From f68f34980aa710530fdbe85fe659281548c617e2 Mon Sep 17 00:00:00 2001
From: dyzulk <66510723+dyzulk@users.noreply.github.com>
Date: Tue, 30 Dec 2025 12:11:01 +0700
Subject: [PATCH] First commit
---
.editorconfig | 18 +
.env.example | 112 +
.env.production.example | 112 +
.gitattributes | 11 +
.gitignore | 27 +
README.md | 41 +
.../Commands/NotifyCertificateExpirations.php | 84 +
app/Helpers/UuidHelper.php | 18 +
.../Api/Admin/LegalPageController.php | 178 +
app/Http/Controllers/Api/ApiKeyController.php | 106 +
.../Api/CertificateApiController.php | 241 +
.../Controllers/Api/DashboardController.php | 160 +
.../Controllers/Api/InquiryController.php | 118 +
.../Controllers/Api/LegalPageController.php | 42 +
app/Http/Controllers/Api/MailController.php | 64 +
.../Api/NotificationController.php | 70 +
.../Api/PasswordResetController.php | 96 +
.../Controllers/Api/ProfileController.php | 356 +
.../Controllers/Api/PublicCaController.php | 171 +
.../Controllers/Api/RootCaApiController.php | 69 +
app/Http/Controllers/Api/TicketController.php | 241 +
.../Controllers/Api/UserApiController.php | 157 +
.../Api/VerificationController.php | 62 +
app/Http/Controllers/AuthController.php | 377 +
app/Http/Controllers/Controller.php | 8 +
app/Http/Controllers/NavigationController.php | 161 +
app/Http/Controllers/ServiceController.php | 35 +
app/Http/Controllers/TwoFactorController.php | 195 +
app/Http/Middleware/AdminMiddleware.php | 24 +
app/Http/Middleware/CheckApiKey.php | 57 +
app/Mail/CertificateExpiredMail.php | 55 +
app/Mail/CertificateExpiringMail.php | 57 +
app/Mail/InquiryReplyMail.php | 55 +
app/Mail/TestMail.php | 57 +
app/Models/ActivityLog.php | 36 +
app/Models/ApiKey.php | 55 +
app/Models/CaCertificate.php | 42 +
app/Models/Certificate.php | 82 +
app/Models/Inquiry.php | 38 +
app/Models/LegalPage.php | 32 +
app/Models/LegalPageRevision.php | 35 +
app/Models/LoginHistory.php | 41 +
app/Models/SocialAccount.php | 40 +
app/Models/Ticket.php | 45 +
app/Models/TicketAttachment.php | 25 +
app/Models/TicketReply.php | 40 +
app/Models/User.php | 189 +
.../CertificateExpiringNotification.php | 68 +
app/Notifications/CertificateNotification.php | 76 +
app/Notifications/NewInquiryNotification.php | 82 +
app/Notifications/NewTicketNotification.php | 85 +
.../PendingEmailVerificationNotification.php | 50 +
app/Notifications/TicketReplyNotification.php | 96 +
app/Notifications/VerifyEmailNotification.php | 28 +
app/Providers/AppServiceProvider.php | 24 +
app/Services/OpenSslService.php | 407 +
app/Traits/CanTrackLogin.php | 118 +
app/Traits/LogsActivity.php | 23 +
artisan | 18 +
banner.png | Bin 0 -> 166542 bytes
bootstrap/app.php | 24 +
bootstrap/cache/.gitignore | 2 +
bootstrap/providers.php | 5 +
composer.json | 97 +
composer.lock | 10812 ++++++++++++++++
config/app.php | 128 +
config/auth.php | 115 +
config/broadcasting.php | 82 +
config/cache.php | 117 +
config/cors.php | 36 +
config/database.php | 183 +
config/filesystems.php | 93 +
config/logging.php | 132 +
config/mail.php | 133 +
config/openssl.php | 29 +
config/queue.php | 129 +
config/reverb.php | 95 +
config/sanctum.php | 90 +
config/services.php | 55 +
config/session.php | 220 +
database/.gitignore | 1 +
database/factories/UserFactory.php | 48 +
.../0001_01_01_000000_create_users_table.php | 78 +
.../0001_01_01_000001_create_cache_table.php | 35 +
.../0001_01_01_000002_create_jobs_table.php | 57 +
...025_12_23_000000_create_api_keys_table.php | 32 +
...09_create_personal_access_tokens_table.php | 35 +
...12_23_123907_create_certificates_table.php | 43 +
...23_123913_create_ca_certificates_table.php | 39 +
...23_202750_create_login_histories_table.php | 37 +
...25_12_23_234051_create_inquiries_table.php | 34 +
...2_23_235609_create_notifications_table.php | 31 +
...12_24_000001_create_legal_pages_tables.php | 51 +
...025_12_24_001231_create_tickets_tables.php | 43 +
...004303_create_ticket_attachments_table.php | 32 +
...27_080201_create_social_accounts_table.php | 37 +
...2_27_113948_create_activity_logs_table.php | 32 +
...81926_add_pending_email_to_users_table.php | 28 +
database/seeders/DatabaseSeeder.php | 51 +
.../vendor/cloudflare-turnstile/ar/errors.php | 12 +
.../vendor/cloudflare-turnstile/en/errors.php | 12 +
package-lock.json | 2573 ++++
package.json | 19 +
phpunit.xml | 35 +
public/.htaccess | 25 +
public/favicon.ico | Bin 0 -> 178553 bytes
public/images/logo/auth-logo.png | Bin 0 -> 5108 bytes
public/images/logo/auth-logo.svg | 41 +
public/images/logo/logo-dark.png | Bin 0 -> 3149 bytes
public/images/logo/logo-dark.svg | 41 +
public/images/logo/logo-icon.png | Bin 0 -> 1541 bytes
public/images/logo/logo-icon.svg | 32 +
public/images/logo/logo.png | Bin 0 -> 3316 bytes
public/images/logo/logo.svg | 41 +
public/index.php | 20 +
public/robots.txt | 2 +
public/test-api.php | 10 +
resources/css/app.css | 11 +
resources/js/app.js | 1 +
resources/js/bootstrap.js | 12 +
resources/js/echo.js | 14 +
.../emails/certificate-expired.blade.php | 26 +
.../emails/certificate-expiring.blade.php | 31 +
.../views/emails/inquiry_reply.blade.php | 84 +
.../views/emails/password-reset.blade.php | 90 +
resources/views/emails/test.blade.php | 110 +
resources/views/emails/verify-email.blade.php | 89 +
.../vendor/cloudflare-turnstile/.gitkeep | 0
.../components/scripts.blade.php | 1 +
.../components/turnstile.blade.php | 45 +
resources/views/welcome.blade.php | 277 +
routes/api.php | 126 +
routes/channels.php | 7 +
routes/console.php | 11 +
routes/web.php | 42 +
storage/app/.gitignore | 4 +
storage/app/private/.gitignore | 2 +
storage/app/public/.gitignore | 2 +
storage/framework/.gitignore | 9 +
storage/framework/cache/.gitignore | 3 +
storage/framework/cache/data/.gitignore | 2 +
storage/framework/sessions/.gitignore | 2 +
storage/framework/testing/.gitignore | 2 +
storage/framework/views/.gitignore | 2 +
storage/logs/.gitignore | 2 +
tests/Feature/ExampleTest.php | 19 +
tests/Feature/InquiryNotificationTest.php | 53 +
tests/TestCase.php | 10 +
tests/Unit/ExampleTest.php | 16 +
vite.config.js | 18 +
150 files changed, 22717 insertions(+)
create mode 100644 .editorconfig
create mode 100644 .env.example
create mode 100644 .env.production.example
create mode 100644 .gitattributes
create mode 100644 .gitignore
create mode 100644 README.md
create mode 100644 app/Console/Commands/NotifyCertificateExpirations.php
create mode 100644 app/Helpers/UuidHelper.php
create mode 100644 app/Http/Controllers/Api/Admin/LegalPageController.php
create mode 100644 app/Http/Controllers/Api/ApiKeyController.php
create mode 100644 app/Http/Controllers/Api/CertificateApiController.php
create mode 100644 app/Http/Controllers/Api/DashboardController.php
create mode 100644 app/Http/Controllers/Api/InquiryController.php
create mode 100644 app/Http/Controllers/Api/LegalPageController.php
create mode 100644 app/Http/Controllers/Api/MailController.php
create mode 100644 app/Http/Controllers/Api/NotificationController.php
create mode 100644 app/Http/Controllers/Api/PasswordResetController.php
create mode 100644 app/Http/Controllers/Api/ProfileController.php
create mode 100644 app/Http/Controllers/Api/PublicCaController.php
create mode 100644 app/Http/Controllers/Api/RootCaApiController.php
create mode 100644 app/Http/Controllers/Api/TicketController.php
create mode 100644 app/Http/Controllers/Api/UserApiController.php
create mode 100644 app/Http/Controllers/Api/VerificationController.php
create mode 100644 app/Http/Controllers/AuthController.php
create mode 100644 app/Http/Controllers/Controller.php
create mode 100644 app/Http/Controllers/NavigationController.php
create mode 100644 app/Http/Controllers/ServiceController.php
create mode 100644 app/Http/Controllers/TwoFactorController.php
create mode 100644 app/Http/Middleware/AdminMiddleware.php
create mode 100644 app/Http/Middleware/CheckApiKey.php
create mode 100644 app/Mail/CertificateExpiredMail.php
create mode 100644 app/Mail/CertificateExpiringMail.php
create mode 100644 app/Mail/InquiryReplyMail.php
create mode 100644 app/Mail/TestMail.php
create mode 100644 app/Models/ActivityLog.php
create mode 100644 app/Models/ApiKey.php
create mode 100644 app/Models/CaCertificate.php
create mode 100644 app/Models/Certificate.php
create mode 100644 app/Models/Inquiry.php
create mode 100644 app/Models/LegalPage.php
create mode 100644 app/Models/LegalPageRevision.php
create mode 100644 app/Models/LoginHistory.php
create mode 100644 app/Models/SocialAccount.php
create mode 100644 app/Models/Ticket.php
create mode 100644 app/Models/TicketAttachment.php
create mode 100644 app/Models/TicketReply.php
create mode 100644 app/Models/User.php
create mode 100644 app/Notifications/CertificateExpiringNotification.php
create mode 100644 app/Notifications/CertificateNotification.php
create mode 100644 app/Notifications/NewInquiryNotification.php
create mode 100644 app/Notifications/NewTicketNotification.php
create mode 100644 app/Notifications/PendingEmailVerificationNotification.php
create mode 100644 app/Notifications/TicketReplyNotification.php
create mode 100644 app/Notifications/VerifyEmailNotification.php
create mode 100644 app/Providers/AppServiceProvider.php
create mode 100644 app/Services/OpenSslService.php
create mode 100644 app/Traits/CanTrackLogin.php
create mode 100644 app/Traits/LogsActivity.php
create mode 100644 artisan
create mode 100644 banner.png
create mode 100644 bootstrap/app.php
create mode 100644 bootstrap/cache/.gitignore
create mode 100644 bootstrap/providers.php
create mode 100644 composer.json
create mode 100644 composer.lock
create mode 100644 config/app.php
create mode 100644 config/auth.php
create mode 100644 config/broadcasting.php
create mode 100644 config/cache.php
create mode 100644 config/cors.php
create mode 100644 config/database.php
create mode 100644 config/filesystems.php
create mode 100644 config/logging.php
create mode 100644 config/mail.php
create mode 100644 config/openssl.php
create mode 100644 config/queue.php
create mode 100644 config/reverb.php
create mode 100644 config/sanctum.php
create mode 100644 config/services.php
create mode 100644 config/session.php
create mode 100644 database/.gitignore
create mode 100644 database/factories/UserFactory.php
create mode 100644 database/migrations/0001_01_01_000000_create_users_table.php
create mode 100644 database/migrations/0001_01_01_000001_create_cache_table.php
create mode 100644 database/migrations/0001_01_01_000002_create_jobs_table.php
create mode 100644 database/migrations/2025_12_23_000000_create_api_keys_table.php
create mode 100644 database/migrations/2025_12_23_061409_create_personal_access_tokens_table.php
create mode 100644 database/migrations/2025_12_23_123907_create_certificates_table.php
create mode 100644 database/migrations/2025_12_23_123913_create_ca_certificates_table.php
create mode 100644 database/migrations/2025_12_23_202750_create_login_histories_table.php
create mode 100644 database/migrations/2025_12_23_234051_create_inquiries_table.php
create mode 100644 database/migrations/2025_12_23_235609_create_notifications_table.php
create mode 100644 database/migrations/2025_12_24_000001_create_legal_pages_tables.php
create mode 100644 database/migrations/2025_12_24_001231_create_tickets_tables.php
create mode 100644 database/migrations/2025_12_24_004303_create_ticket_attachments_table.php
create mode 100644 database/migrations/2025_12_27_080201_create_social_accounts_table.php
create mode 100644 database/migrations/2025_12_27_113948_create_activity_logs_table.php
create mode 100644 database/migrations/2025_12_30_081926_add_pending_email_to_users_table.php
create mode 100644 database/seeders/DatabaseSeeder.php
create mode 100644 lang/vendor/cloudflare-turnstile/ar/errors.php
create mode 100644 lang/vendor/cloudflare-turnstile/en/errors.php
create mode 100644 package-lock.json
create mode 100644 package.json
create mode 100644 phpunit.xml
create mode 100644 public/.htaccess
create mode 100644 public/favicon.ico
create mode 100644 public/images/logo/auth-logo.png
create mode 100644 public/images/logo/auth-logo.svg
create mode 100644 public/images/logo/logo-dark.png
create mode 100644 public/images/logo/logo-dark.svg
create mode 100644 public/images/logo/logo-icon.png
create mode 100644 public/images/logo/logo-icon.svg
create mode 100644 public/images/logo/logo.png
create mode 100644 public/images/logo/logo.svg
create mode 100644 public/index.php
create mode 100644 public/robots.txt
create mode 100644 public/test-api.php
create mode 100644 resources/css/app.css
create mode 100644 resources/js/app.js
create mode 100644 resources/js/bootstrap.js
create mode 100644 resources/js/echo.js
create mode 100644 resources/views/emails/certificate-expired.blade.php
create mode 100644 resources/views/emails/certificate-expiring.blade.php
create mode 100644 resources/views/emails/inquiry_reply.blade.php
create mode 100644 resources/views/emails/password-reset.blade.php
create mode 100644 resources/views/emails/test.blade.php
create mode 100644 resources/views/emails/verify-email.blade.php
create mode 100644 resources/views/vendor/cloudflare-turnstile/.gitkeep
create mode 100644 resources/views/vendor/cloudflare-turnstile/components/scripts.blade.php
create mode 100644 resources/views/vendor/cloudflare-turnstile/components/turnstile.blade.php
create mode 100644 resources/views/welcome.blade.php
create mode 100644 routes/api.php
create mode 100644 routes/channels.php
create mode 100644 routes/console.php
create mode 100644 routes/web.php
create mode 100644 storage/app/.gitignore
create mode 100644 storage/app/private/.gitignore
create mode 100644 storage/app/public/.gitignore
create mode 100644 storage/framework/.gitignore
create mode 100644 storage/framework/cache/.gitignore
create mode 100644 storage/framework/cache/data/.gitignore
create mode 100644 storage/framework/sessions/.gitignore
create mode 100644 storage/framework/testing/.gitignore
create mode 100644 storage/framework/views/.gitignore
create mode 100644 storage/logs/.gitignore
create mode 100644 tests/Feature/ExampleTest.php
create mode 100644 tests/Feature/InquiryNotificationTest.php
create mode 100644 tests/TestCase.php
create mode 100644 tests/Unit/ExampleTest.php
create mode 100644 vite.config.js
diff --git a/.editorconfig b/.editorconfig
new file mode 100644
index 0000000..a186cd2
--- /dev/null
+++ b/.editorconfig
@@ -0,0 +1,18 @@
+root = true
+
+[*]
+charset = utf-8
+end_of_line = lf
+indent_size = 4
+indent_style = space
+insert_final_newline = true
+trim_trailing_whitespace = true
+
+[*.md]
+trim_trailing_whitespace = false
+
+[*.{yml,yaml}]
+indent_size = 2
+
+[compose.yaml]
+indent_size = 4
diff --git a/.env.example b/.env.example
new file mode 100644
index 0000000..11a4e91
--- /dev/null
+++ b/.env.example
@@ -0,0 +1,112 @@
+APP_NAME=TrustLab
+APP_ENV=local
+APP_KEY=
+APP_DEBUG=true
+APP_URL=http://localhost:8000
+
+APP_LOCALE=en
+APP_FALLBACK_LOCALE=en
+APP_FAKER_LOCALE=en_US
+
+APP_MAINTENANCE_DRIVER=file
+# APP_MAINTENANCE_STORE=database
+
+# PHP_CLI_SERVER_WORKERS=4
+
+BCRYPT_ROUNDS=12
+
+LOG_CHANNEL=stack
+LOG_STACK=single
+LOG_DEPRECATIONS_CHANNEL=null
+LOG_LEVEL=debug
+
+DB_CONNECTION=sqlite
+# DB_HOST=127.0.0.1
+# DB_PORT=3306
+# DB_DATABASE=laravel
+# DB_USERNAME=root
+# DB_PASSWORD=
+
+SESSION_DRIVER=database
+SESSION_LIFETIME=120
+SESSION_ENCRYPT=false
+SESSION_PATH=/
+SESSION_DOMAIN=localhost
+
+SANCTUM_STATEFUL_DOMAINS=localhost:3000,127.0.0.1:3000,trustlab.dyzulk.com,trustlab.pages.dev
+
+BROADCAST_CONNECTION=reverb
+FILESYSTEM_DISK=local
+QUEUE_CONNECTION=database
+
+CACHE_STORE=database
+# CACHE_PREFIX=
+
+MEMCACHED_HOST=127.0.0.1
+
+REDIS_CLIENT=phpredis
+REDIS_HOST=127.0.0.1
+REDIS_PASSWORD=null
+REDIS_PORT=6379
+
+MAIL_MAILER=smtp
+MAIL_HOST=lab.dyzulk.com
+MAIL_PORT=587
+MAIL_USERNAME=noreply@lab.dyzulk.com
+MAIL_PASSWORD=
+MAIL_ENCRYPTION=tls
+MAIL_FROM_ADDRESS="noreply@lab.dyzulk.com"
+MAIL_FROM_NAME="${APP_NAME}"
+
+MAIL_SUPPORT_MAILER=smtp
+MAIL_SUPPORT_HOST=lab.dyzulk.com
+MAIL_SUPPORT_PORT=587
+MAIL_SUPPORT_USERNAME=support@lab.dyzulk.com
+MAIL_SUPPORT_PASSWORD=
+MAIL_SUPPORT_ENCRYPTION=tls
+MAIL_SUPPORT_FROM_ADDRESS="support@lab.dyzulk.com"
+MAIL_SUPPORT_FROM_NAME="${APP_NAME} Support"
+
+AWS_ACCESS_KEY_ID=
+AWS_SECRET_ACCESS_KEY=
+AWS_DEFAULT_REGION=us-east-1
+AWS_BUCKET=
+AWS_USE_PATH_STYLE_ENDPOINT=false
+
+VITE_APP_NAME="${APP_NAME}"
+
+FRONTEND_URL=http://localhost:3000
+
+BROADCAST_CONNECTION=reverb
+
+REVERB_APP_ID=
+REVERB_APP_KEY=
+REVERB_APP_SECRET=
+REVERB_HOST="localhost"
+REVERB_PORT=8080
+REVERB_SCHEME=http
+
+VITE_REVERB_APP_KEY="${REVERB_APP_KEY}"
+VITE_REVERB_HOST="${REVERB_HOST}"
+VITE_REVERB_PORT="${REVERB_PORT}"
+VITE_REVERB_SCHEME="${REVERB_SCHEME}"
+
+GITHUB_CLIENT_ID=
+GITHUB_CLIENT_SECRET=
+GITHUB_REDIRECT_URI=${APP_URL}/api/auth/github/callback
+
+GITHUB_DEV_CLIENT_ID=
+GITHUB_DEV_CLIENT_SECRET=
+GITHUB_DEV_REDIRECT_URI=${APP_URL}/api/auth/github/callback
+
+GITHUB_PROD_CLIENT_ID=
+GITHUB_PROD_CLIENT_SECRET=
+GITHUB_PROD_REDIRECT_URI=${APP_URL}/api/auth/github/callback
+
+
+GOOGLE_CLIENT_ID=
+GOOGLE_CLIENT_SECRET=
+GOOGLE_REDIRECT_URI=${APP_URL}/api/auth/google/callback
+
+TURNSTILE_SITE_KEY=
+TURNSTILE_SECRET_KEY=
\ No newline at end of file
diff --git a/.env.production.example b/.env.production.example
new file mode 100644
index 0000000..b8f2f78
--- /dev/null
+++ b/.env.production.example
@@ -0,0 +1,112 @@
+APP_NAME=TrustLab
+APP_ENV=production
+APP_KEY=
+APP_DEBUG=false
+APP_URL=https://trustlab-api.dyzulk.com
+
+APP_LOCALE=en
+APP_FALLBACK_LOCALE=en
+APP_FAKER_LOCALE=en_US
+
+APP_MAINTENANCE_DRIVER=file
+# APP_MAINTENANCE_STORE=database
+
+# PHP_CLI_SERVER_WORKERS=4
+
+BCRYPT_ROUNDS=12
+
+LOG_CHANNEL=stack
+LOG_STACK=single
+LOG_DEPRECATIONS_CHANNEL=null
+LOG_LEVEL=error
+
+DB_CONNECTION=mysql
+DB_HOST=127.0.0.1
+DB_PORT=3306
+DB_DATABASE=trustlab
+DB_USERNAME=trustlab
+DB_PASSWORD=
+
+SESSION_DRIVER=database
+SESSION_LIFETIME=120
+SESSION_ENCRYPT=false
+SESSION_PATH=/
+SESSION_DOMAIN=.dyzulk.com
+
+SANCTUM_STATEFUL_DOMAINS=trustlab.dyzulk.com
+
+BROADCAST_CONNECTION=reverb
+FILESYSTEM_DISK=local
+QUEUE_CONNECTION=database
+
+CACHE_STORE=database
+# CACHE_PREFIX=
+
+MEMCACHED_HOST=127.0.0.1
+
+REDIS_CLIENT=phpredis
+REDIS_HOST=127.0.0.1
+REDIS_PASSWORD=null
+REDIS_PORT=6379
+
+MAIL_MAILER=smtp
+MAIL_HOST=lab.dyzulk.com
+MAIL_PORT=587
+MAIL_USERNAME=noreply@lab.dyzulk.com
+MAIL_PASSWORD=
+MAIL_ENCRYPTION=tls
+MAIL_FROM_ADDRESS="noreply@lab.dyzulk.com"
+MAIL_FROM_NAME="${APP_NAME}"
+
+MAIL_SUPPORT_MAILER=smtp
+MAIL_SUPPORT_HOST=lab.dyzulk.com
+MAIL_SUPPORT_PORT=587
+MAIL_SUPPORT_USERNAME=support@lab.dyzulk.com
+MAIL_SUPPORT_PASSWORD=
+MAIL_SUPPORT_ENCRYPTION=tls
+MAIL_SUPPORT_FROM_ADDRESS="support@lab.dyzulk.com"
+MAIL_SUPPORT_FROM_NAME="${APP_NAME} Support"
+
+AWS_ACCESS_KEY_ID=
+AWS_SECRET_ACCESS_KEY=
+AWS_DEFAULT_REGION=us-east-1
+AWS_BUCKET=
+AWS_USE_PATH_STYLE_ENDPOINT=false
+
+VITE_APP_NAME="${APP_NAME}"
+
+FRONTEND_URL=https://trustlab.dyzulk.com
+
+BROADCAST_CONNECTION=reverb
+
+REVERB_APP_ID=
+REVERB_APP_KEY=
+REVERB_APP_SECRET=
+REVERB_HOST="trustlab-api.dyzulk.com"
+REVERB_PORT=443
+REVERB_SCHEME=https
+
+VITE_REVERB_APP_KEY="${REVERB_APP_KEY}"
+VITE_REVERB_HOST="${REVERB_HOST}"
+VITE_REVERB_PORT="${REVERB_PORT}"
+VITE_REVERB_SCHEME="${REVERB_SCHEME}"
+
+GITHUB_CLIENT_ID=
+GITHUB_CLIENT_SECRET=
+GITHUB_REDIRECT_URI=${APP_URL}/api/auth/github/callback
+
+GITHUB_DEV_CLIENT_ID=
+GITHUB_DEV_CLIENT_SECRET=
+GITHUB_DEV_REDIRECT_URI=${APP_URL}/api/auth/github/callback
+
+GITHUB_PROD_CLIENT_ID=
+GITHUB_PROD_CLIENT_SECRET=
+GITHUB_PROD_REDIRECT_URI=${APP_URL}/api/auth/github/callback
+
+
+GOOGLE_CLIENT_ID=
+GOOGLE_CLIENT_SECRET=
+GOOGLE_REDIRECT_URI=${APP_URL}/api/auth/google/callback
+
+TURNSTILE_SITE_KEY=
+TURNSTILE_SECRET_KEY=
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..fcb21d3
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,11 @@
+* text=auto eol=lf
+
+*.blade.php diff=html
+*.css diff=css
+*.html diff=html
+*.md diff=markdown
+*.php diff=php
+
+/.github export-ignore
+CHANGELOG.md export-ignore
+.styleci.yml export-ignore
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..0ccd425
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,27 @@
+*.log
+.DS_Store
+.env
+.env.backup
+.env.production
+.phpactor.json
+.phpunit.result.cache
+/.fleet
+/.idea
+/.nova
+/.phpunit.cache
+/.vscode
+/.zed
+/auth.json
+/node_modules
+/public/build
+/public/hot
+/public/storage
+/storage/*.key
+/storage/pail
+/vendor
+Homestead.json
+Homestead.yaml
+Thumbs.db
+*.sql
+*.sqlite
+.env.testing
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..38f84d7
--- /dev/null
+++ b/README.md
@@ -0,0 +1,41 @@
+# TrustLab API
+
+
+
+**TrustLab API** is the robust backend engine powering the TrustLab ecosystem. Built on Laravel 12, it provides secure authentication, comprehensive role-based access control, and specialized services for CA (Certificate Authority) management and user support.
+
+## 🚀 Key Features
+
+### 🔐 Advanced Authentication & Security
+- **Multi-Guard Auth**: Powered by Laravel Sanctum for secure SPA (Single Page Application) authentication.
+- **OAuth Integration**: "Mirror Callback" system handling Social Login (Google, GitHub) via Laravel Socialite.
+- **Role Hierarchy**:
+ - `Owner` (Supreme): Full control, manages Admins and Customers.
+ - `Admin`: Manages `Customers` only. Cannot modify Owners.
+ - `Customer`: Standard user access.
+- **Email Verification**: Fully integrated verification flow with rigorous middleware protection (`verified`).
+- **Turnstile Protected**: Endpoints designed to work with frontend-only Cloudflare Turnstile gatekeeping.
+
+### 📜 Core Services
+- **Certificate Management**: Logic for handling Certificate Authority operations (CSR, Keys, Signing).
+- **Ticket System**: Complete support desk backend with attachment support and admin-user communication channels.
+- **User Management**: Administrative endpoints for managing the user lifecycle (Ban, Promote, Verify).
+- **Inquiry System**: Public contact form handling with database persistence and notification triggers.
+
+## 🛠️ Technology Stack
+
+- **Framework**: Laravel 12.x
+- **Database**: MySQL / MariaDB
+- **Authentication**: Laravel Sanctum
+- **Permissions**: `spatie/laravel-permission`
+- **Social Auth**: `laravel/socialite`
+- **Testing**: PHPUnit
+
+## 📂 Project Structure
+
+- `app/Http/Controllers/Api`: Core API logic separated by domain (Admin, User, Public).
+- `app/Models`: Eloquent models with strict typing and relationship definitions.
+- `routes/api.php`: Centralized API route definitions grouped by middleware and version (`v1`).
+
+---
+© 2024 TrustLab. All Internal Rights Reserved.
diff --git a/app/Console/Commands/NotifyCertificateExpirations.php b/app/Console/Commands/NotifyCertificateExpirations.php
new file mode 100644
index 0000000..28c2c0f
--- /dev/null
+++ b/app/Console/Commands/NotifyCertificateExpirations.php
@@ -0,0 +1,84 @@
+', $now)
+ ->where('valid_to', '<', $now->copy()->addDays(30))
+ ->with('user')
+ ->get();
+
+ foreach ($certificates as $certificate) {
+ $user = $certificate->user;
+ if (!$user || !$user->settings_certificate_renewal) {
+ continue;
+ }
+
+ $daysRemaining = $now->diffInDays($certificate->valid_to, false);
+ $daysRemaining = (int) ceil($daysRemaining); // Ensure integer
+
+ // Check if we already sent a notification TODAY for this certificate to avoid spamming
+ $alreadyNotifiedToday = $user->notifications()
+ ->where('type', 'App\Notifications\CertificateExpiringNotification')
+ ->where('data->certificate_id', $certificate->id)
+ ->where('created_at', '>=', $now->copy()->startOfDay())
+ ->exists();
+
+ if ($alreadyNotifiedToday) {
+ continue;
+ }
+
+ // Send Notification (Handles both Database/Bell and Mail channels based on days remaining)
+ $user->notify(new \App\Notifications\CertificateExpiringNotification($certificate, $daysRemaining));
+
+ $this->info("Sent notification to {$user->email} for certificate {$certificate->common_name} (Expires in {$daysRemaining} days)");
+ }
+
+ // 2. Check for ALREADY EXPIRED certificates that haven't been notified of expiration yet
+ $expiredCertificates = \App\Models\Certificate::where('valid_to', '<', $now)
+ ->whereNull('expired_notification_sent_at')
+ ->with('user')
+ ->get();
+
+ foreach ($expiredCertificates as $certificate) {
+ $user = $certificate->user;
+ if (!$user || !$user->settings_certificate_renewal) {
+ continue;
+ }
+
+ if ($user->email) {
+ \Illuminate\Support\Facades\Mail::to($user->email)->send(new \App\Mail\CertificateExpiredMail($certificate));
+
+ // Mark as notified so we don't spam
+ $certificate->update(['expired_notification_sent_at' => $now]);
+
+ $this->info("Sent EXPIRED email to {$user->email} for certificate {$certificate->common_name}");
+ }
+ }
+
+ $this->info('Certificate expiration check completed.');
+ }
+}
diff --git a/app/Helpers/UuidHelper.php b/app/Helpers/UuidHelper.php
new file mode 100644
index 0000000..efe7e8f
--- /dev/null
+++ b/app/Helpers/UuidHelper.php
@@ -0,0 +1,18 @@
+ function ($query) {
+ $query->orderBy('major', 'desc')
+ ->orderBy('minor', 'desc')
+ ->orderBy('patch', 'desc');
+ }])->get();
+ return response()->json(['data' => $pages]);
+ }
+
+ public function show($id)
+ {
+ $legalPage = LegalPage::findOrFail($id);
+
+ // Manual load latest revision
+ $latestRevision = $legalPage->revisions()
+ ->orderBy('major', 'desc')
+ ->orderBy('minor', 'desc')
+ ->orderBy('patch', 'desc')
+ ->first();
+
+ $legalPage->setRelation('latestRevision', $latestRevision);
+
+ return response()->json(['data' => $legalPage]);
+ }
+
+ public function store(Request $request)
+ {
+ $request->validate([
+ 'title' => 'required|string|max:255',
+ 'content' => 'required|string',
+ 'status' => 'required|in:draft,published',
+ ]);
+
+ $slug = Str::slug($request->title);
+
+ // Check if page exists
+ $page = LegalPage::where('slug', $slug)->first();
+
+ if ($page) {
+ // Smart Versioning: If exists, increment Major version automatically for "Create" flow
+ $maxMajor = $page->revisions()->max('major') ?? 0;
+ $major = $maxMajor + 1;
+
+ // Auto-Archive Logic: If new version is published, archive others
+ if ($request->status === 'published') {
+ $page->revisions()->where('status', 'published')->update(['status' => 'archived']);
+ }
+
+ $page->revisions()->create([
+ 'content' => $request->content,
+ 'major' => $major,
+ 'minor' => 0,
+ 'patch' => 0,
+ 'status' => $request->status,
+ 'published_at' => $request->status === 'published' ? now() : null,
+ 'change_log' => 'Created via New Page (Auto-increment Major)',
+ 'is_active' => true,
+ 'created_by' => auth()->id(),
+ ]);
+
+ return response()->json(['data' => $page, 'message' => 'New major version created for existing Legal Page'], 201);
+ } else {
+ // Create New
+ $page = LegalPage::create([
+ 'title' => $request->title,
+ 'slug' => $slug,
+ 'is_active' => true,
+ ]);
+
+ // Initial create is always 1.0.0
+ $page->revisions()->create([
+ 'content' => $request->content,
+ 'major' => 1,
+ 'minor' => 0,
+ 'patch' => 0,
+ 'status' => $request->status,
+ 'published_at' => $request->status === 'published' ? now() : null,
+ 'change_log' => 'Initial creation',
+ 'is_active' => true,
+ 'created_by' => auth()->id(),
+ ]);
+
+ return response()->json(['data' => $page, 'message' => 'Legal page created successfully'], 201);
+ }
+ }
+
+ public function update(Request $request, LegalPage $legalPage)
+ {
+ $request->validate([
+ 'title' => 'string|max:255',
+ 'content' => 'required|string',
+ 'version_type' => 'required|in:major,minor,patch', // 'major', 'minor', 'patch'
+ 'parent_major' => 'nullable|integer',
+ 'parent_minor' => 'nullable|integer',
+ 'status' => 'required|in:draft,published',
+ 'change_log' => 'nullable|string',
+ ]);
+
+ if ($request->has('title')) {
+ $legalPage->update(['title' => $request->title]);
+ }
+
+ // Calculate Version
+ $major = 0; $minor = 0; $patch = 0;
+
+ if ($request->version_type === 'major') {
+ $maxMajor = $legalPage->revisions()->max('major') ?? 0;
+ $major = $maxMajor + 1;
+ $minor = 0;
+ $patch = 0;
+ } elseif ($request->version_type === 'minor') {
+ if (!$request->parent_major) return response()->json(['message' => 'Parent Major required for Minor version'], 422);
+ $maxMinor = $legalPage->revisions()
+ ->where('major', $request->parent_major)
+ ->max('minor') ?? -1;
+ $major = $request->parent_major;
+ $minor = $maxMinor + 1;
+ $patch = 0;
+ } elseif ($request->version_type === 'patch') {
+ if (!$request->parent_major || is_null($request->parent_minor)) return response()->json(['message' => 'Parent Major and Minor required for Patch'], 422);
+ $maxPatch = $legalPage->revisions()
+ ->where('major', $request->parent_major)
+ ->where('minor', $request->parent_minor)
+ ->max('patch') ?? -1;
+ $major = $request->parent_major;
+ $minor = $request->parent_minor;
+ $patch = $maxPatch + 1;
+ }
+
+ // Auto-Archive Logic: If new version is published, archive others
+ if ($request->status === 'published') {
+ $legalPage->revisions()->where('status', 'published')->update(['status' => 'archived']);
+ }
+
+ $legalPage->revisions()->create([
+ 'content' => $request->content,
+ 'major' => $major,
+ 'minor' => $minor,
+ 'patch' => $patch,
+ 'status' => $request->status,
+ 'published_at' => $request->status === 'published' ? now() : null,
+ 'change_log' => $request->change_log ?? 'Updated content',
+ 'is_active' => true,
+ 'created_by' => auth()->id(),
+ ]);
+
+ return response()->json(['data' => $legalPage, 'message' => 'Legal page updated with new revision']);
+ }
+
+ public function getHistory($id) {
+ $legalPage = LegalPage::findOrFail($id);
+ $revisions = $legalPage->revisions()
+ ->orderBy('major', 'desc')
+ ->orderBy('minor', 'desc')
+ ->orderBy('patch', 'desc')
+ ->get();
+ return response()->json(['data' => $revisions]);
+ }
+
+ public function destroy(LegalPage $legalPage)
+ {
+ $legalPage->delete();
+ return response()->json(['message' => 'Legal page deleted']);
+ }
+}
diff --git a/app/Http/Controllers/Api/ApiKeyController.php b/app/Http/Controllers/Api/ApiKeyController.php
new file mode 100644
index 0000000..3f7fc4a
--- /dev/null
+++ b/app/Http/Controllers/Api/ApiKeyController.php
@@ -0,0 +1,106 @@
+json([
+ 'data' => $request->user()->apiKeys()->orderBy('created_at', 'desc')->get()
+ ]);
+ }
+
+ /**
+ * Create a new personal access token.
+ */
+ public function store(Request $request)
+ {
+ $request->validate([
+ 'name' => 'required|string|max:255',
+ ]);
+
+ $key = ApiKey::generate();
+
+ $apiKey = $request->user()->apiKeys()->create([
+ 'name' => $request->name,
+ 'key' => $key,
+ 'is_active' => true,
+ ]);
+
+ return response()->json([
+ 'message' => 'API Key created successfully',
+ 'token' => $key,
+ 'key' => $apiKey
+ ], 201);
+ }
+
+ /**
+ * Revoke a personal access token.
+ */
+ public function destroy($id)
+ {
+ $apiKey = Auth::user()->apiKeys()->where('id', $id)->first();
+
+ if (!$apiKey) {
+ return response()->json(['message' => 'API Key not found'], 404);
+ }
+
+ $apiKey->delete();
+
+ return response()->json(['message' => 'API Key revoked successfully']);
+ }
+
+ /**
+ * Toggle the active status of an API Key.
+ */
+ public function toggle($id)
+ {
+ $apiKey = Auth::user()->apiKeys()->where('id', $id)->first();
+
+ if (!$apiKey) {
+ return response()->json(['message' => 'API Key not found'], 404);
+ }
+
+ $apiKey->update([
+ 'is_active' => !$apiKey->is_active
+ ]);
+
+ return response()->json([
+ 'message' => 'API Key status updated successfully',
+ 'is_active' => $apiKey->is_active
+ ]);
+ }
+
+ /**
+ * Regenerate the contents of an API Key.
+ */
+ public function regenerate($id)
+ {
+ $apiKey = Auth::user()->apiKeys()->where('id', $id)->first();
+
+ if (!$apiKey) {
+ return response()->json(['message' => 'API Key not found'], 404);
+ }
+
+ $newKey = ApiKey::generate();
+
+ $apiKey->update([
+ 'key' => $newKey,
+ 'last_used_at' => null,
+ ]);
+
+ return response()->json([
+ 'message' => 'API Key regenerated successfully',
+ 'token' => $newKey
+ ]);
+ }
+}
diff --git a/app/Http/Controllers/Api/CertificateApiController.php b/app/Http/Controllers/Api/CertificateApiController.php
new file mode 100644
index 0000000..aead3ff
--- /dev/null
+++ b/app/Http/Controllers/Api/CertificateApiController.php
@@ -0,0 +1,241 @@
+sslService = $sslService;
+ }
+
+ /**
+ * List user certificates.
+ */
+ public function index(Request $request)
+ {
+ $perPage = $request->input('per_page', 10);
+ $search = $request->input('search');
+
+ $query = Certificate::where('user_id', Auth::id());
+
+ if ($search) {
+ $query->where(function($q) use ($search) {
+ $q->where('common_name', 'like', "%{$search}%")
+ ->orWhere('serial_number', 'like', "%{$search}%")
+ ->orWhere('san', 'like', "%{$search}%");
+ });
+ }
+
+ $certificates = $query->latest()->paginate($perPage);
+
+ return response()->json([
+ 'status' => 'success',
+ 'data' => $certificates,
+ 'ca_status' => $this->getCaStatus()
+ ]);
+ }
+
+ /**
+ * Generate a new certificate.
+ */
+ public function store(Request $request)
+ {
+ $validated = $request->validate([
+ 'common_name' => 'required|string|max:255',
+ 'config_mode' => 'required|in:default,manual',
+ 'organization' => 'nullable|required_if:config_mode,manual|string|max:255',
+ 'locality' => 'nullable|required_if:config_mode,manual|string|max:255',
+ 'state' => 'nullable|required_if:config_mode,manual|string|max:255',
+ 'country' => 'nullable|required_if:config_mode,manual|string|size:2',
+ 'san' => 'nullable|string',
+ 'key_bits' => 'required|in:2048,4096',
+ 'is_test_short_lived' => 'nullable|boolean',
+ ]);
+
+ if (!empty($validated['is_test_short_lived']) && !Auth::user()->isAdminOrOwner()) {
+ return response()->json(['status' => 'error', 'message' => 'Unauthorized for test mode'], 403);
+ }
+
+ try {
+ if ($validated['config_mode'] === 'default') {
+ $defaults = Config::get('openssl.ca_leaf_default');
+ $validated['organization'] = $defaults['organizationName'];
+ $validated['locality'] = $defaults['localityName'];
+ $validated['state'] = $defaults['stateOrProvinceName'];
+ $validated['country'] = $defaults['countryName'];
+ }
+
+ $result = $this->sslService->generateLeaf($validated);
+
+ $certificate = Certificate::create([
+ 'user_id' => Auth::id(),
+ 'common_name' => $validated['common_name'],
+ 'organization' => $validated['organization'],
+ 'locality' => $validated['locality'],
+ 'state' => $validated['state'],
+ 'country' => $validated['country'],
+ 'san' => $validated['san'],
+ 'key_bits' => $validated['key_bits'],
+ 'serial_number' => $result['serial'],
+ 'cert_content' => $result['cert'],
+ 'key_content' => $result['key'],
+ 'csr_content' => $result['csr'],
+ 'valid_from' => $result['valid_from'],
+ 'valid_to' => $result['valid_to'],
+ ]);
+
+ $this->logActivity('issue_cert', "Issued certificate for {$certificate->common_name}");
+
+ // Notify User
+ try {
+ Auth::user()->notify(new CertificateNotification($certificate, 'issued'));
+ } catch (\Throwable $e) {
+ \Illuminate\Support\Facades\Log::error('Failed to send certificate notification: ' . $e->getMessage());
+ }
+
+ return response()->json([
+ 'status' => 'success',
+ 'message' => 'Certificate generated successfully',
+ 'data' => $certificate
+ ], 201);
+ } catch (\Throwable $e) {
+ \Log::error('Certificate generation failed: ' . $e->getMessage(), [
+ 'exception' => $e,
+ 'trace' => $e->getTraceAsString()
+ ]);
+ return response()->json([
+ 'status' => 'error',
+ 'message' => 'Failed to generate certificate: ' . $e->getMessage()
+ ], 500);
+ }
+ }
+
+ /**
+ * Show certificate details.
+ */
+ public function show(Certificate $certificate)
+ {
+ $this->authorizeOwner($certificate);
+
+ return response()->json([
+ 'status' => 'success',
+ 'data' => $certificate
+ ]);
+ }
+
+ /**
+ * Delete a certificate.
+ */
+ public function destroy(Certificate $certificate)
+ {
+ $this->authorizeOwner($certificate);
+ $commonName = $certificate->common_name;
+ $certificate->delete();
+
+ $this->logActivity('delete_cert', "Deleted certificate for {$commonName}");
+
+ // Notify User
+ try {
+ Auth::user()->notify(new CertificateNotification($certificate, 'revoked'));
+ } catch (\Throwable $e) {
+ \Illuminate\Support\Facades\Log::error('Failed to send certificate revocation notification: ' . $e->getMessage());
+ }
+
+ return response()->json([
+ 'status' => 'success',
+ 'message' => 'Certificate deleted successfully'
+ ]);
+ }
+
+ /**
+ * Initialize CA (Admin only).
+ */
+ public function setupCa()
+ {
+ if (!Auth::user()->isAdminOrOwner()) {
+ return response()->json(['status' => 'error', 'message' => 'Unauthorized'], 403);
+ }
+
+ // Allow setup if any of the required CA types are missing
+ $status = $this->getCaStatus();
+ if ($status['is_ready']) {
+ return response()->json(['status' => 'error', 'message' => 'CA already fully initialized'], 400);
+ }
+
+ if ($this->sslService->setupCa()) {
+ return response()->json(['status' => 'success', 'message' => 'CA successfully initialized']);
+ }
+
+ return response()->json(['status' => 'error', 'message' => 'Failed to initialize CA'], 500);
+ }
+
+ /**
+ * Download certificate files.
+ */
+ public function downloadFile(Certificate $certificate, $type)
+ {
+ $this->authorizeOwner($certificate);
+
+ $content = match($type) {
+ 'cert' => $certificate->cert_content,
+ 'key' => $certificate->key_content,
+ 'csr' => $certificate->csr_content,
+ default => abort(404)
+ };
+
+ $extension = match($type) {
+ 'cert' => 'crt',
+ 'key' => 'key',
+ 'csr' => 'csr',
+ };
+
+ $filename = Str::slug($certificate->common_name) . '.' . $extension;
+
+ return response($content)
+ ->header('Content-Type', 'text/plain')
+ ->header('Content-Disposition', "attachment; filename={$filename}");
+ }
+
+ protected function getCaStatus()
+ {
+ $root = CaCertificate::where('ca_type', 'root')->exists();
+ $int2048 = CaCertificate::where('ca_type', 'intermediate_2048')->exists();
+ $int4096 = CaCertificate::where('ca_type', 'intermediate_4096')->exists();
+
+ return [
+ 'root' => $root,
+ 'intermediate_2048' => $int2048,
+ 'intermediate_4096' => $int4096,
+ 'is_ready' => $root && $int2048 && $int4096,
+ 'missing' => array_keys(array_filter([
+ 'root' => !$root,
+ 'intermediate_2048' => !$int2048,
+ 'intermediate_4096' => !$int4096,
+ ]))
+ ];
+ }
+
+ protected function authorizeOwner(Certificate $certificate)
+ {
+ if ($certificate->user_id !== Auth::id()) {
+ abort(403);
+ }
+ }
+}
diff --git a/app/Http/Controllers/Api/DashboardController.php b/app/Http/Controllers/Api/DashboardController.php
new file mode 100644
index 0000000..e89b728
--- /dev/null
+++ b/app/Http/Controllers/Api/DashboardController.php
@@ -0,0 +1,160 @@
+user();
+
+ // Helper to calculate percentage change
+ $getTrend = function($current, $previous) {
+ if ($previous == 0) return $current > 0 ? 100 : 0;
+ return round((($current - $previous) / $previous) * 100, 1);
+ };
+
+ // Basic Stats
+ $currentMonth = now()->startOfMonth();
+ $previousMonth = now()->subMonth()->startOfMonth();
+
+ // Certificates (Scoped to User)
+ $totalCertificates = Certificate::where('user_id', $user->id)->count();
+ $prevCertificates = Certificate::where('user_id', $user->id)->where('created_at', '<', $currentMonth)->count();
+
+ // Active Certificates (Scoped to User)
+ $activeCertificates = Certificate::where('user_id', $user->id)->where('status', 'ISSUED')->where('valid_to', '>', now())->count();
+ $prevActiveCertificates = Certificate::where('user_id', $user->id)->where('status', 'ISSUED')->where('valid_to', '>', now()->subMonth())->where('created_at', '<', $currentMonth)->count();
+
+ // Expired (Scoped to User)
+ $expiredCertificates = Certificate::where('user_id', $user->id)->where('valid_to', '<', now())->count();
+
+ // Tickets (Role Based)
+ $ticketQuery = Ticket::query()->whereIn('status', ['open', 'answered']);
+ if (!$user->isAdmin()) {
+ $ticketQuery->where('user_id', $user->id);
+ }
+ $activeTickets = $ticketQuery->count();
+
+ // Previous Tickets (Role Based)
+ $prevTicketQuery = Ticket::query()->whereIn('status', ['open', 'answered'])->where('created_at', '<', $currentMonth);
+ if (!$user->isAdmin()) {
+ $prevTicketQuery->where('user_id', $user->id);
+ }
+ $prevActiveTickets = $prevTicketQuery->count();
+
+ $stats = [
+ 'total_certificates' => [
+ 'value' => $totalCertificates,
+ 'trend' => $getTrend($totalCertificates, $prevCertificates),
+ 'trend_label' => 'vs last month'
+ ],
+ 'active_certificates' => [
+ 'value' => $activeCertificates,
+ 'trend' => $getTrend($activeCertificates, $prevActiveCertificates),
+ 'trend_label' => 'vs last month'
+ ],
+ 'expired_certificates' => [
+ 'value' => $expiredCertificates,
+ 'trend' => 0,
+ 'trend_label' => 'vs last month'
+ ],
+ 'active_tickets' => [
+ 'value' => $activeTickets,
+ 'trend' => $getTrend($activeTickets, $prevActiveTickets),
+ 'trend_label' => 'vs last month'
+ ],
+ ];
+
+ // Admin only stats
+ if ($user->isAdmin()) {
+ $totalUsers = User::count();
+ $prevUsers = User::where('created_at', '<', $currentMonth)->count();
+
+ $stats['total_users'] = [
+ 'value' => $totalUsers,
+ 'trend' => $getTrend($totalUsers, $prevUsers),
+ 'trend_label' => 'vs last month'
+ ];
+
+ // Inquiries - trend calculation for "Pending" is hard, so we just wrap value to keep consistent structure
+ $stats['pending_inquiries'] = [
+ 'value' => Inquiry::where('status', 'unread')->count(),
+ ];
+
+ // CA Certificate Downloads
+ $caDownloads = \App\Models\CaCertificate::select('ca_type', 'download_count')->get();
+ foreach ($caDownloads as $ca) {
+ $stats['ca_downloads_' . $ca->ca_type] = [
+ 'value' => $ca->download_count ?? 0,
+ 'label' => str_replace('_', ' ', strtoupper($ca->ca_type)) . ' Downloads'
+ ];
+ }
+
+ $stats['recent_users'] = User::latest()->take(5)->get(['id', 'first_name', 'last_name', 'email', 'created_at']);
+ }
+
+ // Recent Activity
+ $activityLogQuery = ActivityLog::with('user:id,first_name,last_name,email,avatar')
+ ->latest()
+ ->take(10);
+
+ if (!$user->isAdmin()) {
+ $activityLogQuery->where('user_id', $user->id);
+ }
+
+ $recentActivity = $activityLogQuery->get()->map(function($log) {
+ return [
+ 'id' => $log->id,
+ 'user_name' => $log->user ? $log->user->first_name . ' ' . $log->user->last_name : 'System',
+ 'user_avatar' => $log->user ? $log->user->avatar : null,
+ 'action' => $log->action,
+ 'description' => $log->description,
+ 'created_at' => $log->created_at->toIso8601String(),
+ ];
+ });
+
+ // Chart Data (Certificate Issuance Trend - Last 7 Days)
+ $chartData = [];
+ for ($i = 6; $i >= 0; $i--) {
+ $date = now()->subDays($i)->format('Y-m-d');
+ $countQuery = Certificate::whereDate('created_at', $date);
+ if (!$user->isAdmin()) {
+ $countQuery->where('user_id', $user->id);
+ }
+
+ $chartData[] = [
+ 'date' => $date,
+ 'day' => now()->subDays($i)->format('D'),
+ 'count' => $countQuery->count()
+ ];
+ }
+
+ return response()->json([
+ 'status' => 'success',
+ 'data' => [
+ 'stats' => $stats,
+ 'recent_activity' => $recentActivity,
+ 'chart_data' => $chartData,
+ 'server_time' => now()->toIso8601String(),
+ ]
+ ]);
+ }
+
+ public function ping()
+ {
+ return response()->json([
+ 'pong' => true,
+ 'time' => microtime(true),
+ ]);
+ }
+}
diff --git a/app/Http/Controllers/Api/InquiryController.php b/app/Http/Controllers/Api/InquiryController.php
new file mode 100644
index 0000000..a4da1c7
--- /dev/null
+++ b/app/Http/Controllers/Api/InquiryController.php
@@ -0,0 +1,118 @@
+all(), [
+ 'name' => 'required|string|max:255',
+ 'email' => 'required|email|max:255',
+ 'category' => 'required|string|max:255',
+ 'subject' => 'required|string|max:255',
+ 'message' => 'required|string|max:5000',
+ ]);
+
+ if ($validator->fails()) {
+ return response()->json(['errors' => $validator->errors()], 422);
+ }
+
+ $inquiry = Inquiry::create($request->all());
+
+ try {
+ // Notify all admins
+ $admins = User::where('role', 'admin')->get();
+ Notification::send($admins, new NewInquiryNotification($inquiry));
+ } catch (\Exception $e) {
+ // Log the error but fail silently to the user, as the inquiry was saved.
+ \Illuminate\Support\Facades\Log::error('Failed to send NewInquiryNotification: ' . $e->getMessage());
+ }
+
+ return response()->json([
+ 'message' => 'Your message has been sent successfully. We will get back to you soon!',
+ 'inquiry' => $inquiry
+ ], 201);
+ }
+
+ /**
+ * List all inquiries (Admin).
+ */
+ public function index(Request $request)
+ {
+ $search = $request->query('search');
+ $status = $request->query('status');
+
+ $query = Inquiry::query();
+
+ if ($search) {
+ $query->where(function($q) use ($search) {
+ $q->where('name', 'like', "%{$search}%")
+ ->orWhere('email', 'like', "%{$search}%")
+ ->orWhere('subject', 'like', "%{$search}%");
+ });
+ }
+
+ if ($status) {
+ $query->where('status', $status);
+ }
+
+ $inquiries = $query->orderBy('created_at', 'desc')->paginate(10);
+
+ return response()->json($inquiries);
+ }
+
+ /**
+ * Show a specific inquiry (Admin).
+ */
+ public function show(Inquiry $inquiry)
+ {
+ return response()->json($inquiry);
+ }
+
+ /**
+ * Delete an inquiry (Admin).
+ */
+ public function destroy(Inquiry $inquiry)
+ {
+ $inquiry->delete();
+ return response()->json(['message' => 'Inquiry deleted successfully.']);
+ }
+
+ /**
+ * Reply to an inquiry (Admin).
+ */
+ public function reply(Request $request, Inquiry $inquiry)
+ {
+ $request->validate([
+ 'message' => 'required|string|max:5000',
+ ]);
+
+ try {
+ // Send email using the support mailer
+ Mail::mailer('support')->to($inquiry->email)->send(new \App\Mail\InquiryReplyMail($inquiry, $request->message));
+
+ $inquiry->update([
+ 'status' => 'replied',
+ 'replied_at' => now(),
+ ]);
+
+ return response()->json(['message' => 'Reply sent successfully.']);
+ } catch (\Exception $e) {
+ return response()->json(['message' => 'Failed to send reply: ' . $e->getMessage()], 500);
+ }
+ }
+}
diff --git a/app/Http/Controllers/Api/LegalPageController.php b/app/Http/Controllers/Api/LegalPageController.php
new file mode 100644
index 0000000..c33607b
--- /dev/null
+++ b/app/Http/Controllers/Api/LegalPageController.php
@@ -0,0 +1,42 @@
+where('is_active', true)->firstOrFail();
+
+ // Robustly fetch the latest active revision that is published
+ $latestRevision = $page->revisions()
+ ->where('is_active', true)
+ ->where('status', 'published')
+ ->orderBy('major', 'desc')
+ ->orderBy('minor', 'desc')
+ ->orderBy('patch', 'desc')
+ ->first();
+
+ if (!$latestRevision) {
+ return response()->json(['message' => 'Content not available'], 404);
+ }
+
+ // Manually attach for response structure if needed, or just build response
+ return response()->json(['data' => [
+ 'title' => $page->title,
+ 'content' => $latestRevision->content,
+ 'updated_at' => $latestRevision->created_at,
+ 'version' => $latestRevision->version,
+ ]]);
+ }
+
+ public function index()
+ {
+ $pages = LegalPage::where('is_active', true)->select('title', 'slug')->get();
+ return response()->json(['data' => $pages]);
+ }
+}
diff --git a/app/Http/Controllers/Api/MailController.php b/app/Http/Controllers/Api/MailController.php
new file mode 100644
index 0000000..da993fb
--- /dev/null
+++ b/app/Http/Controllers/Api/MailController.php
@@ -0,0 +1,64 @@
+validate([
+ 'email' => 'required|email',
+ 'mailer' => 'required|string|in:smtp,support',
+ ]);
+
+ $mailer = $request->mailer;
+ $recipient = $request->email;
+ $host = Config::get("mail.mailers.{$mailer}.host");
+
+ try {
+ Mail::mailer($mailer)->to($recipient)->send(new TestMail($mailer, $host));
+
+ return response()->json([
+ 'success' => true,
+ 'message' => "Test email successfully sent via {$mailer} mailer.",
+ ]);
+ } catch (\Exception $e) {
+ return response()->json([
+ 'success' => false,
+ 'message' => "Failed to send email: " . $e->getMessage(),
+ ], 500);
+ }
+ }
+
+ /**
+ * Get current mailer configurations (excluding passwords).
+ */
+ public function getConfigurations()
+ {
+ $configs = [
+ 'smtp' => [
+ 'host' => config('mail.mailers.smtp.host'),
+ 'port' => config('mail.mailers.smtp.port'),
+ 'encryption' => config('mail.mailers.smtp.encryption'),
+ 'from' => config('mail.from.address'),
+ ],
+ 'support' => [
+ 'host' => config('mail.mailers.support.host'),
+ 'port' => config('mail.mailers.support.port'),
+ 'encryption' => config('mail.mailers.support.encryption'),
+ 'from' => config('mail.mailers.support.from.address'),
+ ],
+ ];
+
+ return response()->json($configs);
+ }
+}
diff --git a/app/Http/Controllers/Api/NotificationController.php b/app/Http/Controllers/Api/NotificationController.php
new file mode 100644
index 0000000..aa6d771
--- /dev/null
+++ b/app/Http/Controllers/Api/NotificationController.php
@@ -0,0 +1,70 @@
+user();
+ $query = $user->notifications();
+
+ // Filter by state
+ if ($request->has('filter')) {
+ if ($request->filter === 'unread') {
+ $query = $user->unreadNotifications();
+ } elseif ($request->filter === 'read') {
+ $query = $user->readNotifications();
+ }
+ }
+
+ // Search in data (JSON)
+ if ($request->has('search')) {
+ $search = $request->search;
+ $query->where('data', 'like', "%{$search}%");
+ }
+
+ $notifications = $query->latest()->paginate(10);
+
+ return response()->json($notifications);
+ }
+
+ /**
+ * Mark a specific notification as read.
+ */
+ public function markAsRead(Request $request, $id)
+ {
+ $notification = $request->user()->notifications()->findOrFail($id);
+ $notification->markAsRead();
+
+ return response()->json(['message' => 'Notification marked as read']);
+ }
+
+ /**
+ * Mark all notifications as read.
+ */
+ public function markAllAsRead(Request $request)
+ {
+ $request->user()->unreadNotifications->markAsRead();
+
+ return response()->json(['message' => 'All notifications marked as read']);
+ }
+
+ /**
+ * Remove the specified notification.
+ */
+ public function destroy(Request $request, $id)
+ {
+ $notification = $request->user()->notifications()->findOrFail($id);
+ $notification->delete();
+
+ return response()->json(['message' => 'Notification deleted']);
+ }
+}
diff --git a/app/Http/Controllers/Api/PasswordResetController.php b/app/Http/Controllers/Api/PasswordResetController.php
new file mode 100644
index 0000000..32985df
--- /dev/null
+++ b/app/Http/Controllers/Api/PasswordResetController.php
@@ -0,0 +1,96 @@
+validate(['email' => 'required|email']);
+
+ $user = User::where('email', $request->email)->first();
+
+ if (!$user) {
+ // We return a "success" message anyway to prevent email enumeration
+ return response()->json(['message' => 'Jika email tersebut terdaftar, kami akan mengirimkan link reset password.']);
+ }
+
+ // Generate a token
+ $token = Str::random(64);
+
+ // Store token in password_reset_tokens table
+ DB::table('password_reset_tokens')->updateOrInsert(
+ ['email' => $request->email],
+ [
+ 'token' => Hash::make($token),
+ 'created_at' => Carbon::now()
+ ]
+ );
+
+ // Send Email
+ $resetUrl = config('app.frontend_url') . '/reset-password?token=' . $token . '&email=' . urlencode($request->email);
+
+ Mail::send('emails.password-reset', ['url' => $resetUrl, 'name' => $user->first_name], function ($message) use ($request) {
+ $message->to($request->email);
+ $message->subject('Reset Password - TrustLab');
+ });
+
+ return response()->json(['message' => 'Reset link sent to your email.']);
+ }
+
+ /**
+ * Reset the given user's password.
+ */
+ public function resetPassword(Request $request)
+ {
+ $request->validate([
+ 'token' => 'required',
+ 'email' => 'required|email',
+ 'password' => 'required|min:8|confirmed',
+ ]);
+
+ $reset = DB::table('password_reset_tokens')
+ ->where('email', $request->email)
+ ->first();
+
+ if (!$reset || !Hash::check($request->token, $reset->token)) {
+ return response()->json(['message' => 'Invalid or expired token.'], 400);
+ }
+
+ // Check expiry (e.g., 60 minutes)
+ if (Carbon::parse($reset->created_at)->addMinutes(60)->isPast()) {
+ DB::table('password_reset_tokens')->where('email', $request->email)->delete();
+ return response()->json(['message' => 'Token has expired.'], 400);
+ }
+
+ $user = User::where('email', $request->email)->first();
+
+ if (!$user) {
+ return response()->json(['message' => 'User not found.'], 404);
+ }
+
+ $user->forceFill([
+ 'password' => Hash::make($request->password),
+ 'remember_token' => Str::random(60),
+ ])->save();
+
+ // Delete token
+ DB::table('password_reset_tokens')->where('email', $request->email)->delete();
+
+ return response()->json(['message' => 'Password reset successful.']);
+ }
+}
diff --git a/app/Http/Controllers/Api/ProfileController.php b/app/Http/Controllers/Api/ProfileController.php
new file mode 100644
index 0000000..3754b49
--- /dev/null
+++ b/app/Http/Controllers/Api/ProfileController.php
@@ -0,0 +1,356 @@
+user();
+
+ $validated = $request->validate([
+ 'first_name' => 'nullable|string|max:255',
+ 'last_name' => 'nullable|string|max:255',
+ 'email' => 'nullable|email|max:255|unique:users,email,' . $user->id,
+ 'phone' => 'nullable|string|max:20',
+ 'bio' => 'nullable|string',
+ 'job_title' => 'nullable|string|max:255',
+ 'location' => 'nullable|string|max:255',
+ 'country' => 'nullable|string|max:255',
+ 'city_state' => 'nullable|string|max:255',
+ 'postal_code' => 'nullable|string|max:20',
+ 'tax_id' => 'nullable|string|max:50',
+ 'facebook' => 'nullable|string|max:255',
+ 'twitter' => 'nullable|string|max:255',
+ 'linkedin' => 'nullable|string|max:255',
+ 'instagram' => 'nullable|string|max:255',
+ 'settings_email_alerts' => 'sometimes|boolean',
+ 'settings_certificate_renewal' => 'sometimes|boolean',
+ 'default_landing_page' => 'sometimes|string|max:255',
+ 'theme' => 'sometimes|string|in:light,dark,system',
+ 'language' => 'sometimes|string|max:10',
+ ]);
+
+ // Handle Email Change Logic
+ if (isset($validated['email']) && $validated['email'] !== $user->email) {
+ $pendingEmail = $validated['email'];
+
+ // Basic check to avoid duplication with other pending_emails if necessary,
+ // but unique:users,email already covers the main one.
+
+ $user->pending_email = $pendingEmail;
+ $user->save();
+
+ // Send notification to the NEW email
+ $user->notify(new \App\Notifications\PendingEmailVerificationNotification);
+
+ // Remove email from validated so it doesn't update the primary email yet
+ unset($validated['email']);
+ }
+
+ // Sanitize social links to store only usernames
+ if (isset($validated['facebook'])) $validated['facebook'] = $this->extractUsername($validated['facebook'], 'facebook.com');
+ if (isset($validated['twitter'])) $validated['twitter'] = $this->extractUsername($validated['twitter'], ['twitter.com', 'x.com']);
+ if (isset($validated['linkedin'])) $validated['linkedin'] = $this->extractUsername($validated['linkedin'], 'linkedin.com/in');
+ if (isset($validated['instagram'])) $validated['instagram'] = $this->extractUsername($validated['instagram'], 'instagram.com');
+
+ // Log the update attempt for debugging
+ \Illuminate\Support\Facades\Log::info('Profile Update Request:', ['user_id' => $user->id, 'payload' => $validated]);
+
+ $user->update($validated);
+
+ return response()->json([
+ 'message' => 'Profile updated successfully.',
+ 'user' => $user,
+ ]);
+ }
+
+ /**
+ * Update the user's password.
+ */
+ public function updatePassword(Request $request)
+ {
+ $validated = $request->validate([
+ 'current_password' => ['required', 'current_password'],
+ 'password' => ['required', 'confirmed', Password::defaults()],
+ ]);
+
+ $request->user()->update([
+ 'password' => Hash::make($validated['password']),
+ ]);
+
+ return response()->json([
+ 'message' => 'Password updated successfully.',
+ ]);
+ }
+
+ /**
+ * Update the user's avatar.
+ */
+ public function updateAvatar(Request $request)
+ {
+ $request->validate([
+ 'avatar' => 'required|image|mimes:jpeg,png,jpg,gif,svg|max:5120',
+ ]);
+
+ $user = $request->user();
+ $file = $request->file('avatar');
+
+ $extension = $file->getClientOriginalExtension();
+
+ // Requirement 1: URL avatar yang sedang digunakan adalah clean uuid
+ // Output: avatars/{user-uuid}.{ext}
+ $newFilename = "{$user->id}.{$extension}";
+ $newPath = "avatars/{$newFilename}";
+
+ // Requirement 2: Jika ganti, pindahkan lama ke trash/{user-uuid}-{trash-random}-{original-filename}
+ if ($user->avatar) {
+ $oldPath = $this->getRelativePath($user->avatar);
+
+ if ($oldPath) {
+ // If it's on R2, move it to trash
+ if (Storage::disk('r2')->exists($oldPath)) {
+ $trashRandom = Str::random(10);
+ $oldBasename = basename($oldPath);
+ $trashPath = "trash/{$user->id}-{$trashRandom}-{$oldBasename}";
+
+ // S3/R2 copy + delete is more reliable than move in some environments
+ Storage::disk('r2')->copy($oldPath, $trashPath);
+ Storage::disk('r2')->delete($oldPath);
+ }
+ // If it's still on local storage (migration case), just delete it
+ elseif (Storage::disk('public')->exists($oldPath)) {
+ Storage::disk('public')->delete($oldPath);
+ }
+ }
+ }
+
+ // Upload to R2
+ // Upload to R2 with Cache-Control to prevent long caching
+ $path = $file->storeAs('avatars', $newFilename, [
+ 'disk' => 'r2',
+ 'CacheControl' => 'no-cache, no-store, max-age=0, must-revalidate',
+ ]);
+ $url = Storage::disk('r2')->url($path);
+
+ $user->update(['avatar' => $url]);
+
+ return response()->json([
+ 'message' => 'Avatar updated successfully.',
+ 'avatar_url' => $url,
+ ]);
+ }
+
+ /**
+ * Helper to extract relative path from full URL
+ */
+ private function getRelativePath($url)
+ {
+ if (!$url) return null;
+
+ $baseUrl = config('filesystems.disks.r2.url');
+
+ // Strip query string if any before processing
+ $urlWithoutQuery = explode('?', $url)[0];
+
+ if (str_starts_with($urlWithoutQuery, $baseUrl)) {
+ return ltrim(str_replace($baseUrl, '', $urlWithoutQuery), '/');
+ }
+
+ // Handle legacy local storage URLs if any
+ if (str_contains($urlWithoutQuery, '/storage/')) {
+ return 'avatars/' . basename($urlWithoutQuery);
+ }
+
+ return $urlWithoutQuery;
+ }
+
+ /**
+ * Get Login History (Last 1 month, max 10)
+ */
+ public function getLoginHistory(Request $request)
+ {
+ $history = $request->user()->loginHistories()
+ ->where('created_at', '>=', now()->subMonth())
+ ->latest()
+ ->limit(10)
+ ->get();
+
+ return response()->json($history);
+ }
+
+ /**
+ * Delete user account
+ */
+ public function deleteAccount(Request $request)
+ {
+ $user = $request->user();
+
+ // Optional: Perform any cleanup here (delete avatar, certificates, etc.)
+ if ($user->avatar) {
+ $oldPath = $this->getRelativePath($user->avatar);
+ if ($oldPath && Storage::disk('r2')->exists($oldPath)) {
+ $trashRandom = Str::random(10);
+ $oldBasename = basename($oldPath);
+ $trashPath = "trash/deleted_user_{$user->id}-{$trashRandom}-{$oldBasename}";
+ Storage::disk('r2')->move($oldPath, $trashPath);
+ }
+ }
+
+ // Revoke Social Tokens
+ foreach ($user->socialAccounts as $account) {
+ // Re-use logic or call external helper? For simplicity/speed, implementing inline revocation or calling AuthController logic if possible.
+ // Better: Iterate and manually revoke to ensure clean slate.
+ try {
+ if ($account->provider === 'google' && $account->token) {
+ \Illuminate\Support\Facades\Http::post('https://oauth2.googleapis.com/revoke', ['token' => $account->token]);
+ }
+ // GitHub revocation is more complex inline without config access handy, but we attempt basic cleanup
+ } catch (\Exception $e) {
+ // Continue deletion
+ }
+ }
+
+ $user->delete();
+
+ return response()->json([
+ 'message' => 'Account deleted successfully.',
+ ]);
+ }
+
+ /**
+ * Get active sessions from database
+ */
+ public function getActiveSessions(Request $request)
+ {
+ $sessions = DB::table('sessions')
+ ->where('user_id', $request->user()->id)
+ ->get()
+ ->map(function ($session) use ($request) {
+ $info = $this->parseUserAgent($session->user_agent);
+ return [
+ 'id' => $session->id,
+ 'ip_address' => $session->ip_address,
+ 'browser' => $info['browser'],
+ 'os' => $info['os'],
+ 'device_type' => $info['device'],
+ 'last_active' => $session->last_activity,
+ 'is_current' => $session->id === $request->session()->getId(),
+ ];
+ });
+
+ return response()->json($sessions);
+ }
+
+ /**
+ * Revoke a specific session
+ */
+ public function revokeSession(Request $request, $id)
+ {
+ // Don't allow revoking current session via this endpoint for safety
+ if ($id === $request->session()->getId()) {
+ return response()->json(['message' => 'Cannot revoke current session.'], 400);
+ }
+
+ DB::table('sessions')
+ ->where('user_id', $request->user()->id)
+ ->where('id', $id)
+ ->delete();
+
+ return response()->json(['message' => 'Session revoked successfully.']);
+ }
+
+ /**
+ * Simple User Agent Parser (Copied from AuthController for consistency)
+ */
+ private function parseUserAgent($agent)
+ {
+ $os = 'Unknown OS';
+ $browser = 'Unknown Browser';
+ $device = 'Desktop';
+
+ if (!$agent) return ['os' => $os, 'browser' => $browser, 'device' => $device];
+
+ // OS Parsing
+ if (preg_match('/iphone|ipad|ipod/i', $agent)) {
+ $os = 'iOS';
+ $device = 'iOS';
+ } elseif (preg_match('/android/i', $agent)) {
+ $os = 'Android';
+ $device = 'Android';
+ } elseif (preg_match('/windows/i', $agent)) {
+ $os = 'Windows';
+ $device = 'Windows';
+ } elseif (preg_match('/macintosh|mac os x/i', $agent)) {
+ $os = 'Mac';
+ $device = 'Mac';
+ } elseif (preg_match('/linux/i', $agent)) {
+ $os = 'Linux';
+ $device = 'Linux';
+ }
+
+ // Browser Parsing
+ if (preg_match('/msie/i', $agent) && !preg_match('/opera/i', $agent)) {
+ $browser = 'Internet Explorer';
+ } elseif (preg_match('/firefox/i', $agent)) {
+ $browser = 'Firefox';
+ } elseif (preg_match('/chrome/i', $agent)) {
+ $browser = 'Chrome';
+ } elseif (preg_match('/safari/i', $agent)) {
+ $browser = 'Safari';
+ } elseif (preg_match('/opera/i', $agent)) {
+ $browser = 'Opera';
+ }
+
+ return [
+ 'os' => $os,
+ 'browser' => $browser,
+ 'device' => $device
+ ];
+ }
+
+ /**
+ * Helper to extract username from social media URLs.
+ */
+ private function extractUsername(?string $value, $domains): ?string
+ {
+ if (!$value) return null;
+
+ $value = trim($value);
+ if (empty($value)) return null;
+
+ // If it doesn't look like a URL, assume it's already a username
+ if (!str_contains($value, '/') && !str_contains($value, '.')) {
+ return ltrim($value, '@');
+ }
+
+ $domains = (array) $domains;
+ foreach ($domains as $domain) {
+ // Clean domain for regex (e.g. linkedin.com/in)
+ $safeDomain = str_replace('/', '\/', preg_quote($domain));
+ $pattern = "/(?:https?:\/\/)?(?:www\.)?{$safeDomain}\/([^\/\?#]+)/i";
+
+ if (preg_match($pattern, $value, $matches)) {
+ return $matches[1];
+ }
+ }
+
+ // If it's a URL but doesn't match the expected domain, just return the last part or the value itself
+ // to avoid losing data if the user inputs something slightly different
+ $parts = explode('/', rtrim($value, '/'));
+ return end($parts);
+ }
+}
diff --git a/app/Http/Controllers/Api/PublicCaController.php b/app/Http/Controllers/Api/PublicCaController.php
new file mode 100644
index 0000000..d2599a3
--- /dev/null
+++ b/app/Http/Controllers/Api/PublicCaController.php
@@ -0,0 +1,171 @@
+get(['common_name', 'ca_type', 'serial_number', 'valid_to', 'cert_content'])
+ ->map(function ($cert) {
+ return [
+ 'name' => $cert->common_name,
+ 'type' => $cert->ca_type,
+ 'serial' => $cert->serial_number,
+ 'expires_at' => $cert->valid_to->toIso8601String(),
+ ];
+ });
+
+ return response()->json([
+ 'success' => true,
+ 'data' => $certificates
+ ]);
+ }
+
+ /**
+ * Download certificate in various formats.
+ */
+ public function download(Request $request, $serial)
+ {
+ $cert = CaCertificate::where('serial_number', $serial)->firstOrFail();
+ $cert->increment('download_count');
+ $cert->update(['last_downloaded_at' => now()]);
+ $format = $request->query('format', 'pem');
+
+ if ($format === 'der') {
+ // Convert PEM to DER (Base64 decode the body)
+ $pem = $cert->cert_content;
+ $lines = explode("\n", trim($pem));
+ $payload = '';
+ foreach ($lines as $line) {
+ if (!str_starts_with($line, '-----')) {
+ $payload .= trim($line);
+ }
+ }
+ $der = base64_decode($payload);
+
+ return response($der)
+ ->header('Content-Type', 'application/x-x509-ca-cert')
+ ->header('Content-Disposition', 'attachment; filename="' . $cert->common_name . '.der"');
+ }
+
+ // Default PEM
+ return response($cert->cert_content)
+ ->header('Content-Type', 'application/x-pem-file')
+ ->header('Content-Disposition', 'attachment; filename="' . $cert->common_name . '.crt"');
+ }
+
+ /**
+ * Download Windows One-Click Installer (.bat)
+ */
+ public function downloadWindows($serial)
+ {
+ $cert = CaCertificate::where('serial_number', $serial)->firstOrFail();
+ $cert->increment('download_count');
+ $cert->update(['last_downloaded_at' => now()]);
+ $store = $cert->ca_type === 'root' ? 'Root' : 'CA';
+ $filename = preg_replace('/[^a-zA-Z0-9_-]/', '_', $cert->common_name);
+
+ // Convert CRLF to ensure batch file works
+ $certContent = str_replace("\n", "\r\n", str_replace("\r\n", "\n", $cert->cert_content));
+
+ $script = "@echo off\r\n";
+ $script .= "echo Installing " . $cert->common_name . "...\r\n";
+ $script .= "echo Please allow the security prompt to trust this certificate.\r\n";
+ $script .= "set \"CERT_FILE=%TEMP%\\" . $filename . ".crt\"\r\n";
+ $script .= "((\r\n";
+ foreach(explode("\r\n", $certContent) as $line) {
+ if(!empty($line)) $script .= "echo " . $line . "\r\n";
+ }
+ $script .= ")) > \"%CERT_FILE%\"\r\n";
+ $script .= "certutil -addstore -f \"" . $store . "\" \"%CERT_FILE%\"\r\n";
+ $script .= "del \"%CERT_FILE%\"\r\n";
+ $script .= "pause\r\n";
+
+ return response($script)
+ ->header('Content-Type', 'application/x-bat')
+ ->header('Content-Disposition', 'attachment; filename="install-' . $filename . '.bat"');
+ }
+
+ /**
+ * Download macOS Configuration Profile (.mobileconfig)
+ */
+ public function downloadMac($serial)
+ {
+ $cert = CaCertificate::where('serial_number', $serial)->firstOrFail();
+ $cert->increment('download_count');
+ $cert->update(['last_downloaded_at' => now()]);
+
+ // Extract Base64 payload
+ $pem = $cert->cert_content;
+ $lines = explode("\n", trim($pem));
+ $payload = '';
+ foreach ($lines as $line) {
+ if (!str_starts_with($line, '-----')) {
+ $payload .= trim($line);
+ }
+ }
+
+ $uuid = \Illuminate\Support\Str::uuid();
+ $identifier = 'com.trustlab.cert.' . $serial;
+ $name = $cert->common_name;
+
+ $xml = '
+
+
+
+ PayloadContent
+
+
+ PayloadCertificateFileName
+ ' . $name . '.cer
+ PayloadContent
+
+ ' . $payload . '
+
+ PayloadDescription
+ Adds ' . $name . ' to Trusted Root Store
+ PayloadDisplayName
+ ' . $name . '
+ PayloadIdentifier
+ ' . $identifier . '.cert
+ PayloadType
+ com.apple.security.pkcs1
+ PayloadUUID
+ ' . \Illuminate\Support\Str::uuid() . '
+ PayloadVersion
+ 1
+
+
+ PayloadDisplayName
+ ' . $name . ' Installer
+ PayloadIdentifier
+ ' . $identifier . '
+ PayloadRemovalDisallowed
+
+ PayloadType
+ Configuration
+ PayloadUUID
+ ' . $uuid . '
+ PayloadVersion
+ 1
+
+';
+
+ return response($xml)
+ ->header('Content-Type', 'application/x-apple-aspen-config')
+ ->header('Content-Disposition', 'attachment; filename="' . $name . '.mobileconfig"');
+ }
+}
diff --git a/app/Http/Controllers/Api/RootCaApiController.php b/app/Http/Controllers/Api/RootCaApiController.php
new file mode 100644
index 0000000..d68b658
--- /dev/null
+++ b/app/Http/Controllers/Api/RootCaApiController.php
@@ -0,0 +1,69 @@
+sslService = $sslService;
+ }
+
+ public function index()
+ {
+ $this->authorizeAdmin();
+
+ $certificates = CaCertificate::all()->map(function($cert) {
+ $cert->status = $cert->valid_to->isFuture() ? 'valid' : 'expired';
+ return $cert;
+ });
+
+ return response()->json([
+ 'status' => 'success',
+ 'data' => $certificates
+ ]);
+ }
+
+ public function renew(Request $request, CaCertificate $certificate)
+ {
+ $this->authorizeAdmin();
+
+ $days = (int) $request->input('days', 3650);
+
+ try {
+ $newData = $this->sslService->renewCaCertificate($certificate, $days);
+
+ $certificate->update([
+ 'cert_content' => $newData['cert_content'],
+ 'serial_number' => $newData['serial_number'],
+ 'valid_from' => $newData['valid_from'],
+ 'valid_to' => $newData['valid_to'],
+ ]);
+
+ return response()->json([
+ 'status' => 'success',
+ 'message' => 'Certificate renewed successfully.',
+ 'data' => $certificate
+ ]);
+ } catch (\Exception $e) {
+ return response()->json([
+ 'status' => 'error',
+ 'message' => 'Renewal failed: ' . $e->getMessage()
+ ], 500);
+ }
+ }
+
+ protected function authorizeAdmin()
+ {
+ if (auth()->user()->role !== 'admin') {
+ abort(403, 'Unauthorized action.');
+ }
+ }
+}
diff --git a/app/Http/Controllers/Api/TicketController.php b/app/Http/Controllers/Api/TicketController.php
new file mode 100644
index 0000000..00502a2
--- /dev/null
+++ b/app/Http/Controllers/Api/TicketController.php
@@ -0,0 +1,241 @@
+user();
+ $query = Ticket::with(['user:id,first_name,last_name,email,avatar', 'replies.user:id,first_name,last_name,avatar', 'replies.attachments']);
+
+ // Only show all tickets if user is admin AND explicitly asks for all
+ if ($user->isAdmin() && $request->has('all')) {
+ // No additional where clause needed
+ } else {
+ // Everyone else (including admins in personal view) only sees their own
+ $query->where('user_id', $user->id);
+ }
+
+ $tickets = $query->latest()->paginate(10);
+
+ return response()->json($tickets);
+ }
+
+ /**
+ * Store a newly created ticket.
+ */
+ public function store(Request $request)
+ {
+ $user = $request->user();
+
+ $validator = Validator::make($request->all(), [
+ 'subject' => 'required|string|max:255',
+ 'category' => 'required|string',
+ 'priority' => 'required|in:low,medium,high',
+ 'message' => 'required|string',
+ 'attachments' => 'array|max:5',
+ 'attachments.*' => 'file|mimes:jpg,jpeg,png,pdf,doc,docx,zip,txt|max:10240',
+ ]);
+
+ if ($validator->fails()) {
+ return response()->json(['errors' => $validator->errors()], 422);
+ }
+
+ try {
+ return DB::transaction(function () use ($request, $user) {
+ $ticket = Ticket::create([
+ 'user_id' => $user->id,
+ 'ticket_number' => Ticket::generateTicketNumber(),
+ 'subject' => $request->subject,
+ 'category' => $request->category,
+ 'priority' => $request->priority,
+ 'status' => 'open',
+ ]);
+
+ $this->logActivity('create_ticket', "Created ticket #{$ticket->ticket_number}: {$ticket->subject}");
+
+ $reply = TicketReply::create([
+ 'ticket_id' => $ticket->id,
+ 'user_id' => $user->id,
+ 'message' => $request->message,
+ ]);
+
+ // Handle Attachments
+ if ($request->hasFile('attachments')) {
+ foreach ($request->file('attachments') as $file) {
+ $path = $file->store('ticket-attachments', 'r2');
+ $url = Storage::disk('r2')->url($path);
+ TicketAttachment::create([
+ 'ticket_reply_id' => $reply->id,
+ 'file_name' => $file->getClientOriginalName(),
+ 'file_path' => $url,
+ 'file_type' => $file->getClientMimeType(),
+ 'file_size' => $file->getSize(),
+ ]);
+ }
+ }
+
+ // Notify Admins
+ try {
+ $admins = User::where('role', 'admin')
+ ->where('id', '!=', $user->id)
+ ->get();
+ if ($admins->isNotEmpty()) {
+ Notification::send($admins, new NewTicketNotification($ticket->load('user')));
+ }
+ } catch (\Throwable $e) {
+ // Log error but don't fail the request
+ \Illuminate\Support\Facades\Log::error('Failed to send ticket notification: ' . $e->getMessage());
+ }
+
+ return response()->json([
+ 'message' => 'Ticket created successfully',
+ 'ticket' => $ticket->load(['user:id,first_name,last_name,email,avatar', 'replies.user:id,first_name,last_name,avatar', 'replies.attachments'])
+ ], 201);
+ });
+ } catch (\Throwable $e) {
+ \Illuminate\Support\Facades\Log::error('Ticket creation failed: ' . $e->getMessage());
+ return response()->json(['message' => 'Failed to create ticket: ' . $e->getMessage()], 500);
+ }
+ }
+
+ /**
+ * Display the specified ticket with replies.
+ */
+ public function show(Request $request, $id)
+ {
+ $user = $request->user();
+ $ticket = Ticket::with(['user:id,first_name,last_name,email,avatar', 'replies.user:id,first_name,last_name,avatar', 'replies.attachments'])->findOrFail($id);
+
+ if (!$user->isAdmin() && $ticket->user_id !== $user->id) {
+ return response()->json(['message' => 'Unauthorized'], 403);
+ }
+
+ return response()->json($ticket);
+ }
+
+ /**
+ * Add a reply to the ticket.
+ */
+ public function reply(Request $request, $id)
+ {
+ $user = $request->user();
+ $ticket = Ticket::findOrFail($id);
+
+ if (!$user->isAdmin() && $ticket->user_id !== $user->id) {
+ return response()->json(['message' => 'Unauthorized'], 403);
+ }
+
+ if ($ticket->status === 'closed') {
+ return response()->json(['message' => 'Cannot reply to a closed ticket'], 422);
+ }
+
+ $validator = Validator::make($request->all(), [
+ 'message' => 'required|string',
+ 'attachments' => 'array|max:5',
+ 'attachments.*' => 'file|mimes:jpg,jpeg,png,pdf,doc,docx,zip,txt|max:10240',
+ ]);
+
+ if ($validator->fails()) {
+ return response()->json(['errors' => $validator->errors()], 422);
+ }
+
+ $reply = TicketReply::create([
+ 'ticket_id' => $ticket->id,
+ 'user_id' => $user->id,
+ 'message' => $request->message,
+ ]);
+
+ $this->logActivity('reply_ticket', "Replied to ticket #{$ticket->ticket_number}");
+
+ // Handle Attachments
+ if ($request->hasFile('attachments')) {
+ foreach ($request->file('attachments') as $file) {
+ $path = $file->store('ticket-attachments', 'r2');
+ $url = Storage::disk('r2')->url($path);
+ TicketAttachment::create([
+ 'ticket_reply_id' => $reply->id,
+ 'file_name' => $file->getClientOriginalName(),
+ 'file_path' => $url,
+ 'file_type' => $file->getClientMimeType(),
+ 'file_size' => $file->getSize(),
+ ]);
+ }
+ }
+
+ // Update ticket status & Notify
+ try {
+ if ($user->isAdmin()) {
+ $ticket->update(['status' => 'answered']);
+ // Notify Customer
+ $ticketUser = $ticket->user;
+ if ($ticketUser && $ticketUser->id !== $user->id) {
+ $ticketUser->notify(new TicketReplyNotification($ticket, $reply, true));
+ }
+
+ // Also notify OTHER admins
+ $otherAdmins = User::where('role', 'admin')
+ ->where('id', '!=', $user->id)
+ ->get();
+ if ($otherAdmins->isNotEmpty()) {
+ Notification::send($otherAdmins, new TicketReplyNotification($ticket, $reply, true));
+ }
+ } else {
+ $ticket->update(['status' => 'open']);
+ // Notify All Admins
+ $admins = User::where('role', 'admin')->get();
+ if ($admins->isNotEmpty()) {
+ Notification::send($admins, new TicketReplyNotification($ticket, $reply, false));
+ }
+ }
+ } catch (\Throwable $e) {
+ \Illuminate\Support\Facades\Log::error('Failed to send ticket reply notification: ' . $e->getMessage());
+ }
+
+ return response()->json([
+ 'message' => 'Reply added successfully',
+ 'reply' => $reply->load(['user:id,first_name,last_name,avatar', 'attachments'])
+ ], 201);
+ }
+
+ /**
+ * Close the ticket.
+ */
+ public function close(Request $request, $id)
+ {
+ $user = $request->user();
+ $ticket = Ticket::findOrFail($id);
+
+ if (!$user->isAdmin() && $ticket->user_id !== $user->id) {
+ return response()->json(['message' => 'Unauthorized'], 403);
+ }
+
+ $ticket->update(['status' => 'closed']);
+
+ $this->logActivity('close_ticket', "Closed ticket #{$ticket->ticket_number}");
+
+ return response()->json([
+ 'message' => 'Ticket closed successfully',
+ 'ticket' => $ticket
+ ]);
+ }
+}
diff --git a/app/Http/Controllers/Api/UserApiController.php b/app/Http/Controllers/Api/UserApiController.php
new file mode 100644
index 0000000..160d1cb
--- /dev/null
+++ b/app/Http/Controllers/Api/UserApiController.php
@@ -0,0 +1,157 @@
+authorizeAdminOrOwner();
+ $query = User::query();
+
+ // Search by name or email
+ if ($request->has('search')) {
+ $search = $request->input('search');
+ $query->where(function($q) use ($search) {
+ $q->where('email', 'like', "%{$search}%")
+ ->orWhere('first_name', 'like', "%{$search}%")
+ ->orWhere('last_name', 'like', "%{$search}%");
+ });
+ }
+
+ // Filter by role
+ if ($request->has('role')) {
+ $query->where('role', $request->input('role'));
+ }
+
+ // Sort
+ $sortBy = $request->input('sort_by', 'created_at');
+ $sortOrder = $request->input('sort_order', 'desc');
+ $query->orderBy($sortBy, $sortOrder);
+
+ return $query->paginate($request->input('per_page', 10));
+ }
+
+ /**
+ * Store a newly created user in storage.
+ */
+ public function store(Request $request)
+ {
+ $this->authorizeAdminOrOwner();
+
+ if (auth()->user()->isOwner()) {
+ $roles = [User::ROLE_OWNER, User::ROLE_ADMIN, User::ROLE_CUSTOMER];
+ } else {
+ // Admins can only create Customers
+ $roles = [User::ROLE_CUSTOMER];
+ }
+
+ $validated = $request->validate([
+ 'first_name' => 'required|string|max:255',
+ 'last_name' => 'nullable|string|max:255',
+ 'email' => 'required|string|email|max:255|unique:users',
+ 'password' => 'required|string|min:8',
+ 'role' => ['required', Rule::in($roles)],
+ ]);
+
+ $validated['password'] = Hash::make($validated['password']);
+
+ $user = User::create($validated);
+
+ return response()->json([
+ 'message' => 'User created successfully',
+ 'user' => $user
+ ], 201);
+ }
+
+ /**
+ * Display the specified user.
+ */
+ public function show(User $user)
+ {
+ $this->authorizeAdminOrOwner();
+ return $user;
+ }
+
+ /**
+ * Update the specified user in storage.
+ */
+ public function update(Request $request, User $user)
+ {
+ $this->authorizeAdminOrOwner();
+
+ // Permission check: Admins cannot modify Admin/Owner accounts
+ if (auth()->user()->isAdmin() && $user->role !== User::ROLE_CUSTOMER) {
+ abort(403, 'Admins can only manage Customer accounts.');
+ }
+
+ $validated = $request->validate([
+ 'first_name' => 'sometimes|required|string|max:255',
+ 'last_name' => 'nullable|string|max:255',
+ 'email' => ['sometimes', 'required', 'string', 'email', 'max:255', Rule::unique('users')->ignore($user->id)],
+ 'password' => 'nullable|string|min:8',
+ 'role' => [
+ 'sometimes',
+ 'required',
+ auth()->user()->isOwner() ? Rule::in([User::ROLE_OWNER, User::ROLE_ADMIN, User::ROLE_CUSTOMER]) : Rule::in([$user->role])
+ ],
+ ]);
+
+ // Admins cannot change roles (already handled by Rule::in([$user->role]) above for safety, but let's be explicit)
+ if (auth()->user()->isAdmin() && isset($validated['role']) && $validated['role'] !== $user->role) {
+ abort(403, 'Admins cannot change user roles.');
+ }
+
+
+ if (!empty($validated['password'])) {
+ $validated['password'] = Hash::make($validated['password']);
+ } else {
+ unset($validated['password']);
+ }
+
+ $user->update($validated);
+
+ return response()->json([
+ 'message' => 'User updated successfully',
+ 'user' => $user
+ ]);
+ }
+
+ /**
+ * Remove the specified user from storage.
+ */
+ public function destroy(User $user)
+ {
+ $this->authorizeAdminOrOwner();
+
+ // Permission check: Admins can only delete Customer accounts
+ if (auth()->user()->isAdmin() && $user->role !== User::ROLE_CUSTOMER) {
+ abort(403, 'Admins can only delete Customer accounts.');
+ }
+ // Prevent deleting yourself
+ if (auth()->id() === $user->id) {
+ return response()->json(['message' => 'You cannot delete your own account.'], 403);
+ }
+
+ $user->delete();
+
+ return response()->json(['message' => 'User deleted successfully']);
+ }
+
+ protected function authorizeAdminOrOwner()
+ {
+ if (!auth()->user()->isAdminOrOwner()) {
+ abort(403, 'Unauthorized action.');
+ }
+ }
+}
diff --git a/app/Http/Controllers/Api/VerificationController.php b/app/Http/Controllers/Api/VerificationController.php
new file mode 100644
index 0000000..981c6d3
--- /dev/null
+++ b/app/Http/Controllers/Api/VerificationController.php
@@ -0,0 +1,62 @@
+user();
+
+ if ($user->hasVerifiedEmail() && !$user->pending_email) {
+ return redirect(config('app.frontend_url') . '/verify-success?already_verified=1');
+ }
+
+ // If there is a pending email, promote it to the main email
+ if ($user->pending_email) {
+ $user->email = $user->pending_email;
+ $user->pending_email = null;
+ }
+
+ if ($user->markEmailAsVerified()) {
+ event(new Verified($user));
+ }
+
+ return redirect(config('app.frontend_url') . '/verify-success?verified=1');
+ }
+
+ /**
+ * Resend the email verification notification.
+ *
+ * @param \Illuminate\Http\Request $request
+ * @return \Illuminate\Http\JsonResponse
+ */
+ public function resend(Request $request)
+ {
+ $user = $request->user();
+
+ if ($user->hasVerifiedEmail() && !$user->pending_email) {
+ return response()->json(['message' => 'Email already verified.'], 400);
+ }
+
+ if ($user->pending_email) {
+ $user->notify(new \App\Notifications\PendingEmailVerificationNotification);
+ } else {
+ $user->sendEmailVerificationNotification();
+ }
+
+ return response()->json(['message' => 'Verification link sent.']);
+ }
+}
diff --git a/app/Http/Controllers/AuthController.php b/app/Http/Controllers/AuthController.php
new file mode 100644
index 0000000..749b3dc
--- /dev/null
+++ b/app/Http/Controllers/AuthController.php
@@ -0,0 +1,377 @@
+validate([
+ 'email' => ['required', 'email'],
+ 'password' => ['required'],
+ ]);
+
+ $user = User::where('email', $request->email)->first();
+
+ if (!$user || !Hash::check($request->password, $user->password)) {
+ throw ValidationException::withMessages([
+ 'email' => ['Invalid credentials.'],
+ ]);
+ }
+
+ // 2FA Check
+ if ($user->two_factor_confirmed_at) {
+ // Return Temporary Token with "2fa" capability
+ // We DO NOT call Auth::login() here to prevent session cookie creation
+ $tempToken = $user->createToken('2fa_temp_token', ['2fa-required'])->plainTextToken;
+
+ return response()->json([
+ 'two_factor_required' => true,
+ 'temp_token' => $tempToken,
+ ]);
+ }
+
+ // Standard Login - Establish session and issue token
+ Auth::guard('web')->login($user, $request->boolean('remember'));
+
+ $token = $user->createToken('auth_token')->plainTextToken;
+
+ $this->recordLoginHistory($request, $user);
+ $this->logActivity('login', 'User logged in to the dashboard');
+
+ return response()->json([
+ 'message' => 'Login successful',
+ 'token' => $token,
+ 'user' => $user,
+ ]);
+ }
+
+ /**
+ * Handle Registration Request
+ */
+ public function register(Request $request)
+ {
+ $validated = $request->validate([
+ 'fname' => 'required|string|max:255',
+ 'lname' => 'nullable|string|max:255',
+ 'email' => 'required|string|email|max:255|unique:users',
+ 'password' => 'required|string|min:8',
+ ]);
+
+ $user = User::create([
+ 'first_name' => $validated['fname'],
+ 'last_name' => $validated['lname'] ?? null,
+ 'email' => $validated['email'],
+ 'password' => Hash::make($validated['password']),
+ ]);
+
+ Auth::login($user);
+
+ $token = $user->createToken('auth_token')->plainTextToken;
+
+ $this->recordLoginHistory($request, $user);
+ $this->logActivity('register', 'User registered a new account');
+
+ return response()->json([
+ 'message' => 'Registration successful',
+ 'token' => $token,
+ 'user' => $user,
+ ]);
+ }
+
+ /**
+ * Redirect to Social Provider
+ */
+ public function socialRedirect(Request $request, $provider)
+ {
+ // Store context (signin, signup, connect) in session
+ $context = $request->query('context', 'signin'); // Default to signin if missing
+ session(['social_context' => $context]);
+
+ // Secure Link Flow: If a link_token is provided, verify it and store the user ID in session
+ if ($context === 'connect' && $request->has('link_token')) {
+ $token = $request->query('link_token');
+ $userId = Cache::get("link_token_{$token}");
+
+ if ($userId) {
+ session(['social_auth_user_id' => $userId]);
+ Cache::forget("link_token_{$token}"); // Consume token
+ }
+ }
+
+ $driver = Socialite::driver($provider)->stateless();
+
+ if ($provider === 'google') {
+ $driver->with(['prompt' => 'select_account consent', 'access_type' => 'offline']);
+ } else {
+ // Attempt to force consent for others
+ $driver->with(['prompt' => 'consent']);
+ }
+
+ return $driver->redirect();
+ }
+
+ /**
+ * Generate Link Token for Secure Connection
+ */
+ public function getLinkToken(Request $request)
+ {
+ $token = Str::random(40);
+ // Cache user ID for 2 minutes
+ Cache::put("link_token_{$token}", $request->user()->id, 120);
+
+ return response()->json(['token' => $token]);
+ }
+
+ /**
+ * Handle Social Provider Callback
+ */
+ public function socialCallback(Request $request, $provider)
+ {
+ try {
+ $socialUser = Socialite::driver($provider)->stateless()->user();
+ } catch (\Exception $e) {
+ return redirect(config('app.frontend_url') . '/auth/callback?error=' . urlencode($e->getMessage()));
+ }
+
+ $context = session('social_context', 'signin'); // Default to strict signin if session lost
+ // request()->session()->forget('social_context'); // Optional: Clear it, but typical session lifecycle handles this.
+
+ // ---------------------------------------------------------
+ // CASE 1: CONNECT ACCOUNT (User is already logged in)
+ // ---------------------------------------------------------
+ // Explicitly check context or Auth::check()
+ // If context is 'connect', they MUST be logged in.
+ if ($context === 'connect' || Auth::check() || session('social_auth_user_id')) {
+
+ // Debug Logging: Trace why connection flow might be failing
+ \Illuminate\Support\Facades\Log::info('Social Callback Connect Flow:', [
+ 'context' => $context,
+ 'auth_check' => Auth::check(),
+ 'session_user_id' => session('social_auth_user_id'),
+ 'provider' => $provider
+ ]);
+
+ // If strictly unauthenticated but we have a session user ID from the link token
+ if (!Auth::check() && session('social_auth_user_id')) {
+ Auth::loginUsingId(session('social_auth_user_id'));
+ }
+
+ if (!Auth::check()) {
+ return redirect(config('app.frontend_url') . '/signin?error=login_required_to_connect');
+ }
+
+ $currentUser = Auth::user();
+
+ // Check if this social account is already linked to *any* user
+ $existingAccount = \App\Models\SocialAccount::where('provider', $provider)
+ ->where('provider_id', $socialUser->getId())
+ ->first();
+
+ if ($existingAccount) {
+ if ($existingAccount->user_id === $currentUser->id) {
+ return redirect(config('app.frontend_url') . '/dashboard/settings?error=already_connected');
+ } else {
+ return redirect(config('app.frontend_url') . '/dashboard/settings?error=connected_to_other_account');
+ }
+ }
+
+ // Link the account
+ $currentUser->socialAccounts()->create([
+ 'provider' => $provider,
+ 'provider_id' => $socialUser->getId(),
+ 'provider_email' => $socialUser->getEmail(),
+ 'avatar' => $socialUser->getAvatar(),
+ 'token' => $socialUser->token,
+ 'refresh_token' => $socialUser->refreshToken,
+ 'expires_at' => isset($socialUser->expiresIn) ? now()->addSeconds($socialUser->expiresIn) : null,
+ ]);
+
+ return redirect(config('app.frontend_url') . '/dashboard/settings?success=account_connected');
+ }
+
+ // ---------------------------------------------------------
+ // CASE 2: SOCIAL SIGN IN / SIGN UP (Guest)
+ // ---------------------------------------------------------
+
+ // 1. Check if SocialAccount exists (Already Linked)
+ $socialAccount = \App\Models\SocialAccount::where('provider', $provider)
+ ->where('provider_id', $socialUser->getId())
+ ->first();
+
+ if ($socialAccount) {
+ // Account linked -> ALWAYS ALLOW LOGIN
+ // (Even if context=signup, we can just log them in, or strictly say "Already registered")
+ $user = $socialAccount->user;
+
+ // Auto-verify if not verified (Social provider already verified the email)
+ if (!$user->hasVerifiedEmail()) {
+ $user->markEmailAsVerified();
+ }
+
+ Auth::login($user);
+
+ $token = $user->createToken('auth_token')->plainTextToken;
+ $this->recordLoginHistory($request, $user);
+
+ return redirect(config('app.frontend_url') . '/auth/callback?token=' . $token);
+ }
+
+ // 2. Check if User with this email exists (BUT NOT LINKED)
+ $existingUser = User::where('email', $socialUser->getEmail())->first();
+
+ if ($existingUser) {
+ // ERROR: Account exists but not linked
+ return redirect(config('app.frontend_url') . '/auth/callback?error=account_exists_please_login');
+ }
+
+ // 3. HANDLE NEW USERS
+ // STRICT CHECK: If context is 'signin', DO NOT register new user.
+ if ($context === 'signin') {
+ return redirect(config('app.frontend_url') . '/auth/callback?error=account_not_found_please_signup');
+ }
+
+ // 4. REGISTER (Only if context == 'signup')
+ $nameParts = explode(' ', $socialUser->getName() ?? '', 2);
+ $firstName = $nameParts[0];
+ $lastName = $nameParts[1] ?? '';
+
+ $user = User::create([
+ 'first_name' => $firstName,
+ 'last_name' => $lastName,
+ 'email' => $socialUser->getEmail(),
+ 'avatar' => $socialUser->getAvatar(),
+ 'email_verified_at' => now(),
+ // Password is null initially
+ ]);
+
+ $user->socialAccounts()->create([
+ 'provider' => $provider,
+ 'provider_id' => $socialUser->getId(),
+ 'provider_email' => $socialUser->getEmail(),
+ 'avatar' => $socialUser->getAvatar(),
+ 'token' => $socialUser->token,
+ 'refresh_token' => $socialUser->refreshToken,
+ 'expires_at' => isset($socialUser->expiresIn) ? now()->addSeconds($socialUser->expiresIn) : null,
+ ]);
+
+ Auth::login($user);
+ $token = $user->createToken('auth_token')->plainTextToken;
+ $this->recordLoginHistory($request, $user);
+
+ // Redirect to Set Password page
+ return redirect(config('app.frontend_url') . '/auth/callback?token=' . $token . '&action=set_password');
+ }
+
+ /**
+ * Set Password for Social Users
+ */
+ public function setPassword(Request $request)
+ {
+ $validated = $request->validate([
+ 'password' => 'required|string|min:8|confirmed',
+ ]);
+
+ $user = $request->user();
+
+ // Security check: Only allow setting password if it's currently null
+ // or provide a way to override if we want to allow simple password resets from this endpoint (unlikely for security)
+ if ($user->password && !Hash::check('', $user->password)) { // Check if password is not empty string/null effectively
+ // If user already has a password, they should use the update-password endpoint which requires current_password
+ // However, for this specific flow "set password after social login", we can allow it IF implementation allows.
+ // Stricter: Only if password is NULL.
+ }
+
+ if ($user->password !== null && $user->password !== '') {
+ return response()->json(['message' => 'Password already set. Use update password.'], 403);
+ }
+
+ $user->update([
+ 'password' => Hash::make($validated['password']),
+ ]);
+
+ return response()->json([
+ 'message' => 'Password set successfully.',
+ 'user' => $user,
+ ]);
+ }
+
+ /**
+ * Handle Logout Request
+ */
+ public function logout(Request $request)
+ {
+ Auth::guard('web')->logout();
+ $request->session()->invalidate();
+ $request->session()->regenerateToken();
+
+ return response()->noContent();
+ }
+
+ /**
+ * Disconnect Social Account (Revoke Token)
+ */
+ public function disconnectSocial(Request $request, $provider)
+ {
+ $user = $request->user();
+
+ $account = $user->socialAccounts()->where('provider', $provider)->first();
+
+ if (!$account) {
+ return response()->json(['message' => 'Account not linked.'], 404);
+ }
+
+ // 1. Revoke Logic
+ try {
+ if ($provider === 'google' && $account->token) {
+ // Google: Revoke via POST to oauth2.googleapis.com
+ Http::post('https://oauth2.googleapis.com/revoke', [
+ 'token' => $account->token,
+ ]);
+ }
+ elseif ($provider === 'github' && $account->token) {
+ // GitHub: Revoke via Basic Auth with Client ID/Secret
+ // Requires client_id:client_secret base64 encoded
+ $clientId = config('services.github.client_id');
+ $clientSecret = config('services.github.client_secret');
+
+ if ($clientId && $clientSecret) {
+ Http::withBasicAuth($clientId, $clientSecret)
+ ->delete("https://api.github.com/applications/{$clientId}/grant", [
+ 'access_token' => $account->token
+ ]);
+ }
+ }
+ } catch (\Exception $e) {
+ // Log error but proceed to delete local record
+ \Illuminate\Support\Facades\Log::error("Failed to revoke {$provider} token: " . $e->getMessage());
+ }
+
+ // 2. Delete Local Record
+ $account->delete();
+
+ return response()->json(['message' => 'Account disconnected successfully.']);
+ }
+}
diff --git a/app/Http/Controllers/Controller.php b/app/Http/Controllers/Controller.php
new file mode 100644
index 0000000..8677cd5
--- /dev/null
+++ b/app/Http/Controllers/Controller.php
@@ -0,0 +1,8 @@
+user();
+ $menuGroups = [];
+
+ // 1. Admin Management (Admin or Owner)
+ if ($user && $user->isAdminOrOwner()) {
+ $menuGroups[] = [
+ 'title' => 'Admin Management',
+ 'items' => [
+ [
+ 'name' => 'User Management',
+ 'icon' => 'users',
+ 'route' => '/dashboard/admin/users',
+ ],
+ [
+ 'name' => 'Root CA Management',
+ 'icon' => 'certificate',
+ 'route' => '/dashboard/admin/root-ca',
+ ],
+ [
+ 'name' => 'Ticket Management',
+ 'icon' => 'support-ticket',
+ 'route' => '/dashboard/admin/tickets',
+ ],
+ [
+ 'name' => 'Legal Page Management',
+ 'icon' => 'pages',
+ 'route' => '/dashboard/admin/legal',
+ ],
+ [
+ 'name' => 'Inquiries',
+ 'icon' => 'inbox',
+ 'route' => '/dashboard/admin/inquiries',
+ ],
+ [
+ 'name' => 'SMTP Tester',
+ 'icon' => 'smtp',
+ 'route' => '/dashboard/admin/smtp-tester',
+ ],
+ ]
+ ];
+ }
+
+ // 2. Main Menu (Common)
+ $mainItems = [
+ [
+ 'name' => 'Dashboard',
+ 'icon' => 'dashboard',
+ 'route' => '/dashboard',
+ ],
+ [
+ 'name' => 'Certificates',
+ 'icon' => 'certificate',
+ 'route' => '/dashboard/certificates',
+ ],
+ [
+ 'name' => 'API Keys',
+ 'icon' => 'api-key',
+ 'route' => '/dashboard/api-keys',
+ ],
+ [
+ 'name' => 'Support Tickets',
+ 'icon' => 'support-ticket',
+ 'route' => '/dashboard/support', // Assuming support.index maps to /support
+ ],
+ ];
+
+ // "My Services" for Customers ONLY
+ if ($user && $user->role === \App\Models\User::ROLE_CUSTOMER) {
+ // We can insert "My Services" if we want to keep that feature for customers
+ // As per user request "ikuiti app-beta", but we also added "My Services" previously.
+ // Let's keep "My Services" as it's a nice dedicated page for them, inserting it after Dashboard.
+ array_splice($mainItems, 1, 0, [[
+ 'name' => 'My Services',
+ 'icon' => 'layers',
+ 'route' => '/dashboard/services',
+ ]]);
+ }
+
+ $menuGroups[] = [
+ 'title' => 'Menu',
+ 'items' => $mainItems,
+ ];
+
+ // 3. My Account (Common)
+ $menuGroups[] = [
+ 'title' => 'My Account',
+ 'items' => [
+ [
+ 'name' => 'User Profile',
+ 'icon' => 'user-profile',
+ 'route' => '/dashboard/profile',
+ ],
+ [
+ 'name' => 'Account Settings',
+ 'icon' => 'settings',
+ 'route' => '/dashboard/settings',
+ ],
+ ]
+ ];
+
+ return response()->json($menuGroups);
+ }
+
+ public function debug()
+ {
+ // Simulate a User instance for admin view
+ $user = new \App\Models\User(['first_name' => 'Debug', 'last_name' => 'Admin', 'role' => 'admin']);
+
+ // This is a bit of a hack since $user->isAdmin() might be a real method,
+ // but for JSON structure debugging, we'll just replicate the logic or mock it.
+
+ $menuGroups = [];
+
+ // 1. Admin Management (Simulated Admin)
+ $menuGroups[] = [
+ 'title' => 'Admin Management',
+ 'items' => [
+ ['name' => 'User Management', 'icon' => 'users', 'route' => '/admin/users'],
+ ['name' => 'Root CA Management', 'icon' => 'certificate', 'route' => '/admin/root-ca'],
+ ['name' => 'Ticket Management', 'icon' => 'support-ticket', 'route' => '/admin/tickets'],
+ ['name' => 'Legal Page Management', 'icon' => 'pages', 'route' => '/dashboard/admin/legal'],
+ ['name' => 'Inquiries', 'icon' => 'inbox', 'route' => '/dashboard/admin/inquiries'],
+ ['name' => 'SMTP Tester', 'icon' => 'smtp', 'route' => '/dashboard/admin/smtp-tester'],
+ ]
+ ];
+
+ // 2. Main Menu
+ $mainItems = [
+ ['name' => 'Dashboard', 'icon' => 'dashboard', 'route' => '/dashboard'],
+ ['name' => 'Certificates', 'icon' => 'certificate', 'route' => '/dashboard/certificates'],
+ ['name' => 'API Keys', 'icon' => 'api-key', 'route' => '/dashboard/api-keys'],
+ ['name' => 'Support Tickets', 'icon' => 'support-ticket', 'route' => '/dashboard/support'],
+ ];
+
+ $menuGroups[] = [
+ 'title' => 'Menu',
+ 'items' => $mainItems,
+ ];
+
+ // 3. My Account
+ $menuGroups[] = [
+ 'title' => 'My Account',
+ 'items' => [
+ ['name' => 'User Profile', 'icon' => 'user-profile', 'route' => '/dashboard/profile'],
+ ['name' => 'Account Settings', 'icon' => 'settings', 'route' => '/dashboard/settings'],
+ ]
+ ];
+
+ return response()->json($menuGroups);
+ }
+}
diff --git a/app/Http/Controllers/ServiceController.php b/app/Http/Controllers/ServiceController.php
new file mode 100644
index 0000000..f9dbdb9
--- /dev/null
+++ b/app/Http/Controllers/ServiceController.php
@@ -0,0 +1,35 @@
+json([
+ [
+ 'id' => 1,
+ 'name' => 'SSL Certificate - Standard',
+ 'status' => 'Active',
+ 'expiry' => '2026-12-23',
+ 'domain' => 'example.com'
+ ],
+ [
+ 'id' => 2,
+ 'name' => 'Code Signing - Pro',
+ 'status' => 'Pending',
+ 'expiry' => 'N/A',
+ 'domain' => 'N/A'
+ ],
+ [
+ 'id' => 3,
+ 'name' => 'Wildcard SSL',
+ 'status' => 'Expired',
+ 'expiry' => '2025-01-10',
+ 'domain' => '*.web.dev'
+ ]
+ ]);
+ }
+}
diff --git a/app/Http/Controllers/TwoFactorController.php b/app/Http/Controllers/TwoFactorController.php
new file mode 100644
index 0000000..de737a6
--- /dev/null
+++ b/app/Http/Controllers/TwoFactorController.php
@@ -0,0 +1,195 @@
+user();
+
+ if ($user->two_factor_confirmed_at) {
+ return response()->json(['message' => '2FA is already enabled.'], 400);
+ }
+
+ $google2fa = new Google2FA();
+
+ // Generate secret if not exists or if re-enabling
+ $secret = $google2fa->generateSecretKey();
+
+ // Save encrypted secret (or plain if you trust your db, but encrypted is better)
+ // For simplicity with this library, it often expects raw secret.
+ // We will store it encrypted but decrypt it when needed if we were using a trait
+ // But for manual implementation, lets store it temporarily in the session OR save it to DB directly?
+ // Let's save it to DB but encrypt it.
+
+ $user->forceFill([
+ 'two_factor_secret' => encrypt($secret),
+ 'two_factor_recovery_codes' => null, // Reset codes
+ ])->save();
+
+ // Generate QR Code Object
+ $qrCodeUrl = $google2fa->getQRCodeInline(
+ config('app.name'),
+ $user->email,
+ $secret
+ );
+
+ return response()->json([
+ 'secret' => $secret,
+ 'qr_code' => $qrCodeUrl,
+ ]);
+ }
+
+ /**
+ * Confirm 2FA: Verify initial OTP
+ */
+ public function confirm(Request $request)
+ {
+ $request->validate(['code' => 'required|string|size:6']);
+
+ $user = $request->user();
+ $google2fa = new Google2FA();
+
+ try {
+ $secret = decrypt($user->two_factor_secret);
+ } catch (\Exception $e) {
+ return response()->json(['message' => '2FA not initiated.'], 400);
+ }
+
+ $valid = $google2fa->verifyKey($secret, $request->code);
+
+ if (!$valid) {
+ throw ValidationException::withMessages([
+ 'code' => ['Invalid 2FA code.'],
+ ]);
+ }
+
+ // Generate Recovery Codes
+ $recoveryCodes = [];
+ for ($i = 0; $i < 8; $i++) {
+ $recoveryCodes[] = \Illuminate\Support\Str::random(10) . '-' . \Illuminate\Support\Str::random(10);
+ }
+
+ $user->forceFill([
+ 'two_factor_confirmed_at' => now(),
+ 'two_factor_recovery_codes' => encrypt(json_encode($recoveryCodes)),
+ ])->save();
+
+ return response()->json([
+ 'message' => '2FA enabled successfully.',
+ 'recovery_codes' => $recoveryCodes,
+ ]);
+ }
+
+ /**
+ * Disable 2FA
+ */
+ public function disable(Request $request)
+ {
+ $request->validate(['password' => 'required']);
+
+ $user = $request->user();
+
+ if (!Hash::check($request->password, $user->password)) {
+ throw ValidationException::withMessages([
+ 'password' => ['Invalid password.'],
+ ]);
+ }
+
+ $user->forceFill([
+ 'two_factor_secret' => null,
+ 'two_factor_recovery_codes' => null,
+ 'two_factor_confirmed_at' => null,
+ ])->save();
+
+ return response()->json(['message' => '2FA disabled successfully.']);
+ }
+ /**
+ * Verify 2FA during Login Challenge
+ */
+ public function verify(Request $request)
+ {
+ $request->validate(['code' => 'required|string']);
+
+ $user = $request->user();
+
+ // Check 2FA Secret
+ try {
+ $secret = decrypt($user->two_factor_secret);
+ } catch (\Exception $e) {
+ return response()->json(['message' => '2FA configuration error.'], 500);
+ }
+
+ $google2fa = new Google2FA();
+ $valid = $google2fa->verifyKey($secret, $request->code);
+
+ // Check Recovery Code if TOTP failed
+ if (!$valid) {
+ $recoveryCodes = $user->two_factor_recovery_codes ? json_decode(decrypt($user->two_factor_recovery_codes), true) : [];
+
+ if (in_array($request->code, $recoveryCodes)) {
+ $valid = true;
+ // Remove used recovery code
+ $recoveryCodes = array_diff($recoveryCodes, [$request->code]);
+ $user->forceFill([
+ 'two_factor_recovery_codes' => encrypt(json_encode(array_values($recoveryCodes))),
+ ])->save();
+ }
+ }
+
+ if (!$valid) {
+ throw ValidationException::withMessages([
+ 'code' => ['Invalid code provided.'],
+ ]);
+ }
+
+ // Success!
+ // 1. Establish session (for web/inertia/sanctum cookie flows)
+ Auth::guard('web')->login($user, $request->boolean('remember'));
+
+ // 2. Revoke the temp token
+ if ($user->currentAccessToken()) {
+ $user->currentAccessToken()->delete();
+ }
+
+ // 3. Create new full access token
+ $token = $user->createToken('auth_token')->plainTextToken;
+
+ // 4. Record History
+ $this->recordLoginHistory($request, $user);
+
+ return response()->json([
+ 'message' => 'Login successful',
+ 'token' => $token,
+ 'user' => $user
+ ]);
+ }
+
+ /**
+ * Show Recovery Codes
+ */
+ public function recoveryCodes(Request $request)
+ {
+ if (!$request->user()->two_factor_confirmed_at) {
+ return response()->json(['message' => '2FA not enabled.'], 400);
+ }
+
+ $codes = json_decode(decrypt($request->user()->two_factor_recovery_codes), true);
+
+ return response()->json(['recovery_codes' => $codes]);
+ }
+}
diff --git a/app/Http/Middleware/AdminMiddleware.php b/app/Http/Middleware/AdminMiddleware.php
new file mode 100644
index 0000000..fe35337
--- /dev/null
+++ b/app/Http/Middleware/AdminMiddleware.php
@@ -0,0 +1,24 @@
+user() || !$request->user()->isAdminOrOwner()) {
+ return response()->json(['message' => 'Unauthorized. Admin access required.'], 403);
+ }
+
+ return $next($request);
+ }
+}
diff --git a/app/Http/Middleware/CheckApiKey.php b/app/Http/Middleware/CheckApiKey.php
new file mode 100644
index 0000000..b3ec072
--- /dev/null
+++ b/app/Http/Middleware/CheckApiKey.php
@@ -0,0 +1,57 @@
+header('TRUSTLAB_API_KEY');
+ $keyString = $headerValue ? trim($headerValue) : null;
+
+ if (!$keyString) {
+ return response()->json([
+ 'success' => false,
+ 'message' => 'API Key is missing. Please provide it in the TRUSTLAB_API_KEY header.'
+ ], 401);
+ }
+
+ $apiKey = ApiKey::where('key', $keyString)->first();
+
+ if (!$apiKey || !$apiKey->is_active) {
+ return response()->json([
+ 'success' => false,
+ 'message' => 'Invalid or inactive API Key.'
+ ], 401);
+ }
+
+ // Update last used timestamp
+ $apiKey->update(['last_used_at' => now()]);
+
+ // Optional: Dispatch stats update event if needed in the future
+ // \App\Events\DashboardStatsUpdated::dispatch($apiKey->user_id);
+
+ // Put the user in the request context
+ $user = $apiKey->user;
+ $request->merge(['authenticated_user' => $user]);
+ $request->setUserResolver(fn () => $user);
+
+ if ($user) {
+ Auth::setUser($user);
+ }
+
+ return $next($request);
+ }
+}
diff --git a/app/Mail/CertificateExpiredMail.php b/app/Mail/CertificateExpiredMail.php
new file mode 100644
index 0000000..7d7c764
--- /dev/null
+++ b/app/Mail/CertificateExpiredMail.php
@@ -0,0 +1,55 @@
+certificate = $certificate;
+ }
+
+ /**
+ * Get the message envelope.
+ */
+ public function envelope(): Envelope
+ {
+ return new Envelope(
+ subject: 'URGENT: Certificate [' . $this->certificate->common_name . '] Has Expired',
+ );
+ }
+
+ /**
+ * Get the message content definition.
+ */
+ public function content(): Content
+ {
+ return new Content(
+ view: 'emails.certificate-expired',
+ );
+ }
+
+ /**
+ * Get the attachments for the message.
+ *
+ * @return array
+ */
+ public function attachments(): array
+ {
+ return [];
+ }
+}
diff --git a/app/Mail/CertificateExpiringMail.php b/app/Mail/CertificateExpiringMail.php
new file mode 100644
index 0000000..2e458db
--- /dev/null
+++ b/app/Mail/CertificateExpiringMail.php
@@ -0,0 +1,57 @@
+certificate = $certificate;
+ $this->daysRemaining = $daysRemaining;
+ }
+
+ /**
+ * Get the message envelope.
+ */
+ public function envelope(): Envelope
+ {
+ return new Envelope(
+ subject: 'Action Required: Certificate [' . $this->certificate->common_name . '] Expiring in ' . $this->daysRemaining . ' Days',
+ );
+ }
+
+ /**
+ * Get the message content definition.
+ */
+ public function content(): Content
+ {
+ return new Content(
+ view: 'emails.certificate-expiring',
+ );
+ }
+
+ /**
+ * Get the attachments for the message.
+ *
+ * @return array
+ */
+ public function attachments(): array
+ {
+ return [];
+ }
+}
diff --git a/app/Mail/InquiryReplyMail.php b/app/Mail/InquiryReplyMail.php
new file mode 100644
index 0000000..c383002
--- /dev/null
+++ b/app/Mail/InquiryReplyMail.php
@@ -0,0 +1,55 @@
+inquiry = $inquiry;
+ $this->replyMessage = $replyMessage;
+ }
+
+ /**
+ * Get the message envelope.
+ */
+ public function envelope(): Envelope
+ {
+ return new Envelope(
+ subject: 'Re: ' . $this->inquiry->subject,
+ );
+ }
+
+ /**
+ * Get the message content definition.
+ */
+ public function content(): Content
+ {
+ return new Content(
+ view: 'emails.inquiry_reply',
+ );
+ }
+
+ /**
+ * Get the attachments for the message.
+ */
+ public function attachments(): array
+ {
+ return [];
+ }
+}
diff --git a/app/Mail/TestMail.php b/app/Mail/TestMail.php
new file mode 100644
index 0000000..85c8a64
--- /dev/null
+++ b/app/Mail/TestMail.php
@@ -0,0 +1,57 @@
+mailer = $mailer;
+ $this->host = $host;
+ }
+
+ /**
+ * Get the message envelope.
+ */
+ public function envelope(): Envelope
+ {
+ return new Envelope(
+ subject: '[TrustLab] SMTP Connection Test Successful',
+ );
+ }
+
+ /**
+ * Get the message content definition.
+ */
+ public function content(): Content
+ {
+ return new Content(
+ view: 'emails.test',
+ );
+ }
+
+ /**
+ * Get the attachments for the message.
+ *
+ * @return array
+ */
+ public function attachments(): array
+ {
+ return [];
+ }
+}
diff --git a/app/Models/ActivityLog.php b/app/Models/ActivityLog.php
new file mode 100644
index 0000000..6c98cf2
--- /dev/null
+++ b/app/Models/ActivityLog.php
@@ -0,0 +1,36 @@
+id)) {
+ $model->id = UuidHelper::generate();
+ }
+ });
+ }
+
+ public function user()
+ {
+ return $this->belongsTo(User::class);
+ }
+}
diff --git a/app/Models/ApiKey.php b/app/Models/ApiKey.php
new file mode 100644
index 0000000..fccc285
--- /dev/null
+++ b/app/Models/ApiKey.php
@@ -0,0 +1,55 @@
+id)) {
+ $model->id = \App\Helpers\UuidHelper::generate();
+ }
+ });
+ }
+
+ protected $fillable = [
+ 'user_id',
+ 'name',
+ 'key',
+ 'last_used_at',
+ 'is_active',
+ ];
+
+ protected $casts = [
+ 'last_used_at' => 'datetime',
+ 'is_active' => 'boolean',
+ ];
+
+ public function user()
+ {
+ return $this->belongsTo(User::class);
+ }
+
+ /**
+ * Generate a unique API Key.
+ */
+ public static function generate()
+ {
+ do {
+ $key = 'dvp_' . Str::random(56); // Prefix (4) + Random (56) = 60 chars
+ } while (static::where('key', $key)->exists());
+
+ return $key;
+ }
+}
diff --git a/app/Models/CaCertificate.php b/app/Models/CaCertificate.php
new file mode 100644
index 0000000..8c69c01
--- /dev/null
+++ b/app/Models/CaCertificate.php
@@ -0,0 +1,42 @@
+ 'datetime',
+ 'valid_to' => 'datetime',
+ 'last_downloaded_at' => 'datetime',
+ ];
+
+ protected static function booted()
+ {
+ static::creating(function ($model) {
+ if (empty($model->uuid)) {
+ $model->uuid = UuidHelper::generate();
+ }
+ });
+ }
+}
diff --git a/app/Models/Certificate.php b/app/Models/Certificate.php
new file mode 100644
index 0000000..0f2b736
--- /dev/null
+++ b/app/Models/Certificate.php
@@ -0,0 +1,82 @@
+ 'datetime',
+ 'valid_to' => 'datetime',
+ 'expired_notification_sent_at' => 'datetime',
+ ];
+
+ protected $hidden = [
+ 'expired_notification_sent_at',
+ ];
+
+ protected $appends = [
+ 'ssl_status',
+ ];
+
+ protected static function booted()
+ {
+ static::creating(function ($model) {
+ if (empty($model->uuid)) {
+ $model->uuid = UuidHelper::generate();
+ }
+ });
+ }
+
+ public function user()
+ {
+ return $this->belongsTo(User::class);
+ }
+
+ public function getSslStatusAttribute()
+ {
+ if ($this->valid_to && $this->valid_to->isPast()) {
+ return 'EXPIRED';
+ }
+ return 'ACTIVE';
+ }
+
+ public function toArray()
+ {
+ $array = parent::toArray();
+ $ordered = [];
+
+ // Define the preferred order of keys
+ $paramOrder = [
+ 'uuid', 'user_id', 'common_name', 'organization', 'locality',
+ 'state', 'country', 'san', 'status', 'key_bits', 'serial_number',
+ 'ssl_status', // <--- Inserted here (before content)
+ 'cert_content', 'key_content', 'csr_content',
+ 'valid_from', 'valid_to', 'created_at', 'updated_at'
+ ];
+
+ // Reconstruct query based on paramOrder
+ foreach ($paramOrder as $key) {
+ if (array_key_exists($key, $array)) {
+ $ordered[$key] = $array[$key];
+ unset($array[$key]);
+ }
+ }
+
+ // Append any remaining keys (that weren't in our explicit list)
+ return array_merge($ordered, $array);
+ }
+}
diff --git a/app/Models/Inquiry.php b/app/Models/Inquiry.php
new file mode 100644
index 0000000..39f203f
--- /dev/null
+++ b/app/Models/Inquiry.php
@@ -0,0 +1,38 @@
+ 'datetime',
+ ];
+
+ protected static function booted()
+ {
+ static::creating(function ($model) {
+ if (empty($model->{$model->getKeyName()})) {
+ $model->{$model->getKeyName()} = \App\Helpers\UuidHelper::generate();
+ }
+ });
+ }
+}
diff --git a/app/Models/LegalPage.php b/app/Models/LegalPage.php
new file mode 100644
index 0000000..92f723a
--- /dev/null
+++ b/app/Models/LegalPage.php
@@ -0,0 +1,32 @@
+hasMany(LegalPageRevision::class);
+ }
+
+ public function latestRevision()
+ {
+ return $this->hasOne(LegalPageRevision::class)->latestOfMany('created_at');
+ }
+
+ public function currentRevision()
+ {
+ return $this->hasOne(LegalPageRevision::class)->where('is_active', true)->latest();
+ }
+}
diff --git a/app/Models/LegalPageRevision.php b/app/Models/LegalPageRevision.php
new file mode 100644
index 0000000..15de683
--- /dev/null
+++ b/app/Models/LegalPageRevision.php
@@ -0,0 +1,35 @@
+major}.{$this->minor}.{$this->patch}";
+ }
+
+ public function legalPage()
+ {
+ return $this->belongsTo(LegalPage::class);
+ }
+}
diff --git a/app/Models/LoginHistory.php b/app/Models/LoginHistory.php
new file mode 100644
index 0000000..e9856ce
--- /dev/null
+++ b/app/Models/LoginHistory.php
@@ -0,0 +1,41 @@
+id)) {
+ $model->id = \App\Helpers\UuidHelper::generate();
+ }
+ });
+ }
+
+ protected $fillable = [
+ 'user_id',
+ 'ip_address',
+ 'user_agent',
+ 'device_type',
+ 'os',
+ 'browser',
+ 'city',
+ 'country',
+ 'country_code',
+ ];
+
+ public function user()
+ {
+ return $this->belongsTo(User::class);
+ }
+}
diff --git a/app/Models/SocialAccount.php b/app/Models/SocialAccount.php
new file mode 100644
index 0000000..8ec53f8
--- /dev/null
+++ b/app/Models/SocialAccount.php
@@ -0,0 +1,40 @@
+id)) {
+ $model->id = \App\Helpers\UuidHelper::generate();
+ }
+ });
+ }
+ protected $fillable = [
+ 'user_id',
+ 'provider',
+ 'provider_id',
+ 'provider_email',
+ 'avatar',
+ 'token',
+ 'refresh_token',
+ 'expires_at',
+ ];
+
+ protected $casts = [
+ 'expires_at' => 'datetime',
+ ];
+
+ public function user()
+ {
+ return $this->belongsTo(User::class);
+ }
+}
diff --git a/app/Models/Ticket.php b/app/Models/Ticket.php
new file mode 100644
index 0000000..46190e2
--- /dev/null
+++ b/app/Models/Ticket.php
@@ -0,0 +1,45 @@
+belongsTo(User::class);
+ }
+
+ /**
+ * Get the replies for the ticket.
+ */
+ public function replies()
+ {
+ return $this->hasMany(TicketReply::class);
+ }
+
+ /**
+ * Helper to generate a unique ticket number.
+ */
+ public static function generateTicketNumber()
+ {
+ return 'TKT-' . strtoupper(bin2hex(random_bytes(3)));
+ }
+}
diff --git a/app/Models/TicketAttachment.php b/app/Models/TicketAttachment.php
new file mode 100644
index 0000000..c9a36be
--- /dev/null
+++ b/app/Models/TicketAttachment.php
@@ -0,0 +1,25 @@
+belongsTo(TicketReply::class, 'ticket_reply_id');
+ }
+}
diff --git a/app/Models/TicketReply.php b/app/Models/TicketReply.php
new file mode 100644
index 0000000..8b1f93f
--- /dev/null
+++ b/app/Models/TicketReply.php
@@ -0,0 +1,40 @@
+belongsTo(Ticket::class);
+ }
+
+ /**
+ * Get the user that wrote the reply.
+ */
+ public function user()
+ {
+ return $this->belongsTo(User::class);
+ }
+
+ public function attachments()
+ {
+ return $this->hasMany(TicketAttachment::class);
+ }
+}
diff --git a/app/Models/User.php b/app/Models/User.php
new file mode 100644
index 0000000..b77d59c
--- /dev/null
+++ b/app/Models/User.php
@@ -0,0 +1,189 @@
+ */
+ use HasApiTokens, HasFactory, Notifiable;
+
+ public const ROLE_OWNER = 'owner';
+ public const ROLE_ADMIN = 'admin';
+ public const ROLE_CUSTOMER = 'customer';
+
+ /**
+ * The channels the user receives notification broadcasts on.
+ */
+ public function receivesBroadcastNotificationsOn(): string
+ {
+ return 'App.Models.User.' . $this->id;
+ }
+
+ /**
+ * Get the API keys for the user.
+ */
+ public function apiKeys()
+ {
+ return $this->hasMany(ApiKey::class);
+ }
+
+ /**
+ * Get the login history for the user.
+ */
+ public function loginHistories()
+ {
+ return $this->hasMany(LoginHistory::class);
+ }
+
+ /**
+ * Get the tickets for the user.
+ */
+ public function tickets()
+ {
+ return $this->hasMany(Ticket::class);
+ }
+
+ public $incrementing = false;
+ protected $keyType = 'string';
+
+ protected static function booted()
+ {
+ static::creating(function ($model) {
+ if (empty($model->{$model->getKeyName()})) {
+ $model->{$model->getKeyName()} = \App\Helpers\UuidHelper::generate();
+ }
+ });
+ }
+
+ /**
+ * The attributes that are mass assignable.
+ *
+ * @var list
+ */
+ protected $fillable = [
+ 'first_name',
+ 'last_name',
+ 'email',
+ 'pending_email',
+ 'password',
+ 'avatar',
+ 'role',
+ 'phone',
+ 'bio',
+ 'job_title',
+ 'location',
+ 'country',
+ 'city_state',
+ 'postal_code',
+ 'tax_id',
+ 'settings_email_alerts',
+ 'settings_certificate_renewal',
+ 'default_landing_page',
+ 'theme',
+ 'language',
+ 'email_verified_at',
+ ];
+
+ /**
+ * Get the social accounts for the user.
+ */
+ public function socialAccounts()
+ {
+ return $this->hasMany(SocialAccount::class);
+ }
+
+ /**
+ * Check if user is owner.
+ */
+ public function isOwner(): bool
+ {
+ return $this->role === self::ROLE_OWNER;
+ }
+
+ /**
+ * Check if user is admin.
+ */
+ public function isAdmin(): bool
+ {
+ return $this->role === self::ROLE_ADMIN;
+ }
+
+ /**
+ * Check if user is admin or owner.
+ */
+ public function isAdminOrOwner(): bool
+ {
+ return in_array($this->role, [self::ROLE_OWNER, self::ROLE_ADMIN]);
+ }
+
+ /**
+ * Get the avatar URL with cache busting timestamp.
+ */
+ public function getAvatarAttribute($value)
+ {
+ if (!$value) return $value;
+
+ // If it's already a full R2 URL, append timestamp
+ if (str_contains($value, 'cdn.trustlab.dyzulk.com')) {
+ $separator = str_contains($value, '?') ? '&' : '?';
+ return $value . $separator . 't=' . ($this->updated_at ? $this->updated_at->timestamp : time());
+ }
+
+ return $value;
+ }
+
+ /**
+ * The attributes that should be hidden for serialization.
+ *
+ * @var list
+ */
+ protected $hidden = [
+ 'password',
+ 'remember_token',
+ ];
+
+ /**
+ * Get the attributes that should be cast.
+ *
+ * @return array
+ */
+ protected function casts(): array
+ {
+ return [
+ 'email_verified_at' => 'datetime',
+ 'password' => 'hashed',
+ 'settings_email_alerts' => 'boolean',
+ 'settings_certificate_renewal' => 'boolean',
+ ];
+ }
+ /**
+ * Send the email verification notification.
+ *
+ * @return void
+ */
+ public function sendEmailVerificationNotification()
+ {
+ $this->notify(new \App\Notifications\VerifyEmailNotification);
+ }
+
+ /**
+ * Route notifications for the mail channel.
+ *
+ * @param \Illuminate\Notifications\Notification $notification
+ * @return array|string
+ */
+ public function routeNotificationForMail($notification)
+ {
+ if ($notification instanceof \App\Notifications\PendingEmailVerificationNotification) {
+ return $this->pending_email;
+ }
+
+ return $this->email;
+ }
+}
diff --git a/app/Notifications/CertificateExpiringNotification.php b/app/Notifications/CertificateExpiringNotification.php
new file mode 100644
index 0000000..72eb4a8
--- /dev/null
+++ b/app/Notifications/CertificateExpiringNotification.php
@@ -0,0 +1,68 @@
+certificate = $certificate;
+ $this->daysRemaining = $daysRemaining;
+ }
+
+ /**
+ * Get the notification's delivery channels.
+ *
+ * @return array
+ */
+ public function via($notifiable)
+ {
+ $channels = ['database'];
+
+ if ($this->daysRemaining < 7) {
+ $channels[] = 'mail';
+ }
+
+ return $channels;
+ }
+
+ /**
+ * Get the mail representation of the notification.
+ */
+ public function toMail($notifiable)
+ {
+ return (new \App\Mail\CertificateExpiringMail($this->certificate, $this->daysRemaining))
+ ->to($notifiable->email);
+ }
+
+ /**
+ * Get the array representation of the notification.
+ *
+ * @return array
+ */
+ public function toDatabase($notifiable)
+ {
+ return [
+ 'type' => 'certificate_expiring',
+ 'certificate_id' => $this->certificate->id,
+ 'common_name' => $this->certificate->common_name,
+ 'days_remaining' => $this->daysRemaining,
+ 'valid_to' => $this->certificate->valid_to,
+ 'message' => "Certificate '{$this->certificate->common_name}' expires in {$this->daysRemaining} days.",
+ ];
+ }
+}
diff --git a/app/Notifications/CertificateNotification.php b/app/Notifications/CertificateNotification.php
new file mode 100644
index 0000000..921b681
--- /dev/null
+++ b/app/Notifications/CertificateNotification.php
@@ -0,0 +1,76 @@
+certificate = $certificate;
+ $this->action = $action;
+ }
+
+ /**
+ * Get the notification's delivery channels.
+ *
+ * @return array
+ */
+ public function via($notifiable)
+ {
+ return ['database', 'broadcast'];
+ }
+
+
+
+ /**
+ * Get the array representation of the notification.
+ *
+ * @return array
+ */
+ public function toDatabase($notifiable)
+ {
+ $title = $this->action === 'issued' ? 'Certificate Issued' : 'Certificate Revoked';
+ $message = $this->action === 'issued'
+ ? "New certificate for {$this->certificate->common_name} has been issued."
+ : "Certificate for {$this->certificate->common_name} has been revoked.";
+
+ return [
+ 'certificate_id' => $this->certificate->getKey(),
+ 'common_name' => $this->certificate->common_name,
+ 'title' => $title,
+ 'message' => $message,
+ 'type' => get_class($this),
+ 'icon' => $this->action === 'issued' ? 'check-circle' : 'trash-2',
+ 'url' => '/dashboard/certificates',
+ 'sender_name' => null,
+ 'sender_avatar' => null,
+ ];
+ }
+
+ public function toBroadcast($notifiable)
+ {
+ $db = $this->toDatabase($notifiable);
+
+ return new BroadcastMessage([
+ 'title' => $db['title'],
+ 'message' => $db['message'],
+ 'url' => $db['url'],
+ 'type' => get_class($this),
+ 'data' => $db
+ ]);
+ }
+}
diff --git a/app/Notifications/NewInquiryNotification.php b/app/Notifications/NewInquiryNotification.php
new file mode 100644
index 0000000..3348e2f
--- /dev/null
+++ b/app/Notifications/NewInquiryNotification.php
@@ -0,0 +1,82 @@
+inquiry = $inquiry;
+ }
+
+ /**
+ * Get the notification's delivery channels.
+ *
+ * @return array
+ */
+ public function via($notifiable)
+ {
+ return ['database', 'broadcast'];
+ }
+
+
+
+ /**
+ * Get the array representation of the notification.
+ *
+ * @return array
+ */
+ public function toArray($notifiable)
+ {
+ return $this->toDatabase($notifiable);
+ }
+
+ /**
+ * Get the database representation of the notification.
+ */
+ public function toDatabase($notifiable)
+ {
+ return [
+ 'inquiry_id' => $this->inquiry->id,
+ 'name' => $this->inquiry->name,
+ 'email' => $this->inquiry->email,
+ 'subject' => $this->inquiry->subject,
+ 'title' => 'New Inquiry: ' . $this->inquiry->subject,
+ 'message' => 'Received from ' . $this->inquiry->name . ' (' . $this->inquiry->email . ')',
+ 'type' => get_class($this),
+ 'icon' => 'inbox',
+ 'url' => '/dashboard/admin/inquiries',
+ 'sender_name' => $this->inquiry->name,
+ 'sender_avatar' => null,
+ ];
+ }
+
+ /**
+ * Get the broadcastable representation of the notification.
+ */
+ public function toBroadcast($notifiable)
+ {
+ $db = $this->toDatabase($notifiable);
+ return new BroadcastMessage([
+ 'title' => $db['title'],
+ 'message' => $db['message'],
+ 'url' => $db['url'],
+ 'type' => get_class($this),
+ 'data' => $db
+ ]);
+ }
+}
diff --git a/app/Notifications/NewTicketNotification.php b/app/Notifications/NewTicketNotification.php
new file mode 100644
index 0000000..37d00a3
--- /dev/null
+++ b/app/Notifications/NewTicketNotification.php
@@ -0,0 +1,85 @@
+ticket = $ticket;
+ }
+
+ /**
+ * Get the notification's delivery channels.
+ *
+ * @return array
+ */
+ public function via($notifiable)
+ {
+ return ['database', 'broadcast'];
+ }
+
+
+
+ /**
+ * Get the array representation of the notification.
+ *
+ * @return array
+ */
+ public function toArray($notifiable)
+ {
+ return $this->toDatabase($notifiable);
+ }
+
+ /**
+ * Get the database representation of the notification.
+ */
+ public function toDatabase($notifiable)
+ {
+ $user = $this->ticket->user;
+ $userName = $user ? trim($user->first_name . ' ' . $user->last_name) : 'Unknown User';
+ if (empty($userName)) $userName = 'Unknown User';
+
+ return [
+ 'ticket_id' => $this->ticket->id,
+ 'ticket_number' => $this->ticket->ticket_number,
+ 'subject' => $this->ticket->subject,
+ 'title' => 'New Ticket #' . $this->ticket->ticket_number,
+ 'message' => "Subject: {$this->ticket->subject}. From: {$userName}",
+ 'sender_name' => $userName,
+ 'sender_avatar' => $user ? $user->avatar : null,
+ 'type' => get_class($this),
+ 'icon' => 'support-ticket',
+ 'url' => '/dashboard/admin/tickets/view?id=' . $this->ticket->id,
+ ];
+ }
+
+ /**
+ * Get the broadcastable representation of the notification.
+ */
+ public function toBroadcast($notifiable)
+ {
+ $db = $this->toDatabase($notifiable);
+
+ return new BroadcastMessage([
+ 'title' => $db['title'],
+ 'message' => $db['message'],
+ 'url' => $db['url'],
+ 'type' => get_class($this),
+ 'data' => $db
+ ]);
+ }
+}
diff --git a/app/Notifications/PendingEmailVerificationNotification.php b/app/Notifications/PendingEmailVerificationNotification.php
new file mode 100644
index 0000000..4a307f4
--- /dev/null
+++ b/app/Notifications/PendingEmailVerificationNotification.php
@@ -0,0 +1,50 @@
+verificationUrl($notifiable);
+
+ return (new MailMessage)
+ ->subject(Lang::get('Verify Your New Email Address'))
+ ->view('emails.verify-email', [
+ 'name' => $notifiable->first_name . ' ' . $notifiable->last_name,
+ 'url' => $verificationUrl,
+ ]);
+ }
+
+ /**
+ * Get the verification URL for the given notifiable.
+ *
+ * @param mixed $notifiable
+ * @return string
+ */
+ protected function verificationUrl($notifiable)
+ {
+ return parent::verificationUrl($notifiable);
+ }
+
+ /**
+ * Set the recipient to the pending email.
+ *
+ * @param mixed $notifiable
+ * @return array
+ */
+ public function via($notifiable): array
+ {
+ return ['mail'];
+ }
+}
diff --git a/app/Notifications/TicketReplyNotification.php b/app/Notifications/TicketReplyNotification.php
new file mode 100644
index 0000000..501d2bd
--- /dev/null
+++ b/app/Notifications/TicketReplyNotification.php
@@ -0,0 +1,96 @@
+ticket = $ticket;
+ $this->reply = $reply;
+ $this->byAdmin = $byAdmin;
+ }
+
+ /**
+ * Get the notification's delivery channels.
+ *
+ * @return array
+ */
+ public function via($notifiable)
+ {
+ return ['database', 'broadcast'];
+ }
+
+
+
+ /**
+ * Get the array representation of the notification.
+ *
+ * @return array
+ */
+ public function toArray($notifiable)
+ {
+ return $this->toDatabase($notifiable);
+ }
+
+ /**
+ * Get the database representation of the notification.
+ */
+ public function toDatabase($notifiable)
+ {
+ $sender = $this->reply->user;
+ $senderName = $sender ? trim($sender->first_name . ' ' . $sender->last_name) : 'Support Team';
+ if (empty($senderName)) $senderName = 'Support Team';
+
+ // URL determines based on recipient role
+ $url = ($notifiable->role === 'admin')
+ ? '/dashboard/admin/tickets/view?id=' . $this->ticket->id
+ : '/dashboard/support/view?id=' . $this->ticket->id;
+
+ return [
+ 'ticket_id' => $this->ticket->id,
+ 'reply_id' => $this->reply->id,
+ 'ticket_number' => $this->ticket->ticket_number,
+ 'title' => 'Reply to Ticket #' . $this->ticket->ticket_number,
+ 'message' => $this->byAdmin
+ ? 'Support replied: ' . $this->ticket->subject
+ : $senderName . ' replied: ' . $this->ticket->ticket_number,
+ 'sender_name' => $senderName,
+ 'sender_avatar' => $sender ? $sender->avatar : null,
+ 'type' => get_class($this),
+ 'icon' => 'support-ticket',
+ 'url' => $url,
+ ];
+ }
+
+ /**
+ * Get the broadcastable representation of the notification.
+ */
+ public function toBroadcast($notifiable)
+ {
+ $db = $this->toDatabase($notifiable);
+
+ return new BroadcastMessage([
+ 'title' => $db['title'],
+ 'message' => $db['message'],
+ 'url' => $db['url'],
+ 'type' => get_class($this),
+ 'data' => $db
+ ]);
+ }
+}
diff --git a/app/Notifications/VerifyEmailNotification.php b/app/Notifications/VerifyEmailNotification.php
new file mode 100644
index 0000000..7e12008
--- /dev/null
+++ b/app/Notifications/VerifyEmailNotification.php
@@ -0,0 +1,28 @@
+verificationUrl($notifiable);
+
+ return (new MailMessage)
+ ->subject(Lang::get('Verify Email Address'))
+ ->view('emails.verify-email', [
+ 'name' => $notifiable->first_name . ' ' . $notifiable->last_name,
+ 'url' => $verificationUrl,
+ ]);
+ }
+}
diff --git a/app/Providers/AppServiceProvider.php b/app/Providers/AppServiceProvider.php
new file mode 100644
index 0000000..452e6b6
--- /dev/null
+++ b/app/Providers/AppServiceProvider.php
@@ -0,0 +1,24 @@
+ 0) {
+ return false;
+ }
+
+ $rootConfig = Config::get('openssl.ca_root');
+ $int4096Config = Config::get('openssl.ca_4096');
+ $int2048Config = Config::get('openssl.ca_2048');
+
+ // Create a basic temporary openssl config for CA extensions
+ $configContent = "[req]\ndistinguished_name = req\n[v3_ca]\nsubjectKeyIdentifier = hash\nauthorityKeyIdentifier = keyid:always,issuer\nbasicConstraints = critical, CA:true\nkeyUsage = critical, digitalSignature, cRLSign, keyCertSign";
+ $configFile = tempnam(sys_get_temp_dir(), 'ca_conf_');
+ file_put_contents($configFile, $configContent);
+
+ try {
+ // Root CA (4096-bit)
+ $rootKey = openssl_pkey_new([
+ 'private_key_bits' => 4096,
+ 'private_key_type' => OPENSSL_KEYTYPE_RSA,
+ 'config' => $configFile
+ ]);
+ if (!$rootKey) throw new \Exception('Failed to generate Root Key: ' . openssl_error_string());
+
+ $rootCsr = openssl_csr_new($rootConfig, $rootKey, ['digest_alg' => 'sha256', 'config' => $configFile]);
+ if (!$rootCsr) throw new \Exception('Failed to generate Root CSR: ' . openssl_error_string());
+
+ // Generate a random serial
+ $serial = $this->generateSerialNumber();
+
+ $rootCert = openssl_csr_sign($rootCsr, null, $rootKey, 10950, [
+ 'digest_alg' => 'sha256',
+ 'x509_extensions' => 'v3_ca',
+ 'config' => $configFile,
+ ], $serial);
+ if (!$rootCert) throw new \Exception('Failed to sign Root Cert: ' . openssl_error_string());
+
+ if (!openssl_x509_export($rootCert, $rootCertPem)) throw new \Exception('Failed to export Root Cert');
+ if (!openssl_pkey_export($rootKey, $rootKeyPem, null, ['config' => $configFile])) throw new \Exception('Failed to export Root Key');
+
+ $rootDetails = openssl_x509_parse($rootCertPem);
+
+ // Prefer serialNumberHex if available (PHP 8.0+)
+ $serialHex = isset($rootDetails['serialNumberHex'])
+ ? $this->formatHex($rootDetails['serialNumberHex'])
+ : $this->formatSerialToHex($rootDetails['serialNumber']);
+
+ CaCertificate::create([
+ 'ca_type' => 'root',
+ 'cert_content' => $rootCertPem,
+ 'key_content' => $rootKeyPem,
+ 'serial_number' => $serialHex,
+ 'common_name' => $rootDetails['subject']['CN'] ?? 'Root CA',
+ 'organization' => $rootDetails['subject']['O'] ?? null,
+ 'valid_from' => date('Y-m-d H:i:s', $rootDetails['validFrom_time_t']),
+ 'valid_to' => date('Y-m-d H:i:s', $rootDetails['validTo_time_t']),
+ ]);
+
+ // Intermediate CA 4096-bit
+ $int4096Key = openssl_pkey_new([
+ 'private_key_bits' => 4096,
+ 'private_key_type' => OPENSSL_KEYTYPE_RSA,
+ 'config' => $configFile
+ ]);
+ if (!$int4096Key) throw new \Exception('Failed to generate Int-4096 Key: ' . openssl_error_string());
+
+ $int4096Csr = openssl_csr_new($int4096Config, $int4096Key, ['digest_alg' => 'sha256', 'config' => $configFile]);
+ if (!$int4096Csr) throw new \Exception('Failed to generate Int-4096 CSR: ' . openssl_error_string());
+
+ $int4096Cert = openssl_csr_sign($int4096Csr, $rootCert, $rootKey, 10950, [
+ 'digest_alg' => 'sha256',
+ 'x509_extensions' => 'v3_ca',
+ 'config' => $configFile,
+ ], $this->generateSerialNumber());
+ if (!$int4096Cert) throw new \Exception('Failed to sign Int-4096 Cert: ' . openssl_error_string());
+
+ if (!openssl_x509_export($int4096Cert, $int4096CertPem)) throw new \Exception('Failed to export Int-4096 Cert');
+ if (!openssl_pkey_export($int4096Key, $int4096KeyPem, null, ['config' => $configFile])) throw new \Exception('Failed to export Int-4096 Key');
+
+ $int4096Details = openssl_x509_parse($int4096CertPem);
+ $serialHex4096 = isset($int4096Details['serialNumberHex'])
+ ? $this->formatHex($int4096Details['serialNumberHex'])
+ : $this->formatSerialToHex($int4096Details['serialNumber']);
+
+ CaCertificate::create([
+ 'ca_type' => 'intermediate_4096',
+ 'cert_content' => $int4096CertPem,
+ 'key_content' => $int4096KeyPem,
+ 'serial_number' => $serialHex4096,
+ 'common_name' => $int4096Details['subject']['CN'] ?? 'Intermediate CA 4096',
+ 'organization' => $int4096Details['subject']['O'] ?? null,
+ 'valid_from' => date('Y-m-d H:i:s', $int4096Details['validFrom_time_t']),
+ 'valid_to' => date('Y-m-d H:i:s', $int4096Details['validTo_time_t']),
+ ]);
+
+ // Intermediate CA 2048-bit
+ $int2048Key = openssl_pkey_new([
+ 'private_key_bits' => 2048,
+ 'private_key_type' => OPENSSL_KEYTYPE_RSA,
+ 'config' => $configFile
+ ]);
+ if (!$int2048Key) throw new \Exception('Failed to generate Int-2048 Key: ' . openssl_error_string());
+
+ $int2048Csr = openssl_csr_new($int2048Config, $int2048Key, ['digest_alg' => 'sha256', 'config' => $configFile]);
+ if (!$int2048Csr) throw new \Exception('Failed to generate Int-2048 CSR: ' . openssl_error_string());
+
+ $int2048Cert = openssl_csr_sign($int2048Csr, $rootCert, $rootKey, 10950, [
+ 'digest_alg' => 'sha256',
+ 'x509_extensions' => 'v3_ca',
+ 'config' => $configFile,
+ ], $this->generateSerialNumber());
+ if (!$int2048Cert) throw new \Exception('Failed to sign Int-2048 Cert: ' . openssl_error_string());
+
+ if (!openssl_x509_export($int2048Cert, $int2048CertPem)) throw new \Exception('Failed to export Int-2048 Cert');
+ if (!openssl_pkey_export($int2048Key, $int2048KeyPem, null, ['config' => $configFile])) throw new \Exception('Failed to export Int-2048 Key');
+
+ $int2048Details = openssl_x509_parse($int2048CertPem);
+ $serialHex2048 = isset($int2048Details['serialNumberHex'])
+ ? $this->formatHex($int2048Details['serialNumberHex'])
+ : $this->formatSerialToHex($int2048Details['serialNumber']);
+
+ CaCertificate::create([
+ 'ca_type' => 'intermediate_2048',
+ 'cert_content' => $int2048CertPem,
+ 'key_content' => $int2048KeyPem,
+ 'serial_number' => $serialHex2048,
+ 'common_name' => $int2048Details['subject']['CN'] ?? 'Intermediate CA 2048',
+ 'organization' => $int2048Details['subject']['O'] ?? null,
+ 'valid_from' => date('Y-m-d H:i:s', $int2048Details['validFrom_time_t']),
+ 'valid_to' => date('Y-m-d H:i:s', $int2048Details['validTo_time_t']),
+ ]);
+
+ return true;
+ } finally {
+ if (file_exists($configFile)) unlink($configFile);
+ }
+ }
+
+ /**
+ * Generate a domain certificate (Leaf).
+ */
+ public function generateLeaf($data)
+ {
+ $keyBits = $data['key_bits'] ?? 2048;
+ $issuerType = (int)$keyBits === 4096 ? 'intermediate_4096' : 'intermediate_2048';
+
+ $intermediate = CaCertificate::where('ca_type', $issuerType)->first();
+ if (!$intermediate) {
+ throw new \Exception("Intermediate CA ({$issuerType}) not found. Please setup CA first.");
+ }
+
+ $dn = [
+ "countryName" => $data['country'],
+ "stateOrProvinceName" => $data['state'],
+ "localityName" => $data['locality'],
+ "organizationName" => $data['organization'],
+ "commonName" => $data['common_name']
+ ];
+
+ $cn = $data['common_name'];
+ $userSan = $data['san'] ?? '';
+
+ // Parse user input: split by comma, trim, filter empty
+ $entries = array_filter(array_map('trim', explode(',', $userSan)));
+
+ // Always include CN as the first DNS entry
+ array_unshift($entries, $cn);
+
+ $sanArray = array_unique(array_map(function($entry) {
+ if (str_starts_with($entry, 'IP:') || str_starts_with($entry, 'DNS:')) {
+ return $entry;
+ }
+ return filter_var($entry, FILTER_VALIDATE_IP) ? "IP:$entry" : "DNS:$entry";
+ }, $entries));
+
+ $sanString = implode(', ', $sanArray);
+
+ $configFile = null;
+ try {
+ $configContent = "[req]\ndistinguished_name = req\nreq_extensions = v3_req\nprompt = no\n[req_distinguished_name]\nCN = $cn\n[v3_req]\nsubjectAltName = $sanString";
+ $configFile = tempnam(sys_get_temp_dir(), 'openssl_');
+ file_put_contents($configFile, $configContent);
+
+ $keyBits = $data['key_bits'] ?? 2048;
+ $privKey = openssl_pkey_new([
+ 'private_key_bits' => (int)$keyBits,
+ 'private_key_type' => OPENSSL_KEYTYPE_RSA,
+ 'config' => $configFile
+ ]);
+ if (!$privKey) throw new \Exception('Failed to generate Private Key: ' . openssl_error_string());
+
+ \Log::debug("Generating Leaf with SAN: " . $sanString);
+
+ $csr = openssl_csr_new($dn, $privKey, [
+ 'digest_alg' => 'sha256',
+ 'req_extensions' => 'v3_req',
+ 'config' => $configFile
+ ]);
+ if (!$csr) {
+ $err = openssl_error_string();
+ \Log::error("CSR Creation Failed: " . $err);
+ throw new \Exception('Failed to generate CSR: ' . $err);
+ }
+
+ $serial = $this->generateSerialNumber();
+ \Log::debug("Signing CSR with serial: " . $serial);
+
+ $days = 365;
+ if (!empty($data['is_test_short_lived'])) {
+ $days = 1; // Minimum allowed by OpenSSL, will override DB record later
+ }
+
+ $cert = openssl_csr_sign($csr, $intermediate->cert_content, $intermediate->key_content, $days, [
+ 'digest_alg' => 'sha256',
+ 'x509_extensions' => 'v3_req',
+ 'config' => $configFile,
+ ], $serial);
+
+ if (!$cert) {
+ $err = openssl_error_string();
+ \Log::error("Certificate Signing Failed: " . $err);
+ throw new \Exception('Failed to sign Certificate: ' . $err);
+ }
+
+ // Verification: check if serial was actually applied
+ $certInfo = openssl_x509_parse($cert);
+ $actualSerialHex = isset($certInfo['serialNumberHex'])
+ ? $this->formatHex($certInfo['serialNumberHex'])
+ : $this->formatSerialToHex($certInfo['serialNumber']);
+
+ \Log::debug("Certificate signed. Embedded Serial: " . $actualSerialHex);
+
+ if (!openssl_x509_export($cert, $certPem)) throw new \Exception('Failed to export Certificate');
+ if (!openssl_pkey_export($privKey, $keyPem, null, ['config' => $configFile])) throw new \Exception('Failed to export Private Key');
+ if (!openssl_csr_export($csr, $csrPem)) throw new \Exception('Failed to export CSR');
+
+ $validTo = isset($certInfo['validTo_time_t']) ? date('Y-m-d H:i:s', $certInfo['validTo_time_t']) : null;
+
+ // Override for testing: 30 seconds expiration
+ if (!empty($data['is_test_short_lived'])) {
+ $validTo = date('Y-m-d H:i:s', time() + 30);
+ }
+
+ return [
+ 'cert' => $certPem,
+ 'key' => $keyPem,
+ 'csr' => $csrPem,
+ 'serial' => $actualSerialHex,
+ 'valid_from' => isset($certInfo['validFrom_time_t']) ? date('Y-m-d H:i:s', $certInfo['validFrom_time_t']) : null,
+ 'valid_to' => $validTo,
+ ];
+ } finally {
+ if ($configFile && file_exists($configFile)) {
+ unlink($configFile);
+ }
+ }
+ }
+
+ /**
+ * Generate a unique serial number.
+ */
+ protected function generateSerialNumber(): int
+ {
+ try {
+ return random_int(1, PHP_INT_MAX);
+ } catch (\Exception $e) {
+ return time();
+ }
+ }
+
+ /**
+ * Format a hex string (from serialNumberHex).
+ */
+ public function formatHex($hex)
+ {
+ $hex = strtoupper($hex);
+ return implode(':', str_split($hex, 2));
+ }
+
+ /**
+ * Fallback format a decimal serial number to hex string.
+ */
+ public function formatSerialToHex($decimal)
+ {
+ $cleaned = preg_replace('/[^0-9]/', '', (string)$decimal);
+ if ($cleaned === '') $cleaned = '0';
+
+ if (function_exists('bcdiv')) {
+ $hex = '';
+ $value = $cleaned;
+ if (!preg_match('/^\d+$/', $value)) $value = '0';
+
+ while (bccomp($value, '0') > 0) {
+ $mod = bcmod($value, '16');
+ $hex = dechex((int)$mod) . $hex;
+ $value = bcdiv($value, '16', 0);
+ }
+ $hex = $hex ?: '0';
+ } else {
+ $hex = dechex((int)$cleaned);
+ }
+
+ if (strlen($hex) % 2 !== 0) $hex = '0' . $hex;
+ return strtoupper(implode(':', str_split($hex, 2)));
+ }
+
+ /**
+ * Renew (re-sign) an existing CA certificate using its existing private key.
+ */
+ public function renewCaCertificate(CaCertificate $cert, int $days)
+ {
+ $configFile = null;
+ try {
+ // 1. Prepare Config
+ $configContent = "[req]\ndistinguished_name = req\n[v3_ca]\nsubjectKeyIdentifier = hash\nauthorityKeyIdentifier = keyid:always,issuer\nbasicConstraints = critical, CA:true\nkeyUsage = critical, digitalSignature, cRLSign, keyCertSign";
+ $configFile = tempnam(sys_get_temp_dir(), 'renew_ca_');
+ file_put_contents($configFile, $configContent);
+
+ // 2. Get Private Key
+ $privKey = openssl_pkey_get_private($cert->key_content);
+ if (!$privKey) throw new \Exception('Failed to load Private Key');
+
+ // 3. Get Subject DN from existing Cert
+ $certInfo = openssl_x509_parse($cert->cert_content);
+ $dn = $certInfo['subject'];
+
+ $dnMap = [
+ 'CN' => 'commonName',
+ 'O' => 'organizationName',
+ 'OU' => 'organizationalUnitName',
+ 'C' => 'countryName',
+ 'ST' => 'stateOrProvinceName',
+ 'L' => 'localityName',
+ 'emailAddress' => 'emailAddress'
+ ];
+
+ $newDn = [];
+ foreach ($dn as $key => $value) {
+ if (isset($dnMap[$key])) {
+ $newDn[$dnMap[$key]] = $value;
+ }
+ }
+
+ // 4. Generate New CSR
+ $csr = openssl_csr_new($newDn, $privKey, ['digest_alg' => 'sha256', 'config' => $configFile]);
+ if (!$csr) throw new \Exception('Failed to generate Renewal CSR: ' . openssl_error_string());
+
+ // 5. Determine Signer (Issuer)
+ $issuerCert = null;
+ $issuerKey = null;
+
+ if ($cert->ca_type === 'root') {
+ // Root signs itself
+ $issuerCert = null;
+ $issuerKey = $privKey;
+ } else {
+ // Intermediate is signed by Root
+ $root = CaCertificate::where('ca_type', 'root')->first();
+ if (!$root) throw new \Exception('Root CA not found for signing intermediate renewal.');
+ $issuerCert = $root->cert_content;
+ $issuerKey = openssl_pkey_get_private($root->key_content);
+ }
+
+ // 6. Sign CSR
+ $serial = $this->generateSerialNumber();
+ $newCert = openssl_csr_sign($csr, $issuerCert, $issuerKey, $days, [
+ 'digest_alg' => 'sha256',
+ 'x509_extensions' => 'v3_ca',
+ 'config' => $configFile,
+ ], $serial);
+
+ if (!$newCert) throw new \Exception('Failed to sign Renewal Cert: ' . openssl_error_string());
+
+ // 7. Export
+ if (!openssl_x509_export($newCert, $newCertPem)) throw new \Exception('Failed to export Renewal Cert');
+
+ // 8. Parse new details
+ $newInfo = openssl_x509_parse($newCertPem);
+ $newSerialHex = isset($newInfo['serialNumberHex'])
+ ? $this->formatHex($newInfo['serialNumberHex'])
+ : $this->formatSerialToHex($newInfo['serialNumber']);
+
+ return [
+ 'cert_content' => $newCertPem,
+ 'serial_number' => $newSerialHex,
+ 'valid_from' => date('Y-m-d H:i:s', $newInfo['validFrom_time_t']),
+ 'valid_to' => date('Y-m-d H:i:s', $newInfo['validTo_time_t']),
+ ];
+
+ } finally {
+ if ($configFile && file_exists($configFile)) unlink($configFile);
+ }
+ }
+}
diff --git a/app/Traits/CanTrackLogin.php b/app/Traits/CanTrackLogin.php
new file mode 100644
index 0000000..eff328b
--- /dev/null
+++ b/app/Traits/CanTrackLogin.php
@@ -0,0 +1,118 @@
+header('User-Agent');
+ $ip = $request->ip();
+
+ // For local development testing (if IP is local, use a real one for fallback)
+ $lookupIp = ($ip === '127.0.0.1' || $ip === '::1') ? '8.8.8.8' : $ip;
+ $location = $this->getLocationFromIp($lookupIp);
+
+ $info = $this->parseUserAgent($userAgent);
+
+ LoginHistory::create([
+ 'user_id' => $user->id,
+ 'ip_address' => $ip,
+ 'user_agent' => $userAgent,
+ 'device_type' => $info['device'],
+ 'os' => $info['os'],
+ 'browser' => $info['browser'],
+ 'city' => $location['city'],
+ 'country' => $location['country'],
+ 'country_code' => $location['country_code'],
+ ]);
+ }
+
+ /**
+ * Get Location from IP
+ */
+ protected function getLocationFromIp($ip)
+ {
+ try {
+ $response = Http::get("http://ip-api.com/json/{$ip}")->json();
+
+ if ($response && $response['status'] === 'success') {
+ return [
+ 'city' => $response['city'] ?? 'Unknown City',
+ 'country' => $response['country'] ?? 'Unknown Country',
+ 'country_code' => $response['countryCode'] ?? 'UN',
+ ];
+ }
+ } catch (\Exception $e) {
+ // Fallback silently
+ }
+
+ return [
+ 'city' => 'Unknown City',
+ 'country' => 'Unknown Country',
+ 'country_code' => 'UN',
+ ];
+ }
+
+ /**
+ * Helper to parse User Agent
+ */
+ protected function parseUserAgent($agent)
+ {
+ $os = 'Unknown OS';
+ $browser = 'Unknown Browser';
+ $device = 'Desktop';
+
+ // OS Parsing
+ if (preg_match('/iphone|ipad|ipod/i', $agent)) {
+ $os = 'iOS';
+ $device = 'iOS';
+ } elseif (preg_match('/android/i', $agent)) {
+ $os = 'Android';
+ $device = 'Android';
+ } elseif (preg_match('/windows/i', $agent)) {
+ $os = 'Windows';
+ $device = 'Windows';
+ } elseif (preg_match('/macintosh|mac os x/i', $agent)) {
+ $os = 'Mac';
+ $device = 'Mac';
+ } elseif (preg_match('/linux/i', $agent)) {
+ $os = 'Linux';
+ $device = 'Linux';
+ }
+
+ // Browser Parsing
+ if (preg_match('/msie/i', $agent) && !preg_match('/opera/i', $agent)) {
+ $browser = 'Internet Explorer';
+ } elseif (preg_match('/firefox/i', $agent)) {
+ $browser = 'Firefox';
+ } elseif (preg_match('/chrome/i', $agent)) {
+ $browser = 'Chrome';
+ } elseif (preg_match('/safari/i', $agent)) {
+ $browser = 'Safari';
+ } elseif (preg_match('/opera/i', $agent)) {
+ $browser = 'Opera';
+ } elseif (preg_match('/netscape/i', $agent)) {
+ $browser = 'Netscape';
+ }
+
+ // More specific
+ if ($os === 'iOS' && $browser === 'Safari') $browser = 'iOS Safari';
+ if ($os === 'iOS' && $browser === 'Chrome') $browser = 'iOS Chrome';
+ if ($os === 'Android' && $browser === 'Chrome') $browser = 'Android Chrome';
+ if ($os === 'Android' && $browser === 'Firefox') $browser = 'Android Firefox';
+
+ return [
+ 'os' => $os,
+ 'browser' => $browser,
+ 'device' => $device
+ ];
+ }
+}
diff --git a/app/Traits/LogsActivity.php b/app/Traits/LogsActivity.php
new file mode 100644
index 0000000..aa0b9b9
--- /dev/null
+++ b/app/Traits/LogsActivity.php
@@ -0,0 +1,23 @@
+ auth()->id(),
+ 'action' => $action,
+ 'description' => $description,
+ 'ip_address' => Request::ip(),
+ 'user_agent' => Request::userAgent(),
+ ]);
+ }
+}
diff --git a/artisan b/artisan
new file mode 100644
index 0000000..c35e31d
--- /dev/null
+++ b/artisan
@@ -0,0 +1,18 @@
+#!/usr/bin/env php
+handleCommand(new ArgvInput);
+
+exit($status);
diff --git a/banner.png b/banner.png
new file mode 100644
index 0000000000000000000000000000000000000000..85b197adf02491c33851fe579e05e6ad8e328926
GIT binary patch
literal 166542
zcmaI8by$;c_%=Qor4d286p=={JCsrZX%ImH0qGntNpHLVJa404=xUJNWw;9hfyka|s=fk&2o*sfyl`Sd
z;L4>AIuG~@$K#cTGN@{pX&ZQfZ>OZA1OnA0kla`k0I%=3YMOX}K;&JwPn>$-vigZ_y`n;eD3EQ9{v2!6gguzJ*U;+q9&v7sEqJWzGJV@s{qcL<+>~E8HP6
zE8Ij%nr*v}poBp-On)FYPW{lRHv%d89zkKzhmX3!7qZDvhNw!lx(^6-3(
zS{WIC^)Dl1O)v0u-h@Jfd1#OY`bz1-7zXdqT0`eXjp(TV9{uJ%U{xzyGfgW+)&KV}
z*lq+V|G$^2hLI#}|DTrzUjP4ZzZ7UaQf|E*a_Rj963_-JERfuB=~NXa@`K(yAc0dJ~tJir_m&fTFcONea#6R`tI(7FE*R
zdUG;(#X%O>cDo7_Uq|q}@Cs7iuI-mbH}v#~)C3LbRa91rFM$8|LklJsSw`t*dqotv
zL|NVx{aEuDx60J}-?4L~`!<4}S|1177k>Apdzx-+W+r{l&hqgRob-PugNl9?w?Di~
zB}|Fykoi2nd8=V~OQ|P6$5AHXPvP>HKT8b%eN-OX7;JZ~Ybh-1`6pmaabBVYA(OCA
zlcmiUW?s%@|9#lYnk|Z%47q-0w5+LIR6mJ8ur~KiA-%yQ%&rVVQf}t858Ihb|IpQ@
zayxVb|0}$Mn-*E)Myse+N>gdN&sWN2;x`2Jwv!D$WiBzAuNMXBCfmGHqQK#|lk-`V
zk}_JADn6WwJd!=UlTsNMU&&vO_cKR#1+j335?8VkSC*1=7H;>4OPR@aFmmB0F+oMhz^v(6fzVB9UdXNX~^j^W69&YrBxnK8hYF{J$WJ^Kc^I!P#qokp1(_`{?w
zNv-sdK}|YMnI}zEI%Pt_LdmHWB4M&6B=D%=E)-GICizw(zU1jPonlqng{h~HkK-TE
z%1EwC<9_|T=sRE#{s9hSG3t(^;(m8bxrWqLY#w*6K1jSqs5{@7ZIfKix1KB@5j}G#
zZLa8!ko>Lv*)W?vOI04JytrzH$p$ssqGn*=;9VZ7{|26f+2S$V-c4UkiY3Jvq_Z6{<6VXVYad&ckByEd__f`G)0~yRq>3`?$^z(lCi$d{A|RU@p0@~
z&$m^~qgC^xCMQ67QQceIPt(}o83SN%B}L~&KJAQa`QJKi=2lub6CP&?lE1EH9xyMJ
zSHD^XbC=2Q5G4A*t{3e;d>ET3CnF_YAyPnvoXDlRJ9HZVT8sNGj`+Jk5;7VS@-pqr
zE_5{KuKK&n?$*Y%TJg8%%?(@6c|XZAUJ>cYUTrFR${i^}$kjb=g|d&YB)jDdgrL7?F8_X`K*3%}f6OlDG%WKy!w=lrmpm&?a0tS}=8-ji^5O#IxPZ}AMQ
zosIE-r?4Ty!&%1iI)+uK1jt1?#N&3($||R#+YH$|8V3n#+q(;prs;%MFLySr@4!H24ei-|J9>otzg(S#}?ILg_gCZx$-|
zO6A4n+)gaz%e(qUF&u24-7Cc{$AhZuZ%A~|e`oF38Oj+GC`9E``|rqG{g-GzR~A)~
zAEz_eQs1!+Y^6{WPf_JcQfw_E6!S_s$u{J*G>Um48Jm>b@x?ryCwbtFtvzL~>x1Lw
zAAF$?_=5gDmuaq6nx$wD=GEs?0bjFSBOEnb
z0i6>O&QSArA_cD0k;Pr@D8@`ranRhg@wD$h)){W2RHMpQQ6c{1j%0emd)kwb-aPxg
zX-j0zzsy*KE)ckpTK0Z$Rt%e}UnA(1*H%j|Y(i>CoU->)U6
zj_IL_RuvYPt*GWnt68;HzK6xv
z18`pSC)jbxj+prN0XkQzixXQxIw&H!ka?Udm7$91Qn_kwdY2y5_^z8yl_&C#|B~U9
z{Vm`qnbVZuCi?XZ`*FiUQ#>t{O*4?lM3PCp6-sWy+4V^7R7HJj;;^j9_{MQrXv*X&~sj=X4Ih6GOPxNrad
zQnWcejn))p*ka7@b9794K>uVwPT}r=?NiOz*srKp##1q@!NJe;1*XDZoF`sX{?6%8
zqvRkH2sR+YP>Uq{s7Gu#k)o#&!h^JWJ->SN*@@e~#uM_HEj*E<^(vbaksj9p*ga+Gk=Y7Z`f_onKf~gVqr%*89#kf%MRKG16{>I!3F@3VwGm=;T!H+}9!smLDhJ
zlC?K$KN*ByQW{Qq)Vr&jlJV>|DFON5pCK@$Sg$h-mSwC&wma
z7u_EaKt|q<85EEbk1%$QhNllOAF*I1kUq6+KkBWsrN5ME0u^WSEzzf>5fIN2p?j=LzM8R&mBFmbF{Yrv
ztaEYmLD!k?)fB?1WiRSDd9eLfCAcXrUhCp@4Gq?RzLKvC`#mS((mQDXH?Z%QV7kub
z)e%%vUS6%@=tu&Li!x6AY%-fTG`Km!UsOyYx2Cj)R3ex2Fcf_=S^mFUcti~$Y&$-D
z=y=@Fa@dPTF2y*TSxp%EebKR_j7z-;hNjr_MSM+2C2ZL^pI%F!wkj9&=1UiZiJ=G>Q64dG07{S|0T8pB~#OV>pPH>&Ch{etQad2H}7E6ALTJobl}F
z6BXfVV~c7YR}Og>Ba>1qCy(xFaou+`db6GP1QbkXB^?hB+Wz>&QUZNq!t}i6#y|PG
z^S3M#ZH2vIbr0ug=k%reXgN-M#EaA!#nK+liJVPvLTm9KnKt+vUDHrFNp{mfdT@H{;h;U9EnniJA|O&NDvt=7tfS
zTN~7bUQ^R9BpLD!O9C0rusC9a7O1#$sme4yd>9b5)8Q=y4zqL-(4)WEm#F+X4a1PljPtGKub2AvPii>|BJ
zcmwMa@r{=B;(S|PZ9B3RkEV>1s);d4IT*A}nkYsmR~c7a_G{gxoc(<*Ws;%XbOFWk
z^PDb21?)|b0QG$%pKBCRQ8f(XualL;=+gS~GF=OHUjw#oor!#GC&cqjGOg3*o|WuSYS`Ei-i8lA#5P7r3Cb!9RYrfek#Wrkvf
zxs!^tOu6$u=>N?Tcc}={cp>asA01WFxOOaAq>~k~QS?6We$&LlL~N;k@iCt>$*QKR
ze~!_cpI;`W(&BA^swtObdG|9!4Kuu*=#I68IO4-ctuF65{nhe8{nT{@v#7HBa8N1t&HBGy
zDY^jdD`lUe2+xg(sDb^s#`U6U+$L}UpNXWJ$&IAj2jasPOuTu7v|gQryH$yvXo{t=
z=lUG>*?v^J73Su!i5e`>d}KZ`H3g!iO6WPxrD!Gcu!E~UP3cU9T{!Q_xV|u@qzcIr
zJnX2lxIWYQy0B}7HEl&ZyF_q*MvW#wBCN1iKIvB!0V{!$*w)&@+SiyTT;v^9UrWO_!zMCz}G0Z?GUXMky7PdB((jP((q+>}b5Hib{Z(MeHjTdAt-DQU5
zXFU(->3b>_8VMpPSf`AnIEZnjrMWnhb@Mkp6QKT`zRTBGdXe|T6Lfg;L+5`|%8!~I
zt2){sEkwvga5dCl+1}Zq$I!?suIY4xo#qQU8#y`o>Js>%H$Oo>kHV+Y`4wYl60vT!
z?CQ>&sw7|8`1)tgTf4hG{aYo_W~Xn}#vw*lZjTrk89|^~Ct8^Xm%i$tOD)m_QpB7@
zD-{VX-`UNLnEu`cnx?u`Ns`(t087!<(1ytRE(R74a^J0-X>h5A&egmSjnJ0`d+K;({lJy|S`$rq)iPUiO>@w4wkzF?90VDQ*2k
z)$&$Mj1nK`&N77DurHc#7^BEdio;&fbTn}6%WC0EdsH+H8s|!2wP9r-41x$AB`*>OibgpP=JWyw;UhQWfR;WQWWhXCsMg_i?2hlP4`eL2k$;$oZeg+{3xdLy?7Kz
zGJH9?WLAY+)kf-T{rITbYINGaVcli7pjP1*{WkWbSjUhxYu$v+ptLm;hq}ta9;T$P
zg;VJNl2haT-=(kM#Z*iBa|sq~cjR#2zj(sik_2jx5F1ZvZZP-B*hwHB*pzn@u4;0p
z7ih7i+Sz?8>Gy%y3VpNQxcB9g?@3zN1Nx+otz16&X0!vm%XPa-k2>S!z(||T;l-II
z4~h$B$#5+}dDg|naiMRTE4&gxbQD;kw=L8FEP{4%3
z4&Dw4I`)|H-SAiKq*BD+5d5BC1U;cPck5Y~{0UKrXI2OyW1O;{s-Oo2N3sUtYs52+
zJJlvlJ*#ZI+9^N!)_~>&TH+6_J12ub{f8Jx$tYG)HHbeMy{->qy&R|Wyk7B+ZIfm%
z{URuTUEMjqd`aGVHCf$za(_@rQZzjIvF=vOkIz(l%LyGU7Gi6$`VL}ZV%F#Bbz9p~
zpDG2RKfX?PJN|sXZ(8u`iR|USd+C|cZ?}KFvv+jtLL|sVr1~6mFUf&_`oLNCmfA?b
z-iJzm5JMj_GSZLZecDKXF#rD3BX%JKf#{33KFpT0|L{?rE4c^w)z6D9-j`3Ov$FJS
zdnkO&x%80Q@eDWW2e^dcNKnwZ9MR04k5L;{_j|Y3la5X<$
z-T*^n8Mg$<)kBYPsqgGRvRO2(camBKYnEmcAIjf^qsxX|K-H)9Jrs?*>Pfmg4QQmqI%_lmfkebbt83ZYvT`+f&uL
z!(;A0`%W_G?7`L5)z_Yc>%%rWxcn|WatI%XvXiPHuoW4>2=qe*`cG_YO#)N+!54eI
zaz4v(b91HvM=GqnUmj_VNIOuQKGx|>uXC(>SF*#t?Vq
zUrimoBJ8(S%5(>(Z>p&yVMxH<#JWW2|8(kmpuS3e;ZcL;u+UT+IWDv;|Iv
zm^CjW%ZTko3(caj#(g87weINT^w`p@EZ=FFrKo3>{9B9<+6}Ay?pwNTzyDn?ih%np
zM+RP#ubm7E^rTPnj=Zo+fGwSZE)G+N6Td(8d%ASiTRu8A7K_0I-JDl}lXQ#SE{e!d
zQ$toAp_g`SEHOL~bDa;)y-k}Rl^q>RQ!LuG4Z-&yvqI%v^f+i$H-}HRGugR4>1B1Yzyk!qg;A%nyV9&{@
zTAf0KEzUzGa-03;bKiAd!LFT2M@njCNpEdwS5qsagj#WDT(-B9Ws{AlFIoVGpkb2r
z1)XjT^_5pQ;%a>p=-JL@8R}@RsuE~j`!(naP)d2_UCT>16%mJXek-w
zrYp<$V%F{_82J&{zl_(&eSLEK`ug8%U$g{!F6o?lGn+g{m#2$op;yiR=B^#@ouEe?
zd{$80{Cu0+3;|rtY;xm#Kb#&1P(=|}{=a|!e)|K)YUex`J~tcdAN-C#AE!J$T)`47oU0w>vU15gtZFAuY{j!l#kI@^Zr)
zV5f;cDK{c6=4+hiU%#u8k(PFyU9awx+RTobt=(MNO5#l4e5P;1DbR|d1_r0hXWpoJ
zDl1|Ndf8B%AmMS`lSy#GtZHiZcVjqzf=zA`b#k=fa3
zZRxmyF2iJ)x4Y^|M*sgZ>D!Av|b
zm7<~(2+faXU8_RkS%KsN(0|l?maX`BczDK5?u93{AH`tmB-{Ya=EM~P1P4H?c7DD;
z=r-`Ex;<0M<1|S3&m&7SJmF;TGo^hSjfBs%RlJFa+8~Ww3Q`@N;#M^lr3D?>!PJsKhS-VG2}pZrD?yt4~Dyd
zeQ*T836sV4%xy*euroO}ezsQhhZW~)Jj*(INgLXqyC9)bdSAr-F=U+^8!xWbFo=*a
zM89mls=^pQvxVgW6Co6HZzUD-g_e4XpGf*K9-d13-p4nyxDGf#`K29ZRw%c;D
zCR*|&aGfPUpc7)B$MCxNll}B%5h~X*oe2SD*8OR16B`Wnu_9?*oow&1!#nqC*J|nQ
zYq1wNf@6tqy2^t^jBxU8+Cyi1%s^7jhp#VXDZ*-H+~HJM
zKkS3ICk9>S$cn|9h;Uh7{C#Hp%l)Z7*@
z&#Tg}fbj5dfVpwQE0vQe{)gj^fv4`aqKk`y|Mj&SauK<@lAGV?dMah?+G`Htz?`Lm
ze?qYAAVn~kvC4O{Fe`=T%-Z+s
zoz}?6iv*F4p^m9k?-kTQa+F#gaiq%kiMhK`?Sn1eh~vlEy$2THqZ<#wyoPEDM)8WS
zza}D}mwW(iW@Z$FM31)!`?(W=R$P!v35Nkl+P&FYBB1|K6{YSt+g_Zhv3cz8ugl34
z{pMBy5-q(SN~s(eD97UW@8yCATuw9g(a5A28D&V-!S)Q)nKvRL;@sku+5lGS&X+d{
zRdcTOrJ{QR!QBYARy6Zrckcr0Zd_cPah<
zGLxCAw4%V_AS5Jm+vc^3E-F%=nCKREo)evznp`_tRq@^5tpb|mmlu5iGH~noM7IX0
z8j{|74=llxhQ@90$$u>(kPXxq9O>TYpIpw>IkAP*s
zDgltB7Qdyyo6mQt;(CtG^!1+DQC66?F}V26&kF$+qG0^V-)uRe-RWu#c&Wam+Zz7+
zq3k#x=ylt75j*iOr4Ng|ysXg?B1zARfl$G;5+nlc(F*gSKShyl*5{hhm)aRqpU&;F
z9sIadfifuoTN9h{9F{5~qFO#(+7$vHn9HIk^g|@KVi%V8Q!RNGVFw95OVLTARE1Tr
zY6?zHPRXDf$#^EIP~dZohY>fIB(9f0jeR%x`bT9OS*|Ow);GSM-&F#83sAi3*1e~m
zp1(P1V*nQCiM@kE#}u7qyWeJ3LU|RGq0Y;zzd+ykx4rN;KC=jC!H;SjNiQy3>^2Q<
z^KYgUiQ`n25(J_k&8627LB}2RbsG#9QkyGw3TT(TSvlwn
z8FBFlfOq<9L94~x7-gneQQv!NTxS3|+{i++2l6kIC{rp^vY~*1pEaSOA}7?OW9oV*vfz^Y4{m=p>p$ohS_OAKyu7lNcQ^$oA4Lux5i~vB
zT;y-i$v&(6=gRp68+S0?umV^h$gA%Z6g;p`=8J8CcLKfRqzMzQ?s@D=OM^TiXv@C3
zZ?f7XLccho#`*eArq2bFIdWLUqlOTz1=O}V6O!;W$zS$YQU$@yM1(E;faBdD9X(=m|E
z!e=Z*@i;!K-3RK!%MySZT~NmZy3CgW*Ygc4K-(pMvBwNkc$UkbI5|0O13zd38g{|#
zzyrUV4GCD!w!WP2Np!L6wAJCaUWU8YuRq3){FQK>w(vn1HK3{C3fD|Q=yEGW(`Ggi
zJ|MailF+5D=sFwVdgtgEpi$;O#?s{M#FxN}3QrOwpqE2`>h^Ko%$}@&7q%hH_CI;H
zfSRmc8MM0M$cAA2{$?n!^1iNku|`OE*TUtAR$Yl3mabG5ZqBO_;AOP9y1GVZQK
z0!kjZ`JVx^?tvwF4GnY(s3jj95bJgKow_E~%Y&)i*C+}{*`X_i=KznybSw#g8dOnolh8nTX
zln-RE!d7ED8=ydzf78+VX$I!P`tfEb^>`@5r8ft2M)bSB{_X7N`{`&fFj;Zf=3_?`
z1__O^eHteMUx)(W80A4D+8dCn7a+@R|4m{S#Vq>B@OW>rmIy9)%_Lpyy=Iex!pEE^
zVPLWvXPdNQ&X@1rg84uov%e!0Mpvmc3XipO;wsaNC$NG05B->iN1Ks?x5o3^KpQ*&Z_%
zX({{^A`wVD15uS8T%+^BHL@hS(ecSBB+9|hp5@`^Xg#>!UJWH!xO((v+;p4ttDV)C
zgUaL7h3aOzdYn`!S>v`wyOd+$G4v-MDv|;hi{by_LbzLzJKOx+ETBW~SHhR%N%{0
zWFnsCcr9kWCNOfeN1{%m_f^UU^ueLE>l;ciQj>%ZAbU`#KKWoR!8S^ZMg7~J2tnrJ
zOSE*<>$A40fGy0FTXM>^o*VHvp$WP;#r6Q#)PT5k0sI`f<&F%)u$6$nISN*3yQNv<
zy~*w^Y*_3AOAcfKHDmzvdajyK4=w594vf~5SkCEH6JBQ2CY3LBqDM{C3>n_|A2sIE28X0
zLkF0dzfVlX1DNEtuS_*}f3lI~Mo1m~u*g$a$wno=40&=VvTN)6Ldfv2?)oUe>i~Sb
zCxBv9IYIz1+xIBd{Ig;CYt9tSA6{b*J%86Ba*0^G=`e`XnXArI<6pLSfCkRc{^JLL
zm{k&G824G%1ki+c8y{N7z+M1o!Fts-My0%X0F1UPWYbG}gBg}N?!lsD>z(I|T%=$8
zbC&Tu0+F*O9dNY(%ovkYz=O(UF6*hkCR>@(_vMOptpWdx;=!Bc;VhY3y5e9Pf$U8t
zBPYiV4L%)KVBMXn?mIdXf}Z49b?OD3*aVhD%yLBeA9ro7*ihO&H7Vei4-r(z+5d|;
zSZw*aj1#7!GFJRcrMKEJOeG98CE?PGbh%{V()rNkx0#c0pZ7I86S-p$MG5jSS0(bO
z%>_aNyMbXn0$wy4sJ`rWalw*7Z+ZmRs$dubph*WB%12e##YjZDWA%`XrmWu|ns9s^
zfWbDZcet*vjF4FNehTxCOknCbit-fqbvbkZgc{e95)Gahb?9avv<-ZG&gi1*sKsk}
z+FX7@t8~kt0Szt#uTkaHSEH7t@#1qe0y--&7)(a@2~Y3Rk7uzZaZnH>f02FMr_lDS
zd2hVp0?bWlz?43uDt6;z~yQ`Ja`nj#zPj7h^@CH*cr
ziCKPT=ihqpij5_OW!x~5f-oYuFB?a9T|tM2mkuY{w4f)e+0;Qsq7vt+$u_lRZ4qAb
zeBt);)h|!3!4S?d4xRcESh`0}_b315dsK9aB|C9Bfw>rItlKZU2ND6>ENng-8XDlh
zC60bn8rv8`0tUu`T`tBv|Lb)qd9UFHCEWTOfp6*4^U55Z{;nD0Wz&C+r;5o}MgQbd
zyZ<@mYH(wT^k1^o!@7Oq6NRQ@JjJJJofJW5B4_94c%i|UryDEFnDZ`Fj~*nr1rs0x
zz20Z637CCLyhAsCQ&jiQJwtG0)R>gcB7hyUyKB{hgkhNjFv~9O8Ot|>d?vp%8F)Pd
z*Tn?^gH_rD)KBMO@7JrTDOy#;5_!ps#F8A}*Lv+I#8dWV7DpEfhBE~w{~(OeS7fh*&%il(oyV!VzR_ixU>W1TGaV^
z$VouIlqTr7HpjZ}f*J4~(qp#K*jS+Bq&xoB03|#2HDA_dd*msx$jrdu#Y`;zg69smOK%34`#ml)n#WuWzqdjT&fzpP;@Gp1W?n{3#_*N6$
z)}{=rmEQQ96$6w(pe;5_-aPa9wz8&u|FFO>DS=Kh>#@wM(ghC1IM3+EAQU37-3Ur?
zbJj4nUTPb6K8D@YCK@*7mwWH^OxQX@V(=l{#aA
zl7B1A1hV)~a#-;!A!)xgS6}Ogd2VQl;#OEbh01w}jp6F?NkiMx_I#I)h!gqOQbY;^
zD`c)CqktkcDTtkJ^W;%pS`~WPJ)p1RyR2~l0%bxjm;f#Vfr&(dng{?v`i8>`7qk)r
zI~?T;4cN)2Tl>cPEQZacZK{n`NH1`wh)vu<_4_2bLSX~0+G-$+1
z=Nn+L)8^+~0b86o-G@O~Iwo272eaCQ9Kg2NTZq#Vu2!X
zE9ZDa0*z-12+6XtpZi$AOaR=pxq)Lb%P3<*oo9<$wFTIGL7I5(jOFF!$lo7B!pq`X
za%$h+nX->6`A&F61hj=CqrxUnb`P@SePts;f;J@{>K2b{7LVWJEqQDc<53f%d<-0N
zKp23OS?<7M*61EE{ef+&CluVAKm78
z7-n7YcvcT`R|10G1<2Aump?CL#W5if>FLrsS(dp?f8W;{L){4g!ueSM#v`YPEay@*
z+xJG8&$tn^JLNJWLB}0kga2g!pR2B(2ZE<&Bdnda5Mui@q$339;XRv@@@fqa{n{@Q
zfmfuqPaR0N1g`NxB(ws`vMhc4%V+`2{=J;`+kktuO#^s?IRFNGr|YzYPARk%g##+J
zr3Q+SioX86*OgO2%0Y7z4#xEXkD6PWg(XG*`LgVP7x!WqmOBh!Qt&3tx!$uo>Jhw=
zVQIzU*m@wdgy&#hb#;IkyA)Sm?I*{PR8rOR#<Pcue_*B5;~swCeK;-i5Xw0A>PZsbMi3+!Jf6J^De+15{1t235LqL9tJ+2
zz08ovZ>Xm8SqPE=mY6w*fFm3~DsQL%V_K96m2&@lZlzp{570&}HUh4T541{vYIG}$
zs{#H2Kn4BE)%S#*CUk3816v2bv)!`rl3dC1tUqNIawU23kEH!re@sqjYP~AF(WBba
zq~t(X5iJ#x+$6%o0#=v4hxoG_%m~E^I4vGCq4%yZf4HcK9`h)u#@XKcOy~0)iAtnn
zj%~f5{sAuYgv3v`v7-9vLgam5*=~DZJrQTB)Q#sxWA&}8SRAWs_M^%iTpziIi&*@`
zk4FL-;`C9fy)Z!nB|maaIK{Tsd2(Kq9%Wwe(FKo^TCbII(2L>v5ruznrL8~f*IykY{Y)FAb%KMy_DdB`^eJX(tw8RxPUmy>kI_}D)p>scp
z+-*GtwGt^GK15fp@RLfLGe6(=_!FH_X(d@|+m7MZ&Q2#mh6Eyv6(dv?uky!BQ)OPt?FWs?ig=m3J|oQ&+dPcOZF#zX`FNQ5Ov66i(j-gbnl-F7J7
z1Vk={p6li|#rD|D{5<9}4;&J^z3IFpZjMoIe0G#eq3(HR=TaM3IIx%Wc3ih#{w~!j
z{t2LGf{_ADa^5t8&fq)ATsocijVz;YskB?l{V-O<_1_T{pw>{PIT7Y@=QR})4CxGg
z7jvYwJpMCyls*lmB|9gJ3g;x2kwtL}hTg1zm&x|lBKH7Nl>X!?UAPCUs`}{Z!<~w5t`+~jr*ucj^!HZ>`7tK8@GajuT5dLtpq~>q
z1*VbzSzUxS4Y+ASjVlr`n{DuEh@c3skBcWMYFDM*7*`U^f3y#OmKxT)t>5mqi*wE}
zi-12z-Zg>YqWW8ckvDip14ta!pkmKc*MGy`$UcRLX$4b2$&3qRo^00G6<*u_Zop*?
zlsFoId|}Cuz*V-tiP)a4IAiZS(A`%5mzqhY>K@6F&RAG0w&cY>GRv;B{O{SA3FG^-
z{h=M)>}7#P!GAkOAeW}+a|e3nM6JlU_OIS6O{oCEl@b#I0mBSn(4&DbEbA9;2Pj=j
zsZsp<|2ZG5G}qrFUkJ?#I}Xn_&C-DW<*@KVss$E(e$YXnU?Pks(!2FH8b8~AgAx+}
zC%?HoVD@$BbJJk~0b1%&0+ucC?S=x>Ul1R37}#`}~5|H8A+P%u*d22HiCew-}BWixJKhs*K8$Ov%kSVmCZWltXF$QXLl
z72)+=Osly!iaq8-MiYg`V4w6o@-;}|6Xt9d@4SJi0b
zD2it&`S{RPHDA^J$!NY6v6}3108@AGT%F^nbm{#(;=kEqBtUd3L0lBRRhx$l3PK)%
zZ~*rW63~4^r-KSVP*p6~p4bC6-7-=g9UXvP=LggW>)n{KLJ^!FT$W*Cj?)||&sPT?
z=O{v~6e0+TYJ88WE0%w<0IiEM;9EF6Y{irDIS_TSyY)bP{Mb9LC-(_xDu;(ljazN+
zTpTQh1%i=pm$T)*Pl=H^PFMCth)CqMv@qWKe_VplyteK+l!C>DgWq!7+L+<8ZEDRf
z;lmj8^~l&*C?Gzp{*AMao{Wq!bjK
z!qO3+Naz3pOU>T?L#GwyOasu>ZGf4RJPalI`QiLS!7GQGbwNmHuF4$V^y}WYf;`V+Zo`P|4kXC>NaTz5qZ-!^
zjta{bLc6~?34JVnG&=k`#*Ow=!!0Yg6=pE<7Vmvr(BDikBEiFjkjO*WO4G7n%1{BU1^NM-yY~+38n%Iig$fsy>xSF{LAx+cxDq7u>7Il@4LYl
zeE@C1YU1w@Ko-`245R|~*16aDmRukM61~roDGUiYkr^MpDJ$It{X=82xW6e&MSdQv_ITx|8<`?alm$DY$3F_NPTaiMkVL1
zW|V4@PI2Nh$7Qo`rrb;sY{XT4{~7+6s`|*egHI@
z1ke}a5YN>1E#^5tqzwZ+V|{6Q=kZFH?QajV!ULL|m98u)Z-v=l%A(<*P2X%i?>(GX
z4sVvUw}Y5GinK^*A`|f7hahP#oCGHvmZ0a&suMR-?VU~SYkp&LiU*f6fKNSUI9XXW3Cs=Z59@eRR^!U3Lz(uaKlK{epmZC1%ks
z>z!LyPNoKHpuwf7{kD03PK4sBwV=Ws&@c>jFWqFw3?$484=m5T{(-itGFR2mz=L9P
zstG|0L7OqY4x7(z<~0iR;I{y5SK*TA5gujA#lH&(_8PvqlLZ)vdjx}S_?;Gh(yDNB
z`tFMzc9RHxaOrLG9N<{Eh&jwHDk4mft06dSKInSDJPMsPuX+0<=mzb=MjgjJ%>e(*
z0a%cz;#Aqgm1j=QYEh7B$Xx*H-#S%}^$r6y4#r-Y#Ky;S(8P04le6=F2EqjOm&~d&
zKS3S`1b_u;=v9i~4=9xU?Q4Ij;rD7ceRR;+$JsNX6ahzoe{!L=Fm=m`HjmiWBX#J@
zq1i9zc`ek=G&KI=!aLx^O5yWWFCoCW)zrLvNbLX^3-VzQ(6$pHzm87-XO1B7HM8#u
zhRAL4dMU;aFh8a|x3RUQAtO8Y+gG@lv1tUj53&g*Ql69*C@Gxgb#~leIGIgvXtVlPzT3dR5E1U4xmnoU6ZuM-N
ztFv*e6lZ7hJzprDB?LUrI?Hq-c+5#BK-rh-(Cq*26=_Q@u4fHa3
zg@uzRen$3K!jvqjEcrm`rK<~{m5G65)GP!m(MxU9cy_XK&}@wq+b
z#gJg_sR>@@Z^4}MTJ?M@&VDrvQaTtj8d-dR28@^;YIIhyf{^W)DtS?(`H^4)j%d&4
zU^olXpihvGPEnaMT!<~4O8G&#INfSV%b%a}AIKA)UQbLO{Eark#G{=559+>69*-?N*1?)~Zq
zy(P^1p0tFGGI4mR+Vr~7Q(OJY@*B1#mD|2~zOS0q2Yo*6xD&hJi-`L(EsOW?#c!gO
z0Y*P@JGh*NS(P+GMGo<*sf5pYi%yn}cnr7smB5euHWn-F$$e08s&{6)3k1u7S-u`t
z540eCtVf3E%0Y!~#3meP_s!2XjiXuj5O%@Z{H}!k>%@^maFCSS+QX}BBG-+GTi_98cvAVh@32_dVfFo-rd3T!s^%xXf`)~{P?Lb2AJ=Xirm<1hg
zlk`Lh-PS#zn}5L_YApL%g@^*N;SxkbbaBx4=RPkxF>bxfayE=vm3MpqHn{6
zCMzooIGgsRm;E#9I*bC50K;;QIV@qrLO)gC4MN1e64JDj&`g~=Q{l<#U0Gp!^-i96
z{WVu|$I8f$?U2RQRqI%3*&i7LwnCz!Tc|LyPaE!@o-|10R@Riy>r|{NXc9OWQs?k~Z{!N={3M9guq$-#V
zYl%_TngEW(LJ`FPN%hNb4KU`mz&6wspxr&r@nzDJKbFk)-4h15M8FYn|JFcMW215I
zzyO%;xtY}78Z`e=l6u#}_hEN8$^BBq2dHB<^HY`Szl^Mo87fR#XwB+lmytH`?8U~-
zgBFXdCN5&!4?DZU;%l1$rI;!)3(%cs8Uo>z;V+1BJHJa`Gb8-eTv3gly%AS?cQ_*x
zv|?~9gWjE=Jqz5I;mbO=){y2u->q}0OM2-*`hI>vfqQZgiT|X?1`Hu3Zrb&F0uu^A
z^(fJRWbq1kj()`EOw=}AQg1hBJ#8A^i=`OCjr!1`B9M5>)i8}HT1aC(dE56`!5xQ|
z|9h;yTo>x-F^0QmmsZx+UB+kWQp#D4UM-JGR7^~nMve5$3^wp(QerBfi#C$@jjini
zoBRXJktYw$-CSrcOYRF|fcD@lgZV1wQhxa0C?x�M10B;0U3SRpblqSfKD13@Usp
zP5-B$7y57}zg#u*C2(NrIcJUqXE;778TqAmgwCTV;3OGSJlpQ^UdXB7OzbH@w=*{^
zXZz$Ne*5hf$$g@LHy1Fr8+nJ&gF#9GU-ph%HSrJPE_UCFT8Cmla|@uHG~;
zCBc@Z+hmD9`oAY1sy8Yq1%cCj97){jk&9V{Z~rdgMg>!{g%=V~3WpkIu(H7O%TE6W
z+Nr2Y`@D<$eFlxR3x1Ju}@&%ZkPVbd*5Qi};&)6)bVY
zo46tdS8?Fn8IKM}QhQRqhAZl5^-kR_en~#e@;6wsHEm;~NFNLV1)p6J*dO@0xug}yB9yPi|{{@a^RrnqiE}S5PJ$r-e&85Wf
zK}XpQF6~+}y0^^E5t>yYJ{hnsxCRli_}f-{!YM3TwS(y68b9Qa2|Wj@{iuQTFc&Za0xMA#4dC>r1D(X0xc>BSrqkD01O1C!J=~bxUKk9i
z-`u
zn}Y2hD#8pT=#GjaaaQe8d}-~nShkiSVrz+YZ3fD!qDuQ#950GKs{e$A%|OhTBJuMV
zuo8#Szgc~SyU&X6al!t2z;3)AJN-MD%Kc1VJqpPHPYNYO-sI(ND_*{4V7yeuc9(1r
zr9At|Wrh7sJhjC`W|s)8a;RX6CL3^A{T~7?U@Frmc*wWAN62um{Qz$)pRPUj(-zFs`E%EX-%^Orasm{so*TXm
zST0M@qM`yQ^_1@Y+*05WdKuWC?J%3=8xl0o5~&g5tCJ~iq-)TJJZGMwNR7fB+IPtt
zBfi)I#uU|GUXw%>#XyeH#g50AU3vFU7yMXM
zy9p@EXe=?FQeN(<`2?ONGnFZ~k2Gb7*3R{_9taHs>5bFN)
zQT(Yv=b3r?A3fZKj^-*w<*f{+vDNrCK#4&wmhb+}VwW@Zc-O*$^XfEY=)Cz2=$HZF
z{hU8d8%TP&MN4lIAHCAIN&wg=Ti~=+Kw^SIe`IH&S|Z{aLMYt8rktWjQ!5F@+BF^i
zY6{GPXn(fnK;RM+WKVa!)QE3=<60EaG0Skm@#+6i^%YQ2c2T>uBOu)!(%s!DohqHu
z-9tA>BhuXn(hUPhcT0DdAdU2W(eJm;*^js%rbz
z2afCO&UYJ1HbY7de^SCPo!76$m=9>!KPJ4OHEsR)Z)b-#V6Z@*n531J;0oT#NOk#-
zRuL+prw`16uOF;vSnWf(xh*jA^9Rg0N^C9sRk}FDfC^Dt3D}wi1y*LCLSY1EasDcD
zvv@qdaLQIq9*5irH`5y);MbCjoqWCfb#c(kDvRy)XVZV%23`LG)4J2=l#2V=qcnfS
z#$J*q&>
z5dqMqwDWz^(s6i%61*fbw1+1)ai*Jb0HayAh}J7b;z*=p6z`kweM;IjVZJ&Y
zKNq-3CO9RY**iZX{y3O^<@gLMq7kNOe6TXL0-0)45b-zx3vAvnH~4Gkk82oQ*xuG>dknVjGV^;!=vLX@(D3;VmG9@D@{S^1QB0B`FC~E1tU%uAv)0U`Xiak?_xVjT>TwKD$z2+4O3M=E
z(A=DXUt7`GKs3*4iTCK5164OALwf4=tK$fsKJs&)0d{q6W`Cc4S*x{5=|
zV-M?_VRBE~s(cP28cZkJfKcQeQb$k#i^j^%8m>Sc?eHBTK8+wak1e>%2$cKK0Sbxp
z2ddg^Ucuhd}xT5
z#{`IS@AUb1GZV+~(5CnK?r0znBON)iT6;fEx|
zw>Jk9Uypv{f4SGb(+HVt6ZTi24w)8uRb{@0>ESeN@9=A0>9MLb86r_mf<<)a)BUK<
z)gB8!=EYElb@8>}eEqKzE}D=b;DZvjv;51?Q^x1@Uy;W&ww!zl|AQP%&x0;duT)!K(rsamQeB
zHmd9)$q|Z7k{|P@c9)qD(*ElQsN&dX>;nxJNj7*>j%LEeJ?4NA8@oXXU*TO5mJ4~n
z=Buy#0TY>Lx+VdD0K)H5?@@U}Y+?h(Ux-f%@P5GoT?eHk-iZ#h^O!ilCgI=wZL&ih
z8e;A1Uvyo2)eHY7!xL|*5u#&2WD#$H3>@Ldf5ZYRHd9>)fD=w&Z_?Q9A>lHR4Dfu=
z5P_etmvHE_bi7hgoE&w$64jMr^2c0wwA&+<6ZVfVaOB9MqOu@ZaiA##Tp(Hi+K^Ci
zI9C3HNHR@h;brQ5$F9%wAJ9O`<%n8aze>9X%f|sEJPIL7OI9#!sX82g-n!L;BGx&I9vhbm<
zFqiSzGY)a5G7vuW8V;x5tgt$jYHR|xl6Guvu>+pGT8IHFF^$>T7p
zV^4ARq0CGcAke!=VR1ZBJ80Q(S;uC0w1d^d^H1glz1Wt-rVr5_13^#~pq3lFsZ^PB
z*ydW1IGvF=W>+c}4_R|?K_N#H=M7Z+ILu(C5X{vADbRXJlatvWj=%u)3vpKg-dQ8y
z$2W3(11Uy0d#6C2Jh`p~$`_SFrrO3fE`TKIgU`64MFtSvu|fUhDB1EWk!;}VJTJ_p
zBMu_Wgo1o}O^$Ja8G4C*-X&uxgVUL`aLDFwbbt~C1wE{)E6eMh)5ekvOEO}OWajL*W*p71$5TR7JvIbd
zZ18O9t#iRC;@s)t+zc~xsBBc3pAAn3c288N?0z*C5oa2MSfp$pSM6m~72(nSJLt6iKs47AHe7<2H6tsFMg?j7X
z9CzPAt0(QPwyq%g67jH2%zXw0Hb93@zP
z1d)(W5MP*_CztGprb9nTvQN@M^yRK^eo+d*5&G6m@&se(z^lVV*t4mw@Q1jqev?0}
zz5^FloPLYX@{z>n8N1if-XduEy{M*%ZRM*sa<6ekEMT@^WL3{jzhIA{psRw%xl0GQi0Zd6CSh@sP!h*|
zAcc^Me6)Xx!&RX^ln^0Z4D)0zY)vtwmzvg_ee-(Xb
zo%cBaiL8AKx?-r;M@F)@Z;j*cdT;Zrh}rHiqTw+I$|g5YW%0#zpiwY|0_VedtiGv?
zU?WK_qUs0bnA8%~qvvg~#;#@@u3+Cy07SVDSJ6skRoBC+sEagQh3U@Yat_($|9JcLBdj
ztinky^A_bZ`MA1W#pMNEHc*aNSZg0QddvY{8$cp0tradvL?MhMz5D%{8U<+8rug>U
z7W5NnhB7IFd+Yu7Wf>{XOC~7751$X^4R=t!?=gkaA`zblxX(xkt5gb}<0}495&7x-
zi8VXz_QP-3m98+zAEPSeXk3wSYVMZ@VhJ`WB>Io5|9uoiY!t3oA8LFViSdbl^MY}>
zca@&AivHt7cJGg{$FM=c-CaHX)3|5C*wMAvp(ifg2UdE@G~OntO$L%?K+BctduIY|
zVgT9571+-d@Tef7og)@a#^LYVDhN81e%{Hhk8?+WB?Y5C3hszpJ|E!9o-chRY4%IR
z6Ut`?dgK7>yk7r;B5H*8UCh5Cz{>k4Q$V&t$eX$U8_M@1)b=ItJpY6U8|m1dW~0dY
zb^IZNYQ;1M15Fx`db5d-8i)p1IYIBof8#K8K+|>25qfrL2@89I5+-d9v(i6jAQt*s
z$!SZ#27Ji_Sgn7H1awHL-|pT;a6uwpl=bAK`tQaY~qD)Z7o9{nCPp
zacp%onl~VPd-$Q=;DGD=H}h69w0MP)RVWRE$GG9*_`m!Eg?NMk!w
zq8bL@{`AAyI!{DBwoa=esdX(+Yb)vUw&+h@vvm-}F`wlA$W`JST@&HldxL;P>+0v$
z!idKz=0E~)(t?7+GssfhSs7JW?%JWJ^XY9`4onl2acBQcnJ_n3C%g@{51;7%2f~mg
zM=YbtK^TBT;?+yzs_sU&{4BBkhPrp9P9lu2%tbp^sEwX#@M2lKEkr6`A6n(EMEjS42
zi@Jys6z1Gero3LPiovKupY7znoeF=w;t@G|%B4>dbZ4YW%$c+`{b3hAW#nCTN>nG0
za9z1&mnTq0;dxCtdOHz{s>o~G!@t-v8>fjl4s%wau=2OD6x9~=mEl(2t9Tt~;3Ny&
zZ>RPvX?*l{U@!h#`i0L~cgDqThB@9v88HiDtQf%gvU-$;T!+{b?Al}T?RLdJl^pFN
zREDc=jm{r|&{QfT?LHO)EJBr{Mjbp}s=YgNcp3FujEe|m2xV62JtS)~pB8g0;a}`Y
z{E4UlX(t#BAgm1#matRPCHQnKxc-nvn7w$mQ^TsiM4R!OR=g@v#eWY0c>tC{dg=Yo
z$Fxhm9D-|YI=ZDTIy}?XLJC^54w9u2!X#I(*?M*_)m_MLckvqd)SS^j_E;mIeJt8?
zuIQglmXy?_5=A0Ih&X*(_D#5^eBAh7EG`Q7=0n@BkM6pSp+J0vOZI0nT#0S5j^f6A
zvQmURz}On{1dlDoc6X7hsMzAF^S@~MjD5VZ(6b((FDxB{sh-PjqYaCgqJ5bnU^G90
zPJqUap4}%GeT%kZb{UFe>CRd4{bAG)9yQ)IRY1g$0_PBrv2qo=cei~JFF%m=m@!~?
z&t798i*6(#M?lyP`Y~f|t<=hwsw)x~BH8!2*0QNHxHkcww!T@6t{uHW2(pH;rT<4S
zURxAL)aCa`mNa;Zo4pI8
zeYeqqSX~pvTxaN-+L98jTFAiJ^Fyv(HwbO@#qa9v`di+cu?%IP-s-1AdE3@0SVIwa@#DhfI
zS1(0z^S*`TnBjQ-YnDPQXUXZ~`Nu3ml`~c{#WXPCE|=AH-UxW~Cja&Qn~yTubDnBF
zMP(#=N@1A)%#z0F5ClpsjVJTktD5v6GuG!Io&CPx`@3qc7yCgumUlsWK(cgJ;IKA}
zUaEa0id2F526VENpuXeMibUE>akW6wTS#JY=5?Wb&{uwGyqGDLI|+2M%F@gF@}|i~
zKEZ4?6dVmG>&=0yV=(BNuqvjmg3B~1&(D@4(z$o853y=4xs6ujYsHH}1zve-3>Prr
zh--ehA2dfQ=b}%)81T;Vi)&gFTZlWPTXcQWxigyA`V-f|G?*7wT1#=GpGm%@r6W?yAYi-3_GQC(y%VP|KhF>
zvMoLYATJ2vJ7u}GB7Wh4!BLd4?nQkyBD-p%PPFsCe#08kLrqY5Y6UkLQdVx_&fLWS
z0zg9|Bp#!UW-BeFv-}gmWp7~vYa61vqET$hU|sp76`N=pckRn&hM#YTtlz1}eXxG;
zW&_pk@^%JBx}9^+r+}jkAlGOGQfN;37S7srq5otoJdhF(iR{yd02$~@iCI4i90axo
zd>Vq}G)J6F8I`BAoTl3btB}9|1YN3Bhxr)c<$cixPw$r8J07QIDnIS?`G@pj$a_wB
zaDCr6X@9pvhGCbXcgVJFHroY()&|I0c-zaiOAK~5ewQmLYU;8QEX@}1AwHr{hM-mgf|J}
z52;%a9L~|*nO%`&BKP0G1d|&^oJXxqLnyxkGFJThHw;@iOdwC+dh~xQTf+X;68f#I
z{Z0@kPWsCnWmxEH!^z3$dtH99&paxe
zO-t703OfdsVm(4zHLDTlmtFN0Y~&@}GktjW+#!j*@qJU9Xy$rcmTg|q;s&r+CI-Vk06D04w-Is{ha-42cw>7sbQAldpMP?dC|jx$m%C
zdD^B>92Y&jR*a}2_h43V4kG=Yw<{xAH)^ldu1_luTnCP(yqgovPJ2^IzXpNYP7pTmA74mab7qVJhrzt;HYr`z0|Bq-MuhV18$*NXftp({!YgIkW#C5C1N(`WVMDotnsxN_;!@i$*sAAt#z!*kp%OIz1jea(+?dt;btL`rHqmYw&ar~ju8z+4X(pl
zF^l^^_DUUn#dx!qRz}(9qruQL8-z
zi#**#y;g&~G2ci%x;}4#gQVm3o$E>)z+#cb(+jQ|qKw!TFhX;8D)m1!X<&Cisa+wq
z?J;Zo_K#IeRp&ojOkeUo64a@m6$6mG4LWh!`3mWcePDUhUO%`qk9@m;v#_@ZX|-lx
zkx@Aemqp+{@lJ|eg%IVln%pqW5=-Wa*v~q-EqfoGc(C%7x|T6O0g|o
zhOtmy6vkWizxy|cQb{UZsMkY;{W($Hp+8V&c7D9z*uP)5(aDGZWYJMPW>_#c#oPx}
zQ4@8$kc4~AJH(en7A3a3$D7fZh+9sl;-gL#N!GhnIIdf9M6FAM^FcK16C-WVn<3u+
z3;~30117v9@NpIb%AfYjn{max{d`L$r7{Z}NIPE%E(b@~W9$yn0UZ_5h|E(iYMFSp
zpN54{IK=R?vmXTjmZ||P?Yp3=UOwd+Z_+6LyM9b!H+_0|$v6ed(;a4ad3d&WlueXn
z+!>aCrz9?Xp|Y>je(aUXGORl_613Bc
zelwO=4onX7{C#qnAIp%Co5+3r+WS?UJ)eAf2OsY6vbW}7@Ya~QZYiL7QVd
zaVBw9xTH8i*JjpQda1APBi66q!ZN%XAU?`|kf2mM?iWu{&6JXn*jAS`{7o2rjg3WkX!r61FF
z$FWs9t!5I~eqy}S2*Uy~@jW&%_M0&bnEPIvcVt3j6$1{_zpw=I8glP`Ih`_Ko|DJS
z`t!5;w|T&yDcO(|*(JIET!vCfBr+_?F%(kj}u_vvtUodBB!2XC6hG_2^N3(
zG98+J&fSXGUnS@erh^lL;y^?svzZFy*j)aD0~>&1a1CKg3a
zGJ+Z0pl+qF4q@O3wY^T03R2z6-xO3S%eLXI--(n5G2hVqyA7g5?W-ZQDMj16OCy~b
z#XoMhW!_`jZa8oLI98#OIG5u$W-xG7)V&C%SXPdRXvMIm&ryzM|772TMRx?55S-Yp
z+C|myptwYH6Mnw0Fr2LOjz{3~X}-_Btp&x!lm>hZt{4$~8SjWX&}Q#k{$acDO1Gkn
z`WMYYtV=+0=eZ$;EyG`pi>{fE!RWt#+Qx~U8Ag-3rP2SI59J*05!z9&;>g4c@K9e1
z*BMFcpQs=(WI)b?Iv>4F
zQ<3)qiUGmvB8cKJ!$1Fkq7+X`A1e2pUD(1%*Q&?YwB2bNXN-Z!D0wM~XdB+@OyV@f
zUc6Z_LH>|~a+|!Al;3QIBDh8nFMf*A2qJdkVv_eR)QxB`H>?AQ0>N_9Jse;)=t1s)o8()L)8=lvY%Gvr(qytBQj!P|5*z}ha<^J-2jfnaHh
z>1Sfgbe_B(64~a-x7-<>I38ZAgTVX~n7jxwU{BP^Yv4Q7O8TelRRIC}K5(eB@MW%D
zS0jAfL%{T33S%o#v1|qen$6Fy?+EE_@=3{4J~EAAVMlWoAE$l3WCMv@IF
z9H=@2a&?1K6eX~x(R!nV(_ZjNT>@OMaej3*XHfZ#!)Ys;hu#3!61wLhryTbr%`tf=
z3e{&o5s%6Dhazs@>%KziUouueq{iGl%9N3eyKyKANhg{g$Nbr^;lfvHZ`-g->y(jB
zBoN`%5Un+xShH_b#287Qcdm@yWI3lFLru>@^&#gLpP|PsCni#Gg(AES=aswR~!+*mvN?{)_!GOj3N^Ki|0*!2uB5q~@^
zY_kkg-BNQF`dA?9{j#*&1-?bML+xvQSCdM)A6r;*9@WA4!*`pPhmX5S+oq=f`;MH!
zp9zL>aoK8Z_vwl@BE_!@JYW&)_cpIen+DJm{pzIP7b1uDxKY(AjxM`C@1pN=6-BAh
zpD?2B9Se-d1$VoK_h_SkZV(m4OC13LgEOri)D2!rD#P9j8n7oP4^$~Y*>HfBWQ%qw
zMLpQIG-ao}Q+WYfnkaiGmIw&@GHf5d6u58Ex)CFg%;zweu5llOYGY94Tm-&7nF
zxD=y`SwQVwvl9c66In_^-1ze*xlK7S`^38c`LZ0`TiJ>T7=?z&TZ-9*(
za`hjq9_v=L7*27th|}4`7yOixJV#viguy}|Qb&zFoyND#9!ue0d^vi*A$&ohOC0B(
zu;pI_p5f^;z%dkg!3IO%*xG-C)mJBJ
z+84cP9n?p<&U@G?9Perlp%mO4o#28akFv1AusSk_75}L9hm3-r22B2z&kc*hfAJ1z
z@3UBN|4;Yvtpi&;CuE|ZNHIa7a;Xx^TQ2Fps4F%2s
z9X^f(xNr~Sx_kJac9s@MU&7QwV1IU(s?pkAO)s^}UhzKq9opco#l9i2HMB6ZdfrOrFw
zX`*(ru#(6*;fT6FoJ`2+`9jXFYhMAO*qcCY0lb3psOxDdpNl+nwEuItZi`wbX_$*2
zcKB=Z(=vl{r5l{PDFHV7$P@-z@p~o9p4iFGPlO@PoaoYPSdVHSnVsaW1&~P2A*WNt$-0TJ
zy*Vx&ns6pR3QT>|_rXS2&H2>JIW;&902v)+?x5`NHrDx{DkzK|o(C}^^;;}gZe8L6
z2I1fNPSb&-M4j6|YPL)quk-4bxAzx_N+8ki*@j%OK=h(2LZz7oOZ1CcaPhEFS(WUH
zl<+!ror=Iv5K%b7BgyDjYa&a+E1`R>o7HZ4D9;uxWsAe&M&Dj(qTKQT@mVW?;M5V;
z&3g4K&A-?Hdw+zQr0eq9py1TfKYYV3aNk|f#4ER`74yOw>@%oL6R^Y}cFE9%IP$_@
z)=FyN)JPq{4wuO%gxt?Ajl
zh*c!UwdHIg;1a_*$*~XF9k^=joqv{#*o7t^#vmex!8PU6Is(ODd>w_
z&N(S2aX{jd22w90Eg%OBbPfM^O;Jk}B0l?BaHtP(s`X->(YD~W)P%fL!Mem52`@IR
z__G67AH^={5O%PcNVBx<{VyrY=0Vlzopdhqi|?qP%gH28IA$I!dqqfmvG+WzJEh%n
zAJgX~^#dgA&XM*kD8AY|8CdvABUKZZY*NS&jaMhzve0KQ2_EBR(q)*F80nh~FzTvk
zru6b|%2QHj)Z1baM>pm-_>xG6UGJ9(;{B!rW_5k3G?Fp`zKK@wXH!aeV3T
zDC6;Z=4DB17V3nVlo?n3LyMFoOPI`Iq&$P~+OcVxFZqJf42Mu7KA
zB-Dnx&`L^8eJSv+55<(j^74j6V|UbM37Xb~Gg5UtHVdMd>Vg5=78Zxi0p$v8F5u_EvF1ZPejCF#iT`yktO`3KKS+Mv}#?ZaS#N(SxC7Q3wfBQ(z&^>Iiwnx*^IHJfAh#X4n
z%$k6cJ2bNiBY0`aqKvs?6{X~C(}#4Iui7lA>A8`FD6{RHKsmjm%|(S%@?jp4eOp+4
zw=HDq^whc;Ya!&?RUZ=!kJ2<)KQ{T3eyv3A!uNgoJj#e80V*yMnFH3h9rp1n7!cyM
zrM|Vk$q=nn8x%|eo{S)mVW-xT^kn^&GdkiN86P$A`gPb(bscMt_bdXibNX&1+J`jc
zB$0-Fkt{jj;rGjz%kqEvs;>R3wS6RBjkR3n%SNHBPqscIeftT@o8-5F{OJy#*%tcS{9j*bV<27-K1aske38?-v8x
zN+K<@NAX?gH-Cn3HB#)_jiL^p+8U|2x-}0JSt?%NK|-s;<|)!XUxS2}EbG+Ispyjh
zLRRZe_!9fH!1!EsUdRpGuO+a^o#!>Ie+{uGO{`7#*3Aks)VxFIs|hySYBe5yZvvXw
z_F&5UEXnb+OtkpX$oNlF?*y-YxI3QD%a`)CqUtm*BjD9BO^+>z?CdHKD8E$;8q^zR
z_3AWJIM7Fd+83%PY;9Z($$!;AmPjyDSMRWsn9{h74X|PJ%&Q|Hpk2bhw*gkA&jKeu
zi&O}lE*+-4b>?N?H}QiFN>p7Qm)quvY_nc5^mcmBrmN=4-k;X&?6O;==d63&`mjGc
zo#ymsP~&!1`qjM0Sr}TSZ6BrIW5n*Q${H`cx&9yMpR!>7V$y7~P)r=<%?c9xo@ygOSZ{
zi~m0R(GJLI{iL+xLl9#zzDTey6fE<*{q?t>Rpqvd)Y6MCrk|&c{?*{;STO^8)G|fG
zT-I_ULL-My5{1E$L%3g7u;qysa45zCD*O-5bAS8B8LR)%=~Yf?UOqnc{Tzf
zLp3{wbxqaDv9Gj$*?gCt+>nK>IY9TRHYZLNM&)cVv$nC@Zz=$fyvHHRqYS`S-p$t)mImiYGfbwN;QWQKQ;S^&)^8@h`U)?{p1Q*%e|Cx2;q5PW!l_
zV+Ye1hbi}6LfL4H;dbGY#q`%DLFY7_M8HDN`|5Yw#l@r(6)#_J0GiY~5SRI`F2R_l
z@5>%S1U*&+WqQ4Sl!MX_t`EBYJo?r68=MnsB7q5d@>L?UA(;KjTg_S*)g0+FG~h3z
zrmS8YW-czw6CbpO%)WTsZIEtOta)pIiIy))gcZ7#l-T)#!=BGSEnlR^Zhm{!9$CGi
zpHclwGllaOSux{#zB60V_)2hRd$-4*af2?Oj%Vbjr#Y6b%Wo?d7HMhjTE#)Fq@8*l
zx8djW=Mzk6o|aLKF9hIFAI>iDPDCPRulX!SnRac!`#8&2>9OkvVfIqo2|WjxEL$)C
z=GVG~$?NLfTEryex^ynl@mS-)8xg`_5R|rv^ULEzY5AtruiMAnmp~x}yK-r}HfUS+GG2>;tjD_IxH#R7o#xb#QL}!`TaW?}mr~4h0kgE7?G@Ec
z7``QnFz#Dc957=CP#@cu#H?`eWh_a|jwHFF73hmYJS4b!->SS-Xl^ItWP_Ga%rrBS
zpXu{fT#{2e(z13|!r$LRk+Nv)
zc^0n7FR5r}0v3(|4%#X2yR{O1ax6sF9YOUmha^p{4Ey|Ai#C`Ar^JN?ve0j#A>6#9
z3`CWmRoVxAjE-)ZYO%K!r83|*-Are}v-R6wf$LT$vwOoqa3f{kx))RRnhw7x$|3`G
z^$~gHt{6$uv4)PnIBUMK+TE_L9jXfv?hA#>^2UUe8H9a2v3ac%jJ8-bA~QEqzn|8O
zlR5o?BJbYRmqc%@4!=w_|GuuBk-^N-;iZ
zFH{&P;KO)nx}&dwsYBdJ!z^w%yCCLu
zw(0N}SBfj@F`z&m$YM_X5U&(7i|%K~oNIHz^o#tshB-H6`kuRP!Q$vH<9wLp*Wxx_N4Hl5ezCqJqs#>GMJszslK)3{9(SDiW2Up!M%K%I$0irCz#Rd_;QDOqfq
z0*ZPxqd|Glz^1OYyq8KGbVj}Z5-pgH?!d@eqR8<6?gdK^?uWfsOPZx&~+QouK1t5I3?os)`p=xhG5xdy8FlAXv@xKvR~DGaU{=SbJ+
zkPw|*KEK_)L+Tzo6WV3vV8AMldC+hq4qW)DIkc&X1cUJEYDgty!)g78V~_q~QpEw8{&z6;zpZ_?|w+ufYU1ak&z{*^Ue75A6Gd}#zC9Pvcixp#h(Bk)lFWHY^
zPxr~v2D0Bh6x}i!EUwD<@yzP`+Jo5Nx6reX1+#;{P^KJIp#Ng1n-6xJKoc^QL`%^4
zz1wo^Ba29iyTmWRF{<*tc=fe^UP(mCIDXD{ikokdZ%(s_jLeLUHiFhfXUEPbz
z(QbQu;i||P2c;kFb5FbiGI?t2I2;u6HF57S%LDX_OJ-vS&8)u^1&Aj_DxRdlxbS7x
zV&q3f*rHK_4#q^ikX;$&5ixRc!K}&kZ=;zvWOgeKW67&KX$*C?RB%V&nvA#})k|g4*
zlES31wmP02Ip|8PoC%v>oHZVbIQVk&?gbKw{W~z>L&3M{wQz)orAQy%k(>ve70YUueWvsCX%nw1<=kN$)^fS36(PN*ykcaZ>Al-~Ju-!i
zWb2S-PHeB6&M;#iMzxjXt%+_P(6r+gsk_}Q>sawNvxy=C|9}yVRCh`c-#j0|71mOr
z)t+#7<%u@UU^&Er7J&`3t9HqKL*SWV#UH|oo|giYnbBt3Br~6x2qvd0VCXbHAP!cG
zF@C(ZlFaKff4l#AffMBzj3toWf%)=oZFqtQ{_X>8kf!$m>xHi@a_J-ZIB|0}(k&wX
zeBg7(D#eQ>1t|g^-Mc?Q=fed>#>WkXPC<|+K)(G%go`F_ej_)c?I3(eKx4hBOymm<
zJOOscaeXI@^9m|X0olm3F#UUY;Uo{*ep2ack!GPf$
z$?y|416tDNQ~L0_{-W~1(_S>oD|aUEu|de>c%R$mOb&#`MJ|;its3}HKs;=-a(=Yz
ze4z;*AC-L@b8s;hKo+c`!}Ho1#{fokB(L2P5ilH?))E4-xeiz_%4oG2?IO7Y(HTd-
zWcfG3kn^ST(6#*d6=Dfizp^-$7T^c6Onxzg}NJy$;Q1HmK$J#N5C5zpPMkS
z!lR3h(KQutK6vrs4^S)XL`=p{^E#TAakK7i$Ct}eg%-*qDe8rX_R(2nx1bSn`#~Lz
zd5I9{6j^OfAFv_6A<`sCt#cEuS-{Hjd%$gazRB)=ag7k}WAjWFjX60jmmE#J$9%(!
zNuS8|JvMQRoVmH#{ikW%a*Hb9Yj?B5ijtT)>s^eVA{eR;recjwzQ~h-fc`e<3fZl|
zy}VfY-9muh3|s9XadMOjIIIQsi)y*IZ0v#_h{Z9s5?*`ab*{`mK6j7rWyZro>DBU(
z=}(7mbYfcAWQ79u5}0TJuxFu=SuIV9LOVX%k=Jbde$`pMg=d%u;3+vqxtR66O%zHt
zf~4Utq!t}T=3Pg>E_cEbMv^qmc?TSlKjz)Vs>iJ?dmg$&uuNXlVr+z1<#xvh8f1HM&BHgh>VD(q!Gt6
zUCXf(6nv^DFKA+oa^KipL|JN2^Bh~C_s|tb$Mg$~zQxWT}G;f0)=7zks
z9&bab_JBqC?L!3c{SFK22cUP*+i2V=v98V2qk_ea7`0ugxb?l;&Qqp@e7min!h5W$
z&%e7HZc&kT_C<;S_Zzv{w;|EQ+D-Qi#*l)cU%3fIwS=N%G~YfOErjxHjf_5{y1qH)
ztvVvl5X=+8%&oODW_Qlh~4oIkdWq1*dq@NLyauZVHZZ&sZ0b^->T
zHq4hd63`a0^Qn9Owu>}=v}h98L{o41U<_!o*vDh)<>#>RjVBRrlouyCZ<4@ee5GU=
zwHt-zf^yi5WB&O(Xi7Pp*7$iCb(hIT%H%3V*d24~8=K(cDQcpl@bkQK{HPhL&#Kmt
z;!?dN-vYGLHs9yOZcV(OPqdQ^)3g0Oc*mumu>bj=px8@v>g?@g!rve(@=
z=RTNM)jg4&5TI;a=5i}!FUO=6-)x$oK0vohXRdkQUw+mD0DxX*Dd{62zXm7t=&6oo0H-vjsq@d_xE336lvWfFeB#ejf|R&6jI!V6_#nI59ygcWup
z91y?p5HxV+L3v0>vvoPR!kgC0A}+tgXgc+}0Hb@LAYo{0d(svU*ey|!<-efh;|_MQ
z!b)|433?2x_FB^OI5;pM%xZ>#T2Md~l4+#GC>pYB#Hz)bU>FQEaHkpdO0oJ-RatoX<3
zxOq3*%)h*!Ztw_?rGTiY$Aa`Qy@)J9Y2#1sUYuO??r8SqGLgCv52+Y+rs&PDD*$0t
zTg?KKbG0n)*Xr3W-^x_re1z^<=iPbjN%E`tFEc#wy&9k21E&S9t2}*$N1&d&9^6INHyDWfZG29RA=ppwp5lWFR#5({&9!C
zPxoe)cgm@0z1XHeZs|*oP~288yw=%y9r`WOn^_`w+?Wp^%2<4MJlt_(@b=!mA0<;}
zX1|LzM6*--7za)QzrhZgjNxXe?goVA?v(wu8usEJb~`jH9B7{8L)->vd2&
zVDSiuIrz`k9pZjrweB%>8ySQeoN1T>d&&GAg(J8Ho+?F)Vd4!4}aA^hlgyg+hG5-$l$^MovzqR*#wX?dwY($y|hI?=$1u2bOsYW
zeik~j2nhM035(q3+xLpe<}*=7C7OYJ7mODK^f+65Jk0go>o#!^7|m2wJ*bZ;!!T?7$ST)5`K(s+ogP7mvh<^eBOxmG~R~j
z?QFXBU|O>{xfrr^ww5`ut3fk0&E_@=$pW=}*+OY@eqF3Q$8*87OhryrDT-*cU^I;U
zJ|4%vrEZ6tJIHAEH&Apid;P>2=DaWW(`tIug-{|lD=<(W$7P^Q?0LA>pOdVO25{26
zRx+M(0f(B5vw^U$Lby}SQ|DBw@yFX7EsgRrrO>XN6%3LM3=^##d98aV7pGr%F9%2nJe+QuEUo?>$LNk~E&SLB9Pb_uzq&Nj
zQREq;qlv$r4cwkr1rF(64h2YF{r1jm8>CL>Ek~gDP`g9|(T6maIt0772>)C=?6*TZ
z1o{*W*vs`oia56?6Yo`(`W{<}wQh05GOA9xYu-OQtEn{Bo{e1t!GzbDp
zHww}v(p>`5(%necm5vJtNQWRLDc#*IjdVy$OLsRsi+;ZU`OQ4cFkFVqeea&#Q?FCf
zZ7>&(a`@#mn8l5QnMT-AUDKN)k7*U3jjt^!GJc?bwtN=BX<&T{^Y*ai&7(c5qVXM1
zIGLOtlB%dCaq(c^RY$t2M2=HzNNLOKkhsdeKpm|
zea2`NT9^!-Qye<_c44DqS-eCMbiW~vog8lgj$=ooU+ZofYCKa2n|oycZB;3%;f>v7
zQ}^>ly+WC;8P~NZqPT<(;;yhP8^!KODIKs&K3VlcAaXRt1wzmOr)i7B6
zLm2ejYJb*GVk+S!^Rib`uX;4W#>GKoA|;r5HQ?2@8hF#`@q`d|yqF54yFWff
z?AB-Rh7!eVG1Q@Cn5mkDenm>|-0l@RK}@10_`do=@BMwcQDKEe9G4`{I05ktS`gt|
zBPNv3s}1icGLErcyuc|Cc{K?aWD$mb@R>H}%<%8dbKpS2o=z-jc-f$9W4H|T1y1n?
z_|G@=B#O3O{5KsoR(NjIXk5ObU6^eZG$)BGWn^;c+tCc%slKq{2EWsiqCmBAuWYIx
z)_4)z@Ab9us#kwv5h9vLXF`v~qx8fEv^h%iZTD;WlH?2=UAaKM%3Gsilt3#tPCyt@
zKp2oN0$9P?RQ6goR&KN7(d-CfR6T@4;aR<33UbKa?SGQHO8<;SU7PF&Qag<%{>@ItVb%_-YQO+UPR`|L88;(2TYjEL4H$`mDul?3;gkK>Ap?Ga@@
z=HCJz`gfq?W|q*Y$&Ww6{!-=2kC{v#(t5xk_v@sB?HwC7dG^P6T@7
z<5o(9Z(8AY#b+YND+$83+UAf;H1{8L1oCPg>Q+l{z1Y95~}?|
zi{j&Y&5KAuR0OpBU`_g*ASe3PnP04mk1GdP)i%SHD@sNb#Rmp7mGOajNg_t8;s^4A
z^8e78jEP-8eY}Z@2LHb{F}mq!FNWBXPo@I}n?X~9D=G;P$*ya03{Gll2OE^f6ShWP
zpAN!5?cwh3F{Yezj_H&t8Zdf&T<7F8MomaXPzg$=&LlqxqN=Ee`L<@GAzl7x!aPaz
zgzLO@{klQ<-IkxFABl$NvvIYUV%NqU^J|b1-eub4#qYNGtsFmljT-q1dBBD)*_gyo
zN9&7V@d}>sQXOXDrhOeolsQ{_l!S25pNz^eh4O?^q$ExgEyXqJZD;IyN)$sFIMH<4
zif;&SwnVa&p}i&&r|FN^oLvMoD5K>EeY`F{z;<%~tWz1*ixCAU)+U$gB=2QY@~XAn
zfA2>!+|kGCv6dIE6T!2hMW~gkC)dBX}9vO-Lb`?gl2A-NhX)PTA$KlAa8
z91`0v#-Z~~?GR~yK;l;Hfoaq}$g@Ing#{PW#~g(LNV3}hTU+r66?%+I(
zd#6M5U%|q2#WlJcxL$vpQ%VfqV}&PmTRn0Sx}0;9*P7kot-gDfS2SbLN12iC+IbFFkUz7eY2J-%?4zCjU*n8D9j`YW~sgCa!@e!J2tGW@_&^)qi;=&VNEiY
zlg`G}JpjqGQQnHQWB_k_JQ$znK)M_xz1DTNGuXA(JkVaB*IR5n7jS`#J{p70hG
zFZ6}D*&AvBssYocc8eyi&mIgUB3{cn|EiIm$0})pLcdN!7=7D}ZAoJJx~*Zk2$`D3
z3R3gPE?7-(kB{StT{GmSYwNf~>x%0fL;15~wK`gY?D!
zwz1}$sm)1TMYxX1l~Vuns6FuB(+wT7W_wZeQ5XSn)Z5npvm%SwEM7}gpsHJsXl~st
z#>#vaI9}s$R5Nak++aM}^wT$7*K|;8f;%@+MktBOIMMCgp*?)=4YSjaU7p?gWl?MA
zC3ohOZoa5RXD=y2M9bH_YQ~iXXvrZ&jQ>tuaa3gl4kcgpK0VyXPUQJ47tgaDI|XJf
zY{rkWg|ZCRhtY-cR{g`&q|f1wY2mZAg>Ej!;-pHXSYdWHTIjfVx@EQBT!@Fcg}ozY?2-=fD%8
zM2e{HV>w6mk60N?px?;S8aeGxmh_6Ux;=@Xbwt9;uU1i3l|UB;gfqYQ5%Q$89hWit
zx4T@e#kW|L=NareS(j44RQSlYfZm<`*9HLcku}B!wsYp?6SL7ztgyDJ+Ywhy1XBd@
zi4H_|ejlZXb8Y4xm#vi5|3Dx~5a00ikv3>p((~z(RAi-Nv1!ot+E{&~PQ4h3C@;KM
z&Z{Q%m%=(o3_^mfZwDKk+Y6?rKHjX>kpD%*fi0-nR|6vot3)R$81hD*I6Tom0q1M>
z@1j`iV}B)QH3TY>)-k!@>q3egHdC#1Q116gzLEd8ZHfX79T-KGxhMjzIpqQp
zDsM$|1r#STylJ2A0tv`I?ANE%qNxKR)Znr-Pr`CteCXV
z_h3*lbM5^*ZFM3#>{Y-7#P>x33@TCUViseiH7WOuGaeWlkYppSHeTjd&ep6f)Lo%f
zC5_2T$%(+deQRX3p#O8DA+0d&7klE}PcX77_VLV8_(IRMSv^=x=VD6|9FzxYig^xZ
z+ydRT0s%O{5hzQgkfi??Gd
zCfF87X1;%KAuS3cp73S2&B{^>(D!at#54|gEHP)t>h+wr=BS62=}!i7c~laQG6igi
zowXdD2pM|_omcm|qd10EJKLcD^!M8}!*UqWlHfJZOuI_EB*WOYpWWQSs*rCIdiG;?
z9rcVnQ_B0VMy0HO%q-x{eY$7ZvEoyu7Bu_E2YumaFFtj04G2HWN#BJ>>3p`^k3JdC
zdNYP%arrt|8e6bRmHrcf|K4V;`;4hFNAsFiyr#LvWzDBa9taOYTDZ
z(0m)K@5>%%iJetH5z#f&>kF3bu%JyFw-iy7VNVne(fjvQTA$xckL`VGFt(>rKjxsw
z;VIabrS|OB!_xPzk}!Z0f4c09rxOyHoT5RXodQ1W-)o@A1MEB;>RS)})hDl+nJR@b
zEHjq=#A9qUSi^Cjt&6=W{q~Id@^2#@@P1WzW}h!;BE0l}Oc*(h#IMkZ%f&aWpNiJA
zc&{n5sla;9P0a@EvTG;y8{mrBKJ7aoV36TopiOoJ*oAz&ad3DJwK8MW><-!9pFOZfa
zKU#-~r{Sq0TG1fLw{>k}A#4#Tys
zWKZkUHs@FzI5B;9`t{w`BtyNbMD{OPFTAQ)hvcndJqU|lBy66%9<6On=DzrMFe>iU
zpikLEclW3GjD?2|kt7V!=96?b@s=w@mkT(RenvIAu>Xg`yntCmpgwQ^
zjAHRIn*FS(c*l5Ml}C?dCV;xubQ`-NA;7f+LZOok8yfuQOtcS|-C)`FgpB4rBkw76dmu1BbG>tB$O2Gpc-yux2ns;_t3LHUvids_8Y=NKz%vK!nO@7|}mJ#aLC
zL2vNx5I<0bm`Q~30@sSzx@u<|X;a<^v@6PaU(>IzS|FVeEKOj1H1qBAk`7Y8R8swP
z#R5vR#$KEfhxKD`p~o-Wq&B#qpCX7~SDp+{xgAxrR`eUqG8NpaOQpEUUZlg~_l@Ri
zuMrgX2nyufjQBuBw)!ffLwb6GFUs=^jCfi8U$+=>!!j7rmgSpUih`J*#W4_G#o)P4
z)_4i3i25(mGda?PW{4}l{wrlv1?>*sKd@@`2c|GUD?`-TOWVzf@xT-Ugxc
z0ZgmUl(%c;LXlhU&WUJ4AIhw0m1~Jgx|isKgN_f){&hLX`?bsDb9k4?IwTVdsSr!)
zoLzEo=u&2dA1o&;b+WO*Aro5;GRXgObS)@LgU%bA{bO~Xz1!{IEy;i>tA!Coz_~J)
zD4%5>DKYS3TY>uq=4!Tuq*Mxp)eoM;(I5TxfuDqGPQ|G$m*YenM)tJuXE(|?KU5mT
z*PhE&iWf?2w!y@QOfZN1=KM#^=TT4{m~Ul$ECR&j;(?|HS0t@>4U%#Fdq4EBBJUiCy(@rxUTwKS~5k;tW&
zwOK_y7P{JcpL^7}L4AUNdea}?mpJJR#OSjqkkY(xnx__bv+aPQ8pd!Wp7`q?#cPj3bmyPIOCQ4$4j7RrW4L@X~L-$$gU8$N=piUv-#k*$-u
z{|E2pz!&}vfbMR@XSgRCt3=E`(^Tk<_7M<&h=mA7kNH3(XOTv&oh~uIT43+veoC8H
zM3WsREeBErNaf_vgWewF3;qJrqNX+AdLk|i`q{LPavRCo$?tD{1ZBG{5jc6Ybl&$5
z_p|)$L3}nHi5u&E94euJ%U7_r1T>X>eBB@
zE(6OA9B6r5$q{I_i(g~g6Oqzbjf?F&_l=s5h-ka~s!0xvN*h(j{WUig*|=ZsuKS7t
zHPx!L1y28F%xq-jeQD_%r_*VO&IQXu2r{{stUfLZ+WK%;1y$%XjJZ~WpZ$&JD_dsz
zj~SDSxWHkdVV>iXUWE$^aVvtL;|uRb2k3J501LY6MW8YJx+Jk$(Ohi_I@#UJihyh0
zraLC}l{0nS5H|-?Zg(+*w>aWp(rAbNfg8f&&9cq((Xk-Zf8PV2go!zCZDTF|59oEh
z+Y{0!bk&tpWL2Hq2^zMnbgH);+PU6n>qVBeY3iE-I)Y)D>P@Q+w?cUHVMcAY^_N|d
zt-BCoq2zcvCvZwdfpG?9u>QeHFe)b1|-6!}-VCtB8YTJ}xNgc#bo`C27Cg-W@!2w7>_RcEy457CDuZ
ztE#0<@ATLD8W*mS1`~WBN8eM7*2v9biHK*wmCdmqWMW2ZFmHK
z4li7y%y6C_%KBFTsB%Aw0>lvpWoLirt;kk&Q1$|Q
zI(TqTpshcf&rKv2R(ciF`<^&;_BgpEq_~b65jgJ2MVK>FeN3{#Tr}d(1ea^^ZOShqs_|;P!@z>=$fhp6UC~AxhU_*Q}
zf~G?pWn5gQ;2LjgR`2iYj`mZC4~9bLYhRN$4-9>C7)nk$X#Q5u_7utQxmFp*GbFz@
z6xQpDt+1m~{xB^gKO54cAL)X=z`D%1Q-Ab_{Yo
zrRj>>n#g3kKHY{(3g5T-voCOSIPr`89jo8-XYP(WZ#ndv$ROpcn=_egbf&N2K*c?`
z&giIpJ)`aDXiyLe&HQVESl{twVMoW9^9J^r_KuEsTwqac1}b!ptvZB{>r)}(C<@%@
z{;iz71Mv?GT<(sFU;Re2PaR6|R3hkTCd)!&uY(xZMvJQ_j~KdxKWSj-!hjU^0~NQk$YAGQPN-l#-3J(czMEW@Tk`Wk55Fg(LhE4zxh8K
z7IMN&;I(L&UCx8Q!-m7Vayqc9I