From 1b18191c577ef8a98e94251e935f32b9cfafad0e Mon Sep 17 00:00:00 2001
From: Konstantin Schaper <konstantin.schaper@cloudogu.com>
Date: Tue, 31 May 2022 15:14:52 +0200
Subject: [PATCH] Add plugin wizard initialization step (#2045)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Adds a new initialization step after setting up the initial administration account that allows administrators to initialize the instance with a selection of plugin sets.

Co-authored-by: René Pfeuffer <rene.pfeuffer@cloudogu.com>
Co-authored-by: Eduard Heimbuch <eduard.heimbuch@cloudogu.com>
Co-authored-by: Matthias Thieroff <matthias.thieroff@cloudogu.com>
---
 .../development/permission-concept/index.md   |   4 +-
 .../en/first-startup/assets/plugin-wizard.png | Bin 0 -> 41399 bytes
 docs/en/first-startup/index.md                |  13 +-
 gradle/changelog/plugin_wizard.yaml           |   2 +
 .../initialization/InitializationStep.java    |   4 +
 .../InitializationStepResource.java           |  13 +
 .../java/sonia/scm/plugin/PluginManager.java  |  18 ++
 .../main/java/sonia/scm/plugin/PluginSet.java |  55 +++++
 .../scm/security/AccessTokenCookieIssuer.java |   3 +-
 scm-ui/ui-api/src/apiclient.ts                |   2 +-
 scm-ui/ui-api/src/index.ts                    |   1 +
 scm-ui/ui-api/src/plugins.ts                  |   2 +-
 scm-ui/ui-components/src/layout/Header.tsx    |  11 +-
 scm-ui/ui-types/src/Plugin.ts                 |   9 +
 .../public/locales/de/initialization.json     |  14 ++
 .../public/locales/en/initialization.json     |  15 ++
 scm-ui/ui-webapp/src/containers/App.tsx       |   2 +-
 scm-ui/ui-webapp/src/containers/Index.tsx     |   8 +-
 .../InitializationPluginWizardStep.tsx        | 228 ++++++++++++++++++
 .../AdminAccountStartupResource.java          |  27 ++-
 .../v2/resources/AvailablePluginResource.java |   2 +-
 .../api/v2/resources/IndexDtoGenerator.java   |  11 +-
 .../scm/api/v2/resources/IndexResource.java   |   6 +-
 .../v2/resources/InstalledPluginResource.java |   4 +-
 .../v2/resources/PendingPluginResource.java   |   4 +-
 .../v2/resources/PluginSetCollectionDto.java  |  42 ++++
 .../scm/api/v2/resources/PluginSetDto.java    |  49 ++++
 .../api/v2/resources/PluginSetDtoMapper.java  |  65 +++++
 .../v2/resources/PluginSetsInstallDto.java    |  42 ++++
 .../PluginWizardStartupResource.java          | 149 ++++++++++++
 .../scm/api/v2/resources/ResourceLinks.java   |  19 ++
 .../InitializationAuthenticationService.java  |  89 +++++++
 .../InitializationCookieIssuer.java           |  48 ++++
 .../initialization/InitializationRealm.java   |  78 ++++++
 .../initialization/InitializationToken.java   |  49 ++++
 .../InitializationWebTokenGenerator.java      |  52 ++++
 .../lifecycle/AdminAccountStartupAction.java  |   2 +-
 .../lifecycle/PluginWizardStartupAction.java  |  60 +++++
 .../lifecycle/PrivilegedStartupAction.java    |   2 +-
 .../lifecycle/modules/ScmServletModule.java   |   2 +
 .../scm/plugin/DefaultPluginManager.java      |  54 ++++-
 .../java/sonia/scm/plugin/PluginCenter.java   |  41 ++--
 .../sonia/scm/plugin/PluginCenterDto.java     |  45 +++-
 .../scm/plugin/PluginCenterDtoMapper.java     |  17 +-
 .../sonia/scm/plugin/PluginCenterLoader.java  |   5 +-
 .../sonia/scm/plugin/PluginCenterResult.java  |  37 +++
 .../scm/plugin/PluginSetConfigStore.java      |  51 ++++
 .../sonia/scm/plugin/PluginSetsConfig.java    |  45 ++++
 .../DefaultAccessTokenCookieIssuer.java       |  40 ++-
 ...ginSetsConfigInitializationUpdateStep.java |  64 +++++
 .../AdminAccountStartupResourceTest.java      |  33 +++
 .../AvailablePluginResourceTest.java          |   2 +-
 .../v2/resources/IndexDtoGeneratorTest.java   |   2 +-
 .../api/v2/resources/IndexResourceTest.java   |  45 ++--
 .../v2/resources/PluginSetDtoMapperTest.java  |  99 ++++++++
 .../PluginWizardStartupResourceTest.java      | 186 ++++++++++++++
 ...itializationAuthenticationServiceTest.java | 115 +++++++++
 .../InitializationWebTokenGeneratorTest.java  |  65 +++++
 .../PluginWizardStartupActionTest.java        |  73 ++++++
 .../scm/plugin/DefaultPluginManagerTest.java  | 114 +++++++--
 .../scm/plugin/PluginCenterDtoMapperTest.java |  29 ++-
 .../scm/plugin/PluginCenterLoaderTest.java    |  18 +-
 .../sonia/scm/plugin/PluginCenterTest.java    |  43 ++--
 63 files changed, 2294 insertions(+), 135 deletions(-)
 create mode 100644 docs/en/first-startup/assets/plugin-wizard.png
 create mode 100644 gradle/changelog/plugin_wizard.yaml
 create mode 100644 scm-core/src/main/java/sonia/scm/plugin/PluginSet.java
 create mode 100644 scm-ui/ui-webapp/src/containers/InitializationPluginWizardStep.tsx
 create mode 100644 scm-webapp/src/main/java/sonia/scm/api/v2/resources/PluginSetCollectionDto.java
 create mode 100644 scm-webapp/src/main/java/sonia/scm/api/v2/resources/PluginSetDto.java
 create mode 100644 scm-webapp/src/main/java/sonia/scm/api/v2/resources/PluginSetDtoMapper.java
 create mode 100644 scm-webapp/src/main/java/sonia/scm/api/v2/resources/PluginSetsInstallDto.java
 create mode 100644 scm-webapp/src/main/java/sonia/scm/api/v2/resources/PluginWizardStartupResource.java
 create mode 100644 scm-webapp/src/main/java/sonia/scm/initialization/InitializationAuthenticationService.java
 create mode 100644 scm-webapp/src/main/java/sonia/scm/initialization/InitializationCookieIssuer.java
 create mode 100644 scm-webapp/src/main/java/sonia/scm/initialization/InitializationRealm.java
 create mode 100644 scm-webapp/src/main/java/sonia/scm/initialization/InitializationToken.java
 create mode 100644 scm-webapp/src/main/java/sonia/scm/initialization/InitializationWebTokenGenerator.java
 create mode 100644 scm-webapp/src/main/java/sonia/scm/lifecycle/PluginWizardStartupAction.java
 create mode 100644 scm-webapp/src/main/java/sonia/scm/plugin/PluginCenterResult.java
 create mode 100644 scm-webapp/src/main/java/sonia/scm/plugin/PluginSetConfigStore.java
 create mode 100644 scm-webapp/src/main/java/sonia/scm/plugin/PluginSetsConfig.java
 create mode 100644 scm-webapp/src/main/java/sonia/scm/update/plugin/PluginSetsConfigInitializationUpdateStep.java
 create mode 100644 scm-webapp/src/test/java/sonia/scm/api/v2/resources/PluginSetDtoMapperTest.java
 create mode 100644 scm-webapp/src/test/java/sonia/scm/api/v2/resources/PluginWizardStartupResourceTest.java
 create mode 100644 scm-webapp/src/test/java/sonia/scm/initialization/InitializationAuthenticationServiceTest.java
 create mode 100644 scm-webapp/src/test/java/sonia/scm/initialization/InitializationWebTokenGeneratorTest.java
 create mode 100644 scm-webapp/src/test/java/sonia/scm/lifecycle/PluginWizardStartupActionTest.java

diff --git a/docs/en/development/permission-concept/index.md b/docs/en/development/permission-concept/index.md
index 20f190a48d..12df588aca 100644
--- a/docs/en/development/permission-concept/index.md
+++ b/docs/en/development/permission-concept/index.md
@@ -184,7 +184,7 @@ The following shows user as an example.
         "configuration:read",
         "configuration:write",
         "plugin:read",
-        "plugin:manage",
+        "plugin:write",
         "group:read",
         "user:read",
         "repository:read"
@@ -206,7 +206,7 @@ The following shows user as an example.
         "configuration:read",
         "configuration:write",
         "plugin:read",
-        "plugin:manage",
+        "plugin:write",
         "group:read",
         "user:read",
         "repository:read"
diff --git a/docs/en/first-startup/assets/plugin-wizard.png b/docs/en/first-startup/assets/plugin-wizard.png
new file mode 100644
index 0000000000000000000000000000000000000000..cac4feb6fa61e605e2e4f7b033c9f19e4c4538c6
GIT binary patch
literal 41399
zcmbTdbx>Tvw=SBX!9o%o1_>54xC|O}fZz@xxH}B)POu@ky99TFdth+4;5xXw-^uyi
z_o`0SxmEYQ|7Lpc-h1_0-QSXL?Jz}o5EeQy`m0y3u%xBLm0!Jj4SMwoA><7TeB>{l
z*3PR}ey^m(MO58%58E)@aQ0GmT6WxBc63}^M~~CNwC*knFj-o#OPnA_$}o*!Tu{d4
z&m&H0vs8IgDZV}G@dl@R(bS;!2|1o|zclVT2Mj7As>on#tv-D2#3<%KW|BLGNE#!O
z!0PI6bzxolm^QA4qGO&bH>C{4C8{+vdd5U6Sy?YC1(mjX2_?@S9VHDyFO2$xAqKg(
z8uthx281CaF$RQv@3=wm--z=7q7Va2eXucM2%F!3U3m3>bs?Dm{Fvl>M}QyED?>Db
zik6nw{(%WUq8>M%&LJ(&gUa=I$$$0f*cCpOa8B8g8YSIl0vVJMzT3jN9kKI4jEjr=
zce}B8yTo(C50O3_NS&dh!IPvG6TTJwkH@cU{cb;o02aZxsq%7i5;i}34XYCa`aAle
z{bL&jl3-O()Kb1_wdPl~Exj=DXonQ4rlX_9hV{*8VaNhSM6V$;a*S_GG(EPtDdlG{
zbwj~VCqqL@%fP<<&<$rs{ku5Sb?fQ6AGUSJ0ct}U-LQQ|rK$L<>FpGKy*sTyi?F>z
zf2hG-_?4mnt{`*!{feLd#OL{RrMFKU6)bEcJI$I*iPis+1~vomeOO%W29bN?)_3h=
z4Xw359IIFWt$BUW2KBVi7_%6Y`>Yjz$)3)Ol~R;{4gs!|gj@|B2jVS~<o%-GUq+4g
z-WJll@?rHzl`*@>^v7FWezk4>B?)p8SQqt>eHOwln0c=o5MXBi;!~$EoTsaI**aC!
z0Fbq_3kiTo{Vkh=>t+N0j^J*-H97Bm-cu6%ILI*n6a4Ni83o>#<u6XXrUmYtp!!FC
z^=|K>S<$<MU5n}hF6i!_Lx~3>QxEyi5oeSsO{UoZX*&o9k+CSu?O?XN2ulXmh>z~^
zkmLJ`%L&<bH!{D&2~pts)KL>6*<gLgplM|h#8~HLL|oQrM^sk%=Zw*3zQLt{a}05Q
zx}x<1H}oNqInbmCPk7-~Z(DQ5Z1N^v(c&3lnNBqz(ctfSXqNx?nWR5nX0_@Df?56n
zUu%F2F~^8$Imd}2s*UN_7!7yE#PJxlb0c}$S%ey(u_1?yqyvhhtO5@vPkp>H;kBe|
zt>iob^5>#tzPf|d)*0*>A}fQLaFfaE!J@#gbxX{`$(cHM#d8YWVolGQRhnhVlrJ*v
zz>=u0e(OKI9Uo@RNQ1tQm35v$_4RJ@`v8@=f`NtA2vN0!gQSGs*K#2v4n)LVLPIE;
z5}TFrUupBCj3DPO8rk$@tX&JC4v#sU=B+0B5Y5mLh#}qQo4h;o1J7+$Antfw>&WT+
z9Gjze8l^^_ckHZdK`n9k*YKRRBWTcB`I2hX!C@$$=WAR7JU<K4BaYFpBc=wBp|!J&
z#^+eeH@dSGrK|E#10sRn6G(+vb?qiqzju|lG|Qv|1JA29pJlk7-$`U4G2t_6M;Jl$
z+yO2L8e+~|C7*x5@D`<L54d|ATi1A06)cC(P#~50<|m+oE>+Qk<Y}(bhxN78e!d=O
zR(6nkranr_8i!(;xT__2nzM9fXd*Ca<n-26qw{>*ajOA>>7MGH>#U#OcxS-wh=a7J
z3oGE`l!!DW@BDFh;1sFe{keI}e7p=&c7Tps`5mA8a)6|96xBZCU}#-Z02<J1*gL(E
zyjgRlNaoWhlG-OVEoX7XJL+0o{mP~M8%=Jd8j(*1u&;54CkiOZ<&6hkk}hn*504r?
zb7U(ku&H2q<?G6o@0~PU&1(n|W|b&UORQY+n^<>zlzo4aUlRq@pF5*Ks!nN_HG_~q
zK-V7~z>yA2noR1l%v#{qiSUsz#OZ0yE{>sXb7nHJ<Y3_Sj^O9a65;j?G77aGtt*>X
ze*sCtW&!8>2=iYivRR>witUhVytK`Prv+0k;uUnxOS}WwT=(xf3vbj;Vu2L_SZ^Z>
zImn{LA*8gL!B^j_T?hcfakk{<`!GeWQXZL+eKSCe=~dl-mLAImea^kAiY4P-+u0V@
z#CXuA!Zt4C3erm6+)9vS6>LzpWEZY`J;+j=)PnGgcwjJtIN7G^!FxGB%I9ErB7;bL
z(=%kSE#G14?M#wnb<#3<#v7`%6F13y{OvbD{qe$s?j5!w>)_HEZ&@~~oSq(<g)>i`
za~>)?e^!@~|5Q?CkQsZ)`Ui=aGXMsD1fGgC4+sv`+USO0<7!PN#A;v-9K!tP0dTw>
z`VwIUAxF+>G=|OHigLX@#gt4MD~hh@s%HyygilHp8Q=nO_J}P`QSg5vsTuAa_h~|Q
zEN8Z#$~HW+{Nwt@r6ViqfGIG0<qiK^5!;@TA`?wGiqq1p0>GB*#E?+PQOFYhUjQBs
z$@Q1xb+Tl@fq%^*Q~&4+TFcjmwT%fKx`PfBX4ENt*K6DPu!A>Y&MQGK2ew73D|{)f
zC`ScNjq*Cz=FysV+8*3nvuk{ioR2$e9t)t{w+L{g-%D@;4==}}X#FMJ`)ieR(p(K(
zxm<T5_i0zhXhIe=0GHL11+0PM-qo3i9dWs5^c*R=yu+%>M;0Yl?>;`#vhPpC&{D?^
zQjIZ+=D=`l^R_?A+YRhAtk(3PSq3EZD|xlkrx_(7)>uh)!`#YWk5tqD243@myEw|0
z-@gx=%>}}WQui|6a{jS87nob4<m$pOZHErP=l@gdl}O6nyE<ROpp9kzk3*3oyLki?
zxMvq+mg>Jm7V2PbI37#p`SVDtZTtjYJyhd{i)j2Kf9?At4w@DaLRZA5oU%e7M)OOf
z0|88~deb8MaO1VbT0zb%k<tda*=u!*4mVI4;8<`cBlpj;WfJ&lRB)vb{TPXXy9LZY
zuzt88DF36?ts!s^Y(l~PZ)32J!vWi2_ke_(F3G9B61##pzV>wf^17=^#68{?OKi2%
z&8aD-4|OxkRoV)G@_>RhxbxLb_oh#%l0Ys;Xt%{uQ3zCU?wo222B2h(ASLQBCJ)>0
z=DoxcWX_^i#QrWqN55+BiakPFeFX^>SmSe08@6kh>1y=R)w1E{ud|r7D?9#BhCO<K
zrW5S20Qrlqo<`ElUsmOykf!;fKOs54osiTtgHp(II4*Y}6nK%0sC1BCe&6amZl-9P
ze}+QPxaUSFn<i~@=kf;Wppzgxvv5KUdp;uHbpny*vqjd`1s$<V;8T&4(pZ6Q7{g=6
zcJoJjyfGF#p7ih%EAqw>+A3H}_FghFQ<U*W;M$;z$oFeWRxaIyeLdo6`gKR{F#+9i
z<qWDF2Xfwv15DW0FJ`ALN2(P#fqP1eoa(N&#D_KO^{GexB9)}+8yyD3^zBzf^eYEW
zZ1Fl^fPFxL`27s&&4#o`4GGpL>ZaJ|DveA8tA)?@+)@Oar)Z3+bfYRC{LXM_IY08$
zDVgDj$<HT*n9fciUe|F}ZAhO8fbqQU@Y#;{V}8#hwjp<DVkCznu;S{@(etXABhM*4
z<|<4fv%j@zYUx~HrEAyJ`;F|i>G*x|u#uF}Ed*h0cnM(^{Z5>u67gX6yS^P^2;bso
zsh)d1!9dy?)C00k9Dc+((54x!+O}qgXxZvBXO${e@qW1Qn-tzB@vM2F47z$XH+I-&
z`(PiQ7OHpOJ#14#cPmgR8twNXNNo4U&jfY0wv8y={6nIkym^bzn|4aZ!|phb#x8_!
z*P0Yq2i9ChZHwll=8$@qs+*#NQlXGWyQW6cR^CbUf|DMz6$IMHGh%#U)y53#M~4HY
zs8Cf{(ezQBCExc~RAj72ohQat#L1_iN!7`y!f6y+VwR&oKP;BMCtjaAmcHs1^guEl
z@=>GW*iotxSK1f-Sw?5I(Uxz^YfBcd6<B;i=e!&BZu3H~>J#6JQfS;)R~#s%7)A17
zsT(Yx2`t2}Ck{{O`%YgSjIIXnWMMDtJ=U&AKUfHioe4DWcU@GfJg<x*No25;j(zL}
zfH2z^KQ7Qd6CQT)g>Ic#cOV~rQdoDlj2WfjWcSST%5X|YNJ?qfNYw+bdi@MtY<*W@
zrFYv(tO_Aw@ax;{IbrsDILzU@DXP%mi|$#CsKeeoZ<5?u){4FtP|y0dU?r~etLgq^
zX|0v13?s{~aEZ_15&G?L!|UzZoz6F$vk0XUt1Pd~tU6Kc--o0n-VvY(GYHlMOloto
zRimqRHB4!mclroQC#TbY&S$P`pz63q*gaM-qrYJNnt(VUF4s?bo4^7f(1e<;*j6F*
zsr4M)TYW!xBwvy<_R;nzm{y(@TXVIWWtY>(;+oIiXlueH@pCS>{n6hyiFr0_f9NRP
zy2Hd;zc6gY1?>k(PW*~b%Id`UKs8*{Ja{qWoWsX+wf4Iz(^*Ve%Z;=Kh|SH*R&(`b
zjE(O#E!BI4&TxWq44o!75hv8n@4L7JiN*nL0%seCB-cOOXJF=Tm<oeeY7!9DhEC@2
z-10TDF7irc#;tA1zVBw!FuEBz!ODnh(6sYAl&^<tWQnr+xGZlzjW+Zi#<kZv@O|3P
zhVIUjw!O;4e9Y<I-lNR63GU!%R+RtxFhxD520o6$7R!Fe(%7f8^mZ22mwNf*-&c|g
zotggc^Q|G9A<iWMgE|5s4RBvD{k$enaxc9@LFTCqff4K+R~bWI_eK`*h29X1<x~NQ
zy&Ig;iw`47%eby4tGi|+xf<{nWX3t8QPxU$UAGUAlIlI!-tBhX2@0OyNiI&$ssStS
zyM;O3tgr3->z4ZYxL}&a&$<f*SCcNDeR*S>-`aP<y6uvf9pEeHpq+yGw;2x-w?<KO
z+1?$GM*NUf5+4^Bd8o_`7g<>@odzk=?r1P?f(|(UG|dN@PL*K9@=>jGcgV0$FAK+Q
z!)$ZlAf_99hLO%F;WH_cH0R&(=n{#r^lKZDPCmPquy>tB@1rE+ISbO$M%q@t(xYg&
zbNv@@q38SG>tXf*^1}|heTWuGc|m6!pIO&gYDj(0v<D0Hvf6*Y!c?g<KS=y7{G}uH
z_Q1CgtGSwJXH*aqug)g2hKbBMBjgV=Qt=~#j|H!MM=WT@d1i$;8>gV_1m)9n?1IFU
zolgB*c2HR*G_0e7P>$2UxC(Wo`CGeYMV^w%@>eg``JHYfOVla(?NAAB=zDgk$Sz|S
z&ee}WKpy0yH%s03NH3WJ^4fM~0m-}bN*)O|nXRHoy<Vfb4mtKH4##C}wW&ShM3(Cx
zDQ@~dC`}$SC$AYL#hpw1J$j5nht#E&l6N96jov?xvQKvUNOBW5RS5D{W~2r*+-Fz3
zyGha}nl}7m<W3{U&P&7Byx*(-CCnJo6XG08#Vim#ISdb#kH?VJp5kfqa2@#A_zKkD
z91qFIT^fDh1|2;&*Je!GyzT|etR7WixY#66g2sM+0B+nlvcGYbxD7OS5h4H1LVE5z
zDXR2KA`=b{TTf_n&b*Gg&PMOXDM(Sb=YL#0*L|Os^KO%DPcjEjXF{h3Co?Y2+lhR4
zB<FskHuImhj`kf)GS=4>=`P>h=7qp2&mx3)lG)kT{_ahqsG~6qz}zbLOPtOP;`2Bk
zw9YKAp~w3vwsIV26^ctYk_6hdFS@X=xkQ-<A+~CD{8|4!Fi;)`REp}2A#BG)U5c!}
ziGmKs$W8z_W)GdlwsaXbE?k8Y0$@cRQfy@J=rNDEd3d*f6@r!XNDnD#Bp)cKbDLnv
za&e_ZVi;*SymH>tO?meg91O8M^W3u7fAgIPWqQsJ=jjAf+T|7Kj@HZk)?=A}(vmTJ
zM;@EyJj3PpXsb<V7AkR6J2r{$zN<l*!k3#w#P?LwPjrvxNbiV$;Z?CM%_W3>y1wIk
z&;dzIZBNSc*yO~kg5%F)L%Q0g5NyQUHWJf0N4o}{1E8j;tL}RP={uaG-{yY}cw@pg
z*?XL;81vqS^q`eY+<6=72psjq+3w(1F~H1|spzwGqT>7ByAPI({<2irxt@r#qOpsT
zPyV*-SYc{L{UR&R{J}XX%TK0{dfN(%5$JD>kKzs<Y&G<h8BNqnJK=H{d<TSxh3!E4
z7COje!W7SYLlRnBOBY&2WX2ejDW44NP3&H)7<>^>lOOt#Kkc+L<<rbs<KXXHDv^JG
znNbx;(-V#o^^g&AwGg)2#0SE;Sx#jZbjH?6@S&5a(98JjDi;SWN<GOnhU_o(blH#Q
z#Ik&iDPYih*TEuZoA<eL^7J9w<IltLch#Ab=Hr$gtIl?+*qf5)c0<^4*b#$!^yD35
zf%3q`brIyFVAEA;biLDKNDnZq#7bl!?hsw_{L>z>`sf_?^i^UdJti;b)#X0e+Ee^F
zHzTv6p}&uR4Idhy+pXwm!BTWinjoO>d~E6Z(e|RGt}+Gydo`_sPEdfn{m>083}kqb
zR+Z+04wO2(y~=Q-{N`Yesv#E%DC5Zt<s1xE%^Y6t-bUxIZ;EyjG0N8;bP9J4kFXcd
zTK!ajSC{eo>*53ma{t&a353eZlM*v^6(z`b+6yIMe=Y*wh$~m7H_)c#_0P0Qg!Rch
z6G_-Qt`sKg{u-Ez#gq~fQgR17FB~NdTuttH7K8tai`oV><*{9#*oQIbMaH(yC`c!?
zinzYctP2NThqaD<ftPh+54te0SiTIpGG2<1M)AxWVCdQl@wLB><djL@Fm(9+^?*!R
zgurf#zYHwn{2rM2ORdT0++jTZn~Zn3V;#^xb*Uf!`)H1r|9<;_451v?Qd|K_U(KL3
zi=njc5%{xv!f1M&=@_NBvKf~712}kL3Hiu8SHd@Y^g5<xaVrV@fu-d9JtM~UCI?_3
zD?M_n%JM)?n3VxMJ*|>q#Q5ux&ON2TCB|~AuyqQbzC5&IQ_9wk8e21k_PPnR(p|vy
z5RZTpTExU+2$3O9fB~cx;ThXw_W`R1_)7mz1CguD;~>el{yMT`lbcU3;A~^0B2eD>
zGmh?fV#BF^otD9-&mCTS(WB5`z;;m&q(k(YLlxV(B7v{NPIHj0w5!N6`uiXe21rO*
zDB%Z6d{OLv<yLuE{*eJt;{tb@@y^U~YhFX7$+k|HbCpc3JuwzXs-yki={RsO^c<AP
z(apU61_qeL@Dp3Tj255wPQ!`@NB|%1Y%kFZr#zL}Ve7Bzlpu7HH)KG*voO6Y5pye&
zAcx258lH*j9w}zT=#2Dt%==qWUZGtS&$sKm^<)Sda3eS_SN?A7qVkDXy|S<fA9npd
z*p}}FqPbyB2hVTEU6>RU`ta&iDUB+qI+8fMC!}r~=__;ixbCO-7M;j@wtT8s5|mrX
z^Lj36=NVyBP0QPV=<v`UkOqY7U=VC?f@Knfr59C3=P>p?raZQqK{Ie$EK+J)yDX>&
zdI^ZxtTDu2D-9Nui^NTB^UIf<TlZe^zNr|optM&a&-;k|_KaUv#b+%s5%~H2UZj!G
zd2z@dQa*;FMP|WIn9&QqxR_9@{V8aWc2!7U!m6+pN=@3cE?Mft*rl&6UVVJ^iB`t3
zA+etYz?A*J)AawAuqir@oLQ1g*Gufk(^QDqAGt#33>e{=--syO_6`@f0kpqlJ;IAe
z<VsYwQ;NX|#VnHa9RpaQHvgVtwI1&Ub{cr9Ep{BdY?6)<;26YH*}lwBI!_Cs80Vgf
zWBZr)x5e5)*87zP=}EZz<&<|)qO2V6;~xtRium_8`{C&&b8@UXMB}5P@rTOdJ;wKy
zu?eex;Mt}$=YN$N`2M?Z`JdMC?mxLI9nG+Vp&`6vR2@s(hDt=g2P>+ihA*Wc;8Hh1
z6`YUmbvXgDzktcXg_0qPVcElCw}2H9Zcb0f`>=%=BufN)N!$IDW&_b!(}bE5hDb~F
zXHCl;BJ+SujJ5_hH#hGk;N@>+g!4}{9@I1=0E@@ID3bqotj&zM5g1D{bvr+w?DHP}
zxOl(EFfW-fvN%)7bY_RoQ}h2bD*d#@R}6DITHt!3#Oz_Ee|@JiIjrP<-vjGsl`YBR
z0TG+Q>*%n|(EnXWhtl-z*BG4|%YO!(1LhPA2~Eiiz&ezGvI_sK8Sbvk8pkK<5CeQa
z&sl)N6;^jzFqC4`yu1uYl$$gAuYI%KtCi0Tp^w_+*35hiA)bSRihey!lM7&c^%H)=
zXD_1YZ@*hUTo3RaUTst%I5IF$VvJCkeZCaY5@SB3r^oGyvC6yGI+l5xH7I)Izo9})
zC(^XAiaJ+(vo7UH8=pJ4;EF+NGv?<Q|8VJ9^j*=vM4$}^f>t1=hPwB?NYb6p<xA8!
zzrDce+w?d2BIV;QMPlxVi`ha_3+Pxyaa|2vpX!i_`5V5d*mH2Y+J3Oy^TN<pvdOSR
zzZ<g-QYpITuzQmsbiwD8{`Zyt=Siz~;?6E@=w?B>{uRd>*)0zyyYD^FMsqz{=6agQ
zCM)5=cI8fzy@)yKW!868L_wDB-r9V<UF^B<P(cgGNe&TghWj7_8Tyz}HK0|@l8LY4
zj-{G~z8ir|YM#0{&a~65QqoLjC(Il<@k4L(Y$-mAB_vFF&IetFWIxv_|2gPqs`8^O
zU$`XEdvBrF+bE70q^LL2<qVu9?@OjFs_8_Hj15)PA35j*A6whqR(AKw{I6l6Vi}S%
z<X;0<MuP=~kAdJ}{t3(kbH6Dz0X~$LXiKb*_}2@PMd1dK=t-5|L4izD1W*Zg6%6Yt
z;Gf$wmFg&^5mQe?6!+|09q~|0IzCy(ew<B`x28RPC_Jt7s&82qm~*{AA{8Dn$RD95
zQv|)e6AO7i7cC`@LIZ6cK2|cLS{J#|pVtCM#RGTHyeC>6(6Q|K<azkBi(OcV^FhKE
zD^l*@$Ak0tw<I@}>qA8kOG&}cvx1nuq4zSqp{IB^G`E($G`HFkZxVA%4XL;bHrL;A
zS1vw$-jCqI%-d@_iaa6HS9h;(r~B;VzV`0YmzSw;Rq$|9E^4G=!_ZqvR%b=q`+ck4
z25wLNsE%84jTDE?cUydGKKi4Z%nt*N1mWQ!f1<zXYLQtB*U9NI@#6jxA(nvT%~f{B
zSfT=i_hxs4%4+t#o+w?pOnNK#BVbW(!!hQ%UjlUyV7FHA7nrg`vDql|``L84fxkLJ
z8))Q>sOdbIiumCsj#-#eR^2Zv4P6WNSyuJqnhn&i4D)f!=zjvW0hMv3O)ANkQ0+Jg
zK_zMDH3k<0c|SF@nzL^x%#0wjvxxVUSfLBodl9+tVz-r2VY?J!%1&1g(fvlt+wIIv
z3d`L??c3}d<R>ODtuC0lkfT3wfvJ&mK8FPo5zhnd=z@y`7p`>y-{9vN`}a#JrOk)!
zu;q(+p`k*qm?H?pEvx*Z3kQh02IO4cIUweoD$@FXcx5?gn8O1-as=N;h3wjt{N0H2
z0SxZvjkvc<O#^DvJq=m}<@CzBj<Yg=sTeN15xI?vST!9x65j7qH?_Sd(t$Hf^*V;{
zi80><sycNSl=s}uo1Bt)t6_edpnyX2XEiAETY<D6fXY)Id~Y+&CkRHQ%61(hrpj4T
zWB!Um&~bq!cWB%Vb2~D$k^&mvutN`88D_dnTS&tlG!JJ=#EZDg%I_8)Ji@iw$*3$<
zv-_1WZ6*c#gZ+l9bK8j_8D;)pg8CbYD7Q*O9;b|xNdl{R15c8b`VOqZfbUhP^>Z<=
z@y%$B`By`qLT@^4tz%Dw>eM<kbzo9bD0i9dw-tVw>Id|KkL>XT!UZguI2;lXkLj3v
z!$?bn5#-ddvnr%v2Olb^c+T!woycXf`Lq--OdoRJ&sJInpn~?_U&a{i1Y>|90KKe_
zj!Tg-R9wZiG9QG`HY7-azg=BBVPaDx(=Lnrr<vaO{ZW+AmFL>~4Wh6)02+ILca8P@
z$vk9%)|ffoDcjykvnkjvRBauYuZI;67zv0yXR^<cN39e7IZ#;e7n$rPZhS!}SBa!#
z_6aF6s+YWfSUeXt|1m8uhV6rEF|g0K(~KR8{*n@uI)k3(JOMX9RHBwo3HAXv*+V#J
zr<xs~nKhRgWM)OeYDsOu0`Q=~Il-|CC!3+W0fcEzY~E9$vKcNVU3x-1)AF#yNB%yq
zxHs*Xi&MgQNm_-DY?5T6u`0etBcVbCViLOz?JxWB&21S%606>Z&M;WDE2eG!9VIR*
z^+FXTFft2P+>+|kG}Dj#^W6e+;XW3V4S<UGS6YQ+9kI-cM+=X*i266se+-1jKVz8m
z!W=o`(Z-SSkAkF?0D&Tw@Gv1q>iAzXfBNDUY;5@U@Ue}5+)vr)iv{Y?UBb+5Q&s?B
zh&I(Kkt@Bl7Z1p_R_DYiMk0TO=t@7o%QbiSyhZQ}BTzN|z)gjt?Ot4n^HwG&N2xSU
z6qLI))lV~Ro?Y1YL5zzhCcNi-mK1X?c)0rVlrd)T<IFLsK^*l=);y|>+=6VVo6<2*
zS(hq>N<{458c71;4APq-2t}(~3Wg<1ZShVCf+$y1$&fA8p#hG7O_Sfn0+ze&n-3t!
zX!1d$O9$6+QB1Y~NN`^OB$}~vn`j-0j$!c=VzdyS-!^i#EqF}#_v1N$6mL>uy{MnS
z9TGbD*3wM&6&x#w$L{<yPt8Cn*NxQSLXP=GF{v}0WgwM0AdgkyClYok<UNZk?V@ro
z0Uc9ZU?M@~96@jJ2jFacTLt~EB}u_t`lI{mcFmseM8MG<K~R7$N#vCaW{$5nt1fsr
ztB;P}kf|u`!72!st=;SNT|Ttmm0Bzx=49j9;xkz{zQ~r+EAK{S*D)@c18}?ZLpBKs
zOaO7o?X(WE8~m^&KD`)1T?u98#%N_W#$RBl(=cEBD7}bn5}e>-uAq7HCPhEAY`FU{
zh!Xl#j#@39fq`13<=wi+TZi&(O+O9qT>QhW51WE~wZsybdiw!~g9E<e=_1n#cZdg=
zn%amd@Y(;fy@pmWK1Mw-oHJARh%u-Sb{h)^eO$1$fI$d}xepT7RSXr85wm3EpdeIp
zsQ^akyG0lc{4iZd8^;--OYSwK^;*G5WdS0$ulE=7qtIDgP87K)$@;Tum=sdhD8TH&
zC6ajWh>(6?ZKZs+_QL)#Y&Go54Mnt@g8rXIg;p6UNunVN0)_z9AI@WJzi0?X)A@0p
zy<X+@IVH^w(>d1d9rM5*Hhm{6ctGLA^d72xJN%BE-QJOy%Ix>XdEC&NjbH2LXB;KP
z)x!?9F;pTqBm=n7M!3ZgzyOogP<~<Ey+!?d*8<?^jUXs^FBimhCJC8hn=4ZC$kO)Y
z&+aFA+KT1NmZGi3JRe6O&R5z>p0a$*HdM%w#sQMqOLUON9W0<ic(IgiAcfsL*@sTF
z0KqnrYur|}?O(;4VVFg{f-Mgz;sS7-dvAP>b-o+ZkW>HH<hCx=*cwtB1)#cVof-Fr
z7HZR{mI*e0)Dbe;>c0WtutIrP;(;)1^j^vpr_82gDv3z^K%~>FCT=%rI&9s<dc~Mc
zr|~IEqd<XN`ZSivW8kqBu!u$GM}Sr`)zxs`&jj)&g2qoT&J&Dd)<6EC9JH6UUpytc
zUkRINE3D=R+lL$Dty>-4giBlJyWtb{lj6wLAk%O_vGmi|#mo2aQj7!?%FV1G)sZoD
zlQh9N0}udS5xrbUk!cPld(1x{X9Srx(PA<s5u`PQh$E*`(I=#MZxJp6qLSGhTS-PH
zejt9*zLG%0VRZCj|0OOEA9l5nO~x+SyehSv*c&kE_MyO(*oazr01#$Ov{m7SV_kjZ
zCn%3$%vYnIBnVcbgr?ks)3L%*sd5O7L7f-{+q8`pgAwV>pCII4v<wbC9?O4gGKp`Q
z{}Cht5-S~_AiUgt^mbSp?@88NP84kF5ZA*cn4UQDQUaG4X~SQ%o|#9+-hYg-)04H=
zH6jn~7XF@LwZ)s}3Bl;H9*(Kv=lKFs<RdS!dfVOEd0D9-4=T2@n#Uc2w3er(^1@9e
z+(_tWImb60u@<97b%~L)X;6-LqIR%aJ`2`Z0Y@TBM29<aS)xU(6wF3Y_Gv0n<tS{2
z5rk9Fd*qXK;wgbsJrD?bn&U(-(Q{(Z;f_BQt$C*iLbm6#X}AQQo(hIZp`<VwQR7oN
z>bx<vf~cAQusqLT3CP=(%Ms0q5|z*4$(EW}=UKC#IIzF1$~T-o+l)Cm+~}1zw@qIJ
zZWl|<5zvtCJ8fi!0f@pbduSAORw?RO{67!kryf6FRLyZUq<4sC_p|-F%BCHQiC;9G
z5h%x(UZZo)grDG6nE7;4Ub8S1M~FCaQ&HI_9wM6I-zsV{PL_NJns{R=&!{Lw-A2ms
zjbSO~W^xZJrHQ+|g-;=9HC|~;WBTw<jtb`9UY+`cpkJvcg2qk1Sgt2T8}E%6^&P~f
zh2L}Az)(zj6<07*ighoosU`a%5?3&mz9h<#8!6Cv!-uN4$-$)|`56EIZ(Gs-u@Omg
z0d_0R5>I-BOjzPyb1l7G_qs@6wv;&{Vv+T3!p6d>=tKAuPko#btF|8IO4HTxA68lP
zm~)t0Z7m^_7Jk)XgXoB#wKjSKe`n&{>xMDBz@z+8K!U}>WJ=EVVeN_Z-ye!?SY?HB
zr}yeOniz{;?pazfd-B<fZ6FOTou(y0Ls@jlJUOM)=!rTQnv5O>%65<(NxI*gmjT?3
zVN+#ku71uPXiNpXl|EXLd=aZ+wG8G#<EZ=F3-(QzRiu(QEq({(9cXzzp{!<KZLxxE
z6+}b5QIqZ4h?=6ZA4?yGpw@~&YXLb{RTOpX1X)pyV620vD_-tb4Zi%ZRzx|+ynDyF
zinV=s<e|-`TLu|I`vHa#$kxG{bEnn%gr*;*ZNPwwT!Z3V-bZWZ{K9ja-Tqq9MY(dI
zyl&C!&}EduBlX>6RZ5Wi$~xhYq4cz)%$5{vR}jPGfl;E)wU!L4#Oed_1z<dacIKOY
zuq04lZFs^w^$Q!cnwa&d$}g`IB~gGSa^)~UX6d)h&0D(mY^F-g;tKBF=7k?HEwt|%
zA0UB5At^L)ec=L4XT&M1thn9>4$Y)(%9#(<i$ISS$AeAt*g&Z_j*%v3ES61s!_^#y
zeuy;Orx5Ad{ShTWx$I=B<3M_z$t7|@TL~5MK-(ITv!);PzyFesUxn#>O250-WKlh?
z4R8$+>th{${J8-85&2tRJXB5=gIH|4$!c6p^oCpsRBQnd?fHV!Wm=7wR&91rK2P0y
zH&uP;+O{S&*7*Y?Z3b`NtH8A0Lu*EGU}%3^h$y&k3A1Xx?HwNrPw6*+;e$-=LjS8x
zZcrHrB!XhRb`OwCTEG56qghj?&y|vGO%VcoZblqr4XD!wjK5#K_!wdUlNwB;>R}x=
z?1WbWFpXaQ`xE)v8Uim8pi}|bF?$IA?=IXF0_CH=n7hg74YFe5z>YbfVHBLs^1EN_
zBi%c-xKMInv~T3D0vMqvnexso?=ijzTp1G5nlxGsJCv=Uz$mei9wu%X`m*O@-ojdC
z=YKDvbH`z&3S9=cCt+FR1Ae)W0|MWELIN%SOfe1IJQiC!Ob=M0WNHayY%NZGi8anv
zkH82pDmi1+t=bS+5n^w9*LY(ZFhmgR@jS{Ac%?}+FC)r2vyY_FqFVX>s&3L}mt_!X
z=ZkP70Bc;=xQ|^pa@Q4NkenZP4r{bs=F3S*CO!|~7(<iWp~3mkcT-KC4$&P*M^FY{
z0=v||7qf$!ycph$Qt~v0KT;4c;eKbh;0GI|4Pe=};Izv9?r&^m4tr-?ik6h|s?vgF
zelSCy`Q%k)5Arc3!DaZ7S5Ybq729@IEgrJy98ilARXc;s9ZHa=H3MP8tfgDxg7Hoq
zy-r%jl(#Dw1O&bZTPIP9ha<I-bNVy0yeYQ?i{D3Z`!{L16tZ1CirBA@hlOyTS6k|^
zDf$~iUQyK(lIGGYiv!n(g5+qP3~JRBNJ<w__Ub>Lwx+$!tft?sboGz>4JRqRLJUl4
zw?`aS#tF4Jal8rL7X-&E#ceo-$5@A#N7{`3?E<v_X8#)qaD^yB{*eqr#5_j@+o6Rj
z)mPu9Q?3lk^x`o4NAXSHrSwrA6|3Z)6lTwGY6}z)Dxfd8hVoKOYu=on^+VRJON;nJ
zUfZ_q?xzcLmjLjW%#}H$=M-645$hr3XM-ms<7o_Ay+011l5~pay)~!wZjW)_C^a0j
zNw=zg`T{hyVlpx;PjSn4J*>4m$84Z1BJORsPQ3`psYB$87WJxQmw=Z|HuIXaE>nfj
z%MSy9C*WeI4p|VJcAp_4IFq2SpN?N`DC#QU!4E6FP}bge9J``TJ!Xx0gTwt>R~LmF
zz?4-Zh*EmD?Q_4^9NNn3R4}H1W=J*F?N^(h?ynle2DaC26t#cirMEQrM-9Kn(uw2L
zU3tH9EH0S%JvDZOwPyJTFcY<bw4or9zm>JNo*fhCUsmpR0q9ZE|MZrmfHR$*9HMs$
zuk2e=f(HE$u|N<NWqIlm#!ul9+m<%^R++JVp?wsZkgQS<nx2>ju9+QVg4C7Y0AFgf
zw#6u=G{dj(_7ASE=@H%2_{KkroXYHtHCVsqC8-_L$7!OlLmE5-haIHYp%vhmqY^4m
zxbpXHd3(LwtHwJyl8_Wc*9KsC4caL`o#XHysjoE=ipY}R&9y(W(@}x*x0?gk{uGV;
zW+Y7~5F1wwhb3;J7*wAB?i>Fy@|H1w=Z;ExS8jw5O}lGK4h4uTXYQ2qk>~RP5{G2O
zQ#f#vZ&ap|k`I3FY84i+<R;zRU5#6k1oT%TCU$HIoB+|*JgT<HHxl&4-UxY<!_19s
z{Fi*WkA>K9TT;Te;Y1@9Q7$tSxhwh#XVa{Ngi7S;=@0Vjv|~b(W^L$}O$`_Ou+IPB
zW{-WqvXZ&3xGJoUVOe+_!^*H@9*}dc>m*^yjX+PaI**%^^v-$>FHRp(NLUtpPxgLe
z<Yrw=)6bnjUu06J-_y?66~vd$EX?fYxUg?!K%x>Vj+S^qEzxb?L%R}>+b#D*z?yY#
zCs+ciSFK+b>e44EQJZFI+@Q#N1GTH)HhRaQ3gusIG}gBg6pBBkuc0~l#Z6jE+LPAr
zbeRkyEw0%7gdA|~xam{(`REk$^!ygUzFdi<jt?CY%D&9T?$Qgo8mbMrm<}?1ftP^O
z|Fc~{GE*Ph-e94QP%`)`k=bc{QkbeM_Teni=CyT|zKdvsOD9q4hL9Sce@I484?s!R
z=hvpy9m9dSsV|>wBDq<7ccpVI3)vUYKEdVO2Ih>IAY!)(dx!oeVgpTx*pkmytKAb|
z=_Z}|)Xhzhus60c<g|XJ#{tGTE7v?^P`nK+d5Ys(Ga;m9J0=DPy>9q1tTXZvc*nm0
z@GjZ17!b%`X%VAb0E?(}lqA`?*Q=1K&x;pcut_AS7n|ANXR&*Z=r7u!G{E#|{4RwJ
zS+!-y&blSsmvq8osAgE8XvZo9T_^p2&YY_5b4S?b35<kCn<%C>Le_}XM4OappY0$Y
zfT<E&MJvMartbgJiG&Ge9%ndZ6koDFA*|v*t>FK69pC@Mo|y;4gyp;=d`{X)`}ju5
z?7fF!LiA_J)fmhkCZw-p06UMa{au2*CkgITl+;e)k~FBFA~<gP0`hueHEpuPat7x)
zshCf7`{~-L-)X+ns}qB2y8iD^Q+Yh2HM`>-c?v?)_sORPJqxaa@5*uvyu8al3xe})
zyWaBV_?D3Cxa&^L<=)<uPE*N2h?bUhCs2)im1q;EI_MHS3f{NDn_BPPACvFR>ilbe
zlWXt!ibNcD<iB7n^NX}yXm&MulFSE`2$4Zmw`+jcxor0nnx04MrydTZztp@1-x{^a
z6#Ytfsv2C5%TT(i<yDU^)DF_q1i(gFhjo%Wtu8fA=Oeh^^le5~QIEv<AdgQor0ZYE
zNeO!Eod&v>;w=?$+h^Rr6EF{|$aS*MolxqC2x@<*(Z~M0%2XbWsg%6=(;8y95Rdy&
zz4YGAS~-CcmfV0fdBk0%b|sUsfewy;@Mzsiy4M8s)|A*9K#od$@IQsLt__1lab7^k
zA=1Fad|)@!JcK2!OQFp<qTc~C6<}JG;Fe9$W?zPmRmzQ&={nU#wJICQ4x-@`SK-%#
z^m!~G!rHj|myQCS(df0Ej(c}&zs^AOcBhm+pTy0UibDcyKWQq|N!)t?x;zZx&H1aa
z*tuYI@a4mq%A|~Yy{$g(o_yl3Q-CB)oN>Jqgq_!%tNAbFB=8Uj;s0~c^F?{&Y_|N{
zzc7gj?Gh&SoWKbNkdOqfKEinJd*O@?KHfRa`7a4J5HUG9Il-|2J3B%Wi(Uw}@Z-DB
z-<xsO>2Tp}QyFsHf?dCFe`tSne^P%||F2j}$Y4l+g56T%YmG|XU`CCKpioudKk6uP
z`dLg2{>V>lW;F0Fjfu^xgSlXpXb2=c9Nt!`UL)}=CM52YA59!*2!Vf}5P~8tFK6Qg
zpQ+6hgH1$4b*HX8Jkd`<A7lc5ZEs=>8|@6>3Z)o-1PYg9Aa*72vM<>QOufelXR<Vl
zDcUq>W&jCAO60T3X<7fsEt)pe7#3#jt$)-N?#l}<oRh*hr)d+R?FA%U3jjHLSY;VR
zpW~;0&FqJ=;*P@O#(c^x1({1JnN;8;?=~*me+E3pwC%yvJcSN2&G4@_{*hh%zv6e<
zEMQVc?jCZX286VDAAOaDo8(J?j=pf^<}*kijr|{Js^s|Y1~#nLu{MP7p+lE(v4gQ(
zAiZtw(?kL66~m0T2ddOV#VR>6ke!_8(^7kjY_Sd^S_w_?YF6iy?|tzPA%cli7T>oB
z<#P8D$uy#!uvePZ#Puj^T{Gj2j$G5i*GxK3q2vexe%mibSm}=|IQPBy=`<D)e;5KG
zIms-+7!iAaFD$0=dDZ@f;N{({z^T?#z9%vJpFN5=OqDdmwH2&!B|Q2TP}9p)mh#?I
z%=$0;Tly=-S#ryISZ&r+rK8W?tffKZ#}|tyT;^3x=F5o$rKfmgqk+^-(J$|}3`P4I
zji7JY<i+lXr35Ysd~;bQPY+#>lO&r}L)_Yteb2%vvrgC_D?adkb3tm>=^fY7LGsTP
zl^*>;_H<~L(|Z)soun5KSlLcIyZ4CDxa=<3A=8z5;!D1!Sx>n7Xy%)f#ux47$>o-%
z`->&`>(OiTWgGu9Y?gyhubK3)NN2sg_X0X$MTQkHULakDVy(#tPyNIO<WoBmDfFmF
z%zhyb^=JlleVUE&meEo1A-jAjfL+W=3!k%PB@|y3d}gbP!ijezdKA>x?V2-DO_hs)
zxJ}Y8@1a4K`}XLS9Smc9!;8H0n#xaLT12&?46&xH<~oiHvA=6w2yonE!2On)w{C5m
z$*Qu9Ny}5Q5XuSlzwMf9FJhV0_qfyYBMX$OCcv8HA436hqdT|!_H*522|8bqY3+?^
zI8!@q4;kvX$0+i^!rJgKd_VE@vZrFdp<mI?iyn@v(4<p!5R+iPdo}k_ao3N3dAaJi
z3$N<z+v?=lXE)m!fz-_&VdPurOl*5CpE9IR^JY3?J-YiH$MBlx0V%JB7FFcL4UB*M
zK2uA|DE{S3VYAS=R_~X3g7)VQU*Zr2*Zog4!-6IdCxz;IS`37C1hE-{Hgx|u<UY%v
zxDo3Z<)>XSC*4sbwY~>Cy}r+s0@vjoxSO0_*Qk1Pqd(Dqve6=DhzOmHRGJGN6#Lku
zdR%3T%#KEjkd5%ag4HW@udQYKOs2c-#e`<VveoneaY-+h_v9GCpyyqVQ)kZpDj}|@
zXI5=64|HaI;(*bIE`;3YLaFgy&O#^0xk2kf3!5lE731Xzb^YvSt|AolJSP0%e$@9_
z#V?w6-G{Ru^c*c5z~y`U%f3(Lmo~eP@(N(!%@v<kH4%awvJxLbx{#xa?5R#RaX?hC
zQh0CETkJ@^4uNvuHJLj)g8Qn!?wI;he&hV(#!W#?bfwG<i9>QY=J9i8ySagzo)x6y
zb_FqY%z&0{qh!dB&+M}*IqQV<uPm_u%=6nNEXNUo0#Ey+qodP)-#g5*yNj`|C*R9r
zI>GZ7AKF&g>_6|79K_2XZURo)>Q23^+TXoA2@W-M6tl=A`}O3or1D2Us>UKnK-fEc
zPL(XSa%R@qgZ-GVuRuuWbyJJ%HzH;}Xj_8!xB};9z6B|Tp^=l37c?@1X+~B@WN=nb
zJKAh7f)k0D27F1njBgS-B^Y@I6BahwdXpvVPjx`!ZJ`qs<v`ZtvYVyP`d}c9AD>e9
z0p(`Hp5<+=eR6P*An#J37|y<T0=rU++Tc$oDo;GjV{Ia(W_f-m57dN^1$hr@_NDNi
z^7GRp(Aws5jMSIx2!P(po-0=ta-7@qv{{hwz0Td*@5AnD!cRw7=`XUS?VKOmU$%t_
z#Mt|Gd<Y*rAD;ETUc5IBpUNTJx_M!!k!9-hjT#xb<Sf#;X(fc{aW}FMe0mMN42fr5
z{f^~-(!aVnI3v1ZMk!}jV6lAKW1c574G8;=Er0+dN?GWBX_wqx((rv1Wmgy)F(-J%
z;kJeSEXB1s{Ex4j3@Y4p;KK!{Ghf(3I?{sL?EbWOnhrsB+OggqJlt=@)7HtE`84-C
zJk$!$dg0$v_7#n5>mq?<PyRqC1}Fk+dHS)Ug(yReApzeu$5p*$i95ib1fIJa+CL_U
zSc7pdR_-!>P=sl8+*H}VWe#U6Icwwh3``&EuQurU)(tQlvL03%`NJ+C{Olul3#K60
z(F@7y_|2!|@^a!!JS*JF@aRr^Ob^DDGYa&KGT1xe*oPA}7ksqc0KM6yK9ndnyVB3v
zsVp)D4|cj281IT4f@VC#!^;kCI`BVVw0%nXc{1+u#traZjla{%Lj)7A9^XtPd+_yD
z;@qE~Tl|gRwS`<;R9!HCop{S(ev7yc&rziDaXH58xfiSq`#8{`r=6J#!fNhkyC^W@
z%ra;sTDy0*Ns)c1rc$i4`f42rNNW?hhkV`Xe0qsa=i}r?KQaj|aNq>(q)h@(?+5Wt
zqxEiaG%xB|daivv-T=m)IhX3LO{7pX8qe?yAk%+ny||{*^?um>nkB^3uB8FX#os{y
zmEQr8>{6>RR|<WWpjlatNNgzgSyQr+`QJQy%cg6x!jMV{S&o?9vrKkS^PJ|1n*hUW
zojinubF~^_?5ojvxf3`c6U-@@tIDU;512u+%-_tzL^~m~$n*nw9tHv1E5BvRDs%VR
zrwGWS5Pnv{R8pfIG!df?9%9Hp>uS&l8A5^^{H0LOLZ}Ct_bMs1-h_cKy5-|bMwHtJ
zpWG~J5frVDX$wq0k~h`Fz)Mx<B4wLF<3zvYq?&fzD%9D#x_Rngyf{~OHsb_n`#i)+
z3PW4ehqpr=L6E11D-~GCzK_vUrLKlt=U9iAV4=upAE3pOWNj-@IAj5o6%5`P-TM@3
z@r)vwpcjLA9_o9+RrScwzUi!xk~di<L~ts;3{F2lOlcf($cc(klz>>$DXU_m*(Dl6
z_^9HjK;BxiVAZ6NLBOwQ0ETOO!5tIt=AWt@2|eP%8)K}kwx`r~-fm}sm$GJ0bq98p
zt=ouDvY$Ia$s?BDTfC$P?YGEomkPp+%5KLm3R$z5<WEax2FqFAA{|oJ<AihGBB?J|
z&IkG<JI|^-VgX)u_0*BX2XkLTb{EefrufL=6j8~07WH;UkyqZ^E#uD$&FaDL_2dLR
zT0f1jO`x)ut7&yp;BY}#pCoUD9b*k5gBTn!GwI@;T3MIMY^&O7h2p$Uq;JlPv`EY7
zF~5cZ0yDd-rbqVmopXLRYn8`Kq|Ru)D`UVcok_v7RY#4+Lx+zv_bZt}Y`<>7nnUC{
z`*Y?|{!UHhu}q4hq!?NMOln40<0ueW`#~k6;4RG^PZ(pQ1ET{$gsdIsUe0&c9_|#n
z9tK%1YtguU-S6X5M|`=SoVY40bkH8Ik1%{k@6WwAp7Rv_wS!{}gx+36g`T!a)fIh_
zv!L=yi<E;<f_n1pf^z%5{zAAn^gjRz&k+#yz<8fpF<!pVI*vIQJ~9A2c0zwP$Z?CY
zOPYA)#85#C{>a7{E$3Jqmm-f-pc;{EMUJ~ClRmvF<zl(!CSY&`xG&tk&R76^yEzKJ
z=i&L$V9-7F!si3d=P_-+MD>05EU?pmmZg61^#cTeCi7}e3~l`$0M*K22YImKVBf?8
zA$sHxpEn#+J%qsEPwlAe%3E$W)JUT@>R-2O=xN~<4xposjJO2kTo4p)Uo;h_xANj{
zFPlWY3_)>sNJOC@X5;g~j3-VbW}6a(&XGOC4v&HDr*Zv_==DGbdVzgZwlHxBQk%+C
zznKu?fzS)`Eq2F^=lwvKf6V5Z*lMT>BY9N*xu4URl6SO2vnK>jDPOU)lR+rx4b!oW
z%6wfAJ2liJ&ieW!-JYX2`PJbfPqy`WKygCa&IyHnP6)<_?f4I$q7rnPOl~{mh|ngq
z&^b~Y33zF;XF2P=w0c0yAI*Ovq7mnttAjvM;$ARw0MOR$R%B#qKOn0zBzuS+_rRiF
z|7aK{MK8GHn=2<RP3@?oNTyYON0+Hio_c3dPkctao_6v>1APa1W@>-u`S4_IEpwh3
zfeS7S!^r+5;=wqs-kSsKBlYA){i!js!tquzg^ht-)2oi9u-#Fp{^A{`s<Ch>bF^6f
zEWw(NO0~-}SOfy_zFX{#+xr1nUvE;U_pop_8Q9}Tj>%#0{v>mbm_k=f)=hU#IuCiE
zu>-ZQ7HL@JIFYN81MeMwN9-z1k&Mmc5P9zSb944%I1q1PVjFL;LkR^ggr9{3$V#=!
zv$ufg8>}Fz4^aRDB<Bxq==O!31p{E}*+;#zRZ)1)QJL_4czgdlOLpi(i0n$ss(++L
zI|_}KFp}?GDeH$N3{;+%a-VC~wsz|t9^<~s;Ox@%Y(>{LJcgAAZl@XY>A_NUU1QDA
z9zKit#uMl(F5#fT;jB)0NM=e>OW8MN$+iAzuKCyWMc92<{XJSeae)AXW4!y;7**wZ
z*x72|`{0Ibk?RrtpYem>ab82!<WT_6(}w#QL(bg6jKYV<P2UKepsAG2riIi-N+?&>
zOFC=+h%eQ^Lo~L`rZ2O_h;P`-Oiys<!-bwX7_f&$Bq+0kb9qm(w^&;6c}S|{8L%z_
z@WBaP)xkL)Q`#jd+OByPnSH8hZ<mxo_%!j2J^q!v@<*~iI*^XQ=y)E`euL7BZT-)#
zmKl!fQ@Apvw%OKhp9!*WrX9S`4#Q%0iX;cDrgwNoKRKirl?i}Sgr5U_8B=HTS)O)Y
zin0J{w7;fJQr??K@~rscjB?3>v55+KKwWmU>jl2I-{xBnBi?(<O{NM*B;%#z-PG4B
zvj_~H&eSV*m>}xxPjitP{UaW4|3qI&M9435bi8wieDb|TN~L=Ha`!9MwUn#voH|9Y
zlnnLZ+u~L4RO~s7H*5GZB$DL?G=XjW!A-2t{ATlhve$rK0#bbr*g@2bfr~@z;XU5|
zEmFDUEj>Q}%O1%)bBjp=7A7`IkYHC9q412Zb!#_;1_)iX?fgeS+W=;RYj>LO6ZU-U
z?H6GSNq9Js9tOPH`2kCA<7&t8?1BT**BySt6)=FjjR}_H8J#+ZvaNw?B;#A@km?D^
zKPx?VNfl7KA(7r8E+9|WjM+@j8MQ42kp)Cne_@vl{`#GC0wwJIdUMBvz~Raziom&^
zFrwbQ6T<rgov<kYBE2O<>Cf(14B2nDET8wS3dQwrTNO4=rDsmj07CvfP={MyER*sH
zi~6#xiolJI7qa~Fd-_ADsn7QBo9;zfTy79v`HU82b2`@M+-EVX?aLd1xPh70lh=T|
z_a*}f@kLIW1(fkB>N!lIWeBS6O#J&lnfAw&_6`&Com@(#_72sZ+#Zsr|JsZi#f;k4
zZs%0gF6wnKx|-F$Q#5O^QESZV!`2h8aaAWqislRc&6IRMtx6FnOYE8k?DL!Szz^@b
zYqZ0*hA7pkpM+V;E0lUj7aK=LzGhatk4-MSo7~|X*~?Ge#1QuHG}!$1&N8tMNPM}I
z91iD~B3~Q-jP`ows5-V2#`b+Af6nkZ?-re)5=?d{OUobIJOu)TB6`dmZoz<OK<HTi
zJ<-0!|03-zqvHCWeD4?*G`KV#+=A0+fI#B}cXx-zJ%IoT(zshf6A12ZK^u2>Xx!c9
z>EHb4S$AfwnOS$%?RU`Za}H<kQ?;wUpQ@vy{3|Qr@>?;?q9nG4^ioYnO#D%M+N?6*
z{eIXVkQUVW<~1OIGHeA#&8KBTfc30H*g}3TqH|H5cElgI@dW4=0mU`i3~luy6tBVY
zkpD&Ji2pK=_<x#E7$ZV=Yk9irZrukDqJ%_`b_at~Yky9!z!J8m$1(FsKT^@uZ+$Cr
zQ0ak@AIiu-&$P>0d1^i%ighl^v%Yj~#z++66F>b@THS%1=*m}^zFLzkzJurA5MG5<
zUZY@_UA66jGJ7W2u?1jWdYP1zJ|4!&k+NL$ZO*+#D4KQSiCf`q{N0woXXM&(u5v<|
z*wsxRmK4@MB_!66_)(LUmwAu$y|WH4?Mjij&gNJ1Oa*_*eK2Y0HV>+Fty??e<e6Mk
zv95wQUzu7r1#P9&5GZ(CjE*Uu>$ZFNy-2qEX4*u+id4_e6Gnb);_WYENI@&p_L}wH
z#pfSQxM(kC0d?)!A<q!T(DL~q3#~W_qufj4MSRO=%l46b&%b$(?_3W$F7211L%&;+
z3)+4y$ulLs*`RkLmkge_3hDp4K-{8B9efp7_gZii1X?(~Sq;$JAC(S_h}{VQtYp8;
z3y-<cS2KQ1mXzqOSeVr9u)U5mv%(8RGq{m78|d7GjJ4WDlcYi`pD|oHV%N94$b7ID
ze!3jcS8vY$ghO!>V!glM0+l4pvR?a$sf5=3q8$k(YPN?Eg`eiMGUa@*>-%EwnEVSl
zs>gSYzSMvK$b3!{Ph|Vor0%Ot6M^9HCmM!|hu<>fj?;R7r+?d%{jB@@HtH-8YpPhX
zV1%Kbm2|I6Z`6L?X`cqRU_D=7#z6jgaqMMxh{NdjY@vV%OG63dFl4_2@a#{gdl&M|
zcpSkWm(o=$jb-l~O;e|$?b7YvEUdlc9GPZCnSMQVl+wQ_B7mXt=<pd({Bi;dU10PR
zo3|nH6gf8pkm{Q_$p>37FkWbUU2N?&eW7S<vln3kF=xfv=`bN82}cC%tZ#igw_enN
zeie0nL*@<Ik{KiUGk98S-c`5h?r!ECzu^_SHA}(?d&$FjobspMgIvzvxgf1su3m<o
z&;r8mBBGt#$L?&u^tRiIVa(oPbUI9>3I)+51KHlz_26UY1<EK7naNrF%ShFh592gt
zTAVOKp6+-sw?TmzyKmJnvW2989$p%ha)^^3w<R<>*l%!E-~5?m%aG>x(5XlM>tZku
z3T2InYXzo+mw1Gwdm~cw45F7rGP|T1HR*t;y=_(t<}Wisdt5WTCN^APc;0=$qLN_g
zxh0A~If?E0MTZpKnQgn}Wvfh;;5@*6|E6RbAURpQ3>w<Qm=#BUPuy*zito#f|ElnZ
z_KGtRzLo5`E+pD^sN#|Is19x4q@CWMOd)(rkhjS5FBT7I%x|P)vz&tWHRs^zqT&u?
z?-z_kO3=inwd(_8<+FY4V9O`DblP|-{-&RCN1UdUx~^Z-J21G3{$FVkP685ylqz9_
z!0@>m!UkPlJxFOfPouOSqjv=PC>!D3bdn48C_6Qf-5syWRN-Yb4*T;ey!lly;f39?
zpJG8y92#5iJLuB;diu4}NrvrfPY8iMkk6VF^XotY8lOCU{hh?>Vu)lmr9L7{v-ZH3
zvC_PNX5g;mY>*aY9E<0(U>_6k_jUU~%W8+aHXA!?K;(YgF48$WS*g5knJ-7lK7fa4
ztafmfB4%(#bNmf8Wtv_Qh;{!k^GmFczH$~xaSg4i0W4_MC8b^e-K)0Ob-*d?VH&X;
z*V?ZQ!l-7V-1Z%ZDd){OS<|oUg{PTvCmlv#4~L(xa@2L?%@mIc73yYJVsXt@we-N&
z^~LJ1bSs{yQ^o<GLQU`yX{VVIJq8{;+TVO9pT&$?tc{1f`mhDsHN{>if$$Wf8ryZI
z*rGa#Nq?XW51gYQ>UFXDwq$ywRme)M{#}aSurV{2F(Zy$^YK6PIlgIco_g!3pIkJA
z!q>F;NKB&U$>9h?K7wGk+sz}_f*G_2e($RJ8#=FXEr1_P@56!Nr_LJ!bfUfnsv<CE
zX9L(qW1l;T<b?aBl2n<p4#=U{j1#pToS`|@RQ`^qlhx$kq%wYO*Njz1+m7!e%rwHs
zGBR9mOz3r8o5#12xreh6_<~{N@Sv|lOv3^aLNpBkydf&>)Hy<VcO2Ew-JEv0-kA2m
zv<jhycq))wOSBQqxCo*i;j*O2`<lE_?BDy#SgBl@!}(zEp-n9^5{(>oZmgc_h%NEw
z6|{{8c$P54DexthR;nBy$m|Y%WGZ=mPPQvxALOWP?w{tK@q1@xRXf2`Qmp`eW*_-!
z8wJBmp+6lS#JLVS@36+gq%GZ%MZjC34Gi_3|2RfV(*L}`PfJbTN=R}q5k*;1gqj@5
zx?=G1w|^`m6TWcLjqjSYuVXj^7_1(j1R-QxMM>n;A5cT*`<)6^RDCJMy8^-W)G(72
zgaE5oQa)rFa#5|o6RY6t0g;uR^VW3EO8a665;WgRZPzEjW#T$?x13Gd{<`d_5qFtF
zRNQ2*+CTIOZ&vQ!Bxeq-^t{k~&yZihj@~$jVjwKh+*vL!Pgs_l9gY%+Hq0+hKl$Pi
zJonqj+gD4yZ&Qo0V)5-(wc7_ZTu<+|Y7X#v-Q4mUyab#q_{%`HqZLCQ**0;1J#^}G
z0|qY?<o9rNj+GZBXIG%m#N3N>)2t_FawfVTCd494P7s%EV0hOq+KHfk2T#VPyQ=Ed
zKU%5kFcqDiP})y}6xtR7JXs1N+3D@6T|vCjZ~I`PhM#qyL<Rq9j3F0Rdx&Z)v`eN4
z-5!hM+i-*PJv(Q%Dxb5&d=`C!zP-~M>Hf@Bk_h4{85_Y|qF-p+1z<8Emst`hq8`$O
zMdg>zEyS`x$xKewr_TK6>sUbqT`;s{1K}S7u(0>XLUlet;(&6N(p$uzUJq2)Qxkut
z(}}iqCCL{oF8_gXWv0P(Ne5Vo7@KwEuJ7zyHFex616BR<?vei6!b^^+tl^=%yiBJ7
zZpaWqh{R>p>~hv(Uo7V%-xbVqpr%8=zrDPCoW&kq(mZhsM5V9~y1r%_!2VcP`4~XQ
zw8Syw3Mw%3@+1jWLBMPE)}M2w#+F!*@IpsN?KjaE8@d5HZ{5vPy1)Hb8?FrHJZUN(
z;fSsjq58#Mw*kfWUb+SjnNX9sSLx7j9R^#L(TVNC9a!5M0+3_uTiBxr#PGePcv;s;
zw%r+zQ$G-V*Fo|_2Nc=>YVaN8gk=4tg@enM8Y!Al61trCc&?Rl>keWH8IIp&Px3?C
z^b#=w43&BuIY6$$*p5voJ&Z%rd~&}%kHmGS9SJg*!v$Qr=;)kK`l+}v2Nab~jFKWN
z+Zfeym)vG_+am|;xxLL@6RtXCndHdvXt2j^E5AO^fXRp5zaAPa!tS84@2{vYpWHsC
zs<!n*PDJ@wM7|f{AxN;xmvUz76kVyl!T*x@;YVm0JuLeez9(5UQ0OOz_LN0E4;1w<
z-?O6^WlMDKI4rnjo8~7~;0*>4gjPd4^t@@)UADzl`3rw^Qf5$|a6bNTroIL6hJX~>
z%1ayl4U2KEYLR|fH}#KpNNIt`-VH=xImhd-ZHsh+<5RRVYglxR_u}zg>@*S<fj(=d
z^#QS!nkpdZ8#fJ8f23=w;YA??dqnK1ylUz<T90zf4pd2h;+)F-Twiy9rJ=k`OB3fR
zJ|U&SRezS(4^uQAK=0^M<S=)PRm4~E**^LcPXpQ`*Z*WFcjh7AU=B$*Dd7agJUwHu
z$7ex#id?dn6;blZX<?R3XRc}GSmEMOG#_l^T&-voXk3@lpR2IA4XH<Ui-6xKr_Qe$
z;=Yv16?0%aW3La2NFr?1xY-*hFj7VjdMq-GJ+DP*hRglK|JOe3gD1-W9#{L%BfcwO
zg#10RX#6)6fbbs_z!Z4h`}cz<(!ZksF;8u-fw7p)U+GWOK<~J5Y#qbrbR^1U_G0P7
z)s&q3ANj05Ctfd1P*0e=K7Yv($+#3u!iD^_^_05u!;;u?IrTrH08j)9(6w|%;Vkj2
zE>?fmoYN+;2c%yVGpp0OFq3(t7DRETXoyE18&Is86f@aE9L|3c{RluNV0ZtEV5ma=
zfpVXzkC9<#C13YnD8Pl2j)QScJ(WNnbMjCHQPfy;&%9k-&`iX>K*`>=3-P{&#4`mS
zd2x-ZmYEg6I?o${IGI%IBCvpsSf7`O+P;^m{|yxYHLUIfaNN*7a%cSqAb{z)+AsyW
zlkF@=dfdL5{`)eP`mHM<Zb(HTJ&vZ!mdu{Jp<PjAk*A=az;$o|dDo*MS~46E0_=Yj
zHawH}mnyuA$A9Mb4ZqX3@7QW4%J5dQUVr}b_X86wjt8`dGWJkO@<17E4tXt?9XTmR
z%V%6PT5c=3>dk+qybm2z`GGYyIh+iw$h!LCU53f!+4M6|BAhVOm-Fr*=hnG-5u28>
zsQ*6qk~tRoa{+A{&mlH|0#t5DOgE2ZAFL1slv{#Cx%>W=dgRJl|1Y3`mybLMb(`e>
zs+Hh>3<$p<LfjI)x_|to4(`rS>;sF<mH;0ga@*~Y(?tYA0B2?1kl#>_Fop1lii)x?
zdYhZSVK-{UpbWU7)^BuUD*nv)PYEhIea%YDa}0JYWh_UmSgi6tLOf<H%Sye=>r%s(
zw_1p_D|P|+pWcM51&?8&{~Xe1L@pdy2!-v>l%eNSkdqS-m?2bt^N5EqzwZw+l)MO$
zo`Hb@6EiL&ZT{w;)`i+Mlw4fWXC=8Q&{%O*)B(h4BiLxo6bgZRn5t}P(f_Xa??!R%
zZpn;mg(H4e756EVD+DsDKt+px^NAr!T<PR}uxX5Rt9w;AdkUDIo|zDGJ>iDDPq0Eb
zkonLXY>lW#RsZ(DRG?fmg>Ax^Vev1)KVc^}fyXu1rJu?4U%$A>s#)EVaa4dOxb=O&
zh!2lJ{L@ThX5)jg^XC_7SpOmmauLOI>aK|3og`FNBW^w$dUo+oscMQk$O*zT{7)b+
zg8lzf9D{MxZVnjJguccOKTz}!4et7aS}sdYUMU6s%GDio>dKSjc=+>E0)vE}&>k`v
z_f<iq{lFn)3th6XfJ!tT$ZXH|K`ia*t9{zg<NPg&^bn#U8tA&g<oQSKx69Z1N8^kP
z*+n{@v#;meOUkDVIC^ZnHWFOSYf~PGp(4EIF}4@d*PoYFhOAU9Cz5uPWxs73OvQu@
zfC|LNwXl=KPj_#D5XHyflRp!f*z*Ic?GLkedA7uANU>|LnH`F+_V}Bqc(5=!o^_X)
zFWP!LpLHnme`&JC{>mo^zz%BzNn&H!>8`DOH$i_$FHh?}F)9ju*5!T3CKbAz`q77Y
zfLPKN^{L|3C#Lz|ObZ4sGM{_eB`LfA@s<ruHkip9BlZ2wsKwZwXBz>C8sl1-HNtX&
zyG7JtvRY@E?(mZKaB%U|)T&R0)dBI+dMg69dSlaOeEu+r7{$Wtu%yz<NYkFCIXMyr
z$Ed{WMUkB}y)V1Zu^eD-l~P8+#}7^#=xtHj534drH=`MF6WKKA@*=KOo8SDHPj7oA
z<5XcNv;Tl<sZN%)RItHu@w*AND0itb`d`HK;wp#=6MVL~1ef*h&ar`Eem&;qyBtP7
zxbS}T<hNs>Xp#|i+EBm06zRAXb07w-LgRLQYqhkikxC<_4rW`|nUmQY+0N}#*PN}X
zNR^C+Uzn{XEU(Y|Y8f4_Gw{z#Vus=|DsL`GE}3ynl{*hGg;kc7gMg~J_1XtlHK^U4
zaUWpd$VsfpJ8B}SP9p-ZuFoa4=ciJX-<AQF*;b}g0d-rhsckIw;d`fEE;a7$&&j^H
zPestz(?nA{3?r$>6yNz=xjqKb^r{BaU%ZQ?VH1c7%?<gqB0MdLZN$i|juEq^MbXPR
zmdlk3P7BMCPRmYm?c2&<41VAF9;%+xL!|%X@x|u}Z^2qk{=d)=M@4fcl8pn18P^ae
zNi1zT?O-(UiS;_gTAGE1RxQ-0<>32>cEascHlB$FWEya3d7~J~+V^oPr&o1o;)?l3
z;?m-#xfrEtpnbv{OVr6Obi|jvvtjMs(1UAxF9Pjxxuiby7v?Rhm{VkRyAX&6K0(`C
zBtu%xD*H!K8?XQHNs3hTn{mbi#~-C_8#!RT;BM-170w5<hvB}R$P4;3D^|Qn4T^}B
zvfXciD_37f+tdc0UoLw7Q5S0p?dF2z4-^{jG`e`S`+>Dm&1kNP^0|SRk||+>j$RGr
z$XUZe^rHL8Q15(SYiKl}KqtV4=d4@xd>++FS?obdiS40o&#05gejH6AuYg}E2m@>Z
znV!^luv*=HV7}>ZmGdg9R^oOLj2w)mkq$4mCPud)UDDH+vE+m8+_8+dfJ_C0p<y5T
z_&`AvIiI`!ly^`pZ2Zu^Ccxu_t%$iGD_~Y|1aQfyB02~He&k1MimMo3)lsg09a2FN
zarVwv2v0B+P)G7D(xWPBBza3Fv|13Hn6_!XoIEP9Ye>r*yUQ((ZHoVT5(IfevTmzS
zggGS*B=<3!OgDG2V-T({0~}SUci8ID&5|kG<-vlc&u@Oo-B6^_>=xZuUnVM4@CrvF
ziF{MRCJIj-j7>vyb`=mCF2jk<Y4lc<?0)h5_F9L8f!Bx_KQ^QBfD;t5<=U+7kr^z;
zDukp=ptZ{oLM^F&BqnO0ilj^^FV=xCq6GS9HcGAR6kk8wPh)pE3-$t@9Wa9R6<ptQ
zjn&JbBc(&J!g0~K8i(lIPlm^kQ4Jq(u6~LW@*=IR9eno|4jD5iRf@)7S)-dfNw8L>
z1TuFq^XD8qI~^}|LhDC_S6qjO=c>5R56nGg`pmBn2EDI<R@)C1b9$Cr@8cu!jJO(L
zN|heMKMsp4GGhd&sp&a;_#GvXb&z#FM#!U2qJBazc=yNs*E>~oH*wpqlV5&{%Y4y8
zMK|Y9Mg@5H`i<N_6&5x%Ha1Q*){Wkeor^9R7#Lg@sm|oD6#DFIk>{_Q->~*MaUW*2
zY0I6<sWxY@>*R5dMjC7pFO^JtW*&Z6=7uOM5kULK`mN!C+})1#?b_e0Pfn8p{F)n#
zEFjmXuHkMUxcbJpVCJ|Ad>OmZi+|e+kN##?hn*T-nq@qPP<SWbDccE7-g~?spt911
zU|2<GNGT!FfY4caC1WzgHQh7X)B0%zylq~1^A0gOiTvV{+1iK5DSqb>4Li-K>Qzsr
zjV}f0gtJP7O7)uZbO!M(Q({jWSO@`0JGh5G>#dn&aDqMhHigyttShUy=5IVMqcnS%
zVbT0yiNqy~Gq|-_a#YMP6}iAT*$;EhTgvmeNLHcIy!63Uu=*V@qQFnlfnCu)4<<0W
z@Ee%=iAyK!%Inm*PgH~%m*Tm*{mZ2pny@lhp>D&H^*g{}mU2gvg!UYI$ouC&APT^N
zcDBUg)l`T^LHOPxBEtY&{<#LE_<bv$z3+XBeLX=Eys%$dkCXI-#5~EoQhrr676NFf
z9Tkutf>*IN439Bxu5nKxXNW`c$#=QZ4vL9kB!{aW0p9mdJ0yGNkp_?-rse{{fT)5&
z0MJYU$totkkFqwS3M(8QctGM$M$G2AQ5=ijo&PG<3|Bj*hx5}gKFho^6Q_s40f=4X
z%#Jo#L8@}_w1Q`|mpBLz#Yze*ountw1fH>1XD)ixH=qjZ5cWNk*Y|sn;)Ud=DrG`R
zM3MX4qcy#B^<lk{9;_~`h$d+UaE1Y0bq6zjfDJ4=kvCeGfn)%{@SFnw#05J&3A-#P
z`yiXI#FYvF?mrx5^)rdsv4IuvhN*yN=Hgj77;)TvPWWCG?g<9-<|L+-Yw&hIVX$kk
z2P+r(jjIQj1sWLHCdx_8Ij<MS1WY#vk|w{?y=8r56s~p`qgc|kp<FPFj?N|V3mNoU
zO_OTPDF5=_q6;dt&TY>AioeaN3tO%*N2@QlbDT7Aoh~SEbpTb3^LHwo5u9-_cp8nJ
zyG%z>2FO1XfRe<*iB}b3qk(4?un_^<F>&zPcm{%K1WY8-W=E1>!Z#vs-^Lgv-knHG
zi99*R6DiwYuQv_%-%yQ}DA1DC1b6pZl}2$-2#Ynv^Qt9^D<N;OSf;3_!nHpnA7$*c
z1>LhY&F&^$na^_~?h6M?dP(ql%6CAC`4nZld`%eRo&#lBjAT!EuS=w`bme_fkmP&m
z!yC-(-xTthQ1Qw&%lgSM&wQg5U&fLmlgU1k3CFW%-;?m&r2@JJs{AYBjZdpA76L*W
zEauWeM=9)<w<K17hO7!PZ|ThBxM4P;TQ~W>YBMtsEr^HTg)$VT{SF9u_q533yEmz0
z15Yt8JmA#X5}4-%iN5SK-7r{ja=0oyaMm-UIvR9S+j%8gQ}dFJ&0x$#_{qqju-oXa
z^fSh%Fl7{0@nOOeb1-u1@Z4U7aT1(C7<B61|KivVBFpqR=yFBr`f!uAA-3~7lR+a=
zx)Gf5_J|31wi)cFSo3b$u5joy&ajkQb5M0Np05y9xZ4HxZ>s>ghs2hhaNEExX`R1T
zy$}>I;-`Ol8IJ7NzYFUXTaLm?A1)q?r0<=J7td4M79cD><2JhN7&PCyITgXYxnsZI
z4TuU|(Ml4WAY-{!!EK*2sgyy9rKJZ!Fg%4#T3hFj=JzVxgiS1pNvtXdU3h?`7D7hL
zxtRi9iv<R*ExFA~eVqAssI6@!Z^f1h3{=`5V2>?(K6YE@NCo*~i3oGmKvp>vbtr2#
zVcxZ-eZpRKn!+mJy0K)tf8s{77Rl2cJs=HS<C5FD@%K#J`?fyfNuRaB6|WFPX@?FU
z=<cf;HlKr=AFFad&y@ZML^+qq*}d4lX`7+U7a;Vt{~*FQ3VjxMO7#&A6|+9*q6EB+
zoX>`fm5uo*$c5=p!wM`1!3s3(=AD?4jXhc-mwT657Xx>#%{uX$$(J*%{m;$6DSYRv
zE769DVPLjPb(3WA(m%Fc=`~?^cMb}KTLUj(<WWD~HK~8NqP1xic5ZH8_dPdOTb#2=
z`t1{-?VIVyG-6#2Xi%2o4xG<BY!z$B*OeWISfG$jRlsui4$o8r9+EG7QaNsa{W?8M
z7Q(Z$%nz^7mlhyMCJzU+H;w1x-h*?!+~Q|y#bD+zT9D9|wef-UxeJJJ3om4Tn_^5T
zZS}eVu)RKYeM;FvG+r2%!9Gaxet;d%vnW4pj7y4Tw?B4m**k0Y@VCK<{|)~=WL@X6
z(SFNJmg`fV)k#`EenXg3z{ZSPdw#gu^&WR>q?Cu*oPiQitl8VvWb<nv3Dg3jsU68G
zA(^y5T631^Cg*R7D;cA<G-8(50p3{Ja0?pnG@MQMsS_r_-1dQ{(w>(!7uaE>7R)B{
zozJK-!nFJ_$1q~xO%{nZu$89kHKHjLXq=y8Alo9}rns5-M#?KuPHw_DcMW<}_@)_X
zMWbmVaNG-v@;t2ANm=OnI71K!p;H4y_4U4&f-tS>g5ZOf)~EU^>vQ_z^)oWpkr!U8
z63(t$0$CprJx#_2aHJqXRH%I40Z8IF_Bg<|K~%F;VEi}Y<>DKRs6ocTy(&0w+L2?S
zRH#9iG$3)DH)IF~|9=?JS)2g>9D#m|#C|gp=HhH8`j&ZqOh+wr>xX*>HEIwJ9efi}
z@QQ(Si^Mn^gPqS28NE~1^5;!{fU;9-AWrGq`%*aKO6Vml2Tq}C&YN2Bw-GpXV>;?z
zg0-BW4aRh55&fe9Iiz-41b=JV@G>_OWThR~)qy|U$VA#M-i1OE+ch>miN_jchf<+R
z_?XuMXafX1VLoE5b22o-QsCS{&aTQPxm2^nB;b`s3=YTmjqk;2AZ1T$omOW<(VO8Q
zT({*&C25>DChA;zkPM*XcMC{<_~jsHD&QWAIW?f`wKn9|VkbUQ1?QVf%pCZ=BL$0i
zJMz2+`>Gkl|9vYyICp7pc<HuxW$)8v>H@Lgde{8JD}ezaPJA&Pahz`n=FR`yYRgyu
z_qX&v&4H^Xq%*mLSnWDm(&SrM$!jZ=&PS8TvRzu#>u4J`MJ#?BgCdB8^;5E?@l((j
zUl~YerlY{yr4yd9(5d;LF&}S?q{erRB%cO;6rm;vu9afbp}rsA394#FdYNW;Y?5|G
zH-O45^JhF_xoP^BU}v-b_G$@6VRAbze^6h~6p76_qW3@>@mc3WmmMvJrz|>?ZQ8DL
zXNjQJ+fKFlR~MttAK4*9d8xi2h@#Sl#+!E}V-}-(pESSX0q4A(9r}XryHF+QfX)d5
zYsDCdI$xJw6i*HQ#Rl*9Q%VOcSJWMywl(&2+9^mNsTXWKElKoA@N(P&yNK7zq7JRL
zX;R+3x}eT;1M3Fh_m3gy-XQ^>=BxSsY=6LP+X#;MbfgV(*g0?4*$INyBX!>0RPccm
z&S_OPCQe@2+F|3&N;uHoy2$&=+qA|KZfw?3jmsSh%MN^=Lz^Kbtz#=rqAi<!31YJt
zP<;Pj>OfvS4i1s_S!2gE&K>(&Ohfr-Jo*Mjq*o6f+E#{r#0#{2%F61ppxm%Y^uiG+
zWectv4Rh|o29@GL><wplM*0oY-9ODkFL!gdzg}BE@J>?b5`C4yq0kMuZe*<=1m{|S
zVQhh>dT&fB`@Dec`t_fs1Tn7b{x*!Eiw#u#;QwRdbEHC6+{Bz?^_ljBs7b{t37SQY
zIUT3XymWG9H^I$Sx~ysdA$sLp?A9S4ckX8GokzN@^d;|I&Ot;E@Lf>Z;%lo?bn2<l
zcMcgc_FfS%q!q=(Dz+@ZMuN{8J!i#-^?Cg{<FplENv5PBozs(jZ!fa)=(aT}B#MF*
z24y4a8#BQDUK2~Fts31(lg7v9ARkM{+l09C+Wmnj@idsY+E(v*F<)KC3e<z}yxRKW
zt%Em>2D{hDsUUe5RSC%GQ~UzwzTh71u9i>2fpEU}1FE#w-2Ret4dlHgq!AEbCxt_w
z?JEt5#jB20LEdD%VCX-kA8`3R@RQNiP5s-bmMqy!suwV*XF#vi;Y1+=psboV;T4N;
ztNNP>Cc9xBJV0bKvVeG^VK!aOS-T|o@7a@49b6KTkpcRzSEJ6NfKj=ARooACw;478
zjR2Z7g$|8`#8`n2*4|jEi~*ZQ27PVaPns%l{cmkCTqQk*ib}Ne+ns)YeroHXXp!w!
z^nT4Soqs&~Wnb|(g6g=nvX^n-+<jkSI^W9Rs@>;K7_IVmCKrs&XX{UZGYviP&K;OG
zJvN6UOvWTR=(+P8{Jr+T%344X))HH}MUf@>rd1-km11ZhdzMf<#h%L$5-+=F=2X3)
zCz~p>z+>+a{L*Vcwzj%Lewh|EwJ#$MVRa=M|D$RC;JN9=A9V7!TI*y8!xQBlMMjr}
zB9tn?%NR#XG32V#zr~EDkrJCWSoS&poo)1^P>}J62pz0_p4D6fOBV(9fd~)#eyx<a
zL|r&5p?kCN#0TFj_ban-nYFll1IkN{T#9r{{a>|cP;HS6`~8^_=Y0+w>qGJ?#vXN?
z5vx4;U|qI?R*VAW(C*LYOqaB?JJS?40qyujyrl+O{$r#XES)?ePKA8vK_LjsV{*f+
z!)*8s(omCg44$VNNq?K5AuIEStsAR8+%-n6wD4kea~+XM@}}0*_v<LL#eK9=E~vz7
zJ(Et%#Rywn>VVgeg4@;q`bpv85D9M+q`obc&*)_u-@|nIv9KO`+-2b)Dy38}G~7+#
z2|^!f@RLdG-hs!xxFfxgICSO7e1-i$-7>BEJP1_#dMy)%4y+y&_mJv}Xtqz2e#tiS
zQxn&9d~$e=Lf0cJkP+j!#|6JD`#7qUmTt+>@cB+d#>YmvybH;RP3k0<d1mbj<@luc
z&TX=h7%~+0B<9W9@>bVK%PX^KwNxyGUjEcmzv<!%tMY@*T*l?&B=Vin#C<UQh7*5_
zkAwr}whtJCOD{{$GxBf!CCB)aW3BA{!o>9}7_%i%^rI<8w*@3vBSFLYB0aqMG0~@1
zip=9Tdg(mQyf!4?K=&6oo2+ziPy3~7GWARO_Dh3+<(wgq6Z+AfLp@n8EVyFbvZY>c
zN;7Gn%-15AkNq9nB)#~(HeY6A{iIds8b5)TUCr0ML+ve@{obj`{H^>cQCo+7yR*NY
zS`~oFebR;!Gv@DY00WTROyTGP4XlHxf@&pNrZ=S6kK>W5L3XmdIKueB@969~YJ+%n
z-Pu9k?$mSfMh=p^HZl?vF+VJZ8|*+)FZY1zdT3ctOMyg9enbMSRCv{_5k1<Y2@dD$
zp+m^O)^lkpKZ}V%QR=_c3t&T-{fRR83XARg6LvUs_5D<c`j<ZFG7Ixya_n6Uj&-Ke
zTAA$G;<S7LDnWETrafaKa>=!IfA+oe*QKtnlN|ZX)U-A@roZT5e-Nvi??GZ*y*d}Y
ztmgCUs)4F`Q<s|G%um`v!RKq8=I7F(q=*Ib1SHpVz0m5~?zf%TP>qskfB=~p7@#Kp
z@Y$Zc;FQCA)sa+OK-apAO-r7^|L6-Pg>6_<TqTg#g4T7z{oTSNBpy!iSlKcEV(&2g
zB<eIw&stDi|IZA&-Nm&&$ceT_>alDGmM_}<)Ig=(>jfOPq*)U6^6D&8b^-9vrdo?X
zP(8dqKMn9<M%D7h!Qp>v_VK^pVR?LN+Rdg@xFYxvM71ah<_WKgShD66bWoJ2WKqod
zB&3%qeBfwjj3Mv6sfc^S?cW3LGI$vu>3mU(rWskJ5Lu+^b2z*w?UYG{>KcqNu$`Ch
zrKiN1)uXZ+8#mSScWonQ9p09b*1g%`Tgv$&<_TL=Y`g8pJQU@g*I?HFE|Nna0K#=b
z!)X#U`*38Ny5oRJBYxwxSU6j5*%B~*)lb$MZa#~xCB@+*f4+LO9|9^<6SmanJTLV?
zisa6A;x$eirXuo2`OqQaJChl{%=eYEZo)@HZq`pjr77U|5D-3%7WeC|Yj9+;S)<gd
z3z&zC>3oW~rD6d;Lp2D_qNz~FxLV9^zL)o0z1tr}{`*v`K!1GmPwCT#72KZ`?s-Mr
zrdk8mT<`_b$cvjbYFR4>v_IG0DWn{8iTs5zLJ|_cZ<DtEDxSMjPKFmo?+%!-mU$Gt
zoNyzRK%C1l{imagu|s~riQrK!il4^2I%=Q&H{vN|i`?K12<779rKr)5U!|-+c2a)^
z@JhGsULjdsvM55*9aa8L)SDgUt@v&BY|d&hCujiqRFNBpgALR5UVVdVS?y@~5^D|Y
z)bZ|=x)!ASonB7&lwj?7{H{NfZtJI0O%KVq``~8>wl-}19JRT_8&&4W`%~E}rVP0s
zx;gx{Y8Q-{zrC}Mc0!6^h33NVGf^)4Z{Fp8;72Sc#KwH^&40B4SK?!8+{<PSy*I0)
z{7FKyD5e_)zxkdWO*P1dcnCw~GEUAl*!1zV=YdyxFC(q33R}oudZB0TA>OalGJfFJ
zgcy5M45rfkT)J|wEG+S=5B;y&JF)B^CR$#U<d&`eAynq5*O7pRWIHSPhtPC==WFW@
zR1kV*Q;i;VhBHl>$LA@=!u!-e3xqp#ERy;%he2%%C@?UCA9+BUG*0lICJM!y<*AK=
zxBVQmD|yC~rFT)a%e+gPKZETk*pOzl6wbK_%0PF`&d$JbFbXNDzH`EO{i63_8Upru
z5v>xC>qv_eNcLLeh0+<MDf8v^g0(`^(2wF*Rvmskz|g4@z@q;2q_<LAVuw!k{1Uym
zQGQ|hGS86p+GA4%&CNTrS?U(Nb?dQ~-RXB$Y<0#s-)v~$n<*ZdaD(|T=pygMk6O|;
ziH%~&OMha<Nd1+X{Qa_IdPM)Ac!qG@5xr%lD7<Zn&f%nJm%8=mL(r1L+wq-3u|{{8
zW6Ou)87{1GyA|=4ybrRcJ`o^0j*<MD=naEU=M%?hP{*pzOE^tYAARF@8&qC6rg8AY
zE$!#2HAVz-lDeJJqNzc=*yj%9>yA1&O^O{zt|l!uY0~X?-wRMheHKs*QF;zpa2?5A
zI9rE;J}52<f#0B8G9?u@Veh3v3r16$j*N71J~|;;c>5utnX!9Jqc_4gWm3&VR`&h|
zCmE`V-^M&Typ`TBY%5I@4McOPGeqS-b--V|bA_%7BCeLQE;*~r<=0^@c9tpo=b0lk
z=#pi-+kVjZ-6ZS_eS$Ci)vM*V9>`lZ>7NLBhCoebKa(;Wy#pM2O7ImX_*dw^Iw6_h
zPqUovPfVgur(bo4uZ}^9Dkwi#L6Y=9>K?F_AaR_$ACbxMmM&*yC;OTCzitEyTXDlK
zisJQk|Bqp&42F^1xYOFuhmJ+ev_$jHFzfmY2o>t}n<{09pYmRu;bnE*BvPQ3kN?Y1
zJ-s*&{hy9iwlhxDD>)kbdNdRhCx)#vu0PNr5@N`Dx3wiMW@+CeTcTwVQD?|n9)MLF
zE_p&Fb~mxNW^>gSd)%PEBYiBxAuJWpGQgp>60#If&+H?c;mwoLGbW_)S){W%?T)n>
zFDTimQ+FkTFAnO#VfPp?*}2F9!8>x-aYj<~XOULubO(mYL@t(S{h38;%g%GrZ)!XL
z;0fdXc*wk+WeHv_p7BWo>PT?0f&Z$IX=ZNN`g5fvE8~3Yvr4HQBRbvSFhI>SlOB`<
zo|V0jE$PS9nsBb>_~^P4B#Qehp9jV9sOj`)!HAS=oqqoAdCB~R_IHGLb^{h(OIKr@
zekpM3CY*4Vgh=W1GC?kf{`7I?^i>!gLqA{2&z5X>MQ$saZf|!cM~aeMBH_KEHcLqa
zZ;%ZN1;9V9VqLJe4f+#}W7)Hz6^UZ3qycU&f`6cac`7C2<{RX2_gyFfWCp!@+v3ON
zNo<Y$s#o6qlXdIl6DJf7jnZ3xc04-0|Bz=zO(wY~bYrPDG0M9USW<H!d^(YFtRqxe
zdTx&Jn}V4~zsvN8Vt2QJ>)gH@Q8Fa)548W=EX0QraI^b<5+Y&oP3Nly<e<zZ-t0YY
zdl+Sa^<xSZYDZ*;p{dx=cfjp!6d8X)CJG9Q%Vs};eybnJ<KyEPYFH;O;-f}rxl$fD
zD|tYBg?s-)gtr9DW7(zI8t^DsYS0u~q*W$O+2HceA5IWhKA+I~{&+NZpRVp5%Mb}T
zX-Dawl$4Y#H2Jsh$qy*6aPE84c$FdmPAjbrEHZq&$8dQW8JR)#^00%h-sLnx;5=HK
znl>65+K*H$Ax@<tKuHh}N;CsCH8rP!iF=Gj<ODki%MSV;@!_H_E=|(}lIlQtOE&!j
z{u#6TwkUX3o;wLhY6>8Uz0XGtiqR=gE)L2d1d`sL+gl^D4GP~Lc}lE`h8Ro)G6~*@
z_kNmHmcHucbO3K`>#My-4ERx=T|Ary23AJh0*MR|PR5+(fZ-}3RzxWs;2oI7G4bwS
zqqewbCYV9HBZ!-;V4-{O$}{}*Ph8ULR*X2*KW=GD*i{bl+<1xc<UU~Y5N$xQuZKtz
zxePJ^xt>GccvGUC!STt+(o3AIgpFA3K3!!!PPfPRqzheXqeMlpXoVFA(}&O%MV$8U
zk$YVZk$Xk0U)mEb|3o|imcxCq+@K`5|IpG+DlFpn6w2w*eHFa;mZ+cXv@>eq^kXU|
zqO!fjNjU{ps|D99s#`sE(6}))NxXE>Z{YhDb@VnteWm~u;PBh{+K}L=Fj%|FJ^%8s
zI;Cxcjn&7FD4;X83XemD)le-mnJFoTxTLwF5H-Tc(^zNPgH^AAd_c>wGn`<dJdVZ=
z5vr(|bGWW6hEK`YnPS4o^iBw2`{}Xrr&o6A<w>SXMM%BAzh4|TuYY{Pg+$GsaCNUo
zd7W?1P3z<j)m)dZf7GGFIw<%yf{SuF+tffT$&(dBG6)26U8`K(%pE%VNsLhF#ALz6
z_pM1_ME%%BFs+Dz6XWHp8-9k~fpm}6Sb){VB_1DGUqc)B`c84Xw0;I7VvNdb3$T~A
zpl}Qsj&Mp|%`a=VAdgITHO=u)tc2AMx^xTj`jN<jnG3Gee;J=5@2^%1eBP?Ts<hbF
zLpm+nZuxroeEz%MM8a0E^#nh_^ZA_kRtU0v5}m#6Md&GZUF<%YFenS;$^ZsrRKdU;
z{j!lGjn}3mvRv_qE%@qJ5zIVK`eD;Jc-^#pRO^${ljB4a=>#>*XtQS|_;z=|3ErKk
zyKuk-3*p!_T`Q|%n*KBB!mJ}Qd=OjJ<2HM<&w5#Z%}}Hw?!rDB^?1JWX)_weztYeT
zG@=avnF4P86u!5Q_)~g5dt})ZPY&t;&p2VqJlQ?ju~a&cA}oOF9F#UVT9OozO<ko3
zJcyDt{^Ai!xnLL!l8ISa(2R0wYnT&!8)W5c?de0gSaWGxmu94=)6gf?H0eI8=8DR(
z=}2*20U8FBuufO?&{gYYM*jAhuFvo&$qzrsF6)>NY0$pxklWXT#yM{7Pyvq~cS*yi
zTsq~myk9Td;F}w5%N`8)p!gc<BCXsxShE-WMR^@OJ(ia_ymapj|CRldw+-hwQ`E{|
z=quF7?=7XumbG(fBgJz<9@Ta+AXPbrSZvHq?ojjmsOD`TH(^5lHH%p0qOuOWHu!00
zABA28A|&f^>w8s{0%~&Km%ldKtX=BO*}<?e`rA!b`|I1cYc2;yCspKBMIHFjo?x?t
zk!oH<W!IFRr*t&1l-aq!43aK)l~c|982KQTK8TQ;xcmk=N!oNOkvZDZpb#M?B)`Q9
zXpN+Zn7$`*NfcWWr)s?8mbQ}V#pl^IKU>abF<lFC;ezrPEHdFBRswQLjAj(d$1)(+
z-t+nHdJDG*s=o<^PumUP)q;GD$@`wt`|R3Cn-NgnK`h$h^J_Q%Bg*yAIZl?1n->oD
z0BrDR&(-H2pzcn<h4MpOICvi>9TE)$Z{1iaF3Cl592Tjh!ohLBJF|f#8!O(B)uud-
zjRB#n)u+ooDNar8@ILKkmnI)`&iVErb3?_7c6;_8hqlqudxM;}Xjzh%irUp)hY1!C
zr?wl9#eGl0)~K|z!ur`-5BWs_%ke(IKwwhv8PW7lQ`fU+hxUm!@k@NPvtX8BMgw6V
zkN%uu{n)UrOf@51&(c<sZHn)GCD1?kmt~u)cbnJF`|Y=Robj$ZyCHu9ZA~8jj)>wt
z&xa!RInTJwIPqp^VW4iwrfRR0+}_jQnVUDzkL!-h*23jWieTa28}(jBCH<s2kywH8
z?vo^I=UKC*)$K$B4|^%_V0`SvX}F1}Nb9H5>n7~A0lKi0L|jGf-Huc<u7IoBT3?Yg
z0MV8J>v0#c{Fb%nAZO;_X_Ur-ibT`hfTm+rD=(9}ccJ=+srM3CEWDe2NGYtY_Cju-
zG7FZ^C9wJpN4a`DNR#AZ$hKmsvS$#vS^5l4NC-Mix#N7lg3?qb`6@>Q72hT`=PPv&
zRzDTTqFCc9vFP+{1?Q9blGqYD_`yh7zZy%fpVAYd0Y48LKq&&1RL#XJ0om{8*q61U
zHj|?6jIV82b6M@wB=IzTu>ain-r;V?3Gnd)R8EUop0a`OMBA>vyW?c_u7slWn=)7)
z-1Iy8#?l3ET6c|i7|d$;qBhx@w%ao<<-gHURSTmm?blM>aE^%~4mje=Da2~itx}O4
z`|c*22y|R-B@@%j@S;yog_uDu{ccR&Stwv$`4SXtrrc0Oj8$1MTs<7HC8$hWTk?n#
zJ{-7DD&<hw@!M-5l+iU-@G(B>SwbBaqB!q|dwD+~{etpf^iiz3*$$i1wb_C#wvlL~
zH`S~$5(HVHeTP_=PS?|&uB?9`KvAhC^c5yBs0x-??Q$$k`tfB;K>Qn%UYD0YOz_Yu
za-euRi74fvUFC(9gz5Xy#^~Ll!2tk4Z$b7wWjBVX#m5@PVmtLyk-JLWUE#o&*T<!5
z?vR2TxxU#AYfG!co$N=cBl`WHZvsxYeD;4<mkVw6I%m?JpC`{0(wwX`UlCr7-}#6%
z$xH!BPv-WtjFhvwl@b<>W+}1FRR=gZT^D1E5)Th5zK?xG1FNmic?aicP5-=V_z|(|
zA4fCb((H^prz(8asaqg$YP?rTCb}hX6EgcFNnIOZ65@b)ec0Cgk1KIhK)VevMG|dT
zEN~clt)+hZd3G}V6)s%9+P6Dsa$SbUbrBS|Va!PiE<O}CAw!82pg^wz00%JwZ-j(T
zhCMDH#@v<MYwxJT!{o_M=&+Vc@@}{+qKpQX!qcGheZduR5J2GV)ehLt$0p1Dvo8K<
z^f(Qf_|sif-D%OLZjbYoK1UxXQQLc!N~)6Lp9e0d>!(9v1bXMSdBv^@Y_P6tj~y{C
z-vGyKOzuPXunLY4ssU@#)@}MEaivd@$QlDRx)Xg=7bnrqx9Yuu0+6cfXXSk=z53y?
zx7j6*{yR+jt8Wm=SF=6<%ylsK7F+0QePl1XXvroCu53dT#|;{(V1Mvl;`H-u(!-;*
zfN&g_)D8iFdK(87foY|+YZ52w&EiehuV<u<+BC;w;S((9CBe8}K9@Jqk5L{WgDg%*
zf0G=VDqPO7n)9q6w6v7nijqwdd7s-PdPrI%wiG7_xPa3v=7u#55}{>~v9g#x*;rmK
z#Ntf>o=tH!+Zo8E!taQ*v{xWpX;k|j-mB@!59d%7ZZz=5U@Uj<53t|0sQ%M9`gFUC
zexS1`*1|#R;!{Vo^ZnDdOW3+(9L)?+w*h>H(dTke9E%VaAiS;*q-aN+anl@EGpiG&
zldm{$%+>fs=SB<m0D+BGZT+NThl^3q>e}ILCn%?2sTy3f;jcdKh?9Ymps~Q(%L^R_
z;BU7Kk?6y`N(v#!m;n3AEPA()q=<I*`oZP(^r31pc7PZMXA?K$`**BM9|C}RojF?I
z@|(-W9Xru2Vk{%RsF&s?i=iv5X=&U|9=S=-M_<3eSfoA}VCD9fY`PBW%<09f1hA1@
zs)8?cFE`m<P&SPj10hy3KF{Y7aKmh`liS(z7GC1q<BHT?Nik|p`jO@17%H*mXV7$e
zcxa&Zmz8`ScrQX<gT(=LJ&VNl<;w6v+E|%k3}niPnz)D%I<InPe!@}Yr(-+aQ>|fK
z;g%{4`6~^0^82Wac^_P;a-U1%Z|kjXJx`j5z&9B}6)|QJ@49Ep%QP(@@Q^ClWrE0Y
z9%b-SO@)`KBuOaEyni6OVQWzSPK}GHCBMa@pU7n;Vm~_AxUrrgSKo6wdy41MDd6h2
zxp@<`S3pw(z~ctJ#(o^pj@jhcpmKU*nXa4IvVDHBm!;!KF3cR}`P;}gF|yG!<2y#P
z6?q1s#>%8Qq0bGh9xS~O+9W)Ms>}R}UF?LGCl3euH3=wMW<-6SA-HuDoedvAnINK#
zKLrEqwyZbJ9IO!Q@g)0DynRj6FaFyZ!oP_*Omv-X-#^@-q3wjdN9=V1<wkB(Xa`*K
zOn_U*W!)Sy-*pc@SH!Ga%x?mer>#TFQaFb-?W_v0*C_c8WT`=i3hsI{OalpdM520!
zRpwK3)xIsJHh!7w>Yvk9A$==mS9?Jh&E?46BQ5s+LJoV@*LS1Do)y^9zp!{o+>hUv
zxhjSQ8+j9o+|BK>$I*m|E1R(>1)h?8^D8Lgp-)G+P;D+mo&iEBly>*GwEbB}7s>^D
zPOt2pLaBy32C8U=IXSLGff%zmP8r21M8sU@a@se4U4xcNo;J5OV1MX4%zz807hC>b
ztU})H=L(%IXZ1_>>!GKdumZyOR*=Pe2)TvL#pkY;Ge+?zH{NA$%Y#fsz<VYLgX?0Z
z^qMDgPz@%0{x_dmn<XulMcGW3j1E-%`1J^U{dI-G;qH6*roibSrwH&!fb?(Y!qN>_
zNV`$J-RYtub{6Y$FePC!wXh<C-Z-@uhfFQ}tmc{_1DLmdT6~jb#uZEOzL!mJegDnv
zx50iU!i^q+edjNHN3SoQPj^+e788>IB+vz})>@xO><OaW<GDlufnhTUyu`)4ez-#J
zn81eSX1O=y+E*<2Iz(&Aj{Sw$>EEjQ*<~9N*E>XR5JKnrVD{{Sa2T66$DUei6Cq8|
zR~w|Twk6%5eCy=2XrK~NpqlpAwmF^P5qqXitBgL5k;cG%L+%11$`>!F!Lpyk)gRxc
zA|ve5rI)qAyXBNzEW7yAn?3Cr%T$c(?fPkTkK8^^4_t<cHA8QJax{DI>-SPCRb~r`
zwUzw)nVjfx-2ysVz3QShI8pnxIeTNb0@tI_&R!0tFop@mo`G0y*fX2gyXVOFw<rbx
z|C{YhK+BC7<a*r*AQUZ@dqdk#`drWSWGoy%%n7n`C3{+;pbXF_T_DhN{YjBMuNiKX
zaERDaR@^TI95`TpG79tn*<W|aRT_HN54(&_ca?V0#~+WCUfNUJNl|N-3`$;s87h-X
zYFaZ-57M9MGsF}EFwXwE>fn{S@~mQ<ec#+rSUpX4-WfCcW9T!eu39TVGNTzdD)yxx
z78uGm(WllbTz<9BUB%)+kC=9qap2aCvkKD_rPhO3+CD%`J{7)fW`F?m`i+PVy7=FE
zP{H;k4He1x#*dDsCBv9V*NP*e`B@6rH*QF@2o}Q*eFJ5uvk?zlRDkS?Iw#_Fmd=@Q
zbxJ3Ml@NpF<l~K)&cxu`G1+af=<Ao|m9{G+8^%!?nfV((@=f~tQbYEWqdi1wwb9~)
zGFA<}1?)0V`O8|O`?K31kg$09lfN@~`}q0szD5w61I@t7GgMtR23^rZ)^^%Fcr<+N
zv_z=FBog-Y)U&Cf1$%Ii!V^`~52no@HeRMDYCTbUcgW?`sWl^bYMq5=#Clr5V(wKp
zk6_z^_w)Je%q`OaT7w;tV{bh@_5<iOQFP893cuME$!j@%gthkxL7UD&^6Q4jK3g*`
zWfQ+SMnkqbmi~D2q7aO*O5o9<X9hl-{S(Y)#K6&g<FlKMMXT6Ug0fwXvQAQWm8WX;
zP=0qi9WPd3^)r5gaKHBS&^tYNJ7uARm|AU!@ABe{GAL@)(MI=!g3~q=V6H`3>agdK
z*{t|?WGrO^bm8u}iwjn{V!j6c19JD#Yw#mq6bm5v9sP*0?DX))VMYH7_sSEm1ilre
z!8ccYk?7{{=lCrvcLcU=cf!K&yMINP$fI+m`x-(N9Ii?HO6nE5XQE~+P*z4ekJ!H%
zxzR7v8w)>dr=6m4sd<}j`UtnsT}mh0G}l-{-A9Xm?}6rQuD88f_wgT^SaQa+aVhmz
zycW0X0$3q`;SpmOnM5wGX^<u>TvrJQyuC49#IUu-1_iAW^Z9op=5x&*<CET$%7dp9
zi>TtMRwDkr-pLGpU{x8(GiA4xwdY+Geqhrzswk-a5%@$7@`g5s4HES~*j#SkBpSHi
zkiv$8Zv?yf!~JjQyX!mve`)cf8*NV=!jJK%R+|6|MN>;Clna_6F!bA_U_;@xi*?Fc
zpVP;Z#GCdcIbm7Vho|s|9Rt)Mq}4I@fx>D8$2Vw@RB%GkMM2PNoj{^O5&<Sa$yr;Q
z4SZ3i%6C5BFHBJ8TD+>A?^xbl;nqMnkW|*q)lZnLwh=>&9bGZwC~o{eqe1_PWBIS7
zjQ;~4nRxV_UQ-_|i1|E6nwjia^UlZf!pFrAggh1m)p5Q7KUxmNnrm13@MbJzFwQn(
z=a+hRXiWZyE`}?9VbNe$C(9(oRyRA`dzEJN@~wxb>5e^#J_vDjABg(=fR1*^`!;{r
zDNB_MAXaj#f^y-JH*1AEuLEYn_DbH@l-R`@S-Ac2#>=<0ZXQxnzxMz3OPXPtP$0Ig
z^i3weZ1{y>wo#crS-hDSWd^U-PM<@y6Z^+|Gy@2a|Fa`eM*0BG0qfUuRK->Lp(a0Y
zBQGMOdXBKtjhdy>?V1c3P3iAi9XMdouPy?<7_K;m+C{S$uVDXbSwxzdp6X>-Gbs3l
z;qt;(Uuy>GU_lpi+8FWbBCvi7bM||A_~hkUZ7gtEIAqT>ZMt!a5j|5vR)rfuJ^kG1
zGT$mkr0;M^I6$<n>VCNcr+y?EQT$MFvwy;d*B}i{J^|@YCQu8z!y?IyL6$v6AELYU
z2Rh*LXZT0uInOO2QUCBO|9fx#Y_8FjZfSxyYs;qp%z}w}e1cL7Wk>5n&HFz!%q(3F
zJ_diAriv=&W8jBsj0=BtsG_v^@i{=ayEs3T4mG#&|2pw>GQ+OZ*K%*$X0)P$FyF5}
z_#MFe&MW#H;(ZU)aJ~)FRBfiPH!n0r<kk&^1aIeS>eP*Vrf-}>dj4`rE{=0VcZB(m
z;-$d#KQEL2mQmYE0EFFl67yvl{eP96cQ{;MyZ7^p2%;rKA0<SM5{zM@1<|5KM2i}t
zj9#J>Awm){j22yjOo$R?FnSmaqYhCrdhbDu-p-cikMo@CoO8YBo&V<AYwx}8wf5Tg
z_ulJsuXT-wZvVFonoY^yy7k@*7i~w@3sTBXQ0?xhq9eOZ#RsaK>d^WwF>(WJM!aol
zYs|F8X+Qznt<ys^%O1w!8IcpJ%Lk6RJI*VjVI}f<EBPQ-@w$O307zNdPS70AxJvYi
zhu?R0FY39$Ic{isqn=Bfb{`HBJDe7N(X2lnJ_F$|zn0N)hsZ-m(PBLNDp%-(^)tpl
z4>LTTM0k8ykO74|L{s)&rVaN)bw;F*do0#n_wS>{vhruFjgy;9vB5um8U4rDlg8^I
zZbpdKHm`?TuaE08gQ#ocA|$`6W=7VNCG0W3xfy6{FBPfZ>jk>?Y;f)UrK_7MV|How
z0QB%i;ffyX;96vm4m>UEtGe@?2W@8+7j4!f=ByJr^Z~R%+C;C*LfaL$5A*st_Ax<c
z&IO>f9z1Y1L(u<*KO-hD;sdXJszVU;=U-J=_Q}vEYgsKJcR{1^r0RB$y1M^GM4dli
z&!`bS2<jF59F^`^%gb@4_i$Qhw^;?#i?0U}<z(`D9$vSP2UK3m8%o0u?bf84$e)yc
z2tCd23F#b(Hd}|&tvK`Ysw>29&nss((yIXY0P}BTvJBiX9#f#m8OY6>g%;a^d7Pdm
z?@v<4{ZtMd_G5fW=xF%D5y5@y04M+O@+||l6Aq?eX&9X!$zLXFV;d!%iu??)6#$(e
zP(hh3QCT>0Psh?IBv5Tp=0TT5p`FzXpOdX74TwyN0=8*^wA<qf9!Z2&{Xs<<j$v*%
zso1?9&Z<)iq*`5jKMAl7h4C+M3hf5%=l8L6F_<ldB=3THaAYf|uQ5m}#F%;PJvZ7W
z&Ta0cuUa#|S%BPTCv^my2uszHSho%^8Jp8rST3k{$IcT;jV^$f-@q|?zrRdg1}1iw
zeUHEGbBkOrEV}jnFIK%dQ9BnlL2umG?%y9o)ulwbf=Dpri5|o1zYK@CBGdnrqUxEJ
zzd~F*F-pJeziYyqIb6}zbD*aO-U|wJuoJM1_qr?b5m0=H!Jv)~Ss+%JX8DotN4~!r
z5w`f_SALg%sC%5`eH_TUYP4gUPqSb(JPUg739xurI5RM-DHj^s=<M>e+Np-<^RiN*
zDhp$nsFeKJw<Els{#8&WePeDCA9Nr{C}H>0o6rc2dWAGy2Y$P_Ho0>m?M?EQCy4Ef
zxtkP<|LzVvHao=W)clo6gL%lUaIXUE5K4wO6$DjRyCdFr8z90+7sBtp113Acy+Zu9
zGH;XV3)Wd8zoOdi-Br`0yj-xl`J^YCEbQH+e{`Sdh?=(Q>NEd4uZPP9)RV6HV3{nx
zVjR1iMFsQ(h>Q`x`Wkq!d}PUt=$Y|Z75@$ajo;A>MuqW=4div^Vv;p0Q9L80#$l8q
zDrq1R^IYixN<Y|riax{qBz!(Ah923nHMRF`fJ4u~B!Q+cG+O`DM$T5jky7ziYOAL-
z<V;gkPza|oe9uWsq30M`@Z+Rh6;6bXq{;acdfORblHb6BZuc;n@4HF91tW**T_{wi
z>u(~JU+mgSzP<m2Udzgt`zO<#gGOr+0qJWEeHkb*OTCm44;O`_CcWztF#s4r@PP*|
z%9yMu_iURed7(;=ghmEe-t=Bo3$c!6D?uvosvG_&qHGnYGQya^Ef!lm=$L!D4A~@x
zsN1ihcrGx!RI!-on5lNDaPxCxx`C3Sm5Q6$X7kIU6#19Eyb+LGC+eO-Xm(MDdBU7{
z1*pddZhobtTC%p0#<`0gmIr$SH1J-MfS>6#T#WMOqi?gj2LY-}lE@cE*O9RR;K`nt
z=>p{0{C1r2b1o`9;*MU;v5eSI7qg;c-sToF>jIs=zH#7KjjjkQ&*3KX(zwqfZz<!L
zCa0SLG8JCJI2L@035_<c8^DYfFHJc2X32PiBs#a<Tu$!sR$6O2Ip~lsGCdWLrJ4mX
z6%<+!$xq%SdP-#}7Zzxw<L4dIboFj)B5I6;Usj4&xx7=IPF5zqCZ4gxZxljr8{<%Y
z?bjMH!{J`J{dE;0s@t^zmZxQh+PE-7rIcXc<BtK(F_VMp>a+;|OuWhb+cW@|Sgg7r
zbL0Oj{_JVq-F$iZMReybx35yl##<2fO{MyV$!A}5rK)U@yivF6Jc1DoseMAx%eBvA
zy85bOlvK}5@uWs;#!hT%rkvgHg(U(fJP-DYj-2W1#UBS{JQ&z0GZ(XAiulzFJfdjJ
z^4-aT7!I^7VP>MG4Ifx0y&u<rc&_}N-7J_{Ti`JV{z&m>(2qr%HMzjw`PA6m{E(q#
zpJSAMKKn4vnHUbsy)O4u=4JEOYk8-)ED8hl2u}5wz#GsYyM8jPnke@35($UQoe#oN
zm))N+f);KK_1WmYEHe0IN#|&UV4BggM3-l70pM9_&8R$~um*;%>6myjFYi*MwSYe0
z=(1h=!ZvBc$!%V3f~UK4)|k^N-Xb3|7&xozWrz=Yw-?+x9)woNMmnwhW8NVLv@C1{
zsuo>p+hE|wD(?|x?ol~VVhQkT?Fz;8qa3VFu2()kjyF|C{8>PAlqPMV{Rzv>PsLs-
zI1p<?rW1|wsf+jemk-Cx$xE(b>r}Rq`b%{irU~YEEptaSS;yDkxaTH3SPjb^h~s&e
zxybgdL&c~pTjF871!rZo+$+YHlZ$G@tby}Bp50F(ibu@8K{DP_yW__?UERcYSBrP^
zN*E&Q*qmmA<fV&0HVaADgLIIy?v|Fn1M1%f9dRiAC0uRfOa1tWqcj&5Y5ayl+jq&`
zh$#~-sWAp(d&BM`aoX@eB~%TWiw-=Hb{Kzo`5ss`Xri%*$!Y&v;UnNRDtN{C%^VgG
z3(oS0JKdynwE{N*v@_qLH|BP2dSZ<y(x|1Y)wuS`UAkM(_G7usA9m$VO{vwbdtPs*
zf6cstgdJ+DjxIt_?U7NvY468%8UodW6pdT=O*lp*Wpt$Pq?co5ky%}vj;iZS#NE8#
zBeu1Eu}9e^i<09a@~<dU)!V!DQ-GApjtTSvzzy;J_ZRVheaQbGj6WSfoR@AqU$bX^
zR#(y#PtBP#V-Uce#YH~YzMe3rqnN?lunH6NtM8X0^ejm|-mPG6p#GLbBR!6ktx*%F
z-W2Iovb^9enrcTXmL89%@Ntu)_LOUlu1Bmmpasb&hYzmHb;K?<nj}ab&v#_jFxKK_
z2PpM!h~%yQYI`Ah?51eW&~Up~j#U>BFLM2|ijG4^u1`W(CMlZh+DQFE#0VPjudEs_
zr@;n6bPIR)CFUZ6EEvt39~FIXc?&~}Vz0jwzi&g$AUm@^2!=cFdvLhrEs^{z@oLO;
zqRH4@dh%Uiy!ta<`t}t4(<AYl5i8dJ8+1`RY?yjzzsLS@X6|>xL+@!md=0IWZ1+R>
zH?z_k8;7u?;6jKzV@~`WuLXRy;f9Ecob_s9X&ZPv&Q_n%>%E1?P-J4h6jTii-6KOa
zUXOA#ajlNeT^-QgrS8n!eyA839#;TB9^cHaoV15s+PBM>P~YiUhmln!M;LNOy6eyc
zA2qjLfwKO(rMY3w`)*fezi~r(@*ZtqRHX|ZfQ<VL78|eWV1iI9tf{#<W7JEZef=Si
z&4%?EW%GC2mS@kX=H~NvsaX&&sYq|xre=C&0K4o~<4OE(b&ia8RdbQE0Q>g+e<pmO
za2I<dTnKf0QX^=26H*6`(6|CDckp@F7C-<buK|z*m<PZFq}|3J`Er0jtx0!`Jr4ia
z5%>4ic|bH5NQAa&N(koc8EskYs20E<{6yjKDL2dxk9L7wH8)s+1rb<7=G!$d3L2-J
zVq({M_Y#Io2f5X~_YRuLI0X!7si_Mh{~q`I7ro&;EF%I$KF3wXT)%$S$BJDb6$Z^5
z<@7v3&QIqZ`89N(@d8wZ{k`>8nPM;0wa3cJ%G?GmLhZ1Rxu$U!07vRgBV(O9&_)YE
z;{vuQpelU5ZbMk`-%q0c;gF4pi;L?>u@*D6klOH?k2Hz8xOw;U(E!bP0pM0km|iVz
zb>K88r>`X)^dWHUuykiYUJP6KnJaKg52P@RCg=>-lr%NoY)w6D^&Eh&HITp9`>JTJ
ztZefTIGcqVYndpL8Wpg^#C5*qa|I%-Vw&v(l0U+gx~O>1ddQa;iD4xAZn#*Lu{WDl
z<4a#~{L#A&mrjOFHij_RMK9Wp@NW3H&jbq-M#6f;7IG{3m}<yM2Ee}0I?brjSzD&*
z%fH}<T0-<#9mx3GvThZi0X9l^9@}?p8(peV^r!23n1<I=mMxtx^gnqM3`QZS7~{ak
zp!?@xcK#=@c!vTKJp~C`t%tq+4t>@;C%pMZCXt71G}b$mTBYv$+`=A1T*qbV;-QAT
zxQ`0&)w5sH?F>Wa0{2CQ1L4SOF3zyIbn(qf67qUU+FxJNbq4eHUZgLMm9gw(r$+HN
zDS63Fyjnj5p8(PrWQI64hdBB5V2wjdFQqr6jVd!}-OXMU5A`8AD*QO@`Lu+e$py>u
zw0%RY2b<8hkaLLA48L7Z8moVtWfoyUP1vI3r7ZoF*q+@)o^;yNVRe^tCv;1uT%K@z
zR-KjSqm&)M|7o~Oj#aE_#%VS%DK1Xq&U$?!i`P7w?!kgnd_Un5O+AD*T_uqe;;y#$
zUe*5(3$A}Jj`$w-vBE4NZM$Y#mQsUeXX~KlFwF#K3Xh7@p}WSMYOBu6*fRykkly~W
zTIgsgMO$+`x8RtC3}~#RInuUkN``WDwAUN<$mB|>Tfp5Ie;LZJ-3fDUzP!Fl$$id3
zSLx(^sm{_QqI{4nu8Es1I_uL4Ds?{JA^MadT4Q?CvFp*pL1FyDXzPy4{WwBncX7;`
zq=>=tm3Jqk$+_!rEsYP-f6b_8X!VWn3&uq<Chg5?<1gb%%ggHGBDOEvnTfez#gjR@
zwuS86<t+6d9lJP)+NF-^*Q|O93pKqjbgDPV4}K?6_{Gj+job9kxGynl6i(W=oI00e
zKd+!-Izg|;J;JHjGdVCCthbyU@JIGGx+1Zy;eK}LtiJFL%*(~C4_nXKt={O6kPJ;0
zYp!=d0ZY52Eudd1uzgyQt9~VMKdbj2;h;bk)&moPPR~i6pGLU%(wsw4WCCViKJ08`
zmk$|wWmdf9^rArlsc^$Zn;VrdB}CRPFsMF2|C*Q4B~I{c-`DJj7La}E#v-(9n*|Ku
z1h#)0dhs3lz`*K_%KZ2M4jl7VSg*hBl^7S7vh!?-7m*tg(V9UkE7oHPjSTAd?y*0(
zGW#^2j0A$=r*le^7R~v(83}Q*rW-3BZl)$iT&0_;3n5_&5+zXemG+PHJTE$q@NtD}
z9yOY;tu#xe&*Zj?IF0b8`%Z9R!2B?l+jJKLng^S!9?Q*4^=*1dZoM5Qb`7K}!+t2>
z*2s9y5-L9axphVRHo=cEcg<+lgJFb#?{|Z#;F#|xG_i@u^^`KT9s7jo*G21@VTX9y
z<lI1eKb#x#9v8pnK>I;%e+WI^Q}s7*998oxrsyr!LHp)XwwbXFj4^-Zxr*|!t^2J9
z`6TGFlRCDyrlNzXFX<7-?SH{ez2ZopQG1aT)UUJQ?8lHhLFj!E{;{HEyoAFaH#W4B
zIOrn!<4?Vf%m`ENXQ$vU51u@Cby2ZeMU7yq7~2X3EIocD?_kQ#W;8$$*iQB_7%;5}
zX7Ep%+t%^zSGyeMa@tmjyQCcx^O#Gazhv2_g*V!z=AzG)nB<7O0wo*mhbp=^UGCgh
z3Se>r%OV;&qxUWWOOrzpO+9fWI)1LAo#FFA#54l>o)he;yflh>gH<QCT@2|dhdt;D
z(T>?P&!*hh<lxU<oQjAB7qh8r25yjSH5$I!)2a{SP$?_Cr4Nt#v&|ZUrvzCNOHX<>
z^x5K0<pP5bO&W)yOPZq{g?!qF!$h&s3QsMc!ovyCXcM#hgLyuc!)*M`(Z`fO)n+&9
zB9WP-x4SOi<XrjW3z=!>r7f1W=spVUwbb13=s$veT_;|z3@E05nJnAzn^55151F%+
zT~QIQZqhPqaxx8{@Z1qcj=WId!@?Q6P(!quC*bh_QV-76=D0G2-b&0GPW`2-UJhvG
zyfGuW`qkOK{4T0QH+{^5LZ>c({rTX%IwS>-^Y~@v=iSt%ght7utCRC4@ZfmUQ{+O&
zgxb#7R4&r}%yK(em;dz4Kdvr*_?%z^F8k!>gGtrtdXYkKO+y}@=bwscI9Uj@JFWSy
zNtgrO(Px1=TZ!tcrBdVL7=sI#B)0qYqU0?khL=1CkK6xHZ#n2p$qp{TfBWXlr0ucS
zH;;vhXR;2Si@HP0SI*<~rVgVQ57QgdCE0x~(=5E6uys*yX#KF->z4wf$G6sBIGd_7
zowfk`TRCsJ`V4+wrUtu+sQEP{7h4GTsO{+<J;p0;=1;}gSS8Sn#+Yq*xH-pmisyya
z#11kIhLT7-s)*7!&OV-tl6NAh_aD`1YF8k7uzi>64{}3K<-~*$mOfkXnn71n=i0pZ
zeHq#agP4tx1xM-FL8*E?UgovM)^Fcj>q>eHC-yC-3dY9Dt{GwenMBSv?rb8*B3g?b
zp1Bl<YXJd*(c{CaYyu*FGiMK=-yj3`@)lNDxbTJ<N(MD%A^3@}WBS^zzMC$O*;HoH
zB)1h<N0MSrzFE7N3c=GBy%iwxXLxZ5EbTh7xLDmaBtuEISbFJ9l<EMr>-qY@x~Lrm
zgcpZLl{94dq_#Z{(J&)B3WPKowC@)#fJG=n{8))CK^*N<;!=~;Su~ZMDGEJPvi@u&
z47%%rdb_7A{aJ$!Ch&1aTLJ;>tj~U`=nL!eNO`F};x(*3RdKHnBnF%EmMV^nu-huw
z^w-M(^^9FQw|?-^Saafc$Z4JJ;iPIcCIL))WW{I<TRVw73w?Jym6^8`RmmxzJ@zM4
z8t6ZeuO*HdiX;?^PUdYIr7tjl5{rv%bWx|=Vh!yKxQFtrSz#(pfn*JyP-_1&cnLEm
zY6TyoqFz=mXD@ByAqw$sp1zRxE5>yPckLt>NViadh-~$yIQJU-DTixOVu6gY1GY<F
zbDgd>g!si|GeYmQJU)NwDNWzX)p=1{ac8R!gK|BRi8F4lBM;i@G->3$<zTQ_Q}}QI
z3XRZGyuR_z5mku7xk!BDQ!<C?iTQSfQ!m%}R%SiYjuW;1iv~vy51f(o{pjX{xbFWN
zETL}sJyEH~3zn9s#9oe=<I-#y{3KB|TY0$EkE-=+j0|pidD4AP)XqaEu@hR2CkEGo
zhRQQydzP%7T>_74DgFeOXI3?aZG+{o{f{29<zrOVbj>(-?GoQCrzRYor;hl5wZ3i-
z)k;*(^amWx<oS9H+w)*C#B<-B{Tx$gEj>~@-$Zsprm_wqgk|bZNVTC|zJozX=vABS
z8u?38e7JAH6OQ^`KLHg0*$aKLcE1lav@<ts_i59GVUu^uiw}n%HEdFvst7)!VKCqu
z_vt2PO1kSQogNR_gji+!#jXS~Nz)$PuuP`@PPi&SJl6{P(f}IMnL50)xVcCLxHt(l
z_}u${j-<wn<iZ$=&Ufe{*E|c=T|ekXv2AF=hq@~t)pd{6FGG9>`Na7`2#YbYw@P4&
za*2ik@o>rJl*rA#OB+|~4x@TUsk0ZCKl`i;kA!}(_Z$s?`E~(rRN02E<$sd5|2H2C
zXlfvlQc3E;U&S5X@Z4tz^{=Z!A}*Y?atjcyUI=i=tqTVoS4wf=o+Bc3-hwU^yNmLL
zz`pg2{z6_;P^4e~E3QpmOrqbAY+7Y+Py3pT@%{DeWu*_D_%H;>U+@0mjo~9nmf@;*
z7Z<S?E(&MWLOpQfqe|EK&*Il`tWlFqVTItyAWXHsUSH3qMO_I0vtS-p1$5Y?8Ac{(
zt$Hi;`gzUsXRhgg^+bD%kbpCYuPo#~9hG_0J09Z6#1u_#RK$qxcOGy?Tfl6)2ye@+
z)7@iYhpF8`b+urm=bKhse5LLf>%Uc{oHBWKx|B~TIrA34Wte7tTxrk(XOQChOcSx+
zchJ>I+5w<7Fc66RrzykMWo68!5j{5;bCOxAR{Nl6s;GsImgmqce(0aO$+r7FQ{Vb_
z+^T#C!=+U^e?t=6XAD2JBP(71h9xYNg`eytid^ac)p{nRQVIWNQ+_Iy^Vr``kYx07
ztppmsRXAEOY0f?Lcr1bi&|Mnck=CI)X&{ygP*hYDz5PXxh_i*C+9l69=80eth#TWI
z-el75lQ%UlLZ38itFr1*tMxL?q`8SYziqrar{LP3Zhy6r?^akc&fr)3Q=y8i06Krs
z?UIc4oMqXg20%7A<8icnyFxk`dUm$o6l))Q5mTn!*lhCNQqs+;0jl)?c_paR<L2@E
z2D|4m>lK;^9t^$hSQ=@k;5Vo%pyJ~?67P<;W=TXNfa_>Qq2?W*$3}8Nr4~{>(}aLJ
zBMO?cY^+k-Qgnwq@<h~C;_NT#tMNRL`7yXvroij@hj(ebf`5%`S^xe*(+qxfF%>AF
z(VfhE$2K{aeOT@9zvtRlfi*D!-ad%>|B}`}b57RDtWd;n6ee&9_-U%@J}6PP4*w61
Cp;kly

literal 0
HcmV?d00001

diff --git a/docs/en/first-startup/index.md b/docs/en/first-startup/index.md
index 549cb4699a..b5efcce48d 100644
--- a/docs/en/first-startup/index.md
+++ b/docs/en/first-startup/index.md
@@ -33,4 +33,15 @@ The password of the administration user cannot be recovered.
 For automated processes, you might want to bypass the initial user creation. To do so, you can set the initial password
 in a system property `scm.initialPassword`. If this is present, a user `scmadmin` with this password will be created,
 if it does not already exist. To change the name of this user, you can set this with the property `scm.initialUser`
-in addition.
+in addition. 
+
+When set, this also causes the initialization to skip the Plugin Wizard.
+
+# Plugin Wizard
+
+Once an initial user is created, the Plugin Wizard is going to appear.
+Here you can select a series of pre-defined sets of plugins to kickstart
+your development experience with the SCM-Manager. To install the selected
+plugins, the server has to restart once.
+
+![Form to select plugin sets](assets/plugin-wizard.png)
diff --git a/gradle/changelog/plugin_wizard.yaml b/gradle/changelog/plugin_wizard.yaml
new file mode 100644
index 0000000000..2e9c55fded
--- /dev/null
+++ b/gradle/changelog/plugin_wizard.yaml
@@ -0,0 +1,2 @@
+- type: added
+  description: Initialization step to install pre-defined plugin sets ([#2045](https://github.com/scm-manager/scm-manager/pull/2045))
diff --git a/scm-core/src/main/java/sonia/scm/initialization/InitializationStep.java b/scm-core/src/main/java/sonia/scm/initialization/InitializationStep.java
index 6a8c285366..13876befc4 100644
--- a/scm-core/src/main/java/sonia/scm/initialization/InitializationStep.java
+++ b/scm-core/src/main/java/sonia/scm/initialization/InitializationStep.java
@@ -26,7 +26,11 @@ package sonia.scm.initialization;
 
 import sonia.scm.plugin.ExtensionPoint;
 
+/**
+ * @deprecated Limited use for Plugin Development, see as internal
+ */
 @ExtensionPoint
+@Deprecated(since = "2.35.0", forRemoval = true)
 public interface InitializationStep {
 
   String name();
diff --git a/scm-core/src/main/java/sonia/scm/initialization/InitializationStepResource.java b/scm-core/src/main/java/sonia/scm/initialization/InitializationStepResource.java
index 1aa6e68db8..7d18ce981c 100644
--- a/scm-core/src/main/java/sonia/scm/initialization/InitializationStepResource.java
+++ b/scm-core/src/main/java/sonia/scm/initialization/InitializationStepResource.java
@@ -28,9 +28,22 @@ import de.otto.edison.hal.Embedded;
 import de.otto.edison.hal.Links;
 import sonia.scm.plugin.ExtensionPoint;
 
+import java.util.Locale;
+
+/**
+ * @deprecated Limited use for Plugin Development, see as internal
+ */
 @ExtensionPoint
+@Deprecated(since = "2.35.0", forRemoval = true)
 public interface InitializationStepResource {
   String name();
 
+  /**
+   * @since 2.35.0
+   */
+  default void setupIndex(Links.Builder builder, Embedded.Builder embeddedBuilder, Locale locale) {
+    setupIndex(builder, embeddedBuilder);
+  }
+
   void setupIndex(Links.Builder builder, Embedded.Builder embeddedBuilder);
 }
diff --git a/scm-core/src/main/java/sonia/scm/plugin/PluginManager.java b/scm-core/src/main/java/sonia/scm/plugin/PluginManager.java
index 8521b1d40f..977867ad24 100644
--- a/scm-core/src/main/java/sonia/scm/plugin/PluginManager.java
+++ b/scm-core/src/main/java/sonia/scm/plugin/PluginManager.java
@@ -26,6 +26,7 @@ package sonia.scm.plugin;
 
 import java.util.List;
 import java.util.Optional;
+import java.util.Set;
 
 /**
  * The plugin manager is responsible for plugin related tasks, such as install, uninstall or updating.
@@ -64,6 +65,23 @@ public interface PluginManager {
    */
   List<AvailablePlugin> getAvailable();
 
+  /**
+   * Returns all available plugin sets from the plugin center.
+   *
+   * @return a list of available plugin sets
+   * @since 2.35.0
+   */
+  Set<PluginSet> getPluginSets();
+
+  /**
+   * Collects and installs all plugins and their dependencies for the given plugin sets.
+   *
+   * @param pluginSets Ids of plugin sets to install
+   * @param restartAfterInstallation restart context after all plugins have been installed
+   * @since 2.35.0
+   */
+  void installPluginSets(Set<String> pluginSets, boolean restartAfterInstallation);
+
   /**
    * Returns all updatable plugins.
    *
diff --git a/scm-core/src/main/java/sonia/scm/plugin/PluginSet.java b/scm-core/src/main/java/sonia/scm/plugin/PluginSet.java
new file mode 100644
index 0000000000..e0566a0469
--- /dev/null
+++ b/scm-core/src/main/java/sonia/scm/plugin/PluginSet.java
@@ -0,0 +1,55 @@
+/*
+ * MIT License
+ *
+ * Copyright (c) 2020-present Cloudogu GmbH and Contributors
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package sonia.scm.plugin;
+
+import lombok.AllArgsConstructor;
+import lombok.Getter;
+import lombok.NoArgsConstructor;
+import lombok.Setter;
+
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+@AllArgsConstructor
+@NoArgsConstructor
+@Getter
+@Setter
+public class PluginSet {
+  private String id;
+  private int sequence;
+  private Set<String> plugins;
+  private Map<String, Description> descriptions;
+  private Map<String, String> images;
+
+  @AllArgsConstructor
+  @NoArgsConstructor
+  @Getter
+  @Setter
+  public static class Description {
+    private String name;
+    private List<String> features;
+  }
+}
diff --git a/scm-core/src/main/java/sonia/scm/security/AccessTokenCookieIssuer.java b/scm-core/src/main/java/sonia/scm/security/AccessTokenCookieIssuer.java
index e2766a3736..b6fc8a042e 100644
--- a/scm-core/src/main/java/sonia/scm/security/AccessTokenCookieIssuer.java
+++ b/scm-core/src/main/java/sonia/scm/security/AccessTokenCookieIssuer.java
@@ -21,7 +21,7 @@
  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
  * SOFTWARE.
  */
-    
+
 package sonia.scm.security;
 
 import javax.servlet.http.HttpServletRequest;
@@ -43,6 +43,7 @@ public interface AccessTokenCookieIssuer {
    * @param accessToken access token
    */
   void authenticate(HttpServletRequest request, HttpServletResponse response, AccessToken accessToken);
+
   /**
    * Invalidates the authentication cookie.
    *
diff --git a/scm-ui/ui-api/src/apiclient.ts b/scm-ui/ui-api/src/apiclient.ts
index b4914262a0..4d4a0f0a80 100644
--- a/scm-ui/ui-api/src/apiclient.ts
+++ b/scm-ui/ui-api/src/apiclient.ts
@@ -83,7 +83,7 @@ export const extractXsrfTokenFromCookie = (cookieString?: string) => {
     const cookies = cookieString.split(";");
     for (const c of cookies) {
       const parts = c.trim().split("=");
-      if (parts[0] === "X-Bearer-Token") {
+      if (parts[0] === "X-Bearer-Token" || parts[0] === "X-SCM-Init-Token") {
         return extractXsrfTokenFromJwt(parts[1]);
       }
     }
diff --git a/scm-ui/ui-api/src/index.ts b/scm-ui/ui-api/src/index.ts
index 2f4c795887..855037195a 100644
--- a/scm-ui/ui-api/src/index.ts
+++ b/scm-ui/ui-api/src/index.ts
@@ -64,6 +64,7 @@ export * from "./loginInfo";
 export * from "./usePluginCenterAuthInfo";
 export * from "./compare";
 export * from "./utils";
+export * from "./links";
 
 export { default as ApiProvider } from "./ApiProvider";
 export * from "./ApiProvider";
diff --git a/scm-ui/ui-api/src/plugins.ts b/scm-ui/ui-api/src/plugins.ts
index 9f9251896d..d6e27e1ec2 100644
--- a/scm-ui/ui-api/src/plugins.ts
+++ b/scm-ui/ui-api/src/plugins.ts
@@ -34,7 +34,7 @@ type WaitForRestartOptions = {
   timeout?: number;
 };
 
-const waitForRestartAfter = (
+export const waitForRestartAfter = (
   promise: Promise<any>,
   { initialDelay = 1000, timeout = 500 }: WaitForRestartOptions = {}
 ): Promise<void> => {
diff --git a/scm-ui/ui-components/src/layout/Header.tsx b/scm-ui/ui-components/src/layout/Header.tsx
index 8648ef4d52..c7020e5998 100644
--- a/scm-ui/ui-components/src/layout/Header.tsx
+++ b/scm-ui/ui-components/src/layout/Header.tsx
@@ -21,17 +21,14 @@
  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
  * SOFTWARE.
  */
-import React, { FC, ReactNode } from "react";
+import React, { FC } from "react";
 import Logo from "./../Logo";
-import { Links } from "@scm-manager/ui-types";
 
 type Props = {
-  links: Links;
-  authenticated: boolean;
-  children: ReactNode;
+  authenticated?: boolean;
 };
 
-const SmallHeader: FC<{ children: ReactNode }> = ({ children }) => {
+const SmallHeader: FC = ({ children }) => {
   return <div className="has-scm-background">{children}</div>;
 };
 
@@ -51,7 +48,7 @@ const LargeHeader: FC = () => {
   );
 };
 
-const Header: FC<Props> = ({ authenticated, children, links }) => {
+const Header: FC<Props> = ({ authenticated, children }) => {
   if (authenticated) {
     return <SmallHeader>{children}</SmallHeader>;
   } else {
diff --git a/scm-ui/ui-types/src/Plugin.ts b/scm-ui/ui-types/src/Plugin.ts
index f4b657c1a2..75fcd57eaf 100644
--- a/scm-ui/ui-types/src/Plugin.ts
+++ b/scm-ui/ui-types/src/Plugin.ts
@@ -26,6 +26,15 @@ import { HalRepresentation, HalRepresentationWithEmbedded } from "./hal";
 
 type PluginType = "SCM" | "CLOUDOGU";
 
+export type PluginSet = HalRepresentation & {
+  id: string;
+  name: string;
+  sequence: number;
+  features: string[];
+  plugins: Plugin[];
+  images: Record<string, string>;
+};
+
 export type Plugin = HalRepresentation & {
   name: string;
   version: string;
diff --git a/scm-ui/ui-webapp/public/locales/de/initialization.json b/scm-ui/ui-webapp/public/locales/de/initialization.json
index edc49f61a3..aa30e2670f 100644
--- a/scm-ui/ui-webapp/public/locales/de/initialization.json
+++ b/scm-ui/ui-webapp/public/locales/de/initialization.json
@@ -11,6 +11,20 @@
     "password-confirmation": "Passwort Bestätigung",
     "submit": "Absenden"
   },
+  "pluginWizardStep": {
+    "title": "Plugin Sets",
+    "description": "Der SCM-Manager ist ein minimalistisches Werkzeug, um Git, SVN und mercurial Repositories zu verwalten. Mit Plugins vereinfachen Sie Ihren Workflow und erreichen mehr mit Ihrem SCM-Manager. Wählen Sie ein oder mehrere Plugin-Sets, um ihren Start zu beschleunigen.",
+    "submit": "Absenden",
+    "submitAndRestart": "Absenden und Neustarten",
+    "skip": {
+      "title": "Ohne weitere Plugins starten",
+      "subtitle": "Ausschließlich Core-Plugins werden installiert. Es können weiterhin jederzeit Plugins manuell über das Plugin-Center installiert werden."
+    },
+    "pluginSet": {
+      "expand": "Enthaltene Plugins anzeigen",
+      "collapse": "Enthaltene Plugins"
+    }
+  },
   "error": {
     "forbidden": "Falscher Token"
   }
diff --git a/scm-ui/ui-webapp/public/locales/en/initialization.json b/scm-ui/ui-webapp/public/locales/en/initialization.json
index 3b05afd8e1..042f0fb074 100644
--- a/scm-ui/ui-webapp/public/locales/en/initialization.json
+++ b/scm-ui/ui-webapp/public/locales/en/initialization.json
@@ -11,6 +11,21 @@
     "password-confirmation": "Confirm Password",
     "submit": "Submit"
   },
+  "pluginWizardStep": {
+    "title": "Plugin Sets",
+    "description": "Out of the box SCM-Manager is a streamlined tool to manage Git, SVN and mercurial repositories. Plugins enhance your workflow and help you to get more out of your SCM-Manager. Select one or more of our plugin-sets to jump-start your journey!",
+    "submit": "Submit",
+    "submitAndRestart": "Submit and restart",
+    "skip": {
+      "title": "Start without additional plugins",
+      "subtitle": "Only core-plugins will be installed. You may manually install plugins through the Plugin-Center any time."
+    },
+    "pluginSet": {
+      "expand": "View included Plugins",
+      "collapse": "Included Plugins"
+    }
+
+  },
   "error": {
     "forbidden": "Incorrect token"
   }
diff --git a/scm-ui/ui-webapp/src/containers/App.tsx b/scm-ui/ui-webapp/src/containers/App.tsx
index def12cb8e1..13ea69d7a3 100644
--- a/scm-ui/ui-webapp/src/containers/App.tsx
+++ b/scm-ui/ui-webapp/src/containers/App.tsx
@@ -67,7 +67,7 @@ const App: FC = () => {
   return (
     <AppWrapper className="App">
       {isAuthenticated ? <Feedback index={index} /> : null}
-      <Header authenticated={authenticatedOrAnonymous} links={index._links}>
+      <Header authenticated={authenticatedOrAnonymous}>
         <NavigationBar links={index._links} />
       </Header>
       <div className="is-flex-grow-1">{content}</div>
diff --git a/scm-ui/ui-webapp/src/containers/Index.tsx b/scm-ui/ui-webapp/src/containers/Index.tsx
index e95533cda8..b11a54ed5d 100644
--- a/scm-ui/ui-webapp/src/containers/Index.tsx
+++ b/scm-ui/ui-webapp/src/containers/Index.tsx
@@ -32,6 +32,7 @@ import { Link } from "@scm-manager/ui-types";
 import i18next from "i18next";
 import { binder, extensionPoints } from "@scm-manager/ui-extensions";
 import InitializationAdminAccountStep from "./InitializationAdminAccountStep";
+import InitializationPluginWizardStep from "./InitializationPluginWizardStep";
 
 const Index: FC = () => {
   const { isLoading, error, data } = useIndex();
@@ -39,7 +40,7 @@ const Index: FC = () => {
 
   // TODO check componentDidUpdate method for anonymous user stuff
 
-  i18next.on("languageChanged", lng => {
+  i18next.on("languageChanged", (lng) => {
     document.documentElement.setAttribute("lang", lng);
   });
 
@@ -73,3 +74,8 @@ binder.bind<extensionPoints.InitializationStep<"adminAccount">>(
   "initialization.step.adminAccount",
   InitializationAdminAccountStep
 );
+
+binder.bind<extensionPoints.InitializationStep<"pluginWizard">>(
+  "initialization.step.pluginWizard",
+  InitializationPluginWizardStep
+);
diff --git a/scm-ui/ui-webapp/src/containers/InitializationPluginWizardStep.tsx b/scm-ui/ui-webapp/src/containers/InitializationPluginWizardStep.tsx
new file mode 100644
index 0000000000..5ab82f7048
--- /dev/null
+++ b/scm-ui/ui-webapp/src/containers/InitializationPluginWizardStep.tsx
@@ -0,0 +1,228 @@
+/*
+ * MIT License
+ *
+ * Copyright (c) 2020-present Cloudogu GmbH and Contributors
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+import React, { FC, useCallback, useEffect, useMemo, useState } from "react";
+import { useTranslation } from "react-i18next";
+import { HalRepresentationWithEmbedded, PluginSet } from "@scm-manager/ui-types";
+import { apiClient, requiredLink, waitForRestartAfter } from "@scm-manager/ui-api";
+import { useMutation } from "react-query";
+import { useForm } from "react-hook-form";
+import { Checkbox, ErrorNotification, Icon, SubmitButton } from "@scm-manager/ui-components";
+import styled from "styled-components";
+
+const HighlightedImg = styled.img`
+  &:hover {
+    filter: drop-shadow(0px 2px 2px #00c79b);
+  }
+`;
+
+const HiddenInput = styled.input`
+  display: none;
+`;
+
+const HeroSection = styled.section`
+  padding-top: 2em;
+`;
+
+const BorderedDiv = styled.div`
+  border-radius: 4px;
+  border-width: 1px;
+  border-style: solid;
+`;
+
+type PluginSetsInstallation = {
+  pluginSetIds: string[];
+};
+
+const install = (link: string) => (data: PluginSetsInstallation) =>
+  waitForRestartAfter(apiClient.post(link, data, "application/json"));
+
+const useInstallPluginSets = (link: string) => {
+  const { mutate, isLoading, error, isSuccess } = useMutation<unknown, Error, PluginSetsInstallation>(install(link));
+  return {
+    installPluginSets: mutate,
+    isLoading,
+    error,
+    isInstalled: isSuccess,
+  };
+};
+
+type PluginSetCardProps = {
+  pluginSet: PluginSet;
+};
+const PluginSetCard: FC<PluginSetCardProps> = ({ pluginSet, children }) => {
+  const [t] = useTranslation("initialization");
+  const [collapsed, setCollapsed] = useState(true);
+
+  return (
+    <div className="card block">
+      <div className="card-image pt-5">{children}</div>
+      <div className="card-content">
+        <h5 className="subtitle is-5">{pluginSet.name}</h5>
+        <div className="content">
+          <ul>
+            {pluginSet.features.map((feature) => (
+              <li>{feature}</li>
+            ))}
+          </ul>
+        </div>
+        <div className="block pl-4">
+          <div
+            className="is-flex is-justify-content-space-between has-cursor-pointer"
+            onClick={() => setCollapsed((value) => !value)}
+          >
+            <span>{t(`pluginWizardStep.pluginSet.${collapsed ? "expand" : "collapse"}`)}</span>
+            <Icon color="inherit" name={collapsed ? "angle-down" : "angle-up"} />
+          </div>
+          {!collapsed ? (
+            <ul className="pt-2">
+              {pluginSet.plugins.map((plugin, idx) => (
+                <li key={idx} className="py-2">
+                  <div className="is-size-6 has-text-weight-semibold">{plugin.displayName}</div>
+                  <div className="is-size-6">
+                    <a href={`https://scm-manager.org/plugins/${plugin.name}`} target="_blank">
+                      {plugin.description}
+                    </a>
+                  </div>
+                </li>
+              ))}
+            </ul>
+          ) : null}
+        </div>
+      </div>
+    </div>
+  );
+};
+
+type Props = {
+  data: HalRepresentationWithEmbedded<{ pluginSets: PluginSet[] }>;
+};
+
+type FormValue = { [id: string]: boolean };
+
+const InitializationPluginWizardStep: FC<Props> = ({ data: initializationContext }) => {
+  const {
+    installPluginSets,
+    isLoading: isInstalling,
+    isInstalled,
+    error: installationError,
+  } = useInstallPluginSets(requiredLink(initializationContext, "installPluginSets"));
+  const [skipInstallation, setSkipInstallation] = useState(false);
+
+  const { register, handleSubmit, watch } = useForm<FormValue>();
+  const data = initializationContext._embedded?.pluginSets;
+  const [t] = useTranslation("initialization");
+  const values = watch();
+  const pluginSetIds = useMemo(
+    () =>
+      Object.entries(values).reduce<string[]>((p, [id, flag]) => {
+        if (flag) {
+          p.push(id);
+        }
+        return p;
+      }, []),
+    [values]
+  );
+  const submit = useCallback(
+    () =>
+      installPluginSets({
+        pluginSetIds,
+      }),
+    [installPluginSets, pluginSetIds]
+  );
+  const isSelected = useCallback((pluginSetId: string) => pluginSetIds.includes(pluginSetId), [pluginSetIds]);
+  const hasPluginSets = useMemo(() => pluginSetIds.length > 0, [pluginSetIds]);
+
+  useEffect(() => {
+    if (hasPluginSets) {
+      setSkipInstallation(false);
+    }
+  }, [hasPluginSets]);
+
+  useEffect(() => {
+    if (isInstalled) {
+      window.location.reload();
+    }
+  }, [isInstalled]);
+
+  let content;
+
+  if (installationError) {
+    content = <ErrorNotification error={installationError} />;
+  } else {
+    content = (
+      <form onSubmit={handleSubmit(submit)} className="is-flex is-flex-direction-column">
+        <div className="block">
+          {data?.map((pluginSet, idx) => (
+            <PluginSetCard pluginSet={pluginSet} key={idx}>
+              <label htmlFor={`plugin-set-${idx}`} className="has-cursor-pointer">
+                <HighlightedImg
+                  alt={pluginSet.name}
+                  src={`data:image/svg+xml;base64,${pluginSet.images[isSelected(pluginSet.id) ? "check" : "standard"]}`}
+                />
+              </label>
+              <HiddenInput type="checkbox" id={`plugin-set-${idx}`} {...register(pluginSet.id)} />
+            </PluginSetCard>
+          ))}
+          <BorderedDiv className="card-block has-border-danger px-4 pt-3">
+            <Checkbox
+              disabled={hasPluginSets}
+              checked={skipInstallation}
+              onChange={setSkipInstallation}
+              title={t("pluginWizardStep.skip.title")}
+              label={t("pluginWizardStep.skip.subtitle")}
+            ></Checkbox>
+          </BorderedDiv>
+        </div>
+        <SubmitButton
+          scrollToTop={false}
+          disabled={isInstalling || !(hasPluginSets || skipInstallation)}
+          loading={isInstalling}
+          className="is-align-self-flex-end"
+        >
+          {t(`pluginWizardStep.${hasPluginSets ? "submitAndRestart" : "submit"}`)}
+        </SubmitButton>
+      </form>
+    );
+  }
+
+  return (
+    <HeroSection className="hero">
+      <div className="hero-body">
+        <div className="container">
+          <div className="columns is-centered">
+            <div className="column is-8 box has-background-secondary-less">
+              <h3 className="title">{t("title")}</h3>
+              <h4 className="subtitle">{t("pluginWizardStep.title")}</h4>
+              <p className="is-size-6 block">{t("pluginWizardStep.description")}</p>
+              {content}
+            </div>
+          </div>
+        </div>
+      </div>
+    </HeroSection>
+  );
+};
+
+export default InitializationPluginWizardStep;
diff --git a/scm-webapp/src/main/java/sonia/scm/api/v2/resources/AdminAccountStartupResource.java b/scm-webapp/src/main/java/sonia/scm/api/v2/resources/AdminAccountStartupResource.java
index 45ad79bf37..7ae9df2f33 100644
--- a/scm-webapp/src/main/java/sonia/scm/api/v2/resources/AdminAccountStartupResource.java
+++ b/scm-webapp/src/main/java/sonia/scm/api/v2/resources/AdminAccountStartupResource.java
@@ -27,14 +27,20 @@ package sonia.scm.api.v2.resources;
 import de.otto.edison.hal.Embedded;
 import de.otto.edison.hal.Links;
 import lombok.Data;
+import org.apache.shiro.SecurityUtils;
 import org.apache.shiro.authz.UnauthenticatedException;
+import sonia.scm.initialization.InitializationAuthenticationService;
 import sonia.scm.initialization.InitializationStepResource;
 import sonia.scm.lifecycle.AdminAccountStartupAction;
 import sonia.scm.plugin.Extension;
 import sonia.scm.security.AllowAnonymousAccess;
+import sonia.scm.security.Tokens;
 import sonia.scm.util.ValidationUtil;
 
 import javax.inject.Inject;
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
 import javax.validation.Valid;
 import javax.validation.constraints.Email;
 import javax.validation.constraints.NotEmpty;
@@ -42,9 +48,12 @@ import javax.validation.constraints.Pattern;
 import javax.ws.rs.Consumes;
 import javax.ws.rs.POST;
 import javax.ws.rs.Path;
+import javax.ws.rs.core.Context;
+import javax.ws.rs.core.Response;
 
 import static de.otto.edison.hal.Link.link;
 import static sonia.scm.ScmConstraintViolationException.Builder.doThrow;
+import static sonia.scm.initialization.InitializationWebTokenGenerator.INIT_TOKEN_HEADER;
 
 @AllowAnonymousAccess
 @Extension
@@ -52,20 +61,34 @@ public class AdminAccountStartupResource implements InitializationStepResource {
 
   private final AdminAccountStartupAction adminAccountStartupAction;
   private final ResourceLinks resourceLinks;
+  private final InitializationAuthenticationService authenticationService;
 
   @Inject
-  public AdminAccountStartupResource(AdminAccountStartupAction adminAccountStartupAction, ResourceLinks resourceLinks) {
+  public AdminAccountStartupResource(AdminAccountStartupAction adminAccountStartupAction, ResourceLinks resourceLinks, InitializationAuthenticationService authenticationService) {
     this.adminAccountStartupAction = adminAccountStartupAction;
     this.resourceLinks = resourceLinks;
+    this.authenticationService = authenticationService;
   }
 
   @POST
   @Path("")
   @Consumes("application/json")
-  public void postAdminInitializationData(@Valid AdminInitializationData data) {
+  public Response postAdminInitializationData(
+    @Context HttpServletRequest request,
+    @Context HttpServletResponse response,
+    @Valid AdminInitializationData data
+  ) {
     verifyInInitialization();
     verifyToken(data);
     createAdminUser(data);
+
+    // Invalidate old access token cookies to prevent conflicts during authentication
+    authenticationService.invalidateCookies(request, response);
+
+    SecurityUtils.getSubject().login(Tokens.createAuthenticationToken(request, data.userName, data.password));
+    // Create cookie which will be used for authentication during the initialization process
+    authenticationService.authenticate(request, response);
+    return Response.noContent().build();
   }
 
   private void verifyInInitialization() {
diff --git a/scm-webapp/src/main/java/sonia/scm/api/v2/resources/AvailablePluginResource.java b/scm-webapp/src/main/java/sonia/scm/api/v2/resources/AvailablePluginResource.java
index 66c7d0f90d..ee9ca92229 100644
--- a/scm-webapp/src/main/java/sonia/scm/api/v2/resources/AvailablePluginResource.java
+++ b/scm-webapp/src/main/java/sonia/scm/api/v2/resources/AvailablePluginResource.java
@@ -168,7 +168,7 @@ public class AvailablePluginResource {
   )
   @ApiResponse(responseCode = "200", description = "success")
   @ApiResponse(responseCode = "401", description = "not authenticated / invalid credentials")
-  @ApiResponse(responseCode = "403", description = "not authorized, the current user does not have the \"plugin:manage\" privilege")
+  @ApiResponse(responseCode = "403", description = "not authorized, the current user does not have the \"plugin:write\" privilege")
   @ApiResponse(
     responseCode = "500",
     description = "internal server error",
diff --git a/scm-webapp/src/main/java/sonia/scm/api/v2/resources/IndexDtoGenerator.java b/scm-webapp/src/main/java/sonia/scm/api/v2/resources/IndexDtoGenerator.java
index 05be8cd7b5..c3db533e49 100644
--- a/scm-webapp/src/main/java/sonia/scm/api/v2/resources/IndexDtoGenerator.java
+++ b/scm-webapp/src/main/java/sonia/scm/api/v2/resources/IndexDtoGenerator.java
@@ -47,6 +47,7 @@ import sonia.scm.web.EdisonHalAppender;
 
 import javax.inject.Inject;
 import java.util.List;
+import java.util.Locale;
 import java.util.stream.Collectors;
 
 import static de.otto.edison.hal.Embedded.embeddedBuilder;
@@ -75,6 +76,10 @@ public class IndexDtoGenerator extends HalAppenderMapper {
   }
 
   public IndexDto generate() {
+    return generate(Locale.getDefault());
+  }
+
+  public IndexDto generate(Locale locale) {
     Links.Builder builder = Links.linkingTo();
     Embedded.Builder embeddedBuilder = embeddedBuilder();
 
@@ -84,7 +89,7 @@ public class IndexDtoGenerator extends HalAppenderMapper {
     if (initializationFinisher.isFullyInitialized()) {
       return handleNormalIndex(builder, embeddedBuilder);
     } else {
-      return handleInitialization(builder, embeddedBuilder);
+      return handleInitialization(builder, embeddedBuilder, locale);
     }
   }
 
@@ -170,11 +175,11 @@ public class IndexDtoGenerator extends HalAppenderMapper {
       .collect(Collectors.toList());
   }
 
-  private IndexDto handleInitialization(Links.Builder builder, Embedded.Builder embeddedBuilder) {
+  private IndexDto handleInitialization(Links.Builder builder, Embedded.Builder embeddedBuilder, Locale locale) {
     Links.Builder initializationLinkBuilder = Links.linkingTo();
     Embedded.Builder initializationEmbeddedBuilder = embeddedBuilder();
     InitializationStep initializationStep = initializationFinisher.missingInitialization();
-    initializationFinisher.getResource(initializationStep.name()).setupIndex(initializationLinkBuilder, initializationEmbeddedBuilder);
+    initializationFinisher.getResource(initializationStep.name()).setupIndex(initializationLinkBuilder, initializationEmbeddedBuilder, locale);
     embeddedBuilder.with(initializationStep.name(), new InitializationDto(initializationLinkBuilder.build(), initializationEmbeddedBuilder.build()));
     return new IndexDto(builder.build(), embeddedBuilder.build(), scmContextProvider.getVersion(), scmContextProvider.getInstanceId(), initializationStep.name());
   }
diff --git a/scm-webapp/src/main/java/sonia/scm/api/v2/resources/IndexResource.java b/scm-webapp/src/main/java/sonia/scm/api/v2/resources/IndexResource.java
index 00e5cd468a..7af2daa8d7 100644
--- a/scm-webapp/src/main/java/sonia/scm/api/v2/resources/IndexResource.java
+++ b/scm-webapp/src/main/java/sonia/scm/api/v2/resources/IndexResource.java
@@ -35,9 +35,11 @@ import sonia.scm.security.AllowAnonymousAccess;
 import sonia.scm.web.VndMediaType;
 
 import javax.inject.Inject;
+import javax.servlet.http.HttpServletRequest;
 import javax.ws.rs.GET;
 import javax.ws.rs.Path;
 import javax.ws.rs.Produces;
+import javax.ws.rs.core.Context;
 
 @OpenAPIDefinition(
   security = {
@@ -80,7 +82,7 @@ public class IndexResource {
       schema = @Schema(implementation = ErrorDto.class)
     )
   )
-  public IndexDto getIndex() {
-    return indexDtoGenerator.generate();
+  public IndexDto getIndex(@Context HttpServletRequest request) {
+    return indexDtoGenerator.generate(request.getLocale());
   }
 }
diff --git a/scm-webapp/src/main/java/sonia/scm/api/v2/resources/InstalledPluginResource.java b/scm-webapp/src/main/java/sonia/scm/api/v2/resources/InstalledPluginResource.java
index d3ff6ff347..c1c598d962 100644
--- a/scm-webapp/src/main/java/sonia/scm/api/v2/resources/InstalledPluginResource.java
+++ b/scm-webapp/src/main/java/sonia/scm/api/v2/resources/InstalledPluginResource.java
@@ -112,7 +112,7 @@ public class InstalledPluginResource {
   )
   @ApiResponse(responseCode = "200", description = "success")
   @ApiResponse(responseCode = "401", description = "not authenticated / invalid credentials")
-  @ApiResponse(responseCode = "403", description = "not authorized, the current user does not have the \"plugin:manage\" privilege")
+  @ApiResponse(responseCode = "403", description = "not authorized, the current user does not have the \"plugin:write\" privilege")
   @ApiResponse(
     responseCode = "500",
     description = "internal server error",
@@ -191,7 +191,7 @@ public class InstalledPluginResource {
   )
   @ApiResponse(responseCode = "200", description = "success")
   @ApiResponse(responseCode = "401", description = "not authenticated / invalid credentials")
-  @ApiResponse(responseCode = "403", description = "not authorized, the current user does not have the \"plugin:manage\" privilege")
+  @ApiResponse(responseCode = "403", description = "not authorized, the current user does not have the \"plugin:write\" privilege")
   @ApiResponse(
     responseCode = "500",
     description = "internal server error",
diff --git a/scm-webapp/src/main/java/sonia/scm/api/v2/resources/PendingPluginResource.java b/scm-webapp/src/main/java/sonia/scm/api/v2/resources/PendingPluginResource.java
index 0d59e4ef28..e5b2551b0c 100644
--- a/scm-webapp/src/main/java/sonia/scm/api/v2/resources/PendingPluginResource.java
+++ b/scm-webapp/src/main/java/sonia/scm/api/v2/resources/PendingPluginResource.java
@@ -160,7 +160,7 @@ public class PendingPluginResource {
   )
   @ApiResponse(responseCode = "200", description = "success")
   @ApiResponse(responseCode = "401", description = "not authenticated / invalid credentials")
-  @ApiResponse(responseCode = "403", description = "not authorized, the current user does not have the \"plugin:manage\" privilege")
+  @ApiResponse(responseCode = "403", description = "not authorized, the current user does not have the \"plugin:write\" privilege")
   @ApiResponse(
     responseCode = "500",
     description = "internal server error",
@@ -183,7 +183,7 @@ public class PendingPluginResource {
   )
   @ApiResponse(responseCode = "200", description = "success")
   @ApiResponse(responseCode = "401", description = "not authenticated / invalid credentials")
-  @ApiResponse(responseCode = "403", description = "not authorized, the current user does not have the \"plugin:manage\" privilege")
+  @ApiResponse(responseCode = "403", description = "not authorized, the current user does not have the \"plugin:write\" privilege")
   @ApiResponse(
     responseCode = "500",
     description = "internal server error",
diff --git a/scm-webapp/src/main/java/sonia/scm/api/v2/resources/PluginSetCollectionDto.java b/scm-webapp/src/main/java/sonia/scm/api/v2/resources/PluginSetCollectionDto.java
new file mode 100644
index 0000000000..7ffc4b16dc
--- /dev/null
+++ b/scm-webapp/src/main/java/sonia/scm/api/v2/resources/PluginSetCollectionDto.java
@@ -0,0 +1,42 @@
+/*
+ * MIT License
+ *
+ * Copyright (c) 2020-present Cloudogu GmbH and Contributors
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package sonia.scm.api.v2.resources;
+
+import de.otto.edison.hal.HalRepresentation;
+import lombok.AllArgsConstructor;
+import lombok.Getter;
+import lombok.NoArgsConstructor;
+import lombok.Setter;
+
+import java.util.Set;
+
+@Getter
+@Setter
+@NoArgsConstructor
+@AllArgsConstructor
+@SuppressWarnings("squid:S2160") // we do not need equals for dto
+public class PluginSetCollectionDto extends HalRepresentation {
+  Set<PluginSetDto> pluginSets;
+}
diff --git a/scm-webapp/src/main/java/sonia/scm/api/v2/resources/PluginSetDto.java b/scm-webapp/src/main/java/sonia/scm/api/v2/resources/PluginSetDto.java
new file mode 100644
index 0000000000..f590cbc723
--- /dev/null
+++ b/scm-webapp/src/main/java/sonia/scm/api/v2/resources/PluginSetDto.java
@@ -0,0 +1,49 @@
+/*
+ * MIT License
+ *
+ * Copyright (c) 2020-present Cloudogu GmbH and Contributors
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package sonia.scm.api.v2.resources;
+
+import de.otto.edison.hal.HalRepresentation;
+import lombok.AllArgsConstructor;
+import lombok.Getter;
+import lombok.NoArgsConstructor;
+import lombok.Setter;
+
+import java.util.List;
+import java.util.Map;
+
+@Getter
+@Setter
+@NoArgsConstructor
+@AllArgsConstructor
+@SuppressWarnings("squid:S2160") // we do not need equals for dto
+public class PluginSetDto extends HalRepresentation {
+  private String id;
+  private int sequence;
+  private List<PluginDto> plugins;
+
+  private String name;
+  private List<String> features;
+  private Map<String, String> images;
+}
diff --git a/scm-webapp/src/main/java/sonia/scm/api/v2/resources/PluginSetDtoMapper.java b/scm-webapp/src/main/java/sonia/scm/api/v2/resources/PluginSetDtoMapper.java
new file mode 100644
index 0000000000..38327bb012
--- /dev/null
+++ b/scm-webapp/src/main/java/sonia/scm/api/v2/resources/PluginSetDtoMapper.java
@@ -0,0 +1,65 @@
+/*
+ * MIT License
+ *
+ * Copyright (c) 2020-present Cloudogu GmbH and Contributors
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package sonia.scm.api.v2.resources;
+
+import sonia.scm.plugin.AvailablePlugin;
+import sonia.scm.plugin.PluginSet;
+
+import javax.inject.Inject;
+import java.util.Collection;
+import java.util.Comparator;
+import java.util.List;
+import java.util.Locale;
+import java.util.Optional;
+import java.util.stream.Collectors;
+
+public class PluginSetDtoMapper {
+  private final PluginDtoMapper pluginDtoMapper;
+
+  @Inject
+  protected PluginSetDtoMapper(PluginDtoMapper pluginDtoMapper) {
+    this.pluginDtoMapper = pluginDtoMapper;
+  }
+
+  public List<PluginSetDto> map(Collection<PluginSet> pluginSets, List<AvailablePlugin> availablePlugins, Locale locale) {
+    return pluginSets.stream()
+      .map(it -> map(it, availablePlugins, locale))
+      .sorted(Comparator.comparingInt(PluginSetDto::getSequence))
+      .collect(Collectors.toList());
+  }
+
+  private PluginSetDto map(PluginSet pluginSet, List<AvailablePlugin> availablePlugins, Locale locale) {
+    List<PluginDto> pluginDtos = pluginSet.getPlugins().stream()
+      .map(it -> availablePlugins.stream().filter(avail -> avail.getDescriptor().getInformation().getName().equals(it)).findFirst())
+      .filter(Optional::isPresent)
+      .map(Optional::get)
+      .map(pluginDtoMapper::mapAvailable)
+      .collect(Collectors.toList());
+
+    PluginSet.Description description = pluginSet.getDescriptions().get(locale.getLanguage());
+
+    return new PluginSetDto(pluginSet.getId(), pluginSet.getSequence(), pluginDtos, description.getName(), description.getFeatures(), pluginSet.getImages());
+  }
+}
diff --git a/scm-webapp/src/main/java/sonia/scm/api/v2/resources/PluginSetsInstallDto.java b/scm-webapp/src/main/java/sonia/scm/api/v2/resources/PluginSetsInstallDto.java
new file mode 100644
index 0000000000..833b9881ab
--- /dev/null
+++ b/scm-webapp/src/main/java/sonia/scm/api/v2/resources/PluginSetsInstallDto.java
@@ -0,0 +1,42 @@
+/*
+ * MIT License
+ *
+ * Copyright (c) 2020-present Cloudogu GmbH and Contributors
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package sonia.scm.api.v2.resources;
+
+import lombok.AllArgsConstructor;
+import lombok.Getter;
+import lombok.NoArgsConstructor;
+import lombok.Setter;
+
+import javax.validation.constraints.NotNull;
+import java.util.Set;
+
+@Getter
+@Setter
+@NoArgsConstructor
+@AllArgsConstructor
+public class PluginSetsInstallDto {
+  @NotNull
+  private Set<String> pluginSetIds;
+}
diff --git a/scm-webapp/src/main/java/sonia/scm/api/v2/resources/PluginWizardStartupResource.java b/scm-webapp/src/main/java/sonia/scm/api/v2/resources/PluginWizardStartupResource.java
new file mode 100644
index 0000000000..25eee7de36
--- /dev/null
+++ b/scm-webapp/src/main/java/sonia/scm/api/v2/resources/PluginWizardStartupResource.java
@@ -0,0 +1,149 @@
+/*
+ * MIT License
+ *
+ * Copyright (c) 2020-present Cloudogu GmbH and Contributors
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package sonia.scm.api.v2.resources;
+
+import de.otto.edison.hal.Embedded;
+import de.otto.edison.hal.Links;
+import io.swagger.v3.oas.annotations.Operation;
+import io.swagger.v3.oas.annotations.media.Content;
+import io.swagger.v3.oas.annotations.media.Schema;
+import io.swagger.v3.oas.annotations.parameters.RequestBody;
+import io.swagger.v3.oas.annotations.responses.ApiResponse;
+import sonia.scm.initialization.InitializationStepResource;
+import sonia.scm.lifecycle.PluginWizardStartupAction;
+import sonia.scm.lifecycle.PrivilegedStartupAction;
+import sonia.scm.plugin.AvailablePlugin;
+import sonia.scm.plugin.Extension;
+import sonia.scm.plugin.PluginManager;
+import sonia.scm.plugin.PluginSet;
+import sonia.scm.security.AccessTokenCookieIssuer;
+import sonia.scm.web.VndMediaType;
+import sonia.scm.web.security.AdministrationContext;
+
+import javax.inject.Inject;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.validation.Valid;
+import javax.ws.rs.Consumes;
+import javax.ws.rs.POST;
+import javax.ws.rs.Path;
+import javax.ws.rs.core.Context;
+import javax.ws.rs.core.MediaType;
+import javax.ws.rs.core.Response;
+import java.util.List;
+import java.util.Locale;
+import java.util.Set;
+
+import static de.otto.edison.hal.Link.link;
+import static sonia.scm.ScmConstraintViolationException.Builder.doThrow;
+
+@Extension
+public class PluginWizardStartupResource implements InitializationStepResource {
+
+  private final PluginWizardStartupAction pluginWizardStartupAction;
+  private final ResourceLinks resourceLinks;
+  private final PluginManager pluginManager;
+
+  private final AccessTokenCookieIssuer cookieIssuer;
+
+  private final PluginSetDtoMapper pluginSetDtoMapper;
+
+  private final AdministrationContext context;
+
+
+  @Inject
+  public PluginWizardStartupResource(PluginWizardStartupAction pluginWizardStartupAction, ResourceLinks resourceLinks, PluginManager pluginManager, AccessTokenCookieIssuer cookieIssuer, PluginSetDtoMapper pluginSetDtoMapper, AdministrationContext context) {
+    this.pluginWizardStartupAction = pluginWizardStartupAction;
+    this.resourceLinks = resourceLinks;
+    this.pluginManager = pluginManager;
+    this.cookieIssuer = cookieIssuer;
+    this.pluginSetDtoMapper = pluginSetDtoMapper;
+    this.context = context;
+  }
+
+  @Override
+  public void setupIndex(Links.Builder builder, Embedded.Builder embeddedBuilder) {
+    setupIndex(builder, embeddedBuilder, Locale.getDefault());
+  }
+
+  @Override
+  public void setupIndex(Links.Builder builder, Embedded.Builder embeddedBuilder, Locale locale) {
+    context.runAsAdmin((PrivilegedStartupAction)() -> {
+      Set<PluginSet> pluginSets = pluginManager.getPluginSets();
+      List<AvailablePlugin> availablePlugins = pluginManager.getAvailable();
+      List<PluginSetDto> pluginSetDtos = pluginSetDtoMapper.map(pluginSets, availablePlugins, locale);
+      embeddedBuilder.with("pluginSets", pluginSetDtos);
+      String link = resourceLinks.pluginWizard().indexLink(name());
+      builder.single(link("installPluginSets", link));
+    });
+  }
+
+  @Override
+  public String name() {
+    return pluginWizardStartupAction.name();
+  }
+
+  @POST
+  @Path("")
+  @Consumes("application/json")
+  @Operation(
+    summary = "Install plugin sets and restart",
+    description = "Installs all plugins contained in the provided plugin sets and restarts the server",
+    tags = "Plugin Management",
+    requestBody = @RequestBody(
+      content = @Content(
+        mediaType = MediaType.APPLICATION_JSON,
+        schema = @Schema(implementation = PluginSetsInstallDto.class)
+      )
+    )
+  )
+  @ApiResponse(responseCode = "200", description = "success")
+  @ApiResponse(responseCode = "401", description = "not authenticated / invalid credentials")
+  @ApiResponse(responseCode = "403", description = "not authorized, the current user does not have the \"plugin:write\" privilege")
+  @ApiResponse(
+    responseCode = "500",
+    description = "internal server error",
+    content = @Content(
+      mediaType = VndMediaType.ERROR_TYPE,
+      schema = @Schema(implementation = ErrorDto.class)
+    )
+  )
+  public Response installPluginSets(@Context HttpServletRequest request,
+                                    @Context HttpServletResponse response,
+                                    @Valid PluginSetsInstallDto dto) {
+    verifyInInitialization();
+    cookieIssuer.invalidate(request, response);
+
+    pluginManager.installPluginSets(dto.getPluginSetIds(), true);
+
+    return Response.ok().build();
+  }
+
+  private void verifyInInitialization() {
+    doThrow()
+      .violation("initialization not necessary")
+      .when(pluginWizardStartupAction.done());
+  }
+}
diff --git a/scm-webapp/src/main/java/sonia/scm/api/v2/resources/ResourceLinks.java b/scm-webapp/src/main/java/sonia/scm/api/v2/resources/ResourceLinks.java
index 8fbcfe5132..f4de560a12 100644
--- a/scm-webapp/src/main/java/sonia/scm/api/v2/resources/ResourceLinks.java
+++ b/scm-webapp/src/main/java/sonia/scm/api/v2/resources/ResourceLinks.java
@@ -1207,6 +1207,25 @@ class ResourceLinks {
     }
   }
 
+  public PluginWizardLinks pluginWizard() {
+    return new PluginWizardLinks(new LinkBuilder(accessScmPathInfoStore().get(), InitializationResource.class, PluginWizardStartupResource.class));
+  }
+
+  public static class PluginWizardLinks {
+    private final LinkBuilder initializationLinkBuilder;
+
+    private PluginWizardLinks(LinkBuilder initializationLinkBuilder) {
+      this.initializationLinkBuilder = initializationLinkBuilder;
+    }
+
+    public String indexLink(String stepName) {
+      return initializationLinkBuilder
+        .method("step").parameters(stepName)
+        .method("installPluginSets").parameters()
+        .href();
+    }
+  }
+
   public PluginCenterAuthLinks pluginCenterAuth() {
     return new PluginCenterAuthLinks(scmPathInfoStore.get().get());
   }
diff --git a/scm-webapp/src/main/java/sonia/scm/initialization/InitializationAuthenticationService.java b/scm-webapp/src/main/java/sonia/scm/initialization/InitializationAuthenticationService.java
new file mode 100644
index 0000000000..ae656655eb
--- /dev/null
+++ b/scm-webapp/src/main/java/sonia/scm/initialization/InitializationAuthenticationService.java
@@ -0,0 +1,89 @@
+/*
+ * MIT License
+ *
+ * Copyright (c) 2020-present Cloudogu GmbH and Contributors
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package sonia.scm.initialization;
+
+import org.apache.shiro.authc.AuthenticationException;
+import sonia.scm.security.AccessToken;
+import sonia.scm.security.AccessTokenBuilderFactory;
+import sonia.scm.security.AccessTokenCookieIssuer;
+import sonia.scm.security.PermissionAssigner;
+import sonia.scm.security.PermissionDescriptor;
+import sonia.scm.web.security.AdministrationContext;
+
+import javax.inject.Inject;
+import javax.inject.Singleton;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.util.Set;
+import java.util.concurrent.TimeUnit;
+
+@Singleton
+public class InitializationAuthenticationService {
+
+  private static final String INITIALIZATION_SUBJECT = "SCM-INIT";
+
+  private final AccessTokenBuilderFactory tokenBuilderFactory;
+  private final PermissionAssigner permissionAssigner;
+  private final AccessTokenCookieIssuer cookieIssuer;
+  private final InitializationCookieIssuer initializationCookieIssuer;
+
+  private final AdministrationContext administrationContext;
+
+  @Inject
+  public InitializationAuthenticationService(AccessTokenBuilderFactory tokenBuilderFactory, PermissionAssigner permissionAssigner, AccessTokenCookieIssuer cookieIssuer, InitializationCookieIssuer initializationCookieIssuer, AdministrationContext administrationContext) {
+    this.tokenBuilderFactory = tokenBuilderFactory;
+    this.permissionAssigner = permissionAssigner;
+    this.cookieIssuer = cookieIssuer;
+    this.initializationCookieIssuer = initializationCookieIssuer;
+    this.administrationContext = administrationContext;
+  }
+
+  public void validateToken(AccessToken token) {
+    if (token == null || !INITIALIZATION_SUBJECT.equals(token.getSubject())) {
+      throw new AuthenticationException("Could not authenticate to initialization realm because of missing or invalid token.");
+    }
+  }
+
+  public void setPermissions() {
+    administrationContext.runAsAdmin(() -> permissionAssigner.setPermissionsForUser(
+      InitializationRealm.INIT_PRINCIPAL,
+      Set.of(new PermissionDescriptor("plugin:read,write"))
+    ));
+  }
+
+  public void authenticate(HttpServletRequest request, HttpServletResponse response) {
+    AccessToken initToken =
+      tokenBuilderFactory.create()
+        .subject(INITIALIZATION_SUBJECT)
+        .expiresIn(365, TimeUnit.DAYS)
+        .refreshableFor(0, TimeUnit.SECONDS)
+        .build();
+    initializationCookieIssuer.authenticateForInitialization(request, response, initToken);
+  }
+
+  public void invalidateCookies(HttpServletRequest request, HttpServletResponse response) {
+    cookieIssuer.invalidate(request, response);
+  }
+}
diff --git a/scm-webapp/src/main/java/sonia/scm/initialization/InitializationCookieIssuer.java b/scm-webapp/src/main/java/sonia/scm/initialization/InitializationCookieIssuer.java
new file mode 100644
index 0000000000..a9e7061be4
--- /dev/null
+++ b/scm-webapp/src/main/java/sonia/scm/initialization/InitializationCookieIssuer.java
@@ -0,0 +1,48 @@
+/*
+ * MIT License
+ *
+ * Copyright (c) 2020-present Cloudogu GmbH and Contributors
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package sonia.scm.initialization;
+
+import sonia.scm.security.AccessToken;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+/**
+ * Generates cookies and invalidates initialization token cookies.
+ *
+ * @author Sebastian Sdorra
+ * @since 2.35.0
+ */
+public interface InitializationCookieIssuer {
+
+  /**
+   * Creates a cookie for token authentication and attaches it to the response.
+   *
+   * @param request http servlet request
+   * @param response http servlet response
+   * @param accessToken initialization access token
+   */
+  void authenticateForInitialization(HttpServletRequest request, HttpServletResponse response, AccessToken accessToken);
+}
diff --git a/scm-webapp/src/main/java/sonia/scm/initialization/InitializationRealm.java b/scm-webapp/src/main/java/sonia/scm/initialization/InitializationRealm.java
new file mode 100644
index 0000000000..fe71442c77
--- /dev/null
+++ b/scm-webapp/src/main/java/sonia/scm/initialization/InitializationRealm.java
@@ -0,0 +1,78 @@
+/*
+ * MIT License
+ *
+ * Copyright (c) 2020-present Cloudogu GmbH and Contributors
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package sonia.scm.initialization;
+
+import org.apache.shiro.authc.AuthenticationException;
+import org.apache.shiro.authc.AuthenticationInfo;
+import org.apache.shiro.authc.AuthenticationToken;
+import org.apache.shiro.authc.SimpleAuthenticationInfo;
+import org.apache.shiro.authc.credential.AllowAllCredentialsMatcher;
+import org.apache.shiro.realm.AuthenticatingRealm;
+import org.apache.shiro.subject.SimplePrincipalCollection;
+import sonia.scm.plugin.Extension;
+import sonia.scm.security.AccessToken;
+import sonia.scm.security.AccessTokenResolver;
+import sonia.scm.security.BearerToken;
+import sonia.scm.user.User;
+
+import javax.inject.Inject;
+import javax.inject.Singleton;
+
+import static com.google.common.base.Preconditions.checkArgument;
+
+@Extension
+@Singleton
+public class InitializationRealm extends AuthenticatingRealm {
+
+  private static final String REALM = "InitializationRealm";
+  public static final String INIT_PRINCIPAL = "__SCM_INIT__";
+
+  private final InitializationAuthenticationService authenticationService;
+  private final AccessTokenResolver accessTokenResolver;
+
+  @Inject
+  public InitializationRealm(InitializationAuthenticationService authenticationService, AccessTokenResolver accessTokenResolver) {
+    this.authenticationService = authenticationService;
+    this.accessTokenResolver = accessTokenResolver;
+    setAuthenticationTokenClass(InitializationToken.class);
+    setCredentialsMatcher(new AllowAllCredentialsMatcher());
+  }
+
+  @Override
+  protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
+    checkArgument(token instanceof InitializationToken, "%s is required", InitializationToken.class);
+    AccessToken accessToken = accessTokenResolver.resolve(BearerToken.valueOf(token.getCredentials().toString()));
+    authenticationService.validateToken(accessToken);
+    SimplePrincipalCollection principalCollection = new SimplePrincipalCollection(INIT_PRINCIPAL, REALM);
+    principalCollection.add(new User(INIT_PRINCIPAL), REALM);
+    authenticationService.setPermissions();
+    return new SimpleAuthenticationInfo(principalCollection, token.getCredentials());
+  }
+
+  @Override
+  public boolean supports(AuthenticationToken token) {
+    return token instanceof InitializationToken;
+  }
+}
diff --git a/scm-webapp/src/main/java/sonia/scm/initialization/InitializationToken.java b/scm-webapp/src/main/java/sonia/scm/initialization/InitializationToken.java
new file mode 100644
index 0000000000..49d9d6c13a
--- /dev/null
+++ b/scm-webapp/src/main/java/sonia/scm/initialization/InitializationToken.java
@@ -0,0 +1,49 @@
+/*
+ * MIT License
+ *
+ * Copyright (c) 2020-present Cloudogu GmbH and Contributors
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package sonia.scm.initialization;
+
+import org.apache.shiro.authc.AuthenticationToken;
+
+
+public class InitializationToken implements AuthenticationToken {
+
+  private final String token;
+  private final String principal;
+
+  public InitializationToken(String token, String principal) {
+    this.token = token;
+    this.principal = principal;
+  }
+
+  @Override
+  public Object getPrincipal() {
+    return principal;
+  }
+
+  @Override
+  public Object getCredentials() {
+    return token;
+  }
+}
diff --git a/scm-webapp/src/main/java/sonia/scm/initialization/InitializationWebTokenGenerator.java b/scm-webapp/src/main/java/sonia/scm/initialization/InitializationWebTokenGenerator.java
new file mode 100644
index 0000000000..0f6db0ccfd
--- /dev/null
+++ b/scm-webapp/src/main/java/sonia/scm/initialization/InitializationWebTokenGenerator.java
@@ -0,0 +1,52 @@
+/*
+ * MIT License
+ *
+ * Copyright (c) 2020-present Cloudogu GmbH and Contributors
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package sonia.scm.initialization;
+
+import org.apache.shiro.authc.AuthenticationToken;
+import sonia.scm.plugin.Extension;
+import sonia.scm.web.WebTokenGenerator;
+
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletRequest;
+
+@Extension
+public class InitializationWebTokenGenerator implements WebTokenGenerator {
+
+  public static final String INIT_TOKEN_HEADER = "X-SCM-Init-Token";
+
+  @Override
+  public AuthenticationToken createToken(HttpServletRequest request) {
+    Cookie[] cookies = request.getCookies();
+    AuthenticationToken token = null;
+    if (cookies != null) {
+      for (Cookie cookie : cookies) {
+        if (cookie.getName().equals(INIT_TOKEN_HEADER)) {
+          token = new InitializationToken(cookie.getValue(), "SCM_INIT");
+        }
+      }
+    }
+    return token;
+  }
+}
diff --git a/scm-webapp/src/main/java/sonia/scm/lifecycle/AdminAccountStartupAction.java b/scm-webapp/src/main/java/sonia/scm/lifecycle/AdminAccountStartupAction.java
index 8446c352b1..2fc93a04e9 100644
--- a/scm-webapp/src/main/java/sonia/scm/lifecycle/AdminAccountStartupAction.java
+++ b/scm-webapp/src/main/java/sonia/scm/lifecycle/AdminAccountStartupAction.java
@@ -48,7 +48,7 @@ public class AdminAccountStartupAction implements InitializationStep {
 
   private static final Logger LOG = LoggerFactory.getLogger(AdminAccountStartupAction.class);
 
-  private static final String INITIAL_PASSWORD_PROPERTY = "scm.initialPassword";
+  public static final String INITIAL_PASSWORD_PROPERTY = "scm.initialPassword";
   private static final String INITIAL_USER_PROPERTY = "scm.initialUser";
 
   private final PasswordService passwordService;
diff --git a/scm-webapp/src/main/java/sonia/scm/lifecycle/PluginWizardStartupAction.java b/scm-webapp/src/main/java/sonia/scm/lifecycle/PluginWizardStartupAction.java
new file mode 100644
index 0000000000..6ef9a6334d
--- /dev/null
+++ b/scm-webapp/src/main/java/sonia/scm/lifecycle/PluginWizardStartupAction.java
@@ -0,0 +1,60 @@
+/*
+ * MIT License
+ *
+ * Copyright (c) 2020-present Cloudogu GmbH and Contributors
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package sonia.scm.lifecycle;
+
+import sonia.scm.initialization.InitializationStep;
+import sonia.scm.plugin.Extension;
+import sonia.scm.plugin.PluginSetConfigStore;
+
+import javax.inject.Inject;
+import javax.inject.Singleton;
+
+@Extension
+@Singleton
+public class PluginWizardStartupAction implements InitializationStep {
+
+  private final PluginSetConfigStore store;
+
+  @Inject
+  public PluginWizardStartupAction(PluginSetConfigStore pluginSetConfigStore) {
+    this.store = pluginSetConfigStore;
+  }
+
+  @Override
+  public String name() {
+    return "pluginWizard";
+  }
+
+  @Override
+  public int sequence() {
+    return 1;
+  }
+
+  @Override
+  public boolean done() {
+    return System.getProperty(AdminAccountStartupAction.INITIAL_PASSWORD_PROPERTY) != null || store.getPluginSets().isPresent();
+  }
+
+}
diff --git a/scm-webapp/src/main/java/sonia/scm/lifecycle/PrivilegedStartupAction.java b/scm-webapp/src/main/java/sonia/scm/lifecycle/PrivilegedStartupAction.java
index f2344393d0..23ac8d7796 100644
--- a/scm-webapp/src/main/java/sonia/scm/lifecycle/PrivilegedStartupAction.java
+++ b/scm-webapp/src/main/java/sonia/scm/lifecycle/PrivilegedStartupAction.java
@@ -28,4 +28,4 @@ import sonia.scm.plugin.ExtensionPoint;
 import sonia.scm.web.security.PrivilegedAction;
 
 @ExtensionPoint
-interface PrivilegedStartupAction extends PrivilegedAction {}
+public interface PrivilegedStartupAction extends PrivilegedAction {}
diff --git a/scm-webapp/src/main/java/sonia/scm/lifecycle/modules/ScmServletModule.java b/scm-webapp/src/main/java/sonia/scm/lifecycle/modules/ScmServletModule.java
index fa52c95594..59a8d07f47 100644
--- a/scm-webapp/src/main/java/sonia/scm/lifecycle/modules/ScmServletModule.java
+++ b/scm-webapp/src/main/java/sonia/scm/lifecycle/modules/ScmServletModule.java
@@ -58,6 +58,7 @@ import sonia.scm.group.GroupManager;
 import sonia.scm.group.GroupManagerProvider;
 import sonia.scm.group.xml.XmlGroupDAO;
 import sonia.scm.initialization.DefaultInitializationFinisher;
+import sonia.scm.initialization.InitializationCookieIssuer;
 import sonia.scm.initialization.InitializationFinisher;
 import sonia.scm.io.ContentTypeResolver;
 import sonia.scm.io.DefaultContentTypeResolver;
@@ -271,6 +272,7 @@ class ScmServletModule extends ServletModule {
     // bind events
 
     bind(AccessTokenCookieIssuer.class).to(DefaultAccessTokenCookieIssuer.class);
+    bind(InitializationCookieIssuer.class).to(DefaultAccessTokenCookieIssuer.class);
     bind(PushStateDispatcher.class).toProvider(PushStateDispatcherProvider.class);
 
     // bind api link provider
diff --git a/scm-webapp/src/main/java/sonia/scm/plugin/DefaultPluginManager.java b/scm-webapp/src/main/java/sonia/scm/plugin/DefaultPluginManager.java
index 49cc367365..1af6b177cc 100644
--- a/scm-webapp/src/main/java/sonia/scm/plugin/DefaultPluginManager.java
+++ b/scm-webapp/src/main/java/sonia/scm/plugin/DefaultPluginManager.java
@@ -39,6 +39,7 @@ import java.nio.file.Files;
 import java.nio.file.Path;
 import java.util.ArrayList;
 import java.util.Collection;
+import java.util.HashSet;
 import java.util.List;
 import java.util.Optional;
 import java.util.Set;
@@ -65,6 +66,8 @@ public class DefaultPluginManager implements PluginManager {
   private final Restarter restarter;
   private final ScmEventBus eventBus;
 
+  private final PluginSetConfigStore pluginSetConfigStore;
+
   private final Collection<PendingPluginInstallation> pendingInstallQueue = new ArrayList<>();
   private final Collection<PendingPluginUninstallation> pendingUninstallQueue = new ArrayList<>();
   private final PluginDependencyTracker dependencyTracker = new PluginDependencyTracker();
@@ -72,16 +75,17 @@ public class DefaultPluginManager implements PluginManager {
   private final Function<List<AvailablePlugin>, PluginInstallationContext> contextFactory;
 
   @Inject
-  public DefaultPluginManager(PluginLoader loader, PluginCenter center, PluginInstaller installer, Restarter restarter, ScmEventBus eventBus) {
-    this(loader, center, installer, restarter, eventBus, null);
+  public DefaultPluginManager(PluginLoader loader, PluginCenter center, PluginInstaller installer, Restarter restarter, ScmEventBus eventBus, PluginSetConfigStore pluginSetConfigStore) {
+    this(loader, center, installer, restarter, eventBus, null, pluginSetConfigStore);
   }
 
-  DefaultPluginManager(PluginLoader loader, PluginCenter center, PluginInstaller installer, Restarter restarter, ScmEventBus eventBus, Function<List<AvailablePlugin>, PluginInstallationContext> contextFactory) {
+  DefaultPluginManager(PluginLoader loader, PluginCenter center, PluginInstaller installer, Restarter restarter, ScmEventBus eventBus, Function<List<AvailablePlugin>, PluginInstallationContext> contextFactory, PluginSetConfigStore pluginSetConfigStore) {
     this.loader = loader;
     this.center = center;
     this.installer = installer;
     this.restarter = restarter;
     this.eventBus = eventBus;
+    this.pluginSetConfigStore = pluginSetConfigStore;
 
     if (contextFactory != null) {
       this.contextFactory = contextFactory;
@@ -109,7 +113,7 @@ public class DefaultPluginManager implements PluginManager {
   @Override
   public Optional<AvailablePlugin> getAvailable(String name) {
     PluginPermissions.read().check();
-    return center.getAvailable()
+    return center.getAvailablePlugins()
       .stream()
       .filter(filterByName(name))
       .filter(this::isNotInstalledOrMoreUpToDate)
@@ -143,13 +147,49 @@ public class DefaultPluginManager implements PluginManager {
   @Override
   public List<AvailablePlugin> getAvailable() {
     PluginPermissions.read().check();
-    return center.getAvailable()
+    return center.getAvailablePlugins()
       .stream()
       .filter(this::isNotInstalledOrMoreUpToDate)
       .map(p -> getPending(p.getDescriptor().getInformation().getName()).orElse(p))
       .collect(Collectors.toList());
   }
 
+  @Override
+  public Set<PluginSet> getPluginSets() {
+    PluginPermissions.read().check();
+    return center.getAvailablePluginSets();
+  }
+
+  @Override
+  public void installPluginSets(Set<String> pluginSetIds, boolean restartAfterInstallation) {
+    PluginPermissions.write().check();
+
+    Set<PluginSet> pluginSets = getPluginSets();
+    Set<PluginSet> pluginSetsToInstall = pluginSetIds.stream()
+      .map(id -> pluginSets.stream().filter(pluginSet -> pluginSet.getId().equals(id)).findFirst())
+      .filter(Optional::isPresent)
+      .map(Optional::get)
+      .collect(Collectors.toSet());
+
+    Set<AvailablePlugin> pluginsToInstall = pluginSetsToInstall
+      .stream()
+      .flatMap(pluginSet -> pluginSet
+        .getPlugins()
+        .stream()
+        .map(this::collectPluginsToInstall)
+        .flatMap(Collection::stream)
+      )
+      .collect(Collectors.toSet());
+
+    Set<String> newlyInstalledPluginSetIds = pluginSetsToInstall.stream().map(PluginSet::getId).collect(Collectors.toSet());
+
+    Set<String> installedPluginSetIds = pluginSetConfigStore.getPluginSets().map(PluginSetsConfig::getPluginSets).orElse(new HashSet<>());
+    installedPluginSetIds.addAll(newlyInstalledPluginSetIds);
+    pluginSetConfigStore.setPluginSets(new PluginSetsConfig(installedPluginSetIds));
+
+    installPlugins(new ArrayList<>(pluginsToInstall), restartAfterInstallation);
+  }
+
   @Override
   public List<InstalledPlugin> getUpdatable() {
     return getInstalled()
@@ -184,6 +224,10 @@ public class DefaultPluginManager implements PluginManager {
       );
 
     List<AvailablePlugin> plugins = collectPluginsToInstall(name);
+    installPlugins(plugins, restartAfterInstallation);
+  }
+
+  private void installPlugins(List<AvailablePlugin> plugins, boolean restartAfterInstallation) {
     List<PendingPluginInstallation> pendingInstallations = new ArrayList<>();
 
     for (AvailablePlugin plugin : plugins) {
diff --git a/scm-webapp/src/main/java/sonia/scm/plugin/PluginCenter.java b/scm-webapp/src/main/java/sonia/scm/plugin/PluginCenter.java
index dd1fcd86ee..fa5eb3d7d1 100644
--- a/scm-webapp/src/main/java/sonia/scm/plugin/PluginCenter.java
+++ b/scm-webapp/src/main/java/sonia/scm/plugin/PluginCenter.java
@@ -42,52 +42,61 @@ import java.util.Set;
 @Singleton
 public class PluginCenter {
 
-  private static final String CACHE_NAME = "sonia.cache.plugins";
+  private static final String PLUGIN_CENTER_RESULT_CACHE_NAME = "sonia.cache.plugin-center";
 
   private static final Logger LOG = LoggerFactory.getLogger(PluginCenter.class);
 
   private final SCMContextProvider context;
   private final ScmConfiguration configuration;
   private final PluginCenterLoader loader;
-  private final Cache<String, Set<AvailablePlugin>> cache;
+  private final Cache<String, PluginCenterResult> pluginCenterResultCache;
 
   @Inject
   public PluginCenter(SCMContextProvider context, CacheManager cacheManager, ScmConfiguration configuration, PluginCenterLoader loader) {
     this.context = context;
     this.configuration = configuration;
     this.loader = loader;
-    this.cache = cacheManager.getCache(CACHE_NAME);
+    this.pluginCenterResultCache = cacheManager.getCache(PLUGIN_CENTER_RESULT_CACHE_NAME);
   }
 
   @Subscribe
   public void handle(PluginCenterAuthenticationEvent event) {
     LOG.debug("clear plugin center cache, because of {}", event);
-    cache.clear();
+    pluginCenterResultCache.clear();
   }
 
-  synchronized Set<AvailablePlugin> getAvailable() {
+  synchronized Set<AvailablePlugin> getAvailablePlugins() {
     String url = buildPluginUrl(configuration.getPluginUrl());
-    Set<AvailablePlugin> plugins = cache.get(url);
-    if (plugins == null) {
-      LOG.debug("no cached available plugins found, start fetching");
-      plugins = fetchAvailablePlugins(url);
+    return getPluginCenterResult(url).getPlugins();
+  }
+
+  synchronized Set<PluginSet> getAvailablePluginSets() {
+    String url = buildPluginUrl(configuration.getPluginUrl());
+    return getPluginCenterResult(url).getPluginSets();
+  }
+
+  private PluginCenterResult getPluginCenterResult(String url) {
+    PluginCenterResult pluginCenterResult = pluginCenterResultCache.get(url);
+    if (pluginCenterResult == null) {
+      LOG.debug("no cached plugin center result found, start fetching");
+      pluginCenterResult = fetchPluginCenter(url);
     } else {
-      LOG.debug("return available plugins from cache");
+      LOG.debug("return plugin center result from cache");
     }
-    return plugins;
+    return pluginCenterResult;
   }
 
   @CanIgnoreReturnValue
-  private Set<AvailablePlugin> fetchAvailablePlugins(String url) {
-    Set<AvailablePlugin> plugins = loader.load(url);
-    cache.put(url, plugins);
-    return plugins;
+  private PluginCenterResult fetchPluginCenter(String url) {
+    PluginCenterResult pluginCenterResult = loader.load(url);
+    pluginCenterResultCache.put(url, pluginCenterResult);
+    return pluginCenterResult;
   }
 
   synchronized void refresh() {
     LOG.debug("refresh plugin center cache");
     String url = buildPluginUrl(configuration.getPluginUrl());
-    fetchAvailablePlugins(url);
+    fetchPluginCenter(url);
   }
 
   private String buildPluginUrl(String url) {
diff --git a/scm-webapp/src/main/java/sonia/scm/plugin/PluginCenterDto.java b/scm-webapp/src/main/java/sonia/scm/plugin/PluginCenterDto.java
index a14e629628..5bad3327e5 100644
--- a/scm-webapp/src/main/java/sonia/scm/plugin/PluginCenterDto.java
+++ b/scm-webapp/src/main/java/sonia/scm/plugin/PluginCenterDto.java
@@ -21,10 +21,9 @@
  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
  * SOFTWARE.
  */
-    
+
 package sonia.scm.plugin;
 
-import com.google.common.collect.ImmutableList;
 import lombok.AllArgsConstructor;
 import lombok.Getter;
 import lombok.NoArgsConstructor;
@@ -56,12 +55,22 @@ public final class PluginCenterDto implements Serializable {
     @XmlElement(name = "plugins")
     private List<Plugin> plugins;
 
+    @XmlElement(name = "plugin-sets")
+    private List<PluginSet> pluginSets;
+
     public List<Plugin> getPlugins() {
       if (plugins == null) {
-        plugins = ImmutableList.of();
+        plugins = List.of();
       }
       return plugins;
     }
+
+    public List<PluginSet> getPluginSets() {
+      if (pluginSets == null) {
+        pluginSets = List.of();
+      }
+      return pluginSets;
+    }
   }
 
   @XmlAccessorType(XmlAccessType.FIELD)
@@ -93,6 +102,36 @@ public final class PluginCenterDto implements Serializable {
     private final Map<String, Link> links;
   }
 
+  @XmlAccessorType(XmlAccessType.FIELD)
+  @XmlRootElement(name = "pluginSets")
+  @Getter
+  @AllArgsConstructor
+  public static class PluginSet {
+    private final String id;
+    private final String versions;
+    private final int sequence;
+
+    @XmlElement(name = "plugins")
+    private final Set<String> plugins;
+
+    @XmlElement(name = "descriptions")
+    private final Map<String, Description> descriptions;
+
+    @XmlElement(name = "images")
+    private final Map<String, String> images;
+  }
+
+  @XmlAccessorType(XmlAccessType.FIELD)
+  @Getter
+  @NoArgsConstructor
+  @AllArgsConstructor
+  public static class Description {
+    private String name;
+
+    @XmlElement(name = "features")
+    private List<String> features;
+  }
+
   @XmlAccessorType(XmlAccessType.FIELD)
   @XmlRootElement(name = "conditions")
   @Getter
diff --git a/scm-webapp/src/main/java/sonia/scm/plugin/PluginCenterDtoMapper.java b/scm-webapp/src/main/java/sonia/scm/plugin/PluginCenterDtoMapper.java
index 32092ba4b9..c3337576aa 100644
--- a/scm-webapp/src/main/java/sonia/scm/plugin/PluginCenterDtoMapper.java
+++ b/scm-webapp/src/main/java/sonia/scm/plugin/PluginCenterDtoMapper.java
@@ -29,18 +29,31 @@ import org.mapstruct.factory.Mappers;
 
 import java.util.HashSet;
 import java.util.Set;
+import java.util.stream.Collectors;
 
 @Mapper
 public abstract class PluginCenterDtoMapper {
 
+  PluginCenterDtoMapper() {}
+
   static final PluginCenterDtoMapper INSTANCE = Mappers.getMapper(PluginCenterDtoMapper.class);
 
   abstract PluginInformation map(PluginCenterDto.Plugin plugin);
 
   abstract PluginCondition map(PluginCenterDto.Condition condition);
 
-  Set<AvailablePlugin> map(PluginCenterDto pluginCenterDto) {
+  abstract PluginSet map(PluginCenterDto.PluginSet set);
+  abstract PluginSet.Description map(PluginCenterDto.Description description);
+
+  PluginCenterResult map(PluginCenterDto pluginCenterDto) {
     Set<AvailablePlugin> plugins = new HashSet<>();
+    Set<PluginSet> pluginSets = pluginCenterDto
+      .getEmbedded()
+      .getPluginSets()
+      .stream()
+      .map(this::map)
+      .collect(Collectors.toSet());
+
     for (PluginCenterDto.Plugin plugin : pluginCenterDto.getEmbedded().getPlugins()) {
       // plugin center api returns always a download link,
       // but for cloudogu plugin without authentication the href is an empty string
@@ -51,7 +64,7 @@ public abstract class PluginCenterDtoMapper {
       );
       plugins.add(new AvailablePlugin(descriptor));
     }
-    return plugins;
+    return new PluginCenterResult(plugins, pluginSets);
   }
 
   private String getInstallLink(PluginCenterDto.Plugin plugin) {
diff --git a/scm-webapp/src/main/java/sonia/scm/plugin/PluginCenterLoader.java b/scm-webapp/src/main/java/sonia/scm/plugin/PluginCenterLoader.java
index 3b92a962bc..e519657568 100644
--- a/scm-webapp/src/main/java/sonia/scm/plugin/PluginCenterLoader.java
+++ b/scm-webapp/src/main/java/sonia/scm/plugin/PluginCenterLoader.java
@@ -33,7 +33,6 @@ import sonia.scm.net.ahc.AdvancedHttpRequest;
 
 import javax.inject.Inject;
 import java.util.Collections;
-import java.util.Set;
 
 import static sonia.scm.plugin.Tracing.SPAN_KIND;
 
@@ -64,7 +63,7 @@ class PluginCenterLoader {
     this.eventBus = eventBus;
   }
 
-  Set<AvailablePlugin> load(String url) {
+  PluginCenterResult load(String url) {
     try {
       LOG.info("fetch plugins from {}", url);
       AdvancedHttpRequest request = client.get(url).spanKind(SPAN_KIND);
@@ -76,7 +75,7 @@ class PluginCenterLoader {
     } catch (Exception ex) {
       LOG.error("failed to load plugins from plugin center, returning empty list", ex);
       eventBus.post(new PluginCenterErrorEvent());
-      return Collections.emptySet();
+      return new PluginCenterResult(Collections.emptySet(), Collections.emptySet());
     }
   }
 }
diff --git a/scm-webapp/src/main/java/sonia/scm/plugin/PluginCenterResult.java b/scm-webapp/src/main/java/sonia/scm/plugin/PluginCenterResult.java
new file mode 100644
index 0000000000..e23e44e814
--- /dev/null
+++ b/scm-webapp/src/main/java/sonia/scm/plugin/PluginCenterResult.java
@@ -0,0 +1,37 @@
+/*
+ * MIT License
+ *
+ * Copyright (c) 2020-present Cloudogu GmbH and Contributors
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package sonia.scm.plugin;
+
+import lombok.AllArgsConstructor;
+import lombok.Getter;
+
+import java.util.Set;
+
+@AllArgsConstructor
+@Getter
+class PluginCenterResult {
+  private Set<AvailablePlugin> plugins;
+  private Set<PluginSet> pluginSets;
+}
diff --git a/scm-webapp/src/main/java/sonia/scm/plugin/PluginSetConfigStore.java b/scm-webapp/src/main/java/sonia/scm/plugin/PluginSetConfigStore.java
new file mode 100644
index 0000000000..106894d92c
--- /dev/null
+++ b/scm-webapp/src/main/java/sonia/scm/plugin/PluginSetConfigStore.java
@@ -0,0 +1,51 @@
+/*
+ * MIT License
+ *
+ * Copyright (c) 2020-present Cloudogu GmbH and Contributors
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package sonia.scm.plugin;
+
+import sonia.scm.store.ConfigurationStore;
+import sonia.scm.store.ConfigurationStoreFactory;
+
+import javax.inject.Inject;
+import javax.inject.Singleton;
+import java.util.Optional;
+
+@Singleton
+public class PluginSetConfigStore {
+
+  private final ConfigurationStore<PluginSetsConfig> pluginSets;
+
+  @Inject
+  PluginSetConfigStore(ConfigurationStoreFactory configurationStoreFactory) {
+    pluginSets = configurationStoreFactory.withType(PluginSetsConfig.class).withName("pluginSets").build();
+  }
+
+  public Optional<PluginSetsConfig> getPluginSets() {
+    return pluginSets.getOptional();
+  }
+
+  public void setPluginSets(PluginSetsConfig config) {
+    this.pluginSets.set(config);
+  }
+}
diff --git a/scm-webapp/src/main/java/sonia/scm/plugin/PluginSetsConfig.java b/scm-webapp/src/main/java/sonia/scm/plugin/PluginSetsConfig.java
new file mode 100644
index 0000000000..11c3ec5735
--- /dev/null
+++ b/scm-webapp/src/main/java/sonia/scm/plugin/PluginSetsConfig.java
@@ -0,0 +1,45 @@
+/*
+ * MIT License
+ *
+ * Copyright (c) 2020-present Cloudogu GmbH and Contributors
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package sonia.scm.plugin;
+
+import lombok.AllArgsConstructor;
+import lombok.Data;
+import lombok.NoArgsConstructor;
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlElement;
+import javax.xml.bind.annotation.XmlRootElement;
+import java.util.Set;
+
+@Data
+@XmlRootElement
+@AllArgsConstructor
+@NoArgsConstructor
+@XmlAccessorType(XmlAccessType.FIELD)
+public class PluginSetsConfig {
+  @XmlElement(name = "pluginSets")
+  Set<String> pluginSets;
+}
diff --git a/scm-webapp/src/main/java/sonia/scm/security/DefaultAccessTokenCookieIssuer.java b/scm-webapp/src/main/java/sonia/scm/security/DefaultAccessTokenCookieIssuer.java
index 7fa6e4c427..cf033a460f 100644
--- a/scm-webapp/src/main/java/sonia/scm/security/DefaultAccessTokenCookieIssuer.java
+++ b/scm-webapp/src/main/java/sonia/scm/security/DefaultAccessTokenCookieIssuer.java
@@ -29,6 +29,7 @@ import com.google.common.base.Strings;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import sonia.scm.config.ScmConfiguration;
+import sonia.scm.initialization.InitializationCookieIssuer;
 import sonia.scm.util.HttpUtil;
 import sonia.scm.util.Util;
 
@@ -36,16 +37,18 @@ import javax.inject.Inject;
 import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
-import java.util.Date;
+import java.util.Arrays;
 import java.util.concurrent.TimeUnit;
 
+import static sonia.scm.initialization.InitializationWebTokenGenerator.INIT_TOKEN_HEADER;
+
 /**
  * Generates cookies and invalidates access token cookies.
  *
  * @author Sebastian Sdorra
  * @since 2.0.0
  */
-public final class DefaultAccessTokenCookieIssuer implements AccessTokenCookieIssuer {
+public final class DefaultAccessTokenCookieIssuer implements AccessTokenCookieIssuer, InitializationCookieIssuer {
 
   /**
    * the logger for DefaultAccessTokenCookieIssuer
@@ -87,6 +90,25 @@ public final class DefaultAccessTokenCookieIssuer implements AccessTokenCookieIs
     response.addCookie(c);
   }
 
+  /**
+   * Creates a cookie for authentication during the initialization process and attaches it to the response.
+   *
+   * @param request http servlet request
+   * @param response http servlet response
+   * @param accessToken initialization access token
+   */
+  public void authenticateForInitialization(HttpServletRequest request, HttpServletResponse response, AccessToken accessToken) {
+    LOG.trace("create and attach cookie for initialization access token {}", accessToken.getId());
+    Cookie c = new Cookie(INIT_TOKEN_HEADER, accessToken.compact());
+    c.setPath(contextPath(request));
+    c.setMaxAge(999999999);
+    c.setHttpOnly(isHttpOnly());
+    c.setSecure(isSecure(request));
+
+    // attach cookie to response
+    response.addCookie(c);
+  }
+
   /**
    * Invalidates the authentication cookie.
    *
@@ -95,8 +117,20 @@ public final class DefaultAccessTokenCookieIssuer implements AccessTokenCookieIs
    */
   public void invalidate(HttpServletRequest request, HttpServletResponse response) {
     LOG.trace("invalidates access token cookie");
+    invalidateCookie(request, response, HttpUtil.COOKIE_BEARER_AUTHENTICATION);
 
-    Cookie c = new Cookie(HttpUtil.COOKIE_BEARER_AUTHENTICATION, Util.EMPTY_STRING);
+    if (request.getCookies() != null && Arrays.stream(request.getCookies()).anyMatch(cookie -> cookie.getName().equals(INIT_TOKEN_HEADER))) {
+      LOG.trace("invalidates initialization token cookie");
+      invalidateInitTokenCookie(request, response);
+    }
+  }
+
+  private void invalidateInitTokenCookie(HttpServletRequest request, HttpServletResponse response) {
+    invalidateCookie(request, response, INIT_TOKEN_HEADER);
+  }
+
+  private void invalidateCookie(HttpServletRequest request, HttpServletResponse response, String cookieBearerAuthentication) {
+    Cookie c = new Cookie(cookieBearerAuthentication, Util.EMPTY_STRING);
     c.setPath(contextPath(request));
     c.setMaxAge(0);
     c.setHttpOnly(isHttpOnly());
diff --git a/scm-webapp/src/main/java/sonia/scm/update/plugin/PluginSetsConfigInitializationUpdateStep.java b/scm-webapp/src/main/java/sonia/scm/update/plugin/PluginSetsConfigInitializationUpdateStep.java
new file mode 100644
index 0000000000..fcaf7b2ea1
--- /dev/null
+++ b/scm-webapp/src/main/java/sonia/scm/update/plugin/PluginSetsConfigInitializationUpdateStep.java
@@ -0,0 +1,64 @@
+/*
+ * MIT License
+ *
+ * Copyright (c) 2020-present Cloudogu GmbH and Contributors
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package sonia.scm.update.plugin;
+
+import sonia.scm.migration.UpdateStep;
+import sonia.scm.plugin.Extension;
+import sonia.scm.plugin.PluginSetConfigStore;
+import sonia.scm.plugin.PluginSetsConfig;
+import sonia.scm.user.xml.XmlUserDAO;
+import sonia.scm.version.Version;
+
+import javax.inject.Inject;
+import java.util.Collections;
+
+@Extension
+public class PluginSetsConfigInitializationUpdateStep implements UpdateStep {
+  private final PluginSetConfigStore pluginSetConfigStore;
+  private final XmlUserDAO userDAO;
+
+  @Inject
+  public PluginSetsConfigInitializationUpdateStep(PluginSetConfigStore pluginSetConfigStore, XmlUserDAO userDAO) {
+    this.pluginSetConfigStore = pluginSetConfigStore;
+    this.userDAO = userDAO;
+  }
+
+  @Override
+  public void doUpdate() throws Exception {
+    if (!userDAO.getAll().isEmpty() && pluginSetConfigStore.getPluginSets().isEmpty()) {
+        pluginSetConfigStore.setPluginSets(new PluginSetsConfig(Collections.emptySet()));
+    }
+  }
+
+  @Override
+  public Version getTargetVersion() {
+    return Version.parse("2.0.0");
+  }
+
+  @Override
+  public String getAffectedDataType() {
+    return "sonia.scm.plugin.PluginSetsConfig";
+  }
+}
diff --git a/scm-webapp/src/test/java/sonia/scm/api/v2/resources/AdminAccountStartupResourceTest.java b/scm-webapp/src/test/java/sonia/scm/api/v2/resources/AdminAccountStartupResourceTest.java
index 583f20f0ee..24d306c08a 100644
--- a/scm-webapp/src/test/java/sonia/scm/api/v2/resources/AdminAccountStartupResourceTest.java
+++ b/scm-webapp/src/test/java/sonia/scm/api/v2/resources/AdminAccountStartupResourceTest.java
@@ -24,6 +24,9 @@
 
 package sonia.scm.api.v2.resources;
 
+import com.github.sdorra.shiro.SubjectAware;
+import org.apache.shiro.subject.Subject;
+import org.apache.shiro.util.ThreadContext;
 import org.jboss.resteasy.mock.MockHttpRequest;
 import org.jboss.resteasy.mock.MockHttpResponse;
 import org.junit.jupiter.api.BeforeEach;
@@ -33,10 +36,19 @@ import org.junit.jupiter.api.extension.ExtendWith;
 import org.mockito.InjectMocks;
 import org.mockito.Mock;
 import org.mockito.junit.jupiter.MockitoExtension;
+import sonia.scm.config.ScmConfiguration;
+import sonia.scm.initialization.InitializationAuthenticationService;
 import sonia.scm.lifecycle.AdminAccountStartupAction;
+import sonia.scm.security.AccessToken;
+import sonia.scm.security.AccessTokenBuilder;
+import sonia.scm.security.AccessTokenBuilderFactory;
+import sonia.scm.security.AccessTokenCookieIssuer;
+import sonia.scm.security.DefaultAccessTokenCookieIssuer;
 import sonia.scm.web.RestDispatcher;
 
 import javax.inject.Provider;
+import javax.servlet.http.HttpServletRequest;
+import java.net.URI;
 import java.net.URISyntaxException;
 
 import static java.lang.String.format;
@@ -46,9 +58,13 @@ import static org.assertj.core.api.Assertions.assertThat;
 import static org.jboss.resteasy.mock.MockHttpRequest.post;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.Mockito.lenient;
+import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.when;
 
+@SubjectAware(
+  configuration = "classpath:sonia/scm/repository/shiro.ini"
+)
 @ExtendWith(MockitoExtension.class)
 class AdminAccountStartupResourceTest {
 
@@ -60,9 +76,16 @@ class AdminAccountStartupResourceTest {
   @Mock
   private Provider<ScmPathInfoStore> pathInfoStoreProvider;
   @Mock
+  private InitializationAuthenticationService authenticationService;
+  @Mock
   private ScmPathInfoStore pathInfoStore;
   @Mock
   private ScmPathInfo pathInfo;
+  @Mock
+  private AccessTokenBuilderFactory accessTokenBuilderFactory;
+  @Mock
+  private AccessTokenBuilder accessTokenBuilder;
+  private final AccessTokenCookieIssuer cookieIssuer = new DefaultAccessTokenCookieIssuer(mock(ScmConfiguration.class));
 
   @InjectMocks
   private AdminAccountStartupResource resource;
@@ -73,6 +96,9 @@ class AdminAccountStartupResourceTest {
     lenient().when(pathInfoStore.get()).thenReturn(pathInfo);
     dispatcher.addSingletonResource(new InitializationResource(singleton(resource)));
     lenient().when(startupAction.name()).thenReturn("adminAccount");
+    lenient().when(accessTokenBuilderFactory.create()).thenReturn(accessTokenBuilder);
+    AccessToken accessToken = mock(AccessToken.class);
+    lenient().when(accessTokenBuilder.build()).thenReturn(accessToken);
   }
 
   @Test
@@ -121,10 +147,17 @@ class AdminAccountStartupResourceTest {
 
     @Test
     void shouldCreateAdminUser() throws URISyntaxException {
+      Subject subject = mock(Subject.class);
+      ThreadContext.bind(subject);
+
       MockHttpRequest request =
         post("/v2/initialization/adminAccount")
           .contentType("application/json")
           .content(createInput("initial-token", "trillian", "Tricia", "tricia@hitchhiker.com", "password", "password"));
+
+      HttpServletRequest servletRequest = mock(HttpServletRequest.class);
+      dispatcher.putDefaultContextObject(HttpServletRequest.class, servletRequest);
+
       dispatcher.invoke(request, response);
 
       assertThat(response.getStatus()).isEqualTo(204);
diff --git a/scm-webapp/src/test/java/sonia/scm/api/v2/resources/AvailablePluginResourceTest.java b/scm-webapp/src/test/java/sonia/scm/api/v2/resources/AvailablePluginResourceTest.java
index dd5626910d..8718dd10c4 100644
--- a/scm-webapp/src/test/java/sonia/scm/api/v2/resources/AvailablePluginResourceTest.java
+++ b/scm-webapp/src/test/java/sonia/scm/api/v2/resources/AvailablePluginResourceTest.java
@@ -21,7 +21,7 @@
  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
  * SOFTWARE.
  */
-    
+
 package sonia.scm.api.v2.resources;
 
 import de.otto.edison.hal.HalRepresentation;
diff --git a/scm-webapp/src/test/java/sonia/scm/api/v2/resources/IndexDtoGeneratorTest.java b/scm-webapp/src/test/java/sonia/scm/api/v2/resources/IndexDtoGeneratorTest.java
index 926d429d2d..51bb031d57 100644
--- a/scm-webapp/src/test/java/sonia/scm/api/v2/resources/IndexDtoGeneratorTest.java
+++ b/scm-webapp/src/test/java/sonia/scm/api/v2/resources/IndexDtoGeneratorTest.java
@@ -183,7 +183,7 @@ class IndexDtoGeneratorTest {
         Embedded.Builder initializationEmbeddedBuilder = invocationOnMock.getArgument(1, Embedded.Builder.class);
         initializationLinkBuilder.single(link("init", "/init"));
         return null;
-      }).when(initializationStepResource).setupIndex(any(), any());
+      }).when(initializationStepResource).setupIndex(any(), any(), any());
 
       IndexDto dto = generator.generate();
 
diff --git a/scm-webapp/src/test/java/sonia/scm/api/v2/resources/IndexResourceTest.java b/scm-webapp/src/test/java/sonia/scm/api/v2/resources/IndexResourceTest.java
index 0ef6046564..28cdd986af 100644
--- a/scm-webapp/src/test/java/sonia/scm/api/v2/resources/IndexResourceTest.java
+++ b/scm-webapp/src/test/java/sonia/scm/api/v2/resources/IndexResourceTest.java
@@ -30,19 +30,24 @@ import org.assertj.core.api.Assertions;
 import org.junit.Before;
 import org.junit.Rule;
 import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import org.mockito.junit.MockitoJUnitRunner;
 import sonia.scm.SCMContextProvider;
 import sonia.scm.config.ScmConfiguration;
 import sonia.scm.initialization.InitializationFinisher;
-import sonia.scm.plugin.PluginCenterAuthenticator;
 import sonia.scm.search.SearchEngine;
 
+import javax.servlet.http.HttpServletRequest;
 import java.net.URI;
+import java.util.Locale;
 import java.util.Optional;
 
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
 
 @SubjectAware(configuration = "classpath:sonia/scm/shiro-002.ini")
+@RunWith(MockitoJUnitRunner.class)
 public class IndexResourceTest {
 
   @Rule
@@ -52,8 +57,12 @@ public class IndexResourceTest {
   private SCMContextProvider scmContextProvider;
   private IndexResource indexResource;
 
+  @Mock
+  private HttpServletRequest httpServletRequest;
+
   @Before
   public void setUpObjectUnderTest() {
+    when(httpServletRequest.getLocale()).thenReturn(Locale.ENGLISH);
     this.configuration = new ScmConfiguration();
     this.scmContextProvider = mock(SCMContextProvider.class);
     InitializationFinisher initializationFinisher = mock(InitializationFinisher.class);
@@ -72,7 +81,7 @@ public class IndexResourceTest {
   @Test
   @SubjectAware(username = "dent", password = "secret")
   public void shouldRenderPluginCenterAuthLink() {
-    IndexDto index = indexResource.getIndex();
+    IndexDto index = indexResource.getIndex(httpServletRequest);
 
     Assertions.assertThat(index.getLinks().getLinkBy("pluginCenterAuth")).isPresent();
   }
@@ -80,21 +89,21 @@ public class IndexResourceTest {
   @Test
   @SubjectAware(username = "trillian", password = "secret")
   public void shouldNotRenderPluginCenterLoginLinkIfPermissionsAreMissing() {
-    IndexDto index = indexResource.getIndex();
+    IndexDto index = indexResource.getIndex(httpServletRequest);
 
     Assertions.assertThat(index.getLinks().getLinkBy("pluginCenterAuth")).isNotPresent();
   }
 
   @Test
   public void shouldRenderLoginUrlsForUnauthenticatedRequest() {
-    IndexDto index = indexResource.getIndex();
+    IndexDto index = indexResource.getIndex(httpServletRequest);
 
     Assertions.assertThat(index.getLinks().getLinkBy("login")).matches(Optional::isPresent);
   }
 
   @Test
   public void shouldRenderLoginInfoUrl() {
-    IndexDto index = indexResource.getIndex();
+    IndexDto index = indexResource.getIndex(httpServletRequest);
 
     Assertions.assertThat(index.getLinks().getLinkBy("loginInfo")).isPresent();
   }
@@ -103,21 +112,21 @@ public class IndexResourceTest {
   public void shouldNotRenderLoginInfoUrlWhenNoUrlIsConfigured() {
     configuration.setLoginInfoUrl("");
 
-    IndexDto index = indexResource.getIndex();
+    IndexDto index = indexResource.getIndex(httpServletRequest);
 
     Assertions.assertThat(index.getLinks().getLinkBy("loginInfo")).isNotPresent();
   }
 
   @Test
   public void shouldRenderSelfLinkForUnauthenticatedRequest() {
-    IndexDto index = indexResource.getIndex();
+    IndexDto index = indexResource.getIndex(httpServletRequest);
 
     Assertions.assertThat(index.getLinks().getLinkBy("self")).matches(Optional::isPresent);
   }
 
   @Test
   public void shouldRenderUiPluginsLinkForUnauthenticatedRequest() {
-    IndexDto index = indexResource.getIndex();
+    IndexDto index = indexResource.getIndex(httpServletRequest);
 
     Assertions.assertThat(index.getLinks().getLinkBy("uiPlugins")).matches(Optional::isPresent);
   }
@@ -125,7 +134,7 @@ public class IndexResourceTest {
   @Test
   @SubjectAware(username = "trillian", password = "secret")
   public void shouldRenderSelfLinkForAuthenticatedRequest() {
-    IndexDto index = indexResource.getIndex();
+    IndexDto index = indexResource.getIndex(httpServletRequest);
 
     Assertions.assertThat(index.getLinks().getLinkBy("self")).matches(Optional::isPresent);
   }
@@ -133,7 +142,7 @@ public class IndexResourceTest {
   @Test
   @SubjectAware(username = "trillian", password = "secret")
   public void shouldRenderUiPluginsLinkForAuthenticatedRequest() {
-    IndexDto index = indexResource.getIndex();
+    IndexDto index = indexResource.getIndex(httpServletRequest);
 
     Assertions.assertThat(index.getLinks().getLinkBy("uiPlugins")).matches(Optional::isPresent);
   }
@@ -141,7 +150,7 @@ public class IndexResourceTest {
   @Test
   @SubjectAware(username = "trillian", password = "secret")
   public void shouldRenderMeUrlForAuthenticatedRequest() {
-    IndexDto index = indexResource.getIndex();
+    IndexDto index = indexResource.getIndex(httpServletRequest);
 
     Assertions.assertThat(index.getLinks().getLinkBy("me")).matches(Optional::isPresent);
   }
@@ -149,7 +158,7 @@ public class IndexResourceTest {
   @Test
   @SubjectAware(username = "trillian", password = "secret")
   public void shouldRenderLogoutUrlForAuthenticatedRequest() {
-    IndexDto index = indexResource.getIndex();
+    IndexDto index = indexResource.getIndex(httpServletRequest);
 
     Assertions.assertThat(index.getLinks().getLinkBy("logout")).matches(Optional::isPresent);
   }
@@ -157,7 +166,7 @@ public class IndexResourceTest {
   @Test
   @SubjectAware(username = "trillian", password = "secret")
   public void shouldRenderRepositoriesForAuthenticatedRequest() {
-    IndexDto index = indexResource.getIndex();
+    IndexDto index = indexResource.getIndex(httpServletRequest);
 
     Assertions.assertThat(index.getLinks().getLinkBy("repositories")).matches(Optional::isPresent);
   }
@@ -165,7 +174,7 @@ public class IndexResourceTest {
   @Test
   @SubjectAware(username = "trillian", password = "secret")
   public void shouldNotRenderAdminLinksIfNotAuthorized() {
-    IndexDto index = indexResource.getIndex();
+    IndexDto index = indexResource.getIndex(httpServletRequest);
 
     Assertions.assertThat(index.getLinks().getLinkBy("users")).matches(o -> !o.isPresent());
     Assertions.assertThat(index.getLinks().getLinkBy("groups")).matches(o -> !o.isPresent());
@@ -175,7 +184,7 @@ public class IndexResourceTest {
   @Test
   @SubjectAware(username = "trillian", password = "secret")
   public void shouldRenderAutoCompleteLinks() {
-    IndexDto index = indexResource.getIndex();
+    IndexDto index = indexResource.getIndex(httpServletRequest);
 
     Assertions.assertThat(index.getLinks().getLinksBy("autocomplete"))
       .extracting("name")
@@ -185,7 +194,7 @@ public class IndexResourceTest {
   @Test
   @SubjectAware(username = "user_without_autocomplete_permission", password = "secret")
   public void userWithoutAutocompletePermissionShouldSeeAutoCompleteLinksOnlyForNamespaces() {
-    IndexDto index = indexResource.getIndex();
+    IndexDto index = indexResource.getIndex(httpServletRequest);
 
     Assertions.assertThat(index.getLinks().getLinksBy("autocomplete"))
       .extracting("name")
@@ -195,7 +204,7 @@ public class IndexResourceTest {
   @Test
   @SubjectAware(username = "dent", password = "secret")
   public void shouldRenderAdminLinksIfAuthorized() {
-    IndexDto index = indexResource.getIndex();
+    IndexDto index = indexResource.getIndex(httpServletRequest);
 
     Assertions.assertThat(index.getLinks().getLinkBy("users")).matches(Optional::isPresent);
     Assertions.assertThat(index.getLinks().getLinkBy("groups")).matches(Optional::isPresent);
@@ -206,7 +215,7 @@ public class IndexResourceTest {
   public void shouldGenerateVersion() {
     when(scmContextProvider.getVersion()).thenReturn("v1");
 
-    IndexDto index = indexResource.getIndex();
+    IndexDto index = indexResource.getIndex(httpServletRequest);
 
     Assertions.assertThat(index.getVersion()).isEqualTo("v1");
   }
diff --git a/scm-webapp/src/test/java/sonia/scm/api/v2/resources/PluginSetDtoMapperTest.java b/scm-webapp/src/test/java/sonia/scm/api/v2/resources/PluginSetDtoMapperTest.java
new file mode 100644
index 0000000000..365c257982
--- /dev/null
+++ b/scm-webapp/src/test/java/sonia/scm/api/v2/resources/PluginSetDtoMapperTest.java
@@ -0,0 +1,99 @@
+/*
+ * MIT License
+ *
+ * Copyright (c) 2020-present Cloudogu GmbH and Contributors
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package sonia.scm.api.v2.resources;
+
+import com.google.common.collect.ImmutableMap;
+import com.google.common.collect.ImmutableSet;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.InjectMocks;
+import org.mockito.Mock;
+import org.mockito.junit.jupiter.MockitoExtension;
+import sonia.scm.plugin.AvailablePlugin;
+import sonia.scm.plugin.PluginSet;
+
+import java.util.List;
+import java.util.Locale;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.Mockito.when;
+import static sonia.scm.plugin.PluginTestHelper.createAvailable;
+
+@ExtendWith(MockitoExtension.class)
+class PluginSetDtoMapperTest {
+
+  @Mock
+  private PluginDtoMapper pluginDtoMapper;
+
+  @InjectMocks
+  private PluginSetDtoMapper mapper;
+
+  @Test
+  void shouldMap() {
+    AvailablePlugin git = createAvailable("scm-git-plugin");
+    AvailablePlugin svn = createAvailable("scm-svn-plugin");
+    AvailablePlugin hg = createAvailable("scm-hg-plugin");
+    PluginDto gitDto = new PluginDto();
+    gitDto.setName("scm-git-plugin");
+    PluginDto svnDto = new PluginDto();
+    svnDto.setName("scm-svn-plugin");
+    PluginDto hgDto = new PluginDto();
+    hgDto.setName("scm-hg-plugin");
+
+    when(pluginDtoMapper.mapAvailable(git)).thenReturn(gitDto);
+    when(pluginDtoMapper.mapAvailable(svn)).thenReturn(svnDto);
+    when(pluginDtoMapper.mapAvailable(hg)).thenReturn(hgDto);
+
+    List<AvailablePlugin> availablePlugins = List.of(git, svn, hg);
+
+    PluginSet pluginSet = new PluginSet(
+      "my-plugin-set",
+      1,
+      ImmutableSet.of("scm-git-plugin", "scm-hg-plugin"),
+      ImmutableMap.of("en", new PluginSet.Description("My Plugin Set", List.of("this is awesome!"))),
+      ImmutableMap.of("standard", "base64image")
+    );
+
+    PluginSet pluginSet2 = new PluginSet(
+      "my-other-plugin-set",
+      0,
+      ImmutableSet.of("scm-svn-plugin", "scm-hg-plugin"),
+      ImmutableMap.of("en", new PluginSet.Description("My Plugin Set 2", List.of("this is also awesome!"))),
+      ImmutableMap.of("standard", "base64image")
+    );
+    ImmutableSet<PluginSet> pluginSets = ImmutableSet.of(pluginSet, pluginSet2);
+
+    List<PluginSetDto> dtos = mapper.map(pluginSets, availablePlugins, Locale.ENGLISH);
+    assertThat(dtos).hasSize(2);
+    PluginSetDto first = dtos.get(0);
+    assertThat(first.getSequence()).isZero();
+    assertThat(first.getName()).isEqualTo("My Plugin Set 2");
+    assertThat(first.getFeatures()).contains("this is also awesome!");
+    assertThat(first.getImages()).isNotEmpty();
+    assertThat(first.getPlugins()).hasSize(2);
+
+    assertThat(dtos.get(1).getSequence()).isEqualTo(1);
+  }
+}
diff --git a/scm-webapp/src/test/java/sonia/scm/api/v2/resources/PluginWizardStartupResourceTest.java b/scm-webapp/src/test/java/sonia/scm/api/v2/resources/PluginWizardStartupResourceTest.java
new file mode 100644
index 0000000000..b023a13bb2
--- /dev/null
+++ b/scm-webapp/src/test/java/sonia/scm/api/v2/resources/PluginWizardStartupResourceTest.java
@@ -0,0 +1,186 @@
+/*
+ * MIT License
+ *
+ * Copyright (c) 2020-present Cloudogu GmbH and Contributors
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package sonia.scm.api.v2.resources;
+
+import com.github.sdorra.shiro.SubjectAware;
+import com.google.common.collect.ImmutableMap;
+import com.google.common.collect.ImmutableSet;
+import de.otto.edison.hal.Embedded;
+import de.otto.edison.hal.Links;
+import org.apache.commons.lang.StringUtils;
+import org.jboss.resteasy.mock.MockHttpRequest;
+import org.jboss.resteasy.mock.MockHttpResponse;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.Answers;
+import org.mockito.InjectMocks;
+import org.mockito.Mock;
+import org.mockito.junit.jupiter.MockitoExtension;
+import sonia.scm.lifecycle.PluginWizardStartupAction;
+import sonia.scm.lifecycle.PrivilegedStartupAction;
+import sonia.scm.plugin.AvailablePlugin;
+import sonia.scm.plugin.PluginManager;
+import sonia.scm.plugin.PluginSet;
+import sonia.scm.security.AccessTokenCookieIssuer;
+import sonia.scm.web.RestDispatcher;
+import sonia.scm.web.security.AdministrationContext;
+
+import java.net.URISyntaxException;
+import java.util.List;
+import java.util.Locale;
+
+import static java.lang.String.format;
+import static java.nio.charset.StandardCharsets.UTF_8;
+import static java.util.Collections.emptyList;
+import static java.util.Collections.singleton;
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.jboss.resteasy.mock.MockHttpRequest.post;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.Mockito.doAnswer;
+import static org.mockito.Mockito.lenient;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
+import static sonia.scm.plugin.PluginTestHelper.createAvailable;
+
+@SubjectAware(
+  configuration = "classpath:sonia/scm/repository/shiro.ini"
+)
+@ExtendWith(MockitoExtension.class)
+class PluginWizardStartupResourceTest {
+
+  @Mock
+  private PluginWizardStartupAction startupAction;
+
+  @Mock(answer = Answers.RETURNS_DEEP_STUBS)
+  private ResourceLinks resourceLinks;
+
+  @Mock
+  private PluginManager pluginManager;
+
+  @Mock
+  private AccessTokenCookieIssuer cookieIssuer;
+
+  @Mock
+  private PluginSetDtoMapper pluginSetDtoMapper;
+
+  @Mock
+  private AdministrationContext context;
+
+  private final RestDispatcher dispatcher = new RestDispatcher();
+  private final MockHttpResponse response = new MockHttpResponse();
+
+  @InjectMocks
+  private PluginWizardStartupResource resource;
+
+  @BeforeEach
+  void setUpMocks() {
+    dispatcher.addSingletonResource(new InitializationResource(singleton(resource)));
+    lenient().when(startupAction.name()).thenReturn("pluginWizard");
+  }
+
+  @Test
+  void shouldFailWhenActionIsDone() throws URISyntaxException {
+    when(startupAction.done()).thenReturn(true);
+
+    MockHttpRequest request =
+      post("/v2/initialization/pluginWizard")
+        .contentType("application/json")
+        .content(createInput("my-plugin-set"));
+    dispatcher.invoke(request, response);
+
+    assertThat(response.getStatus()).isEqualTo(400);
+  }
+
+  @Test
+  void shouldInstallPluginSets() throws URISyntaxException {
+    when(startupAction.done()).thenReturn(false);
+
+    MockHttpRequest request =
+      post("/v2/initialization/pluginWizard")
+        .contentType("application/json")
+        .content(createInput("my-plugin-set", "my-other-plugin-set"));
+    dispatcher.invoke(request, response);
+
+    verify(cookieIssuer).invalidate(any(), any());
+    verify(pluginManager).installPluginSets(ImmutableSet.of("my-plugin-set", "my-other-plugin-set"), true);
+  }
+
+  @Test
+  void shouldSetupIndex() {
+    AvailablePlugin git = createAvailable("scm-git-plugin");
+    AvailablePlugin svn = createAvailable("scm-svn-plugin");
+    AvailablePlugin hg = createAvailable("scm-hg-plugin");
+    List<AvailablePlugin> availablePlugins = List.of(git, svn, hg);
+
+    when(pluginManager.getAvailable()).thenReturn(availablePlugins);
+
+    doAnswer(invocation -> {
+      invocation.getArgument(0, PrivilegedStartupAction.class).run();
+      return null;
+    }).when(context).runAsAdmin(any(PrivilegedStartupAction.class));
+
+    PluginSet pluginSet = new PluginSet(
+      "my-plugin-set",
+      0,
+      ImmutableSet.of("scm-git-plugin", "scm-hg-plugin"),
+      ImmutableMap.of("en", new PluginSet.Description("My Plugin Set", List.of("this is awesome!"))),
+      ImmutableMap.of("standard", "base64image")
+    );
+
+    PluginSet pluginSet2 = new PluginSet(
+      "my-other-plugin-set",
+      0,
+      ImmutableSet.of("scm-svn-plugin", "scm-hg-plugin"),
+      ImmutableMap.of("en", new PluginSet.Description("My Plugin Set", List.of("this is awesome!"))),
+      ImmutableMap.of("standard", "base64image")
+    );
+    ImmutableSet<PluginSet> pluginSets = ImmutableSet.of(pluginSet, pluginSet2);
+    when(pluginManager.getPluginSets()).thenReturn(pluginSets);
+    when(pluginSetDtoMapper.map(pluginSets, availablePlugins, Locale.ENGLISH)).thenReturn(emptyList());
+
+    when(resourceLinks.pluginWizard().indexLink("pluginWizard")).thenReturn("http://index.link");
+
+    Embedded.Builder embeddedBuilder = new Embedded.Builder();
+    Links.Builder linksBuilder = new Links.Builder();
+
+    resource.setupIndex(linksBuilder, embeddedBuilder, Locale.ENGLISH);
+    Embedded embedded = embeddedBuilder.build();
+    Links links = linksBuilder.build();
+
+    assertThat(links.getLinkBy("installPluginSets")).isPresent();
+    assertThat(embedded.hasItem("pluginSets")).isTrue();
+  }
+
+  private byte[] createInput(String... pluginSetIds) {
+    String format = pluginSetIds.length > 0 ? "'%s'" : "%s";
+    return json(format("{'pluginSetIds': [" + format + "]}", StringUtils.join(pluginSetIds, "','")));
+  }
+
+  private byte[] json(String s) {
+    return s.replaceAll("'", "\"").getBytes(UTF_8);
+  }
+
+}
diff --git a/scm-webapp/src/test/java/sonia/scm/initialization/InitializationAuthenticationServiceTest.java b/scm-webapp/src/test/java/sonia/scm/initialization/InitializationAuthenticationServiceTest.java
new file mode 100644
index 0000000000..a6e847d88a
--- /dev/null
+++ b/scm-webapp/src/test/java/sonia/scm/initialization/InitializationAuthenticationServiceTest.java
@@ -0,0 +1,115 @@
+/*
+ * MIT License
+ *
+ * Copyright (c) 2020-present Cloudogu GmbH and Contributors
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package sonia.scm.initialization;
+
+import org.apache.shiro.authc.AuthenticationException;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.Answers;
+import org.mockito.InjectMocks;
+import org.mockito.Mock;
+import org.mockito.junit.jupiter.MockitoExtension;
+import sonia.scm.security.AccessToken;
+import sonia.scm.security.AccessTokenBuilder;
+import sonia.scm.security.AccessTokenBuilderFactory;
+import sonia.scm.security.AccessTokenCookieIssuer;
+import sonia.scm.web.security.AdministrationContext;
+import sonia.scm.web.security.PrivilegedAction;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
+
+@ExtendWith(MockitoExtension.class)
+class InitializationAuthenticationServiceTest {
+
+  @Mock
+  private AccessTokenBuilderFactory tokenBuilderFactory;
+  @Mock(answer = Answers.RETURNS_SELF)
+  private AccessTokenBuilder tokenBuilder;
+  @Mock
+  private AccessToken token;
+  @Mock
+  private AccessTokenCookieIssuer cookieIssuer;
+  @Mock
+  private InitializationCookieIssuer initializationCookieIssuer;
+  @Mock
+  private AdministrationContext administrationContext;
+
+  @InjectMocks
+  private InitializationAuthenticationService service;
+
+  @Test
+  void shouldNotThrowExceptionIfTokenIsValid() {
+    when(token.getSubject()).thenReturn("SCM-INIT");
+
+    service.validateToken(token);
+  }
+
+  @Test
+  void shouldThrowExceptionIfTokenIsInvalid() {
+    when(token.getSubject()).thenReturn("FAKE");
+
+    assertThrows(AuthenticationException.class, () -> service.validateToken(token));
+  }
+
+  @Test
+  void shouldSetPermissionForVirtualInitializationUserInAdminContext() {
+    service.setPermissions();
+
+    verify(administrationContext).runAsAdmin(any(PrivilegedAction.class));
+  }
+
+  @Test
+  void shouldAuthenticate() {
+    HttpServletRequest request = mock(HttpServletRequest.class);
+    HttpServletResponse response = mock(HttpServletResponse.class);
+
+    when(tokenBuilderFactory.create()).thenReturn(tokenBuilder);
+    AccessToken accessToken = mock(AccessToken.class);
+    when(tokenBuilder.build()).thenReturn(accessToken);
+
+    service.authenticate(request, response);
+
+    verify(initializationCookieIssuer)
+      .authenticateForInitialization(request, response, accessToken);
+    verify(tokenBuilder).subject("SCM-INIT");
+  }
+
+  @Test
+  void shouldInvalidateCookies() {
+    HttpServletRequest request = mock(HttpServletRequest.class);
+    HttpServletResponse response = mock(HttpServletResponse.class);
+
+    service.invalidateCookies(request, response);
+
+    verify(cookieIssuer).invalidate(request, response);
+  }
+}
diff --git a/scm-webapp/src/test/java/sonia/scm/initialization/InitializationWebTokenGeneratorTest.java b/scm-webapp/src/test/java/sonia/scm/initialization/InitializationWebTokenGeneratorTest.java
new file mode 100644
index 0000000000..3c166c165b
--- /dev/null
+++ b/scm-webapp/src/test/java/sonia/scm/initialization/InitializationWebTokenGeneratorTest.java
@@ -0,0 +1,65 @@
+/*
+ * MIT License
+ *
+ * Copyright (c) 2020-present Cloudogu GmbH and Contributors
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package sonia.scm.initialization;
+
+import org.apache.shiro.authc.AuthenticationToken;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.junit.jupiter.MockitoExtension;
+
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletRequest;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+import static sonia.scm.initialization.InitializationWebTokenGenerator.INIT_TOKEN_HEADER;
+
+@ExtendWith(MockitoExtension.class)
+class InitializationWebTokenGeneratorTest {
+
+  private static final String INIT_TOKEN = "my_init_token";
+  private final InitializationWebTokenGenerator generator = new InitializationWebTokenGenerator();
+
+  @Test
+  void shouldReturnNullTokenIfCookieIsMissing() {
+    HttpServletRequest request = mock(HttpServletRequest.class);
+
+    AuthenticationToken token = generator.createToken(request);
+
+    assertThat(token).isNull();
+  }
+
+  @Test
+  void shouldGenerateCookieToken() {
+    HttpServletRequest request = mock(HttpServletRequest.class);
+    when(request.getCookies()).thenReturn(new Cookie[]{new Cookie(INIT_TOKEN_HEADER, INIT_TOKEN)});
+
+    AuthenticationToken token = generator.createToken(request);
+
+    assertThat(token.getCredentials()).isEqualTo(INIT_TOKEN);
+    assertThat(token.getPrincipal()).isEqualTo("SCM_INIT");
+  }
+}
diff --git a/scm-webapp/src/test/java/sonia/scm/lifecycle/PluginWizardStartupActionTest.java b/scm-webapp/src/test/java/sonia/scm/lifecycle/PluginWizardStartupActionTest.java
new file mode 100644
index 0000000000..cc06be0cfe
--- /dev/null
+++ b/scm-webapp/src/test/java/sonia/scm/lifecycle/PluginWizardStartupActionTest.java
@@ -0,0 +1,73 @@
+/*
+ * MIT License
+ *
+ * Copyright (c) 2020-present Cloudogu GmbH and Contributors
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package sonia.scm.lifecycle;
+
+import org.assertj.core.api.Assertions;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.InjectMocks;
+import org.mockito.Mock;
+import org.mockito.Mockito;
+import org.mockito.junit.jupiter.MockitoExtension;
+import sonia.scm.plugin.PluginSetConfigStore;
+import sonia.scm.plugin.PluginSetsConfig;
+
+import java.util.Optional;
+
+@ExtendWith(MockitoExtension.class)
+class PluginWizardStartupActionTest {
+
+  @Mock
+  private PluginSetConfigStore pluginSetConfigStore;
+
+  @InjectMocks
+  private PluginWizardStartupAction startupAction;
+
+  @BeforeEach
+  void setup() {
+    System.clearProperty(AdminAccountStartupAction.INITIAL_PASSWORD_PROPERTY);
+  }
+
+  @Test
+  void shouldNotBeDoneByDefault() {
+    Assertions.assertThat(startupAction.done()).isFalse();
+  }
+
+  @Test
+  void shouldBeDoneIfInitialPasswordIsSet() {
+    System.setProperty(AdminAccountStartupAction.INITIAL_PASSWORD_PROPERTY, "secret");
+
+    Assertions.assertThat(startupAction.done()).isTrue();
+  }
+
+  @Test
+  void shouldBeDoneIfConfigIsAlreadySet() {
+    Mockito.when(pluginSetConfigStore.getPluginSets()).thenReturn(Optional.of(new PluginSetsConfig()));
+
+    Assertions.assertThat(startupAction.done()).isTrue();
+  }
+
+}
diff --git a/scm-webapp/src/test/java/sonia/scm/plugin/DefaultPluginManagerTest.java b/scm-webapp/src/test/java/sonia/scm/plugin/DefaultPluginManagerTest.java
index d52bd6e51e..74ec7a0d14 100644
--- a/scm-webapp/src/test/java/sonia/scm/plugin/DefaultPluginManagerTest.java
+++ b/scm-webapp/src/test/java/sonia/scm/plugin/DefaultPluginManagerTest.java
@@ -25,6 +25,7 @@
 package sonia.scm.plugin;
 
 import com.google.common.collect.ImmutableList;
+import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.ImmutableSet;
 import org.apache.shiro.authz.AuthorizationException;
 import org.apache.shiro.subject.Subject;
@@ -38,6 +39,7 @@ import org.junit.jupiter.api.io.TempDir;
 import org.mockito.ArgumentCaptor;
 import org.mockito.Captor;
 import org.mockito.Mock;
+import org.mockito.Mockito;
 import org.mockito.junit.jupiter.MockitoExtension;
 import sonia.scm.NotFoundException;
 import sonia.scm.ScmConstraintViolationException;
@@ -49,6 +51,7 @@ import java.nio.file.Files;
 import java.nio.file.Path;
 import java.util.List;
 import java.util.Optional;
+import java.util.Set;
 
 import static java.util.Arrays.asList;
 import static java.util.Collections.singleton;
@@ -83,6 +86,9 @@ class DefaultPluginManagerTest {
   @Mock
   private Restarter restarter;
 
+  @Mock
+  private PluginSetConfigStore pluginSetConfigStore;
+
   @Mock
   private ScmEventBus eventBus;
 
@@ -110,7 +116,7 @@ class DefaultPluginManagerTest {
   @BeforeEach
   void setUpObjectUnderTest() {
     manager = new DefaultPluginManager(
-      loader, center, installer, restarter, eventBus, plugins -> context
+      loader, center, installer, restarter, eventBus, plugins -> context, pluginSetConfigStore
     );
   }
 
@@ -162,7 +168,7 @@ class DefaultPluginManagerTest {
       AvailablePlugin review = createAvailable("scm-review-plugin");
       AvailablePlugin git = createAvailable("scm-git-plugin");
 
-      when(center.getAvailable()).thenReturn(ImmutableSet.of(review, git));
+      when(center.getAvailablePlugins()).thenReturn(ImmutableSet.of(review, git));
 
       List<AvailablePlugin> available = manager.getAvailable();
       assertThat(available).containsOnly(review, git);
@@ -175,7 +181,7 @@ class DefaultPluginManagerTest {
 
       AvailablePlugin review = createAvailable("scm-review-plugin");
       AvailablePlugin git = createAvailable("scm-git-plugin");
-      when(center.getAvailable()).thenReturn(ImmutableSet.of(review, git));
+      when(center.getAvailablePlugins()).thenReturn(ImmutableSet.of(review, git));
 
       List<AvailablePlugin> available = manager.getAvailable();
       assertThat(available).containsOnly(review);
@@ -185,7 +191,7 @@ class DefaultPluginManagerTest {
     void shouldReturnAvailable() {
       AvailablePlugin review = createAvailable("scm-review-plugin");
       AvailablePlugin git = createAvailable("scm-git-plugin");
-      when(center.getAvailable()).thenReturn(ImmutableSet.of(review, git));
+      when(center.getAvailablePlugins()).thenReturn(ImmutableSet.of(review, git));
 
       Optional<AvailablePlugin> available = manager.getAvailable("scm-git-plugin");
       assertThat(available).contains(git);
@@ -194,7 +200,7 @@ class DefaultPluginManagerTest {
     @Test
     void shouldReturnEmptyForNonExistingAvailable() {
       AvailablePlugin review = createAvailable("scm-review-plugin");
-      when(center.getAvailable()).thenReturn(ImmutableSet.of(review));
+      when(center.getAvailablePlugins()).thenReturn(ImmutableSet.of(review));
 
       Optional<AvailablePlugin> available = manager.getAvailable("scm-git-plugin");
       assertThat(available).isEmpty();
@@ -206,7 +212,7 @@ class DefaultPluginManagerTest {
       when(loader.getInstalledPlugins()).thenReturn(ImmutableList.of(installedGit));
 
       AvailablePlugin git = createAvailable("scm-git-plugin");
-      when(center.getAvailable()).thenReturn(ImmutableSet.of(git));
+      when(center.getAvailablePlugins()).thenReturn(ImmutableSet.of(git));
 
       Optional<AvailablePlugin> available = manager.getAvailable("scm-git-plugin");
       assertThat(available).isEmpty();
@@ -215,7 +221,7 @@ class DefaultPluginManagerTest {
     @Test
     void shouldInstallThePlugin() {
       AvailablePlugin git = createAvailable("scm-git-plugin");
-      when(center.getAvailable()).thenReturn(ImmutableSet.of(git));
+      when(center.getAvailablePlugins()).thenReturn(ImmutableSet.of(git));
 
       manager.install("scm-git-plugin", false);
 
@@ -228,7 +234,7 @@ class DefaultPluginManagerTest {
       AvailablePlugin review = createAvailable("scm-review-plugin");
       when(review.getDescriptor().getDependencies()).thenReturn(ImmutableSet.of("scm-mail-plugin"));
       AvailablePlugin mail = createAvailable("scm-mail-plugin");
-      when(center.getAvailable()).thenReturn(ImmutableSet.of(review, mail));
+      when(center.getAvailablePlugins()).thenReturn(ImmutableSet.of(review, mail));
 
       manager.install("scm-review-plugin", false);
 
@@ -241,7 +247,7 @@ class DefaultPluginManagerTest {
       AvailablePlugin review = createAvailable("scm-review-plugin");
       when(review.getDescriptor().getDependencies()).thenReturn(ImmutableSet.of("scm-mail-plugin"));
       AvailablePlugin mail = createAvailable("scm-mail-plugin");
-      when(center.getAvailable()).thenReturn(ImmutableSet.of(review, mail));
+      when(center.getAvailablePlugins()).thenReturn(ImmutableSet.of(review, mail));
 
       InstalledPlugin installedMail = createInstalled("scm-mail-plugin");
       when(loader.getInstalledPlugins()).thenReturn(ImmutableList.of(installedMail));
@@ -259,7 +265,7 @@ class DefaultPluginManagerTest {
       AvailablePlugin review = createAvailable("scm-review-plugin");
       when(review.getDescriptor().getDependencies()).thenReturn(ImmutableSet.of("scm-mail-plugin"));
       AvailablePlugin mail = createAvailable("scm-mail-plugin", "1.1.0");
-      when(center.getAvailable()).thenReturn(ImmutableSet.of(review, mail));
+      when(center.getAvailablePlugins()).thenReturn(ImmutableSet.of(review, mail));
 
       InstalledPlugin installedMail = createInstalled("scm-mail-plugin", "1.0.0");
       when(loader.getInstalledPlugins()).thenReturn(ImmutableList.of(installedMail));
@@ -275,7 +281,7 @@ class DefaultPluginManagerTest {
       AvailablePlugin review = createAvailable("scm-review-plugin");
       when(review.getDescriptor().getOptionalDependencies()).thenReturn(ImmutableSet.of("scm-mail-plugin"));
       AvailablePlugin mail = createAvailable("scm-mail-plugin", "1.1.0");
-      when(center.getAvailable()).thenReturn(ImmutableSet.of(review, mail));
+      when(center.getAvailablePlugins()).thenReturn(ImmutableSet.of(review, mail));
 
       InstalledPlugin installedMail = createInstalled("scm-mail-plugin", "1.0.0");
       when(loader.getInstalledPlugins()).thenReturn(ImmutableList.of(installedMail));
@@ -291,7 +297,7 @@ class DefaultPluginManagerTest {
       AvailablePlugin review = createAvailable("scm-review-plugin");
       when(review.getDescriptor().getOptionalDependencies()).thenReturn(ImmutableSet.of("scm-mail-plugin"));
       AvailablePlugin mail = createAvailable("scm-mail-plugin", "1.1.0");
-      when(center.getAvailable()).thenReturn(ImmutableSet.of(review, mail));
+      when(center.getAvailablePlugins()).thenReturn(ImmutableSet.of(review, mail));
 
       manager.install("scm-review-plugin", false);
 
@@ -306,7 +312,7 @@ class DefaultPluginManagerTest {
       AvailablePlugin mail = createAvailable("scm-mail-plugin");
       when(mail.getDescriptor().getDependencies()).thenReturn(ImmutableSet.of("scm-notification-plugin"));
       AvailablePlugin notification = createAvailable("scm-notification-plugin");
-      when(center.getAvailable()).thenReturn(ImmutableSet.of(review, mail, notification));
+      when(center.getAvailablePlugins()).thenReturn(ImmutableSet.of(review, mail, notification));
 
       PendingPluginInstallation pendingNotification = mock(PendingPluginInstallation.class);
       doReturn(pendingNotification).when(installer).install(context, notification);
@@ -328,7 +334,7 @@ class DefaultPluginManagerTest {
       when(review.getDescriptor().getDependencies()).thenReturn(ImmutableSet.of("scm-mail-plugin"));
       AvailablePlugin mail = createAvailable("scm-mail-plugin");
       when(mail.getDescriptor().getDependencies()).thenReturn(ImmutableSet.of("scm-notification-plugin"));
-      when(center.getAvailable()).thenReturn(ImmutableSet.of(review, mail));
+      when(center.getAvailablePlugins()).thenReturn(ImmutableSet.of(review, mail));
 
       assertThrows(NotFoundException.class, () -> manager.install("scm-review-plugin", false));
 
@@ -338,7 +344,7 @@ class DefaultPluginManagerTest {
     @Test
     void shouldSendRestartEventAfterInstallation() {
       AvailablePlugin git = createAvailable("scm-git-plugin");
-      when(center.getAvailable()).thenReturn(ImmutableSet.of(git));
+      when(center.getAvailablePlugins()).thenReturn(ImmutableSet.of(git));
 
       manager.install("scm-git-plugin", true);
 
@@ -358,7 +364,7 @@ class DefaultPluginManagerTest {
     @Test
     void shouldNotInstallAlreadyPendingPlugins() {
       AvailablePlugin review = createAvailable("scm-review-plugin");
-      when(center.getAvailable()).thenReturn(ImmutableSet.of(review));
+      when(center.getAvailablePlugins()).thenReturn(ImmutableSet.of(review));
 
       manager.install("scm-review-plugin", false);
       manager.install("scm-review-plugin", false);
@@ -369,7 +375,7 @@ class DefaultPluginManagerTest {
     @Test
     void shouldSendRestartEvent() {
       AvailablePlugin review = createAvailable("scm-review-plugin");
-      when(center.getAvailable()).thenReturn(ImmutableSet.of(review));
+      when(center.getAvailablePlugins()).thenReturn(ImmutableSet.of(review));
 
       manager.install("scm-review-plugin", false);
       manager.executePendingAndRestart();
@@ -387,7 +393,7 @@ class DefaultPluginManagerTest {
     @Test
     void shouldReturnSingleAvailableAsPending() {
       AvailablePlugin review = createAvailable("scm-review-plugin");
-      when(center.getAvailable()).thenReturn(ImmutableSet.of(review));
+      when(center.getAvailablePlugins()).thenReturn(ImmutableSet.of(review));
 
       manager.install("scm-review-plugin", false);
 
@@ -398,7 +404,7 @@ class DefaultPluginManagerTest {
     @Test
     void shouldReturnAvailableAsPending() {
       AvailablePlugin review = createAvailable("scm-review-plugin");
-      when(center.getAvailable()).thenReturn(ImmutableSet.of(review));
+      when(center.getAvailablePlugins()).thenReturn(ImmutableSet.of(review));
 
       manager.install("scm-review-plugin", false);
 
@@ -514,7 +520,7 @@ class DefaultPluginManagerTest {
       when(reviewPlugin.getDescriptor().getDependencies()).thenReturn(singleton("scm-mail-plugin"));
 
       when(loader.getInstalledPlugins()).thenReturn(singletonList(mailPlugin));
-      when(center.getAvailable()).thenReturn(singleton(reviewPlugin));
+      when(center.getAvailablePlugins()).thenReturn(singleton(reviewPlugin));
 
       manager.computeInstallationDependencies();
 
@@ -546,7 +552,7 @@ class DefaultPluginManagerTest {
       doNothing().when(mailPlugin).setMarkedForUninstall(uninstallCaptor.capture());
 
       AvailablePlugin git = createAvailable("scm-git-plugin");
-      when(center.getAvailable()).thenReturn(ImmutableSet.of(git));
+      when(center.getAvailablePlugins()).thenReturn(ImmutableSet.of(git));
       PendingPluginInstallation gitPendingPluginInformation = mock(PendingPluginInstallation.class);
       when(installer.install(context, git)).thenReturn(gitPendingPluginInformation);
 
@@ -577,7 +583,7 @@ class DefaultPluginManagerTest {
       AvailablePlugin newMailPlugin = createAvailable("scm-mail-plugin", "2.0.0");
       AvailablePlugin newReviewPlugin = createAvailable("scm-review-plugin", "2.0.0");
 
-      when(center.getAvailable()).thenReturn(ImmutableSet.of(newMailPlugin, newReviewPlugin));
+      when(center.getAvailablePlugins()).thenReturn(ImmutableSet.of(newMailPlugin, newReviewPlugin));
 
       manager.updateAll();
 
@@ -593,7 +599,7 @@ class DefaultPluginManagerTest {
       when(loader.getInstalledPlugins()).thenReturn(ImmutableList.of(scriptPlugin));
       AvailablePlugin oldScriptPlugin = createAvailable("scm-script-plugin", "0.9");
 
-      when(center.getAvailable()).thenReturn(ImmutableSet.of(oldScriptPlugin));
+      when(center.getAvailablePlugins()).thenReturn(ImmutableSet.of(oldScriptPlugin));
 
       manager.updateAll();
 
@@ -603,7 +609,7 @@ class DefaultPluginManagerTest {
     @Test
     void shouldFirePluginEventOnInstallation() {
       AvailablePlugin review = createAvailable("scm-review-plugin");
-      when(center.getAvailable()).thenReturn(ImmutableSet.of(review));
+      when(center.getAvailablePlugins()).thenReturn(ImmutableSet.of(review));
 
       manager.install("scm-review-plugin", false);
 
@@ -616,7 +622,7 @@ class DefaultPluginManagerTest {
     @Test
     void shouldFirePluginEventOnFailedInstallation() {
       AvailablePlugin review = createAvailable("scm-review-plugin");
-      when(center.getAvailable()).thenReturn(ImmutableSet.of(review));
+      when(center.getAvailablePlugins()).thenReturn(ImmutableSet.of(review));
       doThrow(new PluginDownloadException(review, new IOException())).when(installer).install(context, review);
 
       assertThrows(PluginDownloadException.class, () -> manager.install("scm-review-plugin", false));
@@ -637,7 +643,7 @@ class DefaultPluginManagerTest {
       when(jenkins.getDescriptor().getDependencies()).thenReturn(ImmutableSet.of("scm-el-plugin"));
       when(webhook.getDescriptor().getDependencies()).thenReturn(ImmutableSet.of("scm-el-plugin"));
       AvailablePlugin el = createAvailable("scm-el-plugin");
-      when(center.getAvailable()).thenReturn(ImmutableSet.of(jenkins, el, webhook));
+      when(center.getAvailablePlugins()).thenReturn(ImmutableSet.of(jenkins, el, webhook));
 
       manager.install("scm-jenkins-plugin", false);
       manager.install("scm-webhook-plugin", false);
@@ -650,6 +656,55 @@ class DefaultPluginManagerTest {
       assertThat(pluginInstallationContext.find("scm-webhook-plugin")).isPresent();
       assertThat(pluginInstallationContext.find("scm-el-plugin")).isPresent();
     }
+
+    @Test
+    void shouldGetPluginSets() {
+      PluginSet pluginSet = new PluginSet(
+        "my-plugin-set",
+        0,
+        ImmutableSet.of("scm-jenkins-plugin", "scm-webhook-plugin", "scm-el-plugin"),
+        ImmutableMap.of("en", new PluginSet.Description("My Plugin Set", List.of("this is awesome!"))),
+        ImmutableMap.of("standard", "base64image")
+      );
+      when(center.getAvailablePluginSets()).thenReturn(ImmutableSet.of(pluginSet));
+      Set<PluginSet> pluginSets = manager.getPluginSets();
+      assertThat(pluginSets).containsExactly(pluginSet);
+    }
+
+    @Test
+    void shouldInstallPluginSets() {
+      AvailablePlugin git = createAvailable("scm-git-plugin");
+      AvailablePlugin svn = createAvailable("scm-svn-plugin");
+      AvailablePlugin hg = createAvailable("scm-hg-plugin");
+
+      when(center.getAvailablePlugins()).thenReturn(ImmutableSet.of(git, svn, hg));
+
+      PluginSet pluginSet = new PluginSet(
+        "my-plugin-set",
+        0,
+        ImmutableSet.of("scm-git-plugin", "scm-hg-plugin"),
+        ImmutableMap.of("en", new PluginSet.Description("My Plugin Set", List.of("this is awesome!"))),
+        ImmutableMap.of("standard", "base64image")
+      );
+
+      PluginSet pluginSet2 = new PluginSet(
+        "my-other-plugin-set",
+        0,
+        ImmutableSet.of("scm-svn-plugin", "scm-hg-plugin"),
+        ImmutableMap.of("en", new PluginSet.Description("My Plugin Set", List.of("this is awesome!"))),
+        ImmutableMap.of("standard", "base64image")
+      );
+      when(center.getAvailablePluginSets()).thenReturn(ImmutableSet.of(pluginSet, pluginSet2));
+
+      manager.installPluginSets(ImmutableSet.of("my-plugin-set", "my-other-plugin-set"), false);
+
+      verify(pluginSetConfigStore).setPluginSets(new PluginSetsConfig(ImmutableSet.of("my-plugin-set", "my-other-plugin-set")));
+      verify(installer, Mockito.times(1)).install(context, git);
+      verify(installer, Mockito.times(1)).install(context, hg);
+      verify(installer, Mockito.times(1)).install(context, svn);
+
+      verify(restarter, never()).restart(any(), any());
+    }
   }
 
   @Nested
@@ -672,6 +727,7 @@ class DefaultPluginManagerTest {
       assertThrows(AuthorizationException.class, () -> manager.getInstalled("test"));
       assertThrows(AuthorizationException.class, () -> manager.getAvailable());
       assertThrows(AuthorizationException.class, () -> manager.getAvailable("test"));
+      assertThrows(AuthorizationException.class, () -> manager.getPluginSets());
     }
 
   }
@@ -695,6 +751,12 @@ class DefaultPluginManagerTest {
       assertThrows(AuthorizationException.class, () -> manager.install("test", false));
     }
 
+    @Test
+    void shouldThrowAuthorizationExceptionsForInstallPluginSetsMethod() {
+      ImmutableSet<String> pluginSetIds = ImmutableSet.of("test");
+      assertThrows(AuthorizationException.class, () -> manager.installPluginSets(pluginSetIds, false));
+    }
+
     @Test
     void shouldThrowAuthorizationExceptionsForUninstallMethod() {
       assertThrows(AuthorizationException.class, () -> manager.uninstall("test", false));
diff --git a/scm-webapp/src/test/java/sonia/scm/plugin/PluginCenterDtoMapperTest.java b/scm-webapp/src/test/java/sonia/scm/plugin/PluginCenterDtoMapperTest.java
index abd6277489..d627c721c9 100644
--- a/scm-webapp/src/test/java/sonia/scm/plugin/PluginCenterDtoMapperTest.java
+++ b/scm-webapp/src/test/java/sonia/scm/plugin/PluginCenterDtoMapperTest.java
@@ -33,17 +33,16 @@ import org.mockito.InjectMocks;
 import org.mockito.Mock;
 import org.mockito.junit.jupiter.MockitoExtension;
 
-import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collections;
-import java.util.HashMap;
 import java.util.List;
 import java.util.Set;
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.mockito.Mockito.when;
+import static sonia.scm.plugin.PluginCenterDto.Condition;
+import static sonia.scm.plugin.PluginCenterDto.Link;
 import static sonia.scm.plugin.PluginCenterDto.Plugin;
-import static sonia.scm.plugin.PluginCenterDto.*;
 
 @ExtendWith(MockitoExtension.class)
 class PluginCenterDtoMapperTest {
@@ -72,8 +71,19 @@ class PluginCenterDtoMapperTest {
       ImmutableMap.of("download", new Link("http://download.hitchhiker.com"))
     );
 
+    PluginCenterDto.PluginSet pluginSet = new PluginCenterDto.PluginSet(
+      "my-plugin-set",
+      ">2.0.0",
+      0,
+      ImmutableSet.of("scm-review-plugin"),
+      ImmutableMap.of("en", new PluginCenterDto.Description("My Plugin Set", List.of("hello world"))),
+      ImmutableMap.of("standard", "base64image")
+    );
+
     when(dto.getEmbedded().getPlugins()).thenReturn(Collections.singletonList(plugin));
-    AvailablePluginDescriptor descriptor = mapper.map(dto).iterator().next().getDescriptor();
+    when(dto.getEmbedded().getPluginSets()).thenReturn(Collections.singletonList(pluginSet));
+    PluginCenterResult mapped = mapper.map(dto);
+    AvailablePluginDescriptor descriptor = mapped.getPlugins().iterator().next().getDescriptor();
     PluginInformation information = descriptor.getInformation();
     PluginCondition condition = descriptor.getCondition();
 
@@ -88,6 +98,14 @@ class PluginCenterDtoMapperTest {
     assertThat(condition.getOs().iterator().next()).isEqualTo(plugin.getConditions().getOs().iterator().next());
     assertThat(information.getDescription()).isEqualTo(plugin.getDescription());
     assertThat(information.getName()).isEqualTo(plugin.getName());
+
+    PluginSet mappedPluginSet = mapped.getPluginSets().iterator().next();
+
+    assertThat(mappedPluginSet.getId()).isEqualTo(pluginSet.getId());
+    assertThat(mappedPluginSet.getSequence()).isEqualTo(pluginSet.getSequence());
+    assertThat(mappedPluginSet.getPlugins()).hasSize(pluginSet.getPlugins().size());
+    assertThat(mappedPluginSet.getImages()).isNotEmpty();
+    assertThat(mappedPluginSet.getDescriptions()).isNotEmpty();
   }
 
   @Test
@@ -126,7 +144,8 @@ class PluginCenterDtoMapperTest {
 
     when(dto.getEmbedded().getPlugins()).thenReturn(Arrays.asList(plugin1, plugin2));
 
-    Set<AvailablePlugin> resultSet = mapper.map(dto);
+    PluginCenterResult pluginCenterResult = mapper.map(dto);
+    Set<AvailablePlugin> resultSet = pluginCenterResult.getPlugins();
 
     PluginInformation pluginInformation1 = findPlugin(resultSet, plugin1.getName());
     PluginInformation pluginInformation2 = findPlugin(resultSet, plugin2.getName());
diff --git a/scm-webapp/src/test/java/sonia/scm/plugin/PluginCenterLoaderTest.java b/scm-webapp/src/test/java/sonia/scm/plugin/PluginCenterLoaderTest.java
index 7adb763d10..6d60d7e9af 100644
--- a/scm-webapp/src/test/java/sonia/scm/plugin/PluginCenterLoaderTest.java
+++ b/scm-webapp/src/test/java/sonia/scm/plugin/PluginCenterLoaderTest.java
@@ -43,7 +43,6 @@ import java.util.Set;
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.Mockito.*;
-import static sonia.scm.plugin.Tracing.SPAN_KIND;
 
 @ExtendWith(MockitoExtension.class)
 class PluginCenterLoaderTest {
@@ -71,12 +70,15 @@ class PluginCenterLoaderTest {
   @Test
   void shouldFetch() throws IOException {
     Set<AvailablePlugin> plugins = Collections.emptySet();
+    Set<PluginSet> pluginSets = Collections.emptySet();
     PluginCenterDto dto = new PluginCenterDto();
+    PluginCenterResult pluginCenterResult = new PluginCenterResult(plugins, pluginSets);
     when(request().contentFromJson(PluginCenterDto.class)).thenReturn(dto);
-    when(mapper.map(dto)).thenReturn(plugins);
+    when(mapper.map(dto)).thenReturn(pluginCenterResult);
 
-    Set<AvailablePlugin> fetched = loader.load(PLUGIN_URL);
-    assertThat(fetched).isSameAs(plugins);
+    PluginCenterResult fetched = loader.load(PLUGIN_URL);
+    assertThat(fetched.getPlugins()).isSameAs(plugins);
+    assertThat(fetched.getPluginSets()).isSameAs(pluginSets);
   }
 
   private AdvancedHttpResponse request() throws IOException {
@@ -91,8 +93,9 @@ class PluginCenterLoaderTest {
     when(client.get(PLUGIN_URL)).thenReturn(request);
     when(request.request()).thenThrow(new IOException("failed to fetch"));
 
-    Set<AvailablePlugin> fetch = loader.load(PLUGIN_URL);
-    assertThat(fetch).isEmpty();
+    PluginCenterResult fetch = loader.load(PLUGIN_URL);
+    assertThat(fetch.getPlugins()).isEmpty();
+    assertThat(fetch.getPluginSets()).isEmpty();
   }
 
   @Test
@@ -119,8 +122,9 @@ class PluginCenterLoaderTest {
   private Set<AvailablePlugin> mockResponse() throws IOException {
     PluginCenterDto dto = new PluginCenterDto();
     Set<AvailablePlugin> plugins = Collections.emptySet();
+    Set<PluginSet> pluginSets = Collections.emptySet();
     when(request().contentFromJson(PluginCenterDto.class)).thenReturn(dto);
-    when(mapper.map(dto)).thenReturn(plugins);
+    when(mapper.map(dto)).thenReturn(new PluginCenterResult(plugins, pluginSets));
     return plugins;
   }
 
diff --git a/scm-webapp/src/test/java/sonia/scm/plugin/PluginCenterTest.java b/scm-webapp/src/test/java/sonia/scm/plugin/PluginCenterTest.java
index 5aa202049a..ad03202b5a 100644
--- a/scm-webapp/src/test/java/sonia/scm/plugin/PluginCenterTest.java
+++ b/scm-webapp/src/test/java/sonia/scm/plugin/PluginCenterTest.java
@@ -24,21 +24,16 @@
     
 package sonia.scm.plugin;
 
-import com.google.common.collect.ImmutableSet;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
-import org.mockito.Answers;
 import org.mockito.Mock;
 import org.mockito.junit.jupiter.MockitoExtension;
 import sonia.scm.SCMContextProvider;
 import sonia.scm.cache.CacheManager;
 import sonia.scm.cache.MapCacheManager;
 import sonia.scm.config.ScmConfiguration;
-import sonia.scm.net.ahc.AdvancedHttpClient;
-import sonia.scm.util.SystemUtil;
 
-import java.io.IOException;
 import java.util.Collections;
 import java.util.HashSet;
 import java.util.Set;
@@ -81,36 +76,52 @@ class PluginCenterTest {
   @Test
   void shouldFetchPlugins() {
     Set<AvailablePlugin> plugins = new HashSet<>();
-    when(loader.load(PLUGIN_URL_BASE + "2.0.0")).thenReturn(plugins);
+    Set<PluginSet> pluginSets = new HashSet<>();
 
-    assertThat(pluginCenter.getAvailable()).isSameAs(plugins);
+    PluginCenterResult pluginCenterResult = new PluginCenterResult(plugins, pluginSets);
+    when(loader.load(PLUGIN_URL_BASE + "2.0.0")).thenReturn(pluginCenterResult);
+
+    assertThat(pluginCenter.getAvailablePlugins()).isSameAs(plugins);
+    assertThat(pluginCenter.getAvailablePluginSets()).isSameAs(pluginSets);
   }
 
   @Test
   @SuppressWarnings("unchecked")
   void shouldCache() {
-    Set<AvailablePlugin> first = new HashSet<>();
-    when(loader.load(anyString())).thenReturn(first, new HashSet<>());
+    Set<AvailablePlugin> plugins = new HashSet<>();
+    Set<PluginSet> pluginSets = new HashSet<>();
 
-    assertThat(pluginCenter.getAvailable()).isSameAs(first);
-    assertThat(pluginCenter.getAvailable()).isSameAs(first);
+    PluginCenterResult first = new PluginCenterResult(plugins, pluginSets);
+    when(loader.load(anyString())).thenReturn(first, new PluginCenterResult(Collections.emptySet(), Collections.emptySet()));
+
+    assertThat(pluginCenter.getAvailablePlugins()).isSameAs(plugins);
+    assertThat(pluginCenter.getAvailablePlugins()).isSameAs(plugins);
+    assertThat(pluginCenter.getAvailablePluginSets()).isSameAs(pluginSets);
   }
 
   @Test
   @SuppressWarnings("unchecked")
   void shouldClearCache() {
-    Set<AvailablePlugin> first = new HashSet<>();
-    when(loader.load(anyString())).thenReturn(first, new HashSet<>());
+    Set<AvailablePlugin> plugins = new HashSet<>();
+    Set<PluginSet> pluginSets = new HashSet<>();
 
-    assertThat(pluginCenter.getAvailable()).isSameAs(first);
+    PluginCenterResult first = new PluginCenterResult(plugins, pluginSets);
+    when(loader.load(anyString())).thenReturn(first, new PluginCenterResult(Collections.emptySet(), Collections.emptySet()));
+
+    assertThat(pluginCenter.getAvailablePlugins()).isSameAs(plugins);
+    assertThat(pluginCenter.getAvailablePluginSets()).isSameAs(pluginSets);
     pluginCenter.handle(new PluginCenterLoginEvent(null));
-    assertThat(pluginCenter.getAvailable()).isNotSameAs(first);
+    assertThat(pluginCenter.getAvailablePlugins()).isNotSameAs(plugins);
+    assertThat(pluginCenter.getAvailablePluginSets()).isNotSameAs(pluginSets);
   }
 
   @Test
   void shouldLoadOnRefresh() {
     Set<AvailablePlugin> plugins = new HashSet<>();
-    when(loader.load(PLUGIN_URL_BASE + "2.0.0")).thenReturn(plugins);
+    Set<PluginSet> pluginSets = new HashSet<>();
+
+    PluginCenterResult pluginCenterResult = new PluginCenterResult(plugins, pluginSets);
+    when(loader.load(PLUGIN_URL_BASE + "2.0.0")).thenReturn(pluginCenterResult);
 
     pluginCenter.refresh();