<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 4.0.3) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-carr-sygil-protocol-00" category="info" submissionType="independent" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.33.0 -->
  <front>
    <title abbrev="Sygil Protocol">The Sygil Protocol: A Cross-Domain Personal Data Schema and Query Grammar for AI Agents</title>
    <seriesInfo name="Internet-Draft" value="draft-carr-sygil-protocol-00"/>
    <author initials="E." surname="Carr" fullname="Evan Carr" role="editor">
      <organization>Sygil PBC</organization>
      <address>
        <postal>
          <region>CO</region>
          <country>US</country>
        </postal>
        <email>evan@sygil.id</email>
      </address>
    </author>
    <date year="2026" month="July" day="06"/>
    <area>Applications and Real-Time</area>
    <workgroup>Independent Submission</workgroup>
    <keyword>personal data</keyword>
    <keyword>schema</keyword>
    <keyword>vault</keyword>
    <keyword>agent</keyword>
    <keyword>cross-domain</keyword>
    <keyword>content-addressable</keyword>
    <abstract>

<t>This document specifies the Sygil Protocol, an open schema and query
grammar for cross-domain personal data designed to make user data
interoperable across systems, vendors, and AI agents. The protocol
defines a content-addressable record envelope, a reverse-DNS namespace
identifier scheme, a deterministic JSON canonicalization rule, an
optional vocabulary of proof objects for conveying provenance and
other trust evidence on the wire, a minimal query grammar, and three
adoption tiers from envelope-shaped data through queryable surfaces to
vault-certified runtimes. The protocol is runtime-neutral: it
specifies what travels on the wire, not how implementations store,
encrypt, authorize, or audit records. This separation lets independent
systems produce, consume, and exchange Sygil-shaped data without
depending on any specific vault infrastructure.</t>
    </abstract>
  </front>
  <middle>

<section anchor="introduction">
      <name>Introduction</name>
      <t>Personal data -- calendar events, financial transactions, health
observations, messages, location history, identity attributes,
documents, preferences -- is fragmented across hundreds of vendor
systems, each with its own data model, identifier scheme, access
mechanism, and trust posture. AI agents operating on behalf of a person
must today perform brittle, ad-hoc translation between these systems to
reason across domains. There is no shared schema framework comparable to
what FHIR <xref target="FHIR-R4"/> provides for clinical data, what iCalendar
<xref target="RFC5545"/> provides for scheduled events, or what the Financial Data
Exchange API <xref target="FDX"/> provides for financial transactions, that spans
these domains together.</t>
      <t>This document specifies the Sygil Protocol, an open schema and query
grammar designed to fill that gap. The Protocol defines:</t>
      <ul spacing="normal">
        <li>
          <t>A record envelope with a small set of required base fields and a
larger set of optional reserved fields covering subject scope,
derivation lineage, retention, soft-delete state, and language.</t>
        </li>
        <li>
          <t>A content-addressable URI scheme (<tt>sygil://</tt>) that identifies a record
version by a hash of its canonical serialization.</t>
        </li>
        <li>
          <t>A logical-identity scheme (<tt>sygil-stable:</tt>) that identifies a record
across versions.</t>
        </li>
        <li>
          <t>A reverse-DNS namespace identifier scheme (NSID) that allows the
ecosystem to extend permissionlessly while keeping core namespaces
stable.</t>
        </li>
        <li>
          <t>Deterministic JSON canonicalization per RFC 8785 <xref target="RFC8785"/>, the
basis for reproducible content hashes.</t>
        </li>
        <li>
          <t>A minimal query grammar of six required primitives plus optional
trust-dimension filters.</t>
        </li>
        <li>
          <t>An optional vocabulary of proof objects (<tt>sygil.proof.*</tt>) for
conveying provenance, capability, consent, attestation, and audit
evidence alongside records. Integrity is implicit at every tier via
the content-addressed <tt>id</tt>.</t>
        </li>
        <li>
          <t>Three adoption tiers ranging from Sygil-shaped data (Tier 1) through
Sygil-queryable surfaces (Tier 2) to vault-certified runtimes (Tier
3).</t>
        </li>
      </ul>
      <t>The motivation for this work -- why translation at the language-model
layer cannot supply the provenance, consent, audit, portability, and
conformance guarantees that agents operating on personal data require,
and why a shared semantic substrate is the layer where those guarantees
can hold -- is developed at length in the Sygil Protocol Whitepaper
<xref target="SYGIL-WP"/>.</t>
      <section anchor="scope">
        <name>Scope</name>
        <t>The Protocol specifies what Sygil-shaped data is on the wire. It does
not specify:</t>
        <ul spacing="normal">
          <li>
            <t>A storage substrate. Records may be stored in any database, file
system, or in-memory representation.</t>
          </li>
          <li>
            <t>An encryption-at-rest scheme. Storage encryption is a runtime concern.</t>
          </li>
          <li>
            <t>A specific authorization mechanism. The Protocol defines a vocabulary
for capability and consent proofs but does not require any specific
authorization framework (OAuth, UCAN, OpenFGA, Cedar, ODRL, or any
other) to underlie that vocabulary.</t>
          </li>
          <li>
            <t>A federation protocol. Multi-vault synchronization, cross-user record
sharing, and replication are runtime concerns.</t>
          </li>
          <li>
            <t>A transport protocol. Records may be carried over HTTP, the Model
Context Protocol <xref target="MCP"/>, or any other transport.</t>
          </li>
          <li>
            <t>An identity provider. The Protocol uses Decentralized Identifiers
(<xref target="W3C-DID"/>) to identify data subjects but does not issue, verify, or
resolve them; resolution semantics are bound by DID method.</t>
          </li>
        </ul>
        <t>These boundaries are load-bearing. The Protocol is useful precisely
because it can be adopted without committing to any specific vault,
authorization framework, or transport. Sygil-shaped records can be
produced by a connector wrapping a third-party API and consumed by a
local-first application, with no intermediary vault, no authorization
server, and no network protocol shared between producer and consumer
beyond the medium that carries the bytes.</t>
      </section>
      <section anchor="relationship-to-vault-implementations">
        <name>Relationship to vault implementations</name>
        <t>Sygil distinguishes the Protocol -- the schema and query grammar
specified by this document -- from vault implementations, which
operationalize storage, encryption, authorization, audit, and trust
enforcement on top of Sygil-shaped data. The Protocol/vault relationship
is analogous to the relationship between the Linux kernel ABI and a
specific Linux distribution: the kernel ABI is the open standard that
multiple distributions share; each distribution makes its own opinionated
runtime choices. Conformance to the Protocol does not require adoption
of any specific vault implementation, and competing vault distributions
are expected.</t>
      </section>
      <section anchor="status-of-this-document">
        <name>Status of this document</name>
        <t>This document is an Internet-Draft submitted as an Independent
Submission. Its intended status is Informational. It specifies a data
protocol -- a schema, identifier and serialization conventions, an
optional proof-object vocabulary, and a minimal query grammar -- rather
than a transport protocol or interaction model (see Section 3.2 for
the classification rationale and prior-art comparison). The document
documents an open schema and query grammar developed by Sygil PBC and
published under the IETF Trust Legal Provisions to facilitate community
review, alignment with related IETF work (including OAuth 2.0
<xref target="RFC6749"/> extensions, DID resolution, and JSON canonicalization), and
eventual standards-track follow-on work in relevant working groups.</t>
        <t>A narrative companion to this specification, the Sygil Protocol
Whitepaper <xref target="SYGIL-WP"/>, sets out the motivation, the history of
cross-domain personal-data standardization, the design principles, and
the conditions that motivate the Protocol. That document is
informational background; this Internet-Draft is the normative
specification, and where the two differ this document governs.</t>
        <t>This document does not obsolete or update any existing RFC.</t>
      </section>
      <section anchor="conventions">
        <name>Conventions</name>
        <t>The key words "<strong>MUST</strong>", "<strong>MUST NOT</strong>", "<strong>REQUIRED</strong>", "<strong>SHALL</strong>",
"<strong>SHALL NOT</strong>", "<strong>SHOULD</strong>", "<strong>SHOULD NOT</strong>", "<strong>RECOMMENDED</strong>",
"<strong>NOT RECOMMENDED</strong>", "<strong>MAY</strong>", and "<strong>OPTIONAL</strong>" in this document
are to be interpreted as described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/>
when, and only when, they appear in all capitals, as shown here.</t>
        <t>Throughout this document, the terms "Producer" and "Consumer" refer to
the party that creates a Sygil record and the party that receives it,
respectively. The terms "Subject" and "Vault" refer to the data subject
the record is about and to a runtime that stores and serves Sygil
records on a Subject's behalf, respectively. Section 2 defines these and
other terms normatively.</t>
        <t>Examples in this document are non-normative and use the example
identifiers and domain names reserved by <xref target="RFC2606"/>.</t>
      </section>
    </section>
    <section anchor="conventions-and-terminology">
      <name>Conventions and Terminology</name>
      <t>The conformance keywords are defined in the Conventions section of
the Introduction (Section 1.4).</t>
      <t>This section defines the terms used normatively throughout this
document.</t>
      <dl>
        <dt>Agent:</dt>
        <dd>
          <t>A software entity, typically an AI model or AI-driven application,
that produces or consumes Sygil records on behalf of itself or of a
Subject. Agents are external to the Protocol and are mentioned here
only because the Protocol's design goals are oriented toward
agent-native consumption (Section 3).</t>
        </dd>
        <dt>BCP 14 keywords:</dt>
        <dd>
          <t>The conformance keywords defined in <xref target="RFC2119"/> and <xref target="RFC8174"/>.</t>
        </dd>
        <dt>Canonical serialization:</dt>
        <dd>
          <t>The deterministic JSON serialization specified in Section 4.5,
conforming to <xref target="RFC8785"/>. Sometimes referred to as "JCS" (JSON
Canonicalization Scheme) by the name of the specification it
follows.</t>
        </dd>
        <dt>Connector:</dt>
        <dd>
          <t>A Producer that imports records from an upstream non-Sygil source
system (for example, a calendar provider, a financial data
aggregator, an electronic health records system) and produces Sygil
records representing that data. Connectors are external to the
Protocol; this document mentions them only because some Protocol
fields (<tt>source_system</tt>, <tt>connector_id</tt> in <tt>sygil.proof.provenance</tt>)
refer to them.</t>
        </dd>
        <dt>Conformance:</dt>
        <dd>
          <t>The state of an implementation that satisfies the requirements of
one of the three adoption tiers defined in Section 6 for at least
one Sygil namespace. Conformance is asserted per (namespace, tier)
pair; it is not asserted at the implementation level as a whole.</t>
        </dd>
        <dt>Consumer:</dt>
        <dd>
          <t>A party that receives a Sygil record. Consumers are responsible for
schema validation, reference handling, and (where applicable) proof
verification per the rules in Section 7 (Failure Semantics) and
Section 8 (Security Considerations).</t>
        </dd>
        <dt>Content hash:</dt>
        <dd>
          <t>The cryptographic hash of a record's canonical serialization (with
hash exclusions per Section 4.5), used to construct the record's
<tt>id</tt> URI. The hash algorithm is BLAKE3 <xref target="BLAKE3"/>; the hash output
is encoded as a base64url string without padding, of the form
<tt>blake3-{base64url}</tt> (Section 4.5.3).</t>
        </dd>
        <dt>DID:</dt>
        <dd>
          <t>A Decentralized Identifier as defined in <xref target="W3C-DID"/>. Sygil uses
DIDs to identify Subjects and other principals. The Protocol treats
DIDs as opaque except for the method tag (Section 4.9); resolution
is delegated to the DID method.</t>
        </dd>
        <dt>Envelope:</dt>
        <dd>
          <t>The set of base fields common to every Sygil record, defined in
Section 4.2. The envelope distinguishes Sygil-shaped data from
arbitrary JSON.</t>
        </dd>
        <dt>Implementation:</dt>
        <dd>
          <t>A software system that produces, consumes, or both produces and
consumes Sygil records. An implementation MAY be a Tier 1, Tier 2,
or Tier 3 implementation per Section 6, and MAY assert different
conformance tiers for different namespaces.</t>
        </dd>
        <dt>JCS:</dt>
        <dd>
          <t>JSON Canonicalization Scheme <xref target="RFC8785"/>, the canonicalization rule
specified in Section 4.5.</t>
        </dd>
        <dt>NSID (namespace identifier):</dt>
        <dd>
          <t>A reverse-DNS-style identifier of the form
<tt>sygil.v1.{domain}.{type}</tt> for core namespaces, or
<tt>{publisher.domain}.{type}</tt> for third-party namespaces. NSIDs
identify the type of a record and govern the schema the record
validates against. NSID structure and rules are defined in Section
4.3.</t>
        </dd>
        <dt>Producer:</dt>
        <dd>
          <t>A party that creates a Sygil record. Producers are responsible for
emitting only valid records per the rules in Section 7.</t>
        </dd>
        <dt>Proof object:</dt>
        <dd>
          <t>An optional object attached to a record's <tt>_proofs</tt> array that
conveys evidence of integrity, provenance, capability, consent,
attestation, or audit. Proof objects are vocabulary; their
interpretation and verification are out of scope for the Protocol
and are addressed by vault implementations (Section 5).</t>
        </dd>
        <dt>Projection:</dt>
        <dd>
          <t>A view of a record produced by a Vault implementation according to a
privacy classification policy (Section 4.2.5). The wire-time
envelope field <tt>redaction_state</tt> (Section 4.2) labels the projection
level the served record represents.</t>
        </dd>
        <dt>Record:</dt>
        <dd>
          <t>An instance of a Sygil namespace. A record is structurally a JSON
object <xref target="RFC8259"/> with the envelope fields defined in Section 4.2
plus namespace-specific fields defined by the record's NSID.</t>
        </dd>
        <dt>Reverse-DNS namespace pattern:</dt>
        <dd>
          <t>The naming convention used for NSIDs, proof object types, connector
identifiers, and community-extension namespace publisher identifiers
(Section 4.2.5) throughout the Protocol. Names read in reverse-DNS
order -- most-significant component first (<tt>sygil.v1.calendar.event</tt>,
<tt>sygil.community.acme.example.com.media.album</tt>) -- to ensure
publisher-controlled namespacing without central coordination. The
convention follows <xref target="RFC6648"/>'s recommendation against
<tt>X-</tt>-prefixed extensions.</t>
        </dd>
        <dt><tt>sygil://</tt> URI:</dt>
        <dd>
          <t>The content-addressed URI scheme used as a record's <tt>id</tt>. Defined
in Section 4.4.</t>
        </dd>
        <dt><tt>sygil-stable:</tt> URI:</dt>
        <dd>
          <t>The logical-identity URI scheme used as a record's <tt>stable_id</tt>. All
v1 records carry both identifiers, including inherently immutable
records (which carry <tt>version: 1</tt> and never increment). Defined in
Section 4.6.</t>
        </dd>
        <dt>Subject:</dt>
        <dd>
          <t>The natural or legal person whom a record is about. Identified by a
DID. The Subject's DID appears in the <tt>sygil://</tt> URI prefix and may
also appear in optional envelope fields (<tt>subject_did</tt>,
<tt>subjects[]</tt>).</t>
        </dd>
        <dt>Tier 1, Tier 2, Tier 3:</dt>
        <dd>
          <t>The three adoption tiers defined in Section 6. Tier 1
implementations produce or consume Sygil-shaped data without any
runtime services. Tier 2 implementations expose a Sygil-queryable
surface. Tier 3 implementations operate as vault-certified runtimes.</t>
        </dd>
        <dt>Vault:</dt>
        <dd>
          <t>A runtime that stores Sygil records and serves them under access
control on a Subject's behalf. The Protocol does not specify how a
Vault operates; it specifies only what records look like on the wire
between a Vault and other parties. Vault operation is addressed by
separate vault-implementation specifications.</t>
        </dd>
        <dt>Vault-private metadata:</dt>
        <dd>
          <t>Information a Vault may attach to records for its own purposes
(storage hints, access logs, internal indices) that is not part of
the Sygil envelope or any Sygil namespace. Vault-private metadata
MUST NOT be emitted on the wire under the <tt>sygil.*</tt> or any other
Sygil-specified field name.</t>
        </dd>
      </dl>
    </section>
    <section anchor="architecture">
      <name>Architecture</name>
      <t>This section describes the shape of the Protocol so that the rest of
the document is comprehensible. Wire-level normative requirements are
specified in subsequent sections.</t>
      <section anchor="goals">
        <name>Goals</name>
        <t>The Protocol is designed to satisfy four goals. The architectural
commitments behind these goals -- in particular the decision to compose
from existing standards rather than replace them, and to keep the
Protocol orthogonal to storage, authorization, and runtime concerns --
are discussed further in <xref target="SYGIL-WP"/>.</t>
        <t><strong>Cross-domain coverage.</strong> The Protocol provides a single coherent
schema framework that spans identity, calendar, messages, finance,
health, location, documents, preferences, media, tasks, commerce,
claims, and channels (the v1 namespaces; see Section 4.7). Records in
any namespace share the same envelope structure, the same identifier
scheme, and the same canonicalization rule, so that Consumers reasoning
across namespaces can do so uniformly.</t>
        <t><strong>Standards alignment.</strong> Each namespace declares mappings to existing
external standards where they exist (vCard <xref target="RFC6350"/> for identity,
iCalendar <xref target="RFC5545"/> for calendar, FHIR <xref target="FHIR-R4"/> for health, FDX
<xref target="FDX"/> for finance, Internet Message Format <xref target="RFC5322"/> for messages,
Schema.org <xref target="SCHEMA-ORG"/> for general entity vocabulary). Sygil does
not replace these standards; it composes them under a uniform envelope
and identifier scheme.</t>
        <t><strong>Runtime neutrality.</strong> A developer with a JSON Schema validator, an
HTTP stack, and the canonicalization rule from Section 4.5 can produce
and consume Sygil-shaped data without any vault, authorization server,
or other runtime infrastructure. This is enforced architecturally:
nothing in this document describes how a Vault stores, encrypts, or
authorizes records.</t>
        <t><strong>Agent legibility.</strong> Sygil records are designed to be legible to AI
agents without out-of-band context. Stable, predictable record types
(NSIDs); predictable resource identifiers (<tt>sygil://</tt>); declared
relationships between records; typed fields with documented semantics;
a minimal, predictable query grammar; and optional proof metadata that
agents can consume without verifying -- these properties together let
an agent that has never encountered a particular Sygil-shaped record
identify its type, parse it, follow its references, and reason about
it.</t>
      </section>
      <section anchor="protocol-nature-and-classification">
        <name>Protocol nature and classification</name>
        <t>This document specifies a <strong>data protocol</strong>: a schema, a set of
identifier and serialization conventions, an optional proof-object
vocabulary, and a minimal query grammar. It does not specify a wire
protocol in the sense of a request/response interaction model, a
session lifecycle, or a transport binding. Sygil records are carried
over whatever transport the deployment chooses (HTTP, the Model
Context Protocol <xref target="MCP"/>, file-based exchange, others); the Protocol
is what makes a JSON object recognizably and validatably a Sygil
record on either side of that transport.</t>
        <t>This classification is consistent with prior IETF practice for
data-protocol specifications:</t>
        <ul spacing="normal">
          <li>
            <t><xref target="RFC8259"/> (The JavaScript Object Notation (JSON) Data Interchange
Format) specifies a syntax and semantics without specifying any
interaction model.</t>
          </li>
          <li>
            <t><xref target="RFC5545"/> (Internet Calendaring and Scheduling Core Object
Specification, iCalendar) specifies a record format, a set of
property and component definitions, and conventions for cross-system
exchange -- without specifying a wire protocol per se. (iCalendar
Transport-Independent Interoperability Protocol, RFC 5546, is a
separate document.)</t>
          </li>
          <li>
            <t>HL7 FHIR <xref target="FHIR-R4"/> (referenced informatively here, as it is not
an IETF specification) follows the same shape: a resource model
with normative wire format, with REST and other transport bindings
defined separately.</t>
          </li>
        </ul>
        <t>Sygil follows the same shape. The wire format (envelope, identifier
scheme, canonicalization, namespace declarations, proof object
vocabulary) is normative; transport bindings, request/response
patterns, and runtime composition are out of scope. A future Sygil
specification may define a transport binding; this document does not.</t>
      </section>
      <section anchor="non-goals">
        <name>Non-goals</name>
        <t>The Protocol explicitly does not require, and rejects any attempt to
require:</t>
        <ul spacing="normal">
          <li>
            <t>A specific storage substrate.</t>
          </li>
          <li>
            <t>Encryption at rest.</t>
          </li>
          <li>
            <t>A specific transport protocol.</t>
          </li>
          <li>
            <t>A specific authorization mechanism, framework, or policy language.</t>
          </li>
          <li>
            <t>A specific federation primitive, replication scheme, or
cross-Vault synchronization protocol.</t>
          </li>
          <li>
            <t>A specific identity-provider relationship beyond the use of DIDs.</t>
          </li>
          <li>
            <t>Witness cosigning, transparency logs, or other trust infrastructure
beyond the optional <tt>sygil.proof.audit</tt> and <tt>sygil.proof.attestation</tt>
proof objects, whose verification is out of scope.</t>
          </li>
        </ul>
        <t>The Protocol MAY define fields and proof object types that allow
these systems to express output (for example, <tt>sygil.proof.capability</tt>
references a capability token by ID and hash; <tt>sygil.proof.attestation</tt>
references an attestation report by URI). It does not require those
systems to exist or to be used.</t>
        <t>This document does not specify how a Vault implementation computes an
authorization decision, derives a proof object from underlying policy
state, or evaluates trust across multiple proof objects. These are
runtime concerns. The Protocol specifies only the on-the-wire
vocabulary by which the result of such a computation may be conveyed.</t>
      </section>
      <section anchor="major-components">
        <name>Major components</name>
        <t>A Sygil-shaped data system is built from five components, each
specified in subsequent sections of this document. This subsection
introduces them at the conceptual level so that subsequent sections
have an established vocabulary to reference.</t>
        <section anchor="the-envelope">
          <name>The envelope</name>
          <t>Every Sygil record carries a small set of base fields that identify
it, locate it in the namespace ecosystem, and bind it to its
canonical content. These are the required fields (<tt>@type</tt>, <tt>id</tt>,
<tt>stable_id</tt>, <tt>version</tt>, <tt>created_at</tt>, <tt>updated_at</tt> -- required for
all v1 records, including inherently immutable records which carry
<tt>version: 1</tt> and never increment), and a defined set of optional and
reserved fields covering subject scope, derivation lineage, retention,
soft-delete state, and language. The envelope is what makes a JSON
object a Sygil record. Section 4.2 specifies the envelope in full.</t>
        </section>
        <section anchor="the-namespace-and-the-nsid">
          <name>The namespace and the NSID</name>
          <t>Each Sygil record's type is identified by an NSID -- a reverse-DNS
identifier such as <tt>sygil.v1.calendar.event</tt> or
<tt>sygil.community.acme.example.com.media.album</tt>. The NSID names the
schema the record validates against. Core Sygil namespaces use the
<tt>sygil.v1.</tt> prefix and follow a release-tagged versioning scheme
(<tt>sygil.v1.*</tt>, <tt>sygil.v2.*</tt>) in which constraint sets are immutable
once published. Third parties define their own namespaces under the
<tt>sygil.community.{publisher}.*</tt> prefix per the NSID extension pattern
(Section 4.2.5). Section 4.3 specifies NSID structure and rules;
Section 4.7 enumerates the v1 namespaces.</t>
        </section>
        <section anchor="the-identifier-scheme">
          <name>The identifier scheme</name>
          <t>Sygil uses two identifier forms. The <tt>sygil://</tt> URI is a
content-addressed identifier whose final component is the BLAKE3 hash
of the record's canonical serialization (with defined exclusions); it
identifies a specific <em>version</em> of a specific record. The
<tt>sygil-stable:</tt> URI identifies the <em>logical</em> record across versions,
for record types that mutate over time (calendar events, financial
transactions that may be updated). The two forms together let a
Consumer verify integrity (<tt>sygil://</tt> is a hash) while still tracking
record evolution (<tt>sygil-stable:</tt> survives updates). Section 4.4
specifies <tt>sygil://</tt>; Section 4.6 specifies <tt>sygil-stable:</tt>.</t>
        </section>
        <section anchor="the-proof-object">
          <name>The proof object</name>
          <t>A record MAY carry zero or more proof objects in its <tt>_proofs</tt> field.
Each proof object asserts a specific kind of claim about the record:
that it was sourced from a named upstream
system (<tt>sygil.proof.provenance</tt>), that the access producing it was
authorized by a capability token (<tt>sygil.proof.capability</tt>), that the
access was covered by a consent receipt (<tt>sygil.proof.consent</tt>), that
the record was produced inside a trusted execution environment
(<tt>sygil.proof.attestation</tt>), or that the access was logged in an
audit log (<tt>sygil.proof.audit</tt>). Integrity is implicit at every tier
via the content-addressed <tt>id</tt>; no separate proof object is required
because any party with the record can canonicalize and hash it to
verify against the <tt>id</tt>. Proof objects are wire vocabulary;
the Protocol specifies their shape and meaning but not how they are
produced or verified. Section 5 specifies the proof object vocabulary.</t>
        </section>
        <section anchor="the-conformance-tier">
          <name>The conformance tier</name>
          <t>The Protocol defines three adoption tiers. Tier 1 is Sygil-shaped
data: records carry valid envelopes, validate against schemas, and
canonicalize reproducibly. Tier 2 adds a queryable surface
implementing the six required query primitives. Tier 3 adds vault
runtime semantics -- proof attachment under Agent access, audit log
operation, per-Subject isolation. Each tier is a strict superset of
the previous. Conformance is asserted per (namespace, tier) pair: an
implementation can be Tier 2 for <tt>sygil.v1.calendar.event</tt> while
silent for <tt>sygil.v1.health.observation</tt>. Section 6 specifies the
tiers.</t>
        </section>
      </section>
      <section anchor="reference-architecture">
        <name>Reference architecture</name>
        <t>The Protocol contemplates four roles that interact through Sygil-
shaped records:</t>
        <artwork type="ascii-art" name="reference-architecture"><![CDATA[
            +------------+        produces        +-----------+
   Subject  |  Producer  | ---------------------> |  Vault    |
   (DID)    | (Connector,| <- - - - - - - - - - - | (storage, |
            |  Agent,    |    optional sync       |  access   |
            |  Subject   |                        |  control) |
            |  herself)  |                        +-----+-----+
            +------------+                              |
                                                        | serves
                                                        v
            +------------+         queries        +-----------+
            |  Agent     | <--------------------- |  Consumer |
            |  (LLM,     | ---------------------> | (Agent,   |
            |  app, ...) |        records         |  app, or  |
            +------------+                        |  another  |
                                                  |  Vault)   |
                                                  +-----------+

   Wire boundary: Sygil records (envelope + namespace fields + _proofs)
   Out of scope:  Vault internals, transport, authorization computation
]]></artwork>
        <t>The wire boundary -- what crosses between parties -- is the subject of
this document. What happens inside the Vault to produce records served
to a Consumer is the subject of vault-implementation specifications.</t>
      </section>
      <section anchor="composition-with-external-standards">
        <name>Composition with external standards</name>
        <t>The Protocol composes with existing standards in three ways.</t>
        <t><strong>Aligned namespaces</strong> (Section 4.7) declare their primary external
binding. A <tt>sygil.v1.calendar.event</tt> record aligns to iCalendar
<xref target="RFC5545"/> and Schema.org <tt>Event</tt>; a <tt>sygil.v1.health.observation</tt>
record aligns to FHIR <tt>Observation</tt> <xref target="FHIR-R4"/>; a
<tt>sygil.v1.identity.person</tt> record aligns to vCard 4.0 <xref target="RFC6350"/> and
Schema.org <tt>Person</tt>. Implementations are not required to emit external
forms; the alignment exists so that Consumers already speaking the
external vocabulary can map Sygil records into it via published
JSON-LD contexts (Section 4.7).</t>
        <t><strong>Referenced vocabularies</strong> (Section 5) appear in proof object types.
The <tt>sygil.proof.consent</tt> proof object refers to consent receipts that
may follow the W3C Data Privacy Vocabulary, ISO/IEC TS 27560:2023
<xref target="ISO-27560"/>, or other consent-receipt schemes. The
<tt>sygil.proof.capability</tt> proof object refers to a capability token by
identifier and hash; the token format itself is unspecified by the
Protocol but is commonly UCAN, OAuth 2.0 access token, or a similar
construct.</t>
        <t><strong>Informative comparators</strong> include the AT Protocol repository format
<xref target="ATPROTO"/> (whose Lexicon discipline inspires the Sygil NSID
immutability rule), W3C Verifiable Credentials <xref target="W3C-VC2"/> (which the
reserved <tt>sygil.v1.credential.*</tt> namespace will adopt verbatim when
specified), and the Model Context Protocol <xref target="MCP"/> (a common transport
for agent-mediated record retrieval). None of these are normative
dependencies of this document.</t>
        <t>The Protocol does not require any specific authorization framework.
Implementations are free to compose policy frameworks (OAuth 2.0
<xref target="RFC6749"/>, OAuth 2.0 Demonstrating Proof of Possession <xref target="RFC9449"/>,
OAuth 2.0 Rich Authorization Requests <xref target="RFC9396"/>, capability tokens,
authorization engines such as OpenFGA or Cedar, or policy languages
such as ODRL <xref target="W3C-ODRL"/> or the W3C Data Privacy Vocabulary) as best
fits their deployment; the Protocol's role is to define the vocabulary
by which the result of such authorization (a proof object) travels
with a record. How the proof object was derived is a runtime concern.</t>
      </section>
      <section anchor="architecture-boundary">
        <name>Architecture boundary</name>
        <t>The boundary between Protocol and runtime is enforced throughout this
document. Anywhere this document slips into runtime specification --
storage, encryption, authorization computation, audit log structure,
Vault federation -- the text is wrong and should be moved to a
vault-implementation specification.</t>
        <t>The reverse holds for vault-implementation specifications: anywhere
they specify the on-the-wire shape of a record, identifier, hash, or
proof object, they are duplicating this document. The Protocol is the
single source of truth for wire format; vault specifications are the
single source of truth for runtime behavior.</t>
        <t>The table below makes the boundary explicit. For each Sygil-relevant
concern, the table indicates whether the Protocol defines it, defines
vocabulary for it without specifying behavior, or treats it as
out-of-scope. The latter two columns are not normative for this
document; they are shown to make the runtime delegation auditable.</t>
        <table>
          <thead>
            <tr>
              <th align="left">Concern</th>
              <th align="left">Protocol</th>
              <th align="left">Vault implementation</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">Personal data schemas</td>
              <td align="left">
                <strong>Defines</strong></td>
              <td align="left">Implements</td>
            </tr>
            <tr>
              <td align="left">NSIDs</td>
              <td align="left">
                <strong>Defines</strong></td>
              <td align="left">Uses</td>
            </tr>
            <tr>
              <td align="left">
                <tt>sygil://</tt> URIs</td>
              <td align="left">
                <strong>Defines</strong></td>
              <td align="left">Resolves</td>
            </tr>
            <tr>
              <td align="left">
                <tt>stable_id</tt> format</td>
              <td align="left">
                <strong>Defines</strong></td>
              <td align="left">Uses</td>
            </tr>
            <tr>
              <td align="left">Canonical serialization (JCS)</td>
              <td align="left">
                <strong>Defines</strong></td>
              <td align="left">Uses</td>
            </tr>
            <tr>
              <td align="left">Query grammar</td>
              <td align="left">
                <strong>Defines minimal semantics</strong></td>
              <td align="left">Enforces access; executes</td>
            </tr>
            <tr>
              <td align="left">Proof object types</td>
              <td align="left">
                <strong>Defines vocabulary</strong></td>
              <td align="left">Produces, verifies</td>
            </tr>
            <tr>
              <td align="left">Privacy classification</td>
              <td align="left">
                <strong>Defines descriptive metadata</strong></td>
              <td align="left">Enforces projection policy</td>
            </tr>
            <tr>
              <td align="left">Storage substrate</td>
              <td align="left">Out of scope</td>
              <td align="left">Implements</td>
            </tr>
            <tr>
              <td align="left">Encryption at rest</td>
              <td align="left">Out of scope</td>
              <td align="left">Implements</td>
            </tr>
            <tr>
              <td align="left">Authorization runtime</td>
              <td align="left">Out of scope (vocabulary only)</td>
              <td align="left">Implements</td>
            </tr>
            <tr>
              <td align="left">OAuth, UCAN, capability tokens</td>
              <td align="left">Optional proof reference only</td>
              <td align="left">Implements</td>
            </tr>
            <tr>
              <td align="left">ODRL, W3C DPV</td>
              <td align="left">Optional proof vocabulary</td>
              <td align="left">Implements, enforces</td>
            </tr>
            <tr>
              <td align="left">Audit log structure</td>
              <td align="left">Optional proof reference</td>
              <td align="left">Operates log</td>
            </tr>
            <tr>
              <td align="left">TEE attestation flows</td>
              <td align="left">Optional proof object</td>
              <td align="left">Produces, verifies</td>
            </tr>
            <tr>
              <td align="left">Connectors</td>
              <td align="left">Out of scope</td>
              <td align="left">Implements</td>
            </tr>
            <tr>
              <td align="left">Transport (HTTP, MCP, etc.)</td>
              <td align="left">Out of scope</td>
              <td align="left">Implements</td>
            </tr>
            <tr>
              <td align="left">Federation between Vaults</td>
              <td align="left">Out of scope</td>
              <td align="left">Implements (where present)</td>
            </tr>
            <tr>
              <td align="left">Cross-Subject record sharing</td>
              <td align="left">Out of scope</td>
              <td align="left">Out of scope (typically)</td>
            </tr>
          </tbody>
        </table>
        <t>A row that says "<strong>Defines</strong>" in the Protocol column means the
specification for that concern lives in this document; vault
implementations use what the Protocol defines. A row that says "Out of
scope" means this Protocol will reject any attempt to specify the
concern; the vault implementation's specification is where it belongs.
A row that says "Optional proof vocabulary" or "Optional proof
reference" means the Protocol defines a way for the result of the
runtime concern to be carried on the wire (as a proof object or proof
field) without specifying the runtime concern itself.</t>
      </section>
    </section>
    <section anchor="data-model">
      <name>Data Model</name>
      <t>This section specifies the wire format of Sygil records. It is the
normative core of this document.</t>
      <section anchor="record">
        <name>Record</name>
        <t>A Sygil record is a JSON object <xref target="RFC8259"/> carrying the envelope
fields defined in this section plus namespace-specific fields
defined by the record's NSID.</t>
        <t>Record identity is defined strictly by the <tt>id</tt> URI (Section 4.4):
two records with the same <tt>id</tt> are the same record version, and two
records with the same <tt>stable_id</tt> (Section 4.6) are versions of the
same logical record. Semantic equivalence beyond identity -- whether
two records "represent the same thing" in some application sense
when their <tt>id</tt> URIs differ -- is out of scope for this Protocol.
Applications and Consumers that need semantic equivalence relations
construct them outside the Protocol.</t>
        <t><strong>Identity entails deduplication.</strong> Records with identical <tt>id</tt>
URIs represent the same canonical content; differences in fields
excluded from the content hash (<tt>_proofs</tt>, <tt>updated_at</tt>, <tt>version</tt>,
<tt>supersedes</tt>, <tt>obsolete</tt>, <tt>obsolete_reason</tt> -- see Section 4.5) MUST
NOT be treated as creating distinct record identities for caching,
deduplication, storage, or transport purposes. Two encounters with
the same <tt>id</tt> are encounters with the same record, even if the
encounters differ in proof attachments.</t>
        <t>This rule prevents a class of implementation divergences in
storage and transport layers. An implementation that stored two
records with the same <tt>id</tt> separately because their <tt>_proofs</tt>
arrays differed would be holding what the Protocol considers one
record as two; downstream Consumers retrieving via either copy
would receive divergent views of the same canonical content. The
current text makes this explicit so that storage, caching, and
deduplication implementations align on what counts as one record.</t>
        <t>A Consumer that needs to track multiple proof variants of the same
record (for example, an audit log that records every proof
attachment seen for a given <tt>id</tt>) MUST use a separate
implementation-private metadata structure keyed on the <tt>id</tt> URI;
it MUST NOT model these as separate records under the Protocol's
identity rules.</t>
      </section>
      <section anchor="envelope">
        <name>Envelope</name>
        <section anchor="required-base-fields">
          <name>Required base fields</name>
          <t>Every Sygil record MUST carry the following fields:</t>
          <table>
            <thead>
              <tr>
                <th align="left">Field</th>
                <th align="left">Type</th>
                <th align="left">Semantics</th>
              </tr>
            </thead>
            <tbody>
              <tr>
                <td align="left">
                  <tt>@type</tt></td>
                <td align="left">string</td>
                <td align="left">NSID of the record type. Format defined in Section 4.3.</td>
              </tr>
              <tr>
                <td align="left">
                  <tt>id</tt></td>
                <td align="left">string</td>
                <td align="left">Content-addressed <tt>sygil://</tt> URI for this version of the record. Format defined in Section 4.4.</td>
              </tr>
              <tr>
                <td align="left">
                  <tt>created_at</tt></td>
                <td align="left">string</td>
                <td align="left">ISO 8601 timestamp with timezone <xref target="RFC3339"/>, indicating when the record was first created in any system.</td>
              </tr>
              <tr>
                <td align="left">
                  <tt>updated_at</tt></td>
                <td align="left">string</td>
                <td align="left">ISO 8601 timestamp with timezone, indicating when the record was last modified.</td>
              </tr>
            </tbody>
          </table>
        </section>
        <section anchor="additional-required-identifier-fields">
          <name>Additional required identifier fields</name>
          <t>Every v1 record MUST additionally carry the logical-identity and
versioning fields below. These are REQUIRED for all record types,
mutable and immutable alike:</t>
          <table>
            <thead>
              <tr>
                <th align="left">Field</th>
                <th align="left">Type</th>
                <th align="left">Semantics</th>
              </tr>
            </thead>
            <tbody>
              <tr>
                <td align="left">
                  <tt>stable_id</tt></td>
                <td align="left">string</td>
                <td align="left">Logical record identity that persists across updates. Format defined in Section 4.6.</td>
              </tr>
              <tr>
                <td align="left">
                  <tt>version</tt></td>
                <td align="left">integer</td>
                <td align="left">Monotonically increasing integer per <tt>stable_id</tt>, starting at 1.</td>
              </tr>
            </tbody>
          </table>
          <t>For inherently immutable record types (a logged event, a cryptographic
attestation captured at a point in time), <tt>stable_id</tt> and <tt>version</tt> are
still REQUIRED. Such records carry <tt>version: 1</tt> and never increment it,
and their <tt>stable_id</tt> is computed exactly as for mutable records
(Section 4.6). Requiring both identifiers uniformly on every record --
rather than conditioning them on a per-type mutability flag -- lets
validators, indexes, reference resolution, replay and export pipelines,
generated types, and policy code treat every record the same way, with
no special case for the immutable subset. The namespace specification
declares whether records of a given type are mutable, which governs
whether <tt>version</tt> is ever expected to advance, not whether these fields
are present.</t>
        </section>
        <section anchor="optional-base-fields">
          <name>Optional base fields</name>
          <t>The following optional fields MAY appear on any record:</t>
          <table>
            <thead>
              <tr>
                <th align="left">Field</th>
                <th align="left">Type</th>
                <th align="left">Semantics</th>
              </tr>
            </thead>
            <tbody>
              <tr>
                <td align="left">
                  <tt>supersedes</tt></td>
                <td align="left">string</td>
                <td align="left">
                  <tt>sygil://</tt> URI of the immediately preceding version of this record (i.e., the record with the same <tt>stable_id</tt> and <tt>version - 1</tt>).</td>
              </tr>
              <tr>
                <td align="left">
                  <tt>subject_did</tt></td>
                <td align="left">string</td>
                <td align="left">DID of the data subject. Defaults to the DID encoded in the <tt>id</tt> URI prefix; explicit when the relationship needs to be unambiguous.</td>
              </tr>
              <tr>
                <td align="left">
                  <tt>issuer_did</tt></td>
                <td align="left">string</td>
                <td align="left">DID of the party that produced this record (e.g., a connector, a Vault, an Agent).</td>
              </tr>
              <tr>
                <td align="left">
                  <tt>source_system</tt></td>
                <td align="left">string</td>
                <td align="left">Identifier of the upstream non-Sygil system the record was derived from (e.g., <tt>google_calendar</tt>, <tt>plaid</tt>, <tt>apple_health</tt>).</td>
              </tr>
              <tr>
                <td align="left">
                  <tt>_proofs</tt></td>
                <td align="left">array</td>
                <td align="left">Array of zero or more proof objects per Section 5.</td>
              </tr>
            </tbody>
          </table>
        </section>
        <section anchor="reserved-envelope-fields">
          <name>Reserved envelope fields</name>
          <t>The following fields are part of the v1 envelope, are optional, and are
reserved for runtime semantics that the Protocol does not itself define.
v1 implementations are not required to populate them or to enforce
behavior based on them. Producers MAY emit them. Consumers MUST preserve
and pass them through unchanged when forwarding or re-emitting records,
per Section 6.5.1 (Forward compatibility).</t>
          <table>
            <thead>
              <tr>
                <th align="left">Field</th>
                <th align="left">Type</th>
                <th align="left">Default</th>
                <th align="left">Semantics</th>
              </tr>
            </thead>
            <tbody>
              <tr>
                <td align="left">
                  <tt>subject_scope</tt></td>
                <td align="left">enum</td>
                <td align="left">
                  <tt>sole</tt></td>
                <td align="left">Whether the record's subject set is sole, bilateral, multilateral, observed, or claim. v1 implementations handle <tt>sole</tt> only. Other values are reserved for the multi-party data story (group messages, Subject-claims-by-others, observation records).</td>
              </tr>
              <tr>
                <td align="left">
                  <tt>subjects</tt></td>
                <td align="left">array</td>
                <td align="left">
                  <tt>[]</tt></td>
                <td align="left">Array of peer subject DIDs for non-sole records. Empty for <tt>sole</tt>.</td>
              </tr>
              <tr>
                <td align="left">
                  <tt>derived_from</tt></td>
                <td align="left">array</td>
                <td align="left">
                  <tt>[]</tt></td>
                <td align="left">Array of derivation-reference objects describing records this one was derived from (calendar event extracted from email; transaction-category claim derived from a bank transaction; AI inference output). Each entry is an object whose <tt>source_record</tt> field carries the <tt>sygil://</tt> URI of the source record; the object shape is defined immediately following this table. Distinct from <tt>supersedes</tt>, which is single-record version history. For each entry, the record referenced by <tt>source_record</tt> MUST have a <tt>created_at</tt> value strictly earlier than the deriving record's <tt>created_at</tt>; this temporal constraint prevents derivation cycles. Producers emitting <tt>derived_from</tt> MUST verify the temporal ordering before emitting.</td>
              </tr>
              <tr>
                <td align="left">
                  <tt>expires_at</tt></td>
                <td align="left">string</td>
                <td align="left">absent</td>
                <td align="left">ISO 8601 timestamp at which the record's content should be considered expired by retention policy. Required when <tt>retention_policy</tt> is present.</td>
              </tr>
              <tr>
                <td align="left">
                  <tt>retention_policy</tt></td>
                <td align="left">string</td>
                <td align="left">absent</td>
                <td align="left">Reverse-DNS identifier of the governing retention policy. The Protocol does not define policy semantics; the field is a runtime hook. When <tt>retention_policy</tt> is present, <tt>expires_at</tt> MUST also be populated; a record carrying <tt>retention_policy</tt> without <tt>expires_at</tt> is malformed.</td>
              </tr>
              <tr>
                <td align="left">
                  <tt>obsolete</tt></td>
                <td align="left">boolean</td>
                <td align="left">
                  <tt>false</tt></td>
                <td align="left">Cross-namespace soft-delete flag. Per-namespace <tt>status</tt> fields keep their domain-specific meanings; <tt>obsolete</tt> is the uniform "no longer current" signal.</td>
              </tr>
              <tr>
                <td align="left">
                  <tt>obsolete_reason</tt></td>
                <td align="left">enum</td>
                <td align="left">absent</td>
                <td align="left">Required when <tt>obsolete</tt> is <tt>true</tt>. One of <tt>superseded</tt>, <tt>user_deleted</tt>, <tt>source_deleted</tt>, <tt>expired</tt>, <tt>corrected</tt>, <tt>withdrawn_consent</tt>, <tt>unknown</tt>.</td>
              </tr>
              <tr>
                <td align="left">
                  <tt>language</tt></td>
                <td align="left">array</td>
                <td align="left">
                  <tt>[]</tt></td>
                <td align="left">Array of BCP 47 language tags identifying the human-readable languages present in the record. Empty array indicates no language assertion. Multiple tags are valid for records carrying content in multiple languages (a calendar event with English title and Japanese description, an identity record with native-script and romanized name forms).</td>
              </tr>
            </tbody>
          </table>
          <t>Each entry in <tt>derived_from</tt> is a derivation-reference object (<tt>@type</tt> =
<tt>sygil.common.derivation_ref</tt>) with the following fields:</t>
          <dl>
            <dt><tt>source_record</tt> (string, REQUIRED)</dt>
            <dd>
              <t>The <tt>sygil://</tt> URI of the source record this record was derived from.</t>
            </dd>
            <dt><tt>derivation_method</tt> (string, REQUIRED)</dt>
            <dd>
              <t>Identifier of the method used to derive this record from
<tt>source_record</tt> (for example, an extraction, inference, or
transformation method).</t>
            </dd>
            <dt><tt>derivation_at</tt> (string, REQUIRED)</dt>
            <dd>
              <t>ISO 8601 timestamp with timezone indicating when the derivation
occurred.</t>
            </dd>
            <dt><tt>derivation_agent</tt> (string, OPTIONAL)</dt>
            <dd>
              <t>Identifier of the agent or skill that performed the derivation.</t>
            </dd>
            <dt><tt>derivation_model</tt> (string, OPTIONAL)</dt>
            <dd>
              <t>Identifier of the model used during the derivation, when applicable.</t>
            </dd>
            <dt><tt>derivation_confidence</tt> (number, OPTIONAL)</dt>
            <dd>
              <t>Confidence score in the range 0.0 to 1.0 assigned to the derivation.</t>
            </dd>
          </dl>
          <t>An earlier draft modeled <tt>derived_from</tt> as a bare array of <tt>sygil://</tt>
URI strings. The object form is normative for v01: the source-record
URI is carried in <tt>source_record</tt>, and the remaining fields capture the
derivation method, time, agent, model, and confidence that constitute
the derivation's provenance.</t>
          <t>The forcing function for reserving these fields at v1 rather than
adding them in a later release is that envelope changes after v1 lock
are catastrophic: they cascade through every namespace, every
connector, every conformance test, every running record store. The
cost of reserving the field names and shapes now, with v1
implementations only required to handle the trivial case (<tt>sole</tt>
subject scope, no derivation, no retention, not obsolete, no language
assertion), is bytes; the cost of needing them later is years.</t>
          <t><strong>Envelope interaction rules.</strong> The following rules govern how envelope fields combine and are normative for v01 implementations:</t>
          <ul spacing="normal">
            <li>
              <t><strong><tt>obsolete</tt> and <tt>expires_at</tt>.</strong> A record MAY carry both: <tt>obsolete: true</tt> with <tt>obsolete_reason: expired</tt> and a populated <tt>expires_at</tt> is the canonical form for retention-driven obsolescence. A record with <tt>obsolete: false</tt> and <tt>expires_at</tt> in the past is legal (the obsolescence pipeline has not run yet); Consumers SHOULD treat such records as effectively obsolete for query purposes but MUST preserve the field values verbatim when forwarding.</t>
            </li>
            <li>
              <t><strong><tt>retention_policy</tt> requires <tt>expires_at</tt>.</strong> Producers MUST NOT emit a record with <tt>retention_policy</tt> populated and <tt>expires_at</tt> absent; doing so is malformed. Consumers receiving such a record SHOULD log the malformation but MUST preserve the record per the lenient-input discipline of Section 7.</t>
            </li>
            <li>
              <t><strong><tt>derived_from[]</tt> cycles.</strong> Each entry's referenced record MUST have a <tt>created_at</tt> strictly earlier than the deriving record's <tt>created_at</tt>. This prevents cycles by construction (no record can be its own ancestor). Consumers performing derivation traversal MAY rely on the temporal constraint to bound traversal depth.</t>
            </li>
          </ul>
          <t>Earlier drafts of the v1 envelope reserved four additional fields --
<tt>jurisdiction[]</tt>, <tt>provenance_quality</tt>, <tt>redaction_state</tt>, and
<tt>_extensions</tt> -- that did not survive the v0.3 reconciliation that
produced this v01 increment. Jurisdiction binding was determined to
be properly a runtime concern derivable from <tt>subject_did</tt> and source
content, contradicting the Protocol's regulatory-agnostic stance.
<tt>provenance_quality</tt> substantially overlapped with the trust
dimensions (<tt>cooperation_mode</tt>, <tt>freshness</tt>, <tt>completeness</tt>,
<tt>verifiability</tt>) already conveyed by <tt>sygil.proof.provenance</tt> (Section
5.4); the proof-object form is the canonical home. <tt>redaction_state</tt>
was relocated to the query response envelope (Section 4.10), since
the same record content can be served as different projections in
different responses; the projection state belongs to the response,
not the record. <tt>_extensions</tt> was replaced by the NSID extension
pattern (Section 4.2.5), in which custom record types live under
<tt>sygil.community.{publisher}.*</tt> community-namespace records rather
than as embedded extension bags. The <tt>language</tt> field was changed
from a single BCP 47 tag (string) to an array of tags, since
multilingual records are common in practice.</t>
        </section>
        <section anchor="reserved-field-name-conventions">
          <name>Reserved field-name conventions</name>
          <t>Two prefix conventions in the envelope are reserved by the Protocol:</t>
          <ul spacing="normal">
            <li>
              <t><strong>Field names beginning with <tt>_</tt></strong> are reserved for Sygil-defined
metadata excluded from the content hash (Section 4.5). The field
currently using this prefix is <tt>_proofs</tt> (Section 5).
Implementations MUST NOT introduce arbitrary leading-underscore
field names; third-party metadata MUST use the NSID extension
pattern (Section 4.2.5).</t>
            </li>
            <li>
              <t><strong>The <tt>@type</tt> field name</strong> is reserved at the top of every record
and every supporting object. The leading <tt>@</tt> aligns Sygil records
with JSON-LD (Section 4.2.6). Implementations MUST NOT use other
<tt>@</tt>-prefixed field names; the <tt>@</tt>-prefix space is reserved for
Sygil-defined or JSON-LD-defined keywords.</t>
            </li>
          </ul>
        </section>
        <section anchor="the-nsid-extension-pattern">
          <name>The NSID extension pattern</name>
          <t>Implementations needing record-shaped data not covered by the v1
namespace set MUST use the NSID extension pattern rather than embedding
extension data in records under the core <tt>sygil.v1.*</tt> namespace. The
pattern has two components: a publisher namespace and a community-
namespace prefix.</t>
          <section anchor="publisher-namespace">
            <name>Publisher namespace</name>
            <t>Implementations identify themselves with a reverse-DNS-shaped publisher
identifier. Publisher identifiers MUST be valid DNS labels joined by
dots; common shapes include:</t>
            <ul spacing="normal">
              <li>
                <t>A controlled domain (e.g., <tt>acme.example.com</tt> for a publisher at
<tt>acme.example.com</tt>)</t>
              </li>
              <li>
                <t>A versioned product identifier (e.g., <tt>vendor.product.v2</tt> for a
publisher's specific product line)</t>
              </li>
            </ul>
            <t>Publisher identifiers MUST be globally unique across all Sygil
implementations. Implementations operating under a controlled domain
SHOULD use the domain itself or a sub-component as the publisher
identifier; implementations without a controlled domain SHOULD register
their identifier through the Sygil NSID Extension Registry (Section
10).</t>
          </section>
          <section anchor="community-namespace-prefix">
            <name>Community namespace prefix</name>
            <t>Records published outside the core <tt>sygil.v1.*</tt> namespace set use the
prefix <tt>sygil.community.{publisher}.</tt> for the NSID. The grammar:</t>
            <sourcecode type="abnf"><![CDATA[
nsid           = core-nsid / community-nsid

core-nsid      = "sygil." version "." namespace "." record-type
                 ; e.g., "sygil.v1.calendar.event"

community-nsid = "sygil.community." publisher "." namespace "."
                 record-type
                 ; e.g.,
                 ; "sygil.community.acme.example.com.media.album"

publisher      = label *( "." label )
                 ; reverse-DNS publisher identifier
]]></sourcecode>
            <t>Records under <tt>sygil.community.{publisher}.*</tt> are valid Sygil records
and travel through the same envelope, canonicalization, identifier, and
proof object infrastructure as core records. Consumers process them
using the unknown-NSID rule (Section 4.3): preserve the record verbatim,
log if unknown, do not reject. A Consumer that recognizes a particular
community namespace MAY interpret records under that namespace as that
publisher's specification dictates; a Consumer that does not recognize
it treats records as opaque.</t>
          </section>
          <section anchor="migration-to-core-namespaces">
            <name>Migration to core namespaces</name>
            <t>When a record type that has been used widely under
<tt>sygil.community.{publisher}.{namespace}.{record-type}</tt> formally lands
in the core <tt>sygil.v1.*</tt> namespace set in a future Protocol version,
the corresponding community-namespace records can be migrated. The
Protocol does not specify a migration mechanism; vault implementations
and tooling provide the migration path. The community-namespace record
type and the core record type MAY coexist during the migration period.</t>
          </section>
          <section anchor="why-the-pattern-is-normative">
            <name>Why the pattern is normative</name>
            <t>Without an explicit extension pattern, implementations needing custom
record types had three options: (1) abuse a top-level <tt>_extensions</tt>
envelope field (the reservation pattern that earlier drafts of this
Protocol had reserved and that v0.3 reconciliation removed), (2) emit
records under the core <tt>sygil.v1.*</tt> namespace with custom fields (which
would fragment the namespace), or (3) emit records under arbitrary non-
Sygil-prefixed NSIDs (which would lose the Sygil envelope and proof
infrastructure). The NSID extension pattern provides a fourth option
that preserves the envelope and infrastructure while clearly marking
records as community-extension rather than core-Protocol.</t>
          </section>
        </section>
        <section anchor="privacy-classification-framework">
          <name>Privacy classification framework</name>
          <t>Each field in each Sygil namespace declares a default <strong>privacy
classification</strong> as part of its schema definition. The classifications
are descriptive metadata; the Protocol does not enforce them. They
exist to give Vault implementations a consistent input for projection
policy decisions.</t>
          <t>Three classes are defined:</t>
          <table>
            <thead>
              <tr>
                <th align="left">Class</th>
                <th align="left">Semantic</th>
              </tr>
            </thead>
            <tbody>
              <tr>
                <td align="left">
                  <tt>public</tt></td>
                <td align="left">The field may be exposed by default in any projection that includes the record.</td>
              </tr>
              <tr>
                <td align="left">
                  <tt>redacted</tt></td>
                <td align="left">The field may be replaced with a placeholder, masked, or null in low-trust projections, and included verbatim in high-trust projections.</td>
              </tr>
              <tr>
                <td align="left">
                  <tt>invisible</tt></td>
                <td align="left">The field may be omitted entirely from low-trust projections; included only in high-trust projections with explicit consent.</td>
              </tr>
            </tbody>
          </table>
          <t>The classifications belong in the Protocol (rather than in
implementation-private policy) because field sensitivity is intrinsic
to the field, not to the deployment. A health observation is
sensitive everywhere; a calendar event location is sensitive
everywhere. Encoding the classification in the schema gives every
conformant implementation the same input to operate on, supports
federation across trust boundaries (both sides agree on what is
sensitive), and enables consistent agent behavior across runtimes.</t>
          <t>The <tt>redaction_state</tt> envelope field (Section 4.2.4) is the wire-time
counterpart: it labels which projection level the served record
represents (<tt>original</tt>, <tt>redacted</tt>, <tt>summary</tt>, <tt>hash_only</tt>). The
classification governs which fields a Vault may include or omit at
each projection level; <tt>redaction_state</tt> records which level was
served. Per-namespace specifications declare the classification for
each field.</t>
          <t>The Protocol does not define what specific projections look like or
how a Vault decides which projection to serve. Those are runtime
concerns. Common projection patterns include:</t>
          <ul spacing="normal">
            <li>
              <t>A <tt>free_busy</tt> projection for calendar availability checks (time and
availability fields only).</t>
            </li>
            <li>
              <t>A <tt>summary</tt> projection for typical Agent context (<tt>public</tt> plus
<tt>redacted</tt> with placeholders).</t>
            </li>
            <li>
              <t>A <tt>full</tt> projection for user-authorized full access (all fields
including <tt>invisible</tt>).</t>
            </li>
            <li>
              <t>An <tt>audit</tt> projection for compliance review (all fields plus audit
metadata).</t>
            </li>
          </ul>
          <t>These are illustrative, not normative. A Vault implementation MAY
define any number of projections; this Protocol commits only to
labeling which level was served in <tt>redaction_state</tt>.</t>
        </section>
        <section anchor="json-ld-compatibility">
          <name>JSON-LD compatibility</name>
          <t>Sygil records carry <tt>@type</tt> on every record and on every supporting
object. This is a deliberate design choice: it makes Sygil records
JSON-LD-shaped at the syntax level without committing to JSON-LD as
the canonical form.</t>
          <t>Sygil records do not carry an inline <tt>@context</tt> field by default.
The canonicalization rule (Section 4.5) operates on the JSON form,
not on the JSON-LD-expanded form; adding inline <tt>@context</tt> to records
would require either including context URLs in the canonicalization
input (binding context resolution to record identity) or excluding
them (creating a new exclusion rule). Keeping contexts external
avoids both.</t>
          <t>Per-namespace <tt>@context</tt> files are published as external generated
artifacts (Section 6.4), at stable URLs under the Protocol's
publication infrastructure. A Consumer that already understands a
target vocabulary -- Schema.org <xref target="SCHEMA-ORG"/>, W3C Verifiable
Credentials <xref target="W3C-VC2"/>, FHIR R4 <xref target="FHIR-R4"/> -- can fetch the
appropriate context and apply it at processing time, mapping Sygil
field names to the target vocabulary's URIs without a custom Sygil
parser.</t>
          <t>Adoption of the published contexts is OPTIONAL for Sygil-native
Consumers. Sygil-aware implementations do not need contexts to
interpret records; they already know the schema. The contexts exist
for the asymmetric interop case: a Schema.org-aware tool reading a
Sygil record. The reverse direction -- a Sygil-native Consumer reading
an arbitrary Schema.org record and treating it as a Sygil record --
generally requires connector logic, not just context publication.</t>
        </section>
      </section>
      <section anchor="nsid-namespace-identifier">
        <name>NSID (namespace identifier)</name>
        <t>NSIDs use reverse-DNS structure to distinguish core Sygil namespaces
(prefix <tt>sygil.</tt>) from third-party namespaces (prefix is the
publisher's reverse-DNS domain).</t>
        <t>Examples:</t>
        <artwork><![CDATA[
sygil.v1.calendar.event
sygil.v1.identity.person
sygil.v1.finance.transaction
com.example.customapp.myrecord
]]></artwork>
        <t>The reverse-DNS pattern is consistent with prior practice for vendor
extensions, including the AT Protocol Lexicon system <xref target="ATPROTO"/> and
the recommendation in <xref target="RFC6648"/> to use reverse-DNS or domain-prefixed
naming for vendor extensions to existing protocols.</t>
        <section anchor="rules">
          <name>Rules</name>
          <ol spacing="normal" type="1"><li>
              <t><strong>Versioning is at the namespace level, not the record level.</strong>
                <tt>sygil.v1.*</tt> is a stable, frozen series. <tt>sygil.v2.*</tt> is a separate,
independent series. The two series coexist indefinitely; there is no
transition deadline.</t>
            </li>
            <li>
              <t><strong>Once published, an NSID's constraint set is immutable.</strong> Adding
optional fields in a minor schema release is permitted. Removing
fields, changing types, adding required fields, or tightening
constraints requires a new NSID. This rule is enforced by
implementation tooling (continuous integration in the reference
schema repository); it is also a normative wire rule: a Producer
MUST NOT emit a record whose NSID is published but whose fields
violate the published constraints for that NSID.</t>
            </li>
            <li>
              <t><strong>Unknown NSIDs MUST be passed through unchanged.</strong> A Consumer that
does not recognize a record's <tt>@type</tt> MUST NOT reject the record on
that basis alone. The Consumer MAY log unknown NSIDs and MAY route
the record to a generic-record handler that preserves base envelope
fields and treats namespace-specific fields as opaque, per Section
7.2.</t>
            </li>
          </ol>
          <t>The immutability rule borrows from the AT Protocol Lexicon discipline
<xref target="ATPROTO"/>. The reasoning is the same: in a federated ecosystem with
no central coordinator, breaking changes cannot be coordinated to every
Consumer. Immutability is the only discipline that keeps the ecosystem
self-consistent. The cost is namespace verbosity (every breaking change
spawns a new NSID); the benefit is that fragmentation, when it comes,
is explicit rather than silent.</t>
        </section>
      </section>
      <section anchor="sygil-uri-scheme">
        <name><tt>sygil://</tt> URI scheme</name>
        <t>The <tt>sygil://</tt> URI scheme is the content-addressed identifier scheme
used as a record's <tt>id</tt>. Its grammar is:</t>
        <t>The grammar of the <tt>sygil://</tt> URI, in ABNF <xref target="RFC5234"/>, is:</t>
        <sourcecode type="abnf"><![CDATA[
sygil-URI    = "sygil://" subject-did "/" nsid "/" content-hash

subject-did  = "did:" method-name ":" method-specific-id
                 ; structure governed by [W3C-DID];
                 ; method-specific-id is opaque to this Protocol
                 ; (see Section 4.9)
method-name  = 1*( ALPHA / DIGIT )
method-specific-id = 1*( unreserved / pct-encoded / ":" )

nsid         = label *( "." label )
                 ; reverse-DNS structure (see Section 4.3)
label        = ( ALPHA / DIGIT ) *( ALPHA / DIGIT / "_" / "-" )

content-hash = algorithm "-" 1*base64url-char
algorithm    = 1*( ALPHA / DIGIT )
                 ; v1 implementations MUST emit "blake3"
base64url-char = ALPHA / DIGIT / "-" / "_"
                 ; base64url alphabet per [RFC4648] Section 5,
                 ; encoded WITHOUT padding ("="). A BLAKE3-256
                 ; digest (32 octets) encodes to exactly 43
                 ; characters.

unreserved   = ALPHA / DIGIT / "-" / "." / "_" / "~"
pct-encoded  = "%" HEXDIG HEXDIG
]]></sourcecode>
        <t>ALPHA, DIGIT, and HEXDIG are the core rules defined in <xref target="RFC5234"/>
Appendix B.1.</t>
        <t>Example:</t>
        <artwork><![CDATA[
sygil://did:web:vault.example.com/sygil.v1.calendar.event/blake3-Cn8vJk2qR7sT1uV4wX9yZ0aB3cD6eF8gH1iJ2kL4mN5
]]></artwork>
        <section anchor="semantics">
          <name>Semantics</name>
          <ul spacing="normal">
            <li>
              <t><strong>The DID component is the Subject DID.</strong> It identifies the data
subject -- the person the record is about. The Vault operator, the
issuer, and the source system are separate concerns and MAY be
expressed in the optional <tt>subject_did</tt>, <tt>issuer_did</tt>, and
<tt>source_system</tt> envelope fields.</t>
            </li>
            <li>
              <t><strong>The content hash is BLAKE3 <xref target="BLAKE3"/> over the canonical
serialization of the record body</strong> (Section 4.5), encoded as a
base64url string without padding, of the form <tt>blake3-{base64url}</tt>.
The hash MUST be reproducible by any conforming implementation given
the same record body.</t>
            </li>
            <li>
              <t><strong>The URI is implementation-neutral.</strong> It does not encode hostname,
port, path, or API surface. Where to fetch the record is a discovery
concern, addressed by Vault implementations or by the carrier
protocol (e.g., MCP <xref target="MCP"/>); it is not encoded in the identifier.</t>
            </li>
          </ul>
        </section>
        <section anchor="why-subject-did-not-vault-did">
          <name>Why subject DID, not Vault DID</name>
          <t>A record about a Subject typically involves multiple parties: the data
Subject, the upstream source system that authored the original data,
the Vault operator that hosts the record, and the connector or Producer
that produced the Sygil record from the upstream data. The Protocol
puts the Subject DID in the URI because the Protocol is
personal-data-centered: the record's identity is bound to the person
the record is about, not to any specific operator or producer.</t>
          <t>The other parties are recorded, when relevant, in the optional
<tt>subject_did</tt> (redundant with the URI but allowed for clarity),
<tt>issuer_did</tt>, and <tt>source_system</tt> envelope fields.</t>
        </section>
        <section anchor="provisional-uri-scheme-registration">
          <name>Provisional URI scheme registration</name>
          <t>The <tt>sygil</tt> URI scheme is to be registered with IANA as a provisional
URI scheme per <xref target="RFC7595"/>. See Section 10 (IANA Considerations).</t>
        </section>
      </section>
      <section anchor="canonical-serialization">
        <name>Canonical serialization</name>
        <t>Content-addressed identifiers require deterministic serialization.
Without a precise canonicalization rule, two implementations can
produce different <tt>id</tt> values for the same logical record, and the
content-addressing model collapses.</t>
        <t>Sygil mandates JSON Canonicalization Scheme (JCS) per <xref target="RFC8785"/>.</t>
        <section anchor="jcs-rules-applied">
          <name>JCS rules, applied</name>
          <ol spacing="normal" type="1"><li>
              <t><strong>UTF-8 encoding</strong> with no byte-order mark.</t>
            </li>
            <li>
              <t><strong>Object key ordering</strong> by code-point order.</t>
            </li>
            <li>
              <t><strong>No insignificant whitespace</strong> between tokens. Whitespace inside
string values is preserved.</t>
            </li>
            <li>
              <t><strong>String escaping</strong> uses only <tt>\"</tt>, <tt>\\</tt>, <tt>\b</tt>, <tt>\f</tt>, <tt>\n</tt>, <tt>\r</tt>,
<tt>\t</tt>; all other control characters use <tt>\u</tt> escapes.</t>
            </li>
            <li>
              <t><strong>Number serialization</strong> per <xref target="RFC8785"/> number-serialization rules:
integers as integers (no <tt>.0</tt>), non-integer numbers in shortest
round-trip representation.</t>
            </li>
            <li>
              <t><strong>Null preservation.</strong> <tt>null</tt> is preserved; it is not equivalent to
"field absent."</t>
            </li>
          </ol>
        </section>
        <section anchor="hash-inputs">
          <name>Hash inputs</name>
          <t>The <tt>id</tt> content hash is computed over the canonical serialization of
the record with the following fields excluded:</t>
          <ul spacing="normal">
            <li>
              <t><tt>id</tt> (cannot include itself).</t>
            </li>
            <li>
              <t><tt>_proofs</tt> (proof objects may be added or removed without changing
record identity).</t>
            </li>
            <li>
              <t><tt>updated_at</tt> (mutable metadata).</t>
            </li>
            <li>
              <t><tt>version</tt> (mutable metadata).</t>
            </li>
            <li>
              <t><tt>supersedes</tt> (mutable metadata).</t>
            </li>
            <li>
              <t><tt>obsolete</tt>, <tt>obsolete_reason</tt> (soft-delete flags can change without
changing the underlying record content).</t>
            </li>
          </ul>
          <t>The following reserved envelope fields <strong>are</strong> included in the hash
input (they are part of the record's content identity):</t>
          <ul spacing="normal">
            <li>
              <t><tt>subject_scope</tt>, <tt>subjects</tt>.</t>
            </li>
            <li>
              <t><tt>derived_from</tt>.</t>
            </li>
            <li>
              <t><tt>expires_at</tt>, <tt>retention_policy</tt>.</t>
            </li>
            <li>
              <t><tt>language</tt>.</t>
            </li>
          </ul>
          <t>Hash exclusions are organized in three tiers. The base-tier
exclusions above apply to every record. A second, mixin-inherited
tier applies to records whose <tt>source</tt> object extends the
<tt>source_provenance</tt> mixin (the cross-namespace provenance mixin
shared by every namespace's <tt>source</tt> object): the fields
<tt>source.imported_at</tt>, <tt>source.cooperation_mode</tt>, and
<tt>source.mode_transition_history</tt> are excluded, because they are
operational metadata that changes on re-synchronization without
changing the record's content. (The <tt>source.source_updated_at</tt>
field is by contrast <strong>included</strong> in the hash: it carries a
content-change semantic -- producers advance it only when upstream
content actually changes, not on operational re-emission -- and is
therefore content, not operational metadata.)</t>
          <t>Per-namespace specifications MAY exclude additional fields from the
hash input (the third tier); any such exclusions MUST be documented in
the namespace specification. For example, the social namespace
excludes the aggregate <tt>engagement_counts</tt> subobject on posts, because
platform-computed engagement totals change as a post accrues
interaction without changing the post's content.</t>
        </section>
        <section anchor="hash-algorithm">
          <name>Hash algorithm</name>
          <t>The hash algorithm is BLAKE3 <xref target="BLAKE3"/>. The 32-octet BLAKE3-256 hash
output is encoded as base64url without padding (<xref target="RFC4648"/> Section 5),
prefixed with <tt>blake3-</tt>, and used as the content-hash component of the
<tt>sygil://</tt> URI. A BLAKE3-256 digest therefore encodes to exactly 43
characters, and a complete content-hash component has the form <tt>blake3-</tt>
followed by those 43 characters.</t>
          <t>The choice of BLAKE3 over alternatives (SHA-256, SHA-3) reflects
performance characteristics relevant to high-record-volume
implementations and is consistent with prior content-addressable
systems' direction. Implementations MUST emit <tt>blake3-</tt> hashes for v1.
Future major versions of the Protocol MAY introduce alternative
algorithms; v1 implementations are not required to support them.</t>
        </section>
      </section>
      <section anchor="stableid-logical-identity-uri">
        <name><tt>stable_id</tt> (logical-identity URI)</name>
        <t>Every v1 record carries a <tt>stable_id</tt>, which identifies the record
across versions; for mutable record types it is the stable handle that
successive versions share. Its grammar, in ABNF <xref target="RFC5234"/>, is:</t>
        <sourcecode type="abnf"><![CDATA[
sygil-stable = "sygil-stable:" nsid-short ":" logical-hash

nsid-short   = label ":" label
                 ; the last two dot-separated components of the NSID,
                 ; with the dot replaced by a colon
                 ; (e.g., "calendar:event", "identity:person")

logical-hash = algorithm "-" 1*base64url-char
                 ; algorithm, base64url-char, and hash format identical
                 ; to those used in content-hash (Section 4.4)
]]></sourcecode>
        <t>(<tt>label</tt> and <tt>algorithm</tt> are as defined in Section 4.4.)</t>
        <t>Example:</t>
        <artwork><![CDATA[
sygil-stable:calendar:event:blake3-3a4b5c...
]]></artwork>
        <section anchor="logical-hash-inputs">
          <name>Logical-hash inputs</name>
          <t>The logical-hash is computed over a stable subset of the record's
identifying fields, declared per namespace. The rule that holds across
all namespaces:</t>
          <ul spacing="normal">
            <li>
              <t>The logical-hash MUST NOT include any field that mutates as part of
normal record updates.</t>
            </li>
          </ul>
          <t>For example, <tt>sygil.v1.calendar.event</tt> declares the logical-hash inputs
to be <tt>(subject_did, source_system, source_record_id_hash,
recurring_master)</tt> -- fields that uniquely identify the logical event
regardless of how its title, description, attendees, or start time
change.</t>
          <t>The per-namespace declaration of logical-hash inputs is part of that
namespace's specification.</t>
        </section>
      </section>
      <section anchor="reference-resolution-semantics">
        <name>Reference resolution semantics</name>
        <t>Sygil's two URI forms -- <tt>sygil://</tt> (content-addressed, identifies a
specific version) and <tt>sygil-stable:</tt> (logical-identity, identifies a
record across versions) -- present different resolution properties.
This section specifies the resolution model the Protocol expects of
Consumers, while remaining silent on the <em>mechanism</em> by which
resolution is performed (mechanism is a runtime concern).</t>
        <section anchor="resolution-states">
          <name>Resolution states</name>
          <t>A Consumer attempting to resolve any Sygil URI to a record body MUST
distinguish four resolution states:</t>
          <ul spacing="normal">
            <li>
              <t><strong>Resolved.</strong> The URI was resolved to exactly one record body, and
the Consumer is granted access to that body.</t>
            </li>
            <li>
              <t><strong>Unresolved.</strong> The URI is well-formed but no record body could be
retrieved. The record may not exist, may have been deleted, may be
held by an unreachable Vault, or may be unknown to the resolver.</t>
            </li>
            <li>
              <t><strong>Forbidden.</strong> The URI was resolved to a record body but the
Consumer is not authorized to access it. The Consumer learns the
record exists but not its contents.</t>
            </li>
            <li>
              <t><strong>Ambiguous.</strong> The URI was resolved to more than one record body
(see "Stable-ID resolution" below). This state applies only to
<tt>sygil-stable:</tt> URIs and is described further below.</t>
            </li>
          </ul>
          <t>The four states form a partition: every resolution attempt MUST end
in exactly one of them.</t>
          <t>A Tier 2 surface returning a collection that contains references to
other records SHOULD include a per-reference resolution state in the
response envelope, so that downstream Consumers can distinguish
"resolved successfully" from "deliberately omitted" from "denied
access."</t>
          <t>A Consumer MUST NOT fabricate referenced record data when resolution
fails. Returning a stub marked unresolved or forbidden is correct;
returning a synthesized record without indication is a Protocol
violation.</t>
        </section>
        <section anchor="content-hash-resolution-sygil">
          <name>Content-hash resolution (<tt>sygil://</tt>)</name>
          <t>A <tt>sygil://</tt> URI is content-addressed: the URI uniquely identifies a
specific record body, and any two records resolving to the same
<tt>sygil://</tt> URI MUST be byte-for-byte identical after canonicalization
(or the implementation has a Protocol violation per Section 7.6).</t>
          <t>Content-hash resolution properties:</t>
          <ul spacing="normal">
            <li>
              <t><strong>At most one record body per URI.</strong> Distinct record bodies have
distinct hashes; therefore distinct URIs.</t>
            </li>
            <li>
              <t><strong>Resolution is exact-match.</strong> A Consumer that retrieves a record
body claimed to satisfy a <tt>sygil://</tt> URI MUST verify the hash
before treating the body as resolved. If the hash does not match,
the resolution result is <strong>Unresolved</strong> (not <strong>Resolved</strong> with a
hash-mismatch flag); fabricating resolved-state for a record body
whose hash does not match its claimed URI is a Protocol violation.</t>
            </li>
            <li>
              <t><strong>Resolution is location-independent.</strong> A Consumer MAY resolve the
same <tt>sygil://</tt> URI through any number of intermediaries and MUST
obtain the same record body; the URI does not encode location.</t>
            </li>
          </ul>
        </section>
        <section anchor="stable-id-resolution-sygil-stable">
          <name>Stable-ID resolution (<tt>sygil-stable:</tt>)</name>
          <t>A <tt>sygil-stable:</tt> URI identifies the <em>logical</em> record across
versions. Multiple <tt>sygil://</tt> versions of the same logical record
share a <tt>sygil-stable:</tt> URI; this is the URI's purpose.</t>
          <t>Stable-ID resolution requires additional rules because the relation
between a <tt>sygil-stable:</tt> URI and a record body is one-to-many
across the lifetime of the record.</t>
          <ul spacing="normal">
            <li>
              <t><strong>Resolution returns the current version by default.</strong> A Consumer
resolving a <tt>sygil-stable:</tt> URI without further qualification MUST
receive the version the resolver considers current -- typically the
highest-<tt>version</tt> record under that <tt>stable_id</tt> whose <tt>obsolete</tt>
field is <tt>false</tt>. The criteria for "current" are runtime concerns;
the rule the Protocol specifies is that the resolver returns
exactly one version unless the resolver enters the <strong>Ambiguous</strong>
state below.</t>
            </li>
            <li>
              <t><strong>Resolution to a specific version requires the <tt>sygil://</tt> URI.</strong> A
Consumer that wants a specific version of a record MUST use the
<tt>sygil://</tt> URI for that version, not a qualified form of the
<tt>sygil-stable:</tt> URI. The Protocol does not define a stable-ID
qualification syntax.</t>
            </li>
            <li>
              <t><strong>The Ambiguous state arises in three scenarios.</strong> A resolver
reports <strong>Ambiguous</strong> when, despite best effort, it cannot
identify a single current version: (i) two or more records share
the same <tt>stable_id</tt> with the same <tt>version</tt> value (a Producer
bug); (ii) two or more records share the same <tt>stable_id</tt> with
different <tt>version</tt> values, none marked <tt>obsolete: true</tt>, and the
resolver lacks enough context to choose (a coordination failure
between Producers); (iii) the resolver holds records under the
<tt>stable_id</tt> from multiple Vaults that disagree on the current
version. In all three scenarios, a Consumer encountering
<strong>Ambiguous</strong> state MUST NOT pick one record arbitrarily; it MUST
surface the ambiguity to its caller.</t>
            </li>
            <li>
              <t><strong>Resolution lifetime.</strong> A Consumer MAY cache <tt>sygil-stable:</tt>
resolution results. Such caches MUST honor the <tt>version</tt> field's
monotonicity: a cached result with <tt>version</tt> N MAY be invalidated
on receipt of a fresher result with <tt>version</tt> &gt; N for the same
<tt>stable_id</tt>. A cached result MUST NOT be returned in preference to
a fresher one observed via any channel.</t>
            </li>
            <li>
              <t><strong>All-obsolete edge case.</strong> When the only records under a given
<tt>stable_id</tt> available to the resolver have <tt>obsolete: true</tt>, the
resolver MUST return the highest-<tt>version</tt> such record (the
"most-recent obsolete version") with the <tt>obsolete</tt> flag visible
to the Consumer. The resolver MUST NOT return <strong>Unresolved</strong> in
this case; the record exists, the Consumer is entitled to learn
it exists, and the obsolete flag carries the runtime semantics
the Consumer needs to decide whether to act on the record.
Consumers performing audit, recovery, or regulatory operations
legitimately require visibility into fully-obsolete histories;
treating all-obsolete as Unresolved would hide that visibility.
A Consumer that wishes to filter obsolete records out of its
view applies the filter on its own (<tt>obsolete: false</tt>) and is
not dependent on resolution-state hiding to do so.</t>
            </li>
            <li>
              <t><strong>Resolved does not imply valid or current.</strong> Successful
resolution of a <tt>sygil-stable:</tt> URI returns exactly one record
body to the Consumer; it does not assert that the record is
current, valid, or usable for any specific purpose. Consumers
MUST inspect the record's <tt>obsolete</tt> field, <tt>expires_at</tt> field
(if present), and any other usability-relevant envelope state
before treating the resolved record as currently authoritative.
This is particularly important after the all-obsolete rule
above: a <tt>sygil-stable:</tt> URI under which every version is
<tt>obsolete: true</tt> resolves successfully (the most-recent obsolete
version), but a Consumer that does not inspect the <tt>obsolete</tt>
flag could mistakenly treat the record as current. Resolution
is identity retrieval, not validity assertion.</t>
            </li>
            <li>
              <t><strong>Version monotonicity violation handling.</strong> Records under a
given <tt>stable_id</tt> carry monotonically increasing <tt>version</tt>
values; this is a Producer obligation (Section 4.6). When a
Consumer encounters a <tt>version</tt>-monotonicity violation -- a
record with <tt>version</tt> N arriving after the Consumer has already
observed a record with <tt>version</tt> &gt; N for the same <tt>stable_id</tt> --
the Consumer MUST treat the lower-version record as <strong>stale</strong>:
              </t>
              <ul spacing="normal">
                <li>
                  <t>The lower-version record MUST NOT be treated as a current
candidate for <tt>sygil-stable:</tt> resolution.</t>
                </li>
                <li>
                  <t>The lower-version record MUST NOT replace any cached resolution
result that points at a higher-version record.</t>
                </li>
                <li>
                  <t>The lower-version record MAY be retained for audit, forensic,
or historical-reconstruction purposes; its <tt>version</tt> value
locates it in the version sequence regardless of arrival
order.</t>
                </li>
              </ul>
              <t>
This rule prevents three implementation divergences: (i) one
implementation accepting the late-arriving lower-version record
as current while another rejects it; (ii) one implementation
reordering its cache by arrival time while another respects
<tt>version</tt> ordering; (iii) divergent results when the same
<tt>stable_id</tt> is resolved through two implementations after the
same out-of-order delivery.</t>
            </li>
            <li>
              <t><strong>Envelope-state conflict resolution.</strong> When the Consumer
observes two records sharing an identical <tt>id</tt> URI but
differing in any envelope field excluded from the content hash
(<tt>_proofs</tt>, <tt>obsolete</tt>, <tt>obsolete_reason</tt>, <tt>updated_at</tt>, etc.,
per Section 4.5), the Consumer MUST treat the situation as a
Producer or relay bug and MUST surface a warning to its caller.
The Consumer:
              </t>
              <ul spacing="normal">
                <li>
                  <t>MUST NOT silently pick one envelope variant over another and
treat the chosen variant as authoritative.</t>
                </li>
                <li>
                  <t>MAY apply a runtime-defined reconciliation policy (e.g., last-
written by <tt>updated_at</tt> if the Consumer has reliable arrival
ordering and the <tt>updated_at</tt> values differ; preference for
the variant whose <tt>obsolete</tt> flag is <tt>true</tt> when conservative-
deletion semantics are required) provided the policy is
documented and the warning is still surfaced.</t>
                </li>
                <li>
                  <t>MUST NOT treat the differing envelope states as creating
distinct record identities (per Section 4.1's identity-
entails-deduplication rule).</t>
                </li>
                <li>
                  <t>MUST NOT, when applying any reconciliation policy, produce a
result that contradicts an explicitly restrictive envelope
state. A reconciliation that resolves <tt>obsolete: true</tt> vs.
<tt>obsolete: false</tt> by selecting <tt>false</tt> is forbidden, because
doing so silently overrides a soft-delete signal; a
reconciliation that resolves a stricter <tt>redaction_state</tt>
against a looser one by selecting the looser projection is
forbidden, because doing so widens disclosure beyond what
the more-restrictive variant claimed. The general rule is
that reconciliation chooses the more-restrictive envelope
state when the variants disagree on a restrictive-vs-permissive
axis.</t>
                </li>
              </ul>
              <t>
Envelope-state conflict is structurally analogous to the
Ambiguous resolution state above (Section 4.6.1's third
Ambiguous scenario): the Consumer cannot mechanically determine
the correct envelope state, and the Protocol's response is to
surface the ambiguity rather than to mandate a single
reconciliation. In well-behaved deployments this case does not
arise -- Producers generating new envelope state generate a new
record with a new <tt>id</tt> -- so the rule exists for failure
detection, not common-case behavior.</t>
            </li>
          </ul>
        </section>
        <section anchor="unresolved-and-forbidden-states">
          <name>Unresolved and forbidden states</name>
          <t>Both <tt>sygil://</tt> and <tt>sygil-stable:</tt> URIs may resolve to <strong>Unresolved</strong>
or <strong>Forbidden</strong> states. The two states are distinct:</t>
          <ul spacing="normal">
            <li>
              <t><strong>Unresolved</strong> means the resolver could not retrieve a record body.
The Consumer learns nothing about whether the record exists or
whether the Consumer would be authorized.</t>
            </li>
            <li>
              <t><strong>Forbidden</strong> means the resolver retrieved a record body and
determined the Consumer was not authorized to see it. The Consumer
learns the record exists but not its contents.</t>
            </li>
          </ul>
          <t>The distinction matters in trust models. A Vault implementation that
collapses the two states (returning Unresolved when it actually means
Forbidden, to avoid existence-leaks) is making a deliberate
trade-off; the Protocol allows this collapsing but does not require
it. A Vault that distinguishes the two states is providing more
information to the Consumer at the cost of revealing the existence of
forbidden records.</t>
          <t>The Protocol does not specify which Vaults should collapse and which
should distinguish; this is a deployment-policy concern and is
addressed in vault-implementation specifications.</t>
        </section>
        <section anchor="resolution-failure-handling">
          <name>Resolution failure handling</name>
          <t>A Consumer that receives an Unresolved or Forbidden result for a
required reference (i.e., a reference whose absence breaks the
Consumer's intended use of the parent record) SHOULD treat the parent
record as having a missing relation, not as invalid. Records carrying
unresolved or forbidden references in optional fields remain
structurally valid; how the Consumer surfaces the missing relation in
its UI or downstream output is a Consumer concern.</t>
          <t>A Consumer that receives an Ambiguous result for a <tt>sygil-stable:</tt>
reference SHOULD treat the parent record as if the reference were
unresolvable for downstream purposes; the Consumer MUST NOT
arbitrarily pick a candidate version. This is the load-bearing rule
that prevents silent ecosystem fragmentation under multi-version
disagreement.</t>
        </section>
      </section>
      <section anchor="references">
        <name>References</name>
        <t>Records reference other records by <tt>sygil://</tt> URI. Two reference
patterns are defined.</t>
        <section anchor="typed-reference">
          <name>Typed reference</name>
          <t>A field holds a <tt>sygil://</tt> URI pointing to another record of a declared
type. Used when the referenced record has independent identity.</t>
          <sourcecode type="json"><![CDATA[
"organizer": "sygil://did:example:user/sygil.v1.identity.person/blake3-abc..."
]]></sourcecode>
        </section>
        <section anchor="inline-embedding">
          <name>Inline embedding</name>
          <t>A sub-object is embedded directly in the parent record. Used when the
sub-object has no identity outside the parent.</t>
          <sourcecode type="json"><![CDATA[
"attendees": [
  {
    "@type": "sygil.v1.calendar.attendance",
    "person": "sygil://did:example:user/sygil.v1.identity.person/blake3-xyz...",
    "response_status": "accepted"
  }
]
]]></sourcecode>
          <t>The namespace specification declares which pattern applies per field.
Mixing patterns for a single field is not permitted.</t>
        </section>
      </section>
      <section anchor="did-handling">
        <name>DID handling</name>
        <t>DIDs appear throughout the Protocol: in the <tt>sygil://</tt> URI prefix, in
the optional <tt>subject_did</tt>, <tt>issuer_did</tt>, and <tt>subjects[]</tt> envelope
fields, and in foreign references in namespace-specific fields. Because
DID methods proliferate (<tt>did:web</tt>, <tt>did:key</tt>, <tt>did:plc</tt>, <tt>did:ion</tt>,
<tt>did:ethr</tt>, <tt>did:cheqd</tt>, others), any conforming implementation will
encounter unfamiliar DID methods over time.</t>
        <section anchor="opaque-string-with-method-tag-rule">
          <name>Opaque-string-with-method-tag rule</name>
          <t>DIDs in identifier-bearing fields are <strong>opaque to Consumers</strong> except
for the <strong>method tag</strong> -- the segment between the first two colons in
<tt>did:METHOD:identifier</tt>. Specifically:</t>
          <ul spacing="normal">
            <li>
              <t>Consumers MAY parse the method tag to determine resolution strategy.</t>
            </li>
            <li>
              <t>Consumers MUST NOT parse the method-specific identifier (everything
after the second colon). The internal structure of <tt>did:web</tt>,
<tt>did:plc</tt>, <tt>did:key</tt>, and other methods is method-defined and not
Protocol-defined.</t>
            </li>
            <li>
              <t>Consumers MUST pass through unknown DID methods unchanged. A record
whose <tt>subject_did</tt> is <tt>did:newmethod:identifier</tt> MUST NOT be
rejected solely because the Consumer does not understand
<tt>did:newmethod:</tt>.</t>
            </li>
            <li>
              <t>Consumers SHOULD log unknown DID methods to support ecosystem-drift
detection.</t>
            </li>
            <li>
              <t>Producers MUST emit DIDs in the <tt>did:METHOD:identifier</tt> format. DIDs
that do not parse as <tt>did:METHOD:identifier</tt> (bare strings, non-DID
URIs in DID-typed fields) are protocol violations and SHOULD be
rejected by validators.</t>
            </li>
          </ul>
        </section>
        <section anchor="did-method-commitments">
          <name>DID method commitments</name>
          <t>Conformant Tier 2 and higher implementations (Section 6) MUST be able
to resolve the following DID methods:</t>
          <ul spacing="normal">
            <li>
              <t><strong><tt>did:web</tt></strong> <xref target="DID-WEB"/> -- DIDs anchored to a domain name, resolved
by fetching <tt>https://{domain}/.well-known/did.json</tt> (or the path
indicated by the DID). Suitable as a primary identifier for entities
with stable web presence.</t>
            </li>
            <li>
              <t><strong><tt>did:key</tt></strong> <xref target="DID-KEY"/> -- DIDs that encode a public key directly
in the identifier. Resolution is local; no network required.
Suitable for ephemeral or self-sovereign cases.</t>
            </li>
          </ul>
          <t>Conformant Tier 2 and higher implementations SHOULD be able to resolve:</t>
          <ul spacing="normal">
            <li>
              <t><strong><tt>did:plc</tt></strong> <xref target="DID-PLC"/> -- Public Ledger of Credentials, used by
AT-Protocol-aligned ecosystems for portable identifiers.</t>
            </li>
          </ul>
          <t>Conformant implementations MAY resolve any other DID method, including
<tt>did:ion</tt>, <tt>did:ethr</tt>, <tt>did:cheqd</tt>, and others. Tier 1 implementations
have no resolution requirement; for Tier 1 purposes, DIDs may be
treated as opaque strings throughout.</t>
        </section>
      </section>
      <section anchor="v1-namespaces">
        <name>v1 namespaces</name>
        <t>The v1 schema, specified canonically in the companion Sygil Protocol
Schema document referenced in Section 11 (Informative References),
defines a namespace set structured as 10 production-depth namespaces,
2 minimal-shape namespaces, and 3 NSID-reserved namespaces. The
production-depth ten are specified at full depth in the Schema
(every field, enum, supporting object, normalization mapping, and
conformance test resolved). The minimal-shape two ship in v1 with a
single record type each at minimal-but-extensible depth. The NSID-
reserved three commit reverse-DNS namespace identifiers in v1 without
committing internal structure; full specification awaits a v1.x
patch when forcing functions accumulate.</t>
        <table>
          <thead>
            <tr>
              <th align="left">Namespace</th>
              <th align="left">Depth</th>
              <th align="left">Primary external binding</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">
                <tt>sygil.v1.identity</tt></td>
              <td align="left">Production</td>
              <td align="left">Schema.org <tt>Person</tt>/<tt>Organization</tt>; vCard 4.0 <xref target="RFC6350"/></td>
            </tr>
            <tr>
              <td align="left">
                <tt>sygil.v1.calendar</tt></td>
              <td align="left">Production</td>
              <td align="left">iCalendar <xref target="RFC5545"/>; Schema.org <tt>Event</tt></td>
            </tr>
            <tr>
              <td align="left">
                <tt>sygil.v1.message</tt></td>
              <td align="left">Production</td>
              <td align="left">Internet Message Format <xref target="RFC5322"/> (with extensions for channels and rooms)</td>
            </tr>
            <tr>
              <td align="left">
                <tt>sygil.v1.preference</tt></td>
              <td align="left">Production</td>
              <td align="left">(Sygil-original; weak external alignment)</td>
            </tr>
            <tr>
              <td align="left">
                <tt>sygil.v1.document</tt></td>
              <td align="left">Production</td>
              <td align="left">Schema.org <tt>CreativeWork</tt> family</td>
            </tr>
            <tr>
              <td align="left">
                <tt>sygil.v1.location</tt></td>
              <td align="left">Production</td>
              <td align="left">Schema.org <tt>Place</tt>; geoJSON; trip and movement extensions</td>
            </tr>
            <tr>
              <td align="left">
                <tt>sygil.v1.finance</tt></td>
              <td align="left">Production</td>
              <td align="left">FDX <xref target="FDX"/>; ISO 20022; FIGI/ISIN identifier vocab for positions</td>
            </tr>
            <tr>
              <td align="left">
                <tt>sygil.v1.health</tt></td>
              <td align="left">Production</td>
              <td align="left">FHIR R4 <tt>Observation</tt>/<tt>Condition</tt>/<tt>Medication</tt> <xref target="FHIR-R4"/>; IEEE 11073 device-data references</td>
            </tr>
            <tr>
              <td align="left">
                <tt>sygil.v1.social</tt></td>
              <td align="left">Production</td>
              <td align="left">AT Protocol (Bluesky) Lexicon; ActivityPub (Mastodon); closed-platform export formats deferred</td>
            </tr>
            <tr>
              <td align="left">
                <tt>sygil.v1.conversation</tt></td>
              <td align="left">Production</td>
              <td align="left">No standard exists; canonicalizes the two flagship LLM-export shapes (ChatGPT node-graph, Claude flat list); ImportOnly</td>
            </tr>
            <tr>
              <td align="left">
                <tt>sygil.v1.media</tt></td>
              <td align="left">Minimal v1.0 (<tt>media.item</tt> only)</td>
              <td align="left">Schema.org <tt>MediaObject</tt> family; EXIF</td>
            </tr>
            <tr>
              <td align="left">
                <tt>sygil.v1.task</tt></td>
              <td align="left">Minimal v1.0 (<tt>task.task</tt> only)</td>
              <td align="left">Schema.org <tt>Action</tt> (informal alignment)</td>
            </tr>
            <tr>
              <td align="left">
                <tt>sygil.v1.commerce</tt></td>
              <td align="left">NSID-reserved</td>
              <td align="left">(deferred) Schema.org <tt>Order</tt>; ISO 20022 commercial credit transfer for commerce-to-finance bridge</td>
            </tr>
            <tr>
              <td align="left">
                <tt>sygil.v1.claim</tt></td>
              <td align="left">NSID-reserved</td>
              <td align="left">(deferred) W3C Verifiable Credentials data model <xref target="W3C-VC2"/> when verifiable; otherwise Schema.org <tt>Claim</tt> (informal)</td>
            </tr>
            <tr>
              <td align="left">
                <tt>sygil.v1.channel</tt></td>
              <td align="left">NSID-reserved</td>
              <td align="left">(deferred) Schema.org <tt>Organization</tt> (workspace-level abstraction)</td>
            </tr>
          </tbody>
        </table>
        <t>The <tt>sygil.v1.credential.*</tt> namespace is reserved for a future
specification that will adopt the W3C Verifiable Credentials data model
<xref target="W3C-VC2"/> verbatim.</t>
        <t>The <tt>sygil.v1.social</tt> namespace models the data subject's social
presence: content the subject deliberately published to a public
audience (posts, replies, reposts, quote-posts) and the relationships
and actions the subject owns (follows, blocks, mutes, likes, lists,
and list memberships). It is scoped to subject-authored-and-subject-
owned data; third-party statements about the subject (tags, mentions,
posts by others) and identity-level inbound engagement (the identities
of accounts that interacted with the subject's posts) are out of v1
scope. Two classes of social-platform data route to other namespaces
rather than to <tt>sygil.v1.social</tt>: profiles map to
<tt>sygil.v1.identity</tt> (a profile is an identity record; the platform
handle is carried as an identity attribute), and direct messages map
to <tt>sygil.v1.message</tt> (a direct message is structurally a message).
The social namespace is the first to use the intent-posture
classification axis described in Section 9 (Privacy Considerations).</t>
        <t>The <tt>sygil.v1.conversation</tt> namespace models the data subject's
archive of conversations with AI models: threads and turns (core),
plus standing instructions, persisted model-held memory, and projects
(extended). It is an ImportOnly namespace -- the major LLM providers
expose conversation completions over their APIs but not the subject's
conversation archive, so the only acquisition path is the provider's
self-serve data export, and the subject's upload of that export is the
grant event (Section 7 cooperation modes <tt>export_only</tt> and
<tt>user_mediated_capture</tt>; no new mode is introduced). A thread is the
subject's archived artifact (<tt>subject_scope</tt> sole); a turn carries the
archival subject explicitly and represents authorship separately, via
a role and an author-kind plus an optional model slug, so that
non-human turns are owned by the subject without being authored by the
subject and the model is never modeled as a person. No conversation-
archive standard exists; the two flagship export shapes (a branch-
capable node graph and a flat ordered list) both normalize to turns
plus a parent-turn edge, with branch state preserved. Content blocks
use a closed type enumeration for query stability plus an open subtype
and a lossless source-native escape hatch, so that block types a
future model product invents are preserved rather than dropped. Every
conversation record is highly sensitive by default (Section 9).</t>
        <t>The Protocol does not require implementations to support all v1
namespaces. Conformance is asserted per (namespace, tier) pair
(Section 6.2). For minimal-v1.0 namespaces, conformance is against
the single record type that v1 specifies; for NSID-reserved
namespaces, no v1 conformance surface exists until the full
structure ships in a v1.x patch.</t>
        <section anchor="permissionless-extension">
          <name>Permissionless extension</name>
          <t>Third parties MAY define their own namespaces using the NSID extension
pattern (Section 4.2.5): records are emitted under
<tt>sygil.community.{publisher}.{namespace}.{record-type}</tt>, where
<tt>{publisher}</tt> is a reverse-DNS-shaped publisher identifier the third
party controls (e.g.,
<tt>sygil.community.acme.example.com.media.album</tt>). Records in
community-extension namespaces travel through the same envelope,
canonicalization, identifier, and proof object infrastructure as
core records. Consumers process them per the unknown-NSID rule in
Section 4.3.</t>
          <t>Third parties MUST NOT use the <tt>sygil.v1.</tt> prefix or any other
<tt>sygil.</tt> prefix outside the documented <tt>sygil.community.</tt> extension
namespace. The <tt>sygil.</tt> namespace outside <tt>sygil.community.</tt> is
reserved for the Sygil specification's change controller.</t>
        </section>
      </section>
      <section anchor="query-response-envelope">
        <name>Query response envelope</name>
        <t>A query response wraps zero or more records in the following envelope:</t>
        <sourcecode type="json"><![CDATA[
{
  "type": "sygil.v1.calendar.event",
  "cursor": "opaque-pagination-cursor",
  "records": [ /* zero or more records */ ]
}
]]></sourcecode>
        <t>Optional fields:</t>
        <table>
          <thead>
            <tr>
              <th align="left">Field</th>
              <th align="left">Type</th>
              <th align="left">Semantics</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">
                <tt>total</tt></td>
              <td align="left">integer</td>
              <td align="left">Total number of matching records. MAY be omitted; SHOULD be omitted when counts leak privacy-sensitive information or are expensive to compute.</td>
            </tr>
            <tr>
              <td align="left">
                <tt>partial</tt></td>
              <td align="left">boolean</td>
              <td align="left">
                <tt>true</tt> if the implementation returned a subset due to authorization restrictions, rate limiting, or other runtime constraints.</td>
            </tr>
            <tr>
              <td align="left">
                <tt>redaction_state</tt></td>
              <td align="left">enum</td>
              <td align="left">One of <tt>original</tt>, <tt>redacted</tt>, <tt>summary</tt>, <tt>hash_only</tt>. Describes the projection level the response represents. Default <tt>original</tt> when omitted. The same record content can be served as different projections under different access policies; <tt>redaction_state</tt> labels the projection level the Consumer is seeing in this response, not the underlying record. Vault implementations producing projections SHOULD set this field accurately and SHOULD enforce that projections actually omit the excluded content.</td>
            </tr>
          </tbody>
        </table>
        <t>Per-record proof objects travel inside each record's <tt>_proofs</tt> field.
The query response envelope itself does not embed authorization
metadata, aggregate proof information, or audit information; aggregate
runtime concerns are not part of the Protocol.</t>
      </section>
      <section anchor="query-grammar">
        <name>Query grammar</name>
        <t>This section specifies a minimal, portable query semantics that any
Tier 2 implementation MUST honor. The grammar is deliberately small --
its purpose is to define a stable interoperability surface, not a full
query language. Implementations MAY expose richer query surfaces
(GraphQL, MCP tool primitives, multi-hop traversal, full-text
ranking, aggregation) on top of the Protocol's grammar; those richer
surfaces are out of scope.</t>
        <section anchor="query-syntax">
          <name>Query syntax</name>
          <t>A Sygil query is encoded as a sequence of key-value parameter pairs
in the application/x-www-form-urlencoded form, in the same shape used
for HTTP query strings. The following ABNF <xref target="RFC5234"/> specifies the
abstract syntax. Transport bindings determine how the syntax is
carried on the wire; the syntax itself is transport-independent.</t>
          <sourcecode type="abnf"><![CDATA[
query        = parameter *( "&" parameter )

parameter    = type-param
             / time-range-param
             / equality-param
             / reference-param
             / text-search-param
             / pagination-param
             / quality-param

type-param   = "type=" nsid
time-range-param = ( "start_after="  iso8601 )
                 / ( "start_before=" iso8601 )
                 / ( "end_after="    iso8601 )
                 / ( "end_before="   iso8601 )
equality-param = field-name "=" field-value
reference-param = field-name "=" sygil-URI
text-search-param = "q=" 1*VCHAR
pagination-param = ( "limit=" 1*DIGIT )
                 / ( "cursor=" opaque-token )

quality-param = freshness-min-param
              / completeness-min-param
              / verifiability-min-param
              / cooperation-mode-in-param

freshness-min-param = "freshness_min=" freshness-value
completeness-min-param = "completeness_min=" completeness-value
verifiability-min-param = "verifiability_min=" verifiability-value
cooperation-mode-in-param = "cooperation_mode_in="
                            mode-value *( "," mode-value )

freshness-value = "realtime" / "hours" / "days" / "weeks" / "unknown"
completeness-value = "authoritative" / "best_effort" / "partial"
                   / "known_incomplete" / "unknown"
verifiability-value = "source_signed"
                    / "sygil_signed_after_ingestion"
                    / "unsigned" / "disputed" / "unknown"
mode-value   = "native_sygil" / "cooperative_api" / "restricted_api"
             / "export_only" / "user_mediated_capture"
             / "manual_subject_assertion" / "unknown"

field-name   = 1*( ALPHA / DIGIT / "_" )
field-value  = 1*VCHAR
                 ; URL-percent-encoded if necessary
nsid         = label *( "." label )
                 ; per Section 4.3
iso8601      = 1*VCHAR
                 ; an ISO 8601 timestamp per [RFC3339]
sygil-URI    = "sygil%3A%2F%2F" 1*VCHAR
                 ; URL-percent-encoded form of a `sygil://` URI
                 ; per Section 4.4
opaque-token = 1*VCHAR
                 ; an implementation-defined cursor; treated as
                 ; opaque by the Consumer
]]></sourcecode>
          <t><tt>ALPHA</tt>, <tt>DIGIT</tt>, and <tt>VCHAR</tt> are the core rules from <xref target="RFC5234"/>
Appendix B.1.</t>
        </section>
        <section anchor="required-primitives">
          <name>Required primitives</name>
          <t>Tier 2 implementations MUST support the following six primitives.
Each implementation MUST recognize the parameter form, MUST evaluate
the primitive's match semantics deterministically, and MUST NOT
silently ignore any of the six parameters.</t>
          <table>
            <thead>
              <tr>
                <th align="left">Primitive</th>
                <th align="left">Parameter</th>
                <th align="left">Match semantics</th>
              </tr>
            </thead>
            <tbody>
              <tr>
                <td align="left">Filter by namespace</td>
                <td align="left">
                  <tt>type</tt></td>
                <td align="left">A record matches if its <tt>@type</tt> value is exactly equal to the parameter value.</td>
              </tr>
              <tr>
                <td align="left">Filter by time range</td>
                <td align="left">
                  <tt>start_after</tt>, <tt>start_before</tt>, <tt>end_after</tt>, <tt>end_before</tt></td>
                <td align="left">A record matches if the namespace-declared time field (typically <tt>start.datetime</tt> for events; per-namespace declared elsewhere) lies in the parameter-described half-open interval.</td>
              </tr>
              <tr>
                <td align="left">Filter by field equality</td>
                <td align="left">
                  <tt>{field}={value}</tt></td>
                <td align="left">A record matches if the named field's value is exactly equal to the parameter value, where equality is JSON-value equality (string identical bytes; integer identical numeric value; etc.).</td>
              </tr>
              <tr>
                <td align="left">Reference traversal (one hop)</td>
                <td align="left">
                  <tt>{reference_field}={sygil-URI}</tt></td>
                <td align="left">A record matches if the named reference field's value is exactly equal to the parameter URI, byte-for-byte after URL-decoding.</td>
              </tr>
              <tr>
                <td align="left">Text search</td>
                <td align="left">
                  <tt>q</tt></td>
                <td align="left">A record matches by an implementation-defined text-relevance function over a namespace-declared set of searchable fields. The relevance function is not specified.</td>
              </tr>
              <tr>
                <td align="left">Pagination</td>
                <td align="left">
                  <tt>limit</tt>, <tt>cursor</tt></td>
                <td align="left">The implementation returns at most <tt>limit</tt> records (default and maximum implementation-defined). When more records exist, the response carries a <tt>cursor</tt>; supplying that cursor on a subsequent call returns the next page.</td>
              </tr>
            </tbody>
          </table>
        </section>
        <section anchor="evaluation-order">
          <name>Evaluation order</name>
          <t>When a query carries multiple parameters, evaluation is conjunctive:
a record is included in the response if and only if it matches every
parameter present in the query. The Protocol does not specify the
order in which the implementation evaluates the parameters; the
implementation MAY reorder them for performance.</t>
          <t>Three rules constrain implementations to deterministic behavior:</t>
          <ul spacing="normal">
            <li>
              <t>An unsupported parameter (a parameter recognized by name but not
understood by the implementation, or a parameter whose value does
not parse) MUST cause the query to fail with a structured error;
the implementation MUST NOT silently ignore unsupported parameters.
This is consistent with Section 7 (Failure Semantics).</t>
            </li>
            <li>
              <t>Conjunction is the only logical operator. Disjunction (<tt>OR</tt>) and
negation (<tt>NOT</tt>) are out of scope. Implementations exposing richer
surfaces MUST NOT use Sygil parameter syntax for non-conjunctive
semantics.</t>
            </li>
            <li>
              <t>The text-search relevance function (<tt>q</tt>) is implementation-defined.
Two conformant implementations MAY return different records or
different orderings for the same <tt>q</tt> value; this is the only
Protocol-permitted source of non-determinism in query evaluation.</t>
            </li>
          </ul>
        </section>
        <section anchor="determinism">
          <name>Determinism</name>
          <t>Apart from the text-search exception above, query evaluation is
deterministic: given the same record set and the same query
parameters, two conformant implementations MUST return the same
records in the same order, where order is determined by the
namespace-declared default sort field (typically the time field used
in time-range parameters; per-namespace declared elsewhere) breaking
ties on <tt>id</tt>. An implementation MAY return records in a different
order if the query specifies an alternative ordering primitive (none
specified in this Protocol; future versions may add an <tt>order_by</tt>
primitive).</t>
          <t>The Protocol's determinism guarantee is <strong>partial</strong>: it applies to
queries containing only non-text-search predicates, and to the non-
text-search portion of mixed queries. Specifically:</t>
          <ul spacing="normal">
            <li>
              <t>A query containing no <tt>q</tt> parameter is fully deterministic across
conformant implementations.</t>
            </li>
            <li>
              <t>A query containing <tt>q</tt> is <strong>not</strong> required to be cross-
implementation identical. Two implementations evaluating the same
<tt>q</tt>-containing query against the same record set MAY return
different result sets and different orderings, because text-
search relevance is implementation-defined (Section 4.10.3).
Mixed queries (combining <tt>q</tt> with other predicates) inherit this
non-determinism in both result membership and ordering: the
deterministic predicates are evaluated conjunctively against
whatever records the text-search portion selects, but the text-
search portion itself is the source of cross-implementation
variation.</t>
            </li>
          </ul>
          <t>Implementations MUST NOT introduce non-determinism for any predicate
other than <tt>q</tt>. A Consumer needing fully-deterministic results
across implementations MUST construct queries containing only non-
text-search predicates.</t>
          <t>Determinism (in its partial form above) is the basis of cross-
implementation interoperability for queries: two Vault
implementations holding the same records and receiving the same
non-<tt>q</tt> query produce identical responses, modulo records the
implementation's runtime authorization filters out (which is
communicated by the <tt>partial</tt> flag in the response envelope; see
Section 4.9).</t>
        </section>
        <section anchor="query-evaluation-against-projections">
          <name>Query evaluation against projections</name>
          <t>Query evaluation operates on the <strong>projection view</strong> of records
that the implementation would return to the requesting Consumer,
not on the canonical (<tt>redaction_state: original</tt>) records as
stored. This rule resolves an interaction between the query grammar
(Section 4.10) and the privacy classification framework (Section
4.2.5) that would otherwise leak determinism.</t>
          <t>Two consequences follow:</t>
          <ul spacing="normal">
            <li>
              <t><strong>Fields excluded by the projection's redaction policy evaluate as
non-matching for equality predicates.</strong> A query of the form
<tt>?email_hash={value}</tt> MUST NOT match a record whose <tt>email_hash</tt>
field is omitted from the projection the implementation would
serve, regardless of whether the field is present in the
underlying canonical record. The Consumer's view of the record is
the projection; queries evaluate against the Consumer's view, not
against the canonical content the Consumer would not be permitted
to see.</t>
            </li>
            <li>
              <t><strong>Fields masked by the projection's redaction policy do not match
on the masked value.</strong> A field served as a placeholder
(<tt>[redacted]</tt>) or hash-only marker MUST NOT match a query for the
unmasked value. A field served at <tt>redaction_state: hash_only</tt>
MAY match a query for the hash value if and only if the query
parameter explicitly carries a hash; equality between an unmasked
query value and a hashed served value is non-matching.</t>
            </li>
          </ul>
          <t>This rule applies symmetrically across implementations: if two
implementations would serve the same Consumer the same projection
of the same record, they MUST evaluate the query identically with
respect to that projection's contents. Different projections served
by different implementations to the same Consumer (e.g., one
implementation serves <tt>original</tt>, another serves <tt>summary</tt>) are not
errors; they are implementation-policy differences that the Protocol
explicitly allows. The <tt>partial</tt> flag and the <tt>redaction_state</tt>
field in served records communicate the projection difference to
the Consumer.</t>
          <t>A Consumer that needs to query against unmasked content MUST request
a projection level that includes the unmasked fields, through a
mechanism the runtime defines (the Protocol does not specify
projection-selection mechanisms). A Consumer querying with no
projection-level signal receives whatever projection the
implementation's default policy provides; equality predicates that
match <tt>original</tt>-projection content but not the served projection
return zero results, not an error.</t>
          <t><strong>Range predicates against partial-precision fields.</strong> When a range
predicate (<tt>start_after</tt>, <tt>start_before</tt>, <tt>end_after</tt>, <tt>end_before</tt>)
is evaluated against a field whose served projection has lower
precision than the predicate requires, the field MUST evaluate as
non-matching, regardless of whether the underlying canonical value
would match.</t>
          <t>The canonical example: a Consumer issues <tt>start_after=2026-04-26T10:
00:00Z</tt>, and the served projection of the target record's
<tt>start.datetime</tt> field is redacted to date-only precision
(<tt>2026-04-26</tt>). The Consumer's predicate requires hour-level
precision to determine inclusion. Three behaviors are defensible
without normative guidance -- exclude the record, include the record,
return an error -- and the v03 text was silent on which to choose.
v04 selects exclusion: the record MUST evaluate as non-matching.</t>
          <t>The exclusion rule aligns with the equality rule above (excluded
fields evaluate as non-matching for equality predicates). It avoids
both the false-negative risk of including records that may not
actually match and the divergence risk of two implementations
choosing differently. A Consumer that needs records whose served
precision is insufficient for its predicate MUST request a
projection level that includes finer precision, through the same
runtime-defined projection-selection mechanism that applies to
unmasked-content queries.</t>
        </section>
        <section anchor="quality-aware-filter-primitives">
          <name>Quality-aware filter primitives</name>
          <t>Tier 2 implementations SHOULD additionally support four quality-aware
filter primitives that operate on the trust-dimension fields defined
in <tt>sygil.proof.provenance</tt> (Section 5.5):</t>
          <table>
            <thead>
              <tr>
                <th align="left">Primitive</th>
                <th align="left">Parameter</th>
                <th align="left">Match semantics</th>
              </tr>
            </thead>
            <tbody>
              <tr>
                <td align="left">Minimum freshness</td>
                <td align="left">
                  <tt>freshness_min</tt></td>
                <td align="left">Threshold filter; see ordering below.</td>
              </tr>
              <tr>
                <td align="left">Minimum completeness</td>
                <td align="left">
                  <tt>completeness_min</tt></td>
                <td align="left">Threshold filter; see ordering below.</td>
              </tr>
              <tr>
                <td align="left">Minimum verifiability</td>
                <td align="left">
                  <tt>verifiability_min</tt></td>
                <td align="left">Threshold filter; see ordering below.</td>
              </tr>
              <tr>
                <td align="left">Cooperation-mode set membership</td>
                <td align="left">
                  <tt>cooperation_mode_in</tt></td>
                <td align="left">Set membership; see below.</td>
              </tr>
            </tbody>
          </table>
          <t>The three <tt>*_min</tt> primitives are threshold filters operating on
enums with documented orderings. A query at threshold V returns
records whose field value is at or above V in the ordering. Records
whose field value is <tt>unknown</tt> are excluded from any <tt>*_min</tt> filter
at a non-<tt>unknown</tt> value (they are returned only when the filter is
absent or is set to <tt>unknown</tt> explicitly).</t>
          <t>The orderings are:</t>
          <ul spacing="normal">
            <li>
              <t><tt>freshness</tt>: <tt>realtime</tt> &gt; <tt>hours</tt> &gt; <tt>days</tt> &gt; <tt>weeks</tt> &gt; <tt>unknown</tt></t>
            </li>
            <li>
              <t><tt>completeness</tt>: <tt>authoritative</tt> &gt; <tt>best_effort</tt> &gt; <tt>partial</tt> &gt;
<tt>known_incomplete</tt> &gt; <tt>unknown</tt></t>
            </li>
            <li>
              <t><tt>verifiability</tt>: <tt>source_signed</tt> &gt; <tt>sygil_signed_after_ingestion</tt>
&gt; <tt>unsigned</tt> &gt; <tt>disputed</tt> &gt; <tt>unknown</tt></t>
            </li>
          </ul>
          <t>The fourth primitive, <tt>cooperation_mode_in</tt>, is a set-membership
filter. The cooperation modes (Section 5.5) are not orderable --
Mode 1 (native integration) is more cooperative than Mode 5
(user-mediated capture), but the modes do not lie on a single
quality axis. <tt>cooperation_mode_in</tt> accepts a comma-separated list of
mode values and returns only records whose <tt>cooperation_mode</tt> is in
the list.</t>
          <t><strong>Missing proof fields under quality-aware filters.</strong> When a
quality-aware filter is applied to a record that lacks the
referenced proof field -- either because the record carries no
<tt>sygil.proof.provenance</tt> proof at all, or because the proof is
present but does not populate the specific trust dimension -- the
record's value for that dimension MUST be treated as <tt>unknown</tt> for
filter evaluation, and the record MUST be excluded from any
threshold filter at a non-<tt>unknown</tt> threshold (per the threshold
rule earlier in this subsection). For
<tt>cooperation_mode_in</tt>, missing values MUST be treated as <tt>unknown</tt>
and included only when <tt>unknown</tt> is in the comma-separated list.</t>
          <t>This rule replaces the v03 text that allowed implementations to
choose between treating-missing-as-unknown and returning-all-
matching. The v03 text was explicitly non-deterministic; v04
selects the deterministic behavior. The rule aligns the missing-
proof case with the unknown-enum-value case: both are evaluated
the same way, both are excluded from non-<tt>unknown</tt> threshold
filters, and both can be retrieved by querying with <tt>unknown</tt> as
the threshold or by including <tt>unknown</tt> in the set-membership
list.</t>
          <t>The implication for Producers is that records intended to be
visible under quality-aware filters MUST carry a populated
<tt>sygil.proof.provenance</tt> proof with the relevant dimensions set.
Records without such a proof are protocol-valid but quality-filter-
invisible. This is the trade-off Producers explicitly make when
they decline to populate provenance trust dimensions.</t>
        </section>
      </section>
    </section>
    <section anchor="proof-object-vocabulary">
      <name>Proof Object Vocabulary</name>
      <t>The Protocol defines a vocabulary of proof objects that MAY accompany a
Sygil record to convey evidence of provenance, capability, consent,
attestation, or audit. This section specifies the shape and meaning of
each proof object type and the rules for their composition.</t>
      <t>This section does not specify how a Producer derives a proof object, how
a Vault implementation computes the underlying authorization or
provenance state, or how a Consumer cryptographically verifies a proof.
Those are runtime concerns. The Protocol's role is the on-the-wire
vocabulary by which the result of such computation may be conveyed.</t>
      <t>Note: earlier drafts of this Protocol specified a sixth proof type,
<tt>sygil.proof.integrity</tt>, that explicitly carried the BLAKE3 content
hash. v01 removes this proof type because the content hash is already
encoded in the <tt>id</tt> URI and any party with the record can verify
integrity by canonicalizing and hashing -- no separate proof object is
needed. Sections of this document that refer to integrity-verification
responsibilities (notably Section 5.1 Role of proof objects, Section 7
Failure semantics, Section 8.2 Integrity) describe the verification
procedure against the <tt>id</tt> directly.</t>
      <section anchor="role-of-proof-objects">
        <name>Role of proof objects</name>
        <t>Proof objects are <strong>optional vocabulary</strong>. A record without any
<tt>_proofs</tt> is structurally valid. Consumers MAY ignore proof objects
entirely; doing so does not invalidate the record. The presence of a
proof object on a record asserts that the Producer claims the relevant
property (provenance, capability, consent, attestation, or audit);
whether the claim is correct is a separate question that
verification (an out-of-scope runtime activity) determines.</t>
        <t>The expectation that proof objects are populated rises with the
adoption tier (Section 6):</t>
        <ul spacing="normal">
          <li>
            <t><strong>Tier 1</strong> records do not require any proof objects.</t>
          </li>
          <li>
            <t><strong>Tier 2</strong> records sourced from upstream systems SHOULD carry
<tt>sygil.proof.provenance</tt>. Records imported from a connector
classified by the runtime as authoritative MUST carry it (Section
5.4).</t>
          </li>
          <li>
            <t><strong>Tier 3</strong> records served under agent access carry capability and
consent proofs, with provenance baseline and attestation and audit
proofs added as their respective trust claims are made. Integrity
is implicit at every tier via the content-addressed <tt>id</tt>; no
separate proof type is required.</t>
          </li>
        </ul>
        <t>The Protocol's vocabulary establishes consistent shapes for these
claims so that Consumers across implementations can recognize them
without per-implementation parsing.</t>
      </section>
      <section anchor="common-proof-object-structure">
        <name>Common proof object structure</name>
        <t>All proof object types defined in this section share a common shape.
Each proof object is a JSON object carrying:</t>
        <ul spacing="normal">
          <li>
            <t>A required <strong><tt>@type</tt></strong> field whose value is the proof type's NSID
(<tt>sygil.proof.provenance</tt>, <tt>sygil.proof.capability</tt>,
<tt>sygil.proof.consent</tt>, <tt>sygil.proof.attestation</tt>,
<tt>sygil.proof.audit</tt>, or a third-party reverse-DNS extension).</t>
          </li>
          <li>
            <t>A required <strong><tt>@type</tt>-specific body</strong> of fields whose semantics are
defined per type in Section 5.4 through Section 5.8.</t>
          </li>
          <li>
            <t>Where applicable, an <tt>issued_at</tt> field (ISO 8601 timestamp with
timezone, per <xref target="RFC3339"/>) indicating when the proof was issued by
the producing party.</t>
          </li>
        </ul>
        <t>The Protocol does not require proof objects to carry signatures
inline. A signed proof object MAY embed a signature (typically as a
JWS-shaped <xref target="RFC7515"/> field over the canonical serialization of the
remaining fields), MAY reference an out-of-band signature, or MAY
remain unsigned. The choice is per-type and per-deployment; signed
forms allow Consumers to verify the proof against a public key, and
unsigned forms are useful when the binding to the record's
content-addressed identifier is sufficient.</t>
        <t>The proof object's binding to the record is positional: the proof
appears in the record's <tt>_proofs</tt> array. The record's <tt>id</tt> URI binds
the proof to the record's content-addressed identity (because the
<tt>_proofs</tt> array is excluded from the content hash, the proof can be
added or removed without changing the <tt>id</tt>; the proof's claim is
about the record identified by that <tt>id</tt>, not about the bytes
including the proof).</t>
        <t>A proof object MUST NOT depend on its position within the <tt>_proofs</tt>
array; arrays are ordered but the order is not significant for any
proof type defined in this document.</t>
        <t>The remaining subsections specify the type-specific body for each
defined proof type. Section 5.3 first specifies the interpretation
model that applies across all types.</t>
      </section>
      <section anchor="proof-semantics-and-interpretation-model">
        <name>Proof semantics and interpretation model</name>
        <t>This section specifies the wire-vocabulary semantics that apply to
proof objects across types: how a Consumer interprets multiple proofs
on a record, how proof types compose, what conflicts mean, and what
minimum behavior the Protocol expects.</t>
        <t>The Protocol does not specify how a Consumer evaluates trust given
the presence or absence of proofs -- that is a runtime, deployment,
and trust-anchoring concern. The Protocol does specify the structural
rules a Consumer follows to read the wire vocabulary correctly.</t>
        <section anchor="proof-independence">
          <name>Proof independence</name>
          <t>Each proof object on a record carries an <strong>independent claim</strong> about
the record. A <tt>sygil.proof.provenance</tt> claim asserts upstream source
and trust dimensions; it asserts nothing about integrity, capability,
consent, attestation, or audit. (Integrity is verified independently
of any proof object: a Consumer canonicalizes the record body per
Section 4.5 and compares the BLAKE3 hash to the value encoded in the
record's <tt>id</tt> URI. A record's provenance proof can be intact even if
the content hash does not verify; a Consumer obtains integrity
assurance only by hash verification against the <tt>id</tt>, not by
inference from any proof.)</t>
          <t>The independence rule means a Consumer evaluating one proof type
MUST NOT infer properties associated with other proof types. The
absence of a proof object MUST NOT be interpreted as a positive claim
about the absent property; it is simply absence of evidence.</t>
        </section>
        <section anchor="composition">
          <name>Composition</name>
          <t>A record's <tt>_proofs</tt> array MAY contain multiple proof objects of
distinct types. The Protocol places no a priori limits on which
combinations are sensible; producers and runtimes may attach any
combination they consider appropriate.</t>
          <t>When a record carries multiple proofs, the Consumer's evaluation of
each proof is independent per the rule of Section 5.3.1 -- each
proof's claim succeeds or fails on its own, and a proof's verification
result asserts nothing about properties associated with other proof
types.</t>
          <t>For Consumer trust aggregation, the Protocol distinguishes two
operations:</t>
          <ul spacing="normal">
            <li>
              <t><strong>Conjunction over present proofs.</strong> When a Consumer aggregates
trust across multiple proofs that are present on the record, the
aggregate result is the conjunction of the individual verification
results. A record carrying a <tt>sygil.proof.provenance</tt> proof and a
<tt>sygil.proof.consent</tt> proof is fully trusted with respect to
<em>both</em> properties only if both verifications succeed. Failure of
one verification does not invalidate the other; it simply means
the corresponding property is not established.</t>
            </li>
            <li>
              <t><strong>Absence is silence, not failure.</strong> A proof's <em>absence</em> from a
record's <tt>_proofs</tt> array MUST NOT be interpreted by the Consumer
as a positive claim that the corresponding property fails or is
unsupported. A record carrying only a <tt>sygil.proof.provenance</tt>
proof and no <tt>sygil.proof.consent</tt> proof asserts nothing about
consent -- neither that consent was obtained nor that it was not.
A Consumer that requires consent for a particular access pattern
obtains that requirement from its deployment policy and treats
the absence of a consent proof as policy-failure, not as a
Protocol-level negative claim by the Producer.</t>
            </li>
          </ul>
          <t>The conjunction rule and the absence rule together prevent two
common Consumer-side errors. The conjunction rule prevents the
"present-but-unverified" error in which a Consumer attaches weight
to a proof object's mere presence without verifying it. The absence
rule prevents the "missing-proof-implies-failure" error in which a
Consumer downgrades a record's overall trust because some proof
type is absent, when in fact the absence carries no information.</t>
          <t>A Consumer that requires specific proof types for specific access
patterns (e.g., "I will not act on records lacking
<tt>sygil.proof.consent</tt>") is making a deployment policy choice, not a
Protocol-level interpretation. The Protocol allows such Consumer
policies; it does not specify them.</t>
          <t>A record MAY carry multiple proof objects of the <em>same</em> type. A
record might carry both a <tt>sygil.proof.provenance</tt> proof from the
original Producer and a second <tt>sygil.proof.provenance</tt> proof from
a relay vouching for the integrity of its forwarding (these are
distinct claims by distinct parties about the same record's
provenance).</t>
          <t>When multiple same-type proofs appear, evaluation is <strong>per-issuer</strong>,
not blanket-conjunctive. The Protocol distinguishes:</t>
          <ul spacing="normal">
            <li>
              <t><strong>Per-proof verification.</strong> Each individual proof object's
signature is verified against the public key of its issuer. A
proof whose signature does not verify against its claimed issuer's
key is failed (per Section 5.3.4) for that issuer; the failure
asserts nothing about other issuers' proofs of the same type.</t>
            </li>
            <li>
              <t><strong>Issuer-keyed Consumer judgment.</strong> The Consumer's aggregate
judgment with respect to a proof type is keyed by issuer: the
Consumer's deployment policy specifies which issuers it trusts
for which trust property, and the Consumer's overall judgment is
the conjunction of the verified proofs from issuers whose claims
the Consumer's policy treats as load-bearing for the property in
question.</t>
            </li>
          </ul>
          <t>The issuer-keyed rule prevents a specific divergence: implementation
A treating multiple same-type proofs as requiring all-of-them-verify
(strict-conjunctive), implementation B treating any-one-verifies
from a trusted issuer as sufficient (issuer-selective), both reading
v03's ambiguous "conjunction over same-type proofs" text and arriving
at incompatible behavior on the same record. Under v04's rule:</t>
          <ul spacing="normal">
            <li>
              <t>A Consumer MUST NOT require all same-type proofs to verify when
some of those proofs come from issuers the Consumer's policy does
not treat as load-bearing.</t>
            </li>
            <li>
              <t>A Consumer's policy specifies the load-bearing issuer set for each
proof type and trust property; what counts as load-bearing is a
deployment concern.</t>
            </li>
            <li>
              <t>The default behavior, in the absence of explicit policy, is for a
Consumer to treat any-one-issuer's-verified-proof as sufficient
for the corresponding trust claim, while preserving all proofs
on the record for downstream forwarding (per Section 6.5).</t>
            </li>
          </ul>
          <t>The default is permissive because the alternative (strict
all-issuers-verify default) would silently fail records whose
relays or transit-time vouchers happened to break, which is exactly
the case relays are supposed to make resilient.</t>
          <t>The order of proof objects in <tt>_proofs</tt> is not significant. A
Consumer MUST NOT treat order as carrying information.</t>
        </section>
        <section anchor="conflict-handling">
          <name>Conflict handling</name>
          <t>Two proofs are said to <strong>conflict</strong> when both claim a property of the
record but make incompatible assertions. The Protocol identifies
three meaningful conflict cases at the wire-vocabulary level:</t>
          <ul spacing="normal">
            <li>
              <t><strong>Provenance-provenance conflict.</strong> Two <tt>sygil.proof.provenance</tt>
proofs name different <tt>source_system</tt> values for the same record's
origin. This is internally inconsistent -- a record has one upstream
source, even if multiple parties vouch for that source -- and is a
Producer bug. A Consumer encountering provenance-provenance
conflict SHOULD treat the record as having unresolved provenance:
no proof's <tt>source_system</tt> claim is sustained; the Consumer's
trust judgment with respect to provenance falls to whatever it
would be in the absence of any provenance proof.</t>
            </li>
            <li>
              <t><strong>Hash-content conflict.</strong> A record's recomputed BLAKE3 content
hash does not match the value encoded in the record's <tt>id</tt> URI
(per the rules in Section 4.5). This is a hard failure per
Section 7.6: the record is corrupt or has been tampered with.
The Consumer MUST treat the record as integrity-failed.</t>
            </li>
          </ul>
          <t>For all other apparent disagreements between proof objects, the
Protocol takes the position that each proof's claim stands or falls
on its own merits. Two <tt>sygil.proof.consent</tt> proofs referencing
different consent receipts, for instance, are not in conflict: a
record may legitimately carry multiple consent receipts covering
different aspects of the access. A <tt>sygil.proof.capability</tt> proof
that authorizes access overlapping with a <tt>sygil.proof.consent</tt>
proof's purpose is similarly not in conflict.</t>
          <t>The Protocol does not specify a precedence ordering among proof
types. A Consumer that requires all of provenance, capability,
consent, attestation, and audit to be verified -- alongside the
implicit integrity check against the <tt>id</tt> -- is making a stronger
trust demand than a Consumer that requires only integrity; either
is permissible per the Protocol.</t>
        </section>
        <section anchor="minimum-evaluation-expectations">
          <name>Minimum evaluation expectations</name>
          <t>The Protocol specifies minimum evaluation expectations conditional
on the trust claim a Consumer makes:</t>
          <ul spacing="normal">
            <li>
              <t>A Consumer that <strong>claims to verify integrity</strong> of a record MUST
recompute the content hash and compare to the record's <tt>id</tt> URI.
Acceptance without verification is a Protocol violation per
Section 7.6.</t>
            </li>
            <li>
              <t><strong>Integrity-first ordering for content-acting Consumers.</strong> A
Consumer that intends to <strong>act on the content</strong> of a record --
applying its values, treating it as authoritative for any
application purpose, or surfacing its values to a downstream
caller as record content -- MUST verify integrity (per the rule
above) <strong>before</strong> performing any other proof evaluation that
would feed into the content-acting decision. Integrity failure
short-circuits content-acting evaluation: a record whose
recomputed hash does not match its <tt>id</tt> URI MUST NOT be acted on
for content purposes regardless of which other proof objects it
carries or whether they would otherwise verify.  </t>
              <t>
This rule prevents a class of evaluation-order divergences in
which one implementation filters records by provenance (e.g.,
<tt>verifiability_min=source_signed</tt>) and then verifies integrity,
while another implementation verifies integrity first and then
filters: the resulting record sets would otherwise differ on a
corrupt record whose provenance proof was intact.  </t>
              <t>
Non-content-acting uses of a record -- audit logging, forensic
analysis, attack investigation, debugging -- are exempt from the
integrity-first ordering rule. A Consumer that processes a
record solely to record that it was received, without acting on
its content, MAY evaluate its proofs in any order. The exemption
is narrow: the moment a Consumer's processing influences any
downstream content-acting decision, the integrity-first rule
applies.</t>
            </li>
            <li>
              <t>A Consumer that <strong>claims to act on provenance</strong> of a record (e.g.,
filtering records by <tt>cooperation_mode_in</tt> per Section 4.10.6, or
treating a record from an authoritative connector as
authoritative) MUST verify that the <tt>sygil.proof.provenance</tt>
proof's <tt>connector_id</tt> matches the connector identity the Consumer
trusts. The Protocol does not specify how connector identity is
trust-anchored (out-of-band exchange, registry, deployment-time
configuration); it specifies only that acting on provenance
requires the proof to be present and the <tt>connector_id</tt> to be
validated.</t>
            </li>
            <li>
              <t>A Consumer that <strong>claims to act on capability or consent</strong> (e.g.,
treating the access producing the record as authorized) MUST
retrieve the referenced capability token or consent receipt and
verify it under whatever trust framework the deployment expects.
Acting on capability or consent based solely on the proof's
presence -- without retrieving and verifying the referenced
artifact -- is not a Protocol violation but is documented as
insufficient: the proof object identifies the artifact, it does
not contain it.</t>
            </li>
            <li>
              <t>A Consumer that <strong>claims to verify attestation</strong> MUST verify the
attestation report referenced by the proof's <tt>attestation_report_uri</tt>
against the trust roots applicable to the named <tt>tee_type</tt>.
Acceptance without report verification is documented as
insufficient.</t>
            </li>
            <li>
              <t>A Consumer that <strong>claims to act on audit evidence</strong> MUST verify
that the referenced log entry exists and is consistent with the
record. The Protocol does not specify how the log is operated;
acting on audit evidence requires whatever verification the
deployment's audit infrastructure prescribes.</t>
            </li>
          </ul>
          <t>The minimum expectations above are conditional: a Consumer that does
<em>not</em> claim a particular trust property is not required to do
anything with the corresponding proof type. This is the
Protocol-level expression of the principle that proof objects are
evidence of <em>assertion</em>, not of policy correctness; the Consumer
chooses which assertions to credit and at what verification depth.</t>
        </section>
        <section anchor="out-of-scope-wire-vocabulary-concerns">
          <name>Out-of-scope wire-vocabulary concerns</name>
          <t>For clarity, the following are not specified by this Protocol and are
out of scope for the wire-vocabulary semantics here:</t>
          <ul spacing="normal">
            <li>
              <t>The cryptographic verification procedure for any specific proof
type beyond the integrity proof's hash recomputation. (Other
proof types' verification depends on out-of-band signing
infrastructure, which is not specified here.)</t>
            </li>
            <li>
              <t>Revocation of proof objects after issuance.</t>
            </li>
            <li>
              <t>Trust establishment between Consumers and unfamiliar issuers of
proof objects.</t>
            </li>
            <li>
              <t>The lifetime of a proof object's claim and the relationship of
that lifetime to the record's <tt>expires_at</tt> envelope field.</t>
            </li>
          </ul>
          <t>These are runtime, deployment, and governance concerns addressed by
vault-implementation specifications and by deployment-specific trust
documents.</t>
        </section>
      </section>
      <section anchor="sygilproofprovenance">
        <name><tt>sygil.proof.provenance</tt></name>
        <t>Attests the upstream source from which the record was derived,
including trust dimensions describing how the data was acquired.</t>
        <sourcecode type="json"><![CDATA[
{
  "@type": "sygil.proof.provenance",
  "source_system": "google_calendar",
  "source_record_id_hash": "blake3-source-id-hash...",
  "connector_id": "sygil.connector.google_calendar.v1",
  "imported_at": "2026-04-26T10:14:00Z",

  "cooperation_mode": "cooperative_api",
  "freshness": "hours",
  "completeness": "authoritative",
  "verifiability": "sygil_signed_after_ingestion",
  "mode_transition_history": []
}
]]></sourcecode>
        <table>
          <thead>
            <tr>
              <th align="left">Field</th>
              <th align="left">Required</th>
              <th align="left">Type</th>
              <th align="left">Semantics</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">
                <tt>@type</tt></td>
              <td align="left">Required</td>
              <td align="left">string</td>
              <td align="left">Always <tt>sygil.proof.provenance</tt>.</td>
            </tr>
            <tr>
              <td align="left">
                <tt>source_system</tt></td>
              <td align="left">Required</td>
              <td align="left">string</td>
              <td align="left">Identifier of the upstream source system.</td>
            </tr>
            <tr>
              <td align="left">
                <tt>source_record_id_hash</tt></td>
              <td align="left">Recommended</td>
              <td align="left">string</td>
              <td align="left">BLAKE3 hash of the source-system record identifier. Hashed rather than raw to avoid leaking source-side opaque identifiers; deterministic for deduplication and reconciliation.</td>
            </tr>
            <tr>
              <td align="left">
                <tt>connector_id</tt></td>
              <td align="left">Required</td>
              <td align="left">string</td>
              <td align="left">Reverse-DNS identifier of the connector that produced the record.</td>
            </tr>
            <tr>
              <td align="left">
                <tt>imported_at</tt></td>
              <td align="left">Required</td>
              <td align="left">string</td>
              <td align="left">ISO 8601 timestamp with timezone -- when the record was imported.</td>
            </tr>
            <tr>
              <td align="left">
                <tt>cooperation_mode</tt></td>
              <td align="left">Recommended</td>
              <td align="left">enum</td>
              <td align="left">One of <tt>native_sygil</tt>, <tt>cooperative_api</tt>, <tt>restricted_api</tt>, <tt>export_only</tt>, <tt>user_mediated_capture</tt>, <tt>manual_subject_assertion</tt>, <tt>unknown</tt>. Source-cooperation mode (Section 5.4.1). Documented ordinals 1-6 (and unknown) are preserved for cross-reference with v0.x-era integer-form examples; the canonical wire form is the string.</td>
            </tr>
            <tr>
              <td align="left">
                <tt>freshness</tt></td>
              <td align="left">Recommended</td>
              <td align="left">enum</td>
              <td align="left">One of <tt>realtime</tt>, <tt>hours</tt>, <tt>days</tt>, <tt>weeks</tt>, <tt>unknown</tt>. Expected staleness ceiling.</td>
            </tr>
            <tr>
              <td align="left">
                <tt>completeness</tt></td>
              <td align="left">Recommended</td>
              <td align="left">enum</td>
              <td align="left">One of <tt>authoritative</tt>, <tt>best_effort</tt>, <tt>partial</tt>, <tt>known_incomplete</tt>, <tt>unknown</tt>. Whether the record is the authoritative copy.</td>
            </tr>
            <tr>
              <td align="left">
                <tt>verifiability</tt></td>
              <td align="left">Recommended</td>
              <td align="left">enum</td>
              <td align="left">One of <tt>source_signed</tt>, <tt>sygil_signed_after_ingestion</tt>, <tt>unsigned</tt>, <tt>disputed</tt>, <tt>unknown</tt>. Whether content ties cryptographically to the source.</td>
            </tr>
            <tr>
              <td align="left">
                <tt>mode_transition_history</tt></td>
              <td align="left">Optional</td>
              <td align="left">array</td>
              <td align="left">Past cooperation states for this record's <tt>stable_id</tt> lineage. Each entry: <tt>{mode, started_at, ended_at, reason}</tt>.</td>
            </tr>
          </tbody>
        </table>
        <section anchor="cooperation-modes">
          <name>Cooperation modes</name>
          <t>The <tt>cooperation_mode</tt> enum identifies the integration posture of the
upstream source system.</t>
          <table>
            <thead>
              <tr>
                <th align="left">Value</th>
                <th align="left">Ordinal</th>
                <th align="left">Semantics</th>
              </tr>
            </thead>
            <tbody>
              <tr>
                <td align="left">
                  <tt>native_sygil</tt></td>
                <td align="left">1</td>
                <td align="left">Native Sygil integration (the source system speaks Sygil directly).</td>
              </tr>
              <tr>
                <td align="left">
                  <tt>cooperative_api</tt></td>
                <td align="left">2</td>
                <td align="left">Cooperative API (the source system has a documented machine-readable API the connector uses).</td>
              </tr>
              <tr>
                <td align="left">
                  <tt>restricted_api</tt></td>
                <td align="left">3</td>
                <td align="left">Restricted API (the source system has an API but with significant rate limits, scoping limits, or undocumented behavior).</td>
              </tr>
              <tr>
                <td align="left">
                  <tt>export_only</tt></td>
                <td align="left">4</td>
                <td align="left">Authorized export (the source system supports user-initiated bulk export, e.g., via data-takeout features).</td>
              </tr>
              <tr>
                <td align="left">
                  <tt>user_mediated_capture</tt></td>
                <td align="left">5</td>
                <td align="left">User-mediated capture (the connector observes the source system through a user-initiated flow such as browser instrumentation, screen capture, or print-to-PDF).</td>
              </tr>
              <tr>
                <td align="left">
                  <tt>manual_subject_assertion</tt></td>
                <td align="left">6</td>
                <td align="left">Manual subject assertion (the Subject typed the data into a Sygil-aware interface; no upstream system involved).</td>
              </tr>
              <tr>
                <td align="left">
                  <tt>unknown</tt></td>
                <td align="left">--</td>
                <td align="left">The connector cannot determine the cooperation mode.</td>
              </tr>
            </tbody>
          </table>
          <t>The ordinal column is informative; producers and consumers SHOULD use
the named string on the wire.</t>
          <t>Cooperation mode affects what a Consumer can rely on. A
medication-reconciliation Agent might reasonably refuse <tt>user_mediated_capture</tt>
(captured) health data; a casual lifestyle Agent might accept it. The
Protocol exposes the trust envelope; the Consumer decides what is
acceptable per use case.</t>
        </section>
        <section anchor="conditional-rule-for-authoritative-sources">
          <name>Conditional rule for authoritative sources</name>
          <t>The conditional rule of this subsection has two branches, depending
on whether the Consumer has a local trust signal for the named
connector. Both branches are normative; a Consumer encountering a
<tt>source_imported</tt> record MUST follow whichever branch applies.</t>
          <t><strong>Producer obligation.</strong> A Producer that the runtime has classified
as authoritative MUST attach a <tt>sygil.proof.provenance</tt> proof to
every record it produces. The proof's <tt>connector_id</tt> field MUST
match the connector's actual identifier; the proof's
<tt>cooperation_mode</tt> field SHOULD be populated. The classification of
a connector as authoritative is a runtime concern; the
Protocol-level Producer rule is conditional on that classification.</t>
          <t>This Producer obligation applies to the <strong>original Producer</strong> of a
record -- typically a connector ingesting data from an upstream source
system into Sygil form. It does not apply to relays. A Vault
forwarding a previously-produced record, or a Consumer re-emitting a
received record to another party, is not a Producer in this sense
and is not required to attach a fresh <tt>sygil.proof.provenance</tt> proof.
Such relays MUST preserve the original Producer's
<tt>sygil.proof.provenance</tt> proof unchanged (per the unknown-proof-types
rule in Section 6.5).</t>
          <t><strong>Consumer obligation, authoritative-connector branch.</strong> When a
Consumer encounters a record whose <tt>connector_id</tt> (in any attached
<tt>sygil.proof.provenance</tt> proof, or in the envelope <tt>source_system</tt>
field if the proof is absent) names a connector locally known to the
Consumer as authoritative:</t>
          <ul spacing="normal">
            <li>
              <t>If the proof is present, the Consumer MAY rely on the
authoritative classification per the Consumer's deployment
policy.</t>
            </li>
            <li>
              <t>If the proof is absent or the proof's <tt>connector_id</tt> does not
match, the Consumer MUST treat the record as carrying a
<strong>provenance-warning state</strong> and MUST NOT silently treat the
record as authoritative. The provenance-warning state is a
propagating signal, not a logging artifact:
              </t>
              <ul spacing="normal">
                <li>
                  <t>The Consumer MUST surface the warning to its caller (the
Agent, application, or downstream system on whose behalf the
Consumer is operating). Logging the warning while still
serving the record as if no warning had been raised is a
Protocol violation.</t>
                </li>
                <li>
                  <t>The exact form the warning takes -- a flag in a response
envelope, an exception, an out-of-band notification -- is
Consumer-implementation-defined; what is normative is that
the warning propagates rather than being absorbed.</t>
                </li>
                <li>
                  <t>Downstream Consumers receiving a record that arrived with a
provenance-warning state SHOULD propagate the warning further
when they re-emit the record. The warning is part of the
record's runtime context, not part of its content; a Vault or
relay that strips the warning silently is making a deployment
decision that the Consumer further downstream cannot detect.</t>
                </li>
                <li>
                  <t>The provenance-warning state is independent of any
<tt>_proofs</tt> array content; a record may carry the state because
a proof is missing, not because a proof is present and
failing.</t>
                </li>
              </ul>
            </li>
          </ul>
          <t>The propagating-signal rule prevents the implementation divergence
earlier drafts left open: an implementation that "flagged" a suspect
record by logging quietly while still treating it as authoritative
satisfied the prior text but defeated the rule's intent. The current
text closes that hole by requiring the warning to reach the
Consumer's caller.</t>
          <t><strong>Consumer obligation, non-authoritative-connector branch.</strong> When a
Consumer encounters a record whose named connector is not locally
known to be authoritative:</t>
          <ul spacing="normal">
            <li>
              <t>The Consumer MUST NOT infer authoritativeness from the
<tt>sygil.proof.provenance</tt> proof's presence alone. The proof's
<tt>source_system</tt> and <tt>connector_id</tt> fields tell the Consumer the
record's claimed origin; they do not tell the Consumer the source
is trustworthy.</t>
            </li>
            <li>
              <t>The Consumer MAY still accept and use the record under whatever
trust posture its deployment policy specifies for unknown
connectors. The Protocol does not require Consumers to reject
records from unknown connectors.</t>
            </li>
            <li>
              <t>A <tt>sygil.proof.provenance</tt> proof, if attached, MAY be inspected
for the <tt>cooperation_mode</tt>, <tt>freshness</tt>, <tt>completeness</tt>, and
<tt>verifiability</tt> trust dimensions, which are useful inputs to a
Consumer's deployment policy independent of authoritative
classification.</t>
            </li>
          </ul>
          <t>The two-branch structure prevents two implementations from
diverging on the common case (encountering a record from a connector
neither implementation has a strong opinion about). Earlier drafts
of this Protocol only specified the authoritative-connector branch,
leaving the non-authoritative case underspecified; the current text
closes that gap by stating Consumer obligations in both branches.</t>
          <t>(The earlier drafts also keyed the conditional rule on the envelope
field <tt>provenance_quality: source_imported</tt>. That field was removed
in the v0.3 reconciliation that produced this v01 increment; the
trust signal it conveyed is now carried entirely by the
<tt>sygil.proof.provenance</tt> proof object, which is the canonical home
for source-imported trust dimensions.)</t>
        </section>
      </section>
      <section anchor="sygilproofcapability">
        <name><tt>sygil.proof.capability</tt></name>
        <t>Attests that the access represented by this record was authorized by a
capability token.</t>
        <sourcecode type="json"><![CDATA[
{
  "@type": "sygil.proof.capability",
  "token_id": "ucan:blake3-tokenid...",
  "token_hash": "blake3-tokenhash...",
  "issued_at": "2026-04-26T10:14:00Z"
}
]]></sourcecode>
        <table>
          <thead>
            <tr>
              <th align="left">Field</th>
              <th align="left">Required</th>
              <th align="left">Type</th>
              <th align="left">Semantics</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">
                <tt>@type</tt></td>
              <td align="left">Required</td>
              <td align="left">string</td>
              <td align="left">Always <tt>sygil.proof.capability</tt>.</td>
            </tr>
            <tr>
              <td align="left">
                <tt>token_id</tt></td>
              <td align="left">Required</td>
              <td align="left">string</td>
              <td align="left">Capability token identifier. The format is token-format-specific (e.g., a UCAN content-id, an OAuth <tt>jti</tt>).</td>
            </tr>
            <tr>
              <td align="left">
                <tt>token_hash</tt></td>
              <td align="left">Required</td>
              <td align="left">string</td>
              <td align="left">BLAKE3 hash of the token itself, not the token. Lets a Consumer verify that a token retrieved out-of-band is the same one referenced by the proof.</td>
            </tr>
            <tr>
              <td align="left">
                <tt>issued_at</tt></td>
              <td align="left">Required</td>
              <td align="left">string</td>
              <td align="left">ISO 8601 timestamp when the token was issued.</td>
            </tr>
          </tbody>
        </table>
        <t>The Protocol does not specify the capability token format. UCAN, OAuth
2.0 access tokens with rich authorization requests <xref target="RFC9396"/>, custom
capability formats, and other constructs are all permitted. The proof
identifies a token by ID and hash; verification -- fetching the token,
checking signatures, evaluating caveats -- is a runtime concern.</t>
      </section>
      <section anchor="sygilproofconsent">
        <name><tt>sygil.proof.consent</tt></name>
        <t>Attests that a consent receipt covers the access that produced this
record.</t>
        <sourcecode type="json"><![CDATA[
{
  "@type": "sygil.proof.consent",
  "receipt_id": "rcp:blake3-receiptid...",
  "dpv_categories": ["dpv:Schedule", "dpv:Communication"],
  "purpose": "scheduling_assistance",
  "legal_basis": "dpv:Consent",
  "issued_at": "2026-04-26T10:14:00Z"
}
]]></sourcecode>
        <table>
          <thead>
            <tr>
              <th align="left">Field</th>
              <th align="left">Required</th>
              <th align="left">Type</th>
              <th align="left">Semantics</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">
                <tt>@type</tt></td>
              <td align="left">Required</td>
              <td align="left">string</td>
              <td align="left">Always <tt>sygil.proof.consent</tt>.</td>
            </tr>
            <tr>
              <td align="left">
                <tt>receipt_id</tt></td>
              <td align="left">Required</td>
              <td align="left">string</td>
              <td align="left">Identifier of the consent receipt.</td>
            </tr>
            <tr>
              <td align="left">
                <tt>dpv_categories</tt></td>
              <td align="left">Recommended</td>
              <td align="left">array</td>
              <td align="left">DPV (Data Privacy Vocabulary) terms describing the data categories covered by the consent.</td>
            </tr>
            <tr>
              <td align="left">
                <tt>purpose</tt></td>
              <td align="left">Recommended</td>
              <td align="left">string</td>
              <td align="left">Free-form or DPV-aligned purpose statement.</td>
            </tr>
            <tr>
              <td align="left">
                <tt>legal_basis</tt></td>
              <td align="left">Recommended</td>
              <td align="left">string</td>
              <td align="left">DPV-aligned legal basis (<tt>dpv:Consent</tt>, <tt>dpv:LegitimateInterest</tt>, etc.) or other vocabulary equivalent.</td>
            </tr>
            <tr>
              <td align="left">
                <tt>issued_at</tt></td>
              <td align="left">Required</td>
              <td align="left">string</td>
              <td align="left">ISO 8601 timestamp when the consent receipt was issued.</td>
            </tr>
          </tbody>
        </table>
        <t>Consent receipts MAY follow the W3C Data Privacy Vocabulary, ISO/IEC
TS 27560:2023 <xref target="ISO-27560"/>, or other consent-receipt schemes. The
Protocol specifies the proof-object shape; the receipt format itself is
a runtime concern.</t>
      </section>
      <section anchor="sygilproofattestation">
        <name><tt>sygil.proof.attestation</tt></name>
        <t>Attests that the record was produced inside a verifiable execution
environment.</t>
        <sourcecode type="json"><![CDATA[
{
  "@type": "sygil.proof.attestation",
  "attestation_report_uri": "sygil://did:web:vault.example.com/sygil.v1.attestation.report/blake3-...",
  "tee_type": "amd-sev-snp",
  "issued_at": "2026-04-26T10:14:00Z"
}
]]></sourcecode>
        <table>
          <thead>
            <tr>
              <th align="left">Field</th>
              <th align="left">Required</th>
              <th align="left">Type</th>
              <th align="left">Semantics</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">
                <tt>@type</tt></td>
              <td align="left">Required</td>
              <td align="left">string</td>
              <td align="left">Always <tt>sygil.proof.attestation</tt>.</td>
            </tr>
            <tr>
              <td align="left">
                <tt>attestation_report_uri</tt></td>
              <td align="left">Required</td>
              <td align="left">string</td>
              <td align="left">URI of the attestation report. The report is referenced rather than embedded because attestation reports can be large. The URI MAY be a <tt>sygil://</tt> URI to an attestation-report record, or any other URI scheme.</td>
            </tr>
            <tr>
              <td align="left">
                <tt>tee_type</tt></td>
              <td align="left">Required</td>
              <td align="left">string</td>
              <td align="left">Identifier of the trusted execution environment (<tt>amd-sev-snp</tt>, <tt>intel-tdx</tt>, <tt>arm-cca</tt>, etc.).</td>
            </tr>
            <tr>
              <td align="left">
                <tt>issued_at</tt></td>
              <td align="left">Required</td>
              <td align="left">string</td>
              <td align="left">ISO 8601 timestamp when the attestation was issued.</td>
            </tr>
          </tbody>
        </table>
        <t>The Protocol does not mandate that a record carry an attestation
proof, nor that Consumers verify one. Attestation verification is
typically tied to specific TEE platforms and trust-anchor management
disciplines (RATS <xref target="RFC9334"/> provides the architectural framing) and
is out of scope for this document.</t>
      </section>
      <section anchor="sygilproofaudit">
        <name><tt>sygil.proof.audit</tt></name>
        <t>Attests that the access generating this record was logged in a per-user
audit log.</t>
        <sourcecode type="json"><![CDATA[
{
  "@type": "sygil.proof.audit",
  "log_entry_uri": "sygil://did:web:vault.example.com/sygil.v1.audit.entry/blake3-...",
  "logged_at": "2026-04-26T10:14:00Z"
}
]]></sourcecode>
        <table>
          <thead>
            <tr>
              <th align="left">Field</th>
              <th align="left">Required</th>
              <th align="left">Type</th>
              <th align="left">Semantics</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">
                <tt>@type</tt></td>
              <td align="left">Required</td>
              <td align="left">string</td>
              <td align="left">Always <tt>sygil.proof.audit</tt>.</td>
            </tr>
            <tr>
              <td align="left">
                <tt>log_entry_uri</tt></td>
              <td align="left">Required</td>
              <td align="left">string</td>
              <td align="left">URI of the audit log entry referencing this access.</td>
            </tr>
            <tr>
              <td align="left">
                <tt>logged_at</tt></td>
              <td align="left">Required</td>
              <td align="left">string</td>
              <td align="left">ISO 8601 timestamp of the log entry.</td>
            </tr>
          </tbody>
        </table>
        <t>The structure of audit log entries, the cryptographic protections of
the log (signed records, transparency log integration, witness
cosigning), and the rules under which entries are produced are runtime
concerns and out of scope for this document.</t>
      </section>
      <section anchor="composition-and-extensibility">
        <name>Composition and extensibility</name>
        <t>A record's <tt>_proofs</tt> field is an array of zero or more proof objects.
Multiple proof objects of the same <tt>@type</tt> MAY appear (for example, a
record with both a subject-attested integrity proof and a
Vault-attested integrity proof). The order of proof objects in the
array is not significant.</t>
        <t>Proof object types are extensible. A Producer MAY define a new proof
object type using the reverse-DNS pattern (e.g.,
<tt>com.example.custom-proof-type</tt>). Unknown proof types MUST NOT cause a
Consumer to reject the record. Consumers MAY ignore unknown proof
types; doing so does not invalidate the record. Consumers MUST preserve
unknown proof types when forwarding records.</t>
        <t>The <tt>sygil.proof.*</tt> namespace is reserved for proof types defined by
the Sygil specification. Future Sygil-defined proof types will appear
in this namespace; third-party extensions MUST use the third party's
own reverse-DNS prefix.</t>
        <t>A Sygil Proof Object Types registry is to be established with IANA per
Section 10 (IANA Considerations) to track the Sygil-namespace proof
types and provide a stable reference for extensions registered through
the Specification Required policy.</t>
      </section>
      <section anchor="what-this-section-does-not-specify">
        <name>What this section does not specify</name>
        <t>For clarity, this section does not specify:</t>
        <ul spacing="normal">
          <li>
            <t>How a Producer decides whether to issue a proof object.</t>
          </li>
          <li>
            <t>How a Vault implementation composes underlying policy frameworks
(OAuth 2.0 <xref target="RFC6749"/> and its extensions <xref target="RFC9449"/> <xref target="RFC9396"/>,
capability tokens, authorization engines, policy languages such as
ODRL <xref target="W3C-ODRL"/>, and so on) to derive the state that a proof
object describes.</t>
          </li>
          <li>
            <t>How proof objects are revoked.</t>
          </li>
          <li>
            <t>How trust is established between a Consumer and an unfamiliar
Producer of a proof object.</t>
          </li>
          <li>
            <t>The cryptographic verification procedure for any specific proof type
beyond the integrity proof's hash recomputation.</t>
          </li>
        </ul>
        <t>These are runtime, deployment, and governance concerns addressed by
vault-implementation specifications and by deployment-specific trust
documents.</t>
      </section>
    </section>
    <section anchor="conformance">
      <name>Conformance</name>
      <t>This section defines the three adoption tiers, the per-namespace
conformance model, the compatibility rules that apply across all
conformant implementations, and the normative behavior for invalid
input.</t>
      <section anchor="tiers">
        <name>Tiers</name>
        <t>The Protocol defines three adoption tiers. Each is a strict superset of
the previous.</t>
        <section anchor="tier-1-sygil-shaped-data">
          <name>Tier 1 -- Sygil-shaped data</name>
          <t>A Tier 1 implementation MUST:</t>
          <ul spacing="normal">
            <li>
              <t>Emit records carrying valid <tt>@type</tt> (NSID format per Section 4.3),
valid <tt>id</tt> (<tt>sygil://</tt> URI per Section 4.4), <tt>created_at</tt>, and
<tt>updated_at</tt>.</t>
            </li>
            <li>
              <t>Emit <tt>stable_id</tt> and <tt>version</tt> for every record. Records of
immutable types carry <tt>version: 1</tt> and never increment it
(Section 4.2.2).</t>
            </li>
            <li>
              <t>Emit record bodies that validate against the schema artifact for the
declared namespace.</t>
            </li>
            <li>
              <t>Compute content hashes via JCS canonicalization <xref target="RFC8785"/> and
BLAKE3 <xref target="BLAKE3"/> per Section 4.5.</t>
            </li>
            <li>
              <t>Preserve unknown fields when reading records (Section 6.5).</t>
            </li>
            <li>
              <t>Pass through unknown NSIDs (Section 6.5).</t>
            </li>
          </ul>
          <t>A Tier 1 implementation is NOT required to:</t>
          <ul spacing="normal">
            <li>
              <t>Implement any specific access control, encryption, audit, or
transport.</t>
            </li>
            <li>
              <t>Verify content hashes, signatures, or any proof object.</t>
            </li>
            <li>
              <t>Resolve DIDs or <tt>sygil://</tt> references.</t>
            </li>
            <li>
              <t>Expose a query surface.</t>
            </li>
          </ul>
          <t>Tier 1 covers use cases such as a calendar application exporting
Sygil-shaped events as a portability format, a research tool ingesting
Sygil records from various sources, or a local-first application
storing Sygil records in a local database.</t>
        </section>
        <section anchor="tier-2-sygil-queryable-data">
          <name>Tier 2 -- Sygil-queryable data</name>
          <t>A Tier 2 implementation MUST satisfy all Tier 1 requirements, and MUST
additionally:</t>
          <ul spacing="normal">
            <li>
              <t>Implement the query grammar of Section 4.10 (six required
primitives).</t>
            </li>
            <li>
              <t>Return records in canonical JSON encoding.</t>
            </li>
            <li>
              <t>Resolve DID-based resource identifiers per Section 4.9 (required
methods: <tt>did:web</tt> <xref target="DID-WEB"/>, <tt>did:key</tt> <xref target="DID-KEY"/>; recommended:
<tt>did:plc</tt> <xref target="DID-PLC"/>).</t>
            </li>
            <li>
              <t>Support an implementation-defined access mechanism. OAuth 2.0
<xref target="RFC6749"/> is RECOMMENDED but not required.</t>
            </li>
          </ul>
          <t>A Tier 2 implementation SHOULD support the quality-aware filter
primitives of Section 4.10.6.</t>
          <t>Tier 2 covers personal-cloud services exposing user data via the Sygil
query surface, connectors wrapping third-party APIs and serving them as
Sygil records, and enterprise systems exposing employee data under
Sygil namespaces with internal authorization.</t>
        </section>
        <section anchor="tier-3-vault-certified">
          <name>Tier 3 -- Vault-certified</name>
          <t>A Tier 3 implementation MUST satisfy all Tier 2 requirements, and MUST
additionally:</t>
          <ul spacing="normal">
            <li>
              <t>Operate as a vault implementation that satisfies the proof, audit,
and isolation invariants applicable to vault implementations.
Specific runtime choices (storage substrate, encryption posture,
authorization framework, federation primitive, transparency log
technology, attestation platform) are not specified by this document
and are addressed by vault-implementation specifications.</t>
            </li>
            <li>
              <t>Attach <tt>sygil.proof.capability</tt> and <tt>sygil.proof.consent</tt> to records
served under Agent access where the Vault's runtime semantics
produce capability- or consent-derived state.</t>
            </li>
            <li>
              <t>Operate a per-Subject audit log (the <tt>sygil.proof.audit</tt> proof
object's <tt>log_entry_uri</tt> MUST resolve to a real entry).</t>
            </li>
            <li>
              <t>Generate <tt>sygil.proof.attestation</tt> for records produced inside a
trusted execution environment, when applicable.</t>
            </li>
          </ul>
          <t>Tier 3 is the boundary at which vault specifications take over.
Multiple Tier 3 implementations are anticipated and welcome; conformance
to this Protocol does not require adoption of any specific vault
implementation's runtime choices.</t>
        </section>
      </section>
      <section anchor="per-namespace-conformance">
        <name>Per-namespace conformance</name>
        <t>Conformance is asserted per (namespace, tier) pair. An implementation
that supports <tt>sygil.v1.calendar.event</tt> fully but does not support
<tt>sygil.v1.finance.transaction</tt> at all is conformant for calendar and
silent for finance. There is no requirement to implement the full v1
namespace set to claim Tier 1 conformance.</t>
        <t>An implementation MAY claim Tier 1 conformance for one namespace and
Tier 2 conformance for another. The conformance assertion is
fine-grained.</t>
      </section>
      <section anchor="schema-language-and-generated-artifacts">
        <name>Schema language and generated artifacts</name>
        <t>The Sygil schema is authored in LinkML <xref target="LINKML"/>, a YAML-based
schema modeling language with multi-target code generation. LinkML
serves as the single source of truth for namespace structure; from
the LinkML source the Protocol's specification maintainers generate
the artifacts implementations consume directly:</t>
        <ul spacing="normal">
          <li>
            <t><strong>JSON Schema 2020-12</strong> (<tt>{namespace}.schema.json</tt>) -- the wire
validation artifact. Records validate against the JSON Schema for
their declared NSID; this is the artifact the Tier 1 schema-
validation conformance test category references.</t>
          </li>
          <li>
            <t><strong>JSON-LD context</strong> (<tt>{namespace}.context.jsonld</tt>) -- the
vocabulary-mapping artifact described in Section 4.2.6. Optional
for Sygil-native Consumers; the path to interop for tools speaking
Schema.org, W3C VC, or FHIR vocabularies.</t>
          </li>
          <li>
            <t><strong>GraphQL SDL fragments</strong> (<tt>{namespace}.graphql</tt>) -- informative;
for Tier 2 implementations exposing GraphQL surfaces.</t>
          </li>
          <li>
            <t><strong>SHACL shapes</strong> (<tt>{namespace}.shacl.ttl</tt>) -- informative; for
semantic-web consumers requiring shape constraints.</t>
          </li>
          <li>
            <t><strong>SDK type definitions per language</strong> (<tt>{namespace}.types.ts</tt>,
<tt>.py</tt>, <tt>.go</tt>, <tt>.rs</tt>, <tt>.swift</tt>) -- informative; convenience
artifacts for application authors.</t>
          </li>
          <li>
            <t><strong>Example record corpora</strong> (<tt>{namespace}.examples.json</tt>,
<tt>{namespace}.invalid.json</tt>) -- the test fixtures referenced by the
conformance test categories below.</t>
          </li>
          <li>
            <t><strong>Normalization rule documents</strong> (<tt>{namespace}.normalization.md</tt>)
-- informative; mappings to and from external source systems.</t>
          </li>
        </ul>
        <t>The JSON Schema artifact is normative for conformance: a Tier 1
implementation that emits records claiming to be of a given NSID
MUST emit records that validate against the JSON Schema for that
NSID. The other artifacts are informative; their availability is a
deliverable commitment of the Protocol's specification maintainers
but their use is not required for any tier of conformance.</t>
        <t>The artifacts are byte-reproducible from the LinkML source: the
specification maintainers operate continuous integration that
regenerates artifacts on every schema source change and rejects
commits where committed artifacts diverge from regenerated artifacts.
The byte-reproducibility property lets implementations rely on the
artifacts without re-running the LinkML generator locally.</t>
      </section>
      <section anchor="conformance-test-categories">
        <name>Conformance test categories</name>
        <t>A claim of Tier 1 conformance against a namespace means passing the
schema validation, identifier, canonicalization, and proof-object
preservation tests for that namespace. A claim of Tier 2 conformance
adds the query tests. Tier 3 conformance is asserted against a separate
test suite, specified by vault-implementation documents, that exercises
proof attachment, audit log presence, and per-Subject isolation.</t>
        <t>The test categories are:</t>
        <table>
          <thead>
            <tr>
              <th align="left">Category</th>
              <th align="left">Tier</th>
              <th align="left">What it tests</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">Schema validation</td>
              <td align="left">1</td>
              <td align="left">Records validate against the schema artifact for their declared NSID; invalid records fail with the expected error.</td>
            </tr>
            <tr>
              <td align="left">Identifier</td>
              <td align="left">1</td>
              <td align="left">
                <tt>sygil://</tt> URIs parse correctly; content hashes reproduce; <tt>stable_id</tt> persists across updates.</td>
            </tr>
            <tr>
              <td align="left">Canonicalization</td>
              <td align="left">1</td>
              <td align="left">JCS canonicalization is byte-stable across implementations.</td>
            </tr>
            <tr>
              <td align="left">Proof preservation</td>
              <td align="left">1</td>
              <td align="left">Unknown proof types are preserved; multiple proofs per record are allowed.</td>
            </tr>
            <tr>
              <td align="left">Query grammar</td>
              <td align="left">2</td>
              <td align="left">All six query primitives behave per spec; pagination works; response envelope is correctly shaped.</td>
            </tr>
            <tr>
              <td align="left">Quality-aware query</td>
              <td align="left">2 (SHOULD)</td>
              <td align="left">Threshold and set-membership semantics on trust-dimension filters.</td>
            </tr>
            <tr>
              <td align="left">Tier 3 invariants</td>
              <td align="left">3</td>
              <td align="left">Proof attachment under Agent access; audit log presence; per-Subject isolation.</td>
            </tr>
          </tbody>
        </table>
        <t>Test fixtures, expected outputs, and the test harness itself are
deliverables of the Sygil Protocol companion documents and are out of
scope for this Internet-Draft.</t>
      </section>
      <section anchor="compatibility-policy">
        <name>Compatibility policy</name>
        <t>The compatibility rules below apply across all conformant
implementations.</t>
        <section anchor="forward-compatibility">
          <name>Forward compatibility</name>
          <ol spacing="normal" type="1"><li>
              <t><strong>Unknown optional fields.</strong> Consumers MUST preserve unknown
optional fields when reading records. When forwarding or re-emitting
records, Consumers MUST pass these fields through unchanged.
Stripping unknown fields silently is a Protocol violation.</t>
            </li>
            <li>
              <t><strong>Unknown NSIDs (whole record types).</strong> Consumers MUST pass through
unknown NSIDs. Consumers MUST NOT reject a record solely because its
<tt>@type</tt> is not recognized. Consumers MAY log unknown NSIDs and MAY
route them to a generic-record handler that preserves the envelope
and treats namespace-specific fields as opaque.</t>
            </li>
            <li>
              <t><strong>Unknown enum values.</strong> Consumers SHOULD treat unknown enum values
as equivalent to the enum's <tt>unknown</tt> member for purposes of
querying, filtering, and rendering, while preserving the original
value verbatim in stored records.</t>
            </li>
            <li>
              <t><strong>Unknown proof types.</strong> Consumers MUST pass through unknown
<tt>_proofs</tt> entries unchanged. Consumers MAY ignore unknown proof
types when evaluating trust; doing so does not invalidate the
record.</t>
            </li>
            <li>
              <t><strong>Unknown major Protocol versions.</strong> A Consumer that supports
<tt>sygil.v1.*</tt> records and encounters a <tt>sygil.v2.*</tt> record handles
it under rule 2 (unknown NSID): pass through, log, do not reject.
Major versions coexist indefinitely; there is no transition
deadline.</t>
            </li>
          </ol>
        </section>
        <section anchor="backward-compatibility">
          <name>Backward compatibility</name>
          <ol spacing="normal" type="1"><li>
              <t><strong>Constraint immutability.</strong> Once an NSID is published in a
release-tagged Sygil schema version, its required-fields set, type
constraints, and enum members are frozen. New optional fields MAY
be added in a minor schema release; nothing else changes within an
NSID. Constraint changes require a new NSID
(e.g., <tt>sygil.v2.calendar.event</tt>).  </t>
              <t>
The immutability rule decomposes into three operational sub-rules:  </t>
              <ul spacing="normal">
                <li>
                  <t><strong>6a -- No tightening.</strong> A v1.x patch MUST NOT introduce
validation rules that would reject previously-valid records.
Specifically: a field that was optional MUST NOT become required;
a type that accepted <tt>string | null</tt> MUST NOT become <tt>string</tt>-
only; an enum that had value <tt>"other"</tt> MUST NOT remove <tt>"other"</tt>;
a regex pattern MUST NOT become more restrictive; a field-length
limit MUST NOT decrease.</t>
                </li>
                <li>
                  <t><strong>6b -- No semantic redefinition.</strong> A field's meaning, once
specified, MUST NOT change in a v1.x patch. Specifically:
<tt>expires_at</tt> always means "time at which this record's validity
expires"; <tt>subject_scope</tt> enum values always carry their
originally-specified semantics; <tt>cooperation_mode</tt> integers
always carry their original meaning.</t>
                </li>
                <li>
                  <t><strong>6c -- No identifier reinterpretation.</strong> Identifier formats
(NSIDs, DIDs, <tt>sygil://</tt> URIs, <tt>sygil-stable:</tt> URIs) MUST NOT
have their parsing rules changed in a v1.x patch.</t>
                </li>
              </ul>
              <t>
These sub-rules apply only within a major version. Major-version
bumps (v1 to v2, etc.) MAY break any of them, but only via the
migration-table mechanism out of scope for this document and
addressed in subsequent Sygil specifications.</t>
            </li>
          </ol>
        </section>
        <section anchor="producer-and-consumer-responsibilities">
          <name>Producer and Consumer responsibilities</name>
          <ol spacing="normal" type="1"><li>
              <t><strong>Producers</strong> MUST emit only field values, NSIDs, enum values, and
proof types that are declared in some published Sygil schema
version. Producing arbitrary or undocumented values is a Protocol
violation, even though Consumers must tolerate them under the
forward-compatibility rules above.</t>
            </li>
            <li>
              <t><strong>Consumers</strong> SHOULD log when they encounter unknown NSIDs, unknown
enum values, or unknown proof types, so that ecosystem-wide drift
becomes detectable. Logging is recommended, not required.</t>
            </li>
          </ol>
          <t>These rules together produce the Postel's-law stance the Protocol
depends on: be strict in what you produce, lenient in what you
accept, and never silently drop information you do not understand.</t>
        </section>
        <section anchor="deprecation">
          <name>Deprecation</name>
          <t>A schema version MAY be deprecated when its successor has been
published and adopted. Deprecation is non-breaking by design.</t>
          <ul spacing="normal">
            <li>
              <t>Records emitted under a deprecated version remain valid forever.</t>
            </li>
            <li>
              <t>Consumers MAY warn users when they encounter records under a
deprecated version.</t>
            </li>
            <li>
              <t>Consumers MUST NOT reject deprecated-version records.</t>
            </li>
          </ul>
          <t>A schema version is <strong>retired</strong> only when the Protocol's specification
maintainers determine that no implementations remain that produce or
consume it. Retirement is a documentation update, not a runtime
breaking change. Retired versions remain published; Consumers
encountering a record under a retired version SHOULD log it for
ecosystem-drift monitoring but MUST NOT reject it.</t>
        </section>
      </section>
    </section>
    <section anchor="failure-semantics">
      <name>Failure Semantics</name>
      <t>A protocol that specifies what valid records look like but not what
implementations should do with invalid input is incomplete. This
section specifies normative behavior for seven failure modes.</t>
      <section anchor="invalid-records-schema-validation-failure">
        <name>Invalid records (schema validation failure)</name>
        <t>A record is invalid when it fails to validate against the schema for
its declared NSID.</t>
        <ul spacing="normal">
          <li>
            <t>Producers MUST NOT emit invalid records.</t>
          </li>
          <li>
            <t>Consumers MUST reject records that fail schema validation against
their declared NSID. Acceptance of an invalid record is itself a
Protocol violation.</t>
          </li>
          <li>
            <t>Tier 2 surfaces SHOULD return a structured error envelope identifying
which constraint failed.</t>
          </li>
          <li>
            <t>Consumers MUST NOT attempt to repair invalid records by inferring
missing fields, coercing types, or substituting defaults.</t>
          </li>
        </ul>
      </section>
      <section anchor="unknown-namespaces">
        <name>Unknown namespaces</name>
        <t>Covered by compatibility rule 2 above.</t>
      </section>
      <section anchor="malformed-references">
        <name>Malformed references</name>
        <t>A reference is malformed when it does not parse as a <tt>sygil://</tt> URI
(Section 4.4) or a <tt>sygil-stable:</tt> URI (Section 4.6).</t>
        <ul spacing="normal">
          <li>
            <t>Consumers MUST treat malformed references in required fields as
invalid record content. Records containing such references fail
schema validation.</t>
          </li>
          <li>
            <t>Records containing malformed references in optional fields SHOULD be
accepted with the malformed reference field elided from the
Consumer's view; the malformed value is preserved in implementation-
private metadata for diagnostic purposes.</t>
          </li>
          <li>
            <t>Consumers MUST NOT silently substitute a default value (e.g., <tt>null</tt>
or a placeholder URI) for a malformed reference.</t>
          </li>
        </ul>
      </section>
      <section anchor="unresolvable-references">
        <name>Unresolvable references</name>
        <t>A reference is unresolvable when its URI is well-formed but the
referenced record cannot be retrieved.</t>
        <t>The Protocol does not specify how references are resolved; resolution
is a runtime concern. The Protocol does specify how Consumers represent
the result:</t>
        <ul spacing="normal">
          <li>
            <t>Consumers SHOULD distinguish three resolution states: <strong>resolved</strong>
(the referenced record was retrieved), <strong>unresolved</strong> (well-formed
reference, no record found or accessible), and <strong>forbidden</strong> (the
reference resolved but access was denied).</t>
          </li>
          <li>
            <t>Consumers MUST NOT fabricate referenced record data when resolution
fails. Returning a stub marked unresolved is correct; returning an
empty record without indication is not.</t>
          </li>
          <li>
            <t>Tier 2 surfaces returning collections containing unresolved
references SHOULD include a per-reference resolution status in the
response envelope.</t>
          </li>
        </ul>
      </section>
      <section anchor="unsupported-enum-values">
        <name>Unsupported enum values</name>
        <t>Covered by compatibility rule 3 above.</t>
      </section>
      <section anchor="hash-mismatches">
        <name>Hash mismatches</name>
        <t>A hash mismatch occurs when a record's <tt>id</tt> is supposed to equal
<tt>BLAKE3(JCS(record_body))</tt> (with the standard exclusions from Section
4.5) but does not.</t>
        <ul spacing="normal">
          <li>
            <t>Tier 1 implementations are NOT required to verify hashes.</t>
          </li>
          <li>
            <t>Any implementation that claims to verify integrity (whether by
recomputing the BLAKE3 hash and comparing to <tt>id</tt>, or by any other
explicit integrity check) MUST treat hash mismatch as a hard
failure: the record is corrupt or has been tampered with.</t>
          </li>
          <li>
            <t>A Consumer that detects a hash mismatch MUST NOT silently use the
record as if it were valid. The minimum acceptable response is to
mark the record as integrity-failed in any output that includes it.</t>
          </li>
          <li>
            <t>A Consumer that asserts integrity to its own callers (e.g., emits
a "verified" flag, returns content as authoritative, persists the
record under its <tt>id</tt>) MUST verify the content hash before doing
so.</t>
          </li>
        </ul>
      </section>
      <section anchor="unsupported-schema-versions">
        <name>Unsupported schema versions</name>
        <t>A Consumer that supports <tt>sygil.v1.*</tt> and encounters a <tt>sygil.v2.*</tt>
record handles it under the unknown-NSID rule (compatibility rule 2):
pass through, log, do not reject. The Consumer SHOULD log the
unsupported version specifically so that operators can detect when
their implementation is lagging the published schema. A Consumer
asked to interpret a <tt>sygil.v2.*</tt> record as if it were <tt>sygil.v1.*</tt>
MUST decline. There is no implicit version downgrade.</t>
      </section>
      <section anchor="failure-mode-summary">
        <name>Failure mode summary</name>
        <table>
          <thead>
            <tr>
              <th align="left">Failure mode</th>
              <th align="left">Producer responsibility</th>
              <th align="left">Consumer responsibility</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">Invalid record</td>
              <td align="left">MUST NOT emit</td>
              <td align="left">MUST reject; SHOULD return structured error</td>
            </tr>
            <tr>
              <td align="left">Unknown namespace</td>
              <td align="left">(cannot produce)</td>
              <td align="left">MUST pass through; MAY log</td>
            </tr>
            <tr>
              <td align="left">Malformed reference</td>
              <td align="left">MUST NOT emit</td>
              <td align="left">MUST treat as invalid in required fields; MAY elide in optional</td>
            </tr>
            <tr>
              <td align="left">Unresolvable reference</td>
              <td align="left">(runtime concern)</td>
              <td align="left">SHOULD distinguish resolved/unresolved/forbidden; MUST NOT fabricate</td>
            </tr>
            <tr>
              <td align="left">Unsupported enum value</td>
              <td align="left">MUST NOT emit</td>
              <td align="left">MUST preserve verbatim; SHOULD treat as <tt>unknown</tt> for query</td>
            </tr>
            <tr>
              <td align="left">Hash mismatch</td>
              <td align="left">MUST NOT attach integrity proof if hash fails</td>
              <td align="left">If verifying, MUST treat as hard failure</td>
            </tr>
            <tr>
              <td align="left">Unsupported schema version</td>
              <td align="left">(n/a)</td>
              <td align="left">MUST pass through; SHOULD log; MUST NOT downgrade</td>
            </tr>
          </tbody>
        </table>
        <t>The "MUST NOT emit" Producer rules describe the strict-output side of
the Postel's-law stance from Section 6.5. The Consumer rules describe
the lenient-input side, with the constraint that leniency does not
extend to silent corruption -- unknown content is preserved and
surfaced, never dropped or fabricated.</t>
      </section>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <t>This section addresses security considerations applicable to the
Sygil Protocol, structured per the threat-model framing of <xref target="RFC3552"/>.</t>
      <section anchor="threat-model">
        <name>Threat model</name>
        <t>Per <xref target="RFC3552"/>, the threat environment includes deployment across the
global Internet across multiple administrative boundaries without
assuming that firewalls are in place.</t>
        <t>For Sygil, the threat model assumes:</t>
        <ul spacing="normal">
          <li>
            <t>Producers, Consumers, Vaults, Subjects, and any intermediaries are
each individually capable of being honest, compromised, or
adversarial.</t>
          </li>
          <li>
            <t>Network paths between parties are fully adversarial: an attacker can
observe, drop, modify, replay, and inject traffic.</t>
          </li>
          <li>
            <t>Endpoint compromise is in scope: a Producer's signing key, a Vault's
storage, or a Consumer's verification logic may each be compromised.</t>
          </li>
          <li>
            <t>Pervasive monitoring <xref target="RFC7258"/> is in scope: an attacker capable of
observing large volumes of traffic across the Internet is part of
the adversary class.</t>
          </li>
        </ul>
        <t>The Protocol does not assume any specific transport-layer security
posture. Implementations carry Sygil records over transports of their
choosing (HTTP, MCP <xref target="MCP"/>, others); transport security is the
transport's responsibility.</t>
        <section anchor="threat-model-summary">
          <name>Threat model summary</name>
          <t>The table below summarizes the principal attack classes considered in
this Section, the Protocol-level mitigations (where any), and the
sections that address each in detail. Implementations adopting Sygil
SHOULD use this table as a starting point for their own deployment-
specific threat-model documents; the table is not exhaustive.</t>
          <table>
            <thead>
              <tr>
                <th align="left">Attack class</th>
                <th align="left">Protocol-level mitigation</th>
                <th align="left">Detailed in</th>
              </tr>
            </thead>
            <tbody>
              <tr>
                <td align="left">In-flight record modification</td>
                <td align="left">Content-addressable identifiers; integrity proof (Section 5.4)</td>
                <td align="left">Section 8.4</td>
              </tr>
              <tr>
                <td align="left">In-flight metadata modification</td>
                <td align="left">None at Protocol level (excluded fields are not hash-protected)</td>
                <td align="left">Section 8.4</td>
              </tr>
              <tr>
                <td align="left">Record-body forgery (synthesized record from non-Producer)</td>
                <td align="left">Provenance proof signature; trust-anchored connector identity</td>
                <td align="left">Sections 8.5, 8.8</td>
              </tr>
              <tr>
                <td align="left">Capability-token forgery</td>
                <td align="left">Out of scope (token format-specific; runtime concern)</td>
                <td align="left">--</td>
              </tr>
              <tr>
                <td align="left">Proof-object forgery (synthesized proof claiming a record property the Producer did not assert)</td>
                <td align="left">Signature on proof object; trust-anchored issuer identity</td>
                <td align="left">Section 8.8</td>
              </tr>
              <tr>
                <td align="left">Replay of recorded responses</td>
                <td align="left">
                  <tt>expires_at</tt> envelope field; nonce binding via out-of-Protocol mechanisms</td>
                <td align="left">Section 8.6</td>
              </tr>
              <tr>
                <td align="left">Trust downgrade via provenance manipulation (downgrading a record's apparent quality to evade authoritative-source rules)</td>
                <td align="left">Conditional MUST on authoritative connectors (Section 5.5.2); provenance-warning propagation rule</td>
                <td align="left">Section 8.9</td>
              </tr>
              <tr>
                <td align="left">Cross-domain correlation (re-identification by joining records across namespaces sharing a <tt>subject_did</tt>)</td>
                <td align="left">None at Protocol level; Subject DID is by-design linkable</td>
                <td align="left">Sections 8.10, 9.4</td>
              </tr>
              <tr>
                <td align="left">DID-method spoofing (attacker emits records with unfamiliar <tt>did:</tt> method that Consumer cannot verify)</td>
                <td align="left">Opaque-method-tag rule; required-methods commitment (Section 4.9.2)</td>
                <td align="left">Section 8.5</td>
              </tr>
              <tr>
                <td align="left">Hash collision against the <tt>id</tt> URI</td>
                <td align="left">Cryptographic strength of BLAKE3 (<xref target="BLAKE3"/>)</td>
                <td align="left">Section 8.4</td>
              </tr>
              <tr>
                <td align="left">Algorithm-confusion attacks (e.g., Consumer accepts a <tt>blake2-</tt> URI as if it were <tt>blake3-</tt>)</td>
                <td align="left">Algorithm tag is part of the URI; v1 implementations MUST emit and accept <tt>blake3-</tt> only</td>
                <td align="left">Sections 4.5, 8.11</td>
              </tr>
              <tr>
                <td align="left">Side-channel leakage (timing, power) on integrity verification</td>
                <td align="left">Out of scope (general implementation hardening concern)</td>
                <td align="left">--</td>
              </tr>
              <tr>
                <td align="left">Pervasive monitoring; traffic analysis</td>
                <td align="left">Mitigations are transport-layer; Protocol envelope reveals Subject DID and record type</td>
                <td align="left">Section 8.12</td>
              </tr>
              <tr>
                <td align="left">Producer key compromise</td>
                <td align="left">Out of scope at Protocol level; key rotation is DID-method-specific</td>
                <td align="left">Section 8.13</td>
              </tr>
              <tr>
                <td align="left">Vault compromise (records served are not authoritative for the apparent Subject)</td>
                <td align="left">None at Protocol level; mitigated by Producer-level authenticity and DID-method cryptography</td>
                <td align="left">Section 8.14</td>
              </tr>
              <tr>
                <td align="left">Denial of service via pathological inputs</td>
                <td align="left">None at Protocol level; size, depth, and rate limits are runtime concerns</td>
                <td align="left">Section 8.15</td>
              </tr>
            </tbody>
          </table>
        </section>
      </section>
      <section anchor="what-the-protocol-does-and-does-not-protect">
        <name>What the Protocol does and does not protect</name>
        <t>The Protocol provides:</t>
        <ul spacing="normal">
          <li>
            <t><strong>Structural integrity</strong> of records, via content-addressable
identifiers (Section 4.4) and a deterministic canonicalization rule
(Section 4.5). A Consumer that recomputes a record's content hash
detects any modification that occurred after the Producer computed
the original hash, modulo the standard hash exclusions.</t>
          </li>
          <li>
            <t><strong>A vocabulary for trust evidence</strong> in the form of proof objects
(Section 5). The vocabulary is sufficient for a Producer to claim
integrity, provenance, capability, consent, attestation, or audit
properties about a record, and for a Consumer to recognize and
preserve those claims.</t>
          </li>
        </ul>
        <t>The Protocol does NOT provide:</t>
        <ul spacing="normal">
          <li>
            <t><strong>Confidentiality of records on the wire.</strong> The Protocol does not
specify any encryption mechanism. Confidentiality is delegated to
the transport (TLS for HTTP transport, encryption inherent to the
transport for other carriers) and, where applicable, to Vault-level
encryption-at-rest.</t>
          </li>
          <li>
            <t><strong>Authenticity of unsigned records.</strong> A <tt>sygil://</tt> URI is
content-addressed, not signed. A record carrying no proof object is
structurally valid but does not assert anything about who produced
it. Authenticity comes from proof objects (notably
<tt>sygil.proof.provenance</tt>) and from the underlying signing
infrastructure that produces them.</t>
          </li>
          <li>
            <t><strong>Authorization decisions.</strong> The Protocol's proof object vocabulary
conveys evidence of authorization; the Protocol does not specify how
a Vault decides to grant or deny access. Authorization is a runtime
concern.</t>
          </li>
        </ul>
      </section>
      <section anchor="confidentiality">
        <name>Confidentiality</name>
        <t>Records on the wire are not confidential by Protocol design. A
deployment requiring confidentiality MUST employ a transport that
provides it (e.g., HTTPS with TLS 1.2 or later) or wrap records in an
application-layer encryption envelope before transmission.</t>
        <t>The hash exclusions in Section 4.5 do not affect confidentiality of
the excluded fields: a record's <tt>_proofs</tt>, <tt>updated_at</tt>, <tt>version</tt>,
<tt>supersedes</tt>, <tt>obsolete</tt>, and <tt>obsolete_reason</tt> fields all travel on
the wire alongside the rest of the record. They are excluded from
the <em>content hash</em>, not from the serialization. (The query response
envelope's <tt>redaction_state</tt> field, defined in Section 4.10, is
similarly visible on the wire; it is not part of the record envelope
at all.)</t>
        <t>The query response envelope's <tt>redaction_state</tt> field (Section 4.10)
signals that a served record is a projection (<tt>redacted</tt>, <tt>summary</tt>,
or <tt>hash_only</tt>) rather than the full original. Vault implementations
that produce projections are responsible for ensuring that projected
records do not inadvertently include redacted content; the Protocol
provides the labeling but does not enforce the redaction.</t>
      </section>
      <section anchor="integrity">
        <name>Integrity</name>
        <t>Integrity protection is provided by content-addressable identifiers.
A Consumer that verifies hashes detects post-Producer modification of
the canonicalized hash inputs.</t>
        <t>Integrity is verified by recomputing the BLAKE3 content hash over the
canonical serialization of the record (with the hash exclusions from
Section 4.5) and comparing to the value encoded in the <tt>id</tt> URI. No
separate proof object is required; the content hash is the integrity
guarantee.</t>
        <t>Integrity verification is OPTIONAL at Tier 1. Implementations that
accept records without recomputing hashes are exposed to in-flight
modification; the trade-off is a runtime decision. Implementations
that claim to verify integrity (whether at Tier 1 by choice, or at
Tier 2/Tier 3 as a baseline expectation) MUST treat hash mismatch as
a hard failure per Section 7.</t>
        <t>The hash exclusions in Section 4.5 mean that a malicious party can:</t>
        <ul spacing="normal">
          <li>
            <t>Add, remove, or modify proof objects without changing the content
hash.</t>
          </li>
          <li>
            <t>Update <tt>updated_at</tt>, <tt>version</tt>, <tt>supersedes</tt>, <tt>obsolete</tt>, or
<tt>obsolete_reason</tt> fields without changing the content hash.</t>
          </li>
        </ul>
        <t>Consumers that depend on the integrity of these fields MUST obtain
their assurances from elsewhere -- typically from a <tt>sygil.proof.audit</tt>
proof object referencing a tamper-evident audit log, or from
transport-layer signatures, or from a Vault implementation's
out-of-band integrity guarantees.</t>
      </section>
      <section anchor="authenticity">
        <name>Authenticity</name>
        <t>A bare Sygil record asserts no authenticity. The producing party is
implicit in the <tt>id</tt> URI's Subject DID (which identifies the data
subject, not the producer) and in the optional <tt>issuer_did</tt> envelope
field (which identifies the producer if populated, but is not signed
by the Protocol).</t>
        <t>Authenticity is conveyed by proof objects:</t>
        <ul spacing="normal">
          <li>
            <t><tt>sygil.proof.provenance</tt> (Section 5.5) asserts the upstream source
and connector that produced the record. A Consumer that has a trust
relationship with the named connector and that verifies the
connector's signature on the proof can attribute the record to that
connector.</t>
          </li>
          <li>
            <t><tt>sygil.proof.attestation</tt> (Section 5.8) asserts that the record was
produced inside a verifiable execution environment.</t>
          </li>
        </ul>
        <t>The Protocol does not specify how proof objects are signed. Common
choices include JWS <xref target="RFC7515"/> over the canonicalized record with the
proof object as the payload, or detached signatures referenced by URI.</t>
        <section anchor="did-method-authenticity">
          <name>DID method authenticity</name>
          <t>The opaque-string-with-method-tag rule for DIDs (Section 4.9.1) means
that a Consumer that does not understand a particular DID method MUST
NOT trust assertions tied to that DID more than it would trust an
assertion tied to an opaque string. A record whose <tt>subject_did</tt> is
<tt>did:newmethod:identifier</tt> is structurally valid; whether the Consumer
can resolve and verify that DID is method-specific.</t>
          <t>A Consumer that resolves DIDs via the required methods (<tt>did:web</tt>,
<tt>did:key</tt>) and the recommended method (<tt>did:plc</tt>) per Section 4.9.2
inherits the security properties of those methods. <tt>did:web</tt> depends
on the security of the served DID document and the TLS connection that
delivers it; <tt>did:key</tt> depends on the key being correctly encoded and
the algorithm being supported; <tt>did:plc</tt> depends on the PLC operator
and the directory's integrity.</t>
        </section>
      </section>
      <section anchor="replay">
        <name>Replay</name>
        <t>A <tt>sygil://</tt> URI is content-addressable: the same record body
produces the same URI. A Consumer cannot distinguish a replayed
delivery of a known record from a fresh delivery solely from the URI.</t>
        <t>Where replay matters (e.g., a <tt>sygil.proof.capability</tt> proof should
not authorize the same access twice), Consumers MUST rely on
out-of-Protocol mechanisms: the capability token's own nonce or
expiry, the audit log entry referenced by <tt>sygil.proof.audit</tt>, or
transport-layer freshness signals (e.g., DPoP <xref target="RFC9449"/> when OAuth
2.0 is in use).</t>
        <t>The envelope <tt>expires_at</tt> field (Section 4.2.4) signals retention
expiry, not authentication freshness. A record whose <tt>expires_at</tt> has
passed should be treated as expired by retention-aware Consumers but
this is not a defense against replay of an authentication artifact.</t>
      </section>
      <section anchor="limits-of-protocol-level-guarantees">
        <name>Limits of Protocol-level guarantees</name>
        <t>The Protocol's proof object vocabulary is sufficient for a Consumer to
verify <em>what</em> a Producer claims:</t>
        <ul spacing="normal">
          <li>
            <t>The claim's structure is valid (the proof object validates against
its <tt>@type</tt> schema).</t>
          </li>
          <li>
            <t>The claim is correctly bound to the record (the proof appears in the
record's <tt>_proofs</tt> array).</t>
          </li>
          <li>
            <t>The record's integrity can be verified locally against the
canonicalized record by recomputing the BLAKE3 content hash and
comparing to the value encoded in the <tt>id</tt> URI; this verification is
performed without any proof object.</t>
          </li>
        </ul>
        <t>The Protocol's proof object vocabulary is NOT sufficient for a
Consumer to verify <em>whether</em> a Producer's underlying claim is correct
under any specific runtime policy. A Producer could be configured with
a permissive runtime authorization policy and issue technically-valid
<tt>sygil.proof.capability</tt> proofs for records that would not pass a
stricter Consumer's policy. Protection against this -- typically by
trust-anchoring Producers to a known issuer infrastructure, by
verifying the underlying capability token, or by maintaining a
Consumer-side policy that filters records by Producer trust -- is a
deployment and trust-establishment concern, not a Protocol concern.</t>
        <t>Consumers SHOULD NOT treat the presence of a proof object as evidence
of underlying policy correctness. Proof objects are evidence of
<em>assertion</em> by the Producer; verification of the assertion is a
separate, runtime-defined activity.</t>
      </section>
      <section anchor="proof-forgery">
        <name>Proof forgery</name>
        <t>A proof object asserts a property of a record. The mechanism by which
a Consumer concludes the assertion is genuine is signature
verification: the proof's signature, computed over the proof's
canonicalized body, must verify against the public key of the issuing
party. The Protocol does not specify the signing mechanism; common
choices include JSON Web Signatures <xref target="RFC7515"/> over the canonical
serialization of the proof object body and detached signatures
referenced by URI.</t>
        <t>A proof forgery occurs when an attacker produces a proof object that
appears valid but is not signed by the party it purports to come
from. The Protocol's defenses are:</t>
        <ul spacing="normal">
          <li>
            <t><strong>Connector identity verification.</strong> A <tt>sygil.proof.provenance</tt>
proof's <tt>connector_id</tt> field names the connector that produced the
record. A Consumer that acts on provenance MUST verify the
<tt>connector_id</tt> matches the connector's known identity per the
minimum evaluation expectations of Section 5.3.4. Without that
check, an attacker that knows a connector's identifier can mint
forged provenance proofs at will.</t>
          </li>
          <li>
            <t><strong>Issuer signature.</strong> A signed proof object binds the proof's
contents to the issuing party's signing key. Forgery requires
compromise of the signing key (Section 8.10) or a cryptographic
break in the signature scheme.</t>
          </li>
          <li>
            <t><strong>Independence rule.</strong> The Protocol's proof-independence rule
(Section 5.3.1) means a forged proof of one type does not infer
properties associated with other proof types. Forgery of a single
proof type does not yield record-level forgery of all properties.</t>
          </li>
        </ul>
        <t>A Producer MUST NOT attach a proof object whose underlying claim it
cannot defend; doing so is a Producer-side Protocol violation (a
Producer that emits forged proof objects is a malicious Producer).
The Protocol cannot prevent malicious Producers from emitting
syntactically valid records; defense is at the Consumer side, by
trust-anchoring the Producers and Vaults the Consumer is willing to
accept proof objects from.</t>
      </section>
      <section anchor="trust-downgrade-attacks">
        <name>Trust downgrade attacks</name>
        <t>A trust downgrade attack is one in which an attacker manipulates
trust-bearing fields on a record to lower the apparent trust level
the record claims, in a way that lets the attacker substitute a
lower-trust record for a higher-trust one without triggering Consumer
protections.</t>
        <t>Three concrete attack patterns are addressable at the Protocol level:</t>
        <ul spacing="normal">
          <li>
            <t><strong>Provenance downgrade.</strong> An attacker substitutes a
<tt>cooperation_mode: "user_mediated_capture"</tt> (user-mediated capture)
provenance proof for a <tt>cooperation_mode: "native_sygil"</tt> (native
integration) one, hoping the Consumer's quality-aware filter
(<tt>cooperation_mode_in=native_sygil,cooperative_api</tt>, Section
4.10.6) will exclude the record from results -- denying the
Consumer access to a record it was entitled to. Defense: the
provenance proof is signed; substitution by a non-issuer fails
signature verification.</t>
          </li>
          <li>
            <t><strong>Authoritative-source bypass.</strong> An attacker emits a record from
a connector locally known to the Consumer as authoritative, but
without attaching a <tt>sygil.proof.provenance</tt> proof, hoping the
Consumer will treat the record as authoritative without examining
whether the proof is present. Defense: the conditional rule of
Section 5.4.2 requires authoritative-source records to carry the
proof; the Consumer MUST treat missing-proof cases as carrying a
provenance-warning state and MUST propagate the warning to its
caller, and MUST NOT silently treat the record as authoritative.</t>
          </li>
          <li>
            <t><strong>Verifiability downgrade.</strong> An attacker claims <tt>verifiability:
source_signed</tt> on a <tt>sygil.proof.provenance</tt> proof to mislead the
Consumer's quality filter, while the underlying record is not
source-signed. Defense: a Consumer that acts on the
<tt>verifiability</tt> claim (e.g., requires <tt>verifiability_min=
source_signed</tt>) MUST verify the source signature is actually
present and verifies; the proof's claim alone is insufficient
per the minimum evaluation expectations of Section 5.3.4.</t>
          </li>
        </ul>
        <t>The general principle is that trust claims at the wire level are
<strong>evidence of assertion</strong>, not of correctness; a Consumer that needs
correctness MUST verify the underlying cryptographic or external
property, not rely solely on the proof's stated value.</t>
      </section>
      <section anchor="cross-domain-correlation">
        <name>Cross-domain correlation</name>
        <t>Sygil's design intentionally enables cross-domain reasoning: an Agent
holding records under <tt>subject_did = did:web:user.example.com</tt> for
calendar, finance, health, location, and message namespaces can join
across them by <tt>subject_did</tt>. This is a feature; it is also a
re-identification surface.</t>
        <t>The attack scenario is direct. An adversary who obtains records from
multiple namespaces under the same <tt>subject_did</tt> can construct a
profile far more identifying than any individual namespace's records
provide. A calendar event for a doctor's appointment, a financial
transaction for a copay, a health observation for a diagnosis, and a
location record for a clinic -- joined by <tt>subject_did</tt> -- disclose
information no individual record discloses.</t>
        <t>Mitigations are deployment-level and policy-level, not Protocol-level:</t>
        <ul spacing="normal">
          <li>
            <t><strong>Authorization scoping.</strong> A Vault implementation SHOULD scope
Consumer authorization per-namespace (or finer); a Consumer
authorized for <tt>sygil.v1.calendar.event</tt> SHOULD NOT thereby be
authorized for <tt>sygil.v1.health.observation</tt> under the same
Subject. The Protocol's tier definitions (Section 6) require
per-namespace scoping at Tier 2 and beyond.</t>
          </li>
          <li>
            <t><strong>Per-context Subject DIDs.</strong> Subjects MAY adopt distinct DIDs for
distinct contexts (e.g., a <tt>did:key</tt> per Consumer relationship);
records under different DIDs are not joinable. The Protocol does
not require this practice but allows it; the trade-off is that
unlinkable records cannot be joined by Agents that should
legitimately reason across them.</t>
          </li>
          <li>
            <t><strong>Quasi-identifier discipline.</strong> Even with Subject DID concealed,
envelope fields (<tt>created_at</tt>, <tt>updated_at</tt>, <tt>language[]</tt>,
<tt>connector_id</tt>) and per-namespace fields can themselves identify
a Subject by joining attributes. A serious privacy posture
requires Vault implementations to apply data-minimization at the
projection layer (Section 4.2.6) and consider quasi-identifier
exposure when serving cross-namespace results. Earlier drafts
also listed an envelope <tt>jurisdiction[]</tt> field as a strong
quasi-identifier; that field was removed in the v0.3
reconciliation, but runtime systems that derive jurisdictional
binding from <tt>subject_did</tt> and source-system content should be
aware that the same quasi-identifying signal exists in those
derivations and should be handled with the same care.</t>
          </li>
        </ul>
        <t>The Protocol does not provide an in-band correlation-prevention
mechanism. Section 9 (Privacy Considerations) addresses
re-identification and linkability further; the formal Privacy
Properties subsection (Section 9.1) makes explicit which protections
the Protocol does and does not provide. Section 9.5 (Derived data
amplification) addresses a related concern: derived records may
disclose information beyond what their source records disclose
individually, even before any cross-namespace join.</t>
      </section>
      <section anchor="algorithm-agility">
        <name>Algorithm agility</name>
        <t>The Protocol pins:</t>
        <ul spacing="normal">
          <li>
            <t><strong>Hash algorithm:</strong> BLAKE3 <xref target="BLAKE3"/> for v1.</t>
          </li>
          <li>
            <t><strong>Canonicalization:</strong> JCS per <xref target="RFC8785"/> for v1.</t>
          </li>
        </ul>
        <t>Algorithm agility is provided by major-version protocol bumps
(<tt>sygil.v2.*</tt> may select different algorithms). Within v1, all
implementations MUST agree on BLAKE3 and JCS; mixing algorithms within
v1 produces non-reproducible content hashes and breaks the
content-addressing invariant.</t>
        <t>Implementations preparing for post-quantum-relevant changes should
note that:</t>
        <ul spacing="normal">
          <li>
            <t>BLAKE3 is a hash function; post-quantum cryptanalysis affects
preimage and collision resistance and current consensus is that
hash-function security degrades less than asymmetric primitives
under quantum attack. BLAKE3 is acceptable for the v1 Protocol
horizon.</t>
          </li>
          <li>
            <t>The Protocol does not specify any asymmetric primitive. Signatures
on proof objects, transport-layer authentication, and DID-method
cryptographic primitives are all out of Protocol scope. The
cryptographic agility of these is the responsibility of the runtime
layer that uses them.</t>
          </li>
        </ul>
      </section>
      <section anchor="pervasive-monitoring">
        <name>Pervasive monitoring</name>
        <t>Per <xref target="RFC7258"/>, pervasive monitoring is an attack on confidentiality
and on user privacy at scale. Sygil records, if observed in transit,
reveal:</t>
        <ul spacing="normal">
          <li>
            <t>The Subject DID (in the <tt>id</tt> URI prefix).</t>
          </li>
          <li>
            <t>The record type (<tt>@type</tt> NSID).</t>
          </li>
          <li>
            <t>The record contents (the body and the <tt>_proofs</tt> array).</t>
          </li>
        </ul>
        <t>The first two are revealed even when the body is encrypted, because
they are part of the URI and the JSON envelope. Implementations that
require subject-DID confidentiality on the wire MUST employ a transport
or application-layer scheme that conceals them; the Protocol does not
provide concealment for identifying envelope fields.</t>
        <t>The proof-bearing response shape arguably increases traffic-analysis
revelation compared to opaque-blob protocols, because each record
carries its own metadata trail. Implementations sensitive to traffic
analysis (high-stakes journalism, source protection, regulated
populations under surveillance) SHOULD employ transport-layer
mitigations (mixing networks, padding, dummy traffic) and SHOULD
consider whether the Protocol's tier of detail is appropriate to their
threat model.</t>
      </section>
      <section anchor="producer-key-compromise">
        <name>Producer key compromise</name>
        <t>A Producer's signing key (used to produce signed proof objects) is the
hinge of authenticity for that Producer. Compromise of the key allows
an attacker to forge proof objects asserting any property under that
Producer's identity.</t>
        <t>The Protocol does not specify a key-rotation, revocation, or
key-compromise-recovery mechanism. These are runtime concerns,
typically addressed by the underlying DID method's key-rotation
support (where present) and by Vault-level revocation and re-issuance
discipline.</t>
        <t>A Consumer that detects a compromised Producer key SHOULD invalidate
or downgrade trust in records carrying proofs signed by that key,
through a Consumer-side policy outside the Protocol's scope.</t>
      </section>
      <section anchor="subject-impersonation-and-vault-compromise">
        <name>Subject impersonation and Vault compromise</name>
        <t>The Subject DID in a <tt>sygil://</tt> URI is the identifier of the data
subject; it does not authenticate them. A malicious party can mint
records with any Subject DID and emit them as syntactically valid
Sygil records. Defenses are:</t>
        <ul spacing="normal">
          <li>
            <t>Producer-level authenticity (the Consumer trusts only records
carrying proof objects from known Producers).</t>
          </li>
          <li>
            <t>Vault-level authentication (the Consumer obtains records only via a
trust relationship with a Vault that is expected to authenticate
Subject access).</t>
          </li>
          <li>
            <t>DID-method cryptographic primitives (e.g., signed Subject statements
derived from the Subject's DID-controlled keys, as in Verifiable
Credentials <xref target="W3C-VC2"/>).</t>
          </li>
        </ul>
        <t>A compromised Vault can produce records that appear to be authoritative
for any Subject the Vault hosts. Consumers relying on a Vault as a
trust anchor inherit the Vault's compromise. The Protocol does not
specify Vault attestation; vault-implementation specifications may
specify it via <tt>sygil.proof.attestation</tt>.</t>
      </section>
      <section anchor="denial-of-service">
        <name>Denial of service</name>
        <t>The Protocol specifies content hashes (computationally bounded by
serialization size), schema validation (computationally bounded by
schema size), and reference resolution (potentially network-bounded).</t>
        <t>A malicious Producer can emit records:</t>
        <ul spacing="normal">
          <li>
            <t>With pathologically large bodies, increasing canonicalization and
hash cost.</t>
          </li>
          <li>
            <t>With many cross-references, increasing resolution cost on the
Consumer.</t>
          </li>
          <li>
            <t>With deeply nested structure, stressing JSON parsers.</t>
          </li>
        </ul>
        <t>These vectors are general JSON-processing vectors and not
Sygil-specific. Implementations SHOULD apply size limits to record
bodies, depth limits to JSON parsing, and rate limits to reference
resolution. The Protocol does not specify limits because they depend on
deployment.</t>
      </section>
      <section anchor="privacy-considerations">
        <name>Privacy considerations</name>
        <t>Privacy considerations specific to personal data carried by the
Protocol are addressed in Section 9.</t>
      </section>
    </section>
    <section anchor="privacy-considerations-1">
      <name>Privacy Considerations</name>
      <t>The Protocol carries personal data by design. This section addresses
privacy-specific considerations that complement the security
considerations in Section 8.</t>
      <section anchor="privacy-properties">
        <name>Privacy properties</name>
        <t>This subsection makes explicit what the Protocol does and does not
guarantee at the privacy level. The framing is deliberately
formal: privacy guarantees that are not stated here are not
provided. Implementations seeking specific privacy properties beyond
those listed here must obtain them from runtime, deployment, or
policy mechanisms outside the Protocol.</t>
        <section anchor="what-the-protocol-guarantees">
          <name>What the Protocol guarantees</name>
          <t>The Protocol commits to the following privacy properties at the wire
level:</t>
          <ol spacing="normal" type="1"><li>
              <t><strong>Per-field sensitivity classification.</strong> Every namespace
specification declares a privacy classification (<tt>public</tt>,
<tt>redacted</tt>, <tt>invisible</tt>) for each field (Section 4.2.5). The
classification travels with the schema, not with individual
records, so two implementations classifying the same field
inconsistently is a Protocol violation detectable by inspection.</t>
            </li>
            <li>
              <t><strong>Wire-level projection labeling.</strong> Query responses carry a
<tt>redaction_state</tt> field in the response envelope (Section 4.10)
labeling the projection level the served record represents in
that response. A Consumer can distinguish an <tt>original</tt> record
from a <tt>redacted</tt>, <tt>summary</tt>, or <tt>hash_only</tt> projection without
out-of-band signaling. The same record content can be served as
different projections in different responses; the projection
state belongs to the response, not the record.</t>
            </li>
            <li>
              <t><strong>Soft-delete semantics with reason.</strong> Records carry <tt>obsolete</tt>
and <tt>obsolete_reason</tt> envelope fields. A Subject's withdrawal of
consent is communicated by <tt>obsolete: true</tt> with <tt>obsolete_reason:
withdrawn_consent</tt>, providing wire-level visibility into the
reason without Consumer guesswork.</t>
            </li>
            <li>
              <t><strong>Wire-level consent evidence.</strong> When a record is served under a
consent-bearing access, the <tt>sygil.proof.consent</tt> proof object
(Section 5.6) carries consent-receipt evidence on the wire
alongside the record. The Consumer learns <em>that</em> consent was
asserted and <em>what</em> receipt was referenced; the underlying receipt
itself is referenced, not embedded.</t>
            </li>
            <li>
              <t><strong>Wire-level provenance evidence.</strong> The <tt>sygil.proof.provenance</tt>
proof (Section 5.4) carries upstream-source identification and
trust dimensions, so a Consumer reasoning about whether to trust
a record for a given purpose has wire-visible inputs to that
reasoning.</t>
            </li>
            <li>
              <t><strong>Subject-protective defaults.</strong> Default values across the
envelope (<tt>subject_scope: sole</tt>, <tt>obsolete: false</tt>, empty
<tt>language[]</tt>) are chosen so that records constructed without
explicit privacy decisions make minimal claims, reducing the
risk of overstated trust assertions to Consumers (Section 9.12).</t>
            </li>
          </ol>
        </section>
        <section anchor="what-the-protocol-does-not-guarantee">
          <name>What the Protocol does not guarantee</name>
          <t>The Protocol does NOT provide the following, even where they may
appear suggested by the structure of the wire format. Implementations
requiring these properties must obtain them elsewhere.</t>
          <ol spacing="normal" type="1"><li>
              <t><strong>Confidentiality of records on the wire.</strong> Records are not
encrypted by Protocol design. Confidentiality depends on the
transport (typically TLS over HTTP, or transport-inherent
encryption for other carriers); the Protocol does not specify a
cryptographic envelope.</t>
            </li>
            <li>
              <t><strong>Confidentiality of identifying envelope fields.</strong> Even when
record bodies are encrypted, the Subject DID (in the <tt>sygil://</tt>
URI prefix), the record <tt>@type</tt> (NSID), and metadata fields like
<tt>created_at</tt>, <tt>language[]</tt>, and <tt>connector_id</tt> are visible to
any party that observes the URI or the JSON envelope.
Implementations requiring concealment of identifying envelope
fields MUST employ a transport or application-layer scheme that
conceals them.</t>
            </li>
            <li>
              <t><strong>Unlinkability of records about the same Subject.</strong> Records
about the same Subject share a <tt>subject_did</tt> by design and are
linkable across all records about that Subject. The Protocol does
not provide an unlinkability primitive; implementations requiring
unlinkability for specific records or Subjects MUST employ
per-context Subject DIDs at the cost of cross-namespace
joinability (Section 8.10).</t>
            </li>
            <li>
              <t><strong>Resistance to cross-domain correlation.</strong> A party with access
to records across namespaces under the same Subject DID can join
them. The Protocol provides no in-band defense against
cross-domain correlation; defenses are at the Vault and
deployment level (Section 8.10).</t>
            </li>
            <li>
              <t><strong>Quasi-identifier protection.</strong> Envelope and per-namespace fields
collectively form a fingerprint that may identify a Subject even
when explicit identifiers are concealed. The Protocol does not
defend against this; implementations requiring k-anonymity or
differential privacy guarantees MUST apply such transformations
at the Vault layer.</t>
            </li>
            <li>
              <t><strong>Forgetability of record existence.</strong> A record's <tt>id</tt> is a
content hash; the same canonicalized body always produces the
same <tt>id</tt>. Erasing a record from a Vault's storage does not
remove the URI from any cache, log, or downstream Consumer
that observed it. The <tt>obsolete</tt> field provides soft-delete
semantics, not cryptographic forgetting.</t>
            </li>
            <li>
              <t><strong>Consent enforcement.</strong> The <tt>sygil.proof.consent</tt> proof carries
evidence that consent was asserted, not that consent is being
honored. A Vault may emit consent proofs against access patterns
that are inconsistent with the underlying receipt; the Protocol
provides no mechanism for the Consumer to detect such
inconsistency. Enforcement is a Vault responsibility.</t>
            </li>
            <li>
              <t><strong>Audit log integrity beyond reference.</strong> The
<tt>sygil.proof.audit</tt> proof references an audit log entry by URI;
the Protocol provides no guarantee that the referenced log
entry exists, is consistent with the record, or has not been
altered. Such guarantees are properties of the audit log
infrastructure (transparency log, witness cosigning) operated
by the Vault implementation.</t>
            </li>
            <li>
              <t><strong>Semantic correctness of asserted content.</strong> A record can be
structurally valid (validates against its declared schema, has a
reproducible content hash, is well-formed in every wire-level
sense) while making misleading or incorrect semantic claims about
the Subject's life -- a transaction record with the wrong
merchant category, a calendar event with a misleading title, a
health observation with an incorrect value. The Protocol provides
structural guarantees only. Records that are subject-asserted
(typed in by the Subject) or that result from inference rather
than direct source-system import are particularly exposed to
this: no upstream system signs them, and no proof object exists
that a Consumer can verify to establish content correctness. The
<tt>sygil.proof.provenance</tt> trust dimensions (<tt>cooperation_mode</tt>,
<tt>freshness</tt>, <tt>completeness</tt>, <tt>verifiability</tt>) and the
<tt>derived_from[]</tt> envelope field collectively let a Consumer
distinguish source-imported records from subject-asserted or
derived ones, but they do not establish content correctness for
any class. Consumers that act on the content of records without
further validation inherit the Producer's correctness, whatever
it is. The Protocol provides no defense against semantically-
misleading-but-structurally-valid records; defense is a
deployment, trust-anchoring, and Producer-vetting concern.</t>
            </li>
          </ol>
        </section>
        <section anchor="explicit-non-goals">
          <name>Explicit non-goals</name>
          <t>The following are explicit non-goals and are not within the scope
the Protocol claims:</t>
          <ul spacing="normal">
            <li>
              <t><strong>Differential privacy or k-anonymity guarantees.</strong></t>
            </li>
            <li>
              <t><strong>Onion-routed record retrieval or other transport-anonymity
primitives.</strong></t>
            </li>
            <li>
              <t><strong>Multi-party computation or secure aggregation of records across
Subjects.</strong></t>
            </li>
            <li>
              <t><strong>Zero-knowledge proof of record properties without revealing the
record.</strong></t>
            </li>
            <li>
              <t><strong>Private set intersection, encrypted query, or other
query-time-confidentiality primitives.</strong></t>
            </li>
            <li>
              <t><strong>Forward secrecy of past records given current key compromise.</strong></t>
            </li>
          </ul>
          <t>These are areas of active research and engineering; the Protocol
takes the position that they are best provided as composable layers
above or below Sygil-shaped data, not as Protocol-level mandates.</t>
        </section>
      </section>
      <section anchor="data-minimization">
        <name>Data minimization</name>
        <t>The Protocol does not enforce data minimization on records. A
namespace specification declares which fields a record may carry; a
Producer chooses which optional fields to populate.</t>
        <t>Two Protocol features support data minimization at the runtime level:</t>
        <ul spacing="normal">
          <li>
            <t><strong>The <tt>redaction_state</tt> envelope field</strong> (Section 4.2.4) labels a
served record as <tt>original</tt>, <tt>redacted</tt>, <tt>summary</tt>, or <tt>hash_only</tt>.
Vaults producing projections for less-trusted Consumers SHOULD use
these labels and SHOULD enforce that projections actually omit the
excluded content.</t>
          </li>
          <li>
            <t><strong>Per-namespace privacy classification.</strong> Each namespace
specification declares default privacy classes (<tt>public</tt>, <tt>redacted</tt>,
<tt>invisible</tt>) for individual fields. These are descriptive metadata
for runtimes; the Protocol does not enforce them.</t>
          </li>
        </ul>
        <t>Implementations SHOULD apply data minimization at the projection
layer: records served to Agents performing narrow tasks should carry
only the fields necessary for the task. The Protocol provides the
labels that make this discipline possible; the Vault implementation
applies it.</t>
      </section>
      <section anchor="subject-consent-and-control">
        <name>Subject consent and control</name>
        <t>The <tt>sygil.proof.consent</tt> proof object (Section 5.7) carries
consent-receipt evidence on the wire alongside a record. Consent
receipts MAY follow the W3C Data Privacy Vocabulary, ISO/IEC TS
27560:2023 <xref target="ISO-27560"/>, or other consent-receipt schemes; the
Protocol specifies the proof shape but not the receipt format.</t>
        <t>The presence of a <tt>sygil.proof.consent</tt> proof object asserts that the
Producer claims a consent receipt covers the access. As discussed in
Section 8.7 (Limits of Protocol-level guarantees), the proof's
presence is evidence of assertion, not of correctness. A Vault
implementation is responsible for actually obtaining, recording, and
honoring consent; the Protocol provides the wire vocabulary for
referencing the resulting receipt.</t>
        <t>A Subject's withdrawal of consent is reflected in the envelope via
<tt>obsolete: true</tt> with <tt>obsolete_reason: withdrawn_consent</tt>. Runtime
cascades -- propagating the withdrawal to derived records, to caching
Consumers, to downstream Agents -- are runtime concerns and not
specified by the Protocol.</t>
      </section>
      <section anchor="re-identification">
        <name>Re-identification</name>
        <t>Sygil records carry rich personal data and explicit cross-namespace
references. A record's <tt>subject_did</tt> is by design stable across all
records about the same Subject; this enables interoperability but also
makes cross-domain join attacks straightforward for an attacker with
access to records across namespaces.</t>
        <t>The Protocol's <tt>subject_did</tt> is intentionally linkable. Implementations
that require unlinkable Subject identifiers MUST employ a different
identifier scheme outside the Protocol; the trade-off is that
unlinkable records are not interoperable across namespaces, which
defeats much of the Protocol's purpose.</t>
        <t>Specific re-identification considerations:</t>
        <ul spacing="normal">
          <li>
            <t><strong>Cross-namespace joins.</strong> A <tt>subject_did</tt> shared across calendar,
health, and finance records yields a much more identifying profile
than any single namespace's records. Implementations serving records
across namespaces SHOULD apply per-namespace authorization and
SHOULD NOT serve unrestricted cross-namespace queries without policy
controls.</t>
          </li>
          <li>
            <t><strong>Quasi-identifiers in metadata.</strong> Envelope fields such as
<tt>created_at</tt>, <tt>updated_at</tt>, <tt>language[]</tt>, and the <tt>connector_id</tt>
and <tt>imported_at</tt> fields of <tt>sygil.proof.provenance</tt> can
themselves be quasi-identifying. A record claiming language
<tt>["pt-BR"]</tt> and import via a specific Brazilian banking connector
identifies the Subject's locale and banking relationship even if
the Subject DID is concealed. Earlier drafts also included a
<tt>jurisdiction[]</tt> envelope field which would have been a strong
quasi-identifier; that field was removed in v01, but runtime
systems that derive jurisdictional binding from <tt>subject_did</tt> and
source-system content should be aware that the same quasi-
identifying signal exists in those derivations and should be
handled with the same care.</t>
          </li>
          <li>
            <t><strong>Reference graphs.</strong> The <tt>derived_from[]</tt> lineage and inline
references between records form a graph that may be more identifying
than any individual record. Anonymization of records does not
anonymize the reference graph.</t>
          </li>
          <li>
            <t><strong>Social graphs are strong quasi-identifiers.</strong> The <tt>sygil.v1.social</tt>
namespace carries the Subject's follow, block, mute, and like edges.
A social graph is among the strongest quasi-identifiers in the
Protocol: an individual's set of follows is frequently near-unique,
and block and mute lists reveal conflict, estrangement, and private
judgment that the Subject specifically chose not to make public. The
Protocol classifies follow and like edges as <tt>redacted</tt> and block and
mute edges as <tt>invisible</tt> by default for this reason (the social
namespace's privacy classification hints), but implementations should
treat the aggregate social graph as more sensitive than any single
edge, and should be aware that joining a Subject's social graph with
their public posts (which the Subject deliberately published) is a
powerful correlation surface even though the posts themselves are
public.</t>
          </li>
        </ul>
      </section>
      <section anchor="intent-posture-and-deliberately-published-content">
        <name>Intent posture and deliberately-published content</name>
        <t>The <tt>sygil.v1.social</tt> namespace introduces content that is <strong>public by
the Subject's deliberate act</strong> -- posts, replies, reposts, and
quote-posts the Subject broadcast to a public audience. This is a
different privacy posture from every other namespace in the Protocol,
where the default is protect-unless-told-otherwise. To represent it,
the Schema defines a second field-classification axis, the <strong>intent
posture</strong> (<tt>public_by_intent</tt>), orthogonal to the sensitivity axis
(<tt>public</tt> / <tt>redacted</tt> / <tt>invisible</tt>).</t>
        <t>The intent posture makes a narrow assertion: that re-exposing content
the Subject deliberately published is <strong>not a new disclosure of
originally-private data</strong>, because the content was never private. It
does <strong>not</strong> assert that the content is safe to surface in any
context -- re-surfacing appropriateness remains the joint product of
the sensitivity axis and the projection context. A Subject can
deliberately publish sensitive content (a public post disclosing a
medical condition); such a field is <tt>public_by_intent</tt> (the Subject
broadcast it) and may also warrant <tt>redacted</tt> sensitivity handling
(an implementation should not casually re-surface it in unrelated
contexts). The two axes are independent; neither is derivable from the
other.</t>
        <t>The posture attaches only to content the Subject authored or
affirmatively published. It does not attach to content that is merely
about the Subject, merely visible on a public platform, or merely
retrievable through an API. In particular, a Subject's social graph
(follows, blocks, mutes, likes) is <strong>not</strong> <tt>public_by_intent</tt> even
when a platform exposes it publicly: platform exposure is the
platform's decision, not the Subject's act of publication. This
distinction is what prevents the publicness of a post from leaking
onto the surrounding graph -- the most sensitive social data -- when an
implementation reasons about social records.</t>
        <t>The intent posture is descriptive classification metadata that runtime
projection policy consumes; it does not override projection. The
authorship constraint (the posture is invalid for records where the
Subject is referent rather than author) is enforced by the social
namespace's validation rules in the companion Schema. Implementations
processing <tt>sygil.v1.social</tt> records SHOULD honor the intent posture
as an input to projection decisions and MUST NOT treat it as a
blanket license to re-surface published content without regard to the
sensitivity axis and the projection context.</t>
      </section>
      <section anchor="conversation-archives">
        <name>Conversation archives</name>
        <t>The <tt>sygil.v1.conversation</tt> namespace carries the data subject's
archived conversations with AI models. These are among the most
sensitive payloads the Protocol can carry -- often more candid than any
other source, because subjects reason out loud with an assistant in a
way they may not with any person. A conversation archive routinely
contains health, legal, financial, relationship, and other intimate
disclosures; political and religious views; and unfiltered first-draft
thinking, including abandoned branches the subject may consider more
private than the conclusion they reached.</t>
        <t>Two properties of the data class warrant specific note. First, the
content frequently concerns <strong>other people</strong> who were not party to the
conversation and did not consent to its archiving -- a subject
discussing a colleague, a family member, or a third party. The Protocol
does not represent this as a <tt>subject_scope</tt> distinction (the turn
remains the subject's archived artifact regardless of whom it
discusses); it is handled by the sensitivity axis, with every
conversation record classified highly sensitive (concealed) by
default, so that third-party content within a transcript is concealed
along with everything else. Second, the content commonly contains
<strong>embedded secrets</strong> -- pasted credentials, private keys, proprietary
source. The Protocol treats conversation content bodies as opaque
highly-sensitive material; an implementation MAY scan for secrets on
import, but any such scan result is implementation-private and is not
part of the Protocol's record shape, and scanning MUST NOT silently
alter content (which would break the record's content-addressed
identity).</t>
        <t>Because the namespace is ImportOnly, the Protocol's revocation model
for it is purge rather than token revocation: the subject's grant is
the act of uploading an export, and revocation is the deletion of the
materialized records. Implementations SHOULD treat conversation
content bodies as ineligible for any informational log stream and
SHOULD retain raw uploaded archives only as long as parsing requires.</t>
      </section>
      <section anchor="derived-data-amplification">
        <name>Derived data amplification</name>
        <t>Sygil's <tt>derived_from[]</tt> envelope field (Section 4.2.4) captures the
case where a record was produced by combining or transforming other
records. This case is common -- an agent producing a weekly health
summary from daily wearable observations, an inference engine
extracting a calendar event from an email thread, an analyst
aggregating financial transactions into a quarterly cash-flow
projection.</t>
        <t>The privacy concern this subsection addresses: <strong>a derived record
can have higher sensitivity than the records it was derived from</strong>.
The classic example: ten individually low-sensitivity location
records (a coffee shop, a gym, a grocery store) aggregated into a
single record may reveal a home address with high precision. Ten
individually low-sensitivity transaction records may aggregate into
a record that discloses health conditions through inference (a
sequence of pharmacy charges, copay amounts, and lab fees). Each
source record carries its namespace's standard privacy
classification; the derived record's classification is not
mechanically derivable from the sources.</t>
        <section anchor="protocol-level-position">
          <name>Protocol-level position</name>
          <t>The Protocol provides the mechanisms by which derived records
declare their lineage:</t>
          <ul spacing="normal">
            <li>
              <t><tt>derived_from[]</tt> carries derivation-reference objects whose
<tt>source_record</tt> fields hold the <tt>sygil://</tt> URIs of the source records.</t>
            </li>
            <li>
              <t><tt>sygil.proof.provenance</tt> (Section 5.4) carries the source-system
trust dimensions for source-imported records. Records produced
by inference or aggregation rather than direct source import
generally do not carry a provenance proof in the same form;
Producers SHOULD instead document the derivation lineage through
<tt>derived_from[]</tt> and through a derivation-specific proof type if
one is registered (the <tt>sygil.proof.derivation</tt> proof type is a
candidate for future registration but is not specified by this
document).</t>
            </li>
            <li>
              <t>The privacy classification framework (Section 4.2.6) lets the
derived record's namespace declare per-field classifications
that may be more restrictive than the source records'.</t>
            </li>
          </ul>
          <t>The Protocol does NOT provide:</t>
          <ul spacing="normal">
            <li>
              <t>Automatic re-classification of derived records based on source
classification. The Protocol does not specify a derivation
arithmetic -- a record derived from <tt>public</tt> sources is not
automatically <tt>public</tt>, nor is a record derived from <tt>redacted</tt>
sources automatically <tt>redacted</tt>. Per-field classification on
the derived record is the namespace specification's
responsibility.</t>
            </li>
            <li>
              <t>Detection or prevention of sensitivity amplification through
inference. The Protocol cannot, in general, determine whether a
derived record discloses information beyond what its source
records disclose individually.</t>
            </li>
          </ul>
        </section>
        <section anchor="implementation-guidance">
          <name>Implementation guidance</name>
          <t>A Producer creating a derived record SHOULD classify the derived
record's fields independently of the source records' classifications.
If the derivation method is known to amplify sensitivity (statistical
aggregation across many source records, machine-learning inference
across heterogeneous source records, joins across sensitive
namespaces), the Producer SHOULD apply more restrictive privacy
classifications to the derived record's fields than the average
source record carries.</t>
          <t>A Vault implementation serving derived records SHOULD apply
projection policies appropriate to the derived record's
classification, not policies inherited from the source records. A
weekly health summary aggregating daily observations is a health
observation in its own right; serving it under the daily
observations' policy understates its sensitivity.</t>
          <t>A Consumer receiving a derived record (a record carrying a non-empty
<tt>derived_from[]</tt> array) SHOULD treat the derivation as a sensitivity
signal independent of any individual proof object: derived records
may carry higher sensitivity than the source records the Consumer
might otherwise be authorized for, regardless of the trust
dimensions on any source-system provenance proof.</t>
        </section>
        <section anchor="wire-level-handle-derivedfrom-is-query-filterable">
          <name>Wire-level handle: <tt>derived_from[]</tt> is query-filterable</name>
          <t>A Consumer concerned about derived-data sensitivity has a wire-level
handle to control its exposure: the <tt>derived_from[]</tt> envelope field
(Section 4.2.4) is filterable via the standard reference-traversal
predicate (Section 4.10.2). A Consumer that wishes to exclude
derived records altogether can issue queries that filter on the
field's emptiness; a Consumer that wishes to receive only records
derived from a particular source can issue a query traversing the
specific source URI. The Protocol does not provide a "not-equal" or
"is-empty" predicate, so finer filters require runtime-side
post-processing; nonetheless, the reference-traversal primitive on
<tt>derived_from[]</tt> is the wire-level mechanism by which a Consumer's
sensitivity policy can be expressed at query time. The
<tt>sygil.proof.provenance.cooperation_mode</tt> query filter
(<tt>cooperation_mode_in=...</tt>, Section 4.10.6) provides an additional
trust-dimension handle for filtering by the source-system's
cooperation posture.</t>
          <t>This is the explicit linkage between the privacy classification
framework (which describes per-field sensitivity intrinsic to
namespaces) and the query mechanism (which lets a Consumer's
deployment policy filter records by their derivation lineage and by
their source-system cooperation mode).</t>
          <t>(Earlier drafts of this Protocol surfaced derivation kind as an
envelope-level enum field, <tt>provenance_quality</tt>. That field was
removed in the v0.3 reconciliation that produced this v01 increment;
its semantics now distribute across <tt>derived_from[]</tt> for lineage and
the trust dimensions of <tt>sygil.proof.provenance</tt> for source-import
quality. A future Protocol revision MAY introduce a
<tt>sygil.proof.derivation</tt> proof type to carry derivation-specific
trust dimensions; this document does not specify it.)</t>
        </section>
        <section anchor="why-the-protocol-does-not-enforce-this">
          <name>Why the Protocol does not enforce this</name>
          <t>A protocol that mechanically prevented derived records from being
served at lower sensitivity than their sources would either:</t>
          <ul spacing="normal">
            <li>
              <t>Require the Protocol to specify an arithmetic of sensitivity
classes (which would constrain runtime privacy policy in ways
that vary substantially across deployments), or</t>
            </li>
            <li>
              <t>Require runtimes to refuse to serve derived records at all
whenever amplification might be present (which would defeat the
use case of derived records).</t>
            </li>
          </ul>
          <t>The Protocol takes the position that derivation arithmetic is a
deployment policy concern: the namespace specification declares
per-field classifications, the Producer applies a derivation
discipline, the Vault applies a projection discipline, and the
Consumer applies a use-policy discipline. The Protocol provides
the labels and the structural framework; the discipline lives at
the runtime layer.</t>
        </section>
      </section>
      <section anchor="linkability">
        <name>Linkability</name>
        <t>By design, records about the same Subject share a <tt>subject_did</tt> and
are linkable. This is a deliberate trade-off; it enables cross-domain
agent reasoning, which is the primary use case the Protocol exists to
serve.</t>
        <t>Implementations that require unlinkability for specific records or
specific Subjects MUST employ separate Subject DIDs (e.g., per-context
<tt>did:key</tt> identifiers) and accept that records under those identifiers
are not joinable to records under the Subject's primary DID. The
Protocol does not provide an in-band linkage-control mechanism beyond
this segregation.</t>
      </section>
      <section anchor="subject-rights-and-erasure">
        <name>Subject rights and erasure</name>
        <t>Most jurisdictions in which Sygil is likely to be deployed (EU GDPR,
US state-level CCPA-equivalents, Canadian PIPEDA, Brazilian LGPD,
others) recognize Subject rights including access, rectification, and
erasure. Sygil's content-addressable identifiers complicate naive
erasure: the <tt>id</tt> URI is bound to the canonicalized record body and
the same body always hashes to the same URI, so an erased record's URI
remains a stable referent.</t>
        <t>The Protocol provides:</t>
        <ul spacing="normal">
          <li>
            <t><strong>Soft-delete via <tt>obsolete: true</tt></strong> with <tt>obsolete_reason</tt> (Section
4.2.4). The original record's <tt>id</tt> URI remains stable, but the
record is marked as no longer current. Runtimes that honor
soft-delete filter <tt>obsolete: true</tt> records out of query results by
default.</t>
          </li>
          <li>
            <t><strong>The <tt>obsolete_reason: withdrawn_consent</tt></strong> value specifically
signals consent withdrawal, supporting GDPR Article 17 erasure
flows.</t>
          </li>
          <li>
            <t><strong>The NSID extension pattern (Section 4.2.5) and <tt>_proofs</tt>
extensibility</strong> allow vault implementations to attach
erasure-specific metadata. Deletion-receipt records can be
published under the implementation's community namespace
(<tt>sygil.community.{publisher}.deletion_receipt.*</tt>); retention-
honoring audit log entries are referenced via <tt>sygil.proof.audit</tt>
per Section 5.8. Neither requires modifying the canonical record
being soft-deleted.</t>
          </li>
        </ul>
        <t>Hard erasure -- actually removing the record from storage -- is a Vault
runtime concern. The Protocol does not specify how a Vault implements
erasure under regulatory requirement; vault-implementation
specifications address this.</t>
        <t>The <tt>expires_at</tt> envelope field and <tt>retention_policy</tt> reverse-DNS
identifier (Section 4.2.4) support retention-driven expiry. Records
whose <tt>expires_at</tt> time has passed are signaled as expired; how a
Vault implements expiry-driven deletion is a Vault concern.</t>
      </section>
      <section anchor="reserved-invariant-on-canonical-content-addressing">
        <name>Reserved invariant on canonical content addressing</name>
        <t>A reserved invariant of the Protocol, surfaced during the v0.3
reconciliation that produced this v01 increment, is that all v1
records are canonical self-contained Sygil records. Every record
carries a complete envelope; the <tt>id</tt> is hash-over-canonical-form
(per Section 4.4-4.5); content addressing is byte-stable across
implementations.</t>
        <t>Any future transmission optimization that omits fields from
individual records on the wire -- for example, a token-efficient
batch projection that strips repeated subject DIDs across a batch
of records returned to an Agent -- MUST preserve <tt>id</tt> as
hash-over-canonical-form. The optimization can transmit fewer
bytes; the records' identity must remain hash-equivalent to what
canonical-form transmission would produce.</t>
        <t>This invariant is normative for the Protocol's evolution: future
specification increments that introduce batch optimizations,
columnar projections, agent-shaped formats, or any other
non-canonical wire forms MUST specify how each form maps back to
a canonical Sygil record before content-hash verification. v01
does not specify any such optimization; the invariant exists to
preserve the design space.</t>
        <t>The Protocol's regulatory-agnostic stance (a value preserved
across all v1 increments) means that jurisdictional binding,
cross-border data transfer rules, and similar regulatory-routing
concerns are runtime, deployment, and legal concerns, not
Protocol-level concerns. Earlier drafts of this Protocol reserved
a <tt>jurisdiction[]</tt> envelope field for jurisdictional binding; v01
removes the field per the v0.3 reconciliation because runtime
derivation from <tt>subject_did</tt>, source system, and record content
is the more honest model. Implementations operating across
jurisdictional boundaries SHOULD ensure that runtime policies
honor jurisdiction-specific requirements; the Protocol does not
provide a wire-level mechanism for declaring or enforcing
jurisdictional bindings.</t>
      </section>
      <section anchor="identifier-privacy">
        <name>Identifier privacy</name>
        <t>A Subject DID embedded in every <tt>sygil://</tt> URI for that Subject's
records is, by design, a stable identifier of the Subject. Where DID
methods support pairwise-pseudonymous identifiers (e.g., generating a
fresh <tt>did:key</tt> per relying party), Subjects may employ them to limit
cross-relying-party correlation; the Protocol does not require or
prohibit this practice.</t>
        <t>The <tt>source_record_id_hash</tt> field of <tt>sygil.proof.provenance</tt> (Section
5.4) hashes rather than embeds the upstream source-system identifier,
to avoid leaking that identifier to downstream Consumers.
Implementations MUST NOT include un-hashed upstream identifiers in
this field.</t>
      </section>
      <section anchor="query-based-inference-and-side-channels">
        <name>Query-based inference and side channels</name>
        <t>The Protocol's query grammar (Section 4.10) lets Consumers retrieve
records by namespace, time range, field equality, reference
traversal, text search, and quality dimensions. Even when individual
records are appropriately classified, redacted, and projected, the
<strong>queries themselves</strong> can leak sensitive information through side
channels that the Protocol does not defend against.</t>
        <t>The principal classes of query-based inference attack:</t>
        <ul spacing="normal">
          <li>
            <t><strong>Presence/absence inference.</strong> A query like <tt>?q=specific_term</tt>
returning zero results vs. one or more results discloses that
the queried term does or does not appear in any record visible
to the querying Consumer. For sensitive terms (medical
conditions, legal proceedings, particular relationships),
presence/absence is itself disclosure, even when the underlying
records would have been served redacted.</t>
          </li>
          <li>
            <t><strong>Count inference.</strong> A query returning a specific count discloses
how many records of a given shape exist for the Subject. Counts
across queries can be combined to infer attributes the records
themselves are redacted to conceal (e.g., counts of records in
pharmacy, lab, and clinic namespaces over a time range can imply
health conditions even when the records are individually
hash-only or summary-projected).</t>
          </li>
          <li>
            <t><strong>Timing side channels.</strong> The latency at which a Vault responds to
a query can disclose whether the query traversed an index, hit
a cache, was filtered by an authorization rule, or required a
cross-namespace join. A Consumer measuring response timings can
infer record existence, projection level applied, or
authorization policy structure.</t>
          </li>
          <li>
            <t><strong>Pagination cursor leakage.</strong> Opaque pagination cursors may
encode position information that, in aggregate, discloses
ordering or count properties of the underlying record set.
Cursors that round-trip through Consumer storage can also
unintentionally persist record-existence signals.</t>
          </li>
        </ul>
        <t>The Protocol does not provide defenses against any of the above.
Mitigations are runtime concerns and depend on properties of the
Vault implementation, the transport, and the deployment posture:</t>
        <ul spacing="normal">
          <li>
            <t>Constant-time response policies that pad to a deployment-defined
minimum response latency.</t>
          </li>
          <li>
            <t>Differential-privacy-style noise injection at the count- or
histogram-aggregate level for queries known to be at risk of
inference.</t>
          </li>
          <li>
            <t>Authorization rules that refuse queries whose result-set size
would itself disclose information (e.g., refusing queries that
would return exactly zero or exactly one record).</t>
          </li>
          <li>
            <t>Cursor formats that contain only opaque identifiers and no
position information, sized identically across the cursor space.</t>
          </li>
        </ul>
        <t>These mitigations are deployment-level engineering choices, not
Protocol-level mandates. The Protocol's position is that query-
based inference is real and material, that the wire format does
not defend against it, and that Consumers needing protection
against these attack classes obtain it from the Vault implementation
and the transport, not from the Protocol.</t>
        <t>This subsection complements Section 9.1's "What the Protocol does
not guarantee" list, where wire-level confidentiality, quasi-
identifier protection, and unlinkability are also stated as
non-guarantees. Query-based inference is the active counterpart of
those static non-guarantees: a Consumer with access to the query
surface has more inference power than a Consumer reading static
records would have, and the Protocol does not constrain the query
surface to remove that power.</t>
      </section>
      <section anchor="implications-of-proof-bearing-responses">
        <name>Implications of proof-bearing responses</name>
        <t>The Protocol's proof-object vocabulary means that records served to a
Consumer carry metadata about their provenance, the consents that
authorize their access, and (where applicable) the audit log entries
referencing the access. This is by design -- agents reasoning about
trust need this metadata -- but it has privacy implications:</t>
        <ul spacing="normal">
          <li>
            <t><strong>Proof objects increase the data footprint of each record on the
wire.</strong> A <tt>sygil.proof.consent</tt> proof carrying DPV categories and
legal basis reveals more about the access pattern than a record
served without provenance metadata.</t>
          </li>
          <li>
            <t><strong>Audit log URIs are themselves data.</strong> A <tt>sygil.proof.audit</tt> proof
with <tt>log_entry_uri</tt> reveals the existence and location of an audit
log entry; in some threat models this metadata is sensitive.</t>
          </li>
        </ul>
        <t>Implementations sensitive to these leaks MAY omit specific proof types
from records served to less-trusted Consumers; doing so does not
invalidate the records (proofs are optional). The trade-off is that
Consumers cannot then verify the corresponding trust property.</t>
      </section>
      <section anchor="subject-protective-defaults">
        <name>Subject-protective defaults</name>
        <t>Implementations producing records on behalf of a Subject SHOULD apply
subject-protective defaults:</t>
        <ul spacing="normal">
          <li>
            <t><tt>subject_scope</tt> defaults to <tt>sole</tt> (the most restrictive interpretation).</t>
          </li>
          <li>
            <t><tt>obsolete</tt> defaults to <tt>false</tt> (no soft-delete by default).</t>
          </li>
          <li>
            <t><tt>language[]</tt> defaults to empty (no language assertion until one is
needed).</t>
          </li>
          <li>
            <t><tt>derived_from[]</tt> defaults to empty (no derivation lineage until
one is asserted).</t>
          </li>
        </ul>
        <t>The defaults are conservative: a record produced with default values
makes minimal claims, which limits the Consumer's exposure to overstated
trust assertions.</t>
      </section>
      <section anchor="data-privacy-vocabulary-alignment">
        <name>Data Privacy Vocabulary alignment</name>
        <t>The <tt>sygil.proof.consent</tt> proof's <tt>dpv_categories</tt>, <tt>purpose</tt>, and
<tt>legal_basis</tt> fields align to the W3C Data Privacy Vocabulary (DPV),
which provides standardized terms for consent records, processing
purposes, and legal bases under GDPR and equivalent frameworks. This
alignment is informative; the Protocol does not require the use of DPV
terms, but recommends them where applicable.</t>
        <t>ISO/IEC TS 27560:2023 <xref target="ISO-27560"/> consent record information
structure is similarly aligned with DPV via the W3C DPV community
group's published implementation guidance. Implementations using
27560-shaped consent receipts as the substrate for
<tt>sygil.proof.consent</tt> proofs are encouraged to populate the DPV-aligned
fields for cross-system interoperability.</t>
      </section>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <t>This document requests three IANA actions: the provisional registration
of the <tt>sygil</tt> URI scheme, the registration of the
<tt>application/sygil+json</tt> media type, and the establishment of a Sygil
Proof Object Types registry.</t>
      <section anchor="registration-of-the-sygil-uri-scheme-provisional">
        <name>Registration of the <tt>sygil</tt> URI scheme (provisional)</name>
        <t>This document requests the provisional registration of the <tt>sygil</tt> URI
scheme per <xref target="RFC7595"/>.</t>
        <dl>
          <dt>URI scheme name:</dt>
          <dd>
            <t>sygil</t>
          </dd>
          <dt>Status:</dt>
          <dd>
            <t>Provisional</t>
          </dd>
          <dt>Applications and/or protocols which use this URI scheme name:</dt>
          <dd>
            <t>The Sygil Protocol, an open schema and query grammar for cross-domain
personal data, as specified in this document.</t>
          </dd>
          <dt>Contact:</dt>
          <dd>
            <t>Evan Carr &lt;evan@sygil.id&gt;</t>
          </dd>
          <dt>Change controller:</dt>
          <dd>
            <t>Sygil PBC, until such time as a community-governed entity (e.g., a
W3C Community Group, an IETF working group, or an independent
foundation) assumes change control. Subsequent changes will be
recorded in updates to this registration.</t>
          </dd>
          <dt>References:</dt>
          <dd>
            <t>This document.</t>
          </dd>
          <dt>URI scheme syntax:</dt>
          <dd>
            <sourcecode type="abnf"><![CDATA[
sygil-URI    = "sygil://" subject-did "/" nsid "/" content-hash
subject-did  = "did:" method-name ":" method-specific-id
               ; per [W3C-DID]
nsid         = label *( "." label )
               ; reverse-DNS, per Section 4.3
content-hash = algorithm "-" 1*base64url-char
algorithm    = "blake3"
               ; v1 uses BLAKE3; future major Protocol versions
               ; may register additional algorithms
base64url-char = ALPHA / DIGIT / "-" / "_"
               ; base64url alphabet per [RFC4648] Section 5,
               ; without padding (see Section 4.5.3)
]]></sourcecode>
          </dd>
          <dt>URI scheme semantics:</dt>
          <dd>
            <t>A <tt>sygil</tt> URI identifies a Sygil record by the cryptographic hash of
its canonical serialization. The URI is implementation-neutral; it
does not encode hostname, port, or path. Resolution to a record
representation is a separate concern handled by the carrier protocol
or by Vault implementations.</t>
          </dd>
          <dt>Encoding considerations:</dt>
          <dd>
            <t>The URI is composed of US-ASCII characters. The DID component, NSID
component, and content-hash component are all already restricted to
US-ASCII per their respective specifications.</t>
          </dd>
          <dt>Interoperability considerations:</dt>
          <dd>
            <t>All v1 implementations of the Sygil Protocol use BLAKE3 as the
content-hash algorithm and JCS <xref target="RFC8785"/> as the canonicalization
rule. Implementations that produce or consume <tt>sygil</tt> URIs MUST
agree on these or interoperability fails.</t>
          </dd>
          <dt>Security considerations:</dt>
          <dd>
            <t>See Section 8 of this document.</t>
          </dd>
        </dl>
      </section>
      <section anchor="registration-of-the-applicationsygiljson-media-type">
        <name>Registration of the <tt>application/sygil+json</tt> media type</name>
        <t>This document requests the registration of the
<tt>application/sygil+json</tt> media type per <xref target="RFC6838"/>.</t>
        <dl>
          <dt>Type name:</dt>
          <dd>
            <t>application</t>
          </dd>
          <dt>Subtype name:</dt>
          <dd>
            <t>sygil+json</t>
          </dd>
          <dt>Required parameters:</dt>
          <dd>
            <t>None.</t>
          </dd>
          <dt>Optional parameters:</dt>
          <dd>
            <t>None.</t>
          </dd>
          <dt>Encoding considerations:</dt>
          <dd>
            <t>Binary; UTF-8 only. Records are serialized in canonical JSON per
<xref target="RFC8785"/> (Section 4.5 of this document).</t>
          </dd>
          <dt>Security considerations:</dt>
          <dd>
            <t>See Section 8 of this document.</t>
          </dd>
          <dt>Interoperability considerations:</dt>
          <dd>
            <t>Records labeled with this media type MUST validate against the
Sygil envelope specified in Section 4.2 and against the schema for
the namespace declared by the record's <tt>@type</tt> field. The canonical
serialization rules of Section 4.5 apply.</t>
          </dd>
          <dt>Published specification:</dt>
          <dd>
            <t>This document.</t>
          </dd>
          <dt>Applications that use this media type:</dt>
          <dd>
            <t>Implementations of the Sygil Protocol; storage systems handling
Sygil records; Vault implementations; Consumer applications
(including AI Agents).</t>
          </dd>
          <dt>Fragment identifier considerations:</dt>
          <dd>
            <t>None defined by this document.</t>
          </dd>
          <dt>Additional information:</dt>
          <dd>
  </dd>
          <dt>Magic numbers:</dt>
          <dd>
            <t>None.</t>
          </dd>
          <dt>Deprecated alias names:</dt>
          <dd>
            <t>None.</t>
          </dd>
          <dt>File extensions:</dt>
          <dd>
            <t>.sygil, .sygil.json</t>
          </dd>
          <dt>Macintosh file type code:</dt>
          <dd>
            <t>None.</t>
          </dd>
          <dt>Person and email address to contact for further information:</dt>
          <dd>
            <t>Evan Carr &lt;evan@sygil.id&gt;</t>
          </dd>
          <dt>Intended usage:</dt>
          <dd>
            <t>Common.</t>
          </dd>
          <dt>Restrictions on usage:</dt>
          <dd>
            <t>None.</t>
          </dd>
          <dt>Author:</dt>
          <dd>
            <t>Evan Carr</t>
          </dd>
          <dt>Change controller:</dt>
          <dd>
            <t>Sygil PBC, until such time as a community-governed entity assumes
change control.</t>
          </dd>
        </dl>
      </section>
      <section anchor="sygil-proof-object-types-registry">
        <name>Sygil Proof Object Types registry</name>
        <t>This document requests the establishment of a new IANA registry named
"Sygil Proof Object Types" per <xref target="RFC8126"/>.</t>
        <dl>
          <dt>Registry name:</dt>
          <dd>
            <t>Sygil Proof Object Types</t>
          </dd>
          <dt>Description:</dt>
          <dd>
            <t>Identifiers for proof object types that may appear in the <tt>_proofs</tt>
array of a Sygil record (Section 5).</t>
          </dd>
          <dt>Registration policy:</dt>
          <dd>
            <t>Specification Required (per <xref target="RFC8126"/> Section 4.6).</t>
          </dd>
          <dt>Designated expert review criteria:</dt>
          <dd>
            <t>Designated experts are responsible for ensuring that:</t>
            <ul spacing="normal">
              <li>
                <t>The proposed <tt>@type</tt> value follows the reverse-DNS pattern (e.g.,
<tt>sygil.proof.{name}</tt> for proof types defined by the Sygil
specification, or <tt>{publisher.domain}.{name}</tt> for proof types
defined by other parties).</t>
              </li>
              <li>
                <t>The <tt>@type</tt> value does not collide with an existing registration.</t>
              </li>
              <li>
                <t>The proof object's intended semantics, field set, and verification
procedure are documented in a published specification.</t>
              </li>
              <li>
                <t>The registration includes a stable contact and change controller.</t>
              </li>
            </ul>
            <t>Experts SHOULD reject registrations whose <tt>@type</tt> value uses the
<tt>sygil.proof.*</tt> prefix unless the registration is made by the Sygil
specification's change controller.</t>
          </dd>
          <dt>Required information for registrations:</dt>
          <dd>
  </dd>
        </dl>
        <ul spacing="normal">
          <li>
            <t>Proof object type identifier (<tt>@type</tt> value).</t>
          </li>
          <li>
            <t>Brief description of the proof's semantics.</t>
          </li>
          <li>
            <t>Reference to the specification defining the proof object's field
set and verification procedure.</t>
          </li>
          <li>
            <t>Change controller (party responsible for future changes to the
registration).</t>
          </li>
          <li>
            <t>Contact information.</t>
          </li>
        </ul>
        <dl>
          <dt>Initial registry contents:</dt>
          <dd>
  </dd>
        </dl>
        <table>
          <thead>
            <tr>
              <th align="left">@type</th>
              <th align="left">Reference</th>
              <th align="left">Change controller</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">
                <tt>sygil.proof.provenance</tt></td>
              <td align="left">Section 5.4 of this document</td>
              <td align="left">Sygil PBC</td>
            </tr>
            <tr>
              <td align="left">
                <tt>sygil.proof.capability</tt></td>
              <td align="left">Section 5.5 of this document</td>
              <td align="left">Sygil PBC</td>
            </tr>
            <tr>
              <td align="left">
                <tt>sygil.proof.consent</tt></td>
              <td align="left">Section 5.6 of this document</td>
              <td align="left">Sygil PBC</td>
            </tr>
            <tr>
              <td align="left">
                <tt>sygil.proof.attestation</tt></td>
              <td align="left">Section 5.7 of this document</td>
              <td align="left">Sygil PBC</td>
            </tr>
            <tr>
              <td align="left">
                <tt>sygil.proof.audit</tt></td>
              <td align="left">Section 5.8 of this document</td>
              <td align="left">Sygil PBC</td>
            </tr>
          </tbody>
        </table>
        <dl>
          <dt>Change procedures:</dt>
          <dd>
            <t>Once registered, a proof type's <tt>@type</tt> value, semantics, and field
set are immutable per the Protocol's compatibility policy (Section
6.5). Additional optional fields may be added in successor
registrations under a different <tt>@type</tt> (e.g.,
<tt>sygil.proof.provenance.v2</tt>); no in-place modification of an existing
proof type is permitted.</t>
          </dd>
        </dl>
      </section>
      <section anchor="sygil-nsid-extension-publishers-registry">
        <name>Sygil NSID Extension Publishers registry</name>
        <t>This document requests the establishment of a new IANA registry named
"Sygil NSID Extension Publishers" per <xref target="RFC8126"/>.</t>
        <dl>
          <dt>Registry name:</dt>
          <dd>
            <t>Sygil NSID Extension Publishers</t>
          </dd>
          <dt>Description:</dt>
          <dd>
            <t>Identifiers for publishers of records under the
<tt>sygil.community.{publisher}.*</tt> extension namespace (Section
4.2.5).</t>
          </dd>
          <dt>Registration policy:</dt>
          <dd>
            <t>Expert Review (per <xref target="RFC8126"/> Section 4.5) for publisher
identifiers not under controlled domains. Publisher identifiers
identical to a domain controlled by the registrant MAY be
registered without expert review, subject to verification of
domain control by the change controller.</t>
          </dd>
          <dt>Designated expert review criteria:</dt>
          <dd>
            <t>Designated experts are responsible for ensuring that:</t>
            <ul spacing="normal">
              <li>
                <t>The proposed publisher identifier follows the reverse-DNS
label-dot-label grammar.</t>
              </li>
              <li>
                <t>The publisher identifier does not collide with an existing
registration.</t>
              </li>
              <li>
                <t>The registrant has a credible affiliation with the namespace
they propose to publish under (e.g., they control the domain,
they operate the product, they are the maintainer of the
open-source project).</t>
              </li>
              <li>
                <t>The registration includes a stable contact and change
controller.</t>
              </li>
            </ul>
          </dd>
          <dt>Required information for registrations:</dt>
          <dd>
  </dd>
        </dl>
        <ul spacing="normal">
          <li>
            <t>Publisher identifier (the reverse-DNS-shaped value).</t>
          </li>
          <li>
            <t>Brief description of the publisher and the records they
intend to publish under
<tt>sygil.community.{publisher}.*</tt>.</t>
          </li>
          <li>
            <t>Change controller (party responsible for future changes to
the registration).</t>
          </li>
          <li>
            <t>Contact information.</t>
          </li>
        </ul>
        <dl>
          <dt>Initial registry contents:</dt>
          <dd>
  </dd>
        </dl>
        <t>(none -- the registry opens empty)</t>
        <dl>
          <dt>Change procedures:</dt>
          <dd>
            <t>Publisher identifiers are immutable once registered. To change
an identifier, register a new one and migrate; the old
registration MAY be marked deprecated but MUST NOT be reassigned.</t>
          </dd>
        </dl>
      </section>
    </section>
  </middle>
  <back>
    <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
        <reference anchor="RFC8785">
          <front>
            <title>JSON Canonicalization Scheme (JCS)</title>
            <author fullname="A. Rundgren" initials="A." surname="Rundgren"/>
            <author fullname="B. Jordan" initials="B." surname="Jordan"/>
            <author fullname="S. Erdtman" initials="S." surname="Erdtman"/>
            <date month="June" year="2020"/>
            <abstract>
              <t>Cryptographic operations like hashing and signing need the data to be expressed in an invariant format so that the operations are reliably repeatable. One way to address this is to create a canonical representation of the data. Canonicalization also permits data to be exchanged in its original form on the "wire" while cryptographic operations performed on the canonicalized counterpart of the data in the producer and consumer endpoints generate consistent results.</t>
              <t>This document describes the JSON Canonicalization Scheme (JCS). This specification defines how to create a canonical representation of JSON data by building on the strict serialization methods for JSON primitives defined by ECMAScript, constraining JSON data to the Internet JSON (I-JSON) subset, and by using deterministic property sorting.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8785"/>
          <seriesInfo name="DOI" value="10.17487/RFC8785"/>
        </reference>
        <reference anchor="RFC3339">
          <front>
            <title>Date and Time on the Internet: Timestamps</title>
            <author fullname="G. Klyne" initials="G." surname="Klyne"/>
            <author fullname="C. Newman" initials="C." surname="Newman"/>
            <date month="July" year="2002"/>
            <abstract>
              <t>This document defines a date and time format for use in Internet protocols that is a profile of the ISO 8601 standard for representation of dates and times using the Gregorian calendar.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="3339"/>
          <seriesInfo name="DOI" value="10.17487/RFC3339"/>
        </reference>
        <reference anchor="RFC8259">
          <front>
            <title>The JavaScript Object Notation (JSON) Data Interchange Format</title>
            <author fullname="T. Bray" initials="T." role="editor" surname="Bray"/>
            <date month="December" year="2017"/>
            <abstract>
              <t>JavaScript Object Notation (JSON) is a lightweight, text-based, language-independent data interchange format. It was derived from the ECMAScript Programming Language Standard. JSON defines a small set of formatting rules for the portable representation of structured data.</t>
              <t>This document removes inconsistencies with other specifications of JSON, repairs specification errors, and offers experience-based interoperability guidance.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="90"/>
          <seriesInfo name="RFC" value="8259"/>
          <seriesInfo name="DOI" value="10.17487/RFC8259"/>
        </reference>
        <reference anchor="RFC5234">
          <front>
            <title>Augmented BNF for Syntax Specifications: ABNF</title>
            <author fullname="D. Crocker" initials="D." role="editor" surname="Crocker"/>
            <author fullname="P. Overell" initials="P." surname="Overell"/>
            <date month="January" year="2008"/>
            <abstract>
              <t>Internet technical specifications often need to define a formal syntax. Over the years, a modified version of Backus-Naur Form (BNF), called Augmented BNF (ABNF), has been popular among many Internet specifications. The current specification documents ABNF. It balances compactness and simplicity with reasonable representational power. The differences between standard BNF and ABNF involve naming rules, repetition, alternatives, order-independence, and value ranges. This specification also supplies additional rule definitions and encoding for a core lexical analyzer of the type common to several Internet specifications. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="68"/>
          <seriesInfo name="RFC" value="5234"/>
          <seriesInfo name="DOI" value="10.17487/RFC5234"/>
        </reference>
        <reference anchor="RFC4648">
          <front>
            <title>The Base16, Base32, and Base64 Data Encodings</title>
            <author fullname="S. Josefsson" initials="S." surname="Josefsson"/>
            <date month="October" year="2006"/>
            <abstract>
              <t>This document describes the commonly used base 64, base 32, and base 16 encoding schemes. It also discusses the use of line-feeds in encoded data, use of padding in encoded data, use of non-alphabet characters in encoded data, use of different encoding alphabets, and canonical encodings. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="4648"/>
          <seriesInfo name="DOI" value="10.17487/RFC4648"/>
        </reference>
        <reference anchor="W3C-DID" target="https://www.w3.org/TR/did-1.0/">
          <front>
            <title>Decentralized Identifiers (DIDs) v1.0</title>
            <author>
              <organization>W3C</organization>
            </author>
            <date year="2022" month="July" day="19"/>
          </front>
          <seriesInfo name="W3C" value="Recommendation"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="RFC6749">
          <front>
            <title>The OAuth 2.0 Authorization Framework</title>
            <author fullname="D. Hardt" initials="D." role="editor" surname="Hardt"/>
            <date month="October" year="2012"/>
            <abstract>
              <t>The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf. This specification replaces and obsoletes the OAuth 1.0 protocol described in RFC 5849. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6749"/>
          <seriesInfo name="DOI" value="10.17487/RFC6749"/>
        </reference>
        <reference anchor="RFC9449">
          <front>
            <title>OAuth 2.0 Demonstrating Proof of Possession (DPoP)</title>
            <author fullname="D. Fett" initials="D." surname="Fett"/>
            <author fullname="B. Campbell" initials="B." surname="Campbell"/>
            <author fullname="J. Bradley" initials="J." surname="Bradley"/>
            <author fullname="T. Lodderstedt" initials="T." surname="Lodderstedt"/>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="D. Waite" initials="D." surname="Waite"/>
            <date month="September" year="2023"/>
            <abstract>
              <t>This document describes a mechanism for sender-constraining OAuth 2.0 tokens via a proof-of-possession mechanism on the application level. This mechanism allows for the detection of replay attacks with access and refresh tokens.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9449"/>
          <seriesInfo name="DOI" value="10.17487/RFC9449"/>
        </reference>
        <reference anchor="RFC9396">
          <front>
            <title>OAuth 2.0 Rich Authorization Requests</title>
            <author fullname="T. Lodderstedt" initials="T." surname="Lodderstedt"/>
            <author fullname="J. Richer" initials="J." surname="Richer"/>
            <author fullname="B. Campbell" initials="B." surname="Campbell"/>
            <date month="May" year="2023"/>
            <abstract>
              <t>This document specifies a new parameter authorization_details that is used to carry fine-grained authorization data in OAuth messages.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9396"/>
          <seriesInfo name="DOI" value="10.17487/RFC9396"/>
        </reference>
        <reference anchor="RFC7515">
          <front>
            <title>JSON Web Signature (JWS)</title>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="J. Bradley" initials="J." surname="Bradley"/>
            <author fullname="N. Sakimura" initials="N." surname="Sakimura"/>
            <date month="May" year="2015"/>
            <abstract>
              <t>JSON Web Signature (JWS) represents content secured with digital signatures or Message Authentication Codes (MACs) using JSON-based data structures. Cryptographic algorithms and identifiers for use with this specification are described in the separate JSON Web Algorithms (JWA) specification and an IANA registry defined by that specification. Related encryption capabilities are described in the separate JSON Web Encryption (JWE) specification.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7515"/>
          <seriesInfo name="DOI" value="10.17487/RFC7515"/>
        </reference>
        <reference anchor="RFC7595">
          <front>
            <title>Guidelines and Registration Procedures for URI Schemes</title>
            <author fullname="D. Thaler" initials="D." role="editor" surname="Thaler"/>
            <author fullname="T. Hansen" initials="T." surname="Hansen"/>
            <author fullname="T. Hardie" initials="T." surname="Hardie"/>
            <date month="June" year="2015"/>
            <abstract>
              <t>This document updates the guidelines and recommendations, as well as the IANA registration processes, for the definition of Uniform Resource Identifier (URI) schemes. It obsoletes RFC 4395.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="35"/>
          <seriesInfo name="RFC" value="7595"/>
          <seriesInfo name="DOI" value="10.17487/RFC7595"/>
        </reference>
        <reference anchor="RFC6838">
          <front>
            <title>Media Type Specifications and Registration Procedures</title>
            <author fullname="N. Freed" initials="N." surname="Freed"/>
            <author fullname="J. Klensin" initials="J." surname="Klensin"/>
            <author fullname="T. Hansen" initials="T." surname="Hansen"/>
            <date month="January" year="2013"/>
            <abstract>
              <t>This document defines procedures for the specification and registration of media types for use in HTTP, MIME, and other Internet protocols. This memo documents an Internet Best Current Practice.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="13"/>
          <seriesInfo name="RFC" value="6838"/>
          <seriesInfo name="DOI" value="10.17487/RFC6838"/>
        </reference>
        <reference anchor="RFC8126">
          <front>
            <title>Guidelines for Writing an IANA Considerations Section in RFCs</title>
            <author fullname="M. Cotton" initials="M." surname="Cotton"/>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <author fullname="T. Narten" initials="T." surname="Narten"/>
            <date month="June" year="2017"/>
            <abstract>
              <t>Many protocols make use of points of extensibility that use constants to identify various protocol parameters. To ensure that the values in these fields do not have conflicting uses and to promote interoperability, their allocations are often coordinated by a central record keeper. For IETF protocols, that role is filled by the Internet Assigned Numbers Authority (IANA).</t>
              <t>To make assignments in a given registry prudently, guidance describing the conditions under which new values should be assigned, as well as when and how modifications to existing values can be made, is needed. This document defines a framework for the documentation of these guidelines by specification authors, in order to assure that the provided guidance for the IANA Considerations is clear and addresses the various issues that are likely in the operation of a registry.</t>
              <t>This is the third edition of this document; it obsoletes RFC 5226.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="26"/>
          <seriesInfo name="RFC" value="8126"/>
          <seriesInfo name="DOI" value="10.17487/RFC8126"/>
        </reference>
        <reference anchor="RFC6648">
          <front>
            <title>Deprecating the "X-" Prefix and Similar Constructs in Application Protocols</title>
            <author fullname="P. Saint-Andre" initials="P." surname="Saint-Andre"/>
            <author fullname="D. Crocker" initials="D." surname="Crocker"/>
            <author fullname="M. Nottingham" initials="M." surname="Nottingham"/>
            <date month="June" year="2012"/>
            <abstract>
              <t>Historically, designers and implementers of application protocols have often distinguished between standardized and unstandardized parameters by prefixing the names of unstandardized parameters with the string "X-" or similar constructs. In practice, that convention causes more problems than it solves. Therefore, this document deprecates the convention for newly defined parameters with textual (as opposed to numerical) names in application protocols. This memo documents an Internet Best Current Practice.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="178"/>
          <seriesInfo name="RFC" value="6648"/>
          <seriesInfo name="DOI" value="10.17487/RFC6648"/>
        </reference>
        <reference anchor="RFC7258">
          <front>
            <title>Pervasive Monitoring Is an Attack</title>
            <author fullname="S. Farrell" initials="S." surname="Farrell"/>
            <author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/>
            <date month="May" year="2014"/>
            <abstract>
              <t>Pervasive monitoring is a technical attack that should be mitigated in the design of IETF protocols, where possible.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="188"/>
          <seriesInfo name="RFC" value="7258"/>
          <seriesInfo name="DOI" value="10.17487/RFC7258"/>
        </reference>
        <reference anchor="RFC3552">
          <front>
            <title>Guidelines for Writing RFC Text on Security Considerations</title>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <author fullname="B. Korver" initials="B." surname="Korver"/>
            <date month="July" year="2003"/>
            <abstract>
              <t>All RFCs are required to have a Security Considerations section. Historically, such sections have been relatively weak. This document provides guidelines to RFC authors on how to write a good Security Considerations section. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="72"/>
          <seriesInfo name="RFC" value="3552"/>
          <seriesInfo name="DOI" value="10.17487/RFC3552"/>
        </reference>
        <reference anchor="RFC5545">
          <front>
            <title>Internet Calendaring and Scheduling Core Object Specification (iCalendar)</title>
            <author fullname="B. Desruisseaux" initials="B." role="editor" surname="Desruisseaux"/>
            <date month="September" year="2009"/>
            <abstract>
              <t>This document defines the iCalendar data format for representing and exchanging calendaring and scheduling information such as events, to-dos, journal entries, and free/busy information, independent of any particular calendar service or protocol. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5545"/>
          <seriesInfo name="DOI" value="10.17487/RFC5545"/>
        </reference>
        <reference anchor="RFC5322">
          <front>
            <title>Internet Message Format</title>
            <author fullname="P. Resnick" initials="P." role="editor" surname="Resnick"/>
            <date month="October" year="2008"/>
            <abstract>
              <t>This document specifies the Internet Message Format (IMF), a syntax for text messages that are sent between computer users, within the framework of "electronic mail" messages. This specification is a revision of Request For Comments (RFC) 2822, which itself superseded Request For Comments (RFC) 822, "Standard for the Format of ARPA Internet Text Messages", updating it to reflect current practice and incorporating incremental changes that were specified in other RFCs. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5322"/>
          <seriesInfo name="DOI" value="10.17487/RFC5322"/>
        </reference>
        <reference anchor="RFC6350">
          <front>
            <title>vCard Format Specification</title>
            <author fullname="S. Perreault" initials="S." surname="Perreault"/>
            <date month="August" year="2011"/>
            <abstract>
              <t>This document defines the vCard data format for representing and exchanging a variety of information about individuals and other entities (e.g., formatted and structured name and delivery addresses, email address, multiple telephone numbers, photograph, logo, audio clips, etc.). This document obsoletes RFCs 2425, 2426, and 4770, and updates RFC 2739. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6350"/>
          <seriesInfo name="DOI" value="10.17487/RFC6350"/>
        </reference>
        <reference anchor="RFC2606">
          <front>
            <title>Reserved Top Level DNS Names</title>
            <author fullname="D. Eastlake 3rd" initials="D." surname="Eastlake 3rd"/>
            <author fullname="A. Panitz" initials="A." surname="Panitz"/>
            <date month="June" year="1999"/>
            <abstract>
              <t>To reduce the likelihood of conflict and confusion, a few top level domain names are reserved for use in private testing, as examples in documentation, and the like. In addition, a few second level domain names reserved for use as examples are documented. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="32"/>
          <seriesInfo name="RFC" value="2606"/>
          <seriesInfo name="DOI" value="10.17487/RFC2606"/>
        </reference>
        <reference anchor="RFC9334">
          <front>
            <title>Remote ATtestation procedureS (RATS) Architecture</title>
            <author fullname="H. Birkholz" initials="H." surname="Birkholz"/>
            <author fullname="D. Thaler" initials="D." surname="Thaler"/>
            <author fullname="M. Richardson" initials="M." surname="Richardson"/>
            <author fullname="N. Smith" initials="N." surname="Smith"/>
            <author fullname="W. Pan" initials="W." surname="Pan"/>
            <date month="January" year="2023"/>
            <abstract>
              <t>In network protocol exchanges, it is often useful for one end of a communication to know whether the other end is in an intended operating state. This document provides an architectural overview of the entities involved that make such tests possible through the process of generating, conveying, and evaluating evidentiary Claims. It provides a model that is neutral toward processor architectures, the content of Claims, and protocols.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9334"/>
          <seriesInfo name="DOI" value="10.17487/RFC9334"/>
        </reference>
        <reference anchor="W3C-VC2" target="https://www.w3.org/TR/vc-data-model-2.0/">
          <front>
            <title>Verifiable Credentials Data Model v2.0</title>
            <author>
              <organization>W3C</organization>
            </author>
            <date year="2025" month="May" day="15"/>
          </front>
          <seriesInfo name="W3C" value="Recommendation"/>
        </reference>
        <reference anchor="W3C-ODRL" target="https://www.w3.org/TR/odrl-model/">
          <front>
            <title>ODRL Information Model 2.2</title>
            <author>
              <organization>W3C</organization>
            </author>
            <date year="2018" month="February" day="15"/>
          </front>
          <seriesInfo name="W3C" value="Recommendation"/>
        </reference>
        <reference anchor="ISO-27560" target="https://www.iso.org/standard/80392.html">
          <front>
            <title>Information technology - Privacy technologies - Consent record information structure</title>
            <author>
              <organization>ISO/IEC</organization>
            </author>
            <date year="2023"/>
          </front>
          <seriesInfo name="ISO/IEC" value="TS 27560:2023"/>
        </reference>
        <reference anchor="BLAKE3" target="https://github.com/BLAKE3-team/BLAKE3-specs/blob/master/blake3.pdf">
          <front>
            <title>BLAKE3: one function, fast everywhere</title>
            <author initials="J." surname="O'Connor">
              <organization/>
            </author>
            <author initials="J." surname="Aumasson">
              <organization/>
            </author>
            <author initials="S." surname="Neves">
              <organization/>
            </author>
            <author initials="Z." surname="Wilcox-O'Hearn">
              <organization/>
            </author>
            <date year="2020"/>
          </front>
        </reference>
        <reference anchor="ATPROTO" target="https://atproto.com/specs/repository">
          <front>
            <title>AT Protocol Repository</title>
            <author>
              <organization>Bluesky PBC</organization>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="MCP" target="https://modelcontextprotocol.io/specification">
          <front>
            <title>Model Context Protocol Specification</title>
            <author>
              <organization>Anthropic</organization>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="FHIR-R4" target="https://hl7.org/fhir/R4/">
          <front>
            <title>HL7 FHIR Release 4</title>
            <author>
              <organization>HL7 International</organization>
            </author>
            <date year="2019"/>
          </front>
        </reference>
        <reference anchor="SCHEMA-ORG" target="https://schema.org/">
          <front>
            <title>Schema.org Vocabulary</title>
            <author>
              <organization>Schema.org Community Group</organization>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="SYGIL-WP" target="https://doi.org/10.5281/zenodo.20707202">
          <front>
            <title>The Sygil Protocol: A Cross-Domain Personal Data Schema and Query Grammar for AI Agents (Whitepaper)</title>
            <author initials="E." surname="Carr" fullname="Evan B. Carr">
              <organization>Sygil PBC</organization>
            </author>
            <date year="2026" month="June" day="15"/>
          </front>
          <seriesInfo name="DOI" value="10.5281/zenodo.20707202"/>
          <refcontent>Zenodo</refcontent>
        </reference>
        <reference anchor="FDX" target="https://financialdataexchange.org/standards">
          <front>
            <title>Financial Data Exchange API Standard</title>
            <author>
              <organization>Financial Data Exchange</organization>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="DID-WEB" target="https://w3c-ccg.github.io/did-method-web/">
          <front>
            <title>did:web Method Specification</title>
            <author>
              <organization>W3C Credentials Community Group</organization>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="DID-KEY" target="https://w3c-ccg.github.io/did-method-key/">
          <front>
            <title>The did:key Method</title>
            <author>
              <organization>W3C Credentials Community Group</organization>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="DID-PLC" target="https://github.com/did-method-plc/did-method-plc">
          <front>
            <title>did:plc Method Specification</title>
            <author>
              <organization>Bluesky PBC</organization>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="LINKML" target="https://linkml.io/">
          <front>
            <title>LinkML - Linked data Modeling Language</title>
            <author>
              <organization>LinkML Project</organization>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
      </references>
    

<section numbered="false" anchor="document-history">
      <name>Document History</name>
      <section numbered="false" anchor="draft-carr-sygil-protocol-00">
        <name>draft-carr-sygil-protocol-00</name>
        <t>Initial version. Defines the Sygil protocol: the record envelope and
content-addressed identifier scheme, the NSID namespace grammar, the
v1 namespace ladder (10 production-depth, 2 minimal-shape, and 3
NSID-reserved data namespaces, plus infrastructure-reserved prefixes),
the canonicalization and hash-input rules, the cooperation-mode and
provenance vocabulary, the query and conformance model, and the
privacy considerations including the sensitivity axis and the
social-namespace intent posture.</t>
      </section>
    </section>
    <section numbered="false" anchor="acknowledgements">
      <name>Acknowledgements</name>
      <t>The author thanks the contributors to the AT Protocol specification
for the Lexicon discipline that informs this document's NSID
immutability rule, the LinkML project for the schema-language tooling
that underlies the Sygil schema toolchain, and the W3C DPV community
group for the consent-receipt vocabulary that informs the
<tt>sygil.proof.consent</tt> proof object.</t>
      <t>This document benefits from prior published work on Verifiable
Credentials, Decentralized Identifiers, JSON Canonicalization, BLAKE3,
and the OAuth 2.0 family of specifications. The composition framing
of the Protocol -- runtime-neutral schema and query grammar over
existing standards -- is informed by the Linux/distribution
relationship in the open-source operating system community and by
prior personal-data work in the Solid project, the MyData community,
and the OpenPDS research lineage.</t>
      <t>Errors of omission or commission in this document remain the author's.</t>
    </section>
    <section numbered="false" anchor="contributors">
      <name>Contributors</name>
      <t>The Sygil Protocol specification and the companion Schema document
referenced in this Internet-Draft are the work of Sygil PBC
Contributors to those specifications are acknowledged in the
respective documents.</t>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA7S9e3fbVpIv+j8+BZZ63RvSTdK2/EginT7rOLLdcY8de2wn
6Tk9vSyIhCS0SYINkFLUjuezn/rVY+/aACgnc+7NTCcUCexn7dr1/NV0Os2u
jvIH2aKer4tVeZQvmuJ8O50XTTNtby6q5XTT1Nt6Xi+n9+5l22q7pGcO3l+W
+Tv8mr/RX4/yJ/lJU7ft9Gm9Kqp1/qZs2npdLPOnxbbI380vy1WRF+tF/u+7
srnJ/9wUq1XR5Od1kz95kT+5KNfb9iArzs6akgaUNp7Ni215UTc3R3m1Pq+z
dne2qtq2qtfbm02JLxflpqR/rbdZtWmO8m2za7eH9+59e+8wK5qyoNFtNsuK
mqF3Wh7G27JYTt9XqzK7rpuPF0292xzlL2JD+bvQSfaxvKGHFkdZnk/zjU1s
QRPjb1qeHH+8KnbLLX8qMCP+NOdlWfCyyBc0bvpxWiwWTdm2xdmyzNotDepD
sazXJQ+/zDbVUf43mv4kb+tm25TnLX26WeHD37Os2G0v60ZGVK3bo/zZLD+h
TaMv8lx28tlVsY7f1c1Fsa7+xSsQ1ve7E/6NRl/RDpb0wv/iTZ9VC/6hqbHd
5aLa1tLKvN6tt9iHH9/JA+UFt3fyOsvWdbOi5q9KjOrt85PD+/e/1Y/f3P/6
oX38+ptH+vHBgwfhgcNH9vHR4QN79uHjh9/g488PTqZPXzw94i63RXNRbo/y
y+120x7dvXt9fT27fjCj+d19//buolpM78/u3ZVHhVyflnNa7qZYVv8qF/kL
7G51XtE25iNqtR3nV/QGvxBXFf9MsWhH6J2/oP2mxg7vHR5O7309vf8tf9mW
TVW2oEp7ix4/Iuqa16sVURKvd5bhgXR1Hn/90Gb87cP48cG3j/Xj14/uPwof
v7WPj7958E1Y1EN79rEuFJ49fGQfHzx6dGiL+uihtfDowaF9+/jBo3u2WY/v
PQ5jkA3Aqv90cvhbVv1qPsVpmK7qRbmcHnbW/ydao/MKZE4souTlL5atMIZX
eCO/OvxdG/Boeu/R9P6j37EBMpvXT9++/C3TqRfNUuaSzAOvE4vQnazXOvjD
2eFvH/v9b6b3Dn/v2F+8ez09/PrR43v7B1+1NY+e+UjRLO5+c+/Bt4ezy+1q
6adw4Ie/LeeX63pZX9zQaN801VUxv4lf0sjo6xPil+CGDY2pWeSVe70lNjXf
7pryYP/0aeR3XzzrbN+DPZPXh4/y9+9yma4+/N3LJ//27MHw5C+q7eXubEYr
dlcem27LInxuN+W8vXu2rM/urop2Wzb0ufhYPphtFufJumgXOfHf/Hy3nmOG
k/yc3iG2SBfW9WW5b6LMfv8yy19/RYu1Vkbpfpi+meVPdtR9y5vpfns3y3+g
1tv02/89y3+ulvP6l+nrr74vi2adrh4OypP3b96+fv96eEWKLV/ZvCQy/6bc
1C14+I2f85P34YIlkkueGNzL75a7sv14o7fGq5M3w93zueEr7petyQ6zquah
EBuYG1GHccgpOpE34pDe9Z4fHNWT9fayqTfVnL5+/v2Lt9O3D4fHdbn8mk/I
+WXV3H37MDnZB9+//JrfpoVYlkVb5g9vIWo8/IJG26x5bMUyPeG4GN6dfP/s
1ZPp67d/Hh6MiAw8Hj+Od+Hr/Kd6XpztlsVtO+IePyGOsVtXW0hWJMpgCP/x
5xcvpz/v2aVFXXHv9+/NHh1+c//uv8p1vahnh/e+vvc1EVmyOP8/SXv56OfL
altuCpKoxrccLS/Z4B8n3XzX+UlWJZFtwrl5PL33eD/jffr6xVF+22KQ3KVy
G51Q/h0E9/Svw8t7Xq2L9ZyuOVyL5S/zy2J9USYMuvVL/Nwel/V7pi/kT968
yN/pC/vJYM/b9BCJN9Ofn32359p4MJ/O5xcz5aB0RCE8rUrqYTG9Ls/SE0K/
HdGX+Sv+PT2dt5wVutCSS79Ppxjjvz37j//GGEksv9sjVIyTftBx/l+P7M3L
ky/eO25Im+W882dvEem737uIKed9+eKHf3u1R45ZVuuPK2a3vt+X9O2rl9Qa
PpAIvAiSV7W+yF8SsewKppc9/ev7dPr/Uc63WTadkn5zRvd/gb/eX1ZtTvrj
bgVBQdk8CQ/bHtuYEEvIa1KwVGViDvFPcIjswnEIrzCl6la+oFN7saYpbOt8
RRd5vqOjLJpYBY5MjTcsaBbcCClMdOmvSHO6InGqbtoJd0ksiNWzdpaDZOyW
yhYlnVsaeTGkopkIVK6vyiX1Q03RVyQbtOX06Q/vmC21m2JeZlXQMGSe/Oii
pOGtqnXVbqt5/pd3r3/I58W6XtPuL1Uty5vdEs+us3ojF0t+FW6BvD7HQOnf
9Rl2oZWlqmk0N9hF+o3mSHygxBSzmla/ET2YBBiMiH6AzEfzva4aHhJGs6JO
eAdy3QFZIbpTyzIrFjIQoiNoS+dNvQrTn7aXxLiVlnAF7y4upSVerHbXnNNa
EBXUGSvF03nZ8KIsaJq0PLRY6ernREX6y3Rd7qCvkWa/zSJBXV8WW5pSQQNo
07ms621+WV/n1WqzLEGGqui3JNGUk4wm39xsthOlblIDJ0TY9BcptrqtPBga
QUv3USO7sSxpkb1pQYkJI17s5tQGrX674+2lJTMuLzSfLM818Yp6t82kKewW
NV+sb+ywzMVuAOm6KYJYPZODtqoWi2WZZX+AzME9i0r5JjkY9CAREnSGBgIr
0TZJr+FeoEVbtwW/SN9flsVye5nVZ3R2rgr9cgUyvyjp07IWhpTTekAinORC
0MQZi+22qc52W3ossxNPb2zociTxeI39poFUIJXiAj/SCuhJvNyt6SgtWtCx
HMYsHM6ymF/yItF+0wPXa5kTS5LWe3qc5tRVm61KLHnVrpRomdpJkOXVi6c8
Z66w1XU/Ky+L5TmGUShzyVZ4b1sviht8Aw0nP2uq7ZZP42J6Wc9lBZeyLmfl
9rosmf5IUjSqIEJvSHTEzsqMhYEJlTclVmVd50QWtArG/2iZViXsT0RKKxAe
jg41xJTO8uinTyrUfv7MR5wWQ08+8W7wDl6qiZyN6kRJIPv0SZX+7mvoeEFs
ZhGohL6Ug0WnKZUkskQOoZE8/Wu3uX0ktkWLxA3XbSarpItBk6P7itZj9v/x
veEvhvNquZQRXBQbYTJBq1AWf0Rni2TYDksXGizylrjikljBFlTSlP/cVdiz
M+gFNMLlQiyIsPgtcf829mhg23Rn0NGid/TxOfHmBvTX7ph50zxwg1ADixJ6
t/AbGhgR7IText3DCmhbn2+ndAroG2JmJMoKpS/1yp7xLIYuqx/fvtDTko9O
2aZH0sHpWJYlnKiW7zCsAQ0FVxmTN53z/LJoLzElHMhwT7HcHK4r6RyWAvpp
GnhE2uuURk3jObq9az0xOoJ2ppszcLn2uUE++uHdi6faPO1bfc0kRK1S63I4
QRSkW9LRwPlWq+6Slmp5Q7Rf0XJ9LMsN9ofGU8bOIKPL+DGip7/hBqfmYULL
YeXM+RDi0+fPEx0S0VAlJ4d0cmbmFXZLd5BXvdTpD97O2JK2+iUS5aapVhXM
inQtLXdtIEHqi9nhdEH36Zr3lY4FTUBaX+e/ScTQTZzxt7M7tInnbN8YEjvo
Oiw2xVm1JCKQq5FmNMGVUbZyHwvt8q2L3TGpBEbvi5b+iFcxtOuLBtREq4VL
vZrTTV2oLYbFkfyqwgEEs+jQP63KabU4xTzfQ4zJO2IMMaoLDJ3Fmf5lPXqP
1u+PTaiBKs0PDQg38uzhGAS2T8qRh6iVB2NmeiXda1s786CELfggXwJ0d15f
3iR3jTJmO/BilcyWxQ31S9QHwafdbTZEyFuRpeJuhB3AgtMlXTfbsD0QEekB
NuZhD6hx6nRbMvvFORq4OFNJXClwkmFPMeoi3G3Eodc4IsTsoCNs+e6TWWDY
bEqjv+vW95vRbEiGWy5UgliUwpMXWAK61S4gHawHLoc8WhHo2jOrx+fPtNh/
+EP+DoxWlj280JEo+yRQJeIlkeOW7ikaIq82v3yjFwgEJFqrONUZW2+JiEk9
uSFJQURQGE5Z4EPzuEcgnC3BEIRB8S1crUltXJHAxbyhbE2M1QOrQix9MS22
U/p9qwxwlr/TUcRHMIXCSBCkQHSpDDvInCYMC6EFWWr4wqTWrrxFikWQcN75
YCvBCQtpcxITedVYOFdqSYTeLO8MIUpDo9dP6JdJ/uPJkx8m+Wu6+Z//+ckk
PykXUFBghxcBfo2hsKrDR5BEzLJZVqXQcByvTPycdH0V7YNdMn9Fh7aaivjd
3qzndObNSzZRRZRVzHBVgcjpQAgvo40yr2JOtN9dcOXkfJ5x/Fy/HSqBvxVM
A3JC/v3792/4whAdnTrtGUc/fXp18gbXiqxCbuqedqQkE+5kldmazt7SzNr9
3jHqd/Tpk/rePn/mFdbbVwjZpJnOXtP1uiuhcTf0IEaYwXrW1ssrbEy5Opa/
duJEUGbR8vqd1bSFEECox1xsKMIzW/2taFhyoEeXNUnmZyVvRmdaRPs0s/Pd
EorJvGrL5U12Vs4L+pLkGbBNLDnfCjRjVc4ggdNNysyOJtrXzibZHmrlTYhL
n/ITvdK000xVx4UIWUQma1o/SOBNsWEBBLp01SympAzQvkHutqNFYrK8lkFB
W07Pq4ZYQBH92hMRX0nJYFMIPV7hUpfB4+tk/BlLqKru049rUmpw9II6rtzc
lB0deePH09Cy3tRsLqBbjfrbreToCTkL0z+72UKkATN+W8qt1l5Wm3BldpX2
LBP+voCcRbdeBZGIWwobTDcE/u4qAyYkBZMBr9c2UTPoVb73B7uGGlXNSTPe
KKPgQ2FMfuL46yRdzHDJBjU0K3G5zrlxvkzqDcSr3l2Tku5dGVbj1ikDJ6eB
1Bf1DuoTz9w/4NVRWOp2v5A026zLZf7kuxeqqARKlt+xtKzHs+8e77k39K4W
dUttz7yrpCYTr6QFS95vhVCORYn3v7CBrg0qfU30jSWlM5cFPnlZV3MYgk6c
LKJzjDdQ7xJReS6DDj9gRUk2daIEu9qUfLblmWQGCBEh/YBaobGp2EAv79hW
kZBPV2nlvVFfULmdPkXsTM7RKVs2fejP0YQUg0ogVbR8UumXBSt31CE16Dy0
xZJljyivFGLq3LiDUOgxSOwkmHKiq4nEvlYq9xZGvq2nIvC7K1Nl9T1aCPVL
B4SuHNLuaYbFwBUnEg0tjNgExJiTj1qSx9+V8tWD2SHrEyzDLwtaFrOF53b8
2JgJJadupsQR1UxSkRw6lpMTdiaYo/baCvJoKzDRkthD8BaxTLzZnS3BcBYi
SzAhvnj2/nn+nm1LL8uLgiXPq4oVVbY2FHPIQBBz5+ZCyEh3rcprWsRldbFm
UmHezOcWtyyaFEmnWs+XO7YJssyTIxKCFUcEiHz+LHprK/uGWzHenbJFg3ro
WCR8NvHsoLeb02kKm/1HWnXoyVNaaB4ECac0MoT/bPkLjIYjosC3n5A+3DQc
uiLLv2ZVqpaTkXh1JwPieRbF89yL5xMYTeiE7UTBiTqRNKK2RzqB2aA7YCoC
iM4rsGG8KqYgEM16DnYlRv9MNUVi07JzuKe01zJhOCCsYusPeVb5M0lK/JwD
xtaLY1mEDgNQDhriobLOIonGJEoQ/e+6JnZ0fl42navqAsIgZMgO0wn8sD4j
UoBliI7abgNHJ7PD8he5OWGIEG52Eg+/qEJwkF2zXHJw586rH9+9v3PnYGKf
8x9eh7/fPvv3H1+8ffbU/n73/ZOXL/FHZn/4p999//rHl0/Tv9LWTl6/evXs
h6fSINqgX/PO1zyOJ//BH7FU9OfrN+9fvP7hCXoWJdDzZHBvIkcS6ZjfbGA+
Y95LhDAnJi/a13cnb/L7D8Umg8g0Olpin7n/9cPPnzPaD92Zes1WoVKo6QYS
FkmZrMAtl9B56KwvQVO4+XCxYSd5k9hcIATtxidECYGMVvuNSlEHMrMTlaMO
cragw/TLajwLfyJJNSXtKzi/HCu1WBYqdLkn6ZeS7UAkhxD/Ac2B+JY3wih1
AO9EZNf+f8JlGDuX4+Mk+0yEDQn9oUGcYXbcd+3USzH2Qs9t7ebBOHjAmQnA
0JBy7f2rVq3wsHX6gdrNcBjUTrEeO48WTyMcLXopy579UuDKb3ukwYoCccZp
eJ7HBz0AEyvlPeevk/Erq2EzYDTl0l0hxPP43mO2LmTJweI337OBkEOq5KB5
G4tGkYr6IvNbmEnDN9TqIhDr4+vHeX3yka3Q/dnDsXEGe8Gtma7TDsYwt1hm
0zIiDbcm+DxMPkcZQjtgdb5moYjVR6Lgmw1ulyUUffhV5DLnYI7poqGm14ki
wna5Yms6Q5uLpxKk3iZ03KYOGRIVS3xiMyese0ovM4sYEUGNI2+WPTmRBZYG
iggvJM0cJxMGApxoUwD9K1+1dllc1AgBwNsk04vfaltfS9QF28Kma7sBMY1N
uhls2VMGY7uMldxLAW73PUPCDBxTokZPhk3v1viAUzkV+6ImRF3ZcB/OHk3E
iIuRqcLrjNV0DmtSvishf2INjfhViOMd/OXk3UE+Qk8wS3TN3xz4U45F7RJD
usjQZSoo5GwBFikEF9yJKcJCf8Yl1WWwgmDZBpJh/Y3okMSTLXHHFZ9woaq2
3pHOFcxq+QhmKj3m8HgHF6kZRPBl9GFpRHdxcdGQoEfDYccTSUbzLcxCc/Wc
hpFIL2OVUZXWhe3l4aFgzOOFZsmC9b4w50GypgaMSo87TG1ljALGlJS4W9q3
KHnl5n4ancrCfJABn07y02B6+FAtTkEciaU/2pFPxzyVeD+sZLuMpo0S2TnF
x3bdUcD0eqDPbXDvqSYn8np9zmc0UMp2yGjvToyR8WM2QrJ1uGi32obQQfDg
pJolrrCWDgiON+TRUXhuwt1grpuiao5hJqpEyAovqCW+M7kldAlW9EhmqOEo
yuxSF1oeuqHTy5zHyG8IJeBKpC/YMSTuFtVkruigLVSGDB73nBSwxTJYJEci
WCo3pibGouGJfy8ewI0qNwg5af2qfp2PnhfVctdAT1PbHFM42LE+8w2zvh07
aDD2ygyr7VjmH5xZgQvCblKTAra5xDFS56J5AL/a62Ok+ZDeRF3zK+UvpCuJ
4oXxO35GCg/fdUSj4NAcQpFH4eUrGDPhFIJfVOQhbrBYXhC/316usNsSAkyM
UD58/nwsmggPdrfd7EBj9Byter1Q7Z6dwo8f7hroWOzhNXPiplgseFeUqkGE
GITEH08/hRc/n8aLhGYy48uEsx1APvussyLfulsk2GnVAMnGXQliaxPL7Tsz
2rKwy0KVqkp0BXYsqeCv29BKAYdQQbo0NqLcbNV7VaqlNt8WF34q3469pVfW
Dq7si0KuV341MfQ+Uz98YCriVveOd6jYon6KK9AfpIlbEUetD2eHMq3g5k9N
i33/D24Y3APNWUVLT73gvqPxvUjOfkdWMlezF3xCiJDEWZzRcseLQs7UsFw0
Y/N9ympIJ2K7dS4Oyon89xBXObXNfzzovuOPyWPhEGhGmJqqnZKn5OUUDfei
VsMTzilOC0FSAGbPAsceIaDn/R4OdwN32yOjUD/w7Dsu7UxcY1l9FyMwbbc3
yyQ+oHPy5IK7uj/7JAL+59knpI/R+ZNIusTzr36L009mEWpmQ295Y71boRwD
x7kJp44vNnrPsz3eDtHyvT07si0wbeH5IJcLBNBspe2YfCF+KObiHb1Cl5Ia
eTh7QItpUlXvXhrWMWdBDNt3LZXmL2EZhEcapJ7994uMJAQZ8GhcOIJaIovt
tkCokmqadk2cfhDv4mkOm5SMP8QjtC7S8ZyNARxDMPlikALOug9TsNhAXgIX
DoFliCZSvh4qLESwO6gnkHYkuWxZr9gxL+PAn8A4nahm2ksMYji7GfZSRB77
aCyL+Q/5WzYWhseEylKf008DTSKejp401xekIM0G6phlNzVJFTeeyR/S3Svc
Fa7yKZQGUIZxWuba+SkpEGIG/sByYnLjHY7zZXGGkE6NYPhHoFsRrvhoiA6u
MwoiNXiReFKVjHBCCiWAoi8MPnHGDDtBotbmqtIo+QnzOnwErYwtt1t/f+hd
NCCTPuRcMI7ECd1Og3+i855qSYG4cbB5QkNxTxtQaBM0P/pB4pXMbiDyDwiL
ec8kieRh1iO3kUj9kTWB1QcfiVivp8Hm7Ps3PuhfhIs4pYXUwuCNqj+oOaVY
iL05TJLvLxjbEexat9spNHKmubUY/Emup0/i7xxFNm7K3IzN3KeTyOPDTGbF
fFXOVAHE1zP2is6K5dludTpmRyJJEnQDs6EgzHGKkKKG1FOYT3QJvHCnMhmN
jo+NhGlgX4wXrTW6R8LRxJ7/+OE3nz9/JXpsTO8zvo7R/3V6OkUsbfUL4jOD
4Z9oIobwQYJ1toVO4JML+2N6KNqEeyIsikRKJj/mW45wH4ZuQsye76sX5/eF
rqSND9zjkyU43NV95w1vSKpicSghw+gMqdaXLHfQ2axoM7kxp1SP2FGr7Zxq
3OBRfv9U3NkgLjQmKuY4zLkrGD6mOas8HA8W8wTcAUv29ojHAdrdKvJUM4bO
okiuznmWlYUjRmsnpFyxI7dm8Ut3NJdt59GvCkS1kDBeO9tzuB+7TIgOhHTz
YUFrLYdAJfy//f2UbYSpuKiSos33N2vbM5U7QTedC0lvGGfm2x8Er0E7ZjsG
YxcXsAyv13b5ywaBYkU3CA+Co4ThzYZlX4teK0GZe1MQsowvRJUmBwzaqbnS
mbfZ+iJeQg1H57MPtjFs7O4GVpkbRyPKOIEB9CM3tA6+ZVtE9ACrd6IIeQt0
MOuP+bL6mKR3INRUwwLsynfqHol+FZbc92RBY078wBJLOkSpC9gRGxKbXljL
KQsPW1YLC2w9FtfnHduIEPskch64cDDvwXGsMQObXYPd53vGQu0uKw5blzUH
W2K+ocazar0ANVmwsSww5itWpuieDMdIA6h6osLwVKgNc5FBFyvV0e9W3jmO
9Ta6c5pEaYV40qj3iJSEzsWt8KSZw2nK8n3Pxi8+LZGW+HyZnhPjG2uZvggX
7dY8CT5sAfdqU16WItAj45ikN5G3orMkMdORcJolqhpiHukBDt6X0WmYz59h
TO/EXFZtEqIv5sAb2uxdI8Z3OR1FnHmxzCQkS7qnM1SJ0wtho2yuR6DoWqh5
Dolcvb9z9s2LKWgF8skkccncosEZrjEMOccwIJQPcg6O9cR8XAgLZ2vsmxjV
QFzsolZDbYgM6kYDrRe9WEAaLrsqF1U73/EJO9813D/bb5LA1Tt3TrzTm9MH
EO5/507KQ0IuRpG3NDWOJJd7M+tlmMSUjBAXOAkGcZ//I/bwcpKJtTsmBE3y
4ZyfCcd+FaTlF+1HljJJvGnQAqkP1crES1rlNcT8EbaJhIGoLx/nPizk4ezr
cQyQpBsbRycKohxuJNQP90I4yEEjnsQfo3CRhdQh9Zzy73sy8OwARbusZPbQ
EmeaqhAHz6F9ixovkcwJLsdOyTt33gU6C1Eg2MBn4HdxOkSvRLolIkE5ArCV
ZAWh1Sx4BSLRhsgB9fTno6sThGiJkPng0T1SWZiH2iZnIS0o92lBEsFr299L
NsLPRgDPn/41s/SfmPVDC2WBD/kroZ78OfMO7efB4aG+EIgrcynrRPMhS16f
uyjXZcNCDouYUdcem1UzxGG789qWcXn4utRzn97RtjuBYjhyvZdOwlv3Vs+u
5iFCk6CdexIihxrLFGIL2LvEPC9eowxBvBjW/GOkuUFy0zyEaPdiglKRKnPR
lrfLVBbnmQapapBnBpcq8xrjSp1UQ0l+ZOM2hy0uUk68vDnCol+KZN7xR8Ur
iSUYvdxFfAoxk2JQC/mXwZvHy83eXYjblVhmsNgduaspk/uD7l5+nNPl8icv
Mk1YsAWh/03r8+mZLh+CpxEmD8GRWRdJCVuf1Mv6ccaZRO34uPOEOM+8ppLk
VB3bGV5kPi6zDRKYTuKYewk5YUxBtogubaI9zkLYXTrWJIrtWAS6JIwviCli
F9M1ATkZCdn6SHA2tlNiaVu2vGxKFgxDkh5SYDPE9/H+MEu8JGFa1Cu4QXY4
/yAWfwsPxD9nwQ4KyQ7LMMEbHI89UTWZf/KXigTYS0YldK2s2op8Ea4/1tXE
ApoaqvYnFxb5nTu8QhaneOfOkYuhLNTnkP2eYMp8MJgy+43BlCG9JFEGChHj
Y3K0mohJYAs2ZGqm3d5Vu2zZj7acIPK35GhTUhDOy/nNfKmZzy5g86zilOTZ
wInTrISMsxKgdPDGx1dF3tos6xte5fllzVx31E1g2J++gCyYKfw7MX96IpwK
xzAxkVaariNRxcp61byFQV8gb+NsKbkoyovl7yQSCbJ6WTF1c84ZC8+SV265
E0I8HdMny8wkLbfbEM3JYakSy7nhhZ+LZZyhsDadbCNVkjhvyFsXRxDo/lJc
Fe+IiW62+WuZ0Q+16lgcazEWZA++bgO4h9y144S42xvSzX5RkrXMCjv0Sluc
ZsBKeI9iZjY4lRFG4YI3EUJeXvCdt9gxfsQJPCcybOg2aaxjkD3ScepeiE7o
jl1ubMhSisz6xxaJKhy5hT+DDjRCnHCwQFvqMnLqBuYvulrYpA0n8c7yUUyh
zvP3RhJTjwv4IuJMSO5TzFJG5iet3OMJa9JefQ5xVmNa4QA25OWtUWB9DmWL
Y7Yg73G4YQhKYHeBEF5CXeNgcQwSLrPhI15xvcZWmlOkySKm6/F62H7wb2+f
kaIbrQY9jtFy+rIYimyiLPoKIxkeSvQVaGf5KAJqDIjrXZFp0hOdLXXD27sd
7x3Lmuk0jwemMemx0kyN7W1Xk1sxStaQSwe+hfMdX0fCbdJ4J5g6ZK2GeG83
wsduA7nufqjX04sBlbr8RfJiiUS6KRJ2eZqjn+0s5WqzFZQCfsYyGM050U9l
pN+fxYxCNjm1204S4UBu22/KMpx08qfUs5QmtkfHiU/d04TnSZJ9Z/Qi6cnM
C34aSurbN0zTlqYWGdbNsQl5Tju5gBERgTZ+rrZrGKLmNbstEPEha1LgMN+o
gSrI34JRkUrfbKwL7QdhIonIYn+kWLfT76Pf8lS4Z/RXIp0JttPEF1m1Kd12
iArRAUqoDuqg70vKY7q9IjxEHAxQJoyIGjXTicJLhh+9saeZAxEpfG7ptv5Y
MioBjOg0GATkHN+yCr6dtXfsgmD41LHzYpwKXpZcxHnJWTIZKNl1o2oHfB37
Q/ITW+6wrxVcZMfu9nUno9BMVxNBheB1SFaeNUVJcpXkez40mQJDYJFJ7tmx
L1/oTI0VIXErIQ9mxTCtEwX2EldTO1PH/sxkup7Sf6YspToIgbMbyaEz4yMb
mInWdvNLTnjE3CNLPCvVdW95V6+Kf7ATQa/9FuknfbVXQ20qJJ5WS12Xc0tQ
kTcFVeaLFsteipfhAOFR8UNXGoBt9gS1rPJSbTi9RuymZjUa6CW7LDj2PC/Z
LSYZRm7V2PytVMsL8YckYCnLnvWCnUKOZQeuxAdLecSNmwyqFpvyOAtWFYp4
mwa0DLk8cDXhOYSObTk7X+Pz1OnoqMeHdC6iX+p/gVEg1pT9Us4hOAkeO45E
5eiTxYdii78kj4X/4iyz0CqsBzTL6ET8krcwaDLOVZh90VVoqloUbFJkFwRt
/UZ0ly9gu2RfwnZJY9aG1J/MgmU6gTvOJd/B1YnNrUlcWS4dsUVKMHMVrCFE
erBX+va/Eg2eoTlS5+daYpM4K9E7+L2RjRlBm+914+MG/31ufFko7llSNmCw
78VSDUVSsebS8fy0lh6SxSGeevesWisKTpmjwzbdFhcX5cLAa5gOWBjJXKzC
ndNw8V0dMpBKtTbC5HhVGtFWMuJwoKLLG0wmxCUsmDkhpEc8eHZTcxwSO8z8
NMwP1V/OGNT2Gd4pnZyFbPFKxhAQlYWzXtBP/PuBo7J90WnHmbPvEx3Cri43
Vdcb4GiyZ5015YKRC5A5556APqEXV8e5ztpYP1jCvSuCEuzaS6d0aiKfBgZD
7sjU1/bb4pYDF4mBy2MYqOOBYPZtMugdJaE7YuAJ39uxfh/2MonQ8JhKGNsd
DdW4E8IMU3SlSSb4Q9HwqcmQO4nhZxsPhIHRfkS5zMN96etynysD16AwbBHv
S2JTpN0w14paImO0njetCooJ1n2sOE3tlrG9kMQK94jhd10ZnEQXdQoxAlcs
Ssm42oRuHzpwwdjrsQ8QybtPhKYdmSaqZxaCzCBLS4TKv8qmhny2qpuOEAY+
AMNnDGzkS2UmbDeR/iRoN6GYj7ik6Qn2s2l6XiTPo0wEgG1+jWRFVv8Xmj7D
520RcmgyS5jZmwYyiT5ldb0rfhWuX+4hWvcN3qIrw4/2yf6u9Uxbx5D5YnVg
GYZEXsJQ1mlMfrWWfOIiWgoxkBVnK7ASTgIyH81yLrRDd2NFiiLnlI72qhdj
gfvorAX6oGN3YUg/mWBL0ledcYoeN/5NEFfZVVWYqDkAcHXMeIJmYUpIBVCa
KjkF5BNYASToNwQ0Bkly7e0sZdCyRP7L9IjqtSmhDRzX1Y+OZcOOC5HNtsNq
hNxYEr7AMU9lwTcngGQMzJNdnEXjQFNqZRdV6YScRx0RJ1kIjwEUjms31L2j
Asc0yn5klAVBYYW9XsI236NOfJtERJvIBRBaFUHCUoqUognqyRY4eLibEBtF
+4/j3wMiy4KKKTlmZYoRJ+6GiBQXAqa4PSlZEuOxzGpMUpwspYTosJ4rMoW4
64TyFfkElB5hUyaQJaYa/0RLVS81QpKZGqO3MWdHysycAcwgKoY4lQ3QE+pd
+zuTtzh16wiHr6txC+CPLiIuv/3SJ18zWUv/Wm87j4o3fOZgU09nLhktocJM
qEVRbyxVq+jE9Tii4yNOw2aRiKNiUHvFVDi101twrZJelmIMHWXZf/3Xf9Ei
zasKYBlZ7v7549T980f7NuSiDDz1R7xve5j/msesTPpjOvTP/8RTYvOgf37F
+yiwMua/8lFIeJz8mv+PaT70f7+GMK+JvB/+oZaZ7Cb6Rx5VMlj44lPKkPP+
+2Eu8v7QP7+GEL5x/304pcrl+fiW92X9/hjX7wvrv2cU2e2/3/KmBif+txu4
+i2DBj+pbiEaNxzlFfLH/xikGjwVpMHeoo9evnw10T/2Et0okEbv/WKzmeSz
2WwcN82YdPepuum+/9s2De+vxbr739o6OzTj3vh/2z/p+qMBBPMZXtrNUcex
G/wt+R+dzq+mjD/mKociFTZ/7QzFR3a0LdaynUTjfzfsxNn5wJOyT8SWG8YX
m6LLPx0Ea9fU88SDz8IVr/34BRWT05RIiyljWIUpwYIXybeennC+RxKb3s8S
u7DZlAh/ExkQb8iUtnUIYQ6p3WzhyTj7KFBnr5vfGBbLECzRd8TyVz+yq3cj
aBCTPt6LXmQLHkSU6+JG42iWEiATdek7d3yCxtdjC1VRAQwyAZbYBpOFYIAn
t9yRplaiN8ktHcSdNjexhnudPuO3j2lBb71Ts17z7Cs9fe2e8Z5TatCZasyP
M5Ow/YHBSrTcw9m9JGIOApgfrKCr0wX/ohNULpAi2yhdwUVAglVcQ9Z3JXgh
wj/x/rUDkYXFEikxDGJWfFTxLYb9ORsxpJhVsemcZjqNMNACDTeaiTIYB6cv
n1roU5sSgYS4RXdz6KRKCebR2CUg9F1AsyyaWjpaWPo0H/bWcrOdDifiTQbL
gVrVsGgozMHhDlaS6icXSKM1ojoloj59CiWyFBRT+LH2NzWdUYxIrTel9JXR
fYMfdEp1A4XEOYVpyBPq5FZkEyBTrjvohC64GNpPZTnOyxuDPzVcMJNtuGWN
42lJqKeVyULWO2/uixhAYMjyAJqgzRWbuTA/XwAqlojSIdOaapUpBCeIfewl
UfEcjqqqBbIWTI/ESzdVk6C2s9lYLZiyWDAAkt6Mjd1TC07y1386OZTO1IEU
Le2OGYW3YLqMF9g1DEOsrEFHPKO5rxjFKXqAxjEQc0/JKQ1LykdFyDO3G45t
ZoIEw7bnrc9GJDUGnjfS6n+IOBbqG4koYBZCMmc/Wtft1FVCb0PO3YebO8uG
uNU57ogYDW+u9vBWq3C7Xeg5T3lPy5WYqfkOUr3/PH/DNzKbiflFVDKkF7P4
4lts5ZNkuG8l2kLT4lDxEH11z1bbxVstgdpdtsGDoKjAOAaKC9wPI2iz8DRq
9wmV4SNtsqbg3sJtxnjxjIaanXPYIl+ZMd4tjU9DYl+9FKjr2hnmPWzyrc7R
ZLKj1PM7trInmcYdm0n4e+WZCcu6ZmwIeJAXe3CgIZH4JJMgbAkVBtHLRK0E
YymEELto4b24UvmT9Y1FrCcRmUtEyPLtFUwPScTMlNTbL+KuekHTWSJcLoCk
JPkAEgWP5ZMPp1pTa0hbS8NfAvA2X9VXmnmefVnA05Or/i6GMJeItN8gG8Ja
IcuTsbXLwgc6DvaY52M772OlJnzpcOiLJwODr0Pk9E4DZVi86Di70yQd9p1J
KonGi4FTNTjOmJML3DrW7PR0RuYPvq0R23CkxV1VdaMrKF7bsxJygHg5t54W
LdxphsBHQZsVM4hBV2ZK3gq4x61xPhjbVGiVNdlnwNQH17h+9sEMkoo2FD9o
Q1fsZ6Ck4MmizTTyXIPCMK8lO9DYFUJ97lZOiIzhd1YIIJyc47h9AjNoFa+Y
d+gKKpwKh2eB+KVURfYrrjYsBemWYa6/Doej/Jr9Snpj+B+9mxYWUhMlvX7n
jmTRQoz4NcrFLZqQpPPeQz9Cf8HPqUOu/+BbwQe3h0OogMlPexveA5CWj/5y
8m68/7V/TwBh3WMhRjsYQvnFZ8LoWhXBjtVtoK296YdH+SYjRXFbbwI4jBqz
rZFByAXfkGRabJhgLNQ/HV6ET7CrEE2/64b20Stet+9vZz/u74uvpJe8UWjn
rZGvNkIi7rjfTgL935MK0GCa8xCRsFhm7rfH1QL4mn/zU/91NyD/6sTuNptc
72q5bST4Sd3beActvH/2LIlFO+fg2F4bSkR7qcShxn1pQ0L4sgXkk3BL09rO
2Rh2+7vP431pMgBzj9t7VfAxBecYy4A5FtNsryoyaxGFfmMpsQTYSTQFvypL
O4wmd8PQteFsH1g8kzOfgNWyY0lvtUS8ODcnnl4a+VKwUzvJTXrJZd3UcjjU
QtWs7nXCOCPpUGVeGc/rIAyKOgrvsv4iEbudgF0vFdgdJ7LnEDzMVx1MZgkc
4gJkW75c1xekufcHuO9UHOCG6/wcQyzjXAZLhlwXNwHrJsq7rNmlIqkGV4Yy
GC6felT04iDrRsfBVsvx0AXtb0nrQ5RwSbGOxcc7CdapM9EHqht8f8ToemEh
ItnaqdtNOaTdsSOIc6EspNFjSSTZLD49hD2JNqEQD9gHoNn6OdyOP5N9EX9G
hmVAH1XsSBx2yxt71SD1vH3p4fgog6wTwu/M28xJAPxGksBr4VkSnaI6+nWd
7XnfyQau08djAWfSEBejMn5Fw2FcdJzWJ4JmfQXL5by0AOwwaTY6s8SYTOYg
QA/FIXFaJDMght90QLiSrsXY0qo92oK1BvktxusBcCjHG+i4xjYlIDvaD/kM
r0tfd8nPK0SxRwuRRLFSl8EKHjuC7ciWABylWmLzg/5A2g7JG2/9zsiKYX0x
t4znNrBIvfjR44AtNxe+q8TJoVILi1Nx0Q8SkTAKgTJpsKiPKc1O1aNM8hJ+
MJx0//mDZBZykGmafP5ozBAPmUI8bCU8FaYAjlTFWRT8wHidKdVUWhRxTroJ
EgGyZOUmES3A14sJGBekLFzXMatSljfrH5zOE92DNOFgrbySA+AeVoILptzo
1g8Q85yODO+7AD6IKMpYaqnOsCBG11zYzpmersVPbF5c7GsQyDDCq9x60jHh
mFfkAZxxkIwMMgaCs+mhno9p8dDEGbSpd0/PFbMU4exl8DdwQCGRJSlbCizs
8//ZxscFRKrCEgjpuN5k0p9iu4al2TIOmzGiPWdA7NDzXcMIi2yRMMW3aoPC
GwPLjX6MwNhrkRBZDwOHPRA54xexsLPjneWJG0PEhRRcXIGdSK0ZrhbRSR+4
ItmtEODeMDdbxA7g8trZZAwCl7dagpzkEnfxJW0pJnOivQtGFQcRyHlkkasI
BNGRyHpALU5O/4j0AhMpjAEfZzSsAOUieOZqtG1jUJUNN2K6RHNfFu4Kjm+V
K/5ZiNj/A1/4/dKhg7H8PBAJGkIn4gzhGoX8zhFU+ucMEkNi/Q1LygGcd0CD
19B7hANsVc7msNwkeJUV1ZkhNgxi2T2YiT6ONXNtnfTD0dJ423CDWUnRpOPb
+3yofbq0AN/3i3ev828e37vPEaokC6w2yjboz3+BqFl4evDgARuw1fwjXEBL
JLmoQIGU056sRJ9EQuoofDrC7xjFF3smxorqIwuNZftV6OXJQqqTsLCipOMD
nBMCCpkQQj1FeHd540ipB9sGluFC1VWSZKubT+mwwh9yGpdLTzTtJLMcC4bQ
CBkXBWCofjexOonOLfHLRGqLgpng62ICcCFoaLMG995OWY91T01OoE446hhh
J6QKrOlgr7XKAeeDFK2klsgjCDlLcljoc8P7S/3d5y18ziWP9maiqGVoVFik
KN+zDEvv0bEzbyWYFxvwMEYfJyWoRpYApH2is/EkWTrODAxTY7AmjpW2jSS5
F26GNELxS+kwXEtEnWZVMn/DkNpJDG3BWkEh8k8nASdL5PSZckW2onYAACOA
DmfpM5nr2k2nmUdrCoV8VDVaCeQawg45N8U5H8+XBaNcoJx7FjBaOH1oUf5S
th5L3RdXYoAZSUMHBh0ktWpTwulJ9C9ANYxjLcianCUpFjegg4vYmE4hyAGk
FUuKdbZW5R4iAV8RqitH0uFkMrXTOwwkr+FnAULIbNyhuMZ5uEh5Vbg6xk5R
UMQTpUWGMns1klAlt3QojMb+kMWVAP/AeO0s6vF2K6L9RyNug+kguQTfJ9dc
iOVTdsQY1RJ6UAtXtoj238tboiLgmUvnvtLriVZdXLvLG64cWbL4mNxhlQHX
5KNqVs4mCV/fq6j6s5lP6ayNlRV56EY/vqfxsvbleBjHUsxwDj7d8OirVMLR
tJ7jKEe6i8ilNgdhD8kbRGJn1cWOg2/l6kcxz+a2ATog6RConSxUObuYTXy1
y4mlxrKEyLF7YUGSOhXJldvD9R6q/2EY7Mlla75Q1ih1OKcXdX1B22OxTdAN
6bxLdiJU+PKDxCaFvQoJGr8q9vSv+RP+Lw3nlvwOj8D+KNz0by2woQPn2T0Y
loPdlIZiKIa/+3lETWAoAj1AE8ORdkmKzuMWo7u3feNlqN8qsSpyh84y6qun
VAzEQG3qzW6ppdRWmi6tJvTMvGW5IL2IKL7yAOM48BxFJT9ExYtlm41Ohq+i
DXRS7sSioXdrwfpYCIVTn6jcw3wFvHAacMotczRLYPFnj2b389FzeUvCZbYK
RDWeDTAcPYO3sZ7IfuR8s2EHlIO8N+Y/9ZL//tl5JYMdLqSRlmxfxLOTnAZU
IAqctpj1sfCXxM6VCzYrcCLQLB/YMy4TUlrPcJXM8tfcN3LGy4DxHokGY+Ku
FN9e1SqECI24OqDDDFT7/lQA/6ZnN1MB8bHhWf49r3+H+yVH6vRvfz/1J2tT
ctKoLAhXocDQcOIxkWiKfbbabG80YB8z1C706H/A0b+tm5iqO3X+JD3CCnDm
KEgYHNSNPn9Jk+YQFojQffuZKKZaKgqJpM9N4Z++wKpKFlfSGgqMrD/6x49R
f6tahzEyxMJYUyuow+ZGq5JaMAhHbhljlfFrkllSpnf4SlT3vbwmTgdtV0IS
nG3Y356RgfFCiV86f2pmM55aaqQTaQTUznED09QqbOUgne+fp5rcvw5A5+ym
N2NmJJKGnyqXTP7Rsk0yx7IyMZMvYOxH3HtgW7vXFboFvppaEMFDNm8wpLk8
cIbgaj3nC8ypQ6s8Xs28kngV7YGx0iUG4RzXjTWgFE+3PeLxuhprccb22EHV
tdgmYUmW2apm1xgWY2Yzlvg3lWbmhYx2lX9n0ezB7Pg0PPBBHmDR0mREGXT/
kaGhe2D8fpkPkWRlo7ojGg6t0yAtFdsj/p7YYPiEJOFTl3X9EaHkX5rUJN0F
Uc8B531WhmtycRxRsIKPZ6BVc20lLVZAC11CUxLjwa/Oxk3rdFbTxwKhA6fn
1C9/J25Yp0E48AFoSDOEfbjfT6Ug8alJIIaEiwg4BqWNXiXN3aN1c6PQUHnD
3DwgTQeuRxhNxdx5kAMvBxWOk/EHu3y4K932J2SV9HW6bXZg+q8l/DLyFpbn
di1EWJ4s/62swX2j9CyV0Wh8c/0ey79oiuv1BwttRnPrj+v6em13jAUb3na/
oDjgw69DXCJKJQX0hODeu9wRBU4RDs6qXwhiNLoyCd/MaHLnSZcx0Akrbd1I
whyn3r0yIy53zc4yTk+MueBtJEQ7+9RhMP7G4YxcIT255Fj1eUaMu2phBNuq
ZegvxaZYQzkMgSvi4IvWHK86SYXFqTwpkYZEaWvOJ+ZKghxYz8JD5m+7dZd1
8qG95UYP2CT5nzw2Aq1SfIno8Px0HHW6AZNs94YZCceaBJPLWCH2f8PVmmhM
XZkChRncyKRc1p7++mqSFuey8mjScNKflrvqzadry1dRhjcxSCAKucUSSoR4
l07HnZGDdw2P+ktW3SFzamwYFUTmzFcW3R4vOB0hdGqFhIeXSnBOadbtR4YZ
UFOjMNpOn91NgQfhN3ck/gbeksWusfMfm5vILGMVv05vyGCWSkfUJbHJM0SB
+i5PwgNwKjdlYB2MiXhvdg+kcB8pBW0E1e1N8Mk6iEMLrmzN44a9Pz1wWgkP
UerG8CLNZ1wohJdF0TkMzQoXgwfnk6jZe/eP3PlQQTBTGA8LEOGClQm5xuD+
BjK2N26rEZUdok4WExqdMJFNZO8nAThVECZtDS1SiOTX7W5bZulKfdW6ClMz
U+EbhkY4J+U0BByJeqXbHWGaqG0Y86N5M5PagaLlwi2Rs7ZniDNyucK8aMYD
0X+ppXM8Ro0t6/nHTCBctwCaq2FZPpKQ0nnRzgv2/Iv6LEZKl03NX2TOXCNP
JGnzdErtexKP1lE+FseuejZrLj6QzttVO9B6GtAkQAbXCjx5db8Xb8Whfd7c
oOosS8aQz82COhL1L+tAMa3r5HStawfElNRSn/j7Mwv355ghPc9uuCCHBCXI
1GA9C1slu0QP3qDSC0dTPIuASxFrVRyGCuYfbxaplaYF4YCA0K31QrfUGUNI
aq2w3snpav2M8XjnjpOV2BTpZEnBNe8BlsAyfxRlrKOc5SvZnq6sdmTawKli
ZwUZtye18soFLzgzADkXuhdWTFp6aOeMhxbHl3Z/lKt0252TMbsNnGzUq9Tx
GYnyGhsO9nwBtYY9a7emrduOj50BSqvYiz2/9S4Ueqk8Py+1eHmgIJ6RQi5o
aAcndiWWLHcQ1PySJC05G9ZMdrCvGehpaHvb6axq5t9m01qRLmO/xbhvvRUV
IRzBEZyDWndUEB8ogTgIAUObx0wVW0YJBCjtXY0wHVwdq16n1jGSN1GYe1qt
ASnpMtAQlhdrC/Ji+dsJgrhq3VZ8geXGrxzYeEjl2msk+O+aBxRNMJgCZCRQ
m0M4Fkerr+uoDDJYhVXAAbcFRx37RVaZhEOR4n3GKUJNWwiIZ1OKFy2xHTjr
BAz+SK1wry3KzfYSZVj9nd8O2Jy9nXDXONezMarpNDv9Bwk2LbDr6RfaBNjX
wyX54Z87rqqAb7u1ASWq5fRDrH92Kjk78OtWC4HZFFQnGde92QNevPW8WlYx
wihLvRHMHc2vOcv/4kZnMLwqeEtJdb5msjPDxWcc8W5AqSz+mdVwSN05fLVJ
PXJVpyYCLlFwt3oZ+vSx8gLHr25upsXFuuaS7lLNcJYNrZ2E8xecC4m9pl1c
wmnmPFEMcpQtaMyyknQ9zusA08JCK7bgnPbzEii2ov/iDqHx8t+MmMgZm4rU
FBKWDbhTjG3DqFEhRDN7NHuogO4eIz/IgOnFcFmviO33KCPD/hBdM4ZlkFiF
1QYU/ECjzut8/x7d3y3tfhnj6ey4qaarx07Jumhd5duYU8HRbvEH67MNE7Pc
C6mGrtHWNlB7fML1S7winxK7zJKrm4QY3RSTz/Cpu8UXJw5VkDaeSDKJPECI
u4QyfRESMNaCjCYhu/dEUM2YA+IOJO1jsfAFC0kVMFHfGUfktmNYL/HWZGrh
1kwxNZFwEWlRF8bscl5HpQKmC9tIcYKginPRKVogmbsc5yig/LOOz41HwhPz
KPIkt1/XhoXo0eVVmgiElThKdH/sGKvA9dyJuGflRSUCsty7H07pHuo5WySV
bRFKM4Y4ti/Fw/rAVVlznh5QsMXQRqxh1wZTvM6v8ohzST3ZvId4EKSIAITr
KmOTQgLWOWWyYlWTWnASPtvHQ4nkMKsQ0TdA3Hm+h7zldmeyUvtN7Aip7W1c
UnVubusN6MaHYWipXfmq3W0Q2cGuQvWwv2dZgydF3ZwacEQS+W/o+QazkIwT
IS57l5DBw7dSBY5aj9U+O0tWul9zrX3dJhQTysiZ/4WISMcTvvpY3lxrkR3D
PtsD7tlLHDe9RmacoC+DezlkPpENMmdaLre37W/YXR/PI0zEKl7Jc9xZFbyG
LgiTLRoeXNUX7oPiaV1cSlCvg4VGKYRYyjbFvC0c23PzkV2QNfxD/qb/cn/1
fNnvVVtyZmPI3HYVy2VVw3gcmMTMdeQjpHhhz8x4C0+IFk/+R605Hdmi3hIN
KRtU5VphHxTz31W31QpzFhXRBdo91WjcuGRcb7v/3JgbVnddaUWnt95PY30Q
Y13UzUyfmF0daie+AK/LYgpNQdofZ9nt63KxrM9YHKJtJMnAAgQRwSh1GToa
cv+sqnhEtG+Fw3rLlak2YwSui6iBE4LLsTubRiDZQqEJBzb6uOepD0W9BvZJ
OyZREYVocAnDI+MW2Yw66C7CceTPwql6y682sYh3RtKREfeJ0X/eJX9LC2oj
ykySQnLLkWSGYKDKytJulT9OQ/gBZyQx39JUXcO4O1ufZ3BGOhisP/EYpvzt
XS/A0BdZFn/Thw9kBAfBxXxAn+OY8ZfyPlw1fViu41zI+WAPTNJBlqVjiH3G
WR+4g9Xrv9/nbxnQ0A+9fm/D06aBx0HpYjGPye+MeJDyx3ioI8fcBguGMxhY
oCQ5X18SRaOrKr2DC9NdlwnRJ0Uhh+rHeOAEaJopcGpSmIOTfurGhZk4Hbyp
BYyHOHxmAhbEa/YNTvnUcT6NEw4ejI8GbRxm+5lksI9U59YKCm5qoJUIJ91E
Dat7JaUiQgm2SHmOomAUYCMkjWDbu1SR9REvQwVmGmLHlgE030p14qIzJAdc
o2NDpoVCJDjTWb0piD8b43lVXWi6MQPVNC7YlQRzdrkXXpnJQzG6M6SMsCfl
mnaWGf8XFZxPoXH67A7VZ8UbwP1BigsRmcr+X+JubKPX8j8hzsAyGjNtQfS/
hfhX96tXqomueEVKhf3uBy/EQnGrsHahus7xYGqwnpm65rJdWuhGzHGhCZKc
LmeKkrtvjJkEE1tRy3hAZGvYilxL2RTn3XJ9lE1VL2zrf768UWutyGzeI0Rb
HypcxjjWnig56d2hJr6KGpwlavBlwXg1pUVNkkw4uj+mO0UyjEhn0ELIiVqe
pcZ4MSfLWQ4rx+MXz8yACa1q4zZiDFFZ4ZWEF2jAlNWUjEZDuv3ocMyG3Ox3
CcQid6o5wGpzsI1AM9eI4V2sLFczvCYw16MH0mWHXUT1D4F4AskfVRmBAlEU
L+ljWauk1Cm+HWoLZSnjHc9uUVZ81WPYH2l6spGZBiGXsUJ72lWHuwuk/HyJ
zSLdtGgcpnwrvN+OQBxEmoVAQoVLnmX9YBjGI6BtaeyChhetHZDNUFFgLkTC
R/nOnY20nKUtw5jQhuBgmI219EWsmKfnOXlNIvWHAEVSWKvIcDSYVyN0qcWb
TM44cWzkGAzCy7QK3K5lE8V4fy75+2osyzT+yqofSTYqjiePuLTir6zScgLA
CaelxvBbH32LgBzm9HPE3wRziFUnQCaHFLcPC6tpX856p5jLrDG1iaFOg9UW
HNA52EEw3Km6x38hExXixqpoP2qg7nq35KKey/p6KrWanJlxotSqlp/gGqoQ
CHlx2X/BgvXXVxXXcx8cWq3F6iH+sHeALUqDAziOnbPndW/HBk6qnFmDpDhE
Z4Dm1CLaw+oY+UNVdfG7Q26nEMo4ZALL7JBjD1xzg9Jfw3bYVvNMza78lDh5
Q4yDQbhBopIw/yROmTi1tVqKpYgRNI7zXuCTlUbnyFV7JYuvzICkU5uHuFdT
VIu6yoG9YASS4HwXX3sPrynIuHKWaEqisAL+ZmIGrTZzgGeqAsveKZwWon5H
nH7VCie94PtQ04T9/BU1sVzDz5HUQJVomRDbr92oj6TVOIieET/v3qPedvZw
bM4AAG9M0VCmCezgcEfAMFF7h1wv7tTKnc3LI9eqCisBjADej7qpLlDkJTqe
NCJwB+2S/VEwq34A1Z+ONYoh3TTNmNIBWAiHcr8Vh+IJxCZQSNnvus3KYmCs
xwOLE1LhuXGZEkpryJS6QZod6DWH7du7fupGBqHVRfaATWpELBOBt7+E476s
6485sjwR9eWL3IF7L8qBbQF+DQaPtaw1uVRpxMBsWK9ia5WHr9ISnB3TFXxV
5QcS1QSn1Z72xezz4qqolpb+R2drDohLdtxB38vT33UDGYxKakIGYuh2oHBE
immu2LpEVHbfAHYFxrF4QUiZ4HgFtNYFam/12keY6tQVUcFDhvk6ggVLc4Ry
V/nM8Xxpe52faq3I7vLAr1cVkuYIcALfpkDG8IvO+TAWQtFdq5b0DEOAXmkG
YJDTwUcH0eVIF8is7ildshKqxnkd/rJJkZAgdbH7m0sN1hkfeIn8Sw6FnfNq
3T9IKoxFHGSX1GM1pDqpsOpS6CaecgHcdc9fkEV/AS4dkdSW1ZmwYilVj4LY
1bxkriW4DqkFw8z1agZWn4WWcNZpqvojayJe4zpMixhDP6Jm1p2f2hBkmnzB
ctzE6f9SCjY3SpSJBNm5azrpmTMeje3uaS3SgGGMMApxcrpvMVGSE2g5xX9B
OqpGufXHsw2AOwFdQ0BwFXcjkr8dwh/fvgyOuu64M7kpR+blt3dism/sMEQm
j7mc5i/aT8bhXaMAAFOQgnkdq3oJwPEs/7ey3Lge2ogJXlzVFdLsaw6w6ITa
+41YqrwbraxFbCYPaccZbD3nxdxDez+m63OSM04IxyTwmgwiVwjDMhnE60R9
E5O5+8XBB/B5FFPbFs1F6cvrIETD4ad/+vTu5Ptnr55MX7/9M4AYUujnbA/0
80Sg3t8+TCpjU8uwiZyXW0WFLjaIyWiQaxQ2k/03mw1kVa6ipOY5PjAc37mi
X/GXeAF8DKJKhb0pfdUKUpOzx4sWLU2QQEIMCFGyViHIEmLD1gU6IP5g0bnO
2ysB76EUGl2D8n1xLTUAU0VKjzFDPYWGiT32bHqGHKobB0uiEzPNuBMotGoF
3JoDoNub1QpQN3MxFdYbjqqE0yxuro4PdqS8UU9pkfAc6cMQcRdVoxTKhSH9
3COtaUMZu/vNuuAIynHjrZ1CBlztFL9E6JGckmWMGG1j7rEAYsj19Q8IxEZA
7kxo2W0YH2KRIWc3HmeZ2DighHiTdzQtINBeCjbskBIxHyo0mY1SZ8jp2Hz8
0WHu6jmOouueHSnONuvHII4i3NzPxL6vdYGyPX6K+H2ndEL8Qar+lTOXhQgL
c3Qg8LGg8zVb3ajQzXZ+RwTiEYgWPqdGiIzUVGwUkIANCWdlN2H0BycFX0Gs
Hr7ekOk1Adxj10PmMx2eiJtmbrqXYJ0/fvgNPUUb1t3NOqQ6mWkLTmEO6g7D
i9apWCtajas8MHO9v0Vob5bdn+V37vwU0Veq1m79SGd88au+Gl0E/O3szh14
XRJDnxbSEkwHop9/lWuGwkWWoa84qg8qshG7iQCAIZD02/AK9gwec/k72HHx
KJuTyuUN85emFEMt2mG6kNImCzrGS04bzw4x19dJ+dKJlYiV9EJX9lSK4Ck2
BcckSzRAnvewIdjWTttQN6Y4u7D4DWL3tmw2fwvDqbYhr04k8ojpR1E7Fhrk
kNQuFoC26uKStlYbiKNtI1MRKcB8lIaf5mHRz254nTsavBrgR2A91RpgC1r+
MrEKhOhUNBFmalUauI4o7ykSCwsXCs6QlRgJuLbFAqONfdHArJYxt6u8dxdR
uVYWVdWOnBR9y/FPr7mwOAFXVcEkH4AKfhR3llqGzVWPRP4IHR+z+CUkPZFC
0HffsRTmgKBbFd/DJBVK1R0hDi2SwZ0VLS9dvVaM7tAbnBdwwu2SIePa4aDa
Gtkf3Er0eWD5+cqp5pa2LNkJuhLRIM0IKAHEM9BlvNVuQe2MPrOJx5RAK1/P
DlWj71XdIImzaQA0HKLHhrhmjKb2VT/sFkeMvzIrMz4dqcdLjEywKVrx8IBr
M0eUNYcc14hjLziR5KzRIjeWsEKCHbaUk4v1OS2pw2Yw2xZEabiZ6UhYQXSR
4LzaSFRV07+NKUNYxjReOSYCSXZA5Lyws+J43eQjUfc6w83oseu1P/ca0npG
u39ebUNejrlUfC4XW0dXwA7y0H7e8ClFB0X46KQMWvHj9/1sQvkpxNDeVuRY
W2FnKQtO8fRwOc8XRH8GiV5BbHCBFybcpr1zwOmT7354Lnfpo8MHDxl2rfVx
GlI2F2N1gRfUwoHhOkwR1n1Af3OYBD7YNLjkcuYfQwP036MDTd+SMM6D+Lcd
m2m1GIpQiCKa2PHEF/A3qCBPXzz9+/HQO/2WGbOVD6NoD858MdTAKEUY/Xac
+cHTlO7fGeVPXr75/kl+N3/64s8v3ufhEd+rPLhbB8/h3XxD62IAQHd5HUg6
TSJj/nvRG3GdOoN/MBaDTGy+N/S8Nxsa2YcD/HvK4/PbSw0Uy4u6Ibax4t/v
3wGbfPxw1yyndO6aLP6c71urgckMQKDw3cCX38HZsvhYPjjI0q6o9d64pwcy
+qE+wts0hc0lrQqni+Z/o6PwkMTKv0fgn8GwHNu3n1+8//71j+/pQhRxZHTw
p4MxNHEpPD49fPR46PVFdQFc/tGDw7yeb8ttO9YWVRQVTLaHD4bexWxho+Qs
NUdQ+f4lmB3Ebfyvg8wTHg7l/3OQf//sr/SO/kdUAG5rIk2JI0EfCnbqWqWV
BM3acRNgH5OMSorPd7P7UavxSg3xErCE6/LsiMMefGTT3T1qz12hgOnJ+pur
v3w8/Ofbr9v393c/Pbz+67c3//te8d2D+dPH5fNvLr6/X/3l8OPLh6sfHsmM
IM0H3J8sRCQDEKtXOP5dxK2BUPPChUPKAzCy0vZYsqKWphH9y8sYEFZQ3Ftu
LrG0iukNtyrUQZIyGakrpsFqfrley1xHxGBNze4e5JozNECXkt0Z0nmQvJPE
lkkCCjZRm3oXuauTuhhDt5PodZqX0DjtuHxAYaYri2owQx6WKKnukQKZntWL
m7TQIVIhjDhx01ED8awqsIiZdfTUTaxRTkk5VfL4FF77fIrYeMyAR25CrKvT
XHKd8nVIlGWZKRX9GYsvy6MTz80gLpHmOne8oOtyB4FKCcm55RlvkAT1LW4T
MBqpyIlIHtZknrx5YYWiGb1EzBPBnOZpjKWpmkWv3KiEtSQlDJrgsJcf2F43
umnI0IbCsQnuXYmUfHXyxiqsBe0lziBQnYuBltOGACGHACWqsQyD/uS6EGoc
OhMznR27UD6Cmr6S8jIRyliKhx7FY6hvCaRQwJZLT5FYRNlDo4AA5lDkNiTU
Kz2eGqlWt1sfSjBx4VNmmaL/D+paF06vTI1cQZoP40T3Kc5Nttlte2zIFhkk
5gC1fQmobKP1f6Zocwo5HqH+R270X7URwQNp0ZJHWDvmlQ0wr+CDT0rZhXWS
oBCevmozUsPRyrwWIcwMhgSWqa3y06TLsbI0FW9E44fb26xNYQVALsi+1iQc
uE9h+59kPRb3ZQan0T/1FUexEEU46VzitUW/91J8T4SvhadIdLdFkbx48sOT
3KpgWPOZexNCB1+ZXz/69hEUt3dOZLt/Lx9xCycK3yRHdqx1aYfrJ2VZH+TZ
h9ubQ8ayJSvJVvRNzGLsHqNpVu0el9KEDU5djkKPWgany8VjcEvNmDaj9UCR
h3C8so5CBJ4s4BtE7Mti03KggpytFQrrwpfFTqyT7lDfyVpLYamw4t98/Q1W
XN2NJ+9ElpkIdEe5UJPfj++fT78RRkcjIA4ugDc1IwpMGdGL489majWT8/qx
vAloX/TOmUDLTgUFmH+YiX3lh5prGl+s2eG/ZjivrSi1eE8L+EgBJVwB9qNW
QmYDk1yKurSGZcVBB9lD9PFOHijbebGR8ezaUp20p/95ALHgP/+T/33G/z7n
f6/5380py7+n/8nlf5fLWJ0V6Q1OGGUb7Ol/7k6lH2zOI56g+I0T+qIRdHZB
3cvTVFbgDTkSeydDObMpJXxG6vXp7N7peMLBjAb3LE2xtbElbg+8CzTRgNVN
aSk2eYgrUWp/LANdLm3pQr2M0zV7+/2iJveflesAc0QnB+Kdkpz72YHQ1vcs
L8GTqSChfBS60lSAZO4LUT0RyvPovThHIf+Q4y+4z5EabSzORdJeOPrA5RSm
KKgaglZwoigjPkiNxeDfVsNsluddRyy363HYR4aN7MIUpg64eM/vHgp4zyO3
FgoZdSHTJFRbTEM2EYhNwcZ8qdm2yxsHj6I7Np51oV6bPZCwRFV09cXSvUFQ
YuOI+ra3VivQo8T2oPzCmspmpuikEwfIyauRYPzwNw4RYjIAIMHPhIRfmiDT
bPCSyxVeNxeK6RXql28rdn5iOSBuT/F35l87q69K9e6aaTB4Gp+g6lG9Jpa/
qn6pcICJtVRwkW+5JjPz4daFFKSImKeW+cGOnIX41uyu95ns3LpEfc87WHrx
MXkqQ3kzkZY72DowtaX9jo9ikGJrHc8q4DXEyjb67UDqPkMl6M/46kP0xXxQ
zEytGqPHeOLFPiaZLDRKPCIk6ArikVppOQx92t6s55cNMRPlIEbyCcF3aW6W
j0TckTHqwrrjnAWgRQHF2CIagWjeqJ0JP9A7x9IYbGkRbnc9hKECEinSm4CC
oqDleJNvKxYdTXC2JnK6gHZSO0EmrbBA69wvj4AJS8FjOLMRpcsxOI1gcQag
B353YF1n4270RyeGj4GQZa8GcDVM7s8uw20gJMk+Yz5IpFqxfA30FXeGTF+1
imR8/rLU85iWtRWoVYN/E4sCI9XHvFcdqGgZxcVFg2KktNnl+oI4ALr5IBVn
GKvCircBlrNFhUWlxGyzLLZQmKexoEBogA7uFlEiusMiBcNyX8znDYkqmcdV
6t4mopDQ044e3W0aDIvCii+T7wZtE8KkHhxO2eDm7HPCjAWMVzyAwfgQDQ8d
i0M+YtnloTigYw7+JAupFIIYoLYIVUTMfO/N/Tz0aH7S6meprT41KJr1MNLu
sO0wymaTmCPN+CD7Or/UsSV2FDrmtSpabCcAB374IDVDsnWII+YYMVPWnuWY
YsnxT1sOkB69+/4JZjDJ8eHBGI7SJW6tTGFx+LCHllkzaYOqyNhhCGXXtK8r
lInsVhNq9WTvCVPo6BQc0SRqYftVjHbZgwLA9uewLEw3qstc3Z9lzyWHbFX8
g0MMkmp2UUnXVD4DY4irE23l7aAFfAi4XWMaJa9DnU+uxl6vgAyR0rhfgybw
5LRIisI6p1ZPjRHRgHGb5fFA7RDN2KqCRVVD2wL6W7FFhXeO9Lpy5f/4Ak4c
Wr/DU6V9mKdK/z4S99SUtQF2tNjKiJPK/Rh9LvwYPg3Z4DEfrgME9XdRb6dm
n104vALbe3gbB50IQXJf8L5G2Bic1KU4iLvvqEHuwEziR5KxTN/YLh+JGeeA
dtpP88vOmoHewhuTPH1YOAq3qyU2QzHBwfWqlXHs1EadMKCkAqWY6kenvPYK
EBeGIQJRkTgcfP2p8aCTwcggXbMjPcgPiodnj+az2Sw6CV76dfOKW7KgPZ3N
gnm08ktXljfkgJuook0s8F/A0lIoDIkCUBskhxHwqcughcfgMtYHemNzwC8q
kKw1Xl4axFmFvSTmn9G2cSBKMFRaYSYpjhSkidM9XpnTmPm27a2ULKGYyE5H
zsA3yRPbXPhTxkCM6AMamCCzb9fAivFhVcC+NmZgMRWteEYCGgGDsQPwCLYl
iZeDkNMQ95HKiMiBQLA6gx5POkDHW6gUZSkBRVwvKpe8BxZm9MrbJOKgzD94
OQZWgO0IQcsjBui1i1SE06qz/epGEexcjV9fCU6KFm9bAcHNu/pHvbiCiWfq
RSiubCx4rDZTf3IGLpNOK2bHTy+GsYjzAoGdoG/ZbASiDVbi2W3FfN0boeBf
vFSlzhE2NUbkTjRHNELKSpCGBbbfCRnXbJ6TtFrXTdU6/OBReDiFlVc/yzjC
VIVd4vOV1GfUstCaCMBdXcnBFCMmdpAjkpxnSeqZ+nhUhu1ruh0peNVbaXRh
AKVoUjDJ5HsvIcYyktyTeQO3PqSq4kuYVQ5NZtlqQcvo9vpx3Qz0itLV5XI5
1QWEuT4CJfLM5lqbgO1GXKKzDNHH/BQMT2xkQxjjhP9kfEeGDVAA+Imap6iR
S02EKNYcZlHQhoEXa7UiyCdiyLLwsAjthsE3MhlidWfVggj7thVMdwhTEzeu
XzYM3OUD4S1ZwGrbCVtDDrPWOQ8WNJ5yq6vGZX3sxlR37JNQ6+mWcXJJI45P
6uw1dcShIQfv+HhPgXcRKOpAKgqONTBS8PDMFmOJPXmPQXC8vcreWnWF86Aa
thdLkUKzm+0aJVvRNBT/Ap0fBRNRIHCrpi4iONEoMq8dDcstu+JaqO9hNzo0
lynoaid1JViiWvokYawnMQYHJcoh+WLeNnuTYvaES5Q5/lDNOV0mMXdkPUTD
SSgEO1iiFsZId8azg7CLKiEjnezmQGwIBzFZCSsgMbPxtzVcF0JrsD87/hNk
gvPirOGKA3kfRpUtSOqhs8ll5ygmjbDcuJztdnfGfg96dRc4AI7ZuR0hEZC4
IsNx5rcCaVKkOfHBcEZs6NcGFi8MuIgeUQlftZvxD6GQKd+ubh9G8eobY/ad
kLuq7aqA5h7Fr10ZonNBdrkl825fYlyWQRm8+bc6unww57D/iBZrig+uFrcA
gfcyoUahvmASlnBZ+GXKwzIlxcu+BrJd9At21yzewXqNPAFcPECyU7bBbcIc
QTznaaeONv1eMUDHFdhYqLItOvKxs1WEn8AwZvHWCrcun+0pqRTzy4Fw4nBX
xCBIRIjwhYIaTKoY0xq0jLAytPiuNA8rgLnV4wnpKRwZijYdRyWd9Dy8E4M4
eKCTLO+KKfSRoy3a5IpErAveile1eRQR6IKWpyuSMtAmOyrGx+G0qqOBX5oK
uxGAt5Sxi4l8YIxyi+ga6VkYopyhPbFc+anLO+hsjgAXi0wjd5nWUkzW3yLG
04xSNgQyjpUYItYC54zaEGdg0oNBN8fh2HYDamy0yiqGLjnjE+H+cswiudO6
BpA7KgffyROJ1+rytq5ai5t61xw04PcWz0Og2GQQmmarhhT6AmULBKAcLvCh
+cVMB1eYmGP1fOyIVZPMzNE82L1aDz0nkBJq021NB3V9Y/Yg1riq85Jl47Rw
dNalKrkQ1BaqZdQNz82lsyZExgKSsdjhodpFYoIHIy6HXHqlqkYrvqNv69PL
gq7KvA0N8X0hJknoG7bIst1Oo/vSNOcIzOXtceq8Cp7KgLYKRFfBw9fwdjjB
mqrg830Qii659PsQBnhsjGe37EQDRf3JQtuTGeryc+xglKVsMXbrpQKkxTc4
mEgPQZQ/Oa0pYiZf97gHy8tdHTOS57YXmM5b7qVpHvw1l60faIkL5XoMeIMr
zLu8J+S3GLqXCOlGIprbbBb4QQn3C+XIzABEZ5HeT0lPcsNjpGBYQZOwm6ot
2+hZRaED+q5urcyDbANTL+OEpLvAMhsbMTYV7wVd3+X5OYcTst8Nfn+Empp1
JIA3dw7fUT6qxizVWFFUk26YQfkIyIS40wq64UhIib5Rks50tsO9Nqpu62d/
LyxehKCitCN2/a1LE0y7RTBibFEe6XpZAGSiXPO9ZCmlgLK7rHFeUTHL8luw
j5CFd7wOxjND0QaZFGblz43Y7nrAX0xgcWYsvocQx5+0UrAA57cB4sUxS3pf
506CyZpDczqEM/EAf7gaGYxFIjVS2hEKDPoBsbmPXvazrN4KCYTV1rioaVns
QeTWuMh7LYIGDciUascN7HYYEB7mpLGX3UNnG+VlqlbrofML6pq5rNcqH0eK
YOb6FVjcyirEwzzOSEDzS9Y9WEQTT1147QcNq0bkqZQcZ1Rv7p6ujc1WWA4D
7zMjHWrkf+Y/JEFu6W7Dn5eOIaz9mWmtYtzeRGWTte7YL6u+Wj+WhLdCwpdJ
2V+XS7URLJfTUNmkXFyUnBCOlf/Z6nBpbZ4EIC5EOidlsAV3ZVl2zSZikukf
tM4h4/nJxESG7t2drj4L+8Xp7QMoIfD2sdnOZqJvHLgKb65IDpeMV1gV8Ko6
MWiZfcmPSjIOeWQdSb2SeG+uXdWWxz7iWgw0k561jG2jS1FC2LADlrsNj1vk
cCw4g+H6Wq69cs9dk1yo+S2wPbGUOyxMwbppUlc+XHqE0WIm/BTMLROJ67Ia
FjH8Ab0vywsSIFdibrDgUV5hzehbIyQdBopIbRK/QnNi+SRAb3iCJM0qLrZi
DV4KqCWu6NA+5tDVAa8r9ryi3woe1LieRssQAQVTD3wSiDkhmohDduStdajV
MuqVJhpbiEiuN7ylW9feNKKKGA1ctf4FKZ/1LDHGuvLcK8RBCSJuHcpp4kS+
C3aelOMxqxmSc0187ltzTR3ukD5z7jASqY7l5UKN947FByYyUKaNXSulUqBv
+ghwU0IilWWarFyt8ZBvHAFU7pwKtFtSqciqH4yqc3MajKOhRSxzGAnTxTSE
BYSgO96LPdp8oDS701pXZEENtVsBROJckSo4awSXF0YhjuxCj2Ki4XvPkzSE
cPBoxLwd7dk3YbLiWxdTpwmyvPa9sl067jaxBErg0BB3jFIBrRzHyO/D+PUb
lOokzJL4PK7oGBcfS7b5chEtRypxAWfO78HJTL5GKBtrCgVFYILC97G4KZ8U
hVVI7mlnyuKQAdTTooOSAlDDaMLXVXJZCVxSaEzTSIAAxEHk4c7BYrHUGPXr
KKfSki6rCxmAc1CjRIRgGnsVJUhXHEVh7U/3zAfhZ9HW3xM/cBuIhhvILHTE
5j5Bh2HriMHQ7mmsK4YkyzSddu8WPrlxpxH000yjymb7fucOtbIs79xBaLY5
nwce9ULNVgprSRRYFGFzaCYLFrK0Anx6ZCIrnP3GvjSOQsShIGNF8sxN5JI8
nZqhD5AaJDJJt+EvdSuiItF5wfEIzCHlcgUPApilhH7Q93opwonKQMGxhpgV
mzvm+6ij0/DrUjhJwmnWid2ipRtZnRHeuc1EpMEYmm9gfI1tBaGsmSgNHavy
gs5Uc8FOEdEH6XrJemgY8DJsAocFusQ00O7QaoE3RouKuGeLtXlcJNq82qpm
yKVjk/74yFhShSoZUBnObmy27KLvNcx8jplrWFhrxRQ2m+/WVIxYqrYvvWs5
F3WzGX79QB5MOL9mDCWpZIoCWpw0AjcOLgBhgVZsUgUK5CEuq7l3lSeCu7OI
KRNoE08EdGhmIWvnWeAUAE2eClq0wLjxcenAe95evgj3dMgZmNwegD9JsgAm
ebmdc7UD76OQzM/b2FFbbXdKeJIXGlk111eFe3d3EazHQT8t8utCXE8d3TRP
HLHCzAIfkWgBujmCNhyW54rWFmKABP0onYn3PHfjncPetw5PY9BdOWPKDETC
40NUQagB1IETV7BljQBD+NmUe7xu4AJkq2mSbFGd9+8OWiaGcevzB6EWUU+S
ZjSvSKjl2GukUspI7hCbZdfIKeJEKPMu54qxhjnL5qqUObA7P4lu0aRBCXYc
G3C4jE9XgiWm3MdF2wRsw9l/jXrQSgvKzsMmx82KhyEVJwVMXCVJ6a7j+VJh
h2F5U4K+75ItZZrgDdWypR1e7DYBx08gCJORuSrSN7IzN8PkMLFoeT4R6eUW
Sxa2HoSf1TipiskgyQ7URuZsZVs7VRmjLNqTUq/aGb/eL/BKRNmW7HiH5KVf
Vm30EsdYctlLLVIajh8OWaOQ8T6NBzlzxfI4TPuW4RZaAxQVS3qFCfF2cYFI
AMgAS9j8xLiSjFzEIf7NYbMqAfbnEueByhZAAKza+bJuESB8Vt7U6wUD9YbT
A/vn1G+KHSf112khHQHHM6wqfVtribjZi+WyHW65v93xrtNe28TmWHhqmV61
Uwbq4qhdWbxfqpaFi31XGB9CgSRhUbygfasvYPkWFRUKfjCG90IqJIPIS+B8
rjhrInnT7J6alhPYnqa8aQSXaAOhUqhKwBqm0Dn70V6TlPrU2A7O+d1rBvXo
QAjFkQTVYHXPuiTLRlyOmGJUblgNAtR5G41QQX+DLAWPAZSJWDVYQUZBe4xy
mkwnQJAKClJHAxFkpFNRDCRcRd1KGowE0TYav7GC823wokjJsikP0WDF1f3q
rDxYzhgeYiFy3wHL3PlqhsIPOboIAVzBxVx3rHUZDc/Fb5lV2+PiKT93QQga
75BY/VZlse64vkQbluh7iT5I3aFdUcJiuiAaMPdmdINgqeuaEXO+R/3PoaFr
DZJzsWSdQLXhEYeIuo7fVqQUXyg36a0YClxDpFg3ao3tgha31pnNcNQah37Z
urOyz5CS4vFifHsO7Gz34lFzwGxI/eZ+3a6OYoCRNysqfFfIEOOlyp5Hhg2z
KQB+ZfAQa6Y0sY/tWMpkfxRPcwy5ynCjliTFn3eKbTAYgZ1UGSXexWI4+DsW
Z7JqG2dpPh4L/upPjZOPIf1IBjzeX8cK3B0zn4FSWpF7qHnF0q6wMEmEysaT
qFrDXmx5K1gkZit1TrWXTJu2I3xsJYpWf3GT8gaWyNemKsepM9sMrg62YC3F
kKYdUkgT7/rBt8qmguEoCYOzG7PklCRizz8m4WvP3aqwKCUFDkPaTRR/R9Ws
nE34gNlXIv1y9jf9xRh0EtlpvX8l6euMpM0FRRV3uNC4aOzDOC1cH3/PogkG
HJYpk29ijgxaFpEdc5Y8W9tmwWLGVjEsxr5wPRcIWa172J0SR50lNzn3cMyB
9AkN6pWoEkhnhFwlhOjnxxcC0xriIWMKnjNaKm3Mbt/CRH4Im9ZzJsaN2rPC
zshVWfhK2Fv6b1i7YA53449WnL4WSyJ95tyoolQWzvgVfLnvXaTPsi4WJA+I
Ks/WZUOlFNuNRrRHBMcEvVBtpOxUNktMZpLdKuAVhiSDNpb3i7NO42FDvfCY
mfierQ6GdxpKP7jCP1bC9mbjjw82VOwMmtzSDddg05xq7dGYI3Cg58xHJHOG
S5rN8h9b4/fJtgWD/yWfiejGCZDJkkT2DyDfHFiGe3NwFMEOAVCm6S9HqPMQ
cck6sMsGTFacIZ3oIOYTvRCY/Fgpl+aOKqNWudBV4pYcRKnb06PLziwz18Yl
X93R8u4LfEobyURDfgtN9G90mX9iUf6AkVjD3JMkH3kDCZoHYtE80Dyz/5uV
+uXmX1gpbdBEa1bNdhjagZgYywUw/D5nf4/g1HtSn2MSklYzUdxq8/5BQdc6
Kq+Q738Ri5UIy9CgmBCYBW4akYn5wACLKd4sTxlkdrOhU2rGwFoyAmJlcdvM
LoVzrvDEsrl/M2ZbRHv4298jmlFmKWVSgIrtz6hkkbL1vSC1s/w71cMxP0Gw
ZMEDIRusNYxOFaoPY8LHj+WNfdws5/YRBtZJxh+pkca+nl+W/8T4+SC37Ne7
DW7tulous+BWIVZ2XqygKzW5H55ApSCeRA7aawb2nAoizhR6zVSxOFGbnjmo
bFi1dphIgcUaXG+DELcIEhqcmyRrl7+AIAPq/p070j7q29OvigLYllKWL8D3
sM+50XxRzu3EEGSRXj17//3rp0dxOKez/J3RNN2yrKNELz4Mhly/QC7X0LuE
BKhcn6rR2L0LtjO7ZkKwT6etSBdJ/WdYqlmZgeIZ/FKC3yEz0sJ/HMsLKo4w
pMSuI+nAlt6hGKEjrtbCXN52FxK4jMksonhGlF87W9NwyfRmB5DqPEJUS9aP
p54IW50bEF0IoE5RyGC/xEhJRZaX/XZ5Pxcr1XgPuRv1EiETPt42CAVBtI61
OWxhYh+n6aRUZvEQ1342Lh88CATTRVOdb726jiajvSCmtdupYDY1TJaa6Tvj
Z7Pc/MnCIpmKinbvu6MzhrHkgylRegDtpVZYs694KlzI1ZDcx4KJ0wtPl/Bw
XYt0wc9UIkUQi2kFcYW0EA8bVDgXwqq0adIQJzSzC7DnyIl1WsYhfYOhA1we
H5/xgAjkNkZtDOEEEJv49Amz/fnZd1IiRa4QIsa6sQQzrRnOsJDB2YTQhhtB
f2Rr6uV2u2npNvkkT3++O2MDEpMG7uLZPwT9SHkVUCWz3FJsDM6B8U/HCKmr
JHlZ0eoq1NHyPAAszyzdOCYwGmm+M01LAzbm5SzOFuc6zPbfnv2Hm61UWpVw
fS1RP2fQNJN/eKA8PAcq6XU8zUpYHkPsWROjrZuPwV8Ag0yYEA98AwQ4GE+R
zgtM8RZ3B1+QMFq1s99JEoEAc4uK013y2w0eFxbgzcsTWYA3MtuXCMnj9AdX
UmciGfJcfODJ+1CgdEpkfbH2YO0ir3BACvp3AH/pTHpAyi5NI0bVRHJ1lTqy
eJ3ne6/zwLVhaMOq9ZArMo4QXNdpICfvEx4S7Ah91VSoiVCJ5na62AG9lJWP
OIFLRLOr+0nxadxH9JVUYJiEkPhFzK6KgjbXGVtjcJKNGzLP3mlNVvUyedXC
oQ/cv5+PXphZhuYbtarxRMuoMfp8Uns6XJE8t/v31JfDgWWkqQBnMMxmkh2i
dAYdy6VUHfO/8TY8YKSJaQAji79LMcRe43AaMlcO6wIAfMDgye+6MrIAmQLr
a+BWud6tJq6ommJiTRREwICmtHSTJBfPjSxhLUeAujE2FR3S6bEF7LLasBXo
viVJqXzuMEakDC8wDfT1s93Wiv7iaPBcYlHiaRYWSEIf5FrIPYL6UOWg1o2D
obNiWbe+yHMsy5iqJsV1UXEOA+lDv0BTRo1lqHKoOMLi526ttRpJ7dmtEI0J
wfbX/Icwnl/zp7w1v6JYMXPoUGDMaqS5irpWVbenhp1yA0YOqMcbyzWdvmEV
7fTu6WvRhnn0p8f51UlBS/5wdk+r7zx4dI8YWtqBqYu9DqoTK/EoIC6PHj76
/Pk46feZwEikDa6A0nNR9tp7wWtOZ+iVPAC7HWBIpPUHh4c0tJFWuA1lfhgo
VkKkRYxo6npFkkbaZfRw93odSQUsQw4+ppuv+Bi3gLk0mES3SWMet677CXuZ
r8qf6SYjYQv6zk2nHctsu33/EP9E+3VR1oBDPc4Z8xLTBXAj8zC3JmkHWi+q
1/7zp39FYbenf8WmvXj3Oj+8d+/w8Dh//uLPL+6+ePfiBy8pcB02vZ8E0K7b
jRTu7feiJeROX8eKvkSHdJ1JDht9flVagvCprzRHg3r27Blx4XtfP6ATf1WR
gsupzE77TYcgiGi9IfgaK6PvEPnw8WZs1VaO8ydzKVdMd3g+elW023pBms9x
DuduuZgaHBoXq262KjEzXE3ZgM13Tku9BtMZ3tIf2AGAI2OelWOfFez8BIxo
CU758uWrqfbMPJQk1xMStP785j2x5UU5vWiKzeUERbiRzU6vbfMlNUzjf8Gx
ra/XPYrjrEyM7ZVwVzCve/nolL+fVYynzAVYO0SIfSoEDNdo+Th/9tcXzzvt
b4v240Dz+Fp/G2r9yVyWbKSekFuOHlcOa4Sk0/uRjrPtyzhp/TXiYU4dnefa
CCD05vQ4XRcM1niuYrH1gXxIPUH5WVMh5aIzGLjzvzCStN6iFw4lOV/wT1zp
RblErsIrxyKQXcM7nPAX6TysWW+lhDP+roVyFwSxW2JcYluSCqjFGWwPvFVj
KyvuugsTQ4kzd+WyEV96FpvcOSOrZeltqokAKLOLIo58GH7T0mV+6aw++6w7
OmMPcVzinpRgITSmBgIg9/CzmWlARyFOjk0kiuCeoDbEAlys7Yn+kyFwVDxL
irKIWNaqlA/yzT939RYw0i1Khlh0gnlWwAPajOPlVY7wA4CjIh+JigoER7pL
PtJ/V7stekBhaP4PuuE28JGUAsZSRsPjGVfBQKBFvTH8OanuY7D6U3pval9m
1GEpgBLHuS+MyG5NiWsQx7gf5WhbwD6AnzGDScZzhaqqhkMxb1pUlRBatRYc
e4c9OYqqIyuscBnMBdFSSMfAJ0uHoBy31Fa4KS2V5Op+xhMXjwfX6C450lZ2
P7J+uXZQbYwrvLN+5ZSSTmBIj+KOoARIMVkSnhFiMiS+jQp7jP1lax9yD8lY
fFA2pkxB96pWc40kDtu9VWxJSCDB2WrGixqeq/TFQ8mS0Qa5bFR0Hu7H+9gv
YylO3MUiNW+XWkhry+AVT+mWqR3nv1MXHXFHDmnG6WLf5qM3iG6c3wwA53eY
UHID/4bDnhXN/BIKHu28f1lqzeZPXuirR6xdFFYhjnN1RqiYA4zQpWT9rrWG
cggEb7k+HMNWLqSdKaMa0SmsG8Uc0fCzlvSxX8SRHA4mbai7x+Nk1CotyJQk
I1gwZdNmkBbaMpmJoYTypAyLvOJaJDG2IzktWfK6LtDEYog4x7CYk8KvhSZh
h7I9t5FQI2KVAd+XJRdBxhXFCYdzt4Fj1EDUTNbS4qqMVyV4b9Fu93XuAJh5
ZVtOPaL3PmB8p4LGDJ/VB5ZsEPw6Lzagu1O1MF3ze5zeYvidCy71JBtt/cdh
6kIgf1YKPgN0IsHtZhMxUH+ZQHweoJIZdMqdgVyH6E3WXAzC3qKKWQA0GMol
EctVVWRgRMtSU6j0wenHCmTEReOdm1/Eina5uwhgRRmstJe7FTjVzpy6wtXV
dGiDM9SFs1KyC7XKijxlSxJ2UrqCcw06t/xpqSHiH5xB+vVUNQ3nricT96Tg
jgRckCgG4+o0ow1luQCycM6ysCJbsCTMUdCl3HtjLvcdbBmS9cp4CbJu6lKd
8rbBjjeR4y89abhdLMNgaEV66aKMH5z/rDOoDWMNG79mmNeAreCa9aFsYtwu
BM7tzvCS3PQ5tdJy1odAJ1p5ZqnCkF8yPE2An+IBKDRrkZ0rZC3vh5qHEDgi
ZNW4KSTxjIum3mwwLUaSTU9/LBwDw+kSMbQMan5VOlSPeDC/He8NOrJU064F
0/k5kPRO97I3dJ04GxNYIieaKbxmrAg9Ebxt2saqyVwV9sOxYGebKYm1EW9n
m3eal8DhTNITepYpSWW9H7E4xNiZSNeZb54YDT3uO7HoUo2tQ4aAgB/CwJRF
HxuLaFLaE+alnM1LVtlGA3ZrQfUIyj9WHtjjVqYHtmFFshCWDxeTK2O9ay2O
jEvOxnbMy+6idA9nj8ZHIW6EYezFhy4eLxNqoDnt1ggM+BSqYn+efQqd0mdF
e8aCfmZYYsThnLrHtT6yM+CJBXERxOzGWyeYX3D0sIijWsqk1cSK/siK+ar0
delEJ54Vy7Pd6nQcA6wqLq0tL03D4vgFJG3oirErNWfIsvICTFzWhf1yKJtN
uP9DcQ7q8hyY+0YEBa7iiKTh0nLx2lwhXVZ8GNC5uhGnvJ0SVb7OXL3IWY9C
zNNpIlqUpE41nCHXHGEWfG0x448uLMXlbfTW/NRRVwcVNzQZBRxrdaCZqs0S
bZIN2mzgT9TJrwJMvZLDUmuY5f++UzzCFNEPITz/TH+6phulzf9VNn1IE7Wk
R/+gNXPkgnIQg3OwPwBHgZ7x0HxHlyTHKIk/hBSrC8Unmepv/Jx2jxif/O6d
4aHduZv/PfssgTWv05i/I9ien3MkzK8cvgUrTMjPGbAzM+A/7AdWiodew1cO
6ouhyGJNFeBlSQqlAhkeO8+afmU5Q6y7ITgX3klI99N4t/iIWBAgl83Y4GeJ
FVeg5pmYPJicZaRnNQlIBextmqCkcX+dcJSAyVEYuPNCYkMsVNoe00wJluU5
amZZ0SykSGFj0XQRxMmKb+vAutkpNCxIBvSf14J0eWqmZ6nismAFVuq/ACqd
43GQnSdS7Sx/qvpRkLYtdUUUZ40ZF/qNIiXek4s69ie7UFuJ9vfGu9LaOAxl
eQbvluQlW94Yfoq9W/p2/E3BUTkgmO/J/lIwIPgt8/AwHG1Zal4jxx3bFCdB
d+kV95ntqY6oJSIRKOaGrzQKOuAOtOrTnA6fGHhcjIJWlM+tLmBoJASlY1E1
PFszLkMFll+l5oguclqYSW8TKQQmXrCItBCqOWm0G/brn8OsTKtAORg9BCOm
lJ1ZFZSJKxYiw3FHj2mc05/9t8fxlayLXxbKGvjiRyYLegastQCyfSDRhcls
k+gUVyE6cCwpAbm+ydS93znjEUhI061CPe3UeNeuIHdOpxzFrB5rrQDYwQET
IxMrnirHqzhn0GMsxMkwrfjSQO0JrivDvRBvEVA7nphGWWejP0OX+feXUqdz
SxyN4zeYM7KFDwHAl/VGKIYkdVok9DwF1FVGKstHcdHqLrG5ljMLNt0d+SoU
ZYDeFUeUhYhvZzETc5mIoLKJgoGGq1OuYJlHWnOliBnt1MbH8mYqEGJQbFeI
b2OhHcVjJONqE/Io7/4yvb6+ZsTp6a5ZWpv4O1SZZJYl/mUEWnAc3/fv378J
ChfHFcj+x9u6W3wiBSfPzM5tGG/5ezgHWENRp2zrQvMsWl4ehoBiNjnF7rmu
GgUbskfkfFateB3QcALE6cpgyDT0nz+5RUMJ8f/3wH0xzrL4Bz8M0WPK32VJ
+Ya7HGE5bSAeDf9eMtQdSb2DvwYX3J7GiQjpJod+P/yAE24Gf087z+I0eFYs
Uf1JKoBk3YlwCfQDhvf/wFGN9CCtc/3N43v3h2qT342PC8gMPf+lx2mTYttf
bh2Ph7b94+ki08iZs0sd+gN6Vv4UyIjOkvcflsSIH9++yHrLjzX7559QH+Sn
k++fvM26yy9rxmINP7W3kDtPR8RRelAlVa5kCeLrzQa4ZmsSAqZ0SoY2mtqz
+kVfeMxcYYITdFtzwSY4hQ1kGp7MBkaDdQlff6CvsebhMVn34QHiTf+Lvpw8
LO/vGTkaSH7SFtLHbQh7JiWjSMvQfUAz/Z1z/3ATwoHBQiYH/puxXyj56k/Q
OoolDhqXm7+siQD406K4kQ/XZflRPqn+eZD1lwINJXAJ/AJgLT8IrCX/rYL8
4BToZ26d5mjNp50OrB5XDtKCJBxwN7w4d1U/+z/Mvf1zHNeRJfp7/RUVnNgg
gOhu80OUZCD83qMlea0ZfXBE2YrZCQdRQBeAMhvdcFc3KNjS/743z8nMm7eq
mqRnN+JNxO5YRFfdup958+PkSX2Ixzt9R8pypak9+NJ+ra1iProetWPKToXZ
hfSiN+8NPocnfQnTX5u7Dn8zs0O6kv40FJCPgqebX5vyc49fS3pTOqRvzGft
pE1lj6sgWqTLT9M+efnNqz++TE9RNqSn3zxKmyVIKD5IATOaqbP6Tz98I2nm
Qm019xrjV/W6FSshmTko2eTPW8km2aALrdo0JZDOBoQjzyuTrtrMe3oksZXX
39d4WjZ3ugRu79Defya14Pnz57/9S+VCla1xj/yP5y//x7M/pP/36J8dsLHR
DjOjPjywT6pC2n5oYINq9Qa2p+g+C9RNU+8rIlMDAp4fDH/COfaB2KTYCJa9
gr6wlBORl9tWuanBNBMUrerlnSg53c/17xdPPc9TMzGzjltNa/S98cB4lbSg
0/Wp0dzCovpK7Kcpi0Bsqus1ggA3UQ2lXkkEvexpJAfDONVGH/dKvJ4tkKLm
tth+s0xXIymCznqRxITMChxpShku/bWP94AFvrIvCXTI+/VL/e3gq2NPzR9I
gHgRo4TiAXm4g8/BsiHY/xbJkGCm+v/4BI9wl9kHoZt4GXnvCp6jayN/EfYf
dDD5ZNC94MYIupX825Un+4f+dKCTu5gZNvfaWvgkbfSjzOLNjy0k/VIeOCdQ
HMGPs8nSToK/XvUtPNDHNfLJcpYehzzPAembZnU1R7wGVmCai+FMKM2SakIy
G//An3793T8wc79+aJhL47j951ZEnej5yx0Lp6to9j8faWXxzCAlpSqEpUzd
e/kHhK+ElVtaOAPB0zGHm2tYufVZH21gB90dY8yurL6x0bsg/YgZCHRE/+Rc
pPZngyoczGwSYZxWHAXfOYgfhROaSrJ0+W+T3WLtoQPCFGq2UlZKXxXqa4Xj
JjatVpDjV5nIoIl6PxLzM2yqi8n6nTjppOuvXH2XnkNtl7NE4S7j+PGQtxO0
eKgDoq+5z/jI4ngAlTY/d7f72wMDN7rEwuesFZ0K72OoQql9O4PkppOOfEb4
Ozlp4IUVP8EOdF51LCewltW6gy/lF94ZX1FA0zss4aeKHI5q9tu3nX87C9qZ
CXed4cvN+q+YcMn0cG4NgALKEt+ZJ+aKSRICg4Ac9Q0DQH2wwq1QmraAvh1i
nDdKBvE/kE8uvcWc1wn3tV1QfXkEGD2vhrceUkTYKMJFQPLmAq2ICglynne2
e7GnIrXFhefMMMiReSkJ6no3t8twLo+a8A+/fZd2WxkGJSkjmjy32TggoewC
/ZGhNeb2UUDIVCq5L7LXNLUrJ+txbwjJcNOtjCQnpGy0221Sj5RBaEpzKGjk
9EafHHIfOWeHhWszhuXoD8pr4UGYY80Q/GuQAY65sfoitBfEq/ll1/uTR+ff
/0CSY5mE1phOz1Onz4/HbryRVxIeSfjP6QGsM+tDESWkpy8vgfq0ZE8JvCSc
J2nCBrbQopbBOzEl8o6SKAZTy7TwwbQi4/YD+VDAccT6hMoiva1isQHjyesH
nKp/O7d7L5ZpkTWIiaqeRa5ADZnbNfpqR+RWzjB3XRY6lseYn6qSVizecqdl
jJPE/GTgsIQ4azZqTxyOxak8VQZdH4/KNLl/HHslf0dLVRSNuw/M7YD0HVSa
g5AoeTFlYk0rUWnWR5YiBRJN3JJ2E/WA2w9VPMxOVv7g8pUPuxuwkIUf1vnA
6CKpcTsWwwNf1kJE2aQMxcjDgJu8mUxoXwVRE6IZ61gaOhM0um0hVaTWDom2
WydNmm23M0VN59JDkkzXLAEEO0eDby4ezitvcQjEeRytldv6et+gEGTLilbq
eDk5OQW9knGrb+CA7ngr7LTuJoSR7PS4T++2TOSw5DXVzuSxqnhus+W1fVXf
oq66fmAiR94C8uHT6w1OZ5Y+EqvbRwY4XkxaxKl+z25eTH9BmseMpHvk5KSO
1bkvpJJPanY+Zs51xZlo4uHBsdOqaBujoP3b+Tx8mV0x6sKp05s3YSHGlCIn
PdEr1nck4DKRIdYCknkggw8K3YgCevpk8RzMlt/GtRMg7O1Fnj9ccwyN522R
xPo6/aVjhBUX9UhWAqSnw8lIdapbOhSQAQbKM653/gyhAqoeLaN6t/LJBSlA
+vk+MOEM5a7tU1JG9jMrCzqcQHsuxHQAibYbgTtmRHwMZka9DiZr07PWs9WV
H86VEff7uLXOJeB8aQkWscSCVJhgOqLUdCgnTumRreDXpMR3auv6fcKgmpYG
aXzhqpNkFXgeVN5ovVC52Y5t7i6avuvz1A212VEI1uCVUu4QNxgC/9VwKMJK
FA9gxrIBfSvcU8X5lDHJZuaxNFLWbCGbPSAB2fTbahO30uDrQjOpgfISX8LC
FSxvcURtX+KHxDsVSf0Z40IC3oFRYrH/M4FKBMjXb4+LgG1QG0zQBARDVY2e
oq7Ju3EHfpSA1ZA6HElGgpUOQ6+8/sSQ/QUEcqY6WMWZNLVglPOtOqtEe7e6
SAadS1rhADxyWjuM5TivY18JHzvBLEaLnjlj154hIh2KTC5/KwAJhbTLOTkK
UaoHSQtXchGBqsDeq4iV1HwmjDunbwHtFA6y3NHUuSxI3qtLU2kH/kAGGweS
6G7IiwAGU50c41E28UcPr2xkR2nBJWb+oHBKUb6JE6H+SeSZpEvq/xWeuBXK
tmc3losoOkRzuQJyreRXiqJ4hv9yRTfspUObBpJ2ew/WjMiHH9k1/QOlwW0G
JT0OeTsZQOjH4N8WN5NUlSmKHJKTt+zomQvBPMvhyh60NzNq1/BI7khMKxsw
hMo5uGgzU1VVK3PnotgXt03/9mN3hTK7YMWq2k6ZtkDPLnYBZzMDvpoaBRhE
fsIsPDr/TwOq/SUdv82WZU5xEaBO23a8Pbiz1MrCuhTfHX11N8KLndYZBif6
R1KFJhtnpVR1GZaeGj/rwlTvGmTIw8guK2nkLB8Ur6a59p5XtX6XnyJ0H9Vx
fRTut4wncKGIJ0gn07P7h9tbIXilkTN9F59iCO82o4uNG4aJNn65BWpF/Uve
HFUsWsqdDt/dQxn8CLLRb73UO5Ts0yIMXj2+2HnOEVt/OYkVVJy8pA/47xOu
pvFYlClfDKUhgSgrJkQ0pVEM2k8GqDw2iFoFfw9dZg/440D/tXOjnST/ZVNS
wVUxjQeZmApqLq9rJ+If0ZWr7FrbprHbLOgAQ1GZOyQGWhQeE6yaXl6sNC/8
AJoMUtseV3LVTCEykWOJa6hXyKU2YTx1Xgu4Um7unlLeVB9jTTmKEzjygFb5
03Pla5cUL2uxPy50W4xKxDtsjvUmvs2Ok1c+s4u65l9ePmONzTwRug00s60/
m7o/MT0VBVLehPPwCZvnIuGOSx5OpmpIAHaraq7QwjXdk2mFT05+oKcj2Dym
y3HTpe+mqeypYCLEYKVGGgbqKn9XUtj+axG746rrg6GVKfe5o6kJjEYIXkvU
kqlyJ5k7exOGZHa3VuRjk6V0SrpNlKvv0w8mtQCiayg8bzW55sfiejbmy0hf
C+rGvghz/u7Zk2efzp98Mn/26Y9Pn5xWT56cPnnyv85DouNoElQApzauW/NO
Pu6rcQDTFBu7cOGCl7o8uNN8Bquj89yJ8+ORajOe11pwPDwhcSEi5SAOu3HY
SnjAvP1OBquMPJVlC66dLel634FaVFJVVXcNepVxUhV/s71vOx1VtXQG7588
h90NQnMlyd14eMRKuy6q+yefmMHOz7IAbtDohntofDe3+U29pIWJos9J5X78
+SvLGZiCrqSdBz9xSAFnzi+Yy/sKbhDseymvMacz/16wuf1blldXRq9gckpo
r3nAvZbJ0akg6STmGlDe0ESRowpzKW375bx6WIwqNvJasc/Hwx62E6Jo/f7q
SnIA1iRxhvHv2zHeOune+MCtI9fHNu/6fONkZ/Sg4s777xIFkGdnp11pc5PW
5pw0G5oQx+adHAAtOvkRqBVNHMiV2wV0riCWq3QOHfGKhqtRw+ynmuKmuINj
f75Mo10HSW8czeIV1+wpoPrl/963ygXkJu4LSer7P0OegOdlf5uRkxKVLmCV
jEnLX5IFobMGN0V2g7PSeB3biwhCaXKIt/yvtVpABKXZEQrzn2v3iwE4E27a
4LlEx0cQzXPkXcUH+QVvGGKIbGbnJ+xV2A3EWZVd7K3GK1xylSQZqcgKWXnu
Dl64sQ911pr6s0Xdq/Jg8xpycwa51Sr4/myeKGvb0yeryXfPFWZ4rildsSKZ
ODRtuBxVhTp+8MT5e1qA3JV2z+TCleiE4XqIpPzARU9fOBOJYLTk5rL+bgGT
HBVMzcMNk/fz+amo8ITDSjXGc8Bh8V8Ch8V/AA6L/7KPSBNx/0orBRYWTwcs
LP7tFsT/I26YIfR19IFiJ8sXCtwrHn8fxlWMarQYnjdEa/mtirkU++3uJu/K
2fRGnzGVN836PG92FXDUUsY8DoV08nwirApQM/N59a0ctaeS/63Jgrv2equJ
LkIyLIH5gKulgomXXlRHApadG1i2VrDscXbwsxfqLUk3g+JTWObHbm4USTpw
uMlxjrqYyYhr5kbioBQ8myuAgq0OG93PBLsU5bvVlzb8xDmvVdh90h4sgm+1
JgMzuPQqYE7e3yYurWAQVFO/Y9VwLSqhkSXByz20ai61CEZgzgwfhs7XQfmO
VMmWV6g+lrXz4IzvJzbWgA8AkI/Yjiap9ZU5+4qKLHebO9AsUiUw5mvWo8l3
JQlUKs+uo0yhB6mJDxo5cGAszaJDyuXpfGWPeVb7o8Z5MSHrqqEMryekXX7m
yJK8/U8Vqzk121VHuBACxgBSkaML3AfVgYNpZTx0G75vpBUZ6LX/Wc7mbnYe
/5/a8oXPS+u59qViT01MHCgS+x45g6iVttltrwX85jqKedPPjUM7Hyj8sFrN
K1fwIXIKayL4b8ogW9J3ztKjn1RmUECHnoQ/KYIvGAuQI9q1ijsWpbTciLBM
fbmoFaYpD5wyBFrEMCt3hL1rHmbhgWJDHdg2ukE1KI93NaM3V5S6eBi4UcIl
3VfFlsNhfAgGSNgCiv8oRb0vP71rHjZJ7WTW8k413Iys0Io6CLpXqB2/at8n
zwzqJXWiGxcCyw+JGF8Orz3uRx+qwsILqJiJ2+/hclYJFQjN56wCL8LIesi+
zZMqriMoi8F44akwE2E33jZvWcmvgqoj6BUQeWyyjMsDGko4sViqf5GGUzfJ
2lj/WVg8pfT5w5ChxdmM7/0RsQ4H2cmyQqhueklq5TTTFcFgdjsoxY8EoMRj
zAB47uSsBmEPFJQZY17r3awSrpE+4vsk31inapwXjD2GfE9gVduGUeirCvnS
BZkGKFtcGjMfYWPsVzIGJTNdDJKQR5hMyfAMhcRFPWQZyvi5mTxWNdO1zpSu
wByn7o4qo8EbcYr5kmrJQomv4Pu5hNL24W63Ad+R+uSp++UuSXo4Cldt23qY
oV0CUCVQtFm1GeM2T/8zl4zVKmyGi4cARVV8hiAJ5TBwaMYO/QCUDHYByqt8
t5HQjd1Ry23SOnu6vwK2KRJWS17EzhZSVnBWHmLqeqLizmpjCyvjN1zv33/z
8t++em5u10oiM4skzp+m7gtrrhZ2y58pdIxYFxm6kFZo99Qlratg9ZfJx/VQ
k4AmSBVVeZTN86Hy3suUBm4YK9YrH5T/TgrKeuPsXwOOmL4S74vEuV9bSMVm
1EnNVZ4KoakUSbbPzrlTKIUrRQ90OJLA8aRdn3Tshzqr4E/rH2R/DMXBLMNY
K0Oxupsg//j54hmYnfHxY2f3490fuwI6myU4b0KoFBNsFQS0utVUb6rqVSGr
rOALvS1BrJ2c5NIgLtNFF8v8CkO2Q626VhZsUfBv2QmJkaWL5OEsV4t1UaLV
20wzjSFooxlFalhVLPVmnXVvZuuVISjKI5DQ9sU9Js0knU9yPj4kf+tJ+Xt8
VkUPOj5BMDMLq6pZp/uTQA6r6RgXtj4SkjOWSQfwOANhlHn5OLuce3fASnAx
0MLejVbXr3jxZbbZO1uBPBYvos5NLvShgAoWJgCyjze7GnrGTkZUVfjcIr/2
LLxG61qVr/2dloyzWg7q8YNCItb7ATUkcE3dKoac1oGszjp9HYBlg5zkQL/P
4aAEeVSDuszKltp4sfjkOIzkeRwJwxPUrprrwN7ChvKmUXC57hxOU69MeeHi
ukiKLHQViMW8u/hv2V0SgMfL4hOlscFbWePKsNmh0ejeliW/TerSIksTAWH2
qlQKZHXH9Auu+33XREE+zyUoRaQIASRwJYV4xS2AWIvVHBniZ8ON2IIQhOU9
A8BfOQpVzejBcSr9N7q+LEUOAO7krigSFG89uiJo5oFaIXkOjFskyfgFSvaW
d4VnN1TVy9VqrB65vzibj6Zx3cicN1oImAPTpMrBbZQekmQz+4OVpVQIrwNo
T0402zBtvRgidNdgNu7lsTTdwmIGvMmB0zMrz1XepyxKVfzGLTt8JWzO8TvY
qeeachL5jmNlCWc1O14cGG6uvyUFewmXUweNhU3Mu95oJWaNXYjsxZ5ch/v4
Ew965L99Lt/+CWB7pU9JxsYMwHDEK5dvmp0FE48msp4B6ajxh79v1i1Ia5m1
K3nQv/56bDWGYCGah1VNKCnDiI+wyI3+YhxLMmEfZIQcGBobFTyI3MvmFXIY
EShyd9M9We5BEOqQ4yi/FNMGRE5W//qT8whibJ+9ePri1191WowXN4R/k1zs
cuEThmwrVk3NteWOZ4rKNkRGvu4uRNx5d7CP0qPaQm2OVvWC3mw6YrDllLvh
cocEVCuve6aDF5IbkYniLQkSJc0btcywOjkqn0sysXaLfb/WxrYg0Lnar/IC
WwESx2tqmHosVAMbIzxQFvHTlY+Llc71ZLsYuxpkzeo0j6FiLcY+Q15HlFhp
tzQPlkZpv5puLl/rqyBcytFMXBFOon0UbIJq8Dnmo0YPzNBwmIV1oM+l4m23
2aoRklVQcBUa/JhXlL8sfVT1q8r86jZrNvOqGwhyDmUlARrxp5HnW2W3jTd+
DMhQeZoMvEdConqjiG1dHPTZDCCbkwpzcsapUdIopd81t7qnAcGyTnsPOqJG
hUUFD7fw8FIys0b3Uz6E2dnZxwxKUh8VgpeB93R9VSE2rN9bBFn6XGnLS48D
oMNJUVf8Pgl2i+ix3ueSuoqLlXcyzZIg4eFIjW1pDYNDNGjycbHG50H3GBKg
SU6t+EgHWjI7hM6cDl0I3oeYI4ulrILNAZdGmKdevSZIOJf83c36KgkVaaRt
1PP9DkAoDbeag7SAzKl6/+Hq5IM+h5xXqIbIctODbRbU1mt1m4nY09nfqKai
mvMsVC1ndQSG01m0D0AhrVM9ka4bN1o2FSt6mEKHtTQDa8k1S1/LqEeqPaXW
rW2YTAYmdZXHSle0Cx20uk46RyyIDKGR9A1IgSpanS8PQwMoaczWzHYNrJ08
UcHTeIaEMX1BMJfwZUDyuNuhsDyr91ueC6m7Zl6StGbq21rGYs+rB9R/GJhq
BVBrXFlH5wvCIF2sIUniBXYuvJpbfVjdR3AA6Y2hZAqFC6ga3TfZvwDclRtF
8R6QiRF6OeGmqLurauRy8qPAC/0sDmxzIak3fZ7cKk3+fouPIDST7gFioKMZ
PvSq8IK4EI+U0y1YDJ674li99mErMsQhZ72fOJiEHkQdvgqZTFdEXIpTAru1
R9UIr9Zh2WIualjiLpzm5sAtdRGkswPWN0oji+0cbk3FAph3BHtX5K7YVQ9R
dpgHW4/lF9lbLPflIR0EuqAmRw0Eq8vlpNEsJXy0NhNsIGI0OrbesGpnkkak
nO0d8VYx204tRhT8UyTemeUpbTWuTGmnuaK7HQrrrR9iAzWiC5daVkMukzQ3
kpsmQzfMaClpBjcG9ZyANozpQ4VfvisrtltAE7sq/Rwu4cVTRJHlui51oH5/
eQnoWRIXksbfm3qyeacXUONa09DXCYKLSUH1cRuzsotdGOUzHA7yMHBtzsrb
jot9vaevQAD8Ho21UrIx4X9zH4gjOMEBvetfdQZWZKiwC7zwB6ujOoJx/689
vSoA/5GgYiSwOlFqkF/GrimTctLe0+kQCpZihmtDLAcXqzkDnPPqcLRflu6Q
2Z73D5N9MWBboZyLkF4/kRDnSVxQy/5A7DN2uLfNtKjNg53WuIYMK2TnIScu
tgZEiMoPSEa1gXGxi3t9qbgMumNV/83uo6Um9LxU2dMpwNU4Za/YNabm2M4+
UUl1okIbc39IJB0QlEOCr3pKdGZv84Hx6BncMlUqkGFMbQJWjjm4E8wrqFXB
37sVJs9x8E1KAEVBKDtVVfF3cVfwBm3lG/prxx9SY5LbPMS6OmbaGrkyFpKk
hIsa52zXLJsge0gv6fg+4jJYrw4VBE3/tAQDKldts7MtVFx+hdNVlopvzXV/
qMHXYy+Y7NEMCMcPc0l14S18YLD3cNCJZNDAqfUCf9xtrlsViKzII/JMXYQ2
aXPSVyO5xjBeg7b1baKIHqlgQp3X/dr0vUcKA3canCj9cJWJ27/trm92FYuu
lV6G23YbLAMztKlQgQRrx87p+KpRx+pHhuBAy/C9JoFiMz7uXxWqwb9bX0t4
v/fb8zFrL8E+hLg230K/uW3D/QIz5YL6MTwxqX3UGoprkUFUkZd7IvvHt67b
wtGak33sP3APW+kPq55RP/qaRfmwvWh6WOBAgGAoKz11Th8RiQd2DeHJGG13
urx031aDLVvayAMNiXlWjD67+MpM891uklXpdpE1N+ppcDIe1NIw4SeCuzlR
J8HLygjCZNPp+4TjfOh2MwdRZblBOXpHnSVZ/pv18mOaAUnVKgn2+80+pxSY
k4Jm04b0fumHd80WAvsI4Qh4mF371NgE8vD0T1YXJNTxy0mCj/sATzg29dAn
UJ6k69JiO3DcDQm3Tk4QyBCX8fbkhBnfF6tm/bbdRfKgoeEdtShVm4RIn/MS
r2u5Kcn9mPWUUjRI6Me9xNHCjEZSKGGvs8kuyzawe0r9997WwGzz9uRtTLbY
jWgFnZC2RaVJ8qRVfF9UgT85zohEvkWnoMofXNhTyiw1Vr7RP7bFiDmf2M6c
w6/x2PytwDWy7PjrfnkNf1uayx9L5T5T/9f+2FAPc2FsAo3NC3AMnzMOj9Ds
WD5kH5jxImBANWq1JgEqMyjzo8AUyFRTSzIIM3zCxK/3usu62kjJ9T2h08d7
W7vAdefx0SZishX7z6u8Rrpbs5xfpKMQD2vWCNdMJe4ditTqh3RVyoupyRI7
J/ScDuKISdAZQvJ959Nindg7q5UELURQzhWsckQS4ngqj2dDZNPv85eSZTlP
yvPc0EiVxrJNW+eo5LMhJ+hIx6rpOfiE0sA0Irmq+yfPZdslg/V6v9n3Qpg8
sJaGA3tEdCcEa7onhdajYhqReHh2wBK6Z3IzIspa1H9CKPz+ySePiVnVUKYf
D1epHTQgteGH05vjMUDx1bzpsb9k++hTl/LHYndNb6fAbocJH26sRdHF/F7p
Si62oq6HpES4c7yOJze7+7LDRB2/qN0z3Nsd1c9wls2LquxvllJrs+9lHKLn
RfFcOgBkEEDhDgIDLjnOgu45E6u2+ZZzV5TzZlOJMTZnAtZAtK5u5ZXy9GiY
c7wurWc0J8qeuknjhRvF+aeLF5ZdYlPAUB80zPsSfBaJwvQIVnI6dX/o6bSG
ji3/33gJQW5Y5BBU0BdgpaHeRLebAz0CBUJ23I3c1GvF2woj2sxlrnGu0kfZ
9CxOrCEeGHs93wNcNc1ZtwqBP8Z8RlBSyU2LeKtBREiu2PFZ43qzxabPRmWp
ANNZx7BEjSq5cvpBsmJSTzredOj0yYmFMNJFB22bCGk6wbOM9uAvPcj7HYdb
SBRnUx869DxE11dM6VLQqsRa7fOY2r5WW3sY8IFObEqPa2Dz4F22dnBhv9t8
0MTuybyZ+Rc8WwgApnPLCih4EV0LrJV+J+OZoa8zsVEmxfEwksNrZ0Uyv8W3
YkEFSET56Mwc4QVfK/RQbNGsBimtlmYGd27tUpO+2F8Xiariqt9Lx9RjMZ43
JYjDCihki9ssHPFGzgfkwH6tbELL0NophLJ7Zobz6MC5PkkYeB3OBgLe/XcH
tamwzldpinGzOIsBwFQUAXDwjDwHdOgXYQjV/f4otC1e5yvsoODglv8AdHk5
RNTWg1AFk40PBUrGgXlB9kQPcB9xLp+IwPTdJcQqImzVS3cHb5XjTxefFhne
ClLc3+2UmibNiwAamts7xKNldknP2g5u9Kmlz8hZqunq/ZUrgXp2Ep0oHSsW
SpNUYy2EbokqheCjs9UFwy7JEIU9WWydiGb3mGe3txTJVad32gFVdnqLn6MT
n+vo2Jces94xKiIQ88E3vxL4Me6kj8jSXssX5Wha/l239i1ymo6dU2WLdLpO
nb9lLa2BUT1sPf3hHucx9KDBRncLhX6IUZAyoLvMWwLHtgLoEYGHE04+sEqr
4tkszfS0eGAhVPzqu9suSVzkAhVD/mCsukFaeqtZD5Yp3NxuLClPgweHnYvY
UgfTJQ4ETR1RqfyUbraIiFylj1txzsqBktlLkC7/y7djvHV6NXpukrBO7aQj
p4FfAR8gE7CIR5Rjoc/dPnSm6YBV0HnkxrTT/yqWh/sXz9UOboMACO4HK5H1
29v3vydrafn3Vcyh9+veByOXez9U+jHCpDAo2NqVex8moX1+3YlIUb88BOgI
HxSDziNUkoeTxR+NfNJm5Ma0+AQkpE9I0qtXig4dykmz+bNMA9TFt6ucfIdD
XRbMfGSIK1RwUjNIplZPXUrdg2GcgymZC29mYxTwIsCoZsyyDdntxqBmAwjV
sTicHVsAB8hUXTZKP0RWzuWub6QMLO3eoshl2vK4AYZLWt5Q0gEyVZ6ckAQn
jU951NX+LeLYYSMCF2/39FWLa1GXfDDhSyW3CEjn4PHpb6RW3GW3vdzDqVS+
mz94OqDkixtxOXlxoxyIYeZizIi8M4jvhf1h09+PaHfEboiz4Eo/wjPquIbf
xtMLHkY8iVyItF/rwOUYfCCAxNfFHM9pGmSnSE/XivZoPaIXtNRBs5UuCkVJ
i0fXExQRvysz650jcp3zsDLyhT1APEUdc2Uvxq8oAM0aBYEiempqjgRZM/kL
eX+HE8jrFUAhKLlUiAqWxhE45R31nQbXXV1/Rzb3uMH2suDlidbrZ7W5vgYL
kxyLpP5fymFJkvYhWQIzxmveohJ9v+ssTL5sk8Z+relOzGhtb+8yD7og/A+J
KtkQ48v0jkWx2z6ERJPRsGoBkCuy2DXkp7Rgy1nOBro0Eo26DmeMOF+n9SGN
DfQq4QGXky9do+nHcTAmLuZt2vSbd1y92w1U/Kbw1LDXasyulAaUEi84Fw4I
ilnp+9eJMnlFdOLiQ3eZiu68JQaS208Dt2KkHkrHZpoGoSxh9fTJ4tMZCfiz
w9DdKIQeDeS+58CQx7T48bgQ2B6l/pDdKzerN/tGxJ3V7lBRrB90CPAgRE7P
84dqeAhwcaKtzm09xRmK1z+CxdufWbMcXGbJgt4+RJwinDZqsXbXe+W7IP7A
lSBoXtSMbR+HVcWhUB1tFxHRFxke4lSF5TwxFbuuDQGx/Ng9FdKHeH30VAx8
S/l2yNp/yCAozTFX95fHWcFiHrs+6YwU4busmpa/buaI5jPZrb/THCi3rake
ZorfHfx37tx0HKuoaDbZk8NFSpRLok3In4D971HqJAdNDOmwLDE0x63LYcq5
2O46RIipuLMQ8YQ6KG6rgKW2AnCRoSvA7j2/x71XXB/92MzCrOqTNtBbt/vg
vrDgWLZj0m4oTzNEV0gc27bgygqre/EQ57A+D0+/4dNv9tvufEC9ywVN7+z6
kCnjtQpQf+p817ZvkLlzQPfWzgxV8PfN68eeFd6lhj0spwWBJvdP+ESki7dO
X5CUNCnC1JtnLDjhPDfSrsSPkV+MFsCnr8RjSymNk6VK2dcsV/z0FBO0U9J+
OzwS0rG64tvG09RwFFjgXk1ut+qiKUfuqQYsP27UnY7sUexPFHLILt0M2ikj
G3Z0YsGH5aZKtzBjq57UPQJCeRJBIHcY4hlS7yW5JAQY79IlegkfyXSGaxU5
FE7cuXxCwIQ4ChRGQQC50EqVnkWlTLHwaXZPI8FKGPg0RLZjTKeEvKVNf6P2
+Pcxe3fomjZWAbrFpMAK4N6IU3tpRvMh5TR/HN/IAMBgXVvFGkXufT6cACE5
bzDUATOKvAjleO48vdwqJ5SAGDlcJAF42Oj9l/VxEzIwm8yMUmDK0fc7FksK
uJrHo7mEjbwZZ4aJI6weHIEQeynnTMa6OE5j/aGVubBo9WDnXO00+M/KXmlm
sM0dcIiby7yTIR11LRnAV81turoaRw8QEFl8wUJ5q+4KJKVjaLY7LTMREm8g
MOJxrsEjZS2MfB/ptIgoQdaiFTZgvh2FQslsUeRy4KPX4gP0wAj2Z53Tuy4e
qnuJnA2TaW1HmIxZY5sG/aukk6pM4Guqz0HVs3qJu0m5P8qMCmq+kVuDBlrT
K8vIchaztgapF8anIL+ZzE66WYP3m0tPY5Zq8n/tkznyjzT3j5CW+uhUy9mO
OvxIdLJHRRhDHr7ebK5X7ZvLZpU2c7MtnmKvk5oIyn95+mLVvG2fz/n7vFvO
wb+xWPC1qFnmjvhfF4NvLe6f8j1Lkk8bQ14reXeffiK0u+lBfqE0SOTxYaFl
NOnMfvIEa1trFzNdn/xUlq7GI4VfwIdxqIQ0XoFtpDFY6VoSgWm88vJ//qX6
lTV2paCoZKT+kgvj/lL/KMLpl1wnbkjEqWScVs+1eFeLfv5Sv1y9k8jtYTIC
NDEIYE039XVO+NT7bLix+X7ZZrlP2LaAR0n2FJqP2TcGXOJWYrOj7MdkeP+R
3Ptpgb0QzrZ5B+VKWHVReoOsHGxIHONa6zg3k+7QkuILAf50c2S/o5aLSXJF
RCVvAQyytJem5+2HkDrejeYw24ymE0hgM7LJ6afCQTi4QtNp3p7kDVvDMn2D
2LGmfVBD9sHhogmDWfqf79e4Cs5jffPzyArJUyd/Kqubg1Y81zOXf06WM5cf
DhUwx0tKRLaoX3OFh8ySkVjyk8XT40X9ZUGNKrDMvn46/1Q4S5bG0HaccydA
kwEfKAoT5ZxvTOz9k8XP8/Q9K6Y7R2kj5RBX3SwnlyMPEE9Yxagd2VMx65lv
9EPT7WSkM+MinSkV6cyYSIu5+QpqtNiiO5GuYPlou1X+dMFT+qGvlySms5LD
dJYpTGcT/KVFt34KXDM5jguDc+ASunvQjpZ8px/qaemynX2AC3UWiFBngQd1
ss/mEQdgYczNZZUs0AHt+4F7QEbxvZEW/aL5G0LILEGqsJvBDGbgjK4PmhO0
vBYCSAgTUDIXYFiYiKf1+T/k07MaRPOQH7MaM4b/SpspaQm/nnuZ3S+G5Ky0
ySakAqZ74CsItKwS4d4xwwbm0YHbQm6/PwM9kCaCJ/J9t55MZSFv0sNP0///
jpuF5HSxF0d5JfSTovU1b3t91qimjofST4VXavtZHVif00devvp6qtkbJNME
n8BtI2Dtdi6wRjgd5MVS6It33b48kJHpo8+xxe2v7/3uGr+KvweSKSbbg++G
+YQzWFlyW9i/pQ/r0GeD6VmnophOvflEdAp3yNX8dXKOmRTU16DeTVfrjgl2
yZx7q6+lbYh0AyHuERV2LuAIMQavWlKAWB+m74bUkxfp//9pitqXPcrTvLnQ
kjDjjnoFk2FPr4Rqg9yPfX2x3bzrW4IktvtQnDgp42JV6Xcxn2Lm7+a7zfzV
l3+wIRy8xdIIPgXpuvxe6+/ZcudAXu8zfc8yq/yIJzbcx8qNCVCWVPAVvqMh
R5UEY4Bl8ok1Is9fRDX4xRJ3dNLS5hFrNFeH4JyW4sGpy/U2TQ+s9rdaB+DK
ikMMk1Qv3QhVCFaa+yr741SjUaep3JtJTAwFU7J7r2D/wpVRpoGL/SlOV4EV
3rLwgIQLSx2ufgniK2Z2UA6CCC9d8oLLPLDtqiP9r+VxMs/TTXyDxZB87cum
l0UUI7ffPch5Dx8gQ7SlIGVEEGowt0YPCrvd6/pF3w6CP0t1toEXhG5KQ1Xs
e4I1MyDSnGSMpMIJUlysPAe954KVzxu9YKbbgKCR8hEXknl+IzF8+jnEpYFE
5Xyhe68pFFcbUYA4PC3OY44erHiVDcH69wLHtE+oH8m3UXMA6tdUdt2bMmuV
7ulPpWOKVjc8lfxACJYBZklQ4eZipQFLIuP8h+yMVTI2GV2maqumudksCftD
mT67TUU6M9OG3BzojTVwMpyVK+VUGZDnj4jXFcVBgvFRMM2MyaKtST2bF4F6
T5P7yoKIQthTRO4GsxBZOMw7czblMvWJxg7sCvxObVC58uNG5DqxeKHKB8Z7
cjLKxNKQZ5VD24FAKsbzqCZKCFYEr8Uuh1wZLmbTF6ldiAREmRd3uBt1i4Kq
JaDN4qUBSA5kWbqF9/3qYe4moWVvIxPVj8G2nbdSL5CnwGLbHvfeOAgBvFyz
IlzEGcs0cOuefB8TfnHfxLBTPrCVF9XrPQsNi/MBh8CsKazEaB1QCOm9h2O/
Zpw0kKIbnzYeQBpGz4zOACpVFD7y7Y1LY+VohGKbzvNyUzgEwvyx0OnrYQHM
8lAeKURA01Y/REuNVVXYrLs/B34Zqxt3lU9vzhw9hiDti10LqZs2GznSeQry
UIbHFD71rweNa4S45HtQ+jMPaw4D9UP5cDe4FIrcL3E2I6yxmPh8ruOxOyz/
7GilliD/hp09hPPNRAVCInAS0OLpHJJqSowuodNZLzM+yrMuvM2MOxnOqcvt
yZYNzS7xqOaaAXHejpoiaxAbD8EK8nw+AWMmGI6Hyz4hHMCCZSEA7oj9rKmT
zCKsDnsvgE5UiuFGJwH/TbO6qq0B/3IXCtAkjfIb7WvsA2FQSXKuVnjX0mvK
hUg7Oimr9s5NsyR8e9t0oGbjJNUT8e2FTwdSVuhcKeYAcGtkJFgJ5aa2Aspo
1A4bqBPbn0WlUpRtEblJy5H3M4LuxVwM4gpWi+rMlLVQJk2J7/F67KptAoHX
BX/mRcssz36zvRDHvgz4y7xWOZqz9XLWZekOpMMZbwYn8uB+1Avfu1J08Eqq
vyDuVbsX8cGun8Jf+WN4q2Pdb3MCyMs50SCrBJK9x01vTwcclqh9pFjfbLUF
SYZmekgyFe76oqN+QKeT0dGCIamySufbWsdZwLCyJXS5y5vufec6kt4wJQPf
HTJ1hBEGeD0R9XQRSnuaKoYWmiwdlatAeZ00nawZCW+FvNTAlHZe8i5InbkV
zBzxIQziZRlpWQ343VftFcqVCQx1PXwNk/xITuC1kDw0khkjPknPrnpwSZc0
jnaHYiMuOd6LFK769D/9lVHAgz2JuaCoEdNesbTJTvG8j7XShBJBXO63ko+A
Ovbp1lJDLHX2RijHLx5CsuxAtG6RsREv1Mcmaw/rG1Kw4/+mzkFrOaip1Nv0
3q/83r9oJ6768S2SWbuKp+ExDgDN92syj23fCTHqarNuC9sFr5fRJhGvUxZN
WolWFv+mrGxcBQFiCfbUJ7Wqr5J7T75sijowmjBH3yVj8eZhMZqPpOFw86nd
jvBAWdaoRI55Tpe5PacZXzJs7wquN6wREX6cgINIQ0s8ziIf21AcQz4nuk5W
Fic0CjDSh3RQKZ6t+iqxr0gv6xk+CJm0Y4txFgMYs0FIYaYSaOi/H8a2DQYR
iGm79d2e/MAxF3iSPGAocQspUU+Zja14M+bqCSjwSCoAx6UyScdBMRhcVEqH
g2TZo9IxUeJdA8m7cRUNZCUdJszAqcVXC0tWWB6Oxa8fhW41KqoBKGiGj4yC
KSN5M6tWbeMq2Ug+cUTY6N6qhrUoOSFqqyg5r5s7EZwA5oVkkiAHAZ++iF6e
tBpH0OLKO6VZ9RvlkdhNuqhKe0nto/O8sd9oWZ7TeugckkOWOquk5ACFg523
Uhvs/sni+SDkOwrQCo3Ik6eS/EqiJ7o0CidXt/PCKBTO77xgSauVIxTW+CH7
1wrOOFCojC3ebG7bCtw+Cr+w2gKjIkHHY+RKyLOLyBVVjBSeu21VnQhQrhBD
zihd+bWphlDcj4Ok5LcInsCrihjZp9GeKsgEf++Wji7hcwMkCv5YgFCcGf0g
lOT/H0RGWAD1zNvAD7XyxRDpHGERP94wzkzTA7/P+e+MZ1Kqp6b+0xcvv/M8
g24Jy+d7CfHU53/ddefHRYcyhmPcpQkAh3Zt17erq5mXQOd+qL9pdwWlaMT1
N/pqLlgWjTELn0uCusAaDmCEDTiR6fA/HjZhKAl2IxPee7jjMJKWB3OwPJz+
BWZ7xvmtni2e2OHCQ1rRZIsrsCgSpdWSe5LY//b5bz/99ddZEsH9Ll1G4Vv8
ihZ+21ikmjcbXengtZBwzs6duQRDhjiuTX6ay6+/9BJFZyXCMdnAV63Wt/aJ
mlXIL3U/BqJ4s0gWe9ncgyKHuPWRV3gCVue5u6Vkyux4BuxHmnEfRdZYYKvB
8ZHCiB+g6NCvqCzaXt6ZKNIfgjBa3t2/kUrX1xvJexOgl/zp9LWoVenaejTD
I6dSu2O/1vl89Be8qhl26AkfT5Mm0cKOudn8wKq9blZvLpr0V3mSjYW+/rcV
c7qUHu+2Kf14yNlg0bWlcsbHwBBDVXz56s/10ZfiwX+17e6bpDTmAnnHtYQ5
C3ylB1pz29xlWdBof7QfunzvQbn9Ydu2RAmluzp1Z47ikcIuoRnpMPhvc5Nh
rd/TbGwJb9R4oz46D5sDsJb0z288eV/STQV1kH5JZ3lxLJ2i2Ihlb9K63Atw
aPd/Q6AOT+1AtH4xJA8QK0SDd/L6T8+/qA8s4Ey++5uvv/qi+vF1/eyzF58+
OU17/3mSmenvc/xBpKYPUXtiB7iWA3drJNQTueZ+r8yt0I4UFjkzixBt2K2L
Gw9B2o+QcLEizYT+FZQsl2UdqJuleqNaVCtkIF7ukYGYFOIumQ9aPeEjJF3o
ASXIdGqNv3b6m98su+Xpu/biFLDqhULe0gm//Q0bvn8aW12wkd+ozMx6m+bd
AG57u5z37f28X9/99xZjcb30SBxIRTrQqKRbG/PFKOPJapoAWNP1UbmJfmHU
vlkCsKN+v1FLvVHPp9NxrW4YZHrTsLd4dFpMZoAjVhjbmXsOVg48er67vMEj
Yxqi5VB9tDA3kjjfuXXYuUl2hR0hskscd6v5bvmz/KPZ3s4vLxuTXP83RFOc
wY/S+IQVg15yKCSR+ngwk5U6WJx9ODtxVO2Fo+xl6MEg16zKgemdluh2Xf7H
r74SCvmdlvUZVLaQbjbXuFOEB1QSkFD69eiHl0lQqkb5/JNff4U/GxATzMY2
KXfi75ZCF0iIlDAPPDkS+Bnn7JQ1W0ZCDpW1DpuX1+1aQ0kj01JcwyQValAd
SXA5laegf6SEk8dVe9pcvwE08r8i0lCtAm+PZBm7+d9QXGHmTZ2Ig/8Y+WTT
rAmHgVCI62TUPdb69T97/PRD/gk/b9khB29e7EfXagWCMv0rjXeXq6NW1uyR
Vr1SF+mMjHigcLp8YMJjxouCFEC8ltXlRtO1jkN9d5BWmeO3U5Btpzglv55D
plKVs5HWy486NqHuRM0McZSbo4l3oBKFIgOAA6Wym77y93a7EZl9Oypbuqi+
fS8FMixr22mo/wxa3/oInJE8GLMMm4HZqqTIimCcU/iR9CTm1CnpP8J5Bx86
5mV1mEpQHGZekmtIJVhWhlXea3JN7LRoxiKiumSADNim/q9brX5UxYrS+z5H
rXM2h/JmW1q7OL2z2IBxHrAp4kn5k/rlQ+JgjrzoNZ7jPu7eL4Kr+eYIRWn3
sWHSTv0TFWlDkxGqU+0nuovbMkCV9FCpP70QPCfnxKTcNZdaZDPkU8Q2rTrX
BSkniZwqUvMW9R/2EAXEuo7LefVkLOc+rQzR5J8XLT0Xc/QCjjpgi+vgGeKk
HveVjLxY7ST7up/BKM4ecpdppfUf0QnjcKDfTbSsUPWB5+Trl9+9LGoRPX1S
H+GPX2hBFjrJj0l4KhwqPinzPJ9hpVk2kHc3QgcwB3KqCg+tD5l9hBGr2GfO
epzvLLwNmyOS6Sfe2e8pmz5KCX7PswhC/nFYZt0wrgol3VALG6SbLvzNg5XX
EZAIVdc1SOTEDhKJPKKfU/xwUIM+/eyT3yY1CC7GXR/njFrSJ/g5+uBAb1S6
+vrZwHnXSpU/ubC0C6tmfb1PCllv4PLUyPdf/vBNajhZt3P5T7FTkS+c5Pca
G4GZoQESoDqnZTKrsFrmTHrO0CjHXLZ06ubSHmB8QEhfw0a1XOFYfgHlzkO+
cBVYOEf5wIv/8/RsVpOq/+n07P+m2cIVOWrFP4ACb0XtP8ozxYCDL7Yoaa3K
jui+LgBEr7DWWE9wZpFIsNNyR1JfCSUDc8nC3MDw/PRZ38mwJSfPJlUk7pEK
0VnKBikxPeTpy8MaD0lzlDoNdgoba7+/E2G7M93NMLCKaGcVb/EcUxZqXVdx
0IlM1p8HSybyHYLmKwEpWZDckX8Yhms6R1J92Hw4JZXR8+OZEeGQMu1oYDyX
j39yLDHwLbAnog57BHx/t7S/LaxXMYMLYAi5c5AbAskdIOG5djgOfXd7u6ew
10qNsDzt9dP6KdtbkzTWwpRkZTvKnX22eHa8KKdIKuZ1tnNcZ4i0KjD9m0xE
o9AAEH6I/JdSO7ZXpfEvlBExsiEK2W/X1P/6xetYuo8LByn7+Wefv6BATu1q
fOkf/+B/iL1azPkL+cwrgxmb7uJllxFNaqLOEirFAyU8l6y73i5Fb0E2xejZ
gxsubejAEi92OnG19lQp6azoepqU7WYleXmQmApOTiaP02eJxSLeodTWn+kx
KGdyVkRcVKIORfIP5DKuv5QRpWfCHnZ1AVfHV0hKSUfzb3vZfQovFdnKQWus
xXJO/CpDEgwz+AviRiZ8SZ5IcXaN249FqLa7Mo41I1azFU9Emkeh1TYYPpsp
QS/3SemQYgGa1qI4eWChlCAt9KiS5EvZC2VD8DEwWUXkykXOp8HAn2Xpg4nB
2SsE0LMpAVQTo/aA6JvOYCgQpfIWCRzpElKIw+phsHHk1HE50n16e9tsY/08
IVsTQ/dn33nAFUuSX5Le/TFXP+2OdRxrxg+gmjvomzvWFQhbZU4mKyHCRuJc
SJ0fHMHf1kfh87dJh9ss+1NJpoVn5TwdXmnvp69+LxoO/vy2fbA//9tX//Hr
r2e8zhniELgznrpbXdpTr7754tdfMZ7XTDEc4w3dPtDjddtK7kDX3y5q1/hS
y1HnS8f2h6+++P7bb7/67suvvgR2MGZALA4vsGJmNd9RVwmoE03JI31elRdj
uG4gadXG9WDJRSibYH652uyXhE0LQSCSxZSVccvYlEhQNxCq4rzOAgCsfrdV
guRoCb189TX1mADMllKw5fni/mxZn0mYJgndC91pb0UHajVcBrVbm/BLQKPb
xhpfKsnxkD2XQ0b/wKUkQSKzyqb/+cedr2cffb6+J9EVZdD9lDVBmLGiTEMY
yCQ0WC/F+WKka6IdbbtmPSIcm2oeVHJme+VgEQpl9VILYrNNtgKy8HbS0XhH
GNRwlhMw9PZ0M2dWX7VmUmZ5MHaByR2TTsl6k/77oSCcds/y8Xs4nUzT1bkA
0iCo0/VHqNNAKDLJ6CAJeDMsl2UR5cz0iUpPdDPQTcccTJUE74RQCUuIDRYw
6M4vxXwMsWuCaTcPxH5zZemhIbaIewgquiXrZpclcngnfLID6008egP/LHa3
ViAgubGQP9BRChn4P+k2HzYfIlTQzEzmjwKIhlo9FIXRgnR5H5uoem4onIvN
Xq77B5KKiUuU23xgLEkmBnjag+9x8kQrTkXWorsDdhslxtuVVM05q4PZUyGj
KcIfR1hZtzm0KoIrXuhjVX45ZiTw/GlB92h3FR2ogkkHUwZp2+I1kYwbf2cG
k+e4vms6qSU2vK7Iau8J8+cebXAyJOhJ51oIFbh296XwrSq/lG4+0IDhhDeX
3ANi/yXZyIxKs/pAa+LaWtKxmTiBv1srYsWzYtp6E2UqPDOFaiKdq++fVnmm
xJQT3jkQg7ni6BMmd+ooUwBF+g68gI4J3it/QnrtN2f5oKY9ejVK/zHn1nd9
JXrCPOlToi5wtV/TsDEvDd0FesqWbu+oqauuSr7SGQqSwapvuvXbb8Wr883X
3/3bt/Tp1P/x8ttvqE9V+hZsdzAy2BdxT6KcwnwnkVuBNqWzahEy8Yay7UpJ
DRrFw6VWVk5vIB6UrSg7MhlhUSyqckYos7yoPdUXd8GEf9yX57i+bTqQfoqS
YrNSMVyoEzM6zprr70QbWtQGGqdO9rMnz57Mnz4Thtjzf3hff11wihYS2zs/
RnbuDekAMiktoiT67WweT5qs8YtXNKtu2m6bDVax9M4oUoyJxsxb+YfuSHZq
XnYhbjCRvQYZehgYVhz3PCmMmvQ0GrP+HYNeLX3Y8jmHusxvVZfz/pnjb1lW
VHmWdEunl1EAv3mS4dZx17+mhDdCF7Whlra5o1WfLK+enCnkLuQULjbb6xnw
OH/+ArbWH/749Q+5j52N93+K8+/fv6lff/mNqCUod9OPRg0X4d9WHG4kjtBO
T+reQQG1r6jmq99+/ceXX3xDnM74k+nPl6vFbjfxUd0ephPMk+0SKCtyThBa
VoilHAz77Jf/xrAR7JCOXZUrwY74qC8sFLLrz8E+v7gDJdbieoP/IcHTon/X
Xe0m+gqA+bpryfWczyGEYLDBKZu0i18xTOWYhc02XSPNqF9GZcUjiM7Fn9UP
ODig2P9X3c/wRYzBuUpnPXVaRL++aFebd+zkd/KMe4QA+XeX6qir6/jw4jad
HMnTG8yVnhsmlKw1KUP8/DBJCmIYC2lFqeHHrcjo1BIJNiLhpKWoqKYsCcmW
zAUIcNdpStmFEmteS84VhFEF/a+NrsvDHrmBeMOTlbSiwVQEVPL2IFtMmBsK
w+a+6Vbmh0HqrVxPUkbzYsU8l253qyk2H3tTVBcsLNuRpWTILmD+/51Cg0od
4cficpFeXzzshFOJuiyqylhyWnmTseTo4ftLOY4hibs1Ck1G4ijM37a1W64P
vRAdGW5ZvcN145ChQNkCEXGpOGFmePBfhR5hKZUcQ/5ceGSBORiMmgt0Z0zG
q3bi5o0p+vmDmdN6ntTdtQW2der0+5k9wEAJB0+s2OZU2dLaTWhttkeboIVI
OTxJDO4trm7aUL5SZ8HPNBv5h2cW9HQ4ZqVha108gIy8iFx2RdfDzhaao/gH
+uBpQzMLM1QuD2j7eYR9m2xqqEQyR/2+E4O9MJcnLWGXajOVET+328uub/tK
MROwizV85WalpVnqXATT030RluY2kLENGJQli0SVlF84xF8Y4pV0bszfmHvt
9XCZlH7tvYrXgVjBWPXS+yT7daWupbNwt8ZjiCLshBwFUCE7UoZlkHzet8aY
vXo4GwYg7EQlARjjMOKAI7U6A2aM2yjO6YthsIKfnoxjdD1PrkbltbmhDwjN
Ek9QbGM2PAUbKRgqzwYlzaltGMEC0z4274zg898LJzLp7V5KNdvuZ932wVeJ
uB8ZpmQfn6UJFeoWgiQljn7mfAqZuETr8WHGqST5p6NnlB+TDhzRi3oMDjLJ
I92sluqX3M1vBeu6BZN0ZgGXMw6Qo6e2Wckcfsl8C9kXRzq9V4MDNeElOps4
Y2cHzhfAalHfmeVtmoSsJK/maCqO4U2zRUK1YsRRnT3fsA7BcogJPRsI664L
WeGeNoLKqgGoDNj+dZq+LyWZMkPLcnCYeASj/xqHjaGJjeLGwYNQjVyZ8OL+
geigss2qerpIKp1t5Y1RXjI+J2nvB1BIIUd6+NZkVG/B/PkAUdoUJEmVM1Ck
lRl+k/E/gQ9YCroHA5V+SNy19WshnYABNggzRuqJqYIcaYaexWnQ2OI70A0Y
a4ec7+OpGQnRSelFEaAcobgYhaQn0prWYiQGGe9QUN3D366XXW6u15LJOQSb
yYEoo6Lwq7/8D8zpRgve3dJRCUUi2U5eCXa9XOWaTW3gY/T83bpW8DJSxPzO
zrAKnWUpKgsW5zSdz+N0gpGUpeDK+SsKve7HT+PTfUh1Mc4weUb8ss6USGFE
CJuVQ4MPl9KM9bCsYNJMdcH1Uv85qjO9u8lsWNII66gmYXCR9oswidUSAcjg
1TTiT+KIw5XwgR0Tz1EGjhp8Ne/vjwEY1nVEA4b0PojkDyMP8xlM43kRx3Pb
/DXNbD44hDKwEuGg0oc5TDEgd3+enLv2wKBV4M6wp57lp3RfohEvBgRLM11K
ca8fnxazOZPDMDOuCZ4ziIZvMQDrd5KBKNECcgL4AlrRQXbBqZopgSvw0jRS
vtqizr9vLt9OydJPZc6+cL+DIUHwq8zV91C82XMwwewN2tWxOpzYBm3Tt/Md
OFlKR6b2flbTUqWZNjcR1wobGLFZ0fVhQcJ0pvTCxuWUzJq/S7bvd+27kfhW
yXGBYJEh/JM1LGns7In2UshMWZKlXfVmZ9GSAc2atEJLN8yJPeWxAGB7YVan
xzX/OW+JgbP9GPXwYDnHyVUvROsQQ63pKAAnp8Qgkesct+gpmhFvxqeNuCO+
S08LH2grhhe3ddq1P4vn7fIm0rDsqJaCuCfq2wHSxQKAKuQDY2ChRC/YgsM7
JfApdFhAjLMZyFPteCgDKQEXX/4zNtPQsaXVxoQZRconOb5/vV+tzkdt6O/n
c7YhJBVnoNuSzUK6nWapou/8ERwVj87jLSbUDPkX74pYyz87Cnv4VcDejVNZ
yUMx6nla6OvdDVsBD3J+N62sMMG2i7xsF7pspnumNrNfjyuIZh/3VuV9Vm/W
tnJu/M0C0pt+Amz3vPiLco34elEXpWF2B43nRwhUedCtJAXHDhBJgUa0jUdi
4igBMZTF83gFWuvOPdVtdbn0ekobK1uyroifTTGDKx1+rws1ajgTQOqMhem+
1OkOpRK2bUfsQasYzzTpwfDTrHd+DBi+JIy+xP8dWIP2B7XGTvnXY18ZNgGD
h/0U67HT0pN9bQyUw4UzSdG3+dyr3gxCFpNTerupeF3wrpjrPyEJ97d3SR28
fwq0wDPLykXCXtqWb5l+BwPhdoZAINpXCIi0cNup+2pOe9OhLx9IPTGOsBy1
F9VDqH+TWpN+nsDkm7rvKGCR/4GWFEYhbyx4iT6TO8se7q3QGZybGAUlklUH
1mUMG9QwlIUZrBR3bfYkSL/l+OcrL95t0LFs/l95xcFme9Gla2P7MOJD18NR
6PNoxFT6GVBstfjUkpKVladbwVXvksK9bUwvpnahK6UGynzK8kKtszS9n9s1
jybTlKkeK4p4puBzHadUzmdR4yvmMRNPxbmcicJG99Plhj7w+TsBCSy33dWO
F7UI1l558IAGcNZHlT4K3JoN0VM8HXp3ba6J7jecBfzIm/TB1eN+vmre1SQ7
KPzLVS6pdSoag2KGuzUpFh82e2suqWYIhxQ/Klv2LABi3VZbSqTLXeHpipXG
VLMj9VHqzlJ3+5dCg6MYwurlQGOy1NqlPiQ5HzdkQBGEpDgXNqTEFoLLKm9R
mPKCVRAFPHyCOuJ6jtMv0wy8uSA9UV7QvG6tepW5wZr4fetZukSlViNVAynY
CyjGfKDtC8EdsGX95P4yzVq/A7Dv8EuDRgemaH5+nntmls1oOtPoT06S1JdN
JFTNEKaWrnso8lBFH38krxc/8JjQSycmcoUI5tai1h2iyjuDPXSxxAOXiK5B
Y2y1tD9fMV4a1sgymwb6Yd8EZ3naqmkKMVvebdlUlAodvKtVPsE4vEkXSuoK
Aa9yawxXBRU8JUXhD6w6nrNQZVHuzBqj2eWECO88FOUbY7XZvE0q1dvWEZTy
0NBPJCXNRXNNZ0wxgWwF6QQkzzT+OFZYrCxRIn/8QGZCD2GsxdNZvwTJF/9S
fz3wLR+NIg722nFOsmRn+KKeZDzFoqbv8XXLIpAAMDi4cWb9BsyrgDtw4Pue
OEa6WEUkEB7y8Ui0R9MQh0WscApg1ODjGLW6J6tp3t25BU8s4G6bcEuQcZOB
JuqvD95hqm4PdMZRfc2GJIbE/KQJMSK6vtQLB95P8FSjmMHFAzkst2xeOVLV
5BRErIRWxFXBO0/2jGAru91eS2xfSYRGoV/mlsgoVsF8OQPM+O5OM2KXd3r9
22YltwrcN4YC4eay3DxQ1NpDtsPca8LgRZN9F6bJVkcx14RI9wnVNmZ5fHqM
7TeYU3rEbif6KbdnDtGa402yTsq9ovGUjL25ZFlgeIDIAu9NytIKrmK4Xxfh
LguvH+rW0I/gdQoE/2BGqYeNJlpRXbNN32+Xkdo0EEzed+27s0EDNFGNWRcg
024EPifw/l4Ew20yWFgwQBi2u+Z6vUGFOfMcHtjkrpn4zmxxqWNnaifMfwGL
WyCksgXuVmmLSuyE/BzHDK1PzYBtb2JLy4TR8Rbdx+dco5ENln58165Wc21f
A/1VJC0xVow1WYpr53RbfIhJTepbhpVn9iKwsMsz/hf5biaZxCZYVGO7kThb
iQ0r5kT3aZJPy6OiG2zZIflkn65rdfnkTmiBrlMoLOzjyYnkWbHR4XSQclIn
4niW3rI5hqZzFCYV5K76/owwTBKKCvAW6w7FUoAQylRwcpLevOiWSc5KWzsl
zbUFte9gtQwYjeqjSW1eHh/YlFfNxVY0rKnRsAApgzG+KuSb7head0JNpt/t
L9J+3L6Ftuo9yQHDM71B8Lg0IuLeS6IYdqFbL7uoIe+mbqTcUNoBKyOGCPIl
dyDOjy83i7AarHswf3nR985IUI9DoXbO1FndLouowwfukufxLpFal3KbocQB
z+hN/FO9ubzcm95uKqOELiScjTo+dyJzwBzTSoZKdc5EuqN//eL1kZbpvNgs
H46Pz9P+M+kJ20c80O3PaTaouUJg6s1SfbJ4cVxgknHNTCbH8QgP0uOMAIfx
eGQBrB8mczBG5eRzPvCRJYxfPFS1JwRbgCUyU7L6VJrqraKuZH6gBghtqbEb
VXCarbpLKGb2FZAbHseLs1wBXNQ3abJ07yfl5zQQLdgu39+hooWZgbXQoGAX
yKQvJqrG095m4/F74wtDmQyqWJCiEy79JKXT1BOtB8loNdZDFSnfvCAvEN0p
ndPY/6bPkzGnmlZrmRPGutldPTc9zIrxaAibCU1ZpQowVoNBvbfrDWA5udWt
9K7QxwuP/ExPt9cIGBHDzzKGo5gRGlHyPVl5XU3nHi0TVNP6iKnMeJYoLpvx
eS5NVpzL6ThVGaR6b3DKiFU0OJUjU9JBK3uD2A7kxNGUHnp8Wn0wYFVyngcz
UmZsHwZplmYfPNTuLqL3V3LMhG+MmxViqKLxMc6QlUIAdjizE0TR3mHDVE3/
lkLCHcAHwnjlPo8zTQylGEDdepDPIB3DEbfhScmH622zVJH7h2BGpmUUuMwD
2Jvi338JVauiz/MBRSOnvKEPE7iq0jqVgoCFcfhLtADPBrbWyNKSBkeWS2rj
SJUwdXMcW7Nxn5x5pF9amTBgDvWNArHpgzU/tB/YNrTuQo1nf6dUUen0QLGT
Xk/oY3aT/yZf6r9xLehsSo3hV6cu5kNDdEiKxefPSmBBE4EConorwCl9qLi9
Y/taV2vIkpQ2MwQQnQ2/SGEkyiiEl8oJlxvHXR7DUQ08amk+179pDqx8FgBh
wvxMGC/Xo2JuHpVF25w/1bhKxEs719uB9bdJ7jDl7416heTZD+RT2T7pvejp
ndNzJO3PsuEXfAqQU3z48iEXjALDC7n0mPqk13NHguNQRmGnzr9s+CFhiqqm
uLvhUhZPsuS1izPK9tmS5B9pWHusb8nyMyACsfAL/sLnL4vnBxmlIqdLpNgs
igMrvCXGSrObI9XIqPzE84MM6OcvXjz79Vdl8bihP0AerKpX6fXwyCy0VTA1
+oUfijIoYEw6eL3aXKRTboA0+8khi82Spde1uq4mFHatQ5XTNZB2AC8MkPZv
23fpBjIMO83eBbmHMBtFTzlqNIFwfHDBBQDYjBmh6X8V5KeABlFucPmgEKih
Z0U/5LFddvfdco/7EOmirJzJqk03m3Xb72bQN9PWlmpWyufQLOVACjJxJSrS
d63UIXmL9Jve2XdQSVvtXqb+hddOlWGyuXzbouQp0kixN2fYhzMZeBIYoiml
CXrgcLo1CcW2zVW6xkH1sF7ebYCX8F7S68lQ4WmgZxJPOynxpCrDzOiXUNVF
E5UH1Qkf9yXpTxIt3SVKHGH6Lto4N2DgEOhrL9sguKyxBz979uJzJuqHrhVT
YLPvM8GsOgHX30tRWgVXcuhhg+admYtV0XPqE/7A8iEHPRbcXWWKqXN2JBH3
IPEmPdGVZm0vMreDZcohQl4yUoiBmJsyeGi3rS5vNkx9Ovrjjz++SnfCF6/S
RKX/C5JjMWL647P8ZhYoTG2r/JfH/UA9sWT8eHxc+wGcHBNNeCh/6P7umfFJ
GHR3kt+PheG8tb2LMZgMFWLPKulnRTRHK4EK/NiqhRwxeSJNbmZitIiARYAp
N+1QihKa7sPxDDMf2Gg/qlx8mNFwxWiTk6gBYUnNw5Eh63IhBMqnKq93FLKO
0qULkQ0rwLL9+abZ9ygPKNrkyzBR1CanJ0JovjEsWl1TOuT8aqXFjFlKTASA
HT1ooyjyoJPFLmUuj7OREuLe4xfiZP7Fr+bPF5/U5Qfd0Tn45HeSrpvWx08M
B3UEZ8IyOJaVWUB0nrnSeEqB5fE36Saei6NCFuVaFKyj/mEtqF1UH4nldiR0
asLrmHOrZVV0hM6Zc1ZQ5rZFUS1MEfT517bpPl+8mKX/87mmAzhNgBd7uCay
/fsIujiKpSAc1Ho29FweazVuywgwuvHJ0XIYnkXmoUJPDNKzpfR63dLEVfoR
02sTUG8MDMDPjSYEPHxTs+Hz8APuGRkvO0HOGLgUZGMXUCYPBmEDCL5PFuWi
QzFpAFq04IfvHEey9MWnPyXan1VuXFWVBnINHWFA7lDAWN45ssfihD2GZtWg
pJHSt8BRdi+tlSWUNNkL2ugxj5WXJYJq7LmWXkQps7CEI/Vi8ez4bKqG4J0V
5rOkxzje33LLyd01X24QQYbn1Aa3bed2pvUUXjzUf93Q4enIWN59gZulv2k0
1uwQsSXcI4fO8JkXpf+SENOLhzmRCXUytN9CuBQH5umTWf1bPcTC40N2oHRd
pj2Ha8xv8jJDEup8ph0kH9C5kgvVBZm2BRloKUnfvwdMXL8lWFdM6FkGtSpH
UUxsDDGz36YlKmb/RTbmxKfMEpIx/AtvqwRGZI0i96FUkhTUoRwP9UceZSqz
KUn3ciXZWrubWynadbXnpzBH7h7L7Izw4sGNBFrqZ3P2YuAWUcpqLKs3X8u0
lGU65d2z+n7sv82QLejGLI3nzRKgEVb9E4rJp08xoNdpY87lEK9b2UTNWyE7
ONpBcgk75jsR0uDPsWuo0B2H0pSZiqtx/bTtslWv/0ieTmiXZ1kjTCf4Qapm
JOM4qB9yNw10ubN8GFyQCaKmSTZJPBZE/3tWR7HIT5+ZiKdsThp1VMEHo504
f/JC+pM71fKhygkTxQef44NkTA1fOrKTZoat3sWlDLPSfy4ldZzvkxCquzC+
YQNVvUZab0HysnvAPAWZEFhDy3vmqYqPtL5SEP7KiLEo75PxtIGB0XjdwMN9
k+sTvKC7G83SEJ8Q0MB95A7N/KBFR0QQBErcoU0gDeYoPvWZge1gZPtKh/Fa
rXb0Xfc/q9N7spIM8nKsw0lIPjCylcgAHFNHQXWIPo9yFEUmlpSQL44XI7+9
RVXaPt6a0V0OPJiGKpIlVOiC9BRfomxg6tLVTl0Tvv+18aVaXo4QloZhy+5X
mzIiBQdZDkuRM+BlLF2DTQvVoJW5TguZplQr/LEIz4BbPM7CC2UhD+0hjCay
ojOenMBdbFQ3gEjoCs7C/T4LfFIzI5MqqLZoPEvuIUmoRIPrCAfd5ywubter
ws42/ivkbSlO1r2VO9SKZfRs0oIVX55uR92Nku7NTUVVKG9DK7ooLCyCw560
h6vaY+2yEQJjWaDiG35D0MitFC9C2cKN7oNswB79+M1rDFvs3fz3ghCtW4up
6OlbkTmT7EEIErIEY7KPZaZmmpufHWszeZsEdBAW4uzxT8wbqRjU73S3RSmW
Jmm/LmsNMD1gQBWL2uGDg2yQWb4uhy9WE5HbbL0ptipb6V1qCAwcbveCHoqK
viwC02e4k97dbJwJTHbrLn0vDoQoX1hQJX/0UWozzZDEWA+VqzzOvBoMVjkD
t7qOcDyutk0u7xChl/Ai3ObJzZR2VrG7H+46FBwOE5PPK6f5vn3o/fyHyrBs
92xCeg8wKIg/8to0fvK0QdL1tEYcN7X74GUwyj5HYAo7k0tADbZ/Vf0wPmB+
F1+Gh/UyNYplgIHrl1XwvWaCmsvBGVP9TZ6UVB4/G+C6sBtJ9EVVMOWovaYK
Lqfv6eKZjDjZGlDVtiCVdMnAVKxAOaOOr3A+XVvSwCp6AIiecxUMpHrJZ/TC
AphJY5O1Ho5PgwsD98JpgYew3MdZwcY8y7TLs+pcqajTZMgPmwtJnN21pHHO
/34jqUKg2FMvBmqVN6LegNXNFnG1WV8j9qEAI1ezjdX5R4FZs0KFddy4uU7i
BXtCIeGnKx3uLnPe1Kihy5iTGd6VzbiMPN28JIR7A7CS9nvm9ReKqRZ7TZC3
SSNKZwlZJsAYxf15Jlulc6ziYFw5sZf0c1J6dtzD+sM9jJrJ0yfHFYvreiFI
1VszyAK2/1/1lSNttBWYx7n6MdMaC/2xzOkbMVqS2IrFtXbGZ2dayGKy0EBf
Fajx/FHHqtGrutIaDOmu3noUQ59OEtjOj27t9D3xOu80kVxBSDYIuzhKuZXP
LqJizQUp5Yq7oJUMh0vbhDrPC8VGq75SVV9HH6BW02HgCx9QqNJ7HYmLEQRC
sRu9kW6YliiecHfQlfqinuSgq7aq8VG1X8SudhZmYP8O4H8KZAf96klFyBzI
xWkabOUMiBrKJ5zUqDmPIUbyGgPLYFjmSYvegkUyUyrjjhle8zkFc4xPUZo6
1zer630j91LbFvMzqCVWf//qx6+//+7lN2IYEak1dpXjSlALP/piSB2UJ1iX
lNLLEWaduYaruKpnptIt2/nm6qosAWsX/KgrVUZ/vR/85aPBJgWFJ1XqnZJE
/kZZQeDhFxZGwYQoYQe+9V5wV9WUofbIff3Zx91eku5oYkvYyi7BWE4uZilv
Ldr3y+VypjmvM5ZvkjDeQBOzlUB2ie1z3RpVjW6IEvUnXHAHL7r68EWHMOXB
m+59n9ePex2j3kBskr9lt0dePZ6zzLhBF+qFYDQVPyTBNSkUbzqp5IBTZxfC
OS+Lh9+ayapzxYmKJcwaBd/NqR8G0l5MPW/hYRyv5NnXz07dD1JEKJat9jH7
KdU0g6h9C4DsorFSRxnfRNBcsgKi58QrOGseI3dSurYd2jSQNI9LB9WRlpPP
xZ/lYTDaqxs4l+2+80AKB0Mz3TA8LL24hdc4X/x6fU9+xdoTD+XdBu55sYIu
9q5S0BiqLh6Kuw7VF6K5QlbbpOZT+hcHBSfqkK1SeOOPfY5ht9yJw7a5VWo3
5bXOQaFhaemsyw3vvhsIGxaEAe0ChZqwGfmdIo742DqDnPHi3BlvIp/QSLxH
bnZGSg4IXrPbbbuLfVHli/dQs4utLIZzU/BGh8n5PE7OqCxtZsz+QGHauixM
+2Hwfynz5FCYfSzFs5OObTzppiX9609a0fKzF0+lcojd8gM9Itatk5kt5IOy
6d41D6tNw6qnEk6+BETRz35d8lrKJa4JoulYqR+zKY71jzguiEeQD2Eu3x/G
JqApfllUHJE4xNNjpv1XenkMAMI2eTldVZRgiWBfiiUcOwUafPH40DHmbMi9
1xVFk3hjQ+scSUkkm9CX1lVmUbbXmrUOT8s9BifGO3igisiSCCmEctbtO/bs
NKuQBKyPfBtnuS5YwIWJBmfwP5wcB/M2Hpwa+MUXY5SuNtBz7q2oggMYLU50
5LUsZpXXrzjO9SFDeW6d7yMvYHE8rJaxeFbBYdWp0HGIRvD94XqU2dMeLEI1
DU2JrlQA+OtWxZF2kUxBTPPHb2LNqxww76zRkIn9fxaKc+TEa7wpYQfCmzLF
m6m14nhEkMBjS3zS4YhnoZzHoN1X33zhSOLKuknO6M324XHAi/POZLRZFnLk
XpsyUAjER2HLXOLooYpuJ/4KdfzlKKYYsaaNQqrS3aRz9kDmVsIFIwKhSf/T
plf8OaXgchOeguMnqDNsNSmGu13AwDeH6yEoiAHZtFWI2fy9zePRBJ/duyQo
j0eMZ0oRWh2Otp+q/Cyr3D0mXJ9he0k4ltj+A6E8h2rGUlJO6GfQNodqFuYN
THlm7ut8fPlq86ooyIeMFxR2qaSUHxFi+7491jvGnU4FAmHkWXgm8RL71raV
DST5LTYym14IdM0Xti6ORV38UtIAAMWX+4OJz4KOZXEwsI7hWbVc9bPKkJhX
K13nlTGTM9N8maZV/CcWft46/KJZD3vqDOk4Ot8wypWeHICNsl5a3s6HXayT
IZEQlahUGJ9IHvhJDJcwHgH9TD6Ffz7uQ9XfTmlsmEJXfl8zr/uQ6IyMDmWy
I+j5eBHbLkkpATI129xs/Pwd1hEtErtGNXdRf9a/4Q+EdCFWX3fPhBLqRryA
aGNTmslHOjEY6PnnfA1KcD8sL17L5WR5yGrdjUuI/RO7AnlJg51R1LbNOwN3
etwcj4vSncPlq5QHIYItzYmg5Upjed9LO3JwFl/vLdOqQl4fnM/3Odxb1tHR
kp2s7yN1SFEkhwYnabaq9wvnvii/Eli76DIVSs2KIPnU04CatXG8yk64vG3S
VBSWr9TNDWAtmbPMMgAyRl5MBuEqwi8zlLu03IJh0GYo9y1Tzjg2YET7ss6h
/OukKVYbnKwxOz8HTKFLCkU7acYzdtwr2HtR0lui8xE/MaoNv6xyXGWUsktF
t23MhCWb67hgKeSwxogqBPKGlWN181HcvxoZJiHAVJ24cnxSX5QQvLPy4FmV
9VCSRDaEegJntitDQbNdd+8qEHuhuEBl6ogjosXWZDAghh2CDoEe6uKBTAxV
EN8yrwT2jzp53a734jvrgiFaxaGdZps0Gqszj/Nn20wfqkpJKOrZjCxKKiki
zgpZY5dQRnUOZXNLeBEukKns72hcQjtSKLvPwRlQYFNWpTDr/9ReZLRk/wEr
s5r0JRfLAwQrcCJj47KaMi5teQ0HWuT7BiC8q7SDHU6Hrl5sOVZc+Fpsu6of
aUemAtj9G4SFK1FcF8P4q6oiRiyuCIIhfjZujxgYHztmqtp3zrl7K8DLTa0N
wEXzOR7yyPitPfbJGIl/gIgO0kDF+Vl+WfOuy6+mDqpotUHeOcOXZdgaPepm
HT3NRRXAF4vni08W9U9675qfRtKNZ8XaovfyRVTaDL0IbHmidqRv71g55Zog
4QL23IM2sFutGGf/mteCbz+ujW6Ics9262VfnFkHMvSmfOg5tDLqMWNkIdTQ
1wz+wa7uVXtRJJrZrfmNrJ8LgFSJToqi0qkFUuOpmpPdYlACWx3imtYm8/f3
qxF0xXSZeTd8soAEpXUyT0zdhOmVKbpCbSrWfcm0t1dIJo9gnr7fXHaNU5QQ
knIXeHx9liCuWdWpirR3uf0HHAduc9Xhr8LLq1X4MkSIX77DBMSBsKAZM1bC
dpXZw3Lkl4Hq1xjyCPKDIuDy14mD6qOmyvd/LodSzqReq2gxR0nsveNF6Tn0
pFYQt068YGEDIwAX/LxcpJcBNaP6yZlbVR0OSfQzaXrhhLIVL3hi/5hLVr4u
VCnpzFFPt8haOWIIVybiDQDtCvyVJdxN/iTNy/4D551426PYcPx7OnHs/EVL
i0GDLptMGSHnWIoFDOCe/CrxUMFmohU3IyXmu0a1PlQjwevWg8hkU6H5OVt0
MhM52Tfd9Y3/IqMxSyRpyNfXZENzt1+OTxPVJnwsorGIDW2TotywfaxIyRyf
AWoTA9Or61UWlzkhXGTiemo8PTiyRiSop/Uj4dF7g7RBCb0lTVrE0qPz+kh+
mNsPtf5wzCNe5qdwWqYaZ/2uN7hApU3+27GHGs1MczirbzZ3tkuDhTFZpDbJ
utHH3nTr38WvzfyB9JfmrjufORdIrfVsj7HTDc0SbWytctPjeCTVX8BTVgKm
LvHsfW8VL4nrIFExrtkVPM7ClIjDeqqvj6ZPtVPxO2aSL6ZENEgOUosIWdYC
p/PLo9BVIhqtTAK5eBAbbrg5KNOaOGZgyLKyYq4AKg96c+bRj6gsxPtTZ7sc
ItvSNQ7Etu5YozYvfpxfLE+2izKJQgn6tg9KGbBubXxt2QXvs6wMSuWKyHg9
MwaxDeRVhqSyhdfp7Q8k2ZjhvMn0wXYVnpWTFunMyPk2t4hYzxqJDqVsir3i
eTeAHHmpYE/D4f61h8hVAr+NMJXk0sIlEcsH55ab6s8aJaOFfVDaKPPN+X18
/BSEJDJNb7jJzynG378jZABpflZtsxxsiiwTVBpYuYKBSyDjrBTpiz7MLTLn
O2AYpDKlW7XrYiznql+oi9c3RfnUm7QJfzca9ZjCxeq4+WmWy/xyhyxtA0ar
m8ECrGeFucrOCG5Pc6GzI4uOMjz9Tyv4dJ9Z3oqmyjIvlGFV3Hu62Lp9gCDU
lIlkYp+cFEhW9zMoMhDV09xPcTZag3XbLqUomT8ymruo8hUJTAJg00J5lTkU
jOZ35XGNGIuGN7dxEmWFvR7IXKvIYwBjEllk3Vpd4RCUaQ+jOs5lfJ2glNRV
ZIKjhE8l7Hcx1Y2+whh6rH9XawTtVC5iq3G4SIYIWDsqqwQwsyq4SYq2zWoH
Dp3LUH7sVrSJ6zbm0YnxJdl2VU4vv2XUI8Q+SWpK/faq1fxTIimbVVKlm2qc
xadUE1YQj+pNf5nmZdtB+WaoDOWFc9a6IL2JpckuOFxHTr4Q+p4phhA4KsO1
MjASauzFtyRb4EqEw1WzZZw4sHoyZkzmBONHyB967F0x1CKKslkhYmrxVHyW
GzVvkxoqadhaAU3XpUs7MVQ51ncuk9QGNwHXTKkAmvCEEjF2xvBQ2aqWyqgQ
BnVgo5cFteBVnBPRX7r+cpVMpSryRwu1UB64ceTpk6KsDtPLQj65HnUp6Aa/
I//Ag1ZGa1RbLRHnki3mhSWmMEnmGEVaWaFylY7voub1EStCJ9sripQqV53X
Ko6HS1dHd6zEOi8elK7zUANcvUVYvfPBBhVVgqsx8kehkmQsvuoWfFJN9XKh
IA+D1KlzFOEzrMJF+7BZL3lbSyHwS5bnjSgq6H/GGgKKI9AMaMhYn9GSsv43
bSdGeT3ifhdiAQVi6PjMnVp2XJfd1RVTXvAVSxiQLUuC9pEjNDURS6QjnHC3
hUFM2mYUiyMKYDeEa6prar/2JF/rTib4zMcFIlkvN41S1+kyu06rko6K3BcU
4YGMQ3M//n3f9N08eLXk+CSBJRxeaba/EpZnuE8img1xgLTxljOk7MQMc0Fu
XDLkqiDIEhJplXn/8y+sclv4/o69wGLeLdrqJdHit30L8IgJQaj71rWQgO3I
LISMxUkM/KfQxV4+1EoMgjVWBWgSdg67COUlBKk3hx5iB7fZZR3ZIPAMqBeh
7k8NpkxWDtH8ivkmAeKmF+0JHmbjU+EFnOdBbblF/VWzXWGhpNwcOPvkKlul
/Q5gSIjC/3W/7fplh86k+VafrrJubDewMob9ObNwkjxK8lQByHp08/7J4rme
jXQxrDq9pWU7W2RPy/oqYipNfTJwYldQgMsYCGCnltIe5QhV10VTHov1qL6M
Gua0o+RwkxaD8VyoRgxk8BNiDHKJ1OyX3QzrCBggF2DgNUbTyaZpD0Lp9Hol
wTcxqEHjmqvHTJSvkJZnu+S39dEr3ZclZdVxZqma0FPkI5QNtGmu9lsR+BQl
uCKFqwrtiifQvKIoNaIJG94D+Fqbt22fyTjp2wqun2o3Gvow+ZYqRm71RX30
JZafxLWVqH8+gDA6WPCrRpMuJMJ4qvsms43fNg+V3exFDQneG+TI3wHGPDBp
g+aQOaS0mIhmR4kGNTxvIkkUNOwgq+Zay4IV2yBdZpZcDMICB2WdJgGqaILM
QIDrN927DN4MMoTlDaluemeEYJ9/9vmL8E416sswZeQ2lrrJFQVQ8KY6Khgd
hR0qiVORnPly8873x4yTSC2LpzO5q0bVBWDSNNcoybW2kcqmSEOQpPSfIYm9
QS3PU90/zaEz8Q0VFaYj7EK3GMIOROYO8Gaoh2KFRyURY9DBO6Gup/tVyghK
EkwSEevd/nYuBc/um1C9LIO7KFWwojqmzilhr/brSyZYxNZowTmtAXPmCNdt
0wWspaozkUXqe6dUfPhBcrUZdu8ld6kPCgCIeuyrGXm4bOG/6NMlj+tczID+
4fZWmK4vQ1lZqBB676CnNGgWcWSZmNa4B9IKecJT6oLojVqL4L3BXjlGU71Y
hHiucIaVBDhSi3kASStBVbMBbYH4hAqLOVTR1Rq8VoTJ+wotHDra6G07SJ4f
obk+AypRS1PyJFN2FRfQvvd8WsAFJtgvAskfCdZAmzumYJMFMYeUzNQg8RKA
zQ1Lx7g6I0qf2AGLktJsJoB/parj/c0KiLOKFBoOCSsSFQYoJtnCV93PA/gV
o2NHBgND3cbBEx6uBNrLg/BoewTtgkC96rYCOni30aS+e6iYFNRejAYNdb3l
uiKRgVVW5YJicueAYMW/C3iBE4ZPJ2KZtq4ayVzV3TL5NSQOH0j0lazHcYIu
I6XcM6pDc98cSI42u90evjWLPao4A/1bJ5NBVos+eQ4oakSnSUo6+AWTHlGF
rzdulrkJMewRjSUS90bwuQLrL1abC79del8D8sJxB1TM/u+dctq5y4QrdIIz
TmQfjjH89OxP5UL1SGJWUnRD1JS/pis+/ZD0qJld91lVEbfmNbNcKs13QfsU
hEnTvm+71Uqk77GZy7qAAzlUFeR4ep+tSSGZxnyXbiEw6iz3t7cP1mPq+2y3
crU/OvOH9nPaqaTRw+G/E5/ftoM7fEONpooEm45ImmKziZHnEhKAYBhWUO/e
KdxBUjmVtFCCHp7D7wlAVwb/sG8gP2SAKpCP0bKtCkTFhsHnYa4JPasoQuB4
/Af3QKQTGcZj4I8P5rQ00ou5kfbIhrh3h+JmW8mPedJQORmY8aCd/4irYIqf
ZlZlQGCu4ncx8urmVBABr4TuVIrSN75FdZNz46R2AiNG6LhyHCGSJnu3Cob6
OMsiM9kH3s9y13jxBQP5iszK0W76yLt18DtoVEehLRHIJGCZ9mFWWQnk7Lsq
kIrpVvb0/HAKeDljX3vhd0kW7DfrPPQhnRK3QMGNloMyMUcBWJns39BdGlPv
zopaQEH5YDlB8SBM5JAS+1Owp8kWHtJSgcQL3ulkTE8gIqrizvawToZ4OdRj
gs/pqIjMYcl6koOZ57cerFsBgdCwqEMqcIfH7TdAt5efG/q7vURmAzoYgg6G
WXiWwMkCBr0GcjSxKcx8djpqjBp9m+auKlVA9fPp9rRGECABUagZ/6EgkT31
mOReorpspZLJUna1eK/hOvizZ9qJO1eK00IjEIjiT8+/mP/5i2e//oqcyeLM
6b5t1i54C5AycYIy+osB/2EF73jYUdJRtnaTbI+iEL1EhkA1vfYJFjdPZVlk
AqCpNQUqtwNWKevpASRnZSJVW82Ji2dp/8pOGbi9y9KlsNutCSkA0A0Th0Mm
JEXAiHRsIOxzabqBrXhExGvjsSzkHkBEDWCiwkl2PJso5/beJvi0vktpPFGp
5uhus+PGSK+rsjDXZrg7xsApbA8ICt0bOPhifRdka6lBsiwnJbhrAQaC+kb8
+IBrjCkLN2RQJI0SGrzNzo5ciadoKgxG3syhZNtv3taybe8wSvgeA9Jdcnpp
nkPnRnm1be/lSe9bknTK9WpRWnlQgASX+qI/swaGn2IyJxaOtEe9zuiulUUy
jrmdFXKqbNpARhd+9j5Cmxty1OF9nagqz82HkM/6tinGME48NT+A8E2foylX
ktAno3Hy74H7elPrRblicSgq3aaPVN6/gMsqCWh+S9r8aRdkNUQAUqMvP5lL
pdbTHPuVGqqZLnEwHDWIbEXpdTUW78Gzoeufl3OXEZhG9p99nSPv5gfZBDPD
hyEEzNzG1cjlN4p/Uqp1F6hBvHqo6H899VdyvlfthZSxWRi2Jy8a/2Y233LK
QGpR6dSn8W40cnWHVkxl1aAAmgfAn1c21REixKjczkJkFBqyKmyBC3hKd9NM
7DE346H8NqV/dQzz1UYMBSono6EEYEZlgdinCw0PMkBhJiOywITXu8C9fwWl
3l26Va4Sf+lUZ1Ktkwh+PWhFK/XRORMgEKwy2iQyHCXFmURN5yz/B9N3ItlR
6Q3l/UHjpLDqQ6QBVwxj0Fqw1VzW8rr7daQg0LtxhV1t3tOLELhAj+RtqfW6
Fr+j8h3FQtsBOJxrTrPCp8wYwXnVM5n8n9JyqHZYRL7IhCTT/u8F7ZSx7Tdh
Arsh75Q6nUZUVUNCqrrOnEsKf/EeoEuUHJGmyqsOiuiQBiwLHV8aZiCX6cfr
+tyIqawAkrRgBCiTfFd1yXcVu2hVNlITka6EMSok8v84SJ02DUczHI04VnTY
4LO/C3xYwsnvP/ganA1mC0cBKDwpLrC+7nOGJt/IbCSa2lFVz2X1X2+udnNh
j9xJb7R2MfcqI8yyAX6IFmMgu5GvTvO6DX1YaVWySi6tL7fNOyiFOEak9GSm
4u3tfs36L8CNWNOnYoGk/YWuDT8oiD5vdv1G2zufaSRFdte7vM1xzDXYsna+
S4uoG3TTd9H1Pl16ovWlOftkcGKs54Ytk9n6KdYRBJKWq5xrf9tr7s6jRcQk
8DItUkdS2HrSQsis+PTY73FrN3277e52IbcuezixaANivZzX5qNepa6l7Xey
Q/qxjZOkJerkIW+BZSjbNxljtiysswkQpDwGAcZKyV18nvu0vb1ol0tUAHox
llEGVY6T/uNw5sqkKJ2/si6DzZpR1hh2dhyYhZhh9kC6XNdgqILUbiLcRDF1
zhWqHsKNc9gEZDOAUteduMK1pi34brBLjS9QqZgz/0z+RpqYT3F81attztL7
NtdhTrPyZax828fSQnXAeRx5uF6rw8jZiqxWp/VVMovlT6gpCsEfcB/HUHUu
RUNZe2079zIZ9C2nR+PjprnZPe0spVDtCBFNAsLSJJJoJlGTHdauf4vMoXvQ
tsDhMKJl2QSLOgbHnx0fVHRc7XeN5wO8v6XaM/PoxlZNBLGX1SfQ76+vaVmp
czGn7KsTCxEIhsLHZG6ZnJRhraBZjXRBZ/paqIr18bzEJuxNfa3rHJuZZFAd
Nl3Sk/DoOBVxdrUKkQryP1mFZxOK9cyNjTh83FCIAyLiD7HQUtwWrqVQYfbZ
gal5XzjGQVRSp9GVODXhmdGcQ1nBF1VG49yrKU2EsNwsQt8tHHeEeJxBZ60y
NnFUq+4t5ngA0oqwLN7RZVKm9NPkDCij6a5vWPlEGMcZZ+w96Kah5DLmJi8O
rZqCRNejXAdmFepX4K+boNj9UORNL9QcfDPd5k/riKcJO54C2jVqA0PmzY/5
mHwI9T7aYbWPbDITGMtb1pF+Kncljj3sQrObxmIa4HAIR9oXY3Iv6dnIdvBV
kEbKt+QYZf4HkwLbgMTMK4G78wB60ww6OpWuhogbeZVoSn62zEg1ZeqHDJ2Q
XJUDIHfCcrk96XaGxgThssmTOqrOMkBmF5hHA5zDhGgHudk25yx3qhiwAXEM
Rct0h8+K1G6bKfW5UqEIvA1a3Gk4QdB9RoDOHBiFLDLxdAhpyePBMt73YFAS
/n5Awa+lMqxXeRT4kB3RAMKUCw3qtai1ubZzKJyA298QpIfczhiwZL4WdBzv
2bf127m4QB9ucXi3hYXUMQtk6IohfokOw30y3iFDHFnGUx0XAqLEVCnkDu9G
0oJQQ1Mzja0olAc3hd4912cRZDgkZkhC4F3z0Bes7TDekDiAFIevtnTbFmlw
uWSgFQwsppagTpfVfEP8wkKQMHNaTokGKj1jwKIXAn8JVnuo027nqVHvR6LP
RiP6bnYjlffytkWMGOnDaaI/0/uWNhNpleEzndLgB7aPautQCcysMeCF2SZu
mJi5G36WSkutysObzVpKcy0c6o/CiuKvt6c1Jmp7VdMqLSvWJ411NLMfJrt+
xibPgHiaRonLmEwoYqCtSPmjtaFlVw9cP8J181WeSbqBOKhRccLPF0h7MJKx
TLikmEs3w3Q9oFeMWcd0QXK0gbxZJXcZ2TfOVLpOy9XskQ3kmM7fkdqi/ifN
EfA7U4660WxbgQ+tDk88PeVWIxl5stavRSQEaQFk0YAvMHCwcZ6LegtHVEok
r1vcxnKoUg+QDZbuQGIzjpWLDwUiTNGfAqOn9fgtTDg9PTH/LKeoZd7yKH7U
f0Svz6iQxdGI5QuQHXWOLt0rCYJVSo8DgE3M97t2tZorwVW65Fo4YbM7hRIg
nZpjzXpM9hvYYZgriSjmFjsWw3Np4el6F2oSlnHbVXcFmmLVBDVTacA/Wr9T
1Hs6Pls5P+JZS5t6s0Ui0yA1SuPVoWPIiJ5xEiaynhQDEDrPfLxpTaFcjbjT
xHG4cMPKBYdB0myl4dcRjR/zrFvHq0UZVId5AxTxYMlgwBIk/CqX1prTNkDd
p/0n+rQh6shwKimCzj7O97v+VE5nZvLl67LBqWDPNIhXMl/wiGbRWPphLVNy
Uzs1VfaGRoaoKbkTk3GHfpiJxHt17jvLoBhEjEalz+m/yyxaJyLFiwoneCNz
LHkWpQlYalOrdldmdhUeZ10AznxAv2P1hutvWo6CGaQGMhMxGGtkkYP3zp7m
SvHqR93d4AGxXGIz+O39YBgFB42mH8RgesQbBBBX+P4MgTiREPTvJfHxHrV6
yMNokgEccTjUflLnaRrmUdTN38M+UirXs3rAOsLd6yice2onRY2Zf6m/MkVX
AO3Xm2RaKqbVA1zK2z94yuw/D/kYuw6yBoubMPA4npx8OaXapiMfleBAfn5y
gre+X4tFvN3sdzE+skt60r04181bkh0r3hiw7Aaxsea+ldzWuQKiMnBCGkL0
VpbqetteOzdXaXhliI+3+L/a7WYuoKRkGWSooOvW4frNFRIEJpw9feqc1vYQ
GkaoYsfi4r1BRLOPClVSZj565ESlv8zBBzeE/o4nIdkB76RYQWo5fRuWwF3T
Z4cmnbYG8S/hmtJGlZGGjfhrcZfTNStxq2YLihmp8XLdrdtWKylGzZCQWAR4
Nn3HyKLqR8RDX0glHE8SaYj62ZCfBTZNX6Vb9b4F5SCKTSvYQsDCzN1RKsB+
VDVZSsTtjF7/S1QmDllyh3CaViJlOXyh9ktbgkBVSBqdDtwyTcnKAtk+EfUc
waezOtAgoZC3v+OE+vqyICmUHF9wKu82uduaOt4bvfJEt00dVaxozBuGoTKK
e5Z3RNLVhgS5iHNSOpUBzbQIOSo5+7gopDjelCrpLtcwCGFDMSIklYSUQOlj
I4LHPdLm6Eq2vjnQOdS8acp4pNFB1BvFQSLhUYsvmarqSb95vafj8fBgSJw9
eo0ObA0NbJQtCUzMQ/px7iQXdRjRD7nlFpfMhzVdSpfbZKYhf0OdrFVNFlLu
gv6QszkUCLqdyFoqkEwHt1oI5uIMn7rE0e2SNrSmBSvhLNDr6VSk871r+reW
8sSTUgG9ieAEz8O6FRPWiztKfnJ66dD1LAuru0KdQ2814znDlEU8YXrPDho5
LGqGnIESD2x2tubSCjyTsuXD4c8YxfvMo3jVx8Q+Q+Az03mqP6LSF5mIznse
L/70/AsKQsMl/dnpemf116+//83XX31R//i6evbZi0+fnD578kyyA9Pf5/iD
JAblsMWgj/Ric19laFcGRO4s8UPzPEQZDHF8tKHhIssSiTytHzGXw+oUQbqq
eeZLZR8Etl5Zyqx4H7fFXrFoVXZkflYffQRptoY97pQb0UfRDeoPWmxvirPF
nTmDtEbGl8uCYlmIXSgX70y3g+mHFVxEqhfK8AdnPx4Ubq2yemoVi+UoEEO0
q+wOAnT0ACgiOq1SQysiqlWV9Jvmvmuqj8RHTIAjkkGqqW+XTX+J3MNkbt9Z
CXXtdugW3FBFEu+M9FJg1MoMwvhr8DSq0BJbfqo6sOFBbdcvA/NvBqUl63mQ
MF2VQHsFp2yR5VzAGaFsmaI+jFFkJ9aicO4OKm6EAE+/G8R0PGVgOmKktOHG
wwOtFeaqeppJHNFvKkIai4CCxCe8dHkvaVbXN7srVVAJJ88JOaTmdv63g0GR
MRn5aLQlhZDFsQ7UF7MMu0Bt4VkfIUpQhvfclV+FyIYG9aaQiYcYNSb4NMz6
CjOd1ytPw0xpm8VybHYSQ7+8MSdgmBtFZ6RJe51DZsPc/RLSakS+EwnoXtc2
TjhCikvroZMoVbWzJ6EyLCmVfJgPpiOj4yMmoTvSDFXqEALnOwhRp/iEpqCp
ZK3IaSfj4Fqh15Shp5IThwGvwGTD8sr7tZT0BIX7cpSuLzZbtAsJYK1q0xb6
aboTAOZMfSviY6oGITAEFNNH05rkPNcihl4p+M2cO7k4Bi67gw6sy2ZNxdu4
Ty4miC5iIWO5iGUtrE/S9/98dLeb//6HR38hvYa69pCsk2O7v982fxdKj3V9
0azf6mXGAVT1sKpYcL0KxyIDivZekfcDiEt3VRUuWysYFAKBJbEJaU2UGXxJ
7s8hocnA0UbDjrT/N819C5/+f5Xs5P7J04LWRAyNDxKbfIDWpKo/RGzyHlqT
vATvYTY5zGuCZJDDzCZzxNbNPYxonBeAHjk4RZs3VoNOJCo9Lx7fuWh372Tq
3X3JEDJazcHji3YkhqL4GTF7CeUa3FF/HzmUQmxTXVZ/N6xiMSSO87XwQq90
kHStY4eM9kc/CDTeP12AU3olhznLHgMGlseCJkHaQ+l8vBWCfakzQNaWZBuJ
f6sXs/xl3YfuwCF5uzEAN7ol3ptRz3LFFLt8Thl6sEmTyG8LpZcdAanElVy+
xH+nFdzO9+su/Xumogk9JWpov2P2QK8ONuTAJ4kqVeBFsUi9Uo44gRHQy5Za
+et+ea0ZHLqBHQdjRrpoCMD+0TLZ0FSkSW7e/OjzhPXf2nQOJhDOEDfiy0Gk
djCM/GC276mf0T9A8xaaMwC9SHLkmsRVftwf8EnUSZ3diUkCkv/hvWhkXJmn
1HyibbnwqYM4DSELvryIxXGShjIb0BUFgeHkV2EXFt+Aygcx3G2tsoPwmPRW
OTKuWExo4cP9Tbs8Npf5nXBLX+1XEcVi5IkU+XIRX9+YY5JE1XaHEfKkq+6l
kSWQTmouLdiQezD3Hnj11WryZIZz2cnNT9iECVpLOz050eELy3hxbPNHxexL
51+snA2CyVL4CQlk6T/4F9lmf9tvdu3cR5jZyLabZnkprmCwK+v3JF6MkHmm
pqwikr8gKFM+ddY9g0cgDq5QPWeVg0h9Z5MaSJAA6aDTu7dZLedo6R1TPjc5
P6IWZhAMgImOLIUCsjAh+9Ia7/PB5m9+7hSIfnJCM6DSzotPU11tby4e3vDH
82Nxb6SdcY3rUrMOYhqPNFi5j67+TTzfvyl8dGqYdOXGoVnUmKfLfQCnFg6d
I36p2g06/OFdzy3Dajjr9p1xShGKW5k3VnapBhxEnRSu2JD+53tQFI21LKoJ
zqRO7ypcYfhGmjj2OktRe1WyA5orQN/sqHWQEZUB7tJuTUPkj5AFmU8CEb+k
4SBpW1oVeWGlPHZWCHy4Fq7NhkQW/VhI04CWOjV3QZ7ZII6aKHtsLskXLWTt
l7xuyGh9fKYquGUKJTk+2lSU2dqVKh+8TkkVRNuAOvlOCGdSF8KeiuOFgiRq
yJFcpYO85hsvJ5XapjvIZ7qtWQFYTBQSjxjtJJO/yGrzs6JIcumLZO2v2w4n
GymEsh/gdNLE9Apn1Zx1JhrBSq44AdaLMeGW9zEtKgaJhZcEoLb7YlPLtgu0
ByxPUTRHWXnbSnp5ld0Vr61iMX9xYDCyz21p0zSI2sfK2mzBQo0AERtTxLp+
+err1JV1ABnMDl5h1ZFqM6pX9VSs0v+IUkD+EjtEE/sE4EQW8vEeKp6hZxUe
eWP1cDr4VbmtZUXsB1wVzEHIyVK50wicX2mDjSUMJ9FmxKTqanzHgAkQJ+rA
xSsO6+EhwYZYtYDKVJu1yc19knF7Why84f93b9fa3cZ1Xb/fXzGLX0SqAGzZ
sqyKdRualGyltsVlyemHJkscEkMSEQggGIAyYzu/vffs87wzA8qu02atNrGJ
ed3Hueexz94kV3ZNfjXq47rzZASR3sq/ECWjbuKT/R/NS8k1GvEP2lqsWS+D
dI4G5/uB4ZUwKpgRE/xCJrAtaTgoa7wGd4hdwO4hr2xEltwsQgppoino7yW0
JoUqnJ2QyRJO1ku0EUiMeF14xgETTaFY400Y7BlGvzBgHoh9X31z5k2ikrsc
qf2EWOh37zsy+tqSCEGGGfctZyHVLXv+q+1G+H10gL1JpiDPZ190JhwR5/Mc
tOdIIc8FIBHIBZpd67ldofJ+VavcdZN+y7HB/OSkJL5uxYtYX1yDrq7j012E
H53tiLiwxFrdeEluhfe1a6VF8eglcygVhTwPt2jXJN81Ikzdlpl88HMjd5x3
0vIyDwn77fnfE+e5Ou1suSXcdz+gVcy8BBs0kPPldmrYMdpBhG/HcVInVnrh
viBvC0bvBZLWYPQeGMmKQB7ZfZuzZ4Aj37jV88TNR87tPSrSNRxf8NvPFswf
nNzfaQ+xbQG7ERKMefZ+iM3idta8Jyr8BfUusrIBcawQq9sYOR3SVUV+aCR5
He5+yxcswSS0JsyNSgTLDkUpX1m0aKCTulgYaXGO8s1axj00oDommTep4vch
m8yTQLbK/AFLgRH946R6Qe8Mr1YZJ2PkbKWIhw9FU6pZ5m2dTxxigX/fSD5Z
mmOWepswRxTbzMSXkMoNy13I9NG4AMsoo5CkWsbBHfBk9dW2AUN7fTObU6P+
zTkJSaBPMA8zgWX6+nzJrKt7/Qh9wQlctvWdVfGkgnnN1maRogPZ+nGnu04F
cMU8zOUYyyMDUSst+1EnFhPxa1JKzWvHjox4xSMGKkfR052cIphC1Yiw/LaD
9y27eECBnsRFI2s6xEAZgMnNG5ikgILC2VbkKRNqwuGtNhCIoQ46cN9mx3VU
+OysdcjrBhuRtCWkYZVRQ5tWwsy65dS2UQuNNEQQIiL25fO5mgeDTUunIA/T
3pYmQV9EW85aIfFLPF5jHy/a68STc1j1/V+qcrdk/C4Z3kWvTUwmnErm7AeS
FeSttyIVL1FoeSsLkljtlUkvAmVjqKbIHKOaLYkPoj+nAe9JwSQgtz3KiNlg
Vq7bGPL7QU+6PE+ssstRYPlliNtCzN3SCZ4/99ViLhrcxcsaVxtOGRA48SJf
bYm2J3oYEHkNlzzrbKgr2KUZ0y6LM7ld0XnEXHnwS9cbJSKyJwvhGbotJElK
9kdnNmgfD1RxxNNg/yCuodRfQ3S4ZMNvJXJkbK15Jh8OhO2Xki6lSeTe6wZd
p+v6vXwObAaf/hzQ1FRRoG9slZNHS4aKMguc0lXBKe3aJh/C5HbRVqINJizD
dduIs2iQMgraVyp6eQ4Q3zln27QTVSE2jCK0MUaaB3cUuoL8ULLtpDPcWPjN
lv1907zLI8AHdRIwF/v+05rM/Pum5vJkgJ0jDRWg3QwUTNnRgtYAHxkd0Q/u
96nIlBNnRp6kKetfgm1zkwy3CeU68RMisr5lKoSaEtPrDXWu0Ddejy9zbBZc
fIOZGIsRnZx85gR2HmMKepbP1LoDGyAhRC7nsGpdcUSYE6DOsqiXRYa3hw9Z
yJBPiotKdGjyjmtiwpwq18v343h31Suxkv0+nb6Xlw0RqS7JVaqu7m7wX+TI
57miZqvmwHO8UxmnJMXUAFCUxHqdHfsb42bic4U+lIJC9t7zGspR670v2u95
aDnpYblmeo3k0oOoYKlQivYyWNKltfDcl9U+ySWTC8TYmtV1nbc6zek1UZK1
I9aDIW86B3qi+DKvz6tLwutMgNpLBTN7FflhYzhF7u+0Xk912aQyrjwUAxfX
yIO2G3zKuSJtUlx26OdXxD9vBcXdARwpnLbL9x6xPIEhSZWdu7CXJJBEybtL
8QxV/56Z0jHxMp6ztBl143vRMDgTfS5+jhWTSZmJ688FF6b5vyU/PpXEdtae
hwkw/CZSx0x9ugt2E4bbGby3RS1qqphsyL50XUDH48FZtKpIITtfLjRyc2t8
ENahAa3Chdc+yWYfcsFJREWNFTV/V01sYBdboyTzSbEKqOyTNNAFwgGw8qGG
CQ30XSY0i/K4qKDlz6Z+NQqe9n0aZXb8PmfF9VyU4SCU9jsN/+UW2RC+31rk
EoISdYmgmoEZU77X2Lx31LyI+Kwhkpue2olKkqaqv0fdk9ItsTIqr/IBbar6
hWKFf1hxrL+aHwxSAwf+DWy7o+1mSX4KsDmdLwMbc6k9cV636K+RZ6UukdeH
qADj7FOpFXIIzYY1r8wmF6SkVv8QA+UqgLW+Oxa7Y5kpOTRrd93O8t0GQWi7
d7KfTKrTHbNSLQWK0hki9Tp3wPUhX93tLh1nP0760mm7u0YKM3+GKDB6eGHD
mbXoDD/rI0EpV4zCCP2w5J01RrNT99ZnOA936YvQSWVroKsvUrgScqCUDnZ1
tc2bk2gko0A0YEXspnVeSGyR0rrFgU+2p8Toh5rC/G7Y0j/o7rFJennZNWzC
rjtrXTKVJ+CumJR9cLa2WDwpmmqBfYFltHz8KP9Lgn5SH6hofNoUqorfNc3T
kqaNEkrd64GI0ydY1OqpWMUF29AWiLOeCRl2L4wKrWe9tFFELU92Samxftir
AVx3UBdOoXJdKxNftpclR9DVo4bvvWPnW7gwYTeQhrxIfNzxBaqjVMQglcYg
MSDgUCRGICKQwmFL7IjNe1DZ/9eERT20r89+upNt4I7xwrxWpTiAH6Fnhh3F
sAhL2nPApG8H99F+HSeHlWnRgsf0VP2TG6oUZTTc2SYsouXvkgSOFbYhqjcl
jilC6XsSR8m6lu4NdLqCvdfe+Z9uaIwrq+8HSmnR/Rt10nLI6oFtLHhuS0Gd
FEi1rhuljFjOtMaJvGd9R2jWSkcd54RBoB1nTqJCSgSg8iTXjzmxX5RnadRD
Kzk/UmuW62z8aYloxY5TKh/IBKRuJoBQUvaeQEgyEktiEvPGx2DvXLdQaUXV
etOhq5x8clDQS8KfeT8DVzX1NXMXVOragbyJsgXcXEsjNJSzDd4qeEVkuoQw
C5+RzRMt5tmwGq0/lHdJU3LEF65CHeqwutj8PWqeyko+XvsuzaWVC3K4scsp
MnKiai//47ghKeQ9qlLvzVrekHuVDShStRDElI9WwhdrDIC+ACAngTz6kHY3
DeHcaBIH5s2bOcmvGVq2G2nW0GZH49ywUM9HOhvfuFa1tsnEnXlJCvNyvdER
zC/PBc0d0dek16YuV4qE/LCA/GQycZ14U4m3kLVGskW0wpkefmxbX7Ywxw54
CM3vedR6FnNAJ40/XCuRE+FdlpGzJgpA7om2XGChm51xRQpxhcbSlIM/Z9Lp
AdZfwnhlrwBU2NETsPojj5lPndwXYUoxe4FfSSZP9pmFAXcSwQ/EgSzdkTZB
gM4xvj5QNEuUXt7vYJ1himfeXavonml81rvZgtUbF0ltmCzMZrG9YXM2yhGB
raC3IjMOHeSIc04Doo74TJd0rLSTkzOeeLvbjx8xTzwN0mHi41g5YLO3iIoR
y26ql9bbVWg09UFLdgLF3MF9cPheXiHJV5KtlYjXhjEHFay4RtULgwNm5//X
xNRoVqLjeCB2T913lrYdyxf0gsDZZnKgLJJlw9JQY2gOxvMRubKyDkLhmMuS
eKmZ9vxIWHGmLlK+YKoxv9/hUNh6baVWwngkxMnfm3RtLDEtg+BbDGbLuE2j
5KYtSzGG2bDWLgc9YtflvxDllSYAbsn9pFwxFcVZVUHWlm/YFqjC8MLagSvk
/VuGNXAbSe+8hRBvYsYywPLKiJOdqnPT6Sk/h9uBJOFBz0Gqv59EOOgmJnZ1
7Ucn08eWcaI9C3Whcpn3RN/WEZ12Jls6YZM24RZ5C+/j5V8LN539NMJOwk+V
J8UcEr8ij9ZYviNoGe0gy6FHhrZz9smMPMeODUkOe8/xnGUBGeRp7flC5JY3
4zdOdJjSl9q1N/LV8VtoHcmg0b/3DjjXnw+4YmtLQw1cO/1iJ1/i2pDx90rz
mZ6s5LjQtrD1VmxQaQnJ5yEW/ECH+WAf3r1kj+7hDbE+5p2VnUb6tILvUZR4
Ah9kcu3t0MvAhzXrUOq7XQTpbe5sCRekrvp2bGD0sNLReDpg+bXY57rHL3UN
X/FbVA8o+n+qsgC6bst+lD3riHh5ueZ5p4gkpW8JmBd7hgAW48nl/tQZc7Qy
svNcJespF/z8h+qrk9PvR+mH10zeLqf/8fHpEfnReadSJTzv5uN6UU+pj+v0
5enzk6NR6Oz65qvTkxGDk9oDjNnVgpplOi8d8DnCNU5Z95BYoKUuXyWyk/2a
OmYm9qyAVIkjpUVNqRu5g0RqKjlJ/bMEa9QsR0mL6AS6d+ZBYG9GvkSRBFKc
JP0535k5uBeYjpjZyX8yXEutHbsKDOwabjVJ0rYZGfGhbtTpsCZY0FCPtRdX
8sHBsSfbPkWTh+5iHRh9R35DI3uyZCTQuvX6HbO8LJYopFMcyewz1sItFgCI
QiSE/RPE5+31iZspYGHVv6nGAzhFzu+QTQW6ZuKkJ7+iqzyPDjjSiv4geiWk
U4yhPvSVj5SFhRYn7YfqiMLVPGGPPrd9VlVUiG79XYgRORvGjQQ6QszYFerg
Bk1VJwVTCa5g20i4fPQg3e7UigeGmq7j9/BSj7WYVieCzDBSB29IF44+h1y6
KSsf9sCEDzalvokKPNtfJz/p3da/TBQU8lYpBR6eHRwSIoMT79RhaDQGJT+j
UlUHusW+khfIHhP4fyuvGz6dVN8JxF1hHBQGBZkS295a8K/YfY3rktB8X1P+
RUYWlRNlZUA048QJToKq1Kf5x85zmTqUAh+q3lxTF0k3lduq6ZI5EsXRJTYF
vhIx0qBEWircs9ZK/3SaiLE5y7EzjRR6hDvQFaxRm7S37EGdAU6wzh7VyXev
Y498N72lFEY+69M1GKrwRKcdTCgyly+CUbsGLodzGetGNiobHP7t9JCHLHWH
TB6hDzSIUqAgjaRq+U1MulgkviGIbKtFMUkuBk4x03rgqhJXNgrR9VYJ8hED
p98YA4+UVwBc3bePnNphHZc1yVaMBf1HkoSl4COrFBnWhUvsdaUEhDb9h35I
zviAGxNGfmzPAelm2o/b7/Hk8fhxNmyHA4PFNBXZiygYKroi75RkX9xpYA2c
yc2shRElBi1rxmVOYDC3SJ2EdmDqNfEW+gG0MSGdxIgcAtIAFzduSEl3Rr1Z
5/WGGDo8uMCDKM2wolzgCi35hhZmmnGh2qhwbQptwnnRb5Fo3sANANMIvQNc
2ZWsHB7iuk27hliO6fj1ZLtlbDbVZZNj7URDKwxQVn9ThCELMPBpzjPp7hu9
GxUbU/nQcug59pSVaWk3W/AoFkvHj9E3BaRicysids9kYkuT5AtcVrdnTng6
4re3o5Rvur1Z1OtI/DVieJtyyHE9tWWA8kK6GRPVYHybmJqFxBbRALO4Fo3D
Tb2iivzFuwqAJr88bqt8gFwu14bBHUMGkSk8tWSfN3IaVLAHgDV+IU+ij67H
V7ZkuDrEfC90FPc5U/yAGNdXiyVVTivhsd+vxQfS201TUAC4DfYme+w3Ta0B
3DD1QJ4OBJLneRgowSiC24v2ko4pak8RIG3+PkrxhxfjnoGr5Fw7nkopFeIQ
HVEbgasiA57QAVDpH3vcDr18p3/5B1keaD0Pf/ohJpVzmxwoCxG5OFFDaU5t
zND2pJB+6XM4mNg4p3YVfHsRpLqShOioNl8TJ6vqdvfQtpIWRowF09v9KoqB
ahwHxrIHlyP2U1l1lxmoipEZh0DefJJdrHSmNV8Plzxo2DmTJKBXTlbSehme
DUHrvoxKBFxwdyIrsIAYGN7YojsiziY7bgG9HbTUIHDuWRsL3vqCzyab8V8A
9uYHJ8Y6OK3jqp6hbjpetc12SjQShEKIAaxkNBhXwlOXQBtceWJjBXeQqdzR
WnAw8qQJE8ez2DwJ72RjD6HQpIqsuM5aEoI+xHDGWJM4JNm4Xl7nSEU6OlYA
/5olKqGCb2fTt2QSlan/vny7RamAAEpcHQF5mD5e9E4BXRJJ2wiOEp28t8vZ
VJsZ5YDx6SrJwIwlbNJLYlkDgHDEZE8cdp7iJn2PkjCD8zX4ZF6bUCocM7zL
wYdsHackUVUvFs287Rlzjn6v1jWBIzoahVxZcvpMaXptbMmeh5BtxD41+DRG
MhmN1DNGHm0lq1nmC6jLm3lh2f7Iz0MtYuKKQ1FBMjqnAUsyvws9NFDOAgxM
qT1woos2UXr40AvRyuWQw2Jyf2g+Q+tNhFApChKlWh3Uyprb+6u6VP5wEHm2
26t6bnUFzUP0ZxAcZ5KgORV2wI/qc2EJXATZgiOZTHCKnP3H375Qm/mWEGNn
SK2Q00hL9e/Nemk5j9s8zATYXK4NWYR/7ygyERvSIiQBLeme/JlQ19DWa9b7
4k5+PU+kqTpVmsTCe9Jr6NqaVC+W68gX0pDrtC8t9Ex9JXhuafqrUCJvYJ1H
sc4fGwDbgxHYnruj1qoAnzcDunwZ+/QuYhHwcV0+JmOz5XXGOZpjQo0Pz4yP
f6CqusDvbayRuXjPqDOLMy5NMo/ZMOG3mTts5wEeHRjLdIVL6Z4bPThmwPvR
6uIiZxu9+5Kji5Ml/IWCT6H2MT1A8PptZDCCsJCC6kdU6uANeDGfLagv0WnU
IIJWB8PB8IybFRJnfSh/OUXRCETAYqokpCRgCC0rBn6NzQAcSDKNucUK+6gs
ScR8QEoXhDgRdERUFgHJMo2zTKzIrTJ40uQPrWQvNg+qkcBV/TiqrmeAwKpO
DXV6WKPpOdcjCyY58ncRc8g5yTxiXe44qiIUSJ3sZLecGTBF2g2+uxU2Nl4I
647iz6ivR8vVLiiNMHY3vJzUvkwvRGiQa8r+clS5XbfgZa6pDEGj/AqNe3nn
dn4DxyJB/G45DRXF0grXjIq1ppBRsYEQL4hvx9ur3zpbqtSgNa/ZEIvVsbwG
u6bkuI4pRDfTb0OrKTmafNBYktpYyR9Jnc0zY1Af2/BqUngQ4h1LOC6lpXI8
C4PEguh8kr7N43Ol+bddNKMm194fiW5yS6oijGYQ9nwnAiwKt4DK4GyiQaGq
9pj3si41w2ty+qnmdEW4yZipecBwRczQ2xu/WPYg8NVBI2BsEuybO+J0XM4A
WNbFajQzeRjGvFazqwRVppuxNxHxmiYLqkbSQMLnEC0Tmc0Cnc14+86mtBok
avNG3oicI5+kY2Iva2d/pxOQj5Dy+CldDLGruN8MTG6Ol7Mb8ElC2aYLAknj
OOfsE/6ZTnNec7B1vKQ1c1GpOBTaF9lK8mYspM1ATgt2rP4OHOFzpnLBRYQy
YPD5eSF/0JKuablOwyJQ6I/JAhCt2gxMpQOhuBH1Vx1f1t9UvpFdqtT1qZgg
bS58OtxNOnInLkiRshZh348jginZEvUmeMgL9kiCUF1yzTewNMCdc7ePhUtn
G4cxD3OJy+4LG5Jeyi4KhMFvOg2JnHzlDFgQgs3DtTesAZsKDdg9cOeNpIf0
faH/HOUkRkrtOCjXNxIqhVieh+9OTEYiYlu3SKIFqY8dQc1MGbiFimlLbLfS
dZ24wA5I/0VV3u9ZBJMGKcXCK03KFnKtLHb+YPDEcaRYqh9jzvmZqe8ruvHs
23mHEPXfAEAAEbcj60lPl0TEjYmCwooj1DVJbZNK7wV7/DvhPw+s3SET12fe
rx3wwhgyI8MxQMlsHUDVRhnQWtY1GXRbfq2VeBqYfWlPZqHTHCcc8PR2q3Y9
XnGlYFdgihNVU0WNqbc70tSCdaNtyrkF+5Z8CfrJNlwVEhzXLAy0xWAOfG85
n6mwFRanXS43LC2Zf4Zcr7gXS2W5VLnhow+K/sE7OTn9k0p7oZwCOkiOgfLO
mCmtpaxWB/mUwn26bK0uKRNsJMMOircCL77XRfPQeCnNnxocKNfw0W61vFQJ
aiDf4y3N5d3b7JCe2WszvlYdI6Rjl97Apvp69M2qsHdIrl+7hAguOhqYCacz
o7PQWDMAHArB5lKMM3mnrIEAhY+B5sY2weT2N8mw4Mhh3uhc/fXcpLA5Me2L
BzH7K5FdXDem56KEaz3qbz9wuEOM7uQ6Y9h9awlUsFmw6MXxuyuQPUPy6f2x
8sb+UPk6b67r+SXHppoDLRp/2t2P4I7hLkmL/JHG8wxC7Nw0Cgaw2O0EevMV
0S/Q68HDCYqdxW1Yvb3aXywLaIhzpvLVgfO6uB4gflytv3AWxor87Ll0uhK9
ajYqElv2oMLD9xwAX+Oe3j+r+mgKubT7iPCsdBndNs+8W9KKvNh1SqCJskwr
TPtdiXnBkbNaxSa04TzwFhR6dZecT13J+aCa1BcLyed8Nss3XabTIbsHwovV
7Vu3eMRJLlT0TEiezmD93sL6Was4HqFH+T3CJdV+NqgHxDE642qsCLtKVwzc
Wk4/XS5NtsQb97wzI8lLtbGGRL6K4vaA6AFkziuihu6UcyvZyDDT26XWOj+U
JUcIy/Dc/D0Jbywk3w1BZqBDj7x893glW2jSLdUu6ZbOl0fnP7ksKNlYLr7N
ZZJ13dGppR1HmA06xRTKk65yKL2CxICxkg63l/ZLTQiKWHFGK7IdmRZwugAr
R1DrtbSQp3sWnYnXL7cU0U+jghbulN9+LJ+XFBNAqwPZFy0NdOQt8jin7Kod
fcfZGBdJEB/d8PWg42LK3XXT8BVCTfJMMLJLxv4DeuAd8EkSAfxlXGBiIQlt
FArd8hLsnwVB+Y9w3b/8FRA+yrXWOOTcXzXFRdWxr7k0ndgJesVG/w0djPqw
OwW89B498Jo49fTTDu4Zl91jMHDzJDen6tVPP33/4vjzz/71s19+yS8Wnkwp
s3wKPatwXUqv8/ratvg3p/6olI5WwdXO4/LRcm29DKq/xuxKs7Yauj/ZO67n
O2inJsQJJXOZnphLH7EO44tLQNRVqewyoiXupAcz4aHRocufekzh/cUGr/D8
Nj/wOPuT1Z//rcn/+w+8E2bTP/97/uE1J14ZGDxHu8QzfeMvj0dyzLGqOCV3
aoH08FYeX9GhQNte8CCSvqDkJO37YwP3fUV7Ht/+8vmbFxUZQSb7xL9mRZfQ
cwoBMqoa44ynk4aINZGo9dclaeNz5nLZyJ+Id2Y+Z/gh2y4eIBa5kGDPqCnW
CnY2wYBWZq0czjCz7V0e2R/xq3/84x/Z4V5cQlCBZAbpZ/k/X1R7WvbdM61T
osnby/9MpgD/IyI66A7hd3QHqsLuSRM7MrzVnv+z+qbjGbRzy/8cYun/dx7+
8cnLk7+Qb0LP1P98wd0H1cP9am+yJ/9wMHSbAMQbVSUY69NUlZCUL7L9pwN7
c31T7Y33qkcP6Sx88ni7no+JWIdyxvYDHqPzefZGPt0bevLtI9pVbfXlN0f/
+fzTQwVt3dR/zQvFTkX0bYq8ffcOzEvE9COhUdBfgq4qXzG/09E3p18fVR9V
Jy+/evkm/zd9Sf7/bwdf0q7ON11d52Hc8MBnk/P4yeOnf3Ho6Gjocgu96O3y
Tthvs/X3Ef5s8ilNSl5j5fLTNjWswKPCqgZdk7oDIpK4oBCox7xxinPTFiA/
5lcLjCCCZe+w3y2abd5Bc+r9AOGK9X4hdX+d/XZat3npIGNFlrPeXBMusxXQ
FqeDLSY1KkcjPqq9H0MZtzosiwwzdKOM9D/9cSiRRm7qc3o7lTcrpIuexU9l
YdEGiIIfXo+PXh+/fAmGKCqErSX5SJgP/HABLBFBs7Ev7N+oyJ9tE/ub5L9o
7VAG6c4iHJWjtocK5me2RmZHIqkSeEs+XVdda+DzjgSE1UXvCKykOKVwqvH2
E3+qu+N9O9NX/vH4NZ+2Tz9/mk9b9cFCw4OSxlDSvO/XRYBqJZ53tr5xfTNQ
ggzJFTlKnFBpGxZZ73z9ZT1DeeU1qffuGI7XYb89NSBXsPq7HJkP+1D3+jL/
S7/MHZonTz99CoeGXC93NcItEvFCb4q/+k3ptJMaIu2tG2Iq4RH5Li/NfNtX
Kig7/Of7dtCXs0VNGZof3rwYP+3IvwNk7dyNs4iA/uPrV9/RB+bZjasoAFI+
683Qwe+d31+zZ/TlcUy64hAyTTYzAPBYXiek/PPn8LYy5F/htQVEOzeO+ZXq
HLKu+aZoipQ2SLOB3l7zB3odiYnZRNkQc87PDbsUr/KwxDFG6iYPzalFZoWl
GXSOCh8Z+9g8Yh8jXNnDDQ5ZnkOrrKpKlYkZVCXi/HDYyB96cj5sCTrv970Z
7OilyDPSKnqRH8dBuFcvBtYCrX8REzGmsWIg3M0I8TIuTfnp39ZXVJTYEr8x
3bCqbEtV1QmdfRdcCZnPamEY6/7qxWzeePOP/nmCvT2S/57wHqfnXRBXYkuq
0tRYSCuVTubypqcILDhRARJNa+JgLhJibGUKtvWGmbTLL7s3uoAUDnng25aJ
Ap8hIhCXW1J6wtTiP5E341pr+ZB/fsAikQWdbmVswXlSXZq74t17Lf1AAE2a
Kwjx9QaY6Gna2/WkPbf7Tx998gR2//t4bfz+3tUpnaisgczXy1DkveRo1kVx
keSujK7O4Vw490I7GYiFQkpAHU2nWTzw94wgEX7bAqNvp9F+50uDZXpCtztB
eQd7pPmRktlgRcgDekFcUNm24ea9XymGqVTCBQJZYZvYEkoTuGTHT40pI9pV
eoztrcVF3n+HuBd+fpFp+omm6JezMNQ8xoUZEROIqwt7y+rn3vk24XzAL7tu
izuEWwurew3Ax8HEPrL8tlCOnM8JdqIU/qjLcN4/RsthqGzpPBDtVKYClxhF
gaBtI75wbFzAuyKfOoUWDGECZBfx6ViH/GAxKv4GhSsl6NnQ+Kr2C254127A
oD6XFWKcztw6HG6rWI5yyLZto05xMd0PKaWYx//HinWq+g4fGlunTXfiOzSD
g69rGyXiRVgWJLyvnTfj6rS7t+MBt198kSyOL3MwdelSKO70anbe5pZ/70KL
2qDcIWy4ZGrpTX+5MGkVlnyz6a0OXxn8oJ7Zz9YC0PLuvpZUgWaDRLWAHhNH
ST5X0mRxQOEXzjYzTzQao74P7c+2HH4OQ/DzwFv+TL8ej8f2f3z1Loz6z6Hf
9HHPZ6U/60FXDdzpol6JK1veqe87f/BOmiCPt3nym29DxrHdCCFNvNXnv/1W
XFOON+k79Z2bqLNga4ln8BWrCSs37Yg5P8SGBjcaG2MUzVmt4nFJVi0VQbJn
weZGu3MC5ALCORtpu1acZGiXfzL5jKjV3HHU4q/WtYQ1tta2kuzXUAEKUUFp
prjqFASm7TvsbNrFz3X7CbVPLwgWPF7NKcRAX/OsqMPrYQBIdaTrXREh6YY7
m81lQpv6c2tT13hi/X/mOe184G9xoHbe5Ff4Uf6FAQxtfe8++sMd7fng8KZ+
D/U6zAr3elV8lmV7BJ/oHmfqs4PyjVNVQP/IE+D3NjtG9NEgbJj4mBQ0JpVj
AQXjyTru4Q4WrPLb52klqIUk6o0nWrOihYM3srbYfO/ilED6snyWZQYHTtD/
Xw9yNTBUuxxJnFBIMoyny82Ys/JSDwoe19AdP+i+9U6/vgO12AgnJUm24AtJ
ak9bC01mOTI0ICtxp1+LmqkIJfLikUoQfqRTA5gUZmvkd+DuwUZ9BJJwlMsE
bVTRBWg51x44XEw1tLG0MQpc/eB3uIa45+/0t4amZ78z01q2/nVul91Ri7KB
LvUOr8xud2/8Yyiyy+T8XtdK5/Cf6VrtE+Glqv/Zz2iumRj07mDXsT5omTpH
9LI8+qEba9NPFUhv8AvlI5w99FqADM+uaLkyQmM5n3YOYrFqyl4z9bwOoTOs
1e+8ATixBaggD8yYEIj1xTsCDZzokfg1IdfzSfnTM84aNdMv9gBp2vsFRy16
kMdUAhlzAVKrIOOPPx6+SMdfSmdE4sLauJ6H03s8C8vN85cEwOkJDsXlHhEI
OE79MBNzxg14t4/CX+bk3+R19+hjtQBUX8pjRypvnyhgaRzUkz5NdPOxcWQA
8+e9RaNqNd8CUbOuDa/iv+YYjWi201CVAk9AExFrEUqzOUPrjANzTLhDDEhA
TzqsduSYXq0DYScs2L1q5k4pF1RlQs4xUFchstqhS5hYZTF0AZWqiuSVVUcX
1N8wJ9ltJn0ZXB1vrpVmGXjRd61ieblNDG0xHOYdvQkMnzHkS9qV9k0+fS4K
Cr1KGBiYGKHw27OnjOKZbFT2lrnlCfeaLd59+40aeWt84xT52LB5m+USaWLO
QaPBZ1Ysbcmp0+/ypp8tHOqyA6Nkj5J4yKiOAnq681XNfUgjiX4nXd/3vFnk
BbkRysu8HIJ7NgVWgjKkf4LnA9bp46isdpJfakGVWNRVgmM64rrKcWd5j6Sw
N7LGgleUa60+mXysKnzEgFmWGLmagKood1kQlg0ariUnDXSbhdFYCsS7gS6U
i02WZVIQXis0Rzyo7jrmZbD98SOjZp1BzsjbPTVPGf0CZyYwDlsFpAjRrQy2
wGuYqhsDLnd7vSTxVVl6vBy/vQO40G4VxjE/+vTkNUggqK9ZgZ1UNVuvlxwb
LI12Zo17yD91UTzKqrKxTfkAMEucrLofd+/jTjm3zMvo+3Z1Xe3hKfBj6Yuh
XLZoNuMTOnbMOePVeemBdzruGQw0ZXS4oijn51ZJGXxTKHLry+TP/h9TVTuJ
9mYDAA==

-->

</rfc>
