From edbb9668a7c2fd9f4928765a829668652481ef90 Mon Sep 17 00:00:00 2001 From: Miles-Garnsey Date: Thu, 24 Feb 2022 12:32:55 +1100 Subject: [PATCH] Add encryption design doc. --- docs/design-roadmap/encryption-design.md | 126 ++++++++++++++++++++++ docs/design-roadmap/sidecar_injection.png | Bin 0 -> 568923 bytes 2 files changed, 126 insertions(+) create mode 100644 docs/design-roadmap/encryption-design.md create mode 100644 docs/design-roadmap/sidecar_injection.png diff --git a/docs/design-roadmap/encryption-design.md b/docs/design-roadmap/encryption-design.md new file mode 100644 index 000000000..a3be8c938 --- /dev/null +++ b/docs/design-roadmap/encryption-design.md 
@@ -0,0 +1,126 @@ +# Cass Operator Encryption Design + +_Miles Garnsey_ + +## Background +Cassandra offers a variety of transport encryption settings which may make cluster operations more secure. Internode (server-to-server) encryption secures the transport layer for communications between Cassandra servers, while client encryption secures transport for client-server communications.[^1] + +The k8ssandra ecosystem currently offers little to no support for enabling encryption in Cassandra, which is a hard blocker for many customers looking to adopt k8ssandra, cass-operator or k8ssandra-operator. + +1. To enable encryption in Cassandra, two things are required: +2. The cassandra.yaml needs to be updated for [client](https://github.com/apache/cassandra/blob/945a4fc23ac1f60b8380be3b60aef89caf3daba2/conf/cassandra.yaml#L1261) encryption and 1[server](https://github.com/apache/cassandra/blob/945a4fc23ac1f60b8380be3b60aef89caf3daba2/conf/cassandra.yaml#L1214) encryption. +A trust store and key store (JKS format) must be mounted into the server containing the encryption materials. + +Historically, we have been able to successfully deploy encryption configurations for cass-operator using cert-manager (another Kubernetes operator commonly used to manage certificates) in several client engagements. + +Details of this procedure can be found in this [blog post](https://thelastpickle.com/blog/2021/10/28/cassandra-certificate-management-part_2-cert-manager-and-k8s.html), but to summarise - cert-manager is used to generate certificates and the podTemplateSpec in the CassandraDatacenter is used to mount them (in JKS containers). spec.config.cassandra-yaml can then be used to configure the cassandra.yaml settings appropriately from the CassandraDatacenter CR. + +## Problem statement + +While in the short term we have a methodology allowing encrypted communications to proceed, there are some difficulties with this approach over the longer term. 
+ +Most enterprises have policies regarding maximum validity periods for certificates. This means that we need to ensure that certificates can be rotated without incurring downtime. As detailed in this [blog post](https://thelastpickle.com/blog/2021/06/15/cassandra-certificate-management-part_1-how-to-rotate-keys.html), certificate rotation operations need to be carefully choreographed to ensure that all nodes in the ring remain trusted as they receive updated encryption materials. + +This is particularly delicate when rotating a CA's certificate, because care must be taken to ensure that while the rotation is occurring both the old CA cert and the new CA cert are considered valid by all nodes in the cluster. This is done by loading both the old and new CA certs into the trust store until the rotation operation has completed. + +Now take into account a further two facts: In Cassandra 3.x, encryption materials are only read at server start, and refreshing them requires a restart. In Cassandra 4.x, [hot reloading](https://cassandra.apache.org/doc/latest/cassandra/operating/security.html#ssl-certificate-hot-reloading) of the certificates makes the restart unnecessary, but poses risks if the dual certificate trust store procedure described above is not followed. + +At present, there is no logic within cert-manager or cass-operator which would allow us to include both old and new CAs in the truststore. The truststore is produced by cert-manager and mounted without modification in the Cassandra containers. This means that when a CA cert expires, nodes will not be able to rejoin the ring if they restart (they will be presenting new encryption materials to a ring which accepts only the old materials). + +The only solution to this problem is a full cluster restart (downtime). + +We have made the affected customers aware that this is the case, and have recommended the following workarounds: +1. Use perpetual certificates for the CA which simply do not expire. 
(This is disallowed by some enterprises' security policies). +2. Simply accept the downtime (This was workable because the client just needed to encrypt client-server communications with Reaper, which is not sensitive to interruptions in its connectivity). + +## Proposed solution + +To bring the k8ssandra ecosystem into an enterprise ready state, it is essential that we have robust support for encrypting cluster communications. There are 3 options we can pursue - supporting services meshes, implementing improved rotation functionality into cert-manager, or implementing improved rotation functionality into cass-operator. + +### Service meshes +A service mesh is an attractive solution since it factors out all encryption logic into a sidecar. This is helpful because it allows uniform application of encryption settings across all applications in the cluster. + +This is especially desirable for security conscious users because things like cypher suites (a common area of vulnerability) are configured in a single place, and can be managed by a specialised devSecOps team. + +However, there are legitimate concerns that latency will suffer under this approach, [Istio reports](https://istio.io/latest/docs/ops/deployment/performance-and-scalability/#:~:text=Latency%20for%20Istio%201.12.,-2&text=In%20the%20default%20configuration%20of,the%20baseline%20data%20plane%20latency) a 2.7ms p99 increase when using mutual TLS, which would be ~10-30% of the latency budget for most latency sensitive applications (20ms p99 is a common requirement and single digit ms latency is considered "good" in parts of the Cassandra community). + +This drawback will become less critical as technologies like eBPF [continue to propagate](https://isovalent.com/blog/post/2021-12-08-ebpf-servicemesh) and ameliorate the need for sidecars, but at the current stage the technology must be approached with some caution due to the need for packets to traverse a whole additional network stack (twice!) 
in the sidecar container.[^2] + +![service mesh performance issues](http://github.com/k8ssandra/k8ssandra-operator/docs/design-roadmap/sidecar_injection.png) + + +_Image from Isovalent's [blog](https://isovalent.com/blog/post/2021-12-08-ebpf-servicemesh)._ + +Service meshes also bring significant operational complexity (and even fragility) to Kubernetes clusters, and we would need to recommend that customers seek specialised support (outside DataStax) if they want to run one in their cluster. Anyone without a healthy fear of a service mesh hasn't run one in production. + +**No matter what option we decide on for delivering encryption functionality for the Cassandra ecosystem, we should test, benchmark and provide documentation demonstrating our compatibility with common services meshes such as Istio and Linkerd.** + + +### Improve certificate rotation in cert-manager +We could build in enhanced cert rotation functionality into cert-manager. We have already discussed a preliminary design with engineers on that project and reached a tentative agreement as to how we could proceed. + +This approach has advantages in that it connects us to a vibrant and critical part of the Kubernetes community, gives us credibility as contributors to the broader ecosystem (not just projects that we control), provides value to many projects beyond k8ssandra, and maintains the best separation of concerns (k8ssandra operator should not try to manage the world). + +Conversely, it is challenging because no team members have deep familiarity with the cert-manager code base, build tooling or feature design, development or release process. It may be slow if approvals are delayed or if there is contention about the aims of the feature or its implementation. + +We are currently reaching out to ask how best to engage the cert manager community with a view to getting a basic orientation around their codebase. 
+ +### Build a solution in cass-operator +The final (and probably the default) option is to build a solution directly in cass-operator. + +This would amount to: +1. Making cass-operator depend on cert-manager. +2. Including some new fields in the API to allow the user to configure encryption from the CR. +3. Including certificates and secrets as kinds watched by cass-operator. +4. Creating derived secrets containing the CA certs from the secrets that cert-manager creates (let's call this CompositeCertSecret).[^3] +5. Inject CompositeCertSecret into the containers, mounting it as a truststore +6. When a CA certificate is about to be rotated: + - Taking a copy of the secret corresponding to the old encryption materials (which I believe might be a child resource of the certificate, except for CA issuers which are different - see below). + - Inject both the old and new CA certs into the CompositeCertSecret we've created. + - Bounce the cluster (3.11) or call nodetool reloadssl (4.0). + - Remove the old CA from the CompositeCertSecret and mounted as a truststore. + - Bounce the cluster (3.11) or call nodetool reloadssl (4.0). + +Alexander Dejanovskihas proposed an additional item here, which is that we should allow the injection of arbitrary additional trust roots into the trust store. This doesn't immediately solve considerations around rotation. But it does provide additional operational flexibility (e.g. to allow clusters formed up of K8ssandraClusters and also traditional non-k8ssandra/non-cass-operator managed clusters) and some better options for when things go wrong. + +This probably amounts to adding an additional field into any secrets config fields which is a list - perhaps additionalCACerts is a good name. + +At rotation time, it may be worthwhile getting k8ssandra-operator to add the old cert to this list instead of just picking it up and injecting it non-transparently. 
+ +The CR would end up looking something like: + +encryptionConfiguration: + autoRotate: true + additionalCACerts: + - secret: mySecret + key: ca.crt + - secret: + +There are some questions regarding this approach: +1. How do we ensure that we capture the CA certificate just before it is about to rotate? + - Is there a status field in the cert-manager Certificate resource that we can use? + - If not, how do we trigger the rotation logic from cass-operator? + - Do we need to set up a cron job matching the expiry schedule of the certificate when it is created? +2. How do we deal with JKS formatted containers from Golang? + - There is a library available but it is GPL licensed. I have asked the author if he'd be willing to dual license it (GPL/Apache). + - Does cert-manager have some logic we could use to work with the JKS containers? +3. Commonly the user will deploy a CA type issuer and this introduces more complications: + - The CA issuer is backed by a certificate stored in a secret but which is not represented by a corresponding cert-manager `Certificate` resource. + - We will likely need to provide a way for a user to nominate both an old and a new CA cert to ensure that we can include both in the derived cert. + - We may even need to watch Issuers to ensure that we are capturing any secrets that back them. +4. I need to do some experimentation to confirm that when a CA issuer has it's secret changed that it does actually cause all certs issued to rotate automatically. +5. The automated polling the certificate hot-reloading implies might get in our way. It would be ideal to turn it off. Can we do this? +6. Even with all this work, we still only arrive at a solution where each statefulset shares one cert. + - This means nodes (at least within the same rack) can impersonate each other. + - While I (Miles) don't personally feel that this is a fatal problem, it isn't best practice either. + +* Out of scope +* Authentication. +* Authorisation. +* Encryption at rest. 
+* JMX encryption settings. +* OS level/drive encryption (LUKS et al.). + +[^1]: There are other encryption considerations (see the Out of scope section of this paper) but we will start by discussing only those dealt with in cassandra.yaml. +[^2]: We need to do a benchmarking exercise here as there are questions to ask about how fast Java's encryption performance is, and whether improvements offered by Envoy would offset the additional network stack traversal. Cassandra probably aggressively optimises here, but from my (Miles) experience, some Java encryption code can be ~10x slower than the equivalent openssl. +[^3]: This is a little more delicate than it sounds. The CA certs that we want are actually stored in the truststore or ca.crt fields of the secrets for the certs the CA has issued - while in the secret that backs the issuer I think that we'd need to look to the tls.crt. Critically, the .key files must not pass from the Issuer to any Cassandra node as this immediately gives the node the ability to issue its own trusted certs; so care is required. \ No newline at end of file 
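Review bot: Step 6 of "Build a solution in cass-operator" goes from "Inject both the old and new CA certs into the CompositeCertSecret" and a bounce or `nodetool reloadssl` straight to removing the old CA. It does not say when node certificates signed by the new CA are issued and loaded, or how the operator confirms that every node has picked up the two-CA truststore before the old CA is dropped. The problem statement itself notes that nodes presenting new materials to a ring that accepts only the old ones cannot rejoin, so I'd add an explicit reissue step between the two reloads and a per-node gate before removal. I'd also move the footnote 3 requirement, that the issuer's .key must never reach a Cassandra node, into step 4 itself, since it is the main safety constraint on the derived secret. Smaller points: the "two things are required" list is misnumbered (the lead sentence is item 1, a stray "1" precedes "[server]", and the trust store item is unnumbered); "* Out of scope" should be a heading, since footnote 1 refers to it as a section; the `encryptionConfiguration` sample is unfenced and ends with an empty `- secret:`; and there are typos ("cypher suites", "it's secret", "Dejanovskihas").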
diff --git a/docs/design-roadmap/sidecar_injection.png b/docs/design-roadmap/sidecar_injection.png new file mode 100644 index 0000000000000000000000000000000000000000..2e6902052ac205e740c2d6dc16144b82a8f9dba2 GIT binary patch literal 568923
zi!-%Y5+Q!s2LAs;i&{oKmV}HaF}8h|I>7X#8?C+x7nlp#X$FQ9D*;zks|xr+{)r~o z05mc2aq;5+TU@|H@=>emm*_brk*`U`Cvu_wz73i)%#WTm>w!#CR?hk8_ZoT=R;C8DiLMmjET%(Z2QY^fQxmUT0_Q)+dUHjqIZ z3M%h-EVlZ;&t5KVGV&#g`-D&qfLJxr++-NOo?cSf{+ddtUKRJq9h3;!N?ChdBCs$g zwuO;cu6u>F+?fAzF6Q)vhmYY!@fZ?jv?0-bccil3EHT4uVx^?2kZR2J?mO1fQ@GPA zT3+(aS;zd^+D1?q@tY-rMzq;Hm(0!?-q#x~s8D8$8#sPb_o`yBgS$MRxWtiM zPa^!)xN|T^81YniwZU(h!X4FeuctiL)-{f+*JHLWg%SNl3d3D3)|l|tHHBiI@jd0O z?jp?-CLR;A8#>u75~zc293K*aSgNxz%*qGf3!0TCx2x>;tF(8PNO_{1X|=X?+M;ydTYNf+7#}j5LJ2PnWiS{9xjwGWT~>Ca0c7%) zk;>)-e9fubaUw4C?Mx`|@BSqh-2Do<%1xiz{WQ+@?9i=d!zu#8rT{q2O_Ic^$vlTM zHISl=hjJ=g51tecHVE4Yle{_{O1RW%t9N7%5qq=@=F*O8Qt0CG4{y)&T(?W$9e+Jb z`_NBZ@2jR1m_>Vv_oS-MW$Z6gV-Ihr6T~q7%<02*9;>y_R!fAI>Hl4Md4Ik=`qC}< zoxRaN-rl-(lxS4{H;gAppa5d{u%KZfu_VZX39j5Of6evv`-ey3r0Qpl#aIVYnS=ee z)$LMzn3>P&5Eos{zsMk?rrPwVlYccAh0|=}XBSk+m6$>UC&*asr4x&1b>_}|oau}4 zod`ya>D6CHZa=GLqtIhB>Td6^!W)-bra27_7XlV3TQcLO$75FOs0X-UCBoed{7W~D z?)MwSv-7@4uaHge3#--eeCjIvh={8N#fPdi+qS<=kj^#g=}A$@7Uc*u<#q@BxhW#MGv8kKSCo9*JB~OV=0!)k@+bgx8f*}7KQ-XjFJr&u{qOZYm9tx(WCGo& zG0}`xm0gRe+Zz&6*>2p)*JUo^8+@5hHxk7RHKp-IO8fKE*q7EczzB7)y*Z`<+gb7r zUDEe%7sKqBAx2_h!WO|RXVLy0uQxmHIt+Z5tq8lVtGrevI~z7_wfYpey+IhS;XP4u zcKGd?ixecz*xUr?sEll@m#C;q>=7onytWx0eQ-KD#Jjt5L+lugoG79kMa7 zT@q&HQYiFy|G2UBC!6)JulO)Q`^IeFy$X;f$2}`t@VNfqRi1`R67^*`m&($kMkky+ zRuyu>JRNUj*0|1R3wb;`2A=QUa=nKtVfcF)6>4z&N=ESZYZq$d;9#Px-$)sx zZYz^+e!0|c)kIaShmg{_KF1aDBV);#>)zoj%Aq#W>!5ne0{*&Nawe5*@Mg+Gd5I_{ z(r9zfVeRvAcLO;g!E0VW9dX8UYbC$t3E;@Y(3AUlqV3E+94WXjQqA`2RoCE+q*>3o z&5tN$p<29r^3>p&;kjbZ$U9>rqyFGmZW$2Rmq!_Q%UNil#ZnI9?jg*mN`#?ZErS73 zp{*;KoZV8R1^RlKzpVD8dPaK6G4@A!RZa$uR&+ClHmK1J?w79zdhIHRy>b*n5b@NY z4=D3W2rHcmW;KFrZ~Yx6!sr0k_RQa4tt?}i3K>k{9a{#jS5M?chNO@F4;%EK?f2>M zILp)?W$5BR-cFtceV?uHubv`k%R)A!a-7-HYx@qmLQAzElcF5^i@)K1F<}nG~ZY@Q#@= z6j?DVrdMKr*x;liea=J>WR-Li(@zrmrr4!QICBM1>3A;%SEk1p=Va{tt9d`y-00(ru97(TM|EA1rlE=aL`?0ia@_h zV^;U43{~C(Tex=Ht&&m-w-i4z(x1q|y-~BXE9Pr(BT13-j%-P#7(T_ON|gF0@5e{# 
zW5TB=&L}0rFg!u9!S1i6T9rE7sZ8ga8-sI_p)=k!g@g8E@cSCoW6M)mxWQh!Z+DXW z_sE5`^W>Et`=WrZ8XR==4?8rN0D;%~u1o-f^tS3B9L-P??hL9+$;*c$(tjzX2jXc* zbc{~1TH8o*Eo}2%XpU)VgA?!*bw9Vd^m!^$>T@c?ymCK} z*fVw}O^LbeSzOL?y4FR`s9W?%L29$|?+M>6#|s5M%U6lW>t)+q9}RoAsmYxicU9=; zlW*O~(oQls{!<)6^yz^-tseBRAc_#x<2<)b*awU2el?l82W&cX9do)SgPB1mUJK(~)QR3*XpjqEVYK z^ulTlfI%GZGJ3s$2*;GL~eieR+ErtKg9i zp@DqX%FQWIm`EsfmLelUg#X^Eh>mb;FpEMF$bPB+e+vPiyuC;FE)>v2SHl1C_JlF7 ztB+l4VRpKIg{aAv<`@d+th7E94@Rzya93_6C(Bfpem0tLQ?@<07>j;>PR=iYLp*nU zr+_{&GEFLZ3+64tiAE)p7Ow~I=Ynedb52R*nO7FnRy5>-|8i?` zKMlLNv?Cj|nt9vzk%o6}y31YiM2ZZ-bD=9w63sE>B7t7K9{4MFq<=g_rDk*MGpM3= zIqo!y{nz~VS;o$j6OocPt1V|?q#e;_>}8oBZid5JY= zxp9vlBdmyzXQy?Quk|Qb)}2zdHY^VwURUh?@iP*B5rP-Cxknwc1P*&g$)Z~UoAV_< z+?bxX3o~k0{dw!nagS`aKJA$W2JQ3nyzAL-YhP;ksuw~Hz}z|4`-d7~DU9^LEDlYIF^1ULFQqY&eJtPBtr;FBv~oLFKt|8i=He7f+QwhlV>&X5Yw zLmyc?p{#C13`VZ&_)J-qpX4%DA(3D*dsc1dm6u?%R`I}*LdMj-5~Y$!dy11e1Y2-u z@98EcnpT;3G78^^wOR*5@bU&%gUh;Cj@l+L;9z9V#P&~ttA zv?`NkxKCI~Xk(vIG#)TqRJn?}_k`A89GflLCz%LAY7hMN{Ph?=qi)e+3c2m)4^A}YC{7NCJhttr7^~2 zfl#51H-xg?0jcFdU?2HCaJYX~i(e2430SKsvHAwdrv?@W5f*Iwk zcGdxDSLiN_j!)?x0t10R_K+|uMkO-GYkxfIA~Rz6{p!_EV`28V+^ zEj7N5?zjmEI!vt75ar}{I-d|hcvxtltMq+oY|kf{bhh?1v^JL!clQ~FNwSCetsx!U z^hgT^6i^_;17`H0Im^@0U3G`Mx^i+ft9I`6=h>-97W>L67X|GlXV(?4n)|rk%W?`w zRKGnHd;F15gu^-Ns()2)@^k=W-79520mR*5IR4vjs^o3$l$sl0)AH$r?a;nZX*}l3h|+Qv6t` zkcGspl~KdqxI3un4pHMqU`Pf`1exq;bUg?A=lDyETbgE;_8C`-a#S+fPMzH5IycA% zl&wj)d3RC?WOvdC490*fEB0l&we(rLMjBMnJ&5>G60+7S$}at*u-RBIZ}T8ohm_+a zo)gae()E}F)u|^9FH3TaHIJ$**OY`#v@>YzUxAfXCmC@x`4~#wJbhH{I_!@*1z}gy zb5W{JM`%O~N8`TRtrx&GMx^k|(QNl*oQ?zK)u(6GCm!=9W zb#KUXzKA8-J0`a*oHHaG7numXT#DAPlfX~u-rJ}SXKgcx zza<}PTy5t+3j3a6=biaQ)d#_W6+IBkK?4)3$j ze5cKN!tkK$86v+UXz>+7+s-aQhf&Z$*eMh2g*bLn%4m;K?d13w@x7x96oML5eh%E< zB0~uJZY4OUg}cNbvm zLYU?JO!l93=eX6(#-Yo;7KV}lEW#q5O0v>nt_u}rdt!fbYISfBEmj5uY#(+D?zyRE zaAjG}n@r^Dkb7P;dIA*W%Dg+5(4A&RA3f#T#YaNX)g9+%saKlK8#^0eFPAjS2Orrp zUuA9SV#zB>P|q~aTdOF`Jk=6t;cWFlChnB4_#A*}J-Hi}`chtWd;G 
zr9oEJj@FDrXYbQ~=%2brZYg#hEJh8vjJ`QGxk_%YaGD4+j7Vnlh1JRxVl02*;Fj(X zvJ8cmO%!ZyB%o?vW$Mn`RUPapbrB?XpB=|PLIp>J=&5{|Dtu?A`%0(OO|L5$FvZJm zABd=1^53M{s*-KU=8pgT^IrAZrn$#T1!XP4zk<;Jvie0Q?_kyMRA&g`Uw&G5<<8H$ z?dG=%l?$ku+`wreRR@U!nuYkoUzGM$A0~;$(tYE! z<*8Q@%_F|`bqkJ0X2w@q3_+d{{uqo5fRM@|;SS8#)vWgCIpRq)h=p8K29mPtB6##T zRX%pl1y7C!FHTU@&H|s>F`U@8$_k14{-LU%y21@yNA0PU^$c;PJ?6*R26V;NFf)FY zTbh+utMkyUyT`rsH zZ8PT}>FS7IC7=ExbS;w4k;JYYaPey^Mf131S+PhOmd$%uDv38)c&@yCIJCe{5kxSeUqs)w@Y>EQ@35#gh_iRB*{=fJk1KLraKU#viKnL1B;+y*;Az@A2sN7L?3a0LeZHhsy(eh+f z#1Fx1s(gcs#h*J8*`k-JkYV~y7Rgm9XL9ebpw6q--sJ0U8Bg0ZLD^Hc zJkHVr`*ET26NUstk|FIwKW*(P+M#wbJjQ6S_NMay-;0nD2TGxxoV?_$U}<o4_z{(v&*8Vu5$;R@WWdD)&qy#=aZI7 zU9)_?^T!|U!6=q%TIE$ntf<7#LoUde%?Xi15f1@Y{~i$-fIj&zIK7;X88@)#e_C0J}a zL#@D-7WN8VYXffDC+-}%w>9UX16uQOU69pP-jbHhgdCUw3(B%9U8i)EFW#L*wZ>Dc;OU^BQRs}m%< zkU2)v9lx$B`Z<9fN-fYGRfTuv(g20BI^qOw!^e+~Y9>}a^>o#*x3xPImk@(-8M5wx zlQ)k$mtG&?U&(SBJ3+6VR7m{cD%Xk zk+WZQjo{gXwk^SH<(jd~dCP*eTlQZMD^uNW?4e*oZ`4wm@LJ4k5CG68EFX_l)*4pT zt|3n61=a7+m;kPbI?Go+-|Q_n*Gf(jEp|(FbS8&(_9jAJB^@0hcPA(smVa|5eL7|v z-xL|sJxUf1dwf~dyozy`?!{4ZE%{_oRVNeq%6-|V6)Y_@oXhI7J*-SNGh3$gS|Ve7U!H~; zoYk(Er7q1%4|UhX-y0NIgQj7aNISrDSz7bw-Wi4jD4mT;&lE=}EgWtOpVYJ*M6J2) zSbH7M1s`DNhV(mhE%F|d{_u$tqbOYF?itc>NKzs4glA(bM)Q4gDc*hDSF-V290oAK zB}H+&%zh`yFQ@nk-A6f@T<48Bjl-Tojm;ivuvw34+TlFRdA^*;;GjKP_qnj6=RQNk zy#N9twt#!JYn!~&W!J}RTT_1Z@$ZHg)gvs_v&(|^!ukRZe*518$!$yv~RHtGYAnzu^KfTTxnI+7kbD z+Qa#_uf|G^%zz+Sa!Yq^Z3c5-MTvULLp}qEs2PihX% zUzZ}Z=l_|k42W&qTpc#!yVTVM&2ChSvIe_MhKD>F;~E+#M#3R^$a(z+EyMc#je@C| zl$m}4q882cWc)20f#TI=A+f)8kNXWE_urC(E@tl~Ow{^lOlXhIpHk0WN8279TwpPj z%im%eO464ewT{fN9gJ7>|Ik7~9)S~wo0F5{pu493H>$j?W5WbI#`@F0qx7#$STOYJ z1i_mPl>|vjCv26*fH25;NQ{`v+z6YLo7pEiFB^l$uCbMv-A$t-UV#1q8$b6vrL8lW z%3n6ze;-TK8rT9Cra6ZT3jJaoppoB=A>gb8>!h_6){=AnK)x!hQA@)}2@ z3k;7!hRe)e{p84ifX(`0u+M1^$JX)vNbwqc?}hfJNJXtR99Fa7{QbB-%YFMudp0B| z3GWw?{@2DQ27thE1~Crd7d!VyX88{(g3l*kW|(DidCvdK5T>^QIs28^IFaV>Q~f(x z{?*~1v&;T7`X2_3`wMU)GWclH-}-Zhe_vP6`Jo6FfV*7IXZT;1?DZ8FNOcI%AAJ6I 
zhWUHX|6brfTkwA))IVGBzwq<_y!z)9{4bF5uUG#7(SO08UoiL&5d8y0e^=T55yyW} zA$~*Se>9?B0P5H{}({?3|6-~jxK<@g0hjtoZJwLz(feT z0D{T|$`CjmK%G{stV1_F*^OijcRv{_-u~t;s-F1e8gQ_xX~>Rq*Q+pz46XB3U}<=Gz&ZQ*e`}(UqYUO zM-btNhkIo+h);5q|)J zc5vM+f~TqTUQPhzWHkqcv$@XXO26(o`Moi6(zM3#IGY*b$;H-Q^=htHMHUk<59fyK zb|d{Gv{!gs+rK$4Z}iQEzcOiDAN*|XEI{`04+CAraDNQgz(fJNmmDIZwYS~&28m|w z)f~PqMvtD1&K65Yo@K#D_l9a(sexfkb-lW>B!^(4&NxGj!oLrOLO8vkc znY%lzQ8QRFcP-D&AtKsBSV)LY^wZ*XyFxOp(*fn0Qfz;Q9B~8f1L179yPYip5NUD_ zZeiQrD&CWrHg@QkpJMlZ*dG^t(+Ai)FLp((=f8A{PZ^k_a_tZq2GI7pJ?Tu=kT3y{ zP%)#L_1MenllWhDk9+XviFIJRq&#k>L6q#zr0$VEOp)!O7N&UOq&vvewJoYeDf8+Jt(Ci?24;w@9gr9+K}&Q8`B9wtU2Qv|vyT z#7X97oL3+rwEr3uv^eY2B4+5@vVg~;`jPdT{r}811;`|{=UeQgJ%+pVg*cm?gg9@` zv264Nf@adVkOu0phQ3jmHaTF{&RC8+jloa8&p0J;Pz&2l=-V#z_p*QS4ut$^%DB8Q z01pgKWY`bI3%*sL$p=tLV|T21zpa|B*~uDObGyl5^%RaDC}6PZ$Gf1t8UJR!sVhXd-U4+uUu<1C zTAqEWn}Tmnzkp6GL;LTv(+R>aN9+OOlWj-6Z(!4tcBL0D0AXG7T6(K>kpWo#?)_G6 z8{qovL4JvYDWRY1daQ$OXSnLdFz51YK@`Zqa`_`8P4rpRN^`lXT?#9qnZ9K$~Wnhkgqw4)E_*zH? zwNEoNFui%^;MI)ZqM^a&@N};lY`5s#$0yp2p~=OW)gV;rVj;M`eOR_Ot!g`$vON1S zOgyDTB@h8|(=<5rBQcz5u#P1lN)}8(k-NbDc*5Vyh~iq|-u3xM{6Q&WMV*34uTx<|upNP;>*huLCF*{y4jow|@FI0foTHdle?n<+t^}c>nnsDjK zK=8k~-PP-J+7j|G7&#jkpX@JEV=UQ0G5OF?OMtO{PIohX@+9qG!-A*-eWFj5A1MsjU2jmPO!rcjbLyny9FWL>kT%igpqfB?C>g_cXJPqI!% z{%2pJF&cbJo98{W14ODeKg96qYXmI=*Gk5Zcfrz4^sI412qBl>Zub77{0&`z zKc-ql@BDg#g}XrYQLOB2Gb+utAv}7|`RfDkqZ7nDkV+afTvA!>1~e%0Ht(FX`8Lf{ zOAR?oMzOLiYd8MWh0Hm2i@z*_(D>d*iB8?2dY~- zfGk(5sTJ}|N{bgiAg3H&3(B953b>b-uSrz?$>H_7=X}(P$Gwj(bqtJo?VmCKWrF=f z+kbfIKPU8`v+@rPoy+TgFyS9e_y-d(&UKT2^n`zFRsa9NgwBWF7S^G}95eiL77Xo(7$>5ZQWH?z!Z6V@6-H64zsC* zm+{^Dfo40IuhZ@7L;0W^bE8{&VS4BG&q^|&;+~d6iT=~UFQW!%yaxfwsZD6;;6=WO zsjQdro%#XB?DP$L1^|uWn|o1LkC*>{t)6uz^uW0++y7#dtNLq=D&k z6K7Z*n6f+Jmdhno^_LEeg9*I6rXN{+;ad`oxb+N#o6B95lha^;nD4aR3g&4P@jM|d zuy2767lJKreZTA9YuMaaRqoqV$>yoVEa+jI@qj0lIiezKS8Wnd;(IKBUV%F?kN>o? 
zn;(H?Uwx(#C;N+rpENP!*s!7lKf$Fz$Xtyg7uDnAisWX`qrTbzhQ4NLIo2?(B;9gb z3o;%jHMbdpdQWY|(f5iBw8#E6^`gQ=lR9-8F;*vU+o!!t+7hd-k`rVOfpp{Nq568h@4MQ zSoNI^ed6KQ7!Dv^j6rqAajol7!c*-e9$+_J=z*~X==1($qfFHSV+-Ur%UN6)IDr57 zd~6&@#ycC5ca>`sm45k3ziRe!l(&Y^y7c z*xCocoy^P$4gin~M-(JfVP3o|p8sBy=Z zA2(M6DbE&eZfw6&Y65O2-UpJH0zZo*Hq*h#0z;GH$g~&tV!4gt5M)7$~}wJ8p|Y zmo`qGq0d6NEQXr>ly9+$+lc#MXZQ%cw>#MSnjcS&6?>n-#W}mn*264Tmc7nx)Y_v_>!HK!IsKsw)rFi%u00J_zGWpNPs{^H+Ug$m zZ`lscT(>=Noglgs0wN=zQw$2DmX1nOb#gdzxd%}9Qx=durjGaf?TCNlMGqFR;^3zN zhZoVWPv0@)=&^W;GZ$cw%V_r|iS{O4oyOb{odexhGU%6$r_F#|2?LOY4i@rcBErVx{Pc@)s9V*YdYlRVz>DxFJg{)JuMvw`|cy zs>3Whhft3l*Cup?YFk_pib%xJD)uURROe(2X``DX#6o)FrZs8 zbGaFacMJ9O_Zg%IwH)}SNuhZ@Tv(DR4+GjDKIIzZ3r1FO`+4bD&%$U+j z7X_b1{?Q1zZnz30Lr9GlwLAKN?NQJ0`JoW1agn}|0soP&pES>NdL4f5#Q*2X+qy>& zOnn|{s|g{MF|65YkCg>&CWUO9N^42(iJZ8Rv2RT|8#l?>Ha`!X&E`oaou!ix+M&hT zTj^738h08eSst|ZD=?I5`5{0Vj1X~tuDu=N)PyJ9na9|Amy|pEw$F~SX;C4_XNucu zm^e$VTKhVBFi(#%M>9C*_V-{v!w?-@PMlaxmZ3v=zSGP?%Vpq`LO0$h&dhC(I3?B9l8Z~R0MZ^5~!+{V>g3U zD;QpVRYMbt=>J7n1p+jMjeY{9NO)crO_IUjGd%+QxkkZ;sq8z-Cj z#Cxbf-vSgOYO-x1Cz2+Es+1Tl@8kbOq-hIe4yYECSxu0t4#3H2Upuwrls4|w9F1pI zXx{*mv5^!l(I@0Zul41h0N{ROZ{IMqnWc2>p&TWYSxwm4p64i@U^X-k&xEY@(F0~} zTxkl2H)e>A7(u9P5c7!z1L1sOctWsf(RsDT<<@1MOGowJC)BGMkgFCe8v_Ct7sf7toT@XJ}4b`v8X!!(LP+^U{ON0_`dXvS$I2RGGxzvDuq1-vy3~s-S!@9 zIa|&8Jx`*&v7&6|SQqE)$uf4FM6RscnTa0rBL(}75wfaf8>(sW32YZRIg6Fy0_vnE z({R_d8YY-fF%5+-JR5VPS=E}7-Oeb%u06xnCgbbwc0_1&{)7;CQUKxFj-Qbx3sRkC zL1fN7{5ps1*|b+nC4HG$5X?%rY^OO;GP=PA3Uaz$2{la_PdQbpahH0FR*%!EUW@;2U>Z}aw!d~XQ^8^|0vroM99$=jnF=VS7T1EhO(XYp=Re@VU1&p5m_%r7kX0+)sH?puenYV zSVNaTuy1^NUVX2=1Sn}SvPPZuV+@^k8?<^hid+q7Xs_WM8B}I$?o1Tmp_5M_?iSgz z96PORux%Bam31hcPK(pJl{A+nyTlx=+?j`+3~q(E-Wn1**{m?t+jvnmds0i0p6uYr ztX0fw+?AyBp>K&LY*Y)w0x7qE9!=IJsXZg5^pEj))4`%&HZ}?9?5bXM1AxRYaT+6{ z2KhD?Z;(eV7v^Y=voLjm1v0@}av+X5c(t?eLA@Ni$MJ9sm%EF$n!FMpdOJqgT`B{c zC(}i#dKY`?j>Ifh)j1J|ZY`iMiIxlHQ}$f>ecK`DiS}d8HS8u41+T9}mIZ z6V9ihQ%ZR8Vbty(i4Q{7x>DA)=(hHau1(ZeCft 
zPH@`2k(a@_)#h?JLgcFRvd-3~W=cNOg)HSq#jI;>dBO3ejcxQvxGk)LtcrpMkud^m ze&+uDW61y@0Qxc)(r=mV4}dU#p6ecBJ1BPv5F$mXZ%*5_bpZu}(QzdOKrNSz*)>ld zkIm|3!)Y_=76fo3A|aM@roXTIiCjPunRKTJKb=CH_Vw~4=wU|L&V0N<+sR&Yp>h)o z)91Sk-}9tbD};ql*Us#F4%fzN5&;nx;H7X^Od3zVfB%mEQGspkd}>AA71Ma{|5D?Cx1Z7=*r;^=B{AXhLK z%e8^@+>iZ{UL@;K8JotB^d26ssibaFw~#;31uQ_ewtOu$1QV|6qudIY z^awhoke6u{$Xxs@+O;0;*%}2LNzR8OrX)WoQsj0j9@E~BUYk^TXG0*{YVDXI?{qM? z=1-s~%vE@M+)AuWF=eX77!M#HENoEef_%R?wiAe94QbEjl>T~xiG$@Og;NinvY2hY zyRkrxn3;e-jDO323xGEle~LldCK?6!-QtfALiSVG!pe{#8W#ALo5&5YIy zXrXk?b~%Ys*U=nMA>}kT65OqCcOJTqiVCnWX)L(&0G2SdEWr6u3bJkG3N=_Gd%YKUWL374nbm zq6ONO(5jUo0;k@*Ihe;diT1-xs^hZ6xqXALaDf;j9InG|_tTFzwHQ43*}i=*mL1yO zkAF%^4uJ?5y8CRZMZyKQ-c)JSL$lQLa!145TXDxTcSsGU zkh8;)TEBv{(UHfm=vxl&k{X`Alx_-3a~X>@NqjX?ntwY3{4_f~hexc8UeB4`STUB^ zTIlRuVd?^KbFBF>yMBFR>z;8L^LsnZmk}ncS+0@$7hquVulsHg5m?N76f+k~xJT$OMHnnWJgdmd+aE5g$C0Dq3}% zAEq#_qxuc0$v6xd%NJg)Lc{h0YY$suxa^h5R5C}>&PEMNT>1w0ODWHyc;^&MU^bH- z#5^8ugy9IoVXS9?fRriZ9TPVR@+)fbkQjVRVL1KivjlUlI*Iy*lCZ3jYY zD9`r0CxgW4LW0TD3boX9KsCnV+BUn38(#O$WXYi01*%OYyV_FEqQzJ;3f;!ZODFCp zpRAY|%H3*K5HkIX@bsaOvE{8d3VwUlYtggCoL$VSeNw7~Kg?TJR$Y~Vii2ua%iLB0 z*QL8dmWGY=8>kEqztDf)X#lLWg-(cJ&@n(9Qvzz@%4PS>z z*I79CaJse`b-J=PJKQ%f4Z39l#$}B@5Zp+Om^r?~7SJ$Hp{uHxb-maJ)^4Nej!vpv z^~-bLVJfhj3+%12Fp(C`#q877s%1FcT08aS1&XDsBQoYKTt{7Q*8^p`#KC|T&!}H8 zJCkkS#qzkA+Q1aiLmYRqpd!Sg7hP)-voeRjUU`5TYPsjJo#OWco&zdv&Q~sgES@Mu zzMc58|1;f_^8tmY!J>s6p~iAmGQgccO|7p;M|e}Z$Y}v@xr$x9@W~XhfTK2{?s8S= ziuH|YyITX%vR77nr71#?*5wSR2YNM>TlbPxOE|^dT39t+Twj`a(@esS%7+ek6jmex z0tpKcNC=r_z_s>wB6`iAC-voS41z9R-Sifv2Bas37Nnp?h2C}3zXd3&3Z!FWYUzYl9-HzB!Z<9)R%gM_}ZhrerU654v6JPYO+&N z9ipP+zfF%|({K86-TAn!J4HjH?AwB=x2&1E(}5)w9;-0-=nChfO|78Fr|$EyY%