From ac7132f802b1961f85a4eb52d610620db02dafda Mon Sep 17 00:00:00 2001 From: zhujian Date: Thu, 12 Mar 2026 18:07:49 +0800 Subject: [PATCH 1/9] =?UTF-8?q?=F0=9F=93=96=20Add=20TLS=20Profile=20Compli?= =?UTF-8?q?ance=20Design=20document?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add comprehensive design document for implementing TLS profile compliance across server foundation repositories (OCM hub/spoke components and Stolostron). This addresses ACM-26882 requirement for OpenShift 4.22 GA and Post-Quantum Cryptography (PQC) readiness. Key aspects: - Sidecar + ConfigMap pattern for dynamic TLS configuration - Upstream/downstream separation (OCM remains K8s-agnostic) - ConfigMap propagation strategies for hub and spoke scenarios - Implementation details for operators, agents, and addon components Related: ACM-26882 πŸ€– Assisted by Claude Code Co-Authored-By: Claude Signed-off-by: zhujian --- docs/TLS_PROFILE_COMPLIANCE_DESIGN.md | 898 ++++++++++++++++++++++++++ 1 file changed, 898 insertions(+) create mode 100644 docs/TLS_PROFILE_COMPLIANCE_DESIGN.md diff --git a/docs/TLS_PROFILE_COMPLIANCE_DESIGN.md b/docs/TLS_PROFILE_COMPLIANCE_DESIGN.md new file mode 100644 index 000000000..43a2b832a --- /dev/null +++ b/docs/TLS_PROFILE_COMPLIANCE_DESIGN.md @@ -0,0 +1,898 @@ +# TLS Profile Compliance Design for Server Foundation Repos + +**JIRA:** [ACM-26882: [ACM] Central TLS Profile consistency](https://issues.redhat.com/browse/ACM-26882) +**Document Status:** Design Document +**Last Updated:** 2026-03-12 +**Deadline:** OCP 4.22 GA + +--- + +## Table of Contents + +1. [Overview](#overview) +2. [Scenario Summary](#scenario-summary) +3. [Solution Overview](#solution-overview) +4. [Stolostron Scenarios](#stolostron-scenarios) +5. [OCM Hub Scenarios](#ocm-hub-scenarios) +6. [OCM Spoke Scenarios](#ocm-spoke-scenarios) +7. [Implementation Details](#implementation-details) +8. [Compliance Verification](#compliance-verification) + +--- + +## Overview + +### Purpose + +This design document provides a unified approach for all server foundation repositories to implement TLS profile compliance as required by OpenShift 4.22 GA. The requirement mandates that all components **dynamically fetch and apply TLS configuration from centralized sources** rather than hardcoding TLS settings. This is critical for **Post-Quantum Cryptography (PQC) readiness**. + +### Challenge for OCM + +OCM repos are **upstream Kubernetes projects** that must work on any Kubernetes distribution. They **cannot depend on OpenShift-specific APIs** like `APIServer.spec.tlsSecurityProfile`. + +### Background: Deployment Relationships + +Understanding who deploys what is critical to the design: + +**Hub Cluster:** +- **backplane-operator** (Stolostron) deploys: + - `cluster-manager-operator` (OCM operator, scenario 3) + - `cluster-proxy-addon-manager` (OCM addon manager, scenario 5) +- **cluster-manager-operator** (OCM) deploys: + - `registration-controller` (scenario 4) + - `work-controller` (scenario 4) + - `placement-controller` (scenario 4) + +**Managed Cluster:** +- **import-controller** (Stolostron) deploys: + - `klusterlet-operator` (OCM operator, scenario 6) +- **klusterlet-operator** (OCM) deploys: + - `klusterlet-agent` (registration-agent, work-agent) (scenario 7) +- **Addon agents** (scenario 8) are deployed by respective addon managers +- **klusterlet-operator** already has capability to copy image pull secrets to addon namespaces + +--- + +## Scenario Summary + +| Scenario | Component | Platform | Sidecar | ConfigMap Pattern | Solution | +|---|---|---|---|---|---| +| **1** | Stolostron Hub | OpenShift | βœ… | Direct consumption | Refer to OpenShift hint doc | +| **2** | Stolostron Spoke | OpenShift | βœ… | Direct consumption | Refer to OpenShift hint doc | +| **3** | OCM Hub - cluster-manager-operator | OpenShift/K8s | βœ…/❌ | Watches + restarts | Sidecar + ConfigMap | +| **4** | OCM Hub - ocm-hub-components | OpenShift/K8s | ❌ | Operator creates ConfigMap | Operator propagation | +| **5** | OCM Hub - addon-manager | OpenShift/K8s | βœ…/❌ | Watches + restarts | Sidecar + ConfigMap | +| **6** | OCM Spoke - klusterlet-operator | OpenShift/K8s | βœ…/❌ | Watches + restarts | Sidecar + ConfigMap | +| **7** | OCM Spoke - klusterlet-agent | OpenShift/K8s | ❌ | Operator creates ConfigMap | Operator propagation | +| **8** | OCM Spoke - addon-agent | OpenShift/K8s | ❌ | Operator copies ConfigMap | ConfigMap copy pattern | +| **9** | cluster-proxy components (self-deployed by cluster proxy manager/agent) | OpenShift/K8s | TBD | TBD | TBD | + +--- + +## Solution Overview + +### Sidecar + ConfigMap Pattern + +``` +β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” +β”‚ OpenShift Platform (Stolostron deployment): β”‚ +β”‚ β”‚ +β”‚ Sidecar Container β†’ Watches APIServer TLS profile β”‚ +β”‚ β†’ Creates/Updates ConfigMap "ocm-tls-profile" β”‚ +β”‚ β”‚ +β”‚ Component Container β†’ Watches ConfigMap "ocm-tls-profile" β”‚ +β”‚ β†’ Applies new TLS config β”‚ +β”‚ β†’ Restarts itself on ConfigMap change β”‚ +β”‚ β”‚ +β”‚ Operators β†’ Read ConfigMap from their namespace β”‚ +β”‚ β†’ Create/Update ConfigMap in managed component ns β”‚ +β”‚ β”‚ +β”‚ Result: Dynamic TLS profile (Modern/Intermediate/Custom) β”‚ +β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ + +β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” +β”‚ Kubernetes Platform (Upstream deployment): β”‚ +β”‚ β”‚ +β”‚ No sidecar β†’ No ConfigMap β”‚ +β”‚ Components β†’ Use TLS 1.2 fallback (hardcoded safe default) β”‚ +β”‚ β”‚ +β”‚ Result: Static TLS 1.2 configuration β”‚ +β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ +``` + +### Key Principles + +1. **Upstream Portability**: OCM repos remain OpenShift-agnostic +2. **Sidecar Injection**: Downstream (Stolostron) repos inject sidecar when deploying on OpenShift +3. **ConfigMap Propagation**: Operators create ConfigMaps in managed component namespaces +4. **Restart on Change**: Components watch ConfigMap and restart when TLS config changes +5. **Safe Fallback**: Components use TLS 1.2 when ConfigMap not available (vanilla Kubernetes) +6. **Addon Flexibility**: For addon managers (Scenario 5) and addon agents (Scenario 8), this design is **for reference only**. Each addon squad can decide whether to adopt this pattern or implement their own solution. We do not enforce using this specific proposal for addons. + +--- + +## Stolostron Scenarios + +### Scenario 1: Stolostron Hub (OpenShift) + +**Components:** +- All Stolostron-specific hub components + +**Solution:** +Refer to [Hint for resolving TLS non-compliance tickets Code Examples](https://docs.google.com/document/d/1234567890) for implementation. + +**Key Points:** +- Use OpenShift library-go TLS helpers +- Watch `APIServer.spec.tlsSecurityProfile` directly +- No sidecar needed (native OpenShift code) + +--- + +### Scenario 2: Stolostron Spoke (OpenShift) + +**Components:** +- All Stolostron-specific managed cluster components + +**Solution:** +Refer to [Hint for resolving TLS non-compliance tickets Code Examples](https://docs.google.com/document/d/1234567890) for implementation. + +**Key Points:** +- Use OpenShift library-go TLS helpers +- Watch managed cluster's `APIServer.spec.tlsSecurityProfile` +- No sidecar needed (native OpenShift code) + +--- + +## OCM Hub Scenarios + +### Scenario 3: OCM Hub - cluster-manager-operator + +**Component:** `cluster-manager-operator` (registration-operator in cluster-manager mode) + +**Deployed by:** backplane-operator (Stolostron) + +**Platform:** OpenShift (when deployed by Stolostron) or Kubernetes (upstream) + +**Architecture Flow:** + +``` +β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” +β”‚ Hub OpenShift Cluster β”‚ +β”‚ β”‚ +β”‚ β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ +β”‚ β”‚ APIServer.spec.tlsSecurityProfile: Modern β”‚ β”‚ +β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ +β”‚ β”‚ Watches β”‚ +β”‚ β–Ό β”‚ +β”‚ β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ +β”‚ β”‚ Pod: cluster-manager-operator (deployed by backplane-op) β”‚ β”‚ +β”‚ β”‚ β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ β”‚ +β”‚ β”‚ β”‚ Container: β”‚ β”‚ Sidecar: β”‚ β”‚ β”‚ +β”‚ β”‚ β”‚ registration- β”‚ β”‚ tls-profile-sync β”‚ β”‚ β”‚ +β”‚ β”‚ β”‚ operator β”‚ β”‚ β”‚ β”‚ β”‚ +β”‚ β”‚ β”‚ β”‚ β”‚ β€’ Watches APIServer β”‚ β”‚ β”‚ +β”‚ β”‚ β”‚ β€’ Watches β”‚ β”‚ β€’ Creates/Updates ConfigMap β”‚ β”‚ β”‚ +β”‚ β”‚ β”‚ ConfigMap β”‚ β”‚ β”‚ β”‚ β”‚ +β”‚ β”‚ β”‚ β€’ Restarts on β”‚ β”‚ β”‚ β”‚ β”‚ +β”‚ β”‚ β”‚ change β”‚ β”‚ β”‚ β”‚ β”‚ +β”‚ β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ └───────────┬ β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ β”‚ +β”‚ └───────────┼────────────────────────┼─────────────── β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ +β”‚ β”‚ β”‚ β”‚ +β”‚ β”‚ β–Ό β”‚ +β”‚ β”‚ β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ +β”‚ β”‚ β”‚ ConfigMap: ocm-tls-profile β”‚ β”‚ +β”‚ └──▢│ Namespace: multicluster-engine β”‚ β”‚ +β”‚ β”‚ β”‚ β”‚ +β”‚ β”‚ data: β”‚ β”‚ +β”‚ β”‚ minTLSVersion: "VersionTLS13" β”‚ β”‚ +β”‚ β”‚ cipherSuites: "" β”‚ β”‚ +β”‚ β”‚ profileType: "Modern" β”‚ β”‚ +β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ +β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ +``` + +**How It Works:** + +1. **Sidecar Injection** (Downstream - backplane-operator) + - backplane-operator detects OpenShift platform + - Injects `tls-profile-sync` sidecar into cluster-manager-operator pod + +2. **ConfigMap Creation** (Sidecar) + - Sidecar watches hub's `APIServer.spec.tlsSecurityProfile` + - Creates/updates `ocm-tls-profile` ConfigMap in `multicluster-engine` namespace + +3. **Component Consumption** (Upstream - cluster-manager-operator) + - Watches `ocm-tls-profile` ConfigMap using standard Kubernetes client-go + - When ConfigMap changes β†’ applies new TLS config β†’ **restarts itself** + - If ConfigMap not found (vanilla K8s) β†’ falls back to TLS 1.2 + +**Code Owner:** +- Sidecar injection: Downstream (backplane-operator) +- Sidecar container: Downstream (stolostron/import-controller->tls-profile-sync) +- ConfigMap watching + restart logic: Upstream (registration-operator) + +--- + +### Scenario 4: OCM Hub - ocm-hub-components + +**Components:** +- registration-controller +- work-controller (work-webhook) +- placement-controller + +**Deployed by:** cluster-manager-operator (OCM) + +**Deployed in:** `open-cluster-management-hub` namespace (all components in same namespace) + +**Platform:** OpenShift (when operator deployed by Stolostron) or Kubernetes (upstream) + +**Architecture Flow:** + +``` +β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” +β”‚ Hub Cluster β”‚ +β”‚ β”‚ +β”‚ β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ +β”‚ β”‚ cluster-manager-operator (Scenario 3) β”‚ β”‚ +β”‚ β”‚ Namespace: multicluster-engine β”‚ β”‚ +β”‚ β”‚ β”‚ β”‚ +β”‚ β”‚ β€’ Reads: multicluster-engine/ocm-tls-profile β”‚ β”‚ +β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ +β”‚ β”‚ Creates ConfigMap in hub component ns β”‚ +β”‚ β”‚ β”‚ +β”‚ β–Ό β”‚ +β”‚ β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ +β”‚ β”‚ ConfigMap: ocm-tls-profile β”‚ β”‚ +β”‚ β”‚ Namespace: open-cluster-management-hub β”‚ β”‚ +β”‚ β”‚ β”‚ β”‚ +β”‚ β”‚ data: β”‚ β”‚ +β”‚ β”‚ minTLSVersion: "VersionTLS13" β”‚ β”‚ +β”‚ β”‚ cipherSuites: "" β”‚ β”‚ +β”‚ β”‚ profileType: "Modern" β”‚ β”‚ +β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ +β”‚ β”‚ Shared by all hub components β”‚ +β”‚ β”‚ (all in same namespace) β”‚ +β”‚ β”‚ β”‚ +β”‚ β–Ό β”‚ +β”‚ β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ +β”‚ β”‚ Components in open-cluster-management-hub namespace: β”‚ β”‚ +β”‚ β”‚ β”‚ β”‚ +β”‚ β”‚ β€’ registration-controller β†’ watches ConfigMap, restarts β”‚ β”‚ +β”‚ β”‚ β€’ work-controller β†’ watches ConfigMap, restarts β”‚ β”‚ +β”‚ β”‚ β€’ placement-controller β†’ watches ConfigMap, restarts β”‚ β”‚ +β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ +β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ +``` + +**How It Works:** + +1. **Operator Reads Source ConfigMap** + - cluster-manager-operator (in `multicluster-engine` namespace) watches `multicluster-engine/ocm-tls-profile` + +2. **Operator Creates ConfigMap in Hub Components Namespace** + - Creates/updates `ocm-tls-profile` in `open-cluster-management-hub` namespace + - Single ConfigMap shared by all hub components (they're all in the same namespace) + +3. **Components Watch Their Namespace's ConfigMap** + - All hub components watch `open-cluster-management-hub/ocm-tls-profile` + - On ConfigMap change β†’ applies TLS config β†’ **restarts** + - If ConfigMap not found β†’ falls back to TLS 1.2 + +**Code Owner:** +- ConfigMap propagation logic: Upstream (cluster-manager-operator) +- ConfigMap watching + restart: Upstream (each component) + +--- + +### Scenario 5: OCM Hub - addon-manager + +> **Note:** This scenario is **for reference only**. Each addon squad can decide whether to adopt this pattern or implement their own solution. + +**Components:** +- cluster-proxy-addon-manager (deployed in `multicluster-engine` namespace) +- Other addon managers like submariner (deployed in their own namespaces) + +**Deployed by:** backplane-operator (Stolostron) + +**Platform:** OpenShift (when deployed by Stolostron) or Kubernetes (upstream) + +#### Sub-case 5a: cluster-proxy-addon-manager (Same Namespace as Operator) + +**Deployed in:** `multicluster-engine` namespace (same as cluster-manager-operator) + +**Architecture Flow:** + +``` +β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” +β”‚ Hub OpenShift Cluster β”‚ +β”‚ β”‚ +β”‚ β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ +β”‚ β”‚ ConfigMap: ocm-tls-profile (from Scenario 3) β”‚ β”‚ +β”‚ β”‚ Namespace: multicluster-engine β”‚ β”‚ +β”‚ β”‚ β”‚ β”‚ +β”‚ β”‚ Created by cluster-manager-operator sidecar β”‚ β”‚ +β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ +β”‚ β”‚ Shared in same namespace β”‚ +β”‚ β”‚ β”‚ +β”‚ β–Ό β”‚ +β”‚ β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ +β”‚ β”‚ Pod: cluster-proxy-addon-manager β”‚ β”‚ +β”‚ β”‚ Namespace: multicluster-engine β”‚ β”‚ +β”‚ β”‚ β”‚ β”‚ +β”‚ β”‚ β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ β”‚ +β”‚ β”‚ β”‚ Container: cluster-proxy-addon-manager β”‚ β”‚ β”‚ +β”‚ β”‚ β”‚ β”‚ β”‚ β”‚ +β”‚ β”‚ β”‚ β€’ No sidecar needed (same namespace) β”‚ β”‚ β”‚ +β”‚ β”‚ β”‚ β€’ Watches multicluster-engine/ocm-tls-profile β”‚ β”‚ β”‚ +β”‚ β”‚ β”‚ β€’ Restarts on ConfigMap change β”‚ β”‚ β”‚ +β”‚ β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ β”‚ +β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ +β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ +``` + +**How It Works:** + +1. **No Sidecar Needed** + - cluster-proxy-addon-manager deployed in same namespace as cluster-manager-operator + - Reads the same ConfigMap created by cluster-manager-operator's sidecar + +2. **Component Consumption** + - Watches `multicluster-engine/ocm-tls-profile` + - On ConfigMap change β†’ applies TLS config β†’ **restarts** + - If ConfigMap not found β†’ falls back to TLS 1.2 + +**Code Owner:** +- All upstream (no sidecar injection needed) + +#### Sub-case 5b: Other Addon Managers (Different Namespace) + +**Example:** submariner-addon-manager + +**Deployed in:** Addon-specific namespace (e.g., `submariner-operator`) + +**Architecture Flow:** + +``` +β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” +β”‚ Hub OpenShift Cluster β”‚ +β”‚ β”‚ +β”‚ β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ +β”‚ β”‚ APIServer.spec.tlsSecurityProfile β”‚ β”‚ +β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ +β”‚ β”‚ Watches β”‚ +β”‚ β–Ό β”‚ +β”‚ β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ +β”‚ β”‚ Pod: submariner-addon-manager (by backplane-op) β”‚ β”‚ +β”‚ β”‚ Namespace: submariner-operator β”‚ β”‚ +β”‚ β”‚ β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ β”‚ +β”‚ β”‚ β”‚ Container: β”‚ β”‚ Sidecar: β”‚ β”‚ β”‚ +β”‚ β”‚ β”‚ addon-manager β”‚ β”‚ tls-profile-sync β”‚ β”‚ β”‚ +β”‚ β”‚ β”‚ β”‚ β”‚ β”‚ β”‚ β”‚ +β”‚ β”‚ β”‚ β€’ Watches β”‚ β”‚ β€’ Watches APIServer β”‚ β”‚ β”‚ +β”‚ β”‚ β”‚ ConfigMap β”‚ β”‚ β€’ Creates/Updates ConfigMap β”‚ β”‚ β”‚ +β”‚ β”‚ β”‚ β€’ Restarts on β”‚ β”‚ β”‚ β”‚ β”‚ +β”‚ β”‚ β”‚ change β”‚ β”‚ β”‚ β”‚ β”‚ +β”‚ β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ β”‚ +β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ +β”‚ β”‚ β”‚ β”‚ +β”‚ β”‚ β–Ό β”‚ +β”‚ β”‚ β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ +β”‚ β”‚ β”‚ ConfigMap: ocm-tls-profile β”‚ β”‚ +β”‚ └──▢│ Namespace: submariner-operator β”‚ β”‚ +β”‚ β”‚ β”‚ β”‚ +β”‚ β”‚ data: β”‚ β”‚ +β”‚ β”‚ minTLSVersion: "VersionTLS13" β”‚ β”‚ +β”‚ β”‚ cipherSuites: "" β”‚ β”‚ +β”‚ β”‚ profileType: "Modern" β”‚ β”‚ +β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ +β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ +``` + +**How It Works:** + +1. **Sidecar Injection** (Downstream - backplane-operator) + - backplane-operator detects addon manager in different namespace + - Injects `tls-profile-sync` sidecar into addon manager pod + +2. **ConfigMap Creation** (Sidecar) + - Sidecar watches hub's `APIServer.spec.tlsSecurityProfile` + - Creates/updates `ocm-tls-profile` in addon's namespace (e.g., `submariner-operator`) + +3. **Component Consumption** (Upstream - addon manager) + - Watches ConfigMap in its own namespace + - On change β†’ applies TLS config β†’ **restarts** + - If ConfigMap not found β†’ falls back to TLS 1.2 + +**Code Owner:** +- Sidecar injection: Downstream (backplane-operator) +- Sidecar container: Downstream (stolostron/tls-profile-sync) +- ConfigMap watching + restart: Upstream (addon-manager code) + +--- + +## OCM Spoke Scenarios + +### Scenario 6: OCM Spoke - klusterlet-operator + +**Component:** `klusterlet-operator` (registration-operator in klusterlet mode) + +**Deployed by:** import-controller (Stolostron) + +**Platform:** OpenShift (when deployed by Stolostron) or Kubernetes (upstream) + +**Architecture Flow:** + +``` +β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” +β”‚ Managed OpenShift Cluster β”‚ +β”‚ β”‚ +β”‚ β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ +β”‚ β”‚ APIServer.spec.tlsSecurityProfile (LOCAL cluster!) β”‚ β”‚ +β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ +β”‚ β”‚ Watches β”‚ +β”‚ β–Ό β”‚ +β”‚ β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ +β”‚ β”‚ Pod: klusterlet-operator (deployed by import-controller) β”‚ β”‚ +β”‚ β”‚ β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ β”‚ +β”‚ β”‚ β”‚ Container: β”‚ β”‚ Sidecar: β”‚ β”‚ β”‚ +β”‚ β”‚ β”‚ registration- β”‚ β”‚ tls-profile-sync β”‚ β”‚ β”‚ +β”‚ β”‚ β”‚ operator β”‚ β”‚ β”‚ β”‚ β”‚ +β”‚ β”‚ β”‚ β”‚ β”‚ β€’ Watches LOCAL APIServer β”‚ β”‚ β”‚ +β”‚ β”‚ β”‚ β€’ Watches β”‚ β”‚ β€’ Creates/Updates ConfigMap β”‚ β”‚ β”‚ +β”‚ β”‚ β”‚ ConfigMap β”‚ β”‚ β”‚ β”‚ β”‚ +β”‚ β”‚ β”‚ β€’ Restarts on β”‚ β”‚ β”‚ β”‚ β”‚ +β”‚ β”‚ β”‚ change β”‚ β”‚ β”‚ β”‚ β”‚ +β”‚ β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ β”‚ +β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ +β”‚ β”‚ β”‚ β”‚ +β”‚ β”‚ β–Ό β”‚ +β”‚ β”‚ β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ +β”‚ β”‚ β”‚ ConfigMap: ocm-tls-profile (SOURCE) β”‚ β”‚ +β”‚ └──▢│ Namespace: open-cluster-management-agentβ”‚ β”‚ +β”‚ β”‚ β”‚ β”‚ +β”‚ β”‚ data: β”‚ β”‚ +β”‚ β”‚ minTLSVersion: "VersionTLS12" β”‚ β”‚ +β”‚ β”‚ cipherSuites: "..." β”‚ β”‚ +β”‚ β”‚ profileType: "Intermediate" β”‚ β”‚ +β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ +β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ +``` + +**How It Works:** + +1. **Sidecar Injection** (Downstream - import-controller) + - import-controller detects OpenShift platform on managed cluster + - Injects `tls-profile-sync` sidecar into klusterlet-operator pod + +2. **ConfigMap Creation** (Sidecar) + - Sidecar watches **managed cluster's** `APIServer.spec.tlsSecurityProfile` (NOT hub!) + - Creates/updates `ocm-tls-profile` in `open-cluster-management-agent` namespace + +3. **Component Consumption** (Upstream - klusterlet-operator) + - Watches `ocm-tls-profile` ConfigMap + - On change β†’ applies TLS config β†’ **restarts** + - If ConfigMap not found β†’ falls back to TLS 1.2 + +**Important:** Each managed cluster uses its **OWN** TLS profile, not the hub's! + +**Code Owner:** +- Sidecar injection: Downstream (import-controller) +- Sidecar container: Downstream (stolostron/tls-profile-sync) +- ConfigMap watching + restart: Upstream (registration-operator) + +--- + +### Scenario 7: OCM Spoke - klusterlet-agent + +**Components:** +- klusterlet-agent (singleton mode) +- registration-agent (default mode) +- work-agent (default mode) + +**Deployed by:** klusterlet-operator (OCM) + +**Platform:** OpenShift (when operator deployed by Stolostron) or Kubernetes (upstream) + +#### Sub-case 7a: Default Mode (Same Namespace as Operator) + +**Deployed in:** `open-cluster-management-agent` namespace (same as klusterlet-operator) + +**Architecture Flow:** + +``` +β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” +β”‚ Managed Cluster (Default Mode) β”‚ +β”‚ β”‚ +β”‚ β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ +β”‚ β”‚ klusterlet-operator (Scenario 6) β”‚ β”‚ +β”‚ β”‚ β€’ Reads: open-cluster-management-agent/ocm-tls-profile β”‚ β”‚ +β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ +β”‚ β”‚ Already in same namespace β”‚ +β”‚ β”‚ β”‚ +β”‚ β–Ό β”‚ +β”‚ β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ +β”‚ β”‚ ConfigMap: ocm-tls-profile β”‚ β”‚ +β”‚ β”‚ Namespace: open-cluster-management-agent (same as operator) β”‚ β”‚ +β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ +β”‚ β”‚ Shared by klusterlet components β”‚ +β”‚ β”‚ β”‚ +β”‚ β–Ό β”‚ +β”‚ β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ +β”‚ β”‚ Components in open-cluster-management-agent namespace: β”‚ β”‚ +β”‚ β”‚ β”‚ β”‚ +β”‚ β”‚ Singleton mode: β”‚ β”‚ +β”‚ β”‚ β€’ klusterlet-agent β†’ watches ConfigMap, restarts β”‚ β”‚ +β”‚ β”‚ β”‚ β”‚ +β”‚ β”‚ Default mode: β”‚ β”‚ +β”‚ β”‚ β€’ registration-agent β†’ watches ConfigMap, restarts β”‚ β”‚ +β”‚ β”‚ β€’ work-agent β†’ watches ConfigMap, restarts β”‚ β”‚ +β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ +β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ +``` + +**How It Works:** + +1. **No ConfigMap Copy Needed** + - klusterlet-operator and klusterlet agents in same namespace (`open-cluster-management-agent`) + - All components read the same ConfigMap + +2. **Component Consumption** + - Agents watch `open-cluster-management-agent/ocm-tls-profile` + - On change β†’ apply TLS config β†’ **restart** + - If ConfigMap not found β†’ fall back to TLS 1.2 + +**Code Owner:** +- All upstream (no Stolostron-specific code) + +#### Sub-case 7b: Hosted Mode (Different Namespace) + +**Deployed in:** Hosted namespace (e.g., `klusterlet-`) + +**Architecture Flow:** + +``` +β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” +β”‚ Hosting Cluster (could be Hub or dedicated hosting cluster) β”‚ +β”‚ β”‚ +β”‚ β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ +β”‚ β”‚ ConfigMap: ocm-tls-profile (SOURCE) β”‚ β”‚ +β”‚ β”‚ Namespace: open-cluster-management-agent β”‚ β”‚ +β”‚ β”‚ β”‚ β”‚ +β”‚ β”‚ Created by klusterlet-operator sidecar β”‚ β”‚ +β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ +β”‚ β”‚ β”‚ +β”‚ β”‚ klusterlet-operator runs controller β”‚ +β”‚ β”‚ to copy ConfigMap to hosted namespace β”‚ +β”‚ β”‚ β”‚ +β”‚ β–Ό β”‚ +β”‚ β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ +β”‚ β”‚ ConfigMap: ocm-tls-profile β”‚ β”‚ +β”‚ β”‚ Namespace: klusterlet- β”‚ β”‚ +β”‚ β”‚ β”‚ β”‚ +β”‚ β”‚ data: β”‚ β”‚ +β”‚ β”‚ minTLSVersion: "VersionTLS12" β”‚ β”‚ +β”‚ β”‚ cipherSuites: "..." β”‚ β”‚ +β”‚ β”‚ profileType: "Intermediate" β”‚ β”‚ +β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ +β”‚ β”‚ Read by hosted klusterlet agents β”‚ +β”‚ β”‚ β”‚ +β”‚ β–Ό β”‚ +β”‚ β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ +β”‚ β”‚ Components in klusterlet- namespace: β”‚ β”‚ +β”‚ β”‚ β”‚ β”‚ +β”‚ β”‚ Singleton mode: β”‚ β”‚ +β”‚ β”‚ β€’ klusterlet-agent β†’ watches ConfigMap, restarts β”‚ β”‚ +β”‚ β”‚ β”‚ β”‚ +β”‚ β”‚ Default mode: β”‚ β”‚ +β”‚ β”‚ β€’ registration-agent β†’ watches ConfigMap, restarts β”‚ β”‚ +β”‚ β”‚ β€’ work-agent β†’ watches ConfigMap, restarts β”‚ β”‚ +β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ +β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ +``` + +**How It Works:** + +1. **Operator Reads Source ConfigMap** + - klusterlet-operator (in `open-cluster-management-agent`) watches `open-cluster-management-agent/ocm-tls-profile` + +2. **Operator Copies ConfigMap to Hosted Namespace** + - klusterlet-operator runs a controller to detect hosted mode deployments + - Copies ConfigMap to hosted namespace (e.g., `klusterlet-`) + +3. **Component Consumption** + - Agents in hosted namespace watch ConfigMap in their namespace + - On change β†’ apply TLS config β†’ **restart** + - If ConfigMap not found β†’ fall back to TLS 1.2 + +**Note:** In hosted mode, the TLS profile comes from the **hosting cluster's** APIServer (where klusterlet-operator runs), not the managed cluster's APIServer. + +**Code Owner:** +- ConfigMap copy logic: Upstream (klusterlet-operator) +- ConfigMap watching + restart: Upstream (agents) + +--- + +### Scenario 8: OCM Spoke - addon-agent + +> **Note:** This scenario is **for reference only**. Each addon squad can decide whether to adopt this pattern or implement their own solution. + +**Components:** +- app-addon-agent +- policy-addon-agent +- observability-addon-agent +- cluster-proxy-addon-agent +- Any other addon agents + +**Deployed by:** Respective addon managers (hub) + +**Platform:** OpenShift (when klusterlet deployed by Stolostron) or Kubernetes (upstream) + +**Architecture Flow:** + +``` +β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” +β”‚ Managed Cluster β”‚ +β”‚ β”‚ +β”‚ β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ +β”‚ β”‚ ConfigMap: ocm-tls-profile (SOURCE) β”‚ β”‚ +β”‚ β”‚ Namespace: open-cluster-management-agent β”‚ β”‚ +β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ +β”‚ β”‚ β”‚ +β”‚ β”‚ klusterlet-operator runs β”‚ +β”‚ β”‚ AddonTLSConfigController β”‚ +β”‚ β”‚ (similar to AddonPullImageSecretCtrl) β”‚ +β”‚ β”‚ β”‚ +β”‚ β–Ό β”‚ +β”‚ β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ +β”‚ β”‚ Controller watches addon namespaces and copies ConfigMap: β”‚ β”‚ +β”‚ β”‚ β”‚ β”‚ +β”‚ β”‚ β€’ Label: addon.open-cluster-management.io/namespace=true β”‚ β”‚ +β”‚ β”‚ β€’ On new addon namespace β†’ copy ConfigMap β”‚ β”‚ +β”‚ β”‚ β€’ On source ConfigMap update β†’ update all copies β”‚ β”‚ +β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ +β”‚ β”‚ β”‚ β”‚ β”‚ +β”‚ β–Ό β–Ό β–Ό β”‚ +β”‚ β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ +β”‚ β”‚ ConfigMap Copies in Addon Namespaces: β”‚ β”‚ +β”‚ β”‚ β”‚ β”‚ +β”‚ β”‚ β€’ addon-app/ocm-tls-profile β”‚ β”‚ +β”‚ β”‚ β€’ addon-policy/ocm-tls-profile β”‚ β”‚ +β”‚ β”‚ β€’ addon-observability/ocm-tls-profile β”‚ β”‚ +β”‚ β”‚ β€’ addon-cluster-proxy/ocm-tls-profile β”‚ β”‚ +β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ +β”‚ β”‚ β”‚ β”‚ β”‚ +β”‚ β–Ό β–Ό β–Ό β”‚ +β”‚ β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ +β”‚ β”‚ Addon Agents watch ConfigMap in their namespace: β”‚ β”‚ +β”‚ β”‚ β”‚ β”‚ +β”‚ β”‚ β€’ app-addon-agent β†’ restarts on change β”‚ β”‚ +β”‚ β”‚ β€’ policy-addon-agent β†’ restarts on change β”‚ β”‚ +β”‚ β”‚ β€’ observability-addon-agent β†’ restarts on change β”‚ β”‚ +β”‚ β”‚ β€’ cluster-proxy-addon-agent β†’ restarts on change β”‚ β”‚ +β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ +β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ +``` + +**How It Works:** + +1. **ConfigMap Copy Controller** (Upstream - klusterlet-operator) + - `AddonTLSConfigController` runs in klusterlet-operator + - Pattern: Same as existing `AddonPullImageSecretController` + - Watches namespaces labeled `addon.open-cluster-management.io/namespace: "true"` + +2. **ConfigMap Propagation** + - Source: `open-cluster-management-agent/ocm-tls-profile` + - Destination: `addon-/ocm-tls-profile` + - On source update β†’ update all copies + +3. **Addon Agent Consumption** + - Each addon agent watches ConfigMap in its own namespace + - On change β†’ apply TLS config β†’ **restart** + - If ConfigMap not found β†’ fall back to TLS 1.2 + +**Why Copy ConfigMaps?** +- βœ… Namespace isolation (addons read from own namespace) +- βœ… Simpler RBAC (no cross-namespace access needed) +- βœ… Consistent with existing pattern (image pull secrets) + +**Code Owner:** +- AddonTLSConfigController: Upstream (klusterlet-operator) +- ConfigMap watching + restart: Upstream (addon agent code) + +--- + +## Implementation Details + +### ConfigMap Format + +```yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: ocm-tls-profile + namespace: +data: + minTLSVersion: "VersionTLS13" + cipherSuites: "TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,..." + profileType: "Modern" # Modern, Intermediate, Old, or Custom +``` + +### Component Restart Logic + +Components watch the ConfigMap and restart when it changes: + +**Pseudo-code:** +```go +// In component's main.go +func main() { + // 1. Read TLS config from ConfigMap (or use fallback) + tlsConfig := readTLSConfigFromConfigMap() + + // 2. Start ConfigMap watcher + go watchConfigMapAndRestart() + + // 3. Start component with TLS config + startComponent(tlsConfig) +} + +func watchConfigMapAndRestart() { + watcher := watchConfigMap("ocm-tls-profile") + for event := range watcher.ResultChan() { + if event.Type == watch.Modified { + // Restart: exit with code 0, let Kubernetes restart the pod + os.Exit(0) + } + } +} + +func readTLSConfigFromConfigMap() *tls.Config { + cm, err := client.CoreV1().ConfigMaps(namespace).Get("ocm-tls-profile") + if err != nil { + // ConfigMap not found β†’ fallback to TLS 1.2 + return &tls.Config{MinVersion: tls.VersionTLS12} + } + + // Parse ConfigMap and return TLS config + return parseTLSConfig(cm) +} +``` + +### New Components + +| Component | Repository | Owner | Purpose | +|---|---|---|---| +| tls-profile-sync sidecar | stolostron/tls-profile-sync | Downstream | Watches OpenShift APIServer, creates ConfigMap | +| Shared TLS library/helpers | open-cluster-management-io/sdk-go | Upstream | ConfigMap parsing, fallback logic, TLS config helpers | +| AddonTLSConfigController | open-cluster-management-io/registration-operator | Upstream | Copies ConfigMap to addon namespaces (in klusterlet-operator) | +| Addon ConfigMap watch + restart | open-cluster-management-io/addon-framework | Upstream | Common addon functionality to watch ConfigMap and restart | + +### Modified Components + +| Component | Repository | Modification | Owner | +|---|---|---|---| +| backplane-operator | stolostron/backplane-operator | Inject sidecar for cluster-manager-operator, addon-managers | Downstream | +| import-controller | stolostron/import-controller | Inject sidecar for klusterlet-operator | Downstream | +| cluster-manager-operator | open-cluster-management-io/registration-operator | Watch ConfigMap, create ConfigMaps in managed ns, restart on change | Upstream | +| klusterlet-operator | open-cluster-management-io/registration-operator | Watch ConfigMap, run AddonTLSConfigController, restart on change | Upstream | +| All hub/spoke components | Multiple ocm repos | Use sdk-go TLS library, watch ConfigMap, restart on change | Upstream | +| addon-framework | open-cluster-management-io/addon-framework | Provide ConfigMap watch + restart for all addons | Upstream | + +### Sidecar Injection Points + +**Downstream Repos Responsible for Sidecar Injection:** + +1. **backplane-operator** (Stolostron) injects sidecar into: + - cluster-manager-operator pod + - Addon-manager pods deployed in different namespaces (e.g., submariner-addon-manager) + +2. **import-controller** (Stolostron) injects sidecar into: + - klusterlet-operator pod + +**Sidecar Detection Logic:** +```go +// In backplane-operator / import-controller +func shouldInjectSidecar() bool { + // Check if platform is OpenShift + _, err := client.Discovery().ServerResourcesForGroupVersion("config.openshift.io/v1") + return err == nil +} +``` + +--- + +## Compliance Verification + +**Tools:** +- `tls-scanner`: Validate no hardcoded TLS settings +- `semgrep`: Scan for `tls.VersionTLS` hardcoding +- E2E tests: Verify dynamic TLS profile changes + +**Test Scenarios:** +1. Change OpenShift APIServer TLS profile β†’ verify components restart with new config +2. Deploy on vanilla Kubernetes β†’ verify components use TLS 1.2 fallback +3. Add new addon β†’ verify ConfigMap copied to addon namespace +4. Sidecar crash β†’ verify components continue with last known config + +--- + +## Current Findings + +### Identified Hardcoded TLS Settings + +**File:** [pkg/common/options/webhook.go:97](pkg/common/options/webhook.go#L97) +```go +config.MinVersion = tls.VersionTLS12 // HARDCODED - needs remediation +``` + +**Remediation:** +Replace with shared TLS library that reads from ConfigMap or uses fallback. + +**Expected Change:** +```go +// Before +TLSOpts: []func(config *tls.Config){ + func(config *tls.Config) { + config.MinVersion = tls.VersionTLS12 // HARDCODED + }, +}, + +// After +TLSOpts: []func(config *tls.Config){ + GetTLSConfigFromConfigMap(ctx, client, namespace), // Dynamic +}, +``` + +--- + +## FAQ + +**Q: Do upstream OCM repos need OpenShift dependencies?** +A: No. Upstream only uses standard Kubernetes client-go to read ConfigMaps. + +**Q: What if sidecar crashes?** +A: Kubernetes restarts sidecar. Components continue with last known ConfigMap state. + +**Q: Why restart components instead of hot-reload?** +A: Simpler implementation. TLS profile changes are infrequent (admin actions). Kubernetes handles graceful restart. + +**Q: Can users customize TLS profile?** +A: Yes, via `APIServer.spec.tlsSecurityProfile` (OpenShift cluster-wide setting). Changes propagate automatically. + +**Q: What about client TLS?** +A: Separate initiative. This design focuses on server TLS (webhook servers, metrics servers, etc.) + +**Q: Why does each managed cluster use its own TLS profile?** +A: Managed cluster security admins control their own security policy. Managed cluster may require stricter or looser TLS than hub. + +**Q: What if ConfigMap is deleted? Does the operator create it again?** + +A: Yes, the ConfigMap is automatically recreated through Kubernetes reconciliation loops: + +- **Sidecars**: The `tls-profile-sync` sidecar continuously watches the APIServer TLS profile and reconciles the ConfigMap. If deleted, it recreates the ConfigMap within seconds based on the current APIServer settings. +- **Operators**: Operators (cluster-manager-operator, klusterlet-operator) watch their source ConfigMaps and recreate managed ConfigMaps. For example, if `open-cluster-management-hub/ocm-tls-profile` is deleted, cluster-manager-operator recreates it from `multicluster-engine/ocm-tls-profile`. +- **During Recreation**: Components detect ConfigMap deletion and fall back to TLS 1.2 temporarily. Once the ConfigMap is recreated, components detect the change and restart to apply the correct TLS profile. +- **Result**: Brief service interruption during restart, but system self-heals automatically. + +**Q: How does this support Post-Quantum Cryptography (PQC)?** +A: When OpenShift adds PQC cipher suites to APIServer TLS profiles, all components automatically adopt them via dynamic ConfigMap updates. + +--- + +## Approval and Sign-off + +**Document Owner:** ACM Server Foundation Team +**JIRA:** [ACM-26882](https://issues.redhat.com/browse/ACM-26882) +**Status:** Awaiting Review + +### Required Approvals + +- [ ] Server Foundation Team +- [ ] Installer Team + +--- + +## References + +- **OpenShift Requirement:** [Hint for resolving TLS non-compliance tickets Code Examples](https://docs.google.com/document/d/1234567890) +- **JIRA:** [ACM-26882: [ACM] Central TLS Profile consistency](https://issues.redhat.com/browse/ACM-26882) +- **Existing Pattern:** `pkg/operator/operators/klusterlet/controllers/addonsecretcontroller/controller.go` From 5c210764a1aebeb2a0bb68c77a2e5c6d61eba15e Mon Sep 17 00:00:00 2001 From: zhujian Date: Thu, 12 Mar 2026 18:27:52 +0800 Subject: [PATCH 2/9] =?UTF-8?q?=F0=9F=93=96=20Refactor=20TLS=20design=20do?= =?UTF-8?q?c=20for=20better=20readability?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Improve the TLS Profile Compliance Design document with: - Add explanation of how sidecar+ConfigMap pattern resolves upstream challenge - Convert deployment relationships to table format for clarity - Consolidate Scenarios 1 & 2 (identical solutions) - Streamline implementation sections (remove verbose "How It Works") - Condense FAQ answers while preserving technical content - Reduce document length by 24% without losing information - Improve scannability with shorter paragraphs and bullet points Technical content remains unchanged; purely editorial improvements. πŸ€– Assisted by Claude Code Co-Authored-By: Claude Signed-off-by: zhujian --- docs/TLS_PROFILE_COMPLIANCE_DESIGN.md | 424 +++++--------------------- 1 file changed, 81 insertions(+), 343 deletions(-) diff --git a/docs/TLS_PROFILE_COMPLIANCE_DESIGN.md b/docs/TLS_PROFILE_COMPLIANCE_DESIGN.md index 43a2b832a..f94de0f88 100644 --- a/docs/TLS_PROFILE_COMPLIANCE_DESIGN.md +++ b/docs/TLS_PROFILE_COMPLIANCE_DESIGN.md @@ -3,7 +3,6 @@ **JIRA:** [ACM-26882: [ACM] Central TLS Profile consistency](https://issues.redhat.com/browse/ACM-26882) **Document Status:** Design Document **Last Updated:** 2026-03-12 -**Deadline:** OCP 4.22 GA --- @@ -24,32 +23,22 @@ ### Purpose -This design document provides a unified approach for all server foundation repositories to implement TLS profile compliance as required by OpenShift 4.22 GA. The requirement mandates that all components **dynamically fetch and apply TLS configuration from centralized sources** rather than hardcoding TLS settings. This is critical for **Post-Quantum Cryptography (PQC) readiness**. +This design provides a unified approach for server foundation repositories to implement TLS profile compliance for OpenShift 4.22 GA. Components must **dynamically fetch and apply TLS configuration** rather than hardcoding TLS settings, critical for **Post-Quantum Cryptography (PQC) readiness**. ### Challenge for OCM -OCM repos are **upstream Kubernetes projects** that must work on any Kubernetes distribution. They **cannot depend on OpenShift-specific APIs** like `APIServer.spec.tlsSecurityProfile`. +OCM repos are **upstream Kubernetes projects** that cannot depend on OpenShift-specific APIs like `APIServer.spec.tlsSecurityProfile`. -### Background: Deployment Relationships +### Deployment Relationships -Understanding who deploys what is critical to the design: - -**Hub Cluster:** -- **backplane-operator** (Stolostron) deploys: - - `cluster-manager-operator` (OCM operator, scenario 3) - - `cluster-proxy-addon-manager` (OCM addon manager, scenario 5) -- **cluster-manager-operator** (OCM) deploys: - - `registration-controller` (scenario 4) - - `work-controller` (scenario 4) - - `placement-controller` (scenario 4) - -**Managed Cluster:** -- **import-controller** (Stolostron) deploys: - - `klusterlet-operator` (OCM operator, scenario 6) -- **klusterlet-operator** (OCM) deploys: - - `klusterlet-agent` (registration-agent, work-agent) (scenario 7) -- **Addon agents** (scenario 8) are deployed by respective addon managers -- **klusterlet-operator** already has capability to copy image pull secrets to addon namespaces +| Deployer | Deploys | Scenario | +|---|---|---| +| **Hub:** backplane-operator | cluster-manager-operator | 3 | +| **Hub:** backplane-operator | cluster-proxy-addon-manager | 5 | +| **Hub:** cluster-manager-operator | registration/work/placement-controller | 4 | +| **Spoke:** import-controller | klusterlet-operator | 6 | +| **Spoke:** klusterlet-operator | klusterlet/registration/work-agent | 7 | +| **Spoke:** addon managers | addon agents | 8 | --- @@ -73,6 +62,8 @@ Understanding who deploys what is critical to the design: ### Sidecar + ConfigMap Pattern +**How this resolves the upstream challenge:** The sidecar (downstream code) handles OpenShift-specific API access (`APIServer.spec.tlsSecurityProfile`), translating it into a standard Kubernetes ConfigMap. Upstream OCM components only use standard Kubernetes client-go to watch and read ConfigMaps, maintaining full portability across any Kubernetes distribution while enabling OpenShift integration when deployed by Stolostron. + ``` β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ OpenShift Platform (Stolostron deployment): β”‚ @@ -107,39 +98,17 @@ Understanding who deploys what is critical to the design: 3. **ConfigMap Propagation**: Operators create ConfigMaps in managed component namespaces 4. **Restart on Change**: Components watch ConfigMap and restart when TLS config changes 5. **Safe Fallback**: Components use TLS 1.2 when ConfigMap not available (vanilla Kubernetes) -6. **Addon Flexibility**: For addon managers (Scenario 5) and addon agents (Scenario 8), this design is **for reference only**. Each addon squad can decide whether to adopt this pattern or implement their own solution. We do not enforce using this specific proposal for addons. +6. **Addon Flexibility**: Scenarios 5 & 8 are **for reference only**. Addon squads may implement their own solution. --- ## Stolostron Scenarios -### Scenario 1: Stolostron Hub (OpenShift) +### Scenario 1 & 2: Stolostron Hub & Spoke (OpenShift) -**Components:** -- All Stolostron-specific hub components +**Solution:** Refer to [Hint for resolving TLS non-compliance tickets Code Examples](https://docs.google.com/document/d/1234567890) -**Solution:** -Refer to [Hint for resolving TLS non-compliance tickets Code Examples](https://docs.google.com/document/d/1234567890) for implementation. - -**Key Points:** -- Use OpenShift library-go TLS helpers -- Watch `APIServer.spec.tlsSecurityProfile` directly -- No sidecar needed (native OpenShift code) - ---- - -### Scenario 2: Stolostron Spoke (OpenShift) - -**Components:** -- All Stolostron-specific managed cluster components - -**Solution:** -Refer to [Hint for resolving TLS non-compliance tickets Code Examples](https://docs.google.com/document/d/1234567890) for implementation. - -**Key Points:** -- Use OpenShift library-go TLS helpers -- Watch managed cluster's `APIServer.spec.tlsSecurityProfile` -- No sidecar needed (native OpenShift code) +**Approach:** Use OpenShift library-go TLS helpers to watch `APIServer.spec.tlsSecurityProfile` directly (no sidecar needed) --- @@ -147,13 +116,7 @@ Refer to [Hint for resolving TLS non-compliance tickets Code Examples](https://d ### Scenario 3: OCM Hub - cluster-manager-operator -**Component:** `cluster-manager-operator` (registration-operator in cluster-manager mode) - -**Deployed by:** backplane-operator (Stolostron) - -**Platform:** OpenShift (when deployed by Stolostron) or Kubernetes (upstream) - -**Architecture Flow:** +**Namespace:** `multicluster-engine` | **Deployed by:** backplane-operator ``` β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” @@ -191,42 +154,16 @@ Refer to [Hint for resolving TLS non-compliance tickets Code Examples](https://d β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ ``` -**How It Works:** - -1. **Sidecar Injection** (Downstream - backplane-operator) - - backplane-operator detects OpenShift platform - - Injects `tls-profile-sync` sidecar into cluster-manager-operator pod - -2. **ConfigMap Creation** (Sidecar) - - Sidecar watches hub's `APIServer.spec.tlsSecurityProfile` - - Creates/updates `ocm-tls-profile` ConfigMap in `multicluster-engine` namespace - -3. **Component Consumption** (Upstream - cluster-manager-operator) - - Watches `ocm-tls-profile` ConfigMap using standard Kubernetes client-go - - When ConfigMap changes β†’ applies new TLS config β†’ **restarts itself** - - If ConfigMap not found (vanilla K8s) β†’ falls back to TLS 1.2 - -**Code Owner:** -- Sidecar injection: Downstream (backplane-operator) -- Sidecar container: Downstream (stolostron/import-controller->tls-profile-sync) -- ConfigMap watching + restart logic: Upstream (registration-operator) +**Implementation:** +- Sidecar: backplane-operator injects `tls-profile-sync` β†’ watches `APIServer.spec.tlsSecurityProfile` β†’ creates `multicluster-engine/ocm-tls-profile` +- Component: Watches ConfigMap β†’ restarts on change β†’ TLS 1.2 fallback if not found --- ### Scenario 4: OCM Hub - ocm-hub-components -**Components:** -- registration-controller -- work-controller (work-webhook) -- placement-controller - -**Deployed by:** cluster-manager-operator (OCM) - -**Deployed in:** `open-cluster-management-hub` namespace (all components in same namespace) - -**Platform:** OpenShift (when operator deployed by Stolostron) or Kubernetes (upstream) - -**Architecture Flow:** +**Components:** registration-controller, work-controller, placement-controller +**Namespace:** `open-cluster-management-hub` | **Deployed by:** cluster-manager-operator ``` β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” @@ -264,43 +201,19 @@ Refer to [Hint for resolving TLS non-compliance tickets Code Examples](https://d β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ ``` -**How It Works:** - -1. **Operator Reads Source ConfigMap** - - cluster-manager-operator (in `multicluster-engine` namespace) watches `multicluster-engine/ocm-tls-profile` - -2. **Operator Creates ConfigMap in Hub Components Namespace** - - Creates/updates `ocm-tls-profile` in `open-cluster-management-hub` namespace - - Single ConfigMap shared by all hub components (they're all in the same namespace) - -3. **Components Watch Their Namespace's ConfigMap** - - All hub components watch `open-cluster-management-hub/ocm-tls-profile` - - On ConfigMap change β†’ applies TLS config β†’ **restarts** - - If ConfigMap not found β†’ falls back to TLS 1.2 - -**Code Owner:** -- ConfigMap propagation logic: Upstream (cluster-manager-operator) -- ConfigMap watching + restart: Upstream (each component) +**Implementation:** +- Operator: cluster-manager-operator watches `multicluster-engine/ocm-tls-profile` β†’ creates `open-cluster-management-hub/ocm-tls-profile` +- Components: Watch ConfigMap in their namespace β†’ restart on change β†’ TLS 1.2 fallback --- ### Scenario 5: OCM Hub - addon-manager -> **Note:** This scenario is **for reference only**. Each addon squad can decide whether to adopt this pattern or implement their own solution. - -**Components:** -- cluster-proxy-addon-manager (deployed in `multicluster-engine` namespace) -- Other addon managers like submariner (deployed in their own namespaces) +> **Note:** For reference only. Addon squads may implement their own solution. -**Deployed by:** backplane-operator (Stolostron) +**Components:** cluster-proxy-addon-manager, submariner-addon-manager, etc. -**Platform:** OpenShift (when deployed by Stolostron) or Kubernetes (upstream) - -#### Sub-case 5a: cluster-proxy-addon-manager (Same Namespace as Operator) - -**Deployed in:** `multicluster-engine` namespace (same as cluster-manager-operator) - -**Architecture Flow:** +**5a: Same Namespace** (cluster-proxy-addon-manager in `multicluster-engine`) ``` β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” @@ -330,27 +243,9 @@ Refer to [Hint for resolving TLS non-compliance tickets Code Examples](https://d β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ ``` -**How It Works:** - -1. **No Sidecar Needed** - - cluster-proxy-addon-manager deployed in same namespace as cluster-manager-operator - - Reads the same ConfigMap created by cluster-manager-operator's sidecar - -2. **Component Consumption** - - Watches `multicluster-engine/ocm-tls-profile` - - On ConfigMap change β†’ applies TLS config β†’ **restarts** - - If ConfigMap not found β†’ falls back to TLS 1.2 +**Implementation:** No sidecar needed; watches shared ConfigMap in `multicluster-engine` β†’ restarts on change -**Code Owner:** -- All upstream (no sidecar injection needed) - -#### Sub-case 5b: Other Addon Managers (Different Namespace) - -**Example:** submariner-addon-manager - -**Deployed in:** Addon-specific namespace (e.g., `submariner-operator`) - -**Architecture Flow:** +**5b: Different Namespace** (e.g., submariner-addon-manager in `submariner-operator`) ``` β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” @@ -388,25 +283,9 @@ Refer to [Hint for resolving TLS non-compliance tickets Code Examples](https://d β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ ``` -**How It Works:** - -1. **Sidecar Injection** (Downstream - backplane-operator) - - backplane-operator detects addon manager in different namespace - - Injects `tls-profile-sync` sidecar into addon manager pod - -2. **ConfigMap Creation** (Sidecar) - - Sidecar watches hub's `APIServer.spec.tlsSecurityProfile` - - Creates/updates `ocm-tls-profile` in addon's namespace (e.g., `submariner-operator`) - -3. **Component Consumption** (Upstream - addon manager) - - Watches ConfigMap in its own namespace - - On change β†’ applies TLS config β†’ **restarts** - - If ConfigMap not found β†’ falls back to TLS 1.2 - -**Code Owner:** -- Sidecar injection: Downstream (backplane-operator) -- Sidecar container: Downstream (stolostron/tls-profile-sync) -- ConfigMap watching + restart: Upstream (addon-manager code) +**Implementation:** +- Sidecar: backplane-operator injects `tls-profile-sync` β†’ creates ConfigMap in addon namespace +- Component: Watches ConfigMap β†’ restarts on change --- @@ -414,13 +293,7 @@ Refer to [Hint for resolving TLS non-compliance tickets Code Examples](https://d ### Scenario 6: OCM Spoke - klusterlet-operator -**Component:** `klusterlet-operator` (registration-operator in klusterlet mode) - -**Deployed by:** import-controller (Stolostron) - -**Platform:** OpenShift (when deployed by Stolostron) or Kubernetes (upstream) - -**Architecture Flow:** +**Namespace:** `open-cluster-management-agent` | **Deployed by:** import-controller ``` β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” @@ -458,46 +331,20 @@ Refer to [Hint for resolving TLS non-compliance tickets Code Examples](https://d β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ ``` -**How It Works:** - -1. **Sidecar Injection** (Downstream - import-controller) - - import-controller detects OpenShift platform on managed cluster - - Injects `tls-profile-sync` sidecar into klusterlet-operator pod - -2. **ConfigMap Creation** (Sidecar) - - Sidecar watches **managed cluster's** `APIServer.spec.tlsSecurityProfile` (NOT hub!) - - Creates/updates `ocm-tls-profile` in `open-cluster-management-agent` namespace - -3. **Component Consumption** (Upstream - klusterlet-operator) - - Watches `ocm-tls-profile` ConfigMap - - On change β†’ applies TLS config β†’ **restarts** - - If ConfigMap not found β†’ falls back to TLS 1.2 +**Implementation:** +- Sidecar: import-controller injects `tls-profile-sync` β†’ watches **managed cluster's** APIServer β†’ creates ConfigMap +- Component: Watches ConfigMap β†’ restarts on change **Important:** Each managed cluster uses its **OWN** TLS profile, not the hub's! -**Code Owner:** -- Sidecar injection: Downstream (import-controller) -- Sidecar container: Downstream (stolostron/tls-profile-sync) -- ConfigMap watching + restart: Upstream (registration-operator) - --- ### Scenario 7: OCM Spoke - klusterlet-agent -**Components:** -- klusterlet-agent (singleton mode) -- registration-agent (default mode) -- work-agent (default mode) - -**Deployed by:** klusterlet-operator (OCM) +**Components:** klusterlet-agent (singleton), registration-agent, work-agent (default mode) +**Deployed by:** klusterlet-operator -**Platform:** OpenShift (when operator deployed by Stolostron) or Kubernetes (upstream) - -#### Sub-case 7a: Default Mode (Same Namespace as Operator) - -**Deployed in:** `open-cluster-management-agent` namespace (same as klusterlet-operator) - -**Architecture Flow:** +**7a: Default Mode** (Same namespace: `open-cluster-management-agent`) ``` β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” @@ -530,25 +377,9 @@ Refer to [Hint for resolving TLS non-compliance tickets Code Examples](https://d β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ ``` -**How It Works:** - -1. **No ConfigMap Copy Needed** - - klusterlet-operator and klusterlet agents in same namespace (`open-cluster-management-agent`) - - All components read the same ConfigMap - -2. **Component Consumption** - - Agents watch `open-cluster-management-agent/ocm-tls-profile` - - On change β†’ apply TLS config β†’ **restart** - - If ConfigMap not found β†’ fall back to TLS 1.2 +**Implementation:** No ConfigMap copy needed; all components in same namespace share ConfigMap β†’ watch β†’ restart on change -**Code Owner:** -- All upstream (no Stolostron-specific code) - -#### Sub-case 7b: Hosted Mode (Different Namespace) - -**Deployed in:** Hosted namespace (e.g., `klusterlet-`) - -**Architecture Flow:** +**7b: Hosted Mode** (Different namespace: `klusterlet-`) ``` β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” @@ -590,44 +421,19 @@ Refer to [Hint for resolving TLS non-compliance tickets Code Examples](https://d β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ ``` -**How It Works:** - -1. **Operator Reads Source ConfigMap** - - klusterlet-operator (in `open-cluster-management-agent`) watches `open-cluster-management-agent/ocm-tls-profile` - -2. **Operator Copies ConfigMap to Hosted Namespace** - - klusterlet-operator runs a controller to detect hosted mode deployments - - Copies ConfigMap to hosted namespace (e.g., `klusterlet-`) +**Implementation:** +- Operator: klusterlet-operator copies ConfigMap from `open-cluster-management-agent` to hosted namespace +- Components: Watch ConfigMap in their namespace β†’ restart on change -3. **Component Consumption** - - Agents in hosted namespace watch ConfigMap in their namespace - - On change β†’ apply TLS config β†’ **restart** - - If ConfigMap not found β†’ fall back to TLS 1.2 - -**Note:** In hosted mode, the TLS profile comes from the **hosting cluster's** APIServer (where klusterlet-operator runs), not the managed cluster's APIServer. - -**Code Owner:** -- ConfigMap copy logic: Upstream (klusterlet-operator) -- ConfigMap watching + restart: Upstream (agents) +**Note:** TLS profile comes from **hosting cluster's** APIServer, not managed cluster's APIServer. --- ### Scenario 8: OCM Spoke - addon-agent -> **Note:** This scenario is **for reference only**. Each addon squad can decide whether to adopt this pattern or implement their own solution. - -**Components:** -- app-addon-agent -- policy-addon-agent -- observability-addon-agent -- cluster-proxy-addon-agent -- Any other addon agents - -**Deployed by:** Respective addon managers (hub) - -**Platform:** OpenShift (when klusterlet deployed by Stolostron) or Kubernetes (upstream) +> **Note:** For reference only. Addon squads may implement their own solution. -**Architecture Flow:** +**Components:** app-addon-agent, policy-addon-agent, observability-addon-agent, cluster-proxy-addon-agent, etc. ``` β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” @@ -673,31 +479,11 @@ Refer to [Hint for resolving TLS non-compliance tickets Code Examples](https://d β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ ``` -**How It Works:** +**Implementation:** +- Controller: `AddonTLSConfigController` in klusterlet-operator copies ConfigMap to addon namespaces (similar to `AddonPullImageSecretController`) +- Agents: Watch ConfigMap in their namespace β†’ restart on change -1. **ConfigMap Copy Controller** (Upstream - klusterlet-operator) - - `AddonTLSConfigController` runs in klusterlet-operator - - Pattern: Same as existing `AddonPullImageSecretController` - - Watches namespaces labeled `addon.open-cluster-management.io/namespace: "true"` - -2. **ConfigMap Propagation** - - Source: `open-cluster-management-agent/ocm-tls-profile` - - Destination: `addon-/ocm-tls-profile` - - On source update β†’ update all copies - -3. **Addon Agent Consumption** - - Each addon agent watches ConfigMap in its own namespace - - On change β†’ apply TLS config β†’ **restart** - - If ConfigMap not found β†’ fall back to TLS 1.2 - -**Why Copy ConfigMaps?** -- βœ… Namespace isolation (addons read from own namespace) -- βœ… Simpler RBAC (no cross-namespace access needed) -- βœ… Consistent with existing pattern (image pull secrets) - -**Code Owner:** -- AddonTLSConfigController: Upstream (klusterlet-operator) -- ConfigMap watching + restart: Upstream (addon agent code) +**Benefits:** Namespace isolation, simpler RBAC, consistent with existing pattern --- @@ -719,19 +505,10 @@ data: ### Component Restart Logic -Components watch the ConfigMap and restart when it changes: - -**Pseudo-code:** ```go -// In component's main.go func main() { - // 1. Read TLS config from ConfigMap (or use fallback) tlsConfig := readTLSConfigFromConfigMap() - - // 2. Start ConfigMap watcher go watchConfigMapAndRestart() - - // 3. Start component with TLS config startComponent(tlsConfig) } @@ -739,8 +516,7 @@ func watchConfigMapAndRestart() { watcher := watchConfigMap("ocm-tls-profile") for event := range watcher.ResultChan() { if event.Type == watch.Modified { - // Restart: exit with code 0, let Kubernetes restart the pod - os.Exit(0) + os.Exit(0) // Kubernetes restarts the pod } } } @@ -748,11 +524,8 @@ func watchConfigMapAndRestart() { func readTLSConfigFromConfigMap() *tls.Config { cm, err := client.CoreV1().ConfigMaps(namespace).Get("ocm-tls-profile") if err != nil { - // ConfigMap not found β†’ fallback to TLS 1.2 - return &tls.Config{MinVersion: tls.VersionTLS12} + return &tls.Config{MinVersion: tls.VersionTLS12} // Fallback } - - // Parse ConfigMap and return TLS config return parseTLSConfig(cm) } ``` @@ -761,7 +534,7 @@ func readTLSConfigFromConfigMap() *tls.Config { | Component | Repository | Owner | Purpose | |---|---|---|---| -| tls-profile-sync sidecar | stolostron/tls-profile-sync | Downstream | Watches OpenShift APIServer, creates ConfigMap | +| tls-profile-sync sidecar | stolostron/import-controller->tls-profile-sync | Downstream | Watches OpenShift APIServer, creates ConfigMap | | Shared TLS library/helpers | open-cluster-management-io/sdk-go | Upstream | ConfigMap parsing, fallback logic, TLS config helpers | | AddonTLSConfigController | open-cluster-management-io/registration-operator | Upstream | Copies ConfigMap to addon namespaces (in klusterlet-operator) | | Addon ConfigMap watch + restart | open-cluster-management-io/addon-framework | Upstream | Common addon functionality to watch ConfigMap and restart | @@ -777,22 +550,18 @@ func readTLSConfigFromConfigMap() *tls.Config { | All hub/spoke components | Multiple ocm repos | Use sdk-go TLS library, watch ConfigMap, restart on change | Upstream | | addon-framework | open-cluster-management-io/addon-framework | Provide ConfigMap watch + restart for all addons | Upstream | -### Sidecar Injection Points +### Sidecar Injection -**Downstream Repos Responsible for Sidecar Injection:** +**backplane-operator** injects sidecar into: +- cluster-manager-operator pod +- Addon-manager pods in different namespaces (e.g., submariner-addon-manager) -1. **backplane-operator** (Stolostron) injects sidecar into: - - cluster-manager-operator pod - - Addon-manager pods deployed in different namespaces (e.g., submariner-addon-manager) +**import-controller** injects sidecar into: +- klusterlet-operator pod -2. **import-controller** (Stolostron) injects sidecar into: - - klusterlet-operator pod - -**Sidecar Detection Logic:** +**Detection logic:** ```go -// In backplane-operator / import-controller func shouldInjectSidecar() bool { - // Check if platform is OpenShift _, err := client.Discovery().ServerResourcesForGroupVersion("config.openshift.io/v1") return err == nil } @@ -802,78 +571,47 @@ func shouldInjectSidecar() bool { ## Compliance Verification -**Tools:** -- `tls-scanner`: Validate no hardcoded TLS settings -- `semgrep`: Scan for `tls.VersionTLS` hardcoding -- E2E tests: Verify dynamic TLS profile changes +**Tools:** `tls-scanner`, `semgrep`, E2E tests **Test Scenarios:** -1. Change OpenShift APIServer TLS profile β†’ verify components restart with new config -2. Deploy on vanilla Kubernetes β†’ verify components use TLS 1.2 fallback +1. Change APIServer TLS profile β†’ verify components restart with new config +2. Deploy on vanilla Kubernetes β†’ verify TLS 1.2 fallback 3. Add new addon β†’ verify ConfigMap copied to addon namespace 4. Sidecar crash β†’ verify components continue with last known config ---- - -## Current Findings - -### Identified Hardcoded TLS Settings - -**File:** [pkg/common/options/webhook.go:97](pkg/common/options/webhook.go#L97) -```go -config.MinVersion = tls.VersionTLS12 // HARDCODED - needs remediation -``` - -**Remediation:** -Replace with shared TLS library that reads from ConfigMap or uses fallback. +**Current Findings:** -**Expected Change:** -```go -// Before -TLSOpts: []func(config *tls.Config){ - func(config *tls.Config) { - config.MinVersion = tls.VersionTLS12 // HARDCODED - }, -}, - -// After -TLSOpts: []func(config *tls.Config){ - GetTLSConfigFromConfigMap(ctx, client, namespace), // Dynamic -}, -``` +[pkg/common/options/webhook.go:97](pkg/common/options/webhook.go#L97) - Hardcoded `tls.VersionTLS12` needs remediation --- ## FAQ **Q: Do upstream OCM repos need OpenShift dependencies?** -A: No. Upstream only uses standard Kubernetes client-go to read ConfigMaps. +A: No. Upstream uses standard Kubernetes client-go to read ConfigMaps. **Q: What if sidecar crashes?** -A: Kubernetes restarts sidecar. Components continue with last known ConfigMap state. +A: Kubernetes restarts sidecar. Components continue with last known ConfigMap. -**Q: Why restart components instead of hot-reload?** -A: Simpler implementation. TLS profile changes are infrequent (admin actions). Kubernetes handles graceful restart. +**Q: Why restart instead of hot-reload?** +A: Simpler implementation. TLS changes are infrequent. Kubernetes handles graceful restarts. **Q: Can users customize TLS profile?** -A: Yes, via `APIServer.spec.tlsSecurityProfile` (OpenShift cluster-wide setting). Changes propagate automatically. +A: Yes, via `APIServer.spec.tlsSecurityProfile`. Changes propagate automatically. **Q: What about client TLS?** -A: Separate initiative. This design focuses on server TLS (webhook servers, metrics servers, etc.) +A: Separate initiative. This design focuses on server TLS (webhooks, metrics servers). **Q: Why does each managed cluster use its own TLS profile?** -A: Managed cluster security admins control their own security policy. Managed cluster may require stricter or looser TLS than hub. - -**Q: What if ConfigMap is deleted? Does the operator create it again?** - -A: Yes, the ConfigMap is automatically recreated through Kubernetes reconciliation loops: +A: Managed cluster admins control their own security policy independently. -- **Sidecars**: The `tls-profile-sync` sidecar continuously watches the APIServer TLS profile and reconciles the ConfigMap. If deleted, it recreates the ConfigMap within seconds based on the current APIServer settings. -- **Operators**: Operators (cluster-manager-operator, klusterlet-operator) watch their source ConfigMaps and recreate managed ConfigMaps. For example, if `open-cluster-management-hub/ocm-tls-profile` is deleted, cluster-manager-operator recreates it from `multicluster-engine/ocm-tls-profile`. -- **During Recreation**: Components detect ConfigMap deletion and fall back to TLS 1.2 temporarily. Once the ConfigMap is recreated, components detect the change and restart to apply the correct TLS profile. -- **Result**: Brief service interruption during restart, but system self-heals automatically. +**Q: What if ConfigMap is deleted?** +A: Yes, automatically recreated via reconciliation: +- **Sidecars**: Recreate within seconds from APIServer TLS profile +- **Operators**: Recreate from source ConfigMaps +- **Components**: Fall back to TLS 1.2 temporarily, then restart with recreated ConfigMap -**Q: How does this support Post-Quantum Cryptography (PQC)?** +**Q: How does this support PQC?** A: When OpenShift adds PQC cipher suites to APIServer TLS profiles, all components automatically adopt them via dynamic ConfigMap updates. --- From a07cd0829222ac2e30736d121598779a965aebd8 Mon Sep 17 00:00:00 2001 From: zhujian Date: Thu, 12 Mar 2026 18:32:56 +0800 Subject: [PATCH 3/9] =?UTF-8?q?=F0=9F=93=96=20Fix=20Table=20of=20Contents?= =?UTF-8?q?=20to=20match=20section=20order?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Update TOC to reflect actual document structure: - Swap "Solution Overview" and "Scenario Summary" order - Add missing sections: FAQ, Approval and Sign-off, References This matches the document reorganization where Solution Overview now comes before Scenario Summary for better logical flow. πŸ€– Assisted by Claude Code Co-Authored-By: Claude Signed-off-by: zhujian --- docs/TLS_PROFILE_COMPLIANCE_DESIGN.md | 39 ++++++++++++++------------- 1 file changed, 21 insertions(+), 18 deletions(-) diff --git a/docs/TLS_PROFILE_COMPLIANCE_DESIGN.md b/docs/TLS_PROFILE_COMPLIANCE_DESIGN.md index f94de0f88..87c78b617 100644 --- a/docs/TLS_PROFILE_COMPLIANCE_DESIGN.md +++ b/docs/TLS_PROFILE_COMPLIANCE_DESIGN.md @@ -9,13 +9,16 @@ ## Table of Contents 1. [Overview](#overview) -2. [Scenario Summary](#scenario-summary) -3. [Solution Overview](#solution-overview) +2. [Solution Overview](#solution-overview) +3. [Scenario Summary](#scenario-summary) 4. [Stolostron Scenarios](#stolostron-scenarios) 5. [OCM Hub Scenarios](#ocm-hub-scenarios) 6. [OCM Spoke Scenarios](#ocm-spoke-scenarios) 7. [Implementation Details](#implementation-details) 8. [Compliance Verification](#compliance-verification) +9. [FAQ](#faq) +10. [Approval and Sign-off](#approval-and-sign-off) +11. [References](#references) --- @@ -42,22 +45,6 @@ OCM repos are **upstream Kubernetes projects** that cannot depend on OpenShift-s --- -## Scenario Summary - -| Scenario | Component | Platform | Sidecar | ConfigMap Pattern | Solution | -|---|---|---|---|---|---| -| **1** | Stolostron Hub | OpenShift | βœ… | Direct consumption | Refer to OpenShift hint doc | -| **2** | Stolostron Spoke | OpenShift | βœ… | Direct consumption | Refer to OpenShift hint doc | -| **3** | OCM Hub - cluster-manager-operator | OpenShift/K8s | βœ…/❌ | Watches + restarts | Sidecar + ConfigMap | -| **4** | OCM Hub - ocm-hub-components | OpenShift/K8s | ❌ | Operator creates ConfigMap | Operator propagation | -| **5** | OCM Hub - addon-manager | OpenShift/K8s | βœ…/❌ | Watches + restarts | Sidecar + ConfigMap | -| **6** | OCM Spoke - klusterlet-operator | OpenShift/K8s | βœ…/❌ | Watches + restarts | Sidecar + ConfigMap | -| **7** | OCM Spoke - klusterlet-agent | OpenShift/K8s | ❌ | Operator creates ConfigMap | Operator propagation | -| **8** | OCM Spoke - addon-agent | OpenShift/K8s | ❌ | Operator copies ConfigMap | ConfigMap copy pattern | -| **9** | cluster-proxy components (self-deployed by cluster proxy manager/agent) | OpenShift/K8s | TBD | TBD | TBD | - ---- - ## Solution Overview ### Sidecar + ConfigMap Pattern @@ -102,6 +89,22 @@ OCM repos are **upstream Kubernetes projects** that cannot depend on OpenShift-s --- +## Scenario Summary + +| Scenario | Component | Platform | Sidecar | ConfigMap Pattern | Solution | +|---|---|---|---|---|---| +| **1** | Stolostron Hub | OpenShift | βœ… | Direct consumption | Refer to OpenShift hint doc | +| **2** | Stolostron Spoke | OpenShift | βœ… | Direct consumption | Refer to OpenShift hint doc | +| **3** | OCM Hub - cluster-manager-operator | OpenShift/K8s | βœ…/❌ | Watches + restarts | Sidecar + ConfigMap | +| **4** | OCM Hub - ocm-hub-components | OpenShift/K8s | ❌ | Operator creates ConfigMap | Operator propagation | +| **5** | OCM Hub - addon-manager | OpenShift/K8s | βœ…/❌ | Watches + restarts | Sidecar + ConfigMap | +| **6** | OCM Spoke - klusterlet-operator | OpenShift/K8s | βœ…/❌ | Watches + restarts | Sidecar + ConfigMap | +| **7** | OCM Spoke - klusterlet-agent | OpenShift/K8s | ❌ | Operator creates ConfigMap | Operator propagation | +| **8** | OCM Spoke - addon-agent | OpenShift/K8s | ❌ | Operator copies ConfigMap | ConfigMap copy pattern | +| **9** | cluster-proxy components (self-deployed by cluster proxy manager/agent) | OpenShift/K8s | TBD | TBD | TBD | + +--- + ## Stolostron Scenarios ### Scenario 1 & 2: Stolostron Hub & Spoke (OpenShift) From 8694ca8fd80ee59912284579b8e8ef70016fe461 Mon Sep 17 00:00:00 2001 From: zhujian Date: Thu, 12 Mar 2026 18:36:39 +0800 Subject: [PATCH 4/9] =?UTF-8?q?=F0=9F=93=96=20Add=20navigation=20links=20i?= =?UTF-8?q?n=20Scenario=20Summary=20table?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Convert Solution column text to clickable links that jump to the detailed scenario sections. This improves navigation and makes it easier for readers to find the full implementation details for each scenario. - Scenarios 1 & 2 link to combined section - Scenarios 3-8 link to individual sections - Scenario 9 remains TBD (no link) πŸ€– Assisted by Claude Code Co-Authored-By: Claude Signed-off-by: zhujian --- docs/TLS_PROFILE_COMPLIANCE_DESIGN.md | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/docs/TLS_PROFILE_COMPLIANCE_DESIGN.md b/docs/TLS_PROFILE_COMPLIANCE_DESIGN.md index 87c78b617..f32edb256 100644 --- a/docs/TLS_PROFILE_COMPLIANCE_DESIGN.md +++ b/docs/TLS_PROFILE_COMPLIANCE_DESIGN.md @@ -93,14 +93,14 @@ OCM repos are **upstream Kubernetes projects** that cannot depend on OpenShift-s | Scenario | Component | Platform | Sidecar | ConfigMap Pattern | Solution | |---|---|---|---|---|---| -| **1** | Stolostron Hub | OpenShift | βœ… | Direct consumption | Refer to OpenShift hint doc | -| **2** | Stolostron Spoke | OpenShift | βœ… | Direct consumption | Refer to OpenShift hint doc | -| **3** | OCM Hub - cluster-manager-operator | OpenShift/K8s | βœ…/❌ | Watches + restarts | Sidecar + ConfigMap | -| **4** | OCM Hub - ocm-hub-components | OpenShift/K8s | ❌ | Operator creates ConfigMap | Operator propagation | -| **5** | OCM Hub - addon-manager | OpenShift/K8s | βœ…/❌ | Watches + restarts | Sidecar + ConfigMap | -| **6** | OCM Spoke - klusterlet-operator | OpenShift/K8s | βœ…/❌ | Watches + restarts | Sidecar + ConfigMap | -| **7** | OCM Spoke - klusterlet-agent | OpenShift/K8s | ❌ | Operator creates ConfigMap | Operator propagation | -| **8** | OCM Spoke - addon-agent | OpenShift/K8s | ❌ | Operator copies ConfigMap | ConfigMap copy pattern | +| **1** | Stolostron Hub | OpenShift | βœ… | Direct consumption | [Refer to OpenShift hint doc](#scenario-1--2-stolostron-hub--spoke-openshift) | +| **2** | Stolostron Spoke | OpenShift | βœ… | Direct consumption | [Refer to OpenShift hint doc](#scenario-1--2-stolostron-hub--spoke-openshift) | +| **3** | OCM Hub - cluster-manager-operator | OpenShift/K8s | βœ…/❌ | Watches + restarts | [Sidecar + ConfigMap](#scenario-3-ocm-hub---cluster-manager-operator) | +| **4** | OCM Hub - ocm-hub-components | OpenShift/K8s | ❌ | Operator creates ConfigMap | [Operator propagation](#scenario-4-ocm-hub---ocm-hub-components) | +| **5** | OCM Hub - addon-manager | OpenShift/K8s | βœ…/❌ | Watches + restarts | [Sidecar + ConfigMap](#scenario-5-ocm-hub---addon-manager) | +| **6** | OCM Spoke - klusterlet-operator | OpenShift/K8s | βœ…/❌ | Watches + restarts | [Sidecar + ConfigMap](#scenario-6-ocm-spoke---klusterlet-operator) | +| **7** | OCM Spoke - klusterlet-agent | OpenShift/K8s | ❌ | Operator creates ConfigMap | [Operator propagation](#scenario-7-ocm-spoke---klusterlet-agent) | +| **8** | OCM Spoke - addon-agent | OpenShift/K8s | ❌ | Operator copies ConfigMap | [ConfigMap copy pattern](#scenario-8-ocm-spoke---addon-agent) | | **9** | cluster-proxy components (self-deployed by cluster proxy manager/agent) | OpenShift/K8s | TBD | TBD | TBD | --- @@ -109,7 +109,7 @@ OCM repos are **upstream Kubernetes projects** that cannot depend on OpenShift-s ### Scenario 1 & 2: Stolostron Hub & Spoke (OpenShift) -**Solution:** Refer to [Hint for resolving TLS non-compliance tickets Code Examples](https://docs.google.com/document/d/1234567890) +**Solution:** Refer to [Hint for resolving TLS non-compliance tickets Code Examples](https://docs.google.com/document/d/1cMc9E8psHfnoK06ntR8kHSWB8d3rMtmldhnmM4nImjs) **Approach:** Use OpenShift library-go TLS helpers to watch `APIServer.spec.tlsSecurityProfile` directly (no sidecar needed) @@ -634,6 +634,6 @@ A: When OpenShift adds PQC cipher suites to APIServer TLS profiles, all componen ## References -- **OpenShift Requirement:** [Hint for resolving TLS non-compliance tickets Code Examples](https://docs.google.com/document/d/1234567890) +- **OpenShift Requirement:** [Hint for resolving TLS non-compliance tickets Code Examples](https://docs.google.com/document/d/1cMc9E8psHfnoK06ntR8kHSWB8d3rMtmldhnmM4nImjs) - **JIRA:** [ACM-26882: [ACM] Central TLS Profile consistency](https://issues.redhat.com/browse/ACM-26882) - **Existing Pattern:** `pkg/operator/operators/klusterlet/controllers/addonsecretcontroller/controller.go` From a9928012ebc0969c69bd7e8bfba79a167c0e546a Mon Sep 17 00:00:00 2001 From: zhujian Date: Tue, 17 Mar 2026 08:50:44 +0800 Subject: [PATCH 5/9] =?UTF-8?q?=F0=9F=93=96=20Update=20TLS=20design=20to?= =?UTF-8?q?=20use=20flag=20approach=20for=20Scenarios=204=20&=207?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Update the TLS Profile Compliance Design to use the OpenShift centralized TLS configuration pattern (flag-based approach) for hub components and spoke agents (Scenarios 4 & 7). Key changes: - Scenarios 4 & 7 now use operator flag injection instead of ConfigMap watch pattern - Operators read ConfigMap and inject TLS values as command-line flags (--tls-min-version, --tls-cipher-suites) - Operators trigger component rollouts via deployment annotation (tls-config-hash) - Components parse flags on startup (simpler, no ConfigMap watch code needed) - Simplified Scenario 7: hosted vs default mode distinction removed - with flags, target namespace is just a parameter - Updated implementation details showing Pattern 1 (operators) vs Pattern 2 (components) - Added FAQ explaining flag approach benefits - Added reference to OpenShift centralized TLS config enhancement Benefits: βœ… Simpler components (no ConfigMap watch logic) βœ… Less RBAC (components don't need ConfigMap permissions) βœ… Follows OpenShift pattern for TLS configuration βœ… No ConfigMap copying needed for hosted mode βœ… Config visible in kubectl describe pod Scenarios 3 & 6 (operators) still use ConfigMap watch pattern since they're not managed by another controller. Signed-off-by: Claude Sonnet 4.5 Signed-off-by: zhujian --- docs/TLS_PROFILE_COMPLIANCE_DESIGN.md | 246 +++++++++++++++----------- 1 file changed, 145 insertions(+), 101 deletions(-) diff --git a/docs/TLS_PROFILE_COMPLIANCE_DESIGN.md b/docs/TLS_PROFILE_COMPLIANCE_DESIGN.md index f32edb256..4755811f0 100644 --- a/docs/TLS_PROFILE_COMPLIANCE_DESIGN.md +++ b/docs/TLS_PROFILE_COMPLIANCE_DESIGN.md @@ -58,12 +58,14 @@ OCM repos are **upstream Kubernetes projects** that cannot depend on OpenShift-s β”‚ Sidecar Container β†’ Watches APIServer TLS profile β”‚ β”‚ β†’ Creates/Updates ConfigMap "ocm-tls-profile" β”‚ β”‚ β”‚ -β”‚ Component Container β†’ Watches ConfigMap "ocm-tls-profile" β”‚ -β”‚ β†’ Applies new TLS config β”‚ -β”‚ β†’ Restarts itself on ConfigMap change β”‚ +β”‚ Operators (Scenarios 3 & 6): β”‚ +β”‚ β†’ Watch ConfigMap "ocm-tls-profile" β”‚ +β”‚ β†’ Restart themselves on ConfigMap change β”‚ +β”‚ β†’ Read ConfigMap and inject flags into component deployments β”‚ β”‚ β”‚ -β”‚ Operators β†’ Read ConfigMap from their namespace β”‚ -β”‚ β†’ Create/Update ConfigMap in managed component ns β”‚ +β”‚ Components (Scenarios 4 & 7): β”‚ +β”‚ β†’ Receive TLS config via command-line flags β”‚ +β”‚ β†’ Restarted by operator when config changes (via annotation) β”‚ β”‚ β”‚ β”‚ Result: Dynamic TLS profile (Modern/Intermediate/Custom) β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ @@ -81,10 +83,12 @@ OCM repos are **upstream Kubernetes projects** that cannot depend on OpenShift-s ### Key Principles 1. **Upstream Portability**: OCM repos remain OpenShift-agnostic -2. **Sidecar Injection**: Downstream (Stolostron) repos inject sidecar when deploying on OpenShift -3. **ConfigMap Propagation**: Operators create ConfigMaps in managed component namespaces -4. **Restart on Change**: Components watch ConfigMap and restart when TLS config changes -5. **Safe Fallback**: Components use TLS 1.2 when ConfigMap not available (vanilla Kubernetes) +2. **Sidecar Injection**: Downstream (Stolostron) repos inject sidecar into operators when deploying on OpenShift +3. **Two Patterns**: + - **Operators (Scenarios 3 & 6)**: Watch ConfigMap and self-restart + - **Components (Scenarios 4 & 7)**: Receive TLS config via command-line flags from their operators +4. **Operator-Controlled Rollout**: Operators trigger component restarts via deployment annotation changes (follows OpenShift pattern) +5. **Safe Fallback**: Components use TLS 1.2 when config not provided (vanilla Kubernetes) 6. **Addon Flexibility**: Scenarios 5 & 8 are **for reference only**. Addon squads may implement their own solution. --- @@ -96,10 +100,10 @@ OCM repos are **upstream Kubernetes projects** that cannot depend on OpenShift-s | **1** | Stolostron Hub | OpenShift | βœ… | Direct consumption | [Refer to OpenShift hint doc](#scenario-1--2-stolostron-hub--spoke-openshift) | | **2** | Stolostron Spoke | OpenShift | βœ… | Direct consumption | [Refer to OpenShift hint doc](#scenario-1--2-stolostron-hub--spoke-openshift) | | **3** | OCM Hub - cluster-manager-operator | OpenShift/K8s | βœ…/❌ | Watches + restarts | [Sidecar + ConfigMap](#scenario-3-ocm-hub---cluster-manager-operator) | -| **4** | OCM Hub - ocm-hub-components | OpenShift/K8s | ❌ | Operator creates ConfigMap | [Operator propagation](#scenario-4-ocm-hub---ocm-hub-components) | +| **4** | OCM Hub - ocm-hub-components | OpenShift/K8s | ❌ | Operator passes flags | [Operator flag injection](#scenario-4-ocm-hub---ocm-hub-components) | | **5** | OCM Hub - addon-manager | OpenShift/K8s | βœ…/❌ | Watches + restarts | [Sidecar + ConfigMap](#scenario-5-ocm-hub---addon-manager) | | **6** | OCM Spoke - klusterlet-operator | OpenShift/K8s | βœ…/❌ | Watches + restarts | [Sidecar + ConfigMap](#scenario-6-ocm-spoke---klusterlet-operator) | -| **7** | OCM Spoke - klusterlet-agent | OpenShift/K8s | ❌ | Operator creates ConfigMap | [Operator propagation](#scenario-7-ocm-spoke---klusterlet-agent) | +| **7** | OCM Spoke - klusterlet-agent | OpenShift/K8s | ❌ | Operator passes flags | [Operator flag injection](#scenario-7-ocm-spoke---klusterlet-agent) | | **8** | OCM Spoke - addon-agent | OpenShift/K8s | ❌ | Operator copies ConfigMap | [ConfigMap copy pattern](#scenario-8-ocm-spoke---addon-agent) | | **9** | cluster-proxy components (self-deployed by cluster proxy manager/agent) | OpenShift/K8s | TBD | TBD | TBD | @@ -177,36 +181,41 @@ OCM repos are **upstream Kubernetes projects** that cannot depend on OpenShift-s β”‚ β”‚ Namespace: multicluster-engine β”‚ β”‚ β”‚ β”‚ β”‚ β”‚ β”‚ β”‚ β€’ Reads: multicluster-engine/ocm-tls-profile β”‚ β”‚ +β”‚ β”‚ β€’ Renders deployments with TLS flags β”‚ β”‚ +β”‚ β”‚ β€’ Watches ConfigMap, triggers rollout on change β”‚ β”‚ β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ -β”‚ β”‚ Creates ConfigMap in hub component ns β”‚ +β”‚ β”‚ Renders deployment with flags β”‚ β”‚ β”‚ β”‚ β”‚ β–Ό β”‚ β”‚ β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ -β”‚ β”‚ ConfigMap: ocm-tls-profile β”‚ β”‚ +β”‚ β”‚ Deployment: registration-controller β”‚ β”‚ β”‚ β”‚ Namespace: open-cluster-management-hub β”‚ β”‚ β”‚ β”‚ β”‚ β”‚ -β”‚ β”‚ data: β”‚ β”‚ -β”‚ β”‚ minTLSVersion: "VersionTLS13" β”‚ β”‚ -β”‚ β”‚ cipherSuites: "" β”‚ β”‚ -β”‚ β”‚ profileType: "Modern" β”‚ β”‚ -β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ -β”‚ β”‚ Shared by all hub components β”‚ -β”‚ β”‚ (all in same namespace) β”‚ -β”‚ β”‚ β”‚ -β”‚ β–Ό β”‚ -β”‚ β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ -β”‚ β”‚ Components in open-cluster-management-hub namespace: β”‚ β”‚ -β”‚ β”‚ β”‚ β”‚ -β”‚ β”‚ β€’ registration-controller β†’ watches ConfigMap, restarts β”‚ β”‚ -β”‚ β”‚ β€’ work-controller β†’ watches ConfigMap, restarts β”‚ β”‚ -β”‚ β”‚ β€’ placement-controller β†’ watches ConfigMap, restarts β”‚ β”‚ +β”‚ β”‚ spec: β”‚ β”‚ +β”‚ β”‚ template: β”‚ β”‚ +β”‚ β”‚ metadata: β”‚ β”‚ +β”‚ β”‚ annotations: β”‚ β”‚ +β”‚ β”‚ tls-config-hash: abc123... # Triggers rollout β”‚ β”‚ +β”‚ β”‚ spec: β”‚ β”‚ +β”‚ β”‚ containers: β”‚ β”‚ +β”‚ β”‚ - name: registration-controller β”‚ β”‚ +β”‚ β”‚ command: β”‚ β”‚ +β”‚ β”‚ - /registration-controller β”‚ β”‚ +β”‚ β”‚ - --tls-min-version=VersionTLS13 β”‚ β”‚ +β”‚ β”‚ - --tls-cipher-suites=TLS_AES_128_GCM_SHA256,... β”‚ β”‚ β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ +β”‚ β”‚ +β”‚ (work-controller and placement-controller use same pattern) β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ ``` -**Implementation:** -- Operator: cluster-manager-operator watches `multicluster-engine/ocm-tls-profile` β†’ creates `open-cluster-management-hub/ocm-tls-profile` -- Components: Watch ConfigMap in their namespace β†’ restart on change β†’ TLS 1.2 fallback +**Implementation (Flag Approach - follows OpenShift pattern):** + +- **Operator reads ConfigMap:** cluster-manager-operator watches `multicluster-engine/ocm-tls-profile` +- **Operator renders flags:** Injects TLS values directly as command-line flags in component deployments +- **Operator triggers rollout:** Updates deployment annotation `tls-config-hash` when ConfigMap changes +- **Components read flags:** Parse `--tls-min-version` and `--tls-cipher-suites` on startup +- **Kubernetes handles restart:** Deployment rollout triggered by annotation change --- @@ -346,89 +355,59 @@ OCM repos are **upstream Kubernetes projects** that cannot depend on OpenShift-s **Components:** klusterlet-agent (singleton), registration-agent, work-agent (default mode) **Deployed by:** klusterlet-operator - -**7a: Default Mode** (Same namespace: `open-cluster-management-agent`) +**Namespace:** `open-cluster-management-agent` (default mode) or `klusterlet-` (hosted mode) ``` β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” -β”‚ Managed Cluster (Default Mode) β”‚ +β”‚ Managed/Hosting Cluster β”‚ β”‚ β”‚ β”‚ β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ β”‚ β”‚ klusterlet-operator (Scenario 6) β”‚ β”‚ +β”‚ β”‚ Namespace: open-cluster-management-agent β”‚ β”‚ +β”‚ β”‚ β”‚ β”‚ β”‚ β”‚ β€’ Reads: open-cluster-management-agent/ocm-tls-profile β”‚ β”‚ +β”‚ β”‚ β€’ Renders deployments with TLS flags β”‚ β”‚ +β”‚ β”‚ β€’ Watches ConfigMap, triggers rollout on change β”‚ β”‚ β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ -β”‚ β”‚ Already in same namespace β”‚ +β”‚ β”‚ Renders deployment with flags β”‚ β”‚ β”‚ β”‚ β”‚ β–Ό β”‚ β”‚ β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ -β”‚ β”‚ ConfigMap: ocm-tls-profile β”‚ β”‚ -β”‚ β”‚ Namespace: open-cluster-management-agent (same as operator) β”‚ β”‚ -β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ -β”‚ β”‚ Shared by klusterlet components β”‚ -β”‚ β”‚ β”‚ -β”‚ β–Ό β”‚ -β”‚ β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ -β”‚ β”‚ Components in open-cluster-management-agent namespace: β”‚ β”‚ -β”‚ β”‚ β”‚ β”‚ -β”‚ β”‚ Singleton mode: β”‚ β”‚ -β”‚ β”‚ β€’ klusterlet-agent β†’ watches ConfigMap, restarts β”‚ β”‚ +β”‚ β”‚ Deployment: registration-agent β”‚ β”‚ +β”‚ β”‚ Namespace: β”‚ β”‚ +β”‚ β”‚ β€’ Default mode: open-cluster-management-agent β”‚ β”‚ +β”‚ β”‚ β€’ Hosted mode: klusterlet- β”‚ β”‚ β”‚ β”‚ β”‚ β”‚ -β”‚ β”‚ Default mode: β”‚ β”‚ -β”‚ β”‚ β€’ registration-agent β†’ watches ConfigMap, restarts β”‚ β”‚ -β”‚ β”‚ β€’ work-agent β†’ watches ConfigMap, restarts β”‚ β”‚ +β”‚ β”‚ spec: β”‚ β”‚ +β”‚ β”‚ template: β”‚ β”‚ +β”‚ β”‚ metadata: β”‚ β”‚ +β”‚ β”‚ annotations: β”‚ β”‚ +β”‚ β”‚ tls-config-hash: def456... # Triggers rollout β”‚ β”‚ +β”‚ β”‚ spec: β”‚ β”‚ +β”‚ β”‚ containers: β”‚ β”‚ +β”‚ β”‚ - name: registration-agent β”‚ β”‚ +β”‚ β”‚ command: β”‚ β”‚ +β”‚ β”‚ - /registration-agent β”‚ β”‚ +β”‚ β”‚ - --tls-min-version=VersionTLS12 β”‚ β”‚ +β”‚ β”‚ - --tls-cipher-suites=... β”‚ β”‚ β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ +β”‚ β”‚ +β”‚ (work-agent and klusterlet-agent use same pattern) β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ ``` -**Implementation:** No ConfigMap copy needed; all components in same namespace share ConfigMap β†’ watch β†’ restart on change +**Implementation (Flag Approach - follows OpenShift pattern):** -**7b: Hosted Mode** (Different namespace: `klusterlet-`) +- **Operator reads ConfigMap:** klusterlet-operator watches `open-cluster-management-agent/ocm-tls-profile` (always from operator's namespace) +- **Operator renders flags:** Injects TLS values directly as command-line flags in agent deployments +- **Target namespace is just a parameter:** Operator deploys to `open-cluster-management-agent` (default) or `klusterlet-` (hosted) +- **No ConfigMap copy needed:** With flags, operator reads once and injects into deployments regardless of target namespace +- **Operator triggers rollout:** Updates deployment annotation `tls-config-hash` when ConfigMap changes +- **Agents read flags:** Parse `--tls-min-version` and `--tls-cipher-suites` on startup -``` -β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” -β”‚ Hosting Cluster (could be Hub or dedicated hosting cluster) β”‚ -β”‚ β”‚ -β”‚ β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ -β”‚ β”‚ ConfigMap: ocm-tls-profile (SOURCE) β”‚ β”‚ -β”‚ β”‚ Namespace: open-cluster-management-agent β”‚ β”‚ -β”‚ β”‚ β”‚ β”‚ -β”‚ β”‚ Created by klusterlet-operator sidecar β”‚ β”‚ -β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ -β”‚ β”‚ β”‚ -β”‚ β”‚ klusterlet-operator runs controller β”‚ -β”‚ β”‚ to copy ConfigMap to hosted namespace β”‚ -β”‚ β”‚ β”‚ -β”‚ β–Ό β”‚ -β”‚ β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ -β”‚ β”‚ ConfigMap: ocm-tls-profile β”‚ β”‚ -β”‚ β”‚ Namespace: klusterlet- β”‚ β”‚ -β”‚ β”‚ β”‚ β”‚ -β”‚ β”‚ data: β”‚ β”‚ -β”‚ β”‚ minTLSVersion: "VersionTLS12" β”‚ β”‚ -β”‚ β”‚ cipherSuites: "..." β”‚ β”‚ -β”‚ β”‚ profileType: "Intermediate" β”‚ β”‚ -β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ -β”‚ β”‚ Read by hosted klusterlet agents β”‚ -β”‚ β”‚ β”‚ -β”‚ β–Ό β”‚ -β”‚ β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ -β”‚ β”‚ Components in klusterlet- namespace: β”‚ β”‚ -β”‚ β”‚ β”‚ β”‚ -β”‚ β”‚ Singleton mode: β”‚ β”‚ -β”‚ β”‚ β€’ klusterlet-agent β†’ watches ConfigMap, restarts β”‚ β”‚ -β”‚ β”‚ β”‚ β”‚ -β”‚ β”‚ Default mode: β”‚ β”‚ -β”‚ β”‚ β€’ registration-agent β†’ watches ConfigMap, restarts β”‚ β”‚ -β”‚ β”‚ β€’ work-agent β†’ watches ConfigMap, restarts β”‚ β”‚ -β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ -β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ -``` +**Key insight:** The flag approach makes default vs. hosted mode irrelevant for TLS configuration - it's just a deployment namespace parameter! -**Implementation:** -- Operator: klusterlet-operator copies ConfigMap from `open-cluster-management-agent` to hosted namespace -- Components: Watch ConfigMap in their namespace β†’ restart on change - -**Note:** TLS profile comes from **hosting cluster's** APIServer, not managed cluster's APIServer. +**Note:** TLS profile comes from **hosting cluster's** APIServer (where klusterlet-operator runs), not managed cluster's APIServer. --- @@ -508,11 +487,14 @@ data: ### Component Restart Logic +#### Pattern 1: Operators (Scenarios 3 & 6) - ConfigMap Watch + Self-Restart + ```go +// Operators watch ConfigMap and restart themselves func main() { tlsConfig := readTLSConfigFromConfigMap() go watchConfigMapAndRestart() - startComponent(tlsConfig) + startOperator(tlsConfig) } func watchConfigMapAndRestart() { @@ -533,12 +515,59 @@ func readTLSConfigFromConfigMap() *tls.Config { } ``` +#### Pattern 2: Components (Scenarios 4 & 7) - Flag-Based + Operator-Triggered Rollout + +```go +// Components parse flags on startup (no ConfigMap watch) +func main() { + tlsConfig := readTLSConfigFromFlags() + startComponent(tlsConfig) +} + +func readTLSConfigFromFlags() *tls.Config { + minVersion := flag.String("tls-min-version", "", "Minimum TLS version") + cipherSuites := flag.String("tls-cipher-suites", "", "TLS cipher suites") + flag.Parse() + + if *minVersion == "" { + return &tls.Config{MinVersion: tls.VersionTLS12} // Fallback + } + return parseTLSConfig(*minVersion, *cipherSuites) +} +``` + +#### Operator Logic (watches ConfigMap and triggers component rollouts) + +```go +// In cluster-manager-operator or klusterlet-operator +func reconcileComponents() { + cm, err := client.CoreV1().ConfigMaps(operatorNamespace).Get("ocm-tls-profile") + if err != nil { + // Use TLS 1.2 defaults + cm = getDefaultTLSConfig() + } + + // Render deployment with TLS flags + deployment := renderDeployment( + "--tls-min-version=" + cm.Data["minTLSVersion"], + "--tls-cipher-suites=" + cm.Data["cipherSuites"], + ) + + // Add hash annotation to trigger rollout on config change + hash := hashConfigMap(cm.Data) + deployment.Spec.Template.Annotations["tls-config-hash"] = hash + + // Apply deployment (Kubernetes triggers rollout if hash changed) + client.AppsV1().Deployments(targetNamespace).Apply(deployment) +} +``` + ### New Components | Component | Repository | Owner | Purpose | |---|---|---|---| | tls-profile-sync sidecar | stolostron/import-controller->tls-profile-sync | Downstream | Watches OpenShift APIServer, creates ConfigMap | -| Shared TLS library/helpers | open-cluster-management-io/sdk-go | Upstream | ConfigMap parsing, fallback logic, TLS config helpers | +| Shared TLS library/helpers | open-cluster-management-io/sdk-go | Upstream | Flag parsing, fallback logic, TLS config helpers | | AddonTLSConfigController | open-cluster-management-io/registration-operator | Upstream | Copies ConfigMap to addon namespaces (in klusterlet-operator) | | Addon ConfigMap watch + restart | open-cluster-management-io/addon-framework | Upstream | Common addon functionality to watch ConfigMap and restart | @@ -548,9 +577,10 @@ func readTLSConfigFromConfigMap() *tls.Config { |---|---|---|---| | backplane-operator | stolostron/backplane-operator | Inject sidecar for cluster-manager-operator, addon-managers | Downstream | | import-controller | stolostron/import-controller | Inject sidecar for klusterlet-operator | Downstream | -| cluster-manager-operator | open-cluster-management-io/registration-operator | Watch ConfigMap, create ConfigMaps in managed ns, restart on change | Upstream | -| klusterlet-operator | open-cluster-management-io/registration-operator | Watch ConfigMap, run AddonTLSConfigController, restart on change | Upstream | -| All hub/spoke components | Multiple ocm repos | Use sdk-go TLS library, watch ConfigMap, restart on change | Upstream | +| cluster-manager-operator | open-cluster-management-io/registration-operator | Watch ConfigMap, self-restart on change, inject flags into hub components | Upstream | +| klusterlet-operator | open-cluster-management-io/registration-operator | Watch ConfigMap, self-restart on change, inject flags into agents, run AddonTLSConfigController | Upstream | +| Hub components (reg/work/placement) | open-cluster-management-io/ocm | Parse TLS flags on startup using sdk-go | Upstream | +| Spoke agents (klusterlet/reg/work) | open-cluster-management-io/ocm | Parse TLS flags on startup using sdk-go | Upstream | | addon-framework | open-cluster-management-io/addon-framework | Provide ConfigMap watch + restart for all addons | Upstream | ### Sidecar Injection @@ -599,11 +629,24 @@ A: Kubernetes restarts sidecar. Components continue with last known ConfigMap. **Q: Why restart instead of hot-reload?** A: Simpler implementation. TLS changes are infrequent. Kubernetes handles graceful restarts. +**Q: Why use flags for components (Scenarios 4 & 7) but ConfigMap watch for operators (Scenarios 3 & 6)?** +A: Operators manage their components' lifecycles, so they can inject flags and trigger rollouts. This follows the OpenShift pattern and reduces component complexity. Operators themselves use ConfigMap watch since they're not managed by another controller. + +**Q: Does the flag approach work differently for hosted vs. default mode?** +A: No! This is a key advantage of the flag approach. The operator always reads ConfigMap from its own namespace (`open-cluster-management-agent`) and renders flags into deployments. The target namespace (`open-cluster-management-agent` for default or `klusterlet-` for hosted) is just a parameter - the TLS logic is identical. No ConfigMap copying needed! + **Q: Can users customize TLS profile?** A: Yes, via `APIServer.spec.tlsSecurityProfile`. Changes propagate automatically. **Q: What about client TLS?** -A: Separate initiative. This design focuses on server TLS (webhooks, metrics servers). +A: **Client TLS is a separate initiative and NOT in scope for this design.** This design focuses exclusively on **server TLS** (HTTPS servers that accept connections, such as webhooks and metrics servers). + +**Why client TLS is separate:** + +- **Server-side TLS is the current focus** per the [OpenShift TLS compliance hint document](https://docs.google.com/document/d/1cMc9E8psHfnoK06ntR8kHSWB8d3rMtmldhnmM4nImjs) +- **Aligning Kubernetes client configuration to the cluster's TLS profile is a separate, later initiative** +- **Clients should use a modern TLS stack and not artificially limit negotiation** (e.g., able to negotiate TLS 1.3 when the server supports it) +- Setting client `MinVersion` from the hub's TLS profile (e.g., Modern = TLS 1.3 only) could **break connections** to servers that only support TLS 1.2 (e.g., ROKS clusters, external APIs) **Q: Why does each managed cluster use its own TLS profile?** A: Managed cluster admins control their own security policy independently. @@ -635,5 +678,6 @@ A: When OpenShift adds PQC cipher suites to APIServer TLS profiles, all componen ## References - **OpenShift Requirement:** [Hint for resolving TLS non-compliance tickets Code Examples](https://docs.google.com/document/d/1cMc9E8psHfnoK06ntR8kHSWB8d3rMtmldhnmM4nImjs) +- **OpenShift Pattern:** [Centralized TLS Configuration Enhancement](https://github.com/openshift/enhancements/blob/master/enhancements/security/centralized-tls-config.md) - **JIRA:** [ACM-26882: [ACM] Central TLS Profile consistency](https://issues.redhat.com/browse/ACM-26882) - **Existing Pattern:** `pkg/operator/operators/klusterlet/controllers/addonsecretcontroller/controller.go` From 9a606a2000b61dce691e02b8bddeb5abb1642e95 Mon Sep 17 00:00:00 2001 From: zhujian Date: Tue, 17 Mar 2026 11:53:00 +0800 Subject: [PATCH 6/9] =?UTF-8?q?=F0=9F=93=96=20Add=20Future=20Enhancements?= =?UTF-8?q?=20section=20for=20multi-level=20TLS=20config?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add a Future Enhancements section documenting a potential multi-level TLS configuration hierarchy for klusterlet-operator. This addresses feedback from the OpenShift TLS team about supporting hub-driven TLS policy enforcement in advanced deployments. Changes: - Added Future Enhancements section before Approval section - Documented three-tier configuration hierarchy: Priority 1: Hub-driven config (highest) Priority 2: Local APIServer CR (hosting cluster) Priority 3: Go defaults (TLS 1.2 fallback) - Outlined two implementation options: β€’ Option B (Preferred): Hub creates ConfigMap that klusterlet-operator reads β€’ Option C (Alternative): Add TLS config to Klusterlet CR spec - Documented benefits and backward compatibility - Current decision: Defer until concrete requirement exists Context: In hosted mode, klusterlet-operator runs on a hosting cluster but manages a separate managed cluster. Currently it uses the hosting cluster's APIServer TLS profile. This enhancement would allow the hub to override this with stricter policies if needed. The current design (local APIServer via sidecar) remains unchanged. This is documented as a future enhancement only. Signed-off-by: Claude Sonnet 4.5 Signed-off-by: zhujian --- docs/TLS_PROFILE_COMPLIANCE_DESIGN.md | 39 +++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) diff --git a/docs/TLS_PROFILE_COMPLIANCE_DESIGN.md b/docs/TLS_PROFILE_COMPLIANCE_DESIGN.md index 4755811f0..58da80328 100644 --- a/docs/TLS_PROFILE_COMPLIANCE_DESIGN.md +++ b/docs/TLS_PROFILE_COMPLIANCE_DESIGN.md @@ -662,6 +662,45 @@ A: When OpenShift adds PQC cipher suites to APIServer TLS profiles, all componen --- +## Future Enhancements + +### Multi-Level TLS Configuration Hierarchy + +**Status:** Deferred for future requirements + +**Context:** Currently, klusterlet-operator (Scenario 6) reads TLS configuration from the hosting cluster's `APIServer.spec.tlsSecurityProfile` via sidecar. This works well for most scenarios. However, in advanced deployments, there may be a need for hub-driven TLS policy enforcement across managed clusters. + +**Proposed Enhancement:** Implement a three-tier configuration hierarchy with top-down priority: + +```text +Priority 1 (Highest): Hub-driven config + ↓ +Priority 2: Local APIServer CR (hosting cluster) + ↓ +Priority 3 (Fallback): Go defaults (TLS 1.2) +``` + +**Implementation Options (when needed):** + +- **Option B (Preferred):** Hub creates a ConfigMap in managed cluster that klusterlet-operator reads + - Example: import-controller creates `open-cluster-management-agent/hub-tls-override` ConfigMap + - klusterlet-operator checks this ConfigMap first before reading local APIServer + +- **Option C (Alternative):** Add TLS config to Klusterlet CR spec + - Example: `Klusterlet.spec.tlsConfig.minVersion` + - Hub sets this in the Klusterlet CR during import + - klusterlet-operator reads from CR spec first + +**Benefits:** + +- Hub admins can enforce stricter TLS policies across all managed clusters +- Supports scenarios where hub requires higher security than managed cluster defaults +- Maintains backward compatibility (if hub doesn't set config, use local APIServer) + +**Current Decision:** Keep the current design (local APIServer via sidecar) until there's a concrete requirement for hub-driven TLS policy enforcement. This enhancement can be added without breaking existing deployments. + +--- + ## Approval and Sign-off **Document Owner:** ACM Server Foundation Team From b5996faac9ce28c7bcc95488e0b65b46b7ae7869 Mon Sep 17 00:00:00 2001 From: zhujian Date: Thu, 19 Mar 2026 15:33:15 +0800 Subject: [PATCH 7/9] =?UTF-8?q?=F0=9F=93=96=20Add=20Simplified=20Pattern?= =?UTF-8?q?=20Summary=20to=20TLS=20design=20doc?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Added a concise pattern summary section that categorizes all 8 scenarios into 4 fundamental patterns for easier understanding: - Case 1: ConfigMap Creation + Self-Managed Components (Scenarios 3, 5, 6) - Case 2: Operators Inject Flags into Components (Scenarios 3β†’4, 6β†’7) - Case 3: Components Receive Flags (Scenarios 4, 7) - Case 4: Addon Agents with ConfigMap Copy (Scenario 8) This provides a high-level overview before diving into detailed scenarios, making it easier for teams to understand the overall architecture and their specific implementation requirements. Co-Authored-By: Claude Sonnet 4.5 Signed-off-by: zhujian --- docs/TLS_PROFILE_COMPLIANCE_DESIGN.md | 84 +++++++++++++++++++++++++++ 1 file changed, 84 insertions(+) diff --git a/docs/TLS_PROFILE_COMPLIANCE_DESIGN.md b/docs/TLS_PROFILE_COMPLIANCE_DESIGN.md index 58da80328..41ff64a40 100644 --- a/docs/TLS_PROFILE_COMPLIANCE_DESIGN.md +++ b/docs/TLS_PROFILE_COMPLIANCE_DESIGN.md @@ -93,6 +93,90 @@ OCM repos are **upstream Kubernetes projects** that cannot depend on OpenShift-s --- +## Simplified Pattern Summary + +All scenarios follow 4 fundamental patterns: + +### Case 1: ConfigMap Creation + Self-Managed Components + +**ConfigMap Source:** + +- Controller (sidecar) OR manual configuration creates `ocm-tls-profile` ConfigMap + +**Who Consumes:** + +- Components deployed on hub (addon-managers) +- Operators (hub or spoke, doesn't matter) + +**Behavior:** + +- Watch `ocm-tls-profile` ConfigMap in their namespace +- Restart (`os.Exit(0)`) when ConfigMap changes + +**Applies to:** + +- **Scenario 3:** cluster-manager-operator +- **Scenario 5:** addon-managers (e.g., cluster-proxy-addon-manager,no sidecar needed as it is deployed in the same namespace of the cluster-manager-operator; submariner-addon-manager?) +- **Scenario 6:** klusterlet-operator + +### Case 2: Operators Inject Flags into Components + +**Who:** + +- Operators (hub or spoke, doesn't matter) + +**Behavior:** + +- Watch ConfigMap from Case 1 +- Read ConfigMap and inject TLS values as command-line flags into component deployments +- Add `tls-config-hash` annotation to trigger rollout when config changes + +**Applies to:** + +- **Scenario 3 β†’ 4:** cluster-manager-operator injects flags into hub components +- **Scenario 6 β†’ 7:** klusterlet-operator injects flags into spoke agents + +**Note:** Operators do BOTH Case 1 (self-restart) AND Case 2 (inject flags for their components) + +### Case 3: Components Receive Flags + +**Who:** + +- Components deployed by operators + +**Behavior:** + +- Receive TLS config via flags: `--tls-min-version=VersionTLS13 --tls-cipher-suites=...` +- Parse flags on startup (no ConfigMap watching) +- Restarted by Kubernetes when operator changes deployment annotation + +**Applies to:** + +- **Scenario 4:** registration-controller, work-controller, placement-controller, addon-manager-controller, addon-webhook, registration-webhook, work-webhook +- **Scenario 7:** klusterlet-agent, registration-agent, work-agent + +### Case 4: Addon Agents with ConfigMap Copy (Optional) + +**Infrastructure:** + +- klusterlet-operator copies `ocm-tls-profile` ConfigMap to addon namespaces + +**Who:** + +- Addon agents (optional - addon squads may choose their own approach) + +**Behavior:** + +- Watch `ocm-tls-profile` ConfigMap in their namespace +- Restart when ConfigMap changes +- Same as Case 1, but with ConfigMap copy infrastructure + +**Applies to:** + +- **Scenario 8:** cluster-proxy-addon-agent, ... + +--- + ## Scenario Summary | Scenario | Component | Platform | Sidecar | ConfigMap Pattern | Solution | From cdebcab91f59d880e33f4d8a53d0afd5bdf4a57a Mon Sep 17 00:00:00 2001 From: zhujian Date: Thu, 19 Mar 2026 15:39:13 +0800 Subject: [PATCH 8/9] =?UTF-8?q?=F0=9F=93=96=20Add=20architecture=20diagram?= =?UTF-8?q?=20to=20TLS=20design=20doc?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add visual architecture diagram (tls-profile.png) showing the complete TLS profile compliance flow across hub and managed clusters. The diagram illustrates: - Sidecar injection pattern for cluster-manager and klusterlet-operator - ConfigMap creation from OCP APIServer TLS Config - Flag injection to operators (--tls-min-version, --tls-cipher-suites) - Addon agents reading ConfigMap on managed clusters - Component relationships and namespaces Placed in Simplified Pattern Summary section to provide visual overview before detailed pattern descriptions. πŸ€– Generated with Claude Code Signed-off-by: zhujian --- .../TLS_PROFILE_COMPLIANCE_DESIGN.md | 23 +++++++++++++++++- docs/tls/tls-profile.png | Bin 0 -> 301500 bytes 2 files changed, 22 insertions(+), 1 deletion(-) rename docs/{ => tls}/TLS_PROFILE_COMPLIANCE_DESIGN.md (98%) create mode 100644 docs/tls/tls-profile.png diff --git a/docs/TLS_PROFILE_COMPLIANCE_DESIGN.md b/docs/tls/TLS_PROFILE_COMPLIANCE_DESIGN.md similarity index 98% rename from docs/TLS_PROFILE_COMPLIANCE_DESIGN.md rename to docs/tls/TLS_PROFILE_COMPLIANCE_DESIGN.md index 41ff64a40..7d3542ddb 100644 --- a/docs/TLS_PROFILE_COMPLIANCE_DESIGN.md +++ b/docs/tls/TLS_PROFILE_COMPLIANCE_DESIGN.md @@ -95,13 +95,34 @@ OCM repos are **upstream Kubernetes projects** that cannot depend on OpenShift-s ## Simplified Pattern Summary +![TLS Profile Architecture](tls-profile.png) + All scenarios follow 4 fundamental patterns: +### Sidecar Injection (Stolostron Infrastructure) + +**Who Injects:** + +- **backplane-operator** injects `tls-profile-sync` sidecar into cluster-manager-operator pod +- **import-controller** injects `tls-profile-sync` sidecar into klusterlet-operator pod + +**When:** + +- Only on OpenShift clusters (detected via `config.openshift.io/v1` API group) +- During operator deployment/reconciliation + +**Applies to:** + +- **Scenario 3:** cluster-manager-operator (injected by backplane-operator) +- **Scenario 5b:** addon-managers in different namespaces (injected by backplane-operator) +- **Scenario 6:** klusterlet-operator (injected by import-controller) + ### Case 1: ConfigMap Creation + Self-Managed Components **ConfigMap Source:** -- Controller (sidecar) OR manual configuration creates `ocm-tls-profile` ConfigMap +- `tls-profile-sync` sidecar watches OpenShift `APIServer.spec.tlsSecurityProfile` +- Creates/updates `ocm-tls-profile` ConfigMap with parsed TLS settings **Who Consumes:** diff --git a/docs/tls/tls-profile.png b/docs/tls/tls-profile.png new file mode 100644 index 0000000000000000000000000000000000000000..3efc90eacd55859fb2d21bef6f46c642a40dbd2d GIT binary patch literal 301500 zcmeFZbyQYs`!0$Jf&vPNO36~B1VlPtK@kz@Qc{ra?vfB`k&;G2N_eFkln?;{>F)0C z+V{leTHkMsz5hC6oN@LU-yCDP@O8d(K5@r&UHARqEh#R13Ht^%1_s6@ktdI&F)%L1 zV_=+rf^`}`2{&!lh5ubJee%Kr0|SQu`R^1)Wb`!*jGGuDj|60GqZbApq64gsP%AjM z$gCSaeiFNa&6SjTS>#2Ork2r*D?uh(>S>u_1sz+NvioAxc}o4S8$K2+igM51{dn&R zK|{zZ?@aA0){oCu|6C3s`BSA7#LIpE68|HuD7(OnEw3i`r*od{{aKzze|D`#QzP(kQUOw7=J%gwcLJl zt}|5S95Qaq&si#^@)`1(IT<^&_DjXnxcoaK4Oxi6?-(;E=5ZeFjMJC;Jl_|=EaN{u zSYH|}Rj?*PzDfFFt|Kj1ul-X)))=+^?%HJGptX{g!YTMC$3j29i>J^zc8_i$cOut= zXNO5PD?ZQS_{$&r-}v+Lw<)pqa}heRX$y2%ZZ~arC&TGW&%)jDXQMbw$T>}4YAIy9 z;IHiAwdkLGoWQ%;Arq={`nVNF&22R&doq*Xk035CE&=?5MH3fMF|k1#9IE}9#K1dZ zk%VUj8p9YcFWuO9#drx>-I{M(i~Z=bwT7Em0sMP2rAs9l8YWq1E?{5`i+sg-xok94 z#%0L2Fz?#kE`cgH8~=V2YpHC#nSyI1-+Z!x`PKKc0>2W411XBjbL`fq5)u;hJJUNq zzgVwRCPp6rB+qGo>&s|(->cEAkf|nK+JDE5XDbQOhhDS&4t|i^^_3i z6%5zIC!Gz97#L6ElTQNm0uT2)42%Wgvt`IVCzr<4uQ;ypU%q_F5k2`k?sMdpm4`{P z)~7Hq13rKLTzP!Bygt>mztJv1!ft3g6`@mL)W6jx%7pmKm|o$K{XE#5+s&fUHzWa^ zV{bJ$BG`=-wY9bJ&pPdG=na-wth_%Cy8@8+I88frqJ*D{9-GAeY(X3T*3XOZhyg| zC$Z}Dg&BC>a{2bqO)UNHET=)MZYuJ=a)<4S`e2=(A68fEDA0=e=_0{*jQaApb|-?p zE?zgE2oioX{aLx#ye&y&*l}IVveTbq=-SzDOfI{P7A<@ntH#J6S#+AmYJE}Qxx+#>IiI~F zx&<)_SI)P6x`+GQCS9Lukyg--?>Ro zPme-Xs#m|cM8ba1iFUSHttF=BxcE@1(Aa4|ScbZ4mqa!q~EP{@3dI~A&+`XWcO{ymkb^+Hc;yny?93#!uP_{eI$i(%0{ zhQnm2$`gn9?(;7Y6x+pl7Naeix#mCTHmrJvJiwGj3>8~ugJ7#m$;6YQYGbyYzVzzL z%8<}dq9f+_VPRWizD!{|b%t^LPT1JkSI|DVnJT61yRqS__IkFKV>RBbnh>}XQ0TU{ zw)YBp;4?l%^bKlu*4EZAO3}NVY;2p0g~I{Oj$6Gt)w{4ekAk-cEF?JXz?P_o4}vB5 zz4^mxb~`f^IP}_*YJ}R`+V0=KU)8St^MlkF7srt8E6WVnfr}LUWi{=Q941GzDREcn zX%#u>=`-Xq*XP*%}#}I+as_*{D66wW;4?h%=<|Ym?YoO%6#%T?jk(QxRJd2_OUDWyWrq< zaK#xd4QgGOL^9jyEkOu4=H}*AW*ThlnD9(~b` zMzy2+1G}_q;gtuIqh1sNss&({7SqjA;dimz7*$Fh%_jdUU9RYdaf1O<4Ic*ylNawV zm5M6wrDtT7EaWsMgnN@U!i(VMXCLlSt{#AUA-?Rg-#`4`Bs4sHJ8JmgQ;poy#4|6< zOmHwT+-_n)%%ytj&ZD3#kOh>4)-G1d8W}(Tj>T4XaXil^JtwqQ|QS3%O z&I#bHWHtj*v5mrkG6GrlT$Bwv3Q8B1wA$Yv;J$#Nn{DQ2*n{ z+Z;~yt`vvuB?{*qbpe5I5C+a)x;SY)cMu|YS-nVg*56wBuTfhJeGNik2im1EeE zKxJ)bJaD-;Hzn`1{l-kT^Wh#Oyrw7)WPMs4J1lT0UR>j^WWsX$=8kCs@eQI2e0%R; zy+x-fl4vsSiiH%sez%(92tPnZMh4zJ3Jbaj6KhQnf>1@D`Jp#g2emWeK3b%JR)y5{ zqp4{y-=G_Y*O#Y9(2RHe{_RzQo#Erd;o0^SuW|7hZY^!?tAvDxy*bHwMqe8~ok;^1 zc~A>EHuc)*)#1vWTBfQvJ2vA1PP4>i?1QGR9IZx}spSt!FAu!^qWP@SEXesQzaHZ8 z<$*QkFsbEgi)}RK8lcOqYu;WKrf{;{$+1};>Q;3y;&g`fqfZ}^gha`Cjot7$#PtM< z>U{l9eMly?SH(m`(jdQD8a+L^I@9IcZ}xmqf4C9i?@d5GWZuZ2E;^}$+J6BXJmj=J zxFRVo-uyFyMfCH;RFny<_Ey}{MhbZR7vsSaqJ4G*eeSG^eYiLJDatrqrPLap*q?8( z4NgGC-SP3E*L4={Jj34mR8+}gQS1bFp1mDYqj1`gvg~s^hg0<}?)YFD7D#9v7SMU4 zRX8!6$~cke`x{mJ+2p;=c}xLGK*~`j6n!ht((Q=85I}g$xn|{X=35hr!8{=?BmG{2AkjN>H zcj`=eb$`X{#5u7K)TTptgj8-fpIMlYC$sS&8s_=vV;)R%1s-e&SOZoIUX6)MdQB*% zLFDh`LOpU$l6k4}_^28W#cTEnY|Z}$8+IL%{XIXMLvR#641Yqn@^nEX1`JKLTzV=!60C(Hy|elkn@$Krlv0J z9~>^b;9(-^dO(xkvVk_`;NhKm#X?NE)HZ~wshZbP+z+PbN#~=|i%Ft7se|JKc z7kq$DF8vXcjI^|3p)pwihfyD4Q=ILXH_U0iD^m$#u+QLeygRPXeRUq|g(r;h@GKaY zQ+B=X@TZzP{Qy0y<%~;aKe^*_r}j_@lUd2G(MfSEl+0)GK(_NG+Cm+#qv|)2yz$c` z`O~K%0JyaQUFmZ4J}!K#H3XyNvL+R~+8dhHt%<_acjDY`avpB9C&nt-%{-U`uqinz zO;?KHdgc+ts9OYIc*Mu!)~#QpEAkf=z;-KId8{IDEOvQMoIo zVZvxWWH-$R&D>s2ktVe{Q+)Tjpm0*0C`VS`}W z_2J6SyOZiInY@-at!|#eNHsmJia|8q^D0m*mKWks^*5WNyPu=0jD~`d7(yC?8nK#7 zO9`{BqD_fjtJc5!0uavk05XyzA4V1yiy10O zOZm~>d_DDNwMu@{iHQlqt5>fYe2TVg6CqkPMhxt&??k{04dIy|w*v1TXI4OLCswtk zga-r1HR$^6ZS6s)l(#OQpqqQFp(NtTa{c;sNP;RQma~2N28o^|<4*n%!3cTz5z{b#%hb?4+cmI_^CkNUPBB+%F-vSjetxj^QZ;z=%W4 z=yxZaNv#5ar^8Y)H5;4N&dMl)zBv7MQ+ct zknM)X#wace?Ost29zCJWM|g>MKjjr@-Y0uP_5=fC>l{qRc6Yn-Smk@`gtLGyB=FG@ z0NM28Ye?uBzvA-ZIptFaa;?P2{(u>;GAM2|0NOZMYmA79@D3jUBad@js|UWP0&u5o zDZ1#gBHVg|Raf%ybuf4Oad~8~NUu5D;-mr#Q>%1l(f;{XTUth@g@1nmVLemJ0)`-6V&YoF)`w^l^usC-b*j-ADbziue^9hnmV zcyswwq(L+9`p>p3zKvfG0d*2r^a6-luEJp&@LfYDeY2Isr0jBX>E6~N!dc?X8)&^p z({nfmnJOtCzVUDe9K1SS7Y8;6NhcscJd!o7XV)9=@c_8)nzo9NkdSw&oToVVY|`%f zG^W5k+m#V8j?k1ZpTwfxgd6sJ`B+2H@HU7j5nvXI!0b+vR2gG`hCr~ing9(bt-@*l&L^PPwt&NY zRHPxz&d>&fQHZSZp&+zPlz)z7)w_ZV0aj6i3PPA8WM>Myi6B@yFM*7i_r(^|VYc1pDqXdoJS?g|j28!M{yQev*+ zB9wL_rgItcr|B=)>cl|)lDsHVvzp7JHxJa+62M6GfrZuH0cgVq%MR#sbH1Bt*Tw-5 z&j#9gGs9H5Z)z?GV&xlmOmf?o)6FsU)PC2P|5B#ME=MBygX;-HeQ7DNkq0&9fDLm6 z<#z$+C9VR`QeDsmNC{RN?bs{Y#KU7ytKcmjFVty?g+MZ0Iy8KIVh2RxUvWn2x*(#N-g7?Kfo&9ChqO1vP&gpH zl@CsP>#^UHXarS3_^n=jd-+zwjJHQt(U{LY^|0`88vqN-fR4HIV3q)lIY_q`dUO4v zIx>|wkSKhcJr?0x^;F@vk5`sfs__Dy&v9xsglGsC8ueezuNUXr>@a<|LtkGLGm0*m zOV^!+U_^BF>YbrE1nK~}p$LGbSDKKCWAd%!kRZkP?c=;8B~7*5A{usghi;R52mJ8Ys*wBl+RT393QRrB5q`X6**{e zIkMm+hv-uzB@c5<@au+rdWGW0b6Hu-Ix-uNK;^sCNOVXwr3Iz`tAseXM|D&EbW7ZD znoJ76(;gua5hU7qkW6S=CK2lgIL%lz;szo@mTLJP*q(pi_1YXYs&tu@W|!k_mq1c3 zAb8ZVwi+AP8&ka`| zpCeW_?E?H^Hx&Vz$3cwE&~^5YOMr$zfZ3SuUiKgmM@$ugj=*8xgm2Hb1I1~kZJCB> z0W%-Ct`mJ3H;hSb2qu2Khd$OHD%%A&n*JHF4wU>(?CwvNmWkvPhz4A=~|kaKO@;PUgT;6oLg*9X@Ssjh5ymoS|bx=eS0rl zG9+pvvj@OO#TfGb{TlFy7^|)qCsaQdCJ2_P3*p4rcM_*I9a#)52bd`K)cl4daBqVnM^0I*Y`OsB`YCvd- z!H{EnO>13#eqHo*qv=v zz7@TFl}S~(SpxQ8#0#r%BNZ}<7V%m;5nq8JEM%w(&KHSCMtPuG5b_XOEkc?MX7b|} zh4Ea{0dd4(V@665od!-{oA6}##RC8uK#OhjfJwDZfCkm5t54J)Fpq=@v|_2Xk=|kr z+jv0WUGEpdV9`T2UTYU~}w{9io7YnX! zprt+T#asnEPPgg-5*aZM%ffQyW|tCR4MuBo(4AQB-v=Nc<0xWz4ActTw7ka?SjQg3 zgcgwb%)^|3_)A1{t^%AB=kI_N_w(mZM1S1nyVFH*q`Cs}5PMrOFbR-4F!k~8{`B(J zoX#-HH@IYq8X^EEBKaJwvkOfjcT&4NRX=P`k%+seF1Yp)!UKdE8E_-+vA4IbOp7|4 z=*J5wplDpheNV!#Rp^=!rox&ko!kII5u#j91S9g}bgY9h5LFPrCz;~&nn%HqR>452 zhw1qE4nZcn4uyxJQ*z8O4|_;QOCY?`2oi3!XF((b%OO*R5Q+ygCyO|NYNWND^sF&T0Y16}}o21>rR zwswO}-?HigHLLEg5r@H#U%r@vQ-N0B*wTUmrlXXnEA@Hwz2Rg-D5ytqAVov;LZoXT z^UDLB+v<7M-rf#lzf7i*tx*dg9o(`% zPfzBqAV`TorI3*T7Z>)-*KPf4AlnddJ`#4b*Kx41`9a7ANyurfo*KmL&kE=vuIXqQ z$N={n0L3Y3YfnKkQ+WQo2O!;*MjF(K%_D&kmz49~z&CpP5O%67E5FOS@opDv<+x8V zjeK1>+Fw4NS3Aabi-(8T?`A?m0?@=m3S!dXf(|Of@5U*NmrNIIL*tw@P7)f%7>)fe zbpQY$;>az`h;a-O;sOb~GYA47=9hn~%TzNkKTg~I#lmICW)S>5nNYyLf^G@F=|$hf zsxra@0CgtR^~A6-9*|niwo%#3Hd%G6C;+?$7)}b71DjL^CSA1)a)>I(bD@fNFfhKD zT(JE;l$ur`i+cdqE$2FDBkLO)fC~7k;*xQ10Pe_=PJT*7goS}|a1EiozptnApwfV< z!~`N1z+r@!S2{a^)jn0C*16fFY*?8`#z;hI}1(gDw5bmlcqNipK+ZwhHvOyaB#K zJy=BmA3;#|^O>P4xW8BY>nTyFd9U3-IUfKZg2MI0d(i~fZpfhP>+99=EdrQigfV51 zLDMY9v4tYZ5TwY_9bsJLXDAb#J<+_=Ue6Kk#; zttOHz=c-}i1N8;cE6$Yw5#bTP=YWB$3E5?V;G|? zEdGA)UneF9A2htgWP&vX9A;r*ks+IA-Y&)gFGY$1$>FMy|F~hSN(F{?z+Y@YY{YT{ zXb%jaDGue*9L)ulYMmG>Bn2{-Z?r+m6E55XCPZ#K@*0NQk+zAi#NgdP4ufMIDee$j?-wVRxZ?4b@gaUYr1; z_P3YSz}7T2k+M7}emHI~f5i)cJsnP?j=7+Q57l#ol!7v)(`#bAEFb-+;Q=Tv&r;F2 zs>|UfRCF1he}N+VydO(5QlQ^n8idNa$`~EM28YG`?yFD_huVx{zCP%8dX@Ww%K^}C z0JR~819M~q0Pt^O6&MfhL7fa!z_dr*3(6#{Wsa+3wSe^T+(tkmK>=k&geDM8SO6&k zL4oZ8cUbPp9tQ#}+2;@q#rJ3~3t&~i#V9ZZe!-3a8&a`s74jmpe!h#M`E5|HXT(}1 z5Y?2(84DhdUQir)@C8b&D=sonKuudv#C--O+)?T>)6psbwN%GJ{IC#+00H1>R}$70 z%8Ut0Kyy9TVJo!I`M^SSbD;HNbOKnjua8fHvMh6PaWTkt<8^^}YFkT#Jgd!MOeG*= zi|#AU!dCk?gRe6M9~bnMHUPivhf;k=!OW{bzN@hXu%1^Wpgbg@tg$vxPZb*$8OaU$ zkH)65Rj1r&E0pl?fLC(cfzms?>A5`VbGWyO6Nr#%K#vToRbYrz==)$tS0rNZYdy8M zx97yI9Dtf5i2JE;W^h}>ok0NcBjw7eDfK7kFy3#PG43puCQ3)Bk(syxLuzG9Vf(zhU zu&t7b-A2aJ1pwHwEIQ(AAEBjV50uo5p8L|$PlwLu=yysVn?vvATx((--}V4OQxX(W zlaqy*(BNJ)PD-zxkN1aLJ}}?1?}Zu%lzoMnT((Px`M`k%@S!gyxu&t2FGEm4#i~;) zT;*!H-0=Y;AE{Tj|)^o6Ojg4cHlYN2|MMg*+7^_@95V%?>4HvDb*B$l-3Sm z?}`M{X;###xH|~dUMLsYczYR_t$v5zG&(bFFlksJQVwHf*5IAMNAmJWvm7*y?3Dj$ z80CD4WqWEN97sCwz7l9?0f)R}yiCZiv;sQJes|?jJ`nc^7M%ivZbn{KkmEo>m3?^$ zVk8|6O%d2abvQ%-6M>WKI$nnZbf_f$XoVSV)lq6-1YU>+2DuFKCYm3TlNtdWg$40V>1| z*r*NJikn!*#gkzmc&31ffyBlMl|K-_R!#Y-si}E*N>3Z4g84#?G_O>y;aIM3_uRR2 zt*`dMCbyxd4P+QrN2DgUzg&qT)zQ+DGmL>=5L`^LNY-5_Y`V;R^m@YtmA?dG?5W8~ z(0O!POW$T8ePA2pApRcKp^liNDS&k&Lgmy~2<}6m#Y2Y}y}h;l4jJT7 zxkLDtYvUu7V=WRgApxaB@dN)Xu&I*WsVLZx>*PM<*4NK|gEUbk05w^V>P*1^Qj(L& zKzjyx?^|24D8cqc`by}%WKt=~14oAz07TD5zU@>C?P5%K?_R8f)bo}+>b}`njgoOO zmGaX6rfj~QaPjx*x*o=WI)0=BniVvpni>d`kE>V3>8vL z)#}dbxIss1knM&-<(^!gw}Qsjj2Ea3c$jKX3WTCegl#GW(H3xFcSssgDeeLpU|}DM zuolotqmDgSvA;xbod=sDb#308I+n()G!10Tg}1i?Xj~>yrnQK|2ic_dP74rr)0NF` zH7|E4ya>^Lg^*DKyX-wp0YZe-!Mp>=Og{lByyt8O;Y#;l+2xpr^xt~4;}xx$5E=37 z_g+5WjAhkpQw{mef-$~S(p$w5VQ9=RI&OK1UL?wO|F9##iWcisDs!16F(6#oJqL4@frj4HBId`0x_PZ3HPF zhtkQtH?jK90`jy&=kI-n>M{Px>7HX!n*p<0?R5FWmH`c|eIh3aPV0gCY)NQM@Q+~Vm+*#9Dv*LlQe@?w_IDKtWq@+_dmuBxfCAfHpa7b|@Gy~58U4Z3$2K|?Kthm{ZK0C`sn8=D zB#2xwwj0p&T>tZ@G8Eak2&4dVw7#Mcm1*{9XL4TkMO5zEJ4nx+A$4ZCQZ`_x$+V9( zn78gg1nb^@Y7^=*t4o14JuU!{7vj`nK6Lf>fJPqtHFEBO86@%{;zGaxdPSGy%#&#I zz>^?{ofR;xxhx#A^ZDztto0;-K;UdpcCH3GfHX-#f`Zy3?Eo8CmmGA)AdRjKMF&a2 z;*ls9h*(giCx_ip4GA}ddIW0Cr#|7i+{V2c4f!nP;=nNezssM_=e7rJhM{YNz69n$FaP-oKUDcH zK$VXSZijVLp$u$2Fq8K?txB~-6BZTa0K)jvU`%5o2$7>BuQADciY;{3EW2l$}s8!$B}_r=)4YR-Tj&0wvFe-@L>Qj+sIl&V;JA!gAevV$!_ zKCe;wAN9Aq_8z>|@y{Os#lrMW9g)`MCCvipq7!8*XQih%Fd6=4Q#zNPQ3bx<3@H$* z8w7zzNO^r*0mm&KVCR0;pPbdR2CbWM3E&P8NLG)(*bJ|-skxBWNxb<{a=AC?hdBQ2 z8u5jM$8w!}M4cZC67u8{A7|w2=ldkE&8OrWaAZo|!lD!qeDucS;^m;Ivq7u-IFy?B<)&z^Ttl8^ zsMrB$yXnzW?qCDRGUZvs*z7ElV+aZJAoKz)6m2iDS!Nt=gIdITQ4pI&2%~%f5)Pu(m#e?M_bWgG3EIwgZ(eE;csXJ3BkzKF}#3 z5ZMKh6EaVT0riO!octlle0k-x>rKH3TKc*|ucp{13A}*n=$GaR-{cGr?W8`e7)Mo$1O=-AZ1jRT!dhIQJbn7~1go^I?G6;+Wo^^I4AWz8 z?MAEqBw%1*fPwSB{OTGKLa3L)(wVW=Paqgl->j(*ZD_$GBQNz*ki~8c;)#fhi|aEs z`j6?^nZmJ^GFAvnNeL@Q&)1$ne#IW9smq)gC-lUJq7b+9K~Z92V&4RGkim`)H#DTL z$K39RQ>RWrUqejZaYRi`P10>&;(Sk~(Fj4ThYzbE^aIF9Uttv%u7kuM z%VqHi{HK=b?-Yhi8%;+x>r$;C4mrRE0*?ni7^VZ1B=QGwSK3OQ4@$c{hNrRX85;NVoeY>cr$kxH3zqdD3BPcJAb@tgqOiWA%hyC{hS12f4AjI$N*a9Nw z;NW0lLZ^Iki_Kk!Qg|@6#2XKffpUlLA3uI{B3C{{z#G*M0i{FK^$83_PBTDFsxKPK zt3r<+dAxa}T5Mhm-qzZh4f+Hie%nt+arM5AV_>I{tCdw$lH;D}>!;`E=i^s>|9*#y ztC%;IMv5*J7W?9*Oa6g@g@uJS=H_$IUIf{#aoHQ@ZM%wa%E?J8qb43`R5L1+2>=Wg z18o&bii*%xq+c5TR3A7ZoRJ7QO8(x~Cf&dI+f1w=m|tVneTV-S4NWT8Zl7_A;5ZyT zN?ll3Tok=lPxl7WnWtwh%b+x9ub{v1w>*r?w}3u+P%x0*(7W}TWMpKpSaA6(fJQYo zj$ATpDX0{4r!hD)LBa1x;{kd~CU7)h#B;|7?*hx9hs?nT7!(VYAl z077eg4hf&VCA2aCFW7~XGU+PPbfJ(;!{>mTh>{Hcof+W%2g#2?p>=J@f(4dlwpkj0 zuRO7Wl6$Q$vBTyZ)$&NK+4p~+zA^?Lk362sJW255yRG@Tq4H7?qtIxyC5`6Gm+`DR zCl!0+z9qtczePueREA`&$;ruu14zv*EkpR}LL0t(xz~9C(5~&P*D8)a(ybM z){h(}Sp+=d>+KEorxrLCbDe~QgqT=IPj7Z)1i^VQxxU_By;6Zc--9NOB;el|7?d8r zy1QKfXn_jKV8roH#RwXLi9wS1_kNiEIicSI^*>17wI2aZF zan`Raw@&PwS4cJBK9#wJ{efDa@!78y%&gmamP;D)w;uHS|FQ6ui@y!NRwNMh-d3-8 z?(OTK%@!V zpVTX`C)F+l=@VFV>lbW3V;Hd7OxG`E!f2Ut*4FsG_;#b_o!dd#&yaT?HfZYJ#9dRe zHGqHp`-%-X@!$9t<~4hHJ>`N}PG>wb9UMHhjEro~#)tSlTl9an$UqjER6|-{L>3z! zY&O17*es@VEy6*!llNlR=V` z>-77$IP~IgI!L3o*LTt)o%-B7=SrwZiU&S+M&GB-K}hVb=IWCje;u`5rF>*xrQY9n z20p{UPz;WWDh06xkdg4CM~@yqwzsp}-Q9)rMlLhIJ_2*TVS>~JpvB4E-MuA-huR}m zsW2-pZrJtInS;Z_PVHDuGY!Z;f^R_&Lymkc>MJVtK^vDRKD2EEwTfW<5EH`(of&R! zrvZ>aQy@rX@YffRhs4Ch_*{-00beEQfy{z*p4)He!ciVg%_RTU+N`ucy#W6HDJeQY z#Nj(e#>QEz21{@ZhV$fNXYT@(P*(>mX=wJ>NB1m77n~c&GD^1o4(GA)&$#G`rnV~j zmd-t}V`jEtVa<1V7m@UgTMROSq#nrj&`ic~|GqT2Hvm9CzX9k3MGpMIsjD(Oi_Tpb z8OZSw+*avxBcO3X4@^FQUub7_0^#-3r{g782hi=gET*t1`43jAt4^Uo5fD`{GBliU zRREk0ZIqt){QUf&H6jC)P77g#I@?pBr%xN8u!T#`OT!fU9=Xf`2LiMJgq;C`Upn5? zXU|CCTo`CxvX~DA1(EtKG(v$MaD#*-e2eHLSFQZD5*`e*b*0u!QMoKQBgf31HkGib ziV<>)0LO;11`Lnug$PU?1B2m5bMsPXMtJm+Gz}r($AExn(A3mIn!s;jDG+f{O4R#3T9V;cnNHd&G;Nij`!Yo>J^T1D160UWaH z{(8VRsP*dAt!`ikdVnZ3G&CYMPMF*SF3R8GV^m$c48Q7E$EULvr^;%;0h9isp6_a( zI*qY{-B;n{@cj7)SV$6`14EzO1r9lw{mM%gIp73+ThJ~A z1CoGM;^J3=s*=kkI4}V!5s*t8K2Lri!`dl-$Acu6uZRJgJ2aTR2jgg+?@gg8kPeE9;&DE(O>+ivrttZ>RHh=^Y+_8zAlMvKiuh*7fzLrdRAYKQKr}=_0L6yS zej^n?ysT_Tf{<^LC}=g;P|jr`d+)7@qwcA@DfUBuG_Uo-2U%#j1Tr~v{``4CEG4D> zK-7^fpwTwu=o2hz=$}b&{SGgYrvXBZ1~z=97oR>p{yoqbs zIMF^0%mC1v5}cm^Q-+o+4}1W3L3kEONz2MAZl^sbD=RDdf(%_KD28;wxJbJegp{;^ zAN}sYcmURAG*JMKl=blP8m@3s!eWMAbUjVL*-%iBiaLf_*VnNb!{M}N_UDmBj^|x* z$vjzY__iY4u@&PQ!yW0QZ`ZW1Is-Ll&5ZiTGzv9Sqz zP>8WT-#qMj`0!!!80gblt@lsfHR<*b`jq9y#l?l-M|SU}>)eza2&8ZUftH~mL{3ov zJ5Kr#UgjR2nD|Nxr{O|6*zSAQcTrJF2WRv7N|0JmRaH_6FlY&tV^CSm4?8ZEYbpsIvrpKV2GuNed@*Y{%f8cZcnm&k?@Gu<^ z+{41)Tub&DOxy$5LFv6Y@JtHe3cz^6!@J?EkS9K&+YS5BCJp!OJZ`RZW9KM{i`o;2<^#$HqlP?Za7r-ucV^f^VUxk&Y0X)|wrTn-2^q z?@Bv59sn{(E;*r~Ac&;(K&pjunOt~7Q&SA5S;D|WPy_xQo|6&B$w1)`+g8NU%*Gy3 z)__`+n2-SNwOZOu(io`lj) zasl$&89*e1!SZl%d3t$4h5BJ+q9o1Z08-jcq*n!kHn3v+G3XH9f#Ns3+T_(Mg6r22 zRvyc3^)#|TqZXT%<0QU4sD1RW1;hZ703C~wmsc4p8xi6&U3G<)#C#F$<2@d)Jb%Xg_=O zs0M7>6aV$=*V4A4ozOi362xR6h|V*><~P`gp%4gCc>eCgHy5vi`kY&Eq8EJit-1UM z%}dT+yLJuf$MCdJ1cfKA+6xbYoQRbvtRlR%qo`Nz!Go{hF^2#Kzk^O*4U$v(V1gtK zG-lk@$-H>+;)Ey!jM_pYUELz>rW^kCU*K>j-|gE;AbF>|gTsCM_6-^_Xn8AP=1@3! z4nbyB;>2Gc%=diz)8a#SOH{NG`lAC$IAE!GL7e61uYi=u$jG>~v;-3YDPTn{5QIZG zVQ}U0Wdy&xeTxO9VX)}#OeKg*1*yoP)e!)S-T?u)moAmN99MXG34`k<|4Sb8>eVRpa*8Ah281L_Qk-mc%^Us4)U4Qelz946b;;rsMK`bV`Y3xvo$XwG* z*$|npq7gxCF7@_lS(0j`Q~*}OgMw&1QuTFTY8WQ{2SeF3`~9na;*$!NF6No*nM}4h zkBrcsK+Tg^xjudUJAuU~!61&+2z3!`@%y4X_fP2g{lOpcg)Y(Ubb%V3aGC0bvRfw@x*bkC?Bm9i}oLLI&SRr%6toVoU>zH&Dh^FV6fj_NHsHu168Am-$>Y(FI8T# zpt|4nBQ-rr^b!Yg-SNg!NAW9BCnr9C8zEI+l|sFi+1zlq7EgMX+%n#1r+J3}@;2r{cgvuP}Y%sL2uYl5KVIr}DlDE}Sk+ z8kP*%);MOnokL7Kn}gNu*^x$S39sZ~8FmwCwBESA)6m>Y6O+tUf!W#XJk}KaHk5zu zDDTANIk0z4ooXVvXg}@0x5+Cyl$pM;k0*~FG-JPgFfsdOrsu3MX8#@MA$Xtg#o1Se znyK6@Ec6bOO#PntUGh`Q73+_m8CJE$Iiu`(C;B!?vKY7Eah8jOzcMZ66Ub%Pnr~%2 zGU+K(z-s0Ginge8&7};VW_m$kIh9}`R{F~2=r0NSQ6AJzcYR`AOAKB)of9vGwbhy* zg$KSnX8Gijd@kX#09N)!%CIrjru}(T z_78UBAs*cs*3QdXvhtd;1K%p$Ke?1@bcNrdc42?MIk#}mASB|2;M-V}y!peW8rXnc zX-mVZPYjq9Y8AUbjzR-)3-s~0Nz8W_PsLFUJd=-cq1$P5qhN2|w_iwkg&CTpB&U$| zeZzTseTBYt?MYSBghy08Y`JQM{XA3Sr+nkyClw))_S@~Wz8?6h$yH zoC!w{ac{U65;sRka$eqi79*_e9|0bW{}(m&_G8Df6|-C%8`U)%=Na9V1FCts%J@9n zs4)Kt*KU?_%voYNP1$JtvB6`@{T56$4;7#H-&t~(P>Z2|1Ru#4NJ#|Xw^oppS^6xa zXPUS2aRuMXX5r)M>FJE-I9`i1Ad(*<^VUqR{TfiHpyy`)sM4)o9B3|Q5>aZJsb3Y1!>!Z?m_|lzZu7daC%&%bI6ggUNeD(#9$Iv-fY$ zSf<)WRtvYJ-th;wG(krh2<1?jpPS z*Po0q>#x(o5cR9$T#7Y+%%D4rX;pvCN-p0ipOg)*>PYfd8>F_M;oewjW$`re^Yf7r zvq>w+HgDSEKZBBqQk!e$I4Y2MRWctjRGgJH<>J!O-R{u5ebd7>v4xWhIl}S#lKm|y z(4B>llDMxhnG{oOGaonO>tbox{pQIpOnHj^ z_3)4nm0`{tQa1tv#EPyti&ac^Wrm2bIKR_J4Rfd9W|muwo67cN)uf_IZR{LzM}GFw z2g@uGcJ?3C&fj^adb@M^C}n;xGLSK;DNrpuMYBjsGj5?+4evD5h< z6xG3a?-Dgdb@&$N?LYmoUubDDl7KX*4FU-SF^KFa@M-oYv?vRR9+HJtMDJuFO-Z-{9%-W3FA{@@V zi$b{!)SQ#fyvN36ZMr$=aVsV8b4#(sUfh|C35+gqWjoX3kKc)47q^Y}`B`>rVo1E) zk5uW8CATnRdGT!%o^eYQ$J`+r7sgYrT+7IB)OkV?Hyh)^;v_5H7h#2J3gNeQDA$6Y zqw`qM`374D%K{D4`D-SeE?q^7mCYsuzfxC7|7;8$^>0GE#l_vDinV8wfq|NhenhO} zg>qIR1@kQ7c3%67i_B_ofhujLHM8l*M<**w%cMZLj2nKWeTAaJF0-#@YMu;3d$$O7RT23+Cc*>(PtI%pPyKG~5{B#y#kX!UmnOulr&17f%{4Z{9 zZbq`DRXTTeuN~=+-(jSIE4Z1A%n%*jzcpAGckw`?aLXv_se8*tvz3(<+`h44DTivP zycT=R=g761_|QQ?{M!1G(qMmozY=P(_TMl8y+*JJc_#G(7o_it$ansF*`VW|%sr}Y zZoW3Y2t_^m63dO{wpN!OuX1ekt5-&pL;&RZQzRlHkRUJ3x1GV9PDxJbk(oI;A`s{< zP$#ZRQ#SIsID@)HnXa=Mb9--gKh3;C*uSbnbJopU-@O_&H(1a)p7|kw9FKPD60hUC z_8d=>@Bk>GSsKqM2`{FHCKt;NFli8c-o~^vX;06ddz&5f@nD8WZ#(HPKE7A0Ibzb~ zj;+MsAHPX2oSB<*WI3V& znZ3=}qKwFh*%p*DZ6^fAw!ouZ9<^-S_aWuMeA7G%>(R>}A=JzUzaiSp_=8+s8=kEf z(;=3sn#56>PtV(v?Suot3J$m}_$#%=K3=|LyIy|EB)#cpON)efMXp}sYb(!yX$kN9x*YYeaR8IE|FaOtKUVP?5&@djNs@=-0?55(bF7Z3dF4bSv$ z-=|v|{?1BvdS-NKV&-L(Da#8ivn4?f8?tT8Z3^Sz%u(ehN(Q2{x>b#rncLo$d4)xC za2H0G>Sp4PNf*5tkZW1G;k@Bb(iu8mwDX9ECqvpY%U(`hzio3E{nqBSj2Q!Na4@#Dw`VR+{zc|MOdQvf5P^1_9d(b6alnn^ve|vA`E&C_RQfCh zTQL*mv2q>$2PPjD2@uS)Q;b}vA#|bXMT-{j7e>=YyOqLsK|9% z%9_j?S;|Lii#%sgdpRq4cbu&x3Jt8M#Y+a%RZQ^wakxA4!hJ&e^{zMEEvEMlPq7$P zdgkXppiG+hiogS(*^DEKEltg*Ic}yPsPMbe?PQ1Pbnv5&t+o~NKLHElcVS?EK!wbw z1Qz|)xiaZxUVhDcDAaMK(w0QzYGU*ht*Yfh<}s62#?>^tJ78`WS2H8{^`1)+++|=j z1n6RFV-ez$!cIzJW6`n0wSPt;EP>B=?#5|VPazeFck^GXQ+(qNMn>BM@A!F_(h_0I z1ShDXt2TzKIb>v()5R?;zjU^?w%RJhC^AZarRSnr+~wh5W^dzMw;L)>pLWC(#7d;b zi}?qv-Txh9!?cE7Bs-EjcxI*5O$=y>d|d`MW<#i(n+^KYgHlRm4ohOi4$2hJ{j1>L z=?crkF43E2S$YaSL)zlx&YOx00FRO`l@BcqRXFoW__J78tg{9{v$LqD1YZ*gkI0gi zX2BBgBet_sQ)4};>PC2lk(ZqG?TR`#4A|m7^jlf6)g^UI5KlB(?X!#d#4Rk%(Fi57 zHh)&?7sCn)4@b{-Q4ffeQg`c5znq%jrJKvTI5~bP8=|0S_pS`$rJK?JPzww~_rJ~1 zY*j=^#mC#B>^RKV;u2-eVCnXRWw-=ipinOL4u?U!z2TTdrJ;#Y)jpcE4lQsQvTJd05g_}Im149&K;XYbkVU34SE>@dokR$2-zZgvU{ z`2UAUB044D+Ap-P?|LOkl!^jZ{ED4zNp}eLa-XrwqN>z;rO%(!iCNlf)85F^04~$g zlxJaK;1xbn1^lOP!Z~TJXm9_fxcE&|%LGMvroYfEw@dnc$LW^cf9&f4v*mBeQnD9t zXGKsvrIQsOw`y|@XLla4;Mtf9!RYf#ibGjqG9dZmkHry8cV1mJ&7eh5aZQSkraX&0 za?hVP=*mKi#q1{bC67{UhOsL}q73|4uaKJC%}PYEIs5+d4Z2b1-mDzrqZrG0gZhbh zEN-aJY9gli?!m3jq#*n;!zZ@P+hNgOQNgkvYTnMKYU>yL`mK*P+gtjb_w1B3#uif; zbzi-r?53P%8V@#?a6rH0})Fj-=Y?I`c$Pr-&fYbj*}?A0)K2S zpEFH&WL$1%t^yTEY++JgZ^l7c^QOrGN1_PdKDi~{`xgJMbq)0}e?zLG9gN{y$BQL1nk!LxU0!=$Rt-Bkfw+QRm+F#^!ygq4?9rhZh>(?1jYByoeTbNJ`+ytJDYv#fB65&wY0INe#ql}5yA`OZHB7<2MFLQ`U}i&cJ)w(O zu&9{#NI%7mDLnv=I!iF}0` z30;NvY}8^ql62OKd?llm4zf(}D_8I+_Qe_&S!Xes&7Z_o6}G75I8QG~ zWyaS(Duibph~3!ETI|YP9}fvMIdrj6)bG?=`GPlO++AV@Yz=5Q+R5A|s~j`16Fool zMS$$pt!lHx^LGzM6|}U&?z3cwMA=kE??{cm8N#EOI@sGkQgH};3N2YX@rrCh%!_O* znS7(;uccRJezlHRRUWM#eI?hoaC^vzX?d`c$wYqdj3UYM$s7xUuKJj zmHf&jDQ)fK0da#4{SnyeLq`KpxII;T_VkzNXgzLwJl|Q|xx&~}ZV)AZbSW@~m&wD{ zq-SHqVw9|(<9{*s7Eo1gUEeqAQ4k~)lmiHebW67=NOw0VNOyOrfC^I5C?yR7($a_m z(%s$N-S6DsIrsg&<9WXEGWIy`am2l^Yh7#2HEaF;1$o8q{HpS7+e6IDiQbkxCfv4= zvpj&HvywmI*wp-!BHJSrZd>clplb1H*l@8MJY_v%BiCY&d$z;sNt31?-)9<4i&LrA zj=fK47JvTl13(J6%oVB6fnN~1O$CAX*qerZBDX0`UdS4aRx@_>x>s!Hge&d(6f^|I z7s{f9Sg{;7t2Osh1RbRBQ|i!R35ZHuKdmfQ3q9&>k=!@e=ql=0h2h7VS}x7%#Wxzx z>};VXjT@RT6cgky8>77bzTTs1Vz>Wfbv3(p&f8lUUg_u<#3NadkeI@aKWKC{Wj`aK zKRe#5881Q3)Q;tH{{ESJ>39q`x4KXFJTOJZT$R+;wji5eevgP#PQ1dMTVHOHD=Sjk zbV8$i#x&>Xg-O4*UdlETVg_N%H~M;P?9ES)bvxw-6bUu07Q&Oz)>uGlCHz#yq7W6P zGY=bhk!h(o9~uceT;Q)Nm$5Yn?El-^%5i?V4U@J5gRindWRz`l`^EW{R7Yn$107bjGF=>5Z&SZLK_~u9n81Xyd!Bg>q=su?gH?($Xe%1Y25L z16MQ#E5!JUtO-p0`84i%9@YgjQerT;MTW@rHkdA%9+cB=MamyL5Du4ozh9B!{)xiJ z(in#SN2~<@{p2bxwap4%t+x1)9qn@tR&A|HyCFYvg-m>WoT_Aq@@^kUOcJ}pepj>Rp$5?%%2$HO*<8V6RcyZwAwIc^E_r0lJQw|72Ot}Y& zOAI&S{^{88UtB0VXobdy?As_$#m;p$H3 zi^yCbt+LdXmK=@YYzsmTMj6~|Z)oa97S@zmPFDK#CE9*ir7r*-9j(2ct-X2a9BQb0dwuZA zb=>ewEw{6`A1*W*NmZJ@)5bX5Cb8cJK_x!h4ueT+S0(J^vL0}Gb?fGds|*jkv4r<3 zKbM*JI$Y$3y&`Y@+q_pp>u-0NG-l*+_@_J1OC{8#ta%_mDKBNtoM-cDvT$3!!$q{^ z6?ymH?mMUJ8L8!8D;^i@tfZ|5(y(17oW0}`U7MFbPQAfv7flos;Xg2-ZxL|fmd~qm zz}ZA2Q9nF3E{}}#Eh?((TBkrI`4Et0f=FL)m^{2p2i0W3!4&u>UR|c$nbx0_1ByoL zBDG!|F;9tE0SoD;o>s2 zmHsU#Ow0NK|NQyXmFD)-LR~ME2_c1^ZMVVQQ+F|c5D_*r_x8U%uZVij%AoU zm+j$xaa-=^<9Pd}k(AoVTGFJSq)DFV)46ASJngYZc}bPoOT8l%Bc=Q~v|?FsmCXj8 zovA)LViXtokqwjQ8fI`66E}V5hy>ofRm%vnSwl2f%u@02Nu!W>2PQ^m6}w(RN=R-Z z9W63jjp#qZV5AvMS@O5^SlB%CM#i*d)#kf>f9ZJ0v!_c7RRNpB5Vc?WYp;0fi7;OCZV+?I{l@) zB;Fb3dW2ehi1xlG@54mOOpmL6CQ-D9^Ote)xa|&F=~(8fueCw=!eK$7Rc7Pfo69q6 zOMppqbBW((YcIZ9L1VtYH93OsMl*3`<;a{AVfQzWZ2aOrfp;S#72WfUQnBSHzZ(k# zQ1lJ@Jbh)j3hhguhST_H9KAI1Jg=|HByB9|W)RWlC$yoSnYwHIa$tVE*m#nX{-R!A zLmPClu;31seQ!|gajCs`w2UoCpG?a#OkWK|3ac#iW|4nkF)lw`33lWmJVbc|gGzo2 z-xKSFnmDvnPhAsTx*$%TAs(I~M|b+?gG1R#X}oQ(RtG$1)~A2u7MXo1>)BcN__$1R z&4uC2mT{BD8Ap^f&g(55OthRT z5)z(wl}Mz7-Vcvf%VJ-Pdi-L+w)!$3rhWB(C!)(fJ!`ECV$ppn9#35RU?hSIapW5*Jw#A9x)t3Y@_7eot=2QPvhMQsv|`V7*sR3 zN$4J$tXh_*lzFzd(ay`rLFQVWQ_pQ%csKc|nkQ~GN(f>NE``T?dp4nuwJYxIN?vwt zZfsqy#`FTKB_lI66%=d6LtT@ToAA^V==gq%SKTdD$uu{u%tF-koXTv(9r>K1SPU1{ zAsWa(F#Dz8p|R36RxNSdKp92M<9_zL(RM4PvA{EI887}`NmfKv)!0GewG?i;siD^7 zFz7=NN;;CaKI`f=tVB#eB(F%EOEZo?(0@wBzR+AD5}je)uua7G&E8cC(f)WX+PMEt zF5z$2FnaHA8K*gULWsUhq#A`Vg)#}0yzQEhupZWoIG$O(09VJ1Xb$_8GeOD}m-9qy z^HYMGBsN5RL&yD0##Zpu<8q|y7`KEQlwk#u^eXMdAM(o*;3!1Nk|&1$ZS4*-lZnj~~&__VtcZ z=ZQ$RXx)-B+qngH)~;~$L6hWJQpL)r#WJPcfYmIp9btJV6`wyJI~J_hjkk*iBbzT* zSWb2cWw~EL+OPv_eFrYa{p3^9r-CM|-GM#7A__j(^WOJ0anThzKPOg?81F zk>&PDKrA{s2RpMOVQFLtUS#mW^4=*4ZmuXPyYjuCW2?I-?XR&O!nqHf>iqNTi2Crv z;qGGhTQ6L)OE)L&+vbw#K47Cy~IJ1yXGE&i>Vr!<_E;1^Q#-u{h=1N{g3;_^ z;uaf62dYCY_K15nr;p}CUMRi!Bvz6V1ZJAWr*WHOZ}&^DOzigQ*Y>6vHN+G|s=&F7 zrexA|dPkay%EL|fU!RP8{+bL+Ltw_VoEm5T>C$M+!LP60$;i|h`wDARdX^@iQ)#R0i8! zaheIoRA9V6x-cy=kUV4a$zW!YKuOFxzV&`jqcLb&6UNb33Edkjl|p#7Cs8&v(bvcH2cUHWNhlSjOVLQ|)pIU#?|0wtX>FC)lIkUYDQ=j)6`{ZDIlT_sY$Vyl z?sN>j<60^jNm(JLQCE$|>e2${an)dkeWS)7FID8vH9uga6v4v|y-g4r9vmENw=Auy z`m}0JfjP_BDQaMlV7UL0y)~1qHCuij^(b~LUu6qlCGRn&D0-#Ue65eS;H%O>cm$iT zUcoC;g)VC_FGjEQ*c(ll~Du8~%_da)JCzQ3#s$=>E`YH4{F(D>nf zV`-!ZO=L>QpRqmi4p_HwhEj;X?>=8g$u^h2#dj*Jdn^WCd0`JPS*KAHlx6u6!q@9-N z`EyRSa>@%agHcr|kwsiJ77H8H{8g%lv$DVejjS|zz^+C_) zaHXyxD%cpO^xjTR>)I_ju}tL-F$2TH$c6dFeVUU~Te?Rurnxt=5k_P6Dn6UBEXP5u zKFO~srSns>nFMf~>RMzZrM2=rJ}K_I7rc=n#5|O*CL+ZBIzVN9qu6{r(ZkY#&Ll)6 z$fjDmLOt^ntaFQ0s&dAQygUR*7v2)m>i77MpKoJ_;^9W_Kj5K%IHj!^R&UJh;u5jD z{0SxnPamtTJ)5m{FWV!h$<{N8@qvNOB8?-iasw^v7@2(W&^5nmmRNA*MgSN294^ayr zqN0!+#Y!=W#&~yB*4`lFr{P6Kt2w!T>alv1vG{Us$z*Ecpq9s-0hQ9wC$zw|`h2AF zPKXQp!CWUPW_Py_*3Gw=?|;6nRmrhh+9@k_)GEJs#$8r6WC0F4bbp!;9k&p&xUDuP2UE<7eCyga7C zo11E4?;UGvQMb0)+E@V^kv?s1rt`C>uCAqSH=L{Ko69P9uWA40ea?lwQd{E}xKrn- zEzOO$1x60GCj$5}eREak4%Cq)#(kC12~5i2&`g56oQ4#@Htb_XXfPqr31g&NS}4 zYv#Cmjw3Mh*a@rLQD$X~&-dOvHuaJ`i;-I6RGi!3{ogkmOe2C$lA6VS>p&U?EbK_qwKrC@LF%c1w zoZW$)ivyKjl!(B6!gFQRQB$G+7ol4|X!^U*g+)ibV3q{4`l@9i<$e6GPL#opjj^JMwTH3U$Xl+`2PeQ26zyJ!m6O@XzI(q_NUUkWKiru!!5{OWe7W`Rt+3&z_>f0i53A%GjJD zwoek)RGD?8?u?63G4e^m3Q59f-CbLx>$5__VYBnt0;owzXh}(-7%L?!!@1e+$O@Lk z_U7i7gDUkk-0(871P9BqeEzza++IOZ&mQ7z__%rK%gGg~eskrMK$eHC-R_*D{i z^T=y`{nkXP2p@g_hNGvG8&3C$+AX$vrVb9iR1+JHmx;}H>5qPov!8aEY9s8sc4LXB zG|I`DnnxaS@A$tj^GguY3IDmn8j>?z3(?A zyJ}ymi4obw&Tg^!oFDZ@TN}Lg6w>DT-DK~alWh<64)y1f-w`_sZ(dYkF#V<);eLc) z=K6P88O`Na^1l4%4r|JvTn=i@+pp?$_cptqxp_!AJBM#5)%Vic2lT8@B|K{QGxBT5gD8NpW#; zQy^lgjbY?p1U~R~f{^60;dtVWyqY`=sKlY0wS|M4g|?WDycQ{XY^=RxtLnW7GlsfU zD)f6<`lQ#d_Y4*0Z7iEl_LrZ2e}5Qq+c{)k{NqOyl35?0cA0n=k0YGn`ud*o^7kc} z%_EwFKfsr(`9xCwPo{2+@Xkd`FVdLh?Dgvc9_q#}+$70c`ql=jQME5^mj2^IrK5H z^%oTz*iyroIwg1frF!pP1(Tk$UVW9gSYuE{Brcwuw&F9C+nQyfD9&Y$B}&z2E`)?q zmF|jctYL(7@P#MHgIe$h;-^C~_#*v})KMlzCh+RXZ<(y*ZWn>}UPVQ!`{|7@2spX( zTIf}k`|kVcs;L$`eeL)#G&ERL1m{!Olc?C|gd`>VT9?`M^}T~zmS05o|GeWd-bQe@ zW^VICxzpu@d2*RKhA(3!C%c3o7cvwnDG5B*p_+))*Z14D(fL&;W@36bu!otIbzvc0 z&mgCH*5-Ryah^4dr+7zOYh~;w*SCu-TMtPu7vdcO6H^m;!9Z*Q)?pjE6PJ?h1>K2- z)XHBI3S%OI9S@-;fPFQcp>nLbTqa=3Q;dK3(oh2Q!^7s8rlG4WWLj;y} zmsa(bR;Lw}BXIFHm(*4s2ddPwmuXEP-F8r5Thmsd2o6 zZKIKzOKVO=0z5ieDF|Nsl#(R=C*wLOI?0#Xn-kmm zZIb<`uRl=e)rDuJ!kjU*>uMuj)$<8NN;Zsl_{EQoIPbE zhRglp6R&__Oq?nz67O4!!%2?&3|rU4wQqVJo^I%bbXvy9&=?#es;Y^-;* zx1lH}=X|X3XYcaj_{XmCgo=7!eH9$9tcF-o-f^&f$#Tku{$#SUdl{|q?dw-AoVxsP zW}B*$q+ixM1Z&JjQy}1Z;PN`!U}4QUd!eS%+j; z4YFx9tq^Pyb*{R~G3`=1ojMHoA#GCeQ#2G&_AAkRK#7*GcDqM7N%Ufz z*>28fu5&JBoSGslDnb=8!Na$q@)IoTpS9uA6dxY=Uiaqu17V`r0AB84nb;7R{9DEX z^+l%M!7+ZQKkCq4`{Negy4B+Dif6ysvpkV-vC<~a#U$Eat6>=QSnp)#A7Dz9^9 zrz`SqXZ2#92cGM7``w7MSs5v6uhu3V)f;K^!jhL&Y}t9nFSZrW$$vC7=@^7{dBI4@ z{}}hy%sSoM@r+YxysX;qMCcGKE#nxHf+2f*9PqmT7JK(MBd$Wo;F)lD=nx}lPGa! zzek`#hd)%Erc59u@J^OYTKultX}5BjO%&Yo%cjWAevAUU!tpubKWii5vFK%4Og14u z`573yt;4C2mHd&4k2A?-!uhZaH2nlO2Q>Ypo=&`&}Y#S8}(WG@b5MD4d&$ zzV81K?7!3Y!Az@fw7|7ha){|Iry;CB$>NC3-WRbEOyo}qGJ|S)vc-gex@k0v1#zCdZi}n=?XxO zG2lM=Oxj&ur(oB0X*F#klH^C+WskVI7i&D4tK5f&c%od6(@m35pyv2QqI~-S1uaLs z1@UmHN9||WPzrZekUMW`$Ho%yt^R)H;cqB~I%MySb!VSd=wV0&lh(@mfoIj~w<&*_ zl!EfV0XM_%&NJWMt+L>yhaLZCIzilW^UvGI^58^1yrT0tS}rD3>tnDi`5o%}sW~a& zEnr0ID)6#LPRT0zi=cL_aN-0BZkka_(n-H#^z(oNC={pIA@Yi~`I}A6qy|FMO1MLJAY1$eY3m>uNc)BUJ zD3rZ0R-PA?LJvqhbzR|g^253lx*_TDM5=Y!R^{B!Pwbta6c$9C)&n_#4%i}4+%3q; z%*@>RoxkPBrm-(hc1MCG^f3NIYa^p(f&DsIGod<0PgPzPo)RxC-I2EEn_tCHNpB9> zCnuywVRf~aXp9rZNfFeHzwnIt^mlKy=AY#zg>kucY*+{XKU%meVf8hQgYfcL+IgM+ zwoYb>Iae#&{Z##7NU~1pXOG$Z8~*wknsH74^a2c~QLRu9WRc@ zni}eC>mJP;KXA4)ARr;*DS7_W@`s&kEsE!%jqafHb&0Db9jioIqn~)aVq*F&H80D# zNM00gFMaldN4?5QH?O-v_!SXO-PY{BNhZBjraUQ1FDQuc^?0@XrmU#Vr#WyQAszhv zx2pr&-iir_zBj1FnL1sov@C!_`!^X=kFxK-JY zKK;Y}t%u$p2-ajMo!*Prsr+2W+}}6fnel9(WC`U+CJN70N&97J>>YfKl3}4l-;>2M zrnca_@|-5E?co`vO#D6pe`HRk5Q~LjO~tL7l?=aI_)0tr+=`V)x^Wg~Xas&+ooh?J zRxuigRZ|dd{A{zgrPGq#x!hOy$3P)bUB7g2C$7oS-}66k3-QuXP!>iJL+8@&7d^$m z;5JC5vqjTls7p*|cR8XbpssNhlv3#a5*aVVSiLt*IU^)|uc01?*W(!qH6xvy2Q*!E zrwy>Pr;d$ERk*9pp+0VfXYVCEY&%0Y8pUM{ECX(mU*!d8p%HcmJt@MJPC~qX8vE7m zcEf2BZ!&E#_Sc2hD@9QT%Z?ZNMnzm5mV3raKE=yKw&h@S73I!|k$pUD=ID4)V6S#u ze8TDGm7D4->@n$&o!F1-e$GNdMnf^V9AA7^>K<^iXlK(K=Jj-xZxrmD^LK}Z?j$s= zcgqKdSz9-?-^%DD6KtmjCH7|$C>|+MtjUODb13_=v!;T zkEzcqC-2@>{C55F;g-NVDn6~SIM@K+iA6H_=B(9^JvQIjxp2X2Tp5*uo#%gy+qrh7 zdlo-aR8WY0Y_ZVJgV80F=EqUR++nKGe~a1}uYa94Y>hfMy``xUv)ui>W!5TnJI!*A zl`QV5yW4AJ_adiRgVg!9H`UQ7mE1hX4%-Xk%~^&Vj)wuH?b?U_c!v{HuL2!3%gl9O ze&6WcG>d4X^jEo!*aY*{)MK{WB#!lV^oY(SX+lFi&u~Iwb;rOdwOnZX{x2Baz`jbkZDD&RN5Ym zlwhqo_iu0_MeTO*XueHnR!GP@_(UXViaQV^>e&)pW%nAFWTs_yqn#o!-PE_^8&Bd3$EE6~*E03?t1~?{!Br=2Uy6JdhjjLZ z`9n_C>rNXs!5gt0vJTE}R_FFSij0?exoE^9(r-2@$Z@qgrjAU7DK&_o%x;yvtU_6I zAz)BJr1{o?!x(GyOy=!tXS7-llSiX6l(!7E9wOkSUQ{u{oZnYR1>l?wl#9BdxdaLj))2KXCQH`6ZDD_)pHmv$tf z_hLH{t;waLBlAZ2H;$bAo0B{L{}V?dZ3H=3SgZnfI?eMVE}q)Q4YKK_y8@!-Qc_2= z5{r?H#x|VyJSvBs?U<}gj9!78=oK`wdfaJ;ihE(shpWz2ij_q){4GZO{hS$oTeKI+ za=zzlH-N*L(b8;eN*X!gZ|G;2jE371Ldt1|<@y}Lc0U_mx$~Y(DH!i?p|Os@kzxG9 z%a4^gz9JswbN%$MBv43N0JYHNodQkD{bE%J7K} zzs!UudT0oUZrMHsGwV__@WOpjnB{s0CsR9&jqFpDLxi>#fM@_x1AGLI-WjBgK#)1O zdhMF2sVN}wfOe6+Vs)_*zx?Bygr!2thH3)s@Sl_orS-@D|HV!B;&`;X$G*E){E3&G z@!?c&!3<0z6cQx?lJgU;vqM|%)Kr5}SA559fdFVV^Ex6#DXl3yFWFb+BMpkLE_3Tl zL&Zd29oO4#s%ym>^;A?;TzHvltoJr7TxEs-UfJ_H;Un3O98v;hx}Kg6Cx+h!_2ZuR zbXG z&0pD{&iAlv*D*0M!6|mN3a3qAm7AKF3@Jv!rhtv=1DpbuQH#mH7!zexwX~#AIsv?) zq-5SGaqTxP14D!;83^mSxCFFZKY#R`5PZ420+$J=!p|nw8SfaeZXR5u9(sbO|C4U| z?|}a56VeRRW!1e^!@&}r) zUUP3tcBWm3OYX7j4=gVFcwSXKIp3XfR&kv}?)U%^wf9vI>UhSsR)*$QS~2NN zQ?lWqnAQ|a?i0q;*v~Xpt46ey)svgC%P@ghl@!6nO~$Se__-EV zamQc|hgU*^();fcmWA%oP`p03E37dwF-w3+K)^^rCiwJtAI+y0KtUi}Z3LLAv9Vox zMkKe5V3DihZ#hWNml4kn`;RH24#&koIXvmIyKq^Nty(l?`$I{|Y3{O^o1(D@ybC|{{Deu7 zl1j_VF(s#|sf$XI?Egs*wS_o`MMwfZL_&ts<4dj zJb9#*y4sb;R~h-mRHXcS8nt)uIHvc3i~UEgl&=-K5SrrR+{G3MJgZvE-pYE6$Nxck zgWH2)MNA%bl#Bd%@J^Hg`ow4}h;To6@EjlwfUhF)2KDJP5Y0v`5LRP(3EwNkT<@QC zjqp?!6A|~eBBItBdy0y#C(fJD(BNS7%vjyJAFDbyM@MUl zA(Tf)r@^a?WR&uOmls|uY0~ZfADj+ZNv4O`1b#0!iT{%U*=cn@9kSo+akRS3;m|KF z44T@#$!^Anj8t66wC{2EP3 ztD1Fz4l}YljX?6P{rM9B8h;ZKwi*;vR#X72W3D~kQeU5(#R)o#$jQmQgMo6Uq^u0$ z2Kyka31luHVgTz4AXf(Nqq?963 z<+M2kU|n&FdhR#Lw%mQ0HFrhGYW~Xudj~hY0-%nLR`;f*AFY-Zc(0(k8e>B;6no? zmOAqC^3ao&muC%(n$NMZl#)>Zpb^JR|N0fd2Qx7>Ey&Mbhy&pmRSgZ>(h&q>MkX9Y z76C-k5JU``Oy9qJdEGnA*$v4u)D*aBwiZ1v*Vu zRu;&#{sa&)aNAMGZvdGV{-Vst@35|9a$ ziGO?w`oI7h2C;Hr0otz)0eL%b%TcO21<2UW00l$sjqBmVhxGJPIy%)b>cEkLAu9#Svxi4jX66#Wka}m9B*!aVIe2+bfTj#z zNbYU7GQb3D4`vnJy{zkf1-GxTTJeR3h5~a?r^4yS=PI*7W&u%{J;%EWn({lRE?D%X z2nV@UXzMoMin%LM0Lv%uK!-&9x~E6+$j}7XSWSW8IL1gy>FY!71}aT5`ztPm2EDzT zS5)dh$REfYtVDMb^raH<#OzOasCiW7Uqg063$In#8RpzQVA5~cV#>UO%95k~e*BC- z+B0k9)aJ#~rrwticKXODNK%XNcz4dZZd|`k%@Z-l_M-N$qwVMV$XlE0r8eZJ2DCIZ zCVBp;Iw+z;Qq0o(ku$t5!=9NeM2`qi+F~E4p8d%Ec&>X^!(-vZpIU8L;z^@OAI(>K zn@Ke$x+5+3)FRH#Q~Vd+B0n|H(Ds}p+JX6M7aDTOS)Os-lv*gS=9vyn*BgK2WSRB# z<+}Uoyr%LCud*>2h&T()i&P8^Q$6SFXIl=2)KCW!Uw8N2ldibXP?$u-J}Lkz`Kn46LG(E)N|bmBWPrgE;KZ>3zYc^F zO3DTy!vxB{#W|l&fmakA0*vGH(}{ChX6BD;OziB+ocy0!Q;`89^(a<1&k3M+_F4$6 z@y@rYDP5myynK8qjMfu1SA2dBm^lC>P?8r7mmxU_z)B`dJ?E$lZJv(%l<1)0@mJEc$IUjEre4 zDL7M`PI!2DTO0&;?tHO20nZw-{)=U)!XBr5`JxL88MWQU&TeM=u(dKS03(59x$&gr zNj+$uj_uStTM|8M{t6w{*g#fG^0bzBc+l#9=rak&(whQPiUhA;6lxDVGwV_wRy~30 za6!S)0ztCx{an-JDo8$O{9nmuBw`eF_TeT^q)p-{*FQ8vxjit5)-NE%(Mt-QD-Pdg zF3ZrLwK6=}V4>>E*1$%+t@3;FMEpV1fW?6O2 ziZ!!Xjy~^ zyHwqZBGS{-o6{E+efQ)6r{mgZ;7_+GS%4MVo|E$V0U)wA&~JlTf?lEa{uwh&wJeo$ zi9uF&b_(xDFA&siAVW!MhZ_R^v5V^=fcSu9-T3?ym#qOX4uF5ZG(;y~Cf^AhC(q+m zj=7YbeE(-(;CZbN6)gkuDl&cswzgo8CQCS%DDmQaXR#Y7^LN|aW`5r$3Mz5gHA$U^ zEfFAgdfGz(Mi>|Xwj7JZ=IQ=8yqAn-7V;+R`z$qlB}V||RT z3^qsrOF_g29KZ!Upqhg!9jv=#G+oeIReK@EF7VE-r3)m2K{!Sb_f?WubqY2%ww9Jw zu2y-f)nd#`zHxFd->+$I@9EUF^h;)n&X7Bq5e{mHn!GgfoysrO_OLvulU1rbH)XkBqJ`~K?eqf_kmn)su?h?mM-Vz*C(deV`Sq=}%+ z>E)Pqk!bHdJPsfG#9o5=cb1-s_&%<%2qodbdH-j%n>;0kqZM)r+Bp}=>X@-o+H*1* zwV3DwJ8S3Z1M8nhEUN^LXNOS=g46Lbn)_ooJ9&& z-{#N~8V84mK{w(Q_D{R_Ap-*gplb!ncVvu=GHN70kPYAwNwPPBQveYb5lEnb!2@A1 zrb7f7Z70GIm5|p74&Lif;ZTs1(`%K5t>L_X2Eg~{^`ejr+@9~I#x-N-0c2TzJ~OC@ zFfxJy(J?U}1r1GR&M%CkuK-0;QBmpd=@G>p9V~autv$KrgMbFUbd-vJ%m@Ar{3G~y zms-ZEgD?bP_C;}V+Q8v}qwWg0 zK&H(vD~lP^3&FAhPAx?_?Sls(X9DO)WhEs(kCTC)Ki{myvzbQJz7^uv2S^$)#}J+p zI0=@nq-N~Lz{}Iu*9Xn#E~Q@!(bXV91v*?{lmW{=7h3=l6aZ0WA&oX%ot>?l--cZm zW>*Bb5+6U-t|$QeSIkExEq)7(+_Q%v&mM}&$PhE>{^btZ^Z{xQ1w;WFEGvsOdbV0J z4s+ceBnm;h3(&vJS&Ya1B(4q zT`EhU;}B_RsrVnmww`^`E04*P9!_S<7-9*SH3VAnTU6x#e07dPNrofD--J=EM2^E8 zOGEPu8j1KQaTORXQ-qO`0zy81)U~vfvFtnmi7XnP&jzd@%>_zuc=-7D?%oAYAxQE0 z^9k^@7U=N-GpI551rN6YB#gS4RxD?Ws`PUPwzg2U$@pbFCFg&(npcWkFX(@A%esv;;7I;lZZJK-6f! za5`0ocJ10Vf#2W~0BLYh8gO~Q>_kIDn+pRR7%YkIRSAMYm;TWwis=tsM^|WBadPuy}*0DeK*=9L~?&foRE{43p$A%Zl?pw?068ea?nC zZ5{Xa_Qb@*y7bGmtK2ej&)Z9;K`lVovW%>ka-oF|ec(_hg0TXb7C-<`#!}bID7rQPcdHFlok4VS>y9z)=$y=~Rwc$a}bYXFE zD$oA*5b=$h@&|Hu$2Q8K=SJ+nXilyx5zvsmdt ziUW|&2+ytP)$ZHLjzmGb$$AjobX@L}8k{UNNvA}J?QKlbwl>|lc`(&-%UasOT0lUF zaNI$uze`sE=dDB@H4*fuot+jiB6;Qi&B=ww$u%ewtBtk$?LbV^V4!Fy2LHV`)Z;#S z%!)ts*B?v^x~Rc@x~##eM&T30;1ld^?HSdms!<60o>ksDb*h@gNe_HXk;GV%s;ZzsBhgv8-$`_Aqz2XI2|7Gzy)E0>l` z7Grx*NWjI52ThX}HTWFe$JTBe6IWsHFODyjYr zvyty|+~xjQQ*(Rcj32tJ(^W^j8W{#*k(cO@<4yrJB_ZZ07~YgnzXfxw6k;rr zUo9=53$&4yTlF#85Eijr66|XT{SU6CxjA;=O2VA##PisS&R?&JTmSpX&;EkWF@NOF zs~29v*UQGNjUOS10=6w?*-jO zN_hH#uN>dip(vi29vUL_ySkw%%RAU4FNzqy2@}1Sotb%k(R608C_6j$Vn!etF>9R{ zxgBnSX9Ge(@B>0t*_x&D6dKnPNZ@}i)PsT+h{Vhw@2n0-8mFbDb(3fOJzXCVnj<1) z3P&~o0u0Z5k*^JfBv+>zSXik+KuuRYgUy@<(ltr8JZt0CjPV%ECOuTqL~Lwqb2O6V zac?n+#VwQS7y5JK-@k8!jUbxnkc@?mtqAr#?#8b$Fk7LlF==U(qgd~s#d6yt6o2aj z2pYa7pJexvlaRc!I5;|@X}O`dr3e6J;1dCam(kr0f(d3k7C3?m_Aw&9;ny$kv1Q>H zkVTQieETzz0Im*BX?ML%wr!@NrCs!mi0Dg^h@4@hyyp*UFSFQ=FFz1)NLO{YwgyQ5 zx-EX!DUM0cR}zmBsuJer+S+5l%uVJHOuqTo)l|OcHAsh9l7OLp%*#C(h{bF(BYGHr zRp4E9HGixM4iOQ9=gw&VHsLj+1D8H>R#ruiCTTd@|MpxisPL1}%?)aqi&odr# z)lwqAgXj=dQ%>b%+^-AeY+P3NAuYOv4h=?=TXxjYT2Xj@dUhYF#`UR^LU%=Eyz@l? zc1}nbr=bpq*X4gIz*efw-9wMU1e-F!_Xt?dUS5d&3GnfKu=0U7jSxzP$qfdy2?KqM zMY1gzQWLdT)Ya7`wP+36pZdBHQpA*(^TfIc%_}k;b9M3D=px8!d>0UqLI5e9Es?u@ zvAXOWFN-CHi%fA9u80l+0v1vvzsa1OU0j+5-?F{@rx!q_v~Ts%!1gx(Oi=lc43c<8I+)c{&PCHQXoNWo(Tkho`OXSqv$hIcur^DH|izlta>gsKU9R zy80ZV8-V}Ag@S6C4TStaU~i11xGI|tF#{7*h()uR7nPKXN~8tOy?agfb>+Xle1t~> zp}k}bZh-Vjrihwav}BMqw)5*S#@%1w{=cBjw97s}rVTL>S8T6ZywFpFe3ud{X)NS+QTV__AXgw#7VZ@i%oQ zgU|!2j?+By8TXMd?xQ&+6Y&>4KR@%7G^3&2B)J|$beGp9tk5zD(G`n92u%t-_$OS5 zzP~5Ste{T@s)mqU_5dumcQ7F1VH>ms)n3qJtjrgDvyY^3km&&=ZaYDPH~cQ^LOy9> z5fNSJ_x#Bft~UT5F7;$a;`Ie2A~wcg?M$s^nz} zwxKMQTsL?36a_2T6G3tVMhuw5Kt|S3dHTHs{Q=Bg5Sfcu+uYtRC@8SCw%**?87VLf zl8ol?IX)7DPNI*}G#?KKCpVom8A{^1A>f_a=XY<|Rdhk}4hDX9bN{e{f`Xo(rTZ;R zNTWYlyfjc9`2W^YF5908b@~)9TEFz8W0wAD{R;VkghZTDTI(evzIxpva68GDf=r;)+sA zArfPt{|$0un*E&^gxnoIxj1WA#pY8WRolTMKr=$J7U1Xazs%J%YqN*~83cfq10nwP zn>UNzX<#T;$10D@*Q>JT?U0e*LjL2nz+=ey0(xKAoAT%H-wUu8tv{BzmaS7A*SMw* zh;g`HYCqjT=H1>gIcsaCP{o<0C43y5nd#}Il$5$#Ag0d$Qu@W%KnpZld<+fMcd@gx zqob!^97gE%g5YZ}*$uL7K|~87>25!if*yE7pFUn$*`UlZ*}BI|vD(m1?5303?ARqy;$dFr|-^8_!JUtQa zAIlIIzqx__k@!I@5?S@z=YWh4CJ}te4M~#qky61DfZFRzONxujM@`%Xtvp;@5fo4u zL`c<+trp`Hl$4|q0JnQf1b!dlQ0WG%i)c`U_OmxNvmz+VXlT$XoQX`{2!mwdtVu@8viXAnxbn1e27Wndt!{q+4}AaEEnL(_%HK}RQf*6MJ)XC6%iB4%Z`2?@2dwHXS0h)KLXRDOd}!k2A7 z;L797-M#tOYfuO1NLlyABpw?e$PDeemOkFF{Qw?G7+Mh(?A%CUPaodiIvgyqpddz( z9;#li?-AR-$LM#=ws5$p;Jm*sVdw}A45`{y~ada*P+x>=y+j&ZWc>R6>eUS($(F8iC`lYwTVfd_3qg@}h{W;>ja0>1DGX#g?* zV=k`4PnK1QI*`RHf;|W!rjS4Vy3apjs0i|ITU$1VS3v$Fk-+_E2lN{PS~@`zM@dDc z*$y1r5NUi;Z$$iv^(7~#O>+Suu~IFrrZxz|h;s;ijJ1)}%o(zv_av};h_UNxmf5`* zBToFO{O;%EBlENKbI-R>jfFCd(peZ3QaVZ;c9)c*1@ZCmK?osv7-~nm4dXCR%5D=8 z#RUgH;C~LA5(4NCpA73oW3t{>@{k;4HV%_uMwooe0v(qQbVwo|CVzpqAXpeJO_3}5 zLWu^#4vSIlLo_a)^X==25c5GjstHpy|K-io5k`>3OxJL}mVzu>9W?(GMutiy>p1qp z$$7I=mbo-rF!Lcx<>TI(N5x*6DRzUf$Fb5$;P_v-ZD~4XvI=rPJ|IpRtaa5nv~ccQ zMjTm;54u`@8&(+~kp67emqgiIE1$su2lmh8`umDky8DgWPPBO(c_hz&{f1l)V{@~s z2MyWQa4u1<8abzHDjmPhMXL@{1siOgpyUFjEQCzz4&@Y>cF2b)s^+60)MV`h$?njr zQU%KkvZpIx$hy+N zt)YYD*C2{~6`88SA}CeD=q~O-&cNT#FG>(HNc^We*w_wypG3tYe}O|5xswQS&-<~f z^1hLgxTB!75TW+s{j*v!b|z>}gePey$USP_k?>S9a0tFZ=)AhaRa0{WbbA)}Kx8pW zTrV3rs3D1f*}hF1GQJ>w3mTW{VmY;D$Evcj4+^?M+77 zVg+bG8?e`$FFihDfyD?FeOLU2`wk8iI7Ilxs9&Baa@l=nB$f zR5;nhF8Frv7NK%XbOd|dy#-WPQTHv1fgp;60uq8qNlPQCbceK*w6t`Gg3=)=jdXXXN=Y|JBi-G37x;bu zd+&Q=yz$OB106%fAN%aH*IIMUHRnh%MeRru$c`jJ&;SeP-)(Ix%l+wq+v#BjT^!A# z=_|i_^$Jqj<+F4c(x=m?sQ{cAl3f7C$Ld@-L$`~q7Nu;hE;i2F>Fe#Cocf)9*np)y z0Nh}Y30~J%rbJQWUjc|4WCGC$SNM0!+|QxzZd}|wKRdIuvH}bGM^B#QZiRt8E4(TJ z=$LqTD~pTe;AjE<3XmWJr~{AZ^OrAuR~`q=v3;e+N>z2eVDu0Nh?s!^8~7c;)&)oE zp1~#vg5Vk)L8CG=H%IyiWpkpsg*0Q^zUB%XT^`D5-CG&-bM1jm`J9RhkIhUCoTMOS zp;N0s$HHp5|IkN(n3xz`AAqC~P~jUBgWtc=o7@6*KE%*-_yx)|u-Ft2g4Sx1pPwH% znL;uIfG-*m4-KXd5Luvo3x*_rmzEv_n2v`>6)MtFP*?~M*^@Z=a;=6hVBQ2jXDP@Z zFfr}IHaDm=Ce8jO zlkf2Wd*{1RAJ&bts2@4M5Kc-l$P!{|+PMJJKrLy{StI-26~1MC1GKZ~yztVzaGO($ zSxs^ZEFRysW9piu6i@UJn^o*e8)}O~qM?ghdmJ25j!xMbnUvQDtUmmgeVe;Ba=-uYjeIkfr1M4L}8$ zPmoT)4(WoQyw^b<>JhjY)1ATp1?)Io%c~u3fs^YMEDd(Bp24sO8BU`ZUC*{#055}1 zBE(d{v6i`l05J{@Mqdbqidy}T1ULr3`+ArL?f6OPC(kdcm6=3Yr$Oy{30Wu%;;5*A zS%^n^`Xb~~cZtEi$G}nr^Wj5?yOg|xP$#7xel_8SQ>zLvqAK|@=q5r#pV-A33{oW0 zhT(yL0nCSau{cft950|I0GJFr>Q_$uo-9CMKuUo3;G4sg(6yl*z_0N2P)7szV_72eUwSUQu%6Z9 zb@&vo{JQCks(R%u`f7EbYfj*n5T&HUYu5`8q;6>fw;ki2Dg0rt?h_iviD(1i%Z>-2 z$F>0z491I-t@_i6flLNAs?~Lu2`$d7<~AxvpF4ZB?nrfA4U@@W*FJb)8=8JFS~{$A zd^k?bKX{RA{uRc0#`9IpBoaahYVr#LH|MY96-xNv=K}Pr%5vTpzyM-W5)vI~^ur+t zZ@vON`nO9fEAhN;@svYkI#5sk{reXXd6b|@Fnb2OEXKHqhzMBDBXDHaJ#paD_-89N zw+Kz`#agFBUB(v!gO{1YKh~6p7tjzwv=;n z*lpx|_yT+>wL0ghk?=PhSwOB}jFE49S3ClqM_Mc9z2I)tTWlcxc{Y+(6*emOarQ&L zG^x0gy=A$m8V+)B>qY(ia7Y>~i}d5~balvU>qN+EYVv|1jw6LwbYbB(SardM6OJNC zWV<6X?DP(tXTiHXgoq0OE-)yEw1k1vMhxr&r=YHcnuWUdwE=`Kz~ykN5by)Y_LVrH z0S9MmFK!7Vq{MI(oIx26v=7!T+ewILT<(spX?5oZV>~V=zk~9poKBubI|CUIAv)am ziu!h6%xbn7)p2$azDEEd_gm;B)EvSBn;9F6BahTLFrBNTBDmYVHn1xt;*=Ws_`e5$ zugJPScNO@W27e7+4FEU&ePiO=a&-V0ZHwHPUYGarEa!;>(~KvabwCemdw>+i|3)#Z%O+)IjS_^`*N4#C5_`UnK~zS2IdU^n6~Zr^FW>4f^EGNufS97hzH`+?FazK~ z-BE{yVjOqw^#P>7a!;xz-#Uqd~FGx4(>@{7z7{IL0C9F{vHU$wm`IMZ1ir@29>$MC!9m2mpa7&f%^k)cMXIuY}*6SZyx?!2)VVh z(*;^mii+5g?I4i^-idE`jWOPUvP`0j7`4Qy{UX;^OK#ylmRuX2HTjK{B#rzY{10a8X1!i&v5|HcFi`^aXNb zeY3Ju4hezV3z=#x4lc2TLj*Y56Q?Alkgl&q!N{96EscbW<6|d>;@sTut4ZIQsld4E zgXgTo3+(Q!a)bnhs z0gXaB9%!#|zffnVNmA0&hoNF40Yr}K7+ivs1y_>;LHFQYP}=%_q4R3S|_{DsWD5A;wXNhET3Qp zIXk?JhFv5AHP6XB@@nsg zLHNkNh^%K2sx~=M)zz~vE>h}w%{%_U)CkVDw6C@fNF9uf{734*X6MBR8;1Rry#38D zS99CuWP79QBnEjk>nh22j$t(JG$<~}HADcpw|B@f`*uDjn)U*XdgKv}WEw9u8{C%* z6T(xu6J-`nzi?;0YE4aGSS<3k*-Pu4khAYFUI(||@a7uwgONg46*jc=^0=BzHK24a zm0Y4A>Ca>L1q{A+T51j%3FS?>O@G3_4T_X+J zvC-$77lSizFf@Ux*)*b}cQvXyyNcJ!$ke|&{ezLs;7ab|D&ybybA?Nl1V~np2wMmT zVxk-&9&Rp9R?9_13L{gVaaL_@F3sISqB-3&9sBunpk1|gQr!?1@2y8V<;^Ksrc|dt zRXJrQ>S=+{+eyqg3T?_}H<{@5aAI>_7(aVf?>++Oj^4?-18ZMguXISw7pZ#dBR7we z=jki0C#FC9=y?m&@*Mr47>8E>ix(fj5YRIi@^eH)#9SyTAQ1yJ9pTko2&@>79tj|i zR9GZ~qa`%^?h-@$1CoIAmF)a)zhq&XE83dgs`2A~*szv)!^P3Q%{t9so-s8gqAS6yC3FJgThW^u8zp{uMFq)k#r_VJ z+oysF(uA2)5&T3m26JX(b|%6fkX@MHEwEXz1y);|Oa(_78)=}$mIRB=X|EQ!s-N3* zn{99z-&0Uf@DbSI;x=w5o30h^?!DFAt%B{gT2cBLvrV{(Tk<cgl9XtXa#Yw7{ zAAe>=Ecy=Jm|U6V%E}6O5aR+B1d37f@e1NcC^&R#%JTAao16KK>dk<@XhY%z2@D35 z3}4>^At7 z6HWKLy%S?`zD`V1fn7pDGN3bcZ*9$*CYSvY=#eM{pdHYk0$1lfoWyX0J_e3}AQrDr z=lyC$RXKj-)(T6q*|uMy0bUQWrlUXlDwX@-Wo3=R`Ak)`}QSKI3 zO>-T?W&#CS*~0m^>mz3kKPGu}3}`{5Ost8i{;k#eA9G22J5*9Cto{J4bC;+!s2FCm zy;OM~r!E0Q3T*YR!0UgVJ=mRKbZ0c*7H(#CG>C}6^9=MgAnycgODI^A>~4jLQjJ39 z4{h%-oavUESJ3aY>A%sGFbPLhA;W;Nq{9Dm#OW$)`tOJn412LQ>0HTCu*|%Lt=P+W zu*ZC`2jPa6{@IS+8|{Vt7knZ%D!9DNVMKUYrnjIgOM;D+m@ z%e=2w@0Zh4DLj^~-%-?_!Algas8MCW6JH)RwI1v1m>X(Ux54^}2TbU`<9;?X-dD(X zVJuFtm74#&%tn&>s|awC@i1S_E|m_N*0rkE0}}$k41EAL0dY*TGhqfRXG2{9erAutDdpu8sDeN)$@}?ZvUG3eLllA7YsxP^ApR+Q+ zz`rSUBKf{X zdWpkaxQ^HUDeu7sCskIq`mLk1!%0qL8ipfAs{H*_0yJ}cK`?RTq4*<$UAJTOq8iddVTE&w0~TFpT3k==#N z*E;e}T<=w0Mt5VnWfmYuXp#UOv^qHc0q@lzeDF{9c}W(JD8Y9AS-Z6o^@_1^J5yhK zUqA1>uF}F{cw;m35LlFAAJ(r-_Yupp@a@E4YsH{5%i+N(n~ zRZDG;5pp@>;Ghpl8W&SB7ZcO`jDsOR|F-K%k%y#xW8)GXsDwE_!=ctuva&sqw?KX?CV#5#lC*Scrm;8TL4CeMOjJAj9xKz~Spd>$ zpt`f;c|lU_ed0M&#f>aljZ2>M+r*8(27*!SX(zXEST5TezdF}wI;u3)i5AD~3h(+M zeeopXu(7$g?}Pys)H$}7;}?04w_ud<>M{Xn3;-s11gJ48L5CMO0= z*;G~Nj*T#d(N<+q5*K$e7fCH6+oGJShN#;3uoOoB&;rIo97VZ@ZxkNBk(RrDjBPmz2 z$r(X2Kk@4url^Aj8TLXyu@80$H4n=0wEyg=?TYSZq~L^>M^!F_F4Q{MhR68%#RbIa zF{s7ny08-NQ5pSdtfWD6NT?fX^HJ{tTT?Pp(%87TOfM*gt8CYykA4a+w99m;|5l{# zpTs4{+n8lKJ`rGWhdWdz?CeZYkhz)$2u#)0%z(sAtta%dea;xiH!ufCB$y4``eG!XV*FK@CEi#}S{jkGlwRaCrLRgoALI_dPuMi(yoLly4rwD>`?!o&1Y>qXXOi3o0rW*2?Dc9T2zQW!OU z<|pNTdHjHN>Gb6)XjzMoeB)Sk(ROF`#sX=QrwF0~ujQZe^5TOGW>!|dx$@c$PI6ZL zr5cBG#@C`xCK7xreF1Lu&gX-tfmP2Pj?;(|a&k;uU0q?eBR6;b%2PfM1kA=pgv(D-dXN}{THUVq4cpj(OQes=)!osa5r}~o%d5+Nf0oQp6rJL=j6~| z1(9B}CMc+V$EgRlu8dNG!==W;xzjiZ=3z&K+(K=%Iqg%2aBgj|!}tcRYtwx4IrXvW zf>}bx1kYjyDmJYI(%Wx%QjZP0x?9G&jMEGj8Jfj*7^jr}gmVVrc2>ntapVmP$KgQ> z_5sU~o8$S`s~FA9lA-v9MYV`7Lx<1q**w^3cLtPIULTzOG%Y$8e)BVb>)Y+DO&mEp z1~a<6q0<2Mie;Q#^3Qmhyk#D}gB>E8i_7~YW&KJ=yiUh1`Q@RUKsk|->4Dy~B=Yvo z4hNtNUS2H#wVU* zxF$&qHg7Ndf`eLpUIr08vJ(rJ)NA13=e0*r!qC6$r!~F%Cy-sKl>7&evZux_zmw@t2Rm>7b|4_s5#AW160~Nm-tZpK^`* zA!5gHe<{1vwzs4HLF_Y6t_KfHakrvb90*7z1phA1mcGEXALI2#fAi+#?`amthaF57 z<=PK-`s2gL)zmgtv2BOlagdN&pa-RAZe9aTa1ObCJ)U;;|6Oe) z_%lHf#~F(gABi5P{%Mdmdwoes!Kac$0^T6>3Bel()@(JHm{eu6@+K_`x&}Bk$gOVM zHP0x#(BBX|Q73p3=e*&cl$u%~WUlg1j*j?@R|{UIuPLOB1T6s{2-rTMhbYMq;9*@Z zjbyi%6JcRTzPX3uC%&$qk5c8}=@nBQzUu9R%+##%^7#DZy|Xb{Qz}v0W$U~BL2a`s zL0Q=_J$VI14N4l)p0fG8%v%1i&Y3{=Gdew~HFs{Q314V*j&H*V3^)xT!c4-gknvW@o1QVsOH`qRjiG30a9gHJ)6A`0A zL324=Gqf?JBqpVJ>VEq+DZ#dESs})HGPSXGTl3G?c5puTOh5txX9AB_%JF1w_68S< z#^0({Q++yOQW~lY8;PV$t$M{SESz)9t+o!sVOnlGBEnEmyG!?-Hw^5$SU~Ki+ha zG4w38=XGh$3xp50{wVUB?fK+GKJSv0qchwCn&E=t;-GTeAz``F@)1%aaz@t7efP+m z63?Vq2`P;m#B&O|Ye^%4riwE~=dU_q9`XHN`OE~nFC*W)xE^y^07e-;V-N)R@&*gh2J zm}cHq%YjZuh)+gCNLl5LjE4NHXussr0OG`ZOXqsZw)F1kJKK|?tkN@`xl0LDR9wwF zi$ixbWffG9>lo`ZXxQ>;YKs;~h)FA-QdK?`Q?+%kTwpiULae%X8vzEy@7xc=dr<%Z z=$M|5hqTdvdym9(V0b`xyf)P0@IlbGZ=WhZr+obSt&DXd{3gPy;o$SUA2#V|EEi2? zDc)O3)zXGplrb=ShUWLovymdb)M5TBwnvb9#TDm!KYonLfMtH@LP(_ZcUqsiC%U*C zKc9Ej8#%9OIHrR1uz)7&pd^BtLe_MAY(GY`TrZ~>tmV%e7Vd|_v>87B=g$%2v$9)M z%krSsYXIv6J*lnf*L=UzBx7KoEo^M?*sdv8iC?QoBP?Nz*5TiUO3@%YGrJDUX2-~r zEqr4}cd<8wp=6nJf^Y15(AiT;Ey0xPD%`&e5x;b3!Y|4dmfchZo0Wb13yt))Tb!gb zUOl!3d)yli4Eq;U4MNME1Vc_qA@*_-^bEXx6z|1FvWO-SZ$cn8SzEKz=RY~yFtM2_ z>8d&QjgY)l8>(@;JXi?m383qaq!+Dr&g7#07o>{&hh((;Z}I(7)l`$;iO2ihE&^+H zH<{+~>=Uo9lDa=Gn-&o7*U1Nj>sGP&ATA@UB6JU z4`mcB4hU{UD#_bQFvR($r7e8Cg#-<(KiNw3d?No66F|Clc1BBIQ~cXcXE@hV@|{Iu zazS?-8t3W~360wE0@iuc^FuPx^B+&7z7~GxS(_5siGi!rl-;V$-yC!pKai5rFZ;xq zm@J1mV>knYLk_EnIWww7bU44}ATu}ndo?qHyIG*Pj7;mOklo)IEu@;#w9epx;q(P+ zODnm2H58Rfu3tLF3#L;mGlV5d5U`vdVhO%%KAKDAg#NCkYE)Rn*RwLpzLfrIr5Ghb z&T;?3wVupu3i^qQ(YEszdWJx{_;pem(pSh@Iy(3!J(1Dlc5B-0#em01pIHq(7Y}7! zJ(ewDkPf@?~#!(Rx)&XamZV>dNqWNfUvZ1or7?Y z)i}AVGzIoaBYL76YUvqIWLEi-#}cSn4_@qT7d)O$-DFFS~E z+?W|oDq>Ow-kAZvC!5rMOOV$j3QvbdD8{`rD9{RB4xGSyAa&DHa%u=iP>4L9=h*sZ z%@IG6B_VIt>7LJZvf?o?%*I^y8U0sRSDo25%}SW6>qnh5T55;O!ui3Q@m@huW&Ybe z1#Stf_ud&8OwAr3&Hi1(G84ZXmpwhU+P&g*td1YjpIagA%g9PK>zqGp?%fw(c!9#{ zGHgiKt&Ga3sMlkdM_YXY0%N)7Z?H&!IREy>DrmZ1=awQOB6 zJHZ|myrk(bpZm*3~ zy&i3g8@N{wV~NsJUg5L6!XSk-rKC4~AaXbA{hafoujnDWa~55pE!&ew;Q*%g4~DWV zgFpp*fO|nME!+oB%=JD-eRbW+P4*1#%wCvqI^$Z9L?Ldx91(wF)dFYFsgdz}%! zl-Fs*`8>1M%pVo~F7d4C7gQEP^gXH&bVjQvV`cf8(&KlAcee-p*J99a=1sWp(W9+9yTV;>zvC-rwBVpTuv_pvP4CuziS*`JQg&0#?(Ek%{ALMN zA;k0xyP2I!DK-7KFU&_9S^V_N>fyVaMAe_z0k9oBLVVBg zWm__~UjeFLoyeV0rqPr6IOBm*=!!TpB~5oNuFIzlOF%Q|4EagcN36UOIMT~?qe4nq zSdNeT)Au;bHO;M@%HC4Ru&A+qj*$> zH*hW&>&hH%(ULR8nIxPNPHonu?caPG&1R}S>K9Xg$?2le?$z?Hwv&q<6M=WNt}GVJDcw|HFv-t)TFnI=soApZ#TB&58!q zPX0#xXrYD5rUsRNtE&rhWJlE5(avkvy0ixh&-k7UE9LZugoSZA9~C4dBm@MY5|dI> z8$)ya9yX1Lh)5!w$yb;A#;qriLAc+so9!ALaCzprr|=@Vj~Jmx5LLb~>sW1nga56O zmdU%2{Le%7Rn+i0R{p81nDdHiM`IfP#>H|eC}Jof|62JmaY|MN`+9R}3I4EWSh${K zhpvPK;-g2`IMFx5%xu=Wd*CZ*40OwOTDQJ!O$JRS#~Eh2I|>>RHZBBc*Q$%hY~G`uszm zadFFuAj92E2J<&<)KoU512#_C#)i+?x-%FaHFBBE8&NMvsxz1ywIAo#*6OuNt8~GV z=DdC3GWcmZAuFrc@?IF0?&He5H9N$CSA1#};bM-D{{N(3RkyCwuVlpZ@opMXa?cEr zz1|R}#A*VBqx}1WIkzyy+KhQ_r%tYur6$wly|xpCD(FeMxA#s)Z(FjE(gNUY+ey<+ zyG8!@;ZRjngu5;EUf-QBGw1tyNHJU9KE3MDKC@;9Y-jdkRr4(yx4tH%6+_g4{*yqf zdA*c5y%Zsp=rhl%I!R@DJ~LNh;*|WdsxMiXyhQnB&5=ABo4gTZr1h!IMQDD8Aqapno7DGig_vXV-LCkIl<}^G z+kL~`&!f7&=q1Yoi7G+6mr#O#c8_(=7d;^7v_(5OQ*{a9PAGZAqItx@wSCn4!=aw+ zh@i~{Pgzrr-!2t4TikCS@w$hLInnF};k$T;5yEWtgeiBDb0rWFk2q_px}@afc7J@l z1>9%or&D->A_Qn@n8K00qYGl~t zSkj-4zPXC=f;to-Yb9vdT|P_7BTmZuzTKWrR>(m172~Bep<7-Ksi!XQPB&mrAC}xh zI{yJr9@nL^yDJH;#DlmhF=Pi!g1X(Fs8p+T8BRfc-Fi;z6)GEVbjF6>hz&8$d>|76 z-=G3CMyjhH@&WY>CUyH=EM$ApX4y+Zo6fhmn9lO8j+3fgVWU){s z3l$d@V({UutTJs*`JIh1O_xWt8c2mVxAdx$UoCHr7cLs>l6ZiU`9yoNc9QX5((y61 zPW!VdBx$+bheB^92+bvpqvDg!d= z!idjs=`^)0$Ti(mn8D%xMVvvo?BKYG1QFgb5jX!-=q8 z$b2GdX3uYG^o)cxxA?8D*naUtu%?QwsX>WQgu6DD9LLi$tg-o#U=6vab6dA`wJq8D zC|2vmdDH1ZCx-jXTk3p6G%MCSAxq+;?|;Mek8!MHonM!IT>hp$#uS-HHj0<81!jjHR9 zhrq#keQ0~=)=Cq5B5!#kZ~Ix5T+?G7ec3JrpY|# z!u5LLg=5O{!I{;fW}r`dkAt{go!AmW@Zy#65J9$_!6~g~rU_F>bWVO|XN41+cD2)V z&D5K&IERFzg;Tmff7matx>LS?2YHi^Finz`4eU6Wsx~n-RmxEYKYQW-rtNY6&?XEX z#qc4P0jLHX$d>XD5nSoCcr5rt4E1hId`2kv@qVW1RZ|V4*+dGVA{JJezwLJy90X#| zfH?K8j-2kzE=3Bd)sC3__lAO%r#xe0+iy!9ppFDgBe-XkUPrr)nzD5VMVq5af+;hSeufuvBlmb8 z4-Xw62|py4*g81i0je=nJunjjl1rfDWW>b8be)U4v(7E(PS!Xd{EW*My<6xndRNp? z(o{Y9C%*wFJ%m?p- z)lT2lxvVx$;0$`_Rat-&of)FU1y{|6^&JIFS)+{F-6&|Jpv~p@DP{9X-9bp`Z+4_Z zw+Gek4l=Re*ROEt|FnAkE;H6go>+236yZ=sIAU>&bieEsj6zY94l-IZCW%TYx+#~^E182t*(T<$pV{0z7a4-1rO6t@ zSzNT;sd*WXTh-;V9xuD7FT{UPFSUAr_v8!0gWkb}=`CaGRhX|SJFl!MN{VGD)}FwA zAf?NSkf>fDNCKyy=gAiiqaR((uOT*WSy>dYof~KjZ$-ftQBI7ucj>1TiA5-p5>Zfa z*$E>)eQ@7$Y{>Z2lOS(omISC2YYu<5Fs0YNbY#C2MAkVUzQAwPfa(B&I~K;xV6qa% zBQw0r%*f5)ov2635(zzcz?C-?@7tUDL{CKG2YKf>Pyu!H(z>$gpX=GYTgwQE=|9b{&3X}f zis4-po1Gmie!O0dQ0Gzd{cFj0*-gX#T}@AC5sBXihZLRzE+=6YEo`%a^a&}X`JTEq zq73a;4XozOqcvD?LM-+1gdb5%?59_wxYKn2i4(5={{E(>)WSj-E`hdWQgw;BoRZ41 z{g8E4HY9^A@75imc!S>`Rrd9VNE1$q2au7b9uiiv|JGIBMNHDh+>Ok|XX(;P3cv{8 ze#>wpaE4dCjiHwM`EW{u-vL?2M=MK3ek=DVXr zEUj9p4>}h?bg*up1zlJ6aYsry+31{2JN*(V6m!K*`z$B#vj3kwPotI?O@M@Jg(!SirMHp9S}mrV{A4!8)5RN8t*x_dDZ zjYjmA7ty5#A<=Ipl5IAUEx8(HY2Zjta*6Icb#G4(`-f?F;2rw;iC+y^OLPEBJ_3fB zKpNrY%a^eE?)VD5U%b_GKJR&+^W_ynoS3!1(z)9KZY;CIm#Q>dYCo^Hf$|E&9U|hy zo?K3rQ*F&<$Guru(vjVSetr*vkngp2NkoRr4dB0H@9D8#Sv!X5Jc-DikwYax2V4rA z;l9DV!9fMI%}MV-do0|8q?|R6x}Vdox9$WG8bDenO-o1BQSY+Ox7+h4Y8DCHK<2{3 zghxgn@^!_r%gcc_YZQkQ4Q?gSnxI;!BX5W{1$@k3L`DROoRZnwTgWAnF$qP^j} z6u&gM#HGclXelE?zAC&?#DDjm!(zu8Q80XgnpZ(ljmyOo{TUsx;UY6PC)4@b_O0*4 z(oB7FSm6q&ccNh7bqu-7!imrktZA=-*E0&Nd8`(+_{8QX1Y23p^E0xuNj#DLkb&z# zO<_$0RD3w1;4ANG8ST>FfhXx<&E_V0H{g^%`*3DyiMqdUnpXY%xBZP*N~AB}Ax@AX zSo2FsNddW;fW4Y7eL>0w6~{G>C-bSnVnwP&@&UY!$R147+xm{G!jSeV1pps zSwXjwgAqK4@ByZ$8_A;P;A91ePA6JwDk(n55(Qm$UNG6YjQ6jQr9VK0iyC9geVg7%gbLJ!v8_IHp4 zzAL*5*34}YK zN9E?`22HH17O{7J{w7S|UbTo76a=qxQEova%bP4RiVBx?)X+n%FgG!BrhfX|`tMNx za4Xp`VU5J^JPtSNU<|3z0!s}W7C*O{OdgFc@nOMK7m=>~d(P*!jTzem-`6_!hV$be z^6jDePtD2Kw`S_cV#Uj!k*A+59an2+XMw$Z?~wQ_ncwUA9%%fSvqe<--1eE~@5UGW zva<7wOALLLYf&8De!C1b{ORF#P)fjNXr#k`tKBb_rz!yt4htmDRBq>sg~n8*!}z9? zdXc`q-sA_z6O{+0c(8Oq@%0bmG_d29t&caXn!kMOj^|2z>jy8S*T3;VcPW2V+!*O3 z7aZ&RklweiA&=VqEPtPKu~k;}EIlu+Y2v-zLCB?@hw z#p!9x8I0grEZN0r%qy4)!JU5c*LXPnqPiy(Giu7 z7t*gqKQrVfrPbMZmG>(%@rmdjwdZ3MT>jP*dLS|N!@lKGYD5M94QgwdsoGzImmvWG zx%*HW#}QonteP5|m^9MYA@CBk|0|UmGB~9u1Ezj6`y8nENQDdb5=|n8FV?>|$w;n_ zkXqM~Z)ov8+2pA`GyOYetR%SC>rq3p+@u2KHHT5mMIHhN+AmrAJ0?^hET0i2kc z-l;(*)>$W)yOBRO+|7n&kBG#TatGF5to3){efz-ydHnl~B%a>hzRN49?>MN)=|oYL zZCOY>bF3{4QmUWx{dz{|6eyLz96Q=jSn)zrOenAOYPoQ)mrHYhX2j1O=|(RGgN3Yx zC;AiaIM+Mp`W)RdipH~>5x>rU?Y4Ab@Ch^t7|_N}SpMui7p87&yGvY88&6I8Y~ZY? zJu#AvZrna5BpyBHDIMjc+dE!K(*Rjpof2zDxqF~mi?+@&@TW&6Sm{+~>;VsL`qS*h zlxg-^&2#;tzT$XpM?9ikavqMlvNRzLQLT*dkw2nkeMNl|`&=%2%sUFVVbt~!CyPy~ z6Whi_l`}Q*K|sTRXuDcO`LWQG5xWxLszP9zgzeYdoNbVQ=Lj){Jl)5~&(O&Dg5z-b zqsJX|J}7z5ozIhgCGqk9g8tQgf20GpB?DvLz)-&?deT&~)ZuPTG`DRI65865x!N%Q zu%x0-b>A;MTOZD0&8uMlXl<%|zdsYb5-n_ZuJcTrq#>!Tz3l{lZy3L4SbzL?M1HjI zMlFh~&1u{Ez+B1RfHk28AsH4K8CH|5ZL*gN>iqQFyJN>KQCRAYVNg zF1#Gn(2(U>5|y!#y~~LolUqxRgtS|Uk^k%$AKz@!!^yN7GS9ufH9c-y&wXWM9#@{U z@Wr4w>JEBc9i5nZOW+g?d=LG2(Otw;T)sA`ZK%_`5R@$bo@`VQf({3EJGsXDDMZsO z%5FLlE;$tfNjqZoA8e`B_Ie}8#9TXTn$1PtxHcJChdv6M5B>Vhey?<3hcF~vpC&^f zG7OiKqodiM0#MBV`JZ(AsvzF*@j7fz9|;J^Im9)Q6MNH79&}LOp;h^#&yfaeOH5R^ z_nvddZET`(!_|ZIo1j~xcUhPvJG-VzIM~lNurxuzaxA%u!$8CnjVIvwrKY_z<`Hm6*NM4TUTj&=D=`1nkIHHG3RnZIpiENcpmjIq) z|DLxT)Tj#|u+$Q?%PJaU=d^ZpXbmJp#2)-O{Mf={m;F^y+<+bx^{!5Actou2aYr~# zw}#`|?mOQ%#~Rz}^^K{=5_*DqLT`mW{Mfx*XD=|B2ytkSQ^9`WyyuN&rSt+NQDZ-D z)vlY6+iqon68B})f&q+>b=bt>W8jUPsfhWBCu<5%Rk|vP3U1E@gcj`-Nzfnsjq{>j zxaf5zUlI*IBurR8<%SO~t#?D%AD8&)k)BiX=;&MeL+*6vE@ob86582T4+>#eUF(g+ zPa%A}{ELB_zeU=gdiq-t)VDb(yy0VH(Ns8IUghO+cdD7RD zBKsO6dmqj`44Iw5(lcn$9J$;XVms0i_|WcPL5s!b{jCg>Sim38n6g*)DLU1ThLWnR zoQljbPjL-Sk29Cw+yIxBS)8&Qc;jpBOxPF zaV#s#;1iMl0_a-K(rat8ErtlkrS1`NL)Z2NgeWy;9oY{*teX8{XJRQO5pMh`63@rU2XCzhVu46WLWKSz~_N!;DWbOFwAUYuW zmuu%Qx;h9tsCrq@=CfMO&@@w<(s42wq)l{;{VcDnsCXRe#9ads>jqGZ)z_PwzodBT zuAq!Wy(}j0s(R?0?%+`v>Ls=DVXSqBg^{f9F^__4v?;F_imPlRSrhJMd00d&Yp-SB zS8=aX{5^ArjbDcMV!Q^cstyFIA?vyE9z7|91gvb^+^QNKb@ZIi&-RV(fm+_qqfAh^a;C zV@nse#hK8gYG_}%550f?9yHN^jE|2uHIc#47dg59c!dSb%xTs-mez1t;anM+9MPxf z>Sq3y)fX~y8ls?R=B;t^K>yX=!e;lkEjH)Ak;W?-Z(z0kpnv-Nab(0JCfbJ>=i3Pl zbNViKvn{N43)DzRX-4D41EQt{5Nn+CYcg{M{?n>k+cM)EZCV%s2^5J zi3mI=r{Ex`i0%zqIh(Lzc-d>to$&IF$Qf*?An;^jRK+**(?ukv)Wl>=K1D1M+ zL4Bj-SLE_{#D%2vw^szKgVv%MPqWuQ)eF6nd3X3#J)h}UauEslK_!#AL)Wj78?w^R zik}5)@ci;-R_C!wt-EONk~9d4Prh@Gdcu2uxBB#~3m&>l!bH{O453bfSUu+jO+s9o zey1u28x1Wp5AQ~=v0JvR;#IaD>#c<0AO2NK)<5E{o7vPB)%^UjYI@gE{9P&J6RXoZ z&6KS^t(}@TNhSuB>Nlklp1ii`)*!EE|FD37bwhVK?2uBZ${0TM_sslHGx48OKRYJy z3fLTH)`jGIDk(t4yGEE%${(bNkhs%U%;`4#}D;%4a zv^;ePoVnBzm3*ny>=j2?*5s{*fkIW;SYM3wWiFF>w7z|dK-uTD#z8cFudDM=>2Zqw zR*ZYa9paQCb`JUt5q@>M_auP(O@Ms49AJuHP$k_4oc?csy9$eBmU!SPD`QPvUS8+^ zFkSo~s7>ph#F(pdiz6FesQ(yteom|BpQ`(fZRDN7<@Q~#1GVCUX>}($mX56DdvTDy zQ>oZoD)wLa>yS&B%{T581<6q;GfUf1W@ZEsE>722PfU{Fn4fr+TW&0Nmuhm#%TAUU zkP#8NIjtbMciq40_aj`SZdgrhm^x)xxOrUUajFBplj-HMcak$vWw!0#BtM%Pl7xAe z5TJ7>)$HYWB-9ggM2#!FOM zR3omRhI}ILkV`#CiFNdo3eW2LmbC}5}$~?{lG8^yTy6qQ#leNn)IjTvprJ{dmWk6O3v1?+reqrjfEHt z13!$y2I)I3P2fnV@3@%Hyev+nc*^oVI|KYMyPi%( zmCYEapO#)~X(np%w~NxXs}VP!(#;NyH~iEHMMJC=n~!E>^m5k9NG8Q z)-g}Gm`QS%4<|Z1`_#j<8oa3B40H)k`jz}8i0~pgzPv0e8t)MnOus*3_{HyuPK@!r zwx!k=#TS`4X~vZK#sddzzWMUow-FUhHJYsDl?CjZYnJgN%t<}fsz2zoj;2beF!243 zm@u1)+lXc~MgbCk??!eLvi*74k>=FBtb>!CmR7GrqKrs2IXR{eJ+Jt@y)#~rs5Ct# zpWHhXm9#-^zez4trUQjmjdP8ML_kI@J#Sb9!@_5Q&zY~n`|r0z41YaJC&8KZftXlj zdx6JtaoRK0>GsMKof0=wFdO@#)&Z&ChK`{A73zI|)U{ah7f%NJ2Jtr8Cn1X@o?B>A zrM;!$vVTgaR=Q*`9z1Y^QF|xHP8n1N)?&IqN6`vNw}ys>=H|_tt_Q_u=%s@RawJSl z4|h=*{j#aDmg&-CX0s#yV(IbL&XZ4kwze`^GYQ$z_KjvVauj217;hO_i=TRmh_${5Y;F;_ zPpCbzlaojx>4cY+d3f=?)GgfG`|OR{Iv%ELc7S{zV}XvFts+Jq;Oo>Akiu%DGSw z)E`_Ix|bnwUz;9h8)q>+nV+6!w>*AtXmOWVK$3qQi6?&pf!jz%Mb?n_msay;zfd4i zYEGJjWZ+|_q_|;Gag))5$qxnJGamaffBVaOoZdInXZLb5Og=oCs5Fi_g0e~g`L6xr zqs*F5h9LoQE^|j;CEO};?-Twmk&uxI#>+TVT%4aZbf1XKaR8)-2jr^YAo(SP5>73TR)?hM60xlZq`OA4p z_l!;6-~V4sePvix;kNZg1O)`7M7pJ*2?y_F8YvImeh|xWC22IR-VqFNd0LAvC&$G)wfaMGkjy@o+=!rNBi7yF_I+ zkTka&I#3&>b4ZRD!@$P=8$-yL&C&(Vc+L)907_iU$^77C?Wv>U^^=K21D2iLBLa|X zbiRTn#Q$k$_)BK^OTzVm&D;r(eA*51&WkLMYEMTcZXhpeJ{FYz_b3BMomg-ur)qb)zUYpy-QNWiT7QOn3gWNB{Q&s;jG*gY>} z{`!&m{;KaxQ%_r4`6uS__^9DC6TG%d<= zO8ml#9^-onf0&}|GP2^O+m5q&H9X^7#pv{wq9=oUt8zp9t@Z${4 zYxWO$iT~X+J~XJ`!&A_cEZH;P$WCM!=X=O0@oT?3vQMVh($t()VwKdr_mKCB_!c&xRl$;Q-uI~hdc=oIChUmA(UYC@S7 zqXQ|)`WWnTO2Wttr)Qro2P>=E;Bq~2?X6}U69q$O8ZL*9834fw)>>pVww#GNs$qL_qZSt-dV1(Fm{Z znd6VS=HAqx=Z(dm69&)oP;|N6Jh@I?IX`e-5-vAcE!N^CwC@7Zrv~Tz zRKp8igxiQ`A|j%54VB-&|5>_dYFcbj|1_=Xb|wFUfeGQw{EQMv$fQH1aZrI!G7dIF zFYV{EU{IxVb$z;cJUc$A&aWLF1a3CqH8fQE&_@G&CoA~U_#zJAUQV_9E4N|vh-6Ou&PD)$BLuQC!#~LH zRCKIFXPb!sac*cULHmAf?c-i~8=&q2sS}TXFA$Fbg5mM_nYYi}i(ilXI(#vVIN@ zmICOPWkQLFw|)b<#Z|Lk2S*zq%2jrBw|x?UEqBw5=qmM6qwSsp%&1rJNm%P!e4ZW| zXyfK>Oc<#JKG!s`^(^XML)M>DaT#g=PZR}yEY_FIG5kOt3JU@L6aUG|h3BZy_9$X#$EauOf zoQ`*}MHMFqvke{9NaH+bBn)FzxC1{=*` z)tKh*s7ctVN#f0td@@IeVevzJX&z}bryfgKGJs+$z z$Fp%oQCzOWBMG;5c%$2}<(_*pmRroh60JMnmBIXbd~+tieF$3u$W~%v>$W*Iy8Z~W zKkjrAB>BUR1o0UL#5)i=c`GQX<>KmLtz%Va9~Yh~$;u*=hyd@Q4OLI8+v`6@wBlH? zn4dn3B>v&aZfxYDr#bAJz~-P|%6TS_V}_$PqMO!aY;AF2aUSv#eC`?fv})&pxg)Cb zTu{UF>UEl1+iuMcbDSQp3GJDir=jtlea*6$@o4@u)`LofvqMjpwq#LPGRZN%_2*`s zey@LrRwlofwol0q`m{gUOU@g2^NvuLPZx(1XLqB-UWd(aFo;OeV|sEpF(D;ID-zko zv#b!Qc_DUx-y*AUZmZ`A9%-~tf;uQA0_XKEk^iX{~I%Nd3&OM*UdK=TFaSU}wCKdQZ;bw_JK zbo2x2)}Gs~cR_2vXJul*maeQD;uq7EHja-kt2bq9|6@tof9H+0*lmd4*+3l+*xl8R z+CI3tEay6izwKb7BWMwP_v=x;&1&Z;rVxkZ4+CDX?PHY_0yZV|Y|p{YF0$@v<7eTo z-@<2qo^}Hl?A1A>Es(ppZ8A5NDG_;g>PM~~09L}-S+&Cbr}_x?&?AS&>2d-Wi5 zIe(V9KkpU3@$D8n104ZxyeW)8g5O^{XM0;g5r-!f4~uZ}^s}(=uWGxAX!K|V65XEW zlAg+lea1&+Dmr?r&!6=hGste890!yR7n{{iDpFrF58Lq&@dNc=U||3v)Ia*a;Jn|f z?=g_^ws@aVgM8+=~9v0KZl&W&Vy9e3Ylgl zEgcHvxlkyJihqeIc6j(D^0KgWFdLrdnd0Al0aaHJ$NZyG5~ajH-fr1YUteEG zhXL?d`paAR1_T5Nxt#|ARUL#2%Z_R7?E)Me9Dk1~RnYAYIHz4*yrvx?I}X?;Ce5<) zvQpBrMR)fa*-#?D#xsf24Lin=e&#FWeZbv1ZlYxHitP;S{EJzZPEWo-XFMRu=XZ!ybEo3P)`YDb-OaqNNmizgj+TpE7!|?*GB!m7X-yB zN2R>&qyD#qJ^kI68pdLV9GG%_nAQY6G$Hn#%89`cBYI4+Y zNpg30w)l{q@OR!96i{An)9jI!x7hW|%^hg=<{<%a<}s=(zzOp%Emxyg=_Yh`%yvLs zSSBXS2bi8;n&|c5$PGoR#;RTK^Nybev(~Wr!2(Qvn2?*_eGK2)db3UX$$3%m!I*L+ zbwT)7R!%G` zsjJPOM>0^NI_LQjhQvsJ`%w|o{q=Ul1k5BroQDNXxi<5)L&L*|K)njsWR@2cr~{5W zV7>tFU87H*rXKe!mzrl67Mfo?!hqWAC_XlJU1MG?7$@ky0SO%~;1%%?ny-&g?Wc5# z1z@jlpbN3q+!YlRo}HXrjbEQq0Q1cwrI_W9M$~3W8EWu=Qr|9^2m2zal81&ipNjTs z63-9lwuH+Lfy-Oh6(Uex%Mk>qzuO97GGXv2=H}8Xe^yUg&j+mVfy8j2GeK52$o6Yr z!81unNi%n=4Qm69l+i=K-*3Lj0MIcXzK(veq`cV1tDvHSX#@e__3C(2 z*#|3{wP2J(z|$HXz29E6fEIv=!MJ*{;OV}ykr1p#P#}uOVF0`aS<$g~H%{i?4TYkQUCWV(yIAOzXGg?~i`+w_(pQ_^nIEkYuNPmHj z`q||r@CzgM2Yx9iILyYtZWSnVS)~tLXM-5^U`q|;_CDdKZ_QsHGulq& zXn@}aVD@fgAtLr%4DCXr{g=_u@;n7{)q0;=w(@sNFGO8=? z=|Ey30G>m=2nf*M+Uxf`z0;7*BGr?k37PQ9xLjV!&-mHf`3+b5gDZ%10O{?z&E;}+ zv`kp3=h5xlyXP(Nf1v@z*A`jXr&d$5B|^)&`W-&^W-=i%8{OuUtxA5%#Ce4j8pU)z z#1I!O1sxUHml~DM6+W4ei+v@rr&I6~^7uTh&VMv9tR{Q{OC}@$7&M?0ue3&X7fF{^ zbG|g>4k!VSP@+=3)yhv}T)U$MC)r@mwjR|u!oCNq^qA~4%wOBQiAy6+uI|OcFP}gy zXuZ|qpEtN@Qc${4D{AvzbRimkFPeUnMG_)#;DbJETW4oEDXG6ErWe3;w+irBfg-Qj z)(-C(3I*h|sEU;dw^H=Q!I32>O!w9sTndsE(?H@sXxm3^iV2Z7Za_IZGvRB>1z4aXv z%Ejapzq=^`mdbR%39n$jzatbO$cLCXGci*?%aE3)e35QuF<>#v(9ln+NCL_cB=Oeg z?cm^54-Wm>AjI$FyS>-I#+<{g_Unc#zOC7Ah`{HrAW2?ISNK!}h|jee0!z>ED*lA~ zA?s9ZR13b<;c_D?1d#de>IhibSqMKk5|K$J3nPb zSw`3{n5C*Cz38x7P-;;JE1)i+t}Zc?>y9l;CqvOBamZZ*EgWI4<`HrVByRP9w3~;s z8+2d)?o?j?eX(yxm5(_%+BpiPOej|{^`kQ*a}!x|J=GpHJFn}Sgb-(sX0hqNK))f~ zAM8?sWD@7=PcH60vD=W9R@BzMfjocy+&{qo$>z+E>$yfQeG(9ni0hiHl+xjH<9z!H z-mgQSF;ULHy80aC{JNSPTUr4_b|4<}G&PVP1s(dn92{@K$bsv7aC0^%d|iC#ck z=zf2QMdYW{Gf?yWg^e<#$!f7FM4wO)2M&S&ArmBs{zA1~=rsMhC6Dp?H(FF!9?D1( zW~WNSHGKyT=3a+rN()?NgxDk6&!bu) zySQk`Xz$;_u|NfL9l7ZEic{3`nNMy%4tdBBzoQr*v$*lAzuPV|V-TLu{pyf#>v*oo z*hYXry(#|_b<&BT<;{PF?5&JxXIIw-kR%06e~Oqs$jZ@?jin_JuyxbDt#yQzHX8N1 z0MB|b10_xHXqy5IGLfK!#PxL-vBmt7h@`bMd~u`2pvaMqIQ@_G!*1~XCziCsQj*Pt zqC1SIE6`A4lQ@pKnjm%`Hs5Molc=3E-6JStQ^GTvNoL(Jig`R?cR zHV1lYdQJxJ@}exoyyCFDvOEn`7IJs{-K}fZKa!s`-v!8wF^!rzz(5!cy8RJY-u=K* zq>An1Q-Vizkd2V1AEeFs*lQnhs#>eMjr1InUzQ;yFIQez6cruCygTKguO_5uI5ahB zQCsHqbodYmC5lyv8>{PV!u=%2M2$mT>&}B7%xbt0^hNl^C)0J~e3Mq!2QgJSRb9!B z;n@h#^Xt$7{b^HInKlghvpMN1)7;9+nk69c`pIkQmEW)jxm5m|X?7X}{TS)k^WpSB z8kTP_46NF}i+6_+=$^9!ZQ8#dQB5)D#dt9OK~+ThjA^j< z&k!c8Lyp2fQ?)IP6}S6*`)NDb@r9rT@zv(CxUK@ANIja0eT$2Ui;LN4@x(5qmwQM{ zz2!a`PZS{qBW35b`wT)uq%!hRZRBIZ)$G%2DoiOTtwR~1X76=TE?r$h*{RMQ%I-i- z2Lk?lYfa28kWLSoUQhyL;ulx1v5PH^2?;ozlU9Isaaum zxbEseInv~Di>{>t!u5`Wz>f>2J`Um~D1J8@;Kxu)8QakADgOIO^dIqo^$xJks4<_U zIkyAkPd7I=u+NGU2@4C)&H)eO+Sq~|6xHu&Kkh883V=UdZp@?r=Ar!$UO5=olz%0*~Z=b`+23Cq(E{!~dcsvfxi|vu9_b zAYtdrYs`}ploM3b8d-F@9_=_(mcoM~eyJgWDx388peP(@EL@!``3WIOj zTm96F`8@7zZ&!m8uhkk{IXAF2^146Wy1{>Xx0xLnPV&z4&CPpIaMFZ7%TUo2+nwS~ zf#{zf+u;`Nc76=6?(UH%qR1sD&wUpc9~TrFinoo6g0pY1JdrN*ct|DvYwPQS_!Sr? zIM;w+qdev2(wU>SEtA2}WGEYId0?-T)h|rORZ$T!Ra{8@2h@)WimgxAUMmN*8nZZh zZJsPgpRA`!@9Lx0a&vRM^~K=*(9RjRO=Oe}rG(7gLV|)mLnjWq;oo6&%PBvNmtzag`>lN>Sfo-Ldy50qB%Fs%t~ijl+c>BMtg#N_M@wyI{GM;S zFnB1bX{c(v;QllJ{+_A5cVS`ScpRYVmAJS9Ik-M6|1D$v67h4Hb0o!=fsa{GUe zfWL=^!+2tQC;Vn{-cv?UK~QCpqN*FaMasrrLQw%VbODzs(fM0)6qmze_3Aij zR!%d3o3nV{)13P}r5Br8JH}bbUOH}dl#T}FLo%~-d#I14Mr61>R*4~DjzmK=$A}0> z=~bP;+cJVmQc6}vO19bl;dCf-FVOjxY-8eVTjEJ6Py_p`SXFH`#dBR7TG~zelm{NJ z(7t0;!}?fbJG?cPlr+oeYh;Tv?bhF*ikOaK zZEiVE==+a@?USmW?dWIiC52V<&CmXAHh&-N7WvWKBs~Pkj04|R-3EITFxW0G^(`%) z(g#nuBH`11ew1a}a1iT=h%Zf0r*r$i^W;}Vc6K(HTEINAyqqE46~sg`rjY#4oyX5r zq5lG;?4s{(o112waCz&wt!3%5i#5)B=H)wU+@GD^%G|l2of(e4#8!1m$ZLFuwuQYp zqPsfL>vvkHvyQbcdy*uuotl$t?3Sn{CEb@9S-zU};?>doaRUsbmmGZ>?PX|r*nZgK zuiMI^rXV}W%2IZw0!Cm z{uk^#s~?R>e*@gN{@;TQYzNmK@~>RwPOG7{pi`;xNA25nzRw3!lLmd?vngGpH9zKp zKZMDOI|MzW!3+%wO6T&Rr={mV*HyL_8cR(&Q@9yO+#(tAvXk1*&PV;;E-+1e|0mQx zC>9UDigJXZ?Q5ngslxN|qjb_uu^%oZA@ydh6-i0Kj z^u_Q&mpBZf^k#<%!mI_G0o*bhzWQO8_4SU^5c}Wy#mmDB{#lu{sN>mH!bkiZ95n(P z?kESKQ&g}*Tdl#$Yf$(Md^)_^yQ~jqV8g$&Y`2t+-q6 zxn4aIkSO7?8;iKtMgH&j5LS!1Jrj`C)I6N@nMs;3)zAtjTJG+nzxN_ILsC#vmT7S% zyVwj5sxswrqXTEEeCOC$lx;*OGXofoo2`y#3^I87PT2nvj*^cBv3#(1C9{pUAT$KQ zPezlcbI;fT7>0hwxIf=H;LpTu?;cCT_FrKhEqm45*kH#Feap!3?n^a+Z-g(P;X3Rp zPvhW=GNZW2xbkqqa?0}1UlyEr=fW~i-USOulF3sn5HS>F4i?G%h;UaXE>GAR5-N6* z=5yzF*Km4r0^<`_y}xd!gwQp4;Lf38Ri@7Ad41nn`l2T?eP+1e8wthJ z{}~#Z!i$upgE_u`PYLW06NTTHnWLGRN%=N)k>5^#+%hRxmP!~M{djNR!U94JE;j@M zfvp8L__M%Y@u?@v@vfea3m+dF*Y~Cw+C0|3ew8=L6>T%K{W}CIAGzIN68UjU4*vx` z;GL@v?l-K6@K;a=J4b`!G^UNVn*mc;0T<<&^0cdqlxeEo;i2bme`;>9nfr!SvqE~E zR4g4*A0A~8rhT8@?0nw+F&Tl+G6?%2?ciXKvotuLTwEM1HgOmfo=%@^-<$>2*LM!S zKWAd1wYc~K3t{YA)X@^njf-F-;wMC@KjmQ}smlCOl9dGWhqN!Ww~L79+sLN~UOJ25Jz0FAu<3_s7g2*cK0T)TDSKc4*jnJk z9C^#BD5}fH_<@{>1=dqJJ_fMpZ_YY9u_YyOZs1hAyLrRH;pb*k_V(;_6jcqz0-6NN z6&2UUC(QTwcM1xfCMJ{E+^RjV4%>{NkmIu2%fZrlko1sm^ZGt)o><8aRV5~Z_#kKh zJ(B?%C2g_p;*hM9lU4>-UCz3oh_Q#5n2=ca7K7ezOsu=vxd&1w$$PxPYC2mi0x?-w23KjW=gSh15e zj$b2=?JwTa5fjfW1)!04wIMdz?Ev}9Nfn!5AuKjzIs(`PLBd~R@|o37Pvv^jZc?io z4&n}#<9Z30T35R*YbzR%nYzWg@81a_n{+2whOUG`Ai8(`(T+4hs=gTTpH1#eK00l{ zL&oNl;jqRYyM9n(5f|hoBEr+0tJQleAt65){iiWrjfSN3U)`6LwHUy7;pPQpMAFXz zVpd!_HeR?cITUS2O>*?Y@|c0Ry#yFy66y%06}CB}S6Y%nQbGm_Fk2rl*)J^-@b9=9 zC4!`FYpW}Nh&^K{TeBTbRQnd{8@!fh>nUeEJ&_(Ht(#z0z>GZ7DB(QY;=0_Kvf5XyYNqZ9$dlMB74d>;o7Uj8H{NoGU2AP7%HP=s@BI}1*rP7}(`XG`C^{&K zY;NcAaAyJ6H!#FinJcye5J<0-WVo%}_iwXRQwzvQ!l5sG0x&3_0m!Y&=LITEd!tsJ z1|BIW~Atzo{YDa(U4Huf@ZN0;f@s*(VNq$F_ll)+g8;nzR@N7juDOHCXmLz+|3 zbGKQkSy?OC4D9&4yLTBQA%#jB7LnQw$x6!4Ax0p{Z1WJ6l0%^>zdJ_&k9nj-t1d!z zCEz-MxjaAe2%arXZJi)N@K9pK>EU#zI`%o_H9ERkLOU%xm;FJsMuTj_%a=>B39Zx& zo;Wv_TisaFQuj$3# zt56wUlV%Qd7nt_!Z!aQ+2tlK}^!$=@1WIiL(9koEFg;0aE~KJdbxKhS4Y76gk4jG( zw!E)Rtx}a04KH0EuQ`)=-QBJ6BrWGGS3;ppVFwa|E}kXXpe@aesL!7=Eqa{<06eT> zQUfvx2-W+3%ICU}72~6QHn*Pvv_s`uGT}p?m2 z$pxFC0y?C`O2p8wLn-nev2oGksw#bS^n$0^1^&;AnT)EA;1Q5cjVtYMr|484V!q_% z5d$wTNhZZef(HBC%Dm0h+ER%@|L3}KY-|iMG44r8706D!iLNhLe|CvVX{Xkhclrj< z(doB`B?V8zBD1mvMIYpklyKVmTvNRxeNQ%LU#Jrj7VGb;_spP=EupC7X$@`#6Rh$;mBZ^$YK8bN_@=;(mG z@#>_M5eNeU$#|MywQ&or?d{>A;atpP-{Q?M-nBI*s!>kgeUF4aIM_ARo$P8}t%j1$ zEXKl*iHK7^3?GbtTNzc#mlF1cbv}HJfhHE6Sp_{jZuEKgFhLHzs?3*1hb?buc02*L z=3Y+^f&H+4eldT;g8mtGVMzq6CAZU9tJGaoB0^E7w&zAVFC5Y=e)tI=KDg_xuJsFN zl%}zTQlWa_%X9)S1&ZG~o42=UTf^~zUq8VwQlp>{F2su2W3{HL?s z!mQ3FX?r`f2#-X*o*uQZ$t@|xCW-&4zbp;qP20u_4*VJFM4rpQ^mKv^yuOy?@xX_w+4NC8c;ym{$CdOIOlFtJsBJBIW_%5Rw1fO>^W7#9pO?$r`U;zI zCij?PSuy@JZDv_s*MK63rv7K$y)s_t(zGYxt)jqSc=mG$spf?bomO3W^wDh!_T3&y zOrJ4?ImtCt@Lklr4By+d)G*&%rTov-v=|$N!^70Gvnde-FMPJwV>PnHYB=4kB_%aP z;X*t;KlMpSWhG`r+T8r6M$IPGBYy`YAS5Qn0T9sO^^MKiKidkB`umlRTDUU}8}y@q zfNTL7k$MIWr#Y?+4cdHJ;fmP$>!O_rbY^B>Az=;ZbBLGtL$KX5=fjU`$|6J?Ik_n1 z8l{`#sGc5Csq2U9olJd^M`gK!*8HAgi8=upyhc`rzJ{>K;VE}l;d-sBn;6b$lN`8K zCvth{7Wc2~Fj{3i-x9^m>F7N@j*&g&xo4jTVIM6melSIm8m>2g^7=j4-?@HVr1DHQ zm~80c!kJ!!$K&xCq_=mZyr3*9CjObvXrfv{M=RDqaPf1<91TsNYPo&l2Ly<2rM5b| zs$52`TlcGBo|Lz*zG7=~oRD4{a4-y{U&iwu%pz8?Oay6vf&CiBXk8idL;S~4Ve_dCjQSa+ z51ek|QTzYjdGWABu}HnNE>u-C;!0uC8?tCXL-FH8OsFB2H(0z`;lRMr! zwB;3YE8B&KX*=ZB2Ol6braV2!F!;hJB*eaq^L3lYjnMTsYTCjds-n$7AKZ6XE&7V< zw_~;<-Q|<}I3oi0Ugm5!I$d?2!W9SIhjo8_r-?f!Ql&fP+)|Iw{QslTKF}trzU+~G zwL$t_-h6y~Zhy~Y<{s}cptoRs>2lH7yTfXLNX~46S3yjdP;0XK&o2dCeo>9|YHMV@ zWO<6*tqtm459o#Sdri!gczDPr{NNr>r5-=|aZyQOu$*KC6B`BY3wRct`eyCLmv-o1 zzDAF)24l=39?&(CeNhAXO+ilW<3y5H-N$CLLmt&dbV#qXw7fl3964(hV-C}$1`5@l zomfv`cRtn^S`1jp{^;>^_6O62*YyT{r>;}Pzm875U6q!Cp3iha-A0ce^1@KrT*pj|X#$Pbd(b&aTG2s%2bh4#`GzX3ztoy-JISWaDB^hsabtG)C zS}~sAmNNf?NsxmcR=`b)hv64HtH)f00cQwEoko^jNQv7QpIi9s*&fYGM-nWcKokr} zj+RxVYduusJM_Ovkn6rVHVO)rzHjXSaG~DwH!cRr|7UAVFMA*Pd!lNb6HYfWgYPt* z0}jGE$tHYMlO~^28xg889hwN##NfIDq8NTc1hkZghVApMf)6Ln@l|vQ}5K( zloMkzCPL2QvxLrmou}Swmpv<=>6{5GVTEjevixLj+&{Y#*w-twrAe598TyP4IsJWk zHJj77c3LKirQmt8qTU2FkrMLd<_%OL{z08xKSLv73o8M`5ZY9LC zNA^`(J`a#-^*)y{kwu1V7Zk$yyykyOgT3PvFSGe9F)*Oj=nmbxOXjkiSuO*X#mvFg zT&J9LtL1}3Av^xW;RzQ$lJO5SlV#q|lFTHjK3+d=li>|NXh*dJSqKV-U%Gs2dOBS^ ziH){hU*mu4yeu!|lURX+jQq-Yg?qawzX-}zY7D6|vLWG-uDXiK#O0ZmhD+J*sPh#u zricg#RmdA{-dZ{b;xt6d3lw{N-qtQ2N1qfu9EAo$BZ-z%G|u-wS+k8=xlHGo`o!5R zKi6p+On$y{U-(O>QG&Lp0L7L71%fS4baQ&c0trjwQTq5X$SEt5Xo=qwGxqHhGYfA( zWPg5c@e!ZBZ&HAho0Q=vH)hBTcVllq^|5^^Pk$27+^A&xe7(TvIc#j~?WEr`rbl}mA{$0mPNjDJ zNYXpsAL5WOlBq5%+Z0f?{Jq@b`g(^9^1->=dn$I;*LQy;+Iq3+%QGztZm)QU@x9uT zcd0GTR&$i^-&-zcxWaAHT{O5~prza-{rGk)aWyt=tpnrZvxhA#l(aRibJtYsu$M^m zz47*8YB3*1Kt|d40P!e77iCkPeA`RiMVSXu-^6uU$z+rJ`dGOJ>N@%U9@r9T51m4#;gCL-mN>TSwe9F=1btqD*2xIdM(e%nANBcT`7B zVHGTg>bw&i$Mo^EC(fDqi`#E;lVio#-i+@1Z^@6J`OJ@`FM3_Rg5bNU*U!vc*6f(& z6%Q0Ga=Na;{|WBuPxE_mJ3n`-K(*)b>4t#M7ZLTvb9|JSAWV0ztvsBlGR;Vznxomb zx$S9cAQ_st$!tp5929im4KpT8QHYK)s%jAGb=>)>K}ApF>suZkPDSOm`2Ki&ZIlzn zr`q42b>O%s1O<%rC zM&{MzY$YX0NhQhPDjsTXZeWf4j*YH7hn$SRytcK*-QyWAvXgGI0b}B@Uswq~qOJ(f z!+paS*=~`Q6`qyBNpZ+%qjD(md7md{fyGWevc(!Cr`h*3JsX?9*&7v-JhyD-ac0lF zB}0&uk|r424C)3-y0{)sQ@K^*wfnqgCTs0;kK2!>RLfZd0#}?9V)2+*uT=op4-SY7 z?uw_?Qqxn!{sQCTW%Q}T$Gf^`J~dW0xgB88T>?Y{bQ{nZ-4ZDkF1B~bgi=hF2P)zOG1rq&pB=tf zPT{urlFZEFu$mIWq4cme{UDi|xXJMr)NT>*f@oB9kMC>(|QcB># z4Hq+W%j6j`9UHuvfUFEZ%oCQ8-JV;&$zmJFa$l@uGMCa5jXB(;e4Um4j=*ro@G-s z1uy>VrEu;qA`M^4U?7(2Ev}%<5BV0A1{VBL)~xi*rahD(;<+w%8Do{pxx*m?*`h|+ zbFTRQB4`te_BQ#ma_A8s<6D96-zdmC0ZPIzZA5mk*24vP{dyf6ZS(Q@jT+kN`&*wU zEXYUIXtHW;ZKS^;|AeG~mx8}Qh|b5!N_i~S@z2#_Zv?T@oYZgY$^i!810(BA@*RtD zyIuby3(NG3dXyyjX`J+Tjxx5;>PI2LNmK#Sm_B91U?B>nLUP0anOsCE=@=?Z^dzCI zZ<3gZNiy)@%{-60^FkWxsH>;Yg9; zS`I5dAdcF_S<)?QPG`~Jv`YTwvyx}@=+9nI`-t%!uZoFfkq4Sys&QsOc*Qq-R%1`;r0VXW>>8`v~IHlp&vW+cjb9ea(Y%q6l2SR z*(p}y{C&$MtElg5l^-r3Layw1S^?5|ODGd~eQXz=VEnmSNtTpm2R8vhx`{&em z0#t|tbJDw@hZm^%ALmu2UO5vDX}l#m`#CX`eoaM6lUG=p5dBvA{mj6x8*P1Cd2V`F z_a4^|lMVxc9~G4uhZlDYjB!ERzI4P_Wt25ZRl{tu9+Zv84_BwNMx~CO09Hf;>*nTS zm!2!_k(K6B^W*V`R;0z=u14`ICpPi=OFN>K&(;f4DZxlxnF{h= zql%c1da8R)PDFj(WbkawG$MrMTpTP8i7qI%74>6|4kRRvUM9IV2;u$b%En+%$~ z%L3E3y~I$^`YTB9cVI<8njQ$-Zk%xfz_|I#>X`UwYN|otCg&)mh`(Foy6B9CHm2vc z0f7Lplec-{_6jGn+(KF7;_`lD0!P;L!r5ktlA5G%fY@GVy7 z_ntPpD*L!1v;Q_SMC{eZsWGD84Ni#kaseKS7}JB1wm8F3)7LseAGKi7(x|A19-H zY0w22jDIQVJ#9QO5(H)z?bs9vU`whBVg>s?{#|CG0zo41=)tdy5rbtuJ$_g0Q>O9Y zf0-mjqEKjzc$*@XrKtXxXD=ta%1NueR8!1@*jz2{Y95Xc2XP`Q@;)?wkgcCNA8dBG z+bLGN`uXc9K>PEey4*LW9kMD2RSR?#^ekKF(*wxl_I;x=K6?enP@TA|iZl zgk8JOE=ZaB%=%-49JaoFLxQa5=DwJl=M4&a?lUi+p^1Yx>2V*#_pH75@u8kRu_tC- z;@~-?2=TPJ`e~!d$WJUEjmfWrI7%YbN|R{_9RsbF(UJ@)r#gom;&Hp+!`D9`QMW{R z^1ZBVq}rBpRE#z({qtfaT34!$pGlIXi{PrPud5%Cf;i6de~ z$(h(mnR+i!5mYb}910zxv+6ar2TD}ICu0*m4d2k+xHqlBac!Vpxy&!ebW5)VgL%rRy>`+e7HfS5SG)Oyn3U^F6&apk z7ODIF8#&yKuXG*%Nn0G*Yi(u@c%f2?=A;m9lx7#sV^WJ!0INnV_7wh}8ur)FIw!Y( zQkhmh;66=*|7mgl{3k<*{@Prr2ww+X6NhaCH7RMMk>}ZmxnwSXW&}>Po!xCvFiDxV z%2;I~p=7{=$fa^Suj1cPS2K}yyN2VAoLzh-D%_z?<)ms6leeveZhC&(!7zQ7N6v?g zB&cdGaoZizP}tQ$Ad`#j*P&i(&GbEWzQT^dfJE$F4AgRA-aQlf_5(Cn{`kOD=sjv= z0p>0!>p$kBWJdx%&F}%|bkGfszyEW`nn{R2(Ez{K5C4wq{AS*5*?7uxxfKmxu@hs5>M7nsMZ)R6!EdO}}tJJH*MJNgMvXl{}dm_Xu<7Ek-= zwxE=#D_q|?xmYeN{$Mng0X&FW>$KHBz;KfTc!ImGb=Pnv`xg`>6c;BH(}v5*4-B~D z5_ler8O4U6K|D~28ojR>$6N+81trFuZaVzJ9X|1g85cDTUR+#EdedAHMZs6p-y=`M z>$Q57KAa;!{NdmN;NZM_4%HP*`$DcS7r9-{=ovKBC!|Qvf3xX=a$9@O_d{-MhSmL_ z!DY!@r?)ijT75Nwi$Ke;%}dn%Pqt!R2A6C>)6~r%E{km@{D7i^w3JH{reDYXE5P<_ zuD&_T)d?y)4WVRMHf8Il864nDtGhZMYoY4M0%4woRu3QS*Ov$gXCFS9*^!{pQrV5z z&%Z1#3ix)}_0;BL^cQ-Bdgn zGA8mPzCYgmeQ)oi=IEg*uSSpK+9@JBQ_?I4x8REZhQRgCKbbk-<{O(X}^S#}Cy18Q-l1cBoBBJexzgsmZkX>aF=f8G2j9;#; zNo6hxHliFkNuO4!y}6<#btfj$J3D|45SpzpsH?BP?sMqTXtF4>DAU-T&JD%HO&ZL~ zQBzWNx2Lq6{E9^-NRIb#hoar^xm0_4(-mObmw;woTS84wXZVIKSOV~#4|P53oksE| zu;nVljZ6$$JpSwwe&SU}3bu^o@7r{mFD_ap-J(;CAJpRW{2AsvL`C}Ees^USV=K~X zVR*x3!=EW;ivD74YfGGnh~FI_9alzKBiS2@uPv;yXtU7`z&2O`JF}>#onL3Bo>$FY zy#i376}AosQl|Ht(CoaTL>%wzfBaOCL!g9a7CB`U<)PPhddu!SYjY?t9K~_W^t9I3 zR2=(8frb2;)h$LCEBVU7iR~_jpM3DPX$4cc;zl{DU_U}hnZzI@^L6lZa{CnDqA3#< z<>A74Oy$KEcj&M52Z*hAY57U}m#6Z*^Mokqf%zUX;AjCFkQ7eMpYU_}Xf4H4RxVt~ zIU6hf`$RL2-&k0afmCvDSKp*XuQJ-9(+pBkF-}fec~| zRZqV^FkQao>kFnyl1%#kp&Us}F#T9xU+Te*W8>O7H8m$E1 z_V7|qZ8x_)H4s|elUvO}A4JFLeGlW=IsA-J4(5Dbm8nw?4uGq{{?Q*CLF7lSM(JfMPzjK}-sBb3D7 z-@nw#o!`>~8?sd8a$FZ0nx7Q;n0NF3(||@_Pfwd|m)KvH@+0z(_TsbCfk_=sxGws1 zz7h&>TFk0DvW!o>#zHGAa?MCix;macvkDx}nj1ew+=^l`B20~mzNeS>u$#pLz~T3@ z&C5xLA=z`x4P%(hil{fhd%$fzYILhYB4>lsVRE9K?0%sV!r)-ZD?UCxHWepi73BX% z)K>;XxwTynU?3nM-QC?tDxJ#y`Le z?0t2tWl4Xv-e#S6Tc+Q$N&YTb4qR{ZI1pg%cm}vzPQc-F0|OnkF41JA@5|DvLn9K7 z;wQca7X^1y1Gw=4@#^-lfq^215^L*Sygh<1br1(P`vegJq^7cLhV zezGH&3v5Oe+rNxy?tw~}njD)P9e>r-EGH%}t0}3dD4WRKXyUW|R2IqOzBt*xK8q%W zURYH4?i3M{miewTAi)v#@NBs&q#^sj$GAN}+A0W`o>ZV>81@PEBlf7U`iGrz3xH3D z0eY3Iic~DMVx3y(H$DzzeEl0{nG75O;#pDjSU;5dFkyJGvD5C%7)>#X_D_S zjY=@ky{o#?hxMj;Z%_DXqxe!{T9Q)7Q)!2i4k{7)|6e{exV+O__b zyL+aVu1~(1->s_QD#GG`JS!lltQ$nTFvh9bTviO{`;cArNLz8ka%M(szNFwoks&-{ ze0(SIOVm&NO}xymspTEh$ue*7%G@Ui)`=hH7_)`C^YXghGGPp*nPIM`#fR{WeBjc zGMQH?3#+lQUs!Hw6S=;EMaS>*hb>gckc#QaEf&M#)gdJY++?&6lEqJ7%WBgj@<)zS z5j%SV(Q0W&mtKM18D-(CCa-WhyxEc7 zO5K~4xCkB}Hh)z1-QZTJR5^t<4an?T6rt=`3qX4;-n?O%V|F)immdyHzaNG3Ew9_7 zs>rG^Xlrp2dFU?5Elljs&i1RD&ey>CWc&#Q3*BUXUI@vZ1P4Dcs>_*MN@_%OA(_8J zUsg3Qem@G`UHaokoXgK_cr$i_sNrEy>{OD>IC2_>@rm&USn}7=i)e;{Ga{HJulp_a zHHkzIb#5=UnfKF!y1u*-aFh-?uP~6w8lLGW&Lk*6as=D?B{?MMHzx<(us8kMswBMctDYXb`6h3 zPkbq90hqTdGXAuTJ>!9F1l-5_2Z{rY&L5AAb)!Tb7z9A8>`atmAzV3715#dlc?7a_>z+4>{q~8 zp}9PP>#YKwNZSX-^&nYS^0gV$ZjbLYWn5bWuoQ+k*>@o4%f@H;ABEX6rN!k}Ifb(j zkv(eI7wIzDnylyFWnF=2$3g15gf8pzpY&Bn&tG^}JTiUFNUD^>6iPPK!{Z_U% z|1)0oP|d@SyIXI*0t;)?(@W-{cJsTwp@Zx^>y(w&=CaaYw~Q}W<4X;Fp=cx$5h=4a z>(692xBjc!*1W{Q-mcT**>lf6OJ>jGRY;&6OUna3cj}NarQ3i!-10>c(l5_zMZ?8J zP1!KCUp?~rVnkzbz86Cez;h0F4WuvYZ9ef$I_D1Q^O2XjuIaCQ?Rw@DaK3vjc?Lx^ z-ga9Eyx5@(7GG0dRoB+$?0^EZ;H+8|oeKjgg^AJ&*BLP4%E7Teu(aGmo!f;0f*O+T z<%DdCU!{pypcqxB$c$!hPP&V|Mq7CJ2ha%@lUZ-;R#$DFDRv>$UI3X{K3=1|lb7J_ zOH$!UkI^N!Lo=r}|M{l7Rr9fq(d_y|J|N4PnhZWVtfDhsf7pa!ntNV53%6BXSZWP@ zx23hyTkLQhCJktQzv}Z6!~`R>n|C<#Z1++dVd(2L^hU}5f#j~_aHGbJU1fe}9i#5> z4hXLg-NffMl&0!_3}CGq8qk9J<{KYp4qJ_Z@cT`FU*&tXcf#s@Ss`-yN)7MTqNQ?a z;Be6V7b~Kan6w6sP}{2e=U=D$a*7pCEgsTAL0??WJIBUVG-Qga^7Dabq4LiH zE(_b(6gDPKguE1&aH27B`#w^}ysNFyEn^nx{$wdAIKP{*UHi1U8zvxyG)#=cn(X;o;e(HlNKB zR-!v=FEii6PL%2HHA}ywaJ=mQbwI0-w#_}FB)e~{{}`IvB`1szjC;{r>X@~B z$E|5h%=i^DIJ!GKm1NItU51aGwmHtul~cJn&409a{8|Il9du*RqVah2c;d~1k)6#N z69W{vy7IZ9vy;<4NGPc6(__<`n%jToflxJLwdVNFJXb#rXyRQEv*jN9l9%uvdEt24 zpU(#XT@g@J3_xyzwX!sxAK!{m3STk)8Jv&&wlOmW3k{^xbO%_AI2_z;$9Kx?JexRQ z*+SWU<6AI3M$Nh!_900$3aNg+D~oj!&HHT>oIWMFdoJrn7U%ZPnwL`0u~DH_^%FkT#Qoq zJRb;V&JGqSkYNsUjS_m+_f5AZw2N`E#v(_SGZoq`v@{H&h>_V~nq;kThLMI|s{ohZ z&jX9p!#aWGRVrtWD*Z)`JH{u~7OJW2jnefdrgNEmGzD8##VNq1^dIm2nLB23fW$>0 zHX~<6gQxA=#FPf3k7_`EVOa_3ULzgn5&s|g%T7ig0-SR$rtkX%ek9*U!8MmR9kp~0 z4A+OAZSo`gzHZk?{zZp)qGqo_2}|J|)yTmKoLjaGKB~2@64v!iWo(esEC1edbW-iM z-?c86EMi^}hXz8nF|W;g-3MKNmLr|>j#Cw8v$x8&%zVlh5!L9nurYxEnJ=F6EB}$3 zk*pAfoC%8$ITO2F2TD`Gch>BwcK@NDVhUd~#*~6PKGIn9EUx^4Tf`8}!-df~V94oaXP&!x2$=I|h3>|j4r&4(M1FW< zO3!01DS71l>@(v=j#3Y-@kkgNk>p@l0d5|er2#~<9*qc(-yC&Z!B*JYuk5QBT4-&x z*(t{)+HnLnMzFK<;rz#HPaxX`tv;landpD|T~Kftn>c3EVlyl^Gnx^e)&z*YdHG5^ z-`OUyfR=cq#^D6yba=g+pIAh5z7AKeh_EW>PWM z=DWg#h&b((P`lxu+jj382>-2-J_Bor>7gsRM+_`br^jVgEJdQt`6cm+VU}lklGsPL5tp4-(P@%HBA^U##aJ2sQZpZVV!VLN$BGr<{`{k&qKcbV05fi+RrvC|C`eH zzfBB^aA)_qh0xF93~S5etrE72ppL$KZd1fQ5#!HuCPTYl%4> z4V6!=i8&#YtJcGeAhKBZrq21QeXgvd`C9jmS!IOHCK-eetHXvHb?UmBZN@8&OS-s^ z4+GH@dwt8BIo~g7qowGJ<|unu2U(e3`o?bC9WOUY0Uh{>re~hg(?-ujILCg1#g(J2 z%_Y4{E1Q{*3K~eDx?>^9ox;Bg;yq*t2j~6DKRVHXqXRlTn4|_eSy~gZN(ybwc*Qys z82|eOPjrdfv+z8lEHplTgP@H&KX+R$vxQ!m9s$(6ZC6vxzD`6`CZjEFcPEa9Amk!M zY?IKAfbt5KTQmm=kx&Yd(Lq;B9w)pFyO0R@=ESPMfu(jD8p??WLgD`#b|3(sY`#F- zU#+M2r#ayP3eXk_mLQwjP?9j?SB|D5LRAO)AENn)NRAGL*-CwC3`#}Uq{7X_&IQpU z?;R%%^i-<4yL{y4aDcFt4etmY$bu#31AxARqF+X3W9B&>H+_<2H@Ys|&Gw|MqrCSr<>k zKwpT4%HY0eeHh!gS|0t07_L zem&+Ze@onN|7facv%7wk&ub@xa*~|xE@~YsU<-a}X@KWx$_dohFJtRu0;Nr~PE zFSEwoVmVdUuswX$SV#s8>H=JU>69S4qQb05pm9=5D)L1i4ot2K^g~4jJ^ijRuRo zZiHMgupNXE^R52sm#5Rvh!OBM49}uIex9fb^CQ)i6JGniT}a;5M7iY7Toe+04-F1M zR3s6J>+rR#oMFnCb;jR2LUuYGns9s%x&5Ek-%%A?r`1cOVhN?u4PkFgjjMbye$9O(pfKU~*vDEy; zSU$%3oxV`iPUS#YU5z8Y(>i3SAS6qu!? zRysyzI_8qX@`S|bF(r-hncq9pafi{6PnY}Kd#mWF30E9^FOx-!==w?+8Bz%G3Tsv= zzH^{pILO}OE81)Mcy!(+eA+Rx=yQR9e$3YHPsGw%346NcU)plBDd-tXF60A3{F=YV#6+YJ6yy(o5Tm@f zC<2C}!yX>aiW%JTExq2pB~(>KN)BsHKOZ6&TFO>aE1~E1U7BwjQTK56s zTyn13%i#C?3^m8?S!G=1MdjijHTm*1QpoR6@IruvmoIB4s4HcGI+mU$$21g2c9zH> zj;djiyos1~=scgpRfyXi;!6UZCfoAuL^AR*330X3)^Z%snNu~;`J5wYW?}qP3&fW8 zKpM%9+@=T!@5^pe@zSi~K4Vr5|MEQuX)a7^1D888r?|^b`_|f>B(>T7nI3E5YUfIK z8`$;)olqAj(L5uAev52+ViX_kYyx@lO3(-S#-Tt~(1-i80L7$1BW;we3ge^&L}LVF zQ011J@LBKY&lViEe%ITqnNw<$F#Obct$Ejr5H`Kpjr;V$lnlG`pJS%TG*z4UT%2QK z@D(94ENwE4@3j@v`^x{Eue1@oX$GyT+Z2aXdFnqFP}0IH_lHQtYMt{?Nvd;rF2cR4Hxb5=Z<%tI=E`FmY(#R*BhMvCFt5a_#`dqoSug5;Tw77xijr-L}feEVm;!E|i!D1!p)W0Q{XUIqFzx@K} z2Keo7lFcG+M>R>-+)iL-*aMH?Y!*O6(Z(m##(yTDPOJR!!#^OvKj7uDK0K+&r>{AA zd0#)lgjC%>%IGbQRR!jlMrIOizjp0?6D&Tip**Ic{3pwn(^JigmpJ{Z_(*MILnnIr zol>8PE~hH+l-B}DA+zZ%puQp~RhkdIN@{lA!Jg{_+O&xsaX2b`*c+y}TkL4REcXd& z_^OOoJ_1lLjeo}tcf)*mo%W4#XusIHKW$_YY9^IOfmJ=lySv8Fz?{g|8{b`yy5JPP z;+Fk9^#Gk;B>JC&mh0}3e@{-!N{7Al<$MBwXJA7bFdvu!^5b7~{|ZQekbv1RWY8Is zY_JwMVFn>uXKz4UPwfuiOcS^J_(nOq^mlE5_aPZ=+k2`tY-?%2?d4T4`gIyCd!ox= zl^bxJZ~v9rGO-H#-zd+BAcH^j2>>3#Gmj`Jg)Rkvo9Zz1e#etg=ac?HMp71X$nkKn z75Pb3AKw&@3J4W|Ryy5v=Fcn~U8wTA{F3MGQ3F0nLhe#h^JVup4r3V!J#?Ig-bVN! zEG#b4;#0iw!2Ms}(Of=p(8tlog!hBR+?FX8z0j|I)@77M$_}!sRXZXn2d9VA z7tBkG>GQGgIRd}5RC`=>@^dUB1Y!&c&R6Q|x-2T&j3F(+eqSMG#^WSV-6Hvp#IW>Y zcc~PenSp+0+@=@WP=m5{MeLC*EA1c+`eQNb*?m)2mEVx7rz)0Q>w3@!hlJGDUVC>= z=;2}__~Bs`ZAx7W545Ulyk6gvNm@oNMTMa|F2wT@8-PgXOeYOM!9tR`m84LmgNGlA z^8x;RdMc#gDD`N!FZH5u$ug(OoZENdscZUF$f2@*T1tO|Xdl|gilrR@5X3D&q2L(S z&J}cddU5dACg2S{`?rlWgnr7YEs~;)mNMaR?@2R#dR+(ip|4Y5qNnkQ&qKKi`Cecr zQ8}vwM}bzDAhotE1;C$ToH@=|yA`=Q;vg%w4Mn*5{GEh94@Q{B#Ku<1#?Gcxq3H!) zux50HKp>$3*`MKM{K=Lm$Qh`mhVCnS*B6uFUcV^1y#KP2;dRAVJ$izL|5UAEaQ0=a zH29c849DI69md`5$Iaq_0b)W;qGedJpiM!xuzmli3fN~k<1E}QT40rZo`_w_3co_CRlFUThg z*;c3Sxc{>IsBmbtQL#-CAXzCJ@e?u2VB%iFgaJI50`jG{$AFW-`Av{g1uj8VC%g>FI14-Q~bI*-T z%jwC*ZPPc+mxgyYEB>jqbvf!!k;{b9b20`(TMaTm-}Pdek7`l7y?}s++Gd z^F2J+j3&*!9)*zSEKg=<5OW4rKrw*F6*_GC&ok1!=uY<)cI6bj%k4X380rKJ}V)6m)5 z7}kAbX_>2>qdW7Ro<9^_w9trnvG&hu`MkHTt@X<3+Tk|nWYiD)De}0xTO6*v#N68p zrscdlJ=i|0r@2ztP{>A2FU(J|aU1)3GFa8@p`JJt=H#TT^*7)99cs{nzyu@5gDtJOru)mh znmF;c*Y%#qmDzt{^M?T}*P``7RUfa{sBK^Nlz#7bJ)a8a1V0|F0zb!@~!Ww`xPk zATDkzlqhMbN^cg~!M-hFoq`^}T0@TH+-)+DR?_aXnN-fr6?iw|k9 zlFsmEAvKlOSWWZ8sEY^x-kL-=b!5h?sn(l?ddCQS2Z!b8hNc*<{32LW-~Off<$a0$ z4+e5_qwawzP^EFrc2Jv7w5Av$Agskpp;71+rh{|l8gi*L-|T^=rP832j<RQH@=E*y88rq zq-4nys&iSwU+(EBu=0fLm zc~zV*Q0zre^;=AEMyCV!>qzm1=R=KE)YQTj;nOv1vF;)@6{A?Xyy70df0HRbyh8C1N;Z~&ICcaLNj*Hp4#R85B4gp*?O)C3$)cR@^ zGFt6)J~cmeCG9Np+3FR3VF_I*A~J$+^TFsb-L5v@!;9vt^oFzDb6n8QLQ8Bq_x8f# zqrQN>E??mB{fED2APT%BJqvlf`C!|H-1N4US{(KqAuLx2t&FhtyyJUkhEW<&L7j`}W_SNZuP#PhtD5x`fDU4n>c_-4NWIWQ;=!CR{m(37H)28c4~GOYI?Aq-mmsqxs^U~33Y!;)$Xt4#`_yMBJL`J?GvUPtxzd2>LK z!;0YZ=d}$bSDgLpGmfgW+5^Bz4H>nUxZK6=vH;Mk8U;OY9m<_|*EgH=D~t>Z`mJI; zW}li&46TjCnGwT1>`e#Og&bUOUmBP(EnTeZ#d;hP|8ouG-*lRHlBnvJ_21I~6cYx` zsI=?l={BGbn!4eFDB(emI$BK3)E!<$x{%E1uPh5_9^oBbQmItgqMhqKZWrtCQ_|B5 z%q9c56+CB4T}Loo1nm7*E*%cLT2@c1Gt022rmSqZ`eUS&_o_C>)J2ZV>0YQ4J?92^Ybmp#=spHcxzg=}Ln@EYIzNJL&#b{gq^^Y*=;cm(K2bu6$HRTW>y@AQY|+GV*n@7t%!<+J^x#Vq!E zltZ6MLt&3SGwEI4h#Z0IOj-n0V|`QVTeDiH3??77!}+>xn>m2z?d3MB2$}!Uh${uf z15W{&T$q;ryGMg>U0pN|tnWScdM4)x^M|$DEPLq*%IeVYDgOy8{t9zE0AADOT#+@= z@}0$iE&hHd;_YDH59@2;H53xkWHH2AVAt5n_Q?|nVREVPk)L@p!YGX~?L<7m_jdyW z#fO0-(LZDS(q{U;PLfA{EH{ZtOK>?{j@4mNQC4m=+g9dqwXtWRq`rmn0@nd(?33|* zYuS0iNJhQ0tC2E!X2D{sPih(l4)$~(Obqd{ci}e#S@XawQ(9&uspX3R{=!^J|KMO$ z=F-;43017D<{|QZbPz?WCq2<_ZBUqgQ_b;4*KvWSrHw5z2ZzX+`}9TIcUc)W(2v3f zlW9NZgUpluzJ~_W8A}e5$|YF zq7oj=h$~;TpK#aUTE{g*yUrI{hmDZ?GG4R<0Xm8BON!Sm>xW5pk{~ROf48t-^1lPeE+^xg_@B2gM0&oMyGyBnWXD}HSu zW_c|9Jl6C44B+M}5bO>7bfDj_BP#g(0Vri>B`_z8oc8q-0&X984qpu3f<#_a#2_uh);Hm<0G@7BOdL^|R%k1(VxpyOIaraVN_2e~DhnHm z>|BIeS=EHPXCAaXv1wD%cO>z+yR9Fl(H7%qdVZeovSef)ek=6->dsVE0vo$qT{gd5 z&j%fZN&-uWxidPT;}s$fUu^crko67IJb6-z>n^`HW~}TcV%`i4+Oy;f&XfZ$`LJ=zqUs>C&Z_`^+_U@5WdQV`*7fQJ|ya zxOrqbK9?hld&4Xg?b-$PNbg`V4?x4QV@hIbiN?idcwm+Il%!qANwvk`RWrzNM8tUc zn|Lhi*W-22N-rD{GST4>E0KXgo4$*44Yqvh7=%~rAsyolal%( zbJ9qAvnO_I)9`LKHdf)5-qTD?#j$42zjs(9i@1fe8+r4G*S1Wqp&}=j4)^3{BaU?G zm5<f|1qPvk~iOAc0d(xVkY3SB}JMv}e zjCR!1xjHsF`uiqGa(Nv;cc%%*tvfLl-da7&;cT5Z>S)fyGr`lv@;h~P>I_2k&-Wqc zX)k;w&YQtP{3D!JJg&LAHYeOyR0hm5AO9y3-;@9vW=hD`-8v9g(I}*@?`_$c85tWb zbxaL=ZNVQyM{_i6=UHiJmL~!8^2p*DS;1|A3OFcqT+9}T>&%TdW5vyla%{!&_cjm0 zk(Sv>rR(`I=DT@<#lRis`P)b9MBDkc^%HjvRW&`w=l=bBMX*yTkx;{Eh70nBNiN}? z#{bTA2eP|wse$|bi=4s<5m!enr-Q_8(nVpun2#dC-F0pjH*vgSkbyw`rM}!}r4v{w zTBA&eW6yUTSK=WcHFGbYnV3R66G@Lr!N*TWCyu3}ld9*M;pH5g7+2e*>qG$|AyqB% z{^}S~TN&LpJh^JyldG3qId7TBGp`|(_7LnL*vHt3g8vx*5T+q(V^=T2uc+8%a%t-otNg>^tyTkvt z^BM^}t_eIYPaqP}!n}50&CnUSas6*eg?*c1grpIudd=SU7L(8n>q+&vZ8`kMQE@c# zEQ04_S{9n7C1`nK?~iBZxf=?)FzDA9zr~|kWWiTWXM*}tL6>vZ4@n$<&6N^omkGyD zlJ}zFe@|mbEpxQnnP1*OQPn`vsqY8L+gdnG-cUqZZ(sb9St<+>wX-i!r8?M5vWS$ko&RpE0Z@rlzJoJ@#{KQ!8TRd61NGIri)#t`6{A4Inw9*5UAMefNA49{nYLd>c;L zc>D6SAO9FrRb^bnqL3jKe>WM=g0ZiE(s6Bl@HOF)-9N&kgF+K~%dj(bxuA&=vxcdP zAt52o&0Pbm`oC^^do-PwN|t^t@)WCrf#8oI+9{?o9#hNhLUfpZupnS%Z838uo{4m3 z@TwIl63HF+Ucs+pXJfXzwI!!W*;X2nCU*C{o%ZCgBX+ki#x$q zhwt|<7EdpOBZ6P}I#ALU)~H_k++NsPD1FiTBC66Ho)=ylAP+Iubi#CcGDsdZ5GLjS zNeaT+z^08%jk!GSJmr*Je(~DOyH8D1y}qvI*7`wB-bEhhj14y)LyqO845emuxz#VP zcwC7O1pw@_^lekj7)%yDK0;!`^e8L?4RC%@epXibT$y#`SFcynGBT%&z7ch;y@rvI zd;pAt7dpW^45GUPa+c-go{@oH(@Vqp;^N=#wFd?Vk8kb--8@-^gt&zm#lRY1b&27= zc8k9DKRh_xJ(8l7qTrV;C~weMm>!A?e{5K6b9w$oRA&E~3b9k;EWz50Z?G?}Dn9#z zxe`=Z8MG4wj8N0l(_@NFe0_WcaX9#;jJK;hSHJWc!j>!-@5-<)DL>RdJm+O0xw_!% zH~JE-{Fa{abcggmg9=Dx3P9DSr=+9=PzK7$4Rr>h!TkW>UO{*#f5TZ20+?CrTn?hl zH8mejxO{vK*iy2BT(X(DX`iDF}Vi7;hP zCs9FvJ3?it!O3g-*RwL3f9Eo|#RVTU&7`Y2f!W>F9hQ7>T11waa(eFb0_1=9HX(W| z{TC|}gC0Qipl?8W)zaej_|Uz-{W{`sVYS75@;CdzJBpRwYx|`ZI8fcRE3)Q@&(%QY zW8=dEsqIqr?XOeDbRz!q+qDhcjbo7}TmW{Wc1Vs%kOn0S)r+AoG6+?~<*93ZVYIlo zL{gqeVM)hT!S&1Rf>`f$h3-#>(q6YKWRBz^Q)}GJMz;_z4jy419^otCw7Zv|GXy*u zLsfB)-a0$)458y@3PX^3gUwmfuP$NGFTKh}Mn+d+^t(lNoqDn|A#(;z7eh7e^%aWg zB4ZQX@%M29#RG@X`U9cnRIjtA99SyER`BQZ&>}S_fLXqnLJ1HqC2~6b37h%II!Bvh zoL#=yJXvw=d$BqvmPQou(w!6|)xz3VQ^SrNWU}eq|8Rp1;&5s^anEjw3G)!JqaHuwekaVwQ-_#K@&uQ)ovN8z)amd3i*5Bz1r4#SmBIso2AD zD>@cdwgR8y-R~6nWxj_>PSh;6y(w<*Yla31rofzSLoY#9_&a{&Wb_L z9FZnFfj~Q18^8A|LrrCaX;?yG<2L($3Gm+oq3O`i4+XdrmgMB+Mb!H>gB`sou(-)0 zm^9PZ^cI0rtxV7O^b{!LRYczp0_C@&TXh35Cj}64{_`R~kx|ivJ?_}>E41tE7NuCn zvF-s-cii%HYRfV}T4ryqaq@9Yv^~uDx4_;!;m7e`gJ z)%kpOZT9}WIv)1&xQLIBmX(p$X>oW7O=orm)Fkh-BB7=&G0&HV%1XA_emQBy^y-_; z${=*m>`!~$XJLOU8Gtar(`VCGNtNRih)4tGcUz zfPia~CGAFU{Lx{y@F+Z@DUEztKdPOmfi{i8Mi{I_?QXxaq&prJ7hP-IR{PImnL_^6?Q19CM8mg;+0 z#L~4JmMUbV;|R}WO8nYnlg={oc==h@>yh>>fEu`GFW{cf4F7k}4v3*B+PZnAUx-<^10lo(I*h0X0zl5S|M}Plj%-i=g-gKXg&Kz;8`U)H3KbQV z_>vlJ;7E1;h<2OpTab9S_}QXwbK0-RlE``bdP=lm`60A}_v7|%tY>U2>=7PDV%~8k zsqCgS@c{S>zGZUwvaVD+GH9G*!ll+3^rNck^I?Lz$@p0Ldc<4U%UwSZ84bf0w^_{B zjIkZ*&c^HY`{y;Sg-D+o{QI<5?tIXX$i?NY2 zB;3t!m!I$NYF~gR0VZb;*8jq7^gE{;rU_F3(9qZzAXYatGCJ+Oo~<+4#Cau=Kc$ir zI^ei#EfxFoYm@V11|#`7qqGOLndhd0*JF@p9-MDZ9u8I7386jd-FibL!vmsye4-DfKY$IF#_!`7w*6EcB?D2`OchvPc{#ZKMQ{7J zg9cmyIYOW^IhAM>%gu4A#3EdU>s1*P&=B&^4+f?Rj{eC7Z`Hs`tC?ejn!2 z>E$UAdxCMtr1S*)($qJg-eu91_KttVc z-Fc6}Z65m^y;)sx;#PvW&*(?UP1l4&?*I(1VyZ)UIKxFc)+5ym=ZnJy0j1g>LAj)g zT;4q@m%ua!hjF4G?UcDNl2#DWJbY$XalVK7ISv7<{|yzuk~|G&sZh)gFPzMz_~1NPmUIj)>Elf2pTf zXjem9PepXNLaQO<{vsqKWayyuQ4*r6-b+`s+i&uFsj;9chU2=CGBDx~q8q?^CebS% z?NDDX=%@qmy$it_!A-7kpkEZC4G3Tof5|Bi*#AkfXkkXBoaVWjEaoSS?Y;fnrOM!P z0}4gSr~R!$c^OYYWb;Cx%F?Vht3gVG0dN&K2ow7M{BWV`=H@0EiAYcolDwR>+^Cei zf_%B9smH65k=U;pziq6Z1MI?sfAHR~6Ax9Dwj;J!5017_c_~UH#sR zLFZaT!5n?6nJGC@eQpP*Nt)+PDUWDBa4wXxry1Sq9iT4o|EbH=(avtCb^Sv@dS;Hk zBr!8F0Di{kw2wS95{(0m+q2S0rt=uKELdBkxC&HPpPEeSH$g%~{F3==xi^Yw-Tb`q z*4^YsX;(5&&cw~#R|!42<{UBeBX=<`F>i&6l0HZ@3Fgzp%=o|}u##;6u)h2nV&G+k zbX3i?Ju?9c`plHHwf!6f02WaZ@xR}**u^7Eny-c6ZF1M-3zEk6ua_Wz8r>W9M$gWz zH!NnNKjlnSQ6J$X{P))arR#F3XG1-RsllFQA?H@BJ^0Krz74wdmxW@kNE2vXt< zgsa#>{XYQ*qK2$-eVXqyj5uXShPJd66r#-UA-5>K^g1FQO!?K=U)DZguTXGJau=Q! z_<2gaq&`yRm@W2<_S0&bZ^|7~S5T-c%6fB64`_;7I-3jk+oP8cQHil_ZVxh#BV~aS z%jf;R9Z|D8EmMuL)nON-GRBGaV4Em&cOV0ifxLAl{nJbR_hvl-`XV$Glr9c^X2ekoO#@n6j3}$!MWR}1 zdDg2W+z%;#J&)l>)^91aC~n-=|A}cE76yr2_$VoCD1Gb=66!|M*tki{+vv2Ew8YH8 z^l2Fx>9r(fRpp$XtZ1Va*!7l{lD0ZNkdYdz7|i&-X#SNW3Uk>VX}L}O%IYmFA)tQr za#&tlTiaO<3;%e&rb4qGOoaT4vXfvV7=F2x0>Mc&RG;wLp(b)@q~FZ`hqOiE&t>;u z_fh-}iskN4PD6#o51zw7itPTX*{{=Inqz2uaeiQ^7!2|MKLMVsJJHS`9Q*t6ZqS*V zadE61N2h8(u`mgDs)?PABm5zes^wqjn!@^@bM@ZX__<61gu<(+J5+g8dFJ^Ja(h<0 zD(kYmEF(A8G`)Vt=BQ3Xh~qEiQRIQp5^nV(U>$I$uvSPTrDV_de6-9P`1U`sf%)=j z04?3X&(*D^eUsl~S=B&rOj^ItRaNDK)4Qf1pst}IXl7k}BTyw$HP4ztkm`^N1Fhbc zm@gJsJkbqZ9mM&a9Ix|?hKS~BA0%0TPmWhCzHz|ou| zIs*7#DV};An|$z`TlBXzQaA<(al(SB-XG&C{{P9&s1YUENs$e{hr910t=_IQB&b@VQ(D8E>NI7Bv#kk=IJn%=R> z5wk~5(EaE==s=*VH_JaZJ)GF(VmFi)NKChct*0;CRm~M&`Qlb&W(xXz{$;_srzGRC zcUM-@poqWE?tR@s3{p~2Y4$iDn3A1&Gw$<*;&{8&tqZY_Iz8Au-@Au@P-Zw(D?DAO zB|X(=cflfvpCuM2Pl(yZzuEk?szDG zCLW+5khe)k12<9C`#Uc=re~&;`0Xs1L($S3GooU^6Ura?^(9q@l{6=Meo1|jiGg<1 z!W7{}Dd5_*44`KgkfWFJ@#?)Si%kyCyRe3hA)Dzo7oghr_L565@QQGASy$~v=ij>; z*`BLT%*q0>RqEC&Oi#U%;#*N#K3sqfagBTRk&sw|-~U9N2(nIqWk^sUq#Q z5NlEMKjlxl1#PzjxGDU6&I$_h-k3yRHn*s+;uSMQczC#K*=o@-u~WHSj(}PKP(uKo zKo8V3K9`8_ys{rrzxUg5fdp^;R@@8PO=)|lYBJ%_j=k)EI0Cf&&Wv-CX$5bF~=fUCe^AojBv_DB=!vaxccj_;}VArHftOe*7Jgakz z&nX#w!?gy95&8zr-l!n(M6Ut~Z(feEIgkOyO>U^-Dtwdp7G=7xX=lbpwdVk^%l{Wj zmPuPPOypINr$^l;=dc^3hPVTAP*_1OAEHw$ueS0j%$Xp`4g`88?JvxP z6cQ6-4O)LghiUAA!TJ8>CUee%IXU8~sp-oLyf%*s8IarA&~ZO!Tk7`ltWGWP-77zh zM&pu88T4{TZ~{7_evgflv(sF8*=bjMUF5!_>Tw1nDguNbkNNp}=BDV6@*l;F+vw@9 zi_(;YC0EdTqSD@Qpo2Zg+Z4Gc*#qo)3OHQh-H!ovrcr&4SWo6piUh50M`xC?`7`U< zO^`#Ncr`Wp{0;=%iPA^LY|ZQC!#H&X0|5OPigvsVb%Wf&Y(QVC_8Xj^LR@q;V~h2B z6-bRlLKzl%j2;JuF$*Fo^V%XZggq~~%>74{JA2$B@N^?#g=jinPgwuPZIdW(LP7&0 zlwW|vs0k^#@AH>Yf!6*euGtH!B?RA&J6m3?@sLx%djL6ke}B{fVCTuVQXrV@FU{mH@J$r?53u>-^u$2oV>^P&)$B;K;QVR zncMzXHkvJXV4MEun*7;lAdSaM2F{o}N^Lf;QBz**3bcZ)MsM;zq!Kb8f1sg#6)>GH6^zQ7D=jAC{0f8ZQZI;-<~nC>COM~<46t{K{&LfEblP*(R_jt5^AD+11<1w$GCvK726j{Vrr(=LUpP(Z;83)wqh8T$DnLkLAb25kjE$74U>! zlk-ZAv3~mkNJS&OBkIe}>icQq=F%{xH*Wm{13xpf^U7Ve&-}v$rX9XbNjcO?I3>DN z9-XWt2B5wz1MUF|tZoH`gmT^duVG=u5HAV>O;Px9DL(|Vh?eOzvfZ95V0MZel)ZR1 zZ7MA*BPJ$JbxJOuKeZW>>~7XEUFqQ++s*xqAF$W6bNt-6do@K=yD4La$SnqpF))H# zgAEmx;M$8AA-8YbE?phg=sMKZR0vX|Fz{nn_enpPp=P%HSuW81e{6kqRMcG;?jSGH zhyo%lf^he@pZ2`L@mgv7`~R6t+rV=GM+Wf$?3|7Io^@z6zmVZo3(de{OudX}u1oScw9789ifXP@7+Myo~qgMsmm7hmdN z^JCXN(G*G8^6@WpP@rreQx4OxrE{!{70qr6DOpU{XC>xR+4h&~)T$c_9za8TLfd=L!h zq4UHmBx`G|Q*x=0gD2S;;n25ngY1qhkL${z?;Js-(%Uz#u2X=1$;UAF9__g=?tJv= zb}{&<+ik9N1<29n13O=JFhx`>tYJ!s&Zq^w^bZI-sW~k%nw)93{NrD5a@c`p1~()5 ziMn9qM{TVTMQwiqxt0D45A8nH-T!F;jvozwIXh$U*T>eP$+_1pa-oNXaJmnor=*1Y z*)y^S4=QV{29F}r(+6F>ZdDlpiMi+xpVlrP<$6^xXuK)B_Xlg1 zE4Ac3NMr@>YbFh8>GV?#D7IY0b9-{;Q)hDcr>2JQw6h!6Vb~C2N-`bPF15v@_gG1AUF zoDgpQybLJxo}7UG4WKuJzdj*28Ms1p;tZHivFbDI=7R2Ry0>@UgM3dxoQQ!XEw6b- z|5rYAPsH77H^$0{?tm+mfPc)&x?CV#N9Vyl9!~J8q`saWtoLkcX5ZDGVLr#qq*q=+ zKZ!E*BWkWHM4}Tlt%QgznR5^AHYqG(xgE4V5Bkvv)MFC(IQ`t`m0km@#XAOvNqvdD zNgIML)RJk*Mi7VuT(rD%h|&b}efU5Do0Ch&^ZZ0(?qylaIi9jF@nt6KUS9VfDAGdD zj(X9@!LPD7Z?Ej>e@!LY_{vrf#2&KiEn75I|%; zf9}1#Nq&`OE9#S(pRFtZ#-V+*V4!$n}U+^ z5k+D`YH41^(roh!=C@Q5u=x{9ma^ZiX;|1n9c|633K$S$nv`D>4RBY~05Qo*eRE;M z-vgz^(BmZr0yb$@o#IcriN$7je zT|cpmr)mo6i?TAU0u#)A5YX)+DD?Efa?tdb#(#=xcwYo z2g$+It^8Mcc6LxJtI@fx+pOcq^!jce5+F!?8Rfw4;yVxw%I5I@B3!HY=d2@Z%gZ0E ztfpOnOABY)j7>NYpg-bE%#MO06?u`n*<&##qcPb@9(ivxD!A}o!GVd=H1kX_y;*}d zir>Y-82F>ui_PUC3)GDF5p-f%Ux4A(ffb6yiP?>u>ey6Y_BeO}*hT zFK0_B5S1Oc0Qx+;HlK=)|FsjHp@ve09#TlAZ*-^3FMr4!^?I+?9Vo#JX&G*78JMol z>pad}e(;fnUCec5KH5b5;~Q==Q>^dIJ(me$6P{ueu0L-t@XG_IrALcW)FdnxVq4}>FOQA?@Cx1X5KL_{fh~weBTL68jpG&*7fnHptb_+`%CO(M*g^0P`tlN2y)+zhTr;Olzetvap zzuVx6eR}3_uBVq*o^5h;KmvL9{@tJX(LUR0%|mcMQOI`fGo%f`)#T|jLZ3&5*ENi6 zkLQ1PmlwGD>t|!}kt-((+=pZuXL{7TM#pPJM8`5ja`&W`U?*u2{#K=v>I`56Q*k+3 z3$4+4Oo=5&X?}q*7q`v9>?VHGjjg1XxR`69s zq&|1jGGu8zpYS^bvQt8(;8@%@%MG!F{P8#a8&0Y|B20X)ds4P}-^61<`e4BQVgvW< z6I?)XQ>JH`J@n%8j&z!x%IMIM(B7>|3p+>Bn2ehG=U=K4Y@SrwYKg1W#WyQvySf4k z!!Of36G4r}AlK>aky?d>nVOdSdP{M3CZvrlvH<91) z@R`lBqZS%v9dUMW;VO;5yh@);yyQPN_o zbPnP$HF5T*hio}Bb7z7TOw9(Gtw%x*kj|>Q8-c`cBo#{CJxHF5vaan3{{a6kg6M8) zace=(E(JA}?=MrjTHD23^(iPS<>Dz<_pB3ZT;E;&(7xFi{K+7mF93O$o^!$@72aqk`!uI@eIU5eCxxx1=4O-U z)Hyz^qM|z6M8?BoJiPY7Y_4*6oln2++hk*VHC)`CEw0h=$&*U?kc)_Ty@-d&PdT2L zm=ukSipg-QrloqetRHN_Uu@JfWp{gI)H!r+aK1j4{z?Tb1DpeWq_A zi?-+Riz3(5ncBE3=fmvO7gsKoRoZIW4IR*qI|%k35Eu(n2MiiAeL$qle)jaoa5mcXg1TM9l(h`$w%4@OH8-Bu~?-rly^ zP1a+E7y2w(Qnvp2-yWGE{jn%VJ~Zk3f&?CN)ur%9uE_lLn7w1N$LZTh>@T;&Pc z3yhX1LwMutT);nALG=w$Krniab(iQGrTX~BeqMd$mxPCd`2AoKwAhgKQd{tY1G zknt&dh@vZNPj`xLRc=;I?Bf(#QZj*dPclzsUKg>!)U08{-aM5Q0kcrX7man*$ELao z8=11;FoO4sjXvcAZ)xugAsVUYIdH-L6u!c;*()L2fD5Cs)ZA=i6@!A`6_uO$yRGM?DB?HYCI=W z=Ng>JN!I29ekx>l`hF#n&o3>!3%Qbvn>MpjZpxwz?oEtcm5cFGuttVG9_3e*%!~Mx zuv2z>AC#^Ai=lm`EiEnIy?ZQW+8`gs#W6Bgo}aBFvp(V9H@HJcJ;mmU!MZ2=#0Vmt z(~LYes4=f+AyhB!ZEpvhFHVLTJ}8+n(9$}IbQ0=zJKRhQD;2+c%7jq{0xW{u{?Y}d zJ3{s#Y6J~!e4lm!sNoCxjiI9!sxx#!_ZWWeVHKU0X*>4DnKPwuWKyuI%8U<-?Nx>o zXzN|HHas+*V;uCnDP@X^<^e#up7%*#bv$=fO?*`D!&+Jl0O`wn3W0SKKeQkYHyvLj zwjXwN@1GBNZyXQ!Ncg&(93DP;c?YTry}Pka&cb?qtz)R@q5V#tpTd&}W}Qv=cvNN# z+7>b_`T^=p8Ac?XS9Ph2i#Kc??1CZv;niKO%x=$1{;0htoTTK+N#~1WO2bP$9D;Fa zeiK!-#g`#>_4R!TX%u0fCvX;m?8h*eL|r;P!1z5LSM8HA+k&o7-_9HnVU zzKm$=V}bRj zUR1mFM}2xxMGVowTNEabyNMU7-0o}Lz6J?Va?0Ftw=d^Z4L(H1*x0(Ej0*1JSe^0G zHmLDi@eJbzHnUMoY>YXRcVBn6r7r{v;wYj)nQ|oe z-ivXdce2#NZcdn?=wT& z%@{|p3oKL>NoXl-Ux!`Q{L|<~+qCa~oOx=VxFqmZ}$tgpv7g~g< zojDJ@X(T;gsDI|UDpS+wBs8@L0$xxnvY#pxfTyF@5x$9Vn4?vPZhsqGL39!=>F%SB z9jTWJpEtqPSHyg{nZHxZOEmhRSScp;k`t-61%~hXbVBJWK6-?%M!OTjo`3uLRX*h* z>BEQWE8Ir9zbE_9e^V$xS6BjBZ)c9UWC39TlAVLLRfTx?9eS z?|>%65z%H~a4{jZ^d0C17#&w@Q*a(GRkG0RE9Ep36e?GLvgVUnfr$+S?lK0N)z(); z*}flsfn06)*49CWa(kl`-5amA#g%ElF(7JXm2IK@&SW*+4sjl;WQh7clUEji&1Lvx zC3YnDqh>=?bd)~N2@0W8vM#*6nA21g?~vtA_`X=>@o znpyBC^*V?#h|T5BPjkx`x%31};I?p_6Nh4OkB*a?G?kQI5L_&s-OL76DM9+x+vC2xx`xlBIcZ$BM&*Gsmd!FPX&gYuaC zulrvyB*G2rups7Ta|>|041oF2smqh6WIIDFK9l;7=EN%mP$TBI6ZH2|n|;nXzA9$i z2lXx1F4Pjv>mHL?P9`(pW*ek3-DOm+j zEv5?e5W}yxmabxKIZg88DobtiuCnqLKP6-`F>xvp%}nIE zadGr}`N8)PP*2_Jd6GF|vD>eUkm6!vt)Ua}=*U-V^{7W$TSO?F+06;7P%jRL_3%k} zALSawa}_)O8I%e27CSnpvPmdnKg-U^pvQG1iz|0Y_>tIsq=G9N=7L(p81DQdtyJ_2 z_5H1v6`la?SiGD=f0n(`o}Uhw<3&NRvn~@$XuN@3mA?ZWl#$U@jfqpdOH*Q7cO{D~ zENH5C%P0n+7|1W=C8}mTU7U&TWwRexS>DVY0kholv~ z;M>oA$8VYYX}gi|tu+1UaH1#@<{)4$A0l+}$_KzSr=8w`_)`?}QcmW8lIOpHbaWG``7gykJbW0Ax_=O0Qm(7O@pF{?R)M?kBltgJ zAYm{w!VgjKz=iZ6baq61g3&Am0HdSnhtzE*5^3pBhJb zmc8*t=M|K7V9p*ea42*2!#UAe~?Y)^i z7Uqrd9Ho15L8;%r9}eGM6ug4!Tjg7;4$tm)taNI&Y_CT%n>_n9XJ`;3r$dvfRmn&} zzzcLPOkY-CYj6A_GBXo@s|60gRw4QtUiu!Ko}O^UPfQIBvjLS5>DRitAT===U>OPy zHYvZFy$C8Za!QL$MMn~Vyr{6K$dX^*i>=5mF*cHZFh!T*FyR)e2GZmUaYlY#E-n$i zXuLRdRBD508oOGNIWpfKnV)tlDaNq(!cPC!gsLpr8tfcSJ~o!3qq8z>ydI`MG)iUJ z|BuBT0#+U@0X+eUr?yV8Kusm2L}9vE_OoqS(~J07Qs4W5PhRBK>(IQ|JmX0mqa*R^ z)}3x104<3_}}XUx8R^ zxz^oVYmMi2;=0>tyY{1FYEhM~2k(oA*gfQKqjmo^2uT~ov!K2g3u5285b&}YHTjE| z^~4;3Xo=XIF4Mj&3H4N$|Jr#wlR{$~OS&qby;Hi->)3jQ(NY61W^CL1<-Ka6d;8lW zn{ad{6l3AxYl^}tloclQ=nT|rY;A92w&W@&uMecmjLukQc>x8!pJ{Jg+9S!#gVX@? zIfhh__-L0JY%MQ8@VNDYQsIEf+fm)o?Jr+W&`4@(sw!%rlz*30v<7)BGYEB`ONr9tR8{bv@Eh&i?;ginN_U__bW-!R zCc$6J9WKsL6KLAVEQYJorHhvzhigtCIgF;|Y;JlK6bDt!E+=(jMBRzSh(xVeQfvLJ ztlSRTeKt<+JYI7>5fSkt^BvHau+2Z9z$PxSSu)M_Oq|i=avG*7*DJcj^&oIsnA4by z(>OMFUN$+RiEX^|>f3v|r{v@uYG2&a@q=smQW7YB(m*Od*cT=ey_a`7wUx^kc(1Kv z(lLLj9fJk=*ns&ora0N-f91C0n7z(__Zt>~cy81GJr&Wu(ZkIBg->$TB7gi`>G_yg_D!laxF~6X8Y&Z16N**nQwPen!*<^3^%v)k*E#Po=Cr)jsv|~Z7iqE`w zqwUw8(1?0<^{)x1sN~_^eD(hp@{RW7 z6e?)iQ|UW>1}R)k6MrtbN|fdGFGG^rx56-reLY2ur*R^f8~rkKHhy> zi6JXeKk)OXxX|k&GNY!N#qb$g=|6I)^`@sv?;{G^O^hmWSOkD#W8u%^aF`L*QwhU&rk_PzTu zo2vRXRYp0%a~A9`FjLHaN@ zG`So3+-YmP^+L5KB2t zcha1*X0Iar;z4JXG{i$QudXmv6$aMoy_B7N)390$e|_r1E0liqngzM6zRd3`Utf?j z7ZnyQJbfyGi`TGx_3WIcC@}Ht#{29Ph3!XTt$pMqV5>EzXWRiMrQ}vOim%SWJHegD+kdaA((UPD^wKrS(HxoCc7}t&p``6 z!+}(Obmz~+@>?Dru0$<#@8aX)34%@fgC6R6Cc;;h8`8 z7gv8@wFjsV`490LzWC{-ko(?;e2k)fNZ!_4FvVx$oaAAIBarazkQ+;nK254z(NC$s zMXlx>4)*UqNvu_5`D=2kVEIH$b8~aAAmaZBDaJ%y(HIo+iq9Utrqa>yZ9(U8MF)Oi z=DOf_Y3bE93ZazprrDX#`)U8pJxwzDQ(@&32>I&@-VMkz}9M`1`D31X~;gpBhZuJQ6QsN zqo6d*FA)0rCWWV{h#f%=dT_@1C~#j~^U;;PduE{Ks~c@c_}{1(RUW_PaeaQ!8BSL} z@doe_Ie?D{NFwv~^*xl#0M^|6;w!P09mw%Sf$o@27#17K98RmL0cxT<2pkzO$`a03 z%QuCooU%G*V&fX{1SH+JRBlrZCrLDS0OnDk;DkIA7=7AA%Bf87#FzxK2rk_ zVtm-C#2tO?d@vve!sX2>7i`?&7>tXst?{hmt92y{ZlQA#Pa_k?)N$5$TIxCB5bUK{~0? zUuAsP*3OpK0)FwZ$y34i6^WrC)ye{zYW{bNAHj#{Xv`;1eiRo^hR^$+d;>DR^yr!s z?lNrz+}J$*gipu|Ildb}(j@$FN5nVvii6L)34kd``R#HJ7~K?%gYU#~?mFXgIOy$BanP0t9AMnFxf)`M}Uz>kHM5dl}E2NcOK_I4l=*K^#3jT)(hv{W?JN2UsP zR{m>jSc8X#TwGkLX_DTT$Cm6jvcf4Hidj*-DmCRi@6oZask8Ub>CJh&xgSRmh$es@ zB4j2wHvO zbT_3~FQZf>S#ZPmLWYLz_Qo5%#9%V}tM7Gi_&vih)ZQd(SJ!Jgk*LtxAHp}H;-Ar* zUv$dkpYjonvbtkoSrgGbDIsIsK+XNjq7Nl&9oZniE&&uA)t3wgoLt!fuI4A0ZPkHk z@B>5IP%l`try}R`@88e)%t5OGAlUknXGpXJABrW8nqq9M{a+$z6P<`~%0k zGMo_Quk<)7)SvmxuxaS ze3NIHZpHH692_j3$K~->v-j1_<@SGNt0%Ze7F_?+0tAvZ>gQ?1dv{6eDD@8{Re9lv z!N}HBT*g5F#BAyAbsgutG*Z^8q4YnyW<8@tJb{(dO5Edz(az7b56$W>=o-Px^BK8V z1sHixZ=xqgF9U9=$_hG=VZz6^J9F*^VU|=a2UpH)yDa+tEM%sjJdCZ+*_jBKJPBfN{^hKlFZ3zez-=Rj+egeH(h5!a-tb~ z(XzJejNs8+qu5K@tr0z?r!VK9LcCZ;=WlP^8eFu{zNjMEZ6Q(~Ay8|3d00hsSCRAf z=W&T%Rb9@SRB-SuBa^n>*;ciEp!P>c9w8nPZ`Ng0`3R!)Ew{4u_QEsvL3E?u$c6Pd z4!z3_+BHkk`_;*wVX5<$4l64&x4|UsM~jUGU!@WK(XuiZb84S}D7CzCvs1cUJTHhn+zL4t<>M9A!N5!oUI|ret?5A)y;_!`9Cu zByhp|SQ_WOm5o7(m-|*s#{h#It=O4+$mK~IBQu?tr`^g8x^T>pnae=j4XJriX{toZ zof=Dnxi2}?hOejD)i*!A=42f|sFAwhdvfg36B0yW$<6mNu=MCorCdhds1S#Zh1J`x z#_Cch3k{CJT`fDZp z5Iu(GT~Vv*(Z_`wt}FZ-ZdxV0*-G)n;;;IF8q|7lKBF<3IQ^byRDz z9t05Ysi?&MNLj-qnK{3hB4dw>Wi|uj0J2{BNSw$Oq)ly3RgE!)?#|>{rf|S``VMsR z3U!Avm6%kJ&ukKo)k})|XGgOQ3Wn87Vhev6iUt`rFv5`27iS9}c@m5DFAk47z4JtQ z%Z)qPC(5`Nej4I9F1B@JGOHBMRl0N#cv4ZZ-kA1nddxK_9W;(vua`ixM4h_Z(&ty0 zap>)s8Tqd&Z_i%b1^P&d=(79Lsl(IFO3lXy*UCYz=I;#pT7+G1eqwxwTg{`KFL}N1GejcyH`5wY&bj*;T*zNJRc+q7Ut3!em?8;A-LS zJcDv-rpp*t=^M&;xw$8WeRgAT6z5S>L^F4KmAPfCg&o^dd_yunI;b>|XMMFU%h6Y( z(hL8`?^@O4_R3f|LMb(dyF@C#7FC?jx?V6FyS9{OX$;)1D zeYmfsfYbSYh4+<3lZl;GrNedI0s6|iX}U?7N@VY#n^}M35gD&X3gV~NsxM{{x~R@K zi0BvMmW!OP`v(p6c>fQPQlq$OSB1)xv2M$Jbo*$>ppf%!QspVq+<45vRjR>DR+ij+ zD@T3JnqQFLK+O2^v!i|wYRA^*CPDmS^V?cLf1hS&7$KoAKEV$@v+8xuu*OD}V*Rml z7hCsi?e=fUzBl!C9c6r0b#SA}>H?+SxK_{OH}LGT&INMmW(I+SVc5gJTLej81O=rc z&YKaXRm5s)YQ6E?bfV4{(M-yq2AGQ9;+a`rLM*#Zp|vv07n zc=xQ_T)Nh8{l1#e2fGeKxDWfDoeWQJX3nmy(#*_wF;cs)vMYH{fJgAseR!Yei)U(h zoyVTK=3&*wQ=4x(4qR^+s*=`MflC%Z@R#6GP)Y{(4Eu_1sNIp4WQOrvP)6C`(%w_2Nre#~Y#uEd>er!_lowFQI#=Zr_MI5ic=s+OrA zfS1FM%;Yr(AM&P`8{6yV;^1gw(6Ih+znf%5=9TG=QVi>Rqati9QhEjk$c60j5D#f6eR!6BePJst6_}mNak>Y#^;-F@J#B!@P|+?kMi^C) z5!{0wX=NbOXj}0i$Hq3<&C@!LsrT|Hs5dZ#=TA=JtEs6*r^RwwqI4@w5+6L}Hy13^ zIXfIL0sghlOM>a*!s%*xoOaI+_?F=@6t?eJf$UL2ov;(hh!t6nQb`vy6}NYM55vth zu^JV{>{ac1@YkzC{LWrnV#zu<>|gov+X8Lbx!;>btP~z0z7oT^CKuQl^{lnVY+*&X zR%$9!;vflRo{x?$4VQ#zQxu=3ip}P|)+A?0v~p-Dh#I43`(3ee_f3NT`-gs}KMnKs{Zc8Sk!Q4~qyk4BUZKXMytFeV4{s^!xgh zi1MYfiMjfQ+M)RqJc#5+d)tMlsw>>j|NR{i+cGjhJob711&rLb!OvzX{uAVo6Az4^ zVR`(U%SZ+IHf3cRDf?9Z;UdGg@DJ_IDdZ5Z7K`P-&T;WYyo1pDi_A3{oV>%eX`j>X zw;R|fLL#yIO#T*ss-K@sk1Z&DN6idlDWMkN-2R*6WuUEWP3g$5P8LSSzfb3rxQ%d6 zR|d9+bq@;)fshi1jN9urn1&#`%J=4A@kEeSBRw1Nd2_)7K_D$b>^Cacbog<2^j_EA zmFkPIYZM84d@-ra)XsMdS_YBR;f-ZBog6HM31_Qu?H$ zZ>6uU9z~q_CPSu!siQv0_|xI}&`M}1K~Cy$V|jh4Q#U!kFZa^Q%F%c0VGxV`?u6gr zhCuLg7nqefbP8iit6Jn#GPeKmGms_$e-DAU-SeToU1?a`4j|5A4%->dD=Ho7j%u1Y z^O^DWAKkSX7&dZFQIUk5of`Uvzf$*Nl{A>x+Dsi+OTl%!=jM}s~@neLC!vBdt-5pauYRDG8yYKsvpNK0oZc$Ai_clrFoFgz@y zBM(^eL{ZT;2P7Sm84R`nyxhn^4@(~(AAN4q8+`0~<%zZ4__Mvat6Z|#+1bB8MEch& zFhyn2`xy`a7z_^rX*{6z2bLm_Faxu3|BlD~@!~)0B0b;T)%Avjv|&Kz3=b)3GOs+_ z*(rBoIzHpvozhTTTztsn2mntwutbO(T`0@`9muMbx@El8S{(nA_Ckbb&c7eY?=v%} zfbCS7QkuBOlcpWM?6QKyQ={enWJ#elt#8DcXF5g+Zxf0@{fakg4gbE(SEiC=?R?GW zC+aq@cMfIQpD>iZeDxBSewH0xUsvyO<#BO-`*x_(YzuilbCA)gs>FS^d%pck>K>_w z2WHT{QK9oQ+v4icYD`Zes3^J5fx&so+uD9k4ud&^q*~iOy#))Eq?s*oNUXqt-ZGjajSqcR63HE(;GM7<*oPXRY$6=C;0YexAhNg z?Km2IBW$!(k#*I z&(f~>Ni$Pm7hh56xtBA48MdI>u zT;MIOgcnD+JX{l=ny2Gk_G7m-106JwD$d|&CQ$Pu>*)0H- z$>|GW0wxcRebi{oXe6fG?$l2?50NMPGeTOfxb*9T1}s=GvtnS?GGAf7rSUxoMst-E2`6MR@p4F6 za|Cosqas;v%NxfiG?sJd5Fqf@yq*M#W(i;|Vv3&}jO zy&|vq^%`R0;^Mkf8$C{}PS2z`uVD4aMc_@a $2codpH)i51ORb9F zx{^E`)O+Hezof+%f(2Cwk7gpcHw#BEsHd*xb$1fch`DS|+B?Pnqms67xuL36RJQ&) z8Mx5rIBHW_J^MbbIl4HJZc+!@HnXRMGqtvplD5D2#XQAou-7if=Nf&gyt5$g20ho{ z-wTX0*nN%GCMI3S?W+g~2?K~Lc!Y9nBNe#G@B$1LW9PhuDZOmgqGDxm&I)56_Cp(O z(Snu+HK80v2mktoZWEb`5A8cUJM*KtMUE>Sz|iyl`r-8dINHvqN5foNR;Ez?e}mDR zciGw5q14Y5OA9HkS`$>7MA!Bh1WTs#_2<@Bmo@X>WK3>XsK5Wyv!EkUmnQ5q1fZvS z0lJB;zL**LQ4{6I{Q$+>6VDN%*Ta2gx8Qj-zFXhBPFl-a`cuZ_WsFs@`g-b9sqG8P zvVEr|{j>)(WOL(XbIUa$g>IT)h(?&YQDUsQgwJtZiIG^nyb_LDg;o3ZL}_oqT_37r z)!$N>f%pD2)>?0uezdVNV_W#RJ~|~RnMRE>V-G!Fz-t8OKPD!|{wh48({{(EM>tl& zCy4{~cE35IJF7WOm|Y$xL$ld5e%_QW*GowDq{9n@Cq@<)mLnt=eH;4fOv|Xpw!vzm z)G$XeR(#+-$O`2DIxGm}&AtLcv;VmhY>byX$?Y%LV1YoJJWh7w8BS5t+)V^O1SQko z1{wJF%x)d!ERLw85ux|CGvj1)4%2gvZWAQd$m!dFnP2+MO^o%M_NR_LdGU`ARkh^_ z6Mb9lN)T*!MwttiSL9O+rW)IHkge7K|FqkK(3KtOwa^bYk?Vj(=`i9e1Mxg>){ zNBEKN=<643WL9I%S|>?bAycHaY&RXW^1TnaqKjhgdW)66McCz<?401A&T`-hCeMCe?gI6U?p*SWSyqM~9}hVOfR&>=6!YBF~q$s$nIEnTXR+pZ>f+PIow+M5^TbOJI@y#GoIKCU>GJ_~ zN455IcI#sXNiOtzjl?n;d2VOk5q8xTRk)kO^F!?wp&C=gJJ+5JX@_xSfD0-Hjekn? zYyJi*2yaG{3vE~2=xFuK!C6%0DSd*Cdu-H4=A|^M+C6cF9&|g{uKk0AXYXZ*3gMde zgC7?D4d`8i&}OfTe)5H`F~exzBvAWoC{(r(gYVi*DI#CE_dw>+qesUS!?hkIR>Qr$ zPYq+a1(xSN0Qiu_w~1l9q3%0sWB!dCcVFwW06XenCgvtrL$#c zZb~?vrBt^4%{O#ROS zhm35$e&t&R3uvMERD!Ah_F)yNObm=o>=>S*{8lKI3oYoXaGi4AIMd*iv5~EW4m^%5 zg8LH(gpj5_TUi*CYj5vR_yis;t%}vxDd)x<)qL-Sa&*SSLh1HBI=R|v8Mz)cm5VTX z{`|RK8CV%=VTZ?HE`a;dx~3}z#P9W=U)!xN$ekS6%x%w}VJ=h0^VTa|dKWrzm&Gnt zdVgcfD-4M{mGFU^*1UCYLs!;A56#!b{2%PhkbC++6OB@C=4Qxi*^=h4Oe-8+Zw(Mm zt=}=pxr}15OG5OtIZ(P~E+;^J_w$)h|G{$ovW?s7Zz&;zZ;iB6t`igR%R`Z9f8v!q zZm-kp0OBVWZc-Yccb^#!2tx*W)BS(pBt%k}8`^lj9`Ziulr9RYl6drD+i%?c__0Xy zLwDufe_A3*L;3|((wr^$tcN)Y6vmouJq1F>Jnrr6 zuAq*_^NMf0Ye?NjPtUVoP}LNb?v;Xtw||RJ#;GvvANL?cHo<t&*GL)PUwHrT%kO%{a(IMZB8VDSlC6mvgcI?6)3v*=Af7?oO>SC}`E4I{}> zr*Jw6d1qpYMT}P~GQO zcY5~p>6+c_+`>9XWFfqAljbbL6#fw4JU!ppE60`JbJUuy3UZ=%v9J#6c>%J;#cPbP z9ZW@7%$v%;)C@(YXMOR0y<%OD&&$qsxj@2UGp9viaADEeCRZcL zJBRb=HWkbcXrtF|&=BUr(soxpt5aNIb9UUnhZZbi#9(*ci9)Hr-1=Nq%w^9n25j`< ziow=e&r^0CEW)=tLf5U#h2dzb(uc6PLN6jFC4 za-!<)tr?_L&*!`~Wt)-hNOP?ype7|{^v59}=(}thHnD1iq#S_+0%R5GG+0nNK_mO{ z1+(uX)VCid8Cfl6`f39Z9%YL%_QJ-JA%UttICWf4c86U?(`ii=V?m+;NPkCH5|?Y3 z$)8EOoT4i7veM=C;gu@T=*PWnHBGAs-a&}YwB?f$imz1veUDc126oX=;1sVA3)NV^ zR?9PseRu;~ShMb?xLE8eFh)?0mxavc6no?x0!{*-J`}HMga{CP|Gpyf1WTtU8*TZ< zm=r|f4%uX#$`}4{<5N)dr`12cxTTv{@kwg*owz~6Px0vsCkh3R;r8H7-TN5v;pd&9V)T~8GOcAVEQJw}cJ^-xwVSCN*7hljIfHR;=#=|;<>;DTUM zi_^AB7MqNdhe5X!Qt0S?)p^iPan&5e_GB?{=sJG$7##H_(vb*(g$mNldy4iQ4{5rC ziRta-#lnT*+%+)~FZJc$++NaVz*I@h`YNIK4{lX9TmEG#ZIf7G+QVBeaO7&!RS(l7c+{~fOPy2>exk1s$uoJ`BK5fdhbk~X5U2*T}c%hp27#~aP>H2Ej>;JAL zWIjC2Ct2XHGi4u6_+{)$JNN#2AV^bOS#el&KFc>;Rm|7JVel6M%oFt5FE`kF>M!hs zw3!$;1Oe8tKtJcTHee~@R{)eCOFZpoLzOn&ADuD1ri%N>qL&%t&EyoTm@|I#kJeb} z+qYGUuM0GhRGa1|CXGwEx91!4-mHJb1D;868qUxx>mBm3J`?2W&MHw-Rizv9eYxLE z?A|uoR~=|hh}}8NMfRg;;&c;$R1TLTk2BCf+N5Z*cW{tfSUBMlw3$v1zQb)YSijFA zLMu_1H!iZ)E8-<(C7reu9Y7qUn(A#`^`X1Y5`RtDWF-@Cz_eP$iR-P$?r+w9I6)j< ziOlyj%Q5*T*+dQoh8IUHmj;^I<$Cj+ME_kTX**zphK(+2WZ`T~OiXA|Z&p}Ql92cO zK5pxRqiKO@j5csuwxZRRBN@s-R8`ZpN#aYlP-E(PUhlAl@l!MhRkx-`y_&57YMka!vD^||Qh2(A(6 z_%2jjIgu|2r}Z}6#)x;d?^Js3NL3_0-H=5uw}vcTPvb`kl;;(}i;z^(tgQMT^_DrB zYzvNbl5g}_Px0{ZGXJI)7U1g?$;~a_kka(jBg#jOmiih}+#=uW-Qfm_wbUPd5BqXX zW{l_tCV}bN7w$!oyE;05{T56nvm@!IS<YOp&4=FeHq`cI>cY4n;A9dpeeCRGd zAm=tBlZm-O`HmPhdt`a1-3OzX59Pshxl=2uiYcGwO4xKjeXFtkXaDu| z8O41P&$rE_B%YpQ>k@k*BNV0jr-}3mDa93<89^RF zHZE1To5*D}bRnOM_T$d+XH%-?om0#APE~XpoFpX)=+ zB6E8xrL3Z))SKO+R8Zy&bBe_48s{?9X{`#J_6Ou7!Jde2A$wA@!?YNwn+P2MK>oTF zCR&4^nm`Ue#`HS*nfGleTITCugYW5gENH3S0N@%(WjGA$Kt2S0^$JO+yij8qPdW;G z8DF%w*bQ>pdE3qAVLV@xkswLf;d4G@dp z5XWg|2Qb5Y_p4v-er(}AYio5X+w)iV(iA;g9Z`hay$C304OCm-u*pXQ&q^ES z>dbO5egU)A+FEGxzTMk>dp;414eV)geFR#%#|wCLy^{qx`41oLuY9J@79&UW$&W23 zbZQ_rpVcm-7wsh7WR4+JaMwbCi`y+2V<$H^z4r_5IbVclEG9G;eMDB-c0K&n}+ zuLfi^SH8dgge4>wMkB6s5sjmOxzgm$$;s_c;#b<^Rzx(UgN8Yg$y85ymp+`WG&UL`JmQ2K{q;hQo^p4n@wsUN_PWd z`x{X93LN-bs}yeJ7)WwC%zdqT5ArE zj3_B6NH{Vz%1+R$=aot>sNmg$=IJ>x8PcG&2EmO~Qex6JPFTzgD1a{%$(9BU<4iN*&uW*;)&u*}D30kuUsk5rGI@|B%KtA_x%<^oPo&~3IF zWC|izAO5{%0sH7iPSfBrS#9M6_)5^%L2BT{eyFRveM>o-ivJ|qEL8;d({qNlUtg%3 zn1Y!oEv5l#d04D7Q<-48jBabY3g$#sQ&XImgusgm5-rc`_ks7(;Wp${wjM5w^im4= zRwe~)Hrt}a$L9lr1{zNnka1Jh+N|!bc<=n-p>Ol!!i1k~>lc;gY4P+8H4{L7$l-1hBk76JoQc_BYfKn0%q*IYj=?0~wyITcm1?duLY3T-o4r!1^ zy1VnPSC4+4xpQak{mRqFeqSg6C&I+*dWFAZ3jWY?O z%=RP4m~^VcU!N71mPGP=3SJQCDYHH`DdElP&pBEOMrjK2S3gsR;6N zR%_#1@lPus|zrwa~WDOb>P3?I9Xa=C2xTArbN1iu&dS^dA*wYC1ta>5o?9}A8tDJEOYg} zWt)<;iM>&iW)1 zyu{dh@DeLzxT*S^nwka&RR$}NK6zRRQ5JTjm-qi*sKZ!0t(Z%5-Nzj?9}zHGd2=_5 zZIz34!OTftnZPafgnsdyjFHydGOj4ckV%^sxrV0{7##h6y2{ri-?aj;NVw9RUEg%7 zxAbdW$JL|M$zPH`xxFd(tuVICE*H;@=Y5>!*j;AUe-1qQyy6*tN0$$jX?Azd$vzNT zR;W0v50qu&C1UZ^IgV&UIl|VRX=h@)aA5H?pdiEARa8m=gy(+;Ku36@29>r8?ls7FmqSvs8 z55%Gp%5J!&^R{H3Ua!j82uc!=`9)DDc&zsy+tvmrbQC))46dk|TRhF<&U;Kl^(|Hv zV$eFSz@TO=)rGP6|oim$b4^;*L!XIZZd)9TNDJh&#t} z6=?7T+7FYonjB)IYHw}tcGh*Sof&Yn=|;w?xMHki9%9LU+k3bykcbqb0q_O_s7seh zPQXcVi=r^i2%*JI3CI%h8??XI%V1hT4cT#so-=tPz z+5LFiq$A71g7Gzuoch*pm6;q<%9&zhlkYK^sSl;3eyvD)6NlACs7tIPhQNoxW8&is zP%0nVR4f}uY1G>bgY<5qh@y}SaSht=UD@fYPJ=h%5q!${uFC0b=dk`5%NyHa&tWf3 zvQo*Rh#_hA>-dB;>2d#uhh@6c-q`G=1BP>kTX!k-Qo6%LcS(Dwx8!FcB%=}qTrJG? zv<4dFmVdZMDo4h+wFvr|ds_A*UdXVc#YB#D5v(DFQOmy$S7$W6Jhw(`?20`G1_l&n z4Sp~4c%`m3z0R&h1YcuY}Npr{I~?Cxn@_kEl1safqPuqiHI=yT}l@y|y(b=7Tx!1MEs zkazFiz0A4A??LfQsbNfQnPk2&jdtTp(_HH}(n^_sU-ko;=$JSqFmAvwtHoRDn<@5Y z8-hPli`OX^`|(A%_@q)>S823$WN>6;kS8#EHVB+$Nvu-Z{mVsynfW=Y4Sdf!S(t!i zbl6=g$$qvkGQaih+iXeQ`g^4{3oR;H4koj_616DoFD=5yBOL36Sl~y}w+O>FseNeqp9TB;=@*55UPungx>0>755_qxs8 z7*2)pKB-kHXt%MTci>E10ZSs5a#>&2IP=mshWje1dj@ zF?LF#V2;f1%L$8SLy$c+ttKnehv_j?jUpFvPhJ`_UKfnVc;mL*T071b znKMr3?N=4|(WB|?bs}qvK0L~BrTKAMx${?UK|hwXmDDJ4*)TEzXZ7!bk{UVXJo~Ai zDx+uPBzkRBj9rPjJa+D6`uS80dj|ytL6lnSE9G_aX}oE0yh&wHZPGn3o=;;1mcDV5 zWqgQ>SbF-mZGpAEEpxnaQQwE5U1GR~QGFQKjeffYi;OSyMbDmtrPdIr0~cm|0nPSn z&208{|Ejp#4IcI;sN`k==dLR%-+k_>ufN50u(xqC<*!IKdWvpaG>Gz0yMid2>&M)x z)8Z3}f4Aeo1=y@qFOQuE&!aZi$?SYA?!zLG@e!e;3BFe9li75>EZOJ^8L?k4#24a9tA!cS_@1C(i`m}mHR@Q=6Coc%^q}a)4PN{;F=--9B_hNobB=%5UBp}cBGs=2g0hDYT ztT-w(4u2okf66^x)>k~ZZgP_b!#)AsD;`)$3{1qew>$fo2_s|e7c68ljjcl37VS&tZ{rPZwFb~#% z<+0D`uE}EO^H*2$Jq2%_DlyT1ujH8N+~rYPmynfR=a_P(C9}QXi%5@D-&;2U7C!aK zSm~*aPmF%!i`lk;RVT}s-!e8%&F9l2HX($%$ub**c%FQNV+1%}`CgRb{M1%!{vv~R zYOTj|YhRZX;0q_}+S*#k&on3Q*e4)u`2d1<*<-t(7)Ih=U;q7s+NE_UA#Fd^OTdN` z?FE(2Uz^7rDm&O(J6bE!;K4CBQTf_B1=eM5DjivC7Z`{Q@A_V6Z`jX?Rmj*~=Fa^} z-8rmeE?@D&7MvI$#;=qqSfm1!gu!U!wPbAX)rD0K4VD{s0ckoM%&3tI?UUmQc50c- zOdFdUIIlM5GPu6rSmULUCO$KWq99mb_f5piJs~`+V4nGIOfHn4^pM!`7Q{eX2?w4I zq`XA9uE#ZLzXjRpJRlk`(9`Dr;ViBe^~Kwkck7%^o2ozhr~Rz1MaBg=%i7toqdnNH z`rKV$U4?ZkOxt3dw9whnZ$JZLt4iY*R=%1X_JHj?xx=pX2KQI8uLJxeL>M(|U49h0 zg#81r1mBjr#6nZY+-)a;%RD zRDrJ8eX{Y2^N(&NhDwepg0JM|V&C2JE&SI=Ja{hOKFWC3(jnTpwhS?#^YUikv7p}< zkw~ANU=TmZC`WT97kJ(8>dbl7`RO(>zK2ahq<=wo9)8`5`etBY%GWq5jt_8-xMlB4 z4*Fuo$QoI?zWp2rW~YvzO`SSpL8xamZDKc7hQL-cp*8;4RB0cRp=A7Eq}{qshS*eb zLEu>;F){wzi|+0Wo&-DRb*@L2-$i_;1eDaaaKerx(s&mZ9#74DGw5x?kQ>WG*wdxm zq38D7(m}zgpfbh*FMZB=9^xO{=QOxI$Zot;iGUC|$Sod`P4h{FX2`D+#rTuonl^91I;Rb_tkXyw>Y2xqUk- zf~Y8x&)|unn1vo3sqK|3M-lhJvo(`6wdpO4o;(Jw5P3e{Z6FD1NG(QofG!@w~@B~a`W?s(-)Zwydf~xLrvmm3Mi>jfjJtyu98EA#p4$EO~e1 zaRj3Y3O~#}RvBD`4S4}IZ?~~xZV<0(o)zUgVmRNSprZn@IN55mNX&~BP)mBeK=bh5 z+ddfIvfGJz;m1Rbu=}HU*2ncl;TeLc>xIGiFZNwPf^YQ<+FyKd;h9>h)y6BIjBncN zWvBVk-^;(3JEh61_2fAzIS%eIoQ`R>E^+_4>n%ESwY-3u{lk%_>+eRZBdzk{rIoav zUA|4oD^_WHmtPT8ZZyX`16Q;J7F;d-oN$A`FKbRaJGLsX=--tgEj;KANED@tcMUyS zImxYKkT$1BNFa`vzCUyaCxgpY^qTiN^o4@K7u{Y(kBSXDRhcD@}ynJ(kn+YkVg2;1EcQo``D7iO{ z<$QPhs_lJBbS-LF3qJ+k&zhc}x2hJX&C3mpC75vV$i${N8b2(r&(14li#N|+g1e}X z%2X3XU`IyB->%77?i+_4Gj!OvcEMe z3}W5#A5S>hYH90x7K)ZZi7OLFjL%?bp;Q08@k{v!|D=lN9^`yJ@AATsua;j64UIio za&GO-V7kR8bvFNSE1`bIsUJ<-fcUt)n6-;3wTk2d(kId2i}@#vHqS5+Z|C1@ODMMx z!z6r@&z*8+G&coJ+*;5tl@KdTn-`Blb1?G)w&5!RC5eGe8il%#1;6|*8QWiiWhWw= zq>^p+Qr&=fR3fN0){1%VVf|QB0lYmf{n%&|&$SrrDQmQ^-diG-GALa7#<~iPt^Gsk zZv&+be%jaDG#jmTQf4*YP4rsNp1XC_4@eHu{$8DpG_7QYe54FUJ+<*-CYpE|8P$a6 z(NuR^-@Ngnait7~TEx>c8iNsKa-jk`rG$jmWo}aah(!U zTtU=ladc^I90>jJGDAf}L%VhjPw+Ad$}%@0(&LPb<=-iyfA8|Q?En1HA>N;QiC-TH zk^M_O{$GD2yf*K*|M>YgU3YbKCg5x(+Aesa_pkrtJrKX#C`c&=)oJ)kmk~eyKl|eU z&&!`oA-H}W$Y#8&!r&kffX)6d%|R^W0smiGjral5jKcpvA33U&`FX#8|K~xIo4dPx z!bKz_-~;~p#lZ*YACaF#zCAJJC-T?Nq3b8(S2^IHA9}e3{AX|fPd_4|Gl=%*rtlvN z@?v7mNsoNJvHAJ=0mp-mAf3JZ>#HVH_Ev_9;CMm6xp0h@co@|pcS4y)jf=giYBYAT z`|%!75S232bx$k)zn74{VDah1a= zx7)$SP|-6!Uf$~J>fvHzg$f&k{(gsbm_dp|?rqffA=J(I^k^4)IB^7bVC0Nqro8Lk z3YX1HbAetH1qB77q7?R#fI(d`TbUscO*Wo$^Kg4!5S583e;`-GRK^J!SNA78nHr$~ z*V@i5oQcovz-oK00}irGN=m}I#rv_eG!NEUW--=RdzBn|L+ZC?+kCKhmj^8ea@35B z7IqeU-;fEcO-@?PG>5Kupch*Nu6!@h(l?JUrp?-YSm=bgEA`X=!QIR97$cXAc${w9&8KflQC%->Qc^+Mlh`kGUSEO@|jC zb+tNAt7;%wIPk*<8s|H7h|8oSmQCRNWE-A}kB_e?`V(wh8a4D{O}0kdqZA1WVH$&h z!5crm!W-hTook01aN8~1))}sGh4zCg=#}?`_7@m;(K3BcIY$-7USR8Q$-fAoN$u-17JL=dzxvZ;!d3Asx53S~iizXmhw_U>piNGgj@q-Nsa>=qgcKi>zKI zj2apVXAm#-t=AsQ*v~>oU_7TaVl6tJr@N`*VeRehGm={zZGC-quyTR3gA_OMBSVlK z^VV?M6p`T8R+)=r0njpWaBzT1{?pK)BYi;h>-@fGCZV8oz}o$kqgLwxUW2T_sUjl- z3kOHOW`&KJS&m|*9ds?iBf~3G%9OvW5!0S1ptJ0xsHnKR)UR|eMiGWhhzbi24G$a6 z;+PK?JNKr&f=+oMA*j>-ksAnqtwpy1XP&`~HY;0Og}9GU-cE~(iW zVry$lE(D!2J2v%xIH94T&_u?;%BrYg-VlHf&!s@zo@@E=!Glk89dWZ!78VvzN9pJ9 zAFBQB9Ul)pJv|&j2z?T(jZj!#W849H7)7sEC>g~VBS3WU@$oR2Q2BGo-)sz+_6xl^ zYDG|@ovo7JN(ras!u9<5bIVGD-gIebvJ9D;ZhAvaMFouH42Tdk??qKTl8$AieRc>P zZu88{%+QGeN|2?H@tT!Ji3QBc$?l*|XQDuz$0_JgZyMx7#bE|r=Kv)L5k4_-96VEW zG^h2Hkh9xZrM+6U*6T8}p=1Y`<0)#>q6nkJ(k4H@L;>v$(}gyxuC6Z8H@Eme8$b!5 zzWZ$>;(^SDSUQ>@w=&_j-H`~*igt@VqelcQqZJA=C9;Y9@CRUtPPnVPQl6&sTziaswdF)DiGB~5NzlM31`TCYxkCMxhCsr$sP>KyEHeI; z^>s^qeZ_RCm>*w#Jz=wY?pE~C-lLL^EjAx1?MahFCl4TC;I1~K zAFoMsnr)3RQE^=PPL4b6phP(9%)%%H{XvSS4GaOqW0$ZCV~H!|uIpGUe% zPC-ejQ{$56($d*!391N+k-%agAtEB;pmO%ZmrPM7l1WGVwdiXSV{`LdmlBhHIHnw~ zhFv(lLNw?`68pmRG$k_Fr|0!3_kY&{$Px^Oc9I48`S}F}Db^Glb`a4n^k+vYI__@# zcvP`v{P_hk6k=s<@9yk~1QXqD0E-;OsMX^(`o#ww45pIk_^Af=_3IRg8=SDaB`*A6 z`6?dMgJ|>eYTEk5+zSL!4Pj#@kK z?c1Nax*nT%jg4tto#9uq9P4!1U5cPrlg}y~uC&kAWOX<{J5Atmlqk@=Of@KnM!qzd zpI?zvR8&;04lpDBP5tO-wQwMTNtyn##`}nPC1}MZAthy_hJ*OnjJhU4vjqJ>JoAVG60G>Om zqIsb^rT=Pme0)5Mvk_o`!nlm|sfIvPOn3sZ=c8AbbB{9>>A?GtBEkUGDu-On$rAfz zW#@Fw4Exn#HfJ9&eWub$aZ6Hkw_35)` z8C(;6eTuJbyXr6iv?7VJ{)rxt9zV0R^jzp72W#2?87zTR9DB#a#KiEh%NK7nwe_sD zN;4`IjBD3y!dE=S`0{Lo!Iz~?f}?^%+T^QY!WHd8Z^j#5g_2Lp`5YnCMr&~<{oyNP zb;vd-`LI8=#;+?XD)8!?nzFU%z;RLqUV?7eSD3$Rv7x0BJbZa2cG?D)*3r>1 z7q{4>2XcO4nL~eT%P$nLS6;9i^AUBX*ZJrfPK}%<8Kqnm-jHzl>Z|vN^Rj=T)cpK>pnAN{e|0JS z(vt%uJSOcEaP~1$H{ff!k{;QfRv>g-DO(waSL^Cd!8_jvM+%2RrKa8?udlRUes%5U z6rjBK4_}rkv(0kAip3Eo|6)E^Q7lq!JAffQPJleYG}6h2Ne)5xV_~5goJFhgepiH$ zFbZVrD!IjY^n%U-?0W;XRU1;rFVLiMQO zk569~XFINqIxpMW&T8C_N+9L35nA>JwI|_sQw?Yfr`;aN0j-hw+lx#J$SWwo0oD_B zp67t08xV3(Qcz$#UR{AF>7IJ^pL_SRy}XcU-?5nvfamkU21{>3+BS2Mi5!6>*#@~> z_srnLlH%;G7XO%Lu;o5i@lz*3chr|Zv6~OyL7tnNgFW*!RR%9k{ofeC#pS$~%V~Ka zSISWRwx zLmu(?T9P6+o&+ta;#Ijif$`eJgo$=m5#b?s{xg@3};!zi4}T+oB^uWmfwSSYjj=gXZP3d z_l$HPyYRh$GO!_ev)&&UaD)v!bmf(*%F3Q6fR~C4I|BUuoxw2yFfB7582}>(;hB1K zE6mY!HLq*=J~DEDUPL;cQ_dI16#`$$Iaq-i``9#(^n+gH~0>He1!NI{nL8Il?DJ3Orxn~W!1z@14_ncvopZ2L3 z8gC$0`vabii{!PhuV{_R#?}^vH>>{tAP06>YU&JZUOEGzyHyrM@ou{^`rQ(S~t%R zKM~RH{Er_$78hyB$scYP*9JsIMR|LBXJk+pRw170=T#dALEXsE&?cLNxH#JD@Q8>S zkJHL0{MgVJjfanKU}?!TXB&f#acIGwIx{n~v}CZ?IMTohoppYMF$LPCOwhzJT2 z!Ty|O&AeNLkTsFNCT|=%_$wyOW5oo1rpC%n_OaNCxhao^DwtM&P z0a~V|6$fnJVHg)1OLX%l8m5DT13}G-iaVN6ycaw?gqJ2JCi3#~@W0?JD;?J@o;>L) zHP`t3Ik`^NJLFaTod-oeD~w1+-$H)AAdIOWKX6D%rKg$Foj21Rn0xD*82?bvUcNw7 z9J~aWb3tMDe+baAIALtA(p?RJUkUR#w_epOo_a&Tjnttk)by)VT)^ z9fHMu@Th-X-6eeef4&#-kpqf5KYvO2L6m{<|M8ax!xY*y6aUi`#9!XV{Pma92U!7{ z|NUi$D7gg~(pSqC`%aD*d>{=Vv|$NGrj2VS1|SXgfs7L2+t)lNJ7{Rt1n z!F(M7$2Ai2dXS{y;iJH5Fhr4wiL$6_m3GDeood@|)n&J~LiV{6gaS?rfk~unyADXT zWWN@#mn>Yp)Ve8n2y+VlcQKFEy1RmZ_YT1%<@O7koSmPC!=q(TWBz&iWnXH84%`b2 zvGxA&;e(ij$Jgwc*4EZii!q7mD^yN!o~yEw5{{rMePm9K8KpV)q{e4_L>i&1S*UN} zzu)8Kc@xU8U>qJyiw1|sx~pAZqTh18@)^wOfKz%tMUj6-#Lq-G8K&-jfBoORJJ&5K zDUq&0wr18ieZF_?+~8mFO7!*hon#39>&To|7Wb=bvKfJRsB>JuMXnFCVxSd# zS9>0?Hmu-|H|RUya^v92CNgoo1nN(oAz)M?+KhF9_w?o8^^h@4HN;K-{W2#Mz|_EL zT97~y7M9;i)NnsJIe~gzG;&-jDI-iYZNU2i4l6gvg(M}j$ zsA$crfm&*4-1})UMpKC|8x44m%U(q4BDwu@3u@77|0Aj!d^d00n3B)T->d!4Z1l#1sz?51eFCdipEuLe;G9UXK$_u*q6lV_&{}>FTlqt_Xf%_X%7CFk2c53Xjg~ z$-SLiT>-YJJ$m%Dqa)Zc6Eq*9X#m#N6{B#BlD+*d_zbBS79X_$Yd}hX)v*O()-JT5 zIl}!O`C^XMc~12A+kbt9k=!{0m=xxG&)QUIGVX)*19^gPgsp?AK1h~%+W`7)ZESRP zbr;%z#=ytJ6O)jDz!72QJuW{`c=%I^+;G8WJg)u2xV+C~-S&P5@CcB^bwR)gFf{!9 zieP6^jOP`k_qVpTx4B3#bDPCbpV~xR=JPyrgOI`-+uq(j2~C@r-He8biQ2oovXTW& zJ0c3l5?F3}6)NE*LIlpcz4;u&P;r$+n$j%O?-@usaVQo##lZN{-tj0Yhrh`tzxYw^k zVPaFzP23wd;Ok|H_g6=vqNAIGDxmikUK1KQ#Na|N2w64W>INa~%?GS>lfO-m*JB70 zB_t6S@qI%nh4tA9qUPG17>{I9=-YFE6QhKh~w(@9o^-?(-agi!)+=n zxp7fYP;5ElPfpy9=bd@2X8?nchj17NbP(bIQPbAin%p7}u}Q(lk4B@Syg;?W4zuoU zZpN?}T+MY?QdQ;jJUfBxM{Kn4Jr5-n6_4YC~Zo;kw{=vpopIs_fyM&J2~oSEi<>^Br+2 z5IlC?xqbV|_m58t3k#8vk*Q_hX_i}&=TgASEld%81BwXzkcP(c+?)uL_5hVhC!PGHnX$*yX4I?8} zfLs9-RF@f`;R6eXjlBUc#oPNb$R|2FI%pk`I>a|`_UlpS>(uS-?jo385E1y@kXh;T z=br(wQcFdDI%ZlRWYU%r7bo|=M#355{1}cKH8!Rt*N5f8HwsuyJ}@#e5)pZooSY12 zFi+IF1DW)!yUa+d#-+cra~&|p;o%{KF91#EtT=&Sun(@Yo)-DVekmv@ppgU5M$Bf? z2QLK_)5#YcK%P!rZE0y_hhb+N2NM&MCA>vICtw)?W3G24z2u};P*<-6rU0x$YI-_| zT5L=VJY-B<9FR4gZWYM4Zrv)*>HrEVBK*Mf!wnLW_>hnXs5f~Wa)8tA+Ln@(M89@z zre?5xY%Br02cn=0m#*|pU%nB1YYEWBAN6C9TSu1(M~4tCKDWt@crX3eQU7ym<;w943VvPa%t%vBncKd+ytB9-^jSt zsN}E%;5`UWt~AesoB*0;1&Z1MNJ^toP<3QV8MEqDIHgb`z!5D)t>~>-lt+< z2<~GvI@`DjXv53$LyE(j^zlEC<&&qFfx#@0xlS6dNqIz2neX4n4V_d{Q{(bDaT*^f zzlx6j6-@D$FYFehkn~tzS~^l1DF+e=aJcc+ixF{%ix>x|09et5g#|$Dy?d0Rue(UW zIYhN!Y;A13M>7FGhp@75`{8ayg@vz4xUS>j*+JF-cmQ<%%JlTcu`zcrfl`uYh-(GV z8^o)8mgBs&n;PJVh0>jGx|1&5^B>Tn5bG;lgkJib=g&KvoY0+B}b zIdGl#J`0P}n-}9h#4MHcu2Vau`V2okD=Xj% zNGM#@6HyQ!JQ5THFNaDF1UXKP40I2}jvB2@Pk+^SlzaR3Ef~;LG;K{r4lb^tPoKOj zkv%=nnG7AfSy_l+;1;r(v5TZW3@JzR0gH}q!O+t0iocuZBNg@09MP0oJO!Y=;nPG)DOOmVeS_AFHRCn z%fP%m3l|seVBku$G&Oz#WYi zj~zQ8Z-ciodaSK&p{rYH)SV0oE(l_J8*wN_{3|AdpiB`y8xBkBGV3{)P1rJ&M70$Vi8Kr_84LAXa%|OsLHmtbQ zs;ftbhSZGg8Dq!TjC<|?dWDH@z{BqaTIvI3zzVToYkNCA4NW;%&W8^_gMC<>1~r6C zAI({dTj#3DnC3R)|c;7qa(ng`Chw8@vZ9p)YO#GN1#p_7#Pys zAuS47l2k$#h_%tjDTlBDpTeV6GsTquySpFC!0KRv0K*jKoAki{Y@mWhq?` zTMXoxOUe{@Twr}D4pyVEEME-5tVtm(4`7aU0;6ZICGt9dsfQ|(WE2%;<$xlp2ls!P z34|~Ib$OlVWo6M3&CDaN?QvhA0!Xf37tGFrR&J5_ejr93y##t?Lt9kr^k_MsRbv@Y z)>IC=)#Rs}_YF7Ljt&pIFEa@?1G$8J{~DD2ejd~{H}9wicdslb_hT%pq-3`*Q{gZj zVi-NhqJkvv42yogoDYnNr;-Dq^oQh!Ha09eQQ#W@qLHWSHNDm;F?pc(FhFUv(q3}M zbA^qKP0H-qGin#=YU6wzpM6>qOi_9HK4Aw)2VvL5f_il22B^tgn;iKI<{-A_!S;0m z0szO2gEX|XTn;O$Q0@r^60OFj0Kx~r{W>rk{QiBS@TjP`=xBOK34oIt9v&_Z&Ho0W zCBkYM{|B4a$j6ZEU8;ghxuc>S7SC4t|aTc?e%j*$e@R~r|C*-A(ZR#a9F z4-K`nwBQIL80d1Js(QIMxCdFX=t!)Pn@WKk5`uDgfyLY`+-cx45_nfs_uMV(qsmbyomTX>)V)s}+UIMYXk>(#m^hG;w|8O5 z`l8OR@dYmtR^Sw2CvgOo^R?X%Hl7|ms|UvkDhm!>SW3T#!^h(uu1m%bz_egpq)}sd zox%QIBo~sA`3BF}*fMU$>|;)SSX+%FAw`>#D6al5i;WA;|K!4YSh4c z>{e}00@jP3^)twX25VXgqE5nPH>*hjDVF3qV(wyWlrNg&7s1zBoVJDKA3}^*`h*oE zGe#aX;ZQb7hrWGl(u46fJQbx0>)0?gZDy9YY@ye3dF_#RNL{IuvQo`mZ~CKt1sUz6 z@jxAJ&!f*Zo@Y9`-=>r#BJi?! z(aZ`2Fht{UVGA|_VPVil@Hq|}na}+w+#iz1#I+piCX(0+_*4P{iTRT8?mhDQQdhMs zEb_YSxU~VX%}Yv8N)zEKKvECrPE9Q>XEH)ajFOVBuC0xin5qD$M5~bQS1}A^c&)>w z>LtgE!3Xd*jzXiN_IGz7T|#r3ZwdJp&`NyfT1dM{#U~_m#Kj*$=uvleBxw}@#~MVn z-Sz&Eoei1Dw`GzdB8HIPV*Q+5T&%dG90TS{?D69+r~x>*GFs>9*&fZz>R@MwSEH^4 zPYSfQ(OKl1H*bQ2F($mg)dQ%2ljW`pz9tiReVOUt;ZL^ZeFY5z?eIduiqr(>Y_47~iF`o7wEkXtXH~Bg1Vd>v*Vhk_4t=K4$JzR%26(fUI&ShugtI}kCzAY$$Y;WFKPK1 zG>4Ew5em2a5v#N@k$^|_6J^|&1EW%bFP1}x7KYsY&cj(ac z!-^Z$lmGR$cgTe2xjQ(Y9gQw1kb%_O7d!Wp18c~PuvP`$BJFK((|~y^`THpsYKc#_ zslo6UZDif{oD!?bkYza-W-GRHA`S~%dt+U^CEzgLXtCiqK}qg?ur^wMTu5G_IaO{o zXW5OWy~&a6RP?`$z!@nf89#mU;J0rwMig?F04hVp2ExvQX8`gDLPkK$te0r{_}oG8 z0q!d*C_wQTUcp7&I=4een{`Hb?f$L>2(x@3EiDb11%`5pBN=9Z4#8ze*QVj^vKoP1 z8?0{dY;J2S8ZtXtJA=R!1hmhRR9n|WOW(kNlmv0@!4y>}M1iOa;_q%7PVW!|RTItp zQal3t;YXJt72`=XzingV<~^iZ0ZiZRlsis1g5b;_B4SCP`DG;}K(Gk8r1oK>Jc z41+6JE=2?b2m-2X3{ZU7PRJdAs{m&Oe9P0kq@CSeg96oddR$ywA}Dd9xpxnUW{2@= z=N=jgq>g^anueR8Mczj{o70`RBr!sa$if4Sq$qjyX?)*~tqu)M)ID}1%8Qv9dt){O z4W*l1H><@vZm+Ekzcbp+{H|`n}dL$|ONHRmXEi(9^d?EWszGR^AwQ@X% zEF7{wK5v7}ZmJ#)%FChX74Ux#0i;lX*8=A`B-rhnt<>y9lQn8s2P;umn=K_uTnFYmcYzn(BK++|R+7_4*7XhEpm>6-DK!5+I zL~N|A0AQhv^*SM86Ki^U`c?-%{Q%5PkXWZQ^@9kC5+bPg#*On5 zR`%@3&)GlY|Z^z`lnWl2@lHZhUdQj*01n=xlH31E?j zi%U&aRq7pYOv_pQiNoOPfZD^RASdq@R#?VbKjk?+PuCk)4$s$a^^`r_{~X>{SVY$9imSVTzcw3} z8D*JHM+@_>s6|BL^Rt&vj~xlW%5bbr|2C>fXQmJ~A;=Oam_(%6fN6<=Lbp1|kk6}#6^U1u& z5nzA>Px^bjn&hZKcm*&>-nbgba8S4L&FY8`E_*9*6b%M@Tu0d#Ak!g13TFq>aT-8% z20*i_E`|bCdLRryZ?@REd3az~(Mc^WEfe3qr6~SH?)%jrO7HCL@wXWQ%YDlLUTZQs z0{8tw3)1gUIlHsHJ#9MJ-TkBLI!s?y_nN!%>lJ{xwOOw0Ov@T6d4}R6$C zC08`Zl(E?not-SH;l5n=veYDPM|x1@@ySV8;C52eG7&DJYcN$j^UFU`vzPAL0SFl$ zA0Vf4P>-i(W>PO9+nt_#jS{S8 zi@M%co}HbY(d7KRike!>HJG(&qvcO1*gbJK-Nwcy`ghcIkbGA%vJduSV1VWPGYi0g zbtvyV7T8f9ote=;Dg@MB{SuG?{0&6cP)rLE8a4<_VqzWaCzK|5`}+3MRu8TKUT|@C zMnGC90Rg%Yifl9sbba#kEumaiM&>mf*fgQ^Dp#ZIwZDH0gt38vl44@-%kHv(o`=(sWY88DEDurS)0_2lZR^!|Ndy*^)(Q&7+whX4vqJqT~brFRmaD(vRcDLF?n5_IG(%Sn^$wF+FMzps*!S4tB^`$ zplWIV)ydjQ%-qxiB>-8Y<;z2|JrV(deZ!^8eQLd_QT=|_VTU%0bQ8+)oYjfgJ(a;r z8wFvu?+nP$zT3_#xA(3{IXnw~H>Z4h#50VEx6Fb5N0ehDD=M6ol?ll8hYAgVy#fvk zI7VFVo`wbkFaX{mA3y$s>01OPuB4<1VCR7xO5k&itO#yvX%UZ~-vdUW>;1#x>agr= zQ#ZHj+}zycWL+t#YqokSfX9yZ*O}&shak!6;!+9h3zP%_GB}5<%+^-t{edB2ZmTt^eO3eL@XNK%CcmPAMQo3YZO+BNhJ{ToL>gqTpMr20}Er+O_f~#K2Rm zuC6vnQKn}a=W1|lt+FCbT>KT#sM^iU>lpWR^;i>eJ=~deSRER1e^cvx8jIbdbWA;- zM}6}RVfpJ8DOm$`?Ya5d_RgB?9&_Kx6N7m$qxVaHkgiwR;xc%$bv-?JaZ}Icoxy!A zfZ<;OsqalV??@?D?U@Z1wk)fRFCIHsP2BhD}DiJ2LuK zj8h#rQHyU&Z#ChaS)@vD5SugSx$@%4i>ShYtl+W9G=~a@~6q-nX6)9t?w0o2B ze8wg%?GF4yiayF=u@$6bT7!%`_s1c{;=8&Y1DAm8~}P+8>#q{9$i+0D(( zh$1v4C1vu4qvL*MYa;5_{yrI(%^gIbvw|qNIyOcV8##5OAy$u(OPFFtPbCL66Sh*Lcl`thhXxuiZc&V2UABl*Idvfi& zG;dfl_Ks?%SDflUsb{6KnkLD?h*<&frR+GZEoJ$wXhocIWy(?rP0MNuRb%`z{kR&g z?})OB=VbO|hot(9?9;XJTIRk1)rF}htV8CsX78-S9qR?ZPT{(*g5D<~Qvv18p<3gPAq7!nYJT^(pX0_FT#;uc9-g6VHeLNa^#WL2 z<@kgI&_Cpn7|9YR%faCSJy9){v+nQ|aH9d|M(lC!fQ|siqC0dX3J5ST2BmH211?XCh9Kc)XMgHhhex;L&I~NnWzp+`>ZNARaDo~%!Oqb_6)+GXuYn4m zv{=pnUjeiYFj7YAemIn%FHTs{0>BQDeo0Z$G%=S^*ZcBvPO7@#ebRpWcfcAGYGwd0 zxB#px5)wAbuf%0q8UAehY0!!ckq!}~rnGbinQ3H~>ch}k&z)+2HA~3dzv=JCx^B@K zzaVtaKKIOEz$aR$_852Z7Mw+duJTQ-SYG=f^LoSfZZ@G#jos@xCpgZaw=h2!z*gU= zqj!kKN+*Zdxb!{w$B*yu3K0C*UhJh#&xv|LVR{(bQIosM{gDTRI9H=);d9MM@LXMmLzOaAJpx-65fbuPU7e1aIs^J~U{=G^ zr=O!HC|^So>FD49N(BU5c4(NH<$(5s6a|1@Y3X3g8AL%7862F!4S70f8%7k?Lz@Rs zkx($^d9+9k-3rdmXV;H^mP5I_Xf2CLN)8STTwQ$|5)uvEDF9k{-?#YPfGq9>!wL8s zDD`qEQFeRT55c#(s1#J&gS!BP1ECRIOggndSh>TGAj4~@uYZSATUhum3rk^64x)ma zj}I!mwNzA8AfJJ)`{c<-Xa%UOj zcXxgGamlsYEccVUXNPvNyp_-U5Ha*@57xD=f^GIhO64)0p8EV$-+lVy;p>72S%EFh ztpRx)4*WZpJKj@xub^=n81yDKjs?4t^5Mdq)sJz^D#CS4ckf1Ac*%AVwzGd|I_>Z~kQPEX?I- z%-C$SR~HzquPA%T$Sni;YS*9gh$XL`Kq>66%ZrK{;seMAL3S;GOIu0F9x~(Lo=kHv znp;``jKjrdMG94akf|0K4!5EwfQ;DEu_iqYIr&q_!onn^vvB2H_1#~!ZWwOGwY45v zS~{*5gU^gF7}-F+7)_(54tTn_#$>4J(h3bUf&TI8krz5E$FM+)K zShsV|lWEy2d`6GuCi@Uv~-P`r2r#>t?($mH?sDr3@V0 zrPz^VVaap7`O`NE6Qvw}Wi?q_t6#l&?h*8>Wx%Q@WMr1D9zE)wwu>(>EhFida9mX;}YgpI|K|X59%4)w zWYBI>Ir*#L&>fi^r1+x2;fG_1B=I8i{GJjc_;_kk$^>N2$ih^Nw2V{4>8YcYwIlhx zf%Bcws>-E4UCcSktyA=~3%q-}-)RM#D|$sUzG*%{t+<8%uqwxVb>u@$F9-MV%8?OV@x-%Ck#@>BJvRd(>6b$ofjYaIzTRp@0Z ziX$Lj$E9TF&6WA%o1_U%{?V%1dyNe-k2)il`hXP~%^NlMn4d(Ye9A|7UI2n%w< z4+8BW3CCaVs1ctwGlL&5B7=&~C4*YwMs7DcbF=t8A$e+D^YP97)zS9q&4zmen8dSR zTuZ^*_(f}IDjv*9XTE(K@Ptr-B{w+s!_?D1D}QVWEh8pNKivx}Ww1^Gg8QzOIRE@j zYNgIGd*L%b&)E}Qh5Ppe{j$_G((iIHKU~Q9Zko8x+Sk`({(tfI9&kDSecyOy;fF{? zse}|7MhR(1Ly|;k7tx}jy*oojr9vq!QCiyC+h}MHQQCX&y?fqA`2DWyeqQ(Mf8YQ6 zd7k5Sy{;dpI?wa?9^db0yg%>H`!iyn7xeC3(3`J8M%T1_TO2ZJ%bTxxx}?=TYYjYX z7O<7StRdy=u9onqDzV(CwL=_q7Xz~_hhE6p`k1&gHc>BDu=cvIqgU_hJ|=N9R4Xg5 z;h!aieKA22i79iqq_RL%WnQ7cR^*;svpdNwqjCnB&a<4YH9W_9J~D<{RF#`hD@Ic= zV-LaK>a^cjR=uAfV7Fj7C$h&?e_%c7fyEvbd3}DmwL|sHwHYQZ-ZPSlKPSS@8dojq z(_i~m3p>!Gh;&J}qV%Ie9Pfd#pq^fNuGiFhe@)E0tcM9!PLZLyIsEs^!Li(IxeNM0 zSOl1+d)EHinXka?exKA-QvA}zUM1ZGdc_xeR%_3NLiV1+N|>3r!UJS+78f^msE240L@o^Tby39Vp;gh zuz2#$wp9Z4x+S|t9ufi+|8j9}>n0?o}ZH+;o{Tdu;!Q!$^>t4Ow zS<2HTW@TK_o}M}Ne#Sdbbj`fAOEJu&6mFo+5c3yo{FW*GshIZYb6TJM9HXaByLU$G zYiSG0N=S%K>=UMmHbtG5DZ4&CI}W zmpvtzxu});*ITEn;;W|^H`EsMUdI7E-pw`dHS7@R=$QLxaA}kFQ>jbo(iBeFbc}X9 z{=I_+4UwWQUfc(zu8bA4h}tOEA7uOR>dUUv8Vj^xB`PERy;S!Strcg|T1HGhWoB(6 zP2M_|MN_)lQ2!38#q#8^!-@BOd7=-QNlY}E+$O`HD6Iwm=C&`8^KTHqJS)26$&4nF zFFXR*2I}ZnFsyh!^-kdCs_CY0jZjoTiL%A!%L?(gG%vOA_+G;>_kfN=iSlQk^DKMw zuzoSzsD%K8JISKwz$imDrQlM@-z<^dKn)zqh~tm;1B4#}OkP;6`O|1^<( zcn-nc7cr^pYE%8gBg^K+2vX^;BTLie9a zvo9oU-LmHSzWd83Wr=1I9WkX88Rg|}0gH0MKrL-8?NCiY2@uGuXA6atW0mK(1k4z} zpJ8MBaANqc8O`r=1qUT`BP6gL%qAwxCjR11G6R;suAqRwh$_C$G)44VBh7~7u$%=p z(}l&7D{lv{R8_^8c&C@CD#^+DEbk4oE4XBA95|jnrruE@q!_aKc+;J6wb;^y&VuaP zkm!1;o_vJ=r|pO4zSyK3|8{lLrm^qU^}4-Fx2hsjkaA^pkIpTIxqDE7h&++LYpirI zD8lUE2_JeUKcCl1N-DWSQE#K`OFw>8Ge3JZX_AnFc3zPfH$Keh+;(iPdxyQ;1MA;Eh;V^cZ&)SuT3#zViu8-A{xh$ zk)S`GKq$X{t*EXZK+j)rFa{@|>$koPiZ}|5pe&`T7#JDFr>9#Z#6Z6mN8_M^VPPzPGjW%ppOp-A8sa4V-X6} z%f5h&NHFnIL2A1QQp4DoaVWT3XYkZcpSH$ByL9OiCflJ~d5Z0baL^NkUBw36!TfrYn0xke%O zq9NeV$6wOS2Yp+>eKc(v;G}VZR-(N<=*C_2B$Qf_AA_ftr!jg-5qLWo69Tp~duHB% zVo6atG&j=v098Ye#yqWr!GQrwUM3nE6ob#up=W-B-8@PJo6nF7f5m1)8s*US*NP1v zkwW@5EJ&wyW3qhs+^x{C?C6>9=_3a&1|*esQy2*SslhogZR2R0l)Jh@x2KZ*npy9oM_2fs*0!ee?a_CyKl4pKQ33}IXnr;8FQ32kChC&bytWK5h4|!K-cHQFm5yk=T3(6_VR}G)3 z)64O=yJk=@b9Bxe-ulP#kd44KX79Ihef2GQpg4VhL6;8AdUJ%5gm z#fd-4!xOUMB8Z9VpyO3g<7RdAbai*_*m3Lj?F&?|X}HwRSdLtuQ=UVWKP)5}Ye!I$ zZGwMMk~c7~P}kA5S5ENO59*zmhk^lGA~IcJ34%VMNfxo3JY~68aeFq05z0YwKH`Q-@So}4&h6^-29oN6?@fK z3Jcr*5+k~WbW{LAzqyAxi^uoeBS()aV(uWG+6HDwFx+>NLI=flzf^Q2Bu!o1o=Cwu20BpuIEh;;XSc`Xr%LLD)<3NJ| zs@ofj-fz2plOxBEk3%ZKGk4OWqM`Np-`0h&F_)Q?Zsr1!B|3#FdR{Dh-zaJD_^J(t zBDW=k2(A-Y;9C09lBHSKMHqt0i}UoY(A(TYCLwZGmMavftJqzz!M6C7hK|DU&R8q5 z|9HlHZmqVJjSbq0a2-bqhio8LIMD*R z>}@OGrIgswmctwMx&Uf-+oR;=D8C(3G?`#mTI9= zMiGE6eqP@exyzS@C|adP(v3TvdsH_xg@>bW#q^e_=);th6f8*3x}5NPu#V3?JnpnG zl4WmQX)F8ZldHecx>&xo1ti9uzLFzfM6HYpwei;}{XqZBO3_Oed=EyL8I1ssdO;JV zS`+~W%r)d3)7#btreJv zhKe^R-JxIy-0uF(SGy15`1?lZ!Hj^QEhi(h%|EX?_jY|U2eSz9zU=Cn8uzD9^*l?( zMMQui!Nz05S^<>Y&%)xfYVTP24EM-xGW$KhdvE@^$5x$fTyIrZI?kF`mu3gyYqFY_ zz!mGfK{snH*nEd-U%@xMJBL%aO*kOHw}J@kiSBolE!EUspY(Hga|^u} z5z+g6pZLX#7r}c$g#xsNJjF1XvQ;hOD~}b#Qj6jDW8=mGwwBF3he4#y{%SYnO7q7y zlj#^F=2JveuWY>$SLiDctRG95Nriwk7+8zdm=!N;~z_@mcobz`XH#`|o>^nEoYTK2nrd@wDI|*SO&Fx^z{W z92`jtga-?VZLeHCo!m!goldT02wh3+?lt$!Ym{pG|b@)E|!4EGT& znjcfzL9rMZxJZEx_yOS0VHbTqn*u9NO-rjhjiYb}?2r53U_4+MmuPmqQ|t*ALjbW>R)(aOI_#q4d#Lz^B+P5t>7e1j6NuonBKr_Y`jtZ zWeWyOyEc;oJbcR3O{X>Ohl&>(X6R)|F&4{arJ;a3tK)?NE=W3`ux96@vK5IV>c=Sh zfH+gIWoWV?GwgB1Yz=3Vg1O#QZN}o(uFn1!8p2;AKi?+{9CW1I%)#)_aTUtab={@@ zBJ+`z6Jb9`qzILl-;|_dW__}p-h5~lLSG*^ECiK9z|MCI^rn1Zy(*~1&`yGm3pB~3 z=v40IM@SJF9zXUyuHt-CMLF?gK{vi|^{@CSWtgKKvE+I<)X1#G?X&HSkp<9`Q7~D_Jk?K5YuF zmR)pI6rKGRGQqVgceEgXrqFVrt)x|7<}#|Q7cMe@ifAO$S|loX_|S)e$4@DfAKi`J zIL7LhXfwC}L9FUI$;T;2PxUVC6h928Re!+u4UijWV+38o=Zn3Jn@L0??#eY{m?xjR z60+H|L#+cqwIe0mXlRp5Dyq)IJw308*aFca0?Lfp^(DSMcV@>rg}c!Pg4>7m53Vt@ zhft}y{oUCrA}GkXuR4N|Qd+sVl#?&s75#VoNhK~j8ehyhpbPErf8LXvlt@Q3hWn^TanQP6;`CMsUIdH_jh`l)5+}719 zt$Ygn$kC|T;tbR8t@ITU31V4+GoVH08Bo3Q&WZWSZT=$i#fy!Ds9$*Yn zN~Ii+J0~9RJaHn3Hm%%erpG57P!1A#3TDtd=#)-7K8sPZZnl#AdvUqG>{w|=MhbWF z;!{YCxW8<{G=XVo%i!SQS)Y%qX>QJm>E8n14AYKN`Qr8Kvic@KQHb`7(GhA0x)B=v zi*U{ej%H0>>)nRNMpVYF=+W^wyIKvI4eIkK9x4h6k*U|9s16C0=K%qB(BKI@vGXP# z7nnbk4d?jF&Q5Gu<;!e)g)ngrJ|RgyAw23g=h|-__;hC^uJVyssOwDbyLpRmS6=AY zvdtJ9_LHiLZ)qxp|rqmBfK-stByXz=;FF5~VsVP0fSQbU?c?Sn$^8v43y+V`}7^p5I z!#u~t-YR%0?fr!iGe59mPfUuvQAG5475y&N)!f|Nw-SCzWigP=w3-pUEswWAba3gt zA~raB1HQCAIi-dHBB)|YO5TBp+GO1U!Id&sYv+2f)dvS0muIZvLR zTy9Zo$l~Meq~0M_YEAE>@E5~Tx1SfQ9%MA6)@n-&s_*p~XXpE<&By#MOf--&v@3)~ z^eu_JGB>vMChPd%scyxo$vfWLQ&Yh6NV;<6=s=}ONp2wDhYXb*^N1d~x9=Pszp>Gx zT544GC;GM*L08I_&6{1_Y5T=l$Q++t5&qz`{~(8cpQ}*9H6`yXEGjpA#XvLbK)ymG1M2z|z%3blF zl2`6{moFc)7=yVEWjW5zbDVz?wU2MCt84TpH7%CH$PA4tBkeLyP!S+c(P1`r-&3zG zA`(5{wLe~naeO>9v8;S8c^z}dwSgpkQdAp50*EZaUxPZ;_%D`@t9Mj+!%o?5Q1dPe z46V6vEJi&e(PExS*?b*<>wt+CPUc&0+V8Ft^*X678lU89R$J8O{yP$LIIx4B-lpU0 zwyqFQPg%m`B;9^kR6$lDgobjoVnO4L#SzW+XfrC9nwmm5Twv${#L40E?@e>$*wNs# zaOa91kD}H3qr;k2@9vCz`QoJ%Y1F&aa$)w-*e@c;>@fAYNA6U5D8p$t_KB7h1HpaY zrw^;tQ;e!`z`(_r{IDb$xo*FmqWwUJ>Thw&Ezv~Tl% z)43_s=@px=&!X((COS7SI*q5l@d}5~9lLkiPWH*s_4oHHD=0v4kRd{qtl|mmOsWcJ z^fpTvPGDhZ(jfY0BBqJoD|Ned)sQ%d+2qG1?}S#!F1WI>@=?tTG@h{LbV)aUoA@r= z{tn7f+C$p6EZ%G9S4G|@Sgmg|B&r)(joimR$25{gIwpa0mpnLO!x4LD9hk*|He15F zvL)?Cmr7n{AV92|YPm_SD{-Xel;l;DW(NN8Q`AuzMzJ7SM5GOCafF+cde5d^G?xb{ zhHr|&#m3WuE6Y;7VmaQTc~ntun(3o71=}M{haeLjrHiy9Ljcf+W z$!If5kwea!`)t@&>9Va?Y$LNLsmycRy&yYg%lLJEQG7w5 z`?byRw3_9H15D*s(UxU|A*!9utx`oV1+w{O7H<{fnbyaW7OOJk!P*Cf(X8E-7rnhF z9gp1k5v3hyHwC$XOQz~%LRIlFnw}ey`l@Zl%1Qjw)qw?KUYtrJ6G4J!7JHb28aE{H znH3Isep__>w&mm=eezhJ<=H9))fD@#GM=fCMGG;}_Rz;}ma~KJzuVVlABn!wnNZ#j z?!%Azn4JBNN4i3~Z6>ojw0{P)Uy7AU`0*-*wI)VcaIQ8;&W}8Br&(9LAiI3>^`m6d(3()nCltmgeyuDRODS`T&7bYOv*fs84y z1aAB~)A1Xh9oZUR`uJE?iqgWDv!?I6u6_*}F``AZjf{Cn3lQ93^fGg$w%ixtU8gAn zdH}-i?TvY_(RC6HV!=c7@0m|LJ}dMhj#v=t!8!}u$-%+`|GP?~=Ok%4EJxE=V{(El z!mdp+rP^HnR7A~Z{7G)z;hSaw>3mcpb*VQN17BOQzvrSKiBw2G9NIm*sFZx0{<{aO z6r24+zx7Sjk`|)ADJRcdi#@24Wulrj5f&Camo5IVwIrJCeGA1V4N^Jq6G=v5xJh|L^*$9F&Mu=y`st4Ju zvfsUmi;V3YKAvyEr_w`4yOov@!qGS@T>3!}a(W+FY6r?oUCk*z>@{i;+x2eQ0j0g1G`q?eG zHd86-R8V3x^VZYvZpgCxFYAs5%e}vL_-*`cLGEOe_=L`4`&#ReIkET_r1?I0UsVazUH&x*SK3==A2s1VTEKGyCIZj^dn;3#z9N z76x)Cau0v=k!frV_ow{)=`pvnfPJ>9jIMSb&Cuz0pQLw;yeCyK3pUINN?PS9ez?0N z{f$tn9-&f(2r|W6G|JU4GJPbQdIrIq$CTNaw_un(d!Q1;r$S+f-A>uL(($@~XOb$Z zpX%U}k9BrdO6oV9E^3rM$$w4o=)!dU>xHjO_EeGeNy9sYPxc6|iv4*!%**SH&9q^x zsHoo9>uX%&&lKeSPS~m1er}M~Uf>SE$CC-h!(=_Ae19$4w@1w3!{MpeH=tjyY+pre z-;dd`YF(e=ttVXeoj_BP?s0E+-yGA*t&${O1M431SbvieiFjR-bys{Pmw<9zN%w2p zlje!jqVm^buJAbCz58HUD>*-N!ge%)hT|2VO;>gJkfm(R;8cQgHP={r{!{1S+l%Q* z?gB?9!U#1FvKc4+MvO_kKFhi1UeU|>R`OJ2!V;!jmy?0r@vyMusjqS9*x#~_%qAW= ziecmH9=_Gys*A-vo)$|}b9uD>A42b%jYdlOzOopdWi1e3{L!Udum1*5IAu#3*VL$d zjf!c3evR#PW6JWkj_KxRlkRAX26L&2_)Co?^ahJJ4#pPAy`Rchs0+_F>=}$_m+y#- z-58rSkQrV!RNV=4ZZVTL@Z!SDNdM;P58+FV&-}D62JGfboSh#w99Sl8>MozvJ^j0Y z#}?SLp3EU&x@XO~lq_G_jD37rBXjeRdNiCfYsw%6O!t;hqSblWe`fre;IOrdN7rMX z+YNeH5J{TSK%T|G;hgD|S|@KcGn1@2a>MqbqvD;rZHnL6Jlc|ebZ(}>W2@kF$Cp93 z0aHuADczTcqyxt)@pd}`NYm$}<=?BYOpQ975OR+`?UM5;nHp9cDpLhf5 zpTwTUbvb_nu{j1Z3`q(X@8m2_ky=J+Idevy>X7GuU*=>plFU616PGz8f6jb?bCEOW z1RP|>`sN**1f^zYn63&ei8myAMb|a)>xp=1aX4>be5Ka@`f*@Z+vnrK?$b+MKiX=T zjHmbg3`ifa6wDa~4et2|GXAMY~pP~8w<2GSoa80o(bFUWq z5RO5JQJjJ4(Uj&7VUR2D(D?ieH%f@N`eyQ2K-P3s^hxd4<0P)kqpdYLc1MyH+$HZ# z_nC}lFqI01O>s_A1rqLj{3zQ;)~tR+JYmyZR=HxdvDcEvsHJ zJu)fC6(;=fMf17YWp4F}gBlMyi{;r)pW@+}d_1~r*B#(Cw3M<{D*zjXj^|F^`g(?+ zz4B=}Of!DuH}{dhlRFguC!B5k3~jb&>~vZ@0Xbvy3_hoB599`9h(6pnuUaweeB63U z?Ifw}Lpcp8`Br5Smsf~q%ce3(${X`z@NrYdIbaDW>0QeerPI zi`_TS>sp$`xR(=!CR-T8EH9Ke+P47Nn zJ9=%VGbeZh&+Q){h&&Wm-0)AR-ZI@68l!|EJr;JQ^H4NyKE3g|O-~z#auSEpsTh4p z6l!5nABefS3x*WD))^4DTF!zPc_}Zm<32vK2&KV~Yrfst{Yq`0xoKCTbWqzfF;}XZ zeJdaEaR}Hd>o-HRm zq69GU6Z}*nu7CqFI^Jy69RQZ(W6Dc{ixcZN(`Ako5!&jIPU(U>_JgwmbkQ5)4LWOX zm*CjfeW;pQQM`r0L>y``s*LXDxz{#BPJM@CQrlV{Y;9`fTJyriftE}t^HYjS)<6Oa zvtz%#SpjuT)0K&eN0a@Gh@fPdY(DSWaGP@FMrs4ljB)hFamgmx%VqjG^@Ysd_^$>xYTsExA01Y~g=h^_&>Los=F=OVnQ3{zl{HaSDbB>OxyJ9Gv+mgs+^j~q0V^o(n6(fr8pU zZD&{Qd&vSPQ+S`KP=Ny{hdqSTs618qfAa#?L z7pLQ&qp6)n$|4E0XY@zLyOU6LRgL7m_u^!bMrTC+=yzzA!!86 zCkrbl!;h8_d38IU_grZmFQA25f^T0LB&u#Z3gHx0YFFu3M{WSI2x&Az??2jA(ce3W zep#gCy|pt*HEQ&EpHY9gi6Lac;spT^KIv1q5QU;mMlX-h6)Lb-j!64kA47Yi@c z(~h0eWp_HE$MLKMzilgvJZmTsZX$hc>@FuQjiVeLWDOaPFn{9<=un}!fd$QJcjMcF zmFcONAI@PCoJ@w(Jz(d02j^$!6HK4`&V&5e^UC zM%2ISgq}h}3$?roN@G;tQB87pM)V{q3jG(fOFNe_@!Xb`Rk3V+h^1J*#LqpTS;U&Y zip*jEOQr0EqpYv(OPr7@{rWBr{F=bcWsEwWi_-{Nm!0b7CXz);j((&q45Wq8c-0*) z@3BLXE8u%%QGSLrvHR)1@E~z%{>f@g5^vL9T<8`oFD~B1%&ri(hfWts3|0_L6}yFD zd@iB^Drl4|XW>|~U^~oB${qJDHk%LsJtfIgRNa2I6UF49xwtP|4h!6XEA3yw#u$RK z=+OVN(-rN&$%%KcA-NBs3QTJep8J;~#akpsGTS8mM3sfa@=$!$$lwNH{KTPS$B*-w z_Qc(k-eAK|e9F9A=ej%RD2g{-sIAE2p1i}LkaO)j|IZzG3?G|_VgPXdznFKMRm)UL zo1_fp(W$zIi%N)LZcgd&1)QwvSjZPS!vWmqxg!DQjMO zmpx=_zQID%3!iLpSaV1=JWhN#DdV*f`ojU-KcNwcP>63c7&J0$<0mVGsE{FmAZAA> zNQq33c@SeqqRPI0tsPpx_7FIPZn6u0SJ8AvP0nO{S2wIc5iASY9g8mF0jJF_3Cwor z6vp7#GFf#zhd5z8btX=4Qlr6*KxRat0}NiYQHwhH+8JJ*bzTeic|>D&2hN=yiQJPeXAui?^7#vM}zNcV)soV|MI@V)D|nDG=| z+{(-?5UwQ4T^N=8pho@K^7s1-pTpHs2Xf3VvQP5p=4;E;7PqZPpcfKyFGiwc_4GDP zRGH)s`(Mrx+jfIn{oFQj&cCxtrhYMhPxosVKh4_J7 zgmd~bx-qG7cO z2T;ZiyYeyR7XFEfo_0t);e4V9S)aPejgkNKAwUXMh!9ePmuCtD@jbvXbJ=1)nnw!= z(Y=poR_Dh|8e;y9z<9}VW=Gc7mThnvPx4XoOe@CGrh-k}b5PGFKIVW=FRQs;oQqKm zgY22f$r=gCa}DtDcqz#lBcsPO^_`gK+5XtJMs%CV$}W&4A?OZONLdyK^=4 zqEjENI;Ud=+PMgE(FfkD=0DY!=W0;+%I|{vSbRip@TAYrFgxw`_ZcY}^b^(K@BuB! z(a3YI{EFSfnKAGoJO)sYsdo@3LL;`8$(~?$v3+5I_SP`<7Snee-W?#8Rv}SMUf0EJ z@m5-l{>g}Q4|?t-rpi}pW@$*o>L_wa5Qp-5AjBGHpzUq=^8<_HT{w~{Fk=#Z2t$Yz zn^w37rCCf&XmfJ|Qx4+Y%#Hvn^G?_}L#ZieqDqoz=S$R)NtC;aW+lSQK(^Iyye~4A z21+@8CphMyez06(8h&J#`KN^ECXyV5_iHjqvmh4$gY|` zfkwM%{F@Ms@1*;{7BY65$J{+=J7#SkDs8sU>2&(0yJ0O85I zRyy_^1>(p`{5lQ00;Qe5AZh8QJ3oG?)AK6EG@zkaBpX=-LK-P}c>uA5*T*r$go8n> zFeBk4Smd1jQ26mYcoiNs35}~*7^qQqIZ|B;hbiJ4&P;%I1YU%^KtaF<+{;#hnd|tf z-~cEh{m0-CLOAeL*Q>zA0d4&4@M#k~9^yvMQIIp3R!Fc0BtoDc05Imo*kC2dci;VZ z<1vGI4`MizlB4q&!DC>%m25x^&j2%Y+JgnjNuw_65Fm;`MF6!JMnU_9tm!8DQk2q( zAtL7}5b;enm`LON3R6HKrL3$hd$!9Dg`rWrnf=0O0SYv#DF&*Ew(>yPBr_Wk4`2mt z^LJ?zcoH5Gbo6J4VB}o+nemID6SjACcXSZ(B$zBGj9VYl4#j(~lDGhifBq@lkT-3V zQ;>`(^vnk5rd(`3Z*{SGnH?pc80!6s$Q$BfmC$tVuxbrj+i2`;ac9X#Pbul`bG+LZ z5k|As5_0dO!=z;!idKZ$oOC1BbG_KcbG<>w@u0!>sD_bDgZYtHv(ogWB3wrBjQlOE z6(G>3G_z0EWp{3mkR`!MlEvY z8x8Hp{V0Xu(b`w5L6;;OmOw)?Sp?zHa+jYW&cURYvcW+*mBZ}pPZ{4K;KYs)0=ioX zphan-?oKRrD>H#blarZez)S^UW$=`@FfWWEmPTfzFroAEkQ@fFP|xoR#U9C7nv6vl zxLsHQigq}Kj220#st^b#q)I{>4S*IJk%}BCIdc}qsHD%t&vc+|pK#GR%ZtM|OZ`o& zB>3jv#HAccSz|&*W*&wIE}nCI{G~-Gt&|0P3{yqI;JKR4zj}VokxoclyvAy#bN9;Q z^;=cFkH68bXM0ZL!`+@hzRca)t{6x<(?9Nbg5ZY7`7O>jFLU}1(Sef#TVOHFk?+Q! z%-u-%NF3?VkPuNO+}dJ&^U{g;&|i_v6xK6}uz;zrlH_s?$v_oVqh)0!G}5~PxsgL-3v1WVMQ>J733G9iW51yrA>|)P^7#78rPw zyA&}2$!@w)e!`RRC-(D$M!hj#^IhpB5;F-c#P_B2bMq2u>fvqWaoc zi5C2a+Zvnu zr6mFoJ5vM*c~C9zYtCIfc&$3E`!#)JEOORGSbUqUYv<{RfKM=>E#s(IzZnb3{|PX zvPj$6PH%b4S=)FbYvl8$$}4+^v!)5nC4_o})guT#A7&g;Nv#Xq|S zWi$i0Gve{Qdlv-*h(N{t(k?!8Jr^2|OK=ydjOgJG4niP+;{hp_t`l^GlLe8A{yVLz zY2~SIe-AIODPkhktE2mPc`X3X!lz_T{!qrV4nP}SAxb^4!^4^5ml6%Gp;~@Bnl8VyXJ#&JwNhgYYr@1<+(=FZ&LAVzdJ%B<&yu-?*)uD0~=WVD`2ny zd19i_63jZ=C?^U7Svdc}-q0?bid0{Gj{}QYJ7BljVg-T{U`B`p>E0T0FUyB0)YBWJ zzQyk#!@=zl^MoeqwICsYgwae%sg5(7+<|{T#$zOU-rgkxDyKN3RR`>eAM!{TPk8?v zwEH5P2Qk|7V_MAf|F=&$RWlLt+q+ zQJTx}s_R?P^e$n#Nut$Z%@%?bh497VmN9$?=@6Vx*$fKHQSPI5B5N!Wv^wPzl!>Bd0pq4sxqEiU z2;jgWe09um+-dO;*pE?0Zw%$<$k=Q;YMfbtR!6EfH+ZBOh;oqnqf>+_2$aa&e9D|F zRUZcdI@0GT-eUHg(PN}m&tAV~+1ePXH<>@INHfOtrNxcvET%qiZ^tXVCji(rQsc!bzcaJIvvl1Um5`ZPk%?Txhi9}%mv ztd(Y;y?!5sG8C>--PJKN5eh=Dp^ z!Zhu3JK6SRpBu4b@oX$QPRC!rO3{h{g45^{`-drnQ+z`eTk^j;ug`?(oE$A+q795g z;u#KO*FZde*1Jx znF)czDt=|!=2x);xtYXfSSpGY$#6c**Y8E-)APv)xnl945R+usM<9XEo@rTLY+fEj zM-Apan(9S_!BY_78~)9n;w@4id|zS`QL7PX&ynNt7+bR)dz{ zG0g3(eT%(;eXR}99C~|*<_S}%%bZa4qZC27S;JTStcDqEn`DEV?Z-Cp-2mhg9@{vsq?9%yqpq_DN@v*T(z!T#Bk#KcsBJ>fdxb6$*!&VcFT%8}#bJ%R@w} zSHMJCz*q8OS48$6NW|Uv5mz^X(OfFL$MA_5f1Ge?3@-(YycFkR=M{=@8%JIyw6ExJ z?3uZqV2jcFGLA9a2!Y)~GBBXW9$2!rrY7}fS8DZb98-)JHreMTzj}HweM1)_%c!sG zJ`TO`@EE^IrGx{Pir{EUK|IczC=Bz5>y$;z+*kVzrsbNYNM3kquK0lns;)DceBQt+ z3xLD1g5XUq4jRhH_6%hVV-V-9(alR256s3i|_Ak{^(f6(Y=F33QLI1f2ip#2SKz);JBTwQq5 z31I+rN*W*UAcaIyD?{-XZarhClOLwi$#O$j9`Ll0dk*$Gnj=!L5_JV?6usF-ee(+L ze1A_JDF`fh`x-R>!_M}Dc;g?iqXE`*4!5eY&G4ZhU#wvJv<{X)k>UzOkH)smpLjH) zNO6O!F5SrLQys$oF?oAUULweF_&_`c-X_a-F4Alvg`T{EQIUtWGy9 zPYOzEpNKdne5m5>m*hYVdODul6WA?}DG38eBz3|MHyTk9ARJEhuR@RNUzT~-T5p3J zF{%x%Y2(qW8X3|=zANd)PAp<&Fv2(@+Gx83GEQkxk@J}H&HSgj@FWe6NbVZV>-A+` zvGelE!>_l5#RoKIuX1SYftzAX=j_gPTTZaMk@%+O0m*k{G^$(>HmoiE@b|I%Nx{uN zr{)5DVl$81U5S^=SU;i1_eT3pFEJm;!A=c+B*V0K`*(bl4|KGWy9@4LBOrW4(Hia8 zwgj5$Qcg@MmR-p^e?+_R(G?$ouRB8%;w&0~<3Z!6h)6M^?DXOHfwp6XFn2*Uvxx9D z=J}HlDG~9b&Cr!e=rkTe{2gfB7eSO;_~#IViucB_1<=sDPc9%<2Sl+sKJf>Df*hQ* zpvUNqLE$N;EsU6ediDWRHuWj!X$48zVrEMdDn%?!;V3i6jAEa|lsp#Qs^643iz<_= zY8bKuzFJ!+^C5mRGEb>%I6i?yN`jd5)BS~5nhrohQ$QP;vYC$oW~{6!Q6ks+5#d$4 zc{k94&CI#_pLgoM@L?2=yG1|*Lc6%pN(sjyK8YYD(5lM^qp-bB%)*8H3X<$8ZXnxV zv;ME1AJO%&ZbZ>fEK-e{(4+xsge{K?F&Y|4F=!(nks#m~9{}q_Xe0%BGpB&<$~*O- zrHiA8d4qF4+OILx#2S!X7V-xqAn0$&oN05JN0bD-2thDVczytZ@lUFd#U&j!3`Vl% zt!CYeZO$mX6T^3bF}VZQL0}9S{fn=Tv;wPg4#oM8#!iX{=<^{+12F?aQf#z7d^s_( z{N&;9#4Kn9XaWHZxpZbU7q!U})T!Wt;SA1J`Ve>o2E>{m!UW*EglCh{<$EVcK>>cA z_&D4xv=?7aNm2^;;2R)V4L;dOoI#VaQ>=4lMBadVK8?Ucrw;JtD=)9)1Ve-F<~3wO zKM8V$Q|0~yC6AKZ2n3ml?2%F!ff~?l1Zd6%Ejxv4zgfkyRZb zAI=&AeZ8!OwrUlVQl716MuaGCAVNk(HFe-a@ddvIfRn(z_7quSh9IOw)8fzJ8Q_md zqf=bUVo_Q`QR+CFi*%eK2+VATM;U$@=CHN^dpEC7$ELvJ(rHXzh=yCRXfP^(&^GU{ za-)u6!O5J3POkP7ZVel{Q5MAJ4StzUNWa0~rEb7#XZ42qIlJvP{>m)l#!+|nm}3P> zeS_=$2mx}K(VjV^ux{(3_lh%^$wDjL^PbHRQf&NRcnAPu!k!Qyuv#yYFWCv?8mIda zW*xMTMf%q&pELIz3w@3PtV5U}*#<{oI!QD6-hw~MvdCcwC15MI55q)|QG_db69wzz>O9ujPVzDZ=9Y;qD5H0W zsQU$&E5R7u9KR__@fNlm>HjiT0+{)giH*oEZvn0ogv(=Vk(=;D0Q``02>S&VlxDc^ z{w7WWrmdVsNUZ(ZN=wfumhv;sN-#0$z8o+VfjgyUh{uOvFQS<&J6D|3dU5blEfg+? zkeecICY-d2$4RdX2{aqQI{I32*I%+ zioZznQREPvzVXx_ON)^iNF8U0#+?*jgyl$^2(%tICG)ZWzq<(Gd!43Vnot3BpZ$&X09s`Y{naH|vmL6<5 z&4x;VQcN$R6b}0ffJ}ima$^faTut04qz=vznH7#4w(B8*Wt_+PJTCif4;?WW0fn+1 ze4fvr8=*=Ys}Qe2BptL|NOD!M$&gXq^jkxN@|(D5q}t2SL~RTdI)(5b3y};k2@-e! z$5G4=#sR=$5irE4C-4W0o{Aforwnpb1keHOh7_abS42(D<^VMF?&8=HHVmi)Q0gGn zV~8jPjXS;~X2%S+gG2X`V4~v#c2Zd$m?h-;^J~X3mZ_jI5)PZNpvd}(A*?8A;;s+~ zFyh$Y7SZserPY_ij?$IJ>k}BKBc%_C{vUS95i} z^rA*FI`ert!(UbVR{DIFrs|T5k60{qzL+a1$zDQ|E@>pYJ$~y>msK z?~)gB1j(kXuy8qp$@M|j_#~p3P#KKGm;rTNSwQ)$L1!I0UaZUr^6TLwyFgS@Y(m)l zsJ-Wi_@3+uARTUntc@LL0u=i(@Pn6XOKGz zm7?EN@jJwU1UTfIx_%W|Ei>Hj%KJOmeRBdNJW(l*YIFVX8U$uoVngB?U|&272vEhN z5#gmE`#1%n*UE2w6hQI+g0{aAjFJEI9t3!`63IFQX>a8^f922HlaUoAB36W(eoToj zORC0ALTCP|cx%=XbK*A>LnyrQCKrgx-tX(#yFV*{7hZTG`~7_hz1aTG{MhqX5PJT( zR;mlX|FTEorL-xLTdZ78p8x(}h!-h^Dad8dyg9N1PUC2$E14$Iq7>8yOb5Kr%gIoK z+MmA8;mXgId73C$I)Zkp=}5V8HJ+ycg>GUdcoARsxnKOlR$Y1XnNLRxc2iL!fCOPu z=;xSs&VnWk0kb1&2Qhebf0KPzep*lm#wYP^86tf6td~9J4j(iyVgR9q0mWNb8^X&3 z)vqF3Av6)c@sXr@_tQG0YnzyD5#^!gQ-ZtR-ncE!ogSq;u*`#rMr0rnPD2z$K?u5l z{t~QBtbpem+n|;6PX@X%CL(5n-uf8bVV5r-LFpJ#6y_Uc0qR5`pdO^WW{L-YW`Ju) z={v|BWlu%WowhgbAbV!|XNN3_18XLDO#mSYIu5KwEXtl)w)A z25^D9(r(rK8>HS-_-ic6H$n7Ro6{ZitJZ?A60 zlqn8~(9gYpA0SU%=(Wekk`;>m-fpnZ-*5tPQ8lg;DlB3F4d&0aVy%Av<^RvYd;j+n z#WQ{PUp?W%Ebm@WG&aFSA{n`}125&XU!_OtxGrey!^ zwGs09fp`E82q)k``ZkB{z=Hm~^ZtYX!%yj?YW(wFLVN$kh5dT*&BfwU;v#kiO9CNl z`|J9z+Rs0x9^1+|0vk0*c@IGX|MNEcBgUKz{`_Un^YxgdP7QbDG_-CH0pR|+E{6h! zVRL-u;jyn}-F{{;a{v6s|B;)I+e-IKpqZ*sbeEaQ6JO%3ntL-uVwQXn1)CS+2up4xUQ$n0!u~~ z{-TEyHrnG^cLfZ62+CmVZ|eKG&#_|MUoEH4>Jsev?;kXm zOB3P!{bwv?;UAlYm;N>v`161ERD^uI03HKA#x?>{czN~zWY0Ks5OpJwlz+SxKKcBW z|F3<7WLG6fnT+iv2i>2$`Y(NVI548#|NEMeKnF%HwdX(f2(jY7IcaWGSSf|klC;8u z{SScxfH-8n-00)`-6GNHITH#x5Lz(`MqRp{ite_Skl*# zIpiv@gp~b+CH(uJgAoB+fC6wJeG`6y9s{;1h%x{mKLi9L50GZ!cV9gGy}3PQx>0ol ziO8GS6Wh5qS_S}S`F#S^{{5Lp{cS-!b>RmjO*fH+{1e0!CH~oU|0mDK9|uA9X9pd_ z>i%y__dl_1c)b5^_y63+-&^#}#sB8kA$DS%G)Cvi!P+=do-n9wslnMiuZ4Ol0LY7k zlLHTc7QvReA0h=F5Hu@QJp(sFvmMZ@ZT| z)1i?IN?4T~o;MP-9Vv~C)3qiCUiMtW&t5n}EL95eYokHSDuYPoA$x=){e%@~-X3Ly zEO4U91J(ychu|d{e;PJumps<5(@6wK$yO{L;pAI9`Vg^3GGE5|HroddWrDy z1c`jLP=sFP-+FrgZMXIBCwGs;KfXXy2^?Uw{UdItYNQa_@E^_D$K?cz=2bEb{mmaA zYn|o2&vqzAf8CDDB7ZsWxu5%}^7;dXAZFk2+MwL+ZAotqLRUkbvE=0goW-rnLA&>X|u(yQht$%Y?erYGn{K;889RaI1)s^p+<1o|okvqron zqISdHLw`PJ<-fx_S42zuJ{1=q=HYosc?>bNg-?qdFc?KeXiEP0f$4twR}#)9jG@j5 zl_=pS=l9SY4e}&^RF-ee%3ALboc)2 z%jkUHTm6y&FL8st)=13M!uS*ns9?r-%x!3}1?CI>Vdis0+Ac0G`-my3pn#7fAHW03 zvKWSLc^*oVM5zoV2e7Jtn7>7TeM?IVG{sn1Shfj6QVeo|$52TGcrhYo@bd%QoCx%| zzkCVC=pAfYD0Shp4{>rPCnkc^69*9lh;FZDI>Exyi9`wi41tp?5!ILhk1h@1L6BNc zU7*5LnT2Am97x&>L2f~snOpP!@+9RGK~-N=s00tEy4Ak0(=!0IL>{(^%8`E5cm!9!mk zyhXhea#>m)h2`a3#FVUKn85+Y6AEk${MOve%=aj(P|5;}jwqSoBORXs0(pqpY>ti? zq=b%X~z%YR0V%ak>gVe4LBj3M;NYXYb0t`Wv;k+W{0jZ7t zp9$T_xuCXl(3ZV9-}=X>#AQ8x>{ve!4-*V3nrjD$1OhN5-g)(E-@JXxeEd}%hP{>I zh+/gu>ni5{rc80H1##D=4rtrEge549uw5`~JMQ-a_&Vh4rsW}25-yuG)uKuEG3Hi`V7p4~z z?u|pJ2ep;7cW^~@lR zMPri0Np}~QVt{9wO_%W)H6p9idNT zAlaF8=Gd{A&bGEO?4@FVu=w~JuI{i*0MAa>{q5UUFjj7U&=iC1S*d5HNnT|et)BB*Ko3BM9IU%k9YD~Y;dUCG-@JZZh{DL&_=@=+L)!VnY9bM4u# zKvNbUPQ}TS3UV)Vz7K;SmREit#rhp3Y&khwJ_|R#QkdQ#M8s7eR5rwTW8kR5w&SBpb{dDm6| zvd#RX-9Q^HUs}E@{3Ikq6ThLMv3GG4uv1J_luF$7d+;tL-yqecFb^>PdW0~yy)cEc zKVlx3wSmTr6at^|iRQ!vLym;z`uceU%>!KKDmY63&38%ud`ndQFgA!L8Lc6Zg0rVGt;)|2TX*S!AI;kOtgi5;5Ow!f^3Vww7fRP zqpv%ZGT5AxlPt-F0fcyz1L8yDTrV$(yV9W{YqFHLnL=7GYBFlxX@1Uh+-M=5OEv9mCsAayIYKFRGvW6(PI?hZQG{Fl!SfPh{V-c-}kufn^fyzs0^)iOk6kfkK@Fzpn7$-9@RS=3?R3(w1hg2y}dxO0TC=~ zYKC}uUBf}w)MPnayn~TZ4a30%TJYFwhnz9u2L2^4FAoETr6nc(j%#lj6g2Ij%u+P; zk5(f%#~AGe(FDj0_V@KwUGjCE0GGNc!vf>Cj~zIGx!(^NiP^Twcdx*Jk4;Rx8-$xU zLs~imQ_Rgh0aJWK_kYp$=kZwXUHCVy-K0@yB$a5AD2dP@2_==NRGKBp5Sd9TjZ!oa zO+rc(B7`JOGBl5dP^iq3QmLNzslE4o-{0Ts_q?9xkLUVl4_ue?I?vB%ebzdTV;yTD z3y^>rGfsq)ud%U_&kGI;I?bT!mS)Fzr0c&Q?Pl^1cb+`t7xX&^2J_Ds9~P8EHf;ol z*ISe%_7QS|LqnHg$=a{qh>0%)09)6tnU7qSi6_uX;o-x%AdGdtFzxS9`d|L(r&~NE z`YwM+w9U<(qgKTGKfaSMp3~yb4L)-CFqtZzNrFF>wZr}UXH0x_hhJkjIQNN#4|xHX zVztf5NwwsJ#DA}avg({q0 zvuAU9P8vP>0~AHOQDP*nW&~tKqYA!|b6bXDmp}vIR3#C4q%w=Mb?u4V$2O6g^UMa& z?3%R3%4#xG3YoF_J>v3ZrSuD?3XJ!a9e3jPrIV3o&z`+}`GK_^M@2|g+8_=^eSLvK zV`{I0f&%t$P!FrGO}0tb{FeB?~hpMD&aYnsfxd8Gl;OY8xsoyC^v1|>0}&N6Ib74nDb8X&t+z29Hl!) zbaUXc&?y{9CKZNWpJnm^C#n2`0^t#>+_x@Lyi#7Xv~<*r?JW!>eK&1f_3tzJ-72}p zDWrZ7;veNf+q;yt|E%*q56A%oqnkvVf$mWDSL_NR~I=x_fu` z2>%JtXvZgQ>TkQ{tJ6AjbMsdxk48m}tZ`>(=89>trV3NpkGA&A_c`%%reqt`eK|xRSfR|RT9P$^T2Q%rymx=43^h-j=p?(+U7FtLhtXN$J8+3$7QqdTJ3y3)vUM4(xoB! z11UdVqsX%p%PW!fWrv?UHO=PL_^w^|U{V=BXW3lLm8^D_h}RzhJ+*>u9K&#-M#O5>kH)q+YUS>_Mir#pObSVY7+d;9q@ z!!fxLlU6(6=>${3;PUK5T={nF+}TYQAwklfezQX-I}BIfwrdba3G~y(2O*6Y5)%{S zw~%DBpojSqr5~NXaACB|tjl~Cm+EKxf^x!rUr$%Xcq#72NMG2SS#G9lm=B#Kdu$Hd zq!r;S^CD3~Db}!aHZ~`ZA0OR(lv|uPH*a0^p3a>+qoE_guNq?8 z>Y>&+`@#>87bC}xHLTJ*!(QF+Ja06EW%DBCeUl*a>t9}!OWrW{CFRGg;o{?*zcA)@ z>eTDISN#ha2zS5Cwtd=3+aY|h3s*1N;mg4CjXP)p?%wc-`hWfDwT!2fR_s^BK2IwD z_|d&Gw_my7ww`3XV8MbFD+*#pjGX9Sh1fN`SMoR9$p*wczT-^S6q%i)WQOlX)z1p{ ziV^2T7>drEDVj}>d8YyM(0r`7WQi+{ntv-OWR!F5`pa4n0#xojIypoqhmxZ5;mB>5 zQm3L{c<*2SMrLvU7$t^P!iEp%*Y6mJOkm(mBh$k(Ei+e~P_s2#o?5VqeTPdcR(qKC z>FE4r)Fe&-T)T(1jA2_2Y~S8N`KI4483_p$kIz=$ZX#!GmdFs+u9rk#v-zh{+*~>A zX^yRFMki&8;_~tMu%)evQIeO~m+!An!u0)19qzeCH`Y**NO}Kfwih?jC#9F*LfSap z?Baei#mlxm$12Mgzl%-Imk)ZZlQ?&dq2bcB*%%LRdKrbRE@j)`l!`;yLb^Irv43Jk zysP$#6+byfkfObpnsDvnxQDsp=IHagTc+w~67 z9X?3aDj+lS7djaxyt^;o@}lzEVUr$4@)8L@)i=rIM_IS;AS*W!R*Fj8CO+)L%W!MY z#0!WqpS$d>be>e78S~Fw;JIcJS4>>kJ6GEc``g4=AZgC4ISFjnnUxEqT~lxBlKWFC z`IbqK<5o=%eIwuBZ)0Hr(GpVkncJDNZM0k9HeGpDW_^f~jh4Y_eDgzf!(mW)X^X(( zJ02wXAJM~RSc>r9r;jj0HFyLDBYY23Ki5w_UHaufLW0BU)nR{?JKSFtb9a%MSran zGACVBmg>Ld^Jkl*IW^}T&UEU`Q@b%CA=cskwnS^sh>f$<3j@w9`NyNM{jNN68YY-@ z|LU68w_C4X$27`#ibysiZP)D9H8($*pO}5?*2W0Rs-!h**Xm5P$J)|jq}x>bXy|rK zn*4~y%%~4t59{O8uLfn=+}y0?Tzy-*k(vi;_(Y#8NO1}!T+N~rckI|vU2VOx+vqha zea1anWNtoJG-T4I#cX*|L81bZB5V}|IbW%WfH{KtNc8Ks=w2%kn(W3s-E1MP8sQ`S zX!e`PP5LI8IkDC~YcL94T_W?|JwA(=bt*yO&^TyPoa$|&3 zWQpf&gSyW&bQjmbI3Sq6TD}Wt&|Da=w}PXiIR2sO*r5K5&7&NW+4`xXeLfX7@h{Zw z)01(#Fm`eu5~>#R+2wAz;0_=3Bknv&C8dg*e`a3MtXZ?15B&yx$?kx>iOM$oyZ1Z;gFd~P zFObC)LoQChf$o*es;T_@mb@*@+?pQWoD(RQ#LzmWVo$-5;NMr+#y^|t5afP*(j_!7 zPY+L@%TRU>Mg1c3hqsoi7c7i+VqgS$ee8Q0G05Z2+pbtq!ft!|h3*%th_JBLRKGaf z7rT4^{^`2x&i+0spbdII_x>hxGs}EHv6~a~9!;y-i=f0h54z8m7Ukvnd0N5OFa#jm z#B9ZAW>Bw8Cd=-Xr};MM5SVFa+s&^1Y9F2Lxcn|TA?=3_=RHW%5f&_ME4J2C+29%c zYT7=I=8Tfhta0p{Uz-g8a!I;5w)Hc&hqi>3mP&m+v$t;Dx^!BftKcQT8r|nRFwOu3 zuTJcCkS!7AT3R5E-$-NG|fkv-igi55$ONmdb{`2M>ZN z;HX0o`beUJjezvfq4UMuJq0n~>15B(ADWOtJiZ-F38=xqK{~5RKprr;*R_6dUWS8< zOOVObm~vF9nVViJMVl%dn=?*P@daIYDELtP2#p!^tqhRCE!Bm1>fXi6&74;;g zQ&UrOD$3=6o9fn>1%Lq3R$4k8=&EWARz9sr07Yd<<>C_)mnT~KZ{I$H73=2KD)blGz*Q4jpd0T99vWxA++jsAFpE#cOcrfs+I`DmW>gP+(gc~08O2GY_ z6~3yXekuI+-{PyAf=`@~_S^0WqRy2I2`7f{pvAz-#U7ThWlsM09z3Xr zEg})9Y{?5T>Yc29X0v;xa_a8gUE-J*m*zCaRdTK+i91LWVz(qLqw5sxGj7=Uux2)I zjvucvcgd2kOrhb=ysHc{me?n+qT&dc1?(4#cHW8Bm+jlP#|8~-D0gyo73Pe5{l7v)5s@%T!bK$grluCZPW2Gc{%BhLN&TAGqSdR*IB>ejviD9;alZmF<<@{& z{X>kZo>8{T=s>te=x-YXI^?vt5mSfP-qxkV&2a2N5pmm`1_U%a2Y1x5< zoEA*1t#-VGe-Ii;xa$-lKo?Sj25kjyVPPKKA{%Y$!P`?)Q~8+^L)@6PLUS;=m`$tx zg!;V<;ol0GUDQaEPo~vU)!>Qc^0%N z1+6;9ej6|V1N0ZP(33`ddaxA(W71z1*3y;1#4bQ)S^06}{JlRqKroENyYbE)K)p>H zH}1Q$miZ3kUb}Y2#eJXFZT}eN4@oa(RbPc#^4GeyU~8%3#k92VXzx$~Pz($lzuJe( zKbf|Zebo4X0Qq=|&HVWf>5Uqrbuz_@6PQ}z+2hAdt&RqPk3t%({d+v5o(XyL`aK;V zIjz82jl;pW4++c4CTBj!r%G<}4hJ_t zT=wDB@GMm?_A)=m8?0Pb;QPSv$k+-0>-GKi@3(Rpu=T;NM5dY@4-HlG&{l5{nRu011GL*$A=8wrxF39>K;V!2ag~sMM#!J<><&s#;p1*JZevkB<9YnN`?74&6e&76R18SIHv)(tGCMZs^+0|7dr*bu(QE#>MxQCf5x)HSI-&6+&ye{L zjOM(+^53{|(p5-mmQ{3Yth}$)rcE&y)k-f8HF`e+y3cU#TzOxR_Gc5019X!7>EwWy zK%upLS=R{~Kjz!7l)+q%Hg5mT951Z**ijQE1fD3l3UE1e=uncX5uN`2Z=r<9}@7e88OmlVy^Xtt>oKu48bhkUYigS@){VOz;H}vm~exHm#Q&IiIIz%RdQ(a&Sxj5YmN5# zVSl58NT`(Xgtg^Jnr_)&Z`?j;ire@(D`CO@d8u}7H5nkH>hS7s;q#yWU)J$)Z0>W_ z7_lBA3#7dU{UxH>wf!ppd6!7zkeKM`rk0joy?Y;oL-P0Uw@(*>s;a6A*g|M7v==Z7 z7O1E!CxoK1G91JsHWa)fo=cn7ub;%z$83>-LOB@=sGA6>{n)QEGCu*Qpu157pwh+4 zdf}p$ZPwkVKvkoX6^1zO>jV?w(-3X|(1=b@ zS0Ackv6rMOGc&VIk`h-5gke+4{7}_>u1WFno4L)t0WAJF^J|B{-efe92j@01pJ^%- z_SB;s%McK8JU6GgbLQ+%N%<;JElWvRd;<`1ThNzN{QAk$r^+kR`ci31N@8;Kf?omm zBHJ^WKmU+_^bZ>qXih;ZFl*L&{0(>kF$y?7WA|7ilm{u~m*g8d1{*g_etNe_qAC#b51z?anw%9dG(fbsZ%{ zgx_Y4@%8uqYLqpYKmUBgGj8uO8N+7h_0^GMO-7yj@hiGk`_C@2pt3mkJMS^dpVtW) zD>(Y)e1Y>vYXwwoLPzm=jc5CT*1_rtZ9Uqn`g3^kx!plAxz>wy54D934oaD8@9wOf zFtx9gRBoX;hX#Obc8{svZLi+ESy{D+%!3^kzeC%psSKlM`&cLo1=02YT|o065Q@rJ^o(V!}FTxDoc*uz+gk z0~!}UI6h(L5T57_sz|x!*sLt=H;X_o`CFS10r;lt&h_%j$bXo+`sNOfj;CKpUfnl5 zZ_>*+*Ai>P8Klb4u1Z(eVi;;dkUa%Z{)ee;`WjGUmR7G?X! z75dv1Mtj$J*7!PRDkjyvdv|N3=!g&ekAJkDd*($dQ7Sq9iZfW27Mb%g4C;V~-C_Pd+aYaMMtwWVLw zgD5GCLR5B*h$bTuYL|gaXtQwouwa?o9JAoPZ(p>+s^7;I;l6i;Qo5;v3`Z*j--km2 z$4`*qZ}0kvE9H9XT(;t_J+Kv1rc6nl$~vJ0514cAvwnh^jlKQDg)SAPb2xjU(Q>DJ zrZNA~exrPHwy$+X_qMb=aR~DW57UF#A)9K3GKJeHH$-nFaPi_+jz9a z#z4e*>3lvsq@%Ux1>b+P1SdG#u3nwg156wt!R0GJ@dDJpDNj9gs;Anx^_GPz@pl7QBU&kjE4`m0b611HdJ#Y z!%=C_xw>MOyu>Lm7a0GG7xypscu#(yX#2q*#i?>oa3h!p1;QV*jV+@DFt=v%a+y;a zTSf|`DWWsx*a?S}qvPARZ~2QGryE7W@?D6Hooi^g?maaOFS}Rq+kXwjfX8tX+BK{V zOhEFOt|lqD&dzS$56pe^?O#Z5h|vl(sHmwCW?lj<+C3lry&~59+9yt0Vg;aBZAjCn zPaZ$NPm-oMR|*Y_h>4Nz+xI9&tOExQ?ANcQ_VvU80|sbT@ePVi-0ZU zmMt;q*S&vw(5#p=6>t%q27)}QILi$ix_0SurJ|pmT`p^U=~lTw1A(#P?ET(9{^4-b zIO!&}7m3?DWH?N{nw0e6X}04#&}7OGzV)UP0h}Gn6+c>2Cn0wbV{l`yUO#aWFnje! zpzzMy<;!=bs+^qSt}=c44fJB{AC(>^#ppS&n=9GY-FlxqxtviT#EyJl>R#l}}1c1SA+uHPY77>?|I^ScR(~peli{Je`UZ1`)Tffu} zs;lUK@$vKLU{sZ-B_t(p9lSEGcO|vm>L2nLxO`IUBnUZ9G$Lj3Pn{)KH2uNz=f~8i z4IAb&gcCTnnUqcCcb6r|NhGr2&)iISepey{yE5qwo^p2M&Jf79h$WmV6qOZ9`yq1- z3|8+UVY>YtotU;3=VL+o0(W-}EqIDWRf|w~-PZD}e2Y44xAT>j0sC|j@no31x{d)> z{~Ct$Oiu4^zx);+1A-BBgpHrx9XnmQ%jeg27#)AQIQS(Bk&gN{)?Mq1AQi zjcnz>ziP6c^t!Xw0U?d6*P1o5U(Vk4M(v7KHTqPx!s_nToNSaVH@)m#wD#VJ10u4WQ`##-pPN2qvOeJH|-GO9A z`6?z_1g-^pH<~*)bt+guY=L#MvEr_SuB$$`w4g=dmHKg{DM!hx66LXDCA$m@G@v}Y zQ$wwC&L6ApJPrun13 z(z;Cjx0ajln@vD!yi`(_cNSTY_TBbbum3za5fP&fF>ZMDttI;`_aSTdy-GdB&A6sd zsz+7sc0Os-%Lh-Ms0<&zqkfv6>rFrAa_ZmnmmZZteUpoEoYih-nEH+%v=;l2j3IoE zOF!10scB!=iIXg;0TAls=H#rNnk|nW_o|PNNZLLN;5*+VqXo67>ZUr9NNR``NmhZZ zW+viZzkmu?=KY#GCwGetoj3penrmbJ<@JLm79l@G(ByUs=?(^+8Kc%vTW74n+eO@V zptLlR$x$pi=J(fz-NjGLV~>h2A=ARii(+_g@O3q$r`a~+g5==H@-?Y6J~T8apFE2M z59JZ_>X+w`Kv~ZJhR&=2EvozQRLm zSGWKB9N$b=H1Vzbc=suSiG8{{&BCBOw{2B``N8f%At8f|u7_(ZiuLU$Yk^$2c-)iY zsi~6-g(=02Ry4!=o+2wqx@o-%GA%(<+dLSp2_CHDFDYqHkmW(%G3 zeto2++pQ|F*$EAWxh2(w34B3s>BYP$v2A7s1_D4(DfZyu!{9SzS2vgI)NfsL_t4OX z=`%Rz-uW9Z`gx;n>xaAZoxh?T1S?_`GNchYmb{+Ydl$WVyLPs5M!1zAx^3gB2*H!( zvr$`z2dStPuw3$BURIV*aM|-L>Bo&NHmgNiR?L^>(fmk=jjhGw0>A}lI;vbn8`+?; z_3PF}AXOebY+@Bb;_+^#JOY*YcI5aH_^`0Fw9rcvM@&>dcxfg{t?gqK|IFT>PXtAM z?>6zmhXGd*lBvrc{vq-FORn_5fsJS(S_?`W^}#2Oc5WZ3`tLJn2!VnPx|Ure5*Pzl zlO$X0=6BAlDSpZ^1`Y>R&3b%WSp#hHPEC28NmRU`B>~k~9Wi&b{FZgMK?~nNxKN4} zKO6#PGIZz-I5^IHuWyd7u3y!o+!IcWI5wx_Uw>7IDKSs@gJh2OCh`076T8leB57bo ztWX+t?=)bPoEqtrDRt=`c2TO13^Lkv_TaQ8+O3&>N&VKsd-Ny7Hjb!RR~hC;AwoI=u!}D-@I;PU zY~*d{TDehYcp&77&aZ(Q`&6DmJ^0>v0vP1ma-^a(F73kQ%fj|5`F4;~ z9Hof*`0*bQ(UL`9zkdB>&*Pd(J!Iuaj@+FxDim@9!WP#p!E1$F0tjaFp%;}A6pX3K zGxwM5-5s}~V@E+vr1#5D&(Qi35)029*qk?Zf8-UPy05xlygD!@JbXvWp;2FJ42K7P zu6=Ft;3Ef8_WY7Y>Bk>xvN9Fc2MvsL^VD~|;Y*;hxGdk`8C_o5)@vJ^T6^jLw&XOP zHa0PtsHz%y6^C38`7LoI{3=09WapkWm_57Pwq(}&4I7^7q2PCuZdW?{FA6lY0tG;w z9#>~YgtfXR7m}|1BqNFUrO8F+Z+-h_Z}86SiL`aW270==G3!-u1q3_1@%xun!S%+L z7D{J(G!hjj-#~7nU)ITCM*&Os6FpQzb3m_?XX~*6%Ds{DB^vt$gcCh#T>*x@lwgHz&-_}nO%!E8V z=$LTm@l5#JWI?VyicA9mVRpTYh>jkEK4fLtAALyVhx5kf5pf-VT&!3;wW8d1U}4M> z~ zS%RARNHW>W11%QS(kemca20lvAG03Pf1Qb#C&<0zrc5z+OG-;4P^Jl8=~^xoFGAn0 z>FmfE=&KL^aHqx{v)Z5LXiB@**py~okBE53dLj&9Z z?6X>4btL4}sd2HnQJp~|(Y z6DFMX_x0@*5;(=HH6U{WGH;g&(*@Q>-TP4Tr^PXM;;xrzWdLApA(f}&TXyClixhqzG;g1ft& z;!ym&1xvV@#}gjYdxEm~v5ReymWtviSPC;sy*zH0K*3g5!~49@EAAR!{_2Y#X^e2)hWH#Y?PIi$ z{%=nU(qcMBf_4aMW3?xH-X)?uO-_!g8(|nUW$X8&G78Gd@cD8*mOmJInC&JA6SIs4 zl0bz{+nP2$@GaWJwX>zO^N(?s#D5+M+)-F&iSzA|md1ZSZ_#+(k zE?-((G-=qd)j|)SUO99G!Y+v9gkAna;`|dp!rri40ee22 zX#}SEP3XiTqXlpoQ&0LL*a=R@;h0NojB}noCBuDw^QK^Zj7&k$a2u+BL!$61evC=f z0jWs}RFr*GP&g2zi;9Y9G>D3d0@8@1SIg-YA>nn9yZtS~%kJJXb6j^MCMW;Gm~`&k zxd0`^;|D4RTu4QJ)`~s!QDXD|?DlPWC8c`ER+Z*G?FzMX8#e5kbq@!E!<2h_2`(GhLZH)#RGbXipD1;Ic?c8al!-& ztZqGetm|eiv9E&Kef^R++vK}u57MMmEJST@-@8}z`ZabSOHj^mbu@kb0=P_-BQ;*S zY#9{#>du#+(BFvHMw($nVxqtf34K$*(Na>?@893Mt_1`Q;f=(LRY`tH8GZhQfiQ;& z)`FZ81L`kdzYgec7Tz~q-2cOhF0>@CPV44gs$>-3a`6bhp*}co7yCG@LxL3i`(`&;fS$^gYpHyS zBVc`M1M;s|r*h`F4_*4e#xZ_wI)CDgtg^DQ2P%@;Zo|_TAd;yg_dGp*jgD;xElo`j z{D7jF4@1e)em0R`WXJe|qDQPvIPQF9?u-z(%2ZUna~@JZju&bfG$^~+Yqrhx##`6sy?TCQ<7SV=+S=N-cbZ?(CO}8W4$s)ME|BzFRyh>S>5Nwd(yn5F?U)|y2o{K4jU+og$ORsT<0BqG#R~_r_)jal# zXa^t1K?4Uq`%)S#)@|%zDRJ?$JSffo>NMvuHLj$Gr4CSZ>HYqvDOtO8?dn=rxTxwe z9KafvU1o}3T3Y(mr;iFWp!1X{u5gm>)sd8)=dLZNuKt~}r)QD;!9BfJ`=?=gXl!M5 zVf>)%M~@nbb||n`PbI5V*&tY=GylTv*j+jfSjbE7c2Tcl)&Yvm_^FTGz&+tf^$raw zsKd9Y1kp?ppg7{;O%RnP}v( zif}D4a3Cb}Y)?v*dsAaF)x*VKnk0yzV+r-Xx3IX{jxDNavVVXXryk4pwPmz9swDVC zM`!2CH#0VEsv+5;vsF3vJY_>{32sCvK88--tUdXJnc_4mZIFhByZ5h&J7zBG>$$J* z@;%%V+O=lOORT)XrLp9SP92e6Lpn!Cj@g5;;IlOi4G$#}Q_qiX{DWzU813(_?w)b2 zThE@6p7Ny59;6_-y}OoO4-O1G8y7c!tQ%4bWEGax7oS?_?9FUWdNc0IBB7V5gq{>m`St5p z_6?<5o{?a%L@FQ!m<<>ds=0}D9$#CtmMZMSZdZ;T^$8QMZTsy_BOdBVCue8)SuMh0 zkffXm>?TT3cp1dg(dW-^u&{_cx*`iY3>_}ryHBrsy6)3O$YB2%17N$*81!BkS{A8N0 z0CE}G8M;^N|>qhF`kuX0I3EM?m-_poDX-&Aq`8ktUE;o*W~PhoEB z{j=xKFDd%9573nCqT-7=v?EO(eb#Q+aGpmR5pl~X?$E)5QN7Y$9uF{(=lk)xXdloL z{>soa&UrOr>@K|rk5r9_7)`foKz-pH-@(F;f#iZgEg*Ds$l$h zee3Gg!x}zd@o066WDYPVS2X?_Qb7kwgZ4&jo7ZEaP17K53I$#8;lDZ|D(=%R_7|CE z!5QV9>7C%Z*8Qh_tX(gWVXK^-C)u*vecE5BH%OcA4<0Nf)gEPX=h%(P+$$2cosiDU zN{eqID|_?yZ402t2FLk>+OKbf)I`gkMveT<@1%!VS{H`T>Y z`TZ+C0HacLCX4v2rD+rq-{GJjLBV$N`1|VheNinxZHx zD~zr3YJM*fDa50rDY#^1%P9{&2cMyopaGz_l&Zn&v+Y$-hBHk~SCWzr?A<%e7dnkj zx?`k~Y~+Q}NBtd~oZ8?Dk4aVSu}5?Q>2q`rER@jVHat*hKjAMIPryC`T*rOFUm5UB zjetL*vh?Cy{W)=-h{%X`wY-Se@p`P`X;OWZ3^}=T=S)($V={e3ye6}tgrf1%a&=G7 zAK;lBWeMON!-t2H{GxE?Q8>MV_aT&Ylcl^EG~GLcg?go9S0Azc$dq}(rS05#i#ta} z$rjtBtQ;qN$stqBUO)cxC0Brua<+%6te=C(xo-B{xfQ(ye{S+gp!K7DS8w5P89I1y z?S~I!B!+&cny;jzFHc7}RVhfO8fCTH=f`^a&`iV!8x%o-FmmbW6}i8B#9kA8I0QVA zUs+va(8lotiqs!GKT%oKHMk?xy-qxT zEkUK8WQLB}LV%#OpabmVcg zj*nK*684ghUVmw6PbR*9Z@3#!(pjY8$sdW-tfzAcfks;78M|whMBFye!A5egCwf0W zzh}2@#@NvO^Lixu2dWzy%9TF4i*$%XUL?#N9DE4-RJMY=j~G7E_rPEci4&(qvb5BY z^+3k!7{G`M4i|sFeDvB|tVLSGgf{z8qa<|@BR!$-7=5Nl!9n~FxG%2{vCWrQPZoJJ zn3*@i^g`bNdgTF<#-Pvq=VkTB{U@vI2syc(YP9o(374b+p*;cU$Ch;*Xb@RTpwU=+ zLlm%mtQHPo!prCDP6`oTS0Y420*qF?ZofL!C^~2g3B^K|6FLR~N+H?c9oKpT~qs zt=I1;(s0e?(y}klUPwK=nipXAHhJ9g(X6duVDyC4Bu=%0`Gu{n3_n3nw; zO$o`bwTn;~vx}b&u>85CXG(SSrE{pcLbW1YI{e)+4@e$kj;Q ze`8_kXXtWa>=+%-1_T?2pHBPv%gxQZ^vBQBj>{asW&HAZ;5zL+|20apVVao8@7V}x zkV4~t0nH#Nt~&OhMdl8iOCKGIi<475lYKl-wM!v}$|k{A&7OUKalM?#??oKMut}n_ zgizj^(FlNnQb%7@1I3e;U>1unDNIJFszc^rqb)4_(KsFS7(i#K7DAz za0P|#9h4i-G!se+3zzu@5aI&@7Sx>Dn^(Cqb#sT5*+G5{It!LA-KXCVcJyY)l>jN6 zNTO!}i}~QTlxHtqc>ih}BrqH!m6YCGeDCq?(>d<Df&#Q`4rgy0>-M`QsjEN5eu@4pD-kYVdsES`hl$mp%X}a8-89zd+d<);WX0*28RT3I zo@D1at?j(Or|^qDLk}1%cWuA2GX20~$0{2dgh5K!$^hE2C?X>*Y;A?1ePmkAC4%=8 z)fM>>`HqcRI+2>kj}&!dnIg3XBph9cd;R>@C79840#uG{zSq}r@Xd(YIVb@9WN9V1 zQ@$A~gut6D=k31$#6)Gu=MY;X4WeqpzyJyv!W6j?6{LXfSLe2V|IUI7xwBSS0Jv?? zq=q*Nbs#n3^5tk$ACuv=UShT0p`S)qSF}fu6W9a{9LQ|z1-iZuZ)h0KnSkyrH=;{|SuFg-a9^5PApH{I4+Vht)hkgq z6Xv&ps}2}C^vv<&IhBrd$TMb@LB6B0O3HjGi(>+v6vP<~jgSIMX(=hk$%DxQpt=k1 zvY{!kMbE;8Aa2ccYZ|VpsmYT<{RfXlF;4x8+RE)6nGX1SlUoK%XofI@5>^T#gRDVc zbl2|P^xet%;!GQR`SLF^GNE5KG7>8{3xKqQY-)O^-+RwG*5ul?Pa5}e z0lc;nWsKj9|# z?%UVRdwotB=GGSL)*T55*bMy2mLWMqRr~eB<8=%YaEqNcdp07>ph_j!id7P0hv0$s+S7xC;okoG)Qe%F?h!LG{%$+xH8qzKuE0!&*<1g+OoEU6EO^y8 zZ?5_6qP9KJA3LU5r4a2}cXjIAnSdhpd&e^*rh zxCDNbedGdUlf1;*x|+sgx>)WX4hZPu8-RG0{;E<*fY{6C*YH)^t$4HaDd4=OhDKA# zu6yrzXFWLZvt6J|yb#2LyVN3-Ba-A?B>12gk@e+2Ffuq;WX7)`4qzj*6{dm(ZdVrj z)Y4MvcuhF7ivZm)tqSbOlA4C_8(Am;=+-S1u{&xR*$!h}KrM-IWq;6-R7hWRy3vNI z=63VuJ)oMQbeI78369rXr_EDkx6IV^xn%~=%DYPN?90Bfp#YaiW`v5jSZ}#j%-UcH z`uK>fUth^{RJoBT*1h|(beD0?Ldz;e7wip+SRTB%4nMa{d~LCly$jw691@bYgue^6 ziG5uPVye93P*x?*a>a zq34dT&!0ZM)gcZt5T&)OFKRIEu3yIyt%=%GYbijR#@$7N?C@QHTd4Rk)s$$=9e*8g zlJb-zCQ6Cbnd$k}4yEVf%jUC<${enl(_-oyz;-`<`VI15gE&-qCyKk?tgNb{ne&v# z816d`Kf1cN0gMpBLFWvEvKQ6_#%I5&11)CrsL}4cvJr-C*JvTF&*Eb4=MkBSX|lc` z-=?KX{%J-;X17MFc|w9&ik(c$0$Q99#fbLqZJBwhOTf*7`}fCaY5joDc=nWN1-SR{ z-n~((sz*K2(4vC^5UqvQSP4genc<;R($rjT-x?Y~%Cu+q?!zNEB|&3fK7A^U^c%%t zA03?d!#ij2Sm{zVD3mx9z_R4#on$R@bEBmhs#czYH(oRMi-c3v?c2A}WMmoc6P@?+ zFT4)!+o!SZmoU!_7pLf=lxjH|<2MZ!y@g1=sh;)A7T@8OB&}tt*1vfIjgW%5KTnfc zd%8c=cMtn}Yd}$GYPoL_dW2etEW2Yf&<(Vy`M)sC<8Y|oRj}`K;)%*Y0L_1aG z53)}4yHyTax!|b|3myV4svcvANw$Tm`~ExG_8@Uv%)&@wT)mcxNe<9 zJ{0^GbW73EXX_m?sauxj_kD;%nje-iUL4)eoPv>~Z`@#Mi7(b9ZfwJZC9!5Ro~+ox z!x%iNP#8ZKsjAvW{V zvU~mJ}&fWR+0E4LUZ&-B@(3#^n13PvZLvJ=rpe|rH$Er zwokHlvd!MR#N50VUAB>{I5<9zAa6aZ1-VP;B)`b?S2k)bN4z;fz&IawnO%!4$jHDI zUT7`@mNj+ZZ2~7cUMuDc<3tyD_0mt#=L4>X`_F3Gnsj2KY4^1x4$toScvvU}rz0Un z$C0V^LfuhdDZ>^`&GXnPU84HDC{0iqoxC9b@pAb*>dsnukF0a^ge%D=X_Sl z9J<%s)O52BMyUMbWLF~s8ar+r zscPlBcRP0)!Q%*xN~M`c#_y-I3TV;5IR;FWCY^U#CJPqyDXlN}oWL9m7Qdl^K?cE* zm`YZ4XX62K7W2j3=UdO#Spv{6rQs-laQGsWNomeK?tKL8XJu&&?(N>gVyy~FEO<)@ zb@cNzz4O?f2TvfOl<4LynAp62O%jQv1P4ak@|1&lm2XcL5KfPWj2gUH5Z@*w7%yI| zhWkTRi?X8P?dF5!@^5KJXPGG|Dk5yp;M_5vSp7?pmzO?1wWsyy!>=m2EPb?$#K#XU{!#<=(w6 z=kKu}e4;=oLu_qq=oG}H7+>H64=Eo6F&k!C<6ZBG6@iBW4>AHm)1~&+tKOJOHsTXU6B<|#(KjgTEj*u+cFVe;Vqeh4++*VK6a_+smIwO7xcIsJy^ zlpzgIr4|vL+%Fn(=d}ZYkp%PhIs((M2kRWJ6$`zm=BbT8rs#kOpJdZ;Jxxb=5)YXe zKFMcCCfA!^-69|gv@|*HlF<0`4&jvl;az1leq%{2`Bq+OHF;<$gD`dl%(W8g8Xt0~#*ViLC z%U_$o6m6VX>+0(t6rW2@4yqVWwUc3SU*crFjwth(AD5H})6ZKg$*%KqbC2tP!0H&5 z7-b)(&2V-$wzl{8K?t?J`1w5w(vzr)m7)vP1_=v_2#e>a!pWs+R)Rn(BzI$APgx~- z#zF|J4CJ< zm=VbKrHznwE^joDb6hkW-gdH!e_hM{&wKM`<>JN3!1c7Aq9yNC+H($8EU$$Trc_OL zPRuqiFk8Abu!zv!_Nme^)BYa*9)uGT2{J)(`6V;zD$r;4?Add(*9;afthB|%!7jL2 zk9vJmAPHaw-IONw_d9p-Vj5e1q27hezZ}VCUNPU8UED{9Ws4pTj>E0rHGNk7Gtpg` zvXU8Jvnk&n$Bf_|OdZL^nGotdMB1Rm0v|%aB-B%ixgkOSI0!_yNZ_>nx6b}P!Pn*Ps zq|Amar8ehjw%)|d;apHy9xbu?v%Y8FytxKpx|`ng&YgD=F^(*bNec%^O4bx# zOZ4+I?v-#3G*GW{-R?ZLsi zom-jNDtqwZ;LRd!-76fME8LyEqMlt`1>^losWdkx{)J==>?h`fwmrh;1E@^+M&$cw{dNoAS`~1sxZckXRPKy2Gz&$MY(g zutyMo)LV<}7ZHGQ@W4TX0>2U%N2tiuYyp0b6L%S@T{zdjsc2@;^M(eE{ETBqT+9~m6@=%Q}g8fqGc;r z9`q|N+c;t4(y^3JG)XKh^&6G~GIO+|?!th3j~|OayzKn7egz*_*o6nn<83KWynDOS zarP)i&Cl%RSN5tDJN(8j;1+B+S!sGE$EPD%o&=9L_>vpn9|OOf8^7gEmoDWbY)ZOL z$-nu2(&57r9ny`kxI5|Fw`tNSlL$eLghx&CPd@JQsv8IMia6aSoN3%07_EQ->v3lX zPF|?U&?s8b>5|lo4#GzSYQ0klA=tSz&dlqHHN<{gAK$(?yhjbE@}A-xJmDqN zNESY|ijycs9)1MH6)m~=t^Qil#MF}#kK2k=H#``;%r2Ju`b=qSO?D%-?%Zla>!lF{ z#wTxrFJG=_n_f6~F?77{BhkreYHM!GjTt(1>UETik6d6w+mPg2P3(z{>OPBXbUr$3 zb5Ubd|gU%bnq;Ba(S0gxKlN?G(=X>{{OkSIvnW?E0K{9f(q+Yl*&Z!Fk8Bbr}WWWYB zb;?|nbajSc+qc@XPal=Nd9Byr8KT{~oxRg}bEO0z~t#5D~Gn<4QW8NA_U*;zF>xFlfq<297-{e2e~bgpgfF zfE)i1`|OLHm!BR~g}(lt!r7Tm?+PPj z$?Ycx?(UQO;KAKIIKu*UJ-uCeL&72z{=y(AA`~1`nBC;6XzLNu*IU7X*z$c^-emW zVXAiE*#%PKI&ABbWabpJ^^{*_sDvH>ZbNpnWP=_N{)$d#Q-rf`U7}z@)!xMnpyJ z?zr+wD{<&%CkBjqBAh5qFJBUAe zdb@o}A2t7UIq939qa~a(G=xb?NC1*j3`mQ1yT0{De{}?Z-xhC>z3OryXNx19AYc&V z)rSSf;%7PJkiK8<@e_v=vBDyXLS1 zGG0CDeMrOdk%x5AuavHPu}5m#&72}^86wVg>?UCwX{p-@9l3TPg>kvot&!afSW=TV zS2xtM9%*R+x@J}g7+bH>ha>ggE@*kaGJDIWg@H*ycs`fT9t8(r5IsKjTgpEBCfSA4 z0=#Va_1WFW2$qhIFP2Uk9Ji*oNv}R$d&4BWoJMpS+C<{8d8hqeNm<<GEC0)N#SZRTNT1C8|PF6f{5?>3DyW^;B9my@Gaqf?vp8L2DfC)Bf_PBC7! zc*&9@_PO77TegnuVz5mrXKcW$T*_*z7|4^FZIVXMh+p3qH}&#sY$0DJ(4h*Nbhcy5 zip?X39QsNKA`q$u96CFEc5Ii+(&Ji%sWiPgLR$+YDgB;SIYnG=8~Lf0RM%_ET_v7g zxJ0kMKC*ZGkDDlU_rBWsW>1#@)9w@Z+^$8Z)*$7qXnl0Z%egFPqaIXQX5{-8!x$F(Ie)gg8 zmH46CdNn6>g1@~!zj#^?F){nr*8JI{?$=3TWGwSBGCBE+ddly|Lu3mjpR}F5vZkWU zT8wD z$q|^vt3CD9l`D>bQs`;WM6&4+LBGkW-{D#&n5cey2%g6OB;1pO(c3dCrr+lRIh4*% zt8yZO{MS4fq%WtanD1JpEXBIRHK5ATe3-x2*V4voQoD3JhKSFcp;{P)m?viBl?$k(=N;Ni_Xsj8MI=i|t_ zEcFAKVNzZ6mN8hiHIB2Ml{;e%(L1tLvh;pgtI`q^lUs?uj7Ob_kR5UA_{1sQA26-w z{tvYvipKwotM35EvVY&#MvGLE>>>$eXGXS=Br8<5?v`rDIEtKX9PwJ?g2kEX_sfzATZH`YOm+z#z~s5XQwe^PJzK+A0a&zMMm>_Bn$?4Ue?oBy;v30)Y0)Nb;s<5 zf|8Q(Q+qhhoEa2aKp?~sxn$m-0ti_WTa=ED}ws^7-W{o;{B> zE_wcKzyjl%nTa7GF>^R}o05=78Q;4HT5P_QeJ{2QuB>z3GPi;5mt6P+VU0t!OuR8l zY^_J}C!?ByN1;ppcqQVM@uH^h*D!aZrC(Ca=P{_{b6WE_RKk1T{!s2P@z#1pf(%wOC=G zI#P8Kg>L{0!rkDlG(VZda31;ac6eQIvs6Xbg-N5DbEnR@yw5)>ijbuWoazc2H!qdl zNwh=8BW0fmmBT+F(0{X2;eXaY;y`!JtpQA2+59IV7qv-9s9`zRoG48W^eM*lEdB2; zLiS9);{E$)i-g!0`gtMe-f3nb5RNzX>-TSfwhmJ{&{UX7N=wg*7y#@yC6TKKqi@=0 z^jxZ1Qg3WllN&>{ap<{0e?L2DIZD5stTe5ysTme>U~of=Gu^DKSDB+y`9s3Vz zv5S_<{{#`kD94@WaBbCRma!A=#jMMCuUy+s2Dq5gjGnJzlFayRdXG)<7-MKG2@~zg z8$IanE+hi5_qbri_(<#0=(M}HQ?gF}QLzcv%bRP8!{0_g{e8pzBp?osZLs88{O0`c zdPk2|^iIUtc?&}dG}$Oii&p07|1R}^KL)4k|L*6UK3ZN+gI+GYtEnKWkFwg9K(v=1}SHr7B@m|BO`o?~Lt2gF^YgCP)x3=h^oJjA^B zj+&|I1Q3tqwqM72?;XC-h#tnMTz&iY?UBNEu3h*D%@?~Q?(=ok*6zmOq%8-tGBXdKG{k9XfF{Od(%fCq)LlGFYcM zrYOlUr2fI-Uq6N}2@0!(B+Ro=vtM?71CQAI<6pH;tQdiL({x(|I3L#H-O1agrpX9` z?gDbw^8GTp4xCg5b!=zY*%d1of%tX4T>=t7AQV~~Pjs~~qw(TVq>wJaF7&bpG))gd zUPENI^|3s$*M^%tYO71I5FV15Wg=w395*oK0&xKK^S2Zx16ng^nTuKyv&WW)>i6%DV|xLk7IPa&sP*sPf00g(vIIkL7}9xQGJ~i@ zK<37JeYfET0cD4X<0? zgGRjs8yQF;0R7>XggbR7pa`4NV7z=6*ST}WK4^$-Y>+U4y%;WCFNM6(>c*#~UBzm| zz#6D2?7eKwihx3+o&)9<^!hcv;`F(5FQ+_#)?y6fow|ZWi*XI0XHa@D)pMNezEG4; z*pw&~sTo5pqS3wqoEX-BjBz_iLzv5B=7!dU=UnhFaCxRp**Q2M(|?9Jnnx*|-jx&- z;B$Ytii<!0EF3L;~%N~>GmQ1**APA#^A|7DA5xyf9DHwlHB|@r2uH@2F z_&7L-g#PoPM67vSLnG)waJ6LO=Go2+?lQ#$XAZ#dAg9aR>?~##;$0U3)8hW1PpvK5 z*H;BwmC5ehr_H;uKSH8;{?P>Pl;-#$$?8QSI~$#h38$z6bo)E zxHF|=KA3vpt|8{g`d7m(tT^l{Wj*hEnn5KB2-%F6x{kF9M&pB+6hO9MW@s4-oTvjb z89L3ed=G4P+-9h9e7Ow;xMZOlB#d=tEfG9|y*9_G6*uHf{TqzAKu`$lI}Z<1KnwnR zQ{v)SWQ&vVg9+g!0C=73hAYWO`2aDM@2U#D33p@X%@vlEBI|!#3Yz(jVaktQD9m~~ z=q{Kv`ub0!qOe2)#7cn#V@xz1{)s^BKw_NJFw`#uwbzLn%u`OPZJZ0Z6cga@KQm3Z ziaCw_$iiw7=@}!Xq`k)H=={&pi}kTZV-Juo=iW7xT~%TO)WA=?j9O<$es7$I)-(rXiMqfL&c5An7w|1ILvD3?9eYWRwYg?5~G-^1j@G8mnjR(rM`W( znTuE8xOzFd7+V5BY<;tINYuCFPyL0e2y3aIB?}^vb&vPp(VF%k829Z{*1zG=(@EUt z&S9VthAFaXE{+t4Xy6zC@GRspn2bS_}>$1HaQGsm1x&97GW{@AkOR$Y$sniLFy1JG?G6Sy)`L#~n>BnU-Jg&md5#oLahczM( zvdsIGL_T8P0+xft%rVroaTugDH66U;oBk}7FC>s0vh@+|uGj&VoeW@WS;0%4i<)r)8Lcodkz8D#iBjM`!fFEMSb&T{;9_lqPzA_H5H%! zy5w(GLe}Wkm}$%u2|6X-6vX5bJu28xFx11}!l}W$CvNhtu`waKiqJG}Lq`aGrLnR) z_Z~)6@tBx%Xr{U4CgQ6RVTMsc9LKt-AHtEeiX1M?b!?8x3KTXnnnZNlpAeTmXWauQTtU=_royyCEoT4*ut1+cLj|u6^dKB!Ml*Y3 zaomB|hGAz-&1F1vc%orgTV(9FwUgG*BXtpc2#jM0j>C8ENTz6mhk5T_BEC1qO!TkS zk6(e16T}-(-%g(V5Fc-3X4VUHtpb={V_=4$L9`#SFbJ#RY{Xl`1)9P%^L}r!|+ZJo_FO6Jqt^Ff+`DmbmqMsqo`C>ah$`v9ET;!(7ZhR9qE-|=Rpbq z1sXORFuCqwihJ)~)_98>$}?bbIBI~};`H)Klr9~D&EG76WmtoV_2lo(QOTs?!f_zme|g2<(Um?!}$$f!{=l-tfULz zM}iFjn>@ii*|rMQO3>uhX0XH4hyT2s#LB!HdUj!X%?;CD-Ht z8Xs6x!Er0QWjvf6f3_=b1KW*Mt@4%w+@73a0EmwbO;6TjHRt!{W{PibL9j&I*qJ9p zw4MVj#(gUtY(AP%v2#x1&+-q9Kxfu`#fFY3234o&kkkE=m7fE|?_`%cLesbi>}aPW zD5b%BxzEJ!0wdm`wLub)3nc!-Ef zTK(YTiEAaLwW%q(ob?>0pLlWLlg3+Beg96Nl!4^oI>pG$j1b^1*L0Iib`W$>P!{oK zSiB207|kQb{l`f-t#b;*G`6HUR1_FL-I$QZ1Sd59BJqH63mHLf=WwvnARP(^qg}09 zxRI|Q9d-!}m6Mkb#aQIcn+#oNjkDJSry{WQ@zq#$fZDa+naE=1`{dyA!I+}P-F=cp z3n3O83~+mvj%h<-bzCShW6^YV^Ej_0kLG*n0?-ISq;$K2E+00(02ht*4}|optEl+f z@yx0w6fLz50>(f|j%#Q4vXHO@kTdLgie1@i9`YC)(9lF&uk9j??*DWBr?T&gre}m1*+^n3NQZm zI}$Cg{C`%x8(A6xPu+dNZj8gwL*XMfQG>g8;k4{>ZF<%0(E}o)FZ5SG_*9QzJ!0#3 z2hY_u=m$_f^Ue&CR1ELj-n`KWTl^;!ho{rqWzWp5Tg2~ZpYEp8STy=G=@M0@x)nwa z?*BV+)!1L5B-e(8m_#?*X7q^}hI9+ZD_)pxh!Uttm>d0zmk|+>Nx+$43>)GN4wU`~ zbB?;tr!6N3l7&xREvB2;AG%Wf@P@$paG zZ2F9C;8PoNate1B^(0s2zZ<{S%Pap<{z3nD#c&VA1wuKbz!9vVV1pD^TU7t1EkY0s z+$PYYW&D^qQAx&+ao~Ig(*p)knJQC%KiFdDde4PF%wflr_|6yDj6MYU%0+Ll!z$qq z8(iQ1l^5b)^?>(a04Ii03nbOQsU&(Ra&&dkj${BR0wQq#&w=ekPEP31z96y&pcSN* z1crTBSoP2ho@;D!_Dho>=$t*d(>dWEY5Z}dZu+)iZbvsgwxj<`Iowtd5y;;OP8d<~ zo}K@iNG^-rx-~#xJ_D^JoN>!BkDw@RZOu%6{NLp?z4wU`C1FhMy!?NJ8V%duDk+CO z)o!@jFaP%gUcd7H-`C%JfZr}sIC8KTIxk+fydzmsJ?$qYWr^lAJjF3WdV%)*RgGcl zzLFc$y(+3Y?qtVBoVRHw?l3j2WZ#E5+F z^4G43D=9r5I}mEWJBvvsv}4g=h|XO;7f`7RlEyl~C{& z8_%O`_^cZDtZ%$jfl|!*tT^%hNUqGh#NPwubGMczNAKQ|{nYj6(UjTEj`v@@_h#x7 zzYBjgO#dZ`nBfweiMP`ttBSufo#?CO-!ajNzk^Kp<7xH^ICJm{o`@NsRFZJLA9R#rZahoO?2k?Q_+)=^L4OBqnxa8(h<23mDY9AQ@%wg(So6Yx z!8h9H`c&>cy!I=ii%~LzGfc8>q9^NUs=zEzk-iExVv zd7ri0TAWzRHfP!-$t$o~8f9}z^V(k?$uZIENqvBVnJZ9aVB1006cD#xJ$e`~9^x%j z$T>M1Yeq%AdX{g#Bbh?K$ zncVySQsh-X!dm$C{Z!by(r%l{*xes;?nb3d_IZ#swX{#&zL#aao->=qRgjn!I~vyh z+cmo#uZvvb#GIMXX#H1Hw+5MOuc9K3JgnuM?rbezJ8&jG{-sXuhY!m%Km5oN6B0ST z*NWs=?wb2#epNNAHZ&wK;BrvEHktL*WFfcVQQIk=v`Noko2#miZN~<`MKi9?8vU}8 zQsYfiSCUU_@9xMky{-R;$40kuLfdW(D7DttKUWVhB*Rp{;XZDRGehyM$u>$gkj zd=Ip^cxMy{8+&xm>WNrCeDGChl$?v=Q2ba*h1P|8JLPQrBZtUdthqQvDJX>G@6=fu z3Y(O7Sg{oUQgpKC6a#C5$vx?|QA5LITA|PaaXG4xKAQ;!lY<+%t~C-G+N$X`jda-O zraDUx9kR3taS7hpSD>P)t0eSDO=_2t4TIaN-=m|`g?b(NVWE>vaIgRT`L*g*Muj%T zV@u4uuk#eT=RQgK?!em^tmJ-F(D$P2$ z=`HzI)Ab|4OXGuUv74cMuR|xJwf+pQGxNGnohiDPm}JB8MuwIh8!830_HU8>2Z;rK ze-6ka2-4a#n~ldfJ{Eke(XTmO#By)8l#XWhRnX)ha66~JhcVIdy_;0{$oi>4ON6!? z7i3HX_VjP?hhl*gCoit=7UY*x|=rZTxok=SbeRIOVJ$)_MZs$XRk9D z(x|~(7T`O{z?wTa-Iz3{8OIc@EG1dn{fT5M;Ls5}%c0#xJ;mfF@>Smd+{}CwQ!hug z%e|t=U(9++gofOafnnw1mFZu0b5*xeX?}d`ep41ET@$|XZL)AuXo=qKx2-T;eWq=$ z+lOJj_DxZ`;9rma`07cw={dE_35@m6-o;swV|uIIeEN=hx9>8`ubI~B9LGOpGq2)d z6CIviyO$;9{Z9z{QzgTwFQ;)dDhmox(z&Hbk3WW zrRCKhO8sAbx@M|aTU72{S#77C9p(GHD00ETxnFG5apJd7V|j#-#l(5Hh6dy2gC1_W z^>qs*&Wb7A%?p?I$o@9lSP|>$e`{-(x0Q4m8p5!s-4?ehJSw2{!&Ra>?7xlc!h$GU1R2b6?-x^L&^0w=Hu{H0XdhE@#NVTl%#vTiM^k{ERm?6>hpGzd@X!we^xQqPr{ zc9ulw-QyKmS+m!aBk8OADEesBPh{-`i}L5=zhuL>rou+e=hCP}cDG-?+SnLU&{S&u z!=m8(RR5Fc0^v~(6lHr{U3=P6(y2u%TH1~>9JX9LDtFhk(5bXIZ4Zav$+L|28cOfY zy*9B`bFyx$)t9Mya6{yJpg`SBrip051bi>-V3y%+p~|TweGXm7_j~k(Ur03 z*1MTjcJD1yF8Th)VIiK>Krhm_I_1+u&mOHVtFZ2#(zASGe7^Bc@TbQ%a-KP+{Ofy^ z!cVeu)*m`_bs{={wIxJ%-Sw`No!!B@sM3jqr1lz(FQ3!%c6*lx{OPuvmG`5HbdXTk zWp25CfVSAwW=aQV@gVj0+n--$X0(ORs5OuDXUeEQo^~{$2xearcyL@fm6er!VttJ< z>4~qc+F+8p>x~m<2U>#@_4O%ps29eif)u`2*7RgWAn&8D!lyIzx2oP$gi5_Gc0B#w zICCKqPu~c^{SU&jHcRdn85)n4aC{>~Uw5Y>&+wJ;+H)1FpO2=*-p))BF}T&(FHxOy+HN`^EbqW_YLM3| zHCH<;;n%M#!OL`F&!`V@4Drs-8+VydQ~A59wcOJloaoy6{8PdI(`;JWCAQ!xy{uzj zUIhh5WsY(F79WrJa?OWyK41R33xgX9K02LTw=V1V(t8(+RPNf@WjihQtakY6EDI?e zR*|c!@_!oWj?&nTdPCZe;dREjTjc&E)ytQ)?UrhSSyYwejDO5iWn?~$&ADpmRz|B+ zAZz`ZTI5;Q^{ZN)twRc*^M1XI%j9j%*e{r5B2XLCzMC8M3Uv%!FSn2;-6=(O2Tyyh zG!w??=;4r$DeIP;w=b2-5}C~u?a0{qIw6_8FD@hG;MOZOTFVF_)nFs4V=ouu25*1u zHDS8KbYuUA9AOcWs-Tvh9Xoa~^z3q>Crr}6k)G)VtLAd@p(BKnvRFA5{Z;wx%t!xo zN;n1DMdxMD?*+@;r>3yr8W6)bzjLgb_|!s7_Z#j^`TD;|o$B}W0)t?+KP|c-~#YuLi ztyGc|rXKqZH={k-Ti+!~WutnIUkD+_$z*WVquX_JsAA4BtY^1Cf5|mXInS06`<{Hi z$S=iH#ZGQyAw35fGUkgJ>tp_-@Fm27VoH!atVO+-SdTdt{7j*jXIee$bmksCI2%I)u2JNWBI0)bFi=J)IRKLL7fhjv2j>i_g3D0;0eb}d80SC8-xPu7TNCuHK+OpW>1TsH zJY-N%fL~_TTR;VCUrtVQc*0FinqhoG2B+6AmLrfJ%U-$i5|n+&m_dEQ_)(Je%k|T& ztS|-;C(bnQbHdolb^sm!#`-#$1Y)FqqY#1Q3K^n!`f-6i-ibjdy7GfGg4c?BpSipD zk4O$3bHV?#YIpUd{o2np9>Wa7POO)xZ2c`m2Dg)YEZa_tm_5VRl$0u$k;2ceP5`!4h=pSa@^D&)jFlP zzcXOZPlpH0&kQCytd3f5#4BXHc(Jl5U)?aRP|U^_nB_%vgAG}3TiF*=+4^>zNsJ$? zKx<>x!IJgiuqLlrV*r|h;ScLyNINSvtzJCtXz-~`fxgwV)X)4dj>bcw9%d?s&gDKLP1GMnmAcwW@~l~cp$W)$kwHNR1L@r14P7@ z5E!1JTbn*r1V)88vvMTX2ZqGO>m34{wX?P3IK?@Y#`uEBeR zx%cvF;9ew3J7dNM-4pEvOGyYG>~p6dBP$A43lFWWV`Bh6UGxtsH zlc$cYt@Bzl7*_YZ)EmY0GxHIgWxjB%*E6U{v;IZkGM?L9xbPu4w%Rx*y=8iBqe5dz ztgNh@bFx!zP;un$T>wbWdh)%=nzA#((=0QKV(ym8#4^WQ#3pWgjra)?1LM7>jrv@6n)_BLM6)K_Q-DyUuw825kq>H~9jd>Ly;MAOn#LYQZ!$a0N29ZM`}krFUi>q2j)utK=spA|yhSs36RNH! zbZ00~o+>>_awCR%X7envt46rAZ?*A`&C*xf5l(-n0j(Yp>OsiXNd1 zWnL__@1|7>QgJiah*!^D^$}#<;#j-QMwbVYU-=U!i)??9d(lxz*_3D*RHdTzjJGFkhCnjB5ceE!*Fr6k(j?=6-zD=X|4*Ywgl%yj79p$v?KjQ|@!|fd=xj z^2fC_*-VTR{)|!2f70SMyX@Fn@cS`E`4s6d?W~g0KKqZR_feq1(Uhe)YirLK2hs83 z+n-UnwPVQY=7Ue_gt6R0=O<9e&qOZf|zjCRS)VjjDEXC zkp_wpmPJ7<64}4H?t=fhI59g;Juqq&PoJbebqaE0ZkRa$Fb4|*goVM89CPeZYeRlw z*pQ$KX#c25arEdjGC`cbu!1f1NG7^Ly!zsuaG!fescpL5_L4Ni}*a$qf zwWW7MzQ(Vip-T#sI)(N}_|fvc@cD8$x-Zv?Mb0J}L44rdfjs~l9gzFMp#jkghkg|J zbN;X{O!Oxg=xN0vj&J+t*DuHu8QgFeW;*djh(}P<)uj!7*#Q#ZWEZw<6cNYYaLj>R zce3a1ty>Qu8O9VVTq@sTg)8OjBK{6oN+>LzO_4(;1YRx=!qAU;BM4Q*pypV&8pgz+ z)XT}uYz2M~icVaOS#-i|SKn~gF05QoWBsUclL>^2V$L%nA~ak2MVJx(C14Qs|NIai zE8SV{zANIGRd4HzZIrzH^armAq3MtYMY8f264!TXCqC_Y^VwRzV)mX%dSKxDNKrfc zA!+$*Cv_j2t?|{*QBn(78h+pDU44Mo%s*PP)S&J-pH&dO_GoO(Y=nH;Ietq1J3^0c zr^GO1zb*LqVlCm-)JMCizR`ha0K-CL$@9|;`AyBr6dqe^{^;UnX*-OQIJG(cv0**E zo5WOi)-OXk`=5Neyv26m=SI}6`wF)2QFkDDi3w6&*XZ5exYQ3X_GzyDBHb|OI=AU^ z{y$s*p@gli^K5o{CzCF2=__cx=0w>~LSk&Uf?)^oyMuaLR`ROrQ^tGT-P~ViW<@DPt-XTx=m^SpujGR8Ot5ilIs+bO*(}heiorZdey})QY1Ien{=`| zC$CCR@+unK7B-bL5nfLwjmz9wZ!4a+*Jbw)FwH=kbvk9Mv{wekYA+|Z6J@-6c6$uF ziPHlN4_dAeB(Kk(%kHpao!yc?;K2?0+9C6+*RFwVa@x#!b)FUWQbkNW^gKKd5gmBw z5J52o;#bJITiZ1=QI2A{peW8ZX*UBQ2CNEO6oOy#Z5B3_U0VFYu`2*|?aOS^4{Xznk2Ph{UKYsKFr|R-vdmR2s1e_j( zDv>MM4Cq3Q@AIl(5EE%UBq90m3t~Qb@-j3fV(iEQ7U=STb{Jxrqm3~Nl-Z>N*s~-}iuIIln z>SSenY$#dkbItAh^2W?>2jwN*8`0XrQD1r=*FCPYo4W9mb~3l#F0xZODxUErnM8+Y z{iM!fp-soqgrCs;kN5AVojJo-9YlAa&?LKXL0Yxf`&E#&xgm-F@732|&VJ}(Sz56w zNG_S@k?!3-q&qUwsC3`htWMtHSy$rfeDg}+%w7_Ti4r=`p9uxe?-lB>GNfLNj0_HN zC?7g)7N!_hS5^A7OGZ8QUVPGf9lser!50tSF)U!wzDqu`Z(p*h;0cxi?MtQAbbUu7 zgbSsWvlwIm_mb)syw#G_xZ!H_v$;l!n3tDtR9HDW^mJ;hFLg%xr-E096IribI;{Qe zrMw{<@w@pPjcE3h97@^ssnwTlU8zZrA6JUho&EiL_*Y6|wz*iNLpk$pHt)`yKN{g7 za=h-jEY9uywuhzdeW|!d;hG>K#z?ezyUdRZ#2D1e~2-_z`Hiw;FNi8Qo^9TpBOVEUfux&mEjWn$=pLU?6Gp+7 z0pyUR@PV@4&ForQ30X|S)mP*mE@r1&K@*x`XlQ)rbjbe-EZKgyuy*&R-QBxYpB-Xx zn~+l14JVp+I;D6DAl0i>CHSAh`j$}#wn`o=>sTzpq`c@}nI%d6k$!O{egHI(QBece+UPFB+Qj@bZZkbcRwW zbj^Pmm)Za55tdYmsrdQNN7fFe2s-Ti;;@uBKf76&k#v>n9ouQ?66KXuH1E|9_PnbCpwp1Mw z*Q{7aMv&=xMe&uIF}tMg+IWch{{0!$Ub&8Y`FZyH2%xVYV&6>sPM7^^qxEzM>@5vt`*soCWF#htV0AgppKpw!4ew0M$apo`JWa|VM z7yhVAOQ$3!i=g;O^gQ$7{xCFEIgoNo2#tbiJs8x1#qnSWK0w13Y|)}a*j_y)E|fV% za@{5E=?upCTfTo*o!GUoP=xJ|vh(*U{j7`(urF%?GCcnbiSFQ~2Bm?LXu73FG702t zAM6nYZ?)71vewRAY}hfOB^4D0Hyc)e+*RDa&>S!FWZ52~ibZNZ0AX&Zv--nQ&}28LV;1bM$jO}(oQowtKwfGYaHuN%o|t22;Z3L3dgYqi zWw+#!UASiTqP;61098gK$L&m860?@}w#e>v&fJf;F6s18{jAOKei8P?MPs;xqdm4l zdbV4pJ%wzWZhCkd_q1-l?B&=@3&UIXolE9@mFb5{BntVOIxoOHP0fFv z6*>P$_3p@|`@CPHxzI}2>ii=`kMp|V#ux7gISk5A5@O=}of)2!+<8Rv4>H8H1Zvoz zAmie)1Z#=ld_+2dwJNqvXon*{nDz3yND+lsXHPDXDwfKkoJD#xm1IwZ(mX z4j;MbXYJTE;TdP7uC3K+pYAE~4mr-M?p6dDfB)d)@_VB!nqq7X3sL1pPk@Ky+kpk`NK;K&`Rkh9B&+6qQqlTEHyE%1*ll z?UmwXY$XhC1$-&>%5vA~?pBtUN38G+EOs>K_<5yFo@07%eLY&t`ow`<)pGKkeEOm9 zGI{SA%Xxd3CdI_uGAd&^IiHX=t9m!){g{zZFpXtmVz{vIu7m_l5)vCnZL4Cxv{1>j z5{Jk4ei<*V<$tLsYgFLPm0NYp!y^Iwb!uk@R6}MAtYW3uP6`S5Smok8rr7dvBTro4bR9C4KZ}@^+P^vT$w=$|{a@v6Ek;Mv4Jc#`J0?Xy zbg|txX>vkYvV3;k!LQn4_D*!7{-47pf0PPGw%xda6Mor(&RQcf@KwCY`K**IW){}- zqC9RVdR~XE3$t@5$*Vkg86W@E&GSrN-UT^1;&Tsa)MH3mPN^=7s=1;j{8Yk+c`k&F4^*YEEmevP zxlTEl7+q;OURP1~*g81g;4ab1*1Ve~RT3UI@qQYX6CS)^)J0W#h>?=1%=P-^^ z3%p#YAn>eq7TgAztq`VP>l+&n?rOl~^~6&lnD(Pq2NF1dvj{}f*DER)P)Xa%+S)GT zp(2+6{Tc7bV9^2(k4vw4>j2Z9Aa+(+1u5d5gVS+mc7LlXO&@E~Z)0`od45 zCe)|&`t=h6IW~TpqPW-VToQI~Zz^_Q2^-=BK;2?+MnJa+P^ z?$nPQUXW$m|5{CjwaPg8gYh{hR~OkZo3mYM4pW=XEZG&k?z#eWt5$cb9?6LKUPzWA zRx5PO*RQK_uj`5x{CEd_xbVX}9usFzY+L-*`5MQ;%V5UsuPb9eT2v~?RWzqlL=7Ah z*iQaNmd~zZcD?1AgQTvcOr!O&#N_mWvV^*#5v9iSbni`!L+1OpNu1_96+)a*GXKq& z;>6i!?~kR@EEQOH&sld+yS-ekRPoNrz0sLYO_$$q)jJ%++`-N)v0CX=U)5I^ms;KF zIfGGv*NYe7JjPA1>4uIE4J0}{G70bvVN-|;=K=z9vJlH`|MHlNs1c5omv8qHO}9V! z(uc)R4V`dEGo;-w$PR&^EtFkt{5dBl2N;J2{O~X=LBcyPKbZ9;CDDnAq(8q!=Nm@{ z(P=6>58PSvXUo3?VtfXnL>ca1p1Mxse|Q2wUyk%JSi&=}&=DRwaSf0genFI()*;oX$66XHsevSxX&zsEmP>(0gl)#njIUks=0 zcI~v@t=r1;p>CG9yKKHcf{d}n(`Vv~)QgWS=E8P)$;bSSeUolDa0IIE^sKH@yz%LI zcigVb-q**^vJV|SDmo@3CB}vQc}KRZI_-MGWq7N-&yMS~IW5p~bA4x`r|a$8VM-C7 z!$p3^v2WTk4U1f4e)ra5zIVqQ757-(BVmWKf#P>g8*4+s>LR{}VwSGch?bPrD^CjB zr}=FDc#uP5H)L;6LXnuMS+i<>|EQQ>ptyW#X131k$a}lCYY*PEdB$rrk8#H)Km4F0 zZ&^v^x90b-CVnb&mW0G~X@PoU=(F@}?Ik5zT1veyV@bctw%8x`WEuy*s|;Zu z$CDpFb)fHDncwg_V8RRcHW)>5!C#x59fp0TW$z0x0mHuR(d0u!CRcE5>fjg#B+lC_ z3HV@Pcp%|Y)wX&teI?r*+Q6gc*+oU7tgHmN3&7tJsziK8Ft@&HQAqm1KkwfAN;Q|yJ zFs|6WYZoZ|1G#v8rDB_nS7EBMpYb(iGC1)A(jL3$LiR>^P;%aIm|Ii?NCJQkI3QB6 zp(a^fnyN?7HNI^-(WV(>FsR+|vMwtqtgWwbBOYf^lA4;@GMkFqz{1jUP{sf*ywJgC z!lUcRkv;p5@2sx|s~B#&eJ~NnctuS^<9QscN6+F(m6P-AxI~a2uX+P0w=FFlc+@&6&24lFB9t!gK1kP>@;2#FCU4AzTyt;l-K3;m)ojnJ zs|G%*s0Il&aNNElqS;=OM$gVGc40+d?UaP9#tjK5V8wMV$=(Rh`m)jMm=(5JZk)1n z&%x2bm8mDio8jRKHj|M>_KFXztzjW{NhjiMe7svUV~@OpgR856VH4-^;@ZNFH3wr| zvrTWx)~ViE5>mN+RMGLg1!9VM_8Xsv1iKko4%Q!E(x2PRjycJa&%+W|ly&{yuPer< zPLa4XT>C6wO0&HrXs(5%xN`T_Y4dL^CwaO*P~6&fhp9p%+}AN6EZ|0D)K+GZ(#`3c z<+rq&CS9ls6n8s!sP2EqhFeWE|VwJ2IDV$rXh$ud26ByjEkS*qq;9G7Uhu57w zlDL7Z(7VCqy0g3cGXJNGfVKGnibEBGG)$Q;SOf}Pi`ddYN1~k#($a?gojWIcqwr+a z&>kjwYjYg-lTeMozRcKA5!PQyN}$6}qZmQYg49gAS+`YjR3pERA{+@Ba)O)cfAd|w zsD9bDw)Iqv&VC6ZPgw=!Y``vzNkReo|_-?zRK=io130HxN_mv5h~OL7W#n$ z70mlmlC>-MsRdCb)?Ac%w(rmpnv-V|P4Bhouzfi4Xh_gZgH!jrG^gQ_rvi4iogH0R zR-U$;TxhD#YifR0+C4bEm*kI@#&0bRt|H>4;wOoD_V^Xid1dL|&+dL&ftTSkDPRz^ z%W7n1`GDJ*hH5bRG7}2*yJ>5A|=} zym|5B#Tz$HaP;K-)6PkZNjLBhoYZ|$W-GqRK~zk)eNzd~{x3d67Q(a-7vur&L(9K@ zJ#VOF(hHpKp23UBY=Wx92LJ>l3*CqwW>w=~pfg^?0L<6>!c|R}V)w>C#`)qtzp(I$ zrEdrIRYFAac?<0n75A%n`IGv8O-g=v7s@M4hjV%;#`^MTgoN@TyApQaP4vqc@~UBl z)2|_}g1Z0G+iXs0`3f2I9XSmVnhE?C8f52JOsVC?0GMk5Z4 zGhmttA3yG6ad*VuK=A_?h;w(pA2vAn*K_4m!p5nFZNhgyPTbf=u43S~ zH{;L=VGVhegpc%e3=exBt%bg)6k!Rk3myZoS~!xHtqCyODL~JkSTp1i=O$`65*y zOD)&ig;Z_$YoSGf&F3<(T*#|{Vc_?EGmIU+EYY0vC@kE7W%2W1ob5m3U*4GCy$DWwbfpdqdD$db#xR5{@h~p3fCH!278HdcA%hf{>L3AUW z{IA3SY#vAe4GxkLHFQDShu}U8L)u$f5K#TStu4r*QR(t!1Z)YL!I=0>XsGY8^R9MJ zcM;7i9VR^`DoQJMkB*jh6Wj)*Nnd<)1osJk&Xfax=IBqq6uz7IlxgnSj$d!qrnU~8 z)pjMb5ApxpRuZl(YxK65{=}@*4~xN*3R4?PwkXhFw7hu_Smh|C1JhbC5AQKkQbL@AoPer2tQ*L8%fJjq6so4D)NmV}h7Ye?*6G9Fu?ZWm zAz}>6xhUc_F)1l>JpPVy@IBv65T>O{cef0@&_DM7;y~Al>IH!rZXJjkn^(doL$KHZ z)-%H^j6`QtYs$(888FtDlC(kcannXM#_3;_Bqa$Eei%i;MjZ+F9r$=KBAXZ=e;BX7!I<=(Jsx=OF`h!GAfZTW@f%n>K;ZSCv`$pa?s92NYEEh*8-u`)J)hD`@{Q&Vee zo6swdf6~&U{Jw%+{7~+9^!1&j9>>q!EQSRUR z`3_4TJaU2#Lm;<6%1lpbc=Gx4=LjAk*kDe+>`Yv*TuzzffXu)26f0amuP1BmYSbZe zi8L@XD?$)nH$?4tE-(XUNSv>GbACrOie(Wz7xxfuhm;NCcbGzp+D^L=J{(-jRqM5N z)l1_#MTV*UH_sdRxvQ)Wv1qWTh26=vUFmiFMkf=ZWWvcQdNb%ew?Txmyl#>C)*Gty z78&1wtJj*2o8CWfvba@e8|65AS+UQhW5@Udfr>xv?e7y3av`6<(GGJ3f~~h_&cpYx zRDbrY0`xY#5GTh=MC&T_ZfHWYUH0kXr3jugYIqAb3RLP?91HNIK)s+0#|>O@zq>)^ zff){B`UqLEIDk-3!@vTmt+-%De(i}o4fYx%lOUMX30)u&b>6(pE2X0H86HroY~sX? z98Ihk#lLu{kB$W%;2$;9p_#<%!}A3fKRoH+fk5)%+_|Z#sX38qftm3}R}bTPM5ng2T!Ro9GU?jNo;v$;yKSUw z;Db;segvB`>}Bq=bz`H>YX>>$3zQq+1z_ocN;o$?jSiKBf#+6qLPn6RU z_adTiwiB@8)ozpK=s8A4Mn*|V*upv6uK&A*H~&)+`odWVg89B(eY%-CPmS)nM`Uqr&1BbK**B`2Dw5dNe10SHlo zzx4|;``KZ+OP6+}BNOoNwXA4=y6YvPZ*h=eD?nu|OfJtq&1MN9$v+tZuDv^1W*C*9 z%;P~4Bm29r61`Oi623Y+0&83u8IKNx5Y9_s!QfcRL4@r`fRp3o+lW@9$(f}4rElG0 zNJoO*-|N>Y^oT&#!0SViYHVui!!p?9gGGw-Z+>ph#LUcK@!Ymwq{KhB6RofO#SqcQ z%0GB;-V77}bC1swxrh=BtO+8w5D~%~lUirm>DT!0yUC-(Cwk&Ucw{6HL<1=Bg?nIU z4Z9w|KJeb~^7OnldwScila~K}(%jF2FS_e23H#v_*;yBMw@sVuueA_1;syi z6DH8@Z^fUINgO71C%oOi*Sym4DzTiDCx5|sVA2Yh0lw2OO4k8=iZ}=cY zbA3}iU(xx;^h7R2Nt54BJmC+9F~tn}qr5)oN_=6d|U-=FaB&O42r zMBN&?>UnEuiHY7$*)NT8OFR#JdI_Fm9r|Pcu0c+ut?l2h0}C3MLP*5N##Z3bM>Lv_ zjw9+rFhpu-3D(Bb9tC0O;ok0}r5j zOarX#MBot!iL5lS=kw<$V8o^UZJB>8Wdmccf3JqU$7B`m9XP7!to}eu$R<4W3|%{s zfgdqZL$>4{gP{ts-)CxQtIeYk?9(4@0sm)-uisL z-~a#k9mnrFI-cWso^*HL*Zsa;<9wa3^K>C%XMex;KM(aK?VdYPeI~1ue=90Jm%Tq2 z_wJ1d1HvR#KtT9v%68^V3)k!e+L2xfpYU|0r^6BeHaeH^Ou$rFG2avxv3N%y*yHg- zl={wSFm+zSGj&7VtG_!X@=NciPz2M$mv-niM!L;E<#;YjndqVx+& zI~)~g`gKd#>|>4f&3@GoGxwWTWfgDi6VsnKp(@WY$&o6|GB5dXR=GE}R8a5Y#V3n2 zd6fOi{vjT}#~(4!XHNn$9ht><71_4jejOc;-;gz`B%_*H)>$$Ky)u6OVdIv8Nhgp>m|S zD{)_9>5nil;M`#@FgP}*e*3m31q9`;kO&A0a-c{Ayg=}!U^Fm3*LdmYrFXF(vh()U z@bd6REC@QxyX>3z_(4WSg<-%zL+5jBv$}PGy4;)ckF;?KZq^e+awoKk?UjA$Pj>w6 zuIL?*FQMu_xXRyq`}39FSkJewYUdZJs2x@pE$g!_wI3R~v&n~Ar=^L1-%aGg?C+0s zb}0!5>_bJQ0o*1~5#mBQ_MK7IxS?lbt+ak?3w-MgyBJxQJ^V<*$0s%{|1jTKjEa!k zhu0bPhQi&wD<?n=6e-3ok*fr+XQ|ayPY@~!exIQ z^-H3^(#Z0;>XSWmP9sJ%;L=CN%@7rBj?;s=Wp~ezht5y7oFQrF#6!dNk4m)ZWtWmGAwq)p#NIUeBMg zKJE0zdE_Ip(Z0PNHa5f~KHMj)yJ;vi(yZoe#zvGYM|)jWlb`Hx+L@`wOa=e}@Wd*)6x?Gj#Bw~paxup?HsZ+$~9P+?KSB;ZKr+fAUdV+fEa z$?(vlg_}5Y>-u#Q5GJ8(G(T^#<*|m+5LGIi|MJgy<5p{HccBXbQ~@##q+j5D3!*|Q zZ0{l?BZptX2yg0-h^v2kI#*gWMgefFVs=FwfkGH4W<7m{@?rd;aO{)I=QxjXj(_ z&EGq2{f#*LzXw7@PWc+Q)$`6eH$|zwNM_g57h7*Q)cqUDHCtG|d^}i@zI|=~{KOc< zbW9d1z;gbl0)spLKh+Ng>u`sD85DGX@v43Ded28D$0h212M@d)u?l+0)N9IXk~ndU z0hYGXnajVVA17x3r&sM6XWl_PyUn{f>chBFw}@}L1D=pCRX_V7#rS{Wgpn93;H;JllyD2 z=n-njt^PcT%1yVWET zIA}2bdZ-qsz>DGk_z>X=LU9$%Ngvv4nq^O&Ig^>5UJZYPxc(u+MZ9a5t&I(|e=31# zyoTD1YgYl}l^(kgOe6uHnIzCrc3;U7g$!lF*E;kD)7{^;X@$4%NGPa3)S!#W7@?9U zseN-n3czMt=}12AMKAetwCF%b5nr8PQ+Lq8F%LWT)`bE;doRbm_W=jNRIM0}|#mn2b4PyfLCT8M&q|G$G!yYPgLii0YoF_Ml_JhXaR>oH>4$&!H?KF=J5nYPG-p zPsc>k*#$`wQmO-Qxy+r^4AQ!uQ+p`H$a?NO9;<6PFZss%jsAnS1-$1l%{%S9D3BSz6Bafid9_z$awOStX!s z2PrAP^r*Q4{jrBh!Gty}3AZ!=+jMJQHTph=zPZHhGrNJ~5a{3Tlf452aFv1XSos)U z1du!c&8-Khl0wK$;LY*wAQ?bwz>LmoT6sv&N8ogDD2quLv6?IO`7hPkwGJ$^iSIk z)JI4VYY1M@ix%PJ+*C^yCy6%Sb~kgI*4lQliow47j8aEk8N2p{3mETFaa&o*S66j3 zwI45YZr?kd?^rw4)#6p9T>Rr_aN!wupTa5IUo8f6MsAks?rKaQPS5-fR=Lh_>{$Ab z#gbboh2!4%#NRC`|uz{58#7?JZ zCT$-IG1yZGfaAB3wSi-aZW=R~@@PeZYV>r-CyY+08#SeT8QuUa1k+b+7+bWkZ7aJg zjtF-V%M;J0!1B{YGJptRazX+LMDt^cA!_y)nuqx%+h9pzXKU-jDDpNuya;4l`dwcUQqS~>0q0rBU6zzG8_t6FE>FAtM&prcHKV}`&Y&tscV`9Xz_AtCW z&c>GasEzC3K}^MjHe#G$O2?9S8)p`o`kyW|#AZQEZPAwA*mks<*E3cNnC^-+>FsFPp)&LImuz+3#zNJiAzXRXE3 zExuKYHV_{#ak_A!+fGGOMC@u~yvqr{iNRH=k(Z=V`Ro+(5&EwxTCL7;E zRJQh1lh8OsELD=txJ$?QZ(Hk7eea{k*GB60&I|mmdrA^L7*`>!tk*}B>L0odM^EBT z2ZV&%1c#zR#?k&%3ejRpFVVQq}>om$dR6 zCMU*b&9_BQ_%RVps}8rthoPTdI|xh(n>QW@y#_{0f-|shDq~O5>j=RTUs$xp3_hbAR?sTwQ&&r_@ctJuo$u zvolTZ^*Lr(#$vq|^4fQfMeM1RWhU6FW2w>oSxjOg%V}= zg3$r+a5lC?Or17Y+N<`Y*dK1m#@m>tM?Jdw`2JE7rO>oBBM(t~V^L&pm&v`H1?HzU zfL76i87~Z)*FH_kF|`QEOK;jR;HBu?MKsKO`d$oug-=>bYdNPXv6MtV4LTU-90BJ^bwEhku@8(a2ZS(sF`j9-&x~{&E=*nvR+Da)E+3r_$?4ANr>By_&!EA>gb< zbFyP_u!ppeIy_9u|MwKI&&?_=LZD*y3U{&VTff^aGqIvb5kx76PuC$Tiyna)j53fs(X1a*8@ z)i#n4ZfRoTEGpLrXVyaY`IFbUh;j16hb5U5C;dpNljU>Fry(a#B8Q`Y+*v zF72JgTTb7A&&|-EzwmC31p0vWt%euNiw6IL%bun$oh;eVct(-lbVD0s3m_3hb|t2x zr`fOF77zIOykqrNS3@IJ)DBP*U~g|{myg!O+k1b66Qb#^eTVQKA9dsgOit~Ja=h}~ zHkX<0`0p$p30IAiftH$kJX#w0%J$^^65y8{reE&zEX$~t@!|}hi7I$e!^ia40X~OflnK1G;+Miyr%0ht6b%yku%h z)pjOLrrgM3C6zlP=m4S3?Gg!X&)o0KenfT>YF#(|eXr0`-SDcrq2rVgnT_<-ZxqeC z{Rga=F8ciDj1YZnIMeq>)u*-+89yy8!*FDnX>pcW>Enc{=~F4^ZNs~wBv^@v=BY45 zf|Y4zGiLp$XvfCJMjoWV`#I~=@KTA=>Hgkl7|&pJIRY3zA+kGH0C~mLzk#+4AwKT* z9!N3(hsD$sg!hvD@a;2g(5b|irywU+epw6!`Vrq+h*%rtfIcsE+g-1Naj5H=j&^F2RqPVMbU~g<@=8ele@k6SZl>^=QrYtDTfyiA5Cu*@_ zw5|Ae3k!?Pw6rgwSW_`KG10fyvnb&he^Q5*&f*>Lmzexh``;DJr{@4s;prYFBo7xO zi?gg_Mo!FPR~6)~;!=3G;1+gCvVbHEMB3+qt+TR-V|vN14bLarU!uvgxDR~o(j_94 zFzNZ6SrQYX=l4h^2`c4TWb-^Se32X;=qcEup+b6gRb>;nk}HKB)vA7Zd+m)Q8*j2M zIS22t-Fxz6$i}Il%D>{2VoahptRCOkpi!6oaz-=HGyv85$hiy?Zw()ntsqOAxs)lL49oof&x70g>n`v;|T7BPtId zhPu_kMtOS)qTB$n1_$wOSX?18jt_`SU$w5vV0U|E_dtSj>E=zCT1UskaN)d|P4gw=52J?1XMqUGO}u@mcwf1qi_~b5KDrX=&+ojZ9y*rjDvclkdjWxo>ayrd_^^T+P+ga-1Fc<_zA zbLQ>Z9^YQ?$qfix>aQJB?G?S(J-J)Elyof7y#02z^X9gp?P3P;t*wsV>TBDl^3&Gk z)aAp(gcOy>N;Y-0LP`j|(1z94KrV{?|Fiy4pn|aUpY;z4E^co4U>;>H$;tt|7I|mp zK6lB*bNL3b6k=t@DVfm^aQZXflnz(d8Le*?nXo<)a-t01KW*FIH?FP{78dgW zk|HmzbB++4d0|=&3LgkA;bCEr^8b3rWmo5ifbga)kp@k@8tt>^&(DC}&%f;trm3b^ zNyXg5I#M9Zjpr3lZU3&hxjD>zVQ4kXI1GIaJ-s0iIw+K(!fXoHZLmWTcHqh4+JMs6 zqrMzZJ}@d13TDdgmWGB;*gRQUvblF0;TGacxNulESGzV%OfHFwm*Q{yrd~PZ0`S#0 zAs6#+H8naheQde`+=bdvS*QDj9`uCZH1Q7-VE_;7sk-WFyXo#H__Xlb*bpf$eGE+p zCIvNc9R;Aap1nBTQ(FI5=h1(;0C*z$<)GPw3nV~5x~7~S!n>Z3id zf9eTAj9tj;ntFk`pCQeG1NaO4{c12O2Zto`_3L3mjW8lzti;2|hecH2z(K9>u);-{ za05$(_caVvg9^X?} zQJ7!P90qe2JM#Lnsl7*O!A@iND&{1FtvJxap>J)j-jnCOgzyVJa?oXDB5nZ-r=b~| znsNq!jPE~4&(h}Y6SDJW0;A)mU%aL|3qsr(zMlLIZ4Hdz!4LA4Jy##f=SMOfv&uG^ zQlscLg?4-Z)Oq{`CsOkosU`AP+et;$>xv}S#LDbh7*9+4zLMe z%Tm=^gh>oY_8mW)o9QpEl?+{GJ5Y_{)x;iKQf2cTYqnU_USDZJWba}>IhBth3d8@8 z$-f8i-Gg4ntkwI>4EF+aUVP9GR|M^Ar@opR$U->=Dl*dpB$cVwx!{k1Cc@&Oo2vY$ zP@Kd^MVYRwb0ky%!(gw9q@+VPu2YEdab>9bHR&yy*kL4O3i}eoXQU-8o0r!Uo_rQp zh9gHNCMF;O1~*heE!D14R9dyAUO_fR9PATc4}TE7K_&1xI5;uVv$8Dqc3;eg(`;Eh zk+wF(fkU(V8kXtYho423kA75${NSO;mSoU0!OEWc>#hq8`PAn}*zv`o<2@O1Q0U8ud2ZhIEB6dc?_Sp8J^yL(8{4Ty`TqXiSAhZS>}MrO zUY4Bx*)-B|e1K=be4XZyob87ESu|+^Td|>Nr~DIfp(C4tFcFip=6Ed6R`D2Syijqn zp6u9z><)b6p7pe!IjA`V+Sqa?dIdNS$z}25VI(Go9Xa*+E4Oat);wd*JXi`}126iw zZ|668rVe0IOSW$xl({W)86|za;7o;q0%Rs&E{QGS<)IejH7JV=AYbj=d2aT4BhHTC zcxhDKmLD1hV8g=p-oM%JZe z3dBH7AWTe7ZURS4g1a7v74H!u>Fpovuh>sw-G7s{l9!UO`YK_Kf*cebY;Ax_MO7JA zgm3_k8{!41Q{Kj2F@0+P&|7KBwjXSX}G`l*wD}MTcX!gRsD-ki_+sBp+<7I!hBuevsaZ8FXXdX9whB^ zj=+5XTug0w`4tV%Eh-Gc4sLh+?f3clZyk6}a4w*-L~=!-qBJkCs-2oOWyU?!D6l$f zdRG*VTJcKG1a?Aq{of_s^G4oE{(4(LP%WZUm_B zpSO719r+$J0gJ3Pftgwdj_Y#<%iPVi9n#P z@F^7?1uTs{y8ZE21T0694i1u&lRF8(?RsU#kxmsRd z+Czq%i|YEzKBvtM5pM1SB_YWAV6gRE-M2gE${||Xt7}aq2F-EkNzsL36bKy54!6oC zQlrqOv7@6fS^q2&JkA^_vuIQxm`HF8u~|WvHS*$lBMwhR2L!xgqAkeN4l2uE1`SmekulwG_X$$^72Z;N*X9Y;Emx~ z!-b7Z+@AM7pQ7#GK9P^M7Z`0fotc|sz37ODML=G;bgD23M4w-^C#=1dI)pWUDh=P^ zl7+gO8o`~?H~|S6FOL^mDgz%sz@hgFxU0!CF zIFt1KIa4$>D}^63Z^=kFhK+wdwtOsYc`h=fjdVe8WV7Cta1ah zPqAe^$UUy4ahJ#l2gmlKoLwtN*=D@X zJTXegOd~;?L5XJZ5~lJ+&(Ol8rcT9N@j_BJ5lQ{^>sId%5%WRs#6&g@`qM{`o_pNR z%@Y0%BQf`tdzgP5lX(GiOpIL#Havi!k=0<8Rl4?YXK#N%VBlNy=QE{wE-s%j-!Lh_ z+o{w}PfH7!y7vhuJuR(qeYC)&M~s}@4;>v2O5b(nnBsUek?7R4`^7t;EaMsgrAO9(A10`Wf9NSVDm|*TgIYaum`~<#s3zPu}NBmNqSenOVW%^9T zj=`!*oM7D_35qr$W+oD7CvJ~vo`ygMF06gxfyPG$@1Kj7q0Kymwf*na1BQdWy~to9 zY0S7G7;eXK-v!m(=-dYLSEqWZ0&xNZk#x315+!Q?MNoXfBQ2}J8w5}!^&Sbl3O3#3 zjKZfN8}K(2HCRp#pJG~jWu==H<+g24Apb(jbdg~Sdu89SrbJ=xvF{O0%5sU5hRH`^ zf&7}%(ygTcP_GknS6Icadiy!aV-~PPx_fSp*>$woF?CI;@{)Cf2&O=2`jKQ%dG{s_ zplU}J1Xq{Pqzw=2KOoNtm7`@7GVVR+C?{D%bJP{H=iZ8foB@6n6`{9>=}V_F7tbHL zK*@ZJxg|fDGmD2OazynA^V6`M&n27`ZUw%6f1q(=ZG`o)8*qys{d$?r2Bv1F>YEpc zbEe!nKO`?-8;?Cd@l#K@&(`0jZ)_uH%=BK*JH1_ue=Y;dyY?xfuD0}dT{_5H3X#J< z^ggS7F%iF>ThxD-$facazwMYz7y=V-UA?W2={U1}lE8)3cTs;cq20Fec7C9S=0hIB zaw#crAO@SpV%%j4(GIFVu+{}w(s4p8IN!zn3Wypp^wT{P6Gh-KVV4At)5ePUG306+ zQQ!qlaeUMV4<2ulr8r2wYv*mIvvTtCaidHJ4_@JOO;OJOM4bQk(a4bvUGFM0 zL|Um(jfX(+$^wqZ5RBHJ(}NL1cfL2C*cyvF5HGIizEkY9?n!Vm#nrC{n<2vBJun!ft@F^xFH#(VK|0B*vp{D!%QTz7{h_(exgJDkzB5o^JR|dyOKEudIZGVUvxn?f@nS*UxfcX_X}^ z-ciIj<((&|)V@P!J}X|~JvXZPK?5^{s|BhX67cs-T17=7vEF=3WGE<=>e-@HheYK=}wKur@Rc9Vfn4<(t%QF7(X;!bOIrYSaXZ zSu*>J&^{7v=wx*jv%2!HF5F+d1a>CPUq9LFk5x;;o@zfC<3$4v8h0%|ob&UKiHW9` zmRR(I>D=!EYhzINGu+xl4jf;`uj3MerX{*Stz#xevNP88I>n84Q(cx_c@am#%-pl- zH2h5_elzsSc;C;rFUkM-1Kp};RQJBT)J zO?#mwcDX6Ru~*~V%;tEfwT9dj2BGmqAuksH$i_yW#cm%Ro4RCrhO?xuL+!^@iJKDX zfhsY@fp3CeSQ(Ie1arS%S)b|W@3L3O)1+FkEm@oC7!s}*sL$)`=vd8*R5MCgp$%9HV>*Pb0 z{Z{~G@DV_b4I@Y)6NC>n1qEk*QPRD9T|n$KnGs9#DJLghn&(G*yG-G*`-fXP$ifnP zIy~AM=k0J&-5-udoco2hoWYT z^&lVL-{Hpab>4u6BO$ES=Ga6k4Piw&Z{~~~1J`ME9CTfxvD%AGXb;Y>58!Ft8^6SI z?<;_Ak9UYK``t3B6mLpAIhx^V#tsYba)$`cV1JI2_<1IZMpEK zU~sd$Pf0_g5WMu5Q}02J1p2@JKW47;CxCbhT2E?NT4t4$h|ZAi;^<6(IcZ-Xw$OiA zJLO!X2=Nc&ai%k(=^uF1mDww6eqo@B#?;SYqc!5ChPZnD_ohS65qHjgT4(LeIC;wH z&>x^;E&i7}vgyQDGg2nseQe(lO8I=BcsPf#eWG+J#ho@c^G8Urv+?H%Mc*Ky$d{3= z8v@?1e7CLtByKz)`t-P$XRdq~9jyrkA9v=$iihWgPgX>qjVFY7Oi}2~A3^xb?U|Z_ zw|xhkf6$nxDXSEN&zu^A|W4x!J@ON>s;y(TaLO88(09q9cdEtCJGB$?oS#T^+u7=jVSkHYO$~;}M!cW|%&QkO>CWdB+1>=vEx+KWY{L1hK}X z1M>*51ne|tJR@irmZwsya3t$kFp=k&#a(}tirTg%qr+68* z2*JgC2Y7gV{CkE6=wV!~c7mdef{7o9&p@-UsjmBLYfdk?S}6rbO#s&M9D;eNc>Xwy`} zg;H^Mz;5i+!C1Sl5Wt35KSadBM0CpTH?A#EdqRT=Fn5z5>N0L#Ua09EXQW}__x48F zDkbHXE4`BftTjsuEu=*LJ~GPMOB4rVmx^c!99LK+qc_xE53NbHIsYb(4pQ4Uo#!5`k*?? z%7KKS>#YC<(6#~}!YW@=lTvS)a|frr!PM^@KX*Qsj8C7saq9;M!54JE!u)he+5sHnDgU-&FV5C8t!E6H3N!UW8b z62QrTP)|y5S?32x zIx#wBV4&^Va~#iI$>s+AP$KpX6&CKRksfq$>Oe((eSMW3`bNxfF!pgWJ6MR5jWI>v_FHI$G;>X&U0rvw+L!8| z_PPuB8Py6Z(s%o%mM-JJB)I8yO^67BqV)5}X`HJKU#;by3%u;(ZamgMd7S0+pAu(< z4EPzjx4l$4I>{hrYb%iU!j~ndDg*lDpKV-Jk>_Tv5k&i~BM)M3#$C@|jS`G%rH0ZR z+3E0=WxgF^?q5zyT5I?Y*Hg-ZJr3AV!TbF2RY$FM9C~1DY-|Q)?vxlu=XL?}0e%bf z0RS=Jk)r|zYaPXv4SRsNmq*S?E>qJ{?dO51^nj=Oi8wKBt&Tj@aA)%E<}<&2K5(Lc z^ZGSKV)?&AjbptFEQwsZ`!+T62u~tPO@}S=JYE7bK+M{adhG3DJLSccR{Eb$ zv)ymca4B)O*Gc3|icXFh5%2C0mBu)1^PE~&6|GbZ$%OTUh!TO@)Ii4Ij8Fz7#aPs+7C+&fAR)H>2 z*YB-0ul_ZPJ>i&Czmzz6zpR%1@NGMZ>hoV?1i*RHd#z4B(BCU#H#0updPB!-ugtzz zA4f*np!Y2PZ^jpnssWf?fTG9Mpi2(Tk{i{el`G#dhvDM~999Lq0hK^_ zcsRag{kUtG_&IN`GRd)o)zNea$jjH^jH04f+Wi2ziHRU97wzZcGl7*j5FCif)=s*8 zLI?$R51zubQ`PZI!P^l8aiT23P;A8ScZ+@Z&_#7SCJotr7r42{3v*A_wU%Gq)&PL< zd@hlZ(d5EdD<%*^a9+pMkNZnNV`C#GS{oZ1qO{vBA@BfI5;H%{gz>lmfk!q%_%|Vv z%3&$~6tCc4dM8a3Y|j`M8ajCs0yj6tjq5lq=}NoKy!+R<`ImLWhCS;V-e*#?vtQ{e z#~m3Z5h!?#B5{Z=0v{~ua9`@oGe21=={~2N8buJ%n_^|ZiQt}tXoGDqJdyw_exu3t z8{Z5m$^;fM{A?P3&^_lyOvH&gFUcD%Kbo6Md$jr4Rlt05aUrVvrDtd;yC(9v>^HTV zIdKbJ)w*b)>Oz5j%ChKEZZ}OiU>PVMxOiP*6tr;PApf7*$nguP(vm)h3EQsS-Q6G! zX_PpHpMqmdUj^Pk`>$V^CeBZi7x`TKUhme~^~ucXvKHCoHyMRm8HHH7ib~E;tyAMT z;QA{$Q~O?ztDih8S^n_hqdke-!MjH~Mwd}56kU*7e4S@^Mk@pf`zueWE`zLL6hT`_jj zM(S!%!8nFM&waiOR>Cw*0wfoLwc7-Rg#73(V4HgbCpp*M4;?HkO{bWdE*pVAw~Mr zc0C=?sa58;uU~s{;Qp@VUM#yRq2KLikOot-z40>GlcW(B|w zh%{od1T_KdpEhsOKmyVdFclb|P*A)oCpXaBs{|d$#>OwKBMN!%Rx=>?Pk>|C*-Nci zYg2vmEyyh@Gh+FeY0_pF7atruLbB{N1Yh*QowDQV_B&<$@lVW1^3iWn%x*F(Z zCyMh<(vXZ%tqeK0 zrd~Z`2Z|ldB0CkdRzCPiakD96Fy2rC+EpX6 zN4zNK|H}n9B(N)%ol;@P4l+$)=P(kD=7ygacyeYmN*<30>vgamT{^odxZ0{+ZTe~R zJ*`R8R4nQia}d@s^qfs!stPcrv!Em+P|Ym2^KsV z$ta1TvDD!03_GqrE1HPi7-aCPGm%=npzACnlU{8(o?O+tK%QWqiWY9B#YgNqb zBN>^!17w)?c-Y6yX~=XwSwrWes~E>o+DOH(laaKls-*OlSqN;a;3pE;@ymS>_WCug z>-9CRYr-6O)KR#IigtB$ggI3MDWVmaPt9WhXw%ce;)>O4iOnBhbpxEsj2D`+VZ97N zAC4zJOloKt3O$xsdoWv(a0y9EJAXa|Rn2UiUVVfjhX=nkEC(d1l$7rE5(=6cz|Aw- zRcI11?M%jjpw-~$!QvpjM~Y@p4m4pXz_4hGg~(<{(1a^9v#`h<7ZmNwUxW<*C97ZN5R zzHV+b#-};YR*>EeFpk`@Ixg6o;l;cD%bG9ogP|hFwJUOSUwwY{yXJO`dsp)f^il<$ z9)0_wVvxUY)xYQ6eeFX!aj{sYHqakw`mSYL%^`UX0!|ct=lgKNs?-0-NxQS6uR(<9y_Co{{p2kQ)ce9J$voq?v(+h%#*)6ywNvQsS(W$US9NlrQaXMesl}tolktfs z!zHq9M}whb$)$g8n8P1 zj4|wPa=D#uSfD_o?aznupK@6>Gb_u(iN)?6r1`(RqsaRRtP0eps!*tU0y1oDl&J6< z7#?<~$4Ca>N}NClM!f*+daQtJNWq1f8g((*E0jHU0E+V9QrN&#b9iT7d-^TUeJBeYe9zZH;}nF|;`Sp$O6)CB95 z+UVaB#D}b`mxT-XZT`2!%-paeN||Ih=i^a1kXo|A5(hbk>6#GZl8e}6>x47VGq(+% z5LUCBr&&JjSp{4ICW+8qsrzeJ=GnE|yJC}MR}JMwij0|B$qsY77kXUOqo+1j&;dq` zsM8;Tu^>Z*8^ILoUaLaF5kLizOSz~}sOh938RaCr=lFk;rOO`-S+O?^3T$VlK@doI zlfa;05ESR`UIocDFnH{2Ub@t^_%}0VoV58K@yQ@dX#FSJ^WGP={sDy!{@>||8ZJ1! zBf3j?MVI1lzy!+5jzN8gITOw@DBj^11i1+SyxIj;J_*LTNXJ@#7A+c3v|%(_`7Oq3 zvSS&d>mnjWAbcQrTC&mq#5ll&>m@2WbnF%t-gJo3Xh<>N0%Bzc(1cO4E+Zy3_Bnaa z&=6ufTnvSDs{HHxAUQ0PNptpgKZZ{F`cNcB9%G=Syv(?ajV+uz0*GgoEvMI-%Q;fcbBn`EmZQHhyM5BfUb8tUB z?=?xuIH&*+eomM$FTu)BzEg#ZG!hxA)v}~15H4|_005(a#H#8^FEs~`}2L0Xg$BlNa1wjio)_-B^{96 zOrk{pxKbPzwY5`7JwVi8{omA4uMS2yI$i{83NdUd1MQ-!bpgNya{Q}Y)b;5&gxH<$ zJNKLrRLqm~A3j7H=*eYZ8QXvS$dPcgQ6O&j=N2;7W}7QADe9}TB55P#A2 zb@?Pv96AI>#0>7bhgyF!P(%=5R)->;-Kl55zsYmRw>Sg#D(0UKq7eLJkWy<58;3rd zkoKsbI+_9OhM8#8;C+C(F8v40;W7Auy}!%H%^k*Lc=OJkqhi3jAEBw_wx_0~Y%6vw zz*wC;#Z%+X45*y^_Z_6R(dpnFYC+M)HyYA5xMJzfS&iQUWh) z=-@xCQmCF`B1aKR&j*Eh5P;C%-d0!NG>WBPJu3VA?(QA6fmFQ|Vg=bB+p=_hKIGrD zRr?m7?^pKvE^DQ)Sy;!rnw>=R2G?USp}u4cHbW*38hBE`I`iXOw-fDR!NS$1Y{;uu zWF#a}A60qoe0BlDrJ+&~8xY_zeJ?E)mzVb)zM-fHXRNQ-vO;TZLY`N5pix?@BJjAZ zJBtQ4xX!I9nqz~5l9Sl7kGb~rN*JrIOeney4vavHoq@67dBy2qRV7`WOmk1*ne~{S zp2qa)K5X8Chqy3L0g~qdy@p9Qvs#Ihio1O&v4D(sdZOAb0EB^XQD;WI9W2-Ys%&iy z;kqWFpfCkoh5O)7!IDTeDUkMcbq&m#knGN<^C5I$hVO&bAG0x}2xR;6Z{LtF6NdXWsX) zsWIo2Iqh@X;jeJ-OQg(SIrJN#sEL!H?QHq>Eipc1$7h0>FF8%mEK>jc{P@TKB+U|V zW^Z-13?`7h?2uZ2(Cx~O#XA3h zfaOU>6o&+9?eOq*C?z9`VIYYMVfXDhvX8)HkIiw39TR5kPF+ZW{Q7og^OQ3gyvRPMC12!cfO{gft&Q0f-dP_a_-h(kf3kkvS zhXZvijN34UYV5`>q&aj5M1cILs7qK10_O}W-xrAnh+BUC?A6e~8Ph!L3oFy-7cR84 zwgRZd1z6USZ9bVAw}tT6)z(7U1Wde%u9A{BZ`$hHZT)PfySLRz@PKk4np1Yn+z*^` zSzFsYOe6t&Pc9<_LL11N0u+^^XU|Hl{Z^4`@M_3FXttK_B>@S3|6bxzZGAl_>f(U` z6;;)fQyEE|G1_xY8$7R_?BS>kn$n&7_nUziD=J3A^uqL-#+-d~Uy}ehd6<%-FhGm- zcmDPUT;+(}D)H_JN;e`!VMhJ%gQcQkIeq#zNZ!qcBk!P?>FD4vt<5E>M0dzVYYMyC z$OV^4p1ZkSm?c(EjnC*R$;`Hjdb-wh_nE!jSqSKzo>h@F(GV6pWiYb+N&uPY_3h62 zC=3C%;rjXWX3QK-h>@^`fI$5F+c(928PJwb8L!3#hs^ZwaU7%>3^_=Xo}MNxQv*#1 zZ-xt(Rl-^R+SWfz*gRl2b4JWP)Xn;9@EcLb&1l6$;jlAggPsr5#Y7#4Tqu!^@w6jx z#wa9ph3?$7s}>TR%=6=I7v56sblI(Ax3!$T1d6BozkM2ui)SueAXqz+Fr$(|i2)!6 zstWhUP$rpL(1^LaM~#O0`}<=7k)XBlOzqY!IGm1Lc;^s;7x3{R9XJ8ngV|&xlfWTJ zl_7rT&EN9t1}287*^eJOI_EH7L%MtW_I3`32ZMRD3aUR`o%50GC@cZ5zbzApsyx4x zi{phxy*tSVj3|H#A3vV4CE}p*q6oy^Xn!u+8G?YKnFWjrN(|D;+85Bvs!Yl`b%GlIQ0;{CKlvGmR&j^fmgr74a?P0BVl%W-va z386C?!8e>PktDt%Ayfb*du#|=L?9&1xk3qK?Gok<#AFOnZ72~`&gkQI-sWj=1bz}7z;>5zwznh0cCR4}Jbk!)I7Lobdb z8WY~Lko5;*{*2gKR!dq%Ao@l9lDx3!44+$D7ANmhp zMiI~ZC0pBP!+AVV9@>egwj&`mwF{^s!v1tE?l@q`-mkYvn5CpDBeg=w|GlSa>MRF? zVn!2-Az?mpb#}hyCj#H3MT%l352n}uWvV~8X_K;aL%pUuSc=cMn@vEPv%uDpXpI{b zbdjQ+pHIQd{H%I5G+&$PgbIAKn-hDETEM&0d1cA{WF zquAFbD9~A;kU?K1Eh~$mb01gw>)hNW5OnP=-u(MqE_Im>%ju@GW!_6RG4YAf(Nd~E zCK$W&)xv^&DBh-<9b~#6`zu5Hgrs({JH_EUhDi_Z{8~30FL-j@54Aa-bd=wiav;tjfq+eR zVxtu2qtgdSGj{25iUEcr*5a8*$^o|ki61=}T9n+le{Y$nJ4a9DQ@0*zDEZw(V^ckG&QvT3VQktT{Mu_+)>et$;3RncG63XUk zYI*Uhdx?mm?Eh1Ne`bOq1+JucRovsN=vW}UEmDLZ*}5)VbX;?%Upe#&QURYM-A`oh zdp56Gv_II0@V$^ZUBxH=|6TqrpQ@}Y&js8_R2aBBs(f;v6LJ4j?|!GNT`lU67}rKd zZT%9%i{X+Naf$Lu1MOOYD!e*14{BTW{Wi;JSr+?4@W<&th}%i z|5zyqJ=5!xd5O_ITGPuN!TsN9I8S@-y%PKW$8K8v!}LPmUzeAcmX;}j-lxPU>O^4| z%P&-Lj57rO5lULoC545xzf50PSv@+U^O5aat(>3ztC#-QZ%*HqQIxLi(5U=zO({BK z>Vx5j4@wcjb+&Jo1kd`oMH;)rX1z*$6PRr^WN7a&HkcHzU>2w~7#lY`J!eRJIB|GH z;CtBF6KCZvEX^c`rfSEsxJt@LvYj})&Nb*Hxi;rb!|7?B-a<;+Lb{)rj4tkDQcaoW zjk!rpi>l|Dxq7j-wmef^9#^lX>dugRDcS2r|!pV7Md2fiX(zc>2uVMM2gO?Y5nP}qE0{%u6OnqNB8WzwD&27~6x zfsrq|BuVJVvYU_SY^<~-z5hk5wuh68np!7Vg`1e{2N%x;x(5p0e*E;eRBkSgwkbQz zNiQXns~DqbiML77xj%HL_u@$BsSGR1qmHVngjfX@i?0mdLjwcgcpD#^d~!-T;!czd zkDig6*w%MK4)awZ%lGg3nV5BSg*qO764{|#Vt^vSYsKy#~9DI zePsskDuv8VO|32Oy7re1@rge(cGI*|Rgt!+W;>ObV9@4wc&cCc83xuP;hP6W5~XSC z7;C@DaI$l7Wn^}mFYOl_?lziw@j`(lS~sc4)@Iqx>N$k%_WWPkt}8KBQ5n+Y_dP;) z(b2`{7+oew940@yy-=&8V5q=CQC#!L`H%c33;0j2ZnUs(YVB9cHMDjXuzlP4s(*0& zt!OI$$XP+p{hdJv9*pL{R3PAtQRAO4PY~n_@P?nnmcL1 z3AWTv6SFES*FO-qiv8u(yw>sE-EZ^n>~YtIr;mRN30`-y%m4d>4aZwTVXerXggMl- zZ{CM~OA(#-E}&dn@BTdGC!4T3*_dlxq~3-C0&LQxMnGY#VFkWGdUaIvJk* zV501Jjegt@tlZpLZlY;alu(d#SX)n0#Ur%FQ#pZbMiTAe71FTNX5iS#iLjx?l)|v# z#8aog%UmPb$1iADT46fL*#Bi2sd+)jo1%Acz|nTID@kh2T@IgSq`uF8Gk|VvV<-+J=3any=RrO!+^LjXrNSNaUmx6Bc&R+&gVY`B#5#^m$$z9ryad zf#dj9&)C^j@OXVxP6%^*3(LnXQ%P1f$$JYNe4Ug{?>gbvwHr3mBdmW4)^^jrv9cTz zmA!UjY0Us<;-K!t%wwn3?4F9SUF_hpxLn*Nv*k$qzY**I5cbwlQMT**_ZTRMG)RLZ zElP)g)JUg*g0z5?NJ>d7ql9#afHaDLAktxgq{PsTASvC=?;M}~eBZtQdS|)z-fOvW zxbOSAuj{Pia{x%1o~6#z%x1OT`=GZ>ggq4%Nonh{`4D&R-`#m z`*tSEhOJy1xoz&GXh%51s>Bh_7@1j}6&p+N!S;7=Z&2#fYPUwT5sUh}cklItyx2vm zUPnZ~aeg>N+Ip_hh)7@DgPdfn5!|UHhQ2J19BCIFVMbLX*N;-i00&m`N$ixhzrUL- ziViu@zug>cG0zYJO14qXl%i}MJlRjD%|9LMc^G4NWCV4tpcq;O`hlkBMwJ9av z&@>70DwoZ*>*{Ye_quz& ze;+5OOc}+bepOIVd9wf2w=_f*_(Y#b$q0+KKCoZUl2ig+-YrXt+2W_=LxGVmjt^q% zI>Z*1`!tyQ1$`y24O@2?iu<#vO-=rOVq?R}&3>!G%Uav?ENcFngmD|Mnfd)b_T7i3 z_L9DTCZ_oKU}X8%^V}D^D_@Vp?Z+LAilZVAFCv`}dlg5!cxWmxtAXebbalE$cR$+H z(RKuFZ|xL(RU-@J&^bOqYOhRHVyv3)n$xEUH?jmyA3QKzuD2tw0|z;7 zF^9XdIz+`E?~z|I68BiB)t!005Ux_1;Nm_ zJ&D}*1j**dxT==AipWT%$0t*Qms(48fPdMs_{()=b1r8F-ykqKUwHY=?VqX&3g_*w zb6m$2b=>oUl4I4NEvDd5aZ&FwMY%0ZorJaJy{Or_swd&|JamMRDp?ogw=nb$W_c78 zHH3SXb2F1WZ^z9y4ecZq;^G!=eAg9*NsPwO`?PKql|@$z(V`x&(iZ;^qYOf7Lm_G= zz;*xs(6xWp-~8(b(1;%#(ygEUV`@3~(9Dvp4prwoiLh&a_YSt%kW8?EANBJ3{wDXv z@bqi@@p=yy@e>g{$vSUNHW9pXH>2u8ThrjD+{MLDt&)>$>*<1p?~_xI^6F2-Zt{@` zx4#N^ND!gLx_aNbB|>k}!C*DO@bqp%q?$@4iNj@Knd~gWvBQC`A92a?@&3_TZV~(A zYhoFinp^VET-jdW9u2!3&#t}eK{qr!c%TcbM(9H7XR2+=M8%TKB%;^AE$m&8qv zVGDOOJ1MJ&O%5FqlQH!zrFz6IVb3;T1_wu2jjm~#gHv0y=)pUoFMgpZck~pke|3y; zrS?8Ik0+x4vi=P089eRf^A?F7nwSGPIa2eUL8<2|&m4#Q;MnA5OiyS4p%^iBwuwN* z%h=fH*KJSs0xQS$*K$Jk_R9LTF=SB$yC7SNPK)rq;;&nc8&QY<5Ry`8`~eRZU~qZh z+PTt@jg?u<{Y-ZIs{!N=S!#V0vCTX%l$v8O|L-h-z$x7iwQCnb=)@v@zFg%L%b`p= z*uWtfcb?rCd-huU7hE1OP;5%xzZ&T9J?ivQ9(57E9r9J&xSmF3Y3SkGp@M`gJS~gs z?C+qHI)z{HBC2)AyNM{JBCyHp{b9w|rxHDE8%z>?-VLG1@AA<_=z*2S3GX+KyN<6S z9O@Z#sSs~-x3(pN{%b?~`#(c}sHa_f(J{G$ZdBeok7IpdP~EZesSpphAO$k!WGS&M zhyyi0JMa;C$ia0fNl!p4#>Iur{l+(G4cOsT4NAy){d6AS$~%T82&MSsM?osyvpX*G2@iGVY)p z?%Y#)yoL@E(BFTFwy+zluRRX8d(4a{3Ip!IPAKV5q{K{?-&ql`-(07*)-RLJ+ zPS-2n;Z5v=u3UzY|HVVe?j4iRP#Mei*tUvvp)U_H7;^zFI?5ZD@o&lX&NM)T8koSd zTkqzyz7|nl^07qprrwJlI|wc)%q?5;ZMv3RcUZZT-qbfh+@D5*9mTpQknqZ#!YrD_kU0CqOF&bv(%CptuZ`Ng#wgG&duQ?|D!s znCIEwR?|SK?)ZJ!uA)-Vc7x~1d?2sc8w0ynMpC%hxvYF8Bd=Z^i0cphD$9y_a@R_L zlG26rLu4jfyKxQc{2%`7sdl|* zzkY3amN1jODM9QAXd|r~#?z@8OE*TT7MD;W=94_0bd&cJVuL&(b%>jp>j|fOXnXSp zYZx(&Xv?#CX3L}kIH>yUCw{zodE&WG`ZFhL)F8u_e>}*iQ)v1}&w2OHUi&C!hNlT4 zuYH2S$fE3>?!jioDII&!v6S!6q&v(h*LuoJSchX-vNeNG-)UQjcnE-r_fK-&(4C4r zb-~XS>y^dp)-tz_J6<+6TzsGpqM6DHp_FX)_k$0Njbmb;dE^rv=U@h&RhS66-thLh zVP|CINvV@WZewnodll{6exZ9+OHWbpp34HULko zbMSm=Jao~qgc)4;xON6harX{mF!xR)U(S^0AH*ich0tp9Ii*~Np-ch7HIMx%YNqO1 zV)rG(`z&^zg%iUX&Xhtwf1bPOjzp(6$b~z-Q5hfZy6d|z+M?6KO*)-MPC2Wr)UrrT zLrbk+(cwDx>sR(rU-6ylMT!2Bryx39?i(C**xmX3yP+a}UERh;lIk*Dmc7*?kHrgg zmH@+1S;^FFA3lT=4O?%ufbJ`kJ@Z>WEY*)#)OWc4T`>vrx9CVp@}cCfvd@ByC!sZo zF?%=o#bf4pC@ zw)l5_OiGTEmtS;$N5Jz|aX@Ci=&c`ZFr%$%5#v3 ziAZ>$dY__uvoPb0mGX6VjQZCzDgtMWWObLjp9JfbR<;J7Q*7m&+>V*6&%s+GCC^s4 z@V%`woc8C>G{@;XeIv)()mbOLgw^ zTTTTb_pOhh4l}|{qt19TGB_wj_Cw|)H6P!aCNnB;^X^TQinC`8QHlUS!2A zon+40NO(!%a^ydb5}uiP#O0VAlbj;GbuT6!{*2-i;Y&={Pk&L=dP=*oml@zX{RaB-9-$-rE2r|Ldsjms z!MyxWg4vbtY{U8p%5eWk#{{o-D-hPE6VC@8QJU7u1Y4BF0Y@@@XF8+`XVX z)ZLjPI!-9>(ap})o+jF{(vc|u(^X-Y95r9vAcN^|Cl@-E%7t%I$+;1b(#bgt?+r9uUB7sI`Asn-#&>1^|@~q zOtuyA;tvj1?0}(9X8Wd3(a7-51SZ%gt83uAjY@yo;i zDuDMzPk+SsNl#1s?)K^N66p80M?%YlWGGlB))pl3im8qi)wf5=E0CBpq2Z9w*o^l~ z;#>?yt%vePhV;UVlKm(4-`t(HlCx@F1lQHYWMo8z6~<&l<$hlaa~B=c>_1ny^qbn6jJ5SjZNG2ii3vM|=%7ZYrL|pQYvfa+AwlVtEL*o2J-QDl zAgwxK6L?56dfX7E3nsfJ>JvrA#kMJ_k5!rIYN8C}VFb$e%0Iq1Qbm}0U*DtCM3Ctu zhWS2(y5(5ziVZ~wrUa8}1ST!v@1cW*1zv-0Vrxqe`q={|}gWluFj*lal1_F$KSw!ACZ<{$MTm5W*>2SHzzC0kc>6 zE~uGIZdAmOh533F%WqA#bA=2i0f8$?RUV-~-E&WzHX5{@tYu#Wry3bOzK)tdPQGMr zXn1g@sK=;#O98UyS8tL$=Kh=+L$C92Gcq#bt}RXj9?IX}AI6*MX=s#IfM!P{_&DbE zYy8!Lqu0=>f`?n1pBc8jBn^XKY~1K*GINUGGjBS?91iBs7(DE5|JL7by4DqG284OB zu^wR-*@?mcP3M5@tV9Wbm`7l*IEeC~f^&%WZmpoL?y9J4z#6n+##eQ<|`{})d8 z4qjcJy){%kP`KHR;+cup-gTwMXD@C4Su8J2%p*oYB~?It3Nzuul5o7iavT%KZOmuX z(Bs_t?)@)0HPS|M^xf9X02zH1Xacu~x4C!wP>OWu^H?u9IYHBoU6>`&=MrJ_9b5`a z%O3me%8`0C>w2BnPfH|)g)}=nJPx%Vbqzroado0*;ouqK74#Hf+RcSwngaAhWMrH8 zlsG<2FzyI~TF^Z~OHjr+9>(C~<8>@7WoqSe6p!ihJLLHnOQ*T2h!Wl!9Th=0mE zkDmKxeZ_&JgGS2xK6jaNyC1Ryn|U`)AgjJSgg_5pK{)EeZ-g53;*t&%`Gi3SWg7j zlIn-)w6J}ih4FfG^JT{C(8p$GX5QKg2K{t5OgE9BU{vexC0wF>umul|c&@3k?uTM>aT>>h_noSo;(Sx=NnOr&INUgFT%o~Y<2FHa~_w%{<0ev!6pOF z#A^gxEt%x6eAQb{CBwezf?v%EXAokC^~3TOIoQZ_l3A`Ud{34t>9oIoDNY)5?!kNlCQ~D-{JccIi-c7$LjD{WTO` zDPA3}=-krJWd}w2{@=481c5?>=_6`V<4ujed-w0h#Y6~08fNR7zL#V0(YU_*(@4Er z{nW1d4`1K&3GSy8V$zlimLlA{4WUry{B;_-ew~{gceL!KPix=;ze8qv;Y#ln`=q>_ z`8LWR1os?8>g6|_(aiO;dTnYd%)8}frRSFiebTN|+02tuj^@34FIxP}tS#QcR11pE z>9L&ixe=>8hnk3cJ)XN}G^m7;5V^G$_5F(D|hojEi(p4NlNQM{Et0 z7l2^K#d)9mrL4?C?wW6b)#z}mNiUiIYqvK#AmMi(+{0M`L-&vm(i-~7Rz+@3bRxD@ zg_Y*dPX2&CB!l~uO-u*nT>2s>F1V0^lBhGwoD+~!-#Cp|f6v!Ed6|@sq`lab-xOZR zu%3Cl>uP|89?a#^+<4gYswRfq|EvGu_G;ScV&8skHSOZ!eD2nti3yjP_YWs(anoTL zO^{O%r1EHJN~h0`Rc~2#emfgBWdgsksD(e3i0Ax%tdf*+?tghJr+qx<(+W+(z<{(90e+wuM)A4)g3c2QTRi&_FHZNlpqkoakE z@RykCV;HP}4@@@+L}LFF`nxNYF3(q>=Sx9D;{ihLoE&=%Rcxm{fY8O!ai1*Og;$}b zzV~CKSwJXVwd2Th5E7o&4t=WNVMN9xZB5;G%7_el#`g4O^BE(S%Q)_hGB4|u)MRkq z<=KdaBtFo*=XVIfabVsJni{VonZx7i>q#c4Z^u+3cJVP$e7ev*)(9gZCbux{^xvXz zzxAN^kt`JzK4OnzG8~CrY+FLW8iHXb(49ilP2?#!>#1tT3Auo&&XF@nn*u{ZWU&5n zA&io#@$tfff}gXpuxd?^p}?@+(gF^YJ?laJfCCT`0dPjK=y=nDb>!g0hR|QqRHbAd zHKu>}?X*_^?BY5%v1NAKbqOO_es%Z8aIM>)5bFx3spT&{$IZo1pd%-rr0t9>k35+z7%W`$Ft=4G9GU(e?m4%k1YA|NNFFm#>l>Zn|% z&gEhlRZoRJ1b0D}OmuX}%a`Urq~zAIG)Un&*pN*^@SU?shW$sNjaJNF+Eo+tdY&EK z1<#zDv1?WZgDr!1rhSbz?{E)q#2!R@?_mz(cGWZgnm(7A>(?+go!@X?mHF3p;4q<~ zFmP@z4DC8V6GD!1YCQ7>Y)rP*CL#d}LTbKD{*b2{5c4 z(j{Cs#Q2w2mThp68oYS%iJKfvP)8)B=arLHwW)Z?y3*nv+xyHfz5<;EH7MC*jR^9wLi_XSA_8xyrd0EeCyVewGgJInj71gOxDa zA{YiHW**jcM5+PYaV@0Mp{_siwv#qq#YxIpga*pdG4Gf+p*v^dIrVM+V=kC*5d zt6-sny*-GXzH~~*m_j8oi@WgwjQfZw@seI|4JKM%mndx-u_A%rk8N{-&Ia@x?VaCYlqFqS+n)r*=d`@a0U4TWDG#00tIQtIS=U!* zF|x66%9q;MNOTcd!7#W|;2{p@8HBTN^I!8%zj5pK1YStCK#ZfRstR~y7;FSk)xkk8 z#rzqBp9qAi00?s5Tl^phU%@lGeBt3KQI9Hjkj;!1f=~im@6CC zr=^9^Bf7A(&D-7^0^9cw=Q<$Myi0uryZsnW-I^G4tn-xD&nBnX9lcxxl!$f(?$*{v zW|lg=y>WeaSGhTxFw*_R3_d5>hlBv#t-H!p%fkdggPPi%J21v3CmWmMpPAogW^P71 zw_?KYgW73pD5<%vEu^hsO>Ow}DTyQA?T3FFIiJ1b5L_L{3krT8C2^$Di`nob)=x-; zHcIiqvObHU;pa0Kjt_R_ac>Tl`?k~_Z#7L(UKw|1&CB@6!zS{MSxjF~R@T< zL{ED3n}ytuP=G<2f7Ds^cw<6TL&iAFZ|JX_QEwx+|`x{@TEpvVluGw0(6 z`=9G9vZEhvaQLLatQ{!{;X-*s@hV;uGrQ}whXY1rKQtFcKnAvMy?)HNvzJzxXyq8ufaAM$wVzSmL{cppGj~52gSZN`25@%N~{FBBSXBF82bzmYt?N&`%XmxVjZ7dH}>(3&PZ?c2M8C=WtUk7EVG+lKH|9Q zJ&=|SS{=Zn0Z2zcAZ9dt(*-*>v>-|O1SXSh4%Hg(!!8BFejMd~hC@q8!xuY3K@z_z z>0$H$z2jTm$H^rFz46Li5?p2UT{z+SlDpOyXbsP(9Jkt$=jB=kYFt^|(kFQW(&s&-rn* zFnYy<%Xl)F_)@*&kVkVf^!rGY)fk4{mN7%dWu!36{vT`NEej~l)Pk%fY~?K2ZNRLq zGqBMmBKi+SiuGzD!P>w?*@LQj-Q z^6yE-oExaj`1677M2xbD>rhh+E-(E|NfFK7-Wgi;RD46*^HJ(w6h}SR#q{rkFquX7 z+H(VeEcL0>|6P!OPW9%*y%>qWFsSgJnzun7EBx<%5u23c0k)bzv-Ii#X+FS~plCu> zQhg5L^8kdyAe)1VCPW{gJVwm}?*T?CwBZU;tNL0}F03Dy??$g4>^4{Wdgz42>@WTX`IV)iGY(;(p*{AdHiHPGEm zN|vnWw+x=I8{Rh` zoOw$BGfAk)tg-552%~w~p_7rsNs2_iBs7A>gF4fgC45o*D)OBUyTAA!(+mq7kL=>K zyByL-=puC1kSz5?Mx|mrJrWUvN<3h?pB1<5{8H%5hc zc&MO8SW)4w&V32dNL`@O3NWk1g+6Rq58*d4uoRlCU+-1v zazI|Et8q_Z{Jptp$y5YmeZ*au%k?uV%+w5lhXrT8;IB{H zKIU`%Blqfg`g&usZ-K6a`jbE3(}Y)P=R{uY~xux~w^tOl>c8gL&NL+FJ>MPY#2@9g3N$EYfqD&KGstM-eGPdt1GM}eAdb!^B z-ns3yKKM;JI~jz@b#_^7M7}lC<8#)401-VR!hPG47Q7@HQV8Ye~g? zfkt?$oOt`?D%#gS(Jy7p`yI=|yju~z2OI9;s7Ji670mMHvoZ%iv+9@m<~QV)nGzM;V*#nCMKpAZaf|m zgy05cmv6ejzlwOvwKzO%+@8$6a2+vR7hXnT=0=~5x%Aw1AY8OA^X*{wdmZC^BX9lr z-xgPd;7{l+?b`et4;|GeSIc75^76m<|8_EJDhYoS2x$ zrvHXSnk48uS;s*5hX5%*j9GzqJwS++Zja&E{_y*{s!f7l>+5;C@)M*ITPAXPt*<^S zTkpIk<~w+;7?n?gNIIjv2AiRu&KZUokWy*Q&yp(A>@0Wx6=e3OirLZV$xlztH;r2o?9n`BNC=iWPP!unT zAQb#SECzZ~=tv>Y{9TXm>t4C9&-nv1v7mnNzFa_+ZaeMt>@dvmz;3Z3fM^9wjrXW_ z2pOU+Z)^`Y|8iiycNHN(^v^<2ZE0?Pdk#K|pr2fh0lQy%thGSZ6@(R(cRvHh4jfYX z`1x7>z17JS#KaEJ9fUeoTzou#G%!RQ934SUi2~s^vmSjZlTu1-_?uelb%CYDMlEX& zZvGz4tgP(n$B&bfbba|SwbjM%vhdIQS@?mz2Z1Q%02wI~jiqL!2HFFn`ZwU^>I^Vpyq;cCxxVZoEU}qgpZ3{5V5yn zlPMMpkjo;Dx+Y+6`7S_!L8|)Y|Ng5;w8GO{fMiIbQKWH|$2Vd%P1V1}&g8Mzjoi~jvKJ6{t;4~wT&RR5 zzPa7;;1B-Wf`3-vzZc*~jOwMJ(8RyAp`?VpS*6DNjjMLj?{DKM4q#S#;d;Q@2N>h< z6gZ{g7fj_pSUpjeeZECW&8=^%eReIWbdYBn_ z-M2QjZBPor5^0>TCw}`}Eu}DnSJ1(MhkqyzE?v2;nd8xwd5rezZAWx=@L72)jl#<5 z52P4;EBAbfxks+~p1y^20i5z7rTa^CR6jk__gSTA{Tct+O#buDxX1=0^+N^s^T^+d zPVZCFpJR7<*Etsr#cvZL=!i2158QGaA*}(gYE&sjCTvn*DWu2y&DV6UipoHQu*XG1 zK|Iqil*jE21-z@Zem`oC?nL1sue?gJmTVf34P6jViPUJM^AZBNU}%UMUiK3-#!znf=-1AH3qyBF zNNKFqtB|plNaBnSS5tIuJd835&(QqSQ`^nGMvZ&~Q9{=cLP`_<&40fM{`)GLSR(#V zl`;7^JWZmrl~7H=iH9%7Sr*Y1_UJdIL0BL&`hl|s7>Zje7*2s}FNsNMB26vd>7->*BD|RY_q*IJ7aj(jQ~!o@_PKg9 zlOY8Ky}2_hTwueTG&}tVNBSEJdc!fpdf4V!I2G@=o*p1)8aeeTVjMh=eHyE>DWVFe zGvgz*^0LPj*#{a0 zf7z$cdqC7u4%P3#{%R>*jRJ;cdoL8gVo@0D`*i z@3W<`=A5Cxw;GWkj*Zl67BDf`_{=0W+~+}U&AFT)x%b$L57{8eoT!G$qU19|FpB)$ zgZ}R>pYV1MPstjM=Xj=z*iRHzE}fc7j(la6i{iS382&IH@_{UzA$Mkm3?-LDbt=%V zh@trG0dF+mzZRj`+8s=CLMApW8+)aGWWVyyAP@NT%T58tc)w0Yh^^y={TQ=#{w%iX9>qm~7!KTc|Gs&v{bG=!x+Z2m zq&jh-Oe0O9s!;m_l=J~)0W>~T0TnM5U}cDxl1QF>x_iC z7V{3|efXlGJ^7o0X%c6R_kZ^;sSxfP?H3mRcrSSFC~6Cl;Nl`F;K<*;MT~fRvL(uC zOT*jSn3tS|Z|&U`T)a?GvU-79~@aHT0rhAIJ0U<;wemNXm+?~%3K7tMcYd%vZ4od7q_wJmj>yV*y%iWhYBY;RP(5#b`;lK zCeJrDV+;%8OZ`7juImz*69OBK6a~h^Yo04{a3;$Q*v~mtLSJJ0)>P)sSFT)GD9|Kz zZhutSpmx^lH-KruoDdHQvQg{oGeyA5puw4Ss@x`W2WQ9ZtSmG!AD}G4uTKJE_|EBf zOMCn9(>2Hf{j!dn4o?oMSL4vUckeq2EZP<1W`6h*?QDqXl7l57mu-20ja6J#l@0xY zu!bx)rP{Wat)~BU=w2JiNN_hqdOba41yso>qm{9%0@qjst~GXOsw>w%9WmF5KNh-+!bS37 zFvdHdT=-4dznqt`}S(`;zfCd5=V`5QC!QJ{@NioLks(U zGe)T}zJjA1BV=X-Ym10U6Z3SuD}XG8fZ31)A?1zy=k1U>fA)FT+xs?V@&91L)}GT7 zg=Z~reGUtrAfWzG^!~=*yp4aLe``_HbfBR6m-Par>6G?(MXhUIbk^$wcI?w`Y<$Tz z^in(IrxiNo1Xt`hKfUGePHbLiIbuD)PQIK0rym>*%sS)|Q; z#>b}oS<1@)7LVQfcUoGS+ZjcF&$SIqopub7Y&2I^pG?{AL5u*>ZU7{OzJARKDHyoSj+C!L z*WT(rbX|bJ2f$Qi1qC<`0s!6s=y4hK!TGa50ki~=D**VR;t5@4diny`RUjd;wjP4f zH;Yp^&H(xd`uUy!X=!Pw&q5Il?3v!3>ZGR^S>C(X3#lCd+NP(baFO5~0Tb4cZNaZ| z(?bLR_t5x3M?iZQNWAcuMgTQOBESCpX$#Dzc10K*ECL52O3GcRksTcYs`nW1OsFp!>_`!)i;JkbsxG6q4Oy@A|8!0v!a zC^PypjX-ll13D2<6xCk)PSD5(l7WRq4&;t7<5yYv7iTe?`L(li6(*RT+pL&#j z31}2h9m7MCv8vqFJea%l zP~8ovn1haci(SI_h+FWFFQ=J6+j2HQb)i7ERi6b*KALsiy~cw98<(!7jmN|t@9%M= z0)ylR&it4<4T91fs&wB=Sb39^M5D9hlu$vzN$@eZTlzo2Q*~u!I>og73q=oGNwxTI zN|1!>E|Q=Ql6=Wi==hy3;UNWF<(?W|zeFe6HS3lt)^VYd3t`pwPq4Pv1$RF!IawKZ zVdzsX812xLp#ZW5jC~_Xj9e&vqWcy3*9d93Soq1GF6M zp};5!mp(Qk;v-mS0lmnA6=(rKEQaA47=(bgLPtZxWR;PYwi=97a@0@?ux7!Z8mRgo zbU#5|AFbxIG{}o;hV>561>e(SHw!JWq5~pzpmsS!S+h0G$Ce?^!sb7JdU{BswZ8!5bc?^(`}~6>nd57o6V)3l9<3r9mib z4q65Rlr}6(0^AaTzYDfUKV|@T?gVQZC=2qqyn=$_07-y>w*@;$%iEFA549O61lti4 z3n-4j2OujetE=^3i$p*WdQfx2v=;DVVDaaByiMuJCm}IDF#&T$)}ZTOQvUUCQhB9e%G$%DDHEVFw~oV=VH3w0Q`#c`X7KW+x|#N zsTEjG@QsPo2mRFmV*p+k;ISUt+WwSi0dJcg3+0oC;uCFv5c3uBm@6G+nTDL@=)ACnLsw9NT4fH`loBoeI{9vxdZ_)m6poME2Zk%zsogtV&SlL2z(JZ%mP<{QU z@WjU+!zWPJ?`&%`>lCQ+lRQ0&rVlV3`D96CC>L1B%#c~dH^k&|A=tw6)Pk*N^9sDYnf}mr zgKdR(fr}x$$!LfZsCMw2P?hXh`V~mCM8WtYBxMBx(k5RndMwfUB6#1T%CQ)elFs(= z1_P}9NA%F+E&W+oekxVU>_?^c6B4Y7tdD?x)n1+KeNRts82tLsnz5l3v4XIpm6SNa z3!qZ<2k4IAk?u7XfPE|iz5czq}VdAB`S`#Bi0%#95i zpwmLD3d&7)dJKWf4X-}o<;!3;s}Hf>JDoj%tsbhyWzmf%Fl13E3q9B5}jRl z&(|)1up%BNIKh+yPE0r%aFI|uCm@hxNfw!xAgt{Mc7@j2A-QRaYF^%ROBOIwVZwa5YpPMCvg85z?g(ykt3a3 z+TW-XVuqaV5$F#<%%NI+A7F1V&)UT@zi`bGC}39IZRyWNV7?2WFpCQd-K!A*li`mC zV$2b|$S%vnv4!@~s$8D%ISloA?h4;y+8BK5<%sU;o3--rZ<@XdPJZC%qpd9@DR~N@ zrmbgi)lhJ*b(&G?{=Oi**_D0=LLoS!0bN6@hw!?5i!Ka!Enu-WUw!~s^aNE1dfNA3 zJA+wom5!hm6qE*AT3a#YsJ?KHH)SL7d8T-OS3d|Yd z#!63Paa<5uK@0#fE4ltMAbLUHDc=NP9Ps)I3$&2Q(B8|*Vf7A%z9F~`h^9qGepTZZ zf3|^k4StmRns8}(dEsr4JvAyYC1ng2H*5;fD};*y?_;%2I6I0vB@RRCs$Z_T*TB31 zAvK?jkx|{pj}9GWGTyM z5+jIPm-rN$YRL1W@kK4IPT2S8>6k00oQ>vLKN;VcP@j{+Ed-bUi0 z0s*}V5Io8K-(&|4u((YJ>}|%|ia&kYTwmWm_)`P}cvkOVH_S=i+TMm{SnF@e3WF7( zi^kp1MKOZqpZK+F84^WASOe{Z)qGfSml30APC;}1l_KDh;^Ka$;ruSX_cGc%?DqZ ztcgtsA7MKHzlXQUP@q>&5oIY0fwS6vq|6ooM{vrUQqFk5_8+|hJpA!8TYYbgVegmc z=N9~GRlsbB+>?>U)QmyGea(+B0q0B7UK}+Tjl$^x&tTsBOM5$jOTF8x4BC?oo8jG+ z522D?HA@k7!QxOqap^$wh+betyMJp$Syr|YK(YzW1JG2591Yu#h|)4p!TpsEXf0 zNh_UiVQZ^;5$vkl#a`e^2Kj{Joj;rN32V!_;8)2Hy(3tWs`DHnAt4FL{&&meTOnry zxTs612?0KSGDN4JHX$Z~dgQ%R8>~OoQwEEuh0(_v^+l0$NJ>Z zb<|5R0}BuiNdbC({8z=HG=jlnvr*&m314(!1mo$GJND+P^|fG&Rb)`fck5Pygh8>X ztZf?|wlFPV=o0Eje9iDM{51k`Gqe(?TTC;b6)KSNZLkC%Lw*hBKHb5^KWXiX)K8mM z=9*)td8}{lobFwk(&xO+sQ`~&hTjC&<&0D{CP#Z4yTw`=Lbnd>b4DFk6hLZQ>#?1|5dmeh99q4nhJ?xBN7eOS zcFA67_^xIz*ua9**vmSBZ4E80J4BD%-kME2+`{gxwk+ViB1<_dosjwS?%liK2c6xL z3xwMPLwW`VwQ{H{Zo=|>=*FX>sF?nX4Nk7vRg zVj?dQKObKLZ*}!GS^^ys6p%hyN`rI*So&DW8GKw2Z?~lD7{!eQ!ek2bB(O z=W&=|g_thXM?CR!s|=(FUH4?*HheNBq!puutN~3pox>lx*>jpj_W4e-~Cem^qQL6WIhl8 zBj{n{?>+8kLh~$OAT0pA=#HriDjzS{w458fUw^i>krB9qt8QZD{>N>|+MA}aGh(-H zbd}OYzMM8w%d%FgMPO7moceb#5`kb|0q!)!iQ?{SSF7{={^n(1l441J8i#hxF8h6j z6yj=^f0|fQrjPaQ74`L#3E@CA+@*$sj_{MgyPY#JP%ug?wyKlA2ctPywr4tz*{_#TZ{ge5bKY~_;|L`ch9)x1wMH_8 zv&D>>@=WBTu{9XnW!B!sQaf5O<$<%2p3^7D+}>XOoDmp`K-&BoD94+?hk#j8=LKmR zQ%JPUJnr%-`wFh#1ZzB2SM{AX%?A(Iw=5`=uTk^`>g#Tf8$l5fWuvuI^p5tkpams}=&Z3nSCf21T+CYYr}1^}uGuX+v-&?!U$S?hrKRoe$a(@> zseM;VdSCazKrUV`V8oY}p0FOt#Fs6ORSOfiLkQE}+8X>y?Ah(qpdh@l0tx%(iZe7e_WjdeKu}X*adrJH z*0i!|Q)p`&Y!}lth+H=Xk?k0n3`-m9_VR1h{5iz4VxLw{l3hUAI5jiVIJZfw%Th`K z!55%T(GieNbAPo(L%xtBzJIwK1a ztj3lo7O0{DIW#BV5)#Jl@$uB!8~xz4z92!s`$s-gDZ@jRMk&^u;CLn;h)Pv`dY^fI75ZE9-jS%(S$ z)WL@qxT<(Ux{ym14@^xn=0%_kC;1Oa6po$fWBnc21~)dGip^m(5d7_61`_}C3|anbqOCo5i(@)9TOhqw~b9rP%M8vHU}4k5*r|^j@5^`vO#ay&gSDG zm@SiL3+Qj|=m;YOK`a#ite*td<$_28k_oFFPG)8qE8nCc(;whOXWFSwrhp~}<;1K0 z*_9P6PML+}GgRj+oZxsP5Dy3B4?Wm%cFokmnWbzwh!h&mjUvWCdNDf)2id&x_2A0y zFcCBGw3bT)ThLhFF@;SYOly+eAmVHo(Gqxb#B@9*zh>;2Yx_j=ZIBe7@iE6(eT<2X*>UwD9F5;eY|8u--IRK#}d zt|&y`RgO5d*Aymkt`Jo?d>gn9&MO2^vx6_*=A9xZ@8$9a!}>8g+6|!3t%)-kX5LiL zw&=JHnbsw1qb6s!oyGE{h!x1EYijY||7!(Ibs=u>g8B`S*0?!83z`$|%QJIxt|Q-G z!Z`_U5%i6eFM9y-NYSakm2qF+z(4|+lpcQYV2F{EA(&V;w&cDbquix4=g!p)t%K*n zCLh+)=>0yoYS)hfyqoHy7t$aJ#E;P{E-Ym8zRJN-T3+5BNp!nXQ}eg@u3mi_RshH0 zEQCJ<-m*gy&kj9$wB&isxXp2+^>cSVY|sam7I3Bj;CP+@9|!`q(zV32X?b&}-X&hy z+qd-rJ?l^bd9)PgIWR>Ke>hk|#~j)9FG6}=1VN^O3YU)>VZIqTIs5SRkcgkXb7kO& z)!Fa{Bfk1y6p|+b0a!vuC&fkMxicB=0D2o9@#`kgj}?yW*<$M8S_W}f2bHyE1KmlyD0ypxY0zK$4#iIvbF91H>J~=<(5z19)8f5)yt;I9l(X zfV4+YK)^hxg3HOt0caJ5sCPC8Qkjs=otd3Y&&YrrLOD1%1unfd7y=z6TfiBev_p%# zO#zr~tN6>8892(AAVvn;k4Z|pEGg+l+$Sjyt_ul45UqIszNo_t6*b>ezVx;Vi6@5| z+g8ALfGGK~ni?ztaH1RrWg$NM^x;DkKsg}=WLjhcI=C>4U;rSU1Cctwo|E-^+=6y&2Tv%7%v0o(ca~^r@DJ%i!$QYN zVDFJJax9GlRR2k-;X^-nU<1$(4ZI|*A2 ziX8?lzs6TU5Z>t75aAQ_U#JD@68K;r_SNDv!jt2Zh5AUiUJTOALjlSA{pm|G9qeWu zpS#;@YNnvWQb|GT`BE7c%-$O{ z^$ZM)=e9m=aT%%*4XGR_$0_-KW9 zkbzH+vsfIYy=F!OJsVoKZD1uq;pvT31DywAgP&d# zw6FDfD3QQCKr*)XBZSM4&(hjoep2D4Zp*d>OR=r=7EDdZ^69kojL5GgzQW%e1EwD-8DFK=RithkPf=)>k+6VKwSyib%F(i;Ix-(hV(S)QTR2u2Vj`Mnt-p(5A!P^U^#Em@{}dz z1%w7=7XY8Cc}FXPSX>2Co}8Qu6bj%&YwAMJ zm1r*8P!MB>();`Ow=ia~-+^)yHQC7G3r$ghXc9-n4n2#1LMc!VZwm=txB!6(2rRfD z)c;*yf4?kes-vX%0rVvQ$gTvzCWxlHtYmrilsgp@PXso?FonW;f96s z1kDGuWOQ|hzJHJZ<##c#JhX6q;m^^H_^bov)AL7(4~@`d`tMLj_zrcegSy9l*cA90 zusD%$lo%PY@!y31f@e=j86386e-~cGRN%k=WnW^#t5>gwbiJu)$;q+O{%ktUJ}SDJ zWvE|vQuj;*JLMYGI@YcZH$~gEx1V5DsjQ$qUw%~NR=(*>pN?aJ0dNc%Z#=u#@aY8H zyXp8}rw_g)UN1J&O1_Lt&3^QzYO)^e)B5JGTjKXthHympdpKV*TQ#-RmAx-ihjQsu zAFUUaef6VCNK2}QjF-brmRR7R=FR2+M1-t~hb7_MMgU+b9| zot6^PskAoLXPvc^;Dt0S@Rtrs8UAeYg6n^Me|J+j>bQA%uXsc6dO5({|8u zaS53?kvV$?c6PH!FT!z79#)CpOQ%??v(P$xsjMfkKd=WYZu1{&f%$@ot9*!E<*aXD z(XOI#ZIVQ??JN}tuo=;+^6*qLiyto!7W`V2zK}MpA3S#8dIrC3tFNnzl5dD}+7!3K zcM&W;>SM&Vyy(b3M`8~D4`6?=p1q1@J zvJ`gL&+T`1GnHt^#}b?tuX4C@UAlxE^?5^UWW>6!P93*Ti=VKyy&Z3xt6S40M37`k zA4rxL*9-Gfk9$78oky>%Y<6M=ep$!Cp=@SmlX*<+X~$LFT15j&4qon4<+kFBxtI@z zXn>>7IS8K@bFvK9t<<|KT^Zne#e4m{KtwLD_5(G$)sN9HWVNd*Xy=xzib`3{Flxqi6HFMM?3KMr`bSXC(>>(%umQdeb?SSt)ZEMNM&Y zW!u3XU+wJX@0e#~Qf94`xj&WUU)yW_>F>2T&dKSCv68h?a+n_I<*~;YGS_&&85H&K zqq?z{inc&r7Qe1P7%&SX-`I%D%Ien8i0|IZ-Pv|8Hp?%K6?Z$}FL!Doo878g-r!F) zNlm#H{Z&PUsC&8dZ6A$|QEhEW+iJLT^zio~+6F=}qp?yO-`G!vZWN!+yvJTr=eL(q zvdPsod%I1KoeshC?gcaMKWkGz$%Ncp7?LK{aGZ#E_>F6(aW;ExI?n`deeu;2dZ5U0 zc8DN_U0vQSEGG(GxvnqfyVWJ6qV|2SzBzW(``A&&{x6<^OC0h(hXmMBuC-2^qw7yD zap9bpm!T{4KGuPrH7P6W0W?{jp43Prm1UTZ&)Yx>N5)LKHFx;IY5d*r%>^Ssv~2E`ykZ(PsFv{D zi*3JPOs%dQqI1@R1K!tPeA>^}uxFHWQ<yR4hapsAgn01ybS|#;h)UOzhi@#&B)wZi_G`rQ&Fm} zUUH!_7jFq^W)~y#dcJWoUu%B6mVRp?c|1~*;J)WFz~?#bDem@tT7xFPQPs)(zTJbY z85NoeS7{Qo0(ytgwO}u7lc}Un58Z8?=@dzoAE^>%J0c0eaak+kg`=yTi6Pk7+Q3x& z(e1dj^c-V~Qm@&ID*2@z2Tl9Jd%7vi{y_v!`E2YqN^@>saLGX6env)SaO`rRyjbj~ zy>>H9PMNC#<>`)&`7KT9T5aiHdd+c?%uMB@tE!lA4$O9};SZ&9dcKUST-4$*GF>&E zTav>)-fL!&c&VSesGXR|4BFO?hn!e*=%9inYgN!FYwv2i3VcyyarRR`E)LOUv-$9*t*fVWW-6W zpoJR!Fx=3ghmFgfmT%n@xH>4!Iu8Cp%a#9ra?YPGn3XxfJaX#Sx!Ngp{8GPd zrg_&378*i6T=c%z@EbPQ(saAYFn!pMyJOya4s(s+@?mvcSAie}c!l|arir`{7cb7O zjkWBDI($=o9JAA4vns~y0bDz7rsDzVEkZf9%)b4Pa{6ZW+Uk~-wo1H@!tVX{Z@1JG zn}65uPV<{YTC!+4s?vTmwr3XhT#55o7Yqpt5iIz!EMa?pxZ{&`rN>l3k0?8@X2sYy zeL)@`sdot<+UVD&_+J+Fuq(~nf>HG(d359J*R~rs7MzadTH(3`1^%6l&HwHLvB<|*oGPVYsv#`t@K=Eq-6<_~0E61mZ+6cnmGx&;%w<<*HdR&8t9rRuEiQgT z75ZH%Q6+bcpZoVs!7=UbgDxz+j-ca&0`S|vVvu(4^-1RHOdr*j^*mC1A`DJvYv z_HJ&Xp3!J_*LP1Qlatps&TU~_;N7IOkQr$$x20Wf^3Qs0Q!xeXI~9S&o+lVRGh*k} z;N0Z~=OsDvT28`PH<$VeE7ix3&I?){XCjGP&(6s>(-#lN)r^L{_m!rFAstKoA)KqO zC0?1Cro?g3CQyR$9N-0C2+5={X8B)Ac{kATqR;gqG^;Z02T*U7HCfVTA;?*l_tw?%as;CEn z!ERnsl&yD2Su1t42~JBFy_2ea&7RC&vrC#udYP{Avwg<9#_}wZ@F-kkG=Ji6ySEs^oSsVOZlgF^C5DSUHGQj#+2DL&FpO@>xspUy_DQ{nH;=5c^<94tCT@};t z-V1&SV-R^XR!-0@FaQ)q;FzXGFW%Kry`@tF}$8RzY7v#m^O)7#fI;tttmLJhm&@sI-?eR@M*`m8o zv0qg^m}z+z$rDNei&d(Q=Xg2JXcX5iRnFl=N4;zwlh*QnP@b-n-#GkZSWSS@-m`M8r1jc(pEvneO>FU-)DC`~I4KtCMIf zyEin2hKuWq#O))9?WYmi-CQBOtOx{4Bd$C51S{kpKkyPGT1}tTuWfxov{hI~j!X=h zw9cOW()U7(9(+XqR=2>l7XIrC)<(3>W6m#@e2z4A%Od}pJU{<@U3rvPRxoU%H{i04BUFxd(@FDCBKEMc|to(w4OZ#fFnkikwv7r?N zb(T6fFAgdSiUAfAkvk-9$|dW!hBmq2eHArpFnjHmgKqn02Byo>GJ7J;v6Xed>ov>W zP&{{jTGNHu*x3~wTss)Xa_t-GH&E~RU4t<-P&Y8dU0!{iR`4l;ZR~SzC({AU_rJ^& zQx(X(%v`vBy%lm5f2gdVAeTbIH@6ku4iPIf7=>gugr3>ikj#OB`Rw>xPAS)lI$tp~ zDu{wLX{L$c%3!jMxu|1du^fvQ81M*!4WoEpiwU~e(Tzz9J#+$+3`b-=gj~BAU&o2} zo=)ZrNggOHI|p7g5#n$_67{|Ub3hlR-*v6wzFbcBnfS0bb4!wMIe9oaU9^7VdgRvM zcWW%2eE3Lp;hRsAdw%sfv7Yce!gG3n@4T*U?GW8Nv^Qj;E zA@xS_M<_&rC8=H~6wDc%QgbtKM}yNdD;ZFKL~2?@4q{t~+$vM)GSreH3DnvDu)Px@ zRRMKUQOLp9H#LP4nMcgx9=o3?0EhIK;9o$IoB!30|Hj?v{0|=^f91iUdxAAjiJ4yu z&i4X`v)>d^r==2D-U``RfyX}ct>uTo{$?zkEKnqXlMT88vs*avyQ3^k-}TsEkrAVg zn$1X6B8lYFotU0_$NVAW(`A8n4b?!$AEbFo>jE=EOs185>Ak9-LfI-0P&0cANRpsk zKt*5lzFcuI`aT}=0;-Rb#@DNlw%UV1|3pW7Lg7a4od1kzUg%@B#{(j+6T7F;47EXB zCN3bFh(M%C{)x6eD**853m{Do<*xS~Y|J*JH6>(2$k9 zDiivgmoXBDOR)JMPs?Goi$hQJTEQ1k&|>wT!06%c%c-i$P51-`Bqhyve465!@5FmY z-d5u0FdG%}Qd;ucF$vEJxz2PM91iK!9tgCsgerN{NBLU9#_qVJ-{hs&L>{(rtVR83)Vj37GX4%i})rM z$0?Z~kN{@(53|1t`mqm|*uJJph>yRm-gJV3BFLY5EnOIKs{sgCA8uW^;4N~qu!HY3 zF%_XuW;ZiZ=}+Io?=@KE=vrGo7QTf?z$h~ ztfry-eTc?xa<%yl*AfskbMwSF?tYqK6;f2(O-XTZ|7KCxaz?KX zibY+7`?YtfwqN}m6&Q_rmzBlH^o*^$?>aS%(`Ow(tHMizL1=`kHgo|7eh4q`B2cW* zUi+n>F!91EJ}qsA$h({$9c=}jD5w&KQjOtoND#pQ28kR!DPrLVR13_!WXQ<;froSN z?^-evYKnB6&O&e8l68^(6|NkjPQjG4CMr`?)XeLUHJs0$fAIA>+GBO{vb~#6Rybe6 zojW#h`|66&i#gi$O3K?QI;N6=l*dNT4DXP@TSx}kqxKCdit=pR@=ajxF%OkA53TM0 zB7>}mOqUS&qU{ykIh%}1q;m4_^aSjx(`NZkxkk}~iXO(9b$gX9Pf5UfXfHZdDU^;D z{>Q_x*1PSp7HDaiWMq{1Y6-tUr@P`mhZ7~5a|k6bdt1gz@{MYggpOZeqYcfPn2_zx z6)$mpvnb>`ReUm5RB%!{?X_62iK+hWaslfILH;ZAA=wQr9}j%H$(=$jdH$aPd zIvrF6g@o9J^HQLLDx9i)iZBEFKlez~b0aqMn(#<`UA9(X_V+71m-yGFhr}UHMZ}1W~-ZevkOA9bcfE8Is121cCNLX?Z_guQUj;~kTcFmOd~Nm zNV8ayZs+{q8_*!jYA`J+;f4)vb2z0^s}?s=#513*EiJ8Zq2@PBXV&Tg)5#Lm2rnj60Fb5wf^Tn(MDkulsM!k8?O# zj?wm>I{%>iW8$!(j9S;9oa-&54_zQ}ypG$J4gfF-HQy7mDccXYY#ChkwGyoem z0JUKmnd4UP0Glf_4FD{-POt*EYpBYj9E0&PGD=SJKlY-C-i~XV?@}=J0aw3Euc8ecF!5QTjp$tUy{oQ5>|1#Zx!aWJ zy~6bD?3ODW=g!5OWJyx^@Y^&vg|8T_;^4)!%4`nO&hdY$CM@%t&8|vgmQHI;2m1uI z+=)pbf8Eaw%~Qx_q1<^_MGE6n{%Vn&8QJVn6ydF*u2Z=|pX*K-zrWe7 zGu*M>&Y=P?V$h|dGP9jq5Qaw`;1>p@o%HU#{fO_0Enafs7e3gUyx0EnQ$UHoha|`P zn;E3T6KoY>A6G`SWPPWDZe4iqKz_!4ZAt+=LaBFX^f2Hypo(=XGaTfQD&0_0zkzQ@ z$Nl62$n7BR$;i|IIJ~XBeHQvm>Hu;Ha4Z14nM!0syr|*e;%ca?lY8*MeREy|nDem? z_Vx^d_qUb&ashre`s0}BVoUsMkS2v%2h2~Y0#5lb;-QMlM<_2vMeTwi1)fMt-9bKT z*j6o+Wat~3qu|`}v-J;+(|%mAx@CFx?rFnAf@)c<3STYjYv!Y8tR;-q4dsS(1T!ZF zOK?$H98T5MS6>|qy>g$L=Gjc;){Q$%5iSQJ6N^WWOVcz*MlNmTPRF@5i(}lx=zT^} z=v3Ip!+TT0iI^z1_5^8vfIHnG1>W7kD5cj~R1Eb@O0>1>=o|VdL5m{z)sp;D5SLXHa`*xa0!=326AIe;r=Ik0Vtv>E)OKbjS35zZ}#y=T*P1v7nfdZI|AK#1`2 z>sK~=39R6qXUz#3{0$9UW$Ux{_j7eMZld!v$G#si;+o=nB49C9q!29% z)%0W(I)z8e)3_p=L5LfzUSTj)A)cIURqkY^{v^Wd{&b_LUbCAdo!fo+Y3$zfjUR9D zoAb?9of+~=5(_8GQ{r?=pMT$_l8oFM=$K{o4&EO{GTB8}Gm*S-rlF(b)hsZbX^H2n+BO)_Q2d;V_S`M%wG!VuD7(X+&BcU~`tL@QY9#l*!k~(k=z&YpAWyVe=G#RpxpTaN-BM7WE;l zciuY8wCICC1H?hZF5!PFbg}1UWj;?a0Ozf+TQ^hkB!aQHV0}G~&^+6_6l2(1YSs`& z;LR?hiO@)Grq>S3yAOl!`ox8ctz0=VVSid}=P_Y^p4nszXS+GQz4arYQ8X5CQI9+I zRwSg`!+4^Br;8dnhQ_7wDZhS8u7q6LYi~wk>P`A-ow5hEG}l*TwYqYHbIfrROml*! z4$Cw_Jw9VfC`9XTRI)r58R%Td<5d5cm>j+8m9zp9v;H_BheLc*L`oo;(G0TjOX{y zyS=@(M~@;#a<76choBzdAAErH1!D`G%`B~AYru0rd%plA&BIDy3g?=&rvMev!hLt{meW#Js%jT#lNcX20KPgPi(4#*uskOEoi*1`v{FlaOj>f~oNi=Hp~081EG1Os?0 zyUXO8iw-`n>gkjZtM~B1o(bk)2ixbwF;HQ>5ZBh$Az`BDURSE_&eIivKrnt_MuF8N zULzCf-JidUdpVa)-_(<{(kL|5pLFU@E*^5KH9QD~{@p6K5Qu%hb3|YjT%VoHdXnm} zdhTYeviVnn&lh@5`YBkb0Zv=MVz5jln0Z>;$)%t7jV%d`nit0(F%x(^tBz!>na*wu z9n2&`;x*g(Kkg^-hG*{o?G#V^`a(R-KOggd=?9=gbiON_TB;}C%WL5Fi$04jy?xU9 z94+BRZqO_u&N1=wrjo)BTw(QgM51b#j;2+1Sq%gIEkh+$+DUCd1EfSA{v&Qg%IaNZ zrTK=cXrZstuAvB)Q(?y*IfE3b2~B}7k`(d&!e4?L0>SEiZRS%@>&R<1`SIq%9WpGu zdZmV2aa2E~W05tn#}N0Zj{PAMBR~{OB-3i&EL-ah)evVK#;QB6WE@f0%z&nmeQn|D zV1TSQbN+vbwJ}qpHbs{DVeb4DOUICtoAhqK|dtLfBk)Jy^is= zAI+@Z=?!7QF%n#hBDbur8`XV1-7a~GbwaSQ%Hrt(d>*1MVdQTaei_4j&Q2Kz@Z%pA z`O{(>`yKFO!C@`?X>ke9M*{nkli?FWrc|hlhzlD3PTsz{=eUfLo|jSkadIirrADn~ zJ}+0t`VU5b4An85FohRx&?J>nlX~+&$9DF8j?NgxF~ns>O zweF(=wZ2^Aeut!cNIm$tV@>Zk`Bl?_tBV&9m*o>>_Pf8a{yUo>C{EVQ;50Rh^$;^z zuaIu<&I&|QJWO=3?s9mpKaKM*+cNLGL0nS_umkj>z+?oR<126UX2(e3@EaHV> zX!kX|4*^g3;)NN+H_+MimKkj=uKM|v+&R?wM3XdduG<0~-G33uMZD3*=aFOXW&pE= z5SNj-i6G}geKFHIHlfS77hXwGXgHLZ>H2fsyZX;+f`7g6e)OMGT>m3~@ZuS$7jAWOxBkVN!av?WH2ynU zFElg2d~>N~y+guAc=!g;xV20#|K0g7G&zY%6T-rOrquns{C{@czWnLcf265zN&Ra8 z;nx5A0~iFv{|*Up6#jQH{27J+Ym4DA93^K)A?ES>dy*_qT7Y)$z#oavDyn0-R8l>l zT=e(fFZj@U1mdC4sgup?Y&BT6(TrRQAntlV60?D{=US#DeEHet%KiteB{zn@B|9z@IOXz?8DgFP%MAZi%Z^Z~~z}v z9aDL6PJgLg?II7JauHnULPh8+;8Yo7Os+*g;S_+B&;9~EJs^T3c1i#>;6?6-{DAB= z0;QD6Nk_<(0{g_aHhqU;e()=*c9q~J6vi^3bsBZnJi4G@y-_p}C)jB7zMpN8yYNR5 z0AX_mmCFpbUVeRTYZBj8_xl0Xy5mBz>c=UosOs2cwQbXdT^E1|a}TOIeGyya?hw^* zoGY*zNHfW-2vV?z00Deo-$$8bx@MplCL;#Xo_R=s>jq6l)n`AyRkMbgCJlba!Dd=p zla~+q@^5c-nZ$H04(wfF8f$)Z1Q5#=Yt2ZocaU|IAJF(r2YMOZ>Q$?upzc(|lw{mj zHkKW0!M@O2b#3tiRU7}@bb$nW@yM&=r8?vA_Y3`%Ud?V~bj{j%hW2s;8W)}kH_zE= zmM;=Sg{|YLQDNsz7vBbg{K>dvb1Vj2){^{NGa=n$y9tY4sIGGwj^-P=M0;wURN&{= zhfiMNfp!wkBSSDB{?9rxw>nK6P6iMEAh)k+bSZl_98~i9+vqM$jGOWnZm!#m3iUq9 z5ZFps$tB7M?-ca)M?oTC5b(t%uR9pag**y!wu_C*g{zs4QgmNEs0h=ssmn5Xh30Fj z;E=ykC6+iqBXL=2`1T-{xed8UBUrotnq>h228DSKlEi1bf?T$Ge*1vPU+g1N4^Xl71y7+7d*2k13Q-2y*{6dmkOC z%(rOTAqwf8a_B{@S>`zyWE6d0O_m{Az|=_IT?xkhqBe9>w|>&^?fr zmIgr+OVEG-^2eAWiC`Dh>jBx%@3p_Dk#C$VG~~Y4G>!K1%qlg1ry##y;xg*rDw3$E zmN+%|HL4&pyi-iPJ@|Tz`=k;6{$^Mf-(dE;@#=rE0A2^ao}$DsSS1-KUjuX>Ix##knmbyNh-DRaP|xux1eif z5(tj3+YoloHK0Vbpsmn!SfE2Ont$ENt;~RNtyrle zYgZ2-V@*mm+Wak<`lZv%mi^V8qEA^ox=2UEx(q5Q8O^CClLItG)5&oP)xd>;(lt<< z0EE6LX}q*Q9i%2D76i~Jk@O;-er_4Jx<5e zY@zntiFAK3{BDm{ne|%zmV7a95Oa|@A?K~jezDtL{U*~{{5+n^uiKky&ZHaX>RMYA zt5wT%l0pMx*Zzt!Jlv9toK?WQYkAd%(sH2DF0j_7tIx4pg5M4oC(i24%d?gvk&Oy= zN25NB4Z4uYc#2qTRS{Udajs5yv;~F^LSqD?it!xeTlEIc8RVOc*A!CM_)x8up|I9N z7Z*i3o<-C1ULE|xD$bwZF4+AmHhDJ^03CSwVNzCsx_V^svW1l$554rOXPpgZ!xdUU zn+R(wq>Xo9sZnw*xcO5vuy!FmH4emwoS=K%($Fwr5w*6qHm-QIP!V#6Ku-XYJH5wQ ze~`5Tb_68BOYBwEwZa1XDz=lUqz1E6tlYGR(_D(F+8_@1dDhir){)?LPky-4(1N8wRyO0 z+C0fic9XQHWJz6c+tkH3{w`!=WA*lTb13&{*>MRhn7sEsh$m_b*JJx@DqG8Gfpe(D zrFO_eZ(&~83`R@vu9SS>*^W6 z>bo0*GVkZjzC+5OZWXyV*H|+CSY6U(JT|$%=nd8JtvOqH4F7o05mnQ;j|8RHm_D{# zY0}Y^bbeiqIF`Sw;OI%+TM3mbb@9?XN=wU~u93#l7fZ{EZOH76WvM5AeNm(nTP2QXuiVoojrUZml$b{OBPraYhK?v&4OA$T>Tgyb zi|)1#Mk;Rb>(8!En|Pg(y2|+*vy#;guOX|-e#x-MW!l*InK#w`WVS7>?KIJ3`h%nU z!D6xR9D_V;8AU5cV{4~|lJRdQGaAdGrq>LAm6YT^mRzb>QxrH0TnW%z9I%C~)>)C~ zPa$`jaANbp*oI4}bxfg2|0_uRM)Q9?Ur2ncw-rItsU{sKSS_`7WCk=c&`MYMM4d;T zlE&j^nQ&3%{?*8h^`O?Li+D0PrU-l3^*ee~rHcVoa0+5uGHjb2J@DRCYD+ykK9rKg zv=;)Q2eJ5jZTs%#cgJ-!W9d+I+m^i>=TVle{N7*O8(zh_75!pLjfxbq(j<+CPBO4} zY)uaBcY|6|!gr7}fog}j@$@c7>u0m7S@E>vH*Vxd6-e-Se?irLAe492z~5>J*h`bL zW-7lnT|wR}q1#c2F03bK<=%ZR4Q~($i$5p|bItp?Q!T|p^kfYai9|nJWtmB5HiOjm zIQ!bzpOcm0lo5|M3gp&Mk*L~H@PO)YUlwDrr?yLh+Hze_yVRktE zkYvm1u(XL=nd%2rnqV-R=KJ=P;W6a!q8s3091D_DTvJK>zLRTP$ML{baBONbZvX6>jogqTb(0S#{%LQSwXA??-&flKjgcpUR*q@z z6^;v=u!7jpmOWJDWku$+C^`|fH#}i1{y^|e%5;MJnH>ilI2o-gKBZrMs%8D!inkn&4|`% z`>TU_$n(#H>tS3OGv9iZ>Zk}`t2J0?ZljV?t1JsV-vRC-V`f;OUBdUMST=Y+*aBqA z%ZJa*efxf-^};1_{zdNPn|D$3FJBwklB6pFl*xM6?U;8UnB!E?5nLeyex5 zMv_dn4Fl&ci(lgReyF@y8-X2t+WXz~eaI+1_hW`x_;^ZY5mbxPf%Y8I4{WQ zy`0EGxC)|r-c!9$9i)MJ#q^Ndl6d^|VZ<4!e-iee)fjHtJp&O0(ox{GN!A_91%ftS z9kZ)S+)cN>`#hCS{v`(HCTY>gL)AeD==w48#RQ1Ek>AM;s2*r&~Xy#`e+a# zAYpO;0y1{s)qz0V^KUN>rNVwlW!ZpX3j|e4P&0>BSkFDFXlDo>ltqb831i1|8zx0+01_ZOyWW(%sT(JO@ zWS|r#>ivAkWtyB>j3_&a+5W{Ru|4t{Gzu_KTnpV2tHED00{s=}yXy|b|8Q=Nua>=E zfjwUUL}=g|7Z17OG)!V03&fTxw}w7(s0@LME=&%T*k-|*-G_0*&)N{x2UVVHTd9!OLZ75`nsQ*N8RCYb$=+*D?ulkZS^ZQmgsg$Y3RvBDXQ zuT%280lTQ40n{$H>$!5pV07S#q56Nv91ot<{tC;%bxvhyV*^7dve5yFW*8Qt?4B3C ze;8=8+xnehoL0kCg#O|EO%TFV0a@z%H9+5nne}0Io$+OlJ1b=Q#MRZ66dG3HU>62# z&i3Su7h?zuKXo%ID)vB>XSl@HkaQFjD)t*y>~FyM^6g@aAw3<+r7q)`{L?)Lf9)&C z=E5on`}8TP=+mc9+&X0rFzUhLn?1DZ+Sg(JiDEty6QHP$8nCVP+Nb`d2Od&Bg2{i-y!&BvoI`{8M?qd?7^PWx-S{4HnGWo_Ve3w=}^2J zw8x6Kikx@fHPQgB+I0;8O!&sRj`^}1W8-4`^j9b9l(F+U<%{=eD^ftRp-Hei3)rlM z{Xne;nWEL-mx9IimVX|sD;=zJES*NYi~YAKXkG%^rs~!xRVVyHF_%5jbS*sML# z;hkob=Vm@ydK}bCwC(EHTAiUXE?Wf(4ebd|>ZGGJ3^sd>`PBXcxUI75LK9^{~r`Vhhvj+{UCJ*^Hj@|Z0lsP41ex`VkF3>HVeUwbxKb?1XU|1``F(OvBK>-28b%=0;BI0gqedNLF ztz}awc)kL^Sf0+SUJsgqjO2hC17`ZlZ0Z%>^n>Tb)uy5(zJVV;kZ^To+|r+W507m- zUX!g^I2Vf=0_Up_UZ`p%(B>{)49pgk(;qP1FsObfxxW(J>I_;dL=Gz#7wl>+^XBZt zNRa32xLgi{FGUKAT+SmU;by@_fW76on^X}t`$P4f0lB$#7RXC?~tVXzU`6QM!u?>k_Y9KjIEj1xmJ;_;GrLjiPI z;FV&cyiDN)gYzkSH3_UKqnPt^FnHh`V>}6QU@af7O!`Rf>4Vf|Ya1wK@5TEt`_+IA zusK*<+UM20&&R`)4U!bFHD>{?w>}Rdm(1jk7V@Ahn_H>2(+QG)DzOod!{0pPym~c4 z(rX{KmmMyL4On`j*Yt3WBXd`qAT z+=O9QTz0!6l82u^AJ%K}pp#aHu3B=(Zh#)XuRGzkd08$9V=3O8~Kg*8l+v;vw`1?N3B3 zp;r|Ty>R}wPS)`R)}qIJUTwn45lXR#E-vK|B3Lg1PRVOR8J_;&9QpB6XP1S&)`We; z`vK(9k))xj$g!S#u$v1hme67W>w#^^6$I1(tg|NCjoY+ zbsOMMJX~C45ZZTK4V{L~npJTCI-4r?7s#1J*G<{kPVD0`2jy_kg%&dod-QG(2wbaWYsFGNsO(`9Jfz;TADMg5a@Fc zE+L!^1=kBDW?|2S_VEkKs)JNf;&*`NBz_0Mg#;~7;a>ivqIff`VYSo}pie~GEZ_-# z4yD%N8{&|$C|~re0dZk8cty5oQiRBVz$MJHKu;;Prg*@vAp|)9nIu_a{|qOAlDUjb z0L%mpunKmzfHp_4`zEmcCG5r{P2wWY=RV0B<39pE+d}#|U(QT1U*$Q+M@wTMG!A+| z_U1k?>GV1d%8;oHa(ZMC{_&&z#Nju!C>Dv`nM7EKU^^a6_RfNkKL!pTK-MsozMHOP z@nR&08nw1j=$xrN#siE|t7by$Za_$``y^K@Q6?JpYETXFjB$PHb+F~dVkM^_DFml^ zhnv_cjjC=KmaS8Vj5P)|F7Z+<^FO4gf?!VXH} z8MY8z#mcDc~#N4z`_`W>)a~MYD zQt*AjOd;!mC%U?EfUCAY`MCE(U32pyEV54~pw9!wJM+eKbBg$%Q;1APkquFht(yZm z;*MR=DDmxzcLNXYk1eL=7RS%$w<^mj9+ydYym*l89)f=ke@%4I05)6-t}ghQvI<$8 z$>vW|<6O-{kwl-cegW{se#g@{&fOse#Q=3}Tj})AOn}>HhhUl;?96MT{I(Ud}MnMGMTn z>4v131E;Cm{IT3rJtkUUQuaRjPL}q_Ol}t7oKmEL=Y>V*g$1c{0h}(&lL@;nX5v*h z1fzOj2&tq1k(KH8-2zSsP#y`c3UKB=mJ1tX=4-K4zuI@)1nhDX0h9f_J(7f}9p~l* zS>tK`igmyRFUjG2JNw2?p>if24}8OUT9VoDy9K}| zmjW0ef90{ib5fVRqYCb@G{_)j+VVwzN-y{DarS!|BOqSlRp3F?$1NQx1UK{Xs3GWS zq1ys{=b@(pcq!>Va6G9h7STw}fTHpz6F7TR7axM!m$vp^gw+PV;FG$55-(XO>L{O~nNF)Iw&&i@wF;tzrCBKGvJ+?cmn8NiQ6dKjsv8UZe z9y&`~0r|B`=*0|}%0EG(3bL0igUFtO>Sg$b$@SmaU#FT`wfofhDs zLd+?e#TB+2@VNA{DXBiVR{xAfCtL9n-X@r zF%+y1fLs88k|?J|I9{^VbBC^Lhhlj)7Ntnxrn~F0N;fAzQHLBtY>&}Ym`A+|%PuRh zVS!{!5|n6OoS!-CRSD+qH@Z@w$?9=WsRwDi&h5_Ovl233(|(&pFiHKkvU`-8A$oIb zIovT6@InP0O0u3E(@AoILLdxgSK#sJqp>tF1QO)lN|7GyFCBPpbgFyh@PnfE^*ME> zoepr95^gty@nnh#UAmMAEoY*X0U9f)n$uPS{$Yo^VW_+$IMBxCvo+8nU>LHNSh2MS z>m6{M?3E53mV55LH5zSG6={wd1Vcsi?%?dyDShGi>`)$9j@HXs(BB|qRWMV#Lff(Y9E4GLncXXt{ejR*Ir^)uWP zQjg6iM9C1(0esadKs*bcMoI%oN-n2#^@l}H#j-!9Ij~#Db=)!B^PKO8nTE3afbdyM zI;s1Q&k*9@!~T+T>cIqX`h$*xb|K)N(kr6O>*e_>3*doG+1l&# z#||OtLOf65zpbqC2&7rL&yC)bplA2NG1@Y{^LJai78?HT#l+g_<3X{K*FTHi4^@{U z#oz~*f(Ayx8<`AYfP0=J_uRvb?2dvm>1&z(JRN4c?Qiii;|Az$4~nx4#6!qKUm>bibg$AQYvZ z(M&5yafcL?w*rpCYy>rnKxdMxPSBwpI{KvQ`i_TlI=`VJdfJyz5dhwW06wvS7+p}) z0CV(J`kEMf*t17m!7&gGvLxw*e!5?OFlasA?7mFX2j}E zhL6=*55K9da>Z-CwWHTQ#eHuDR9^8;IH8gCc09UknqNuWd~cg_nhqO*ME&Y3RIsyi zrE@AB{UFaLhR^y*N2AoM_GmRad|zbzqtej9_PByp@l>&8Z>36V^xIQa`)%?##+8o_ z5D}EjwxgNEUH99J$inzC^>RIH_x2Qz?cCujo%pa%pzOyu&$dm=1XHlaz?>u#@I(i3 zTSZABQan`$r#23m2&}#Is64;LuIy6Pelt6Z#|@N|EonR?#s}RTG4p*5ipaHP%5D;B z$tTxPw@LL|l3%a(PhkXiv(;rP%AODX0J|{c;qSM*S+>{}uMjOL-sfwq7<-dIFhjd* zS2(mnvNV-9mbYv^lU~P3`E}M$jMdt}N369r<~k40LOIHl&wJUY)=ScJzFL(_O?-Lg z2)(xZ4BvaGqN)r>i<(cQ{UQtJ)~d+TCAeDk!&zK4(w2D~Eo^#AW-2~-2<#+_*Tf1C zyUB4vceUbnmr^ySi|cKoCD)5^DkdNS<~-ghoPv=wY;L^y%ib@a!FWre5(TG-^=_9! zb|2%uJ_E1~90?s5N{CuHrV?G~SwfuwZK+?^Gsiko3 zU?uUC)X@{OA878LKl(|AO8V|R@BFPV*B;I<{y;pYp*>_a`@uR1dHI-}@=;H(fwPAF z49b$j!?KuR@%^$btKz|;t)l+HwKzUeQBem$78dl|x5s<12B!B6#M+03ActWe5eEYO zLe96LQ4DlF11)um(37B%H#DyR!EzA2g_qn9X-)*K)QE_) zB}OMsoB$;@U=KnE6o)r`eVSfgUJ*oHL9-WcfuJiQtbXs_?|}jLPvy*K&%O%?XoQAR zSS%kWr-89C^n%KO+d+#>=!;-IIb2!~H-XeM_&cCx4*g=`BtLWJjEsy77@iV3WhJFx z=!Ws_8v>-jpr5t9eLl3Lf@m8QEP)l%dN2g#6zI|gI`tM77SMU_iek)fpq5;@Vr*{i zM=(@ZRfRhj78fVp1cdz&1W19VWn}F4xqyZ)=mH-{L_|iOAS3eu(P% zWxwCB7E9@^8IUT*O#pSxoOBv-l4`CgGDV`=Gd#P?&1r^3if+ zN#$7Ir-=!opu$luWwQdN;^>C#k%PFlvB0Cg%7Y#bMT2LuE-WsDvWis0c;Q~_=ZpIr z7AGMkm62mbDQ{lsHd>&Ms^k}!YSx)v@mytG<@Fv93}B0k=l%Ti$g}a}ZV;-eael5z zUR8B9(^E!yHHB~NpF4X+C``gWmEdRy?Oq`v7~gDkcy^HTlG;*4JH9fmuB?&_mFgQA z)~mOE#Kc67c>F@}1vMS>6PBkh1l0^SxZ>9tJ5Ws>m6o@EEq+`4SDwDQ`j04)=-6u; zj|lg{1A>VR3m&_wC**(bZl#oFXzdC#Vj*zxKYyFDbnq6ruJ8JL1V8i<0glzmOQVtf$h1=UUGur$qmYUBKB08cdcb9f&1&2BX!X)%25o*it z=1<-5s5E#xZn;%Va;nGf@b*!k zGLld83;FpEH+2eE_29s0+}SD7@_ z-M48b@U%UdG?$lmNkbzy{?iizf>J#J^8X?P3eS>|99~8{S71{g5PlB)V7Jf@kNl6u+XzNH8nL**a2XQh4=-#3>f`_k~4}G z3mv`g-6`wWF&HI4|8aMTQ{hELB@c3Z!QFF)CeJd z0a_qlum=+~a8@_i4S~EV2)?YK+=58Xf?u1^meqXwFXClvEU<_Cs0QLQo-LAQojIKc z-BL~SCV;r{cvHt4K zLhMC&TiIFZC53o(>C`yQ&GbC{AZ}gpJ0?9%NYjZ5Pe{#9jiJxd&T2A_&f!gB2J0?q zB)|O2>6agV^97v+#n|?*w>;ZinV6E_8U0|EF5rcVsJYm)6t!>rqt>P0nic=Nll9>p zgmS!^jmB3(3gmr)S?Bu9f-K3pa>2l%nfz@57LJecHpiY8QY}zJWfa0co{tQN+VecRo zLl81gPJI82j38eg)6&wy#IqXi;V8o|eGYy|c-B7Ni2N1Y07C{yp+)#X5-BB*y)Gpyu?P}#(W-p zE_HGG;_TP>yU~G<2n0D3jeNBeyHmTTM6_Bn0x?gVXjk8Wjwb(@2=lZ)TTuFQ&1V-T z7Rs5I;X2aGVa|hcWWax zKXW49rYf_y-<^KjS#`Vj3l4T>9j75ShG6IQfK-Xe(r>gBk4~6{_;pdsrtAZ2f>Mc3 z=Y94V%fDbE6k>@VGxN~O++H02p~_EHvlXC8i2I0#djb>ltfLjb>@m2b}#>favVv8uV_IbJ$6~a}FsQS8>QoUsBr1L)y z5HBX1AUn40+$cKZRae-NH9%}!cSQb)@l^J_9Q)y=M;sQFa!K1O(h z6{_EGT zg^%|#8tk)wbeiGlZdhU!3P$vXWBnVri|88~()j95xUMT%KFp>)vFkn0Hs4@>c;hnD z!^~U~Z6~Nv2`lysgW&9-Q_`uF(c9Jm7**4^}@ z{CFN`FUmgp8?DDT(bPzYHy7VhoP5~#qmfOD<^3d7S@{mnHl=ND@c-PN9B+QjjX3D` zTtFZ`28qcv9#Fq2%=$U6{afnb%?|+&#-aYwx|;ilzi~+|QORS9>52a;y`;39ILo^F z&Q-1P=}~K5p(3Vc8w5rj%}eTve_o&Xgt+?(j?~!*yqj}h=Xfb2vVZWw=Gm(`gr7*X zcEF4_XI6G-u3UpVudG%`k|468Zh866oRrmixc4RT&QwtE*45Sd#?I%$1%nzdsrGfJ ziPEMzt9uCjg_B22Cpho+3C&E>XKQZW>O68_gJWTEzJV|me`9}Z!sj01mt%;xfR2uC zwH=;x=}UX_=I6^C+s~hsbPdv%9r8Ds^D{9$yM6K0?qd1qIRattc9ZrbyotIf`^+v2 z%y)%_k>$Mnsd2Edu;}RWLPPJ9h+#u==>rva*c?{@jbImm>D&2B@GkdPqrfxQ%RtzEY@Aq^3{VhRcv;Jn^Szm>YAFKW~8P@&Okup34-glFgG^n@xbfm&oBT?WM;0pI8whUaA&#%un3;TJeXvfgVU?QcAft_b(YHWnV z={SYCr2*;TPjBzuQ_9Ch^$5fxomquhG1~kbQJZe1lDddgr!K87CaymBrM$X@&qB{E zEK+(C490c9fziCK=9}YqrU?9N^MPUV7m6;#k@BUnB|ciKj>l$fqjG%S`GyGxm>vNl+mC*}0S#&wuWm>J0!dp6#f z%N8+NO{kZi&s{!3yuP;<+WvLaZ~9fW#zucHbj1bS2@*xpAFzM=7Wzv003(^ zuG7~iV%ZCUX^?s%D0t8u24F;H9i??)T3Q+?C)`})qL&T!4-Q_!SynW=@b~X8P0QSz zoDzs{XG}&QpfzV7o}NyD%=kGYCp4SpNZ>G(?YoYas*0C(9@ zlwxdbTtQglzMqv!evZ2Aa1}P*Gh{RjIe+!`Khc9!nyu&f zrhDDVe~TvMUBS=&9zL0Q>$l$5dkMbUDc^P+;d{62QRrDcHwxl}6+F2mm8{Pd}bEv`#QAe=6;5bl!I3E|qX6RDbL22(iZ?wl!4X^^BUDcrr7Ih*1WDnn3EQucF zJq#!1S?=_B!gm#A`EqlPQxx@K@dFy;b28OBV%KtI)e^hM*AMaqfP3eN8rmN zcqz#B;srp(tTOa;bWmo(e*jzfy`p+%78b?UA^%Z#0xVYRN(DSo^Uhu_aSyf~7;IYqWdXl~U zPzVhjH;cagD_LRHiDR>_nC|gAm#GjOOz|qz^QhoC|JBC(Yxbsws^|HEIhTa0n3^5} zj<5Fr){I8W(W0~q$~db#t3MtQGyiUAV5r#ghh+Y5&fm4If|bpL=Bvt_%4#-m3mb!o z&!xT%dX7>`GIB@VR`kPH-z5eNO$=<^W*s^4`a4}iY`ULFeXV`=G`HJLVCVHC6*aTT zlX1R_##1~uMIDVh2!&w<2cEjq>FnYn%_8@lFyhAj*1r^MC*Tg`OyjZ)0c2=OnVN2c;K&3sMKvQE=ge;{d|Eysyq2 zBqi@pi;T_A0$a-_DdFQsk?Xmzw{p-z8oWkA_(6PN%70NHNkoK%KYed~U_mG-3;{!T z_*J%_pC3RV&U^qsg9BHf1=s;XKL-qDR(}2~KsB!J;`r(LWn|n!rWFvGnwy&;e96)> zR7@6N2uLHANli&<5rtUEq7~t=C^6%5D6AlaDEs$1yuV^>LO_5B#Jhq|K!CqLKRz-aA04$dhc*2l-Q5T)apw1(1-q@qnnM+eUr_)>BK znUUZRApyZJE2REP2mtZCz3~R592~0D*&jbfG-7~RAM}%7A5Fkr!Ubcn>+3@VhNF|y zf6Nd#%x;yL5#hcOwWgd*2gnzHMm3A5<$189bQ`?zUph9wfB)X*-5~e#AFs0u)pq`Q zrr>W%i)_A`(`oXPybFNy6rZ8yjrTR*Db=Ffb5)|IM75XXix?yGUKVe78gMMmCED}O z?}-gQpSYQb(@t9tNVuMeyDEKhKGjTl2}X010>`4(p1az-W5024U(K+*I9Cy|D2O7= z`Y`LZOs1SWnw9l!V&`#I((=M8=6>yOMat9Mr&Nr4jWrDYXOU{Q{L)eqt16U&m9^VO zGTs*E?{uucOu7{O-dNlErfqooXcWQcwEm1g1mP#0e>xW5z$EEAdh%>Fmwd5hYWTOy zLJFTJa&&s#ozYD-4cD>G+>TdRhxJ;?#JD?d_u_+wN4AArCd1oT-O3&wc=&`RrkY0D zh5II6+PZyr%+1^n3TvW|b{?)7?{Gw^hdf0K=1}4f${mU0$_YN!`*x=?A<@KCDJP_j#`?wj_8{t1T5*PVKe)2_&KXs1S#pPvmhLCbJ zv|HsFXFih5M~9eKX%vGsfa?R^FWEWoc~GLyFeOKn)@01qY@bt zN6!(q&n)bNGaRh6g&QI|N}_c|4@MH;Xbn)+9i(VrmMahSP24i~B`6g)9~(L>g$8v5 zD@Vfc>+uNO#xJ#9U4GAalJt|SVWy)mS&Lm*Yzu`ot~;t4t}Y&~vVS)fjh{>FR0X}*Hoabm{vq(Mu( z%FU#|zso#V!?SW@)%zb&k?XYUP7C~XjGOlq9zoSci@EVC`ZtHYiQ)=Yg{0*5w0URB zzFsM*O?`7n{n4kFVP~00(YX7?mEU@<19SciJIGP6*@}wJhIvN^%gWr}>m=H*bGcJ` zu2lb%`0CEj9wxiawp7-9(!A2_AIAeoIoC9_PhFlp?phLgFQL2edFoU=BDO*=lPz7M z(NoF_1B!xwUe^swR=NqFD7|=SlQ2BOx$dx@p?JotWol_TorS7-#H)FX^YqbTp@-i- zg#BW$r>BM2TBv>>hFZW-ZO)j|4+U!6;s11cRJO7T3VUE42svQD$7#!jz6X-)%mp#S ztEyZf=BlFF$+EMu0C1H|gnd9u6Z`jdoOn#mnbYfAL?oAT z1swJ{+1XC;N7c5E9IoMPZ}K?ofKmY+*WtegbVWKY+5R+ytQ#M;*k6M5<7B2 z|6E(vLZ-yvE(*-8VGP)2M0s90^imB{-U__1{DU1io;`!;4^H-9At)g(7-(ozSh`aG z1KbMj|9g$raO2E@%4hrhH}jZ+f<9RqlAx^8!Hj;ij5@VPlVDDH)9sOd@uZTT;NFSN z6H*I0R8;KeRfI%D`|?u$jYtTu?5ssj+<**qH#aMq>}LRdA?Bpg{v)u82 zwG=7Q69@=UWJ%d9eCy=wVu0xUYSh7FGwa_oyf}h;CvsURBd*rdQ;UctD_bPezvBbx zcavf2(Pmd0Y%E_6B;C2K7j^@Gwl!XveP|Zs`u^VE@Y9j^E}t(ZDSw3~|Lxj&wlzMk z)+1JmvODxReR_e;lxeTLsdyfz{Vcmib01Y*B0g^~y@;N$*0D0SZR1S7 zhlu%@jzvt`_guZs^{MA(6fi8;r*rF2CA;FXgc6xi#ZgfsJ5g!yY3|V6ab7AYE%Ua= zU)L9K8UJnCE_~)7Eg?Zq&FVP0^dXR7QPcV0u~ZU2!msRonO)^z!cQ%ke<{M(s=9I% z+Lgxr55x$?oF_*dm9XU`+3dXt&YP94)JCSJLN#r`0>cF|m0)ZOUeW+^Le3hWTU_8j zNGYxNc|_XD0hxBLuE3)W{z(C6Gt{3#*Oe6y7?>f26Ux`2Tq$++DHyqJp8?!T`Z7O? zV2n`;(l~*V|B;^N+4qiUN;_NIMqj}!eQY!|U?&EjV!V9E#>GWob_vnvIQVc(7FdE; zGgc3v!ht*UO>8tYBJ%R`@Z&vx40VE^WkUs#Nr8|6^lT6_my$AF|232(zz9Aw{=2lq=d>ExqJOmp1N)YMmXtnvT1>0DqtnxSC{##c6^CRJUm6=J z;td{wL=gu16&Oh$KFGln2%`%~gtdRl5?!sRy8@MM33J<%eV|{1TEkufs#>Ui@8M9# zYC}ZqSJN|f(EhkVSQ=P{K%uKn^utmMLjGJemjlu8Ve$*5zJL<4x?>-PiaR-(+(RI_M_WlVoE&b$+QCxPzTf0zU2LRV` z^FWBml(viP(WB2d%*QmBc(K}=;uNJz2fi-jv+ciKe;zmRdIEPo^9Nable8x40p(ny zMSjBc&^vqT%eL=w#6ubJ++DYsaQIC>GQJua>*`x-#_-Va5J&Amv&JXVoId+WYgb)U zL*=UmBVG3SE)7o8XVGR9oTiZpDXPDUaYy{ZZm4b)vhE_>506UgzP)UCLQ0y(MHv!X5u#E9|zhzVXBNl#0j{RCt0JzoIbQ6i`%LcW}~qbJPdE)_E+HReWLRk8z?8 z?r?y7!Jp}88P3 z;>=;m!^3@&Rd09So?!wfA!ctM-TB@BaRL4=bBQvZo{0T@h>vj={x7BNr|bDeM1IU< zot@w5zpBBuMXv_0*c%6l6JCu$t%B@xC#pS$8mu*{I}o7t%l`Y@}3#NfK_E! zLbE9TT%`ZSi$`2pqp@zDL;pzPkxAbF^)7qoUWcz%)0 ztk*oyE+!$*#v^u6QGAK%6qo02B+I?==Eva(;gU&jGOFO!d3)Q38bL9E${k8qT7k+H z?8}Fgwap~4C0kn&uG_=xLduya78copV!wA|qqAk{103;IMVne0+OFpEo_PeFYJI=}uFFx`PM7zEnZMMpy>ZTEkjQtb&cB2Ok6+#M-NNj<=3668Gf_4WBVIc*&s zMUaR!(cpE?F>_pH)9NJ!26Ee5Tbf#0Kwq(&t@{B=FnB{+IyxXB%-6a6m#a(j@Tq0| zPwU?ttgK~t6FFy-Un?sEeG$$bbg>!Nl#uJn?{&rwqE09>pd+b)d&$VqQ&XFS-VEOT z2`w!s1zTHNudlA`9qvH+0koj3>}&{o^aUbcXlN+>3T_W*OJ6fH4fOTDR8|rM%Lcko z7+^DQHIkFuH~CRpSZ6xg9K z23ZnNqu>*Bb9MEBE)S$J#>TWSYd-{lk}W=f=7%nem=O~ceAii2c~Aw zk`M5?enIx4&O}2q50v=#h%YJll(?X$n}vp4N`P+--F0e0H9BiN)`*E1Wzsfb$f#ws00b+OJJylXOQ*%J_!Dhl>idZ7`YWlaxEj?!Tcq3}; zw2*!O3eWI&R#v8ec!xqx{+q$?$@fNIu}PM+05)s)V?Ow@#w3+TX!5n%wOW2CoLEdshA&@4Z{*vR&Cf6C{dmlsPOOI4G0fE4&R2W$cme zaahn9`!OC3v)Z%BC5p~j8vY}Oo8G+>@nDkL+FH=Tglbt@SV$4j=jP?L_y8}&RJ;0d znxLgoz}5MkJ9oaWqT>R*gMopeofptL#C+JmpVGRm*XXssFQjb=41nfvv}GjV9$>$8 zA&ke$tjmH}$eE7ens=ae49@n1!)}O(0#N}|1)wPyOhRh41YbNn7obVXTq2&vs`R<` zw00MA7xr;-oP(Ag3V`T-sBQX+RJz_ZK}Kh8E(+pTON)Ps`$85M5dp!MblsZT$jbZo zU(d(_Jmzq7viD^OEF0I?=g}6@C4A$DZ+<`&Z+PfmatgQy@j-er8T?)#Ccp){}es~@v6u2sC_W_3!y<}e-^li@gt zURgeuU|(<^QWYngKhXPO%}VxpFaE{IL6Zxm#rYp~QjMgA+ivXo75nrZ!91`IR%E8MWyDI4PD zXT^LX7ULXVx0hTfh4IpT2Ghr+)VVH)udjrs)HMcp7M28TW$?yIiw)OpHx9( zh&*oMm-Y#1lU!p5=@pZe>JkY}h5ayEMKWlHJJ3@Rh^5Y`NhOgvw^AEgg9zWQ_p>1t zg88AcLZey}cCC*R(<1q0xO~YxIe<-tJa~frM@Ri1&i#M-I31Ja%Ne})PG8Ece&)Ak z8*wzRJ3fp#UmMh&2>c|SxS!Hi-1@ZRmyuQazOXGbOb@>Hs>C*vPNH(v6+!X_4a zfMC~9Z?nX>$(GT@_b{xijywt5-`-T?<#r+T4oE&MrA4Lx_(kTgsPp(ddt-oNc`R`q z96PC>>+QvuZK@;by~L z2|;`<_!0QWA^EJn@_RtL~n05l62G~}Y!C;_1oP+Dhudk~;EH8#E~l$fQ& z2HRrzpNfhYDTNMYp&W-KSrZc%xCJ0pmTP=R{Z{~C^Z#A@ox=TC7o)>T&-!LyuAvvx*?Cy5?Vq3v+S8f6845LeQE zfcWw)>y3s8X}$8is2%dZTCma4hA>Fep!OabZ5?c!<$Cvk1d z?~YW%6s?x~Ud8Q)4$06q_eb@=w?pNJ1{;vHZD3!Y4r*{0?jB< zlR4>*YM(@(5Q(gC))^*B$ex?tX3C80hE#7PJn%gFXqiNnr1; zDM3kLhzI%(*j5)gmX?+>I# zi2L~Q&-C=r+%v9M*(oVxFY{fO(ZAd?v9XcexD)spYi4L@&q}SfsfqIX-UAoSidV4t z`!N>dP`>I*4N0tnp&-6Ah~z&f{RSj=YU=E0{jK3u58he-p}w`XjI80!?yruXP=*I7 zj1i(b=Q5^r;XpIZNRP)EUCmo&xve#=!j7mKjqKg-J3^V*y$NLz3Gu2Izq;XD|~zSPo4MS?|@!rvZHLx27OYC zeyn4e9sUNGuraefX8n;Qdw}yPJ{dh5*VUDJ7}H8{f;Ru7SB|7~cMq0YJQ_y${XLw^ zA}HUC3=D$a&+d6vn!TBq0h-TRb{FyfdCEh27cPI_tGVa5~3jnP8Sy!j)%D9XxGWK2mevWX}pc( z%l{$#fObn55xo8$Muk}2qDC-n3Vt4eWka;Yaqr?%D>cQ?Yfcmw8F}Ip=Ijk;sif^K zY^k=>f8Y%pec1+tXD*@Ppd!Lc;}Db6p<(k-|1zGUWGvw{QIbu6xtEd0nZs*aQn*6y z91~=&rOy6M&CwNRvmvVcDDw1NN13)75mYWL+2^t3}FE92jBMsN8icegwg@OM5 zh-Q2>`<@u_@A<_M$84YOD=1v$o}Hb&cCv+tWApQSWcoX)UzsLDTM%G^2>))q? zQ4z1jh2C%P<5zXcGf2Kk=}R)m$t~pezBqd(7}}}$lIH=lKtl+MSg0KbYkpoPlI)+) zO}{!?WEi+|$S3ySI5Q{)>5J~G4@zm zDt!MMs~DU5GG&~B;YLI`p61TRw*!vK3A}h*vAeoYR%*o1-_VL=A`tt{e!=Z1lD8I$ zuQ(dlTn7bMInvdajj*!lEG%r-cXvCZb|U2Q@>PERH?X@G^v`tp6QP>2nre2iv7nd~ zm6H5Z-lrpk;9tQ+ORWy$C>1N7_mcz`ab`j5{BI}gZLwUi*tM4y1SFc%vjJRsc~QrC zRQYKvUYwIVX0a(O9DRB4DT5?+ULX>Z18>1yMkXe!UEPBka)#2+|PTFs}pzEH5wkNZ+>$s!c_*C=pl^wyfBOt9PHbeL^<76Pdlb zq|ob|-|9gUfeU=8k%RKf_q|;{rS*x&h{+I)8c~nXuPBjS*X|ucGnpa z3fqB>JR)mTISP)NcPj}J_6$<`YdssDN#@qVWcmfatS-1L7B7ZQBa+Uywd@QXU4gW3 zDraEf!A*925F!~G+l2r0MkXbNJfJne@zAk{sh6p^XOnEhyi`Lmh=2U+jf(o&`CWTn zmGLg(%A7!gbuAxgJwNi)Rup9?Ob{`oAtSnEsBSy69E)Lg@cHwjl9JYk9CUKD9;+2! zA8&ry&-*wM=Sul_n9J@@%^mu^2Y3|SX{o*k1^i- z)|VHCJHwn$j}QpP&0z8Rl{O2@Hx+<^Hr>a5<+WtWk}0wrQh|9Y`QIJnWf81r|6A$Y zq)}8yjgRe*It#rs6dfK~!I0(ae~_1+PLbrtYo0;`OypKHaI>Kw7Cr_vwGpkxYhwfF z1rG<*L%CvId-Q|GadI;E5C3|YTi7-nBMFdE0^ zet#rF&muwJj?R4Y6_t+g^Dlc=cRkq`^c6y@oY+4>(@Q_#u|s@zefU~BSaN^zS=dL> zMD{m5J;7c`_-`F0bZalAaS&g!EY~Jt;z?C{ZzuJQjrR^}YG!ws$7$eoDQ=zuCS}Zf!3hvrqUuI z-Mck={_252q7|^tHJ7!5gMtY2XM_z*D3l1et9@E98m6S~>Nd3+Q#9yOVyyRqVC_?2 zfZU0BQtxm81`;oa;5!Y)S&Dnf?AVCc&S|9u6mdzfF}~uR9jsumh9qyWpYxHf?M9#M z`#7F(6;YBUcL=?o%<1N`y9FhP`g=8+4$P#efGZr{FuSB2$1hDybtK8|9lXh_r7vyw zTAM!amA1Vxl4yD@;xg{tDPj?em#q%I`iuv7Vf0K<^>$ZxuQ)3j4b6jfO|AR7{@jY6 zC8WL1-i!yZ==LKJrj6dof!Pf>RUMU2g#HhR^glonWxxjU4F)bTZYbp04_xCuBqk@p zk3a>rmb0@*qDHc41p4aL8l7g8tkruc(K>z~KDpTjhK?@8#_~BCnMcuHGLVdxxNX`yz0^AU!Oa zeQoN`q=aUU)ex#Y8JVF0ohy3S{R50)WyN0z>Kvg5VKwtkP4-?>=7ATO+;|RnPc^y= zM^}EP|J*;=BkOk+=iRR?#9No86F15UiV6K9@#}k9WLi?iT7la$4_=S8tg?Z!KZ!dD zglcI`PPU&qrT5iFLuxf71B_!oSY)zua`tu&RsIgBz(+RL*YnTeBNM_8P)!;eL-#NG zT#;@JBtDRd41EI$oVcoLRd)6rmpu+HF44)hInSP+)|RFR?@tuXWAS!U%2>TZxgaSk zE1v+)O52!tFt81vRd9bewzAc&Bw65B zxSHJK+iknK$;=N=FYCD<&4%#HYJh~x{D0&rt(@!C;x@-FDwdn~-Chb@lZdy41$tc7 zNVuhacr>%TO}tL|kQ`4yX6j<`xc;cG<-TFB%&&%}`F)!8`IC}tUsh2D3da&B78giOD^f>;DI4j!$ zm(ia?1g=(onC?Y{g>`kwDJo;W+rhh7H^2lu$AI7>Z1)=34BGqhKMY#o%nhI}3xu`fXh~4p|SqyL$A95~V zZEb0!EA|QEH;X>DG`A(9IrD&%th%zgb)Oyv$nrMZ1$ELwN(cVey0T(oB{<0ulLfSN zK(<4tUd&?GH`I|8D0R`-7DgbN*yj$L8tzk8;*D^b7e0APgN9Y+e(s(*m~j2<9gS1= ze7VP;f6tX6e~*&i_3|0LD95*e>}Ng5Vy`kX@($qA_|yRvbC&Rn_jo9l zq6D7^;8n$IZFf17kdQ<~OuDf z-~_!8GckY%2W%1^_2XqKB1;qyKG&sf8y=>;Q0RNm;dXR% zn0txSWE;rW#xgyorM+w9@chM#kK*)KC)?y3QsR+IygkK{I-TGNvy@RmDJdld#NpuJ zV6cDq7!&gg8^s$)NuN@)^7C)|4_^x*A!2YTEeqW1(pOe*9D4PX-3wOq=BJn$g+~tT zY-~clF}k`s`aTZ*_q1xIzM5tC{DAw(wTQWK+$N{sS}CNduP<)=oVUfY z5aRk|V8PpePhYp0{X6CA{?c6(_k|9&^l5J2vSxEj25zyto(|(L;+jfd`PzoGZltAc z!AK|7HO>DVO6AjXz7!HmM|(_*v6=LrkNV}F-q>d?Wh;;l@jLbQZ&vk6^%_u~we1xy z8a^l_1(YZHc=>iJnC?pAXDIFi^wOdf)2`#i5$Y{@DkQ2T;KFXLnbTv*s?Ym1w9z{_ zMp2$dxGKQNZrT{R{1*3K+LnQTP|$J7XuHPrce-yl=S_`A9{bT-E5xkDNueY%W5YEi z=Rxj?3V4}R<6WP7PknmyBNy3n4-d^?VKFk*?@T$6s{DACB!BECpRpMJWh1NZO-i+( zWh2T0A(8NCh9I|-{YQ|S)OjHx)<{Xt+S?6sx)Ls4jxa>cH~NTqx3~uehB8H>o=AQC zPy5hwv>hDkK^R^gr zRY@hwtZ$z4y|z&$QUMpB;yg z3*jXagdmrv9X-^!qqB$}_BG7h^BbbS0`EWC{9NM^3ZgxSWpx!u#mETAR`y*ZxrYEoy&oE+ii644-y0uUSy@3sro$J5 zcTi9euW=9kSs98R6S_a4HEG5TEb95j_{Q-gJ2LQW=>fp zyNNo)iOUF2qwbBWdd{~W?DgdLStkv`PhJ@ly`d-~Tp3HsQ@JAFyW+m1YH>tF z6{nrt{XIK73nWBAa+2eN#sJt25C~>wW-z?DtUhT3Hma}HB*Fi?ZY>y=)&x`L8XF(w z4{q^zn;uhjUdU(IOMB2e3`_{s8S>Tb#gZu)!=6T+UvuV7*VvQ|w6M5TKGu(6?}dbv z9^~yddCJb1y2(fP>%LR39@((u(dB!qg2L+J5yi#<)WnGuB$?FpH3VV<^`3VvFK^gJ zSxb12<1{M`ocJ#dRI-%xdTJzM zQQDZ~nxP&H#NJV6C)h(E-XDU}b$-{&tI5e)bjI9rPCa_YGfg{9)J4t1g4dG&Ia$t1 z%tq~;3k}vN(HR{s9hWm#hd%R#`Tq5#n>!D-)(JO0COe&je2N7ReqLrgar-UuVu0N< zAoCh>bzEF{j@_b(8QZhI18Iy0ZoYzO5kZ>s7=Zt#A&K{$_JYGDkc^Z2Fo*ssDbu{qo0@uipn3Uvkt1z$(LG{IM zV_>lVRtR6Anh{u6)@kOSD%h8KVIU+kbHGr}0ee>+4du74VX$)q0qvf3w0=x5%J@&I zH*X#o)#T*-l^7FW{huv>>vsxW^j(slhcU|*L)W>TmdV!%0{PWjygEwZl~>2ku?e@c zA?|->fn4$NA7%5=!_j$;-CD0h(wW`*iqkVo&S$JTp_tOuKDPNkPzs-lu<}G_#7!CM z{M;7m`;;iMQ$l{q-{kYe!teK^223U*f^hy~l{^}%5sI2~XP2dU)ivE^<2DZuI+bzE zphP8=mQK~nxyxBWcjfJu;eu&(p3B0$-7-%)6r;kT>4;)K#RP|4WnF#3ydwXPNwkxl zS|j6t=fJhSE^DZCyw~lmjSaK4IBG`>L7xjh_5W-V66ey{1*HFVI!WH#wcHGzYZ3i1 zdb;~_A?ZtaQ!AUc>Vi<>kF~RcmN?;=k%p|Rf8`kq9HgWqCb==?UHR!{Z8kpZ=ieMU zH9PU|J(Pb~@MU{Wbf0+m?FFwDfsQc?kLPDyD zQTBMUvyFQ9&YkJ|sNGrLx{7=L-TbsOrn~_;B>OYaKUxq_-ZY8ZkY=gjr@oA@;S!)u zOA0Ic;k7fr{p6@XwBe`?)$1WMb#PvGgQTZuucOnT&7AYUq4#_t*hf**9*O_2Y5w2F z`8_Z&hAX~TNMe6b5@BLv{yaNt5Y~0~m6%1`Uvu2IHa5yjKaQ8Xqm%q1VS(i9XooZH ze-;H{X6o~nwq7V2rws03f^aUROvlbrsHH4<^Kq5Hy%*MgVMBp;)%5hNW2+U1Nl`*g zVq+8N5U-UHq{w!b7KIPzG7d5;$E}`lmbvFY zijt(;WW&Nl&Q#_OdWnG_^%XSxdUZ_?-FUD^;fbC042>Q9cHFCp~!Ut&& zL_u%0i~fXzpcXhhUqkcq=!!gRJq}IXPT8@Xfhlx-*(I5uoJ^|tS4Ba=9!$}!UAuf>DK@;0Lg=laakCMiz95pDYnt zYzzts$#&qR0spQ4=u9Y9*4CnO(wBy`TyGc z?zbkI_TK;^`luixy=f2u5s=;lRGNZ-NG~B+fY6cNK@p`R(mT?74=wa6-4J>QX(0rp zcR0iImh+tJ{BZt&^WDo!vf0gKb}~CVbKjqGNn+`Zo|1U8AgPkzy*RL3INxZArv?4& zzv4v%x`6`dTwDF*JUo4mx-K4QS_G324=ue(lemHsc zw1xf5@z<=sD0uqk&=G8$Fovw%r9zJkMMpf5#FH_UStA&Z*ua`lALW*jpL$*EbGVOP z@0Pc(!TyP2s0%0(0#;%GT_ zjl!D9qb04SIIw=-L&~F*7Wo%{oY8?>hs>sYBR`F0aRI>4IA3eX&Hl48AlnM15E11X zhE|^A^n|y*_ES6$4Z7m_%=VaP+LDAKwuJX%i=cr6C1oL-%FV!-LVaQi0G?w`v}w+X zYlgd|5*D?&t;v1JZ}|ECO}bAxyGKm8s~3DGoIeZN*{c0TF{)Wc&u-f%?dx$p8M1C$ z?RDV>YxSEFlijhlZRW52)MnPE)yvK|GeJzkCcMp^Sz^Zrs*3m~_ut6C#fwep?3=+} zV&+SFVg@Kuh)u0yU3rabPHb$9_Y;_%ox9u;zn52b@BGq&x>ky4Zc}TcO=r`zd$%U! ziKk9%U+$22G>=+D)Y&9@^TEAVPJy8EK|*P1X{F#lt@j|_LxnJKd_+y__tNacoZQ;q zhkPzJ76+NX?*gPijL<7B;o*V5l%7K%qfAm^5#jub8j+E)qC#Bw)$lAE#sX}><<(UP zL^kKHY}{GRE`2`rN=`1NmPUJKmXr(bYr%_G`uVjBw*i3Em=A7$f$IRU3OBZ6hhZE9 z0?^@#y-|fT70UX$sr!1?%5sI>4%90=ZOvV!_EUTVTnolag~i&Y2;)1fY`Zxnht;^i z=EpKuY>$pO_Wb>dz2V=y_J2%islWlLanf1)wYFJ(qrSF!RbhoBRAe5{+3NRpuXfB# z*DNikdPm(u80l7;E zmLeUVvYG{VVu(%Wp@N3XE(1>VQ}ZXK8%o$0SZjElFZo^3Y7t6}Z1#KSoPV~q0HJ9d zAiE(q>FCBsM-hNt2Zg@Y)59$;`l`KpN<%{fs0M~2-hdVXMkgMFT5WapauEAxW9t~A zJTw9B=REpV-|VwMm_EO-aCmSKOqFu-^X;9S>-qA_Fcm9pbw0fka#Jb0??$3Lq9+WWWU~_48*8(Aiz1ofep<76Hh`3q|U| zL7)x>1Wu-FpF&Ih0|LHxB>_Zxafu*+S!ARm6oy{R&Clxsu{dBPkfH!Cqi=990`SfN zEd(Sjcnt1P-3J=#<QADG&URWCs}siFwWVsv7?GqpRPIQ<0bZIblhKkn*D|lLbH++ zPiN-)nGFINwiXYI`JN`F23ptMUjHbA{&_cCPYrDoCHC^#pY7t3QhR$x0*I!Chy|~n zmb`gQR6E&OR5w-ZRMqlT$e(KgXyKWam12X}&kiOkr#~++%y_dmq|j82>zBo{SS9f2jBCsESFb7cakATq z1!o70Y3o#20E3X?N1Ze@SBYQ1 z;r<8PNUex!39p1O-_M4U9&3-UUGscK-ZtZxJ^Ag&?idtThL^+=+ny{5zVdL2-t=nUY<|c%EO0E)C*TCxVBs_!; z>|xam-lq0@ydVCYP}8n{qu1-G_4?hS9G#e?%V$M($063a)8`^*F9u%Mm>{lYgg@i- z9e_&TB$j#l!P`Ri17QfWRnawtAva=~O(-GsFFuA88;x4-+S^S8rSkjl?Vsu?P>%{7 zo_JolmtO&h26bNAs_5+wWkN&n#$~*u^d0? z?of0~6m7k%?^$=W=e`r$xjm!H4kg(pRq~qNdaT7Pm0Yd3GynVdSRiilZwCN zB@M>fP-=eX$ zj|()b!{uu56-MzlJ3*#pGVgyM1=EjMpDav7Dn#U3pPQc@C!fbv1YoJ`wi$&3e}3+y z*jt~h{BSBqK2|$7(o64&9DQf8KPpV!XJ+gIwe4?pJKsJW(ZT9KOI_Qj^R%=@Z#XU0 z(yk|&xS^%5U1%i(>_6+9GC<{>LebZm>;lzW0OqHP2WxO6fUgAA281dQ;uoqL2R22$ zLqoeS#ZQ5|0oS-7$6?Y>HEEh;|F2&=fLb-&y=1O+9rzwJV8!|+k1c@a1?EsJ(F*t# zWs;M@^!4*I(}3g^94NK}?B9cr1^d%wwtw1F)p>Y|qT#?TC>pNG{otc01vPbaO3Ix) z(`vf`+%AX>f=7YUMhPGxT-a7%**`;Vfon={lEj4l2cWi1U5o?rq#$+5E)Hm5<`^#@ zz-m&77s5Xr`PCzT2z&!v=6tCE_$E?&6sUne6siWo-&PH$d&W@!wy*)f)eod?0A*|D z@k-{71qQbZ78R6XKu!ZZu}?s~RK=V@c2$c#6^jL?5obj+c;3GILdySV-_(SXKSP@m5edlw3HPymj$e?qFw7p2>ZOaL@J)8BS2*sP<&7+^f%113SJu zS1L!eJms`cq^RXNXb(SEh}msS+c$on5%_c7D3FS$jKR`w@+Ybzw0@b;irC^?R?&tJ zCe!O+)t;P#gI)X3IE@Ew+0tTNZ_@nL|0=W;zq~u)X&|+oXD!y|v=7qd^NH2`OlB)0 zyN3<*5~qn%ljC1}jRdV`^3VvT_+8Cr*t-byRWF0nYFY1my#}14WvTlJ>U8b}7UgJp z>{92qHW^cHm$tZZD{&qrwLMK(9q~o#=-@~rne#BWcgDT$FkX&@XJ)sjEHiy1KJ;Y( zs@|(PKt*ODb3rLqa?Iju!4+BRF7z!CAmKU2nef3weH4Io%;IqboRluNH=y z(R}D-F*%y4w;LR&sJn&!q-9VNGt)QYbxND-0StZW%ttDQk|lRfHb4A6+ij)LR6KHM z+v-e{gJF8NUIn-0tS@F>eIgqwv4234%w_9PcI&492JQah5zoAop4ZdtyRl2Qle{|})L(x-IF+V4{=(@f_AP6h+rG4ulz4Af z)z!+-n$ztKDSEf_s)Hm=TQ;IE*Vm@=+%SjSh1}awb;l?6IEmo)DPb$@IP2NRVC4`e z8-z3NgN?mKjelC&@6sYkCjK`;L!4{&8Xc_WQ9Ia~j@8%Y>L7&ycpG$5p6(b~AOx7i zmoewuP`Ihr0)!2K(^}Dpo~a9;^PgEtPR#_4T%^rhGp?}A;&R#uj)H;$Nc@{gV#?(M zVf*-reT<3}a{PPO#Dp90S24Lt1Qf@yPaT2p!8!tO3WWmIX6<@+7XY=wfMDqdVB!)b zn*$vHd0bY-sF-#V0Wfz5u54kZuM}b1({GgWWaZ@>fU`27Tvuve7_9=ic#9fwUm$jY z95FDjL3rlH_m7Po0t9FLX~yM2h5fO!t7H2sH0>`t7@S;4-YyBfVys zy)tR&+MNMKrF|$A*z;YuM9GITS@Lpc%>%EO(jz~3qYmLnxFYpSm{d|l}4(ZogTHG9%1CE-rOg@YPNjdy&uRXC6bE0AF9F- zUhyti7L&7_obc$+k+C3yps-1M8OFeQbQKClzP9a5)_QkW8bsdycfZLGIPa+j4=N_Q z_aAOZ%!{8_f6y6;A-$m&TL%$CTJ5$42unFTnPE;ZBe&rt2S~0L-H#>c7(Y3fO|7O8 zW2k#vaX_A%BV=1SDpLz_G}Tf&q~tzwz`7kRT&MW%U5%x7rON_i8k5Vf zt-1mA##jTk__IqNn#geJ$IOS=y!5B1)&hc)whj*T&ZjBhQ)Kk6S$rK6D75*r=dXU& zXw1w=oi$~S441hT334{X#)?e1XJVIr5&TrX;W68EY*67|Nf}1KBG-4ehXV69>Zz8l z3B*Q|^z`AT3FeRQ{jicL>vbEuL-3=^mty(_EDMo)WTv?t^FwP7Cm&0kS08mNZ$>pJ zIv*X@mD-Q3uq88Xe~!FMotTiA?73g3C3!UJEo(OlU{c z+BS$qtxciuLzl??X?dT`aOmP~`|ffH^RTjs@Bf*T_LWUqx4Qe$vSor~cXfPd(>+x= za%f0gO|5c$%H$E9t9^)nV91t5d+Zxo)(p1+j8j&Y#>n8M)m_y$Z%*?W;R0G7TMK7B zJsz~Q1q_TWKA)gIKH&Y_+hHdx@)he7(Mj=H7&9NjlOkY%34z0n&~PLY6d$OlIB{^$ zDlacSzHJ?mgRAErEt6kf5J0qLnT@;^9{6iNfBY=TZzqspxSd}c)Ols0Gkgp?hULJD z(vEproR*0pFCzmUA(pLoR>%Y zBp>SM-)sH>wSm7# zDZhLsaqCL)se3Pe0p z1s>e-RNsGbapm=AM>y+-Q%#v^V9_yb!t|{&KmQ?cGUwvz1@b)r;1A?`ULLZA*VNPi z7dH^q0DcRApoiT(vYM(nJk$|g6#~v}AQ#L&RREOTKmr^PLqZuu=ka((5Vv4t^oVNC z=cBm}6#qb|V{B{;gly*K=75?!NIRLRoP)g9G%yb7+5wnt>1PkghGO{Xf-_+Vq;8$T zOvyWWHTCY?ni{di%*d!HkTnB&Z=E{fzUU^yQNULL{y#u>Ud(>w7dUgjY>!IAHJ&3) z`r=a5vUL4l30y=$93342xfBfdAlw7k2?#{?5CH|xmMS+VXE(T>pFe?>=V!o$1v>9- zL2fbO;o-p1EID~&X^9F1r3yzx;Ew^HB4cXlW~^=tL9qggvubmx4AIh(QzOopjyIizhv#}u!r zu3u^bKPr^KY77Zl5}l-q`|ji1LR8M!%#_y^J15I{$}~8?`W2^uS*ny2F8M_E9;@K7 zvuq?PUQx!`jV)`*Gl+vjbZ;VRO58CkDw5I3(Tb7k77f*S;WE$*gld{-Y3Wt+h}v~m zocgxO|E_UdC7-Dl{mrDQu8E&Wu6DC-Z))-VNN_ZJ=e)`1D4}la$W>a-czV4KOBp#d z_X7`Y_IdWHAPdI%An$CnhD}ru5WzBGdLE$%eOj`~o;OsKJG;6>7uJ_e^F z#<~tl4&Gi*EMDqok!Ha^WB4#zq)XM+HA2g0k5Sj$wCN=qC@KA(qrAUpec2fC65jMD zk$FE@46N?A6Ely+bZy^z>DtzmuzF0U^X;t}L}w;WQ+BHs)mrSDLO2g$#&)&g|bwzv2kH^d^6riGwTz6!mG z;zzyJl2{E!sif$rxajZhJAdZ9i~oF6P8^qatW8kLy1u)+y)FneT&e3{$UIdy6?bIl zdd|biy){sIH6SQx)f2flsFKD?Of1@Yj1+@CS1*^HeJQhwTMZy(+WE8RxV`my$vqM{@?j8DL?PNp*Q4R-P!7$sSN6<`j#LmnKk?ms1J71D5nO5OD zjmMw9gh*s1u&`np&NOAHNa@9d_TJKiKoZ#0Wg5G!2n~wOFV%8;*IlZO>xa%}IEq%O zUvY+c8(*&F<_KH~eIUs0^XbT{A2rC?bo>kKJjN>c91;nKHzCgjmF+@tRgu?rN@5gY|1VPSTpQ_Ds$b9Dalf z+^#Z7APAAg?6y}*Dc6W2)c@j5eJ0oTmDG4+h6g(B>VX-CL$`Xkd?N2Yq>zG9x)nrv z!nlYCfV4COg5X`NV!Z`ymlfYWqLBn~9wXP*E1YRbNE%?9_j&;K=c^v4woP&c;HcSU%46{Yf!f)Radjm2agMjtUoC;>asugjFMg=sG`A&JN0?mm->mI zsy(V4;uU|_d&JkDDZFs<_Zyny`Mc?g1rt7zK_Dra^YimScm%|K>wyg?5CXUz2IA9u zSd2Wr=FHRU?9jx~aSvE*zU=K>uU=+C1`-zDma-l#J;69^c$Ldlugol25J?k3&bSHA z2*Su2BeAWtYHIwiBe8K5f_fF!v>r2lxw#7DS4scEQc1IM&29{4sKAXUcG3ZCwAxyr`;z?C`Y_2nBMj-UpVNB!LC^p z^1o}pZuD737T9i*T&GDflWmM_MhHwhccd-Z6>gXtr9dH#8Gj}tsP9W|di$*@PP<`> z3F;+1C8s56b+AjgTJiV~-##|Pf;A?dOy%UrM;5x(?KOP1m5d~4x{E}5Mc%$0GrW1@ zI>R}c9P8za+KiHTJ_atT#dm=*+J%GYVB!4t?Y%wa=g)0yX5SM%Audw!uy5SGE_(?Q z-TCdQaR1pdgO--?;@cNk)ouIeqR^S#(2;frf3>0~DQz|9k*1Z?=ib=2a~~gX+iTf} zGFj&zcJ*S^GC+0+Y$8$&>O|h%3&UZRa!&rY!Vac)dLR~k=`X^;C?q3OGy-3OIRR;Z zK%WKc91CC;mZh8sG6QRKb$~|?+&HRhYJdRF&iWJp;vMr*r_85a&sIzWrqm}=K20>V z=z7IvQbrc(At1q7_%Q8jaGlYwUxK*$$vUTzrWO)Kh0x0fB$qCiGdfSD5S(5Xt8~;v zJxMVdKp@HLj*jpYY-}FYM~1GhZw!)}UTsXZH&{A57d1(z7OnrV^bZdIyOVKIf^H5d zlY3Zn8QBycgx&$8B%Fi9{rdF_I6dkY)WMa((_Xz2Ldk6O#GzlxA$gn?(ntv;WKX9{ z_B*waI7s1R%TJ%=q&6eQHU4fEn-ZE-^1omG=Rb?v|GJm{vkxg&y;S?(or@QZa^(NE zzx~hK^sT?S9}Zq#Rr~``sPCOw;{TT5=XdgGwJ(1tuT-<> zHR|T<#t1OpPEWrVEGOLqz6mA$kMFyg+?VJf=G3RZtFx5b@8|ME7NB%)h5<1Rifuxm zFmUq^p{{s?W!0!BL8|9|kf4?m?o=x?jJH$oVv-IC4F)qrEO?^epRl@9AR^(G{8W`Xn~- zwHKBiEk$Mp_7|nCy=cuY>AJ+rQ~n%C5CTii20o>WdW$!2h(IhN+{{&sQn%h$k0T+= zKaSpK_&JNX z$8{^S5yDZ54F70s>aFe9?Uw3D?pf^P($LVYN$sj9D# zlhH*H=fMIcHm_QU@MPp4RDtX5)zF=^p^J2aEN3Kq%^P2d^xsK+3oa{;Gwr~SkKALG zndS+9Y@Bl}%aSiuORazORbDW%TQGn=DWt#>XX9Z)&cWVYVB*X&>fe%~(Jbu2Nek zZ7esTg0sGc#{1n~Li^ozOuMt6?S~MgJHH7>nwPNE`Al$9OxSJ@g3lBtx{%1GYrPWZ zSsuPF@eXXh)n=GxyJo>S8ev9R+f=s%!d$wktDvH4^)yaW&@UFg$kjZ<> zNUdxbsg2dS;tO$2H5O>gyXV$K)XioTJQQyYik&p$onvoa+!~j`eQbz&JF&lMyGI!o zaZ(V;)-}jYBJ$Pas~0~FPG({C8xB#CizPk=? zE!iuHMObh zNX?we$`6D_F-U3_V$8&e5AtB-HgenNm77mYWBq#SET3B#dXFzc_PTU7l9S8l67nL~ zXQGiucENIXeNSi%)qwDsu+?Nte7xJ<5I_-uO@OW!=%@A%?11j6Z^rNrVu(p4MD1Ru ztrFbuk_XV>EUzJc_u}xhz;RiEsDW!vYZB!;GWK*|?2l={W_M9<5OT z`$|B8GV9xoce*ZWf&;^i4F@8qozv;S`+J>RWnJ7IC@+iLiumR>C-;v*2RQZGSel(J zUHQBk7$X$nYX^5S4CDRE9qn-gg(}7Hh;d4S8xNEtSeMT~WD7`Fi_{#aB@(_J;_eCo zka2+Y&bpW=1OJjQq>Oa5FW>~TrMX2#=X1bD@d(SdIA2gX?K)vunFEXP=$_$kIQb(- zjusWeNf+&JEn5;+r0%^xL=(k#2kvoDPqZm-A||x(scYIsF1tsO4b<J1Lf zS$=XK;{FTqN>@Lrf-5V%_@zujg5H#nX^Ny@Q#8+H``V;70h-4dZVjn4nXv1`DE||x}TaCSdCm} zI57qK?h-rbLW3X5-1WLJbEIMm<zDWwA2&YNdnTB$!Y{uB=rK5gl&~fEH-1G#@>l} z07h-CraUceUe5v0KHLV3w-}gjO*X+dmX~rdTkai;j-`c#v!k1XpFVMkx{S$(JmBxJ z$3H%fqMu4k7%U|1)$rO%A8vZ;|B^OeHYMoGebonQt~s4h)AAorgLdV7(1_c-gY?02 zX-(Q*Tc2sJU%aq>M7J7z*#~X-XqdkBmGvVUuoKh!SXFl*n?}tik8^)^K=j*sX_w(6 z{rB9fFDbsLt>SP>7$8V;A(Om&k+r0vSc-_f2=BWhqxpG^;Lm}CdkPhyfdF~iqBQvF z@INPZW;~MVe2X-SMHx>~Q@14sCNzp1?{a-cBTj(fw6Mi!isRkJNKSwl2d1Nm;`}k) zGfSgCf@M3IX;)RUVOI=0HJF!YuvTpQduG%FwrdIshaOYh$UI2C-#R6FKg791GeK~3 zpFKa@eX--*ql8Bm{|v%8UF-6zMFN!vBkof<%Y^UsdC21*ScJ*3&?PFT4Vl`D1uJI_ zVFkos=5TnhW)|91P`5xXkFo$9G(+m5&6N0+IQ`^svkUjY`)TCheez&UHqf`T@>4LY z_NnIfr#HNG6E(9qPaH6F!M${iA&8MNQvo`pVzDX+pMed4ut~E-#KbNW6JvWsL_`uy zpJidd;=zm_gSFQ!7(OxU=i>z_6XPg_axg4AY{rv9P~^-5JP#guD(u`^Y#D*6P`JfNGft+y;?78A^O8Ywb zC!yabH@e8!hBT@3V5E1T^SPn>R#LyF8orMEmJ3WB$;;bYHt=%@zH?iLvw_*#u4#E( z$mU(G-H_{7cGXZ(RIH6tmYaSP8~(T&`{Q+FXO3Akk)PiR4A$-#?6MZeL~t>U{Is2k zUggGw(0x);h^pua)5V4F6A#_s_no`Su%m$!5Fk#^s-jHac0~@LJeyE4`Dd?m*a(pw)}3Xj&-a5wR0 znbZc(O{r~ztX--(9@6+8QSm%-JebEh>ZAX$W=qLomYZ^k%8)@BZh+PU!tI`!UyPU^V7v~Z{45?TCxy*Ap z=1zqna$f%Xp#1-F@L% Date: Mon, 30 Mar 2026 11:29:40 +0800 Subject: [PATCH 9/9] =?UTF-8?q?=F0=9F=93=96=20Document=20cipher=20suite=20?= =?UTF-8?q?format=20conversion=20in=20sidecar=20setup?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add note that the tls-profile-sync sidecar is responsible for converting OpenShift OpenSSL-style cipher names to IANA format expected by upstream OCM, keeping upstream code format-agnostic. Signed-off-by: Jia Zhu Signed-off-by: zhujian --- docs/tls/TLS_PROFILE_COMPLIANCE_DESIGN.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/docs/tls/TLS_PROFILE_COMPLIANCE_DESIGN.md b/docs/tls/TLS_PROFILE_COMPLIANCE_DESIGN.md index 7d3542ddb..f4f3a5085 100644 --- a/docs/tls/TLS_PROFILE_COMPLIANCE_DESIGN.md +++ b/docs/tls/TLS_PROFILE_COMPLIANCE_DESIGN.md @@ -111,6 +111,13 @@ All scenarios follow 4 fundamental patterns: - Only on OpenShift clusters (detected via `config.openshift.io/v1` API group) - During operator deployment/reconciliation +**Cipher Suite Format Conversion:** + +- OpenShift `APIServer.spec.tlsSecurityProfile` uses **OpenSSL-style** names (e.g., `ECDHE-RSA-AES128-GCM-SHA256`) +- Upstream OCM expects **IANA format** (e.g., `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`) +- The `tls-profile-sync` sidecar is responsible for converting OpenSSL β†’ IANA when writing the `ocm-tls-profile` ConfigMap +- This keeps upstream OCM code free of format conversion logic + **Applies to:** - **Scenario 3:** cluster-manager-operator (injected by backplane-operator)