From 02f3c1cb19b18f8fbcef2d172c6d3e23fc5b2781 Mon Sep 17 00:00:00 2001
From: WeebDataHoarder <57538841+WeebDataHoarder@users.noreply.github.com>
Date: Sun, 6 Apr 2025 12:51:27 +0200
Subject: [PATCH] Rearranged wasm challenge utils

---
 cmd/go-away/main.go                           |   9 ++-
 cmd/test-wasm-runtime/main.go                 |  21 ++---
 .../js-pow-sha256/runtime/runtime.go          |  20 ++---
 .../js-pow-sha256/runtime/runtime.wasm        | Bin 234047 -> 234056 bytes
 lib/challenge.go                              |  17 ++--
 .../{ => wasm/interface}/interface.go         |   2 +-
 .../wasm/interface/interface_generic.go       |  10 +++
 .../interface/interface_tinygo.go}            |   2 +-
 .../{utils_generic.go => wasm/runner.go}      |  75 +-----------------
 lib/challenge/wasm/utils.go                   |  72 +++++++++++++++++
 lib/http.go                                   |  20 +++--
 lib/state.go                                  |  26 +++---
 12 files changed, 149 insertions(+), 125 deletions(-)
 rename lib/challenge/{ => wasm/interface}/interface.go (99%)
 create mode 100644 lib/challenge/wasm/interface/interface_generic.go
 rename lib/challenge/{utils_tinygo.go => wasm/interface/interface_tinygo.go} (99%)
 rename lib/challenge/{utils_generic.go => wasm/runner.go} (57%)
 create mode 100644 lib/challenge/wasm/utils.go

diff --git a/cmd/go-away/main.go b/cmd/go-away/main.go
index 261d866..fce74cb 100644
--- a/cmd/go-away/main.go
+++ b/cmd/go-away/main.go
@@ -82,7 +82,9 @@ func main() {
 	socketMode := flag.String("socket-mode", "0770", "socket mode (permissions) for unix domain sockets.")
 
 	slogLevel := flag.String("slog-level", "WARN", "logging level (see https://pkg.go.dev/log/slog#hdr-Levels)")
-	debug := flag.Bool("debug", false, "debug mode with logs and server timings")
+	debugMode := flag.Bool("debug", false, "debug mode with logs and server timings")
+
+	clientIpHeader := flag.String("client-ip-header", "", "Client HTTP header to fetch their IP address from (X-Real-Ip, X-Client-Ip, X-Forwarded-For, Cf-Connecting-Ip, etc.)")
 
 	policyFile := flag.String("policy", "", "path to policy YAML file")
 	challengeTemplate := flag.String("challenge-template", "anubis", "name or path of the challenge template to use (anubis, forgejo)")
@@ -110,7 +112,7 @@ func main() {
 		leveler.Set(programLevel)
 
 		h := slog.NewJSONHandler(os.Stderr, &slog.HandlerOptions{
-			AddSource: *debug,
+			AddSource: *debugMode,
 			Level:     leveler,
 		})
 		slog.SetDefault(slog.New(h))
@@ -182,11 +184,12 @@ func main() {
 
 	state, err := lib.NewState(p, lib.StateSettings{
 		Backends:               createdBackends,
-		Debug:                  *debug,
+		Debug:                  *debugMode,
 		PackageName:            *packageName,
 		ChallengeTemplate:      *challengeTemplate,
 		ChallengeTemplateTheme: *challengeTemplateTheme,
 		PrivateKeySeed:         seed,
+		ClientIpHeader:         *clientIpHeader,
 	})
 
 	if err != nil {
diff --git a/cmd/test-wasm-runtime/main.go b/cmd/test-wasm-runtime/main.go
index 805709d..f57ce9e 100644
--- a/cmd/test-wasm-runtime/main.go
+++ b/cmd/test-wasm-runtime/main.go
@@ -5,7 +5,8 @@ import (
 	"encoding/json"
 	"flag"
 	"fmt"
-	"git.gammaspectra.live/git/go-away/lib/challenge"
+	"git.gammaspectra.live/git/go-away/lib/challenge/wasm"
+	"git.gammaspectra.live/git/go-away/lib/challenge/wasm/interface"
 	"github.com/tetratelabs/wazero/api"
 	"os"
 	"reflect"
@@ -18,7 +19,7 @@ func main() {
 	makeChallenge := flag.String("make-challenge", "", "Path to contents for MakeChallenge input")
 	makeChallengeOutput := flag.String("make-challenge-out", "", "Path to contents for expected MakeChallenge output")
 	verifyChallenge := flag.String("verify-challenge", "", "Path to contents for VerifyChallenge input")
-	verifyChallengeOutput := flag.Uint64("verify-challenge-out", uint64(challenge.VerifyChallengeOutputOK), "Path to contents for expected VerifyChallenge output")
+	verifyChallengeOutput := flag.Uint64("verify-challenge-out", uint64(_interface.VerifyChallengeOutputOK), "Path to contents for expected VerifyChallenge output")
 
 	flag.Parse()
 
@@ -32,7 +33,7 @@ func main() {
 		panic(err)
 	}
 
-	runner := challenge.NewRunner(true)
+	runner := wasm.NewRunner(true)
 	defer runner.Close()
 
 	err = runner.Compile("test", wasmData)
@@ -44,7 +45,7 @@ func main() {
 	if err != nil {
 		panic(err)
 	}
-	var makeIn challenge.MakeChallengeInput
+	var makeIn _interface.MakeChallengeInput
 	err = json.Unmarshal(makeData, &makeIn)
 	if err != nil {
 		panic(err)
@@ -54,7 +55,7 @@ func main() {
 	if err != nil {
 		panic(err)
 	}
-	var makeOut challenge.MakeChallengeOutput
+	var makeOut _interface.MakeChallengeOutput
 	err = json.Unmarshal(makeOutData, &makeOut)
 	if err != nil {
 		panic(err)
@@ -64,7 +65,7 @@ func main() {
 	if err != nil {
 		panic(err)
 	}
-	var verifyIn challenge.VerifyChallengeInput
+	var verifyIn _interface.VerifyChallengeInput
 	err = json.Unmarshal(verifyData, &verifyIn)
 	if err != nil {
 		panic(err)
@@ -75,7 +76,7 @@ func main() {
 	}
 
 	err = runner.Instantiate("test", func(ctx context.Context, mod api.Module) error {
-		out, err := challenge.MakeChallengeCall(ctx, mod, makeIn)
+		out, err := wasm.MakeChallengeCall(ctx, mod, makeIn)
 		if err != nil {
 			return err
 		}
@@ -90,13 +91,13 @@ func main() {
 	}
 
 	err = runner.Instantiate("test", func(ctx context.Context, mod api.Module) error {
-		out, err := challenge.VerifyChallengeCall(ctx, mod, verifyIn)
+		out, err := wasm.VerifyChallengeCall(ctx, mod, verifyIn)
 		if err != nil {
 			return err
 		}
 
-		if out != challenge.VerifyChallengeOutput(*verifyChallengeOutput) {
-			return fmt.Errorf("verify output did not match expected output, got %d expected %d", out, challenge.VerifyChallengeOutput(*verifyChallengeOutput))
+		if out != _interface.VerifyChallengeOutput(*verifyChallengeOutput) {
+			return fmt.Errorf("verify output did not match expected output, got %d expected %d", out, _interface.VerifyChallengeOutput(*verifyChallengeOutput))
 		}
 		return nil
 	})
diff --git a/embed/challenge/js-pow-sha256/runtime/runtime.go b/embed/challenge/js-pow-sha256/runtime/runtime.go
index 82711ef..3931869 100644
--- a/embed/challenge/js-pow-sha256/runtime/runtime.go
+++ b/embed/challenge/js-pow-sha256/runtime/runtime.go
@@ -4,7 +4,7 @@ import (
 	"crypto/sha256"
 	"crypto/subtle"
 	"encoding/binary"
-	"git.gammaspectra.live/git/go-away/lib/challenge"
+	"git.gammaspectra.live/git/go-away/lib/challenge/wasm/interface"
 	"git.gammaspectra.live/git/go-away/utils/inline"
 	"math/bits"
 	"strconv"
@@ -31,8 +31,8 @@ func getChallenge(key []byte, params map[string]string) ([]byte, uint64) {
 }
 
 //go:wasmexport MakeChallenge
-func MakeChallenge(in challenge.Allocation) (out challenge.Allocation) {
-	return challenge.MakeChallengeDecode(func(in challenge.MakeChallengeInput, out *challenge.MakeChallengeOutput) {
+func MakeChallenge(in _interface.Allocation) (out _interface.Allocation) {
+	return _interface.MakeChallengeDecode(func(in _interface.MakeChallengeInput, out *_interface.MakeChallengeOutput) {
 		c, difficulty := getChallenge(in.Key, in.Parameters)
 
 		// create target
@@ -63,24 +63,24 @@ func MakeChallenge(in challenge.Allocation) (out challenge.Allocation) {
 }
 
 //go:wasmexport VerifyChallenge
-func VerifyChallenge(in challenge.Allocation) (out challenge.VerifyChallengeOutput) {
-	return challenge.VerifyChallengeDecode(func(in challenge.VerifyChallengeInput) challenge.VerifyChallengeOutput {
+func VerifyChallenge(in _interface.Allocation) (out _interface.VerifyChallengeOutput) {
+	return _interface.VerifyChallengeDecode(func(in _interface.VerifyChallengeInput) _interface.VerifyChallengeOutput {
 		c, difficulty := getChallenge(in.Key, in.Parameters)
 
 		result := make([]byte, inline.DecodedLen(len(in.Result)))
 		n, err := inline.Decode(result, in.Result)
 		if err != nil {
-			return challenge.VerifyChallengeOutputError
+			return _interface.VerifyChallengeOutputError
 		}
 		result = result[:n]
 
 		if len(result) < 8 {
-			return challenge.VerifyChallengeOutputError
+			return _interface.VerifyChallengeOutputError
 		}
 
 		// verify we used same challenge
 		if subtle.ConstantTimeCompare(result[:len(result)-8], c) != 1 {
-			return challenge.VerifyChallengeOutputFailed
+			return _interface.VerifyChallengeOutputFailed
 		}
 
 		hash := sha256.Sum256(result)
@@ -95,9 +95,9 @@ func VerifyChallenge(in challenge.Allocation) (out challenge.VerifyChallengeOutp
 		}
 
 		if leadingZeroesCount < int(difficulty) {
-			return challenge.VerifyChallengeOutputFailed
+			return _interface.VerifyChallengeOutputFailed
 		}
 
-		return challenge.VerifyChallengeOutputOK
+		return _interface.VerifyChallengeOutputOK
 	}, in)
 }
diff --git a/embed/challenge/js-pow-sha256/runtime/runtime.wasm b/embed/challenge/js-pow-sha256/runtime/runtime.wasm
index 2c0ca761f7e21a831d22948ca11d55cbc5c45976..cb5051891ed9a3b7954cef66b6d5fe4bc1382090 100644
GIT binary patch
delta 23338
zcmeHvdt8;p_V+XM?7i7s-6$fW$lfRl-py-XdCUu@DP^b9G)2V=nis@N7Xv+B&@9mh
z9Xff+iWHL)L*1m7l%{CZp;ANhl$n_&B^DMM>ib>uJR7#8o!{^MoPXZW=e5tnTC-+m
z&CHrLYu2op-Ts`Q;+&xTS5?+Ue@$%>x$`qytfF*R6(`f2$=W`zWK6PlP(QD>?we;4
z9Zr;T*tCP6*_?_NmP{2Dh3X*b@Fc+zNxLVRS1{c2o!TwuGg}N-23q1YaMPR)i+1y-
zIwwj2VG~v8#ua}Jh59c}$G;+_JEe2=Y4-ljN<OnWtXeLrQ7KJvDgI6$r(d$migrp0
zj@ZwtcI1LRQUw9CnU%`s7Q_S%V(j1gta`tPR()a9@WrZ1fA%y6t6c!$g8sB4Y*Ym>
ze8_StZ&DtQ(=MDKZccumB~Fd&r^G2*+MqyA<bD`vYLx5;SWqElM4;mD?_~A-we(X~
zEzr>gNkx0^%YvUA?X0X&ZxTAP{iZcGEq$fMQ4fPE7dEZ9*j9sIFz~NpRQ|LhjX$I9
z)i;KQ+4Fw34uWvX^?jjD(#lVeOj&Z21rh*Oal)3YRVqCd^w#(f#NQRFu(8<Yq*5Bw
zvWso_n_gyfDB)B^`-N%*F!Vw4<H=E0gWqN1Cv%+^@EIJ)AZ8|cQHkkwm|?g^7p@RP
zBv`VG5nrlg@K$U3`U~+k3R+Fxcj%*JtH0kU<WYl%rKW$s5|8g>V@CfhHGQkowE)#$
ziee~+z-oHqB{{ugShKV{bU+H}o4*v2%)PCU>U5+=M&*B&QQGZ=WR(1$2#Lh;YYpGp
z8LcBRqljllY0xyA8Vk8qH5C6SsFXgwafqpC)|$zytQEY`FZE6e7QjjHWtlc8A*{qi
zV<JkcNQ<4U$U{iKWDv04qC)yBBT2>OYC{)(SNaXbGBYM0Q^pMCl*-<Y6wO=5DYK5q
zu~_a3pWnjZ=Tg)-Qxm*cde)C#65g@#owT4_cQlJ+<$Bj9v;RxX)T-xgdiN$y{lTUW
z{C8Nk)O$5a{_n7gWZ8PhW>3Y`%8jRSLv}ELwbNnRiVFSnW^JYH3}w1im&*09$X3Cp
z*P3cD$xwr8Js~ohozv$>#*&J`Zp!JV*}m-}C9P{Cts6B@-7!1#pDf%F&*H7MM0KoO
znk-VYf@>GWE#s(Jy+7Y(mBF@|swr)oQN(-M-cC2=B4f$jM${Vc^RlztV~(+SP4$%K
zPUgb48s_-Ux?1jR{y&x}ts*X`^#9A$*xqipRhAcwi5jEA0K5~uJQ(^1GXiT=qy7mk
zqyIwv9nC`YS6enp!<H{CANdF@hFct?jHR&g1=}DnJe_SDlmfWVggZ@`Wx}N<tQJN&
zcnz|Ai3tyyaGwb`nlQ_Rqn4UT^#-G2r3uSTc-n-=Oju&V91~V#8TATv17@4BRA1Yw
zd0M(LieqLkOH6psgn1^+F=3_InR6yQZNk+ay4mPK6P{adj@InNQWI9M10DN`-Z`cv
z=4W(Fq};KrG(U1lS`EKME=g%LXjyuU#_g6RxkW#Cj0VlMRfECsp`FL7Nw-Mm)~rK#
zpK=GJ614rKdHGnh0m{wF*vLt1TnhF@xJ8OIqgKshI;@&B9Y#SPxyFs1^)`LP_Kv>%
zt{5(jhZ9CjeMm!=Y_p?W+Ax#eBlh&ttCP~lsru81rR6b4EOVW*SCF-(b_};MLO$eN
z!h-47W82lPm6~m~SL>+TP-nJo91dPum2{-*II89PE3I8k<+8*0FnEU_yyjTPqmZOT
z%L~409mATEPkm;E;ZrjgyboT_-w`aG?=n5At((2ApK2S=m#olRw2O+)SZQ(D1L~uc
z<^#z&e534`4DH#KmKa6prYKIkma$Ub(XOGM-Yy_|jVv8pxAZ!%(rc)6*LMF{Y3ZOS
zy}-a<+fbA3ui28Fs*_jyA;Uta9_I4VUez14AH-hKN4FosUe$Bj4`n%eMf<Mob-iVW
zc{nL-?682nsE2gy4a)r;LxVTVUikVugEcnYRbP8gU)Zq^E7Ny(?90juu5{dJV;c(A
zb>E<Z7Tc>U{*LR_hHclM?KObq>!rO~cdmQZs4~tP5CU90LkN~+ZPQ9iJ4Nnuc5S2H
zuJ?23%ii9JR$05i)u#&!CbY~vw2<I06in`$$y_ggY1QgG9#Q;XurNzna~zJQM_F1Z
znvYA>vX)z1TzAE_7YS3CpFSe4b=ulrtu7t_by1Q3BIO4(_SY;(yd)E0{+bnuS7oA+
zk=P;=p++K4CK?)bcF07Ck+VxC8bI)1utz598;K&B2u30eS%+lG;jfiQ1gEyoB@*PX
zosvkPzvhc_-^fIOzvhR;k22wJ@H_Ym4Z_b~3qnq%%<(lkv}6U1$ZjxLE)zb+Sl7tJ
zSewz;buwi&66KePoyFiFWR7YING4!DXh<)~1T29CM{Dw@?M_P!4~Sx<TqMC9{g^g{
z?a-U`|Hi&{wcOUKb)S27VJ_dj=Wnb^Z!lm4@QDKw@%O_46Yw`?;CcM5H)#5#qGyc?
z0(+f2n9>|)Jp1PZE71#YL$9l7-UnP07afQ5M*5XOcQr12!Iq3|5k3|H<K!qA=y8J!
z?Nw%9*2TYWuU=yg<jwfc4RzF)4SC3Za+N_Y_;$$i%>HjPr9UzBK`V7Iv*5F#eoUej
z`ZvRt+KkcY)9*{MAMzCb?!FBe{L{mq$6x;uD<3^-W<Ug-MBr#t=d4al@-zP|k^tBe
ztfy|=f@NiJadIcaiqazI^i=FxwSH+tXv5p*geNSspY?QUOTw4-D$j^l-GA8rp(zS|
z)B`WrKl2p3_P}UXq5o}U4|Z99eq?lD<r<F-W7_3{qLHJx6jg=Z?4cO@bq|Z-4=uN6
zdGz8m5{EpA<cH_mzxE_9Je(6%^<0fMNKt6sLnpjUf9sKy;JVaez0;^h_8VqpJz>=1
z*fZv6JVO05CqtkI^ve(T)9)TVHtL7}SVJ!y9pxl1DiE$LL{6R*wkb7`W3P~VKG*i?
z*G6{^$~bE^Z8OuBp4InHY^WzZ>d$uSV;*hH-qGhj+B@XZRjUg-zRQBm#jKm9A9}PE
zZ0XOBE{&yZ8|~mhE{nD#%i>~akX*As8<jSlXpSj<aZDuJpzj^y8n}6#$C_HPRJE7Z
zS&TRtHs%dpcraG6xk0FbSZwRSJRlG|4lU>nx@)YfX)PyO^j@4SDDc?Wmfg0Xk`1fh
z>hy`>ZC#u|j7ybcK}WHsq+|vL202x@poX!?*7uBcb$Dx)*)7fCBE@wiYq=g0l4x#|
zS2A1odn`O{_bQ{0QtTx)%<D<HqZ0X~G!p{@9ptlM8tM|rOTDE8xvO&Wf&&~>gS=L=
z0Cm|BCB@Mg(l5L^*a``u6zBmiY_3{k9GI~97($U+=~b(_hcOyU@l~rSbw*<;@=6x!
zKR(u^KDotS4Jlfl-e_Dawn^_dE~06^S8>$N^-6Bi7mjnWO8p<>nq!ZBZ(MZK{g-ZO
zs?aN$uiqRO?mB$QP$Kl0oNuGm1~B=gLLi>jdya2A@SCev(-V=>KUvcz*FN>aLz0~~
z?ebNtlQnT#$-Mvz>0tP|nD(8%ZG3dZPggx^&$aJ7Ri)Tyls}E1+uftq)B)KAIs_Q~
z3M26<hS)<O_OH-+77#{rlc$Tsp7;F%0@s>C%d7~)#_;h_AEq@;j#8x^#8j-Rs2vHW
zVo8NZK5}5!YUIPUU-V`ZI`QW#^!q0`BVMYhrqYycsHvuEDDnIR7c0^8Cq(+^{$WW*
zZ&<2UqMw?O@KE~Kp5aPGsQSv&oK%DguOzr$@JgQX!lP>3HDjzfdiumpe>NZpqv9kI
z*a+>@xhT*N2px<98v`j_XB!+C#?zcC1-JbAf2%wKnfh(P?%>_$@JSCm^55<=e5EK%
z)*1caq_%J^FHb6Nd%{c382G=ul2AxvaY&`GV`9HcS_*AWp6vQ-ZQe3DhGpudlVh8{
z<Y9qvgL}4DGE;9jWeVG@FPgH5ZPEXj5*@Mql4oslZHuR5P1}8@rm-*dcc(@NzUO6e
zcI%g>KF7A{i>5^fZeQo|vAMQQ-##ri==mB$%3(S6^V9O#`?^Rz%r5EUrmy2L_P<Uq
zXix%8F^z%`JZPt%_ObrXjObhGszJXzBb<G#2Rt6x;A8JvHp(s0`_`q~r#pQ?pZ$2M
z)2qB)<I|)3v?3hUxHA9=XCMk$X7&N={xf4(Nx}4)#f%-+yUc!w9WHowb}wel!Z|3b
z;G;RsEkWc1RhUlpbEgWb=WVeY*`l9?y9$mxvx~D!1!;>{tBta*!)QBIjXOec7h=&Y
z^R;?&w8MJTvJPPXz_NLW=@l<)5B&FK6Y6j9Ds9yQ=A+>B<x`OP`Ev9_Z@pq9{ywwf
z2s^FEXLJfZ{hXB?Gbe_jVr}zO&5{BuwI(BhmFQ<O?!w;&E8~3AmsyiLFr1V1gp6=~
z{>re1CS?dlkLY`<##6NPW%_F?`?6B~?8;bHS`e@*-!~@xh^-qB!G4JCpc{8Mtxn#J
z2LSkW<93h%ECAc}b9yK2)}dL8*fBjT>mhh*7qfJhUy!!`jLJ3^jDMkp1z_1f7cpnf
zO^b9U{iHq1Gg47jO&J!5iyYhrMZMg>;%BzZam?xWS_F<tV_zF0xsKLZj)o<Ww*KCN
z=W-rnXt4bC`S=^OH9}9{+#UnizS#vY`qRzf_*=et67uff(gfXmd`mmO3}Zw%!t4Kh
zBf`G@cXFTtY<l9husV5Y(>FJRozd6jK83$QTZdvrjouo~iuClY;rRRF)+x=-ykK+O
zqbb<eEwSoCmmg5o39llZ!8h2cJKtzqhpVSWew!BSnZ3b5x*=TJo%)eCTA|yQ-{{ea
zf=*=i>BDAAe?l|}2YQGRLAi!#Y|cP9R;oN%Yg_fv+al{U-N0Z!Kr#Qh?Ap$Pf^7>~
zeZ#MHQuxf{2={q&N`1qR^(GhWelvj8H+=nD=*Qj)Wu`BCY5Q3I+$nu{{)XEW)PKu=
z#WS}w2e0giU`O=*JNnci+K<#uOv7jm!^h@@+sG8{8{Bc-WOKCeAy9dhMo$__yvpAu
zUVneP<vq1TLv2;Mj|{*uACqlISzl6HRWsT!m{Z8FF1HY)fPa6*<pVdVe;OhKJN1YH
z&0DZj3nJ{F$<8A0xq=y(uxkZPo6yWahs~LRW@D=~TK!D#wDbO3hZ|bYljmWyV`s<z
zRK&5X5!<TA?3(O6_JR#_$y`BjC!LmeT@5s-C1NPJ<|EHPQ-5pMw1Dg?+{9H`ob{V%
z=L(wdj#cHU>w<p&J6(Ck(SnS3Hgi^0&|%+sE{_WpSB>+NJUZwt_xFpC$BC+1YKB*d
z3;L4%oh8Gff<61kStXiZ(Cowg+`0)3AJ)$v-fdt7|12J1!@~UOllyTt>i4f5vg{`P
z%D<wps>4cugauYVZ2`*_^JzTrIiI$MHQxBCuOAYdzif%b$6sFH>_oxtuTC&4$vLxN
z?U|1m`#>LeHUhE6MQ0;qB#Tq5k(M{CN`=1dtm`kXk-j_IqBb;NrHrt|838O$NLhv~
z&6uGd;&(E#c$)|y1rO!rxBnQ%<>evyXmmB;xuBsd*eF<01%{Wxfle9DL5XHH(ND_#
z^M%>wZy%_aS1fO2pwIERHO(m)e{mp#Cw$*`adorw@fRBx?E0=PYqN>2nYDmqC%iw$
z-G-R}E(3aX_{mDq-#26tvJ%QaMqvy`atj3!J33}dB`A3K!ZlvEK~G;cmyhveS*V*9
zbTjxT+0BQ4?pilX5B@2<VAszfG>W5_THcaPk&@t_Iu>-OXvos2L)Z|LX$x}nq%bS>
z%ISlCk*%bDRh_hY!U5S<=4S@ER0O#)%W%DpS?i}Dyh{%X(!Ye&04k@~kqX@5<H8rN
zVUvdyWGQC0d__RGmUoICL-@)U1t<YmD*v1{meacmBy&ADkJFZx$w{(d2Usmpc;Ojk
zy5*O}AsJ<eSr9vvamp^NE-QH9mj<js;VF}_4~RU}7wP+dZ5maIX6fie(}i|^{&B~*
zHUvSnW1!QJaKgX->w_$d9FItSPGtv{Rq#q>8M_yX=utfiM^ltms-8-W%trz8s+N=!
zdyCX)%KWqD9r*33zr4ScEa_f)!tcg)<L%ivnl;voeqZ??Z!c@u&8hk;cDt*3+URn_
z5~t_?(M4~4H5B$lyV?)i{o<<+0WZ5cvgs`m7f<vhz($9p5`FNsR_vfY>sma^(+h#;
zpyEAx^FJD(a`!(*M*KzPN}+#qt-t<*EPMTrzijB7KBGDc4%?dQM7~<+zf?a_|D17(
zV*>*jZ9F)T>x-^8MhC?8WL&=T8*O0!+TUoymuBgY-iTt=`ZG6L_*`B?QA?(Gs*bD^
zN;-bSYLnY<srcH$p0Q`Il`2&2PO`FZ8M`Wm_%J8?he-Be1KB2#@53Vg6cj2GU-__d
zBX%eLWoJ`OhP{1Rl0kKE_GSGzD{`OrXUmQKqfpGL$DU;e#r1k@7b_J74z>dzDVU|Q
zQunD~X6fXMD<)_zPNm}e{_Hxd5Z~Ry5D{}X8^97-O_<NUVjzn(eF(8@5IZ63`N(=%
zgV}vvY<?Wf#<EKyKAttlU}nU#!CvA}w9D?Icy=kkh$UWh@A@0-Wnr1(@+j7tWxAV=
zW^dXZIpv;{FFbO@4aCU_>>|r?e>jmfWh_seoy1y2pZU>>wU<WfqG;!kup)u8G&Xa`
zGKR1K)={-+pTxphnHZA9nueQ?C={pd1C627b7raZOCl|ag@u(Hk1UX{5fe{#mDmm@
zVHxM-i;KFs+2Wfd*0`&AQ(re1mXAC`Y;suc^aq}e<9V~)bE3m!*0|n{i&o9%SXD!O
zcrx3@irwlI7R{YY%RR?%uGLG{bgv|g-0E@>KaD*VS}QOv1y(K(isHU$tcj?c#<~W1
zgw>GL`JCvU%r1t#Tuw4uM8Pse`$KU&jbJ>m7u`LlGhLNRRpI_@CfmZiCd9{>kd?F9
z&YGyQd*B>)uj=^lq9=fW^Hj2SSiGFd`m$p2RVurS<%r;UtPN6q=CLjSDf8G(R_IQd
z&z3Rvvb$;lt1!Z?#p0(Y*@_@f=j1b_9I@mnwnn-lneNc1S&2>JrS9*Suy<9*ix)jI
z@*&Irnz)g{BHW)YXA#`7#VgMzS$oTkym8F&b`4pcyZ5*sU&RhE$J!dQjX1sFj$6%w
znB&T=<m>Loo@1+-V_yx~PNfgJuRYJYc?*k4VY%Zn+0TrXxjU?5p*#d5GXqpoxnHBX
z63+-0?w*^)f*EFh*?RUo!4QGRV33t7n}xEIqDMBih;!~Iv)Nl5)Yuo9E3NpV)v=fb
z1kl7e5ed~Ol5$SbOgbLanRE{N*&4c>Xj$GakH2PdT#=c@9VlK^Q`~+Fy-d+g8qNB+
zkG#m@RP@d7WlZ%+_mG!aOX}O~S7eV@yu!w&A)JE{Gx*5>4<Rz-Lx>Cl5ki;cvJBmx
zON1h65~2HbiBQZ>B6I^U5sE!Zgrc1ip)jaK;CLFyzHT0jqN*~FBCZmlxUNL1J%|iR
zQ-`v|$2lzA&j^nreOkQxDx3WO@>rVGjwKuMHN=%wx@>6+@S_OKVPn$hQGgT&y%I1a
z<w58jfuzvG0*TNbDUsD4*`4+v=R63#R*+@r`GQ2~J%dCJdJuZ?ASvnL@+tzd#$$-V
zfjBFv8ho%}0G9-Roh@`0pE5i*O}Q5)6%N+)C?Bmv5)oiQ)chZ>v+w|va>{21I6sS`
z*Rf7Fiu*RR&TOApyqQJFDTIG2pO0A0=Ob40`G}QHn|K~#)v`=T3PEYo5Q3yK1WAVo
zl2Q@eXTpspBt;}TX(mBZRf3gqCPLaw1X6E;#`6&{Hq*2sh;BR|vC1_=>1;7}3p?de
zM5HNdN^dO8MP<~G6mwA-JSD|kR7R_kVlFCl4DCsZxu}e;ONzOuWSGe)vu`wpCG*Th
zWeCLJ=*c3HNs76s453O2Nm(NFYDXfba-wI#v6a2;2fnyV!UgVDQL>dS2tO#N*`@M0
z%~S*FE@S@1*f-dS@SO-HD6m)N<ZCEzywNNXhu&aOgUm|Y&>c>?qt@sS96ZS$s-~vm
zP>Nj|cR&CNV!^~x`n(qCQ~PbKA1e_vx3T9vUBU&Hr%S3l(xOYDdAD{+x_i_mc_u9p
zX?gHtwz@awu?>tb749x?vA;8xEef}@_H4iSeml!xhs5lBc7Nc344Vrcj=Y*UBtFS!
z;oVRC-DY0L$&0a1{w`mh<Dg^J4te4Aal_%X$d?lg?*q$3<PNYccjxZF7+|t5yv<$$
zSW$q@=AsDQ$+G#%r6PYP+r^hJ6H|7vk?a$(cNgm9h)4IZaPin~xKfKnCgE{=SfJRn
z8;loci0!-C33gd5ceACeK=>E3$Jqh#L?N5Zz7l5&SpgFw>mBTjXT(SEu+i4#%WYaS
zF>VhFB{tzG3-(>uE5x}A-;^Q7>|rfMIa+}Kcx?|R`m*S~mpx)#xzwh$HY#r4i;C|X
zeQCT8_%~koS<z)5dy+3-F7o%WHSibX-eoflkSHAQfv+SbiZqG4pL>t_u|}USp(7t;
zhG<V0x?ytpz{r$~xAwEAP@#1ZivWl(f<TUmPm5S}uvr5KHq^k*SuVbMpY0EZk)uGC
z#kkA15Q`7s3s;KIK43T76ko;}8G)x60eI~YgR>(dXB7UjXt%8wVWVdXTBSSkARKU3
zD29B<s-yl@d&$mf-Wl9-sV=4*V%_8^qU<+$@HT=2;;lpMWc`|!(6R+Br(Y4<KVVIL
zDpaGbeTUgc)K<n3w$3=bHYaeD;b{^gI;Cc8o$z9@=qPJq-?7d((uhq*+2Emc-p^cR
z1fyt(h_KTTamX-4!^yJKZE5-y`5F*m?k+r_yXv49egklE3suf!vM=JUkJ#Wlb~wW*
z<bLZT)_}p#e^A0ENY}7T#D2_5;9&mtF<W6Vk4;NHW9#e5F62{OJQwel@<q$f*|d7+
zo=1mriC6*8^+)m2=d5q6jHZ~vlSB1-x8squEF-MPaE{9pKOAF+0?Mvf>7v`n*n6Bs
z_XIj9CCax6^a;!Giq+}c#9v+vqPb0+Mu{*2jE!c|WaI!>Elng|Cc;m!PFMuPPO$Mt
z#|x>Ch3Ml>vG)Xf+#GAWFW5xWJ6`_<Tgc?R=T;i?E@w<MJITWMib_#>k~IukRq1g-
zeKpV?J;@@`{ijaCL9Y~BPO?`2xunaV>`jp=|9+=fJyMtvU$TZW6q&uIHWXRrjf=%!
zvWT{&&y%`183ba6wDGdR(BwZW*wHU>pez(Ir`ao*(4(i>T;m<pEpKDo!@pv?nIR9i
z?-`au-FfR9)<?=BeVx%ALu0GIVXoU8u-l(yi!lDYvuv&8lPmgv%eot=`<ZXqM2_6E
z-?0wuXmShB8u6@}_?D42VqM<2=zE^s1Mx07&l1f^x^SL#=k<*TItZEBYJ||~2R6k#
z&HwWUc7U7XNh)WYJEi7kSe(AJnwA1;Qf<=-!~O74vEpZz?~<jeRFr}jR0(L5svxWw
zigQ#va*5pwAN{pUtfk+2`H~DTvet^vFR>v;?F&>JHtk$Z?K6bs%G!M@SPP?DVsZs5
zX)W6;qZ(-MSWS&m!ZtCq_ls3KtRPV;5-+ia?m3rP95ZSao3#$s)G8vZ)Vo%ZtR*Ub
zVJjfRg}<^0k1<d+=n!2Lto>EYy26?T)C)&tQzONvzp^-^l|r+Xoi(lG6PEAYO1{xb
zLM7{ZNA^L)zR<Kv?^m*o9z!qvRO-k<G4l$d7?t9MD{ODKgI`<e)-<Z2(;q<dB<rO(
z{c$|@CN(CKYLMKke#5a9x|>_Y`t>J8yT#O)@1}@;;W;mzHcS&<b-)|Jj9_U>V++4E
z_A0yAVc0hsb~+|;=`Z5%SFuTN5|^*C#<w3vr098#`C}}DuCeBKD)NF+<n?PT&d{7q
zBx`8S#u`~?6P778$M#2!=5+Xj#TojXY1UX>QzL^gJbySU*8IVuOjX<c2P>$Z8M%9?
z+InN+{ex*{IvU$WPBr^TuAnm_^*VdozRi4)CEDL$OYW|yeUWASaO@5O#(}zy7=O6I
z9yEHKZuYpEqg5%`D#GxizoTO8P1fN~-4y$7!p*1@hi|e7xwqVDVsD|Z59IB<>@|nI
zULVh!vAp$Dco$Z=ek1RFr|ekKo^hJOo{aapbD@unLSHZ*g%x&<@gAtsne&-ajHO~T
z=gnGGo`TG)7)8clRp5^p{y2gs(u2X2lOK^MF2YWMOMuD;*mo|5bI;(xKcaGSo#v~&
zC)|h~DkpE^xXP#1`W6!{{0o-n?q%gIj3{HVdy<XsWvs&OwDTz(FvE{0+u3>XYkmHc
zw&bQ<T!V4TXw@QU>0tf+-J96VBrf$PMw-NBH-#&NPXf2)ArRwvu{VTw0Js>!JG1ld
z$cB6*Lvn5?pT)ix--hzu0M15SV;97PM(9_bXcor9L(5;FSB?+j+6Jc>xHCK+p7t>@
zJdDppkq^T7V$+((H|F;<Lo*a-7-BAXp#TGvC$@$2HvOaxy@ie?T+bPXgNUPtqo))y
zch)m}rau=J4V&<ta-o!pPnux<%7jl-{tD!|wJAc5j>8!?8n??AQ-lW&huz;a<4y2<
z!hJoG2Qii_0$jWk+ba4J$Q84V)T=Ij0fTrpia*oHY_r8c46{XT@7>Pk{1;DDxKT8}
z57FnOXs%jOZ(3`P_s`<@*1R85-P`c=W?oJdgvF-&yQGnFAyf<9aUXBPOU=m_Z?xmX
zp&eJ-k*>HS+VlOaMs?h*Bky1hg9^$u$}}h%W}&MSPSip;M)6&FH;g8&E8k!1qT^o2
zaM4F}!`x(v1Kp$+evb%<xygog=Purs48koQv*7^JH5NMQq+2a39y`lo?xef<t5%!`
z?frOXXUPfqj02$+sNyF^LcSq{hT;uJo_Mq$?-G*t8eWVC!P|@SaaxDL(+z|V`dUA}
zq`p^9Jj4vTyL%j;Nb&9$HJ%WJCUGRj(`VVXxT^7mrg5C#AIh62HuvZMFtuRdJ^XG~
z=1#kZ`*Kz-Ru1H`gI842^Eny!F<<W6=;eN`FKB~p@%V){yzZySARQlR;MJGmsLMl&
zxH=H#r&5Fs!cwhv_Zh@3JQRl-ylz9RmN|+T-dHfle*7#*JRHxPo6=2-=Si$y1(^}@
z?qNlGYZc<xA$*~|_?p$Q6Lat74-P~T=@)|Pv|v&Z9qmX50=&r7K$9z;9%<5@KU`;M
zCXx8SK*R<lYZ&4@cfe5oI7#lwVSJ3S1jU!b_=G<lUrNRB`}j7q#Etv-GbXxtIB!#*
z1Z^H;VBitq%@gkpui+Otf~TT|tPwo1wgs1HlE4?4>3=5h*Zwr*5%=@H0W?TRf^G{8
zCBK_)HYv=2yHnaghe1XdZ8sh-7e5?jTKsajvKmB$0t$8M%Kf}sBz3h&Hynbk`1y2w
z`uQ~dibHD41##~Kd{CoO+%n>&p>(}{G^D^&TdIpK5Ac80-1LZNM)EZd+^3j9YFu#Q
zxt}}YLH-ak-V7r0hBt%mXa2^q{mU1521S4})qU|{-kk+vTF_gM57J>2ABvl$r$)gx
zT^2h>@dTu-qh+e^Xr6-94kPvBXkO<bwrKh&FY~%V!rN@Y#_+trtv|^vAdt?HTituc
z@bp?shp4t;>FyoJlbPd->z>ib>ya<T!SQ?r?BB3N3?aPsB9Uvj#52ZCci8`SkDmz3
z?+4*xBH*JHx;Ib4j(}MYoy;dALceG-KgZ=SXe!Ld{2>ls7o<#c*aAQO$rFpFVd|C&
zv1=M{1+V+x(|BjQVNT(kg(dSRf;|JVI)m`w%LjvbHJPj4y_T0QUy5DRWv~0p;OA?H
zipQhIP&?1!-_or?qd9z!g|EILKA*?0hUQ+ECv0CVAz!B*WwWvE<chQNc}ycu9@fq+
znXUyq4EsRO1^h(}^~3^xHw_?oA>SewbEbHAAwTN<epHk^!NWz~6TD$v>Tp?O)0W65
zxhjubrE6;sh83dYBK{9_`J+Yr1_EJUi;vQHJA&8Jcr-y*I*%mSKb<cpcr=|y5&Suw
zcP7|;F~4FM7!k2V&dAaw++U3~MkbezA1yQsULR)Okdm-N5_YE_B!LB;DGHbI4z2&H
zI0?tAeDHD}8*B;=@u6-!44g8>(B=F+$jWa8^-G9;D?F3k*qy$DPj}&lvpkm%f}(fc
z%5$;*;6VU(w%u=VKi0t9pYdJ*%NpwqTeOJS#{1oxVeH*v);8WT@cLR$%um&R6M5Ts
z<9grYCq#W{)ob<eg84UbY#WaadUl<s9MhJq6aINH!n&A~$D`w3TW5n$AloEKyy#U@
z_u&3`gd1eOzYW@ghca@tBOr(MFHYp~l?V-vf0Ix4e|??J#riXB6g$MHZ}RnlZ?3b|
zTynkcp8FPtj`-%D?K~V&n&aDf2HW9&ET11>&I{6$#M@pO)hD+g3L!H|q@OjP6WZH6
zJQ}6sy9;_Xb;hhg5BwDu{aOKQ6$jwcBK>Ws$7&&R-sVr5GL9g_N*0d{D^}uElwD2l
z&L#mlEyfk_7GYS9+UYem$59wn`Yn(J7ymFIr`<0W@bS#^>P0^5p;s^CFE(<!cEMG`
z0czxK-nU+j!Ij3g2ysy!jX>+6-F!D)Z7<r(`@(PBx0mk@yKJ~(Q8vvnLi(<ZJTsWI
zRr`2SV>6fXX#1pJOvr~$g>L)1+=qwO%rU+8A(zB|^(VZGJ9<BlVXR0DFG8oPMS2nM
z9=K@*Q@U7~Vp+wMpWO$GU{I`<fO}?55*yy<EyNG+^T41E3lir(-eKCz)TETji4#Tj
z`~27XO0LS3&WfTuiLd-wrZ_en;LRi2g4I~g6g#L4pNIW%;0_UYfJd@EV*CO4A>%~m
z0X_xc>#74-0~Nw~kS}0UMD{`CWs2g1*d2;De8_)iyG7N9d>pGU9y!EEut!DiA$W?L
z#DzorVeV@e+F{<3^$=4Jqr!Nx>9EW^a~NF8grk`EvTj7@#)yPs9vQLFmnj$6t-VVJ
zje0jmtS;vFuopyWF|A2=RWbK%l6Lcm#h;}s+M1()n-uM3g2jrqo!~V^dk>JuZB(>R
z2uV1gXkQW1qEgX*0-~mG$X2xLggN)UhyP2-N5EpH|Ey^LB<w0*kDmwtv&6aY*@GV^
z6Y6;V*aiHbRS0dJ_WjbeiuNUNYkH;g{4PbiNcg5sTgQEiyLiGa`;RnvUeTT{0sdk8
zeXs6Nw0{7%#m(<I-Tx~^dxH`eR$7`LUZrSzC@~@L!;1^wRJ0>V_@qDC$ldY_x~ipA
zX5P%Z7A{|*Xg^SD=fiftexXyhD%w@I&v*Pxh_%aVrlgAUt30yZrd~|Rhb+S&JJp=&
zT+nF7<Dmfw3z&jCUMbsD(c>DQ&Q6J(YkV;4D9W#4dd7>Ue_+ls#e;vqO)u`vlorDI
z2aj#g>8>6Vrlls#TF|K@_|m^Bagd7k5Y+@`ySr4wwS?-7yw1N%%fD&y-`tm!&EdzS
z(h(jEoC6Zx062A#(xF~>W8fB(9s%46oXSOc;jMt%OnN)uKESC?7Z09>L@y*r<0<1F
z;Jzk43^*KP$@n2Jd^~V}lRh1I0B~w#ffxRF;DIJR6L=7CYWyWHJP&wUJu_o35)Kpp
z2zW4X>eOj3{3qb`P5MpX4S-W;>-*Q@(ZEAY`rW`A0;fR?_rfOv4>jm%$`eR5G7Dt_
zCyk)d<$B>oz#E(Nlfc7))2M&-!UF@C(!`|40B;JMBrw1W9}hgjq%Q*AOo9BV(2Gb!
z0+N{ac;P33J5Bmk;4a`KvGBlJych5&lRg%BbKoS&bT9lh;4Mu0Vc^jwUj8>ES|UN>
zt{+s3_W<6?q>lrRZBB}Qg%`dZIDQ!->1DuM1E(qB_1t!*KGwAUnRl)Je%H~LoA`?S
z72NMEj8K0FbRC#sOiW5r;*1%yCiZkrn>jym#<WS!*|VgbKI2}}M#c4Ad-n%z)kwzT
z+-KXVUo&2BjyTXk?aSf>@2GZ2OP^zmii~*3YNnJT9fCzWd2aiJ#MG$+Q&MK7AWIpI
zuiDJ>UhsaP(Sm=d&VnaCxO-HN;&Y@JM!*jE5z<aG9hSn<6bllxM2l9@U+HHkJD-L1
z0KE{_W%A>x?Pt%%bRlo2Ny`LI3b_wy$J0zXy^twoz|VolSAgaC&f{wf3-m~;0VkPo
zjtLh@7|E0jAiYsA3y`(}Y8W@fN)9?PNeu6#wn@wbYMEQxAM{B%g(7h#Z47WS9aM$-
z6AwC$)5;?m&<3z2*p`~X*V$}__+3MtserS^sZMH>B&tSiO8{x;v@YqRVH^XE;5R0`
zWWwJ~c*BG?u%~iCCTwWJ2(#JQV)R|=tcD3lF2uAA0Q*URH1OWytGm>ZqxNAC2a)X&
z{(_Xm*&a0*jbazfJm{mer!@OTiw$#MVYWi`6?;+&sZLLP2f;H;tm>>b(R$A_Sd)Pv
zbL^=;4D<o`s3&27vie+@Yos4RnsyV)8z#<oR@<;?qJ9_kRr`^0tN(b2O1$4i?IIF_
zRI3=<RgLD_5z(}(I%8}XvlfYjIK>0fY{>BfPlfJH1)Pnq0sNWv=rbui<x`6f0xkrk
zG?h67m|>>V#dlrR7p<un+c2@Lo7#Lx2K2Be=ABkL>4V$}pJ7TS=qaG5qvnU`Ez!R)
z;T6#3xKJh)h9@7eP+ab&HW^OUr~^fSRHP7)25}6KRGw(XfK=w3nI?K-N=o7rpizD`
z(!&8O7mC0>YBRC0yP6)H_k_WK`ay*@3f~^;0v`0FSkgnCV0{oH+9`hMp|)yW`lK-;
z+D2%7QkPCIGHUHa9%*njpyesi^KP|SL>X{W;jpI+d1~3eS^eK>PK}_*yt~z&!A@k6
z+emt`8Z9jqMR%)_eFnhzknG6j(-yoB#q#mZz<L^wF9YAx_yU#w^CnMDl17PG3;>JM
zqG?aHNtzwm;b1|kMJ!0MX*tq_<1L^PgRdz*>dk4eR+I_zCSw<xH5q>$GZN>fK9H0+
zNm0H<PCUvb;3Iw$o=8oa+a88?(g+wLL$1W@0Psglekj`)7Ib!M%CMyQNi!7XFfvok
zOd5j{hP;tUNi#vGeJ~p|3p(MM$P7{0Q++Mi0^#;RHhnXIr;6NOYUH$dpk#KRHf5g*
z_$1O}F#25JB)R0dvu3uxFEM5A)WjJ{DaMi=jWWl~e2>}o%pvJ_Tht>h_}1i`D?0X8
zn^>2EZBvoZTWysV2mK}PBve|jWMkt&qgqbTNtjKMwkQuJ&X|`ZH;Si`rZWKT?=%tT
z!0y;=^c3{30kgs5dqAq20NN?QO=caM7W&9K;V2j?3oS+F10d!DQY8eU`=}kPPlNAH
z5!Xj;6Wt}v=q5Eu-6XO0294&vKOog|h|E6fl-MOmlD85S)l)8~LZpk#B6)zMRi^>Z
z31?rmQ5t21gA|``v=9%RHXjl|0%)XV4+Bzqq6udMlF4}nkoK0PfF$<SCVia=Ujn45
z-2zBGJcqUvWoF{zNw9we`adCd_f<!YDno%Y_-f{PZfeTBiK&C8CC!)wBPlEIL_T#i
zV6joovkYiVA)vLz*TjSa0I9(<VroA%GPpOAG-MhBk=u&werjjy49GW2l%hm*Axco=
zb*(;`v`?5(E6W`cr*^ldRV_zZaH#-{0mtpAH_mf-OoEC|Pr3&>IwNW3l%yduXU|JT
zS?c&0v#b-i1s_TF80Ien@DkcMvyv&*fJDD;svhwtn>ZVgR0h3IlLd-FOg9KJL#{cb
zX^5U-665<(F4rtabShT_Sd7n8E+4owyk0cQms18vgFOuxg3fN|kmH?3J7Qj{94?JE
zUKTbCo@cZPppnMrVsxI-QYY>*M@tP@lmUsUiHh<8c#KDyI^o&UW+UB`*7;N*oABKt
zdhzujwb2l2yTr`$7~8s%ru05@R*8*88Ja{pN(sJmNK>1qMciO@y5BJ92q}R@6}twj
zQQ9P=smnE*I(**a6JV~NRG>@9+i2Q(X|3pw>04YtehKmyim-UKx%C*(d=VF~M#i2d
zDmaowNlBVKBWYsljA^M!?T1dA31h8b53)!Lvs7fDxU~|+6GR?Rn+0uQ+xawJjj{#+
zUnr`;+t$<|yN0OE(pmsd$9D#!HJP_J44J{WE%GMS$xlgK@Zb}(laz8a+#7kPA(7$e
z+}tPTPJ~*w$B1UmLdTB7%+NM=979Wh?h?$v26-G7YN<51YMS!2nK65@QJ@9P1Qk3Z
zO&wDzWWh$tc#~1KS-yual{0)`g5>iahu6_VLayXUSBxuF62hmD^{i5@h(CpUjw@-6
zl^BU2ECToExH3o?W~Rr;`G;#H)7Y>iRF!;q_Qzq?$zeaP#LErgI2;!X<W3_?=ta<?
zw2<jW%2L_!#!`yJpQKG4AVoNpfP%wJ@p>#jb*RNmhMi=P@}QYVW}Wh>b0ye0Mk6%_
zd8B0?--PzFY7sD0ZDzwSDgD=X6di}EVS)DNm@)-*=}UG0ZK(QXNMOY)#`%rTaHZ}(
z<JIomclI`F0DHJtG(l~3|0pY|y`pr47-$b0i!}LkoslMbu+5-%N1A$oqn13KS72W1
zBaLvaJc{PcFm{_Fab<$qmSP3;&jHg&T&4q3?KLLM1@u$2)kkgq5&xk~3CgJU6?5^^
zF<=dsEo1UnI}#k|?EMZPUW#RZbW0v=lUHULGWn1b_)!dyz(J@%2WcTWXgMW+rkw*#
zo49t=@YqesD2WXjtx}yVv-Q`^^dj(}Ia>*61KbNpn`YXFKvYG`|Jdf=^?zI0tXqM)
zvHRIiIp8P%9YLeSd=4Nr=4UqgHlPn;YM(%uW|_1*6{<#|PWG*<7SXKGzsq1odqF!e
zA=<l0lVh>pY-}#*n5p7_+5Dsbhh;NLZE5~mi-{Mr*j*IDfUbcF#Vfi3Quv^g+1R&e
zgy@eUP2w#Eq?pCGfB|^=R|@I<U)4=hw5(4thifK0_R8c3j({cnAhXeyfD~VfhNYmn
zTVQtLb3oemUqwEN_Y0#FXTYcH|F*7=QTebta<Up6tM0ONad%#$cHv^qTJ@9v114M`
A$N&HU

delta 23333
zcmeIadw5hu(m#Hx&&*`V1tt(e2!zZ8g5eHwm1_<P1W`b7RS<;$;Svxq1jP#`D3^f9
z?EoFt?25`_6x3*di5MlTs6nC&3W&(70ntT?fD$y^zn|)JCK&>{@AE$U&+mDD_?)Tg
zTXl7Hb#--h$I=aTcWkIz@S;v#&6o5R@f$vOwbHciy5=Rrn{I3lN+zWnTg)Hy)_wEr
zOph0}JT7C)=Ps{i#H4dWP2)C5dICvMMA98d<`oWge6M#~{kbbiXagL{2B;ZckHfff
zMSmzkL&gej&`oGz1}gQRmyLfVT6a$8np52Un-zcV@;HrLG~-%^=F`HwA>Pn*pA-EQ
z7w&Q&)!irsd87)%XOffa<`yQ^9Z2-4Iiue1(Z|1Z8TeZ1T7P;1gEbB!<DmJ3CuU?h
zFnlQTYOisbNHz{0U}|1*yCYdo?x!VdM%KUx!P)&V(98tI2S{)wZCHdB7UrdTVaDmN
zoJNGF3zC{~=}_U%o_0>kH=9I{Xuo2)%Q&6m@YKVg4ojC&RO+h64_f#)NxFE#lO>)s
zHko<RG48yR&VdllVY4{8N!H;5EK^EPa6kgU$`82GjY_Sj25znYkomjD4VIR=yj;s5
zBd64b-_u{ZJX$O_F@EJ1;RGHOJ&~T^wCEjSdaBgx0G&Y*1TmAM#WkkZB8K5wESzP6
zNKm?um@YT6XzSIy9%b5AMW;>s4|r5$&3`tEy3eBFsOIlGrt!V%%;L{c&08(j!u2pE
ziXj*RRdW+0IkRI-v#dX0Kndx{p9)EpUROx97^#*~#kDfZy1tOCn*SRiu{h3D)2*4&
zS`xFW1ZI>6&9iAx)YYn?g(X0x%(0E5Y(;ZcPu{T_!CQRkf23gHf(2i?!UZLSl^AbL
zL`fBEv6o5$8K;$6dkO0;A*#PNf>m6tHn8x!)^7-wnKk*CGP0CYDSJCsv|t_Q!dfE7
zV!1K);T9G>pQb0<nh-=Xuzt+4*p7|=NDB^|o@ViM*zDS5=6{KpetenB?B2v{-qrNZ
z{}M@2^_|(R$&CLJHOetNHhVm&Msy-eSmJ{XteFwpT$Gz%G;6EGXX(?`>U7wQiN7JT
zY^ALU6D&=rFo(w{(mwOy_*SfCFr8|~dBU%|PFeBVC<DjcGdngz|H;Vh3asB6V^qt~
zWvMFFi@0W8Ts4mB1$^>43k~MY)=p*KtSZ4P_j>B7))}RD8&+e(e^AVdfJMgowKY^(
zJXH$wYFXqzR@Vw|^Z&I>c_9fkrT@Q7tsU-qyXE1+(Fvn<*nqba7e+$=U`b$*s?~pZ
z%fvrXe^0Y0^Tn2pvastb<Hv3SB?*UTq_q^5u5%3p!LnS}zzo36Hr!yt`8KSSR(XXD
z;W()J#Wvhx!_78aYQy<999g;6CSb#3Hau*@G8^u+VX+NY+pv7K)jr>}V2%w-%#}AZ
z&pHh@!TnB~+hQATv0<JKSKIKI&DA~|mf7&4-Pt}HZV9B<*rT<XsI)t;ScQCSDQ4%S
zmYAPWN%3maa`ODBCF!(W6SX9j(connFdElemh2h*7%&<<*G>ZlBZM~}r=dI}Ra(6c
z;ee`5kZbS`lojM=@gAu5D{C)jt?_Bt8sQmf%8WXVfa!1=%5+#2L)03#HrMO$h#elh
z{H|GEO@I<c%sgbFNcGuKEp3>|;1LJ73}RBbIaSw;SXmx>#H!S*xPq)5HDkDr5ei}d
z5*Ez7)T&+0TB+V?d$mruPVV&9jblN}s8YUkEnoGp`9f=7Q?=|cJ`COy3dgyX=RQbM
zp@$2<X`Mt(*{$BQ$a1U62M0vd3-d%O|GU&oXzQmJ%|mTd#F>R=i*^Z#RXGlyJG?$>
z86l9Ir%r+!lVM!QaU^M4H%;@pjj9~;&2|mV>~`UaS5)oD+O?lrTvPiB*Y4VG$zn$b
zP3r{$VaCGh;xNON?$y2GVkin6eDEP(h_T9S(0(ATG)J``OsmWd?T656^K|>Jw8m`N
zVKxp6c^w|1XUwRMy^(WA$LPqli<##-VctlCruym|ubXo^_MuX9TgSdsT6nf&o{JV1
zuIj#4M_#L5UGY1nR~vfXe5ThewBFp)t99qv$BpCGaRWktmuCsVk#4M5>}aQ{ea>wx
zHQV)m7QDREJJqRL7y9~ip-4tc?Q;tY{$Sz6zAMPL{A;IC-*c}Pw$4G0tmZf$O-*pL
z(2NkDZY)^n@CnnG++Gf!M4{%e<kng9&NzJ{9O|N@d?}ZQHx4r#NGw;0m@vbMgsBpZ
ztVFI#L|ci!sYFAo&5J4#WtD7Hi3Sin2y9Y``c~pim54+l3q^jF@`M@hDg+0&oeHTN
zX6#l-M3_+r^*&dL@Gv73iLX^6%%ZpDR~|%Ym{Auc->Z^37DH!L!fg@wT_r-Sv1Tvg
zvEJ{pczs%>oL1uSFHFv1QOHpxx-B4;fcfAdEmsLx0tZgl>{7eEjwBJDK&)IW!8PVS
zV=%p7HtT=HJ#VSn)+)@9o3~;v-@W-Sblhxk%P`>MZ%M`PhqsKwZ_<Dt@LO--)CmR8
zSPdlhI(0VXIj&lA?U|MH^PjmkzqX<UpK)zmb{r}inP&&y*f@WkD;?V+d@Kgm;ZYGV
zlLr;KkK4SgO8JMoV!1t#*HXT))X`ip_-^;EC02IfcY~La`%^n*K04$sCo`B``1z1f
zQfRq(<hJ=PYc%H6+cVtT0+qkNeJuw6#L#8<4I8%jzU_7aL?BoMo<_Bf>r7<*ife}+
z4qJlt)J-_BtSl;C;U%mnBmSYDn%k%_PYsK1c>R*t;S1cK2UvP}_}A{^fe|mc<74+$
zTNLKVJJ-424^%sU=O`*S|1zQn9Wj@UNQ^kPJYbc`I8s<LVx&-_DmR<mo#g&GKw{|K
z3*GYrdT|(uZGlAkJrBG86-XSvXG6mAXREbAiNXjTI^(70>-T0v*3K<5JB@7QK4~{L
zhmV}sYL7jdfKaccWC`>G^Ot-2nKzBPKjEwY*upFtmEdJBDgv%7M9!WRwkbVAV6RYn
zzA!eM=SOv}TXn=~+h#H<kC;2gH#CRe7e*V*(f2i`SImd+>mBv&Ij0XhzR!Wp#cn&_
z{OG<LU`tQlH@_7ZyLbn$>vI^tnhqbKLw3y~TwL3Bq6Mb-xzX{o(0pgKZ@}7B0c+~S
zQZ<&Xa#*1<Y|IOT@JOs;dxOv;u-I0Dcz6VM9A3~1P2c^#rZtp!(Faj-puz+9x9lcY
zIeadxey2AiNwoC|21!0$jRlNiO)1F?h^Xt;;euMmBFEf*zpumJm)L9>9v>^NC*8;m
zWFd*}Rs<z;%+Lp7vo<cVcvNC9t|nej$sLW@C*_$K5aD5;1=CPFgT2(NYOuSiCNDDF
z!!6irwJR{oo&+V1#*lvgxj{}y2(^$O?!)G4G{%7mi;obEG)m4n?LCZmEJf#>w$zEo
zQV^8PH-CDdN&SkeJJO6iv(cCvXocBtOkC6TLDkVZHz>KnoHNEp$IQQuX^uViy)lVR
z-#B$uSNTE7_2!i^u|EGPONqcSJKxsu8o=bU3L&%1>^ZjWfW7COwkM*bzpJ`WVf-@)
zk4pEtj3eiqUTWfXvU>p%%E1Wrk+I+0G&V8rf6fKeUKslWO_kVqls}K1)jgor%z$En
z4*?cmF)Uuq5_=TH{u!93@ED$(JX5Cjy!|LLgwYgQ=0qemNsNX1kkK?fL05JVQ*r)O
z%}6j6zg7!G4eY0&<WaNPxK85oDf5nT-neC_1I=`vvW2GuV$}`QST@c_#b&{{_^{jy
zj&yKCnMSdBXx#9-Pk$2_u2O{K-vrtzMJNwSg6hGb<enfrq1s)u#=6?f9^dI&1A<5@
zP9zbH&_ADxB0_=i!6>3JkdjrdK@l+`%d2yIE42T2+P#oz=*!q0f_aXeaOb`MZJyyP
zC1A4lm^&x5g=_iCgwnPj1<4r$-w~9ALRyPMDTNyo`+eGcXmk2R-=Ayq%M+6*+uSp;
zRnuhw5*RnA=L99Q&4!aE(OPrvq`4%`3zHJ#o<9{>o5GNRn$>;xnVdx*o9|9ejCeiB
z;%qceO@5Z1Gv`i8jCg)kz{eKGbLJaUTGhS0GGJ5%ET{RylmdFwl<6PSx8|6ss|1Yw
znW=>hilHgCQ3!zt?F}{FHQ%0=cy+#R<^M7*mfkhPAB=DCZg49Xmlm6SYv;SCdg~y6
z=7X8up!#k@Oic(iN^n#Y-f$$m5vb&t-Up=nPfw!a!l~0siTq}lnRk=F@R^yt$T=V9
zp!tQnA8PKX%RW%K?POp2s_^3Mm)%ye?B@`^!d*{p74&Uk*1V;9qxqL$w7t3^JW;p~
zaTtz=jd~9meluY~2avyW!ED6zN*A;T{`-P)^%n-!b{gRiqvF(slTi4@Lhxa>UNi!~
zPcGU;WoAlFr|7b0o$Q!-F$^7RTVxuJ3|Oh<Im4;gEYG<SzYP{A*Ev1kncjhLPBw?<
z#F`H;j%jG;494gYfX_5UhH-kn`O@OPRAL@o+=@yH!<Q7)NjhEX>L#MFA7VS`COlrJ
zS9BBM0HNK48`%I3falF)W+&{{(W~duPIL9@yWy#wSZ&h!!mKsrIxQ_6yRL-;V8P$!
zl6UnLhjJ!El|9R|QVC8&yDb8DIk*r?c)o!n)b3f}nA7j2I2@Jke`&CyI?ALC29`k9
znp+E>-S7aR!-{`AjNiJi#F^O}+hYK4Z1lm4-n%gtzZDxNpzMy9n}EFsUv3v#WsL}j
z8uM?j#<`#WogJufmzlaLrdApHtdpNZd(2h&kK?!QD?_lNM!k|q1!nduvG{%Nl}XL^
ztaEv8HZ<((j#l~{Uno%B3$G%Z;2Uf(y|1>dMK#c)xK5AtY;JInZU~olgSqR~8^HE2
zulDG~K_@o*{9&`@pC|*ufgWN+P_DrSJv0E0m99?K#yWG<rubT2H?YXxqS^m^Zev4X
z;ifrcZg?${D$G8wO{#CXu3j820xogkw%5X`zUAIumA~)xXtLecQ*YcaE`4PVEm(V<
ziso+xF9fEO#s0#ZarCyi<IO&`GTm?2%tgaQ10%+Mg*(U$;|OlHuFyk9>|kiQ&I4wp
zWLgz(F|DWHYI$=_rlqMm-$I7tWRLlEqi!A6RNb)pu!wV%uQs(Pt3p_R%@+dCsDBoM
z0UOM?LL*p~lMCbA?<;0e_H5xa%+dM6rcHP<ptkm8K$)>STD`t+cG_~s)x(Xh7bpu5
zdUH$1|5U}ZwGpi|leSLu?p)`>^pUSFJV>wOU0(wOnurhtF8A2k&o*D*Iwd@(3ioeS
z4sZP?#=gSl+gj=Bpmor^<L$1ZYFA;-+ZzQPFYHkKgHR`g@^jXaNu3tVmOJ{zsS`w1
zO>R{Xe$aesM`uN_pm6(+F;0c9FKqVV4&hvZj{WA*kGEM^;onM!xv&<0{_GAMhx+~N
zO;vY=dG=okSjaJZeuB}}_qKqsO4^$O{Gq+AVSw}Y)(J&o<JT>b`1I@Jf<7wT_RRru
zvYfLESC)TD^p-j1XdJ?ebC1TU;FaL;BClu|l5%s?QQx0j9({kbMNKrmN*m@#wqjO+
zD6)!D+F`;_gzQu>@j5|2ju)yc@37G%)RiH-WqcbDxRc?F*8~_&4YrmefL;~BL5*hB
z0Z%Ty_L^+tcX!syD^-^;(B~A~m98!vdtv~=`Mv%7<l05%*b|Klw|?K2+N|KqWg|S@
z3y05hlVurzs~BD_da6<4zZ+7VYJ~a^aOA?1-a<o=j!)J~2@3ByeqPk>Fu=>kiqU~0
z2eat_n~^^&Ht#vvwRVvi`EzXH){{{@ice0pysB6?R-?FMVTaQVDT^7x9+=L%j;AL_
zR+%er2>4?2$b23D${C0N<T@$Tj%(?NYh@qAr8;J<pN5DoKO;DO2v!5AnqE&Pa8HO2
zU#x+B9p;WQ>|*tHfN>-55I=#aquvpq2E3>B$DFMMzotMkH-L*|qf$LGNN~aEUsNa@
z@2W3N$FK9Es=h>+g2|zdSFv#M%ffZPHlPOihwO~aK-4+Dz}#`BX+jCQ<<k;R7y3E*
z)0^M95cf28BA<tZL;a;QchP+IHR8>ODm&2p!WSwJ(ydU$fa-Asngg>+^>ij=KLt=1
zw5*)iPLxJ-;kBCg!EcZM>6N7-$+ywtez$HIuTRF)tg%`0`{Mt2VOdS?p{hS4x2>wD
zi|;cW$!5WYE@ta<(Xc1RxqjH;=bgJ7_`!1{nqC!T2?SiiU3@MoHV2)*fwq`4&ZkhG
zSp<AF8s2O+zt8}UyI&X)_a}{yN%P40{^pOW?xhQV+R;99+QkI;Xv;6Aii>N_UoSpd
zpD#|Zd((gj;*AGqaC7dZ#$Z5RO2>VxxZDQzul?mVqS7?)yPSai_{qyHLXIrwa3q<X
zF2>i29__#EbgAvPM1Jd_C*3(Kl?qk()134j(T{R)2zhCVOb?*}v_ckyP~0_fpi=ow
z2vu0&I{7a*O|}X4u0v^7u76`4>L;kc|3erpwDymD`A|K2hPKE{^=K=V$U+aj36K^^
znN;FG6iJRwb#SW$&BZ}f{<}Y2qH_8D&4eJBzu7I6O4X4)|DplZ%Jw1T)`4_DwF^=0
zRu7`vgUI|ei0-FvWl9P)$6%(V(4Zi3XvPtLNeZ0`x59@%`M3UsdO0Xt{xXtUQ?|e9
zD0<E9SzQr0wZaKUs6c)-j!w{O|A*tLDN&w0I)QFT-1CzYYcGq{MKksx;Y0$*XKd!4
z1%yZd)=`CQpGL7%DhH=g(^&iIgywa<ZxCudYu7q`Qf8%5Ow3{HX$8s+CK4z<F5du=
zn5ys8!;9LbIr2yvHSTI(&etx5<zrRCCWqzDKk#fk%j|yl$qo~#alMl#oQBJ@q&oAS
ziL{A|{Q4wH6yC}cfs?l|>ZKb`SJWh7<Sw3&DO2e2=o*0uC9n#0Hk7wdp(e6&3U#d;
z5LQE0=Y6t!I-Q7FUcoY(%keSIxS)BSK>QupGya}a$<&onmHR)RPA^l?goIcVvUnzK
zsSYIj2RuZ#>YlA90x<&|q0$Y%d_I%<Qjz>7lWwHdGIBPxL8{Me>H?54o32p4KjUFq
zK(yRn^$4A|BCJL7=f`MK-2ijy@zHAe)Z?^Vxgy#A=qISmrSKB}zn`Lab<Z=^G74eK
zZ_3L#6zAW&km7_#29<@R8-MqsYz%o`tj<<P?N|K|E};*|Gp{<^#grENlb2Fm@_c`F
z_RszYo~5Pa*<79N=Gt5Q=a*5pU}2FGmOps~og^ytcUVQyA_^n3V^T`FO`a?Hq@-B?
ztko1rnE3^3Xc@yOi6>x?l`of~X_xGgi!EZG|FK+pT_CsBbL7h^I^p!pqwsK^I4^>q
z1_w`$X@;GTXLNSHK>pF{d^ORkzFVDm?drG{v#Wbhy{fvp`>Ondnz763HpIW{IZD>S
zTj=wc>RtZ9&r?h0ZRQJ#<3%sf{aJ|MAgT;{DyGATit;d`;y#S5hQ(EN_`+Nv96VD9
zU#TmE!+Z+iOLv8ExKSY-;8X}lJ{1DT(?T|P4`3WfRb?DxRS1W26;csER1}&Snx89+
zH&EkHD<qDLGWqU{H1Yq_gK1JTm|O(a5KPwjhNUgQAsMlOMrZL$03{H98eqwaBXcZ}
zeRw>ekSzgO^De1!_`QKb$^v5C7eM%lf-2%S3ku;!3<}{_4GQ6B4hlIP8^G`aVo(H5
zOS%Cs>^6XJrT7QU@fICYUK7motuU%^v8E=37{w|RQ5A&B|N0M#4M#1ndTW3~vn=@s
zR_aoD`$p<ao8`QX6sP789;$jX;<Vq4IPEthPCjqqO^6d3U_n+1PP2|MWTj!qTEvjm
zis5D(F0~=6BImPiGGt|Ccr4jQSf4qA6`Y~<W(0)o^lBSgZ$_MI)o{HWdH>6FD4>Z*
zTXSVqfFSX7!J0H@U|Cr-Rgt}{tX@@)y{y0(`cpafva(oLIrg$ru_dd{=1~})D&z4h
z#9mgGge*dVB9@^=$eLkG$|{GS>L|okPH-kYuh3hepo<G6+}f^_Wv|d9v0KzM`*e|P
z*lM60X3W35|5X|my8*!j4HnCud;|5Zx0%KAqgN?mpxsDVx+7S3^lIIKi>Js#)$~jp
zOR-Pm;s-!O0GLTCuh#*6YQKs4QL&u9iIxRe!mU++C0!kA!BX_*t65SGAG4%RrNuI9
zGd!7f{=Ch!mPF-Rf0x(kX`&oi^ai!3H{`$Hpd8vJXBN;M5rsJ}AAB5jAF)k-RzR`c
zKYH3_-@&Qdu=k!;FV1n)aT?o#@cOvc@H*6U3BsemQW^gy$R76RzlkxxXdi!z{tmFH
z5ZleyGI|T;igQoPf-SUF{5D@s+DaqnJ^9X7v{^0h+fK3afo&8kepx72Zl}gFc{@eO
z_1i%Cmqqf8ZFGQ+$c28IPcO-^B6^St<)cM3kv@~<MN~+O<m$JvIqs3W-=<N{-xj!x
zW^&ASie@sgs0;dCXr){MAXena(c7t|tUwQNA<u8eOdpZG-=TY*=bm;Mt*wS{yn}{s
za*J5mxET1}ApCRLrI;QQzb%jj#k3qQWAeK+-2$o7^B(A`tW=q$aR0OKQ7AR~;3+=!
zL1+m0bm4m?UkI$sVfp$FdK?W}mrxu)N(m&gQ|>LHi;;E<oY~L<o9AKq%|B^JB&;0A
zvK-b8wu4E$4|n*O{QP~o(x&Ja9Fq}ynucd6MiP#X2%d2S%wb%&U7U*_Cm6^4@jKyz
zQ@$MhAze(^QFFCU)vpV#x=NRmKB8{wAW{08I(u930r~nz^i}=pp3t)cJ)f?WZ@f=U
zLr&{fU&SBOZtg2*7p=0+ugw{JLU@pbpiYS$QD?kJ&i#a%xL;UhooeLzPiW8(KJsVV
zZyk7uh^zAuan7(rBiOX_9qH*x^#%~Z?Jgp`yYAt4eYfDc7P`EG6fg3|-8ASA8P2gP
z`Cs2n4G5P0{W2P-yu(u2>QgF%kNMlDw8&wfoSyoe*3?rh6mT>=AFq|x%a&izlzRJ?
zfuVfPJPqgdko@}>)VGxisMx|&Lk)VZ6Ogs4Bc1zjl*^Mp?xT;wOV2v_dfO^^XFnzO
z1UfJyp-vO%6V~Bbr?*a%Fm)Y>?$!$)B_av1HipAc!2?{dG*Nh|j6Fb|un2BDKw~Y&
zi<rkE@VG&~bATSS$J*{o8gDzuYrdp8q~<-h(wcWQW3t&-6eE5=Blmno4eOpi6YxUo
z7|6TtD~bpEkADRp{g{0DE4tx7*Yt(4!6~uj-|rCBV}%*^H8oVx$eiUh(a6$ZT+aKN
z;@XxhV|DQo1Y*DFz<UNuldn~<Prk;PGG8VgrWY`wpB$!H*6XRFU^Vm){f4$#FH}nX
zb;@Z2v-A29>Z4?FdZopVrLh-}kncKY?Dj`#F2=w4D6Le&%$5DWqwW^!fATvTFHm~)
zd+N}RCpZ7771F8>aan0A+!c(=zCX~-5bskzP^vvi$A6&iqQ3Pk2T?OuwGcY}NR#XX
z{oj714-lb6Po@5}3KGJrG&jfLt;4HnKA@r0Hk&cr3U8N-PEvtS)vD4_3vN&)pjGQM
zW2I1>?egAJbSvESmrha3&;{!K7~WyclV6;o!B*?z+!{9RSas`i#`0C`KBuXL#g?3S
zn#x+M{tj{r^tZ3N#U94i6Z-qrX?(09u}7w!qK5v5exYQtT9w+Zc2>74VQf!us}j{p
zp8k~<L56eAP+Y(m=mvC%?+WIfku%Oxv+#PcXl!ew+<S(StzL@kUba;CQovY2a4!W`
zFT*RT>mQP@%jAn}tMt!G$_p5J<)|_vTjcb!2xJ_S>(0_U-L`z|<h#;@hTbp$Bap0@
z;SIwHIXJ5^XX#d!f5~q+xk7jItEgXpp8l&$js04R^AA27q|???z*`QuBbX5^O=WE1
zxVAb+w|Xr5#>39WBv$?+pFW38dWHPu95ufFFydv;^Av`$3_MTG|ES73tI9vlQ?jKw
z>si*&oV;pT=Q6fJX^!hcwdQoVK*^RqudrJzt!|OS7#=-rm&-3uf~{)XE>L03%&6T1
z?;)*;4~yiP>1b^i8!pmrwSxA@%uDo^`#Jj=mTZ5Sp1P^L<{g&x7h``QV4SIIiSftF
zbeF|(w$1THfnJqhs~E#y`)!x^U!e|v#HK910ypEB{P+sRslDZoCibfQH4&m+ki8bL
z*K1NlGs;^tNpzuOYw|?zKPqk|+mqla>`9{6A6MFKRr-=d0#?|05<SqQvk=pj7)#_v
zA)4KAjHB{Z#KAFG75F2TLyq`~@?bFK>__Cu6R=aD60VC|+#BY>yC=Bt_v(UOr-yaX
z6K=$tx?pc&zb>ZK_!i?G;!Dc&_i~CBR-m!SKfxv5Au9KK-C~je%n23gZaN^()E7S+
zzg||0YY;9Pokkol9jw1I!I{nM%*x=*csuj#W$B9&6F_ZY6vTKyz7r)n0Gx;to#}u-
zzM&XFNY08DGw4hCU9{*8;B6!fIw;3A0$+KuS&WE{KD>_KHr|Ds8ysT<7FP;f?VWOH
zjF^Qg@5hLFwlz;_EbbsnGc<1u!Y;VzfC0*rn_@+qe#(Ykm5(J{&l`i2h^L3ArxLR8
z*0X%3Yb(o!O~e+pP)g)yO)!6@GNh?^0rGsMDWZ-Ze~ydC?W=<+!m|dy|41{@1dk^C
zm*PcTqFfp76P;+C?8_im&a_f5`owVz;+X{TWFx!J76UNM7B$@az0Jk1fxvL1L~%O;
z&}oT6ccR^t)&j4d<?pRUKcu?15!uaxoG1v3riS^Hk@6v03*GVWZzJ~DlP_OwCx${h
z&b4D*@yE3nJE&T9{M1o&aK=Cd)fy!OiiTO}>V*?E2aZunSJ4fl$?7V0)VS!l+Ob^p
zVcjq{^W_KKlotLQArO0$jp;6YqOIC+gFR*o=bJ1r>E(+pC!RQ~YW}pF#EVWG2;Kce
zXK(QV^>_oZ6{zBSRzkfTgofhfMxMN{pXd^m_Y&TT*M+y25aM;-22VEvKIlvR#8dTy
zN>U(Z<omlPi}4)te$EiX>!M4XiSgiB^)1gCVvcPbAMOw3&66AZi@(}hFyLl!6P5b2
zZWeU}RmjByM5{r+W2<-ZD?&Z+Uf;#<^=o`V7i>$wFLa>}2M785$OEtV1&+Epq{wpv
zV1ACtn1NWT75+X0g+oN+P=hyZ2-lLQgz&P0JUj5mK=Pgx(cG49R*FcYdgW|J*t>@n
z>1~wDGlRt(chPyLWhZ9cD()J9D#|ZJuGfJ{MS!#;9|-Uc(?FhD@%%KCul?aVLo+!`
z42VE*K#_(a&hv*45f8HD9=lD9ww9p$`Zh7{n&V4}9D2LhWY@TSyLi$@=M5EY>a(Ej
zV+;&Dg1mY1y`k0g;)jV$^ssuENUiC?Cz}ixbM5rshKrZ38S=0@MBi{8BqYHX29}cF
z#Fv{KXTbF-Z=kn9Mi^~3k)jqq9A#eoYPhNyMC3F|HD>AT9im%2vsz$U4#B!Z{3itX
zyJ`O04W%sy<*j#$fsIOV(TMkj%JmL0kOEDka+Q4fPVukm%O3gU2(jFQD-}CVjXO>}
z^7F^tCGIBcr659Ycq!<A@-G70zj}vf<w)dA_Mf;%bf*YR3%CvVARR`EA-G(6d?aks
z5xHfg7><;4luGp-B{GnD(@Om`O4NFOEt}pa4hCH!;YGHj(PDGNx}Vh+5W(ljb^h(6
zMRtv)LtxvobhnNX>E!wNQeZUdhGe(gIaVx!{kts{Lx`=pOB4p~@vL$4HTI|evEyO+
zLm^yD1bno7|HcW}5isk~6U9UX>E})q$AtR3nR5FHf0U<=4^rkiY=J-c$&+)ZVCpK@
z%B@qx4e+}EXNu_Tw#+G<vzT=8Xk=g@PH$a2^9sRWUQ8EyFxTqdWw+cqRdL;Cn)sn+
zsCY7J4Yl(O@f}|rG<ryEcZiFZ<QKEWx#-+W>V#bfOQ??5jk>wmc5>y>hecAOKpED~
zRfWDsL=5(Uo{xy<Fw_H&h?{r-k#oe$YB6Wacjt&tf?tiwvPVU%-2A9$SUY#9YO&(w
z_{W5<j$9@7NsJY?Ty~r*{tA|N&lQ&u3HwIw&Jyhyp3f4A41L)mo?-uNv5?^>*&>1A
z$!yV?Ve@(7tYu(i+*4{s=07FE^j6l$)Y1v%h33GU!|cmS5^hMs?G1$_u%NSL(E`z-
z^`BK|;RMx>Tqs&a+JZxTsGEoZrEEE5p?D9n3SGo}t(E;21tz<(KYNjw>cb^xMZOpa
zMeqEI$jAPJHv!n$w!JDsse!#e<H-P)HP#!pXc@Oj^t-yi+Pme9O`>DO&np8#Ki&92
zZr&ss*ZUHGIMjz%y-^SEmVc1@Hi=esFI3kf<LpWqwi!nFY5CA*k(g|*a=|B1eX=B;
zSrwp2#?t{j3{P+C+OKZwzKpjrYPBOEhxIQHY!-_V8yx$Zm>9NZmCHx{2^+-=a_?(m
zO~l_;xvKBE*7#?=j-eyKx%~|hizv<hH$)D-;D4Y%d_dlV%9F&4UKQ47w;%x_GnL7I
z%)Cz;Z;9AM)KX6`_~FzZy9Gb%*Z9`mdUAr;arRqKkBe*NhPT9Hwv6N0u(HKt!-|zS
z8SDDuTFl!7AZ2n)p=c3<<!F>GcX>X6QRTk?a^UVC2BggYT%j0Cfrl^ZWe-1m8GE9U
z-?tU65)M!!wu!#=stv9(wgrfbibO<OKiVd?@$L59cSK+Kjm7VXZ81kIS1iG0c!nw8
zmDn?bNn27Z(i+>PT*lic|DA+->y+<zzbisSboCtbgCBND!p?mvy807$h$Nx{IkW^!
zRmkiT(LG|tBGT}dQ>$D|+PD6lB`_%Rvww;XF3k~s^Na~H?0s=2a-B|EXHC-{!*}=@
z(lqJ$Ks1kQigx!4(%i^KrWT;JAGjume<0$iot*groQ`2~{Rd(ag4OPwP<X88o#GL?
zN9ONDS++d56I(%%^n56Or;XD6kr+clPX0&?qam{BBlv|YWYtIF9&s*2-tn<$Nl9|f
z$7nHJ7JRG<Pk#(DrP5m}dO4SZz1!s2QV}0FxejT^>1y_7B9Ga-P3Dz~n`yBuFXa{J
zckdE)nq-~Y<p`r}&A7sFy=E-`1h7;yo@aPoGhPQ2$$6Ub9wWm)(2UO*X;G;e{{uwN
zUYn~KKQrbneh>dM62_9Ip45zIcLO^o)@Vi^Fh{cg=I!_cWJW#z*moTN0~JPFXZ?Hr
zO3l~}+?ieJ{b8$Se9id!POpslPBTt0?%1)b$ueBTGyY-w;uqi4j3s4`Fjw-!J*S3!
zqZxnY#PP+B<{vN7j8{1^Zu5sH=DemEZzB<s{a7P^%P;wEmQyP>Prq@_!bO_#6{oh`
z;|}c?J^2;Q_|f0!dr=<cY_XKI3G(7O5#Me_FVYGi%NWQ`$H!Bhi#&!YP=Vw}NW-PB
zlI;YUa$ZcOPvn;KVi0-d#q*e+;j--o%vrXaZ~;zvQEzCS?07-6YS8J%9^<BD4xjNz
zr;eb@|BlOjTs29CUj!KIzvUtvN$Ae_OXB;i^;aBW8~d`hX`!UFj&U5AHNg;{4xCx!
zv?~b5>qE_9=SKi{a$S7&gYZVcU3PvP@DSkKrbPhHLZS^4tnysY8F(EV?+qMoup&G#
z2p<kS%+9|LcsOwGWKs}53wVT`pAEb&aPE9r5S|A-tDar32?>vlzXLoHI5Slig#Qol
z`gZ;);0=H?vpDQm;|+mF+4-%2Hw4au=o^HO03L1SXK7QAXk=H)2F@D6qstA#3xGGa
z^LGJ{1<s@XE(pH_yosG36HZ!F;4FbILHKasad!TLz?*51KUaDNiFiO3)2l)FF5q4}
z|3~0H;4HDwh#I^N@B};mcHqr{vm|E*;U@4FcD^5YqKzN^3lc4nU~%J2T#Y9IzroHQ
z1{|B368$4V`18Q=*B>gs6nJakJSD%@^~aF@K-2nr-gSnBUIH&y@RfvVxXsCl(|?Tc
z;YqTZn2fa4Y13wm@9CW~{o&MUQzm$4&X_ViGc99}e^nbDw{^|@pSRWHi8}g!ZKr=r
z;>t|<MF+hvb(Hlx>K(FXK4guG&A4MJX(dQUVbM;U)qZ$t=Hvkx88b3aq>aK?VV4Cj
z`13QZ1%G#~1<!PF)u?^KjWaAGP=&nRNP6tFJA<;cN@Vg9Em*?8%B#>eJOk^2N=2|P
z6CccMKXaz0^ksvcw*vK8AvYtfJwaO89MVdG?*om`01x9kfUhYmP)eo+@3LX44Ifl6
zp0qhY+M?ooK;8zpV_XPptHH!w@_|lzo76m@mB<e81D>=)sM2wkl{XqVn+|Tm{PaLR
z4$oRj4i*W>GHlA-;A?Jo!}QLh&Aq5QR{qpUZ<5B%m~634me(bJJdB;lW4PCb-`eos
zHauy=-)wl<hE8<H?IP@M$IA2@^%)J5k(>-WeGACn1;_($D^K32j~KZbgV=)Nz+fNA
zNSzr_1J;6rb{X_h*;6+61@kO(UvBrp?KO8=2CGg_d|N=%E&tkCZ(_8aZINaJ!{#{9
zyf^Z@;A2kQfU5Z{O&OUKq<J^tvflEy&UzafDHFQrFS_5ZaE6VAmdL$b^e%F2UEL`k
z?5ZaU<89ftt3K`i7IrHZ0h_BHfIJ&&yudS|d-np4#pi%W(;hst!gD$Ico*PgKu&X=
zj{xV`>6!9uSN%EX1dOe>T+>Z&K6noFuqWo7S32thkFCd(q-7&N1Nk%2@<VXT`Cr=b
z2jr`9p-v_Y&w9XoN!|4(L%A6<PyonP@&S1eI{{hcIj;zi>+G}BoS&MJk@_g|xV!@C
zp@7Hc$hbawGnvy}&yLJ{)FQxqaHXZPaS#0warsfXs)s(#c?(9gL7wZO-_W|`F>6G;
zjbKjHNXq6~tu~;HHMjz>@-cbqO?tDqQsAt@?#C^88acl?!`^ProuJBsoAjQM9u%?T
z$a?Vvddif0ZqnoXbb;|<*|E*%EqF7kt;aVS>uET?IrygGi_rSdo;Wd086_ss1tiL3
z+n#!ptSVHG1qoIyCc%o$%aJGC1sH=b93OL2hPs+IZuUg%LNg}f*E213R_2{)sS~gz
zp`-`uCF5gy;~vdSo7EnMcET_iB1^7J>jU5^Ha*nst7%a)Gc#^WdpK>HrhSaU33efm
zL5o4zh_tln$me}92YHo{R$wCMNJlUIrN~NT_dqd!qao-CvZ$9HKcxpyHoMbo*-rp`
z4C&i2`dr{Fx%62xrnkR6HDlJ~)M;rM){-5CIy>$1fZ1lX;yGmfZi{xT1z#Y|V#$@s
zz4a!}OppziV|(j2WOao8GIbUzuUEFQtkc}ei+pYsj<iF&J9XOZG__GoLz)i(yub5A
z>;t)-*eG(5|1ZEC(D)LN+a@FL5a0^C4NnVyY@KlMi&m8~QFtdZ*8^H?HtnN#a83i=
z4RUxNy-i|^EQ?L<lG$XjwnZM#{f&U!N|WpR=#yGyAj#fJLPAfqobr(_u&d+&vR0J=
z?vow+>W#9vC>B{gvaKFcfb-_V0!T(4YuO+`PLHtRSU@&8(*b#J$pmDvKVj!TWy58F
zJhc*#IoyZ7G;Mn7gK1bo4EjGRKkBQG99fDAd+=4y^Q_E_+2b<@PDz_K0Y*|a-hgsu
z^rBraunc%ij(K1RUziQM0CI<W<eYwbd}LcBdB{8l&TcC6`{|vXqaok<vK%!M^HGC4
zuWj|&q<uzKtNH#G$$EEZ*71dw5X%8$KrtWf#zQHmrA?od1`VB>c5@&#c>2uQndne4
zew$s_i!?jZEZLoyzd3-X(8nH}M=t_${z+T)m_FOYv4E^H;66)LC`IN>D?=5iHHS10
zF)&Ofd<W{~+Vwb}>lFYN;S1DT4_q1Epgb;DQwFFs2G9X!^9AJi2csP}JJTAj(kE5f
zGI)W}CL@nE_8>+V7%ek#qdi*gz@goenwhF;?}O3dNHY_GEp05)Jz2N!1+oHPu;}IK
zfqJ7`m86U9qJXijEon{{+q24K9NLgH-cic%?L(UTER(|r=~F{{Lq}K%&I<YAAU(mj
z3u$J#T2qJ4esCPj^<x@z31v%dJFl!2|Jc68ag-OMe6mbR(VIJW0$neMr|9t=%QzPl
z*`j2mO`MiCK6BcX%(V7Hrc8&i*02XTl!aj<!FA-kNqU1&bU08uhNj7~7*t%9K(PfK
zNzoIW7n!1T57wKz!od!*I}O&GWkms>iLV?Zw>xTY88xeurYO6sR(VG1BX>PIGfk@i
z6Kzpe2I&k16SE$jH69w@9;2H+15ECR$>A++KZcnMJ!Uuu=6^q|Ri-k&dX_fLE*Lw{
zst^T}!4>x?vj@gh#YWn2n^2BjKdBDav;1L(?EmhE2a=?q&{iwAOlZdygjT3_PNiZ@
zp94MnwXDWk3=A`89E2;hAM)#Mr$;MYfSaV!*t`_fwe@h`_rt`q^S)n8QJcelI5Cwf
zEwtobobS-0AaIsIreeIYk|NV*X>)(96o-bRVsBf#fn9(ZikeQ?RR(Ie*kx?uxty6R
z#x61nsoPM-8W-?WcyFtaO^4{sT=+A}u+tr6@(?{Hq6*a}p)G$C{Aok<ucIQ$U$D+{
ze4Z=u-#%9FF6xZk#2vs2$!EvuH{3DU$x8tKKE%NL+3iTPf7cml&L@|Z-yLb@0LLzM
zQZL86)JOVPKt7h{O|y2M0_hyDx6Lx%-Q@~v3M0uh?gQkuSvJfC3`M-?KUXRK#1*Ey
z7tO*SjR9*odjYBQ?ad&-hwxVb@jxtRckMEcTiAuAC=`Pa;Ll-zM07(7K2a}H6pYnn
z*XHd*o-uyq$f2#)r=uozX7tK!=G(oScKSik;0b#a&;_^&kay3m3vu?-HDmp!uCT8E
zhsNBt9Bo_epr1E@p8EGTI%VRifZW-68@`B6Ll9j1%oP?_QwMhXI+ZF=sgwJaC3AUF
z_}>u_;Y}e9L^$s?q}juG1CTo#uSR4P{mT`W_`j@Mg}O$ItnnvS(~TU<fTDp2Ye*s>
z#}RyXXJ4Qb&L4_2i?;}ngBM=_hU3NG9!T&1*mi!_UU0E|+ygI6ymJ>wA_!r38V$&S
zriL&JJa?09CO!b<{eKn8S#lp+OzZ)juK$O&4iMk#zj2}-*-GEx=;|N1T<;=6ySUp=
Q!2Z_0QxEyrO8v9{2Q@YN0RR91

diff --git a/lib/challenge.go b/lib/challenge.go
index 5eba175..208f8fa 100644
--- a/lib/challenge.go
+++ b/lib/challenge.go
@@ -25,12 +25,17 @@ type ChallengeInformation struct {
 	IssuedAt  *jwt.NumericDate `json:"iat,omitempty"`
 }
 
-func getRequestAddress(r *http.Request) net.IP {
-	//TODO: verified upstream
-	ipStr := r.Header.Get("X-Real-Ip")
-	if ipStr == "" {
-		ipStr = strings.Split(r.Header.Get("X-Forwarded-For"), ",")[0]
+func getRequestAddress(r *http.Request, clientHeader string) net.IP {
+	var ipStr string
+	if clientHeader != "" {
+		ipStr = r.Header.Get(clientHeader)
 	}
+	if ipStr != "" {
+		// handle X-Forwarded-For
+		ipStr = strings.Split(ipStr, ",")[0]
+	}
+
+	// fallback
 	if ipStr == "" {
 		parts := strings.Split(r.RemoteAddr, ":")
 		// drop port
@@ -44,7 +49,7 @@ func (state *State) GetChallengeKeyForRequest(name string, until time.Time, r *h
 	hasher.Write([]byte("challenge\x00"))
 	hasher.Write([]byte(name))
 	hasher.Write([]byte{0})
-	hasher.Write(getRequestAddress(r).To16())
+	hasher.Write(getRequestAddress(r, state.Settings.ClientIpHeader).To16())
 	hasher.Write([]byte{0})
 
 	// specific headers
diff --git a/lib/challenge/interface.go b/lib/challenge/wasm/interface/interface.go
similarity index 99%
rename from lib/challenge/interface.go
rename to lib/challenge/wasm/interface/interface.go
index bdd4b14..4630ca6 100644
--- a/lib/challenge/interface.go
+++ b/lib/challenge/wasm/interface/interface.go
@@ -1,4 +1,4 @@
-package challenge
+package _interface
 
 import (
 	"encoding/json"
diff --git a/lib/challenge/wasm/interface/interface_generic.go b/lib/challenge/wasm/interface/interface_generic.go
new file mode 100644
index 0000000..a43ef83
--- /dev/null
+++ b/lib/challenge/wasm/interface/interface_generic.go
@@ -0,0 +1,10 @@
+//go:build !tinygo || !wasip1
+
+package _interface
+
+func PtrToBytes(ptr uint32, size uint32) []byte   { panic("not implemented") }
+func BytesToPtr(s []byte) (uint32, uint32)        { panic("not implemented") }
+func BytesToLeakedPtr(s []byte) (uint32, uint32)  { panic("not implemented") }
+func PtrToString(ptr uint32, size uint32) string  { panic("not implemented") }
+func StringToPtr(s string) (uint32, uint32)       { panic("not implemented") }
+func StringToLeakedPtr(s string) (uint32, uint32) { panic("not implemented") }
diff --git a/lib/challenge/utils_tinygo.go b/lib/challenge/wasm/interface/interface_tinygo.go
similarity index 99%
rename from lib/challenge/utils_tinygo.go
rename to lib/challenge/wasm/interface/interface_tinygo.go
index f75ffa5..82546de 100644
--- a/lib/challenge/utils_tinygo.go
+++ b/lib/challenge/wasm/interface/interface_tinygo.go
@@ -1,6 +1,6 @@
 //go:build tinygo
 
-package challenge
+package _interface
 
 // #include <stdlib.h>
 import "C"
diff --git a/lib/challenge/utils_generic.go b/lib/challenge/wasm/runner.go
similarity index 57%
rename from lib/challenge/utils_generic.go
rename to lib/challenge/wasm/runner.go
index eac9ee4..7c74fae 100644
--- a/lib/challenge/utils_generic.go
+++ b/lib/challenge/wasm/runner.go
@@ -1,10 +1,7 @@
-//go:build !tinygo || !wasip1
-
-package challenge
+package wasm
 
 import (
 	"context"
-	"encoding/json"
 	"errors"
 	"fmt"
 	"github.com/tetratelabs/wazero"
@@ -123,73 +120,3 @@ func (r *Runner) Instantiate(key string, f func(ctx context.Context, mod api.Mod
 
 	return f(r.context, mod)
 }
-
-func MakeChallengeCall(ctx context.Context, mod api.Module, in MakeChallengeInput) (*MakeChallengeOutput, error) {
-	makeChallengeFunc := mod.ExportedFunction("MakeChallenge")
-	malloc := mod.ExportedFunction("malloc")
-	free := mod.ExportedFunction("free")
-
-	inData, err := json.Marshal(in)
-	if err != nil {
-		return nil, err
-	}
-
-	mallocResult, err := malloc.Call(ctx, uint64(len(inData)))
-	if err != nil {
-		return nil, err
-	}
-	defer free.Call(ctx, mallocResult[0])
-	if !mod.Memory().Write(uint32(mallocResult[0]), inData) {
-		return nil, errors.New("could not write memory")
-	}
-	result, err := makeChallengeFunc.Call(ctx, uint64(NewAllocation(uint32(mallocResult[0]), uint32(len(inData)))))
-	if err != nil {
-		return nil, err
-	}
-	resultPtr := Allocation(result[0])
-	outData, ok := mod.Memory().Read(resultPtr.Pointer(), resultPtr.Size())
-	if !ok {
-		return nil, errors.New("could not read result")
-	}
-	defer free.Call(ctx, uint64(resultPtr.Pointer()))
-
-	var out MakeChallengeOutput
-	err = json.Unmarshal(outData, &out)
-	if err != nil {
-		return nil, err
-	}
-	return &out, nil
-}
-
-func VerifyChallengeCall(ctx context.Context, mod api.Module, in VerifyChallengeInput) (VerifyChallengeOutput, error) {
-	verifyChallengeFunc := mod.ExportedFunction("VerifyChallenge")
-	malloc := mod.ExportedFunction("malloc")
-	free := mod.ExportedFunction("free")
-
-	inData, err := json.Marshal(in)
-	if err != nil {
-		return VerifyChallengeOutputError, err
-	}
-
-	mallocResult, err := malloc.Call(ctx, uint64(len(inData)))
-	if err != nil {
-		return VerifyChallengeOutputError, err
-	}
-	defer free.Call(ctx, mallocResult[0])
-	if !mod.Memory().Write(uint32(mallocResult[0]), inData) {
-		return VerifyChallengeOutputError, errors.New("could not write memory")
-	}
-	result, err := verifyChallengeFunc.Call(ctx, uint64(NewAllocation(uint32(mallocResult[0]), uint32(len(inData)))))
-	if err != nil {
-		return VerifyChallengeOutputError, err
-	}
-
-	return VerifyChallengeOutput(result[0]), nil
-}
-
-func PtrToBytes(ptr uint32, size uint32) []byte   { panic("not implemented") }
-func BytesToPtr(s []byte) (uint32, uint32)        { panic("not implemented") }
-func BytesToLeakedPtr(s []byte) (uint32, uint32)  { panic("not implemented") }
-func PtrToString(ptr uint32, size uint32) string  { panic("not implemented") }
-func StringToPtr(s string) (uint32, uint32)       { panic("not implemented") }
-func StringToLeakedPtr(s string) (uint32, uint32) { panic("not implemented") }
diff --git a/lib/challenge/wasm/utils.go b/lib/challenge/wasm/utils.go
new file mode 100644
index 0000000..b9482b7
--- /dev/null
+++ b/lib/challenge/wasm/utils.go
@@ -0,0 +1,72 @@
+package wasm
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"git.gammaspectra.live/git/go-away/lib/challenge/wasm/interface"
+	"github.com/tetratelabs/wazero/api"
+)
+
+func MakeChallengeCall(ctx context.Context, mod api.Module, in _interface.MakeChallengeInput) (*_interface.MakeChallengeOutput, error) {
+	makeChallengeFunc := mod.ExportedFunction("MakeChallenge")
+	malloc := mod.ExportedFunction("malloc")
+	free := mod.ExportedFunction("free")
+
+	inData, err := json.Marshal(in)
+	if err != nil {
+		return nil, err
+	}
+
+	mallocResult, err := malloc.Call(ctx, uint64(len(inData)))
+	if err != nil {
+		return nil, err
+	}
+	defer free.Call(ctx, mallocResult[0])
+	if !mod.Memory().Write(uint32(mallocResult[0]), inData) {
+		return nil, errors.New("could not write memory")
+	}
+	result, err := makeChallengeFunc.Call(ctx, uint64(_interface.NewAllocation(uint32(mallocResult[0]), uint32(len(inData)))))
+	if err != nil {
+		return nil, err
+	}
+	resultPtr := _interface.Allocation(result[0])
+	outData, ok := mod.Memory().Read(resultPtr.Pointer(), resultPtr.Size())
+	if !ok {
+		return nil, errors.New("could not read result")
+	}
+	defer free.Call(ctx, uint64(resultPtr.Pointer()))
+
+	var out _interface.MakeChallengeOutput
+	err = json.Unmarshal(outData, &out)
+	if err != nil {
+		return nil, err
+	}
+	return &out, nil
+}
+
+func VerifyChallengeCall(ctx context.Context, mod api.Module, in _interface.VerifyChallengeInput) (_interface.VerifyChallengeOutput, error) {
+	verifyChallengeFunc := mod.ExportedFunction("VerifyChallenge")
+	malloc := mod.ExportedFunction("malloc")
+	free := mod.ExportedFunction("free")
+
+	inData, err := json.Marshal(in)
+	if err != nil {
+		return _interface.VerifyChallengeOutputError, err
+	}
+
+	mallocResult, err := malloc.Call(ctx, uint64(len(inData)))
+	if err != nil {
+		return _interface.VerifyChallengeOutputError, err
+	}
+	defer free.Call(ctx, mallocResult[0])
+	if !mod.Memory().Write(uint32(mallocResult[0]), inData) {
+		return _interface.VerifyChallengeOutputError, errors.New("could not write memory")
+	}
+	result, err := verifyChallengeFunc.Call(ctx, uint64(_interface.NewAllocation(uint32(mallocResult[0]), uint32(len(inData)))))
+	if err != nil {
+		return _interface.VerifyChallengeOutputError, err
+	}
+
+	return _interface.VerifyChallengeOutput(result[0]), nil
+}
diff --git a/lib/http.go b/lib/http.go
index edc08e2..2fc9cf2 100644
--- a/lib/http.go
+++ b/lib/http.go
@@ -125,10 +125,10 @@ func (state *State) addTiming(w http.ResponseWriter, name, desc string, duration
 	}
 }
 
-func GetLoggerForRequest(r *http.Request) *slog.Logger {
+func GetLoggerForRequest(r *http.Request, clientHeader string) *slog.Logger {
 	return slog.With(
 		"request_id", r.Header.Get("X-Away-Id"),
-		"remote_address", getRequestAddress(r),
+		"remote_address", getRequestAddress(r, clientHeader),
 		"user_agent", r.UserAgent(),
 		"host", r.Host,
 		"path", r.URL.Path,
@@ -136,6 +136,10 @@ func GetLoggerForRequest(r *http.Request) *slog.Logger {
 	)
 }
 
+func (state *State) logger(r *http.Request) *slog.Logger {
+	return GetLoggerForRequest(r, state.Settings.ClientIpHeader)
+}
+
 func (state *State) handleRequest(w http.ResponseWriter, r *http.Request) {
 	host := r.Host
 
@@ -145,7 +149,7 @@ func (state *State) handleRequest(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	lg := GetLoggerForRequest(r)
+	lg := state.logger(r)
 
 	start := time.Now()
 
@@ -153,7 +157,7 @@ func (state *State) handleRequest(w http.ResponseWriter, r *http.Request) {
 	env := map[string]any{
 		"host":          host,
 		"method":        r.Method,
-		"remoteAddress": getRequestAddress(r),
+		"remoteAddress": getRequestAddress(r, state.Settings.ClientIpHeader),
 		"userAgent":     r.UserAgent(),
 		"path":          r.URL.Path,
 		"query": func() map[string]string {
@@ -259,7 +263,7 @@ func (state *State) handleRequest(w http.ResponseWriter, r *http.Request) {
 								if rule.Action == policy.RuleActionCHECK {
 									goto nextRule
 								}
-								GetLoggerForRequest(r).Warn("challenge passed", "rule", rule.Name, "rule_hash", rule.Hash, "challenge", challengeName)
+								state.logger(r).Warn("challenge passed", "rule", rule.Name, "rule_hash", rule.Hash, "challenge", challengeName)
 
 								// we pass the challenge early!
 								r.Header.Set(fmt.Sprintf("X-Away-Challenge-%s-Verify", challengeName), "PASS")
@@ -374,15 +378,15 @@ func (state *State) setupRoutes() error {
 					state.addTiming(w, "challenge-verify", "Verify client challenge", time.Since(start))
 
 					if err != nil {
-						GetLoggerForRequest(r).Error(fmt.Errorf("challenge error: %w", err).Error(), "challenge", challengeName, "redirect", r.FormValue("redirect"))
+						state.logger(r).Error(fmt.Errorf("challenge error: %w", err).Error(), "challenge", challengeName, "redirect", r.FormValue("redirect"))
 						return err
 					} else if !ok {
-						GetLoggerForRequest(r).Warn("challenge failed", "challenge", challengeName, "redirect", r.FormValue("redirect"))
+						state.logger(r).Warn("challenge failed", "challenge", challengeName, "redirect", r.FormValue("redirect"))
 						ClearCookie(CookiePrefix+challengeName, w)
 						_ = state.errorPage(w, r.Header.Get("X-Away-Id"), http.StatusForbidden, fmt.Errorf("access denied: failed challenge %s", challengeName))
 						return nil
 					}
-					GetLoggerForRequest(r).Info("challenge passed", "challenge", challengeName, "redirect", r.FormValue("redirect"))
+					state.logger(r).Info("challenge passed", "challenge", challengeName, "redirect", r.FormValue("redirect"))
 
 					token, err := state.IssueChallengeToken(challengeName, key, []byte(result), expiry)
 					if err != nil {
diff --git a/lib/state.go b/lib/state.go
index 1f69158..72818a7 100644
--- a/lib/state.go
+++ b/lib/state.go
@@ -12,7 +12,8 @@ import (
 	"errors"
 	"fmt"
 	"git.gammaspectra.live/git/go-away/embed"
-	"git.gammaspectra.live/git/go-away/lib/challenge"
+	"git.gammaspectra.live/git/go-away/lib/challenge/wasm"
+	"git.gammaspectra.live/git/go-away/lib/challenge/wasm/interface"
 	"git.gammaspectra.live/git/go-away/lib/condition"
 	"git.gammaspectra.live/git/go-away/lib/policy"
 	"git.gammaspectra.live/git/go-away/utils/inline"
@@ -44,7 +45,7 @@ type State struct {
 
 	Networks map[string]cidranger.Ranger
 
-	Wasm *challenge.Runner
+	Wasm *wasm.Runner
 
 	Challenges map[string]ChallengeState
 
@@ -101,6 +102,7 @@ type StateSettings struct {
 	PackageName            string
 	ChallengeTemplate      string
 	ChallengeTemplateTheme string
+	ClientIpHeader         string
 }
 
 func NewState(p policy.Policy, settings StateSettings) (state *State, err error) {
@@ -118,7 +120,7 @@ func NewState(p policy.Policy, settings StateSettings) (state *State, err error)
 		if proxy, ok := backend.(*httputil.ReverseProxy); ok {
 			if proxy.ErrorHandler == nil {
 				proxy.ErrorHandler = func(w http.ResponseWriter, r *http.Request, err error) {
-					GetLoggerForRequest(r).Error(err.Error())
+					state.logger(r).Error(err.Error())
 					_ = state.errorPage(w, r.Header.Get("X-Away-Id"), http.StatusBadGateway, err)
 				}
 			}
@@ -186,7 +188,7 @@ func NewState(p policy.Policy, settings StateSettings) (state *State, err error)
 		state.Networks[k] = ranger
 	}
 
-	state.Wasm = challenge.NewRunner(true)
+	state.Wasm = wasm.NewRunner(true)
 
 	state.Challenges = make(map[string]ChallengeState)
 
@@ -429,12 +431,12 @@ func NewState(p policy.Policy, settings StateSettings) (state *State, err error)
 					if ok, err := c.Verify(key, result); err != nil {
 						return err
 					} else if !ok {
-						GetLoggerForRequest(r).Warn("challenge failed", "challenge", challengeName, "redirect", r.FormValue("redirect"))
+						state.logger(r).Warn("challenge failed", "challenge", challengeName, "redirect", r.FormValue("redirect"))
 						ClearCookie(CookiePrefix+challengeName, w)
 						_ = state.errorPage(w, r.Header.Get("X-Away-Id"), http.StatusForbidden, fmt.Errorf("access denied: failed challenge %s", challengeName))
 						return nil
 					}
-					GetLoggerForRequest(r).Warn("challenge passed", "challenge", challengeName, "redirect", r.FormValue("redirect"))
+					state.logger(r).Warn("challenge passed", "challenge", challengeName, "redirect", r.FormValue("redirect"))
 
 					token, err := state.IssueChallengeToken(challengeName, key, []byte(result), expiry)
 					if err != nil {
@@ -476,7 +478,7 @@ func NewState(p policy.Policy, settings StateSettings) (state *State, err error)
 			c.MakeChallenge = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 				err := state.Wasm.Instantiate(challengeName, func(ctx context.Context, mod api.Module) (err error) {
 
-					in := challenge.MakeChallengeInput{
+					in := _interface.MakeChallengeInput{
 						Key:        state.GetChallengeKeyForRequest(challengeName, time.Now().UTC().Add(DefaultValidity).Round(DefaultValidity), r),
 						Parameters: p.Parameters,
 						Headers:    inline.MIMEHeader(r.Header),
@@ -486,7 +488,7 @@ func NewState(p policy.Policy, settings StateSettings) (state *State, err error)
 						return err
 					}
 
-					out, err := challenge.MakeChallengeCall(ctx, mod, in)
+					out, err := wasm.MakeChallengeCall(ctx, mod, in)
 					if err != nil {
 						return err
 					}
@@ -508,21 +510,21 @@ func NewState(p policy.Policy, settings StateSettings) (state *State, err error)
 
 			c.Verify = func(key []byte, result string) (ok bool, err error) {
 				err = state.Wasm.Instantiate(challengeName, func(ctx context.Context, mod api.Module) (err error) {
-					in := challenge.VerifyChallengeInput{
+					in := _interface.VerifyChallengeInput{
 						Key:        key,
 						Parameters: p.Parameters,
 						Result:     []byte(result),
 					}
 
-					out, err := challenge.VerifyChallengeCall(ctx, mod, in)
+					out, err := wasm.VerifyChallengeCall(ctx, mod, in)
 					if err != nil {
 						return err
 					}
 
-					if out == challenge.VerifyChallengeOutputError {
+					if out == _interface.VerifyChallengeOutputError {
 						return errors.New("error checking challenge")
 					}
-					ok = out == challenge.VerifyChallengeOutputOK
+					ok = out == _interface.VerifyChallengeOutputOK
 					return nil
 				})
 				if err != nil {