From 78373d3549fd31ce5047fb94bed039a571970305 Mon Sep 17 00:00:00 2001
From: Bobby DeSimone <bobbydesimone@gmail.com>
Date: Mon, 8 Jun 2026 18:48:14 -0700
Subject: [PATCH 1/3] docs(guides): add servarr stack guide behind Pomerium
 front-door SSO

Sonarr/Radarr/Prowlarr/SABnzbd behind Pomerium at the front-door
authorization tier. Dual Zero/Core tabs, runnable docker-compose + config
with byte-identical .yaml.md mirrors, request-flow diagram, and sealed E2E
fixtures with seed config.

AI-assisted (Claude Opus); human-reviewed and validated.
---
 .../img/servarr/servarr-gating-matrix.svg     |  80 +++++
 .../guides/img/servarr/servarr-sonarr.png     | Bin 0 -> 35026 bytes
 content/docs/guides/servarr.mdx               | 197 +++++++++++
 content/examples/guides/servarr/config.yaml   |  46 +++
 .../examples/guides/servarr/config.yaml.md    |  48 +++
 .../guides/servarr/docker-compose.yaml        |  76 ++++
 .../guides/servarr/docker-compose.yaml.md     |  78 +++++
 .../guides/servarr/validate/assert.spec.ts    | 175 +++++++++
 .../servarr/validate/compose.validate.yaml    | 187 ++++++++++
 .../servarr/validate/routes.validate.yaml     |  34 ++
 .../servarr/validate/seed/prowlarr.config.xml |  13 +
 .../servarr/validate/seed/radarr.config.xml   |  13 +
 .../guides/servarr/validate/seed/sabnzbd.ini  | 331 ++++++++++++++++++
 .../servarr/validate/seed/sonarr.config.xml   |  13 +
 .../examples/guides/servarr/validate/url.txt  |   1 +
 15 files changed, 1292 insertions(+)
 create mode 100644 content/docs/guides/img/servarr/servarr-gating-matrix.svg
 create mode 100644 content/docs/guides/img/servarr/servarr-sonarr.png
 create mode 100644 content/docs/guides/servarr.mdx
 create mode 100644 content/examples/guides/servarr/config.yaml
 create mode 100644 content/examples/guides/servarr/config.yaml.md
 create mode 100644 content/examples/guides/servarr/docker-compose.yaml
 create mode 100644 content/examples/guides/servarr/docker-compose.yaml.md
 create mode 100644 content/examples/guides/servarr/validate/assert.spec.ts
 create mode 100644 content/examples/guides/servarr/validate/compose.validate.yaml
 create mode 100644 content/examples/guides/servarr/validate/routes.validate.yaml
 create mode 100644 content/examples/guides/servarr/validate/seed/prowlarr.config.xml
 create mode 100644 content/examples/guides/servarr/validate/seed/radarr.config.xml
 create mode 100644 content/examples/guides/servarr/validate/seed/sabnzbd.ini
 create mode 100644 content/examples/guides/servarr/validate/seed/sonarr.config.xml
 create mode 100644 content/examples/guides/servarr/validate/url.txt

diff --git a/content/docs/guides/img/servarr/servarr-gating-matrix.svg b/content/docs/guides/img/servarr/servarr-gating-matrix.svg
new file mode 100644
index 000000000..3926819d6
--- /dev/null
+++ b/content/docs/guides/img/servarr/servarr-gating-matrix.svg
@@ -0,0 +1,80 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 760 420" role="img"
+     aria-labelledby="title desc" font-family="'ET Book', 'Palatino Linotype', Palatino, 'Book Antiqua', Georgia, serif">
+  <title id="title">Which access channels Pomerium gates for each Servarr app</title>
+  <desc id="desc">A matrix with four rows (Sonarr, Radarr, Prowlarr, SABnzbd) and three
+    columns. The Web UI column is gated by Pomerium single sign-on for every app
+    (filled marker). The HTTP API column is reached with each app's own API key, not
+    Pomerium identity (open marker). The Native or mobile client column bypasses the
+    browser SSO flow entirely and must be tunneled separately (dash). Pomerium gates
+    the browser front door; each app's API key remains a separate credential.</desc>
+
+  <style>
+    :root { color-scheme: light dark; }
+    .bg     { fill: #fffff8; }
+    .ink    { fill: #111; }
+    .muted  { fill: #666; }
+    .rule   { stroke: #ccc; }
+    .gated  { fill: #4e79a7; stroke: #4e79a7; }   /* single accent: gated by SSO */
+    .ungated{ fill: none; stroke: #666; }
+    @media (prefers-color-scheme: dark) {
+      .bg     { fill: #151515; }
+      .ink    { fill: #ddd; }
+      .muted  { fill: #999; }
+      .rule   { stroke: #444; }
+      .gated  { fill: #6f9bd1; stroke: #6f9bd1; }
+      .ungated{ fill: none; stroke: #999; }
+    }
+  </style>
+
+  <rect class="bg" x="0" y="0" width="760" height="420"/>
+
+  <!-- Title and subtitle assert the finding -->
+  <text class="ink" x="40" y="44" font-size="20">Pomerium gates the web front door, not the app credential</text>
+  <text class="muted" x="40" y="68" font-size="13" font-style="italic">Each Servarr app keeps its own API key; the *arr apps have no OIDC, JWT, or header identity.</text>
+
+  <!-- Column headers (direct labels, no legend) -->
+  <text class="muted" x="360" y="118" font-size="12" text-anchor="middle" letter-spacing="0.04em">WEB UI (browser)</text>
+  <text class="muted" x="520" y="118" font-size="12" text-anchor="middle" letter-spacing="0.04em">HTTP API</text>
+  <text class="muted" x="680" y="118" font-size="12" text-anchor="middle" letter-spacing="0.04em">NATIVE / MOBILE</text>
+
+  <!-- Header underline (range-frame: spans only the columns) -->
+  <line class="rule" x1="40" y1="130" x2="720" y2="130" stroke-width="0.75"/>
+
+  <!-- Rows: app name + ports on the left, markers in each column -->
+  <!-- Row 1: Sonarr -->
+  <text class="ink"   x="40" y="174" font-size="15">Sonarr</text>
+  <text class="muted" x="40" y="192" font-size="11">TV  .  :8989</text>
+  <circle class="gated"   cx="360" cy="170" r="8"/>
+  <circle class="ungated" cx="520" cy="170" r="8" stroke-width="1.25"/>
+  <line   class="ungated" x1="672" y1="170" x2="688" y2="170" stroke-width="1.5"/>
+
+  <!-- Row 2: Radarr -->
+  <text class="ink"   x="40" y="234" font-size="15">Radarr</text>
+  <text class="muted" x="40" y="252" font-size="11">Movies  .  :7878</text>
+  <circle class="gated"   cx="360" cy="230" r="8"/>
+  <circle class="ungated" cx="520" cy="230" r="8" stroke-width="1.25"/>
+  <line   class="ungated" x1="672" y1="230" x2="688" y2="230" stroke-width="1.5"/>
+
+  <!-- Row 3: Prowlarr -->
+  <text class="ink"   x="40" y="294" font-size="15">Prowlarr</text>
+  <text class="muted" x="40" y="312" font-size="11">Indexers  .  :9696</text>
+  <circle class="gated"   cx="360" cy="290" r="8"/>
+  <circle class="ungated" cx="520" cy="290" r="8" stroke-width="1.25"/>
+  <line   class="ungated" x1="672" y1="290" x2="688" y2="290" stroke-width="1.5"/>
+
+  <!-- Row 4: SABnzbd -->
+  <text class="ink"   x="40" y="354" font-size="15">SABnzbd</text>
+  <text class="muted" x="40" y="372" font-size="11">Usenet  .  :8080</text>
+  <circle class="gated"   cx="360" cy="350" r="8"/>
+  <circle class="ungated" cx="520" cy="350" r="8" stroke-width="1.25"/>
+  <line   class="ungated" x1="672" y1="350" x2="688" y2="350" stroke-width="1.5"/>
+
+  <!-- Direct marker glossary (shape + word, never color alone) -->
+  <line class="rule" x1="40" y1="388" x2="720" y2="388" stroke-width="0.5"/>
+  <circle class="gated"   cx="48"  cy="405" r="6"/>
+  <text   class="muted"   x="62"  y="409" font-size="11.5">gated by Pomerium SSO</text>
+  <circle class="ungated" cx="248" cy="405" r="6" stroke-width="1.25"/>
+  <text   class="muted"   x="262" y="409" font-size="11.5">reached with the app's own API key</text>
+  <line   class="ungated" x1="520" y1="405" x2="536" y2="405" stroke-width="1.5"/>
+  <text   class="muted"   x="544" y="409" font-size="11.5">bypasses browser SSO (tunnel separately)</text>
+</svg>
diff --git a/content/docs/guides/img/servarr/servarr-sonarr.png b/content/docs/guides/img/servarr/servarr-sonarr.png
new file mode 100644
index 0000000000000000000000000000000000000000..b240e25e9eb4ff4f279f3e8e89c80fb87d71c827
GIT binary patch
literal 35026
zcmd42Wl-Ep)Hg_k5Zr>h1b2elCAf#6gFC_9H4tE6aCd@RfS`jzaCZqZgS)#kJGr?}
zy|q<awI6ohs<*#P7j*ak^szp_)2G8fDa)Xv5ThU<AfU_1N`6K_K!kT+PP}~y|M`bP
z{ssK!h0AA|j|i1xq<aVmln8Q?;_9B6hY&AclC65a(|q$fon%`D=!S-}Eq!&uZ)Ep@
zm$d(U1Po1uzLO={Mbv4yff_KdPSi-OA)+MeGO*Ttd)egomG?y#PB9f#4{ZakQ1n($
zIjODz?b4#%(Fuh!=|VEAR}$${JB27k=HwSwi|xrTW5VN^#^&w!jDP5Xx6G5@xfp-D
z2u5s_FW&sy4+I9jCj9$X>X$f1e|x~UvVnhRQBwc^KhV+AY0`FX-)x}|(P@DzPO)>q
zQx6|>k3{ySrB+VtC%ED!wrFMVdc@!_F$f6V+G$n(f*YtxI2R6sD$fQ*!Vzf<zj%c*
zbLw}YrPHoDw%p{e{tgbTB2o^_CmgHNG}q6jvP68s$DFhrUEE>P8NrxGll~(icw4oh
zJ9!aZs|!1+=}}4;^bZG0UAD3G4!=j;d=*NB_LnmVo%50JJI`!mejILyJsxk3u^pMM
z*l+<10-ozj+F+l5Lb&lT|E?EUl_nRMe>Au22Rn?`omeUkIL)=BPkMEL-X}xuliSv&
zmXS&Jv=tUFei8ZY_1`(GHg9l@*fOpt<b*+$THmKrrwFdE_b7aCJ@y--ji5^tznxdu
z$sKGzlhojYcq%m8){t;^3Zy^%x6#+ZxGud)(|SGEy`|tvKzi(V{_{}}(y-C^%(eZ)
z->|E-o}Sywy2LZ6c|FGAecj<5!AhO>kI=*Ssz*_z536=!cWVs?d<)Cj8#>b;^8aJZ
zDG!8cg45UH<|YNTiIjQ~3|k^Fd<Llzn#&sw%-cxmTjCec8P+`qZ5Dj%c`aoU6f|n#
zc5}(gQ(hiDOI}*iuy8o{ZRUkn{GlsPzj4P?Lxq-MQydV^`y0_pN!2g^Zar`Sn|W2F
zl{di6Ix}`{=9)13URtA=d+bm~k?)1Sqxm)_J{<;ZI^)&NJHr|8(Fz3vAK4i<i=Z2w
z4K<bJ3&rhzhdwQ`+r4Ynm5%$GwG_AtwE8NFWOY(L%6Trsw6m`^y3mkg6eM%_+}eB#
z*3=!e-Jd~R(4}O^^Fjy37l|z1KXe49^&3}<E;aMg^ICgG^sX)59zWZI?B0ll2xakI
z@E@L-Gx-+lIZy86))%)kEuC20(jWVK?@{=R7+?s0mlbtdskO>E1Xc<DyzWYBUtq`9
zPe}-TefwAx8SZ`aK+pradkT);fOt2>1^_hIiw=7XVGlh>^z_a4T<NrH&-DU)1wcH~
zsr38yA3p-}pk_I}o&VY#b=-tS%cj}vXE%^4?dSK!0d0+e!aqO<(X3OM;SD+}1(wOI
z0M3C86|cJx<j*UIDZn1Io%`h(SgCD#_-U9T^NV&f@gKmo$n?gmFs%TMYo+xy_JO1G
zpJ4_(3@O_2+yMI&*=Z)bN*ZcRP*(ecL->{<C)&-9$1;~Sl`2~CC#urEtj-<Arr4Wj
zxA$z|o&J_+Qrl@S`aaN|ihk?m9w^1SqM;@^`#XM5oQUsL4T-HC=82&D$k5o>kk@&h
z2Fm;|A(Gga|0?Q8s&>NJS`1Vp6%87Y%v&-yJC7Atqq~t+(<tHRbaX~v+0jcGo$e^N
zAs>lzpTUqSJ>w7G0h=<AT!>Rt)ZXd2E5WT8w_`~`QaN|`QVCW%&P<$5b=~73aMHoD
zZ$)rbhpReRwuKY!dFafhm`wFT)DWVYNJhVTXVD=!V_FTl0?fAC5s1|Aiv51A9sdbu
z<I#D(RHYdrIisq7;k+11pF%rC;+u^6uWC+T1fN%h)f!f<&3I@BsRoQrN}TAq-pz>S
z4GXV2tgp@_^JZJU@7$a8cXp*7(oc1(Ij*}ondW=?m;+wEnQbp5sMBs>hMmcrh!L=k
zoVUcb{$?}~2t4%&;VSj$^mkNDw)SWdvpIa+s~K75m-FM`d!-w7#Op6-|5;N;rWORu
zq&R+FmpD<txqBkmT8YKMJF1!E;al$L$X}3(|5hh6XQ59=AeB&2*|hdt!<%HY`)pv%
z%QR(rhc3f+d_v<jL}OE1B@c|CJE#r~4ZHCu0Rm;?>Nnd!ILR`#QH#eZ!`9I0HGiW&
zy9K^gSV|90vy)QjPQ+cs6?qfo#j#L4Jb#p{kDfn$Xq7(a5;#r!{E)Avme3lYjY|+Y
z<lp8k&sIOU3GLWeH+f{ERUS~J=Y4DGjNJj*+<A$KT~G8wGLh|yo1qiaXQ$gow~kTa
z8tOe6ro{ryrXjM{AYFLUdI#yW>wpCZ1f0}r+6~2PY03dpPB-zqh96Yy{C0*lD8Pi%
z7uoE>4~%;L{*gy*Pf0fve2W6-^i|q5&^hmZB%k?X`?(?(FH<{~7+~Y$mh-%iq3=T*
zrgi%^o$ya4aW1ute|3+tHQZKQBQGB9UThFEwEL)OV>$w^w&b8uGY|5~%O_hE^A@Ll
z)Jq#3kxtH+FahgC?aim|)_(+`KCFxY-?nJrZ<gd0qIId(y`DE~ww-Gc+jkB=pG74k
zpMrlud&+H8^;hP+#g!MY1R{j^3Rb{*Piy1W?U8aVRDHMiD;b!nz{`s9*&_e+luVC;
ztu4q3;RCB6L0tV2uKw7oa|Uw2q2y+rpI77c5icM18J8M6?q1H)%5_$f?8^12_}K-Z
zOZ`MxMm@*1C7k7?)TL4$n+eDvP4P!|)W6dBrIH(%S8c7Ox?DxK3g&Jpax@h!kzXh=
zzqs}UKAKngK7TsiUyE$<#q=q;SU5Vn&H8GrQtm<A1#kmD2hC_B$Jo>e$+XpJW7~N&
zX(V_<Q*2gS?$uUibJpeJvpd}H5^U-<taF1%E(T(%Jk31GL8{`)6~a47!?-C5x4vxH
zac6ZoA!ky)?RMXv4)NIZLDoK~aSWy-k%YN_NJNNRr+9x5(B!kzbKwbm25;su21w><
z|MUY`h_||W%7e{MM@>iR>$&e3R^c{<AEq#LQ~T}fuiQg%%>dih8|f@7(sZv*nBAx#
zGs;~y7+PwjpFsz^N^dnh5?T}T({Mh7J5|0Io*1Rbr+9*7ay|1Fn1e>n?{MH@(XmRi
zt(Fw(d(Di=QorMqe)k-b(ly@RO<(7@yr<RbDD-;_A^m{a!kAm#qEYMGv%6AXYG!O~
zcB-v*$)zRqX?^oQI|#fh=M_1qI$(booHtbF7+*Tzn=LL<vb$R`OnmGr9PYcWG-%_v
zJKCS4$Cy*Ht2R|CPtg!s6_ep143!Q&zY>({eXi!FO$^u~gB=Q8F!=HIyP5<$YR)az
zZhZ4rcn%8CGi<iAx?lWo=hnoiqF1-sW}^W7QvGpg=k+X?8+wJI5FVyp`|i+drwGYb
z7R$-3z2&0H_T+|Z$lPxsc6nVk6I?Cr&vl!3?`s$^gwhox-?2s*q-5OWOGd98h+Q{a
zvsYAmRLbentqtLR&R%ZZWD*$Nl%oH4Z(b#~R+Ba<`bU?1pXLWGI$HOd1K6+Bo*4-h
zHVVh>7%l@WSthT$A`e{DiW@eoi)LTxm2)$i=T%Q<q|bH-SUz8j>w)B2&P|FLB7lt+
zYQDYgh=$n*A`Z6JS1pe9PNAp<654l1^YlWa!8es7jPk@~K^8SahUH&Iq7wAdlTNpj
zdc~d!x{guQEfyBNPWoL}_79ON$7Ht>CQTTtMEp;T+p>1U^?6*K#+doGr4#bobT7`u
z+W?mSja>V2v&>>!ElWbp!*0>Oai7FzIIYvzAl*5$qF$<Fh7LMi9)K908K~1I%bk2W
zfj=9TY(5VGq34yr?l&o3?leJ%#Mv&^lf*t17O8ku-=wgu*YpnugagU7+jhI}uNm1_
z2$(NsRf-?C;ei0Tp-A&c($W#seTn_jJD-O$iu0ONlN-B9U>WZ7f9j2;Cg9nEK|nz*
zhltWDoXe}XAwgsgZ46kaGORn#uZnN7_OhI9IoMD654XZ=3Q?^5s`g}Mav(<*zkk4*
z^1et&Kh9ep9pz~9FF!kABmFC%SlN@k`>jgMR>T~omun}L?W$xs{8@-){tb+)Zzn(=
zhgu{*rtjWWS)qS@*39>aVl;N!bu2V+sG}>Gdp_h0cHW!lZ_GU32wPY7-5K?7Q-<E9
zDiQN>aNM3$VaDhHmn2r)_KI;yMo`^T9$KQ?#V8!^wj;-m-F?b)V2`y!RkMp%dl4z@
zIqQ^vpbi2;>ihlMp8l#1Df;l^=wuQ1?gpzrXY8^=w&$DR(Y3ey{2%zI_g~QES<bPv
zvWVE<=Ct|Uw;Vqx#mH*<%qLhG`o`WK5#Y9JwU|KCh8^_ohk_^V9~8z#gdZ=BsP8{k
zJY4aW2)%3aw7t%$Vv648UV*Jh<VODiR|p8wxQn)Iyu)K7wPEwhd@l@`V(t&NBp|JC
z^7rOrgsbcib`9&6@kw$#Z&9fuqN8;*Q*+XNkIMp~Ml7&nPs5IE;Jve!BT~g=#Z@?R
zgk_HJKWs7Ysaux(M#W;TBGrulp8p6&C`B0vxRW#lW&wso4h`BT0jGQ1M_GL%!qr6~
zrX-3g3U`yq<q8U#KcDbW$_4$;gJBT;Vrxf~p1B@G_}XV@PVkfKlVap${f3=G7O8&P
z+keSNFcReF)LQ;9Dy4o!s3q-^?Q@UkrrYm$?X%EVAM?1M9T};PKO7)XRnT**!1rVA
zEETuk`uDZC&F4_HX#-WSAh~hRHOZY168{D2gywMc(6V%4=aSOaoX5`7pYa5Bgy4BR
zUdm)rl5eHwq$Fe~pC3I-*cNxEHwJpQbZj!&j_gKE{G|qA`ok-U?`=2&_Ip~e57$?A
zurtg`*mIFwo5xAJL`T3Ct8!vb{oTFtcpbSC8g|~@G4n^VmziNT&!>PAi9c%u0zQ}`
zb6^+NX3eAg0PFeOy@Njds%&eC`r)1Yr6}k>%z4TK|4bN>@F7#m#M(7Wl0u^`4E!8z
z?$WeUW*4AudLq5T{+FVW^t8hl<jD-{cEc)7bV3H5S-ZTe;>8b!N+Lq)>B=CxKGXk5
zKjmRY{;Bn@n^7(vZy+DPH)2D|w<(Z{8uC4V$wUa^P&%15EOccNW|J&R_IFC>JPTdt
zf3w$UP7@;j>yN$q-wAX7Ux4$nOF-LoMy&KpY}yVZrN2x?2m}U`8~vs3|04$PL^mNv
zK;U<fk^wn1ZpZiDEue8vvIi}2Io`IUtB8qhy0`3b2*N)VnD*^8A$8WL&Yt0XTGf}i
zfkcF^sUyK6f)}0NX=a?V64GfE<bm#j5R9<lZO7|_ie^!TlHj0={+Iw)^Jr)B&V{_5
zE(P|cP7|_aFl;xo2X3$Vg@t`R{c`-Inx_s<O~N9A(`nKE<F;?`L-TqbB|{_`%wGHU
zZ8>8uW=c;RS;kCmq1+5NPO1jAh9Hmb8`xC|%v49xC7>h`Ib&E(1p~8`wGx`O90*gh
z8tIUbIV3B86RIi~QL{-4Ti>rs6&&&KHGFwMf2GIv(3O<Nf`2d(XA#EzL1v^Egd;=t
zg%m?erK+h^!?NM`N1Umi2(3*G_0o@Iy{*{iqe<DxyHEMG3YHDGF!Rp?re;$N)SoR1
z|A_8wc%hdZYP@ODX`iQ;dSa@fN3#un5DF!2hf_F;oO`GqF)QiARQz&5G~3gjMaAfL
z=0-^nE%t?0h3pO|DWL9j_pCv*jb{cs>Zh$!gzP}ZqE9dN^VjpDwCFEPu?Q01bYiJ>
z(=&vj<q?exUOyVI)pt4rC0N#RRrPGuwPKv?O-ZMU!A$FUzQr79^zT*E6R|2pr#+eh
zB+v6)RGDX<XxLd+C;oewCjwb)9Tz<Vw3tuln&jQ5caH*?Sn%i`i1Thz&EMg3D=jVZ
zDd`4hrn$oBt?K*--q7lWABcmTgUC~AN+K1O_uIV9owO#;h*Cttp%Rj$7(QDyb&kVd
zMWzX5SJTEaEZ^Z60VRo0O)dy9uDti|N8nSuT_u7Qao)v8B33(bn&5-#KkzllSQ2}y
z?6%j*#DJ@Tp2BP~{c)1WpK%J$wK+k(CbimWR!(xrlN$7k-Da|btqGY7u!SSOQ_m3>
z_V(!|%eQX)xdnSu(J4<jsvS@>F2IIKp$o}7c-m@X6tpOG#p6bNk{F*Cshw6*s^L*q
z+Ap+~H!B|(J6{Y=)@txBez!?qOgDJzOXvD^96K)7<5z@h?&@-Svj};<)lWl*t&2vk
zQpd)F_-^AJcEv<#)N&Q~Z*0&>UpUs|82M_mFDM_urTs$=t?TC8Q@H*rs}^^rfa*mk
z5SIpbYl{{uu6wVn%<ANb!b!{yJU3Ip!?>P@LO_2(Xy2;Gb=kGqvClmqVOA?-=UzN$
zJMBtz>ubLq)Od-=Ny@9+X(<ol+E?}{U+O;oXpyQQ3vAi3)a@~$!tP}@p%#9Dk3zS<
zXkM$0I}SHTtdGLv-~tBy)r6g!T}Ak=TQ-*K^}T+0S{a->hGxbyxHT;s$0tR>5A-fp
zq+>p`OySvjT0W~9haV!d3lzL<JhFjQ>kQnRP*kmc8zE`)4g+c`6*@e);nMUIhx|a&
zX2KrW$g}0`@BChC=-}of%$rf$Uflwy7}iZqjb|{g)&>#0N4Z^IL+!-+^zq|zn`P}v
zLfQ8H^!_KAcP4jUfO%hsHpp7XqweQCJzAU*uTKaF9O<+XISGZQ&qt$MCT4kSjCyQK
zLVlhRwEK@8zJqH&weZ<aNBv23>d;4ZPF6m?z$IXwyGnQSOMbPbR1V^%Rh8)YV#Uab
zU*1+&!6*3@lZgG{3I$BsSdni?hgU>57!;u3Q~azL=Fc0Pp1GhDD5BSgn{Q;pQ+v;d
z@Cz4(@Z_m3OQi42`T%c}zJEy4lrHQCQez`W)Hua`nV|l0rM>BJnnA*Xg-2tViaTNC
zD=z_L7JOzQ3HydcK|z{k5^mXZ{)INNCF*b-Y}Kc|IWgE(&YFv%e2Jq#COSbCnj2gX
zu>#ep6Xm57JtC6ArL(|q5fzn-OvWToiB3GX*8+$YgQF~K4XJV7rUtc|#q@8Gv1#cS
z18SLUZfEt(eLJ9Ke4#Zi&I?mBXElcG7-9PAKaEa)sTn&rIDag}26=K$Ra*}GUy}Tw
zS6@p)Q*I8uDrn?&aD$yH?-Y@UP|IP}z8Vos8MgD_huDvo_8p&XpFO0iDeUgE3i(;<
zISCxjm@O=#)__n#qm$tFS*Bd)a{(@F8sz*e#)J7QMOfK=MV}ADvcutVi$)!rCJ!pw
z4G-I%23Ok5!9pMO7sJROHsFT1aqX!ylO9I?l#}v&YEbeDo~t~i(V^Ck70%;3cU6mV
z$R61G84m0<*<x1&;#@=)iLcZY!CA>iZ_M_JoH_LZE2X1$`qP<bNzJ_?M^c>~uci4_
z8pq&L*r+q+X^<^Gw)sxW=UVM8!)lut<z`%^0@tdJnJj904AlVUgI#iW5L;u&Tj3$S
zDN@UjUZWRp3EabMPQFgR6!ma?WIw82#0dB7@uUiyHb>Ea`KYf^e#6;2i6h=BJS5ab
zFOE&dicKy8wP^U=Tu*oML}<&)9ALbjo6nky!b7Upuoe^|uxIG&)|k6D@>^@e#Qf&b
z7W6@INa*}-Jm87G#;}UqE(dBvN8R>oW)=d^^eWPUdTnRF)X~+>nh^b5AoGRZ8A>1`
zP>xvnj4D+Ko~+z~aPsqClj(<YlRZHhhm#B5-bPLeYkOFiY`eIJ`p(qSj&Uy#ovW&$
zi9(uK=9-AKS>}Q^2{k0ZlOIwE1CDvY+G(=na9g-*Vzsv?t^9)gJHwg-Jye6(%A+xw
zRI7?@EORxjlP%?8z^VSk?zgdtJMOB>`>xxU<M-uys3}g*Pn_k31eY&yAX@frOT!B=
z-yHL;&)dC~!woGRzDd(ugtrx$>Nn}5>d=8w%oZ70i2<e9C-0mZ5;_lnC;DP$aD&Sz
zzX5qYhmfeCJmou%_fkYFzVjcxxHPz3_REGa%5hoMad3(Xs;k(dAZh9OQ)P^fDXKho
zlfb@Mk*PvB*)+Z3ishYSsjIaTbU3dS&2`jAp*ObUw1HR6S+mPJZ^#q}q{VTXJQoJ{
zlMygWT%#gjVc5FwoB|@I_vrF|iT9tr121i4i3-1;B`?Bk&0;*Gnf583w)1EtWV5`R
zn(=SrVbeSm5?x*b8Iezy=K?_}#xD=gK51upy%{uXn4PgoW>+F}2u&A^8YHd3C_o-L
z#@d~X$8T(ST&_Pi8NW?Ik&b16M2OGDRs9we87?!;dQ64%U9pUz@1KX2$6d@@#y)j1
zP*ZKRX;|ELAhYRV#|4gWy;;!Pk&hXBJetHmK_3wgRntrDv#15`s;kA^SUMPMzJ^?L
z&;63<4+k1Iigi4NB9`vF;TbGY^;o&<UOT)Q1&c{vAAp9}Sk#NQ%~((EMa-{*Mk3$A
z9far5Vclh&+`P|ggusQ)9jCBy<JR|8uY+86c%f=9*-}J=L&k;16`<~zV%6~jEyu#4
z8_rFIlR=p*y(KOA6|dZ>;mOW?d@ck1)TUn+)zVp6(N8hm7+V{%ebWo3wwezoi?*5v
zg5C9E7GoVaq?MMly_K1Thcz+3AxAGP8uqn$!z~AKR6JORr6iTFvn@lNu~kETo-90c
zaGLG`=!VrDmF8y=`b+FZq3$Zl@%t;={xptHuFOXPq0_sU+}v^WN1t!fO;jRdS+ahV
zK@QWe9c?u^@_VSE=^B81E@-r}pIa78_aeXNk%zzx@Z;Jcrs11L&8E8#Q~CH0y<~g>
z=IG?NQ);HVi{5Qdo$$aSzsDC)$5FRM`f;~A;0PDxt~`R^!fQm|<8if6taSwfVU7cy
zwAjFnz2T}@H|{CAaBoKRp=$+hO)e_XY3StBIqY!LSzuhuEoWc-A_sb3EX&||9o`~A
zMuUJ5OU-6I6T6)#X(hi7+^Lh1L53go+ro7dUu@^-`ebVT$hC-Av3KuT?2exDrDa+m
z+0n{v;MmlYOQ^rX+m?Xvk^+7Se6sJM!{0}%VW0AaeuRqSVypU@#?Z=hlqp&Jj9x{p
zJ$#ABa<l6l(4U8e2?=m_+E#jBTOt7l=bIZ=Hkxf~g_Qi=bLg9^T6;$Y`n*mA#*Tv%
z-79QDGJ!zmv!2ui!{b$Tk2{v$m66Q%$HNh&{zyBcJNzrIUh?4P>9LDp(^V15=%W)n
zP`{sWXBP`%MsGau4mV{R6&c*G25{-~(GB5J8(aGcEXlVidF^WAE18nza}z8g!=#K8
zC(F=yW2sxit@a$Fat$ie@+XS4IC0rWm#+O~Mnzpb4Zk5GM8l^hCaqgIe9no5JAJH=
z7UdA|HaE6;QLmRwA5Z;$XwLbnbBoOZk43pY%X;tdxVepTak)iibgTfb;t87&i%(#i
za`rwkPvP<9E~D{#GXMpsm)dxBae-x2E0ZitByD(EKmn4WPzqysNPyS^N`;EDp5z3E
z<;}{BwAekiw!N*92CYoUprhoop$Si;dKEP5-e%$1Uqs5CF#FTRi_Sg<UTA8?Oqx}@
z**u**ybkHnrOd5e;^!b-R||l9DNVXMZ88zj4c|<*o4um!_f2wWDG4RO<6SQJiO-u6
zJZ_1zk>7pSwM6O(XN+WBnP)Yvyz7d-ZX0gglQO~$!YhOk)Hl=r#MpmnwYQE}WH7qF
zoP$2+VvJnQ5R!M35xUlSV2HT$7?AUnbzeMA|1L}DmqL$m*X)rpw;agOaVt*u{-7V)
zs9n8aa=?eysArE6*5)f$=HMZFR9YFEvrSfh#K0)O!@03-&IW$?9Ujeb_<TkDz#?~|
z<Ymk(iR{?HRzfvlz{XvEMxwmINBg<Cy<@bk=xcgDFk=t;eA_gwtw5kkAD7UVNOS>w
z96h`beHw=xCo#jFKV4<o>?z(u#zpH#gh)IR8qxeo5+#4@vOi(!c|zOOfih3jLuWx#
zToQRoIcal>#*&SwcdOlPVKke>bDktG2#-DH+#P1^!&*AX6&KsT_LD|<nq=&28%*+A
zh?6ZWAuZdi0nM}AvcJE-uTK(l<rOI_c9`Hl@Y`*Nt=!OBvTQgG$PL_^*9|K!pq2MR
zLq`(~Eq;qQ;+2Ddt2!HgjjCmVf+#U>O<>+XoEJjBFQkOObQ&ydVk#MO$Jl*=rK&5_
zv3<DPgvF(6yOp$m=4_O*r0?`Na>|2|+Ag3HsIRQKCGI{u|ASIlLIebEksmz-!+u>C
z)z3-0rwroJm@bTN+8UjB=D1Z>rY7_<UbkSuxD^uZo3h(>l<?zZ3=Z4Rb+iJ6z|vwg
z<!{$imTcg1J0lz$GPklLd#bQ&gDd>Q=fu>UYD!+#_k9oJ#7TXESnCHt04t~N0Os{P
zIC5Rv4`EAbF?5ImVGoaKj)T$AD&FSw*JnQonY2CpBF})dyI-B}FZOjD{|-6ycxk!V
zVtC)}qrB4u0>(3NpVOB9Pc6Wt1m?2N%EbLVS<YL;$71paffQW#n?I=?tT@QAFkCQj
z2)6dfD^8_4kPi>C+KdCoH--v6uFRwW;VQOxKZeySwCE{t+B)FB1G$@Brt8eIq`M-d
z)$BH&8=`1r*Oid50chrZOFCwGp;2EW*sNWoyL<o=SRtj?eYa(BSQLDC@02{{G%`M7
z7k+$I$O3&hyw5f2^3WC;$y~!GX0>a}g7m=wFg&(neQ&`Jx!St+v_23LYLPJPh~_!3
z#KgDh5kq=I`cC5I^Mr?&Ct-~203|&27vQUY9TPJIhu6YJ9{g~0MNM3n`-Fh-4Lf6W
zaK}Y0!K_q{Yh~|GP&AuuVxGs$yZNAue8;dNVASxtU0|veZZN{`UuJON4o(WSe=fzj
zX}LI~9!^j0TNgc3msPJgc=&?6JX1#U@Xz*7o)+Yv{ToDr05E#ZP>0Dpd6r(bRn?B~
zEvCnw&dm)wooJkDf0=iV+N_jhCIseK(J^zC&kTH1(vqxSWID-@nd@ACpSCd5yFlYw
zwXm<lOr<MUzGiwY=L*Y)U536Wo<4GILhBRHnl>T(xnsr%zx0Ycnz;fHr~BNa8>`9!
z=56HU3BC1N+&b-v?oI_AQrJPg>zt%5-8_!Gdt1(v03>lIL47?odLizsXx%D18w%pn
zacWIt@n~6EZPnCai)vil^;SrSGW{|B3xu~()2t#2E(yiA&>~<7+PWh=2vlQU??J6y
zFMQr-YSFV-0$1lYSx(?bi&?e{oca#J)4DuYgo>}=Mg)B**I)C)<oJ`dZVPZSd>D;n
zhj?AZSc&uU%sOHC4%Ot1yh9sg*T&t)8pB3OeH|i+(@Sug_Dei$()M7ExO@NSfJH4A
zeox<!qy?xAP;sH@Pfmw(j?XUtLD#k{)SlX;`pd$)IzFiE;6pBP+~-#6syunT_?YaN
zkL^wV{txI)sKI_ZeI24t&4(*8mIBmp@W9SUCHP)d@H!43*Rg5&h}dtQ|Gk){?%RM3
zxIMusp#3isgeIuC{cFtLG<C-UswQL}+Nv}SPf};6u7-b8tmG1hd#ilpgY4dgqZix0
z*V**azve<48~8h4zj;FjhdXd}lU%k}sci-Wjsm_%yLBGx;ty}+n%4hHN_j<j4rTPa
zArn(n1fud=N|{62pYU98;E3*aa={KQETeWCv9{NOT;Pj+`%jGDHtH8#J~bHpWy&ML
zwG(ix2~b8tU0_G}hmf0?RYeTuUXl+tQ-oAhDjy7vKRtwh_)TT#e*lOGcpe?X&VGZB
zvW#8Jm%m)Fts1-F-_hDr{W}T)NNS&dtv>IFvwiHahjC%%3`G>S9ix_ciT3aRS5sPA
z<dzQnA`=U%8fYFV7<f)zlJm;MnZEsiFk(omD&N4xsysr|(gbd6&s|!ts>|nZqf8-Y
zo}I&zBy33i)};ZUA*bCtE@u^+B{{C=gePFP7mWh41TE_0m%MarP)2ci>8$>IQ~BR-
zUL@1n854tRw`F6JzMTnxlFiWJasSbJ>SP*$85(KTUV2IrP4LccrRa>3<mWBtt-!Jx
zQ;y$!(gWA<rTP0^i^`Mw?e;SGQo?uiJG-|jooPD}I2@daqFp-8+`NR%j_j?SK}Rgq
zm<qA6wH(aKBlRR7l+cyDb6$KfHC&f0++^T3`DT0a&b=?h%b878F7A6?jhnx)um77U
zi0EUZ6o_m6y&hO&#rNKo-jHZ=34SR;owVd#Mm58!IMj;j`TI~N8eX}yUGdCqxBb|v
zfs?OXez3nczaI|lu|icNtH9f$!(nI8PNb`_Ca(O>asA#SohwPOEP6LH{xazBgOx^i
zF76ocXpOYR?~Ax}UE$giF1~o4vvFQsIb$C9Pi4<Y06afz^h`Wa#`Mrrecp46h-ih{
ztWK{Rsh6fmidXOHR^x%8_Acg9!sVjBmDWfmp;At0m3j(HUbWV^vm%>I^uhh%lS)op
zRzhuL)ycHm3~w5Z_XT|A&N~ET4ulac(s1EL$cn?>f&Ko0ebhLs9LTPmr`qb1%er>(
zcw6UsF08h%l~#MTmOrJN$D=wdzj`TbVD3~uiGhwzC%f^Bl<Rbyw1~42LZD;My5qoB
z7pFHN?|^Mazb+v%$B4^kbJgU+YwhAFAP_GB%p_;1F)yIHaJehRJUzlwPc}{RYmjy`
zr2u_Ky^c_LQ`eGzAgKGX;Qf054mGtiM!M^0u})oslQpr5-Y$P5*T4>A1A{2D#-iT*
zqS)%Tj120)p8NE7s3M}(pnkF7C~bI5Vf*o#@7TD4H#f7GKxJF*I4dAFXVgjrYT}4n
z4X^TAp#GxZ4VN!I;CTJ^dHPBOqM58%x#|*58rR|n*Vwl-3d5s{vB<xb%iG%u&muWb
zuK-Sq>%Q(AlgR@<&=>UfPEPU9x2IlYVujx+8_LT7{1m(cj{=|z0jKxWT)bMD+go1X
zQ(@mZ`1MGjaRP(GaE!_-rr=%p=VaqDeG~VJ{ZlKE>RV0#=-lPqy-r1^q0&Y;D%rR^
z(WY1Tq~HEKJ|UZhGCgvE3OYM|iK?)HnZ=3pd=>^}%NC^jMdcf;v$1yLLxrNbH>1?%
zXZs<C;u1b;!M`LvOq83l>r_YjJ!+RT)*bNe^x0CR94mtLnmp^{cgPPNgbH0gNjgv<
z1U6ABvJHeE+mw{@@FO}ADd4j@&&{~qi}0KYI8>L|M34EEtaZ-Ln-9n)TnM!iafs1n
zJJ=q$0rW16f)%$|*j&d=2nC%)EJyIO`NqTld5N||Q(E(dYFrT~Ezs7l;>ryYOs?!|
zVW3==c<>?Z(3T6g`ddVZfYlieIXdwoiE_PTt#l$d>w7#0Hu44zpsjfP)CJd^)DKqo
zX3X36N&o)WGQ$h2r@0T;hP$_iEl;gO49P5@0|A4TBT6UlUpPfq@3zcbuI$5w(``;{
zL^PJHt|FQIe&oo+$WjcNAM@)^bGn;6Ijw}_yD4q)v&Rkl79HQFVXH+d^+)rL8jKkC
zO?durzNIh)#}w*nKt$Hju^aw~K9yGBYlYBk9vFKvu(C<OT}p=qo=W1qU+$|msvq}4
zMZf8)mXs41isa{<x7t(95ruFQR<L}I7DOl1SQE2tAq!sLJK$nd1g&|vE&y+xn>r_;
zJA!;494=pBps9NGA~%<LSAcRpf1;dL&zfnvWmG_UT_KY(;zD}Qk6C+Ki$s9JLW{pI
zG;+4LcFqzyN!C#<fSV($5H|mj=iH(k%P8!6<Anw4JVZ;^so*iuAT};(fL>18J+HQ+
z>`_*#e0J%u2~BrJ^I<gi+_|1cRN~i(4Zmxi&BV-Sg9U2=Eevq$V<I3qi_SbsyOG~O
zxtUy|YK}oU)}@Gm0Ys6&fQy!j)W#EKdZCH8X-3}*gh*HTPjHX*82cNzUAm?9gjb`*
zQEK+V_vj6Lz5KOrL#AD04-p<sQ4fCF+c-a`JNRAy3Vxk~WsH2=Dn8x05a9g-A4z58
z=GnBTDayRZYna2SuM5rIV>IskTuo5*zDu2IGIbiE6x;;^<Mp>Na5_PA5IxZ#ev!i2
zDw2<$0@L%Rry^>^e$q11SyF_|#@I9o7mQ52=~AR=iJaG=lv$TP(K{ZP&XBfxnP{H6
zhm}2JDj@D&ZvES*Pg0i%-Couc-zgluWCMyIH7uGVI}vj8W%Z4~NIwh9ch~~9*Snd%
z=GlS6bTx~OlA^D89}~NIGJOP?IOiZ5e6r-aDOB7_W3C=5g-A)o1G-g|)XwQb2m5sx
zFrFy=XL^i_o3hIO62)lqNK%0oSY2A9<eWjp;2Kr1Q!MjN&1+Q#Kls7QLDA^<Ozveb
zku_Fb3r{ovnv3i~pn=~D*0S;-i^zPHSF!=w8n-uuJl+<$dX7cxyxHXxfJ&!BqO9`b
z`DAPw3s24htLb4=bJCbdhdH8;)kKe(y`26xt41CElrs-jw>?R3TFRJomvKiAb|e=`
z$!)~p*J)!&_Pjo~i|;c;_Q64+eFBX#Dwe(G7E-#zOv=P|L3Me{st#vb7#_FvyWc$H
zzG>-|T|Vo+>pwY8|F{g*W#q3pTvr4`1PqimMB{S87i)=ru7JPjKP|S8Y}T3awp1;A
zq|M@p1Ty;x$AIud-!+gRbn2a=EgrrMk9CE{75-r0H06tGD|Qaz%*;mS#-*l~S-I0(
zTbY53k3~mq3@!MLhGJLU3gu59WFc3Ff3!DLhykQh#&}3ATt-p-e*H{gfjvTw7Or}O
z0HRNyAGgT4b#=ARQV7IDwxWu9Z6rU^_d;A=UeD0wgi<R$ld?8LSHI^yj;whXd6rr$
zrH1XKwygzfVG+|ebirbN-UtN?6PE>BFl5i{!gM_!(TvU^R9GE4r_!`qo7Kt!$g};~
zw14^uVzrRBUgv47wW7Y^vA3i{hB(x7ysr%INbmDUCBr1y(TK?%js;+ySc@EksaL+|
zO!Z$}7CW48;nMt6E>hW&22Wd0)P1N|e6BosyKIkuKxMqY@4jPce$7|6e-!jPlBKjz
zNhA>=Mi@+G(wDqNF+*Y{r}J^Xl)Qz5QE7iyXoGUFL}itsPxCfs$t}}so19F@!ML@&
z+<wNd^?7X9)?38ViMagXHn4w@@B2t}E!gc_9-mQW7(lTVsrwFqhMO%LCdhBN`y$k9
zY<60meoPbphfbFpX8Jwx!MNvxFhsaFew_t-!L_2e#dg!mZhvr?k!{d99W7Xy+WD$3
zE8MWo)2(d!x0ulmmoPrScX%n9kwEwxZUzh4uC;&<>s<c)rTI2p#C?%}_1GjNPib`g
z)2{Meh1H?QdehB)z^v&6QP%p`>=!VKz2eKW#}6Ur;c)=^i$e`ve8X&wpA5r#PVz#7
zIrjtqa>r<L=7W<9H|iYl&uROlE^)Jv5UskyyD97e<?<yqu@-?ee_5;10N556%J?<=
z1?I^F1a_dnF0$*(`{S7A-J+U!=2nQZG%Q{F)N(?A_imaE6NKs3-#0`?Ou9q}$Hq<G
zZc7TX{Nyrxnt9Ngf<3sD1b>y~Jm^L*7|LT&7_CO8K=L&(HAw_bvy@rGVw6(tdYR9e
z%G6!X<Tz15i5MDEpjin?#k!BS^Lt1lxcKBVJ&|hopHIF|sP|@GjrOYO)O?)scmMra
z{o46`mMHX)9DoSfC05Oz<n>lVBk)O#uAmzVAJfZBU|JJY3Kb7sQWJuN*}g*P)V{b_
zwm4QsMhFUJnn2jeC^^i-YYNKVJ`F%ys=H&)A=F#@Rb889sloYVd}bb@4gK!qsEFrE
zy;AYvtcXxw=>v_><br{Qe?gvG?C1sT*Pjr6?S;hmHD9wYKZNo32|xBPtKaDt2p7$&
z+)3Iyh9Eu7&>sqnmzmu2YdQN)OiWJ{xM4??1}Tf`4hpUn5dxGF*|8ET>zBYi@JsoT
z#sN|Ai&XJH;b-XRf)PDz3pbcqc(;nBfR$E*bH~Ibs%)9C1f@CWWiBp@urNsDB^;o1
z-detuAbg3AaDk`$E+;7in`RTM+INUPol%q((DhSW(e>lU4;!#HQ_BqoXH@+DW_Uel
zgFUKlr&tv`W^`GQ=zfaP=Zr3kx>#WV)#lIC-QOh_-sSLUzw<FH0S_Uys*gE`P<`ze
zXKhxB250|9F-o(FOl6J|=dZT5qPe2VT$}^C;*8~8Y<T^A;Asfc1lCK>-4C5!-@+rX
z1uyA@*y-{qGa%ZNGXbIyF?2Y`cJMCYNw>}qKRvr{BQt$DW9;~>h>2sL;E9lb2qpdi
zqv_S^FDkQNR6+#*prk;`?{D${uo_;>^%@R0{%u&;vG7Iyw0|V|S8$B>-rqbP&1RtV
z3E#Q2!e3wfX;@U-0Bjbzn=p3ax{nvd#n~cX(ywc#93CL-bAS%-^=e3z1m@!=lf(TM
z4Px2K<2lV0+H2Ge?-PgdFu}j|`au4Ra-`G@aKk^=mgjSovEvgsUV8)(cRLipP&kX=
zZOrF_=><NXEsHbh^Mk+AHDY;!g+&~G1?Sy4YsU08K!yL`VF-$IzVeR+Qsw99WtN!a
z^6X8H7w;Kco}p`5Y(wp*4M!QE=@1M%8MoqC89!W=o3#n8W6|%ed-q2K8e$C|mp?7N
zpixUzx;Yt?&X;A(H?7a}Om`~ePa!7bZ7LL8Snmz*I=NFkI_?bv${n#1e5O%v`kxOv
z3|P5Gep&pbAh0x5Mx?X4eBR;<GbWGVJrhR5Pz2k^1%{r*c>|>W{mM^RNLcp$XimG6
ztZA49g~L5V^s$J;iE6Q3>(Tiw_H^1M32a<to_po#Y)vNM>f!0WmGwq1<9nIy&!Vj@
z5Rjq0k>RVPKyQ;CwLIHUY{RTN&BNa^uD7Na^e>cks@W=bI@>X*xzx$aEKufloWp^G
z`l<|ekgIEGdV{FaQ{2r>{bD#>s%Ub)9n7$OSE0jw*doVxR`EFfN{+1Mxei=ZtD*+G
zLV9RU0BO?Zl$7O1uIsVA$9p%d;WLbcqToyz!K&V8&7{%XwD8}n7moKA7H?he-xHVt
zak&h<&6gG!lhG0La5XT}BsX_wqmTT^9GWSVulj{<-Yxq)U8BPCh|+r)Ow3y&?L;YL
z?lBm7G-q7E_-3^91PtldVlC|Xr<HhK=W~w*$NTBoL;$6~>`i@tLHoiYkpyIN0QEah
zI{%uByr2c!zSiiSD(m)6NRs;`8!mm-8O;Y_54-OMW8%TQFEj<tNF^mP+9pk^d|)X7
zLbf7&3A1bOG#a4pTOnGyrX=m302$upWMY7TLJr8pt^d+U<=^xJ!pP4%&e!RKZQr#Q
z@9n%|ei@xV7YnIsSdIb=aSlqV%6JR(+Wbt#b!?rF%PLaLPJzHLt$Q0zACB&aMHAGi
zi0^m8X~NJ2=50GZF>c}DW&~_up0v^iQ`O96ei{bN(btn#5>bApsC2@w8m*mCx2Dtk
zPm#YZx5@^F^pYe;q?a-I_Hzpnw`-s?%vZ{~mq5Mjw6ZSq427?DxxrObO8paU?HfuI
zDQZ_8LYQduH5ju(<FK~$rd23?&iydx##RkOeWp$jIPksfi?jBAd0B;|WYiWD>v&1o
zq2tI{`d<U@RQ&Uvsr06*0CuzU3F%ebdil6V=>Ia%Jf#0#G8r}hFP{KMNPoqG{Q?fT
z|84)z&g1{UfgBXSCCK2%0jKYQgw6d@favkBJ3{Ue-nxhj4ES5Ew;t&tF}5rIOA29E
zwb#hWeQg20`|V2&D|JWLF#lqwIZ?XU{D9lRxeVBYpWDF8K&<1CeD)`^gDMX<tT>DL
zU_SWB!iZb~=_l@wBhO%RI<BW9F^Zd2-$;SCFJi22_tFNu7MZBY;8<GLOzg4iI->#l
zxN`C#x~&rMG<3vg*9I>Ki+#OK(9MBHV?t<=oLnV#I^^O&@d<#3XfvPmj=8Y*l9PLH
zS3zvS`=aW(Fzv>8WHsX3Aa5Fe=vs*2x4@u<G47x277w~&B0CbM8NX@49XaSYP@jp8
z|Jf)G-^>eye|BAuy-Y3l)WDnH?&QEG8xGHPPS^Mjs$`k~Isdy?<Is3+pPZLigfZCg
zRUJ8pSG?aE{ofge;~n^dTE}wXfPzQz7Q%{A-Ys4rtAgQ1iM2;49jW~1%vuN`Hwqkh
zFE4K)$Ya=gW_&iSn}mDy@<77}3M=`cQ&B5OXr=ROzr3=eo!@JjPkYAj<k3i_P~Oxr
z_JbVY=UOOh#)Y|Q@?1%6ylgJZ@7As4DEYGqo7pPpwQtk<5K^Vbq5qCiK9$ulYK)!c
z7k81{PGzOZfcA@=UU61hAmJFB`N@VyM+G%C^=yv)%00b_uc&!YeFKI6S#gyHorBl&
zLV4)4#c0QI2ke#pWI)@KA@g{p?D^>U3LUEtEWf)<`ITJ4xxD@39&0a3PE6H<Z~sHi
ze2E)|bhd%-Z1N+rM~W6iS1iCJ=PMAnDC)UdgvoH!x0BtpZTl`^Nv)u2scqw_ruK#H
zVvRw^M!3q4j2v$-UGKmnVJAYG$Xa$fogjUeOAzJ_=_j6jG>mvUW)R;>tGVfYW7Ou@
zC8X-jGTjDG()XL7w)-oe9I-E~jSn%Hi5MLn#{GUBcU_+xA5H@5m3bk&5<Ni41d^y+
z$i+ZFdpTS4Lk!G|mv;DT|A~J-=Sj4f=udmkA#RTj)r5wpm>9c6M6g}I4fxmLC6P@|
ze)|<(mHmTX)A@F>!*~6Y0E7HFfLyv}<8|MXJ&V~45;VX=ODcctAH|xQ%l!-ogB*YN
zxPN8fb$?x4RqcQ4pC+I0!f}4trNp<=z-TFnno3zF$IDv<aA5L}NqBBpzl}0{daep+
zDOYN~o7@4TlRaJ;ig~~ec+?#qE;@ARN!p%@Po>D~zfod_e~p%<8OdKsXXN39wYaTU
zaUi-VW^Agctg2jM&qR|4lq;{L@(u~x;$gkaOl7t|e|}$Dj^f6F#n=FO4E_{`wWoI!
zCMJ*<_oL~cUyi<Aq*QRrz<&~lsQ*Fd#-jzZ-lb+Pz@h18r!4=_qr-cvTw3OEO2bC8
zKtWL{DXc^E)9|}Wfa^6GO$qF3#sQ{dj>QhBZT_MfRNGcm^SB~YCtw4@^^%laeAVHz
zdt+G74Pcg!a8XNZPuPM%4RZ}$*H92+fF%zDl@3ejNBtPHB$DUfdNv<XH48yX#n=9B
zQ;B-sc6$?hMu8!(Bi2Y8{z;BaAFP|N(@jvYZ{LfU!V4Kf3*leYX<39n0$XGRI4|@`
z#n%pVW!>+W>)1H&-6*JyRRZN)4m-iba?ptPsHUa0Qf}w6WVQQ;x-4!EBF~2%`{;_^
zYh@n`N4&jPjvW@s?7?P}p~K11Foi)`69N`JmML;Ak^)4n=iNn+CW}t$Ap|#JSuMF4
zOdfEJn}cwD^6UXxSi{=1{jJA<`ZJ6EEzQ97PfGjD_rGUh-urQUnC_o7Cl~Xk9?hmQ
zg<XwuA^>hql^(-UR<t&}EQb8b9ADFiXs=(=YtGcej7*D}pQfe|CD7%bwpv<L7LxTI
zrlW{j_Zrd?r%nuOnI?t2B!elYpU1I5Etmm?``ZNm4!fIEpYMJ}pWDk&pd(pn9W6Nh
zWWB4&sMMoHc3z5}w+~*}<DL_hsi@x`=-)c>iwf(o+B9PU)G+9q*opb=Z^r4kxh#y0
z&#De}1xXFIwoA_r(j-9y2=qBFl}<!!4wl>@d);BW3^sCWd9HCyN`+;@>c#+HC*#Z;
ziC2<5X??twO1&^A=MlQhpJ&7Pg&EO@Riz>{+HPlgU#JzXGT42W*T-7!w7{F7r@H3B
zfH)aessV}hZ!!gxF|2F1y4;0*+m_%rk0?l@MM~$z^r!UE?>uEx8a3#B6f<BIFF(E#
z=|qTA)bSl2m$%Mlg*{%y$WwH1LdJgqT6V5HY<`^AV~Tq3OfU{4H;akgt1paciLu;v
z==K{VRY7aZ2dO$XzgpUl?qFlvEi`V-cigS7!h}5i*60weZl2GMh-IMH{S=F->shd}
zwivNX_l4-1Q5C~1XLlkDX|E+0Sd&w0_HZC-8vh%^*3B-r!M*5nvMoWYU(HvRRqQI>
z75&EbbSu|03wTY|CmWcp6@rf6ugXZcfwFB6><@xuawOzlmvg=+{nnVm7rP`pp$Nl?
zj0*G2a_V=-UwN&bo1+fGT=E9{4$=Q<UyCc2euK5?PR<^w+P6ZWVtd~4x~1$eP`Rx2
z{8+}Gv{~Tkeri78Z046p%Ryz+hMr7siFEu?K*nopri4Y**2gQU^BO;%FdLTgwk+KA
z{e5K<lsP<*<&ROt&(2O?edh_HX03-*=&615z4C*N3B$_rCfl21WhB$nrI`mWP~(GF
z8a5i1DBbTP>s10sr`%%1yoW!XRKSmG%p-NJxdOwx31*3M(^CJ9XG=`Y<BIBc$@jDv
zQ&UKOHzyJfGlxDNCq@00pI(z_e2N;K&-{>NMNaQE#0u8`eAd$rIU&`)DaSbqJ4q%X
z++tngyFZf4?jl&I>I~~aj+PY<dl%ioBOZWAhrxKN#lOmF7cV9vPX0kU?TZW&yx>8o
zD2n$)2k{%q@ryS=+x4y^aI!qvKDz<z)6tH>>Re5YG?JPlgms6l6LbN#W5ib7nKwr_
z-2n^zz@Qe?Vv9?0frwy2VV!d?v9a9}Q%XsvrVe;9U{kRskUrtiMQe3Y6~fq*W&UFa
z6)d>4LyZ*OEBa{+4{E6+9zP1iDd%7L_pG6yb0TWl4N{1z-c<IgEAd)5Ab8E|?~ruj
zdF}A3#tPY(sQo5r?b0>$JldkS7uHITN=dGw<l6nvP9fw(gY1k)*FxYthc`T^s&8OQ
zMNMrtYRtnKVuRYlJ#RtB+(xM)pXJ8HiXEq~ky|q~Z_k7eI2dZfgI>8sWzn*-C>P7w
zE}bnMC5{eU%dzQr*dIDO8|P*M6G`~ctD^a<{uzvwC?|1Zt72GOZ3zJDCrL;5MG*U)
zsv=JRmQD*U;u_tco$&9h|DRd_Z1#ZRii6F$^eiFKrMo$(GTl?NP$eO~U)Hm@8^iWL
z|H>r+g%K^l#-gAa5pJTwMM~G-2{y$|6Or9rJ1YcBO&1w1DmDHY_>M$KITa3aSTgv0
z^KdTW;H!SW8%0Ee@qq7^5zW9T=Fr2>VqlOPKV&l#r87k2CX$c>&Q&+?S_SR+&jOk&
z3raZH*(Kr(w0EBhYsxjUB%^DJ?U_i(z8Tn13i{}DW-y?mwZ<ZwzLj3B$2gahqtP<k
zWkkUc!XB?Y^Z(|Yxl}@DSK~8Oxi^D7=#sdB-hkn5sbm}R&{ZjLKN;r3q+y-)Yo9Qi
z-+AzB72a#Tkiiqgt>#&|oRcyEJv&By);V&KW$C=Ush4MH4QYexTX;JhNaZ%ftQqgt
zi-xSr>l!c1KH4l8Yc!>wyBsoUkc3B|Bz8NbUN&6Wfz>cvrexwNIjBQ{*x|loOkQXb
zk{BS<AaEhWbm2^qstqueG9M+cI*Ri_$vnMZj+)wOtsz69EWogR1Jz`zviaiN$;YAC
z@6#3hy`zLlAk9?4N0jcBbfb=!UrClE4c7wu>lmLdUpq|@ng@}Q^=M{oa*p1(>;TFG
zCj<=PX@`3mgI4v22N^@LH8eK{gp26L+qorqb#@H&Z`Xdk#?}15o*GpGwq9yZ2{RsT
zpma_{1Zu$bZoUA;(XyJswYbs(QjhF33a>-cRr*JwxLIo_tU*+^6^<g}Zw$MSl)w<h
zcM=>gtFG!2h{|WzC~-iRhY_b{H;LWGZdl=k8*eyhglyy=x}c}e`6@@&xQq&Oc5TX~
zSe#}RzOZ^Ow}~90OD08Q_JS(ilm?sPea9$sHv=~*l5n_lir6U{jSNoF`eDXITuyRS
zm=|FkTxVq7pj|p{I&{D^lW3~J!%t|g3jMS%Xu9NHLl;1sCITI=6SNR0o8V0{>gZTs
zFV`9#zS$+*3RNP))mu$H7U%gMC{rL8@-DQ4hkNGtOW%-J<kNHk6B%p4(pb7~pZn`n
zxBu`ijUJgJ!GG!Gc$7KdtOEu%-9(LVtw)U9|1>I@;$x|IINRa(rFMJ#roA+MItDRS
zWIbugfmNf;^%gWQ#?lV86r{oDhD$nW;KsYUx6A`8yx_TtYS@_<dVkudd*oeT*1X-B
z4cVd)u9{nhU5=v=Nh?Y!_Jx)|rJ!QSJE9Wtg&MK>s906d%g~w-QiFPlZMCc^6Qa_v
z!wIQdOqUTX%q+2${0(<8kC&&VhcYPqO{Nzx8wj7JOe-6Z@E!4rY6w2d%TIe8|6s0~
z6ogw#-g-TvNqPn^H@TC)s$i-5tR1>ylyah0W<QOAxD)yR)!utRHQBW5!a)>Xlp-h~
z(q2J8ML;?jiVBEQRho39_YR>Ypr~|s5$Poe2+~nXfDi)GdkKUZLhqpyN`Rce_kH{9
zefBx$|IhjNIcu-=f6rnqc#>hBd1mgp=f38;W@h)fS5)oSRq9Chg)xo1<cX>{#@{&6
z&%?7)6JVLb*Pkl#FB49OIS;2D*y*LU;qnFiHR6FEVxZ`!;;s#(VDs;;z#2(;eBla?
zGbK@!QD#-Eccbkf-FdoX-$eU1$*e^r&bA8pubL~cw-wDY5l_aD801yWkdOL2g7r@R
zVM7B|OHr5<4?XYZPBH1&+S-9xV5zZAG4B`NyqFqur_CRuyJJfshB(FMxbMs*$kmLt
zO#^-&<CezfTyB0}(tebeSU-l{pfGB07QVbsPc|~X`9gK=F8V`a8ZX~!k(S|yBwuTD
z4)!3CFj7*ty7OvOw=%UIx=k527%#`i9Gy>!bf+Jv*$LfK8L^7f(ZTmVjaSfqWiX8k
zNeY$_g(zO}?Z_$Q=Pz8g+(EE&&wdzIc@92ocz>InhjBh#7L{J(1k{gnf|mcte(m(9
ziiT#!{*Py4+8+pKt8~N#%<aN}CfSK=inYJwH;P#E#MOwIw_i2<qgN-}Iliy|O@g>_
za?3q?Pq}{>-#8I=%JCg}@TcdZ@1=FA?NwPiIe4kikQ*S4vbhB|rOV~zDNz9Kg};$-
zd?gZ1^45hRfr2<1PKdVM_nhI>R^6a^7JKhapMzphXWyxW6dQ>kSbN?2nPx>XiW5<(
zCwfwgs9Yb`^B%bZ{czdfMbNDe^ghLLC`LsC9n6-^TWzSGCk295k!212JuZ7OJEpg|
z2H#+UZG6at&@CK}@yKnoxW!f2xRm4b#XtN_xC*M{b-90@Cct05P#V^3=8YbG^!yWx
zt7)Y12kkptB4WDKBbF!#VZ(XY2l{A6f~xxJ`-2ah;lpb?w+aiMEnH_T;+Fx^y3mey
zSAU7Px{xF1^Qvi{(chotrS97=y%q5|C(pagH))w2l6R{18Ex|jP@7*k4+=YnI=*a0
z#hlW^tz8N89bM-3+#5QNSnpJ*^Mr1eo-I!R9~2D^roxJ*T-Wx;BAu~@oMOkavuX<w
zGWujO|1jTq{_9)(Y+FeZW5H9AY+?adDjhz^<wl9g8+^iK!Mb}sDJM0^uw0VmuwIcZ
zJySe6FqJb@P&8^8PtB-7{HgH#xV7MbSh4#g59ROjNT*8mn!C?J;7N-qYx4Rv7^d#0
zlz@g>E4ov*6zTf{ml<1rinC~mf&5;tKUh(q;QCS;cmhhTES1IE4+lX3IcuE0+gxpp
zx^}OhevaH*EjYjyzeKLC?$=O7X2Z6pl}k@fKQ;n2eM2h#bWwCvj0{-WpC~mU&A@V7
zD1(P7T>`bgv9ff>3Z>{8>vQpDrDDh28i62WEnmOr8$j;H`V(8MZtf^)6|T5uoiYA5
z`ReQ!nJX)-54v<7s~~rxSx<*O+mRayvz_wVCo3>IT_)xSO0-e6wRNox_gq*W|D5n#
z>WSB^Gu%y7CK7C4x_xdh(9zKoTgh=4QJ;l;cyf*EI%#Yu@p51JydL8%h6|X7MYX8>
z%r5_CFl?7T^eAdxeL_%vYn>S?Pk3VS?se@@!Rui$d-f%!Z}NwOh|Pj)8^@?pmD9<!
zuW5<hUnL=@=m;h&_iY`?5^Xg<&2*Z~^)bq!DL?@~D-E~JAJye2ABEpEfQ7xO?(^s|
zuS2pI<FIF0`F|>}_7`YJ>6(YK(H2_$e(ewWaBg+@52nAeygETT4?-$@iu=H}9{tv>
z@g_-p7?1vjdl8?NM?0>n4CenFxYM(Hzg}d)X^nqc1DcGN_F!{@5*OdM4sv~utngY`
zh@#*<?G#w6d#5R0U?%Y_G*u<D)g^y)J5eS0-e$B@i#gXeBh2}MzwN;kOwK^E_9mA)
zE<(oczgpca|MkNQtLwP1y61n`k6iXwW3}R_xZ0D!$KeNi4H*{g!zKxTDy9^*%HV6L
z_sR0q$F3oX>5Ig25Yg>*yf3j${!!Xf3b#KfX*}OEu2UF3Y8-0jv`TPrNI*01q2C&L
zjMzKDJ&Xy62^T|@lb5KZ2RF)VSHqz)>S6hpn~&Zxzh%c$7@1vp^W5?kMUp5vR{oK~
zm2FDy!F@kDzrE=+kMy+wYqs~W5$Tcd2T0%Eq8hrPc-f!DYKoEI-wH7<8vfZ8Mb9K#
zdIN3!e9k`GnEpf?FmM`)fzNWXl;x$k^2GTCt_fv`3qdNZK(*=*si<aX*U%sEgPR>|
zcpAE?)A2zk34zrTN^9(a&ye1lq%2|awbt)FN*hfiu&Wl$Yrf9PQBA1)Zs=stJS5%0
z=YaZc^H7D|Niz@^wk{%IzOz1mC1QSzuj(e$BywL92*MI4FA)U}1TkIQZCe#C)*qb-
z4sAiH%<>LnwQgN`zChTDxkLz0cM^DHeulk>;kr-L@1-8j`f?{dh_zp|f?7g<HK*VU
z4G!?m*?o&<I!;rDoq<*X=%STl7jvBSUHeJRK)LdsS>B~@<r<IkXX-rh1;H)^sOgGJ
zeR>9T->$}*HjL#I<^K=}4J2H0b`znkSqfABfSo#g4Vmf{>0yxbJT84xK&-GNbTkzQ
zVt^^pB0lSyZ+7&YyZibofWHHMGQ>f;Pj-mZ0%uL6;j2*6^DJc8nI&&!y)P@B<3pQ3
zfDyVFo1&i<cYkrKI+ar+y379z2GwOu9PSE=mcNH%M6IYU&ue}IzZY(5YPOGH1s}^i
z%pi7qHs6Z7Zq?aNrEV+QrLxsO^KLD|Nq9uL3LGQ2gK#R`mES8l3h++ue<_btov0L_
zL#e?_^s}6kWc@c_{CviiI!n8}FC+uCdyi&H`wU@nT_vA-l0-M=ZFmEYC#jPAHco8!
z@vI4x5Z#9AP-HuE5o+@Vv-V*8VR`Pgv#XwGdex{+JLW_6QvQ0ow2go>+g^hII7`Wi
z=BGs$5xd+cqJ84tqNSUqCx&Z!cQ)$>FfE=%*)PlL*~v5<f!8XS(kmQaH)rGp5|{}q
z<q8gD-|j&6b(Gg@Lk}@0qaLCTs0~A%OsH^J1ryxN*M5t#PrlNaR~~;jzbeU;A%WFN
zeOaaf9N^>K-&W3YhuYIj8Jsln+ptXJJE4Cmk$cN*Pwf50S?ZIyiEimaIdSoYq`2e<
zEJzl1-Oz*%jN2T71Ob6N13--NCD%{DEz&52u}e8V=@J#fu2Sur$`Bju9S$euWn^Pl
z9`t>Kj6}#2EyjMd>76)+<~6YjzMSf;Q7yleS69}J%I;>L$##Ev7=5`xv|fR`!D+dw
zsghyNWhYkD89KmPvDHB*cb(a4#X>ARbjYU4zurq3g5l0KSMV@u;$GXSx|wdXGvt-{
zA{b&{h|sy=H8Eolc2$C4`yQ+o-NcyppkhRO4bu2N<*RAC>Xj|y`ECMNTZz(?TyHQE
zHUintgGIERS}sand-k}i>O1oqLqdP!3774{Lrg+OsUa^`EvK<&`*qEq0m_$LYXT(6
z%dA&8@6k}Q*%VW;N%%tS)%HJEeA53e5fW**_eO=lUL6iHz{T)P$~=wvMPeP-J1akl
ztG>z<TQ7%uYNa>byy^HQ?mmX?W|6oy8e;R@m&`~8t^jN9Iqc|RSKA+8T;(rDr|qR5
z`BF(z(+IENXG?z-Nl+yR#PA7?mk&es6Oon)H%a(L%}qY__Aq8)y0b-j;rBK>Rf82O
z`%+m)pE<1*<8?2>Hp-e(49@}~%+Exxzd;b^=Y2eeH@bI3N8(1rda(C~xy}~JzEN@W
zJ-2@|diH(q3&!6uf=_d>5azNHPFZnGUE^!1rsMpbNnBid%BYgNRK;^*L$->rakkRj
zxexEUYd)K1_}i(5^_sCedS_k(V^u*NdG%+)STyjD_Ml52Tzs}xSY`aFh<EPyA+J|j
zdHD6#?*+hZ7yFY^H#IakID4OcVt3OvEXT*EK2z>V_FwIInaLiYEy#wA1sF-l-UB$0
zJ40L-dh#S<Hhj*GDtVlufia7W2g%0`vyF{!4AbEF;k{qwwf(Acz7~eauQ`N-!?j`b
z2l9nzSC7B+o6)@s54^3|YPt2jt+XpVww_6|S26$(Mo^TOtI&Ag<k01oKwqoi?u@#v
zn*6gjdask<?kl<uz$3I(PrG0^d^_Ki?(IQy=N{hvN>GFuHM^`u<1!1z_<0Py-vr7I
z<^`g!1}HEW86z`+g5AmsSzDwwSQt>?ZCs^Ipt_b2St+;gnHpa&*vlg7`2J<tImhKm
zxw#=Y9d3E`YK(?jvPh<n4gPzs>G?Me@!u#hm%vAFTXW^&ZfYl2+Ud7$Z<Jinv;E@L
zS8ij13^UIeZ6nAeNlQSwUR@%);MFoOU%DXBo={yjJO4b0;g5#%-vFNLK^GLb%AbE@
z;=eutTx_9t?>*pxd;1?}5b$gYoDFxl$faTK7HQc%>H2^ExBu_Yt%Z{w<SLA3^Q<Sv
z<XY_a^ax;#ugY{xsFv&;)bBpV4g^PHjIROqd^qSDX5NuA38fHcRSVBNeyAu?Q#5r6
z$>K+xpaEw}33);^fCkWTVvD-VhTR^X!9_^e$KMMiy_K1ekU+}V0qJP#?96gwVFI%N
zc+$7nXqf4LAVCurc3bwrS;3Rtq=BZ8X2tV+-_!m=0%go?VaFG0+C&H#epX<x{$aR_
zgT?=4<CM(1Mnis^7CU1-MgYLr-XWu0{MgSo7J{6stE;1)GMO^j83`2g0to>6=X_l+
z`)mtsMubzlocgWeU}}id1g((Itu5415z?<W-&P#97{E^_89%pbW(dndUc4|>Uwv?`
zToPI11nu$AAqVu6vw4V#ZWP{h5z2R(wgv&JwK>?x<l-T~!3pfm+qVNYBo<$nX9Sq#
z1fEs#Xr3$%FjuiX;t_l+Cj0rPJ|Jj3#qi@#)9*gMzT0Jz0Heor(EyjJFH?4@_J%#u
zF(I1i37IyCD#y6tJ6vye@r7i;rYSPgcQ7f#{a*1T^#=e@PmsA4WMNJL8n-rehU`nz
zhEQ`b7=X;cv2#Nlh8wlwH1FfNxN_T@zmDAq3EAIItQ}0-8+PzcT*-qvhb0T!93L*9
z@t)f1YaFjuAmVekH3gABAvQk)pE+umE#B)2JlLm!Ccq8+Q-L-+TdwkmTCUR0zI%Le
zz63qtm_YX<fiE8IY?7l%`{TbWW<^Ub?6`W+=MjJ|ENrzRs$(7$ot+}xjvafo=~_7k
zs*`dk4Gq2Ty`g|=+Le?cgjb@!98PDg?D8?n9yi8H@P+jGEKhAm?~P=%S0-E7oQU~0
zR)j0VB5o0A!+w>3y^ajP(?gWjJ!vL?9jTNkM7;F<)Az+N+A3ygT<x`%4PV4pZ+Auu
z=vMz+Dr)MUK;fU~Dj8B|?hEb%M6?Ie>hvCOD?kHM?r<SZj}}iTIpi&D`1T}-^1H8A
z7QYM0rY0C#yObraPiYA@zB`?eyIrId!@~LI=l(wXk&bx$C({$FrJ4SZhpzN)Xxzjv
zp7Qw@R=yk2C%1bTZr;mMYNHcRbOw7ULwwb(W~QQms_E$_E&8y{bkJaV5&D61>v_)&
z;%F#e1Ei|uCMDgA_+A?NQJGrGf2n3AI>m2$SCSB#cKb5zA2FPcCBGK+#BFEdI0OC^
z>>O;fy-A<nCxbH*kh<4@D|QFYct6j3ST_m0+FKh64Siu2^itjcjQ1S!<I}rvGkZ5P
zXd1x5m!LlLOU0&GUqZ3X=K9Ct<sk6tel~@}6?9xvL&9MVomz?Uu4nzf8#+5z@>VOo
z_It@$nUV2FIP&IN1=YH2%(Y<-knL%350}luvYY4*9ROfix-QVue>!J;?waV{Mu1P-
zbevzJ@3RIwLU?(!Y&o(9fi@Wkjxx~EY7E<5IsR}PlnF}^>l9nGSIB&7uen@v6iuVF
zvFi`7om~Y0=yuly`e~xnHxbCwS1lu4I|p^-#V}bIW{e8)@Dvf?q&@ii{?D0&%>MR6
z7I_5EWR;|B-cyuVV0LII()Y>a=*kUlap4SzedClGVH&u2_jxi{@!D+>9=o%Tq0tGN
zgV#KE*U58xlW#FI-MlSpzW6Z|-TN3p+PZ1^#YvPNLbwBl;H(#j*CjLsmgsNw1PU=%
zr9zab<!*dV<)vBQ8i_{<4(QMIvIJPGU#;%Y#FioOGd+0mPYl4?zSH1dmzsQ4<YPd?
zt_<*!k%_l0Y7rThNX_QDAF=|~zZT(K<Lfw)o{l%`df~4Nl>-^<h<1P@_r1P<8sj&`
zS`RC!{C5V=emm~!S})8X&3zAE`NK)=KsW8g`FeQ0b|M+h^f|1=-)n7B8ul;%QlOn^
z&7>#Q!^P#7cWwmCjbr8xQZZIenB#(|wq97@HT%husn+F&gvl7Tv0*N*s#CrxRv#Vv
zih+Q#mG!oq+A~rU^zGi3g`|Ykp6%9R{e68I&rDw)9#9+}?f+tzU33-u2o};-)W8KC
z*I=2?3Y!(KOo#7xC~ta#r~v)tJ;pX8)Ju{gN5vAbCxm@JvHV1nd65v-CiOS|6?R$)
zq5(gMNrf~i6UJ|}kq-=Euqx?g3A&-*q_0T=;*w(_92b{?i<3dtd8+q=Mn_(#Tuk)j
z4K4_RLwzSsB+)lB_jF==bCVFW<%B4yKkM`2gr<lLl59>7x*UvG#@9?R*>K$4T7SDK
zBwyiDz@(K#ESI$V1YCEh$JYc}2i=D+E^z()n7nAb$;z@UKnrR-yJ1H_Sof@p7T|c&
z#yeU={A5#xx?cZC{T&rcW)hv<d*GdZSoB=6`R1g9NtUUjsmp0~hQH#h!epVuFmu|2
zX4?~`H%~^t-4L=7(@ED&f8io<e;}}Xm?Cb%*aTf>t*I6Nvu92A?ZJzxkvbO@r@Wtp
zqT^lT^pI85%0@!v{l#lCQ~=l8B<Ih(PSl&E%gQbdbHr5aAyke{hL640db7nVt*k<1
z^hmyA`LCEe4>R3*yhD02)#3REnt?eBmcz*E38$+E$iT0}ir`8+KE(j)ce$<N6KhTs
zPAXY}tLg#^o4`&QxtDR5o=Zrf>#*9+TghSt2d8oKEeGs8T(fiROrs}L8FLHD#-HG<
zb1rqO5YsmBL~5_!XEeX3?R4!otRuVA+mrh2)#<Q`N4uxlepXH(&D#rw%)?GUZ0VaM
zog(Y==K?B!-_V3COVI44N<KEzb;1?wE0>R({B|8LjM&J_16yl)5Y%e&L2v4W{X<ai
z`mHhZoOY$eQ-6)r*QsKiSW}Id8V#HAlFz1hkC9@i(nAN?H8TtRQ<$+LwcN`a<gHTd
z4pX4<lgO8IC!3s$e(r%2BWq~QQ;lKgxd5p5s*rq)uq)t6;*J>rvi)5rV~vdzo-yco
zG|IDHvscWqTe^chg!CTZ*A}?mjB1M%!FXQHH`_T4{tC$Av-@eCFLH2uY+}C=-}>PO
zSC-58@O5w^_G2MCk2qJ!;$-Qne97|OxIjF*Hj#MNGyi6T2_E`FbtB_=9q3P-#WR(|
zw-+1}=k~Nbw?+0PKJIxlb9ffn5BA_aa+UQwoSnhmm7!7~4toxkStq6e%EQ)U(l*AU
z2EM4=XISAT(l*p48$P*N!hWwxe+F0Fw;<1J5zoc_=o2SI3&Z6`C*Qh0Yo4mk?>`u8
ztba#H)$~VTn_Y0L_}fcx!6FDC$i@fHVnzzq7El<j!IK^-rwBoJe7DXq70kH8OnyLZ
ziZ>6wIwa6T<D5FtWxn$z<yws;ybl1}KfuEiBSmg**x!?xqqWTQ=)oW7e5)_#P5$tG
z%m7{XuJ4mki5FVaR45KUhVIul1bMuR%`SUUG1ck|yOI+<7(vH!30yJO0k(nK&$%Yk
z;Go4<Dn>@ZVf*BOT8i_S*i&Q8>5;0cSMYMHb;y93aCimpOZniI{x=KD;oEBRb460Y
zI9pZEwEI;>^$lZ-f9bQLN_`2@wPN%huBE;=PM3@e<&&|ElLPE-VnAw&2<Qt+e#Ycd
zT)E@ht`zmQ@^mh)V=5bT?BZ*(DPCm{L|2X7ZrHkus=eDSKXtp(8wgA*qS8<Z0Rc4d
zSp0$j0R3c~o6EPb%Tp%S<q4jM0Y{eyWf3L=N#Nf$<JBeu)<SXmgaIjJ*$s6ToPhHW
zc+2R-bvwLBy6ju~y<dmE$(pA&*XcKf=T5S5G)S!XtSHQ7^+nH672+u?u<oEp3VL0>
z6g^;vK&hq~_l@*^pn%>FLzoBGDSQCiC=t?rR)0G+vv_Z)TH7HeGCDCh0d)V%uJcK0
zCwECHf66b`iu+;pu@Ekb&1ET~?|>Y8N%5%j9PKJ4z{on11Ra8Ct5b01Y6y({(A`Sq
zltDR%hs^Xa2UPS8k<Psc;OXi2nw_;=oe6fEsh<zIxIQVVw~+hGdc*sU57y-5ocf3P
z#aioR7AJ6>f#ZQLl0CKKr;Syu4`7a+_L1pBz{)IdoiRxPd$vLmOLSR~P3b`bFUVIP
zJbtz)Dl~9}=sEt}$Ce)kK_)E<we1`Emmj82Wj5BVHr+s#9H^!Y@sH}QvTywUJy(dY
z@r<RJ(Ck(b!vy9bkz#s!Kx~)$3i~O;0(!#EXwDu+Y7wi&MytPqqRXfm07h961{5oo
zj!45sM_<+4Xi6_%<*GDwR*hzK{by=Pd0_kg&f>8*ioh6Z^%r1zQ21Q4cys17d*ZnH
z>#)l`_Z4fbelQJQA^Ho)7YG@^_`^A{x;b#NpcgeWLXa2l&aA;KSnVUR*}D$~0rx(g
ze?5-sKb$p;!Wb(umj`01?I%DuB{D!SXZe#0HRZnnX;1p*a6AG6Bn)&#5Soy{<U*%O
zpaDEM$8-I=Mpiq{yu^Z>8l_98FB$-@`RDL!Pev=`cB)}BX7abx7RW?ZH3DAqy+&!H
zx)%m_APeG%(I<h(W#3lCBR_wC1o5ENB09mk^#c-BhnRm5H<I4u7sX+@zF`2!Y~wzE
z3ODKYE<G8*^(hI0lEwqTe<0eF!x)n?tS<VuXfIslyeNU2z|viI+4fOPB_OEw{LSvo
zcg^NX9*Ft*hrtqW)gfx(Y@aGBD%c8LObAvA9v)pu_plp+lz^Kp0{x`amj8mpg!qMo
zgo0s-u*8#nPW5y2_#=YU5JAtPrBhfAaL=bq-b^$UF9G_UE*?Xw&szlC^T<C$p8i7%
zU}9n-<3|I)w9oYcQcq5EPh6i_TE6ueeL{bqUtU{V`xv&DP7^grylBAc02$Vx5MvOo
zu0~YxE+6bqivv9_2C({kb84Gf^~&erQkQn(5>m#`>%2Mv8rx<74sT2)(%`UM2(;<H
ziz9jsNhYa5NX>4#F$LRBFZKxha<V*2neY%SK$=~vxd37SsTQq103r2cu_t|dj9I_5
z#ANA*%k|hH{|y!O8bifZb{hV(zwk#TMNkY7)mJ)lw3n;ISM1~8!EHe<SQZ|X^fSyY
zAp%H>LrE*HHMX?@96;-j6AO?v97q!<e0VD$fI3eCg+{EAKysYVsjuha4N-~S^&#`t
zRuGdO_%jwcU#!Gkfff)jHy^~oTCP-L@e|p3P|}2jV7PQ`AFJr81<ewiw6e0RTMPDt
zI3gbGPW*|??-+X>oXfi;zk^pc6<v;FXG!0)3QtYSv~g~yg^Ig-wlf<R_QL-_m@Rxz
z?w$M5W<%Prd>Z%!J|5T+6R88YHx;a%4~wLc%LgU5NwJztF5Yv4PBKf2Yz@5cwUGdJ
z3L(%_27~ud=iwYhzU;T9MWDpZn*H6!D1N`P*M;^Eq}*1N0DuyyjN4?<;o*m%mB8N7
zm8GQ-@AA63*%Su~ukm>4cg@$~UdpW->^x8Bc&Vi-O|P*EAN*{?zJ;65jho7gx+qqg
zo=*WVPnn6d_Lv;tKXh2r3wSrKTE#@-#81waru-fb1ng9dUg1xa5s{dlA7Cv7o)!hU
zMI;1FjEbBkSE@2K6TDuLdeqf04o5L~T^1$5dw5r&wI1;%gr)Y3_F-^e(MvMPqZQVw
z5xKgt`rKFM$_F)p{YL_4mRre>CdKUjTvNQ%0E)}2N3v2+O_}6*WhBP~?>=7DL#A=w
zyg6E%SEElomCkfs%+FELt9Qd3VQu={&g_}F+FIXB0qYHg4h43okpJxV6;;qs>s=u=
z=eM%N8LMPko3rDu{<^snn)}n86Ui<yk(|!-^uj!mYz2&gu^uP$PY>kvGQ82-V3rm?
z%M;s(&`_Q`cP8KUJhWZzgi!#3GTLp^u1|eQ$Gl}+2M$h(8>2a0Xlu|!G;M}Xtq&q<
z;JrXiP4xPz^#s*<D7*>AF|s<zlonh-1`|O?l4c(O(7UXOIW;uUB|SM4mjRZ(f()4d
z1jP`rLPEal1AKx0hh;bdJ-MnXo!8*&7bn$a+;Ef9>-7G;8+AGJ+XIG0R|EyTn_WFt
zS|ve-I4&LdNXcfP>9bd5U#liUOp;FHagEzlPod5(w;n%G>GO4fD&zzQx_ZxBF7>D&
z?%cTth8sa2HDo|DKoFQ38DNXun)V>dx!+XKo|<(Ycz=8gwjL)bnEC;%bwhm{jM$qi
zxdey3emsVK9)akN9Vk7hXg0Yral5Y$R|8A<x-7qFAKZZx6moc5p4TCATwr=xiU~4m
z$xIa{D(_$HKb(7`#(AIwZz|HU)tFn`r*Z1<72JiMXO<n6oL|d*01K@Ms6i}t(bg7=
z;7MbZW~b5O`xNi8jabK0Ur}<kF>xX0%8^llgh!~lH83|hqGd*KG>}UGYsCzB5;K!e
zKfSXPKEORkxV+~KM_Cv8LOM8g>qxAqv4sR><ZU-&JAFPfses?@e-J~zVv9!)@!?T{
zX_Al2`nFQ%)VK`HID1}e;iSg8GvHPoDTsJ>Z!NrC@66WgpG;caGy^mQk?>wdJFm6q
zlUmYe-x88$V!eEqoJl^Gp-!0=|1(}Zp*qzg!f0{JWT05ofTcoTazEPH_VCodvTxmf
z@U;F2k(GUF;|iCb!ri0WQAObQC@7#gVPqE6Q4Uk``1$DP{-MOvChAXCwcPEuoNm%@
z9=ZnKs{B}}r1<Q&xJT4(1-vq?x5AhPf1Q|UO(7>fKtw;K@Myz?haUQbT#?wE^a$uV
zljx&@O^hz5KJL}y2X4<pV-VGvbSzAd_}5Q1iYNd^EHaEi@~4h4Sfgv-`ic$bvGUaW
z#l=NVtcPAiB5A*Dq>P@B!BF$ZO!75oDsi{XkZ8CCcU0aBov|KpSo73+Qnr%%IhNa6
zEnK>-SUnzC9-+X%t8q)X*<?%U+ge&B{G1thM<uBl8uQC*oD`>CNs6)vo@DvtO#d@c
zoat7iMJW^gK#9b8puX<>@P}Q=ajl)!w?Z#`S2P}~UTUW{fn}2@Iw*F6ggfZ{EleMN
zYvw{q=BD)xcz04VCoBI|07D6rFzXG!H7L7d7<-Q0Ec-+syrA0-h%of8nM+o$6tV;s
zQp;(zQV7<d0xdW3aGD$RdLA2k`<$FZ*Kh($C3n;e{thV;3WB3`pu;w!LcVg3NTJhw
zzF}rzp@WG(__PUGt(RgrWkhsdd(%*?b_S6@avP-Ko=bcP#*O~;z)0pO#jrUGf+g2N
zPqhm_Op-_Yx5Zo?uk_fIBOpNCDi0^V8ahR%AED;&w757jxvdIjTbXHxR(5+&4pa#l
zZZPx2Eoq=0z+CRjtv$<2{~lrT%Rk0xd;X=Lmwyx);FbDY&r(-Y1s`|p7<N5BMmXg`
zT5ZR~ymM8$tlo2F!i3h@!Ep>FJ~?5OzZgHyA<%GrIlIT%L)xvnd$#k);0wj^$IG_`
zhNFa-kDI3~BR6p2!tiUfl?Ux5@S3vr*Kh9{xXjf}TzaFt(h@ShRu$ZmJYL#}Gb%^O
z+5OlodYNlxSCt^{IO<_iN)K@Tv^9P8i7Bp&i2Ehqn+lv;VCL*P@_%1h);#TWSn5y@
zz0Nr?IJh&|Rk*uTytLlna@g}T_lpx@+}aXh8&mmiX7sQh2SnHJ^iE30ar)lZN5wGN
zAj%zsb(nuzTQav`4u?u9i~O^2GH<!u15BU0sdz$-fiY=bcSh`N#uRhR^;*9HzgX!#
zR~kW(&LP-SqkvM)OreV`3TZRga6=!|W1@GX4m_-ZDeM%%Et>O@O2LoEv4XHQ1SV=5
zcEq#Klx?V}2of8Cr=?0j+t0kGt6OH6w37M7OGa+yeX~Sv{BRa@J>XznVn=7X6i64#
z?^c2nXdLv*SA5o1{sjx=dc(!{QU*<4<3{=o;gzPlcy=#4uElASUEbq9xNe{bl%<>$
zSZ=K|R0k5<&P?TYet+fE2#vgolzaCh^lLolvFFkTo%~rHF3FYhwuq_k-QDi=k`r;w
zlj{Ah9Yi5?%D?p;!gWIHS{1llr_BBAw^j(7zRP6laMcP-SyNtBv3bSzhfvi9kSHEP
z1~`l!EWwjr8v!aCgRClpK9%>gJo5hQAn{Z0htEMIgj7)PJ{~##)fS5GDA_BWz+&kU
z<FUH7Cku4cZ}_>g^u(+rFRQ)WtF#i2mqKKh?z65r8pUtAv$-e4Y{;T<0sF5aLiyMJ
zlDS<xc9pgF(9KDH^zHQ#;0kZtyhMUnXpL#<eR9Nu2qROy>WP)AAHiS7i)a3l@UC`A
zn>oza`ILO`GQf|ikHU=JZAj8_{6tdI^gDm@hu=-+8z~~0hlq-3n_<!dQhJkZ;pbYF
z+%TNH5q!U>Ai<Pc;`6%8<W@4b_`oJJ>SUoh1Khl@2OP^hJ!R*g1kHB6U!=nBA>R?g
z^uuxqn|lX|i>vla{`!K(insUDRudlCXua1`%$d(b;mIxDC9ieg9G^DYp9!-YA@HcL
zGOqLQ(}Ld3Z0it=YG3$cytm-5;NnBox>oH)@5uU0HU-o-c77dKoKh1nJ<*&M_dBWB
zD4FRrPu|=5m6O?7BtROu#(T461%LB#B2X9}Kv33VNx1_Bui%D8E!@gUg}FF~8c_X&
zgOhB-&2b`;=;IG!zL-H?w$Cu2pgNC8gZQuh&&aKN%@e8y1_rh8t6r5A6+WU=k^oQ6
za~AAsP3JsD?F=W^Bfzk%e2F5+S%JiPJ-PF*K#>)CaB$Yy+0Ho@Sh9;FA)P12Mdasj
z;J?L0LfkGwr0l$w%1p8;S>SLcz$@nSLRChRAW<+GV5s>VXppY|eV*+caQt7%;J4M)
zhUeM%p*cFaqtW2!+1|b-qo2BOFx6GM>l*d(ljf~Rn?e<L-3;1Hk&xznZ2v-S$QX3C
zb<%fL^LW^>E6%+BWk$kFI%K8ynG~u+9W{F7Bze(fQXyURL4<=f{|P!5$J67g4$1w^
zkpmgcq6%H9ZgR?0L)gjZW|~L0DQTnd^z`)5t>v>fI!5c&{q6yOhY+{=FF4NcM$v$@
zlrQshbGw^?#3d~8EG8yK(_UrJH{(a*&G?nmtgI77MKxg(<*(8eK+&dT%f<CHxQQ?t
zp;{<w@c8@%rs2QaP|PoGG5KTqZ_yu3H)$$aHj?L$&_soC;)5rV#PZ!Z_7-2A@%d#k
z1KppBt<-4M5!_xX@IJ40c$XTz!n3_Wf$z1U_eF%Q@Xa&tz^C6!#Q4DbDHyBTP~Vfd
zE|(&#{yOwJD`Sy#=MEMOZpzaUzNXvDiWA~0A3?~vWBT-RCzKuvi!Q2ha$>MKoB~}h
zP1CDjZ<w_#XGxwtB!sXs%;>8Fd7i($$9nPFTle~+0S+me_MOHyo6tCSSZ=x|zU2Oc
z5@BVf%MqH|&%Wxu`76;vpq!e+o?gJ+wOV^VzPkA)@Zj6Z>-dQbu+R1hvmB^d9V(xX
z?I@1|hbXQ9O^nZ$=U8_ts*_Q3YJQEKM|476o>IFbd6VTL7{RPh7nGL)-r<}d)RQZX
zdTH{=Dacm%KHXiqpMmx3+e=WtQ&kMx(6Gw|y*BN>>j=o$$xanW@E*)=Vc5%_;7!w{
zvqCFG|MlaZ7V(=fq(xdc1e2mS>|$&5#I+lsrDONgSWyU5xA)x!<=(YUgC~g#I(eju
zh#gD*>0X2?$Bu{6Z}c<Z+{owUm#<_DBbj8a175VCM?mv>!`e)c?ZosDg&VWn*>fQ&
zs<8SRZe(5VFW1f1^zXf@fqy%h0Mi)^dqR2Tibm?=m7&G088?$zFME&ip_iuXopRpY
zkPVH!FS9DiGI#Ir4jFALL4sc>Wb7XfRabvA2vi=cQlbBM$`bFPWb7EcVmkAQg<|KX
zZcf^`j^RL_%Q?-3d1-fUU_lwp!DNRS#0)fEZpk6U2!;PK@B<_2Fdi<S<24w8`0>O3
zxSwjfQK!b&n?ANPjjN43Omf-p_49l|u6J=ud9B(mFAS4(>^<76m4v=~4$j%_jo11u
zy^o5(cAj`k*cr#Dd0%i{Ro7N74!&@`vO6TuKSIkQV?SS3<)0u(m>aYTbc8Q`j@?!;
z&w9L;&s$n8$YpO<IXs^7e4oJ~mYU5`&RoFxI=wpTB#P@?;^AhIrx`iaJo+-`?-C8F
zM|N4v>pc~8^%ffDU&oXyGVf@8S=0>u>-VG#At>L2xAoJNPtRkLr0-;v3tn_`y~mnY
zrb%J&;-p>&aT8C>aBE`$+7J&adi~rPnRSP{X2_)(`9RAp1Qj-Oet}<Mq02nbx}P{#
z+d;4@#2<^WsO)qPv8EM)l9Wo%y<_i_q!oG5k`c>jFICBTJ8sT^jibsg<{U-w^)8`d
zueDk|7{?=Q_0|!#?hqyXM!!+C;k^3$QNB?eSi8%JTS7AB%LFXZB(EntTovl)SHpL;
zA$~nBW@=@F;XLKNHqzt>aj`}(i>nFfq-*qM@!Q{KO>Dcg$VOL&=-x)i4qco+17PkX
zaibR#H?E)lmvs{V*ZlW?ywrn(x&fxfMwqvtqm2&Vn&dgJHh`3-F=vqf{!Ucrp^49E
zkR539@m<~rD;xKpK7HS8cAnzN!48S6GZ?{3fiwo2sVsV@i17Hparglz^JF@Yck6n`
zTsDEy{*43w_(5Zp7YpNY%MjyrQ3;Lmjb4~>cgL~;G+<8ylz5Ssw6Xl9052k>*p%%A
zq<@U>i$M=nIe&(f6EE4$96VG>w-q#j?R~!zk%+89iHq&mU&+4o*cK;xa>nB#aQj;&
zJYPvot@gC4Iy1ue<#~=l8KrCFTjP?Nv>S+8zth@%!ztog8<%<ca2*micWtAKLGo_J
zJ8VL6GLN!jRrm>xbxL55_3@qF0D7yHEBwqdzbtKfl+yk-DMq`svco}6PN;y;)613p
z+SxkbrU(zswL3e@J@#u$YMx<I?I#4D`t%<(IoI2Hj!&d|A?AQ7IL6_9@aM=VI)O>U
z{D>D#CEu@sDmi{NcPEL013UxcAQcZuW6JSoI7HH=0vXy(nmuawq62g62c-5uOVvQl
zf^U;ok?*#@oHX+#V&5XmN9FHGJb3Hzbpc5@{;b($%w-<VCLh=<pwL8E9{x@UxAN(p
zVWe|uA8BEbKdqmqfBlU&Up5VPnqJ9ya{_*1d|})^Ni+WR!p0MG3Us|RwVe;SxJ!{6
zt!~_<2z&}U`RAlFYywlaJOe#7YZoW^o0F!Oa~4_I-QY{^#IrtH!eAk-_HheV#CP#4
z>*weDn>>}nA<>dyp-ggfv4mF1z_an4sEM<I>-$Y`=N;_PZ&kz2XRWmI_}(<r`h(KX
z-2U>1^AkP1^a{jSn6b^n(d~tqvTYb2b;4kegQW9W&O_HBfw+2*rLt~(NlQ2Qp;f38
zA)Jv&fSuGn4U<$nC^&ZaZ=5mV<_K^!FO_vcRP4AUS52o{PcgXN^KgkTbij%Y=X9S1
zlH`czcCg@i`o|WUPL2h*c${Ee1Mx{~VVL)PjGT<KSYfT^w{VH5sHh4Hi?%<Ved~m&
z@h@L;_AQv+O?n+Rr`)2JF1c88f6T#jtW3zV`|z*u;t0_EgknMcVOMXgP;?X>_A8{G
z=kXfeY3z&sEQ9nf?!X-y;ivDp{MJLiEe;k7t+&I%+GC@D%F#e+U{crpl$JrEA@{>4
z=!E!v;l+Z8l#dtAy`OYs3t;o~fy<_zFW1hV7SW?;nslzwOfM00@+~xyP1tc(JzHrW
z`<>{!S;}e3D(W*>JjXkgw(Jg<QzLe-tV`*vilZZ)NIxk&kTZ*X4;w?Gko>=hHO7Z@
zlPYO}%aKr$QUQ7)*68Vpo*Y&^wVsj_u^JdM%Lo1yS1%Yfb0I)m_9Ybu`s;XqpPcgZ
z*_tU&ajJZVEUuvNl9DCJx>t{|bCswgvx0V8lq2f^Y2JSzh(QvGy&H`(D>IC!RbBa$
z=eY`sim(M6rjaOG+MUwkLJ-Gj^<gpkl#441=*a@PzkvRSmZK={CIe8eK=3qv!J(y%
zE!hXF(6P%GFGteksMe7703`);J8Q@KnVR{>wa0~EU#~XJ3g?ZE&PsM!Uak?v=ZAz;
z^S~`ruB^3^z_VS`ct%s$M6m4Iu8gepA~_6ueXP%Xg<0Hwbw~;sKATnW0g;Sv1a-fR
z6d{B%iCL-)o>0-Jgld6U1jw_WT~bSF*H2x_WnNqyqf|>56&8GWPt0Ah^Wz^DYh(iE
zMsM6Zzy5etjvl9xyr5{FXwEm%Pm2~2cL~Y*HGQ(DUG&@~tirRk=yWKgick!b1o=eE
zf)=j1>+LirM>tdC6OYH6D7|xwN40Y!iVSP-SoO|RLQ_|TqF296f<_WoXMg=GkZ*2P
zi`(nb;B!V7ubE&TgL(z7L7@*w9lgLl$E))D&R)Dj#aFw0A>M=7<7_MG%_2<i)<sCP
zCu5S`rU`dsW|cW4^vUeYI~@e<*tJ3j&klYu_EYsJql}Bm>%P52`nhSZd}&E7qCWI%
z_&Y=+RrsrDN|*O?hIT7~-ZqQ#%x`U`cBdUk2jQJTJNuCB^=Vhqw2=8Rvh}ViYCp#M
z7-Z$F90TE%nMr#W#*Af5^tya_)h3z)`XyklzpOrm<mYVK#w##Zm(BXjF3vJ;SO6Vm
zkk#*uT|>S-+G8e>TIUVjz%97;cOd1-{2#7l{Lec=PtS#EAnNMgXl-!Fd*_svZnO2M
zbUm0lM74eiUdZ@y5qJev$uI<Q|E8RJ?B?j@rCwRQ$ky|@SrH?>kG3kUn+dyM<N&r^
z++?GDeR_)CR+dPD$+2{bQ-J@c4$IXXA=UNBvA8zn1G=Fcv~I;_u+y5zgFV3#=JSf*
z!ho#g$%{T=%kOz*)%air6PX^GoQ-RY^bZl3BCl5eCHN1BCf3Jzfy$SuO4b36VXO?}
zWiDOl?l0UDhDv96noXu-n)K^78ymIf*#cyvm7U*jh~UFlkL46vTSJ&OiiebP-i-`?
zg5Ncp%;NE=bfT*-n-Jtm*zT(nt2rLd(_55yJDZ11l;L_nVwgjAtB~d1aMR9C-|SN*
zOMER%xrA`k=?M?zv2IOUA;lM|dnChODMaCQQ(EO~PM*tV52amaroUHdRl_>66oQrW
zA`P_a@&;)?ty(@`@&_SroR=#|)zc~l0CXRzKl61`+xZobge-o`>By!?Qc{fG?7D~M
zo>L~xf?X`kaIk(Fob-H>fTB0(HH<ksk?eDRK$D)3!eChEe%90_!rptbfB&FJ4HjWL
zBg#<=s!KQ>zk&4Ki|=!=_`<Bl`X|@<Y7L{GZY#Uj0(X1KQ0)W`C`TG{VXUQ3z<1Mi
znJy2@?rTL9y=dlX8KW_>x6K*wh5Qg`ptS-?bS>;PHEY$^Q`^WDowhEc+)P9Dl<VmT
zA9dN%W)DiKdEsV{<qETXENQld-xRZ>G@M*+WjA2a8lvq81}j5!NNPalz%gGbu{&}`
zifLZHoZt*o6D|EOaBkv{@`s>ZZ--=DsMpd|*0EgUH_YDbMKO%qxGhp?m7B;MwrfV7
zFvOChXMgP|q=WKC-ilV~i&ohs93I7d?@f2=@#hKrZ#4KTT(j-Qh#{9n9JdyeI!!_?
zx%A4~ppi}8lYb{4)PSdKFxd5LI)$Y<2w0rA%oDnSeKMcl>e<1UdUPFLm+>rb*v0h?
z4B87Y#KQB`r}h{0lnb0}Bp+$|`LtBj4$~oHSFY0!I2|Rocx49%Uuw~*L)iyDoLQvu
z`&w*f@l93n?p^NyZR2D9u95H<X_4*vkS|M`55RlDsAttChI*SaWp3Ms#q3oZ9=2g1
z&zZH0lO2s>NdurJX*Z`92G6H?Z25BI&VVW#aE7E6x|`BDQD98Tn=10QsCaKFSN0DB
zMWHc7Tb0kwU4$PYVHS-xXs*tQRjB+-3VAi?>FwBCy#CdU_Ukf96l9a#gQ0N5h8cKF
zoh;^-W^vFNDd;nNVVV3!Bb3woti;;sGfr0OC4#5h3^E*Kvse*GqFi>a)bRVxb}LCz
z5LCgq8FC;>*YN>LN%6mm+tVD4GV0x<5<~>{Tju571Xes;O0S%V2@MtJhTq$0&4b9A
zVQ%oFoX+7^PIvOjw1?Jd%WLB=gpK1j#uT0ds(*X`n!4wt^{fl&6qgSJUCi2#DjXdh
zA0KWKjV5&--e7vj;s9P<VUK49$<_A#>tREgxA8Hg?kuQs^oA^yq->{)sB!2FnmrhN
zfxLLR-2raB>dHuUFz@{zA`Yluk#px9Jn71`S&k(etpXp#z(64Si?kdI0eJ-%AzY^N
zx&DB3{To39>HdGLTK_-h>yOW_W&i+x7`;?{s{Q|3L;ruQH2*BYe+HZQXDj@(75;O0
zr~lNJ7(~QE*e}l7{bL8lG5?G7C(}6?2)c5<sL1T;`3j}C*Ud;Z`OlC4SttL$HHc3D
Zsq_vevE<>qq@DnHsidJ;^33eRe*smGP8a|H

literal 0
HcmV?d00001

diff --git a/content/docs/guides/servarr.mdx b/content/docs/guides/servarr.mdx
new file mode 100644
index 000000000..6333b271b
--- /dev/null
+++ b/content/docs/guides/servarr.mdx
@@ -0,0 +1,197 @@
+---
+# cSpell:ignore servarr Sonarr Radarr Prowlarr SABnzbd usenet linuxserver Servarr
+title: Secure Sonarr, Radarr, Prowlarr, and SABnzbd with Pomerium
+sidebar_label: Servarr
+lang: en-US
+keywords:
+  [
+    pomerium,
+    servarr,
+    sonarr,
+    radarr,
+    prowlarr,
+    sabnzbd,
+    media automation,
+    sso,
+    oidc,
+    identity aware proxy,
+    self-hosted,
+  ]
+description: Put a Servarr media-automation suite (Sonarr, Radarr, Prowlarr, SABnzbd) behind one Pomerium front door so every web request is authenticated and authorized before it reaches an app.
+---
+
+import TabItem from '@theme/TabItem';
+import Tabs from '@theme/Tabs';
+
+import Config from '/content/examples/guides/servarr/config.yaml.md';
+import Compose from '/content/examples/guides/servarr/docker-compose.yaml.md';
+
+# Secure Sonarr, Radarr, Prowlarr, and SABnzbd with Pomerium
+
+## What this guide does
+
+The "Servarr" apps are a family of self-hosted media-automation tools that are almost always run together: [Sonarr](https://sonarr.tv/) (TV), [Radarr](https://radarr.video/) (movies), [Prowlarr](https://prowlarr.com/) (indexer management), and a download client like [SABnzbd](https://sabnzbd.org/) (usenet). Each ships its own web interface and HTTP API on its own port, and none of them speak single sign-on (SSO), the [OpenID Connect (OIDC)](https://openid.net/developers/how-connect-works/) protocol, or any header-based identity. Their built-in access control is per-app web UI authentication plus a static API key for HTTP API and inter-app calls.
+
+You'll put the whole suite behind one Pomerium so that Pomerium becomes the single front door for every app's web interface: each request is authenticated against your identity provider (IdP) and checked against your policy before it ever reaches Sonarr, Radarr, Prowlarr, or SABnzbd. The apps keep their own API keys for programmatic and inter-app calls; Pomerium gates the browser surface in front of all of them.
+
+## When to use this guide
+
+Use it when you run a Servarr stack and want one identity-aware front door for the whole suite instead of exposing four separate web UIs, each with its own local login and separate API key for automation. In a typical home or lab deployment these apps run on a separate host or network-attached storage (NAS) box and are only meant to be reached over your private network; Pomerium lets you reach them from anywhere with your existing identity, while keeping their ports off the public internet.
+
+The win is not replacing each app's own access controls. The win is centralized SSO, group-based policy, an audit trail of who reached which app, and shrinking the attack surface to a single authenticated entry point. The trade-off to be honest about up front: because the apps consume no identity from Pomerium, this is a front-door gate, and each app's API key remains a separate credential you still have to protect.
+
+### What Pomerium gates, and what it does not
+
+A Servarr stack is reached through three different channels, and Pomerium only sits in front of one of them. This matrix is the mental model for the rest of the guide:
+
+![Matrix: Pomerium gates each app's web UI; the API uses the app's own key and native/mobile clients bypass the gate](./img/servarr/servarr-gating-matrix.svg)
+
+- **Web UI (browser).** This is what Pomerium gates. Every app's dashboard is reached only after SSO and a policy check.
+- **HTTP API.** Reached with the app's own API key. Prowlarr talks to Sonarr and Radarr this way; once a request reaches an app with a valid API key, the app authorizes it independently of your Pomerium session. Keep these calls on the internal network (see [Security considerations](#security-considerations)).
+- **Native or mobile clients.** Apps like mobile remotes expect a direct connection and do not run a browser SSO flow. Those bypass Pomerium's interactive gate and need a separate path, such as a [TCP tunnel](/docs/capabilities/non-http) or a VPN.
+
+```mermaid
+sequenceDiagram
+    participant User as Browser
+    participant Pomerium as Pomerium
+    participant IdP as Identity Provider
+    participant App as Sonarr / Radarr / Prowlarr / SABnzbd
+    participant Bypass as Native client (API key)
+
+    User->>Pomerium: GET https://sonarr.yourdomain.com
+    Pomerium->>IdP: Redirect for authentication
+    IdP->>Pomerium: Authenticated identity
+    Pomerium->>Pomerium: Evaluate policy (group / email)
+    Pomerium->>App: Forward request (no identity header)
+    App->>User: App web UI
+    Note over Bypass,App: Bypass risk: a client with the app's API key<br/>that can reach the app port skips Pomerium entirely
+    Bypass--xApp: Direct API call if the port is exposed
+```
+
+The dashed line is the reason network isolation matters: keep the app ports off published interfaces and reachable only through Pomerium, or the API key becomes the whole security model.
+
+## Prerequisites
+
+This guide assumes you've completed the [Quickstart](/docs/get-started/quickstart), so you already have Pomerium running and signing users in through the hosted authenticate service.
+
+You also need:
+
+- [Docker](https://docs.docker.com/install/) and [Docker Compose](https://docs.docker.com/compose/install/)
+- A domain you control for the routes (this guide uses `sonarr.yourdomain.com`, `radarr.yourdomain.com`, `prowlarr.yourdomain.com`, and `sabnzbd.yourdomain.com`)
+
+:::tip Prefer to self-host the identity provider?
+
+This guide uses the hosted authenticate service so you don't have to run your own IdP. To run your own instead, follow [Keycloak + Pomerium](/docs/integrations/user-identity/oidc) and swap the `authenticate_service_url` / `idp_*` settings into the config below.
+
+:::
+
+## Configure Pomerium
+
+You'll create one route per app. The routes are plain HTTP front-door gates: Pomerium authenticates the user and proxies the request through without injecting any identity, because the apps have no header or token identity to consume.
+
+<Tabs queryString="type">
+<TabItem value="zero" label="Pomerium Zero" default>
+
+In the [Zero Console](https://console.pomerium.app), create one **Route** per app:
+
+1. **Sonarr** -- **From** `https://sonarr.<your-starter-domain>`, **To** `http://sonarr:8989`.
+2. **Radarr** -- **From** `https://radarr.<your-starter-domain>`, **To** `http://radarr:7878`.
+3. **Prowlarr** -- **From** `https://prowlarr.<your-starter-domain>`, **To** `http://prowlarr:9696`.
+4. **SABnzbd** -- **From** `https://sabnzbd.<your-starter-domain>`, **To** `http://sabnzbd:8080`. On this route, enable **Preserve Host Header**: SABnzbd checks the incoming host against its `host_whitelist`, so it must see the public name.
+
+Set each route's policy to scope access to who should reach the suite (for example, **Any Authenticated User** or a specific group). Zero manages the routes' TLS certificates behind your starter domain.
+
+</TabItem>
+<TabItem value="core" label="Pomerium Core">
+
+Create a `config.yaml`. It defines one route per app and allows a single authorized user. SABnzbd preserves the host header so its `host_whitelist` check passes.
+
+<Config />
+
+Replace each `*.yourdomain.com` host with your domain and `you@example.com` with the email (or switch to a group or domain match) that should be allowed through. Restart Pomerium after saving.
+
+</TabItem>
+</Tabs>
+
+## Configure the Servarr apps
+
+The [LinuxServer.io](https://www.linuxserver.io/) images for these apps generate their config on first start, so there is little to set by hand. The two things that matter for running behind Pomerium:
+
+- **Authentication method.** For Sonarr, Radarr, and Prowlarr, `External` is configured in `config.xml`, not from the normal settings UI. Stop each container, edit its `/config/config.xml` so the top-level auth entries are `<AuthenticationMethod>External</AuthenticationMethod>` and `<AuthenticationRequired>DisabledForLocalAddresses</AuthenticationRequired>`, then restart. Be precise about what this does: it tells the app to skip its own web-UI login for requests that arrive from a local/private network address, on the assumption that a reverse proxy already authenticated the user. The app does not validate a Pomerium identity or a signed header -- it trusts the network position. Pomerium is that reverse proxy, which is exactly why the app ports must be reachable only through Pomerium (see [Security considerations](#security-considerations)). The API key still guards API calls regardless of this setting.
+- **API keys.** Each app shows its API key under **Settings -> General**. Prowlarr uses these keys to push indexer config into Sonarr and Radarr, and any external client uses them too. Treat each key like a password.
+
+SABnzbd is configured the same way in spirit: under **Config -> General**, note its API key, and add your public SABnzbd host to **Config -> Special -> host_whitelist** so it accepts the host Pomerium forwards.
+
+:::caution The API key is a separate credential from your SSO identity
+
+Signing in through Pomerium does not authenticate you to an app's API. The API key is the app's own credential and is not derived from your Pomerium session. Anyone who can present a valid API key to an app, and reach its port, is authorized by that app -- which is exactly why the next sections keep the app ports off the network.
+
+:::
+
+## Run the stack
+
+The Compose file runs Pomerium Core and all four apps together. Pomerium publishes ports 80 and 443; the app containers publish no host ports, so their web ports are reachable only through Pomerium, while the apps keep outbound access so Sonarr, Radarr, and Prowlarr can reach indexers and metadata providers and SABnzbd can reach Usenet servers. For Zero, drop the `pomerium` service and use the `compose.yaml` from the Quickstart with your `POMERIUM_ZERO_TOKEN`, keeping the four app services and the `servarr-internal` network below, and attach the Quickstart's `pomerium` service to `servarr-internal` so it can resolve the apps by name.
+
+<Compose />
+
+Start it:
+
+```bash
+docker compose up -d
+```
+
+The apps take a moment to migrate their databases on first start; watch `docker compose ps` until each reports `Up`, then check the app logs for the listening message if a page is not ready yet. When you're done testing, stop the stack:
+
+```bash
+docker compose down
+```
+
+Add `-v` only if you mean to delete the named volumes, including each app's config and API keys.
+
+## Verify the setup
+
+1. **The route requires authentication.** In a fresh browser, open `https://sonarr.yourdomain.com`. You should be redirected to sign in through Pomerium, not straight into Sonarr. Repeat for `radarr`, `prowlarr`, and `sabnzbd` -- every app is gated.
+2. **An allowed user reaches each app.** Sign in with a user your policy allows. Pomerium redirects you back and the app's own dashboard loads behind the gate.
+
+![The Sonarr web interface reached through Pomerium after single sign-on](./img/servarr/servarr-sonarr.png)
+
+3. **The API answers its own key, not your session.** Pomerium still gates the route, so reach these from your signed-in browser. For Pomerium Zero or Enterprise routes, you can also use a [Pomerium service account](/docs/capabilities/service-accounts) token that your route policy allows; for self-managed Core without service accounts, use an interactive browser session. A plain `curl` with no Pomerium session is redirected to sign in. Past the gate, each app's status API responds to its own API key. The path differs by app -- Sonarr and Radarr use `/api/v3`, Prowlarr uses `/api/v1`, and SABnzbd uses its `mode` query:
+
+```bash
+export POMERIUM_SERVICE_ACCOUNT_JWT='raw-service-account-jwt'
+
+curl -H "Authorization: Bearer Pomerium-${POMERIUM_SERVICE_ACCOUNT_JWT}" \
+  -H "X-Api-Key: YOUR_SONARR_KEY" \
+  "https://sonarr.yourdomain.com/api/v3/system/status"
+curl -H "Authorization: Bearer Pomerium-${POMERIUM_SERVICE_ACCOUNT_JWT}" \
+  -H "X-Api-Key: YOUR_RADARR_KEY" \
+  "https://radarr.yourdomain.com/api/v3/system/status"
+curl -H "Authorization: Bearer Pomerium-${POMERIUM_SERVICE_ACCOUNT_JWT}" \
+  -H "X-Api-Key: YOUR_PROWLARR_KEY" \
+  "https://prowlarr.yourdomain.com/api/v1/system/status"
+curl -H "Authorization: Bearer Pomerium-${POMERIUM_SERVICE_ACCOUNT_JWT}" \
+  "https://sabnzbd.yourdomain.com/api?mode=queue&output=json&apikey=YOUR_SABNZBD_KEY"
+```
+
+Pomerium gates the browser surface; the apps keep their own API keys behind that gate. If you leave Forms or Basic auth enabled instead of `External`, that local login remains as an additional prompt. First-run setup is each app's concern, not Pomerium's.
+
+## Common failure modes
+
+- **`421 Misdirected Request` or a host error from SABnzbd.** SABnzbd's `host_whitelist` doesn't include the host Pomerium forwards. Add `sabnzbd.yourdomain.com` to the whitelist and make sure the route sets `preserve_host_header`.
+- **An \*arr app shows its own login prompt after you sign in to Pomerium.** Its authentication method is still set to a local form login. Stop the container, edit `/config/config.xml` to use `<AuthenticationMethod>External</AuthenticationMethod>` and `<AuthenticationRequired>DisabledForLocalAddresses</AuthenticationRequired>`, then restart. Or leave a form login in place if you want the app's password as a second prompt.
+- **`404` from a status API.** You used the wrong API version for that app. Prowlarr is `/api/v1`; Sonarr and Radarr are `/api/v3`; SABnzbd uses `/api?mode=...`.
+- **Redirect loop or certificate errors.** Make sure DNS for each host points at Pomerium and that Pomerium can obtain a TLS certificate. On the Core path, `autocert` needs ports 80 and 443 reachable for Let's Encrypt; Zero manages certificates for you.
+
+## Security considerations
+
+- **Network isolation is the real boundary.** With **External** auth set to **Disabled for Local Addresses**, each app serves its web UI to anything that reaches it from a local network address, and its API authorizes any caller that presents the key. The app trusts the network position, not a verified identity, so the whole model depends on Pomerium being the only thing on that network path. Keep the apps off published host ports on a Docker network shared with Pomerium, as the Compose file does, so the only way in is through Pomerium. The inbound isolation comes from not publishing host ports, not from cutting the network off entirely; these apps still need outbound access to reach indexers and Usenet, so the network stays egress-capable. If an app is reachable on its own port, a caller from that network skips the web-UI login outright, and anyone who learns the API key bypasses Pomerium entirely. In production these apps often live on a separate host or NAS; reach them only through Pomerium, never by exposing their ports.
+- **Treat each API key like a password.** The keys live in the apps' config and are passed between them (Prowlarr to Sonarr and Radarr) and to any external client. They are not tied to your Pomerium session, so rotate them if leaked. Prefer the `X-Api-Key` header for Sonarr, Radarr, and Prowlarr instead of putting keys in URLs you'd paste into a shared channel.
+- **Scope the route policy.** Limit each route to the users or groups who should reach the suite rather than allowing every authenticated user. The apps have no per-user roles of their own, so Pomerium's policy is your only place to express who gets in.
+- **Front-door gate, not identity injection.** Unlike apps that accept a signed header or JWT from Pomerium, the \*arr apps gain no per-user identity from this setup. If you need the upstream to know which user acted, these apps can't consume that today; Pomerium's audit log is where that record lives.
+
+## Next steps
+
+- [Secure Transmission with Pomerium](/docs/guides/transmission) -- the same front-door pattern for a BitTorrent download client, including its RPC host-whitelist mechanics.
+- [Build policies](/docs/get-started/fundamentals/zero/zero-build-policies)
+- [Non-HTTP (TCP) routes](/docs/capabilities/non-http) -- for native or mobile clients that can't run a browser SSO flow.
+- [Custom domains](/docs/capabilities/custom-domains)
diff --git a/content/examples/guides/servarr/config.yaml b/content/examples/guides/servarr/config.yaml
new file mode 100644
index 000000000..971fb2b0c
--- /dev/null
+++ b/content/examples/guides/servarr/config.yaml
@@ -0,0 +1,46 @@
+# Pomerium Core configuration for a Servarr media-automation suite. Uses the hosted
+# authenticate service, so you don't run your own identity provider. To self-host the
+# IdP, see the Keycloak guide:
+# https://www.pomerium.com/docs/integrations/user-identity/oidc
+authenticate_service_url: https://authenticate.pomerium.app
+
+# Obtain TLS certificates automatically from Let's Encrypt.
+autocert: true
+
+# One route per app. Each app keeps its own API key, so these are front-door gates,
+# not header-trust integrations.
+routes:
+  - from: https://sonarr.yourdomain.com
+    to: http://sonarr:8989
+    policy:
+      - allow:
+          or:
+            - email:
+                is: you@example.com
+
+  - from: https://radarr.yourdomain.com
+    to: http://radarr:7878
+    policy:
+      - allow:
+          or:
+            - email:
+                is: you@example.com
+
+  - from: https://prowlarr.yourdomain.com
+    to: http://prowlarr:9696
+    policy:
+      - allow:
+          or:
+            - email:
+                is: you@example.com
+
+  - from: https://sabnzbd.yourdomain.com
+    to: http://sabnzbd:8080
+    # SABnzbd validates the Host header against its host_whitelist, so forward the
+    # original host unchanged and add sabnzbd.yourdomain.com to that whitelist.
+    preserve_host_header: true
+    policy:
+      - allow:
+          or:
+            - email:
+                is: you@example.com
diff --git a/content/examples/guides/servarr/config.yaml.md b/content/examples/guides/servarr/config.yaml.md
new file mode 100644
index 000000000..fdff30dcd
--- /dev/null
+++ b/content/examples/guides/servarr/config.yaml.md
@@ -0,0 +1,48 @@
+```yaml title="config.yaml"
+# Pomerium Core configuration for a Servarr media-automation suite. Uses the hosted
+# authenticate service, so you don't run your own identity provider. To self-host the
+# IdP, see the Keycloak guide:
+# https://www.pomerium.com/docs/integrations/user-identity/oidc
+authenticate_service_url: https://authenticate.pomerium.app
+
+# Obtain TLS certificates automatically from Let's Encrypt.
+autocert: true
+
+# One route per app. Each app keeps its own API key, so these are front-door gates,
+# not header-trust integrations.
+routes:
+  - from: https://sonarr.yourdomain.com
+    to: http://sonarr:8989
+    policy:
+      - allow:
+          or:
+            - email:
+                is: you@example.com
+
+  - from: https://radarr.yourdomain.com
+    to: http://radarr:7878
+    policy:
+      - allow:
+          or:
+            - email:
+                is: you@example.com
+
+  - from: https://prowlarr.yourdomain.com
+    to: http://prowlarr:9696
+    policy:
+      - allow:
+          or:
+            - email:
+                is: you@example.com
+
+  - from: https://sabnzbd.yourdomain.com
+    to: http://sabnzbd:8080
+    # SABnzbd validates the Host header against its host_whitelist, so forward the
+    # original host unchanged and add sabnzbd.yourdomain.com to that whitelist.
+    preserve_host_header: true
+    policy:
+      - allow:
+          or:
+            - email:
+                is: you@example.com
+```
diff --git a/content/examples/guides/servarr/docker-compose.yaml b/content/examples/guides/servarr/docker-compose.yaml
new file mode 100644
index 000000000..a51c6a720
--- /dev/null
+++ b/content/examples/guides/servarr/docker-compose.yaml
@@ -0,0 +1,76 @@
+services:
+  pomerium:
+    image: pomerium/pomerium:v0.32.7@sha256:e10d1d267af24f581157f485d9b0bc08469e2428675b696a08e42ceb09b2279c
+    volumes:
+      - ./config.yaml:/pomerium/config.yaml:ro
+      - pomerium-cache:/data
+    ports:
+      - 443:443
+      - 80:80
+    # Pomerium bridges both networks: `default` for autocert/Let's Encrypt and the
+    # hosted authenticate service, and `servarr-internal` to reach the apps.
+    networks:
+      - default
+      - servarr-internal
+    restart: always
+
+  sonarr:
+    image: lscr.io/linuxserver/sonarr:4.0.17@sha256:0b3f344388bd7bed4f2f770058de795e76447e4a481b83c8d5f8fed489371fde
+    environment:
+      PUID: 1000
+      PGID: 1000
+      TZ: Etc/UTC
+    volumes:
+      - sonarr-config:/config
+    networks:
+      - servarr-internal
+    restart: always
+
+  radarr:
+    image: lscr.io/linuxserver/radarr:6.1.1@sha256:c0a4335d4249b46102f64cf6fa27ffc3bddfd9138fac1e4ddf238afd37f02d1f
+    environment:
+      PUID: 1000
+      PGID: 1000
+      TZ: Etc/UTC
+    volumes:
+      - radarr-config:/config
+    networks:
+      - servarr-internal
+    restart: always
+
+  prowlarr:
+    image: lscr.io/linuxserver/prowlarr:2.3.5@sha256:2489c6dbaf11e3a6d71aeb2e6980d04193d4af611aa7064a974851222fd41722
+    environment:
+      PUID: 1000
+      PGID: 1000
+      TZ: Etc/UTC
+    volumes:
+      - prowlarr-config:/config
+    networks:
+      - servarr-internal
+    restart: always
+
+  sabnzbd:
+    image: lscr.io/linuxserver/sabnzbd:5.0.3@sha256:3de84922d3b4c5e7062b3cbd1e08f57d8dc113a8be4dc0447d33e2da293bab26
+    environment:
+      PUID: 1000
+      PGID: 1000
+      TZ: Etc/UTC
+    volumes:
+      - sabnzbd-config:/config
+    networks:
+      - servarr-internal
+    restart: always
+
+networks:
+  # The *arr apps publish no host ports, so Pomerium (which shares this network) is
+  # the only way in. Outbound access stays enabled so the apps can reach indexers,
+  # metadata providers, and Usenet servers.
+  servarr-internal: {}
+
+volumes:
+  pomerium-cache:
+  sonarr-config:
+  radarr-config:
+  prowlarr-config:
+  sabnzbd-config:
diff --git a/content/examples/guides/servarr/docker-compose.yaml.md b/content/examples/guides/servarr/docker-compose.yaml.md
new file mode 100644
index 000000000..46aee6e36
--- /dev/null
+++ b/content/examples/guides/servarr/docker-compose.yaml.md
@@ -0,0 +1,78 @@
+```yaml title="docker-compose.yaml"
+services:
+  pomerium:
+    image: pomerium/pomerium:v0.32.7@sha256:e10d1d267af24f581157f485d9b0bc08469e2428675b696a08e42ceb09b2279c
+    volumes:
+      - ./config.yaml:/pomerium/config.yaml:ro
+      - pomerium-cache:/data
+    ports:
+      - 443:443
+      - 80:80
+    # Pomerium bridges both networks: `default` for autocert/Let's Encrypt and the
+    # hosted authenticate service, and `servarr-internal` to reach the apps.
+    networks:
+      - default
+      - servarr-internal
+    restart: always
+
+  sonarr:
+    image: lscr.io/linuxserver/sonarr:4.0.17@sha256:0b3f344388bd7bed4f2f770058de795e76447e4a481b83c8d5f8fed489371fde
+    environment:
+      PUID: 1000
+      PGID: 1000
+      TZ: Etc/UTC
+    volumes:
+      - sonarr-config:/config
+    networks:
+      - servarr-internal
+    restart: always
+
+  radarr:
+    image: lscr.io/linuxserver/radarr:6.1.1@sha256:c0a4335d4249b46102f64cf6fa27ffc3bddfd9138fac1e4ddf238afd37f02d1f
+    environment:
+      PUID: 1000
+      PGID: 1000
+      TZ: Etc/UTC
+    volumes:
+      - radarr-config:/config
+    networks:
+      - servarr-internal
+    restart: always
+
+  prowlarr:
+    image: lscr.io/linuxserver/prowlarr:2.3.5@sha256:2489c6dbaf11e3a6d71aeb2e6980d04193d4af611aa7064a974851222fd41722
+    environment:
+      PUID: 1000
+      PGID: 1000
+      TZ: Etc/UTC
+    volumes:
+      - prowlarr-config:/config
+    networks:
+      - servarr-internal
+    restart: always
+
+  sabnzbd:
+    image: lscr.io/linuxserver/sabnzbd:5.0.3@sha256:3de84922d3b4c5e7062b3cbd1e08f57d8dc113a8be4dc0447d33e2da293bab26
+    environment:
+      PUID: 1000
+      PGID: 1000
+      TZ: Etc/UTC
+    volumes:
+      - sabnzbd-config:/config
+    networks:
+      - servarr-internal
+    restart: always
+
+networks:
+  # The *arr apps publish no host ports, so Pomerium (which shares this network) is
+  # the only way in. Outbound access stays enabled so the apps can reach indexers,
+  # metadata providers, and Usenet servers.
+  servarr-internal: {}
+
+volumes:
+  pomerium-cache:
+  sonarr-config:
+  radarr-config:
+  prowlarr-config:
+  sabnzbd-config:
+```
diff --git a/content/examples/guides/servarr/validate/assert.spec.ts b/content/examples/guides/servarr/validate/assert.spec.ts
new file mode 100644
index 000000000..063de1cfd
--- /dev/null
+++ b/content/examples/guides/servarr/validate/assert.spec.ts
@@ -0,0 +1,175 @@
+import { test, expect } from "@playwright/test";
+import { login, alice } from "../lib/authn";
+import { shot } from "../lib/shot";
+
+// Real end-to-end test for the Servarr suite behind a single Pomerium front door.
+// Pomerium makes the access decision for every app; each *arr app keeps its own
+// API key on top (it has no OIDC/JWT/header identity). This drives the whole
+// chain: an unauthenticated request is bounced to the IdP; an allowed user passes
+// the gate; behind the gate each app's status API answers 200 to its seeded key;
+// and the apps are unreachable except through Pomerium (network isolation).
+//
+// SERVARRTESTKEY0123456789 is the shared, test-only API key seeded into each app's
+// committed config (sonarr/radarr/prowlarr config.xml and sabnzbd.ini). It is a
+// fixture credential for localhost-only containers destroyed after the run, in the
+// same spirit as the harness's committed alice/password123 and pomerium-e2e-secret.
+const BASE = process.env.POMERIUM_URL as string;
+const API_KEY = "SERVARRTESTKEY0123456789";
+
+const RADARR = BASE.replace("sonarr.", "radarr.");
+const PROWLARR = BASE.replace("sonarr.", "prowlarr.");
+const SABNZBD = BASE.replace("sonarr.", "sabnzbd.");
+const KEYCLOAK_HOST = "keycloak.localhost.pomerium.io";
+
+// After the first interactive sign-in, the authenticate + Keycloak sessions are
+// warm, so reaching another app host completes single sign-on silently (no
+// credential prompt). Navigate and wait to land back on the app host; if Pomerium
+// briefly bounces through Keycloak, wait that out too.
+async function reach(page: import("@playwright/test").Page, url: string): Promise<void> {
+  const host = new URL(url).hostname;
+  await page.goto(url, { waitUntil: "domcontentloaded", timeout: 30000 });
+  await page.waitForURL(
+    (u) => u.hostname === host && u.hostname !== KEYCLOAK_HOST,
+    { timeout: 30000 },
+  );
+}
+
+test("unauthenticated request is redirected to the identity provider", async ({ page }) => {
+  await page.goto(BASE, { waitUntil: "domcontentloaded" });
+  await expect(page).toHaveURL(/keycloak\.localhost\.pomerium\.io/);
+});
+
+test("an allowed user passes the gate and every app's API answers its seeded key", async ({
+  page,
+}) => {
+  // Interactive sign-in once, through the Sonarr route. This proves the gate and
+  // warms the SSO session reused for the other three apps.
+  await login(page, BASE, alice);
+
+  // Sonarr (TV). The status API only answers 200 to a request carrying the API key,
+  // so a 200 here proves both that Pomerium let us through and that the seeded key
+  // reached the app. The request rides the browser context, so it also carries the
+  // Pomerium session cookie set by the login above.
+  const sonarr = await page.request.get(
+    `${BASE}/api/v3/system/status?apiKey=${API_KEY}`,
+    { ignoreHTTPSErrors: true },
+  );
+  expect(sonarr.status(), "Sonarr status API should answer 200 to the seeded key").toBe(200);
+  expect((await sonarr.json()).appName, "Sonarr should identify itself").toBe("Sonarr");
+
+  // Radarr (Movies).
+  await reach(page, RADARR);
+  const radarr = await page.request.get(
+    `${RADARR}/api/v3/system/status?apiKey=${API_KEY}`,
+    { ignoreHTTPSErrors: true },
+  );
+  expect(radarr.status(), "Radarr status API should answer 200 to the seeded key").toBe(200);
+  expect((await radarr.json()).appName, "Radarr should identify itself").toBe("Radarr");
+
+  // Prowlarr (indexers). Prowlarr's API is versioned v1, unlike Sonarr/Radarr (v3).
+  await reach(page, PROWLARR);
+  const prowlarr = await page.request.get(
+    `${PROWLARR}/api/v1/system/status?apiKey=${API_KEY}`,
+    { ignoreHTTPSErrors: true },
+  );
+  expect(prowlarr.status(), "Prowlarr status API should answer 200 to the seeded key").toBe(200);
+  expect((await prowlarr.json()).appName, "Prowlarr should identify itself").toBe("Prowlarr");
+
+  // SABnzbd (usenet). Its `mode=version` is public, so assert on `mode=queue`,
+  // which returns "API Key Required" without the key and the queue JSON with it.
+  await reach(page, SABNZBD);
+  const sab = await page.request.get(
+    `${SABNZBD}/api?mode=queue&output=json&apikey=${API_KEY}`,
+    { ignoreHTTPSErrors: true },
+  );
+  expect(sab.status(), "SABnzbd queue API should answer 200 to the seeded key").toBe(200);
+  expect((await sab.json()).queue, "SABnzbd should return its queue object").toBeTruthy();
+
+  // Capture a *arr UI rendered behind the Pomerium gate for the guide. Sonarr's
+  // SPA polls its API continuously, so wait on the rendered chrome rather than
+  // network idle (which never settles). The selector wait is best-effort so a
+  // future UI markup change can't fail the gate assertion that already passed.
+  await reach(page, BASE);
+  await page.waitForLoadState("domcontentloaded");
+  await page.waitForSelector("header, nav, [class*='Page']", { timeout: 10000 }).catch(() => {});
+  await shot(page, "servarr-sonarr");
+});
+
+test("each app's own API key gates its API, independent of the Pomerium session", async ({
+  page,
+}) => {
+  // The guide's load-bearing claim is that signing in through Pomerium does NOT
+  // authenticate you to an app's API: the API key is the app's own, separate
+  // credential. Prove it. Even past the Pomerium gate (authenticated session in
+  // this context), a request that omits the key must be rejected by the app itself.
+  // Sonarr/Radarr/Prowlarr answer 401; SABnzbd answers 200 with an "API Key
+  // Required" error body (its API never uses HTTP status for auth failures).
+  await login(page, BASE, alice);
+
+  const sonarr = await page.request.get(`${BASE}/api/v3/system/status`, {
+    ignoreHTTPSErrors: true,
+  });
+  expect(sonarr.status(), "Sonarr must reject an API call with no key").toBe(401);
+
+  await reach(page, RADARR);
+  const radarr = await page.request.get(`${RADARR}/api/v3/system/status`, {
+    ignoreHTTPSErrors: true,
+  });
+  expect(radarr.status(), "Radarr must reject an API call with no key").toBe(401);
+
+  await reach(page, PROWLARR);
+  const prowlarr = await page.request.get(`${PROWLARR}/api/v1/system/status`, {
+    ignoreHTTPSErrors: true,
+  });
+  expect(prowlarr.status(), "Prowlarr must reject an API call with no key").toBe(401);
+
+  await reach(page, SABNZBD);
+  const sab = await page.request.get(`${SABNZBD}/api?mode=queue&output=json`, {
+    ignoreHTTPSErrors: true,
+  });
+  const sabBody = await sab.text();
+  expect(
+    sabBody,
+    "SABnzbd must reject an authenticated-but-keyless API call",
+  ).toMatch(/API Key Required/i);
+});
+
+test("the *arr apps are not reachable except through Pomerium", async ({ page }) => {
+  // Positive control first: Sonarr IS serving through Pomerium after SSO. This
+  // proves the service is up, so the direct-hit failure below is caused by network
+  // topology, not a dead/typo'd endpoint.
+  await login(page, BASE, alice);
+  const viaPomerium = await page.request.get(
+    `${BASE}/api/v3/system/status?apiKey=${API_KEY}`,
+    { ignoreHTTPSErrors: true },
+  );
+  expect(viaPomerium.ok(), "the route through Pomerium should work").toBeTruthy();
+
+  // Each app's only built-in API auth is a static key, so network isolation is
+  // the real trust boundary and must be real: the apps sit on an internal-only
+  // network shared with Pomerium alone. The test-runner is not on that network,
+  // so direct hits must fail at name resolution / connection, NOT with HTTP
+  // responses. Asserting the specific error keeps a typo or a down service from
+  // masquerading as isolation.
+  const directUrls = [
+    "http://sonarr:8989/api/v3/system/status",
+    "http://radarr:7878/api/v3/system/status",
+    "http://prowlarr:9696/api/v1/system/status",
+    "http://sabnzbd:8080/api?mode=queue&output=json",
+  ];
+  for (const url of directUrls) {
+    let directError = "";
+    try {
+      await page.request.get(url, {
+        ignoreHTTPSErrors: true,
+        timeout: 5000,
+      });
+    } catch (e) {
+      directError = String(e);
+    }
+    expect(
+      directError,
+      `${url} must be unreachable directly; the only path in is through Pomerium`,
+    ).toMatch(/ENOTFOUND|getaddrinfo|EAI_AGAIN|ECONNREFUSED/i);
+  }
+});
diff --git a/content/examples/guides/servarr/validate/compose.validate.yaml b/content/examples/guides/servarr/validate/compose.validate.yaml
new file mode 100644
index 000000000..f1edebe82
--- /dev/null
+++ b/content/examples/guides/servarr/validate/compose.validate.yaml
@@ -0,0 +1,187 @@
+# Sealed E2E validation for the Servarr suite guide. Reuses the shared harness
+# (Keycloak + certs + headless runner) and adds Sonarr, Radarr, Prowlarr, and
+# SABnzbd behind a single Pomerium wired to the in-network IdP.
+# Run with: scripts/validate-guide-fixtures.sh servarr
+#
+# Network isolation mirrors the guide's trust boundary: the *arr apps sit ONLY on
+# the internal-only `servarr-internal` network, shared with pomerium alone. The
+# test-runner is on `default`, so it cannot reach the apps directly (the spec proves
+# this); the only path in is through Pomerium, which bridges both networks.
+#
+# Each app's API key is seeded by a one-shot init container that copies a pristine
+# config into the app's /config volume. The *arr apps rewrite their config on
+# startup (schema migration), so they can't run off a read-only mount; seeding via a
+# volume keeps the committed fixture pristine. The shared test-only key is
+# SERVARRTESTKEY0123456789. Never reuse it anywhere real.
+
+include:
+  - ../../_harness/compose/compose.harness.yaml
+
+services:
+  sonarr-init:
+    image: alpine:3.21@sha256:48b0309ca019d89d40f670aa1bc06e426dc0931948452e8491e3d65087abc07d
+    volumes:
+      - sonarr-config:/config
+      - ./seed/sonarr.config.xml:/seed/config.xml:ro
+    command: ['/bin/sh', '-c', 'cp /seed/config.xml /config/config.xml']
+
+  radarr-init:
+    image: alpine:3.21@sha256:48b0309ca019d89d40f670aa1bc06e426dc0931948452e8491e3d65087abc07d
+    volumes:
+      - radarr-config:/config
+      - ./seed/radarr.config.xml:/seed/config.xml:ro
+    command: ['/bin/sh', '-c', 'cp /seed/config.xml /config/config.xml']
+
+  prowlarr-init:
+    image: alpine:3.21@sha256:48b0309ca019d89d40f670aa1bc06e426dc0931948452e8491e3d65087abc07d
+    volumes:
+      - prowlarr-config:/config
+      - ./seed/prowlarr.config.xml:/seed/config.xml:ro
+    command: ['/bin/sh', '-c', 'cp /seed/config.xml /config/config.xml']
+
+  sabnzbd-init:
+    image: alpine:3.21@sha256:48b0309ca019d89d40f670aa1bc06e426dc0931948452e8491e3d65087abc07d
+    volumes:
+      - sabnzbd-config:/config
+      - ./seed/sabnzbd.ini:/seed/sabnzbd.ini:ro
+    command: ['/bin/sh', '-c', 'cp /seed/sabnzbd.ini /config/sabnzbd.ini']
+
+  sonarr:
+    image: lscr.io/linuxserver/sonarr:4.0.17@sha256:0b3f344388bd7bed4f2f770058de795e76447e4a481b83c8d5f8fed489371fde
+    environment:
+      PUID: 1000
+      PGID: 1000
+      TZ: Etc/UTC
+    volumes:
+      - sonarr-config:/config
+    depends_on:
+      sonarr-init:
+        condition: service_completed_successfully
+    networks:
+      servarr-internal:
+        aliases:
+          - sonarr
+    healthcheck:
+      test: ['CMD', 'curl', '-fsS', 'http://localhost:8989/ping']
+      interval: 5s
+      timeout: 5s
+      retries: 60
+      start_period: 60s
+
+  radarr:
+    image: lscr.io/linuxserver/radarr:6.1.1@sha256:c0a4335d4249b46102f64cf6fa27ffc3bddfd9138fac1e4ddf238afd37f02d1f
+    environment:
+      PUID: 1000
+      PGID: 1000
+      TZ: Etc/UTC
+    volumes:
+      - radarr-config:/config
+    depends_on:
+      radarr-init:
+        condition: service_completed_successfully
+    networks:
+      servarr-internal:
+        aliases:
+          - radarr
+    healthcheck:
+      test: ['CMD', 'curl', '-fsS', 'http://localhost:7878/ping']
+      interval: 5s
+      timeout: 5s
+      retries: 60
+      start_period: 60s
+
+  prowlarr:
+    image: lscr.io/linuxserver/prowlarr:2.3.5@sha256:2489c6dbaf11e3a6d71aeb2e6980d04193d4af611aa7064a974851222fd41722
+    environment:
+      PUID: 1000
+      PGID: 1000
+      TZ: Etc/UTC
+    volumes:
+      - prowlarr-config:/config
+    depends_on:
+      prowlarr-init:
+        condition: service_completed_successfully
+    networks:
+      servarr-internal:
+        aliases:
+          - prowlarr
+    healthcheck:
+      test: ['CMD', 'curl', '-fsS', 'http://localhost:9696/ping']
+      interval: 5s
+      timeout: 5s
+      retries: 60
+      start_period: 60s
+
+  sabnzbd:
+    image: lscr.io/linuxserver/sabnzbd:5.0.3@sha256:3de84922d3b4c5e7062b3cbd1e08f57d8dc113a8be4dc0447d33e2da293bab26
+    environment:
+      PUID: 1000
+      PGID: 1000
+      TZ: Etc/UTC
+    volumes:
+      - sabnzbd-config:/config
+    depends_on:
+      sabnzbd-init:
+        condition: service_completed_successfully
+    networks:
+      servarr-internal:
+        aliases:
+          - sabnzbd
+    healthcheck:
+      test:
+        ['CMD', 'curl', '-fsS', 'http://localhost:8080/api?mode=version&output=json']
+      interval: 5s
+      timeout: 5s
+      retries: 60
+      start_period: 60s
+
+  pomerium:
+    image: pomerium/pomerium:v0.32.7@sha256:e10d1d267af24f581157f485d9b0bc08469e2428675b696a08e42ceb09b2279c
+    command: ['--config', '/pomerium/config.yaml']
+    env_file:
+      - ../../_harness/pomerium/validation.env
+    volumes:
+      - certs:/certs:ro
+      - ./routes.validate.yaml:/pomerium/config.yaml:ro
+    depends_on:
+      certs-init:
+        condition: service_completed_successfully
+      keycloak:
+        condition: service_healthy
+      sonarr:
+        condition: service_healthy
+      radarr:
+        condition: service_healthy
+      prowlarr:
+        condition: service_healthy
+      sabnzbd:
+        condition: service_healthy
+    networks:
+      # On `default` for the IdP + test-runner, and on the internal-only network to
+      # reach the apps. This is the only service bridging the two.
+      default:
+        aliases:
+          - authenticate.localhost.pomerium.io
+          - sonarr.localhost.pomerium.io
+          - radarr.localhost.pomerium.io
+          - prowlarr.localhost.pomerium.io
+          - sabnzbd.localhost.pomerium.io
+      servarr-internal: {}
+    healthcheck:
+      test: ['CMD', 'pomerium', 'health']
+      interval: 5s
+      timeout: 5s
+      retries: 30
+      start_period: 10s
+
+networks:
+  # Internal-only: no route to the outside, and the test-runner is not attached,
+  # so the *arr apps are reachable only via Pomerium.
+  servarr-internal:
+    internal: true
+
+volumes:
+  sonarr-config:
+  radarr-config:
+  prowlarr-config:
+  sabnzbd-config:
diff --git a/content/examples/guides/servarr/validate/routes.validate.yaml b/content/examples/guides/servarr/validate/routes.validate.yaml
new file mode 100644
index 000000000..4eb6b8684
--- /dev/null
+++ b/content/examples/guides/servarr/validate/routes.validate.yaml
@@ -0,0 +1,34 @@
+# Routes-only validation config. Shared settings (IdP, secrets, signing key, certs)
+# come from ../../_harness/pomerium/validation.env via env_file in compose.validate.yaml.
+# Each *arr app runs its own auth (an API key), so the route is a front-door gate.
+routes:
+  - from: https://sonarr.localhost.pomerium.io
+    to: http://sonarr:8989
+    policy:
+      - allow:
+          or:
+            - authenticated_user: true
+
+  - from: https://radarr.localhost.pomerium.io
+    to: http://radarr:7878
+    policy:
+      - allow:
+          or:
+            - authenticated_user: true
+
+  - from: https://prowlarr.localhost.pomerium.io
+    to: http://prowlarr:9696
+    policy:
+      - allow:
+          or:
+            - authenticated_user: true
+
+  - from: https://sabnzbd.localhost.pomerium.io
+    to: http://sabnzbd:8080
+    # SABnzbd validates the Host header against its host_whitelist, so forward the
+    # original host unchanged.
+    preserve_host_header: true
+    policy:
+      - allow:
+          or:
+            - authenticated_user: true
diff --git a/content/examples/guides/servarr/validate/seed/prowlarr.config.xml b/content/examples/guides/servarr/validate/seed/prowlarr.config.xml
new file mode 100644
index 000000000..0836142a9
--- /dev/null
+++ b/content/examples/guides/servarr/validate/seed/prowlarr.config.xml
@@ -0,0 +1,13 @@
+<Config>
+  <BindAddress>*</BindAddress>
+  <Port>9696</Port>
+  <EnableSsl>False</EnableSsl>
+  <LaunchBrowser>False</LaunchBrowser>
+  <ApiKey>SERVARRTESTKEY0123456789</ApiKey>
+  <AuthenticationMethod>External</AuthenticationMethod>
+  <AuthenticationRequired>DisabledForLocalAddresses</AuthenticationRequired>
+  <Branch>master</Branch>
+  <LogLevel>info</LogLevel>
+  <UrlBase></UrlBase>
+  <InstanceName>Prowlarr</InstanceName>
+</Config>
diff --git a/content/examples/guides/servarr/validate/seed/radarr.config.xml b/content/examples/guides/servarr/validate/seed/radarr.config.xml
new file mode 100644
index 000000000..a4ab87cd9
--- /dev/null
+++ b/content/examples/guides/servarr/validate/seed/radarr.config.xml
@@ -0,0 +1,13 @@
+<Config>
+  <BindAddress>*</BindAddress>
+  <Port>7878</Port>
+  <EnableSsl>False</EnableSsl>
+  <LaunchBrowser>False</LaunchBrowser>
+  <ApiKey>SERVARRTESTKEY0123456789</ApiKey>
+  <AuthenticationMethod>External</AuthenticationMethod>
+  <AuthenticationRequired>DisabledForLocalAddresses</AuthenticationRequired>
+  <Branch>master</Branch>
+  <LogLevel>info</LogLevel>
+  <UrlBase></UrlBase>
+  <InstanceName>Radarr</InstanceName>
+</Config>
diff --git a/content/examples/guides/servarr/validate/seed/sabnzbd.ini b/content/examples/guides/servarr/validate/seed/sabnzbd.ini
new file mode 100644
index 000000000..1b2e1e52b
--- /dev/null
+++ b/content/examples/guides/servarr/validate/seed/sabnzbd.ini
@@ -0,0 +1,331 @@
+__version__ = 19
+__encoding__ = utf-8
+[misc]
+config_conversion_version = 5
+helpful_warnings = 1
+queue_complete = ""
+queue_complete_pers = 0
+bandwidth_perc = 100
+refresh_rate = 0
+interface_settings = ""
+queue_limit = 20
+config_lock = 0
+fixed_ports = 1
+notified_new_skin = 0
+direct_unpack_tested = 0
+sorters_converted = 1
+check_new_rel = 1
+auto_browser = 0
+language = en
+enable_https_verification = 1
+host = ::
+port = 8080
+https_port = ""
+username = ""
+password = ""
+bandwidth_max = ""
+cache_limit = 1G
+web_dir = Glitter
+web_color = Auto
+https_cert = server.cert
+https_key = server.key
+https_chain = ""
+enable_https = 0
+inet_exposure = 4
+api_key = SERVARRTESTKEY0123456789
+nzb_key = deea96e976a44e00bd3b2f48fa544503
+socks5_proxy_url = ""
+permissions = ""
+download_dir = Downloads/incomplete
+download_free = 500M
+complete_dir = Downloads/complete
+complete_free = ""
+fulldisk_autoresume = 0
+script_dir = ""
+nzb_backup_dir = ""
+admin_dir = admin
+backup_dir = ""
+dirscan_dir = ""
+dirscan_speed = 5
+password_file = ""
+log_dir = logs
+max_art_tries = 3
+top_only = 0
+sfv_check = 1
+script_can_fail = 0
+enable_recursive = 1
+flat_unpack = 0
+par_option = ""
+pre_check = 0
+nice = ""
+win_process_prio = 3
+ionice = ""
+fail_hopeless_jobs = 1
+fast_fail = 1
+auto_disconnect = 1
+pre_script = None
+end_queue_script = None
+no_dupes = 0
+no_series_dupes = 0
+no_smart_dupes = 0
+dupes_propercheck = 1
+pause_on_pwrar = 1
+ignore_samples = 0
+deobfuscate_final_filenames = 1
+auto_sort = ""
+direct_unpack = 0
+propagation_delay = 0
+folder_rename = 1
+replace_spaces = 0
+replace_underscores = 0
+replace_dots = 0
+safe_postproc = 1
+pause_on_post_processing = 0
+enable_all_par = 0
+sanitize_safe = 0
+cleanup_list = ,
+unwanted_extensions = ,
+action_on_unwanted_extensions = 0
+unwanted_extensions_mode = 0
+new_nzb_on_failure = 0
+history_retention = ""
+history_retention_option = all
+history_retention_number = 0
+quota_size = ""
+quota_day = ""
+quota_resume = 0
+quota_period = m
+enable_tv_sorting = 0
+tv_sort_string = ""
+tv_categories = tv,
+enable_movie_sorting = 0
+movie_sort_string = ""
+movie_sort_extra = -cd%1
+movie_categories = movies,
+enable_date_sorting = 0
+date_sort_string = ""
+date_categories = tv,
+schedlines = ,
+rss_rate = 60
+ampm = 0
+start_paused = 0
+preserve_paused_state = 0
+enable_par_cleanup = 1
+process_unpacked_par2 = 1
+enable_unrar = 1
+enable_7zip = 1
+enable_filejoin = 1
+enable_tsjoin = 1
+overwrite_files = 0
+ignore_unrar_dates = 0
+backup_for_duplicates = 0
+wait_for_dfolder = 0
+rss_filenames = 0
+api_logging = 1
+html_login = 1
+disable_archive = 0
+warn_dupl_jobs = 0
+keep_awake = 1
+tray_icon = 1
+allow_incomplete_nzb = 0
+enable_broadcast = 1
+ipv6_hosting = 0
+ipv6_staging = 0
+api_warnings = 1
+no_penalties = 0
+x_frame_options = 1
+allow_old_ssl_tls = 0
+enable_season_sorting = 1
+verify_xff_header = 1
+direct_write = 1
+rss_odd_titles = nzbindex.nl/, nzbindex.com/, nzbclub.com/
+quick_check_ext_ignore = nfo, sfv, srr
+req_completion_rate = 100.2
+selftest_host = self-test.sabnzbd.org
+movie_rename_limit = 100M
+episode_rename_limit = 20M
+size_limit = 0
+direct_unpack_threads = 3
+history_limit = 10
+wait_ext_drive = 5
+max_foldername_length = 246
+nomedia_marker = ""
+ipv6_servers = 1
+url_base = ""
+host_whitelist = sabnzbd.localhost.pomerium.io, sabnzbd, localhost, 127.0.0.1,
+local_ranges = ,
+max_url_retries = 10
+downloader_sleep_time = 10
+receive_threads = 2
+assembler_max_queue_size = 12
+switchinterval = 0.005
+ssdp_broadcast_interval = 15
+ext_rename_ignore = ,
+unrar_parameters = ""
+outgoing_nntp_ip = ""
+email_server = ""
+email_to = ,
+email_from = ""
+email_account = ""
+email_pwd = ""
+email_endjob = 0
+email_full = 0
+email_dir = ""
+email_rss = 0
+email_cats = *,
+[logging]
+log_level = 1
+max_log_size = 5242880
+log_backups = 5
+[ncenter]
+ncenter_enable = 0
+ncenter_cats = *,
+ncenter_prio_startup = 0
+ncenter_prio_download = 0
+ncenter_prio_pause_resume = 0
+ncenter_prio_pp = 0
+ncenter_prio_complete = 1
+ncenter_prio_failed = 1
+ncenter_prio_disk_full = 1
+ncenter_prio_quota = 1
+ncenter_prio_new_login = 0
+ncenter_prio_warning = 0
+ncenter_prio_error = 0
+ncenter_prio_queue_done = 0
+ncenter_prio_other = 1
+[acenter]
+acenter_enable = 0
+acenter_cats = *,
+acenter_prio_startup = 0
+acenter_prio_download = 0
+acenter_prio_pause_resume = 0
+acenter_prio_pp = 0
+acenter_prio_complete = 1
+acenter_prio_failed = 1
+acenter_prio_disk_full = 1
+acenter_prio_quota = 1
+acenter_prio_new_login = 0
+acenter_prio_warning = 0
+acenter_prio_error = 0
+acenter_prio_queue_done = 0
+acenter_prio_other = 1
+[ntfosd]
+ntfosd_enable = 1
+ntfosd_cats = *,
+ntfosd_prio_startup = 0
+ntfosd_prio_download = 0
+ntfosd_prio_pause_resume = 0
+ntfosd_prio_pp = 0
+ntfosd_prio_complete = 1
+ntfosd_prio_failed = 1
+ntfosd_prio_disk_full = 1
+ntfosd_prio_quota = 1
+ntfosd_prio_new_login = 0
+ntfosd_prio_warning = 0
+ntfosd_prio_error = 0
+ntfosd_prio_queue_done = 0
+ntfosd_prio_other = 1
+[prowl]
+prowl_enable = 0
+prowl_cats = *,
+prowl_apikey = ""
+prowl_prio_startup = -3
+prowl_prio_download = -3
+prowl_prio_pause_resume = -3
+prowl_prio_pp = -3
+prowl_prio_complete = 0
+prowl_prio_failed = 1
+prowl_prio_disk_full = 1
+prowl_prio_quota = 0
+prowl_prio_new_login = -3
+prowl_prio_warning = -3
+prowl_prio_error = -3
+prowl_prio_queue_done = -3
+prowl_prio_other = 0
+[pushover]
+pushover_token = ""
+pushover_userkey = ""
+pushover_device = ""
+pushover_emergency_expire = 3600
+pushover_emergency_retry = 60
+pushover_enable = 0
+pushover_cats = *,
+pushover_prio_startup = -3
+pushover_prio_download = -2
+pushover_prio_pause_resume = -2
+pushover_prio_pp = -3
+pushover_prio_complete = -1
+pushover_prio_failed = -1
+pushover_prio_disk_full = 1
+pushover_prio_quota = -1
+pushover_prio_new_login = -3
+pushover_prio_warning = 1
+pushover_prio_error = 1
+pushover_prio_queue_done = -3
+pushover_prio_other = -1
+[pushbullet]
+pushbullet_enable = 0
+pushbullet_cats = *,
+pushbullet_apikey = ""
+pushbullet_device = ""
+pushbullet_prio_startup = 0
+pushbullet_prio_download = 0
+pushbullet_prio_pause_resume = 0
+pushbullet_prio_pp = 0
+pushbullet_prio_complete = 1
+pushbullet_prio_failed = 1
+pushbullet_prio_disk_full = 1
+pushbullet_prio_quota = 1
+pushbullet_prio_new_login = 0
+pushbullet_prio_warning = 0
+pushbullet_prio_error = 0
+pushbullet_prio_queue_done = 0
+pushbullet_prio_other = 1
+[apprise]
+apprise_enable = 0
+apprise_cats = *,
+apprise_urls = ""
+apprise_target_startup = ""
+apprise_target_startup_enable = 0
+apprise_target_download = ""
+apprise_target_download_enable = 0
+apprise_target_pause_resume = ""
+apprise_target_pause_resume_enable = 0
+apprise_target_pp = ""
+apprise_target_pp_enable = 0
+apprise_target_complete = ""
+apprise_target_complete_enable = 1
+apprise_target_failed = ""
+apprise_target_failed_enable = 1
+apprise_target_disk_full = ""
+apprise_target_disk_full_enable = 0
+apprise_target_quota = ""
+apprise_target_quota_enable = 1
+apprise_target_new_login = ""
+apprise_target_new_login_enable = 1
+apprise_target_warning = ""
+apprise_target_warning_enable = 0
+apprise_target_error = ""
+apprise_target_error_enable = 0
+apprise_target_queue_done = ""
+apprise_target_queue_done_enable = 0
+apprise_target_other = ""
+apprise_target_other_enable = 1
+[nscript]
+nscript_enable = 0
+nscript_cats = *,
+nscript_script = ""
+nscript_parameters = ""
+nscript_prio_startup = 0
+nscript_prio_download = 0
+nscript_prio_pause_resume = 0
+nscript_prio_pp = 0
+nscript_prio_complete = 1
+nscript_prio_failed = 1
+nscript_prio_disk_full = 1
+nscript_prio_quota = 1
+nscript_prio_new_login = 0
+nscript_prio_warning = 0
+nscript_prio_error = 0
+nscript_prio_queue_done = 0
+nscript_prio_other = 1
diff --git a/content/examples/guides/servarr/validate/seed/sonarr.config.xml b/content/examples/guides/servarr/validate/seed/sonarr.config.xml
new file mode 100644
index 000000000..0b328e2bc
--- /dev/null
+++ b/content/examples/guides/servarr/validate/seed/sonarr.config.xml
@@ -0,0 +1,13 @@
+<Config>
+  <BindAddress>*</BindAddress>
+  <Port>8989</Port>
+  <EnableSsl>False</EnableSsl>
+  <LaunchBrowser>False</LaunchBrowser>
+  <ApiKey>SERVARRTESTKEY0123456789</ApiKey>
+  <AuthenticationMethod>External</AuthenticationMethod>
+  <AuthenticationRequired>DisabledForLocalAddresses</AuthenticationRequired>
+  <Branch>main</Branch>
+  <LogLevel>info</LogLevel>
+  <UrlBase></UrlBase>
+  <InstanceName>Sonarr</InstanceName>
+</Config>
diff --git a/content/examples/guides/servarr/validate/url.txt b/content/examples/guides/servarr/validate/url.txt
new file mode 100644
index 000000000..caad1e0ec
--- /dev/null
+++ b/content/examples/guides/servarr/validate/url.txt
@@ -0,0 +1 @@
+https://sonarr.localhost.pomerium.io

From da050eea49dc3ebd1d30079c4e5c85c547de0094 Mon Sep 17 00:00:00 2001
From: Bobby DeSimone <bobbydesimone@gmail.com>
Date: Wed, 10 Jun 2026 09:58:15 -0700
Subject: [PATCH 2/3] docs(guides): clean up servarr guide prose and diagrams

Address review feedback: condense duplicated value framing, use
canonical Pomerium terms (front door, route, policy, the From URL),
replace the client-gating SVG with a markdown table, simplify the
mermaid diagram, rewrite double-hyphen and em-dash punctuation per
the guide style rules, reorder config sections, and scope
prerequisites to what each tab actually needs.
---
 .../img/servarr/servarr-gating-matrix.svg     | 80 -------------------
 content/docs/guides/servarr.mdx               | 77 ++++++++----------
 2 files changed, 32 insertions(+), 125 deletions(-)
 delete mode 100644 content/docs/guides/img/servarr/servarr-gating-matrix.svg

diff --git a/content/docs/guides/img/servarr/servarr-gating-matrix.svg b/content/docs/guides/img/servarr/servarr-gating-matrix.svg
deleted file mode 100644
index 3926819d6..000000000
--- a/content/docs/guides/img/servarr/servarr-gating-matrix.svg
+++ /dev/null
@@ -1,80 +0,0 @@
-<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 760 420" role="img"
-     aria-labelledby="title desc" font-family="'ET Book', 'Palatino Linotype', Palatino, 'Book Antiqua', Georgia, serif">
-  <title id="title">Which access channels Pomerium gates for each Servarr app</title>
-  <desc id="desc">A matrix with four rows (Sonarr, Radarr, Prowlarr, SABnzbd) and three
-    columns. The Web UI column is gated by Pomerium single sign-on for every app
-    (filled marker). The HTTP API column is reached with each app's own API key, not
-    Pomerium identity (open marker). The Native or mobile client column bypasses the
-    browser SSO flow entirely and must be tunneled separately (dash). Pomerium gates
-    the browser front door; each app's API key remains a separate credential.</desc>
-
-  <style>
-    :root { color-scheme: light dark; }
-    .bg     { fill: #fffff8; }
-    .ink    { fill: #111; }
-    .muted  { fill: #666; }
-    .rule   { stroke: #ccc; }
-    .gated  { fill: #4e79a7; stroke: #4e79a7; }   /* single accent: gated by SSO */
-    .ungated{ fill: none; stroke: #666; }
-    @media (prefers-color-scheme: dark) {
-      .bg     { fill: #151515; }
-      .ink    { fill: #ddd; }
-      .muted  { fill: #999; }
-      .rule   { stroke: #444; }
-      .gated  { fill: #6f9bd1; stroke: #6f9bd1; }
-      .ungated{ fill: none; stroke: #999; }
-    }
-  </style>
-
-  <rect class="bg" x="0" y="0" width="760" height="420"/>
-
-  <!-- Title and subtitle assert the finding -->
-  <text class="ink" x="40" y="44" font-size="20">Pomerium gates the web front door, not the app credential</text>
-  <text class="muted" x="40" y="68" font-size="13" font-style="italic">Each Servarr app keeps its own API key; the *arr apps have no OIDC, JWT, or header identity.</text>
-
-  <!-- Column headers (direct labels, no legend) -->
-  <text class="muted" x="360" y="118" font-size="12" text-anchor="middle" letter-spacing="0.04em">WEB UI (browser)</text>
-  <text class="muted" x="520" y="118" font-size="12" text-anchor="middle" letter-spacing="0.04em">HTTP API</text>
-  <text class="muted" x="680" y="118" font-size="12" text-anchor="middle" letter-spacing="0.04em">NATIVE / MOBILE</text>
-
-  <!-- Header underline (range-frame: spans only the columns) -->
-  <line class="rule" x1="40" y1="130" x2="720" y2="130" stroke-width="0.75"/>
-
-  <!-- Rows: app name + ports on the left, markers in each column -->
-  <!-- Row 1: Sonarr -->
-  <text class="ink"   x="40" y="174" font-size="15">Sonarr</text>
-  <text class="muted" x="40" y="192" font-size="11">TV  .  :8989</text>
-  <circle class="gated"   cx="360" cy="170" r="8"/>
-  <circle class="ungated" cx="520" cy="170" r="8" stroke-width="1.25"/>
-  <line   class="ungated" x1="672" y1="170" x2="688" y2="170" stroke-width="1.5"/>
-
-  <!-- Row 2: Radarr -->
-  <text class="ink"   x="40" y="234" font-size="15">Radarr</text>
-  <text class="muted" x="40" y="252" font-size="11">Movies  .  :7878</text>
-  <circle class="gated"   cx="360" cy="230" r="8"/>
-  <circle class="ungated" cx="520" cy="230" r="8" stroke-width="1.25"/>
-  <line   class="ungated" x1="672" y1="230" x2="688" y2="230" stroke-width="1.5"/>
-
-  <!-- Row 3: Prowlarr -->
-  <text class="ink"   x="40" y="294" font-size="15">Prowlarr</text>
-  <text class="muted" x="40" y="312" font-size="11">Indexers  .  :9696</text>
-  <circle class="gated"   cx="360" cy="290" r="8"/>
-  <circle class="ungated" cx="520" cy="290" r="8" stroke-width="1.25"/>
-  <line   class="ungated" x1="672" y1="290" x2="688" y2="290" stroke-width="1.5"/>
-
-  <!-- Row 4: SABnzbd -->
-  <text class="ink"   x="40" y="354" font-size="15">SABnzbd</text>
-  <text class="muted" x="40" y="372" font-size="11">Usenet  .  :8080</text>
-  <circle class="gated"   cx="360" cy="350" r="8"/>
-  <circle class="ungated" cx="520" cy="350" r="8" stroke-width="1.25"/>
-  <line   class="ungated" x1="672" y1="350" x2="688" y2="350" stroke-width="1.5"/>
-
-  <!-- Direct marker glossary (shape + word, never color alone) -->
-  <line class="rule" x1="40" y1="388" x2="720" y2="388" stroke-width="0.5"/>
-  <circle class="gated"   cx="48"  cy="405" r="6"/>
-  <text   class="muted"   x="62"  y="409" font-size="11.5">gated by Pomerium SSO</text>
-  <circle class="ungated" cx="248" cy="405" r="6" stroke-width="1.25"/>
-  <text   class="muted"   x="262" y="409" font-size="11.5">reached with the app's own API key</text>
-  <line   class="ungated" x1="520" y1="405" x2="536" y2="405" stroke-width="1.5"/>
-  <text   class="muted"   x="544" y="409" font-size="11.5">bypasses browser SSO (tunnel separately)</text>
-</svg>
diff --git a/content/docs/guides/servarr.mdx b/content/docs/guides/servarr.mdx
index 6333b271b..09b284465 100644
--- a/content/docs/guides/servarr.mdx
+++ b/content/docs/guides/servarr.mdx
@@ -32,52 +32,39 @@ import Compose from '/content/examples/guides/servarr/docker-compose.yaml.md';
 
 The "Servarr" apps are a family of self-hosted media-automation tools that are almost always run together: [Sonarr](https://sonarr.tv/) (TV), [Radarr](https://radarr.video/) (movies), [Prowlarr](https://prowlarr.com/) (indexer management), and a download client like [SABnzbd](https://sabnzbd.org/) (usenet). Each ships its own web interface and HTTP API on its own port, and none of them speak single sign-on (SSO), the [OpenID Connect (OIDC)](https://openid.net/developers/how-connect-works/) protocol, or any header-based identity. Their built-in access control is per-app web UI authentication plus a static API key for HTTP API and inter-app calls.
 
-You'll put the whole suite behind one Pomerium so that Pomerium becomes the single front door for every app's web interface: each request is authenticated against your identity provider (IdP) and checked against your policy before it ever reaches Sonarr, Radarr, Prowlarr, or SABnzbd. The apps keep their own API keys for programmatic and inter-app calls; Pomerium gates the browser surface in front of all of them.
+You'll put the whole suite behind one Pomerium so that Pomerium becomes the single front door for every app's web interface: each request is authenticated against your identity provider (IdP) and checked against your policy before it ever reaches Sonarr, Radarr, Prowlarr, or SABnzbd. The apps keep their own API keys for programmatic and inter-app calls; Pomerium protects browser access to all of them.
 
 ## When to use this guide
 
 Use it when you run a Servarr stack and want one identity-aware front door for the whole suite instead of exposing four separate web UIs, each with its own local login and separate API key for automation. In a typical home or lab deployment these apps run on a separate host or network-attached storage (NAS) box and are only meant to be reached over your private network; Pomerium lets you reach them from anywhere with your existing identity, while keeping their ports off the public internet.
 
-The win is not replacing each app's own access controls. The win is centralized SSO, group-based policy, an audit trail of who reached which app, and shrinking the attack surface to a single authenticated entry point. The trade-off to be honest about up front: because the apps consume no identity from Pomerium, this is a front-door gate, and each app's API key remains a separate credential you still have to protect.
+You get centralized SSO, group-based policy, an audit trail of who reached which app, and a single authenticated entry point instead of four exposed ports. The trade-off: the apps consume no identity from Pomerium, so this is a front-door gate, and each app's API key remains a separate credential you still have to protect.
 
-### What Pomerium gates, and what it does not
+### What Pomerium protects, and what it doesn't
 
-A Servarr stack is reached through three different channels, and Pomerium only sits in front of one of them. This matrix is the mental model for the rest of the guide:
+A Servarr stack is reached through three channels, and Pomerium sits in front of only one of them. The same model applies to all four apps:
 
-![Matrix: Pomerium gates each app's web UI; the API uses the app's own key and native/mobile clients bypass the gate](./img/servarr/servarr-gating-matrix.svg)
-
-- **Web UI (browser).** This is what Pomerium gates. Every app's dashboard is reached only after SSO and a policy check.
-- **HTTP API.** Reached with the app's own API key. Prowlarr talks to Sonarr and Radarr this way; once a request reaches an app with a valid API key, the app authorizes it independently of your Pomerium session. Keep these calls on the internal network (see [Security considerations](#security-considerations)).
-- **Native or mobile clients.** Apps like mobile remotes expect a direct connection and do not run a browser SSO flow. Those bypass Pomerium's interactive gate and need a separate path, such as a [TCP tunnel](/docs/capabilities/non-http) or a VPN.
+| Access channel | What gates it | Credential the client presents |
+| --- | --- | --- |
+| Web UI (browser) | Pomerium route policy (SSO and a policy check) before any request reaches an app | Pomerium SSO session |
+| HTTP API, including Prowlarr's calls into Sonarr and Radarr | The app itself, independent of any Pomerium session; keep these calls on the internal network (see [Security considerations](#security-considerations)) | The app's API key |
+| Native or mobile clients | The app itself: these clients can't run a browser SSO flow and need a separate path, such as a virtual private network (VPN) or a [TCP tunnel](/docs/capabilities/non-http) on a device that can run Pomerium CLI | The app's API key |
 
 ```mermaid
-sequenceDiagram
-    participant User as Browser
-    participant Pomerium as Pomerium
-    participant IdP as Identity Provider
-    participant App as Sonarr / Radarr / Prowlarr / SABnzbd
-    participant Bypass as Native client (API key)
-
-    User->>Pomerium: GET https://sonarr.yourdomain.com
-    Pomerium->>IdP: Redirect for authentication
-    IdP->>Pomerium: Authenticated identity
-    Pomerium->>Pomerium: Evaluate policy (group / email)
-    Pomerium->>App: Forward request (no identity header)
-    App->>User: App web UI
-    Note over Bypass,App: Bypass risk: a client with the app's API key<br/>that can reach the app port skips Pomerium entirely
-    Bypass--xApp: Direct API call if the port is exposed
+flowchart LR
+    Browser --> Pomerium["Pomerium<br/>SSO + route policy"]
+    Pomerium -.->|"sign in"| IdP[Identity provider]
+    Pomerium --> Apps["Sonarr / Radarr /<br/>Prowlarr / SABnzbd"]
+    Clients["API / native clients"] -->|"app API key"| Apps
 ```
 
-The dashed line is the reason network isolation matters: keep the app ports off published interfaces and reachable only through Pomerium, or the API key becomes the whole security model.
+Inter-app calls (Prowlarr into Sonarr and Radarr) happen on the internal Docker network with nothing but an API key, and any client that can reach an app's port is authorized the same way. Keep the app ports off published interfaces and reachable only through Pomerium, or the API key becomes the whole security model.
 
 ## Prerequisites
 
-This guide assumes you've completed the [Quickstart](/docs/get-started/quickstart), so you already have Pomerium running and signing users in through the hosted authenticate service.
-
-You also need:
-
 - [Docker](https://docs.docker.com/install/) and [Docker Compose](https://docs.docker.com/compose/install/)
-- A domain you control for the routes (this guide uses `sonarr.yourdomain.com`, `radarr.yourdomain.com`, `prowlarr.yourdomain.com`, and `sabnzbd.yourdomain.com`)
+- For the Pomerium Zero path: a [Pomerium Zero](https://console.pomerium.app) account with its Pomerium instance running locally via the [Quickstart](/docs/get-started/quickstart) Compose file; the routes use the starter domain that comes with it
+- For the Pomerium Core path: a domain you control for the routes (this guide uses `sonarr.yourdomain.com`, `radarr.yourdomain.com`, `prowlarr.yourdomain.com`, and `sabnzbd.yourdomain.com`), with DNS pointed at the host running Pomerium and ports 80 and 443 reachable so `autocert` can provision certificates; the Compose file below runs Pomerium itself
 
 :::tip Prefer to self-host the identity provider?
 
@@ -87,17 +74,17 @@ This guide uses the hosted authenticate service so you don't have to run your ow
 
 ## Configure Pomerium
 
-You'll create one route per app. The routes are plain HTTP front-door gates: Pomerium authenticates the user and proxies the request through without injecting any identity, because the apps have no header or token identity to consume.
+You'll create one route per app. Each route does the same thing: Pomerium authenticates the user, checks policy, and proxies the request through without injecting any identity, because the apps have no header or token identity to consume.
 
 <Tabs queryString="type">
 <TabItem value="zero" label="Pomerium Zero" default>
 
 In the [Zero Console](https://console.pomerium.app), create one **Route** per app:
 
-1. **Sonarr** -- **From** `https://sonarr.<your-starter-domain>`, **To** `http://sonarr:8989`.
-2. **Radarr** -- **From** `https://radarr.<your-starter-domain>`, **To** `http://radarr:7878`.
-3. **Prowlarr** -- **From** `https://prowlarr.<your-starter-domain>`, **To** `http://prowlarr:9696`.
-4. **SABnzbd** -- **From** `https://sabnzbd.<your-starter-domain>`, **To** `http://sabnzbd:8080`. On this route, enable **Preserve Host Header**: SABnzbd checks the incoming host against its `host_whitelist`, so it must see the public name.
+1. **Sonarr:** **From** `https://sonarr.<your-starter-domain>`, **To** `http://sonarr:8989`.
+2. **Radarr:** **From** `https://radarr.<your-starter-domain>`, **To** `http://radarr:7878`.
+3. **Prowlarr:** **From** `https://prowlarr.<your-starter-domain>`, **To** `http://prowlarr:9696`.
+4. **SABnzbd:** **From** `https://sabnzbd.<your-starter-domain>`, **To** `http://sabnzbd:8080`. On this route, enable **Preserve Host Header**: SABnzbd checks the incoming host against its `host_whitelist`, so it must see the public name.
 
 Set each route's policy to scope access to who should reach the suite (for example, **Any Authenticated User** or a specific group). Zero manages the routes' TLS certificates behind your starter domain.
 
@@ -117,14 +104,14 @@ Replace each `*.yourdomain.com` host with your domain and `you@example.com` with
 
 The [LinuxServer.io](https://www.linuxserver.io/) images for these apps generate their config on first start, so there is little to set by hand. The two things that matter for running behind Pomerium:
 
-- **Authentication method.** For Sonarr, Radarr, and Prowlarr, `External` is configured in `config.xml`, not from the normal settings UI. Stop each container, edit its `/config/config.xml` so the top-level auth entries are `<AuthenticationMethod>External</AuthenticationMethod>` and `<AuthenticationRequired>DisabledForLocalAddresses</AuthenticationRequired>`, then restart. Be precise about what this does: it tells the app to skip its own web-UI login for requests that arrive from a local/private network address, on the assumption that a reverse proxy already authenticated the user. The app does not validate a Pomerium identity or a signed header -- it trusts the network position. Pomerium is that reverse proxy, which is exactly why the app ports must be reachable only through Pomerium (see [Security considerations](#security-considerations)). The API key still guards API calls regardless of this setting.
-- **API keys.** Each app shows its API key under **Settings -> General**. Prowlarr uses these keys to push indexer config into Sonarr and Radarr, and any external client uses them too. Treat each key like a password.
+- **Authentication method.** For Sonarr, Radarr, and Prowlarr, `External` is configured in `config.xml`, not from the normal settings UI. Stop each container, edit its `/config/config.xml` so the top-level auth entries are `<AuthenticationMethod>External</AuthenticationMethod>` and `<AuthenticationRequired>DisabledForLocalAddresses</AuthenticationRequired>`, then restart. This tells the app to skip its own web-UI login for requests that arrive from a local/private network address, on the assumption that a reverse proxy already authenticated the user. The app does not validate a Pomerium identity or a signed header; it trusts the network position. Pomerium is that reverse proxy, so the app ports must be reachable only through Pomerium (see [Security considerations](#security-considerations)). The API key still guards API calls regardless of this setting.
+- **API keys.** Each app shows its API key under **Settings > General**. Prowlarr uses these keys to push indexer config into Sonarr and Radarr, and any external client uses them too. Treat each key like a password.
 
-SABnzbd is configured the same way in spirit: under **Config -> General**, note its API key, and add your public SABnzbd host to **Config -> Special -> host_whitelist** so it accepts the host Pomerium forwards.
+For SABnzbd, note its API key under **Config > General**, and add your public SABnzbd host to **Config > Special > host_whitelist** so it accepts the host Pomerium forwards.
 
 :::caution The API key is a separate credential from your SSO identity
 
-Signing in through Pomerium does not authenticate you to an app's API. The API key is the app's own credential and is not derived from your Pomerium session. Anyone who can present a valid API key to an app, and reach its port, is authorized by that app -- which is exactly why the next sections keep the app ports off the network.
+Signing in through Pomerium does not authenticate you to an app's API. The API key is the app's own credential and is not derived from your Pomerium session. Anyone who can present a valid API key to an app, and reach its port, is authorized by that app; that's why the next sections keep the app ports off the network.
 
 :::
 
@@ -150,12 +137,12 @@ Add `-v` only if you mean to delete the named volumes, including each app's conf
 
 ## Verify the setup
 
-1. **The route requires authentication.** In a fresh browser, open `https://sonarr.yourdomain.com`. You should be redirected to sign in through Pomerium, not straight into Sonarr. Repeat for `radarr`, `prowlarr`, and `sabnzbd` -- every app is gated.
-2. **An allowed user reaches each app.** Sign in with a user your policy allows. Pomerium redirects you back and the app's own dashboard loads behind the gate.
+1. **The route requires authentication.** In a fresh browser, open `https://sonarr.yourdomain.com`. You should be redirected to sign in through Pomerium, not straight into Sonarr. Repeat for `radarr`, `prowlarr`, and `sabnzbd` to confirm every app is gated.
+2. **An allowed user reaches each app.** Sign in with a user your policy allows. Pomerium redirects you back and the app's own dashboard loads.
 
 ![The Sonarr web interface reached through Pomerium after single sign-on](./img/servarr/servarr-sonarr.png)
 
-3. **The API answers its own key, not your session.** Pomerium still gates the route, so reach these from your signed-in browser. For Pomerium Zero or Enterprise routes, you can also use a [Pomerium service account](/docs/capabilities/service-accounts) token that your route policy allows; for self-managed Core without service accounts, use an interactive browser session. A plain `curl` with no Pomerium session is redirected to sign in. Past the gate, each app's status API responds to its own API key. The path differs by app -- Sonarr and Radarr use `/api/v3`, Prowlarr uses `/api/v1`, and SABnzbd uses its `mode` query:
+3. **The API answers its own key, not your session.** Pomerium still gates the route, so reach these from your signed-in browser. For Pomerium Zero or Enterprise routes, you can also use a [Pomerium service account](/docs/capabilities/service-accounts) token that your route policy allows; for self-managed Core without service accounts, use an interactive browser session. A plain `curl` with no Pomerium session is redirected to sign in. Once you're signed in, each app's status API responds to its own API key. The path differs by app (Sonarr and Radarr use `/api/v3`, Prowlarr uses `/api/v1`, and SABnzbd uses its `mode` query):
 
 ```bash
 export POMERIUM_SERVICE_ACCOUNT_JWT='raw-service-account-jwt'
@@ -173,7 +160,7 @@ curl -H "Authorization: Bearer Pomerium-${POMERIUM_SERVICE_ACCOUNT_JWT}" \
   "https://sabnzbd.yourdomain.com/api?mode=queue&output=json&apikey=YOUR_SABNZBD_KEY"
 ```
 
-Pomerium gates the browser surface; the apps keep their own API keys behind that gate. If you leave Forms or Basic auth enabled instead of `External`, that local login remains as an additional prompt. First-run setup is each app's concern, not Pomerium's.
+Pomerium protects browser access; the apps keep their own API keys behind it. If you leave Forms or Basic auth enabled instead of `External`, that local login remains as an additional prompt. First-run setup is each app's concern, not Pomerium's.
 
 ## Common failure modes
 
@@ -191,7 +178,7 @@ Pomerium gates the browser surface; the apps keep their own API keys behind that
 
 ## Next steps
 
-- [Secure Transmission with Pomerium](/docs/guides/transmission) -- the same front-door pattern for a BitTorrent download client, including its RPC host-whitelist mechanics.
+- [Secure Transmission with Pomerium](/docs/guides/transmission): the same front-door pattern for a BitTorrent download client, including its RPC host-whitelist mechanics.
 - [Build policies](/docs/get-started/fundamentals/zero/zero-build-policies)
-- [Non-HTTP (TCP) routes](/docs/capabilities/non-http) -- for native or mobile clients that can't run a browser SSO flow.
+- [Non-HTTP (TCP) routes](/docs/capabilities/non-http) for native or mobile clients that can't run a browser SSO flow.
 - [Custom domains](/docs/capabilities/custom-domains)

From 10e965e98a3ea691cb69e906419e7fb9d95baded Mon Sep 17 00:00:00 2001
From: Bobby DeSimone <bobbydesimone@gmail.com>
Date: Wed, 10 Jun 2026 14:33:12 -0700
Subject: [PATCH 3/3] docs(guides): restore real em dashes per style policy
 change

The guide-review style rule now welcomes real em dashes and only
bans double-hyphen fakes, so restore the reviewer's verbatim
suggestion and the em-dash section headings.
---
 content/docs/guides/servarr.mdx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/docs/guides/servarr.mdx b/content/docs/guides/servarr.mdx
index 09b284465..2a6f7f8d7 100644
--- a/content/docs/guides/servarr.mdx
+++ b/content/docs/guides/servarr.mdx
@@ -40,7 +40,7 @@ Use it when you run a Servarr stack and want one identity-aware front door for t
 
 You get centralized SSO, group-based policy, an audit trail of who reached which app, and a single authenticated entry point instead of four exposed ports. The trade-off: the apps consume no identity from Pomerium, so this is a front-door gate, and each app's API key remains a separate credential you still have to protect.
 
-### What Pomerium protects, and what it doesn't
+### What Pomerium protects — and what it doesn't
 
 A Servarr stack is reached through three channels, and Pomerium sits in front of only one of them. The same model applies to all four apps: