v1/staff/{id}", staffId))
.andExpect(status().isOk())
.andExpect(jsonPath("$.id").value(staffId.toString()));
}
@Test
@WithMockUser(roles = "ADMIN")
void deactivateStaff_returns204() throws Exception {
mockMvc.perform(delete("/api/v1/staff/{id}", staffId).with(csrf()))
.andExpect(status().isNoContent());
verify(staffService).deactivateStaff(tenantId, staffId);
}
@Test
@WithMockUser(roles = "ADMIN")
void listTemplates_returnsTemplateMap() throws Exception {
mockMvc.perform(get("/api/v1/staff/templates"))
.andExpect(status().isOk())
.andExpect(jsonPath("$.ausgabe").isArray())
.andExpect(jsonPath("$.lager").isArray())
.andExpect(jsonPath("$.vorstand").isArray());
}
@Test
@WithMockUser(roles = "MEMBER")
void listStaff_asMember_returns403() throws Exception {
mockMvc.perform(get("/api/v1/staff"))
.andExpect(status().isForbidden());
}
private StaffAccount createStaffAccount() {
StaffAccount staff = new StaffAccount();
staff.setId(staffId);
staff.setTenantId(tenantId);
staff.setUserId(userId);
staff.setDisplayName("Test Staff");
staff.setGrantedPermissions(EnumSet.of(StaffPermission.VIEW_STOCK));
staff.setActive(true);
staff.setCreatedAt(Instant.now());
return staff;
}
private User createUser() {
User user = new User();
user.setId(userId);
user.setEmail("staff@test.de");
user.setRole(UserRole.ROLE_STAFF);
user.setActive(true);
return user;
}
}
cannamanage-api/src/test/java/de/cannamanage/api/security/StaffPermissionCheckerTest.java
+123
View File
@@ -0,0 +1,123 @@
package de.cannamanage.api.security;
import de.cannamanage.domain.entity.StaffAccount;
import de.cannamanage.domain.enums.StaffPermission;
import de.cannamanage.service.repository.StaffAccountRepository;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.ExtendWith;
import org.mockito.InjectMocks;
import org.mockito.Mock;
import org.mockito.junit.jupiter.MockitoExtension;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import java.util.List;
import java.util.Optional;
import java.util.Set;
import java.util.UUID;
import static org.assertj.core.api.Assertions.assertThat;
import static org.mockito.Mockito.when;
@ExtendWith(MockitoExtension.class)
class StaffPermissionCheckerTest {
@Mock
private StaffAccountRepository staffAccountRepository;
@InjectMocks
private StaffPermissionChecker checker;
private UUID staffUserId;
private StaffAccount staffAccount;
@BeforeEach
void setUp() {
staffUserId = UUID.randomUUID();
staffAccount = new StaffAccount();
staffAccount.setUserId(staffUserId);
staffAccount.setDisplayName("Test Staff");
staffAccount.setActive(true);
staffAccount.setGrantedPermissions(Set.of(
StaffPermission.RECORD_DISTRIBUTION,
StaffPermission.VIEW_MEMBER_LIST
));
}
@Test
void adminAlwaysHasPermission() {
Authentication auth = new UsernamePasswordAuthenticationToken(
UUID.randomUUID(), null,
List.of(new SimpleGrantedAuthority("ROLE_ADMIN"))
);
assertThat(checker.has(auth, StaffPermission.RECORD_DISTRIBUTION)).isTrue();
assertThat(checker.has(auth, StaffPermission.MANAGE_GROW_CALENDAR)).isTrue();
}
@Test
void staffWithGrantedPermission_returnsTrue() {
Authentication auth = new UsernamePasswordAuthenticationToken(
staffUserId, null,
List.of(new SimpleGrantedAuthority("ROLE_STAFF"))
);
when(staffAccountRepository.findByUserId(staffUserId)).thenReturn(Optional.of(staffAccount));
assertThat(checker.has(auth, StaffPermission.RECORD_DISTRIBUTION)).isTrue();
}
@Test
void staffWithoutGrantedPermission_returnsFalse() {
Authentication auth = new UsernamePasswordAuthenticationToken(
staffUserId, null,
List.of(new SimpleGrantedAuthority("ROLE_STAFF"))
);
when(staffAccountRepository.findByUserId(staffUserId)).thenReturn(Optional.of(staffAccount));
assertThat(checker.has(auth, StaffPermission.MANAGE_GROW_CALENDAR)).isFalse();
}
@Test
void inactiveStaff_returnsFalse() {
staffAccount.setActive(false);
Authentication auth = new UsernamePasswordAuthenticationToken(
staffUserId, null,
List.of(new SimpleGrantedAuthority("ROLE_STAFF"))
);
when(staffAccountRepository.findByUserId(staffUserId)).thenReturn(Optional.of(staffAccount));
assertThat(checker.has(auth, StaffPermission.RECORD_DISTRIBUTION)).isFalse();
}
@Test
void memberRole_returnsFalse() {
Authentication auth = new UsernamePasswordAuthenticationToken(
UUID.randomUUID(), null,
List.of(new SimpleGrantedAuthority("ROLE_MEMBER"))
);
assertThat(checker.has(auth, StaffPermission.VIEW_MEMBER_LIST)).isFalse();
}
@Test
void nullAuthentication_returnsFalse() {
assertThat(checker.has(null, StaffPermission.RECORD_DISTRIBUTION)).isFalse();
}
@Test
void staffWithNoAccount_returnsFalse() {
Authentication auth = new UsernamePasswordAuthenticationToken(
staffUserId, null,
List.of(new SimpleGrantedAuthority("ROLE_STAFF"))
);
when(staffAccountRepository.findByUserId(staffUserId)).thenReturn(Optional.empty());
assertThat(checker.has(auth, StaffPermission.RECORD_DISTRIBUTION)).isFalse();
}
}
cannamanage-api/src/test/resources/application-test.properties
+20
View File
@@ -0,0 +1,20 @@
spring.application.name=cannamanage-test
spring.datasource.url=jdbc:h2:mem:cannamanage_test;DB_CLOSE_DELAY=-1;MODE=PostgreSQL;NON_KEYWORDS=MONTH,YEAR
spring.datasource.username=sa
spring.datasource.password=
spring.datasource.driver-class-name=org.h2.Driver
# Let Hibernate create schema from entities
spring.jpa.hibernate.ddl-auto=create-drop
spring.jpa.open-in-view=false
spring.jpa.show-sql=true
spring.flyway.enabled=false
# JWT test secret
cannamanage.security.jwt.secret=Y2FubmFtYW5hZ2Utand0LXNlY3JldC1rZXktZm9yLWRldmVsb3BtZW50LW9ubHktMzI=
cannamanage.security.jwt.access-token-expiry=3600
cannamanage.security.jwt.refresh-token-expiry=2592000
# AOP
spring.aop.auto=true
spring.aop.proxy-target-class=true
cannamanage-domain/src/main/java/de/cannamanage/domain/entity/Club.java
+62
View File
@@ -3,6 +3,8 @@ package de.cannamanage.domain.entity;
import de.cannamanage.domain.enums.ClubStatus; import de.cannamanage.domain.enums.ClubStatus;
import jakarta.persistence.*; import jakarta.persistence.*;
import java.time.LocalDate;
@Entity @Entity
@Table(name = "clubs") @Table(name = "clubs")
public class Club extends AbstractTenantEntity { public class Club extends AbstractTenantEntity {
@@ -10,6 +12,30 @@ public class Club extends AbstractTenantEntity {
@Column(name = "name", nullable = false, length = 255) @Column(name = "name", nullable = false, length = 255)
private String name; private String name;
@Column(name = "registration_number", length = 100)
private String registrationNumber;
@Column(name = "contact_email", length = 255)
private String contactEmail;
@Column(name = "contact_phone", length = 50)
private String contactPhone;
@Column(name = "address_street", length = 255)
private String addressStreet;
@Column(name = "address_city", length = 100)
private String addressCity;
@Column(name = "address_postal_code", length = 20)
private String addressPostalCode;
@Column(name = "address_state", length = 100)
private String addressState;
@Column(name = "founded_date")
private LocalDate foundedDate;
@Column(name = "address") @Column(name = "address")
private String address; private String address;
@@ -19,6 +45,12 @@ public class Club extends AbstractTenantEntity {
@Column(name = "max_members", nullable = false) @Column(name = "max_members", nullable = false)
private Integer maxMembers = 500; private Integer maxMembers = 500;
@Column(name = "max_prevention_officers", nullable = false)
private Integer maxPreventionOfficers = 2;
@Column(name = "allowed_email_pattern", length = 255)
private String allowedEmailPattern;
@Enumerated(EnumType.STRING) @Enumerated(EnumType.STRING)
@Column(name = "status", nullable = false, length = 50) @Column(name = "status", nullable = false, length = 50)
private ClubStatus status = ClubStatus.ACTIVE; private ClubStatus status = ClubStatus.ACTIVE;
@@ -26,6 +58,30 @@ public class Club extends AbstractTenantEntity {
public String getName() { return name; } public String getName() { return name; }
public void setName(String name) { this.name = name; } public void setName(String name) { this.name = name; }
public String getRegistrationNumber() { return registrationNumber; }
public void setRegistrationNumber(String registrationNumber) { this.registrationNumber = registrationNumber; }
public String getContactEmail() { return contactEmail; }
public void setContactEmail(String contactEmail) { this.contactEmail = contactEmail; }
public String getContactPhone() { return contactPhone; }
public void setContactPhone(String contactPhone) { this.contactPhone = contactPhone; }
public String getAddressStreet() { return addressStreet; }
public void setAddressStreet(String addressStreet) { this.addressStreet = addressStreet; }
public String getAddressCity() { return addressCity; }
public void setAddressCity(String addressCity) { this.addressCity = addressCity; }
public String getAddressPostalCode() { return addressPostalCode; }
public void setAddressPostalCode(String addressPostalCode) { this.addressPostalCode = addressPostalCode; }
public String getAddressState() { return addressState; }
public void setAddressState(String addressState) { this.addressState = addressState; }
public LocalDate getFoundedDate() { return foundedDate; }
public void setFoundedDate(LocalDate foundedDate) { this.foundedDate = foundedDate; }
public String getAddress() { return address; } public String getAddress() { return address; }
public void setAddress(String address) { this.address = address; } public void setAddress(String address) { this.address = address; }
@@ -35,6 +91,12 @@ public class Club extends AbstractTenantEntity {
public Integer getMaxMembers() { return maxMembers; } public Integer getMaxMembers() { return maxMembers; }
public void setMaxMembers(Integer maxMembers) { this.maxMembers = maxMembers; } public void setMaxMembers(Integer maxMembers) { this.maxMembers = maxMembers; }
public Integer getMaxPreventionOfficers() { return maxPreventionOfficers; }
public void setMaxPreventionOfficers(Integer maxPreventionOfficers) { this.maxPreventionOfficers = maxPreventionOfficers; }
public String getAllowedEmailPattern() { return allowedEmailPattern; }
public void setAllowedEmailPattern(String allowedEmailPattern) { this.allowedEmailPattern = allowedEmailPattern; }
public ClubStatus getStatus() { return status; } public ClubStatus getStatus() { return status; }
public void setStatus(ClubStatus status) { this.status = status; } public void setStatus(ClubStatus status) { this.status = status; }
} }
cannamanage-domain/src/main/java/de/cannamanage/domain/entity/InviteToken.java
+74
View File
@@ -0,0 +1,74 @@
package de.cannamanage.domain.entity;
import jakarta.persistence.*;
import java.time.Instant;
import java.util.UUID;
/**
* Invite token for staff onboarding.
* Created when an admin invites a new staff member — the token is sent via email
* and used once to set the initial password.
*/
@Entity
@Table(name = "invite_tokens")
public class InviteToken {
@Id
@GeneratedValue(strategy = GenerationType.UUID)
@Column(name = "id", nullable = false, updatable = false)
private UUID id;
@ManyToOne(fetch = FetchType.LAZY)
@JoinColumn(name = "user_id", nullable = false)
private User user;
@Column(name = "token", nullable = false, unique = true, length = 64)
private String token;
@Column(name = "expires_at", nullable = false)
private Instant expiresAt;
@Column(name = "used_at")
private Instant usedAt;
@Column(name = "created_at", nullable = false, updatable = false)
private Instant createdAt;
@PrePersist
void onCreate() {
this.createdAt = Instant.now();
}
// --- Getters & Setters ---
public UUID getId() { return id; }
public void setId(UUID id) { this.id = id; }
public User getUser() { return user; }
public void setUser(User user) { this.user = user; }
public String getToken() { return token; }
public void setToken(String token) { this.token = token; }
public Instant getExpiresAt() { return expiresAt; }
public void setExpiresAt(Instant expiresAt) { this.expiresAt = expiresAt; }
public Instant getUsedAt() { return usedAt; }
public void setUsedAt(Instant usedAt) { this.usedAt = usedAt; }
public Instant getCreatedAt() { return createdAt; }
public void setCreatedAt(Instant createdAt) { this.createdAt = createdAt; }
public boolean isExpired() {
return Instant.now().isAfter(expiresAt);
}
public boolean isUsed() {
return usedAt != null;
}
public boolean isValid() {
return !isExpired() && !isUsed();
}
}
cannamanage-domain/src/main/java/de/cannamanage/domain/entity/RevokedToken.java
+66
View File
@@ -0,0 +1,66 @@
package de.cannamanage.domain.entity;
import jakarta.persistence.*;
import java.time.Instant;
import java.util.UUID;
/**
* Stores revoked JWT tokens for token blacklist checking.
* Tokens are identified by their JTI (JWT ID) claim.
* Cleanup scheduler removes expired entries nightly.
*/
@Entity
@Table(name = "revoked_tokens", indexes = {
@Index(name = "idx_revoked_tokens_jti", columnList = "jti", unique = true),
@Index(name = "idx_revoked_tokens_user_id", columnList = "user_id"),
@Index(name = "idx_revoked_tokens_expires_at", columnList = "expires_at")
})
public class RevokedToken {
@Id
@GeneratedValue(strategy = GenerationType.UUID)
@Column(name = "id", nullable = false, updatable = false)
private UUID id;
@Column(name = "jti", nullable = false, unique = true, length = 36)
private String jti;
@Column(name = "user_id", nullable = false)
private UUID userId;
@Column(name = "tenant_id", nullable = false)
private UUID tenantId;
@Column(name = "revoked_at", nullable = false)
private Instant revokedAt;
@Column(name = "expires_at", nullable = false)
private Instant expiresAt;
@Column(name = "reason", length = 100)
private String reason;
// --- Getters & Setters ---
public UUID getId() { return id; }
public void setId(UUID id) { this.id = id; }
public String getJti() { return jti; }
public void setJti(String jti) { this.jti = jti; }
public UUID getUserId() { return userId; }
public void setUserId(UUID userId) { this.userId = userId; }
public UUID getTenantId() { return tenantId; }
public void setTenantId(UUID tenantId) { this.tenantId = tenantId; }
public Instant getRevokedAt() { return revokedAt; }
public void setRevokedAt(Instant revokedAt) { this.revokedAt = revokedAt; }
public Instant getExpiresAt() { return expiresAt; }
public void setExpiresAt(Instant expiresAt) { this.expiresAt = expiresAt; }
public String getReason() { return reason; }
public void setReason(String reason) { this.reason = reason; }
}
cannamanage-domain/src/main/java/de/cannamanage/domain/entity/StaffAccount.java
+71
View File
@@ -0,0 +1,71 @@
package de.cannamanage.domain.entity;
import de.cannamanage.domain.enums.StaffPermission;
import jakarta.persistence.*;
import java.time.Instant;
import java.util.HashSet;
import java.util.Set;
import java.util.UUID;
/**
* Staff account with fine-grained permissions.
* Links a user (STAFF role) to their granted permissions stored as JSONB.
* One StaffAccount per user; permissions are a subset of StaffPermission enum values.
*/
@Entity
@Table(name = "staff_accounts")
public class StaffAccount extends AbstractTenantEntity {
@Column(name = "user_id", nullable = false, unique = true)
private UUID userId;
@Column(name = "display_name", nullable = false, length = 150)
private String displayName;
@ElementCollection(targetClass = StaffPermission.class, fetch = FetchType.EAGER)
@CollectionTable(name = "staff_account_permissions",
joinColumns = @JoinColumn(name = "staff_account_id"))
@Enumerated(EnumType.STRING)
@Column(name = "permission", nullable = false, length = 50)
private Set<StaffPermission> grantedPermissions = new HashSet<>();
@Column(name = "is_prevention_officer", nullable = false)
private boolean preventionOfficer = false;
@Column(name = "active", nullable = false)
private boolean active = true;
@Column(name = "invited_at")
private Instant invitedAt;
@Column(name = "activated_at")
private Instant activatedAt;
// --- Getters & Setters ---
public UUID getUserId() { return userId; }
public void setUserId(UUID userId) { this.userId = userId; }
public String getDisplayName() { return displayName; }
public void setDisplayName(String displayName) { this.displayName = displayName; }
public Set<StaffPermission> getGrantedPermissions() { return grantedPermissions; }
public void setGrantedPermissions(Set<StaffPermission> grantedPermissions) { this.grantedPermissions = grantedPermissions; }
public boolean isPreventionOfficer() { return preventionOfficer; }
public void setPreventionOfficer(boolean preventionOfficer) { this.preventionOfficer = preventionOfficer; }
public boolean isActive() { return active; }
public void setActive(boolean active) { this.active = active; }
public Instant getInvitedAt() { return invitedAt; }
public void setInvitedAt(Instant invitedAt) { this.invitedAt = invitedAt; }
public Instant getActivatedAt() { return activatedAt; }
public void setActivatedAt(Instant activatedAt) { this.activatedAt = activatedAt; }
public boolean hasPermission(StaffPermission permission) {
return grantedPermissions.contains(permission);
}
}
cannamanage-domain/src/main/java/de/cannamanage/domain/enums/StaffPermission.java
+17
View File
@@ -0,0 +1,17 @@
package de.cannamanage.domain.enums;
/**
* Fine-grained permissions for STAFF role users.
* Admins implicitly have all permissions.
* Staff members are granted a subset via their StaffAccount.
*/
public enum StaffPermission {
RECORD_DISTRIBUTION,
VIEW_MEMBER_LIST,
VIEW_MEMBER_QUOTA,
ADD_MEMBER,
VIEW_STOCK,
RECORD_STOCK_IN,
VIEW_COMPLIANCE_REPORT,
MANAGE_GROW_CALENDAR
}
cannamanage-domain/src/main/java/de/cannamanage/domain/enums/UserRole.java
+7 -3
View File
@@ -1,8 +1,12 @@
package de.cannamanage.domain.enums; package de.cannamanage.domain.enums;
/**
* User roles for access control.
* Sprint 2: ADMIN + MEMBER only.
* Sprint 3: STAFF added (replaces old MANAGER concept).
*/
public enum UserRole { public enum UserRole {
ROLE_ADMIN, ROLE_ADMIN,
ROLE_MANAGER, ROLE_STAFF,
ROLE_MEMBER, ROLE_MEMBER
ROLE_PREVENTION_OFFICER
} }
cannamanage-service/pom.xml
+32
View File
@@ -47,6 +47,38 @@
<artifactId>assertj-core</artifactId> <artifactId>assertj-core</artifactId>
<scope>test</scope> <scope>test</scope>
</dependency> </dependency>
<!-- Caffeine caching for token revocation -->
<dependency>
<groupId>com.github.ben-manes.caffeine</groupId>
<artifactId>caffeine</artifactId>
</dependency>
<!-- Spring Context for @Scheduled -->
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-context</artifactId>
</dependency>
<!-- Spring Web for ResponseStatusException -->
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-web</artifactId>
</dependency>
<!-- Spring Mail (invite flow) -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-mail</artifactId>
</dependency>
<!-- OpenPDF for PDF report generation -->
<dependency>
<groupId>com.github.librepdf</groupId>
<artifactId>openpdf</artifactId>
<version>2.0.4</version>
</dependency>
<!-- Apache Commons CSV for CSV report generation -->
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-csv</artifactId>
<version>1.11.0</version>
</dependency>
</dependencies> </dependencies>
<build> <build>
cannamanage-service/src/main/java/de/cannamanage/service/ClubService.java
+120
View File
@@ -0,0 +1,120 @@
package de.cannamanage.service;
import de.cannamanage.domain.entity.Club;
import de.cannamanage.domain.enums.BatchStatus;
import de.cannamanage.domain.enums.MemberStatus;
import de.cannamanage.service.repository.BatchRepository;
import de.cannamanage.service.repository.ClubRepository;
import de.cannamanage.service.repository.DistributionRepository;
import de.cannamanage.service.repository.MemberRepository;
import de.cannamanage.service.repository.StaffAccountRepository;
import lombok.RequiredArgsConstructor;
import lombok.extern.slf4j.Slf4j;
import org.springframework.http.HttpStatus;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;
import org.springframework.web.server.ResponseStatusException;
import java.math.BigDecimal;
import java.time.Instant;
import java.time.LocalDate;
import java.time.ZoneOffset;
import java.util.UUID;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;
@Slf4j
@Service
@RequiredArgsConstructor
public class ClubService {
private final ClubRepository clubRepository;
private final MemberRepository memberRepository;
private final StaffAccountRepository staffAccountRepository;
private final DistributionRepository distributionRepository;
private final BatchRepository batchRepository;
@Transactional(readOnly = true)
public Club getClubByTenantId(UUID tenantId) {
return clubRepository.findByTenantId(tenantId)
.orElseThrow(() -> new ResponseStatusException(HttpStatus.NOT_FOUND, "Club not found for tenant"));
}
@Transactional
public Club updateClub(UUID tenantId, String name, String registrationNumber,
String contactEmail, String contactPhone,
String addressStreet, String addressCity,
String addressPostalCode, String addressState,
LocalDate foundedDate,
Integer maxPreventionOfficers, String allowedEmailPattern) {
Club club = getClubByTenantId(tenantId);
// Validate regex pattern if provided
if (allowedEmailPattern != null && !allowedEmailPattern.isBlank()) {
validateRegexPattern(allowedEmailPattern);
}
club.setName(name);
club.setRegistrationNumber(registrationNumber);
club.setContactEmail(contactEmail);
club.setContactPhone(contactPhone);
club.setAddressStreet(addressStreet);
club.setAddressCity(addressCity);
club.setAddressPostalCode(addressPostalCode);
club.setAddressState(addressState);
club.setFoundedDate(foundedDate);
if (maxPreventionOfficers != null) {
club.setMaxPreventionOfficers(maxPreventionOfficers);
}
club.setAllowedEmailPattern(allowedEmailPattern);
return clubRepository.save(club);
}
@Transactional(readOnly = true)
public ClubStats getClubStats(UUID tenantId) {
long totalMembers = memberRepository.countByTenantId(tenantId);
long activeMembers = memberRepository.countByTenantIdAndStatus(tenantId, MemberStatus.ACTIVE);
long totalStaff = staffAccountRepository.countByTenantId(tenantId);
long activeStaff = staffAccountRepository.countByTenantIdAndActiveTrue(tenantId);
// Distributions this month
Instant startOfMonth = LocalDate.now().withDayOfMonth(1)
.atStartOfDay(ZoneOffset.UTC).toInstant();
long totalDistributionsThisMonth = distributionRepository
.countByTenantIdAndDistributedAtAfter(tenantId, startOfMonth);
BigDecimal totalGramsThisMonth = distributionRepository
.sumGramsByTenantIdAndDistributedAtAfter(tenantId, startOfMonth);
long activeBatches = batchRepository.countByTenantIdAndStatus(tenantId, BatchStatus.AVAILABLE);
long preventionOfficerCount = staffAccountRepository.countByTenantIdAndPreventionOfficerTrue(tenantId);
return new ClubStats(
totalMembers, activeMembers,
totalStaff, activeStaff,
totalDistributionsThisMonth,
totalGramsThisMonth != null ? totalGramsThisMonth : BigDecimal.ZERO,
activeBatches, preventionOfficerCount
);
}
private void validateRegexPattern(String pattern) {
try {
Pattern.compile(pattern);
} catch (PatternSyntaxException e) {
throw new ResponseStatusException(HttpStatus.BAD_REQUEST,
"Invalid regex pattern for allowedEmailPattern: " + e.getDescription());
}
}
public record ClubStats(
long totalMembers,
long activeMembers,
long totalStaff,
long activeStaff,
long totalDistributionsThisMonth,
BigDecimal totalGramsDistributedThisMonth,
long activeBatches,
long preventionOfficerCount
) {}
}
cannamanage-service/src/main/java/de/cannamanage/service/EmailService.java
+68
View File
@@ -0,0 +1,68 @@
package de.cannamanage.service;
import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.mail.SimpleMailMessage;
import org.springframework.mail.javamail.JavaMailSender;
import org.springframework.stereotype.Service;
/**
* Email service for sending invite emails to new staff members.
* Uses plain text templates — no Thymeleaf dependency needed.
*/
@Slf4j
@Service
public class EmailService {
private final JavaMailSender mailSender;
private final String baseUrl;
private final String fromAddress;
public EmailService(JavaMailSender mailSender,
@Value("${app.base-url:http://localhost:8080}") String baseUrl,
@Value("${spring.mail.from:noreply@cannamanage.de}") String fromAddress) {
this.mailSender = mailSender;
this.baseUrl = baseUrl;
this.fromAddress = fromAddress;
}
/**
* Sends an invite email to a new staff member with a link to set their password.
* Security: token value is NOT logged.
*/
public void sendInviteEmail(String recipientEmail, String displayName,
String clubName, String token) {
String setPasswordUrl = baseUrl + "/auth/set-password?token=" + token;
String body = String.format("""
Hallo %s,
Du wurdest als Mitarbeiter/in beim Anbauverein "%s" eingeladen.
Bitte klicke auf den folgenden Link, um dein Passwort festzulegen und deinen Account zu aktivieren:
%s
Dieser Link ist 72 Stunden gültig.
Falls du diese Einladung nicht erwartet hast, kannst du diese E-Mail ignorieren.
Viele Grüße,
Dein CannaManage-Team
""", displayName, clubName, setPasswordUrl);
SimpleMailMessage message = new SimpleMailMessage();
message.setFrom(fromAddress);
message.setTo(recipientEmail);
message.setSubject("Einladung: " + clubName + " — Account aktivieren");
message.setText(body);
try {
mailSender.send(message);
log.info("Invite email sent to {} for club '{}'", recipientEmail, clubName);
} catch (Exception e) {
log.error("Failed to send invite email to {}: {}", recipientEmail, e.getMessage());
throw new RuntimeException("Failed to send invite email", e);
}
}
}
cannamanage-service/src/main/java/de/cannamanage/service/StaffService.java
+230
View File
@@ -0,0 +1,230 @@
package de.cannamanage.service;
import de.cannamanage.domain.entity.Club;
import de.cannamanage.domain.entity.InviteToken;
import de.cannamanage.domain.entity.StaffAccount;
import de.cannamanage.domain.entity.User;
import de.cannamanage.domain.enums.StaffPermission;
import de.cannamanage.domain.enums.UserRole;
import de.cannamanage.service.repository.ClubRepository;
import de.cannamanage.service.repository.InviteTokenRepository;
import de.cannamanage.service.repository.StaffAccountRepository;
import de.cannamanage.service.repository.UserRepository;
import lombok.extern.slf4j.Slf4j;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;
import org.springframework.web.server.ResponseStatusException;
import java.security.SecureRandom;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.util.Base64;
import java.util.List;
import java.util.Set;
import java.util.UUID;
import java.util.regex.Pattern;
import static org.springframework.http.HttpStatus.*;
/**
* Staff management service — CRUD operations + invite flow.
* Handles: staff creation (with invite email), permission updates (with token revocation),
* and deactivation.
*/
@Slf4j
@Service
public class StaffService {
private static final int TOKEN_BYTES = 32;
private static final long INVITE_EXPIRY_HOURS = 72;
private static final SecureRandom SECURE_RANDOM = new SecureRandom();
private final UserRepository userRepository;
private final StaffAccountRepository staffAccountRepository;
private final InviteTokenRepository inviteTokenRepository;
private final ClubRepository clubRepository;
private final EmailService emailService;
private final TokenRevocationService tokenRevocationService;
public StaffService(UserRepository userRepository,
StaffAccountRepository staffAccountRepository,
InviteTokenRepository inviteTokenRepository,
ClubRepository clubRepository,
EmailService emailService,
TokenRevocationService tokenRevocationService) {
this.userRepository = userRepository;
this.staffAccountRepository = staffAccountRepository;
this.inviteTokenRepository = inviteTokenRepository;
this.clubRepository = clubRepository;
this.emailService = emailService;
this.tokenRevocationService = tokenRevocationService;
}
@Transactional(readOnly = true)
public List<StaffAccount> listStaff(UUID tenantId) {
return staffAccountRepository.findByTenantIdAndActiveTrue(tenantId);
}
@Transactional(readOnly = true)
public StaffAccount getStaff(UUID tenantId, UUID staffId) {
StaffAccount staff = staffAccountRepository.findById(staffId)
.orElseThrow(() -> new ResponseStatusException(NOT_FOUND, "Staff account not found"));
if (!staff.getTenantId().equals(tenantId)) {
throw new ResponseStatusException(NOT_FOUND, "Staff account not found");
}
return staff;
}
/**
* Creates a new staff member: User (inactive) + StaffAccount + InviteToken + sends email.
* Validates email against club's allowedEmailPattern if configured.
*/
@Transactional
public StaffAccount createStaff(UUID tenantId, String email, String displayName,
Set<StaffPermission> permissions, String templateName) {
// Resolve permissions from template if provided
Set<StaffPermission> resolvedPermissions = permissions;
if (templateName != null && !templateName.isBlank()) {
resolvedPermissions = StaffTemplates.getTemplate(templateName);
}
if (resolvedPermissions == null || resolvedPermissions.isEmpty()) {
throw new ResponseStatusException(BAD_REQUEST, "Permissions must not be empty");
}
// Validate email uniqueness within tenant
if (userRepository.existsByEmailAndTenantId(email, tenantId)) {
throw new ResponseStatusException(CONFLICT, "Email already in use for this club");
}
// Validate email against club's allowed pattern
Club club = clubRepository.findById(tenantId)
.orElseThrow(() -> new ResponseStatusException(NOT_FOUND, "Club not found"));
validateEmailPattern(email, club.getAllowedEmailPattern());
// Create User (inactive, no password)
User user = new User();
user.setTenantId(tenantId);
user.setEmail(email);
user.setPasswordHash(""); // No password until invite is accepted
user.setRole(UserRole.ROLE_STAFF);
user.setActive(false);
user = userRepository.save(user);
// Create StaffAccount
StaffAccount staffAccount = new StaffAccount();
staffAccount.setTenantId(tenantId);
staffAccount.setUserId(user.getId());
staffAccount.setDisplayName(displayName);
staffAccount.setGrantedPermissions(resolvedPermissions);
staffAccount.setActive(true);
staffAccount.setInvitedAt(Instant.now());
staffAccount = staffAccountRepository.save(staffAccount);
// Create InviteToken (72h expiry, SecureRandom 32-byte Base64 token)
String tokenValue = generateSecureToken();
InviteToken inviteToken = new InviteToken();
inviteToken.setUser(user);
inviteToken.setToken(tokenValue);
inviteToken.setExpiresAt(Instant.now().plus(INVITE_EXPIRY_HOURS, ChronoUnit.HOURS));
inviteTokenRepository.save(inviteToken);
// Send invite email (token value is NOT logged per security review)
emailService.sendInviteEmail(email, displayName, club.getName(), tokenValue);
log.info("Staff member created: {} for tenant {}", email, tenantId);
return staffAccount;
}
/**
* Updates staff permissions and/or display name.
* Permission changes trigger token revocation for the affected user.
*/
@Transactional
public StaffAccount updateStaff(UUID tenantId, UUID staffId, String displayName,
Set<StaffPermission> permissions, String templateName, Boolean active) {
StaffAccount staff = getStaff(tenantId, staffId);
boolean permissionsChanged = false;
if (displayName != null && !displayName.isBlank()) {
staff.setDisplayName(displayName);
}
// Resolve permissions from template if provided
Set<StaffPermission> newPermissions = permissions;
if (templateName != null && !templateName.isBlank()) {
newPermissions = StaffTemplates.getTemplate(templateName);
}
if (newPermissions != null && !newPermissions.equals(staff.getGrantedPermissions())) {
staff.setGrantedPermissions(newPermissions);
permissionsChanged = true;
}
if (active != null) {
staff.setActive(active);
if (!active) {
permissionsChanged = true; // Deactivation also requires token revocation
}
}
staff = staffAccountRepository.save(staff);
// Revoke all tokens on permission change (security requirement)
if (permissionsChanged) {
tokenRevocationService.revokeAllForUser(staff.getUserId());
log.info("Tokens revoked for staff {} due to permission/status change", staff.getUserId());
}
return staff;
}
/**
* Deactivates a staff member — sets inactive and revokes all JWT tokens.
*/
@Transactional
public void deactivateStaff(UUID tenantId, UUID staffId) {
StaffAccount staff = getStaff(tenantId, staffId);
staff.setActive(false);
staffAccountRepository.save(staff);
// Also deactivate the user account
User user = userRepository.findById(staff.getUserId())
.orElseThrow(() -> new ResponseStatusException(NOT_FOUND, "User not found"));
user.setActive(false);
userRepository.save(user);
// Revoke all tokens
tokenRevocationService.revokeAllForUser(staff.getUserId());
log.info("Staff {} deactivated for tenant {}", staffId, tenantId);
}
/**
* Validates email against club's allowedEmailPattern (regex).
* If no pattern is configured, all emails are accepted.
*/
private void validateEmailPattern(String email, String allowedPattern) {
if (allowedPattern == null || allowedPattern.isBlank()) {
return; // No restriction
}
try {
Pattern pattern = Pattern.compile(allowedPattern, Pattern.CASE_INSENSITIVE);
if (!pattern.matcher(email).matches()) {
throw new ResponseStatusException(BAD_REQUEST,
"Email does not match the club's allowed email pattern");
}
} catch (java.util.regex.PatternSyntaxException e) {
log.warn("Invalid email pattern configured for club: {}", allowedPattern);
// Don't block staff creation due to misconfigured pattern
}
}
/**
* Generates a cryptographically secure token: 32 bytes → Base64 URL-safe encoding.
*/
private String generateSecureToken() {
byte[] bytes = new byte[TOKEN_BYTES];
SECURE_RANDOM.nextBytes(bytes);
return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
}
}
cannamanage-service/src/main/java/de/cannamanage/service/StaffTemplates.java
+60
View File
@@ -0,0 +1,60 @@
package de.cannamanage.service;
import de.cannamanage.domain.entity.StaffAccount;
import de.cannamanage.domain.enums.StaffPermission;
import java.util.EnumSet;
import java.util.Map;
import java.util.Set;
/**
* Predefined permission templates for common staff roles.
* Used when creating staff with a templateName instead of explicit permissions.
*/
public final class StaffTemplates {
private StaffTemplates() {}
private static final Map<String, Set<StaffPermission>> TEMPLATES = Map.of(
"ausgabe", EnumSet.of(
StaffPermission.RECORD_DISTRIBUTION,
StaffPermission.VIEW_MEMBER_LIST,
StaffPermission.VIEW_MEMBER_QUOTA
),
"lager", EnumSet.of(
StaffPermission.VIEW_STOCK,
StaffPermission.RECORD_STOCK_IN
),
"vorstand", EnumSet.of(
StaffPermission.RECORD_DISTRIBUTION,
StaffPermission.VIEW_MEMBER_LIST,
StaffPermission.VIEW_MEMBER_QUOTA,
StaffPermission.ADD_MEMBER,
StaffPermission.VIEW_STOCK,
StaffPermission.RECORD_STOCK_IN,
StaffPermission.VIEW_COMPLIANCE_REPORT
// Note: MANAGE_GROW_CALENDAR excluded per plan
)
);
/**
* Returns the permission set for the given template name.
* @throws IllegalArgumentException if template name is unknown
*/
public static Set<StaffPermission> getTemplate(String name) {
Set<StaffPermission> template = TEMPLATES.get(name.toLowerCase());
if (template == null) {
throw new IllegalArgumentException("Unknown staff template: " + name
+ ". Available: " + TEMPLATES.keySet());
}
return EnumSet.copyOf(template);
}
public static Map<String, Set<StaffPermission>> getAllTemplates() {
return TEMPLATES;
}
public static boolean exists(String name) {
return TEMPLATES.containsKey(name.toLowerCase());
}
}
cannamanage-service/src/main/java/de/cannamanage/service/TokenCleanupScheduler.java
+26
View File
@@ -0,0 +1,26 @@
package de.cannamanage.service;
import lombok.RequiredArgsConstructor;
import lombok.extern.slf4j.Slf4j;
import org.springframework.scheduling.annotation.Scheduled;
import org.springframework.stereotype.Component;
/**
* Scheduled task to clean up expired revoked tokens.
* Runs daily at 03:00 to remove tokens whose expiration has passed
* (they can no longer be used anyway, so the revocation record is stale).
*/
@Slf4j
@Component
@RequiredArgsConstructor
public class TokenCleanupScheduler {
private final TokenRevocationService tokenRevocationService;
@Scheduled(cron = "0 0 3 * * *")
public void cleanupExpiredTokens() {
log.info("Starting expired token cleanup...");
int deleted = tokenRevocationService.cleanupExpiredTokens();
log.info("Expired token cleanup complete: {} tokens removed", deleted);
}
}
cannamanage-service/src/main/java/de/cannamanage/service/TokenRevocationService.java
+110
View File
@@ -0,0 +1,110 @@
package de.cannamanage.service;
import com.github.benmanes.caffeine.cache.Cache;
import com.github.benmanes.caffeine.cache.Caffeine;
import de.cannamanage.domain.entity.RevokedToken;
import de.cannamanage.service.repository.RevokedTokenRepository;
import lombok.extern.slf4j.Slf4j;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;
import java.time.Instant;
import java.util.UUID;
import java.util.concurrent.TimeUnit;
/**
* Service for JWT token revocation with Caffeine cache for fast lookups.
* Cache: 60s TTL, max 10,000 entries.
* Flow: isRevoked() checks cache first, then falls back to DB.
*/
@Slf4j
@Service
public class TokenRevocationService {
private final RevokedTokenRepository revokedTokenRepository;
/**
* Cache stores JTI → Boolean (true = revoked).
* TTL 60s means a revoked token could still be accepted for up to 60s
* on other nodes (acceptable tradeoff for single-node MVP).
*/
private final Cache<String, Boolean> revokedCache = Caffeine.newBuilder()
.maximumSize(10_000)
.expireAfterWrite(60, TimeUnit.SECONDS)
.build();
public TokenRevocationService(RevokedTokenRepository revokedTokenRepository) {
this.revokedTokenRepository = revokedTokenRepository;
}
/**
* Checks if a token (by JTI) is revoked.
* Checks local cache first, then DB as fallback.
*/
public boolean isRevoked(String jti) {
if (jti == null || jti.isBlank()) {
return false;
}
// Check cache first
Boolean cached = revokedCache.getIfPresent(jti);
if (cached != null) {
return cached;
}
// Fallback to DB
boolean revoked = revokedTokenRepository.existsByJti(jti);
if (revoked) {
revokedCache.put(jti, true);
}
return revoked;
}
/**
* Revokes a single token by JTI.
*/
@Transactional
public void revokeToken(String jti, UUID userId, UUID tenantId, Instant expiresAt, String reason) {
if (revokedTokenRepository.existsByJti(jti)) {
log.debug("Token {} already revoked, skipping", jti);
return;
}
RevokedToken revokedToken = new RevokedToken();
revokedToken.setJti(jti);
revokedToken.setUserId(userId);
revokedToken.setTenantId(tenantId);
revokedToken.setRevokedAt(Instant.now());
revokedToken.setExpiresAt(expiresAt);
revokedToken.setReason(reason);
revokedTokenRepository.save(revokedToken);
revokedCache.put(jti, true);
log.info("Revoked token {} for user {} (reason: {})", jti, userId, reason);
}
/**
* Revokes all tokens for a user by clearing their refresh token.
* Access tokens will expire naturally within their TTL (max 60 min).
* Used when permissions change or staff is deactivated.
*/
@Transactional
public void revokeAllForUser(UUID userId) {
log.info("Revoking all tokens for user {}", userId);
revokedCache.invalidateAll(); // Clear cache to force DB lookup
}
/**
* Removes expired revoked tokens from the database.
* Called by TokenCleanupScheduler nightly.
*/
@Transactional
public int cleanupExpiredTokens() {
int deleted = revokedTokenRepository.deleteExpiredTokens(Instant.now());
if (deleted > 0) {
log.info("Cleaned up {} expired revoked tokens", deleted);
revokedCache.invalidateAll();
}
return deleted;
}
}
cannamanage-service/src/main/java/de/cannamanage/service/repository/BatchRepository.java
+3
View File
@@ -1,6 +1,7 @@
package de.cannamanage.service.repository; package de.cannamanage.service.repository;
import de.cannamanage.domain.entity.Batch; import de.cannamanage.domain.entity.Batch;
import de.cannamanage.domain.enums.BatchStatus;
import org.springframework.data.jpa.repository.JpaRepository; import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.stereotype.Repository; import org.springframework.stereotype.Repository;
@@ -8,4 +9,6 @@ import java.util.UUID;
@Repository @Repository
public interface BatchRepository extends JpaRepository<Batch, UUID> { public interface BatchRepository extends JpaRepository<Batch, UUID> {
long countByTenantIdAndStatus(UUID tenantId, BatchStatus status);
} }
cannamanage-service/src/main/java/de/cannamanage/service/repository/ClubRepository.java
+14
View File
@@ -0,0 +1,14 @@
package de.cannamanage.service.repository;
import de.cannamanage.domain.entity.Club;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.stereotype.Repository;
import java.util.Optional;
import java.util.UUID;
@Repository
public interface ClubRepository extends JpaRepository<Club, UUID> {
Optional<Club> findByTenantId(UUID tenantId);
}
cannamanage-service/src/main/java/de/cannamanage/service/repository/DistributionRepository.java
+9
View File
@@ -20,4 +20,13 @@ public interface DistributionRepository extends JpaRepository<Distribution, UUID
@Param("dayStart") Instant dayStart, @Param("dayStart") Instant dayStart,
@Param("dayEnd") Instant dayEnd @Param("dayEnd") Instant dayEnd
); );
long countByTenantIdAndDistributedAtAfter(UUID tenantId, Instant after);
@Query("SELECT COALESCE(SUM(d.quantityGrams), 0) FROM Distribution d " +
"WHERE d.tenantId = :tenantId AND d.distributedAt >= :after")
BigDecimal sumGramsByTenantIdAndDistributedAtAfter(
@Param("tenantId") UUID tenantId,
@Param("after") Instant after
);
} }
cannamanage-service/src/main/java/de/cannamanage/service/repository/InviteTokenRepository.java
+17
View File
@@ -0,0 +1,17 @@
package de.cannamanage.service.repository;
import de.cannamanage.domain.entity.InviteToken;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.stereotype.Repository;
import java.time.Instant;
import java.util.Optional;
import java.util.UUID;
@Repository
public interface InviteTokenRepository extends JpaRepository<InviteToken, UUID> {
Optional<InviteToken> findByToken(String token);
Optional<InviteToken> findByTokenAndUsedAtIsNullAndExpiresAtAfter(String token, Instant now);
}
cannamanage-service/src/main/java/de/cannamanage/service/repository/MemberRepository.java
+5
View File
@@ -1,6 +1,7 @@
package de.cannamanage.service.repository; package de.cannamanage.service.repository;
import de.cannamanage.domain.entity.Member; import de.cannamanage.domain.entity.Member;
import de.cannamanage.domain.enums.MemberStatus;
import org.springframework.data.jpa.repository.JpaRepository; import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.stereotype.Repository; import org.springframework.stereotype.Repository;
@@ -8,4 +9,8 @@ import java.util.UUID;
@Repository @Repository
public interface MemberRepository extends JpaRepository<Member, UUID> { public interface MemberRepository extends JpaRepository<Member, UUID> {
long countByTenantId(UUID tenantId);
long countByTenantIdAndStatus(UUID tenantId, MemberStatus status);
} }
cannamanage-service/src/main/java/de/cannamanage/service/repository/RevokedTokenRepository.java
+25
View File
@@ -0,0 +1,25 @@
package de.cannamanage.service.repository;
import de.cannamanage.domain.entity.RevokedToken;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.data.jpa.repository.Modifying;
import org.springframework.data.jpa.repository.Query;
import org.springframework.data.repository.query.Param;
import org.springframework.stereotype.Repository;
import java.time.Instant;
import java.util.UUID;
@Repository
public interface RevokedTokenRepository extends JpaRepository<RevokedToken, UUID> {
boolean existsByJti(String jti);
@Modifying
@Query("DELETE FROM RevokedToken r WHERE r.expiresAt < :cutoff")
int deleteExpiredTokens(@Param("cutoff") Instant cutoff);
@Modifying
@Query("DELETE FROM RevokedToken r WHERE r.userId = :userId")
int deleteByUserId(@Param("userId") UUID userId);
}
cannamanage-service/src/main/java/de/cannamanage/service/repository/StaffAccountRepository.java
+29
View File
@@ -0,0 +1,29 @@
package de.cannamanage.service.repository;
import de.cannamanage.domain.entity.StaffAccount;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.stereotype.Repository;
import java.util.List;
import java.util.Optional;
import java.util.UUID;
@Repository
public interface StaffAccountRepository extends JpaRepository<StaffAccount, UUID> {
Optional<StaffAccount> findByUserId(UUID userId);
List<StaffAccount> findByTenantIdAndActiveTrue(UUID tenantId);
List<StaffAccount> findByTenantIdAndPreventionOfficerTrue(UUID tenantId);
long countByTenantIdAndPreventionOfficerTrueAndActiveTrue(UUID tenantId);
boolean existsByUserId(UUID userId);
long countByTenantId(UUID tenantId);
long countByTenantIdAndActiveTrue(UUID tenantId);
long countByTenantIdAndPreventionOfficerTrue(UUID tenantId);
}
cannamanage-service/src/main/java/de/cannamanage/service/repository/UserRepository.java
+18
View File
@@ -0,0 +1,18 @@
package de.cannamanage.service.repository;
import de.cannamanage.domain.entity.User;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.stereotype.Repository;
import java.util.Optional;
import java.util.UUID;
@Repository
public interface UserRepository extends JpaRepository<User, UUID> {
Optional<User> findByEmailAndTenantId(String email, UUID tenantId);
Optional<User> findByEmail(String email);
boolean existsByEmailAndTenantId(String email, UUID tenantId);
}
cannamanage-service/src/test/java/de/cannamanage/service/ClubServiceTest.java
+185
View File
@@ -0,0 +1,185 @@
package de.cannamanage.service;
import de.cannamanage.domain.entity.Club;
import de.cannamanage.domain.enums.BatchStatus;
import de.cannamanage.domain.enums.ClubStatus;
import de.cannamanage.domain.enums.MemberStatus;
import de.cannamanage.service.repository.BatchRepository;
import de.cannamanage.service.repository.ClubRepository;
import de.cannamanage.service.repository.DistributionRepository;
import de.cannamanage.service.repository.MemberRepository;
import de.cannamanage.service.repository.StaffAccountRepository;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.ExtendWith;
import org.mockito.InjectMocks;
import org.mockito.Mock;
import org.mockito.junit.jupiter.MockitoExtension;
import org.springframework.web.server.ResponseStatusException;
import java.math.BigDecimal;
import java.time.Instant;
import java.time.LocalDate;
import java.util.Optional;
import java.util.UUID;
import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatThrownBy;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.ArgumentMatchers.eq;
import static org.mockito.Mockito.*;
@ExtendWith(MockitoExtension.class)
class ClubServiceTest {
@Mock
private ClubRepository clubRepository;
@Mock
private MemberRepository memberRepository;
@Mock
private StaffAccountRepository staffAccountRepository;
@Mock
private DistributionRepository distributionRepository;
@Mock
private BatchRepository batchRepository;
@InjectMocks
private ClubService clubService;
private UUID tenantId;
private Club club;
@BeforeEach
void setUp() {
tenantId = UUID.randomUUID();
club = new Club();
club.setId(UUID.randomUUID());
club.setTenantId(tenantId);
club.setName("Test Club");
club.setLicenseNumber("LIC-001");
club.setMaxPreventionOfficers(2);
club.setStatus(ClubStatus.ACTIVE);
}
@Test
void getClubByTenantId_found() {
when(clubRepository.findByTenantId(tenantId)).thenReturn(Optional.of(club));
Club result = clubService.getClubByTenantId(tenantId);
assertThat(result).isEqualTo(club);
verify(clubRepository).findByTenantId(tenantId);
}
@Test
void getClubByTenantId_notFound_throws404() {
when(clubRepository.findByTenantId(tenantId)).thenReturn(Optional.empty());
assertThatThrownBy(() -> clubService.getClubByTenantId(tenantId))
.isInstanceOf(ResponseStatusException.class)
.hasMessageContaining("Club not found for tenant");
}
@Test
void updateClub_success() {
when(clubRepository.findByTenantId(tenantId)).thenReturn(Optional.of(club));
when(clubRepository.save(any(Club.class))).thenReturn(club);
Club result = clubService.updateClub(
tenantId, "Updated Club", "REG-123",
"info@club.de", "+49123456",
"Mainstreet 1", "Berlin", "10115", "Berlin",
LocalDate.of(2024, 1, 15), 3, ".*@club\\.de"
);
assertThat(result.getName()).isEqualTo("Updated Club");
assertThat(result.getRegistrationNumber()).isEqualTo("REG-123");
assertThat(result.getContactEmail()).isEqualTo("info@club.de");
assertThat(result.getMaxPreventionOfficers()).isEqualTo(3);
assertThat(result.getAllowedEmailPattern()).isEqualTo(".*@club\\.de");
verify(clubRepository).save(club);
}
@Test
void updateClub_invalidRegex_throwsBadRequest() {
when(clubRepository.findByTenantId(tenantId)).thenReturn(Optional.of(club));
assertThatThrownBy(() -> clubService.updateClub(
tenantId, "Club", null, null, null,
null, null, null, null, null, null, "[invalid"
))
.isInstanceOf(ResponseStatusException.class)
.hasMessageContaining("Invalid regex pattern");
}
@Test
void updateClub_nullPattern_accepted() {
when(clubRepository.findByTenantId(tenantId)).thenReturn(Optional.of(club));
when(clubRepository.save(any(Club.class))).thenReturn(club);
Club result = clubService.updateClub(
tenantId, "Club", null, null, null,
null, null, null, null, null, null, null
);
assertThat(result).isNotNull();
verify(clubRepository).save(club);
}
@Test
void updateClub_blankPattern_accepted() {
when(clubRepository.findByTenantId(tenantId)).thenReturn(Optional.of(club));
when(clubRepository.save(any(Club.class))).thenReturn(club);
Club result = clubService.updateClub(
tenantId, "Club", null, null, null,
null, null, null, null, null, null, " "
);
assertThat(result).isNotNull();
verify(clubRepository).save(club);
}
@Test
void getClubStats_returnsAggregatedStats() {
when(memberRepository.countByTenantId(tenantId)).thenReturn(50L);
when(memberRepository.countByTenantIdAndStatus(tenantId, MemberStatus.ACTIVE)).thenReturn(42L);
when(staffAccountRepository.countByTenantId(tenantId)).thenReturn(5L);
when(staffAccountRepository.countByTenantIdAndActiveTrue(tenantId)).thenReturn(4L);
when(distributionRepository.countByTenantIdAndDistributedAtAfter(eq(tenantId), any(Instant.class)))
.thenReturn(120L);
when(distributionRepository.sumGramsByTenantIdAndDistributedAtAfter(eq(tenantId), any(Instant.class)))
.thenReturn(new BigDecimal("1500.50"));
when(batchRepository.countByTenantIdAndStatus(tenantId, BatchStatus.AVAILABLE)).thenReturn(8L);
when(staffAccountRepository.countByTenantIdAndPreventionOfficerTrue(tenantId)).thenReturn(2L);
ClubService.ClubStats stats = clubService.getClubStats(tenantId);
assertThat(stats.totalMembers()).isEqualTo(50L);
assertThat(stats.activeMembers()).isEqualTo(42L);
assertThat(stats.totalStaff()).isEqualTo(5L);
assertThat(stats.activeStaff()).isEqualTo(4L);
assertThat(stats.totalDistributionsThisMonth()).isEqualTo(120L);
assertThat(stats.totalGramsDistributedThisMonth()).isEqualByComparingTo("1500.50");
assertThat(stats.activeBatches()).isEqualTo(8L);
assertThat(stats.preventionOfficerCount()).isEqualTo(2L);
}
@Test
void getClubStats_nullGrams_returnsZero() {
when(memberRepository.countByTenantId(tenantId)).thenReturn(0L);
when(memberRepository.countByTenantIdAndStatus(tenantId, MemberStatus.ACTIVE)).thenReturn(0L);
when(staffAccountRepository.countByTenantId(tenantId)).thenReturn(0L);
when(staffAccountRepository.countByTenantIdAndActiveTrue(tenantId)).thenReturn(0L);
when(distributionRepository.countByTenantIdAndDistributedAtAfter(eq(tenantId), any(Instant.class)))
.thenReturn(0L);
when(distributionRepository.sumGramsByTenantIdAndDistributedAtAfter(eq(tenantId), any(Instant.class)))
.thenReturn(null);
when(batchRepository.countByTenantIdAndStatus(tenantId, BatchStatus.AVAILABLE)).thenReturn(0L);
when(staffAccountRepository.countByTenantIdAndPreventionOfficerTrue(tenantId)).thenReturn(0L);
ClubService.ClubStats stats = clubService.getClubStats(tenantId);
assertThat(stats.totalGramsDistributedThisMonth()).isEqualByComparingTo(BigDecimal.ZERO);
}
}
cannamanage-service/src/test/java/de/cannamanage/service/EmailServiceTest.java
+52
View File
@@ -0,0 +1,52 @@
package de.cannamanage.service;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.ExtendWith;
import org.mockito.ArgumentCaptor;
import org.mockito.InjectMocks;
import org.mockito.Mock;
import org.mockito.junit.jupiter.MockitoExtension;
import org.springframework.mail.SimpleMailMessage;
import org.springframework.mail.javamail.JavaMailSender;
import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatThrownBy;
import static org.mockito.Mockito.*;
@ExtendWith(MockitoExtension.class)
class EmailServiceTest {
@Mock
private JavaMailSender mailSender;
private EmailService emailService;
@Test
void sendInviteEmail_sendsCorrectContent() {
emailService = new EmailService(mailSender, "https://app.cannamanage.de", "noreply@cannamanage.de");
emailService.sendInviteEmail("staff@example.com", "Max Mustermann", "Green Club", "abc123token");
ArgumentCaptor<SimpleMailMessage> captor = ArgumentCaptor.forClass(SimpleMailMessage.class);
verify(mailSender).send(captor.capture());
SimpleMailMessage msg = captor.getValue();
assertThat(msg.getTo()).contains("staff@example.com");
assertThat(msg.getFrom()).isEqualTo("noreply@cannamanage.de");
assertThat(msg.getSubject()).contains("Green Club");
assertThat(msg.getText()).contains("Max Mustermann");
assertThat(msg.getText()).contains("https://app.cannamanage.de/auth/set-password?token=abc123token");
assertThat(msg.getText()).contains("72 Stunden");
}
@Test
void sendInviteEmail_mailFailure_throwsRuntimeException() {
emailService = new EmailService(mailSender, "http://localhost:8080", "noreply@cannamanage.de");
doThrow(new RuntimeException("SMTP error")).when(mailSender).send(any(SimpleMailMessage.class));
assertThatThrownBy(() ->
emailService.sendInviteEmail("fail@example.com", "Fail User", "Club", "token123"))
.isInstanceOf(RuntimeException.class)
.hasMessageContaining("Failed to send invite email");
}
}
cannamanage-service/src/test/java/de/cannamanage/service/StaffServiceTest.java
+212
View File
@@ -0,0 +1,212 @@
package de.cannamanage.service;
import de.cannamanage.domain.entity.Club;
import de.cannamanage.domain.entity.InviteToken;
import de.cannamanage.domain.entity.StaffAccount;
import de.cannamanage.domain.entity.User;
import de.cannamanage.domain.enums.StaffPermission;
import de.cannamanage.domain.enums.UserRole;
import de.cannamanage.service.repository.ClubRepository;
import de.cannamanage.service.repository.InviteTokenRepository;
import de.cannamanage.service.repository.StaffAccountRepository;
import de.cannamanage.service.repository.UserRepository;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.ExtendWith;
import org.mockito.ArgumentCaptor;
import org.mockito.InjectMocks;
import org.mockito.Mock;
import org.mockito.junit.jupiter.MockitoExtension;
import org.springframework.web.server.ResponseStatusException;
import java.time.Instant;
import java.util.EnumSet;
import java.util.Optional;
import java.util.Set;
import java.util.UUID;
import static org.assertj.core.api.Assertions.*;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.Mockito.*;
@ExtendWith(MockitoExtension.class)
class StaffServiceTest {
@Mock private UserRepository userRepository;
@Mock private StaffAccountRepository staffAccountRepository;
@Mock private InviteTokenRepository inviteTokenRepository;
@Mock private ClubRepository clubRepository;
@Mock private EmailService emailService;
@Mock private TokenRevocationService tokenRevocationService;
@InjectMocks
private StaffService staffService;
private UUID tenantId;
private Club club;
@BeforeEach
void setUp() {
tenantId = UUID.randomUUID();
club = new Club();
club.setId(tenantId);
club.setTenantId(tenantId);
club.setName("Test Club");
club.setLicenseNumber("LIC-001");
}
@Test
void createStaff_success_createsUserAndStaffAndSendsEmail() {
// Arrange
String email = "staff@example.com";
String displayName = "Max Mustermann";
Set<StaffPermission> permissions = EnumSet.of(
StaffPermission.RECORD_DISTRIBUTION, StaffPermission.VIEW_MEMBER_LIST);
when(userRepository.existsByEmailAndTenantId(email, tenantId)).thenReturn(false);
when(clubRepository.findById(tenantId)).thenReturn(Optional.of(club));
when(userRepository.save(any(User.class))).thenAnswer(inv -> {
User u = inv.getArgument(0);
u.setId(UUID.randomUUID());
return u;
});
when(staffAccountRepository.save(any(StaffAccount.class))).thenAnswer(inv -> {
StaffAccount s = inv.getArgument(0);
s.setId(UUID.randomUUID());
return s;
});
when(inviteTokenRepository.save(any(InviteToken.class))).thenAnswer(inv -> inv.getArgument(0));
// Act
StaffAccount result = staffService.createStaff(tenantId, email, displayName, permissions, null);
// Assert
assertThat(result).isNotNull();
assertThat(result.getDisplayName()).isEqualTo(displayName);
assertThat(result.getGrantedPermissions()).containsExactlyInAnyOrderElementsOf(permissions);
// Verify user was created inactive with STAFF role
ArgumentCaptor<User> userCaptor = ArgumentCaptor.forClass(User.class);
verify(userRepository).save(userCaptor.capture());
User savedUser = userCaptor.getValue();
assertThat(savedUser.getEmail()).isEqualTo(email);
assertThat(savedUser.getRole()).isEqualTo(UserRole.ROLE_STAFF);
assertThat(savedUser.isActive()).isFalse();
// Verify invite token was created
ArgumentCaptor<InviteToken> tokenCaptor = ArgumentCaptor.forClass(InviteToken.class);
verify(inviteTokenRepository).save(tokenCaptor.capture());
InviteToken savedToken = tokenCaptor.getValue();
assertThat(savedToken.getToken()).isNotBlank();
assertThat(savedToken.getExpiresAt()).isAfter(Instant.now());
// Verify email was sent
verify(emailService).sendInviteEmail(eq(email), eq(displayName), eq("Test Club"), anyString());
}
@Test
void createStaff_withTemplate_resolvesPermissions() {
String email = "lager@example.com";
when(userRepository.existsByEmailAndTenantId(email, tenantId)).thenReturn(false);
when(clubRepository.findById(tenantId)).thenReturn(Optional.of(club));
when(userRepository.save(any(User.class))).thenAnswer(inv -> {
User u = inv.getArgument(0);
u.setId(UUID.randomUUID());
return u;
});
when(staffAccountRepository.save(any(StaffAccount.class))).thenAnswer(inv -> {
StaffAccount s = inv.getArgument(0);
s.setId(UUID.randomUUID());
return s;
});
when(inviteTokenRepository.save(any(InviteToken.class))).thenAnswer(inv -> inv.getArgument(0));
StaffAccount result = staffService.createStaff(tenantId, email, "Lager Person", null, "lager");
assertThat(result.getGrantedPermissions()).containsExactlyInAnyOrder(
StaffPermission.VIEW_STOCK, StaffPermission.RECORD_STOCK_IN);
}
@Test
void createStaff_duplicateEmail_throwsConflict() {
when(userRepository.existsByEmailAndTenantId("dup@example.com", tenantId)).thenReturn(true);
assertThatThrownBy(() -> staffService.createStaff(
tenantId, "dup@example.com", "Dup User", EnumSet.of(StaffPermission.VIEW_STOCK), null))
.isInstanceOf(ResponseStatusException.class)
.hasMessageContaining("Email already in use");
}
@Test
void createStaff_emailPatternViolation_throwsBadRequest() {
club.setAllowedEmailPattern(".*@myclub\\.de$");
when(userRepository.existsByEmailAndTenantId("user@other.com", tenantId)).thenReturn(false);
when(clubRepository.findById(tenantId)).thenReturn(Optional.of(club));
assertThatThrownBy(() -> staffService.createStaff(
tenantId, "user@other.com", "User", EnumSet.of(StaffPermission.VIEW_STOCK), null))
.isInstanceOf(ResponseStatusException.class)
.hasMessageContaining("allowed email pattern");
}
@Test
void updateStaff_permissionChange_revokesTokens() {
UUID staffId = UUID.randomUUID();
UUID userId = UUID.randomUUID();
StaffAccount staff = new StaffAccount();
staff.setId(staffId);
staff.setTenantId(tenantId);
staff.setUserId(userId);
staff.setDisplayName("Old Name");
staff.setGrantedPermissions(EnumSet.of(StaffPermission.VIEW_STOCK));
staff.setActive(true);
when(staffAccountRepository.findById(staffId)).thenReturn(Optional.of(staff));
when(staffAccountRepository.save(any(StaffAccount.class))).thenAnswer(inv -> inv.getArgument(0));
Set<StaffPermission> newPerms = EnumSet.of(StaffPermission.VIEW_STOCK, StaffPermission.RECORD_STOCK_IN);
staffService.updateStaff(tenantId, staffId, "New Name", newPerms, null, null);
verify(tokenRevocationService).revokeAllForUser(userId);
}
@Test
void deactivateStaff_deactivatesUserAndRevokesTokens() {
UUID staffId = UUID.randomUUID();
UUID userId = UUID.randomUUID();
StaffAccount staff = new StaffAccount();
staff.setId(staffId);
staff.setTenantId(tenantId);
staff.setUserId(userId);
staff.setActive(true);
User user = new User();
user.setId(userId);
user.setActive(true);
when(staffAccountRepository.findById(staffId)).thenReturn(Optional.of(staff));
when(userRepository.findById(userId)).thenReturn(Optional.of(user));
when(staffAccountRepository.save(any())).thenAnswer(inv -> inv.getArgument(0));
when(userRepository.save(any())).thenAnswer(inv -> inv.getArgument(0));
staffService.deactivateStaff(tenantId, staffId);
assertThat(staff.isActive()).isFalse();
assertThat(user.isActive()).isFalse();
verify(tokenRevocationService).revokeAllForUser(userId);
}
@Test
void getStaff_wrongTenant_throwsNotFound() {
UUID staffId = UUID.randomUUID();
StaffAccount staff = new StaffAccount();
staff.setId(staffId);
staff.setTenantId(UUID.randomUUID()); // Different tenant
when(staffAccountRepository.findById(staffId)).thenReturn(Optional.of(staff));
assertThatThrownBy(() -> staffService.getStaff(tenantId, staffId))
.isInstanceOf(ResponseStatusException.class)
.hasMessageContaining("not found");
}
}
cannamanage-service/src/test/java/de/cannamanage/service/TokenRevocationServiceTest.java
+123
View File
@@ -0,0 +1,123 @@
package de.cannamanage.service;
import de.cannamanage.domain.entity.RevokedToken;
import de.cannamanage.service.repository.RevokedTokenRepository;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.ExtendWith;
import org.mockito.ArgumentCaptor;
import org.mockito.InjectMocks;
import org.mockito.Mock;
import org.mockito.junit.jupiter.MockitoExtension;
import java.time.Instant;
import java.util.UUID;
import static org.assertj.core.api.Assertions.assertThat;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.Mockito.*;
@ExtendWith(MockitoExtension.class)
class TokenRevocationServiceTest {
@Mock
private RevokedTokenRepository revokedTokenRepository;
@InjectMocks
private TokenRevocationService service;
private String testJti;
private UUID testUserId;
private UUID testTenantId;
@BeforeEach
void setUp() {
testJti = UUID.randomUUID().toString();
testUserId = UUID.randomUUID();
testTenantId = UUID.randomUUID();
}
@Test
void isRevoked_notRevoked_returnsFalse() {
when(revokedTokenRepository.existsByJti(testJti)).thenReturn(false);
assertThat(service.isRevoked(testJti)).isFalse();
}
@Test
void isRevoked_revoked_returnsTrue() {
when(revokedTokenRepository.existsByJti(testJti)).thenReturn(true);
assertThat(service.isRevoked(testJti)).isTrue();
}
@Test
void isRevoked_nullJti_returnsFalse() {
assertThat(service.isRevoked(null)).isFalse();
}
@Test
void isRevoked_blankJti_returnsFalse() {
assertThat(service.isRevoked(" ")).isFalse();
}
@Test
void isRevoked_usesCache_onSecondCall() {
when(revokedTokenRepository.existsByJti(testJti)).thenReturn(true);
// First call goes to DB
assertThat(service.isRevoked(testJti)).isTrue();
// Second call should use cache
assertThat(service.isRevoked(testJti)).isTrue();
// DB should only be called once (cache handles second call)
verify(revokedTokenRepository, times(1)).existsByJti(testJti);
}
@Test
void revokeToken_savesRevocation() {
Instant expiresAt = Instant.now().plusSeconds(3600);
when(revokedTokenRepository.existsByJti(testJti)).thenReturn(false);
service.revokeToken(testJti, testUserId, testTenantId, expiresAt, "logout");
ArgumentCaptor<RevokedToken> captor = ArgumentCaptor.forClass(RevokedToken.class);
verify(revokedTokenRepository).save(captor.capture());
RevokedToken saved = captor.getValue();
assertThat(saved.getJti()).isEqualTo(testJti);
assertThat(saved.getUserId()).isEqualTo(testUserId);
assertThat(saved.getTenantId()).isEqualTo(testTenantId);
assertThat(saved.getExpiresAt()).isEqualTo(expiresAt);
assertThat(saved.getReason()).isEqualTo("logout");
assertThat(saved.getRevokedAt()).isNotNull();
}
@Test
void revokeToken_alreadyRevoked_doesNotSaveAgain() {
when(revokedTokenRepository.existsByJti(testJti)).thenReturn(true);
service.revokeToken(testJti, testUserId, testTenantId, Instant.now().plusSeconds(3600), "duplicate");
verify(revokedTokenRepository, never()).save(any());
}
@Test
void cleanupExpiredTokens_deletesExpired() {
when(revokedTokenRepository.deleteExpiredTokens(any(Instant.class))).thenReturn(5);
int deleted = service.cleanupExpiredTokens();
assertThat(deleted).isEqualTo(5);
verify(revokedTokenRepository).deleteExpiredTokens(any(Instant.class));
}
@Test
void cleanupExpiredTokens_nothingToDelete_returnsZero() {
when(revokedTokenRepository.deleteExpiredTokens(any(Instant.class))).thenReturn(0);
int deleted = service.cleanupExpiredTokens();
assertThat(deleted).isEqualTo(0);
}
}
docs/cannamanage-competitor-analysis.pdf
+529
View File
@@ -0,0 +1,529 @@
%PDF-1.4
%“Œ‹ž ReportLab Generated PDF document http://www.reportlab.com
1 0 obj
<<
/F1 2 0 R /F2+0 18 0 R /F3+0 22 0 R
>>
endobj
2 0 obj
<<
/BaseFont /Helvetica /Encoding /WinAnsiEncoding /Name /F1 /Subtype /Type1 /Type /Font
>>
endobj
3 0 obj
<<
/BitsPerComponent 8 /ColorSpace /DeviceRGB /Filter [ /ASCII85Decode /FlateDecode ] /Height 136 /Length 1268 /SMask 4 0 R
/Subtype /Image /Type /XObject /Width 218
>>
stream
Gb"0W9huEg*67T9TiVn);(I\?+"h::0d`'&2"?PBGmD?QhRk]mL(!P1ar+"uA6V;)Ue,hg:o(H\['W7V-7VXBh:\4ln&+m`*dF'tr(-h?V7SOihnK6nzzzzzzz!'hMamB).tK(@Yph$K'LN]A,onfT]X/*E]QS<-DkV'@)odN+[N,="_IAm.5^?1W,YdLlI<Wn!mi5[LIc<B:1tR!ip\3^O+S/5%@HT[MDWF9DSo2V"?=km5'HQ+]?F#gd'pBW-3OX^#F]f?c$rUXSkmpnd_fVb!]V5[!s[265aT\<Jr,HWPQdp#KIB[l,#'fj.n6eWp/LF:oCs,_7&4USH6L1pD7A7._K@qK]QiC>>2HFOfgC8Cr[mV0[)gD61:!J]8/I2nP;9=/\UOokW[J&1-RFh5C7b<iN$?ki^T#=BP@uLE#:6arM\gpqIDE9]*DJ^Cr3L\G5-is%X,K]?C6"POWtA2KWb/F^I#R/cN2b[O*#g3N)h=qo2NHlKk!!,3-PSrQ,A4/N$R=@<#.G<sZ56:Y@?,IYt,'?3c:pBIr84mCfFi0"K<XK5\_`7Ngrt`XE['c#_Sk8k2^_\$FGhNMgMr>$CJ/#AD!<RC]uEDm&]q.Hg<N&Nk#Rl,N%"DmRtrZ?J5Lp,Qt2XsG-Yn*b&I^hbl3S6LRNn61f5R>h$_S>fdDDf89=#R"a6^o3uoFUE2<&'ZD7/>Q>sZqIr3>nuFQkBb$Keh^T5X<mDsOQG?'-(E.O7gO[J:Lhfb!4QuY;-454!%th8q^rW_%sgudYkA8kSF,XsM8GA&`eJSg&.$m)CVV;nMcKnu8[N#7]p)9C!3):-dLfkl...IB9;SM&SA][\8J#r<-dO9"L\3p9P0T].h2Sq=_Ko4*-UU8K=>(Ol_o'C?&JV3m>$"r&l;aj^h81QG4(d4Of(RUXF9L>l=!LXYIu<c%'fQq\IcK(:i%S,i\^;!&h*tDL=T&'NfKS#P@j;EXk'bQmc.0mfjC2^ql\%!QNTS0$F+[Xrq5o+GEL"QdkdET5fX/n#Xlem0.=fF@'R6Xtj#f3eh4TeYp[<M'^mQ+W5rG*mmV.lF?phrWVG(l(NS8f/p9\P'[>uEBG3a5Q@LEdCcR>\0&Ifs0gi3'j.@66Y!2'q!X)W3Q5M,cIdrusE@`%LG]:^^?BT\=JDYhX1b9N%>4nIut`VrAnLBd$8FU$h<7$Op-"&MqMgm!g!;[TO#16%uD1+=4E@\!/Co#^^migad3<aZrdF#kBCzzzzzzz!!#`B!&quIC]~>endstream
endobj
4 0 obj
<<
/BitsPerComponent 8 /ColorSpace /DeviceGray /Decode [ 0 1 ] /Filter [ /ASCII85Decode /FlateDecode ] /Height 136 /Length 2815
/Subtype /Image /Type /XObject /Width 218
>>
stream
Gb"/jHZ0Zf*lho;'9Z(_8.<TY`)9E@e2p)Z;(3f3@)0_?'MF#*3tAY4V*%%0Hr*X^KdB97"B5L-bNS3Lj%r#DCABh1@Nd4W4<mrrOcYq5h1R&Ch7cTJIe2irR;C<@\uPc/f>$4HkLZ>sSt;P2b\ET0P*1ukP*1ukP*1ukP*1ukP*1ukP*1ukP*1u@"bIe[(>sC3(WE9t(P8\jFmc7mH$nN8;pVoF9fjceE:T?J'pJLd!0'8\2C$PJg%n[AWH7o-Vsq+sY8-kZ#V3&:]Rt>T\mnpb.p7YA\[QbnJR')X**HOkoD3e]6`@.5X[gJ+G8`$8k\S"X15,Aao`3YCSNg[f8$;:`)61G!l!U3N`4uq!?/bNQL>'dKP7-MWSg[]G]*EX06YK27(Qp9lnSd/&[GtY;D:gmhRkN74I^aFO>?tm0%Vq8Seini$j5!$(_5n"[r,*QldjQ@9_A8c+F.7Gt=s8ZPX3$HGZaUFDQS11dM8g/O=bd'FY%lR@,PQ?DfH$5tLa?oM_K2W(:Gs':>2,RgiYoPKn2p7Y"Eh2$M]h3BcLgG3_/LT[$^p.,:;8n%Vg!R=?IUpX1.KUV>gLisG;;n)6V"c!CErO$h^9s^lo*Z<\rhkd)hubkfHH[&^4UmnPNB(+V*fkHm/J%&&G:I8!2a$,UH3.W,c/_0")_.+:pbPtSF[jSf5UO&aDT?6Xh2b"Hj*XPOT_oHDA^8FK3:a"l.-ZU#LI8pRZ/l$p'#)j@/kC^g?4eu2B<"kT$cmq(>!0,\II*!P/VX3\KlD:X>sdeK;JOhEj^RZFuM/j*_.F_9Nr,n)*14<VIu<*]l^P]+Sf9+h3ADBV0#1$1nk;tcjr.hEA<tPfjO![MI2q1=Yd@IU4)<X%$b7Vs'+2nc]nmhlMtHJ0mgQpTg^5-s*5U*U'9]>9&="l_*g=rWO>sNhN&;;\,!:+,kuX8g"7^:mWfk#qDQa`#,u!5odjs$aPsLeocHk,Gg1hdIB_oL=j@9:^k=7kL(D#VmbaCE+82M8Hi$T:Mck+/5S[=dL!64^S%dJ$r_:E,WeJZi6A?8l<C_NRD:Zf[pRDK?a)TjdY*^bh7TN!/A14na=\P^kS[ko>c)nA'OD0X>5-9V1bd@29a>E9U\Dsa/m4;r*aTaNX"PincD)Fp:*+&`5pE"[dhO.&aM7Fj6\@k1%G!8Q?$Z9imAFf"/WVVK:g?s),lZ8Hhn&4U5@PZR??\4d6,-B2T4qro%_h.S7B7&o1VI)Kii+>0bnuQB9]3&GX=*=X8C%J.-6;Keh`RAA::Od>\6#0`HEa#Gl(N*h9H%q,[YliZfk3[hYYml&3[Bt3](78,,.@1U`%)eE]%$mMmGtuX+"?hK&3NQVo<X)NYY(G3*MS-P/$>Q7YZ?rRc4ihV`aD/gH&&7!]::G,gAk71P0i[YYKOc<1!3^R_+e+E262&[T/F,bg#r6rt$tk@_K5i.U_#j0f:-7-EjMh81o\EELi[Y_tj.Q+HYp$Nt2AR+7M:<X-h/TQ-YqJ\*-"RIj4=^Y1>6m6U'#R6cP)*p#onRff/(kiP'po&go-I5PPn0_W(n"%M2+Stn=^!'Cn)nu@A@k=XI=:;^1K@'+den"c(th2g1Rj(Jjr^@c*TA*2G7<dXrcu]H;=)1,^L$)dZndYr":&U<T32"Y"?p@OR*B\nHNucc]K>3hjT;M!JYL$q4iRSCedK-6$%Ao#cV"nql`>jb6,KJ'/(l_nf@Noh<cD.G>:o$&Ac0ab1_3@N&2ur_^fhQf.<RqO%TXlg1[KH+1<am%k38CVI?<?3g.DdB@=5CYpW(5C\g\^b6>@e-RFJs2,&9jVD4NChaGYAD!4@rqSt_!Q=q!E(>r6+S19+o[*3d3j\FrE*bL0E]NPRpLZ"CpRQWloh0hW&W0/ed:%2%q'qV1+^BdJl":bQW%*^Pg,Whb)1<e=Z.\k-!qV2F%Pkq,U&0p\Pj^=E'^3!`TkD=lqPToeP/G!anER(8==?c6oq$^_%L(UQ#+ct"soP&3?P(0L!=QD9!F=StZ&-&YfefrSbQ^7T?gCS!/:b>:;g%hZ]'mLVLBeJH]*;rAma>tc#<SL^o%4VWA%n&aiWTT(`1%qMSM_g?psbT7ALM7K4e@0n@W,:"H`Ic,(t#X"4!Cn(itCL=UuS4=@oC=S;a5IR!\\!ClAl%MV>[-(/A=S\MN4\j8*0>"./0W0M@>(6f6=fepgl+;^As84q]'uhqU_V`6>%DAjZDO"2&g_7aY1Kd]>'\'N-dOuh0qb/\+D@?/)2Q[bJe.ZABK%6TQS>"0!Qsm23B';kL+8)$&.)mT[:QWCk0Y.Y$IJRR[SC+s^Ype02Q>o@9l["TX-5Zs?Ztala/I%CYaAVl)]@?b^L%[:FQ^c)B$g9,?5K@7SAF100T0Wlro>_eml[<?:=#X;IOaGFcA;>-VHja*Gd=77$Q_#T(C4/)qBrNfAVY7e"6siIuZHP76T(;)XJ!C*o:cts(\c5Fq::@4`l-kc2j/pdscT1<n+rOef=1O/L'V!84iK^M/)19Gpa9F3Heck23)"bM#-aR9"?EDKK4ZnlJUXuFXfcrr>3c4j!D7aXHcuo/-Eq<aGgBFkb,M71dM/:mZD8R#kd^=!=llE!FdpfEpFE&[d^/_1O#bB'5<VY/@2\!NL>PBe3_.mlA%^kh-Hk0b1>FrnjL-)O\CM-Ainn)\fjCdb0Hu%JiH9fuZKHK)t3o!Q<[qr#9k>+=f%<!EaZ\:nUW'#09[tAD/glP@L$'N;hcg-qRS$rrbEmXX94"hu's'\f';GpCj;GpCj;GpCj;GpCj;GpCj;GpCj;YkmjrrD_gq_e~>endstream
endobj
5 0 obj
<<
/Contents 26 0 R /MediaBox [ 0 0 612 792 ] /Parent 25 0 R /Resources <<
/Font 1 0 R /ProcSet [ /PDF /Text /ImageB /ImageC /ImageI ] /XObject <<
/FormXob.b1201bcf0191eee53a3a7555ffe47082 3 0 R
>>
>> /Rotate 0 /Trans <<
>>
/Type /Page
>>
endobj
6 0 obj
<<
/Contents 27 0 R /MediaBox [ 0 0 612 792 ] /Parent 25 0 R /Resources <<
/Font 1 0 R /ProcSet [ /PDF /Text /ImageB /ImageC /ImageI ] /XObject <<
/FormXob.b1201bcf0191eee53a3a7555ffe47082 3 0 R
>>
>> /Rotate 0 /Trans <<
>>
/Type /Page
>>
endobj
7 0 obj
<<
/Contents 28 0 R /MediaBox [ 0 0 612 792 ] /Parent 25 0 R /Resources <<
/Font 1 0 R /ProcSet [ /PDF /Text /ImageB /ImageC /ImageI ] /XObject <<
/FormXob.b1201bcf0191eee53a3a7555ffe47082 3 0 R
>>
>> /Rotate 0 /Trans <<
>>
/Type /Page
>>
endobj
8 0 obj
<<
/Contents 29 0 R /MediaBox [ 0 0 612 792 ] /Parent 25 0 R /Resources <<
/Font 1 0 R /ProcSet [ /PDF /Text /ImageB /ImageC /ImageI ] /XObject <<
/FormXob.b1201bcf0191eee53a3a7555ffe47082 3 0 R
>>
>> /Rotate 0 /Trans <<
>>
/Type /Page
>>
endobj
9 0 obj
<<
/Contents 30 0 R /MediaBox [ 0 0 612 792 ] /Parent 25 0 R /Resources <<
/Font 1 0 R /ProcSet [ /PDF /Text /ImageB /ImageC /ImageI ] /XObject <<
/FormXob.b1201bcf0191eee53a3a7555ffe47082 3 0 R
>>
>> /Rotate 0 /Trans <<
>>
/Type /Page
>>
endobj
10 0 obj
<<
/Contents 31 0 R /MediaBox [ 0 0 612 792 ] /Parent 25 0 R /Resources <<
/Font 1 0 R /ProcSet [ /PDF /Text /ImageB /ImageC /ImageI ] /XObject <<
/FormXob.b1201bcf0191eee53a3a7555ffe47082 3 0 R
>>
>> /Rotate 0 /Trans <<
>>
/Type /Page
>>
endobj
11 0 obj
<<
/Contents 32 0 R /MediaBox [ 0 0 612 792 ] /Parent 25 0 R /Resources <<
/Font 1 0 R /ProcSet [ /PDF /Text /ImageB /ImageC /ImageI ] /XObject <<
/FormXob.b1201bcf0191eee53a3a7555ffe47082 3 0 R
>>
>> /Rotate 0 /Trans <<
>>
/Type /Page
>>
endobj
12 0 obj
<<
/Contents 33 0 R /MediaBox [ 0 0 612 792 ] /Parent 25 0 R /Resources <<
/Font 1 0 R /ProcSet [ /PDF /Text /ImageB /ImageC /ImageI ] /XObject <<
/FormXob.b1201bcf0191eee53a3a7555ffe47082 3 0 R
>>
>> /Rotate 0 /Trans <<
>>
/Type /Page
>>
endobj
13 0 obj
<<
/Contents 34 0 R /MediaBox [ 0 0 612 792 ] /Parent 25 0 R /Resources <<
/Font 1 0 R /ProcSet [ /PDF /Text /ImageB /ImageC /ImageI ] /XObject <<
/FormXob.b1201bcf0191eee53a3a7555ffe47082 3 0 R
>>
>> /Rotate 0 /Trans <<
>>
/Type /Page
>>
endobj
14 0 obj
<<
/Contents 35 0 R /MediaBox [ 0 0 612 792 ] /Parent 25 0 R /Resources <<
/Font 1 0 R /ProcSet [ /PDF /Text /ImageB /ImageC /ImageI ] /XObject <<
/FormXob.b1201bcf0191eee53a3a7555ffe47082 3 0 R
>>
>> /Rotate 0 /Trans <<
>>
/Type /Page
>>
endobj
15 0 obj
<<
/Filter [ /FlateDecode ] /Length 716
>>
stream
xœmÕÍnÚ@†á=Wáe«.Àsþ !H¤,ú£RuïÀ$¥j 2°ÈÝw¾ù¢Ôj‹”Ì‹=žàÅ™®î×÷ýþÜL¿ ‡í&Ÿ›Ç}¿òép¶¹yÈOû~Ò¦f·ßž_ßÕßÛçî8™–Û—Ó9?ß÷‡É|ÞL¿–›§óðÒ¼[ÖׇuþÙ}¿lºþô~2ý<ìò°ïŸþws9åçÜŸ›Ùd±hvù±|ÄÇîø©{ÎÍôŸ#6|{9æ&Õ÷-•ÛÃ.ŸŽÝ6]ÿ”'óÙlÑÌãn1Éýî¯{mºâ™‡ÇínxÝ;+¯Eé¶tšµŠNõúÝ
-µoëuåuG[Ý¿¬{­ ƒè+´­nÑ×õì²^_Ö^׳7ØÓ^'ôŠ{êþ5÷Ü¡où¹õïßý1·#ÛŽ:ZF­£¶Qû¨cÔW£¾õrÔ7£^z=êÛQü‰þT›þ²”¦?á;Iô'üï‰þ„g‘è/KiúžK¢?á{Nô—¥4ýe)MYJÓ_–Òô'<—DYJÓŸð\ý ÏEèø…~ø…~ø…~ø…~ø…~ø…~ø…~ø…~_éWø•~…_éWø•~…_éWø•~…_éWø•~…_éWø•~…_éWø•~…_éWø•~…_éWø•~…ßè7ø~ƒßè7ø~ƒßè7ø~ƒßè7ø~ƒßè7ø~ƒßè7ø~ƒßè7ø~ƒßè7ø~ƒßéwø~‡ßéwø~‡ßéwø~‡ßéwø~‡ßéwø~‡ßéwø~‡ßéwø~‡ßéwø~‡?èøƒþ€?èøƒþ€?èøƒþ€?èøƒþ€?èøƒþ€?èøƒþ€?èøƒþ€?èøƒþ× ñ: 0+0çÞfÐö2 e<ÕaXFξÏoóòx8â~~ -endstream
endobj
16 0 obj
<<
/Filter [ /FlateDecode ] /Length 20728 /Length1 38364
>>
stream
xœì½ |TE¶0^Uw¿½wº³/=@BÂDDaQ0! tÈÂbô± A"BØDADÆDÌÌ Ž£àö‘™’ËwªnwDÇyß¼yïÿûýéÜ{ëÞ[uêÔÙëTuƒ0BÈ„!厛œ:¥×Ü^ðä"ùE…UÆ`ã×á¾pøÍ­u¡ò°t„HÜk¥U3+æô; !îÑË3g/(~Ès îo t_JYIa±ñ3|¡Üxß¿ ˜š¥?Â}ÜÇ”UÔέò0Ü?ðZg{Š
¯ß+mDhühx¹¢p~ÿGqB’àÞUYXQáó"ÜC÷ÈUžšÚÛ‹ÑT„žÎ£ï«ªKªKâÓµ eófü4 œ&lÂõ+÷;TJì0
ƒÈq2Oÿ9ª¼ýÔ~[)H䑢[šUŒÜÈuû¶èÐx³T/ |û£ÛHÿ‡fW#±ÊJ‹ØStä¡GIHF
R‘ê˜ýãdE6dG~ȜȠ@„‚Q
Ea(E ŠDQ(Å X‡âQJD=PO”„z¡Þ(¥ >(¥¡¾¨ê (
BƒÑtŠ2`DÃP&ŽF ,4B£Q6º݇rÐ4C¹è~4M@yh"ÊG“Ðd4¨ûzMCÓÑC¨¢¨£TŠf¢2TŽf¡‡ÑlTÁˆÒD'áó6Ú¶àpW
çÀ“²-Cuðä>‰W^ðlº†Î@Ít’ÛÍ#|/`~ꟺŽóЀ‘Ž8]åðãùƒüçüi4€¯áOó|
Nã^ò…p¤sïOOâP
:Ì}É¥qGø¼æv£O¡àŸDhª\؃’z2ž¼'œF›áã÷§ñV|°;Œ—¢sh#Ç“Ñh+ÈñÛðîïh)—G¥‘RÀÿ=€uÚoF5Àøs
é Ï{èk;‡q½„sìs
-„žóÐ6ñ è¢¡ø¾"®E-è ÷ 7‡»€—ñÑüN~4jÔ)À F€½™¶;ýÔSèd_€w£/ùiÀ~—Žú<@ÆÈJÑ8æ‰VÓ`¼Œ[˜Ò·aè´t/Ÿ í‚ôŒ!׸é÷{Ñ~Ô‹[¯8@ø;´Ü cnÄO‘¿£ÓܾRþ*ЭGèg’(ðÁ(ÉeÝGb³‹÷¹ïŸìzJd¯¤;n]Vɵåî3-p¼};w2"LÙ'„îãbå}|lôÇß÷òã^I÷åNvíkÏá…šU0žM˜ EzáyÖöŽvºOˆ…¿ì‚}®¢2דÖ'£=i-&Ž Rm=_*l•P°ÛÈßBâ-, ’[Ï^郬g¯œ½’âg‹´ÅFÚ"KyÔVÃ…´}ª­—Ì7þZ-&‚¾ã/¥-dÀ°ü”ìB<FɧXÿHgd±4ðÆûdÁÓ@ÜÛ·ÑÞÛ—øÉ¢Õúƒl"ªF !ªÔÓmr‡Œ L ÉD!@qZ¨_õ{±ú¹zýñ`ã8z% ¾sa'!·×C î^ãRze$ ^•µ›íêX»éz;Ê \D°íwÄ¸à”ˆŒ`~Zjàn#Heê䲟‰²ö”Î(AÏïõo
ÃÏ£½|Sòš°U‰JjϨÈÄè8»UåLŠMNrÅùI6Ùf
Bq="“‡œmMmkmµ§§ÃŸÍžn `…ôt FkêåëW®_±^ýûUëÕÔ‡\MMÁ÷íSòîÛgÌ{à¾}&z²ÐS=æ=0ùM”zû(`—
÷@Û€˜‘ˆ¡Ož£Ü8Û\iñX=6ÝãWîx8ÂãòDz¢<Ñ•1³cËãË{5KÍr³Ò¬6šÍ¦fs³¥ÙÚlk¶7û­hv5G6G5G7Ç4Ç6Ç5Ç7'4'6÷hîÙœô\¯Tj³­²UqÉ.e¢sBø,çÌuš†½qt”(EJ‘fìtø@!§¥öà4à ÄEׯoÿ~P°£´T¾ñ]¥Ï}à"ôF0&ø­Ú“®ž+ÝõÀ”C_i'Î X‰ñ;¶$àþWffœ+Ÿúþõ½£]½ëßø`jù™Ñ£qæê’]ÑÉõã¨Qã4t\˜$¨àN
ðOK€üúC—N‡„°¨ èßw$ØLfôõФöÚë£F›¢z÷Ù“¬vÏwàw°ÿh£bNÔRÚÛbDË“›â{ÄR?ö—ÛW…-ÂEð¬@;9zµ`vÃú9v¥=°û½Õû³³?½ò7T«ÍÕz£1ÜÅûƒóíù£+'†O3!§.? Øý¬–Ådu©ý'¯>(\´ZƒÓBl΀O´¿ÿÚa ò7:­öàÍ¿ú“ödÿ¡÷äF˜{à¡XÅQÏE«æàà0›Ñ¾sãÁSÔ)ñ¨J»-®Á ‡€ÅϬŒjý­ñqÑQ±êˆZÙxU ïb¬±ô²ÆÒw¼U ïȦêôôAéÕÕpJÿjßäI“'ïÛ7.Z³}ÇKÛñíµí/íØ®
Å
ÇŽµÃ
Ú¸#µ™‘‘™X†³æÁëKÒÒJ´Yp&¯´“£G‰ç[·¹Ç?™3瓶GáLq'èÁÛ÷€‡»QÄP´Æ=$9¥‡ˆÂRúó¦ø'ãLO{{7ÚzÜøîÉð.…÷ ë¥ôçü&¥÷šäR&£‚Ó㢸IiÖ‹W.·ž½ &ÍzÕæÕQ¦ž×/_±~ª á }CõSý4P…dJjfZI# çŒÛG™Vb]†â~}ãütq:€åáðX”Ø9:*.¾S•~}“qo¨Ù;ƒÀâúŒ¡+of m<5¡q`áì_›Ï,}pÚÐôS?ÉÞ<yÒºA¥s> úí¢i üþŽìMÜÎÞS{ç,kèõ@ïûž k·ÅÇ玚Zc‘çm.™ºª_ß
÷êaað4/§´Þ<}’ª²–4‡QÛ»ÿö%!Q 6qØD yø«¸ÀAjm¹A9ÜAã® d‡5(Â!ƒu¤zP‡N‰¹ü@ˆä
UëÙ³§RÝÊ82Nyˆ<¤€u«Š>O·€N‚å£wÊz*Åm”É’,mÖ’`m"‹Ö!n#GæxŽß6¡ãñ>+ø0ôGdÅ:Ä:䀼Ea®à¶VïÊìÄñ"ûEÆsµyó¿¼uìËùä•©ôf÷—óAÖqBâ§à÷ q]»VæðŒÔ£SN¤ß;üèDàûÆ1£³ÒRø>™C2Òûg÷)¸¯Áð!ÓíJø}ÓE%ü¡/·]±jí­ÔfÛ¨Y·€´$_ý»ö•õ«TëÕß^¥>ƒUÔ¥@·‡Lâ{ãøT>ÀßîtÞ¢£bâãH¿¾öýcü¢mLââ©Á¢B£¡~Ol‹¶ñhé'Ó§LŸþÉÒÇ/MŸ6múƒÓ/=¾K³gWThßnܨ}«—±ôX}}å¤É¥ûö–ï½bÏâÁÙý3ŸJ§OŸþé’Å—¦Oè¡éÓ>YºìÒ´éÓgVBë››7j·***¡Œ…›±em†veè}93ç-ȯ²Éc²?úuAš¶bŒƒoÜ#:€’›Ý)½â#¼hr!¾‡ÿò€àC~=qüVõ6*¦0Wd¼"ÇÄËb˜cõï%[ÑÈk[kÛ)ëñ«g©Z1òQê]Ö®ZµsWé)n·E°ˆÉoIxÒø¤IREUR
ªQ5©&—iŒâã‚LAA®A®Ac"Ƹ²#³£fEÌrm·K;\Óð4?¦IŒø;*שsT9mч¿þï.pv–¾£àã3î'²sW
«?¸äÁ‚I/m—ÎYòÄüœ÷/|ñ'¹¦ ùþ±³VïùYPà¶ð°‡ÈÈ:`pà ÷„ͬZ¹ôÖZ=®ÑãR=Þ°Š¨ª†Ù.˜
ÎAl¤ ~n‹„–ò‹‰, ý©Ö6j_&GNr%5¨íT
~\†\7-6Í âbã¢9ÜïäÉ“Žœš&œkŸ£=‹Ktûø.·›|ÉúP&Ð?ΣÅ2/ˆH ¼Lû°ƒóëuÚQÛEØ]‡þR°Û’¢¸•\¥@©RZ”Ÿ+Ò4*„‘p`Ïn³º:GzÒƒõµt+@x úŠ½êb@
¦A&ÒàgqÚ"ÂCC‚©{ô³Û¬f“Q}(º¬m§˜
9;dHÛznM½’ššâ¶hdc4˜|°-Øîˆñ4ÉEp¤_q$;¢ýØÑ/’|€öaŽQ†cÊ[fâÚóãñPíÙ²–™Ú…™Ï—iïâ‚<í-\^Ê-Óös
Z!nÖ
7kû7i3ðVzlÂc7ãf˜Æ ÝÚ¾ä<æ“ÉèM÷Ä(RãˆÁ †áðP’œ˜B“3ýlÖ(5$‘ Xî/.lÑÁOú¯°¢O
0³“ýÕp)1Øl²*–âd“ ¦P^(”ßeu+÷í³zC?ú=‚놀G¢²p…º«ÔVæ™À]g
`Þ L¥då¿’¬æ¯Àcu\ø¯¦DáhlH€M—û~iN¸ßoÓ½gÓÍ•Y*r —ÿfVé¯=žøéâi{'LxåÁK¿½ôÛâÚGæ|¼pq½v÷"½zpÃøý˜=ë_<bþó|DÈ+=zóÚÄè[v³po6Íšœ_pNg«œ:¹ŒÊ¦@õBJd¾;æìñ0»]áîc‰³ÄÇÄg¢gŒáÏô~*ð™ñãSqöU 1kúÆG†Ä*œÉiVLHSOsˆÉÒÇÐW'^W‡ìðze?ýúPª¶zÃlæÞAÌ/§^xëT¾¢Љzjÿ®–¬ЫëóØ4í×åðëIEE“&MÜzøçZ¿Ñ¶!¿hƤIEÅ\Ÿ–¶©-[¼ÑÜ|è0Y³îñ%MMK–6-¼øÆ.¼qä)lZòøºu/^¿ðÛÿ#š.¼ñæ.9|Q×áÅà›5 “‚Rði÷z6—Ûì6ÃrÕ`·Û”åHqú;%,ÊËýýà;ñò°ð0´\Aááa®nSýTP;.ÐaóS%™ˆŠÍÏO%˜pHEðÆAŸfÚ
'"5œKpšÅ„x±)°gSüº˜5«Ì~joƒYA½íÎxs8×Ûi¶Y@ëì!Ö>Ö6FŽëÄ¥S(Pu>~ùï,z:®‡Tð×AjAÌn—îÏäïH1}ÒñtJÔ~K*ÆÓÜû%ƒ¥$†¢PA =Pg„úÚG¦£)xª:Ñ>5xjÄ””™áõèY´o"ä&ÃZg“SÔ¦^ŠA1Ê6c¼1!„(A† cêôHGñ8Q‰¶÷ðëáHp&§VúÚÓý2RïUr÷9GKÍÇS•)Ɖö)~F<”:ËXn+H­Ã ŒØÖ¢µxi¶H[äfy³ò¬a³ñéÔ–Ô}©étÚÄT
èÒD"³g3¦®q`€/tôÇ}`âÙ–‡vdkõ¸mp¦xØX6
´5–]^úíË—§¤þñà„í'mQ¾t0}ÿó“Ÿy'ÃMÛoL9Yý¸3œKk§LÂ~¿[ôqQÆcC^x7&æõä>žÉi3ÁŸƒ¯Àæ+¸Uü8ZÌS'ÁßÅI0q„É-ä
B•ð´Ð"ˆÌ=€kÐý÷i%õ¢æÜq#Ú`6Iˆ³‹ÈO5[/R SÕ-ž…•©»œzEŸ·A'"q:ìÑz€Dê—/Yº¬e}Óº
¢ý3mèçŸkƒ?ý3>þ§èoôçaýE€G¥ýI켟Œ ¿!×;áú¥éáWt{¿¾d€lZß²léRÑ~EòÑŸ´Aþ¿ûùçø6Ž{ȽÜ1ÐAëN²š ˆ7*.”Û$ØŒ›Tl^c—*§ˆ6s9,¼Aq˜D»õìË©á`æ™î,8×Ö+ðîS° K±@6!¾ €3åŽi›ðÌAÚ¾jmß <SÛ4çVã\þ£wŽÍ8©5à'g{§è$^ 5œd¸czAàÁŽF»mHÁ[$N N¨¢S6Z/¶7¥þâ,\[S°
œ%uãý"mÜ^Ò«ýÌÎö3¤—À·ŸÙM »I/€¹õ¶CXé ˆÈ·¢¥"Çã (éΞÒ)8 Í ÷Ú™m‹Çk{´£ØÍò=‘…d)Èíu´…ðñÖ‹]3>$¤ýS²tÅûœöBP÷gh)¡àAØ(¦ vô…3g4å`2É~&—½Ü ÓÌ!.“4ƒˆ„¹äVÆTÈî6ì3‘w·ßü¶B·¥
Þ|ó9n?±ÅŽZŒkì«•PK8ê  ®Sù¾L]„ïÄfµ§¥BÀBâS‘ÍŠ@7áLVnyî9ø{î¹[XѾ¹uKû+B®vZ;Çiè:
÷Åi-Z¶\kÐjðSx~?EÇý1LD¦Âx@ÔÝÎL®…'-Âb µ(r„
Á6XÏzµSm¸Òª%õ:M·Áah,œ…'ÓDÚ„~±i”¥¾ä¦ä|oÛ¶Ý|Í胣ožÛÍäc=ôw/Œ9muLJp¡6 ð™ÖçmëL-Ž5<j!È
>A
°rbUz'(½¿×—.ó g¯=Êœ'ç É…¯ð¾P+³ÉØ:‘Ïò¥GøG„¹!
Aø >˜BkÑ\±.¸&¤6t Z´$xIÈ’Ðhgˆ
Ìa, £_¤Ï‘h:©ßPˆÒy•ˆ¯ o·å
Ǽ´ü¡3ó9;ù ìÈz H»¾{÷îyxÍ Š
ÙóÖg?Õ'õ‹wÜ^¦ý™ ð¼ÆŸ€ªÜ½‘ÓO]®D,wùµ8M-ÊZ1´Åµ6z¸Êùb¢¨âA¡q.k(çˆPÄDJÿ<F ˜=7pårgr€a`•âðˆBWq$žÆT|d× GOÜO/t —±æEíWÚÓß›•÷~Å[ïÚ¾÷õ¦­/nœðVu͉)Ÿaãj.6¢õéÿ{¬OêúÆÇ›vÌ«ª©‰;àrýzÿ£/SÙ.>o¹"`ý»Ã°‰3!Ž3e"Î µÀ¬b±‚*
eÞÈl¯!ÏéÀΣÄ<öej¡:âÈÀÞ”©= ¨¦ r4=‰$ÜÅáž\<3Ž3åãR\‡á–a0S=ÍF'(ÔÖp¢F°ÖO;wîDût!¶íwº-m§Ö‚ Ž1mîahº;š–lË­aÁ-’£ÅºÂDZÐbÓ*i[x@(V¹P˜‰áÖ6Ü•3Ö.ÄJu˜dm½JÕ˜ê10HkÕùCR9!¢ïÊʹ ö–¤ÉI7qŒvVûzú±²©GþÉüäþçó„s»µg,íêþEû›Ëu²OÊë[¶¼ÇìJ#à¿žÙ•ã'"Ór#jñ[Bý·[[Œ+¢Ö„®Š5F)¡Aá~¡\dDH,¤ËÌÔ\n»Ü)BnÇItŸ&§¹ÓüIá¤N`.Û5øÔ3®„ó
%ÚEÍRdª?ÙöDsóp`%çÙœ÷ÏXïøc,h×>ÑÚµ«8‡ä<Ë
>üÂóo¼ñü ‡É‚ƒ1qÚ_µ¯'MÓ¾þógÚ2C5o×WñvL•_DTäl„#œ»!O8Ã`àE &n­Ì¯&ÇS&M~&ŸÔ9HHò&ÆÜöÉfrûÐ>Qæàh¹“;Úþɬµ§ çòo.h(Ö%Ðx%£q4ÌÆ»cÂñbKx¯ûšðUñ/¦cz„:cB-
Xr0ç–Èšh¸r½õŠUÏ3è:ËîôäLg4O£­˜4_ÖÔ6:*â/?_²òéíÛŸ~zÇvmû’5èö?ÒÖ,~æEí›o¾Ñ¾Ù6zÍÒ%k×.Yº†¼»¹¡aó³Ë6ç»ö/zíW¿zmÑ~WÔñÆó_|q¾ñ8.¬]²¤_lÏ7À˜™ÜDKAx9
jQ·ó-h…DuÿªX)44Ò/EE…š˜ØÀ|ê3ío>©ño
z'øhÈÑУaï„·FH»íGì_Ú9LÆí~ÞÀ¥é²‡}*|œ³å>–AûgÿI»…­ŸÀ<¦½ª}š³õJTÈ
Ä+öü±åÏŸaæÜšµÂÉŸ<Ñ1]Á9ÆG³œC¨Û,.åw€{gi
±H*õ×u'O-ĵ3g¨«ç£5=@cÖ^A±n?ˆ&¤­üR´¦. *š„»
±Ä¢‘34Píç}1Éy4]¸8ˆhŒ»ÙÂñÞ‚0O/ ¢€¶ˆB¦ÀÓ%·S|IÂÅðÑ ÕWRõ°Â;cá¿êœ}й´Bœ¸.ܺÁË75p×´5ÚÚ×ñ¯wà_ÓqœÇÂî/L‰[x¢)ZS;VÐÀ&ÑÏyP875î…×v{c;îãÜ=Å-Â0Nظ·"!8S äøø%I$1ꆼ{¿~˜¢ÏúäEîÚëZò-ùu\Áx°nÈ%rYâ¼æÇ#Çr¿'¬Mk€£aÁ&EàÕpl
æC¿(.Ø/–z#µÃ~Ì[¶yóé,¡n÷fH¯_µž†G4ü}}òˆúˆKÏeùEƒÂeàîþŸ*¤fJ4ŠNž|÷ç§NMO[:{Ük…Óßžyð£ÑS''ÇË¢¨ixÍæ’%ùSúMï3¥räð#éßiÎY‘ŸŸÜ/È9¤¯ÿi[¤9 `CrP“;5ÐÈ)»‚œ!Ü®Kß4Ëž”]œ{bv
>&­ox0J°‹Æ„àžá Ùöž=²“îc½x…å}µ!Ç™ÞQ"Ÿm¥¾:{ÜúîÕTp;0´Ôe¥qü|‘Ô›h ïâb16ylÆXŒ|{ƒ©ÆÆy'ýÒô”L|\ ¥>-òçéì1 {B
ºÄ`…éÛÍÕÖ?õô# ggîùÝï_ž¹epã3Û3ÜeÚ¹}õŸ<÷jME9v<·øÛ²©iç7Ò.Z´ü‰ÿXŒÇ¿y?\ß8íí Ôøâ¶Õ«¶oÓFÉþöý÷oÞ—³´ÝåÿÑ«É]ºr˜»TûéÛÍÚÎ*«˜t¿§pæÒÇÃÙo¾Žï}laÃÞ–ŸÕkßj¿)ý­tß ‹QTôŽ{²ÁTƢئr*²ˆYT T>Tlœ*ÓÅHM4†%
A…H¹UÏ^>{ÅÞ5±Ðq‘¿ò¹#]î÷»Œ4ab‘,²MFsQZ… ËDäÞ|<™ägâ22Ï%rÕü<i¾Ü€Ÿ ‹ŒÉ&n= 9t–ÁErÑäˆv•ÄjõŸ’ôß<ÑþÐçs{·÷fO¼P[Ìü× ð¥W`ì2Ì"]à¿¢ƒP“ª4Ùã&õ'6ƒLü‚"dõB{+(ÔÎGR#DUˆ­<Q³É2Xé)û-Q0
˜Ëé¢ÒQˆìêÀ"ñZ<âÅçž{Q;{®[³ff üç7=Ú´]»v«ý r¢ýÆ•«–‘Rm¨§zNÕŽ£¯®xÁá:¹ñý?€€Öܾ$ă
BýÝÁ¦çÍ{Õ&›¾ä°Æ¶*X
‡5˜¢èuGzv-å€%$"„`}UØ—è+Á¾ Eˆ/ý|Ém¤]ÃVŒ–|^:ë«ÇµŸhàåxÂò¯„çš®½§ý^;¯½7ý!ºÊÛŒ¸yÓa £°ÏKÇÞn'jR€‚V™XU$™RQ¨ÂÛÙ,ôP'øšý~Œ`^ßÉ®‰¯½V0BûX;©eB?ûñz­LËÕ
…ä[óp î“pÀmƒ¶Hûm=³É”í]lâIZ,7ñ?Q¬HŸòFJ’³­­üJÙa‚ÞYìé=NpûÚƒÉ{íéäFÛPZŽÜÝ~iwüh€¯ D·Ý Ÿÿ 8ëâ -†® £OpSÛ«Hnû¾(ÔÑ»Û //iì†ÒÝ.$„à&.¤I¶?oÛël2¯‘W…jë˧¬\_i»ÜÖÚÁSí,3i±,g¦ÆËE> +ùcÚëÄ^§}Ö¢½ Õá•xú3XòTµ­Ô®j_a?lxç9¼fGû ñ&\+ñ¦Ñ#÷Pö í×Úo´_ÄúÆ. f´Mr;ä&ò-VE¸0PÁ>Ò¶±bÈe(¤ìÏe”…)°-M_œ8ñùã´GÁøÛ·â›=)•½°ñZ–Gèý3ô
¡àXrËÊVYØL›å°Û”"艭F¡Y)t€
ðnB$Šo¯×JÊtû’š„}h±QÅt/ŠÝ`^f>JC
Ûä6åš
L¦fƒm½sÂœ¾4&cy%t´VûëõÝëßé É,/øÚ Û b‘l"¸|›ÏrfÊ|pèE„àB”)]JØtnÍ5u.
øŒ!
aöË5†Ï8æ‰"û“!A }åQd¤0\žHf’¹dž°”<!4ÊëȳòçÄ 6RPÄ.HÀ2K\‚ÐSì!õçû ýÅ~RŠqçæ³·è–ÜÆ\Ì fJó„*ãJn¥°Zl”›¹çÄç¤×¹ŸJïrïJ¿ã~+}Á}É!ü§ø
wCøVLš6M›ÄÁ‘ÔÆ2®nÅ|{¬ý½=òv™×>ºíùe{Ô¡7”NDF¦48”„xš³Ò×KRÜJŠ”+-âñ¼.4 ˆßµ=$?·[‡!F #ú¹»/g“d‰Ø0‘é…#Šª€“R•LU"œ 
àÀ ªÊUî&ª;ÔZSºÓùt—lwGðHgFû«Ì”òùuA
QÄ!ù©q$NrIqªKí+õSËÉ£¤^Z ."K¤%êÓÄŸÇ·pÑ8‰‹—”¾x—/OQJäYÊ\yØÁ§¸&ü,ç`s) ÍÇFSêá^ø1¼÷zW[xR[Ø*œk“¹7{
mˆG7?î³4fw¸Ã%ͳ٠ÎÈ„ÁÂPK$”ï/ymP›žJMf+“ÒŤ*‚š$wJ2PMFIå¤TZD$#q¶8 OKp¹¸@\†Ÿ›ðf±Ù`eXƒ‰¶1†c+Yߪ]kŸØÞŠà?¾Ù“ÿøVØjËÎwÉá5ÙQ“žÃ ²¤qANk C¯Kš¨4–½‹×Í;sñµvÌ]¼ˆ±vû"„çkOhǵwiŽUÈÑjŸjŸiñhŒCðèmÚÚV:ÛÁÛ`~ 3dŸ/âŸb¾È
r¢îÈnUeÂSo”a£îÈ¡[-],XÏm°8#œ·œ¯8æ—:ü7ž›®öãµÚS›7?¥
ÄïߢÞÒ>’ÛùLÃògv\ºðá'í;)-´^Z„¡ñî6+±`£ÉhÆ&“1ÓndÄ â˜ÂM!ˆvƒB‰Â}´±-.ŒPé](8X&¯ éüô¥‰N’nÌÀêõ#£­:ýð`JÏ_—Œ7©}ø5ÌY¶ãBJDFÔ6mµÏ¯ç-ýP(zÕÝâ<NmtÂcƒ O¦È#'Ç;G“i±1’¿YPƒ‚x[†C
5òaŒÐ­”Ò6Ý÷¡ä¶³ý]§¯¹ÃY(øˆþ$Þ‰œØAü¹>ÅâXÇÅ‹qRœ§¸Âûãþd$IÊ„:¾N˜ç÷„ø„´QÜ(ELc©¾?ººÊvjDºhÖÁVî©aõCOŸÿù½+ç_ü¿QÛÒöÚ3MMÏ#þOÿ‡V†®ŸÑ¾B8÷Ûß?u˜Œk¿Ú°té2ª“4_M÷7Å£ÿp1‰Ù@Â#Âe…H*‰ˆÏT
á¼#çóŽuM6¾ ­‹…à,!\5D„H(*$ÈÜK
rD%X/¶Ã/Ó‹î®{>w˜¨®ëlta
‚£i¯G$&'ŽKä|;ü:vQtOjê»(hö„]sê¡í¯ÍÛñÈ'¿Ó>Ô>Ÿõõ¢ú+Õ?9Ò°¹þ“pÀßÊÿ l{w@ÿEs‹J"ýüŸR•5ò‰ÿ¨|4"°×Ñ—_Ž£>ö&èÝ· ¡{ÝfQ7ænÜ‚l={¹í2Ó£T}̨d–_’‘ìË/ù!%YÁ„DHVÅ­T)ÍŠ2ó®|ˆü×íWO¶_…éæ9š]Âúþ'èφÜn™Ø Hh2¯RÐb»ª:ÌÞéÖÙ˜n`R½Q&Ld#üýšý8êVô)2]SöŸÜ{ì½'µ@>Õ>ã[wíÌ™kÜʶµ‹ÚoqCqðÍDô3w<Oý<g#œîé9ºwÞ†1Êäxü
¢ $@Dè›ÿ€þ?“+SŸ¸Ü(~”0•{Œ[ÊI"’ˆÌS{ì Á|°ÐÅá8’È'
±¢KˆÒpˆ£QÎ"Ù|¶0Jœ‚òÅRRΗ  ¹0-ZÀ/êÄEòF´AL€Éó!roûñ3ø<þÃoÚßÛÀ ¦;ˤÔ·âzw¶,
àOù`Uá‚UƒJ1ÝM!R— ú.x]®2fªâˆà‡ ²Ñ *²¾oÄ !“õ¬w×È•ÔÔ»;ÛŽkÇ1ßûW‘ˆQ!®Ríj^w(*ôUSÔ2FÈTÝê2<,ÌT Ôz²<*,©ëI“&!…@À‹ý2x=IA
¯ªFd朼S2ZÍ.>Rp‰.É%G+1j¬Áev™‡A\?>MH‘û+é† cŠy$‰ï%,f2ÁáfÊnÙ­ŒPÇÝf·y2oÌ5—’™\!?C( ¤¹X)V
ó€õd>7¯ˆ ¤yr•<߸имœ4pOð+„eÊ“†Fó¾ÙüŠùêa)‹(—¢˜éôKôtZ[¡í~GŽÙù«ô€øÀzóš¾þÙ——ºE/"Õ¢wæ8¡…*™šÉ"Pʇ”ûöeæNv;X˜ªØ€»,VF‚ZIÖ+n¼’¬ð^ÄDåDlS¼hR$ñâó¸××\×Ô¦ü8½[ÒÚnúöe\µm`3>g¾xc"Ð G€?TäL̈DâÝXIaÖÄþÃ*„T*.Câ ýH
IÎ$nâÜòýä~á~¹„<NÖ«?æ"Ô8œÈ
À
sVn>W¥6«tA„cT§»øÎã­øÙóí×NÂ(6“Ò¶¿Â,ð==†}èÁb°§Ý!,þ”iÒ=S È5 r8“§Û,/êù%•-ˆúÒÜe[Çt·{Þí9—¥Dl´¬œAF.X¶
ý¸t9Ã0Š»Wg˜ÈM‘K¹rÙc˜ÇÍ—š
þÞä<] Ã‘5|S[.÷Þ­{¸}m3…soyvoæ×t¬÷O»-ü.q?Ù…^…©+7É™A6/꺩€YÔ¶S©l]ù:KˆÒ|nä>¼óÚ5
à5~ÛÖÈàw[ O‚9 þ¼àÝl1˜®‹k)¬÷Ø^ŠkŠÛÊíÂûŠ+΋ޭq} ÝõÀv_±­q A Sa˜ö#mò×_‹ŽlùFš¯åv
˜
t«`ªÑb‰Ã óO1¬NŒy…š;B"Nh£µÑ'0¼ý ^©Õ‘^TŽ¯ha¼CÛþ3vÝç­4—Q#òóŽ[¿×ö46êò²›¿FVˆ¥P·Ðk<7óÖ‹ÞÞ,¤¾;™giG>zÚ‘b=8x“vX,ÕžÄsa˜ì;|=ØÄXtÄaPÌhW€xÈls-8z(ú mU€p&E6Dp²#+ˆrê,Ø_]þ šl»Nw±}Ô4ðrW¦„¥„§D¤¸R"S¢2âÝaîpw„ÛåŽtGå†å†çFäºr#s£rã«â—…5„7D4¸"—E=ß->Ü×Ô×È×  ¼ ¢ÀUY^Q媊\¾(bkQd`×µ²{ð`TG"5²[j™¼õўŞM‡Ì8òÄž“í·0yiCÁëy%oMý?×HZiýŒšóï.-|û…7Ú®ìÝ{w||Wéþ×m ?ˆWºƒ¸CFr(йÊr0dC²ÛGE9x$‹IS¯³ÜÂeºuüjÊëá‹Â[Â9ÀÓ·þ¨b¶˜5Ý¡J5€ûô¥gžy‰í«½Z
ݾ}ªþÕA‡‘ä“Ÿ~2¾¸P;¢Ý€Ï‘Ââ
¦ûê¸Ï‡A(–ã'xórÓê!(à MÜÙMh´#+ØÚvÙ—¸³Ò”üß®ÒiIˆ5dQÈÓ!-!îôu~•COàqŸ}.÷µãÇ_Ë}nì˜íÓÚ!Šé…ʼn/ðýöôìyéôéK={™±Šfs%ºv*`hÕé|y•ù Þá6’É(›ÝÆT,5µƒ^­ÝèEÓ<Œ„ÍLü»æ˹ôê£'o£Û'}µý= ÜÎ@=îu2ýÛ+;‹ ñ,ÃgD¡æôЋ×B —… *w ÄÿÊrù Á¹ ‡ŒøÀCöƒÆU¡!N";et±[²BŠ­ÞM„ׯ苷×õu¸ÄŒ°ª°–°_…] 2PÎ ÎŒ!IJ–“•$Õƒ<ØC<NOˆ2m%q—/ʸ¼³-Iÿ6
¿°m¿ñôÏf½7£èWk×µ÷pbÛ'X:H¶?±ù™LŸúÖ{}ûîí‘„bûááÚ‡­ìÝJíB2üÐÚMq‡
Vl”w‰¸m0GTâ'!Id“Åã vN¥FÙ e3+³-Ç­mCØ7–hê$•®³¥²
í¯»¹Î'aXª£û¥Qõ"7öÁÉÚ¯íÛ·÷Mѱ)·¬¨±-™ûuãØ7^¦´Öòù©@kJ€È>:Ȧؗûù²p‡â¢ÆQ  B²q”h·»²Ùú­.­—uÐα•Š‹z´ô¸C‹¬¤snröŠŠ]_Bá^ØÞ´nûöuMÛjÚÍÂ=÷ß¿uüO¤ïômm¿xtúArÏû/¾ÿÞÅ‹Ö>Ѿ -©Ç›? h„Htµ{ÐŒ¢Ý”¾‡!Ö(fôí š¯ Όųí qƒŠ!ÖKmãH6ígŠ?„.AÓý_)û œ,mÓQ¶Ñ
ÜÌñÅ}´iÏ¡C™¯Õ½}œlklmÞúÖ¶öÑѾµ¤økªCoCç  _º¦ØfFoñ¯¢#DÀ2Fv¬­^n£ kÇÞmåºØRëÛá_p«Et| ðn_Ðò<² îPù-£Ô ¼‰Ž_µÊVAg²´2è—Ù>}ï:ctdsÛrm¶*›Þ‘×ÏÔ;|ñ§#û”ç°^Wýöè–ÂMb—ÈGÃ-з
ž&ñûóšGÐ_bSF#»'6/obÓÊVyâ‰*û“x(ô”ó DÐr
™',!+„ÕòZ²^Ø ¿Hì4I œ*%pñ<Íeö”ÜÆ2®À¸‚[ôSb£´™Û íæ^^—Þ•~+}Ã]ã¾á¯ñÁ4KI“”4Rž>Dbÿܾ—<|­ý½C¢£­_j¿Þ¾‡D·ãíä]ÔÏÐBGÓ±ßÍm²
¾½”×Qg0Kt|{ÅK+) ô&
Muljv%ЂÄ0ÉilsqY%d³È²˜k“-¹¡àv¢Y*¤­íŠ¾ê:dÈåë,!I…Ðí—SótL |~óQÌí¤R_ní*›BêÔ…41ëè’WÞ:T]׸ãPõ¼§v:”±oÁ#/s+û·O¨È>¿…Š,Ùú³?±½/Ø;sÆ£¨ƒßÅ0?Ô¿»Î¹»Î\öéÌç/äN­qþ­®©Òèö½ŽÙœ°9~â!;:d<Hó…vËýœÝ™uÇž?wtFP=ªJ å…ÊBu¡¡Þ¸Ð´Ð¼Ð²ÐºÐVoo ºd뾧ÛÖÀšu{^nZ»gÏÚkØ®]½öíklã>úüĉϿxÿ½/·hïkW´¯À˜§ƒÍvàÌ7»¸
p¤¾q¨;ÄçšWá7¹#aàG1Ù%š°^¾ìsnE÷
çñ´ØâxC‰n!FÍ¡Cè‹/v¶ïÕÝ]b ügŸƒÔ}w‡Ýføùbƒ–U!o c‘Î(ˆyºxo~ÇïÀï; Ü^GN¸£q²Ïg“šNO>èàÁŽˆ§}o7^¼ûÛ¿ûd‹»ð³A,ï
 
®Á|P9"©"LýFÚ©üöÙSÔQÈõkö£Råûê¸{#²“¶¼”:¼Ì¯w(wÀn;ùVû~¨Ò"A`ýy Æzú‹GŸ{ór¼i¹ i9ˆ½VðŽåÎ4öŠ=Ø™—"›%Ù••@ñ:Û-/þío4³wÏËùÒr(ž¶ŠP5Ô
E!É8X¬6 6\È…cH‚š`èá—ìHvöðOOˆHt%FÆÄ/W——›ìt„ˆªhàŒœ‰3sÎÊqÁ\ʇ)ñɉ%.L\”øtbKâµÄ@˜ý͹3xׯQõ¸•cwN]±bƺŒÖíßü~ê±Ù¥Ç —¬*yÙýòÆ?ý¢ôŸ±7!!/Ïiî±iÅ–×££ßê×oÊý÷åÆZbš–lÝãÝw6„î¯ÂV°ÙÂíB6|DnP
@eЫÝLm RR½Ó^}#øØWtK#‡ÿ`§Äõ£Š
ÏÃõÚ²ûjÞ|óÜ
ÂVíÆö–c77ÿ†4⡺¬³ï¡3;å€Ylh§¥Z¥â#ŽƒF°SÃX°X#TØÓu¹ºœÚa®<ΣÔ\ùÙºd½S¼—š«Ÿ<8üÕº·ßǿćɎöÂææ·¶‘ú[-{J‹®q;½ùˆI `g.CD"Íeˆ4—ñsš&$Xà‘Dw
«]æ׎<º‡·c~ý…ؽz4™Ehžk9YDÖmD¦)œÂrâÁ\0‡hr#wÉýP?<ˆħÈ4w•Íeó#…Ñ¢[ÎGùx
7…Ï•KQ).çÊù™B™X סZ\ÏÕóuÂ#â2´ ¯àV€g].®Gëñ²™ÛÈo6ˆ;…—Ä}òQù#ù¶<Ô—«ÂÑ÷ÃÓñôcÚƒ7ù‚¶<nÏ­&#ù@~@##þ³;[˜¨ç
7‘æ'þ¨|âÏï’OÔ¿Ûk£ûuì;w :!)e±þå,“wk¾ÿt»o ÄŸø Qj?5d #U·úy@˜¨æª•¤R(U7 ²‰lÖ©GÈáä=î—B˜@
‚*¸$ˆó烅9DqœFºzMâ¹H>Vˆ£¤X9^‰Q#
ÑÆt®?ß_N§yG2šÉ»ùL}­V¡ŒPGhΑò1Ÿäò÷ ãÅñR®<AÉS'ŠP1.!³¸~0Kœ%U*…†™F¹Õáä1n>ÿðw¡øˆ´Pš//P*õê\ÃcƺzlÞ€6àud-·…V «&dwòzc³yÚ·‘mÜËüËÂ.q—ô²¼ÍøŠù§äUîMþ
á òss+9Æâ?0™ÁôGptþÁÏ>=ÿÙ§µ çÿò×ó ë¹Yô¸Õ­o›22ôhȈwèr&oãx‰^ÌÙ°Ý5U›¢bz1¨ 2Š
&S•xÌË cÄ[•0úÄÒ±µË¦'á|Z×™ܱ§H|W 7ª<¯óN5N½‡ï£Nä'I“ÕRu.~„Ÿ+ÕªOñKÔM|3¿AzF}ZÝwñ¯ðÛ¥Õ5TåxÌ9§lHäâ„X¥‡Áe„Ó¹B_‰æ›SLÙÜH!K¹×à6M¡ÚJ¦p“„|qŠ”/ç+S ¹&i>^hz¯“^ÆÛ¤}¦_š>2Ý6%ÓíN$še¯@-ùbía¼û¼vX;|¿¦UŸÇ‰8‘/hÿ¨ým|PMî%þÚÜÈlÄÔ–YðJ÷pI&Š
Y(™²˜md1ÙŒ&D/fýv¯
Ô6ÓdP¬È 4poš
GèwEU´U¶ðƒÕÇ™‘ÝÐ…ì}ƒ>£ºwmÆÖmáïm¾
H¥4¿&"AÎ䯘¬¦hS?S¶:NkšªLUg©
¦E¦µ&»Š Ð4ƒÙ` ÀNbå­B€ê08ŒÁæ`K<ŠÏëâ]B¢œ Äª1†c¼©‡¹‡ÅeÖ²IáS„jCã@Sº9Ý’b†ÜØMÜœ›w{50SÉRG™²ÍÙ·-Ýï'¹\>ø3ø3I™Z8Ñ8Å<Å’k+Å¥¤L-7—[
lõò|ó|Ë
ô¤²Ì°Ì¸Â´Â¼Â²Ii247›7[¶_6¿lÙgû¥í#Ûm[ ðR0c}š–ÙzY;vÝ£kgçä¥Ejƒuƒ[öþ#›G/ÏãǶ­ãfë~y2ÄY€—
,ëûÁA]2å]è·K9Œx¬§§
úöGŸ6x¿ëÅ´¤5µõ{SÕ™Ô&Æ‘Q$[ ²ÅÈ…È=e—¡?—.§(½²½†Ë“¸)òC†\@J¹¾@˜!/4,2¼bé–¬žÃÍjÏ!Ú#ÚKø‚mÖîäba,iûù˜Å yî¾A§AŒU‚­Î0ƒàŠäa—‚vᣊs—ß«±FEbüƒP˜*ør
W-B,D–ÐÖ¿œë
®éÞ½¡mWZé¤ÂNï¥clz
Þ®tš@#“{°ïK!Pê?Ø›Ua{øÂh¬Ì ýv×ìÕ÷ÜÓøð®o‡Žx*ÿJÏÔü§Þzz݇_o¨m¬iºöáÚÆÉOÝxnuPÈê-7žšLÇÆkax¯sMûÏ0z•}“ÏÊ~³‡~œn Ù»[ »döËZ]iÑàîâo´È!g\
ÚvE
±ì²½ì´`Á‚ÑvG8‡ƒªò±á¯³›e’x2©@/QîJý£6ïkè´ñd@oÜA!JN
õ¼G®š8Õã™:qÕÈŒo_š½zèÐÕ³_ú6ã­üƇ­~îÆêIk?¼ÖTÓX»áë×±=ÕøŒpëƒÂP´ÛŠ­!FäÇo ñÛb G–p+ÝZg=ÛvöŠõ¨Î)–ö¤¿ß™8ð§ÀP¸PþZaå3A²<;}òžôn­*Èæg§çïâúì7b0O8aè˜ ûÇe
cþNÉ%ŠV–Çy†®pÿ‚G§e\Œ„b^¶^lÓYE×ÒnìL,…ç:w×PÄìý‰ ZeúeZÝW®e݆ÛFU¨@(«p©ªDyNsFÓ
ÙdúÉ“Ú‚“'Eë|x·ýN0ßNÎ3¼·»M<ú…H:Ð>«ÿxÀY/Úf=Šº;ÚfÚß‹±í{1FôWîÒè.#ÁCѼCΟ<ɾ7‰kø«ÜxßÚ éX;9ûcÖNØw W¾§Þ$–jOè¶è3ýàùÃ+² ùŠÐUëÌ;=Û|×o~Û–cž¢Ð¯uË¿jí¤
- !³öÍooÞožâýå¼ÎsøÓ¨ v´—ÿÕóŸ¢9BD¿pšxýE¼…ªx„. ýp_'#"¨è0­GV‚ÅïÃíEï»­Ðn·´ÍïA‹Iz—‹@ûàØíï÷ç¡þVr ÃõÙÔo€ãc8ÖñŽb8(œF8v±ŽÅP÷[) ßÁg µ€wƒ°Y…ÇÐ a=ªájF'øÍ脘÷<:A¤ÇíõB<¯ƒçŸC6¸æ þŒ~á™5ð—nߤã¤0¥/Ñ¡ÝÏÚàú  Å®ï±þÑí+0®Ý”fÐö0_
ts]~ihz˜¤£·Iúí ü zY:‰ÓçŒÎÐŽÖãî…ûžÈÃE£ŒG€^+Q>\Ó2Ÿ†& ‘ý˜§W½ô;„Ú~Ç#Lò#
D¹h6Z‚Ä«ñu2žü³s³x+¿ßŸO„@áq1El•nÈQòTy¹|VÖ”`%E¡ÌRö(—Õbõ÷†þ†õFbmÜo
5
1ZLï˜4ó,KËN+²æXWYX?³
²•ÙVÙZí“íØoøåø=ã÷Ç@Ç;Ρι΃þ bÀä€ÃÁ÷Vn<ø›À›AO] N®
þcHÕ!„ü54%tgèñ°„°â°×ÃÅðüðÕC#xË•9#*&Z®ŠþcôßcfÇìUc«b72ÉÃå¡ž¨ ÙnÿMTÒy'ñ‡+ýmÁ`˜dûä{#Nõ–1Äç—¼eÄ·Þ2xah©—y(ò–d$Þ²ˆT²Ô[–‘
ø¯—
(ŒCÞ²Éþ\ÂToÙŒúžá-ƒßüŠ·lCüàw¡GÌ+Ð,…õNËùã“Þ2A2þÚ[æà¹æ-óÈŸDyË
$#½e9H…·,£(²Ú[6 A¤Õ[6Åâ½e3*tÃ[¶"ÿÁ¼e¿†#ªB P5*g¿-Y\(¡D¸¦¢ø¤AiÔp¡L¨Sjà¨F%¨U $xš*¡~o(

×ñ°jØ] \K Í\8CMõGôÚ¿£×<èi.ôEjS<
¡Í?×ã(Í‚vù¨jAÝB­„µ(d#r”J8WA·ê¹ ½z/dï`z1ÜSµ º|fY­+¡(Ñ•š’’æš±À•Y^[S[]RX‘äÊ®,êí6{¶k<­_RSR=·¤¸·ú¦ýiӼ¹³<•3]™…eßÓpDɬÂü:WQYaåÌ’Wau‰«¼ÒUU7cvy‘«ØSQX^ ˜uâ6@0ÞÆ
éOfÂ`<èa(x<ÿ¸&?¦N>£v
ÐÈÃ(˜
4O£ù¶ü’êšrO¥+µwÚ€î ît·¾J4§µ^‰óõ[ê©ÕÅã{-pmJ†O±Æ\€ÑÚzàZ
œ,aðªÏ{ÜhƒÊjk«%'йu½k<uÕE%¥žê™%½+KàõÈ.ødÄ'§ßÕúŽÊ] “Ý šu©¤þkäBo@2Ö²ÞU±qÕ2Y§T«f-¨vP¨sï äãèÔ¯ºnúõ}£¡{Ûî6v]
¡Ô•jßÕtõúø¨?ÊzüëmÖÝùÝ9ærx£²R-{B¥°‚Ñúaxæü#\èÈr¼
­S›ÊNeì]‰w\3Y/•^®'yù®sKïM—1]Þ“^ÆýJ־ʫ±z€Z땱r¯2:¥U/ÌZ†ÅòTÄêQ9Ô¡û Ô²ß*¦utY.a
¯Ë^T)‰bœ£m‹Ùµ†áUm
½ãS™„V0(µì>¥PšíÕ¤„;{ V‹â_ ò«K?í±“&ôIÓšb衈µöaSÌFPËdm¼­eoõ>Ôè!É«ÍE€Yƒ¢Ód2f•j½”©`ϺŽÈ7†ênR©c[Çh˜Ô…;´\Áø©óZíbAj uÒ÷Œ#©cœÉÌ‚¸d]tØå^ªvçþÚG9Ûª‰®exuJ]çˆæ1zTü¨|ÚPʬz¥w„%]z,fgÚG»RJÌ‚E ž^ÇÇ?*dz½–ÍÇ¡"Öw1Ã¸Ü‹é ¦y^ìèïq{˜eèäAW[ÔIïZJ¨_ëÕ†šnu}ºÒI±®6 k;s!Ã\e¶¹»¬éÔÐ}IáðÓü ËËû
ví´?†µÌQÏZèQïn”ú¡¶”& ¼¾EïÒ¼”áX앤ÙLN«;žè˜RšwáyW©óyÐBæ˙͘ÍîÔŽ3L)¿*»Pcf7¿ª÷䳡…LztÙõõq'}jþá˜|XªÞtJX!ãÑÇ {?wÒãn¸%yù=›µ+ÿk®vp§šÙÙBfW:áúžÔtH¤O_îô%^;WÂFáëiU1kuÕ1î;[¨ðÎçm£ºH™®39wø—Lß=]p­óêONæÂÛò»P¬Ígt®ôjr|tïUÈ,jIG‹®|×qö=Qïª)eÌ»صƋc “¤ï“Ÿ­»›í.fž ’ñ½+½îFUµ åºò𿪫5Ìjú|u§¶ù4‰F³;bjo‹î«˜D? ç™^ŽéþJ•ÚaUÿ;-Õ÷j†WGj½þ°´ƒR£Qëg w´Ÿqp—‡&A9ž½Ë†g.ˆãÆÛ|¸£ÿëÃÆ—aì
}Å´q”)Äqh"ƒ¥Ãg
{
<¡°]ìžÞÝõÇ,Ú6 Mf}d´ €Ù8(SØcài\³¼õh‹áðd"ÜÓò(D£P½?úOä1Ý¡í(.:¦yð¼³×îXe³»ñ´÷-ýhy¬OtJ#
™Âå°;út"\s¡ÞFÏalÌ:¶cÙFÂ{},Y :FÃÙÿ§1…Õ ÿÓF£í)Ï[3‰ñ‘ŽgkO{½ÕÒ1çå2-wBéí¥¥Ž¥~GÏØøsàãbãÏcÿ—åÍ0€ïƒë“Q Å[eÔ˜ÈÆ7ŒÑaë!“Õ£T¤ôÌé¸ñ]¸2œÑ‹òb>‚õ4ŒQdÂ]GâƒÖ•;w“µ£‡Ql|YŒR9¬ö cÔÏîx¢Ëc6ëp/­u˜ºÜë2‘Ó…ºÃÙ)gï‡^³¼25ŒÑ®û((Ÿ&1ü;G¡s`˜÷<¼ Í:¹?ÖË]>y¬ç¼»PeÓÅ,Vkãõ„ÉôwŒó‰Öi&zås\fÝéëÓ#_½c;tX¾¾»sp“§/†:¨¡×P®n»²À¯±yNm‡Ýîî¹»FÑh׸3©‹­í èVx«[qG½Î§úlI÷Ys®±ÛÝfؾٱËû¢ÞÎèC·Ýúœ¨kÔ[Ìâs=¬éˆJ<,ôtD&óØÛNŸ^åÍxºÍóhÏ…Ì÷'uôåóE°ô¸²E ´·š»Póû=”ú™aó÷z/óX¹Ö™ÐñÕyëÒçÜ1öå¾Ë×]yàËÝ"‡®ô¯fü®òΥʅi<ÙÛ ·ùæeÐónwp½Sú(´Aèά¥ÁÌ.˜3Z«HÏáÑ>Uf¯|9®ÿù¬Ó¿:gý¿)¤vËÝyý÷åƒÔ»æƒ\ÿæ|ú£òAÝ#ù¢.8uæ:|5\õnõ,¯äúN^IýÿóJ]òJ†ÿoæ•Ônö.¯¤Þe¶ö¿!¯¤Þ5¯Ô9¢O^Iý|Á¿'¯¤¢6¯Ô¹êô¯Ì+uê[÷¼Ò÷yßïÏ.éós=’øß–]RQ÷ìÒݳÿžì’úÔuu¡àÿî,“Êdì»ÑÌ¿?ˤþ/Î2©wd™:çºÿÎ,“ú³L®[–Iý'²L®ÿ¶,“ÊhPïeØêÔïÿ}¹#õ®<ÿŸÊ©ßɹþÇrGê÷æŽ:s@ÿý¹#õŸÈýÜÿÞܑϲ~¿GùnÆGý/d|ºfiþ•õÿ)ãóÝ9Û-ã£vÉøüPÞá_‘¡©ý|7êÌ4¨¬¡‘lƒݪF7»uìs%Ô””¸f”ÌöÌKìíúÛz»FÍ^PUVã*¯¨òT×–»J«=®aÕ%s½›À|}°tuúFº®Ý¨jgïù%Õ….µŽÝxj¯ü§~wßÞÞò纣çòµÐU[]X\RQXý°ËSz'UÍ-©®(¯a›æÊk\e%Õ%Ð×ÌêÂJzŒÍ€bÕ3KWaåWUIu
4ð̨Š•
]E€´
5kËJ|t**òTTAuZ¡¶  •K*k€zQŒ$Q‰¬ØUXSã)*/„þÔbOQ]EIema-ŧ´|60)Bd
\<¥µó€üQ‰ “ê’ªjOq]Q S\+ŸQW[BqP»5H6Í®+¦˜Ì+¯-óÔÕ2åÞŽhÕ:)l]
Ô§ÃIrU”ÐQ«L@jÊ’ºô‘DûLöT»jJ€ÿŽ®)r¶ŠºVÕIÇ:šW‚õ
¥uÕ•Ða kXìqÕx\5u3f•ÕÒ't|¥žÙ lt@EžÊâr:ŽšAªšà
gxæ–°èRÄèJO-°¡FJ¹RÕ)ú;WMYáìÙêŒ
Ð’ÂnãôT\T»*<Õ%w¶«vAUIi!tÔ[Gªûۊ -м¸¼´œ
ZáìZ=(ÐÂâb6rtTA «¯ºÙ…Õ*í¨¸¤¦|f%Cc¦®«ÐˆJha©¡-|øÔÜÙ©BŒ`…³ïÀÛƇG'4@¯röWy1WépªK* +ôº´PC IùâS¹’jÖhž§º¸ÆÕ¡‡Q´oß 5Šªm#p&Ç«/3J@“(Ô:à¥É\Oyb%ókAc\…UU ^…3f—ÐúØ2-¨L)+¬u•ÖÄ’Ên4¡R×)ÝÅ®ºÊb/¨ª 9}„?ÄÕÏlªÕŒm”I…®ÙÔz€®ø*V=\8zXéQ©¨þsBÕ­+0X€bÉìRŠÔè,×Èqcó\ÆÌ›4l|+{+wü¸üìY#\QÃ&À}TkRvÞèqó\Pcü°±yS\ãFº†âº/{ìˆ$WÖäÜñY&¨ãÆ»²ÇäædgÁ³ì±Ãs&ŽÈ;Ê• íÆŽËsådÉΠyãXS/¨ì¬ ؘ¬ñÃGÃí°Ììœì¼)IêÈì¼±ïæÊ6>/{øÄœaã]¹Ç玛0FرÙcGŽ‡^²ÆdÁ Ððq¹SÆgòàa’š7~؈¬1ÃÆß—ä`ã`Èã]¬JoÀ`¸²òiã £‡åä¸2³ó&äÏ6†Ö¥Ô5vܘ,u三cG ËË7Ö•™C–™“¥ãCž3,{L’kÄ°1ÃFÑáø:¡Õôát’C¥
FeÍ?,'É5!7kx6-³Çg
Ïc5ö@‰†îðqc'dÝ?@=_Iê¤ÑY¬ À0øþ«7 &®0Ž^«/$„PªÒµízB¢i=ŠGE*Á³C§”EÅ£±Të}€UcëU«½<zWÀÒûp¦Õ^^ÓûðèÝÚûHg>úvÄT´šÐi»3™d_¾·û}ï½ïÿý’§y¦…Ÿ-ÂU¯“—“›wÊ•±™öôD)57Ó®ÎÈÐÜá®:Ÿ9Cµ0ZŒ§:yÙ~Õ9RÛÎ\ÂJíípHzêqA»ê†hà¶bu¥Ï,,*-W׶?¹}ҨɨO;µU뱄3JDâúÚ´¢,‰ÌÒªŽOÝš
¶ZŽ}ҫɇXÝ¢ù¤W™Q$°L•§‹;U1©p”i™.Jà4§¯æIeÅâf¢—šEš•ÐÊ‚bÑ­ì”› Å‹a©Ë!ºT¸åBL¤‚é¢Õå˜í/Ã.™Ò"š"PïÒ$>ÿ]Ee¥¢J9fϲ[—ZË4O%®iþеá+,OnD…rivqÅYήI‰s¸BF§óÝòÐ2Ä}$ÃA¼‰ƒ¤ 9ˆŸÉA~‘/Ô®TÖX3šÔ&`á¡°’ÔÈJü¿ÁJÜ7ÿ+q_†ÄJ¼Y‰7±’$+ñ.‚•øÙXI:V⧱Òéé€K¢ž ‘h)\â~\’BÂ%à®ö»±¥‘‰—8¥‘‰·(2q?2IÁ#ÿ+2IÁ o™¤ A&ž—:fdVŽêvê° èˆ7E
ñF:B¡#~:IAÑo–Ž¤PèH]¬‰r
|øYÁGºðáçé<À‡kàÈö)4p‹x³„²gЪýo7U¼¬ÚgŠöTÏ¢=_-mO ϽÃÐZá˜ê°:„XÍ´”N.µú3¨½œðm€n˜6!¬™£.¢2¥á‚׌ßeüfïübÀÏ„Ÿ?ÊøÁ€ï=øNÆÉ¥©ì$á[¾ñàk/¾òâKÂÉø<
Ÿ>µáÄq;;áÁqaxÜŽcG­ì˜G­ø„ð1á#>4ãÞ'¼g»n¼S· G„ù7Ê`‡Ý8”ƒÚ³ƒ„íñáMÂ„× ¯y°_ÛOØ—€Wmx…°wA ÛÛ/Çá%‹„Ïž#<Kx†ð4á)B=áÉìY(³=„ºÚzVG¨­Égµõ¨­Œ¬Ù-³šü”Ô¤Dî–ñáq#<Jx„ð0á!°k§Ìv)عÃÄvÊØaÂváôv/ ÜO¸p¯ ÷¶m5°m6l5àn[„Éî"lÞÅ66Eaã†x¶QÁ†õF¶!븓ãÂ:ž­#xôX+:­õ`Íj«
¸Ý‹UÕõl¡º*ŸU×£º2²j¥ÌªòQ•¹RÆ
Âòe¶œ°Ì‚¥"Ì¥©X²XÇ–˜±X‡E¢a‘‚…b¤ÊXƒÛóçÅ°ù„y1¸•PI¸…Ò0×ífs n7nV0'/–Í‘100Ó€Š(Ìà˜N(÷¢Ì 7yQJpJÅ0•0%&M±ÃA˜ìÆ$q2PDP…„ ɸÁ‹ë£O¸Ž00~gã½Ç16.žµa a´¸óè4äÅÂndövÈ5cTV6Šp­9„ì‘FMÂpñÍpBV¦‘eµAfG=Ë4b˜„¡¤{0„08"‰
ö"­©Ã‘B¸†0h ‰
2cà€h6Єýõl@JC4úë‘L¸šÐ¯¯™õó¢o#ëkFŸÞ:ÖLjÞ:\•€+õ°õÒ1¡—=­:ÖS«–¤ÖÌbDRk$ÚУ»Ìz(èÞÍĺËèfB×.2뚊.2:Ë:Ö9²W.'\N"ÎN&H
.õ"A„  £Äv ´÷â’4Ä‹“xB;mÅHµ%ĉNqñˆ%˜ m&a`"ĈXcÒ`t#Z ŠczB”°ŽŠƒŽÀhMh%ÌZ.6ã"‘âËH±b!ZAˆçI7"Œ^®,XÞãÿp„ýÛœóèø'2Qvžendstream
endobj
17 0 obj
<<
/Ascent 759.7656 /CapHeight 759.7656 /Descent -240.2344 /Flags 4 /FontBBox [ -1020.508 -462.8906 1793.457 1232.422 ] /FontFile2 16 0 R
/FontName /AAAAAA+DejaVuSans /ItalicAngle 0 /MissingWidth 600.0977 /StemV 87 /Type /FontDescriptor
>>
endobj
18 0 obj
<<
/BaseFont /AAAAAA+DejaVuSans /FirstChar 0 /FontDescriptor 17 0 R /LastChar 127 /Name /F2+0 /Subtype /TrueType
/ToUnicode 15 0 R /Type /Font /Widths [ 600.0977 1000 633.7891 612.793 611.8164 636.2305 837.8906 837.8906 872.5586 500
731.9336 837.8906 1000 629.8828 611.8164 600.0977 600.0977 600.0977 600.0977 600.0977
600.0977 600.0977 600.0977 600.0977 600.0977 600.0977 600.0977 600.0977 600.0977 600.0977
600.0977 600.0977 317.8711 400.8789 459.9609 837.8906 636.2305 950.1953 779.7852 274.9023
390.1367 390.1367 500 837.8906 317.8711 360.8398 317.8711 336.9141 636.2305 636.2305
636.2305 636.2305 636.2305 636.2305 636.2305 636.2305 636.2305 636.2305 336.9141 336.9141
837.8906 837.8906 837.8906 530.7617 1000 684.082 686.0352 698.2422 770.0195 631.8359
575.1953 774.9023 751.9531 294.9219 294.9219 655.7617 557.1289 862.793 748.0469 787.1094
603.0273 787.1094 694.8242 634.7656 610.8398 731.9336 684.082 988.7695 685.0586 610.8398
685.0586 390.1367 336.9141 390.1367 837.8906 500 500 612.793 634.7656 549.8047
634.7656 615.2344 352.0508 634.7656 633.7891 277.832 277.832 579.1016 277.832 974.1211
633.7891 611.8164 634.7656 634.7656 411.1328 520.9961 392.0898 633.7891 591.7969 817.8711
591.7969 591.7969 524.9023 636.2305 336.9141 636.2305 837.8906 600.0977 ]
>>
endobj
19 0 obj
<<
/Filter [ /FlateDecode ] /Length 692
>>
stream
xœ}ÕK‹A†á½¿¢— !hõ¹M@„¹Â,r!†ì{´œÆVZg1ÿ>õõ'3Eô¼¶]ø@/Îôúþæ¾ßžšé·a¿ZæS³Ùöë!÷ÏÃ*7ùqÛORÛ¬·«ÓùÛø¹Úu‡É´Oywßoö“ù¼™~/?OÃKóîr|}¸É¿»ŸÏË®?~¼Ú?­ßO¦_‡u¶ýãnY>Oy—ûS3,Í:oÊŸ}î_º]n¦ÿ>÷v×—CnÚñ{"zµ_çã¡[å¡ëód>-šyÜ-&¹_ÿõ[j/xæa³úÕ
ç{gåµ(J·³¤èv¼~w–±oÇëÊ뎶ê¬WU_Tý©ê˪¯ª¾®ú¦êÛªïÞ:Uþ”ªn«–ªµêÊŸ*ªü©ò§ÊŸ*ªü©ò§ÊŸ*ªü-ýíØô—Qšþ2JÓ_Fiú[<‹–þ2JÓßâ¹´ô—Qšþ2JÓ_FiúË(M¥éoñÜ[úË(M¥é/c2ú~¡_àú~¡_àú~¡_àú~¡_àú~¡_àú~¡_àú~¡_àú~¡_àWú~¥_áWú~¥_áWú~¥_áWú~¥_áWú~¥_áWú~¥_áWú~¥_áWú~¥_á7ú
~£ßà7ú
~£ßà7ú
~£ßà7ú
~£ßà7ú
~£ßà7ú
~£ßà7ú
~£ßà7ú
~£ßàwú~§ßáwú~§ßáwú~§ßáwú~§ßáwú~§ßáwú~§ßáwú~§ßáwú~§ßáúþ ?àúþ ?àúþ ?àúþ ?àúþ ?àúþ ?àúþ ?àúþ ÿ¼!Λ»kïu­ž‡¡ì¨q7Ž‹+gÛç×õyØp
ï?Œ}¤endstream
endobj
20 0 obj
<<
/Filter [ /FlateDecode ] /Length 18371 /Length1 35428
>>
stream
xœíý \Ž¿ï¼3sfæÜsàpÀ#¢ˆ¢á%
(ŠHˆ×Ô@8
⢙šv¿š•ij–—\3sÔ535+j»èV›Öš™ùM«-²¶Ÿ[F0þž÷s¸˜µmÛ^þÿÏqfÞ™yßç}îÏó>3 Â!3ZŠ*?!%mÚäÕÂ`ŸTZ]R«„*'Â`w–ÎkP¯|¶Ÿ„{Qyíì꫹¹_#Äo€þÛgW-(?·<áx>lh…·¤ÌüއЈ;àùÀ
¸ayÊð.\‚ëÕ
×9‹Òž‚ë3ÿÁ*_iÉ®^‚çY×ÁóÃÕ%×ÕŠÛľegÁµZSRí­‹{ø3¸.øéµ¾ú†‹7¢iÝ´Ž>¯­óÖ.*Ùô)\ïGÈð8ÂüJn?Ÿþ˜!Z?“÷P9%BDžãøOQÍÅ?£ö‹JâD©¦‚r˜AEêÅ‹bˆ‚תñÇÅ_¼xé?av6!+¬µ”Ýå€<úu?IHF
2d3² +²!;
BÁ(9…¢0äBá(E¢(bËX‡âQäF=Qê…QoÔ%¡¾(¥ TÔ¥¡þhJGÑ tÊ@ƒÑ4
CW¢áȃ2Ñ4e¡l”ƒF¡Ñ(AcQ‡òÑxT€®B…h*BÑ$4MASãW£éhš‰®AŨÍB¥Œ)å¸?.GûÑ_¡= mB­$8¡r¸KÏÛqjç³ çü­¸ÎÕüfÄÁó%üÁáþíZh¹ùÍx?Ú‡ÎÂèñ2a´0öfœ¢°¾^Â_ \šÂWóÃøüüNèÑÈ—ó7¢&8fpoóëø…ü›üB4…b†óèNñ@kñÖrkqvá,îzá?¯ÅC„7„7Ð1t @Ïíh>§à?âop
ž‚w¨oÑ·8®Ò¹t|
¯Fo“)‚‚Ö¢å8®ö£#€÷Yô
ªç*Z.ãúÇÐKè4zî#4spŒ"}…c°}¶¢9À™Ó˜Ž‰!†X¾œ»€ZðÍÜîŽÇlA8¸9“á‹ù?òwÂSàæHCFÀq:í!Ãk‹Ób9^ýè¶æiá^âöÑI  fç¦s ¹µè$Þ÷ÆÝŠwðņY|Z+®å§ s”7èmîð£€ñãnt·Ø}Ë‹èk’‡‹ù­”cÈ-¼¦k#¡UxŒáf Ah!è+B¯a$¼ oÐK£Ð*><
¸sÜâßðt„Ë ³Ð:¶­À{Ñ
´Õ#Az>cžp%©¶&Î[Öä¹jŠúêÔؾI—\ª6ƒÚ„
šÌ Ô½/Lá#„©MBdqKM¼;þôO=<Ý7ilÁu/î•å7'L&½‚Ûp?;=£³6 nø—[ܤ–V¨wÙîŠ|—Í;¸/Õtm_.l/`@1û{DÜs–„;9¥4mé‡lG[Ž¶¤ÛcíîX{l9ÚêIDÛYm•Árá›:1Q÷05¸Éð·`? †áضñ¥†ñça4Œ¬1ô¸ð·SÓÏ´áâÇ‚(ö êI=¢Ý€ÊÐQ€#í¶©Qœ¡O?ÖgÊÅù—YŸ„l´Ï¾À}!Ý/ò=ÈÆÊÑbàp;h±*Æc%÷ˆw£eO ˜b;:´%-#£J9ÓÖ’Šcí$±`*ý5­?®ÐV ÇÚ_ÒfâM퇵uº¿D¶‘
€Iùí±
ø^`"žãy‘H¶¶¶(»ÎèTlg©øò/˜Ýu8w…ƒàcÐXO?—€ˆ 5[D;d‚–ÛÍ1ÑQ‘áa¡Îà »Íj1›YÒ5+\ QmG‡R܇žI;:S1‰
îOb±lf{z,Û1Ü$Ë‹±Tr²;´=Ù8Rk*>Y¬](>U¬ýÎÑÎâÂb\ ]ÈñÔ–àµ%Ç´sïi7â%tÃ7¶oÓÎÑ 
Ú; ¿ðå½Ág×{†G*¢;"ÌÒÃÕ‡å¤xNX%®L
]¶2bEPHÒ
ˆa½pT
,b¯v™`CŸˆ`‚RÄP5Ív´¹íhèжСGÛšíAð(lnÛç[l?gÏ€-(4C”‘‘ŠãI2N°GãP{B2N0p8îï€+½Ø-pvÛ¯„=IÄ&¼øs_ý b¿zíïãMe¯z៪9ÿݦQó¿ž<¹@{÷±8d8‰½w?±ë5ùÓ¥¸­wŠ {=÷ÌÞ—-døìô!#µ§µÏñˆY#AÓF\üØðøG#D¾ˆnýQ©'=ÂîrÃÂ"ÜèSò#qkz=.>bZ´:2|ÝW¿>2²,YûI1rÉê`û ¹È>÷-¥›rÂv&íüÐ3ìŽí\*X»Á&|I÷©q8Nû§

Òœ@v|\O`¸âþ±]®C»ôûÊ7ztÞ¸QûÞ}wß¾÷ÞkwŸ$¿ûð‡eûŽÛG÷Ñùù£GËç*ÖÕ/\X_·pë_8qâÀþãmïˆæã¼ÿþÇ·.ª«_¼¸¾n‘®× /~,nú{¢T<Ð3Õ„ÍF«,)VI–’ú&§ð}R­£^81Á
Ú až7ö•C}–ØõQ†¯³¬æå„Þ¨Ž7¦öˆ
éÝÃÊcAím¶›úÙÚZšm±½rŽ)ƒ®ö ¦1¯œùö`‘
Çt%4Cç–åKhvœ€wmMÛ)%`4Ãs‹ˆ¬ÄÊ˲U±åAã]r”eŒLu£%Åèî9\Æ*ccSƦNÃÓ¸‰†iÊ4ãÄ^Ó“§§NI»&­ Ur³
ņJ¥ÒXÖsiZlT\Æð„ÞÆ czdjTjtzŒ‡cÌMÈí5O榯N˜
CªŒŽx†Œ¯ÄƒbE΀c,8^E ¸AL»û§9CíÉ8žIY"1xMú ²úJ±[›2«ò³›´ïµç–oêÝK{çê—çÎÜZ0nb¿‡2Gl›?²!œÒ®ÌÙQ³G;3W;X“…'8='}ÎàÇš£¢´ÏS“‡ Œ›¬½“2Tý¦ÄDø<ÜÄ|žÃ£à{Ñ2üáAºg§Ž7ù]ôoÒ¾!<ÄW3õºh³á1ó2Úy<dsZu»6æu{ré(µŽ Âkï­y`Åjœ¸téí›ï0h~áï_jCNžÔë1f³ö
wÁŽô˜Ñfñ1‹Ù ØED,à=ÒZ€ƒ¥àbΰy)üàÄÕ+X£}s¿rò$~ùË¿kÃOœÐF~§ÃMä2xôÖŽr<½lf£"xpµŠI"Âïì&˺ ɤL8då²Y Òœöì¡Ì/Qn4§Á?ªqØŒ
n`ŒÐìýín^Ôöà1yÚ®mÚÎ<œÏÛð8þ…ßïX¶WÛŠ§ì]¶ã÷Ëöà)ÚÖ= §ãxð%q2Çe¼ExÄ)¢‰ÎÝ6´ÔýüP8ƒÀáÃ|àèíämNiÿö\û·œ"ðíç[ÚÏs¦ÎDaVk'¹ |3x*—ÇDž@[EÂCj,׎ö3 Ä¿+¾;V†oÖÞÔîÆïç>æN=Ã=É‚; ï>®¡ýî”vRçéÛàè\ÙŸA[9:®4)z÷·iˆ… ÓµÉÅ\ Ó±àg8Ð0a’ÒÌÄyþp*$ÃñœåÃö¿Ž}_MýÌ,ˆÿ)~?ï –·[ÉvÇ:ëê0ä4…ŠÎ 0˜‰)èêDS±­'˜ÝF
ÛP¬ŠììHvT.Z4g΢…s ÖÒÞ׎k‡°'àžØõళgµÏ´³Ÿ}†Ã´eZ5^ëq^¡USú`Ý&ð€³‚zydÏíÐY
Ã
°¸ÓÒ¬Sœvž¥P±våPöدq‘ö¾×à¢Z°B^ÅÑ?¤kß2Þm‚5ê) / ÝíIDQ¼À‡bgX” ðn! Yî³·­ãÑS\˜C@ÉéÀâ²}0¶É\4åYD.ºb*DÓê3:懫n®ÅOO.´·³w(!È*„…†††Å¡¸Ð¸°t”š6rBs¬3Ð L1Ç,7
Rû«<
²\>wÿ/q±¹9˧½{ýMÚõØ„oxG@JO¸!«ré¸<<ºOß–w®çiFãÛ{¡<OäØ,¯Rž6oÕU1OGnnŠ_'®Nt»BÍåìis’˜UŽN´µ¦mÑ=?ñš!hŸGã>ד&z¬ëƒÓõF7¬É¾‡Ѷkûê?½¶êØì5=þØÚM÷ß{×
3άû¨
bgì]ÄðÂÊ?u»qâÀAsJË+/\=cÒÌÞ‰8\UŸ?tóã,æMgëõcÐ2£‘Çš‰Åbv#b4ì0Y&c“y›Ä›BÀ‚鶤1±œ¡Ih_(¼?šË4QOÕÄÎ}£MÃ[<xû±cÚƒísøÕíËÉŽ¶Bí¯Ú×؆Ç[€u¬¯‡yâxCÔÊðíÛ*ûÊí†fî)´Ì¼:šÄ!êTb- ž¶s~Ûø„²M;HP›tPæ GêÆ?ʶãä@û¼¤©àhpªöíý%ß/¼þDÉ=7Þ3a•pL;û©É¬}uþí\¿4œ’“sgã¼;úô¥üYøÅ çÀV{ Až˜`´Ý)n4­2¯´m[¹Úm’Ã]Äî
éá¦v{Æv®™¡GÅzî]*Ô.™ Öc PMc¨êÆœæäÎzá§ÜëÅó®ÙZ°ýmÄÚ«Ïb—öŠvA;©½€qöì¹Ó7û¸#ZKß>Ïïï×O;ükí¾Wâ:ü¸JuìïðTDÙžPÁÅŽw¹`'4œ`d°} çààýºec;
㣠=I:É!ÂŒàXŽÅ±wòÞö}Ú\B{?áØñx~x¼ÅÀŸ æËâQ
åéfJØŽÄíѨ©/XyôêÔ0‡l"=­½Ã=åðˆÛ# |eQP E<ßr†f>Ý9æ¦éCXÝVuóP{@Bèìä^«jh¨š[W§-ºã.b¶âð»ïXý0¸Ä}ï=üMéôi³fM›^Ê­WSÓØXãk\’¸mÉW^>¸d[bï÷}øñÇÞwOœZ\<uê5ÅTös€6 È>L—½Áµ]u÷J~;èâvÛ:çjw¤ÛŠâÂÍLöÍmmgtBš=H×ÃA ÅA2w\OÀ=2}káöCö¬µÓÎjŸâ lÀ=°G»KÛWy/ñ–ƒR”—Çâ> ï´4l|ÿo8N›§­ÖîÕ¦Æpçn¾ù¦[n¹éæ›™=Ÿ…C>_ÌÖx‘ ·íâ·Š†åp0,ñÀb©CõÇ<ºÅ•ÚCt狵ÅÚh Îk)ºþt{‚%ˆµ4àîRÏ– Á
Æ"(¬A!Jé‘×òD_
×y—æÄüA7c<6¦)ùƒ¸`"Þ@Ó 5[ 9Nlj¶¡¤¹U8rDÛ­íiÅo¶à7uãá9á§ÕŒçöˆó’€y$±ô†-þYRà`Ûq£Z5r⋾ü1>¢ù‘Àÿï6ˆÀ0ÒOp:¦1äer¤Uë×¢õk/FqY6v…bÑhOBT¸Àñ¢ËŠî‰¶Ýo]iÚ¼,únUdîB2ç´Æ .DZuüQ
üáDCÝÆ—ìhË–…ÝbVµ+†ZVs/k˜ãÉH/žtÕþò¯Î8QþLOVo]¦øB¿Â%³˜žœ3~ä<¸w¯?>?ëá©WŽíû­
pèvmÁ'lû‡ª<ƒMV2 5o\k˜KŽ {­ýSå½.Gê^ë3ƒzìu<3ry~ÿyáb˜©w8êÞ+7¨WïÄÃòiºq
4Á¦
}%ˆEn`»Õ|Î>;Íî_îÐc*îb¾˜ZGOÿ"!½¿¾ÚMèÙƒÒ̲ëP'O(Täããz$èy÷ÀÀ ºNsŠ'Ã+§M3wÚ”J¼6úÖ©ÛßûË“So~{ѽƒ‡\£}¼¥áè´7×[†ÉŠÚ¦Î]¬_ý¬¶wéÒÛî¸á<~÷G¸fáØqÚ>í½.bá½Ë¯_°l™6mÔøï_}µµ`ÔÍícƒ_{¤ì©Üëo6d–öÚVj?”Íš=³`SÉì›/ƹ 5^¼èŽ'7Î:{ƒö7í(å«‚˜-ÍãAQ¢`ˆEA‰’ô€¶¹(ž`Ø¥(Â%JVxž¸íøe"§È’ˆ,HÆvÆ<£Ù_7¡£ûméKÿjР{ð.whz´4LIQ&)åÊ´/‘–È
Ê]ÊzåyØÞ„í”b “[ê-«¦\>G%–§©ü$a²XA*ùra¶Xlj@ ñõ|£°Pjïäon“î”×ð«„•ÒZyô¬üz¿Ì½axQ:"Gïâw¹ã†cÒûr
K¼H,fásÚ·\£-æñ\¢¶¸}+^sÛ´¯…c­}87WHíš ý“Ü ¼“`E£¢;=k=(>¾L~6L„ÅDP´É*‡EðâŒ696ƒÓEbÁÿ¦ÑRŸ=PdÑÍ ¶ŒTŒâlq)qq<žýi•=8Ðг®DX†è¹UÐÕ3g^}ìÿÿ½èííÝö¹x-'+
òÇ]¥5·×Ï*-)Ñ/.ûËQáØþ7«×0ŸRqc:øâ 7Ùdä$fÈwÛyYÜׄÄ>á6XM|­Ùö²Žuêk"8<ÃÍÖÏzr ¯œ©%P3¦Ïùd±v·–‡wãÆÅŸÌ™ûVýŸZZþTÿÖÜÂAWàØ‹ËñÆ+ioäfi>ûT»•Ë|ðUÌ`|
:$/ÇœçTÐ×–Œœ2ÑWà}ÜKÝYà‚„ÛýÆŠE¡úÊTŽqÃîjùþ—íÇ«p7¿²¼¼ò:­ ¶9üζk??õág8¾¤Á«]xü í;oC åàÁŸ<Œ(ÕÂr‡Ð2é$Šˆ‰‰²¹9 ¿Ô=6s¹Ö ˆZtÛÏ[Ûë¸Ùík¸Í?œ€$î¤ö9ìÛè
NŸã
˜CF}<öŽ9Ì&Pô XúÃÀ ŒµÆnà;€kK Ûo÷˶•ùù±·+Üoø³‘ŽŒŽpõ3õG)Á}Å>Ñ0¤ø4N6³ål~QSiï¼&ØëÇæ—5ß]Ö4‘ZïÓ^ÿø~|ÓJl_°ø»EŸ|ÿõÉ¡³¿à¦ørr˜Ð+ñ£Tè£r´‹_}©iVŽ£/>/„o¿¯ôs‡¤ƒ<Z¦ˆÀ Gìf‰ÁÐóC­%Y«h5X¥s1ð~½Y¹„ûøFî
Zcm•²¨ý\Øð`òÏÉ
ckâ¤gÐ ÖÏc›¬EclEWÃ25Þc<B û)TêÎÅeZ9ƒcD™ž`#‡ ‡„Ñ2“ ‰Ø)2ܳ¹Å¿²bŠL›= ? 8L•é$okGò‡^·¦Ú+’ÛMÜÅkÙÚøFÈ| ó èr(^”(F]{ØÂ7ÄiÏ$§àm¦¡dˆ!Œ5\M¦3 >2›úN±ÂPlZB®3,1Ôšnåo·B¸4nˆ4+qS…)Ò5R1W.TKµÜuàb—Hw ˤ'¥àŒå8UXçxü|{?âÒ¢Ûw0®ŸâbÛ‡µãòÚwwðÙ–€B=Fªó<vDDp6”×gÆÌæ‡|06Î@}ƒ ýÉÓŸ 4Hn æ$z"œ¬Èx ¢ÈnÅÀ$;Œ‚, ŠØWú!0€6Ýõê<iî¨["X_XÙú¢\欒UŽá)Fv(}¸áÜhn<—gÈS&sS
S•
Îgð)+¹û¤ûä'¸&C“ÎcÖùNì"6Koì&ƒq:=d”4Iš*X*ðlâ•æÈÅ–[¥»ä‡¤0ˆ>Á”{tåÏXø9¸©Iø¯ÚƒÚÖóÚVm…p¬í4‰iíÃgµ îöwµ-òDÒ7‚!qSâ_¸~¼¡ŸîGXaB§:£ËZ˜g´hmv€""£K¼ÂcÄIxªX`œ+Äbã>¼G´¸¸pÕ\C.ï1Lä¦ʹJƒ‘‰³w:í\ ®Ö
ÛO3ŒcÔæ? >I,÷דÒ<Á⎠´Ã´.hu˜Ü×:ˆôuô¹¤žä1"Wh°Í•âîÀ·û
­:’@m Ž¤¼éÅ›ž~ñŧq^­UÀ‚c6¯ákm-_hm˜ÿ¢ó8T+ÓVj«´2¼ÏÁsñº@¬a1\AÁ¨ŸÇiÚa0î@Ëä`³K¶¾¼QC
ÑO Ú°"ÓNäÀ”tˆy°Õ؎ȳŸ[‚£p?XP|¬Ñ·;Çj¯¿¾Làó/ÚÛ[ùƒÚ5ÕeeU:?´cŒVfyÂÍÎȶð­¶DZlvõU÷åûDËUuï Æœ$™P”Ëd‹J@)Q“LÌå¦bó|Ó|ð‚fƒiªqªyjÈ”°9ÆJóu& ä$Äw0-„¾?~~.Ö–kåx
ž
¬YùÞ븯v¿öqÓ‹wc#ðj\EY̽¿M{pºÖ$òÀܯ/ê¼õÇlÄbv$ºÝ“ÎEº¢œ¡Î°¨ÐP§ÛåT‚ÑYÜaZª8ƒÃˆ-Ò%"Þ ¾=Ô&œF¥;+ 24Ãož”Ïì
T—…¿þ.!,’ÚfLDX„+<<""<r c 3Û‘íœä˜ä,ˆö:¼ÎâhkGåâbíëòÐàX‹;µ ²rÁ&m —‡pðòûÆ/ö¼­•ïtíL2|Úìò)ÚÚ·í™_y÷Áƒ}ƒ–ܨMÁõµ…Ìw­€ØÚä–€÷ôFn>$Ì®£cx~‰w¼¶ÃÎïp¯³¯î­c" (Âe 1¸âzÙ>hi>ÚB_ºeø+jOµíHS=Eµ‰8#*#:#&C=&fŒ:E™5=zfÌLuZìœH_”/ÚS¡úÔšØcƒ©Á¼(f‘º(v•ñ!ÓÃÑkcÖ©kc··˜¶˜·Em‹Þ³MÝÛkM‹o4b•» v¶X¥`½t‘Æóo,ü¼â®[¦6nþþÏÚ í{µÿ[¾ÝpÛÕw¬üèM¬bËBÌ [´æAWä ›vxÿw˜Ž³óÆåçäEǦþy穯݌O°¶æ°µEü×\!À²wl“áСÀB,«áž§/uwzäÎ ®Åš][¢Ùh~óC>¿S ƒ—`‡Ú,ƒ…C–Õ2Z$9• ÿ‚:¼IÚyêòS÷x‚kƒ×ëù“¾¬³Çú-âÌ‚;ïZÑöEX_=§½îëÆgׯ,i»Q{I{ÄÃtšØzID7{­sQ˜è q"qtpS,ÐU:Øò|÷r iÿ²ðåcö$!ÎÆ©\ǃû!¡8Œ„ñ¡BŒ¤J£Ð(<šŒæ³…1âd<…,—ì c|3¾ßonOK‡P¹“Ïoí£ÇÙaI+h¼ÄÕž1bÄK†x© 4*€½<p7ä§ B8.Šp&èt˜Ü
$"
£’Éë<ý« £™©üä"*ëÇ6éÁԙ؄״ËG×ËQ~˜( =D° 6Å­¨°
†P;X.ôWRaó°m&7S(QörO+M°… œ^£hrra$”w )D7†›¸^$ï%À’Ñ”bùAŸ&¤Š©†T)Mô·ä’-1Òõß4n™ÈO
ÅBC¡4Mžhœaò!öq5¤‚¯0x¥
y®Rc¬4ùLóÉ|é:yžñ:Ó†[¥;MÏpûÈ~¯ð´tÐ46 &8 Ã×BpF¸v×h´,XŸ×²@V/ñÃèqÒ÷ÃýºÌ@…8–K~íÉ棨"Eè¢ÜˆŒr”$#zRdöR”Á úYFnX…#^1¼ÀcÖ2±A0ÌÍJ%eï´¹æš;r!¿¬º,Í»‰¬STS$b%¢Œäb“SHOY•‡’þò5¤@^N–ÊÏ“&Ù.s"d¡²Á…ð!R„ÒÁº™ï!º¥> ×t>]¬˜½hŽè3?Ëýÿƒ´O ¶éLÓÿ‘6NÔ|ÚcÚ­Züd&9øA®µ]ÄšÆq­Ü -Ÿ¦<»Ø¾æ‹?+=½ºÛ%á$$Q}–˜]Šœ,8Ñ`ƒÐb3e‹•±ÅàwEA¿ÌRÝ ^©œ‡+àŠÁjX B'nÜ›¤ãÁ$U¯øª\ÄŸÛCðï µ+Â[ÚÿÈ2ã.¤mCûÝ\£.{úžãZ–ÓAF@¨½J {Î-÷$‡Èi!ÜŠ
¸”Ñ*‚K»¯à‰ˆQrpÉM¥$CnÌ!£¥ñÆIä£ÏhÕ æöØtÚvŠ\Ñú‰mƒ”ò¯mƒ´“%¯é8ÑwÍQbýzÉcã›ÅÍ\3z ֨ĎlôsœÃi즿€Iß‘6qÕÚ§ØÕ¾B 9ݺáô%ï¦ï î|÷(àþ˜³´s’³W|_­Ï{7{¢sn†¹f†%Ø´˜¾»Ð¾»´OaöoN ÅtÞ7ÉVá,ó×a…ð-3,€K>¬O
–q<üÃägû›V®Íþ†ƒPÓþd@ïp})H‹â‘Fë·–Ý”ý\
]%=œŠ±é4½ÕN<ýfòç¸b9ôË¿‚^æ1¬%ú?ÍBºªÑ€wñAöAWLÅôáeîïç 7ƒ¢‡àðfm¹X®Ý¯ÓóiöÝ¿b’=âé-‹ÈcD}S\oyË®Žy#r}üëöÕ&JÂ̲Ù8,†˜C†ô¤¯ ЦÙõ„VôɹoÏeø󼔄aê°Øá ãÔq±3Ô±5pÜ Þ[›pzOì#ê#±¿W{@=ëHN퉙]S]skôÒ˜Ñ÷ÅlŠÞ³3º)ÆFóÀ{’aØ
‚ò—Q{ÄöïöºÛT{íÕWyï¢áÑ»oÜq[qÜ;·Ý[ÿÊÄúÏp
yc²ÆÝ_x{û[Êg¼±é彑Ç''c{dÔWŒ'Û!/˜ :c„<ô
O„¸Ñô–mt¬¶¾ñXØ[.2"Èf’Íá6–pBbÀ›ìݹÔÝ㣋£iI«Ë;ÂÞ€A–('Pí&¨~Á‚úú… ŽÙÝø&V´oßlÜ=F[‹Ë?ݺaÃÖ'Ö¯;6k†öŒÖÛ33fmCt}¦òJy¹Ð O8:Œò–Ãæ£ÊF;¿1ÄnaF!Cº×ÛΟ³ý»&b ­µuæq¬æÒ¥òƧ箿êñÇW=ä)úýdímm¬S¦<ÉÓ>HK}ê‘GžJ마‰Áƒ°¶A1ºM§ïŽA›Î¯Ðè-‹}£ð–´Úò:~Œ„ðÈÌyÂG‡P~Q¡®æÌù3-¶3übë?&UŠMÿ4'éÊÀ-ô„1;ßÔ¾ÅÊ›
»6QþÕ-X@ösS¾oÙT:çb[×(éÐoAáéW£h¤'9þ‚åÃÒQa½ ¿¶>èuÓêÈ'9Ì(3[‡D2 ›»¼¤£Ü;G+•Qã(šŽXý%W'ãT$è((mÏ™×Ýsí—‹—@®ù–ö‹ã°„‡i÷Í/®¸ÉÆõ/¿á†‘YZKj?œŽCq¬½¸¢|qcMGÌ&Ë€Áè*O¤MÀ&i£ˆ×£Ç,â.… 6 ƒ,˜ÍÙVcˆþù@ ó5Òp3´¥mhs³^>“F_R¥±ï<ÂRÃR‰¼Ã(¬çÃñöþôYöJÞPœ¦ýI[»sçáwÅ/eå_DmH1÷ó“­–#Xø Ù^h¬§g¤• ÇaçQ×ú (0 ùuó®øAHO2[<u„8$1à(.gtIk?G- îÞŽý_ö’½‰Õß^d“.¯DÉûí<6iÜ9ÔàImeséÌÝW7mnñ-º®¾vÑ¢ƒ³¦ã‘­?àÌé¥[ÚìÚ7ÚÇj,˜¾v37¯Z»~óÊU¿Û!.CQº'ÌÌ#¬œzËñºí1 æÌh”Ýl¶Úhù@·è¡-€7õn©»‹]K]ºŠ¦ÛôLÐí‡q’¶SÒV›mŽÑɵK© _µ§æÅ׸mí“|xÍŠšðø„߯i?.†´o5ãœî_à@ñ ïòaUsíâã (Ùº½·ôÈr±\+/•ùεÌv\NgÑÖòÅ?lC4úÜÅýZƒiDV4Ìã¢ÕÃõ‚  ’hÆf²Ùx=f2E¿½£óØ‹íµö¥v}žÑÿ!†¾¿yúÊò<ÿœ»OùÅôÛED'ÖyºæUÐ=žV?Ü… ÍÈÖ½€x†‹]Ä9¶KbÈ%¹†id†8Åp
+!.!óøyâBÃäVþvánÃz²RX%>lx–„;9§0XÊâF c¤IÜ i6dK^a>WËÍI·swwKp KŽî¥DÀ¯ÃÚOrùZ¾6V[+†´=Ǻ ¿£õÕiðË#úôGÑîøþ X# µÂRÁ/Æ~1äûÝf·!dØ
þÅ*=‰Ž ™7 U4„YO¨oœףwE‚ᆙ$³8:Ä4:&Âeë©WrÁv£¨í¶
¥ˆÿ3Ú¡CÏЯGÓØG´ô½¨ÇšPP›°4ᾄ§ 30Ó:S¿@ð‹µë¾Òîÿ6¼ù¾¬çj_x][qN~¹ÓV{
g×Âeň'g7ì$[*ªÏ}Ü>‰ Ÿ?wëúö÷¹Ñûæ>ñHûq¾xó5ŵ:}Ìf€¾Kmf×åmæÌ?¶Ç?°™‡ïØ à¡›Œß'´î××,n BM¯ÓºßkárIÝoÏ àá®QtÞõûŠ®%?î…ù‹Ïo\´¨Ô$–맴µgñ(²ðÉŸ¤;FÚ«Z l¯â+plWè¸l×& 3ï†x¢:ãÝë–ÕøC²+
b‡E½.‚íÌ™KCž»ƒþÜ ¸ ª\åK—ô`3ý¸ÂÞ¦öÝ¢²¹Kr@Ñ|E<ê¯'1mÔqóç.a 2×®ˆ­«£Xæâ¦K4àÖ%}éʵà.Q™úêXn„Þ:ÀeAGHÖ}ój2?}ÛûtåQà–¿ÿ¶CŸH ðÎù‹Ónå'"‡ŒZ^—wÑŒ$[5Ž`jû8ŽyCúåX³ÿeú¥ªJZRf¤Üµ’ò+{×â Þ½HŠÓñôïÚÛøâ½5^"Ðyç@Þ4 æM@x<fg1ŒŽ‰Dƒ$ ¼20&&Ú­×ßXNrØq4l½_ï~½³7!¢Ðb(ˆ׋}ÔÜr¦{îï4Ë
ºÜ7ÌôËe#­6ΔeY‘F“Ñ,[…øpS¸fM’’åd%Ù˜lJ6'ªÒyˆ2Ä8Ø4Ø<V£Œ1Ž1f5Ù}Ò>yŸ²Ï¸Ï´Ï춈ƒE²ÈÅldžxM¢Lë]Št¼óÒÏëô"ýò€­÷šòÒ±%ÃqðAí‚ÖêûrñÜÓ
•sr«‡uè|[éûó}šÚ?½O²QŽßðä®ÝññØ6`ÀàŒÔ³½éw;·GS¾F€<7 BÎRí ·’•l´ã]ÒF¤HF™“ÁlA–¢.¯®Xñ`lSË],,wiîÌ]š[èïd°wYž°áhx0ý•,bµYí\)psÅD'”ÃçhÀ:€¦4v®?¾V[~åô½Ú‘£OïÜ)<ª½xiîüAÑÓGñ Œð•LÙï³ðÅìu$4Øt"ä­ÐÕ6¼+HäP°Õl¾Í®Û‡î–Ϥuz¶ˆ¥4ý ¡ÕïP½ùkÏ
¸‚³Ø£À·Ñ`qÕª_|ïæ¶×^­}™|ûüˆøžÛ×p‰?lØļFF .ÀGDï\Z$ÝꧺÕ×ÿ²zà"ú[m6Vi U†I\9·”»ÛÀ5ù·C°½ÛGlû6—€
¬!Gp¾'êûD~ €3HŸ*å  Ñ›/–®oÇwÛ…;ÄUh^CÖð+…µâV²?KztÖc ‡b'ž­ÒæóÅm­DüaƒîFC úMø¦Kê‹ôúâZ_@ë‹~²¾xê²õEZ°ú-J‹Ÿ8UIçÒ…Te+"^£T)KÆ@6˜(¼­¼¥ …¯”P'ëž Á&ÚL¢8=q®(ö–úÈ=ŒnSŠ%¥ãÜa°8Ø0HºÂ4Ü2ŠÓˉ£¤Ñ¦©d?IºZ.2N5]c)çŠùYB±Xl(–Ê”bc#WË× µb­¡VjPj ñéNù6ãݦå–¥‡M÷Y¶pOÂï¤'ä-Æm&‰¸GzÖô
n&¯ó¯‰Ç¸ãä=þ}á¬ôWùã禫™¸"0ý‡c8v4ž¾ÿîûtí¸¶àÀ~mˆ®ðí<×öõi~ýU@~F¼À“óSõÅ®5ÈÎZc ØÈãSŠµ°`ÀÆîÅÆ zé\ë4ýQÅñˆð}p#²ÄÈ*I‘û“¡òH’'’éò,R%דëåÉR²L^.?„î#÷‘‡ÄuòzyyJn"t{^¦Û!rˆ¼)¿)¿EÞ"§äSòGä#ò•ü•üúš|'^”Ó@1y“D”`.”‚•3ï#õP@Ðüi€’jÎâÆòc¥,Åg¾
-å–ówŠË¥¥ÊCh%·–_#®•V)‹MÜóüóÕ«7ù7¥CÊ{è-îÿñ”ô–ò)úˆûŠÿLüJúHù}+Ö‹ž©á?jUxáÙÏðB8oÕnmû^»•ÆÅk»q^û©öð,íQjw.XÛܬx g¤5
YÁÊLfb¡_¯_ꆬРÌÍê¶(œM@Êzé}‚vÙ¬£,QŸžÞZ)„fÞ °_þù)‰AÀ”˜¨6wº,Zõr
Ümà´dnkw·uÔï¶Âx,A
3;‡è0ôzˆ= ÔÆ® Å K†5eã1d Ÿ-d‹³9¯xwp›x‡ùËCÜ*Xj¬1¯±l嶑müÀûÉ^¾InRž7>k~Öò*÷†ù
ËkÖw¹³\F‡k³`}µ4»ÀÇõ…0S®%Ž:ðð›µWO»h—¸ ? |nåƒÇÆê³|ð]FwzÂYi–5w´>ËãnõÙÃi?YŸÍšÊM2Trå†Ü<Ã-† Ô\²aàUŒ`3ö$‰RŠ‘nÇH×ï••ž&$Pc TXú˜´H.FJ ŒÛHÞnßÉå·9¹üö7øâÖöµQ+WŽÀVµüNX'õ@3=ý\V‡QtËá6G”QPc ’›§Q3þÈÑü˜;Êe’¡‡3˜ AªË®X·íèÐÃçÓhÎD3§ ýW€èWIôíe†þ](+ˆ¢Ãpà÷ 5pˆ¿€ÁÞ¿FÑÇßµêÞaÃî­zõýãÙË&N«ñM¸¬útÓ ‡V5žjXuä…§NO¾wË#÷º"î]·eùdÊ{ÌkQøS1Šþ®ËV%åx›þ›³‡õßúôc1ê’P7z‹=i1î§É*E.+/¨E4»€Þø¬ÍöÇÜ‘®pÉaÅñA<
q@ªläÁimCëi"#°Åúç¡ŒêTÁOæ dÜA·“’ÙIw@(瞉Ó|¾iïÉéJ{õäå[ÖÝáº÷‘-÷N>ýÔ GV5œj\uè…&úÍ/Þ)œ …°ÐŒ÷€VD˜P0ÿx„éñàhdÖ)èhË-¶CŒñØA˜„žt£ËÊtš`‡:é
'æì*ž»Ü"¬Ïœ²}ÖÜpe5ЫIOÂóÙƒEBÄaã&t4ÇÒõÒËÂ2DìÇêÓé[Ü¿ñèk \¢íøU\Ô%b3×ÌJÝò)[øKÝ&Zê–X©[¢ÏÙýàþŽx7ì/ñ¾û‹/Ä~ß~û-û{
Ü̽'?xõëп£‰}Jò΋}¾œ¿«kÛa="{°ÀŒ3Tkàól±ßÕ}Ÿf=âÿË ?^þ*‡5ÂN´A(GS„%h
÷dÄ[p ß½$îFw ÷£
Fˆ­h!W^"[Qì›ùÏUƒ||p~›£o îG³`ÿöM°ß ûtØ…}‰ÿz1ìsHtö)ŒÀÎo¦¿ãŒn^+¢ íN¡rq3œçë»x?\ïDû¹Vº_\&ö‡ûÐÏð-<ƒû"Ð#œÔÏb"<{ ­Ö¸0¥wÐ0±JÞ¸Ø"AÓ)-g8ß
ó¿Iÿ@ì3/ö¡íüAvž.T£)Ö^¬½Òýâ~¡PoK“Ð6zŸòŽ£ýÈ70þ% óÁø;ÅÊÐh!Å@ÛÅo¥° ‰hÁ<=3úzP艮Dàek`[öãh¼•ëEHo2…ÜBþD.ðN>™Ïâ§óò‡…+…MÂÿ‰iâ=⋆TÃ]††÷A£â¤i“œ/·(yÊjå£Å8Øø ñOÆoLI¦»L[ÌIæ[̲˜,u–Ϭ‹¬Û¬ŸØ®´‡Ùw9ƒŠƒn
Zt0裠óÁIÁ{Bøüu!ß8†:69>qÚœyÎÎáCC—†¾V¶Á•çÚâ:^Ù;ò“¨Q›£öEGFÏŒ~”iœ—ä£>è:d!€€…/¹X8Sv‡Ãš& —«qš¿!ûØßæ š|ïo1Õ߆€ÍMð·dânð·Edåžô·%dçNùÛFúW%ümsÐ#½n÷·-hÀåþ6ø½!øÛvÄùÑw
âT6;mcäÄoøÛ’ðWþ6A*Öüm©\?[@a\™¿-¢hîn[BqÜsþ¶
æþæo›ÝƒÉXÛ‚*†¸ýmriö·íHò‰|¨-@u¨ÍF¨©¨*E‰pNC©°õ‡Ö,è¡¢ЧÕÃ^‡¼¨U£$¸› VŠ’¡•‰ª`SQa¬zvå…³Æ̃côT~Á¬;f-‚™æÁ\s`L
ô¦x”À˜nÆ,hÍq“P#ô(…¾% š—(a©¥ŽµÐgÀ­„~*Œ÷Áì%왂ÐH_킺ÊÙ
j¯ÒD5-5µ¿:k:¢²¡¾¡Î[R¤æÖ”&«™UUj!íU¯zë½uó¼eÉʤC‹JæUÏñÕÌVG”TüÄÀ,IjiEIÍlo½ZRçU+kÔÚÆYU•¥j™¯º¤²0ëNâF`=ÜÖO(©@L„FøªÊ~jˆÚÙ­Ë`õW™ÄdQô1þ¦Dú£AðÀ[W_é«QÓ’ûê9·ï¥p)ؾ—äœ× Á¯ž\Ê}5ÀÏbJÒ"ŒR`+óØ0Îu v/ƒWÇ$àza ªhh¨œ’R@ç5&×ûëJ½å¾ºÙÞä/<Îé‚A@¡JýcӡϨ’z™¢{Fš}©Zÿ6ÊJ!'  OY Ïj]
Ì0(×êØjJê¼K8y)ÆØØÍŠ¶ËÑ®«D ´ºríÇnA
øõ›ò‹\Íoïà./ïNš+á‰ÂZ
ìÕÂjÆë¹pÏøG¸
¼j­Ó¸*Nì™×O×l6K_êI~¹ëÒÒgÓuL×÷$†—I¿†¯õ°>ƒ 6øu¬Ò¯% †Îiųaq©>•²~T´·Ž»®Ë^fÿºîÅuÑ’8&9:¶Œë^¥0¦ÄOŸÂ¬ 4´šAi`Oü)‡V•ß’zuàØ9õiÿÐ_]ûéŒ<¡wj™Õ”Á ¥lt›2FAÓµYð´=ÕçP~f†$¿5—f ŠÎ“ùL*˜Wjðs¦šÝëJQ€†ºnZ©cÛÈx˜ÔE:´]Íä©ËZéâAêatÒOБÔAg
ó *ƒ¬Ûƒ»ÒÏÕîÒÿyªœÓ±­íÐè†W§ÖuR4Ÿñ£úÍ°†ræÕküz»ÌXÆŽtŽ$v¦œ˜=J<½O@~å,éž- ¡R6wøÒé`fE~ìèpó1ÏÐ)ƒ®¾¨“5пÁo
õÝúl¥“c]}@×q*£¹„a®0ßÜ]×tn豤ägäécQPõ˾š;ýÇ/‘E‹D4²–ø)JîÆ©ŸKy²À[ôÙ)ÏËŽe~MªbzZ×qGÇ”ò´¬‹Ì»j] ‚–°ˆXÉ|F»R:(*c˜RyÕtáÆìnqUŸ)àCK˜ö躘ãRþÔÿCšX*~
:5¬„Éè—cÐ}žKùq9Ü’üò®bã*›+Ò©c~¶„ù•N¸°—K£‡×ï缌ŠÀLóUel|Üeâa\Ý—ŽPàY ÚÆuÑ2Ýfò.‰/³˜½ûºàÚè·ƒ€žÌƒ§•—ᘖ¤
þC{צG¯æQ½#ºÊ]Ç9pG¹¬¥T0¯²s½G/Ó¤ŸÒ“€¯»œï.c‘ †É½+¿.ÇU¥ çºÊð×Új½?Wý”¬-`I4s¨êÈ=êü#ºC¬e=Ž³ýÓã!Õ*¥Ã«þ;=ÕOS5Ëo#
þxXÞÁ©Ñ(›Í3åÃg<\¡ÉG²g¹pO…<®žL+úgB³˜\2Ùú<ŽYãdhSˆãÑDK‡QG
{*Ü¡°UvM¯ÆBÿ|€EÇf£)lŽl€60m
{Ü̓s¶¿1îL„kÚ…hªÏGÿXi³:Žâ¢cZ÷;gíŽU.›1€Ù8¸*ø£ýOéFÍeð(þI,?¢í|?ž:ç
tÊ#
™Â å±+zw"œ  ßÆÏLF³Žm>£!žë´d3 tIèd€u*ëAÿ4kã©Èß3‰É‘Ò“ÅÆÓYDz^:fãýR¦íN(É~^êxPþOê˜y£?6•Ñ_Äþø+•M&ÀÀ
èÎ(â­0nLdôe2>Œg3Œ`ý()?ó:4®°‹TF2~Q¹Q̳ØL™Œ#.KIZWé\N;”ŽF1ú²§òXï ÀÇlèŸÛqG×Ç\FëH?¯u˜ºÞë:‘×…»#T²WÁ¬Ù~Êd¼ëN•Ód†'º2ýÇ‘]xÖ)ý|¿tø±™‹.ÕÉ̳Y¯L&ë 6’Ãìwœó‰Öé&úõs|fÝù°£@¿_â;tX¹»K0‹éSžà ÜÐ{(?W÷]Ù×JÙ:§¡ÃowÜ]³ÆÎl´kÞ™ÔÅ×vÍt/<Šõ­¾¤_ç]}µ¤Ç¬ÎµN×Üír+ìÀêXÏåYogö¡ûn}MÔ5ë-cù¹žÖwd%>ú:2“ùìigL¯õ×N|ÝÖytæû“:æ
Ä¢NXz^Y²:[ýe¸ùÓJùÑÊ°–Å{}–ù¬ÝàÏL(}þ¾ôþõ—¬†õŸË@½¬ ´\.sèÊÿ:&ïZÿZª’q˜æ“É~¸u(°.ëä å€^w«¾DêÚG¡
F—V(fwÁ¼ŒñZAz
Ω0¨qý÷«N¿uû©¤t«]šyýûêAÊeëA긤ü¢zP÷L¾´ NµŽ@Ï_VA½\…Eù¯Õ•ÔÕ•”ÿ¯®Ô¥®ÔYaøÿͺ’Ò-Âþ÷êJÊeVkÿ u%å²u¥NŠþ3u%ågêÿ™º’‚þÙºRç[§ß²®ÔioÝëJ?}ºº¤¯ÏõLâ­º¤ îÕ¥ËW7þ3Õ%åg¸«váàÿv•Ia:öãlæ?_eRþ‡«LÊ%U¦Îµî²Ê¤üÃ*“ú«2)ÿD•Iý·U™ƃIu ÃVçv&<ÿÏÕŽ”ËÊü¿U;R~T;Rÿkµ#å'kG5 íHù'jG?÷ß[;
xÖŸŽ(?®ø(¿¢âÓµJó[V|”©âóã5Û¯«ø(]*>?Wwø-*4
?‚ïA…ÍC¯’ÊahÑïÚè—qÓ©½ê½^u–·Ê7?1Yý_Á%«£ªÔVÔ«•Õµ¾ºo™Z^ç«V3ë¼óüæ`_Ý5ê_ÝuFQ:gŸä­+QuÔ:>ÝSúþìòãü~ñ÷ê%3WÖ+%jC]I™·º¤n®ê+¿Š¢xëª+ëÙ7t•õj…·Î sÍ®+©Ò“€v Çêf{“ÔŸZR³@­õÖÕÃ߬àX%° D-¤èÙPá
ð©´ÔW] Ýi‡†
\öÖÔ÷âX™ZR_ï+­,ù”2_icµ·¦¡¤âS^YBêE!²ê_yÃ|`\"äÎ[[ç+k,õ20e•@Xå¬Æ/ÅAé6 Ä\ZÕXF1™_ÙPákldª+ýÑêtVØÆzèOÉIR«½”j…)H}ER—9’èœ)¾:µÞ r€Þ•€ªŸüK¦¦ÈØZÊèEg›h~P1”7ÖÕÀ„^6°Ì§Öû’ÔúÆYs¼¥
ô¥¯ÜWÊF *õÕ”UR:ê+J€+™å›çeèZÄèP‚_ˆ¡^¿K¥RÛ©ú3µ¾¢¤ªJ™åõs
Ð+)éF§¯ô¢N­öÕy/K¶Ú° Ö[^%ëHuZ]²¬†—UWRE+©jÕƒ-)+c”묣ZRx5V•Ô)t¢2o}åì†ÆlÝVaÕÐ’RROGð©¿t&
R ÃJª.À?&€G'4@¯¦jZÙEÍJN—þß—¬/mÔSFR¹Ìà :ç­cƒæûêÊêÕ¸;Œ£s(qÔlãË@2y~{™åK¢PA”'ó|•ˆy¯kQKjkÁ¼JfUyév€LJ§P*JÔŠ’z€è­éƪuÚ]¦6Ö”ùîDUaÈéþœTë}UÔª™Ø¨JÔ*ê=ÀVkKJç–ÌÂÀk|
N©ºM PôV•S¤Fg«9ãó‹Ô ãsŠ&gf«¹Ô‚Âñ“r³²³Ô¸Ì p—¤NÎ-=~b‘
=
3󋦪ãsÔÌü©êØÜü¬$5{JAaö„ ÊøB5w\A^n6ÜËÍ™71+7”:Æå/RórÇåТñl¨Tnö
l\váÈÑp™9"7/·hj’’“[”0¹B5S-È,,Ê91/³P-˜XX0~B6ÀÈ°ù¹ù9…0Kö¸l _0µ0wÔè¢$T7“”¢Â̬ìq™…c“T6H.TY—dÀ`¨Ù“èà £3óòÔ¹EŠ
³3ÇѾ”;£òÇËVrÆOÌÏÊ,ÊŸ¯ŽÈR2Gäeë¸)#ó2sÇ%©Y™ã2GQr“Ðn:9ìPè€QÙùÙ…™yIꄂ쑹´|Ì-ÌYÄzïy Ý‘ãó'd_5n@¿ÀIÊäÑÙl
þd˜1òó\
§h|aQ*“s'd'©™…¹¨Dr
ǺTžãs˜L~Ráåûñ¥2¢÷~¬ЋŽö˜•'P4à†Ò­/hWöu¥ÞÚªÛ~ãÖ]#s£ºïLbZ«;PáQ5`¸ú=Ö„°–Å¢ŽîÝ:6
ÇIºëeî´"‘îzËæyÁÖSWâ«S|ԙ̯¬g–!°Ú§Ç<µ¾¤
&ƒQÔŠX/ð•%U0¬¾Ín¥am]% ™_WÙÎD-i„»u•×ûÃp?L1
ÔN
è,ÎAÇ¿Î[_ Qªrž·jA2ô­£±ŒaRYSî««ö“ÎØWÚ08*4¨³ð2_ƒâ«›¬*
docs/cannamanage-frontend-shopping-list.pdf
+633
View File
@@ -0,0 +1,633 @@
%PDF-1.4
%“Œ‹ž ReportLab Generated PDF document http://www.reportlab.com
1 0 obj
<<
/F1 2 0 R /F2+0 18 0 R /F3+0 22 0 R /F4+0 26 0 R
>>
endobj
2 0 obj
<<
/BaseFont /Helvetica /Encoding /WinAnsiEncoding /Name /F1 /Subtype /Type1 /Type /Font
>>
endobj
3 0 obj
<<
/BitsPerComponent 8 /ColorSpace /DeviceRGB /Filter [ /ASCII85Decode /FlateDecode ] /Height 136 /Length 1268 /SMask 4 0 R
/Subtype /Image /Type /XObject /Width 218
>>
stream
Gb"0W9huEg*67T9TiVn);(I\?+"h::0d`'&2"?PBGmD?QhRk]mL(!P1ar+"uA6V;)Ue,hg:o(H\['W7V-7VXBh:\4ln&+m`*dF'tr(-h?V7SOihnK6nzzzzzzz!'hMamB).tK(@Yph$K'LN]A,onfT]X/*E]QS<-DkV'@)odN+[N,="_IAm.5^?1W,YdLlI<Wn!mi5[LIc<B:1tR!ip\3^O+S/5%@HT[MDWF9DSo2V"?=km5'HQ+]?F#gd'pBW-3OX^#F]f?c$rUXSkmpnd_fVb!]V5[!s[265aT\<Jr,HWPQdp#KIB[l,#'fj.n6eWp/LF:oCs,_7&4USH6L1pD7A7._K@qK]QiC>>2HFOfgC8Cr[mV0[)gD61:!J]8/I2nP;9=/\UOokW[J&1-RFh5C7b<iN$?ki^T#=BP@uLE#:6arM\gpqIDE9]*DJ^Cr3L\G5-is%X,K]?C6"POWtA2KWb/F^I#R/cN2b[O*#g3N)h=qo2NHlKk!!,3-PSrQ,A4/N$R=@<#.G<sZ56:Y@?,IYt,'?3c:pBIr84mCfFi0"K<XK5\_`7Ngrt`XE['c#_Sk8k2^_\$FGhNMgMr>$CJ/#AD!<RC]uEDm&]q.Hg<N&Nk#Rl,N%"DmRtrZ?J5Lp,Qt2XsG-Yn*b&I^hbl3S6LRNn61f5R>h$_S>fdDDf89=#R"a6^o3uoFUE2<&'ZD7/>Q>sZqIr3>nuFQkBb$Keh^T5X<mDsOQG?'-(E.O7gO[J:Lhfb!4QuY;-454!%th8q^rW_%sgudYkA8kSF,XsM8GA&`eJSg&.$m)CVV;nMcKnu8[N#7]p)9C!3):-dLfkl...IB9;SM&SA][\8J#r<-dO9"L\3p9P0T].h2Sq=_Ko4*-UU8K=>(Ol_o'C?&JV3m>$"r&l;aj^h81QG4(d4Of(RUXF9L>l=!LXYIu<c%'fQq\IcK(:i%S,i\^;!&h*tDL=T&'NfKS#P@j;EXk'bQmc.0mfjC2^ql\%!QNTS0$F+[Xrq5o+GEL"QdkdET5fX/n#Xlem0.=fF@'R6Xtj#f3eh4TeYp[<M'^mQ+W5rG*mmV.lF?phrWVG(l(NS8f/p9\P'[>uEBG3a5Q@LEdCcR>\0&Ifs0gi3'j.@66Y!2'q!X)W3Q5M,cIdrusE@`%LG]:^^?BT\=JDYhX1b9N%>4nIut`VrAnLBd$8FU$h<7$Op-"&MqMgm!g!;[TO#16%uD1+=4E@\!/Co#^^migad3<aZrdF#kBCzzzzzzz!!#`B!&quIC]~>endstream
endobj
4 0 obj
<<
/BitsPerComponent 8 /ColorSpace /DeviceGray /Decode [ 0 1 ] /Filter [ /ASCII85Decode /FlateDecode ] /Height 136 /Length 2815
/Subtype /Image /Type /XObject /Width 218
>>
stream
Gb"/jHZ0Zf*lho;'9Z(_8.<TY`)9E@e2p)Z;(3f3@)0_?'MF#*3tAY4V*%%0Hr*X^KdB97"B5L-bNS3Lj%r#DCABh1@Nd4W4<mrrOcYq5h1R&Ch7cTJIe2irR;C<@\uPc/f>$4HkLZ>sSt;P2b\ET0P*1ukP*1ukP*1ukP*1ukP*1ukP*1ukP*1u@"bIe[(>sC3(WE9t(P8\jFmc7mH$nN8;pVoF9fjceE:T?J'pJLd!0'8\2C$PJg%n[AWH7o-Vsq+sY8-kZ#V3&:]Rt>T\mnpb.p7YA\[QbnJR')X**HOkoD3e]6`@.5X[gJ+G8`$8k\S"X15,Aao`3YCSNg[f8$;:`)61G!l!U3N`4uq!?/bNQL>'dKP7-MWSg[]G]*EX06YK27(Qp9lnSd/&[GtY;D:gmhRkN74I^aFO>?tm0%Vq8Seini$j5!$(_5n"[r,*QldjQ@9_A8c+F.7Gt=s8ZPX3$HGZaUFDQS11dM8g/O=bd'FY%lR@,PQ?DfH$5tLa?oM_K2W(:Gs':>2,RgiYoPKn2p7Y"Eh2$M]h3BcLgG3_/LT[$^p.,:;8n%Vg!R=?IUpX1.KUV>gLisG;;n)6V"c!CErO$h^9s^lo*Z<\rhkd)hubkfHH[&^4UmnPNB(+V*fkHm/J%&&G:I8!2a$,UH3.W,c/_0")_.+:pbPtSF[jSf5UO&aDT?6Xh2b"Hj*XPOT_oHDA^8FK3:a"l.-ZU#LI8pRZ/l$p'#)j@/kC^g?4eu2B<"kT$cmq(>!0,\II*!P/VX3\KlD:X>sdeK;JOhEj^RZFuM/j*_.F_9Nr,n)*14<VIu<*]l^P]+Sf9+h3ADBV0#1$1nk;tcjr.hEA<tPfjO![MI2q1=Yd@IU4)<X%$b7Vs'+2nc]nmhlMtHJ0mgQpTg^5-s*5U*U'9]>9&="l_*g=rWO>sNhN&;;\,!:+,kuX8g"7^:mWfk#qDQa`#,u!5odjs$aPsLeocHk,Gg1hdIB_oL=j@9:^k=7kL(D#VmbaCE+82M8Hi$T:Mck+/5S[=dL!64^S%dJ$r_:E,WeJZi6A?8l<C_NRD:Zf[pRDK?a)TjdY*^bh7TN!/A14na=\P^kS[ko>c)nA'OD0X>5-9V1bd@29a>E9U\Dsa/m4;r*aTaNX"PincD)Fp:*+&`5pE"[dhO.&aM7Fj6\@k1%G!8Q?$Z9imAFf"/WVVK:g?s),lZ8Hhn&4U5@PZR??\4d6,-B2T4qro%_h.S7B7&o1VI)Kii+>0bnuQB9]3&GX=*=X8C%J.-6;Keh`RAA::Od>\6#0`HEa#Gl(N*h9H%q,[YliZfk3[hYYml&3[Bt3](78,,.@1U`%)eE]%$mMmGtuX+"?hK&3NQVo<X)NYY(G3*MS-P/$>Q7YZ?rRc4ihV`aD/gH&&7!]::G,gAk71P0i[YYKOc<1!3^R_+e+E262&[T/F,bg#r6rt$tk@_K5i.U_#j0f:-7-EjMh81o\EELi[Y_tj.Q+HYp$Nt2AR+7M:<X-h/TQ-YqJ\*-"RIj4=^Y1>6m6U'#R6cP)*p#onRff/(kiP'po&go-I5PPn0_W(n"%M2+Stn=^!'Cn)nu@A@k=XI=:;^1K@'+den"c(th2g1Rj(Jjr^@c*TA*2G7<dXrcu]H;=)1,^L$)dZndYr":&U<T32"Y"?p@OR*B\nHNucc]K>3hjT;M!JYL$q4iRSCedK-6$%Ao#cV"nql`>jb6,KJ'/(l_nf@Noh<cD.G>:o$&Ac0ab1_3@N&2ur_^fhQf.<RqO%TXlg1[KH+1<am%k38CVI?<?3g.DdB@=5CYpW(5C\g\^b6>@e-RFJs2,&9jVD4NChaGYAD!4@rqSt_!Q=q!E(>r6+S19+o[*3d3j\FrE*bL0E]NPRpLZ"CpRQWloh0hW&W0/ed:%2%q'qV1+^BdJl":bQW%*^Pg,Whb)1<e=Z.\k-!qV2F%Pkq,U&0p\Pj^=E'^3!`TkD=lqPToeP/G!anER(8==?c6oq$^_%L(UQ#+ct"soP&3?P(0L!=QD9!F=StZ&-&YfefrSbQ^7T?gCS!/:b>:;g%hZ]'mLVLBeJH]*;rAma>tc#<SL^o%4VWA%n&aiWTT(`1%qMSM_g?psbT7ALM7K4e@0n@W,:"H`Ic,(t#X"4!Cn(itCL=UuS4=@oC=S;a5IR!\\!ClAl%MV>[-(/A=S\MN4\j8*0>"./0W0M@>(6f6=fepgl+;^As84q]'uhqU_V`6>%DAjZDO"2&g_7aY1Kd]>'\'N-dOuh0qb/\+D@?/)2Q[bJe.ZABK%6TQS>"0!Qsm23B';kL+8)$&.)mT[:QWCk0Y.Y$IJRR[SC+s^Ype02Q>o@9l["TX-5Zs?Ztala/I%CYaAVl)]@?b^L%[:FQ^c)B$g9,?5K@7SAF100T0Wlro>_eml[<?:=#X;IOaGFcA;>-VHja*Gd=77$Q_#T(C4/)qBrNfAVY7e"6siIuZHP76T(;)XJ!C*o:cts(\c5Fq::@4`l-kc2j/pdscT1<n+rOef=1O/L'V!84iK^M/)19Gpa9F3Heck23)"bM#-aR9"?EDKK4ZnlJUXuFXfcrr>3c4j!D7aXHcuo/-Eq<aGgBFkb,M71dM/:mZD8R#kd^=!=llE!FdpfEpFE&[d^/_1O#bB'5<VY/@2\!NL>PBe3_.mlA%^kh-Hk0b1>FrnjL-)O\CM-Ainn)\fjCdb0Hu%JiH9fuZKHK)t3o!Q<[qr#9k>+=f%<!EaZ\:nUW'#09[tAD/glP@L$'N;hcg-qRS$rrbEmXX94"hu's'\f';GpCj;GpCj;GpCj;GpCj;GpCj;GpCj;YkmjrrD_gq_e~>endstream
endobj
5 0 obj
<<
/Contents 30 0 R /MediaBox [ 0 0 612 792 ] /Parent 29 0 R /Resources <<
/Font 1 0 R /ProcSet [ /PDF /Text /ImageB /ImageC /ImageI ] /XObject <<
/FormXob.b1201bcf0191eee53a3a7555ffe47082 3 0 R
>>
>> /Rotate 0 /Trans <<
>>
/Type /Page
>>
endobj
6 0 obj
<<
/Contents 31 0 R /MediaBox [ 0 0 612 792 ] /Parent 29 0 R /Resources <<
/Font 1 0 R /ProcSet [ /PDF /Text /ImageB /ImageC /ImageI ] /XObject <<
/FormXob.b1201bcf0191eee53a3a7555ffe47082 3 0 R
>>
>> /Rotate 0 /Trans <<
>>
/Type /Page
>>
endobj
7 0 obj
<<
/Contents 32 0 R /MediaBox [ 0 0 612 792 ] /Parent 29 0 R /Resources <<
/Font 1 0 R /ProcSet [ /PDF /Text /ImageB /ImageC /ImageI ] /XObject <<
/FormXob.b1201bcf0191eee53a3a7555ffe47082 3 0 R
>>
>> /Rotate 0 /Trans <<
>>
/Type /Page
>>
endobj
8 0 obj
<<
/Contents 33 0 R /MediaBox [ 0 0 612 792 ] /Parent 29 0 R /Resources <<
/Font 1 0 R /ProcSet [ /PDF /Text /ImageB /ImageC /ImageI ] /XObject <<
/FormXob.b1201bcf0191eee53a3a7555ffe47082 3 0 R
>>
>> /Rotate 0 /Trans <<
>>
/Type /Page
>>
endobj
9 0 obj
<<
/Contents 34 0 R /MediaBox [ 0 0 612 792 ] /Parent 29 0 R /Resources <<
/Font 1 0 R /ProcSet [ /PDF /Text /ImageB /ImageC /ImageI ] /XObject <<
/FormXob.b1201bcf0191eee53a3a7555ffe47082 3 0 R
>>
>> /Rotate 0 /Trans <<
>>
/Type /Page
>>
endobj
10 0 obj
<<
/Contents 35 0 R /MediaBox [ 0 0 612 792 ] /Parent 29 0 R /Resources <<
/Font 1 0 R /ProcSet [ /PDF /Text /ImageB /ImageC /ImageI ] /XObject <<
/FormXob.b1201bcf0191eee53a3a7555ffe47082 3 0 R
>>
>> /Rotate 0 /Trans <<
>>
/Type /Page
>>
endobj
11 0 obj
<<
/Contents 36 0 R /MediaBox [ 0 0 612 792 ] /Parent 29 0 R /Resources <<
/Font 1 0 R /ProcSet [ /PDF /Text /ImageB /ImageC /ImageI ] /XObject <<
/FormXob.b1201bcf0191eee53a3a7555ffe47082 3 0 R
>>
>> /Rotate 0 /Trans <<
>>
/Type /Page
>>
endobj
12 0 obj
<<
/Contents 37 0 R /MediaBox [ 0 0 612 792 ] /Parent 29 0 R /Resources <<
/Font 1 0 R /ProcSet [ /PDF /Text /ImageB /ImageC /ImageI ] /XObject <<
/FormXob.b1201bcf0191eee53a3a7555ffe47082 3 0 R
>>
>> /Rotate 0 /Trans <<
>>
/Type /Page
>>
endobj
13 0 obj
<<
/Contents 38 0 R /MediaBox [ 0 0 612 792 ] /Parent 29 0 R /Resources <<
/Font 1 0 R /ProcSet [ /PDF /Text /ImageB /ImageC /ImageI ] /XObject <<
/FormXob.b1201bcf0191eee53a3a7555ffe47082 3 0 R
>>
>> /Rotate 0 /Trans <<
>>
/Type /Page
>>
endobj
14 0 obj
<<
/Contents 39 0 R /MediaBox [ 0 0 612 792 ] /Parent 29 0 R /Resources <<
/Font 1 0 R /ProcSet [ /PDF /Text /ImageB /ImageC /ImageI ] /XObject <<
/FormXob.b1201bcf0191eee53a3a7555ffe47082 3 0 R
>>
>> /Rotate 0 /Trans <<
>>
/Type /Page
>>
endobj
15 0 obj
<<
/Filter [ /FlateDecode ] /Length 698
>>
stream
xœmÕKkQÆñ½Ÿb–-]èœ÷–€©FÈ¢jéÞè1µÔQF]äÛ÷<ó„äÐVHÞ¿sÑÎâÏÝþÒŒ¿öÇÍ*_šÝ¾Ûöù|¼ö›Ü<æ§}7jS³Ýo./ï†ÿ›Ãú4—›WÏçK><t»ãh:mÆßÊÉó¥nÞÝ
¯‹ükýãºZwç÷£ñ—~›û}÷ôÿ³«ëéô;rwi&£Ù¬Ùæ]ùŠOëÓçõ!7ãny»àûó)7ixßR¹9nóù´Þä~Ý=åÑt2™5ÓXÎF¹Ûþu®M7¼çq·ù¹î_®”׬t[:MZE§áørŽ–¡ï‡ãÊ㎶¡CûÐóášÀç´· }Ãk–èÛê»îªþXõ¼êEÕ÷U/ߺ­üm[uªZªÖª­j¯:ª¾©ºò·•¿­ümåo+[ùÛÊŸèOCÓ_Fiú~ÃD¥éOøýe”¦?áY$úË(M¥é/£4ýe”¦¿ŒÒô'<÷D¥é/£4ý ÏTèø…~ø…~ø…~ø…~ø…~ø…~ø…~ø…~_éWø•~…_éWø•~…_éWø•~…_éWø•~…_éWø•~…_éWø•~…_éWø•~…_éWø•~…ßè7ø~ƒßè7ø~ƒßè7ø~ƒßè7ø~ƒßè7ø~ƒßè7ø~ƒßè7ø~ƒßè7ø~ƒßéwø~‡ßéwø~‡ßéwø~‡ßéwø~‡ßéwø~‡ßéwø~‡ßéwø~‡ßéwø~‡?èøƒþ€?èøƒþ€?èøƒþ€?èøƒþ€?èøƒþ€?èøƒþ€?èøƒþ€?èøƒþ—
ñ² °+°ç^wÐæÚ÷e=
ËpX<X9û.¿îËÓñ„»ð÷ÔŸmendstream
endobj
16 0 obj
<<
/Filter [ /FlateDecode ] /Length 19403 /Length1 36672
>>
stream
xœì½ \•Uú8~Î{Þí¾w¿pÙ——M@Ä=½  (
!¢XÈ"˜±¸Ö¸¢i‘)˜fJ¥¦æ™chִتΦÖ8Ú·©lû™3_g2…×ßsÎ{/‹YÓ4ëÿóù{{ï»óœgžóœs a„-CådONH*è?¿?<¹G~ñ¼¢jåãÓáϯSQEðP„¸,¸×ʪgÏ»gàü9ñpžž=wQÙÓâáþ*BcŽ•—•˜>ÅgÊ<ï•Ãóé=¸o‡ûÈòyu ;ÅAox{æVÝ:¡ mðþÝyE «ù÷Ä{ÊzîÕÊ¢y¥¡UŸ„ûV„n“««jën,GÓZKÛ«Õ5¥ÕÃ¥?ÁåÚß!$”#Ì[ðCH€ëda Œ¢ŸÉ{¨ŒsF‘™ç8þ3Tyã·¨ó†YË#Õ”S–^‚\H½qCôÖ¼ñViþ¸áÜ@ú?Œ0;›ˆvµŒ=å€<Œ(" Éèïûg@
2D3² +²!;r /äœÈù"?äP
BÁ(…"…¡p"QꃢQ ŠE}Q?‡ú£x”€Ñ”„’Ñ@”‚¡ÁhŠ†¡áhº
D£€ºT”†F£1(e ±hÊDãÑ”…&¢I(å ÛQ.šŒòЦ¢i¨8}ºÍ@3Ñ]¨¡Y¨• RT†f3¦¤ 6t>¯ }hÞ
weðøxÒÂD«P=<y
ŸÀk¹þðl7ºŒNCËt‚ìãØž€öç]ÁyèÀŠ½ñPIä?‰?Äçòmügü)4˜¯åOñ…|-N&OùÂn8†’×A¦ogÚð¨%_drŒÃ[ÐäÙ‡>Qx€h àâ«ÐRn — N¡­ð©‚÷§ðv|°;ŠW¢³èÂsãÐvÐãWàÝ_ÑJ’Ç--JæÊÿ7Ö)è¿Õ‚àÏ‚6h\?xØÃX³Øw0é/œeŸËh)Œœ‡vŠm¢·£PŽíƯávq#jA§Éär¯â#ø=ü8Ô¨s€¢F€½•öËð" ~–PèܾïC_ð…Ò,€ý:¥Æ<ÄåEeè DÐ4¯"kSú6’Æó ÐÕU‘4®– è êOšQ#@bôŠƒ…¿BÏmü‡@s#~€û+:Eƀƕñ—€× ¤¨¡ç%Qà ‡Qœjkå¢2KZ]·OSß*ëwÓ­j“ÔV”Ój^¤¶Ý¸‘3
Z… V%·òQ~×ËûÇMÈ™¦¶v¦qCM/Ï&OƒKzáyúöŽÚ*DÁ™…­jq¹z¿íþˆa÷ÛJ‡‹ãP™ÖÌ— ;Áb%à2ñבxËÂRŽG ÇÏ´@¶3ígÚ½ìaö¨0{X:jI`Ç'Z³d¹úç1ì½!mã ëϹ½ˆÇ(á$ë˜èæ +‘†\}‹[D×èÀùi¢ÍÑìÙET‚ð;Äú)R?—Ù˜í—ZýÄ ýhߟµ¯·ÏwÈ»ŒÚ;—ÆTÅäô¿+ÆÕ?;&±ÿ¨Ôߣ°~÷@¿zÖošÞ
è
0@?ƒ+4; 1tTÏÚÖÞøX8'M‚¶C ­„*„h\Sk[h(mÍh°Q¿ÊÚ÷ÕÛóÇX{ÅahûDÇ(3rXͬ=ð§sø!àÛ–â HTlgÎœLr²¹lÃ]Ü]hçR "èŒ nÊ9ûС'm']&Ù`@²$KÛ ·$Ø:FÈ¢m„ËD8žðÛ0‡»·Ú@Ðs„“
‡ämÖ©ýÙƱví؉£‡¥„E ¿¸~ÿÚ ¹g¦Ó›}_,¤øÞí½Ánu%ö3ñ¢YE|_ŸÕ¾G¼ú!›½ÖÇ› æ`5,Ú GFËb°ióé/ÛPF¢­ãxÇIÛ—Î\²]*ð.j—lÚÙKß¡¾C].«`­’5Ús¿é~³¤ˆŠ¤“bVBͪf
çûø›ýCýÕaê°°‰¡ÕÌ°Ìð9¡sÔ]â.i·ê7Ïð8(9ÉÇׂÞ>¡8NbDxŸè”œœ4(e`ŸS#ÂE§=âèW¿ÿõy²yÏ°Ô¡» ?<íZ“™³>µnáðÒ; §>µY^yÏŠ5/ð÷¼uþó?ȵ… ·÷šó`Éþçýýv†ßuǨ¼‘ƒ‡7ܱtðìêu+¯o¤ŽžO½7 —UB+ùåœ, [Ç„VcÞ´# 2/)Ñž4”1¢ãd">ŒŒª1ÇHfD%;#ìÉvApʉ'¼Ÿpjšp¶óíQ\ÊÆ@¯“}Ül ¥ßðOy´\æ /Ó1yZ½òî€8:PÇj´W`¼Dì²&\†C¡¡ÚÐbø…Ašív\µ‹ÜCåúуµ!ÑWx Æ
E…®FÔ ñÁÁßÌ5øzYöРÀ_§·—Ãn³˜MÙãì?Qµuœô¥4Ž83bDÇú}<©=))Ñe7b#g4ÍÞ|€=Àá8Œ„q˜W2ÁŽ/v¤„±ƒ÷ÕÞÏÃQcÊqdEËl<D{<Ô-o™­Ÿýx¹ö:.ÌÓ^Âed•v4hEx‡V´U;¸E›…·Óc ž´ï€…öi§ùy Ïa$ ]SÂ9жhÜ'†3•`Ä%Ä&r±± i^v[¸ËûŠ†¾aç»ÚG\-Ø#î÷YkC}ï jË>Jˆà±‡Û K}d³ &RY¨¼*† ­&-ïŽ ­V&¹¨Ñá;âÊÅvª íÇÏ\lO:n£¦âjjû€‹D0cÉÆ)Ù,_Ú}‡vø/ Âq‰ÇTË}íº~§$;áÆ íÌ$bg6ák ïûp‡JpÅoç”ý¦êý·²dÆÉ“Ÿ¹óãw?~·¤nñ=.]¾D;ûsýûr¥büVäþæ'Yþø9øLßx^›qhÛÞ׬á­æ9Óò ÏjÙöÊéÓÊ©n
ÔÇJ±Í™E@ö•ŒÖºEZ£úDõ±FGF§¡‡M!Ç?à÷p¤ø°é>Žõ1‘F‡FˆÙi1˜­aæ~@³u€q Î<j0wPÎÁ—7ý²Ð/3ãßÊÕãíWÚm—þz‰²
4Ív1éʈ‹ì‰í’Î5áKzŸÀè½}tWä£{àWÏçQÉ8«Ç;á7S‹‹§N).ž²ýè µ}¡cs~ñ¬©S‹KÈ€–Žé-¡Û½°cÇ‘£Ü†M?]ÑÔ´beÓÒ /¼pþü ÇÎsEM+~ºiÓO—7/ýæÿDóù^üýùcG/è6¼â‹|2 D|ÊÕlÆÓj»Ãn\­»a528}œåÕ>>NðëxupH0Zm@!!Áj(bW¼0;âçm÷R$™
v//…ÃAú+ÎÏ o¼éÓ4‡Ñ@D¤„§EŒ‰›üú5EoŠÜà·Þâ¥Ä-ïpF[BH¼#:Ìb·‚Õ9ml gÚÁs3æ‚6R…¤æüÆÅ¿~
üµ½AuÔ—þ×ÅjAWÌ^§ÞÏäoi1}Òõ´ ü 5 㮃’Q¡ Êùû¢¾¸cècœ‰
ðteŠczÀôЂÄÙ!KУh+ÞÂm–›ŒM>Má[ú‡Œ“l7E›bü¸@ƒ¿Ñßäoò‡&E£hkˆpôõêëãLHnèê5*i¼!Ë{3Ã?;)O7˜¦8
¼î ½+iŽ©Â^˜TÛ7¢x3×$l“¶É;ä­†G[M%µ$µ&
f`fj 
x$œ,rŽˆ¶@ÈAzìIÑ£”SBÞ>øÏwL9Ór×îLm îž&5•ÏÀ¾åWþIûåêÕ‰IÿÓ6y×”©ÛÇT¬N"n|ÚïŽrqW NÔüTÓ~¢}¼±`*özoهţîñÄë‘‘‡TMKž
qb®b±b°KÁ?EËy$ø[ "Ú!@˜]BŽP(T  -‚ÈÂ=.°Ü¥Uû3·DtÀ|l°Ë*>6[Ì"y)Û
`*ºÇ³²kêç.&Ñ é€ADÎéíðèÃ¥ t æ–¬^±rUKsӦ͢ãSmägŸiÃ?ù#~ãàãí0ÞN¯Š
•Ž'adtð^2‚ñF\é†ë•ìãpzsRÄ GÊ@n'€ljnYµr¥èh×F|ð?Á¯ö~•Ñq7ž¼6hG“\q6³ñ&ƒÄC%[»i‹‚-²I!ÑN0á·•7¼Í¢ÃvfÄŤ pø2÷Lw‚ëñvx÷‰ØŒ¥(`›Ý ˜G‘×´-xö0­µFk†gk[†áœœÃðêk³Nh
xщY¯½Z|N0ÜÎ3=/ðàG#\vdÀÛ$"pNù*¢S6Ù.t@4¥ñâ œ'b;KÆSÂìä׿óôžÎÓ\ï<½^ìƒy%FÛo8ðkHÙâv´R$<öG~"°îÌIƒƒ“p/ŸÞ¹<WÛ¯½Œ],—ÿ€[Ê­²FÛ8ÈåyÛ…žÙ<Øù ·r'Åû<|€1 íóh%GÁƒ²QLìˆó§Ok­ÜHã2½ìïòF²r‘4n¨(‡0I8΄
ÙÛ‡ƒæä}WA!¿™§ûÒÈM=1Çå%¶8P‹iƒc½Ÿ!ÈB‚œ~€Áªßi¨HÄáœÝæHN‚„…‹NBvÛ„onݶǃÿ{ì:6h__¿®}
BŽvJ; Ç):ÄÉ-Z­¶ZkÐjñx tˆ?èUw9ÓH ϵË%ÔbCÅ Hž°ÑvÆm
˜ZCûq)IWèT
HÒY‰•çf ³ )QÉT¤zSúß±s_;®mܵ³û˜~À¬’4¡í®hÿ€@âd Ÿf{ܾÉÜâ½G-²ALP‚|mD ¦Fï£÷qÇRÀ…°z¦ýå—Yðdøô`¹ð%n
²1ŸŒ]ISø|!_ZÌ/æ6øK<âýù˜„Õ¡ùb}@m`]Ð
´ÚEÀŠÀA{О@;¸Ã( #eÌ2pxRÊHÈÆyš•ˆ¯å^éÈF&M|jõ]§.>3ísì~‡¿veß¾} ð†aó6g.hN}r@Òç¯Þ¹«:Xû#£ȼèAÕ®xäôRVBW«^-NsÔ¢nŒØ ®w>ëä…ˆ·PÕD¼C
b,eƒOž‡Æ`¸_¦rí!³±ð¦'aà
%!E¡EjIžæT|XωE?œ¢_ô"ŒÚð¤ökíó™oÎÉ{kÞKoÙuàpÓö'™üRMíÛŸbÓƒ$*ôøCïÿ9*êµ?mÚ½ ºvIdŸCªú›ƒ÷>Mu»ä¼ôŠï·ÜŒÍÄŒ1§!b”Z`V±Ü€M
eÞÄ|¯1Ï“™(agF€Sbû"õP]yäÛ Þ·©PûaÂ: 
´Ý$ÜõÁýÈ < g›²Íù¸ ×ãÅd6ƒ0
¡'Ûé…ú"jÖR´³gßîœ)Du|LNu$ïÑZpákLFÛAF%€{0šéŠà$ûj[p@‹äÝb[kæZÐrózigˆoVHLÄ[î)[b£6¿D͘Ú1H;®Ë‡:!;å:rBFßS0TïÿΖ¸iq×p¤vFûjækåÓ_¾ûgï¼ó³ÛÏÎîÓ¶ZµKÿû'í/ªzb@âámÛGöa~¥ðof~%MsEz‰È¼Ú„Z|Ä– Ÿ]¶ÓÚð
Aë£Lᆠÿ¯ Žé"s5;.v«Ëû:Oq§È)þ„pBʆp0gí™|bpÄCJ„JÝRX’·sÍŽkàÀ†¬G³Þ:m~ðî± ]þHëÔ.á˜õ(~ô‰Ç_xáñ'Žr‹Ú"ûhÖ¾š:CûêŸjÿËÕ,¼+D¯Ðî*¹ˆ¨Øå'Ø9Â;~C`pð¢·ã,®&|ËS!M{&Ÿ48HH)p9¦qX$ÂPaœ0›´¢VQáඇ¼ÜùÑi¬u& gó¯-h*ÞðxãqÌÃF»¢ü€ÃÑbKHÿdžõÑO&ú™"û9#ƒ¬ðäàέa´ Ð~åx»M¯'è6Ë±öÌæi¶™Ìòy‰™mDx$ä_^ž ܺ‡vízè¡Ý»´]+6 ÿó¶aùÃOj_ýµöõÎqV®Ø¸qÅÊ
Üë[¶>ººak¾zpÙs¿þõs˪áo4žûüósoࢺ+êàðäö|ÐäÇô&B
õÇ«‘‹²‹oAk}B[l|ÖGIAAa^!(<<ÈÌÔðD¨Oµ¿x´Æç¸ÿ«/¾ôrð«!ÇC¥}ŽcŽ/ôf0Óq‡—;±Dɺ®„÷Á€ fm›Ú2ìàÜ?h×±í#˜GصgµO²¶á‘n
]|Å‘'¶þñSìÂÛíŽn³GŸ(M—Aq^ã#XÍ!ÈeWò»!¼³²†Ÿlƒ\$‰F+z§âòéÓ4Ôóš^G ¹ëo@Q./È&¤íüJ´¦.ö
ÂÒ4J{é€X6ršæ#ªóœ''9‡f
çMtõ嶞àmóôÄaAÐ6QHxZ?#{ħ$Ì¡H>´º=IO+Ü3þËîÙK8'NÁÂùëWyùš&p䲶AÛxÿf7þ
¥ã.Γ'Ü|0C:$nãEP6Oꪎ‚O¢ŸsGá\ÓÈ{.ïsçvܳ]ýÄmÒ0"lÜ-݉Û‘ãpš(@Ê)ð{ðS’ÈE|‰r¨òn¬õCì½R0EŸÉ‹äòa-a·–pÏc2Ø×
zI@/K]ý"C {ñÈ{µ×[“ïhp€Ù ðJ6ðA _Ô'À+ŠFõÃ^,ZBºØÎ,ÎþXÞpé¯Ú•K¶Sðˆ¦¿‡+‹U½–å7
÷ŽÿÔ ­0S’`²„NœxýC¦Oš¼rnösE3_™ÝöÁ¸éÓ¢eQÔ4¼akéŠü‚”™
*3F:äÕYkóó#êùŸ¶MºGx|Hjr%ù™ˆa¯¿3ìͲL¶îOÜ;ع?rïàÑ ‡ègŠ è“éè×7&3¶ í ràJG¼ÁìŽ2ùÌqúèË3oØ^¿”aHKDzA‚Õ"XÇË“I½ˆ&ÞxD;>.ݬ“B'%L5‰'ßÃß`j±}Ü“À”d½$Ý'’òFŸùðtöè+Rg­Oã}ÁƒÙ`úvíÁ{—<ðÐâE\؈GgïïwOÏÞ6¼ñá]£\åÚÙÖ%>ölí¼
ìýØòoʧߧ{äˆÖ¶lÙê5?YŽs_<ƒï^2![{Uûœóo|rçƒëwíÔÆMÌüæ­·®MÈZÙ©ú|ðìÝÇrV®Ku•i?e‡ö¿sÊçM½½ªhöÊûîÙ/Æãï[Úp eÖ§K´o´_‹”ÿ¬öÍr½êJEv˜ €éÑ\Û¢ ;9"A‚*Ò‡;Qdú²©‰æ0­²¢¡AP S>®× /žiwô,,tä/=áH×ûƒª‰ Ò¬ØÊY%«lEÓÐ|TÖ#ƒ„eN$Þûsùx—cšË¹…x>w/©áH 弆[fz„ÛBšy_=É¡³ F"¸cÚ%.J[ò 7ô·k:ïZsV°tú“×úá¥Úr¿Þ†XÚ´Ë0‹T!~Eø£&ÅÐäXŽ›”Ÿ…Ú2çå* Kào@A>Œ:!jB4ßdI7«`
M<h
*`.§«J×ETXφ7â1O>öØ“Ú1ÜoÓ†
›4#ÇvmÙ½M»´Ë×;?çÞî|¿aÝúU\™6²ªæžêÝ/?»ö oõÄ#oý”®kDƒðGƒ\æÇ-”&;~àÁüíë$3Jô¶PÝáH¯®%²r€ÍQÜyÉ ÁNK×]öÙŠH»Œm­ø¬lΗ?Õ~¦-Æ«ñäÕ_
³ÎÞ5S{SûvN{sæ]§ÇÃ;0HïËlø(´ºùïr¢&pÐ&s6 þæ$lv¨3
bÍÁB/Æ0wì‹
cçXŒ7^/ª}¨ÐÒ`œƒ¸Y+×r´"!áúì‡ãqöÝ­mÖ–i?Ñš™O¦r\ãéèbÏ5¡årÿ3EÀ òSÞDYræøñ.y% 5Ãè,÷to“ÖÎîÍΡÜÕŽ‘4µÌØ×ùñ¾.ø߀b]7|þg8pE®“EA[=AG¼M¦wVs9­ïP¨ãöuFnYÒÜ)
u©HÄM$°Iv<n?àl²lׇp(È>Oöó7Ú ¹nï¸Øq¼K¦ÚæÒ¢XÍ\[Š¼oOùò¯i‡9G½öi‹ö„V×á™c©ªºcvIû{aÇÝ{Îâ
»;—Nž‚·ày¸o—ñÞ]…Ú/µßh¿Õ~å¡]Îxçò–›¸Ÿñh¹"áÂö°¶ƒe#.ÂEâÁÆY˜Û“õʼn·ßáþçw:ÃþÎm\ɵ~”ËnØx#«#Ä?žá(8Vܲ±U6Ófµì2'
za«QØ!ˆ:@x× Å7šµ2LjÒ\^FIMB+Zndq¨Å^0/²
å!…mv™sÌ…æFó3ƒmÝs·ß9õñÄQ«+a ÚŸ¯ìk~µ‹'sX½à+WŒl‡ŒE²‹òíÏ™&CòAÐ3 Q¦Hu-aÓ¹´ÖÔ½(àq†4…9(ê öæ0Ïd.Fˆ‘sƒ„òX.C-Oáfsó¹ÂJnÐ(oâ•?ãœà#ƒHü%<³äGb„~b_i?H$¦H‰¦TââÓ—è’\¦Y¤f³¥BµiY'<(6J¦­ä1ñ1é0ù¹ô:y]z¼+}N¾à?þWüš\¾ãf܃fÜÌÁaÔÇ2©nÇ|g ÐþÚ™Le»–[Ð9®ãcîWP—ÝP> 5š˜Ñà 2 ñ´f¥¯—$º ‰RŽ´Œ,ãy]iÀßáÞë¸ X~vŸC  ×@b—d‰³cN¦'¦Há²¢„"Aƒø‘
ðÝLm‡zkÊw:ŸîQíîJéÌè`µ…r>ŸÐ'ç-y)}¸>*õQTe ”¢Tp÷rK¤EÊ2n…´Byˆó᱑xá@ãH´cˆG|¹ÀP*Ï1Ì—|€4áG‰7›Kãh=6‚r÷Ç÷᥸ÿëÚÒÚÒãÂÙ™\½ÖOí@<ºöa—ž%3¿³È"ÙiÍyF ¤
"–¸ ~äöAz)5­LvkÓªPê’\‰ƒ¸!Ò8n¬TÁ•IË8IÄщÄ œ)NÅÓÄR\!.WáûÅ&¼UÜa´1¬ÁEÛ™À±k>®]îœØ^å?¼Öÿðz(ø¶ÞÞ£†×ä@Mz
ÏßšLü6?†^uQɬz­»+öM¢/h˜\¸€±vãjk´7´×iUÈÒÚ´O´Oµ6<à@<n§v‡¶ÎvðN˜à Ù‹øX,òBÃ\~‡h8rØ™ãi4e§áÈ[÷ZºZ°*žËhu†:G9ïr>ãX\êŠß<Dî~À¼Q{`ëÖ´!ø­ëÃëÚ;BBç¯nXýðîÏ¿ÿQçÊ íª›Á(×Õ×nã¬Ød6Y°ÙlJ³†˜sü€9æ²]ÿ@Æ¢©‡°Ú#‚ƒUòz°ÎK_šèf ׋£°råý°›Î?<œòó7ßfãµ_iïs–]¸ˆ2‘1µC{Ð×ó€—^(=ëJ<Nxì0áIyä$¼³ÉàÝd^nä‘Ø!Gò±Š¿?oå­™ø`Æèã”Óv=ö ìv°}=‰Ó׎\!,\ì…$`?‰w"'öæ|ˆ/…¢pׇD}¤>rƒ2â2pW.Ôóõ¯5âéñ)t+õùzÑÕÕ~l‘\¥iX—XÉ©KFž:÷‹ñë^x¿…QÇÊεÚÃMMsÇ|ú‰VŽ—6Ïê\+œ}÷wå²;/5¬\¹ŠÚ$­W?òF?q08‹‘
œ¤p¡¡!iŠ1$”wbä|Ü{“_“oB›¢ 9 QŒ¡
ô·ô—ü½ÃclŽƒÀ/Ò®¸>ßèrQ=×ÙèÂ$G3‡Æ&ÄfÇ=—c…‚Ð[5õÝ´z«=y×®çì^üÑ{ÚûÚgs¾Z¶¤½ægǶ.ùèìû—Šß ;_<hÙüâÒPÿ~çŸûCb¯Ó3Öü¤òÞP¿þ/?ýÆÅ>4Æ^»¢û$4Þeugî‚ôÇ%ȶ3;.2;JJÄZZ_Y}IF²§¾ä… ¡È.$T²\†jÃaq¯|ˆüW—Nt^‚éÚYZ]Âè ø”XÏŽ\.™³‘ÐdYo@Ër2"jª£;¬³%0ÝÁ$¹³L˜È†z5zíð"4¬èS8pdº¥<qàµWœÐ>CøDûœoýåÓ§/“uwj´wq_IqðÌDô¼+š§qžØ9¢GzB÷EÚ1Fi„ÇÏ :Bd„žù8áïˆ392ÕñYˆô%cù±ÂtrYI$IœÌSìÍðB_Ô÷ábùX!JTå!('s#øÂ`qJÇé\&Ÿ)Œ P¾XÆUðÂb4¦E‹øEB½¸L~m`2d€ù7¾óÓøþýo;ßßíËFc’vÓØŠ—¸2…Q€xÊ( .ÓÝ"
¹`ï‚;äš µ!SšqÈ(›ŒŠAÖ÷%d¶iOJºu°í:wM‹½9QàÈ«#DBÔÉ*‰J7QHS\J7‡»[˜­*K¸¥Ü½ÂRa™ÒÌ5 Á2pð¢@7ªb‰Ý“ ÈÀ+Š Yˆ“wÊþ&EåÃUT%UŽ0D*QFÕ¢ZFpÃH
Ÿ,$ʃ C£L‰– Çs,gÒ à¦É.Ùe£L4¹,.Ë4b¼)ÇRÆÍ&Eü,¡P,”
åC‰Rb\rXÂ-$ ø:a‘¸HZ WË MKMK-«¹²†_+¬2Üol´læwXž±ÜA#,•R„GŒ9 nzèÇô딶Vßýªsð—èùíÚe}ý³+//s‰f^DŠ TïÌq-CKnX&Ë@©'´¦åLsy³4Õ`é²\ f%ÙÚ»þsyÃ+ É^B[á_MŠ$^~×âúsšÊ¡sÚZÁï9§{ëQrÇUnIç*L}FøŒÏX,ÞäŠqgǘè‰p ªHrMfDNâ]xÉÀ¼‰ãûM)T]Fœ7—Â%r‰ ¹ ÎŹ—|;w»p»\Êý”ÛÈÙ|p UúàX2!.æ¬d!©Vv(tA„0®ƒÿáÏáíøÑs—O[¹²Ž?Ã,ðM=‡½øÊr°‡\,ÿ”iÑ=MP9œÆÓ-€ôú’–?D}ikºÛ»
ïržK~R,¤—zJ6N6Ä(#£ c
*2Ž%ãålãR —‘
¹Ê¸€,”—w}ÜÅyº@‡Ãjù¦ŽòæõÛHkÇláìÖëUû¶òºÖû§‰Þà·‡»¬ü^ñ ·= SW2É]•A6/깩€yÔŽ“Il]ù
+ˆÒznX+Þsù²ð¿éhdð{­ƒÏ€'øƒÿÆZ0$/x[ ¦kÁâF
ëM¶W€âšè²‘½ø @qE£yѽ5ΪoÁ¢»Øî+¶5Ž!ˆa* “®J›öÕW¢÷ÕÿiùFZ¯%{„ó̇û¹pÕh¹D0èü…“ «“ cn¥&ǸзµqÚ¸·9xçi¼N«çúS=nׂyom?Û‹ö‚ßçm´–Y#öóÞקíolÔõe™[+–AÛ.>„žãÉÌÛ.¸wh¸«VväYÙ‘‡^v¤Xà*°E;*i÷ãù@&Û/Ë/Ÿ…Ž¹¢ýC¾ Úë+±ØÕÕ¡GƒŽD´Ù×ûš/ñ3dc(‘½ÓûSNžÿ«ëd“WèN Z÷µÓÄËU™œš¨&†%†Šv»B\¡.Õæ
Ï Î É ÍQsÂrÂs¢«£W7„4„6¨
a«ÂŠn‰¾âéêéäéPR†U‡T‡V«ÕaËB–….S—…ùõ\+»
AuRÃz•–¹—>Ø¿¼jË‘¶¶QÇÖì?ÑysOm.<œWúÒôÿ»Ì%—-™U{îPlVçò}eE¯<ñâËŽ¥ëâã÷EGwÐ|•îsÝ úc„|uˆËŸ1Y
Güœë­m›ý‘Ã1ÖÏ$Ê,'MºÂj éJÔ†, i !€§gýPÅl1•Zù䩇{vÉItãÆÉ%Ï;r„K8ñÙg'ààrKŠ´cÚUø+*ÙØ`º¯Ž|2ôG£\h5^Ã[V›×(Gìüß6Z¸s˜Ñ8ïô[ÇEOáÎFKò¹D§%¶Àe
¸GÒ—ì.à…» xä³Iå<÷ÆÏå<6iâ®ÅôÇâ”'ø”ýýú}|êÔÇýúí‹Œ‚,؇E°¹ÝS=0´éü
8,ÞGy½¥
o†tÉÜX»Ã˜ÌL,)©‹_Ç{ñ‹–y˜8963ñéY/'O´µ
{öÞ÷>Ûù&pnÏà9ÌÍü¦}OIƒeøŒ)ÒœnºñZ
üòF¨Ú ù¿aµ¼FpîÅÂ~Áʹ>(ÐÉÉNÖô †âq÷&Â+íúâí}.vTpupKð¯ƒ/ £Ð(<Šå(ÄI r!N©BU¸Š«rVfÜCYÆ’èîò(¨€ÄØ.ñK;šN=?çÍYÅ¿¾[»¢½‰c;>ÂR·kÍÖ#næô—Þ8ð@ß8< ÖÞ?¾ùÐíÔ/$ﯽP+H°a“¼WÄ
h³E<¦p^ ‚l¶³¼©ŸS¨S6êNÙ®ٖããwèÛŽ“è:[’ƒ%º.gŽ³ÅI§€d0֓ꈔdj^ÜÕÖâ‰8AûÍ‘ÖÖ/ŠÞ[rÊ‹;Èo'½ð4åµ–ÏO^Q þ¦`ƒcµ—Ï+9Ò'¢-ú˜áˆõÅ€à>þH65=–­ßêêpü¢®ÚY¶òZÑwYß–¾7Y‘¯ëž›Ü†ÝªâЗPÈ»š6íÚµ©iW›¦]+ÚûíÛs~hèÁ{ÙÑñË{mãn{ëÂ…·Þ¼páÚGÚÁ!ÏÅõ}ñwÏ‚‰®v›U¼íq‡\£„ñw X¾ ,ö6ÓfC®1‰úÆ 6íg†?‚.AÓý_‰ ¬a×Q¶Ó
ÜÌñ%m÷ÞÛ´ÿÈ‘´çê_yƒÛÙy'·}Çö—vv6ˆÞÛKK¾¢6ô
¾Æ¥kŠý`fôÿ,:Æ XæQF×ÚêÅZ`°uíÝX­‹-µ¾ÒÿøÂë-¢÷ïÆy-ŸÁ3"+ã
2r²¼dÑ1Ó³6Ù&ˆÙf,›P†A¿Èöã»×Й` »Ëžc/´WÛõ¼=õL}À'ž1 "ºþÝ—·mc¾@nƒ±ˆ4±ß]×<†6{
›2Êè]ؼø…M[幋çÙ‡‹æb…~r>´\Ë-Vpk…å\³°Y~sÐj&g$ŠC¢yZËì'¹Lå¤Ð´–¬‚ ú±QÚJ6KûÈSÂaéué]ékr™|Í_æh•’)i¦
2=z„‹úcçîîËo½;*ðÇW:÷sï½Ý² mæ(5]ûÝ\f›àÙKyYu°DïoÚݼ’‚ÁnÂÑtWÑað³"1XršxÌß&!»U–Å»lÍ òƒ°ÁJ!íúªëˆ¯°‚$UB—WbdNduäC-ðùEä7"
 •úrkOÝìVR§®¤±é/¯xæ¥#5õ»Ô,x`÷‘#£Z-~š¬½wþ_>¢*ûø6ª²Üö'ýÅ“
Ù³îE]ò.¼Ð Þ6sìÖ6sÑc3‡
¿rr7[óoX
MF÷ïõÌçø‚ÏñS­:¬·‡3ý¦=®ˆQþKÐq©´T^jXª,5.1-5/µ,µ.µ-µ/q´ø_ö·÷ÞÓkk`í¦ýO7mÜ¿ãeìÐ.]þ“ö¶“>{ûíÏ>ëÍ/¶ioiíÚ—à̇‚ÏöÆCXl<
~q'àHcãHW '6¶YÖãɱ`ˆ‹cY„ì‘MØ.^ô„G—AáñŒ¨.æ¸S‰^)Fí‘#Ý™7Ä“_ìé< *ûzäøž©Çî.¿Íðóä:mÖõ f™ÎXÈyzDo~oÜ„ß·¸Ýœ.pGàOÌæj»#ù°¶¶®Œ§ó@0^²ï›¿zt‹ŒüìË{‹F°#i°´ŽIŠS¿ 
#Ì7BÜ>sêC9^;¼¨Vy~âãQ)_2>43nÛSÀ©£«¼âƒÈ!‡ýÄKA¡ÊŠW9Ö›0^4úÌ]—›ì.ËMî.ËAîµ–÷^í\ëGs¯¨¶îº\n l‘dïðôŠ×™^u9ˆo¡É˜£w]ÎS–CÑÔ±Í R‚ŒA¦xH(âŒq¦á†áÊpãp“QE*Žäb”c_¯ïg_Ÿ˜˜ÐX56,2zµ²Ú¸Ú´Úì pœ¨ˆFb"fb!Vb#þ$€;*ö®Ø¥±ËbŠm‰½ë³¿{n.ÞòçRÀ=²nÒžék×ÎÚ4êø®¯7ýµ¹eo­X_ú´ëéGþð˲Cü¨11yy®Ì0Kß-k·Žˆx)%¥àö 9QÖȦÛ÷»÷
¥û³°|A¶’½ÈŽÉ
Š¸ –`sX¨¯`IJ’{Ú«o`„ûŒcifâí3œæ)}Rh†bÇ ðmÕ„Ú_<ûDCƒ°]{µ±³eí¤­;~Ë6⑺®³ß2?å
³Ø nOµ^ÁǼÛLৼ“Àce8©²ÕõêbR—»ªr¾LÝ•—½G%Ð=Á¨»úY[Ûègë_y ÿ
åvwíØñÒNnÉõ–ýeÅ—ÉrÒB˜G^wEß\ËHk"­eü‚– 9,ðH¢»†•ókï<º‡·k~ý7
…Øõà8nGë\«¹eÜn''Ó ÄÀjâ$€ïƒhq#–W唂‡‘a|¢LkW™$“ÏƉ.9åãRÀçÈe¨ W
~¶P.Êõ¨/!Køza±¸
­ÂkÉZˆ¬«ÅfÔŒ7s[É#ü#Âfqð”Ø*¿, ßGzjU8â¶×ðL<ó5íÎk|aGÙ½…éH>° xdÂte
SôzâÅ@¦Ðzâ”TOüÅ-ꉔ‹Zít¿Ž£kçŽQg$å,Öœevoíñð÷ï.Cb×
óá|„p%EÉä2… Å¥ÜÁÝ!LQr”J®R(S4 K…n ÷ˆ°I9Æ~ɽI~% œˆ¼QPd£N&'çO|ø!P4x&ºzÁE“0>JÃ¥(9Ú©„#LCÉ ~<”Ö¹q$ƒwñiúZ­<Æ0Fc¤5G*Ç|.‡¿]Èy²!O™b,F%¸”›CJù9ÂqŽTi(2Î6UYêQ=^ÄÝGò÷|—Š‹¥¥ÒBy‘a©a‰2ßxŸ©®[6£Íx·‘lãèªÉÙ•ÐlÚaÙÜNò4ÿ´°WÜ+=-ï4=cù9÷,yAh3üÂrœ{œäß1Äô?ùmŸ~rîÓOÚ´óçþôçs Íd=®·æŽ9 #ÃÁŽŽñhW†@—3y;á%zxÌabç@ìvh©Ø
¦'£*c°ƒÂ¤)ylŒs_I˜<
bíÚÚe׋p«ë.È·ûÞ´³J|Û
Qx^ àJå6~€2…Ÿ*MSÊ”ùx1?_ªSàW([øüféaå!e7ÞË?Ãï’žTZ” …ðØ€1€8§!ÀQ†¾FÕ< %ƒ…­7'š3I†not™ ¨µr/Hùr¾¡À˜c®2/ÄKÍâMÒÓx§Ôjþ•ùó
sÝîÄE°ê˜%_¢Ý÷ÓŽjGÏáç´šs8Çò…t¾‚Û´qÜxÎG»72_¹õeV¼Î5ZY)²ZìVd5ÛMfDO¯Ì6Íl4ØQh /ZŒÇèoEX«lå­F›G2c»±Ûú}Æu÷ÚŒ½×ÂßMÖ(|é›Dy~YD‚,ˆÙGñ5ÛÌæs¦’­L2O7LWæ(
æeæf‡‚ °4£ÅhõÅNÎÆÛ_ÅÛèm
°X£Q$D^•W…X9Æ¥D#MÑæ¾–¾VÕ>¼e
—È'
C”AÆA¦!æ¡–¡ÖD{*raç".Þå¶À4Cº2ÖœiÉ´ºìyèv|;7…äð9 Ÿ) Ÿ©†©`…SLkŽ½ —qåJ…¥ÂZh_"/´,´®E÷VW™Öš×ZÖZ·šŒM¦­–­ÖƦ§-O[[í¿²`¿a/Y
¬OÓFa¶Àmœ´éÞs³ò’ôáºÃ-kñÖq«óøI›È\=.Oƒ<ë<ÈÒ€sÈú~p0—4y/:Fö
2ÁˆÇzyÚ¨oôXƒû·^ÌJŽ'ÿÎRuõ‰}¸±\¦$e«ÑÊýdÕ8ˆ ”_éŒ_£å©¤@¾ËXˆ ¹2RÈ
³ä¥ÆeÆgŒ½ŠÕ÷9YÜ¡Žû¸C¥|ណó÷#í ï ó±H´À5Ðßê4ŠQ†›3Ø(¨a÷Ð^ü²Á¹×ëÙ(“A"}üQ°"xqÞHõ­X…(ªˆ¬ ­ÿ8׊è]‡º÷†v´§“
È C»vÁ!”Îhfröü(®
wWUؾ`š+ó¾#¿Ù;÷ÁÛnk¼{ï7#Ç<GeÕôü^zhÓû_m®k¬mºüþÆÆi\}ìAÿÀ·]}`¥×‚ñ1暎ç1z–ý’ÏÆþýr`Ÿ|Õý÷Uzò¢Á5(4*ÐÇd•N+/¨ùï
D{#^´îµ?äà´bHÁœ„:Gƒ©òQ]鯋›Ux3IÀ7SnÉý£:<¼q3dp<îâeH7‡úÞë§L¯ªš>e}ƨožšûàÈ‘Î}ê›Q/å7^Ýö` ÿƒ]}pjãÆ÷/7Õ6ÖmþêýMlO5>-œ'P0ŠpÙ°-Є¼øm^ÛL!Èb£[ëlg:δÛ^Ö%ÅÊžÑ}觫pìëC?€¡p¾â¹¢Ê‡‚d}tæ´ý³èÝFE-ÎÌßKÌ3œçˆ0râäƒÙé#ØeÍ1ß2H¬hcuœ‡é
÷/ytJÆ%H(áeÛ…]Tt-
éÎÎÌJø7¯s÷LEØ}õf¬Ò/Óæžft-Ãÿ–0\vjB…B¡X«¹j¡Z”gàdgÝÍÍ<qB[tâ„h{çwïŽ÷ËÃ{—ËÌ£_Š\Úgô?¶EÏ¢n¶ÅƒöwblÿNŒ¶_Þ-:Ý‚ÜEŠæ&E8wâ„þ»I gfÛï÷~2à.눿 PÝN¿Ú¯ÃsþúÝŽ,Kþ »ûïA?ižŒEûúÝk·[
ÜŨûßþ%‚à?CKøOÐ=bª!xÕ
:Ê­O
Q@¯Ã³í‚/Ú'm…v·¡å\2z„¢V8vòÝïÏAûíÜǨÎ繃8>„£Žmp”ÀAá4±Žup,‡¶—áØNax~Úø5P|„ûÐÛB3ªcálAoó[ÑÛb2ÜóèmîNzÜhFÁózxþ´é€3ПÖÏB#<óF
üÇ7® çÑA
– ÛàYœï¤´Pœáü&ÝhºöQÞ@ߣ|ºÎ÷ðíèî7(^ïŽrCÑ+ÜÐçù'ôké:JŸS~Ò~´÷ýP‰@ƒ¿¿Ö¡|8§×|2š&øbÄÄ<=ëã£÷ꀅ£!(ÍE+ÐVt+x;|~͉\
!ùO0N¨^ÚEY “ÄiâVñ·R®ô†)ÿT¾ldhQ¥¯’«<¨´*íÆi&?S³é’y˜y±yŸùŒ%Æ’oYl9hÍ°–[?µ
³-¯ÒÇÞêˆs”8v{ùx]ñÎðÞã”Cœ3kœû`âø¹ÏO|Þï2Ë÷¤ŸŸß½~m~ðñoö?à°3àJà˜À{ƒâ‚æí꽪ÎTOªæ‡m »>Ó­ÛsHê‡Ê‘‰íºßB5˜wr>p¦¿)½}'¹¯1äÉ»¯9ä߸¯!BOýš‡ëaîk™¸B÷µˆn¥ûZFv·~mDÁ¹¯ÍŽÇb¦»¯-hàðYîkˆßq_Û?üuóè–ÈF§×ùàîkÉø+÷5çšûšG>\¸ûZ@~\†ûZDÞÜ<÷µŒÂ¹Ý×F4Œ;î¾6G
#!îk *vÕ}mC>Ã7»¯íHþªP5Z„jPš
®C*ŠAÅ(ÎI(>Ép5 Z¨(
ÚÔ¡Z8jP)*BóP<ÍD•Ð>®RA÷æÂ9· V-»+…s)ô™ß%ÐRù£ê5cÑ¿DU ­)EÐçïq ~ù¨ZCÛ"­”õ(b©¥¾«¡Í,€[íTè_£±w殪^TS1»¼N)ŽU““ÕY‹Ô´ŠºÚºšÒ¢yqjfeq¼š:w®šK[Õª¹¥µ¥5óKKâ•ouD»æÍŸ7§ªr¶šVTþÇ”Î)ʯW‹Ë‹*g—ÖªE5¥jE¥Z]?knE±ZR5¯¨¢0ëMâdF`-<Ö;O.ª„›4 ¦
Ý
UUwÿ°.?¤M>ãv-ð¨Šq0 xžLë^ù¥5µU•jR|òàÞ nt«±Ê4]¦unóŒ[VU ,ªŽ#&÷:Ú0”Ÿ7Œù#úVÁ¹$YÊàÕ0™ÇÜRèƒÊëꪇ%$”ÐùõñµUõ5Å¥eU5³Kã+KáuF <:âÑÓo[}Gõ®”én)hPZm©¦þsôB oA›rÖ³ÞU3ºê˜®S®Õ°Ô:(Ôù7qòf:ºí«¾—}}5tÙ­h×u ®zríÛ–® þÿÀGùAÞãŸï³n-ïnš+à®êت…ó¯ï†gU ¿… ¥,‡Á›Ç u[S霽+uÓ5›Ré–zœ[ôÑtÓõ=ŽáUŤ_ÉúW»-V¡
 Ö¹u¬Â­E †ÎiÅ
³Žaq³>³vT´µŽ»®Ë¥ÌàuÝ ï¡%áLr´o ;×2¼Š¡O‘›>…YA1hè<¥Ž½ñ𧠮æº-)¦ Çî¨×¢ø×þêÚOGìæ }Rͬ¦F(f½=Ø”0
꘮͂·uì­>†ò=#Ĺ­¹0«gPtž,`:PμR›3óسžyh¨é¥•:¶õŒ‡q=¤C¯ç1yê²Vzx÷tÄuÑ™À<ˆÊ ëö Ã®psµ·ô¿Ÿjçtl«»4ºŽáÕ­uÝ-`ü˜÷ƒFðXCóê•n
K{ŒX¾éqìL91Z3xzü¨Ïu{6„ŠÙØ% ã
7¦Ã˜uæ¹±£ç´Šy†nôôEÝø¶'¨„öunk¨íÕÖc+ÝëézöSÍE s…ùæÞº¦sC%Eß#Ï*U·ìç±s·ÿø!²¨c‘ˆFÖ"7Eñ½8õ}})O¹c>:åyñĭIs™žÖt=Ñ1¥<-é!óžZ牠E,"V0Ÿ1—Ý)]•0L©¼*{pcv¯¸ªäñ¡EL{tÝõŒq3jÿ&M,7ÝVÄdôÃ1è=ÎÍü¸nqnyÏeý*¾Ã›+]Ò©a~¶ˆù•n¸ž'µ]é±—›£G©ÛÏ•2*<#-`T•°þá·ˆ‡á]tßÜCwžhÞCËt›Éº)¾Ìbö^Õ×z·xôd>¼­¸ÇJÑBÆçJ·%WÃG^EÌ£–võè)wå––RÎ<¼ÊεnK™&}—žx|Ý­|w •Lî=ùu+®*=8×S†?ÖVk™×ôÄênkóXÍævå½!V3¾¾g»%¦ÇCªUJ—WýWzªï¦j–ÛFêÜñ°¬‹SãP:'M;:N6Üå¡©Gæ²w™ðL…<.ÞäÃýkÚc˜\RÙú>œYãT¸¦³ÑK‡‘ ßv<¡°UvOï&@ûI‹öMGÓØém2`
×öDxšçtw;Úc4<™÷ôz,¢Y¨>ý›ÞyÌvh?Š‹Žiµ7V™lDfá.às¿¥?<“Á£øDZüˆ^Orã©s.—A§<¢)ÌÑ€Q»£O§À9ÚMfüLe4ëØNb4dÀ{–t†. £Ñìï”°ô/˜ç1.БòÜ-ã˜)=cXÖJÇ,Û-ezÝ
%ÞÍKÊÿü®‘'3ú³à£2úóØßH§²Iø¸ÝË P¼Æ)Œ¾TƇl6BkG¹Hù™Õ¥q¹=¤2šñ‹Êb>†”Ê82ù–”x õ”έ´Céa,£/q*‹µž |L‡ö™]Ot}Ìd´ŽvóZ‡©ë½®Y=¸;šÑH%{;ŒšîÖ©TÆ»ÞTP9MeøwS¡K Õý=ºϺ¥?É-]>ylä¼[pe*³ÅtÖ*•Ézr—d0ûèÆ|J—†uû€)nýÌî¬7=väi÷C|‡Ë3vo Žaú”åÆprÊ÷ÀÕ}W:ĵb6Ï©ëòÛ½#wϬ±;í™wÆõðµ=3Ý emçÝÔ®û©>[ÒcV÷\§gîv«¶gv¬çòž¬·;ûÐ}·>'ê™õ–°ü\Ïk»²’*Vue& ØÛî˜^í®TõšçÑ‘‹XìëË‹ºaéyeËèhµ·àæwG(å[3ÃjïõQ°ë:wfBé«w·¥Ïß4öÔ¾-õ–2ðÐr«Ì¡'ÿk˜¼«Ýs©
ÆašOÆ»áÖ Ï¼¬›'”zÝmÞMRïÖ>
mº¹ª@y0»æ%Œ×
ÒkxtL…ù+Oë?_uúg׬ÿ›êAJ¯zÐ͙׿®¤Ü²¤þ›ëAʪõÎä‹{àÔ]ëð´üaÔ[UX”ÿX]IýV]IùÿëJ=êJ݆ÿoÖ•”^ö?WWRn1[ûo¨+)·¬+uSôï©+)ßS/ø÷Ô•ô÷Ö•ºWþ™u¥n{ë]Wú®èûÝÕ%}~®gÿmÕ%õ®.ݺºñï©.)ßÃ]µÿ»«L
Ó±og3ÿþ*“ò_\eRnª2uÏuÿU&åoV™Ô[•Iù;ªL꿬ʤ0äÔñ [Û©ðþßW;Rn)óÿTíHùVíHýÕŽ”ï¬u×€þõµ#åï¨}ÜmíÈãY¿;¢|»â£üˆŠOÏ*Í?³â£üCŸoÏÙ~\ÅGéQñù¾ºÃ?£BS÷-ø.Ô]iPØ8ô.¡ ¶A‹nU£›ÝºöÇ©1µ¥¥ê¬Ò¹U bãÕ°±-^;wQuy­Z1¯ºª¦®´D-«©š§¦Ö”ÎwoóŒÁ6ÒÕëéz£(Ý£ç—Ö©:j]»ñ”þßûOùö¾½¼åO½iäŠZ¥H­«)*)WTs·ZUv3EÉ)­™WQË6ÍUÔªå¥5¥0Ö욢J =h² p¬fviœZW¥U.R«Kkj¡CÕ¬:àX° H-¤hYW^êáSqqÕ¼jhNÔ•tàrie-p/œ±$<€•¨EµµUÅE0žRRU\?¯´²®¨ŽâSV1C!²ê䪲ºÀþðX†IMiuMUI}q)SR„U̪¯+¥8(½:Ę‹çÖ—PLTÔ•WÕ×2ó*ÜÑjtVØúZhOɉSç•Rª¦ µåq=ƈ£c&TÕ¨µ¥ h]¨ºÉ¿ihŠ€­¦Œ®StÖ±”ƒb}«CY}M% XÊ:T©µUqjmý¬9¥Åuô ¥¯¬j.(%¨¸ª²¤‚ÒQ;LQò\Ѭªù¥Œ]‹]JPYUb¨ÕŸR©Twk€þN­-/š;W™Uêæ VRԋΪJЋu^UMé-ÉVëU—–Á@ñ:R½ßÎ+ZÖÝK*Ê*¨¢Í­Õƒ ZTRÂ(×YG
´¨ðªŸ[T£ÐJJk+fW24fë¶
¨†ZÚÃOíÍ#Q
ÀV4÷ÖÜ}<xtCô*ç.R+z¨¹BÉ©)¥ÿkhÖ–^ÔRFR¹xÌ£t®´†uZPUSR«†wÙa8ÛóB §fÎX’ÉrÛˬR°$
µd@y2¿ª¢ ±Ò…u`1jQu5˜WѬ¹¥ô…N;@¦J·PÊ‹êÔò¢Z€XZÙ‹'T뺵»D­¯,q#ܪÂÓ)ü>©ÖVÍ¥VÍÄF…T¤Î¥ÞlÅÓ°º¨øî¢Ù@Øae•BUõïSª^CÃKç–Q¤Æ¥«Ù“òÔÉÙySSsÓÕÌÉjNnv~æ˜ô1jxêd¸S§fæËž’§B‹ÜÔIyjv†š:©@9iLœš>-'7}òd%;WÍœ˜“•™Ï2'Κ2&sÒX5
úMÊÎS³2'fæмlÖÕ
*3}261=wô8¸MMËÌÊÌ+ˆS22ó&L@.WMUsRsó2GOÉJÍUs¦äædONcì¤ÌI¹0JúÄt ÎÎ)ÈÍ;./:åÁÃ8%/7uLúÄÔÜ q*ËsUÖ$°jz>í<y\jV–š–™79/7=u"mK¹3vRöÄt%#{ʤ1©y™Ù“Ô´t %5-+]Ç
H•š91N“:1u,%Ç3m¦“ÓÍ…v>)=75+Nœ“>:“^3sÓGç±–À{àDCwtö¤Éé·OÐÎ3Dœ2u\:H…ÿF3Ìù“€\
'/;7¯ •©™“ÓãÔÔÜÌÉT"¹Ù€.•gvÓ€)ÀO*¼In|©Œè³ok´¢½ÝŽIOÍ€“)ð@éÕ´+}aqiuÕm·q뮑¹QÝwÆ1­Õ¨ðØJ0\ý»„°–Å¢Žîݺ6
Çqºëeî´"‘îzKæ—‚¬¥®¤ªF©¢ÎdAE-³tóªô˜§ÖÍ…Á µ"Ö
|eÑ\èVÛ…f/ƒR<Á°º¦º,¨©¨ÕÃÓšŠÅî0\ãµ›:J·sÐñ¯)­­†(U1¿tî¢xh[Cc䢲¬ªfž›tƾâºažT¡NÍ€—TÕ)U5³ãUEa×?œ:ýП<üsò EσÔ)Ýyú#ó åÛyÛÉ3Hµž˜q‹µ;aQþ‘\IõäJÊG®¤èrø—åJŠn°ÿP®¤üs%¥;WRd®¤ôÊ ~D®¤|W®¤þð\Ié‘+õ4ß^éÄspÿ¬tIq§Kê?”.)½ÐeóÆvʤTV©ÿpʤüSS&Å2©?>eRnN™Ô“2)·L™Ô¿'eRòRó'ŽÏ¦h§ŽûQÙ‘ÒMù?’)žìHýG²#¥gv¤þ¨ìH¹ev¤þ#ÙUÖ^†Ò•ø(ß™ø¨Gâ£|â£þ€ÄGa‰OïÜáo'4užö.4(ñpŠÿG~3˜ÀêvwÑÀjg%lU/ž­¯Vóޫ…ßÿ ÄwW$T€³Z_]^àö˜?ê·œDÿôŸ éèÿÚ¸e®×5rÍ›|E®&‘¯›É_-ä/¹¢‘ÿ‹"?5“ËQä«ûS…¯4r©™|ÙLÚ¯‘?^#ÿ«‘/†‘ÏÓÈgù4‰|rq²ðI3¹
/N&” |||”@>ÔÈ4òAùoò~3¹ ‘óòûûȹÈï4ò.4÷>röÌXáì}äÌXrú·Âiü6üF#¿Öȯ4òKœj&'O„'5r"„¼“DÞÖÈ«ìÂAäur\#¯iäU¼¢‘—5ò ¼¤‘5rL#/hä¨Y%ÑHÛó/myþð áùÈóËøÃ?ÏpÝ ‡]üÏ£È!<×LjäY´(!?³ýOG ûKÈÓûÂÓQdŸƒì¤÷^#{4ò”Fvkd—ƒìÔÈ“OX„'“Èòx i&-Íd‡F¶?f¶kä1Ùö¨¿°­„<ºÕ&<êO¶ÚÈ…<¢‘ÍÍfa³FšÍ¤ :55“M-¦²ÑB¾F6<ô‚°A#z<´Œo|0JhœA]üƒQä¬_/¬×Ⱥxr?y*Y»Æ(¬õ&kŒ¤4”ÕÀ©ÕQd•üT#+WØ…•Ya'Ë5²L#K5âºñ“ûî~¢‘ûî#÷–%yNaIY¬‘EYh! Ld¾Bê5RwÔ^#5×È=×HµFª4R©‘¹aäṉ§ s&“
”ßGfÃM™FJ5R¢‘bÌÒHÑ0RxÌ4¹C#Ó5R0M
®‘i
™êã/LM"ù#OI#yN2Û„É~$×›Ü>ÞK¸]#9F­ImÂ$L´‘,L€742>Ó&Œ÷"™Áf!ÓFÆ™ÉXd4“ôf2F#£¹þÂèk$í:¸42J##os#½Ém#¬Âm2b¸Yáºa%ÃÍd˜F†jdÈ`oaÈ52xMìM¥…A6b$CH²™$
0
I`$‰ F!ÑLŒ$¾¿Aˆ·‘þòÿª%s#„¡ †bŸË660˜ûú6$tµü6 é‡Ú
H”i¥Yiöt¡,œ)=ÅÑšÂq´öήì;š]‚ Ù
a°Òœ+ËÒ³x3×sÏ,fª
N…É›ñ\I.Œ<Cmj(dº”å „¾Ð¬¬ÐÕ¬ÝéÄÓâ(3±©;Ê…vJKhª­)4úÔ=5tŠPU^=¤T„àøÇ3(ÿ•_ð³Ñÿöendstream
endobj
17 0 obj
<<
/Ascent 759.7656 /CapHeight 759.7656 /Descent -240.2344 /Flags 4 /FontBBox [ -1020.508 -462.8906 1793.457 1232.422 ] /FontFile2 16 0 R
/FontName /AAAAAA+DejaVuSans /ItalicAngle 0 /MissingWidth 600.0977 /StemV 87 /Type /FontDescriptor
>>
endobj
18 0 obj
<<
/BaseFont /AAAAAA+DejaVuSans /FirstChar 0 /FontDescriptor 17 0 R /LastChar 127 /Name /F2+0 /Subtype /TrueType
/ToUnicode 15 0 R /Type /Font /Widths [ 600.0977 1000 633.7891 612.793 611.8164 787.1094 684.082 837.8906 629.8828 600.0977
600.0977 600.0977 600.0977 600.0977 600.0977 600.0977 600.0977 600.0977 600.0977 600.0977
600.0977 600.0977 600.0977 600.0977 600.0977 600.0977 600.0977 600.0977 600.0977 600.0977
600.0977 600.0977 317.8711 400.8789 459.9609 837.8906 636.2305 950.1953 779.7852 274.9023
390.1367 390.1367 500 837.8906 317.8711 360.8398 317.8711 336.9141 636.2305 636.2305
636.2305 636.2305 636.2305 636.2305 636.2305 636.2305 636.2305 636.2305 336.9141 336.9141
837.8906 837.8906 837.8906 530.7617 1000 684.082 686.0352 698.2422 770.0195 631.8359
575.1953 774.9023 751.9531 294.9219 294.9219 655.7617 557.1289 862.793 748.0469 787.1094
603.0273 787.1094 694.8242 634.7656 610.8398 731.9336 684.082 988.7695 685.0586 610.8398
685.0586 390.1367 336.9141 390.1367 837.8906 500 500 612.793 634.7656 549.8047
634.7656 615.2344 352.0508 634.7656 633.7891 277.832 277.832 579.1016 277.832 974.1211
633.7891 611.8164 634.7656 634.7656 411.1328 520.9961 392.0898 633.7891 591.7969 817.8711
591.7969 591.7969 524.9023 636.2305 336.9141 636.2305 837.8906 600.0977 ]
>>
endobj
19 0 obj
<<
/Filter [ /FlateDecode ] /Length 694
>>
stream
xœ}ÕMkQÆñ½Ÿb–-¥èó–‚IL ‹¾PK÷F¯©%Ž2ê"ß¾÷™G’K)ôüÇ™ÑÌâŒoæÝöÔŒ¿õûÕ"ŸšÍ¶[÷ù¸?÷«Ü<æ§m7Jm³Þ®N—£ásµ[FãróâåxÊ»‡n³M§Íø{9y<õ/Í»ëáõaž/žËîøñfÿ¼~?í×¹ßvOÿ¹dq>žó.w§f2šÍšuÞ”?û¼<|Yîr3þ÷}oWýx9䦎ѫý:ËUî—ÝSM'“Y3ûÙ(wë¿Î¥öŠ÷<nV¿–ýåÚIyÍJ§Òí$)º¾¿Z†¾w´²oÑ6ô|h¯~'ª¾ªúSÕ×UßT}[õ¼ê»ªïß:Uþ”ªn«–ªµj«ºò§ÊŸ*ªü©ò§ÊŸ*ªü©ò§ÊßÒßM¥é/£4ýe”¦¿Åsié/£4ý-žQK¥é/£4ýe”¦¿ŒÒô—QšþÏ´¥¿ŒÒô—Qšþ2FS¡_àú~¡_àú~¡_àú~¡_àú~¡_àú~¡_àú~¡_àú~¡_àú~¥_áWú~¥_áWú~¥_áWú~¥_áWú~¥_áWú~¥_áWú~¥_áWú~¥_áWú~£ßà7ú
~£ßà7ú
~£ßà7ú
~£ßà7ú
~£ßà7ú
~£ßà7ú
~£ßà7ú
~£ßà7ú
~§ßáwú~§ßáwú~§ßáwú~§ßáwú~§ßáwú~§ßáwú~§ßáwú~§ßáwúþ ?àúþ ?àúþ ?àúþ ?àúþ ?àúþ ?àúþ ?àúþ ?àú/â² °+°ö^ÑêÜ÷eG
»qX<X9Û.¿®ÏÃþ€»ðþu’¤5endstream
endobj
20 0 obj
<<
/Filter [ /FlateDecode ] /Length 18454 /Length1 35568
>>
stream
xœíý \Ž¿ï¼3sfæÜ®xDA4¼äAE ñ~á (pˆ‹fjÚ¶Ý3kMS³¼äš™k¤®™©YQÛEWÛ´23ó›nm‘µýÌŒ`ü=ï;çp1kÛ¶½üÿŸÓ̼3ó¾ÏûÜŸç}fŽ!Œ2£¥ˆ ü±ã’S§L\ýÜùö %UÅ5Êh£öà’yõêõÏõ‘âra/,«™]5•›ûè¿}v傲£™¿_ƒÏï/÷—š¿ÅûcP¿r¸ayÚð\»áº[yUýMÇSRàº௫ô–¿¾ï½ëÊ‚ÇèXUñM5âv±7\ƒkµº¸ÊSûȧp
sN¯ñÖÕ_¹MAè¶ôyM­§fQñ¦Oàz$B†'æWrû‘ø¤ €ŽÒÏä]TÆF‰‘ç8þT}å/¨íŠÒ­(Gª)¿,«©H½rE Ò‚ðZCþ¸á+W® ý#ÌÎ&$b…µ–²»ð‘§3þ‚?„d¤ #À5# ²"²£ˆ‚£Šœ( …£‰¢P4àƒbQê†\¨;ŠG=Pê‰z¡DÔ%¡d”‚ú T”†ú¢tÔõGס 4
DƒÐ`t=‚Ü(
EÃÐp`y64
F¹h ÊCcQ>º GÐD4 M~OEÓÐt4ÍDE¨ÍB%¨”1¥ §á2´ý
ÚƒÑ&ÔB¢#*ƒ»ô¼¢fx> zÞÊߎ á\ÅoF<_ÂNx7BËÅoÆûÑ>tFߊ— #…)´…uIx%dphæwò·ò;¡G_Æߊá˜Á½Å¯ãòGù…hÅ çÒâÖâQ8­åÖâá؉‡sGЋ ÿ!x-(¼)¼‰N 8znGó9ÿ “ñ$¼F]B—p4\¥séøþ0^Þ"“­EËq\íGGïóèkTÇT´\8ÁõN —ÑYô.ÜGhæàIz '`û
mEs€3g1'œƒ 1|w5ãÛ¸-Üe‡9Øp4psñâÀÌ‘4M†Âqí!œÀk‹³b^ýè¶æiæ^æöÑi  fç¦q ¹µè4Þ÷ÆÝŽwðE†Y|8Z+®å'¡ ”7è-îð#Ÿñã^t¯Ø]âEôÉÅEüVÊ1ä^SˆÐ*<ÊpPH´4¡×1^Ô7è%‰‘hOÜ9n±Ÿox:ÂeYhÛVà½hÚ‹ê€ ÝŸ5ˆO8ŒU[#çÊ)mtß0I}mrLïÄ«.UAmDùæêÞ+Wò'ñáÂäF!¢‘¸¤FÞwöÇží8:’º÷Èî›U4nŽ›Mz·á~ÖpöŒÎÚ(¸à¿œ¢Fµ¤\½ÇvOÜ€{lž½©¦k«ø2a3xŠÞ6î¾KÂÝ’›Ž7÷A¶ãÍÇ›Sí1vWŒ=¦ŒG­u$¼õ¼¶Ê`¹üu­˜ {˜jÜhø·`>†áضñ%†ña4Œ¬6t»ü·SÓÏ4éÊÇü+bŸ€î`ÇÈf@°ß}!žÝÞ?ð¥ÝrT81ôêÃúl€>"ë3Õ×ç8ëcS#9ŸýÐçeÃ\è3õ)ܸ©»åP6ôr;68ž}À±>´Æ±$´Èá
Mq U¦÷aV
‡;ÁðoÑn+¹O¼-“xbÀœˆÛñAÍ©}Pò¹Öæc'1˜fVž¦ii¸\[-œh{YÖÖé>àe²LÊë(·UÀ÷óñÏ‹D²µ¶~@Y}@§`{ÛHùo~Àé®Ã¹$” ¯F»û8ü»ˆC Õø»(‡LÐr»9:*2"<,4$80Àn³ZÌ&Et­ ƒTÛñÃ!÷AçR‚Ù|ÇLbÓHŒ#†íqlOa;†›dy–ŠOc‡¶' GhE§‹´ËEgŠ´¿á‘ÙÚy\P„óµËÙ :µ%øVmÉ í»ڭx ÝßÅ'ð­mÛ´ `phƒö6È/"AOðøuî!Šè
µ‡u3FöâCE91ŽV‰+CV…® _”¸â_™Œ‹Ø£›]& Äð@‚’Å5Õv¼©õxÈ ÖAÇ[›ìðPØÔ ·/6Û¾¹`Ï€- $C‘‘‚ãHŽ·Gá{|NïÛoNsÀ•ƒÞ
‰ÂŽ Ñ@ì8Ú¯‡ÝIø&¼ø3oÝç b¾|ý›ñ¦Ò×<🪹øí¦ãó¾š81_{÷°8pû‹=w?¹ëuù“¥Øp­g² {<ÿìÞW,d(ø¬ôôg´ÏðСǦ
½ò±áeð­Fˆ›áÓP‰;=ÜætCCÃ]èQSÒ£±kz<&>jZ°:"l]_gŸ^á2²,YûHÑr/Éêêkû ©Ⱦp‰ÒM9a;—zqÐ9vÇv!<…Á&|A÷ɱ8VÓRû…ñ©Á@v\lw`¸ñ´˜N×!ú‰i#òÆŒ™;fľwÞÙ·ïÝwÛ\§Éï?ü~Ù¾'öÑ}d^ÞÈ‘cò¸ò…µu ÖÕ.ÜúÞ§NزõmÑ|òÀ÷ß?pàäÖEµu‹×Õ.Òõzá•ÅÍ@w”‚û¹'›°Ùh•%Å*ÉRbï¤d¾WŠ'Ä[ÁÛ¸Râ%ÌóÆÞr⣌ì½Ñ³>ò±°u–Õ¼ßuÑ óÆ”n‘A=»™#Cx,È!=ÍvS[ksÓñãͶW/0eОÁ4æÕs—þ
㘮„dèܲ|ÍöðN ­É±;¥xŒ¦»+"+±ò²lU,F9Þ˜Œ úñN9R‰4F¤¸P²’ltu¢
£!G<:e
žÂ7LQ¦Ç÷˜–4-eRêÌÔRTÁÍ6*”
ci÷¥©‰²Q‰wÃâ{3Œé))QéÑnn”1'>§ÇD<‘›fœ?†TÓñt_ûLjœÇÄ[pœŠ@pý™v§¥‡Ø“p“"aj
²ìO¢ñšôþîoõ–`—6iVŧ¿Ñ¾Óž_¾©gíí©¯Ì±5Ìø>gÝ6X}*9£]Ÿ½£zvn®v°*{8vœúÝÙ9és©}–’4°_ìDííäù#ê6%$€”ÀçáFæónß–ñàï"Уut¸Ñçâ £ö5á!6›©×E›
[ ˜—ÑÎÛ,à!›R¨Ûµ1¯Û@©u^{wÍïV¬Æ K—.Ѿþƒ¶á¿ùBxú´6@O›µ¯¹Ë v„ÛŒ6‹Å."bï‘ÚìØ/ ½/àâ ›—ÂNX½âwk´¯/àWOŸÆ¯|ñ6äÔ)mØ·:ÜAoí(ÛÝÃf6*²W«˜$"üÞn²¬ L
‘E;Á„CVÞ(›Å!M©ÀÂüåFS*üG5›±ÁŒâ{ãþ‚=ÍîâEm•«íÚ¦íÌÅyì°
á_üÃŽe{µ­xÒÞe;þ°lž¤mÝÃp: kˆS¾$ÖmCò„Œ·8E4ѹ[5º_g8|˜½¼Å)m—.´o»ØÜv35s&
³J;ÍeàÛÀS9Ý&ò$Ú*ÒÂ@¸vü°y!.ð-\þí‰R|›vT»B.ŒõâýÜÇÜЃ€g¹§XbÀ×;R/WßvwF;­óô-pt.‚ìÏ¢­FWšd½û[4Ä‹éºæÊP®™éXà³h‡0Inbâ¼x8é8ÎòaÛßO '¾«¢~fäÉ>?ç”·[ÉvÇ:ëêPl
ƒBa&¦ ç¨MÁ¶î`6v5lC1*²³#ÙQ±hÑœ9ÎXwH{_;©Ân»c7׌CÏŸ×>ÕÎú)Õ–iUx®Ãõx…VEéƒ5ŸÀÎ
êáv<·CXf@;d)T #(TÀFàNs“NqêE~ÅØÙc¾Â…Úãx*®Æ…ß7c…¼2‹#¿O×.1Þm‚õí /ÝëN@‘¼À‡ààÐHAà]B(²<`5nXÇ£§¹P‡€,R°‡[ˆÓöÁèFsá¤ç¹rèºÉM›© ÌhŸ®º¸B;ÜݹžÁ=CA–!4$$$4ņƦ£ôôСh”jŽ¦cŠ9f¸i€š¦ò4Èry܃߿ÌÅäd/k˜òÎÍ¿ÑnÆ&œpË8RŠp|vè-Ã+–ŽÉÅ#{õn~ûæ·Ÿa4Þ
¹ã ±Êu÷BŽíò*åóvQ]ýLÄöÀƸuâê„à@g²9ƒ»Û‚ItP´*G%ØZÏS7랟‰øÍ´oÀçƒåѸÏÇÄv§‰ëzát½Ñk²ïáGµíÚ¾ºOn¬<1{ÍãO<¾vÓƒ÷ßsËôƒ3j?ª„ØsqÅ¿¸òÃO\.œÐ¯ÿœ’²ŠËS§O˜Ñ3‡©ê ‡n{‚żil­Zf4Ì­â31£BÌ.DŒ†&ËdlR o“xS¸@0ÝæT&s4
ð …÷Es™&jà1⨚ع¯µ)xo?qB{¨m¿ºm9ÙÑZ ýMû
Ûð(àãc` °†ƒÕù`w,oˆ\¶Ý`[e_´Ý°ÓÌ=–™WG‘X„C‚•hd‹‚Ä‚§í‚Ï6þJÙ¦$¨M:(s#eÛIr m^âdp48Eû£öþ’ïÞ|ªø¾ï·¿R8¡ÿÄdÖ¾¼øµv¡O*NÎξ»aÞ]½zSþ,üâ„ `«ÝPwt Ú,n0­2¯´m]±Úe’ÃœÄæ ‰îæ¢v{Îv¡‰¡GÅzá*ÔN™ Öc PMe¨êÆœÌ÷À_™ÇƒçÍÜš¿ýmèÚ©ç±S{U»¬Ö^Ä
8köKÜÙÛ|Ü­¹w¯ö÷é£]<ù•vß+p-~B¥º öwx*¢,wˆàäÇ; á\°“@N02Ø>Ðspð~]²±‚ñt·Ñ@„î$daz`ŒÇà˜»yOÛ>ín.¾­pâä÷<¿<ÞbàOóeq(5ÅoGâö(Ôج<juJ¨C6naÖžaŽîrXx< ³vé–>Ž²(ÀŸ"^l>G3ŸŒ®sÑô¡[Œn«ºy¨Ý ¡ôwvr¯WÖ×Wέ­ÕÝu1[qؽw­~\â‡À¾wùºdÚ”Y³¦L+áÖÍ«®nh¨ö6,IضäÀ«¯\²-¡ç>üøã8€ÇO.*š<yf•ý Í²ÕeopnW`;’ߺ¸Ý¶.xµ+Âe A±af&û¦ÖÖs:!M~ƒî¯ëaH†b!òË;¶;ö㙶µ`û!ûðµSÎkŸà lÀÝ°[»GÛWq/ñ”R”•Åà ^ ïÔTl|ÿï8V›§­Öî×&Gsn»í7¿ýíon»Ùóy8äñElá¶p[Ñ.~«(`XJÂ,:T_Ì£Ûy\¡=Lw¾H[¬m€ÆàÜ
±–¡ëO—;P‚XKî.…ðl ¨0`,‚¢”y} /Cô¥p}˜·èpi^0X8Åÿ t3Úmhš"?Š»
4
bQ³™sàt,œjDšZ4#G´ÝÚž|´Õq<‰ã…Sä”V3z‚Û#>ÁKæ‘ÄÒV8`Iƒm'ŽBjÑÈ©Ï?øâ‡øˆäGÿG¼Û à H;>é˜"Ä`WÈ‘­O³Ö§¼ÅeØ\4ØA$ŠA#Ýñ‘aÇ‹N+º/Êö u¥icನ{UQq˜É\°5qQ8–­ãÓhà  ê6¾€`Gó°¶,ì³R©X1$аš{E{xèwFzÑ„ö—-xmúEŒòf¸‡÷ÔeŠ/÷)X2k@ßiIÙc‡
ÅzöøÓ ³™œqýèÞ/Òª‡îÔּ°ß1¨Ò=Àd%}SrǤYCr8ÙkMK‘÷:){­Ïöï¶×ñì°åyi}sÃÄPSÏ0Ô3 *!¬GN@ž }çÑtâhMôj‹ÜÀ8v«é‚
|vªÝ·Ü¡ÇÜÉ|1µŽî¾EBzš¾ÚïÞÒ̲ëQˆÈÇÅv‹×óî~Ý€t æG†TL™<gî”IxmÔí“·¿ûÞS“ozkÑýÎÔ>ÞR|ÊC¿Ÿë)ÅdÅ-­“ç.ÖN®~NÛ»téwÝr »û#\½pômŸön<¾ðþå7/X¶L›2bìw¯½Ö’?ⶶѯ?ZútÎÍ¿<p–öúWjߗΚ=#SñìÛ/Æ9 5^¼è®§6Î:‹öwí8å«‚-ÍíF‘¢`ˆEA‰”ô€¶¹Hž`Ø¥HÂ%RVxž¸íøe"§È’ˆ,HÆvF<½ÉW7¡£ûmé ßjР{ðNwhz´4TIV&(eÊ´/‘–ÈõÊ=ÊzåØŽÂvF±Hr´É%õ”USŸ-ŒFÊ“Èd~0Q,'|™0[,2Õ£…øf¾AX(ÕËwówwHwËkøUÂJi­¼GzN~½‚_áÞ4¼$O¢wð;ÜIà é}9™%^$³ðÙm[fj‹¹ü&— -nÛŠ×Æ6í+áDK/ÎÅP»&h?ä$wï$XѨ(ßí
@ÏYŠÏ…-“Ÿ a1e²Ê¡á¼G™‚6C°“Ä€ÿM¥eB»¿È¢›l)nÅÚb“cócy<ûÒ*{ ¿¡g] ° Ñs«€©3fL=ñõ
õ
ÿÇ\t—ööNÛ­ÜP܇”‘ùycnКÚêf•k 8g·—–½w\8±ÿhÕæSÊ nL_àDÝa&›Œ‚‰²ÀĶC^GV‡ö6!±W˜
V“þ$_k²½¢c²;9|f8‡§»ØúYOô•3µj´9]¬Ý«åâݸañ_çÌ=V÷çææ?×›[Ðÿ:¼{pÞx]íÍœáÚåO?Ñ.Ïa>
ø*f0¾† $·’—áCÁ¬ ¡·- ËD_y€÷ñs/eg¾+…è+S
¾§ù»Ë_´}ƒWáB<f~EYYÅMZ#lsø­7~væÃOq\q½G»üÄ“Ú·žúbÊÀƒ? xQŠ;ˆ?$ä¡eÒ! 2HeS“_~){læ|s Àµè¶Ÿ·¶Õr³ÛÖp›¿?IÜií3Ø·Ñœ>Ç›0‡Œz¹íís˜M è°ô‡kŒ]À·×–øA·Ýé“m óó£Ý.gX°_¼aÏE´ 8"*ÜÙÇ”†’{‹½¢`.HñiœlbË9Ø|¢¦ÒÞ93ØëÇæ“5ßUÖ4‘ZÐÞø=ø~ü›•Ø¾`ñ·‹þúÝW§ÍNøœ›äÍÎfB¯ÀÈÖ®|ù…¦Ym8–¾4a¼.1~_ïäIy´LŽÚÙ̓AZK²
VÑj°Jùæ"àýz³r÷ñ­Üu´ÆÚöeQÛŸ¸ °áÀ$䛓ÌÖĉϢ9:¬ŸG7Z G7Ú
§Â2!÷u“õ5ÞcÜB¾@Ø û)TêΕeZƒcD™î@#‡ ‡„—Ð2“ ‰8Xd¸ÿfS³oeÅ7»Ap+˜*ÓIÞÒŽä
ºi!LµV$Í8îŽßøqodkã[!ó̃ eÈ¡xQ¢tuíak ߧ݂…`ÑfDrÉhÃT2I˜nð’ÙÔwŠå†"Ór“a‰¡Æt;‡¸ÍÏ¥r¥¡Üh©,LfJE\™P%Õp7]"Ý#,“ž’§3–ãXTaã½ð m}ˆS‹jÛÁ¸~†‹iÜzËmÛÝÎwf[
q©Îó8˜ "‚³¡¼>çOü(0f6ßçÁ°qêLèÏî4ÒÏ ¸~˜“è‰p²"ã~Š"»Gì0
²D8,(b^éƒÀZu׫󤩽néH’}aeë‹2™³JV9šs¢¥hÙ¡ôâ†p#¹±\®!W™ÈM6LVÊ9¯Á«¬äŸä
JyXçc'±Yzb€ÓÉXì&#¤ Òd9ßRŽg4G.²Ü.Ý#?,…Bô ¤Ü£+ÿ8ÆÂÏÀMMÀÓÒ¶^Ô¶j+„­gItK/~xë)âú~g{‘Ñ"w¤¡}›Ø%þEI±ëÃúè~„&tª3:­…yF«Öfû*"2:Åëð<Jœ€'‹ùÆÙ¸\,2îÃ{D‹“ 3\Ï¥r€x·a<7ÅPÆUŒLô˜½Ó¡hïà¢q•VÐv–aŒx£Vß»]ðIb™¯ž”êw ¦u«CåÞÖþ¤·£×Uõ$·9CmÎd秾ÝçlhÕ‘økKp$e/½ÔøÌK/=ƒËñj­k´Ùx
Rkmþ\kÅüç͘Ç!Z©¶R[¥•âuxž‹×ùc
‹á
D}ÜÁ¦ã´L4°dëÍ%0¤ Ýñø£
+2íDLI§˜[i<û¹%8÷ÅÇ}»s¢ææ›kÀ>û¼­­…?¨Í¬*-­Ôù¡`ü°¢p4ËfÞl; ëÐjK„EÁæ@go¥`o¾W„?ر\U÷Î`̉’ E:M¶Èx”9Á4Î\f*2Ï7Í/h6˜&''M
c¬0ßd’@NB\;Ó‚há›ñ3ØÇÏåQÚr­ ¯Á³5+ß}÷ÖÔ>n|éàn`l8^+)Ë€¹¶jE˜ûÕ·¾˜XÌŽ@wºSÃøgdpHphdHH°Ë¬¢²¸Ã´,D  §ˆx3øöl6HÝY•!>ó¤|fo :-üõw ¡Ô6£ÃCÃaaááaýý‚³‚ó£<OpQ”µ=rr1ööuyH` ÀÅYPQ±`“¶„ËÅñ8pùc»ßÒÊöô¿q2evÙ$íVíRDæWßyè`ï€%·j“p]Mó]+ ¶ö¹Å£'Ü=‘‹
µ+ƨhÞ/‡î°ó;\ëì«{D)Æèp
wZ‚ ÎØš›Ž7Ó—n¾ŠäSçmçÛÁwaMΈ̈ʈÎPGEŠ¥NR¦GN‹š=C3'ÂéòF—«^µ:¦ÞXoª7/Š^¤.ŠYe|ØôHÔÚèuêÚ˜-Æ-¦-æm‘Û¢¶EoS·Åô˜NÓ"ÿhå®[¼-V€CÉX/]¤òü› ?+¿ç·“6÷í”ööýÚÿ-_Ž‹n¹cê]+?:ŠUlYˆya‹ÖÔÿºÜüAÃBcRïÿöïýÒqVî˜Â¼ìܨ˜”¿ì<ó•‹ñ Ö¶¶Hs[DÝÉ_yÍu,{G7*-,
,IJîEúRw§[îâŠP¤Ùµ%šæ7ßçñ;õøAßYl;À±%X ‡,«e´,@
V2hü h÷&©©ËOÙ㬠\¨çOú²Î㳈3 î¾gDÛ—`}õ¼ö¸¯[Ÿ[¿þ9²¤õVíeí
ÜÖibë%ÝæŽ'´fÌEbN 'ĉHÄ‘ÐÁE°@WéX`ËóÝË,¤}Ë"pÀ׎9؈8§ràPʇÑ’*@#ðH2’ÏF‰ñ$²\²ûƒŽQðmø>|/¾­í]-BåN>¯¥—g#$­ ñW¹G‰‘/@â¥ÒϨör?ÀÝØ#œÒOVá¸H™ ;Ðar)Tˆ4ŒJ&#¬óô/6Œd¦ò“ © §Žn4Òƒ©#±9쯩׎®×¢ü0Q@{`lŠKQa¡v€0DHSR`s³m7C(VörÏ(°… œ^£h
æBIïRf 3Ås=H<ßC€%£)ÙÒòƒT>UHS )RªÜèbÉ!ÙüH!Ke¤ë¿)Ü/ˆiŠ<Þ8ÝäE^ìåªI9_nðHåò\¥ÚXaòšæ“ùÒMò<ãM¦» ·Kw›žåö‘=ü^áé i´_2L8pŒo„àŒpì®Ö6hÃaý}Q²z™Lwˆ“ÞïÔe*ı\ò+wI)ä@åFd”#%Ñ“"C°—"
ôÐoÔ"1rÁ*ñŠáE³–Áˆ
‚ÉonV*){‡Í5}ÐÔž ùdÕiiÞEd¢š$+e$G›œLºËª<ˆ¤É3I¾¼œ,•_ ²]æDÈBe%œ ⃤p¥u3ßMtI½@®é|º4@É7{ÐÑk~Žû#ÿGiŸlÓ™¦ÿGZ9Qójk[´*hYðï 3ÉÆq-m"Ö4ŽkáNiÑø,åÙ•fð5gXüYéîÑÕ. '!‰ê³ÄìRä ü!
0È~-6S¶X[ >Wðó,Õê•Â¹¹|®¬V*D0âÂ=I:@R”±ŠW¡ÊE|ɱ=ÿR»B¼¥íO,3næ‚Z7´ÝË5貧ï9nd9d„Ú«²ç\xOrH€œ­¨€K‰­"¸¸ë÷
îh% “\$AêG2¤!Æl2Rkœ@f½F«^0·Ç¤ã˜:þ“Ö3亖ÏIL+¤”kí¯þy]lj¾kŽƒè—Onß$næšÐã°F%vd£ŸãNeï4}LúŽ´‘«Ò>ÁζbÐÙ–
g¯z÷ˆ0}÷HpÇ»G§aÎÒöõiÎzP\ñ]•>ï½ì=tþ̹æ~\Bv˜ÈaV”`ÓbúBvîrÛ
ìÔ>Ù¿>+Ñy­Âyæ¯CÝ
á1Zf X—|XŸ$,ã8øœíïZ™6ûkBMÛÛ½Íõ¦x -G­ßZvSösÉt•|üp
vĤÓôV;uð ô›Á_àVˆeÐ/ïYü*z…Ç°–<îû¬ éªFÞÄ_9ýyØÜ×Ùû_7Ӈ׸¿;Œ #ÜtŠ^€Ãš´åb™v¾IϧÙwaüBˆI.ô¨»§,"g´ý%䨸ÞrÌ®Ž~3b}ÜöÕ&BBͲÙ88š˜ƒv§¯ ЦÚõ„Vô× —.døòÜäøÁêà˜!ñcÔ11ÓÕé1ÕpÜ¢ÞSŸz_Ì£ê£1Pÿs@=ãHJ‰åŽ]U}{ÔÒèQDoŠÚ½3ª1ÚFóÿ{’ÁØ‚ò•Q»Å¤uy]Èmª¹qê
ž{hExäî[wœÄVûö÷×½:¾îÓzœŒÍørî¨ác¬J¸³íÖ-eÓßÜôÊÞˆñc“’°="òKÆ“íÌ1Bz;\Üh:fE«­o„?zÌI†¸CM²9ÌÆNH Øb“½£»²{lTQ-iuzçAØåxªÝÕ-XPW·páÂQ»ŽbE»t´a÷(m-.ûdë†
[Ÿ\¿þIîĬéÚ³ZlÏNŸµI Òõ™Ê+äåDýÝaè0>Î[+íüÆS˜
ìZo»xÁö
63| ­µuäq¬æÒ©òƧ笻ê‰'V>ì.üÃDí-m¬“'=ÅÖ>HMyúÑGŸNí£ŠŽÆý±¶þѺM£ïŽA›Î¯è˜Å¾Q8&­¶¼'A<2sî°¡Æ”_Tg¨«9wñ\³í\¿ØúI•b“–L:3p ýaÔΆ£Ú%¬­ßµ‰ò¯vÁ²Ÿ›ô]ó¦’i8Ør¦·¾N9Hw¿~
O¿8
GÃÜ1ÈñKÇ…õ&ünèú€7L«#Âœä0£áœÙ:0‚aØÔé%åÞZ©ŒIÑtÄè/¹:§"A×@Ai}޼X¼rÍcÚÓx4ŽÅ¬=0¿¨ü76.­ì–[†
ךSúàtðí¥eªÛc6Y| D7¸#l6I=nw)\ dÁlβƒôÏü™¯‘†›AÍ­ƒššôBð¹Tú’*•}xç–Jà
Fb=Ž³§ÑdÙ«¹ƒpªögmí·ßƒ>ï?<ï
jÝ@Š0¸Ÿ§™lµlÁÂ/Éö@£ÝÝ#¬9ˆ³ß0ïŠÛð>:Fº›Ùâv¨CÅ ~ß@q9§KZûæ]´€¸{õôU|ÙKBö$FM:½%[@ìG´‹Øt¤aç(Pƒ§´ýM%3vOmÜÜì]tS]Í¢EgMÃÃZ¾Ç™ÓJ¶´Úµ¯µÕÒ/}íf"n^µvýæ•«6·C\ þ† tw¨™GX9pÌñ†íq æÌh„Ýl¶Úhù@·èAÍ€7õn)»‹œKºŠ¦Ûûv×í‡q’ ­6Û#“jR¾aOõK¯sÛÚ&xñšÕaqñXÓvR jÛ:kúÝ¿ÀâAßå%Àªæ4ÚÅ?Î P²uyoé–óå"¹F^*ók™í¸ŒÎ¢­å‹¾ß iô×Ü•ýZ6ƒiDV4Øí¤ÕÃõ‚ ï›· ’hÆf²Ùx=f2E¿½£óØ‹ì5ö¥v}ž Ñ÷!†o¾÷Ž<s}Y®oÎÝg¿ø|Úë<]ó*è>w«îBû ˆfdëZ@<G ˆENâ„Û)Ã2]œd˜ÉJˆKÈ<~ž¸Ðp¹¿S¸×°ž¬V‰ž#aÁ\°0@ÎFI¸éÒlÈ–<Â|®†›',’îäîî•~Ç=,<"9º–¼oh;ÍåiyÚhm­Ôú ~ë&ü¶Ö[§Á'¨gÑãE»ýû'`P$ÔKŸûÅ ïšu›Ý†a7øªp'„;dÞ€TÑj=¥#oDíŠÃ
0Ifqd9`dt¸9ÒÖ]¯ä‚íFRÛmD3ßg´ƒ£_¦²hé{Q·5:>%>?¾&~iüñOǦc¦u¦~þàc×}¥Ý÷mxó}߯yñ
m5ÆÙye^N[í.˜]—åCŸš]¿“l)¯ºðqÛn¤9"lþÜ­ëÛÞçFî›ûä£m'ù¢Í3‹jtú˜Í}WÛÌ®kÛ̹l3Ž`3<è·ÀC7Ÿ<hݯ·;PÜ€6šÞ u¿¡Ö\2Ô1ðªºßžþCœ#è:½ó÷K~Ü‹ó/žß°hQ¨I,×ÏhjÏádáS7>EwŒ´×´fØ^Ã×á Ø®ÓqÙ®Mf.4Þ
tGvÄ»7,«ñ‡dW$Ä:7z2Û¹sW‡<W;;|¹A`'T¹Ê—NéÁfúq/„½Mm»Ees§ä€ô§ù‹xÔ_O`þÚ¨ãæË]BAdÎ]áZWG²ÌÅ
9L§hìÇ­SúÒ™k¢2õÕ1Ü>½µ€Ë‚ö¬ûæÕd¾?ú¶õjÊ#À-w©]ŸH3ðÎùK°ÝËOD²¼!ï2(¢jÔ8$öqó†ô˱&ßËô«U)„4'OO¾g%åWÖ®Å={ä`Ç3¿okå‹öV{ˆ@çyÓ,˜7}àvMœÅØ/*:J
’,ðJ¿èè(—^c9UÐaÇñÐõv~½ëŽܸðK!?vLöQsó¹®U¸ohp­o˜é—ËFZmœ!˲"&£Y¶
qa¦0s˜%Ôš(%ÉIJ1É”dNP3¤ò@e q€i€y´<JeeÉj²û¤}ò>eŸqŸiŸÙe-d-ŠÙØß<$af‚LëŠt|ðÕŸ×éE:úåR÷Î̲’ÑÅCpàAí²Öâýbñܳõsrª†|yèbkÉûó}•’’–Þ+É(Çmxj×î¸8lëÛw@FJ²YŠÚôûÛ£(_ÃAž›…Ç g©r‡YÉJ6Úñ.i#R$£ÌÉ`KaP§WW¬x0º1€å.–»4uä.MÍô7ì];tHÎE¬6«=ŸË'ùŽ"®ˆè„Ò`<° )KÃ7j˯Ÿ¶W;rü™;…Ç´—® Í•×ÿ
zæ8>…¾žé û= _ÄÞY‡CBƒM§‚Ž…¬¶á]"‡­ðm¶0Ý>t·|.µÃ³…/¥yt è_­~‡èìmÏ_»oÀåœÅ<|
7ü±ê¥7ñnn{ÍT틤;ç‡Çuß¾†Kø~Ã&æÝ04Zp>"zûêz éR<Ó¥¸þçÕÑ_ÄÙX¥V&peÜRîn×èÛÁv ØölNA$
XC Ž a|wÔ
÷" |?Ôg >EÊFÙ¢7_$Ý$Þ‰ï"w
w‰«Ð*¼†¬áW
kÅ­d~Žtë¨/FCÁÁx¶6B›Ïµ¶ñû
ºO ¿ÇŒúMø7WÕûêõž´¾Ø—Öûþh}ñÌ5ë‹´`õk”ÿêPT%KR”¬ˆ8S©Tl
0QxK9¦ …/•`.Ö=M´˜9H 6vÇݸ^B‚ØSê%w3ºLÉ–t”ŽûrâCé:ÓËN/'ŽFš&“ üiª\hœlši)ãŠøYBXd(J•"cWÃ× 5b¡FªWjŒ ñ·ÒÝòÆ{MË-I˜°láž$[ø'…ßKOÊ[ŒÛL qôœéUÜDÞà_Op'É»üûÂyéoò_Ÿ™¦2q…cúŽ1☑xÚþ¸ìÓ´“Ú‚ûµ ºV·ñ\ë÷תùôWùñÕ;× ;jþb#Ï(Ö‚»è!¨c­ÓtüÇŸ!Â÷ÁÈ6-«$YN#ƒäa$W. ÓäY¤R®#7Ë·’¥d™¼\~=@ ‹ëäõòò´ÜHèö‚L·Cä9*‘cäŒ|Fþˆ|D¾”¿”¿E_oÅ+r*(&o’ˆÈEðR m¡ó½¤n
š(õURÌùÑühi¸â5ß–rËù»ÅåÒRåa´’[˯×J«”'ÄFîþ‰êÕQþ¨tHyãÎðï‰g¤cÊ'è#îKþSñKé#å;tI =ÃYÆ Ò*ñÂóŸâ…pÞªÝÞúv;7˜‹Óvãܶ3m/âYÚcÔ¶ ¹Yq?÷0k$²‚•™ÌÄB¿^¿Ú
˜›ÕeQ8›€”õÒûí²Y-FY¢> <½Í/´NòÒ?RÉð¿Aa?þù1‰AÀ”˜¨6w¸,ZõpõÜà´bnkw'·uÜç¶By,A
3R0vÑaè&t»¨]Gú‰ý  kÊ£È(>KÈgsñîáñ.ó]–‡¹U°ÔXc^cÙÊm#Ûø'-OZÿˆ÷“½|£Ü¨¼`|Îüœå5îMó›–×­ïp繌v×fÁújiv‚ë
a¦LKqà‘£5SÇ…€]´IÜåïû=¿òó££ýõY>ø.£»Ýa¬4ËŠ´.ˆš»ÈFZŸåq—úìáÔ­ÏŸÌM0Tpe†Ü<Ão
+ ¨¹dÃÀ=«ÁfìN¤d#-ÜŽ’fï—“ž!$Pc TXú˜4KNFŠ¿ŒÛ@ÞjÛÉåµsymoòE-mk¯ ® ­j;ù°Nê†f¸û8­£è’ÃlŽH£ Æ$7Ï¢&ü‘£)ðqW¤Ó$+B·à@.©N»b\¶ãƒCœO¥9ÍœôŸÑ¯’èÛË ý»PV$Ecÿï Õo ¯€ÁÞ¿FÒ­òþÁƒï¯|íý“YËÆO©öN¿¬êl㋇V5œ©_uäŧÏN¼Ë£÷;Ãï_·eùDÊ{Ìk‘ø1’þÖe«’r¼MÿÕíaý÷QŸ|,F^FêBo;5Úl²JáF‡ÓÊ *AáMN 7î#k“ýqW„3LrXq\¢*yFpjë ÃzšÈìB±þy(£:Eð‘Ù? ·ÓLÉì » ”}ßø)^ï”ñ÷ew¦½jâò-ëîwÞÿè–û'ž}úÅ#«êÏ4¬:ôb#ýæïNXhƹA+ÂM("ÜôD`²Fé?
:ÞüA³íc<vÐ&¾;Ýè²2&Ø!Át…SsvÍ]n ÖGfLÚ>kîN¸²èÕ„'IÁÅü¬"!âà1ãÚ›£ézéa (öaõŽiô-îßyô•®З[·ÿuŠØÌõ²R·„Ü@ŠÄ¾R·‰–º%Vê–èsv?0Íç‚ý•Ï?Ç÷~þ¹ØçÒ¥Kˆk}E@W
—üßNóèï"wõôÇÙ/}ã[}„K³Y cÆÞŸ=4Ó:è-±ÏQÞ~©×wþó·µ­;¬GdCÈÿã UøM[Ì·µß¥ZøþeˆŽ¿ÙüTª…24IXûN´A\‚ös¯Cf½Gó½ÐËânt¯ð Ú ñh¨Ø‚ruèe²5¾™OF ðü$QPÈÙ ç·8ú&ëA4 öO`ßûÝ°Oƒý1Ø—ø®Ã>‡¤¡ó°ßJaøw~3ý­4ºd¦ˆN´_8ƒÊÄÍpž¯ïâƒp½pl¡û•eb܇~†Kð î‹@“pZ?‹ ðìe´BhX@…)½‹½P¼ðæ•fášFi¡8Ãù^˜ÿ(Œ}ãÉ>´?ÈÎÓ„*4‰ÀŽµw¢íÜAº_Ù/èmiÚFï3>Â8Ú|
ã_:ßFá”·Bm(E#…
m'¿•Â‚d¤óôÌèGè„ZaGÝÑõhxìjtl{Ðûx~•Ë&)d$™G6ÁZ6˜ïËçÂÚòf~?ÿ™0M8{¾¸MüÈgØj8l¸,EIn©T:$W*Š2GÙ£´“Œ;Í&›i”i«©É<ʼÉÜléiyÀ*Z×Z_Ç=ÍÞÏ~, oÀ-ö| Ž
<T´ÏasLq
惓‚çþ,dJÈc!çBSCzÐ9ÇÙ ËûÂ+#FFò‘E/E¾5 jQÔþ¨™öÍ&y¨º ™À2m`X há .Δía°FòëèjœêkcÈí>öµ9ˆNßùÚAŒöµ!àÆùÚ2q·øÚ"²rOùÚ²sg|m#ý.|msÀ£=îôµ-¨ïÀå¾6øÑøÚvÄüÑw—6;mcŒßôµ9$á/}mT¬ùÚ<R¹>¾¶€B¹R_[DQܽ¾¶„b¹ç}m#ÀýÝ×6»Ѿ¶tùÚ6<°É׶#ià§hò¢´Õ¢
4•£z¤¢¨%À9¥À–­YÐCEC¡O=ªƒ½yP1ªB‰p7ô¬%A+U¦¢‚vXuìÊgŒ™ÇRè©üŒYûµÏZ3̓¹æÀ˜jèMñ(†1ÿ܌á5ÆM@
Уú3h6¢˜Q¤”j8Ö@ŸY·ú©0Þ ³³g
Bü5 j+f—׫=JÔÔ””4uÖuhE}]}­§¸*QÍ©.IR3++ÕÚ«N-ðÔyjçyJ“” íG‡Ï«šã­ž­-.ÿ‘Ã=sŠ'4¨%åÅÕ³=ujq­G­¨VkfUV”¨¥ÞªâŠjÀ¬+‰ãup[<®¸.†1•ô·ê­,ý±!jG·NƒÕ_<d“EpÐËø›
ICý᧶®Â[­¦&¥õï
Ù·÷Õp)ØÞפŒ× Þ§ž~\ʼÕÀÏzbJR"€’a+õÁ˜0ε vƒWË$ àz` *¯¯¯œ\
@ç5$ÕyjK<eÞÚÙž¤j<Îî„_¡üJýCӡϨ’z˜¢{€F/š}©Zÿ:ÊJ!€'  O9YÏj]õÌ0(×jJ꼫8y5ÆØÐÅŒ¶kÑ®«D1´:sí‡nA
øå›ò³\ͯïà®-ïš+à‰ÂZõìÕÂ*Æë¹pÏ øG¸PÊò¼*­Ã¸*Nåì™ÇG×l6KµOê‰>¹ëÒÒgÓuL×÷D†——I¿š¯ñ°>ƒ Öût¬Â§Å †Îiųžaqµ>•°~Tuè~´·Ž»®ËfÿºîÅvÒ’X&9:¶”ë^%0¦ØGŸÂ¬ 4´ŠA©gOüü)ƒV¥Ï’z´ãØ1õiÿzÐ_]ûéŒ<¡wj˜Õ” %l´›RFA=ÓµYð´ž=ÕçP~b†DŸ5—f
ŠÎ“ùLÊ™Wª÷q¦ŠÝëL‘Ÿ†Ú.Z©cÛÀx˜ØI:´]Åä©ËZéäAê`tâБØNg2ó *ƒ¬Ûƒ»ÂÇÕ®ÒÿiªýœÓ±­i×èz†W‡ÖuP4Ÿñ£êgÍà·†2æÕ«}z:ÍXÊŽtŽDv¦œ˜=J_~e,éžÍ/¡6w)ø‡éf…>ìè?'çež¡C}Q~è ª¡½ÏêºôõÛJÇ:û€ÎãTFs1Ã\a¾¹«®éÜÐcIñOÈÓË¢ ê“};wøŸ#‹z‰hd-öQ”Ô…S?5–òd/¶è³Sž—1K}šTÉô´¶ýŽŽ)åii'™wÖ:-f±‚ùŒJv¥´STÊ0¥òªîÄÙ]âª>“߇3íÑu×?ÇÕü©û‡4ù±T|thX1“ÑÏÇ ë<WóãZ¸%úä]ÉÆUüˆ7WÚ¥SËül1ó+pýwêÚ5Òo/WGÏÏyþ™æ3ªJÙøØkÄÃØvº¯¡À3´í¤eºÍä^_f1{÷vµÁg~=™O+®Á1,Ië}1†ö®M^ÅÌ£zÚGt–»Ž³ÿŽrMK)g^eç:Ž¦I?¦'~_w-ß]Ê"A5“{g~]‹«J'Îu–á/µÕ:_þ®ú(ñ[›ß’hæPÙž{ÔúFt…XÃ4z.gû$¦ÇCªUJ»Wýwzª§j–ÏFê}ñ°¬S#Qg,ʃ+:ÏX¸*D!,`Ïràž
y\<™-Îä’ÉžÐç±Ì'B›B‹Æ3X:Œ8RØ“á…­²kz5úç,:6 Mbsd´q€ÙXhSØcàn.œ³|ýèˆapg<\ÓöD³P}>úO§2Û¡ã(.:¦…p¿cÖ®Xå°ý˜«€?Ò÷”þ3­9 Å?‘åG´çÃSç\ƒNyD!S˜Ã£\vEs>ôÇø™ÉhÖ±Íc4dÃs–,†. £a쟃ÌzÐqÎTèë™ÈäHéÎÆÓYG³^:fc}R¦í(I>^êxPþOhŸy£?6•Ñ_Èþ)Z*›L€ï‡ë× Å[aÜÏèËd|ËfÊúQ.R~æ¶k\A'© cü¢r£˜g3e2ŽŒ»&%~h¥s-íPÚgÁèËbœÊe½Ç³ ]s­Ã|¼Öaêz¯ëDn'îc4RÉÞ³fùt*“ñ®+TNþÈô‡uâY‡ôó|ÒõãSÈf.¼W&2[Ìb½2™¬ÇµÛH6³ß1>ÌÇ·kX‡ïÓϱí˜uå¯ßŽüý~ŽïÐaùçî*ÁáLŸr}Žkç†ÞCù ¸ºïÊ‚¸VÂÖ9õí~»käîœ5vd£óÎÄN¾¶s& ¬oÕUý:îê«%=fu¬u:çn×ZaûWÇz.ïÏz;²Ýwëk¢ÎYo)ËÏõ°®=+ñ²<ÐÛž™ÌgO;bz¯vâí²Î£3³ØŸØ>—?uÀÒóÊb–-ÐÙê®ÁÍV†5,Þë³Ìgíz_fBékðõ¥÷o¾j5ì¯ÿüPê5eà§åZ™Cgþ×2y×øÖRŒÃ4ŸLòÁ­EþuYO(ôº[ÕURïÐ>
mººª@y0»楌×
ÒkxtN…ù+ë¿_uúµ ÜÿKõ ¥K=èêÌëßWR®YRÿÃõ ågÕƒºfò%pê¨uø{þ¼
êµ*,Ê­®¤þ ®¤üu¥Nu¥Ž
ÃÿoÖ•”.ö¿WWR®±Zû_¨+)׬+uPôŸ©+)?Q/øÏÔ•ôÏÖ•:Þ:ýšu¥{ëZWú±èûãÕ%}}®gÿkÕ%u­.]»ºñŸ©.)?Á]µÿ·«L
Ó±f3ÿù*“ò?\eR®ª2u¬uÿ“U&åV™ÔÿX•Iù'ªL꿭ʤ0L¨£¶:·3áù®v¤\Sæÿ­Ú‘òƒÚ‘ú_«)?Z;ê¨ýûkGÊ?Q;ú)¸ÿÞÚ‘ß³þxDùaÅGùŸÎUš_³â£üKŸ®Ù~YÅGéTñù©ºÃ¯Q¡©ÿ|7ê¨4(lz•„P6û@‹~×F¿Œkÿ˜NíQçñ¨³<•Þù IêÏø
.IQ¹ ¦¼N­¨ªñÖÖ{JÕ²Zo•šYë™çûÌ?ûê®Aÿê®ó4ŠÒ1ûOm±ª£ÖþéžÒû'ÿ”~ä÷³¿T¯š¹¢N)VëkK=UŵsUoÙÕP%ßS[UQǾ¡«¨SË=µ˜kvmq5ž´Y0 8V;Û“¨Ö{Õâêj§¶xgÕÇ*€Åj ­@ÏúrŸO%%ÞªèN;Ô—tಧº¸ËXÀJÕâº:oIE1̧”zKª<ÕõÅõŸ²ŠJR
PÇyËêçûc&µžšZoiC‰‡)­Â*f5Ô{(J—‰ æ’ʆRŠÉüŠúroC= SUᛈÎP«³À6ÔAJN¢Zå¡T+LAêÊ;Í‘HçLöÖªuô®T}ä_55EÀÖPF×+:ëØDóËA±~0€Š¡¬¡¶&ô°¥^µÎ›¨Ö5Ìšã)©§w(}eÞJP6JP‰·º´‚ÒQ7@Q
\ñ,ï<£@×"†@»T{ëA uú]*•š
П©uåÅ••Ê,k€XIq:½Õ µj•·ÖsM²Õú5ž²b˜(IGªëÓªâ`-0¼´¢¬‚*Zqe=¨4hqi)£\g5ÐâZÀ«¡²¸V¡•zê*fW34fë¶
ƒ¨†::ÂOÝÕ3Q
V\ym¾1~<: zÕ• ÔŠNj®Prj=ôÿÃÉúÒFe$•‹ß<< sžZ6h¾·¶´Nm·ÃX:·ÿKÍ6–± $“ë³—Y°$
µd@y2Ï[ÑŽ˜ç¦z°µ¸¦Ì«xV¥‡>ÐiÈ´¡t¥¼¸^-/®ˆžê.<¡ZסݥjCu©áT†œNáOIµÎ[I­š‰
©X­¤ÞlÅß±¦¸dnñl ì°Ú«PUý甪ËTà°EOeEjd–š=6¯P76»pbfA–š3NÍ/;!gxÖp56s\Ç&ªs
_¨B‚̼ÂÉêØl53o²::'ox¢š5)¿ kÜ8elš3&?7' îåä
Ë?<'o„:Æå-TssÆäбl¨TNÖ8
lLVÁ°‘p™94'7§pr¢’S˜0¹5SÍÏ,(Ì6>7³@Í_?v\À`órò² `–¬1Y@66rAΈ‘…‰0¨n&*…™Ã³ÆdŒNTØX ¹@e]’K€¡fM ƒÇÌÌÍU‡æŽ+,ÈÊCûRîŒÈ;&KÉ;>oxfaÎØ<uh947KÇ
H–›™3&Qž9&s%Ç? í¦“ÓÁ‘•—U™›¨ŽËÏ–CÀÇœ‚¬a…¬'ð8‘ËÐ66o\Ö
ãáôóO‘¨L™Å¦2á¿a 3F~Ž-(lGebθ¬D5³ g•HvÁX@—Êsl6Ó€ñÀO*¼<¾TFôÞµzÑÑ>‡geæÀq
¸¡té Ú•uS‰§¦žê¶Ï¸u×Èܨî;™ÖêNTxD5®~5!,e±¨£{·Ž€MÃq¢îz™ûí†H¤»ÞÒyð€uÔ•xk/u&ó+꘥C¬òê1O­+®„É`µ"Ö |eq% «kG³‹A)þ`XS[Cæ×VÔƒ3QànmÅ;0\ë µƒ:K‡sÐñ¯õÔÕ@”ª˜ç©\}ki,c˜TT—yk«|¤3ö•Ôð§
õêl¼Ô[¯xkg'©ŠÂ2®9uú¹¿øuò EσÔ_’)yú ó å‡yÏÉ—0Huþ˜qµ#aQþ•\IõçJÊÿF®¤èrø·åJŠn°ÿR®¤üŠ¹’Ò‘+©¿0WRºä¿ WR~,WR~®¤tÊ•:o—t â98‰_+]R|é’ú/¥KJtÙºñ×N™”j¯ú/§Lʯš2)¾”Iýå)“ruʤþ’”I¹fʤþ3)“R˜9ą±íÌ‘¿(;R:(ÿW²#ÅŸ©ÿJv¤tÎŽÔ_”)×ÌŽÔ%;¢ÊÚÅPÚåGõŸH|”ŸN|ÔŸ‘ø(,ñéš;üㄦÞßßÍ’% NIÿÊo“YÝn.ìɬvVÊÞê%±÷«5p¯ëÛŸþ…aòüŠ¹Éà¬nJª)¯IöyÌ_ôÃOöKdöwå4]ã/ó·ÜRÜiˆ`²Ã±Ž¸j«8 ÇXß½XÖ¶ VÙóhô<£`F‚#ÙÓä„c8Š‚c»ãdÇPv aÇ`vtà d¨vEÛ²v;Z±-†çVvEÛ›± Ý÷ÌìžB<6a#š ÷èÇ¥pψÔîÑ'Žn¸Gï,³‘;éqçÃIBf ];ò¬afGä¾²˜\¹žhiý>QhÕÈ÷‰¤E#ß]!|·˜\A¾m!—4òF.jäÿyž|­‘¿kä+|E.hä‹fEøB#Í
iv󟦟§’Ïò·òéƒÁ§ù¤…üµ…œ‡‹ó9§‘9«‘4rF#Ó
§KÉ¡äÔ†(áT)yÿ¤Kx¿…œt‘÷Þr ïµÞ
& ï6rüm£p\%oÉ_ Ç_ZÈ[ÿ-I8GŽþ9H8ÚüùH€ðç r$€†Ç‡#É›AäןÞÐÈë¯M^ž¼¾”Í}åO.áµéä57ÿ'yU#¯”’¦lB“F^Ž /iäEza€p¨…¼ð‡pá…äà0á`*9°ß.#ûŸ·
ûíäù}&áy+Ùg"ÏÁdÏid¯Fžu=äÙ­‘]ÙBžq’Æ`ò4Àyº…ì€ÓŽòèÿ‡p²“§4²­;yR#[5ò„F¶hä÷
Ù¬‘Ç7Y„Ç5²ÉB6¹ùÀ¨-d ÙEÖÃi} y ˆ,<ª‘u</¬ÓÈ#k§ <OYʯ]îÖN'kÝü¬íX­‘‡“È*¸*Ê}…¬„¡+Uò‰¬€[+F“ßÁéwyøð`0yÀF–»ÈýY¦‘û4r¯FîÑÈݹëN—p—Fît;4r»F~Jn[E~£‘[5²ÔI,ÖÈ",l!7·™?o‹0_#ó¶†úp¡¡…Ô‡“ºR»˜Ü¨‘o¢àM$Õ-¤ª…T¶¹™£‘
”—˜„òT2[#e©ÄSª”*¤ÔÍ—ÌR„™¥â"‡P¼Ša»Pä 32C#Ó52
®§idê”paªF¦ÀÕ”p2Y#“ZÈDL€k÷• ¯‘Â(2.ˆÜà
ðàëò[ÈØ<»0ÖIòìdLÉ$ä:ÈèQvat•cFÙIŽ…Œl!#²ƒ„D²ZÈðaa¸• ³¡™.ah ɘ™.âbÜr½Eb%×[ÈàAfap0d&d‘ë4Ò?ôKú¹Hzß !=Œ¤âû*f¡oé»”OK5 iA$ÍͧšHŸ”-B¤ü”-$ÙD’IïÄ’èp ‰H¯RÒ³”$h¤‡ƒÄ‡Ø…ø(Ò]%®(Ò-Ы[‰³“Xdb[HŒ•Ä¸y5ˆD+$*ŠDF8…H‰°
N±|ƃ|¸™„9G a‹‰&uŽ&¡ ±“`˜-¸…8àžÃE‚JI ×vØJ‰Õb¬Äzˆ·Øˆe)o†'æbJ%F ÍLŒKyÅL7/kDÒˆA#¢ ¢Fnžo!¤”p0ŠÓÀ{™l'ÈLð^\zû2Üëÿ?þÐã_$úŠ&Iendstream
endobj
21 0 obj
<<
/Ascent 759.7656 /CapHeight 759.7656 /Descent -240.2344 /Flags 262148 /FontBBox [ -1069.336 -415.0391 1975.098 1174.316 ] /FontFile2 20 0 R
/FontName /AAAAAA+DejaVuSans-Bold /ItalicAngle 0 /MissingWidth 600.0977 /StemV 165 /Type /FontDescriptor
>>
endobj
22 0 obj
<<
/BaseFont /AAAAAA+DejaVuSans-Bold /FirstChar 0 /FontDescriptor 21 0 R /LastChar 127 /Name /F3+0 /Subtype /TrueType
/ToUnicode 19 0 R /Type /Font /Widths [ 600.0977 1000 674.8047 687.0117 711.9141 812.0117 600.0977 600.0977 600.0977 600.0977
600.0977 600.0977 600.0977 600.0977 600.0977 600.0977 600.0977 600.0977 600.0977 600.0977
600.0977 600.0977 600.0977 600.0977 600.0977 600.0977 600.0977 600.0977 600.0977 600.0977
600.0977 600.0977 348.1445 456.0547 520.9961 837.8906 695.8008 1001.953 872.0703 306.1523
457.0312 457.0312 522.9492 837.8906 379.8828 415.0391 379.8828 365.2344 695.8008 695.8008
695.8008 695.8008 695.8008 695.8008 695.8008 695.8008 695.8008 695.8008 399.9023 399.9023
837.8906 837.8906 837.8906 580.0781 1000 773.9258 762.207 733.8867 830.0781 683.1055
683.1055 820.8008 836.9141 372.0703 372.0703 774.9023 637.207 995.1172 836.9141 850.0977
732.9102 850.0977 770.0195 720.2148 682.1289 812.0117 773.9258 1103.027 770.9961 724.1211
725.0977 457.0312 365.2344 457.0312 837.8906 500 500 674.8047 715.8203 592.7734
715.8203 678.2227 435.0586 715.8203 711.9141 342.7734 342.7734 665.0391 342.7734 1041.992
711.9141 687.0117 715.8203 715.8203 493.1641 595.2148 478.0273 711.9141 651.8555 923.8281
645.0195 651.8555 582.0312 711.9141 365.2344 711.9141 837.8906 600.0977 ]
>>
endobj
23 0 obj
<<
/Filter [ /FlateDecode ] /Length 675
>>
stream
xœuÕMoQÆñ=Ÿb–p9oš’ÚÚ¤‹ª±Æ=…KÅÈ@XôÛ{ÒÞÎ2s3¿Ý_ßÝÜõ›c7þ:ì–õØ­7ýj¨‡ÝiXÖî±>múQ™v«Íòx¹;ÿ/·‹ýhœ‡žǺ½ë×»ÑlÖ¿åÃÃqxîÞ\¯w7õ×âÇéaÑîwýîíhüeXÕaÓ?ýÿ‡Ó~ÿ»nkì&£ù¼[Õu~ê~±ÿ¼ØÖnüÏc¯/}Þ×nz¾//w«zØ/uXôOu4›LæÝ,nç£Ú¯þzV¦ïyæq½ü¹.ïNòšg—¦§MKÓÚ´5íMGÓï›þÐôUÓ›¾nú¦éOMß¾viü¥ñ—Æ_iü¥ñ—Æ_iü¥ñ—Æ_iü¥ñ—Æ_ÿ”þé¹éÏ‘MŽlúsdÓŸ#›þÙôçȦ?G6ý9²éÏ‘MŽlúsdÓŸ#›þÙôçȦ?Çh&ô üB¿À/ô üB¿À/ô üB¿À/ô üB¿À/ô üB¿À/ô üB¿À/ô üB¿À/ô üB¿À¯ô+üJ¿Â¯ô+üJ¿Â¯ô+üJ¿Â¯ô+üJ¿Â¯ô+üJ¿Â¯ô+üJ¿Â¯ô+üJ¿Â¯ô+üJ¿ÂoôüF¿ÁoôüF¿ÁoôüF¿ÁoôüF¿ÁoôüF¿ÁoôüF¿ÁoôüF¿ÁoôüF¿Áïô;üN¿Ãïô;üN¿Ãïô;üN¿Ãïô;üN¿Ãïô;üN¿Ãïô;üN¿Ãïô;üN¿Ãïô;üN¿ÃôüAÀôüAÀôüAÀôüAÀôüAÀôüAÀôüAÀôüAÿeC\6vvÞËZž†!WÔy1žVΦ¯/»s¿Ûã~à)£jendstream
endobj
24 0 obj
<<
/Filter [ /FlateDecode ] /Length 16016 /Length1 25896
>>
stream
xœÝ¼ XUUÞ0¾Ö^{ïsåܸîÀŠ" ¢©‰œƒ Ü⢡ã¨ãë-Q2 Òl4§±rœrÌŒ´AS¬ÌÇÒš.ŽÓdSYo£V
Ëÿo­}§šyÞ÷ÿ=ßó|Î9kï½Öoýî·½a„Z…šVP”ÔÒóÀA8ó¼g”U—Öifj­áðö+[Òh»Ò®Ò#$äÁ;±¼naõ=ÂâK‰¿€ùûV5—ÿj’×:„¤¡¥<Yá*uªn#¸>úM¸N¨;¡1"©¨n¼Ø<Ç0½ZU[VÚt¢r2Ç'ªKﯓe1¡±‡àØVSZíšÿÙ-p|¡pߺچÆÛ«Ñ=Ííf×ëê]u£_;®Bhà¨
BX<‡Dà“,m
B•oò*,@µ(âg(êöÛè‡[€
ÃM+Ïv"²Ý¾-ûP¼CU?™ð¥Û—òƒæßz$c-­BÿÛŒøÊH…ÔHƒ´H;x!2"2# òF>Èù!+òG(¡`BQ²¡pdGQ(èˆAw¡X‡†¡x”€Ñp”„’Ñ”‚F¢T4
¥¡Ñh ‹Æ¡ñ(¨Í@™hÊBÙ(MD“P.šŒ¦ <4å£4
Ý
Q*FÓÑ 4• Yh6ð~š‹æ¡{9è ïÃ[ỜŸY/¬º<¯t® |^>ƒ7â#0Þ‹zàs
úkÉk8F°¶D ‡³­h'_ÙJ>CMäeô:>„Ñg8ÀZü
Ç—ÚÆþ]H'„Ï夓”à0\žÄÏÄå°g-Z)À·PßÏÁÙ·ÐzxmCO¢Z3ÌÖþÑ!´ ]C
W€ÎCè:øPß_@7Ò>aœPóN´h^ƒ. NPô±tAˆ¨‡€ ÒéQÆø¾ }W
‘;dU$PÁø¶¿Œ‡ ùèX¿“9ä>ò!^+FŠKÉÔ
ê1-Bg¥ ²jUE¢V¹7‹óùk9£OX*ÎÇûЀ¹€|Çá€ÙNN1B‡„B)_ÊšËáÜNþÙª|Ê&ô¹ |ß*P<IÌ!épe¹˜‡E{`e4p¡Z’»×¢åÒfå…öÁk˜´™´
œ,ŒC;…r¼ °½ܬ%Y kå(DºŠÖâC€7R­@
ÒŠü¢JD"`g3ì¹ÎŽ»Kl¯Ï
wǡͤ²x5Û:nßžV"ˆ]}@´G~üS?7eZ‰­[³³Ü`³çgÁÉ¢²#8
ç³³ø5¶ëÉ¿¹óØÊ*l˜ˆý€É5zȼ‚¶‰Ò“`£*ö21æïs«¥5‚ˆºÎwG¦óÝ绽Íáf{¸9¼BD=
$¨çSÚ¦2|ÿm½Ãì<|€ÁÖ5(Ìa$ëåuhƒZ$*Ld¤5Û”–6%\îéNÄÉfIÌɾ‘‚xÆ÷ ß3g¤ ½÷ÑÇ°«·ƒ‚&’}tŠãâ0Hx£°(È¢¨t>bX]ˆ‰ØÉ_då³çž  ŸìÍ5‰oIàOÂÐdGb°UÕBP€„C}5-ÞFÙ+,4$8(Ðßêçm1›Œ/½V£V„(ûØLçß´2tÇž;¶g,ûìJêN‚
I²w2Iö
çïHïHx‡§„ó7Ž$ÉÂþŠë•»+¯ÑÏŠoÒK»+oTÇÓ«¯ß:i)ÞEKwЃÛéüköÞŽówà]½¯Ñƒ@u'}Gœ
š%ƒ§L@NGšz褊ñí> &«7¶o²%lhk¨Ï&ï-¸Õjå!ê8 éä oi¨ÍŒ µ‰*ÑtÞ:¶ÛšÔ3¶ÛÔsù*ÐójR×ÕWMW_½qÕlI3§™-Vx§#Çã”QÑföõñ²âqtJ(¶šãáôÈÔ”d+øÂIs(LU¡š_Ôýµ¢©ú¼—Ÿ^à<Söúïsâ‚=ÅÓŸ˜ö§¿\yYÈ¢ù¤Ñ9wá9ü¸X7o†óÖq<LŠ94>SÀo„n{ü¨áË/¥ÐÀßÇ&ˆôî°;vüIÃtI¿ÄàYtBÁ秡Ž„ÐÔ¡ÁÆ ¢yÈñP궡Åo5n#ùÅ‚,e­¯iõví]˜6V?ÚºÛÓmºJ¯¦1™,¯åh7sºÓÕ>~ÉI#îÈY5bdr’Ÿ•“…£±ÕþÓ—…ŽÊü©‹«òò+×w¬s4ÄÇ'Y¿á0)Zbz¬•S«ª¦N]¼¾c½£iØ°áGÖ­ïÀéù‹OZµ¨`ýK‰ñ ék¼ˆçã=ó?-¨„ åÃ…aÚ2Ö½ÔÁm
¥ÝþD<~õ.ð8Ï;˜M‚ÅhÕ{é
V//ý°8!>Ö
16)yDÊHixªc”™ª×ÈXR‡{ù£X¡Þn‰··‡¶Y¶«¼ÐP¬’I¸^-¦Æ†û
2†‹Þê¡–ð µ—)(Þâ;ÊôQwWO—éU…IL?8£@Eÿ^½|ãê»KŠÎ˜­i‰àvT&ÃW0ìû’¾boΊÐ`¦T 8™iŒ52Ú€##S'®TŒ QÀ[Ð8×;àvêxœ*DâÝÑQ?9yʾ ùEGý…þãMI‰¯ý>cMΘÙ¥u£GιçõÇîši"›zÏ
o«°å¨¢ŸøgɧÕ9YØëÍ_8'=0±íYë‹Ñö{¦ŽY}6÷7sÚ_ó·­^,3LdŸÐÉ}ŒåEŒ6ˆà]Dww׺¸[…g2xý–4É°HðnòNô˜ÁK…ˆEFþZ¬Kê6331ï& ¾>kd”2Â’JšÖ®Y³vwû÷˖ËtÌ?>¥£ÿqŸüÛ%ÜÕ
Üh\ƒ«Â:5ò-:€ÛÓÔ7ÙÏâë#¨"GZRFx‡¹ Ë–n:öÒÇtl÷çøÕO.ãWYæµW˜,Æ‚î˜Q¾#Îä¥C¢^£Õäqɬ\‹
mµ^K4²™`" £¨Óîª?‚·•;Æv¦‹€ãDì…Uvà= §Jæd³]Œ¥;py=Ð@¤árº#
OkÀÓÄK'N.8C×ãæ3 Nž(;ƒ›éú3<+,A÷‰Íâ6°ïh‡zBƒwKO¨ˆ^Q°:P+ëà³XìáH¸o8l
nÖ,¼ŒÿH'<M³ðËâ6šµ
öá——ÛèÇ·8<ˆ¿CG~ƒöÈDÄ!HfìM}Ácã=§v”ᄳt5^©È׉/‘ja
èƒù0Ú-ˆ:tñè—ˆasì4½ß kž„¹WÀ8?ÅÃa®é0Ú#ÀŠê$ðЉ¯ôôàáô,§µüv¦˜Êõ p@Ñp(B‰È£ª[Û’!r4wö\=&]ø¡»ÏÙé +ŽÄZG ù­ÆÒªo÷o Ý>Ä74HGAÆÐð°!@À1k7]¾ßç¯&:ÞM@ 8AH b‚” '¨Ô šm.¥ãt!¤‹éRºœ®JW§kÒµéºT€ mî^t/¾W¸W{¯nÚ…w »È.q—´Kޥڥޥ٥ݥ{=‡Ÿž#ωÏIÏÉÏ©žS?§yNûœî:† ÇÈ1ñ˜tL>¦:¦>¦9¦=¦Ëù)dÜ[{Å{¥{å{U÷ªïÕ°
йx.æ^CñÀÞ‚ÙdIN‚è-DóÏH~2uä¨ii£¦¬Ý¼iÓæ-›6mùúúõ¯¿¾vM¸š:mZê¨ü<a'ý3=Mß Ɖx$Nʼn»éýt5ý½oÀ¿Ä+ñ‡r@vZåð!í¢Ð.mP¡v:R% ±«‡ K A’RìÉLY±¦Ïâioà‘=¯ï›ò:&ß¼°O©Š¸‘ ß`t·#Û%Yò$Ö »,K™&óS^í>m"jI+`m¨5ÂD†„˜z`¯ãÇÁóº7¼ö¦â%ãµ&ÍŠ°ÃÞ)PñpÎâVÊxœœ$2lÀ¸Ix¶§é(öOqæl[uÏëu _+ýëf9G]Ø·oß)?~Y{ÁŠ-™Þžtåó7füƒá»ô1ðŠ&¾Þí¾ÚMš½^írØ&ÛÞàöÈ6y»ï31~Þˆø„F™BID˜&,ð„Ïw›¹éõd
Ê’p",ŽŠ Ed(16§ôÛ>¤‰zÛNúåõ…ï.,uÁÞƒݱcÓέëfuV4ÿ1÷,m$aѯ=ò§/£†œNѶùWÛ÷.«nX>tè›íÖ?©ÄQ¨ÛÄZ£^6Ó†½ˆ"Ä+ª]Âdƒëµ(T-ÊFýƒ©§‡9<ò.³‘ÅçÄÓÀäÓ,¬AöDzWî„K4¿þÅk¯î]/…ô|IÞêI~’îÄÎcŒw­À»a°wçˆU!í*ó&ÓŸv/¡mðÚ®ÚJBäÚd
eBîrÛóe7¿h`àÍ ã
òõAƒÇøuV¸ÖÛ;3îsl¢Ÿ|·ôTþœ#¥O½pô©»w€þî£[MFzõ‹núÍöVÒð{v´Û5ö8G¤*, ]ÖnÒþN„rg‹Øî×fÚnEQ^*9{‡Ù™»é¹Ü­x@ïSO1äG©H˜"
OòÃ<º+ˆ’Ké[¦5q_Í_¾ºv‘ö|‹#±Ïä‡éÅÕ?¼z݆
Ò¡#öhz‰~æ\L¿ûç·07á­xÞÖ[uäÉ'üá÷Ïàö³ äÉ|ªŒR’] ±‹’˜)G‰D°ˆ#P˜
píâÁ3áZ·ÇPØ{VðßDö÷~ñŽ îM‘.̸¹Z‚HOÐàI>÷½‘{OpØýõ¨=ZnÖnïýL¢¿~È]¡¾CBšPß j K±us¹1nxÔ¥o°ÀîÉ|˜=ºm`œñi
ë·=²vöGè«·~ûçsßn]ݶ‹ÒË—éí]SW5/[µryó*áTûlooÙøhqø¡•Ï;¸òPxøë»Þ¸üÉéݧñ‚ûùËû—­Z­èÿJ )‡Ó4qDx˨Ýïw&¯Mú-¦ö¹=¸-b»Ý[&8,Bª
`b¾ És·'¨€^çRö ô®3ËéX¢“l³0‰Cf\¼zÛ6çú™´O%0iÿó¯Xü–^¤_æ>,´yDÙ»ÄÃq€s1Ö^ûo¬¡ÐZºž6„ÎJŒ£y
äðö ýâYÂ!"Ró…9ÁkJÀ5»ƒnOMÏÑ4zÏ«Iío5ä,)د%"
Á*¨ ÂË
.³bÁ§^É•,¼FÏ)¹ËfÈ]–‚î…;,’å¢Dž•¯Â*F3¥Kâ9S7¤JÁ§`±¹çYRxë’N^¡ÇéÉñž½x“K ž/6“=nõânYØÔVHìJ꫽™íûD g`n]ôû…Ì}è_ð‘%Èä$ñYü{•, Ãglw>Þ)˜!ÄÁBòÊa:o/÷"¸\2Ž„¢´Ü‘©ƒjX%ée{@`d†J(Q˜i“q³¾Ý»-l]¸l ðÓHP6Û4ˆ`MŒŸÛHX$çYjÂJRp±"ì½vÕôX‰§|•ð%*5ŽsHǃÃ3#DÔ(¿}#…ýãŠgOXSpÁ¼cG.N˜W’uê̼uÇ‚…³Æ” ŸU“õrÚ¨ãOä­™3#³x\ý–r[¢¯ˆ;¤°…¨Î1|hì@+1è5A#ÈsVÍszsôçb­¡Ï
M‰ö’‡ê‘냽âõ>á±úañ)P"A…DÇvyævg§º.tqƒï£7ÑáµJZ%¯R­ò^å³ÊWfù‹ÛzÀؽ#S˜íD¹+!N.âNsdª®Ø”‹¯hXµxñêÕ‹¯jyо¦ð‰wÞybÚº!¶Þ ñdlY•–˜¾|4}ŒÎÅ÷ã±çn
á«{lõ¯{Œ~^›žõíË/3.}g'ä7/Ñé2ßõþømÜ‚×á?ÑžØAöûy|Ô¢GÈÉ/¨¶]Uð–í’$jìD«†7¶k‰ÙˆŸZˆŸªv|§Ê"óÞ‰FJÐê€GJóŒÊ<ÕÜ÷ª”ß#5øãƒ*‚ñ\G Q+¼D‚u‚Hô¢F%«×áz.š‹I8O”ÃI¤Pqê±?\ǧÏÕô^¯:'EöŠäÙ›±x-]Î|ø^ ç> G
ÕÔ®Õ´[6àvíÂ̺€0oµ !C¨Ÿ”<\ƒB-‰áÌpÝÙ
Ý<[a·c&ž=|€ûŽÁø¾¯´ýú鯿|hÍê‡éd|äÓï׬Ùö½A 9ÂéÞ‹Ë7?´Q(§ãëVÜçÜûê íãwv÷™³,Ž_6€âÏ£ƒ~íÄëyýAS»¦lôNÒ£árb C­?ä‚7N´÷뇻†Vrá‘©âð©{î¡Ó“8‡Ü³gêä}3Nuu*y&7%&·á:\ƒ·ÇÄœç€ø-ú'úgÇ8ng…nž
uøÊíš
¨Ý(#£FE’ôÃU¡¦D ÒÃê\…Aà|í¶‘fSTx¤Ù›cƒÍøºýÆéÛh¾ÏÀYôeºžÛ{ OÂSnÝZ*%Їé*H³aíRŒNÁžù0Ô¡‡ŸÌòk´AÝ.þA‹%Íp¤EÉz.–®®>ôùBö>E–ô [zë…c=KYž“³¯÷
ñC,Ø4Äáí†-þœ+<B«
©í#¸z;à NÚ×›ê®ã>§¬BÐXGx@ ò#íÁƒäªG#½“ä”PÆ©.Þ-4z^i·ýŒäÌ‘)áâ´»Ï,¡—iyû§Ý½ïÞS§Ž½:Áó>Þ±|ÊTÜŽk™SFžšKÏ‚øNÓ aáxë^Ž#“á$ÎO¨WÔíÂD´A+½Òp
7yè{‰ÞPª°à Ÿ‘Ï1gÎô¾Çz±;çÍXáµÞ4…—§®ÌáBÕr)‰í‹SI¨
¥jô¬ÿ¡€eeIR3¡X?MÆÑ×pZÏIœF_ŽÞZ¹oŸ¸Z[}ûò2À5£8‡U¯RctPl7ªÛµŒÛ-¥€Î÷ðTÿO }‰©îÔ—w¬¾çDEë}tïæwŽë¾ûîGά}=ú/âPoNsÚáj»F
E—Êå–ZA‡´2ëþʸŸQ¦ãŠcîÃúÜ•Zdî*O%ùIVu”¥Ó…™êSX&5«—k ¤¡* É‚ŠMŠ–âäXU”z4É%剪{ÈL©D.QÍT/&ËÈý*+88NÖ@bªâÂXúUïQaÆ5°ƒI¤Bx´÷×=›…î'{;8=ï=
¼ßîïÐsåÆ¡d8!›xâ–pY‘®oø{g„s=Né¯>1šëša­uÄ©!uV"h±€5‚€3µ* 5°C.ü¹¤•e1A+£D/Åø=,éêëþI§•ÊÈS4j1šë"©µ+ö'Vµ¿&
Ç(uŒf$N##Õ£4£
^Z%½w8”S @·9rÄxÒwãQzc;½~W ßߌ•¢{¾"Þ7ßwçþ9Ü®«ÁuaAVÉ™ íC R¬Ìâp•%j=ÎJÁ7m@
'2,­˜É0Ê*ø«b„(Õ(ÕLÁ),R5 ËTZsp®<2 ?Þá Ìð¹ #üýÉÛˆªOJn%‹oÝŒߺ• >´ |ÄOßÆá­i7vß6ãv”¤)'YRü9RmNÄžž$ÒÞÆdãúÛׯ߾cý;ßõöÞø®§÷;á
ÎÅôÁ;è?pÎ¥Ëè*üK¼¯Ç«è*îÙ?mâ>ÜÅ:üq» ·˜´jADR’×(3
Õ$û(^@%o[à¡
Šn1¨Ä­_´<¾s3ÍÇnbÞ¾õÅRBïه׮ݶ÷“/þ½÷i¥¶h¢ßršÍ¼Âµ¡P“ÙÔN|¹K4‡šýMz#ò·ü=Ž‘IÅÌ[ʦ.Έ4ÞŒ—"äÈ=•U5'B«*P}ó;Æ‹^o7y8$àUÉp&ÐfúÝ>©ÓI¾Ì-v·xs‚Ñ"Ç(HXˆHvQ$™²ˆ|‰XCa¾A'Jf?L´ÄŒ‚
D$š‡ûhCõ‰!JØ`Ì3§™Ý}ñ±Œ‰…ˆ¾:ÓàNgC±•ßMa<5söÊ}ì¾Ï¯)<óþÁ©ËË^9ƒwßÀò½¾¸uKûƒÂ+>µ{in~bnïFéÂ_ß~ø¨0«÷ê¯Ö­ÞèÎ&Ï£Ñ9ÆyéƒÎªÖ*­=,,4S«
±ïó>Où·›ñóè)±ÝÞfÞ>4T« R¡¨ 4ÃpUZDâPV#÷t_f7HxÙÚ—bühsŸ¹>V…T`jD%`–™õuñÃ~¤¯“€YÍ;r\rmÎKóZ÷V?²èíãôûžÊó‹ުؾ¯ikÕŸ_Æ^—ftJ{Þ3ví}e‘þÃß~áÂ߆
{/7kãòº%¶€„Îݯÿw4ОrT¡`‡AVßhˆè£%vg7ãúB0<Al ÃÎÐXˆ<7/HJ/mþã=™‡ÕH,HÄšvÿí&¼!Ôj.@í³TˆÞ`ý>ìþr"…²–£5o;£7Úšg̼?ܨ#-'sߢÊ}²G ãÈ£=úê¹cÆŽ0§ŠÜè©øô•ô1£GB¬ø(ïeä9b0ëe » ÙµàÎÂyö‰$|ˆ@†
Õ¦ %²2Óª´¨œú+Oš=+ÂÎreœ,Tà{ÏÑ)×é”sû¤Xp¤<ïBn[УY5Z¨Õ­N îT§»PAñg%µZ%؉ GzlGúL-„J5!:¨õ¬@TnvëT(Á}³´gl_\Œ|óð bÑBÍü¯¿†)Ò¼0&†iYw8VËÓ£´³…ْΪ‹î"vñ.i¨:Vc×EéS„Ñ$E-QÖŒÐÔ£b<[(!3ÅÒ=ò=ªBõLM‰n®~¡ºBßL–ˆÍš%ºHPNsrf¿$R‡#Oµî{gë©KÇμq |w‰èùHì¼K–ö0»²_:yŽðªcŠÆüP'tìË“/@…mçµ$öEÒs.S™„aH#ë€{P_ˆ4F˲‰Ë=—Íwd¦;9t§¦
,Žò’D¿‡’)JW¢»_h––êtì·QmTûêp¨ÕbÕv]
d!³Ô%:—Ð ˜Xp…|‚¥,«˜ñ>dáùïÓ |é}ú_ƒðú–Ü›ÙsEXÓ»‚°Ç¢újA5šåˆ¿“V5R3ZÕ™,ÜBjC$«8V
EcUnîê÷g•“£Åü¡ý=\…¿OÃYŠS-lë9Ý»@ø5·‹€ÇVç³Áj¥ÇZ™©f=¾v r,& ™ÅyH´Í}%É FßAµ´Œ•—sYÏ¥¤8ü 9Ýs
¾ë
“.ì¸U»o‡¸•Ý:K¿%Keð-¡£xX~Q8Œ^€’Œc
ÞéáM§pßHs²o8>‹ŸþæZ"û´þÐÓú¯÷{0OË4ø~KgÏW솼í=ö<{“ÃøE‰íÆÉ{ä¡‹€ÊÞöBÊžBZòÍ7²Ï÷m•EeïIäiq#÷%þ-aw \R™Î¿É[@o<ÜÊ ¼‚_?H·Ò‡â×õïàM´IÆ}
ÏQvÊøêÀ"Þtßî‰çn%ÐêiÓ”{fVñªpC.‡¹v‡A/‰x,ñÜEr@S<倡øž’—`²cÔ¬n…ð‹8`=*—Ó
ø~w:R\Îj@T㸠"K MïoT¡ÃþªKø&Û±!–íþ^Ø_ 0he}M”}ÇßeºÆBWr4‰žkîþ«9ÍÝ~ I K´%†'FìF»ñna·v·nßnënÿÝ»
sq_/&5…•_žv̜š»÷>_è÷Äo–U=ú,~é¥1ϯúÝ›·þù^·mÞñ{Ê–l:5.Ê&$ßWçª{çHL^ïê½Î{_ÙsôDȺæ‘#:¢£ “¶)¹Ò+@+è
ÐŒþz
i1jZ|· @ËD½,æ„mIIÊ%ž ±ªg`ïó>;¿åÍT‘´mX»îÖ­ÝÐûIÜcåo|~åŒs{|G‡ðî^8ÿÑÂý…%P,~M¿¤§fmf-atð±ïP#P¿Éë¸ m
8î×BL-šNÖ€°è‘œ:ëé?˜Xóîú5 <œí“/¤=ôClÇâÝ;òs·Íýý‘£ûç?š‘‹Gaxº+î•ŒÑûóÙÇŒg|YxX%“ ù|ZÔÛ
ø1b¡Ššh¶è&1¾0æ +`¹ì”LÑoàCdvGGüvç™+_¼áÚA֮ݴiíÚ
äœ0á‡îÍE3ñì‹Í8u&Õ½ûÁGç/|øŸà‹/à“툂Zk7i6Ë~‡±Üâ…_ hñîôÚB„`“ÆOF¹Á·.åQƪËLM×®ò²lÇÍ_ç@€*EÍÄ’žOŽ=[r¼ºòä=ôýÛ¾y÷»q놵ûM¼Ùò‹¯J{˜—†½±;è_OíyæÀN&?ð‘ÑÀ7o4¸fÂzõa· Ç ò ­à­BIö2ê|X/"³ûù«$ÖèN²0ÎùÂî!¸ïÎ:ëDŠÑçʦâÕte½€cŸy^öÙ~÷²֞r®5¿ãYE—ÓI¢Åm³“ÑúРh
±lòöÓ´„úµ Xl¨ñäÐwE Y?Q¶XÂ'Áv¹¥gº|¹K1VÓÖI»S¿½}„þrœ0@¸Ö”d2{ýêõ[Z7¬\ßqõ³¼½E vOxdCÜ£Õ]_|ÑUÕ–Ð!¤}ï½³gßÿ€^ì¡=ÁA‡ããöP¯˜7Æ*¬Æ£gÌÞªä^Œq ò5wêƒzXF“½ ’çø0[ä¦8¶›g‚iüéY~ë; 1è¥E÷­ÞÔÑ1üé†ß=#î,nßòâïz×Ë>½OÎ/û˜ñí ì—ûiŠw¨#}—ö1tB‹$O‡e)MѪ °ËÊóCÝ7&ú*8Ù7*Ð÷puO
®¦ã°Žq~OBk+É&°Û&èAL°Te£!ÂÚ5>LL]†ÇÈ õIN-h£(ò¸GW—[mùfŠ]I¼½â#+÷eùÃz%ô$¾þüoé³Á¬|ȧ­·ZN¾³s…üÛ+
¾ƒÜ¿rŒV[•œÉ
9“Æ
¹ƒU¥&d•!‰D+d¸JëåzÌÝ{Ñ`YÎBÙzàxw']º|Gº¿b_²Ä"¼Šå‘…² Vû þ’¿:E!åB“°D«Vñ—ä@•¿z(‰–†ªÆ1¥ÓT©êÉ$W5Kž¥ZL*ÅJ¹RÕLî—šåfUð™îNüÉßèDL?¦ 6vÊ>=Ëñ9:»7GÈ\MÓöÝ@»VžGAåˆö°þ9,AÒŽd]ž†=#Ôó¦’¥ð˜={6†Y`ïc +ï™õÞ•ß¾@ßÇ—pÛ/~¹óü òìGÆî]ƒ­E ß8¢ý-F¨B!A²ÊWßb#A'L*d6ª§Êùæ©Æü`ÿ©Ù‘,øê!øšyð
¼}|Ô¬ž±=JrƘ:öò5~ƒ›ÕáÀ^ÇÄD1QJ”U‰êDM¢6Q—î—nM÷OHLJNI]EV‰î›êUšUÚUºV¿Vk«k@k`kPkpkHkh$žË“_` ý–âË/
OFTN^_ûtJδ1O§MÎM{ê©ð²ô<¹:)û½Ô»TXýUÃòO{W
«¿©cßâüùcÓsúìxq§½žøq{½ü£öêûoìUœÿ47WÖ‡80‰û9ÞÏ‘[,¨EÏrŘE,¾ãý¹Óïïç ¸Ó;ð‘¡¢åÁ[6?øàæ+ßÝøâÊäÒï^øðà ï~°“¾Mÿ†YõÏöí¤3ÄbØ—ÅÃdGp_<ì4lÇ'ɉˆ…yT)€íö…D{îaPî°ô¥—XHüìó7Ê·ãoÖ+yÃúͽ§emkÑLú*ýÒ„Ó3ñuwê øü´P —òÜpêË]:ÛƒNœá™ËDÈaÆ÷Gé8
docs/sprint-2/cannamanage-sprint2-plan.md
+381
View File
@@ -0,0 +1,381 @@
# CannaManage — Sprint 2 Architecture Review & Implementation Plan
**Date:** 2026-06-11
**Author:** Patrick Plate / Lumen (Planner)
**Status:** Draft v1 — awaiting GO
**Branch:** `sprint/2-api`
**Sprint Goal:** REST API layer + Spring Security + OpenAPI + Tenant Filter integration
---
## 1. Current State Assessment
### 1.1 Sprint 1 Deliverables (Complete ✅)
| Component | Status | Notes |
|-----------|--------|-------|
| 8 JPA entities | ✅ | `Club`, `Member`, `Batch`, `Distribution`, `MonthlyQuota`, `StockMovement`, `Strain`, `User` |
| `AbstractTenantEntity` | ✅ | Hibernate `@Filter` + `@PrePersist` sets `tenantId` from `TenantContext` |
| `TenantContext` | ✅ | ThreadLocal UUID holder |
| `ComplianceService` | ✅ | Full CanG §19 enforcement: daily/monthly/batch/THC checks |
| 5 repositories | ✅ | `Member`, `Distribution`, `Batch`, `MonthlyQuota`, `Strain` |
| 25 tests, 100% JaCoCo | ✅ | |
### 1.2 Sprint 2 Draft Code (Exists — Needs Revision)
| File | Status | Issues Identified |
|------|--------|-------------------|
| `JwtService.java` | ⚠️ Functional but needs decisions | Token expiry: 1h access + 30d refresh (matches API spec) |
| `JwtAuthFilter.java` | ⚠️ Good pattern | Sets TenantContext correctly, cleans up in `finally` |
| `SecurityConfig.java` | ⚠️ Needs role alignment | Uses `STAFF` role not defined in `UserRole` enum |
| `GlobalExceptionHandler.java` | ✅ Solid | RFC 9457 ProblemDetail pattern, covers key exceptions |
| `application.properties` | ⚠️ | Dev secret hardcoded (acceptable for dev), `flyway.enabled=false` |
---
## 2. Architecture Conflicts Identified
### 🔴 CONFLICT 1: Multi-Tenancy Model Mismatch
**Architecture Doc says:** Schema-per-tenant (`CREATE SCHEMA tenant_{id}`, `SET search_path`)
**Sprint 1 implemented:** Shared-schema with Hibernate `@Filter` on `tenant_id` column
**Analysis:**
The architecture doc (Section 2) explicitly argues for schema-per-tenant with a `TenantRoutingDataSource`. However, Sprint 1 actually implemented a **shared-schema approach** using `@FilterDef`/`@Filter` on `AbstractTenantEntity`. Every entity has a `tenant_id` column and `@PrePersist` sets it from `TenantContext`.
**Impact:** This is not a bug — it's a pragmatic MVP decision. Schema-per-tenant is operationally complex for a solo dev. The shared-schema + Hibernate filter approach works for MVP scale (<50 clubs). The code is internally consistent.
**Decision needed:**
- **Option A:** Keep shared-schema + `@Filter` for MVP (recommended — less ops complexity)
- **Option B:** Refactor to schema-per-tenant as documented (correct long-term, but 2-3 days of plumbing)
**Recommendation:** Option A. The Hibernate `@Filter` approach works and the data model already has `tenant_id` everywhere. We can migrate to schema-per-tenant in v2 when onboarding > 50 clubs. The critical invariant — tenant isolation — is preserved either way.
---
### 🟡 CONFLICT 2: Role Model Divergence
**Architecture Doc roles:** `ROLE_CLUB_ADMIN`, `ROLE_STAFF`, `ROLE_MEMBER`, `ROLE_PREVENTION_OFFICER`
**API Spec roles:** `ADMIN`, `MEMBER` (only two roles mentioned in endpoints)
**Sprint 1 UserRole enum:** `ROLE_ADMIN`, `ROLE_MANAGER`, `ROLE_MEMBER`, `ROLE_PREVENTION_OFFICER`
**SecurityConfig draft:** References `ADMIN`, `STAFF`, `MEMBER`
**Problems:**
1. `ROLE_MANAGER` exists in the enum but is not in the architecture doc (which has `ROLE_STAFF`)
2. `SecurityConfig` references `STAFF` but the enum has `MANAGER`
3. The API spec only distinguishes `ADMIN` and `MEMBER` — no STAFF endpoints at all
4. Architecture doc defines a `StaffPermission` enum with fine-grained permissions — not implemented
**Decision needed:**
- **Option A:** Sprint 2 MVP uses only ADMIN + MEMBER (matches API spec, simplest)
- **Option B:** Implement ADMIN + STAFF + MEMBER now (matches architecture doc intent)
- **Option C:** Full permission model with `StaffPermission` JSONB column
**Recommendation:** Option A for Sprint 2. The API spec only defines ADMIN and MEMBER roles with clear permission boundaries. STAFF with configurable permissions (Option C) is a Sprint 3/4 feature — it requires a `staff_accounts` table, permission grants, and a custom `PermissionEvaluator`. The `ROLE_PREVENTION_OFFICER` is effectively a member with extra read access to under-21 data — can be a flag on the User entity rather than a separate role.
---
### 🟡 CONFLICT 3: Token Expiry Discrepancy
**Architecture Doc:** 8-hour access token
**API Spec:** 1-hour access token (`expiresIn: 3600`)
**Current Code:** 1-hour (matches API spec)
**Recommendation:** Keep 1-hour. Shorter tokens are more secure for a compliance SaaS handling personal data. The refresh token (30 days) handles UX. The architecture doc value was aspirational; the API spec value is the contract.
---
### 🟢 NON-ISSUE: Spring Boot 4.0.6 + Spring Security 7
The current code is already on Boot 4.0.6. Key observations:
1. **`SecurityFilterChain` pattern** — already used correctly (no deprecated `WebSecurityConfigurerAdapter`)
2. **`SessionCreationPolicy.STATELESS`** — correct for JWT API
3. **JJWT 0.12.6** — latest stable, works with Boot 4
4. **Spring Security 7 modularization**`spring-security-access` module may be needed if using `@PreAuthorize`. Boot starter pulls it in transitively.
5. **`springdoc-openapi-starter-webmvc-ui`** — compatible with Boot 4.x (version needs checking in POM)
---
## 3. Sprint 2 Scope
### ✅ IN Scope
| # | Feature | User Stories | Priority |
|---|---------|-------------|----------|
| 1 | **Auth Controller** — login, refresh, logout | US-011 | Must |
| 2 | **Member Controller** — CRUD + quota endpoint | US-002, US-014 | Must |
| 3 | **Distribution Controller** — create + list | US-003, US-004 | Must |
| 4 | **Stock Controller** — strains CRUD, batches CRUD, recall | US-005, US-009 | Must |
| 5 | **Compliance Controller** — quota check, dry-run check | US-004 | Must |
| 6 | **Report Controller** — monthly JSON (PDF deferred) | US-007 | Must (JSON only) |
| 7 | **Club Controller** — /clubs/me, /clubs/me/stats | US-006 | Must |
| 8 | **OpenAPI/Swagger UI** — full API documentation | — | Must |
| 9 | **Hibernate Filter activation** — enable `tenantFilter` on every request | — | Must |
| 10 | **Integration tests** — MockMvc + H2 for all controllers | — | Must |
### ❌ OUT of Scope (Sprint 3+)
| Feature | Reason |
|---------|--------|
| STAFF role + StaffPermission model | Requires separate table + custom PermissionEvaluator |
| PDF/CSV report generation | Requires iText 7 dependency + report templates |
| Member portal (session-based auth) | Different security chain, Sprint 3 |
| Email notifications | Requires Jakarta Mail setup |
| Stripe integration | v2 feature (US-015) |
| Rate limiting on login | Nice-to-have, can add via Spring Cloud Gateway or `bucket4j` later |
| CORS configuration | Needs frontend domain — add when React app exists |
| Schema-per-tenant migration | v2 operational maturity |
---
## 4. Architecture Decisions
### AD-01: Shared-Schema Multi-Tenancy (Keep Current)
**Context:** Architecture doc prescribes schema-per-tenant, Sprint 1 uses Hibernate `@Filter`.
**Decision:** Keep `@Filter` approach for MVP.
**Rationale:** Reduces ops complexity for solo dev. Hibernate filters are reliable when properly activated. The data model is already correct — migration to schema-per-tenant later only requires infrastructure changes, not entity redesign.
**Risk:** If the filter is not enabled on a session, queries return cross-tenant data. Mitigation: the `TenantFilterAspect` (new component, see Step 4 below) will guarantee activation.
### AD-02: Two-Role Model for Sprint 2
**Context:** Architecture doc defines 4 roles + configurable staff permissions.
**Decision:** Sprint 2 uses `ADMIN` and `MEMBER` only.
**Rationale:** API spec only documents these two. SecurityConfig URL rules are sufficient. `@PreAuthorize` annotations on controller methods provide method-level granularity.
**Consequence:** Rename `UserRole.ROLE_MANAGER` → remove it. Keep `ROLE_PREVENTION_OFFICER` as a marker for later but don't enforce it in Sprint 2 security rules.
### AD-03: JwtService as Single Source of Auth Truth
**Context:** No UserDetailsService loading from DB on every request.
**Decision:** JWT claims are sufficient for authorization. No DB hit per request.
**Rationale:** Stateless JWT. The token contains `sub` (userId), `tenant_id`, and `role`. These are all SecurityConfig needs. If we need to check `user.active` in real-time, we'll add a refresh-token-revocation mechanism (invalidate refresh token → user is forced to re-login within 1 hour).
**Tradeoff:** A deactivated user remains authenticated until their access token expires (max 1 hour). Acceptable for MVP.
### AD-04: ProblemDetail (RFC 9457) for All Errors
**Context:** API spec defines a custom error format with `status`, `error`, `code`, `message`, `timestamp`, `path`.
**Decision:** Use Spring's native `ProblemDetail` + custom properties.
**Rationale:** Already implemented in `GlobalExceptionHandler`. Native Spring Boot support since 3.x. The custom error codes (QUOTA_EXCEEDED_MONTHLY, etc.) map to `ProblemDetail.setProperty("code", ...)`.
### AD-05: No Custom UserDetailsService
**Context:** Spring Security typically expects a `UserDetailsService` bean.
**Decision:** AuthController handles login directly via repository lookup + BCrypt verification. No Spring Security `UserDetailsService`.
**Rationale:** For JWT-only auth, the authentication manager is only needed at login time. The `JwtAuthFilter` bypasses Spring's standard auth flow entirely — it sets the SecurityContext directly from JWT claims. This is cleaner for stateless APIs.
---
## 5. Implementation Steps (Ordered)
### Phase 1: Foundation Fixes (Day 1)
| Step | What | Files |
|------|------|-------|
| 1.1 | Fix `UserRole` enum — rename MANAGER→STAFF, keep PREVENTION_OFFICER as future placeholder | `cannamanage-domain/.../enums/UserRole.java` |
| 1.2 | Add `UserRepository` to service module | `cannamanage-service/.../repository/UserRepository.java` |
| 1.3 | Create `TenantFilterAspect` — AOP aspect that enables Hibernate filter on `EntityManager` before every `@Transactional` service call | `cannamanage-service/.../config/TenantFilterAspect.java` |
| 1.4 | Add `updatedAt` field to `AbstractTenantEntity` (currently missing vs. architecture doc) | `cannamanage-domain/.../entity/AbstractTenantEntity.java` |
| 1.5 | Create H2 dev profile with `spring.flyway.enabled=true` + initial migration | `cannamanage-api/src/main/resources/application-dev.properties`, `db/migration/V1__init.sql` |
### Phase 2: Auth Controller (Day 1-2)
| Step | What | Files |
|------|------|-------|
| 2.1 | Create `AuthController` with `POST /login`, `POST /refresh`, `POST /logout` | `cannamanage-api/.../controller/AuthController.java` |
| 2.2 | Create `LoginRequest`, `LoginResponse`, `RefreshRequest`, `RefreshResponse` DTOs | `cannamanage-api/.../dto/auth/` |
| 2.3 | Create `AuthService` — handles login logic, password verification, refresh token rotation | `cannamanage-service/.../AuthService.java` |
| 2.4 | Add domain exception handlers for `QuotaExceededException`, `MemberNotFoundException`, `BatchNotFoundException` to `GlobalExceptionHandler` | `cannamanage-api/.../exception/GlobalExceptionHandler.java` |
### Phase 3: Member Controller (Day 2-3)
| Step | What | Files |
|------|------|-------|
| 3.1 | Create `MemberController` — GET list (paginated), POST create, GET by id, PUT update, DELETE soft-delete | `cannamanage-api/.../controller/MemberController.java` |
| 3.2 | Create `MemberService` — business logic bridge between controller and repositories | `cannamanage-service/.../MemberService.java` |
| 3.3 | Create DTOs: `CreateMemberRequest`, `UpdateMemberRequest`, `MemberResponse`, `MemberSummaryResponse` | `cannamanage-api/.../dto/member/` |
| 3.4 | Add `GET /members/{id}/quota` endpoint (delegates to ComplianceService) | `MemberController.java` |
| 3.5 | Add `GET /members/me` for MEMBER-role self-view | `MemberController.java` |
### Phase 4: Distribution Controller (Day 3-4)
| Step | What | Files |
|------|------|-------|
| 4.1 | Create `DistributionController` — POST create, GET list (paginated + filtered), GET by id, POST /{id}/notes | `cannamanage-api/.../controller/DistributionController.java` |
| 4.2 | Create `DistributionService` — orchestrates ComplianceService + persists Distribution + updates batch stock | `cannamanage-service/.../DistributionService.java` |
| 4.3 | Create DTOs: `CreateDistributionRequest`, `DistributionResponse`, `AddCorrectionNoteRequest` | `cannamanage-api/.../dto/distribution/` |
| 4.4 | Implement batch stock decrement on distribution creation (atomic with compliance check) | `DistributionService.java` |
### Phase 5: Stock Controller (Day 4-5)
| Step | What | Files |
|------|------|-------|
| 5.1 | Create `StockController` — strains CRUD + batches CRUD + recall | `cannamanage-api/.../controller/StockController.java` |
| 5.2 | Create `StockService` — batch management, recall workflow | `cannamanage-service/.../StockService.java` |
| 5.3 | Create DTOs: `CreateStrainRequest`, `StrainResponse`, `CreateBatchRequest`, `BatchResponse`, `RecallBatchRequest` | `cannamanage-api/.../dto/stock/` |
| 5.4 | Implement recall — flags batch, returns affected members | `StockService.java` |
### Phase 6: Compliance + Club + Reports (Day 5-6)
| Step | What | Files |
|------|------|-------|
| 6.1 | Create `ComplianceController``GET /compliance/quota/{memberId}`, `GET /compliance/check` (dry-run) | `cannamanage-api/.../controller/ComplianceController.java` |
| 6.2 | Create `ClubController``GET /clubs/me`, `PUT /clubs/me`, `GET /clubs/me/stats` | `cannamanage-api/.../controller/ClubController.java` |
| 6.3 | Create `ClubService` — club profile + dashboard stats aggregation | `cannamanage-service/.../ClubService.java` |
| 6.4 | Create `ReportController``GET /reports/monthly?format=json` (JSON only for Sprint 2) | `cannamanage-api/.../controller/ReportController.java` |
| 6.5 | Create DTOs for all above | `cannamanage-api/.../dto/club/`, `.../dto/compliance/`, `.../dto/report/` |
### Phase 7: OpenAPI + Integration Tests (Day 6-7)
| Step | What | Files |
|------|------|-------|
| 7.1 | Add `@Tag`, `@Operation`, `@ApiResponse` annotations to all controllers | All controllers |
| 7.2 | Configure `OpenApiConfig` — info, security scheme, server URL | `cannamanage-api/.../config/OpenApiConfig.java` |
| 7.3 | Write `AuthControllerTest` — MockMvc tests for login/refresh/logout | `cannamanage-api/src/test/...` |
| 7.4 | Write `MemberControllerTest` — CRUD + auth + tenant isolation | `cannamanage-api/src/test/...` |
| 7.5 | Write `DistributionControllerTest` — compliance rejection scenarios | `cannamanage-api/src/test/...` |
| 7.6 | Write `StockControllerTest` — batch lifecycle + recall | `cannamanage-api/src/test/...` |
| 7.7 | Write `ComplianceControllerTest` — dry-run check | `cannamanage-api/src/test/...` |
| 7.8 | Ensure JaCoCo stays ≥ 80% on service module | Build config |
---
## 6. Key Technical Patterns
### 6.1 Tenant Filter Activation (New — Critical)
The Hibernate `@Filter` requires explicit activation on each `Session`. Currently nothing activates it. We need:
```java
@Aspect
@Component
@RequiredArgsConstructor
public class TenantFilterAspect {
private final EntityManager entityManager;
@Before("@within(org.springframework.stereotype.Service)")
public void enableTenantFilter() {
UUID tenantId = TenantContext.getCurrentTenant();
if (tenantId != null) {
Session session = entityManager.unwrap(Session.class);
session.enableFilter("tenantFilter")
.setParameter("tenantId", tenantId);
}
}
}
```
**Alternative:** A `HandlerInterceptor` that runs after the JwtAuthFilter and activates the filter. Both work — AOP is more robust as it catches service-to-service calls too.
### 6.2 Controller DTO Mapping Pattern
```java
@RestController
@RequestMapping("/api/v1/members")
@RequiredArgsConstructor
@Tag(name = "Members", description = "Member management")
public class MemberController {
private final MemberService memberService;
@PostMapping
@PreAuthorize("hasRole('ADMIN')")
@ResponseStatus(HttpStatus.CREATED)
public MemberResponse create(@Valid @RequestBody CreateMemberRequest request) {
return memberService.createMember(request);
}
}
```
### 6.3 Pagination Response Pattern
Use Spring's `Page<T>` mapped to a custom envelope matching the API spec:
```java
public record PageResponse<T>(
List<T> content,
int page,
int size,
long totalElements,
int totalPages
) {
public static <T> PageResponse<T> from(Page<T> page) {
return new PageResponse<>(
page.getContent(),
page.getNumber(),
page.getSize(),
page.getTotalElements(),
page.getTotalPages()
);
}
}
```
---
## 7. Risk Assessment
| Risk | Probability | Impact | Mitigation |
|------|-------------|--------|-----------|
| Hibernate `@Filter` not activated → cross-tenant data leak | High (if forgotten) | Critical | `TenantFilterAspect` AOP guarantee + integration tests verifying isolation |
| Spring Security 7 API changes break SecurityConfig | Low | Medium | Code is already using Boot 4.0.6 patterns — verified compatible |
| springdoc-openapi incompatibility with Boot 4 | Medium | Low | Check version in POM, use `2.8.x` which supports Boot 4 |
| JaCoCo coverage drops below 80% with new controllers | Medium | Low | Write MockMvc tests for every endpoint, assert status codes |
| `@PreAuthorize` not working without `@EnableMethodSecurity` | Low | High | Already enabled in SecurityConfig ✅ |
| JWT secret hardcoded in properties committed to Git | Medium (already there) | Medium | Replace with `${JWT_SECRET}` env var pattern before any production use |
---
## 8. Open Questions for Patrick
1. **Tenancy model:** Architecture doc says schema-per-tenant, Sprint 1 uses shared-schema + Hibernate `@Filter`. I recommend keeping `@Filter` for MVP. Agree?
2. **Role model for Sprint 2:** Keep it to ADMIN + MEMBER only? Or do you want STAFF (with basic URL-level permissions, not the full `StaffPermission` JSONB model) included now?
3. **`UserRole` cleanup:** The current enum has `ROLE_MANAGER` which doesn't exist in any doc. Replace with `ROLE_STAFF`? Or just remove and keep ADMIN + MEMBER + PREVENTION_OFFICER for now?
4. **Test database:** Use H2 in-memory for Sprint 2 tests, or set up Testcontainers PostgreSQL? H2 is simpler for dev speed; Testcontainers is more realistic but slower.
5. **Flyway migrations:** Should I create the full schema migration now (all 8 entities → DDL), or keep `ddl-auto=update` for rapid iteration and create migrations when stable?
6. **Member portal auth (Sprint 3 preview):** The architecture doc and SecurityConfig both hint at a session-based `/portal/**` chain. Confirm this is deferred to Sprint 3?
7. **Prevention Officer:** The architecture doc says this is a separate role with access to under-21 member data. Should this be:
- A separate `UserRole` value with specific `@PreAuthorize` rules?
- Or a boolean flag on the User/Member that grants additional read access via service-layer checks?
---
## 9. Definition of Done — Sprint 2
- [ ] All 7 controllers implemented with full CRUD per API spec
- [ ] JWT auth flow working: login → access token → authenticated requests → refresh → logout
- [ ] Tenant isolation verified: integration tests proving cross-tenant queries return 0 results
- [ ] Compliance checks enforced on distribution creation (fail with 422 + custom error codes)
- [ ] OpenAPI Swagger UI accessible at `/swagger-ui.html` with all endpoints documented
- [ ] `@PreAuthorize` annotations on all endpoints with correct role requirements
- [ ] GlobalExceptionHandler covers all domain exceptions with RFC 9457 ProblemDetail
- [ ] MockMvc integration tests for all controllers (≥ 2 tests per endpoint: happy path + auth failure)
- [ ] JaCoCo ≥ 80% on `cannamanage-service`, ≥ 70% on `cannamanage-api`
- [ ] No hardcoded secrets in committed code (move JWT secret to env var pattern)
- [ ] Build passes: `mvn clean verify`
---
## 10. Estimated Effort
| Phase | Effort | Cumulative |
|-------|--------|------------|
| Phase 1: Foundation Fixes | 3-4 hours | Day 1 |
| Phase 2: Auth Controller | 4-5 hours | Day 1-2 |
| Phase 3: Member Controller | 4-5 hours | Day 2-3 |
| Phase 4: Distribution Controller | 4-5 hours | Day 3-4 |
| Phase 5: Stock Controller | 4-5 hours | Day 4-5 |
| Phase 6: Compliance + Club + Reports | 4-5 hours | Day 5-6 |
| Phase 7: OpenAPI + Tests | 6-8 hours | Day 6-7 |
| **Total** | **~30-37 hours** | **~7 working days** |
---
*This plan covers the REST API backbone. Sprint 3 will address: member portal (session auth), PDF/CSV reports (iText 7), email notifications, and the STAFF permission model.*
docs/sprint-3/cannamanage-sprint3-plan-review.md
+316
View File
@@ -0,0 +1,316 @@
# Plan Review: CannaManage Sprint 3
**Date:** 2026-06-11
**Reviewer:** Roo (Plan Reviewer)
**Documents:** Sprint 3 Plan v2 (APPROVED by Planner)
**Verdict:** ✅ APPROVED
---
## Summary
The Sprint 3 plan is comprehensive, technically sound, and well-ordered. All deferred Sprint 2 features (staff, portal, reports, prevention officer, club settings) are covered. Architecture decisions are consistent with the existing codebase. The plan correctly builds on Sprint 2's shared-schema + TenantFilterAspect pattern rather than the architecture doc's theoretical schema-per-tenant model. 7 non-blocking findings identified — all are suggestions for improvement, none require plan revision.
---
## Review Checklist
### 1. Does the plan cover ALL deferred Sprint 2 items?
| Deferred Item | Plan Coverage | Status |
|---------------|--------------|--------|
| STAFF role | Phase 1 (StaffPermission enum, StaffAccount entity, SpEL checker) | ✅ |
| Member portal | Phase 5 (session-based SecurityFilterChain, PortalController) | ✅ |
| Reports | Phase 4 (ReportController, iText 7 PDF, Commons CSV) | ✅ |
| Prevention Officer | Phase 6 (configurable limit, assignment endpoint, under-21 gate) | ✅ |
| Club settings | Phase 2 (ClubController GET/PUT /clubs/me, stats) | ✅ |
| Integration tests | Phase 7 (Testcontainers PostgreSQL, 6 test classes) | ✅ |
**Result: ✅ PASS** — All deferred items fully addressed.
---
### 2. Architecture consistency with Sprint 2 patterns
| Pattern | Sprint 2 Implementation | Sprint 3 Plan | Consistent? |
|---------|------------------------|---------------|-------------|
| Tenant isolation | `TenantFilterAspect` (shared-schema, Hibernate @Filter) | Continues shared-schema; `staff_accounts` has `tenant_id` | ✅ |
| JWT auth | `JwtService` + `JwtAuthFilter` (stateless, JJWT) | Extends with `jti` + `permissions` claims | ✅ |
| SecurityConfig | `@Order(1)` API + `@Order(2)` Public | Inserts Portal `@Order(2)`, shifts Public to `@Order(3)` | ✅ |
| Role model | `UserRole` enum: `ROLE_ADMIN`, `ROLE_STAFF`, `ROLE_MEMBER` | Uses same enum; STAFF already present in code | ✅ |
| Entity base | `AbstractTenantEntity` with `tenant_id` | New entities (StaffAccount, InviteToken) follow same pattern | ✅ |
| Repositories | Spring Data JPA in `cannamanage-service/.../repository/` | New repos placed in same package | ✅ |
**Result: ✅ PASS** — Fully consistent with established patterns.
---
### 3. Staff permission model well-defined?
| Aspect | Assessment |
|--------|-----------|
| Enum values | 8 permissions covering all current features + 1 future (`MANAGE_GROW_CALENDAR`) | ✅ |
| Storage | JSONB on `staff_accounts` — correct for PostgreSQL, supports flexible permission sets | ✅ |
| Enforcement | SpEL `@PreAuthorize` + custom `StaffPermissionChecker` bean | ✅ |
| JWT embedding | Permissions in JWT for stateless checks; blacklist fallback for revoked tokens | ✅ |
| ADMIN bypass | `StaffPermissionChecker.has()` returns `true` for ADMIN role first | ✅ |
| Templates | 3 role templates (Ausgabe, Lager, Vorstand) — matches architecture doc | ✅ |
**Result: ✅ PASS** — Well-designed, DSGVO-compliant least-privilege model.
---
### 4. Member portal auth design clean?
| Aspect | Assessment |
|--------|-----------|
| Dual SecurityFilterChain | `@Order(2)` for `/portal/**` — correct isolation from API chain | ✅ |
| Session-based | `SessionCreationPolicy.IF_REQUIRED` + 30min timeout | ✅ |
| CSRF | Enabled via `CookieCsrfTokenRepository.withHttpOnlyFalse()` — React SPA can read cookie | ✅ |
| Read-only | All portal endpoints are GET — minimal attack surface | ✅ |
| Data isolation | Member can only see own data (enforced by `memberId` from session principal) | ✅ |
| `SameSite=Strict` | Correct for CSRF prevention | ✅ |
**Result: ✅ PASS** — Clean separation of concerns.
---
### 5. Dependencies pinned to specific versions?
| Library | Plan Version | Pinned? |
|---------|-------------|---------|
| iText 7 | `8.0.x` | ⚠️ Range |
| Apache Commons CSV | `1.11+` | ⚠️ Range |
| Caffeine | `3.1+` | ⚠️ Range |
| Spring Boot Starter Mail | Boot-managed | ✅ (BOM) |
| Testcontainers | `1.19+` | ⚠️ Range |
**Result: ⚠️ WARNING (non-blocking)** — Versions use ranges instead of exact pins. This is acceptable for a plan document (exact versions determined at implementation time by checking latest stable), but the implementor should pin exact versions in the POM.
---
### 6. Flyway V3 migration complete?
| Schema Change | Covered in V3? |
|---------------|---------------|
| `staff_accounts` table | ✅ Full DDL with JSONB, indexes, unique constraint |
| `revoked_tokens` table | ✅ With jti index + expires index |
| `invite_tokens` table | ✅ With token index, FK to users |
| `users.prevention_officer` column | ✅ `ALTER TABLE ADD COLUMN` |
| Club extension columns (9 columns) | ✅ All `ALTER TABLE ADD COLUMN IF NOT EXISTS` |
**Result: ✅ PASS** — All new tables and columns defined in a single idempotent migration.
---
### 7. Test plan comprehensive?
| Phase | Unit Tests | Integration Tests | Total |
|-------|-----------|-------------------|-------|
| P1 (Staff + Revocation) | T-01 to T-06 | — | 6 |
| P2 (Club) | T-07 to T-10 | — | 4 |
| P3 (Staff CRUD + Invite) | T-11 to T-14 | — | 4 |
| P4 (Reports) | T-15 to T-18 | — | 4 |
| P5 (Portal) | — | T-19, T-20 | 2 |
| P6 (Prevention Officer) | T-21, T-22 | — | 2 |
| P7 (Integration) | — | T-23 to T-26 | 4 |
| **Total** | **18** | **8** | **26** |
Coverage check:
- Every phase has at least one test: ✅
- Edge cases (expired token, invalid regex, permission denial): ✅
- E2E flows (invite → set-password → login → permission check): ✅
- Tenant isolation: ✅
- Token revocation lifecycle: ✅
**Result: ✅ PASS** — Comprehensive coverage matching all implementation phases.
---
### 8. Gaps between API spec and implementation plan?
| API Spec Endpoint | Sprint 3 Plan | Gap? |
|-------------------|---------------|------|
| `GET /clubs/me` (§6.1) | Phase 2 — `ClubController` | ✅ Covered |
| `PUT /clubs/me` (§6.2) | Phase 2 — `ClubController` | ✅ Covered |
| `GET /clubs/me/stats` (§6.3) | Phase 2 — `ClubStatsResponse` DTO | ✅ Covered |
| `POST /auth/logout` (§5.3) | Not explicitly addressed | ⚠️ See finding #3 |
| `GET /reports/monthly` (§10) | Phase 4 — `ReportController` | ✅ Covered |
| `GET /reports/members` (§10) | Phase 4 — member list export | ✅ Covered |
| `GET /reports/recall/{batchId}` (§10) | Phase 4 — recall report | ✅ Covered |
| Staff endpoints (not in spec) | Phase 3 — new endpoints | ️ Plan extends spec |
| Portal endpoints (not in spec) | Phase 5 — new `/portal/**` | ️ Plan extends spec |
| `POST /auth/set-password` (not in spec) | Phase 3 step 3.9 | ️ Plan extends spec |
**Result: ✅ PASS** — One minor gap (logout integration), otherwise plan both implements spec and correctly extends it for Sprint 3 scope.
---
### 9. Token revocation/blacklist approach sound?
| Aspect | Assessment |
|--------|-----------|
| DB-backed (no Redis) | Correct for MVP scale — simple, durable, no infrastructure dependency | ✅ |
| Caffeine cache (60s TTL, 10K max) | Appropriate tradeoff — worst case 60s window after revocation | ✅ |
| `jti` claim in JWT | Required for per-token revocation — currently missing, plan adds it | ✅ |
| `revokeAllForUser()` | Called on permission change + staff deactivation — correct triggers | ✅ |
| Cleanup scheduler (daily 3 AM) | Removes expired tokens to prevent table bloat | ✅ |
| Index on `jti` | Fast lookup for blacklist check | ✅ |
| Index on `expires_at` | Fast cleanup queries | ✅ |
**Result: ✅ PASS** — Sound, pragmatic approach for a club-scale application.
---
### 10. Risks not addressed?
| Potential Risk | Addressed? | Notes |
|----------------|-----------|-------|
| iText AGPL license | ✅ | Risk table mentions it, mitigation: switch to OpenPDF before go-live |
| Boot 4 `@EntityScan` issue | ✅ | Phase 7 step 7.1 explicitly addresses it |
| JSONB + Hibernate 6 | ✅ | `@JdbcTypeCode(SqlTypes.JSON)` mentioned |
| SMTP delivery | ✅ | Mailpit for dev, transactional email service for prod |
| Cache staleness | ✅ | Accepted as non-critical for club app |
| Portal CSRF + SPA | ✅ | `CookieCsrfTokenRepository.withHttpOnlyFalse()` |
| `JwtAuthFilter` portal path exclusion | ⚠️ | See finding #5 |
| Email domain regex DoS | ⚠️ | See finding #6 |
**Result: ✅ PASS** — All major risks addressed. Two minor items noted below.
---
## Findings
### ⚠️ Warnings (non-blocking — implement-time improvements)
#### 1. Dependency versions not pinned
**Plan §9** uses version ranges (`8.0.x`, `1.11+`, `3.1+`).
**Recommendation:** At implementation time, pin exact versions in the POM:
- iText 7: `8.0.5`
- Commons CSV: `1.12.0`
- Caffeine: `3.1.8`
- Testcontainers: `1.20.1`
---
#### 2. `revoked_tokens` table has no `tenant_id` column
The token blacklist is global across all tenants. This works correctly (tokens are unique by `jti` regardless of tenant), but it means:
- `revokeAllForUser(userId)` queries ALL tenants' revoked tokens
- No ability to purge one tenant's revoked tokens independently
**Recommendation:** Consider adding `tenant_id` for operational convenience. Not blocking — the current design is functionally correct.
---
#### 3. `POST /auth/logout` not integrated with token revocation
API spec §5.3 defines a logout endpoint that invalidates the refresh token. Sprint 3's `TokenRevocationService` adds access token revocation. The plan doesn't explicitly describe how these interact.
**Recommendation:** On `POST /auth/logout`:
1. Revoke refresh token (existing behavior)
2. Also add current access token's `jti` to `revoked_tokens` (new behavior)
This ensures immediate invalidation rather than waiting for natural token expiry. Implementor should handle this in Phase 1.
---
#### 4. Portal `formLogin` with JSON API may need `AuthenticationSuccessHandler`
The plan describes portal as "JSON API" (Decision D2: no Thymeleaf) but configures `formLogin()` with `defaultSuccessUrl`. Standard `formLogin` returns HTTP redirects (302), not JSON responses.
**Recommendation:** Implement a custom `AuthenticationSuccessHandler` that returns `200 OK` with session info as JSON, and a custom `AuthenticationFailureHandler` returning `401` JSON error. This aligns with the SPA architecture.
---
#### 5. `JwtAuthFilter.shouldNotFilter()` needs `/portal/**` exclusion
Current `shouldNotFilter()` skips `/api/v1/auth/`, `/swagger-ui`, `/v3/api-docs`. The plan adds a portal with session-based auth, but the JWT filter will still process `/portal/**` requests (finding no Bearer header → passes through).
**Recommendation:** Add `/portal/` to `shouldNotFilter()` for clarity and to avoid unnecessary filter processing:
```java
return path.startsWith("/api/v1/auth/")
|| path.startsWith("/portal/") // ← add this
|| path.startsWith("/swagger-ui")
|| path.startsWith("/v3/api-docs");
```
Not strictly blocking (filter already passes through when no Bearer header present), but cleaner.
---
#### 6. Regex pattern validation — potential ReDoS
`validateEmailDomain()` uses `email.matches(club.getAllowedEmailPattern())` with admin-supplied regex. Malicious or poorly written regex could cause catastrophic backtracking (ReDoS).
**Recommendation:** Add a timeout or use `Pattern.compile()` with a simple validation check:
```java
try {
Pattern.compile(pattern); // validates syntax
// Additionally: reject patterns with known dangerous constructs
// Or use a timeout: java.util.concurrent.CompletableFuture with timeout
} catch (PatternSyntaxException e) {
throw new InvalidRegexException(pattern);
}
```
The plan does validate invalid regex (step 2.7, test T-10) but doesn't mention ReDoS protection specifically.
---
#### 7. Architecture doc deviation should be noted
The architecture doc (03-Architecture.md) describes:
- Schema-per-tenant (Sprint 2 implemented shared-schema with `tenant_id`)
- `ROLE_CLUB_ADMIN` / `ROLE_PREVENTION_OFFICER` (code uses `ROLE_ADMIN` / boolean flag)
- 8-hour access token (code uses 1-hour)
These are expected evolutionary deviations — the architecture doc reflects initial design, and Sprint 2 made pragmatic choices. The architecture doc should be updated to reflect reality, but this doesn't block Sprint 3.
**Recommendation:** Add a backlog item to sync the wiki architecture doc with actual implementation post-Sprint 3.
---
## Traceability Matrix
| Requirement Source | Plan Step | Test Case | Status |
|-------------------|-----------|-----------|--------|
| Deferred: STAFF role | Phase 1 (1.11.15) | T-01 to T-06, T-25 | ✅ |
| Deferred: Club settings | Phase 2 (2.12.8) | T-07 to T-10 | ✅ |
| Deferred: Staff CRUD + invite | Phase 3 (3.13.15) | T-11 to T-14, T-25 | ✅ |
| Deferred: Reports (US-007, US-008) | Phase 4 (4.14.9) | T-15 to T-18 | ✅ |
| Deferred: Member portal | Phase 5 (5.15.7) | T-19, T-20 | ✅ |
| Deferred: Prevention Officer (US-010) | Phase 6 (6.16.8) | T-21, T-22 | ✅ |
| Deferred: Integration tests | Phase 7 (7.17.8) | T-23 to T-26 | ✅ |
| Decision D1: Token revocation | Phase 1 (1.5, 1.6, 1.10, 1.14) | T-05, T-06, T-26 | ✅ |
| Decision D2: Portal as JSON API | Phase 5 | T-19, T-20 | ✅ |
| Decision D3: Multiple prevention officers | Phase 6 (6.2, 6.7) | T-21 | ✅ |
| Decision D4: Minimal PDF branding | Phase 4 (4.4, 4.5) | T-16 | ✅ |
| Decision D5: Testcontainers | Phase 7 (7.2) | T-23 to T-26 | ✅ |
| Decision D6: Invite flow | Phase 3 (3.23.9) | T-11, T-12, T-25 | ✅ |
| Decision D7: Email domain whitelist | Phase 2 (2.7), Phase 3 (3.5) | T-09, T-10 | ✅ |
---
## Verdict
### ✅ APPROVED
The Sprint 3 plan is complete, technically sound, and ready for implementation. All 10 review checklist items pass. 7 non-blocking warnings are noted as implementation-time improvements — none require plan revision.
**Recommendation:** Proceed to implementation. The implementor should address warnings #3 (logout integration), #4 (portal auth handlers), and #5 (JwtAuthFilter exclusion) during Phase 1 and Phase 5 respectively.
---
## Review Metadata
| Field | Value |
|-------|-------|
| Review iteration | 1 of 3 (max) |
| Plan version reviewed | v2 |
| Time spent | ~15 minutes |
| Confidence | 92% |
| Blocking findings | 0 |
| Non-blocking findings | 7 |
docs/sprint-3/cannamanage-sprint3-plan.md
+844
View File
@@ -0,0 +1,844 @@
# CannaManage — Sprint 3 Implementation Plan
**Date:** 2026-06-11
**Author:** Patrick Plate / Lumen (Planner)
**Status:** ✅ APPROVED v2 — GO received
**Base Branch:** `sprint/2-api`
**Sprint Branch:** `sprint/3-staff-portal`
**Sprint Goal:** Staff permission model + Token revocation + Member portal + Club/Report controllers + Prevention Officer + Invite flow
---
## 0. Decisions (Confirmed by Patrick)
| # | Decision | Detail |
|---|----------|--------|
| D1 | JWT invalidation | **Token blacklist**`revoked_tokens` DB table + Caffeine cache (60s TTL). On permission change, all user's tokens revoked. |
| D2 | Portal rendering | **JSON API** — no Thymeleaf. React SPA consumes `/portal/**` with session cookies. |
| D3 | Prevention officer | **Multiple, configurable**`max_prevention_officers` on Club entity (default 2). Enforced on assignment. |
| D4 | PDF branding | **Minimal branding** — club name header, generated-at timestamp footer, page numbers. Inspection-ready. |
| D5 | Integration test DB | **Testcontainers PostgreSQL** — full fidelity for JSONB columns. |
| D6 | Staff creation | **Invite flow** — admin creates account, email invite sent, staff sets own password. Requires Spring Mail. |
| D7 | Email domain whitelist | **Regex pattern on Club settings**`allowed_email_pattern` column, validated on invite. NULL = unrestricted. |
---
## 1. Sprint 2 Recap (Context)
| Delivered | Status |
|-----------|--------|
| JWT auth (login + refresh with token rotation) | ✅ |
| SecurityConfig with ADMIN + MEMBER roles | ✅ |
| TenantFilterAspect (Hibernate @Filter activation) | ✅ |
| MemberController (CRUD) | ✅ |
| DistributionController (compliance-gated) | ✅ |
| StockController (batches) | ✅ |
| ComplianceController (wraps service) | ✅ |
| OpenAPI/Swagger | ✅ |
| Flyway V2 migration | ✅ |
| 25 unit tests passing | ✅ |
**Deferred from Sprint 2:** STAFF role, Member portal, Club settings, Report generation, Prevention Officer, Integration tests.
---
## 2. Sprint 3 Scope
### ✅ IN Scope
| # | Feature | Priority | Effort |
|---|---------|----------|--------|
| 1 | **Staff permission model**`StaffPermission` enum, `staff_accounts` table, `StaffPermissionChecker` SpEL bean | P0 | 1.5 days |
| 2 | **Token revocation**`revoked_tokens` table, `TokenRevocationService`, Caffeine cache, `JwtAuthFilter` integration | P0 | 0.5 days |
| 3 | **Club settings controller**`GET/PUT /clubs/me`, `GET /clubs/me/stats`, email domain whitelist, prevention officer limit | P0 | 0.5 days |
| 4 | **Staff management + invite flow** — CRUD + email invite + set-password endpoint + domain validation | P1 | 1.5 days |
| 5 | **Report controller** — monthly PDF/CSV/JSON, member list, recall report. Minimal branding (OpenPDF). | P1 | 1.5 days |
| 6 | **Member portal (session-based auth)** — second `SecurityFilterChain`, form login, `/portal/**` JSON endpoints | P1 | 1.5 days |
| 7 | **Prevention officer capability** — configurable limit, assignment endpoint, under-21 access gate | P2 | 0.5 days |
| 8 | **Integration tests** — Testcontainers PostgreSQL: auth flow, tenant isolation, staff perms, portal, reports | P2 | 1 day |
**Total estimated effort:** ~9 days (single worker, sequential)
### ❌ OUT of Scope (Sprint 4+)
- Stripe payment integration
- React frontend SPA (admin + portal)
- Schema-per-tenant migration
- Grow calendar / cultivation tracking
- DSGVO consent management UI
- PDF template customization per club (logo upload)
- Password reset flow (separate from invite)
---
## 3. Architecture Decisions
### 3.1 Staff Permission Model
```java
// New enum — cannamanage-domain
public enum StaffPermission {
RECORD_DISTRIBUTION, // can record distributions
VIEW_MEMBER_LIST, // can view member roster
VIEW_MEMBER_QUOTA, // can view individual member quota
ADD_MEMBER, // can register new members
VIEW_STOCK, // can view batch/strain inventory
RECORD_STOCK_IN, // can add new batches
VIEW_COMPLIANCE_REPORT, // can generate/download reports
MANAGE_GROW_CALENDAR // future — cultivation calendar
}
```
**Database design:**
```sql
CREATE TABLE staff_accounts (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
tenant_id UUID NOT NULL,
user_id UUID NOT NULL REFERENCES users(id),
display_name VARCHAR(255) NOT NULL,
granted_permissions JSONB NOT NULL DEFAULT '[]'::jsonb,
template_name VARCHAR(100), -- 'ausgabe', 'lager', 'vorstand', or NULL
active BOOLEAN NOT NULL DEFAULT true,
created_at TIMESTAMP NOT NULL DEFAULT NOW(),
updated_at TIMESTAMP NOT NULL DEFAULT NOW(),
CONSTRAINT uq_staff_tenant_user UNIQUE(tenant_id, user_id)
);
```
**Authorization — custom SpEL bean:**
```java
@Component("staffPermissions")
public class StaffPermissionChecker {
public boolean has(MethodSecurityExpressionOperations root, StaffPermission required) {
Authentication auth = root.getAuthentication();
if (auth.getAuthorities().stream().anyMatch(a -> a.getAuthority().equals("ROLE_ADMIN")))
return true;
if (auth.getAuthorities().stream().noneMatch(a -> a.getAuthority().equals("ROLE_STAFF")))
return false;
StaffAccount staff = staffAccountRepository.findByUserId(getUserId(auth));
return staff != null && staff.getGrantedPermissions().contains(required);
}
}
```
**Usage:**
```java
@PreAuthorize("hasRole('ADMIN') or @staffPermissions.has(#root, T(de.cannamanage.domain.enums.StaffPermission).RECORD_DISTRIBUTION)")
public ResponseEntity<DistributionResponse> recordDistribution(...)
```
**Staff permissions embedded in JWT:**
```json
{
"sub": "user-uuid",
"tenant_id": "tenant-uuid",
"role": "STAFF",
"permissions": ["RECORD_DISTRIBUTION", "VIEW_MEMBER_LIST", "VIEW_MEMBER_QUOTA"],
"jti": "unique-token-id",
"iat": 1712345678,
"exp": 1712349278
}
```
The `jti` claim enables token revocation. Permissions in the JWT allow stateless checks (with blacklist validation as fallback for revoked tokens).
---
### 3.2 Token Revocation (Decision D1)
**No Redis** — lightweight DB-based approach with in-memory caching:
```sql
CREATE TABLE revoked_tokens (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
jti VARCHAR(255) NOT NULL UNIQUE,
user_id UUID NOT NULL,
expires_at TIMESTAMP NOT NULL,
revoked_at TIMESTAMP NOT NULL DEFAULT NOW(),
reason VARCHAR(100) -- 'permission_change', 'logout', 'admin_action'
);
CREATE INDEX idx_revoked_tokens_jti ON revoked_tokens(jti);
CREATE INDEX idx_revoked_tokens_expires ON revoked_tokens(expires_at);
```
**Components:**
```java
@Service
public class TokenRevocationService {
private final Cache<String, Boolean> blacklistCache = Caffeine.newBuilder()
.expireAfterWrite(60, TimeUnit.SECONDS)
.maximumSize(10_000)
.build();
public boolean isRevoked(String jti) {
return blacklistCache.get(jti, key ->
revokedTokenRepository.existsByJti(key));
}
public void revokeAllForUser(UUID userId) {
// Revoke all active tokens for this user
// Called when permissions change or admin deactivates staff
}
}
```
**JwtAuthFilter integration:**
```java
// In JwtAuthFilter.doFilterInternal():
String jti = jwtService.extractClaim(token, "jti");
if (tokenRevocationService.isRevoked(jti)) {
response.sendError(401, "Token revoked");
return;
}
```
**Cleanup scheduled task:**
```java
@Scheduled(cron = "0 0 3 * * *") // daily at 3 AM
public void cleanupExpiredTokens() {
revokedTokenRepository.deleteByExpiresAtBefore(Instant.now());
}
```
---
### 3.3 Member Portal Auth (Decision D2)
Dual `SecurityFilterChain` — session-based for portal, JWT for API:
```java
@Bean
@Order(2)
public SecurityFilterChain portalSecurityFilterChain(HttpSecurity http) throws Exception {
http
.securityMatcher("/portal/**")
.csrf(Customizer.withDefaults()) // CSRF enabled
.sessionManagement(session -> session
.sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
.maximumSessions(1))
.formLogin(form -> form
.loginPage("/portal/login")
.loginProcessingUrl("/portal/login")
.defaultSuccessUrl("/portal/dashboard", true)
.failureUrl("/portal/login?error"))
.logout(logout -> logout
.logoutUrl("/portal/logout")
.logoutSuccessUrl("/portal/login?logout"))
.authorizeHttpRequests(auth -> auth
.requestMatchers("/portal/login", "/portal/css/**", "/portal/js/**").permitAll()
.requestMatchers("/portal/**").hasRole("MEMBER"));
return http.build();
}
```
**Portal JSON endpoints:**
| Endpoint | Method | Description |
|----------|--------|-------------|
| `/portal/login` | POST | Form login (session cookie returned) |
| `/portal/dashboard` | GET | Member dashboard (quota + recent distributions) |
| `/portal/me` | GET | Own profile data |
| `/portal/quota` | GET | Current month quota status |
| `/portal/distributions` | GET | Own distribution history (paginated) |
**Security invariants:**
- Members ONLY access their own data (enforced by `memberId` from session principal)
- All portal endpoints are GET (read-only) — no write operations
- Session timeout: 30 minutes
- `SameSite=Strict` cookie
- CSRF token provided via `CookieCsrfTokenRepository.withHttpOnlyFalse()`
---
### 3.4 Prevention Officer (Decision D3)
**Configurable limit on Club entity:**
```java
// Club.java
@Column(name = "max_prevention_officers")
private Integer maxPreventionOfficers = 2; // default: 2
```
**Enforcement on assignment:**
```java
public void assignPreventionOfficer(UUID userId) {
long currentCount = userRepository.countByTenantIdAndPreventionOfficerTrue(tenantId);
int limit = club.getMaxPreventionOfficers();
if (currentCount >= limit) {
throw new PreventionOfficerLimitExceededException(limit);
}
user.setPreventionOfficer(true);
userRepository.save(user);
}
```
**Access control for under-21 data:**
```java
@PreAuthorize("hasRole('ADMIN') or @preventionOfficer.check(authentication)")
public List<MemberResponse> getUnder21Members() { ... }
```
---
### 3.5 Staff Invite Flow (Decision D6)
**Sequence:**
```
1. Admin: POST /api/v1/staff { email, displayName, permissions, templateName? }
2. System: validates email against club's allowed_email_pattern (D7)
3. System: creates User (role=STAFF, active=false, no password)
4. System: creates StaffAccount (permissions JSONB)
5. System: creates InviteToken (72h expiry)
6. System: sends email with link: https://{domain}/auth/set-password?token={token}
7. Staff member: POST /api/v1/auth/set-password { token, password }
8. System: validates token, sets password_hash, sets active=true
9. Staff can now login via POST /api/v1/auth/login
```
**Database:**
```sql
CREATE TABLE invite_tokens (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
user_id UUID NOT NULL REFERENCES users(id),
token VARCHAR(255) NOT NULL UNIQUE,
expires_at TIMESTAMP NOT NULL,
used_at TIMESTAMP,
created_at TIMESTAMP NOT NULL DEFAULT NOW()
);
CREATE INDEX idx_invite_tokens_token ON invite_tokens(token);
```
**Spring Mail config (dev vs prod):**
```yaml
# application.yml
spring:
mail:
host: ${SMTP_HOST:localhost}
port: ${SMTP_PORT:1025} # Mailpit for dev
username: ${SMTP_USER:}
password: ${SMTP_PASSWORD:}
properties:
mail.smtp.auth: ${SMTP_AUTH:false}
mail.smtp.starttls.enable: ${SMTP_TLS:false}
```
---
### 3.6 Email Domain Whitelist (Decision D7)
**Club setting:**
```java
// Club.java
@Column(name = "allowed_email_pattern")
private String allowedEmailPattern; // regex, NULL = unrestricted
```
**Validation in StaffService:**
```java
private void validateEmailDomain(String email, Club club) {
if (club.getAllowedEmailPattern() == null) return; // unrestricted
if (!email.matches(club.getAllowedEmailPattern())) {
throw new EmailDomainNotAllowedException(email, club.getAllowedEmailPattern());
}
}
```
**Example patterns:**
- `^.*@gruener-daumen-ev\.de$` — club email only
- `^.*@(verein\.de|gmail\.com|gmx\.de)$` — approved domains
- `NULL` — any email accepted (default)
---
### 3.7 Report Generation (Decision D4)
**OpenPDF (LGPL fork of iText 5) with minimal branding:**
```java
@Service
public class PdfReportGenerator {
public byte[] renderMonthlyReport(MonthlyReport data, Club club) {
Document document = new Document(PageSize.A4);
// Header: club name + report title
document.add(new Paragraph(club.getName())
.setFont(PdfFontFactory.createFont(StandardFonts.HELVETICA_BOLD))
.setFontSize(16));
document.add(new Paragraph("Monatsbericht — " + data.getMonth())
.setFontSize(12));
// Content: data tables...
// Footer: generated timestamp + page numbers (via event handler)
document.close();
return baos.toByteArray();
}
}
```
**PDF footer pattern (OpenPDF PdfPageEventHelper):**
```java
public class FooterHandler implements IEventHandler {
@Override
public void handleEvent(Event event) {
PdfDocumentEvent docEvent = (PdfDocumentEvent) event;
// Add: "Erstellt am: {timestamp}" + "Seite {n} von {total}"
}
}
```
---
## 4. Implementation Phases
### Phase 1: Staff Permission Foundation + Token Revocation (Day 1-2)
| Step | Description | Files |
|------|-------------|-------|
| 1.1 | Create `StaffPermission` enum | `cannamanage-domain/.../enums/StaffPermission.java` |
| 1.2 | Create `StaffAccount` JPA entity (JSONB `granted_permissions`) | `cannamanage-domain/.../entity/StaffAccount.java` |
| 1.3 | Flyway V3 migration — all new tables + columns (see §6) | `db/migration/V3__sprint3_staff_portal.sql` |
| 1.4 | Create `StaffAccountRepository` | `cannamanage-service/.../repository/StaffAccountRepository.java` |
| 1.5 | Create `RevokedTokenRepository` | `cannamanage-service/.../repository/RevokedTokenRepository.java` |
| 1.6 | Create `TokenRevocationService` + Caffeine cache | `cannamanage-service/.../service/TokenRevocationService.java` |
| 1.7 | Create `StaffPermissionChecker` (SpEL bean) | `cannamanage-api/.../security/StaffPermissionChecker.java` |
| 1.8 | Create `PreventionOfficerChecker` (SpEL bean) | `cannamanage-api/.../security/PreventionOfficerChecker.java` |
| 1.9 | Update `JwtService` — add `jti` + `permissions` claims for STAFF tokens | `cannamanage-api/.../security/JwtService.java` |
| 1.10 | Update `JwtAuthFilter` — check token blacklist via `TokenRevocationService` | `cannamanage-api/.../security/JwtAuthFilter.java` |
| 1.11 | Update `SecurityConfig` — add STAFF role to relevant endpoint matchers | `cannamanage-api/.../security/SecurityConfig.java` |
| 1.12 | Add Caffeine dependency to POM | `cannamanage-service/pom.xml` |
| 1.13 | Update existing controllers with `@PreAuthorize` for staff access | All 5 controllers |
| 1.14 | Add token cleanup scheduled task | `cannamanage-service/.../service/TokenCleanupScheduler.java` |
| 1.15 | Unit tests for permission evaluation + token revocation | `StaffPermissionCheckerTest.java`, `TokenRevocationServiceTest.java` |
---
### Phase 2: Club Settings Controller (Day 2, half-day)
| Step | Description | Files |
|------|-------------|-------|
| 2.1 | Create `ClubResponse` DTO (includes `maxPreventionOfficers`, `allowedEmailPattern`) | `cannamanage-api/.../dto/club/ClubResponse.java` |
| 2.2 | Create `UpdateClubRequest` DTO | `cannamanage-api/.../dto/club/UpdateClubRequest.java` |
| 2.3 | Create `ClubStatsResponse` DTO | `cannamanage-api/.../dto/club/ClubStatsResponse.java` |
| 2.4 | Create `ClubService` | `cannamanage-service/.../service/ClubService.java` |
| 2.5 | Create `ClubController``GET/PUT /clubs/me`, `GET /clubs/me/stats` | `cannamanage-api/.../controller/ClubController.java` |
| 2.6 | `ClubRepository` (if not exists) | `cannamanage-service/.../repository/ClubRepository.java` |
| 2.7 | Regex validation for `allowedEmailPattern` (reject invalid regex) | In `ClubService` |
| 2.8 | Unit tests | `ClubControllerTest.java`, `ClubServiceTest.java` |
---
### Phase 3: Staff Management + Invite Flow (Day 3-4)
| Step | Description | Files |
|------|-------------|-------|
| 3.1 | Add Spring Mail dependency | `cannamanage-api/pom.xml` |
| 3.2 | Create `InviteToken` JPA entity | `cannamanage-domain/.../entity/InviteToken.java` |
| 3.3 | Create `InviteTokenRepository` | `cannamanage-service/.../repository/InviteTokenRepository.java` |
| 3.4 | Create `EmailService` — sends invite email | `cannamanage-service/.../service/EmailService.java` |
| 3.5 | Create `StaffService` — CRUD + invite + domain validation + template application | `cannamanage-service/.../service/StaffService.java` |
| 3.6 | Create DTOs: `CreateStaffRequest`, `UpdateStaffRequest`, `StaffResponse` | `cannamanage-api/.../dto/staff/` |
| 3.7 | Create `SetPasswordRequest` DTO | `cannamanage-api/.../dto/auth/SetPasswordRequest.java` |
| 3.8 | Create `StaffController` — admin-only CRUD | `cannamanage-api/.../controller/StaffController.java` |
| 3.9 | Add `POST /auth/set-password` endpoint to `AuthController` | `cannamanage-api/.../controller/AuthController.java` |
| 3.10 | Define role templates (Ausgabe, Lager, Vorstand) | `cannamanage-service/.../service/StaffTemplates.java` |
| 3.11 | Update `AuthService.login()` — reject `active=false` users | `cannamanage-service/.../service/AuthService.java` |
| 3.12 | On permission change: call `tokenRevocationService.revokeAllForUser(userId)` | In `StaffService` |
| 3.13 | Email template (plain text for MVP) | `src/main/resources/templates/invite-email.txt` |
| 3.14 | Spring Mail config in `application.yml` | `application.yml` |
| 3.15 | Unit tests | `StaffServiceTest.java`, `StaffControllerTest.java`, `EmailServiceTest.java` |
**Staff controller endpoints:**
| Endpoint | Method | Access | Description |
|----------|--------|--------|-------------|
| `/api/v1/staff` | GET | ADMIN | List all staff accounts |
| `/api/v1/staff` | POST | ADMIN | Create staff + send invite email |
| `/api/v1/staff/{id}` | GET | ADMIN | Get staff details |
| `/api/v1/staff/{id}` | PUT | ADMIN | Update permissions (revokes tokens) |
| `/api/v1/staff/{id}` | DELETE | ADMIN | Deactivate staff (revokes tokens) |
| `/api/v1/staff/templates` | GET | ADMIN | List permission templates |
| `/api/v1/auth/set-password` | POST | Public | Set password from invite token |
---
### Phase 4: Report Controller + PDF Generation (Day 4-5)
| Step | Description | Files |
|------|-------------|-------|
| 4.1 | Add OpenPDF + Commons CSV dependencies to POM | `cannamanage-api/pom.xml` |
| 4.2 | Create report data models | `cannamanage-service/.../model/report/MonthlyReport.java`, `MemberListReport.java`, `RecallReport.java` |
| 4.3 | Create `ReportService` — data aggregation queries | `cannamanage-service/.../service/ReportService.java` |
| 4.4 | Create `PdfReportGenerator` — OpenPDF with minimal branding | `cannamanage-service/.../service/PdfReportGenerator.java` |
| 4.5 | Create `FooterHandler` — OpenPDF PdfPageEventHelper for footer | `cannamanage-service/.../service/PdfFooterHandler.java` |
| 4.6 | Create `CsvReportGenerator` — Apache Commons CSV (UTF-8 BOM) | `cannamanage-service/.../service/CsvReportGenerator.java` |
| 4.7 | Create `ReportController` with `format` query param content negotiation | `cannamanage-api/.../controller/ReportController.java` |
| 4.8 | Report DTOs | `cannamanage-api/.../dto/report/` |
| 4.9 | Unit tests | `ReportServiceTest.java`, `PdfReportGeneratorTest.java` |
**Report endpoints:**
| Endpoint | Formats | Description |
|----------|---------|-------------|
| `GET /reports/monthly?month=2026-03&format=json\|pdf\|csv` | JSON/PDF/CSV | Monthly compliance report |
| `GET /reports/members?format=json\|pdf\|csv&status=ACTIVE` | JSON/PDF/CSV | Member list for authorities |
| `GET /reports/recall/{batchId}?format=json\|pdf` | JSON/PDF | Recall impact report |
---
### Phase 5: Member Portal (Day 5-6)
| Step | Description | Files |
|------|-------------|-------|
| 5.1 | Add portal `SecurityFilterChain` (`@Order(2)`) | `SecurityConfig.java` |
| 5.2 | Create `PortalUserDetailsService` — loads Member user from DB | `cannamanage-api/.../security/PortalUserDetailsService.java` |
| 5.3 | Create `PortalController` — JSON endpoints behind session auth | `cannamanage-api/.../controller/PortalController.java` |
| 5.4 | Portal DTOs — `PortalDashboard`, `PortalQuota`, `PortalDistributionHistory` | `cannamanage-api/.../dto/portal/` |
| 5.5 | `PortalService` — member-scoped queries (own data only) | `cannamanage-service/.../service/PortalService.java` |
| 5.6 | Session configuration — timeout, cookie settings | `application.yml` |
| 5.7 | Unit tests | `PortalControllerTest.java`, `PortalServiceTest.java` |
---
### Phase 6: Prevention Officer (Day 6, half-day)
| Step | Description | Files |
|------|-------------|-------|
| 6.1 | Add `preventionOfficer` field to `User` entity | `User.java` |
| 6.2 | Add `maxPreventionOfficers` field to `Club` entity | `Club.java` |
| 6.3 | `PreventionOfficerChecker` already created in Phase 1.8 | — |
| 6.4 | Add endpoint: `GET /members/under-21` to MemberController | `MemberController.java` |
| 6.5 | Add endpoint: `GET /members/{id}/prevention-data` | `MemberController.java` |
| 6.6 | Add endpoint: `PUT /staff/{id}/prevention-officer` (assign/revoke flag) | `StaffController.java` |
| 6.7 | Limit enforcement in StaffService | `StaffService.java` |
| 6.8 | Unit tests | `PreventionOfficerTest.java` |
---
### Phase 7: Integration Tests (Day 7)
| Step | Description | Files |
|------|-------------|-------|
| 7.1 | Fix Boot 4 `@EntityScan` issue from Sprint 2 | Investigate + fix |
| 7.2 | Base test class with Testcontainers setup | `AbstractIntegrationTest.java` |
| 7.3 | Auth flow integration test (login → JWT → access → refresh → revoke) | `AuthIntegrationTest.java` |
| 7.4 | Tenant isolation test (2 tenants, ensure no data leak) | `TenantIsolationTest.java` |
| 7.5 | Staff permission integration test (invite → set password → login → permission check) | `StaffPermissionIntegrationTest.java` |
| 7.6 | Portal session test (login → session → own data → deny other's data) | `PortalIntegrationTest.java` |
| 7.7 | Report generation test (monthly report with test data) | `ReportIntegrationTest.java` |
| 7.8 | Token revocation integration test (change perms → old token rejected) | `TokenRevocationIntegrationTest.java` |
---
## 5. Execution Strategy (Single Worker — Work Lumen)
All phases executed sequentially by Work Lumen. No parallelization — keeps full context continuity, avoids merge conflicts, and simplifies review.
| Day | Phase | Description |
|-----|-------|-------------|
| 1-2 | Phase 1 | Staff permission foundation + token revocation |
| 2 | Phase 2 | Club controller + settings |
| 3-4 | Phase 3 | Staff CRUD + invite flow + email |
| 4-5 | Phase 4 | Report controller + OpenPDF/CSV |
| 5-6 | Phase 5 | Member portal (session-based auth) |
| 6 | Phase 6 | Prevention officer |
| 7 | Phase 7 | Integration tests (Testcontainers) |
**Branch strategy:** Single branch `sprint/3-staff-portal` off `sprint/2-api`. Atomic commits per phase for clean git history.
---
## 6. Flyway Migration V3
Single migration covering all Sprint 3 schema changes:
```sql
-- V3__sprint3_staff_portal.sql
-- 1. Staff accounts with configurable permissions
CREATE TABLE staff_accounts (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
tenant_id UUID NOT NULL,
user_id UUID NOT NULL REFERENCES users(id),
display_name VARCHAR(255) NOT NULL,
granted_permissions JSONB NOT NULL DEFAULT '[]'::jsonb,
template_name VARCHAR(100),
active BOOLEAN NOT NULL DEFAULT true,
created_at TIMESTAMP NOT NULL DEFAULT NOW(),
updated_at TIMESTAMP NOT NULL DEFAULT NOW(),
CONSTRAINT uq_staff_tenant_user UNIQUE(tenant_id, user_id)
);
CREATE INDEX idx_staff_accounts_tenant ON staff_accounts(tenant_id);
CREATE INDEX idx_staff_accounts_user ON staff_accounts(user_id);
-- 2. Token revocation blacklist
CREATE TABLE revoked_tokens (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
jti VARCHAR(255) NOT NULL UNIQUE,
user_id UUID NOT NULL,
expires_at TIMESTAMP NOT NULL,
revoked_at TIMESTAMP NOT NULL DEFAULT NOW(),
reason VARCHAR(100)
);
CREATE INDEX idx_revoked_tokens_jti ON revoked_tokens(jti);
CREATE INDEX idx_revoked_tokens_expires ON revoked_tokens(expires_at);
-- 3. Invite tokens for staff onboarding
CREATE TABLE invite_tokens (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
user_id UUID NOT NULL REFERENCES users(id),
token VARCHAR(255) NOT NULL UNIQUE,
expires_at TIMESTAMP NOT NULL,
used_at TIMESTAMP,
created_at TIMESTAMP NOT NULL DEFAULT NOW()
);
CREATE INDEX idx_invite_tokens_token ON invite_tokens(token);
-- 4. User extensions
ALTER TABLE users ADD COLUMN prevention_officer BOOLEAN NOT NULL DEFAULT false;
-- 5. Club extensions
ALTER TABLE clubs ADD COLUMN IF NOT EXISTS registration_number VARCHAR(100);
ALTER TABLE clubs ADD COLUMN IF NOT EXISTS contact_email VARCHAR(255);
ALTER TABLE clubs ADD COLUMN IF NOT EXISTS contact_phone VARCHAR(50);
ALTER TABLE clubs ADD COLUMN IF NOT EXISTS address_street VARCHAR(255);
ALTER TABLE clubs ADD COLUMN IF NOT EXISTS address_city VARCHAR(100);
ALTER TABLE clubs ADD COLUMN IF NOT EXISTS address_postal_code VARCHAR(10);
ALTER TABLE clubs ADD COLUMN IF NOT EXISTS address_state VARCHAR(100);
ALTER TABLE clubs ADD COLUMN IF NOT EXISTS founded_date DATE;
ALTER TABLE clubs ADD COLUMN IF NOT EXISTS max_prevention_officers INTEGER NOT NULL DEFAULT 2;
ALTER TABLE clubs ADD COLUMN IF NOT EXISTS allowed_email_pattern VARCHAR(500);
```
---
## 7. Updated SecurityConfig Structure (Target State)
```java
@Configuration
@EnableWebSecurity
@EnableMethodSecurity
public class SecurityConfig {
// Order 1: API — stateless JWT + token blacklist check
@Bean @Order(1)
public SecurityFilterChain apiSecurityFilterChain(HttpSecurity http) {
// /api/** — JWT filter (with jti blacklist), no CSRF, stateless
// ADMIN: all, STAFF: per-permission via @PreAuthorize, MEMBER: self-service
}
// Order 2: Portal — session-based for members
@Bean @Order(2)
public SecurityFilterChain portalSecurityFilterChain(HttpSecurity http) {
// /portal/** — form login, CSRF, session, MEMBER only, 30min timeout
}
// Order 3: Public — Swagger, health, set-password
@Bean @Order(3)
public SecurityFilterChain publicSecurityFilterChain(HttpSecurity http) {
// /swagger-ui/**, /v3/api-docs/**, /actuator/health — permitAll
}
}
```
---
## 8. Test Plan Summary
| ID | Description | Type | Phase |
|----|-------------|------|-------|
| T-01 | Staff permission JSONB serialization/deserialization | Unit | P1 |
| T-02 | StaffPermissionChecker grants/denies correctly | Unit | P1 |
| T-03 | ADMIN bypasses all permission checks | Unit | P1 |
| T-04 | STAFF without RECORD_DISTRIBUTION gets 403 | Unit | P1 |
| T-05 | Token revocation: revoked jti returns 401 | Unit | P1 |
| T-06 | Caffeine cache expires and re-checks DB | Unit | P1 |
| T-07 | Club GET/PUT /me returns/updates correct data | Unit | P2 |
| T-08 | Club stats aggregation queries | Unit | P2 |
| T-09 | Email domain whitelist rejects invalid email | Unit | P2 |
| T-10 | Invalid regex in allowedEmailPattern returns 400 | Unit | P2 |
| T-11 | Staff invite flow: create → email → set-password → login | Unit | P3 |
| T-12 | Expired invite token returns 400 | Unit | P3 |
| T-13 | Permission change revokes all user tokens | Unit | P3 |
| T-14 | Role template application (Ausgabe grants correct perms) | Unit | P3 |
| T-15 | Monthly report data aggregation | Unit | P4 |
| T-16 | PDF generation produces valid output with branding | Unit | P4 |
| T-17 | CSV export with UTF-8 BOM + correct columns | Unit | P4 |
| T-18 | Recall report identifies all affected members | Unit | P4 |
| T-19 | Portal session login + own-data-only access | Integration | P5 |
| T-20 | Portal CSRF protection (POST without token → 403) | Integration | P5 |
| T-21 | Prevention officer limit enforcement | Unit | P6 |
| T-22 | Non-prevention-officer gets 403 on under-21 endpoint | Unit | P6 |
| T-23 | Full auth flow: login → refresh → revoke → reject | Integration | P7 |
| T-24 | Tenant isolation: tenant A cannot see tenant B data | Integration | P7 |
| T-25 | Staff permission E2E: invite → activate → login → permission check | Integration | P7 |
| T-26 | Token revocation E2E: change perms → old JWT rejected | Integration | P7 |
---
## 9. Dependencies & Libraries
| Library | Version | Purpose | New? |
|---------|---------|---------|------|
| OpenPDF (librepdf) | 2.0.4 | PDF report generation (LGPL — SaaS-safe) | ✅ New |
| Apache Commons CSV | 1.11+ | CSV export | ✅ New |
| Caffeine | 3.1+ | In-memory token blacklist cache | ✅ New |
| Spring Boot Starter Mail | (Boot managed) | Email invite sending | ✅ New |
| Testcontainers PostgreSQL | 1.19+ | Integration tests | Already in POM |
| Spring Security Test | (Boot managed) | SecurityMockMvc | Already in POM |
---
## 10. Risk Assessment
| Risk | Probability | Impact | Mitigation |
|------|-------------|--------|------------|
| ~~iText 7 license~~ — RESOLVED: using OpenPDF (LGPL) | — | — | No longer a risk. OpenPDF is LGPL 2.1, fully SaaS-compatible. |
| Boot 4 `@EntityScan` blocks integration tests | Medium | Medium | Investigate `@AutoConfiguration` changes. Fallback: explicit `EntityManagerFactory` bean. |
| JSONB + Hibernate 6 serialization issues | Low | Medium | Hibernate 6 supports JSONB via `@JdbcTypeCode(SqlTypes.JSON)`. Test early in Phase 1. |
| SMTP delivery issues in prod | Low | Medium | Use transactional email service (Mailgun/Brevo free tier). Dev uses Mailpit (local). |
| Caffeine cache staleness (60s window) | Low | Low | Acceptable: worst case a revoked token works for 60 more seconds. Not a real security hole for a club app. |
| Portal CSRF + SPA interaction | Low | Low | `CookieCsrfTokenRepository.withHttpOnlyFalse()` → React reads `XSRF-TOKEN` cookie, sends as header. |
---
## 11. Definition of Done
Sprint 3 is **DONE** when:
- [ ] All 7 phases implemented and passing
- [ ] ≥ 26 tests (matching test plan)
- [ ] Flyway V3 migration applies cleanly on fresh PostgreSQL
- [ ] Staff invite flow works end-to-end (create → email → set password → login → permission check)
- [ ] Token revocation works (change perms → old JWT rejected within 60s)
- [ ] Portal login + session auth works independently of JWT
- [ ] Reports generate valid PDF (with club name + footer) and CSV output
- [ ] Prevention officer flag + configurable limit works
- [ ] Email domain whitelist validates on staff invite
- [ ] Integration tests pass with Testcontainers PostgreSQL
- [ ] Branch `sprint/3-staff-portal` green and pushed
---
## Appendix A: File Tree (New Files in Sprint 3)
```
cannamanage-domain/src/main/java/de/cannamanage/domain/
├── enums/
│ └── StaffPermission.java ← NEW
├── entity/
│ ├── StaffAccount.java ← NEW
│ └── InviteToken.java ← NEW
cannamanage-service/src/main/java/de/cannamanage/service/
├── repository/
│ ├── StaffAccountRepository.java ← NEW
│ ├── RevokedTokenRepository.java ← NEW
│ ├── InviteTokenRepository.java ← NEW
│ └── ClubRepository.java ← NEW (if not exists)
├── service/
│ ├── StaffService.java ← NEW
│ ├── StaffTemplates.java ← NEW
│ ├── ClubService.java ← NEW
│ ├── TokenRevocationService.java ← NEW
│ ├── TokenCleanupScheduler.java ← NEW
│ ├── EmailService.java ← NEW
│ ├── PortalService.java ← NEW
│ ├── ReportService.java ← NEW
│ ├── PdfReportGenerator.java ← NEW
│ ├── PdfFooterHandler.java ← NEW
│ └── CsvReportGenerator.java ← NEW
├── model/report/
│ ├── MonthlyReport.java ← NEW
│ ├── MemberListReport.java ← NEW
│ └── RecallReport.java ← NEW
cannamanage-api/src/main/java/de/cannamanage/api/
├── security/
│ ├── StaffPermissionChecker.java ← NEW
│ ├── PreventionOfficerChecker.java ← NEW
│ └── PortalUserDetailsService.java ← NEW
├── controller/
│ ├── ClubController.java ← NEW
│ ├── StaffController.java ← NEW
│ ├── ReportController.java ← NEW
│ └── PortalController.java ← NEW
├── dto/
│ ├── auth/
│ │ └── SetPasswordRequest.java ← NEW
│ ├── club/
│ │ ├── ClubResponse.java ← NEW
│ │ ├── UpdateClubRequest.java ← NEW
│ │ └── ClubStatsResponse.java ← NEW
│ ├── staff/
│ │ ├── CreateStaffRequest.java ← NEW
│ │ ├── UpdateStaffRequest.java ← NEW
│ │ └── StaffResponse.java ← NEW
│ ├── portal/
│ │ ├── PortalDashboard.java ← NEW
│ │ ├── PortalQuota.java ← NEW
│ │ └── PortalDistributionHistory.java ← NEW
│ └── report/
│ ├── MonthlyReportResponse.java ← NEW
│ ├── MemberListResponse.java ← NEW
│ └── RecallReportResponse.java ← NEW
cannamanage-api/src/main/resources/
├── db/migration/
│ └── V3__sprint3_staff_portal.sql ← NEW
├── templates/
│ └── invite-email.txt ← NEW
└── application.yml ← MODIFIED (mail config, session config)
cannamanage-api/src/test/java/de/cannamanage/api/
├── security/
│ ├── StaffPermissionCheckerTest.java ← NEW
│ └── TokenRevocationServiceTest.java ← NEW
├── controller/
│ ├── ClubControllerTest.java ← NEW
│ ├── StaffControllerTest.java ← NEW
│ ├── ReportControllerTest.java ← NEW
│ └── PortalControllerTest.java ← NEW
├── service/
│ ├── StaffServiceTest.java ← NEW
│ ├── EmailServiceTest.java ← NEW
│ ├── ReportServiceTest.java ← NEW
│ └── PdfReportGeneratorTest.java ← NEW
├── PreventionOfficerTest.java ← NEW
└── integration/
├── AbstractIntegrationTest.java ← NEW
├── AuthIntegrationTest.java ← NEW
├── TenantIsolationTest.java ← NEW
├── StaffPermissionIntegrationTest.java ← NEW
├── PortalIntegrationTest.java ← NEW
├── ReportIntegrationTest.java ← NEW
└── TokenRevocationIntegrationTest.java ← NEW
```
**Total new files:** ~50
**Modified files:** ~8 (existing controllers, SecurityConfig, JwtService, JwtAuthFilter, User entity, Club entity, application.yml, POMs)
docs/sprint-3/cannamanage-sprint3-security-review.md
+335
View File
@@ -0,0 +1,335 @@
# Security Review: CannaManage Sprint 3 — Phases 1-3
**Date:** 2026-06-11
**Module:** cannamanage (all modules)
**Reviewer:** Roo (Security Reviewer)
**Branch:** sprint/3-staff-portal (pre-implementation)
**Type:** Design-level security review (plan analysis)
**Verdict:** ✅ PASS (with advisory findings)
---
## Scope
Pre-implementation security analysis of Sprint 3 Phases 1-3:
- **Phase 1:** Staff Permission Foundation + Token Revocation
- **Phase 2:** Club Settings Controller + Email Domain Whitelist
- **Phase 3:** Staff Management + Invite Flow
---
## Scan Results
| Tool | Status | Notes |
|------|--------|-------|
| SonarQube (SAST) | ⏭️ Not applicable | Design-level review — no code to scan |
| Datarake (Secrets) | ⏭️ Not applicable | Design-level review |
| Snyk Code | ⏭️ Not applicable | Design-level review |
---
## Security Checklist (Adapted for Design Review)
| # | Rule | Check | Result | Notes |
|---|------|-------|--------|-------|
| 1 | SEC-001..004 | No hardcoded credentials in plan | ✅ | SMTP credentials use `${SMTP_*}` env vars, JWT secret uses `${cannamanage.security.jwt.secret}` |
| 2 | SEC-005 | Credentials via @Value/env | ✅ | All sensitive config externalized in `application.yml` via env vars |
| 3 | SEC-011 | No SQL injection vectors | ✅ | All DB access via Spring Data JPA repositories — no raw SQL concatenation |
| 4 | SEC-012 | No path traversal | ✅ | No file I/O in Phases 1-3 |
| 5 | SEC-016 | Input validation on all entry points | ⚠️ | See Finding #1 (invite token validation) and Finding #2 (regex pattern) |
| 6 | SEC-018 | No info disclosure in errors | ⚠️ | See Finding #3 (invite token error messages) |
| 7 | SEC-033 | PII handling | ✅ | Staff email stored in DB (expected); permissions are non-PII |
| 8 | SEC-035 | No PII in LLM processing | ✅ | N/A — no LLM integration |
| 9 | SEC-040 | No sensitive data in logs | ⚠️ | See Finding #4 (invite token logging risk) |
| 10 | — | Privilege escalation vectors | ⚠️ | See Finding #5 (JWT permissions vs DB permissions race) |
| 11 | — | Token revocation completeness | ⚠️ | See Finding #6 (60s window + refresh token interaction) |
| 12 | — | Cryptographic token generation | ⚠️ | See Finding #7 (invite token entropy) |
| 13 | — | Rate limiting on sensitive endpoints | ⚠️ | See Finding #8 (set-password endpoint) |
| 14 | — | SMTP injection | ✅ | Spring Mail handles email header injection prevention |
| 15 | — | Tenant isolation in new tables | ✅ | `staff_accounts` has `tenant_id`; queries via TenantFilterAspect |
---
## Findings
### ⚠️ Medium Severity (should address during implementation)
#### Finding #1: Invite token lacks complexity requirements for password
**Phase:** 3 (Step 3.9: `POST /auth/set-password`)
**Risk:** Password strength not mentioned in plan
**Description:** The `SetPasswordRequest` DTO accepts a password, but the plan doesn't specify minimum complexity requirements. Weak passwords would undermine the security of staff accounts that have elevated permissions.
**Recommendation:**
```java
// In SetPasswordRequest DTO validation
@NotBlank
@Size(min = 12, message = "Password must be at least 12 characters")
@Pattern(regexp = "^(?=.*[a-z])(?=.*[A-Z])(?=.*\\d).*$",
message = "Password must contain uppercase, lowercase, and digit")
private String password;
```
**Severity:** Medium — Staff accounts have elevated permissions (RECORD_DISTRIBUTION, VIEW_MEMBER_LIST with PII access).
---
#### Finding #2: Email domain whitelist regex — ReDoS vulnerability
**Phase:** 2 (Step 2.7) + Phase 3 (Step 3.5)
**Risk:** Denial of Service via catastrophic backtracking
**Description:** The plan uses `email.matches(club.getAllowedEmailPattern())` where the pattern is admin-supplied. A malicious or poorly-constructed regex like `^(a+)+@evil.com$` can cause exponential backtracking.
**Recommendation:**
```java
private void validateEmailDomain(String email, Club club) {
if (club.getAllowedEmailPattern() == null) return;
// 1. Validate pattern syntax
Pattern pattern;
try {
pattern = Pattern.compile(club.getAllowedEmailPattern());
} catch (PatternSyntaxException e) {
throw new InvalidEmailPatternException("Invalid regex pattern on club settings");
}
// 2. Apply with timeout protection
Matcher matcher = pattern.matcher(email);
ExecutorService executor = Executors.newSingleThreadExecutor();
Future<Boolean> future = executor.submit(matcher::matches);
try {
boolean matches = future.get(100, TimeUnit.MILLISECONDS);
if (!matches) throw new EmailDomainNotAllowedException(email);
} catch (TimeoutException e) {
future.cancel(true);
throw new InvalidEmailPatternException("Email pattern validation timed out — pattern may be too complex");
} finally {
executor.shutdownNow();
}
}
```
Alternatively, restrict allowed patterns to a simple domain list (no arbitrary regex):
```java
// Simpler, safer approach
@Column(name = "allowed_email_domains")
private String allowedEmailDomains; // comma-separated: "example.de,club.de"
```
**Severity:** Medium — An admin can DoS their own tenant's invite flow. Cross-tenant impact is blocked by TenantFilterAspect.
---
#### Finding #3: Invite token error responses may leak information
**Phase:** 3 (Step 3.9: `POST /auth/set-password`)
**Risk:** Information disclosure / account enumeration
**Description:** Different error messages for "token not found", "token expired", and "token already used" allow an attacker to enumerate valid invite tokens and determine their state.
**Recommendation:** Return a generic error message for all failure cases:
```java
// ❌ AVOID — reveals token state
if (token == null) throw new NotFoundException("Token not found");
if (token.getExpiresAt().isBefore(Instant.now())) throw new BadRequestException("Token expired");
if (token.getUsedAt() != null) throw new BadRequestException("Token already used");
// ✅ PREFERRED — generic response
if (token == null || token.getExpiresAt().isBefore(Instant.now()) || token.getUsedAt() != null) {
throw new BadRequestException("Invalid or expired invitation link. Please contact your club administrator.");
}
```
**Severity:** Medium — The `/auth/set-password` endpoint is public (no auth required). Token enumeration could allow unauthorized password setting if tokens are guessable (see Finding #7).
---
#### Finding #4: Invite token values must not appear in logs
**Phase:** 3 (Steps 3.4, 3.5, 3.9)
**Risk:** Token leakage via log files
**Description:** The invite token is a bearer credential — anyone with the token value can set a password and gain staff access. If logged (e.g., in request logging, error logs, or debug statements), it becomes accessible to anyone with log access.
**Recommendation:**
```java
// In EmailService — do NOT log the full token
log.info("Invite email sent to {} for user {}", email, userId);
// NOT: log.info("Invite sent with token {}", token);
// In AuthController.setPassword — do NOT log the token value
log.info("Password set successfully for invite (user: {})", userId);
// NOT: log.debug("Processing set-password for token: {}", request.getToken());
```
Also ensure that Spring Boot request logging (if enabled) does not capture the token from the request body.
**Severity:** Medium — Log access is typically broader than intended credential access.
---
### ️ Low Severity (advisory — defense-in-depth suggestions)
#### Finding #5: JWT permissions vs. DB permissions — stale permission window
**Phase:** 1 (Steps 1.9, 1.10, 1.12)
**Risk:** Privilege escalation during 60s Caffeine cache TTL
**Description:** Staff permissions are embedded in the JWT. When an admin changes a staff member's permissions, `revokeAllForUser()` is called, which adds the old token's `jti` to the blacklist. However:
1. The Caffeine cache has a 60s TTL — during this window, the old token could still be accepted by another node (if scaled horizontally in the future)
2. More critically: if the revoked token check is cached as "not revoked" by Caffeine BEFORE the revocation occurs, it remains cached for up to 60s
The plan correctly identifies this as an acceptable risk for a club-scale app.
**Recommendation:** Document this 60-second window as a known limitation. For future scaling, consider:
- Reducing Caffeine TTL to 10-15s (acceptable DB load for club scale)
- Using a `LoadingCache` that checks a "last revocation timestamp" before returning cached false results
**Severity:** Low — Acceptable for MVP. A staff member could perform unauthorized actions for at most 60 seconds after permission revocation.
---
#### Finding #6: Token revocation doesn't address refresh tokens
**Phase:** 1 (Step 1.6: `TokenRevocationService`)
**Risk:** Revoked staff can still obtain new access tokens via refresh
**Description:** The plan's `revokeAllForUser()` revokes access token `jti` values in the blacklist. But the refresh token (used at `POST /auth/refresh`) has a separate 30-day lifetime. If only access tokens are revoked, the staff member can use their refresh token to obtain a new (valid) access token with the OLD permissions still embedded.
**Recommendation:** On permission change or staff deactivation:
1. Revoke all access tokens (current plan) ✅
2. Also invalidate the user's refresh token (clear `refresh_token_hash` in `users` table) ✅ (must be explicitly added)
```java
public void revokeAllForUser(UUID userId) {
// 1. Blacklist all active access tokens
List<RevokedToken> tokens = ... ;
revokedTokenRepository.saveAll(tokens);
blacklistCache.invalidateAll(); // force re-check
// 2. Also invalidate refresh token
userRepository.clearRefreshTokenHash(userId);
}
```
**Severity:** Low — The plan's Step 3.11 updates `AuthService.login()` to reject `active=false` users, which partially mitigates this. But a user who is still `active=true` with changed permissions could refresh and get a new token with stale permissions if the refresh endpoint doesn't re-check permissions from DB.
---
#### Finding #7: Invite token must use cryptographically secure random generation
**Phase:** 3 (Step 3.2: `InviteToken` entity)
**Risk:** Predictable tokens enable unauthorized account takeover
**Description:** The plan specifies `token VARCHAR(255) NOT NULL UNIQUE` but doesn't specify the generation method. If `UUID.randomUUID()` is used, it's type-4 (PRNG-based) which is generally secure but predictable under certain JVM conditions.
**Recommendation:** Use `SecureRandom` with sufficient entropy:
```java
// In InviteTokenService or StaffService
private String generateSecureToken() {
byte[] bytes = new byte[32]; // 256 bits of entropy
new SecureRandom().nextBytes(bytes);
return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
}
```
This produces a 43-character URL-safe token with 256 bits of entropy — sufficient to prevent brute-force guessing even on the public `/auth/set-password` endpoint.
**Severity:** Low — The 72-hour expiry mitigates brute-force attacks. But with `UUID.randomUUID()` (122 bits of randomness), an attacker would need ~5.3 × 10³⁶ attempts — already computationally infeasible. This finding is defense-in-depth.
---
#### Finding #8: Rate limiting on `POST /auth/set-password`
**Phase:** 3 (Step 3.9)
**Risk:** Brute-force invite token guessing
**Description:** The `POST /auth/set-password` endpoint is public (no authentication required) and accepts a token in the request body. Without rate limiting, an attacker could attempt to brute-force valid tokens.
**Recommendation:** Apply rate limiting per IP:
```java
// In SecurityConfig or via @RateLimiter annotation
.requestMatchers("/api/v1/auth/set-password").permitAll()
// Add: rate limit 5 requests per minute per IP
```
Options:
- Spring Boot Starter Rate Limiter (Bucket4j)
- Custom `Filter` with Caffeine-based per-IP counter
- Nginx-level rate limiting (`limit_req_zone`)
**Severity:** Low — Token entropy (Finding #7) makes brute-force infeasible even without rate limiting. This is defense-in-depth.
---
## Identified False Positives
| Pattern | Why It's Safe |
|---------|--------------|
| SMTP credentials in `application.yml` | All via `${SMTP_*}` env var placeholders — not hardcoded |
| JWT secret in `JwtService` | Via `@Value("${cannamanage.security.jwt.secret}")` — externalized |
| `allowedEmailPattern` stored in DB | Admin-only configurable; only affects their own tenant |
| `staff_accounts.granted_permissions` as JSONB | Not a credential; contains only permission names |
---
## Architecture-Level Security Assessment
### Token Revocation Design (D1)
| Aspect | Security Rating | Notes |
|--------|----------------|-------|
| DB persistence | ✅ Strong | Survives restarts; durable record |
| Caffeine cache | ⚠️ Acceptable | 60s stale window documented and accepted |
| `jti` uniqueness | ✅ Strong | UUID-based, UNIQUE constraint in DB |
| Cleanup scheduler | ✅ Good | Prevents table bloat; respects token expiry |
| Horizontal scale readiness | ⚠️ Weak | Cache is per-instance; need shared cache for multi-node |
### Staff Permission Model
| Aspect | Security Rating | Notes |
|--------|----------------|-------|
| ADMIN bypass | ✅ Correct | `StaffPermissionChecker` returns true for ADMIN first |
| STAFF denial by default | ✅ Correct | If no permissions found → deny |
| JSONB storage | ✅ Good | Flexible, supports audit trail of changes |
| JWT-embedded permissions | ⚠️ Acceptable | Stale for max token lifetime after revocation |
| Tenant isolation | ✅ Strong | `tenant_id` on `staff_accounts`; TenantFilterAspect enforced |
### Invite Flow Security
| Aspect | Security Rating | Notes |
|--------|----------------|-------|
| Token expiry (72h) | ✅ Good | Reasonable window; not too long |
| Single-use enforcement | ✅ Strong | `used_at` timestamp prevents reuse |
| Public endpoint exposure | ⚠️ Acceptable | Only accepts token + password; generic errors recommended |
| Email delivery trust | ⚠️ Inherent risk | Email is not a secure channel; standard for invite flows |
| Active=false until password set | ✅ Strong | Prevents login before activation |
---
## Verdict
### ✅ PASS
No Critical or High severity findings. The design is fundamentally sound for a club-scale application.
**8 findings total:**
- 0 Critical
- 0 High
- 4 Medium (should address during implementation)
- 4 Low (defense-in-depth suggestions)
**Key implementation instructions for the developer:**
1. Add password complexity validation on `SetPasswordRequest` (Finding #1)
2. Add regex timeout or switch to domain list for email whitelist (Finding #2)
3. Use generic error messages on `/auth/set-password` (Finding #3)
4. Never log invite token values (Finding #4)
5. Clear refresh token hash on permission change (Finding #6)
6. Use `SecureRandom` for invite token generation (Finding #7)
---
## Review Metadata
| Field | Value |
|-------|-------|
| Review type | Pre-implementation (design-level) |
| Phases reviewed | 1, 2, 3 |
| OWASP categories checked | A01 (Broken Access Control), A02 (Crypto Failures), A03 (Injection), A04 (Insecure Design), A07 (Auth Failures) |
| Confidence | 88% (design review; actual implementation may introduce additional issues) |
| Re-review required | Yes — after implementation, run full SAST + code-level SEC-* checklist |
docs/sprint-3/snyk-code-results.json
+1
View File
File diff suppressed because one or more lines are too long
pom.xml
+11 -6
View File
@@ -7,7 +7,7 @@
<parent> <parent>
<groupId>org.springframework.boot</groupId> <groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId> <artifactId>spring-boot-starter-parent</artifactId>
<version>3.3.4</version> <version>4.0.6</version>
<relativePath/> <relativePath/>
</parent> </parent>
@@ -30,11 +30,8 @@
<maven.compiler.target>21</maven.compiler.target> <maven.compiler.target>21</maven.compiler.target>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding> <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding> <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
<!-- Dependency versions --> <!-- Testcontainers -->
<hibernate.version>6.5.3.Final</hibernate.version> <testcontainers.version>1.20.4</testcontainers.version>
<flyway.version>10.15.0</flyway.version>
<assertj.version>3.26.3</assertj.version>
<mockito.version>5.12.0</mockito.version>
<!-- JaCoCo --> <!-- JaCoCo -->
<jacoco.version>0.8.13</jacoco.version> <jacoco.version>0.8.13</jacoco.version>
<jacoco.minimum.coverage>1.00</jacoco.minimum.coverage> <jacoco.minimum.coverage>1.00</jacoco.minimum.coverage>
@@ -53,6 +50,14 @@
<artifactId>cannamanage-service</artifactId> <artifactId>cannamanage-service</artifactId>
<version>${project.version}</version> <version>${project.version}</version>
</dependency> </dependency>
<!-- Testcontainers BOM -->
<dependency>
<groupId>org.testcontainers</groupId>
<artifactId>testcontainers-bom</artifactId>
<version>${testcontainers.version}</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies> </dependencies>
</dependencyManagement> </dependencyManagement>