From 6eeabf95e26feff623bdd54cdba979946e7d6ee2 Mon Sep 17 00:00:00 2001
From: Kit Patella
Date: Tue, 10 Sep 2024 11:10:48 -0700
Subject: [PATCH 01/13] refactor: trim named returns in pkg #2950 (#2979)

Signed-off-by: Kit Patella
---
src/pkg/cluster/state.go | 4 +-
src/pkg/cluster/zarf.go | 11 ++--
src/pkg/interactive/components.go | 9 +++-
src/pkg/interactive/prompt.go | 15 ++++--
src/pkg/layout/component.go | 26 +++++-----
src/pkg/layout/package.go | 7 ++-
src/pkg/layout/sbom.go | 17 ++++---
src/pkg/lint/validate.go | 9 ++--
src/pkg/message/pausable.go | 2 +-
src/pkg/transform/image.go | 26 ++++++----
src/pkg/utils/bytes.go | 72 +++++++++++++++++---------
src/pkg/utils/bytes_test.go | 78 +++++++++++++++++++++++++++++
src/pkg/utils/cosign.go | 75 ++++++++++++++++-----------
src/pkg/utils/network.go | 7 +--
src/pkg/variables/variables.go | 4 +-
src/pkg/variables/variables_test.go | 2 +-
src/pkg/zoci/fetch.go | 18 +++++--
src/pkg/zoci/pull.go | 7 ++-
18 files changed, 271 insertions(+), 118 deletions(-)
create mode 100644 src/pkg/utils/bytes_test.go
diff --git a/src/pkg/cluster/state.go b/src/pkg/cluster/state.go
index 3c31ccf128..f2279b0221 100644
--- a/src/pkg/cluster/state.go
+++ b/src/pkg/cluster/state.go
@@ -193,12 +193,14 @@ func (c *Cluster) InitZarfState(ctx context.Context, initOptions types.ZarfInitO } // LoadZarfState returns the current zarf/zarf-state secret data or an empty ZarfState. -func (c *Cluster) LoadZarfState(ctx context.Context) (state *types.ZarfState, err error) { +func (c *Cluster) LoadZarfState(ctx context.Context) (*types.ZarfState, error) { stateErr := errors.New("failed to load the Zarf State from the cluster, has Zarf been initiated?") secret, err := c.Clientset.CoreV1().Secrets(ZarfNamespaceName).Get(ctx, ZarfStateSecretName, metav1.GetOptions{}) if err != nil { return nil, fmt.Errorf("%w: %w", stateErr, err) } + + state := &types.ZarfState{} err = json.Unmarshal(secret.Data[ZarfStateDataKey], &state) if err != nil { return nil, fmt.Errorf("%w: %w", stateErr, err) diff --git a/src/pkg/cluster/zarf.go b/src/pkg/cluster/zarf.go index 3557544e14..eebbd6d295 100644 --- a/src/pkg/cluster/zarf.go +++ b/src/pkg/cluster/zarf.go @@ -174,7 +174,7 @@ func (c *Cluster) RecordPackageDeploymentAndWait(ctx context.Context, pkg v1alph } // RecordPackageDeployment saves metadata about a package that has been deployed to the cluster. -func (c *Cluster) RecordPackageDeployment(ctx context.Context, pkg v1alpha1.ZarfPackage, components []types.DeployedComponent, generation int) (deployedPackage *types.DeployedPackage, err error) { +func (c *Cluster) RecordPackageDeployment(ctx context.Context, pkg v1alpha1.ZarfPackage, components []types.DeployedComponent, generation int) (*types.DeployedPackage, error) { packageName := pkg.Metadata.Name // Attempt to load information about webhooks for the package 
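Review bot: In LoadZarfState the new `state := &types.ZarfState{}` is already a pointer, so `json.Unmarshal(secret.Data[ZarfStateDataKey], &state)` hands the decoder a `**types.ZarfState`. With that shape, a secret whose payload is the JSON literal `null` decodes without error and resets `state` to nil, so the function would presumably return a nil state with a nil error. That contradicts the doc comment's "or an empty ZarfState" and exposes callers that dereference the result to a nil dereference; the agent hooks later in this series read `state.GitServer`. Passing the pointer itself, `err = json.Unmarshal(secret.Data[ZarfStateDataKey], state)`, keeps the allocated struct in place. The function's final return is outside the hunk, so the returned value is inferred.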
@@ -187,7 +187,7 @@ func (c *Cluster) RecordPackageDeployment(ctx context.Context, pkg v1alpha1.Zarf componentWebhooks = existingPackageSecret.ComponentWebhooks } - // TODO: This is done for backwards compartibility and could be removed in the future. + // TODO: This is done for backwards compatibility and could be removed in the future. connectStrings := types.ConnectStrings{} for _, comp := range components { for _, chart := range comp.InstalledCharts { @@ -197,7 +197,7 @@ func (c *Cluster) RecordPackageDeployment(ctx context.Context, pkg v1alpha1.Zarf } } - deployedPackage = &types.DeployedPackage{ + deployedPackage := &types.DeployedPackage{ Name: packageName, CLIVersion: config.CLIVersion, Data: pkg, @@ -285,12 +285,13 @@ func (c *Cluster) DisableRegHPAScaleDown(ctx context.Context) error { } // GetInstalledChartsForComponent returns any installed Helm Charts for the provided package component. -func (c *Cluster) GetInstalledChartsForComponent(ctx context.Context, packageName string, component v1alpha1.ZarfComponent) (installedCharts []types.InstalledChart, err error) { +func (c *Cluster) GetInstalledChartsForComponent(ctx context.Context, packageName string, component v1alpha1.ZarfComponent) ([]types.InstalledChart, error) { deployedPackage, err := c.GetDeployedPackage(ctx, packageName) if err != nil { - return installedCharts, err + return nil, err } + installedCharts := make([]types.InstalledChart, 0) for _, deployedComponent := range deployedPackage.DeployedComponents { if deployedComponent.Name == component.Name { installedCharts = append(installedCharts, deployedComponent.InstalledCharts...) diff --git a/src/pkg/interactive/components.go b/src/pkg/interactive/components.go index 719228cb5c..b742aeed4c 100644 --- a/src/pkg/interactive/components.go +++ b/src/pkg/interactive/components.go 
@@ -15,7 +15,7 @@ import ( ) // SelectOptionalComponent prompts to confirm optional components -func SelectOptionalComponent(component v1alpha1.ZarfComponent) (confirm bool, err error) { +func SelectOptionalComponent(component v1alpha1.ZarfComponent) (bool, error) { message.HorizontalRule() displayComponent := component @@ -30,7 +30,12 @@ func SelectOptionalComponent(component v1alpha1.ZarfComponent) (confirm bool, er Default: component.Default, } - return confirm, survey.AskOne(prompt, &confirm) + var confirm bool + err := survey.AskOne(prompt, &confirm) + if err != nil { + return false, err + } + return confirm, nil } // SelectChoiceGroup prompts to select component groups diff --git a/src/pkg/interactive/prompt.go b/src/pkg/interactive/prompt.go index 5af5f9c451..b6b6e69c94 100644 --- a/src/pkg/interactive/prompt.go +++ b/src/pkg/interactive/prompt.go @@ -19,11 +19,15 @@ func PromptSigPassword() ([]byte, error) { prompt := &survey.Password{ Message: "Private key password (empty for no password): ", } - return []byte(password), survey.AskOne(prompt, &password) + err := survey.AskOne(prompt, &password) + if err != nil { + return []byte{}, err + } + return []byte(password), nil } // PromptVariable prompts the user for a value for a variable -func PromptVariable(variable v1alpha1.InteractiveVariable) (value string, err error) { +func PromptVariable(variable v1alpha1.InteractiveVariable) (string, error) { if variable.Description != "" { message.Question(variable.Description) } @@ -33,5 +37,10 @@ func PromptVariable(variable v1alpha1.InteractiveVariable) (value string, err er Default: variable.Default, } - return value, survey.AskOne(prompt, &value) + var value string + err := survey.AskOne(prompt, &value) + if err != nil { + return "", err + } + return value, nil } diff --git a/src/pkg/layout/component.go b/src/pkg/layout/component.go index fee2d90082..c3ce6ae930 100644 --- a/src/pkg/layout/component.go +++ b/src/pkg/layout/component.go 
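Review bot: The PromptSigPassword hunk in prompt.go changes more than the return style, and nothing in the code records that. The removed `return []byte(password), survey.AskOne(prompt, &password)` read `password` in the same statement that filled it, so the order of the read and the call was not pinned down; the new code converts only after AskOne has returned. A one-line comment above the new return, for example `// convert only after AskOne has populated password`, would stop a later tidy-up from folding the two back together. On the error path `return nil, err` is the zero value for `[]byte` and reads more clearly than `[]byte{}` next to a prompt that treats an empty answer as "no password". The declaration of `password` is above the hunk.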
@@ -39,7 +39,7 @@ type Components struct { var ErrNotLoaded = fmt.Errorf("not loaded") // Archive archives a component. -func (c *Components) Archive(component v1alpha1.ZarfComponent, cleanupTemp bool) (err error) { +func (c *Components) Archive(component v1alpha1.ZarfComponent, cleanupTemp bool) error { name := component.Name if _, ok := c.Dirs[name]; !ok { return &fs.PathError{ @@ -75,7 +75,7 @@ func (c *Components) Archive(component v1alpha1.ZarfComponent, cleanupTemp bool) } // Unarchive unarchives a component. -func (c *Components) Unarchive(component v1alpha1.ZarfComponent) (err error) { +func (c *Components) Unarchive(component v1alpha1.ZarfComponent) error { name := component.Name tb, ok := c.Tarballs[name] if !ok { @@ -138,7 +138,7 @@ func (c *Components) Unarchive(component v1alpha1.ZarfComponent) (err error) { } // Create creates a new component directory structure. -func (c *Components) Create(component v1alpha1.ZarfComponent) (cp *ComponentPaths, err error) { +func (c *Components) Create(component v1alpha1.ZarfComponent) (*ComponentPaths, error) { name := component.Name _, ok := c.Tarballs[name] 
@@ -150,41 +150,41 @@ func (c *Components) Create(component v1alpha1.ZarfComponent) (cp *ComponentPath } } - if err = helpers.CreateDirectory(c.Base, helpers.ReadWriteExecuteUser); err != nil { + if err := helpers.CreateDirectory(c.Base, helpers.ReadWriteExecuteUser); err != nil { return nil, err } base := filepath.Join(c.Base, name) - if err = helpers.CreateDirectory(base, helpers.ReadWriteExecuteUser); err != nil { + if err := helpers.CreateDirectory(base, helpers.ReadWriteExecuteUser); err != nil { return nil, err } - cp = &ComponentPaths{ + cp := &ComponentPaths{ Base: base, } cp.Temp = filepath.Join(base, TempDir) - if err = helpers.CreateDirectory(cp.Temp, helpers.ReadWriteExecuteUser); err != nil { + if err := helpers.CreateDirectory(cp.Temp, helpers.ReadWriteExecuteUser); err != nil { return nil, err } if len(component.Files) > 0 { cp.Files = filepath.Join(base, FilesDir) - if err = helpers.CreateDirectory(cp.Files, helpers.ReadWriteExecuteUser); err != nil { + if err := helpers.CreateDirectory(cp.Files, helpers.ReadWriteExecuteUser); err != nil { return nil, err } } if len(component.Charts) > 0 { cp.Charts = filepath.Join(base, ChartsDir) - if err = helpers.CreateDirectory(cp.Charts, helpers.ReadWriteExecuteUser); err != nil { + if err := helpers.CreateDirectory(cp.Charts, helpers.ReadWriteExecuteUser); err != nil { return nil, err } for _, chart := range component.Charts { cp.Values = filepath.Join(base, ValuesDir) if len(chart.ValuesFiles) > 0 { - if err = helpers.CreateDirectory(cp.Values, helpers.ReadWriteExecuteUser); err != nil { + if err := helpers.CreateDirectory(cp.Values, helpers.ReadWriteExecuteUser); err != nil { return nil, err } break 
@@ -194,21 +194,21 @@ func (c *Components) Create(component v1alpha1.ZarfComponent) (cp *ComponentPath if len(component.Repos) > 0 { cp.Repos = filepath.Join(base, ReposDir) - if err = helpers.CreateDirectory(cp.Repos, helpers.ReadWriteExecuteUser); err != nil { + if err := helpers.CreateDirectory(cp.Repos, helpers.ReadWriteExecuteUser); err != nil { return nil, err } } if len(component.Manifests) > 0 { cp.Manifests = filepath.Join(base, ManifestsDir) - if err = helpers.CreateDirectory(cp.Manifests, helpers.ReadWriteExecuteUser); err != nil { + if err := helpers.CreateDirectory(cp.Manifests, helpers.ReadWriteExecuteUser); err != nil { return nil, err } } if len(component.DataInjections) > 0 { cp.DataInjections = filepath.Join(base, DataInjectionsDir) - if err = helpers.CreateDirectory(cp.DataInjections, helpers.ReadWriteExecuteUser); err != nil { + if err := helpers.CreateDirectory(cp.DataInjections, helpers.ReadWriteExecuteUser); err != nil { return nil, err } } diff --git a/src/pkg/layout/package.go b/src/pkg/layout/package.go index a38ec599a1..532f46653d 100644 --- a/src/pkg/layout/package.go +++ b/src/pkg/layout/package.go @@ -52,11 +52,14 @@ func New(baseDir string) *PackagePaths { // ReadZarfYAML reads a zarf.yaml file into memory, // checks if it's using the legacy layout, and migrates deprecated component configs. -func (pp *PackagePaths) ReadZarfYAML() (pkg v1alpha1.ZarfPackage, warnings []string, err error) { +func (pp *PackagePaths) ReadZarfYAML() (v1alpha1.ZarfPackage, []string, error) { + var pkg v1alpha1.ZarfPackage + if err := utils.ReadYaml(pp.ZarfYAML, &pkg); err != nil { return v1alpha1.ZarfPackage{}, nil, fmt.Errorf("unable to read zarf.yaml: %w", err) } + warnings := make([]string, 0) if pp.IsLegacyLayout() { warnings = append(warnings, "Detected deprecated package layout, migrating to new layout - support for this package will be dropped in v1.0.0") } 
@@ -74,7 +77,7 @@ func (pp *PackagePaths) ReadZarfYAML() (pkg v1alpha1.ZarfPackage, warnings []str } // MigrateLegacy migrates a legacy package layout to the new layout. -func (pp *PackagePaths) MigrateLegacy() (err error) { +func (pp *PackagePaths) MigrateLegacy() error { var pkg v1alpha1.ZarfPackage base := pp.Base diff --git a/src/pkg/layout/sbom.go b/src/pkg/layout/sbom.go index 7ac39c02a7..fcfb300be6 100644 --- a/src/pkg/layout/sbom.go +++ b/src/pkg/layout/sbom.go @@ -26,7 +26,7 @@ type SBOMs struct { } // Unarchive unarchives the package's SBOMs. -func (s *SBOMs) Unarchive() (err error) { +func (s *SBOMs) Unarchive() error { if s.Path == "" || helpers.InvalidPath(s.Path) { return &fs.PathError{ Op: "stat", @@ -47,7 +47,7 @@ func (s *SBOMs) Unarchive() (err error) { } // Archive archives the package's SBOMs. -func (s *SBOMs) Archive() (err error) { +func (s *SBOMs) Archive() error { if s.Path == "" || helpers.InvalidPath(s.Path) { return &fs.PathError{ Op: "stat", 
@@ -68,18 +68,23 @@ func (s *SBOMs) Archive() (err error) { return os.RemoveAll(dir) } -// StageSBOMViewFiles copies SBOM viewer HTML files to the Zarf SBOM directory. -func (s *SBOMs) StageSBOMViewFiles() (sbomViewFiles, warnings []string, err error) { +// StageSBOMViewFiles copies SBOM viewer HTML files to the Zarf SBOM directory. Returns sbomViewFiles, warnings, and an +// error. +func (s *SBOMs) StageSBOMViewFiles() ([]string, []string, error) { + sbomViewFiles := make([]string, 0) + warnings := make([]string, 0) + if s.IsTarball() { return nil, nil, fmt.Errorf("unable to process the SBOM files for this package: %s is a tarball", s.Path) } // If SBOMs were loaded, temporarily place them in the deploy directory if !helpers.InvalidPath(s.Path) { - sbomViewFiles, err = filepath.Glob(filepath.Join(s.Path, "sbom-viewer-*")) + files, err := filepath.Glob(filepath.Join(s.Path, "sbom-viewer-*")) if err != nil { return nil, nil, err } + sbomViewFiles = files if _, err := s.OutputSBOMFiles(SBOMDir, ""); err != nil { // Don't stop the deployment, let the user decide if they want to continue the deployment @@ -107,6 +112,6 @@ func (s *SBOMs) OutputSBOMFiles(outputDir, packageName string) (string, error) { } // IsTarball returns true if the SBOMs are a tarball. -func (s SBOMs) IsTarball() bool { +func (s *SBOMs) IsTarball() bool { return !helpers.IsDir(s.Path) && filepath.Ext(s.Path) == ".tar" } diff --git a/src/pkg/lint/validate.go b/src/pkg/lint/validate.go index 2de0ba8e91..0083c8a6b7 100644 --- a/src/pkg/lint/validate.go +++ b/src/pkg/lint/validate.go 
@@ -234,7 +234,7 @@ func validateAction(action v1alpha1.ZarfComponentAction) error { // validateReleaseName validates a release name against DNS 1035 spec, using chartName as fallback. // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#rfc-1035-label-names -func validateReleaseName(chartName, releaseName string) (err error) { +func validateReleaseName(chartName, releaseName string) error { // Fallback to chartName if releaseName is empty // NOTE: Similar fallback mechanism happens in src/internal/packager/helm/chart.go:InstallOrUpgradeChart if releaseName == "" { @@ -243,16 +243,15 @@ func validateReleaseName(chartName, releaseName string) (err error) { // Check if the final releaseName is empty and return an error if so if releaseName == "" { - err = errors.New(errChartReleaseNameEmpty) - return + return errors.New(errChartReleaseNameEmpty) } // Validate the releaseName against DNS 1035 label spec if errs := validation.IsDNS1035Label(releaseName); len(errs) > 0 { - err = fmt.Errorf("invalid release name '%s': %s", releaseName, strings.Join(errs, "; ")) + return fmt.Errorf("invalid release name '%s': %s", releaseName, strings.Join(errs, "; ")) } - return + return nil } // validateChart runs all validation checks on a chart. diff --git a/src/pkg/message/pausable.go b/src/pkg/message/pausable.go index b9e8fae1c7..3a61f3cb59 100644 --- a/src/pkg/message/pausable.go +++ b/src/pkg/message/pausable.go @@ -29,6 +29,6 @@ func (pw *PausableWriter) Resume() { } // Write writes the data to the underlying output writer -func (pw *PausableWriter) Write(p []byte) (n int, err error) { +func (pw *PausableWriter) Write(p []byte) (int, error) { return pw.out.Write(p) } diff --git a/src/pkg/transform/image.go b/src/pkg/transform/image.go index ca6fcdc820..c12bb1d232 100644 --- a/src/pkg/transform/image.go +++ b/src/pkg/transform/image.go 
@@ -62,32 +62,36 @@ func ImageTransformHostWithoutChecksum(targetHost, srcReference string) (string, } // ParseImageRef parses a source reference into an Image struct -func ParseImageRef(srcReference string) (out Image, err error) { +func ParseImageRef(srcReference string) (Image, error) { srcReference = strings.TrimPrefix(srcReference, helpers.OCIURLPrefix) ref, err := reference.ParseAnyReference(srcReference) if err != nil { - return out, err + return Image{}, err } // Parse the reference into its components - if named, ok := ref.(reference.Named); ok { - out.Name = named.Name() - out.Path = reference.Path(named) - out.Host = reference.Domain(named) - out.Reference = ref.String() - } else { - return out, fmt.Errorf("unable to parse image name from %s", srcReference) + named, ok := ref.(reference.Named) + if !ok { + return Image{}, fmt.Errorf("unable to parse image name from %s", srcReference) } + out := Image{ + Name: named.Name(), + Path: reference.Path(named), + Host: reference.Domain(named), + Reference: ref.String(), + } + + // TODO(mkcp): This rewriting tag and digest code could probably be consolidated with types // Parse the tag and add it to digestOrReference - if tagged, ok := ref.(reference.Tagged); ok { + if tagged, tagOK := ref.(reference.Tagged); tagOK { out.Tag = tagged.Tag() out.TagOrDigest = fmt.Sprintf(":%s", tagged.Tag()) } // Parse the digest and override digestOrReference - if digested, ok := ref.(reference.Digested); ok { + if digested, digOK := ref.(reference.Digested); digOK { out.Digest = digested.Digest().String() out.TagOrDigest = fmt.Sprintf("@%s", digested.Digest().String()) } diff --git a/src/pkg/utils/bytes.go b/src/pkg/utils/bytes.go index 7dd159b91f..22b3322614 100644 --- a/src/pkg/utils/bytes.go +++ b/src/pkg/utils/bytes.go 
@@ -16,45 +16,69 @@ import ( "github.com/zarf-dev/zarf/src/pkg/message" ) +type unit struct { + name string + size float64 +} + +var ( + gigabyte = unit{ + name: "GB", + size: 1000000000, + } + megabyte = unit{ + name: "MB", + size: 1000000, + } + kilobyte = unit{ + name: "KB", + size: 1000, + } + unitByte = unit{ + name: "Byte", + } +) + // RoundUp rounds a float64 to the given number of decimal places. -func RoundUp(input float64, places int) (newVal float64) { - var round float64 +func RoundUp(input float64, places int) float64 { pow := math.Pow(10, float64(places)) digit := pow * input - round = math.Ceil(digit) - newVal = round / pow - return + round := math.Ceil(digit) + return round / pow } -// ByteFormat formats a number of bytes into a human readable string. -func ByteFormat(inputNum float64, precision int) string { +// ByteFormat formats a number of bytes into a human-readable string. +func ByteFormat(in float64, precision int) string { if precision <= 0 { precision = 1 } - var unit string - var returnVal float64 + var v float64 + var u string // https://www.techtarget.com/searchstorage/definition/mebibyte-MiB - if inputNum >= 1000000000 { - returnVal = RoundUp(inputNum/1000000000, precision) - unit = " GB" // gigabyte - } else if inputNum >= 1000000 { - returnVal = RoundUp(inputNum/1000000, precision) - unit = " MB" // megabyte - } else if inputNum >= 1000 { - returnVal = RoundUp(inputNum/1000, precision) - unit = " KB" // kilobyte - } else { - returnVal = inputNum - unit = " Byte" // byte + switch { + case gigabyte.size <= in: + v = RoundUp(in/gigabyte.size, precision) + u = gigabyte.name + case megabyte.size <= in: + v = RoundUp(in/megabyte.size, precision) + u = megabyte.name + case kilobyte.size <= in: + v = RoundUp(in/kilobyte.size, precision) + u = kilobyte.name + default: + v = in + u = unitByte.name } - if returnVal > 1 { - unit += "s" + // NOTE(mkcp): Negative bytes are nonsense, but it's more robust for inputs without erroring. 
+ if v < -1 || 1 < v { + u += "s" } - return strconv.FormatFloat(returnVal, 'f', precision, 64) + unit + vFmt := strconv.FormatFloat(v, 'f', precision, 64) + return vFmt + " " + u } // RenderProgressBarForLocalDirWrite creates a progress bar that continuously tracks the progress of writing files to a local directory and all of its subdirectories. diff --git a/src/pkg/utils/bytes_test.go b/src/pkg/utils/bytes_test.go new file mode 100644 index 0000000000..492048f788 --- /dev/null +++ b/src/pkg/utils/bytes_test.go 
@@ -0,0 +1,78 @@ +// SPDX-License-Identifier: Apache-2.0 +// SPDX-FileCopyrightText: 2021-Present The Zarf Authors + +// Package utils provides generic utility functions. +package utils + +import ( + "testing" + + "github.com/stretchr/testify/require" +) + +func TestByteFormat(t *testing.T) { + t.Parallel() + tt := []struct { + name string + in float64 + precision int + expect string + }{ + { + name: "accepts empty", + expect: "0.0 Byte", + }, + { + name: "accepts empty bytes with precision", + precision: 1, + expect: "0.0 Byte", + }, + { + name: "accepts empty bytes with meaningful precision", + precision: 3, + expect: "0.000 Byte", + }, + { + name: "formats negative byte with empty precision", + in: -1, + expect: "-1.0 Byte", + }, + { + name: "formats negative bytes with empty precision", + in: -2, + expect: "-2.0 Bytes", + }, + { + name: "formats kilobyte", + in: 1000, + expect: "1.0 KB", + }, + { + name: "formats kilobytes", + in: 1100, + expect: "1.1 KBs", + }, + { + name: "formats megabytes", + in: 10000000, + expect: "10.0 MBs", + }, + { + name: "formats gigabytes", + in: 100000000000, + expect: "100.0 GBs", + }, + { + name: "formats arbitrary in", + in: 4238970784923, + precision: 99, + expect: "4238.970784922999882837757468223571777343750000000000000000000000000000000000000000000000000000000000000 GBs", + }, + } + for _, tc := range tt { + t.Run(tc.name, func(t *testing.T) { + actual := ByteFormat(tc.in, tc.precision) + require.Equal(t, tc.expect, actual) + }) + } +} diff --git a/src/pkg/utils/cosign.go b/src/pkg/utils/cosign.go index 21bfc282bd..f81183741a 100644 --- a/src/pkg/utils/cosign.go +++ b/src/pkg/utils/cosign.go 
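Review bot: The table in TestByteFormat has no case just below a unit boundary, which is where ByteFormat's rounding is most surprising. Because RoundUp uses `math.Ceil` after the unit has been chosen, an input such as 999999 with precision 1 stays in the kilobyte branch and would come out as `1000.0 KBs` rather than `1.0 MB`. I would add a case like `{name: "rounds up at unit boundary", in: 999999, precision: 1, expect: ...}` with whichever result is intended, so the behaviour is pinned down either way. The `precision: 99` case asserts the exact float64 digit expansion and could be reduced to a small precision without losing coverage.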
@@ -33,6 +33,12 @@ import ( "github.com/zarf-dev/zarf/src/pkg/message" ) +const ( + cosignB64Enabled = true + cosignOutputCertificate = "" + cosignTLogUpload = false +) + // Sget performs a cosign signature verification on a given image using the specified public key. // // Forked from https://github.com/sigstore/cosign/blob/v1.7.1/pkg/sget/sget.go @@ -171,7 +177,7 @@ func Sget(ctx context.Context, image, key string, out io.Writer) error { } // CosignVerifyBlob verifies the zarf.yaml.sig was signed with the key provided by the flag -func CosignVerifyBlob(ctx context.Context, blobRef string, sigRef string, keyPath string) error { +func CosignVerifyBlob(ctx context.Context, blobRef, sigRef, keyPath string) error { keyOptions := options.KeyOpts{KeyRef: keyPath} cmd := &verify.VerifyBlobCmd{ KeyOpts: keyOptions, 
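Review bot: The new `cosignTLogUpload = false` constant fixes a trust decision without saying why, as does the `IgnoreTlog: true` field in CosignVerifyBlob further down this file. As written, signing does not upload to a transparency log and verification ignores it, so the key pair is the only evidence of provenance. A reader cannot tell whether that is deliberate (for example, for offline use) or an oversight. I would document the block, e.g. `// Transparency-log upload is disabled; verification relies on the key alone (see IgnoreTlog in CosignVerifyBlob).`, and give `cosignB64Enabled` and `cosignOutputCertificate` a short comment each as well.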
@@ -181,74 +187,83 @@ func CosignVerifyBlob(ctx context.Context, blobRef string, sigRef string, keyPat IgnoreTlog: true, } err := cmd.Exec(ctx, blobRef) - if err == nil { - message.Successf("Package signature validated!") + if err != nil { + return err } - return err + message.Successf("Package signature validated!") + return nil } // CosignSignBlob signs the provide binary and returns the signature -func CosignSignBlob(blobPath string, outputSigPath string, keyPath string, passwordFunc func(bool) ([]byte, error)) ([]byte, error) { - rootOptions := &options.RootOptions{Verbose: false, Timeout: options.DefaultTimeout} +func CosignSignBlob(blobPath, outputSigPath, keyPath string, passFn cosign.PassFunc) ([]byte, error) { + rootOptions := &options.RootOptions{ + Verbose: false, + Timeout: options.DefaultTimeout, + } - keyOptions := options.KeyOpts{KeyRef: keyPath, - PassFunc: passwordFunc} - b64 := true - outputCertificate := "" - tlogUpload := false + keyOptions := options.KeyOpts{ + KeyRef: keyPath, + PassFunc: passFn, + } - sig, err := sign.SignBlobCmd(rootOptions, + sig, err := sign.SignBlobCmd( + rootOptions, keyOptions, blobPath, - b64, + cosignB64Enabled, outputSigPath, - outputCertificate, - tlogUpload) + cosignOutputCertificate, + cosignTLogUpload) + if err != nil { + return []byte{}, err + } - return sig, err + return sig, nil } // GetCosignArtifacts returns signatures and attestations for the given image -func GetCosignArtifacts(image string) (cosignList []string, err error) { - var cosignArtifactList []string +func GetCosignArtifacts(image string) ([]string, error) { var nameOpts []name.Option - ref, err := name.ParseReference(image, nameOpts...) + ref, err := name.ParseReference(image, nameOpts...) if err != nil { - return cosignArtifactList, err + return []string{}, err } var remoteOpts []ociremote.Option simg, _ := ociremote.SignedEntity(ref, remoteOpts...) 
if simg == nil { - return cosignArtifactList, nil + return []string{}, nil } + // Errors are dogsled because these functions always return a name.Tag which we can check for layers sigRef, _ := ociremote.SignatureTag(ref, remoteOpts...) attRef, _ := ociremote.AttestationTag(ref, remoteOpts...) - sigs, err := simg.Signatures() + ss, err := simg.Signatures() if err != nil { - return cosignArtifactList, err + return []string{}, err } - layers, err := sigs.Layers() + ssLayers, err := ss.Layers() if err != nil { - return cosignArtifactList, err + return []string{}, err } - if len(layers) > 0 { + + var cosignArtifactList = make([]string, 0) + if 0 < len(ssLayers) { cosignArtifactList = append(cosignArtifactList, sigRef.String()) } atts, err := simg.Attestations() if err != nil { - return cosignArtifactList, err + return []string{}, err } - layers, err = atts.Layers() + aLayers, err := atts.Layers() if err != nil { - return cosignArtifactList, err + return []string{}, err } - if len(layers) > 0 { + if 0 < len(aLayers) { cosignArtifactList = append(cosignArtifactList, attRef.String()) } return cosignArtifactList, nil diff --git a/src/pkg/utils/network.go b/src/pkg/utils/network.go index be0b80a2ed..ffe5490600 100644 --- a/src/pkg/utils/network.go +++ b/src/pkg/utils/network.go @@ -39,7 +39,7 @@ func parseChecksum(src string) (string, string, error) { } // DownloadToFile downloads a given URL to the target filepath (including the cosign key if necessary). -func DownloadToFile(ctx context.Context, src string, dst string, cosignKeyPath string) (err error) { +func DownloadToFile(ctx context.Context, src, dst, cosignKeyPath string) error { // check if the parsed URL has a checksum // if so, remove it and use the checksum to validate the file src, checksum, err := parseChecksum(src) 
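Review bot: In GetCosignArtifacts the error from `ociremote.SignedEntity(ref, remoteOpts...)` is still discarded, and a nil `simg` returns an empty list with a nil error. The new comment explains why the `SignatureTag` and `AttestationTag` errors are dropped, but this one is different. As far as the hunk shows, a registry or authentication failure is indistinguishable from an image that has no signatures, so the caller would carry on without the signature and attestation artifacts and without any warning. Consider `simg, err := ociremote.SignedEntity(ref, remoteOpts...)` followed by `if err != nil { return nil, err }`, treating only a genuine not-found result as "no artifacts". If the lenient behaviour is intended, say so in a comment next to the `_`.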
@@ -69,9 +69,6 @@ func DownloadToFile(ctx context.Context, src string, dst string, cosignKeyPath s if err != nil { return fmt.Errorf("unable to download file with sget: %s: %w", src, err) } - if err != nil { - return err - } } else { err = httpGetFile(src, file) if err != nil { @@ -80,7 +77,7 @@ func DownloadToFile(ctx context.Context, src string, dst string, cosignKeyPath s } // If the file has a checksum, validate it - if len(checksum) > 0 { + if 0 < len(checksum) { received, err := helpers.GetSHA256OfFile(dst) if err != nil { return err diff --git a/src/pkg/variables/variables.go b/src/pkg/variables/variables.go index 929cb13182..353040eab4 100644 --- a/src/pkg/variables/variables.go +++ b/src/pkg/variables/variables.go @@ -15,8 +15,8 @@ import ( type SetVariableMap map[string]*v1alpha1.SetVariable // GetSetVariable gets a variable set within a VariableConfig by its name -func (vc *VariableConfig) GetSetVariable(name string) (variable *v1alpha1.SetVariable, ok bool) { - variable, ok = vc.setVariableMap[name] +func (vc *VariableConfig) GetSetVariable(name string) (*v1alpha1.SetVariable, bool) { + variable, ok := vc.setVariableMap[name] return variable, ok } diff --git a/src/pkg/variables/variables_test.go b/src/pkg/variables/variables_test.go index 07442e97f5..f0aeea78c5 100644 --- a/src/pkg/variables/variables_test.go +++ b/src/pkg/variables/variables_test.go @@ -20,7 +20,7 @@ func TestPopulateVariables(t *testing.T) { wantVars SetVariableMap } - prompt := func(_ v1alpha1.InteractiveVariable) (value string, err error) { return "Prompt", nil } + prompt := func(_ v1alpha1.InteractiveVariable) (string, error) { return "Prompt", nil } tests := []test{ { diff --git a/src/pkg/zoci/fetch.go b/src/pkg/zoci/fetch.go index 923e3d7c24..ca46d8e996 100644 --- a/src/pkg/zoci/fetch.go +++ b/src/pkg/zoci/fetch.go 
@@ -14,19 +14,27 @@ import ( ) // FetchZarfYAML fetches the zarf.yaml file from the remote repository. -func (r *Remote) FetchZarfYAML(ctx context.Context) (pkg v1alpha1.ZarfPackage, err error) { +func (r *Remote) FetchZarfYAML(ctx context.Context) (v1alpha1.ZarfPackage, error) { manifest, err := r.FetchRoot(ctx) if err != nil { - return pkg, err + return v1alpha1.ZarfPackage{}, err } - return oci.FetchYAMLFile[v1alpha1.ZarfPackage](ctx, r.FetchLayer, manifest, layout.ZarfYAML) + result, err := oci.FetchYAMLFile[v1alpha1.ZarfPackage](ctx, r.FetchLayer, manifest, layout.ZarfYAML) + if err != nil { + return v1alpha1.ZarfPackage{}, err + } + return result, nil } // FetchImagesIndex fetches the images/index.json file from the remote repository. -func (r *Remote) FetchImagesIndex(ctx context.Context) (index *ocispec.Index, err error) { +func (r *Remote) FetchImagesIndex(ctx context.Context) (*ocispec.Index, error) { manifest, err := r.FetchRoot(ctx) if err != nil { return nil, err } - return oci.FetchJSONFile[*ocispec.Index](ctx, r.FetchLayer, manifest, layout.IndexPath) + result, err := oci.FetchJSONFile[*ocispec.Index](ctx, r.FetchLayer, manifest, layout.IndexPath) + if err != nil { + return nil, err + } + return result, nil } diff --git a/src/pkg/zoci/pull.go b/src/pkg/zoci/pull.go index 9fd76e9ccc..44c16b5646 100644 --- a/src/pkg/zoci/pull.go +++ b/src/pkg/zoci/pull.go 
@@ -76,7 +76,9 @@ func (r *Remote) PullPackage(ctx context.Context, destinationDir string, concurr // LayersFromRequestedComponents returns the descriptors for the given components from the root manifest. // // It also retrieves the descriptors for all image layers that are required by the components. -func (r *Remote) LayersFromRequestedComponents(ctx context.Context, requestedComponents []v1alpha1.ZarfComponent) (layers []ocispec.Descriptor, err error) { +func (r *Remote) LayersFromRequestedComponents(ctx context.Context, requestedComponents []v1alpha1.ZarfComponent) ([]ocispec.Descriptor, error) { + layers := make([]ocispec.Descriptor, 0) + root, err := r.FetchRoot(ctx) if err != nil { return nil, err @@ -98,7 +100,8 @@ func (r *Remote) LayersFromRequestedComponents(ctx context.Context, requestedCom for _, image := range component.Images { images[image] = true } - layers = append(layers, root.Locate(filepath.Join(layout.ComponentsDir, fmt.Sprintf(tarballFormat, component.Name)))) + desc := root.Locate(filepath.Join(layout.ComponentsDir, fmt.Sprintf(tarballFormat, component.Name))) + layers = append(layers, desc) } // Append the sboms.tar layer if it exists // From cf4e9891d531b792849394f80830363411242fd9 Mon Sep 17 00:00:00 2001 From: Kit Patella Date: Tue, 10 Sep 2024 17:38:01 -0700 Subject: [PATCH 02/13] chore: finish removing named returns outside of package and extensions #2950 (#2987) Signed-off-by: Kit Patella --- src/internal/agent/hooks/argocd-application.go | 5 ++--- src/internal/agent/hooks/argocd-repository.go | 2 +- src/internal/agent/hooks/flux-gitrepo.go | 2 +- src/test/e2e/28_wait_test.go | 3 ++- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/src/internal/agent/hooks/argocd-application.go b/src/internal/agent/hooks/argocd-application.go index b234f29e84..e7351c89fd 100644 --- a/src/internal/agent/hooks/argocd-application.go +++ b/src/internal/agent/hooks/argocd-application.go 
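Review bot: In LayersFromRequestedComponents, `desc := root.Locate(...)` is appended to `layers` without checking that anything was found. If Locate returns a zero-value descriptor for a path that is not in the manifest (the hunk does not show its contract), a requested component with no tarball in the remote package becomes an empty entry in the returned list, and the failure surfaces later and further from its cause. Now that the result has a name, a guard on `desc.Digest == ""` before the append would make the case explicit, either skipping the entry or returning an error depending on whether a component without a tarball is legal. The loop and the rest of the function continue outside the hunk.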
@@ -59,7 +59,7 @@ func NewApplicationMutationHook(ctx context.Context, cluster *cluster.Cluster) o } // mutateApplication mutates the git repository url to point to the repository URL defined in the ZarfState. -func mutateApplication(ctx context.Context, r *v1.AdmissionRequest, cluster *cluster.Cluster) (result *operations.Result, err error) { +func mutateApplication(ctx context.Context, r *v1.AdmissionRequest, cluster *cluster.Cluster) (*operations.Result, error) { state, err := cluster.LoadZarfState(ctx) if err != nil { return nil, err @@ -72,8 +72,7 @@ func mutateApplication(ctx context.Context, r *v1.AdmissionRequest, cluster *clu return nil, fmt.Errorf(lang.ErrUnmarshal, err) } - patches := []operations.PatchOperation{} - + patches := make([]operations.PatchOperation, 0) if app.Spec.Source != nil { patchedURL, err := getPatchedRepoURL(app.Spec.Source.RepoURL, state.GitServer, r) if err != nil { diff --git a/src/internal/agent/hooks/argocd-repository.go b/src/internal/agent/hooks/argocd-repository.go index 1875772d05..cf2e9d895e 100644 --- a/src/internal/agent/hooks/argocd-repository.go +++ b/src/internal/agent/hooks/argocd-repository.go @@ -47,7 +47,7 @@ func NewRepositorySecretMutationHook(ctx context.Context, cluster *cluster.Clust } // mutateRepositorySecret mutates the git URL in the ArgoCD repository secret to point to the repository URL defined in the ZarfState. -func mutateRepositorySecret(ctx context.Context, r *v1.AdmissionRequest, cluster *cluster.Cluster) (result *operations.Result, err error) { +func mutateRepositorySecret(ctx context.Context, r *v1.AdmissionRequest, cluster *cluster.Cluster) (*operations.Result, error) { isCreate := r.Operation == v1.Create isUpdate := r.Operation == v1.Update var isPatched bool diff --git a/src/internal/agent/hooks/flux-gitrepo.go b/src/internal/agent/hooks/flux-gitrepo.go index 2fda2969bb..77447b7c34 100644 --- a/src/internal/agent/hooks/flux-gitrepo.go +++ b/src/internal/agent/hooks/flux-gitrepo.go 
@@ -37,7 +37,7 @@ func NewGitRepositoryMutationHook(ctx context.Context, cluster *cluster.Cluster) } // mutateGitRepoCreate mutates the git repository url to point to the repository URL defined in the ZarfState. -func mutateGitRepo(ctx context.Context, r *v1.AdmissionRequest, cluster *cluster.Cluster) (result *operations.Result, err error) { +func mutateGitRepo(ctx context.Context, r *v1.AdmissionRequest, cluster *cluster.Cluster) (*operations.Result, error) { var ( patches []operations.PatchOperation isPatched bool diff --git a/src/test/e2e/28_wait_test.go b/src/test/e2e/28_wait_test.go index e150d163fd..e67b60d178 100644 --- a/src/test/e2e/28_wait_test.go +++ b/src/test/e2e/28_wait_test.go @@ -20,7 +20,8 @@ type zarfCommandResult struct { err error } -func zarfCommandWStruct(t *testing.T, e2e test.ZarfE2ETest, path string) (result zarfCommandResult) { +func zarfCommandWStruct(t *testing.T, e2e test.ZarfE2ETest, path string) zarfCommandResult { + result := zarfCommandResult{} result.stdOut, result.stdErr, result.err = e2e.Zarf(t, "package", "deploy", path, "--confirm") return result } From e72a2736bf475d0d3879133ea653326e747f74d2 Mon Sep 17 00:00:00 2001 From: Kit Patella Date: Wed, 11 Sep 2024 15:14:48 -0700 Subject: [PATCH 03/13] chore: ensure we return zeroed value when returning errors (#2988) Signed-off-by: Kit Patella --- src/cmd/tools/helm/load_plugins.go | 7 +++++-- src/pkg/cluster/pvc.go | 2 ++ src/pkg/cluster/tunnel.go | 7 ++++--- src/pkg/cluster/zarf.go | 11 +++++++++-- src/pkg/transform/artifact.go | 10 +++++----- src/pkg/utils/io.go | 9 ++++++--- src/pkg/utils/yaml.go | 6 +++--- src/pkg/zoci/pull.go | 5 ++++- 8 files changed, 38 insertions(+), 19 deletions(-) diff --git a/src/cmd/tools/helm/load_plugins.go b/src/cmd/tools/helm/load_plugins.go index 28ea155030..df8b7cad67 100644 --- a/src/cmd/tools/helm/load_plugins.go +++ b/src/cmd/tools/helm/load_plugins.go 
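Review bot: The doc comment above the edited signature in flux-gitrepo.go names `mutateGitRepoCreate`, but the function is `mutateGitRepo`, so godoc and linters that expect the comment to start with the identifier will not match it. Since this hunk already touches the line directly below, the comment can be corrected to `// mutateGitRepo mutates the git repository url to point to the repository URL defined in the ZarfState.` The function body continues outside the hunk.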
@@ -318,11 +318,14 @@ func loadFile(path string) (*pluginCommand, error) { cmds := new(pluginCommand) b, err := os.ReadFile(path) if err != nil { - return cmds, fmt.Errorf("file (%s) not provided by plugin. No plugin auto-completion possible", path) + return nil, fmt.Errorf("file (%s) not provided by plugin. No plugin auto-completion possible", path) } err = yaml.Unmarshal(b, cmds) - return cmds, err + if err != nil { + return nil, err + } + return cmds, nil } // pluginDynamicComp call the plugin.complete script of the plugin (if available) diff --git a/src/pkg/cluster/pvc.go b/src/pkg/cluster/pvc.go index 21a0a45ecf..6bef179623 100644 --- a/src/pkg/cluster/pvc.go +++ b/src/pkg/cluster/pvc.go @@ -10,6 +10,8 @@ import ( ) // UpdateGiteaPVC updates the existing Gitea persistent volume claim and tells Gitea whether to create or not. +// TODO(mkcp): We return both string true/false and errors here so our callers get a string. This should be returning an +// empty val if we error, but we'll have to refactor upstream beforehand. func (c *Cluster) UpdateGiteaPVC(ctx context.Context, pvcName string, shouldRollBack bool) (string, error) { if shouldRollBack { pvc, err := c.Clientset.CoreV1().PersistentVolumeClaims(ZarfNamespaceName).Get(ctx, pvcName, metav1.GetOptions{}) diff --git a/src/pkg/cluster/tunnel.go b/src/pkg/cluster/tunnel.go index 764ae9a6eb..9798fd3272 100644 --- a/src/pkg/cluster/tunnel.go +++ b/src/pkg/cluster/tunnel.go @@ -83,7 +83,6 @@ func (c *Cluster) ListConnections(ctx context.Context) (types.ConnectStrings, er // NewTargetTunnelInfo returns a new TunnelInfo object for the specified target. func (c *Cluster) NewTargetTunnelInfo(ctx context.Context, target string) (TunnelInfo, error) { - var err error zt := TunnelInfo{ Namespace: ZarfNamespaceName, ResourceType: SvcResource, 
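Review bot: loadFile still drops the error from `os.ReadFile`, so a permission or I/O failure is reported as "not provided by plugin" with no way to tell the cases apart. Wrapping the cause keeps the existing message and the chain: `return nil, fmt.Errorf("file (%s) not provided by plugin. No plugin auto-completion possible: %w", path, err)`. The new `yaml.Unmarshal` branch returns the bare error without the file name; `return nil, fmt.Errorf("parsing plugin completion file %s: %w", path, err)` would tell the reader which file was malformed.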
@@ -102,9 +101,11 @@ func (c *Cluster) NewTargetTunnelInfo(ctx context.Context, target string) (Tunne zt.RemotePort = ZarfInjectorPort default: if target != "" { - if zt, err = c.checkForZarfConnectLabel(ctx, target); err != nil { + ztNew, err := c.checkForZarfConnectLabel(ctx, target) + if err != nil { return TunnelInfo{}, fmt.Errorf("problem looking for a zarf connect label in the cluster: %s", err.Error()) } + zt = ztNew } if zt.ResourceName == "" { return TunnelInfo{}, fmt.Errorf("missing resource name") @@ -113,7 +114,7 @@ func (c *Cluster) NewTargetTunnelInfo(ctx context.Context, target string) (Tunne return TunnelInfo{}, fmt.Errorf("missing remote port") } } - return zt, err + return zt, nil } // Connect will establish a tunnel to the specified target. diff --git a/src/pkg/cluster/zarf.go b/src/pkg/cluster/zarf.go index eebbd6d295..b38b55d783 100644 --- a/src/pkg/cluster/zarf.go +++ b/src/pkg/cluster/zarf.go @@ -52,7 +52,11 @@ func (c *Cluster) GetDeployedZarfPackages(ctx context.Context) ([]types.Deployed deployedPackages = append(deployedPackages, deployedPackage) } - return deployedPackages, errors.Join(errs...) + err = errors.Join(errs...) + if err != nil { + return nil, err + } + return deployedPackages, nil } // GetDeployedPackage gets the metadata information about the package name provided (if it exists in the cluster). @@ -325,7 +329,10 @@ func (c *Cluster) UpdateInternalArtifactServerToken(ctx context.Context, oldGitS } return nil }) - return newToken, err + if err != nil { + return "", err + } + return newToken, nil } // UpdateInternalGitServerSecret updates the internal gitea server secrets with the new git server info diff --git a/src/pkg/transform/artifact.go b/src/pkg/transform/artifact.go index 0aed7a46ea..2c78dac233 100644 --- a/src/pkg/transform/artifact.go +++ b/src/pkg/transform/artifact.go 
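Review bot: In NewTargetTunnelInfo the error from `checkForZarfConnectLabel` is flattened with `%s` and `err.Error()`, so callers cannot use `errors.Is` or `errors.As` on the underlying cause. The hunk already rewrites this branch, so the wrap could be fixed at the same time: `return TunnelInfo{}, fmt.Errorf("problem looking for a zarf connect label in the cluster: %w", err)`. The function starts outside this hunk.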
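Review bot: GetDeployedZarfPackages now discards every successfully decoded package as soon as one entry fails, because a non-nil `errors.Join(errs...)` leads to `return nil, err`. Before this change the partial list was returned together with the joined error, and the loop that collects `errs` (outside the hunk) appears built to continue past bad entries. A single malformed entry would then hide all deployed packages from callers. Whether any caller relied on the partial result is not visible here. If dropping the partial list is intended, the doc comment should say so, for example `// On error the returned slice is nil, even if some packages were read successfully.`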
@@ -87,16 +87,16 @@ func GenTransformURL(targetBaseURL string, sourceURL string) (*url.URL, error) { // Rebuild the generic URL transformedURL := fmt.Sprintf("%s/generic/%s/%s/%s", targetBaseURL, packageNameGlobal, version, fileName) - url, err := url.Parse(transformedURL) + parsedURL, err := url.Parse(transformedURL) if err != nil { - return url, err + return &url.URL{}, err } // Drop the RawQuery and Fragment to avoid them being interpreted for generic packages - url.RawQuery = "" - url.Fragment = "" + parsedURL.RawQuery = "" + parsedURL.Fragment = "" - return url, err + return parsedURL, nil } // transformRegistryPath transforms a given request path using a new base URL and regex. diff --git a/src/pkg/utils/io.go b/src/pkg/utils/io.go index 7edee56422..f4ec9b07ab 100755 --- a/src/pkg/utils/io.go +++ b/src/pkg/utils/io.go @@ -40,7 +40,10 @@ func GetFinalExecutablePath() (string, error) { // In case the binary is symlinked somewhere else, get the final destination linkedPath, err := filepath.EvalSymlinks(binaryPath) - return linkedPath, err + if err != nil { + return "", err + } + return linkedPath, nil } // GetFinalExecutableCommand returns the final path to the Zarf executable including and library prefixes and overrides. @@ -48,7 +51,7 @@ func GetFinalExecutableCommand() (string, error) { // In case the binary is symlinked somewhere else, get the final destination zarfCommand, err := GetFinalExecutablePath() if err != nil { - return zarfCommand, err + return "", err } if config.ActionsCommandZarfPrefix != "" { @@ -60,5 +63,5 @@ func GetFinalExecutableCommand() (string, error) { zarfCommand = "zarf" } - return zarfCommand, err + return zarfCommand, nil } diff --git a/src/pkg/utils/yaml.go b/src/pkg/utils/yaml.go index f3fdaa53b7..641c219977 100644 --- a/src/pkg/utils/yaml.go +++ b/src/pkg/utils/yaml.go 
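Review bot: On a `url.Parse` failure GenTransformURL now returns `&url.URL{}`, a non-nil pointer to an empty URL, which is not the zero value for `*url.URL`. A caller that checks the pointer rather than the error would go on to use an empty URL. `return nil, err` matches the other error returns in this commit. The rename to `parsedURL` is what makes `url.URL` resolvable at this point, so it should stay. The function starts outside the hunk.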
@@ -192,12 +192,12 @@ func SplitYAML(yamlData []byte) ([]*unstructured.Unstructured, error) { var objs []*unstructured.Unstructured ymls, err := SplitYAMLToString(yamlData) if err != nil { - return nil, err + return []*unstructured.Unstructured{}, err } for _, yml := range ymls { u := &unstructured.Unstructured{} if err := k8syaml.Unmarshal([]byte(yml), u); err != nil { - return objs, fmt.Errorf("failed to unmarshal manifest: %w", err) + return []*unstructured.Unstructured{}, fmt.Errorf("failed to unmarshal manifest: %w", err) } objs = append(objs, u) } @@ -220,7 +220,7 @@ func SplitYAMLToString(yamlData []byte) ([]string, error) { if errors.Is(err, io.EOF) { break } - return objs, fmt.Errorf("failed to unmarshal manifest: %w", err) + return []string{}, fmt.Errorf("failed to unmarshal manifest: %w", err) } ext.Raw = bytes.TrimSpace(ext.Raw) if len(ext.Raw) == 0 || bytes.Equal(ext.Raw, []byte("null")) { diff --git a/src/pkg/zoci/pull.go b/src/pkg/zoci/pull.go index 44c16b5646..d8ba73775e 100644 --- a/src/pkg/zoci/pull.go +++ b/src/pkg/zoci/pull.go @@ -70,7 +70,10 @@ func (r *Remote) PullPackage(ctx context.Context, destinationDir string, concurr err = r.CopyToTarget(ctx, layersToPull, dst, copyOpts) doneSaving <- err <-doneSaving - return layersToPull, err + if err != nil { + return nil, err + } + return layersToPull, nil } // LayersFromRequestedComponents returns the descriptors for the given components from the root manifest. From acf3ff157a00f0ab944eb4abd816025d25596b88 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 12 Sep 2024 08:33:26 -0600 Subject: [PATCH 04/13] chore(deps): bump actions/create-github-app-token from 1.10.4 to 1.11.0 (#2991) Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
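Review bot: SplitYAML's error paths now return `[]*unstructured.Unstructured{}` where the first one previously returned `nil`, and SplitYAMLToString in the next hunk returns `[]string{}`. The zero value of a slice is `nil`, so these allocate a value the caller should ignore and differ from the `return nil, err` form used in the other files of this commit. Suggested: `return nil, err` and `return nil, fmt.Errorf("failed to unmarshal manifest: %w", err)` in both functions. SplitYAMLToString starts outside its hunk.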
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 8d08047ec3..e2194a24f9 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -179,7 +179,7 @@ jobs: - name: Get Brew tap repo token id: brew-tap-token - uses: actions/create-github-app-token@3378cda945da322a8db4b193e19d46352ebe2de5 # v1.10.4 + uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0 with: app-id: ${{ secrets.HOMEBREW_TAP_WORKFLOW_GITHUB_APP_ID }} private-key: ${{ secrets.HOMEBREW_TAP_WORKFLOW_GITHUB_APP_SECRET }} From 90a433186a306791998a0b1ff795608386bdde05 Mon Sep 17 00:00:00 2001 From: Joonas Bergius Date: Fri, 13 Sep 2024 14:44:06 -0500 Subject: [PATCH 05/13] refactor: break --insecure into separate flags (#2936) 
Signed-off-by: Joonas Bergius Co-authored-by: Austin Abro <37223396+AustinAbro321@users.noreply.github.com> --- site/src/content/docs/commands/zarf.md | 19 ++++----- .../content/docs/commands/zarf_completion.md | 17 ++++---- .../docs/commands/zarf_completion_bash.md | 17 ++++---- .../docs/commands/zarf_completion_fish.md | 17 ++++---- .../commands/zarf_completion_powershell.md | 17 ++++---- .../docs/commands/zarf_completion_zsh.md | 17 ++++---- .../src/content/docs/commands/zarf_connect.md | 17 ++++---- .../docs/commands/zarf_connect_list.md | 17 ++++---- .../src/content/docs/commands/zarf_destroy.md | 17 ++++---- site/src/content/docs/commands/zarf_dev.md | 17 ++++---- .../content/docs/commands/zarf_dev_deploy.md | 17 ++++---- .../docs/commands/zarf_dev_find-images.md | 17 ++++---- .../docs/commands/zarf_dev_generate-config.md | 17 ++++---- .../docs/commands/zarf_dev_generate.md | 17 ++++---- .../content/docs/commands/zarf_dev_lint.md | 17 ++++---- .../docs/commands/zarf_dev_patch-git.md | 17 ++++---- .../docs/commands/zarf_dev_sha256sum.md | 17 ++++---- site/src/content/docs/commands/zarf_init.md | 18 +++++---- .../src/content/docs/commands/zarf_package.md | 17 ++++---- .../docs/commands/zarf_package_create.md | 19 ++++----- .../docs/commands/zarf_package_deploy.md | 40 ++++++++++--------- .../docs/commands/zarf_package_inspect.md | 30 +++++++------- .../docs/commands/zarf_package_list.md | 21 +++++----- .../commands/zarf_package_mirror-resources.md | 22 +++++----- .../docs/commands/zarf_package_publish.md | 28 +++++++------ .../docs/commands/zarf_package_pull.md | 21 +++++----- .../docs/commands/zarf_package_remove.md | 28 +++++++------ site/src/content/docs/commands/zarf_tools.md | 17 ++++---- .../docs/commands/zarf_tools_archiver.md | 17 ++++---- .../commands/zarf_tools_archiver_compress.md | 17 ++++---- .../zarf_tools_archiver_decompress.md | 17 ++++---- .../commands/zarf_tools_archiver_version.md | 17 ++++---- .../docs/commands/zarf_tools_clear-cache.md | 15 
+++---- .../docs/commands/zarf_tools_download-init.md | 17 ++++---- .../docs/commands/zarf_tools_gen-key.md | 17 ++++---- .../docs/commands/zarf_tools_gen-pki.md | 17 ++++---- .../docs/commands/zarf_tools_get-creds.md | 17 ++++---- .../content/docs/commands/zarf_tools_helm.md | 7 ++++ .../commands/zarf_tools_helm_dependency.md | 2 + .../zarf_tools_helm_dependency_build.md | 2 + .../zarf_tools_helm_dependency_list.md | 2 + .../zarf_tools_helm_dependency_update.md | 2 + .../docs/commands/zarf_tools_helm_repo.md | 2 + .../docs/commands/zarf_tools_helm_repo_add.md | 1 + .../commands/zarf_tools_helm_repo_index.md | 2 + .../commands/zarf_tools_helm_repo_list.md | 2 + .../commands/zarf_tools_helm_repo_remove.md | 2 + .../commands/zarf_tools_helm_repo_update.md | 2 + .../docs/commands/zarf_tools_helm_version.md | 2 + .../docs/commands/zarf_tools_kubectl.md | 7 ++++ .../docs/commands/zarf_tools_monitor.md | 6 +++ .../docs/commands/zarf_tools_registry.md | 7 ++++ .../commands/zarf_tools_registry_catalog.md | 2 + .../docs/commands/zarf_tools_registry_copy.md | 2 + .../commands/zarf_tools_registry_delete.md | 2 + .../commands/zarf_tools_registry_digest.md | 2 + .../commands/zarf_tools_registry_login.md | 2 + .../docs/commands/zarf_tools_registry_ls.md | 2 + .../commands/zarf_tools_registry_prune.md | 2 + .../docs/commands/zarf_tools_registry_pull.md | 2 + .../docs/commands/zarf_tools_registry_push.md | 2 + .../commands/zarf_tools_registry_version.md | 2 + .../content/docs/commands/zarf_tools_sbom.md | 7 ++++ .../docs/commands/zarf_tools_sbom_attest.md | 8 ++-- .../docs/commands/zarf_tools_sbom_convert.md | 8 ++-- .../docs/commands/zarf_tools_sbom_login.md | 8 ++-- .../docs/commands/zarf_tools_sbom_scan.md | 8 ++-- .../docs/commands/zarf_tools_sbom_version.md | 8 ++-- .../docs/commands/zarf_tools_update-creds.md | 17 ++++---- .../docs/commands/zarf_tools_wait-for.md | 7 ++++ .../content/docs/commands/zarf_tools_yq.md | 7 ++++ .../docs/commands/zarf_tools_yq_completion.md | 2 + 
.../docs/commands/zarf_tools_yq_eval-all.md | 2 + .../docs/commands/zarf_tools_yq_eval.md | 2 + .../src/content/docs/commands/zarf_version.md | 17 ++++---- .../docs/tutorials/6-publish-and-deploy.mdx | 2 +- src/cmd/common/viper.go | 18 +++++---- src/cmd/initialize.go | 1 + src/cmd/package.go | 35 ++++++++++++++++ src/cmd/root.go | 9 +++++ src/config/lang/english.go | 29 ++++++++------ src/internal/packager/helm/chart.go | 2 +- src/internal/packager/helm/repo.go | 2 +- src/internal/packager/images/common.go | 6 +-- src/pkg/packager/creator/normal.go | 15 ++++--- src/pkg/packager/sources/new_test.go | 2 +- src/pkg/packager/sources/oci.go | 18 +++++---- src/pkg/packager/sources/tarball.go | 18 +++++---- src/pkg/packager/sources/url.go | 4 +- src/pkg/packager/sources/validate.go | 8 +--- src/pkg/zoci/common.go | 4 +- src/test/e2e/11_oci_pull_inspect_test.go | 4 +- src/test/e2e/14_oci_compose_test.go | 24 +++++------ src/test/e2e/29_config_file_test.go | 3 +- .../e2e/31_checksum_and_signature_test.go | 2 +- src/test/e2e/34_custom_init_package_test.go | 2 +- src/test/e2e/50_oci_publish_deploy_test.go | 20 +++++----- src/types/runtime.go | 6 +++ 98 files changed, 659 insertions(+), 447 deletions(-) diff --git a/site/src/content/docs/commands/zarf.md b/site/src/content/docs/commands/zarf.md index a72d554da9..0ed3312946 100644 --- a/site/src/content/docs/commands/zarf.md +++ b/site/src/content/docs/commands/zarf.md 
@@ -22,15 +22,16 @@ zarf COMMAND [flags] ### Options ``` - -a, --architecture string Architecture for OCI images and Zarf packages - -h, --help help for zarf - --insecure Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture. - -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") - --no-color Disable colors in output - --no-log-file Disable log file creation - --no-progress Disable fancy UI progress bars, spinners, logos, etc - --tmpdir string Specify the temporary directory to use for intermediate files - --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") + -a, --architecture string Architecture for OCI images and Zarf packages + -h, --help help for zarf + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") + --no-color Disable colors in output + --no-log-file Disable log file creation + --no-progress Disable fancy UI progress bars, spinners, logos, etc + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. + --tmpdir string Specify the temporary directory to use for intermediate files + --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") ``` ### SEE ALSO diff --git a/site/src/content/docs/commands/zarf_completion.md b/site/src/content/docs/commands/zarf_completion.md index 151c7d9198..99a58b833a 100644 --- a/site/src/content/docs/commands/zarf_completion.md 
+++ b/site/src/content/docs/commands/zarf_completion.md @@ -25,14 +25,15 @@ See each sub-command's help for details on how to use the generated script. ### Options inherited from parent commands ``` - -a, --architecture string Architecture for OCI images and Zarf packages - --insecure Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture. - -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") - --no-color Disable colors in output - --no-log-file Disable log file creation - --no-progress Disable fancy UI progress bars, spinners, logos, etc - --tmpdir string Specify the temporary directory to use for intermediate files - --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") + -a, --architecture string Architecture for OCI images and Zarf packages + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") + --no-color Disable colors in output + --no-log-file Disable log file creation + --no-progress Disable fancy UI progress bars, spinners, logos, etc + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. + --tmpdir string Specify the temporary directory to use for intermediate files + --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") ``` ### SEE ALSO 
diff --git a/site/src/content/docs/commands/zarf_completion_bash.md b/site/src/content/docs/commands/zarf_completion_bash.md index dce8642c87..349bbf7e0a 100644 --- a/site/src/content/docs/commands/zarf_completion_bash.md +++ b/site/src/content/docs/commands/zarf_completion_bash.md 
@@ -48,14 +48,15 @@ zarf completion bash ### Options inherited from parent commands ``` - -a, --architecture string Architecture for OCI images and Zarf packages - --insecure Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture. - -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") - --no-color Disable colors in output - --no-log-file Disable log file creation - --no-progress Disable fancy UI progress bars, spinners, logos, etc - --tmpdir string Specify the temporary directory to use for intermediate files - --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") + -a, --architecture string Architecture for OCI images and Zarf packages + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") + --no-color Disable colors in output + --no-log-file Disable log file creation + --no-progress Disable fancy UI progress bars, spinners, logos, etc + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. + --tmpdir string Specify the temporary directory to use for intermediate files + --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") ``` ### SEE ALSO diff --git a/site/src/content/docs/commands/zarf_completion_fish.md b/site/src/content/docs/commands/zarf_completion_fish.md index f8cb9f27ed..de3f70b160 100644 --- a/site/src/content/docs/commands/zarf_completion_fish.md 
+++ b/site/src/content/docs/commands/zarf_completion_fish.md @@ -39,14 +39,15 @@ zarf completion fish [flags] ### Options inherited from parent commands ``` - -a, --architecture string Architecture for OCI images and Zarf packages - --insecure Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture. - -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") - --no-color Disable colors in output - --no-log-file Disable log file creation - --no-progress Disable fancy UI progress bars, spinners, logos, etc - --tmpdir string Specify the temporary directory to use for intermediate files - --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") + -a, --architecture string Architecture for OCI images and Zarf packages + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") + --no-color Disable colors in output + --no-log-file Disable log file creation + --no-progress Disable fancy UI progress bars, spinners, logos, etc + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. + --tmpdir string Specify the temporary directory to use for intermediate files + --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") ``` ### SEE ALSO diff --git a/site/src/content/docs/commands/zarf_completion_powershell.md b/site/src/content/docs/commands/zarf_completion_powershell.md index 26ed47298c..53add1dc9a 100644 
--- a/site/src/content/docs/commands/zarf_completion_powershell.md +++ b/site/src/content/docs/commands/zarf_completion_powershell.md @@ -36,14 +36,15 @@ zarf completion powershell [flags] ### Options inherited from parent commands ``` - -a, --architecture string Architecture for OCI images and Zarf packages - --insecure Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture. - -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") - --no-color Disable colors in output - --no-log-file Disable log file creation - --no-progress Disable fancy UI progress bars, spinners, logos, etc - --tmpdir string Specify the temporary directory to use for intermediate files - --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") + -a, --architecture string Architecture for OCI images and Zarf packages + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") + --no-color Disable colors in output + --no-log-file Disable log file creation + --no-progress Disable fancy UI progress bars, spinners, logos, etc + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. + --tmpdir string Specify the temporary directory to use for intermediate files + --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") ``` ### SEE ALSO 
diff --git a/site/src/content/docs/commands/zarf_completion_zsh.md b/site/src/content/docs/commands/zarf_completion_zsh.md index 9b6af13363..94bdf43f4d 100644 --- a/site/src/content/docs/commands/zarf_completion_zsh.md +++ b/site/src/content/docs/commands/zarf_completion_zsh.md 
@@ -50,14 +50,15 @@ zarf completion zsh [flags] ### Options inherited from parent commands ``` - -a, --architecture string Architecture for OCI images and Zarf packages - --insecure Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture. - -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") - --no-color Disable colors in output - --no-log-file Disable log file creation - --no-progress Disable fancy UI progress bars, spinners, logos, etc - --tmpdir string Specify the temporary directory to use for intermediate files - --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") + -a, --architecture string Architecture for OCI images and Zarf packages + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") + --no-color Disable colors in output + --no-log-file Disable log file creation + --no-progress Disable fancy UI progress bars, spinners, logos, etc + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. + --tmpdir string Specify the temporary directory to use for intermediate files + --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") ``` ### SEE ALSO diff --git a/site/src/content/docs/commands/zarf_connect.md b/site/src/content/docs/commands/zarf_connect.md index f0eb9b84ce..1b504873ab 100644 --- a/site/src/content/docs/commands/zarf_connect.md +++ b/site/src/content/docs/commands/zarf_connect.md 
@@ -39,14 +39,15 @@ zarf connect { REGISTRY | GIT | connect-name } [flags] ### Options inherited from parent commands ``` - -a, --architecture string Architecture for OCI images and Zarf packages - --insecure Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture. - -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") - --no-color Disable colors in output - --no-log-file Disable log file creation - --no-progress Disable fancy UI progress bars, spinners, logos, etc - --tmpdir string Specify the temporary directory to use for intermediate files - --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") + -a, --architecture string Architecture for OCI images and Zarf packages + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") + --no-color Disable colors in output + --no-log-file Disable log file creation + --no-progress Disable fancy UI progress bars, spinners, logos, etc + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. + --tmpdir string Specify the temporary directory to use for intermediate files + --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") ``` ### SEE ALSO diff --git a/site/src/content/docs/commands/zarf_connect_list.md b/site/src/content/docs/commands/zarf_connect_list.md index 5767cf2176..8829b812e0 100644 --- a/site/src/content/docs/commands/zarf_connect_list.md 
+++ b/site/src/content/docs/commands/zarf_connect_list.md @@ -23,14 +23,15 @@ zarf connect list [flags] ### Options inherited from parent commands ``` - -a, --architecture string Architecture for OCI images and Zarf packages - --insecure Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture. - -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") - --no-color Disable colors in output - --no-log-file Disable log file creation - --no-progress Disable fancy UI progress bars, spinners, logos, etc - --tmpdir string Specify the temporary directory to use for intermediate files - --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") + -a, --architecture string Architecture for OCI images and Zarf packages + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") + --no-color Disable colors in output + --no-log-file Disable log file creation + --no-progress Disable fancy UI progress bars, spinners, logos, etc + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. + --tmpdir string Specify the temporary directory to use for intermediate files + --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") ``` ### SEE ALSO diff --git a/site/src/content/docs/commands/zarf_destroy.md b/site/src/content/docs/commands/zarf_destroy.md index 1e61fb0d70..64608f4e58 100644 --- a/site/src/content/docs/commands/zarf_destroy.md 
+++ b/site/src/content/docs/commands/zarf_destroy.md @@ -35,14 +35,15 @@ zarf destroy --confirm [flags] ### Options inherited from parent commands ``` - -a, --architecture string Architecture for OCI images and Zarf packages - --insecure Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture. - -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") - --no-color Disable colors in output - --no-log-file Disable log file creation - --no-progress Disable fancy UI progress bars, spinners, logos, etc - --tmpdir string Specify the temporary directory to use for intermediate files - --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") + -a, --architecture string Architecture for OCI images and Zarf packages + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") + --no-color Disable colors in output + --no-log-file Disable log file creation + --no-progress Disable fancy UI progress bars, spinners, logos, etc + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. + --tmpdir string Specify the temporary directory to use for intermediate files + --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") ``` ### SEE ALSO diff --git a/site/src/content/docs/commands/zarf_dev.md b/site/src/content/docs/commands/zarf_dev.md index a12090183d..0dd4d1e4f1 100644 --- a/site/src/content/docs/commands/zarf_dev.md 
+++ b/site/src/content/docs/commands/zarf_dev.md @@ -19,14 +19,15 @@ Commands useful for developing packages ### Options inherited from parent commands ``` - -a, --architecture string Architecture for OCI images and Zarf packages - --insecure Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture. - -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") - --no-color Disable colors in output - --no-log-file Disable log file creation - --no-progress Disable fancy UI progress bars, spinners, logos, etc - --tmpdir string Specify the temporary directory to use for intermediate files - --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") + -a, --architecture string Architecture for OCI images and Zarf packages + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") + --no-color Disable colors in output + --no-log-file Disable log file creation + --no-progress Disable fancy UI progress bars, spinners, logos, etc + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. + --tmpdir string Specify the temporary directory to use for intermediate files + --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") ``` ### SEE ALSO diff --git a/site/src/content/docs/commands/zarf_dev_deploy.md b/site/src/content/docs/commands/zarf_dev_deploy.md index 41ee7f0b85..7b7131af51 100644 
--- a/site/src/content/docs/commands/zarf_dev_deploy.md +++ b/site/src/content/docs/commands/zarf_dev_deploy.md @@ -37,14 +37,15 @@ zarf dev deploy [flags] ### Options inherited from parent commands ``` - -a, --architecture string Architecture for OCI images and Zarf packages - --insecure Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture. - -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") - --no-color Disable colors in output - --no-log-file Disable log file creation - --no-progress Disable fancy UI progress bars, spinners, logos, etc - --tmpdir string Specify the temporary directory to use for intermediate files - --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") + -a, --architecture string Architecture for OCI images and Zarf packages + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") + --no-color Disable colors in output + --no-log-file Disable log file creation + --no-progress Disable fancy UI progress bars, spinners, logos, etc + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. + --tmpdir string Specify the temporary directory to use for intermediate files + --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") ``` ### SEE ALSO 
diff --git a/site/src/content/docs/commands/zarf_dev_find-images.md b/site/src/content/docs/commands/zarf_dev_find-images.md
index d1dcf31ea0..a5f94578ee 100644
--- a/site/src/content/docs/commands/zarf_dev_find-images.md
+++ b/site/src/content/docs/commands/zarf_dev_find-images.md
@@ -37,14 +37,15 @@ zarf dev find-images [ PACKAGE ] [flags] ### Options inherited from parent commands ``` - -a, --architecture string Architecture for OCI images and Zarf packages - --insecure Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture. - -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") - --no-color Disable colors in output - --no-log-file Disable log file creation - --no-progress Disable fancy UI progress bars, spinners, logos, etc - --tmpdir string Specify the temporary directory to use for intermediate files - --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") + -a, --architecture string Architecture for OCI images and Zarf packages + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") + --no-color Disable colors in output + --no-log-file Disable log file creation + --no-progress Disable fancy UI progress bars, spinners, logos, etc + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. + --tmpdir string Specify the temporary directory to use for intermediate files + --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") ``` ### SEE ALSO diff --git a/site/src/content/docs/commands/zarf_dev_generate-config.md b/site/src/content/docs/commands/zarf_dev_generate-config.md index 9610b0e593..cb5040f133 100644 --- a/site/src/content/docs/commands/zarf_dev_generate-config.md 
+++ b/site/src/content/docs/commands/zarf_dev_generate-config.md @@ -32,14 +32,15 @@ zarf dev generate-config [ FILENAME ] [flags] ### Options inherited from parent commands ``` - -a, --architecture string Architecture for OCI images and Zarf packages - --insecure Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture. - -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") - --no-color Disable colors in output - --no-log-file Disable log file creation - --no-progress Disable fancy UI progress bars, spinners, logos, etc - --tmpdir string Specify the temporary directory to use for intermediate files - --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") + -a, --architecture string Architecture for OCI images and Zarf packages + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") + --no-color Disable colors in output + --no-log-file Disable log file creation + --no-progress Disable fancy UI progress bars, spinners, logos, etc + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. + --tmpdir string Specify the temporary directory to use for intermediate files + --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") ``` ### SEE ALSO diff --git a/site/src/content/docs/commands/zarf_dev_generate.md b/site/src/content/docs/commands/zarf_dev_generate.md index c311b0973f..58ffc1102f 100644 
--- a/site/src/content/docs/commands/zarf_dev_generate.md +++ b/site/src/content/docs/commands/zarf_dev_generate.md @@ -34,14 +34,15 @@ zarf dev generate podinfo --url https://github.com/stefanprodan/podinfo.git --ve ### Options inherited from parent commands ``` - -a, --architecture string Architecture for OCI images and Zarf packages - --insecure Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture. - -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") - --no-color Disable colors in output - --no-log-file Disable log file creation - --no-progress Disable fancy UI progress bars, spinners, logos, etc - --tmpdir string Specify the temporary directory to use for intermediate files - --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") + -a, --architecture string Architecture for OCI images and Zarf packages + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") + --no-color Disable colors in output + --no-log-file Disable log file creation + --no-progress Disable fancy UI progress bars, spinners, logos, etc + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. + --tmpdir string Specify the temporary directory to use for intermediate files + --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") ``` ### SEE ALSO 
diff --git a/site/src/content/docs/commands/zarf_dev_lint.md b/site/src/content/docs/commands/zarf_dev_lint.md
index 91d446cbc3..57827ee0ed 100644
--- a/site/src/content/docs/commands/zarf_dev_lint.md
+++ b/site/src/content/docs/commands/zarf_dev_lint.md
@@ -29,14 +29,15 @@ zarf dev lint [ DIRECTORY ] [flags] ### Options inherited from parent commands ``` - -a, --architecture string Architecture for OCI images and Zarf packages - --insecure Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture. - -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") - --no-color Disable colors in output - --no-log-file Disable log file creation - --no-progress Disable fancy UI progress bars, spinners, logos, etc - --tmpdir string Specify the temporary directory to use for intermediate files - --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") + -a, --architecture string Architecture for OCI images and Zarf packages + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") + --no-color Disable colors in output + --no-log-file Disable log file creation + --no-progress Disable fancy UI progress bars, spinners, logos, etc + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. + --tmpdir string Specify the temporary directory to use for intermediate files + --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") ``` ### SEE ALSO diff --git a/site/src/content/docs/commands/zarf_dev_patch-git.md b/site/src/content/docs/commands/zarf_dev_patch-git.md index bbb3933f39..4a3b2553d0 100644 --- a/site/src/content/docs/commands/zarf_dev_patch-git.md 
+++ b/site/src/content/docs/commands/zarf_dev_patch-git.md @@ -25,14 +25,15 @@ zarf dev patch-git HOST FILE [flags] ### Options inherited from parent commands ``` - -a, --architecture string Architecture for OCI images and Zarf packages - --insecure Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture. - -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") - --no-color Disable colors in output - --no-log-file Disable log file creation - --no-progress Disable fancy UI progress bars, spinners, logos, etc - --tmpdir string Specify the temporary directory to use for intermediate files - --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") + -a, --architecture string Architecture for OCI images and Zarf packages + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") + --no-color Disable colors in output + --no-log-file Disable log file creation + --no-progress Disable fancy UI progress bars, spinners, logos, etc + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. + --tmpdir string Specify the temporary directory to use for intermediate files + --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") ``` ### SEE ALSO diff --git a/site/src/content/docs/commands/zarf_dev_sha256sum.md b/site/src/content/docs/commands/zarf_dev_sha256sum.md index 6c910106b4..91419a9665 100644 
--- a/site/src/content/docs/commands/zarf_dev_sha256sum.md +++ b/site/src/content/docs/commands/zarf_dev_sha256sum.md @@ -24,14 +24,15 @@ zarf dev sha256sum { FILE | URL } [flags] ### Options inherited from parent commands ``` - -a, --architecture string Architecture for OCI images and Zarf packages - --insecure Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture. - -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") - --no-color Disable colors in output - --no-log-file Disable log file creation - --no-progress Disable fancy UI progress bars, spinners, logos, etc - --tmpdir string Specify the temporary directory to use for intermediate files - --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") + -a, --architecture string Architecture for OCI images and Zarf packages + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") + --no-color Disable colors in output + --no-log-file Disable log file creation + --no-progress Disable fancy UI progress bars, spinners, logos, etc + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. + --tmpdir string Specify the temporary directory to use for intermediate files + --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") ``` ### SEE ALSO 
diff --git a/site/src/content/docs/commands/zarf_init.md b/site/src/content/docs/commands/zarf_init.md index 5702caa72b..21758f634c 100644 --- a/site/src/content/docs/commands/zarf_init.md +++ b/site/src/content/docs/commands/zarf_init.md @@ -76,6 +76,7 @@ $ zarf init --artifact-push-password={PASSWORD} --artifact-push-username={USERNA --registry-url string External registry url address to use for this Zarf cluster --retries int Number of retries to perform for Zarf deploy operations like git/image pushes or Helm installs (default 3) --set stringToString Specify deployment variables to set on the command line (KEY=value) (default []) + --skip-signature-validation Skip validating the signature of the Zarf package --skip-webhooks [alpha] Skip waiting for external webhooks to execute as each package component is deployed --storage-class string Specify the storage class to use for the registry and git server. E.g. --storage-class=standard --timeout duration Timeout for health checks and Helm operations such as installs and rollbacks (default 15m0s) 
@@ -84,14 +85,15 @@ $ zarf init --artifact-push-password={PASSWORD} --artifact-push-username={USERNA ### Options inherited from parent commands ``` - -a, --architecture string Architecture for OCI images and Zarf packages - --insecure Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture. - -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") - --no-color Disable colors in output - --no-log-file Disable log file creation - --no-progress Disable fancy UI progress bars, spinners, logos, etc - --tmpdir string Specify the temporary directory to use for intermediate files - --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") + -a, --architecture string Architecture for OCI images and Zarf packages + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") + --no-color Disable colors in output + --no-log-file Disable log file creation + --no-progress Disable fancy UI progress bars, spinners, logos, etc + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. + --tmpdir string Specify the temporary directory to use for intermediate files + --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") ``` ### SEE ALSO diff --git a/site/src/content/docs/commands/zarf_package.md b/site/src/content/docs/commands/zarf_package.md index 0727c57793..a8d1244e58 100644 --- a/site/src/content/docs/commands/zarf_package.md 
+++ b/site/src/content/docs/commands/zarf_package.md @@ -21,14 +21,15 @@ Zarf package commands for creating, deploying, and inspecting packages ### Options inherited from parent commands ``` - -a, --architecture string Architecture for OCI images and Zarf packages - --insecure Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture. - -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") - --no-color Disable colors in output - --no-log-file Disable log file creation - --no-progress Disable fancy UI progress bars, spinners, logos, etc - --tmpdir string Specify the temporary directory to use for intermediate files - --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") + -a, --architecture string Architecture for OCI images and Zarf packages + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") + --no-color Disable colors in output + --no-log-file Disable log file creation + --no-progress Disable fancy UI progress bars, spinners, logos, etc + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. + --tmpdir string Specify the temporary directory to use for intermediate files + --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") ``` ### SEE ALSO diff --git a/site/src/content/docs/commands/zarf_package_create.md b/site/src/content/docs/commands/zarf_package_create.md index 0a8057bf38..b3ef73bb78 100644 
--- a/site/src/content/docs/commands/zarf_package_create.md
+++ b/site/src/content/docs/commands/zarf_package_create.md
@@ -42,15 +42,16 @@ zarf package create [ DIRECTORY ] [flags] ### Options inherited from parent commands ``` - -a, --architecture string Architecture for OCI images and Zarf packages - --insecure Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture. - -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") - --no-color Disable colors in output - --no-log-file Disable log file creation - --no-progress Disable fancy UI progress bars, spinners, logos, etc - --oci-concurrency int Number of concurrent layer operations to perform when interacting with a remote package. (default 3) - --tmpdir string Specify the temporary directory to use for intermediate files - --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") + -a, --architecture string Architecture for OCI images and Zarf packages + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") + --no-color Disable colors in output + --no-log-file Disable log file creation + --no-progress Disable fancy UI progress bars, spinners, logos, etc + --oci-concurrency int Number of concurrent layer operations to perform when interacting with a remote package. (default 3) + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. 
+ --tmpdir string Specify the temporary directory to use for intermediate files + --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") ``` ### SEE ALSO diff --git a/site/src/content/docs/commands/zarf_package_deploy.md b/site/src/content/docs/commands/zarf_package_deploy.md index d89b0f1bbc..1009c9bf56 100644 --- a/site/src/content/docs/commands/zarf_package_deploy.md +++ b/site/src/content/docs/commands/zarf_package_deploy.md 
@@ -22,30 +22,32 @@ zarf package deploy [ PACKAGE_SOURCE ] [flags] ### Options ``` - --adopt-existing-resources Adopts any pre-existing K8s resources into the Helm charts managed by Zarf. ONLY use when you have existing deployments you want Zarf to takeover. - --components string Comma-separated list of components to deploy. Adding this flag will skip the prompts for selected components. Globbing component names with '*' and deselecting 'default' components with a leading '-' are also supported. - --confirm Confirms package deployment without prompting. ONLY use with packages you trust. Skips prompts to review SBOM, configure variables, select optional components and review potential breaking changes. - -h, --help help for deploy - --retries int Number of retries to perform for Zarf deploy operations like git/image pushes or Helm installs (default 3) - --set stringToString Specify deployment variables to set on the command line (KEY=value) (default []) - --shasum string Shasum of the package to deploy. Required if deploying a remote package and "--insecure" is not provided - --skip-webhooks [alpha] Skip waiting for external webhooks to execute as each package component is deployed - --timeout duration Timeout for health checks and Helm operations such as installs and rollbacks (default 15m0s) + --adopt-existing-resources Adopts any pre-existing K8s resources into the Helm charts managed by Zarf. ONLY use when you have existing deployments you want Zarf to takeover. + --components string Comma-separated list of components to deploy. Adding this flag will skip the prompts for selected components. Globbing component names with '*' and deselecting 'default' components with a leading '-' are also supported. + --confirm Confirms package deployment without prompting. ONLY use with packages you trust. Skips prompts to review SBOM, configure variables, select optional components and review potential breaking changes. 
+ -h, --help help for deploy + --retries int Number of retries to perform for Zarf deploy operations like git/image pushes or Helm installs (default 3) + --set stringToString Specify deployment variables to set on the command line (KEY=value) (default []) + --shasum string Shasum of the package to deploy. Required if deploying a remote package. + --skip-signature-validation Skip validating the signature of the Zarf package + --skip-webhooks [alpha] Skip waiting for external webhooks to execute as each package component is deployed + --timeout duration Timeout for health checks and Helm operations such as installs and rollbacks (default 15m0s) ``` ### Options inherited from parent commands ``` - -a, --architecture string Architecture for OCI images and Zarf packages - --insecure Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture. - -k, --key string Path to public key file for validating signed packages - -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") - --no-color Disable colors in output - --no-log-file Disable log file creation - --no-progress Disable fancy UI progress bars, spinners, logos, etc - --oci-concurrency int Number of concurrent layer operations to perform when interacting with a remote package. (default 3) - --tmpdir string Specify the temporary directory to use for intermediate files - --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") + -a, --architecture string Architecture for OCI images and Zarf packages + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. 
+ -k, --key string Path to public key file for validating signed packages + -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") + --no-color Disable colors in output + --no-log-file Disable log file creation + --no-progress Disable fancy UI progress bars, spinners, logos, etc + --oci-concurrency int Number of concurrent layer operations to perform when interacting with a remote package. (default 3) + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. + --tmpdir string Specify the temporary directory to use for intermediate files + --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") ``` ### SEE ALSO diff --git a/site/src/content/docs/commands/zarf_package_inspect.md b/site/src/content/docs/commands/zarf_package_inspect.md index 7a27daff9f..8881bbe248 100644 --- a/site/src/content/docs/commands/zarf_package_inspect.md +++ b/site/src/content/docs/commands/zarf_package_inspect.md 
@@ -21,25 +21,27 @@ zarf package inspect [ PACKAGE_SOURCE ] [flags] ### Options ``` - -h, --help help for inspect - --list-images List images in the package (prints to stdout) - -s, --sbom View SBOM contents while inspecting the package - --sbom-out string Specify an output directory for the SBOMs from the inspected Zarf package + -h, --help help for inspect + --list-images List images in the package (prints to stdout) + -s, --sbom View SBOM contents while inspecting the package + --sbom-out string Specify an output directory for the SBOMs from the inspected Zarf package + --skip-signature-validation Skip validating the signature of the Zarf package ``` ### Options inherited from parent commands ``` - -a, --architecture string Architecture for OCI images and Zarf packages - --insecure Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture. - -k, --key string Path to public key file for validating signed packages - -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") - --no-color Disable colors in output - --no-log-file Disable log file creation - --no-progress Disable fancy UI progress bars, spinners, logos, etc - --oci-concurrency int Number of concurrent layer operations to perform when interacting with a remote package. (default 3) - --tmpdir string Specify the temporary directory to use for intermediate files - --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") + -a, --architecture string Architecture for OCI images and Zarf packages + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. 
+ -k, --key string Path to public key file for validating signed packages + -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") + --no-color Disable colors in output + --no-log-file Disable log file creation + --no-progress Disable fancy UI progress bars, spinners, logos, etc + --oci-concurrency int Number of concurrent layer operations to perform when interacting with a remote package. (default 3) + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. + --tmpdir string Specify the temporary directory to use for intermediate files + --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") ``` ### SEE ALSO diff --git a/site/src/content/docs/commands/zarf_package_list.md b/site/src/content/docs/commands/zarf_package_list.md index b8f215ade3..4fddd0dd13 100644 --- a/site/src/content/docs/commands/zarf_package_list.md +++ b/site/src/content/docs/commands/zarf_package_list.md 
@@ -23,16 +23,17 @@ zarf package list [flags] ### Options inherited from parent commands ``` - -a, --architecture string Architecture for OCI images and Zarf packages - --insecure Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture. - -k, --key string Path to public key file for validating signed packages - -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") - --no-color Disable colors in output - --no-log-file Disable log file creation - --no-progress Disable fancy UI progress bars, spinners, logos, etc - --oci-concurrency int Number of concurrent layer operations to perform when interacting with a remote package. (default 3) - --tmpdir string Specify the temporary directory to use for intermediate files - --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") + -a, --architecture string Architecture for OCI images and Zarf packages + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + -k, --key string Path to public key file for validating signed packages + -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") + --no-color Disable colors in output + --no-log-file Disable log file creation + --no-progress Disable fancy UI progress bars, spinners, logos, etc + --oci-concurrency int Number of concurrent layer operations to perform when interacting with a remote package. (default 3) + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. 
+ --tmpdir string Specify the temporary directory to use for intermediate files + --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") ``` ### SEE ALSO diff --git a/site/src/content/docs/commands/zarf_package_mirror-resources.md b/site/src/content/docs/commands/zarf_package_mirror-resources.md index 1b6abb8fd9..5070a968f2 100644 --- a/site/src/content/docs/commands/zarf_package_mirror-resources.md +++ b/site/src/content/docs/commands/zarf_package_mirror-resources.md 
@@ -57,21 +57,23 @@ $ zarf package mirror-resources \ --registry-push-username string Username to access to the registry Zarf is configured to use (default "zarf-push") --registry-url string External registry url address to use for this Zarf cluster --retries int Number of retries to perform for Zarf deploy operations like git/image pushes or Helm installs (default 3) + --skip-signature-validation Skip validating the signature of the Zarf package ``` ### Options inherited from parent commands ``` - -a, --architecture string Architecture for OCI images and Zarf packages - --insecure Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture. - -k, --key string Path to public key file for validating signed packages - -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") - --no-color Disable colors in output - --no-log-file Disable log file creation - --no-progress Disable fancy UI progress bars, spinners, logos, etc - --oci-concurrency int Number of concurrent layer operations to perform when interacting with a remote package. (default 3) - --tmpdir string Specify the temporary directory to use for intermediate files - --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") + -a, --architecture string Architecture for OCI images and Zarf packages + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + -k, --key string Path to public key file for validating signed packages + -l, --log-level string Log level when running Zarf. 
Valid options are: warn, info, debug, trace (default "info") + --no-color Disable colors in output + --no-log-file Disable log file creation + --no-progress Disable fancy UI progress bars, spinners, logos, etc + --oci-concurrency int Number of concurrent layer operations to perform when interacting with a remote package. (default 3) + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. + --tmpdir string Specify the temporary directory to use for intermediate files + --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") ``` ### SEE ALSO diff --git a/site/src/content/docs/commands/zarf_package_publish.md b/site/src/content/docs/commands/zarf_package_publish.md index 1507c83e0a..310e4481c5 100644 --- a/site/src/content/docs/commands/zarf_package_publish.md +++ b/site/src/content/docs/commands/zarf_package_publish.md 
@@ -29,24 +29,26 @@ $ zarf package publish ./path/to/dir oci://my-registry.com/my-namespace ### Options ``` - -h, --help help for publish - --signing-key string Path to a private key file for signing or re-signing packages with a new key - --signing-key-pass string Password to the private key file used for publishing packages + -h, --help help for publish + --signing-key string Path to a private key file for signing or re-signing packages with a new key + --signing-key-pass string Password to the private key file used for publishing packages + --skip-signature-validation Skip validating the signature of the Zarf package ``` ### Options inherited from parent commands ``` - -a, --architecture string Architecture for OCI images and Zarf packages - --insecure Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture. - -k, --key string Path to public key file for validating signed packages - -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") - --no-color Disable colors in output - --no-log-file Disable log file creation - --no-progress Disable fancy UI progress bars, spinners, logos, etc - --oci-concurrency int Number of concurrent layer operations to perform when interacting with a remote package. (default 3) - --tmpdir string Specify the temporary directory to use for intermediate files - --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") + -a, --architecture string Architecture for OCI images and Zarf packages + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. 
+ -k, --key string Path to public key file for validating signed packages + -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") + --no-color Disable colors in output + --no-log-file Disable log file creation + --no-progress Disable fancy UI progress bars, spinners, logos, etc + --oci-concurrency int Number of concurrent layer operations to perform when interacting with a remote package. (default 3) + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. + --tmpdir string Specify the temporary directory to use for intermediate files + --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") ``` ### SEE ALSO diff --git a/site/src/content/docs/commands/zarf_package_pull.md b/site/src/content/docs/commands/zarf_package_pull.md index 2bb98e5742..202eb2e807 100644 --- a/site/src/content/docs/commands/zarf_package_pull.md +++ b/site/src/content/docs/commands/zarf_package_pull.md 
@@ -38,16 +38,17 @@ $ zarf package pull oci://ghcr.io/defenseunicorns/packages/dos-games:1.0.0 -a sk ### Options inherited from parent commands ``` - -a, --architecture string Architecture for OCI images and Zarf packages - --insecure Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture. - -k, --key string Path to public key file for validating signed packages - -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") - --no-color Disable colors in output - --no-log-file Disable log file creation - --no-progress Disable fancy UI progress bars, spinners, logos, etc - --oci-concurrency int Number of concurrent layer operations to perform when interacting with a remote package. (default 3) - --tmpdir string Specify the temporary directory to use for intermediate files - --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") + -a, --architecture string Architecture for OCI images and Zarf packages + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + -k, --key string Path to public key file for validating signed packages + -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") + --no-color Disable colors in output + --no-log-file Disable log file creation + --no-progress Disable fancy UI progress bars, spinners, logos, etc + --oci-concurrency int Number of concurrent layer operations to perform when interacting with a remote package. (default 3) + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. 
+ --tmpdir string Specify the temporary directory to use for intermediate files + --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") ``` ### SEE ALSO diff --git a/site/src/content/docs/commands/zarf_package_remove.md b/site/src/content/docs/commands/zarf_package_remove.md index 34cd131c32..edebd01408 100644 --- a/site/src/content/docs/commands/zarf_package_remove.md +++ b/site/src/content/docs/commands/zarf_package_remove.md 
@@ -17,24 +17,26 @@ zarf package remove { PACKAGE_SOURCE | PACKAGE_NAME } --confirm [flags] ### Options ``` - --components string Comma-separated list of components to remove. This list will be respected regardless of a component's 'required' or 'default' status. Globbing component names with '*' and deselecting components with a leading '-' are also supported. - --confirm REQUIRED. Confirm the removal action to prevent accidental deletions - -h, --help help for remove + --components string Comma-separated list of components to remove. This list will be respected regardless of a component's 'required' or 'default' status. Globbing component names with '*' and deselecting components with a leading '-' are also supported. + --confirm REQUIRED. Confirm the removal action to prevent accidental deletions + -h, --help help for remove + --skip-signature-validation Skip validating the signature of the Zarf package ``` ### Options inherited from parent commands ``` - -a, --architecture string Architecture for OCI images and Zarf packages - --insecure Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture. - -k, --key string Path to public key file for validating signed packages - -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") - --no-color Disable colors in output - --no-log-file Disable log file creation - --no-progress Disable fancy UI progress bars, spinners, logos, etc - --oci-concurrency int Number of concurrent layer operations to perform when interacting with a remote package. 
(default 3) - --tmpdir string Specify the temporary directory to use for intermediate files - --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") + -a, --architecture string Architecture for OCI images and Zarf packages + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + -k, --key string Path to public key file for validating signed packages + -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") + --no-color Disable colors in output + --no-log-file Disable log file creation + --no-progress Disable fancy UI progress bars, spinners, logos, etc + --oci-concurrency int Number of concurrent layer operations to perform when interacting with a remote package. (default 3) + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. + --tmpdir string Specify the temporary directory to use for intermediate files + --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") ``` ### SEE ALSO diff --git a/site/src/content/docs/commands/zarf_tools.md b/site/src/content/docs/commands/zarf_tools.md index ea4d9548da..51e9e472d1 100644 --- a/site/src/content/docs/commands/zarf_tools.md +++ b/site/src/content/docs/commands/zarf_tools.md 
@@ -19,14 +19,15 @@ Collection of additional tools to make airgap easier ### Options inherited from parent commands ``` - -a, --architecture string Architecture for OCI images and Zarf packages - --insecure Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture. - -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") - --no-color Disable colors in output - --no-log-file Disable log file creation - --no-progress Disable fancy UI progress bars, spinners, logos, etc - --tmpdir string Specify the temporary directory to use for intermediate files - --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") + -a, --architecture string Architecture for OCI images and Zarf packages + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") + --no-color Disable colors in output + --no-log-file Disable log file creation + --no-progress Disable fancy UI progress bars, spinners, logos, etc + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. + --tmpdir string Specify the temporary directory to use for intermediate files + --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") ``` ### SEE ALSO diff --git a/site/src/content/docs/commands/zarf_tools_archiver.md b/site/src/content/docs/commands/zarf_tools_archiver.md index 8f35492acb..edd7615755 100644 --- a/site/src/content/docs/commands/zarf_tools_archiver.md 
+++ b/site/src/content/docs/commands/zarf_tools_archiver.md @@ -19,14 +19,15 @@ Compresses/Decompresses generic archives, including Zarf packages ### Options inherited from parent commands ``` - -a, --architecture string Architecture for OCI images and Zarf packages - --insecure Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture. - -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") - --no-color Disable colors in output - --no-log-file Disable log file creation - --no-progress Disable fancy UI progress bars, spinners, logos, etc - --tmpdir string Specify the temporary directory to use for intermediate files - --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") + -a, --architecture string Architecture for OCI images and Zarf packages + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") + --no-color Disable colors in output + --no-log-file Disable log file creation + --no-progress Disable fancy UI progress bars, spinners, logos, etc + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. + --tmpdir string Specify the temporary directory to use for intermediate files + --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") ``` ### SEE ALSO 
diff --git a/site/src/content/docs/commands/zarf_tools_archiver_compress.md b/site/src/content/docs/commands/zarf_tools_archiver_compress.md index bf79a91511..de2cc0518a 100644 --- a/site/src/content/docs/commands/zarf_tools_archiver_compress.md +++ b/site/src/content/docs/commands/zarf_tools_archiver_compress.md 
@@ -23,14 +23,15 @@ zarf tools archiver compress SOURCES ARCHIVE [flags] ### Options inherited from parent commands ``` - -a, --architecture string Architecture for OCI images and Zarf packages - --insecure Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture. - -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") - --no-color Disable colors in output - --no-log-file Disable log file creation - --no-progress Disable fancy UI progress bars, spinners, logos, etc - --tmpdir string Specify the temporary directory to use for intermediate files - --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") + -a, --architecture string Architecture for OCI images and Zarf packages + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") + --no-color Disable colors in output + --no-log-file Disable log file creation + --no-progress Disable fancy UI progress bars, spinners, logos, etc + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. + --tmpdir string Specify the temporary directory to use for intermediate files + --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") ``` ### SEE ALSO diff --git a/site/src/content/docs/commands/zarf_tools_archiver_decompress.md b/site/src/content/docs/commands/zarf_tools_archiver_decompress.md index 8c2cb441fa..ead2ce66ac 100644 
--- a/site/src/content/docs/commands/zarf_tools_archiver_decompress.md +++ b/site/src/content/docs/commands/zarf_tools_archiver_decompress.md @@ -24,14 +24,15 @@ zarf tools archiver decompress ARCHIVE DESTINATION [flags] ### Options inherited from parent commands ``` - -a, --architecture string Architecture for OCI images and Zarf packages - --insecure Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture. - -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") - --no-color Disable colors in output - --no-log-file Disable log file creation - --no-progress Disable fancy UI progress bars, spinners, logos, etc - --tmpdir string Specify the temporary directory to use for intermediate files - --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") + -a, --architecture string Architecture for OCI images and Zarf packages + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") + --no-color Disable colors in output + --no-log-file Disable log file creation + --no-progress Disable fancy UI progress bars, spinners, logos, etc + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. + --tmpdir string Specify the temporary directory to use for intermediate files + --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") ``` ### SEE ALSO 
diff --git a/site/src/content/docs/commands/zarf_tools_archiver_version.md b/site/src/content/docs/commands/zarf_tools_archiver_version.md index 0dd240f9eb..169ece563b 100644 --- a/site/src/content/docs/commands/zarf_tools_archiver_version.md +++ b/site/src/content/docs/commands/zarf_tools_archiver_version.md 
@@ -23,14 +23,15 @@ zarf tools archiver version [flags] ### Options inherited from parent commands ``` - -a, --architecture string Architecture for OCI images and Zarf packages - --insecure Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture. - -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") - --no-color Disable colors in output - --no-log-file Disable log file creation - --no-progress Disable fancy UI progress bars, spinners, logos, etc - --tmpdir string Specify the temporary directory to use for intermediate files - --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") + -a, --architecture string Architecture for OCI images and Zarf packages + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") + --no-color Disable colors in output + --no-log-file Disable log file creation + --no-progress Disable fancy UI progress bars, spinners, logos, etc + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. + --tmpdir string Specify the temporary directory to use for intermediate files + --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") ``` ### SEE ALSO diff --git a/site/src/content/docs/commands/zarf_tools_clear-cache.md b/site/src/content/docs/commands/zarf_tools_clear-cache.md index e0031b87d5..c2e7f8d94e 100644 --- a/site/src/content/docs/commands/zarf_tools_clear-cache.md 
+++ b/site/src/content/docs/commands/zarf_tools_clear-cache.md @@ -24,13 +24,14 @@ zarf tools clear-cache [flags] ### Options inherited from parent commands ``` - -a, --architecture string Architecture for OCI images and Zarf packages - --insecure Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture. - -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") - --no-color Disable colors in output - --no-log-file Disable log file creation - --no-progress Disable fancy UI progress bars, spinners, logos, etc - --tmpdir string Specify the temporary directory to use for intermediate files + -a, --architecture string Architecture for OCI images and Zarf packages + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") + --no-color Disable colors in output + --no-log-file Disable log file creation + --no-progress Disable fancy UI progress bars, spinners, logos, etc + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. + --tmpdir string Specify the temporary directory to use for intermediate files ``` ### SEE ALSO diff --git a/site/src/content/docs/commands/zarf_tools_download-init.md b/site/src/content/docs/commands/zarf_tools_download-init.md index adfc4ab508..723c4d3d83 100644 --- a/site/src/content/docs/commands/zarf_tools_download-init.md +++ b/site/src/content/docs/commands/zarf_tools_download-init.md 
@@ -24,14 +24,15 @@ zarf tools download-init [flags] ### Options inherited from parent commands ``` - -a, --architecture string Architecture for OCI images and Zarf packages - --insecure Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture. - -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") - --no-color Disable colors in output - --no-log-file Disable log file creation - --no-progress Disable fancy UI progress bars, spinners, logos, etc - --tmpdir string Specify the temporary directory to use for intermediate files - --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") + -a, --architecture string Architecture for OCI images and Zarf packages + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") + --no-color Disable colors in output + --no-log-file Disable log file creation + --no-progress Disable fancy UI progress bars, spinners, logos, etc + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. + --tmpdir string Specify the temporary directory to use for intermediate files + --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") ``` ### SEE ALSO diff --git a/site/src/content/docs/commands/zarf_tools_gen-key.md b/site/src/content/docs/commands/zarf_tools_gen-key.md index 9a15bab77a..421f4029ad 100644 --- a/site/src/content/docs/commands/zarf_tools_gen-key.md 
+++ b/site/src/content/docs/commands/zarf_tools_gen-key.md @@ -23,14 +23,15 @@ zarf tools gen-key [flags] ### Options inherited from parent commands ``` - -a, --architecture string Architecture for OCI images and Zarf packages - --insecure Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture. - -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") - --no-color Disable colors in output - --no-log-file Disable log file creation - --no-progress Disable fancy UI progress bars, spinners, logos, etc - --tmpdir string Specify the temporary directory to use for intermediate files - --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") + -a, --architecture string Architecture for OCI images and Zarf packages + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") + --no-color Disable colors in output + --no-log-file Disable log file creation + --no-progress Disable fancy UI progress bars, spinners, logos, etc + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. + --tmpdir string Specify the temporary directory to use for intermediate files + --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") ``` ### SEE ALSO diff --git a/site/src/content/docs/commands/zarf_tools_gen-pki.md b/site/src/content/docs/commands/zarf_tools_gen-pki.md index 8500adc10b..641fe08402 100644 
--- a/site/src/content/docs/commands/zarf_tools_gen-pki.md +++ b/site/src/content/docs/commands/zarf_tools_gen-pki.md @@ -24,14 +24,15 @@ zarf tools gen-pki HOST [flags] ### Options inherited from parent commands ``` - -a, --architecture string Architecture for OCI images and Zarf packages - --insecure Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture. - -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") - --no-color Disable colors in output - --no-log-file Disable log file creation - --no-progress Disable fancy UI progress bars, spinners, logos, etc - --tmpdir string Specify the temporary directory to use for intermediate files - --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") + -a, --architecture string Architecture for OCI images and Zarf packages + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") + --no-color Disable colors in output + --no-log-file Disable log file creation + --no-progress Disable fancy UI progress bars, spinners, logos, etc + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. + --tmpdir string Specify the temporary directory to use for intermediate files + --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") ``` ### SEE ALSO 
diff --git a/site/src/content/docs/commands/zarf_tools_get-creds.md b/site/src/content/docs/commands/zarf_tools_get-creds.md index 4d56b4e2b8..8d8511ffb3 100644 --- a/site/src/content/docs/commands/zarf_tools_get-creds.md +++ b/site/src/content/docs/commands/zarf_tools_get-creds.md 
@@ -43,14 +43,15 @@ $ zarf tools get-creds artifact ### Options inherited from parent commands ``` - -a, --architecture string Architecture for OCI images and Zarf packages - --insecure Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture. - -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") - --no-color Disable colors in output - --no-log-file Disable log file creation - --no-progress Disable fancy UI progress bars, spinners, logos, etc - --tmpdir string Specify the temporary directory to use for intermediate files - --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") + -a, --architecture string Architecture for OCI images and Zarf packages + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") + --no-color Disable colors in output + --no-log-file Disable log file creation + --no-progress Disable fancy UI progress bars, spinners, logos, etc + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. + --tmpdir string Specify the temporary directory to use for intermediate files + --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") ``` ### SEE ALSO diff --git a/site/src/content/docs/commands/zarf_tools_helm.md b/site/src/content/docs/commands/zarf_tools_helm.md index 44932c83f3..3b836a8cd0 100644 --- a/site/src/content/docs/commands/zarf_tools_helm.md 
+++ b/site/src/content/docs/commands/zarf_tools_helm.md @@ -36,6 +36,13 @@ Subset of the Helm CLI that includes the repo and dependency commands for managi --repository-config string path to the file containing repository names and URLs ``` +### Options inherited from parent commands + +``` + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. +``` + ### SEE ALSO * [zarf tools](/commands/zarf_tools/) - Collection of additional tools to make airgap easier diff --git a/site/src/content/docs/commands/zarf_tools_helm_dependency.md b/site/src/content/docs/commands/zarf_tools_helm_dependency.md index 034b077242..fdbb387c52 100644 --- a/site/src/content/docs/commands/zarf_tools_helm_dependency.md +++ b/site/src/content/docs/commands/zarf_tools_helm_dependency.md @@ -71,6 +71,7 @@ for this case. ``` --burst-limit int client-side default throttling limit (default 100) --debug enable verbose output + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. --kube-apiserver string the address and the port for the Kubernetes API server --kube-as-group stringArray group to impersonate for the operation, this flag can be repeated to specify multiple groups. --kube-as-user string username to impersonate for the operation 
@@ -81,6 +82,7 @@ for this case. --kube-token string bearer token used for authentication --kubeconfig string path to the kubeconfig file -n, --namespace string namespace scope for this request + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. --qps float32 queries per second used when communicating with the Kubernetes API, not including bursting --registry-config string path to the registry config file --repository-cache string path to the file containing cached repository indexes diff --git a/site/src/content/docs/commands/zarf_tools_helm_dependency_build.md b/site/src/content/docs/commands/zarf_tools_helm_dependency_build.md index 4721f010ba..ff1b47e6fd 100644 --- a/site/src/content/docs/commands/zarf_tools_helm_dependency_build.md +++ b/site/src/content/docs/commands/zarf_tools_helm_dependency_build.md @@ -41,6 +41,7 @@ zarf tools helm dependency build CHART [flags] ``` --burst-limit int client-side default throttling limit (default 100) --debug enable verbose output + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. --kube-apiserver string the address and the port for the Kubernetes API server --kube-as-group stringArray group to impersonate for the operation, this flag can be repeated to specify multiple groups. --kube-as-user string username to impersonate for the operation 
@@ -51,6 +52,7 @@ zarf tools helm dependency build CHART [flags] --kube-token string bearer token used for authentication --kubeconfig string path to the kubeconfig file -n, --namespace string namespace scope for this request + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. --qps float32 queries per second used when communicating with the Kubernetes API, not including bursting --registry-config string path to the registry config file --repository-cache string path to the file containing cached repository indexes diff --git a/site/src/content/docs/commands/zarf_tools_helm_dependency_list.md b/site/src/content/docs/commands/zarf_tools_helm_dependency_list.md index afea96a40e..04b786e8d6 100644 --- a/site/src/content/docs/commands/zarf_tools_helm_dependency_list.md +++ b/site/src/content/docs/commands/zarf_tools_helm_dependency_list.md @@ -37,6 +37,7 @@ zarf tools helm dependency list CHART [flags] ``` --burst-limit int client-side default throttling limit (default 100) --debug enable verbose output + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. --kube-apiserver string the address and the port for the Kubernetes API server --kube-as-group stringArray group to impersonate for the operation, this flag can be repeated to specify multiple groups. --kube-as-user string username to impersonate for the operation 
@@ -47,6 +48,7 @@ zarf tools helm dependency list CHART [flags] --kube-token string bearer token used for authentication --kubeconfig string path to the kubeconfig file -n, --namespace string namespace scope for this request + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. --qps float32 queries per second used when communicating with the Kubernetes API, not including bursting --registry-config string path to the registry config file --repository-cache string path to the file containing cached repository indexes diff --git a/site/src/content/docs/commands/zarf_tools_helm_dependency_update.md b/site/src/content/docs/commands/zarf_tools_helm_dependency_update.md index 845bba70e2..15486dfabb 100644 --- a/site/src/content/docs/commands/zarf_tools_helm_dependency_update.md +++ b/site/src/content/docs/commands/zarf_tools_helm_dependency_update.md @@ -45,6 +45,7 @@ zarf tools helm dependency update CHART [flags] ``` --burst-limit int client-side default throttling limit (default 100) --debug enable verbose output + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. --kube-apiserver string the address and the port for the Kubernetes API server --kube-as-group stringArray group to impersonate for the operation, this flag can be repeated to specify multiple groups. --kube-as-user string username to impersonate for the operation 
@@ -55,6 +56,7 @@ zarf tools helm dependency update CHART [flags] --kube-token string bearer token used for authentication --kubeconfig string path to the kubeconfig file -n, --namespace string namespace scope for this request + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. --qps float32 queries per second used when communicating with the Kubernetes API, not including bursting --registry-config string path to the registry config file --repository-cache string path to the file containing cached repository indexes diff --git a/site/src/content/docs/commands/zarf_tools_helm_repo.md b/site/src/content/docs/commands/zarf_tools_helm_repo.md index cc51f6c4db..bb890b0631 100644 --- a/site/src/content/docs/commands/zarf_tools_helm_repo.md +++ b/site/src/content/docs/commands/zarf_tools_helm_repo.md @@ -29,6 +29,7 @@ It can be used to add, remove, list, and index chart repositories. ``` --burst-limit int client-side default throttling limit (default 100) --debug enable verbose output + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. --kube-apiserver string the address and the port for the Kubernetes API server --kube-as-group stringArray group to impersonate for the operation, this flag can be repeated to specify multiple groups. --kube-as-user string username to impersonate for the operation 
@@ -39,6 +40,7 @@ It can be used to add, remove, list, and index chart repositories. --kube-token string bearer token used for authentication --kubeconfig string path to the kubeconfig file -n, --namespace string namespace scope for this request + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. --qps float32 queries per second used when communicating with the Kubernetes API, not including bursting --registry-config string path to the registry config file --repository-cache string path to the file containing cached repository indexes diff --git a/site/src/content/docs/commands/zarf_tools_helm_repo_add.md b/site/src/content/docs/commands/zarf_tools_helm_repo_add.md index c6226e3137..427fa498f4 100644 --- a/site/src/content/docs/commands/zarf_tools_helm_repo_add.md +++ b/site/src/content/docs/commands/zarf_tools_helm_repo_add.md @@ -46,6 +46,7 @@ zarf tools helm repo add [NAME] [URL] [flags] --kube-token string bearer token used for authentication --kubeconfig string path to the kubeconfig file -n, --namespace string namespace scope for this request + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. --qps float32 queries per second used when communicating with the Kubernetes API, not including bursting --registry-config string path to the registry config file --repository-cache string path to the file containing cached repository indexes diff --git a/site/src/content/docs/commands/zarf_tools_helm_repo_index.md b/site/src/content/docs/commands/zarf_tools_helm_repo_index.md index 62db97073b..2568672be9 100644 --- a/site/src/content/docs/commands/zarf_tools_helm_repo_index.md +++ b/site/src/content/docs/commands/zarf_tools_helm_repo_index.md 
@@ -40,6 +40,7 @@ zarf tools helm repo index [DIR] [flags] ``` --burst-limit int client-side default throttling limit (default 100) --debug enable verbose output + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. --kube-apiserver string the address and the port for the Kubernetes API server --kube-as-group stringArray group to impersonate for the operation, this flag can be repeated to specify multiple groups. --kube-as-user string username to impersonate for the operation @@ -50,6 +51,7 @@ zarf tools helm repo index [DIR] [flags] --kube-token string bearer token used for authentication --kubeconfig string path to the kubeconfig file -n, --namespace string namespace scope for this request + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. --qps float32 queries per second used when communicating with the Kubernetes API, not including bursting --registry-config string path to the registry config file --repository-cache string path to the file containing cached repository indexes diff --git a/site/src/content/docs/commands/zarf_tools_helm_repo_list.md b/site/src/content/docs/commands/zarf_tools_helm_repo_list.md index 4e548393ca..987cd7fe3c 100644 --- a/site/src/content/docs/commands/zarf_tools_helm_repo_list.md +++ b/site/src/content/docs/commands/zarf_tools_helm_repo_list.md 
@@ -26,6 +26,7 @@ zarf tools helm repo list [flags] ``` --burst-limit int client-side default throttling limit (default 100) --debug enable verbose output + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. --kube-apiserver string the address and the port for the Kubernetes API server --kube-as-group stringArray group to impersonate for the operation, this flag can be repeated to specify multiple groups. --kube-as-user string username to impersonate for the operation @@ -36,6 +37,7 @@ zarf tools helm repo list [flags] --kube-token string bearer token used for authentication --kubeconfig string path to the kubeconfig file -n, --namespace string namespace scope for this request + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. --qps float32 queries per second used when communicating with the Kubernetes API, not including bursting --registry-config string path to the registry config file --repository-cache string path to the file containing cached repository indexes diff --git a/site/src/content/docs/commands/zarf_tools_helm_repo_remove.md b/site/src/content/docs/commands/zarf_tools_helm_repo_remove.md index ca042bdb1c..af693c1ad9 100644 --- a/site/src/content/docs/commands/zarf_tools_helm_repo_remove.md +++ b/site/src/content/docs/commands/zarf_tools_helm_repo_remove.md 
@@ -25,6 +25,7 @@ zarf tools helm repo remove [REPO1 [REPO2 ...]] [flags] ``` --burst-limit int client-side default throttling limit (default 100) --debug enable verbose output + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. --kube-apiserver string the address and the port for the Kubernetes API server --kube-as-group stringArray group to impersonate for the operation, this flag can be repeated to specify multiple groups. --kube-as-user string username to impersonate for the operation @@ -35,6 +36,7 @@ zarf tools helm repo remove [REPO1 [REPO2 ...]] [flags] --kube-token string bearer token used for authentication --kubeconfig string path to the kubeconfig file -n, --namespace string namespace scope for this request + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. --qps float32 queries per second used when communicating with the Kubernetes API, not including bursting --registry-config string path to the registry config file --repository-cache string path to the file containing cached repository indexes diff --git a/site/src/content/docs/commands/zarf_tools_helm_repo_update.md b/site/src/content/docs/commands/zarf_tools_helm_repo_update.md index 87b19a94da..687c1c01e2 100644 --- a/site/src/content/docs/commands/zarf_tools_helm_repo_update.md +++ b/site/src/content/docs/commands/zarf_tools_helm_repo_update.md 
@@ -37,6 +37,7 @@ zarf tools helm repo update [REPO1 [REPO2 ...]] [flags] ``` --burst-limit int client-side default throttling limit (default 100) --debug enable verbose output + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. --kube-apiserver string the address and the port for the Kubernetes API server --kube-as-group stringArray group to impersonate for the operation, this flag can be repeated to specify multiple groups. --kube-as-user string username to impersonate for the operation @@ -47,6 +48,7 @@ zarf tools helm repo update [REPO1 [REPO2 ...]] [flags] --kube-token string bearer token used for authentication --kubeconfig string path to the kubeconfig file -n, --namespace string namespace scope for this request + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. --qps float32 queries per second used when communicating with the Kubernetes API, not including bursting --registry-config string path to the registry config file --repository-cache string path to the file containing cached repository indexes diff --git a/site/src/content/docs/commands/zarf_tools_helm_version.md b/site/src/content/docs/commands/zarf_tools_helm_version.md index c34e4c17c8..3c70426811 100644 --- a/site/src/content/docs/commands/zarf_tools_helm_version.md +++ b/site/src/content/docs/commands/zarf_tools_helm_version.md 
@@ -25,6 +25,7 @@ zarf tools helm version [flags] ``` --burst-limit int client-side default throttling limit (default 100) --debug enable verbose output + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. --kube-apiserver string the address and the port for the Kubernetes API server --kube-as-group stringArray group to impersonate for the operation, this flag can be repeated to specify multiple groups. --kube-as-user string username to impersonate for the operation @@ -35,6 +36,7 @@ zarf tools helm version [flags] --kube-token string bearer token used for authentication --kubeconfig string path to the kubeconfig file -n, --namespace string namespace scope for this request + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. --qps float32 queries per second used when communicating with the Kubernetes API, not including bursting --registry-config string path to the registry config file --repository-cache string path to the file containing cached repository indexes diff --git a/site/src/content/docs/commands/zarf_tools_kubectl.md b/site/src/content/docs/commands/zarf_tools_kubectl.md index 18128b35e3..ebf487c50f 100644 --- a/site/src/content/docs/commands/zarf_tools_kubectl.md +++ b/site/src/content/docs/commands/zarf_tools_kubectl.md 
@@ -20,6 +20,13 @@ zarf tools kubectl [flags] -h, --help help for kubectl ``` +### Options inherited from parent commands + +``` + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. +``` + ### SEE ALSO * [zarf tools](/commands/zarf_tools/) - Collection of additional tools to make airgap easier diff --git a/site/src/content/docs/commands/zarf_tools_monitor.md b/site/src/content/docs/commands/zarf_tools_monitor.md index 73c8d766be..3303fde13b 100644 --- a/site/src/content/docs/commands/zarf_tools_monitor.md +++ b/site/src/content/docs/commands/zarf_tools_monitor.md @@ -44,6 +44,12 @@ zarf tools monitor [flags] --write Sets write mode by overriding the readOnly configuration setting ``` +### Options inherited from parent commands + +``` + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. +``` + ### SEE ALSO * [zarf tools](/commands/zarf_tools/) - Collection of additional tools to make airgap easier diff --git a/site/src/content/docs/commands/zarf_tools_registry.md b/site/src/content/docs/commands/zarf_tools_registry.md index 67b56aa34f..c99882cb04 100644 --- a/site/src/content/docs/commands/zarf_tools_registry.md +++ b/site/src/content/docs/commands/zarf_tools_registry.md 
@@ -20,6 +20,13 @@ Tools for working with container registries using go-containertools -v, --verbose Enable debug logs ``` +### Options inherited from parent commands + +``` + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. +``` + ### SEE ALSO * [zarf tools](/commands/zarf_tools/) - Collection of additional tools to make airgap easier diff --git a/site/src/content/docs/commands/zarf_tools_registry_catalog.md b/site/src/content/docs/commands/zarf_tools_registry_catalog.md index 5b01ae2d43..ea2a8fa3cb 100644 --- a/site/src/content/docs/commands/zarf_tools_registry_catalog.md +++ b/site/src/content/docs/commands/zarf_tools_registry_catalog.md @@ -38,6 +38,8 @@ $ zarf tools registry catalog reg.example.com ``` --allow-nondistributable-artifacts Allow pushing non-distributable (foreign) layers --insecure Allow image references to be fetched without TLS + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. --platform string Specifies the platform in the form os/arch[/variant][:osversion] (e.g. linux/amd64). (default "all") -v, --verbose Enable debug logs ``` diff --git a/site/src/content/docs/commands/zarf_tools_registry_copy.md b/site/src/content/docs/commands/zarf_tools_registry_copy.md index 4c975d811d..fdaec2d183 100644 --- a/site/src/content/docs/commands/zarf_tools_registry_copy.md +++ b/site/src/content/docs/commands/zarf_tools_registry_copy.md 
@@ -28,6 +28,8 @@ zarf tools registry copy SRC DST [flags] ``` --allow-nondistributable-artifacts Allow pushing non-distributable (foreign) layers --insecure Allow image references to be fetched without TLS + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. --platform string Specifies the platform in the form os/arch[/variant][:osversion] (e.g. linux/amd64). (default "all") -v, --verbose Enable debug logs ``` diff --git a/site/src/content/docs/commands/zarf_tools_registry_delete.md b/site/src/content/docs/commands/zarf_tools_registry_delete.md index 02f234e0f5..6622747930 100644 --- a/site/src/content/docs/commands/zarf_tools_registry_delete.md +++ b/site/src/content/docs/commands/zarf_tools_registry_delete.md @@ -37,6 +37,8 @@ $ zarf tools registry delete reg.example.com/stefanprodan/podinfo@sha256:57a654a ``` --allow-nondistributable-artifacts Allow pushing non-distributable (foreign) layers --insecure Allow image references to be fetched without TLS + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. --platform string Specifies the platform in the form os/arch[/variant][:osversion] (e.g. linux/amd64). (default "all") -v, --verbose Enable debug logs ``` diff --git a/site/src/content/docs/commands/zarf_tools_registry_digest.md b/site/src/content/docs/commands/zarf_tools_registry_digest.md index b2754a6d65..2b5be1bd26 100644 
--- a/site/src/content/docs/commands/zarf_tools_registry_digest.md +++ b/site/src/content/docs/commands/zarf_tools_registry_digest.md @@ -39,6 +39,8 @@ $ zarf tools registry digest reg.example.com/stefanprodan/podinfo:6.4.0 ``` --allow-nondistributable-artifacts Allow pushing non-distributable (foreign) layers --insecure Allow image references to be fetched without TLS + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. --platform string Specifies the platform in the form os/arch[/variant][:osversion] (e.g. linux/amd64). (default "all") -v, --verbose Enable debug logs ``` diff --git a/site/src/content/docs/commands/zarf_tools_registry_login.md b/site/src/content/docs/commands/zarf_tools_registry_login.md index 72d7ac95d7..79c59a740c 100644 --- a/site/src/content/docs/commands/zarf_tools_registry_login.md +++ b/site/src/content/docs/commands/zarf_tools_registry_login.md @@ -28,6 +28,8 @@ zarf tools registry login [OPTIONS] [SERVER] [flags] ``` --allow-nondistributable-artifacts Allow pushing non-distributable (foreign) layers --insecure Allow image references to be fetched without TLS + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. --platform string Specifies the platform in the form os/arch[/variant][:osversion] (e.g. linux/amd64). (default "all") -v, --verbose Enable debug logs ``` 
diff --git a/site/src/content/docs/commands/zarf_tools_registry_ls.md b/site/src/content/docs/commands/zarf_tools_registry_ls.md index f7754e813f..683c1837e5 100644 --- a/site/src/content/docs/commands/zarf_tools_registry_ls.md +++ b/site/src/content/docs/commands/zarf_tools_registry_ls.md @@ -39,6 +39,8 @@ $ zarf tools registry ls reg.example.com/stefanprodan/podinfo ``` --allow-nondistributable-artifacts Allow pushing non-distributable (foreign) layers --insecure Allow image references to be fetched without TLS + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. --platform string Specifies the platform in the form os/arch[/variant][:osversion] (e.g. linux/amd64). (default "all") -v, --verbose Enable debug logs ``` diff --git a/site/src/content/docs/commands/zarf_tools_registry_prune.md b/site/src/content/docs/commands/zarf_tools_registry_prune.md index 77fb9bf04a..ec745c4a1b 100644 --- a/site/src/content/docs/commands/zarf_tools_registry_prune.md +++ b/site/src/content/docs/commands/zarf_tools_registry_prune.md 
@@ -26,6 +26,8 @@ zarf tools registry prune [flags] ``` --allow-nondistributable-artifacts Allow pushing non-distributable (foreign) layers --insecure Allow image references to be fetched without TLS + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. --platform string Specifies the platform in the form os/arch[/variant][:osversion] (e.g. linux/amd64). (default "all") -v, --verbose Enable debug logs ``` diff --git a/site/src/content/docs/commands/zarf_tools_registry_pull.md b/site/src/content/docs/commands/zarf_tools_registry_pull.md index cb2e467f23..5e94aa0b7f 100644 --- a/site/src/content/docs/commands/zarf_tools_registry_pull.md +++ b/site/src/content/docs/commands/zarf_tools_registry_pull.md @@ -40,6 +40,8 @@ $ zarf tools registry pull reg.example.com/stefanprodan/podinfo:6.4.0 image.tar ``` --allow-nondistributable-artifacts Allow pushing non-distributable (foreign) layers --insecure Allow image references to be fetched without TLS + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. --platform string Specifies the platform in the form os/arch[/variant][:osversion] (e.g. linux/amd64). (default "all") -v, --verbose Enable debug logs ``` diff --git a/site/src/content/docs/commands/zarf_tools_registry_push.md b/site/src/content/docs/commands/zarf_tools_registry_push.md index beb58ad1f1..efbbe885f6 100644 --- a/site/src/content/docs/commands/zarf_tools_registry_push.md 
+++ b/site/src/content/docs/commands/zarf_tools_registry_push.md @@ -43,6 +43,8 @@ $ zarf tools registry push image.tar reg.example.com/stefanprodan/podinfo:6.4.0 ``` --allow-nondistributable-artifacts Allow pushing non-distributable (foreign) layers --insecure Allow image references to be fetched without TLS + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. --platform string Specifies the platform in the form os/arch[/variant][:osversion] (e.g. linux/amd64). (default "all") -v, --verbose Enable debug logs ``` diff --git a/site/src/content/docs/commands/zarf_tools_registry_version.md b/site/src/content/docs/commands/zarf_tools_registry_version.md index aca0c7176f..2547913064 100644 --- a/site/src/content/docs/commands/zarf_tools_registry_version.md +++ b/site/src/content/docs/commands/zarf_tools_registry_version.md @@ -32,6 +32,8 @@ zarf tools registry version [flags] ``` --allow-nondistributable-artifacts Allow pushing non-distributable (foreign) layers --insecure Allow image references to be fetched without TLS + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. --platform string Specifies the platform in the form os/arch[/variant][:osversion] (e.g. linux/amd64). (default "all") -v, --verbose Enable debug logs ``` diff --git a/site/src/content/docs/commands/zarf_tools_sbom.md b/site/src/content/docs/commands/zarf_tools_sbom.md index b6a733f6ff..963ee996ad 100644 
--- a/site/src/content/docs/commands/zarf_tools_sbom.md +++ b/site/src/content/docs/commands/zarf_tools_sbom.md @@ -38,6 +38,13 @@ zarf tools sbom [flags] -v, --verbose count increase verbosity (-v = info, -vv = debug) ``` +### Options inherited from parent commands + +``` + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. +``` + ### SEE ALSO * [zarf tools](/commands/zarf_tools/) - Collection of additional tools to make airgap easier diff --git a/site/src/content/docs/commands/zarf_tools_sbom_attest.md b/site/src/content/docs/commands/zarf_tools_sbom_attest.md index 89c673210f..66d6eac62b 100644 --- a/site/src/content/docs/commands/zarf_tools_sbom_attest.md +++ b/site/src/content/docs/commands/zarf_tools_sbom_attest.md @@ -36,9 +36,11 @@ zarf tools sbom attest --output [FORMAT] [flags] ### Options inherited from parent commands ``` - -c, --config string syft configuration file - -q, --quiet suppress all logging output - -v, --verbose count increase verbosity (-v = info, -vv = debug) + -c, --config string syft configuration file + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. + -q, --quiet suppress all logging output + -v, --verbose count increase verbosity (-v = info, -vv = debug) ``` ### SEE ALSO diff --git a/site/src/content/docs/commands/zarf_tools_sbom_convert.md b/site/src/content/docs/commands/zarf_tools_sbom_convert.md index 96936399a7..dc08f90913 100644 
--- a/site/src/content/docs/commands/zarf_tools_sbom_convert.md +++ b/site/src/content/docs/commands/zarf_tools_sbom_convert.md @@ -30,9 +30,11 @@ zarf tools sbom convert [SOURCE-SBOM] -o [FORMAT] [flags] ### Options inherited from parent commands ``` - -c, --config string syft configuration file - -q, --quiet suppress all logging output - -v, --verbose count increase verbosity (-v = info, -vv = debug) + -c, --config string syft configuration file + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. + -q, --quiet suppress all logging output + -v, --verbose count increase verbosity (-v = info, -vv = debug) ``` ### SEE ALSO diff --git a/site/src/content/docs/commands/zarf_tools_sbom_login.md b/site/src/content/docs/commands/zarf_tools_sbom_login.md index a5995424a3..4555edc1a8 100644 --- a/site/src/content/docs/commands/zarf_tools_sbom_login.md +++ b/site/src/content/docs/commands/zarf_tools_sbom_login.md @@ -26,9 +26,11 @@ zarf tools sbom login [OPTIONS] [SERVER] [flags] ### Options inherited from parent commands ``` - -c, --config string syft configuration file - -q, --quiet suppress all logging output - -v, --verbose count increase verbosity (-v = info, -vv = debug) + -c, --config string syft configuration file + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. + -q, --quiet suppress all logging output + -v, --verbose count increase verbosity (-v = info, -vv = debug) ``` ### SEE ALSO 
diff --git a/site/src/content/docs/commands/zarf_tools_sbom_scan.md b/site/src/content/docs/commands/zarf_tools_sbom_scan.md index 4c25172c0e..fcc63cbe14 100644 --- a/site/src/content/docs/commands/zarf_tools_sbom_scan.md +++ b/site/src/content/docs/commands/zarf_tools_sbom_scan.md @@ -38,9 +38,11 @@ zarf tools sbom scan [SOURCE] [flags] ### Options inherited from parent commands ``` - -c, --config string syft configuration file - -q, --quiet suppress all logging output - -v, --verbose count increase verbosity (-v = info, -vv = debug) + -c, --config string syft configuration file + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. + -q, --quiet suppress all logging output + -v, --verbose count increase verbosity (-v = info, -vv = debug) ``` ### SEE ALSO diff --git a/site/src/content/docs/commands/zarf_tools_sbom_version.md b/site/src/content/docs/commands/zarf_tools_sbom_version.md index 2d141d1f12..3530449fc7 100644 --- a/site/src/content/docs/commands/zarf_tools_sbom_version.md +++ b/site/src/content/docs/commands/zarf_tools_sbom_version.md 
@@ -24,9 +24,11 @@ zarf tools sbom version [flags] ### Options inherited from parent commands ``` - -c, --config string syft configuration file - -q, --quiet suppress all logging output - -v, --verbose count increase verbosity (-v = info, -vv = debug) + -c, --config string syft configuration file + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. + -q, --quiet suppress all logging output + -v, --verbose count increase verbosity (-v = info, -vv = debug) ``` ### SEE ALSO diff --git a/site/src/content/docs/commands/zarf_tools_update-creds.md b/site/src/content/docs/commands/zarf_tools_update-creds.md index b023dc0c56..6ff620ea1a 100644 --- a/site/src/content/docs/commands/zarf_tools_update-creds.md +++ b/site/src/content/docs/commands/zarf_tools_update-creds.md 
@@ -72,14 +72,15 @@ $ zarf tools update-creds artifact --artifact-push-username={USERNAME} --artifac ### Options inherited from parent commands ``` - -a, --architecture string Architecture for OCI images and Zarf packages - --insecure Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture. - -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") - --no-color Disable colors in output - --no-log-file Disable log file creation - --no-progress Disable fancy UI progress bars, spinners, logos, etc - --tmpdir string Specify the temporary directory to use for intermediate files - --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") + -a, --architecture string Architecture for OCI images and Zarf packages + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") + --no-color Disable colors in output + --no-log-file Disable log file creation + --no-progress Disable fancy UI progress bars, spinners, logos, etc + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. + --tmpdir string Specify the temporary directory to use for intermediate files + --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") ``` ### SEE ALSO diff --git a/site/src/content/docs/commands/zarf_tools_wait-for.md b/site/src/content/docs/commands/zarf_tools_wait-for.md index 747db896f1..ce19b5590f 100644 
--- a/site/src/content/docs/commands/zarf_tools_wait-for.md +++ b/site/src/content/docs/commands/zarf_tools_wait-for.md @@ -54,6 +54,13 @@ $ zarf tools wait-for http google.com success # wait --timeout string Specify the timeout duration for the wait command. (default "5m") ``` +### Options inherited from parent commands + +``` + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. +``` + ### SEE ALSO * [zarf tools](/commands/zarf_tools/) - Collection of additional tools to make airgap easier diff --git a/site/src/content/docs/commands/zarf_tools_yq.md b/site/src/content/docs/commands/zarf_tools_yq.md index 7e865330fa..8916e18e3b 100644 --- a/site/src/content/docs/commands/zarf_tools_yq.md +++ b/site/src/content/docs/commands/zarf_tools_yq.md @@ -81,6 +81,13 @@ zarf tools yq -P sample.json --xml-strict-mode enables strict parsing of XML. See https://pkg.go.dev/encoding/xml for more details. ``` +### Options inherited from parent commands + +``` + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. +``` + ### SEE ALSO * [zarf tools](/commands/zarf_tools/) - Collection of additional tools to make airgap easier diff --git a/site/src/content/docs/commands/zarf_tools_yq_completion.md b/site/src/content/docs/commands/zarf_tools_yq_completion.md index c67ed20899..13651b3536 100644 --- a/site/src/content/docs/commands/zarf_tools_yq_completion.md 
+++ b/site/src/content/docs/commands/zarf_tools_yq_completion.md @@ -68,6 +68,7 @@ zarf tools yq completion [bash|zsh|fish|powershell] -I, --indent int sets indent level for output (default 2) -i, --inplace update the file in place of first file given. -p, --input-format string [auto|a|yaml|y|json|j|props|p|csv|c|tsv|t|xml|x|base64|uri|toml|lua|l] parse format for input. (default "auto") + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. --lua-globals output keys as top-level global variables --lua-prefix string prefix (default "return ") --lua-suffix string suffix (default ";\n") @@ -77,6 +78,7 @@ zarf tools yq completion [bash|zsh|fish|powershell] -0, --nul-output Use NUL char to separate values. If unwrap scalar is also set, fail if unwrapped scalar contains NUL char. -n, --null-input Don't read input, simply evaluate the expression given. Useful for creating docs from scratch. -o, --output-format string [auto|a|yaml|y|json|j|props|p|csv|c|tsv|t|xml|x|base64|uri|toml|shell|s|lua|l] output format type. (default "auto") + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. -P, --prettyPrint pretty print, shorthand for '... style = ""' --properties-array-brackets use [x] in array paths (e.g. for SpringBoot) --properties-separator string separator to use between keys and values (default " = ") diff --git a/site/src/content/docs/commands/zarf_tools_yq_eval-all.md b/site/src/content/docs/commands/zarf_tools_yq_eval-all.md index 29d8b065fa..07cbc3b70e 100644 --- a/site/src/content/docs/commands/zarf_tools_yq_eval-all.md +++ b/site/src/content/docs/commands/zarf_tools_yq_eval-all.md 
@@ -64,6 +64,7 @@ cat file2.yml | zarf tools yq ea '.a.b' file1.yml - file3.yml -I, --indent int sets indent level for output (default 2) -i, --inplace update the file in place of first file given. -p, --input-format string [auto|a|yaml|y|json|j|props|p|csv|c|tsv|t|xml|x|base64|uri|toml|lua|l] parse format for input. (default "auto") + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. --lua-globals output keys as top-level global variables --lua-prefix string prefix (default "return ") --lua-suffix string suffix (default ";\n") @@ -73,6 +74,7 @@ cat file2.yml | zarf tools yq ea '.a.b' file1.yml - file3.yml -0, --nul-output Use NUL char to separate values. If unwrap scalar is also set, fail if unwrapped scalar contains NUL char. -n, --null-input Don't read input, simply evaluate the expression given. Useful for creating docs from scratch. -o, --output-format string [auto|a|yaml|y|json|j|props|p|csv|c|tsv|t|xml|x|base64|uri|toml|shell|s|lua|l] output format type. (default "auto") + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. -P, --prettyPrint pretty print, shorthand for '... style = ""' --properties-array-brackets use [x] in array paths (e.g. for SpringBoot) --properties-separator string separator to use between keys and values (default " = ") diff --git a/site/src/content/docs/commands/zarf_tools_yq_eval.md b/site/src/content/docs/commands/zarf_tools_yq_eval.md index 215184cf00..bdc33ee6cf 100644 --- a/site/src/content/docs/commands/zarf_tools_yq_eval.md +++ b/site/src/content/docs/commands/zarf_tools_yq_eval.md 
@@ -66,6 +66,7 @@ zarf tools yq e '.a.b = "cool"' -i file.yaml -I, --indent int sets indent level for output (default 2) -i, --inplace update the file in place of first file given. -p, --input-format string [auto|a|yaml|y|json|j|props|p|csv|c|tsv|t|xml|x|base64|uri|toml|lua|l] parse format for input. (default "auto") + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. --lua-globals output keys as top-level global variables --lua-prefix string prefix (default "return ") --lua-suffix string suffix (default ";\n") @@ -75,6 +76,7 @@ zarf tools yq e '.a.b = "cool"' -i file.yaml -0, --nul-output Use NUL char to separate values. If unwrap scalar is also set, fail if unwrapped scalar contains NUL char. -n, --null-input Don't read input, simply evaluate the expression given. Useful for creating docs from scratch. -o, --output-format string [auto|a|yaml|y|json|j|props|p|csv|c|tsv|t|xml|x|base64|uri|toml|shell|s|lua|l] output format type. (default "auto") + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. -P, --prettyPrint pretty print, shorthand for '... style = ""' --properties-array-brackets use [x] in array paths (e.g. for SpringBoot) --properties-separator string separator to use between keys and values (default " = ") diff --git a/site/src/content/docs/commands/zarf_version.md b/site/src/content/docs/commands/zarf_version.md index 2bffaa5403..ab3859c1ec 100644 --- a/site/src/content/docs/commands/zarf_version.md +++ b/site/src/content/docs/commands/zarf_version.md 
@@ -28,14 +28,15 @@ zarf version [flags] ### Options inherited from parent commands ``` - -a, --architecture string Architecture for OCI images and Zarf packages - --insecure Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture. - -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") - --no-color Disable colors in output - --no-log-file Disable log file creation - --no-progress Disable fancy UI progress bars, spinners, logos, etc - --tmpdir string Specify the temporary directory to use for intermediate files - --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") + -a, --architecture string Architecture for OCI images and Zarf packages + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") + --no-color Disable colors in output + --no-log-file Disable log file creation + --no-progress Disable fancy UI progress bars, spinners, logos, etc + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. + --tmpdir string Specify the temporary directory to use for intermediate files + --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") ``` ### SEE ALSO diff --git a/site/src/content/docs/tutorials/6-publish-and-deploy.mdx b/site/src/content/docs/tutorials/6-publish-and-deploy.mdx index a03b0ec392..5787bfd673 100644 --- a/site/src/content/docs/tutorials/6-publish-and-deploy.mdx 
+++ b/site/src/content/docs/tutorials/6-publish-and-deploy.mdx @@ -142,7 +142,7 @@ You attempted to publish a package with no version metadata. You attempted to publish a package to an insecure registry, using http instead of https. -1. Use the `--insecure` flag. Note that this is not suitable for production workloads. +1. Use the `--plain-http` flag. Note that this is not suitable for production workloads. ::: diff --git a/src/cmd/common/viper.go b/src/cmd/common/viper.go index 1077b654a0..0e82a33676 100644 --- a/src/cmd/common/viper.go +++ b/src/cmd/common/viper.go @@ -20,14 +20,16 @@ const ( // Root config keys - VLogLevel = "log_level" - VArchitecture = "architecture" - VNoLogFile = "no_log_file" - VNoProgress = "no_progress" - VNoColor = "no_color" - VZarfCache = "zarf_cache" - VTmpDir = "tmp_dir" - VInsecure = "insecure" + VLogLevel = "log_level" + VArchitecture = "architecture" + VNoLogFile = "no_log_file" + VNoProgress = "no_progress" + VNoColor = "no_color" + VZarfCache = "zarf_cache" + VTmpDir = "tmp_dir" + VInsecure = "insecure" + VPlainHTTP = "plain_http" + VInsecureSkipTLSVerify = "insecure_skip_tls_verify" // Init config keys diff --git a/src/cmd/initialize.go b/src/cmd/initialize.go index 4d1c61363b..376db85da9 100644 --- a/src/cmd/initialize.go +++ b/src/cmd/initialize.go @@ -223,6 +223,7 @@ func init() { initCmd.Flags().IntVar(&pkgConfig.PkgOpts.Retries, "retries", v.GetInt(common.VPkgRetries), lang.CmdPackageFlagRetries) initCmd.Flags().StringVarP(&pkgConfig.PkgOpts.PublicKeyPath, "key", "k", v.GetString(common.VPkgPublicKey), lang.CmdPackageFlagFlagPublicKey) + initCmd.Flags().BoolVar(&pkgConfig.PkgOpts.SkipSignatureValidation, "skip-signature-validation", false, lang.CmdPackageFlagSkipSignatureValidation) initCmd.Flags().SortFlags = true } diff --git a/src/cmd/package.go b/src/cmd/package.go index a40439d53f..130a11c884 100644 --- a/src/cmd/package.go +++ b/src/cmd/package.go 
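Review bot: `initCmd` gains the `--skip-signature-validation` flag here, but this is the only hunk for `src/cmd/initialize.go` in the patch, so `initCmd` does not receive the `PreRun` mapping from `--insecure` that the package commands get in `src/cmd/package.go`. If init's signature check is now driven only by `pkgConfig.PkgOpts.SkipSignatureValidation` (the consuming code is not visible here), `zarf init --insecure` becomes stricter than before; that fails closed, but it is a behaviour change the deprecation message does not mention. Either add the same hook to `initCmd` or record the intent above the flag, e.g. `// --insecure intentionally does not imply --skip-signature-validation for init`. The surrounding `init()` body starts and ends outside the hunk.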
@@ -79,6 +79,12 @@ var packageDeployCmd = &cobra.Command{ Short: lang.CmdPackageDeployShort, Long: lang.CmdPackageDeployLong, Args: cobra.MaximumNArgs(1), + PreRun: func(_ *cobra.Command, _ []string) { + // If --insecure was provided, set --skip-signature-validation to match + if config.CommonOptions.Insecure { + pkgConfig.PkgOpts.SkipSignatureValidation = true + } + }, RunE: func(cmd *cobra.Command, args []string) error { packageSource, err := choosePackage(args) if err != nil { @@ -112,6 +118,12 @@ var packageMirrorCmd = &cobra.Command{ Long: lang.CmdPackageMirrorLong, Example: lang.CmdPackageMirrorExample, Args: cobra.MaximumNArgs(1), + PreRun: func(_ *cobra.Command, _ []string) { + // If --insecure was provided, set --skip-signature-validation to match + if config.CommonOptions.Insecure { + pkgConfig.PkgOpts.SkipSignatureValidation = true + } + }, RunE: func(cmd *cobra.Command, args []string) error { packageSource, err := choosePackage(args) if err != nil { @@ -136,6 +148,12 @@ var packageInspectCmd = &cobra.Command{ Short: lang.CmdPackageInspectShort, Long: lang.CmdPackageInspectLong, Args: cobra.MaximumNArgs(1), + PreRun: func(_ *cobra.Command, _ []string) { + // If --insecure was provided, set --skip-signature-validation to match + if config.CommonOptions.Insecure { + pkgConfig.PkgOpts.SkipSignatureValidation = true + } + }, RunE: func(cmd *cobra.Command, args []string) error { packageSource, err := choosePackage(args) if err != nil { @@ -208,6 +226,12 @@ var packageRemoveCmd = &cobra.Command{ Aliases: []string{"u", "rm"}, Args: cobra.MaximumNArgs(1), Short: lang.CmdPackageRemoveShort, + PreRun: func(_ *cobra.Command, _ []string) { + // If --insecure was provided, set --skip-signature-validation to match + if config.CommonOptions.Insecure { + pkgConfig.PkgOpts.SkipSignatureValidation = true + } + }, RunE: func(cmd *cobra.Command, args []string) error { packageSource, err := choosePackage(args) if err != nil { 
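Review bot: The `PreRun` closure added to `packageDeployCmd` is repeated verbatim in `packageMirrorCmd`, `packageInspectCmd`, `packageRemoveCmd` and `packagePublishCmd`, so one security-relevant rule (the deprecated `--insecure` turns off signature validation) now lives in five copies. A single named hook keeps the copies from drifting when `--insecure` is eventually removed, and gives one place to document that the override is one-way: it can only set `SkipSignatureValidation` to true, never back to false. Each command literal then carries `PreRun: skipSignatureValidationIfInsecure,` instead of the inline function. The command definitions continue outside these hunks.

```go
// skipSignatureValidationIfInsecure keeps the deprecated --insecure flag
// implying --skip-signature-validation. It only ever relaxes the setting.
func skipSignatureValidationIfInsecure(_ *cobra.Command, _ []string) {
	if config.CommonOptions.Insecure {
		pkgConfig.PkgOpts.SkipSignatureValidation = true
	}
}

var packageDeployCmd = &cobra.Command{
	// … unchanged: Short, Long, Args …
	PreRun: skipSignatureValidationIfInsecure,
	// … unchanged: RunE …
```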
@@ -236,6 +260,12 @@ var packagePublishCmd = &cobra.Command{ Short: lang.CmdPackagePublishShort, Example: lang.CmdPackagePublishExample, Args: cobra.ExactArgs(2), + PreRun: func(_ *cobra.Command, _ []string) { + // If --insecure was provided, set --skip-signature-validation to match + if config.CommonOptions.Insecure { + pkgConfig.PkgOpts.SkipSignatureValidation = true + } + }, RunE: func(cmd *cobra.Command, args []string) error { pkgConfig.PkgOpts.PackageSource = args[0] @@ -430,6 +460,7 @@ func bindDeployFlags(v *viper.Viper) { deployFlags.StringVar(&pkgConfig.PkgOpts.OptionalComponents, "components", v.GetString(common.VPkgDeployComponents), lang.CmdPackageDeployFlagComponents) deployFlags.StringVar(&pkgConfig.PkgOpts.Shasum, "shasum", v.GetString(common.VPkgDeployShasum), lang.CmdPackageDeployFlagShasum) deployFlags.StringVar(&pkgConfig.PkgOpts.SGetKeyPath, "sget", v.GetString(common.VPkgDeploySget), lang.CmdPackageDeployFlagSget) + deployFlags.BoolVar(&pkgConfig.PkgOpts.SkipSignatureValidation, "skip-signature-validation", false, lang.CmdPackageFlagSkipSignatureValidation) deployFlags.MarkHidden("sget") } @@ -446,6 +477,7 @@ func bindMirrorFlags(v *viper.Viper) { mirrorFlags.BoolVar(&config.CommonOptions.Confirm, "confirm", false, lang.CmdPackageDeployFlagConfirm) mirrorFlags.BoolVar(&pkgConfig.MirrorOpts.NoImgChecksum, "no-img-checksum", false, lang.CmdPackageMirrorFlagNoChecksum) + mirrorFlags.BoolVar(&pkgConfig.PkgOpts.SkipSignatureValidation, "skip-signature-validation", false, lang.CmdPackageFlagSkipSignatureValidation) mirrorFlags.IntVar(&pkgConfig.PkgOpts.Retries, "retries", v.GetInt(common.VPkgRetries), lang.CmdPackageFlagRetries) mirrorFlags.StringVar(&pkgConfig.PkgOpts.OptionalComponents, "components", v.GetString(common.VPkgDeployComponents), lang.CmdPackageMirrorFlagComponents) 
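Review bot: The `skip-signature-validation` flag registered in `bindDeployFlags` (and again in `bindMirrorFlags`, `bindInspectFlags`, `bindRemoveFlags`, `bindPublishFlags` and on `initCmd`) takes its help text from `lang.CmdPackageFlagSkipSignatureValidation`, which this patch defines as only "Skip validating the signature of the Zarf package". The two other flags split out of `--insecure` both end with the reduced-security caveat, and this one turns off verification of the package signature, so its help text should say the same. Suggested value: `CmdPackageFlagSkipSignatureValidation = "Skip validating the signature of the Zarf package. This flag should only be used if you have a specific reason and accept the reduced security posture."`.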
@@ -466,12 +498,14 @@ func bindInspectFlags(_ *viper.Viper) { inspectFlags.BoolVarP(&pkgConfig.InspectOpts.ViewSBOM, "sbom", "s", false, lang.CmdPackageInspectFlagSbom) inspectFlags.StringVar(&pkgConfig.InspectOpts.SBOMOutputDir, "sbom-out", "", lang.CmdPackageInspectFlagSbomOut) inspectFlags.BoolVar(&pkgConfig.InspectOpts.ListImages, "list-images", false, lang.CmdPackageInspectFlagListImages) + inspectFlags.BoolVar(&pkgConfig.PkgOpts.SkipSignatureValidation, "skip-signature-validation", false, lang.CmdPackageFlagSkipSignatureValidation) } func bindRemoveFlags(v *viper.Viper) { removeFlags := packageRemoveCmd.Flags() removeFlags.BoolVar(&config.CommonOptions.Confirm, "confirm", false, lang.CmdPackageRemoveFlagConfirm) removeFlags.StringVar(&pkgConfig.PkgOpts.OptionalComponents, "components", v.GetString(common.VPkgDeployComponents), lang.CmdPackageRemoveFlagComponents) + removeFlags.BoolVar(&pkgConfig.PkgOpts.SkipSignatureValidation, "skip-signature-validation", false, lang.CmdPackageFlagSkipSignatureValidation) _ = packageRemoveCmd.MarkFlagRequired("confirm") } @@ -479,6 +513,7 @@ func bindPublishFlags(v *viper.Viper) { publishFlags := packagePublishCmd.Flags() publishFlags.StringVar(&pkgConfig.PublishOpts.SigningKeyPath, "signing-key", v.GetString(common.VPkgPublishSigningKey), lang.CmdPackagePublishFlagSigningKey) publishFlags.StringVar(&pkgConfig.PublishOpts.SigningKeyPassword, "signing-key-pass", v.GetString(common.VPkgPublishSigningKeyPassword), lang.CmdPackagePublishFlagSigningKeyPassword) + publishFlags.BoolVar(&pkgConfig.PkgOpts.SkipSignatureValidation, "skip-signature-validation", false, lang.CmdPackageFlagSkipSignatureValidation) } func bindPullFlags(v *viper.Viper) { diff --git a/src/cmd/root.go b/src/cmd/root.go index 62e0582c8e..188f91e8cc 100644 --- a/src/cmd/root.go +++ b/src/cmd/root.go 
@@ -37,6 +37,12 @@ var ( var rootCmd = &cobra.Command{ Use: "zarf COMMAND", PersistentPreRunE: func(cmd *cobra.Command, _ []string) error { + // If --insecure was provided, set --insecure-skip-tls-verify and --plain-http to match + if config.CommonOptions.Insecure { + config.CommonOptions.InsecureSkipTLSVerify = true + config.CommonOptions.PlainHTTP = true + } + // Skip for vendor only commands if common.CheckVendorOnlyFromPath(cmd) { return nil @@ -121,4 +127,7 @@ func init() { rootCmd.PersistentFlags().StringVar(&config.CommonOptions.CachePath, "zarf-cache", v.GetString(common.VZarfCache), lang.RootCmdFlagCachePath) rootCmd.PersistentFlags().StringVar(&config.CommonOptions.TempDirectory, "tmpdir", v.GetString(common.VTmpDir), lang.RootCmdFlagTempDir) rootCmd.PersistentFlags().BoolVar(&config.CommonOptions.Insecure, "insecure", v.GetBool(common.VInsecure), lang.RootCmdFlagInsecure) + rootCmd.PersistentFlags().MarkDeprecated("insecure", "please use --plain-http, --insecure-skip-tls-verify, or --skip-signature-validation instead.") + rootCmd.PersistentFlags().BoolVar(&config.CommonOptions.PlainHTTP, "plain-http", v.GetBool(common.VPlainHTTP), lang.RootCmdFlagPlainHTTP) + rootCmd.PersistentFlags().BoolVar(&config.CommonOptions.InsecureSkipTLSVerify, "insecure-skip-tls-verify", v.GetBool(common.VInsecureSkipTLSVerify), lang.RootCmdFlagInsecureSkipTLSVerify) } diff --git a/src/config/lang/english.go b/src/config/lang/english.go index 1afdfab83c..ccc2f83f06 100644 --- a/src/config/lang/english.go +++ b/src/config/lang/english.go 
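Review bot: The `--insecure` mapping added at the top of `rootCmd`'s `PersistentPreRunE` runs only for commands that define no persistent pre-run hook of their own, because cobra by default executes just the nearest such hook in the command chain. Whether any subcommand defines one is not visible in this hunk; if one does, `--insecure` on that subcommand would no longer imply `--plain-http` and `--insecure-skip-tls-verify`. That fails closed, but it deserves a comment on the block, e.g. `// NOTE: not applied to subcommands that define their own PersistentPreRun(E)`, or a check of those subcommands. The hook body continues outside the hunk.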
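Review bot: `MarkDeprecated` in `init()` returns an error that is dropped, and the notice it registers is printed only when `--insecure` is parsed from the command line. The flag's default still comes from `v.GetBool(common.VInsecure)`, so an `insecure` value supplied through configuration would, as far as this diff shows, reach the new block in `PersistentPreRunE` and switch on `PlainHTTP` and `InsecureSkipTLSVerify` with no message to the operator. Consider `_ = rootCmd.PersistentFlags().MarkDeprecated(...)`, as `package.go` does for `MarkFlagRequired`, plus an explicit warning in `PersistentPreRunE` whenever `config.CommonOptions.Insecure` is true.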
@@ -45,14 +45,16 @@ const ( RootCmdLong = "Zarf eliminates the complexity of air gap software delivery for Kubernetes clusters and cloud native workloads\n" + "using a declarative packaging strategy to support DevSecOps in offline and semi-connected environments." - RootCmdFlagLogLevel = "Log level when running Zarf. Valid options are: warn, info, debug, trace" - RootCmdFlagArch = "Architecture for OCI images and Zarf packages" - RootCmdFlagSkipLogFile = "Disable log file creation" - RootCmdFlagNoProgress = "Disable fancy UI progress bars, spinners, logos, etc" - RootCmdFlagNoColor = "Disable colors in output" - RootCmdFlagCachePath = "Specify the location of the Zarf cache directory" - RootCmdFlagTempDir = "Specify the temporary directory to use for intermediate files" - RootCmdFlagInsecure = "Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture." + RootCmdFlagLogLevel = "Log level when running Zarf. Valid options are: warn, info, debug, trace" + RootCmdFlagArch = "Architecture for OCI images and Zarf packages" + RootCmdFlagSkipLogFile = "Disable log file creation" + RootCmdFlagNoProgress = "Disable fancy UI progress bars, spinners, logos, etc" + RootCmdFlagNoColor = "Disable colors in output" + RootCmdFlagCachePath = "Specify the location of the Zarf cache directory" + RootCmdFlagTempDir = "Specify the temporary directory to use for intermediate files" + RootCmdFlagInsecure = "Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture." + RootCmdFlagPlainHTTP = "Force the connections over HTTP instead of HTTPS. 
This flag should only be used if you have a specific reason and accept the reduced security posture." + RootCmdFlagInsecureSkipTLSVerify = "Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture." RootCmdDeprecatedDeploy = "Deprecated: Please use \"zarf package deploy %s\" to deploy this package. This warning will be removed in Zarf v1.0.0." RootCmdDeprecatedCreate = "Deprecated: Please use \"zarf package create\" to create this package. This warning will be removed in Zarf v1.0.0." @@ -210,10 +212,11 @@ $ zarf init --artifact-push-password={PASSWORD} --artifact-push-username={USERNA CmdInternalCrc32Short = "Generates a decimal CRC32 for the given text" // zarf package - CmdPackageShort = "Zarf package commands for creating, deploying, and inspecting packages" - CmdPackageFlagConcurrency = "Number of concurrent layer operations to perform when interacting with a remote package." - CmdPackageFlagFlagPublicKey = "Path to public key file for validating signed packages" - CmdPackageFlagRetries = "Number of retries to perform for Zarf deploy operations like git/image pushes or Helm installs" + CmdPackageShort = "Zarf package commands for creating, deploying, and inspecting packages" + CmdPackageFlagConcurrency = "Number of concurrent layer operations to perform when interacting with a remote package." + CmdPackageFlagFlagPublicKey = "Path to public key file for validating signed packages" + CmdPackageFlagSkipSignatureValidation = "Skip validating the signature of the Zarf package" + CmdPackageFlagRetries = "Number of retries to perform for Zarf deploy operations like git/image pushes or Helm installs" CmdPackageCreateShort = "Creates a Zarf package from a given directory or the current directory" CmdPackageCreateLong = "Builds an archive of resources and dependencies defined by the 'zarf.yaml' in the specified directory.\n" + 
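Review bot: `RootCmdFlagInsecure` is carried over unchanged and still promises that the flag disables "package checksum and signature validation", which no longer matches the visible code. `root.go` maps `--insecure` to TLS-verify skipping and plain HTTP only, and `ValidatePackageSignature` no longer reads it. A user relying on this text would misjudge which checks are active. Reword it to what the flag now does, e.g. `"[Deprecated] Equivalent to --plain-http together with --insecure-skip-tls-verify."`, adjusting if signature skipping is still wired up outside these hunks.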
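Review bot: `CmdPackageFlagSkipSignatureValidation` is the only one of the three new security-relaxing help strings without the reduced-security caveat that `RootCmdFlagPlainHTTP` and `RootCmdFlagInsecureSkipTLSVerify` carry. Skipping signature validation removes the package's authenticity check, so the help text should say so in the same wording: append `This flag should only be used if you have a specific reason and accept the reduced security posture.`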
@@ -273,7 +276,7 @@ $ zarf package mirror-resources \ CmdPackageDeployFlagAdoptExistingResources = "Adopts any pre-existing K8s resources into the Helm charts managed by Zarf. ONLY use when you have existing deployments you want Zarf to takeover." CmdPackageDeployFlagSet = "Specify deployment variables to set on the command line (KEY=value)" CmdPackageDeployFlagComponents = "Comma-separated list of components to deploy. Adding this flag will skip the prompts for selected components. Globbing component names with '*' and deselecting 'default' components with a leading '-' are also supported." - CmdPackageDeployFlagShasum = "Shasum of the package to deploy. Required if deploying a remote package and \"--insecure\" is not provided" + CmdPackageDeployFlagShasum = "Shasum of the package to deploy. Required if deploying a remote package." CmdPackageDeployFlagSget = "[Deprecated] Path to public sget key file for remote packages signed via cosign. This flag will be removed in v1.0.0 please use the --key flag instead." CmdPackageDeployFlagSkipWebhooks = "[alpha] Skip waiting for external webhooks to execute as each package component is deployed" CmdPackageDeployFlagTimeout = "Timeout for health checks and Helm operations such as installs and rollbacks" diff --git a/src/internal/packager/helm/chart.go b/src/internal/packager/helm/chart.go index daf59902e5..656b5560b5 100644 --- a/src/internal/packager/helm/chart.go +++ b/src/internal/packager/helm/chart.go @@ -143,7 +143,7 @@ func (h *Helm) TemplateChart(ctx context.Context) (manifest string, chartValues client.IncludeCRDs = true // TODO: Further research this with regular/OCI charts client.Verify = false - client.InsecureSkipTLSverify = config.CommonOptions.Insecure + client.InsecureSkipTLSverify = config.CommonOptions.InsecureSkipTLSVerify if h.kubeVersion != "" { parsedKubeVersion, err := chartutil.ParseKubeVersion(h.kubeVersion) if err != nil { 
diff --git a/src/internal/packager/helm/repo.go b/src/internal/packager/helm/repo.go index 378b12c9cf..249f19f0f2 100644 --- a/src/internal/packager/helm/repo.go +++ b/src/internal/packager/helm/repo.go @@ -192,7 +192,7 @@ func (h *Helm) DownloadPublishedChart(ctx context.Context, cosignKeyPath string) Verify: downloader.VerifyNever, Getters: getter.All(pull.Settings), Options: []getter.Option{ - getter.WithInsecureSkipVerifyTLS(config.CommonOptions.Insecure), + getter.WithInsecureSkipVerifyTLS(config.CommonOptions.InsecureSkipTLSVerify), getter.WithBasicAuth(username, password), }, } diff --git a/src/internal/packager/images/common.go b/src/internal/packager/images/common.go index 3e2ad406ff..285c541edb 100644 --- a/src/internal/packager/images/common.go +++ b/src/internal/packager/images/common.go @@ -50,9 +50,9 @@ type PushConfig struct { func NoopOpt(*crane.Options) {} // WithGlobalInsecureFlag returns an option for crane that configures insecure -// based upon Zarf's global --insecure flag. +// based upon Zarf's global --insecure-skip-tls-verify (and --insecure) flags. func WithGlobalInsecureFlag() []crane.Option { - if config.CommonOptions.Insecure { + if config.CommonOptions.InsecureSkipTLSVerify { return []crane.Option{crane.Insecure} } // passing a nil option will cause panic @@ -103,7 +103,7 @@ func createPushOpts(cfg PushConfig, pb *message.ProgressBar) []crane.Option { opts = append(opts, WithPushAuth(cfg.RegInfo)) transport := http.DefaultTransport.(*http.Transport).Clone() - transport.TLSClientConfig.InsecureSkipVerify = config.CommonOptions.Insecure + transport.TLSClientConfig.InsecureSkipVerify = config.CommonOptions.InsecureSkipTLSVerify // TODO (@WSTARR) This is set to match the TLSHandshakeTimeout to potentially mitigate effects of https://github.com/zarf-dev/zarf/issues/1444 transport.ResponseHeaderTimeout = 10 * time.Second diff --git a/src/pkg/packager/creator/normal.go b/src/pkg/packager/creator/normal.go index 847a22003e..8766bfb8d3 100644 
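Review bot: `WithGlobalInsecureFlag` now keys `crane.Insecure` off `InsecureSkipTLSVerify` alone, but as far as I know `crane.Insecure` both disables certificate verification and allows the registry to be reached over plain HTTP, so the split flags do not map one-to-one here. With this hunk `--insecure-skip-tls-verify` would also permit an unencrypted connection for crane operations, and `--plain-http` on its own would have no effect on them. Either document that in the function comment, e.g. `// NOTE: crane.Insecure also permits plain-HTTP fallback, so this is broader than certificate skipping`, or build the crane transport explicitly so each flag controls only what its name says. The function body ends outside the hunk.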
--- a/src/pkg/packager/creator/normal.go +++ b/src/pkg/packager/creator/normal.go @@ -281,14 +281,17 @@ func (pc *PackageCreator) Output(ctx context.Context, dst *layout.PackagePaths, return fmt.Errorf("unable to publish package: %w", err) } message.HorizontalRule() - flags := "" - if config.CommonOptions.Insecure { - flags = "--insecure" + flags := []string{} + if config.CommonOptions.PlainHTTP { + flags = append(flags, "--plain-http") + } + if config.CommonOptions.InsecureSkipTLSVerify { + flags = append(flags, "--insecure-skip-tls-verify") } message.Title("To inspect/deploy/pull:", "") - message.ZarfCommand("package inspect %s %s", helpers.OCIURLPrefix+remote.Repo().Reference.String(), flags) - message.ZarfCommand("package deploy %s %s", helpers.OCIURLPrefix+remote.Repo().Reference.String(), flags) - message.ZarfCommand("package pull %s %s", helpers.OCIURLPrefix+remote.Repo().Reference.String(), flags) + message.ZarfCommand("package inspect %s %s", helpers.OCIURLPrefix+remote.Repo().Reference.String(), strings.Join(flags, " ")) + message.ZarfCommand("package deploy %s %s", helpers.OCIURLPrefix+remote.Repo().Reference.String(), strings.Join(flags, " ")) + message.ZarfCommand("package pull %s %s", helpers.OCIURLPrefix+remote.Repo().Reference.String(), strings.Join(flags, " ")) } else { // Use the output path if the user specified it. packageName := fmt.Sprintf("%s%s", sources.NameFromMetadata(pkg, pc.createOpts.IsSkeleton), sources.PkgSuffix(pkg.Metadata.Uncompressed)) diff --git a/src/pkg/packager/sources/new_test.go b/src/pkg/packager/sources/new_test.go index 9ae3147168..17d1481192 100644 --- a/src/pkg/packager/sources/new_test.go +++ b/src/pkg/packager/sources/new_test.go 
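Review bot: `strings.Join(flags, " ")` and the OCI reference string are recomputed for each of the three `message.ZarfCommand` calls; joining once (`flagStr := strings.Join(flags, " ")`) and declaring `var flags []string` instead of `flags := []string{}` would read more cleanly. These hints are meant to be copied, so a short comment is worthwhile: `// echo only the transport flags the publisher used; never suggest --skip-signature-validation`. `Output` starts and ends outside the hunk, and the hunk does not show whether `strings` is already imported in this file.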
@@ -155,7 +155,7 @@ func TestPackageSource(t *testing.T) { { name: "http-insecure", src: fmt.Sprintf("%s/zarf-package-wordpress-amd64-16.0.4.tar.zst", ts.URL), - expectedErr: "remote package provided without a shasum, use --insecure to ignore, or provide one w/ --shasum", + expectedErr: "remote package provided without a shasum, please provide one with --shasum", }, } for _, tt := range tests { diff --git a/src/pkg/packager/sources/oci.go b/src/pkg/packager/sources/oci.go index 8bf6d6d1a6..b86d3797d3 100644 --- a/src/pkg/packager/sources/oci.go +++ b/src/pkg/packager/sources/oci.go @@ -79,8 +79,10 @@ func (s *OCISource) LoadPackage(ctx context.Context, dst *layout.PackagePaths, f spinner.Success() - if err := ValidatePackageSignature(ctx, dst, s.PublicKeyPath); err != nil { - return pkg, nil, err + if !s.SkipSignatureValidation { + if err := ValidatePackageSignature(ctx, dst, s.PublicKeyPath); err != nil { + return pkg, nil, err + } } } @@ -141,11 +143,13 @@ func (s *OCISource) LoadPackageMetadata(ctx context.Context, dst *layout.Package spinner.Success() } - if err := ValidatePackageSignature(ctx, dst, s.PublicKeyPath); err != nil { - if errors.Is(err, ErrPkgSigButNoKey) && skipValidation { - message.Warn("The package was signed but no public key was provided, skipping signature validation") - } else { - return pkg, nil, err + if !s.SkipSignatureValidation { + if err := ValidatePackageSignature(ctx, dst, s.PublicKeyPath); err != nil { + if errors.Is(err, ErrPkgSigButNoKey) && skipValidation { + message.Warn("The package was signed but no public key was provided, skipping signature validation") + } else { + return pkg, nil, err + } } } } diff --git a/src/pkg/packager/sources/tarball.go b/src/pkg/packager/sources/tarball.go index db1b2ed01a..5b556f78e1 100644 --- a/src/pkg/packager/sources/tarball.go +++ b/src/pkg/packager/sources/tarball.go 
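Review bot: When `s.SkipSignatureValidation` is set, `OCISource.LoadPackage` skips `ValidatePackageSignature` without emitting anything, whereas the existing `ErrPkgSigButNoKey` path in `LoadPackageMetadata` at least calls `message.Warn`. A run that loaded an unverified package should leave a trace for whoever reviews the output later; add an `else` branch such as `message.Warn("Skipping package signature validation because --skip-signature-validation was set")`. The same applies to the second `oci.go` hunk and to both `tarball.go` hunks. `LoadPackageMetadata` now has two similarly named switches, the `skipValidation` parameter and `s.SkipSignatureValidation`, so a one-line comment on how they differ would help. All four functions extend beyond their hunks.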
@@ -107,8 +107,10 @@ func (s *TarballSource) LoadPackage(ctx context.Context, dst *layout.PackagePath spinner.Success() - if err := ValidatePackageSignature(ctx, dst, s.PublicKeyPath); err != nil { - return pkg, nil, err + if !s.SkipSignatureValidation { + if err := ValidatePackageSignature(ctx, dst, s.PublicKeyPath); err != nil { + return pkg, nil, err + } } } @@ -185,11 +187,13 @@ func (s *TarballSource) LoadPackageMetadata(ctx context.Context, dst *layout.Pac spinner.Success() } - if err := ValidatePackageSignature(ctx, dst, s.PublicKeyPath); err != nil { - if errors.Is(err, ErrPkgSigButNoKey) && skipValidation { - message.Warn("The package was signed but no public key was provided, skipping signature validation") - } else { - return pkg, nil, err + if !s.SkipSignatureValidation { + if err := ValidatePackageSignature(ctx, dst, s.PublicKeyPath); err != nil { + if errors.Is(err, ErrPkgSigButNoKey) && skipValidation { + message.Warn("The package was signed but no public key was provided, skipping signature validation") + } else { + return pkg, nil, err + } } } } diff --git a/src/pkg/packager/sources/url.go b/src/pkg/packager/sources/url.go index dd4aa05ff5..3e51aa611e 100644 --- a/src/pkg/packager/sources/url.go +++ b/src/pkg/packager/sources/url.go @@ -32,8 +32,8 @@ type URLSource struct { // Collect downloads a package from the source URL. func (s *URLSource) Collect(ctx context.Context, dir string) (string, error) { - if !config.CommonOptions.Insecure && s.Shasum == "" && !strings.HasPrefix(s.PackageSource, helpers.SGETURLPrefix) { - return "", fmt.Errorf("remote package provided without a shasum, use --insecure to ignore, or provide one w/ --shasum") + if s.Shasum == "" && !strings.HasPrefix(s.PackageSource, helpers.SGETURLPrefix) { + return "", fmt.Errorf("remote package provided without a shasum, please provide one with --shasum") } var packageURL string if s.Shasum != "" { 
diff --git a/src/pkg/packager/sources/validate.go b/src/pkg/packager/sources/validate.go index 1c7914ea69..baf958a699 100644 --- a/src/pkg/packager/sources/validate.go +++ b/src/pkg/packager/sources/validate.go @@ -15,7 +15,6 @@ import ( "strings" "github.com/defenseunicorns/pkg/helpers/v2" - "github.com/zarf-dev/zarf/src/config" "github.com/zarf-dev/zarf/src/pkg/layout" "github.com/zarf-dev/zarf/src/pkg/message" "github.com/zarf-dev/zarf/src/pkg/utils" @@ -25,16 +24,11 @@ var ( // ErrPkgKeyButNoSig is returned when a key was provided but the package is not signed ErrPkgKeyButNoSig = errors.New("a key was provided but the package is not signed - the package may be corrupted or the --key flag was erroneously specified") // ErrPkgSigButNoKey is returned when a package is signed but no key was provided - ErrPkgSigButNoKey = errors.New("package is signed but no key was provided - add a key with the --key flag or use the --insecure flag and run the command again") + ErrPkgSigButNoKey = errors.New("package is signed but no key was provided - add a key with the --key flag or use the --skip-signature-validation flag and run the command again") ) // ValidatePackageSignature validates the signature of a package func ValidatePackageSignature(ctx context.Context, paths *layout.PackagePaths, publicKeyPath string) error { - // If the insecure flag was provided ignore the signature validation - if config.CommonOptions.Insecure { - return nil - } - if publicKeyPath != "" { message.Debugf("Using public key %q for signature validation", publicKeyPath) } diff --git a/src/pkg/zoci/common.go b/src/pkg/zoci/common.go index 41cf415d1b..29e9f34564 100644 --- a/src/pkg/zoci/common.go +++ b/src/pkg/zoci/common.go 
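Review bot: The reworded `ErrPkgSigButNoKey` tells users to pass `--skip-signature-validation`, but that flag is registered per subcommand rather than on the root command, so the advice only holds where the flag exists. The `34_custom_init_package_test.go` hunk on this page expects this message from `zarf init`; confirm the flag is bound there and on every other command that can surface the error, since the bindings visible here cover only inspect, remove and publish. With the `config.CommonOptions.Insecure` early return gone, `ValidatePackageSignature` would benefit from a comment recording who decides to skip, e.g. `// Always validates; callers check SkipSignatureValidation before calling.` The function body continues outside the hunk.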
@@ -32,8 +32,8 @@ type Remote struct { func NewRemote(url string, platform ocispec.Platform, mods ...oci.Modifier) (*Remote, error) { logger := slog.New(message.ZarfHandler{}) modifiers := append([]oci.Modifier{ - oci.WithPlainHTTP(config.CommonOptions.Insecure), - oci.WithInsecureSkipVerify(config.CommonOptions.Insecure), + oci.WithPlainHTTP(config.CommonOptions.PlainHTTP), + oci.WithInsecureSkipVerify(config.CommonOptions.InsecureSkipTLSVerify), oci.WithLogger(logger), oci.WithUserAgent("zarf/" + config.CLIVersion), }, mods...) diff --git a/src/test/e2e/11_oci_pull_inspect_test.go b/src/test/e2e/11_oci_pull_inspect_test.go index cd045ae0a6..ed5f3ee0a1 100644 --- a/src/test/e2e/11_oci_pull_inspect_test.go +++ b/src/test/e2e/11_oci_pull_inspect_test.go @@ -61,7 +61,7 @@ func (suite *PullInspectTestSuite) Test_0_Pull() { suite.Contains(stdErr, "Package signature validated!") // Test pull w/ bad ref. - stdOut, stdErr, err = e2e.Zarf(suite.T(), "package", "pull", "oci://"+badPullInspectRef.String(), "--insecure") + stdOut, stdErr, err = e2e.Zarf(suite.T(), "package", "pull", "oci://"+badPullInspectRef.String(), "--plain-http") suite.Error(err, stdOut, stdErr) } @@ -69,7 +69,7 @@ func (suite *PullInspectTestSuite) Test_1_Remote_Inspect() { suite.T().Log("E2E: Package Inspect oci://") // Test inspect w/ bad ref. - _, stdErr, err := e2e.Zarf(suite.T(), "package", "inspect", "oci://"+badPullInspectRef.String(), "--insecure") + _, stdErr, err := e2e.Zarf(suite.T(), "package", "inspect", "oci://"+badPullInspectRef.String(), "--plain-http") suite.Error(err, stdErr) // Test inspect on a public package. diff --git a/src/test/e2e/14_oci_compose_test.go b/src/test/e2e/14_oci_compose_test.go index ef060af819..7159394107 100644 --- a/src/test/e2e/14_oci_compose_test.go +++ b/src/test/e2e/14_oci_compose_test.go 
@@ -65,47 +65,47 @@ func (suite *PublishCopySkeletonSuite) Test_0_Publish_Skeletons() { ref := suite.Reference.String() helmCharts := filepath.Join("examples", "helm-charts") - _, stdErr, err := e2e.Zarf(suite.T(), "package", "publish", helmCharts, "oci://"+ref, "--insecure") + _, stdErr, err := e2e.Zarf(suite.T(), "package", "publish", helmCharts, "oci://"+ref, "--plain-http") suite.NoError(err) suite.Contains(stdErr, "Published "+ref) bigBang := filepath.Join("src", "test", "packages", "14-import-everything", "big-bang-min") - _, stdErr, err = e2e.Zarf(suite.T(), "package", "publish", bigBang, "oci://"+ref, "--insecure") + _, stdErr, err = e2e.Zarf(suite.T(), "package", "publish", bigBang, "oci://"+ref, "--plain-http") suite.NoError(err) suite.Contains(stdErr, "Published "+ref) composable := filepath.Join("src", "test", "packages", "09-composable-packages") - _, stdErr, err = e2e.Zarf(suite.T(), "package", "publish", composable, "oci://"+ref, "--insecure") + _, stdErr, err = e2e.Zarf(suite.T(), "package", "publish", composable, "oci://"+ref, "--plain-http") suite.NoError(err) suite.Contains(stdErr, "Published "+ref) - _, stdErr, err = e2e.Zarf(suite.T(), "package", "publish", importEverything, "oci://"+ref, "--insecure") + _, stdErr, err = e2e.Zarf(suite.T(), "package", "publish", importEverything, "oci://"+ref, "--plain-http") suite.NoError(err) suite.Contains(stdErr, "Published "+ref) - _, _, err = e2e.Zarf(suite.T(), "package", "inspect", "oci://"+ref+"/import-everything:0.0.1", "--insecure", "-a", "skeleton") + _, _, err = e2e.Zarf(suite.T(), "package", "inspect", "oci://"+ref+"/import-everything:0.0.1", "--plain-http", "-a", "skeleton") suite.NoError(err) - _, _, err = e2e.Zarf(suite.T(), "package", "pull", "oci://"+ref+"/import-everything:0.0.1", "-o", "build", "--insecure", "-a", "skeleton") + _, _, err = e2e.Zarf(suite.T(), "package", "pull", "oci://"+ref+"/import-everything:0.0.1", "-o", "build", "--plain-http", "-a", "skeleton") suite.NoError(err) - _, 
_, err = e2e.Zarf(suite.T(), "package", "pull", "oci://"+ref+"/helm-charts:0.0.1", "-o", "build", "--insecure", "-a", "skeleton") + _, _, err = e2e.Zarf(suite.T(), "package", "pull", "oci://"+ref+"/helm-charts:0.0.1", "-o", "build", "--plain-http", "-a", "skeleton") suite.NoError(err) - _, _, err = e2e.Zarf(suite.T(), "package", "pull", "oci://"+ref+"/big-bang-min:2.10.0", "-o", "build", "--insecure", "-a", "skeleton") + _, _, err = e2e.Zarf(suite.T(), "package", "pull", "oci://"+ref+"/big-bang-min:2.10.0", "-o", "build", "--plain-http", "-a", "skeleton") suite.NoError(err) - _, _, err = e2e.Zarf(suite.T(), "package", "pull", "oci://"+ref+"/test-compose-package:0.0.1", "-o", "build", "--insecure", "-a", "skeleton") + _, _, err = e2e.Zarf(suite.T(), "package", "pull", "oci://"+ref+"/test-compose-package:0.0.1", "-o", "build", "--plain-http", "-a", "skeleton") suite.NoError(err) } func (suite *PublishCopySkeletonSuite) Test_1_Compose_Everything_Inception() { suite.T().Log("E2E: Skeleton Package Compose oci://") - _, _, err := e2e.Zarf(suite.T(), "package", "create", importEverything, "-o", "build", "--insecure", "--confirm") + _, _, err := e2e.Zarf(suite.T(), "package", "create", importEverything, "-o", "build", "--plain-http", "--confirm") suite.NoError(err) - _, _, err = e2e.Zarf(suite.T(), "package", "create", importception, "-o", "build", "--insecure", "--confirm") + _, _, err = e2e.Zarf(suite.T(), "package", "create", importception, "-o", "build", "--plain-http", "--confirm") suite.NoError(err) _, stdErr, err := e2e.Zarf(suite.T(), "package", "inspect", importEverythingPath) 
@@ -183,7 +183,7 @@ func (suite *PublishCopySkeletonSuite) Test_3_Copy() { t := suite.T() example := filepath.Join("build", fmt.Sprintf("zarf-package-helm-charts-%s-0.0.1.tar.zst", e2e.Arch)) - stdOut, stdErr, err := e2e.Zarf(t, "package", "publish", example, "oci://"+suite.Reference.Registry, "--insecure") + stdOut, stdErr, err := e2e.Zarf(t, "package", "publish", example, "oci://"+suite.Reference.Registry, "--plain-http") suite.NoError(err, stdOut, stdErr) suite.Reference.Repository = "helm-charts" diff --git a/src/test/e2e/29_config_file_test.go b/src/test/e2e/29_config_file_test.go index e947621518..0cea0b4dd9 100644 --- a/src/test/e2e/29_config_file_test.go +++ b/src/test/e2e/29_config_file_test.go @@ -103,7 +103,8 @@ func configFileDefaultTests(t *testing.T) { "Disable log file creation (default true)", "Disable fancy UI progress bars, spinners, logos, etc (default true)", "zarf_cache: 978499a5", - "Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture.", + "Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture.", + "Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture.", "tmp_dir: c457359e", } diff --git a/src/test/e2e/31_checksum_and_signature_test.go b/src/test/e2e/31_checksum_and_signature_test.go index c83888fe00..0c50817099 100644 --- a/src/test/e2e/31_checksum_and_signature_test.go +++ b/src/test/e2e/31_checksum_and_signature_test.go 
@@ -37,7 +37,7 @@ func TestChecksumAndSignature(t *testing.T) { // Test that we get an error when trying to deploy a package without providing the public key stdOut, stdErr, err = e2e.Zarf(t, "package", "deploy", pkgName, "--confirm") require.Error(t, err, stdOut, stdErr) - require.Contains(t, e2e.StripMessageFormatting(stdErr), "failed to deploy package: unable to load the package: package is signed but no key was provided - add a key with the --key flag or use the --insecure flag and run the command again") + require.Contains(t, e2e.StripMessageFormatting(stdErr), "failed to deploy package: unable to load the package: package is signed but no key was provided - add a key with the --key flag or use the --skip-signature-validation flag and run the command again") // Test that we don't get an error when we remember to provide the public key stdOut, stdErr, err = e2e.Zarf(t, "package", "deploy", pkgName, publicKeyFlag, "--confirm") diff --git a/src/test/e2e/34_custom_init_package_test.go b/src/test/e2e/34_custom_init_package_test.go index e4d3307fc4..d63226a9c8 100644 --- a/src/test/e2e/34_custom_init_package_test.go +++ b/src/test/e2e/34_custom_init_package_test.go @@ -38,7 +38,7 @@ func TestCustomInit(t *testing.T) { // Test that we get an error when trying to deploy a package without providing the public key stdOut, stdErr, err = e2e.Zarf(t, "init", "--confirm") require.Error(t, err, stdOut, stdErr) - require.Contains(t, e2e.StripMessageFormatting(stdErr), "unable to load the package: package is signed but no key was provided - add a key with the --key flag or use the --insecure flag and run the command again") + require.Contains(t, e2e.StripMessageFormatting(stdErr), "unable to load the package: package is signed but no key was provided - add a key with the --key flag or use the --skip-signature-validation flag and run the command again") /* Test operations during package deploy */ // Test that we can deploy the package with the public key 
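Review bot: `TestChecksumAndSignature` and `TestCustomInit` are only updated for the new error text, and nothing visible exercises the new flag or the changed meaning of the old one. Two cases would pin the security-relevant behaviour: deploying the signed package with `--skip-signature-validation` and no key succeeds, and deploying it with only the deprecated `--insecure` still fails with the "package is signed but no key was provided" error, if that is the intended outcome of this change. Both test functions start and end outside their hunks.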
diff --git a/src/test/e2e/50_oci_publish_deploy_test.go b/src/test/e2e/50_oci_publish_deploy_test.go index 75f5937179..88ea94fcf0 100644 --- a/src/test/e2e/50_oci_publish_deploy_test.go +++ b/src/test/e2e/50_oci_publish_deploy_test.go 
@@ -46,35 +46,35 @@ func (suite *PublishDeploySuiteTestSuite) Test_0_Publish() { // Publish package. example := filepath.Join(suite.PackagesDir, fmt.Sprintf("zarf-package-helm-charts-%s-0.0.1.tar.zst", e2e.Arch)) ref := suite.Reference.String() - stdOut, stdErr, err := e2e.Zarf(suite.T(), "package", "publish", example, "oci://"+ref, "--insecure") + stdOut, stdErr, err := e2e.Zarf(suite.T(), "package", "publish", example, "oci://"+ref, "--plain-http") suite.NoError(err, stdOut, stdErr) suite.Contains(stdErr, "Published "+ref) // Pull the package via OCI. - stdOut, stdErr, err = e2e.Zarf(suite.T(), "package", "pull", "oci://"+ref+"/helm-charts:0.0.1", "--insecure") + stdOut, stdErr, err = e2e.Zarf(suite.T(), "package", "pull", "oci://"+ref+"/helm-charts:0.0.1", "--plain-http") suite.NoError(err, stdOut, stdErr) // Publish w/ package missing `metadata.version` field. example = filepath.Join(suite.PackagesDir, fmt.Sprintf("zarf-package-component-actions-%s.tar.zst", e2e.Arch)) - _, stdErr, err = e2e.Zarf(suite.T(), "package", "publish", example, "oci://"+ref, "--insecure") + _, stdErr, err = e2e.Zarf(suite.T(), "package", "publish", example, "oci://"+ref, "--plain-http") suite.Error(err, stdErr) // Inline publish package. dir := filepath.Join("examples", "helm-charts") - stdOut, stdErr, err = e2e.Zarf(suite.T(), "package", "create", dir, "-o", "oci://"+ref, "--insecure", "--oci-concurrency=5", "--confirm") + stdOut, stdErr, err = e2e.Zarf(suite.T(), "package", "create", dir, "-o", "oci://"+ref, "--plain-http", "--oci-concurrency=5", "--confirm") suite.NoError(err, stdOut, stdErr) // Inline publish flavor. 
dir = filepath.Join("examples", "package-flavors") - stdOut, stdErr, err = e2e.Zarf(suite.T(), "package", "create", dir, "-o", "oci://"+ref, "--flavor", "oracle-cookie-crunch", "--insecure", "--confirm") + stdOut, stdErr, err = e2e.Zarf(suite.T(), "package", "create", dir, "-o", "oci://"+ref, "--flavor", "oracle-cookie-crunch", "--plain-http", "--confirm") suite.NoError(err, stdOut, stdErr) // Inspect published flavor. - stdOut, stdErr, err = e2e.Zarf(suite.T(), "package", "inspect", "oci://"+ref+"/package-flavors:1.0.0-oracle-cookie-crunch", "--insecure") + stdOut, stdErr, err = e2e.Zarf(suite.T(), "package", "inspect", "oci://"+ref+"/package-flavors:1.0.0-oracle-cookie-crunch", "--plain-http") suite.NoError(err, stdOut, stdErr) // Inspect the published package. - stdOut, stdErr, err = e2e.Zarf(suite.T(), "package", "inspect", "oci://"+ref+"/helm-charts:0.0.1", "--insecure") + stdOut, stdErr, err = e2e.Zarf(suite.T(), "package", "inspect", "oci://"+ref+"/helm-charts:0.0.1", "--plain-http") suite.NoError(err, stdOut, stdErr) } 
@@ -87,15 +87,15 @@ func (suite *PublishDeploySuiteTestSuite) Test_1_Deploy() { ref := suite.Reference.String() // Deploy the package via OCI. - stdOut, stdErr, err := e2e.Zarf(suite.T(), "package", "deploy", "oci://"+ref, "--insecure", "--confirm") + stdOut, stdErr, err := e2e.Zarf(suite.T(), "package", "deploy", "oci://"+ref, "--plain-http", "--confirm") suite.NoError(err, stdOut, stdErr) // Remove the package via OCI. - stdOut, stdErr, err = e2e.Zarf(suite.T(), "package", "remove", "oci://"+ref, "--insecure", "--confirm") + stdOut, stdErr, err = e2e.Zarf(suite.T(), "package", "remove", "oci://"+ref, "--plain-http", "--confirm") suite.NoError(err, stdOut, stdErr) // Test deploy w/ bad ref. - _, stdErr, err = e2e.Zarf(suite.T(), "package", "deploy", "oci://"+badDeployRef.String(), "--insecure", "--confirm") + _, stdErr, err = e2e.Zarf(suite.T(), "package", "deploy", "oci://"+badDeployRef.String(), "--plain-http", "--confirm") suite.Error(err, stdErr) } diff --git a/src/types/runtime.go b/src/types/runtime.go index 0faed8c9e6..8f9ef51996 100644 --- a/src/types/runtime.go +++ b/src/types/runtime.go @@ -14,6 +14,10 @@ type ZarfCommonOptions struct { Confirm bool // Allow insecure connections for remote packages Insecure bool + // Disable checking the server TLS certificate for validity + InsecureSkipTLSVerify bool + // Force connections to be over http instead of https + PlainHTTP bool // Path to use to cache images and git repos on package create CachePath string // Location Zarf should use as a staging ground when managing files and images for package creation and deployment @@ -38,6 +42,8 @@ type ZarfPackageOptions struct { PublicKeyPath string // The number of retries to perform for Zarf deploy operations like image pushes or Helm installs Retries int + // Skip validating the signature of the Zarf package + SkipSignatureValidation bool } // ZarfInspectOptions tracks the user-defined preferences during a package inspection. 
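Review bot: In `ZarfCommonOptions`, `Insecure` keeps the comment "Allow insecure connections for remote packages" although this commit deprecates the flag behind it and, per the `root.go` hunk, only translates it into the two new fields. Mark the field accordingly with `// Deprecated: use InsecureSkipTLSVerify and PlainHTTP instead.` so new code does not read it directly. The comment on `SkipSignatureValidation` could also state the consequence, e.g. `// Skip validating the signature of the Zarf package; the package's authenticity is then not checked`.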
From 09bdbe10c4be5ba416281619541d2920a87e2a8d Mon Sep 17 00:00:00 2001 From: Austin Abro <37223396+AustinAbro321@users.noreply.github.com> Date: Fri, 13 Sep 2024 17:50:20 -0600 Subject: [PATCH 06/13] ci: stop codeql on merge queue (#2934) Signed-off-by: Austin Abro --- .github/workflows/scan-codeql.yml | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/.github/workflows/scan-codeql.yml b/.github/workflows/scan-codeql.yml index d1815026c9..380d8ced0c 100644 --- a/.github/workflows/scan-codeql.yml +++ b/.github/workflows/scan-codeql.yml @@ -16,16 +16,6 @@ on: - "adr/**" - "docs/**" - "CODEOWNERS" - merge_group: - paths-ignore: - - "**.md" - - "**.jpg" - - "**.png" - - "**.gif" - - "**.svg" - - "adr/**" - - "docs/**" - - "CODEOWNERS" schedule: - cron: "32 2 * * 5" From 97f6178eca88c3a6bcee53607fcad86d0de5f0f4 Mon Sep 17 00:00:00 2001 From: Austin Abro <37223396+AustinAbro321@users.noreply.github.com> Date: Mon, 16 Sep 2024 08:25:34 -0600 Subject: [PATCH 07/13] fix: add shasum flag and test for https pull (#2998) Signed-off-by: Austin Abro --- site/src/content/docs/commands/zarf_package_deploy.md | 2 +- site/src/content/docs/commands/zarf_package_pull.md | 1 + src/cmd/package.go | 1 + src/config/lang/english.go | 3 ++- src/test/e2e/00_use_cli_test.go | 11 +++++++++++ 5 files changed, 16 insertions(+), 2 deletions(-) diff --git a/site/src/content/docs/commands/zarf_package_deploy.md b/site/src/content/docs/commands/zarf_package_deploy.md index 1009c9bf56..2dda0e6fad 100644 --- a/site/src/content/docs/commands/zarf_package_deploy.md +++ b/site/src/content/docs/commands/zarf_package_deploy.md 
@@ -28,7 +28,7 @@ zarf package deploy [ PACKAGE_SOURCE ] [flags] -h, --help help for deploy --retries int Number of retries to perform for Zarf deploy operations like git/image pushes or Helm installs (default 3) --set stringToString Specify deployment variables to set on the command line (KEY=value) (default []) - --shasum string Shasum of the package to deploy. Required if deploying a remote package. + --shasum string Shasum of the package to deploy. Required if deploying a remote https package. --skip-signature-validation Skip validating the signature of the Zarf package --skip-webhooks [alpha] Skip waiting for external webhooks to execute as each package component is deployed --timeout duration Timeout for health checks and Helm operations such as installs and rollbacks (default 15m0s) diff --git a/site/src/content/docs/commands/zarf_package_pull.md b/site/src/content/docs/commands/zarf_package_pull.md index 202eb2e807..81bee3464c 100644 --- a/site/src/content/docs/commands/zarf_package_pull.md +++ b/site/src/content/docs/commands/zarf_package_pull.md @@ -33,6 +33,7 @@ $ zarf package pull oci://ghcr.io/defenseunicorns/packages/dos-games:1.0.0 -a sk ``` -h, --help help for pull -o, --output-directory string Specify the output directory for the pulled Zarf package + --shasum string Shasum of the package to pull. Required if pulling a https package. A shasum can be retrieved using 'zarf dev sha256sum ' ``` ### Options inherited from parent commands diff --git a/src/cmd/package.go b/src/cmd/package.go index 130a11c884..500b3bc7a0 100644 --- a/src/cmd/package.go +++ b/src/cmd/package.go 
@@ -518,5 +518,6 @@ func bindPublishFlags(v *viper.Viper) { func bindPullFlags(v *viper.Viper) { pullFlags := packagePullCmd.Flags() + pullFlags.StringVar(&pkgConfig.PkgOpts.Shasum, "shasum", "", lang.CmdPackagePullFlagShasum) pullFlags.StringVarP(&pkgConfig.PullOpts.OutputDirectory, "output-directory", "o", v.GetString(common.VPkgPullOutputDir), lang.CmdPackagePullFlagOutputDirectory) } diff --git a/src/config/lang/english.go b/src/config/lang/english.go index ccc2f83f06..26f67b60c5 100644 --- a/src/config/lang/english.go +++ b/src/config/lang/english.go @@ -276,7 +276,7 @@ $ zarf package mirror-resources \ CmdPackageDeployFlagAdoptExistingResources = "Adopts any pre-existing K8s resources into the Helm charts managed by Zarf. ONLY use when you have existing deployments you want Zarf to takeover." CmdPackageDeployFlagSet = "Specify deployment variables to set on the command line (KEY=value)" CmdPackageDeployFlagComponents = "Comma-separated list of components to deploy. Adding this flag will skip the prompts for selected components. Globbing component names with '*' and deselecting 'default' components with a leading '-' are also supported." - CmdPackageDeployFlagShasum = "Shasum of the package to deploy. Required if deploying a remote package." + CmdPackageDeployFlagShasum = "Shasum of the package to deploy. Required if deploying a remote https package." CmdPackageDeployFlagSget = "[Deprecated] Path to public sget key file for remote packages signed via cosign. This flag will be removed in v1.0.0 please use the --key flag instead." CmdPackageDeployFlagSkipWebhooks = "[alpha] Skip waiting for external webhooks to execute as each package component is deployed" CmdPackageDeployFlagTimeout = "Timeout for health checks and Helm operations such as installs and rollbacks" 
@@ -317,6 +317,7 @@ $ zarf package pull oci://ghcr.io/defenseunicorns/packages/dos-games:1.0.0 -a ar # Pull a skeleton package $ zarf package pull oci://ghcr.io/defenseunicorns/packages/dos-games:1.0.0 -a skeleton` CmdPackagePullFlagOutputDirectory = "Specify the output directory for the pulled Zarf package" + CmdPackagePullFlagShasum = "Shasum of the package to pull. Required if pulling a https package. A shasum can be retrieved using 'zarf dev sha256sum '" CmdPackageChoose = "Choose or type the package file" CmdPackageClusterSourceFallback = "%q does not satisfy any current sources, assuming it is a package deployed to a cluster" diff --git a/src/test/e2e/00_use_cli_test.go b/src/test/e2e/00_use_cli_test.go index de0c5a7a51..9071a114b7 100644 --- a/src/test/e2e/00_use_cli_test.go +++ b/src/test/e2e/00_use_cli_test.go @@ -50,6 +50,17 @@ func TestUseCLI(t *testing.T) { require.Contains(t, stdOut, expectedShasum, "The expected SHASUM should equal the actual SHASUM") }) + t.Run("zarf package pull https", func(t *testing.T) { + t.Parallel() + packageShasum := "690799dbe8414238e11d4488754eee52ec264c1584cd0265e3b91e3e251e8b1a" + packageName := "zarf-init-amd64-v0.39.0.tar.zst" + _, _, err := e2e.Zarf(t, "package", "pull", fmt.Sprintf("https://github.com/zarf-dev/zarf/releases/download/v0.39.0/%s", packageName), "--shasum", packageShasum) + require.NoError(t, err) + require.FileExists(t, packageName) + err = os.Remove(packageName) + require.NoError(t, err) + }) + t.Run("zarf version", func(t *testing.T) { t.Parallel() // Test `zarf version` From 866bcda48210c6b4c4de218c8add891fe077396a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 16 Sep 2024 10:55:47 -0400 Subject: [PATCH 08/13] chore(deps): bump github/codeql-action from 3.26.6 to 3.26.7 (#2997) 
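Review bot: The new `zarf package pull https` subtest downloads the init package into the process working directory and removes it only when every preceding `require` passes, so a failed run leaves the archive behind and, as the subtest is `t.Parallel()`, it can collide with any other test that touches the same file name. Passing the documented output flag isolates it: add `"-o", dir` with `dir := t.TempDir()` to the `e2e.Zarf` call and assert on `filepath.Join(dir, packageName)`, which also makes the `os.Remove` unnecessary. The subtest covers only a matching digest; a companion case with a deliberately wrong `--shasum` that expects an error would pin the integrity check this flag exists for. The enclosing `TestUseCLI` starts and ends outside the hunk.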
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/scan-codeql.yml | 4 ++-- .github/workflows/scorecard.yaml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/scan-codeql.yml b/.github/workflows/scan-codeql.yml index 380d8ced0c..a5190e7fc7 100644 --- a/.github/workflows/scan-codeql.yml +++ b/.github/workflows/scan-codeql.yml @@ -43,7 +43,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6 + uses: github/codeql-action/init@8214744c546c1e5c8f03dde8fab3a7353211988d # v3.26.7 with: languages: ${{ matrix.language }} config-file: ./.github/codeql.yaml @@ -52,6 +52,6 @@ jobs: run: make build-cli-linux-amd - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6 + uses: github/codeql-action/analyze@8214744c546c1e5c8f03dde8fab3a7353211988d # v3.26.7 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/scorecard.yaml b/.github/workflows/scorecard.yaml index b085ba42cd..7bc855f0b6 100644 --- a/.github/workflows/scorecard.yaml +++ b/.github/workflows/scorecard.yaml @@ -44,6 +44,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6 + uses: github/codeql-action/upload-sarif@8214744c546c1e5c8f03dde8fab3a7353211988d # v3.26.7 with: sarif_file: results.sarif From 5e0a331d7cf6bc3542fd15abcb9419a34e958416 Mon Sep 17 00:00:00 2001 From: Philip Laine Date: Mon, 16 Sep 2024 19:42:48 +0200 Subject: [PATCH 09/13] refactor: pull command (#2989) 
Signed-off-by: Philip Laine --- src/cmd/package.go | 18 +- src/internal/packager2/packager2.go | 5 + src/internal/packager2/pull.go | 231 ++++++++++++++++++ src/internal/packager2/pull_test.go | 85 +++++++ .../zarf-package-empty-amd64-0.0.1.tar.zst | Bin 0 -> 578 bytes src/internal/packager2/testdata/zarf.yaml | 7 + src/test/e2e/11_oci_pull_inspect_test.go | 5 - 7 files changed, 340 insertions(+), 11 deletions(-) create mode 100644 src/internal/packager2/packager2.go create mode 100644 src/internal/packager2/pull.go create mode 100644 src/internal/packager2/pull_test.go create mode 100644 src/internal/packager2/testdata/zarf-package-empty-amd64-0.0.1.tar.zst create mode 100644 src/internal/packager2/testdata/zarf.yaml diff --git a/src/cmd/package.go b/src/cmd/package.go index 500b3bc7a0..dfdd400bfc 100644 --- a/src/cmd/package.go +++ b/src/cmd/package.go @@ -8,14 +8,17 @@ import ( "context" "errors" "fmt" + "os" "path/filepath" "regexp" "strings" "github.com/zarf-dev/zarf/src/cmd/common" "github.com/zarf-dev/zarf/src/config/lang" + "github.com/zarf-dev/zarf/src/internal/packager2" "github.com/zarf-dev/zarf/src/pkg/lint" "github.com/zarf-dev/zarf/src/pkg/message" + "github.com/zarf-dev/zarf/src/pkg/packager/filters" "github.com/zarf-dev/zarf/src/pkg/packager/sources" "github.com/zarf-dev/zarf/src/types" 
@@ -308,15 +311,18 @@ var packagePullCmd = &cobra.Command{ Example: lang.CmdPackagePullExample, Args: cobra.ExactArgs(1), RunE: func(cmd *cobra.Command, args []string) error { - pkgConfig.PkgOpts.PackageSource = args[0] - pkgClient, err := packager.New(&pkgConfig) + outputDir := pkgConfig.PullOpts.OutputDirectory + if outputDir == "" { + wd, err := os.Getwd() + if err != nil { + return err + } + outputDir = wd + } + err := packager2.Pull(cmd.Context(), args[0], outputDir, pkgConfig.PkgOpts.Shasum, filters.Empty()) if err != nil { return err } - defer pkgClient.ClearTempPaths() - if err := pkgClient.Pull(cmd.Context()); err != nil { - return fmt.Errorf("failed to pull package: %w", err) - } return nil }, } diff --git a/src/internal/packager2/packager2.go b/src/internal/packager2/packager2.go new file mode 100644 index 0000000000..b0e8dc79a0 --- /dev/null +++ b/src/internal/packager2/packager2.go @@ -0,0 +1,5 @@ +// SPDX-License-Identifier: Apache-2.0 +// SPDX-FileCopyrightText: 2021-Present The Zarf Authors + +// Package packager2 is the new implementation for packager. +package packager2 diff --git a/src/internal/packager2/pull.go b/src/internal/packager2/pull.go new file mode 100644 index 0000000000..bc2930ce16 --- /dev/null +++ b/src/internal/packager2/pull.go 
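Review bot: After this change the pull command's only integrity input is `pkgConfig.PkgOpts.Shasum`, and in `packager2.Pull` (added in this same patch) that value is mandatory for `http`/`https` sources but optional for `oci://`, where an empty value means the reference is resolved without a pinned digest. The same commit removes the e2e assertion on "Validating full package checksums" for OCI pulls, so it is worth confirming that `remote.PullPackage` still verifies the package contents. If it does not, the `--shasum` help text, which today mentions only https, should say that it also pins OCI pulls. Separately, the bare `return err` loses the context the removed wrap gave the user; `return fmt.Errorf("failed to pull package: %w", err)` keeps it.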
@@ -0,0 +1,231 @@ +// SPDX-License-Identifier: Apache-2.0 +// SPDX-FileCopyrightText: 2021-Present The Zarf Authors + +package packager2 + +import ( + "context" + "errors" + "fmt" + "io" + "net/http" + "net/url" + "os" + "path/filepath" + "strings" + + "github.com/defenseunicorns/pkg/helpers/v2" + "github.com/defenseunicorns/pkg/oci" + goyaml "github.com/goccy/go-yaml" + "github.com/mholt/archiver/v3" + ocispec "github.com/opencontainers/image-spec/specs-go/v1" + + "github.com/zarf-dev/zarf/src/api/v1alpha1" + "github.com/zarf-dev/zarf/src/config" + "github.com/zarf-dev/zarf/src/pkg/layout" + "github.com/zarf-dev/zarf/src/pkg/packager/filters" + "github.com/zarf-dev/zarf/src/pkg/utils" + "github.com/zarf-dev/zarf/src/pkg/zoci" +) + +// Pull fetches the Zarf package from the given sources. +func Pull(ctx context.Context, src, dir, shasum string, filter filters.ComponentFilterStrategy) error { + u, err := url.Parse(src) + if err != nil { + return err + } + if u.Scheme == "" { + return errors.New("scheme cannot be empty") + } + if u.Host == "" { + return errors.New("host cannot be empty") + } + + tmpDir, err := utils.MakeTempDir(config.CommonOptions.TempDirectory) + if err != nil { + return err + } + defer os.Remove(tmpDir) + tmpPath := filepath.Join(tmpDir, "data.tar.zst") + + switch u.Scheme { + case "oci": + err := pullOCI(ctx, src, tmpPath, shasum, filter) + if err != nil { + return err + } + case "http", "https": + err := pullHTTP(ctx, src, tmpPath, shasum) + if err != nil { + return err + } + default: + return fmt.Errorf("unknown scheme %s", u.Scheme) + } + + name, err := nameFromMetadata(tmpPath) + if err != nil { + return err + } + tarPath := filepath.Join(dir, name) + err = os.Remove(tarPath) + if err != nil && !errors.Is(err, os.ErrNotExist) { + return err + } + dstFile, err := os.Create(tarPath) + if err != nil { + return err + } + defer dstFile.Close() + srcFile, err := os.Open(tmpPath) + if err != nil { + return err + } + defer srcFile.Close() + _, err = 
io.Copy(dstFile, srcFile) + if err != nil { + return err + } + return nil +} + +func pullOCI(ctx context.Context, src, tarPath, shasum string, filter filters.ComponentFilterStrategy) error { + tmpDir, err := utils.MakeTempDir(config.CommonOptions.TempDirectory) + if err != nil { + return err + } + defer os.Remove(tmpDir) + if shasum != "" { + src = fmt.Sprintf("%s@sha256:%s", src, shasum) + } + arch := config.GetArch() + remote, err := zoci.NewRemote(src, oci.PlatformForArch(arch)) + if err != nil { + return err + } + desc, err := remote.ResolveRoot(ctx) + if err != nil { + return fmt.Errorf("could not fetch images index: %w", err) + } + layersToPull := []ocispec.Descriptor{} + if supportsFiltering(desc.Platform) { + pkg, err := remote.FetchZarfYAML(ctx) + if err != nil { + return err + } + pkg.Components, err = filter.Apply(pkg) + if err != nil { + return err + } + layersToPull, err = remote.LayersFromRequestedComponents(ctx, pkg.Components) + if err != nil { + return err + } + } + _, err = remote.PullPackage(ctx, tmpDir, config.CommonOptions.OCIConcurrency, layersToPull...) 
+ if err != nil { + return err + } + allTheLayers, err := filepath.Glob(filepath.Join(tmpDir, "*")) + if err != nil { + return err + } + err = archiver.Archive(allTheLayers, tarPath) + if err != nil { + return err + } + return nil +} + +func pullHTTP(ctx context.Context, src, tarPath, shasum string) error { + if shasum == "" { + return errors.New("shasum cannot be empty") + } + f, err := os.Create(tarPath) + if err != nil { + return err + } + defer f.Close() + req, err := http.NewRequestWithContext(ctx, http.MethodGet, src, nil) + if err != nil { + return err + } + resp, err := http.DefaultClient.Do(req) + if err != nil { + return err + } + defer resp.Body.Close() + if resp.StatusCode != http.StatusOK { + _, err := io.Copy(io.Discard, resp.Body) + if err != nil { + return err + } + return fmt.Errorf("unexpected http response status code %s for source %s", resp.Status, src) + } + _, err = io.Copy(f, resp.Body) + if err != nil { + return err + } + received, err := helpers.GetSHA256OfFile(tarPath) + if err != nil { + return err + } + if received != shasum { + return fmt.Errorf("shasum mismatch for file %s, expected %s but got %s", tarPath, shasum, received) + } + return nil +} + +func nameFromMetadata(path string) (string, error) { + var pkg v1alpha1.ZarfPackage + err := archiver.Walk(path, func(f archiver.File) error { + if f.Name() == layout.ZarfYAML { + b, err := io.ReadAll(f) + if err != nil { + return err + } + if err := goyaml.Unmarshal(b, &pkg); err != nil { + return err + } + } + return nil + }) + if err != nil { + return "", err + } + if pkg.Metadata.Name == "" { + return "", fmt.Errorf("%s does not contain a zarf.yaml", path) + } + + arch := config.GetArch(pkg.Metadata.Architecture, pkg.Build.Architecture) + if pkg.Build.Architecture == zoci.SkeletonArch { + arch = zoci.SkeletonArch + } + + var name string + switch pkg.Kind { + case v1alpha1.ZarfInitConfig: + name = fmt.Sprintf("zarf-init-%s", arch) + case v1alpha1.ZarfPackageConfig: + name = 
fmt.Sprintf("zarf-package-%s-%s", pkg.Metadata.Name, arch) + default: + name = fmt.Sprintf("zarf-%s-%s", strings.ToLower(string(pkg.Kind)), arch) + } + if pkg.Build.Differential { + name = fmt.Sprintf("%s-%s-differential-%s", name, pkg.Build.DifferentialPackageVersion, pkg.Metadata.Version) + } else if pkg.Metadata.Version != "" { + name = fmt.Sprintf("%s-%s", name, pkg.Metadata.Version) + } + return fmt.Sprintf("%s.tar.zst", name), nil +} + +func supportsFiltering(platform *ocispec.Platform) bool { + if platform == nil { + return false + } + skeletonPlatform := zoci.PlatformForSkeleton() + if platform.Architecture == skeletonPlatform.Architecture && platform.OS == skeletonPlatform.OS { + return false + } + return true +} diff --git a/src/internal/packager2/pull_test.go b/src/internal/packager2/pull_test.go new file mode 100644 index 0000000000..8cfb9b4600 --- /dev/null +++ b/src/internal/packager2/pull_test.go 
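Review bot: `nameFromMetadata` builds the output file name from `pkg.Metadata.Name`, `pkg.Metadata.Version`, `pkg.Build.DifferentialPackageVersion` and `pkg.Kind`, all read from the downloaded archive's `zarf.yaml`, and `Pull` then calls `os.Remove` and `os.Create` on `filepath.Join(dir, name)` without checking that the result stays inside `dir`. Nothing in this hunk validates those fields (they may be schema-checked elsewhere), so metadata containing a path separator or `..` could make the pull delete or overwrite a file outside the chosen output directory. Rejecting such names before the join closes that, e.g. `if name != filepath.Base(name) { return "", fmt.Errorf("invalid package name %q", name) }` ahead of the final `return` in `nameFromMetadata`. Also, both `defer os.Remove(tmpDir)` calls (in `Pull` and `pullOCI`) fail silently because the directory is no longer empty at that point, so the downloaded data is left in the temp directory; `defer os.RemoveAll(tmpDir)` is what is meant.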
@@ -0,0 +1,85 @@ +// SPDX-License-Identifier: Apache-2.0 +// SPDX-FileCopyrightText: 2021-Present The Zarf Authors + +package packager2 + +import ( + "io" + "net/http" + "net/http/httptest" + "os" + "path/filepath" + "testing" + + "github.com/defenseunicorns/pkg/oci" + ocispec "github.com/opencontainers/image-spec/specs-go/v1" + "github.com/stretchr/testify/require" + "github.com/zarf-dev/zarf/src/pkg/packager/filters" + "github.com/zarf-dev/zarf/src/pkg/zoci" + "github.com/zarf-dev/zarf/src/test/testutil" +) + +func TestPull(t *testing.T) { + t.Parallel() + + ctx := testutil.TestContext(t) + packagePath := "./testdata/zarf-package-empty-amd64-0.0.1.tar.zst" + srv := httptest.NewServer(http.HandlerFunc(func(rw http.ResponseWriter, _ *http.Request) { + file, err := os.Open(packagePath) + if err != nil { + rw.WriteHeader(http.StatusInternalServerError) + return + } + //nolint:errcheck // ignore + io.Copy(rw, file) + })) + t.Cleanup(func() { + srv.Close() + }) + + dir := t.TempDir() + shasum := "25f9365f0642016d42c77ff6acecb44cb83427ad1f507f2be9e9ec78c3b3d5d3" + err := Pull(ctx, srv.URL, dir, shasum, filters.Empty()) + require.NoError(t, err) + + packageData, err := os.ReadFile(packagePath) + require.NoError(t, err) + pulledPath := filepath.Join(dir, "zarf-package-empty-amd64-0.0.1.tar.zst") + pulledData, err := os.ReadFile(pulledPath) + require.NoError(t, err) + require.Equal(t, packageData, pulledData) +} + +func TestSupportsFiltering(t *testing.T) { + t.Parallel() + + tests := []struct { + name string + platform *ocispec.Platform + expected bool + }{ + { + name: "nil platform", + platform: nil, + expected: false, + }, + { + name: "skeleton platform", + platform: &ocispec.Platform{OS: oci.MultiOS, Architecture: zoci.SkeletonArch}, + expected: false, + }, + { + name: "linux platform", + platform: &ocispec.Platform{OS: "linux", Architecture: "amd64"}, + expected: true, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + t.Parallel() + + 
result := supportsFiltering(tt.platform) + require.Equal(t, tt.expected, result) + }) + } +} diff --git a/src/internal/packager2/testdata/zarf-package-empty-amd64-0.0.1.tar.zst b/src/internal/packager2/testdata/zarf-package-empty-amd64-0.0.1.tar.zst new file mode 100644 index 0000000000000000000000000000000000000000..1860c11d3ce1eddf767483119ec40a8d179c0b03 GIT binary patch literal 578 zcmV-I0=@kxwJ-f-02ieZ0OF!zAV5p?gK=K+{e=l*v%M7EpBM#$1g~XeGovvVCd1>% zpg+;NP(Ga#!&8KUijT(*UL+)*sqm)*4`fg!Z+6u;i%;qcM12YI53_MPHBoc~R1s2* zCXLb}b`_K!XjZ3*>Fg>#UORZf%ot#m1-rq7w;8jI9$}HS0S{ELFmk*~@65W8zBKJB zMlNjpnGXHBtDtP=w5aDsns@u9k&dtVYs~OB!j{Igd`dqio0LsDw{Rj^qPUJpW07M- zWL!w_)e}z>3Ex$XNXHjGoof6#7b5jtwGKXb;R8*H{$f`-)X4dT@A$K;pjVe(-%*Ll zJP^SrToL_%p{}q{K2zZkhalWI?r<>FAC_Z}ncu;#bsLRW3rO|(2Z|ghD(dx+9B7f2 zEg9b;6D7K3aWd()9`ievBr)_rSt4}+9&jLMKR05;yB}sWpJ`M22>1Y8USnnQjn)B0Q|rK z6jliA2NIB-0I&cX5KQSMffWXz4Zse#!2LBH7*GaQ830T!061V4;=nxNq6lL^r3cIi z0;miSP&Z|PiUAW4Kw+|o2^O#zFraSGjR6vB^fJ?P0FA8(tOzg-0RRJdfuTGF4|s<` QoqK_mLj@+c1mvd4V226+ng9R* literal 0 HcmV?d00001 diff --git a/src/internal/packager2/testdata/zarf.yaml b/src/internal/packager2/testdata/zarf.yaml new file mode 100644 index 0000000000..2c9dcaa3d3 --- /dev/null +++ b/src/internal/packager2/testdata/zarf.yaml @@ -0,0 +1,7 @@ +kind: ZarfPackageConfig +metadata: + name: empty + version: 0.0.1 +components: + - name: empty + required: true diff --git a/src/test/e2e/11_oci_pull_inspect_test.go b/src/test/e2e/11_oci_pull_inspect_test.go index ed5f3ee0a1..52be7ab127 100644 --- a/src/test/e2e/11_oci_pull_inspect_test.go +++ b/src/test/e2e/11_oci_pull_inspect_test.go 
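Review bot: `TestPull` exercises only the matching-digest path, so the two checks that make an HTTP pull safe, `shasum cannot be empty` and `shasum mismatch` in `pullHTTP`, have no test and could regress unnoticed. Two more calls against the same `httptest` server would cover them: `Pull(ctx, srv.URL, t.TempDir(), "", filters.Empty())` and the same call with a well-formed but wrong 64-character hex digest, each followed by `require.Error(t, err)`. The handler also never closes `file`; a `defer file.Close()` after the `os.Open` error check fixes that.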
@@ -47,9 +47,6 @@ func (suite *PullInspectTestSuite) Test_0_Pull() { // Pull the package via OCI. stdOut, stdErr, err := e2e.Zarf(suite.T(), "package", "pull", ref) suite.NoError(err, stdOut, stdErr) - suite.Contains(stdErr, fmt.Sprintf("Pulling %q", ref)) - suite.Contains(stdErr, "Validating full package checksums") - suite.NotContains(stdErr, "Package signature validated!") sbomTmp := suite.T().TempDir() @@ -57,8 +54,6 @@ func (suite *PullInspectTestSuite) Test_0_Pull() { suite.FileExists(out) stdOut, stdErr, err = e2e.Zarf(suite.T(), "package", "inspect", out, "--key", "https://raw.githubusercontent.com/zarf-dev/zarf/v0.38.2/cosign.pub", "--sbom-out", sbomTmp) suite.NoError(err, stdOut, stdErr) - suite.Contains(stdErr, "Validating SBOM checksums") - suite.Contains(stdErr, "Package signature validated!") // Test pull w/ bad ref. stdOut, stdErr, err = e2e.Zarf(suite.T(), "package", "pull", "oci://"+badPullInspectRef.String(), "--plain-http") From 06255b2ef42a00b08795418c6fd0393a85ab8c63 Mon Sep 17 00:00:00 2001 From: Jason Washburn <35488541+jasonwashburn@users.noreply.github.com> Date: Tue, 17 Sep 2024 10:35:40 -0500 Subject: [PATCH 10/13] docs: update dos-games refs (#3004) Signed-off-by: Jason Washburn --- site/src/content/docs/ref/deploy.mdx | 2 +- site/src/content/docs/tutorials/3-deploy-a-retro-arcade.mdx | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/site/src/content/docs/ref/deploy.mdx b/site/src/content/docs/ref/deploy.mdx index b0974485d6..0e700b0083 100644 --- a/site/src/content/docs/ref/deploy.mdx +++ b/site/src/content/docs/ref/deploy.mdx @@ -117,7 +117,7 @@ $ zarf connect [service name] :::note -You can also specify a package locally, or via oci such as `zarf package deploy oci://defenseunicorns/dos-games:1.0.0 --key=https://zarf.dev/cosign.pub` +You can also specify a package locally, or via oci such as `zarf package deploy oci://ghcr.io/zarf-dev/packages/dos-games:1.1.0 --key=https://zarf.dev/cosign.pub` ::: 
diff --git a/site/src/content/docs/tutorials/3-deploy-a-retro-arcade.mdx b/site/src/content/docs/tutorials/3-deploy-a-retro-arcade.mdx index ebb499ffbb..08c71a810e 100644 --- a/site/src/content/docs/tutorials/3-deploy-a-retro-arcade.mdx +++ b/site/src/content/docs/tutorials/3-deploy-a-retro-arcade.mdx @@ -22,7 +22,7 @@ Before beginning this tutorial you will need the following: ## Deploying the Arcade -1. The `dos-games` package is easily deployable via `oci://` by running `zarf package deploy oci://defenseunicorns/dos-games:1.0.0 --key=https://zarf.dev/cosign.pub`. +1. The `dos-games` package is easily deployable via `oci://` by running `zarf package deploy oci://ghcr.io/zarf-dev/packages/dos-games:1.1.0 --key=https://zarf.dev/cosign.pub`. :::tip From 3c8dcb8896e247ddbdc54cb7f4b06da052b63abb Mon Sep 17 00:00:00 2001 From: Philip Laine Date: Tue, 17 Sep 2024 19:32:45 +0200 Subject: [PATCH 11/13] refactor: lint (#3000) Signed-off-by: Philip Laine --- src/cmd/dev.go | 8 +------- src/pkg/lint/lint.go | 39 +++++++++++++++++++++------------------ src/pkg/lint/lint_test.go | 4 +--- src/pkg/lint/schema.go | 3 --- 4 files changed, 23 insertions(+), 31 deletions(-) diff --git a/src/cmd/dev.go b/src/cmd/dev.go index 7077f5dccd..85f08e9c11 100644 --- a/src/cmd/dev.go +++ b/src/cmd/dev.go @@ -286,13 +286,7 @@ var devLintCmd = &cobra.Command{ pkgConfig.CreateOpts.SetVariables = helpers.TransformAndMergeMap( v.GetStringMapString(common.VPkgCreateSet), pkgConfig.CreateOpts.SetVariables, strings.ToUpper) - pkgClient, err := packager.New(&pkgConfig) - if err != nil { - return err - } - defer pkgClient.ClearTempPaths() - - err = lint.Validate(cmd.Context(), pkgConfig.CreateOpts) + err := lint.Validate(cmd.Context(), pkgConfig.CreateOpts.BaseDir, pkgConfig.CreateOpts.Flavor, pkgConfig.CreateOpts.SetVariables) var lintErr *lint.LintError if errors.As(err, &lintErr) { common.PrintFindings(lintErr) 
diff --git a/src/pkg/lint/lint.go b/src/pkg/lint/lint.go index 344f3b9db0..dfffccc2f4 100644 --- a/src/pkg/lint/lint.go +++ b/src/pkg/lint/lint.go @@ -9,13 +9,14 @@ import ( "fmt" "os" + goyaml "github.com/goccy/go-yaml" + "github.com/zarf-dev/zarf/src/api/v1alpha1" "github.com/zarf-dev/zarf/src/config" "github.com/zarf-dev/zarf/src/config/lang" "github.com/zarf-dev/zarf/src/pkg/layout" "github.com/zarf-dev/zarf/src/pkg/packager/composer" "github.com/zarf-dev/zarf/src/pkg/utils" - "github.com/zarf-dev/zarf/src/types" ) // LintError represents an error containing lint findings. @@ -42,22 +43,28 @@ func (e *LintError) OnlyWarnings() bool { } // Validate lints the given Zarf package -func Validate(ctx context.Context, createOpts types.ZarfCreateOptions) error { - var findings []PackageFinding - if err := os.Chdir(createOpts.BaseDir); err != nil { - return fmt.Errorf("unable to access directory %q: %w", createOpts.BaseDir, err) +func Validate(ctx context.Context, baseDir, flavor string, setVariables map[string]string) error { + err := os.Chdir(baseDir) + if err != nil { + return fmt.Errorf("unable to access directory %q: %w", baseDir, err) + } + b, err := os.ReadFile(layout.ZarfYAML) + if err != nil { + return err } var pkg v1alpha1.ZarfPackage - if err := utils.ReadYaml(layout.ZarfYAML, &pkg); err != nil { + err = goyaml.Unmarshal(b, &pkg) + if err != nil { return err } - compFindings, err := lintComponents(ctx, pkg, createOpts) + findings := []PackageFinding{} + compFindings, err := lintComponents(ctx, pkg, flavor, setVariables) if err != nil { return err } findings = append(findings, compFindings...) - schemaFindings, err := ValidatePackageSchema(createOpts.SetVariables) + schemaFindings, err := ValidatePackageSchema(setVariables) if err != nil { return err } 
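Review bot: `Validate` now takes a plain `baseDir`, which makes it read like an ordinary library call, but it still begins with `os.Chdir(baseDir)` and never restores the previous directory. It therefore changes the working directory for the whole process and is not safe to call concurrently or ahead of code that resolves relative paths. The doc comment should say so, for example `// Validate lints the Zarf package in baseDir. It changes the process working directory to baseDir and does not restore it.` The body of `Validate` continues past this hunk into the next one.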
@@ -66,31 +73,27 @@ func Validate(ctx context.Context, createOpts types.ZarfCreateOptions) error { return nil } return &LintError{ - BaseDir: createOpts.BaseDir, + BaseDir: baseDir, PackageName: pkg.Metadata.Name, Findings: findings, } } -func lintComponents(ctx context.Context, pkg v1alpha1.ZarfPackage, createOpts types.ZarfCreateOptions) ([]PackageFinding, error) { - var findings []PackageFinding - +func lintComponents(ctx context.Context, pkg v1alpha1.ZarfPackage, flavor string, setVariables map[string]string) ([]PackageFinding, error) { + findings := []PackageFinding{} for i, component := range pkg.Components { arch := config.GetArch(pkg.Metadata.Architecture) - if !composer.CompatibleComponent(component, arch, createOpts.Flavor) { + if !composer.CompatibleComponent(component, arch, flavor) { continue } - - chain, err := composer.NewImportChain(ctx, component, i, pkg.Metadata.Name, arch, createOpts.Flavor) - + chain, err := composer.NewImportChain(ctx, component, i, pkg.Metadata.Name, arch, flavor) if err != nil { return nil, err } - node := chain.Head() for node != nil { component := node.ZarfComponent - compFindings, err := templateZarfObj(&component, createOpts.SetVariables) + compFindings, err := templateZarfObj(&component, setVariables) if err != nil { return nil, err } diff --git a/src/pkg/lint/lint_test.go b/src/pkg/lint/lint_test.go index 84ea5e4cd2..e2e5493734 100644 --- a/src/pkg/lint/lint_test.go +++ b/src/pkg/lint/lint_test.go @@ -12,7 +12,6 @@ import ( "github.com/stretchr/testify/require" "github.com/zarf-dev/zarf/src/api/v1alpha1" "github.com/zarf-dev/zarf/src/config/lang" - "github.com/zarf-dev/zarf/src/types" ) func TestLintError(t *testing.T) { 
@@ -54,8 +53,7 @@ func TestLintComponents(t *testing.T) { Metadata: v1alpha1.ZarfMetadata{Name: "test-zarf-package"}, } - createOpts := types.ZarfCreateOptions{Flavor: "", BaseDir: "."} - _, err := lintComponents(context.Background(), zarfPackage, createOpts) + _, err := lintComponents(context.Background(), zarfPackage, "", nil) require.Error(t, err) }) } diff --git a/src/pkg/lint/schema.go b/src/pkg/lint/schema.go index adf41e935b..b6cb5f6e3e 100644 --- a/src/pkg/lint/schema.go +++ b/src/pkg/lint/schema.go @@ -23,17 +23,14 @@ func ValidatePackageSchema(setVariables map[string]string) ([]PackageFinding, er if err := utils.ReadYaml(layout.ZarfYAML, &untypedZarfPackage); err != nil { return nil, err } - jsonSchema, err := ZarfSchema.ReadFile("zarf.schema.json") if err != nil { return nil, err } - _, err = templateZarfObj(&untypedZarfPackage, setVariables) if err != nil { return nil, err } - return getSchemaFindings(jsonSchema, untypedZarfPackage) } From 5ba17fd243dd19a55269172db98072abbbfe1a23 Mon Sep 17 00:00:00 2001 From: Philip Laine Date: Thu, 19 Sep 2024 00:55:54 +0200 Subject: [PATCH 12/13] refactor: mirror-resources (#2975) 
Signed-off-by: Philip Laine --- .gitattributes | 4 - .../commands/zarf_package_mirror-resources.md | 3 +- src/cmd/package.go | 63 +++-- src/config/lang/english.go | 2 +- src/internal/dns/dns.go | 48 ++++ src/internal/dns/dns_test.go | 63 +++++ src/internal/packager2/load.go | 225 ++++++++++++++++ src/internal/packager2/load_test.go | 136 ++++++++++ src/internal/packager2/mirror.go | 246 ++++++++++++++++++ src/internal/packager2/pull.go | 32 ++- src/internal/packager2/pull_test.go | 6 +- .../zarf-package-empty-amd64-0.0.1.tar.zst | Bin 578 -> 0 bytes .../zarf-package-test-amd64-0.0.1.tar.zst | Bin 0 -> 3683512 bytes ...f-package-test-amd64-0.0.1.tar.zst.part000 | 1 + ...f-package-test-amd64-0.0.1.tar.zst.part001 | Bin 0 -> 1000000 bytes ...f-package-test-amd64-0.0.1.tar.zst.part002 | Bin 0 -> 1000000 bytes ...f-package-test-amd64-0.0.1.tar.zst.part003 | Bin 0 -> 1000000 bytes ...f-package-test-amd64-0.0.1.tar.zst.part004 | Bin 0 -> 683508 bytes src/internal/packager2/testdata/zarf.yaml | 6 +- src/test/external/ext_in_cluster_test.go | 18 +- 20 files changed, 810 insertions(+), 43 deletions(-) create mode 100644 src/internal/dns/dns.go create mode 100644 src/internal/dns/dns_test.go create mode 100644 src/internal/packager2/load.go create mode 100644 src/internal/packager2/load_test.go create mode 100644 src/internal/packager2/mirror.go delete mode 100644 src/internal/packager2/testdata/zarf-package-empty-amd64-0.0.1.tar.zst create mode 100644 src/internal/packager2/testdata/zarf-package-test-amd64-0.0.1.tar.zst create mode 100644 src/internal/packager2/testdata/zarf-package-test-amd64-0.0.1.tar.zst.part000 create mode 100644 src/internal/packager2/testdata/zarf-package-test-amd64-0.0.1.tar.zst.part001 create mode 100644 src/internal/packager2/testdata/zarf-package-test-amd64-0.0.1.tar.zst.part002 create mode 100644 src/internal/packager2/testdata/zarf-package-test-amd64-0.0.1.tar.zst.part003 create mode 100644 
src/internal/packager2/testdata/zarf-package-test-amd64-0.0.1.tar.zst.part004 diff --git a/.gitattributes b/.gitattributes index db3a568628..fcadb2cf97 100644 --- a/.gitattributes +++ b/.gitattributes @@ -1,5 +1 @@ -# Set this repository to use unix style line endings * text eol=lf -*.png -text -*.gif -text -*.jpg -text diff --git a/site/src/content/docs/commands/zarf_package_mirror-resources.md b/site/src/content/docs/commands/zarf_package_mirror-resources.md index 5070a968f2..20a60964ab 100644 --- a/site/src/content/docs/commands/zarf_package_mirror-resources.md +++ b/site/src/content/docs/commands/zarf_package_mirror-resources.md @@ -25,7 +25,7 @@ zarf package mirror-resources [ PACKAGE_SOURCE ] [flags] # Mirror resources to internal Zarf resources $ zarf package mirror-resources \ - --registry-url 127.0.0.1:31999 \ + --registry-url http://zarf-docker-registry.zarf.svc.cluster.local:5000 \ --registry-push-username zarf-push \ --registry-push-password \ --git-url http://zarf-gitea-http.zarf.svc.cluster.local:3000 \ @@ -57,6 +57,7 @@ $ zarf package mirror-resources \ --registry-push-username string Username to access to the registry Zarf is configured to use (default "zarf-push") --registry-url string External registry url address to use for this Zarf cluster --retries int Number of retries to perform for Zarf deploy operations like git/image pushes or Helm installs (default 3) + --shasum string Shasum of the package to pull. Required if pulling a https package. A shasum can be retrieved using 'zarf dev sha256sum ' --skip-signature-validation Skip validating the signature of the Zarf package ``` diff --git a/src/cmd/package.go b/src/cmd/package.go index dfdd400bfc..d168ed80dd 100644 --- a/src/cmd/package.go +++ b/src/cmd/package.go 
@@ -11,26 +11,27 @@ import ( "os" "path/filepath" "regexp" + "runtime" "strings" + "github.com/AlecAivazis/survey/v2" + "github.com/defenseunicorns/pkg/helpers/v2" + "github.com/spf13/cobra" + "github.com/spf13/viper" + "oras.land/oras-go/v2/registry" + "github.com/zarf-dev/zarf/src/cmd/common" + "github.com/zarf-dev/zarf/src/config" "github.com/zarf-dev/zarf/src/config/lang" + "github.com/zarf-dev/zarf/src/internal/dns" "github.com/zarf-dev/zarf/src/internal/packager2" + "github.com/zarf-dev/zarf/src/pkg/cluster" "github.com/zarf-dev/zarf/src/pkg/lint" "github.com/zarf-dev/zarf/src/pkg/message" + "github.com/zarf-dev/zarf/src/pkg/packager" "github.com/zarf-dev/zarf/src/pkg/packager/filters" "github.com/zarf-dev/zarf/src/pkg/packager/sources" "github.com/zarf-dev/zarf/src/types" - - "oras.land/oras-go/v2/registry" - - "github.com/AlecAivazis/survey/v2" - "github.com/defenseunicorns/pkg/helpers/v2" - "github.com/spf13/cobra" - "github.com/spf13/viper" - "github.com/zarf-dev/zarf/src/config" - "github.com/zarf-dev/zarf/src/pkg/cluster" - "github.com/zarf-dev/zarf/src/pkg/packager" ) var packageCmd = &cobra.Command{ 
@@ -128,18 +129,47 @@ var packageMirrorCmd = &cobra.Command{ } }, RunE: func(cmd *cobra.Command, args []string) error { - packageSource, err := choosePackage(args) + var c *cluster.Cluster + if dns.IsServiceURL(pkgConfig.InitOpts.RegistryInfo.Address) || dns.IsServiceURL(pkgConfig.InitOpts.GitServer.Address) { + var err error + c, err = cluster.NewCluster() + if err != nil { + return err + } + } + src, err := choosePackage(args) if err != nil { return err } - pkgConfig.PkgOpts.PackageSource = packageSource - pkgClient, err := packager.New(&pkgConfig) + filter := filters.Combine( + filters.ByLocalOS(runtime.GOOS), + filters.BySelectState(pkgConfig.PkgOpts.OptionalComponents), + ) + + loadOpt := packager2.LoadOptions{ + Source: src, + Shasum: pkgConfig.PkgOpts.Shasum, + PublicKeyPath: pkgConfig.PkgOpts.PublicKeyPath, + SkipSignatureValidation: pkgConfig.PkgOpts.SkipSignatureValidation, + Filter: filter, + } + pkgPaths, err := packager2.LoadPackage(cmd.Context(), loadOpt) if err != nil { return err } - defer pkgClient.ClearTempPaths() - if err := pkgClient.Mirror(cmd.Context()); err != nil { - return fmt.Errorf("failed to mirror package: %w", err) + defer os.RemoveAll(pkgPaths.Base) + mirrorOpt := packager2.MirrorOptions{ + Cluster: c, + PackagePaths: *pkgPaths, + Filter: filter, + RegistryInfo: pkgConfig.InitOpts.RegistryInfo, + GitInfo: pkgConfig.InitOpts.GitServer, + NoImageChecksum: pkgConfig.MirrorOpts.NoImgChecksum, + Retries: pkgConfig.PkgOpts.Retries, + } + err = packager2.Mirror(cmd.Context(), mirrorOpt) + if err != nil { + return err } return nil }, 
@@ -482,6 +512,7 @@ func bindMirrorFlags(v *viper.Viper) { // Always require confirm flag (no viper) mirrorFlags.BoolVar(&config.CommonOptions.Confirm, "confirm", false, lang.CmdPackageDeployFlagConfirm) + mirrorFlags.StringVar(&pkgConfig.PkgOpts.Shasum, "shasum", "", lang.CmdPackagePullFlagShasum) mirrorFlags.BoolVar(&pkgConfig.MirrorOpts.NoImgChecksum, "no-img-checksum", false, lang.CmdPackageMirrorFlagNoChecksum) mirrorFlags.BoolVar(&pkgConfig.PkgOpts.SkipSignatureValidation, "skip-signature-validation", false, lang.CmdPackageFlagSkipSignatureValidation) diff --git a/src/config/lang/english.go b/src/config/lang/english.go index 26f67b60c5..2e2a7e2177 100644 --- a/src/config/lang/english.go +++ b/src/config/lang/english.go @@ -233,7 +233,7 @@ $ zarf init --artifact-push-password={PASSWORD} --artifact-push-username={USERNA CmdPackageMirrorExample = ` # Mirror resources to internal Zarf resources $ zarf package mirror-resources \ - --registry-url 127.0.0.1:31999 \ + --registry-url http://zarf-docker-registry.zarf.svc.cluster.local:5000 \ --registry-push-username zarf-push \ --registry-push-password \ --git-url http://zarf-gitea-http.zarf.svc.cluster.local:3000 \ diff --git a/src/internal/dns/dns.go b/src/internal/dns/dns.go new file mode 100644 index 0000000000..54f821e631 --- /dev/null +++ b/src/internal/dns/dns.go 
@@ -0,0 +1,48 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2021-Present The Zarf Authors
+
+// Package dns contains DNS related functionality.
+package dns
+
+import (
+ "errors"
+ "fmt"
+ "net/url"
+ "regexp"
+ "strconv"
+)
+
+var (
+ // localClusterServiceRegex is used to match the local cluster service format:
+ localClusterServiceRegex = regexp.MustCompile(`^(?P[^\.]+)\.(?P[^\.]+)\.svc\.cluster\.local$`)
+)
+
+// IsServiceURL returns true if the give url complies with the service url format.
+func IsServiceURL(serviceURL string) bool {
+ _, _, _, err := ParseServiceURL(serviceURL)
+ return err == nil
+}
+
+// ParseServiceURL takes a serviceURL and parses it to find the service info for connecting to the cluster. The string is expected to follow the following format:
+// Example serviceURL: http://{SERVICE_NAME}.{NAMESPACE}.svc.cluster.local:{PORT}.
+func ParseServiceURL(serviceURL string) (string, string, int, error) {
+ if serviceURL == "" {
+ return "", "", 0, errors.New("service url cannot be empty")
+ }
+ parsedURL, err := url.Parse(serviceURL)
+ if err != nil {
+ return "", "", 0, err
+ }
+ if parsedURL.Port() == "" {
+ return "", "", 0, errors.New("service url does not have a port")
+ }
+ remotePort, err := strconv.Atoi(parsedURL.Port())
+ if err != nil {
+ return "", "", 0, err
+ }
+ matches := localClusterServiceRegex.FindStringSubmatch(parsedURL.Hostname())
+ if len(matches) != 3 {
+ return "", "", 0, fmt.Errorf("invalid service url %s", serviceURL)
+ }
+ return matches[2], matches[1], remotePort, nil
+}
diff --git a/src/internal/dns/dns_test.go b/src/internal/dns/dns_test.go
new file mode 100644
index 0000000000..69d0ade538
--- /dev/null
+++ b/src/internal/dns/dns_test.go
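Review bot: `ParseServiceURL` returns two adjacent strings whose order (namespace first, then service name, via `matches[2], matches[1]`) is not stated in its doc comment, so a caller can swap them without any compile error. Add `// It returns the namespace, the service name and the port, in that order.` to the comment. The port only goes through `strconv.Atoi`, so values outside 1–65535 appear to be accepted. A check such as `if remotePort < 1 || remotePort > 65535 { return "", "", 0, fmt.Errorf("invalid port %d", remotePort) }` would reject them before any tunnel is opened. The `IsServiceURL` comment also has a typo, `give` for `given`.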
@@ -0,0 +1,63 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2021-Present The Zarf Authors
+
+package dns
+
+import (
+ "testing"
+
+ "github.com/stretchr/testify/require"
+)
+
+func TestServiceURL(t *testing.T) {
+ t.Parallel()
+
+ tests := []struct {
+ name string
+ serviceURL string
+ expectedErr string
+ expectedNamespace string
+ expectedName string
+ expectedPort int
+ }{
+ {
+ name: "correct service url",
+ serviceURL: "http://foo.bar.svc.cluster.local:5000",
+ expectedNamespace: "bar",
+ expectedName: "foo",
+ expectedPort: 5000,
+ },
+ {
+ name: "invalid service url without port",
+ serviceURL: "http://google.com",
+ expectedErr: "service url does not have a port",
+ },
+ {
+ name: "invalid service url with port",
+ serviceURL: "http://google.com:3000",
+ expectedErr: "invalid service url http://google.com:3000",
+ },
+ {
+ name: "empty service url",
+ serviceURL: "",
+ expectedErr: "service url cannot be empty",
+ },
+ }
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ t.Parallel()
+
+ isServiceURL := IsServiceURL(tt.serviceURL)
+ namespace, name, port, err := ParseServiceURL(tt.serviceURL)
+ if tt.expectedErr != "" {
+ require.False(t, isServiceURL)
+ require.EqualError(t, err, tt.expectedErr)
+ return
+ }
+ require.True(t, isServiceURL)
+ require.Equal(t, tt.expectedNamespace, namespace)
+ require.Equal(t, tt.expectedName, name)
+ require.Equal(t, tt.expectedPort, port)
+ })
+ }
+}
diff --git a/src/internal/packager2/load.go b/src/internal/packager2/load.go
new file mode 100644
index 0000000000..b20eea6195
--- /dev/null
+++ b/src/internal/packager2/load.go
@@ -0,0 +1,225 @@ +// SPDX-License-Identifier: Apache-2.0 +// SPDX-FileCopyrightText: 2021-Present The Zarf Authors + +package packager2 + +import ( + "archive/tar" + "context" + "encoding/json" + "errors" + "fmt" + "io" + "net/url" + "os" + "path/filepath" + "slices" + "strings" + + "github.com/defenseunicorns/pkg/helpers/v2" + "github.com/mholt/archiver/v3" + + "github.com/zarf-dev/zarf/src/config" + "github.com/zarf-dev/zarf/src/pkg/layout" + "github.com/zarf-dev/zarf/src/pkg/packager/filters" + "github.com/zarf-dev/zarf/src/pkg/packager/sources" + "github.com/zarf-dev/zarf/src/pkg/utils" + "github.com/zarf-dev/zarf/src/types" +) + +// LoadOptions are the options for LoadPackage. +type LoadOptions struct { + Source string + Shasum string + PublicKeyPath string + SkipSignatureValidation bool + Filter filters.ComponentFilterStrategy +} + +// LoadPackage optionally fetches and loads the package from the given source. +func LoadPackage(ctx context.Context, opt LoadOptions) (*layout.PackagePaths, error) { + srcType, err := identifySource(opt.Source) + if err != nil { + return nil, err + } + + tmpDir, err := utils.MakeTempDir(config.CommonOptions.TempDirectory) + if err != nil { + return nil, err + } + defer os.Remove(tmpDir) + tarPath := filepath.Join(tmpDir, "data.tar.zst") + + isPartial := false + switch srcType { + case "oci": + isPartial, err = pullOCI(ctx, opt.Source, tarPath, opt.Shasum, opt.Filter) + if err != nil { + return nil, err + } + case "http", "https": + err = pullHTTP(ctx, opt.Source, tarPath, opt.Shasum) + if err != nil { + return nil, err + } + case "split": + err = assembleSplitTar(opt.Source, tarPath) + if err != nil { + return nil, err + } + case "tarball": + tarPath = opt.Source + default: + return nil, fmt.Errorf("unknown source type: %s", opt.Source) + } + if srcType != "oci" && opt.Shasum != "" { + err := helpers.SHAsMatch(tarPath, opt.Shasum) + if err != nil { + return nil, err + } + } + + // Extract the package + packageDir, err := 
utils.MakeTempDir(config.CommonOptions.TempDirectory) + if err != nil { + return nil, err + } + pathsExtracted := []string{} + err = archiver.Walk(tarPath, func(f archiver.File) error { + if f.IsDir() { + return nil + } + header, ok := f.Header.(*tar.Header) + if !ok { + return fmt.Errorf("expected header to be *tar.Header but was %T", f.Header) + } + // If path has nested directories we want to create them. + dir := filepath.Dir(header.Name) + if dir != "." { + err := os.MkdirAll(filepath.Join(packageDir, dir), helpers.ReadExecuteAllWriteUser) + if err != nil { + return err + } + } + dst, err := os.Create(filepath.Join(packageDir, header.Name)) + if err != nil { + return err + } + defer dst.Close() + _, err = io.Copy(dst, f) + if err != nil { + return err + } + pathsExtracted = append(pathsExtracted, header.Name) + return nil + }) + if err != nil { + return nil, err + } + + // Load the package paths + pkgPaths := layout.New(packageDir) + pkgPaths.SetFromPaths(pathsExtracted) + pkg, _, err := pkgPaths.ReadZarfYAML() + if err != nil { + return nil, err + } + // TODO: Filter is not persistently applied. 
+ pkg.Components, err = opt.Filter.Apply(pkg) + if err != nil { + return nil, err + } + if err := pkgPaths.MigrateLegacy(); err != nil { + return nil, err + } + if !pkgPaths.IsLegacyLayout() { + if err := sources.ValidatePackageIntegrity(pkgPaths, pkg.Metadata.AggregateChecksum, isPartial); err != nil { + return nil, err + } + if opt.SkipSignatureValidation { + if err := sources.ValidatePackageSignature(ctx, pkgPaths, opt.PublicKeyPath); err != nil { + return nil, err + } + } + } + for _, component := range pkg.Components { + if err := pkgPaths.Components.Unarchive(component); err != nil { + if errors.Is(err, layout.ErrNotLoaded) { + _, err := pkgPaths.Components.Create(component) + if err != nil { + return nil, err + } + } else { + return nil, err + } + } + } + if pkgPaths.SBOMs.Path != "" { + if err := pkgPaths.SBOMs.Unarchive(); err != nil { + return nil, err + } + } + return pkgPaths, nil +} + +func identifySource(src string) (string, error) { + parsed, err := url.Parse(src) + if err == nil && parsed.Scheme != "" && parsed.Host != "" { + return parsed.Scheme, nil + } + if strings.HasSuffix(src, ".tar.zst") || strings.HasSuffix(src, ".tar") { + return "tarball", nil + } + if strings.Contains(src, ".part000") { + return "split", nil + } + return "", fmt.Errorf("unknown source %s", src) +} + +func assembleSplitTar(src, tarPath string) error { + pattern := strings.Replace(src, ".part000", ".part*", 1) + splitFiles, err := filepath.Glob(pattern) + if err != nil { + return fmt.Errorf("unable to find split tarball files: %w", err) + } + // Ensure the files are in order so they are appended in the correct order + slices.Sort(splitFiles) + + tarFile, err := os.Create(tarPath) + if err != nil { + return err + } + defer tarFile.Close() + for i, splitFile := range splitFiles { + if i == 0 { + b, err := os.ReadFile(splitFile) + if err != nil { + return err + } + var pkgData types.ZarfSplitPackageData + err = json.Unmarshal(b, &pkgData) + if err != nil { + return err + } + 
expectedCount := len(splitFiles) - 1 + if expectedCount != pkgData.Count { + return fmt.Errorf("split file count to not match, expected %d but have %d", pkgData.Count, expectedCount) + } + continue + } + f, err := os.Open(splitFile) + if err != nil { + return err + } + defer f.Close() + _, err = io.Copy(tarFile, f) + if err != nil { + return err + } + err = f.Close() + if err != nil { + return err + } + } + return nil +} diff --git a/src/internal/packager2/load_test.go b/src/internal/packager2/load_test.go new file mode 100644 index 0000000000..b9b6cf37c2 --- /dev/null +++ b/src/internal/packager2/load_test.go 
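Review bot: The signature check in `LoadPackage` is inverted: `sources.ValidatePackageSignature` is called only inside `if opt.SkipSignatureValidation {`, so with the default `false` the signature is never verified and a supplied `PublicKeyPath` is ignored. The condition should read `if !opt.SkipSignatureValidation {`. Separately, the `archiver.Walk` callback joins `header.Name` from the archive onto `packageDir` and passes it to `os.MkdirAll` and `os.Create` without confirming the result stays under `packageDir`, and this runs before `ValidatePackageIntegrity`. Entry names that are absolute or contain `..` should be rejected first, for example by requiring `filepath.IsLocal(header.Name)`. `defer os.Remove(tmpDir)` also leaves the directory behind whenever `data.tar.zst` was written into it, because `os.Remove` does not delete a non-empty directory; `os.RemoveAll` is presumably what was intended.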
@@ -0,0 +1,136 @@ +// SPDX-License-Identifier: Apache-2.0 +// SPDX-FileCopyrightText: 2021-Present The Zarf Authors + +package packager2 + +import ( + "fmt" + "testing" + + "github.com/stretchr/testify/require" + + "github.com/zarf-dev/zarf/src/pkg/packager/filters" + "github.com/zarf-dev/zarf/src/test/testutil" +) + +func TestLoadPackage(t *testing.T) { + t.Parallel() + + ctx := testutil.TestContext(t) + + tests := []struct { + name string + source string + shasum string + }{ + { + name: "tarball", + source: "./testdata/zarf-package-test-amd64-0.0.1.tar.zst", + shasum: "307294e3a066cebea6f04772c2ba31210b2753b40b0d5da86a1983c29c5545dd", + }, + { + name: "split", + source: "./testdata/zarf-package-test-amd64-0.0.1.tar.zst.part000", + shasum: "6c0de217e3eeff224679ec0a26751655759a30f4aae7fbe793ca1617ddfc4228", + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + t.Parallel() + + for _, shasum := range []string{tt.shasum, ""} { + opt := LoadOptions{ + Source: tt.source, + Shasum: shasum, + PublicKeyPath: "", + SkipSignatureValidation: false, + Filter: filters.Empty(), + } + pkgPaths, err := LoadPackage(ctx, opt) + require.NoError(t, err) + + pkg, _, err := pkgPaths.ReadZarfYAML() + require.NoError(t, err) + require.Equal(t, "test", pkg.Metadata.Name) + require.Equal(t, "0.0.1", pkg.Metadata.Version) + require.Len(t, pkg.Components, 1) + } + + opt := LoadOptions{ + Source: tt.source, + Shasum: "foo", + PublicKeyPath: "", + SkipSignatureValidation: false, + Filter: filters.Empty(), + } + _, err := LoadPackage(ctx, opt) + require.ErrorContains(t, err, fmt.Sprintf("to be %s, found %s", opt.Shasum, tt.shasum)) + }) + } +} + +func TestIdentifySource(t *testing.T) { + t.Parallel() + + tests := []struct { + name string + src string + expectedSrcType string + }{ + { + name: "oci", + src: "oci://ghcr.io/defenseunicorns/packages/init:1.0.0", + expectedSrcType: "oci", + }, + { + name: "sget with sub path", + src: 
"sget://github.com/defenseunicorns/zarf-hello-world:x86", + expectedSrcType: "sget", + }, + { + name: "sget without host", + src: "sget://defenseunicorns/zarf-hello-world:x86_64", + expectedSrcType: "sget", + }, + { + name: "https", + src: "https://github.com/zarf-dev/zarf/releases/download/v1.0.0/zarf-init-amd64-v1.0.0.tar.zst", + expectedSrcType: "https", + }, + { + name: "http", + src: "http://github.com/zarf-dev/zarf/releases/download/v1.0.0/zarf-init-amd64-v1.0.0.tar.zst", + expectedSrcType: "http", + }, + { + name: "local tar init zst", + src: "zarf-init-amd64-v1.0.0.tar.zst", + expectedSrcType: "tarball", + }, + { + name: "local tar", + src: "zarf-package-manifests-amd64-v1.0.0.tar", + expectedSrcType: "tarball", + }, + { + name: "local tar manifest zst", + src: "zarf-package-manifests-amd64-v1.0.0.tar.zst", + expectedSrcType: "tarball", + }, + { + name: "local tar split", + src: "testdata/.part000", + expectedSrcType: "split", + }, + } + for _, tt := range tests { + tt := tt + t.Run(tt.name, func(t *testing.T) { + t.Parallel() + + srcType, err := identifySource(tt.src) + require.NoError(t, err) + require.Equal(t, tt.expectedSrcType, srcType) + }) + } +} diff --git a/src/internal/packager2/mirror.go b/src/internal/packager2/mirror.go new file mode 100644 index 0000000000..7649b62757 --- /dev/null +++ b/src/internal/packager2/mirror.go 
@@ -0,0 +1,246 @@ +// SPDX-License-Identifier: Apache-2.0 +// SPDX-FileCopyrightText: 2021-Present The Zarf Authors + +package packager2 + +import ( + "context" + "errors" + "fmt" + "net/http" + "time" + + "github.com/avast/retry-go/v4" + "github.com/defenseunicorns/pkg/helpers/v2" + "github.com/google/go-containerregistry/pkg/authn" + "github.com/google/go-containerregistry/pkg/crane" + "github.com/google/go-containerregistry/pkg/logs" + v1 "github.com/google/go-containerregistry/pkg/v1" + + "github.com/zarf-dev/zarf/src/config" + "github.com/zarf-dev/zarf/src/internal/dns" + "github.com/zarf-dev/zarf/src/internal/git" + "github.com/zarf-dev/zarf/src/internal/gitea" + "github.com/zarf-dev/zarf/src/pkg/cluster" + "github.com/zarf-dev/zarf/src/pkg/layout" + "github.com/zarf-dev/zarf/src/pkg/message" + "github.com/zarf-dev/zarf/src/pkg/packager/filters" + "github.com/zarf-dev/zarf/src/pkg/transform" + "github.com/zarf-dev/zarf/src/pkg/utils" + "github.com/zarf-dev/zarf/src/types" +) + +// MirrorOptions are the options for Mirror. +type MirrorOptions struct { + Cluster *cluster.Cluster + PackagePaths layout.PackagePaths + Filter filters.ComponentFilterStrategy + RegistryInfo types.RegistryInfo + GitInfo types.GitServerInfo + NoImageChecksum bool + Retries int +} + +// Mirror mirrors the package contents to the given registry and git server. 
+func Mirror(ctx context.Context, opt MirrorOptions) error { + err := pushImagesToRegistry(ctx, opt.Cluster, opt.PackagePaths, opt.Filter, opt.RegistryInfo, opt.NoImageChecksum, opt.Retries) + if err != nil { + return err + } + err = pushReposToRepository(ctx, opt.Cluster, opt.PackagePaths, opt.Filter, opt.GitInfo, opt.Retries) + if err != nil { + return err + } + return nil +} + +func pushImagesToRegistry(ctx context.Context, c *cluster.Cluster, pkgPaths layout.PackagePaths, filter filters.ComponentFilterStrategy, regInfo types.RegistryInfo, noImgChecksum bool, retries int) error { + logs.Warn.SetOutput(&message.DebugWriter{}) + logs.Progress.SetOutput(&message.DebugWriter{}) + + pkg, _, err := pkgPaths.ReadZarfYAML() + if err != nil { + return err + } + components, err := filter.Apply(pkg) + if err != nil { + return err + } + pkg.Components = components + + images := map[transform.Image]v1.Image{} + for _, component := range pkg.Components { + for _, img := range component.Images { + ref, err := transform.ParseImageRef(img) + if err != nil { + return fmt.Errorf("failed to create ref for image %s: %w", img, err) + } + if _, ok := images[ref]; ok { + continue + } + ociImage, err := utils.LoadOCIImage(pkgPaths.Images.Base, ref) + if err != nil { + return err + } + images[ref] = ociImage + } + } + if len(images) == 0 { + return nil + } + + transport := http.DefaultTransport.(*http.Transport).Clone() + transport.TLSClientConfig.InsecureSkipVerify = config.CommonOptions.InsecureSkipTLSVerify + // TODO (@WSTARR) This is set to match the TLSHandshakeTimeout to potentially mitigate effects of https://github.com/zarf-dev/zarf/issues/1444 + transport.ResponseHeaderTimeout = 10 * time.Second + transportWithProgressBar := helpers.NewTransport(transport, nil) + + pushOptions := []crane.Option{ + crane.WithPlatform(&v1.Platform{OS: "linux", Architecture: pkg.Build.Architecture}), + crane.WithTransport(transportWithProgressBar), + 
crane.WithAuth(authn.FromConfig(authn.AuthConfig{ + Username: regInfo.PushUsername, + Password: regInfo.PushPassword, + })), + crane.WithUserAgent("zarf"), + crane.WithNoClobber(true), + crane.WithJobs(1), + } + if config.CommonOptions.InsecureSkipTLSVerify { + pushOptions = append(pushOptions, crane.Insecure) + } + + for refInfo, img := range images { + err = retry.Do(func() error { + pushImage := func(registryUrl string) error { + names := []string{} + if !noImgChecksum { + offlineNameCRC, err := transform.ImageTransformHost(registryUrl, refInfo.Reference) + if err != nil { + return retry.Unrecoverable(err) + } + names = append(names, offlineNameCRC) + } + offlineName, err := transform.ImageTransformHostWithoutChecksum(registryUrl, refInfo.Reference) + if err != nil { + return retry.Unrecoverable(err) + } + names = append(names, offlineName) + for _, name := range names { + message.Infof("Pushing image %s", name) + err = crane.Push(img, name, pushOptions...) + if err != nil { + return err + } + } + return nil + } + + if !dns.IsServiceURL(regInfo.Address) { + return pushImage(regInfo.Address) + } + + if c == nil { + return retry.Unrecoverable(errors.New("cannot push to internal OCI registry when cluster is nil")) + } + namespace, name, port, err := dns.ParseServiceURL(regInfo.Address) + if err != nil { + return err + } + tunnel, err := c.NewTunnel(namespace, cluster.SvcResource, name, "", 0, port) + if err != nil { + return err + } + _, err = tunnel.Connect(ctx) + if err != nil { + return err + } + defer tunnel.Close() + err = tunnel.Wrap(func() error { + return pushImage(tunnel.Endpoint()) + }) + if err != nil { + return err + } + return nil + }, retry.Context(ctx), retry.Attempts(uint(retries)), retry.Delay(500*time.Millisecond)) + if err != nil { + return err + } + } + return nil +} + +func pushReposToRepository(ctx context.Context, c *cluster.Cluster, pkgPaths layout.PackagePaths, filter filters.ComponentFilterStrategy, gitInfo types.GitServerInfo, retries 
int) error { + pkg, _, err := pkgPaths.ReadZarfYAML() + if err != nil { + return err + } + components, err := filter.Apply(pkg) + if err != nil { + return err + } + pkg.Components = components + + for _, component := range pkg.Components { + for _, repoURL := range component.Repos { + repository, err := git.Open(pkgPaths.Components.Dirs[component.Name].Repos, repoURL) + if err != nil { + return err + } + err = retry.Do(func() error { + if !dns.IsServiceURL(gitInfo.Address) { + message.Infof("Pushing repository %s to server %s", repoURL, gitInfo.Address) + err = repository.Push(ctx, gitInfo.Address, gitInfo.PushUsername, gitInfo.PushPassword) + if err != nil { + return err + } + return nil + } + + if c == nil { + return retry.Unrecoverable(errors.New("cannot push to internal Git server when cluster is nil")) + } + namespace, name, port, err := dns.ParseServiceURL(gitInfo.Address) + if err != nil { + return retry.Unrecoverable(err) + } + tunnel, err := c.NewTunnel(namespace, cluster.SvcResource, name, "", 0, port) + if err != nil { + return err + } + _, err = tunnel.Connect(ctx) + if err != nil { + return err + } + defer tunnel.Close() + giteaClient, err := gitea.NewClient(tunnel.HTTPEndpoint(), gitInfo.PushUsername, gitInfo.PushPassword) + if err != nil { + return err + } + return tunnel.Wrap(func() error { + message.Infof("Pushing repository %s to server %s", repoURL, tunnel.HTTPEndpoint()) + err = repository.Push(ctx, tunnel.HTTPEndpoint(), gitInfo.PushUsername, gitInfo.PushPassword) + if err != nil { + return err + } + // Add the read-only user to this repo + // TODO: This should not be done here. Or the function name should be changed. 
+ repoName, err := transform.GitURLtoRepoName(repoURL) + if err != nil { + return retry.Unrecoverable(err) + } + err = giteaClient.AddReadOnlyUserToRepository(ctx, repoName, gitInfo.PullUsername) + if err != nil { + return fmt.Errorf("unable to add the read only user to the repo %s: %w", repoName, err) + } + return nil + }) + }, retry.Context(ctx), retry.Attempts(uint(retries)), retry.Delay(500*time.Millisecond)) + if err != nil { + return fmt.Errorf("unable to push repo %s to the Git Server: %w", repoURL, err) + } + } + } + return nil +} diff --git a/src/internal/packager2/pull.go b/src/internal/packager2/pull.go index bc2930ce16..538facc5b9 100644 --- a/src/internal/packager2/pull.go +++ b/src/internal/packager2/pull.go @@ -50,7 +50,7 @@ func Pull(ctx context.Context, src, dir, shasum string, filter filters.Component switch u.Scheme { case "oci": - err := pullOCI(ctx, src, tmpPath, shasum, filter) + _, err := pullOCI(ctx, src, tmpPath, shasum, filter) if err != nil { return err } @@ -89,10 +89,10 @@ func Pull(ctx context.Context, src, dir, shasum string, filter filters.Component return nil } -func pullOCI(ctx context.Context, src, tarPath, shasum string, filter filters.ComponentFilterStrategy) error { +func pullOCI(ctx context.Context, src, tarPath, shasum string, filter filters.ComponentFilterStrategy) (bool, error) { tmpDir, err := utils.MakeTempDir(config.CommonOptions.TempDirectory) if err != nil { - return err + return false, err } defer os.Remove(tmpDir) if shasum != "" { 
@@ -101,40 +101,48 @@ func pullOCI(ctx context.Context, src, tarPath, shasum string, filter filters.Co arch := config.GetArch() remote, err := zoci.NewRemote(src, oci.PlatformForArch(arch)) if err != nil { - return err + return false, err } desc, err := remote.ResolveRoot(ctx) if err != nil { - return fmt.Errorf("could not fetch images index: %w", err) + return false, fmt.Errorf("could not fetch images index: %w", err) } layersToPull := []ocispec.Descriptor{} + isPartial := false if supportsFiltering(desc.Platform) { + root, err := remote.FetchRoot(ctx) + if err != nil { + return false, err + } + if len(root.Layers) != len(layersToPull) { + isPartial = true + } pkg, err := remote.FetchZarfYAML(ctx) if err != nil { - return err + return false, err } pkg.Components, err = filter.Apply(pkg) if err != nil { - return err + return false, err } layersToPull, err = remote.LayersFromRequestedComponents(ctx, pkg.Components) if err != nil { - return err + return false, err } } _, err = remote.PullPackage(ctx, tmpDir, config.CommonOptions.OCIConcurrency, layersToPull...) if err != nil { - return err + return false, err } allTheLayers, err := filepath.Glob(filepath.Join(tmpDir, "*")) if err != nil { - return err + return false, err } err = archiver.Archive(allTheLayers, tarPath) if err != nil { - return err + return false, err } - return nil + return isPartial, nil } func pullHTTP(ctx context.Context, src, tarPath, shasum string) error { diff --git a/src/internal/packager2/pull_test.go b/src/internal/packager2/pull_test.go index 8cfb9b4600..72c85ac4d5 100644 --- a/src/internal/packager2/pull_test.go +++ b/src/internal/packager2/pull_test.go 
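Review bot: `isPartial` is computed from `len(root.Layers) != len(layersToPull)` while `layersToPull` is still the empty slice declared just above it, so it is `true` for any package that has layers, whether or not the filter dropped anything. `LoadPackage` passes this flag to `sources.ValidatePackageIntegrity`, which presumably relaxes its checks for partial pulls, so a complete pull would be validated under the weaker mode. Move the comparison to after `remote.LayersFromRequestedComponents` has filled the slice: `isPartial = len(root.Layers) != len(layersToPull)`. `pullOCI` begins in the previous hunk, so the start of the function is not visible here.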
@@ -23,7 +23,7 @@ func TestPull(t *testing.T) { t.Parallel() ctx := testutil.TestContext(t) - packagePath := "./testdata/zarf-package-empty-amd64-0.0.1.tar.zst" + packagePath := "./testdata/zarf-package-test-amd64-0.0.1.tar.zst" srv := httptest.NewServer(http.HandlerFunc(func(rw http.ResponseWriter, _ *http.Request) { file, err := os.Open(packagePath) if err != nil { @@ -38,13 +38,13 @@ func TestPull(t *testing.T) { }) dir := t.TempDir() - shasum := "25f9365f0642016d42c77ff6acecb44cb83427ad1f507f2be9e9ec78c3b3d5d3" + shasum := "307294e3a066cebea6f04772c2ba31210b2753b40b0d5da86a1983c29c5545dd" err := Pull(ctx, srv.URL, dir, shasum, filters.Empty()) require.NoError(t, err) packageData, err := os.ReadFile(packagePath) require.NoError(t, err) - pulledPath := filepath.Join(dir, "zarf-package-empty-amd64-0.0.1.tar.zst") + pulledPath := filepath.Join(dir, "zarf-package-test-amd64-0.0.1.tar.zst") pulledData, err := os.ReadFile(pulledPath) require.NoError(t, err) require.Equal(t, packageData, pulledData) diff --git a/src/internal/packager2/testdata/zarf-package-empty-amd64-0.0.1.tar.zst b/src/internal/packager2/testdata/zarf-package-empty-amd64-0.0.1.tar.zst deleted file mode 100644 index 1860c11d3ce1eddf767483119ec40a8d179c0b03..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 578 zcmV-I0=@kxwJ-f-02ieZ0OF!zAV5p?gK=K+{e=l*v%M7EpBM#$1g~XeGovvVCd1>% zpg+;NP(Ga#!&8KUijT(*UL+)*sqm)*4`fg!Z+6u;i%;qcM12YI53_MPHBoc~R1s2* zCXLb}b`_K!XjZ3*>Fg>#UORZf%ot#m1-rq7w;8jI9$}HS0S{ELFmk*~@65W8zBKJB zMlNjpnGXHBtDtP=w5aDsns@u9k&dtVYs~OB!j{Igd`dqio0LsDw{Rj^qPUJpW07M- zWL!w_)e}z>3Ex$XNXHjGoof6#7b5jtwGKXb;R8*H{$f`-)X4dT@A$K;pjVe(-%*Ll zJP^SrToL_%p{}q{K2zZkhalWI?r<>FAC_Z}ncu;#bsLRW3rO|(2Z|ghD(dx+9B7f2 zEg9b;6D7K3aWd()9`ievBr)_rSt4}+9&jLMKR05;yB}sWpJ`M22>1Y8USnnQjn)B0Q|rK z6jliA2NIB-0I&cX5KQSMffWXz4Zse#!2LBH7*GaQ830T!061V4;=nxNq6lL^r3cIi z0;miSP&Z|PiUAW4Kw+|o2^O#zFraSGjR6vB^fJ?P0FA8(tOzg-0RRJdfuTGF4|s<` QoqK_mLj@+c1mvd4V226+ng9R* 
diff --git a/src/internal/packager2/testdata/zarf-package-test-amd64-0.0.1.tar.zst b/src/internal/packager2/testdata/zarf-package-test-amd64-0.0.1.tar.zst new file mode 100644 index 0000000000000000000000000000000000000000..19b43aa2793e90dcfaf3d7ba8f899d5c2d4d4508 GIT binary patch literal 3683512 zcmXt8cRXBOwADrVq6HDX_c|DT^j@Nb=uu|$-g^*?2qJnHqDS;zhD7uhK@cr^AH5FV z_1^FK$G-dSz0W#puXE(bs6eKJxEP}=$AYg4R0ur+YiwTH`i-Bxmw!&Z`7~m2T01Md&iwW2W!Gvr@MPM+P zm^BzIEGiBa2aAY;tzjYp;=ph=3|`i5kCm-F@daTZF+mXlYb(GnWGy5JwH6T<6%ewv z76RLfiGqYg1#HEwY^`mqgl(*Zgv5nygc#KiY76z} zbM$g^#Rq}FAQ5X@QIHKxOxP9-1&N8-io-;0g~Y+OAYm~Z5h0L`05B6l0hovg$l6v6 zEM_ALOh!l?m?Mz-|0S)R-K@R%z3i=oL`3=Vg+VsLLZZS@sI9o5HB=O2EhHcc6$IOg zgP>p$Ai_#iKpYH^Yy%YqLPelrFaZ!)TwGktT38q+2o}H>7lgtDtYD(RjK!fgP+$^Z zK>?_+sE9301PaW^N>E5pPzWR<2CxjX6%n+8iduoJ#l%Db+69HhtnsZyMQtB>u>ylY zAYof;Q7ap98v&4jFc`=ITib$R!ayHv#Xur9k5qz01w=r?089|n764`AX5+x?Y!%?< zpMima$qP_|itJON;0^_@n5^90ogHkfyn&nizOJ@>wr(~~P)|Nv2QP0=2Wy{4Kc9=0 zs{;(`<;~|S#QoSICL1?bn1daV4jA564z54~pRb@p;A2HWVXz>Ntpm_g@5lNQOpho+ zm;mGe1i)j8@9E~|4f6tqfWaOm#Ag@i;LZdR6#|I~fFENY6U^~L1Vu!JMMS`W&_#sk zipju$n#81PR^no}Xe35#Sj%-EjiC=c* z2c6(LbOjwW<~d0383!TXsj+T^tXQJdHTLp-_uis^EJ5&vZiW55UG^O2#dO_SPH(I) zEj~x$mSf&eN7Nd1^KacU@E$xkKq$E{!v^B6AKAKaD`7JzAQ;?n{~yKXc~05=Ub<+3Wtik;807YC*WJzX zB+=yl#XaVY+%DoL`~hyB}tt&J}IQz%0Qs<25Qk`J%s<1F?O#FMo=S zypjs(=-tMn?5fsCXkVet?{`j4EBwn_wH1Z@_ziJR6ZkpDU3_tJ8VWA(j*%e*=9URm1--B(374G`?r$^(6LRk2}U&o3U zU)#y~{1bm_7|3%+Pei0upiKNBG5qL)xr;OgK z1fhO;`%PEG`1UsX_t3_Mk!#oa=XYZ8&+pQm#Pk+bJqVYMzgmE{H504(4KC{mc!s-ZTqgOqvH?`3ob=h3rTJ>*k)pKI}EagKD^x2KKS2@q|ut_ZTO}Lm$DFbGYR_PtBGo z#(ll)SS-ep<(rrUjE4lWkxPnj3(@eL!H8=~MFzX7ZW$03%0^DgjCtZxRPNR%!aqn; zz%{xcKOCdem2&nUzTE9jEZU#OAC&m0bEELPttTh3#sx-};ZiEt2U}0}YfRrfP-CH} z!b7sKQO4nj1iXD>(uN1ii2G%-?N>Ylm`>QIs~X`5+i==I{Ju_&6_vzp{(9`dMXr@U zPyACE=-Qr~wHZIwxW3>;e`xQvY{Y0M$6I$GZn(ssr+l(5&bDItWWULbn4Ll{CjM*m&mU!L&HO6@b*`pot-vx%QU~AF%G{A!dpie6d<|KtBHGmh=og+65Oa!3@{Vi zaFR42TsX9J?T`F~*h2Fbt4-@-b{Cti=i#SVbwcjqZ#NbZvi 
zEOWq5Z?QsKwTK_+3C=_a*4==bRRwoOg+3|;NFt0bxrqmG#62$FKFH_|eNi`me1r!- z*{s$3Zp$#r?M8C}%WuTJr|}r~MY7sz1%ICQNJ+3~P(m>zaj^n($jJp6|dbV0dZ99no6wJi}XTRn(@c#d_qz`bpk z`opV>V7V9I}leA&}-`DD`pBG=LQ zWFKP4F#bF|3_?0!L%9(qM@P**amf~L;e_SUVl;7&8E&bJfA)eKZp!o#r1EB~6#K%M z^JA&@n|x}lI|NTfHC8AM(@~t!oAI~Zc@)3yIK!n+m5!M|LQDazU<7pmYzWCcJe7k; zDg{`qP)2s=RbpL)=}kQ7VB8Xs&5AQkIF%IK#bC%-7Nox--pa;0xCHh9j^|+A0=LX= zBp!y01;aQyMt~>w>7hw@mmPL+!J7rZ2%{J&O2&Z5aKgv=u}z?c+J~p!TXV&W2F=O0tGCm^N72FU^$2%{{AM#?1O}yw67||_%k`k zZ|oa7$_9F#ZA9~1@RQYb=vXoX688?TL|gaXQDrk*gMsyi#&|#A>l3$SJd@DLzx{O7 z@4+<}iv|9LOEMP=MgfIOVGa!svo>o=YG{j}sWo%_tsZa#P%KT-c9eSv*@^qQr)@dz zNjccZH!ZhCYZlZSu5u9CLSOiDX)}^^qn^c_-!sYL6|GO6hc1L7d1?G)yCqZi-XVw2 z?nKFxf^Fx{jE6{*vns=kAzl9SA0s_J%J5}gTy^}<1+zxFjFFZXw$R?;|)} zsXEYG3&fVwDLMF|1;j%o&xQ_#_%(fpL)`*Gjq?(l#g_}p%7j<=H_Zd=-XdC@>r8RN z25rN-kv{2^b!2heC{Hy;&CyGhVh%12zDkaFgHTVkOv!Ovr48t{r<~x`!gW*>tBkvj zAEhR=F3s@SdU{(Aa+seV%Q#Orue!PVsBL)ejqBq5>XQf|{%3<-vH@~k`_Z2~ zn{(3njZze%jQD>2Jks_`_sR{y{wZ_R%3g2PZMy0cY4&n^n4dEyqOcCd>1uf|T%y`V zXwf`w^e@r@Tc)+pne>@KN_sniEe98;Pr6Y~GdeP7Zkj)6xRq*QBkC*3)gp8R1x-fD zv|5{l)8ngiqg+dD)B<9q=8Q;=ZhWkUH{J(xjPq9?rME3wz?fz#2F!Ke8AQ>}Q+lJy8<6eZDtT`L|axvV5f)$l*=06A<*~%;@g=gijyoiGIpU)@57w z$4K{O8Z!U;SN(Obb}DWzPTuo&=)myl@HMvn3I6-ib@Gk$6nU$z_OFFG#_!8t>sc_S zKN}r5P2JF18zW3fPfO7WpCm=>^TjZU4g_eaqkjAI)Ld~L*UI2SH}5AW-(zr`jC1g# zAnNt4eD3XG+R*K-SvB^p|Qj>JO`g$}h5`={C`TIl>l|CLw*&Ew?U==pbf zl7NpXm7sg%=@np{aRs#`iBsmtUfn{s?9F;>IhI~Zaow|(*H;Mdw-L5)wT%i^9{g== zyYr7QAOQP>uv*fs&UB1BJH?3jXd`t)2iGsa$`oygy!hqnc=`s_OOuyof>ks_LnobI zE9*Qnn>jgrDK|$sJklxTTOo-tAq5=;g(G`jx5mV+ry++Y z0mz0El+ZnHy`An`hu4R8YpHF+j4#JV@UY24kJ2=&KA!p;9vf<6Rww>cELgD2L3*9; zbT@EYmEO)iITWgvic})^q9pSNrp3>5mYPEO%AMZ)<2!tf;1R5s-GycHl=-cx8@$rW z_!)5<7@`v_`I2Gy^)IrmmV)z_|I@8Kg&w8Wx(^R~-3D)v2aM!;sws(UT8}|Xhp+3t z_NRS=P^S&|mXO8K`vv^7rN3-4h5dT{FEtbPE7NR~@3c;>zxV7!w3s|uW9T&aK2gUtI)eKB>yLt_t9obV{bCkO~Nszn z9pTs_=&JQk&OQwOW~|5d3M*ee$iq;QD&Cnn)xPkk|M@*5_XS5(`Ib?B#^}&l`5}L% 
znTf7UrV@4b*QLRmEEa{grJuJke&+OiiUeEoMeDip3Zc;l87elL%*_i|S<#lAn7^dw7_eH`AbdllRms z4`ExU10%~&;v&c!)CC`N4t;MbgDcGw9^De049B%##|4u^M=YHC>c}~k`47!T@wtRtaL0SvHbbM6t39!lx^W0;1pXeGJ+f_Q`dLgtVq}K9c$1C56KuWDIf*(;M(6*}MYKnh)f?u)) ziapWLpz~~o6sr$0zBDA^NWZOf=NsVXjZzB*KNyO|B{WSJFf0#isCTOV9ct)Nw zTr2_qh8G+H=X1Lbocm}L?D5S_LnlB+w3e+Mddq9}O4_qkl_%+xh7=x!U2n^H%H$t# zRfmn^_-2A7LJ?h34mD+)n;XW$ zjvz!1GWm4qwa2a-x78xFqkByw{?G8)Sy99{-e3NiHl5`6pLPP2q!#OjTHvfMU3ug+ zWTg~JUZ8xXU#ViEKBrtm8g}kTgA~f0VRU?TF#q}K$;rZozD6+lMmJX1HP|v>aG2Zs zb|KlAYI~Ubq*gEbFBgB%x^zG-CNq-C#6|@}^Y$We zKQ+OhW|a!w&#X<{zkE3)w*dF&TfMqfA|pY<{RLOqdOP9SB>4&cOslDI4fwc%6y7m5 z+)qB3YBiU{GNA?gm>kZ|+=YM42d`G9u>?P14&_{>CPu#Zr(HGd^78 z4_BVO$3)X#Wog3Ze92dRdySZvD31kJ?}(S*irqWBljuE0{@zzcQS?%iAjm!bJNE8P zWR@X5rs#E3pgDw$<1#wS2MYkuB#Cw8P~-4YrclXMX_9_RLQRE*SbvFC1>$kpV2)L+ zW6fSK;&FK?%45k#WVvukfW=Fuy!b2cUZi{n>2W(reoPAiK-hBRl~6BIDOh~N2!D4*a7YYU$a~iOSmEgK!rW=7?2*PSDt-$rP-TIk{<iQ7P0;> zR=tRIR8ahII|e$%90nOmVA7Q}RK#J=j$`2uYI?+-Y?d@$x}97(kTiWAUQ7Z#wcbf#~NU4($P zAn|~<#u=Ux^;#-Q z;U1?Gk1L^|09*I?t3Tn@vI}unm2e%EU{*l$h-d(qr3wJdjR6=346t=&3d97HuT~O= zQ3E|hMEXBJ_9Iz-dldx#!+0;V+D`I-1|WkdnkfW}toD;UJOQKyQKsq3*~(`Ckm)}n z!v&CqMf-ED<})vm0em~atK|S-jR0R3@nUkpw5#IqY89Z1F92K?allffe(Vs*@ebVW zQCj@O`7u|pM}DvY&AUBH>o2ioII!$0i62M-Sbv!5l!GOKtOtBRT7C?Gv~uBKrY-_N z@QaVqass;efaCEzC=V$Ibg>y&$M>|4s1gBG{{d?e=(%t&Am@ZDA^=qvkw?T;C?I&q zTVRL4B>@DV2nhZg(8Ufs02TcsswbHqE! 
z+d2v~cVB6~Fw@2O|^eu_~PTO>r{9)F#`YCwzpatfaOH2ql7X6G@ti=jsEyh?4AViv>&qiXYER5 zAsX<|0iFl4gs|QR0>CZpfnr{IG{7rYDkx=|2l(QZW*v{EHCeJ)b&Z1UXr zkK5>*+4ZpakZJC`mwt@hAC&vX@9RWmoz}Fm`_xIh{25E6p1NIFXYWj{_c&D`@A^So z6@8c%AD81@&ZO7bbC-=$+M<23V&TMl{pwk*qq4lK%$$dg`_r58JxKLKvW0l-G-YrJ z=Bl>3Y!FLMO1GyA&IH{)C``VfJV{U8px=QDT{j+5-yF_cm-_AlI6w8RK@=3^(qK01 zhHIp<9J@O^@R#WI@KRtS>4uoG*O_l!32WYS$AR=JPa{$x6P-QU411fTjroz&EhCAp z5>nZfFAdeAR-+fa}6SIqFhe zeWOnF%s&rG*YjH1nu^+0murt&)F(90jor^#+H&3vkyogCMU@oWnKs#)Ho>Zm^Rqfj zqMNT1?!0OS^lqwdZr+yKp`e7uUc#^DV9V2;Jzc}@+U4f@PQp2+r%E|(E&P&Sg=d?6 zsvF%vIl2k83U)KjaOy%C*qi>kKlbJ7Rh^%21%o30HPpq?LONj@3&iKG{-KA0K`xi( z7bZW9q12MTzM~~AjJsyZp|1KBb;F@wZ$)nf72+nl6PmxyJqIg>bdo`uX_KPM;`o1! zOQ&#stRw)gGkK&h$&FFVY_9_y)3Qo}c#Hm+DAPB6uo#y~Tmq)%$Wzx49miug0|ae- z;*lnLW*m&@B{vSXG`FGZ)OItrb&z)4(Q_mq(#>zzOK17SH6awGG1(O@eda~f>~zJr zySk^CX6GS1G+8fLp`Kj4InkN+%hLT-Q_Z+pYNt}#48T7q`>#HJ zMRBa-*e@ruBtOVteFUA!&Lr?K-qB+~kF52NP+NjiZDh!%3F@V-Llu8r&UJ+}Z`Y)0 zUxWPzD(=uPyv|}pH0Js?!l(|If|+KKf4WO9z+3Wh{)}^MoC6tTtf|M{aBk=-RwR4X z+N9TRUX|MUznby%V*Vz zY1J#ok^dGE$ga`gA$PXWFD{VDwG7WGv%j4sL6O%f|GYbfOBh{zIVDH?+vpE0oMfP4 z)Q~aX=Q>poVf$uI)6w=ed-JIw3hi}nUGC?%Hfv&z zv2DI&M@9!jUG3&`2p6M^KHq~b#Nw|8UlqxPL;L=}vd7v zqdStu@S<-$|10W`7ctPJvDDgEfuAtz;u6lWqvIVy#`0b97S*SIv86j|KFMMn?n)}l zT@77rpYu|FTjIL!Rvd-(TkcRc!b*RgWoP>PMcMS&t@$pRO%~ReE??v2trbX21;&j? zcyX+jfYdkWLc>@lZM?jZA>}bC`e`(V z@iFM{-d6k9m7HaSlk$xYI_R_0mMbAm!WY{wZs)9IKc33}F&Zl*7E}6>#7mbY>D%Fz zbudOPfrcj@D$a>+{AE#vvkG4a{Ha1Z+?KZ-g!Xwl zmFTof)F28ILNe{)*M>EJWV`f}d>S@!sESiYW6M;*+&E8I7g?4-O@+v8#1qdG=M48X z7wSe`wOWZo-3xOR4Pxq~NE%pXBLACnuYAB z;q^_@700kX|D3~Gv6i(&>aU!5Y@j(2eYV?OP3K)c&+Nw}Y$l%Tgi>0co!u2r!FVg> z{ZxbsZCy@I!k~*))h+peW$Lp~$k&CqcXWbDTwJB3KHUY4u;Z+ zytC>Ku0H1+h5OIt@LzbQ;1m*OctxnS=?6vYz3}evGQs$$qQ7?(Lh4US_qt*~^k&MT z&^K$^6r*nBL@q2c%X{#`aARwQ=(q>u5$-y5Gb1DVA(&Q|mikYITssJ_phCtSukl_h znPGiEk{7)(bd=Zg1BXiEf>#P3YsGP7F6qR#_AM%n1oeWsPiQ$s=X)eY@Dl=ETpm*! 
z9GK1~?m>_Lo6XvhMcRHTi8u$R@*7+<|J9Q^K&tb9XG}5DC00u4M+AaJE*Z z9CPdPElF#an8K4?XZVmK=AB??oT}t|zc9A8&mgqKL$gAfqM6dC8U>quP_Fn+U%RJM zFh916B6fm`YDsj(55})lFmla@I9>GF(R6UPuAan|58tOfncvmsDM=9jZ#gMKdS3lP zjkhyP`Ci*VC4Uq)k>-nGuWp-FhUr@^5_w^3X3)v-2VQ2h9F~klR=0mEjgvnAH>3zF zVCv?(3?3J5IP_2y6C|Hj?iq;t@gP%uEj`QYUX_`{r$;&NbV>q~ApPk-1-vw(8Pe&% zOLo$a6Dy7HW*m(?=3eA@=gveCY+n7PgiU^gy1z$R%0>5%?fu$yz5igD3I}_EDY8$P-$+2)xLkS{*(%@345>S7T6(s#jej0`_7UsbONP1Pi|1ZNSQpHE)4INqSbQ5((yvCtA)GJt z>zq`+t(BismcK^Tek;@vFH7zBAdmgz07_!jZY$#A@ndFO^Xg}PQsS3Hre&_8~JPD3 zPzqmF;cwPL8m6JktUV)jwSn5(46J#@Sko{{f`uf~w|2gCjoS8~-eBp{vYHK%%@c~6 zapZCIQ6{Rr%v_TEsA`|V(N~&qEJtrA-D$t#iQ0Icol_ii9gZgXEx7u*<%1GN)vA&D z!M|&B$&spbR{0-0%#xF`F$22R_T^16m2*;~hM}xOZrVwvo!j=594sB@bO{V9p8 zyE%>QP?x5_R~S0!3-5SwGx4r}ul9awlq9uVR*2a9G+0>c98%Ww$7t#4$@#?*>Ptd1 ztIrz(4gW*sxfkNfgn$$b$2N^UTx^?T5(4V7HsYK&D7OZ5rF1z;%Npe_lYS}mtJFzN zy>gct?g|UuVEE|f!wG3mDKh)8f7kJ9i!n9wHau8qI*ID9P%7q4N5PDpNE(0NPim&d z%%SjFou4y&bqy89U0-;`jY=YOWSf>r{LX z{}#M+^HxtCr)dE4r)CH7S*TNIrGG%TE~PweoED!!jkX0IP7RcRKPO*9((=`MxEe^j&oOzw%BvZB2X?6f!SUbbxJ z-9jSg4395$T&&PISU$g_lMdL*Y(I4W3= zHjdgvyyK=_rb|KN@tT`YsX}E{RKQ5FJ8VvWs#V;NsCPe~l04KGHz$mV@Y zR<*B*Hz6QWT?u~wj^;j+6zfmF?%ok5slO-NnM79Smx}8o%~IA@X5Id|Nwpqvy$MZ& zbl%kGFU*FB()co)ruHXt2S?Bxrm{w*%0AQ=`ycA|Q!#?;{~V84%y%!=v$v;!6muOk zJUDUB?{hWkE6Si2-_YN{CB}M~rJ(RE_ch{I+HvgIqf;h}9CE%re0A>(L~z?q-ndr; z;M^uFz(*alZ{N=v-~t+{+H=7+2wJbh6m#~#)b{mF-@LT>7TNMN-vI&(lCf`T@bl1s( zrm8-8W&0Yl()!RXwv4XQ=04OEIDdZ6Vva%$~Hj<5msMOqf-d-elWx+oh;n1 zs7Oa1vB2iQ68*tg*?Cm!YTgMxd^LaaZwAY!IGsSF*%*B*4hk!zZCYIt&$YcKMc&Pf zv_~qh*6&kO&hO=xYV&wcYK3drs`1IQNu{u*apG>J&yA32I>!@v^{R^wzQk2|BYx|2O^ZWoi3U)q<&H)?W8M zW2bE#G^*3zLYtz)`h(r(p5=jV<{J*DQ)4|<<-48ZMtP#zUX_uj|2#`kh5% z#&gzrjy_!d#t+7hW2a+7pgsqf-An3R2Me;D9NoFVZ0C`TzcekJ3n>EQ-|ttk)iCg) z*SLPW5%kv2r_Cte@3!)RN$rRv$rV_}vGs^0j7UEgrx8^e3p$n`M1fg|@xv8ecBgq1gJ=vS}C9lm}IfEdROw>)^9)Q*oMC8YC}N?!onPeA??JCaI$JBSL0OMofDoE zMWL{iY)TQk1^#007iawYBMWZ@T7fzpBscS?_l_~Xn31PbZDM>&IeR-)>ba#etTl;v 
zJrVEf$5ukgB##mWiZ#!7b%)XwuQRcTbUI|u%}N5x54h6&u6~l_;S$YdpWB{}H3vo| z1%(UVAXoY_#JaM|&&U&%H=IjOFm)5^Mzwa*NwG}r8Dif_RLyeBxxb0%NZ0r$_<>Qq zGG=~ZCB92OfyD0mPq4`)qyMDx&!^j)^ zT(+*I-B}67TorvZaQt~s>yh57N4lSb`#hc!UVjGP&ZO?7I#!Y=J6yXBNjv~&tOLh{U^=Vn0nd>zkQY-3->R7#?)t`bk{YF8v6KYiPYE|Z|RQy;Fb94QdjcF)atVOM^> z@&|R|a;7(u_X?#qLf$dhPyZY(t4Uv7rM7QNnXqVv2$3dRKBFTBoc5{Tz0(LQ@g_-r z39$nepMeC>g{w+Zb_>OPkGR8rh2IzEUtWwmGf2yE*~RE{S8Y|b?WTj^yGOhKZQW@) z9KNRbJ~yNW`$;m@)@hNhbhx|PqiN7j+Fkx?;kO_uuC%X z*K3#Mc}q6^?(kFEwN*kXR?ESN+)<$eZgtLVa~?j2#2rhGms%CO8`R3g(Dt-Rs<(t+ z)2dh6z58|Cvct>z5-LYzdFFWMJ(tYSIS#$N7k|`Cw(-A_E2m-BNpLff{C>tl25?*mbn-giZ7rH9*R}_M&A;QzJ`L;U8WS-&~$<{H@ zhk0&08$2fA$(hrL-T+@}en_V1^bhH1!KsSv&$d%^Qp2dpCWxz@+rGzkx^CHdYp&j3 zpJ#;z!_7$+cByU=cHAZAIuUjqi8T)2(&|ENDnp16DKyRTmiOP#;oeL`+6U%rYkG&j zwh+Yo)rX5SO$a9SAG5~|{nf!FwibB~AP4b|?|FkZd{Gznvz$HdjtAFJ(~i!gXsU*y z{tSyBvTGk=#2%%gSyCY%dg`tMBliWM~2>a?1^^s zyAAAs)*}&+JwL70sh(xgHK|q=b*n8%2rjWQiV1s?cfjPwzWbK5x*m}Xbvklp(#2hP zkkFCzs|9P!9BV?WJ>hPVhp_pDAQlsSV7XbC{uQPjO8CXBOJ@If{^^+&?$Z;@F)QPt zEN5tB2y^58r6}Jq;mo?;%$J*iYbeZ0x@pqbe2X@w$Z5;hF}EuUEFhRZ1|i+BROBzb z)40f+y1Bt|?U4L+UO%<$DyKGZb?6#={=r1Y`Hh8?Y6{ND7hjY>@%$}MRkZTS!Ok_R zW{bdE*ZrAp(+Bur)q@iLLHR~|1eJodnoilTC38y0De015fSsxQcl?G#J99&5K+XXCrZIK-A+7Ikp1Ma|;RHQbeNBI%a)Mk~%k)#Us6oVU5}(VzA1&lSv` zpFBrG-H8Z=&9(KP$j_2#wva3#s9WeX;rx3A zXGhf1%ul~htc;=2;kkn6AMLq8J~rOmAhTO1g5s$PR~KrYj_-u?1qvxc(rJ!d#ZxC% zw2Q)9g#7iRJ$-W;jpl4Up+Xo3AmywVdnzW;-NCWf#wO zhThWYjQNL}?w2)PvMj?|Qs@Vn4zny8Z_+-K>Au(xD)X_*#Y*C1X^~N(ZFGFI_|>HD zD;pyn+#>QPADfe@w%%^7M1Q@-i?YTy*;tvoikPQ|Ma}_%?+s}2UaJkvhQweoK56n! 
zw!<}DU5{bP&GptOptht5s`+F>e}ON$e>G%0q0$vezxSPT45!q}+_y*V0EbPKTD|^m z;F(xj=R1=`*Nw|3*F^*hGsiw@CWr+#IsLc0;H8u&jnP!kN4pD~s><@#8{JHeL3wL# zY>aCLP1mog#H%wHQ|P`d+LASP)oUZp#wgx?HS#}0(8uzk*^XJM;xP2EP@6RrXE}jb z_kPPZ`FxqtaGFbdWf~|?6zsbnG4b4V7!$%uRq$ew5CV?y*~34dtvAQ8n}A`u(8Uir zm+#u4x#QseUFCTteeKd|lhv9^UE!E0RpU*5eQQVsKpfd1}?d zcRnb6qfF&P)hp%yE}u1yt#M2?q%QXgo#AC%C(}--+{aSSw<}@DgFjZ(EYy0IBzdHp zI0_SQyq-a!i8j7 zYoZ1<#!i?NalrEIHEq^;p3}-_=iv}ZVahm8wjM%|E-mvGi~KrU0HJ;X#3^&oOu(`A zLK@L3<|t0pa*@Pczd6}WuISToS4h<$h|7`dl{P4FyE%}5@J|(&s4*sY4Q@4sZ&#CQ zQjyT4m$m2=Q@ktd^mT_>x^91zMc7G%Q%tVv^pEPtSJOP~$t%*__Psn|KeVW>Q{L5y zn$_$U*JQpJGLbX5JggP`ldvTzW%HZ7DrFZe*z6SJ{~=64J4AuUR+6g4@UZV|x99c< zs_>b5@ zEbQh%`@LNzOpvq97DB$mlFt}@KG#NbUYnqN?D_Tp_;Jz!Jil;eRqKXa@+8GVh=YB9 z^hVi_B|Cgb`7R=*oa^h9HnP{0YdO&+Fm5*r(^#~L7Q1>mn!Ka!#*cg?V=JRhA;K|8 z`rw}_e@__+YV+$GqdrlSn+};4?NzYJ)pJWP@xSG~CNl-?hSR{)`Gvnt5!SE%C%}2_ zoICL3aQrH0eYldzbIXE+63pEgYQ!6!{0&4CyFaYd^&w9IIG6FLg%1}pB{XD8HQ~bR z;tno#IyMDAj2k``D1D{0t{r&U$&{tYIeoi4F8XemZ;4pK`%IeLFQ)(D;o&(;wA5xIvi#ijmslP_AJyla zMzFrqn<}hd81fEfsKQSs<8_{m;UQ96F?%ytMxm;A;)5jM=GNxNaacDe)j143KUygb^4=MTmhiT+{hlF_%B2@O{-nX%$hzm3a|%C+k8>j` zYmCg(Stm)|A#V9|`cdQB1EcY9rX2WvD=MJvvveeOx$^;%T&F5?uaMHzSbl#e>Jn$$tR)i7mY_UcB3G^Y#udi2^EvQ@t` zx;ur_P3-qFI(w;{;|b1cV$6pu(mkVJJ=uM0`2fRl>~#JQfqtZzfL_3vl&)Nbr$}ps zZw4h=E)s4_`5kzw)zM0k_SO}?utM16%dk7~r8{2n`h*V3A8(!vq`FC9}hRq`c5|A)xcG-$$L-(YKMQSw@RP5xS zBI9`!SeE0k=U?xPFOwr+@2hS5b_-TWlPy~XJRKed%`ts>dgboHMC{WR9t%Nw!Is}9 z#W=W6tjrlHS40wJ^JRxP9R2&^WakH@^Nb!21V+u0=LIFR7`{RLmM!o9IBZDmDThyg z#A#XRsk<|Cac1-zQkbq+WW=|6*7g2{wUM>}9^jjegkS zIO~AHQ_|_1!TJSWTgFC;dRym-(DqK#o7k?myVS)Grp#%5%2LP1&b=Q_nMGr;nJ>DT zKdt=BLv%Vpe#0g=m8;{}!b*N(ek4sFO%d$HSauG|2=Q zebrfNtr@3!xRpUj|L_|tSZYYc#9KH;{5cROBOChhJ>d-OGcUejq7jW& z%^>59nvtPU`f|s#wd?o+xl_qcFH80JSYLMfbQn3gD>%L!rVqY0D6c}Of(wJ`_n%JP zfJKSq?*{bl+Sd@VaoY4sYpeOxLGDOd6iV{HigeD4m76ka1pjvseV^j&@_gQtQ=@*x z=OTrj?eU0d#AUe;Y1umn_~Ucxp!tojitELSeAFI0junvRZJmnIhztWZ(%sT{C!+*0 
z^Mq%HBPjid-VbuSs%3uvB=GoB*o(FDB>0Fje_&Qto&1b9l(J?iGXnN@~$p=w&u>Zn)4zi=EF>gC5y6BTh3uWh-mRZ)} z+;je*Azmy_50bmkcee5HYnuE>+m>sfd(B4r1xI|kn5KB4%zTAti8!s$K0{`@;XvS~Jf%~8G3)YFlc?C}0DpuOr3WeFgS=lM{ zOP`Oj+$OdddT-1}DLBqc4p_v7u}&1Y34vF>`4MXy3j3;Sw);gK7u7C2v(G{U7CE#p z>@=+OzXIR%ywBc`O!N;2T^ep4y=mk$rLxnA-DmpzcF+Q;mj&N#S>puRcOAlxp688J zRWy(6^}3DYYO;6}&F*Di-HC{<)NeR<_cSHS#o-3kZyq|~7!CXvccl<@2l>_PvilYk zH;Ov!+x~cbYJzv)lT|H%^^HKZ58IS59hq70<|-vy)Alh$LTIad<95wz?1p|VJpCYM zd4_x91Iz|mg@tqdqF9c)UrS^KZSPvGP{NRJGw;@$vKW&&oG)(>cy4N#B_!LoI!HB7 zncN*{4_13{>$LhMqkcf`Q@uPc`HM?`wELp7qpj=I=H5TqF_kh~&dv9)HOSsZKVa$s z#wFT8o&EmTV(om870h~{fMY#^L6yCtRuZfRO2oUyC*4&|(W6Gt=Tt0L6H?3v%CDD9 z?0-`fxo;a78P}XSw62WRd*MX>-tNEOXYKhn7#UtgnaJAT{2!6N<}%;)o-bdGi%TI_ zv+;k=y>K-9-iJ>yuX)p^UZqxfWqqNYb5EP_0OM|O%poD?G{3da!yC~1@5QWyk^S%r zdCYDd^e6;Jw`%$r1v_3|V;%U{%*uC_?h<3xWZlF*G!5ey5ERs>6frUyGHhyL>yH>t zf#IZk5wWqe`M(St&CkN=T5>Zb^*9QDms!F#LD6A6Ask%XN<9IhI-Xsq&xF5yMQL!Rtv_X_%boN;Gi_@59@qLrxDUKxo%t&hCJXKC&NGiY%;_}(WHr)R3^ z7w&)F;%nAC{h|q8s?slfn1ZOr+ZUYA1#H2Z^M?N8K&^>fGW|h|2BPfcS2S28SSJ9V z><*AXd;2kyULZRc^Y1&U0HD3sNNH10|33=&0#|IvvLDf$V@(i!QqD5>IaZ}?B+4P8 zIv#w2IpBM3?-e|Bo~ULms@_8_?9mpVUtxwC;{zW^5YJ-lW!~^@UB()t^8*PC)Y|-h zw01c1KL6TM=M@rYuLe!}chM|!+5XmZ8&Mi2Q0vd{=~p?bhUq{1bn6pl&|cckAJ*f~ z?ny*7-pWT$u({MyTUY(T`(s*Ks|om*g^p>Dw3>iCm8~3Ux`9$!WBllS3F0G3MD1NV zHxZg{y1JOM%s6R^H;8{JL?JZ*Kj&^+b z@U|v$8@F@yhb7%)q8i6NZiZl?ElFQrSl&)z9#4TBd)PUQ`L(CkG@lh8#zF71O+8Vs zswTlfY`-0xX-k2CnS_R#qRWxYx+t|>#}vQmoJs#00a?n@vdMG(813sMGlXW^lI+de z%iri8qB;=U*vIN@MIVPTw zE@7LsquSMMoTb$I`bzy7QgVTb?s#3_?(^*zFOHRS`gcUx8o0c@`j~`_D^^R8Io})a ztZWSg{);bY)_vy^S!AF4OCo=oK{0`IadyGFtX>EBS`>-r_m96{(N@z{o=pU8>X%H- z@g`^RT%3HhGk7lEQq|P}zWQi12O;t<5&|1T#eL&9d(&N&}lxgLp6ZRPC2jh}!$% zkeSWhl8_l9cZKdr9!R>%ov3xIUR?!_MD~zS8ovVLSp66eyo#+Xjbz#PJI52Xcawhp zI(B{{vq;qu*=j$+ipITc_Bk&z0}aa=k$q0OMNY7XBkA^f{)}?-d^SVA)~?lCT*EI? 
zbbDI@4|R^$Z`FO-G>THHU9&cN(PnY1);^!NX07CTYdQMDNVO+1kM_uXRf7BN&7QJJ`f0@I!A);8NxFkR9qqlo2WO6SG5in1W4dm8Z?qIuK=O3VD*J0hikQCB@8d z`X%!;mSAHutS>7NxW6)qa?DjwkjB3jP6|e(4N)>*=pUT9s6P;;ZiYqQB7QpG3{B6m z#Vo80O$)XpKJo@p9q%#v5DWa!)MS>Qfn`E>XNLg=IQ-Bh6%ioFIp+VXV;Ac z$W%^cFJ+Bhd{JT_sP&V#B=8tqN^2gq-oBDQv9CI&ePo6SS{J^8PH-;CR8DDo*@w7H z<!Wg0$ zpWy>epw^~WS*r4<)EHlTOM>|M9R~Lfm?|GJK%hh9&cS`;ONi=tQ{j{FAAB!5G=-(b zM7DH?9!}wEYh_RI`@1rzNn|Y8@k1>y0i+T7^D|tzO&wZJ>*-j@=>q{?6kX3br)wMHiCN9i%uSpOZ zTHNElOD#Fd+But6B>*TRibGcOM-nuzjgw8CRwV%_LyIeaNR~U!xw{wuDpwl;AXrce zWKCmgQSH#FU?9rSi8VvLpv^o>X|r+TYPM}P^NCr#g^>?ev%=j|Gjtlb)Yn+KqYXPt zsWv&s1fJP;I>x0O)w=w^^3@}Q$TF95tY&UJ|4-ap28|4?_5W$UMIBaGdB!~LGL4?0 zbV*h7BbP+Kjy`s!1Q8>lwUHe)L#G+EQ)ejkbmqx|(mZM%@rneYLDYKpOA<62d#{!t zPQKP-7-Ofbe9@j^nSy^8eM`V;I9m zrPlQ?^Mz>kpES=IwqzP_dYeD=qa_4e43hd`s5s?T)5ft9dpB$d8+_m zaHnaP5_Nzy!VH!V>PSJ?CB*PE{b8_G9@@leUH*^=JE`&$ZpV2;$64myO(|`v<)8en zfd?$XJUycaA2mZZ-K=%nOlcEqbdPe-r8-I(7+Kdl^JR>ZMmQ+v-uvp>k32Q5>jCND=!NBSCgvdz<)*h zvXY9Wp`YiPLEBTybe(C-^<<3U+dA#GI5R{x#+Y_voEhwFWBoS2qbz9F0Ud;$yG zJZfFJT)&p~I0I~geb~w;*v~IW5OS>MCmsA>EY`KlcIj6dQuJqmRmWT=!R9S7$~TOw z5~7!G$Wv?qt*V!kiRzd%mpkdbI!Ys~B6jPaU#!#5Wy{U!Hze?+j`74#pjPz-2|V%6 z@%ps<{CNo~XWDWh@Q^2QtafU%38;1D%lvUY%iQ-30Kt~TfSG;~*w^%m0YJ?;H8@rN zw(?BE)Lld!XM12?rY)C*tUo>@f#=Wqw#ffV^ycqW1Ar${hcz*nZvY^RD$`S^@~_%8 zvu)o0#oV8VM^WUD18{XFL*@W_)C>d#3_56{z%nk`%}AmdG6OZ*(I}wEk+>r24yZ`F zNe}`9oso3fUJnT1s_X8m-*t6&adnNZ2Mz?nAqWIHBnpTeHMAUpCgDixed<#^;c|b^ z``7!t56?rUtE;Q4t3LI)4`ZTl9B_THH&eFZctRN@8F|&J6M>rf5%xSyV70wyW}4`h zv{rav`73UeoR6&VAgmWT>QKP|IlbT}(UUuGw{`A!E2zN(Yqqd&R1e9S>(95(Xq zR-GuCUQWHwzTrkex=F0rn}(2C)Ee?-3Q94It5$iC?CE+%EFZ}?nLU{hb01=)M_z31 z=UG4IjdP%QVqSN10f1X_iFNAeYgPao3{{1V!cz;Jh+Nsn$puS!3ge`Y1}DN-UGb_L z)vFy;zDDhE$=$W%VeJQ!_>xj{U$jR#X<)yOgyRR4Z0PPBHdJ1#kF0K24v!cp>#i)NHz?T9|dmqT8;l07o|4L4dE zr}DsAeHqT1>qO+}=itkeLozZMkR?A95F*9fDK(Sub$+UsX6n;D)O+X^2G=WMplSKt zD{iFD@eM*^%}$P|Z-z+)UvXP{G6or+A}g*O8-oWd;F^U}gpGdv7l4^kG6r9}fN{5Z z*Ri!@AI!Hz+bbCZvsfp6C|Qtd)~h^Z_!@>ukK-j|>iOnO;)CWkyo8KNHA~uItWVD& 
z#b5G6kI9X_EX(|aKU#*m+{;QV@ zQ5R%)0C%nVKfDF{{=(P)?!E+n3!p8_o$EwR_8;GHBO4%~X!dyO?e&_Qt8?;RjX5p1 zrEGF`7GPr!o^0=U156i<)I0oTHwx*~e4a%?^kKA%Qptq z+tTElu+ig_IgAi_o7o@j7-&J)&vPP@^$De>Gop`jMA*wBy6kh*byLZJaQvtkXDBn? zg0*8}eaP3lCZSvzo8#-vPRu{%IguE@2bQ?7aUO?^>}7msxw=2zB2SC3eP#&iA#4;j zuotchJ5Xe4Nu2V-7qJpd5c>}fe!)aHMhD^vd1yq>^hMLLkyi(AD5qY95%fc0K%&ph zV*oq(B{xbwi?}PQQE0H9En$Bv85d5O?`BEben=ic$(x%QMwBz)JCp~pQ8*PIAUCnz zU`V_Zy0%eofX_l?_!?f-zRZoxLD+c3SJQvvKby}g`zr@Rad!m`ufBI9)2~D`f*4eR) z+d7$$nYhr{c_I41>JL>HX*eF^{9YCy`)owLw=K2sgv98;7+-d<9vgXws^R4u6$h%v zlkHm>YiRUsS(Z8GqJ+Bm=Tr03B$H7L`%&GcR-F023pPyqqUpj4yhHn>t)r&nH7yQyN(k z&Gxrqy>QtZZZw{H{Xh;VSy}90vLiO~@~WLEvRJvPL^~1GjxpB5;ZHNZqw*l? zUGfrm9>l3U11#@^3BdCk~lzh<0xbp8;2=^f-I%vDe$qnp4rTeh9yD8l#FkV<% z8}g;OP?P(H)<$C%^uU~NxSeBjiZaG{5Mp7{^^`nGmZs_yGh z*9l-19{o9`YT-j~L4vouw3p!gZ)0dcAB!Sl_$OG87a+QYd|Co5Y$o~fcG!tO&SDVr z#3DB`KLKZBYgX);suy@j$H^6xlDi&qpbJm>FL+?t=dqXa#1kQ(Cpxs8Y)*iF^O3)> zk=9_tt~~8T{`Hbkk^{D*a1Pe?@yJ{w@1duisMMc`BFPB(vdE`TIna1%^1zj^xX}Y| zrOSP=?k)L4%InI=a}Qw0w&IU&bcfORd#nyeN>6Oq2R!Lwfak!PP11e7lK25e$U!%< z@I^N&(S1Ji2=RPP=~C)Fx|E4&y_dLAu%3FwB|HcLiI(^ik}h2xw1y!#iDj?G@g9oV|8Jr}s0b3fm0_uQe+If&RC`byfd2whFRN9*~) zzC#bOI|(d?ca2X)t~7R~^{Rr{pExJ60Y!A*p$JRcmp6el-LG>I}Rzq4WvBtEqhthpoi)0MEdX^J4rDq|$D58Cvl0NZE zmZk0#LP#z|T5@R?HuC-jPgc38cg|vd_bon^Pxx5=W=T6l z?&!406E`%1iJMdbjV|y}?*lJEdNh9v9HHd?PD;apAHe*|-p*!?dsk)7?3_~)1G2AG5xRYD8 zv#?QktkQ{07x#B@R{>4_{eQqI>GPSeGTp3|nco4ev=Ul7DxIm6nfc_A4odya*vMNn z(UofTkkSrHyCnZCvS>Sdo~satf%Afg$F7 z2lA>vLC&m5#U184VVxq2srQMc?o|5F$<|MX04I-O7%lK3oY_9n!B{VxrZJ}D(0H=b z&iLwNjpf3?y3d=*(1q(oE}NuU--XtnUa*3&t&exEZoZbT{{ zwoKph8?oVomA%nzfB|KQDuuilFYx#j7y6$Wl_bsQV?^kVkAVn%$E0|p$Egao z4c~)u^f=aVj%45*V7{Xang{N4Ax4APKN6VA_=j(>w&z7W*`B||jbi)LWIHzGHHfit zpPcz6&&(~xg>Kwnb>7Yp?W1I-8==TztQXcVbR#l!a%%OfBt37$AKfUZ&UGL;JKBRI zw$Fi)+l`IFb21R2+&yI0zahSodT&|Gd1hX-;$3{IFQ(& zprV>q`Br1(mICL@A=-&9Z{h1;5;GQY4RIzPeTeKtFvBJr*f-XgpIH&bFzmf#$_WRg zUm1YwW7YIFrBAeguj0yQt=d{mVTu^890xfuk`L3axV*8W?LUd&7j&pY<3H3 
z+lxN9P9x?=1%u@7WIVt9ekY~;-E3v)z{eIrj1B~jMzmH&jYnT1LqW)>I%OHc>Xbht z^5qfGjJyp|$Ke%mHteTou-5SNej2rv z5&M5BjoQk|%jr%e870qSW9%|^5{k1Wqc|NKd4X?TOvWz7MzNz58{t1=EnEw}A*BCf z+*vPJuiLL(%Z~qEOSe+F60x`b=d{e6=!h%CX|MdxvF5Aydq-A zjI%DheFi{r!$0Ar&j;JqWHacj!iGH##HjisY*fF6weVZmurGTOR^nZ(PD!9g$@|?v z_0nqwL!Jv4ro^Kj)H~yOH(E-)EwyeGWt?Be495KT@1S%AgZ{#A*h_BVC*c-s6#np( z6OroWlt%lMkrzBp#AJkq4^y_&7e1tP1$)L%$=By7jZ&;DF>DmBdCG~#lTBw+r^?IP zKR&}Xs_(Kv|9zG(uvk+B{=2h1NY23O>@1`>qv_?3lIJoI3W^^ebgsCIabK#Xj-AaO zejIW{&h}vK&BrJspC_N=_TOI7MYu^QhwLxQ)4XX(euO#Vs<-T;RHR1V(AW%5> zM;zGrOR>TOsfZBHUCj^tO?Wif;ha`Qn2kXU5gv46B3SL_MoSQq;&hZJ<`(X{6 z!e{Ijqlyp0j6Q%%-r--YgLXJ*RHi*jUSV6L!|Y8zHVT(dcOtUnEdQ)W$s>FRCzQJo zd_I}YZ)H77?(Bxp3X?C!@NyR-53*Zo^)jU7W4$^?W{HekS9l~n8^>Ffp47Ye874mt z8|FZG3HUJ=-Z>q>>n1pF;bqd~&t!1Rs*X|bpJ3+7veb4BobE(-8wH(Ve=9kAno{*m z))%Q$Vn}_HeIEjI@UJGZV^I=6Al3v0gw*O7lCNjyVu<314k;(^Gypz%lsN5(YohZQ z@okLSfY~z&H$KV0wP+y|nnPMLo)8zWa@MnVsox2j!InyXFrJWmcRleMJkfI@uo%7A zGTXpJ9MV5vy^}8@grezI=cl0ach5lQEY>-lY&c^PiMRjYM#-rHWGH24SneIHOZOFI z8@Nqeyef7&U0jlIt`ZxXwR$$Pq#cglT1LGu8*ZdS3&Tn2@n(5+INmB>9dDL<@gx7( z8SZ8w*7Oh%cviJi0H65)DU7KQ7j_3xqPmvx)i*D9pyWH9l(GdBgo5JZf3V-zk!x%rbQ(E|tfRHkpuh&(88khWwq4Y<| z4K{?#LuddSyZy`H^r;^R&vez-+zq8rph^LVBgrUy ztANqE7I|PaAZf|*SUV0bH**)dxi)&1mz|m-7a~`@Nohnq7pQcVXopJTt@3m;JsJp> zVI$glfnL&AddOYLOhc9p=vzsLRT$1}!)D|&DrajEkat1jrO)y8CEu{$Vp-UqhzkDo<^E=W zf_nGFQU){SZU@4;cgl0{a9=HrdV|(L)cad&aDOYQ?;6raw0D2W-Sz1O+}*Vi>-JvH zxgokjt#UxR~mb$^;s_n&wcO0AWy*D`!HoU)?%s2(miFwFvH#v~mi(Qh|?T+*9 z$?a@4$9k|9&cg9#*%iAL$#yGJq0qyIv;ED=jd))K!ibk{bD=Ih4-zgpVC`Lr5OSi! 
z9spO@F+PW6NWN@P!ku~t8X*HLkVMBVWyh?B&*IsEAJtT=m(3n7t6B{8@H# ziv9<8Ag&B`90_~$I|~melJOX z*7{omdA_jzEU2uR%p0?GLRHjz!yJJ1Y=#NiFU15;%>zt;F0#cm-t%$ZOoUcEpT$cN zu{qql(hh=823|@ce`BKc_(lvg?*42{*I{jxg8@-@EG{3Fg>4ylDcx^LQ&@k}fpdSx z>bz{EWMS<|hj|UAo3S?AfyL#sv#@PA9i5H!*$y1&m~oH+9M&rx$rX@V8nl=;_?OWGD>b+uuMRR9qr-lhVjvK#=)%y1}h&jh+^IDVYjr?vHXXW ztH@T?CN8gKtBGy6%It-8duN>+vBp2AvBuh3_UDC0tYU4%`gVao7nlQIFO8Q6#hAIPFu|Cs- z_4^&z2z3*r+yu_uA_=Q-U;`FMY{kMB7`aWXX@?yh<-z)09(G9k*4>xQ$k}?aJ|Q-2 zP)`b&t`{4cv45R;mDq59Hjb}XdSY!0Zrg>`69OA5BsScY9n9YR86|;L6{4gym1tX}+#T2`7;1`=wnIHB zNV!cBqre||LCW2FhmkHY2=Rx+6`>3o6jw+Bm5fpv46IYqBQKi!@e8wTxb15;Nj@$A zx+KJ^7$YgpZNq^R6<5UyGLY;L8=8|r3f_Yz@h2ML!y$XC-Wwa3#^$6^q`0wmx5xaR z?MEXlVPH!|I@a#@Frc_ybEBp-8`ej7>Krxe<({$AF4+kcXhwKU!n*XmunW80+jy!i zb~;<`Rut<@uk7l)hjl*AP_#b66U#4zLN+UpJJ`*l+FKjPjxNP|zb~PK3hHm;o#{LS z7B;3+@-q{cj88BF!|NdacF{5`LDmqsyw`!XQpflSlNyat2i11BxFn$-PgAKNE?MQ= zA~vuEus;Fg7mdT>@~R@NmpZUsl!LWQM#OqyVP{Be$dI%|FxK8ynStplto3RP8Zj4J zMq!J;8Ef7A39&)$Eg0RmGp-^?*RgKf4q@ks;QaPBgpjh=N?}l$g;yT3GbrbI0PoKR zNXJ?mx$M2XEfunvq9eC#gH_|iIc1Pv4DoIn@ZI$V=*K}gWS+_u^c@8>o z-~u;;quc4gYZh=KPh=4LhEJda9jT@R0I;)jNDKc_3VA=-$B^~#13qCw@>9r9toQp6 zu>0)ks_C|S^H zE#P#v!gp9#Ff?lju!eMNeAbWyI-aQyvQ^u729zM<##?l~HI+Mvy-(7gbd&^ssJI2| z;jBB2i37pzhqsy${WdHvZ^ZhrH0u4d8aNM6RX53)ESO(Lv~SJzlJ@OR-*=h4tI9xcq1G z0d$?}!J3WDz3~EY2#m_A=syl^r^o zSw{W|i|>xQ%D@d5)0LPOdvIH8?L8E0M{qq>&p0c;XOnDXPiJHOeh<#A1hRJ(&OONx z51XsdNeAAdxKU$Q1~+(*q(ADw+Sw9g*f5EGq@C>QweR^q!R6 zNYW}C6C#VdB2)ydoh(cK4Zv#t5Bn|^Z+3C+3sQKHsi2^-4+oXU9&CKX@D0>nU|hhi zOSyolmB0n;vl3l)Nm1$#LobWud*>Xb5$ymDjLKI0I55>w;g__-z5fB_s__(q1z4G{aD!Gz<9;7S&G8 z=IUd}Tr>DVUNG=pY34%Fiq~y z4*3dfd{$~hh^z%$*&Y*^DlQ}clscOI`hlb}I-3FT4U#^%V?Mjq2^aoRN6|G&?D6wJQtV2pj_J-RHYe?4vBGvCsqDtm>X->u%bt{680`fyt9EC?fO! 
zkF{^yfMD!-v98aOue`(=;0lvxDfr7Qwu6%^+~DweNoAbVGo2`TwN<_=><5Ywyg=Ea z{*WW-PnJshym6OKwj|Id-x1LjE`O<&p#2*f9zMmP+;s6&l)JFHItLqt>Llj{T8U&O zr8GjDBI+8C`R|ank7p1uW|v|OGVZaB+;`@e5)aqUxY)~qD>>q=^0*W`c{dhLeB23W zX;lT2di|4}C~3D!QUD$ZoS0$9xhKp_oZH0noj-flO6|#z$S4PS@MkbIs;jda8K-I# zX0kyNu=e+R7;EiML;_nXhG1Qkrmk~gx&ezTx?dp)>m%Cw$jYQG5?BduKRMBfk_*{` zFPNKvU2BZZ%SI4qu$SGN+DU2h|9E7{9@a3vlhUFXy|&U@6r)aAEQ-+{jC-Xn#qCct z`V&PlI(KGPX_45_23y%U(TT|29S|HjzOk{WhJv)eh7Hz(4VLP-lC|8>0W}s*fwIGP zo0YA|Ud8alRhH{aC{4hc4K#7dk*`vk^6O#5+x{^isK>@h`VN z*iNZro5GEW%i-o8PzT!{XPD%1M=BK~4z$T*FF^4#vq)zfrFG$Kte1GOuAtiDY^;YJ zSi92$;f=bDp>HQPG95Uu!|aX&O%-lzWcEyzzgT+e4UY9Ma5~%;EXC?P4^nclwh3!H zNez&fqhigCDI1Ac(^o(!R*@|vuY$I@9)y=FB3{D!kD-(%&mx5CO0%(kmjkaY_CTnW z-e1xkwM@t@b>P5OtnI{N@o6RjS9FhPTOzsZ?luMqrWn!Im1vtvw67z%TS|mRNx$At zu|Cx!1=h-$;kwKKrfV1v6t2xIz;vzoy`-0Vus+vQqV17xE_L9W=Q^ao&Wdi*!ks1B zF?iLEs4G~G#gRXj2>bkruz!8T=zdEiu)d;SvAAMP4^%9!=d4b>4?yk z=I*Eq3vFdMaJnKhD6Yut$?mtc25U1Nn65MrV<8z&DBakCo87T-j}WX)?~b+6p79qQ zHz=VCsK zT1%4cfwjGidzjP)agX{~fKzN6PPQKBJj9JZp3moH#oR+Jpf7@@l76=*qP0tbFDqu? zC0M^*($-`3Atr#0@UXL&yAm72G638`>Ch3h!{F{>P>TCMC-(XlgeQ5!N=M`99T7DA`X}{aMXph z;&8Hy6E`*mKleD%V-M%PXLuDV<4wDwv`D$zw z=itB^alzw^+50;VY!??i#D2bXIj>qcjVq5AU7YxD8`d`P47C!YOT&Dm*D(eh>`EWz z}`Q2`tFlfb&)<&gCI9g-MIFi^nyNKZ-b zR-C&|3apEWBUVa*tr2m=2FZ{d!UM^wPC(O_PoVzj|CqpfFPlKo|9WoH|9Y;j4|~qh zNhzC_Brd<}|pe zd_S%cs_7MOgx34cKQfU$@*ka2@+L10<2^my&0Rl&_h8*Vp%TbT7LFg4Zv;>%quw1) zxvh$}+MX9DV59K5`xqyidt_4bzE(=dW36)nkhtrfaH2`c5v@Q@UH3Ur@~@n<_F%u4 zSn_+@Oi=4&3s9IA2hp3Z=i0Sx_mIaZrLnU@AF3Wc zsjeMDwk>0uF}QT58$~E2UMFD+4g!e@5o3&xGK%NKQ(Ih^Cd`vjSJ+R3WhH^b@~=o= zwyMn$x)#^two_t50&Clis-a}wGTzSfxG##dwcohaGN(2}(YP+N`sGszaZf=Q(0kH;yE=;^-y@9JYM zJ@rOJn+QQ)?CX=uD5YaZ`&;hC`rvP6H);waJHzdDp{uEZUyGgYW8f`C;?kzrX{We! zWl_zSa(Y3zV#l=6Y{5qLP$rJk4VZpG9stGMBu}dN)VZ-(AFRo4G#cyiQqUrfqganW zCcxLf`XK1GU&TDPw`^xz(-y4Pvvw|Fvl-HX4G;5D3+*ZI>dPvmgvt!E@MlWRo3YkLY=o`nXQ0q*JIu|3 zIpnvrO9gQEaqfI~X~np-M|s6KOU&2pAdhQj)f*8uK7#T71{D?dPDm1P_qrhO@a35! 
z=XbUtgetEns+D~iP}_iPKSrq;{+J?!qKo?C$|DZC&O8NadsX7Z+Hpxc zR2%YTkk^k{(>`81(U(CMGo-!JbSUQKb>xa4xj4gV*3yTuo@q^K3`3XRbu)O9!wfby z)}J0nijP@=gBK0eJ|$I1FjX##D+qP_Gc!^KM7?Sp6vu7_JPlk_zsF{{(PitP&mKxP zyZ|c2ccHL*x)1C2!86<_mj96A#`^4Wc>dZybD@#Eca+lTHRX5-udi^~)Fw?yCCd!n zZ;U!E8HEFPxzL4}XglPt4A%9{z`C8`TPPc7XVPj=+oOK(VKWG-heWK~KYYrKq~U*F zhY+f`66*y%a_b>VLwZh7?Z{U8u@>+MAlDq_?9hb~LB`nA!Me=e>V7ele{zO1n7>2$ zvZh7e5HzYg7zQGhmMb%vevs0j+L0;Nukt5?YDb1xpTGmQ;M_1u&a^~V$;c}x<&ov= zJ0Ob+prp%0Y%oez9;B2EI!$S;@OPDNgyjBGU|>#}8_9Okp;6jozk@YHJld>>pgi)1 z>24H^eU`Mxky9$jl^tS33%UEpE|lL{R6EVr+u11AH)%cSksG1{JN5j)NQ=L3B&RyX2(XxOO<%gbR6E60|@{#gutXJePvHm7(d~yOI zL_7c#DkK$CKWT?z7g{kB46`cjSe={$&rYaAjrWj$QA%qPvK#B(9&AuL!ZV)JU9B@X zHu%BF;Fz&i;S;R)JMzTkr%y5_4`qY}f6rzr`!Xc$F#EI&5;+0~`pqZc9KJig$<{3- zhDcGYV@Ob3yp~O(s4l0d=BWH&QLJO4axHvPmEcnPVl|P5X|aRNo46>Y+8T3*5#CbZ zoOx|gtfNR=k_hG>6<=KC*dq6211kN(HB`w8YHPvwOgkLZj*)eY?$Kh8xi}c>9HKBP zMn>(2og-hiTat^W67)+&Gw=Hy$56i*qsMuDtK#G~D+eUj?{i$12Qsiqz8&jgtUy4r zpS`83>n&p3$FLPoA%~5^jnYM$pK68>Xu|x|Qr9RhMp|a?r_{{EYPAO`nM_!dw8;*T z)clF$YJmxTmDxDntlW+1I^_v-; zUl!J<`Lf#9fd1}F9-zDzZ#`O~9Vg!(<4HV$11`R7v`4JbUO@<11N12oj`J~gL$#gL zBnX|9*?8+w^L;jVH`Xg0k-$$ger*<9zDRp6StN5GrDQH20WJUBq) zE3tl6tl%aDsk|~VU1KIM+BcIh3=W0(?mA#q;JYl@;JUI4k_~o&BNv}OKMvv(Hta(f zEf+(HlmNv9ClH`=*OlaM{RQF4zdm{Ek0~h@xQ*?j@%$egP>i75bFqJmz#Yh15Wb8)0<{lar@7kU27J_&u#UOUr;)%I(}g*;|Owh63H=K;3BC16SO zC&K=OzxCAHFpa1yI6g95_IWBE_9y&Q(n}CFGH;6rTZ7^XXJmM_r{ac)J{FbeeSPAJ z%v;0aioUTVhdY>~tft1xXc z>m@DhN!|rI)J80h*u@~`G0W8rYkNr1eufrnK*eoAj|VR$xmNQ>=bN+eQgWr$yzhK- zHeO23e#e`K3SG@PcqutxH9O8X55-H#CaZbe`Q{?Llr&h)vGdIsFD0*8&2OD=F2zep zt<}5*4*IZbFl_|(880P|L$cRhOhWcZ+Ht&G!Nl#EYd&HU>n;~%h05S-sBX~)Uv<8Zib#(2Ybfb&{mLPk`%)oRF6&noLDnx1Y29nF9ps0-fMN2@%&0KV6xmr6 zYo?#0H2Ifvyc$~jrQt#);{o+BoNy5(jA%Q#iT7u#vK>}`sKR=g18bd^g|34wp%H6q zuvl#3z&b1zufu^auvq*B78=>1$>L-L8b^JN1K(nCgh@VOJcI#eq%H^2za8OBFV>DV zg?ta9rjRcmk?Rgq8q}KN31t@N<+Nj@Cu>_0j<+gPERmwXCuwI$_p_Bxbwqg56VaY@1jUAuY|z)!px7|RmrXw1 zpIYPEJr+|wZx5F*9=kaHe;hCtRp*PbcQFwK^a7?P!&A<5y% 
zGor;8F(f}6V572=&M^2u#$;qi^zOb`Ku~(KxoCUHH(ygqe*Yb%{-ep?vcUq|urbYt zB}4X2$Kr_Hke+5vmLO@J#P==Z#X2Rejr94JqnqCF=1;+ASJFDWGKsFO0i&P*?lE8U zkVhtOHStI6tizvE9X5W$I}kny`ScsEyS@Eu_5rfb6S-OTIpkcdodC?C?i1K2^+{mb zr0z?{>Y+}?f2zmQYSYLo>=YTrHmnWug;Oc@z+=+Nx)ZXc@th1C0YXg#O6fd~j=9@F z4NTUmA}aBs8XiE6!+fO3q_m#(Ve^e21zI4+w*p>+zOv7QUj&G9w^LdlKPtxGKYw?Q zFAE$0u~zIPdFqJO1t<=r(QP9i?qXklp9gCzaog8e#OrYG1{?_ahAOTIU5f)_eA%)s z?5F;W z$sGqlhH>D)sR}pFg#;u`-=+}Lqb(`KG^vGaPo|U6Eva-ukrwWzk#%X}jMZb^Dd4RC z<-8e}rRQagid9hZ!hE)3{2m6I>gsXWD11105tMgh=UAQRK@kRi+alT~MQj?ucJ~ek zRv+>p^Ecq|`LpsHtj={HG zu7@W-?*I?al;xV?wkvjb35cyE{Q%>rr+B2m!@i*v19-_rL-wT++S1kS5WZRV4JALr z>M8)5IotpPSTMJV?Ebck@`fE)+lq5nvOUd_0?CT2*erR+9av~0|AM|@4-SMKO0Sam z0l6pE!ze;Gj))axBl##K*JFe>Ap7za>m{^_Jl?`_-B6xkN!#0$o`$e7U5IFHSYr=p zOd`lV%q~3SHt2pQ&vfihNV*NU1;!Yc7c{4o&oW0 z^WZESZrg?9iCJG_-8Ql|(-A9-J>o`4>4E9y2wiXfIqW}RrbmU~M7EExgCHy%BRjuI zA^F#L@$bDjN%DZvJV|nJ@&5u)44Sfw%NY0*V8i23ntuV5+Q7!T8e^ky#cdZs>4ST_ zp!8fs+bn6D6mL^78-@L?k`{4*;VStbNEG=qWS_Oq@7`p{^n5XMnMGpP>)o2BW!YVPk?la zb9az2EtCf9%CjxXdF(vpT)^(smS+QoyVIK4#Z?#9-@~geTud{^Mzrvy&3fcDA1}5&^F7 zSw#M^gKvBOMcaOpHNCE65cdb~E76+HYudmhh$a0AK8+G#%`Z(c5?CXNBZ#COA-kI? 
z#V_K(UZt2PX@ortd{JS?fn76t;y`1C8yk1#;J~_yG|?S(;icRR2%;~T0h=H*z%-x7 zyaH4eJ1lcxy-h7D2-@gB%TPh8o>QUU>?~?TY%JN**M>`_g zQAu2W92+A9$#yf&J%YvMI~ht9jx$O{y*JzeZiZQsb_k-PPD9H+=skbWX!K8~WMPt;vB*H`F?a`6r z%mGoCzZEYXPihviy`N|Q2smTiyKI~rskb6!H`cv1N zkR8+_>nAz5g-Zh8^1myarx0O;dU=w#xhgS@)U`@w2bLag}*b0KP{2>y1ul(3z2-@baf}Cri+Z)MkyJwjnZh2WDNY%7D~&o@d@Ed z2J#Gl5sv}zq#;D)&Cpfb&sy@+7+!cC0(mA}*!4lcor6biu`(og#Szr9F@|2)@-A!X z&sv6-S%Ve#*E1gI7p`WQ^CQbb!q%B(Uj% z+scjD$jkf50kI=TwsJW2V56#?%-_a$Hnf>%_bnBG(P~1-T;`|bpPRV@MG=Pc+^0!p z7*N1QUgkndqiN;jX05Bv<;A>5NdzFjh{HYbalcdt7VGve#=23wRq>_b-6FZ&b40}Dld>YVNr*ktgX7PH3;`-&+z^+Cv#>3UF0bBMi7%|)*~oobH;x_6 zIh9L~HHa!}Lq11Ziqb~3H8m}YJzR4@p63Ud?>h$j5ScP=Jx?aPhHc6$mfhHDNm@_n3C zL1I(;J!4X}^(-^`rp+k}{KcCY8=Mz$75{Ojw|Y7+8*f+32#X1&ty-vXwq zOfyxX@}x?F1$}0kX8OB=ndVQF=$|q4SCfG9@2}qCL}bV|OD}Mh4WZ;UHiVjra}ZW1 zXYr_^ST!1|Kr)!0Bid1{9bqpNYfh#iq>>?+u6nCO{voJRm+XpF3rLJ_PKA~JB)L<0 zQ&+RkF)G2+WWpv&Q*~*7l%ObhJR!U9Fvb)@g6iB=SR3sL)`by!PaS_xgsyq3Lp}l~ z7?ldjZ^VW$GD^3oXPlKTytWuj%cht8VxXv!-};-Qt_RwFtQ{#ZD5>=%i`X3K<`H$F zLiC=K3z-!Tl?=__B92;Bo8A-C;w+eLFRN#4P9Yj1|6p#kL~#(2KHk6?!307mq;+De zc6EvooX+lj1z}{HyR=k>^_R1vDWw&Agv{B<6`9ikmsuZO4PI4i3WmrN#D*;)Bf7pI zP?;VwqFcE9#bo34Y%O2e#o0hfKqwqI9cmZc8uVdS-IqAn)E!K*(Ig zUW*ya`WB?3J(}X6-&}9$DQ|3|bVOZfFwAKolRO)?MCh83F~XY9h%FY^3KI$e+pO&* z-K<&tgDnwH-)4Pa7G4?-tPN>RFvHjvDQVME?rS?q5T>Ze7knsdet#!4PfAXsUC#{j zfk|&C=?(8wzzX1C5}LN3El%qJXwK!hqz~4MJyL*F^x=Xn&TS&QHd1OjEqM1>na{pk zXMO&zb(EStz$m;<8SLM4&3Lqt9U zTUcuD2H!N@f#d6y0a&fdLdw7?EF%`<$()k{NiRx!!@l+KX}8H>XCHyj4<R0iyKh=orIt_EX z;iC6|7cygDMXWxZg%rmF6DB3;my|+W;e`sH9IW?yujCi_`r+@h*Uz}|VqRN}Z{w=T z3!PfJv&k7Mn_N&kmpZ?DS29=&#?IZSboVFJY9xp?&!llny@vr^|I_?@K9z=$&d}&N z^^71slM5oL?DIs_+mPapsB^QBSks@8P1g=eBcO}AB0993%zU!TThkni)lYzr4%f}i zR_=`GPdLIgR2HLy%gJ5m`$hDT9?7Vt*m#UahCkt{=oitu`I{qwIA)X=}0C?wQ#?>Z0rXtq%l2Dxghm zKL*uyXXOcO^jHr?piXk5!j$8bhHK|$^EL8BUFGDBC(iq-GGZ8lci9DrQ)U}uOXJcpgdqpRflRrG(weYNMx!F$&oKPHC)mamja!+8xJN+gnDykcl zWt^$wB8gsyMA~DrO7-Cd0*_Qntq%662NW@-WT>KES~!8FZpT~#pu=8 
zkbK#Y*fuCGPJkZ@uh4qUSxU7v48lJHkY+*)BMm{d8rj484a!47^<0`f5X?0foUqrp zTJ^!yM3N)FpfsY-b@*G!H9vt){*osix1Nx+EhR zcf^fWKpF4(tJq7-T&$iJX69hM@Emrd6^B98UJ8d%J=aZfMSa*5sH7bu`!{l>L+e+RnnL}>OUIyP$8hc|TYtX3LYE^r z8Ntx=@UWxeM!X2?;Vekc%oR6Qkaq7PH;U4DVjLF3yG&b@POwrOUWA;hBz>@#NkW&o zK|bbBM7ZxSlR7Ul;)?O%97R`MfTDlDp3;aBXDFJhFgj{d_(6H^M@ku-;w8$sc#C}5J9Y|}z2miYm)euX_`3ox{iGegq;q>S_s7d-lpymI zrNO1)I2Geh3YOkd+e3!@NNK!BijtXVKW4*b8QeE=(jjxv{ zW4#&#;GAe$nH7x$)4}!R)f0TuIT7Qt2cZT!=?316lYqO8h|A+uAThs zbIKuL4_V(#saX}#XF4K!FL<@Ql2Y>#^=z8lv!+>gMfBUq_$`o-a9BQs1|FS=?IAnx7!gam?PHM(-A6| zE!Lc}AyiOSd1HY?eCEG)s9O{}Gge&qPdhvJJ*FLYAhDqtPtJS+3mfQuqx7}dnLgse zKiCmUHm4yZuDDZxyc%{C_))Am&Cmr@AL^kTA+Kzw)F^F z;Z}AX5Eq8n^{>Q*E7|oBvF7!3xULz*+OHRDG?;dOb~Qk(8OiQmC)V_2*V$tHdmBPz z=qHpW-FAdN&vYY1?)rq%*zim--VXA5kI3(!z)0)$yqrp243R%5T|&JyyUI-h24-QU3g_>z#;vXg#0D zzJ?Zinryw2H^PjC=ndsbS2`1e9m&CI2z@SQvG4zw(&RaCyJK&-SrIW!G}-!Nt=N-1 z$|i8-H3*qIn{3x7_jGj|Y<0U9x;3$GSM^26e3#v>Ln;|s;H-2+hmtX zKHE>P<11VE)j}sC87nDG&gvTXCPiwp+1SKMa2ursH!-p^+JlV|;FVlALMZr^+}Au@ z!xL|!kGa9xjBECp#%sNg#QpkeZCk`bZmmX(coe;J?aQf3~BpU*A&ElTmPrg43xvy(s=2&3(Pk60&LpE&e_wc9iWVRELq1Gh+ zC8WU6oBXrD!EjD_QWX$twdag-qat}gT^cWcW{;goue^#p{~CLaRL^VFe? 
zE?ouL9xFVMDrh7C1iA84uE`zr1>0kLa=3s{K@V}^HSDiTT-f6rr3Fs0#?Jn_p*F7t}ot2#G`@t+Vv1ry}y$=F$#grmupmgFAa#hyA(>`bA2 zW$a9Wd`0ZcZL%jipgj3sgwT6#v)g-4GwnSWrit3C09xKh2$8=wP@4R6>TwhuQVs`0 zT*%~I(A(*I9B_)NNk`G7Wl*$lrqu9QPZM`{)9P@{FTCBea)lM z!g6xg7nDY?E+>rBkNV5WZC_Ao?zECCaUs3OrQe(7Pt@58(!?6Ziis<>Xj|1}&#L}- z@_KCK8LzvLxT2tEQH)aAOO9=zG`XBHe>)0n^KMSgX23d3toarD`)l#Jsr;5-e2z(+ z1w+K=?qq+n=3Q&xbFtHz;=%~`xf}f*Be?7FHWBkUjzk&V#5b2y~!)qZ8i_`avP;d0gBtgat1c=i_*q?|elFa>J8D^;aMEWg>_n#UJgXl-goOw~)A^8cE{o?IFflhqTk8 zIzEkwhojCGIklEjQuH&W{~zA|J-mr3 z4;;qNv`L#zS|&gvML`M%EehDE)kd1NV-q-$bgdS&fKYaeE*o@Z?L^A9KyVsi7)MdA z-gmw1;%)JYs0h743n+p`0YMQF=m|q9*S132&+j>BCgtM(-sk&1&-;A;X)|-?+&|ZI zJ{NbBxXfJ>dnW-QzxxpTP*}Fnr%ZFXNak4s0Gg~6mF6G}K38^r1Uypyyh-^HxJeo| zuQ)#fRw+dr^KBkCYqXw`zesYWQiahae`8~3uj{M`>2A4IAaiM_U!4KahmehDjJ6-Q zA{3c}G9^AVq?A0+2%x8t;q^x01S>*5rCI!#BX>43|AKrgLJP;a29fGB04z^-_<>Mz zN%g+)pitkEMdMt9s++>;EQ;!b9{?}|QTf0bxu&mH)TQ`b!-X|X$~c!x?&vG^r6@2Q zYhSXEW<{R>=(zLL8Z;7fZSmfmexN(!=fVKWz06It0V-b2h7JaU4v$e-QBY&!;d!yUPGw%ZU-7OGw zIsEQJ?{gn=u`vm3Z2ha7gy{ZmmT%KVK3{F@_cr<>4nOmcw9~20Ni-I3q_DJ(0U(7} z_r6#+ccGzW@rM3xHdNgWK;~>>*PpJdD61V2|Msu(Z~f-CCEWnp?2~k!3^n#_G>szN z`&ckVpDX))j)|M`Ca#S)kzh9Aq}`o5X+oqB{RA069ln`)GMaB+MF^=?uGIO>9h7u$ zw~(dhdkUX0stlG=$jBPDeC2Ms)Hmk~%Nn(+J6vpRc^d)riSco~(q)e0AOAJRp>+X} zP`tkW%toJ%B!%z8OS!@%t0;Z*MY|pp(8`dM^HU02^2`xrs_wX`w---K6tGpyKeI971f}Zlzq)8_r|yKEv4csZjmGIRHi_rkntvL?K!uR7cMN z#CXmC^U&LdKd^w$10t;KC#2DpxuRr_iT_@SXZ3tT}&j zGFiT#(^S%K{6`8RfBpzSA3(q69&f^0&M)jEuk8wU*W~+%5r!M|PpkK_gp^ljhHati zN=b5^AwEGZrDr$+L&AR|+e}x)7wEgl9j@?|qI|>>=E;aJ0bUr z`fDJ&$Za>_Wm<<(`vEE#Jz+L=H?5@3K}_Jv%M_wl(iiOwHaaDq99RbsyTNRDB%^ZE zTp7f7+`RL$7$X@h1;zPCSUBhwQU1o_Q`*VdcJrG9h|K`Qro3yU^t{2+5TdLz%Qn)n z4kTw<%;%5kbFI52G!iSvOUbtsnQ8NOav!Y{TZ#}0Xsc_Ot;xf#4Cd8;oP2lGFlb$Z z3x<^L6bcLT1WC`!5~6P+ zg#6WqgzA?l45;z1qDhQmTEl;(ss@>R4+Fc0jpFd1BXiJ@@Nn{g`Fw9=4sx;Z^?IKa zL>~SeV2SP}UbFb-5H|^{b4rxGLFEY9{DJXypfQT;@~)Mx$-739vF3e`)*ksefPM#C zp*M!x5gkptA;(-NRR3V)HfilP$N7`hn9X%U^?It;UK_TN2Ay`_n3o`(x%?(^z16r$ 
zq-sT<`29m{-Ddz=QD@}bZNh>_j8i^-*QKX?mp2r)A{0s}y>NLG8+sOiG@S$pU0=F{ zoS+y-<*B@3;oexDQ-Or)KCJ0EGxcPweaWJ}if>Y=$_@=LB}wZqw=oo|dnF>oPVva; zqvm{DEC%xvq8lv;k$v&^-y83*m0WHhFPvdCX$c8^2|!CfHA{u)(-wsEL0EGh+RSKR zUx!HpC-+W4WXgZ(%55Xn@n+{T3!XV8Ses?Ta$^=*@D2rpfaY^?hS8Jeb0r$aXtZ}e z#FerOBmI^T$D*5P&hc$2XbP#Kx-b5crFMJU!TMeyn0^1^NI~S_duE?}&tRWRM2K|6 z%=f1f4VOh*XhcwZkFH-S*|82FG@N;Wl#=>&#!)#tAK1^bOk6bbZEpiGK1f%n;*C!# z;Ij4fIpJ;7Y^$04F+Lt;KP&pf+srQV?XPW!+@6RKYg90&=%5gB=8L$&pX1*KC3*QZ zWUu9VC>WxjYLAwKa+!ve3w zv=*z#BCow=WHVuFT}ozr!G=1B4)vJ?bEwmd`oqHkW7?9-!RGZ)PhB>N8+#@(_RSvS zMDM#_nHG%Xjs(Oq8onF9gCW1m0cr5Pn`oGpER50t2u=9t#toS0_b0p<)5%jJ=4+Uu_uM-Qm%(m zqzXNh;{3Y+JAOxSoajR_mO-!`iOWp_Kt*(2t2D~j)K10^3n#ozBX z>`h97+M9;e)dMa^Pu-ijOwPy9F!0qLOwGd zuVIgUMPqW_f27eZjotq?zyvo;njCwj<9CKC^N&qWxXfdtgdIndO*+e9bNqTEX(@%@ zxB4TrD3OZCulA>V;jF#hjv}}JS%^jw5X!qji25i#-e8)cNfdiVS%v5#&OB4na;`{A zLE!xR5Ib5%63y>|3AEX0OZbXBYq$?NcF4T=NI)q66HZTXw?sx|#%(q#v&pUiGsRlF z!?4wHb2^CI_GIQ zdI|$j>!T@%=?#0T_5zxxoI%{t>4xP;9JB2;=O1$0Qui2IP~5oMgbMMez? 
z|3Q>HIe-5{#7WEKjR|JCz{*`x3f8qoKX)o9b7 ztpd>R#85DuqSke702szjkJf~zg>Eb*pRv<_nOWS+Wm6H|IsGbeIkPHVevKXJDQ+Mq z&&IvWZd{bOs!OuuT^sHd@opPwM<_fXrW!WrkI~Wn@;-o`LWUisW0Ce@bzm-2LMo>s zX$V~*lKU^?kec9s{=RRlRyx2rbch{cuE2q{%9#y`h&=kzg~0V?FI@;+fB#DW1ii{M z-r*cw=;yAWLy>2it{Itl1u1;Vum_xj$h|KaSy&xdHA5DwLHgjg;ZdSZkpJb3yYw>S z_3<{Ju*SuSk7wJ56$#*XT$ZxRt21tx_W(T!@FX8yb zwh2`2l3cccn&%3@rhvTBL7rn+O;*qz_Qc!3T9vDa+_I-x(`4 zCIU;zeJ=nMMh{8xfW2WG`RZkWSV}rV7hbJ>*>H+;U}3eGkJWp!uxd%bir*GH(3gV9 zCRut{+qR$r z0oaJ;O%5{lp8)zgtXe;D*-;$6%xpBV-f4)vi-XN7icphx^^E7iJ_z}>hh5!bq>Gz1 zkiy@^5Echy^3p11{(rB_jzsxTSG=3XYWB}gVO>7M#hn7yz6y~4X@B3aW_A)e?}wiL z&i1BQ(ZvZ1PW478c9Vnl^^`f}rKaI@&BY^*(C%OO?gEiCR9~NhkUm(9boL34z^YZg^s{p-jRb!o+FllC zyga-TK)*YVn4)~lN}5&zh>=d~tX!<6U9;7O{KA?;ca^38%h2hfHBwfr#>T=Y3a`}Y z0&d@dYsnpY3Vrcvjj*PM4d!K=F@xSK0b+}7Mtqbk^RO$Kk&~Rk4(6Xg-u%E2njT-l zkkv>3sUzx#7+KBf9%=5$2Ef zY>#*Gm^MG^lBh_nSyK=>{WdMo-Bi5%+iHsQ@$LDNk>JK^_GsiOdV{5XK;+|>0Z7@4 z0HNEl(mEkX$3|z8`XbdX1X??6b8m4s#ZL9Qm_VF)ol@^=w!dPe^Xl-mShemQY=Cx& z0dw@9g$;ngTWq1-fbvx)%rKE;*3S5J9-wPrl$q2w?e%zBK2{AF#$EuJ_jm@@y#KYN zAo7=g#XlJs8!cSOD{pq6Ncm8Cnn4ulSYs1J=GCO46?gsPi0T?NY{9!P(Z|j_`6lAFDGR*wZcz#?iL$ zO<1+QH;939h?{~1U%NgC!#9z4xwg-&-H!QWEmlhD(L zmCA81{GSlPW!rmp?7yiOh@dDRv&SPU1(nvqvP0xAj67K1pel_?8mYV;7cNXISIv6* z7arXS=?8*JtJ(0E7WyfW&2%O1PDSWaf#8}QJwphl8o-H6f^~YiL2E7+5Z+p15L6Zr z@cJc8FzP_&oahfS<1K(#vmIT;xJ>k2dttUU_WvOn@vl)fxz06{g`2ZQK4yWWxcFYi zcBdFiPPm-_vA5%H-DLH%05Pyqd>JYar1-MVMYkJE?q}Mk+1G~;nG0gCmHlu%q5~i>&s9HQdu#`?5ZRx4d##2nQxC{@0$NL1; zD%bRYd17y4aUa_Wc6a&1dyA*?3w0%6Cg01zU37ImewMMzI7J~OH@|PxELFibL7b{4Hb+X zipc9+l#X*!CJSa}21#Si_{Uj=OVB#AKgr4Dz~>B2iB^p%$p#tY z{>=#Ci~WsI#~HFAVD$(NcPBEwS=s*r-wdacq!$@f4@suj9gQQm1Fs;>8fBkir1Mte z!q|x1qJ>!$q1#_H<9!5{Qe`ue$05UfQSsZ{EvDZF{jfLva9KbdlYyf(EJACvMOaoR zX6~i}e=~FH*ZX6o)!in3%8`@IMT*SO47E0!-C-Q)Yd4%iclWg;e>DizH*-dG)ojMM zlMODKN_IZaCX*2_)$e8u*cwhMRA)JKzub{voB+ltJzclLjXit$Gn=Lvs>7ClRMs-5hA%Fvj%#kI`vZ6qzO zDur(d-Be1@n^d-#gOHR=HvE$o5y!Jsqztlb498EuN%x;F8gV}bpy#k7!JuNYA^8mk 
zYKVNUGI7Z`FgQ*!mH_zOZR{q+?`|{B5tpj~v5{8e{A$$eMJyYA(27v#x}b8Tlst2R zjNfQQC;%I&x@<7{k7?aZgQ<+{XTL~#i?2z0p=$7%9$};I8MX{TrJHPimJV;7%Mj;| z$JU|?(nQ!v9$(qh^DYZQu>%$sr2w0p_g)o1Wq$2N%2LKw<#YV3hq0FS>X$Zj;jT%W zX`>iTi6!}(YWo4^WA$5(A=c3M`mGeb4L&>5hCRFJBP}RT#-39wUOh|YA=hMMPu*iD zLOfP>PdNQ%TpXgq`GPXobW6_+IN{0Lq358$-9{EKVj*{wajv2eH-*e!1Q65=VJP6) zQJ&T#3wgFa_H@uwSDu2kyRrkG&5uPwsX?W20#Ad^bUZ8)87qfZc$uAk27&R{O1$-Y}s`dR>GwEJ){CI#&Utxs7$u>VB z&lv8~KBly`uV(>0P0fO`Lki=}5xShgSDP6Svzh$krJnJ9ckY4`M~k|b^%Q+(q{{a# zGD?X{1JJLb^ddPx(ZrCY4bE6$BUdVPbjY_TJD_R{6A%ih%N84UX#vl7Qu|(g`830q?va+GR!BnswzVzi; zmgQqz-;10~c`{}hK&;w;AJHyOr&RxE!3VX?7I*z#t42R9>BBB_pVMoiN1^Y}=m%h+TW$Sl3HL z=||$!JbZ6lE$dm6#HI1FTd_Lgu|8DKHWDs8`J@4OY)YO_XrICp2RZjNBV{oqOOnQgfg5@txFlfq%hj?j<_M|-^4N=2z zeti@mz=CPS?muG0O)5#a%w@d7Vn?daH5||1IQ`PVuH&&b;?Mh13=gE=9F(1xXJVx? z3pW&Qego?M3`P((aK4aiNBVZG zS_2NIV@oM**7vTkqfF@vta_`vcr?k~7WX{70RS$_%(`JAi$!y`_+B#SMwZzz-N7d!G?O zrIR(!;?a?-jpjcwYTa|%hJxCN3AC5>YXCx-lZ;4^J}NgwlI$p2Gk1#IQ6Y_;cdy*> zpp-0kJR~{v(OC5!S%kXwCE%QsWJgP)HR18@ zefrCC+A^mdl%;k#s{SX?1)a_DMt z3cDv&t6Y|#at@rT)sDoaqTC76m7?Zzy(D+^n)MLYoNs?Z1q3s=O0-3&RuDq^1gv`Z zq}UO8aGnjho1R_!<1Kwq`$?rfCNsM4{el+ac{U_2*UPc$eTP2h(&uG*8CJb7(&wys zHndD1N6u$Zyly3<-%Uo$cX03e8^1OB;v#ru zII3(D#}z6Y$K$f2W?r3KGcD8hppxpk+zc@UVrdA(DT|Wxt`7@7Z4O{)q%wLfi$0T` zmon?d5buw+O=P~dv(v!o2Ojw~$%=G4ICI%UmDM=qVV9MK(L-U+rB-l;aYZ~7iVe#f zbKNzQu;zWP)rKzE+-(^GK>2lEDw5Vy_{j)px1@#=C$ex-;FKv1R)a>EbH{VhCaj5x z;q+%ii4(BgnD~7AZ~kc8Y@4`TPr}dYpNcCMCFhL@r}?8W`$i0n3~>EX2yqkq0`AVc zF+9LeKM|Y{v*xQ@na}EpA#Os56SdJGevT{%O@W%{+q;w<@J%=cmz`>`+{`K8 zh_F?t?o08)vpc+hQF7k!u#I-Js++l1MmxFzWbezVc4VDZ9P!4ic9bC9g}I-EHGMHq zh^uSo4VTS+*QFqEE@3=I5C43bZQ`{dzVtHl#3zSdZox zhKO(Q|HAP{+3^3bXYrN2Z}N6z`F}&Bsx$xB_*b95F#b!-S=ceSlIQv#!Mw=*=M8^v zaONT-TH)=#3#=nVI}(im+Gc1SDy|))oc|&)ON{4V`j^{=0!s^{hlJ|?vTAuQtmW7j zP_TUpcov*M?%?|G^Sj&p?iO&4>EO})U!mLZo+_DNPX($K;QY^d9@%{^Nr?7IL@1P5 zN_Jmsdbcklhp(kN=^Pto(j8X(4y^zbpKE~W!IAcOQFnh&tT^Z-XdVgA3sNO}FRjzmFihSNGJl)t0uwgBg>U#~PVsFrug_i`BL1M&{A9ghO 
zGq}bAM>hb(wi|YBj!+)f$}9cunu+c$L9H^Ih`$*Xvsq~d*2)Ve`rS3|E#$i2SaAAD zv^3Yf#hmOM2VU-X*Mu@Bk|eWgKC227LaA6Qzb&X)pPj*@iKMy1D8{TfIjC7*nZYCX zmWe^7n{4d>aMwht60?z%X81cNhflbhDD|Jn3ML_;`Yjaq_|FU9{hKBUJ zpj!8}^YNfs7i&kw_hQw`Cz#>^ik(Fr(pMJ+MN~D6iR?;^#atae>KA}u2S|d4_ z@YAo2J%xYLSvshc^8osh60EdNnhZnhx_DHK#TMZsd8l@tXZFFwjr$L{G0w0 zeDzrK4x=MCY?&-BtUAbhEUlJ>62GVZz|6*uTPX56$dU^skFa*UKeCddOj6Oo64YWX z=ZPO!$ySRUkw13;EV6#r#iNBj*Nxz8Ima8uxCWl&xrpkMxE`KG%&4t)!DjvwLC9oBti#l~qo2>=is6COGfyWb#Y)l1Ya8 zwf%^peu<_#&HQ7=3E05DCfYBxZ3IRJ5oGesR{tnJ-Pw}WwIk28xDQRh+9=0LzStEgq=KS%n zY3htu&_%iHq#-fdK98{I-|K6WXcJ$Z_1 zDNv4*TTcN*TV^LU6l8FEl4PNpN}+mdY(uv}MOI!;MI5IY6m%oQlt400v2#lo zXGdhX3xHg=IhiuXzg-QW=A1>0N~wqF7Fz|QyP+omNHaUP^}ce*hR72)vgKWQ$i}qi z^|c9f$A9SH5mgm?f%EC#coga`C8N5Gh`il&yYs}!cu6Qve1N_=c9uszCFWCF@$mB@(tngPz~?Ub)eNmMeL$*9;&?6Ka3>_|$%id95* zq+3P!I-Ej0=KyF|So3~((1ysTAsY%Tr{Eu;uyxSJ?f`Q+I__T>K%81{SQ7v^YuXKB z>4V5Huh}=AQ-7zh?qY*BKrKl;ey9z5c5W1%~YpDsAM|GXMeYNk=b)us3r6 zLXQs$EDz;PpiBCz4Y8@>f;VJEb&(xBE8N4h>^KhBFS2) z-m3ppsLr(&MnO6iP-htg^cwnE^J#!UncpHts*)>_^!GrS-$s8IAnCzCnLm~Oo`k}w zfiiyv{hf`Z!a$kdL4V(dBr%}gZxhv7M#p>Uf-gG_AjusT%meLY#IQBpw#bfA&KXy$da?5n`aADJ(gYa&+U(d>RcmYV1Hyz z#RzIBs`DIC5T52)q%3#aL~u6g6j~}A;;1nWiKkV#n2wC#g?{yJhbaHW5kDl}B0Rl` z*%8i5N5a#en_*sa8Hr@tO4`QR$>`rPo^dL78-4ojtnsu2oXSZa zMfX)a8o#fheEz*wHmF=aY5-Q5oZ4t1d+C06mF z5buw+h?7HkB|hPg1S@*%ubuIjAWEK#9qNJePp9cvXQyJ#yL6ik5kUZuQdbane|Gfc zm{f0s-g>ErL1%^f(b>1XIX!b_;6aTV6QH?Vj2_qPkZ!~3sMs(jt|d}z&$y6) zDuX1iNJiqa*jz@yDvt6fE|Gluvkg7xt|1>?1;7~c`a3CcVIjLm_Xkjm)75f^xRf18 z-_0tHG9dR#%7vHvqiq$LKIMo{X(uzY*eR(YC%K#4Z9b)$ymuvi*$mFNDc3WSjn;LU zow?g+Kl?M-^b*`HSiKo*-h!Xm4rcZYNlZd0u$=PTc5uFSibpJLUBzIZ(oMVQxQ=!K z;2cA{P;U+@?c|F706p@-DXe+V?q`j@AW${3g))Fva9(koM?r1qh97On?1|ZwHPiXs ze##I?Zo^uRY)e5*9#Q*(vwsV3a2VP`>M^D}W?`90gqieR%_$z~t1psGo-+ErS}+8H zRhJ6{aFhuI6ez`ugY^bg>r?Gi=!j6#B6o0MXYKLC`OOCqLbXSe{EKe>aGlI4yBDM`2IFTAb(A?3Duh5f5N?#N#_E1`b8^1Y~> z7nM`R!kTfe3{hCqAqs0wDqj(isZeR#+IS=`_9;!m>Sr@JgnY^#QHcqw=hJTd!+yYA 
z9Zu|xmEAt2fm8s1%1SU-C&HH5%_7wKJUeG^xIBKY1FHicYvYkmt+c5#Qhn+Shfgg} z_iJ~9<_BNOW?^9khmcyFsg@5Al}@!XeVN;d_YQ$8gYRIgG$ zqQesxi<)mF2&+{(3SspwVRZxMwqkB`klP#J>dk>}XEhsw%FkqDH-O60N?@e{b9Di( zo{oH%TI^6xs+H-&>Msm)mPBFo*2H2PY!z1T!rX6|tHs;RvzrXa(ov=;fe zbL40jz=U`{_zTw@xk;DN+pHuivnq8#jh&)=?8-`@Fl}W96&8g4+7x(>zDRgTRMPX6 zy4s@&^1YO}q{`XfN$>&prW&V7_g>C~2%N)<2dzP}Cm6x-eg~qvKYF~CE_&Otx^;ok?REae6 z2o`6vTp2zWrd$bQEvM8hEkQ+CE66Q!*95hoYdT%WsU%jP%yg@%6UC(ySk{e2jIZU4 zn@T0v9DjBSBF6{VP+%D|`V1;3KTk*)$L#lRAISLHI7+vsW6i5i;1RJ|0B{+Jw#@F` z^Zo}LimgmAY^P_+T`4Sf*}v%5dlLclG_16f(rGp%ccsjGUh%zS)0fcpUmZXPUYU); zR$T~Tmb6W+>iq+ty8e(ocDuq&1(IX zu2$>%1P&om+lPe@u~43U=laC^5K;>A$nGlvgin30J86+xo~!s=S;YHUGGa!uYGt0g zrqSn`${`-DPq+`EhZ=pZX{l7c|Aj|tWgb?Jt{*VYcwb@XXs?Y%Nl3t24*J1{CX(vG z0BU94`rF4cIkILVIA8mPM|yH&0VT%Bw0OW|U>~Xu75mns(FiS5T1oDe0P7PdY-&pg zmG)Z6&?^Dd@(1MZOlkP60djYSG<23z?zTzEa<@b3ucs)j!C$Yycr! ziBfk%@pQGkNLfO=RqAe#sqCr9lm(~-58O~J$u-H!63PNNiBCVsY}@`wzsPVKKUFc z_0onX`G&Q~=Mn_}aXm%Z@!`^9Xxp_{q81VH3O#rR~t;U`#neJ>=uPJ<(w$286`qp zK(0>|g*C;%IwHf`0fNf*-v`Vt zW@NI%BXAxiJkp=r@XseX1kRuK8d4(;z8d`|B1hdI2lAqp5~g0 zz*%T~49;nUN0-t%a@=VWx={tW;WX7azqF8hKTbxttT>lGthe1~bYcC8N4kNPp`?je z%Tbr6u&4-Mn2d1Y<+5qn0mcZ8v%>#>2`nov4U>)4(Kfo6JWFATm9t?h`Dc4KyP?Sv zl`hJ^FaqbipLt6CGfl1W+)f)JKOm|tZlc)!WigKe%CP`TY9w#8;pjf8Ds($mex4$3 z0D-D9?;YV$U~yrzM*4%;fRNt}qOfKr7l4}l>Ne?m#_5Afd&n^noSt8JQ$2qcN4H43 zLR@gz$&#H1#FR#Ti(2K%^eN}CvLBqA4>3h{fuT=6zLSv@3AzDmIp+odZ203Dlq||E z3FJ=$0VscPag@7~79K^sfm1v}W=L(V%9R;{i6L$ZIPdzEwb~o2*3~+X13yQ>>zlpoZXg|%zqsVo)Al^t!8ELbaW&~?dTmt+LS+fZA9H6o>p zu+1NBnR~l>Go2eauROpbwIEe1a;QGnfMGjuSrg`V#`*(5q34WH{am*hRA~NT9>uD= z0fhC|Z6}Nq_vx2JoqF{r{<5&?^;mVfkMc-;ECZJ%v{|c9@F*f(8R8~*8XmhEt9KP) zHMLf~Gc!@_9Chaa-I{o3rsssPq*hq7YvYshq*1Q;x+VWFuVVhcEA+II?l*H-*ps2(&(Mlyd zfQeJ7#5Mq+7%S&l*i@`q5p7-BI|*yv)Ng4IE_V%l14H-h;SnPQ>cF1}k0ORKxb!!r zE2zEh;1Kf6$arijR*Q=i!mcQdB-eHBCUB-6VEXeP)Fnm|&M!I;LeVBE1((%%9$wHX zxz<}O2$6|pHiXNJj})1Hq}|0SDt%UlFNRI}i@y)#pA}TSK|=NCM>8}(=bg8FB@!0g zoQRNL{fn#3`pj`2*(8f7AG3*?&t>&5T3t-rUl~uPGKz{3a*c&54gTtu@a>{{e?~wZ 
zQxsH(?_igWX$OttyP$F$oOm~n0@|ETyab%b4)Q3J;CHu)lVi-062@d;b$}}%|HXmy z!y!(b98kyPV$Jzsj7N*o6C&qq2GL;2=c8>x^`F_D45SFv%&e8-=rOWAX!@F}YPAyMerf82+bY)p~a`Wq!;E2WvU^#CRlUA~L8SKtLIjjaBQ&W=eqU zLiIL;kUGwl?uL-XT{8uoAOFJBX0rqGUvg1E8IzBrHNrE60AS30UeS7+4I#4iPc}C3 zfHI~CoJqg%rg_6mE0$X=WIz%?K)t_6RA*&it-^wpyi=lj{{Y1yMm7{P6ZPm&x-9eO zWz1#UGKBg4b{bwm1L!))^Rkifbbim`Rk>{BEh_+9Ladcourk2akch;F1+2wbOSf@* zP(#uExqxSvWEEjsg_C8O250O5&r;lEurtnpvMZJV0Bu&~7>_tW~Ip-e2i-d^4>a_$jPShnCEV^8RA#H4Njv4Oop0d=0k2s(45 zBXTZ<61-WQ=s6=i^+h+cL7;m_YemlS;XdZrIX0)*^W6Z|P2q$O`GtKk)HfueSpRMS zs1ud@2gG)Cv$EfTa(Sgm>4XtoQh)||s^ z}T$ZGT-FXi@PB|sa zv&z>XeLO{QT$ZSGVbxOSspu@f1((^`OErBfRyL0cbxPTz#%7c!L5-5AA7skl+^Y$u z9e)?CncEjOD~Ys@vKgzXTRng6497~0xVq6pJW{h&oT(ONv{`o@rPO+)=Tv!u;!rCF z;4%kR^NXMntCk(=%ueo`<(|g!Aw|QslW_nrF?RSoT}AF2|Du&s(i&PB5mteUwoj`H^>Rl%!y_a4nV} zd>{GUE%JjeA-}uLy)UR{V#WVYQT4ex75^%6k;S!;tFAG$<-8Qh0`+>5TyK+q?Fhg| ztcjdw^1E{__*wnC29ZPfS*-fk;$gMgY%5j@7vnM@e@OsP!>h1bxHza4S(I%03Dn}U zEdftmd1^qj@Yv&DTb?f1gP!qg%Trks+~$C%PCpt{c4IZX)~6f|D&rTQegms>-Z$vM z=aX$HsE%JOYU4Sq_}|BB`29fHrl6AE;Fc=l$?O`Wh(#rU-Ely!)oC|QSfaNp@Fud_+Jv9xPtK~ z|39%hesNHp=CG;$Riek|>J*~qDbhU~JId~2=lm0w?E_~Kr4OqAeZTT(MnEa0*jS|c zUlJP@FvcY+$yoJozC;S1{5@r?5AK;1M}W!oMI}Y#%?<#v4gvIB&Kmol>O$tddr%#^ zj78?R*{XS;VF#CE|4pJ|%(dVk@0)SYAk(Vmh zbmIX2dE?89{Vc4N@-sN+eb0`p!*{7Z7jyAkdC7%P_@>Y4@Pf*5fG_2aiQ&qUuf5l zFTMw>Beoylkvu0A35tznscmO*NTy@Wd+%oB9Ova7JW|I`We&z_cpBEccbFwIEh$9G zcJg!^fI2yId7E|r5sLSzs(%1?+EXu#*`ududHu;FZ2(J@y;$@1H7k$a!6P!gn?ia; zw5>wGn%8O;-9U@FS>$QyHmrG1HX85yUKmMG^-uHENq(%3pNTc^u13o0ZmFYRwQT2+ zK3pxVh;ErXbVmI&Wow8IdPAcPeS41E@qGJl6FobG(L3BV$}Vtj*v_MgSo5xHw4q7v zn#nNqz3t3Bpq|P~ANc_jA7?|Bj zr(;k(DxR2x4_`*{z?ra}vdaY;?>$V(*Np+ykFn;x=P+F( z%bvg}e~Bch`JGtve%D|_P^0+YP{VJ~20!?QiWYt>Mhqu4tPa>Cs(zPHJ&Q7!8mv6H z5-SH8b*&{9TzkNRm0CRi7e;1>ZN;AN{uhb;-voA5KsgjpeikElAZZ5Ha$fiI#$~;{ zi${h6m>tk8LL?VSV+%c<eQAn)fx2Vh;h!D+bOZ+t}1siR$=F5gL4+Q-VCG z3qZA2ALP+0QOXR+bF$IA{_ZWS^1~KUEkvT~<AZQ}>va@aF)?ot=!=T*@B)u>E)J z0jp^{_VGx~x&9!J#QTa>ZvGKUz@;o)wgcB5Ow_N!>g=MRYUzjNqc*JO^;1hbMNdg* 
zI0-gKYr?=LYsSlI=2SjjsfdUllSlf)^p zU(N#<0^LAL;^oRBBn@}BV6~t~ISQMwnzzGX!&mI$sWMl77^{^<;7q2tB$pK-tX586 z3jiQrgRoMNfukU$yW7Zh=exn(wu1EQ?1m7O=zX!~{rf;3k?eEbfR%#jq3#l;prS!$ zLNJ!ga%p?{Mn+b0<0*j17xyxGoRaXf^9^X3zSZ!tqT(_oq|^8ENG+Hq0~hW!s$go^ zi8b%6IvdjSLc>>^GtU4`wdBjc%CLW+Xs1H`}EuwO6Vnru8aRxxQaE;3Cr0OI937(}|_4zJV zGi~b+JW|f#GOo>fHLIJB)c~zqt5$Rl+f6>CwNr<6e9i(o;5vmPx1OX8d`=sP!n{-} z|Ng*qI6a;DC(ff)Qm|_M8*Mw6B+*`XouQSYU34q&!|I58f8dcxX{CqUHBk@(jY~$o zOgV8?A56h~u3dSV%J!t;1b`Z)CD9t`22XueqE-U#n&>_O@4;%6MXhdAUPeZ~K{apX zgh`WQf1;8#*1R{=+R&uQv7M~|B|Q#)L2c;X8XID2cqUc{Zra2D&fNc@MxQH{Lu!GA z{z~T%GhkDrRT%sN1=w16|PlSd?YoaM`z60MO^{q8oVJBY$74Qg>}w5g)6T965K zL8V!nnZWq}W*(7E=ei;C#n;R?^7=qoLr{Boqb-y$**EMgE^7$^R*p|(O8ooVDI?B8 zVPCXHYE~;Pp>C{wL@Q1tXRfv(yiD$ba3)r*ZMzNiNgzvF0Z2wCKFwP-QYNPo%K7EORFFFc3CnBcjx=FeUG=w; zRqn8bf4(R%r(xFV-gi%kD<#|8x*@3MJhYofc$ujA1|m@zol0g=g;d!ncce+Ba>u-o zt;8qz4zT=={i6F=Oq8y7ncVXgIQuv9NUs;=&Ovj(^eLo$hnP6p<*6@!-={SDv`UUt z|JDu49<4k9E3LkT)2zs+oF})pbpu|es|~(^i1sc2F%>3W>N4sbyupTw?;&ej075CH zWE22IauHVQ!@bG5HVQt<&yyy@&<)@6C}hD(;}me}+nLc`FRXcwt+ydk*#e;N!s>`8 zD6vuJOb6%UZyCdziIvIIv66w=eXnun>z_&qL-u(9^FS)dYOzx#aNbWV%CEDqKJx3V ziu^kBUyYwxrDN?2gEf!c!J`J|oQue7$0&>V(~mqFO66#|gX<4+^9i}}4l=!?n*}>7 zWr^-tiq<~t_+Q__GhsMZO~qHI>qp8VSld`RUVGFcA50)$7g15HHLw(%>vk|nKyn6^ zX0qTIz@(tkJXw4IhQ8J_5Y7$esEI~L#7@6dnZEICp3@tvA2FAdvK{IuPu}vm_BQK( z_wgtaPSyKBjl#aucfe-jm-+?$%SQP1`AbZt#w%SL4sZxvE*2U||0kcJbkcg}J9b?y z<5a+!wPQ(&5j3Ts1Zz1DeMv#9v0$3v8C<{)8cZ55tL!v^-0@~I!evhX4klgZe`!O* zzAw~V-zhVu29>gz;4Ir@*t8F1me(&gP^b{9ucvb;jGQZ$@*cNis9EHwZVI2!_eIX# zD_tEqH(E-LoGX;<`XM>(gS|Y;*Z0Y3tM>9JL2sI$_R?OS!HM25KW*_|o^B=5KbI?~ zqHu3FfHRkMB00&K{oN*G$R$snHuyrDb?ROoIV3yQtoOf?!eWEcjeoJT8v@G;qb=bK zCSD(X!_X(rZ!^q?2I-mZwxH5V-!(H4taTYUw|&E-XiLR5Ju$>hR$9r=$GSn8VZqvx zaU4QQt5RUY+DD67c-aYL|A}tET0y2^3Sh%pfy;10W5jYf={(*Ia;2;9LYXql$8Bms zrreQWmUA{{UT-J`nMAe#ga%+OXI2cL6r2^C zDc8)@DmYx*oJa(PCBQy3m6;rxk&QQ7Qtnk#|EeL6TyWEi? 
zEO?NempbRnzR1y7^PiSGW(o@eMwxPPS%@pu?exzT#)!$zc7WI*3o>Uwy6Cge^ZaeA z{$tOtgYGsr=t5&6)wqc-2B3~|w-I{>KTvmnDu~ka-SBAyuRy7gol*}jn zri^v~JsCrdr>^`bHV6mSy#M~phJ2%5KS4kLf~Y3}V!c@uKJW9i)%Tl?E7F^pgOa!R zizz6uRE*@gkaRaCdy~A(4%Ggc4Fy&dMnUofwH(_oRI@B7VrNcmK?OuAkf!gT__Sgp zk9<@f-Otpnm5q#;99(Nd#Mf-z4wZeyqnMh25DEPT5SvebO=$&)%}PLM{?LWHcm(qR z^elsrY89NG68{P0gEoLzA^kFK$}S#Jl0jah?RaQAi;e(JTX=@BpMR8!glB$YKmF2RxuZ~sZl_N<-QV*lfgJ(JIj6qo zktOyi`+ekl9&xdE*zdjH^T-i}yQ@>X|)x)Lxdwu^&rn{@EtLu2`Ip2?f$ddh(#tuL(mV=~mAH4hL z!f1TzN~jUk4^Z#MEuhsmZ>Kogq>8?HP;ZHSaRx#Kzs9D2K5M9GKc!)38Ce>qR3l@x z)+}kx(;$v|7fd;C>uS?SJ072^O&{w}dol|0@82mk29FM>3@g|;`BH4$Imw(vvC;py zIVr(JC&7n zrzjmTccPq20{b8_Rc9vd*4p~7Pec@U1V#nSO4(7U?)=%Czm{r9v8{sBb3Gp zPcdTng!D{*_;LTtNm|<=sk(-VBG2T)y<4SfFeg9L2`+C@XJ~Ex)u~#WU#d=nTRo-f zcc4VeNp{&yeL#BVF#OC>`%BOK0zWfVpY+VP@Uu<5Mr%u`*Tpuo%OekHZQ0VC{{T_Q z9Pl{I(h5MbCbNH|H1_IAO38=pSItQ#1nA$DTG!~6a%b|?A$A%}H7e!K(Yl!_#=y?f zd#&L97dM?AG2zsPg0r!><;;bT^FCEbXK>go9vx0&dQwKWbf_96O_h!ojk`6 z-3x#KW`6aJpvMDQ55bkZ}uH{S!Od{oj5hAPDrh?r4IpTjoFrf@HAXz=H60OX@XLR}XA3_iXe`&kdcR}4 zh>&9XANWE<`Y2guLS?Q4-1mBcY}o^#`m6lQw}XSmX27#jW!V@a=Y+=m0j^?iYydv< z>6H-OamE>$P_9+VHz0KkHdXnuu*1iM7F8C=j+5Xp^yKXU?(`4t-jVEiLHV-kx=4mE z&IY~qKO(Yn`)8{qVTZnF1oeLMiHM9La_4B%)DAXE_J2AH$Vz2foxSSsNU9!ADL39K zdP3hr9%OG?fTK-MdRUc28EJnqL1Q;kN*i6fz7mlG8(FfxC+sYx-p-qNP}Ic#z=%P@ z!QMU!&(J1Dc9XvEmwzfEX}#;8Uoin`Q8L!`oYO@3D#5CGeNZ>zo& zYlpKh&I;SFM3~$O8?OIs5mD9D)Uj$IHvK(66cE|)3lk@?zIT1QB4I#~i4CbT$vvK+ z(K_`iY`Eqot7Jk}4z`LTYebY%l3}f2EUj<>OS|zuz|v-)O@?vSqz8~A0sRlVhsNEW zKbiFoU^5_L{j+nL&&_z&L9Y2s;DSH?A2pxvQ>-5h&@bp`zpo6We;v{f7W(4+V64au z822V8u4gPkqq|foVBDK!-|8Go(8836$J+TPts+_XC#~XzWa)o66*GZMN(Wc6zIIHy zYr^7m8}`+3pQTS|MB&lxS8I!*)KCF53~J>hcP-!{= z%>O4Z?W-eC)VNV#5gy}uawDtOxgHy?&l~N@Ymbe=0z0Z*SRcaPTPY8yx-~D72Ei?V z_r+PMH326=Qt%jQI{=zOY`Esx4GfSLHIm&2nIz_Vyir8HI5zqz=0tfsf4aEQ5hslY z5>(L-t#=gVRIzneLw-J*pn;Z6PBw-e!YL!xcPs+uDuFZ}O>nGL#%A9npoQ3QU1`58 zGC9z)$;0Yg2mZRgI3axmwpAyEX-W4V3$|CJm_1Uk;j$X+8UwAAFf9qRY|3HP@)bjs 
zi?Qj~-($otPQ5EXfgRXc(V1BI#Crmw-X;8Ad$M4Af`(~H*cm8=yF2U<39;K6Zrz_yE z?DZczOeze@f}zN&9+Y!A7;Z2q3oSo%{h{D<@V-^#9_n!R;rec06X^zTJNN!2EuS6dpq#A~v`SC^A9s0btG7EBy#jC{{b!a4h|vGSJP3+eDUa8GRP+SdcM3u! zday;c#jd1w1P8+9?{JRpgMW$0y0zekihgXABQUm1aDlP?DInc`qWhQRmeZ74m+Pea z7RUDm4U<#CbeKKRBq-fZ76%Kg3MF<8@67%02q^XlrS$CRf5KCTLipOS^{GXkI(?Kp zjC^jvQmJGgp96#c#=ZoNJp)#8S9Y?$IcEpRM@i4$fitOmTY%&M(KPx$JVXPv|HDIc z2%{n0zFG@PiBm>Wi`7LLSZ*7=5TAwR;oP*R(z>9ibZX&7lN^ zbjv_6{|{?V3Mk?tmu^c?te+_K9l^#70kU{RsT%Ud$=iE@^_i9yb_7bSU&2mbe1yJ- z9Qu_t%1-pqBJ$I(jN-Yf?qSo_hn13oKU;3a?3M>r4q(&&Qm%-|{vANd*toT4QvBE(1hg1vV^EJPX8zSs zyoFRe%npmf=)P$JyFC6i`^KQ06KH8jO@jJJ)f3tN7Dh0x0JKLdjwLA8S_LU;I1plI zr&Jr1<$~|kwCItk-&m>9BU94~CdxUHt?X>L*-+#hYp#hFe!K~jp=i72)RKxxLxIVieoYWmz!vfLPyyQM^rOikA( z$~o-98PN7Sg8ISW+==ovVPOQHl<_|&0ApwTIXZBq<%La?8g>Rs0_&XuLa~?HD5c)3 zKjhB07tw~0{>Qz(BZIMix~d;iuVxF1?Wh+&;yPG%(LlZLtYKe2D#c;_5T+%tuj-50 zUL>1Z6LiG69ftK2OtQH~M1!&3jJ3n#FW73se0AiDr`>2F9^=}vmbE#t0YT=PNQ(A( zPP{%xivH7ykYbEO(0R6!H-wqMRv0}pwJTexp7mXZAQaS_;WP%}s`ecS&n~ehvGSQs z3Hs?)#v_jO)iF}K{wiL9dQB)O&Ak$!8rBa^-jCS#e*q{AsM96+Y&bld)*YMvxyuDa z-rWIOCh8Sdizr_2QC%>1A^oso`iFKCQ3zssqj9PFWd}mRd3^w-B2bkml@`@uMX^3a?W-mQK0o$x`XM%>bO#*8ta)nuZN;{SQ zcwcP#Z(^AzwMsuU`n{Nszc0+>Fixt8!PjU&|0$sDcPlz2myS;o*Uka0&7o$p zn=`&j(AWwmVh58n_Z2uDhMZl-5afJfr5(f#Z|?f0fXJY)5RRdaEikedxJrcP-XawcX zj2Tq)1bAlTy$Lu-D;wW>)zx=cdihT zv|5$>mPg~@tuSGMfXcN5Rnx62ndtilt2AyEe01YNz9 zh0_!>b4ay-h6kk8si9!>m|DnQBA9^|t=08-U;RsL`uF89IWR*evp!=i5t|^=2IuJ) zW782Qke@7Pr(=e!n3<{70>X3y)=qjN%Zm!yu<4StbYLrh0l8zP$Wy9mGZ2b(XyY($ z!!BSozg-1q$@u>ji3CjM`^yB7X0^k^E;s`)HeK>f=@92P-~!?JUlVNM*jGp1oa;tm zN9j6B=}ev(WK6fE|6+Vju7J#`4!r@7p=9WH2_T{aKw_AerjfDzv!-;!n>Qv}nkklE z-#9s~>PZJ<=HA-KxX?Sy&c9;Q-+39^VLvjSrXL%r?EmuM#+-;3o38s#r6a6aj49an zI>cSlZQ58l3*j*h9B$6&M@nTInntSTX&r)cF5_lezQ=a76ZN)VE~3DqfEkp3)>=y; zCu@47G+1z?LJaB$$-jO`P-_ebXhEF>=gN*q|G2B_6A?L?*nXp;Q#N_%EfK|C4}Bt{ zEcFr&7-3Y(IqcE?H*KzmJp4m~255to6)ZS1*;VK}Vu@j~j1;q19LF>$3jw-GijJc^ zk;0kB-N+KSzXw8$-De{qMX%;TCt2i*DQ<+pmxxj~!Ue4rBHqv};tdBgEP?%ntD5?= 
zNC0}Jjm>!+pfXK|x5;P+6ID%UqXS2MpH0&&+-d9$MY|2B6 z!YO6cyI>W-uo{RpvWz^e`y(Fa!>qn`#Ctt=MJ7fi${)KGl!lKnY4`H3m`zL`Hs-po{M^q_#l}ES^o9r zQquX`1T|E)J}1iA(&}&NXR}Tv*lCcV9hk`|{;LAAu4rkTi4clh(b9-0LTbk)jQYGP zAgT5b_F>O06Ja%DoD!7#t|uu7;eTMjDNIr1USS7rNj$Wb-42vEHfSf)A8!{H^)02o zrj~eM@q`Uy6*E8cRq!Cnm{)?TcS+SfQy3=~2We>D+ae0p1ocE=l&Y5(jiFdSggII@ z`2Q{wk>Y5x8mdlrlcGnR2+b>WXk=jj{3!+4^iC{g{j57{K*FZ~mhah#|Eproq}aHT zEoIiu=dZK5?S~YdMhK=2vDckE_sVF}t&In+j>kO5m@!`-;6Mnz)Yla59~iE0X^H!q z^v!{m;{kp9l36Eb9_@o3@3hv_9-$gvQ_Jz7zG2A%UsIsvI2@K?@wqZzQ%g&Dtgor8 zrA6Nn)HlWk+Ih{U#!fnTGAbsr#|}G^{dnoj*?y4c?BBz%qmfjz3&*k8J9g1xGWiUp zu{Z5zSf68WIL>xFx>fZWK{*55G(T7>pqArHVsAm*qyMd?d{{qzO+>L1Hp@9F_MojD z!fQR(0#h*n5Udu&TI`_Y0pb3oSl`0#Ch!vdJ3Q;8)E=QHug1@{ z$pzT-U%pg8)_u^f)eoE=lFj$Bn}6PJzSmzjKl9adwV;N6>N#xsx4+CkqUBW)#d;-p zj)5vR3QO&TI>W4)>)E*+1H?-kk!3_IFPqPfWzL|ce z9h}Lx^W!N}?HMxdF*iEjU5LqWiheK&6l`QZ`zEI;jA2~&k^o>iy)K|-TR>M-<-c*Y zh@9ATMPCB+$c@K!oZ{9G zL_}_BN>Iqq`H&JiqN)g3AW<|WtmGE_s9v2X4_jLkvgj+7w z5nlP)Sw!Xwg2*`9`k#zPSd(Q$-pK^S5CKIb#w;EefH}h88pKqNNelke zGkrhS4^i*OFM&!YLs~sib_S)@vTWst9qjobs9Q$8|9~RuPhsZ;w`cR)jp6LTsBm!! 
z|G-N@(T+|3u|<4eR=*@7t2Z|Ndzr*(K1#7M(EipswevirAMHOyb@v}1X&2NFunL1; z0@aT79oxW7UvUM^g&+I;E9X8onKxcL+!q^93Kv7%<0u7nqz9=PWdCZ|Qn$YVN>+2C zEReglfu1$D3ZaGi9M$m4P-x5*rFl_pN{D**w$-JN3hnU1IA8^YdAW-JJ!r5S#fUsO>mMihfE^JjONQEzVRLJvL#znOylr zf`(H{Ye>en1SRb$4>y_Za+W#1<>BqwVW$hpE@+Ps^vH~y&Lc2eF>+O zk>(hp&){(Vv$6xzA<3|6>nA;IpKMF$`S}G!a51AZtBa56bC@pwifHjVd zN7<(T(^B7@Dx+gGg=9Oq384CF@LoND^*xH2H;lb%+W;4nwL*)C@JWJVy%{edhpu3U z&vd7v|B4rr+nKzn7Xlb?$PA{&aY4PLeFad=00wvCe-bvZH(TBM9`Z&fNVuDgP4A2+ z0fhVOP6)-gWi$U!4M=z7%sO5z8=KS9$j@676xWb2RGl#ZFR_MVGrz$uyWK831Z(vo zHuKlm_t)_Ik^b1sU(WAQ?{BZd{>U9!&LKTjX4EwViPTL%QQcmV z88YX~tPNc7nI++ZjTP;&Y496cAiG@6+B(=Q-~RrF{p&kyq}+T4pH@rlWIRco`>eyu z9Xt_&0zi@a5Lvh|LKS4qI}P=)XP_p(hu8tz#rEm#F9)RBBY+7Js7h1~)KlLplm?xE z6#Z?ZBcJgc3Ws0f`3>;Gs#{S&|4F?P8@=VgtZfLPD(XG*f(Y3Me3W`WSR$gr>iE>b z0jYL3yJ=3(q27Nk5s^6~r~6Or4)xAwm-jl7ngMz%9@E68$tkrflxpKl>gJ8-gj4S{ z`>!sg-shHz5H2eK5Sk7-v^KhtuL&lakFtU2M(Yp7ROKwzg!Gv{M9xz5mat<)p^t*w z(;d*vL{{U7dTUT`1$~y@5}=!^BPpMBZatW1;27=9OQr0BWe16XguDy@P}a z0xu4ymSR0dy}e%+k*|rZXg4;z3C5Wk-S#X4RJM@uk<7L&d9n?#kk}wm@6|5@gM#%~ zNLvQaQ8|I`3Ck^5)U z>xDttYea-T6@-i7UoQu@nI0iV?tbT(sTK7Q=^!qH=uPmCv6J5BfAAcf3QwqD#;#gw zE5oqaxt_S$QN#_}xvWMOz?kp&MnEBbJJxqlujd63X{{-dbX#p;b;M?+d^Ppn&A!3> zNM6Rpw-L`V+39VW%{9sYcY-QrxBjh=VD+^v3F@m`i@-;)`S(>=>xbA5?dRL-i-&Zg z=zGDG?rC;|HX^dmx-9Gn=>$?NmSWRiw_iZy_)#}f%=}3U1XSodqL}`G&W*JnpQQ8- zW7H8i7#`zi6ZO@R`7ri_vjKmXMeCfp@RRaf9Hm%8WQe+P{>f^;*c>! z9+o`9iuAGaF!ra|+J=qkOiE09I33|7;f-Fw;woxS`bk!;=~4mx}JMQ$4qy8j5Hb`cjj zw2JM!Ck0=eTyY7kHN1p;a|r@>gv<3kq+J#SG-1ZmIBh4d_n5tMsT z?~-S10{HJ2L^NV}EMh0IxiEO=`vpMa2Jq>s2X-q^Y`C_(A)*b$X%^Gy#>h2>Yt0*g zv^*S}{vrL-(Z~`u4y}$(O};v9uSmP)J_CgH-Y6gGPS1#Fp>|rD*$~btqxEF*h6J^m zFJ$VHNzsPL+3ZZnQS_r1ij0Qqwl@IGE$i$NJrndbWMyv`aE^CZ%|Jb+>OsJH#CU3t zDf59>GX1xh0wO&(Bq$RK0DQWlw~HrFisbO2lTDzxKm0pEW4jPSp+!97k>$erL|F(s z71O_dyodrNZ2W`L>qOEPA%xbnQp9n8*u9F>B4bJ`HuDFUq;tK9a|uZD9k7{yYe_n! 
zuY4^*sWlR|*xrCt+Xr_)g;R#eIn;Y%fsI72_6NQ49-_X>Ws7U7`uZbX;{)l;$Q9Te z=CB_RP1vF5zt(VR!JO`}mIoNKv{?vfZ5}CFloTG;0Po8+2i)m?`-7C*c{(3MjqEdGHd^b<>`nF zdzUY%8uEKPg!Jzfb8G|WOQTf%C!?H4sW*2atblC5!#t}J%ONMvP+Fw-mubD#;M=8t zkB!O(NOqWAbt_V(bH&M5XDFrh)_)nHU2}0-)vnI~q21#AlYbmG^G6CWE=T7jgQYK4 zUXWWG+>E!<{s|$z+&!Z!Tcvj~LG%JXNUHuCAr#w+cmgp2o0;oo3J8Xe)fn0UBe>BX zL4myY4j;kg_6Q0j@J<5Kd%wcA=@N2T2C~?$#oDt5yuX+{cA8tul4@sP9AsQ<`X}iEA}znVxsKv3_VJ5DOlUqf&r@~k zYPE|rXBLw>PUWcAR-NjqPN{BEyJ&~ft4=wlOt7-TS7URkqm+6-SR|sVz7DK?PYZoV zs`{cx5D*qy$g?Z?FkM^K_xi}yiaE&<_Llyd{)K5>EKF^5&@WiUa~Wu{;d<>KjA|#axrU8>Y?%ltW7`JbL-w#r3*)Xm zOGPv~k`^DB+ac0NyEE4bT-bzO*vK0Pm77V`zukxydN^B^KX$Hw$j%kK^Qn!6S&s9? z^^krBmRzS7n?u>ND#*|(-8jqx6V~VG0uLqm1oVl=2uV??H!d71$ zx%>SD4JS%sQyd5_&xy3h#>{N;!oS^!$yeE7hwn(BR5ATG&J|EdtCX{mRIPwwy;9C5 z^rPfPuOZu3g7T&{!9TP0WfA45N_=3hBO(;~;<2?nLevBKG|1F;2rZ5tQM(mJ3yMqHl{BkYuYFcEe;j@H{!*H z>+jEVxx|#~51f06>LpNenD|fk5ZKwU*#t2j{E%GQjB@@n2Y8248+^eMu<*Ru}e-d4bU7 zPfRv3n>QixYBwh+wGl}2|1Vjj%;cl>V{##pFHTdc;anlMne!JU@TnWcFg#xbb9sT% z;N`h+1m#|&G#L8nE9n=*)Z>d6Mqj=##(f0R@R>z6OuhGI2WSWPSvG4@+c9MK+5`=>GL^!XMJe-1%bwDxmewfO+_FP4e*$3So^2mBOzy&;o5V8-uT(a>^ zz8rV3!%myQ7gTOUpx&>dBC^(z!Z(?St;&5v`e7!^#mV{zwtS?Z~XU8(lX%BO)ifBXV^>+n*D0`|4so#sJXuRRTifUul4~5+g6wg9JVZ z!FPW;3xY=!)9;)rAQJq<&DdNs$he@B>l}`O9A$x#%_T(t#LYvzfLU305>|x6+OFsa z$qk>l5%+hzeU^a8>5ttgw8YLx!WtR`QvRS%Y_CD}GTun{H-Hj9!rSs#+gPasAG=YY zr2*E`rP!DOURq={lhxr14_n!gO#iNvNuvg7hIHx!xo=N3;?WB8XA6jofTaKah3xlT zrzx$Pp2ZX7KV2mt(*HE2WM7<8ZMp}k9kA(tfZguKZf}djrg&(!fP562c@N%_j>wS~ zp7%4GXS`wD+@X0Q!ZmEh{MgJNI2#zw-sJ)!TVLZ4)H!Swd}&kUIQ6bMTVpM$XyqHr z`nga)8qf}mX3OcGcaw18ix=h!kssOFyR4PcK>8+Y+j586 zr!X3i_-xzh&+{1rGb0D7A2QOC`tG@-FBQ}|#-QBgLS%>4NJiUjH2CTYqx+=Ab!S%SMLnzf8Z#MWQ@dmOG#igNl(y49=ij%C|@>)$zwD{yCU zlSzX5QBnXrW6W14)po#iLv@qto>14-vE6ExYU>oUM}5dB0ln0v!1l2{aQz(6klcuk zE3Ex&e|Ha$E+enK%T06($p`Rj?bff515rrgZk%4@fet z^}eQ9FHp^mh~-jBA@}6ZPYUQPtl(MxQdi~Fu%nDz&EC2Ybm^R&A5kl@-dr^1DD`fd z3(GNNs;*SB`<(<0`@uZAkk7wXDW@VuPlTRT^8!_Uk$P=7Cq(N?6@4>cyi@P%aI)l= 
zKPlKC@6o!D6l@9V8}BgtUx)Qr_d|?FQ=bx1z|jaOAdGuD$Ag0w9YRL$#b%y5EFJxY zGM(``aWw_&C)Ohb*&|q^(p=H@zV42VD|aw?h1*VNVz!2xH>YH<1Mii;*(wb+Y&`-3 znr~~^6Vwlmpx(--M5MJ!Q(R%kNUNZ#QWj=L{-~;y(+eXE-X>mO`ZV#9%qUbKQSL{(rsc}WiE~}gNH}vUy$WAA(#}w`} zuz7}vj4MF*(0{Io{;X6lui{GeqFvG#=dEPL)1HiwUjclUZdBj z*Urq=sG#P~?4Z#Uwfjs_qg4I7MxAP&-rDlL6l$g2+A7&>x%$iyP(3zXTPykhH2Zp` zeZ86eKO5cAdxpTHJ7yjB{Pmt8WRx4}8@0U-?UbX_u35h#0U^z*TJBU+s=jg>-f!lJ zXnCr7qmSyl$@LUaKwVmEdnO57yzax+1K9L$s$>W8D+!9nY*fs#j2Y*lBM3#VA)hTt zQ1bgrj2IojHRS2jlR+s;#?-!MC+z@HS%wJ7A)7l@-vo$J6n#M0SP1(k4!W{I%Dza%VyaDc}VFh#vYLth+8{9HPFX zNZ)|X{Jzr!RE$km`aBU8`|5}~%#B9iF?rK85e4*3!A>^hP^d+a7Y$D+vlmdpL!0N0~*etNM@YuhkJMBc0w!&?r#OSA6>nItHW4iz-ATfa)P@1m4Sxr$sY zb)OGk5l#!4Wu6kn%y0TF9XxMcnRD6h-ps^?Vz!wQQv`_L^HWN#ue5F4MbEeqqVOug z@wA21FG*0X)h*2_2j6IKmQO(XIahLRe~Yz6+ke`s*S2}A_1N@pm?9vHZQ`G%2#8d@ zoS@cQ;Qz;D+OA+gaT#+&WId@E(|J+?}|o1YGf zPGe6wc+T2I2qC3_RCK`RBCtD$3citM4@^)RDrl%^&-OqsT(Di5-7CRHXNa7mZOf55 zEP{$ytM`DCRx#fOV?nsXa0SfKY=MlGdodcx7sxAij@(V~icQk&MK=7(fTDsE{7T9l zCHJcGuYF2HNb2w+G$=*qB7`gem~$?(;m5hN`HjcZ5h+>BNBJqn zln~!DY!l>A)5KcwI^;y); zYLz@VDj@{(A#&wIZiLOuEaHz=uRm>FrOk(59?OeO|BDfO zk*tXbh>UzOLD|^Eeu4PKL42)%?1rQgEyy z9cJeCGnCqI%8_!%%Du3DTI#S2DulGnp4gKKNL!l{PAS1gzB9^)m^DonzL=mb4Ngc; zY_|cq(hsd4tRn>Oh_fd{%i7oz61w`g7Nl;&%1vKQa*XXt`4rwdoiQkQQ&YIxKgnE>iPKg7RC7HV=?$DfQkqT}0rW@;~H1vTZF}!dK3l zB_eHle-ug42lh7x_lh>D9^=lw(XDEGz45w={sqS?Tx2j~Wt*OK(a-e3y^O)VqfKgN z_wD|iSKUZ@Y8OJtaJ@E1L{jbGj*US%Gj(%N7LY?g+Rv$ThsYUPtD{q0uex#8`8H_=xiKJq)BA0sK zg`y+CW2c6CmsW_jL8|*Pycl!OjwwsSS&BKZb6~h{Yd8h#hsvn;&BsNApT`9ak;}-J zYZ8MAkHVN?{2U}X1+(eu!|8|&EOw*iRVsuB^j+smMaUN?PaSikhw290 zCLtG_wSYdTFCOFSHr);`z^4Dz$xO7B>wR@0vuqe~yvD->a#QB68xzAaF=#xy)lo<69U0-2GV;z_{QhzWV?gu!y(Vytu5~*$ z^ZQR0(DJ!bbc`L#c5s9*PJAugbl1xmAO!S5sf_w{QS=1$z8JBs=@5Kl`ZFdAh-ixw z)Npl;iXfY%(9a^70qs^4aR-c{sR8{mwqMu{sk(vZ%=9%CnQy@n>?|Wgm)Re>P~Sra z{N_fiXnA1s99F=I)J_4zt>_2zJpp}AHLK$pL1rvVP^*F!n#~RlN5B}Adai)0l>B_$ 
z%{|S`eC;t{jP%EVd#ZglLBk$JKQKbyL+<&_jm}ip1Z2+>_!2p_U?|=TO;|{%oiql4xa(a_L_)+LFlMGw?`##kK4OzN(j4`6eVDDSQF3m;xRrXx@W)@nW32zk zO3;ZS3Yl}BP5Ol6nsED4>h(+#QP>$WKV=U}sTaXDHuJZgqO^>}-%HRiTS#3_v&)0; zB`E25+6Eoi9F+TJA&7T#lu_@tDIx+-T;JA^xthtqJVgnU_~5kI_XwmCw*z7pQtv;f zh$y;i8k3arCkco=|7?O<%c?5nyPQ*ADi0WQE_EPOo`)ReD`+BO7(rPn4;VG9X??>} zvGRh?RB!pLQ;c{_pp=&T(^8};JH^@5UgAJVkfQg1Z|kRC2STY*G{~-`+L|mTo8COM zqZGY?af-DY%^>m=)JyaKMky^cKDvxinnGjQ(9Z0CzbUCwG@Vi!H1e*U&Bk#lWSF*3 z$IA=*T`NUn?65YcFe2MAm3lWnCL-%fxWU%Zn#VW;QJ3$!B0#y8j^`{!A>g!7g!bTu$k2k7ktAcCvD3B@UYzd`!d~iV5W#-AD^L= zdUsCbA@JvMDTA?j<;3YCT1Ua`vYYH#k)ZmGZec(Q|IAWEMNLQ-23; z;d#Z(PkWfHlu<73TXl4@$m4JKQ15Nyxr+i5v%+-2uxOJs_gc1aqeoOWvfoZ*BO45} z8V3|J?}aD8EALhyiVDQ){sKiF8gKhaKMSpM+?ah2^458zOD#yw!;9}VPKoqXgBR) z5e@dmxogaQ(?mqBB48mI$rf_A9uJ=P_$K!F^ZjlFn5nqsIOnA2P7u&Yea8Y;{!F>Z zHaM)0=@SIR736;j4bPTFYPdIF8e<={mqzd8(&%=_gtJTIAocE?l$<=p?DpG^@7e{|ok_m&w*zjpL`$SjVF!%)YdRvY&q+|rt+$XK&nBp1 z=KU+oDHS&T&xhIDei&zW1)XhKG4o!8XGQi4hJ!ot0c`reuqXcYWUbF0J+Ia*sCAiL z>ueuwnt?MTJn#x_sZBu&l~QC;MoUuPGyaJ6d26NRz0wUL+0k|O3|92pN;W6A&bD?kW$K@Q@ z|GfCJV^}{K(7(PHo8Bo8f#u{h)(#h6h>60tZCdy?zHQ$b!;#W%W4qQi=0C77L4*2U z#q8#efL<7j>1eUS0fgiU@Hu)j90SBYZgO&KqMe}{gQw6p?BRL79fTLxlG9@P^x>=mT4ubZ*5;U!A9j>7p|XsOuSvkIkWR3Es8hTKo0;T60nKWB zm5XsbpHEQVu2?t?p@7zwDMe)m*OuOm^;r0C*!0#vD48E zN{oAut@PLjY`p0vYfadL&CE$BDILMrx$lT#=G`-nt=+T-fY}@TpsoKOEh430zf_$^ zDXp6BM#ew^o0&UC2uP}(o)(m9M>;}Ma2uu#L8-Q5P^!H%1#9)5pj12Xw|jg|;jyJH zaj;xm_n?683F=M7|0mTBJQ37?D3)pm{!z?ca`R|daJ?+HI$TopqZF>so{UZJ9b*L) z?t}GMslA-v8Eqe1eWW?t5|pxoEANJ}0t%U(Q-S|iZKuD?Ai`2Zr;}NbDYeoa=-;Fv)%q19|Dhk@W;qoGJ-wpXt#Y;oKgoJy9`)?_)Mos`BoLnv>on)G+x9n_%G;HRDp%1I<3afdAV`BtF zK2BD+{``L32j!>R<>&D7eb@_DwZQML?Dx`S-QUKaSN9I6d#hddPF~l;%0J5Mc4WWD zB#zkEk1 zUt^blotHm4PC#UHvi#-emp=o``a!#V1uy?SD_@f=f9S#U%AbbvH`(O}^77kQ`3IBb z*PUN}FO+xNrPX89@*T>$>uH~nw2LgwYG-McAyjBaP6f0?%9IBn>IeFh z$%sY2QF6ALE)CsUF7@2*p3H|t0R_Pddiwix^qW+& z}qUyLD+mYs-ju*{N9g6GS^rXWhVhv(=~2jKl+4!ZD>! 
z$f%Taz!^UCB&FnvpWJr)`@T;{3(4i|2sA3?Z2d>Pgk0WAY3u~J+}Q_5&*!-NVh%)% zw=5)SQM&^5ZYzV}oL#rOo+(xfQ1pNu=Wdgz{3m!=dPtH{LW zq_j{$T$(+NQmPcRR-}gt8l~A2C}cY6qxUK|RQcv|eNrke*b>>oCcYSR_*;N7`wkF< z$ZfN^(KpAa1oQxK3NbVF`vnAsU(%J0FNb;z$`2?7TWl+q6AZjV^M z9?*GY6C2j@m>C~`VzhwB(dk@|4Vjr?t?JF>fmt?`xPA!K^d#q5 z4()M^uP%HE*1sG6`%0r44437bgL3~42tfSJpnMlDXlM+|gVMmOrXn2|5NUP>lM)Ml zW>*c;>_i)-Mm5Yj9hxc(@hTE)AwRq%IFbi-Ayly z6vcWgIQW6xGa6TK!Djxvoo<9{u$edDP63hG&$=1S2iuPx0}p0K1iyUNZTly(S&fqq zDW%pAxQ2Q^9&KAm@e=ACI!a8AU|pGj$R|%ECVzmF0*xDht}AKaLZuoP^=OOhyZ(R)Q?Z4ZlO#634btwHRy*{nZ0 zcoe54N2w7ZORoCWql#e%xVd|*_IDV;{UC?514#7y5|mnL)O+Z@zw+>_9>x{27rUNe z^ATb2|4J~y_TlXuiKwb?Uc_59)p37Bs+#IVk@T5>{~go%z$nGcOXHF&H~0!E3TnBBVgL{z@PN|RRavIYi>Lctg! zXO(XtY0~QNyZ%_UH%E1mrH`=1JHvw_nae$qV+*xk2gD9I5h~ITW7Bn*cgs`M{Y=QQ zN&miEjsv0epqv#l(!ll-uXjq-k`tkLy+f*gjJta*A0i;OYi=3IEd_g=2yG6^IZhj% zPQYgVvQdnM?99JT)W*s(ig|1pKB21bb&=evsSXsmTK|3nNms9!RVin&cSkxTVS8J) zr*Dbfe-$Swtz(Se?(N}C24+!d&a0tOoP1331Tq5BYRHZ6t1B{6Wo%}?JW@bX_nfxFvv8VQ2pxTy&m z(i(+;v^pq@*vOEvV+$@I>{E(8xZoQr0~a)~L+4%(96B8-rIM!zNgV{M46?fODfxb| zhzh0Em9oh3OGA#$`uEz;8EpBe-Py=80#U>Y(Iz#mYAVfBLsh>HP=n#rz^Jp`=*YTpgPx!PZC^%tz$g^ew01#xl9kr7{ckYo zcEK#2pH!1bs-B>Vej=8A=6|H3s2%**sVMHXW7zd?i`nsWWLkoTQ?UMHnSOLQD@eN? zzFR~#;meyh!q%4k5BEY}T}a;-7KbbP!OcOrcM3x2_f?E6^|moFJkjf?kc@xUOTjnxt1}al+L1@=-SWsIh^L!PIzsULj7<(7+CaUy*{7jlOlc6x-5-11~ zV2b5ZY{X(KL>ijF2~4$Ez*3-f7p)lCUA~Y=-4>`j4KmD*H*V`?-PLt>*>x|j7x1=_ zQYhdZ6h%-e$YnxApg>y+&G|p)J(F_L{XajRhbEbM&;6YDyze>h`+1+GYswX%^1nq{ zhETXCqy0CdH6m=&Z@<1PAG-TGgP6vd%JC#tJFwbWx|NOzR=&@_9yhK^4NFd}9yeA~ z!Kg7BOC1u;V#SsHA3GDg)@_|kXKw3j*v77Q1l7x1hp6BHd!f|016EZeTUL*3rL$&@ zF`7N0LjG1N1v(my{z*a{`(YDfPz4=7!nD)t*7-+4K61VSRs2>7_G)qKn{Qpag+knqsv%*4`ya5`P+`KZGLVv_N5MY_6@`FD^l|T&d(Q zvgG4`nIs8+Q^3lx8rM=)fihYzEKBK2>ob$zUzRn>hlt*sW=R(;#0pd{`rd^1^GxPt{Hc-Xdb?G*E*6?{&B5Y zRrU3A-Wd98Fr#{#suSuCth=P$4l2d$n8}*~#l9J3r;@{bTh1&2`Sg2;KiUzt8TZ{! 
zb?93gJp`m7t3*Z5NnO(6xH{7Y>(v@Iw8kwRgaow;DhNg-pK>BC?DP<0einidfbq$x zRW>~fp?IF9YsT@$vP)f4eC$k~dG$ofU?kyT-b@~~ZnuWTja;Oc`Rvx2FnqsXlq9~k zoh%R&n8)gGf;y=l0Jdd3d=UoCWWe26s)4kd;Xx0Yb@XkjcZXl4qhCTri9%!I5;Jm@ z`oq?BG@mgS+1#$>5CU6h_2iaLHUYANOc4ATXHI+d0M@-tGoYydECfNr>1*3*flBUU zwKMC3z4pvT2lWWqwdgVpR2&t4;NIR0wT*{NawjpF> zwG%@1?fY2w(3;&igGY&}Sbww5O#hFICL;~^#=7elrEri(_sUWpC5D)eA;xVTDXPpX zc_m62tNPw}F_a`h?M5o4QQac?4%MmB0-mEkULa$qnG0m?)qeS0StB^?i0fjF3?Z>r z;;+|JTWy{51e6}>(P}$CPe7J%uMk(3SYS$bBZC4;95YTok|e}+;VuDfh?44H#Dg{O z3MxKO89CsId1A8Gy<#>54eFCiTbm@V8-oH0t)TN`x_~@;X>ay1=0uXD%`f#?K@bYB zV`nRw*X(f*Ol9t0jisKL@e~zT)JCi};SH<%)^&Kp#Ib3A^-3f0)pJsZBZQ zP7Ks1eLBJMuq$DCty2B8E3~w&uA?$y1J6-Rni5-#z~Ai%ubI=B3e|Yw3VviJ)&@Oa z#xSI5e}{*dcxoBMwHCJBMn3U9*1Sv01VmhqP8X0C$Yii!=e9eLUTw$o3B(WocLcnh z)IoBYfcypbXD%UR;{DW% zA|7i2p1ye*F7;1hJ@1XKmrmpHBojEO_V!}e^GxGms6~+*Yp&=$0>aU~bWZ2p|2tMb zgBmKzz5+Aa1q~QfFSB4v=YGm?!&k6S%3SUVs;98}ZLr~(wK#2|si}Ncr!}ne@Y+%nGu8A{=D<-h0zQA`65BgU9cX6KhnhqA=fTz^Z=czg$=6rM1dF{i zoi2zQuvP=U!L9Szg{-YE-y61J?S@1%2JAIhOVhD7(OCUAJ2+q6g4bX@Z)%PSb6Yb_ zKJ7lVKsmf7SF-1%mAo%I&u92v!K1=CjTJRw!i!u zJekk2+G3u^<=w?}sOiR5HY)a@=9ioa8KN%ajd_(d^Cjkj`CUM(l`;dKQ-Olh%Wo>C zJ#rGOhk|5Bu;IA1I4w-4<2WPCvN{mdCi4l4Csuy-G@s>(Q9iPd!JN|O%i3+l(blj7 zOws1c0>bn62gwduZJVm!I?Aa2KZqSFtH*=ugZhLUjc5LBN3t40S6yYuy0_*|9{FYk z)h|+9%2W;i*U6Y(D`kiJ%*H$Y(sB+C>R*;tBE%$WH#+x9h?}=Mtv)8!ujde&FfUxZ z^pOd3!#yTsiS<#0(1bbR?uiHLYB&`B877U1xpg(%oX9Mt)3IW@8GnWH!gS(#l5REg z_mLe~^?#n-u;$;MO_!j%$x7wT&$Ekwa^; z57=YUaGFVHhwNDQ_MS?Y@W~28p(O!sLm}PK1`^keQ($)5LZmV=RP##%#a-&Qw*75; zqn}0+;(t3r?lPrqaCEQeZ;z6&V9X9BNxX&-q6Y~6U6bFs96_Wm@)0y~xju`pt);^t8FT!B_D`u0S92!^-d=Jii97ZbT(qO z1+(y0GLPb`ItigVa7$1`p?sMo&z+WSKKh zTpRPvFQ_ivS*K9PBq19Hl?B2@)K=&4+^^X>KwkEN((B!{QuM! z>mj}S>hzyM`tCoKzN_g9ZTiVeKh^YR$noP#SLOHxhm`Cx) z;BMS}au7eKP;*Cy&x6(=QQ{+9G@JNY(gEQbtXdr&*V5Z5Hwb~oI@T}vD zItU?+SlN-OT(U+!#JV@1R&4(LNx~w*GLC%(QRMPWtmi}r2&h!nBlkiXN4wb>bdRzl zQ!cm=Ihn}A+A=3A&gjtrry}9QTmQI{L&P=0Yx+%|Fuq8p#;lJgmT+R-yGMo#;G_2? 
zN#c_$8^#Q*dk@PdmY?&d!&=OFi(#4Gf!E1;*4tTNb79DR?55f9pp<#we#$PW?DuVx zH4PcRdBBbmpTl|Kza~+JY-LA3*RYs3?zkqj)Ky1Q7y_35$Y?j(8p#M{RvOU|L?un5 zqsBJl)_~`z@$TlU0U3>NdYec%VtsoWLZP`}A-G^379W|}F^Oqj$J-xBtG(`56x#GXgHQ(ZZ`(s*;tHWj|kwU0SF&&%63+C8_$59P{D#r)!XA{pExDo?aFv@#pLCi#4bGH8 zoW%9BA^|0~L)uM~1Qhph2tk~4(WfLW%%M8&;Fw`auCHz)iioVG+k!lbyP5Vj*Kf9E z??h-zI#wEOiA=2L4NJXwi@mX8rP0a;@cvB>WNa@>63=cQ)vk**zvPa_9+_J3{_@FK z-KEZuMpMd$W-Cq^r8tAy1Vmg9O=LQ~Tc&ceMhQtnG#1%m0twTqJqDZiPG+*1zs-(< z^BH785Kyifj#x4GDGL_AwJJ$ycFy4Zxl$%vPI0*5J8Lj)uH-geq;J(C-begWW}-JM zq7CyXKD3jNkj2NWgZt6$J9mks?f|#Ku!eh@xCY*>nLLW0x!m>Me#cLlD)+pdseQq9 z*PW2i|127w+7%5C>p4fy5@M>ZWj{7vwpC%~teMT0C2@_ojdBdz&#{1vUyC4THr&rZ zN5Pw2&zpt;?g3*!?C3vPKy}rY2-a>wn#w$*mKEFdo2El9bu>X)(;-LWVGkr zNAGL`FS(>AMqIP*fMc{r0$8&R@C!)E?-_CU9wj~tLJ=3%^Zq;;3^Y70V0nw~0n_Zk z5#G0zk|h4&S5N!M4x{gpbd>mm@y@Gs*E3q%%rj)*MfryB3?X*_yBzrj${Aio_hQ-^g)HWZUMuCx>JP??m3EZy&^bd~tIfq#D60$j z#6X}ic2(Lziz+l;px-tS*ZeyKK)=qH^_=%gc|%;#B1t@#C6^)pg2`3#7&K~W%wHD zr0+Ob`eoPX?XsS?cnXhF;9H(kr6EtHvGr#FML6TzbcELg)vtZxrWrX1Q}z9XthRb$ zL1lXyalH)8q|+HW)Kqly)rh)Pnw{*bQrbJ0I42uC2!u9yP}IjJBgI1U*WO zk z+;k5oZn~|+FK)Wa3LcPC(y;D*VKUW%?_(xRctiY=Z_?3K(rW2+tX0BsXMe2MIKjZY zssI@5wCZ%M&EXSAwl3fhG7j9E!b#VcISuz5x?>*1>H)0IhEo2RFL*%kRF6)@yCI)hMv{4p~AX~H>YfT*%i%ExQAuxJ+tU@MYu7g&S@76F5}#d*UvN>O18YBZiihA0Zw%!g7 z(Jfg06puKAm3DE(6Bm_uHKUnyTG;F{nR|IE1DL^~bUK$(x@g=BI(! z=YI3^E%S4i`FY0tY&So%&2+i+Q&#uT3Re>s&V$u_uTQyb3Fic&McpQ`1?}zBJ^AZ-%DUhz-$rBL#(AX@w zMyB|$hnXl^5W41KGNlLFECMRUS8x)?10baxiVCM=We1-)Yyw?&rTJO+pGxyt-cO{# zx@&BA$^$K6cUMsDqy*de#HlNgRac)K{!hrqDNZT}FyJbqf^uAap|l7>C#|KkaqK;G zX+bnW6@s`E*DX14e|8i62;_rEbEg;Xe-=;Tk(RHJ-eUco7KGw-&(i9__7v--*~&DD zVD-x?wP>g(7IM!%_lgNpW_&m+Rm@GPVm=rRuq{PcS6C#rwbF0sXThgSGO(_}?Q+5U zi+kaMZA(P@cD4DIE(5Ke5v!0kRRva9m0ILB=5!S}C{(FG>-k(J8!tW>_m`n-x-v3dNp9xv8X0GgCVwZ|g z)lNoWVaXmJ#pd)Mp)`gr)ue2sD}buG+O3k9)OA{g^ zJh6DI4I$zx93>$9Gz7PzTfv}09vPGFPLdEQi+^rINZeeCv2J@R=|EV^#?e#ZZsTV< z!$YtV;}fT_Zd-cgO@^|}iRfa9@rm!ntu^i{wN|$WThc#k|uDYRQZr8F%gfTj?9Uh2%^zZoGQDw+OlZj#i! 
zO9vE%YeO8?Yj6db>Bd@wW;1&tZ^py_CuB0z8NLCC%794s-q}@?-!cM=NwB~q$nPR} zXawLn>NVBotL&~XMHmm3K#O}tr%X>$c(n!J*rsb5;a_*&SFAimcd2}Ihy`L>062r>&T%|o*e5~RU zGufOGvimm7hSeCBoODN>A)yY6d4}$-dtdXKNMHZ*f}ivV0ma88yR_^V$AI(Jhh7sshPbBOB%ms#W+;mE z#JYEjSsTwy0!m<6&x`-rfn+^vjfF?Do^z|sfyAw)Lw(|As}$Wvb%ItCjerb?fWtv$ zyM?%hdIVIghtoM<-5n_Mkye_mEg6k5dV3&09NE045GG%N-;j=XeZWQe-&JOv}^|L=JxVP)|6a`=>MzX0;=*odYR)Q zeX;gBgL?E%FxxkMxQRqhT$AZn?e(|J8#(VdIzpOeu)_AU5-=S3C?$|}AG1QQ^Q_ze zbagW8ngS7fS7a90oFyP_iKHY6@Pt%7c4rA!SL+@6Q+qeYmflz|kBr}(r-Sz{gGTQ_tT2 zzG_7#nx_#gXZ}=~zO`^ihv#2V7fPAN-%F`d)Uu@)+uK;|sn6yn$@qm*W`uuq$CDgF zi4UnN?Dm`ji-%r8{njzEdKxP`vW>+pgd_|mAKc8;SvPTI(XYxSZs|~*3IW*%Lf;t@ z`21E6hPaL=Jh4P3+=ZStMznxW9^PPZt%NifgMVy0D&E9glDm{u7RhEgZ+!L&LU;pS zGlw*nl$96{-2qUg%?${}_cIjzVY?BEf5^VSoIofZW8X8+AryaueRm=b#W%9=@)roj zpC^QrLII0u0a`9r8|k#@g>~K$kXcC`!+(Tj*8tGj`uOywI^P>1^N> zU*DeEKOP?fZbo6ZHbH9pvRkcWW&0J@y^UQ&4+4=je4|z?S%=Yl{>n)H)kQKHNcixr znpN_&hTPCc<>D?ihSi;T$R~8cDc=&jCr;jve2;bSirdZgKSV%v-#NpRLKay)&7yNY zHO%zejr1}*Yc5b5|906C*2WuOJw`vrV%=L|X4B;UsW8Zy61$taVw&G|M9_)VHWmh; z6szZ^6W1Ff1@jW5A8nP=E{c!2IfO#_mBxX)*lF%MBM#pJ&JgFT@YPL_P`J0Oo-j77 zv?HZBm*6#Z<58rCk9;iFQ>Gt3Vj2bNEA1$_mZji*O;!m7$#$&g?J8im5Pv9Sw-CLs zUSl;BR*F0RTgI^eYEnI7Qi)ivu^aOkRd(V*tmpmKB$;KB^uT%zZv4??0?3D)ANR~I^ajYFS}kb#in9vJDblVhKS5qwi%sl zDM?2gx$q5G^X?fVAkz(qxbBk#RM&mvNC8>!d|Smxc8U(?=Od}O<-}SkkE44dHe+Q$ zlF;cx`ADPFh<6eKAxpnWOf{pb=A7@vBjfI}lrNzhtMPX%W{jZUl)=SuUtqH)$aSsc zG+yi^B(VqXl*;T^T*(|WpxeKD7J}9EEr+1$8OB%lz{RFE7cTB11F3F^uXcnK>-TU7 z#hW-5Tg{F2?rVPUKxQ>g8<*~ZYV1^&wqMc zbcR$2mfm_;nk1XhtUK$0J`Hk64ir*uJQ2c!vfIanUMY&2l3ETVyMkE(&HJOye8A_Mc)^g&yFx0&G)8;!tv8s&Vbz(iffq46*(=r$0t?AWe7sMR5aL=j7{r&d>-}26?CacVM=F#B z#Lfno; z?cwlL@rhmVby4_U@rnP!*I$PHO8c+G`hUZ(`@(mLPrM9Y?+lMp+J7!a*Ml_cJuqBA z#skmW={z2tcoJ*gUG&M!=k3V1Hc^K)+gl(Q`z1F7gz#Wn z#2SxPS;`F5p9+t~(cR&3SgGbwuvGRAT^q(NVLS3`wbE!dnW>yswuO6z&WR4< z>N7whn&-E8*jv3Gn`rt@^P}=ToFdRxVr~0K^Q`2pR zbnBLRz35We(jTg`YN`dHK=h~>oeIa+lmkIt=oL!!J4O|qX`#P*xlIcNnx_7gSpOH6 zhSH}2{Q^d>J`WdgHg$x6l>9ug{LWe4hO~E9) 
z_6DYQ>{$lWnkjBRV^sYKrbzaN5LX^buQ1+!-p)?eL(X#OQuPPp_+mQ>@mSBheJqd4 zL6;mmm{q$9uED({$MVP^KFYmvMvdiBh?iAT4*0+hpo|=#V{=Q$0+||XX^z%%tmnP| zz8zX&jGW4laxpG200B`d!3Fyk_rwfv-1YS>eAmI@TS4rb6}YQp2FT+({Za`#GxJNB zxSkx!V1+SWry3B8eTLZ!!{>;Q5u=^F_a( znmzxJP9lU-6X>;m*G-@oQx61qAZ}g@40vUWxOp#eDfBG^;;y zv%;?)+2VkSaaTV!2G2609UdMT{}~Ue!ETzMC3G_#ec~E-16}D~v5jBHTxdDgU9Wqt zSZ06Jk6C6f7aw~eNr$!v5o_3qwGtL)cCd%C z2k*zd1w>pM2e9)kc$W7LJbS|}AoY+jZ+4QDQXMLfmKN$!NnG#WK;O(ESq=RKR1)GU z;OQGT2*^XqN!Ba$X<3PJgyFhN!{Jm1>(yn%wbVrg)$cR0X3H2ZAhlNFwQ8&J93#C5 z`aPxF;DQ-H5^J`jSONUpkg1Rf5v!~%a2Bqrm8`Pvb>{NmuQzd+JLFV4 zMc-Vk&y~cb-9x#rx@Tkc(7C_+)bHtzYV)h{(0p0#sGtM(wu{Y)`EplH$J!t&Z~n*`b*En%$RVwU-|3g!X(oh*#4)r0WKkCujKZ4j8@i+CTf@_- zfJ+reZ48f$%eN&7pcwz_Mghg&t!VG;t?P?^$C2 z$7_&);=kt*qV&U2cp}zcaSuT#l=cpCBUA|-_jD$$z=}cPp2~RcVOs2PT5R;TBvE9^ zO?>2&L^rICmV9di(bkAB;Av&WhsV+E=t3lr9pv^R%dM{>OPMq&T{5)t@c{x#*nI1Q z>ZzT6iRax2`PB=7=+UqjYqv^%^$0*YAL%Qg;CjE>5{R}gAJ%HSWrTpN;S5R=now!< z>m(#NzX@|zDKO$Z=8BxrQ{hEQ4Ug25;W3YP(rPS~ile8(gJt#PB;B8b>TVYzc6r1} zvMtdalWhf`Moy_G6Bf_jP#T`US5|+hB(8;5mpY`?_FgtEwOi;8`WnoPq0pjC|A-4g zZiiOGM@hIFaV_j4AfNg}Vw6w)A>cS3b`x3R#prNCNNNbb8_gplZG4i1xUxh)IzggD zj2`YJY)lUfWG9B#AMV`Z`cVvStl72?5tvW8RtVt-)39m}rFmK_jZ2eg2_8~GT$R1y z%*FWQ;dInByBDan(m<*XTzkY)=83i1KDtRje7Fal|3d^sl_oK97aKQY&6Ffb9K%{^ zb||e9>x-?#^#F+dMcG)dwiJ6uE)t^DN&}Hte-oFAPb=2nz#+OtgnCvI*DqWkBxW!WsRuHdIM@t&;&Fsb zA&tt%ShMXKEFijn%mD)}+uMUv`^P;Z>#ye#LUEa$*F8IuN5hC-Su!(&*^k@JA-w z1e5C1#_wqZH1CRTbbg=2dfx02JZfTc%hX;1O8lNKzm30RX93=Ox(TRQZH9n(lzRLK zcDyyXmx>l zbEQss8~p^#f^wf^MaJF<;7|P^90%mR*-FUPj5+|6F?QWanM%c0 zCJ76^sLy3b*$-hoPsuh7W;*(?1JNLy&Ik2{k~1;2ZW+pnOa!Z|Bv570y_nlkw+!7M zxv6d$hay9o0wA0m87Qz+L5(VXDs~6qq$ptvs$VBoGK2+vhQyaZwCzE!4TNgX{jCGy z!ez*Mk+q~0LTJEkqAcYb{ZFMMdA@gWCIcyIwS6;GK$fs8#8tdQ2s1X%G^Xixq!#g- zZR=10iSIP?OX!AgwLnCM?LOtGB|LN^)oN~|^If+U(+?2V#K0NPUgJMc(p7eszOWMo z0V3m;R@;)H0^+f58v;r4I!Ev*s4YvSSn;Ht{zU7I@oVWUEXvhvlZLYJ7QE8I1^N@8 zveUBB8Xg8??^ll-J=fa7>~Jqui?YSd)mCG^SEYvB+9kxPWM z+Ny@oT@?cVxwrT%2pPq6U$jG*Q4+Bkf67V{ 
z(P^ja9d?7eU@r)F!^%#pf!Enla6PT#s`G?su8VFuibuMM%AWz1L5vP{0}gSci~8wE0@(IFp7#E0wTL$_kJ^rM@G$x+? zK|zNh#8nvQCnm|3Uq6VhX12YapyPGIICqW^xE6}{5s)(9ib9;MCK+S;p*t-vVWG;| zy_DU0gW62Gs}8bL#&8yNn2A|bpi6WY0DqXLd??XIi04$Rt%qAceB?GG=K>+?5;tpU zN;|jI8I6U9Q2oC@l_`G}b_KNvlGPThdw($w4&Hl>2H0UL^xcTHX-=$_W@0_BWf
MT?f{s$j2>*+EA2M%@!zsTk=jg%@912O)P}Y_b%)c!nMwy2>DKC(Msi{6MoYr7 zkrV67Eo|R*)AfE~IK+UyWeSgE(SJq*W|MR84|YU$Decy!)oGW**s-tleLi2 z-U5}A^{l~1fd7PPIx)~pv(388%r>jU%rJ6LZ#`2-qHcC1I#24sdhk8=B?6-3?{Zcv~-NQ_Og}QDmu>}(MNF^?~ zl6cHDi50Bp8AHv)MP_1a_;#%4eLmDoeA(HR_^k7)#NuO_kP6sw1eRilIjqMS7pw&t*u4-z?X6{QQPe0Hntm4TFX-N5{J zdb0x*d1&gQY*4y@@O;122Xi~{o%$Jc>hpB9SY`DHaUJU> zpwJkso}4YK$H5w9lqjH(fb~+I39_Hr1XQ&%jV<+Sq1HF@*FdcY)h~QAeCmfYOTm{S zGrBwMF!nt`Wt~J{aAh^#e8O(-jDYNRc;zLmyFT&oNZfoWO2SegdNk4-Vy4R(%nQec zHD@AYTavx){(0S{t}TT5E$vtbd6L*JG8#R;<@Jv3k+~1ohR$NLxZ5jmGN9;Ckh- z)yROOglQ#ME5*g?*?<<^n2u0z?JTT&=ev32y9cX3cw)X8z7pcQbmq4S#3pa#f z{m1m-I;`iN91Ic})!U7}k_lE6jfHQ-%1)k&566vZ#o!L5S*5!CdEvYenUl!HdfwZE zd1QPyj9odNWT7mSnHnITR?5C z#oB!m-{j*g>Rzlb+`|K!MKl%`@c1%5JPfZ(oC;-E8pXG;;Kyo!Dm6~5mhquJgK`=$$sE}Sk0#Vh##h1Ul;&bJ`+7Kad0R#=f(zZoI4dU85e&xI^{$){y?9S-ra zmrUJ342{6**$S+?w%iC{7<9A_TLknD0VA>#GMJFhH)Qn(qhS)Ark+@IZ}t6n{$5$n zTYDpqn*4q8SNmZZSSa%Jk+R>T{Sv?U{ z_Zu(G1C?YQah=K#kS7*BC9aEcEQY`3I@_6UHaHEX&HmACcuMYPz^cZ=<#sd1@)`g+ z@jjNYBenw=<339_VHooRdRXG9xag*eAlb(*MZ*&B2if7ZK_ELklMO2}pq?kLDO4ib z1nvmxp{wWcos4r_4Zkm&=%CyLktMKtvRG{{!Fo{{{gXle zVEU(o{^0?lpQH=uX|Txa;FsSA6Y~wq18%VF_)j|Jh(%5dlIaS^dTB1`XwR_cqb(@WXmamsy;G{wuJ%p=&+#OT z!=mfYWX;(8r;Xzb$xY`s$XxM>>va{Xn%YX`h^8*xM)oZ5+wPPN5)XS zQ08pRVzHh!CbDW)(P}!eo|iF@M@l;vb}8+4tmi%U704xb9|KeDnXV`VFk=)oU1@$p2%-S275;;duTG$+9x?>|3 z7FMSz%}HgKWmOsr-4;%(>z3BGgEzlg#dnVJOKwnqC|o_h;RlP-$|)zT%5lz^T#Qis zYYrjRfJn*^V^e89s>H^M?;I0Uh3-d-omjW=`)Thfe@sUJU1eK2fJaS592fA!D7%Lj zSnvJ`+m6a*9))^V7o zd;d+V*^O$KX>On#!(_9+n3QKaQj{-I%EKL$vJfcev#?0dn3PRjl z!@75kS^II9&6fVP|FtdsPyeo#zS*DA3YY2BdYyH;_ZO-5UjnE){#;kl#+@C6lzU<( z*v^);OoU2Hv_UPPc6rZr7m#{DFXHe+2QyXM*WCqVtXpYkJG*TkCE^;fI!ep?4}En` zfpY{NFd1fI-TT6TE{Cbi>$gUpIZ5@ZHl3tSg6JUYISc6uhSMGOr0LUih`8J~)2Hce zgb5Cd@eH`eop4lqUUeHJ(*>Q?6+*%DtB}s4Ducjm3~C7zu0cM23LkGniEWaep)IuPy8_ zbOHfW5TpA@Z~**cl8|^dF@s~g35(hL=L`X%$YA5fc?_j{19APyDwyI4iDA`Np8-d& z%SKTQvDW3P843U@ldq_t~XW(XNuEKUoWsdi$`J2XQ;rP?5S 
zhJf@UPCbAhJm|C_q}ncY6Oi#*y&b7>Sv?-`?8fXFUB(1+jj}oncEAO6U`j$L#FZ15 zbjg9#A}SEOuaby@>iL;!XQ@Im!V=a7ZSDqAS~xQ_MpjQ$$a>zNGU-D5cN%M5uQ?Ec zDFu}=6?*HC@z+W^r@n%yc5T6Ro|s=fIpTn^YgCfJMl%$8`n0it(t)Ym?w^X{kTQDN z#a}lK-{R>sY@K4UMjTl8PS4~~qF1XeUlb4rR>eh`Z1HSvXJ>p=Ffkzl@zcbWebIr| zMNfsNC#F(8CkS4so+z8dqS5kKbfvk&YIrCqrBX zl|7gV{P0T-swcc1BJ<*DR)}XL>p9;{o$LU8#XyVj-?ynME&yqKT20 zDw;{2%ln$0@RTQp)o+RGudNOg&!RHPUa=lS$*c?gtJ4GZF|pnOyT)3m#oM$TPYjbL ztbTd!?>=$UE?m&Eq#M?)0yf<&3%*$5z`C^u;C@rGm$CY#@vj228d&$bQgwh{Sd=70 z>9C29f6z(D)xG=PRlO^lm6FwqL48&_ajj}&&0OEfnt5k|9R>B}*5FeRvx2y8A`be% z;(OAs`lUX^)t5M^PT|`?T-}Jn91cyEGX3gBTAQamF~8=Q=xEftz&wn&R$p+SINwPt z*js#jWG5l1Hgvl9uCbx1&EA}S!O>M$XiI8xupyJx7UKG-)q(K*{n3Nss{NM<33A^u z2=Z(fn***34wjZBfV3z+UEf@iOAeJV|qSZAzkQ`QjYhYcQ8i2r;V<5@AqAA z-lA{x8Y^*aVy~LJUj3fE;)&}y_G(|(tKYC!8N^k`UhV37^#FV2B(D3}tM|HI$>$v? z{{AI~5B?T^9d}>f2Hc%;vTN~c10HfUzkBrivg`L;40~?XPQT>m(1SLVE+8WfP;>_Z zJfL1H<%^paSwog`F zpAQ7k`+=UlZF$ey;FeM{ToaN6e6-ZYfaj=YQ*8qB6>MLEgAbmkyAMvwTWu4NHj9t$ z4UfS}QwDQ(Dy9vN#vZxBwA}tvZ;)>HxRNA9e3kKZ3k%xzPcG(DzgGQHrskIbdblve zRp@=v{3DJK*ApFd;x8WyR$DaVcbIHpqCPC3?42@orB>q6BbiiY>&_#ivu~0ZbH*o$ zZ*6=DhmaO<>Lr{y(;1CL#+emz_of@!`WDt7aPXeL3@|&&Ur46}8NE|O`+qGCL`z6p z{&!i+dd^CB)>9!%P!CHP<;;g#4NKX?Ro8A#=4dS3KS*{2AKgy-$Ui>kZmWPqWdR{1 z(d5%+NIYdgvk4*o)nRFxPdP4v1!K6suP$kc^d_>D$@$^|lkrBN;Nqp+| zR@*e5Zg%~j*8Gy&4?^gJy?8WY8?A8ctOFH4c*+R|f34wBG=Hqye4oRdt?b34sal^i zShIbS2Cm!LG?8}Jff6}*ewaZnIgQ2bgpgQd2-a+WO#=&&Nsy9}&pqovO|}=(1jL1e zN*~#2d@(FZ{Nue3qzP!rNKK~IY96smlcj+LyO#9#tIe7$Nh9_b>=J+DOcLT(zl;Bk z8FkTig7C{``!y?P?s-@_bXoW|{KybT)^q-|$bp!ZY$?_&_#bO`_^mu}h(&0pZJR|v zHh5uso$7@U7bRjdYPuy!U4D)j{VyEsEaF1m3OJK-QSp0S-7e;f-nthJ#SZUY_&%*^z2Xvj`}0Kxt1CqZ2F$0RdS71dTv& zoD)#uZ2;(ul5lsd)HsnC9YW`v%NTN=5XJj3N5$6+tb2DKup{HY=Li8S(p$hIZ5Y#n z1+1Q|1k>j;r(xfze*+;D%D{TwqF*^o>&$f*97x<0mip26;9{-&rA*ImS@%o*0A$~kRB>OOo^AvXq--B^iPvHC^qq?OM0BVys|TW?$4r=Rk%TY2AIxN6bmRVB%$LNW#` z7tcg?%6e9Y(~Mj?#uM3JGZOhgkQH5!n{ma>{{1Tv;N5 zA8ceS*VYdS2n?jVLz45vffgT5^alSbFt^+SY04AL(Y*}8rof#f;wIZ^;y{VfO1m|Z 
zp>*f10^;KJorHwAcb?nsX0z?#U((6+d*VRx2Tk5Wd}_*c|nWl%nn(6v+?|GV)l-Jx{JI|>3p9xlLqC8y~QVv+>g2T z7IAJN-y)XrE#mC$En-=rvqh|EY!S;oRW9<8ZM0z{p<`53JuTwg zwdvqQtkA+|?`;vwwy~fak>(b0b|b`nZV@YO2cL!HldEY1;XI&ZR$Yg6X?j!PEL*}+ z*Wq~B+Eh5p(Ns9osoYzJXlLH#Y!RK4ogq?ICEnby)ZvL$i8t>OH^ks2Phavs@shUx zk^^ZaWn70^Ql@ldFYmRwWERb}uA|%1nPl6ll39&P$NpL&N*+g_3Rl3dRi|c4Te?O#SQtC+drqV1&gC&>NYh-$9R|czS@sv zHrw{$Gj;@T#a-$YYopqZ8&12$U207HL?u8?|LklLD{L=PQn9Q7AbghEyP#}7H*vhT z*Ily#RC{7@G*P$0O6A1J&4%M(IubX{OlJ||jhhapgFDL)SUps3^gozx0yP`IJD83V zImVuA$=eTHO@8t~7y03@)8Xo&`kD>wxl?qxd|!7(!<{MX|6au*WS(ow>goTD>Km%5 zFs3ZFL)-$&YF_|@-0{R^1;LpLupJ=(j>7sftFa<%N5QpNvwd`tDgg6&r5dBKl!`C^ z#982iePs0r3+)>125hg>nIy6{tjed(9~E9(oTOuES(`YIiToJ`W8zb}844wmmc z{qe|wbfozuK4J6G54Fhci6y$NE*izfl;%5>UEHdoQ9l_iXVv$P6dWyH*JXd?n-x@B zyF}sX#5Lj^l~>++l0(R-%;;eCUB#K^qdzyO8j^Le-GQ2vLJpx}o|rN%leG9m zr&VeJV2z#iX>_sDe=TCq`m|N%$~9N)A*>#vgxGk31qfxB=FwRAfnsf;lv^A<6`mIa z?DR!Ej<$xU%32K%`}~A6v`Zrevf9CRcdx)B;~ydwxyKXNymP5xDm@2#=QYU2it4o|ghE@5k(X)>o`G{YV%dX+EqhsRcPggdxb;wrD3+wHuO10B>E1Rp-DV9dH zz2UTTWph=-PF~zhTFfQ$@On6PXrar9uAG@zJ(fCYx!%w#unTK8oyza(;fD(4H2gct zV;hdxu=)jl^f)?02p(}37kn7*g&+MM{Ed{~O6?*-C=q}32oVv&BRU6Z?fB8dG^=34=`=jzeO&PQPi2?Ia@)=zr4-rP4({9bfaj>J z8bRe)J8m%2up0Oy)@)z3(uuGrw>a7=)(__p3Tl%nugs}i2NtJqx6-}ASyI*_mX(x< zn@UEuh|cPJTSVugMJ=N9rWUdCq&}6jh)!JHB09?!h}rvEMCSq=-NSB4Tg2I}%WEm~ znR`s!bk{84l4ABYG5d46BVB}7WjkBM*`K$FWpoSM)*_CiTSJ5S%+-Az-34#n_V55@ z1-3j~0~1R34(56Es>O(OPm;s~V)h4q^+=02cNg?JcL1vvWhzfv#GX@~En?3}nPARt zzHAYDmOER-vi+3m=RE2nu=teiX;*UCIf>`k^e<$+dy-VMxNKQE3Tw7!E;x`< zjVedndVoUXM6Uxo%O57vEF^!MOZUx;H{9moVcDn z?m$}cTb|Z{E=y#xHn5XN2nE#rzPA0of?Z3xhq!>c&95FR^XyHGf~$t#;f7{gi|F*H zITNF?x>MGxIoxoX&X#ox?g{ub)_RDT@f5K=p^-u>-#=#hiz&?8OVk|e&HL&&o?;Gy%T)Jey7 z>8L94<~>WZ{AxSay7|aXx&UO(z$!0p3XW(INA776%Stm_#GWNQ*@l%yx4+;>WNRQw zA~{&I_3SG57vQVrDx$@;V%=NM%Dt18JDo!aBA&HB0BG0Al?I)Jzt2~?_;tJHypPHwQwGt<99A-5ohnF zv)5nHvG{9%fvgg54!rs>uLj<05qkz+#U$o0XkTJ)5qm~9Ce~7^iuP{c)fTa$!8mq- zkSg)!GeEkuR13W4BcD(eX`9(2{(_DrL-b#BLG=tAvvuHx6IP$-oa;rwhGy#|vFAXP 
zIH1jY&#$&a5hM2d3J!^r8o0oF@qRE$bmjNifta7lm!Qt$1vt7pJbblpME;}^i*F2Z zWwefc;e5V{Hn3O==be!Y&W4?dV_37j*y2Dz^$V<)EWlb|*EL(!H^=B^bN~L}`Z+01 zJP!h?{5aNUt;8F@AD9GT#V-oL}1K^jyYKD zlWSc~WG(07S&(i0*9CCN_QdE`7eGNRlHKAHdj{N?a==0^1!Un$h(7*W%TKa8Tad>4iwa8-V0!eSoh}8 z_uu#K!pSW^N;RTQ#j`@3tez;B^_*Ui;b&Clko7G3%XqK1i9EW2xJDcWz6{}ykH5-c z-P@YRBjcIgCekRSu^n|F=3f2v96K{l`*pK}*-iW(d^t^A3*gHM;;L+RFx%p96Xx0A zKKcc)4?cizS6e4WMljQ(YkVh2)=NJkq{H*!caH15EUvw>c=Y>?*Nbv2EFf`JA9kP( z#5Mf{&3MpAsz+(IcOSQ-rlOfntSVGQG5!G8k$x$cj$JOez8A6+FZHynPb-x5qHOvq zpK|E&_d1X=Z7$s!imK@!%G!(Ermce}LpWmD9 zbZ=ZzxIwMSr;<$%W7d2-3j_UUK1sBie4~5NjId(o=Xmn;?jqeTKlnWSX3UD@TH@QbiJl!o=ZuQ(o+6W5?44u%A*dq3cKWPD>! zl7Oc*k>=aP$=ZEVS!hHBOo_Qi9LT5cn2`N&UuFrWd*9`Fq%F$z#NrhkJ1M(qBNsXB z`}CBo*Gh|I^|(*mv`?r{g;_Y#-?J2>-+ZUmIaNP6gYb`bX7 z2?q+U1K30ba1;XwL4{?tEyPtA6D#cS@b>j^^h}kN=o02xvIOzSXirNLSO73LSk}J^PN0n*!IhH}wM(gE91bb6-1BYGfovn-D_GJtn%Du9T*>PC`}C zHJ-h&8OXHPu%4$VrUC08kAiIeE86T56n+4(zHpR;F(tjXI7-4ktmhSv;1O{xVZ=G9 zlQ%l2KT z2n3x3WKzFRy_y6(zW*dWRn^sXyn0u?Ba%o{~# zcx3)Fse?p%5<(gZAF-%Y!6Q8nYg_zA&}JS==^#)(OgjgnuTAz8>qV#-qJ#$uMg(w~nR`EvJR>}1SgXgX z>BaB=LI_cYVfB|BWe5)KpOlGp?zX6a)VywD?KBqD>irHLnIlP@CD7aOB;4-&qk~7< zKHmaLhEAB})(+y=PDX}U5Sm>gJG3UXh3nWVhVm^;@z{&*XI{dxF_1pOGh2}#fm3pR z+468fO@}zq?wReCOVpOI_I1H5MNX#&D@Q%dH+bcqZ8aB?#07Qgkvw6O;TNp5>7&B- zStYV#mRIh<1WB{t3?Zhao#n2{Go5EB>pVsFqhMM>)bvo|?4Un76Vv&%ABSn@OzuqL z(E7D0ayDyVH~X~`!k#n0x6{0)l>(1fE{2uHxyg!!vZmEh*W6 zFoOAOt76jUB}&~H5RGQcNFrb46TivvP|B>T3QVnMCr^|Oi%uD%?z1`>qpSo+e5lv(JDHUaAT)FqreWj3|CWd4Rn*%)lCtO+GtzK zfn%(lF+Vv)E>EZ^M}L7zAw@YMQY{gw=7@mQVHpH#X98K}=F_JL8K%oJ7!Ld%LN@IK zPH1$eNg(h(cIE*2=aazF{XhH%IgDFH$KS@biVj%3XDFkb{)B9=6z|wFzPCCVTPHZM zK9SOA`4=9Uf9;49XE^e{mCn>rBHP6h$)SP}Ermlono!23WBx5pNQ@hFT0mCCPC1gY z76F;Fy5@@ww?I35`=`zl@v&wAJO^$p9G6(i5?JBF>IkJUG4A*e0{*2+t>VZcOb6v>kT|TA!oj#!v2<9mUX;aD78Tr| z*+7N@lvL9{qqV|fx_9Y?8G(T#&M)hn@d)nWS{^l0F$A#;nV@BW^Xh8C;)9!TjrlloKiK5T)*uD5|ty;E@?^ zk3(9DybTCh5Z1Qhf8e$bicqjtIC>%%u#`sgC@$KI^`KoZkxQ4`TE!8)gDNcBe0Fl( 
zTiV$w79@c1^Izg5T95Swoq4SDDZ11D4``%$2aVH{bouT+HJ}KwY{5IyB1!nqM)v{gB!$MltnU%*W$%=7mS?;*5Y5p~&C<^M;kLx2E8BRq++wb~5GO^> zV-Xv}Q_}Go3K$hlV)mve#p2wq8XgtQs>+5$dd=Qh!~4>+R7?*#ZWYu0vfcEYg4=LV zS(l30O=iw1LcCN0Evntds0ghZ?bQlprJG)u8L*Ea;eWJU(1vG<8~pMOt>Vaot>Vbz zcuX^XdQ(QLSbBiMtgnVg*s`ZpOn;9an@XQJ^+2nb{wjsx(6&i;1uSiQOYt`?I25kt zDa^M-C9Kt{Ef)NB1PgVv=y0o8daPA+^!CHV$`3?u4Oo8l(w^VHw6|3(-H)GcrX%V7 z%``wMulIZfQDJMFlA&`mPYTGRZnJo24eh74WOXaT!TjhbzxGxQM4Nx>RrYT=`?r<- zYhnM|**^#PS-h2PK`8ohfw=NJx-TAa<@O?R<+e(n_#DNQXMX0<@+9*lJ@nck^Mj*= zm>0~>B!0bOT>ON9vVsqoxsc&Fm=e8@0@s9I(YvPh)mP9}Q#))EQy}$jfUAgJr@nx# z6S`x={qxTN^y}KSU z8LYqynPW!7eP~4!BcEzJQPQ*`RM}W$v!H;*Gma=7=x8 zZvj-G5+a6*EC_kXj$m4YSDwnLEI4?=OoK@b;;I50aGaV~b}R~5%gmz3c(fRpKy7jc zGiuVN$eCuVt%ImjWQR4F9>618h}^l;`;fXdQ&Y|K~Sf=ZDc;#N%^ zM_=(DWk!DvicSMLWz6%MqEkHy>uKo+1-cMk-LBq<{6>K-P%r|*$Pp=dmjL0a9oV%g z$ORnb(dV$?e&ZaEOh;>+04CkEhhfh^R(Z6TNS`Hs)=ZJ7+9%orT!neyFd-X}6(JKJ zAw*m`ykBCz&z*-5U5>fVuzBvMIH{T34+ZTMOddQ+2#i=eWIo@Zw8 ziVMQx%CJXhq^x&zM^T6bdjekrDwP!op~%QfgqRZ}%s8VIhnkgxSbrY+j8=+w{J)&> zJ)qB2aplC@>P}eAHxJUbJ)*mcoCKCt=^wCEsxKrXPla+L`NBLzW!pXxLZUs3Tqmnu z_G%X^)hXX5qhOkcG=}zzwUY=T(W5%I>o71<*Y}|a4iaT+T==kn0(Vvr>8qU#Ozl2B z|2y)9c~u)B=1!B4=$e`-@(T{J_D!&mEVkD?-w%nQ`S1%Ox|}k~7Sd{6a zb37F^V{Eru6i!`&~@cJg)s>A7DY5RlqIln1e%wgyCE zZuj432CN`u`_X|ji1T2+xW|DfCS6ilG<8$kW2%)ms$=@8QZBiVVaP|8IJ3Nq~@16`Hd%FXI$^!L?zKV?|$GzMHly{{Q|1y zoy2Se(b8x9IBn1%IOvh8;_4`tDZvFg5k zpMa3wd*nU=DZO+q4`%ncn-CsNu+^D8=Lfo1U?X??B|?Zac*pN9I=W+ZbDnnS@lm9Y z{Dpvs)UmzuHltqW*6bC~aIE)E-zOjgr_Sb@_rmST`41YB?3L;mD-u_6OZN(BMoXnu zm|UrIpX?P-rB-M&|0#l2N#j=R6_rw?fO+Td8r6xXBBd+4|ul&xC&hOkQLLi{^gbT|Mq7dVYSaydjzmmy_&t5Qgv;>QND&i2oV;7=AHX_ zG>hxIM?hY^5ACxkbWF)MQ@VE$Ja6?FJ3=1UX0JG;rRb?+6!<)rT^{vIi&yI-?hzOp zWLC~gMyh+~e#-KJPJ;VHq3qo#&|Xw23H6)Cwd@v9P$bgw2DUfcCsd{#!?icT@X~zx zlr1QbQie76x4Q*2UZ{(vsz)tGuj|BB&CZxvH4FkN>)ept0!!?v54BaguuZXJwU2W* zovbn0X0CY<)RqsPri@zdY}$C9GmJH9=5D%Zhd0xayRFa(QLcqxE+O_#=!QNOTOh;ZU=fE)9oYk2|n2QqC6Bdq4P{fRyW0_jh{*gn|RG 
zG2W*4a1xMYBRl8;aIb@^9x?9VUIAIf+J>%B=Ei!+s}#7_86I)|gU+NwDTwkScVpv$ zRBSN2FYMY{m4=Pa8FS=1H@-V|)m3%F#sitO$|`mf9e+&~(^9s6&hQAocIN!DK$equO8t~j zmIdxEC(_+)mnCfE?mh)T*SH151t}6IPGWYypGN_^&INW+I#O;dKqwO-bAJ(!0@e{5 z=;;mcPEuyRO-t-$P7>%_Zhl@w!QlE`Ku3}_Zv8Hp41@xxZWJJkP7{c{&#;@0Qmk_o zy9Bys1({dSLRJJ?IMB0UZKRB`(Yt?yM^0i+zeq@WY(@W&hz=;Nkr&PTtPRPf`AO}6i1J!DK-(ZSb zooWx-yn2B{chLGwtZw45)`rz1?YM8F-*~{`b6u$7u%#)wL+5-{ydCp3R>OAe+9bXh zXGR>ezoEOAJDmP=jkAfN)!1aOW|Oh8K>kl6 zz%GTO!0jUfDV3hOE%pi`jo(g@qfPbze-gv0{n(IJvL80Zg$-#PZJ&b;X&x(0Qf|hE zRL*`_l&cDAI;_}`7M!FI!_jgqdYiD}USb09JbyAyoXt9y*9;JlhFzSeSwN!tWD-K5 zX0dii2O%-847fv>c|l3r|Q?vW+3;-v7E=YaJ*7;uyk>D79AQpMW4E)n8n>D&(z>EZ3H zH2)GImAY3RU#W5B@JaKF!R!d#`t`4l(5r)aq^Di`wSYp~lh2flK?PTX{D>mGR>v&{(kHkrIt)6yAlYoqe?5-y9#k(vN!`}(=zx4l_1Qa5{ zUb9oM_N{tYtUGM=^xcWaY{QoAl{%NzM32m1n;5cK=#jazpf(mPb;dkuN4E(!Y>c-D z`gux2B*=Nil|}UUJf93A1l9)0`g(}dPo!o_BRzGEc91E&S{r0Oo97W%ePup-o}HVw z*txNbwTlr##{KbpapDAQNR^X#B(4nOF}4@6rHQm)LwfuekD>v3qUgh4=pmvHrPz@E zMjsx;hV%@5phxNl`ryWf^fP@JgbnEueYg!95`UaW(VMU#Iq1VR*pM>mg997VeY6da z4e9w~5C_E>Hg7w|j#Ff37h~SKQ$SVM(xdbU93|l!dX&HoG?L#zA=8|Dj*#L~Cn+{R z`k6j$L|F(Gn@fJ~?<^{+zXH47BmVdVHuK#jm&y;XFlj`Z1WPO1?KvE z9<9B_35g}_iPB>8ozBvy!U?~@>@EwF+4($zJjVJxU9}FgrI1Hdh}ZqH4IA!PjzN|c z-vY{2J-JRmv%zsx`uG@+yt*Pg^k-zdY?hwHLD56D)J&1@K*5p- z1#*w;U{zYoEBCUBq3;kv(eYlbt?o<`kv>`{AoEKrr0SSD!H(wZUO9tl4paNq6Dha> zkZJXQJfzWYOkFf;l+)*C+4foSWd31#~`u|AYVz%Ydb08f*LjUESJkn|L zWw_}xFmcyZF5jk z+p~jP8fxW#10<8iKz4bwFCMei7-yMPl3HzGtG4wYp0@T-b1(&ui8Xi!Ro|`cR68D+ zmW)Z`qUdT}k!3p0v6LR>gF~QKcHqU+Pw>`07E|vaB*1&Mvk(^@GDCT>p~%&N6u)+= zf=E+V176ucL>4tXKLwd1K1)Uv84udPt{tWJ9S|tisFk;NTA*Srf)~>z9kV)N*KuT% zfC4<$4vp|E@@uEgFQeSi5|oG+(CZJrbMC*%kTKEy&S5I3f!&j~uh<#(>V7%j3%_;0 zoCQ9vL>jRwVO&|gNkFA#k%5;}1J2lxaOeDOEPi9H(3$$=S8=M7v6_dJzp@Np;1#1k zNrgd+53(?Rw*e&NY#&6a(~2O>i{t~p-ymnM|2j^5>Sl*udlHE&lcEv~D-x!_H8ROk za}NrB!r;E%8ScDEfu!FQeD?s~dHt^-cx&Q5<$gOha`$cII~Vy7ksjDU&*tV(m~J!V z+P4Q&13X?l!mG8MUl#SUqzIn%H9$_)Fk`=@L?&{rEG^u;}p0{XNq! 
z(T0^?ZK=GJa?cCGe#1TcPXa1(9&2O?HmQJM*g_VNfV}d!#3fQxQd^R+A=&5hNL*zb zEU;p*Q>J?))*eDEJ*J_^8Rp;)riIQh@FA=}->zP;OxU2dJCt0ty+`og7<=0qbR{M_ zMRu59ev+Jss;odR?oo$;1O9G*oR~ik9+ zO!37F9fbH@XX&pk;)~G^LPUpO?ytVYJ}mZq30g<)0ngg2g56;zetmR11a}FAgKuDC zupO(LmZ6uw*J;=Pgw;AW6%F#w5P?f;qH?wAPTUs zA(|p*B>c2~{1xcF2cT=dcPX(mSiPH`kym%diDwa57W<7p{QvmQNPvOsMbWD3MGs_|Ggjn0X5MxuPx%u)`mop2r89&uR^GK$Zt7ddg}2{?mk-#vFlSXHys z$s;;6b_}ES^sHt1v`b>TS1yfy9`nj$tzu{%#1K(r9I%wJ(LT5=8C9x&d8{=QR*X)t zuR6dZQS%W(B5pzmG$>e$Y7hz(l$&4V@UWWzypIw>z}*`NK;?A5Jhldz?nt;81vd|cocZT**v1{ocIYV>#U1((4ng9L1so`XiuD-k*nCM=mqVa zj);+69V|QM3b0Q1*s(gP^Sm@imc)Te85`STRj%#oFDPPz^H}U?nt?bfsE*<3ya09dHo^$8T}s{F(U?cKY7??dgks2B&ZJ|8@F) zh8!>MNB8q6asK}3$ngVs6grKK+|2!;7rJYI7stcJ_OTdu5dUmByTJm(_uQxUQz=sU z6tqe=CJ5+`)r?hnlCmmQx+3>#YoMq)SVh^T9Eyd;7DK3?Tqk_2lUK@vzxh{WO8z76 z2~)|WgtAW6M7ppXSf>KYJTIgKsG8YrzwrO;$lUZzocN6?a;bXaKEFoH?LQL|^U9J{ z;TpVh>5Y_G!(dgZm&gU$LBDo#`c4YOSbai%0B`}eQn|uU3yP8X<$KAftEq1xSXWQq zi3&jY@S7je>M3%8Zvm0;N&yYi+7sTYbFtz6>psRe9{f0Qa}-~baQXOY4Q+cibXt*g zzuX^;KMnVv_kn;TM|X3>roek`EK`%uDW?Y{(FeGs113iOA&X*Z`)^%^eELY)?o&70DIV;@9Epi^eg()h4(4S{q@(aV z*xZnGb94t4A061p{ctbOQVp9E=Om-~v3iS=>(`%vx?Z2~Y$@JnJ!N7e_qBQ`Q@^ki zX&x))%sE@*1drhc1MltKf++f9Y)n6GkJ@5w+j9+>ev&eVv3k40o7SHQiKeJWZQ4OI za)}W0x~XudbKUI%a|Sl^V}vXY5oIZ(^6I@v`A5xB`tB<+LZX~G=mN8E`L(N44FkNa zEAnz;?V>aG5X3m&zKY%IVZ+^b9*@jhzmAiDrL?TxQ?lXa65xZ+Y=DH)KWq>X9iXgLK%~6$`L~^H zKMLugWsjww0^@5wNC=s4YGujbwBP}DLg50Iil|LHBOD^q?iB)J`UFg_P$94+woeY| zN@Dxlh$RNMbvJ)GcDaKd)Qm*Rar1?jl2IoOaSjlWe@vf=s{}OP-1Q}h&h}7vQg;@X z#>kzqn@3TX+MYDk4mornHNhc|deW+}&{Jl{03IziD|+zAv#=<1dQv*eZfxY1?Bux+6}Ym2UxEj-~r4AwIc~NF!DX zD3GL`Dfb(FJpU7rIsHJK1d>=_4&}dHy2rh*@W_1lD_VyQkXJXzB?wh`w1ei0N8`k! 
zp0Eegv5`y9>&EUi2$>@&JH@1}XXO5g?K}?K3Gy!Glzpxr=yqy*=!TvdfsNet>jiZF zZM7vU_!qjo?tpy+)^=gd#|cdI@CThmIiCoqC`6PDDz{T?MLrTx=X1|bSn!gRIHRnK zsboec{!S&20KhBEkw@Z`L!AccD*{OyZqaDz{jBt$szTjh4}+NR8Dyg1tA^ zJY+#cy0A<@(ep8{oLZn{1;h#>om@tD1d{G-km#3)^u+tH4|{8l+LUf^w@9R#Wdd?S zc+(1VCfq6S{E)@|_)Xf%Uj+~Rqp-Z@vwe89vDk``xo{8Ysrysxqt#b77WDt;ixkrB z4AQlecr}+0Pq2|Yz8`H?n1@#Mkyhvx*B(!)>dwx^jr}MSRoGu#d%RnsIU&<9Wchm-niq&` zkEgLJy3j1r`(03#C$2r-y{Z=|D%RHg_$Mmx^@bWOu01YR_0)%ZyYzN8sL1zdryC1% zZij^Q$E^xisgCK7#I?uM11V+WQ?yfcryS}Li>3KNW6)3Hs;d6ts%D>luX#P?0vCJr zzuB-h*-`0HFQo*#H5A@%X)Mgal-WS-z+UEzQPdjm2T6Z|1=0JvE>z9y zJDa{rn>xz^eIYT_*Zr=%0V|_L|LF&gUcI8%u@6PLfYsSt4iOKrk-NW{N74ME&}qfa zdhe`HsW8`2Bw{OHY!2KLC;IT50AC)kRhSC&s7TnzUDga-SlhK^PYWQtZyFF(`k8QF9!)=v90)1pSkIR|;;LQFn3;7uk9-S>^uKrEmb1 z-0Ba{(W|`JaCbCO-nnV1@CR84ZhB9+BC0lEsu0UFiAOaTg^B&umiw?F z{W4QPe%-&RAbOqONDDRb$WznaV`6vqW)ak;Zu03l(M;(GbZhK2W z6`oR$>%i1MX$NEVV(=;)+K&x)aubhyVo{tf;L^7sa93{%E!j;x1h}jxlJS;+qFd;> z62Ak(t1FYGcj?R^A@L)BjNxOz;`J_}k`zNS%bMfNfm<)kr@RYjxC_1FOD`lNlwe?% zeMN^*~?L+;iC;jrVG%xYeT#u|>t%UfEGJ>ke!@*UK|&h$Y7LS|cE<($A}zNmV(O z>XTMVgJ-n#{jpLjN;W6FmW(Px;b2mLlvZj*R-bl;ena=m4&{b`0}z?5!u+8RV2HbP z#*{~Q@+g`aumTdPFn6-rYZA3T>;wez%}zid?`(;a7&m9NfULo5={k9}ACs#3)3YY7 zin07Zx3aV5A5)d%*E;-31HC#5*oO7(zy`MY#(Y;{`u4<$w#nmaP|}&Xoz8mC-4-Wi z_fu@y^PVcq17lZ8gfy?5;}KVFpz|F+RNOnnUN zg&Eiw>i6qIv%t;yVcp?33TzKUAjUw!2#TL_=s|a-@{kWvk>wHPMWGm2!R*+~BeP~p zoS2g$Y*5)np;)jNHr!`-umj!eO#wwpYzWbX_UdWMDglY1TPz68F7&G{VqJ^XDCRw` z@1|vX)WZd0?e{G4UWQ(6C(9rX5=@h%2A6%udJJSL&ESsGufp3#N*z ze91E+;;L=h&_P};*0;f<9=0ldYny|8bgw*UMoXn@NU|8J2K(|MwtEV*#Zb_KP{1}S zqFWHEx!6ryP*+fUT3isWtqTe@7n8)$19Xf-?AUnF&c^8<6D|sEQ?MH5T@B(KieqY~ zrCY>MmIWc7WvfSARlxcdEuamdANIHklEqL5Vjl^ake+o^M6w{HhP%;zjv(kKT@39( z2vNu_>_4NWa=jXR#p^c@ZI$pVYYyn`*xf z+VU;Id&QMQ%djzgih7}cu$#DY=oDO-?#57>j(=ntog+dZytgJOP? 
zSbH5Ir0%$#Y>7HyV8CyUzDUTz(COgyx>wEydr@bzw{JUz-t4w>eZ6u{q!5fc3o`%{ z_>F3tlA${iezhG$vb@d06`o`YYIA&FSb^COBqQJA7NGo2t_BQzBYS=51IY+4!l76&2|{9A#D;t17wqlF-VjiX3x6)40>w=` z3HF#>==W;p7(n!`)BJRLle5ed+0a>sFBv8F;-)V;NnQFI6lGRrKwJX7J60QP*rmw! zDm%7p#jb{EckF7YN@H<`y|Ntw27tzPsqUBa=z2lw+?MS;>bn(|E@5E1>R$p<<3y}I zj}S6~WO@g(A*4JmzTAWmn%;qu5K_j7FK+?|7jarvC??KYL4TaKs`2gW zzNmF;Xf@V~(JD3kK;k%Wib#UUTG|QmJj&9O9O*4w&Y=1mWdt_3+U-0< z^sr;?uut0x5l{?{t{)J}gcQT%mnm6+yz#L`HwAe z60nvtIp&TpwMbKWaQkoVP}c0z^k3~Ep&$c+9~sz<~RwE z$D^r4TK$@U0>m>)tM{}uK%Rn}uG2Hr&r`qio=|e+tN_#);B{1-E-H zF`rNWDM0q5+#PZ9dp7Zxf5HA1U%~Hm-a$TujVcR_W9kwXW<*?>R2vR*=Fk;!f-UvY zgV-n}kUF8nqg`UQA?gnWzuNaaI?CgL?pU8-Pb3%##e$s4(>@G$My7zw*@O^rr9jY$0LK_sllTvA$`DT5b=r)<6Ew!BwrUop|Sed!{ zS{_Aj2!(?^))Eo!8Q-}U>_jr7S!An{X|7ECq*%!r3-D!T=vpf1dgVa@OG1BM{#Bg# z^+G$ODoxAT%A>^_R1H+zw>7af%=^_Eu6mtmkP~;TSm%blFQA&$6iXl_tr#2bcq5O@ z`!>Z%{cx=JzWsdx>FZuX2!)7}Mx;fr3#dV*%`K1DUrs>uHR%j?GV*4yA=usszFypq z?+K`(2D&Fw-+#jmYmhU;jm&8Pwqw^LObPotm7sas);I~=U5>SSyqHMOzs@dbli-5Z zFWa5X0ZTcgmVWuoE>USX9si2;ablj>9w+7xU&ldf^C8Q*YbR3STLPr7b;is$x5Zgz zWpfIBO481ho5nV}+uYTS^r(-Nvzb|d!KF8L-YpxPkaz}r^PHm4F(n-vT-j%Q!jjYQ z%6T#F;g2b~5wVeWpn*qVJ*nY#tY(2S7U-daNb-M#E-m4l7l1qLw=T{?KWzPvkjS(< zhdtS~AI%@O{?Y09{-46-RBn%Kh;5{+7$06tq;9W)W!n=Vc&6Eh3uqoT-hfM5&}f_Q zi##gB^B*5oPxpUd1CPwx!(dpL^DekU#ProHg6e2H8WD+ajgv%3XZbp?-|x%-q2Eg+ z=|44AVuBD&6n_;d8n0@fi>*@MGoz+;FT})XN{pl>YWj#Zr@+ATa+~?QMl=~JC zsd$NiFkCmM;m~OXRGLYC?Rem3+JZCO`2xy4AcBBF+7WkVx5e8%v!#*@4LxBCS~hF)Fj1F|%q{GG$Xzwy=?6th0}XizAYei9cA~>q^DFuw7B0GlNC&*?2KPKX)ZiYNk+}Oxy+5T%8vEn zj-aDv-8{eyJT_9V!b#m|)7OtDBhP}+>EMl6pPWOao9U?3F*&FxbSwxljPIk+qmFUF z1x$TCQ#mrE`w(3A`tj%OI3*QuuXuAWEcsnv1fX$S!d!P=QX zN;#3T|1BWz>@2LAvmLd~N=nVe8z%OsxhNR$w|)~V$nFe#^|xLE{3|RFK#a5{ADHyLqo>;vyb9~N zGhPAp)XYtkPEY!m08y%jkH)(D8K}vv*~DnIdog7pD$JMTge1VmuMcSZ4;2a>RBFnX z&D-D{ogq@jKLzAbpG2q=p02`rPdxo1AqY)N2{nsz*3je4t)BZAzkt&}rd?mhe9mKj?V^b`$BExExf4!9u=-07x+GXExn-*fa5Q#<1FBLgG#4riM-Z9NM)l6AF?=!nM_Bh-h+S$qBc z{l>2 
z^e#QfnOJupG6a^m=m;cGegqnQupnVjH)1~cpN?MwmyYIg9yO?M0fe$7?@#|i$ZVDF zglgvG3lq(nb+kGwcqq{h8|z@7)~0v9n#jHM*v2Kuf-c{p4FA8446yoyT!736H^ME- ziGK^or!`_DcUFv$#u^HwwMhsCx>pd%vrs@j5;!ZlF{aAm& zPNaNFob+drF*3W3xQE{AEGR!BIAM;7E_545_NXHt*>VxEWx0Aw9br&G_O3) zJiMN%^)TF9`}L*J&{LByKOS@i`uMezukc z!z|#yJ7<$&eiA zygB{jIEmV^)@BwY2AJW~hK%;<(?*+nK8_Qg`ZqfT`HUEs^p=1uN?%ESIK(@U^df=6W8Le|MAeJnLfc*N0iKU++J1RZuyMT`iYEK8d zd1_ujm16Bg8$xDtD`6UTzv~HkbWoy<@Z^`6UuU+nd6D^3E9Huqy;?!-Y2`+&zrY;f8-KnpY1@yM^$wQ=9SDIoL;81^@H8ZCXijv;5`WdV6& zLrN{dOsp@s+%-0G|CMMGNHnnqGkp4E)t%K^qIzhe+7ax*tVay@G#Jmr3xPn?(9zHe zA{787VCH3Xqi>?`Wd*M@$DB{diP*>utn1XPotq=Tr2BWpeS{YZg4daMUh%@ft{1{{ z1mx2nv*S>+avg1I3-;=4H6StE*P+d{V%lA|#JFCaL&?b6B?78ZZt&^Tu=xtlBWG;B zcF5d$G#P1!eACdOXFvq_68;g%KVLweg`Vm0K^BCjJ?EJozte({_%Z|mogTk~mX>;^ z$8Vz#fA>s}Q>3ok=b0Y=5+O9r?U^2Lqz^X~g-$EU9yR_%BHXTd^e2dS5j+=pmJs3t z&1;U?bdHc{U-%WgiOw<)8*XtekD>~d`(G81numhro`#vguduFOrCm`BBi24*L7iqg zK(EPG?AlXxUuRE!x(Uc!_I{kqGX`5~n}e=EiZfP55zn}0dcb)c3Qt(v&xZtL7IW;X zc)~S3VT~Hu_6svRt)_$e>?|P#wWr0nzDqmY z2JGlb^NuuxLgDJ;Gg`z|XEDpZTx~N~rtpctzl(n$1TUmJH}G=DHMHXuKM~^IN@sKp zu)Y0e2$xxa=0)Zb`ldb{u;ibxk^Ar}zBBXr%SIyp3l%_4norZ7%IO{mSTD5WzDZHe zJaam+#w`7z;l7T3w175UgbCx05v zc+X0aeeQwjKy~J>1o?n6NUmpOyW)hU_(boTpOcs`ohQV71mMVLtV+PqGb?!%Y51j+ zyr^C|$4;aPIy-xq(L4HBO{9XvV=0kxU%pJ*h;(bBB7;boiN`D=rN1no$ibfpNlYL_ zsyXu`I#C_iN%;M*75|5cbI+Mw2CRQzy_LAxckaj2f53LSXj5dnrpTFCE0ME)ogd%M zTw}OxqwEN4HrcOJJfx?}aFMT<$eEqg>Dd)LDssk%bh|1b9fJH(bX}6hCoXLDUNSav zPyClh3!P!Q!nv~qq@6L3kmN*~Kggf2m&lF{giq*lw!M^4_1y+xJaV6S)Xplhbg&9G zutf{|w67Yxw!D-g%gF|BY98_!6D?Tt%h~3IPg&^4Y~R9RmLGhsAF2eOVN1oXE#pPM z>v&ZvHoR%b=h_VSY|}3wJ34D1owyw8$9X>OLPbh?GFyd zM((J@yR&HnO5K82QK2+Zs&tkrS5b_gX#&|Urjwfw;m-4(K`h5Zh?xD|^(QIm?S5CbRb!Lh*O2BTm=r73#kKu;Wff)Vk{ra;M zBvXr=F|3b-2xornlzAF5jke+WM0%4RTDHCi0m1pSgG3rrBcQ--<bR3~Fs zhxp>1v~fbh?7=w!+^XS?nzSs?3+)jTri7&=GAdsQmuYK*;c4}VP z8*q3^1O335aNvqRy1}^aMRtE%&#b+6J;HAGw22OExQjmJQK(rNpzS8oz7Sykyia+A z7gE{mNAs#r<0KImzn0O3^iLsOf&=S4u@-TL&H3-d2{tC%&5ti6qlHDGV+!QPdg{M% 
z5;{HUrbJr^T)JmDkIb)@z!gZJIRetN+rE!xD%WCtxC84|_5yL`4rsWJHhk*sI4Qd_ zJJyxn=RK_S(EM>2NNjMgE$0*byy2w`p-py%1C9|`&zH|HqdSuW?&%cdjavD0N(^r; zPeyC)$;<^jkWwBM=mjx8_$_|^72llh@ zQj-cV_0&t`{#ui`wbB{Bhr8}&fhi%6e8MC1=eOfTTL4rJkKrcHg3X!zHe{i%Z)Z0R zg$}F@#9E=TR$td6`!$$7BIRc_! z^}&DR#BVH3aDW3TW7FpyX25==V#BQ(Lgum0DG*2#=CC*|^T1QF$!`QMR&hSpmhnBX z!DM5f>)R^c?=tB@)>%W1bIoDlY8J6@HMdjHaNjaVKt#HQuEgnJ24$Yxk`Wtd>|@}G zu2~u<>UvlL6ugB<{iX{@TorbcI6~9T>e4AgKt`A$7gH z93}9iH<&@B6Ey-#*xt0A(-uH&)LMO&xu!l&o?^dgwWUe(%Dr?}K=F$=U@14BI+%<+ zi;6-qan@8TLSpDs%9Wf}1hPZ9KVffl$vUmDv9_xt57|tlahJb}^+9smIVZ8Ou64G> zX80l@5ieoMs;2daIIKFGyI=d!LpCS6Y~m5pE}C;M5)!bCiu9m3CIKZzZlB?7^UwbR zE=&%q7}{?^NPP)jB?0TG$l(q`Iu~VXwpqU^PGDeop6-=<^=(=U7dChkT^@C-MPpyB z)V=Zp?^%NR@7cxLH-OR(go8Z#BOaMc-i#BnL!9%prE5Oe$bIx9&{>+5zYr2BwlFQ< zpA(qu^cr9Zz=p2PWk+WI8*x%OeTrOWPZmS@9fVYR^(pdSJ;qE#2&sIZbcmro9V|7$ z6MpT-Kyn$8&P`+XP^nN+oA~k+Ilz3<76okJpO`_U#%TibEUNTOC&&`KD`3M$?t
dD--C{V*VC63`W91r%w@&A8n;Y!MDysrhnB<%QR9|r1NB<@Lxhkq)}nm~PejtD z3h1dFozP{}_Mnf^q43_=c-Ky;aci)5Vm}?X!Uk)*%?<5@1d>KY?gIzJ+^aui%XjNV zLe!=30ptuP_9JrU5@Fny&QRj72tvvfmW!K$+}vM%sc#SdorqPv0Kb&USLW&k-kl|`C4Yd#luVp)9TZHz^`IMdh!=L@~NBcvu)N{+(Lu0h{q%4gpe9{h<5wLW- z78j%<<-$>(k@XMh(ygFF%|-CfZP5f|e)9+wbSI@_!=3s8k4(#JaY9#JQ2Vsc5-3oV z)w6qItbIFNzZWcY8trEHcj83vhK*u7cI~SYurVkFyUs^bvFn?vZrB*q4ZB)_-O_er z?cn*PSbqefn{inCHrk4{BE+~tGgMC3JPh|ZodGfI^r(0LgWL!D{Whcchf4LLMVv|T zff~t}BxyUb;Z{BZq+a!}IEkFFA%s{bcV0=URNH%rp}Q^Y{AL8YVPkkkx%uD6 znPYw_*a7HcZBd)J^64HJ(#t?Zx1`Yv=eh>}se=!Iq1i>66q8j*0Df@%g3L$h~SNg{MYw zqttz-fXtQv1rUXIh9h&6VEEw~5DD%znBcA%0#d_CYRjdhBp0`RhJeOr>fDAI0@Ay& za-77yJcBaad&Z|nGt6Lub?{K+^({7f*|F;z3ODtXx$V^r_|&K1`nC}ur?J2$Aq&EK zS~2bQp-i$#dni*Yw(C6`xF==^$bv0R_%^QJ3;}7JcZPr>#o!M<*(L==Y`BNL%T&*i zDgo8FbLi-mOuD?4qY%=odSSyo@ZC-w_U0-9i7TrpbKB=#2tH<2(h6!iQoxWbGtt!> zRSAR1s}co9RU&mg-NB%^ao=Evs1NPWJNxN$zjnf0^%O!LapkwzaKHBsp9t32J@I)+ zL3VxD=k=#Rr($%qJ29TMEBJN0F|6IQUF|lEr>iizr&%?cS)q2-EFCYPwk?$TQF^Gy zJFwyQy~Bn&8)^y?H5;+vzB^Gf4r=U)nl@~>Z%foX3N=}YnnQGj6E**zwSSL~s=6A+ z@imjVosi^AAOisc1~^=zTrxm}NJcVb0y{Fna8W{l00NPYRuN_(2tv}6ksPMSihx*a zpSD(8pQ2B_v_YxDKp>#Dig>LkAl}Y!2p7>1E|dNH?6uE?B+%!5f8Wph&s_Fp?X_=f zueJ8tYZa^zps?jY4Gwz`BXQ^o0dz}Y&9@u)BedFYDIRB@E6?)+wiWp5B^@<{KN*SV zAL1&YToR^10d13)KNm-ZEFs}$vF^Wd1AFd3E_j|)txbI{P9vob`4SEFCaUZ8=k35< z$0)}cz(R&bFQU3$>5{?lqfrkA9NGB%RZ1g2w-DvH9H*ha)b;DNcrX7;4? 
zK<`Uk>(>gPoFZ!8qa8A9*DwL}7*Rc8qbEZj;+B{@{urmR``95(%WoJgqbk@TSO%AX z612763=k1J(bj4+($*;!S#ws&ttN5f)Feh*v#ZM@)+@ijAR0*RreuiW+$4Y+kNyj` zi;`Q4GEHJ#za&mra|4A$ota&!&AFS?GeV5l3hzB<2W|PU@o0&iGqYUJieI4r(U8D) zYI<;pK4z2kiC+j%7Y$kp(nB$}GTle0Ytm}|lz*ogK>v`ao=5)3N2B+0UrA8Y|jUz$fx2|IqO$W?w-V?zTJOff5Xu=4(cjq8=)U{dDft!(`gLR`Db}QMm`|G zCTp+;SBIk@T@3$$?XjI}yA$OViZP_==YGx!00tKrAnqI| z?wr{@P{=5Ox11<3`HV%QGm%oy{(YPph7yyA>ZyO$4lPBQ&XAp`o?jTq{J{WM$iNUK zChi=U0LCEwokL3feH_i^>F?sy9c8i-LkUMnTFqz=Kx@nb&)JU zJ)iIZ_09{>`At4)D9B5sVSpF(+=PIAI)S^}Mqk@ZfMyKvi@4)G_VW(Veyhf*+-h3A zjIYzRtgLftm`q-p~%qWYzE zM17OH+%gp_=PGt*ngFy})49a>aDAP`1msvxMyy(s#Erk@lvq2*4y`RDG6o-o64i6x zIR|L5MF5*@1-FE30qUKvI|@dG(gJPX`8DfJAl7|g?tr5Dro=dVZF=Q36hmp7>M+&7 z&nGt2Nh+4+E|L(tc7!bz+Kw_T^&*yvEjKePEn;}1f#n?wF&twykS&S9`rxbsVl&ZB zy~AJ`$n2m0{}~x;h1S1}^^X@~JZ$U)W1m~Cp$fL#osdA`Zid3)HXgU@7LGz zc;MYb$aSSiod-L~rxuzjw3ns<=@$5)~=I=G0Av! za#Nl3Dub){X|L>fgOxRQ*IT84QBg5Y_cOn>gILFaqGU~Fcr5&>-Gin>y8HVM5kX`67fkv>_-9%-ZjL* zaCao8`=#oDsX|*^io@{=4o3>x`c=l(FAg`03aedrRIGan+DFZdquZTfld?HZBL+a{ zEU8+llb%7~TXFwXMe3x-*tgu;f5V)}R_@Vy&$+-&dl|)u|Go9!DO(NGFuvhB?7##Cz|K@?&-npr)=5JlG_3AuP;y6W)=5jup^Tb!(ozVf z)~u73ZP?Yun)U57)+FOX3)zaT~^I_g6;UbqMGf*q;N|prP$r#R|l`s z9iUgR1=@qCd264+%kVE=cYyZSU&d*TXIQlW=^@5V-t`+hXx}}?BU?380EoL?-Kue{ zQmO^MU$tk-8Pj`VHRE~4uw9in2){Ax1)h2|P75sJMt*_dx@TZ#Kfar+(bWvkS62(5 z@8J~73EGqj06Dd8wE(Djbn?a~%tXSK=SRZz@k>U$?(RQN`18qY`!%L%*%j#X-O0AL zJh*_N7x76>#X54e0I^w=(k82SwE(6Vp`7G?JjbA6B}y^GMjNSnjMOou;TGIFy{rz< z-md^CQCeatcvCe`a{5)z`DR|@yGa0n?iEBiF7D3ju~q1C`$~FGO^`j{bvYkricwQGxHCN;Y{=_AFw$QlKLQ}u9R`3%5eAASsJqIpREeftAe>Z}16NL!q5tF> z&n#9s`1AJQMvL)Ava5zDv)(6-H8e!y|Nqbs;UnII;vUzzpa9ywa<*1O`G{%o=5|4( zU5S;YfuAd}N+OQ{bp?NhdJada@?-2JRQ30bz1Bu)NyJv7Sftpm+bFH^?5Sq`?_HuY zlIJ~-j-j$kBa&1a{w8!nUr^(@Hz+`Q@EA@+apZm}OLx_HX0XJNu76x5uT9AaCX+~C z5YPA?^@XXbYf(BAk3s&GXT$qSPD-;{3d@zG3pU;hbae>l+ zx!m0%w>pS&d~Tt*wJG+8%app0+?|M`v1>7U!pr8KUeXs(*9$x)E#a1PPVCJmT}EM!yq*mJP7MC(lL|Lk(-?vCNoCr* zw{vrj8Fz3dK4o{d1y3=>C(T0l@yQk1uZsB&MiuZUlTZh3)mAFp_=dI9Y3!d|jAPF* 
z3R@axUG;+T6itkzdI_oIWO$kWc^JD--|EIM%gYXEvffO%LArz(YLSIP2J7K z?&d1RCslDVt|ZbQDb^MqS%9b>_|^ehY7INNRtJgd`l4^=Q;QMq=a@7b$@Hts9r`?$ zuw^Dd$&)1!8wvyZM3%Mz(@G;F^<4IMx$*aQeE3CJwy@Y8b-#_%g3+hDS8%SVun4#fc-}H@ zL8<&3GrW&uSuL9#PV(&_*4=p{KvKYL0J?}rLEgeGb`I~iOS$q%F>!m(vFK=ro&2+S z`1Q!w4$$6SAE#TwN7ooV?YG4au`MRv)5SAbPs2w;LwROj#`B+_!B-f13|Yt~DK}vD zmIq7~`mB=3t@0I9Xf9DMYUB2!r@)?HJAgc?-LsyNm7tRz3ijase%^Y*4tn|PwfIcy z_4*emWw1sw(D=-GAwsoQ@KNY92_Uw`u(Lbq0PW->NT>SaYS_zC9$1gsp2wcx+8(V| zj#G4!FiRRMUonSz$ZwnElWmG$8Xt~^Cd==bbgz6RiKUz6lW`+`r2LLq&ylZKSh_<# zdC^GkDZk^;)8)4<^2sYkQj+|RMVTdy#dYxeHp)bY@gUYk3>Cmw>;~c=aCplD<_i4* zCTTulOwd)NZJ`A?xc$T?JFabo$vdtSi}|Z_H0LL3-totZ-dBqt#Z22 zR$@Jj#m#Oq*2LF^e91&+Ns=5*lJ_OaC$GvUu9BR?Rf;cTp^=w)qrB2^bFe!JHxuP- ziRg=a<*Uw+OCP|#gZ+temV}!_j@ZAEi)_|zD#qr6`WnB|Y{=y~+}_kueBF4oBWkVC zCKfVgi-znB-~@doQJ<0O*_dVfmCKdL`FR1nj~6p)6``Q9WR;f+V8+dOs}&dZ)DsTS3f8tCz88Nc zKuKhx);f)C|AP*>)wCh6cZ=MVP7Il_omPwC+Zc@6{XAwa?GQ?@|71;4CW<;hOxZv(*V5m08u?V?y*D3_Rt8T zw6R|1u#9c72eGgvl*~4tu#$tf{&H!D z*0W>%F)umPm*s6W@+N94CgBpyilOtJOWnje9e)U+fvn(trASHFV6&|Jrcxd~1D~zc zTAF8&YDZs z(137sjX>1A%Zu!wOSS(3Co-nin)jXh!kX{T>T_!@*+RD%fv0wsqd@p)6)%mSSs$l` zHUFx?@?USzb8FtM(Qh#T{(%Afu=Zb!N8)mlo1To$w)CVD%Of;v92jtK#r0ZU(?6{vAE{#%GoA3wz?wchPoYHb{CyPZCTqE~e7onLVW zow+`Rvem{t%{n7KX*nvr7!5e+lXBAm76vlVvc##4SK~C0QNgOcT1H|Stk`%dFlIw;Y zzDGbW5AKBmhz+x(QTd01Jy?s`MD?h@#G&;*5~tdNpSa1obGM`bc(?l$s-1r| z;t2SA>iS`!0RG4l$>EjTXmGOj?;p9r<-$Pn9Pf6beCm$+mG3U>Fvj1Z{b~areFq!; zA_c&w1f}KLlmw=KSSWy3j?>^oP5qIgS7(Ivq+g*1EQTi8z{+1_SPeuV_e;w)GXl9t zUGo+SAg`0MXfP!bl(HBT8Tt`Vy)`q{}qetN{UvkL7_UcfKUD^&t$bH}vX zoowA`2TiGNw>zn?O4yyuZZ~2st`eYKXY@U(Jx#jmjK-%Wp7%Nc`Q3nX&V?OvYWFGu zXt*VqN#qHPAPv}r`}6Rh93a-+!vrtS_e+_ynJVtKmIMS)te-6vK#rUIYTnY%9nd?< zqwx%`F#(L&izbJ=nJj3ifHdF?#r`1PgM_-X)Ar|#aoysN+!BkT3fU}%>kPgB48pHS zXvi)P4zi}XqUZE)3`I}QTx4mI<+!PLR6evv_i~?GTmS6X8#_pbXUi1g<=HLLfIu{nOvH7nhh`z|3 z2>q+x4%&n@aT;!pST`)eSh#nZ0K_^B8>0H8@$%pYmI!d%-Aoi~c!>b7+i}(Bwbt9g z&;+etf|{TQmk1E(?~RO=P;c|sTpok(3{j5DgNv640NM+qArV9JXZ3dOrA_wau)NUl 
zaC4|TQ9X<5?Lb{m%oHHDolPghv$CFF?(Ls0K#cLznhyySKAC6Ocz#WaazFsV_ zsaDQV*E7@E8c7zz_ftv($wc)$RBwk$cT}5J9jEm^?vIxV>4B6vf&P_Rk-HtShuN6? zcPLI1$ZJ1b%M7v1yC3G_i2z3^>_D}2j3dJyOu04GYFGgotBDZ$h9vW^-b<#Ig za;s@ocX8)b8&N%(*lX=KtK(EYleH#|sGcD_seW~w64~?PJ$TPwC11`G!^hF$XV*Ra zg`U_j)0ux*48M)3FWl3?BB}wCetnMs;?Aj=;k}{0Ek%7CAy-xS?T}5}b;7YCxn`|1 zMGUKuFv&_M>dY+Ve5Ka!R{l^dn}m-9SJ!wd5QG2cR!)|C5>`%E7YU$UE^fDS`X4h} zG3=;>pp!o)4@ZMGx!MV#6GZlWwFu3hwqYN?T-4G0>BB|b{ORDLPUcT9FS=&_bmlTQ ze=0WrFXm5Woz0*6ar37&i@KOUQR@r_8LglEix}mawul=8WOugjkx_W?m`5anyB?b+ zfb6-jknM_ok+m6N8tkdf9*?COmBdZ|>(h*<&?HQQqr{!#i26&eur;o`119;5r9x{Q zixn-8CMs^2CP2;FKCnh4s^?UyK_>=MjBG6XK4JO8SFqqh8fI3+! zKxA%aAiJ`q(G+wA7`IXv#=T2j2TBD946kfyGzS@_SYy=rpG2|+lOHgWwC^ zH`qaYdU^YCzos&A+;@1QQF}TUorzAfM0$3jW5dwOLG@}#$FhCm&dD|s@hmMtZ+2>) zqYm%4$^?jgXG3$v^h$$-UCI>0M{EG{sVwD#HBRLdqIx_sQoE;D#3{F6>d)vzw%l46@FikCzBGfK9IZ<_l1FB$(wLe^?BkwE~EHQdudnp(s6n zulTDktN@#^UR^Xez&k!FhTq0g)+zG^s0v4`Q^ba;>G_AmU%rAxC-I_LSoFU*z+4Wn zI|CTOQn?)gR&#*;I{@s?04}t07BZsj zKVX>?aF!F%cZi!b`K0W6ztoQr_-;fkaFF~qr0MxhD+Qt!q>=pA73Yw)C(IyytoI3c z$=Ab6srO3)e<;P_t$4W;v}YN#x+9@(HJ<+S7@-`f-z@HNndYHxq;)Q`0@~h*fC|Dj z7DmsjWY3Rt1%Nf(YCLiFBXpBKL2Q_rPSm{5jT*l)YD{4@J`?x2KAnpY-^2W~+Ji>^ zPzykf=iRx+>h&}t;FO4KDdP{1gl^KuiVZWn6E*Jzqh_8_vpESs|1@DRCf0qK1Tdk@ zB8ETW2E4QaPp~)e-g~VxIn<|SZ7+K$gVk8bR(rBsZJ}b_^GWQ8`@Ev#5qG#kfR$-l z&#OFGhZcP(P9xTaicSaK?<(-XV`F*4^Uc@R>3r*LoNpD^nfFewXgBYjTEPyu(h31$ zsY!^qr8k=1J+PKj#$Rog%8|^oGP)_SzHy^od&G?Feqq-~_neu=JsI(O`zyaE_>+b2S_dd5U2g z{F@CtVTI9d;ijVQ|DoNlJ&AT7Y;Si0gELY)8AdbRjAqJN z8#&@0t8b0~`C11q;1LdLcsr=iCU-C^MAN`oxmYAxn<(=4$vhZ2^8YVWZ?O9kygEz^Z9pwTr24e{46Ve_|l%74AIu{WJir4Ve=Nlv+#UYB9vlqIYU}`y(z_pMJwy)K-sfuHjXr#nO!4sOg?-h zF(!SBIV149)m&5<)-_b*Jp>tmTvJC;q0u}04ZDd^WKY>Y9njIvu-N_0UG8QkVUya^ z%dB0*>vAi$rz>b$u7j|ghU8Iz}o&^AX@LG)*+GM?4fo6tIj-g8bHk`Ys{ zYX`Be(J&7}DSY7oj;&(^`_}xziQps>ZVvVHE8lBJhNBtcwWc;}Cx!y(*+e<3{hehd zb;@iUioQcajqROqH1Q6Y4G$p4iSmh-GZ+t<`X2!RpYNZ;AI;ovIO^xzN8HpGc@YWi4Ys!z59<&zD6o3)na7)l$g2s4`Vs~?~yG6f^sCk(Wqf+b27Ssd% 
z^Ii-ch1ZqZ*Li#($Chj@iHw!B?2)L)9$zBwcVPG_wksbs;}Sc2&;i=jMQmpZ;>L40 z1+JF3t>ex#LRRf(MW4l@$-&o%nm6x$JH#F{%%L9011Q;A8W}F>+u8q0#nMf@?r46dEI#Nka>4{O%295@Zm9??1rubFQThj#)>txg^riPMPE%R6~ z3M-#8%6iTXAUdsErV9|U{+5+bx2~AZn5T6N7mI<*yJHZSs|VU~NiuLjrSywq3|z!^ zTw)K>1R8161qh*s+Bz)fSEx~DDwZ)&yLU`y)b2vmQV*9g)IKj`sHOh3jG^`h6WD$h zr!;&tl;%DvduEm~9(7xz>8M{_B8_FxR%G!7(q|a^*8IY`;IPtgOUTK1-*1KjDAqg5 z1kighF8d?=&*Z?;aC7L(h&8E9fN--|w}*}0mE@p>MuWqd98m682Djabiphu1qYc`L zI}Ify*FIW5yHfzYl8MEh|Jm<=O0D35IK^mh)uRGtqUQZ&l^rU4=qJ~UKC?EYF%f%} z9kf>##i=e}-XbD^e8n8vk~Xg#?;Wx?`J^hUCpY<|rAbXb>0XmzAJf9)IagZ%EO704!$nRG zH|%qO);te)g}8AFCc4B+wyumyO)lUC7{C4ITuRT8X!W}gLXJ&7ses{we1M0|QDMMd zp%<{K#W$#Wbj1HwRsNSLVC9wxczSETY=BsSnR5a^jlx^ktKA*Q&`hANqmxh_pGK79 zUiqIE?ZZ)=*O@@nyg%)AfcC>EZnVq>Az-f9tlz-^y~qK*b`8)I98fv~RQpfH4rv=Z zz^Y`h{?rkcqhd2!wrMF0!>3Ig!FyUQ$0r^!OfKaWvTZ`OJl>0n%|D>RMVc*-rD}C1N8k7zm!>f ziBauUY;`PwfLNiAulGw!Vljgie0C&f1;^k^0haRkNbV1zh`(Eyp!FLC5U^Ej?l3E% z{s6H*Fee5-|CcuPXQ=u=fWLck;bP)L%;L zaETx!zM6e%;Z<#QKgLYb&~2N1(!I()`Q*i#%VxfR+w{R|S-j@5c{Tox>pcrhtGjpH z-&XlsQ}Am(4%Q~0w9stuX{-wm_32==Ufq>f%bUQTVs+-#I_OL%6V>C};{ff;az+nQ zR#y_$HRh)dw1B8H9rQ#X6T7=WUl8c+Zdst06Xnynu}6R4uBJbo8@u`wrL2&J6}pZ6 zva(;f?3bDS8WJ#7>K~CvUj7uWcfF1A>Y3bPRClmnDF6%R#&%t%)S#k?SZr4l+SBT; zmW0a;OTzo5LX4rY$vVGOfGVG|MDiWTw1sT)Np~fA<*V7D6rO5p@=3Ez z#qMUmn)jRC*GT0~GhZ1^v*WbDxjKs;DiBxSOjOs@A8lw%s2p#nl?7A`m*L~jy!n#_ zi2dEz6ot3&#azY~^KiaXZ#KlWk+_6Mps`%NPnr=hSLnG~+6`*74!dEE>Fw)XIjd#% z1&Cc?%kiH#;~xI(ErY&kb8g{#IQA=cG{1B+ryC9q`+ljN;{0xr9cSgan~~x;>V4A8 z*b5BgnwtRvqbdz@`R+skO177VY0%fR-y0Jj^}hL zY?9gwXFOns*a)MrK?r*_`J`EpXfq&IXfN~z&@J_TX_oizCVUj7{Sraueeh;t{CYE7 z(<(N{?xd7zKj+zp+Osd`00dGiHpg;V_Ou*G94qqeY?XI2o=wH3w^6E%N@Q!hh5-bu z9mc9(Zwx9sJ6Rv6Ik1>66r_i&TI;kpHDqyzws%l_4D8V`LEhDaX^VJvGoq^z1-GmUT5~JAW(Ekm@c5ZQPCxOkFl4 zcW6;1ueW52;TYq#Xe5m&7rgW2Se97-xtY7a?@!dbvnn-vZ-7lj&OrA30&}oiK{DP9 zc*Ww=ctPoIK@TciF?PrOT$yxvH0q=ZjlcTnL_m{pOK^fuY*^g=niBGKu&-8`1N`Z- zM}H`xWNH{KfIdzu%E2eCw=IoRJx6R<*}br?C74cBPwYMp{ISu7(sQVxjD2LZ0D*Wguimm<{`T@V}AW^lYpIbN-ScKxSO8uc3ejmCQt 
zHSgg!@crGt103ooqujEt<(BbsuNdX*?heo1^CQbF%GteVoxz^k*qgBB$J<-}GFJd` zXI$&cGqkjXT6=$PyB0k;G@;$4MRvP#cHB^`QPvLXiCh8nK}7Ws1B+Ug&>hwADcV17 z!lgs+;jf|3-xH_B?r+#Uw01QhdSwjmAGTAxTY117)JDpu$9J{>^-06rQHIr2Hkvyf zppohAHlIm_{M57zPCU3UZ5Y&>$_EFa-;HYqPWKUc|9GMtn>#<&&`PPed&Jbq=q)TM zV4ly&b(jW|wW~X95TNDy2u2Ysj0otd0D*zZ8T5KQJdJC2^ITW?!>D0SJZB@bu&Har z;iJ*$MsNJw`HlRHR@zv{uIrWZEu(UlIdMvqd6Lt8gg@)hlG#R5PVGLY04R;ywc2~* zR5`wly1L!Q=X_YFv0Q32w{5QB{7y-zdHw3(MLT&k6{38K64!MB)ZNiQ>YOH@R1Oz* zG)>Abt~xkrNZ~d2N5x585dY(yj1}r5ZhVJ}Mo*pYA{w35mJY(AWE-ojt++Ez)iNqy zHm&a6Qj~KA8S$)TcF-rjY^g8Gi5)issAX|hK-^T6gRUS(g+70Il>U{hS>@Ia$vL6M zmvi)Yh?*xZL*>_{dr^V-{w$1cqUi$xYNuvoLpHG1AA!KgO7zM~UAf~EuEE36V6t}i zKmesEOD`d6UhTtn&`t~l5D)1(1M}QK#@){1e;8fA*|_*d{EycnHL5*sp^{Lkb}lGI8|w59l~SAC$5g?IG6PjhgL8 zK+8w8a%06t`K_JG{~=L+NTR%e<%eScPF8-&0M2@p8#QjeJ5FP*hR4?_oq)|kV72C`Ka|@MreA5(N(UIX=BuoJrA;rWFB%qm)qrB^1SO3_2@b>Ms;-l=wEyYTt`hue zHixNwn+>qZCuQm8mreCW1N3DK(oRO8x7AF*rH;bZcXf8qnhZ7j19!!#x3=wq0uUNs z9BvMc@vG~kY}_q=h5D7Y3p)^aAAUQ^&11Xg34q?u=CA_Kd+7lpA8^F}=PISRmP4}x zNkq+Cu+$C}_@rTt8wG7!Q&G++eKvZNo7|o`?^>osAB;7pw`We|nS+{&a&mM>fd#jT ztEDI-J7jAq>Y2^5#66-`eU+aXxG$tUF(j0(C|7Zg~6wt}2s zhCZ68d0#B%K|1sPy_g5-%=>t;9hBpmjdCMua_v~j(Ag5*wb%~Y;2CjBT@Ma7qRllX zLMdK%z|`ChMEN$9#Lge(toEB3UB~4QmHeRjK>=VxLl*I&`Qw-y4Nd$Oe$KF=Y4qOZ zSFII`?L4{}p4`hiwO{Uz${U75FfCvv>gwSOv{U^7N*Ic~emiQC<1>*r8xla2Qctt*_f*^-V-|k#Fr#U2qdy@(x^h^8PhM>xP&L$GCLc5s z?iwmU&DsGFtU!mCRrlC|x(bI1&{8yj-$|DnC2tujK;fpf0~lYmYIyDUZA=P#%7x6B zhoSJqrlJAz2~&ZocZ)kJe|KJP8bw_{4Pl^$6r!a>mI3O-5RBL(jSo2I5Orl{z`TGc zr>Ltwm!+@FVnl%ioOArjNqkYdJeL8<$PNxA${D01B1TE}e7eXE`9)d5n~3W9aFJpE zfGzgS4tD231r8YL_hEX5GuTsX$U9zuvdL>k-km(J2J;$u-Yz3=42Q?-{h8;zYvlFf zdAweP=e=*_T^Vff!kyM@X%4Q}W$pfUh?=+lf*r2eo?RiT=XECI*PeDHb(PuBQIsLLG4`)+3f0PkV53|lvm%nSmgi(e!cFhD3xQ$0B zd~B2vwgKIr^61Gf!N1kUCl9Gx?N>3Vg`MyEGPyNP43DIg)=Yq42F8ax zPF+76&fiSB&|sVgw!*x#+VE)|4w!KjoYD+c0JbaZq!jJNd2t$9C#7touCb%gM?g;= zZEf*Fk>XjRoVl>WuUypR zANhUDItBsBKPNBh0h`TCKp;6vWZe7=&su zp}f%KKpc|i{)Q{qKm}a5!vbOyCoFgjIxjpnV5mOOIRHAKt$Bk|zys=hkbor61#mzm 
z1E4^19)KE93Bce0Aprr{|C%6HWMB-a^Z;N0Xo2{jC#2^nFsS5oAoGeVNET$wcLm9U zjD2TbEJz3ps2g--fY=(n%=8>UV=DqH0!%{yzyMxgC{Muy-eFMZUSQ==fypfa000oN zF3QaVhQ8<)Ev*xEzEIXgfuo6~jG{NjtXZyaJ#PkXucmp1N4dV@R3k|J(;zYc9l}yiEq=5nAZ2q;?B8dVV|!_YeNPLMsFMM zavxzcP{!!w5{; zczvB=RN~kL7J$H{Igv-$q*K=?*#ang!_hSvBw~FfR{(i@H*s53Y=~a`OrK7a&*e+v z`Y92!+$ydr%-_4Bph|w&Vh#R<}; zBNNB>KsLZkCXEv#u0bb}Tw6LVP6^)4W}|vkna7{x6$HAuqjN6oa35jQruw98zZ#S> z4*I0=DM)&QQZDO4F8VuQNSn}~^g}rUc$EX;=$bwxV*PL=n_WxrC8B!z&b5PfaZ;S> zzr(OfJ?7dW_9y^Eg3@@oEk&#|qSFg3V{am~51vOCz4RltrrrPmZ^X{0*_(5q#B|Ur z$Hn#cvBXw!)nae{ffbeL94z!{q}1WfzcVHDUZgbJn}4Sxbif;#ZK;wkCk0nj$(PNc z-?0_dgQ%Y66?V{uOo>x{R*7<4f6*J6!q$~*Bp&|TD(twtwA&c+qg#B^!fd2EkFjcJ zC&y{*oi<8~!_8vd-Zn~oNUG!te!BR$O}g0~MIMx$WnT_MVaH)avHon99ke$l^R3re zP`QxJ1(oZ9!;~m3iEyyS4BuGg60s2_C}ks`uC4KNgY<$xw>c$SF=V~!yEdoo@vO0U zVWc=KF|9sznTf5)3@7-MpJx$yiPRH{l?NPE@)D^(M&Y$pdF5#~w1LizJc8P7i$tEJ zuH^%95bNjIkt%$Ei-*aF?TaolR>DmRw&Je*7xM1i2>(CU1K-rK9*nIwO8)tmDkF}_WMKXTp{A@eK82=QYbMZawT|*2FaHlo5p+8@99pk=4 z>|W)3fO^Z-<=y1(uKM!d+b~d$CKbD*@`B5XnCW!vons~{PQb@a2y9;r6%ZtWmN*r zD#X*PoLAm+M@y7euUcXvi{B=Dze>9B7r8BIgEia|8rCT8G*`*3NvrzjpWDz!-1)HC zm;e3-ONo-vYMePu?96#z+}WL|o*(XJ>nS$D8>j7h(h?=ki1I)0n(0#-z0>73OQ>7z zDM$j4FDI|EyPJ#MRKM$WlNEr7e>}YMOu+0@_F`<@wgukuYm-3-=M55|WHBX+FZfO0 zV^mkK*iZ`YsH~g4@k1kA+HW-m@gD}+b9a$A!4 zSe@}e(@~PYf2Gx*|Md#dpML`5J4q=pa3P?O2f^eTisE@#HBW5xL@th#FyYM&OTP(h5P)E6FE)J zbRYGro;!cAgZ`?QNjxR=fF4zgFzj1qrxP~Nm-9d!hKNM0DZ{w4|4ikwd{QJ4%VAXh z=2ts{RuTdIeBz?cY3?HQIn0TRI;R-6qi1@e{3KuMB|aKAVpJE(v23E=on5IdV9Y%p zYGU0{?(Kc^Pyry6&SR#1IvL{*uOBKvq&R~_T*0A?NXcJ`epPy>B$6dD%91>x$Pvsg zQNGZd1Gx*d`zK=z--tybN>ZdaLn(5UC|Q!YvzW)RREkm}#hFS`1_`$W3&ovja?GMk zbp{;e`Fq7XjR!A9nQW{4A2+Nn$cvpo`|!o}xp;GI>fhSqyA(7{hLiQ4bte>uP_?komh z{)ylyq8u-g516Uz!<*1cc#^3!|EJJ#?(6yc8R#g5vDE+UCje3OYoWLry>}Dk5>Z_T zXV{?wx5sv9;dKI?I#22q7*L74$G=?y(5T!xU=_wuI8M~O&oO9V= z5-nB7?$>7c;3>0+9|pgZG{|N)B@=g7VTZ6>p7$lT!mG;mII{t?AB!-UkCTmw znu=danUkn_shHxb`;n#8I~^h*eTfAz%{mvKJ5V3$xigr;f`u|y5qE< 
z+iIuS5GAT>|I^&>g+7!h-!Zx7EOo8z&Yd&|Xa&iS1$)-yLnw`KKEMejg2w9D>C0n`OkhjSqfwl?# zNd)ce-za^2mH0qXiF&_esuEY6b5@D#lQ5&^5r9x~#3xyVBzIKLU_zjUC}*^(y!y9z z22zSumyB@hCtU)_o})-nyJ;6fHc+hZNdiQyha@A+YbP9!q#HOk zdS|(#UW3H(czmz-vO~Z+=fVzzJgg@^t{6ttyie~o{JdrGv<#x=wGtx@dUA5-m9Hkh zY5~nG~Fj(PFlUi9VN6;-~X~j|07NhTgUR{^pK0FuJL!` z>9BMv9>^JE8FR?Q$IshvvImfeUvjX+6wBp3lx9aGPS1l=?Vx=-Cf?4+bkHQ-ko9K` z_8_Wj-c)Sx$2;txJwGN+16I_LU%9Zut9(qgWwb+ zZCwWU=jyA!C8hyDU=$BL{m-7A%pZNqDRgypT%$((pH~5(WGWY5nz5Pq8h5q+ofwH3B1dLzV$J>-@j5jT@gBBVcr-=@Yx?cDCL)vw62d5avZX9lP9h1B&w6ok+;3f=H?;2W) z4Zm4pH2f%Q_^LaO){EE6I_r6x*^KSo;DAtS8BsmIV0CaUsZ$({W#wf=`GHAVZAA6_ zW4;5l7u|6@|89g=%|r-#80o~Y{Xxk|UHPeeJ3En8tho(BS-U8P72UU@dl#IXx`Pp` zjV#}FB9&t|zcHp#`oA_gp>vZ>DP5cFLood1>i^JSPi*kP_69rm`q#t`T0?G}c23^G zl7E*Qr{24~%E#WlajSQhU%l6I7f~Ou%v3&{9=vIin(-2k@OZ|rd`}i1p{~zG0gQWv zAzS1VHwCi;*>g%4HwS3W-trGm6h$&#oHSZS_?$uAiE158>@c^HY$rKQ@)=9GrFyv7 zP@P1SOZgW!45%3op{$x}GlY8j#D+qXH~(-jO+IKLs?TA`Y10q8qmAz98&3f$A+KE6 z5wTv%65wEw1sq^jk_zj`Xs=I?Q`s}3p8%j(Z|NsM$fj6t>LIQ29Xq%I+2acxYvE6BCJ} z=K3;9_tjno6F}%gqU<9%mx+AY!br;9 z8(SFt)@Sk1!u?5P4B1{4x!e5c58}=vMBZniu2?cFGuNSiIhXMeaplupkDIZ}7f9{t z7rM&#Pno%8JfpjRn-ZtWzHn5m--b`@Mv0FpTG2bjl4tTy~9ZUp%p7@)=6pU zq5C)aBu7-U6xc$Gs%qCsqs;?DR63@S{6-^u_Chnj>Yq^Ys3!&5DoBK*+==$AN=A8`_3a6? 
zFvKgv>rR2fde6eX0z^D_Gf9G0r&8BH(*=-Ii~9;d_Zbk# zsL=kziuF6uhbu8V)6HE%f^If?%d`P;F6}$XcClef(j1~Lx5V^3cG6WemPK4rmH@kx z92h~$nI(XB>2VuGT&Y>;Agryg0O}nkqFN3ssh9c+P|@X*<)@h>Cr*?raptWSGZNJU%wp>e0hv*5v z>RIp=6YulpY<575`wk8Eun={vQ@fQ?8Y|=;?0boi-f9N$W5fV;rNysM?X4*Q+L!pW zlTkLa&kiL|x})0GaVXLIB5O0f;``b^P{YhhTqrV1tQZ%kvBf3;Uu3OAdm8W0J?~(y zSA5?c^(k%Iv~h8oXfCxxv9T7XPQjP$_oZl6?alrftND~u?x@y>!R=-OxY#7(P4X{H z0MSzxzdB-bk)2ij!FylZF!^8-Sxhx$Oq`Z%*ZLx;vwmefbp_G{z-N%uuij^&u4j`N zM}dm+aV7vSeUImAdnW@Fhg(9n68YdzUGO$d8Jb-p9~@R9A8_jL6LqbHsIGxUcF@Nc z*0qRrml)@<)?#0kr39rE?ay&aaf7QfEkyO0un&4EeUGSXtweQQo@57Y!f1flE5O~1 zYr)P{j!nWUeK4=QbKX0XjB!rBmFrg4m&gar-tntxu#aE4NL_NO0HtcsX7bkD&K8*| zbWG2zip=B`O`T*RPZ85+CHebTbl3Ycj$jhlB)q9i$L$vMElHpaT4F+x`*&rn<9`nyXwdA^B0HcS$- z{gJ#cdUkrX&UqVoa4=H0;Tz0p(X)KjeiWdQHn&7HyPgi$6I+k&JAoVh(o2>Sp z0?3-VAW7VKl;3d`c9G*&K>TR~k>EJxJ5-xs1(@P|TNHINgh$}#U7gUkS>iuT4pZq}58_8Rlkv1_%3 zOoq%sXW{RTv4hswMro7P>=M9+e(<}VP#-1n$1&Gpot3$%*0k0JHG|*mCO{jBc%I4- zpdwaUXanStRBOo>Hppq?n3VZd>+k+*14M_YuA6!apnaK!Rw0eGW6pu zlrdVR7tvSmhZC{i|INO(xT9L$P$qyKV+9|k+)C%Vj&$qTk%Z5(L>z(}Bj85_OqG7+ zthTNNm0razHuTi>2s^mt!FetLpvBtY5+GZw+l&_naZ_>cZ@lt1-xRAsX}DjxSgQP} zZ66t@Uiq|zC^*(lg{CB5{lX;bx*u1Jt2sjeWs-%2n}hizVm+2208z^_nhMjcO@%!& zN&YFuZInqQ|6@Ic8w_}GM zE-;Arr&64sQ`L6!^`QAtN)?bJ6SWGh(m&F<1Ab4 z>DI1Y*USlbzlC^C?~Bvz)a7E!QMC%x26F11P6618 z&2(bo@drr~}Y2);o)+KB)i=BmMYURz_6o*P_5^ zRADPo$vJK=xlB9og%x~}5y!deD|eeu(d0wf;;wH+#rjUV04oL<(Ql{w(QTcYcaquw z`GP@7s8~t$%HJOMDI=aq7eK$o@CDrxNM7JqPEprmR~!(IZs^0E-l-nX1f<~a4q#`W zB!O=6E5jv!WW-O&+{<<$1Q(*Kk)bwlA91&oJn2_1YOfVDs`3cH=8&WIQX2rQ>POVP z4_KF#i&{E*WO42N#0E-KZ17JqDTe|kqUQZIMSzOET9W*g{lk-vtu`j?=}(EfzD-#% zgcWc-_KA&+-NqCF7U)8Y*%|6ZTxMVD=F`ZJ zznaxXsrILC-1U7pDu!cr0E|Z5Cy+@Zo;pDQ29Ub?PzThcp0EgDCK1n@sR9(cztJAd z$A}(($+v?xZ6KbXk>Pe|vK~xjtkSxRl)8@=yPMJMHj?)eYaFeSwriV50)&sQzu&w2 zH~X`}mw&-0PP?GlC!tBL_h+AINyel6E!4FQ1b70UA$;$R)5t8zk<*Alg}kOOd?GpF zGhGnLXW=7jGD*bxnS)#JL>MwX?4YIgi&HV2#pRTDP#5F5kaFEH0JA_$zx*zl`y2d+ z4c{*ZeMC)tCPjdf{P$N1CF&F#$=|!eMN})Be}8`K%5FrC+Dh^dqG+pHm!}920k2}O 
ziddJW2vFr!rdVn`Z>0!e6*taBhnLouv0c}&oi=EHSr+k0W5dy))t9fW_Z5emLp=lk zKid91K8hmiAIGcbS_ug~feb`MiP~r)ux8X~W=)nf%s>rxmbie1AQu-!pMmv4W+Xmx z33f)Qw7p&caaVU;cXgNbvdg*}Swx%=NB~8-D6-%Ja_z~G3jvY4xJ3W6V9X8zU}W4M|Jk^CF7RVem~Vl#KCRjK!bfFZ;a4 zqS=vX=+OrI__P#+Jj~eC2Aa=}1x{pioMtQ;ap4-i9r3cav%6WNPZ}&BgknF~VbU`y zt|NL;p8_XZe1v_`&5Zfk-E8qzRE&^uT_f8$EhjE9^2mojmt3`H;p&w{!>uohNphbYlt-_%r2ROC7)s}HV7h3 z{=h*1+4L=>$_Pj)n>-5c%H8a%}r8MkXT*AwG{nhfNWM3-JP0(1gK1*9bu>8 zwILL@8y_??rgpJ#E?8$Dxyy+RbRB@!^O$>ECr0ABqVALwWIWTtSnO`F?TSloOE8uM zgXZnH$IW?!7#Wmctj4`PB?VQTwTmzHNibG**0N||^^Qx$9Beo*6F~VnEP-CMh*6UDL@lF zI0cz$f@8jOj6pV~-a3t2T9~PXf-l44y#7hob+g!@b07)dk;;Y2FlUy@zA7~T`qUH@ z&g6^Q)6D1iJ)DAs*rBtG`Lz63Qd5wu9?cf3%`BKjT`9bZ+Zjed>&0LGu$hmG+nEnG z^?v!Vy?>dK#6O*Yq{O9GqUU$s=|oj$ZxNsGfo!=%54mhauXL3guQovy8}5WEY`hBo z?k5-CZG(3QiqEe{2>G-pvxrV?5Q=zK8W7$t{w__EWbtbsZ8!dSZ8z(%f6d2Mtp3*Q zz)0x8Q#}|3uerDb$B)C;$CzJV2^GPZ!|`IW0k1#H*eoge%`y+=%-)@=ii(7rPP4+hU#IbGuNXIh{c^zYH5$8bi z+N%2mG`COidig=W_o!biIcoUtxr_#X!FyCx>qtSuQli`C+f83CS@^*Sw=!mA-qX$G z+zqSE%+cgP=SGYW3g0cRInuYnt{&-*XBfXf!Pw#>-Cy+bV;?=#V4vwoL6+_D*qdF9 zea4#!_hq_m%?t}~QKRAWnD*w%Ots584>G{t?nFlZpl%lIDSx%R zUVfm2HumO;qg&;Pe)`oULcaqu>;y1q@8;^cRxP=}D;q2v7s<(+Ku!)?%uIm4KZ&{E zlE#^m8DY^U6>!OUxapzelU#6^eJ2X0nMq+3%_n7@e4h`^W6*&{pCo0V=l^r^-3Fg@ zn?tjIWJ`g(KD@5G0$vEyl~-X`ywSOR1KwywpMYNKNFvN+4Jmp^k`&rOeNx^mSu3{9 zf;?84<=T8Hjk!NKg#moL3_+Zaf*D-FNHH~2pH!@m#Unrkr8Cra5thb+3BlQ}_tfAW30U(t)I@|+09 z?s`5ngHvIkrQqOlIHY3kK_@YimqX&4>9XkR3nLDRujqcw{;?$mCEru@B4XC{uyj42 zR6YSvkp>mL(sI6{0erd9CiuQ>n*$kxZ|i3Aa=M?n?>U2!Khpfn_3=J@M2nhkb0T>v z(eqE;25}a-dgJQ8iqUfJ2@FO{dHEFp{9PB$#_5-e{;Y$j#~&jUxXpYi=W-ua=APAo zO=nlwU<1p8)~O|tX0iHZgit^$$s&=>gep>2=$U}F00Xfw_fx0&@P}s+O_8!@sosom zKG9_eeeLAZuS@Kc42u0!KjJ+ZZ_%DgQ;%5a9kXB+jJ9dAO{O*}p!u_AsRgOw!Bv&G zCp@5rq^LhetIkw~`-rY$tR4|$F~d=!{R+h%Wl3}+bNBDSsB}CpW2j^~ixhDz%3jc5%Ixtl8NyWS&>OCmzX6}r3jHs2l zQ`#}Ax+%e1svfbx8^7-C{b410LIZ9x*4rsVQhH9f#`l?;}Z_VqTs+X;WkE)3Cws{nT{n)uxZ6b*Yo|?iT1(!P4Gy;9{}1gV1xv8`mPF*}3dPN85~|JG+@$^bx}dQTr-} 
z;pp`phS4zl@40Mq$xYdeAb2#GJ0<2dWmNT*OMC)82R*K z3;nvT$4X{)_{7>5?}n4zuhpYYS^U$93YV0;~2%#I~5-oYzib!IrJ@RrDq(9LA# zriSW1y!>vR2)fT=Au~6V*Ox4VvW99aywYK>MJdP@N>iUrLt)3P#rLLGA)<|VsRu&@ z?tT!{f$le|ZsvRNuW&q8Hf3u41lmsMx!_&Xj9t9ZMMNu_+Jlj2$28-?TTHWe8qx9y z-9IHZ=4ONdB<#}cUELTddiwYV2PzGYmdk={a?n?9{B}^%s7$vF$FS+8OLS+4MN#5>KAcyV$sraoCdFdK!IFv4qTE zr5(Txvbl7z5z>5UcC`zGQQ<&rl)&}EYZu{Q&(v5xr1h96-T!>M_-T`Ot(nNpwhgpl~OF`rd?-W1vNpsYu%;yix@@@-nnB~*vNYiGi4@=Yd#v06=X5b&~ zXqL}wg#V%`QZYDjdZOwXk%(j06Ja}__InpsVyA#mc!*k=hQrr%6uWS!|KhdMg91V` zpPMjKjBpkjpRT#ov*Oc(iMrlN=+{I&*hO+1i2lDW;_a-k6Jc9?mFAP?Kr0^S0@Fk; zoji!R2ys7e)#GTEKhhj}$DFHQ9Wa|FMli4b*J|_NfBgPC zJcpCWfR9dKq^1u$hfQR_z@U$4`ORlBnr_ry$5~XyIgH{HBYQ)oK@2Q7LmTlf+@CtQ zn*kz#&H)OtWgv{MLIzB<=biZ-pe;kNj_t{x|m4mwFG29Ch0HW3wxeWiH zZdUcI9feYf_AF*@4;KLF{wZweEhjJ_T!LBCjYr&I$e75heT~p*E~7oek$kSz09dI@ ztQ}<)Yg0=-QJ+{l&f*hmM+tgo1bVHtL;ZY@2qj=+R@$-Tyd70lI;#U~Yr&TP#Y{F4xl* zv5%sE0BtjK5i)n~VT}0yALGEnHr~wTvnJqTpQrV9>eaK!bb*(5s{R;s>h%jY|KzwX z`M<_hfJT4T#aN^{lzzTX`?Aem3_k+{JL6_2GTP3!q3_xMGO#1fHY`b=wwR7o>QPai zB=f&!Kw{4hzF@T56m1c{G_80N$Y;-b3L~FbJ3Mcc?i+#R&eKG9XFiFMSetpfyv!&5 z{UCF{*^E&@pKr4$`q0oH9mrV0^#Zzw==qz5I(u!rT=uNt!#Q&|Ad-nt@AEc`FLI?* zR(sOK7pg#WYzxe^RV%^)h(D~*vqaB-_H!pPZtG?Y4)$fWM-U?uEC>bk2W&*oPkkLg zvqpM1WAOp9SUZsD`EOw;u?fP3_Ntm1g z8hM+z#S^7FnEU%CjN)}<=68zs95A&00dHeGE#TeHwLjayUWUfo+C%8}lkYUx`tuH1 z!+!FG?Eqtponuw^j3D&iA*n{Fj)q3i2Eyvpud~&bhl;Cuu6a798Y2pCpXVUrpBgKE zAbS3xy|9dpH~bDnv|d&vx)_0(D?QuO?hgPbTpPpjRwg$Mj%?JcsJ$ey=L)+b6% z;6R>eU6Yl5PrQvG(O;uD1>X|ImPuGNew=O1{Z8$+E?iln&mSpp0Wg!${c5w#`1%}Q zCI`8)%m)kjIdgv>!$_fL71|O|8v(FU&s+93Ec5)Qf9FgN?URf#wc9QJTH*48SUa%l zY_|BqNb_Q>phmNEw-r@^G4)o)n4*u^>Q2s(+T2f}EzCV9hLJ4RJ|HNx<>DqxjB)y! 
zXF31z_iut&qWu6q(txswUM9pJ0$4V{X5xe88fQRXB(SZ8LWopH#Yk5W zU)U5!p2R4y!oTEEn?id^=o46`w;4NA9f;^7j;-O#tEtA%S7RSv!GQ_~Q8!xREpowz zaE0keHhd07BzG6t-ecsWZbn`uksYB2ifh7<;^l+0jPaoeLKMfwuBzpdh*}ac` zntb#Hcr+{d=*Q-xSwzogLwX;5G5P3&os4z(q--HPr0Ur@=0Ves{3*R+jwfpD6`|{Q zC7-g0k!!mdt9o`g600-#!qO{-6TK)p1Z=e*nor|S#$qQEj4}7a2Vj|%UF-#`=V!Z| z$irfKf-zWYwA;f>E8>5VB8)FjGgf0C#$`bh+w?j@uL+JTpL zTnk2o&TFCD_uIM|ZKC_Q$UPn&C^D{fBIC5Jn;Gehu?G8-ZP-L4T_J#s+JCtKavpS$ zgbH6Z{u9yd>h(_4=##ROKm#cWG{~_dGe3MO{4GOZR|S4Wbo*=j_5$TEEg3n#h@a0dt=?j8X7D&*o`? zl88)Hr< zU|%7|LsJ|`(MFUufpt2IsPm=LBv9cc$HhQ})S*`eD!lWk2~>D26MzcCYcB^XIF941 z02Sz-#RpLpLg8F^==3KJr0DiNag5~2aok~B=n7}C_4IqO*0<2aE5sFj=-rQE6u;N3 z%tyc3c}&J@Q7>Gf)!1hTxPmjKoB2Ia)1BmvPaKF3W`096hD?35^1&1+Gv^i2) zNu)U(<)e{TH4=r!uj_#jEk}RAC|Ky(JdN>|nnP*5_y+^`;ve<_{^1Zd@ejO$X5+~$ zfIqyS_h$Oc@_g8djZ*z1pDgp7&j7=x7ChdD7ntmUudZAgM3UQ9>GA7Klh zTK&d`Y$SUded72o!*WA6lmF*?!)oF(f|hAXfkoeslQ@X|+1*T2q``oNsDra3VXH_C zS@^~$lCC5aV(T%}Y7rrNQB}JG8J0wXiIIN;grKN3e(@+o(oOioI=h(z`==$|(-r9f z-R}r^8^q@l3C2piEfp@J+h2@h6!2~opF74mujY`cAI;M26>*Ga$<%MFD%ups$S%I{ zs2xBLpMgr{Ui8|fpobh2^l)II#~(Rto{tV|0n1?gbpAB>(gLW|1QSX9%=WbpQWeL{klQIF|kg&n5_7~M1Rsek7 zJkW_2A7bn@Gghz!Tl^(L7G%8A%2;fb6+9${!;$5T6O8$^`I02F4Y5K%Iy5(7WL1a$ zy9t{}he{Ke5FT>=rGFe}EE28k3oix*`N5c_hfB&PzJc(MthOfc4Tl@-Z#H3MGd!(a z30ydUcXN@8*X3cxqsJMG%{So;E)y~E;s7Ty4)r9MajuIuXBuyZI&>WW7hBfNnDMJV zfMW>F7hih$Vhlq$Bm%Fok7&ZE&=#6kC@ic9USID0P8{E)4o%?|B#{dl@oO9G_9l$% ze$V09K=b=Aw=ibB&;`G%Tll9B#rQX~O@z4F^>7zsv8P~+^DP5lbF&VB&Fz`)1dII= zQeDoM<{~Zs?HER4wE;;wd{U^YXlV>1$nS&0DP)DQ!j4cp)lBQr6~7p#@VVQGjIu<6 z@$qHuobLgrFe!$S5pQNJwk(NLcrn44W9FVq|^-LYO}75F<~)XV*g5J%x4z z9p%iuZ4aC`MJ6Q}3+9_k&M0&xrQ(r*Z#ZFK6W@@R#5a^B@eQT1>v>6mMU1%l`*$VZ zf69D6+@H&roGx>^6AVD!afgN=nNhV=jSyV72S^i=0xIVnSMiCA!_O8jIl+`y?qZhgO>W}8HFAsuMxdyp*g4To=Y%) zgjJ>nub(P=TV=7NRa*;R64xBcr1PcW6;JpyMaoh%`*X)I?0gD6Vf60pBDMa-A?U_y_FC)6Wp`WSf%fj)`Ima|6v@>QbyB5yhWifEPqrO;- zd~UWsqr$EpYK>(09mU8ZZ*PrBXBjJWh>;;@FPimd%{c0j 
zXvm_uyb~pt7-45%<&29%v<^N0_ik7nNBTLDG4-q|I$)ybXZ3d?J_ATF5<{X9ImmTfxee8E<7?ZyM1i)`!yx-S64U+|TdDC~j>q&si?91oS$E-^bklvxjej zl@{ZVEWwCgY9X|-rUVhTvFglELbmG7VXvZ(VhU{_xjpP_wP)laTcjf_axHr3UX0Y6 zkS7|yt9Z%X)tf^%RxLm%G?=jU3T=$9)}Q*KxT@!xc~-S9d&xK!pk499BzHaSzxXWI zP#1kxK4ogXCkjUU0PQ;Y{whmxRgWcq$JFr?>Z9+hjHu~wz{rYwj zC-9tr&{Dpa7<)-6!1~@YaFVq{6OvH_h!E@YYrI3F!CrB0wOFooP_Pvc|c0_AFVG0RDX;kX1Mo;Na~fbu)doBAY^F_gKQF#Lm?=*-16FHyO3eN1ot%Wz z@hS(BmlK*MaTR#-ZVVAA{E_C$^!Q-trcF$u9F7}YP5j0aHIB3y`E>jbnoWWk z=aY4z`sWXrb@L$|1fC+3zJj`q^xnEd-hjSVf|Kfr7;Fu6|EsGxMdWT#pfaO;(2h-PfyOn^XXhA|K1ZdrnV%ma;9(l#yr!% zWCj4BkVUlXIDfl5MhG89XYrExl2aQN6v~6P>C8Qg*TOad$nx91PGmgSnqYL;mC;C+ ze{G&XnIUAajDu1#mXpmf<906O6-p|zhH%h2&A8tb`fMt*g>cX|&G07@d}}n8ol3Bv zZMyN|Df4jfd(oxxu zo~E6~h*JqhXX9CoqtgU5OP$#lmHn44!0_;Ku}(Keq=GS#Z3#QYTA$=JW5Zq^P-OAe z-cz{;0+a#H2kZ>G@s;>!RfI%G?qVni}~;;W?efuZ|q0B8@W0^i8IW(BGD&GS;YHYg_C%VWWc?C zpgj7d0kf#z#y^0+#aGQaGvh0q%sKPlz%*Be2<+tv#&3EO0H&Fz0GOsyIS-~eu-$=- zrsIk8V4BLWt^%eRuOz`Vzdw<<0H!hFdKVuAgX29Pc5E?$G^s&Xxe@M3T;=TGr7z91 zgQZs*?9}6xbiR~!wZOUl$Y!znMhim0)Brs-jnFTH86~t~x{q#MgB=Jl_X}Gvl2>pR zmno}^0Z{quAdHNY@dS&-1-`8?BYZCm0lzu5j}sZY_{}wN<}^{dJ$RQ14m$assz}4x zELD;681e2g<0Td(kH8dtzBD}G-CtoR-koz>wLY`7(Kh}*QS>>|D6$SakbsfHM!Y-u zpcEs4D$?zo5#GhwY(a%R;Qi0sTE!c$NFi#ygI}$riZqJoiiG)dW56+qc>J z`=r6*15t%`DAWdU+3TrK`h}R`lLiO-mK&~H9VqDXY?deU)uh>^U}3p7U&>_e$XDip z$da05P{~Xh2dCXreY+WOeF4!uL19|pHP}|C<#Ot&oE|C(7M3fthu2~ZaPW0fIZo}$ zU6?;>@qDQmS;E74%e+2`gm3hFSV`n?=qEvkLR-o~mmBdFMt%>AL}hVVV?5J{^zCM& z^at-?x%J-vR4fh(@^rI-8@6E-xAE&M!>nd)2C}P^S6q^XB+#2~k@j#wdil`=i$tHf zkI?^cS(DJ#P&#wJ!#TV@$1cR1NbY{)`%?+#*-T!ovGpmg3H1@GqanP+mP%M%{CIJ7 zN65A+JKkz0P8gKpM22uY!Qjk)^+SB%7B{w;X^C$nbRj0xQLpG@hZEXP)W$j5I9p`% zqKs0a7uor{s3ieW6Nokn7uVz!S9gR{*=E9`bet_dy|||#JX*8Ry2U>V0zzzaI5S;< zc<}#=sikq0t%~p6@ALZ>3qtA{OZcI53kaB_%m<4312yUyA@rhH`=k)*2=`ZG7NSNi zbexUQQ8*T4jHwNl+!J)1O9RI*eHI7j>GkyXuS!m zN;;Td%AN>V?W!RM!oyPX$V`8st=H`#=|>(*28`?@*1Eh+Vbe%@Md+N-jrhFlcl~`v 
zgqbhls!C=HS@^hlqGaZ#noP0kEDL2+?+B%cwG%}__qhZXjUTSRFF?DJ6Jl&Qwh%(qRW!iS>u1R!z@mmg5Lxk$hq0zpAx^O`amp5N1#i)2m zNV0I|YM~P)n|eU3u?b6jlGX4rcKL>WXM8vxq3JURMd;C(0Yg;*RLtTnA_3N zyYEkrA*5vzBEoYkAdSvBJYUqRj6RL_p$f)hmaudgRsF^=!@MC(|bY8+IN($oWDAr6lw^n2sF6A1=# z2ci4SBfh(j^Uce>csoYwPf;itrF54aOhC682}W`aLgQQ)k6S#=a*cym*C*UB8676g z=xAe%EG6_mvRM1H5YR^Y#oDbty2W_0hq1u2lE~rkIBlYo=A)Yx%8YM%81q**lbMQ? z7S1#e1$I|tn1=#8D+Y*th#IxUoA@S_LiEf&#JeqSkQIdPJNZt0mfYdU4$TN?g_2l1 zR*>mNt4~TR>Olz28>c^MHJoh;CX2P-LHz;X{63c@iDiaQ#M3UWdhScfs`(iEtaGF^ z-;&1!Fv00x_R6uB*hc(fZClda_qz#%erbZ;Ltx)oZF8b4Ym#e`iU5|-AN4kEAPZ|>M4_@ZXxcMyO z>r;plVWZ!}sum#3RfMoa^!#gn>x6U;i@(5T0AsOwh?&L35N>gx_#mR^yKLq&Q!hMo zPC%$;5?_{W3PyCBdQemkh+^&FjKV(R3wuC*aDTY4HyBJZcb@6<-)iP*OI|<>4-exF zB6|K`txhDbVD9#H;J+PVVzn;7;fPpWoqQ_~@RqVz8%D)dJvWLGt~{6M3k2TR;E!A| zi;C5y0zwT4mC$ZJDi%0p}ayxcg9yDtpWa~3CBy5vD=ICF3M zJULRKN7ZxL^L}Yk#1wy|Ids2T@2rbk_0e`h>jQeonJ^}tV@zJ*kFbz8-lw>#=a%rW zSX~c;L{Y=R_~@r?^xq0?BDBT$@*HCwev~anHgz)=PvQNJ|J(1milf5jXwp$(#Z}V0 zT$vFP!WD2OyVZE@SORSS5`^pA&&9N~QljU-Bbcdua^U!PIQ-2^=IptXOKo|~eaA*~ zzq?XR@J4&pgnIdYMbCdxFas4sib%ca3Bd_jDXz$MW<20^Afi5!#s9caU>Q*#!6;~* z!bd1gp$CJ7(}0Z18enaP9^}25gh704W$wE57_m)Z%)SiUJbU9mgS#%G=MNT~CjGr- zK4D{DhW5eTETZSTd+#nb@4mvm3`OG_h`JgwqTBo5?nH{79zafrccLKE%*^i1o^nZCxbPstAe5{ze?;4ECCr6sYgy==HnFF%hocR}gB#kdsg*F-K$tp>2 zAz8|s-2vfm_XHr&Dzq+YX4SnrS7y;ev|7Fn%(~;M(RO<6W?H>iNs4> z;l7a_VHeTnVd8xfha5yh@%{Cyg!)NDAL0JeL_+_9X!evZ&1HBk(fYuPsYI(VU%H9V zjr_d>!K~@V9b7`u`g8FK!dhz+FrlTmY|2Fnw+TJYx_Yd9!;|kYPjkfTR|JIAqR1AE z5Lp@?$5sD4)SGyZxzj(xNM7cT9DZhi=@_VgAZ-BerJ>Po2a4b7qsL$)WA5^`7y&~0 zntF`l+xg?!oYM?e^r5@E9VqYx*A7sd=?e``{~#m7G|)Zk7$7RXs!PfVM@%?A5C>o8Kgtl?t5`BI)Sr-!lF3^UjI;K*jNdZMX{XG43&GR7i1#Ojft3vD8G zKZ08$UzOR5e?&|~$_-s4Ws_LDh0NSRQa1gIF@{Lp!8B6$V1^V)bEw zz@CJ&cp=nR?Xrl~zd;Da4uJcbrvtK8bfa!2uOON|s{tdm0Ev-0Xot^RG-wk>Vs$+- z^A!J-F;*QFtN(})>agGU6-JiOFfHG{i4zoKZr2)&BGFKmDX0JG95|@W+MQqx_8%HC z5<2YHeT9)NWH0_ih|e&es$FWP8C>=WM)6~2**G6Y#^<{dOzm=n1}?fw?XoO#M551R z#fL!-(jLa*Be>ji%=l-5vG@%{e~|OPV~}fW?mFIzXKbEmJe_wBC!p1SV~I}^VRtKy 
zVpQXkMBbM_o00OE`;9L!V(CL0O^&ki@}$}iu7+9VQ$~$Tlc<^@t>a|z@m2qALLIdj zHQIMKV3fiuu&?Jkx%Mn3YCVRy^i?BAgj;IH3WX!Ww^c2&pzvKp&wpq%Hq#*(8O!a6 z%(M@TV!om$opm6hKe!Ra-sDqzpu6zSu!Fx9dY`aHS3_Yi%eWFz{E(x1TIlz-%m12OmbH5g)A z-x{=;xk&E%9I$AEw2)+jxJ>65gO95BpzzD_!D1h%3qsAc82L>JfNuWjEMxKAL@#>5 z;zY&|3C4l~U0+tcBb3!)Z{LiOEsTSy(+%6v1QXZUf5Rm&ZCUT!To6d2wJ8NzJ6YhPuU?_-p2DW{N~j-RU@x3<>@itstfSA>%d+F?jXo)xcMlFlJA6`FcBmiG?H_hJP~+$sW(tSVW&DNZu=I|I zK1U)%ADwO5tTQ>$Gt!FyTEJ$Vf_fyu5<_yCw;UBP)cm_1FQjYM}()12Vb z?_%zI`P2G~(imW%%cK_sgzg99anZG%TpDWO0>1{?-(HlivG6Uba}`F@<+28!jgWXsvoM>N^e*Y$`0=c&=vsot(D%iAXGB5+xYVU z2U5V%Dx)K545AQ9<=tA00%`(w@4Qe(V0L5KIBnt)M1*Cw*AYU7I>3PfY(qe8z+^>0 zO{9cBQlGU6Pgg2>{#_jqL(BMdxC2nMVCOCltRQ-RPKN^$r!wXq^$%bMp$s!L>A~Qlij+t6qFAiwYEaP|Pum#b!}&7!=3wkVIw@7Ay@U|r-Ab9NJJ zI459Tlw%VM=u)H{q8FVzWSK z@o^y9gfc}>-*L)es!E5RcOv;dqUSf9a-d%X=r*DkeR0Zx?)wFEANvrf`nyvOP=$@x zZgn6|79YSQDD>>QDwK22_)xHHy0PR3POU8g>L7Y04yKhe_sNei z3TQtey1$syesM2}l@i@wT1xauMA7|VLd$PD=|GCENM+2O|4*(!ak*sxC#7OS{RN;a z5$Z1`bW$-~U+NR_hfzCEa zsKy1_!(Cj~IcVAqIFaq_;`B6aXF$I*73gl$y?Ws_?c%gA+r#bS)raMmS5%SdbGt(ap@&Z~rF-f|U0qm^xp|MhhKG zk+MUgiJ(0CAx5$Hl5T~sJ1&#CjK7&$oZ~Vr?&46?0WMU)5iHTJzrv@G3+us8Fe>5d zNzH@SZpe%93jrayYUBtp!lh`Li(PZX2$yhVE=7rvO%R^qLCHlTd&8;54VexUd)kUn z0D{MlaQwxAYOFwE^M-RVn$Z2_M(ybY<5KjFH6TTYhp5LE85{d^cFf$r`T(Q2hl`_X zKL>g(((%kSrmSmi2X<-Qkzhe#O01t1^=80&?mY~RzyWmw<_&o<)^0(l@Tu_ds&fy8 zZ-KUkvw7ECB@q_38$}y=CA?>RR9y1Za7Ene_cZe!mgw_@s&jL~j>0EGltT2PuiG3bE>|tIAfhj{aP7Vn`s!5l$6SPdpVWcoOW3G7 z#kKYH%zt5|dQm9LjHIL&z0n2}^vi89LGc@9@7OZ2dJWy69&|7`< zD1ejl3F-%J==)BBLTCBYO<$Z@Tgph_Yv zPjH7M#UORXcOc0N*s+!|4%~4gQ-L({mbvw=jTI~FRDn` zxHZ)QhaO!A5-jj?NhBKDpil;g0Bu6HC#qGHLEakXp7&=A06pej{tt}ezlBdUt->gl z!>$&0{O^A?E#sGP&HsWMZM z6RVS0$GV7hY&Nlu%_7#ZIm9|Pk66bRkYNroYz!vD#<<9^G1+9;m@G1EOb!_~CXWmo zQ&8U z!uP=L`1!{eX$9qM=Cw3OzQB>yNK8_xQh=)HTLT zIfWtn=P{z^ztY6%an*aKdVUMh?8?U&d3IFfZp+ixa;n({ur%zu~n z=#jr%u=Ur=4=8%kkmC--*I6$%?7O6&aZk*F$l~KUw##NF3v#3z71<8cj>x-|1t7Gf zzH^MZ7k!u%65~lr)5iY=oo8p&eCgWk&?rUAul^@SvbqqX&^q4fi4tV=x|Znq?cei0 
zul*|=V!RDFvU|qhiWNTnNugwR2MGxK;?@A&7wqSWPF85=$@fbG`k3N?{&UQK5^Vt&`O9LQ=x+P7`GDlVXCbb*o^$zd zl<1Y#a^}AGPoONmK8o7b1z2Oe!ABRY^ha3O5&y0F$VwELxsg!+%ZgrD@7XKU|6KCr z$KOjXh$e)P-+M$609{R)X}4sGU5BXkSNU9X-MpSA|Y@*0_u+2=Be z7GBNP2dpE>%pHW5R1vk&w#5IE@v+r`h*nbN_iQHmGlJ${DSPWG77)$b_YGt8!8t_pzg#kVZ)S;gNQpMFp;Dp0t7KfvpHvl0EobiXKVno< z@{*#N#TwM5-?vSs)~d59^F(E)e~F?^s-n?*1>bti2Qt9wV$bp~vijH=z8+@p%_Q1_ zRm{B=c04{5e|it|5va%rXik}JZ182-5K-$h<4r_+=G$f@d^lRpJzJ<}fy6w2%(+rw~ z&pTgATQ~;9kicw~Nvs7`i)<)#8y{37*ABjzfnyFtUiDGKm)oX4>GVV+9U^Iy)s3ml zUHf~CWTAo6!9Rnk5SsV4?FkmpZO1`ZGx2ivxBiBa&s&Mb=T;@LlJ9px{>QI{<>5!jT%{j*U zEhMtn6j;8DXA!!a&^=_k!Nr!#WEP^?^Gq|w+ei3Lp9ObU3GL$KI_9?j4x_lpY2=8> z{!YD#QGjiT{jrBJuFyXDO#-l-GHaBDjga5=@=PxekeQ7a;c5$rcHKJ8aOp(JMP}~e zT8E;AcIE-u4GY!hK`6waFj*0OC)8)LP(n{VouOzC?aAWwsz5Fzh#^Qm5L9r zQZc7f%xM*Kj)^(@#hmZOoNwC244Wk8G{&}oXmBE+&C4R%f-FL}7`L8gtVDaDSkX#~ z3EkoobD|1YTE8(|rx^=q^Kyu`AcxQ`VosOQeF};Sh_;{rirS1OvnY>f3-X}IFupg7 zvWd1J8;TAX8_XgX(H6L%Xt(hXvxxIB3`N_F-$T*eU~{KiOnaS@yGzOa#!yc&CO;rQ zU>Z)^eY{6RFZ%N#2U>-h`?tTvNS-n^z&854v$3fDqKC2Abs!y>bNb04KBs(2pZG0C z%FH=Z8f`URIR%_yAYmK5vvEap$LLI(7&(CuiVfha8s>NH!Q{m1lOP=xzZCsld=78= zEyMy;W&-{({n0}X6uOzr?k3~3Q2h+?fhZAr##!gbXBgxZGeeSy)z9%=)~e8h<1}A= zCDHCQ#%aEICDCjK$!&Y)nlDWCqH}I)P?$#Qj%E{~jYOj6f{bzvqCq_%knJrbr2({# z|G!lXZFE-hdU741->edt`=Q@p6yx%gR*@!`68$sNr}iKVN!bdp3C$-B))XnrICF+E zd9qyIF**~6ZqX`SrGTXPY$fNIS3bVw3}fY!FNgf!uju*r?sp)0l0w@d=*I;0v;b(M zJVhINaOGvbDmh%7G0dbjF4DQ1tCH%0f`I;_%~U(1Z*y+2TcPb>W=TCdZ zfwaf4y3tm5#70|<@r?-NSLldW zxYDhbAQsT4&M48tmB!Y`?MSA6Y;5hZbH26afP-IWL5vcj7kzfXfz+r~rv5bJY!74R zZ2h$tHAkmocv)!DMYg8lj_I z0rBq%GMi-@zcdS7gpSTRUs%$RU>dK3jxJWbC&M4qowdSwwEn+>Ocx9`hBv@zry2f~ z{yRYZIYiGNasUi61@r7kUPflx3qfwV=+rLPxHii?W|P$t8#Db~Sg0R_{Fv~M1T)SJ zgx=dAkjFE2S$zZ{xpM=PC4{ai)zixx=4n38e(I1(n8=?dG*3bd9V{N(<%kAlLCWCzAIu+;;`^ zPgeHc@5}H1(9X<2EaCs*R2tAf@8W`fUqV|ZpL|y@6$09V$2?IodkZ=F9?{djLtvWz zoQrxV-;=eHw1D>c>%5EN-?xz2n=_%%70^CkbxEOz8HMK6yC-7<~J$dro0QDCKG(QPw;TZwyFXPQ(Q8IfIA>Q_iK144}CEgx02=lIr6rvaQ 
zCEl~~7DB&2`3}+3HkvIAR|d4@OL!Z+?eG+TE1q`oJ9F2b02&aBbm0!S_vMnhq}4C zKZDHPOo(1eeDnagBq_8D$R^3I-?W>Id_3Pv={|mIoIbdlK;il~IQv?Fg%W-Kb%@i{ zECR+|dkd$jg);(r=sH88XN`ASE+VRhmBzJgy+q}awMp0$B`oS)Ketan`*|f%r8*RE zxro?kjOazH_BxR9Qrp#t4er0q??2JT7;QD~;G3c5w?(3huzFgE34GJu#5qa0EodRS z`%ilvh_*~8bh~l)>8ouwdj$H zglz#@jO&R$PVjzR+2&iKU`FVc_BgBapmpbLy)Tyrv!)w|%+i65OG>wzr4h&F zANu%<1gq&!^mLb#-y(QPX%_f{n5Me`B#z%Yfw})@`FU9Ql3v7m{%-U6+k$w)G~GF|s$@?+Y%} z$ZPpuW8%65BTK;;=jrh4A&D7}f01AfRuq`Ii_m@Y3V^pQUIsX~z;fo^_ZtYVzc9z| zZ3$m1FHW$L2rcU87Y-A;KQQx@F&L_hzh5%5c~paK81m6aFriZs(fpVDZA>7#d*p62 zSL2n=ybnrNLiZVoh#e8SzX2g*S>g)6BL{P@eFc`JYswX4RYtU;F~7eu@?+H^0g2VQ zTvt#VEB&6seowQp6!h4Kr7TEj>63Cy2Xbi6WrUyr=vWI$+0{|8`ep&4!qjk@qE~Q! zs?d}1Z)CPXRuk6n^kBA04dY+uyR$#i9J=eF{Cx+!L3AAkb%2jqM&2tyIC~ z;@mwl{Z2hQWS))gh&zKrOjKY{< z{7oQ!yI1=4jdrAU4C&1!h|Khu3pjG%6vY#DP3JZ`=AXJKJt3_ODxSI0;-kV`>9e5X z;Q`*W0p3J1w!r3$NXW~NG7y}R!e&&s3pF0-gYf(2 zXWf*tRlT#*9{sb&^syU|{%#d&{Jsyu-=3XU=|6Q}n3Bztb&o?3?KAs)NW=8+Iw{Q< zPFyet5fS@5&+$V_%!k>`!~3ER)@Eab_nvHEzI>Xy-5-2`#anUIIh#+%^cY^@Q3@jE z9)y>9SYug3FET^#e9WG~sIa*veW2_Ar$TkV%~a^e)8|zv>r)pnfA)W>(BDt}UsmY8 zb1QUb7p1+nB_48z_rjGL6%Y}>eGY<|pZv({7G`y;J&c%~IpTqTy8xRfX>)leuinou zsGiTRo~LGJdcgl}{oXTd8!%SCnd#TL%H@TY=!l5p83{Jt;5db^b=vb5+Vj>JVa&+} zrg@6jY0&xCtg%6MoeI+R9hU;29dFoLRS*qXuDE$Z-)S~#`XMhOgFkr|UhL4=ST@fr zK2wLxu-*BI3z&0GogKDw>fpEQ;H^n_w%eb%5m`2mu_+@8KXHNS<`Dj2toh;!{^d6p zRM3kW5A>}`lTJ!|iQ@%kLWqbzdzMeGdFE<14!WWMHiT=}ggm3>XwFefVxduUc=4~b zxWIH|hzsU&XkjD;kD9;d$FNM6iW}H)p&z+l1SO6LCy8-8@$*!95w6iz5B@5(I+;B187=bb%l#bE^12)a^^oqVgNRhJYqBsI#QPlXy@2#adqrGL|du_Sm2( z`>O9w7nl`z!k45n&LoFRb}W)=YcFQtiJ8q2CsEj3GCV@!E2SN5-pFy^}^b#?~d zb)lmq*3;gMuaM=6Gn!52N7xGyjdk|$dHJ4l@+V5)w5>|nuCn|i4v|{OPlB}^+-iP$ zoYM3meuSthPG2&_#IQW)rRH)N=Q-I_4httbVl$)6o&*=e?I0prPx1W%nN=rj zW@Lc9tKB>^8<>wBKfANSi*{B|I{(eq=l(l*Q>xt$$eql^W{!slhSp$0h-&#ywe9 zK*jr{O*e4@gpBcmF?Q#uK1)P|cUUIEIZ9bWo76DIK8D^SK|tlph<)wJAZ zztbPYQ{}!caVW0xd->TpD%?)j&dr#pm{4tfqRjd)q z3d|vIby3M(ULXx9_i)cWM<|sxEz2^mW@VE~s1_bfw5+@=DxlgH6(5;xUibGd%8Fyf 
z)&*IS2j1+W@nsG`Ch(Fp8QoXuVI{LNg`K_@)ZS)^zLxgIdH7?zz3}r!Guz+1*dcsO z<>hhv5ch>QyC~Nw;L8M`4opTwy!CMi;&s9=W4E-4&#i~RrFjC=5k6jndpNG^!gd#! zN%P(H5Cp1lPYn;e=NH*5@bpRu@Ml!MS%;uaoUtB)xHfP)KX9%=M(I`WF=8>3=6|vh zg0rTb;f&v?Rfk@>&?f8|U^|V{Y+vgoz;>{p;`V5sP4rhk#;ZGD>)RYu^0;QpwTP_b zmSTtFql*|pZ8mS)&rN{xXj0o9*0(`h7p#QaXmIVsUYm7YRfbb!jL^5c07p|Yx6TrQ zT3fmub6s3FBBGorGIn`eP;oo79CPRa5%`kn&$t21*m?-`BREn<)D#PzE7IcH)HG9J(1`_7d0VvU?Wry_@5NLhP$TN&Y zwP{y!dmP-Z?{%}XTl9U9ZZ)?;7hn;Ld~k-Dv&Q;f0SA>qDsIQ$n0uQ<`!+&q_)q{W zbwR*Cwo3a>U#<)SF`w-myUrExkDU?wfYmAUHYc_vl=z{}74pxW7kf2vm<2wtF!q-U zveHwLpt0O2tuVIy#0Yk^HF<7;+<94)2C7-dI%9cwisI#}@h!iGfUuX^ozmv5iKLb* zZEgv~mk*>M=Ahf@cJz$iLA3#a_^9lwmxzHTXSNs7?bbnFKP`}{Utd-~De)%YO(@QU z%#ji=axl{$>iV*JN(naY5{Fsj0}G|Z8gBRz)>i;fr9F&{pn@`L0#lTs$oLJ1wdc6& zJyC%lxOl02mkxniJ4G3qNNS$2@oUyZ)!(7PC=G82R9jnpN$UpIOt*eb>jvTw_n49L~u{=(hnQ`7l3wygyfm@e<3 zG?Zwm6U&>N13`eStRhpCJQeqt{kyn-2e(&h_<4`bd_$mJ#-h0*H{-F*^l8T3>&q1n z;J^m!_*y(qrjD(&O%A}tu(MNDqo`_|3vjywWQ-WM%>|~a_`oIc-|U@{OJ(Mi8j(BJ zaj)l&dybgo#f<*3b{UmVtb$;Jx${q)(SX)hs8%fgHDfSUqjc;aU7)7I82)aU+|Die z%$F-f#`0~PDB282cpV4d&{W$&Wb7*ZEw%z=xZ+Ey0;O{4BM|7{3$YulYgMv9aaSY` zYhQ)Q3TR$_N(ABB90mCsHSPq{`aZ0`>$G0+?cx0&)|()e^AiwQs}g%`L(F9_UkXhw zu;OA}Y<}gNWc+R*g2<8xGD@#~*9EBj@=^%&9|c4fBR0?z3J|F*K}KoryWALvl$TL? z_0o*;jU7nkB}>^(S9upQ7FSJ2M(OF43)FC`J98-nfhoTCaOYIqU5QU@0RjMM)uDwK zDhSULdR_I+<8B1Ei`@2TAJ;?QlwwsIuoMEkTi=^Sx5sjkQTh@Oef1HxvFwjt#bN2% zks*62r6>M|Tk#j>)$fR4J^RMd$Bg;o-*b-+Nb{=P_Qy7yDSbBO%D@ViQ2FJ$Oxt#) z?6&>3&Q_+JccC)z!DW0ZvX-pRxGVD|d!1?+BlK(tCNUQHWR(b_Hw0$#YvhwU+mDB) z*dW^X$XA)4oDxA0@84j4(nC3dTj*?067v)3m@lWguvz$^9BJaZxY;kxw;QvP$0&|1I1yHTLgGq*1d>cbxj2BSjJ`o8! 
zaqg=ag6b4{%D9tp2*}uY6abKR?GeE_VT|IWkAEqGxy{+50U5tM@t*cG+7u+eirX** zhWzrtY=COpX#Tz>5Tp>^86Ac2uE2C(3vCLwA49cmXw@mHKLAT|19<0?$dIRQbph*2 zUki&}b*g@n0G3>yi7Ma92PyyQB@jeCzLvmrI}!aGQP@} zV$9Ph@@Bdc{xDEl#tkElk`AF3gUx>S6iIxKw6P5Uli#xD>CAw!H;Lx6SIsl0Mu_;7>ijS*!KW7BzBwfHv{B=-b&*qEUR(g5UU$%a}la)5*Ix-*!d?8DD`*ca}AG$2or+*Ry> zo2nhw#vo&b&=dltVZ2;{(V?@b{F{}T%RMctDGP)dWsi>rT0bgJUdf$iI29HN5ly9U zq0|ORJc}KOKSzfAi z@8ROUt8yI)2mmMpQDJtoD6$vG*yUD@tFK<^qvl`!&_&MJ>YxmLoj|j(E2uuxB&w0pL%m2 zR@JRuW4R>YQ$uoBH$aehZ{;gkoZA2aZAP`!tox5Hs+Uf0;J7ge51!EgfmWxNma`D8 z(sx)j^1t{O>opV6ZK!dt7|sd-f05Dvfl3xa?Pt7w^W|>5UZ)&uCpeb;(Jl)@Q;TeV8xaGPf<1?Bi`5T?wtO%Xd6#S4IIs) z^e;NA*&;*+Z`2_O`F;qK5U5~-z@}HYalfbvN2SfhG~$kr1Tk@Lb5;>s7h(D?l~*i- zAn4DZt3#mOh-!DL_!Kfmz@lt`gipd`DoZ#<+MIV&;Z|RgZl&^^rM<0r1`+voUhy)! z;?I7X!9Q9EL3#qc)cNgL?GlO*h=`vtX_SCkIQdVpoO=XZ61N`#6yD}0j znQiv_qpcvemdaZ=vvGv?jv}2U#hLJwgAEv8<5qhaf&+ z4rj^P$iy!9wFEhq>f-WjV3zRksC%|*#JuLfKXg%*-0Kam5967DD}z^X&8ly>l=G)0 zY$?EATLc=ND96z&u^I zUm7G+^Zb>0u@XdTyolWIW#sE>M*XhhUaiSUa|`9CZdV{u1G#tWuY5_=$CB11Er&13 zPx6R-b3FvaL6g`)COiFG7Y*?5+&DxEc9cn*D9wMJF%PT;(x#DR4OHukXv%D&lv+n> z&WB6pCqh9cMqgxan4nU_SKQpaJAi)*;SUqE`kPLq=K$`;eqq@tu8z%2;bG(fmJjhCO_YnTAv4Q$>#m(mF)VEw9b}ceW z?|6$bGGQ{#gN)MU)h-ZU?h!yN8yTgW8(hE~YMWYE>yR-+DIlr>ks%L$%LSrrh0kJh z{l6c8An2S=R!G{kT{pd>W-aN5 zKc*@3ITl#V*vIRl;w)syZ@p=ss@nYI1NIeyxa4^D$NmZML4%OWQaJ@Ttaf zrGQlAAw%x_FIGzx(^*vR^8f@!M9@3k(xWxp0)+}G^A2u2Upj;D=qtP+K(e_cc zyC{nflX_1Wk8_)W=euYakMoeA;trD~o^b64WQqdyqrz%u{{YDjlO^uLok8KKup2uc z3y^WnfIoZDWxUW?nL^XHHQ_Hr3x5b5@Xgh{zZipiKx1*2YjGsa;i(piB;X z!v&Bb<_zL4X*$d+x+x9$k}Q&p4B>P@T9*tMcM1VRQv~08$UoDo;?vT)#(>@<1oSVc z+116rNS9yI`1Ga+ZR68(DPn?ZGczp3Wd9OR>}EuY{;>>#_=*Cc_2FGpt}&rEP!;mM z=WB~He)QX@P;EZZMQKy0K(MYvWHw*xZbU}nBj!uI@ET}YRW&nHssAI-5G|f<{>O9t zfV_kWDtMcZn*E;X;>?3FVq|AFz#*qEY5sWv$6ET^!~76F6%~AY0y9_(uFT-*Ea_v; zKO};{IxE{WuVSKn$ags8Yg2LimYYEtFn|48=444*93W%og~-aP3j4GqG;(DD4k}LV zcD6F)sC&9E8NHk>kN?=j_F%p^3g>6;t=S6UdH=myrIqfb+6T^AK*<8RE#rzk}m%$Yru zvXS7Z^jB|k0rTf;FXgMD>i$dYcC6D?Bmea4F3>BQp6sx1#4j-l=D6{^cPnCSiyf3g 
zWQfgQnM2puwuernZ*yg|bz054Ut_yV(aNO|JjwNBwE?!v)TdtO`qPC^bWz5oNyw0& zdEEt~SNf8(IJ@@!eKv`?(xzgq=94dUvF!{WWII}3fUE#Ib;Po`f1?NP6WCThVoZmHE&n`%cis~WANHpdsKG{-h+zl<-z`aW7}UvqrAC}UC{yCR_f=(VvT-h0gjqyz>4Shw3D`(AT_ zu>X)&hp?&Q1584AYm)$gTDW&hzyUy$GmE$5fkhd3z&daGG26!0*Ty2I@(AvLs4hGG z764$QfQa0`4gzwS-s#Y?_0C)^-zsbq?_LRkLu&8}HbS#es=vmE06pGC(|rX18j>-O zwYVXPj1gD8#%av+zjAT6S5`JMMz~(Hu_leudG?3unl75&#pVXx7Q_b-K4Ol3w#)XO zzG4vsL}YT}OJ%XEUlO#->@vr^W)IB0zsw9w-hGU#OdCx6Z)04`k4X`*+}2aMWDz%U ziCu1gn`0OIDej`y%rHKz8Y51;>H?uP_kvKv589|UapejK1g$^kUE2Bh&t*$-#I19< zv*@lc-9}}{FChrTyZUNPnJ;5sTW|BabUXw>`a#MT+)U0@9e4 zz(bHj^B$PRSihSY>+IjXxHvitt+!1-ygX>z!-G}-_uBL|FfO+}xBktio8JP=vn@`wuT35?=v^#k{^Y+l#~jDnI=oXQKKvg}{wreAxP| zDFlWg`k}QmxccU^!fbE#{`YH(HnDm+1YRleGys6NV#q@KLNL()Y^-F+OFZ-d1Zxv} zVh@p^;>`y~0VoA!0L1R*vA?)K1M93k$XU@l=h?<4CCFHKxrz^%{~DN)3bb!oV-RkQ z^^LC(Zj3pRvBF_a=GSwreNt4`7eZjY#dF#HAOzMm?DJjg?6ux%YFuZnbuE>vS;DL+ zt>IWR7vlRZpLgcq_k6Dys!`95E_|(_DFT|*u{NO?e^rKlXxv@BO z87Fj~;B8XF>rB4+(97ruF1maf1hM|e5ZAN(bPFP!wFLlyadgUN7f_ATr~mE(<`3(- zXkZ;Qiqy91Vhs+s#LQFM{=n!`kik?dzuZMSB-9U+#TE z>&?1uww;2~jQz(7!TeWqZ@Mts8D3&*M^8a>5-UR=31SV_olJNrezuG1KjvsRT%e&9 z=1$0s(uJE`=Ny@*H+EC%JB-LkwsXoR;L3<2dCu#*Debe(`u^gR;B=QHsdGD&)UnkxN>ilr|+(WUPD0I5&@&2CI<&PIxA&7aWL*SiU`zR8kaL3<0W5 z*?UcZPT5wKNXD{hNK94{GU8QZEO)T%1bz%oB$DSjUc1EST!bi*h7J8l)EDw6VDjYb1WNh zY=Xvl5IlwScfERN*2Sbh%=zNizlV1K3C$z@uE*f9fA7m!}+ayRZ3#C%ew)2+5h4JX4<8ai zCK$IOtg{$2za@f<;coNg9#)QXC8Rn_VZB3mh6x&THkJ1WXg-aYjZbvZcOohFys1yUrtg}iOj7u^2I1D3ff+Qv zbYAc2(ekzhV@2w0Jm6w&7L|VLX@HzD#o4?^Uh${PTH zfHbiQk=GP%EJfCFpl^g{C~h^gN8q56gKB3eIlZ8;2oF+_etHh)Dw*_!jOP`FW8398 zrXfRa{hJHi$rYP4#jO@LvK2aQHUw>=HwJ+d8R9MVTyeDY?Z0t|!f$#la-W<9fl5lB zdw{E#1>*JnftDR0e_&J82vN4h_;*VacZYn3gMLeTjI}a6e_JF>9_K4XXbfjPTFkM{ z>iYvk9x6lRKDSElE>=ld86pw4%FmB9#fykfB~``jxd0LVTa3s^N{e%5Wf$5lA}u}y2eGa!ggMMi1Uf4M+4<5P~9Lw{%E39uZtqi32L zoa_q_?K_Lg9`2U?KocWq$}BdOn0Vj};x=T61%Kl-ci9y7BRl_k*1|h51A;dIi0AlP znuAJ?%=)*TZTmQ=xK}M#+*API;T(N|lH+Jxptv2@!7zDrJ6je*9`&$!_XsO5!%0&46EY?^!^S9=`R|t) 
z|Jjc8REfFdH(fOSLJy@x9M72Dy-vM@D?4ZD&3(%3$N$rb&&sIzXdIV?k- z^I`^bim^!0U=qt9fD0>e_MhYfXm6$DgM zs(8jcuPS87MK8Jl%MxX7`+sATFqSoy=S;V?|2!&g$4B`6M-}Awv>8OPD!UGbe8r0{ zyT(+$aXREZ%)Y}%RAaWFLBY($f*BQ##()lRmF&pcr7Lr4CLQ;tBy1@I9Y`D2QGtv4cf ziwjU0R6!6hf=U;ughMJL{;kr)trhbRM*{2aFqYrw4A2jx)!$~C3{~9bO9sfaE-Jh4 zf*?%l^N{f>huU0k*0oa_(7Uti`^DVxw^^W9%Wl$HC5MGc{UBt#S|tErM%pP2lX?Xi zug+rcW%m0}WV||uy%*c>!;$f7l)ZcH_fg1rbs>9q+wVbSy!tSE2kn$L>B~6^b$9W~ zD_H%E*iK};&B9cC%A|i5Z7oec^k4qj?r+yL2*P@EB<-PWivRNdi>CNOY@d+Toj1R4 zskT)h&Ql*skHTFvFeOOxuf89Gskl3!|KP1eWbnqh5NJ1=zg0wFO-4j~W-bJJNx#@= zz4HMn@df9%#jfLAIlby%H{Sw*G%a~tnlAo$$HlfWRBThtfwF3Eoth@82pl?6aQ>+4El*3&IEy$lDyABrav~ozfdzYD29jGNLbw z00}=N0HD`KKzg14z*G7Tuip8P)G%8BApLVDF?8M^%R`2kpJ^R3#G%J2wI0wr=f!@p zs{5Ka0NT$HS+;Q1NdU?Km4AB|;{$6K0=>2lq)#wupi|Q(OOMMuyT#gEy>pS&fZ0%Y zF4Qj9JAG0^1AnX4>eH=!lNOtgohk3H_Tyd15Z|yL=cPB;sa`sps^M%Za*R@IH(PJf z?0>NePG|L_$!FV7t**?a@~PS9)^Jh}rSZi%LK?A$W&MFxg2>ypRPr%PX-hs--pXDK z-9}8dWgbJ{3C;*HmK*6W6mtnff1!X+WiGVO%d zC!ggq+=Mx-tdUf%=GD6n)TG+P^-&0%F*hRO&^cUvJuiL#sxF#}R3ZJ42QOE0%+D$J z{GVewHZbb^jyvl@1@wy#cLO>gMXS5m?9f}!%#OLOXJ&_HKh7hf|2_y_a%%nb?OrSny$=FwP*gz1 z;=F1fHJ^y{JeG18KylMO++aS@L+Lvce*)R2dtDcmrX_JJcZ6l5?Kb?61AsR1yLk{e zwLZ<|Zc1srHKw`T?a3Uu3a%jHIt!(?clR4Ibsl68#=!L|JMW$em|qS`lG_mE8g~|8T@Sxreuc z6&HTGw?Gx&Oy&F<8`U3%jpf6fRE|X;;4RD=5+)mL?25-Z+5&4EFDpzob6^f(E5adf zm^{jbOgz;SCL6e%DKsKsClWs6u;4gU5+;vw+zR0s!m(m*28=@}eJ`6TwToe*jo-SW zKe&K-|I#j+-T=;wjy6JHRtI8NnN_WnzVpXl3xLYeNf4MPPg9ysc2jEJ-fCxqjNGpe zQ5r3&w)#dR$jFrrQ(Da_#JowI1I#1K+`ai`o5oQ}Ezz9OMrkNd2JOhJ6W z%s)lxdcB)!&E^_5Vez4KxZ6fZoA|3PYCd^MxFV_Y5*JBRxpw7<|G3k}vi#o^67i2_ zR<8~k zv}iIuj*QZepLGHJ5x1|K2!S;a8KtlN&Mv-=1-RzwCD~f;FU>2yvfXpET7BbnLxFaf zrmQqFN{!#S0RD!`<0sn3DBQlB!&tkgA*1w>-?=~-H%gn6L1}X%YD~M){Nx;I^Jn44 zw7X({at>-d;zsjZ=AcH?9SJv@Zq#_t&Gla@AgHQl{CwSo{QTHSXH-7fSf(;u{KIjZ zi|;)$U-fnNrH{;!Axg_^XDGH<>PwpW!x#ZZwPN9PTbETO_X0#_a#U!J>%mWPzvNdm z=IQz_8eV68%MZO(qx7BUUBDc46(juvf(ne%z^sg)ikm7R2xQcxXGR^f&Hj&c(e(lU z5l!KjHMdnkwqFFydHVWo5^<5OL)w}Z^9uUpLrmtldGL~l@GT&aucDrwo 
zQTovRY@h=82$erjAuuP@cTq0sH%;u#(|r9Z5u_jDra#mA^xh;xM4OTS^H{4d86OR# zb;*=3xhBum(4zH2G+8nwo5oz$5hQe^e92VrM>&W#$47%$YgDLW;lB5zO-@PLl-J+C zGu9u`#zaz+^^Q`_ZSB`PN@EURQtxCxErmN%(x&Xjy-sPf?hy&wwUV)Lf zNC6^c1(t;jIm&Z!AUv)B;oDMV+#p2ma3eCp&xFXvy-s9I5st=JP6uR+ljCCbNBTiG z^6ywAk}*!}2yT=%{agR8UQ?va$@`K55I~~|=az!{dPzU!(42UO<%-{NjbOFKcf_Ac zNn7M+?uNh^L-h_}$!D?~P-4L*3 zyIF9YF@&im(Q!8fLMrkOx8L8plzYV8JQV^R|s4uh)PgRBH46%T^7zx(fp#R5Tw?O%V|hz zH%zUZjL3s-gsseV4#!KQa-XRXScj?*ZmpR~^G{FV>ef9hL2i6B(4ddf{K1pYhW2Nn zeWI?}G~dO8Yd=GVnC0U}-#hi5td&<*qNg~T^a#1eCVkr&fmvIVN=5rst)d)=Zi+Fj zKAKY%@9gt%cq%fAp8FyjRN@o32jSL9RJPdO@{}(bzYS>l$Pn-OA{(H>gGSEpIK=*@ zJU8S0^IbsN?2LTUq3@Ndx&Fu$gilSalr{}S_%z)1u>5&?cfui1fW3sBjy? zMPFAzK;=g#Lr~2~kv$ZBpVkM8FTrQDi*ffrp;?=k;MDYg7;E}0+Nc+GH4xv)AUr0vu5dXM=izm^SoIPlUV zEd5L#e$%<(_t-CPM3zBwDob<)BK2<5R;*YCS)2*%M39s_amZ;+;@RBE%UR}TS()G1 zK-zArfXC%ziXi2AIFx7Q^1$|<-avP6fj`(ma7`A%*6I+jEql+}W?u}!gMVb3&M=ka z*G;p%wyF4D5H`3ux;SSV1m@%XLg;6R+z-O+E9*m~-wSLkgNtB0E*pQ2^0R%`W#3dz zk~U={e2SCj0SzsTGB*l4t>e+F^JzT*(;35ni0GKc=AUW|-5Dk`0jt}U$XIq6hqAk6 zBAPgglPNW%76~1c8c+)-u-W zjE*V7?dcmn1|SMmLmbjg>2zd_*jNNXbU-!DZyyW6S?iS3lM%^Fq4mfJ2`JGLJ7%m9 z7 z<@$cLZiLI7P31Yg5K*bA+}LxHFKJ8_wz!-Cu*GQJ!94+9j!16lR0zlbz0<9IrFS~D z&)J~U9jvn4CH21NT)K?v^*`?oD} z;ZF;zFD;v+Ju5wkz8}W_wtf}z{lKamUU!~HW@9#;j7ZTc zw%gS1SrZ&wt(#e+gopcZQg>|_f~Mf$YA3gzor-WrMzhw#_2Kj$L3#``Q3s#IC&Rca zu&bLR6XWkHh@$8Rg~dN1{TdL&N6-fIpOjL5%fc})f`v!WT3b_aJ@?T{RzNC$f%vqz zI*f-Zh)e}2(W2#q@gcMp;ZM<8>r;eh0xK_!2PueTG4@0Z$5>Go?18Kcqeg>OW*Kicc>f!)qhyK77_7{$q?uzFm?sY$q*x-+ln75K8$ddwWD_~ zS0XZa>J$i?%7a{(-=H&LJ_p2H@ntHA&nQ&~ueeZpRka*Iuw zM9LB^vA&a=%EkioeoARmS&%a@TPh*Y?;aK!s-+Zi=|kKTsx$FrzBX@bq1LYhJb60BWO zT7w5qP`RCVdK9IUjnrDkp(OTbMTp3Mn0&UW{0jJIRQ{glvM1Jx^!&M#AOPlv-25be z5__p(y=qS2RugwmhM*FWs)DoqQSM$nf&s)Yzg3To2s9!e|CkJ>0jYmq(@XxAYkzc}ffc9W6j!jo*1 z%`(65rqpK}`?7}0^^?vFIKrpTYvYw9;=#N0?|S0<92j|+9A5{`r}#uEY90@PN@@#` z5h_Ohl-7syT6jFKmqs9{oP@~W)ojQ0r?h#9$X$`M zRVB-E612`mWobO$*u7L9!JmrmCvdHl5VoXE-H8@$VERb_K%zzKuTzKA 
zunGX6(_C#i+o1FV^;G^x2!f~=;nr&OG?o83mU}nML2KjR#kJ|Gk?%Az##&E~;|wu( zHT~fz#;sU>gsntN?53z&+O!QB^5-L5ApRpoM((!XaAk{DB!zZ8=}Vf6**HFfj2R-Z z7%Rv)vbBZWvoEJw|DJg6lpaxW8yn+W0}z<~Pg7c*zV@`e{9m33fiKAjvo<8Y%mHHg zh{&%nULnzSM z)&!LhO0;Qxd@b>nULb`ICJx7PqC#L+LsDw+I{;wM*wpv7;-HcfAVH;!CIf7Kg?vZDKXwF~f=Y-VArA`TPVTGh{gGU8b7_A>#B7yqSWfL5Yo3%? zBmls20k#K~b1;>u>>6W3kwhJ{&ESeI$}8KDjLGa_Y(p}ZW4o_v8ViB7kEQgr@V)Cp z#yQ%FZJe@@k6I5RQdYo-!tr>W*P$IF3kM;B+#w&0I;v6QekT$>@?R-69OKvc0cWB` zYUpMhg5E);h7(+`XLHAWluy7`ICm8V_0r=X^Ba^#H}W4_)L4b|M*09JKfq1>w5gQO7;|9^~sBy0|oHfo(s+=rxbcMe=cAIMaQ+bgexK|TR z8Kh!r9_`|1B3Gl@oiwRpik@j|$YW{xHZ?feFEIbmO=)6}HlQMLSnKag+8Ej)({lI@ zbIpeJ$-p&Di9Hg&sfSYQUPQ#Z8LLKAWl-Aep)`oY&M3mA5uZ3T% z1*A>myn*-~*SP&VrG{%+$m(fcxCkRvohM zfi$JSb`tXckPOPX6V6%2MuV~!aJ3c46Yc+BY2eCI2-ccP`=tQJCXeF%vXg5HbA!Ha zTZY4*R!%~C>C!M;UN;~jKQaDn;Ze_Q^V)ef&a5~s%qW+~Otn#JWg}zo#4tDVgF#%I zgXg;u9y~nE*$i9w(n}SVsQ{%wTEEn=hYd!r;+rveU>JhQ{?b8Vwms%wGaiDKVZJF} zd+zE-WTZ-Nr1EseisB(=1uJ#8zvw#z!OFf!&u>N$0P7Ki2X8?T;Gz!@1lD|n2fu>2 z8*uz36K)fGv_Ag%aD{WDU>#~mYS{?Ok0CbjgI^4DrX$YY^b(+5Ps&-V%ga=fKOaF5 zCZiNyh0n%7P=SXk=6fe8wLb9A%UPL)=jHS^G}U`(%tT0WQuyrQNRa$;kV+nOBV!&4 z&=2b5Fj)bSzm*NhsxeGh+~&6S^TPrEw=8hM7zpCE*R&)2ZPYQ#oNe)4nU#{RI7ulH z>nk8ATQlOt3dWKIaMx5sis(29D)Cl?ExJR(>i_^a#rBN(dy0|qDw|?v`CKMFH=)8K z+C(IL&H5(Mq7@US1=dH1$i_H( zhvYTgkl*1X5${N~YeVMfUCL$Cdr<+vnnTL?|r(97~>{^@cBp5g0fSQ+d?M8qo@ zdw}aaRBjz@o7IS}00cPVMnqn~KGpB?0`gQm3jiG9;#B(06K7!$@d+xwKAN+{6URXi zUU!z#$p0#1pFdInV*QZ*$U=aOF~!;y(X!d*wmJN0^!YN*Cl?^hN_&jIjrSltrT`g> z>JUbdjCW(?CTkc)!Keh0@e2_~1;{|f$bW2cA7r2sqg)yx9G*V2B%*Yf1k?d=G+KJ81ILpv!A#78M0_OFZY`L4g!c1vR4^QF?+ z_h*3!BBiecAuvxzMBqzSr_%f7ERdeNIqM8%dsWC7pr|BY4Z%y~6jL3QeuQNAJ$lLVCBXRq5T5c5{7L?{;W8dUuwzE@jO4 znP8O#;>#5kyy}SE66WYYv0;oSxub2jXOEt8SY944ST6QkAzZmf|Gr00Wm!<~9cmJoZ5{gyR{+KXXUGB46R1^ zdp?4U3Df^%qb*T+Sqb+=fLqOJi)}5ui)>w<7;yo}5!=(hFSo(-&umzI5$>5y<;!o% zTo&vb&h~KkQA+t8->kX(&dWafQgIu1MMz4O8@UiWcwIRcK#Qq-d<5H_ioPFX`;3~5 z$g*ON*nxTHXfh(DM~1Pj=^)o3qjGWt1e~MJMMQjm6a;!*4p@05TL+{xHH@oF+`P)Z 
zAXvxRLQ4OeXRwbSV1`HWpy!6cGfG(LpHWI9Rc8dR|JS?+BI4RH95<*5IC}Yxv)l&f zGBRvPFXv(YR}ZD;`$s5^3bW0x53p`NV~}NrexOt(BW`DzZV0TIHAVkk=yO8F`^|fQ zV3fBYjJI(N1;*u)5X^Tt0QUjv=TH@WxWH63l6A~Xcc957L`!G!QT^v_Fk_Wx)w=*H z+>O|(-qk~CTPiLkw(ukO5Es!sZK<-@%P^_BQ?~U6au%%7(OqThpAA&G$t|)BRMC9M5 z<#8yO9%Ph$wUXPlyw+_S*}{PSf!BA~>c=}W%g-$~iTqsIS@J&KSYGNdZG`Y;%WY?r52c_g9<$=%G}vh3{N!{XN{rNq$-8=1W{YnlINkSGWK&-q`B^ zAU&5K>WKH)F?TKIF-aDqX3o^6v8V)%-HeR4I~)L*wHpE0VE%0yBWQyQS?tq@yuFjj zyk*sJ5i-Fnk;J+)3jis!6YE_L0PtGC*p9U<+nUsw`Jj^g zeYZm}wK7Z=DBeVyc3D(F_((M}O5q9@FdMrmJ(s5rljTZ5g|R?Es=rlpXE@RJTN!)1 zKq*lDCpEDm(H6Vf*XE;C{%Cl{E+#AmzYgOWN$Y{fF6nvtlB` zU$Z&YO63=Cg}^!*#tRg$x#1wA44FDDS$@{oE}h@aq(5IHD7TYSTU__)4< zOXE5CGgg}qJ1MpL+BLhZi_$=IP;q-%?bcd8M9S@4NjYQ#=+?LA;BxL{JU58>HwOD2 zvZq(LNGvWL$q2y=wk#qrjPn!~-v!V0n&3=RIvL>}^PX>b|KuQ}^t(q~zRYMa$_RFlk&yx-;NBO$lmX#dWu5W0G^+!f&83%keziOv6UN78+jA=s5 zh4f~J^*O?yTP=2AM2OuQuMdZz!m@+c!_Df!GIQCPJ>JebO8(lO+iL!D8Y?4KjtuhS_L9<|J%;a1>a#r2IsRf1WP5? zRV033GjF7s`kGSJzZc=GuoV2t`hlxit?Dje+v$gP)t4 zd+ciW^>5R%^b^8*>!6)>DnG*y^0Mc9%|=`8$b*b>g#6_NvCNY9aX%yT3v76ZmT`O( z9y?5F^%>2y4EWMHPJ{-FC48sRM#o3zONql=Lu8zgNNU64^$rjlu6GR4uG2g6wV&%9 zMX`Ji)xwXjNKJuiFGI%QoL?^58J(!7tzsF+Zf(5{J9 z4t7#{oBtIdDg8CmE9=x-HFhrW)#n2 zRQo>Vn^&hmr$W}ncG%1A(C8wXdn2VCd%s&T7mJEndgDYFh!{52e!>JYzNV9q$Qn64 zVX%YY=t!Xn`H|`bL>|c5>wY4@LbVjo7aU0{D zbaHxM?PRxf1ZxX4%VMev7`;O%{B}eNorkFQRcg5%AI7-Jt05!&He3g}#t7MB{WU3o zh~6kh^szvSUqc8nYTt+GJ1o}FiI}$Sii4=e>wlE&o4G@n1eYteq`iez>2OhA`)kiV^=-iA7vMAo7J`i+ z>jHCP^;9&JbJDv<#iZlLD3yUuKWi#W!DBW@sRbb320qTd^ zU|_a)!7t$Q_EuU=f98$WC@vTX&EV~tKr35!nvf5H0|5E`HVyzQD}ug(hUdwfF7p96 zGKs43(*Q(nTZB#%74D#d9`Hgm%}otD{7AWWa>X8lhJ81 z@l2q!Xg}*EU=UT!{^0ry79n^%f$e(s>o(o-3+;Jt(d=AMqgBBJpkz23T5gY900M~W@*{6r5sSR zAW1g3B4i6BNx44cBXtSw098Ptsrp6}&p{vKZt)~TUaJLoOBW%jw;5fZRs!h-MYQ?Z zRP~}|C8#FW03u`yD@+NTUEqW(tY(I*O21doeuz|`7nZcifet&e$K-eZia`;z5zjv< z(_paol&4OjZLPHvsC!k(9M2`g0EGR7LBh(h+h!@~wC0SM6F4SZ(eVZVOU{<;tPlA{ zAm(7t|6`<>@rW5`x`=HY{*{>q;W$x;5YJzV?MxANbj-N|(H^eVorI(wr;52}*%fcRQ@}RQ 
zLq0DZn-TQoNJ)omDn8EaE1FLb0Dv3_iwmwbUn6b+5Q`@M9?z}pAYt@?Xt3)rFj$n< zNd=w4Gdc+g8Tb1N>3p-qp?W(vAko^a@BbWDH|vR6^`Qc`>A3CcO~-+QFLN5Ws7bJN zm+vt+JI@cLB1i%W+6M)PO6fFB^3KQ{3Q;BSmJ!Sk#CwN%qfZGOSwQve&mLurXV3{k zDq=fgP;V5Veyj}!Iu~R?t`izriZM^5j3yG;ttrr)QV0W0>Ud~)P7lArZ3UW|s2D@> zT&063s1TwoX8h3A%3+A+c_A9_&NxJ-#Addn@tzA*d&Ud0Cz^c=BZ1vkUL>$}LGB&q z)FN<^T{J3m_zs-=n_bvE@8zyuKOZgv7+CCGz~kPGb&VI9!836<<-Efl6(QG3?WHFA zklT9&{3L3htQbXw!$nX@2_-tzh9N$7J*9)L$QlKmhb7-avo?#l?=lG0?~-6BG;28G z5eLx$A1cRg8>*N!oOXNI-=d(F2-!M5Rz7^FdJdYkP6c({Vdf8qt-J9rSoFfEVG25) z1VijHwp>fg7!n%;Xc1C;5g|mTLfi=X#2HtlxkT;E&o{_Axj=+w@X7fuFq87k)R6<1 z!~RZ&`ce^SW&UPp@Q>X{Mb(X7sAHxWXtXOm3q(mvyjJ82ntf4xxzku}iZe}5yLj_ZvI+xvzZTE%iY8^&-<oM9( z2n$Z0Azu!b1mD?D2>FIhbsGbk8*DzdyCT+g*TO#f@iDOrMGIX}dT!?e9+HIhUFttn z*IoM~@I)_+r=_}QnA7EMh&rKJezT0efJWKY8$=*)>=YGKEda89gbShhJ`q<^-E(aS z?caz+1+}A)FPAyLGDlW*gxtEN7i9yblrhQD`c7QhM2Oy&tLCOdzFbc2tG78cDVen# zlFgPNOYa`eUf>GV4})a05;(8D4pG4!H;6zfY5xgZL`L6Vau+3@UtgDjPYj`ha3$3p z3&=$q#@57tfTpKc)CH#4dian02GEhHcMc`B%C8AQUsKUteVXBJ|JWI7e7=oYHFNgn zX_vfz83R5&Boj1fLy;ACWSYTNAzV9iHYth^6oLF-iWz+B9|Dl?iEJnW?4Of)mM(kP z1(>P4;9(nG(JtL6oltTW8iMFgBtt#{5YOTvHiWQQ3Lka>XqImk0RZ@=c0&AVKT%9i z?OqsoW%vhwVO{iXGZNVW3`g=-@FU%SmJYnZ|*<{b`y!g{2lVKMuS+VuTWd5(f` zL<(=QeuYl^$uC*E&|XV`CO_dJ7x3?D z$amK@t73hAFGx07XP}u+Usce@scb5}j&iCi$qj*IW0C_9<+Tj`DZKKkYs9Ow_IA5( z?Pl}`&9d|h?8tQjcX68HyPy<0O*|WInJ?8b2$I!dbPS@eWc`>35$?{{zc7MMvMt~D z3q=qq`7UBEadA}cUk{DaieiRB7@=(&He1B|ejtQuUsD}#+$7Ea_bi6z9itM z!X3oo@om&@e+Hs$mGQJXfNc{%v_nB>S>D{918gh`G4c-A8&DghT-FaeLg-*cLoHw# zuuMh^VNOQ7Dq^HweaxS(h>=<9JryysTq_F4533U@8frPTM?qWlQ-dpFB)BjTk)Hcu z!A(gpi}IIYXisIlMfF9hYXRi;!9b_xg=mvM4NE?f(KO)S752ASJS&0LE2CYsMsyaE zL`8iKk);C zhybou%<^G!Y;2K&e$YbETWxsa=pdHYCzrnZOvJpMvz5)YbPl}usU4JwP`xpp(0V|$ zO(|)E+*XTMjQf3Vei+G;9mSqCu9khvCS_z3Tc*K4R zI%P8y;u+na%Hk0UHDs8(-G5(eyXCP%r%ioCAg{8rqGYhCg4w~1a!bP_1;V%M0S^qh zXGMlZXyiRsB!WAQ`Tk;POk;Uyie;lx3=KXI3jCn;gMm#N&j8CK#x%FBcui_!d1-b; z^rRSB-o?cHdi%wQ4Rot!F)ghSK(j`K!)mYCo*#3@K0{T^(lI;iygePL742bU@e^@A 
z2U(nw!ZNDmWi=8K6(QO@LqTa+l7wsF#;z>l3H22L^LMC}LMN2KxdnGZV+_9kfD^#g zv04yhXVzrH0cIrnn<-iB#)Q-*)SU8PM!D%yXs>k~QiI4SopT*S(vOXO zEMhzYWNFnFe?lf(Vq+hZLVGD0&1wBSjE>5Kzl#PTIyHxQrc$wHKFU!t9hy0XNo-}O zFz4tWVYoW5nMWx+5mva4)|XmC<3%Oo>(+UKjM($FH)r>83xPjL0t56w#PAe zKUF8PmraP~pvD<20Em8jY+wfVcF_=M@PWZ1Fo52ct>(uQs+;YRRNCJk*hdIm)~_6M+wwE$;%IiR*7HLk0)YEfP<1U_2n~Kvz6csCL>sGP zt{dQkpAm8~%Z?rL*FKQS=Pqal|0=kEF-e35|BE5aJ<6ZJ)Atc_(ZNqY@sPBkj9h<} zte@^rDCT^hn91sR3csEtBw7JY&y)ALz#RAt+qos418zEUB%!xeJnoQs=$%9zY@2aU z(4JMdL$mDX_qhOEp>XVj>0V|&;wkJH7Ii`W#7Jm(whz9l0mabd`&^T8mV_o>f5<+F z_FnR|T;db)vnw*tKrl{J!Joj3zhfCsKK=BkFag?o+rC0@<;=}@6VIw^*nT;)@aD2P z3Vuh(^v%;?oFxXYkXAQNu8`Ifs^Go4%RZ6Mg$7UUOlf_wB~$gjaWf&S*=Dy78a$u` z5d7^mA}}5m@mfMidi-Ec&1Rm+H(euw*y2KmCejZVd`Zaa8JErtD4{|#czvM=y5Uc} z&?xwKp$O1apEG1E$d%0r92%dCvzi#$^r6+%i* z{j>vsZf{FyvP;E$>7u(yB|618N+i&zj*l2)=~R@(#sYPuGUg@vvgRV5iUA^s=tDte zpi}iKh$tne;Bo>S04&Rf8%Y+f{+f`8-Y8nHC-twH7jyO}gs@&D`TKp$HI*&QbjUZ@ zp-v9R)0!gNdGvCKN0gZ45vfh+4jF}h5<*9b=Zu>r6?6ivrx9%P(v^1082CnQsaUondchPZ&A5KqV}0)N_{VD1YG z`!gcyW%G*4IgF0ZHxoh|cr9}=a?>((TA5UZ7k_1!z2GYb@QDjDhXrhoDxeW|!+1iy zg&m8VW$#qeIojNp&Cw8Bv%fq6|A^hp`xy`2&5-JgGf_ZSd1$cc&kX2}KOvh_eRcpN z@s#uzfw9DwyE@*os2CdjqI{cwxz*40HmCX-fT{vu!yh2FKc z%VzMEd=Y>t>~vD;;^~`bzGfY~y?|i@v5;+lnt}6f-baXKu`^d{gWF%tx66Nzer3)P zyMcW7vXt{9v#2+3kg4nIq(yC2lQ@uwVLWRK0&Hv9Fx2VbA?X7k6qNDhgep}rR zTj%%wlzaG1JumKaU8aaq0k=F~1QD|q;^FK#p>#Wy1a|zP_Fw*H#VqpO=mHTV&K9vT zYA;pYOBHkk>g}?cjrQS%3wWw^qE_72V(;dd!NW6Mfcb3wwTWf-fO`8l?cK0Ho%+Vk zF~NK~JP>{9Z^rL@z)qV5wlji05Bt-Z7@UMI(KS{twswY6fw1FOd`6Du zvm7gCu-2Z)`@2|nfjL$*D$BDj^C*cotHljj<)xY!Tg(CV8p~OiP(?Wzr|g5Ht73Sd zgTR%R!`~dK-lCW_`F9vgIsx&#-d6;7pjn-OS{OZLy`y587(&PJzTJf26^-_>cPh-b zKGyt{($7MvZI}Xs&l|{uw-+d8>ELq$Wx{t~V+SixTVR+2fQCNi#NDw2ol?BO0c=GQ z1xu+kxKOI)H%#HEWqgJM?7CNMu>(kTtsDRrANC)%oKa4m1<7V}1*msX6?%xmX= z004Iwq4PjNgz9y~lfw$p`a*+0Hb4ZG)#(ZK_m7OE=$jFejObmxv`=NdgHzB2Xa--t z*98Wo{R#bOm!2%e(GIqRQw%rL$a|iOkm@~eqZ(Hykzl9KD_C4!aV_~DvtmN{WOUAN6O68-K&sayZ`LNi!0 
zosIje7YLD);YyG~%wc#_wg^Ij{c2v+arJu2Am7C}XQDagMR4#RfMNA(whw83*=Al3H9DA-NPyuMAevh@9}$dQql z&O#)C0wNx z-%9C|r9h`Tx{X@tPt1g7SrKr7izH2oMvAn!y>J-+U0-V0F7Xvd-Ed=@6PljRX)Z8F zLFD1YOaJ`mKTXK_6S)6YLgdxZ;Q!v2<+RZ9WHa0e*Cj*F;$c=lszddHf$7Csk4yJU zW&NllgjzyK_2sLDvXSeHx+B${(DWP~;{pmt=J*r%gDr%}=6oK6j0O3ydUwP4!ibsM zKeF+tlch(hQE;9f-v ze|ooqE|hG1o2te#QGKEWw?*_V?r5PrJ%a~(!X<)x=TrucYA;#Wg=y~!LnsAJ&nHt| zK%O2QsUYG{%)!l@2_f68)wWOI{Y`|#st2FCWSD&Y5%~$+(GC1h;EryVr~1>=P^X_v zkSOyK52TFRl^#FXt>&0Mx02GpSVpZ@&4Sh6LbLo^H`Vv5M|KeOkO;}g@#dP|jiJ5n zE-HURdvobu>lidVzwO-}ZzMuA&dV}WO+oE}R#hOL_7^d9QyHmoDY9IwA6Fi%_>2pRJ&x1n0OvffFwY}88U z(re|*dS{o~FC0Iti6L|fFJ)n(r-)}*4-r7J)!Jmotw+!VFY!$1aaoK+*#Xo>J1IeZAGD>d8u_z z2wBVS%%J~g=n)#V;!5JVm42B4S>iTZw=2dY-pY83+9#5!tBep*$?C#(%!7F47rB{Q z@(3X-X=_vc$Yt9=Yz)i~`OJY1RYOlX0EmsbW?`wcJ}Xk~tW&uCWIr@ZZ~xi_Qiy4# z!IP6*AjL+?EZsB71*}_HdPB2x#c`gY65;2FjY33A{1Zz%cnUvzgb?chG)w=NenNSk zYqHCJUA3K3aP1Mc?AB zkeSr}_FWLlV4pk_#wi(cSO30Dj5--i!Zwn0+tM zLf0J5)D~}1Ut+wB>5jD`P(^CvJkFj!B3j=uhh($hXkiOSXW_pi?_w#1QoHTG%%YcO zX>yti;C+W|mjGzgxbdz-tUtHVmL(6_(?+xOR zLEu^(K4e!HJY@Tq^(*HV78;BD#z{>!2J9XBS@6tPcC13GuiXT1O6=^;GklMX_H?5s z(bYgaCpZSqGtf>-jP~KwX4Z+j?_}(9^hboO)&@g^zbTLEoo5*q+AP(rVVD424#g5KCLI;py#G2U&Aq`dJLT>_BFXIgI={Y%VZ zC;L%u4!+?PLX7eG5q&F_G|Y=KYrGpx$%iZTJDemIe7Khg02-#Cd7^q_W&E%@R540d zZm`q*UrGvgSy0;lt8EQv2KU_Q`iXEf_vPVe{kIW< z%ip%u=sW*&(LDowdMUS(ebzmdVVf4tiE>r=^bta$BOp38C$ffkB&Y4|G(gEr)G7SY zdL|(Ll`R6pYu%$5!JqdKLDVsm?HNb8h%w4H1K)a>>KQe+$mG*SIZzMAb3_2ttd-V~ zh_OtxOT)|TqJExjZ;Lt9{d!wpwRxrWMs(?Py}fv$7ryNTZs2D4chBvWRwT-~0SP^^ z3>u#Ab6E6Ib1M(fzIq3KZ42!wM8~V(Gtex1vyze9oG#`gXcoNpsS8YodQmQI2qnwt z4z`o>Jv0iq96L9lIuRPBf6Sq_;sXl6_naeygmdZeUB}cez9~Di-IlP=tqgunjtKnQ zA^Hv)PdCwK>YI4Hva4G+ngk8c9XVG3k-U6f0L1g}4gt(a)vc$q68Vs7-t^yPr=DKL zDCOi) zvmy)r-`M4ZX7J!d7l=r&w2~z8q*?_)*A7GIxtHn}Ms+?krnn;;4?8EC&LN8VbGJ=h z_SW;31=rXJiDvNGiF914ZcIFXX%&F=4K#v#zZU>rw3QJ2$(w}8#ss#DG@*iOz3OCI zRdReG2pNU6rCLuT__4#@EdJscA<^C;mND^MCvDXfw{b_l^wv1%m9EH6eWH^byIl~0 zRCj{1oy&r&f+GbHRGJS&pdmn`igJZ(1rZR>Hcqq|l?|XcPgE#zv}og@G2Tmutw+S1 
zHUkEl7PzGzN?`wjY-mpE6$yM{os`@_mU=mT4Ha&=KIC&#eos6LIT7IRP7`8H(igi6 zHA#O!{DJBy_?zv7SYx^)Is4Mr|4&hz!#NQ!&_t2pGoi4Z0=%7g`f?&j-A)L>t~W9$ zBGa$*^6J9tUS#KlAHR4pT1)UJQq(v}kI#0fyq}OM-t>5}P{Ys&&JaYKoXoX#l=lXj zv_j)|u`B?hd2o57k!9y{@)QqofjRiS^@Lc%p}BTl=G`ICcnj0t@w6sDv+TVcE)bRB z^2Wbp0Wbq^ozAn;nKP6KNrLrurj7V$7W9M6Py9#8uOK=S?R_sqr_Q}Z$z;jL%3UVsMw zLFV3QYaKNBS29->Rs%Hn7kQS3Ja)V5;z`@J+qy$OSF&`+MWrtL3-1+xALtZ5xex%j z65sb4CEj*U>kkcnw3EU4Xah2+JnBbQ&&P8h+UHN;eVYjJH?M@oRF;41l7CY*UG16t zTbFxQEI+aB>J*W0vke41=o6;*@+qeX?CnR5T4le%ydAR|S!-P@$Htaw#d2&J2eiS^ z3_dsB1@w;{_UN8;aa}ja64B%LRA+Is!OQ9 zEFZ4*mm6+(ln>XATX}T}Xz~ZbE}%%EHfRRNPoV15e4iK3$wbV0Eg!6I3pe9aXz&eA5y-KzBcSo9sOCeXwh)?O2m_6p81}cM1P%cF(N~1PH5r(BLOdHf zgp9|SS>wR1?BFO*zF5#?Q8A;OnjfnnBO)lNx{_c-gd{5i=NH@*`!zR0E479)2arcO zNJ73sI=&+`uN+(E7@_t`R&ex@gFRBrsKXZi#uAo#!QY)M2d*HVqh|yF*HYVfLTv1C zZ3rFh;aYzd6Xl`R4T_M@JqA?pfv8-OGtP1EIYMX*8GAC_=)we%D{PO z@C&m<5YfK_a?%A9;~}v!-cl)rJ6YGqr|H0}{qVnEA;dngdnUw$a410torP0#u(E}Y zNExB*DY&si0RCNY`Gq!0s-vLcWLrx`4bWY;UG>C%aArA=vZ5CU z4Pfno`XE$rB25dS)CZyyfGP0v7X1iE6@aV# zTToLGZ~~CMH5_lz2E<#W_(Dp7fmfJ%eJ8DB<~~C7POd=+4>%nA%pvQaoRkND5kdzy z9u$`!1RMb66;j%u$bUe5`S9 z-9`YI>@VBHf?!jB;sA*Df=1a5Km`8gD!h@o^alHIB8a-Fa>cuW2xcfIU-*>(VoUl* zfZ9J|jB2WAxVfS(t@fy>AIU&h6aV3$ewoYg6{=khK0`XL<|A_5edt2(M{v8r&pjZ-oY514Iz2pYIbC z<572IJgtdQGBb6GQbV(1F7XKw<2DxcwbSlfL{Ey?M;AZ0IilYN)P3Q2i~4nx3$etD z1d`1-@&zGQBk_!Cqsyk|-_Y>%0wM@FmOK|vsCm%1+YQ$#hPtWE>I)5?2b32-I?@vG zy={cB?Br6N#x{qJDyS8|`2}H^35R68Ge^6lGJbgJ1U##gkXZ1yP7ye?a;2oGu}iqh zJ5npBs*!?PFFW`C<18N3ZC3?|_%&Suh_|Q$EGaO4^etT({23-){!jjUS6ebVaV(?D z;^hh#z{T&g4b6T;0LB!jPO`Lo=J4+(i9pkWlFNgZ$2+Y7`YA`?%LP5JysenO^g?5T zTd7{)Oon{@LCB~UGy3ZUky?5XIeiK`9ocv^i)_2YoL|f zcskPpkONzm9gS3Pfmz`;_1oBJpzgIs$8IgvdNfRA(aCk&H7_)SJu6&5erqhQNZ5y{ zssG{tprwP@58ctqdqWMQq0!f;m~**`hM&o!Tcx@N06;}uT8lz6xO1!vC}!E_u`YmP z>FyZe(IYh%J50-lhSL`teXG`=%D8?CY7Nyd@%6)dJ|rZSWLjtNv6KL0Y5kYbENd8R zgQ|=@EdWXsFMOCWr(?h7ZiVJ!oR$ssO^(!KY~;?SqJ$9oNHNRgu`VFR|3KfZ;n=aZ z_A40QrTq$;!5eAo4xa!2-@0qAXkFNU7?*uWi2T;ARuwdYJF(qBe(wa0M92124_Izu3pR}Bld 
zq48n}&2#?PC7|#mBl6-a&a0;}?=h-J6+5odqr48LN1YqcK^pnD+68vN3lYDqU7&y7 zX=mryKkE=cvLebwdsX30wka%8^})@jtsQ|z!GF#R45_xiRnYAPcqbKH@q|{zA}x$z)H*p7rG}ijL;!Q3S+FYT z0{HHCn6soA{3X4M$G<}e@mzC80Bdn;pAITt3P-sBT!ZI)VDEwLK1Zb)j1#SQl&iA( zMYCyrIOiQgtX0HQbxr_g4TsF?liB&<8Gnd zf5XRe%A?U9mAEG&e*4+ebX1vrO%9`kSqr>9C=UNiV&Qt0aEu2`2H2**5Gxe|qNZ)YFWH`1W%G zFc|1=e3$AbA7ub}t9Kcpr)xG7=&mV*#w0H^Cvp%$ue9C)4NsDOG_eMat3eZ&TtbA< zYl?v?;dlN{2-^Wq-A?P%YYKr>_Y?&sm?f2^WP-`017&Z9~jFs&r9jIBdE--VB{2hZHxjvFP60SpYEm>yLFpM$u8MemVF>^~{yZV^W-V~p z{ktr|hRD9>tNJxwGwr6=S;2M# zeVZ=e)JwKsM*A57DAk7|4i=VK}% z(P@az!(rpRWE&diwyuNde1v=wZ`MA9hUZ202EO=Ms_$z9m^^)kO+j{>0MPWlv0vW} z)IJTfK{8AmQsc#aUnHb{Hhtwm_U1S*G$9AkM6a}--ko&jGOD`_>Vv<9y11Op zu^p-kH$>r>QnDZFZCMNRqD}=Jt-^oZMim`dTCV}L4?q7uEDlL}YFZXMZ2I;E9-zz4 zn%*WEMImxs7)W)ivjC9m^L=^1e7C1BkTU{(e)`=1TRz}E{)T1mca+VbD!2uBa zfVEz#>jD7agngi~SQWrZ^d0e>q>=%J*Rk-Bmu&2aE#~;9`q^6)q^&C#7M4V_W@5zV zbJ{waDO9ejAIDK`T3F~LA8QBj_TLj?-KDqJXyc+;auuHO=*jNx2YX+X-p~a z?0!4d!vO&PLnk2-bE?k~WZ+?_1X-_j0%*M& zzFqeL)2$eR8_}lC;%(d{OL9U zh*G@72|%iqQe?w4F1?A9;-A_(k50<7shvc&$tdj9dc+PoR9B_(h}RNjBP_-f%W~e+ z0RX8#cE2QACuI`OO&N9xx$(qOkv+(@7USMS>3ElDJ!lc{Jp}-;9>i1E5@J<_8p^8M z1R(22MX9bpu*YaF>m6&nRcUwnX1)D-tv61z)8%&C+tk34LVGPQ+N1z|qTtI7q27i>X=-PVLY_=t#RdhE=6_>Zuc4{TD4;atU z3Ket;2UppkO|&UMic@noO61w8rBuj{T|-C%>v_an;^UN(Q}uiWV@BbpA>ySo0>FRU zK!}1$dz=x#Ygy5(>8X<<0Qv_tjFR*8_H0eW>n;$o(mDqXp6VxxQCnY$jw-_*6&2=b z75yZ`!-TqoDh2jx5I=Zwj^iLY z2G>D7(I29Xu!zBn=m$>2l13Ql_$i1H_{>j$j40;)J_%Ouis*+=Gyl_h2L<3y+iB17 z0k)OQPrd5`KyNQrr|RvC)roq0mAU}!%`o=? 
zkN?6PzfW%)w6Nd1c`L|9>A6jhO{3(>QGPvCWu;RNWC@vNg`ZkU4ZRL3w~DnAJeW1H zSnJJVvEsX=c!3Lml*I#pXRRbeUeBdQGJAsm+bIEr8#Fd#Psnd^(5Mh0irX@9v6hW@ z4`FZ$Dv%dSYL)v;$lB{rBVO@b3FZW%zK;@fDrltes1Z9I9f;uHR7?|rBt#~*m28p%5hnJ zkMB+W9RPs-^bl)rt)21|52kIdBOxPB@2}LR$a>p#TBZC}j^17+)y*V?uu7#TM-f6U zbwqm7N7?kj!E|zJRVr%Kp7@3p4Awq+ojl#jj@HU(ul!cdOxdhpbCmOrJx3cKljIo5 zk?PtgW2V{y9kHx%eaPpK(O%kza2=82jW*Ezt?GbflV!bagj7cj^kre$toT;n->J^A zZpHTvW~%!2^93M39YU-ZA(SMZrAGyj=@qq|^6+n;p>}p|Y9%f8EjKg^&dd`)2qkSl zPVPMNoavJ@_NT@5mVum#$LH+1y#hk!J2l*5CDyT7B zmp=DT1^v=1txkmMZ#JEA2OV~#xf|}}BIvw+;D_vO^%FQ~FnW%VEs>Hf(BNM^LD|q@ zO6n8p%M0bM9jYXgu+!E(oH7ZEl>DN>Dx64CUXTh=zCkSjmq2L0IbNlPp)pBR(0*9b zL}yj4fhO$F?9pxA@J#yt)3D?-82JAG8lovgySM*z1U14y(}JGRsEk2wBg^q(pB?fr zu*o{h?yrSt&$+)@Sz$j3*QKR6X8QPQ+DBP-cpP9da?)uo3#1X;!I`u zKh!9)qSOUa*S8UZ zpZhH#mNPm;rtgH%F?@$ZTtrwP5`Z-Xe|Ifqr#Y$^&8fod2+!cv;{t$Y4a6`0l@L6L?T52^pkcD* ziTE>E01?CKg9wUv*zfJKg(QFKq`*LVW6-SO@H_7jQW+;|nG$GQkjLiN>?=kBUs~=+ zpm9MjdM9G`m0+Mrdg2Vjd!V-z)OGG}aP4b#a;(dtW$W$b(yC4R@rCtn#hlBfR;Fna z{%_XRR7!XUPeb!DdtE`)N*7hsn{;GF&@^`h?T$_4oK!wMNj3aHnvTp3)bP0i&dY6y zVShT+r-KmUIr+74HL#Zrfm!g)F*Y+_921z6kGeSOkTwJlwg_NOlHc7T0D!fDba=*# zA!$Rk7aH^2vC&?w7Y?1FlNCY-AUeKwjwRtS`2a+@?i;v*J}<1orED+FGw+yi85+$r zS}mI7WjU3Mfe?-JTCvQLC~A}M(f4x~GeLAP3^M(M7lnMHyhhg3+yryfn^XY{)t8NG z5di)qAAop5?X9TQBLFv-7vLI51TCm#TLt*jGX z9c4|6^7mRp!wRq^8gs{9jXu4Q0DyYV7{kH>lsnX(QEwF{Z_u_+7vaieR+e=ijJK#BdjHrPgd~9g(L*9c)7@|-t#(-nH8hvz z%KE1ch`vp=bWsI|*jc%$L7JW9d(oy^-|93^l^VwSBW3+{z`!gZ2;KAbp0O~*Nrak>6c-&C4@g3_ z*|si18nViJE*u2SypgMTAgynL)qS6V+(+afH2LHR08%$I3A9+Gl7BISSheFhQ?GIW z7~`GL@cieHz?^*16R|7+7>Y7}rH`GG6~Dovo)^3Eir$p9X>R7lU@R8(qYiunA;jMT z^~G)=)!oMd;3p{L%f2){i*YE(J9CZv#yB znEcdI08(*khi*vFDnjN%?JS2SI=S;C`7Aq0>s;SO$ZCHg-Xg6^g#GDI084e}0iA}| zsO-pSJ;qG8bqh54nZp6F%IpCM`_psq!Y;bBo}#a=mg4UN0OBpGkNNh}fn8@eX>u3s zSaUfKK9W?l-XsHb8s{YdZ0HVdC<1N}?YdBR` zM?&L0TCG0~(fHBQ`YbfwiRWD)#M%&Bd^@Mw$w6B_6Dal7XF-FPX|rk~R4Qau;rE^- zBpvdJoOZ_Md~5!|mjA#5bom2ltm-c_a!t_mlvW9VrDzHH3fJiS9dvm}b?-2}_-H3Y 
z?fU&bH;9c{s)|(fJzPe;(V`hI7);Q=mUKEj3T4y%4S)={s1v(P8UI&}5Ah52%< zW4Zc?9P4;Ob<44i5vnA|I&RgR@r1@lP>Z!mmfk&@^Vr>TGR%S4Vh%8Gt7|v&0RM6? zRrjoXXfEc6=e|AmVP1B){sE4ictE43kX|t7g9n+Bn9d{@c>WExH2W4+u+7#AX;sKK z1{(Yu`vjmEr5}7JfUy6tVg?63&4bXehs25Ik|O52R7gC7_6T62nO_)cxW52|(0+Y? zd%3Ri;kv^${bgzWCuIA^l%OBrAlWR{(baABV5^GqQ2%z;AL$9()+n3u9bFCkkm3{Z z(O0Q3{u-i_a4qpfngn1dKGB>^3MUc&F4;y?Rb8-pCv5#1a+@IX^!<*VfppS8!^Vkg zNy1{JTQv6jFR6DWk^YQIce5{ityenW> zKB64!Xm~u2igU`NQVy!T#5!UNd(w$fua{#TLAAfNj~X<~%Ci^lv5~T#Qn)s<-}cMW zKP$BJHE>p}hAfrp4l~cRSw7MF2Wy`;D#}B%tYEePX0U^2;`!$;CO-#eu+1_P1xX{G zeI5Oqux?+j`rPzp*ne1VP4;4IdOC~82o*5IOtO`AAT^#amjkj@o@MPeRH_}&LbKDj z*LB?i@2qb*U4(>e^?~2`jR3;gtNbyka70o^SfDJlHUj*SrGv^r@_v` zux}2Y*2bp2PMt(w^{1m1{=^L8S+H9GE91>ed)fuOv0DIW*2{B^Suf9}dhxXv+NpK% zz&FB0q!?qO7fsLAp_^pF#xiv;qIFk?e50T-%jY%b*Uh!EqGUE3Q~ZzBncB;sIm`DD z3nhI0S~_kUV)pSj@$COd03;El*N;1-9+cDW!=JoLh&3VJQZr65@Ap0QE`6$?qv#aY z2J;}ESn7t=r$guhL&AE65bIlXig;SSV5<<fqr9=rLIz33C>Z}WrNZ-yF;@(smgPr)699A)mtDws#>QKuctxkJ|27Li zDLJGVMLlWR)fU=^X8A@cMvbU&oe-6_ekB0>zfTh)w{B$sg}MG+Hky3FYlKvmbSQMJ zBh}w4h~VXax8q$7zD1jNpJrB6+&d`-6Nv(#O4l4TfULzD6fAP{^oat zq+adFtU)T3@YPa@`-DlQwyT0SnU8tej*po(g=P4j4vo^Az80b*`sH4A<}gA&3lpV;jN=Y~e?Q5L$8aN3LmSz&*RViqmhD}WH1 z@5^VbF3jcE3)B@U%(DSSxo2XjQ-39)QJ&fV~YY!9ipV2-tcr|_{yHoTV z_BLNrTCxQrFpNbiLYnlMmTcN>6_Xze)x~3FVh`0ZnE}Z?TpK$;*gh6?| zTCs3``EqSgtd;}n9BLDpwVZ;wi08Mo#|+=@cI%6Ux0laUhnCM$zqEp}3(GYx)VDff zwE(C$G)&{58RlXa>eXwkLvXc)qqAutbBJf<4qMyFv0j9$t>^s-%V~ssUd0IR+|69P znPj{ar@@*U?c?7y2N(XEndg-6mF^IL`8IF^fSf+G#8-ibe&0@vzCOx@NBg%^RRo26 zqjAOGY!9)~#B*kc03w0;K2gnPWgOTc0KE4J#*(J(7Jw3Hlj@pTR7oL-7-K2NX`{0) zKm(AZ^*v6<2#Fv8qD_<`#uM6kxB?>HyITNsQd3WK5khD13AUl>0aQ@1jTSnCXTM-G zXnm2HI>WP<{*3QZdqj*oMTmMu&;-V#;T2Z?uN#?{+T{p(`TFIkyqTnYKb4J->W{y) zeJ}opNzA-ey9E$I9o-skE8LTqVRHmrYKyuf)F}=UO86o8=x4=+*<#4 zsUGA{<2PB}2fp(QO1(98$Kbzv`Ki7%I-@^#_gecw*3d!r72+D~TS z*^Mm5D`M+k$3JDxMEJ&Kc1)aanVqUFf0>O~)tCOwW2yP?+9rU@N)3G9PVisOv{SK= zOFV!1Q~)8WT&AXS08|?DeTC&7sV<8HU|GNNzUrj%UdvqN(z0omSl(Nz+sD#7DCm?w 
zK|IfYA^>>}wd7ELn=e;Wo5n2L)XxQs(bzKS8aoNi;D&xK09T}r0|27q-d)cDFehb4 zO!IA@Q$uPBu)`^+j1v`fiY>gdkJ;envJW;;Bhjj%EHvX79|J%gALZ=gGEM5;-K3hi z3hD}>R^n;h%2d^>zSJIK5C8fJqtBOi3ZM~CscRM6waLt_B=g%zwGvkTYaeIIXCPSW zPS)MC9@gEC-*k7k)kC}MPvCw}6A}uX(*l$%Tco;YIRFf0Yp(u7m)aAOgdF%xsxvsY zm9Q>^)UCO?veiveHTFS%m6a7ntS)UASw2o$%77*J7Wq}UdMlL)8dc;Tw+uB*Gc zUiTGmi0ERV5H8-Jct@oomx)6GMN6T!=lz`LqzKCI{k(rbCo^Zxoa=L*>-Wj4+a@8s zG+Wz=jXb4ALh#a+WMW(H$eRi@CkYhzlL5V(YTiUrPJm%^7xiBHzJ$QY9UNJ__$4f+J_;stPuceVEbQ5~IrPPnNEmcZuGxF}GVS#55Tkscv*@Ha5hc zK4!;yJ2uNbeX`Idl+D#pPd-E``8G(7TD{%_t!`a*kZrctw@Lt**(d6dm#(Al-y9X> zrOCi#HrDZVa^g`qsirD!II8w`(m&>`)P|grtrAGnqQ=t{WMu61^%D9+@#gD$Jm)GDL$j3f&`U(>Rq{(-5tJe8`tVG?gft9#*)NN?QHwPOb~6T zBq~hixE-60Q)+)1YdoRH7z|a2^O(pwPRS?L6-ISMqD9N)c>_dCYT*5`e&3((*PY-F zmjGPGZ)tL`jTm>iGpU>gMxB@(oWQvD^}jH37*yP0y^;0KsqPFLA(TNWI)PICN7(Bg zsPrZ$HdV!qxr&>pil@vwKf6qx-#7gVLI^^=<%Q3%tvd)C^}cA%1gq+oo)m=O08m+w z=JI>J4=1Qv&x%}hq6lMSuvva%Uk)PnAiF;u)M2}30m<#9*Lwu*>y)#P{URjvW6!R4 z|4Oluch84x7a%P=k*pI*WxhQq)`*5{xsY!zOTRjw+PT;)&+40nEb?*&#-MXFT9?WoNX55=>NJOIbaH6L;rw;Jn%10PBm(OF(AUbjO+ zDe>wZ5<;1Lp!!F@nFtD~cjCLSrtbJCV=0)z7Ev`@MAp9r$SLpNVyMc171r~g!KZe9 zz&};!Z-=uj6;ujk;61P*u3``MsY($KAGF>B!>TCpZ$gGx9_IyXR+Ud$nZ`R3YJw&< zD4s>)<1G@hDjIuciik5l;8p=P1g8w%nD^KNmx32;CEY=}3rAv7L4%qVhiY=~F$-yZN}Zg$y>X&4Q|JRW019KkNhUQ7;QW0uc4 z@HnMW7s%t6gV$sE)vUcssCPz+ORT9MIwAK85&a)X$eQ)Q=@!DgwI>z=HpI;zoa!-! 
zQ{XWLmd3f;B{VtRmr^>``sou&m*|}nHJ`Qr6H4`t996Q)W>IQO)|-@x&P#4?j+Kwv zE+M4KDe+J2LS8El-!7r%z&Lqr`9<3$bp6<z(IoKI_3x zC*b&Kx75o8`5x z!byRNi^RLPNvN6Z@^87>-!jSH9+;SRe?sZ?W3QFh4!>!egsfcFhoc)^Y-G>UI|VJ@ z3hbsdC0@QwLda_CrgVwDUtTK?-Nv?v!tUywPECuId)c)%GkfFFjSlwu5Nwq1*&-q9 zf!REE#D`7qj;ADqhit>^I-HBd?>}bS$1Xj(5g@Mo*eHLUy>RiY6A;A%+pqFL`0G4R zY!u?oJJzE*rRi%~ODDj(y$%}#qgx~t8|l-el=$$+5^`G?QZ}bfZiKw;c`%~*wDGa> zJ3a;j{P3bJ64IP0=ULb&FWVv^Cg@n-KMh-N*cP^;ZUskY4>m+)OGf#M$#CBm3E5Ll z=I+Twb~Q)PsK9!yk5z7OmXN8iJg(zrDcUvR6Db+29-f_0P@ZX@D^VZ&XQk-+NpvKBuL8+hOB`K%d zqOClgk=5D7#_BB99X+eY8u=V65hh<-yZCdDwG*EA(Mnhi?=OcMmW9bo#g_^pxAhj3 z3%RY=c|F={_Wl9upZvbZUK=ZK|4>4GwLX4okyZ+sFnsC7A|or`ekdU!44T4pOau$I zb=z`EW992Vlu&=XL|&HkQ$3lz$Z1vev^Wf3lI8d@#v#i!04Zr**2U+Xoggi}vQXM| zArvdGXSAJhKjq^#NyyR?E)*+4+E=VMUCY?&p7^1JB)kM0;-#A;lydfhP#{w2vs!;; zRr<8a*qo^pSli*JQya?OUAGJbIGQ@y*C3tB_!^K9!sc|h{XSnv25=db?k4fT2NEh1 z)IXKE)JvnZCf(G{T^H_Q)tPzwu98r!JoSNuTu>|au-8;6CBE^2goKp%$_EmX(#N{N zb~#9m*XvW=QD05E6(DJ5cv9lf4UV3sBBtiHuJ5GOelJ%3 z()$wP?l|ecbb$*`*qo`jt)g$)R6hE?gtB0LSqg8S+DGr`CC5ioN~67M()|I<>{f)* zij$Amu_Zlw!UZF?{~Nx_qB)b&KROWdQ|ps&D2)!BgqNgS;b>!rb;!Rb2DxRXQWRWNzGth1tcK&PooA>;^1~&N z_&ZyUYhbvM#57!-lZE*D-@w+t3_J&^^x);x`_FeE z$f`dEZ2j_)^;w8|o8ab32$r>-fj0$ghzFaQSVFNmmhq52^#ZOR8>jdz;eHpyUqJ>I zH7{0DuDQcxP?&sX=U_4kQg)F~L-9SDJLKP!-VNPJZDEUS@-cS3dW(dFNA+U^|3^+ZhZzqeC*6DEhE!?0Pr=K%>#px!%P=L$qO zHc&efw5@=i;_RIg-`U)=MGbMz|0K4+NTtjA>KNbs>9-LlF>YAdVf_No9z_dkQsTVL z5)v%$ql_jPK_#D5x_BSi^csu3WAS=jzy~OTwf}b4AR%gaA(+IHGKkmJ_BM z1F=T5NNZkQM4VY<=Y5c0Q$$j^ZVdk}bCx9Xc6 zJf~ipChHA~J6ClF$v*v~zP1bOi)5FzxRp}q)m>E)U`7L`hE{K#eL2!6p=&8h&gx*y9C-i#I{=RpftkvlR2A4z{e1q zys2X&rk4x5A|#hUKacap`s}|79!LT9s&<>ooIw zm3}olH<6s1OTHYkUD#~9{4M_EkR7GX^5`!jq&1Xi*DfVr;@TFvr7o|cX@mz-`plyC zA%8NlQ^sH5+MQwH>-3F`y((Ft_F`?{nrP8}vd>~YILvPPnmo`S$n`i*p^2TEl^*QM zgp2V9_D;iFw3eTpJ~U)Ku3gVIKnx)SlWjZ**VxQ=gN+9hufU3%1KezB1TmSYKo;df zYz}j?alJ5_?QfaP7OZbMw<&sXX|w9V#_&!5V+(bnQV@1da{F5t1@|HC3~VliWvagm ze-M`OIK_v}5Ct+8cHZIUhB|VHiF%yr6Yu+<#FpN4@F|$ZS7uPDlNWyP;D>_`X~S`C 
z9O_IY=k~>hc*WWtn^{ot*)kR^Y}N@WuGaE3U60}|a@-4uNwMP-wQPTq=k!csvy9^m zVY3(uSqKY;c2&dxKS@wlyuqt58Wc}>$fgK6PQ5q23I}XfmC@+7 zC$hzpHO6#}w7r;o!B#e;{bbYqv3A(LkDYIy+Oy?VBduFjaQvL&;qOYQscvJeJro47c6-NP?&Gt z>8Wp37r^QV=mz`0j70QS``{(^AodBl=M%WJ`JRJz4y)w=rp@;L-=?ju9~+87YzDK0 zu#?ZRF9ODjCMlj&qhX`bjg8`&tU;tf84pXaY@&AldkYXk)_holV%0kwJ!5>hG~|{O z=Yn71hJd_k6gG;B-jR@X123qYTCn3+C>W-j?1x$F^W?-R#-fmKEJ$LKShU zp2No8>ccD9wWg={s~N{bH`?0+L%t3O2e47xyhdW|?EYmuk5ygR(AhV zs%rP(+7{R143ICl-0WM*2g%=$kR$M?O=8$acb+T*~D*c>hJgl}Deao6(%FooF2dv=Y4f=z!0 z4v-uk49+*?C^z|vkG(CSfWBYm{xA8_^2r%jo};gUK1(2$-g=NNh>*N01*T;7ocs_Z zsUQg|1FXKQDGidJf<{mopzrp?jtf}dM#E%7c-^nXnZq{_qvD*off#kpDN=KTt(HcN;(xLZ$L8ID)S*`E zv<$CYWnP7`nfLOqOn@j)vOhzb@nV0{oK3Ci_fiUBK<8oFEU(#{Bj5iDLI~2Yk%O3g zj^%KN6@G|PdqSZ5V>J@Y-ph*Ja}G9&OIEX`7zFP7#wC;nGb+o1)u3$8ejEJ5@&hF8 zZ^wo=do^eThgQ3-=ODpZPhAz@a;5fXEKY@XDK^B^Y6Th9XF*z7sDlc6hA^WYBFM{U$LhH_{ zydur1f8V9QFJPn5<8QY{?B)o^X#FYAxJ;YmVZxKa~wMr27U~OUv&vKTuQ1k7tsugfDQnI zhD$Lja*0^V$gR5;hN{p|m0@(VzRy9NoIT?ygFUB041u29sPkC`EtICO1Jr`md`Q@i z*RnBzpLQ1YzV-@u+vhXUmxv#%fnOe?vr)3fP2lJ!w@jc^_P}`x9zf%Iq%pDoDhbJb zoU9vG?O!R44PL)SLPt)k!e96tM=22yT6U7QFq6Qq6YB>`u;G3C&EI((6|(hA_F-L7 z5Fn)!RdM&MXYb$Mln}Yn6Ln0mN_KLL;)qe)@TSCF(zk-5=i)WsgZ)1aeCYvm>T`$> za>Q&sRJ~FKY>l;dfWZy{! 
z$7$O*z;n8qW^78s>FM&AUG^X8L=OEE^ni-)w-|v#+XNYB;X$J6Su$_T@U!8LymXIiXZu%wXTB`?7Ls%tZV@` zMDg|CtZ#+X`|VQ_A{!G)IkAWP!S96=nX$e4;DXn{kauNCM%9Bb5eL5}^=L;R+e{vm z7cah70vI5VHVdBmcSejUZpND2gY`NOQgOr>zJQfog7sz(-!wmRqs=3_u(#O?5u_a z6V>h|)qqxGlX&$Aq@(Wi< z2&wL9ZjE)#KPZjWN01z6r89|f<@oy<7nPz2p_VcaM5ha1l~8-^dGJ5X!$xc+_dm?G zdtoE?2>&61Yy3<~?a|mQ|2zB4_**EY8|^c;)jPOzP@A>keM+kmZ9zG7n0q0_Z>O|L-0+5k z;z>C^ubb_@Ba6h>-{2PAFMdDEbx*@Avq?OCYAy09BnZ#UGs(Cvo@S<_mrSPKKF@Pq znb@mfBly z^*~L1({DH!_dLH3lH+N1_&P&=u2~&Bj?$a3S^V(b5{eF+z?13reNsYP?6@FoxRiF} zkP~wp2pxq4+j3%t10lV9==1DgduTE|@W6vA2Y41uU@bihzNhvL#O8Y(LBreioP<6PaZ3N6w&va61l}}{*9A^2eaXqsvu|X5mGdZ>_ zHzoY{Fyu2lH_DFx5U6>ZrwLogL2ZhKSclra~lYHA5%^S~zxb$t^Jl;CDorwmjXdReBslHcGZ^!2F%UE;3 zf&Bb&++=-8tj;57Lm&*3%v6dX5|o>G81VtXfBzQ71}y%WQd|;n642hCh8|4+#|e7yJJ}{oe&)o0^N5W9JC#H9Cvl=(>x&Js{v{^$JjM2NSl=K< z$W+ChXydsZ20YEV+5e2?gVi_DhD}joeU(FBq~FWn_)V#1M`dAEqD>v1Xw%NZX8BDk zL}Y#Q6yU#DPd8EuNFV?SVU~Y?P(72?|dMBUtkUXFN~l znlSlg?6ugq!Hp9wYJSMy7Q1}7yfhh*mu-|+C27)@qC#L&R2YwIzXVh><#vw34x_2C$QPrCL(s|^Tg8=?*ve!v-OS}RFB?qFE+){4?JtS zy({XNWPgPX@k@3d7$vOo-jJ~zvV#1#t0yUR^9fvIo)>y7TU)} z*zgW{;kRXPoj--Gm2&X~CMSSxCaAchbP~uOSpe!i+Z~8qfwVt`jjO=@aX92wdHPmv z(?2I{EQG_yR27fE1)Eref~?Gu4odZiqCnPDbuhRQQt#b=1E1M5$RX<8_%zrJ`#}aO ztLaus1M=E&iU9dffy}v|fFu4!D>V*M=qji#$AEgs(@c<^*Owgfw^Q%f$0WpRoc%N? zt`waL^ZJ3uR_SB>4)xynw1k4>AcWa|Bv{SOlqTBh+@QzJyk^W)3Uo@@0vW>EX7o@0 z$fh*bpa_U9L)NC}9$;cc@wn5;GqsQNWp#>r;|8`EYqQV^-;#pgdwp5qnXn{stbXGt zO}~KlQ{#gJokHl@_R)1Jc#`gPZE%$y4FjSL%cWgGbEF#(A! z66>>eN@ER*oATW2SQqy{DcqqcpHAlxV99VMF}q zvz(R2hWPa}oaqx|CDXKzfdEtQuD^pnc+v<#6b+;S4N0G0@jWg~`?zpHdoi zPR1*&zyc5>^8D2L`6o&zq#qnh>G+eAg`WtQz{c>pXCOj)!7~yfsxpEN%9PVYQ5d6L zYza?KaU+X^aS3&ZB$!+dx}A_ORVnnue2K69gIf${aTARxzA#sU+Bk%5P^tUP5XSnf zPgSPF%Tuhkc4R;;5=lA!A$KOd422+6JYtqlzm2UkML`g3w+`50F_JR4&7%+vLP*sAQZnJz|PKe$TdQUz}*s2Er)9cv)5pr4duy!JaN= zC*6J6xY8Xf8LrhdVIjUn9UnV3T=U2397wCd`sGZ{Gy2+B{#FI(5v-?LI2%$49HzY! 
zcrQKah#i}y4Q+B`nv4Jtcq+a{vw=LY_oiw+wZhK0Yf(oB0Hf$KN3_5ShxFx zjT=E@Qe}+7q`JfY0qX?_gxh?*{P43(j_$>gUR)8Qt^-F2-s2J?p#olmYg>j+sb{bih=PlT z$`8Hm04Nx%?kWh&RO+fgdqsjuNrcSgehH)5!sW5ChuD+xQP%`)s7i@do8rgh_)wx9 z8$kEe97Y}%{gqNX+fWss6_^Yu0^Rm2tle_Fx4?SfL~_E#c3Y)Wz(%47nlTxhbuO!M zJEf2zr1+_2oYSY?SC>evD2f=WQio0PyXibbhmR4po5RKp?r8aBOg?9ea6I+?^q7QV zB?8vJpxn~C!fKn%nmSGyZ$!ZId)^)qg&#E<3;fA2**0W5_)<|XULv6?<4@QW`;Ey$ z_7m)b)7eLG*qG4FNBAQ^$`Ka>*mC*7}fNR4!C?{5dZ&aCrG&w_cdJZF?KA@*EdyL4r3LAfY zt6<%Dh|(rbIm;ZXI)6YJRdc#G%kd`>LUwQK?yD({&JRpV|J((@5hDaOJN6DYu@s(I z_Ck&I-Su2~ybm(MSmPfBer>MRH73Iz84qUKo38-g0Z_hg7XxU(2sRuA9Q%aBl3V3A zEY6Zx{b)gxU=_|AijDdbVCHfk1S8dH-n)MveE3t=h^$69(e4{VX&5{M)Es$jgL0YG zZ1DUCPjU?&#v?0zkaP1zgHrndWACc1yQ_F?Vue+?j0>-Fgmh!G{HL!(WNoeaKMbO` zKYSvR=C_j&(#rmZn$)1=zUP6Ac_Wn5fzw>_PAA1geBd9P>(a4{zE=RC=+y<7R2O3N z5uTOqk;4vzEX0fdg%>Ztn<{)A0z&U~z$ZM|tS-c)+KtUeGL?9&57%^3yabbhec>hV zzh_JAEX~3CdLMbvIUQvEF^4gE&^e1=cd+X^zOD*zIjf0rDlf&I;7XtMoyarb` zPoRi7xTBRV?s-j&48HV;gVBZk*nH_RCqmRKohV7YH}fJZ9SFTwA|PZ9ThmG3K)Sr04j2PF`NB{CeUP3Z%Bw# zx~)t9*@KIfm<}RME|M4BDsW>CcX5{!x5IeX`w*F_R1UddE zpte;GIbI`xE6h}9Sm??3{!`c}Q-JXW&>>Rq3&RNn9>8+qI&R3^$UgG+ZzjCy9!#(+ zlM(JJs6T?_#Ar6bcj(aTe5CrZS^nj>B0F3A3D)Lcc$U;ge#2qyTFm*2ob)-YhE9jp z9~)xyZxTFr!dxc2Z1~TI=T14%1SnJ*g!GDTN}DPpiz=(q%eyI!)&B)W$X+?|4y&Qv>VGe#whJ4> z6l{bLM?9)z3;y%RBm{3zxSM_kz5t=K`KE-@FL0RjC%zGpb^p(lra$F39%nZmf3zp} zfSf^NyN*)ey<($~dceB&XG-n8*bs%sCARRL2##4xevP+K%Y}8QidM<%lw!TS;4#2C zSj=ppIxrQYT3~M$wvUCa`nGm2pe8wg@nkJg>3R3 z-A8Hq8hT1BwtfIdj8aU>lv5<{5`QvW`ni@HF^6ycRzw+;-ZG`iysee|0`_-yvXRfM z3O7RGWmRm#dpQxRh;>~SHfmZygF5HBiddI_PEd~D=72{0EpY1LD}5ht70)aY$WnAB`egDjrioIVVHzmS(T%d2*#ce7vq=JZ#HcYhg# zYQi&oZZp({OPl4T&GvR&+H7xOKb~y1H;^y!j*j%d5JK##HT_to;NP3==h@$XHrr3J zzyD~qAH(u1U)T*;Xtw9zAz#?D*cTS_7q5KSJ7RwTG=*O=NA&W-DBCV%i)g0~8)DWao#M*`A0weAP}7 z*;2$DKJy+C7^#v|IH8&cK=FdZC$mAP4~B(HQ`54iAip zX(Pj>U0N@!pO5^>^ox*6L;SU`gmCF5RmOBPxcG%uhe*m^ht0|YTpCKsiF=(0*&kUK zR=ZHd2(8AChD$f|^j4T`#$vgLrpm$Wv`BR8&3+S5*Lh`C)z^r&7pdVB2 
zJvR_LUNfga?GuO{uTVXD$N6*4378elwmUj%yzPu$F+Nzjd3G+AUpbCx3JaU;|L`?= z92=q4VRA+j;(0*i2Ra$^zFyy2p#N}7?D$#o13w4|mDR}c-JJi)djuTdwEW&}w@$TTIw2#vZmKj^X7MO+^*)b}fg^NwBFxum@LM?$>&O z1MoWgJ4}Kq80vmA2VFCb)Z2*kSc=ePs0?!I$|*ja&C_hst2fmp|7YQdbL zfmp|Ib>N)y1F?=g_3S{bqn~zWU}aysZ(vovoflYnsqGG|>|;9vEBzs|Zgn^Hpn(3} zIT88an`J%4q@P%KzMR+$B>Pu6{@)BXI}OOIRE36@2Vxx~v=Y|r=@H}BBqLfKNP`pw zZ$czb$Ech zv19Ta&+7abLeQec?7X~;)rrljBqm=47lob+E~%GZKp>f& z0H+Fnm2n5M_b_q8&Aodg;Q2!;eGx$EYXrcr5Wm>DXN-(P0FiBiV&W7F z*<-PuDDM+Q9P1Y%tl#EC>EXvI9jlK*m~?7qQ17^TAlwkAb=AgBN-A?nr7L)Qr7LgR zS;%mjxhSw8S##vhvLLB+C6aTq7W~)?p_ozcHY#&TFOo9z|HmY*bqAgPGw$jfkW9Ic`%)iP_w?@fsL!&suLSoSnpux zr&%8PR77;}1@j~%uNos@v)sEvM0kgVm-~}+@C^+TI(0I5dftd}m*)>Dda)s1{2&up z+w=kyF>Xa{LN1Pw{nkIm@L03{*wC1WaOS6A#+vr;P8t;g6Vsh81Pr^q1snARj1|5R z&>5^XsZJVL5lT>b(IyT9^nt+%Na8J5#@i=sIIsz6o06Ra3}bNOmY z&q0CGR8Ss$7#rflMkWbYK<_w1yBdPcVkH-Afv9Ud_jQEKMiHf`={h0aq7I~+)w4n~ z+H>SpTlF7`LZ;fAk-0g2?Cnw4c)B@}oabea?Vls&VC54LrTs31LjHDa)R*v}%LLVW zW4*ozspCS4cJ(5=iubIQ&3;fRNhIY(zi{FD$EHlz_OkP9>$FWlrA$B^5UM5Q-vfG` ziTAT*9FU*fklqMzYW0OkRX9M@wg#T+78~`2*eL#S4io=(&XbVU_rIN#XWZsUWLhpZ z#S8K>s1t^h1eL;N`d)!p!R!uo95%-(6|7FsUt{ta^}f7-!$dSh<(s&p1o`a9v!Mi4 zbM>i8q>Huo1|%ffRFVB&p+}TLfmPver`}z0wn5k+xUGM$@1y}Cg^kLJR8YA%2M*IF zv?!=toC+$#k-u$IP+?Li;{Lu&hStvH9@vM>l>$3QYTK=TFLVObHLEn=x@LVR4U(UR ztWUJa58VzvH&HqP8{$6*Z+3}ZfHDIL!{}YWhH8F4Y>4*}2?dQ3Sct_;u&4z9O^dtu zEsqKl_~?E$PePb(R@pmOo%GJJOn_rSlcznX6gsr?V-3o1r1pdE#E$34i8m2KX~xdR zj!)!tzGR$ou^fK~A&9Jb5y*BUlNK45vS^%giM;A3j&$oiPnS^BIOP(~q3aFG0Hpfj zNj2Xbb2N6mK%Esk=DK$VyYEmZhV@1_dw+mBDxOqFW@5V!hV_l^6q92bJLp(<(>P^7 z?0A7W=BT_h89U~Zm#>Gh&fW&bdlFOz*k|igl>vwb6}K(3jtI89XI=vIV>vOk8Odib8KD^tN@7!!oa!H8M><+WLe9VAAhn~fJELxqgnAM3Vl zz9;|@s&1QzpoQ##6cs{#8kh*xSKluowgd#V4{RQDoYKISf9nFUKKEHDp&%(?g27;E z8y5@)fA+D6PMh1g^1c(fox@B2;55f0HhDe(d^%}e9~`(}Ldg2|5uh_ZY>ZF_HK8@KbPEK9+UP3@U~4s*z#35ln;2sduvmYR!PW z>UtU>l*w9c8XKY!3MOBXLs)NiSl1k5BK>~qb;Ou>Fx4eQN{?u-re75h(g#mnAR!bn zi!YS;dzr57%VJ%7szE}_^=>N1C$YlaSp8b>9;<$?cMF;`I*rM9)Z0G>9s@tKvwKNZ 
zVvlwquJ!g_kU_R5+pv+p9Vc2;PwevHYA>1$lTV0vki9hINW?7v>{=0#iOK-7Ga#>W z)sUc)4?P7xE3m~ar`}yEpc!hT1A3Qm?+`;(2885Q${=i(&&!gK_0)1kwsvE)e8@*4 zf+N@ay(%Fr>;w;7awu%(pJP>aP?|mi@OF#;{$WOo{BKU|FNfoV9kLIv1q9fa;(+C$ zp22gSk9Zf3+Ri7~Q9ItQ3&^V?H3Htz$|&S`j&Gt#U}CfLAOeDeq-Y0ve1P+*cXS<3 zUcZ>D%NBhoBCGDPPHMj#O0;R`G5N4CD%4=|E%n;7L0$fCwTLkJmK?GYM|=E=N>1UL z{yK*Xzo*7Sk)zlw9{Hh&{=ZT+vz_I(#*K3!vhjIA?H6@VIN|QM{AU+hVmtgh!80@} z)L6nH7eJ^$mWIRgB;=sp!HpbN1)JsgRS{8d?pz5acB*+%H~9(_hR#Nb9Tk8$dRu~B z*HG_Ab$}9A^+qRs@0y>HWF2~=lSV~sdjFfsLN(Ydj(;FRs^d@Y15NqD4@6|`eBFg& z<%B?Jf(=<&zga__2t^$=5#jqGKfu5(h6$ZJ5F6tD`xz(TQnzBW{AyN1uN9p%{VIF& zu`04RVivc|6;aCNMA4iGB-E{HWXm`<5^3j0$iWEN9~oj>mw)C$63Z5F?+OX#|&FoAk6 zsh1Gt$?g?a^QX%?>G|AVm-xw&eXZN(NVSDMl(V=Ss{&u_?Axe=?KzQBmB1}Yu z)j+(1bv6pqHi_(1M;_|kqe*CmPN~)xo5c@r1r55nm8~KB!ZpZ)5F5Lid%&N*gP(v} zKWr8+;6?wsRYaD5X(wev3*V;R^xZI))3%C;xD=XHM`5#AqLeS$AepMTEc6;1Qt?0c zGd^aDE9$^z@xuEhGyz_!Tv%^*w+9uMpp6WY{o5N9 z7Z!F=?+y1!C}8Hhf~CjrITIj^cTw-U*%Bh_1Em|e(|yqVs}L&vb@m|poKWcj?QEk= zv99W-)Vkweoz&_-$c57T5nzo6Njf;>JF+!EKAP*g${bM|Fy{$moRW)cDd4srd9srl z5yfq=d&?4A=Kd*2j>B8KaqW7>!XDe;p&Y`H_G?ByD1IVrZ72l=sS}mlX#blq*~NI-904793C@CDj4Xj2YUaHT zxmP5UgSzlecFyj%0-RT7;&5~(WW6Q_Emw;RL5uzdTW_Y41Mf^!AxoFPg;CDpXF6&0 zPD~C?SVDGL3!dquYgYk`!G7v}{cdg=t~+H@n(VHAAO@~v8C7POe9l8$x&I|5N5^Kw z$ls|msrQUJ2?g}|ZUHZu*Por7IgDIj4LsyaZ}X_5tH^C0d%ijCA8R|Otf$|JFsZ<0G!DsM@IW1#^9z#2?dOxq9l@X{1bp1 zoIh84wL2o@V36#$mcHCc1NyHHp2j4| z2DoL8gwkULgp5QrrSv49cb-7yA}}C6>!XxH!@jx~l)rk?1z9s?Oj4Mv@6q_`yAS{0 zTHgh`xn}bd#_(ieJ(AynFnJch4as^;zU$GCvP#zdAC=(6r_qmwjHyZ?CeId9N+V{m z{}vGi=m-8}*fJQKlu<^eFu;{dhjWdJfJ2tTW*g<5x zSqQ;#@R)j6+$ACVwai@@gv4E}6bwqbs+&?aQ+$*y|4W@Tk(}oW2%~-22yH%P-F|xK zACyo{l5Q21WzWf?gD=!11Q9Cw0S`7V!-;nF902^J-r(IC2>C=(6OBr@osIQokNsto zvXjYkb8}DVc=x#r*@n5>kFMUJ;H&| z^B#2&Hs8s-g~<ou=fgSs*YTFpiyD&(8y7Ihn!;yL>Hm>(^j8*e> zR;_h&C#5R|Y}`>`e-cm1i7{;RjjSz@%?bgbb}=aWc`t6SVj627fMe9;iCLM>qTU( ze6W*dfM~yB2gRR{Q)-W318a&|0SW2fN$Eg0r4a*RBL}9>pM=@FW4(wbQ}4Rz5=xKC z09Ku9@Vavb@cb3OC4DE|?cx;1ldCz=i~TJ%=?{LTv^j9&dmTlnhbM!L^M8Yc>r<5} 
zDC35zPgQ0itIrDX-7&@9*8v;{CeZn@Qy8DthcN}cu_<25AF`2+`Y_pb(~)N}88~|m zcSe~GN-#{m#N<#lHj95fmc^u7z*C)G9WkE)FTTJy_Ip+}Tb&VQ7F(jzt#?Mdz@Iv> z4C@WbETmo<_0?Dn%R8AsiDkY(bYoCSFwHAo0KxK3+2HjDdw@5*Fu;jE|lV3M(( z#Rqox+y}Yq@IU!a4>7u~S=Mg}$~Z|(#US%aQ(f#(M#e9^gs z8j=&04uqnGHCA|8Cyf}HSC)YYfJtF=WP}`@OugB&dIIMlD?AF*4bhAFql0$=r!2>h z2?)jNgmY8uo7IlMTY@TKvswuGX~>_9U0$wbVY)uBQixrC5jOKKxI#ke6m0l$qFs)^ zD{yFmB1}FHE($7_07e1z7TzJDU=#aoM3kaLQtbs^c35BMv73#sJ9f;Yo)ZLZ-x3wZ?`TZ~l>#-tDVT@IXW6N9 zw}s+V4yG0{9+|Gg`Z1sO1x!K}*_WOIgyETt7v;zZ*+;#{W`LJ|7ABK?_6?Y4OPF1a zjlyv0LA9XDnCFX-eQN-*0&b%(phpxpg$IyZ z)eIG+AMWD*h#t%MhYQ*Le+y;CX8HdAiO8rf@+YmTrcP>=rMR8BepdA2$<&*7Cu2PK zI#LL6rNIZ^x=>Wc=I~pd>7+G`4u12WP8xM!aogz#ca z#!kojamuBy|B1*tXJIGBwO5Z|NA>4NUW6)*$`RNYJ6*T3iDM0w5aZdY_fV~bNM#XC zYQwN0K7Egb^pZX*`;N@M^CqAeWTeFAp0a9dyZCLLgbLK5Q30Ff_PZjQY;9cJNlE2+ ztE9?Gdt%vH5dv%YX{cy)0IKGk*!7pv>Yg-vMb? z=gO=Z@lKisj=d>3jK-5%4yGTnqyAO9tt?0Vsa@<{Cn2|bPPld>F5Re|iOCNUvJY}J zyn7q>H8TZ-s?4%sfs~XJF=kAuO0>ywFvS|0JD^`d!^Tx^^&<9vz_Dkf};t zMA*yrNgXadBx|~rFcyjl z0OThqhD{8Xv$`gCe2aR1>{yQKjU78@PT$zEY&9?Cn5?g>z;wOsc(q_r4!hWra-bnU zS>OCjDHwvQ$o}*;KyfX9VU38a-AB2ukzF5r%7yg$VN}h*M*Vc^T{xBTsB9CdIehPQ z)v!B7>`rh07SJ;#sdvRK5|Y=Jd+wExwd7x&^tU*gpHHt?q~1?zB(%ahS9T$6MidWd z8ri80C!1M3Xbr5uFGsnMzXfOwXP0ChThn9y#H8~>*3u(P(qUZfrng13EYVhXQObESHtPjDE9#DrLz5VL z{$~kU(Ib>DN$i~KuppI zC>@)xWnp7{fqh9;qD>uKHRI<(Y=k@!a&U~%P*h-j+1Lptt6uEx7-M2lfh~sV2Kz~z z*r~bvJME&N0cf$I(tY!kDzX=oU17Q*yl$^6;=BWe4GmH6)qmyYtes(Fk{h2CdUuk! 
z{Rm!gfP?Ft#Pzy)PSe?|#SFh?ig#zOeb^N5&0H5?Q*6v!7h+Rfkhw0xrl@DG0X2J% z0lx9|GbLE^KDOjNQ6@=7*)l!%P!@`!DDcGNtNH(&+a1ri-D>N@GT?TL0%XJUZp|Ha z)mRUI?m~g18^DfG4haGv@rpI;K{z*8ST!a)OW6Txm9k48Hp+jPA)yIioQ>Tgp_F*l zZ4z>_mkT3i@%%4bC}Nfet3?zc?UugGmBF8{1F97v$JRI;qrt&;>oUeus@G#<;Bzx1 zv{vvS1lhGmT6gSoAzVAw&50jz;&r=S5p$TwI@ZM4h!Bd@&VWD(h;D=F8ftyRpSfwJ z+g{8*aPcx1vVGVPF_UJ@yzHwWhG|oUy9aowh_!LoQdhO(P+n_47$pJ#|t^5*lD_ zAy88Rt@ME&igo17r7mQjg$>akg<xE7%K$om$urB`h{om z$xiIlF18Lfc2eqHKUG5Hs|eY@R&XO^-MzuXG#gQRHMrV5vU?7u;BEvxQv z*4gGvRQCi%@fqJ}-TN-g&O@UZyFm8)cLqwoQNNuQFh*xRFKCxcV>8#AaU#a30R0fx z?xfzcr%EVL`i=aM0QZAmy8{G1YNrFnsCM!0yCmdNi~a4^j+HJHUJlmCfwdCSt?W99 zBm*f|7V=ZJgf8u5Lwgi2qu!ruC1m@tIa8^K`aprZ|FKSr^$wq$FnJv0I6+=`KM;vS z{&uVVIL#=1@8)*vf4u?c#CZnyDF;b8yd0b2LvL_uFeO4%Wx93yf=&vn6b^ufTYw`U zkO`(*XZ6nHr!^ZkOtCK6;X*bfSh>A{Nw-I-_v%^+(dMwe$(`QTO(~`k#SM=4vGTv) z$MGSw+~`0PNC}&vv|s-BI;2JV6*s{AF>#2KZNxIMZXK_ zH^r;}U(((@K8hl39Iwtyrzaty2h3n_!HwGNPBds*K^e$kn(2WW88kqEaI+hYIN*w8 z25`A1^o&p`+XXp-*S@;yzOK54T{NH|P7=t02M`qyR4#=chFeSmfzHi(WwWR>KYku%5&wk>0i#!LB}QUUn&2X_EUw~Wsyo6QWu zTh|)yz4Y+5)~A?3d2Dnwa`&u$dk; zc%$TTx}6r=LGWUDX#ddJ@Di?nC=RuT6sWt$#Z!S%JimjW`sl$0pJ^R@@H(v{J=oo^ zKV*|nM-LW?Yjz~;5HGg-^@r@n=6&=y87#sXjFRBXKGUtpvvR93>&XtHb)>U3$&;#} z&Yv_=>8bysuriNQu*ZAz01sGCY5&{f*hN%2Ysl#J*ADg$)^vaqw8GjmY1(()3d2{q zU{CEd9q5EPJfP`$8Ht{-v=!>^^8cC_vUpt5)7CX`{knv~)o#MI9<^(SEfr*cDgg7X z(O4oU8VlJ252E&oa!cF!09O)i3H6j)-do85P}O!m+G6VB>y=^!eV%m8NE}7e>AvF8 z9jTN*YyS@qa_iAI=)mMXC$;08p3zGmkis;mDtBb6GKKUzTTD@9dw38C_F|r*DvJoz zA<^fyg)irX(%>rSY7d=Eq!orct@F+|06_Ycj~9RseWakv@4XHH*g*W~kb=&mz2Co~ zXqVGMgO!R)bRHoYwtXYVpzc0%A{9K6c{U(`i%gMu{EDCZMy$yaxSgo@Nt=0rbY18) zdx)oKms9480dBGv?WVi*L@G%9UPZf%FFOg*+PU5bwfdCAQAIB#J`@vctQ=SGjmAP} z6#WTOL0(M-U|x3$xv6qX+YkE8vxyA(v>dA-g|wunqE~!)i4bKgg{0h~v|U7(;UnZx z4uIN|DY+-P-RJ;{L9QKgyP^Bm`ZTaK6>2d)VTGEJ$}W{*TU&tB+&2dV07^u4zlwIN zVvWS1FX-4qA{}g=Iao#eiUfp-atmt8J;xbs=ZERmlwo>?MIkW-WoTa4_RuM|0cPu_5RCHv;Jp?NcTO9#kfKa7GH||NV#nv`ZxDfv7VY3-*SjLAz8s 
zug5C6rC|h@ue5!y#q!af6@qptZC(ayqEkGt#qw9Au991zzQjV4b@?mCbBR?+-(l6Sn85b5Uoe428hZwLtky~yHK-4Kwwhu0!n>?M>(~7e0dQ+!DL-@? zb4gtf@emj#Ar{lu>6Oj(mWVOsd24&ie-+yKW%36wu5*Dv~I>13Z<+mwUNCM7j#Ib!6^U7%av7&?AhtzLp`m`&l^FwsUOdF=F{XknQ zdy3>o1QkmV>W;FvdB8qJlLVl-TOOuFDz(9q14(@##gE7|Bcs*|d{s<;5S&cg?__Xm zDq?*R$Al?KNRFqZi`(A-a-d$qQJ!DBk|9PF!W=|4cnE;{3sMtvK=%Rw0G)*BOBJ=M z=&W%Ev!8xTdcy{QqI-!KorBoFeJ0c$4gcmr;6^z%jgjO(jTV4j#A%mr6qkR{Nyw~$ zH$E%?!H=zy>F?Nn8$&$n{>=lw{;D*G13+uY%59Kid(IHYvLZUzZy3?6?_;F12;pZN z05G1Q?1t-D=t%rc7X9f}=^O*~`9KlW9X;oT_EE+4{1@IsjY+T|8M zI^jcyyz*(Sq0l&CYJ=_^%md=sK3V_@+2Kc*&`EQ`zKTY=1&n(-2vM}F8KJ}KEO&94 z0EEB;8*=>U#668S%m41_i|G~Acd}i?jG?Lozy)K2q2I?-7B{mn=3kqqL1js95P$vX1PU~s?yH2 zhXmlND<7Z_xE1X}#Zn*mNGqMUpF4s4QnsIKh1@qrq=OJ#EcL;vl!g6LHmT!k6CYA= zY7Kpi!2>wm{X0#Lcr+SP92lZj43j7NTN1xm4LJoVox_C9B*TuuUh9tP)c%_7yv6?s;$W!1(9f4zf0B4rULeCk=T{ zP7naHO4us7$-Mw9O>4ADpb&sWcQ*ilTO!aj030kWkc`obI|w?9vn04$JHcs<7G~=7 zzh)EB*n%~|zi8jtLPdde`Lr?xmhPy`vMAb>^w16A%LO3^&XU3fmZADgE|?8T%vHDa zTtZaEnxkX~yCW|fF927bw6uYK6TBsmKHaz@+(8n(0~{>fJsqNNjKP$jDz!@CMHZ5t zIQVN8;6TweEP#n}^?`>Er!v%9accc9@10hdZ_q#QZv_;|eo1)<+^3#O{{qze&byCi z?!{t@J4nDXt;%?ONe4;#$cr>E_)@sX0+wydZU$gFaWwjwH^}sgMUwT75CHQtpziMY z7Y~fnAtNM)R(5S^(a4m_Hv%L*n70Hs7@!5$Fb1$B4X>x>Tn{V%^|vi8{hrlY0gR#PTG z-Tm4(so+P8Ua$P^xTK-MuXK}sypS>aqoO3l8~=K!gLo?iMKAo~^{c^jzaEsb;!z5& z(_XP=KIbEi-bib3sJcRxGE~$`90!WcTPwP^^1n$1a21R;hkBSHSGWBy8}^-#Q@I@G zUMl(QaN3ToM0_XnaK1Pph|?0f=)bi>(a- z!M{R0L~b=I{z~C>VVixfHH=g#qsn-G8QW1=D)a81cKD{s!Ca$s9yDvMq|pN4pJumMU}G3#JRh$4>%(@Sw9fFGUkqcg@G8dFV8WLhn#56mQ# zihNnbMC?zQ=7>s5+nGVkt@n4uSbT>G)|ban-omJ~hcD;M|08^l8wvn(AuqnNr+ig- z0l7JdA+uKU>jQu1=0V7x_*3}u&0_R%LP&TqxjA^4UG)2ty&r##H`$kxA`|yN%WS(k zq3*unt5oKCIp3K6NC(l{ZS!vQqw~qBobjU*#)He~R6-l&Se&_J&@<0;;{mGs@j)`w zJ=stnX@%(Q7^n|i{u&R8{QAfYhz|I5kB#Dy8TSid;@nTb;?l{W&R&ak#6P3}nR+olIl}tX(DOKpI-wGH)nx;=~V0}n#f zuHq3h@jWVjU^bqI2P?P$#ankNdO^O*?cxq0 zazUI{OY`JEU?a5TO}|L}$|laoSGNx#xm7?XyIhIH5&!?i8JM+JYHC84vaT zQ(j~j6HPDhK*e)ZD0;765bb?mzGwv(#A!VDgB2*_RXhh?5K9iQ{{~$U^Aha80`{B7 
ze)HLH4*Qjq@f2G={0a}0;<3tDWsEXfL3@-U1)Up>VfJVYGe+Y=8;V~Lr)BQFXaz+Z zEX1+adu`O_Y4vgpXQf74mRL}h0JWGEYVG#WDLgzo8e3vPBeDYzmi(fEn^LFH$$DkN zd+Z`@yk8$!@MS7c#`*QX*p%XN=;~PViF^=NoLccqW&HxqbWm-2K}~uMUnJ#hAm6_M zb$;+GKPmCQ7?M=tM^B4S4@&`Hl=*~Cj0|M{gbSqp!JgVxF31~iP46JuN7i^o3IJZ2 zP&s2(TQ`bixK@aQl9MW+29j58`%(N3lq;CNL@wY*;p_hJYsDJ~&Sou>! zg)|-hsUel7=ls+Vr0E%EIv+(OKTQ{z=|LzW714Czb}K*;sh9&G5zwBJN;m+x#Ej&B zDT(oH6gQZ)=u{Fa%dwd`bTWxMSx##`%Q;7La#+r{W=??_$XIu0z062;K^ffx+ynaT z@62m;HTNoWf=fQ}X*+E3nxrvAw%iK!+0r26`?(ziqLbUeZ~&AwDmr0gF6JtGZ((5d<=v8kS(Jjd}O0cZtvAeh$W zs^>h^9UoJ!e?2OwL%}+0JuD?~7Ri7XcW|@-!tOH@1OV{zcT(ucs^S|6AwR2A#Omxc z>ugBYdFt9ad92Pq%{rTtb!M_Um={?gqJ`q7m5Vq4(C#4rLO0PoHJMjHC=ppz;@Ua4 zr?@sI*2LQO*SmK2j%kNeNK?HZ^9zauunLy$QqXy|(s6RU0MK5!MOhJ9Ay5p27f32< zQpD;7&bBshq$QYIWvuHYM9uwFL6N2b766c$Z!GO3q)I_sn+90`fU}yNN<+j(*NCIj zvs2iYlFBuk(^3FHd(zGqMlJ+X+xDXKH|<&R6w8IPh_fLw$o$5Knjy~o@&N&i^P%s@ zR`$K0a^+~R54CGI1FYnU)rusyh}DWSz)e*U=NfGnpVnCDv^{hPAXr)%Sw&}2zz0hr zv0yRYx@Q3McNI)E_FN^TO2wlkRjeNERK@Cjk%L~8wGx{j2UCset86|6tD~obe^jt_ z<&adpU{J`4h9tX5j0j@;5OoDx2 zX{y#vf>{t}?xCw#u*y|X(X|E;^B348qH}VKSFGNxv|VsBV-K5Bdo*3q=aO|yiOIG^+d0y( zVuYpENYM_*R!rd1&aD`cLR+{&MV~Tlr&xWit<`KGwf12ymrM1q3d%# zt!c%GRJyTSNBy|5!+(`Q&>D?}ECH?r4a=g%`$h>sZk1zlvsXT-;`{6YE3BwnkOqJ< zNpaN%@A2alt=+1K>IFqqKT^UAtRQ%U7Z=)8%P_m*YAR>95k1j8^{7EbwG=RQ&ct>( zR`17|PmB`4SUI-krZ50LeHCkVh+;1v;m0Wos=HtBQ>9cwYxt5l-v-53KAI~eGQ*dm zA)BIgBXV=%It4?UdfV`V ztg*h@!)d5P5vvc3RmM;j>9*&2Fdolwj>mJP@whP0kG?5lb`%9k+uQoF5chq`F956s zEdZ3cw;c#(m$?sY3-)aA49zUbCmF};rEXbfZPnp&R~YP>7B9j zD55@}I2&ya_JF!O_j!{)zqvpF39q;b=TU^PlQt0IpS&P$+KEO=;wJ3;b#|V(3E%$f zY^M>wN=SnzpKJ8kZOms-2?OG;kpc)W$OoYuJSVTB6IcP5=Ljzt2tp#%-4o1#^m}%Q z0P2e%&U|Skd$rf?ImVU-U*JLb2^olM6q!BUp$Vw-lWTb}35wox^xLUJ1fYzUn|}%J&-;PV)Y9u7m77@s6&oI&KN8JU+G>&AI{<8H5rQ5nG(!^rA;b#a!B!08FOt4 z*&)YNbW(ABT`p?voU*QWt9JaP){v9f@N2=B8_KkkRD$TDrtuz+b`aB#F!QkvF|XYx zfFU!p%L}6iLp|6<@$%$CP8>{$t0LA6$b-83iRY=T>K!ZqtwRiT3#3msw$JV$0Wz7? 
zL$V|BPW0ds8_j*2=B7_)PT2o3yMxf(M&%T3p#*~6nZE*?9Mcx&fzUK|FV&B=oN$>{ z*b)wHFo&?0Wjf7FS2DAfW#*Zg_kU<+zU5*D_-CJ^ZA};=n0rMT2X(jQdER_k^}_Q! z7zg$KUp~)+u~6@O_IVzRA&%T3?0NQIeFCT~%rD?VrBHW&%^K=HgtdB-B{(y2fh8^u zW(kgs{e+oFV~GQ1qBl!?GFUL5OKmrEhds}OxSMj&DPr_rrmpqY7ii5_%nB}+SeLBL z639%fWBo2N6Mtuk$IQgrEb-^At|pqf`&h1juwYtpc?Ku%CYY+)rYn~8dsSYswWV~ORiA|p=lLcB3=KF5jSnD%%R-wUUUxD9<@U5 zGju__EH3Q}wR$_L(_W!ode2&^)EM=Z=kJyInbajd?V5sRuhJbA%E1HpCkPdbJZ7~)2MNd0%^l>xgU4~Z=N>}{4`_^ZZO0|*qvIphP+LcoH9Wl*$H(=#DTDMe%3B$Hzn5cl~eyL`i615|~hTZ)UAP{mnHwbPbjdVEcXJdJ|_Z7$AVapOh)_ zTT%eP{1^8LKyK0Ja1is4s;1|CW0U#hfBX6_{{)@^0uVpkXw3njOzTXa|9hzORku)v zo}QUkXgxfD(oje50Rl)+9KAl-pN;lshx%$;4geKbItbqAG-2RPeq2dE-k4`* zdXkwTmYHv64ohavV3~uitvQlq4!E|>yYCW!xM?FabMH;&=9sznnYni+bJNXSznPnt z%)NLg%e~*s?U&5`=1$sKk(qgOGP9Xw7Mq#3Co|u<(+oC|Oulxf00Pz$ZL2ngo{*3Y zY6e$+PL9F#P=Ax=`St#PdVpOFYcp~Hz##y&9acX&OFu8WQviO~ccFNE^HoAr>;>Lv zEYt^TJM0SCE^b;)_m!fn(*L;XmL87#O{Z>!!zeo@gWz8=rcjGE2j{3LCby_~sV`z=l-rmh}OWS!xJJQP1!*rD+y<6oL zMXSBF?YwrpRYeE1hFc-2L+4d=+_#d=UlzcmiHRHVIIGGWUOZeyA>q^gc0wHMWC4gZ zp^U|JM}R+xl`}>&IIE$Spb#Zj7Th)S|9}bB|JD}6Klq0LOpY1 zw^Vkd+&9t&#Ol4okxxIr`^PHo-fRfsrcvF^ayu>W1@(dRyRp5RQDyehp3fLGV^L`b ziLdV@q~xa1d1j?{Y5hz>j5L@ zek+K^mh#5n=^cbL!S&&-JS|HPWi~|Ee;{Fjq#mNFK&-LoMI?Or_w&w7nmo1MycaoS zyg-<9@{17jHx~+EG7FeiPZ3+rIv$MGr_VrN{yGc~h3jmI58PrJIxNUH!`1&UAw)0w zFnqc9d|r#?B&-E9=A960Vy^l{hc)9*zYbX>+|?Dbh)RtWifR8{roB(MuRV059D}G9 z)*i8HThl3K1T0QG6OxZ7`~mxPgN0JXj^T;`kVV{7Nk4QoElSrRSB6*$t`Be%VeMh7 zw$*O7(Ff}8acj+`?Ry6ml@e)CcmHWE4-$!0lj}ztPj(XW48*)hX+ulsy0XSFgDZgg zN)z~Y2B=94j>I7(*_gFFfLeRXyk4f=&LBFwcKf{RC?lBc@U7b^c}*0Ahui^m_lC7R z2pJIbuMK6G6&;!c^$lT;5`kd@nB$lhsJq`we*D<&Ns>7ZU6x~GQ3urB_H{fMZCsqe zTnC`D#?Gr|C?<&cqM!_ed_ zSX@N;7D~n9^QU(ZW~?u_{$xTo+E_HLgG6HsZdvUs{oIevphL#xN14g}6Ipa9S4Vdc z3WyDZ*qr;C_N|X3C-aZ~0-&YO3}Ta-^s~5#v8mPt!Ha>woKbh$)FYL`~z<@!{z;Q%!j`8q5TkjNgSK|oBQ`~ zSIm$_5c3W<1wyu8cOPHF{6W(X_CwwA-I`>-esqaAme4Qpz{a7h0lbcqGUKyO=C3@` zi}@=b_{LBH`1RS6mGN1Abas^fPrw|=A198!{RI$sNRCZp?&KY-x?1<4{olU{(OK3@ 
zw%N;{lD#}hd%^3TqMMs*$gMN}ob2#5^PMe;DdDZDgx&gQL)|@mjR|l$FXu8TJzka&kzL1sTxFSdc5L zyI7FeZR}X2Cj0--Z2};UH)YeDm@d_|_rJHBS3o^}5qe!2ub@xO@RMEfv=MvkW0hQ; zb9=Zh%*_mNe%<}{Y91(46X|~4y>&Gc=2B9w*S}7{wORo7%a5L#3gzN)X{NgK3b2lrx@`bv>FNv>T6{Bka0L+&YB#p%JP=5ia zm3~Q7(HZ!Rk9o6)oDXG4m4%!RcZV;f&9};}iSM+goPuDm=luH$9u4-GuNFKUv=__@ z_DBp4I434D16dOjw!n=O6P7^wMAQO5JE~y6l&y%>EZ%h!++#p)x7-3=E>3v4^D z7ZD|VsedS??Z7bIdS}AP#zY*S=dqArKAa^LRu0x5U?b=TNuAv4Ls?Sdc(gTm9SdFe z>NDoD+;FP^(0-ROH`S#|w(_1(cfb4$rAqJJCV=?nP8Qxg`xozalIPR@TaR8Sbyy@> zjoi!Tw)8RXqko;tJO{RIzsZxh7)6GH@mOKi9> z!>~+ z6`e5teU%W_g`WB9avq@i;O`*j1-gaFM^Mk~e47V2%vegXdOsVf-+b5b71SNCuVQk3 z?vEothk`dj%r_418bh*UeF5iN*EJZ{Ke}YdU43JwH$bsqCaz3&RSQWIEcHuPHTN)y zQIZF_ooE>)SStF*`Wyfnmc5jdjHmP~OZ*RSV@HRs#*b#_!O80&=5HUwwAlK6Bz%dRmxT_nM=LmDUyuesc!3opZt2_^>V*zy zTX&oKc}IBbN+E@E7HQ~^vC@oDLRqr9mF9N(=#K(eO<4>-cI>)G0Am%@uAuV)A~#R= zyPAWy!&$XXAKscmyP&L2wsFNUTZtZAkfx%>$?-x$2>J+;+QcW(gA20sa*m21$qoX4 z6hMMXlKM)f|Hu_UfJ|OJxgO$y(`bisbAU{yy+FJ*wX2sKjCHJ+V2|j*1>FKxnM|7; z-`|<+2WpqBp^ty+>vze%I{%RDYbfjMf1O=@je~msDJyx#uZ*U&<4u!zetmZr$!*Fh zm>o)|Jl2#1A&G+lyWBd-cxDcj$O!;oelz347!4o5TK73Ae#ChKFh2O)0s#&D5d84hNn`jNXO}_n` z3E5ZsQJ%mXCF0r`yC0{hA=_8l8n8k=^RsUWnZy)GpZ`GsxLC?Y`-~Ca5<!Pi}+{nRTKgvNREA;OtfJ9c;U=qpP>-(|5 zyBQp_%aRXbRmxCY4dT=9Q2rf{v!Z=Q^D)-D7+DPfK>Lixj}hY9Uw$WTs}K5;)Ir_- z$=`U8TdQC%(C08s@is{SFnW3k58J*@2mw+8Mb%L7Vykf{{k*<>0R8-W9g^Jr$x)&M zjCMvO0kDc`#|S}()}eE``ysc(*mIPS2duSW@?HA4n}jF2j0(@}OL zsg!g-t9|hn0kE+=gZ3HE9%Yoi+`ExQ2Zr632MGY+jnD!>(1zNKt%nI&hdq*5?Qx3Lo;=q%Q{Voy3EqO61u(23 z@(RP*!?ahAF*F|cGSzmdHzn=nJM5nz8~;ZqAsVqPy+^4WVMTS?(WT+be9&4ThWfe| z4hm(Dn)R)-(Zgci-KV{J3!M(oN=twrk@%O)U-}X&2=&*9H8@>=jF6FbSbCa0OXR+W z_yacm>(3LCoOOIN{hnBZcj}K3MYN~>ympk<7JC2%kGG*Bn}Ww@prVZAmkC*0Xy=#Q z2Jz~`bc*L&f+8MfyUkN#(TdUmK*Ma8S8Z1V{mce#!H-K~_2W)`K#lR-AwpaY<#u#IMU8SZYwq|J)*St?dD4&D(zI8t zIJE*K5iK({fjZ?b^i>l-0HfbwLIT`mG)2mwIHEtq{0~%aZoyCz ztDzICFJ5UoA8i1%Kuf<#GM1B{O5XqcUH}P)w&=wxAk-a_dZ=}zh2D>AOeb>4E4M28 z2%@^qEjcy}tM5`wQl{YGi&s=!{Nfc4E`Apb(=&Rxc7_BG3cd>xf?i;Eb%sQh+dT}a 
z?*i??7q5T>MZk)Vh}9I?MaIE{P*{xh_y~1oJ=~wigGb495TeUI0GQ zkkAyeUD2)xV)SN0NPtX~V-zqY+M*}`Xs77it)Sv)(p#S`WH7Sy)ghBC1#HuZV=z-u zsZxp7PC{8wcc-DG{_jQs#8)w1&GE_Y0>G282&G*ZNgd4PkFL6%^Ic|Hi-C;*>Egdm^z$cwHhV)ZwpO256Y zRDHDs9q6hkR)68zTTT%{ezKdpZu~7jfYF;wTb^q}eABIx|4Y{1$yj@FQ`QKGj+aGS zf*C05NfSO&$bjpi{(?k>qxb2LCPmEap4k*iZb~!fi9C7?_vT{uWGp-V#KJYcvWwBUA9LtmC z>)03l*9!vhq0@dG0^Z7@-UtcyWC|bC-}24uqNEt&QKk=Yi2PDEM4u8zVX~P)-Uxv@ ze|#SgVCg|WYK6K(ZRG*P%q@XCAF%-LyJ77yo^HL(zY~Cu`#NE#IABMP)^S}(iwh*_ zH~Q$!rb57J|HW2_-^jMYAUgop1m00A`8HVq5OvBeax*Si=Z(aIsm8`H38{jlF830w zxE!X`^4nGBdj#Bf_-z8H^yEikp-018mbd9i|v2~HL;a7hMCRV8xV(Vcrh^EIz>viyl_760;utP5Pv3sM-{$3XgD;*&9MAMlUgqYSg;4)sC7VOPXO~lsaBgn_gx$0A z1;F{yiQciYew|zy-_u@(qBk%F=6S~Web9$X>bey6!H|5)ziesZn88-(KDub=j1fw( z=WWEXQ4&C6RA*DjC&$8DE#_j$a!hW4S}X;+>5PNvWp}Ny%;Nw^oGe4D=dpl88<`C+ zF>a&cR)%R~SjYhodJpPuD;x5O8<+-+nLI4JK*-NRXG7fgrd;9I5ws~;cu=xw3;Tf3 z-2n?dz%zTY2Q%+yvx6dFRk9&ZHZISu=wySVSoi%WO|1Jtw!mCTWaC-c3@v@thZ4?J zaxB`s;6Ch^@;7i5N5DA%DlUN;0EF(Qyl){yyJ77~8>}^QOrM|3uV>nB%3|BK_Flnm zT6+rRme=ytJ&jlGEe zO+%hysBfV_H16EX*z{=uPL6ryX6A!!Qh2LnFjE1@V$D;QAr=4%E8npcSO6fk+VOj% zEun6zt2QLM+CtqDnW#-cO>#@Z8sLGAxwj`|O=n zt&zswr@HFO9Z+|Vj`F}5QrJN@o3F5}5*{EWCI&2&!#TQbhPj-HUW{Jc6-b#Rx3Y$B zxxWrvQ2Kelrqzy!Vfh$dk{Ie(r1CkKJ?rKxM?o zr08ie@(u@p7eD6o(!~FA0HE)+PK)@r7dX03^97}1X&$fwAl8hqR6dZRiZu^&YUTXY z!WBWOXJO@hUd1D9Dt;h?W?UyOe~^kLV)bb~O9zymAGz1Oze=l9Q4D2Ca!cC}6cEqI zEeiWDLm$RbCd*ZeRLLr?jVZ2+;@Udf?$8tp9@hXVG?wnOo^p$d&Z}b0BI&x}y7X?c zb*184c0HE1-J`2E()Pnzvt`9~O4a9b%35)4Om&?%TU_9Eoeh=8V|1(drKHa06^$M_ z75Sw;DpI9v;wW^m*t%JGfMj~_uhq;``9}wf5$l(%xLC?anoqy4G5_)o%6+R+wu=2y zpC6(2q(TTuj6oTa+1bmQ{`9} z9V7i-%KBA2B4q+SapXsB4%FQF1-ioJQnF)oV< z*|XRjKraEPuEloo=@*z`{WP05`mIk?Z}jSqaWHx?xJaz=SS!b-s+FD;v1Xw~thr09 z8Oar4PsVUPBg$?qwZr!+6-Vfr6k(4|NxKAfw^!pqk#1c}E2v`4WI;Q6Z$DZ^P1|2I zMy&DhR1`VG%oyvhGd*F17g|BEo64SI8?LK___PM67oCkyB0pZF{$@PA5{UageT(o* z=hF~9v=X8tu+(FRx-}}Yg8xSk$`8H%|L8s$qK95Gw(K`0`YS1bG8+Y4DBW0ifslA2 zg$di40dBf6<`g0E1I%q_=p~33zwXz!(53Xsr;VI12#d3%qDLdDYnEMn`b+l0LabD* 
zk(e0y&AR|g>wdtYY`oJVaQjt9K1 z;1PDqFq`T+SKbSU-hsON?-fb?S5Jz>SP;CI#G1!b#hTH)SmP6hVe9KCv;lcHqjTEf zdr1@WKD7>qo~k{Z!j?U)33=Cx)gC8zPOSDw+-~Gu5z0p6!e;ZclFe`KApkrsj7LhY zopZBr=pCjkdo)@494#H`bd7pyt^<$TV1BwZS-6-L=D9|#pL;zXx85vVZ5GxM$Fv>- zs94C3==|T~&)_ft^%-ysZ?`E$Y8?HZ?!+CQrsxEJ2$>S74!*E8J zPJB4d2rI5n=ki|H`SMKHsLgXnVee+eRXf+KqESyNOr?j%y@N(=fVz8e1rPklyPh}> z*y*Xj5=$T-+2PX~o$=nCglG#( zfEZcB;!Jo3`SpSGDtG{A#hegFEObw(c&1IY%*+T_74nHP9eeB)&$!x`O!Lj!niL=R>@9*&1|FX*4IoOGgiVaYI8!REQ?Y_>!4HkbFnoQwP$39eP~tSm9|GR01n?v{Qm5PjZS9)uUlz^`Zi_fgZikGN^$A1nZfn{W>M zv-(E%N4wPm0F{P%JsB^nZLmFgLEO~(lEn8V_qfHez zwM|H}P0BcBv=`NS(YXmwcjtzAFy4>$j#kl;F)BL1kmB3jP229o06HWU9bjJ7_d=bI zuHoqr#YcIdOrV2gCb9n$Ho-cty8uciq1lp64{=a;d>1zD#oWij%#OA@XE=ase#a*J=3vQlZgprVt$ zm6RDTl4Ht*am1lynyvu zvzRBSi_h?MYy5+XUZS@t>|S<@K-nj4HAjixCcK79Fj-Gts6A{eQ)+8%;-;9_+$+j> zW$b8Z%6g+!v}X*u40ZS4mhymYf`4V0lreEfB<9yM`^@42WgqrHonQJ4GkqsZc`%M` zg0am0FGB$I*qFQjxn2SYq(a?scnPbVALfB?ZHeOAp^AQkvJb6_9!en&B|`vm^N^8t zQ9ngFrCr96orEZ8yRLBF=(or!nSnlxJ3k`Cue+apfd{VI;O~qSmUdL!Ow&;3&%VF| zpXjagRiRx9X)xyPBn0hJQR`Y`BW-b&BGz1@j8~4){S!j)$SgWiMIUGJtyXn~(1p%M ze#uVP*JfnwHP_cBx4;|wX@jlBup7-llFd-+m&QsmRbaVM=)Q6FP2Q~GUK z$^&s5|5PslxORy8C3>#0C&L?!1#b_#*WE;g)RDGePqfRJ)J%wq8dn*kn+Z`?LUe$c zOECMtbODeZERw)~3wSZQoYLZjQ^e|p*;H&C=9P(G@BineyeVA|L}B{hNuwQDfgc@# zy1Qs8)8oi7Ja!7*kHk@#E&yDf4R!YeOOy7W>5RFXm`pyB&a5=<>myJm47ydZrf`s0 z16^WG(O|J=&X5UW&4Lm1XE^=w(jS%nc<9eC`lHaFLi#h5{@go3tSKyjx?AkpqrBP2 z@!zqY-Aj3Z=M+J0`waH}A&nI_n}xomJb<_;AL2PqcK?^gvS%-)m?_jv0O}C;jX44k zwKXXed0rK(`={p!Kp~CL(tioDj*3hjGs}lT?8i~<9 z%!~Q<5*3~JnKpmQ=agfjCv4Dl0tg7o6jT?D1#hCO0!y1J{oRQc&ktWpn{UyJI9jf{ zj;i9QqlzAs2-F=#3zJCsy(JWvZ%ndv#Ie~%`Ekn6jc5Ga?U176p{8+?(b;UWjkmK6 zyGR-;){FvBcU(7+2LbCe;^>`bI`Og2OA)(Odco^UL)R5>4XSi+PVbm@xK)eYx7iW0!{dUy?ZC=#mjglZgLRUqC7iO!d-LDr*!{|B9V>HLHa}f_z=7UeHZug^N zDaV-JX`$Ou6>FwiRdh(DC)aQ_6C&1(OBHKEyjZhXpdz#Z_OZ+qu_nZcHH$4wEH+N= zHG!z;#ZrnwiPb7dPrh+|3tsj_$LdWK;1J$*GL><6>!$GDev|F+-73 zL{I$`KUSqd5c{P<;wTrGVGDDIv_0QAdyWu=GE)uC_)DE^r9tR!nHY;1ID@xcyXc|Y 
z=z>Gt{oG>yXPR!(?{k}}7KhiyKS*czsFoXKO$9f3>mX00t zOL3*N5u(@V2q8KFQIy%!{EWwgD7t}V)j9oLS*0Gk4>fj4H$GGgQG+iTyjwed&Y!#M z{|J3uaoiM5F2ZOl6HNxRo5IlvQ?l`)qbu3`*RJR!#2DPf{76|;JUIt@O8l6WE*(KRB8XX? zP&ZsYMb*nlv^CU2#if!eR+l>IPo6?Pj>dvc1zFcYtiR4e#}wKWOJN3SLe^D@?p{2@ z=C#boP`G-9e9RivGdGv=AlOfCRa|XLu2-P7`wYanSzd<*qVfa!sF zk&RY&{O3_hUq5K-Bt(ueQy}8dc>$=H)sS0ox!sEn$T3&Lk|A(blT&rA>9!&bfRI(S zjLngo=`5F6@W>p9KcFMEWGwd%$$D~bn(Ep!*Q)BHIY?rOTCeMKaoL9e0PM+9x&4Z( zZfA&Wv9@kqNIbJZ@%hqHD&@tW&sf#TX%o~F1yr$G8MQE=9i*XB^L zee88zDgQmx-Piw>>1}uc(B8$TU!n^&(jH&W0mk@?k$+OEOhM9af@GbF4!50mH3a8D zJu?GQWX)i~)>w}DQKKJ4UpF_wXHT$qUKRnE0H$oJAG6XVoRf{}3pm!SK8Hh>&;`S@ zk0K=*1VyphlSP^o*LGDLaX68ptntr!m%*np`T|>lP9OJ;53`GB1+Sw3STVv%A-B6h z0BD3Qz?D3s=3Z90qi8~gijEq`>IqRAo@9664CGM3HS{~L9wK;T$*9uSQL|c|=tAyJ zv*~ae0BC|uMMoP1&@jTv2e^{lb1HWjjmR+8{;W0a13Dx=G!4#TsLBbkzJU#L)*y(U zve1SYFTw0U%8D@H7!3K0LXvJ605V*Szb;$0F53y&$R6( zO1wr&?3-{vJu`C#54^4`V)WroLgITm2_cR{)?W#arbg^9RIZ5M+_@@ z@#1V_V}1vLrJtF8m{+iYaVH^KwleLfu~nKlcp05n!!i>D|Dccr#B0Zk?b|c}K*{8( zWLLc75+T=ING|y04e3m_eTs8OvaUfRTMk@1u)56j3DM&pYr&olYe5|^|^T-){2oT+GF*sEH)ZNT+UMCS+o+2JvY#OnI@CjkA_TTg1q7%nmDKx$6^g+0y_3Zl~)DQHub;dW+KDqNl|* zF(s!V^aNA39tkDwUq~uF`*I5#jiRfWgr3$atV&t>e2(dw&!fw7b5(pIp|Xo4R*!Vb zE&A+Cf{eEFxnIP`5kkC?RxvWwjJ`B_p4s$~&QuWh(L5514`)vd<d2!s2T zDSQ&-4(G$P=OiggA*mpG8jsAP^S-Hp8IrO2CFk09UT#KpsG%yM=#SG01b>Il$t@~( zrmMK6YF*oTbZH&BkhoE|-u}~f3_Ma2HkVM{IwRCV$hu089Ek<3Vs&{IZLUOhotbM3 z@G3epG4UANXo~BH@`-q178PuH&lDy|zo{{;OH6K2bk$AT+T@m1x;m7!wfRvU)ZGt< zc)(2FR$Wb{99|+jz)$o>zYX=FgLsb~Kv#n};#?v_(XMd4o3$fLv|65pbhv=d7^k)p z63?@mFLnQ$(sjJ9eojarRhg!&RkW+=!S0H7)uyo1>=o6EDmrU?zJ)Q0>Teu|a~1#? zUsJJtfhk7*_nFjdoSl$<$F8IT(}u(z6jgM>czp{q5Dca!i~v!lC|YM~p}2O3Lbiu) zER38E_J+E+jj}c?s9YG$L2VAGK);d!| z{f$0b2VGv|FmZ#fa^_*w z)m*yMI^|})h!|si)FC-@ZFr_tb$wUfjhRTe zYC|Uz*63+wic=jl;XJe>6~z67kO&I`@}ueb^%ZR5FHdBq=i7qj31jbbI)08X^v8*! 
zTL&ZuIS|m}pwA)bg7M%k6P@WZIeH>yWihDqrTaF`;NB<1WiZ8PtUUSt?{X?YC)st- zaTT3abB`KB_7M`F%K=be3H=sI4wzdnH^_td-_55Tcny;f!hf}LiuQTZk*JHOgPrt3Hgo6jpp<5`9c2I-;jO_ zI#L1c2kNt>nSmmx^DoU|aQ_ec<+rggrnD3FM8-oY27vm`a1RdlPF*=n4z*rk&ZtdbLc>s*2 zZwN6iy+?>Kb&JX8%;y2X8l9nA`PX;d#K-{pZ@2IMrHGMS4uA$vK5*B5Ue|2Kd3QJ0 zeO@a@#+U(WjfQv4S0Z0ic74lW3jk-t=wlY>D^NLLXcytj~ijiYZrT`FMmMMUW%YgY(I|cx7Q(0MDzMt|bz6{sMY;oDg zjFH)`pwH<{GXKDy=fA-;3jCY2!3EHG;X^{0-N~RfU)=P4&rwmHp4wZ-TiF= z4~+XhB!t1tk4}hd_+FU;Fs?iJqqX#BkDE*PXlp7k7H($VR#F;0b~^x|f#1OiK#ZTY z0ANht%y^VtkMk7nmPU`godq;I)s_n4pU@i5{nrBG-H&*=D0w8uY2?A)_?HX1R%!Io8G4^GojXj-xk|pMw z&G7MJX3=E)@k2JDKQwsm2LF<=WJzFFIyc%1J2Y}W&MEqMVyU+Vn!NYA9PYIm0$GHxo3<>I6ucJdTVjpzf{C&iN zwd6@oKYr&nDwO#2Cp%fVv$sttN|kJ*&{;)WngNndNGMJ6X^nQDt1)x}&az5Q$nA&P zX4*0kqgN=`J>+#}G95Jl0KSTbPuV%!z|c`wXS4$G*pTR z-3!O(Cf`4Qp9)~<4yLx^_BVu?m;~`=X2^YiJt1)i3!yUHhCC(lT*^j!?D`yznU6PW zCzk$yjQtCE6UF*Cj!&BG5};*+vRDzc>Y_#A*eFpdjdp3G69}9FBQ^e#N^`MjaC(BFNdcJ6i@8>|j=* zof&_YNAa_8vIM2^3Mkko=mKj!MZ6grlL@HrI8DzVGT6e@QXGS>?Eu8SUp9mXxDb0p#p4! 
zaq2rl5^FH2N~~qBa@A1HM9C|c+ykmNvfBezRzFOI>ppU9Q8XJ}YuHPoC zdYMqFv+7HV4SIizUp+OKwmF}yqhFrmul6;Hb=OVL!DZ3y zvw3#FFP-5jiR_Wm3eK$OQ?6C@P!_6s=x*AX>W6@x1so&JE>?<%qvGmUCR-62@|p3E zWrUcA1%Z^Jk?~&|FWJ#K0Bdt3thskvS|K$krDCP}vA=sD2tM#1UPQ!#KX^o$$XpA= z#-W(L2QWQH!n*7EXE|hCbB$^7_%#&RB&;uyKBT=HgLQG#v!)QCV=y*N{K2G$b5Gk4 zF2&J(!G{B5u=+E5sxDsO!G!f5th=V3gvjc~m+dcr*#(ZqLjADr>hdhu;8I$$pgnwA z7UpeAWU)R`4P0!Oq`eMZ>vbNf_ehy@Wua^n{gjw!L;qao(Z)!rVE=4uN*rC=+?=&H*0aQ;3>+Y|=w;^ZDxb4~tB=LN3pz-7icwsgb zfln=KsFl&QhLFT4Co#TTOCaD%GzJfTAD_s!O73Y;3Y7JPBxfftVv7ob7hLdHvJQAN-yKi9fTwn{_ShSfoJ*4UmI4+L$U6f`8D9z-4i+Rx7y== z`h%gx#Q)=*By)ld`N|;Fgxp#jU$+fEjeiyHD|OhcabyiqO_sZ{`j=&!bZ1 z0tsfR2bk@6Iv7zB@z;|)QV+=UiFo!rUBLQK8dj!B87O#Lye~0LRUPLk76dzxnv#g^ zG$cdLf+hnIp&VB6tP!GMCNB6V?yLKnEOq%=|dk0Cp!qU4q6b}*dDb~}`B(&8OSReC}F3ao12c|!RhpMt1L4mjcYU~UE+V--kt zwRBAe`I&Lsd!)U`tm*Pc~&BRHf`>zLaV*z^7i3v34~f5X3a+86onT4Wan9 zWeA-9fVm- zs1uJZwVCdQU&fZ5%}SUDAlEWhLg9>OXh+sFFF>vjSpfwzhCl)H z1mv1OfkUc7p$zv1LR5w3YbMSpJu_MmCH`?UA;!54gv8%sGI{<_JTf{iB_yuVqG>Tg z;xn5Gagv1Hc;I@7G65<{7^)6JFrM<9ln`*(4oUqzfgjT7IhfI_hH!whCqk+6;fbXTUx@oaBSu!%0i@5#mG2UDu^(t(z%d5)^Qo)+WWQaWja)3M$!2dk(2dOwd}&&#D8-St&~ zLq=`272(n1-ZMN}WC`A>^-I^6qh>;8Hlt>QCUb^0l1dPMfRYpD$ixX%1a0ZGph3L zu>>qwdkJA>v%S#x@lQgaC=`#c6cI8u)e{o`Or$j0%eZ%t00`AIp8_Ex&rYSZI@6G) zvw4nl`YF@@*)bj&+Zy07031~9ONWh+O2^!36|hk~|DAC1I$_prA~<7P{uw32wU?ql zut!l(YLj4d)O<|{9&O<9yEFaThu1RIxj?e1-z&e(2%qPITsSF&u9w3(5(-_TPo!$| zDzh^`9Oc3JJrc@dczj)E`N3B5Y@1XSxsyHe9YqMqv4lF9pL+Cb0wHGOx3QPVl9})Q znvk%&<3*k_g<#4nXNuL*X%>Xyoe3d<#|z_k!nJNz3X_%n`eM`2YZCOsubw0#J_@)Q zeu_iJU8`V2z4sJ{a@q(HYa4|8+O3pf$*b7rucVZ;P7ddEZxg%$9z69r#Uq@(c~Y8O zV(UITawq*lqAec1xhi4}Lnsfj87obW&{jX(H4T4?LkXuL)AbBB6T&9dz07iFUQe?) 
z5}TdZGuTPX%fz}X{TmLcc^P!p79QbITy7@Bd@6!O(@}9l(<=zJYZUOr#b>3p4_3g_rTth+tqO#eUhTe~SKq*du076n@Yk4kXH z4tAI~`>Q5G78pIsDQY$W-lc>>CE_bd9>IgMt|l!|q&27YgSu07V%?it7-$^=^B?21V#LR-9M(vwe3c>Ia6 z6R--E64wNt!n%9*lN>6foev)7krDZj5WK)>yNHl@Y7-&GghPbHQ|Pbj{~#pZco8mB zKKOx<_=$_m8mwBpK;oWj{yK%#-M75JT*JAJJPGGWhiP&xI|Ds_c5&EUcAiJ5ihK1u zk1WO2;C=b$jlovVy7&*UMm>gp3mEn#)PMa5k9=xf;Bmk1a(~Ssxd>}R=w{peHitZF zvtRSlUAyN=4u$VWKEd;?OsbtRtZdF8;#-G!Br7Bs+UD0?l}~cWuQnKkUlNj&6?_#o z?={c2r=nB&LC&Wy;SQc9B#{S#)>Q=!ge30Bc`&pw?B3nTBNY6~*s#frEgPZ|(Z8QG z&({y}DDg(v{RM>*B90Um=_(x}T~YO?h={-b1`6(V!YYrHuI5Sf@AYb4rm)&0bxO3t z%4i8WV_|oIwxLau)V%J&z9nK|BToh0JFHZcEsxX&Q(lROla^vtyU|K9q`2#yyNfwX zcgRyZLte`}MCCRsRrKOP3l(<#I`?NWhl-qA)*%~0#-CqNyv;O|YM$iRxu1$T5R3Oh zS$8!rGg=?KRympC*ST%Q9CB`1M+ia*hhOK`|CM&u(@GzFMTm2YlZ4%i8tCT9>+aXN zcZxX#FoBf9U~6N>SA@KBFu@s=vIi;~ z53_nV2&-d$ohvi}^qvk@oC%*^_wFkev@u;oDD3V^TP{`=I!k_?dyow**xG1XY4+gH zm9$RSeW9K~c4m-wP{@pt0ZSo+-_ZiU3E-Xebb!@n9Xi3<;7q^Ham5@8wl>~rfu6sT zkYZKIup$&+f)Fa<%IbNf4RJ(bl%_;t#cC-nEY^lxb15T}HaDchrSu&PpyQ>C8v!8w zQo1_>=yWLqZaIc@rs*6@v07^0QNBEuyBaTq)!u8=yzatkFJR+pZznY`lZYLEqk=Ac zIqW`oj=wAb1CG`OZ^BxCI!m9dg_~#>xMc5d4`;)LbmCUOo;Ldl4u#zxoC6(~d*%s_ z!au*3JrwY(7W`#Rc}paU+x z!E&O_+k_;>3QKEdCdpD8n(SDEUb7%)ZNneks$}(SA~j&uZTEslbGcL&mTsf9)UD8f zv11|K8=reE8@E;*ByP}_%uRVx>_NmF`P^ZrFzuk#)EGW zBF|57USZYqHnKIGv`p^hjn;?mfs^u3_m%_w*G6+FZaokDnAGH0p6^=HFH4t6j^+6~ zW;PLo(DX+P=i9(iy00Q+UbHUsD;$(f84do=_VXyQ{c;~DLRm$QAe6;gSEz{Yn!TbYb27Ej0VYejWsv&@B)^ zkyD!ZP#amfXb-iI*1=6m+c6aG{{1}iWS9?0?z%kFU$j6;?ID zDjFN#B1HWi>+T=MatOZ;{x9~yDYz+Ca_0y!zIlg`_=P_SF;-U-690q#N}*cv@jsae zG|as9>r@|u_frFlET8Y3&gJyoWVRC$Z&MzxEN_9u0e!9jy5YAzsZdrOG89$>xo230@P4 z1>0TWtS4R8C)0f(k2U4LpLrC&77in$pw;TLThp$1RKG;~-fJv}tk^E=1+9ttt(qzs zGrk~1OO@pLp6ow_$lhi`wCHSjnC6%49`y{?-Pe!hkk{&$?6Th7(yc-@WVJxDd%B&L zRgaWvlzmD+XDvZ+q8DnX49WFNcza>%;D|r!JRxDgBK1Y9=I7D@3!J2{EQGBqV+t9EX6;^vM`D3Eh9< zQ42k2-}2sl?%RaK&%+JPqhP0B2L}S1GpV4jZLq#Zr~YY5hJT|QF-3@MZvt(mZ`d6; z1wuiluzCgMkii>FOnATW5+)e;eGW)Kk9i#a)(g8+a7T2ba7l+vlNIOk2K$9!QyNNKbRuij)q$UoX6rQ^{xc>I>k 
z{^MhrSnu9;fG$~0he|%JObWxb(>zG35s76-B#Ie+?Q>=qX_Fv&9^tiiM5^*5r;#1B#T3(GdKT{?#ti&=s+Hk|8AM97FF4wGx*hOz z`(9|@PH3N^PPeOl?H;Y41M5mUZP+Fcm-VMeVo|_0T+S|^-X4$NnTbiPDsnAzUPZ~; zz2DhTdr|4_O&&XDG73u#~~Yeox={O_^Am1N>W9CEFsg zV1}%E?V4=&sK@+jgRFXyCa21(*G6~a+q-!LSEQR$eab~!=))4RGn`B3NG%$f-qrP| z4V_&aPBJ$mUGLr0dn?!W=%;cxX;Gmkm&uCL;oR`~13UziZ1Fr&y^BXBTt$LM#ae;X zi3zpEYH1l3WsNNrVKR!Z^AL(LY`?n0?Z$+1*% z_#lsjVzu;L016+n6wj4UD~25 zODG-MxPlPl{0c&}{`TmWU^{JyO$$MUHeq>-SD93qPSpN*-}4~Yfu{7uW58LE1)(Bi z>mowbJW0*Vg==}r--KxA^HhP^_&Z}+RH6>v6v!B9(yAjPsJ8JI~p0|6rz>%mwT+)Fcsi~HwP?cyU#;q$_uHkQ)Jx5n(hdl z9tnkJiO3qK_2U!G#@U1UJ(YySA8iCOxPK!d@qvv@u|LUOAVzM=1*#SX9&~Q;>)fg$ z4vnOhsy?Aj^h9c2rkdvoI@G)jth+xgqMZNGE*=@Z<`EKa)kugD{f3ZuQv)H!&eep( z&o;D-EKYy9wKyBujhA!zc|})o`Jta&;_@#PUC!m*pTM|i?f4rFK*T%uq&h~|dC-|5 zyMP^Gy~q1S9Lli>Q8OaTKcV>ET|D!_(_ zt_B!|U+>ZSF%CW7g^0l)%n^+L!5qO8kkgRJB;v4^!T~LXURFrN9QKtsbmlI|Jw?RZ zSnke3IJaSm1^2-F50>~C5~LOqM+Vcx8J0K+b&j$`Gl1=7iFPooZM8g#pF2m0u7Le zd6GvhagEPn-F3XUCCIkJcyGBC$?B$gcrt41{Xy6MnEq$Q_m;Hn*i(jaB(JMLj^ole<8PX^%B->H!`pz1jx*83DnD zd~n9zM>*;U-eAmIWJNyx(bGQFdm8K9jcaVkr+OQG>aTwFl(Dd{4Mk%wbo6O2A&^On z&nAiHkx~;@I@8J~$EC~n!B}m;>RIDPmkk9{3h@G?m?Vi`%d|BTdow2ivvEr99Nqway*wK6l;F`9`hK#}eZ7eQrePs$Oa$w!{I4$aB7G>5~ z+E`IK)?E+LqAq4p79P$0^b-V&-V8=B+nSTauO8a?!tnIi0%I|MfrJm+gV#Zf2Ii;V z@dVoe$sIfxp7pu{@BQBc-shSj(g$PpLOu7u5gz4+rV+9JN4m3eqEtmS&RtAW6}#jG zE2=`bV?Eze(l)XsIG~;rj_@cPyd`|TO{i^gb;_t`uu_qd$kLxZm>X`kOm3$?+mIV> zwoT^3=Wh>nD6USqeN;(XtW?;l`jFda_iavav)f=&fk|az2`xpq6qjCd8>pU>3w&m* z0<3QPyIAe@oOYN;wqPrz>zjLdgp{r;=pV1M-mkmw>%yUWE^wGfVXXed0?K>TQ($&N zcjww&JWB9He0B$q=4)J^!#q-&i4a*&iDL7ELgZ8UaX&NkTx1V@sWhjA{((n(qz+hj z*F44{Tz-(lT2Cw3KWyg_D=R<9DbuWW6r7ppjWzfAA8EsuU>`LorJ82-W4H52gXD1{ zF4|+7%nTregr`{U7or|e^V}QhIz&mR71rJFf6O7HfZZs+j9RX7J8$PvydykbkqhH# zgpft{&_h^v-}M;Wr|4aWBJlsajYnFS`9JbV-HWwpo587eN5j@k2&wd|$60INZsSp6 zKjqH(&B?!s@!s(}z?w{X{@+M~{TMz&tEsJahsuk2BjT5si;(3C=7;=OJb-6P*Kaekmg#>tcr|7%kOZ<0uP{ zfy_Hi%9V%F9h*y+y_b=*#EM3akmqA%n$!yk(Fj6FZm4pAy#*5L=N7DyR5S}R2V!|o$~F63AYWURa5g&b1S&K=}YF0AcayLjZ& 
zb8JTQ`6Qt$PI-oN3!aNLEBO|ydG`1e5OaywS!aA&Z$)?kR;Nk1bT*!#+FLHxT^|>= zc!Qiv#MWDR7O-B3xLQn^yg+D$$omK(J)hvwXTsB5=>Cu|V3CJMYeP;vx}wU%Ar!3* z^}@P)WFd!)#xqIq%D)+t7*;EA`614yOzUtEg%XKqc$$mcAF2tY==sg^@WeM>h=}M{ zk8iYrQ+tn;ZbS=g$Txa7_}jwjDPI|FLMEI2mO~!3kG;B2I=hE0kkXCjMv71c6flMU zrPS}cM>*sqU~%f#CP-OWcjr9DgK@||e@_yn(K4e=G$yD|HWQM#PBBuHM$7ZU%(T)2 zJVIfF;sd~Tlv2Bo9))PlQ%@%e93+q$Mhc^~AuHCd#iMK3J2$`VSkz^GoeYtT;XUsGyjV&BGE9woLyJhmUcZr ztg51lMPd-M zmQne!6;*jtk$-fL&ENBAq*^&*ktuFu(n*{_r_=c1AsbS?b}DXkrbWH3n&jy)$zCL@ z2mYz|JRvK`Gla+vaMCnE>a~_hj{UWNVBP)Qk32fN7*GKkQBN7FaDn*Bu*Q9`o62=4 z#PyFJd7&*t^U!vU>X(Xy7yu7jKf(MUvHA}*{K$U2I$>0eA#tE z6pWCy0x36q|NTN_ngyZ$>N%|L?602mI*Bq(vLhiHvLIAqr=o~1@62f}%zD;>Q29Zd zPu(-yBc+>ADy8Qo?R@%B6YLe5qt+-j8T!O`a>LD>@Ji5vP-Ke`d6Tx-#su@WfGNh~ zIh^o{ivdNSX5mDL_$}pwRD?6;EVLru{Ql8;Au@;7+N&J2s~*WNM8W=5Z7{apVFMSU zxdF#WwzK-TyFjp(_S7yOY3-x6!n|@N*-@BR5&2$-B!HqdW8HnIEl{*pi6n8>V$JB$|dpR7po1ZU+%BP4p;@g%NIp8n917(7)#G3naj}9KHs?>y5ZaQO(Czh=4y=og;Zz+TBjM04 ztc%yu_P6=fW3=ssx)mj6;PL0%7>`gzlwzB&EMSoz^<+G>>XHYa4=6Mzl8A z5$o>XhEYN4X3EcW*REk4N?eC^*M_0AvkgSFvw|f9hX^4e4lIZLM>oxjAJ~v_{78}vuWXTi|3^ombl!oY1nUzd zM-V1+F(JfBi1=eQ56|T6W=zy!)o_f0wcO0WrV((&3m(;`(m9OoV@$U=`FE1}v`XIe zMM^bV%G$(D!(dtG4CB!yH_88pf8=!9$#mpbe=|D0XGQAfMb=;|wNg2plHiRWZ?d7% zhRt^RrMsQ=5b11!lx2*{fcF>kjSCqz#8z0m*=F)Js)JI!HBr>CneLuoe!xO;-nfm{ z(x*uoRLZr_Grl~ZB+-2om9m(=tnR1E*~$v0oaNNeDfxM0n~74cdP*51yB<+d`O|na%Ky;;)`n++_Cb@s^&^_Qx5MS&yM(M2v6dQ6QJ1EPfs9;!vG#k`u55 z`?2m$F;9@zZDiQ;KmL7NSMV+VeN8ReJVHnma4km&|BDT}pNgRcl0z9Ir6N#90YQ{8 zQU_!hZ(C6*9?jKlp?fSPcpa5mm1gVoc35}6Qve*{+>s6n(i(axeApJc2CNjL zB-q;c_(2;|JyHj)KxS4hOSHu5yzp)`^Z7kIKTF-ffwR_(>Q`==p1DsN6x zM@bIln3d|N#>4|j%4t)rSa-KC;E?(=o{x3Tz2Ang;Aw>TKVS1G;n)09D*ci(_RR%^ zQ2B3ZZT*r1BClHtiFo@)N(Mq5!-wsm_JK*17a4Xy34yA@)v`h-M3BQ=~WTI2fq+l!OzPLCJ0rNJ76tDRYE@-=83~elJLsPMN6o?UyXw+ zjTjN1+{mLuI!%Frft`p)D;c^k+`yisn9X!x%^cdFB;b4B9-l%8p_CwCDKeG;`E;ki zG3mCidF0#|{~2`H<_CocCA_|`5hYoK5U<+czjcCS$C~@8YAQ%fknAAxMSlT16(e%L z4XM@9SjdGn*F!*<+#3dQh*TQ49i|8;ZXHCa_DK&_Yd@;skvv~knn~#O_y`MC2+vT- 
zIQeX7kh7kMPgn71L6it;2|S46UfKq#pX3VD7VJAjEn+oyb&@Pp_i`2?@0A>toRNltqa?H2K5^mi$lRL9C_Csp1i- z#Jc!RD~{Ph8S!izS|BUU&xTUzloN3Zr7bthO7qh#Ik&CnQ9`(Eg*IKaDdI zw2p&_3)Wpx=l6V8zRaxSz`DDuS?4XNVH07QfXmE`maLv@d32e>Stt2_saRM&97rw1>d!=+6Qc|H!VOq=-JK8j zv-g`lJG6#J@r71I@mTjrL}|1Mvz~zy9kJ7N8@gmF60kZ6R(~!e;)BqbF#Ackwso~* z4YoHMe0>d%OoB+eF6MLK?WcXfXp#*9s&$F(W8wPl=ZJX|Gzb_Ghw6 z%gsv8H5A`C;Vm2T>uE|phlcufE(Abnlkz#LD~b~#>G~I|`b<8D;)j`#I*VnEHd{Nq znrh!^y=SpwLhh-3lrN`+0ZQEdDm0VH>d;1sxO_E_yv{nm?mjqxL-EzD+2|<vYz}+gDjp?7s#ZYu1~Ys5Djv=e^O0X|4hmH6$tPlrqP;%RhV?FQ10Xz{9Av@{ z{|k0F5z96MG3gZssvYzP$8XzGn9D@_*#?SJzyU)Boli`Y-a(cr|%2O!9Cj(5{e(SzleE z4O0dH9^L3?J*-;EqxkQC(FUx$#|)sP+a}DK%}7Ms7cV0bSa;dXs@h7r7G=`A^iw2Y zEhJ*iN=7#RL$|fYiu|TTiFJ2(bNF+l7%kB6)cHM%Kgza|MpAfGxIZ0g#ejezwK#@WU3% z^s_D26_T!Z+0@+X=TLk%+w-MnGw-Yb8dCa(jnR<#0Gjp&{1InsQ2#Mjf6f4kD^IUz zp&@Veo>_j3CTXhBTIK7+!P5BFG3K8$V)S$bQ`Q_^6e@i^Nn8k~hU(sLD%zl0O-w=-x zCS?vTznpkbZeI-#*+wnDns}`4%WCww@+(Wt>^qkO@$mR{uItmV*0=p^Lv;7dhA(o9 z`f_lB^cdFNbNw7@s6sY``U{?#hAOZ~61*`+W@vN2EaOqUi%DpVs|n3*D}m57UQKA6 z^_QFqIm!P^5Yb0T_Q16xAx!zRUtS_NonULZmp;tKG>mrQrxZ$VbT1P`9$-{vZRkoW z^Y+6~@u)fFH!kB*!0N1b61v1cjU-~~myFhEDa_0>)1!H$&RBQvgesa}a+uU1m52wH zQtATlM_k{smNm2GO-p&C6-eE+pd^7)WJ(%|_&Kd{7pu{W4Pt~@WA0LlM`^!9JEHM0 z>^Sc6QXnzAY0|HA)lll{;5S_@?|2ye-!J9S$Poz{>n_9^t;eiU_fnt;785>=gJQ7< zM7eTteF3IC^@H*jj5_@VkgJpZOp(U}ok=_R3bYvpVAre* zKop+s4}NsM;8Ef;rO6s{`PF0U0Ym%qFJh1hp2){YSvH6HbpU;S+){fxSd5riKT zRg54^T*V__nbKqnwo#h6;5Tu)MfyjN1h4aH9T;nT$;5>IUtEFoK{NZ_FD_^MX(rpB zLO1<)RwRYtd9n``pWQd!D|F8_0^W)ffT`O)K{m_occo!tI}t)cq{M~916C>I?EyA z(WSrxK12xR!_>U$Q9iCUvtJhsz*ui#rnM-&GMU^VQ?oka->(idrF;DB77pThpEas5$#kWZoHRBJs zStrhzOg0hG_Zg4kj}St_hiyW{3QOWw&lJ+}f4v+|)Y@a+o#x|^G4k6aiFa=%M2kp& zB7|VhlbA#KT1293E1#?crz&Kn1a3!HLar8(wj-E+I{Q1#+277)zlP2JCYb#VpI*Y! 
z-*dUY);{R?Ytc`CehF7kV~VS@K82H!wPuByzbe!~g>ODLv2wRb=7+KhvvWD*S5MJ8 zv`+}%Wok+CUB>MK)1TzzHdkX6~%Inbua_-r4|v;_tAl(GL5vn!nsc@D^n zpJjP3?@N;KVY?8qG!denGVV8RPy_ptBwly%D#yT!t|m2aFj527c$_i6GD#o;EJ;$V z>+yXqkBp|hN#fVjGz5s4U1me2SWin%WPD4!@81+*UH$(A=JE%S+s7C2D3Ic;AE_QN z9{xE=oVDr!tS_4gE|bSB1|ttWDB0J&WKi#{>jP_fSM4s=B)`v1_6Fsr+Zclr8z9vaXEE=0WU1_w2xHZiPp<>k|*%MEP zr%64L5P^NFPoq^_lPK?22@&5}%1*F^keCsH8|@*i99%$tglxKRiSs;-??81Nz6nebsTS+9V>5qVuQwr2@Zt z2&TZV=TZ^(y@$;6FIs74-D^xJpTQabe%^|lwM^t+yEjSV;pQvQ0_-*G9%!-G>~+P# zekLfD#vQY)XdWKT-99;~~q z@7bVt4}Hv|_$~`VN|PnjwWSHV@XmT;?jDLO8(aAiT3{^SpCs|m05T3WAl657_r-Gdf~c} z>cH>X5LSQotH&ttdmr&EMsREykI3ekO~i^&=<|4I3qrD5Co4xCLgZt3#JJmvltvPw z_=>$8GNyk^hY*eVbys&Uht%%{U(L+(wEm1=0@r!;r!17e_aT1b%dsPV*ltXY*NN9ZmbjRiXe9P*=B_ekyOx_TtLd57gnWCGs&=VKlv zp7T2E5;lNTdZS>WH(D2}hII;UO5|fLM>0OW)rRm~T9Ar0D^@Dac)r>_I9eaj8j*I6eQ3~|;C{yPLTe%PEORL6%)u1dVX*!-)NE|7DduZ)N{0Oy2I ziD?aa99m~fc^F(YrtD{E@(Dx@oF-*i{Mt0h9!kf$YgwMTrxz|}6yRm1u)o`qABFr- zM!-?XuI8VUY{*Qc%kzxUk`2l86R%+16>O<9kkx6=Djcg#5?mU891hxDLtB8lvkykW zKQ{n=O#$b{dzmQUpo5F<3-<7;r#)&MtG}~ryPNXZ2Dg4-V&^Sin6~NHf58l4ublh5 zk9oxGhhkN4qFp%HGjB4=!5r82{2y*{SIQY!Jx6X5M! z1zX=B1W^8H825KKt;WT@=G86M-Anp#2%;92!NEVj{+Ia*a&dIh1V>zunoe~PaWMejkT~>6JV*!`jMWQ)Yl?_C ziLQqYs|QAItfN${X_pl_$s?re$dBO$K>hJAD=VxvVYPv>Y~yPEdoN=8J;fui$oA=- zZQdveP4nwL9+Wv|$J1^x*wkS4fL|YPA!6aXJPOS4t0zZN6dV3ql2p;nG5uk7aogQA z&pJi7nM`>&_X&?Er@C2jFaMIxMi*0Q&cwR=*Ic;DIbNM42@X1eqjjMm)_eTmsqA{$y=H+roz!fBh->9-#5fPvMh~1!wSRdCq z(1tllT=W@_st`)Fp>1@mpxXxPuF)V|9VcQos}s5%Yi{mKW?AC?RRgTK5 zSQ9q_SZ(kQEp0vhsdw0l)f%kakAe;oQ@M`;tW&(L6(M766TC2=3HM#@7imjE6yovg zU82i*6h8_^YNMnqzux1-avp_y_Ylfrv$=80d3fV%sSLQWdZ3Vq13u+hg!j;NPsyEf zxG7hNUH}P)>$lu=A~N_vj+qJKi&!6ck%-QZ=$cxDSDDL4?))-Pfm{!ANSm1Dj2RuP zlEgT45iGQSS;oj});gP&ia}|uOKr&bVlShqyD94(2>a=PK_*y{FME>^eU=as=o9ELDEym9~lEkM6C5umg$>CGIcDag@ zu93#PZZ;%W@x9|5Aw+SHTSjMWb|0E(ObI=!agQwHk;;u&#-qgOmZ`aiez;5yH%Xy; z=>&De8Yi%kj(z|}8gCCYd8);)9`os=Bn$4=Yz*0vq{N}iGWuz(?jMPDcjhu48IEo? 
zRK-#K&w{m})C=qG6H9qy+||uSsr@Zj{`CpN{(n$Jf5B>l!0Dw}-S6*q%vijg z_VfT&xhb?CdDfO-|HGh>+(><}Ki1vr+_a^xtRX8B;5|NVx}AuQg`hT3TzUSY$(wxobceH+ zh>;H%zbw2+NPq3#M2(hbkH)6-?Cp^vX_>fIMvOs_0w zERab#fKRPEyEripYg04mroNVl3*X|AZ(jdsoe;5IBqU+=sdeG078J~*^f1foj0M_Y zeQK|fV3|nXXPx-z0^PdPq%0&vcU&NZu4FGDxC=kxLFbOHx9#`UvP}41#MY4T0bSnuX${} zFezu!fa;ghR?P@v=fJ32QicN2s-5pJ+)~z0P`{T1OGPZ{RLQR8B24S1owG zT;*kc+W*@~h#Y>&f@scNL9V}gG;uv0oO;su&w5I6j{D{j@y`!=)L%W}jS}YlQ<)}Z zB4M^G1tHq{sX`*YzL4#@^eV81Wr5>z8cpwURp>6o{n28|3wxMRK>KxIHu|CaIpk@Z zXUo^}((^UHl;ezP1yV1gDwZT8N8r(ZDRUzs0@V(?(}v5Bb;s&fT>hIKmmkWQ`5Phv z!Z)AMf|8@{BpYtMRajMn-@vW6t|f#ZTz)VWm;crQ-&})RR}it{KVVAJ1#28x#3Q9w z`(S(4kKS|P1=yVRNuo`%0bcfhi$~hvbZt@xNH+hMr@hF`=5~F?BZy?uJ)7H3e><@5 zvS*s|!z=HYv?zj#Y(VAxRQOjWjAfOso9tyLV`TuK7H%bDV$fv(g5^aLy2sp6%GuFH8|CC3Cv|#N1B={e3 zon2=$L!jLK4*xf{W;t&%TQgjGrL7qgE!ChTfoE*poxG3xdr9-T1;92A-Df`4A>v~! z=V!>_-dse*Vn55u?n zsS*+W2W8^MEvvy^PeSs%kUc;ii63JRlV;q)##kGCL_bkWy$oR1MDutGUKc zcyN|TMS!;2G)XczD)-IBnydUH_-@{Pu+oESfc-7`h}{wVht7R3Sn;3U0ZmKwNEt-j zK95I%_DsZB^aj{cI%}PTh#yeV+9DSP$Rm_$KY$QYE|AbIffTH}kKJp!iHp7icPGN^ z4(!b9+(tSP5osfx7Kw#=Yty6* z9%Xx^ z3?ULh2u(_(`sDjmL?@3VLX)CnXG%EOr zXY*`SZ+Hv(ZudG#{2b+Aekn6_MsZL0nC`JoW*e^bN;ofUcEJ+7y`D}+Q0nEZ4OohZ znEwvlmf28cv|o3JpWzUW)?uB?cX7zCakqa=H)YZ9LcZ#fpu}6i$fcc10f=2m+?prH(5eA z;b@%@Z3Jh>;97(!?hl_KBz~yHF*?nXg;l$atTTjoBXwpF8Y*FIWGhkZqF8@+0i9-f zR5TV!gC{3M9Ji21avAhNcMWiH$athCNdh;@j|MD$wE+;wvk+cSO=;zg9(kc%VxV!i zY(+BJ5&9)DlJ1eAocr*6 z7>NWr#3Uo81^zLJ?-kdv@~{?wghg~){(Xdd6;PM+4rCYzAy-D z+?w|&8+|HtzvABX0dJl^|8Nh7jD_ox1nfeiZ_!;|xDFv?4+uqua03;}8{{%$*GX_l zue%>!VnfD?uad;CPvDSqACpkB>n7c&T)1h*-B>+k>@KpRa4&aA^ypJ9Se@{T9o8S0 z@yIv&0Q@faFSs`0EQw9ddcWFW;3Of@eM00uU@SSmV6x3nHzi5p_e+$V1xrnp5LQm4 zUpamUvkN-M-h~nI9AyXEBXkd5JR+x zx=}`n{5<3Jwl+jL#j|C=ciy~HAg^j?g@O#XNzEdC_Ywj~|^JpZPrOz(oQ8;bDn>DY>2NY5 zml?O7AS8U)9%|<#;jTBo$)jfDrZzU@VXtsLzDP?g!8SC}m>?w4gNO%S<=MM~^$k?J zdFNfaNkrp8<~U@3mdOzIe3c}RIAiSH{mc{Z{+;az)*iBhkd2k;4iri)Ne^FmA($Gz z@Jz6k(c#l1aqgpY<$VpP1Ko&aSsXIDu1*psG0%BL;UNwgi#8=mWS{1dGD4jfT|;SI 
z7MNF$%mU-%Mk2oUDvuI3sa49cy6}Y;LN=wwF`qWR=-(hgbH6Jp_~ir8>EZCO2m@8xE5J4kXlH@f9vcjA(d{vK#F;0 zEq~3PCOhc7jZ?2LC9#m8Jt$&79eoMIQ?4H0|vnMyC8<5v0+6L9G(R% z;3jp1mLnPEW39+ptK~@GEy`D>(JIWL*FoF>3tb@f!lllbPu)+%!x~_OD6Elf zf^9v*s%cU$Z-j(;IAfQ3WlPBj6Y(p64(8&S7s4G83cfHo5O`4jh9HCo({Bb_+#V>OCUuqD$d?1cO zE7sjV_27_^zA{Pr=(g*ewGDrGx*d$hrc2)&N{vOfY|7I+NLW4X5ms%(-F7-_eGPy3 z=JwCt`CNy@4tZwsG$F$Ctz}`|QO9#PB%Tjn2!~o@-Th$?4kZ@J-=DDTla=k3#M*pH zS7z}@7FK=d5ms-;x@&O{y1OEh&4N%qm7(&5Rh4om&!(#UeT-+20E<&!(9hACe31xjQ2x!>12L?rsM_Jv zb?^_7y;XQQ9Xe3~ooI6l00=Kzp&7qqrxTiv7szC5pf}cCPu|R<{(3MCjX3+^_yWmh z1zGoGv0NQ(wjea*Gp{<|pc}oKA2jH3S+0KNhy|hNo|7M!t6w=`VLs=JZ8b5 zzBWnOtS9>*xPqY7CS3~+*BkR#!wwQl95BE2@)h8d*mq3u;>*E3l1*5(k6mlLmBAxn z>0U4=Jo_048t=UdG$O~BT{kJsr+eGt?9IaekFj@;kD@vshtKRS8wkt-S%?Z6Wzj@H zStT|riDbeooV6PW0vZAWb`f!
*ywc|Yeln-HjdKfiyHooCLR>vNv-JkNP9kH43ow8(d{EH&tB6(9e5 zf{XKPZKMW&Z)bq`kyZ^0BoTiK8xZ-5_3Fgi3Hsk@i3-eIan0iwD8*G57<~|{zq&xF zxMm>-F{&U|f5#sf9TBUyU!b(5_yVQWU0K7~iz~9KLN1=5KCIt!4m7PuU*Jhg9!B)K z|8a|tb$i|e?8G>NiOu7U8PgwvNCLChIk+qJhL~rv8)TRevJwE2Ou=Sws!Zm=N1F@ce%RC!0-V>4`25>YM8O2cTZFE`E z(?u4@klF}UpXw1A;>FvzkF(2rfVx*ifxp#r4sLRw%_RSWO%7zN`v;KSt0|@LPy7+3 z7?}+W6YNK;*uLLLl^}-Ud z`m1D8?dpA8n$FAO_u*$%2i&NXNE?fy-zkM*VMajxDYUdtcy5p!p5<-E?QM8{vi4gD z8+?$=1uc^`%Z_mS*&sQ>qXfOII*=sn4C=%B&axw8NG;bfx~Ti!Y6sGb-zW7DA44z6 z6l)K7V?lC62BqPin;5b_tU8c-VX;{KKInill_BbdUP^{~VTm#T>-n$Ul(he5t!y-Z zZ|D~(^?O^r&3^B9lG>RX>FXz_!kN-6sr_?FJ(eQTow9G_ts5OkTo;qnPSE}+18JS# z+d9U5%|-_*v#S?+MQn^mfcMVom>AvDNhzC9nVp_d&4CQ*p9u<~2WmRG(Seh?Z8Z*L zjQMAmx2lNMolf{EMs1yxdfT-8H{j%T*KS~9(M+8iBfWhkt9&5p=)$_oiPXITvPYU0 zAfI;MX-~oG2^ZGvcpZ}jWsg(MMAY5C#(~s)cFYUwmwN6kBB!yQ|L%?KxNn&f)PkN2 z9^%RyGyd^Xg3gv8Hro12naMy8@EL3BoHSK>kFl}SAP|arA}c(CtL%n6nT#!@*g!1T z^M_pHK;9<8=nkRO{T~fvqcoFlApGjg^b$^^#sdrOLdNeC0cH7*;zv#pnxM8y@M?vYwsrsXJPp0+W=!&X&j7 z54}L3@qn;PJ%6hheS|T6W03M_QM6TgIH37a(#VGiO{sV@b>F5r&^n2H&dyZFD=8Mk_d2Y$i=9-_W+kPt!InFM)&=!EUi^oeu8~sr_(}&dt%2)zu$k%8;722{ ze!tMt0MTf6WCb?-TsSNqx9lv>1eb!l!ZTIovT4m4W=CT6I`%vUiPel{=~{!98a9s+ zByEtg{}UwbMWGXLpA-ZW7wT?_Cda`9zrq^Zt$8DqG1W2U7vT}JsCz~Y7wH{Lq&FL6 zh7(_csT}pjj3*fZ(^jIu2I@}L7?-PY@Sczhr8nfapK{9to2E40)hzp-&Amjb>{LIN9vL}tYBb;kb zW61JjC#8N8K`j?LDOD5KMy_cY1j?=3v7SF1`fO-_O3;?xj8ohVN`Ra9*^!a?7tVB+ zT&9F6t%75G&K0Q&uh50@424lDR)fU_xfmel{NC?^Nu|@p#~n$vWjXeJt+*;z&=FXF zgfet{L@>Vq(c|qkZ08(hr)Qqkn7xZ%rP`P44y3_Rt#%Al`f+ou6FcA*>-v`xkO8yC zQ5}mo80j$w<&B6Oz_fv3;}?gm2wdMGuF#b^swyjaj;gM0STEh@ZN9`>T)z7U%<1sR}Fa*lP>f9Zf$XMTQMJ+jusnb@tilS7>zys99 z36*OlheFgNN8YW9GjFCCO=pj};{|>(8BiN6L4D+S_=v|AyRDj=_Kmh7gtrvw6%IkF zSx5`2TgB>3CYV=_MPl_pU|vrK36&ZqP(21k7Tk6+ejVW!l*hb(&ZEZ zi~jRLa^4#=+<)iG>utuHjk5FX+zgU-2G?l{TZ<4wodmUbS)c+RLx@Xv}dQ9Qcbfxl@=6lX0$=qY(9P z2O7ml%5gY$Xyh8UhIjHc92iX=gOO`nc+TjYYoKvz$jJ`vYk33lJMs2e)SVNBNJ^sm zJP@E2E)?mFb^Fol?2zURYs16$bK|Uct2up6t1K7pj5x49UoiWI@8oLP-?5h)8Tw;w 
zjJGYQE%3OEEfyPU@S{7iUT!nKw}Iz_XO<1&XN#h(kzQDLubFB`0rDxonO%AvP=*(` zCMaIV?T8G2g3^sG)4*JaUmEyiWWr>;!{Z?3CY4^53tKEGM&l0`80k8U$?+gLDXE7A{46GiB(>3Ipubts#%SyE zX;`yA#HbwvM6jzJeZZ^X;ScS|nD}CXwjASkm<`w3kx}+Sg0_4nAQYze=c59IA_Ms( zi-D>SkqaTex7DHQp89z1|Dk4m7Ju^^OQ=P z{fzdpO#?Pr=NTtL8-k?FWxk2k{10ou8tw1N_-z^NDF3{l12ALUIV+E+9*srr45+*M zW8HqJp92MayCR3oC0Nhte=SF9^c**>8!pw1x9i32d6|)G0PmKnJb1d1GdUUID$;1a zRhh6YJV=9-keo0qxpc6K5<*`^i$Shpl*yuheFoGhCR-%D0xzRFEai9G`t zikyBmaHBSx4c-&b#yfiqo*}7mT}N^PltD$>9p>lkS06^moNW0&`HK~)7iq*UlZ$2_ zhRRzWcOdf&n|00p{2IQLu1G4+hn#JusU4O`iX?9TZt#+8qOHnRSexSHr`FM$#)+2_qwYF{75`l#$&=so4vM>S;YD%1%Z_o#w|l zbbx(0hl%IK5bkI0*9ao|lmy9fCam|_v=)?d|0g<-(dRxZBz?f^xf_>~&Z^$_q80Yc zCS%7rO3m-u>TOCtwu~6-Ie&Z5hK#M}C~d2EUV>T&+mW&99Hls9-&y5gmF`3V&CxAp zM*qOr%5Pm_l>1kY+;I)u=)5ov!fr9SZ7q{kN-C0vd1NHF``CI7EX#)H839#1#aLV5 zDQA;15=hsUl^|(nf|~rD(~Md(?(z_IJ09Z%xd~hw8D1@770kz^#TyGI73o;dpL`8F zIp;?l$lM;_Hyn}sxqV9Z0c%oF)?|p2_7Ba0yludA;myWfXDP+c`lH`PD%#@+U5mu( z8g9s0Gs%tu+8sf%D@f{$SAT#6HV^x~t>8EBkA4T&l&H~;jFjJT?rsrlqZndBfhG`h z!-8_&Gzqef^FBXhh(i%{;}969V%@&rY91s-q>&%w|+Fi!?TN1SLn@p^`ORt8z z6?`?^t<(W4iS?YJg?7&6QTMlxIg-jIZUfH^Iex$0hKzli*$$rRneUB-)2Cx{$nR}E z`$|x+@XTjbKf%b%#h~v(M8x`5@Z7^ybsb5SLe@L*iwOwj<**t_lyF7*0#XfJnyCzjA}v8PMAm5c|jopP}@x2%$M*bR37Xqovu(aAfLo&XwE@FUDmAwF*y3 zGL|GwM*by-9x@hP&nq;3_aZ~u6;8HR<1&mhvX#dO{xd?T1*GoQyhoJ~I|t}2>aJdy z3??XNcQBrdO!edjNhcGuMp5?@<^1g^Fo1~0B4cZ8gQ{bZ(a}~hx*0(v;z3BPUQQ`3 z(kliDQcX&AEb@HId`hWQxms8l*%TH6>MqOurk*!KX=L?}0{QIS3V!O0x+J7M9&J_p z=2kU-UbO=uWfa!16KgKG?M%%8{_55YJ2HOvT!NbY!vYf%jf``YsvUx)e$9rRLEU$< z5s|N3?(FQ!Q<}l!?eZf#|Edhw+}pN*1en1##sFA`Z%q?!zp9akCaLqe^%LXQt4K9NIy%wlNvuMt?OFwe>l(^ zpHH?Txb!tHz%Di8pPU0957fR<$R9A}yjAQs73{sCWQDcF}8RX&L^IsomM@9$3 zTyik530Q!#<;jr%?e;D3I3vBh2ZFu|k4xNGFSYNqusQw(_`94e5Nmhhcx!jJtG)*d z0X_fbZ2P6|*QK6h-9NJsW)OU!vV!E8G0kt~_Qa7C#=YHZ1A4CKPmgmiv>5w9{l0f3 z5Iul(`{Ey2fumS=4@&yoyMfB>Wo0)kbRhHkBJv~F^IuqMW8VpiJuJ*H(_q-fwd)ep zJoU4;$gw3q8+MV2rlbDL%`QqK!^s)2lIv5$>7_G3_J%Vd$OYEj+V>pqo=nygk~Y5J>cJu^_+gaz`XJ2LOk?{Xbv&_ 
zfGt$#dIqC##`LqVfR&Z($tu3|cLe+$1%F2uW1YL{z>nW|{n!FOvoP#^n&xFNoD01>*K^Q_HT>6mD3|j-t>-8#3PRgj{>JFqLMB+rRA?)Oob@vE%@T}{kbYoB-dEICmDk8_cO_DmvNy9?P{=?BPlxtY|fHpQrj+3CrY0T{e zLpP^HCOBz4pzd-7)SYSSc}Jv?e4)TXxy6uG`A)QWYxemlr@Zw;`cqDNZO?$(v86mQIU<(UMP zxN>$-xdTabXF%QI3aGo%B=w>r@~S`DR(@-=HK-4J;e8ug-W%dV8u!1Dpc`eBwsKdq;u5Uq|EIql6&n*aCMf58v7Yl{N_V1) z%qtCJjo$}(9LYZ|1Fio~6z(;fx|b~kuXa7>WlHI6>V9ak1BHh{SWah~mES~#ZKazr zIcdD{3S*o*Y)S^!-3=3yTR(qh4D>aN*TMav(@Vuhdu7$M3Le1JQO51)v+HoE84G)v zIK%@`lVjA~xDaUOswK8$@`BlqIFOmkCiEk=8`ojY=E1(YNMEeyr}eiZ!@nUx%>l`f zoldTvF&_L=g3=EnTmRdLciE#nR6sHu=VYwsU!7@3#)5(*p@R#C{r&g_!#80E^2Q*G zNa+>fC1Ek5RJpx!>_|+`iqU)lp~}_5qhj=S_+?@8y|&853iUPng$2yc`j!lV?apX| zGC;lS{_T{~vHwO0#o)H5&G^=2#~E-_YQ2-OGS#iXPK+HH86kr4lF9|;Kk3qja%YK&(L&iVk8qR)PB zMcyv$Qf~;?5~1W|kQ~2TPrE(46AOnL1c5R9PU_yiB$oz=i4yj?v)f=^#MXQZtJMc2RfEi^OpAo=JOOgu|syT3<8wwL|7e**lxGeJUhbb zDJLc=#;<;1MKvjybgIVimoF+}G1l{c$-htN?8IL!wET9E6~Vc^&C-2tbF%2`+Z}wj z{4%mQpZjoT@fiBIV@@EempD*cy%5wF>;(FkD^|Z@K|DWE#6~|*?8cv~65uA4!Q|d_ zCWX7G`@M&FYCjKX(-?3tb>Fv$i>#+01hR31+lstRINOS_KwFSvSEe|@7c@x(2WrrPkTZ8&S>RaH+U6n3rqqllvnC_(RoezQ$s(BPv z&zJo2wFh}%85!$CUJTff@zp>udKi&>|1`YM?-*-G-X^j~o9YS1JMF&DmRy7N{2P*m z!o1Kg`q+`N^r-~JkF=!$t1(m_U83|Sdw|Kfd!Q91MROWg&u2$ouN;dYk?o(-cs)1p zdK^%#_W*VG1Hj0~#zKBJOTdQ0g5MjPfcr^8hQ|SkL)B4Vc*Lp*myQ z+5}blU~-CW%I}R2+*X8XJytJdN8YJqxWJmeIob4I=0el8XDUm7c{*F+faBA z*g<-mS<44!Q@8mbw493doafT)$gJ+s+WkFRYv^w6z23Yv-&_YfzKwrv;@;!)FWE9w zN4sJ>wADKmPxp9lOyb&7n39~FG# zt?Zx=5(=^Hei!0S8~pHm0MctI9;b0X2#Siw`7GHTKW-m0)e~I84(*qE!DLQh+x(Hb zG_Ar`B9o5&he^DB@AVy(cMXqNH>Wn@N18z>phQkDfp+c)IS}4t{)TO)Vjzk;e%&2p zeQj?$G9F*UI4Ya6ii_op-W?6ry^A9g>+GUe+ButOk@0QR+Kay*6g{80}Z3JgZ4p4K*XMeU6to5JDDK;BH=ky8qVw_Ct7ULo@2@ z+36e}F$?aase9}KM(-LB3im4ITD-+u6LcNc?D}G!735mYzOKxH-l3}zn&*xAc8e4C zrS7f#u#(sxE919z^ z@#Q|-tYur@)>2eh1jE@52SU*rIQdxy}CdQU`+UZ}tU?*aTVLhA>C+7pBE~AbLPauRJ0|L_U?Ps}ntq z>XVTiE(x$Tq3-bWGyY4l@_VQKe+H`2?8g@JyUt7qkps45nQS_-ZlCMqLASjzV`c$h z>#rVRgB!Zkfow`I5H7(rzs>Gi>Of8o$}qmYNNG^_m~Hm+0FFR$zY$o5o47`#Vxa@E 
zsui2}fH@KC`F)*sWMurun!F=z@g86s$)DSmZ0P37mFU*URpCs2Ble$%!KA(cA>)&a zl&02$CVFDnfy`Z4&p%|d^Pqn@zddC`#z&Ww$bg{Z=Xa;dS_f#c(iJ3a)V&9efykFw zvmbbrcQA6TtmPkF1e;`Oik%5+tlkS)#N-`$N&ul16@;uZ%ECdtbgG+VnlRX)ck$gAg zc`m81A_EwTII*5{3*&2r8CD2Zza{iPG9#Rtb1BHkG^{oZz~s{@lZ}@}(8(%;@Op@E zPYxOP@Yo2{T`}K*N_n9Fdy{sX2Vb+HX;>e5Uw`1}7+R;C@3IigywZ&zqdOcR$cavf zYPXhkcSAnN4!@b-nsPN zjgd2~tUmG~d(zB$2OR5>0UFocTp}P{j1H?(x+x0O^!l>zx1 zuCfSl*xhQkBV%@y^$C=$-eeG(=66sg`2K*)rDJaQ>3BW+U~VN>YDAt*y8ANB$qHL$ z8P7eLpqrz#{2FhYF zw%WB)`;JWDZPtUzv<>U|OY)#EKUF2D-`fTp_dCc29v-8Aos90I&gOe=D!)=;T!OLa zS&&Qia22>#;mI|YJ_De4!x^)UdusS>Wd=4Ek!7wT(rJ_=L0JJZ!D-xGlb`{TV(OTj z3X*fwJ^ld)lF5;YdY-8s$qZ;IWU9v*N%bCJJ-3_vF)?Lw*zavq4_k@sNi$~~^CJlg z@@Ig1(>swEy^H6O3aGoB#?_3gOWqn!;3*+bQTIo)0Ie2C?K^BR8DD^t5dK5Y-*2%4!bD?Ox4&$Gv!kO# z7X9o1Ia!&Y=5W3ZSV3>h$f)4T2D3M-)2Jj?WTvulRcC=|(+n3pTtjJBsxKG7ySnX$ zZkv1IrtUJDvtlOC)_0j^VVWPj`jQrE8A(aMaSn|As^r}t6U5+Zf5JDL?F?Tn2Rr*rqC zA>jL`DMQdZ$c4btw%sUZ16AvtSiLYR^4fnB`rph*Dy(}NbO!aD3un8xWz~r-J@nQE zm(j8ehvB|yjb{F*?@gb&hte$s7juAsWEHJJi;*|c43T()n1os6& zChmO3(^tN~jIrp;ujW^3dd{B_NRI>oTK{Tgf-3cF-**T~f3?HH>T#jBQGpW$MgM6v z=*eSLK$*-98I=Ha|KmO`Oy@!>&8jsCY8-qzK^a3jT&wWpQFkuvvLHEHs)2+Po8dr= z*$R@Q#+-|kwmb-lS15JgcpuNREQ4ZiAn(-U%Rw8R7p3Jc>Ne-V$GOz~%^U|}eYuru zudgD9j8#u3=*z1kL&VzuwC$i`G)+Lr6sf!KeQb)4ZZ^*RL}~lZ0@iiA@qbSzC|eq= z=f6X3NclCxwg}^!s0|sd%^`RLTzXk$lui6_g=mM2JrZTN3ov2o_+HU z|0bP(L%sr6>~E$yl1k^tsV(_gnz;)@%;IR9VmBUdwsMk+^&#)&+rXsa3>fVX?8?e_XXOes~_yadS1OzvW+`G zuKln4PbI+RY`Nmv3TyT?^Elh+jZ$S;G1lE*fo`%Zlw9mb8=7V0yw2*i&zR>xrR<}7 z<~dM(J!5z(?zW*R_ZV+7f&c>TTt)!d6rQ5);Zxy=c2(Ym6cOwB%RBjH-2e{H=z{+` z3BND};F)a37<^6={_Pa5Re0zLcH&)QZZ3hq7v8o2p*>aMSK5YB_c!;0*qY*vwS0{b zk~Ybt-8gPxC64@iNq=XhOxgn*Ag=io?m&uFj|aT}8IN)^#5wmz+amc=B`Bv{?Ei8U zaRwk}kTNVR1=z-zWgL4vLBqq?!}3{pqw&S#30ee+V%LKLa~7+w%7TzT+9pO9fP#}6 z8y-&@oT3N$GV}{)%{Cr<9DIUL%yl4hV1P7W4c?t&?*i-#;s}yCPE6*zFe%9hlKGio z0kXn6FB7{4-0Qf~D0&)WZ!tMLSu4!wamzduYyK?As|)wa{7yL;-fyqkVNty1P5F$g zi)3NaZv0wF(6ANjIZZ#=P$}L_-Kd01;ASmD*g2ixWL-Mr{(3Mizc(z*HlDuNg(Ek0 
zA;ndICMTvR9fP$M&gnDmZ&_W%m-!RUWM8VGsJn(682Z4+pWk=+$A!s{zr6G@)^mpa zWJ6OXW9>TDyOB${Nt=i@Kf-#s-FS{tYTf`|F?tTYU_(ag6=fX8?SSIm81~(d6n6AS z>`df!U~)e)&q3n+qzNy>UgND^kZFIRy26Gc4@0WgG=SU>ko&Mc(l*Y4g8GBGOsJT~ zUKPTtJgn|?27TX0j%`OSfgAJ~MQ*T;dY}+KS=9ZB2%n^~PXfLZkz=gv$#jIYaW=N< z?O)VSAs60f?7ksZCMe06QP248YgtFNvD95TgR9-Qr-PBo3_9$0GaRU1nz|iX5Mn#* zC)irXhv^7~DPCW~rhj7ChV`7U6KwIBMD*CbY!Mh285tE$!+O~QhzVHNAEB@X>t&hn zm^A>5l0t`VC_rS-sAOV%S^_vK&19|abs`?Cqr2fLJsX}Bc42)*Mk&^FW}mPl>P9_V z&cu2dhNf^=%USUF_x{kbH}OAPX57hD2^;G6h6r1wnc)KIeu;jlc%}IFy|xbrvT;f# zCyn>nNB|MXhn-koQBVq^df7C<#oNr?;R39`Ib1*p9OJh4>z)Vpn8|zd=6OgZISTIe zXm{G*`YFk&$K-->?*KOVQih41s$75mM_G}$A25JuC!@H{^$#*JDxqkh`< zO2p>S1}5=SCL8?+^q9cgtHvDp=G@`PaID+MvJU8F1#oBS9~E|$8m_LMj)I;p?Z+6g z(j>L*3TFA!v?-Ir3rmf6*d$Zwez=KhW@L9Gn~j{-4u%){N-K3gFx7#ijs9q>7=4w= z2DQ@`uwx}MH%N}n(EM}AzWv{dwMD;H4a@#-$v$th_}UkmzhwVmEYuqvE`);myOn7O zg{{)8a3&@PVL1!f1cC;psK$?~W6JnEHFAwuTg0liFc$Tgq#o@QnsBJe_?-)(%9ZH% zkpXOA5l1P1d(n8#1;kiM#cF+K(03v7JFMI9>`0;r*dg3sdYMVkG*}s!TDE^C8{7K9 z)NU+ceYtmD)ymu{ry>*C0!7MUfnp+`&&YguywQcw+g5~rkK>0Oc&L94*6n-RZ77nC zb^Gpi8*1~|Zm(-+$T4mdpZ#guD{Pmo>0SMLtm%ZRF|N#WKSai2-TrjD4b4+m z*aWtsk>2yv6%G`!d1K}c3?<7drZYS_WsqdQ$`-&nKP4h$e#KhCo7I!TlF>D;>SpDZ z%Eb4|(3;}jWS{!Y*vj*wGEhB|QJHW?`p#3!(@`X4o?3o2Qk+`>K2R zjqRHVA;7WMPIbNNoXlT=IH5ms2fSY2{pBHet*nF!qut;}4xR_4m2U7G96YJUnrB8F zl`AaIn3lX2F*<=#I!|43H4>}yD5YZUxIWb}v3eAxR4=B{Ix#woQd%?4o!7q1nRi-@ z4y2S;u5ekzXd0zd7Pp0ZOM0~jby7O-uk@nQAD%kksa=d7>!eiNwqih(My%S3OmW+| zfzepRs*Ur^leKaEWU;o)GpH^KT?F24wJ;!T6f7F*IbC6zhZ_qkqZs`Tw`AJFK zW`Isc5?^a0$Kyxr#wUFd!kfX%rVNt28(&^bdK`8g5gUxx`l2q~<&aKFi=y8J^^rH7 zvms?bxOXx{Ep<;V2J$#4s6RNo2RI+ViYwf^l(EpDP+ptH7Bg~F%UPfrPi$DmcBffcl94( zHgct^V{Az!eL`pckCckb95m>0MTobl=O~#x?lKzsbPsg&MedvL3hE>CezYMRZBmBt zVPWzyby38gaNtY@S>gmt-Gs-T*-Un#*Oqc-Bd#{I`p`GR1P@wKtCvtPdZ`oeU zgfkSAQ_{cCT5z&_=&TJHMlXcIE@@^UbPn2PMC5O2$wN`Bjv<6F*iVSQz8DcBVoMNrF~{Lo0bl%C{U%*u-5fYH`N-x+} z%73bIf0{V_uaQr*;&iyOA)t;g9*upwA)|1a9sBkz>5F~4%X(vdQ33XyDFYo-!Dt=~ 
zh+DX)X@yQAd(y*}Qsbl(2A*-I>re#M#$~e3O#yCCHG}hV^fd5t|6;6UPmZpa%!3tR z^<*!jBQ=S!{8VDpBit)U+W5-+>6iRqc@@A|C#wP-c)Dw45%gsscMcxzW(%3J1y za4Obw)^!)30mYSl0FHKpWe(mB;PP(pNDls^c_ZM%U|W)lR8o@okk$qHJOv@MpI>MN zbk3xdwv6UUV11u<@s^iVa8tJzU(V8>clN-`!mtDDIahyUPxj(3cX#8Zhi%0-U+%)f z2U1`$_MQ4)SUBYpo5Xn7ba(=e3XSeT~SGB@1dUWIt;JBfWY-X?{Iagb{Ag?$O zQpZ@p)h+8(*X#gmdvB7&cT-N|P)ZLf`5i(iuo1Rx!zVUW8UW6AO~8Sq4d6cTK12}= z=n)JpNe+np9O)y8+x)#H@!$6sh_9WlKCnEk{XkeKAz$u4yxz2muN@4CuSG_YuP{0F zNWB#c4aWQwl)P&E6*M>GIiP-w{|NxX{n9UPi=@k>EhwDS?zL$SN%$<<47bKq+z@x} zj$})|gJmAIV@~8tZK5m8c>5Ax9E%eg#cku$z0ItdC+!HC+p%uH=_H>A;B{xtkT&$d z6~2U-J;>N@$7N)Up^Mqtg|y|k2N`2a;S!SQ@-JI*DT=!wnRY;+f42TlX{?LUMnc!- zooxKl(Sw2fn$f29L4DZLRz}lGgZd+*!4~8cb+=C7`*tf^7Phr!w02EnGrUrk0eE6J z_+1X36HdW;j?_J-mnQJ=RBRiTd0=f%gI`Tqx;f#}1TpyE?Ma?uHl>vDl;xutGeg~T zc-2E&#yW-^0Vb11F+%*H6(Mi)Iep&-(C6x4!#D!Pj`dg@^i)qQ%c`u+)na{JIEI7Lu+z{Z)Ti*xqu>WTvZPRsxB}@ zjqGa?*%}vAnJ^=KUSW&$Dy_K}2x68$jpmzLjjQc4bXabfYJPUHHn`d2e)L(R2BDr9Ybx>n%wHcRAS z`&qyE+PU$%C(G~qUU>j|mSo|MS(0D+K^}2Mn-xj+%}!vd>Ca1zesc}6InCCs-h1XZABLifgM0R_dr+Az6 zLJRpI;EM%Fz4$moP_mcSNn)){ki^>be*S24#2!E5G_CQ&&eXlpm@-?REMW2}_We*c zRqa^4v_PM1VGk4XX$nG1uhJ)5*<&uLBQ5dcY3lC7YtyfLv(mJ@86$P%BlYlD8jl}$ zq*ba%#-@I?HvLwzo5t7L2Fc{BmW7nk2HSOriNyMZT+r+JPM4)(JH|U1suh6OflJA6YQO;OF_0qV z2lc#Ftp11zNNW-ZA@#gvNCOK1Vt-QEA1C{h!u~keA3OWQ4!GWL*wEx>y)o*> zyy`ioH=q|UXUoQ>+LD~=&tR$@jAewW{v4C|*_WgS87)WkGwSPMd9>9T)O~oo13^vz zHI#v{8ge4){*b}cP$q)#2Urbdp&7{w(-8xCBpX&ipz0!W3251^SY4fgB7NUyPsSg^ z35v;^LwBxNpcGEqd%1xYB&?`<>g4MXk|@<^t)SsMdqN7`Ku6!7g( zdP87Cgq998uVJr_V{+2?>9GV2_;yCVH3#e(XA`)Op>Y#%7;XxOZm^-2@&ySh-4`IAC*uS|mMOpYJGfBJ68MEOT%G@n!A(HB1xH(z zhbmX1kr7AbN&zV|)ckXk90-;Bu+EKWKn?U8K9)YLhkv|3L0if=fdn7K#)rX7MO-_} zf{^J73z(dmWqf-OLCEqCy=}&ZaDtlGtNFiys%_p@Go9PAJaG_l(ON*rG&K8TlN{(} zNy&P-K)DvK+v#r!>1W+P2ga;SBB!5ofn#c$ebgie zvP2$8ChW%K(7)pdA!A5aS7!^1MV)0N9!}6UyM>ij?o#v5Pjn!(yoh&hNI4Im{E+c~ z5AcxAdj6Z=fi=tC*$LXR5T^GKbqDWqAajG4QumTOVV-KSp8x0XY{P&oXnKHriS?Ym-?3Bccy^o-sLf-*c&E+2 
zvk0sU&HilaA7GpA+(QX!TBWxH?E6~j3$0EsbRYl))Vq+J8a9ND#K=v+p2`$S-)!k8flg zMPB`kmLD(lsJI){)XRyD$98{)05Ttd36hpKy^j}svGidS9O1a+w=w;Y8Lj8 zGuiQI)2e}5+8SB2ZI+2`4W==Ywi(kp^T-tztW_tl^$G*OT*fBH$W%`TdD8Q;fDl;u zg$3z;N&hv)p`Eg}p_;*EZDw_bO!mszU#K0a;?vI{g#5n!V)d8oqYmq8r=%BByu~b) z^unL;7Rgt?x)q1gS+~|>vJdOUHp$mqF-X?ZHV4U`@jjbY)(fk3Hll1kY<@?An@?lf zXzsfF8$t3luk1&Hn}5QzQS#NVI@~fJdUL6gBbe3^Wpju5$-}b8xpN5P`vaj5Xlxi= zjSzu^ZnN6k7*nR%o;Lf_-GNYD#5qp44cOO#w`jICTDt0I`^fgRpM35o2W9e^P%L&{4ndo7Hy|YNP*x z$r)ezn~{t_s9mBTV}0~CS#yjhw!e_R0s5i&`SSC!h9q6_P~v1@bDQ7SDL(x)#O7_1 z$!VGFmdQam`wKby3=XyW;^L&n?A=BRxD#~%U(_sTAC|Mv%Vdu)&V*TUQlnq^(w}`M zd$&ZJXr1xZMaWK+#)^_AIs41(I=xVkNpp6cZ{MmuGI??7aRx)JEvGK>NTj*eE6g=Y@8I!7tXD+Ge@75{+^s;gs9YyPL2ZI7s4ctP zbT-S05ckLR*x1r8ED4g2&%WY~Nxq${`Z1Q;foY6ZZ(y&@d&|#W)@}?3f%H0@o{{~6gQY3Z+L*Dbfo z!f_mG#2E5(h*Bk0 zqC3n3lDZ>PCP(54I}SCgdF!dtYFZ__13pfE+4WiEn50kjP|5eH_|y-8v)_|bq{UCp zlatWNZ`7mLK|h;@ro9`vJ=&(E(4FQ1b!R4NiJ!OQP?MUcA?1{5p*zV*(jpVesy~K9 zZRGsWv^Nz)){Cg$_mTM2I!GsdLey`g4ELKLAW2&g2o_|2n(1-LBAOgi@; zC1tfTV=h_dKvsBfZJrf z&~_R8Nr2mBz0lqR9x2xsJ7m4k(GxaTUz{TAg(*E@#rk5WtQR_a!t(URsj^;}+7p(g zFYYDlg}r*h()Go?WxcR>515kbjY+wu#dWdzX|gtK=OC3E64ZEVy&9Xi@Mb=AGdK6OZ1-W0F>6e#O(&n*aeO*kfjhVyLxKsAUmssWO zxLW6weRb?-9i5aVsVz>CJOM)7mARdqcJ6lMx{S(qfLgqRFb;Wx=L-R$UDclXRvzIy zsLdILwSrtQhYJhREJ+_vAMf}k`>q}W zSFh3L)#+gTua;*aaqSrkLM;a@+=~?0^$g}QZiwQ^^=E$u z=XKDNSELWFW&+(PNxNMpQ#~VsWTq!m7ET(zpC}D#>_MCA84-=in(WDitO|@c+>J0r(I+a{A1$(mk` z*Wu9qfS$gg#+G93CDx{ixs6Mlq=7URh_!q4(ZgkOYF{S~wMo{zx0tZXzAdO3{fmO! 
zJ!Po{xeemD2C=qLB3}|iA_vGR$#;I0JsA4joGWV*w-^Y=`IMhKK1A5+jvX(M| z*fx+~1n6$RZ{O+x=10qalr@W_KSs%I?3MYNUtcLO-fs{N$({^0?-??A4^W|{vx{l^ zDoBozgV|rn*z?A^xRAAu7ZOj^isne35BEIaPc-Yfg!GAk*GlNu$) zI(?bFo7NdG{z$0|#SKZHOv&fuq?{egKBQwIdylWZ!nWqqHD5|(FWDuNlM-XmK9+nP z6}@EAxz0~cN$jOTc1hWd$u}wfHK#U8YnpJV!jnO&-(%Pu2sOwg_#T$Yd+z~82dgpR zh%OV3WrVtki8$@{?^<0IfTffa`Pbhtf6`o zWBLUgT2z9qi*nWTR;BOi+tl-da1+BUXYZK;(wfB`_9SfLDnzPoWE>xWJ#78GAnkOzf?VKmBny|>+UynDFc5RU& zYXytc&XiSISi^IqxRHVN#R4Xa=E!RWbv}Gp(EVY-BJ;y==Jf0{LTC1QvPju~L{6jqyQXKy)tGDlQ8GbE{fsPI#JZodYS{l%_vr+s zzE~os<0oB46{S=Xx1BC+S;l_di#K~|H+6O~j#(=iH5Y5?N#eW#@&S z6|8;F^^AZJ-Gyl#u1Ww$dzicp{tnHuK1pCaR3G)FXP#l?oAJ#jz0JPQSEa6?sHHCsoq77KD0c$|?G z8gF6ZP_$`PzL^$n5}zUnE;>ts+MEK$RyC77>QP~yL`F}g)vvQ&s4bTA6in;(wV2=1 zI)5})UgB*ks8Kvlxn`~>wP3B{NyWP2NtJWIS46qyQ32BidF_pUa>6`;vk$VGgQ4RE zYZrK&vc6QH4YUr2+U89lqZcHbkZ6qGTWh!ghkl^Dib74aZXU^7Tu7_evJ&JO9;@%l zR16O4zBL;*qN|5y1Oz1{bYDv8uQ9QsE4nVkq+OUB)Rv99TxN%3O`A}{6IM*f>P$V2L#L_yPh@_9 zLqS#}Sn-Tb4GJw-Xz<3QnhHBASeqxzQ$6D$)t1_EL!?F1SZBR4>yy^t3kVVZkI7p& zA0Zox9EE4_tSdUw?$Rew(iexCB$ECVrn}8gAn#7N zpeuPgmkVd&q}evn#^nx8@wfzrQ4(zH%8JpsC~_69YG9uRLsQ>O^XrcZGO2hoZ5**}Vx;0< zk}i7$Klv_x*cqtWq4)$8)MrMKq*;eSryB8=LZAG{w3T_1mi`3YoowX?9QxtETJc?K zg(h1`--KzS`7dv*im*9=d5YnxI2#?urlWzX4u(3)quL-zvlceUX}N;8i4PF^kiC~Q z>_1u6$uMl`4K!|^)P; zS)Yb#OWt~fM92}1tLiLl-}v@L4og~9HDn*n--Qqo|1a)s&cDyXe%0y0eimm=**gb`x1MK7e1 zFIFI~+bQ`H;>LJE^+(FpDisvBO!j4;ulz<(dP~EfuVSV3!cP4@>TSa0bNp~K>t#^b zE&IMK%VgqDA7A5=)P~2|NRXMre~2{BwMBY?kbN*p#b_8b6nk;}umuvRg>BMo?%~Iz zi6DWnB`_=MOH~#BWa1E;6?VSHoi>CdUvuQ3KRGYW-kA3Qk0v1L^Qr8s6V?666slQF zbST!Bc!QxMvajLn-^6j}WZ%&xqakR3x2aIvmiJIl_&BI3o-A3ceU0@OSM6fM@(UxL z!Za@VcCS7hpgYW6vNqQ<-%G>7bSUoEMm**BeP3oLAN$FPWXbPYgPH7ohD1J**1ngz z#eopnhaaY}ph8nnIKz5ywJdJSmgo+w#w|tq*8G_x1vHMze@!#L2@BJ+_X%fcgYPr3 z@B>U`Po}WD#X~6#=vAzP>Riug?hX~uVS3o_Tz(i4*;Am&o>4T$vmY>FU?|pRdUCh3 z{i~&^(I&-CcE^u6C9ZIWBBdLGb`VpIR^$+ju zV=EEbEBWdxCQGEcioGDaB<=Ys_DWKpgbykCj7d&=ibBvGN zq0h|ECGsABpfU3=Okyd)p{bskIu;}nqfO#d@4{KKwd(bcY)I0cdmTP(Br`o26H_98 
z1whr#1)~KN7G~*rclgd%+!qWTn-qEpdObng3cX%+jjTT;6or1A6ng6oc;Van2J~4B z{siT>Cd(5XqGt$*#=z{+c6eW4HteH{or{~UYa_r3L8vO^c4{990doc28Q zbDVGHAD}~Tb$93wQg`oWdV=J098x@3A{(A#YanUQLv?+}A-ljmP8W1EJE4Q(8K|SC9bwMmT%`mrMZO}y- znb=!U-KN~)ZGsK;f%xR37b%srYQkC!TV}*NoX@pipt1O2r$ji^{DjJ$(VFZTjjLo& z0qnCX*^|pDMV%OJ`-xJCek?{`yZ~9T^tU{ZBZSu4MqwJ0e08hOX)`^UHBSQ68}ofp zHe9NCPhdOO+gy-)UJ)^^lWS}P*QO1WN!&akt=%B}e{_9&d=y2tfAviFWCDSnKt_Us z#NEbUqOdR;G$Uk9XL_VYCK^r9@Cx1yn`K8-mdq$@0wnYdq|&tF0>bX~?z%qqx>wib z-qnOf)R_d5fC3>Xu!0Z)p@$}f=Omes)bCT(6CUd3k4$$}bv;g1ojRxL)cKzE8eD0A zfm-AJFBUkkFQdc}bF>?`y4An#ScI|YJg{OEU%%E)rmb@?pMTNW%1@{4@RXz7*<5wE zW0&ase8p(OF{~nAKVi6YXTTz&v|8Keotkn9V|OUL>?e+} zBc`Th;;_iqZ%8G%sM$;89$Vn77wyv)T*6r1X>&8-ntqzg=RUK9+Dl1X-$jglJo=ix zoWF>%BPMPI08~4VRg^hsehxw+XIsT|QC{XxT9M^Zo_I#&>pc}v{Vn4`%buwnBFew^ zTgyfMc`>1%iTnz2v8Z_b5^BWZ17~qWOnzdqh&+D%eJ|PvakDn!62|)P3(DFHjOC|* z*-dwVyl9`>af+|sOla-nO3~NaQx}Qgut>1Eoky2LzCJ{|p{e30KGSS3+J~Ebrc%vu z5o7(N&rCx;Cn4i5Vmz4m@RIKc-S7^GcWRqR(tnUXu+dRQiuI5YR!N!j@5zWsEZ3s5 zrDC3_zTj}~Tw+!iV!qz&{q$B7Im9!CB@B+qqJH$=;rXRf%eD#j&cY<%0hzu75Psl4vz>0~=(@T}< zRo(6T!;UtY0@gC<>7{6T)e0+ArbCFPKSLy@k75{$ufnpT5@;?;mp`TnAu56p6+Ht{ z(ZawezP@4zl*<+ah>q7ZPhL1XUwi8Uk)le#iiaUO{^{MbM2EKS0>+=tDgr!ak zVyU*`0>;{-7clmvOK5kg_CXi*!lG4OFn<3Sqn;rDAIT!ey=0VDK(bg@2!PhsMY5>U zre45!_MCZ9cNfMb^iHVycQSrSJD+rft1FY4KowMmLZxUSR4Sg4myH4b@z8mxA`7ZZ z7^rw`5LGO!8&R7Im67<-F%ak5AkNRwcSGkTewC8}pt{n^2FA+E(m`NUO=TgbR#_Pg z0CHt9;9tItJe8FIh`Qt%OR+C+*5&t_UCAaa6H--ICY$(>pQ^wkmHhNjIN<}RtfFLU z#avzuQ5hxQsuUGUe7#L^6^qVxe-3U9X~2_f@3iJ(KWr1gdCc5J|(wSVK zekgzp0BZICdYJ{H4t{$lL}t8G`gP|Us~O-a>xYpuChcn}jzx9(Pei$MB*i(2oH0S< z%7e%?S^GqaW2k;iC`XOGkSoW>lxhq2n*dbT6C&o-K0Cw_E^l#JO(uvAN$AOQcQ0KA~sOFCNiUrZPh;YA1NcW-zf)y%bgceB{ zV|?KkY=qi@QIJ}ypyQgp8jC7%gU0F`>3{K_L;?b^3rq=xO1>qEM(ZNKkHAUmO2H7-RG_hU$oPmeNOh`<}Da5GWABb;#P^Or3gc!H4N7gtQ+ z-Dmv6WTp_AQ5)8~&Of8D)6x$g)wqA)^`Co_~i0==T{Hre4a6V{wzFThwCNAWu_LxgdoVAK`EB2&Jgy4oDwZT%?*%yRy{tIy-kCv~KGes~_Tf_P zxqLG<=*iIbJ{-r|y^y-@9H~?Z8Q8vhGzAJ)ssuqVCfO9Iiv+8@hbchkv=3a=ACG|T 
z^G8!(JQtmp9Cz8g|;A9ZM6o%4KP4Ru*#K)rq{ngG!L`13gSF{PU{l@$8> zIL6UF06_OnGxZKugfUJaL)f6orMv}z{M`UqarKOZ$Dwq7+jqmE%Kc0NpdtyXTqdOJ za$W)vVu)gvJG$jo7MZ(uQa@nnP~{rm1OPf+IrRSgr*G0PauO6V%R@~GpFn1LDC1Qp zZrBKbN68kbr*$uS)(X{1n@8SZ)mA&rKtBcL8H=fa`M1{q2!{Pvpi((mTl5iyOk0fU zo%;XBZ~Jc8l9<-=Fd4%|i=mRcZiwO4c*@*uEWq~vNVNd{s~;jdEHmbJPU4miR5*UD z1vuKv<+p7?mLhgFvalw;lm#Gg)(BrZY%pAoFAa1WfeS|72=oRz%Ui00Rsa}K-co(x z9xD6EZ(Jb{@*Ah_p-JD+$S*1Kb;6p<4vI4&>Lm*x-!QFEO?yC6Hdhg)1NB06%s(OO z7o7)SS*)r8mc{voX-mr`Mfj%&^{n`rq&~@b%Hk5=Fkxx=BTnJ3OVR_Q^Xs-}ZcPIq zKW952zasBy*NH9&X-al!`6EhNjTg0)OU{u??hK5O>Ne019?982Kd2Z|j;1X}2bp#~ zR4$>E#e+nW&y|Si0#v4)yo1o{#~k^km^WCKrUAgTqcn!@w#z-!0%sjz(HX9Kh;Q(& zF@<*dC&04(ihqMuQXgX^M7I%|9br-KXI4NFH}ef`68Z=E zpr9-U)s&3@08pNf*oyKNX(M0&{M}#{SRn(UAQTRak`(%hC=W0z{!hP6#5*OV>03m; zL9&{%=lk06F-E3X`|&AJr@Xd_%7nUGS>KpMU};#y1Rjm}6?; zfLERS3HAO~E~3W<_=a6*JxN_Iq8G1~i^|k;(fkl97Ods@sOl3?w|3}O>cXZgukOS9 z$zxv5UOxY#sPecuzxKnaB*=qX%0)E8R4$@NP333?teq762ge4Jnmw zA{KkmE>GlJ(_?D!Fd*^``6j+W3YlMl25KW3=NHw=-O!~EYPjGX9K{|FcDz`ecdMRJOVe-}60Kogoad2I&l`xG%HJB)XD~6+ZB%V~$NVVd!cD{at?dm9+ z>1L9ctR>1ivJ$9E7_>#B6rT1(-MWkS0AO85mJXv9ZEui}SYuM)|0%WS?xD7kXbXAB ztJ`vc*6Ty-soTMg1*f}_NW6i^)a>al|8sIg$T+ z4>JJe-a7*wX#f7GvzFAPVuS*Z-V56z=gmH5e{{Zc?~*%w%>0@-UP*)o2d>#l*RX23 z&Cs%`Nt}r;K{P;FuLI94dP4h?nt<(~eR?t;q1zu5^d9`?Z<7J$C?qSMOq zFSL6aO@NuFA@>*8J^eHlL1k=>-2%j|^#1WbK{W%EqEj_-qD$~=zM~s97XTkR0sv54 zM6NBO@5f5fiNGrB_YAbnGfu*vEd5l6?%~2uVaVz;7h9 zH|wBo_6?L8^?i`AwaTN4>l9>KptZFD5s;E-+CBW6ZctQIUEMrNm2V z7N8WJ3$+v7x8e;SGhh2^N*v2&=fE7IkrzDym9bA6iHP1~E_x%k|6u@L8Y+iP<>(>g zI;TH~!+Evj$XJqY0`wwUvwTd=rOLo-2$}3 zH_SIdWnwu|BG5EJ?qiT&NEyA$hfC!MEB7&@+o?CtQwGzK8({%14qFbbE;KCM^kL%r|`W7aH~n;ZxcbqUM=Ibwz)v z{&P_t7_xFK-|*4@7%2$v(%MN1v#3@H1Eu;Me8Wc{7?FgZX&;fuBoY}b)!rSz*d4G!rgu%HTv00SCp<^Dr(~Yi3s4sdxfv59t&~zxa zzgNk%jIbEqz(x5pDzfsyyBGi{W!;XL+tJy*GYJ3?7%rhpB5roqy*-LBAdm9&I=(*b z9(hKIEC{TN5-nRxwfk+0tXhCq40FpBU^6dwU3FULc_Tgf8qdNpKZ$v#{8*Dl`uxUcl)NE(Ew<#^<(T&9^WjX zvwTC^6KKD&qx#}dv_BF}s)-QxEAsVgd4u^%f)y1DW1yN{OZ^GmT;7a9e?m~5()CAL 
z;P9IZd}Yz?0BGZ>0Jc+XI|uPjaq8a*h4@ux>2>XYn5Z=MF?E%3i;JM>`DjBp%2EBhNqN`%@ zO!O6TmHYjF5qhPimy7cDO=L!Z zKr+OiL%Gis=unFoQCUNTAyEymYTA>cc@q&S)JKQQjp-tKg}%Tck+bGV)a=}i_VJIz zo!v_o6@+5`U-`_at5o}-4`c0PdQqrLoiT zJj&y5i0GwrV%-B|%@%7`4$|{)ag05IoM!psN%2>{UkK(yn(0|1=6m)z+ytIJKL zT7DmCV#B!+lz5AV0}v%^35jJ(-Hub*U40n4mA@0}xDD$0xKdI56kv=swhv<;Cy`3` z#xeG>YGr?^cAnmL<9_ox2lDy)lnf8vA@U8|Um>*enM<|3af~JB$>m3&GEI=jqol)*ih`k6lLII-#SR`~U46H*V<~YSB-ITY%3rOQ|@eR2~h* z_@J4>sn2;=Df&{KZW2+iS9x}eSo1Ae@kPF#HAhZxjyB`!nd?iAE}%@<%V-kc0LrH$ zsQ{Ft9L3dvW*jD(h@1MJFwKjuX8@QwBV2JA^+;La-1rIrUOJ<=wj)VMn>u615-zex zNHc9E;V3Sm-OiQ*HDx64YMDrbBw>t44UVK|adZThMcj2&40hLLGZJd_lr?&puce%9 z6CXN57W3G<<&fDC^o$Ha&B(?^lX$!83I=pI!xLAlYCSLb8$auzats2UJq%4f>U zS!nWGpd2>o6?t_&b6(CuGkrJfWqEZzHZNx(OW#?&D6h`P<>f5o=sTyo^6Gq+yqtv= z`fkzh&#Ut#<>f3)qVGxiPoW&PLb=hJS9ecdPG(>vMfQYFjbG)*80%(;!^ZY!R^wLE z*sM0u*|>a^gj^j{U9A;AgJo^v@7#4&siftpVoe9>iRpZUv$6g_g4`~A! z>n8DcqVtl(Pd_N3uS7X+4%kr7y{?X2U?T$5F9$GoM)_4+44(!3>i;${NYn8?^*8-l zE!yQP7%N4Gy~>O&uPUxnIGoicpEV)ZDO7YADn;)q6-On-^`*LkQ6Djjkq!=39_8y< zljI1CsD}=cL=A5lE3M^{Vk@7H(!_F4WM1zqp0GPj}hl;Yp-IAqS3BvWN|&^A3>T(i{R_CP1@

h(+g#OsR%y=eCk z9KhIdFpdcP`mJB%6|@M!CFeR3T0Ey=ayLehg-K##zbqc-J2(hJm zDLXguD;pW$FHbwW9nVog-6&`acDureE&VG2i}Gv{CVFDjUcnomHNBv83oMCA*OaH; zT)IWNOVo=gA$N<+pjz{GQEf1f2_eMH8Q?D;d2>KL15s^(zNl3Qb!JE>%%;MU`myCB zulB1ALag?HlqM)AlLM$)2z4@ZjtVGZzFxXT8VJL?q=9HV4DXWr2dT-?Ka=Q(J@_}H zo;6Ph?7F7pS(&ipd(SRN{hVK(*EgWV$XmnS zW5ALQNFDH=Wed+{orEPZt76hID=?XkRX=`QK|&^hm%B*?zA z_t`$`9%Xxma`K`4Q0J9%T(IO6ij?)g8KNrlC%CGXaRAIIZPrkzHh8v_4}c|AklI(e zOX|;7o>N*f6jVHiDRZMLh-%HoT0qECXIC9iCK+mO*kSY2T`c~p^5Ar z#_}#tyhN0vjX6438~)~Z3=lP6_Gae7^B6vZG)4<9wwvq-w(4I;UXbXX;c7~f- z|L~IU7@!_EL~KcEw_}s7Gf-jp2u!$YD2>-Barc~lP)}RGhz9CLSkiwfq_(0%Q1|^X z#{rCO4RJ)&!efa0WCH`D6tVKHg0WvSAbN^yfJwZS>_z#CA-}Srdf+tMm*EljG%nIa ze&}h|oyv>egK`@5PUW-N<&o%rC<}8l8=EuUU)a*ODF9}$Beu*>oxzTXu&+g;npG0P zmU=o{zJ$UHF_DHse!16DtgIPNAnZxXoTd5Yx2dVT@pvafS}JczfR`tOBp#eMe7k20&_JLie+2Ws1v&D@w*b%=xcZ)o727A-a+37Rb5r>|;SH8y+ znZe$)gIyUxo1<-jH0#iFf;^g(Z)8_QqK5$h>;t>Vjs9}Kt_O5KKv4@7ZU%eP=84gd z@HLtk{fv}NB(bDe;4iz%+T+iLdd`Eh9R#P%4Ob%W3_*T~t;0l1VLp7>RUHy*yq zPDljxoSX0iD-k#2TdT)ievRSb%P_n}?gd+axiVso#r+)KCEYIk{YF2ZZ{A|TA|6BB z@h^#DWq-5%UowDvF3r!oaEs@p&R}n{kJq?8TNn`A7?MT?v}u-5Ed7=NN`z4w&uhaR0c{8=e5$L^JIrxq zL}{eaW^*vR?$D5D*?@Kn9^UG1#DTBLIdjS^x^*A!fyXb`}v_zd4wO@ed6MR>dvBCXX<(e(ByuRsEK^KCxSJXp$5N<0+T1P>l%}1r7TH1 zwiypm5MtLgUcoBg*wC^WM3f|jo};inqx+Uf4q!f1=4{-|fappx6vV896Mt;{_o*s` z*f2xfI-A*WFA9Lwu$9^Qr7>x0eyDSps6S1yrPk){F~k*p!vMGxfAmkG z?z>5H0K-`yM`VE~dm3kh8Pf|q%|_s$eWU@G1=K;jsAry^%mCx+2Fk{$wG9$^2-d5H z!f?He6tM-|*u&LQ4ZBwW_GNYz`yjt09VrDiTmF z;ape}Gs1C%#;E?!UBU+3QPE5iW7;ga1XL5f86gy;0xN`R(Pu12CSjHXkYc4RSz!Hj zB#{m*ajyFYx8#u;&<&7%%S+t=*%mssSke)|S{pNh27whZXJH)!C@Iww6V+DZw=xQt zE__v~+S!z(!6at@QOr<{Q89`JaM|7Juu)i9F*k^6E4H$Xqan(!_Eo6(UfRe2AP)#; zOgCB%V5#X`w2=XI`7W%!YR;c)8L&EEno!kvRgi+}0byEI{2HM`@HQ{J4eHa0$HMtG zg#6ydMb|>jxAbEM_z7I%;%BY6r|DmiZJ%f+1%QBRpnAZp@3n@sK)#*b1_02thm*wX#jwH)tOw&0KfOhB2Qt-*>U>F!-1-!j&XY4 z&Bm>52#wS74u>PM3vsWmV}R)zr!Ke|f7k%pWNr;NON^lZnTk1UYZyRVs%5&RT7GoE zRxMv^j3dqYZVmBQ_D^+yOhEFvQw3Kx7kHWkEF^L>kclVXS1}*-mUr+B$79ZhVOXYV~SLy2>)*Vm-3M-!Yuv 
zeLKH38~__E>QtVwAWbu%p7XFu1H(f|V2Sh8SB#bTSGyhC5!VE?Viye8%e|mJctV*2 z81rtVfhV@o2pxzcvoF-0zXH724$duefPk80orA6=-eXgqb^y3k^YeqCx)D;Fp$`E7 z<~*rCM-_OGanG-Dq>1=u1AKYSLr~p&<^!nv8fjwp6gS3Epkf_z5b)kD8yMh0#;Rs} z`;ING2LQ}-1+?3Z!#m?h)QA6T1A{dX`SHSV6FGW5@stA?f8P^FE&Y(W zC!n?zc$$<2JOd;);5`7!&XM1 z&OI*E0IJ`29W9D_=9_IXysFm+(4FfbeS1ZVaRYx;ma&2@uNgJ2B z{c-!Tw8UdfkH?1Mx76hP=wlXj@iR8{f&bdnd;Z%^eeM%N4WeEO0FCm*pw5k$O@mR) zXHqgmwNUB2PCgBF-{J8LFu3pI2(BOjLc-MOp-zNEJ#+AHc9z&hi3;Q%6})0q;EwJC zq&Y38Z0e!}^_@MapR}mcEk#PttV&S-Awhj*4{D!9onbB(^~|-8+3(r z7OBe|FY1|3Cb)i=Ag%5}dh9=hbf}pn>Y4co(zg<%t9p=rW06`%#JEpTX5a$`1WTZL zpxAh;gCsimy~o`fKVX3HfT;Uc&ve*m&%134VJJCzC#mO*mwvVu`jv>wBGny%`do*R z^|Lj3o7qy_Kfz3>wiF}o`Y#yEK|}6Cw#yfN$bhH{00`)dC=w<8)8|;6KuYwUnUxIn zk-Y=nn3)>zHq7cB&`0)x-ZRAMoH**7dAHW@ph#3tZ4!XwJSu6wUrHH}9B-#T#Em==vOWL1nziJ_KQA8#A9L1X zO;SpRnp6Ii0cJ0#Isf)C(Pr@HY{5<6(X-igNZ}T&02YH)+cUW&zkqD6PexYkWB-?xcw3F6ZS(qFe z4Z58%az*Vim#DT}yiOwSqfZ$CQ3NXS8)lQJgqb`g;woDZx9?vJ!M)IP7S6=>3Z}34 z#M;)?2T%Tr0f_UHY#7Ja13P`&Qp5$;*hhmGi01hpSfcrYtW60~dO2)Uee8xjFZ;sC zBme^HZcDzVlCF`En9*kNt}Q7qdP^lJ)i&+bHw#PcJ3g;v_9F$BKI9QIiH{FHz5YB_Yml zUt^1yoHgAdX3__jvU#2)p_UUhCe|~Q`Q3X&pVv%VXr1`P=6Lv%ZjQY!!!g_9=)zV& z<{S6h4f;6o_`5wG-~8`OAODR3K$Fv#97QYuL=tGvq+9T_z4lY&)2}c-k0TWQlEg)1 zZVB2|j7wA@^r+&|%T)2ARYlZ=nG5MX0yG9eWnMN`ao#N?b3Q*vX344O=a%Mkd$Gd? 
zlr4SBD%tY{E_o1_ykwQ^B_$cSWT92EpOm<9$&*&e52WOu37=aZh>&8BflYnqh9`)m zITiI0G|$YehwL|e{6F>^PXAB$8!D?WeZ!9&z*;FYt#$R-gEoij6C4Kj;2>OvL(qZy zXi&7N10ikRAjEy~Ap^{DqMrF$g4Zt}+q`yu+|BFk`LU?6FR}o$rh|7PML;$?6 zS~#{3V`*11|TY0jW}`4ZbV^%g}+B5 z9={BWrDT6i&X1;89KI{I`=xh+1Koqe^_SsrkHsN3y15;{#yl8((bBNS@30#a`Os$d z<%iv@>fgJR6=Si2(S;VPiA0>GCiu)v@Oi2SpJkWfW9_EM6Qem6pT~^{+YnYSFQOxU z8$D%f^oid|FTC=DU8OTo<@pb~tIW8hO1Thf^5fCka|qcQ8ai`vl%kx4tGYmI!-93z zKQCs6SFM_NdV0TE*+o6A2qjKA-wQCd7w~2L*bb2l-o_Up3IwUu4Ah-^D?-GjvBde| zht_HTl!P-ZHYIyQZ6q(CpRTPojb+Ly>QZE%k?+_ZZkG1qiHLgULytNVd0Dl4T-pPS zcB@~z6PtIpKI#C7TlFRb*h=Zfz7W-rBY4Dx-^6S>GUQ{yl<7p(M?2%l4z(*HM$H#I z!5~*F_%-DJ-^jtDsFw292G-yB%>aPXh?LJ}mGV3Ahs^pL-$?#f@TbWC*LgtU|L^i{ z^8X_~gZ%%3&nExB;qx!{>#?zi^iuw5(u{M^Mn1vXRyr=niq85F0HBWHUDjS&ou6m2 z?XGttuGd=(Sf)RTl#WGn9?+cMtRY(Ea1;qG;L}r7=Z9+;APu4RjdH%Rh5^r}22-Xh znakHO0GN(o#&qM%jyOp<`P&Yx!i5$LOHa|b+4v!c&RnHBpIl=hSX_ctv*InHis23< zA4u_y##{+d(Vxm_;E6<6bs|)KuZ8X~HNXJFxgm}`y9mP5DyVbQpTLVv|BdkF$qBOe zAOnns^>L(bL>r~vioqyxYPKV^HT3f2YN$K^GN10YG!lt}p|?&-hKfN$ZykyHK1u+( zaPP*T+F}TUXrNY`cb5+-t(Ty`d^S~38k0stJ!e3PE&t$qq~Efjp5siEjkLkgQQ@Q1|8E$$)UZlx%vT?(^J<`#h)VKLo+(=?!sY{vlisb?4I$JAl@o*Cd{S zx^K?IWRZ@0BF2agYwBOT`+RTJvNca0@BfIj^9u>?j|VxUr!Y;2=xpdJt^jEyu+Y9NqtEmKxZ^F)NH(SM#t zsC!r2R(dZJYmCh+eLU~_Kd9$?`Vfgk$7x`?me~q~8x3LU7p~M-IS$ZaUN#f9y zv-BYcApW<0-mMleM4+h!WP3M5El7nW3=gSlyX!?YDylIeN`HNe0cf-QspjXIF=hVD zzL+wAHbJU7pq$T;zxPB!qX1hGA$iv>#Q*$9cSN#{bVr=e)pn@18Y2eLV5MPDG!QD3 zc1m_n@nh-TLTu&MH?e_nlnktG|G*zxZY1-jXkro6a^fG6Z#{WEkxXib2i>opS%1ZN zyjWa1ngVJQk+&q^cHygJm=1-S^X(7Fh>`|EE$3e!kxjSP-@;STxbfRKGKZ0e!p(D; z8R{@TTtC-2L!HXg9^{FL>Y?@h#{+=45rm!m?WM!%-8Xv5V{3;}J=??by7&tRsbb^# z4tobZNKH3>J&zDuIm-=o-_O%6bWc&wnLmdH#>{hMdx7~2mVHCm$_0+T`K3tC5_R9Y z=~zENh%?_w7;q`GEss&MV2*r+0cMJ4m#7{!Uf53oVwW!UW7--c`)e%U4nf^Ff4T*( zPb?*f7+L?0eVG03)LvA8lWAaazD>{b_q(SV@_YcdK&6!DSo^b_3sO*U$jDIhPIG~ z>h>97BsthGTeW`h+SAaxRlcSm+$=MzY3UjQ$&8Fe>*5INzSdy`@OdciyyVr4+}p37 zHm_^lvDzu0wJFD2l-~`rUu3lNI}Lo&9XD 
z8Fl$rEaot~bh~Ia)VU-XFFoV_kY9cqTlp*nm5p?M*@Eo8(7RJMq0Vi3m~tM$>{`0m&C-Tqn;gKwvYjvTYc1cUE?Xx+y{?Kp0robwe00HqbB!VRbc;Xeeg z%Y{`3lVNXHI41R04z;UAsnI?Nk1yN~Xmy*{uF16orn*xAY1?qSY@l7XBm=b~RGZ(| zVGkqWfdUWea&N=9PhG3Fg$w*bF>wOZQUP)4a`+2vZ z`+16-=dKE9Gi$I~MBIGI_UI`JfY3rPyik)k7aOi3%okF|TNY%!lpM>anCM3o06_}s zX*+*MXd={eCY?j5e7qBs?qW;d!7R=_2K9VOx}JUEdGd3tlo>kr5F3^#021j?m2C`E zCEjh;kj-0Vo6G#V(9R0>z+?xAN@OE`ffER!(SQw)qe!+3DOpf9(S;>V<^ZVY+%wq$ z%m?n${6}1Oss1A%fHvKwEI0yyY!<4ml(l&McNqVfYf<8F9y)TS=c*6cfl- zw76JQTa8nFXj^9SEuWl*Uvgo=T3c(kD59vHNSHIpW`0lN=<~pNYTB z5K%><>Z^R00Y-jx9C>0Zjnnu)GJ1c57YM(V0nX)#1ldW}S&t_1t}`Ec5aQ}y=?WNq z<`o)52had3qSxUU$=wh~n#2#X^hD>>cP+EgjdnzTrvUIY`}O%$pro!)d!&2B63^5* z1TQL&w}z~IO+a73Q^s%DKwU|K?(epJY+OOA*c?C(;}SQeKIDccX3WIv*+>h9xhjtV zM$Koq3+86wk8UN4iTU;UH2LPvo1dZq{_1kr^J(_r%9xm{n>l5FO*s$asE^qbnn6HIoed3DcCYcrGy+;JO%N(P^-xcv-e!QO8LHdY0R{lSdd#T#0T0wyM;?@xDRA85H!r~xFP?{)df~d9_`#;C_YxG|L06{_2>;a;B3Zl(y zWq*qL5r!l3X^}c>F2`%^TMQVdkMyYfcA5}vtZHQ0FC)}GwsJC}s@X5=p?8mb*xXqV zM$#w&{UG_&ee9QKpuQXtcj{=B;f7VmlcDZwo8SOcEw!(z(~ViwdLoD$_!9AlFf&Ab z`1~iZI=LJ<$a87~tU8_ob>H?04q*N``2sgRPb9I;QZ&Shm3ZPQ3V33xX*o%0r1X&h zmN-jZWiCv+?rWUs0LJo8gqEA0fU3I#xtgu4r_KblJYH=e&LP20 zgs!czo;N&^aPt&QM-Ea7Jk8ijJU_uoQmlDk|f1?&Y{N= z0qvK%Qz(z{8Ne|AO!9U9w(6oDcmCzcZa*GTJxqeYtQfT4J-IE5rIs-oz9z(OOYW~w2N-`{O927ZNWDF~ zq6-j0;a&0;s5xi6&VW{c)hCGrCuwWQSDYU3?q|c-+h#-tRyY0twWnRMWI&L@HB2|& z`!;UhwDO2&m_J==ay<5uWpW5BdyMyK|N>J3>rkY zrP82>Tk`}f&EhJucr0>VpmLRwAh|j}KOT?CV9FHYuTtJiF>YMlArI)vi=S%z6(JN* zYFz01Wl$IS2l3iHkz{xmbw58I>N!8;GQcpNq<~P781%hy2TnA`A%vDC;*Ln!gT^hm z%&#{3Ri0NGU9J1BjCgh_n<=4nQwCmc{5xQY^ZgYJ$f_yS7t{cCJU>idNWl^WtB%pe zwd>+2pp3Sd%(C^MZzVQV6vf&4t9GE48$n3jOb>3T8DVA0~pgkk0V&;=iOL9hkWD^_6!XO2!U7Rht0~u z3t#qKTK`s0#L9z1I%A&G`0o}9>&|k5PssPxYq(W^4$_|3WNYnO^EU>-6)+rI^Z;pV zPPm>e?Mnlo{z`)F$!y3v30Zi`v&$I&HE{%j>T#0rq;hi{MVlxq>N?jVttF4y^!(Rx zWVscQ;Em~P<0w#(fUho8kB~1h)OLX_sj=c>j^f7V!>o-)#unmu5{}Iq40T@=I*4Ne zG}1qgqgrS4s{}qy;$gY-AYSfb?2Gvn*?xY+JC#qLbq9H)KH7Lbos#(UtY4_pW~Qh% 
zs;41}psk^~C`C?1em-3j`E>6#DLK4LJ`#P3Om+6f#}Gm$t)322uw)l3iA{%DdqnD} zap0>sisIpoduj|ewfpnRAzHeDI_v$FeerVufcgt8IV-9y>aQ?sPe7M)0OH;+V*r7@ zgeBXdx>*PwMEQ2p0x*-?13wwx*Ku1Wp+pjmeyj)k-(Bo1f0(M z2=AWNPb3Zs#_`HH64gg|cVM|#a-@(t5q-83q0)#G5}90%Q@E?;e%Gk7(SmZ{T5)|dft_`=7-gVjHL`%9&Vmj7*&YAY0Z4~0OC5! z2@d~{cHT0He;jd#ULs{1FyF_ax0DdeYpnFG-coV`A-`qbLN<$MlLKUKZeaoem4!Q? z?ps_)Y^Ps8j-zn>yj*L$)EuJ@TOCBx%%S0Ww(KlfuPi(&*&;Vr$C24Ph^FEDyMZ-N zq3%32#sTnj71=STNF#C6?;uT=hePEXqAY?%e+W{Z*kpWfpvnN;R9wEWw;dSv)0ehK z4v{750i&}fZY5%wcLmgabp;M!wEr7VjvXr*Kox|W7WWG`&n;40)CMEz%Q(VK4`JgD zk2N=5p~e$?hZ5D;bi{pDZsjMaYDY+&%DYL{1c^@%Qh}16rW;L_aTL8B4|zY&1W=9O ztznw-5PX$?HF4z!WT1GVARa642(AIlBk)HmW{hbbArRzQhl@sa4 zi;q&kuMMyGyA6?(8l;K|%=*LS4De@}fsz{K2wmWb>GSDAo!?a8X@oPZxFK_GtG$3?Xcdi%yONnZS`H86K+`WRaL_RTA z3~rMh=Dg_IfO;UHu>qyd6{MhgyqG9959kcQtDD?pZdpSG^qG9z&lVU^cYd)4FI|2< z4mGF8YCCZQ(MDMcVvWmi^t;Bn<#wwwV$x)|znGZ1(5d8UWAkXzI;XD+)ahQ&hW5EPyVB-ZM+ zFkV&jcmVaBUrZWcIg-ai?*Xh4<~%#jQrHPF*K%V07uP@r4A41few9u&G`D{g9e(u6SQXfb~^4ZGmklF~<39iXYr%bEv zQiUy~0jLe0Rl!^iZ~$r!s290JEgNccT~NJ(Xg^SMh+2tD)E;+PAgosuhMQ#;YPnF) zc_!ch#-vV!gz{m$UT`?iIp;BK`f8mBiE0a6W-K8$`}4~2!J%`^90BTS8AUW;D|dB= z`FN|Nf5R>FR!2_~q=9PojYxEXU38oEpZ!OKAdTT79|b^Y{vg1XVjDg`)R8W8o?W6E zBYw9PWq9@zpV0hJ$CW*A&9iQmSx*g;{}0+Ir=CdAJ&E|cojmg)$tpJ)aaR*+DJ@7t zeSStU;$96gpuiLHY#|)U+0F}PB+P#q;wESe2-in90s!=a<9W_Geo;M1=0rWFSw)(O zr&sh%V7II{3`f}Ik?2yZ;3_#8RvDwCVX_ezVc(3H&k^7T!ezHgTEloE=3@!)1}pzN zxgj4D${9YduiOvY?5AwRh6gc|oV{(-p|lmh@P9WSb4$$5m7 z_zi67c$&C9Z5!(V9%Q`Pj*zH5>M|ZWPvDQPArC5Z-2|1Vz!jQHQF4m0?mR-#Rr-ka17XRWjD{#|82tPKW2Ns6* z!kYv_fR@sfc8BB)GE+=PkeY%xV-Xn}sY*K~&yM-|jDY--?{H5jSr`T-IVzD4EK_bYc%LO!vf$nqd@xYJppuknV|iH!kW6 zwL-U+x&)$#;Qd}&Z<_w=9^o?tBhC-L44(su3d}G9i=^48mP3VtOXHlZ-f9~3pSe0wcwusTg@3(W_9mIbGl;m$)o37 zM-YpZc2;sL?e4XJ#!tD(Q`hi);lCa~nQY{<%WLx4%4U;+%8f3#++s`?(R8TY zZb7Y${6`#xa;M0}Xd8+33(chfEUAb3u%EFmB3~04Jxxx+iib1;>b@uMZ~)`PyKxkx zr;w2i^_(Z}Z~(-uRmkb}_&XeUxYnDDr{1JLr=apE04D9J-(Ua$j6olgkfzUd29!-4 zWUcRa&&PVt@HcgWg20B!VT0o5T|^tVvYL_$5_cv|C90wY?WjHHf=ZPY;vLEbX0CNl 
zdCm=_C!qdpI@In{0cAn?`kUt*~5L2@tW0#@IIoR|MZv?S!-E%xf za4evW0looICkv=U%8ly*IU85H^JA%KQ*0D|i1k)hD2K*%$JH?rktve}{xtQ*P+aLq zgU>H)M4E$4d>UXlWTcIv?oVn{*$GX*v)qPA^!G`s-9z26h=_bt56Cik>IVTCsw^8d z@=y}z(0L1)f??D!dQ!YbL;w!8c3P@bHu()NRaBKRmlwK<5gi{kYh*8VC)S9lDpU%sZ7I9zw=Dn>=b+*jy^R!0`=)m?`VP`4O(0A}L=brrbC2V=zZFEa%hncMrbJ zG==$cS*l@ZFgjmejP%c=ZS$f@uhs`Xpoh|lR=;SnNXvllVE=KY!x z=cN+Ym5=e{QI}|)GsBf9_?a|!ko^CdTK!lc@i{GpzWE(^%jC{fm(BO1OmgEn0QH z&l}Ez?}v0aONXO}kp9EWe>1i{od!(S_ zi%A;VSfY=UmB_?$?dp(urvMv@(N-_{VJnZm^wv+JVe>JnG)xhchN}z5Xm=_NQ*3o{ zO$z8FM0Y8)S*ahIW|^VrE_-3QmJOAJ^%~hr{=QWJd_%9a<$GyMyx^4dcqO1zoP@W= zO`t8-vBksOkjkHy1!W`qPl%joeAqqlmYiPBc zG*`A3MQFzIYxP~x54_Qn_Z3Cxkma62ubOQ+3$I=-7OvAWd#6C0K;wQ`y>BLVcT*ZU zmnp@zcT-xW1oRVSir#3hO;e(Kyutdc33?Z8;jcuKQ?zfDXmeI#eK)1i9=~=2TNMHQ zgitQTS`;f4!vN^Bn%CKHxw+K^+@}?;wOJ z@1PeP32R$TQP|9F3K?qpKH-mR;=&;m`Uv?Jq-$b(3|zP-LZVIv@Winfd`__BIfL1VR3f1frMHH^D8 zC~e7dVY*{dz1kO92Ym6cu~hbi&HrWH^zAM9Xst_;wy17|=?XzvE4Ese#HajLPXzHner{{Yh+*6Tl?`bzaOA-leK z6U0#dJ>QNlKBY9S7B3IGokFN0lc#ZE$%W0l@weMhv`vU61x0Tj(jN46lBFjF6g|vw z)p4a`WQ~Ywn*}H0c`X6FS$!Dzm3{)^-5yIRm8){F;kY}(8Ji;*Yu6_6B-*xokRQK! 
z3XTTnTGxZE5HhY0t`-rEYyBZ>9reY@zfy$)`cbm)Pe}kQwe+8d9o$jP!wxP=csd;$ zYn?5QywxJIk*wnao7**;A&-HYhBx{4S(%V;@%jOFG@H6-Jt87~Ke@i>f&`Q~wo6!_ z2V!3w%h!o0lCNn~VUXQpuYwGOW?tc~+>H0Xr2zKT^%#hQA0gF2#x^9Ww5`qgCglk^ zUkKUJquEtLEIwNbes0;TT(hw`<{Y&_m}Dk6rGD@zBx!L%YxijbvH6zV4|MncTP7la zSOKYf@G9=p3Z5xEEb%S*N$w9t-S<9}63$Pp>~(#evSJ_j4UMT3?1&Zq5Nf@#w`9xt zl4&dcAA3H)mU6BdbLCJQqHf1Spjy52JnQbmw6jT22TN~gC@dU_Oh9TMwiKp4#Pj+@ zn{6Lj+E-PX734q9B`Nt~f`BePOz(Tke?LsW5cf`|l&%A<0FKzf6OKghNab68VinJ~ z8aBq4#Hf0g5}7y#Xsv+M0X|CITULt5*BRC+8TJRp6ITO88jYi?U2KkiS)Zir6|P(k zi(h08=_rBV0a9tF$JhIn0E8-(?fA-a>g=?W1gR7z<{tW%vEivB1JiAURdqH!@0 zBihZqz;oFlQUQ%^rZl#LEW2IFfp%P&BFRnIi#OR zWP&2;-}(U0wfyHlBq7tnc+is!E69u)_|;0bYb1qW0mM}Nl=*{A)4hUR)ANy*rD z0d1o0i4U^b>(j=tN5E(p`OOjdHN9|WuDQM^l(5fTvjmtR1sfK?_$8lp^h<7Z;= zm4h0x?UA#YT1Ja#N0{!mtjO8EY6mv+9t+rc#MI-}+*Y;^8u+3?U~D@|yqGpd+a}g4 z)H*J0xw*=YM}1Mzc*LfkdbW!e?3PThmi5@AU$ISC+p`5Bw3e~CyNm2R_8gnH3t0cM zsNoTzsG*=JenMRS{jb-uvsJ6 za~$1aj}j3_8^y*WX+@cj(4zWBX)M0(ua+It9aRDz^(EF5942tMnu-BCrHLr<8F+5_ z|9O)gkq_1>^fsO@EY(z zZE=mBn7%5o_~>uSo5(Uqh*!tc$6j86)@Qk>5i)^;Z3 zuwf6IV@_QoqVvfbRz@K;)Gus1URJYeR1;P6amHJxYF^-qaq4Pfp&n$ zfm|6<*GEC$A^pqRgRDI(CuB_Ub%vrXPExgri^@*rX^@tNFA-CQYj7$oXve0bM6sig z(GQz>X*cqiZ*2Mp+{g)ed?Az5-;)2pMtV#@KRSz1?a%()3t#;Z%*!9HwIlLvLz0Hg z*W`ELQxa?*de}ZX{*3^WBs`m>;evK8Q`%B943Um!7(wy>u~J0T9eO~7+^@y9dwqNP z={d|uHp~clb5oKgG)gJ&@xmJ*HQk~cpu2#S?O7-y^8PKCN(ukPMcx-D*`Ekp{_@|z z3Bx0k+4yQ{Reh9l%LZuCOCCw(VmBS{wAm1jj^~a)+7;MzJh=6IUUqCcw%%z=ITx9Z z!(-T!)lM!nYgYiSXdu>xO~)-S+Ypw50ojwvV-t{<^#(0vf{%30_b)^4x0ZlB0x{J; zpIa+A^t=;-#s>;1!!8ZTGC+IwJ;-6oT=0CJz_!J`zBu?B)X4e1_U~T?ft|YFSRf+q z?5BBCx88aPD9}8plJwD&lr=6`cVZfl=SBR}m^2JFijnbN2WItE#SFHw0%g(U+!g(3 zvl8j{suMvxe_AnvUD2et!cd~!8CrVuy>!}ajnD}$2*``89bkL|zrhSv1NOCBX-c%a zkJcF$RJl~4&8jo#>r8}F7(p(gkK+mU!TID#giy7U&E=DT{Lg=_VbK~{7S=AqrsMjT zY+x+OIdAC&E3qf&>kOM?0=ae+lwSDZb|bf|x*z6B$Y+&Y@?^@>R3Z0Nh_-~HJr3|73ae#;}IPL!Y(j~}If(b1a zklwu6ruN0A|E=roh`KWth-eXc_&WiG%`rJ$HnfNwJ9VDVh2Xe37pVy@jcI8MqvO-H 
zeG7Nh$-hMiP2}gWg%4hYHxf2ql>Y>@@kH3H<^YGQ?iW#HwevqkR+EBcOTvIogiqhMr_&n8mhyJeo|Co|sE1wMK~P)E z^J;|j#6&>7;n8+2_c1{*S_Uf0QLKwHbw9R{ZP4ktINB60(GTEgT%1;-Gy1h@v>i=f z%(V1UU%bkDZ!&z+d~a|*_J_oXLg1q;Ah`1z$C<#z$#zUm;quSrtszT$on zZ6dez7XV>$Mx}_#5?4H(DbKs%_uv16Kux+e{uEY3S>zb%9II!^(GsC zFQE0&b5wP*Rj_A)c$pM2-&b;fll8NII*>;$)>M|v+VlA6#Z1q|?fy$;Cv~?h5)t08 zjg=4UCw!D#{~TjBv3+YtvljodNMr(F!C}=|bwdSNZU8uZF_F68SR|rONB(jViK?yZ^I1*C6p_)?H`zAW z&7IWMV#B@b5y*bF^$`)hEjke*HOD}I|NA3ctkNC7e?&y)Q~{g0t$N>Q9uX1g`Bf5< z^Hd3CR#n#|51{2Zs%&LeIo7+#!?j6@w~K9*QhJU?@^4TNHMokl2r^}I_G+&InBrXOeqb?d*B8NUolSq0P}Zc( z#HRa^evoqB`ADxf5|ah*>L*@amByw+z0M9|8DRZ+xSM*I;{|wpadKj!fU2Bx|3xLv zlRUn?qw+~n5O=Qo^F-6Om7*SOL#*Yzj z4-z$d*rhQR$2!$TosRod5joX9mzZT3<17bFBG9$fY@|gxOXd`S&l9biHNsT_%S6n|T+; zzQXC4|DjiH=)!>Y%Yd&^_prHK!5D?jVK4kWrE!)m>LrsSxbdb&c4Pe;>i%On*kkZ| zZ05b51-92se$cRfzZg=v!WmQ8Sb(Z-oC}0?%pwlNd^Ho2e|f!tssyDX7FX|J^eV{q zT=iTLSrf5dE<4$?Fr3W*u5u^&_~0kFAxywEY5POHv*2; z+qUJ-B9Nz7&4%VY7_dp3`h#3rCd2X=yEaKXi?dv6C8KOvZ(m(DG!oE{!YLSaPn->) zUf9gLO@_B7$l!8tqfzV%>&M>qmJMZ1@LfjTu8SH<=dYX`0S)b10}Y8lKvjoPELwN6 zDujhj-XL{;e(ZV$?mQ_lC_e?_~Z&@-AcA z4(W%g((VoGN56kLY*af-Vx5|UyrL$l(r^P~;AZfX&E2ZY2*_DQk#4^f`!^Fhvzf5& zEQ)lGQLkl>qPqpl9^EZMetok>7A=WA)D{=sr448a$k~F@Fj)xEmb$oh#M)?<{xx#& zq-qr|*M|0*78}T%F9pP!jE3bbr!LCYJB7=%;i>0R-9kz!DY&4Fi%I_0pV_5Nk+$3d zQsCW{B8Ql|l?hR!2sYhQuCpOSd|b&$Pb{aDZWh%(*z|uo+>SQewf@Eo**Ri{EJEO2 z+i*J~`)c7_@Z@l|R@7727$4S;fWEQ#N6H;!t)Cm#PtWFt^^2_!GZnoXpncxH)`lSA z_AsZ2rd0`Z0yAi@krYeYgeztMqZd#a3UR`M>+IRQMriDCtrtfGi;8z`C1!dJ$cnBqJZ8u zB8aNSRH$}o%XsQu!N@gj!qH}t)t$o3Fx($JAfmTzPDrZ%<^v)kbq9g(zwrR19Nzpu zis_53dfyiw5YepOxcpuQ8(JCtcvV=GAOFOoE@Q@oz+hpR5E7dy#EzhI)m zNvs#Us&eO2cl~`Zo7i+5rJzC*wr&0oN)>xbV(nUb*c|gX7?n3g$eexrMPxyzStXX{o3zrAbTbHtV+^=!PHnIEPHt13Rk!a zWwL{b>H3j>@sr16u(AI*i*v*Oz`uW$bCjT*OOyF8yBFw2J|y#RV(kCUpSTEh51GfL zNNg6!HNjM`^M12TJe)aw8Y!=13#S=x zBEdHWgbSLby4qC2w+FSX$ZBD}mex{iL)I#6=5-9?mXkbW;!;8J-QGQ#;Sumi?akR%UJEK zlIBwP_%gOiuCxxdIL0g#kubZ7qm2FTM;n?60aD$mJS!EKu~YA-?&mr8bw~XlEdaoK 
z_t~L#wC)j}D%$WLTmS;9szxS01Sdfcs}Eo^j}EmXGFXMt(aNyl-?jj(dIPSuBSNeB z{UU4(dwzk4s&csr{ts+3J!Lqmpw7LTH=4Aq4Pev##!x%rNyh4ja^u{H=_0a5Mg0?4 zr`8U^ru*0i8{%>6^HXK$T>y*y|IXPEb=(B%TF}X>d1$De34$(cjQMUpqXMGri<1Xq zYzZ7?ddec=7J4W)vSeK8{&YUb*1Mo&xb;-j&n}TRG~)jVE(T)5|I&OBk=T0z+7N4B zxxiAf;n+A|L?y99hWqvTK$g)^I|@m`cdGZe6YdWcEOBaXBP@&38;#PIcDmc& zgAiJA8yhBjNdF210+7AeTOUOatg8~|M9Dj5X3}g1?#`N{+{PbeOMeN$wKHaxZKS?(AP#R5AH9ey#ka5^*Uw;8A6!>#7#_sub zl7gJ4pJ1Y1m92s_tWVM^3F{{+eC=cn9A^1Pl!(aJN!{!36%p|!!KgPFwFKlrh{IfQ zIZ&$m0=)H$oxz3)Fr7tp?OK`=p*N}ntNi>J=;*y-N)O6m3n{=vWhX*p0h7~oQN~8L z9I9+qXmeN}wCxmUAx+sJl{oWSRb2M0Qc7lW3)a>WUUQJb)}FX*4M67 z6gP+y>f%z}2pd9$s#I48>6kwk5Gt%zA1b_Cdg5JnU9!SmI8my5lU*xP-2nli#6KZN z^Bsjw>50wY?%el@VZAw;Yq7AKwo%8Kc_K<|7Z7T3*zOaN057#TlJnU0U*NhOu73;H z`{DY3z=Gs&nqf#Fha_t=B`l#XNfm`F>53R@syaCb

bJBIY5Ca-r3B7nN&vmV2B0$bI%YWixzzW)%OTv zNo@Vf2J3y#ng+mU;}k1^NG41hZY7K3opkWa=_Ejv4Q4E78gGP2K_pM6iSH!qE8UNg zB_o;$B@oGl^o_G@=E&PKG%;b)Nk-yDRKI@DmIgqJoRMZ^;ze)e5GH@^D&2p+dKF`N z#uxNXn2!-l48vCmHKX8qvJ%t&I)30Zy6A{GFRnGf6Y%dX6b9$#8>AR$5pVzcs_)gLDnQCBrbY8_GSlKodGhvWN^M z(Ol3aST+zjkp!9Jax^KCp@bR_oN(-N?k0KhSJSByq+f9C3bpfaKgsJLlzZ+BeBua~ zw*<}44+p@SFc{4<(Op0q{(%jEKKO8O@Zsyhhhu{eCk7u*4?diw4=wVBGyu|#zS~Ut=ojZOcC?qb1lOM* z0RRWke$?h;9I({<7rc(K?Hue(6$aRWpaxV@cdWu|j3g{EHCohqYi{4dSU-I=sA|0Hgb#RH` z>z`yu!1Xo5f#u4r9MKom?GFPp0NTTsG1f+tf3tdtV)RA#A?;-{+bT6}H3{y&gz@ab zg94)Ke75*rYBg~A39a$&IEHd~F+|+VBxB3h{y!V&mjCl_8&}b*4u9`tvLK9cM6(9W zzKoKH#`^H=&j@qkw}+uJkx#M!UTTD@J@l3t;4okBUBw{xRv%M(;51*KvI+&ZqkXMtIW(UCX5Qg$lWTBcMP+DaoW%Bj$?X|4v~AEmOD6iBW`-ztg*(MiM+k5 z#l{n5*}X;6|IY+q88^m6k4`^)lOCNe+fI*8-|D+@bo$%v7<}YrM^(iADZj_i^%syvZpbIr-HNWa%+8ym;_k~Sp zKmA3A^yW>G4qI}oVUzn*jGLQc0U3S=bv&}GmrHp3wL^6|1Jx zXL*YS`Vhli2=f*TW|7W|N||xo>;?d?r~VBk)P(mt4^u#zlW(#>`>#9W*l>&Gz~A>E z4^_Xw`qahDM($!gN3vrxiSG1(jB!SHccVMUv z%NW2|`;6KTcm)BXvl2S*Mcu#B@?JH3x*R5A&0Im?Lwl+Jrt>lG^<+}$!^Vv=nqvwr zGJFkV()qFZ+H?KXh++)zr<3?Js1B>|C$SDpTJab)`ADRlC&Y2IfS%=cVSB8f`w_E= zj2H)eOv#P2r9pr{OfAmyz7Iu}lYpXnU6{lG;7caVN}J&|8=mvtTsP0{}3M2@J2U5=Mc*q-IGNW!4{9cKE6~p`!1J4HTRuA zQdc`oqvDuQGfTVLhjH{5)UukCft$3GeHiP1^qETaeH6$pMwPS;v=eXPNw;6&0Ib=O zm$($wBtDH|9@OSRyTqrw>a+)MKBmf182K*1*N;nJU|090@~dCv0Fd=mhz@!14oAD& z5tIAO{L6I!faoTMs5B{TZAucvVP{j|k~)Kk!*f#@kIJS%brH|x)h#y3eLTPBH`FpA z?IS=5_KZ2An;^5V=EOBKp=B8KU<|X`VAf&C^wimEXM(yyrgkP%muISVo1ppvE7lbY z0|lyI7@%4+$C0jUho}o3aD;zQ4RoYHosi;TjzV?9IFIT!iFMh6*V)6%TZxG4oFMS4 zK41aJFeQP3%sx^()azB}nMFs+^Q+&Z&%@1isbX!KKPoOY!0@3e6KS=XUtM7WK$K6K`Oxzw z(i0_&T7mPb2Zr-&=8+H7F(XB_!YmWgdPzWSA%-%>0Zyv5>9>h>GnrZ&l<`2oLQ2wE zcil{rs1{j7xydZm7BWy>Y;xD$Db~3`0lHG_24bC?G*GN_lNLs!bdehOV!nKG96AfTD^J!=57VhX zi;l^slLG0!q#w^AuP$dWhsepHH7AK=a)rtdzdTypx9FXItfQ7{CETxKw=@^S12egw!{xy;%A8Y{t z5SIEGWp|@h7oIkpUsF%LB&3ZL)qJzu!}Dw2p`h+}UxVnpQRsP6#sDo84;G5$fm;h@ z3e<8_sNMgd7kPyY)b3GNn5hR=dJgO*YiF^Lg6;o(jssrfq6>*pNQ_b}q=@R17Ex|A 
zL-jX|yY?v)$@&Mq4dtEY=uol-;u78B!zDhZRIFPL@@kg@v2Hn&SG$~XV0T?{u1Tsb z&NV^Y;v5Kc;k_R81ymPJF-JFD!?^AVCil9gHq60UW zph#YwL#z#$U?}Wo^Xh)Xh_wN8qS>Ms%@s0lYBp)%_uKxSPTD?K$ow}1;6%C6HG`=Y_q*I_+ABZA?~ANL#IK01!6 z#7UM2ZO7<1CcMwWB(w-gu=+Xrz4q>C12)g?z;Gi}B_Wd~3NVOCu#)AcE9<&2<@L@imd(cG6mrsuT-pB+7xchp%8P zZZcX$dMVw5G%D>=baQ2z5U~DAySxej-SR8#wbk@QJQ=F?{?}Nb=O}(5(|N3-fPQZd zm%A|Yq6F~cQvfdowBTahH>7)==_p&pOCljU1Q`Yec! zUw#j@jjtwbt%n)COOBYxZ@AVgjF3B69F8@2P>J--jV#a(+Txhsb|SS_5=IiO$7aiz zT;3uHw&c7D&Sx&shw|G_*p>|4Y6gJlB5As{MH14?0GNH${r^WHQr-DlEIp2WqlqBw zW9GvaZdor!StY9W$F9oExsNQ>>TDcsCn4)7B9DEVonURR7^{bqWc z8k4hjoWWr1XQ7{11V zyY!*cUI-+~!!BLpK!(=&rilV~mpFFKfvP=lf$IH>F~;+vweMs6Jwz8G{#t(k6p(;W zrD%PH)I4&LVAGb5Fax+rd#H>eC!;Qn`OK8?mY?C9L@Bz?8pqJtRAFwWE|7+dKS#|plj&rkKQUE1C95ME~N_2 zxYHa^3mG{+`b85zG)seBnZo5Ene5dK`x0!BnVlhaq>)v}I`kays)|^ZKccfZGNY!=uJ>LQ^ z>Y9!1o5&bctAs^LQM%7sYS^P|hbanpmEc#3#`vtI2JW|7B~&Rz8RUH{p6 zA0f}WL|ODMb+{!c5Jj3shT458kcVxh+6tlxSB}x_nPy7TR0aTF#%%bS_7}GqD3ux7 z&_s;mddylk8AE||7>fDb%|Y754wB>@YO&g!?prV$+xMK|K=pQG8;cJ%QKJfXx^ISK zm$Dp`LbWhmd%Yjy=wHd=;!3~CPW@>w>eg->8^@m4s30ygwDU(fTCftfK#`G*lDVhwO zZAj1{ea^OYhwTK-6c{vLVc*W`Ra=<_(H{%-)1d^bVJLwya^e$9~ zpP(E{hWKy=z9|2guZ7oGPd&&GD1eiJzCGnGW=GXNBz z@ASPlhH)5xz-WVlBUMVlX%@oWOQQFYi6H+n-DteO0?L&(=EX%&aodREawk-v4LWC7 z13Xlq6*`9oED*WV^+%xs^lvD`{0HR`OEa|kVHBI)vypu5L2dvQvll%_9<5MuSv|;Y z!}g%Y0gt*oo%#(w^bJ`;%+Tr12&9uVMkQ<3vH&{WnSAgGiWR*)9R!3M%^{=A?ue0j z`PT3_rVxS4td6k$D+(xx{^doNDCg{=#s{IW|D-7QV?H>9UMnk_tOO{#b&ic=iA<%f zqzTH5$xxlLr;EBnM%~^2Lc0wnOgXT!9B8-maU5+Pp!Y#Aw7)GF5wScpNKJvHj>74um?Xr2CA* z0__NAlsm~doxqOv`C5EP9Ak=Fm5V+z1FaLpu|B+864;d(5GkB@Yt;VemUZXSak?_6 zZ~Re(@JBDi5CMWi+gMr@1+zRfqd-|CSV_H~ zgX)w6b*#YyyH0XoW2iGQ0;;*Kbu7U4zkS1j=;JH^WWG$B=>K^z?0?8t?nPat*q%vN z%23#!T35&f+xp#~~y?y(o>^muG|9DAtAhUyh;g7XE0Ptn+|id(jm-SE??#Z12B1=zt}VWT>8+^@dRvtmXNJOls|U4^ zS$)}qMnR?0_PCmTMRSv+$Ym=~?xus%H;L|8XY}`CkJCcsZIAK*h4^o_YVTRhK>rdd zE|Os&3Cfk}wDQB2|AJJ0hLzv;U2;V#i5v;l+J&~m%{GeV>n%j zX=~}}EgK5+=#O+c@(bxu%}x2(Ogec+e=knlgg>v{J%nD2N<}WVBH#{n`WMqEs7^T> 
zVuAK#B5O;{9=b{-;%2R8f%d>nan>7gB8j{Grnu@Gae1V=1HCumfQ`o4UkUoqzMs=fR zt*OBO%=Nmwe;@g=U!4SiQprMIYP(*mckTcH^6s|lwTeAx1k`+&sMWrCMt~!x^;OZ3 zJ69S#zJ-D4crEw)^BmB|mIHtq9pPZR|17;#bsMEC9diB|P+4rHWBk!)3=E+OG)k$= zATe5YBJ?&Is^)&Ongt}n5!Px4$Y>yGNs%`FeFxS?Rsq0&I`OXaKXzDl`D@DlayH)T zQ@;<^oO|QP?*UVNAKU+Mlml`P4vdA0{joC~kRLMn?Zz4Op?}hm`M>dAtVluzkvkIi z5^u;Im0wf2gOo9+sYrXpLXFkoCT#!pVUF&EVYsPO`(TKfLXvAdpt}ci@OXwuEFtXA zDuQSLqCOup+h?AS?ce^3>OukDhf5*)+Gn0WCpz}FIG)o)54H`Ur;Ow{_7y_Ke)0eZ zN)uaZFLY3b8X&7n9hoOP$apvKo!kygR>nb`4YDFQI*ohM@W&4lns$j42-I-WI!O*XLjIHt%ZwYcM$s*>Ce%;#^2-T0Ji^u zWUpqMAv*4e5n=k(V;tBN!pk0lDwpc#fY;d(7%4VefHC-|1X&QhO4XY)*glt5?z9(m zd*mG)w!eRXNa8+osaC;J#Eb@phy%BIQP-zLO2hVc`bC#EDLIa-tAyK`m2UC_0;3^1 zu01-6D2}BEfXvq(=YBWuy$FA&zey<@ z|Aqq;w6D~-rR{cf(#@lUYcqKOLv^l@ZP=FjSh|;Kp08C*FayOeWY-K7&R|S@@J~qq zkmn?8V2CeezV>Dx#(IQ=m{}@ru35!`C{OVo{lZhe+X)S|i4)8qCJ7~0za6SmDp%3n z>s70$)W!Ao;*Y84#Oyu9qrn1HjZyp=JdVPq9%J{;SA35SBwWR9~_=2 zYO(JgT2$k`X23UWpuTJPhM-Uf08k~<&q&x>007e_GR=JOkOcrGD7;1sbF|M_7qi-* z&2fBltzWwLMy(Y|s3OwpGm5d7fh2(_qQ5cURQ14}65sH)uz@;4K51M$4h#`%PT|WK zOXwuYiy=gs@^%di5_ixkN1b<+qZSW~%5yPKZD(F3DQYR|;ZjCh1LBx(C>9nO7R9fT z+WqSu($Fg5dF{@4A|vg}ONO*zg|BIHwmHFA6v90w%}RJR_=q#opQzMxx2(k+U4%5EkW* zaq@|W%f*_=_N4MilzUP%+#bl^@=&$6RI{Ma5%#5)V*9sk91v%TvvFANN#)n%_G3&Z zWZ?f9ZFyxR9eE2O`WmXaf2n2xq_AJfZ5)W+Mp^pnLL2R6uP_^`_E)P};7fw&cqvJ? 
zs*M9A>m+{7iE9{_%T>Z`5XkbX?I;(1U>^tQ2iAb(RmZyq zKlt?K57yrF0k@Ctb(TQYzOIG^<@+_c!(7LjYJko z0jjlOCNqU^oMZ+-^L6*)n>M?Gx0?q``W?;F{`MM@XS9PJu40A{UNr%5V?Tfo{lkbc z@xjvxpNv+o`nI3}0JO)9dL3LbSg(D1$Wn1e8#`DlEkB0wP1_3#`T7s(w|UhA%lP1b zQ;$sRO!R$8;902Vj$3IssR$;rYL8u?!@oal1YNn-iwCcstXgSGH0bbEN;>~j(fjdW z>3_4)Mh<_GR1m7UwiT2iUb)X#*=J_nwp~cg*3wOs)xq0QH#(C06=soV;GSw zCZcMlW_y9wYysck7iPB@>#F&>qfTV_Pf;Wxty~_kCU&F)KhyUAgmSxO$xzK5xts<1 zZAwre>Q;A~Qxcx>KL*v@Ol_ZKM@-krAkQ^74i(Yh=Xehaht0<27ZVu>=8a_smMmZMDYK1&( zgwKW-5W$P1sAo?qUO{+*dcYCadDUU3-zE&w$fdAi9k0-YX{X8%}D$~B-5ZUU!P(& zZ0zX~PoN8`Q-&remEO()!>*cwm(COCMt|PdOVpJ?UF8}zc%&VvypZ`Lx}4&kd=tAE z3gzV)Ai#Q+=d5nUFO)!K9&m?Z{uhh`N^Jkz0WNW7X`!O?&wk)@h7bLkFg-)F^P)3@ z1c_FfDX5+Q4&NkW8|yy~7~5FetCupsU++~HG7vY3c(4A77-I#KKWnhmeP3{Z9$WZt zGvw^!3Fj{Bu9<+?Y?&k~tne=D_uOa>WxuTkj-EfwI84R%)omPQ*8eaiCTwUgSycIu zv9H3dKFk3*$E2@(*UAU$D5Z?`@Nauaxia&L5$6 zA4N5sOsO!Bz&Y`GHSiCjm`(Zz7Cm6c`6_LkOo9SVl4Qb{FXzlP`z6M+qYzk&{o4a?BzU&->Numai*(edk63$dEh)dLvUG*jO= z^SgVos8k6oRAy#~8zppJd(o2E!oIqn19}D8OX|T-tz$H_d#W5ULuocTWBWZjIZ;TQG$xmUaS+Tbow$DXm51& z;v2n2sqwo+JKnVgW=P6&nUWHi@NQmUGE|n+%`G0=SM4>1FDoevZBSXBo(Lb(c0GKt zO+uHX1kUs9T^u0eIwO#x1SZp% zOaj2G{3`F(-I*lnbtb)3y8~nFODDWVd`%lpUNY#*MvcK3BUiRqGvHn_3IuFETq4%= zuPY>yNT;AY|W|DhYe$8cIoRq&W zJit)^giMITPF7fX#mCe1J^i%88H8Il0|49(4Ar&5gB$>ovr5QVQR;TYsGT3-#!RW! 
zGI(`66!!BXZkC+c0v}WW0QzB1S#w_9hb$=y;#MLx4!w^2pm*liemJ#+rJiZ>YCohE z(*Kjl?_Txe;vg_?Xh`Z}laHfSo7a!AW0zWp_35Zs5GWR^S4j7nO11n%CDN5*L6Ccx z6}REA++k9SO<0bPe6h{fR}%fk3;;H(`Alsv$`G$|UD*$UnaSRcZ?p(NBqJ(-u;1btMbYezzkmqBS2~h2;XLyC<5v4eojUrN3L}CuQnf)TV%*4b4CnfYR zyel7h*IYvvr7ZeX?7?Aux8e5Um%6HNP^%0XKd+D%{Uhb*7EGjRP(z7n|wcGnK zW`-W<5$~1i3v(Ij3*}uh<~EDU+SPB<%e>4>KMl2$2^rPRK4v!h>cDprvuA1%L#jJ9{*p>j&^h?FBs$9{oUV)47Ki+&N4flUcp+mOqyB=dD+^Ju_|JyOcUg& z32uh!6O2^1Hqn2JF%gKf_DZ#0ArmqKkZHm8?$0DkV2{>)vh&q8nt0* zL$-wCB5n~8yTQ?py@J3a!r?r4XEcot7)i(`>>`^bqW~R*a+oz2UPFtoL1$~A%Mq5G zJr#F}e0@p~wLl!E=qUcR*$`b4lc#-%8&UDvZ2fC@2>b6Q>?Vbm#cKxWsHm{P7FQ-m z?YY|`niUmIMlL}@l@lCc-Rv7Ep|?SjzIWV^(r5_jNw=Cg&^6-;<%J2MPQLaCT`2mz z$_sfObOn7SS7rd^B|&jbQ&vvqgG86ZGcvsB1m3f3Bz9#uI#GpyDkme?wCJCxd)$Xm zV?;~$;2n;h$O-HH#c~PB<9C5pJY&MrhhSMuRQw--Jih*5WWb7NWcpK`hXO1*r2kKg zE0ZO>@-iyQNHj0h?r+7rQBj7zRw>HqZbPnV`x_mNs3=D%%62yThhXyT!}Ij<5FOWg zsA;W#sN92*YXa}q^x;Z{pj1xw;gV<-#(4Iib06{Pt?S+Zz=OJ}2aC_vZ2>@>=|(%n zViA3b8)rgZ>Varak@$pm>|8IF&@)yM?|`VugOa>xabds$(ZX~+8>-bbqq05p2-c}p zBttdL3Y}l+!=Q6#MG91lhXLqpqlopJAUc2fZ3#VVgKA|7Su=($GbI*6t+pFub=|&A z7|U_%OZWde{Kjeqs9QlJ_aCSdQs>1{-8g8pLgdPGg!NP^LtSp+fOhG-UhEqvx!Is$ z=BN3y0U+v6I%9wa-U^?6Cjt>xt5dFuQg>0MOawxB9Nli4tiXGIIr+{*mfpdh&gP0?P-TY`&BjXlP_7a(8M?!A`R$i}<}=NKXn?dmtBJN3qOX-a8y{sQ&D5vF*6~zQ_VP4DJG;i zru~uLSD0&bXr`uKN#N*xUxHu!iBWeetl0sm@v~uYb8-OE_N$c_pfaZi+mm*3K-cF` zG@Y9Qu>5hNephcS_>`R^HMVMkE zD`~3?RAdt4Yz~}vewf%?q7D#!ljmzKS}&#!5X)QgY-J3T!#3kdY@v4I(H1jROGSCw zDHB*s|!Mg5aP+v*b0W?>T_}ZubKYQ;VA4PR84xibb zO*SMjizK>gDxr=xQ?Vv3Xhw)+*jaei3>pozAx7lhV8oSHWOpGp0TL#wIT^>QAn2|4 z*6-EZudThcRvWB(bvKdxpb8dZF48ltj~R&&ALIj0exEAs3TzBK8NeZT>-&Kx z7vO9#=evP)`l(T_iiL@{*q)Ut7L;wRHQaiNgn?y7(N(d4m*XM9PI*=)Jl(B#3&~vi zQevS{OUl|B-M0u^b0EML76~ClyLzGM4rFcDsC8y&Vo{Lu6X*;7N z%k!EOsilVY&6g(}Ylq%6yBhLh7|k>A&TOL6inA|?qgvm z0PD{ngjg&*`Y}ZN>$7kir0sw!OY|7u?JJ|&7WSz|Wf^ms#C<}0?qp*DBC&x3*jJ`x z{Z;oPcj9MMaZ)yoYfkB4UzK+lYs!oV)gV_TeWl1p*8RjDc#&57g@z9RH%9XQ_&Vk4 zp(3LpN3ShIZ=y1Uq{A9_5Ni9ax#Qh_*aK#1c9=(2*56a4IF_8qZ7Yu92UJx)B5aIR 
zpHtZan4DkZI0?;Pmbefy)?B=(OZCR$n9x3dI+!ci34N@JVvt*GJvBzrQxr8!aK|o7 zKfrBnodWo9(6QKBJw}L8BZ|07A9R|PWAUR7YFI0HO`+2Ilj-`1LugsXTvD7u%Q~Ja zOp$eXm(bo1W{p^=VWRKPl(r8XrIr}rkAt4Y)_2Ej>F!}`k|gL6wpww^vv{-R9wP*I z4EGCL`{lzz^as=qtPu<2mPf%`*r`Lz^1Ug>e2-Z^q+k|DR>6-x!PsV1g6GFiNR@Q+ zItw~ZVo*w7M~-&$de-<8W{lD&nd48q?1^ToViA}VfBg$5dXr-s!l&>Ct%&};Q@}AZ zv?z0YrJPUihopaBO8-)$(0XWukN}>)v^dty>#lS=`p8w0p>9>2;bJGgRdGgfKj2S; zSAjWk;BhBfV%|n>>+c;1>1VGJ z9{mpoWg&h3;v-7@Ft3?2%kFR?eNa%%rF_u2SjD?FOlV!!ymT#2uegmROe$+i-n}6QbD;gp7sabk$fW=BuW7oxk`9m@fb0PAY+gt$YPuDCV+E zftr|0yJ&Zo1sqVGqME5Xt+@aXOe2TOUhPhadl>P-&e%oz4)Y zEo<#p<8u=UfxS?tibci!_$ZhYPZ~}}JsHfkX!bMK?RM$qFL4pSp^8OxCKcoMLIwY1 zrGn>&6?}VzBDCK=UBS06RE*m_3ckGx%!zf6IgzlHSA?y(cPMzirr@7IaI7lnrZc-S zl|Do0`kGu4|H$N0$;COT$2n&cOW#CAp%DE&M`?2=F`URKUulFYH1mOlfIrpnVQX26 z5bUdX`sxP&;$QIKd|;_6wBL&q{fuWdDEgV&2+R4ClOjZD_j5+5LeanUX!x+?qjli; zz)=yTs8aV3oyH%-nA@9>nSMZ?o~em zZZ~k-snvTTlm+JO2_TOpb3oo5$_8`xB#=khVg=rF@F)(G$uUFQXlEHRVc_+C2xtwgs4IY>0*yj zqM0gRl~rIgEN%5o$Du-8>9P0|X|?I}aYC4~L@m?WeFH*>tLwH~CD@nK<(rN`zZ&Vag~@lI`J`SO=m=Il+u2VCge+-RR zpCcMgR6{Ucr3!*sLGY9GmV)+Q>EmXq1K@`WvEnhB>1VCVbo!;;5=Sqa-e8S}anl>@ z{G-rvx1Dvnz^L#j_-|mW^cwYUD~|ytN5qQTP&~kKw7)t!*Of-mV^nx(Y3twuly;}g zq*ZaM==MiH7h1kZ7uJ`0P*M-N7gNp9m@QfvY>gvVq&Ikj9V7czukjSiC%B5kTc2Rr z7AM1&<~LZ@^d^KN)9ZwvHPN#AOLS!JI$>3xySt2GoBlj2Rwt}uC6Wql_S?#jmq`4M znLV>b>%b@>q(_K;I7Ub^i#@uDty9oJuJon>Lm}do*3ufufck#%&c~^=A$=wOrfl!^HidWT@PW{(NuF}Pe4hP!WI5(qu41P_%fQsc0>B;M^c8^|4^6O_w&bBzlR)mF{BNZ@?Rl#ig?fh@ zSC(mbg;=08oplS*y-X*yg!cCsFzb}zZHN!g2|CyU?*0>YTYsd4IBryZ3b;=dw$7fc z#~j#Krs6T{&*^e)R88R;%1)`G+sksX(OQ1V-iBAw-WrufEFyDR(`*NdeA1?h)2Q9h zbif$h`^-D};a#}0Oir=I)V`na$hv1Io7&`UddzL) zUaE0Nu&->^lyJ6&hpoBx%XBCHa-4NSG|Jg{nr2U!3b-edYX-Qc*%ORNwhfrX4P!Q% zlDw;5b=h7aSG@Xd$2HX7*vB>C;^S)XO#N4cE?5y{Oa(WJ9;+X02HC+Q^lq6OAuIbs zidi0n0-G)J*VK3rL|(Lx+jl$)JZ*jP*A!u1^{QCNB#Ke*33Am|>lY~kX6dq4Cj!bi zzGRWGF2%d38ah?qKNYK@)|B$BzG5?&rMFeF#pzA&pOXlasr4kh(*bd7PT+|*sG$>R zj?@jiPKv4Wka2xckO(5;FE#5UAs)8E#GVu-fj 
zCAKJwpLG_;6e$6Os$MUJnV*tXDxlvZYoB#$b3YR-Di&PZB&{7q{4QKJMj?v%!I zLf3m#tcf$M#h<5GYLpq8p^9bE7&Ssb!JRA=!JW%^lz5Yxr(E10-M21J#XZj|!=ozh zk^16;PKuSuOXixnA5i|Rm~#M^Kxn^-)InQ;T2-8Fk7;T0GCOier;3+}C8Ser6*Dxv zO!OM62=X?;{IkPeJTC~yG2s`Fuv23=p>iL_N1XcpOn64)hE$<_DJQg7ID~c-h=1;e z_yJEK>#u>V_W}cFw5ykiOWDF9iR1;E&oIY;HZV&sy@N;AzrUX%f#x%G2EwZYW|R<) zvAMDZ@}TgGPAVhK7nm|%da!~=)<3HHhQ(RqcT{#aS)u<60DRS0RYzXK0LUlV4qi6MyQxn6NoXRNxsyO15H?Vw1MsIC?HC^w6c^1!XKgGf zG{T~{ZZ4it)~1Rxe3Xs@B$l}GEFu2rKH(P+o*^Wa}covnO|2k%88-6pr>EE?ugaloS{l&4TgWR*j zscOAEpWxk;t*QRv&%0G|dOG@QVfvSCjo|peK@}%94;&ypWIJX_?K^_p-HhR+o4ZR0?ZgEA~cMEKrT< zq8}eJ8pSFleu!6%%6!FKI1??XC8|;Gowf&R_fYZc>as3hgrrY4zjq@lee-ES6Y( zX9zLEVhMLjF{6lW8~O5$1}{DV&nWmr^8xk@#})euxW0HIn}v`cQH8B;MR=uG#oKXt zfxI)6i_7!>%p|DP8&A2o?Zv%GuOjtGJ5}6U7f-lU?90auUTJ%fTRhL4et&$wyAFF) zc~@jn+D}b*yqdD3aJrwXAyB)G^(f>`H;UuJ){=N4TX2wgwku9QkQTZcWg z{&DBGSCdy$#Qgj;A<5s<4(-6HbNva~{Yn01LG9;Yy6&CL(lc$FC$x(NHkQp6nNKnc zg4@cM7^=8JlPw|24ui4Wl}4lJ)$n1pl^3l~=de}E6(IKs(fh^-(YO_2fhx4~qQCeE zJI#{#FoP{NTX&u&L@`^$7*&=-`Ksab!ZX0d@bLxa?2LFKTM@R-86T-4_kuvVH2x3XIwk z1k#foFdxepWSAEdw#soUTX>}#k78ee+!eYC`|{sl!x@Q>xVVuz%rTH$7tB&>l9D3D zq%J&C7q{5_N*#2tIOJuc#gm^-WN-)tvl&=cPy+HO+%`iMRfTEqA2|Q{v ziqmn3@eTTow98--rhWOeQ7W5qa9Es9XPbd7Bj{FYl01dT)5Z!hXMy?7@(BzZa>ls@ z>*23Q7)B_<)|)6o^xzY0TDs_@bce1RpA>&_uQWvGWvEVJ$L&i@o}Kn(h#la%lRuT> zQg>bas0;T=L%2NOMvP1wFYLD1wnzhQYmLJw_u`QY8;ggE&SAj0mgYNXQ$e?~*yOiu zxS+Y9b8)hewupxU&D}gTv*VTvH{?qll({N+%h*{$f*xgY(7iawspcKzJew4$7{Lq0 z8meS5uL|o|!*rtPBSRCZa4s2VQ4QxKfppCR}Bm*(l$T$fuf&r3ctv4AQW`o zt;k0d;kG03FEXI^2$<17q!YB11T*dqa>_jy&EnuG8^22ewR=>f+-5mkhl+Oq*B?Kc zt#K!Wtv3s=4C53I6)5shXbKMHzr%n%79VqQ$BR!TFIS}FiZq1B=q#$ZoT0RIJjgAn z!xQG2v)7RiB3Lo!$M80N#3?*Z<-LNtm0d(JZzuFhKg22ePKQ1+as51H;1E2c;!(gK zg4D6V-1OrmE`*YIP!UBTe*GzyCbPs~>R9oqT^9D`%N-%FpChDK$r{#Ed^m4>lpiI# zr4C%_4RTA8pHRuZz}&26P)>4|&hEoRSsdh)s`292vKiLs467n&c%fKgz5SJ)1+zw_ z97!`4QfS4EhI3MgO6Ch^_#>M{&(Co0`5E>~yQMvt67(kw=Ns}Vpz!v^Y<_bB(cZ9A z&D!SYVv2r@6ZBd_2-y}rvMxi>-^)y1Cq%DKAAR!LYlUIaV>QU> 
z^U4>9vFC@sO^hWSfu|`htyIX)uqz;MTNTytbTP4%;n)hXh>1^b8(YSxe4gs^!zAz4 z=WSiyL-OW4Z!c}sU$nGw|1)gshH26lu5Q2<1@9{E)niU(&!p})8njFleEKw#d=Y37eP4Oe)Swp@?W znp*@i6b1yf7w~qnGqM|u3J=H?-VhJC!uu+RdpebcfR6(nSyXA zgKjV%=CG5+YQYU&p`CXd<$QdDf5Z(&Lj{<(6U`_u z(~R1}VzMCG8+K9n=NQH&=4R2SUd^0m=%g#s_5gFN8aOuB%*llNd#UlFnZL`<5fIYH zGK5E2QBGm(ugb_y3v)5P-wj5{gR>bZ%!fI9j5(8x5FbD2=8ofX9(SvBgg%~&0Y^0M zn2L9(!q%zrqZB<)s`w)+h6Ma074KH1PnZy*b_EqdD*lATRGe)KA|Eduufswqvm_o_ zO$bR0P>7c|g46@@F3Jde75?HF8?Iky=lLK0?~Z*Qt16gU43r*G!8aplIWX?|0)VU{rcF^G;5~m0qDe_cCrfuH=m=n)!sA zqu}P}3R_oHdK5fBQ4}Ae_^HYt3HoH`dE``a2jEZBD5{TTg83Ss$?|opm7dFE`ruhT zHo@+xp|i*owlf&p!Nlx|;cLX~*1Ct9D~t|_bd4AcnM+byEF2Kuv;6|B}^l|)XwkmAB;{O$DPS8i@2#-VvA-YvY z=g5tHjR}KC2zTKQ{UEpNu--+rBH_{92qCf^%$F&tDU5^ST>}S;dvT}{q%Po21vzCg znDfShoKj=_=mL>M=L!FaS`oHL^4TJ(AuWZ8%HQ9UgRpQR!hU&=9#xGijSx@eO~3I#qsDdk@!wQo>-UxTmsIL}p<+vw4~C}DNyk^K(os6^ zLv`4Z6jkYYIxj zEB_a$ZH7ki1R732CRa9Vcw{ zVwNiP(m9-qwMwrou!TpSrwrq5gb-tg4W9S`_c%wqBi)l6A>9**5AsGizrcKqE8!5D zCv2@L_u$dAx-9Ps-N<+V9qC?%PkZ&TOiK6Vp37t1jEb4B^x&8t%TDvE`>1lUN7|+0 zk5#;vEh@~C`fNC<<(`Dd+2S^S$W6O8i}vvXW-Xj&Q3V&WDC4arChZubQg9;8sX|wL zU4$~Ol=vh1=5+a`k7zgMVeQ;>eK&r z{^;Da<-M7nw!`sJ7k9W0FZ6knlC)is{(=*9hUjb^mbR<-O7_lR3{u4#ncL)3_$|A_ zJ(Nv0q&cNNmPr|}`Ioq~z}Ei?sIu?$PUc6e$LMsT(D~ueRmf0;Jmj9`MZ? 
z-l-p24+DoFtKRKz>3uj)k7r`w_0*iO2aKCFxqH=)>jX`5`J>z3O(+|xAS^x>gs_YSEb)qfb{!# zM8Buifw=~{=1)g}M~h>ie-F_DfQP|cRUgb*eDdXB4&dR%Ctn8r-(O}GbNM>-DD2*^Dk%#R10MFIJEC@Wy*a3JqU=4f`% ztelL1+-tio#WlS19w&>AaeG&7RwwXc6GA>@NG= zU@Y<&<;$rFs4vMtNKd)foCwtBJf?B`$$l^vAuxdhyueL)Xf!6Y%*#Ni^izb;8kau8 zMe^&qef5X~y|xH}URy%{0sU8ol9QSm>QUGo%&baGp>>a}7aq}RhdR1_%PIZG4|tjn zAT$->%9W+>B7|0Zx_l3#Zr=(QE|O3;ZbUc!yC@DH!xt|@`S~9 zJ1-t}w{N+Fc6QLs`Bt)Ux)+zobr`;t-M-~cJ6soseJc~se|tT=T@Ut!6YIXUp0Hg( z*zm2O-C4{EEkHKqMci#XH+xWc^tWS#6!*@azB*I4t|#&2S1fH}aWC0{U!w-dY&U(A zMc)YRF>E};^eL+Kb3N=(`2Az)#U=_y(lZW5+nJt$_5U$AyM4ch6dobX@FSyvr*iVQvHK}u2)H{fzG%EQqZZC!|tQEl=2 z%H2{Nq!Ws?O*3EfJcy7Yf1nEU6Dm%Cyj>OM9tLLwY21(>TObdGvTrqW5y-nk9w8g# zu29ykW^M+^eaWM+MZ@uvFB%(Zdy1*%p;^9gVxi@OGlbYJQ2maz0`ics;ZJ7> z!F^IFO#5`XbV9?!8g~k_k|gg3EiRPU$yi7ia1pou0)38HTx?^38*mp$J3t@HUHxN* zb*u;FUci+eqcUv%JP+itRXmvdgmlNO{vo?RrFL+9uMr9Z-UZju%7#GRA#Aw%3?Whv z_Jsj2Vlz&;2}mbEAI)7e&+vso?gL?d2L&&f8!711zL+@<#?UB`CsKw6@^)dv<70&2 zIP=G}!37*;Pz@zugoX7rY#4!6v#co zh8rmnZ2`RNK#XShUXy6?`BYRRu(E!Oru_*$lX{EcrxnfAXnsmUxSnct)>XjuMZj2+>oSLd!L0 z2uUQ^VWFz?&aR6z^ZF&=M9RW(@pK0m^W1>vd-PdZYw`?dpjM3{jkCz0X8zQjSi>Wf z9JBrZtmj84u14Jc;?EN|WFXY-w9_=c#e}LklbgY#U`92`d-o9*7AQLELMZ4c?g#U& zcMw8LSUB@pdW@yv3}z}d3Co306MIRYWGFR>-R#W1{x0KAqCO(5vGfs6c=UA^m2i<8 zW-amvEe|s%Q$G^gc~46$aw(W|Ilz85rLkdX1?$SJN2mHLtw5v1Nb%i*t%<&;?_obJ$F{ils6a-|A-Kxw*B(Y zOqtPX&9pgXxN{DBeJvqG8SX5jL%bTyjW02`zg=k;y6aEb{-U?^zYyI(6_0)}pv><6g>^ifWDJ$(s%kkjMYddx8}s9;sB zQe;)E5jNydQ#`Kdjp8y#0Bd4J+6x>T{A0~_Xw{vyj4f@q=T>^9ARS^q%p3tjom5hEe`?`H`~e$?%B zUO4+{6{-T+D%xB2NRQfnD}ELQ-ICZ6e53%31}_+u70M=7SQ>-td>(N60H`SP0pQ9C zkbOnMhHEINk}FGu4OgC}yiMdH0##R?YrR(fS4>M)^fR0gJ;L13d_|y-knjYUoE^eJi`2EEvLd=Lx9f%(%|8is?K}vnL}Vx|}{GF*YK@2QN7zA9Ooi zOz{x)5iUFt%)DyJiG=nXNAgE$`q_4p5M`4+D6a!C@38S^cAcgbcF-ypx!FnsFZZna zRIg=5M`9rzn6F+RafItu%b>s2YWtA?f=%iI${Ue=yusqnwG#dy-LQ3%ki@S!grYG@ z3y~>cFKxjrUzHGj?ld9EQs9^!-0iEUM45b!76guIU|=#SWNf6$7X{ebleDu&E7Q@Q zx4&YCuc->#?PTZI41<{*M##eufr^t8z-@0j;0*r&WWOikNq4TCcCLSPT>Y%)0Izj7 
z&2}Im>YzP~rORD?lEqFk8ZO51gxXI0fF&V%|tZGJOuJas#> z&X+rN!e(iAjuH}dfcaJjLZ}+dnah5_Ba$~YUH`-Mbq3?lZ!`YfaDwt@o2}KbzB6Oj z*hpVP+;T83OxQ4;`^rowo}7mSPJ^m zLS!8rqCoK%pSqj5_kpa61(CUmvDWjZ-RFar^5+zZ#vaZCvs9CLWZnAjDHahrafn)) zS^8N{X!)DHAAc@0Mj`otIkHA>W?q-Y{YqO7-_je-Z|M)an8#>S>Z}m`kF;~h(jh{U z0+84rIgp1|_1j@MSjGo4Oo8^P#=`#Mg`(T)8z$uG;#l-ZB%g)ngjoy4f`~_()hL!k zvV`^rrvHJ9f8k_bwECtmh?4N-v=>Dh9@X%%1>BhR*L;)?+0J^;5kiKyoh5__EnhJa zRQkm=JhGPl4|}9Z7lrxNV7$zLXRIwGdH3pcu8xts8a?gCU8%e5Si86CU(eeZ&LDZ= z2IkLQ71(^inn?v1^9${@gCc7_BZX*8*c9tLw?9SSdci0JeAK#=g6pY2a1iZ}Tnt5}rig-Dt<~6gI`G@4CD5yb=}N7xotSgVEpye3ayEUdMvuxxlzG`I(&~KJC|t zJQOB5A_DzO&&2^$Jj^J>UjaU?nJE#ExqBKrqm4)2kBrg*I=q5 zZ7zUgZId*4FzjvV4d>DlJlS5KP5C(KY6X(q-^Btc7!7U>cagl*+Vh?JHx~TE^R)mP zH~idA9Y%Yw(N6Y!K`^+N{`>HkL4JvK=~O$7wPZB#!JldPV72vPI}0i6jmCtQzp+EP zrQyX+q>ub8avkWtil2cw^8<;+P_{nbY)7TZZd1h{=vMJ;j)l8^UE+~7|5qsjco57+ z@dlQHrK?5U!eqI*P|U3Wb7s55vm?Kr3OfM{{a?iXtL*=bisG1NYGQ?Es-i~n{Ec=R zIWS9qCGkifnGkuFod@w3F}Xy-JXXbg!`C=|U0~4r*&_BAQqpTaM5ZEyXN#m8`==YK zC_*g(>@Tt7xA+UJFJDX%qk)IoToE<{jv%XSr-Pz5YMOHc6&GVbx|(jeAv|Io-|Ik7 z%ZtGIDp*j?C05UO7%5Qo`m0_sl4)(p6q-*()}0_qZx3 zDw_$$+H^kwuPp%5ZB@OPqH?K#_KWt(ZT)Ts?Gv?3d=;SITY&UNF^3Z#{};sSyfCEl zqb%&rY!USC0&DLJDWVxaMS)F*D&}hV7}WyZ6om95hXO=Nd(Gz4i(Cpcdf_E`PposH zfY~VKYm{aVgj|RPVn@Sl!6blrF<}Q3W#V1KY~6%DhFVSJ-yuXmj73rIdvH47 z9*FOELwvBHc|Rfof@wpL)g!cThuVI~>iIJv1VQ{j4#fB8!nEy>)d$#LM%Xc?mRKa4 zRF+YmQ(2O9S$V%_hDHGxYuyw!B(Hy+i_Hkh>!DW^*r4A_u|IKyb#krSUwnk*{q|hB z=hwNAX0Wj=h<+}#yusEZc@gk2uve2+Yy~e_eDdW$ttxsb_5@58=fjT_=Bnmrr<8KB zzmWcVv446R7L-zEDuyPyWpGEX1wEF}P6_$lq|)6Ii)2uqSy{#y=H=^LC=q5x4oY^h z7Z(&sS4g3n25j|%*whQpVEZB|dIKkr%|S%F`s2p2O$q;CX-cVa^O zA`aq%ZXnx$>mxfNN12?us4I05I~Uc(-sOyo6*|6!i+NeX!*@{Hd9(ZqWUr;I5WOrU zFbg88;iFdnt0@xLhzJz8Ws^r3;}hUk%dC*Tu_O$d{S?HI$}$9v7-+ z4n&u)v9-XZgplMkqk%6zWyzP0=O8Zqi^!v712d2k!()UL$CP*2v7&d`f1zDtvF?R; zb}8IWh1(6Ko2aI8@Qvrtx4&lbmJg~z`-|f1$c}aRJLVX%#M*b35Jm0|PgdkEJ13dQ zBdhA!6lr=}{3n)-BciswF4~#@-xlw;QxIA&FuxJINYK3`u*G`vEFp}*8CPHw{*;DC z7+;7F=J2JK2aA*%zZn+$7_lq* 
zSf(Ou?gqVKIf`8EZz18Un%)-w#MUr!X>aIdaM=<|V&cm0E{-+5Elx}4j5h7dV8IeA z%YN@+@0IiKmGt|>zoppd>=VO&Z!l+x_39aW#GCAACG^?9rk_1#KV!)@arznC@b^!r zk5-T8e^KOSI-;3PZ?o~EE>&zq;VWoW53v~AN4r|Y9I6ys zwNIo-(yifR)_4Dn4FoCrnR=n+_tY-<1!hV8&)g@p{2RM}*uK}+i;8~c2I2Ah+5K3) z@aR2EBgi{C(}`}a<^RaC?!+MrUF~fT7 zId;HxX<|8BSDaZ+D~_7!qz!g1qK4%pkF!6RVBKYZusm@Su}?FTyf4mwAGagDhnHFAI2NJ-?BK1uxLd=jq%8nmCBwIT{E3^z2%yMjbzYLzzcyQy zI~^!^1HD;d-S{{K)u(|?whWbRePKcL^RP?l;zg8}sd|G4MJBR@caaR?&8yv^%fN^r zFdGW2&=vcL$3Ml3KzOq2>62DpKU_tTw}9lm8=_4<;DP9o$hBau5Q9c}A((j& zKH)^cNq~>BL@M$Fb|RHYtJy*4TJM7B=aC6U!*uJ-O;k#xxVkfzP8FVR5>OH8DrSyl9nb}Jg>t8%iTQU>Ggia6&AoO{moT&)c=p~ zccI{fd#oiC`@i8tEB^GH6YYg@xtJfLHTl^T3Bo29yLjN#wD?h% zf{){{_@&akpUj~eXK&!T{2u%fNINz8Q(;3CA!LRK{-}9u>|KP`)Hk0-ZiH6fT6Xh; z&M=*aF9GjqK1ebVYCbi!03m!F@b18MGkOBJ7azClS*4gu2tM9?n$c^F5BpC4hIA}PerawM!;Ofu}AVjL2qY1_$LyX zgb;nqxhA8`y>cvhqds@jLNnK?GH6LLI zqMuA2R9Yo}aj&m!`h>Zy)7=3QSLMG%hVUuih63D)wrVGstN4<8oRQgW)jXK1TqXDL zk)pP07nrLuO73w*#J1`TFjr-k+>;UUwpC|>xyoH~Pi7>it=bLds;rWG+~NCx>;Qa1 zllq%ebmVKUA-!Zf=rM;m+eBfkdaYpQ`Kajo-D=i$eY>aClhE1Pb$6B~kA)_+T~#tQ;s(+Uq$_y@@CjOv-8`-8 zGSaJ$PFv&F4?Fbj1Zb=?&y$rUPygi^qM(gcdYbKcU9h!VFlpVk)61P&ujCX@kBMyPIm;R1mr?TZP zY3RaO!Q*Lh)8>JGdgAKI_!H~M8A6^?3_sGi!K4d+tl`0Ee|R~Vz-jVeB->myxq0*` z?bZx^)VU_pT`>kvCa*JBoz+J#SzSO8VbxJ;1d@3380&scmqJkUQF@&`Sk_vE`-)G2 z)Ct_*%i0=eqO#W6#X!2`6Okd{dg{8-WCVK5Nyn^7g9`Sa%R}=2KdG+&|4yo9|A$on z52^m|N2-eyJQTpaRMSz7$$DqH3T4nYq)sfM~6q%M8TAw05#J~tOT z+9uG^w8Gi8Te(&kYrE6YT0z<>$C?f}h3F#)Ax-WSbiqm6ngV8s(?7r`RoiMNIn~x0 zw-ZQQ-X1w--bz4^^T720cU)+n4CX_$tu?nNE@L6f`U7~MhIfI)T#|pq^zAP5R!);X zk#`6iTBvc?mfh;sM>!$N)OE9x0}`VgLukK5le+{R90=*7b5`G>3hh_nUGaoN-=C?( zKXbzHt_8LGH0dMY;vlDl4fCjlD8~i8)PYd^uuH=OAa$x{HK)q^gbfAEfLy|HTk7 z`RTbd$N zWOIh(Z9@B`_+bYO_s93M@1*U_KV?+dFo{c}n~Rz5bh`8uCp>ZtA=Ea3f{gMzhG<-C z1xY-`_O4UHh7VC1;P12b*4>I(=>VyV(!y)>+sUn-wmZ1i3XW05WJg(R*y8}wp~wS~ zqpUF3mr&V(-;u;$&k~}vl~a7vN1fq`0s3B#ITFY07mk2g>9p~lB=)h7`Vv!E3I_^G zPjg2al8QVOzCM{~9;MJ+b2X4IbKwLbk#&}kU`iUPPF}0YotO9P2hQk+`Q+t*M}lYQ 
zV}V|srdO`us5DZoVD7G`?(VeXV|cj-a3`26E4q*)=%}`y-s(Vx zuYyIC$^z5%!#@#{^s~@Y^mbq?A;}x-O6OLy+r7^dlKfs>>Diki-|KQ_fEl_I9}Du; z)@@rIsJY?JpI22=bI^31KEP}OcXF~n`Z-(h`tBt>vhI5%MaDN=78b`8{Ey;OmFIFT zlf3)xbD?OgzRWiH&6z?Dk2YE#thIMcymTDv9!n80^ZxKQA-Ku|xWb*B0{VMi6(7W( z-lfzeG6*5XF}5hG)N}?fEsiZd`En=QhW*CkY||VR=8I#=n*pE3Um5FJ?Dh-_m;UGM z_*{`JVXG=;$QFy{^rXNe>&a+}1W8rW)#Y>~JHELl+kembHQ97juzxVI0>*qV)s&*K zaJ^=%DY(s?{zDBvSOCWQLQS?pSCPCQ-{(R`#0&bpg)C%ksbeyatj={Ql3WrnBb>F& zU@K9D8aJfLgDm)pHz5BtnG=xT3uOn)-24l&Cw!#ggC}1E!(TYJi!Vg5F_~|y&$U+m zl118QM&g5|PGo(xo{i|78&xIX0jrD+U-V-=QlF2St|3fasC6BOBEEidz|GtF5%X3%f`M}Q9c>i+cMQtso@Msj> z)=iJ4h_z``ibP`(*^c~w>|Ph!BJ%*=V`Yumi9Z1E!8Kxm+PX~iU{w^!hY+{sz!s7h zTjoMWqnJbT+V5poZv2Ur`dsI(f-IJz}+P8f86V0 zAsa7c5wDh5GwsMXB(L>e7Zul?iz@H1awy$LW8s@%BN&x#w&>6w&Ixk(*b>W02uWTd zyz?V^TRr><)Sj~P9!uG^%)QrzlFlHx`)Rh#YP%H#DCy98U#C5yy@?4ecHqM@wpgaV ziH6Af1<}vLe89*R0atoyZGB)oPzcc@kvt6_1+%n$5|4^w#Ye1r8dD@G)ABRG@D&6w zFDAba!aLW2*-!!asC7F|5u?EaIHBQ#@RT+Aj}Fx3MDR33kA(kdGsqn3o0)t#N3&xHcMV{o{Q)6df|2`P5S@*k;Uh^V{J`{}6UCzXn5Z{&)mTW(5)fE&!U9LeMV*SLGqL%>H#B>?w81x01%mY|m)VNT(xSHi7B-*(nN{RY}TsT_AU@nha(hdnoS?Wr94!xbYkR{J^~r z|MZ_$azUNr1*$tmi|23#)5?+@5jd#Y-u?4&b)GJR39p9T_L(!Yee4qsmZwIK-gb<3n1*8-7(-R}V`X+^cY965SX1={stUOO!tXc{)bbnH&Iy<^|2Tn1$?t+W^Uw6+axiDUM=v~J&YbW+ofNIjnd>Jo zgzcDMFM@u!(1nth2A$QXI^7X|R}z2xj=vls>rT_=`reC1EL5=(7ucu)`1l3bQH2}D zoNxMbjXH%#{sSS@bjyvA*-h&>K5}E*5(k*2H4}K$blSCMF5asO?LTvZxtiApx!If_ zTmH*G?@RiNKG#3vl;-!41EJ)4pvwLFW_i`0Zha*3BmH3>G5zU=2|TjCw>Cu#CC7Nk zts4L2Q4J;6%txwmzgIOL$_H+T{+T1W0GdZ}=l@;9=nGEta*11o!c$8Q|2vJz3v8ija6muTESe=_rXla)AXE7${{dtP8pxSfI z+&|?bJ07uDKQO4sXH=|;xr(sh3|=UDgjYtPmROH(ND-};igqI`di}+*z!s=wo*1Kk z`Mq_;AfM38oQ(6w0o;u4Gnio;?N3#+K%MzPGAVWfzL3CVlsZWoH~6I$-(((yE;V+tOFTEY@dz22N6#iY15 zutky22#=?j|46StdP;cwAhjkIA^kKLxw6jiBSk;z0DYUIj>Z4&K?o)OlSO)5O@M4` z8YM!@A1D@$jzuV7+ub}$xTtN_-qAGr?&`I5rKi#A3Aiuls@4ZNs+tem_k6WJ=uBQ) zS9;98cUJ3znaNA*NL}&!$Vn&H3l7WoO zNR4(Bmmmlj+zld*>>k&2E362U?aWHi_IiQ9o^$r<**%MwUES41mvwQHkOW*W7*|A4 
z2=@w2h=NWs1XAy(o}O?~&->#KGF@F=)m2^fJm2T3=Mr@p?eYRUBPto~qZR~dGB{y( zJgMcbn~Or$EwNy%X9gU0Js>*VaGvvq_6+0D4E{dh&C;$=X;S~t&a7)&@mY{2mj7_xs>S-6@4ITO7yVE3Z?da=+l+8I}JCEMB>~@4`j$$lPMx&+166G4ijtC5qqrmLb z6WbnuxnHFeEv2e5p0!YCFJ5l&W>h)`Z}=L!*|Ysg_UH#Lw4kYJu0zG% z{=$R4lk&3?zYF;}p~pz8M?uJi*w`0cU?eGK>#j@>VmmbP+LIKrp8fn9!LavlBJ>2? z-s=R=xtx~%ZO%nndYQ?_8DbR&zHqXUd@F!3vG5IkHv*F|F}Yp{)aOsI|15IStLN2| zYW$xI1t%ZT#Ga0&c(9(B?pVonTCSji86L!awPGgCX%Tv)e=sUN#$NiGbFz`dlR75m zG&}61L+E0jUe1l9l3X`dLjCFSoz|X$)^4aw=eQS*EESEcC-HrHwv$i&wVIR@6WV$P z2{_!{$on|g3mhwne@1Ud=*{5m2+3jA@diTZZBfh~5@=$*KVdzCzTkW*&7XNOFNX~c z|5H4qS^;CG8?l3HT_~~J~;2hvnf=o+gYQK$enUYz0WqwBVpwM$P4TTxTC@Fr?(byJ|Ivk1OH;hDvWb#@ z8{AWA($B;GBP%ZL0!(rc6wUmaG48d0KuD~c#dk!GP zdxSTW+Ve0mzyHphYj4hmv&MpNCO*GJ1MtteVEuPB_pP6Yk)Qk9whgRAz`{?c=>^BG z9_fNjbV=OpuZUG#>hYktkU0H2B5=dDiO{2L>0}pDtBaS<$7r)eo3)`1M08sI-Fq&y zzQaNY`SVv>(&oLJRV{Np8a1pyxgDehWvgIA;X^sq-=@_=a0Vpi2E$QAePzZ;{dOQpPug;oh3=DdcVv+viXc#w7m zjiVkdORNa?&S)39(^9^Q7-b652eadf3sqQ}(i5Q}rKf^^6_xzFiha5&#iK6q>w{HJ zQu1)0pb#!?VwC&a{K>`a#g!=@j(2KT$Zt$l{G2^J`Xbi$b9T)5u08TUcYMblxf>8F zsem~zBvxRh%fWHEw~K)ht9WVvqs8}hH2e*rXZ(o;O|$0{%a?gCM*igNsB1Czy*5`! 
z#e?9v0pCk!4i71WSj&|hQraYd{pSMMT%GNE1focRN>ihsg6e>*3EP_3%u$Gna)-4V9m6!S*ti7IG*#9Xn8i+?ps(CWZ8 zNs!WKDlv+>7jxem6;S$?v#p18i1dtji{e*09MUrB zS{JfrOQgDum}MW4IM?&zLIAb?N3bUR?6q!0K2R!iwfCDiVQFhf$rymZj6OQUpIpG^?R25FAth7ZqA8ig z3WO2B-;+N{aetC*Vt-nZf;`C?+eW}7?Tn?q11|jRcCdsIw2siTetuWfRmFXKz6bk4 z@ZuDAqXivPm#6srrb{`>cT971)nZoun3!Mu$vm;fn}}6xb2n10Y7e1Z{sg;iyx=7d zl?&!_iu=%=7)5239>0gsQ)m7FMz+7d1Kbl-YwULJMr*wr`Yf{{F6RUV4cZ=cQNUUOoyOGi3)~+R1anWQqT5~nAig}+Xlr*2wBPd0| zWLTbEeXu;gAXZ=&47#}HYln9K{Z@=j-N zW|Y?@SB@gpJJ+c>8Ff2X<~JP6G!Cu_S)MFrdpRzKA9$+I zjUsYnw`hMy7^7f)M-1kla0*=uxR+|pneficnK`z}I zj{ogtaQ2C#{c!eMT4O>FL5ya$XRHea1$g~zwgX;?IgJ=iUbg0e6esoI8WXt_qsWGE zyi+eArklhQS{^YT_d+B!4YT8mQ((*|Hs1j5yYfzq)YA4xa0NYP53iudh&fe>OlY~y zT2+j=?{$aE9=fF^RE)AKtfdm6r=pTd4=rZ%>QY=SZPy10CN_u|(~ulr&N;VnRGM$Q z{E2TX`;X2_E3Yq1!MuyxkXXe(Jt8Cv+C_|$%PyOQ`Thjkr?}91QjOciD_cvNk;8&z zV&O%jJt$(F^hT&hNj7E5b%P{?=pM&5`JduHqrFHQM)yXugNuzrg~nNFcxUa=Btpn& z&Wlp-hFs;ZQ%U8E5IKEeFUQN*085ZWcWVgFUnW^!P>S(h>MVLcz))J(qT#Is=~bMzfd1liIM@^vT*OVg-su13UO!a}0|K z-5+vV>6qn0=z@~}-~H5l{I{6q8V}O1C3H7zk*jWZOx@Q*9z;zkh?q}!S?g*ST5t4n zZK!>Xc}u}1E;IW&!0|-9nHBiiSwVK#>SZZT_d|1|!mvq*iE{-^cIksRd$ha2HN(H> z1ui3`%_P<;C5P^>JuEKS%oQ#qzOon_IqQaaB!bl38^p*Smc-lVVdRCgwp>9`jQdmE zJ`K4-A-(b?J8C^7_1HfCLIzFMnmqih8}*-~eLd%{h`C7diVp?;bg^lZ^%3%x8mYW4 zsU3kd05{$4I5O^Taev=-`S%g4IP;(&MuN%Rf3-lR_#wfE;`=mri+eJ$Ld{6E#@6+5 z?(bC1@x+?%HH-7+fxuirnMx0;^pJ5(VvB$2LQyH6m@kKzAXI`%=>NW$D*XZnrXSr! 
z%vs)$Sr|0VaorO#e=s6sF7pJ9^KkW0VF(TZ#DvfG#uFy~-Q5`JQ#O0_yv<&%Bve{G zLeB`5K2)ep3ek=bJw)g!Q1}l@34-k|$H*SMIq%}6PFa$k)C);K?KVp6o*?}p*#@ylQ1hI}fXu>F1JJ;QY5l9TGr8HHT zlN4g%o1gWdig>3ghnPycSp7d-s6O5)uN7M|>`(glsaD{D*%+lAV*A7gTb<&xF`ifn zP6n|bq_~zzei4yc?9pNs5040_^@YDpu)N&hTF)@jz`TSv+NYxYUSg_>mmW}QAA9Vq zgw~5?^*<3aN4(3>Za3=wNTmW)_`2PQ?kDk`L=N|eE%{CWBiq{=QapkV0+G|?Z%|ir zmEvLkfiCAb?Jjd9uEZ#w)H7p;C4GkN=kM#jWRpvuDz3*wvlesT7y()el1(0cRI*9Z zv!HOGfJld3_Pzy#b}hV@kHs@Ef?ODvtjLc(|3B1T{sen-Buw}=0;xWlR7(*+3o&J@ z3*Ba}8sqiv6DVQ1Qosgnb)o*WbeE;y_r~{W3)7K=zn5(MUOwX z|CjDjX;=52;Yp*##s1pIdB+bySGv94I4T8=BN8zeodhB_I^-Nurc-2aUxo9YCkxmB z(dK&l({D@856-w;a(4E+^_d6whd>{9f9`R3kxIM3JGcCsYNis&$&ITzNjdYJSz}+1 za3OhX`w-e(GlQ6mlsxg0`2s0?l|IT`J`-4kxAr}R@|;7MYmcPw&7SEv;4<~@6sNXv z#wBk(>aD@lHvZ)z)%c5BF_O0)&Lgz3!dl*poE)UV4HI^e>Rl1D@?$VF^%_0W>bHy@ zmo_L!KMU3#fwXonb-a!cN;bKGEL{^ylchj8MiFo$)szDE+fR|R`9^^55{yY+S2l}< z^WmqE-fFE&NFQ4d%Qd6AA?mz7Y_m%n0%y;}3Ur+TmiW;3Q(WG9cyP^-%`VWW*=O8{ z{jNI2jemLRiLA!hA(wVVvdN=m8An~3C!Wx9F21XlOU&hpH|#%RSB3pYL_-l%M>W$N zU6W@~8sW002U9$<5q#EuH4USvXF-&cO;zmB4_#u89dEX2VT|mdgm$wfi~5~nHnO)D zibll9f%~!pCnbk`hGfznF~eXBFp^9QDPC=8M4%8sS-L_Pbu4#))god#%iyxLl^Xz6 zomemZQ4NAsO=jlAjBhC2ChohabX)OlgN=|v#FCotYzqRhPry-m*=!ZyL_(zvDs5CP zRawT~84mJ(NLjYv9`WKhR)WO5;|&3~gPMu4O1Tf|*?`6%9hO>M{M!)dM1FeOjk=pN z0l8i&A=KUM5g&F8v5H^V3#Wn4K#f9CI+ik{-AhA?N6)b_5c9CV)4qaO#jBjk&z^=g z@WA2}7q4-3zflq$A=s}HbnxnIfin(t{0htzRw=WIRs7qb9>JeQg-x*;NcZ^n**UE9 z@1T`FW6g(;H(Rj2sj(SIo66e$?m`f|9RNaCj} zFmlUv{{m?`>kcD?=wAAf zD5mcROFz+DOjYp&c_LW4L;mSc`^EgJGca=EcbOrjFjkVS-yJl=2t1W{$WP0HuC_T> zPfX#7;Iz=kp4DBVDeD%gbcbw!FEwuzRf1;dVIgxSaVzj@m!qxtNwIS_dbH0;cri6(s!9pnD}=zZAa4|{zntck1st+! z{zrK_>c!G>j5-daPiXSk8tihQNs$9hE?|+`wL0=0Vbo#hw>>GpdzdqBz7cS`K| z7jMES*u7m)53LX)fe4B2N@4}9-5$jLG&jZJ1c2RrXNpJpLLqqEVJ+`O5%Y(L#5=V? 
zu_w?(J&W*WL5OXazq7)u5KU%7pqWfKhf$S+pz*G&BED0u`x=Z>KM;k2@cb$%USr~P zj8w5|1h2Hp2Cb9pc4{}pQd8u3gW#g;)IpNbQ4~vM$xptTE^zf1{6-YSRt<6^M^+43 zE=94FbqiLaKGIT6(%B>o&`CbELH8 zk#{1cyZc*feB>=cKT&D&%01O{abFg0liF3J*A}4qY5lDWv_zV!iY_j;Wg(^M4 zeOYCWwN|E~D$BS%3M>$a6*v(G+5L`tQe35{*prWfan0UzR*X~ZrIjh}bPF#P?A|T_ zhIXZ&t2D`d*;55Nf|H^@opdAi*xe~EXkuJI5~G*Pbsxik$Nu`H+ld52%D_yH7(M0k zlg~h8nU|FUSS}zw`kwSVTM#0;_j)w1HDaOB$2BAZSLO?`3iKTF3|I%Z&P(wS?fIxZn6+Izlhxv$M68D-`_%;(p%XZ% z;(6s586`vY5+P;!6H#{+1vAtGHw!@AKJXDC%MXnmc{}QBJ%WFsC1qSue=NmSGxvKzLD=w2 zft#%2cRSpWtU34gpyLeeyII^Y1J#o-;=aHQ7$xznAVx7ceh_j>5Hm1N)NQL`YZMnE zrmw(x!aoUGd|tHpte8=B1AO0!n3rR;BJ(tnuT9uKLK}^CiF|m1WHpMS#?$ir1Tk@2 zIYy`DD*W8%VEEzG-|_AG@0^zB?>sG6?Kmyx`TqI23oVted#6U!o|Li&o|YHA13!tp zmCraW4+;r+Gb&ZFwlOYrTFw*j*bKxcI{IYt9I=YCJKX41X(1nb=k*s%q~`_iR;}Xp zT|&rHtsi-VmBF`=3!%Al{sB=vYELrs4eqzciNpFkCYC>|DgKQ?2sJ~$X#BTd!^1Y>JlNUm#?5Q+v=%B#3GP^E#I#9 z`AaSo+0YS!dRh9F#PVe^xA>UbJ^*zdn{tlxj;r8)wtf|{e5a1XeLa1D;5p74+HprO z8gf3S~ z?ArwCh2Q1&bfYIjFLkKT^7lQ6WmPytseo9%6|F$4h!xnj8VJ*$zL(-}qH=^jYR|$W zreh>nYe$}=Vj#7>5aA$`y|)mEM%RKAkJMMtQ)=m9O{vX29>7Af7aS;3doEq~cTU|V zQFmiBn^?uA=Qv-?{^v(2&i+~B$fYHO;y(!aG0wHC%;M(*7&RQrs68fLh5c<|iu;qB z*dG?9xGh9G*J_W$C&i=XCa!UwljytO^M zCZqO!!58GM?E~Pq=;n@vDIS%oHnG4W;I7&d6Auqyv{}*@B)7W+J*B52a%g*0T1@0u zzTm!>CIee8BbKHRFdX=B3MkdrKJP+E2sWTUpDdbx0lmt(KB!|YIA-DNo^Xax4ye$? 
zuL5vLI;QO7P5j&Rb;!Pdb754vm&hSID*5>WBERxA_uVrYaK_3H)12mtv*0SQ5=^N| zI>x&Y(*8!csuby;+b>6@E4L=bFx|pzV%Mcj!a%0i6ki%X| z00?b3^Ls}zSlX^ngtX2oJ*3iOD(zMUz-5gPC)h#Is+rbnG(})pMMbpz)+W$Q}a=junCTOtF3RVz1q-(s_7-pL1Wv4bGB0 zbe{95wAjCo`_5dShLd9ZuxV1?H*zU5(nLghLlOf!oP89d?D}$xdtOrjXV4p zRajHEM~vx6zecqtpZ^yyrrl@UPB!abOu{I#p(1`nA0SrI;@eU@>^}l)ts;Iz`yL1f zGq1xaQeP48)MvxBF$trNzqtrF6aVPS%dVqJyv*$5*6yYe>lh zk=qN*6-*wul)P?{nutcUpb7iTgAllX9H^lMyqV2dbLxX0P~mKCz<9MXfuW zTJgC~Ew3P|^TB|86Zh?$2EKz7p#SJSis7l zyrJ3X$$xZoxUN$hnN}$Kn)|>CV?ev3Gr3j4$S#cLFCbR#i_R@qyBketg!-a}qNJ@I zxi5Gf1P+{pw5TJ3!uiGP>(gfqqEn+M`x_lrI;}o`!0GVgG036Z;eY@AVkPN|uOk=})j5+%6R4 z&Gn=j7Yp*!8I(hvV&_(v(^Yfw&QU^e8T;2!*a6W`125ui@V#jfO2;bYb|s+)Sk7-; zC{ho*`|M~T!tR9=i%sm%e8Cd;6Du%eKWxj!N>Lzo3=34IxIh-c4I#0^zZ{JbPv}{& ze{Q=~NT0{eO2}3|mHTcVgHebcXYc=7U}qZ}XLI#I(BXfM#^^cYEZ0xk6OFUk`f%gC zr03I0B}b*lqPdH?uk~t-Oy`<@!hLUEjgh^*BF;4e4eS{YtVVW1XZ>UxMr`%>U5<|8 zEx5Ph2w39K{p`l?rP3j`emW^Fs;?B}%$Sa}fr2QBUvhkFpYy#pfAf1kr2uP!DD{`w z3Y)&GZ@>tS4&!aw07zHZz_N+dYU0H=VKf$?VUI)vOyrJ3I{VR3mowLa>uz(Sg|Ohp zHWXr%Rv@0AlaBlP9Wh^3YY7;+bKjn^K)418u-*_#@fQ5M>oJn-YfXIgMvOKWYU7N+ z#_J)Ff2HEpvk3J)bv;IQ9x3%1*JGq*`uBBAg_EcDEMhKFNDUT$O3aW_c!_yN$i%a+ z$EXzFdOb#~Z|qm|luQ8L7lS90_{TS5i^2YxWj!$wBR@WVxX&t_3#jJ zZ`+6c%p?!K{*9v@gNp<9Xt7f8bAF82Z~Hjsxlj7B;ATW>;=aeO#mIgio_KcxM)nXB zFY^mQ{tw0C3&)mO zHR91<6k$j{CT~5QUE?Lj*ma^UdF$Z;aC@b=LU}0JfM=xB&e&M3ktB5ik?IV5jA?5&ZBRm^?>nnm`?InL!RfzPhPh|N4DIpNc` zNNIBUf7%{FWO%S>N@yjqlF9lFgeOAuREU1LE-!ZWN7|sru8y4zYdNvA_v^#Tw=A+< z{+)y;VkJo5AEaLg>HGFSBJ`wxUnFg}m&bk8<1lFatwnChK5jiOsn#kbkIh%bDpcuV zh$|=Lm?sfJ;kr)UPiQyz5_8|UagO7$30L1Afe~46tHion3YBzdL)N+pZz6QJyd{G+ z#1r~4yJ+35QdzZjTUn7laNVsggB6u!KIS3T-7b}KFmGX3-sggCoF{Kd*#Cs#idobK zw73fiZ-V2~a9vW%XmMwY=1nZyhz?AEU|vZq-^#ba$@yzy6`%gZ-EUm@Eep#CJpvY%Dm}=?op%=S zig7r-tOT%&C$z!h^CzUbJ8E!5+dg0LjnbZ z7U_&FA>*)1wZ?{bxRKE-4c})R&Q5=Dt)1=#gIm!m_vKuPk$vQH5#_u5rRv%o&|1hc z*NG2_Kf2ZtPzqxu_k$*B?lzCu@Bi4HHt1#OoP_Fag;+k-xpm(*Px{u;UJ2EAH-jAO zHjeg2dB4v{A^YKfJ64=mTqEGTvi;(*>9`+WJT|4wSfb>h2Idlb2+mK7H@Tc_zyeR7 
zg`-3~`C0)y?w8|U2_e-gw!U(M!y$X`bU(#)aC7Ae2@v*wNeDrX2$i0ypk2XrnRN;6 zj`XW~%L+A5S(ZLM!duI-^g|G8Greu{*!9!}Vbe7wPo-aWpP_q*6?pt(H=3~PIRVIi zH(XHeKKmsBu&z!CC+YL?uAF85J?)zl{ zhKP)LD(w=bQpdVMEfScI=B=$%MzE7ly3o2xWds4kRjFs~Ab6wQ9i4qb_9;`?#xf9b za=`4=^eChhZ}efL4;I^M)u^;JR?at$JU;~_99Ztdi2JHW0rCJ}wWtTN%CZ!AS~81C zC^iETbDmenB;ID{ugi`~^XqnMgZznDsz}d{{X|0Y25^y&%|QC7ImCR-OK2}l_RGuM zh|Rw(#arAGp)ZarI+Nl?~B*0;DNmJ1g%z3K4(mj*id z?x34&73bhMq=8hZDc;!hDt#ca0=IqykoVWqQxHw0B$@}QFb??J&b*{r%ay#S7wX@m z(ylWv2|)1E=UtGhE$mN3T`KKZ00?vORT%Ld+D!uSFVN*d|$ee6P6>>&l%+N0|{94@?oLlI^z{Yd&Ol$d-w2f zMAQ5~1J6jB=T*tRnFwalOUyOiX!Zi``&j{YY$NNPh0+QpFks>-b6?5Tg3UeTZE>UT z3OsYq@QZ+lw5qMXCbJA(R-clAB21Luvy$jfeWjs{6RJ9!R{sB*+G+u^r%rC2jd zATCQ6TO^<_XG6pWTW|lBsp2!gbRjO0YK>JNfZl#89)R9%b$Yv=82I^XL~jo`Fo&I|)-0P5yKyR9CIPEXE5<}i0 zc3ZkjvR*YG@^atsk#JldDQ$*Se_l9TdEh)W((%8LUF#f{kAF`n?E z)eVAb)(2A@NM^(#8gspl;r%KXXUBqRB1*g1_H$0xZ^7R#2<@}r5~)VDCPxNN(69YdvMsz=ib58fd zY^wAW`*HvGXGeOSaeW3Q2iS9P@L+FRKzHJv@%zd?VPUOx9bFT$=&!I#|pt>IsB#2Nmh7lwaluQS@Hz$Ndw z5u2VaxQAE){{S~)lhXx+Sb~|;{Vc50a2#B<2}x~;79Dp z02iXIdvz(+K_># z5=A%)AKQ6*SrhYB`~`5@|T$CcMG6iIMP<(jNT)d}aMEVg_Ey z#)#c|OiD)zTS%xahO?o@g(4e*u`&f|qr_hOuNoI3>toZ9kf;&iO`=e|mAwm;U(*UO zvR@%qmABtT@GkMhCe{bJ9H$}u_(Fd|eAcKmzsbaN#$aT$OZpAvvA!%l(>UH^&GI&t z$NIc_2LC{gw2I%k+OSyQjxiXy^Z~}P1nnu0^~E%|HA`xWO7t`_b3e<%sEUt0>bpF+ z{F!g-MTmvRKIjOYdF;8zUHuX14uBK&u$^wiPJnfG)z-XmDDC}LWI0}Wq#ExXhQXiY zqWn1Tg!_X081^Uqoghy1t-VBS94jH@-xv0$b*)=+FbdWOjq_ZtJBASIZsIaRdLE%& z)@vvaAvR`OO7LHKOEV2AIrLK^b%fSV2pZ?J^<1k)5~Rc>CjCWIQ*uI-gWp1MQ>b*6 z;;r$-_vs$qWIt!s@Ff1?YO#f*@#Ko7^ow;NjLHf%Z&{Y+;qTigLe^^0Scvw8CiJpb z`e5;L-}xaJg=in}2O^yc`#JaheE>#uPejOJIpZUxJLEb+_=ED6q7dZ~o?zF(E7(U` zq-^IEVZ>}fALku63uLxW%LdOiHmlD`?7)imNgy!6jQOrh@!%He65;AK(W1Pqk5%lG zP;g#^cEhK=n6R%um{@si#$=IJipsJc^S6YQAt=b-ix{n5vEih!KN(ykDrFGf z8r&igtN4dUU5JIK3z2$Th6lp_WK;?+ie}$StdUdy>_LR?RcT)c*7YC(dRI>~dLGrr zuesXj`LQ-`%@syZwU%l0{7BEUv1mdfX5d*LM)n5Qtw1`tMfTRl31Dr+KrJ-_MWhxhv->VIw5blnb1ne!#e1~ 
zvDSa~KmHDKH1y-wy3CN09|Rk5z1dEH&4cK+;9|FI&Or%uTtB*^^P$?illsP3*+YX@?D#>9hq=C$y2GtSHD^xvy#n25WRMnJ0uw_6y=y zc?InfEy7{r_=q_}EIaNi8sZ3`<0GZ5y5sRUatKCtQG|9@#5=X|=>c!{VzkNNTpMQa zY%SB7TX%%N$9;MpM)pVSx(jdS*&{hI1+G@~YP4`?kB0;|-ndM0gs( ze0wDHz5cj(_m56-?z?#~cwzi(h8w|o-VZV{n%~i0ni355U&J_>m)7*A1`1Fj+9Qp& zla0|VC3H9Uy)h6Y>W(K?jwU9)c9>%F5i1v8qE)s9k z1{1oQSOK2vaJWMm7$x!TBb`GMfmva#ub<@HZpy&O#FIhf)G{`^^gMekv2OhWaf8b1O%!qb%IA=)sqiJf{~LLu|vypVZcewcQL=~26o`<}@V z+=TmL7^C0@?nB~w6Zfsi#3;Bi-l^p}r}6r29gg{L@rp(_3ej#y%Cm~U50}T+vrNu; zR#UjNPa8z6;@MEl*?WDWlvu^LHo8%`^rSxAzS^G*(c|osKF-&NOHV@es~SZ0F4hRu z!2_NJr#i=rA$qJeq~w<)1d*W9}?c=%|Di+(Vm;c9+p3g@+#r)*eCaoCj;SXBWZ|>hOf1|Fuh$d{JH- zQt~~82ql{eHBZoZSCY3L_O^zU!cGYxwYvBU8KasZ;M=rK6fsf`*rpK9%-{wgR`K1h zNr*l0nuP2O?wf)kqZxt!L)$saq!->E6{SKB-!NEZW36e z(+}Y+C#Co7Cf&<@+uRtDO`_NHrcJAUN#`8pq2gG#S0F z)q})W1#gdkx)ED4A;lxsqGkjkO!N^dt?q$%IuG@z)Mjs9m*Qj-s~w%T!}zNVEa0RQ05I9z90FsL;ULHA{+hqT%s+pPSWVN| zJ=a|@D!FPj97B?g?D4A|S{kY6zK^ppQt2ec&Qz(Qg#DeyDrE%HZxy?1yb!#c1J^%$ zVTP}Btc}E+zvThlZJt0a7cChaJW)Re&W`Lm(sp8t!2r$4%N&?n32*q3KOMydw%$hW zbGyOV;KDQWU2{A~hBRS+}h6B6I41wv*}3D&lY_JXxNV8Njn zeJ*_@F|%T&Q*>WwT~G?wCA5LTSkDwaBev3oG#5_@UbQuz)ZG&rpKF5XIjyAOxVz&D z!L%+UkB)O~344-rPQTv7c7yk!*i`YI+U@3#mD*!4j6Udfe7sXDBBtLsFKLCb=~MJ8 z%h#=z%ImmxMR|-*(Q{&}T}T^fd*YqCm+t0`gywu9X4U=^S>Jz-1b#WebSjqr+bkz~ z-(vRTNzQqc1@?H$yo5HXbi9e@4Z&zELNOG|YS)HvAIGpbhnOLykj^Z$i?}bx1uJ-z zpwwR%La6l?+&T~=$-j^L-p|Ace0rTHMmT>Iu|i591DY99?jv+&k%{fWU}`<>5nImKKE8h8y-iUssZJ6rHxnVWfRFvz zx&B}!cbOxf1)zGJYF;C6Jv_4J`k5l+_b-*V9?pLx4}t!m`W@-W~QQFHP3V#8P`q`3|=o+RYkzIS-j*f0`#4OLK@GHI5c)!!K;S-y)xYfE`ha8pp;dc<2(CjJa3W=(m`h^Ryw zj%E4V2<@(7;Vwxq?8$Gq5!q;GlMnld6?ntvwD62*L28Y6%5_Z=LS~IZthba`5JGHb zkz)(KrQe!!NeZ0kzYqmx4XGDpvr`^qK3*v`hiH39I&ZX>2b0@l+T?gb8$$blKmTis z8*$&bln2>!=~=U8Hn9SK-QsjVNR-ZqC$s`~ZaQ@L;)U+M?(rad3_CL2h0MoiM>er{ zrn`_z&k`%J`a-2$Jsu=An=_TM=vA?T3K7zWnR6DIHS>uTxIf*^i=wIP(-ZXg_!?hS z^0!s7iKk#@hHOdC3>7moE&a@+(6V@D1hF13s+q=p4{;Att+$ka2!uGYN~N4UODvxZ z16(SBX$7$YckgyunA+n(A**b>y`1}E=LAp64Q69RCf;5|Y8wnULaMdGLuymE{OSwz 
zSibY{Cx3Gu?(X&=`?_d0v1aF2LCot)!3~RCj_ZoW3Q!#Fn<$P&-XbsG>uA@lLVaGdJ} zmyD;E!+3DWT%{BV!7JJ$di}_Yk=Rz+;t)+;HcHtUWiZW%i$b)ASibrH{T<`X3L3{F zQK)8sgYK!FXfif=PvH?e%BdO!h z@X?R>_W{KHanb{d&L75B44I-UrY|oWqwYqR5V8ly4!QI}u@(79%Uo)#$e*Hn$a;H5 zIws1)L)eYJbPO97_ocYMO{LvrBb$;0S2leB*mAAt^B{XiOL>75#eT;~?5W){-^Mrje>^~CrcbZtw!svxU2_fw9k~u-D9~dn?PAw=Lq2DSItskEz# zz48_3&QG$Qm43zfMhG5}KD#9JfIrDjpHD}By7Rn8e3y!Nr#3Z2+asos7vuZ1t74BA zfL!yqm;0_g4^nWDZ|At!FE)f@lfTi4~}LMQpn(PkRvA1V%uy8AuyTtl|$pbs_G{ zP6>jo<%4Tn;0#=3w&2ljj3jyM;j3zH6LMQ@`j7Oi7M$b82-ziqN-2X=+~{$w$%rRb z7TRMC<~DjeKX73za)4epZe#v?L1X~~Bcr})P#koHj7sLb94>$C3 zZWqw~@DZSC@vA1qdAw79SKfvnl+t+QGPAYkPkYeCb()UPkc1GJgm!~Y<|9&jvgey( zAalGBCoKm}+}b4&s*0HSgy57A<%Oz>cU`%=tVX|z&<|8A&~-p;`^i-YB*Z2ikWe&l zVaNLjp)$W-=;Si60y7Unots4+F6!hj?08Ysx&C6EQBIwqqK@1yp=ja4j-QD-#rnwp zI#H+2585TfibS3Ah4%erH|Tdd`n`dNBxKFxfvemIJ%*D_qqICYpTFg0P=|b(pW<}y zn>!Ff4Ypgg0#6^3P{Roqu_kvMl+c7-v`#sK5V8leYliiQ1FPPp(o_87tq4g%A`!Io zUz5e6Uvoh7sWeHfK*3bElke+4@>1L$BjgtGXpnzmt-4ZTg(F3`q7;m|1{S2aKq0x{ zcSHp+cKJI63}N4dA)kE#FhqPM@|`#&eUw4Ii9U#lOU`>xYe<>eju48iaNnR85DQ`q z6(^qSKfQS6Jqg)^h*kXdg`!`+=NxGKuE*o(|I!Dac+|i84?f**i@6Bn=3TGcanD*Ou%(~Y%OX#8=Sd2GXSd~^Yed2IRePX{VpICwJKe-Xp zed%ujRC#T;$59SHj}TfnTWUclcD7K>s!DCLBufmm7sd$I0woYNDL zjm9CVBA(Q)rvPZ?+^!)yE{({4{ zcG>Vge0%U-XorbmI3xNz=|Mr>+JQKSFMfq{WT6iZ(X%1YB(}WZM(o^Ru^_naBjydn z3LJ%o*|EWn64;rzt^bgaU3y_uY~nfY_z`J^#2n(NC3mFXXu9oj+{f-sdXVjbM$$o5 z<@opdz6(LsoN^Gd`WTweJckl2qdnNe_x# zr1_Z5#$r;!{?1^Ppy{Bv-_PW$1hopw;ZqmMcl)>FzW=-v2AOwpkWIl#Lc3uXvEdZK z!r%P$B?}+3{T}cSCgwDH%9$s}FMJxyADD7N{q+Z|-RDH65%Wg7FKkbiSc{x!+;?2k zvX({6nQ*+1+2fuRm$wuVD^UHk2XWu~XB^0QOx{8~#PU7&7Z-|^JWR~T^FpSwPOe)A zez{z0CWe46+qQBUA%BwPFM}YkdFkuOM&?@PLR&ePMR9>YNg57KiZmQ6Bn|D}$kn^y z&RE1{6v=8~yB~n33!v1WB=u~&D4{3*&N&x%3Q5DE9MW(wU*3`+SHGiXeL=DsZ5Jp` z<#;i8FB~K0v{2S5?pxUbSimc0sy8Ra9Wx@B^tr?eO!%W4^+$&N<~riOMUWi9IZ1_Z zg#(C%&;PI6DHOoy0I__5p9=^C@y3ep`MC$N4Lcp$brgX5h$fP@soe3uZe+aYVXq3J zzP`J8k`p;0?Ns?;7Fc%C1J1dtmdkxlo$xqjQ}&>=(?>4%jr!90EW_<=?)$+PVt6ZZ 
z0a?a7#EaOu#!;7!Sz??ErGqeE&XWh)o(rbr^N8hp)%r%XwWQ@ib7-#;fF84G22N270Hx zRHc1P{+VF(0)GF0l)Vdd6h-zwUft6ZCLy5*q#-I`Tsuluz|2ZCBN<8K1Z%LPQQ<4k zphi(gc74#zLtcZOS<~rlT_ikwt?O%LeXRJ{h^R0jB;lb5C=U&W00DYvLJ(v!Atd!b zRo#<>$Ntaxos)CYQ+@kZb#>LPd#mpK+%gvpK!JKxP>#}a64VCq<}5td><6S6QRhhsg&mYx%WG*k~1Bd)TAd;|O{1Z=dAd7B3z?lFUmyeM7;edUK4 zD@HYE`@2|j37Tp~ej&lD5+bmjV!uENaA!E+%f+9Mn1GU4lGtO@yRVkU8@@{BH=k1qcQ6$f6&tF6 z#o#BinCUv&WHATg<&ui&+(glrokjtQqjdNO3^KqR7v?);a(PK`LS?8@ls0Bcb)^e%?j=1Tt(t0bbPoe6|tY zL|L2olP762d3PxHA+pZ16@ETDlq=!?9>l$iS1g_T^;n)$f9bC@&4x&m~elQ?K&)-WWZwCX`JkcBM+Xm zh#NxsP8xtG)uCnvuL-*EgH{?C1y|suZ#v@Io5*A-T|$J<@Vd7gR(hb%F?nQNi0FbX z>je@d+;D}v)SQiL-qx=TVPoU1 z1S}H(n?Pj0zVbwjwaIOWqyl<^v`9(~(#51DR1;Rutm}`D;hviBGIBnn67cOyP5?Im zP)X&%1=q@nbf|L~Dsz$hM}{SYTd^_35QJN(=bZYd0~iCUDX^NBra;}-^iM2nZo#XV zg#o0HG_1 z6QrQ-n^)!l;rfYc1A8}tPf0##ZH3|&ykMqJY$7u~J);{lpt{YZytrmwI-oZLO{9Uh}u`7Aa+g zXP3Z!5^4Qysi1BSpel2n@b~VpH|2yo;f3ulzsVC3^a(pc=aT0<8XQq<=QexmxUFtm zp3up)1pow7ip?QGSFsT4$d@L2kLts2C-Tf|O5ADI z?GV*tYbY!P5SMX)0p`)f1LrUEz!`RO*8>dVS{iyjaG4tVTQbHIu`1Yr>5u*YRB%N% zIfJ;rV{#)w-gz1J?3Z2iG~yn-fc<6ZH}s^>?xw#?Q`kzI7F8q8+1-@Ok*@DS`pd7~ zq+MatKXthl`pa)2#F20+m7ek0Vzu`iq zfI1f`#ae4M%~tlOO-GQKEU=X^QO|j&lmUXeS5#Z?U@K?(0OAG^@yd-Zr-7JtN>H2O zDya8=Ug=5kN)U z`=ai9LBYMBlU0hH0RLZiJfi1JmmMKFT@w zoMhbnc}YON3hHU8uQ@;hDZl1bvZx6(R+Y)O5VPV?=NRRJZ{fnvp78wq1f!-T{;_An1oA%)HL%d zVjkh41a)7I^}6>_Z79f03s`Ab1$8FR6sRNlfI6Oc6{rjNL7`F4u@w;kPbHb4Ph8>! 
z@!_wQ7evBIqgyAP0QKP$-loC*P#<*rrFmN5+Kh~hxgcZi+&Vwsf397eDtZsIr5|A> zm#ys2>*E^L9ZFmAoIYjad6u|&M4u;#h12GUY~@y1BI*EAQFIXMKJ66;Ad#kj!xzO+ z_m$xbZ2Xqu3lZwR5Wctr>b?c|;x?%J=Hd&Fy0hxILuu@VtLR%5O;Qf^QX<((RkpG* zyUfq`FBAEGW#joP%wACU-SCP782fv-p#a(xy$f9~t60T;(k&TXqK$ON{UPT6y*s3U zP|omB_x-ra0hGqYd5fjtc^R{Nm-+1;F^4FPi%G+w&g4VNC@-RCXrOF7-+zYc=ldBR ztEuK^m$vgn{YC9OpE$hBzBKjdRNfU@2!Ql7fwTEVRF4_YoI^3ce&ZV zfb9$2$jKaMfLVTN(vXo>yR)rTNh5Sn$ptc1eV-lu`x{mUwOnKQcpB@xs?Wd$*ersY z^QR~SYMpOH89qIROQLd_R9 z7z={*J#yf6?_T^ZPOe1UhF^#efxpK#LI?nPq~#YDjx72k^zK{egjv;QF##n059Xvc zOh#P)deXXwYn=}n44}+OYe^m;{Uc(q!f^ef8=$uuKa@7lUMNnn${iUf}>n5{g?mNz6s6vF~Tg2xhu~383-^@=>V^ zp&LlrsJX`81Q*?d8$&q)-Wn;@xEi8(&t~VKwA&(3BUO&bFAPG?2t8w#iW!}^B%~0KrxDwJ)^7SDfE(dJ*S`u2| zi&EH7so8^v-}GY)prS4cfEjhpBK!jsc$)m9GW#530IReBvMD38MBDbn5SMg}0cHkU znUiHL{I`5!LE!xzk1*wAHsZd(!%=hYKFR<;HkD6e%ev~I6H=Q4>JLyWa-$*_)Y85< z$^emSQ|6@uX`Xg3qdC`MV+b2~IeQimpQqdYj&1Lmg8{pK8w!pPrWbloN>>VOV({#lBXFmg?47&87_X2zzeK1>**ebXv3nA2 z5cdPg%+vsNU&|3Z#jg1gx7fMr42h_=(vhpqe;*-z`hWAuO#X100~A5s`OXmr6xBMv zI>LabYMpD2FyPkiWD5&;C_EtQBA+kfG9&y21;mn^y$zO7CEN0k61NLcA0B^>%m=nI zU2QxY}Q3hLZ{pJPCIf4YntVKww^ z{F|Z6oP&;#q%XF+FlQaY=-kI2)4&rm#@pvNg<7I>E~}Am7101LW7i!?A>?69{uhfuZ@fmo>;TX9gUSLv8%TXc6&W{l zQUIl4dV6j_+2o4G3GB@R-VN|N znJ*U`s|lTSE!mHQYJ;)TDsYpBNL*Y%+2l4CcM;6)L69FHZbH$25;#*!NtKq8mE`r- zIKow>1Nm0C(#W@-y3X3QQyYw%tb%?$>me>j9MpYGFR)29AdyzQ0GcdAyn&Ja|n;AvKTqYp8bz2jT+cLy+5v|>T;e6^Z9f7c<#&KFAKMIv+5 zAqE&X#;qXpq&6%Pd?PRewsevM0OR+QG>ftb}A%m}C_iy`^}aoZXhtWw{u#=}T@STTC#CCw>fD-Gzk#m9s9+Yej=u#g9)l;zbH&{}G zIg~WRtUcs0PXwyJ-K{f!60?32)w(kuK+S&wLUkvufI0(THXdw6D41d$%KX-VNAMpH z&ms$(?|ZECX}*(N@UqwVW0z(*{u%}tdrrj>yWaUq0|QKleSS9ag7dTO zKahp&@&D-vq30~n6HD@?I0EnO=t2)52Bz`pM|geA{Bkd29a-N%&;vrFE$NV>JAl#q zY#c$g(}=S)5SIIIoXNYb1NFQ0k%tMybRVcYnGYNwpqz9C)Fgtw*gzbwj1M5$TWr9V zYB(YvHFo|UN6Hae#MQ_ybr2u@gd8HAwLKHx0~YQ8L7X%md)LNhlM1kQItq)RvmLlS z2Lyd8Pa$sM9tH^BUuD`;e+OHccSC+DlAU77VUvYg&fLwom&a{mfO$ex&zK()6&LEh zk4!oddE0**W1-02yvI7_BF89qzeZVLbO9~zB%b#}AgaOExOW)8*bLV%?&U$o6R%Og 
z(_G+bGLIPFzC&62_;Nq|2-;@!evJYFg+B?*O+-mG@^Hf~uZX(c4A2-}8_zRnvv-Gd zwV;bUC3wG=Y0nn&9%9MC{8A*TW>PT4uO6JPiaZ0goPX8fH=4VZ0h-7&V#&eiBM70y z5r)h|ZSdjU#N|=$<7qbYt?fu-8}Wz6tvhKNP(9;m?wKg{D#V@KnmC4VA?_>OVGTiQ zn)$QZVkoat;C@dGs_ns)$;N%e5rsSYGXs>{fOG|(8CdT8xi4Pme~Xj&x6tSt@n9sI z)}CFSnBnf|=nE z0R+7Ol{1dKx$Fx?6aaY-6ZHN$L-HnC;5+OKUXoe6Bd>rh-2s4=;Y~40@;LT|Ayy8h z87cT#RFy2!T%=nBcKz&Alu7+WD|G=Z$+A0$$V4GUD*?d?s;M z+2o#9ZJU;t@$ET^xFfh$jp0wTeH|pJBGjBe?_oe4_yeY_a{yoiR9w*50ajz(Q>rgU z7`?=AE$FaL>aN?#02E5k&(Q!x|3L$SQ$egaq5MuNFH=qnW==Pz#N#OXR~nCe`7x+n0ri=D zHUa#9h6bRVE{#Zcih7XBn<{(C$546Mvb%hYjgH$#)PuC?$}3?@AGMM0+c@K* zfvC;ov)Rfx;s$TWOaF26b1bx?SCa#SY54Zgf^r!Yl*Xj-_D<@zf5rB^{)4qAof<$j zs0MQ!YVHt1oqv?c)q5dfhGt<=!g!(k-(jL12g@d`5=qDVJeRMV4j%7~1*R2YsxJ?+Fy2FO=iF*+ZIiTYh(#!*0@%EzNe@rcXXtjiQs;?Bhn z=nEND;?s@%GjXJi=hH=Rd{#2lQ{4gY4`yn>TQ{qBKu;YAy_-o&6SWhnbx_?IQ0vaT zt44L1hE!F4xi`NoFI$%#wbaa7#y!)dJrPkO059o_?Ev8DOe5fzrhZ;MRu*8fTzhVsqiTqGA z330!Zwa(8E74^AP^o9cfVda8kxi_Rp#Fum zzo+|7ku)i?bz>RSN_lLdLa(29%cTj&75vl1hMz%pAi$n##&XcAAnm>2eS4f$CYFnW?^c@4HM00;9%kz}# z37&|pp*|dBz`absqnY0l@Y<>t%#H;>dIw2hYdtnnox` zXsA2?yqQGnH5??`Tp|zom@2yg4}He~qh%=tY!nruBVk2Ab{Z-B;|S`-F3YdcxDM-P zsW^k&_|b2K$zf(bUCoS^n{fz^j>4aTNKa- zk+kBdiwNB;|n}ZqCULu^A4hn8aocf5f(KW z2a?vC&Fpup}2(^agETr ziLzX`Fo%N?%N22iyfQSO0`k)CmwSGSu)NEWwMX{o=TFdJ!u>?wyVQqC__v)ZjjXe? 
z>TED>sOS6?vOpMyin_#S8_V9LfT#^`+s=?-x^yc8h$fm9#6>1FCcR#$Wkpb zs}Ppdi)t*OE!ZDN+@y`TJqrOK_tLG@HrXKp%=gEiabH3`=iOBfK=L_hwG6=v8-Xh< zM%>q%v78O49fdaz;}Ms)nE?gflLhRUvt4**QZH{cJ7%A`t-#Y1u9tcX>V5%zCpiSF zK{YM)4(d5$RylyE4}W8^11N_nfh}n8G@oYOGkF*Lz?K>8P0?plPqS``PoKfwbjnPc z!QSNO)1U3{R}ZSch-wQ~@?QFujFF^pvz%dGuNP1x!5PV)c$%F=l$)B<>_k8BHs1@T zOgGGyI5HYqu%&RZwEieUq;-C`fAdB5@$eaBVE!*C4hz^O1CN41b$)&jR_KiKHz>>X zt7?%0+siL(X25b|OmiF&7z@?Ur%L?@!C&8`fsxf5M_3!XTOW3~(88-{OV5EWiFR#} z64hhHc$$1)OT3rnUA4ZFV67iR+_?={He&*#@kAUgBM=#Q9=sAEo@U{{lJsB_Kd~?z zTeQI5_`RNN;1YHA`lL1#SOGO>{&z&xm7Rs**gU5(U@xAx$UkZUKWNtV*6=*7HVCNB zc&0s$a1|pW48T0p14eUm9GO4b+tdTJ1$-)@HpbedjtB$n9qxYW0Z$BZRTiwh@$3mq z5x{ozOU-c!)p|PC0tW2 z1BB&JpSe5XH7g~26PQrxDv7w|otP!;6XFfi>1K1z8xfY6}wJ ziaWe`-C0NlRv0y28q^km;c%JgJu~ZyL}bJ}3y4Hh4#ts~b!KfRUU$9wo^8~zncEJl zjya6I(KrdHf~vm;Kos%rd-iv80&Ynf@$Y2APZF4LsQcbu@o@j zRu+blG>9M`u1|6SVBAzd1Grq>hpI(&K@Ex9J7$!YQvlCf`$P7%Vkfdk(ZE~Hj;$6d zjAFVCtwh|YDh8qFL$xndv&}CPUei{7sr3R4fYIxC+)ASuJ03@V)$pr_ zlt#CxFW7Cxy)9RcqzK;qv$6x)t?F^8`$}gxfRMmn5h*;??w*hPSU{UB@VdLcVt~2L zKq>`DXoiinC_9ZIKgChd0o5~;p`LTid=e-B4N;fUNVa>#J@7RH%rkgpXCK%CwNa