From 5e5d8da70a398ddbbbcd1d84960bcffc83b45e25 Mon Sep 17 00:00:00 2001
From: "publish-envoy[bot]"
 <140627008+publish-envoy[bot]@users.noreply.github.com>
Date: Wed, 3 Sep 2025 01:25:33 +0000
Subject: [PATCH 01/10] [release/v1.34] repo: Release v1.34.6 (#40940)

Created by Envoy publish bot for @yanavlasov




**Summary of changes**:

* Security fixes:
- Fix for OAuth cookie issue
[CVE-2025-55162](https://github.com/envoyproxy/envoy/security/advisories/GHSA-95j4-hw7f-v2rh).
- Fix UAF in DNS resolution
[CVE-2025-54588](https://github.com/envoyproxy/envoy/security/advisories/GHSA-g9vw-6pvx-7gmw).

**Docker images**:
    https://hub.docker.com/r/envoyproxy/envoy/tags?page=1&name=v1.34.6
**Docs**:
    https://www.envoyproxy.io/docs/envoy/v1.34.6/
**Release notes**:

https://www.envoyproxy.io/docs/envoy/v1.34.6/version_history/v1.34/v1.34.6
**Full changelog**:
    https://github.com/envoyproxy/envoy/compare/v1.34.5...v1.34.6
---
 VERSION.txt                        |   2 +-
 changelogs/1.32.11.yaml            |   7 +++++++
 changelogs/1.33.8.yaml             |   7 +++++++
 changelogs/current.yaml            |  16 +---------------
 docs/inventories/v1.32/objects.inv | Bin 179103 -> 179132 bytes
 docs/inventories/v1.33/objects.inv | Bin 181750 -> 181790 bytes
 docs/inventories/v1.34/objects.inv | Bin 186689 -> 186737 bytes
 docs/versions.yaml                 |   6 +++---
 8 files changed, 19 insertions(+), 19 deletions(-)
 create mode 100644 changelogs/1.32.11.yaml
 create mode 100644 changelogs/1.33.8.yaml

diff --git a/VERSION.txt b/VERSION.txt
index 99742f6f2431d..6fef6c580852c 100644
--- a/VERSION.txt
+++ b/VERSION.txt
@@ -1 +1 @@
-1.34.6-dev
+1.34.6
diff --git a/changelogs/1.32.11.yaml b/changelogs/1.32.11.yaml
new file mode 100644
index 0000000000000..935f1c45a820e
--- /dev/null
+++ b/changelogs/1.32.11.yaml
@@ -0,0 +1,7 @@
+date: September 2, 2025
+
+bug_fixes:
+- area: oauth2
+  change: |
+    Fixed an issue where cookies prefixed with ``__Secure-`` or ``__Host-`` were not receiving a
+    Secure attribute (`CVE-2025-55162 <https://github.com/envoyproxy/envoy/security/advisories/GHSA-95j4-hw7f-v2rh>`_).
diff --git a/changelogs/1.33.8.yaml b/changelogs/1.33.8.yaml
new file mode 100644
index 0000000000000..ec53a9b62b5cd
--- /dev/null
+++ b/changelogs/1.33.8.yaml
@@ -0,0 +1,7 @@
+date: September 2, 2025
+
+bug_fixes:
+- area: oauth2
+  change: |
+    Fixed an issue where cookies prefixed with ``__Secure-`` or ``__Host-`` were not receiving a
+    Secure attribute.
diff --git a/changelogs/current.yaml b/changelogs/current.yaml
index a7bce22d88548..58aba7edbc15c 100644
--- a/changelogs/current.yaml
+++ b/changelogs/current.yaml
@@ -1,13 +1,6 @@
-date: Pending
-
-behavior_changes:
-# *Changes that are expected to cause an incompatibility if applicable; deployment changes are likely required*
-
-minor_behavior_changes:
-# *Changes that may cause incompatibilities for some users, but should not for most*
+date: September 2, 2025
 
 bug_fixes:
-# *Changes expected to improve the state of the world and are unlikely to have negative effects*
 - area: oauth2
   change: |
     Fixed an issue where cookies prefixed with ``__Secure-`` or ``__Host-`` were not receiving a
@@ -16,10 +9,3 @@ bug_fixes:
   change: |
     Fixed an UAF in DNS cache that can occur when the Host header is modified between the Dynamic Forwarding and Router
     filters.
-
-removed_config_or_runtime:
-# *Normally occurs at the end of the* :ref:`deprecation period <deprecated>`
-
-new_features:
-
-deprecated:
diff --git a/docs/inventories/v1.32/objects.inv b/docs/inventories/v1.32/objects.inv
index 767ecc6c090aa0bd8f36d5307f44c26bd4c5c17a..1f2821c4608ff8a1cfbee922545b1f7e9c8e7986 100644
GIT binary patch
delta 4900
zcmYLKc|6qH`!|z`jIA0omlAFfu1VIIt_;#<H<rR!;?5oWPS(#zvXrF=8OtbZ82i4H
zE!!kx8)K&!TOrwhrThAQ|2ePoI<NDb_j8{2`~5s=+iZ2)Y%w=MQbFn=>Y#FUa8wT9
zkaX@^)K&lO!X_!jrh%R*nS{7*b7M2tWaL^+vMEAK^^A46&5v~K!QK>c?M`s}GkUj)
zh~Ms_P>>Lspi>Hi!ZaK+TkmxId0y~*<tt9Lv+*yOE`H@aiDMPhxD&L#l>J5~?76xP
zVLh;BNT8(8#VtPeM8{rpj$UO!$)0x<Fc6B}uF>z7Zyb&cvZiKwe@{Iv*T3dzEvWmY
z-s!xiPWzO@`ZC>3F!092lXc?gWAFn$o6~a#>&bt96r8)imes2G#QHQRca#Y%^u?)X
zcbHzdJe#>H`wy?!RehY^`I9&ap%X1GE|$6c(*K@T6m+wr^WTC?ykWXIT@X6xr(Fny
z3A^0$r8^e>-RoF`rBp4{EZ!`Iu5!!67&WGT7Q61%;n)4>j@xTy-)=0MEEdGCn4%`j
z&5G)C(l};yTcz2rvX}RphYp;TQaCF!VMsp;M5Z*ayMGmtd3Snu4UfATpLw5f{~?5r
z1r<L<m`dcqpMPBx#>{=H6dZXG1AhU4|I9Qdxjt%llb*8KXOm^`f1u5oocwncFAG8<
zlj)wyh0*818u9wzOdBry<i*33;7zOHc?y1XA)!^uMS{;vUs!Lw(xdAn_tQyS$MmKd
zyEd+FVX|>QSG!o^J-GFoU;EYZ;`1!$J63sHr=Db9Lf;)xvi>8vBn~FJIG|(=1b*Z@
z0g81^3vHz&|1;OrS<TgIg>RN-vxL!w4Evbw!F9owRWL(4X4=8^ghsB~EBZ!1$-48C
ztol^X-kjU4t(L9&?7Hl=9g)F{U4JBN`5F5I&tx|^xmlcs@67$U#rgDRBMq()k5zlx
z9F?g+Qt;*Ay>(ea1f<zgAk+#_;{M5Kx^w$h`&H@q7odw5hhnVE`oL~XbI_rfoqt@|
znN?K+61gsF!1cfn>qOE-!@kF7RY&GR`HY)wP#>4iC_LfttnkM9Do3O$^g6Af5@~<d
zl8PxFsE-cmY9qRMzuCd6Si4sh2+ZdS#ua?NEKyt5bdg)$ASqyPX?zrbHKS;Gy6&~N
z5wb(CbuK3rxU-&HS}q)s&o01K^o;7%3oR!d>~64RXE;l8^sKaCDL=$vpTcn#Awmv0
zpK4>`MMEkkGkcNDSjv68VhX;3BIF=iw&}&>*}W9X7iCF)!r+&QZ66|B_KV;yvgv<N
zJpZmZwZgga%!5XG=MF%mA<`M~rC@&P?GP#T1&T=y8MkQw70oovk$lBzRof*^wgn-}
z*tXgzLU`o|EeNDwL>B2*5Z{;}k`$FyWYlajCWa&dM#T+Gs3+xgjUJzL$P)@|Sk$bQ
z_yz*|2pbkRt8L;(3Pxr%X@jm0h#*NXvPj`zErrH1!u=%RVHTT=aO5ZOJ6pCSG0Jmy
zU1(>v7>;~(L)gd;6jXNaJI{bn3B${zPXbAb%c{CH%{L&26nvdUG72*3yMZL7WF=}_
zp$2Xv1>gLBR;`?nl=SOW>`Xp9#t<{7DfF*~#1MGbE+YA_x#VpVC~JY3Q@RUu!UHLo
z2^dv3#G~G8)leT!7$HfyS&6r-_y#PHg5=)_cqFOhH-altu<|zoqnxn%A3`&n+wvHp
zj@J|&uI1_;LM$aafC|d*ZM6*v*^R9fh?Q4n^-L_~ky|xO-xH9ehOAB_A)2tZ1Bh2%
z-HQzv{TlB8Qj%}ef;qMLmO`G4!sHBd#Qq(C$C&47TKMrl#L?q5M~fh`Bd{US`=w3M
zNWu23CL@sPL?V*(A*)Jz8a0%T6ztE+30Kup$g3b|6Mua^Q;7z?=fK0zC{`P(qs1s1
zR}d}{XZS+w;UlGxvQgNGxMlZl8RRA~2BV4@bnsR{2FGABdWol2#^Ds}y!#e0{4H=g
zyzS9(N>ovU)}%5B?B`{1gYKGgNXGB5(F%wx?RVHDoZA^QqS=gtJ|72vbKqHKl&VdY
z&>~J9r}UT)Vu$aqAXpMxP!I+@u@VwTgDL1WodOs$@E8}&ph0?8a*8P#<;byks{BOL
zsx))@DE#WfJoIEZzp7V4nSx;j;Uckx4`L7REQRDBf1nnfjhy;;EGwfTq~*}>63kZ+
z?2k(zEIbbW?s%-KK{x1+Dlt46?XEwFoEkJrZ!o;hyh3J)Edd-s-STa6Y{L>1XXv9!
zu_D8!cpf)sVwKoCOimQW16oxrhI@1Mto|6%l95Hq1#8`ntRyrNALH0$O$EQhU0m`k
zCtLWz+iAtmlTDjGXz4|&$|aLcDW7^(%Bz!1ho+D@s|!s_9vsLmc##jrGS3B>y8~bM
z!{}zC`Na+a_|-rR<z|pb2Af$ENLvL1Ng8l-0sW;A(hGB_KqIb9oyu;i2KV^{RS^`E
zXW(p=_en5>OE_jqAC!=9W7fn%)(^P&C~S=0*&NmaVV{N#it4K6wL(&+&l?j9s)ZeA
z9`m_I<!O%;J$6+oRbZ*$8!72?1&u1SQH$a$V*u!v4ly#ODr);Bl(kFD>5a?T34<#n
z(d??+7A-_oHzZ>orhsYUwU<Fq5;22j=?fW?W@ra(6)41{sNEezRa8gv*ma>O5RZ9r
zDk45KhaQQ_=rBWDYP&|Z$kmOS>Du-MmGcr!jl8bl6+bsE#r1-ZstG@mRZT-2d@cet
z1h$kJR0spEFaVkRa;yn^Ed(X=SP~hxv1pREiVP&F80QJfM5*`k*!9&6K`t?1<+?eL
ze=QIcGNwo0Dn26`i%ub{2Ke~0j?rV(QB;V{(s2(m9fE8voxe{kuEq+QBV@_$4xU4}
zpl4Wgi*|Z}YDET+f<<?0tE7NE^9!-)L2bRWAxSYOy+NMWAzD264=6gsW)&uf$>Fv4
zK~QRs3y{2xMgP#2f`&YZ5qSiH{0%|!;P2K<Lu6OQ2NBhwBzj~>+$0vgto=(0`CqZ<
zEp5F5)$-&M=IBFhsgxFv3?6edi;l`!NK#BH@Cc;x_c0W4783Urb`4X-yY><h(}@{3
zn_j5Hnxp^HafODM#x(eV<m%YA=GTSr-ZYWf=ZKg#jP6@Bhw}>rr2}L3Q&wxQ5ZoUy
zX4x+M&PfQ}9?ba7X^{*+b2Lilm#RwSeL);b>b)?#_MJt@`%RdPaiXGaK7fen&eOG!
z6nO0A-S%?G2Soq-mmAhE_<}%6ZRKpkFLAygVI_zs+h8%-7j#!iT?=N{GRlCIZNX#=
z6U7!w5!|B~ie?Z_gMAxp=l83}`iF0rqjd^j2B-vtjni2)eHoA^TfZm5GKA;*e{57D
z%EsIsfM0a1nd^G=7Z<cwXuy7eSN$Ri(vf0qh@$CZkK}eC)@P3`lCNOVl&GVJ2}yDj
z4*-SUXzPLDZhhE-<nO{{jY*2RG{pKchN2n-*I?cUF9bxGiO;!(zqBB825>At*gP?^
z+8*yy*+4jHF~9TYK6i0#O4_$s02=mH?44fDQ@I7`yKjp5@}}+@8k>-no%0V;iqq?N
z!Kwjl4m{*}%{_2LK*S;}>mq#*JP^Q^BuaTw_7#f%A%=g4{v;e22$E7(?}NEjydRMy
zEoFCBtM>VXHWKR6epz;^;1G-gB22}{-GV+_pt}km2Z#Zz;|ET`uD}-b&aPOF9tjs-
zZ=p-;PcJ|9(<)yiEx%<~88wdyM*yHo<)3q6^y>fsqA4GbiAoUn`VnT_U^)xRcY@V}
znbh<e+&5wb0xN+<?Z~?B6+Q&?FjIty=-^|!%Yu~K1l4%9k~uzh)=jYP>%eOS?$SLh
z=jbIg={i#z@QZB66U=)M7fZ+Xh4{5gf+MN~wY*q)jU*_m2M=k)NX4{)PC%!DA{elr
zeT{%7Z7@N!VJ<Bdm$<*Eqkqv+qQ%Bsb5?gyGaY9@0|x~{VA94hio=~~QZT4Z0)|tm
zkmvqli&oKqn7r)eoEu9)Tl*fI0>59q<p8|14>F^%<8KyzL=#5nHl5`HG4_p29E+ap
ztb(<*_{1AvH=ZMVw9bJ5lh^QU_){h~M+kboN47r(37%Wp944evm6?{w7W!nM`ooUg
zo9xeA+_is6W|UcwYXTqJX1#v;=|^|zG;&X6#NB;n<Zu3aj`tG|4eUN;$Ttr{<A9ym
zQQ8Nss!hn7-L8G?&h#!KXW;S%O}>$1!9wssYR}r({*^=^NZ3;v7+BDGyn|5SxxA6>
zcqp5wJnQHkyHhF;z<bg*R!h6~eTd3j3zCl{sWyjidM%hY66)UKrGe1}Nwpm$<6_di
z38%egt;s98Tv|Bigp=pY_?E#|K$p#-mu*pVX7iOI4$Xx%^VD@l=~O~S><%rn`DDV$
z+No=I|F<{a?%H1&ung7+#=0DR`TxkO1AA$pR(51+z!G|B{_1~sKDz&RJ~g62#B^bc
zK-Ffo!5E7H9b6-aH%EefEr4A*NAB7e8GmX_PLa-yE$`ZwA6LPozLxY)hhRm0&Ma$O
z?(gxgp~zl|LveV$jQw}P)bz_Y_`MW}X=9hn230~92hHpYrjO0N-Z|u{NeR(MG{f=V
zdi?v@4!TrxyUDhr*;Jo{qS49jrJ`5Xp2qxn^qOz6!#ZvKtGN0}fbO{F{Pgs!0RO`u
zjaA_dBD?j#526lr_U(Q(4H)ZM_@~l$j69!<DwNOL_>k?H*zM{`{;T1EW2&)dYHy@;
zgCvPFj7F&93cKC3w&ng&nfUpQK+Wejz*fJNl{c-!-81f!k0&`E9%4NS8&u-;4o^=M
zpmn_ETA4jMoNc56yZ*ZipIV<e=;*JcZcDno^CGUSnqTPq99%F-!g$`;$)pz?dY9%N
zR*g>%yIv~|-W$7MKC>d`)H-uR;^&h3b+1*UOi6t$DJ&;C?C|T?*}Ze;JcR%*;~F{@
zGgffn+=Nx*b;E8(08us9mo=)e&T>V~Ot!r~scC+&NO=<Ax3Or9W`r)~4v0I0({utX
zNe%K?v)gTZyD4h}J|QbyhNVi>%oXpCz>L6lhfdyX*4X>C=)H{w^0o)rh=>Oe2L%ER
z%D4Jyo;=rTH|+8c7uBQox~pH(4<)?!x}DVOrkq)PFpqr0Y1y;8i&fpD!-tz^%KL9_
z$>{C%OahHNb&Axy*5aC6<8bQyevz_MzvSeFF<bO7S~#EaN6!3?#$H;ZZ~m5-`=Hct
zSS9lx{F)7bfBtp{&alAi^K6fQ%SRAi!M=*%`|Q9!zICa}7u7pG+5U7Y=(&&wzrjk9
z4tvV3_%d?cGnG4Uf`2<<wq`&taL{xhPlE5x1z?+Dcp%jYI{0F{o|kV2+PciGh-EdT
z#Bf#jcF=kctIXw^djSTYG0|5~X*v4y)wDm{3WB?$w~{S5sl6C?v@Sobx7e56Sc-R~
zxN%ZhiK?+s+aJ2igExJCST{zuFxocUOjw&d*dNXj@YP==9(=N^on>npAwT7!7Mq6v
zZx>z(xQG|*I20%kb0%zrt2OXW_15nQMg`iX85Yw{+&(vh>eN}wRonvHm?f)P_bX@<
zj(J*}g{fQgy)=V~;=qKzqE4psGlmyHc19gb4ZE89<aDJ>AHtjDzK-2biLI6nja%i>
zn!z}4vgAmvYD~5FrA_U9H(SY=vS=0{R{n@S$THB;y_^3z@SG1eInIIU6?M1YcgO5#
z=lk>Qg%qcx82OsR@m0>4rQ0*88%`_%+Xu?dfw@QFMq8kPqVu;oN|gNVwa+}ol*U((
zqdxl*3zbFR?XEM%Q?>Ay`LgW-Y@>pbl%uFSCZJ0Z9XHo*6sB@U%N<SMHw2ymf+Bp@
zt4r3M{mTAft3bd}zzLcs%f-p5n}~Y&EJ=h>xOT(e!Qz?x!FpVRnGx|50yKl0^4{Lw
z(l+kLpFJp2D%jq7wl_d-+p;Q-9yN$A?3Z|;du=ltd+<`3%3_=6<rK8+R<rMFB2Wn!
zSTu(h-o3F2$klq)zdjsu*0~G_V3mgDuuHLTcj?!upEtH_ziVu7XD!JSCH(_J-%DMJ
zvJeg&?zqW)c1J3(d{*j%TEO8}NC=1G%#{x1?`ca~brD0+w3@^(9yvq3pF72NH;Yiw
ze$%-=rx*bXZsS@8gULGvX~eq@4JG7-OSYYZ$s^aCr`EWrS4^nRGe=hd!@c+GUbmE&
z88d;o{izdjY9bM}=jELnp4>MxPRl@MK2T@KO#7}quL-@}w59k3gE<<05h^j8vB%<%
zuNODYTd=BDzA)6f>hUAO@lnqo*Lba!XG5pEoP55eZbGl8H9DMrP7D%IK3x8{cDcbV
my@|Oo61aA@`ub{G7Chn^f@|m1lt@VQ;m6xY0_7+s*#7~7kgo>-

delta 4870
zcmX|Cc|26__h)KaW(w6riO_;6LuDN$Q<Qxj!VK9;vNIv;9ST{JmXCdyY%>}A&e)Pr
z$U63Y-<K>CWB5tm*YBVEdhT<d=e*B7=lwqKaylfD4vA1?z2WyD-~nsl15h{_Fpj+-
zoh4OH&#t~@WR|j2CmHvt@uGpTb3D8yWoJ>d?aGy#k;;Kw%`?M5$(sEa=M@Vp@yOtg
zX{1Kd1s2x3&AKAmB85?G2;NX9ywkvASqTlphoG?9+vlSNQbYv6HI&4VU;MW?-?P>*
zW--7|*>69LG}(BTk0w7HEdIGP3?Nnc+<0A6Bkg@V-}+h7Qr$NaPD!@BE4#@dyiUGw
zp@VR<=R&z>G0&UjcijRzRz*Zq<PoF89`bic$`Z$rU0yRzY@>#+54}zn{QmiA&85?*
zD+4Jq5*kJiAz`0lU_pWB)f(_O;&}{hP*Wn8jw)(4QxzKhAHeX!<y#TkO|!uH+{2nG
zE!0H<snnzx$~|o?O|W*W;jIa@Friy7s{sh<)hF51#a)8hP>{*>3R+%8@|sB_xIfg>
z?pz#qq&eQ4eACNb)xFkCtLcxP>mH-<#gT9H@AFOMhci{lF<%WMEm$pr&s*Eg82TUb
zx3nVW{>!rIghY|Lks<(j^C`ivZt8sF5B$ef@z&Nm&yYwbm){dscE&lMK*C@TD{(1N
zBh}-dKFDP{r!m~w+Jj6;3dv9764~mjbFH0J{!{$AJoDis|B0%W@aEada|=x`TdDvC
znqXn{1{^r4RM$F?%X5^cK0NHRbB*q4;+2JlbKE46t6<f#7f+f1EsQ0<*{!9QG7`;3
z581-vZ=Yk+fJW-DB+qDmaXF%$hd<5oEt9N!xo2s(bjPR1^+O(}XiLTB1ke0NhV4T+
zg>&2&A}#P1J*T9l(r#PkNH3ySnU~v}gjT|LPwZ3Uc3x0jc&ZFh#`6h#<{8e9EP|sC
zH(Mp1o`>IPfB*hw7!daKNp-`U_i_b|MkqGC_t%Dm#P~WCKde*0&DtpM&1sHt!f(ZU
z1?=3-i|Qt=GSXK&f~|zo1nkK9K9AcOUw+qqcVviE4_xd8zYR#+{|4P}-TnUhn7VuE
z`h7!V@%`CUVs5*gY@1!GLXY<I%_Z8|Ot`;m5j}7!P>D+d=!(%2ip|6wyD+z~oGiul
z(W<Da*RqYnt=X5U<Bx7HHtlISIVx)H%@s1Mn7>@ZA=NoMIHdaNe!pYMl%T(;wMap{
zrUZ6|LkfoRJcJs|-%bm>9DRLso2M~FNzyDk;nLv&8ZOJG^k*uG(38F1p6%0<8|*mV
z4{m>6ib;|L$kV}WC=KY<#WqmVv$J!Q1cjcg{4iDwsw?BZj|uKrpL=AE40I+APSzm?
zZpuQB5#Sm6IgwIwP~{l?jO?du=Js?>T#*&4hWK|$NcYOF6|1xO_d-aw=nYvYIUb&a
zt`2{32iib@TPLB;{Mr^FdZk5wsZm#9FTk_J`U6%FiSedZkg9b^%=ISk;OiLFe8vZ#
zT-=+5vU`nN31Gz*ShujT0yh!d*#hglrrn7A41UrI>wv2(VUob>tuP54;_>OXoE#6)
zO?u{OYU=GE$n%hR_=H_B7K6H`@g5ftzgF~|wOQgj0_O0QK?3WwUF(i|5LBWfjcvLO
zq<|;dU>(Bh3Yb*zi}nKqk2LV%jst{P68KZcKZGRC2<?9e3!Na0&0mBtx<2$xI@}@4
z3D;$Y;E#LsrP4uGQG?nRtD7wO^dUuz$R^%=TC5Ns5qk+6U>6mg4u;WSz3?aXR0=qS
z29wq)IS$z7bG90yJM})N#Sddp4>E80oOgW_<LY&5lFS)_MjIxZHG^ym@maATEZEND
zT_L_Yc1$*4-Y~xq-yWMJ2$38$?go9Z4T-td^r^^nKcD@kq_df?IVeq?=mO2zgxJEe
zj7ADLBaF~y6g<MVl(Q9!)+1^2PFHYpJVpaeispg^$FV3(riG8a>oM#LFPP;)N_xrK
zC+CYfIrdLev=O%DoZ2S;?p1R}n4%A^oyDSpG|a`pafp>CP~lAd9I-++zeWc!!Gn|_
zHZbz%#coiaEo2^+fgSnA$zhHjQDha$5Wu3|YUrQ?VqJa#cBQIWk}0H8HWq3>$Lk$T
zH98aIgLXaEJJ>#UxC=C81F?l=7!eCNoeq9r5%i-FKNt(T4PG!@EW|JWD}iDU=!o4x
z3G^(XGP!W;G?ch*B*N@R8nG1Atm0FIpTz`hXU%gIQ2Era<$wpe|B@;n6@mcFzNJ+^
zV#PlCh#09)BWr$^)r?1&HKj!d*QhK1SA<uH^G}0FT%GI#J+g<y!dvb99I(}4nf^Y~
zZpQ}rEYCkJ!e5U|;tsHp2`(ba#l5oeku1(Iz-p75{b)<vm_o!z&wl(-jBX{uY%q<e
z=_jjOj~E$EBL;&sl<yVeftUk;)c*!SSq_jmc#oZ5Ew*|{!w(0JU&A=ECQARMZ7ymZ
zVfH7jIu#^pv{8&t#inj2EO8WiMZ9WrhrXm9Xp_?u8e5Lc>cZmGWGlgwLp%nHIp&4K
z{*{hwc9J<yHAX-Xrx1!cV)+PHgg@Gt<izU;<!S|9qX!g61<U1)Q9PQ?=zuuU8zE3~
zE!-&$FWz-il%I=4F1_EZGGBssi1+7&6qw0PfIu!Gm}{LMBtJrxYxUE!PqFJzkGd*T
zOYo24$G8J*Uk;ZLt>X{b%1ISx_#3y%{qm!U#(^KXu<{}UiXgqe6I@vDA-}sqx)C>`
zpnz~A+$jlvrt7IF|4kD4%Y6+MYAL=e-hY2CSo%zZl5ioh*E{1SiBNJ2+~%`3^jEMb
zzXB;bwMIlmtqk949I&mr#!=wKA1XnB3jcy<>68SzCqh+QkU3qJI4UYgbmrc4k4<(n
zNTCeRO}M|WLzQP`coBlXEO^c^v<$%CCHz&9K*b#BzAGg5TI(mtOsH@d+$K$1ysJW#
z-{hbG$O}|_Ai;tYlF!dv09m*}FxOf?NEAUEX!_)A1NM8=qfq#K8Qy{LmkNgLR6L%L
zgbA=gic|3)2o|ydv&sfkd<wx|5F#P4xCrWVJ3ykBLV-5}aECM}@u3w_q8q8Cw5Hi(
znu=c_jB!GW`4KCi8n?4^*ZUP(mvS}gCPax&B;rFq?x96depgb-KCOl}MTs7y63tQB
zp*>N4Us6eMjfV2&ay%sAFKwUlu7X@%hQz`<!}9B(Gh=Y8tQ)xY%VI=tgU^-ga)%ca
zLV&9#E1=Ua|4xa~#T5`{e|0wNs?RDY=_O<iMz%cp8#K2cLAdiZ?kBWi0&bOl1Koa0
zj2J~C#(<h5UrvKxufdQ84O^$rRNy5ZUuE?D;VAWDi!S&9wVpWW2E7p)GWox5AjM{4
z|8)aeLG(?q#J&aWqu$Jd!`5L~1+1>V*a(?)ppnO7W|^eF8ZjhP;Oi5T(jbzPhv^_I
zuaFpcQ<&Zmv}6fxorS{b`iq%Wk%$2xM5Og9*!vHxRIg$3v`(dQ^Cou>uK#Gx;48#h
zofj*z;^*4Nx_|{;M*e9gS1S#DFx_&wU_cMfFtd0n@=-rjb`hD^XQ|M?1eTz~dafBa
zZY_gr=?6Z*y$aU*bKnEB4O|i9=vF<yG_{N^P?`5Xr%^IR5w#AS#>$5^_3nYwP&dI>
z7_ef!l1UJw5-)5DW~A?MlrRR5ShjL$PouSyQO&1Gl>kvaQNfmXUn*9n)!ACknf`@p
zwG2?5Psjo+Z(M%|#O50kCp_>vY7J_*1$Rhy>HwGdvTDhLf5DvUAUohDCQQ<RjHIk{
zIc=dk?|<g}G+|o3q$QvRHgf3$SQV;%uJbYltmsr8-9fRD1yaewQSQf6V%DqE)tGn9
zh-HAz#lb*7*>?uV9WHI=-?=d8FUfLvVh<*xQ+=Fz4PWiT0+ZAy!>OA1Y7i?-5=}l|
z=z_2QzzVx%5P>X?#8+Pe!Sc1E!KG#R>O2svK#zE}bO>+Eb*wdd=rk*<1zkj<&<Ss>
zvB%wpV;+4oi1QtQu(;@N+A3@H@c}3|_PiU{fYLI$B=OlWI|~&%_WGk~mXxpmvow#u
zg7rpyN;a!pt}jc^;Qf>r43~{@Tg8?LK7Kc8d1c2+<F{LfJJiKbK5LJ9_APYjRnGKO
zUuG|ls=XnBsb|xXBK5Tsnz8Y*xBsU`$vQae&yO9Gt<i0+o}WT%{ZdsYr%ZtnWJ1$&
z-;QWB;75LO3uvFx^55dJJ}I<Dvfq`6mLCtmecZ~I0yvuz*S2$i?0Ce<vrmb=l<a)6
zo78N2crB`2(E1k8J0+&Dg`gacRUKMld^H&s&Dm48awHwO5YN2;de-n{*Ucv9>zA*h
zf4=TL*<D&ZUL_CpZ9>LW5x4<6Cz~9oFQ>%cmxJ|1>BOdC&683xl0D#ePMTBy3*#@8
zBe+(KesxmwWYGv8SIqyPq4Ns;Z$G?(D)Zj}*kCGhKCicvKJl^F@mu5bMps_UoLbtC
z9l`RunZ{8ODWYA1YyB(jAAUD^PeTAob-)Lquc@OGF<Y3kUG~sa%~zqNKg8F*!$k@>
zRS94N(~r-l`gII1AU?^mi$)8!G#L<cMht~rPZ<ZOC&XmSng{1-&*fpI7uM#=eR~#`
zpSt$^%q^pY(;Q5;e#~pE=2MN9-QD{cai72cQ3^V@E9Q`t9qhYoy1Rti_#+GeOPh)A
zc^<u)2}QOZ>Axt=bLGFE^G>-K6Xru4AH_}U6Q1Fc3znheLt|3>ONYizt$0-+wx8uA
zwsZSAnUvwcfI)k{7MhOcG_4eafff0nwTo{qomRLhUzn}L*WbOztOqC?TkC_<L0r8F
zDSdLwrW1OLQvHJ!cj8-)VgUd}n)CjxM#VCht<X&8(yHun2dfM8Lb>wVe)K@#cOS$3
zhuk<lD9YL^WJvmy4&N!}cn67HT59h8?!~MZR0_2KD<@U{&DT9WvYR0lpu54rW9sp>
zFQ~*i%!}sN_{AJ3z1>i`%hSzHL#OHw9lo2mU5)awFDnTTp>F^}!>MbKe!g@oAYHA0
zIcYBx=;M>m4v(`r1IR43Fv^BHN-_3HOq2EE%B|gVa*o~l11F|whRlvo9(ok+DwS!p
zv>7!R`10GZ)bFyD_0z?1<DR&I$pu@$Gq?|-Q*qU%c!x<9i$lxZ=Ap!SMjD#@VrPtR
z?)+YAbvwkl1fXlm9xw{-0MGZ<4BizEIfTnjaj!<QWWM@AfA?<VrJWVc#{KTEbs-*J
zd|-YcluYjtdxp#ir;s{$cJ1wsU2Hgazxy673u!UaX<+W?m%aAdaKmZ9G<;rFX-mgZ
zB|FcW-(w)#V8cA(&~{tLh=CCeG<TV!*W{RfYXo~~GcdYn1sG??j!ad#zNKi$eYv<<
zkBiolDDC<>QSbRnENE`(3sQg_zPMy47f6XdvCt#GkeDzBUt>loFxd(y-n)5ygQkz@
z`s-1ALwmow$&Q}7vvJH08|pZux+g2}9W6H@AbE<w=X5O-S=3cu_-)dAEW(ldrH><9
zZClGC@aQa6&Z$5k>($PV-yC{RNNL6Yb`#*%Pqi-$-lgSN?ycniyxo=P^1Y3}z>?Wj
zj@p<r95gUh{wY~Nk`UAW)UjpA_ZE4gZqv(@@l(Ru&B^CG5pr+p?)z4u)%nzld+n7M
z)%$kb(TU1@V)OY44EqUJ7u`Hoy+`x%^RqZ6Fx`JWA=bU@`Tf3`?UF$PKP|h~)q6l{
zdp8Ie+QICd$(%crVlErb{lsg#%lOKPC@X}$32)2BT~j{c^zHTefyWxwT-+oZpXa~)
zV&%hWTNu_WA@z#ORT&9v?<Ds|4fTOgenD=_r8!)Kn7nV;62MqdIMnYdba~iZiK~JO
zuuK-5cU+eDwHXeTV&?o%6QwlIQdpcjRu~M1XDdyvPf^}MYu<-BRat;@_Q5PzO3}vW
zud8u(N-{kRswTBIRQl2vvHa9{Q6RpnevywR?KEcl;T_Yoxi!nZV|bf6JCRJ8E=yDM
zan=JoN!y;4l}*00yF+?|4r~7{F9Q)WfwilY+GR%cF^fy`b=hurlsw4URh4-;0!jmu
zf9iK}6`=-g+s;_7GXyqT88SRRsfC@gCIiuG#u~nhX>^v>(ZNlkeV)taZq=2=hNcLh
zapuF`_$qlls<l4wW{;}37&tl}<~z{+ory7(t8k1}hq)u|hP;pGmSo*^R>7)@hjtm%
zY|Mm}MF~}JNY0?qd&TdAL@Y@RE^lkO>jspmr={{2yS_QedVjln$0{r?EH`m=JSR6U
zq5Q3{`Se=1hW~!KI!LBFc2R@Uny}~*`SD>5rKNBN=}Yj~*aP3oB`TxI!0)y__P))M
G#s34?d8o|*

diff --git a/docs/inventories/v1.33/objects.inv b/docs/inventories/v1.33/objects.inv
index da58252da22e324f5fc821e06c53f32d70537424..216ece34b1cc94cbdd976d90a11c4ed5e6149a25 100644
GIT binary patch
delta 4566
zcmX|Cc{tQ<8*P5gFlH=+VS1@((@^%TS;o?8n@EEUqU=fbC4OU=ywqz+Nwyh<u~U|@
zn|O<4t1Q_`$WCMI%U6BZ_x*RS=eh55J@>h<bDp(F$n?j^I6a7Jm_9`xQmzkZl!1Sr
zU>p-rb1>q4s1FVbt0oflbRC*a591HlJ&fp0e;2?E@ZjMxQcR48oOtv&_15>ZCpa$}
z7aYqVz6B5m(8%7nRfR(b!|<l(SzTTqk5`cX_MfbK_@g5z;Z+5n=nY-^9fRTsc{yQ?
zCryfm?K98hIDk8<lZxC;Z@7`%AC1Uh*VB<L-a|1-(2O)E$k7AoFQ6H>-U}#*-|jvM
zm-ZHpKX}|$f$Q_53*1nBoy8U1!6%fb2PFH4iQ7-@XSWy0-)^t5qMj(KMNq5;BMUF7
zb1Gsw1~{Wko3fG76vtmzl!qmF=k2q%hvr<LRdim;yl9I-pJ|^KJavZWR>tQYkX@R8
zD?7EIwC;7PNFxznP?}`&v_LU}qP`s|myEn7Vd?0#!h1_^Z5(4{d}VZG!Jz%M4Az6<
zrFG5gOhgHO`o~Bm0dcoDhQ2mW#Gmy!PsLg~!;ut^OM<u~mLX<M{B5{HN69Hdx6<S4
zsV5BKqx6WyJNRrWrW?#Q+P4M`!MnXFY{xMBI&J}$h|fs{ZHSWe)2Hbed=w$WA#Fp_
zz0dNZmJM!(NQo&Qq0>T~xVQo!3;qaKbWX;Faai}5WPy1}Vqz2q??ZU)V6-k-u%Ik|
znk_?HF~0v#qf+fg4QclLyK+RIOk6moD~!%GhMYGQx553DP7Z?2f@&WEAcX<ZFC^O@
zqvJ97SURl=XjiigglGmvTVmVnqq=HI617*4<~N$e6IEQ)UI##)1w^}{i;hiBz<eeo
zbIfUpf=@B{C-fxaTk59vHn^LAh}Av?LdpYw^SVcI*OB%#E_4Wa)$1qO;NsJdV-Qti
zS+lTnvyz}kuBU-btqsn}W-{j46uq+kru1iE6=-FlzhDjZu6{;3e=@`8<D^fU%F>KY
z<kK2`GTrM)HkvRtqT5?{4M41+70r_R1zdt5M#0gkXTGOmYB2aJdL^Y%+F~;pk`?q!
zy*H2g(s9_mJ*PiezSOtCM!Wr-f&K!ldtUMlXx`!%)mBHU*Sz3|=wE4E2cp-}eP^sY
zuZ|;~$IQA7GaOS@>q#+nt%uL_o5-^~PMQJhK<gU17i&?9`)PxlO9yVk+ynU^K-j_2
zbLb+6J1el&Wyw53PP$+#2H!$YdePYCJo5nZELiA#Zxyvsco;YJeF^5XBw2K=(h&?3
zuO|s;!7316-w1310~_cb$?MHgQ^=f2Gs9vzP3c#%w18s!=Hzv=uWv-JJx14)IJ7P(
zA$m%_Z2)<{s->=fY@I~@_-=Ncjz4mmCQC~-k*{l9Ez7JYC2CRHh1~0Lw{3BJwy;>C
z6*_a!11+e#2_QDn-B`Sy!88(do-(tb+YJNqArPSu#Jo_6(<B?_!<KZ-#w!|o+Hz1H
z@Th%mp&syK9D`3jfW!w2sU}uYb^RD+s_bA$e=x!gU0_LzlogLK2`dCDkm#SV%oWKJ
zGiFRr8wT}}o@0{{WPHIEr$x1QL@1u{Wy7FsN#`P*x2cOQ&YlXAg%M@q<?FE9Kh1ww
zU_r#dFrNgQ1&d()ktghBJ?ZIx)e+eSzHR+cCwCFqvhYWp+$LFZriqRsEIGb)2Y9lB
zK1ZN!0)?Rv%Mc+A;a)1RzHM>wo-NLq`cj1AstOC$nF-;|WB0gQTnp7v3gs>E1N*wv
zcL87*{Z-1^Kx!R%dCd$@#~sO?lokJGqEiR3Gpid&1=_H7wDZNeT_k+h?5p+LDdgb;
z(9C^F&kPcBL=ea1CVfjpFs#P}#O?TSVGKmT$1M){<(>TQ*Dd?#^5D4ePkR{DE}eEU
zOk{uu*Tq4aaII4k{Va~_`U@mY<Q-8ia3awx4{%n9e0`$~0DBNLp~-5*0>`{Y`le2q
z3&@8+Vj<CULPgW<oKR~{tVgzIDa;QFXhG4c1g4rBUVO|DcMVCgic5q6HZXMAb=oO6
zd+{+F+%*Qm_v3&FToskm{hIUbugBmc%Op_CCux-z$3;d8a9~#!>7bjYvS@DuuB(!C
zFrTQ5Jj(;E<;Iqow<M~lp*&S+mB!=MunJBfloS2+j9sV5F}SKY{<kwSmB^&i0IXfe
zxg+@$yz(TzTQ@_vAcRc12V9UAa{cg^6kJsj-&WW-^h6j5c)+E6<|E}`3rAay-xYxF
z@MC`&0DP!ojPfxYV_L<wJBB?c)1rXp8^L#lzn+0_Na3CH<D^|G#mCBUI%$A!0W6%f
z4qRX(dJ?j^0S|8UIWyW{ZePU5I&s&$Daobpd4L!mbU8i;<}@ijHja}wpjbYc;suI$
z(LVV&M&@uhNiiI8Bv{c<r-l<L`H=%s%mGHbqVsMU9fl5xV)M*%5=(ti%igr#QTF+V
z4s$&0cSc^B<Aii_B9bM$9;<|-Ji};}RgLX|!ElHzJo+Yfh^+D$<rz(@%xaXrg5-iQ
zIEB>Lf|JO8v3C`eQNSMGZ>u$l>cLfY@z(jC()Wapjq&T;Piyq84U8axZqRpZL|=lR
z0H7uC-+|<gjh)r`J&<>zAYdbiF2yIoTy&3(VKQ`^WBARw7IQ5=U)E*nkiUsg+ydOV
zASPVVZbC(;+9jaY64)FwT1+_=wVX!#?YxdSU1k*dkMpFZptX|NU(REl$`%4VgwR#^
zmUjZ6C=$}l^-N<eHR-s2CnVtp8aRqZ_hGG@Qq17hrk-|%&5otaV%@GBvO|8IvccK2
z(7H3Kl|5sAQTY^78th$fSK?|FO0JSdGY(V#ys69lN&c;wr7Sl@kUKhAviq@jGpghr
zEvc%p?MeeT<P|r<3fo2Y=|Yus&}dm8ApJbR6`tgR|6Zs&B6Gh#?ya!i!Pv+05+%b4
z(k?aJ5GUj_m9>hb<9?kivqTJFgF*LTuQw&z!K-aOEeaWqdfWDJ5qr<u<;@Q(T2ad_
zH0F(Qs}2o4rc$`QI%Veac^-%u4`Nm*=QNKpG*t=foQ*3zl_(0>h@#a9E#RhrATMN{
zC)yhOoy?d-El>PeB<7GWT-66ZRtSv9lq{k=`|)obsQ*ZMu7BitAF9Xn4=0PjToVs@
z!PW13Iu|xMHU;^>le~ZJ*KR?ej~7zI8$FMHGZCTz<<`I!5h~OD*H9&^w8|Ha?ZN>e
z@T3R$F>A<l!FD7GT;RMQjdp#z6$U>PhVM4bNPMdIH%SRj8Io#|p8o5&-BN}^Gl!U2
z+v0Pz%%w=uIOjVhMBlQpI9XWyu*KZ#{^coga*_C9tA#SlZ<ynDXx-O^<ciwxze&FE
zcfN=|>18y(oL~mi1`^zRN1tgE@zN2Y<PdTR%6$pzT7>roTch-u<Op41#GA3&D^SBL
zSjSvBgU^Nf%<KrVhtQA2RayQLk!u+arSX!^AXhj`oL^2X<9B%UKGSE$M7*@3xLQ&L
zAmIYhv*^56sRq!q2G~qOTsljEUrs*b_vd%nUl4Lr5RrVQD|PieznppojRHtJbD|-0
zf{2@-)K{;t)6v`#5+eS$9TapHLW^}?q_m7(e93<)^rYawi<Y-Lvh+D_^7E)E2*1Gj
z@eRuRolw{acV@=xwLnXP-6NNI;@`?gjJ*g<KbEF{yJWA6bb=MjWw)Mm@DA7U@W{xE
zhpPe%Q8l7vnT$y8qNC6+ZHhe8YsX?As!SwBXoAXw=gF~jQ_)^82bppg)07Y0$W$fA
zQpU5Cna`LF%eJYdR%#I#_Nvi6ba0B1u!(Vg-8todH&o>X7?$+YJ#=(x{nz2;;*P1#
zft~)_d#RXrsqIw8ChNlvOg3IMrNNnnN!T>7srOI@`=?}2v+e~-miF%qD)0MAHQc!a
zew=#3Z~(o248jn1O8W=1-WtpB_=OdHa^LfFDM>I0CyHNHNNE_<_%i79maoH!#V`m@
zvlf{rQ)N1)?mg!?Uv=&)OgrjD`{=JWFP9SJQAO(iak@a-|M02(%Y*-?Tz3BVe;9NS
zBPAJ(#I%3Nm=PY@r?!vC@OXH+cp?|m+JEz_RGq7YJ=b+&4Z2Lb|MkErSFo{v$73M&
z#?cow#$yp`&xT9}99mC!J8;#Wp_@7-JWTxAGNcZae#q_K%siN-p|Bpw6!Vhum3I-5
zjBPU#mm{WLB^s;C|7t1abQhq5ruWV-{cBS5v8Q=%;-C4&b+0_F>-1Sq^M4Zh#0tfR
zQ}QRqoA#!RocZ^EpvJ*DiJ;4?2K#FSYTn?@%>~aLpSU@C)1n7>%D?B1e_hS|`!ZgZ
z=KygwdUU=>%-=VCPUY%$JxSeen4@5u<O|&~1uM30vifIh7E61yw>nF}629$01K%gC
zJN~(e!j!wV=<blpMFBneQN~j7Ncqw}s}Cd)p0fy4Ev*lGXM4t1Hcn2@de&(VwKRX6
z9O<>~s;W+H&I<XuyEj$6#U7u^jtNe1AL?6MajDZT9xU+{tMF**)tq=9Ym&bk$gYU8
zVDslU)Pwt9L~CYs_Y^?l%pTr<rljU>z<P62m6grXNA%U6V*#4W5^j9=^AD{T9ORpR
zxVza@cX)1TW!Ax$;POl*EOuJU^JTsAaCMB8*xbE(0~M+H09&PrT$zOci`~(!?TMK$
zi#|kRF{pk-wz+zQl{G*tjuE>7E~bc?<Tvk{mwRNhWNv`#C+XlsQ`VEFmE&SDe35SU
z;SKKRW*djURPP25!P-TywenHT!U2;T?9=&c2@Ma}n_Je!y!2V4x~ua?WyE6XyOT5Q
zkU<_fS@TBq2~+9L{55LvrGorj_LXLCep#-rAcf79wTkrE_B^X2GIV_~`_*aM7fU)a
z=hFQ2qoF0^ni|j>v9I8V(2Bp0Aaa^VI>u(0Q7Ls$txm;vdGv{uaUb)UocrAdpG(h*
zT=s}1)C8%tK$<_X#+)pBfLTpcKM`);6~|ZAzPQl7;#2NMP66jc{QKB1gFp>p_NIP9
z2Csy6uXkW|@yL)8C$uN`NKDUyk5FmYk?p~WVPf5FuzvS}?Y*$xnT@5IruL@AY^%Dh
zwT00J8@5rW)b3UQV^FLTkgLcaC;H|Q#?4D74;p7FZTAK>`0abDdADGAE{5Fm`!`=~
zz{GrhFZ~szlJ{qm$#v?Mwpt^$vT0|oWWS`ih_L^|a&%`ky!Cv~sMots;$;rIL$x~W
z+3UmCLF$!O)PPyC3bu9AD{uY%VGf7wPkr@@d{>Q&wB>TM#dGi7o=w?U$*6;Tsn>o{
zwz*!d6{n?XO<Wz4JrVit$_Ea7KXLblES1nur!kQmIIUuIS(LcMs5zLqmF9b-!9z5J
zwJ<ueW6@CH$A*|%#1MGiXg+W=7HG`1G^oil2A>DD^_`E-)7q&na}pegdS6u?<Qx;0
ztZm$LC+C1bp~FiC)!%=ep|n4do3~d>PBMSIi5Jrg-CG=<otmcB-?fWewEKQ${>RI^
z{Gv*hVCeQ@NR9Ns>iDZ`Uj0PsKFV(R+|JZgcDj#mY!P8}p_9-YG@(`Qc0a^I<GnS3
z0d{ttwZ!+WM(WjlSegwlBMvg6=Dk8U*bjUM_N_u7PMRkJ`}TVb7lM-ZhGOZgLqyG9
zCC%>Bm)H#dqR#2LFZ1-prMWy&Wzci`;lFN|YeN$^?uwO?lX_Ggt?z1F+_a#AyKftH
zV|<@a6gQi&QN=e1jP2^Ap3VAd*R>PVU=KaE#vqk4?I_smJvHu=l$)c*%GFXytK4g>
zPEN>-%T;@QubyeEbtAH;XioqHa|ZYt`>M7UEimg2A#1A@E(&HtO}p$zk5G^1W)sS?
z&gDCYNLY7vn6IyKS88$Axy|k?c(n+eA8wF;*qiTF?lzK`@@3aN$#~sX?xDkb9p8le
znjIT5557v9yy9!75M@Ajerpw;(T4qP)xoB5BnDx)T)g4`C7zEyF+8NZA{V`*>zQEx
PcrWzv9(e4k+2nr!6Jo-H

delta 4526
zcmYLLcU;nI+zo;xaNQe9mN=T2E6aT~QM0Zip)mKJX{M%$+aF*=nc8*_EE5HDTxWtK
z&9uyMP28qtVoF+RXySUS`+48@zwhV!$9c|k&gY!x$xTA6+(z6r1?iAaQ%{4cPlFAr
z0M~aDWN4y~AMw&>`^24zPks&y4oM<Ov%bVjnH5Q*dmX$#iXQZn(K{aM=}RL*5tto#
zmGt4cHl<zQ`~qS{{!FS_An1=Tk7C6B&AEN#>=k+K5}b8ss%xI7yGrDt3x4UD@Aw2!
z$eWM@zI$)@$Vl%^&4T1BH3-nhWi@u20Dtv>4R#ou+-=gDbl4l)QDiRZ$Wu8Wa=Ov`
z&jQr#y|9~<QHg2^!PCZ@YMAa5MtK;$HWT}zsyOYaLx|&HImK~{M+9+1<BHzEQ|JHb
zm6V2Gkw+)7O`r9xT&47vf1-FkU5kC}{ZvuKCbKD?_^spNgYcSF4}up9kr*z$d<(cA
zexn@kxBb>6Z2Z-sPODO;VqnLqjU63IbE8>a#W_AGWUYx_9_G2!&r`#$DGw`CYfuje
z>@hWrbbSu)p^D~ps!8pW-Sm`_#^NcMuYzb#QdfX94%622$B}Cv2=!l2z@GQ;dyF20
z0;Psc+WfBQO6;V|E;FK-exG+93CNVTI983g$z=6bln9YEe3d6PY6?lEChdKn2)&J!
z*FEb=Hu_L4cz^G{dGLoh<iIg|OBNFWqqBx8AVTB-F)N*L26gu|qwdVqK38QI?4g_w
zj?~MjA_k(Pkl@ZBp^F)63I*224PZfbOFgMdzwIs3_e?-3;^s3#uQNdAWy9H|4gEG1
zq;JLPG#9Li%i%j_{fv&%tg7sqdQy>on-+ZVZU7&Af{*M!hVPs!L%_-iR*d85;tn;1
zw*P?7ut~aq{Q|BzUG0J`%{ed&*K>P3t)?((eGfr({`zJSe18#HYg2c)OrWOFSsL2j
z@|oZ~@k|=<Zy<v5iHZKmLPe=DXu+sb(M5XdyK5-PFh;tyhyH~b7wr2SN;Gs{Z#)9@
zA|f$E>22VxKRG0bfmydyX!qq-#LX7Mn8}oMi6e(p&bB~XvT^4tgKB*H1H00P^`&F-
zd@~R4`wIT>1vz}on|)f!6)T>5;4kXu$ec(JITA?ZOO^UPnuZ>lRthM@pR~4g#jd#c
zq);aq=}|iOl?)?6ijnZk$Px#-q`HC_j{FQ<!|~;i><!w&;e!>&mcUEjkX&V(p1C&&
z*c-xID-YkQJ`M@PNkn(H;5=>zDTD=l1E2VY9K<+RVvSs}y18H{XrO~x6i6v5aUKaU
zr!{%dmorL*cImmcIVj1Sb`@T?ekcVFCu7d&xnfV`KHf(Suvd)&{SlQIAjS0I&Op6q
zl$eB~ly_Mu$xKGNt4FjW*%cd|+roouyV1?n739k(?cgQC<Q1L7-7Zle<0yClvMB!%
z4|<5FR6-~ZBCl{rpA4WY@S(~8;5+!lccd1fNQQw^PoQ&d$eO>w?O=~eUhn0Qj&R_z
ztQMRi+sQH8o<p)QplZPfRPNqE^(Hf#Z9$_@$`aUO2|1+X-fr<0ajBDFQ-(J@s;^Gh
z#%Y|SX52gR9V}c%YTD8Dl&sY0f8&f1P{+F$1YqXUv1=vDM$m;t5#T}SGFX54KY2*5
z*r@;HF^>kRM*ozDIemH_+CTSOorlj*y(|Vj1KjnuVhjix1J6|MjU`t#kl+n)IessW
zydI}=5T{PJ#GOwz(aLsjpkFW);R*w^OKvpKBMn7t*_SUl#DENA;DJ)5hpCHD<f2j$
zK%l2QY(({P7<5;1^aW8jEHsbe3)g%y^9_3Kn^It@`!bZW2DVs3*5R9>>iO#Q9Nbk)
zs*{=|7lnVvXm)~fe0)}*$Zr?t?e_qQBZeI>{+>Zx`bfY(!HTKosuyMUT&;eeDOSu-
z#}xEj<%;jO^>o8K<?VD53v}Sdfq>_6i7XG*vQ~A4X57`BmT=CACek6JHUWHa*>Mwm
zU=yiBs2c_g;z7gl@NDJDZ0<5ja*0tyHBtSW3V{3pxZ|<j``itb<T|6siCXXDvI7EH
z|4HVbUu23*kF6p8{y}hl5+YW%ppKdEAy>;~i7BtD7cKXYxoTNZKzs+dZyPys%)2uN
z3`+;$of#qH;Iti}m>uxXQssVeJ0YSwF~5@0XO3+)AyIg6O}_>x#0rWD$j2iFu3(#e
zNsm+E)gL!RAW0$^o~=ia`B^Y%d54sKjYK+yDB*pt6bvSUe>vQ`E(+Tx8sh$}-M6wi
z8rvI2@&Z^5+K4e2BoKzFy4aEW{ix*eBXqhoS%07c+sq_Aj;79=OY8(KgW;J<y-DF(
zlI17qMbAyT9P)O85_Tp!V)`jzrzFb_=;=>eRLs>Opgj<H{YAP{AKJLN14~VLCR#`z
zPoO?*C6lT_W?FD=d9Dc9R|LsDX4Cmx0X784<9}7z+-(K-o7i6+SwNtW%)rnt<fT_J
zM`7tl@MF$XJWdvclnicDMFzcCSBC9X#*bZ?N-dbCkn|{U^yon=V|Kf?%pe5BhWv`!
zR2&i_io}#&tV@lsl`OZR*I7^LzrSqU>`nd<P34=fLVrf*_k9FjfaGz{-xt!O?E+oi
zmFR$ZOZgrsS#F2V_e!8DU0StKnPV%s*I}<Fw`g(pB#@vx+p6J%_uq?x3q_IrO8EAA
zE!dDI{#Wv5CluVru)mX+A`Z3{|CPM8KktZu!bB3CF&{l|@e@eK2^MlrnpXGNvn2D`
zU7${2SK?)4=~RO(<eaQ-`G8lYgZmeSPyFTzu4~re6bXv0gzQ*A2>T_(q<NF<dHIs%
zhzab6F&@vrqWzJIlaj{2G%E?ePV$48bs+;@WthY2{>Hy`_TUvXTql)5psL7A#`~;c
zy65n{7s#oWDi{doC}zo4F*q&#LdWC*AfJ5p)Sr8X7GI}Uv9FW<xc+9pld;tw?AbLX
z8Vqz9mKcC!dKeyrbREzw8E~r1zj6q&c~JMC5iirfEMfK*cz0Ha>a3Qc`w3%>oR(_^
z>(@yO5U2p&{~#U-K7&MR66nK!(%_)W@WgE8kFmG>s3ZrdnHn<m1=}7rWQQLEej160
zRfUMEV!qmff>F9Iu=EQ>lNG9M$h!5JUDLLT?gV4wWU!XyhB72sS+{DyqtZiF6~a;Z
z>2Epl)@v$>4K*XehriXJ!0{;Lpt5t%eh-+gJATY+$`?_h0Wr|Pgp`uP22@O&4<|g9
zhF7~UoP@-l!~_)ME#Ke)(`NGolOU;&sg*;LA+7ifFQX(S-_=gpz9Xj1@(CaIQ7=bM
ziyF6!ikAq60wdMMKzqaz1EtDm#<d`UT9{HoT@ZQV2I=2jzw2CF7Cf;3cboHHE4sfj
zJ|9NSB&eamE3(Lc@OPoJql)fB#u}DXhx^uYU}-tzH5P!aEvTiD#AtBz{;O8T>nvEd
z5sjoF^6SwrPeFri(Z8b-9SKX1z}qnJ=$Uy%_gQ1b2FmyB9vbO|$nW2TJ^-_i$M-su
zc?GDOq}{OJuCo(5+-LL8pS>Zs=j~z|;$as}v{827)sJsAj6dhTnc2|yK0ee7+&y?Z
zdAIlKkc<~cF@bPnmu!@e)eg3ZJxoMQhI0~@n=vcXM=;&BM^sGrpBL#nh&mfeVWKi)
zDw-cUdORsZ<IF=YYTjRK71Dik{dFf0QJNgpwnLvQo_F`f8ax^)=j{nAKKEe6s?c>(
zLnEu<*_c&YWAm_wHek1PZ4<$P0=~<m+D$oco3M{!wVN(4vtMr@ys3W6>)K6uKbP09
zX#)eio+Hb%9D|R6Tb!;u98W#6qIr13EUPK~t=p1GP~}>uHlUXQbl#5c;!V`7)e_cJ
zl_#~*IOz2UrW0zt^O;@m)x?OQ{^bZ{yzg?YWkQbgzR%#Ol;MqWUIy^~6e2#_FssRB
z-{+5g?x>BM!P)>@bLjQc7ivGQb_8w_{mUO%Cb)cU7X1Ir`AOx!z3Li`{ePGg8svXx
z*>y~_^Aa)8TKrt?r1g)$6{3I0PZ*~Vl)rXU#>$nn7mgYA<tMTx0Ba|;PWNPs9Pw^m
z#JkkurH(NGgzG5&7~hAvAeZ5!GWkLGk$zSc@!?tC5%`dr_0#U74SQ$qJtu&zZxM=b
zo3Eda@(!YrHYaW7L;D`!<uXR)-1q7}iXMFqiyv_*J>@DN>>bgRMiAudU!<`DvN>Cq
zHb1?0MoY-A=meYG27a8S!M2@r{xyB<Cai4|+Kj({6HJ?CBsd$Pi4p6{&sl10{<x1$
zVR$<2-Qoqi4c~~(I@Ypt)A^BAXg`Rr?LID2a&R(DSjnBp?6I8)&wIA@FK~kzH#FhO
ze2}fqwydtg1g<}(FSdrK?M+;3i~|Ivaoc%KTkQJ!>?R@b{hRrUU$OX|_M>`sH2&t)
znNzN6t2JAcZtjeM+CuB%s?H#{OhQK|d@Rd*y0PXCj=vc-e&gACdHDXCMVY49SjUAP
zR_(c$%scj*g3a~3_d^#^OKEc!tF(Gc+W3`Lwvk*ncPZMf5YH5U!6)lD#N2dhtMfxg
z>gs&%kzWL6?14LW@+`Imi?ch{V3oW_P(3#g-Y>KVmR;)4d$g}JWpLsC?XC0M0~7MN
zJR*ZXAHDf*E>dqmkgLvJj1J!@7luu2L^>KSmNCOm=0sEo*+=!z@@kJ{Q&4LmvAWKC
z_HXz+IgeV*9aw1R3#Y@=D$6z({kie~FpV6lfxL|wR?pyUbhz%t;Q5Q5t08NV1`F!A
zvM-}Sq-4gQ0}hb^QLfe7v4);53uQQc-<y%<q=5&o@6^@`Vgqft^C5bNg(uO5pqy@f
z7p$SDk=w`kh>`Ie!jH5H!q;0#gircK`kFDKIYO1shrdSUD%l#M??^CM7H5;6xZcn8
z0sh5?#&AZsY-4fVlw1*`PNp>e3%O&_q=<4Ow&MyhI5>sDa@jMs;WSvsE=6(Ir{_*|
z9nBOCKfYFx+xad|z$?{LD6(D%DG6e*(#1XxO~`#&oIkw0FuNX&sLE{uCeT50L>=xt
zw>EftOTY|{ww)VnXOC|+OOYyE#J&JbLIb=kQ&m3X*t6l<f%WQjT4#o7<E7*CF_i~h
zH+$omo~x^}sxQOu%Evzz_HV!b<ID>*&yBW8iwkcMp6wCx81gpni?>phQ+DN}`LjGR
zrX6FxP-u1GMsIE($M}4A8lgdlcYN>YoyL`%D12z>CfQsIY94oxF!Az^!~!6ezOwnc
zpsQ(6K>j{AHUD@vUPe#F+CrQ3W^ukYdW|Don32JC{ng}eGV&?9X&kM<{ZhjJ5kC4U
zD|mZ_*Dmy_W=Y&_3FQRbU6^tTyDw?o<v4ONyuRP7@%?!l!PMYW!>nFw&2BE&G)%OA
z<0@0l6ngg(dQZb9hs|z!wg$-KE(&I)UY2;ir3v>gEk}H@)iK)ser4xh*F+Awd7MRE
zxjj_$TDUwK@n!VNzl9R=$@e=Kg&VXT{K6?69UVadE9P2*FbHVWAK1TI>~fpm`ay$N
zUmq9m`<hZ;Xe2v-F5XVQU}2>3oOjxCYuPO8-PYhdLYJ@jn!Q!#8!!m8exHpu$Z7vH
zUr{=je@c(p)DRYT$}P{=C>(IJ8!ul=7}YuCYWhJ?`7(Gt{U^^?8q)#O8gJT#8+-|A
z>Ch6kEMOSVq(xTO*N+djm2|IiFILLym7R(kbNQfRpp#Xeds2eYYGu}yffGERdnrH-
zaI+6lt-5Z-Ekn1KDggZwq9E<Zx+ynavay>R(OzFC&#z?Eo_mn-L2j|k&H1{$vt3?+
z>Qe_Z{>iCmVrhM?U$a2(lM7)x?Vf4s(A-wCMwRO$mdkR@SoUIB%eDG#iiYgT(yS!@
z)mITytwB-y;&jzMhpu_uo~-x(v9&qTJ}f8hR)=?|0BucKDKfFT=r26!MB4d}C`uO6
Q>-(zL_wAjz^j9ta18G{N`2YX_

diff --git a/docs/inventories/v1.34/objects.inv b/docs/inventories/v1.34/objects.inv
index 48ccb98994b12701ec9845c0d89c41a057ad2715..e754781f866ce1c6504271d3d599a0d049a0e232 100644
GIT binary patch
delta 12638
zcmYMacQjnz_dd=Tj6Oss3`R?|L6k%{#E4EJ1kqcxs6n`TCkBb$dl#a2qL&c8NAE;$
z5kGmoKi~EH@7{Ix+WVZnpZz?0-Fw<A363fWqGd6k_#y+5nAJ$oUOo_Tvx&h13Rzux
z@kMXzF!XwHo_s>IEGlWEn|DdjKL2eGR;+TfLpjc23o<}pU61IPm1;;5btH6!imWV5
z{Gs@aw84q3ZFeIniqStioR_Akz3xci;Wwy#?2?jjs`szkAHeNJ%haQ<ow2~r?g!<T
z#k!<#|M(Gh>HWBxTay7)!w^SFDaZ1+Y%la{*bSsKF^fL5Ub2cr)raia#;y)M4yC1d
zb=7hdQ-@se{@NQjKi~DJcQc^8c{gLMwl6(`LAul+{qLVK;luHS>oSQ9^iF<fJi$br
zu<)hrv7Pp=!h<R<Ap~vn+(vs*cR)$;_ujxc*CU43=-so87X~4KV>vGzD8AldnApRt
zqBnUddAXN0rX1q#DfV$R<1_Hk<*dfN;w}45W1>r*j69Yt?P_uM%VGZbzg@<5>H^_E
zmwB&+o0a3KbpkcZ%u38oj^ndX*NPkV%CW%)?T+PacUjsM#b@6Jc`0kp%CotXZK}N0
zVq;Ff4(u1b@>fg--u;oj34H9N5iI=jGVpI6f5?uzUYW4@FH`7NZywUWZFV7~+t^xM
z|Jz-ZFgeZ}-BYynQW)u%N?VJfd7kufx{73(vz^XQ?KMraoRy*;jMF+WpR}tSC8%u{
z(nb32SL>}MF6aL5RRux+Q0z>RKjVH5;QnCaw_BCv+Kq+FKt*+`-O0|%CSwaj&u#>#
z0dq*=(YR-aS5f*w{BCMu`b?AjQr%Ox>Sj%>$}@A9R{dbyILnaj@W6y?Dx8V{!pSce
z%gTO;ipty4!p~<ReP?#=@l9^Y(M{L;a~GM6@})o^t&7LR-n!+gMtY66xAxpb%S|mn
zXFn}I$tWuT4B#lm+r;hM{xJXq1$t#J1iv9(r<=Kf=`eLj0AZl}UE*D>B$5I8sEb2R
z=dStccN)puKDPwKMq?M@R;3-E$ZeFT$RNoe9BeXGMRz+Y?%|=>EU}0^D@W_W`_Sx^
z&4wJ(MFiR&7E9G&)Yd01Qa4Yt*>T7szK{`!yz>VVwSt2vh42H-J+O$)<qhbPwyF38
zpz^X~@6^9IV;Krcbn}zvpj3p2*w6-BPN9-hL>CovK^sw9KU~k-+gtHdzaIA=q#wW`
zZEZ?1m)+jsQpDEQ(oQ!QBHhWaqwj{ZztMO6H7|7Q{QH`bVb^1o?Xt~bI23QQBSq;O
zG*}rhdffHe$JP0~?8?iIeLgxZRbSB%*KohR%1UvT&(qLq3#g>?`(yekO_}OgLLAJC
zb#PQPU~LVtBc2vmap3W2pWZe;9C!ZOJgeB&+$ZPF+PW!57P$!REWxz=OYkgjDJyDQ
z_|5Mm*>}|hWl5kN6>OAuXC8GIyG_2w5wQR;Z8F*LG1hnaXD-NXKzWS(_>CY-Z-r=L
z*JPUN><K!$jrN_PRE3`H_-u775lrdXdYhC@Y0hH*#I=fKkIxC|>!-vt&=PTe;-`zn
z6E06&vGk2W4#9rl<F?4FL&@Y-Rdc7of?PZM+9_3PKWgfc;B$<gdaERD4;8x;NTEF-
z{c5WBc)lIUD3&aAA%qh(IBT2Sr&q@KRMdA4t0QMa`S&q6iC;Ek?o-hZyQ}x5-9MKS
zq(KvO9z=11!;=!=L7yyf9Pr4MP~_5;`R~>dSqy#q$+Ebhi?NZ?RIh=PB}_}h6Qb!}
zN~Wbt!i4Jm$cZxdTqy<F2RD<Jt#Z;pYG{BR%og;-)Lup{nZaeD=qvZRyE6Tf4M{2!
zHy6F}`eYWvyrEXa^n5ud$LINpi``C-?Nc$6g!3i5iu1Q`bamP9ialeqFE<kGZjvwJ
z7UEzYc|zo#<1Lqa#+cL1b8HR^uN-MFil5-}=yL0v6lX1c)U$i_X?J3|n+rn*z}Fu1
z4c(HQKl=Xgd58Ld?u0~zN9g4Bs$Ip*RH4LP!`ivliPqQr=(-YzcaH<aZ{-8^rYCbG
zVz<y!oWk$C?6s?T&W7n8tZwVf$=oaw<0tqlkng8tXdWuH`Fs7|MKAPS<leX#^DUIu
z@a-;e%_HF8Dh9jj(%-J<h`knmK&f^v-)qMPVZ0P}T4d9DO9IK?xK;_|r1RIP@@E=c
zaCH*D%KC=hk5{|%iyyy{_&j@~BJfEP(lwfhDZ=D4oFXNBL?XK*YNP4CUm_x~&#mB?
z9k$<r^HijBM4o7$|4HrTGF`(Z6RqD&skL0*XI~~~LQf{a=et8ih5X5zK;N6{NA@z*
z`-8rHzTZx=dt^pA*}x`K(_5@U`CUlyip<e~2h3Uzf6U64ay>(Imyrnd+x?7Pu_2Ze
z9^BxgHj8zXiB1)o5wP1DA)!0qyXr%ve{{mNV?&A^vF)<ASxG<Al;HbpEW;O^H<LdV
znNArkY~g=g_`B_#y{pQi1Nb#FHCLKsa9YtA++G^$Wk0nP+xpOc;u~si_2gY?qyN%j
zjYnliaqDf-CI_G0-H~OQU2@^4u9nQu9bT%|KP7p@aK@VS9p&R4-d5mJSCV-*FZ2VR
z7|TS;bzvry?&c|<5PQ0X@SWfx->X^uDT{&Kp;s=*_RNSz%agFh6`)Jijeo*|7eSt{
zzhCM~rSbUnE5~ZD`PVb4dAD;Dr%6z;9k)MWY9!NUc9KFW<1KhSLnBLT;U>+9`0umL
zZGmEk?4A1Q9-(7E-Rj0z9wOa?d(uWsB^gHBY4}XIx2?u&zZPN&gx|Q))dQDDeiubO
z?!?o*Y9k>Lgbx#p04CnHZ%uZz)>B2e-^&A63s=9m&UZXiSxoE{OP@1viOJlz*xf&(
z@ST$jHeA|GNR^wr={akxVQ2{Bi{<%fxYIy=n@}r099%KGcb2AH``k3b==<RL;-8PB
zP2P1TVv{zaj~BjF@zq*b1V3oFnL1wk%i!c8JbfuxlF;0YJq*yLQiMM%mK1j1p=lTK
z)OOOf&&QT+0j*XiP`#<Xj#TMO8#Gxh_F3hm2{~J7@bVnU$giu~t!F$-+8N8<sbgv$
z-ElwPntbQx_AQNk%eA(}U{`+d?;1xT$=sCXr-Fww#6yxt9vO#~D2LWLi4v?8o*zeJ
z#9=N?K>15D_UAy|n{w;In(y8!9~Mz`$xm}?XVd6O`MbExm%0&8$;3ANW}^Pk*xB$_
zK25mvA6uC%t?hkmIJhXk(zLBioj>u)vl`7NXvc72_*lKVFYl<p;CG&!)1PT7Uy=5Y
zYHx}nKMxh6M!y-e=HrZe@F8x!GOYMnVcV2t>C{oR?7{_rmm2!z5#rPG!pmPiI2-V^
zx3_;eshV#!smq5-oAgybNY`xJb{R)%pJld0NK)JMTA%!S;X=vViS=SCt!nPBu~UrE
zHkgEva9`NMjt<W=B51gu?#bS0V=`|&?A6)r{y9oH=yPzsXY~V}!!{`6llO<M2bNi%
zqChvv19FCN!2M!M%w_>c3Q#JW9jf_TK*d+yE8%2<K6U%Mg2hzWv!Za2{5GYVU*7df
z%U(lFqX{#6R7Byfb}sqZc%|i!tMn0XNxFl`r-F=oDYFY)pHsgM{1|T5f4gm~9&eYu
zkm)Z?CTw(~c<A3SPG>Or*Q<Z$PhawxLHRi2<t{7VBJkIom<<rZEiLa!Hhb;L;?VGz
z@|Wvd%a}gH_T5t6j<7}Tr$;5?!UDv&to$F}cn<!Kyj6Vo>dgqxf?c=o8*#qs74_n4
z$3|K%jkKV#xw%|{!=exS@ceP(gMsg<5OC&~ETR1UzcD}XWlH5(%POZl&dQd8CBF`^
z&%rJBcd!5}%FAM^`oA@03z1*FUIK1jn<Yw8rB#WdVgkdxDKm}N72_uO57W8I^(`LM
zRNHtuPCEUG6<>6j1!s9jwG$6rs0z4s458JF3-%0#nhO&$1A*qy__w#dD$QC??i^ie
z7X^hoRgmz!YeMewTPHjBhc1Qzon>F*pSVmk9Wnru+SW?NH{a<|#y6X@EPbl`S>)DE
zjSMH|!iz6YAcv>K4|g}jr;4~VskA-aT^gGh!uwNeI%KS;EUVsGW|5=^<{!Ae{nP!E
zknNJ~Fr8R<i2LI_XIJThj`L4$q4qC#pPwTgJ2-82%fubJRU;ym{BkE7OmV1uBiVLT
zee5>@^H1EgEkbh}Ha*_y4#rFRN_l=au@=8TW&zZ?V`4RWG<qKgjT6uMO<th$OE}GE
zzE=0{;jjAEy5?R}s{*s_3}^N|J$CLcx!0OWj#ImebgJu9vIYL3;tEZQ`WrdrB+rYt
zYItso#Gj5mw<vw0Hgq1UF;RH4`QD<tC!%W_2%2+34HJ<F$jKdU+$p8aFi3gIppRE$
zo8BBqHq(2Ye|7)<_>-oL8eO^|NzCrw-3})#b#IIA!#IZ&P~QN~YI7P{7=tfx^|t?A
zso(+oUz^=X29uaG>pMS$PPxGPXCgV?au2rYOGAYD_~`h$Jo$+Za>Xuhq5b!MJ{8g)
zkd$k`;8ka}!i@b8=secscQBcrOL>mYx!9*MU3JXUA1-+z1gZAkV=dFU!YrFvH7LM8
ze_aAPDC-t~ICs7L-t^_3fZ-%Tcvks-es&5KIG1g)q&&?aNTh1`wS$G<*tWtU8))p7
za(8Ird`4`+DpUNZ*NCytIpKV?oiJ%1U^?^<dKTy`hNL?^t}HKnVENN+UU-{@`(xpg
zY^Cf}!86$a6_a%1Z)tJw5du7QX&9n=c#zQ`FHG{8l+<d83>81$Mca^B`$0{%YLeO`
zP8o?JTT>kCXJa}7hg)tpB&^*<?6c)kn8S9{6HrcWUkRL@+9iML9p~sw95aVEK$%o*
zOvm0;;>no3ZOlQtLTl#GlhgxQ?T0;{ub<o17W?T>e0{sWp5Ne(x5NOtE)*w4@y9!F
zo=?A{AEd<<IQ&(9rn%B$c~Rq7D#?3zaKmp4Ynv<@?s7XnTz-EeRDXHiVawH6J|Sgn
zfAP#~Fp_2a<nXgzU}V3-Ev@KWGe9$ksE@Qc<#P?MS7vCbWO{HXunEZjnX^SKRrie(
zFFc*0*;WQJEpdJcR6k5i!riaIbkbi?u(&qy@_c-zx9;1VYrSc(-1n??q~})1qzt&V
z`G}<}DX>;7dC4TwENR~Sbk{m%BrU_|ONur^G+Z$|!jpDPJrtEg&D(9W1uW3ln#_AP
zi|#8gxSU|UmzBeM=DnrzNw!@ob|byVWlWy`js%BDK1S_U#$@c=l1RD1Zy34uqEs`H
z=!;a^8f;|XW^%Krc;TF9yCA7uy++X_KVVw7XZ78fy#JWlg`=WWH#2pBH?;vy0@ijv
z8s5Eo_cB;H#-}{;r-r8IEO6i+Z2NTe%%W<q;)=mxR;<n3-^hwBk+GS2=x(F%L6N9T
z;nsDiL8kSEjf?p68l_@|l6gl>GD#xof?VIb!yzHj5|Y}pJ5d6H*Nzy>@3-T){CDC~
zKD}zGELNrYnPz$`V%r}DF;g&%Ia>j9JX4G%#X}7nDcCw@aQ1B@D}mt~kC<pfQ>{C+
z98MRrG*fRu*(&&WB8^qkw?}<Jo_LDFEd}<ATHSOlf$69lVI?nbkCr<%rFqs79+AYn
zS;gBx9rJQ6kPP!sOXEEffksQ4Vv1LPk76)Z*o}7C_y&#KGP*nMW%(N4CP6jdE?_{2
zcA|<_-YaIt!6p$+2TGZZwXdLKd~0F?MZrx8M##Sr7Q~-_;#gZ|R2aqyWXVx$Qxk4o
zedR0WQE&k>q1r;mNQv4>ZQC;T7@u3ZU^ZR@B{__n4h6TuS^L6yGd-dt2g{wvee6^D
zKkipzui1GEyn2{D<}f0I6eo5>0I&7N_g0O*y<wBYCLedfzyXm??o001>{Js?{bk9x
z@dr{-Tm2OgK42o|VBs?A&Yukp{7l;kKGV3HN53||{RSaQHeP^79t4Mmv_=$s{!Xnj
z0_Qp8uUIr-aD8&~`YS4nh#}vbf2G?h{r4kwmY=LCCPjAqBfK=9S&hV9zr84sK)rSk
zIFb8?x+a4&xdWt=pJN#jPg!y#c?>6be&M_RMEyLQ*j;8xefxHs<&`J(7GA8%yL*T}
z|MR`ht$}8;_dHgoS6!B<2=~hQ&$Qs99ogn|2y>8r!j6Fb51MbHC;1y@8}F~i!++Vi
z*DnBR3bpcB$Ergo`|;s--yjRih%zk71MEt;qvJF$QXCkl=|mr?%1hz?9g^ahq7Yp}
zTxX6|s4!^(p(CJJ?lfOPO`g+|4%dmBxquA$PP_=JRPvA`0f;msaobnV#r<M}ic-3z
z(D<#*26gAAx%2b&hw{=w5wCbnEB8N|`^hw>V=V_gYh-uT#4T^Tb#a<Kzw;}00N!lC
z@Yz-jw1Mk2HP6&-rIY}{+#YfIvz8&j;#;auAD8~}6O}fPR=N7JlJD-f3Qo=$lz69+
zQ|<|z{6;aQCj?(OX0HjheoUdwmPoKvAu-eV`dkKqrF8dmwijkWJ`>3VEqgn6m0}U?
zdMsQ$oa;r^OgLmhdpvRZ#ipk{fy0Bv$d|7-K^FiLN;;jB9mH-Lnps+dgWV5yybrgs
zYu~F<q9xd)T<6P$zf3K=bRSdeSqSn<op{S&c}Zt^H(Gk5Z(n3uEM~s_ZTH3NrWEsK
z;~eV>b0ZzPQk?VAeu<SbyIW7^dn?+z^6?K7Q`YXT&GoZIS9kHX@2WZC2U*Ac`Ap*n
z6`Fvb9v}KDEG9QCPhIB_Cmy0r;B&T5mg{NcCC6t5w(C_IzKaZ#)|IjN69qpHV%OWx
zOBN;+UmDiyaxP;(xaj&JiCp=(?OB}juJlEtbaF%DKusV9wz+mB(ME<i3*XAI{l-#K
z(3#}j+0xDMVX~Nz=r}=f{cwz3-98uLrSx-P!zdu@2}2?ttuKZ=r9(3kzMsXju|6h`
z;P3h?*J0`9#QQ}kdb2rH>L}%S!>Cs8!+GbAEBE{<O^GLBH#o+sufH8uuTli!>I;|Z
z+y9Bd|9aDM_nydg>1OHTU0wyu1mu-vvr|)jjs8;m!~aJ}w*4&d%u_d*#qv??W@R-2
zaE9=sKCDl{*gi9L_2BK462Eb2EPo3Ya~jse5MuEB0FNGx@5KAKy1Gz0OI7S8S{oa9
z;ep}NI@y>U(VZc5`&3MlaJBnZz^~CjGCoJFuJKR)8TBUP-AA^(_rE^@Q6jB3&aLx@
zjM_htAA}FmN$2w<1XZ^zI!Yd#Sb%fnf%Ju%p8VJps+*}w(Cpq|lH2Yqb>i9KcV#!M
z*hL;Zb=LC(3B0)Rg&Wh!>xXkMmRZg7?|khJv%;d(&1daK>JPK$`qV6(&l}0`b2ekn
z=Vz9uo9+r}#;Q8ko9*sustP?CcfM=AO@4gytBI9yv3csT>Y$j<7e~Ej_<F59C$P@s
z#6o)hX(>6=O*Z~wcShFyq$gQ=WtmjgyZ29t%t`QNZKL70=L&+}Ll+CKRZ((ds$wD|
zpSpOj&KCg}g0Tfsitr?)dHhNdP6*=<pUT<IiNzNboZr&W8>vIO79QqFlF~Jg?ZisU
z)7HGbnnyuq^sX7bCFbX9$|2<uwSdm<5PhA)(pxVt%2}qt6AyO(#y~GKlHnBGTF-=A
zZy^U}gY;dJr?144dL!tI@46pmmX!#Y9PMPaNRGQPCTlSLlw{kk=V&En3ium>p~TEs
zOzlP<Il=1m^-;LCq_B=sa8jyMW?J$O>UOqwo#LBK%|W--h+VorL$`Kb$>hM(UveUb
zPG3hG-^EsA5)8i)GfW@BEjc`X8&#_s3YBUrUyjC>4%tYfFHb&qV&(_OWJSkG{al;i
zjSnvE=W-&BN%}$E!S>GHtKU6*$s>IvxFq6ZZz6_q)RI?vv>KRGzBkpKXel{PEott~
z*2`-5vlBQrGa<sTa&1D@V<8JZtgtQmsaGAT0<C`pRo=CVg5t-iL1m2a@-)Jk6v@@e
zkXA3^VXYtvfI0sC;)>ib`>DD`L(LnzsDTal)HEzaPk4%|0tcu+cbH#}lv6rKfyX82
zcj*rZlfPqO)!;wJqA@R0jeN=QWjNS2e|~U3!Nbc>87@>)krSaPG|y}ldd}%2lUSRJ
z+`3563gE22ia^*@)|hUl)PCqY$MYJj2R<1ch6w=V9MVufhjLdZFghzF4wj*@Pbd%<
zO$vHdl*;;NU;~U+y<+{h_l^LK{lOP;nq(@WUxY05GULM39>tg2=+GIFZwSa&^vzbj
za#&n38)82trFyO76a-?0$UrZ7_XaiNV#!pVrp9KbL^$vZvWu?L=dK0BTsX%3qH!>I
z1VFOY4u#6<MdUe#ECySZCpRWyPAGpAOJshk&57iydF4_A3WR_%ZMpt7|J2FnU}H@n
zACemuk>#YxG=0tEm?zrbi^q~49lmlk&JGXgaC@2~id#5nL1+|Pty8_y)Kyiax+Pm?
zxf;-l7=E2WF3q8AaNF{?PQW$;)Skn^2Hg7_kQ)}1rJ*r0Rp4<95>@QQW5RVBo&VSk
z71Bu#-?&d0&oQ1??@0}AOzY9GRtBLowJ|M=91W*Y&KNaKe=h{9Uuu}|Ii4t!(xBAQ
zg;sjBl%j5qOTKqf5Q5-@#(&z>Rzm+iH}@MnmFAs|+Kg!A9oEQzNJBwQSHQ54EEA2d
zsiwWR7|T@vcy(#tCiS5aIY%~(a0*dx2x;KudzGQgobL7W{qxbL)tGudm)iPm{jqYX
zEc{@1I|-9T+e)Evr{TGG({JexMZK`si}>vytA)Uz2x{(dBMtIcGNrH$SNqg|@ci@4
zQkOY`-fS%Z%~HQWL&=c|z`)vRU}sX+Fb=$|lz;*?q#X2fX@O=tQ@~XO<~?GX@P^+s
zHC+Wr7>>GsQt?fA+o?_<L+XHXnB)vY;dQs-<Wh9>s>#b!(`b;T7)6me$~c%QuR*e;
zNU^2Kd6Fq1Sx8b=>9}u+lAC-Rg%r2#wv{!4IrmAm`i<u`vJGU2w>_ulC6Hh;g21ud
zWiR=`&BV*R-`6s^WZHRioLFtg<YCm8>?(NQT~3mHkEd_@)sXVg#K%Mwe*g8?6&&fy
zjPGap?EPif{LB}Q9C)<j<pz1X7Dpa)LYNruBlx=^_5KvKjnhIfMI3gR4s@`i*?*3G
z3Bn?fj_?DNCtvx~Y;qeAT?a_4l-Sx;R%cX^bI3r!R(9r4a0^tr9GNn=gH?YfB|e>(
z10A(Z>*3&3LUFS0OMGJ?r<S2HHBKmqPRAZDqsbh>Oe4=+<6vcvqc4?BdGD)%FT-j1
z5M-oCu1Th}y$j_Cf60-}9D(m);qb+Y9Kjw^4**6!{i`4|E{MtKJK|4#jwduM_jqwh
zc3NDSC{^8J8MaEl|3Y^EKR}Ap@1A#DXpp|V@*~Bhn`+|gwnyRHdXX^UeR|AX4)%K>
zmm*W%2WjxjY&(Y!lM<%bJNfl}Rs5bvc@L(DEP?!IK^*Ex6qNN<sK^+;nO1<hauE_(
z`JAb$K<%_P@tuZ8t-}vWIpT>jk}$zYE-A&kC(b6eQ#`LWxqM-3;_vk3cwRCxq?VcI
z-M_ma9#2;2OS79qy~R@rvOXJy`e@uYy3)=Li7$+w98DUKUNv0XlVTOc@7U3s`KVu~
zV?7HN0xHf*u?po^?BMWBO(m5N<Od#g6huGjrx{l7NP%u>78QKp-g-dx9pu5tIb=a-
z7+YO!*ykQT<tLFzQU`C2rhvY0B0j~#lRXVmV2L0%%L!O+IDp9nk@3qoh`TXAhl+;v
z;&oiifBruJZkcq@bk=`^$2pGFd{TQ9r$LIpUoT*rn36yEA1D@pyd6jue>%cPd6IHF
z?1Yl{=f6nD;?^H|9KV3%AbuH#7@*7?4p!DUa<4ImZW_ft2&=3UT3}dRQHA3wPLG^-
zR)R_T8!yNyKs_rWhHt(?$eF^yssPg7ic>*_5dNR*TG4xm&3}|({M|H`-BH7m^1pf}
zy#P|*hiPcYpfdG#xCHLgh74NQut>^|NZ~sk9*_!9%Lwp;dc2Th2_ch<1CQ!7n7`Fw
zNx@&&3K-Mjdo<lt&6kb{Q=a_NfPL?O=idKW)|dycZ^CNsFgu*QZrt7E(iq%KJL{o}
zfc`7gPDx0c0;iH9XJOUx$EavSD6pQBsuPSr1~K#d^=9af>TGZ@vxm?ZQ>0q?^5b`K
zMC*>yeBsE1gD+g8Wmqd^NGYVX)Vg-LHaUz{peHJUklPK1&vmdAY`vqM%>37rPeMQD
zCPzLCo2=tWBoGpC@=Uieu`{){cfDt-;d`d~`F~8sGjkB=CGtTN@Z|>^K?(+I@_q+G
zJXkwai)#p`!yq`VUxvFbn@MfhmBF!DadA=_892v5G>W|tCRuBkePVV<3d}JF=lBbD
z7zZTF=N-)6AS)%tL9q$Paf7125RwmCvTHh`&mF`wi)xwuu=`)%gS^W7?paOxp4BAC
z?-|Hz>%ldU(PyVY0Q)uN(CY^Sr&%?Ne&qHuh+sUct!@3q$%&7`W9bSH68NE}A}>Ot
zE12>=O2bj650xfYY11@&jE9$-pv%8f{Y6!QkM&&2Igg^h0FvF27BuV}#lI1N5I)qR
z0KLxe!N#m>FTj4T@IQ%rrNMb$Ez~`yE)D}N@BF;v9J)cdko(RGJ^5c}c^EXM!Xy8H
z%9od5_rT+x`9HyP=yRPE4eP^W>rt!`;8v5DrVg}-gJdIVSdHSO`dnQp@CzUrNotj=
zpJP=OAWmDPyIfQp#?nyl60uEa9yje!wUEvmNwfR2->yBl_IZ{(4&cEz{=JYX&OskQ
z{-<iMnH=(dFZ_V8VBz~#4X8`0V2El!QvNq<WXSyDdhu_55zU2ue@u`b4SV!kH12*5
zyPuX`=nlJw#|z$1ODQCi-AAN71Bv(40_sg4=8?nX#LQ9n>-@hG`XA?41pqVmCFB5r
zrvo54a<IDLm1c5xSv&mLU4YSzd?<k@F?@VYvB9=WL9!r?in8$m8=B<X{SZhr&g$g5
zQ&{@fB{Ez~)h+bp8#eT(Z}j)m;r#;oOSxxivN1!1=8p#<6JGZ#RkZgjW2{c^XGNbB
zy;VncMoh}{=<GJ@XM8~%oc*!|_RNOi$8JUv2OJ($di+!t7Dckd;3C{-#^nL`5uFhS
z9JB>5HbDB$_!!AmC53H}EY@#Mw9hZbi8*K@NI_3=5DTCge4>b5meU-Z>sg2Z;#qpC
zDiju7YK(!qZ;1oWkdc*U#Y73+T4XNR-pRgp`Wiy(1E;&F8abG}WdaJCUmHFLP&LQF
z8GgR_A3gynp^M-OPJiWP{X5o~jPx$o+AR_zO{eg$sW+@Mm5eL+L63ho|6!f^&bX3C
zD4bf+*b1M!mi-lhY4OYZF2?4RMA``_$pjxG#^#m;K@g<llY|iyf+;l;<NGB+(FcBv
z0j)Alm>^%kK-FAY^Z^UXe`VJO$#rcG?<3y^*ZD2us}V_&(O^K5_(#acaHEmb7{=y=
z0$3DSa5TP8hA7q$f(R4!9SdgO&KJ&E1d8d!lUj>miq~|;fs<1E^is%{Ijm!%;JC1Z
zl;z>~+#r-G)@wU$5!m-3Wn0pz2hm6c3}gHtPN_glR1P)(v+S4BRC1Cc`-&Noh!`Z)
zVv0t3WB6?l3ideT!Aaph3D})nc^ni9%<35E7eRU}v)C~qlv49y%dZNOeBm8fT-A@o
zp;?r9-ze3rxTAm0Qm{Y-y2v9zsPA|%$NuOs&LZrXUJ9wT2qufVC|@`T2P$k)Ct73!
z3(dhqas$-XzE%$vm|wK<H+F!T%&i>xbF^WhYM22Ogs+s;_@a>w7@&MYk*+61a8d!E
zI-1TQwa-|nH6obxu$q(7g%nvkR)`MYAn27$H1eBIm#Z0p%yhr0snXDW4zWTWQ<o)V
z*uz3AFu^J`4q=ZN6qsEw)CGc)jA$V-A&gRkK#I{u#UsD_ZE@8+HiC8xD@V!15y8=d
zJ_UZ6_*%PCWN56AB>r*omy*%QbBru=!Y7@lP&lcKPl9OYpiv+gl|u@%=`$R_OTvrk
zrK|W=)+P;U;;W|~5syax#_+?(d1S~6M!}&ln{LA@yxIGx%u>HnFgFWy{owp~P@vkd
z06Q-o_NE<+cm^#7!5HEL!vbKT=9mO~MU(;2<_ZK41fr2$7#;XHkJ)<Z6tdo7_-f*$
zs6fS{k=qy`3qlcDRw#T_!lyt~b_k&kMvX)NA%j4TO`6OL4AJEuAtP6bMj|l%UJ-r+
z<&wkI#SJs{7yO~)5xD-25Flm?CZ*Tz&;|AdqvA+m4*fowTKv*vrQnbx#5myt^=PCx
zrtt=$0InGYd{omX0~?E5Dia$;P6@N@lN!MLNf1*2zdyB#48$h=Ysg1Gcmp2vC7+fr
z-Xn#g93ScWcNCii-F`VM_|yr_dYA(|3R$)H2M9{`lOc@Z;FAJIB7Ds=1pVPjgit|?
z3{j3rSg0Zvn48)Xb3j-jYYxNc1<o54sB<*34-=$KSl7YI03UVrsdEZ?mJYjyh0bDu
z4fuXxKf+=PHO6|eZ!Hv1V9t!oybcQu!U9teYPGEp#}qv^)H|^55-qrZ6^>waoAJKR
zAcMwOOB())!vgXP9tFT1q0sowygHQtIEWM~Y*I&4M$Z&#3jRJsV;A)frNGRL`JN!?
zjgne?H1ZV)6i--(JY$2CCixUl$d*cB<D+ueVOuG_!|KZTsP7!G9luN-wa@q{Fzah;
zZ4GARlLszRxp*iz8?4N*4m6b(t>p~Da?<7+Ru{zwP%a#Ne4c&AelmgZpXAV|X1$zc
zI!vLjvA+*d+X+c`$&g*)LsA5O(N9!IBS%14l!Vn7pLyWuI-d+yEN=CE0u+)LX5FRs
zSc^!OjD|4esYQX45~D1c5n)KZVFG~~LYC}30p;xHT8Q*e0GHaC3|T$FzqV*|;e%7O
zwE=DO6yYa$KdED^jSX$ii@LzogeX&fm~(%$rkbQI*)ky{2{A(Way%NTh?TWL_yqTf
z5S(=CKOCq{5TVwDVAg$VFSLSX$uNmSbP?nDnj6u`7%byqnhpB#ooHkZmLCuG7D($b
z8fobt=$b1eqbBebs_`ot>4BAn9|Sy7Qzk}z7lB##t7$6b%96Pg|3^dP`_ae>tba6w
z`&kT*{{3G-2U`*pQXFR2=kP*rUzRM9B;*ZZ9)IdC8hMGeGE8$ouLVXUo9?5mKf8}&
z`#}9H8aa&huLm7cNl;)3m|eevrrwn-SszJAGGd-^3WNrbVDQQYp)l@*G#riX`w!k~
z%}`W;%zwvHl17qkLql{BgZSg*Xyo5}*Vt0`t{+p5W22E!@INtd$c3WdGXJ?&dxj(%
zh5j#L570<?@V|uhoXWvTDSiLZs8kmzDo6gm#^I!e$Ao;6S_8tEv^BL*a8jsIpFSQM
zIx~oc^H~m#CinfP1bXj~8fa3&LH(~H=`cy=!UIURdAY8VIvlMP2KLXV7fWT<U=DqX
z_kCl8lj99@r~w{$h}sedKT#pe5cE%nvVXG0SSCr0`(;ulOozfBu|um&6IeL_=FkH?
za4EGVHh`a{kQD%u-XwIEkYko3vn3B{GVBfK%;KzkDZ1SDFf|rqa?mEUI9-8RtK+yq
zgOw>O@dpWKf&#NXNF7_2q989c$C!=!OQY_4;(-)}B6~md%wx)m<4|}EJ5<E1jx#Ti
zITV8beURE5rzl&2IsCtE`Fn82Kysx<{CojQO>!+bTE(}QRhB2;vPgkB4}^Xkq__O&
zaZGQq)VyeCs_KY78tH%y;-&s=>_-+3&*J2&dz?%LO8!h2k`xB#e+1RyQ$xtTmD4by
zARN-K5P8n34IkC@t-BZT{E!NTtQHVjASh+Ik}GEGtJHkT@<yFnI2@lFT5DL>1%S6H
zQG#z^4t+i^v<BtKD5(Ae@n<(Qatb?Zm}ZBb>?0bvjV;4Ny#|W)K_g28&0NoPWt6J;
zapT^jk*(POVZewAMWN5f=hn4CKjnc&u3<C()2xZNaI}~2Kh0v>YFA(eWBEGaq-5hG
zViY?6D@lQQ1OPWiK&wp)SaX<JLO&7)lu(-nZucuNb6_Dh37v=^4Jj}qu%xL7oiVL{
zC@??hlxdVfFcs{}wVj&4Nu&M)iI%!N+5J6=e<C%JfJW-!{1YjEEekk0**99$e-QDI
z76rEapC}~Clc8w;6NT|2G%^Rr54cwazlnGEWM=eLzc3LxSz_QrZV5-H`To;Cg;;qq
z1T7?yzn5II5RFX3`EL?&xi>HI{Wpn7v(lm9HZaR}DT3E?@-@bS^wliS9~dU35QL8R
zzIqwN;_7S$LJH*5YbK*h#R!A<Am72!=0D-gbS!UDsfef5Jpeq6q0`4wcXBoTycntx
zC*T4I%NxA=CDQlzE6x-OvvM`MT=ZYFyUAclzOHK7ay2_#7@83R*m<+ej9{K3vH<Y{
z0~wd6Yq}XfIZes}9l8C=*g0|{Jf_g$4qFeLQS!IRzdMgq)w-$A(yi~TM(zT{&z|2}
z%mS3Bl17@qp88$=c{=W`>a>j8IFNZuC4I-*Qomhrr*XsU|M&67;sN!$&*yKkZ+{%w
zLZ09LsJ?R_xdSc5*p1)G+`J9=lfQNDWHRisNMe5L+@a!>z34I#jZ+-t-0@c{`|tmI
z-r&#vJG76tl#WM-8*x4LQkJ%a_9xy8wdc3MZV?mFE28ayT;>1Y+|gJ4uEAQt|E26x
zqng74K>tZjdl6IWs^){|xBt(cljr~06Q=g^Z|H3f8BPwe4X#q3l@$kZy?$c)pj+xc
zYl2rqGXZ~3)$gocj~LW+jHy|47u<1iDR953*Dt6CM0X@f27dSBnmWgD<OQW{O4Gc&
z@*$KWiyVvIW#;(!h%uT;o>`IBQ6J~C;yM<8l!7x-wyZd#uHd5-4ne4hMemtd!89jh
zw6rvHK8<5DA8qodfzI_IYftX@i+A<K<vaS#^(BqN$(mKcdqeB4PSq{mt6YC1ah6+#
zw00&(jSkO$&;0x8D`{KviLTybmg{gb{<utnOM9TR@`XUcs-3$fvv-xAI2WB{v2a8)
zQ3i@{49{GseGtprewY<_xfx?WRKLdV8HM9o-6B5ztX`6f<ZL{nU>^o^ax|xpHH>c^
z2XO(J`rLO{<}U#;gSW!li^xb@8)4O|Gw;0EA)CrX6``t#CHu6PGl?seTm_r3wI7TU
zO+YLgTVHE1i@tr*i&-vvibL<lnW?eWhYf~VuAvs(ywr^^;xC<>2}BMkZcZke=Y?8V
z*Ok4rozTSrB%aB9&~#VfcN#-AL%jC$E+AlTaq5xelT2ITK47?I>3|`=@nv&T^O7ye
z9NXe;ra@WE{>$UZBzw2M&g;sw!j-1e(IxS|h4T*u>*k)(+H<Ss*z><L)i=ow(#)?<
zOGL#5By9KGR6`|V1ue+DHkN)!l%Ff_R}?P^R)0VKP&ach8Js_Lam^pn%N;uinRf)d
z4YnoUy1kCyorvoB#u)@Qe(2oN+-%#QUG#Ey$cU;w&0z;aaPJAdRIG_4<JzrbZPQ%O
z@6K;bAKFYH3-BW0ozQko&%U6xmUL(_XVl#4LFI<}f|jht4+7kn+PML<6YB3i3*)Q5
z(zJzqHt@g(JgEMRP|5z6pK68Y7S=TY)>l9>b$oH2M)T4Ev5|z~&u-t#{3H6bgI!^_
zoxqI6?Y-AaLD|&GmeYqdZf?q-uNF3MHi#|d_88-ncUO-aR1BJL4tmNTylb%7F5X{o
zY;Ff-SSb@yos|^^K5*H57?oRS@$N*gQIg@D+R<>N-t`Qo;yq%avv<vqUGIzo9Cvzd
zCGE9RXU0w&de4=VPo6!x>Z@#Vzrz}sd(!F{IjW%1dHwRCPnos$+o^PE#pH2~am<iP
z$-Sg}L{O%c?ZMddZt2ku7nw|aY2#Lft@z8U0^AR$M;V%DZWB!khf(pkix+%mZ$uG`
z5G@{F$tM$=>-k3E`OEuD1@NaXsFQgiUWFmFPONucWXt{SEMZAu#=c5-X~&88S<%;L
z%1_Aj#+1f*b{8`HPKNxm><n6o8=ka35j;OzS8v8D1YFNDBYi}Y+@Hr+Oo2E7I?nP|
zZ?_}qC4&9M)E$xdfr-EHHYFNwC$9zahK;aSeYLx{>oxWDstr7L2H}kfFTLjMb+TY4
z*PVIw>uy6YW;NcvX=|Kklsw>d+x>JVAW}8i7kH~mvCo$L*ZO3vCA^F=DIrREwczUP
zT-me5%3Lz>PP@8Kh<)+x<_CFt;D<+4Yn2sQ4BK|zw*2mrx?R%wRH&~gqrmFwkGUSU
z@TtD_{RTX?nWd@t9nnfv2Kz6#Z}Bg7D22>6>gFPlIl2;O7A~a47TvkDsNq=a>0-v;
z7s(#6T*-__={>sX4w4qf`!#q6n|Wuasr)o}2OnB#on@4w2A+;)7U+JnvceP26+i?(
zZ&Ri_Rq47Dt2|lZon_dPN!G15DC#`+a09l(#%=|UD=tJd87%ZaQ61zIrafhE^nFO2
z|I$yu>~gvDlfHe=kicX7onOLttqsxlS3T@XvP4`pBp#ILIgc*6jovX{eQe?T{{WRN
B5R3o-

delta 12605
zcmYLuby(Eh^ES=W%TkNdEZrdpN-wcUry$)SU6LO_KspwbZlwjJQ@W(38>CaEQ(pA>
z{;v1Gz0S^=nKN_Geb2S~y9%$P3NKy;RWJx13P-Jlqa73i@XKu!Mzrw6`&NsA&_7v4
zKZljo->&Z!?K<8bE1!5?do1$J)!<#&9Ur}T^Hj5U3TEs&ew#?@l$brqnXZ3TRzs5e
z%$lmjv3&QE?`iWTviwnWdfcQ6-fy9+Vf=|*?B)C08Q`aHE99Bj6-%b~4>AXBo*z-h
z@wqAcB0#zUup`UYYpkiUT(n|Qyno(}XY)vM^Cv|cMjszVLaT#fi#L;cb!W+<unr`-
z=ovS8V|;q^OY|$Mi&~FE_iLf6#Bs)=sr`v;;Cd@FO><=mds6ex{nEAk(a9E8oAUCZ
z-Jz{nT@SNdzSqL@ms1(>Pu@ctofmkP*C||Em;DCt0QIf2&<&@lmrMEjVkULwWqa7h
z2JTHb;!bhzc=l?lDq72zg^14g;r_y<BT0ir`O4OQ9yQ<ew!XKejB?posn6fZ-WSyG
zLKsV(ztu*cy*B!zA&4*@xc$6)JjU_zXzGXYDXwR&(TA&^+q(1GdP~jM(?oXaNO8|b
z!znurTfi+w!lupHTxI@O0Z!Z4iWaImW8C0buTlm+6*Z2cpmSM_oZyzG{chf!S4%!G
z$aY-5q=Af)^L@Qxv1_xRhEuyE&QvLp1lG+lyM~3^sW@1VE->rrV>F3F9-Khxezon+
zhK23$bUj@7Z73$a#O?RsO6+f8X2v^B6<*E7yFg{Fq2tNkk8RqoG=2NQY(||Csb402
zJN-+tkCOK@^|I$$<W?GlylPuDNvh7QJlYK3u_P5m?M5}GTvK3GhT)%oxL8vT=Bxa6
z^J;>9pE7ZO>6qL5XK;MW_2I%rF0I@l5Gv~7Gjp(Mv#pU`=NX{8X18*;&=%u$K(im0
z`yQ}FFL)uOc;*>UA(2LAk?Z>i7k}D%F5HBX&VKFZ*616Kll${`{pix4pr48s0Vna6
z%`Q*hC{?udNuQCW?mhlerXh`i^}h8j=L3DuY6%~>Do^oDU$bO0LZ<J#dg^kB0H%RU
zqNES6YT;zxRQ%h$q*Ru4(Tt)lu^FZ9dlP_sDz`jTAk;u09~HZrp~7Q08ZU(mlwZEv
z%KG9F3iK>)fYS9lj792gL?Oks!H-doC9#9L+*-!#YD0hLUlr2UWi3@Vh0P$eeiL$p
zpLv@s9d>O^PUD>~)q3^I`1_Ik8mi7eR>k?IKp9b-N2?2-pUG3}?glqg6=wbLt^%Mk
z#%xIH*)!jnTk(1lM+KhjB}Ee!lf#Z`Tg7=^-}s5Kdkgg7TZ_0XWr}0*B}^Xlqu+M@
zb|rX@1hWFS&dfd|vzul=Ctbg^;xer+Z!okW<3!@#<fEIVh@lJvrd_A6CVB6yIE>tE
zKIg5LFy$O+#c!Ys^{|SYHcv(gr*r`1)zcg4`0mM$WDTzz)5_zC#-r)F<_6g7&i%e;
z#Wi5my?l$0F<2|-@YVARYKUzz6*S!8{p730`IX%nsIw5-tG--(4Ewm~x3L#?UWPGC
zlF2D3i@9_`&z;TBZ$`H+6X&P|?1~o_4$nx!=qT}bWPAhH7X_C%TAAy;LniA1y3+K4
z<HZg*?ep}yb0MtQvU!K*0fS=NM<PKB=$#+8lz$y#q<sqm*V9g=EFG`w4}WUoOT@4f
zJbhGTYhZK(<|T<dhptL)F9-%~r+3^-6QR0Oml?7V{4C5}@H^)k1+a61Rv$YvzY6u+
z7Ks0R=v3x8%z-KW$m)wz%=s%)U{X(Ehxt3Rn#@%U9{Y~^Oj+83S@ul#ui^8t)bE{(
z^o@%~lW)_bBZ<>*o?w1LHlGLhzvRixvc{kI^9*(RkG=g1`whUu$(3}4YQi5l$*M~K
z0p}_8=%K0Q5pPaG7xG-dD92+ebZMJEXqPSJvJcQbO^+KK-g9XcT}&a61Qa$SDS2t`
z-aX4|SPy?@_o_4!y|muuv&0cr$5)kF(+j5h!nDFjvCvD)&{wbM4|avwEjrJc&r;!|
zEh>$A`@YSk9>t7KN~eX%3p(=`o*L~`@D`gHj7%SEH1dPD#-j%+UwM`)NHTW=YTxV0
zS3CECDTV?XcI!L0tK&>B-UFshHreOJ)ji>N1{PYDH-~`a)7oh-cBM@|)>=_$=c0q~
zOd^k>b=5j#&-fS8XQfcXcg1$?H#WV5C<hA5(=k1g9r8b>3aw!d>=lM&)*o6i5so@v
zmS!bctfBKZa?Q%a4gr^8jsf9KCVASQ`>XiJLREUR@P@~Is_oK-wgB&Aox^YGt8&e*
zCRL1w*E@W=?vXenvtmL%QNy<4>Ud@Lf@>H=Q|;9w`JNv#cg$z7_AP~X5dlK)viGgr
zpr=&`k&XeC>;p<+cbj(}UMaU0*{WX~(FI7JXT3>0BUu$>(bie!dv6vj@UCE?@FFIA
zD}HoDbW?LJ_E7cMdK75rsII7gRok*->P7T+f%Cl85K#T&*`htjd>B4jQA<M@(6+GG
zgIn?EywoVaJ>{-1-@D17K%D%BGDa6@yxg>|b*H<kywh?*>H=4HT{G9jdcua?FIFjw
zrzcfCLN~rtpqtwtdwZU!o)DUUTJrF%Ygv9hB}sblts$bWYzF}I1T-eviu*>;OB^~n
zkr^r+n&=Hoox7M@dZqnw(w(pmJ}FxI%^}TYlH7PV3srX^iA~RK9iZsbH|LHRzCfcm
zZpp?M_TOVtxnGM-S50TWnY8~h*LzoklP8Yf*(gQ%dSxacO7gtE!Jnf4t}BkBMO$pt
zt=%dtIJJLhEC@&?KSom;+%L%Y{46JVYxFcrG;3nyRYTXnGq;p&w>51R%bNAqtx#j)
zh9!4UY-{XhwT<t6gUigcv@WsL_fVp$CVDxEZHKrM?lK`?>gwI|@FBivi|Tw~31h(u
z+9PP(6ME}Ucp`XizE=nC(!v2;sz-e(6XPc9gOz4ihg^X3^iIjk#g})DY?`Cay_;TK
zg|(h(0vjB>#!-4-luL=+70vkLhAYs*3Q6gvBOjk1I=sy?8#&qznDi}Cy(lpci<T?h
zp37gTSc<U`8yG)y^lzQcOt~8{(s=AyHcq2XJV!Vz@!K=UsS4rTwjf@H{)2n;%Y;g#
zM;TC|4PgO%8(vk|6-%2*^ocorJX5Cro?FM_8^XyKwdr&R&BUP*=m=p1!YH3bmJu@l
zSru&a+~+#Rg$_E2xlFr*du=~Y8DV}8*&1Faf6Z7D{Q6PU9;Q>8a9^B1aX3j8k^T#^
zmvb3u8_FCyt|c;`G1n(nu+x||sgREA*AYjTw;NbMEfISahqx6Vl_935O?>9%NoicR
z>v&Xl=Sv62%|o9~yeeg<$K>hW+O&Ivmv1|o%7U?tORC>c(`>lki9G(ZLcMimBjFd{
zF&5x9=fGkbH$JBAolog|>iCOkySwCT+md*3Pv!A1_X>uDGeZ2|<D5r#Gt|nb<LV|7
z4F(u;0MZK>?wZC#xi)v5!dke_Uv6(<aM|j8zAOLd2Q__h->t$?x^c!ezntf$7B(AA
z@v>xrx<vnFebg}Zo?gxNt*T91Hi3CQVKos$q37FARUDpIQ;qfe9Mt3<yJ&}m1o+4X
z%yeB*!aWV_ma@B>q^YY!;r-U-Vu{L`7bazQz%Z54pVx%?ui}IUD-YyW-E}$JWsPl+
z113HDhdiAn%etb!%fy5Qu&|%-`@QlV`W17hNUcL}lgypwvZ_N=rT@D~+rQC}K!{DX
zYxkGu?oc|r(X#=z+SD6<7Zx;?qR&OcwvUaE^;C*li@LSW^?xp(xm=Po`&TKuP9KTK
zTLEv|d=mEGc^qQ(o-5xion;PMQrX1}53Qy0$xRO}Prdt;rMWX};e9Bc?rbzz$6_tk
zB{8>dm><Kqw+)5cd<D`PNgQLM=VdL;pIm$}3lsWtMs5^vhTU|kQF}W$wd6Cgh~ErO
zu$Z#8@juLVTi7o`Wu)?~Z7C}*-txbw{0eBe=`XQtDL|fy&(I(O?1Vp!J+I&AvlseR
zt}p+lkkP#?{lcKMN=ez^aC7SL*k_2tYaSP`xM-Z&&L)p2J2d&o)A+XcJ3jd(^UrKT
z;bAVnMYf*LOM33(Ty^aq?%&J9T|3!c|11}C?&XP&;SB!N=rN4%i1t`{(iml>e3%AU
z5cG5C+<M&?knL<HVW9LO_$JYM70WUNIzREe&X97^Z^$h5?wk3mgu(+htGO?&{Rf2W
zLA9QR*HBepet_o8sjt`3+v8KOW}45;W5vg+n-?-gZzIGM$`lQ^KROY~r|;Bp-Ia)m
zPRLt3IOe1tl6<n$yck^{iH@O+`a)d~Y$G!$X{<^jW4G>=vT%rUxN;S)ej}E-F0zdX
z#cpPw|9IcS#$D9TGW>R<>AvZgfqc?Z>X&Cd)P<7ARU>ao3mfvRSB?K9AM10(Tt!GM
z_~dV=ShUW!<)}{YDd|}njxUsE;Rp%6j863sbZ8{*@gq-2Nw;<5^}E@{9A8jX2Y%hX
z5Jc#=!<Olm1S@iy&#a3>{b7{;zF2c98McW6_DB!uLt5VmdmYa}`|}10yI?VL`@rUA
z7uCKx&o@+aWH<OJwVio8_BXq%)|gVop~Cy6g~{|IWqjm|daLfD-_s-7PaArC+-m)W
zREhL$UOabwD#uS<;NZ^t*3q~B8pv5!p{K?hCv0swu;0UII;B2QzE&VIwi{-huw^m4
z1Lsc66+%C=SSk%g<2b@33FXnGYt~+($O>6oe<rYrH_7pOoOk~0Bnffy?&gw|o>m*0
z8Z<xRK0WmKdg+f$#FwpzSPr$oL18Mp@W~JDQ1sdbS}A-2(SEge{Ll{^W5B16yuJZj
z2dBR27H@d@9c^AHTVIYn>HAGQov?72W-{Y`pzC{8>}b?k|1L1VP8E(UV_Is2`o;w5
znVW18+|~vtE>buw3zeU3Z!Y;87Z6~~>P)3xj{FgO?zqBCv0~KFUUj3d3_H(T*)?~h
zL1Y6J8|-Dea(grVb4SCAu>hL`Y^-aRYb*G<pQR!5x%J4O=-GNxzLnYmtq{k|gXrjj
zws>LmU#YnA1=CW^ye5uCk13UaGAE}`My1dDor>ohbl)8J@|?QRS`EciWXE9VoN>r}
zy?&b=Jn@@ve@ahxJtP(bvu2|uazIb(k>%p|lvqV2hMt#vb79lNF3*6z)|n1lr@iu2
z+HgwtN3&mK7{v%N(UsExni*x<fm?|bK`27{3{N@B6K<dKiDO3z{&iCP{hSHj1_BE$
zzs1SFxM|+uCo;B#^1!lG&@(d1;iv&{m@jf`Ix<pm>E8f}=F)~Gqi#tyxxym8Tmw_4
zi7*rU{F+HEr3EpkN<i7V?9b~uYM~W$xpeH=*SuWAu#;+v{LPi;9@1R$tYk|P<E2^-
zLps8)7W*~F-QT!`pZuNxhinP{x^JChes{K3_ea9o6!it6B#b)~X{nZptRDZS>v_f|
zGoM&SU8p=qoQsd6RHc)FVkvLS&p<ywiC?TtD99v|sWAP<SQUUkqNDdDs`_(Y!dNjV
zr#vzwzs^@%u>X2mve3WQ^dpu8gNiXSno0n+{FHgPe}}6oJd4v@{!N0q=Em!DSqhn|
z$QCsQlT1bSSXO3!{&3Em!Vk0KGWfRCRlOPHdBkD|*)-m;bI9y=@Uu6)QS`1`XjKvZ
z+TA&;^w!nd@B@II*6dMOhNawDJcU4XfA;U8T#b220s>O<Xji!!&^qp0R51y1t0~Ol
zSUMOElutB|{%IZoH0f>~^qJd4_df3Z={i1P?Y&&hU9aHH)AbIhc=U{sq*HfR^5|QS
z<KTHO&O8b%n@Q~woxZt!j+K}f3j}bT8c(SCD;8&`es<vVUWaI7(U!L7(({H>6j!)z
zm?Z|x1}xIz(gXc4J@p<3(TCA3{xk}^tss;l-1LbtLtxfZCHSo+{4=cAIhfhSJ6Y=J
zaMM(`I*u$IHoxYw$HHipagI~r%FkffNm;PRjDCky*Mm%($v21WC5F70fBFiZ{*gxt
zf}}8276Gn^^97`P*U=j12@E=<L=j<MeHi^Le(iJkciR!6Gn#(4b%=iTGdvr5q9WX7
zRkdzG?mDUVc27#2T0$r@@>=aDORz#Ow^B@M{Wku5#+Bv?|4D=2p0{&-%i@uQ>c<5o
z^kdcGlf&ew`x=ngDqlG|ISpnN%+>WNH=JwGvmHqIqG~0HeLf6l6($wg;JeP9s8pfX
z0wTuHqPVhx1YdBUmUMc~+$@CT$SvUvQDkm}e-Ut&q9ttq;=4>;idXrWQX)KgXS+$=
zy=CG2$1!0m9cum*Ug~S?Y|6s1we7&>wT`2RuE`D#XJ9F<?yhZ>eR1W3$gkkv4Z=y{
zb5p>wiRd~Dy)vZ>k#DOL-mu+$kJw6mo05#Z(`ng~3C@+z4bRzG-FB%lOQ^`r5WgRC
zkmbW#>msYjFwf7z-Xfyj^a;aMtwUnnA&iN(nkW4Il(L@wpoaYmPw{Qak1@B(hi<kj
zvOF^TDPew3+L#u+d3&Rlm0q?J@E1;JGw%buhTvFh<9gu@^EWBm<un(u;y#a0EJ$|U
zZf&;jeB8XLjjXxjIy|gS&;*@W1ji|0d-YLU6mxB)K3fFW1V617>WK)7u9vupx966^
zlMWF^w&u!CqK(gJVqZ*L0iU)?zv?Vh?+;Jue7<jMF)USXwBX9k3ZYl$XZ)jRzs3YC
zW$C5oFE3P@Z=Jcm!8uT-8UH3Wpl7+?io02@5xYz?ZTBV7b*kw5QQ~GtY}wM3qP9t+
zKHD1R`bE#E1pL--*SGYe{b$7E9Ob1U%LSQ0s_N!mEc>ynH7MVe@QIW1(slOz^-urp
z3uT&g$X@8wq6uPV$&(E0HivPaS9%$E6g7kv6Nt|ExWTA1(NmM+<k+?qs%Li3;8;`F
zNbzF7|700X2dH?TRMJyq-TiX&T;9D)QY9Gu8Z=8nekgzVMs}@ZOgX(m7(j&1-p$@O
zU^Ua;{akqR;$^%@khr>#!-D>u!r;PohjsUu@L^kK%Csp_TJJ{VYX@onXu4iNo|{F|
zhcPvCe2`bIB4Fugp8|C>gKs<VtdEAq#o~0+8Es|ujaTUpvs#{Q&o94>R3(4Th&Bxr
z5wY*gtX(-m1&*?b7tgL6VU`_Bn-ZV<p59+>3-HAR0k>}5mrI2=n*sL?KFpozF89%^
zLT9<&(h?+AF)0#^bWd&$I%%>26<3`D<3U`TY60Kn&$fvJ2LOvz6RMJrIwVi=VCgAN
z(qxQ3zx`oskH(vbsa+sv%}{HK@0-#BLDRXvU<UpZIo&pnTuC2p+tEzw*x{ROeLk^g
z2Fv?@oSM^0D70A$uICNru&ueSejT+gdz($8)+DX(F|oDzzhEOuO^>Jq0KeB^%LInY
z71l(lT(nMD5%1*jujo%oaffNmR^&Qt;=oR~SwEW(t*B25vfnu8{ES*TKKy*YCsfeP
z_>H1Ae8{m!n;I;UjY?KKTH2b-u3^*4F#I^Zw)ga#AP^kF;mG;9B5NbSzjYkVlFBou
zzf9*`O*y<Gx>nDAn5w}USTXkZCyxYgdABBZ*q9p6y%n(TkR_^K8O4(8-gmo`+K!Yb
zNli6BTWO%5OnPGF+R{|?ljv-zuRtgKG!Egz{jEX<lq<o2lGuO4-b*0s?=g^3!QNMz
zoz75TI6NYvJ34F~ZIW1fl;t*U)OD_(eMazSE1>?XGVb9ohJ(sRV0LGzc0m6frZv}5
zrRom#wAU3+-$EfA)V?-TIT%a_cT<g>QN9-;rbI)iD=5<09`7X&cIl9P5Wz+aTjQH1
z*4B$}mi0Kbs_q!-q_zyEqWHzG_-DtfVHC^tXL=K?q$jDRE!;c!+b+C!!${0ci8iU)
zm{Rpw$>Ubo6^ZKy)Zr@N#uBjdPuo~9Zju^U+7zciJ&InDR2>4hwf6`GvnQz$OUq`%
zc7xX~wglw949v49yG;Mk9$`5(vTmw<<rq7-<(-*@F5Xv~p{l@&#{P-hI+8&nSRp}U
zkH52CoG}Fd?@=s+YjFSHBXZVUx)3v0wwM{=?09G3+inK#rdEh%f)#m_y;~ALOOp4i
z7a;+02-y^5`Y5!E+1}oBL@#RQb@tdz#?1xvyu2YAjR_<TKALijrPClyfM95q8usEd
zS%d^m*(H<wv2+XWFT90dDzbu1r9XSly-3o8s6<Q)B{xd5k>zTY8_YEcb+Qiq>x#!`
zV707gKTUN<jJvXFiyt?M4kWeORymlJmyzWBeK!Mt(;_4>mubLqL|svZ)w=?QlZBf6
zDVP`c%yGRb$~@$|U+=+!g@YcKi2d)XJrW<_#r%NTEA3?69IzB!O<Yf#Zqp)LBm#$7
z_C>;AMs8BH8h;sSW0}aeejLVZwa6cvz$6PSq?1VWqX>5K(7%4l*8V8#i7I*MXSvOG
zNE;t_wIo}xT3Xe$|DB8VwIpURLS0FbmrW<qU>e`jA|!$SQ@`bqy0i*N<Yna6mOxnL
zz`Tawc3IDhga;Q{^^EbiF<yF@-@qaC1$-Jw2@pBan1tNuXx<#O4gM`wfSx5J0+aPm
z)*cB&0a02*GpRbkYh@~K4o)xQD#RPnZ^^h0S>Ba>_AA5XqGywoRT><E;`DVeJvTmD
zvZ`2E!YJNPI{5cb&${7QUfd*gaM<G%16~X<a%kxoa{`a}ZbPokoXbE)y3g!lbos6>
zoqFifbKz{heIdR5JrV0e;K}QXvx|(c!LG`wqa14CbYQ*|t|(It(nN?-<Ok2}XEJ=0
z9hY8XHE`&^qRA^Z55CL^2?iVZL&jv2So2`vu8=%wVlpYMx?B~^ci=4ntcMC*Ge5Qe
zeZ58E^G<eKOcc{EfWVgvB-{R^V^igC_5M6z{S1~1<LB=L`s349AL>BQf}uMDkEO#U
zRR_b@B5i}{{!IX)`O1yZJWGF^cJTp-GT$D6h?PC|ER*mWy`}GW(<%uhOcFPK6l5Hh
zGedtHn!=wX%X%5=UjFfL9)y8@-^~`(U>YExPSb2m8QBkFaI4Lg28%@Y<1l20u&TkO
zz=r@G;YxgS3llCI&PS@RBC@<>k;R|_hS4ZoHvNCoAmYz1MP?afMvhVK{B!kuK)AF2
zKkN>h^y)<kzZK8DcxvCA{+eUQ6_=DA6znc6075ek&(UQVaX1ND^vR)qt*H^d<2h=c
zL|X7M3F%2YPmGJ7i(kd7q}4x)22jjItL<Q@Myk0cAxRWt>*%@Nf;4cY*=!!8nJSWM
zLX>tFz(wKOtoaPlxIWg-BHOHHDqy$!PL!!W%x^Ejy?Ha#G^QI5#PCq{Eujb8rN7D^
z^UavxBkK4{)-;6n2_#MYaoQ4$`4uWvA(tU@m^2z?th8;1(P+C3VwD9%*g8JiF#h1T
zW@Tbb8mZi&>S*5-Vo9O0hZ{_zS(1jRyHC6Kftey%aq_w!5hvG5Q<9l#B|b`cW4=QI
z>80|1;zCKmYAOZ7+iCsCo6Q%fJY5&^K&H!(2iUIV2|Rj&?H5}gB2J$Rs?oR^`qcyS
zdGdqGA>YsQ)<={A{ut<jpnhUyVM>{-rA3pnU}azgwOM8UjQih=zDr|GCMl=Dlp=je
zvRU<kH6IpTB|J-Ms`alPws{7<B8n*_oqmcWWKNj=(!nn!e=>f$ibj21RY%78zzI5I
zET@FY7Nk{Z&tvO@#OY1Lmq~3y67r&xco)a0;r(iWv>eEBLuCWRAWtkJb(zo%ks@Wy
zqYFp#S85n?X5+&7M0I+|n1uUDD@0oUNXeLao9#c6tS=P}E_z^$2W`=AdSHywng{hL
zzYTw69BH5u#DF0+=7kcZrjdk%C`Nv@Z5X0d8~`!N{AHp1qztuVwoj}^wGRmcHpUoR
zpnNzblWBvk!w&oEyc%&ZKw!dS<|uBCl3w=N(d~f)nywy->1_=UJ(O?wucbC@9;upt
zo#VdONEVPGrj)XH$>yQwmXtsux9m+B{-2gOmD*sa=Y=EbL|@GuaM*`v=4M1Xi$0da
zd{syOpOygn^$!eepQ*ajYUJ+olWEnhW%?>41Z_q%oANJW!p@g9@k5MNw}VBWG4N{O
zCTb||9X!uwghAmVw$@Xo_zAh;(RBPp+U_E5qzNSO*xE>L`yhVYPS$vxaZ65hX$0u#
zkS^5DB9wtWxF{!VW-}u{TtsT<83Ds-dYAGKAlRAQxvR7=%S?6#b{yj<<j6Yzqsd}q
zZm8_gzbdma;Zy5e<5e_e{eZsesEB=qsqg1z*dpGI^RNFnHAi&8DwGF4#z7pQSG&}%
z1LwW0b?5HwldF6yNURj8p@D`7BJZ~zQhVq#<#)8JjDOQFuTPg<ElK<UE5I3VqdJ+j
z5S9UP3NkqVCxt;y!r~`XpN4QOW53Q{F5;0^)1_cu8zthLP`;hDaPVb);I{JzV5ub9
zXyE;CPrxv;@%Oyc$7qF0>^nID9hw@XNQhjdE<v)Gj0okLh0T<6s@vZQSNX=NVX;2^
z;X$f<Cew%kr`iYpX8VGjH>jT*9m&gnV7pT_qTZXqyS0^BB8`GaT1kf@Oj)}MD!z)I
zs~?z`V}DpT9<x2D@j^s1^Q<mLvR)3U6f4?i7j6MRCk<)D_@nLrh8e%yh1)CE%r$u6
z%cJcoa@Ksh=uQE}5cRxhB(GvlZ=)X>ZV?E`NmE<@5fi4W0CL+I-*)9z>kg*7rScr1
zSEA+9w{xhfTk3y!u4mW79C-!z;dF1mX<j3NC@x4rK#a1KY^EPyGCAw5HD?pcVQHZy
z^T?x$pl&EIIaA{O-DOa<(UPm-#7t62YE1nP>(axpyr+BMD2||qVHv?*7<dE3t!uZl
z!0=H?sgrqRQQ1&GDvY~O3M9o7OJk8y|8Jd0$jcY#9ZH9Po!wXu%d_ldatla9lX=Vg
z@XNujw#pZMJBYV@l#7hIydnQ~kx|jEvFlUSvmY@pErlam3O5^aiwe0@Pip*@9+!}u
z<YfCyKRfp^g?LMpK3oAL9_|zx(&xzyz$b@oWY&<i(+h_>l;%dNvb{z@N(=zS)<aCM
zj)$0@%tvm$>SFG+z6tyhE&2Z!aVJj`brxw^jT=p;FWoHdBq;4p$9)f_2fvpf4>hhc
zJ?YE8yFlB%V7wdcKJfDtr_cEMdVR%hOa<c>MGLTDg;E$J!RMSckGsV~o=`+}*CoU7
z#qbWX@`$7kd(eLGGT|r@NnxUsId}UYq^D$NlR65V@qH1U!_~8n?N?x-C-u-M86E_R
zPdEp(yq$641q4a+qX1tx6I^P9q&ovYHE*Ycwi+QT&%lD#IU?kvMo7tXaJ5MaCUngR
zK#rY*Yb<h@$WM%rCKuppvy`bM)=MNtnf1U@{29Hg6+0LCfYC#OU|n7V)ZT~Wio`IK
zDQzNUo0DNfV%<YfE3DqOWY{k;jA2TfSlRAm7^!$SC)A3MN$xAG<2SwQK>Q$^`Uw+G
zGEo9Yn8BLMDHBc(k;^u|SFHSWG5`aK4<3ef5V^Qb=y&I@zkra_n&F1AwZFMSVtjj-
z!-lT>1$2!J8F`mN*)`Oja*f28c$XuBKKzCC1{pH*E(NoTv!Ht^8MZ18=caUxkpGbk
z!;t9y40R0c-AaZ<i@!L;`c9;dr}+x6sE%C0;V^8PNT4Sv{NeKayM8tqK&7yIH5qm(
z4j+NKhRJUx!>A;>hbbLndv}vzk`iz(s9likQ8KJweDEM_j)?DtCNg*D;qubE%HWPj
zoZpvBINd}+nphb>h_9J&hKXDR!qRj3ZkTYUiPYV~(#+LwnQ&H!`0&E?+FkCLa5_fK
znx!sfX1|eIa0<1-q^<z^a+3x#>6!pU=c&wU5^AB%Z2$u8LS`~L*Xku4KuBN73}u*Z
zIY$GC&fgCWm;3|vbW|jT6dEH@?!el-T0wFT*;z=yl_~8adykW0;S%s+s9l)sMKY{R
zqI-zaim>k{88#*n!bSO7L<&_BX>!Ne@VHz8!ze`qAO0IihWSZgkl}0nOK*qBQ~)bo
zIsB9d5e|Sd1XihH?syPmK)62dB$_6Ayu)Px;T+B?ElQd#h_0*+MtrGfB8&xqYzt~C
z$8M3`8~;_M<C-br`@gEFfL3@AivgevzEymJ9UcS>2u~B3q{92ngLn;u>+uc&X!zGW
zh#CN-&p!r9LXC(0k-+#2wZX(iSAcY7hkE8;zRR%^hvFacAhdwL08arQ86%(GgP&Tq
zv$3PlAvPX7@=f9=V#LGoP|UXQ1+Zn&VCvX`Ihg2Nl5;4CQ#3l80m(reX*6W_t#!vz
z(LH^oe=ma>3bF`AQmX?{!(=9+E9OSQ+AP=3$d5!tDq@<LoV#LjGSEf%pkSy_I^urA
zRmfvOkrKd43z9}hvf@jQWdv>IoCd<u(7`n(IhdSsbP>3y{}nh(5@Lu3GT>XqrQnQ*
z7o+?bp*->n4he$IV}jpw1X2_g1;MV-IcrNL!Fg$+RN(+`5G)b{ti`K_`hrZML_N@@
zv6O5($0z7x6(%&f)g%b_kwS?@V2~zZM&2WAWcXuA1H$wlCD_P*YRSduHLC`~U>F(*
zENtB%QXWkg0YmHNf;#d^aY#WDFhB<Us}OC~c(@R1o(_I3+8HT~SR*jU4NFv>j2xDr
z6Ig^71~f@Np@1dGn-m)cg@C6xCs92}V8lv+4Z&-;1_&t)98CNn!!J+ed&pqg+U@NJ
zOi?&Kct{YJ<W3TOVFTJ**mpdzuzABAhB6kS8%pOq66mJ&NebeP^$#+W4)O3x)Zh>J
zHSqUTumtD8A~KoJY7W>4I5pi~M(zk-Er5-%prP9eHszMQ!$y33^wLJRj2`0&UX>&P
zHlq76-NSUC>3YO#ji92t>2i*+fW#C^eg%G+D<vnXp@k9q2ad7Hs7O5lAuQ<VY<eXH
zv}mOvrl5Zy(~6FVv!ex*<JU+&fx(F50*jbrxYV_A5F0Q$yB;+TC2MI&5P%adVx8iq
z<}D2wzyURx<lw1ANkis9<nv^)AgSR_X$4hj2t7_XJG4ZSj2V{jA+U%|MwxFI2hq(;
zXVuFqpcX0(xxxXZ35-!qeu{_3{|nguo*kA@6xhJj#pQB{i-2>`Ircbn7z|58DDlFd
zSvR<;tw=-Ia36vI`43U5l;Qc(5Eon!JG7`>n*)|m8rZ<rrR+kDhrr;ZbL@2%Fqo5u
zAn?M|1s16$o8sXc|2=Dp2bR$K?^%3e_=pf*I;$RD4mEli2p=B#{QK$$&m}L_Hl-on
zc>koqg9k?3^3Ssr6FvgQ`?p|#fYxIfh&ukiifInU!<o^|$nmRD&IDk@BY`<g=v;-Y
zb_xuiQ2%nb^7w2#obWA^7bc&yMKvLGav&Z~hyDXMjKg^oAHgKR%j?zi!!I}`>?8Xl
zXnLz1pRBQrhA9Dlmg_I~$c-?V{$p^uOkob_9c=G0SkOF&l64TEkD$T+ryRH*3VCCw
z>Ud%LCf})%HlC70NYf8FDeqwHG~gPu95U9Q^bzIQ7?}cNSEL<8h$L~k<6wH80)@bS
zo$9yfURux4URGBzm2c8V9AFLZ<2r?eTZu`0?4yqWW5dbtwR3Q(k&136FOTecL^$W^
zi}kVPtSVl%1EMrY&>P9sq_u*Ss&_CX4OqZDg|g_3KBE6$T7)Hl0>cfe6dsno(l~ko
z9E8D;jNh1%2WE&61i{OpuA%l}3Jm0EfAvgUN)`^e0)tvi+M{rq7?28qm8<0-1<-3x
zN4j}BWO%ToT8Cs0X)PFGDa|YB)$xOh3=AZ|MKB)JS}2o&jUnO#=${NlMJwcSqq(?+
zrLR{pB6ngW7lYTxNkSB0>U2TvOz7O|wh)9M;va~$%HWXqkZ@7!A~%JvaL5t_)Myfq
zr!)qK91?$+)27AY8y=xjOM*k5K>lICQV}-J67&yUYY+tK3*axjs&O=!kv1uks~M=<
zMGX<K5@v9%Nf9Qy7emAd4xEe94hJVkA<qwuo&!tI6v>LT$(0-u>B@M^z=kZ!mmI@H
zHw>&|L$YR6j+OT!Kz7Z?DW?&zG?u>`Lr`R{LS8VMx@K5f-Z3k3Cr|RPvc;Q3!W7xS
z{MPY+2y-q&geUIbjR7^XL?N#LP3i@felR}=k~QzaAG0FJZu(e8gAHl(@qw<@Fkx8?
z5q7vCN|Y9n1H}q?`DlCsVW~lA59X!+@$yFG>n9pdt>l@QBn4$b-&GPm&*I1*^k-s(
zTNMj12Q$2yf)LJ)bK%ep>x;vO0eIapBUL4%Bm^Z*TPlz<;x#4$B@4QZqgDj3`^G?3
zna}n28`Ah6;jfvbpPI?TV3L9-Z8`4YuVrOW3ZT}wN=k5XkikA9$XD&H?w)&pjU<^^
zuM(c6K8CU?_y}5CE=FNG!_sdVJuiIp?k<~dme)>V>U<*S4kve6{t&R94<N6Rpw~Gm
zx-(c9eS6LV_oS{hwz-iV3yA1jq^dQxyRjS#2$eT^_-K2hJ@$txE>_qMC_j9#rFiqP
zM*RlQ0U)l*&Ql-njoz=K<-FbvL9xl7_LzvrN)L0Fp8cqP(`2jgR#`@reruq}-_5u4
z!n!ly{C}r_jHs#gMv?!L;Kz;v`pn98tI4m9kG`8s#H+mQ5w|lICa|rvRbb(irmn3>
z4-=df{OIP_v-tn*kInwiK6jtvZvvE@X>%c)nEw*MOb>hAIr-1p;=y}5Z|8G634+qF
zK^<A>BTZ;+cIXrkYRNH%>mek6xNW+oa}}tRMod2%|ND8-5gTp1Hy=YQCBGrY+0#vQ
z{u9|6ewl*7oWKG<$%6Xu7R!EjvdNYtqJAp!@o4<iEbLI&gO#qV7L7~+h1~UT7w?7^
zJ%@_T;{YzNGws$=;bf1QH*R+4@vV)Ej^)!cP6mYcaZ)x7P6F?no}4y|`JKO9S^lP)
zez-1Io+UKceD<lOlxT43xbomT{#L^)nn!UfoVrAVy(4=Bi7TRGu#{a4fpn8C)HdO5
zWLt^bK>e1%aiW+!b+i5o&0gjr?T2?hC7Oai+v(k0t?)^#lYdX5aRTLrT=!R2+Q4%o
zW8vLpxWKCw$1JP;J0+I%ISYZz*H)BmE6<ts{f{#h6J|*VvL*c9+%qdHAps)are(q8
z8og!q<vY*nio%;`f*o%TA*1?6V_wPJzju8ooEJIHw@ZB+9Rm6W)33|7p6lY!o(q|_
zOE@@Ae@t^oH(pNJe+tyKR%m<M87w#=?=$?{mc+QdN`0RAwk^=q#kAeXv>Grilx}<;
z{<_3Ov_I%mP;&C!7r20VEv)B$NI#S^a)?VObMAVVDw^zkAvjTJJ-nOx#n!*gSMfCU
zqe$Y8z<t2Ecde8DJHxvITc!_vUBjOB;?G;Z&Lm6K=%!l8dA$d!PZaO3n!1_{Dm<ST
zDD%PM7p2x078VM`OLS_NsXP<*aS90~yL7r9{vbX-ky_^Q8f^B*mr!~fjLjJ~rkv-K
zp9OthoBSGduz>R=ZLdM>h})iKO8E)wtjw9tySddsC{7B0R#}YjNY9emCQEX46ZsK8
zZ8qQF?2T{rk|8&sZFW}w+ojR&(bUc15qJw-PhSFjGnw5r;eWTK(h8n@W=OTaP)U)G
zLvXWnepGJD-*)4-vWUtxdAsiF=5Js$Gf?Waa(C%rR(+&*ZRcBW;KYk<qrcuI+iI`B
z24C`iXKuSUH~)O*DDItD7?s72L9-8-MPjF#)6+k0+&~mSzgiP>S3Wn69z(q5ZF88`
z-S>HaYoWK&av!vLm}cDAYXd7by(=M<)U7S8*dL|)q-@8whXS9Y^&Fmnc8%54o$fNO
z=h$qD=4yn}eKCfezPR<9Bzb=QW~}JC+0N*rSKlDIlW$6uLk83ygFQJpJ8kRac%rgz
z;@7#879>-#$=flV;^S6-8A4(r^{e;AjIe|-?Ld{cl<TldUi|f$vIoRqMrne3e<_#k
zWcY2Kqfr}SlW>QJ;Q866dMkP{;CYsN76?uAmPuZlL1P1~HFSWxqaSa-Qp~qJo8se6
zF1<qprhdB|KJ(DrP2<pKS}DIsUf9|a->qx#<~lOdIdf>UjtEworWG3IYO^=`{^5Ea
zZF=+1r3=vb3Mk9&NUfFQJ^)JWgnLePUuB&ey5Egmy1y2cAFil(x;{}Bz8Sb}D^dO;
z^81fymw*}YW?JAjQ#mnS5FxBQ^Xfj<b>g&5#eHZlh4L}5EG{J5qQdPo6C*J2=j&Ik
z(FFhFH`UKC^&52SD~kpCmaMuNr%s9`N~2ziP4G-1Tt8^_8Qlf8txTp{%-x3HKcBu1
zxe-Zps*iD#5N<8}sr7+)JNBZqgRa}6t&I3E(oQzrF3VZ-8Hw8)jKx!_pGo(ljL$g!
z<Q)ca*Vw+_|0K#;;dPN*F1jR<kMA2LVCgbl`({lgZL8R=YJYakS)cK#CZ&Ym<rn+I
q25&1FDT3RrdtD0G+J)tqC!~EU->ie*M{r-?a9`h}JHPsM^#1^x!3m`R

diff --git a/docs/versions.yaml b/docs/versions.yaml
index 791b39a2bb9c6..bce16b48ea561 100644
--- a/docs/versions.yaml
+++ b/docs/versions.yaml
@@ -25,6 +25,6 @@
 "1.29": 1.29.12
 "1.30": 1.30.11
 "1.31": 1.31.10
-"1.32": 1.32.10
-"1.33": 1.33.7
-"1.34": 1.34.4
+"1.32": 1.32.11
+"1.33": 1.33.8
+"1.34": 1.34.5

From 360318446b453358ceb09a2c13d84484d2fa8279 Mon Sep 17 00:00:00 2001
From: Inseok Lee <matt.lee@sendbird.com>
Date: Fri, 13 Sep 2024 10:23:06 +0900
Subject: [PATCH 02/10] redis: Support eval_ro, evalsha_ro

---
 .../network/common/redis/supported_commands.h |  3 +-
 .../clusters/redis/redis_cluster_lb_test.cc   | 25 +++++++++++
 .../redis_proxy/command_splitter_impl_test.cc | 44 +++++++++++++++++++
 3 files changed, 71 insertions(+), 1 deletion(-)

diff --git a/source/extensions/filters/network/common/redis/supported_commands.h b/source/extensions/filters/network/common/redis/supported_commands.h
index cdbb850247248..521b5913b30dc 100644
--- a/source/extensions/filters/network/common/redis/supported_commands.h
+++ b/source/extensions/filters/network/common/redis/supported_commands.h
@@ -49,7 +49,8 @@ struct SupportedCommands {
    * @return commands which hash on the fourth argument
    */
   static const absl::flat_hash_set<std::string>& evalCommands() {
-    CONSTRUCT_ON_FIRST_USE(absl::flat_hash_set<std::string>, "eval", "evalsha");
+    CONSTRUCT_ON_FIRST_USE(absl::flat_hash_set<std::string>, "eval", "evalsha", "eval_ro",
+                           "evalsha_ro");
   }
 
   /**
diff --git a/test/extensions/clusters/redis/redis_cluster_lb_test.cc b/test/extensions/clusters/redis/redis_cluster_lb_test.cc
index 4a970ae1e359f..0590c24c46c62 100644
--- a/test/extensions/clusters/redis/redis_cluster_lb_test.cc
+++ b/test/extensions/clusters/redis/redis_cluster_lb_test.cc
@@ -604,6 +604,31 @@ TEST_F(RedisLoadBalancerContextImplTest, EnforceHashTag) {
   EXPECT_EQ(NetworkFilters::Common::Redis::Client::ReadPolicy::Primary, context2.readPolicy());
 }
 
+TEST_F(RedisLoadBalancerContextImplTest, ReadOnlyCommand) {
+  std::vector<NetworkFilters::Common::Redis::RespValue> eval_ro_foo(4);
+  eval_ro_foo[0].type(NetworkFilters::Common::Redis::RespType::BulkString);
+  eval_ro_foo[0].asString() = "eval_ro";
+  eval_ro_foo[1].type(NetworkFilters::Common::Redis::RespType::BulkString);
+  eval_ro_foo[1].asString() = "return {KEYS[1]}";
+  eval_ro_foo[2].type(NetworkFilters::Common::Redis::RespType::BulkString);
+  eval_ro_foo[2].asString() = "foo";
+  eval_ro_foo[3].type(NetworkFilters::Common::Redis::RespType::BulkString);
+  eval_ro_foo[3].asString() = "0";
+
+  NetworkFilters::Common::Redis::RespValue eval_ro_request;
+  eval_ro_request.type(NetworkFilters::Common::Redis::RespType::Array);
+  eval_ro_request.asArray().swap(eval_ro_foo);
+
+  RedisLoadBalancerContextImpl context1(
+      "foo", true, true, eval_ro_request,
+      NetworkFilters::Common::Redis::Client::ReadPolicy::PreferReplica);
+
+  EXPECT_EQ(absl::optional<uint64_t>(44950), context1.computeHashKey());
+  EXPECT_EQ(true, context1.isReadCommand());
+  EXPECT_EQ(NetworkFilters::Common::Redis::Client::ReadPolicy::PreferReplica,
+            context1.readPolicy());
+}
+
 } // namespace Redis
 } // namespace Clusters
 } // namespace Extensions
diff --git a/test/extensions/filters/network/redis_proxy/command_splitter_impl_test.cc b/test/extensions/filters/network/redis_proxy/command_splitter_impl_test.cc
index a0f4d1ef65017..e7df19c022fe6 100644
--- a/test/extensions/filters/network/redis_proxy/command_splitter_impl_test.cc
+++ b/test/extensions/filters/network/redis_proxy/command_splitter_impl_test.cc
@@ -529,6 +529,50 @@ TEST_F(RedisSingleServerRequestTest, EvalShaSuccess) {
             store_.counter(fmt::format("redis.foo.command.{}.success", lower_command)).value());
 };
 
+TEST_F(RedisSingleServerRequestTest, EvalRoSuccess) {
+  InSequence s;
+
+  Common::Redis::RespValuePtr request{new Common::Redis::RespValue()};
+  makeBulkStringArray(*request, {"eval_ro", "return {ARGV[1]}", "1", "key", "arg"});
+  makeRequest("key", std::move(request));
+  EXPECT_NE(nullptr, handle_);
+
+  std::string lower_command = absl::AsciiStrToLower("eval_ro");
+
+  time_system_.setMonotonicTime(std::chrono::milliseconds(10));
+  EXPECT_CALL(store_, deliverHistogramToSinks(
+                          Property(&Stats::Metric::name,
+                                   fmt::format("redis.foo.command.{}.latency", lower_command)),
+                          10));
+  respond();
+
+  EXPECT_EQ(1UL, store_.counter(fmt::format("redis.foo.command.{}.total", lower_command)).value());
+  EXPECT_EQ(1UL,
+            store_.counter(fmt::format("redis.foo.command.{}.success", lower_command)).value());
+};
+
+TEST_F(RedisSingleServerRequestTest, EvalShaRoSuccess) {
+  InSequence s;
+
+  Common::Redis::RespValuePtr request{new Common::Redis::RespValue()};
+  makeBulkStringArray(*request, {"EVALSHA_RO", "return {ARGV[1]}", "1", "keykey", "arg"});
+  makeRequest("keykey", std::move(request));
+  EXPECT_NE(nullptr, handle_);
+
+  std::string lower_command = absl::AsciiStrToLower("evalsha_ro");
+
+  time_system_.setMonotonicTime(std::chrono::milliseconds(10));
+  EXPECT_CALL(store_, deliverHistogramToSinks(
+                          Property(&Stats::Metric::name,
+                                   fmt::format("redis.foo.command.{}.latency", lower_command)),
+                          10));
+  respond();
+
+  EXPECT_EQ(1UL, store_.counter(fmt::format("redis.foo.command.{}.total", lower_command)).value());
+  EXPECT_EQ(1UL,
+            store_.counter(fmt::format("redis.foo.command.{}.success", lower_command)).value());
+};
+
 TEST_F(RedisSingleServerRequestTest, EvalWrongNumberOfArgs) {
   InSequence s;
 

From 1d597ea91c0872cae56704a6755dd1b82363e08c Mon Sep 17 00:00:00 2001
From: Doogie Min <doogie.min@sendbird.com>
Date: Sat, 2 Nov 2024 02:32:31 +0900
Subject: [PATCH 03/10] use custom header for tracing

Include code formatting improvements for consistent style in trace test files.
---
 .../opentelemetry/span_context_extractor.h    |  4 +-
 .../tracers/opentelemetry/tracer.cc           |  4 +-
 .../always_on_sampler_integration_test.cc     | 25 +++++++-----
 .../dynatrace_sampler_integration_test.cc     | 25 +++++++-----
 .../span_context_extractor_test.cc            | 38 +++++++++++--------
 5 files changed, 56 insertions(+), 40 deletions(-)

diff --git a/source/extensions/tracers/opentelemetry/span_context_extractor.h b/source/extensions/tracers/opentelemetry/span_context_extractor.h
index dffeb6218c921..517a9700bafaf 100644
--- a/source/extensions/tracers/opentelemetry/span_context_extractor.h
+++ b/source/extensions/tracers/opentelemetry/span_context_extractor.h
@@ -15,8 +15,8 @@ namespace OpenTelemetry {
 
 class OpenTelemetryConstantValues {
 public:
-  const Tracing::TraceContextHandler TRACE_PARENT{"traceparent"};
-  const Tracing::TraceContextHandler TRACE_STATE{"tracestate"};
+  const Tracing::TraceContextHandler TRACE_PARENT{"x-sendbird-traceparent"};
+  const Tracing::TraceContextHandler TRACE_STATE{"x-sendbird-tracestate"};
 };
 
 using OpenTelemetryConstants = ConstSingleton<OpenTelemetryConstantValues>;
diff --git a/source/extensions/tracers/opentelemetry/tracer.cc b/source/extensions/tracers/opentelemetry/tracer.cc
index c18c23569dddc..186e913b12ab4 100644
--- a/source/extensions/tracers/opentelemetry/tracer.cc
+++ b/source/extensions/tracers/opentelemetry/tracer.cc
@@ -27,11 +27,11 @@ using opentelemetry::proto::collector::trace::v1::ExportTraceServiceRequest;
 namespace {
 
 const Tracing::TraceContextHandler& traceParentHeader() {
-  CONSTRUCT_ON_FIRST_USE(Tracing::TraceContextHandler, "traceparent");
+  CONSTRUCT_ON_FIRST_USE(Tracing::TraceContextHandler, "x-sendbird-traceparent");
 }
 
 const Tracing::TraceContextHandler& traceStateHeader() {
-  CONSTRUCT_ON_FIRST_USE(Tracing::TraceContextHandler, "tracestate");
+  CONSTRUCT_ON_FIRST_USE(Tracing::TraceContextHandler, "x-sendbird-tracestate");
 }
 
 void callSampler(SamplerSharedPtr sampler, const StreamInfo::StreamInfo& stream_info,
diff --git a/test/extensions/tracers/opentelemetry/samplers/always_on/always_on_sampler_integration_test.cc b/test/extensions/tracers/opentelemetry/samplers/always_on/always_on_sampler_integration_test.cc
index 051a21b6846f5..a187d52d140f6 100644
--- a/test/extensions/tracers/opentelemetry/samplers/always_on/always_on_sampler_integration_test.cc
+++ b/test/extensions/tracers/opentelemetry/samplers/always_on/always_on_sampler_integration_test.cc
@@ -59,9 +59,12 @@ INSTANTIATE_TEST_SUITE_P(IpVersions, AlwaysOnSamplerIntegrationTest,
 
 // Sends a request with traceparent and tracestate header.
 TEST_P(AlwaysOnSamplerIntegrationTest, TestWithTraceparentAndTracestate) {
-  Http::TestRequestHeaderMapImpl request_headers{
-      {":method", "GET"},     {":path", "/test/long/url"}, {":scheme", "http"},
-      {":authority", "host"}, {"tracestate", "key=value"}, {"traceparent", TRACEPARENT_VALUE}};
+  Http::TestRequestHeaderMapImpl request_headers{{":method", "GET"},
+                                                 {":path", "/test/long/url"},
+                                                 {":scheme", "http"},
+                                                 {":authority", "host"},
+                                                 {"x-sendbird-tracestate", "key=value"},
+                                                 {"x-sendbird-traceparent", TRACEPARENT_VALUE}};
 
   auto response = sendRequestAndWaitForResponse(request_headers, 0, default_response_headers_, 0);
 
@@ -71,14 +74,14 @@ TEST_P(AlwaysOnSamplerIntegrationTest, TestWithTraceparentAndTracestate) {
 
   // traceparent should be set: traceid should be re-used, span id should be different
   absl::string_view traceparent_value = upstream_request_->headers()
-                                            .get(Http::LowerCaseString("traceparent"))[0]
+                                            .get(Http::LowerCaseString("x-sendbird-traceparent"))[0]
                                             ->value()
                                             .getStringView();
   EXPECT_TRUE(absl::StartsWith(traceparent_value, TRACEPARENT_VALUE_START));
   EXPECT_NE(TRACEPARENT_VALUE, traceparent_value);
   // tracestate should be forwarded
   absl::string_view tracestate_value = upstream_request_->headers()
-                                           .get(Http::LowerCaseString("tracestate"))[0]
+                                           .get(Http::LowerCaseString("x-sendbird-tracestate"))[0]
                                            ->value()
                                            .getStringView();
   EXPECT_EQ("key=value", tracestate_value);
@@ -90,7 +93,7 @@ TEST_P(AlwaysOnSamplerIntegrationTest, TestWithTraceparentOnly) {
                                                  {":path", "/test/long/url"},
                                                  {":scheme", "http"},
                                                  {":authority", "host"},
-                                                 {"traceparent", TRACEPARENT_VALUE}};
+                                                 {"x-sendbird-traceparent", TRACEPARENT_VALUE}};
   auto response = sendRequestAndWaitForResponse(request_headers, 0, default_response_headers_, 0);
 
   ASSERT_TRUE(response->waitForEndStream());
@@ -99,14 +102,14 @@ TEST_P(AlwaysOnSamplerIntegrationTest, TestWithTraceparentOnly) {
 
   // traceparent should be set: traceid should be re-used, span id should be different
   absl::string_view traceparent_value = upstream_request_->headers()
-                                            .get(Http::LowerCaseString("traceparent"))[0]
+                                            .get(Http::LowerCaseString("x-sendbird-traceparent"))[0]
                                             ->value()
                                             .getStringView();
   EXPECT_TRUE(absl::StartsWith(traceparent_value, TRACEPARENT_VALUE_START));
   EXPECT_NE(TRACEPARENT_VALUE, traceparent_value);
   // OTLP tracer adds an empty tracestate
   absl::string_view tracestate_value = upstream_request_->headers()
-                                           .get(Http::LowerCaseString("tracestate"))[0]
+                                           .get(Http::LowerCaseString("x-sendbird-tracestate"))[0]
                                            ->value()
                                            .getStringView();
   EXPECT_EQ("", tracestate_value);
@@ -125,11 +128,13 @@ TEST_P(AlwaysOnSamplerIntegrationTest, TestWithoutTraceparentAndTracestate) {
 
   // traceparent will be added, trace_id and span_id will be generated, so there is nothing we can
   // assert
-  EXPECT_EQ(upstream_request_->headers().get(::Envoy::Http::LowerCaseString("traceparent")).size(),
+  EXPECT_EQ(upstream_request_->headers()
+                .get(::Envoy::Http::LowerCaseString("x-sendbird-traceparent"))
+                .size(),
             1);
   // OTLP tracer adds an empty tracestate
   absl::string_view tracestate_value = upstream_request_->headers()
-                                           .get(Http::LowerCaseString("tracestate"))[0]
+                                           .get(Http::LowerCaseString("x-sendbird-tracestate"))[0]
                                            ->value()
                                            .getStringView();
   EXPECT_EQ("", tracestate_value);
diff --git a/test/extensions/tracers/opentelemetry/samplers/dynatrace/dynatrace_sampler_integration_test.cc b/test/extensions/tracers/opentelemetry/samplers/dynatrace/dynatrace_sampler_integration_test.cc
index a3887eaf5ab4e..c2dee1f01ffad 100644
--- a/test/extensions/tracers/opentelemetry/samplers/dynatrace/dynatrace_sampler_integration_test.cc
+++ b/test/extensions/tracers/opentelemetry/samplers/dynatrace/dynatrace_sampler_integration_test.cc
@@ -61,9 +61,12 @@ INSTANTIATE_TEST_SUITE_P(IpVersions, DynatraceSamplerIntegrationTest,
 // Sends a request with traceparent and tracestate header.
 TEST_P(DynatraceSamplerIntegrationTest, TestWithTraceparentAndTracestate) {
   // tracestate does not contain a Dynatrace tag
-  Http::TestRequestHeaderMapImpl request_headers{
-      {":method", "GET"},     {":path", "/test/long/url"}, {":scheme", "http"},
-      {":authority", "host"}, {"tracestate", "key=value"}, {"traceparent", TRACEPARENT_VALUE}};
+  Http::TestRequestHeaderMapImpl request_headers{{":method", "GET"},
+                                                 {":path", "/test/long/url"},
+                                                 {":scheme", "http"},
+                                                 {":authority", "host"},
+                                                 {"x-sendbird-tracestate", "key=value"},
+                                                 {"x-sendbird-traceparent", TRACEPARENT_VALUE}};
 
   auto response = sendRequestAndWaitForResponse(request_headers, 0, default_response_headers_, 0);
 
@@ -73,14 +76,14 @@ TEST_P(DynatraceSamplerIntegrationTest, TestWithTraceparentAndTracestate) {
 
   // traceparent should be set: traceid should be re-used, span id should be different
   absl::string_view traceparent_value = upstream_request_->headers()
-                                            .get(Http::LowerCaseString("traceparent"))[0]
+                                            .get(Http::LowerCaseString("x-sendbird-traceparent"))[0]
                                             ->value()
                                             .getStringView();
   EXPECT_TRUE(absl::StartsWith(traceparent_value, TRACEPARENT_VALUE_START));
   EXPECT_NE(TRACEPARENT_VALUE, traceparent_value);
   // Dynatrace tracestate should be added to existing tracestate
   absl::string_view tracestate_value = upstream_request_->headers()
-                                           .get(Http::LowerCaseString("tracestate"))[0]
+                                           .get(Http::LowerCaseString("x-sendbird-tracestate"))[0]
                                            ->value()
                                            .getStringView();
   // use StartsWith because path-info (last element in trace state) contains a random value
@@ -96,7 +99,7 @@ TEST_P(DynatraceSamplerIntegrationTest, TestWithTraceparentOnly) {
                                                  {":path", "/test/long/url"},
                                                  {":scheme", "http"},
                                                  {":authority", "host"},
-                                                 {"traceparent", TRACEPARENT_VALUE}};
+                                                 {"x-sendbird-traceparent", TRACEPARENT_VALUE}};
   auto response = sendRequestAndWaitForResponse(request_headers, 0, default_response_headers_, 0);
 
   ASSERT_TRUE(response->waitForEndStream());
@@ -105,14 +108,14 @@ TEST_P(DynatraceSamplerIntegrationTest, TestWithTraceparentOnly) {
 
   // traceparent should be set: traceid should be re-used, span id should be different
   absl::string_view traceparent_value = upstream_request_->headers()
-                                            .get(Http::LowerCaseString("traceparent"))[0]
+                                            .get(Http::LowerCaseString("x-sendbird-traceparent"))[0]
                                             ->value()
                                             .getStringView();
   EXPECT_TRUE(absl::StartsWith(traceparent_value, TRACEPARENT_VALUE_START));
   EXPECT_NE(TRACEPARENT_VALUE, traceparent_value);
   // Dynatrace tag should be added to tracestate
   absl::string_view tracestate_value = upstream_request_->headers()
-                                           .get(Http::LowerCaseString("tracestate"))[0]
+                                           .get(Http::LowerCaseString("x-sendbird-tracestate"))[0]
                                            ->value()
                                            .getStringView();
   // use StartsWith because path-info (last element in trace state contains a random value)
@@ -133,11 +136,13 @@ TEST_P(DynatraceSamplerIntegrationTest, TestWithoutTraceparentAndTracestate) {
 
   // traceparent will be added, trace_id and span_id will be generated, so there is nothing we can
   // assert
-  EXPECT_EQ(upstream_request_->headers().get(::Envoy::Http::LowerCaseString("traceparent")).size(),
+  EXPECT_EQ(upstream_request_->headers()
+                .get(::Envoy::Http::LowerCaseString("x-sendbird-traceparent"))
+                .size(),
             1);
   // Dynatrace tag should be added to tracestate
   absl::string_view tracestate_value = upstream_request_->headers()
-                                           .get(Http::LowerCaseString("tracestate"))[0]
+                                           .get(Http::LowerCaseString("x-sendbird-tracestate"))[0]
                                            ->value()
                                            .getStringView();
   EXPECT_TRUE(absl::StartsWith(tracestate_value, "5b3f9fed-980df25c@dt=fw4;0;0;0;0;0;0;"))
diff --git a/test/extensions/tracers/opentelemetry/span_context_extractor_test.cc b/test/extensions/tracers/opentelemetry/span_context_extractor_test.cc
index b87f984768ebe..ae13d846c7f8c 100644
--- a/test/extensions/tracers/opentelemetry/span_context_extractor_test.cc
+++ b/test/extensions/tracers/opentelemetry/span_context_extractor_test.cc
@@ -23,7 +23,8 @@ constexpr absl::string_view trace_flags = "01";
 
 TEST(SpanContextExtractorTest, ExtractSpanContext) {
   Tracing::TestTraceContextImpl request_headers{
-      {"traceparent", fmt::format("{}-{}-{}-{}", version, trace_id, parent_id, trace_flags)}};
+      {"x-sendbird-traceparent",
+       fmt::format("{}-{}-{}-{}", version, trace_id, parent_id, trace_flags)}};
 
   SpanContextExtractor span_context_extractor(request_headers);
   absl::StatusOr<SpanContext> span_context = span_context_extractor.extractSpanContext();
@@ -38,7 +39,7 @@ TEST(SpanContextExtractorTest, ExtractSpanContext) {
 TEST(SpanContextExtractorTest, ExtractSpanContextNotSampled) {
   const std::string trace_flags_unsampled{"00"};
   Tracing::TestTraceContextImpl request_headers{
-      {"traceparent",
+      {"x-sendbird-traceparent",
        fmt::format("{}-{}-{}-{}", version, trace_id, parent_id, trace_flags_unsampled)}};
   SpanContextExtractor span_context_extractor(request_headers);
   absl::StatusOr<SpanContext> span_context = span_context_extractor.extractSpanContext();
@@ -62,7 +63,8 @@ TEST(SpanContextExtractorTest, ThrowsExceptionWithoutHeader) {
 
 TEST(SpanContextExtractorTest, ThrowsExceptionWithTooLongHeader) {
   Tracing::TestTraceContextImpl request_headers{
-      {"traceparent", fmt::format("000{}-{}-{}-{}", version, trace_id, parent_id, trace_flags)}};
+      {"x-sendbird-traceparent",
+       fmt::format("000{}-{}-{}-{}", version, trace_id, parent_id, trace_flags)}};
   SpanContextExtractor span_context_extractor(request_headers);
 
   absl::StatusOr<SpanContext> span_context = span_context_extractor.extractSpanContext();
@@ -73,7 +75,7 @@ TEST(SpanContextExtractorTest, ThrowsExceptionWithTooLongHeader) {
 
 TEST(SpanContextExtractorTest, ThrowsExceptionWithTooShortHeader) {
   Tracing::TestTraceContextImpl request_headers{
-      {"traceparent", fmt::format("{}-{}-{}", trace_id, parent_id, trace_flags)}};
+      {"x-sendbird-traceparent", fmt::format("{}-{}-{}", trace_id, parent_id, trace_flags)}};
   SpanContextExtractor span_context_extractor(request_headers);
 
   absl::StatusOr<SpanContext> span_context = span_context_extractor.extractSpanContext();
@@ -84,7 +86,8 @@ TEST(SpanContextExtractorTest, ThrowsExceptionWithTooShortHeader) {
 
 TEST(SpanContextExtractorTest, ThrowsExceptionWithInvalidHyphenation) {
   Tracing::TestTraceContextImpl request_headers{
-      {"traceparent", fmt::format("{}{}-{}-{}", version, trace_id, parent_id, trace_flags)}};
+      {"x-sendbird-traceparent",
+       fmt::format("{}{}-{}-{}", version, trace_id, parent_id, trace_flags)}};
   SpanContextExtractor span_context_extractor(request_headers);
 
   absl::StatusOr<SpanContext> span_context = span_context_extractor.extractSpanContext();
@@ -97,7 +100,7 @@ TEST(SpanContextExtractorTest, ThrowsExceptionWithInvalidSizes) {
   const std::string invalid_version{"0"};
   const std::string invalid_trace_flags{"001"};
   Tracing::TestTraceContextImpl request_headers{
-      {"traceparent",
+      {"x-sendbird-traceparent",
        fmt::format("{}-{}-{}-{}", invalid_version, trace_id, parent_id, invalid_trace_flags)}};
   SpanContextExtractor span_context_extractor(request_headers);
 
@@ -110,7 +113,7 @@ TEST(SpanContextExtractorTest, ThrowsExceptionWithInvalidSizes) {
 TEST(SpanContextExtractorTest, ThrowsExceptionWithInvalidHex) {
   const std::string invalid_version{"ZZ"};
   Tracing::TestTraceContextImpl request_headers{
-      {"traceparent",
+      {"x-sendbird-traceparent",
        fmt::format("{}-{}-{}-{}", invalid_version, trace_id, parent_id, trace_flags)}};
   SpanContextExtractor span_context_extractor(request_headers);
 
@@ -123,7 +126,7 @@ TEST(SpanContextExtractorTest, ThrowsExceptionWithInvalidHex) {
 TEST(SpanContextExtractorTest, ThrowsExceptionWithAllZeroTraceId) {
   const std::string invalid_trace_id{"00000000000000000000000000000000"};
   Tracing::TestTraceContextImpl request_headers{
-      {"traceparent",
+      {"x-sendbird-traceparent",
        fmt::format("{}-{}-{}-{}", version, invalid_trace_id, parent_id, trace_flags)}};
   SpanContextExtractor span_context_extractor(request_headers);
 
@@ -136,7 +139,7 @@ TEST(SpanContextExtractorTest, ThrowsExceptionWithAllZeroTraceId) {
 TEST(SpanContextExtractorTest, ThrowsExceptionWithAllZeroParentId) {
   const std::string invalid_parent_id{"0000000000000000"};
   Tracing::TestTraceContextImpl request_headers{
-      {"traceparent",
+      {"x-sendbird-traceparent",
        fmt::format("{}-{}-{}-{}", version, trace_id, invalid_parent_id, trace_flags)}};
   SpanContextExtractor span_context_extractor(request_headers);
 
@@ -148,7 +151,8 @@ TEST(SpanContextExtractorTest, ThrowsExceptionWithAllZeroParentId) {
 
 TEST(SpanContextExtractorTest, ExtractSpanContextWithEmptyTracestate) {
   Tracing::TestTraceContextImpl request_headers{
-      {"traceparent", fmt::format("{}-{}-{}-{}", version, trace_id, parent_id, trace_flags)}};
+      {"x-sendbird-traceparent",
+       fmt::format("{}-{}-{}-{}", version, trace_id, parent_id, trace_flags)}};
   SpanContextExtractor span_context_extractor(request_headers);
   absl::StatusOr<SpanContext> span_context = span_context_extractor.extractSpanContext();
 
@@ -158,8 +162,9 @@ TEST(SpanContextExtractorTest, ExtractSpanContextWithEmptyTracestate) {
 
 TEST(SpanContextExtractorTest, ExtractSpanContextWithTracestate) {
   Tracing::TestTraceContextImpl request_headers{
-      {"traceparent", fmt::format("{}-{}-{}-{}", version, trace_id, parent_id, trace_flags)},
-      {"tracestate", "sample-tracestate"}};
+      {"x-sendbird-traceparent",
+       fmt::format("{}-{}-{}-{}", version, trace_id, parent_id, trace_flags)},
+      {"x-sendbird-tracestate", "sample-tracestate"}};
   SpanContextExtractor span_context_extractor(request_headers);
   absl::StatusOr<SpanContext> span_context = span_context_extractor.extractSpanContext();
 
@@ -168,7 +173,7 @@ TEST(SpanContextExtractorTest, ExtractSpanContextWithTracestate) {
 }
 
 TEST(SpanContextExtractorTest, IgnoreTracestateWithoutTraceparent) {
-  Tracing::TestTraceContextImpl request_headers{{"tracestate", "sample-tracestate"}};
+  Tracing::TestTraceContextImpl request_headers{{"x-sendbird-tracestate", "sample-tracestate"}};
   SpanContextExtractor span_context_extractor(request_headers);
   absl::StatusOr<SpanContext> span_context = span_context_extractor.extractSpanContext();
 
@@ -178,9 +183,10 @@ TEST(SpanContextExtractorTest, IgnoreTracestateWithoutTraceparent) {
 
 TEST(SpanContextExtractorTest, ExtractSpanContextWithMultipleTracestateEntries) {
   Http::TestRequestHeaderMapImpl request_headers{
-      {"traceparent", fmt::format("{}-{}-{}-{}", version, trace_id, parent_id, trace_flags)},
-      {"tracestate", "sample-tracestate"},
-      {"tracestate", "sample-tracestate-2"}};
+      {"x-sendbird-traceparent",
+       fmt::format("{}-{}-{}-{}", version, trace_id, parent_id, trace_flags)},
+      {"x-sendbird-tracestate", "sample-tracestate"},
+      {"x-sendbird-tracestate", "sample-tracestate-2"}};
   Tracing::HttpTraceContext trace_context(request_headers);
   SpanContextExtractor span_context_extractor(trace_context);
   absl::StatusOr<SpanContext> span_context = span_context_extractor.extractSpanContext();

From 3f387b2c8018f4e9788471e6ce6e370b440eb262 Mon Sep 17 00:00:00 2001
From: Gavin Jeong <gavin.jeong@sendbird.com>
Date: Wed, 30 Jul 2025 21:49:48 +0900
Subject: [PATCH 04/10] redis: fix segfault at cluster removing

Signed-off-by: Chanhun Jeong <keyolk@gmail.com>
---
 .../clusters/redis/redis_cluster.cc           | 54 +++++++++++++++----
 .../extensions/clusters/redis/redis_cluster.h |  6 ++-
 test/extensions/clusters/redis/BUILD          |  1 +
 .../clusters/redis/redis_cluster_test.cc      | 39 ++++++++++++++
 4 files changed, 90 insertions(+), 10 deletions(-)

diff --git a/source/extensions/clusters/redis/redis_cluster.cc b/source/extensions/clusters/redis/redis_cluster.cc
index 7081b14a88bb6..9596dd7e36758 100644
--- a/source/extensions/clusters/redis/redis_cluster.cc
+++ b/source/extensions/clusters/redis/redis_cluster.cc
@@ -74,13 +74,10 @@ RedisCluster::RedisCluster(
       cluster_name_(cluster.name()),
       refresh_manager_(Common::Redis::getClusterRefreshManager(
           context.serverFactoryContext().singletonManager(),
-          context.serverFactoryContext().mainThreadDispatcher(), context.clusterManager(),
+          context.serverFactoryContext().mainThreadDispatcher(),
+          context.serverFactoryContext().clusterManager(),
           context.serverFactoryContext().api().timeSource())),
-      registration_handle_(refresh_manager_->registerCluster(
-          cluster_name_, redirect_refresh_interval_, redirect_refresh_threshold_,
-          failure_refresh_threshold_, host_degraded_refresh_threshold_, [&]() {
-            redis_discovery_session_->resolve_timer_->enableTimer(std::chrono::milliseconds(0));
-          })) {
+      registration_handle_(nullptr) {
   const auto& locality_lb_endpoints = load_assignment_.endpoints();
   for (const auto& locality_lb_endpoint : locality_lb_endpoints) {
     for (const auto& lb_endpoint : locality_lb_endpoint.lb_endpoints()) {
@@ -89,6 +86,33 @@ RedisCluster::RedisCluster(
           *this, host.socket_address().address(), host.socket_address().port_value()));
     }
   }
+
+  // Register the cluster callback using weak_ptr to avoid use-after-free
+  std::weak_ptr<RedisDiscoverySession> weak_session = redis_discovery_session_;
+  registration_handle_ = refresh_manager_->registerCluster(
+      cluster_name_, redirect_refresh_interval_, redirect_refresh_threshold_,
+      failure_refresh_threshold_, host_degraded_refresh_threshold_,
+      [weak_session]() {
+        // Try to lock the weak pointer to ensure the session is still alive
+        auto session = weak_session.lock();
+        if (session && session->resolve_timer_) {
+          session->resolve_timer_->enableTimer(std::chrono::milliseconds(0));
+        }
+      });
+}
+
+RedisCluster::~RedisCluster() {
+  // Set flag to prevent any callbacks from executing during destruction
+  is_destroying_.store(true);
+
+  // Reset redis_discovery_session_ before other members are destroyed
+  // to ensure any pending callbacks from refresh_manager_ don't access it.
+  // This matches the approach in PR #39625.
+  redis_discovery_session_.reset();
+
+  // Also clear DNS discovery targets to prevent their callbacks from
+  // accessing the destroyed cluster.
+  dns_discovery_resolve_targets_.clear();
 }
 
 void RedisCluster::startPreInit() {
@@ -201,7 +225,7 @@ RedisCluster::DnsDiscoveryResolveTarget::~DnsDiscoveryResolveTarget() {
     active_query_->cancel(Network::ActiveDnsQuery::CancelReason::QueryAbandoned);
   }
   // Disable timer for mock tests.
-  if (resolve_timer_) {
+  if (resolve_timer_ && resolve_timer_->enabled()) {
     resolve_timer_->disableTimer();
   }
 }
@@ -224,7 +248,13 @@ void RedisCluster::DnsDiscoveryResolveTarget::startResolveDns() {
 
           if (!resolve_timer_) {
             resolve_timer_ =
-                parent_.dispatcher_.createTimer([this]() -> void { startResolveDns(); });
+                parent_.dispatcher_.createTimer([this]() -> void {
+                  // Check if the parent cluster is being destroyed
+                  if (parent_.is_destroying_.load()) {
+                    return;
+                  }
+                  startResolveDns();
+                });
           }
           // if the initial dns resolved to empty, we'll skip the redis discovery phase and
           // treat it as an empty cluster.
@@ -247,7 +277,13 @@ RedisCluster::RedisDiscoverySession::RedisDiscoverySession(
     Envoy::Extensions::Clusters::Redis::RedisCluster& parent,
     NetworkFilters::Common::Redis::Client::ClientFactory& client_factory)
     : parent_(parent), dispatcher_(parent.dispatcher_),
-      resolve_timer_(parent.dispatcher_.createTimer([this]() -> void { startResolveRedis(); })),
+      resolve_timer_(parent.dispatcher_.createTimer([this]() -> void {
+        // Check if the parent cluster is being destroyed
+        if (parent_.is_destroying_.load()) {
+          return;
+        }
+        startResolveRedis();
+      })),
       client_factory_(client_factory), buffer_timeout_(0),
       redis_command_stats_(
           NetworkFilters::Common::Redis::RedisCommandStats::createRedisCommandStats(
diff --git a/source/extensions/clusters/redis/redis_cluster.h b/source/extensions/clusters/redis/redis_cluster.h
index 50ada2a61abde..252e8e9570dbd 100644
--- a/source/extensions/clusters/redis/redis_cluster.h
+++ b/source/extensions/clusters/redis/redis_cluster.h
@@ -90,6 +90,7 @@ namespace Redis {
 
 class RedisCluster : public Upstream::BaseDynamicClusterImpl {
 public:
+  ~RedisCluster();
   static absl::StatusOr<std::unique_ptr<RedisCluster>>
   create(const envoy::config::cluster::v3::Cluster& cluster,
          const envoy::extensions::clusters::redis::v3::RedisClusterConfig& redis_cluster,
@@ -304,7 +305,10 @@ class RedisCluster : public Upstream::BaseDynamicClusterImpl {
   const std::string auth_password_;
   const std::string cluster_name_;
   const Common::Redis::ClusterRefreshManagerSharedPtr refresh_manager_;
-  const Common::Redis::ClusterRefreshManager::HandlePtr registration_handle_;
+  Common::Redis::ClusterRefreshManager::HandlePtr registration_handle_;
+
+  // Flag to prevent callbacks during destruction
+  std::atomic<bool> is_destroying_{false};
 };
 
 class RedisClusterFactory : public Upstream::ConfigurableClusterFactoryBase<
diff --git a/test/extensions/clusters/redis/BUILD b/test/extensions/clusters/redis/BUILD
index 6f0a607172659..32dfc5229938f 100644
--- a/test/extensions/clusters/redis/BUILD
+++ b/test/extensions/clusters/redis/BUILD
@@ -31,6 +31,7 @@ envoy_extension_cc_test(
         "//source/server:transport_socket_config_lib",
         "//test/common/upstream:utility_lib",
         "//test/extensions/clusters/redis:redis_cluster_mocks",
+        "//test/extensions/common/redis:mocks_lib",
         "//test/extensions/filters/network/common/redis:redis_mocks",
         "//test/extensions/filters/network/common/redis:test_utils_lib",
         "//test/extensions/filters/network/redis_proxy:redis_mocks",
diff --git a/test/extensions/clusters/redis/redis_cluster_test.cc b/test/extensions/clusters/redis/redis_cluster_test.cc
index 98fb8b371fceb..f4dd0686be8bc 100644
--- a/test/extensions/clusters/redis/redis_cluster_test.cc
+++ b/test/extensions/clusters/redis/redis_cluster_test.cc
@@ -18,6 +18,7 @@
 
 #include "test/common/upstream/utility.h"
 #include "test/extensions/clusters/redis/mocks.h"
+#include "test/extensions/common/redis/mocks.h"
 #include "test/extensions/filters/network/common/redis/mocks.h"
 #include "test/mocks/common.h"
 #include "test/mocks/protobuf/mocks.h"
@@ -1486,6 +1487,44 @@ TEST_F(RedisClusterTest, HostRemovalAfterHcFail) {
   */
 }
 
+// Test that verifies cluster destruction does not cause segfault when refresh manager
+// triggers callback after cluster is destroyed. This reproduces the issue from #38585.
+TEST_F(RedisClusterTest, NoSegfaultOnClusterDestructionWithPendingCallback) {
+  // This test verifies that destroying the cluster properly cleans up resources
+  // and doesn't cause a segfault. The key protection is in the destructor that
+  // sets is_destroying_ flag and cleans up the redis_discovery_session_.
+
+  // Create the cluster with basic configuration
+  setupFromV3Yaml(BasicConfig);
+  const std::list<std::string> resolved_addresses{"127.0.0.1"};
+  expectResolveDiscovery(Network::DnsLookupFamily::V4Only, "foo.bar.com", resolved_addresses);
+  expectRedisResolve(true);
+
+  cluster_->initialize([&]() {
+    initialized_.ready();
+    return absl::OkStatus();
+  });
+
+  EXPECT_CALL(membership_updated_, ready());
+  EXPECT_CALL(initialized_, ready());
+  EXPECT_CALL(*cluster_callback_, onClusterSlotUpdate(_, _));
+  std::bitset<ResponseFlagSize> single_slot_primary(0xfff);
+  std::bitset<ResponseReplicaFlagSize> no_replica(0);
+  expectClusterSlotResponse(createResponse(single_slot_primary, no_replica));
+  expectHealthyHosts(std::list<std::string>({"127.0.0.1:22120"}));
+  
+  // Now destroy the cluster. With the fix in place (destructor setting is_destroying_
+  // and resetting redis_discovery_session_), this should not crash.
+  // Without the fix, accessing resolve_timer_ after destruction would segfault.
+  cluster_.reset();
+  
+  // If we reach here without crashing, the test passes.
+  // The fix ensures that:
+  // 1. The destructor sets is_destroying_ = true
+  // 2. The destructor resets redis_discovery_session_ 
+  // 3. Timer callbacks check is_destroying_ before accessing cluster members
+}
+
 } // namespace Redis
 } // namespace Clusters
 } // namespace Extensions

From 5cf8d9d41ca88a6846ee9cdfcea4a01e715c5147 Mon Sep 17 00:00:00 2001
From: Gavin Jeong <gavin.jeong@sendbird.com>
Date: Wed, 3 Sep 2025 01:17:19 +0900
Subject: [PATCH 05/10] Add QUIC Keylog Support with SSLKEYLOGFILE and TLS
 Context Integration
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This commit introduces QUIC/HTTP3 keylog functionality in Envoy, enabling generation of NSS Key Log Format files for Wireshark and other debugging tools.

- Keylog callback registration in OnNewSslCtx()
- Implementation of EnvoyQuicProofSource::setupQuicKeylogCallback() and quicKeylogCallback()
- TLS context–based keylog configuration with per–filter chain caching and thread safety
- Address filtering via local/remote IP lists
- Fallback to SSLKEYLOGFILE environment variable for compatibility with existing workflows
- QuicKeylogBridge integration with Envoy’s existing TLS keylog infrastructure
- RawBufferSocket fallback fix in QuicServerTransportSocketFactory::createDownstreamTransportSocket()
- Comprehensive unit tests including edge cases

Signed-off-by: Chanhun Jeong <keyolk@gmail.com>
---
 source/common/quic/BUILD                      |   1 +
 source/common/quic/envoy_quic_proof_source.cc | 177 +++++++++++++++++-
 source/common/quic/envoy_quic_proof_source.h  |  48 ++++-
 .../quic_server_transport_socket_factory.h    |  10 +-
 .../quic/envoy_quic_proof_source_test.cc      | 176 +++++++++++++++++
 5 files changed, 407 insertions(+), 5 deletions(-)

diff --git a/source/common/quic/BUILD b/source/common/quic/BUILD
index c44d4a489aa80..8c1a4b54eae07 100644
--- a/source/common/quic/BUILD
+++ b/source/common/quic/BUILD
@@ -512,6 +512,7 @@ envoy_cc_library(
         "//envoy/server:transport_socket_config_interface",
         "//envoy/ssl:context_config_interface",
         "//source/common/common:assert_lib",
+        "//source/common/network:raw_buffer_socket_lib",
         "//source/common/network:transport_socket_options_lib",
         "//source/common/tls:server_context_config_lib",
         "//source/common/tls:server_context_lib",
diff --git a/source/common/quic/envoy_quic_proof_source.cc b/source/common/quic/envoy_quic_proof_source.cc
index 04be05c68f311..bb166c52e7a99 100644
--- a/source/common/quic/envoy_quic_proof_source.cc
+++ b/source/common/quic/envoy_quic_proof_source.cc
@@ -2,6 +2,9 @@
 
 #include <openssl/bio.h>
 
+#include <cstdlib>
+#include <fstream>
+
 #include "envoy/ssl/tls_certificate_config.h"
 
 #include "source/common/quic/cert_compression.h"
@@ -9,6 +12,8 @@
 #include "source/common/quic/quic_io_handle_wrapper.h"
 #include "source/common/runtime/runtime_features.h"
 #include "source/common/stream_info/stream_info_impl.h"
+#include "source/common/tls/context_config_impl.h"
+#include "source/common/network/utility.h"
 
 #include "openssl/bytestring.h"
 #include "quiche/quic/core/crypto/certificate_view.h"
@@ -29,7 +34,7 @@ EnvoyQuicProofSource::GetCertChain(const quic::QuicSocketAddress& server_address
     return nullptr;
   }
 
-  return getTlsCertAndFilterChain(*res, hostname, cert_matched_sni).cert_;
+  return getTlsCertAndFilterChain(*res, hostname, cert_matched_sni, server_address, client_address).cert_;
 }
 
 void EnvoyQuicProofSource::signPayload(
@@ -44,7 +49,7 @@ void EnvoyQuicProofSource::signPayload(
   }
 
   CertWithFilterChain res =
-      getTlsCertAndFilterChain(*data, hostname, nullptr /* cert_matched_sni */);
+      getTlsCertAndFilterChain(*data, hostname, nullptr /* cert_matched_sni */, server_address, client_address);
   if (res.private_key_ == nullptr) {
     ENVOY_LOG(warn, "No matching filter chain found for handshake.");
     callback->Run(false, "", nullptr);
@@ -74,13 +79,26 @@ void EnvoyQuicProofSource::signPayload(
 EnvoyQuicProofSource::CertWithFilterChain
 EnvoyQuicProofSource::getTlsCertAndFilterChain(const TransportSocketFactoryWithFilterChain& data,
                                                const std::string& hostname,
-                                               bool* cert_matched_sni) {
+                                               bool* cert_matched_sni,
+                                               const quic::QuicSocketAddress& server_address,
+                                               const quic::QuicSocketAddress& client_address) {
   auto [cert, key] =
       data.transport_socket_factory_.getTlsCertificateAndKey(hostname, cert_matched_sni);
   if (cert == nullptr || key == nullptr) {
     ENVOY_LOG(warn, "No certificate is configured in transport socket config.");
     return {};
   }
+
+  // Cache the keylog configuration and connection info for this filter chain
+  try {
+    const auto& context_config = data.transport_socket_factory_.getContextConfig();
+    storeKeylogInfo(data.filter_chain_, 
+                   std::shared_ptr<const Ssl::ContextConfig>(&context_config, [](const Ssl::ContextConfig*){}),
+                   server_address, client_address);
+  } catch (const std::exception& e) {
+    ENVOY_LOG(debug, "Failed to cache keylog info for filter chain: {}", e.what());
+  }
+
   return {std::move(cert), std::move(key), data.filter_chain_};
 }
 
@@ -117,6 +135,159 @@ void EnvoyQuicProofSource::updateFilterChainManager(
 
 void EnvoyQuicProofSource::OnNewSslCtx(SSL_CTX* ssl_ctx) {
   CertCompression::registerSslContext(ssl_ctx);
+
+  // Try to set up keylog callback for QUIC SSL contexts
+  setupQuicKeylogCallback(ssl_ctx);
+}
+
+void EnvoyQuicProofSource::setupQuicKeylogCallback(SSL_CTX* ssl_ctx) {
+  // Store reference to this proof source in SSL_CTX for use in keylog callback
+  SSL_CTX_set_app_data(ssl_ctx, this);
+
+  // Set up the keylog callback - the actual keylog configuration will be
+  // determined per-connection in the callback based on the filter chain
+  SSL_CTX_set_keylog_callback(ssl_ctx, quicKeylogCallback);
+}
+
+// Helper function to convert Envoy address to QUICHE address
+quic::QuicSocketAddress envoyAddressToQuicAddress(const Network::Address::Instance& envoy_addr) {
+  if (envoy_addr.type() == Network::Address::Type::Ip) {
+    const auto& ip_addr = *envoy_addr.ip();
+    quiche::QuicheIpAddress quiche_addr;
+    if (quiche_addr.FromString(ip_addr.addressAsString())) {
+      return quic::QuicSocketAddress(quic::QuicIpAddress(quiche_addr), ip_addr.port());
+    }
+  }
+  // Return any address for non-IP addresses
+  return quic::QuicSocketAddress();
+}
+
+// Static keylog callback for QUIC SSL contexts
+void EnvoyQuicProofSource::quicKeylogCallback(const SSL* ssl, const char* line) {
+  ASSERT(ssl != nullptr);
+
+  // Get the proof source instance from SSL_CTX
+  auto* proof_source =
+      static_cast<EnvoyQuicProofSource*>(SSL_CTX_get_app_data(SSL_get_SSL_CTX(ssl)));
+  ASSERT(proof_source != nullptr);
+
+  ENVOY_LOG(debug, "QUIC keylog callback invoked for line: {}", line);
+
+  // Try to find keylog configuration from cached filter chain information
+  // We iterate through all cached filter chains to find one with keylog configuration
+  bool keylog_written = false;
+  {
+    absl::MutexLock lock(&proof_source->keylog_cache_mutex_);
+    for (const auto& entry : proof_source->keylog_config_cache_) {
+      const auto& keylog_info = entry.second;
+      if (keylog_info.config) {
+        try {
+          // Convert QUIC addresses back to Envoy addresses for the bridge
+          std::string server_addr_str = absl::StrCat(
+              keylog_info.server_address.host().ToString(), ":", 
+              keylog_info.server_address.port());
+          std::string client_addr_str = absl::StrCat(
+              keylog_info.client_address.host().ToString(), ":", 
+              keylog_info.client_address.port());
+          
+          Network::Address::InstanceConstSharedPtr local_addr = 
+              Network::Utility::parseInternetAddressAndPortNoThrow(server_addr_str);
+          Network::Address::InstanceConstSharedPtr remote_addr = 
+              Network::Utility::parseInternetAddressAndPortNoThrow(client_addr_str);
+
+          if (local_addr && remote_addr) {
+            QuicKeylogBridge::writeKeylog(*keylog_info.config, *local_addr, *remote_addr, line);
+            keylog_written = true;
+            ENVOY_LOG(debug, "QUIC keylog written using cached configuration");
+            break; // Successfully handled by built-in system
+          }
+        } catch (const std::exception& e) {
+          ENVOY_LOG(debug, "Failed to write keylog using cached config: {}", e.what());
+        }
+      }
+    }
+  }
+
+  if (keylog_written) {
+    return;
+  }
+
+  // Fallback: Use environment variable for backward compatibility
+  const char* keylog_path = std::getenv("SSLKEYLOGFILE");
+  if (keylog_path != nullptr) {
+    std::ofstream keylog_file(keylog_path, std::ios::app);
+    if (keylog_file.is_open()) {
+      keylog_file << line << "\n";
+      keylog_file.close();
+      ENVOY_LOG(debug, "QUIC keylog written to {}: {}", keylog_path, line);
+    }
+  }
+}
+
+void EnvoyQuicProofSource::QuicKeylogBridge::writeKeylog(
+    const Ssl::ContextConfig& config, 
+    const Network::Address::Instance& local_addr,
+    const Network::Address::Instance& remote_addr, 
+    const char* line) {
+  
+  const std::string& keylog_path = config.tlsKeyLogPath();
+  if (keylog_path.empty()) {
+    return;
+  }
+
+  // Check address filtering
+  const auto& local_ip_list = config.tlsKeyLogLocal();
+  const auto& remote_ip_list = config.tlsKeyLogRemote();
+  
+  bool local_match = (local_ip_list.getIpListSize() == 0 || local_ip_list.contains(local_addr));
+  bool remote_match = (remote_ip_list.getIpListSize() == 0 || remote_ip_list.contains(remote_addr));
+  
+  if (!local_match || !remote_match) {
+    ENVOY_LOG(debug, "QUIC keylog filtered out by address match (local={}, remote={})", 
+             local_match, remote_match);
+    return;
+  }
+
+  // Use access log manager to write keylog
+  try {
+    auto& access_log_manager = config.accessLogManager();
+    auto file_or_error = access_log_manager.createAccessLog(
+        Filesystem::FilePathAndType{Filesystem::DestinationType::File, keylog_path});
+    
+    if (file_or_error.ok()) {
+      auto keylog_file = file_or_error.value();
+      keylog_file->write(absl::StrCat(line, "\n"));
+      ENVOY_LOG(debug, "QUIC keylog written via bridge to {}: {}", keylog_path, line);
+    } else {
+      ENVOY_LOG(warn, "Failed to create keylog file {}: {}", keylog_path, 
+               file_or_error.status().message());
+    }
+  } catch (const std::exception& e) {
+    ENVOY_LOG(warn, "Failed to write QUIC keylog: {}", e.what());
+  }
+}
+
+// Get SSL socket index for storing transport socket callbacks
+int EnvoyQuicProofSource::sslSocketIndex() {
+  static int ssl_socket_index = SSL_get_ex_new_index(0, nullptr, nullptr, nullptr, nullptr);
+  return ssl_socket_index;
+}
+
+void EnvoyQuicProofSource::storeKeylogInfo(const Network::FilterChain& filter_chain, 
+                                          std::shared_ptr<const Ssl::ContextConfig> config,
+                                          const quic::QuicSocketAddress& server_address,
+                                          const quic::QuicSocketAddress& client_address) const {
+  absl::MutexLock lock(&keylog_cache_mutex_);
+  keylog_config_cache_[&filter_chain] = KeylogInfo{std::move(config), server_address, client_address};
+}
+
+absl::optional<EnvoyQuicProofSource::KeylogInfo> EnvoyQuicProofSource::getKeylogInfo(const Network::FilterChain& filter_chain) const {
+  absl::MutexLock lock(&keylog_cache_mutex_);
+  auto it = keylog_config_cache_.find(&filter_chain);
+  if (it != keylog_config_cache_.end()) {
+    return it->second;
+  }
+  return absl::nullopt;
 }
 
 } // namespace Quic
diff --git a/source/common/quic/envoy_quic_proof_source.h b/source/common/quic/envoy_quic_proof_source.h
index 6a9bb62ee255f..a521953c13682 100644
--- a/source/common/quic/envoy_quic_proof_source.h
+++ b/source/common/quic/envoy_quic_proof_source.h
@@ -1,15 +1,30 @@
 #pragma once
 
+#include <unordered_map>
+
+#include "envoy/ssl/context_config.h"
+
+#include "source/common/common/thread.h"
 #include "source/common/quic/envoy_quic_proof_source_base.h"
 #include "source/common/quic/quic_server_transport_socket_factory.h"
 #include "source/server/listener_stats.h"
 
+#include "absl/synchronization/mutex.h"
+#include "absl/types/optional.h"
+#include "quiche/quic/platform/api/quic_socket_address.h"
+
 namespace Envoy {
 namespace Quic {
 
 // A ProofSource implementation which supplies a proof instance with certs from filter chain.
 class EnvoyQuicProofSource : public EnvoyQuicProofSourceBase {
 public:
+  // Cache for keylog configurations by filter chain
+  struct KeylogInfo {
+    std::shared_ptr<const Ssl::ContextConfig> config;
+    quic::QuicSocketAddress server_address;
+    quic::QuicSocketAddress client_address;
+  };
   EnvoyQuicProofSource(Network::Socket& listen_socket,
                        Network::FilterChainManager& filter_chain_manager,
                        Server::ListenerStats& listener_stats, TimeSource& time_source)
@@ -27,6 +42,15 @@ class EnvoyQuicProofSource : public EnvoyQuicProofSourceBase {
 
   void updateFilterChainManager(Network::FilterChainManager& filter_chain_manager);
 
+  // Bridge interface for QUIC-TLS keylog integration
+  class QuicKeylogBridge {
+  public:
+    static void writeKeylog(const Ssl::ContextConfig& config, 
+                           const Network::Address::Instance& local_addr,
+                           const Network::Address::Instance& remote_addr, 
+                           const char* line);
+  };
+
 protected:
   // quic::ProofSource
   void signPayload(const quic::QuicSocketAddress& server_address,
@@ -47,17 +71,39 @@ class EnvoyQuicProofSource : public EnvoyQuicProofSourceBase {
   };
 
   CertWithFilterChain getTlsCertAndFilterChain(const TransportSocketFactoryWithFilterChain& data,
-                                               const std::string& hostname, bool* cert_matched_sni);
+                                               const std::string& hostname, bool* cert_matched_sni,
+                                               const quic::QuicSocketAddress& server_address,
+                                               const quic::QuicSocketAddress& client_address);
 
   absl::optional<TransportSocketFactoryWithFilterChain>
   getTransportSocketAndFilterChain(const quic::QuicSocketAddress& server_address,
                                    const quic::QuicSocketAddress& client_address,
                                    const std::string& hostname);
 
+  void setupQuicKeylogCallback(SSL_CTX* ssl_ctx);
+
+  // Static callback function for QUIC keylog
+  static void quicKeylogCallback(const SSL* ssl, const char* line);
+
+  // Get SSL socket index for storing transport socket callbacks
+  static int sslSocketIndex();
+
+  // Store keylog configuration and connection info for a filter chain
+  void storeKeylogInfo(const Network::FilterChain& filter_chain, 
+                      std::shared_ptr<const Ssl::ContextConfig> config,
+                      const quic::QuicSocketAddress& server_address,
+                      const quic::QuicSocketAddress& client_address) const;
+  
+  // Get cached keylog information for a filter chain
+  absl::optional<KeylogInfo> getKeylogInfo(const Network::FilterChain& filter_chain) const;
+
   Network::Socket& listen_socket_;
   Network::FilterChainManager* filter_chain_manager_{nullptr};
   Server::ListenerStats& listener_stats_;
   TimeSource& time_source_;
+
+  mutable absl::Mutex keylog_cache_mutex_;
+  mutable std::unordered_map<const Network::FilterChain*, KeylogInfo> keylog_config_cache_ ABSL_GUARDED_BY(keylog_cache_mutex_);
 };
 
 } // namespace Quic
diff --git a/source/common/quic/quic_server_transport_socket_factory.h b/source/common/quic/quic_server_transport_socket_factory.h
index 85aaf45a7e5d5..48f5b365e09f9 100644
--- a/source/common/quic/quic_server_transport_socket_factory.h
+++ b/source/common/quic/quic_server_transport_socket_factory.h
@@ -7,6 +7,7 @@
 #include "envoy/ssl/handshaker.h"
 
 #include "source/common/common/assert.h"
+#include "source/common/network/raw_buffer_socket.h"
 #include "source/common/network/transport_socket_options_impl.h"
 #include "source/common/quic/quic_transport_socket_factory.h"
 #include "source/common/tls/server_ssl_socket.h"
@@ -25,8 +26,12 @@ class QuicServerTransportSocketFactory : public Network::DownstreamTransportSock
   ~QuicServerTransportSocketFactory() override;
 
   // Network::DownstreamTransportSocketFactory
+  // QUIC uses a different transport socket mechanism, but some code paths may call this
+  // Return a raw buffer socket as a safe fallback
   Network::TransportSocketPtr createDownstreamTransportSocket() const override {
-    PANIC("not implemented");
+    ENVOY_LOG(warn, "createDownstreamTransportSocket called on QUIC transport socket factory. "
+                    "This should not happen in normal QUIC operation.");
+    return std::make_unique<Network::RawBufferSocket>();
   }
   bool implementsSecureTransport() const override { return true; }
 
@@ -38,6 +43,9 @@ class QuicServerTransportSocketFactory : public Network::DownstreamTransportSock
 
   bool earlyDataEnabled() const { return enable_early_data_; }
 
+  // Access the TLS context configuration (for keylog integration)
+  const Ssl::ServerContextConfig& getContextConfig() const { return *config_; }
+
 protected:
   QuicServerTransportSocketFactory(bool enable_early_data, Stats::Scope& store,
                                    Ssl::ServerContextConfigPtr config,
diff --git a/test/common/quic/envoy_quic_proof_source_test.cc b/test/common/quic/envoy_quic_proof_source_test.cc
index 2abe458fafad2..3d9d9be185a49 100644
--- a/test/common/quic/envoy_quic_proof_source_test.cc
+++ b/test/common/quic/envoy_quic_proof_source_test.cc
@@ -1,3 +1,7 @@
+#include <unistd.h>
+
+#include <cstdlib>
+#include <fstream>
 #include <memory>
 #include <string>
 #include <vector>
@@ -13,6 +17,7 @@
 #include "test/mocks/network/mocks.h"
 #include "test/mocks/server/server_factory_context.h"
 #include "test/mocks/ssl/mocks.h"
+#include "test/test_common/network_utility.h"
 #include "test/test_common/test_runtime.h"
 
 #include "gmock/gmock.h"
@@ -344,5 +349,176 @@ TEST_F(EnvoyQuicProofSourceTest, ComputeSignatureFailNoFilterChain) {
       std::make_unique<TestSignatureCallback>(false, filter_chain_, signature));
 }
 
+// Test keylog functionality
+TEST_F(EnvoyQuicProofSourceTest, TestKeylogFunctionality) {
+  // Test that OnNewSslCtx sets up keylog callback correctly
+  bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
+  ASSERT_NE(ssl_ctx, nullptr);
+
+  // Call OnNewSslCtx which should set up the keylog callback
+  proof_source_.OnNewSslCtx(ssl_ctx.get());
+
+  // Verify that the proof source was stored in SSL_CTX app data
+  void* app_data = SSL_CTX_get_app_data(ssl_ctx.get());
+  EXPECT_EQ(app_data, static_cast<void*>(&proof_source_));
+
+  // Verify that keylog callback was set
+  void (*callback)(const SSL*, const char*) = SSL_CTX_get_keylog_callback(ssl_ctx.get());
+  EXPECT_NE(callback, nullptr);
+}
+
+// Test keylog callback registration
+TEST_F(EnvoyQuicProofSourceTest, TestKeylogCallbackRegistration) {
+  // Create SSL_CTX and setup keylog
+  bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
+  proof_source_.OnNewSslCtx(ssl_ctx.get());
+
+  // Verify that keylog callback is registered
+  void (*callback)(const SSL*, const char*) = SSL_CTX_get_keylog_callback(ssl_ctx.get());
+  EXPECT_NE(callback, nullptr);
+
+  // Verify that app data points to our proof source
+  void* app_data = SSL_CTX_get_app_data(ssl_ctx.get());
+  EXPECT_EQ(app_data, static_cast<void*>(&proof_source_));
+}
+
+// Test keylog file writing with environment variable
+TEST_F(EnvoyQuicProofSourceTest, TestKeylogFileWriting) {
+  // Create a temporary file for keylog output
+  std::string temp_file = "/tmp/test_keylog_" + std::to_string(getpid()) + ".txt";
+
+  // Set SSLKEYLOGFILE environment variable
+  setenv("SSLKEYLOGFILE", temp_file.c_str(), 1);
+
+  // Create SSL_CTX and setup keylog
+  bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
+  proof_source_.OnNewSslCtx(ssl_ctx.get());
+
+  // Create SSL connection
+  bssl::UniquePtr<SSL> ssl(SSL_new(ssl_ctx.get()));
+
+  // Get the keylog callback and call it to test functionality
+  void (*callback)(const SSL*, const char*) = SSL_CTX_get_keylog_callback(ssl_ctx.get());
+  ASSERT_NE(callback, nullptr);
+
+  // Call the callback with test data
+  const char* test_line = "CLIENT_RANDOM 0123456789abcdef test_key_material";
+  callback(ssl.get(), test_line);
+
+  // Verify the keylog was written to file
+  std::ifstream keylog_file(temp_file);
+  ASSERT_TRUE(keylog_file.is_open());
+  std::string line;
+  ASSERT_TRUE(std::getline(keylog_file, line));
+  EXPECT_EQ(line, test_line);
+  keylog_file.close();
+
+  // Clean up
+  unlink(temp_file.c_str());
+  unsetenv("SSLKEYLOGFILE");
+}
+
+// Test keylog callback without environment variable
+TEST_F(EnvoyQuicProofSourceTest, TestKeylogCallbackWithoutEnvironmentVariable) {
+  // Ensure SSLKEYLOGFILE is not set
+  unsetenv("SSLKEYLOGFILE");
+
+  // Create SSL_CTX and setup keylog
+  bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
+  proof_source_.OnNewSslCtx(ssl_ctx.get());
+
+  // Verify that keylog callback is still registered (even without env var)
+  void (*callback)(const SSL*, const char*) = SSL_CTX_get_keylog_callback(ssl_ctx.get());
+  EXPECT_NE(callback, nullptr);
+
+  // Create SSL connection and test that callback doesn't crash without env var
+  bssl::UniquePtr<SSL> ssl(SSL_new(ssl_ctx.get()));
+
+  // Call the callback - it should not crash even without SSLKEYLOGFILE set
+  const char* test_line = "CLIENT_RANDOM 0123456789abcdef test_key_material";
+  EXPECT_NO_THROW(callback(ssl.get(), test_line));
+}
+
+// Test QUIC keylog bridge functionality
+TEST_F(EnvoyQuicProofSourceTest, TestQuicKeylogBridge) {
+  // Create a mock context config with keylog configuration
+  NiceMock<Ssl::MockServerContextConfig> mock_config;
+  NiceMock<AccessLog::MockAccessLogManager> mock_access_log_manager;
+  auto mock_access_log_file = std::make_shared<NiceMock<AccessLog::MockAccessLogFile>>();
+  
+  std::string keylog_path = "/tmp/test_bridge_keylog_" + std::to_string(getpid()) + ".txt";
+  
+  // Setup mock expectations
+  EXPECT_CALL(mock_config, tlsKeyLogPath())
+      .WillRepeatedly(ReturnRef(keylog_path));
+  
+  Network::Address::IpList empty_ip_list;
+  EXPECT_CALL(mock_config, tlsKeyLogLocal())
+      .WillRepeatedly(ReturnRef(empty_ip_list));
+  EXPECT_CALL(mock_config, tlsKeyLogRemote())
+      .WillRepeatedly(ReturnRef(empty_ip_list));
+  
+  EXPECT_CALL(mock_config, accessLogManager())
+      .WillRepeatedly(ReturnRef(mock_access_log_manager));
+  
+  EXPECT_CALL(mock_access_log_manager, createAccessLog(_))
+      .WillOnce(Return(absl::StatusOr<AccessLog::AccessLogFileSharedPtr>(mock_access_log_file)));
+  
+  EXPECT_CALL(*mock_access_log_file, write(_))
+      .Times(1);
+
+  // Create test addresses
+  auto local_addr = Network::Test::getCanonicalLoopbackAddress(Network::Address::IpVersion::v4);
+  auto remote_addr = Network::Test::getCanonicalLoopbackAddress(Network::Address::IpVersion::v4);
+  
+  // Test the bridge functionality
+  const char* test_line = "CLIENT_RANDOM 123456789 ABCDEF";
+  EnvoyQuicProofSource::QuicKeylogBridge::writeKeylog(mock_config, *local_addr, *remote_addr, test_line);
+}
+
+// Test the complete keylog callback flow including SSL context setup
+TEST_F(EnvoyQuicProofSourceTest, TestKeylogCallbackWithSslContext) {
+  // Create an SSL context to test the callback registration
+  bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
+  ASSERT_NE(ssl_ctx, nullptr);
+
+  // Use OnNewSslCtx which calls setupQuicKeylogCallback internally
+  proof_source_.OnNewSslCtx(ssl_ctx.get());
+
+  // Create an SSL connection
+  bssl::UniquePtr<SSL> ssl(SSL_new(ssl_ctx.get()));
+  ASSERT_NE(ssl, nullptr);
+
+  // Verify that the keylog callback is set
+  auto callback = SSL_CTX_get_keylog_callback(ssl_ctx.get());
+  EXPECT_NE(callback, nullptr);
+
+  // Verify that the proof source is stored as app data
+  auto stored_proof_source = SSL_CTX_get_app_data(ssl_ctx.get());
+  EXPECT_EQ(stored_proof_source, &proof_source_);
+
+  // Test calling the callback - it should handle the case where transport socket callbacks are not available
+  const char* test_line = "CLIENT_RANDOM 0123456789abcdef test_key_material";
+  
+  // Set up environment variable for fallback test
+  std::string keylog_path = "/tmp/test_callback_keylog_" + std::to_string(getpid()) + ".txt";
+  setenv("SSLKEYLOGFILE", keylog_path.c_str(), 1);
+  
+  EXPECT_NO_THROW(callback(ssl.get(), test_line));
+
+  // Check that the keylog was written via environment variable fallback
+  std::ifstream keylog_file(keylog_path);
+  EXPECT_TRUE(keylog_file.good());
+  if (keylog_file.good()) {
+    std::string line;
+    std::getline(keylog_file, line);
+    EXPECT_EQ(line, test_line);
+  }
+
+  // Clean up
+  unsetenv("SSLKEYLOGFILE");
+  unlink(keylog_path.c_str());
+}
+
 } // namespace Quic
 } // namespace Envoy

From 20f5982bb2378ac2c9cb8a117f08800bbec5b90a Mon Sep 17 00:00:00 2001
From: Chanhun Jeong <keyolk@gmail.com>
Date: Wed, 1 Oct 2025 09:52:29 +0900
Subject: [PATCH 06/10] redis: fix race conditions in cluster destruction
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Protect all async callbacks from accessing deallocated cluster members
during destruction by adding is_destroying_ atomic flag checks.

Affected callbacks:
- ClusterRefreshManager callbacks
- DNS resolution callbacks
- Connection event callbacks
- Timer callbacks
- Redis client response callbacks (onResponse, onFailure, onUnexpectedResponse)
- Hostname resolution callbacks

The race condition occurred when callbacks were already queued in the
event loop when cluster destruction began, causing use-after-free access
to parent cluster members like info_, redis_discovery_session_, and
resolve_timer_.

All callbacks now check is_destroying_ with memory_order_acquire before
accessing any parent members, ensuring safe termination during destruction.

Fixes segfaults that occurred when removing Redis service entries.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
---
 .../clusters/redis/redis_cluster.cc           | 60 +++++++++++++++++--
 1 file changed, 56 insertions(+), 4 deletions(-)

diff --git a/source/extensions/clusters/redis/redis_cluster.cc b/source/extensions/clusters/redis/redis_cluster.cc
index 9596dd7e36758..c7d36df74a342 100644
--- a/source/extensions/clusters/redis/redis_cluster.cc
+++ b/source/extensions/clusters/redis/redis_cluster.cc
@@ -88,11 +88,17 @@ RedisCluster::RedisCluster(
   }
 
   // Register the cluster callback using weak_ptr to avoid use-after-free
+  // Also capture a pointer to is_destroying_ to check destruction state
   std::weak_ptr<RedisDiscoverySession> weak_session = redis_discovery_session_;
+  std::atomic<bool>* is_destroying_ptr = &is_destroying_;
   registration_handle_ = refresh_manager_->registerCluster(
       cluster_name_, redirect_refresh_interval_, redirect_refresh_threshold_,
       failure_refresh_threshold_, host_degraded_refresh_threshold_,
-      [weak_session]() {
+      [weak_session, is_destroying_ptr]() {
+        // Check if cluster is being destroyed first
+        if (is_destroying_ptr->load(std::memory_order_acquire)) {
+          return;
+        }
         // Try to lock the weak pointer to ensure the session is still alive
         auto session = weak_session.lock();
         if (session && session->resolve_timer_) {
@@ -103,7 +109,8 @@ RedisCluster::RedisCluster(
 
 RedisCluster::~RedisCluster() {
   // Set flag to prevent any callbacks from executing during destruction
-  is_destroying_.store(true);
+  // Use memory_order_release to ensure this write is visible to callbacks
+  is_destroying_.store(true, std::memory_order_release);
 
   // Reset redis_discovery_session_ before other members are destroyed
   // to ensure any pending callbacks from refresh_manager_ don't access it.
@@ -113,6 +120,11 @@ RedisCluster::~RedisCluster() {
   // Also clear DNS discovery targets to prevent their callbacks from
   // accessing the destroyed cluster.
   dns_discovery_resolve_targets_.clear();
+  
+  // Reset the registration handle LAST to ensure no new callbacks are scheduled
+  // while we're cleaning up. Any callbacks already scheduled will check is_destroying_
+  // and return early.
+  registration_handle_.reset();
 }
 
 void RedisCluster::startPreInit() {
@@ -261,6 +273,10 @@ void RedisCluster::DnsDiscoveryResolveTarget::startResolveDns() {
           parent_.onPreInitComplete();
           resolve_timer_->enableTimer(parent_.cluster_refresh_rate_);
         } else {
+          // Check if the parent cluster is being destroyed
+          if (parent_.is_destroying_.load(std::memory_order_acquire)) {
+            return;
+          }
           // Once the DNS resolve the initial set of addresses, call startResolveRedis on
           // the RedisDiscoverySession. The RedisDiscoverySession will using the "cluster
           // slots" command for service discovery and slot allocation. All subsequent
@@ -279,7 +295,7 @@ RedisCluster::RedisDiscoverySession::RedisDiscoverySession(
     : parent_(parent), dispatcher_(parent.dispatcher_),
       resolve_timer_(parent.dispatcher_.createTimer([this]() -> void {
         // Check if the parent cluster is being destroyed
-        if (parent_.is_destroying_.load()) {
+        if (parent_.is_destroying_.load(std::memory_order_acquire)) {
           return;
         }
         startResolveRedis();
@@ -316,6 +332,10 @@ RedisCluster::RedisDiscoverySession::~RedisDiscoverySession() {
 void RedisCluster::RedisDiscoveryClient::onEvent(Network::ConnectionEvent event) {
   if (event == Network::ConnectionEvent::RemoteClose ||
       event == Network::ConnectionEvent::LocalClose) {
+    // Check if the parent cluster is being destroyed
+    if (parent_.parent_.is_destroying_.load(std::memory_order_acquire)) {
+      return;
+    }
     auto client_to_delete = parent_.client_map_.find(host_);
     ASSERT(client_to_delete != parent_.client_map_.end());
     parent_.dispatcher_.deferredDelete(std::move(client_to_delete->second->client_));
@@ -336,6 +356,11 @@ void RedisCluster::RedisDiscoverySession::registerDiscoveryAddress(
 }
 
 void RedisCluster::RedisDiscoverySession::startResolveRedis() {
+  // Check if the parent cluster is being destroyed before accessing any parent members
+  if (parent_.is_destroying_.load(std::memory_order_acquire)) {
+    return;
+  }
+  
   parent_.info_->configUpdateStats().update_attempt_.inc();
   // If a resolution is currently in progress, skip it.
   if (current_request_) {
@@ -409,6 +434,11 @@ void RedisCluster::RedisDiscoverySession::resolveClusterHostnames(
           [this, slot_idx, slots, hostname_resolution_required_cnt](
               Network::DnsResolver::ResolutionStatus status, absl::string_view,
               std::list<Network::DnsResponse>&& response) -> void {
+            // Check if the parent cluster is being destroyed before accessing any parent members
+            if (parent_.is_destroying_.load(std::memory_order_acquire)) {
+              return;
+            }
+            
             auto& slot = (*slots)[slot_idx];
             ENVOY_LOG(
                 debug,
@@ -472,6 +502,11 @@ void RedisCluster::RedisDiscoverySession::resolveReplicas(
         [this, index, slots, replica_idx, hostname_resolution_required_cnt](
             Network::DnsResolver::ResolutionStatus status, absl::string_view,
             std::list<Network::DnsResponse>&& response) -> void {
+          // Check if the parent cluster is being destroyed before accessing any parent members
+          if (parent_.is_destroying_.load(std::memory_order_acquire)) {
+            return;
+          }
+          
           auto& slot = (*slots)[index];
           auto& replica = slot.replicas_to_resolve_[replica_idx];
           ENVOY_LOG(debug, "async DNS resolution complete for replica address {}", replica.first);
@@ -506,6 +541,12 @@ void RedisCluster::RedisDiscoverySession::finishClusterHostnameResolution(
 
 void RedisCluster::RedisDiscoverySession::onResponse(
     NetworkFilters::Common::Redis::RespValuePtr&& value) {
+  // Check if the parent cluster is being destroyed before accessing any parent members
+  if (parent_.is_destroying_.load(std::memory_order_acquire)) {
+    current_request_ = nullptr;
+    return;
+  }
+  
   ENVOY_LOG(debug, "redis cluster slot request for '{}' succeeded", parent_.info_->name());
   current_request_ = nullptr;
 
@@ -632,14 +673,25 @@ bool RedisCluster::RedisDiscoverySession::validateCluster(
 
 void RedisCluster::RedisDiscoverySession::onUnexpectedResponse(
     const NetworkFilters::Common::Redis::RespValuePtr& value) {
+  // Check if the parent cluster is being destroyed before accessing any parent members
+  if (parent_.is_destroying_.load(std::memory_order_acquire)) {
+    return;
+  }
+  
   ENVOY_LOG(warn, "Unexpected response to cluster slot command: {}", value->toString());
   this->parent_.info_->configUpdateStats().update_failure_.inc();
   resolve_timer_->enableTimer(parent_.cluster_refresh_rate_);
 }
 
 void RedisCluster::RedisDiscoverySession::onFailure() {
-  ENVOY_LOG(debug, "redis cluster slot request for '{}' failed", parent_.info_->name());
   current_request_ = nullptr;
+  
+  // Check if the parent cluster is being destroyed before accessing any parent members
+  if (parent_.is_destroying_.load(std::memory_order_acquire)) {
+    return;
+  }
+  
+  ENVOY_LOG(debug, "redis cluster slot request for '{}' failed", parent_.info_->name());
   if (!current_host_address_.empty()) {
     auto client_to_delete = client_map_.find(current_host_address_);
     client_to_delete->second->client_->close();

From ab759f81b467de30af801684100e7a624eeaaf09 Mon Sep 17 00:00:00 2001
From: Chanhun Jeong <keyolk@gmail.com>
Date: Wed, 1 Oct 2025 11:40:05 +0900
Subject: [PATCH 07/10] redis: Add comprehensive null checks to prevent
 segfaults during cluster destruction

Problem: Segmentation faults occur when accessing member pointers in async
callbacks during Redis cluster destruction, even with is_destroying_ flag
checks. This happens because there's a race window between checking the
flag and accessing the pointers.

Solution: Add defensive null checks for all pointer accesses that could
become invalid during destruction:

1. ClusterInfo pointer (info_):
   - Add null checks before all configUpdateStats() calls
   - Use safe access pattern for name() in log statements
   - Locations: startResolveRedis(), updateDnsStats(), DNS callbacks,
     onResponse(), onUnexpectedResponse(), onFailure()

2. DNS Resolver pointer (dns_resolver_):
   - Add null checks in startResolveDns()
   - Add checks in resolveClusterHostnames() and resolveReplicas()
   - Prevents crashes when DNS resolution is initiated during teardown

3. Timer pointer (resolve_timer_):
   - Add null checks before enableTimer() calls
   - Locations: finishClusterHostnameResolution(), onResponse(),
     onUnexpectedResponse(), onFailure()

4. Consistency fix:
   - Line 714: Changed parent_.info() to parent_.info_ to match
     null-checked pattern used elsewhere

The pattern applied throughout:
1. Check is_destroying_ flag with memory_order_acquire
2. Verify each pointer is non-null before dereferencing
3. This dual-check handles the race window safely

This prevents use-after-free crashes during Redis cluster teardown when
async callbacks execute after partial destruction has begun.
---
 .../clusters/redis/redis_cluster.cc           | 72 +++++++++++++++----
 1 file changed, 58 insertions(+), 14 deletions(-)

diff --git a/source/extensions/clusters/redis/redis_cluster.cc b/source/extensions/clusters/redis/redis_cluster.cc
index c7d36df74a342..94bba9a401a7a 100644
--- a/source/extensions/clusters/redis/redis_cluster.cc
+++ b/source/extensions/clusters/redis/redis_cluster.cc
@@ -245,6 +245,11 @@ RedisCluster::DnsDiscoveryResolveTarget::~DnsDiscoveryResolveTarget() {
 void RedisCluster::DnsDiscoveryResolveTarget::startResolveDns() {
   ENVOY_LOG(trace, "starting async DNS resolution for {}", dns_address_);
 
+  // Check if the parent cluster is being destroyed or dns_resolver is null
+  if (parent_.is_destroying_.load(std::memory_order_acquire) || !parent_.dns_resolver_) {
+    return;
+  }
+
   active_query_ = parent_.dns_resolver_->resolve(
       dns_address_, parent_.dns_lookup_family_,
       [this](Network::DnsResolver::ResolutionStatus status, absl::string_view,
@@ -252,10 +257,12 @@ void RedisCluster::DnsDiscoveryResolveTarget::startResolveDns() {
         active_query_ = nullptr;
         ENVOY_LOG(trace, "async DNS resolution complete for {}", dns_address_);
         if (status == Network::DnsResolver::ResolutionStatus::Failure || response.empty()) {
-          if (status == Network::DnsResolver::ResolutionStatus::Failure) {
-            parent_.info_->configUpdateStats().update_failure_.inc();
-          } else {
-            parent_.info_->configUpdateStats().update_empty_.inc();
+          if (parent_.info_) {
+            if (status == Network::DnsResolver::ResolutionStatus::Failure) {
+              parent_.info_->configUpdateStats().update_failure_.inc();
+            } else {
+              parent_.info_->configUpdateStats().update_empty_.inc();
+            }
           }
 
           if (!resolve_timer_) {
@@ -361,11 +368,16 @@ void RedisCluster::RedisDiscoverySession::startResolveRedis() {
     return;
   }
   
+  // Also check if info_ is still valid
+  if (!parent_.info_) {
+    return;
+  }
+  
   parent_.info_->configUpdateStats().update_attempt_.inc();
   // If a resolution is currently in progress, skip it.
   if (current_request_) {
     ENVOY_LOG(debug, "redis cluster slot request is already in progress for '{}'",
-              parent_.info_->name());
+              parent_.info_ ? parent_.info_->name() : "unknown");
     return;
   }
 
@@ -393,12 +405,16 @@ void RedisCluster::RedisDiscoverySession::startResolveRedis() {
                                              parent_.auth_username_, parent_.auth_password_, false);
     client->client_->addConnectionCallbacks(*client);
   }
-  ENVOY_LOG(debug, "executing redis cluster slot request for '{}'", parent_.info_->name());
+  ENVOY_LOG(debug, "executing redis cluster slot request for '{}'", 
+            parent_.info_ ? parent_.info_->name() : "unknown");
   current_request_ = client->client_->makeRequest(ClusterSlotsRequest::instance_, *this);
 }
 
 void RedisCluster::RedisDiscoverySession::updateDnsStats(
     Network::DnsResolver::ResolutionStatus status, bool empty_response) {
+  if (!parent_.info_) {
+    return;
+  }
   if (status == Network::DnsResolver::ResolutionStatus::Failure) {
     parent_.info_->configUpdateStats().update_failure_.inc();
   } else if (empty_response) {
@@ -423,6 +439,11 @@ void RedisCluster::RedisDiscoverySession::updateDnsStats(
 void RedisCluster::RedisDiscoverySession::resolveClusterHostnames(
     ClusterSlotsSharedPtr&& slots,
     std::shared_ptr<std::uint64_t> hostname_resolution_required_cnt) {
+  // Check if the parent cluster is being destroyed or dns_resolver is null
+  if (parent_.is_destroying_.load(std::memory_order_acquire) || !parent_.dns_resolver_) {
+    return;
+  }
+  
   for (uint64_t slot_idx = 0; slot_idx < slots->size(); slot_idx++) {
     auto& slot = (*slots)[slot_idx];
     if (slot.primary() == nullptr) {
@@ -486,6 +507,11 @@ void RedisCluster::RedisDiscoverySession::resolveClusterHostnames(
 void RedisCluster::RedisDiscoverySession::resolveReplicas(
     ClusterSlotsSharedPtr slots, std::size_t index,
     std::shared_ptr<std::uint64_t> hostname_resolution_required_cnt) {
+  // Check if the parent cluster is being destroyed or dns_resolver is null
+  if (parent_.is_destroying_.load(std::memory_order_acquire) || !parent_.dns_resolver_) {
+    return;
+  }
+  
   auto& slot = (*slots)[index];
   if (slot.replicas_to_resolve_.empty()) {
     if (*hostname_resolution_required_cnt == 0) {
@@ -535,8 +561,14 @@ void RedisCluster::RedisDiscoverySession::resolveReplicas(
 
 void RedisCluster::RedisDiscoverySession::finishClusterHostnameResolution(
     ClusterSlotsSharedPtr slots) {
+  // Check if the parent cluster is being destroyed
+  if (parent_.is_destroying_.load(std::memory_order_acquire)) {
+    return;
+  }
   parent_.onClusterSlotUpdate(std::move(slots));
-  resolve_timer_->enableTimer(parent_.cluster_refresh_rate_);
+  if (resolve_timer_) {
+    resolve_timer_->enableTimer(parent_.cluster_refresh_rate_);
+  }
 }
 
 void RedisCluster::RedisDiscoverySession::onResponse(
@@ -547,7 +579,8 @@ void RedisCluster::RedisDiscoverySession::onResponse(
     return;
   }
   
-  ENVOY_LOG(debug, "redis cluster slot request for '{}' succeeded", parent_.info_->name());
+  ENVOY_LOG(debug, "redis cluster slot request for '{}' succeeded", 
+            parent_.info_ ? parent_.info_->name() : "unknown");
   current_request_ = nullptr;
 
   const uint32_t SlotRangeStart = 0;
@@ -643,7 +676,9 @@ void RedisCluster::RedisDiscoverySession::onResponse(
   } else {
     // All slots addresses were represented by IP/Port pairs.
     parent_.onClusterSlotUpdate(std::move(cluster_slots));
-    resolve_timer_->enableTimer(parent_.cluster_refresh_rate_);
+    if (resolve_timer_) {
+      resolve_timer_->enableTimer(parent_.cluster_refresh_rate_);
+    }
   }
 }
 
@@ -679,8 +714,12 @@ void RedisCluster::RedisDiscoverySession::onUnexpectedResponse(
   }
   
   ENVOY_LOG(warn, "Unexpected response to cluster slot command: {}", value->toString());
-  this->parent_.info_->configUpdateStats().update_failure_.inc();
-  resolve_timer_->enableTimer(parent_.cluster_refresh_rate_);
+  if (this->parent_.info_) {
+    this->parent_.info_->configUpdateStats().update_failure_.inc();
+  }
+  if (resolve_timer_) {
+    resolve_timer_->enableTimer(parent_.cluster_refresh_rate_);
+  }
 }
 
 void RedisCluster::RedisDiscoverySession::onFailure() {
@@ -691,13 +730,18 @@ void RedisCluster::RedisDiscoverySession::onFailure() {
     return;
   }
   
-  ENVOY_LOG(debug, "redis cluster slot request for '{}' failed", parent_.info_->name());
+  ENVOY_LOG(debug, "redis cluster slot request for '{}' failed", 
+            parent_.info_ ? parent_.info_->name() : "unknown");
   if (!current_host_address_.empty()) {
     auto client_to_delete = client_map_.find(current_host_address_);
     client_to_delete->second->client_->close();
   }
-  parent_.info()->configUpdateStats().update_failure_.inc();
-  resolve_timer_->enableTimer(parent_.cluster_refresh_rate_);
+  if (parent_.info_) {
+    parent_.info_->configUpdateStats().update_failure_.inc();
+  }
+  if (resolve_timer_) {
+    resolve_timer_->enableTimer(parent_.cluster_refresh_rate_);
+  }
 }
 
 RedisCluster::ClusterSlotsRequest RedisCluster::ClusterSlotsRequest::instance_;

From 40aa08d13369e873920b0473b723330f148e4c1d Mon Sep 17 00:00:00 2001
From: Chanhun Jeong <keyolk@gmail.com>
Date: Wed, 1 Oct 2025 20:53:59 +0900
Subject: [PATCH 08/10] redis: Use local shared_ptr copies to prevent race
 conditions

The previous fix with null checks still had a race condition window between
checking the pointer and using it. Even with the null check, the shared_ptr
could be reset to null by another thread between the check and use.

Solution: Make local copies of shared_ptr before use. This ensures the
pointer remains valid throughout its usage in the current scope.

Changes:
1. startResolveRedis(): Copy info_ to local variable before use
2. updateDnsStats(): Use local copy of info_
3. DNS callbacks: Use local copy for stats updates
4. onResponse(), onUnexpectedResponse(), onFailure(): Use local copies
5. client_factory_.create(): Check and use local copy of info_

The pattern applied:
  auto info = parent_.info_;  // Make local copy (ref count++)
  if (!info) {                // Check if null
    return;
  }
  info->method();             // Safe to use - won't become null

This prevents the crash at line 376 where info_ was becoming null
between the check and the access, even with memory_order_acquire.
---
 .../clusters/redis/redis_cluster.cc           | 46 +++++++++++--------
 1 file changed, 28 insertions(+), 18 deletions(-)

diff --git a/source/extensions/clusters/redis/redis_cluster.cc b/source/extensions/clusters/redis/redis_cluster.cc
index 94bba9a401a7a..87866767b3048 100644
--- a/source/extensions/clusters/redis/redis_cluster.cc
+++ b/source/extensions/clusters/redis/redis_cluster.cc
@@ -257,11 +257,12 @@ void RedisCluster::DnsDiscoveryResolveTarget::startResolveDns() {
         active_query_ = nullptr;
         ENVOY_LOG(trace, "async DNS resolution complete for {}", dns_address_);
         if (status == Network::DnsResolver::ResolutionStatus::Failure || response.empty()) {
-          if (parent_.info_) {
+          auto info = parent_.info_;
+          if (info) {
             if (status == Network::DnsResolver::ResolutionStatus::Failure) {
-              parent_.info_->configUpdateStats().update_failure_.inc();
+              info->configUpdateStats().update_failure_.inc();
             } else {
-              parent_.info_->configUpdateStats().update_empty_.inc();
+              info->configUpdateStats().update_empty_.inc();
             }
           }
 
@@ -368,16 +369,17 @@ void RedisCluster::RedisDiscoverySession::startResolveRedis() {
     return;
   }
   
-  // Also check if info_ is still valid
-  if (!parent_.info_) {
+  // Make a local copy of the shared_ptr to prevent it from becoming null between check and use
+  auto info = parent_.info_;
+  if (!info) {
     return;
   }
   
-  parent_.info_->configUpdateStats().update_attempt_.inc();
+  info->configUpdateStats().update_attempt_.inc();
   // If a resolution is currently in progress, skip it.
   if (current_request_) {
     ENVOY_LOG(debug, "redis cluster slot request is already in progress for '{}'",
-              parent_.info_ ? parent_.info_->name() : "unknown");
+              info ? info->name() : "unknown");
     return;
   }
 
@@ -400,25 +402,30 @@ void RedisCluster::RedisDiscoverySession::startResolveRedis() {
   if (!client) {
     client = std::make_unique<RedisDiscoveryClient>(*this);
     client->host_ = current_host_address_;
+    auto parent_info = parent_.info_;
+    if (!parent_info) {
+      return;
+    }
     client->client_ = client_factory_.create(host, dispatcher_, shared_from_this(),
-                                             redis_command_stats_, parent_.info()->statsScope(),
+                                             redis_command_stats_, parent_info->statsScope(),
                                              parent_.auth_username_, parent_.auth_password_, false);
     client->client_->addConnectionCallbacks(*client);
   }
   ENVOY_LOG(debug, "executing redis cluster slot request for '{}'", 
-            parent_.info_ ? parent_.info_->name() : "unknown");
+            info ? info->name() : "unknown");
   current_request_ = client->client_->makeRequest(ClusterSlotsRequest::instance_, *this);
 }
 
 void RedisCluster::RedisDiscoverySession::updateDnsStats(
     Network::DnsResolver::ResolutionStatus status, bool empty_response) {
-  if (!parent_.info_) {
+  auto info = parent_.info_;
+  if (!info) {
     return;
   }
   if (status == Network::DnsResolver::ResolutionStatus::Failure) {
-    parent_.info_->configUpdateStats().update_failure_.inc();
+    info->configUpdateStats().update_failure_.inc();
   } else if (empty_response) {
-    parent_.info_->configUpdateStats().update_empty_.inc();
+    info->configUpdateStats().update_empty_.inc();
   }
 }
 
@@ -579,8 +586,9 @@ void RedisCluster::RedisDiscoverySession::onResponse(
     return;
   }
   
+  auto info = parent_.info_;
   ENVOY_LOG(debug, "redis cluster slot request for '{}' succeeded", 
-            parent_.info_ ? parent_.info_->name() : "unknown");
+            info ? info->name() : "unknown");
   current_request_ = nullptr;
 
   const uint32_t SlotRangeStart = 0;
@@ -714,8 +722,9 @@ void RedisCluster::RedisDiscoverySession::onUnexpectedResponse(
   }
   
   ENVOY_LOG(warn, "Unexpected response to cluster slot command: {}", value->toString());
-  if (this->parent_.info_) {
-    this->parent_.info_->configUpdateStats().update_failure_.inc();
+  auto info = this->parent_.info_;
+  if (info) {
+    info->configUpdateStats().update_failure_.inc();
   }
   if (resolve_timer_) {
     resolve_timer_->enableTimer(parent_.cluster_refresh_rate_);
@@ -730,14 +739,15 @@ void RedisCluster::RedisDiscoverySession::onFailure() {
     return;
   }
   
+  auto info = parent_.info_;
   ENVOY_LOG(debug, "redis cluster slot request for '{}' failed", 
-            parent_.info_ ? parent_.info_->name() : "unknown");
+            info ? info->name() : "unknown");
   if (!current_host_address_.empty()) {
     auto client_to_delete = client_map_.find(current_host_address_);
     client_to_delete->second->client_->close();
   }
-  if (parent_.info_) {
-    parent_.info_->configUpdateStats().update_failure_.inc();
+  if (info) {
+    info->configUpdateStats().update_failure_.inc();
   }
   if (resolve_timer_) {
     resolve_timer_->enableTimer(parent_.cluster_refresh_rate_);

From fe1542b2ab5f14a05bc3d462eccfb41e39dc1201 Mon Sep 17 00:00:00 2001
From: Chanhun Jeong <keyolk@gmail.com>
Date: Thu, 2 Oct 2025 10:47:08 +0900
Subject: [PATCH 09/10] redis: Use shared_from_this() to keep
 RedisDiscoverySession alive during timer callbacks
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The 5% crash rate was caused by timer callbacks executing after the
RedisDiscoverySession was destroyed. Even though we checked is_destroying_,
there was a race where:

1. Timer callback fires and enters the lambda
2. Destructor runs and deletes the session (unique_ptr reset)
3. Callback tries to access parent_.is_destroying_ → CRASH (use-after-free)

Solution:
- Move timer creation from constructor to initialize() method
- Capture shared_from_this() in timer lambda instead of raw 'this'
- Call initialize() after RedisDiscoverySession construction completes

This ensures the session object stays alive as long as any timer callback
is queued or executing, preventing the use-after-free.

Pattern changed from:
  resolve_timer_ = dispatcher_.createTimer([this]() { ... });

To:
  auto self = shared_from_this();
  resolve_timer_ = dispatcher_.createTimer([self]() { ... });

This should eliminate the remaining 5% crash rate during Redis cluster
destruction.
---
 .../clusters/redis/redis_cluster.cc           | 23 +++++++++++++------
 .../extensions/clusters/redis/redis_cluster.h |  3 +++
 2 files changed, 19 insertions(+), 7 deletions(-)

diff --git a/source/extensions/clusters/redis/redis_cluster.cc b/source/extensions/clusters/redis/redis_cluster.cc
index 87866767b3048..2c3e551e219ab 100644
--- a/source/extensions/clusters/redis/redis_cluster.cc
+++ b/source/extensions/clusters/redis/redis_cluster.cc
@@ -105,6 +105,9 @@ RedisCluster::RedisCluster(
           session->resolve_timer_->enableTimer(std::chrono::milliseconds(0));
         }
       });
+
+  // Initialize the session after construction is complete so it can use shared_from_this()
+  redis_discovery_session_->initialize();
 }
 
 RedisCluster::~RedisCluster() {
@@ -301,18 +304,24 @@ RedisCluster::RedisDiscoverySession::RedisDiscoverySession(
     Envoy::Extensions::Clusters::Redis::RedisCluster& parent,
     NetworkFilters::Common::Redis::Client::ClientFactory& client_factory)
     : parent_(parent), dispatcher_(parent.dispatcher_),
-      resolve_timer_(parent.dispatcher_.createTimer([this]() -> void {
-        // Check if the parent cluster is being destroyed
-        if (parent_.is_destroying_.load(std::memory_order_acquire)) {
-          return;
-        }
-        startResolveRedis();
-      })),
+      resolve_timer_(nullptr),
       client_factory_(client_factory), buffer_timeout_(0),
       redis_command_stats_(
           NetworkFilters::Common::Redis::RedisCommandStats::createRedisCommandStats(
               parent_.info()->statsScope().symbolTable())) {}
 
+void RedisCluster::RedisDiscoverySession::initialize() {
+  // Create timer with shared_from_this() to keep session alive during callbacks
+  auto self = shared_from_this();
+  resolve_timer_ = dispatcher_.createTimer([self]() -> void {
+    // Check if the parent cluster is being destroyed
+    if (self->parent_.is_destroying_.load(std::memory_order_acquire)) {
+      return;
+    }
+    self->startResolveRedis();
+  });
+}
+
 // Convert the cluster slot IP/Port response to an address, return null if the response
 // does not match the expected type.
 Network::Address::InstanceConstSharedPtr
diff --git a/source/extensions/clusters/redis/redis_cluster.h b/source/extensions/clusters/redis/redis_cluster.h
index 252e8e9570dbd..eb8d0406888fe 100644
--- a/source/extensions/clusters/redis/redis_cluster.h
+++ b/source/extensions/clusters/redis/redis_cluster.h
@@ -223,6 +223,9 @@ class RedisCluster : public Upstream::BaseDynamicClusterImpl {
 
     ~RedisDiscoverySession() override;
 
+    // Initialize timer - must be called after construction since it uses shared_from_this()
+    void initialize();
+
     void registerDiscoveryAddress(std::list<Network::DnsResponse>&& response, const uint32_t port);
 
     // Start discovery against a random host from existing hosts

From e7bc43ee0c6cd1c2b3ad2a7f5366615a5199ce20 Mon Sep 17 00:00:00 2001
From: Chanhun Jeong <keyolk@gmail.com>
Date: Thu, 2 Oct 2025 15:15:28 +0900
Subject: [PATCH 10/10] redis: Fix use-after-free by using session-owned flag
 instead of parent reference

CRITICAL FIX: The previous approach had a fatal flaw - callbacks with
shared_from_this() kept the session alive, but the session holds a
reference to the parent RedisCluster. When the parent was destroyed,
accessing parent_.is_destroying_ became use-after-free.

The race condition:
1. Timer callback fires with shared_ptr<Session> (session kept alive)
2. RedisCluster destructor runs and completes
3. Callback tries to check parent_.is_destroying_
4. CRASH - parent object destroyed, reference is dangling

Solution:
- Add parent_destroyed_ atomic flag IN THE SESSION
- Parent sets this flag BEFORE destroying session
- Callbacks check session-owned flag, never access parent directly
- Also simplify all safety checks into helper methods

This is the correct fix for the 5% crash rate when removing Redis services.
---
 .../clusters/redis/redis_cluster.cc           | 63 ++++++++-----------
 .../extensions/clusters/redis/redis_cluster.h | 27 ++++++++
 2 files changed, 53 insertions(+), 37 deletions(-)

diff --git a/source/extensions/clusters/redis/redis_cluster.cc b/source/extensions/clusters/redis/redis_cluster.cc
index 2c3e551e219ab..1f440f274ae1d 100644
--- a/source/extensions/clusters/redis/redis_cluster.cc
+++ b/source/extensions/clusters/redis/redis_cluster.cc
@@ -115,6 +115,13 @@ RedisCluster::~RedisCluster() {
   // Use memory_order_release to ensure this write is visible to callbacks
   is_destroying_.store(true, std::memory_order_release);
 
+  // CRITICAL: Set the session's parent_destroyed_ flag BEFORE resetting the session.
+  // This allows callbacks with shared_from_this() to safely check if parent is destroyed
+  // without accessing the parent object itself (which may be destroyed).
+  if (redis_discovery_session_) {
+    redis_discovery_session_->parent_destroyed_.store(true, std::memory_order_release);
+  }
+
   // Reset redis_discovery_session_ before other members are destroyed
   // to ensure any pending callbacks from refresh_manager_ don't access it.
   // This matches the approach in PR #39625.
@@ -248,7 +255,6 @@ RedisCluster::DnsDiscoveryResolveTarget::~DnsDiscoveryResolveTarget() {
 void RedisCluster::DnsDiscoveryResolveTarget::startResolveDns() {
   ENVOY_LOG(trace, "starting async DNS resolution for {}", dns_address_);
 
-  // Check if the parent cluster is being destroyed or dns_resolver is null
   if (parent_.is_destroying_.load(std::memory_order_acquire) || !parent_.dns_resolver_) {
     return;
   }
@@ -314,8 +320,7 @@ void RedisCluster::RedisDiscoverySession::initialize() {
   // Create timer with shared_from_this() to keep session alive during callbacks
   auto self = shared_from_this();
   resolve_timer_ = dispatcher_.createTimer([self]() -> void {
-    // Check if the parent cluster is being destroyed
-    if (self->parent_.is_destroying_.load(std::memory_order_acquire)) {
+    if (!self->isParentAlive()) {
       return;
     }
     self->startResolveRedis();
@@ -373,13 +378,8 @@ void RedisCluster::RedisDiscoverySession::registerDiscoveryAddress(
 }
 
 void RedisCluster::RedisDiscoverySession::startResolveRedis() {
-  // Check if the parent cluster is being destroyed before accessing any parent members
-  if (parent_.is_destroying_.load(std::memory_order_acquire)) {
-    return;
-  }
-  
-  // Make a local copy of the shared_ptr to prevent it from becoming null between check and use
-  auto info = parent_.info_;
+  // Use helper to safely get parent info (returns nullptr if parent is being destroyed)
+  auto info = parentInfo();
   if (!info) {
     return;
   }
@@ -411,7 +411,8 @@ void RedisCluster::RedisDiscoverySession::startResolveRedis() {
   if (!client) {
     client = std::make_unique<RedisDiscoveryClient>(*this);
     client->host_ = current_host_address_;
-    auto parent_info = parent_.info_;
+    // Get parent info again in case parent was destroyed between checks
+    auto parent_info = parentInfo();
     if (!parent_info) {
       return;
     }
@@ -427,7 +428,7 @@ void RedisCluster::RedisDiscoverySession::startResolveRedis() {
 
 void RedisCluster::RedisDiscoverySession::updateDnsStats(
     Network::DnsResolver::ResolutionStatus status, bool empty_response) {
-  auto info = parent_.info_;
+  auto info = parentInfo();
   if (!info) {
     return;
   }
@@ -455,8 +456,7 @@ void RedisCluster::RedisDiscoverySession::updateDnsStats(
 void RedisCluster::RedisDiscoverySession::resolveClusterHostnames(
     ClusterSlotsSharedPtr&& slots,
     std::shared_ptr<std::uint64_t> hostname_resolution_required_cnt) {
-  // Check if the parent cluster is being destroyed or dns_resolver is null
-  if (parent_.is_destroying_.load(std::memory_order_acquire) || !parent_.dns_resolver_) {
+  if (!isParentAlive() || !parent_.dns_resolver_) {
     return;
   }
   
@@ -471,8 +471,7 @@ void RedisCluster::RedisDiscoverySession::resolveClusterHostnames(
           [this, slot_idx, slots, hostname_resolution_required_cnt](
               Network::DnsResolver::ResolutionStatus status, absl::string_view,
               std::list<Network::DnsResponse>&& response) -> void {
-            // Check if the parent cluster is being destroyed before accessing any parent members
-            if (parent_.is_destroying_.load(std::memory_order_acquire)) {
+            if (!isParentAlive()) {
               return;
             }
             
@@ -523,8 +522,7 @@ void RedisCluster::RedisDiscoverySession::resolveClusterHostnames(
 void RedisCluster::RedisDiscoverySession::resolveReplicas(
     ClusterSlotsSharedPtr slots, std::size_t index,
     std::shared_ptr<std::uint64_t> hostname_resolution_required_cnt) {
-  // Check if the parent cluster is being destroyed or dns_resolver is null
-  if (parent_.is_destroying_.load(std::memory_order_acquire) || !parent_.dns_resolver_) {
+  if (!isParentAlive() || !parent_.dns_resolver_) {
     return;
   }
   
@@ -577,8 +575,7 @@ void RedisCluster::RedisDiscoverySession::resolveReplicas(
 
 void RedisCluster::RedisDiscoverySession::finishClusterHostnameResolution(
     ClusterSlotsSharedPtr slots) {
-  // Check if the parent cluster is being destroyed
-  if (parent_.is_destroying_.load(std::memory_order_acquire)) {
+  if (!isParentAlive()) {
     return;
   }
   parent_.onClusterSlotUpdate(std::move(slots));
@@ -589,13 +586,11 @@ void RedisCluster::RedisDiscoverySession::finishClusterHostnameResolution(
 
 void RedisCluster::RedisDiscoverySession::onResponse(
     NetworkFilters::Common::Redis::RespValuePtr&& value) {
-  // Check if the parent cluster is being destroyed before accessing any parent members
-  if (parent_.is_destroying_.load(std::memory_order_acquire)) {
+  auto info = parentInfo();
+  if (!info) {
     current_request_ = nullptr;
     return;
   }
-  
-  auto info = parent_.info_;
   ENVOY_LOG(debug, "redis cluster slot request for '{}' succeeded", 
             info ? info->name() : "unknown");
   current_request_ = nullptr;
@@ -726,15 +721,13 @@ bool RedisCluster::RedisDiscoverySession::validateCluster(
 void RedisCluster::RedisDiscoverySession::onUnexpectedResponse(
     const NetworkFilters::Common::Redis::RespValuePtr& value) {
   // Check if the parent cluster is being destroyed before accessing any parent members
-  if (parent_.is_destroying_.load(std::memory_order_acquire)) {
+  auto info = parentInfo();
+  if (!info) {
     return;
   }
   
   ENVOY_LOG(warn, "Unexpected response to cluster slot command: {}", value->toString());
-  auto info = this->parent_.info_;
-  if (info) {
-    info->configUpdateStats().update_failure_.inc();
-  }
+  info->configUpdateStats().update_failure_.inc();
   if (resolve_timer_) {
     resolve_timer_->enableTimer(parent_.cluster_refresh_rate_);
   }
@@ -743,21 +736,17 @@ void RedisCluster::RedisDiscoverySession::onUnexpectedResponse(
 void RedisCluster::RedisDiscoverySession::onFailure() {
   current_request_ = nullptr;
   
-  // Check if the parent cluster is being destroyed before accessing any parent members
-  if (parent_.is_destroying_.load(std::memory_order_acquire)) {
+  auto info = parentInfo();
+  if (!info) {
     return;
   }
   
-  auto info = parent_.info_;
-  ENVOY_LOG(debug, "redis cluster slot request for '{}' failed", 
-            info ? info->name() : "unknown");
+  ENVOY_LOG(debug, "redis cluster slot request for '{}' failed", info->name());
   if (!current_host_address_.empty()) {
     auto client_to_delete = client_map_.find(current_host_address_);
     client_to_delete->second->client_->close();
   }
-  if (info) {
-    info->configUpdateStats().update_failure_.inc();
-  }
+  info->configUpdateStats().update_failure_.inc();
   if (resolve_timer_) {
     resolve_timer_->enableTimer(parent_.cluster_refresh_rate_);
   }
diff --git a/source/extensions/clusters/redis/redis_cluster.h b/source/extensions/clusters/redis/redis_cluster.h
index eb8d0406888fe..8530fc7c06b15 100644
--- a/source/extensions/clusters/redis/redis_cluster.h
+++ b/source/extensions/clusters/redis/redis_cluster.h
@@ -271,6 +271,28 @@ class RedisCluster : public Upstream::BaseDynamicClusterImpl {
     void finishClusterHostnameResolution(ClusterSlotsSharedPtr slots);
     void updateDnsStats(Network::DnsResolver::ResolutionStatus status, bool empty_response);
 
+  private:
+    friend class RedisCluster;
+    friend struct RedisCluster::DnsDiscoveryResolveTarget;
+    friend struct RedisDiscoveryClient;
+    // Thread-safe check if parent cluster is being destroyed.
+    // Returns true if it's safe to proceed with parent operations.
+    // NOTE: We check our own flag instead of parent_.is_destroying_ because
+    // parent_ is a reference that becomes dangling after parent is destroyed.
+    bool isParentAlive() const {
+      return !parent_destroyed_.load(std::memory_order_acquire);
+    }
+
+    // Thread-safe accessor for parent cluster info.
+    // Returns nullptr if parent is being destroyed or info is not available.
+    // This encapsulates the safety checks needed when accessing parent state from callbacks.
+    Upstream::ClusterInfoConstSharedPtr parentInfo() const {
+      if (!isParentAlive()) {
+        return nullptr;
+      }
+      return parent_.info_;
+    }
+
     RedisCluster& parent_;
     Event::Dispatcher& dispatcher_;
     std::string current_host_address_;
@@ -283,6 +305,11 @@ class RedisCluster : public Upstream::BaseDynamicClusterImpl {
     NetworkFilters::Common::Redis::Client::ClientFactory& client_factory_;
     const std::chrono::milliseconds buffer_timeout_;
     NetworkFilters::Common::Redis::RedisCommandStatsSharedPtr redis_command_stats_;
+    
+    // Flag set by parent's destructor to signal that parent is being destroyed.
+    // Callbacks check this flag (owned by session) instead of accessing parent's flag
+    // to avoid use-after-free when parent is destroyed but callbacks are still queued.
+    std::atomic<bool> parent_destroyed_{false};
   };
 
   Upstream::ClusterManager& cluster_manager_;