From f62454df8d43782bbe0c3a6e3ac8b8d9c9bf7798 Mon Sep 17 00:00:00 2001 From: Robert Brennan Date: Mon, 14 Dec 2020 10:09:55 -0500 Subject: [PATCH 01/26] Bump version to 2.0.0 (#450) * bump version * regenerate deployment files * bump to 2.0 * revert webhook.yaml --- README.md | 2 +- docs-md/changelog.md | 4 +++- main.go | 2 +- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 9479b65df..926360974 100644 --- a/README.md +++ b/README.md @@ -3,7 +3,7 @@

Best Practices for Kubernetes Workload Configuration

- + diff --git a/docs-md/changelog.md b/docs-md/changelog.md index 2000eacbe..85cf8d62d 100644 --- a/docs-md/changelog.md +++ b/docs-md/changelog.md @@ -1,8 +1,10 @@ --- sidebarDepth: 0 --- -## Upcoming +## 2.0.0 * Standardize categories of checks into Security, Reliability, and Efficiency +* Changes to the dashboard UI +* Update controller-runtime ## 1.2.1 * Update date on dashboard footer diff --git a/main.go b/main.go index 315c98325..97c3d11e5 100644 --- a/main.go +++ b/main.go @@ -20,7 +20,7 @@ import ( const ( // Version represents the current release version of Polaris - Version = "1.2.1" + Version = "2.0.0" ) func main() { From e4656bcae81b8c6d9fc1892a72823f096257ac7e Mon Sep 17 00:00:00 2001 From: Robert Brennan Date: Mon, 14 Dec 2020 15:32:22 +0000 Subject: [PATCH 02/26] empty commit From 949eb9e04a5690f8e391db698c7a981c7b90b14e Mon Sep 17 00:00:00 2001 From: Robert Brennan Date: Mon, 14 Dec 2020 15:33:16 +0000 Subject: [PATCH 03/26] fix action --- .github/workflows/build-site.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-site.yml b/.github/workflows/build-site.yml index e6580c72d..2002abb16 100644 --- a/.github/workflows/build-site.yml +++ b/.github/workflows/build-site.yml @@ -41,7 +41,7 @@ jobs: echo "Build created a diff, but the last commit was a build." exit 1 fi - git add docs/ + git add ../docs/ git commit -m "[CI] rebuild website" git push fi From fab5cb9a2140cc1e4f9acd29a6d0be15703a90a2 Mon Sep 17 00:00:00 2001 From: Robert Brennan Date: Mon, 14 Dec 2020 15:51:00 +0000 Subject: [PATCH 04/26] have action push to a separate branch --- .github/workflows/build-site.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-site.yml b/.github/workflows/build-site.yml index 2002abb16..432773a60 100644 --- a/.github/workflows/build-site.yml +++ b/.github/workflows/build-site.yml 
@@ -43,5 +43,5 @@ jobs: fi git add ../docs/ git commit -m "[CI] rebuild website" - git push + git push origin +website fi From b511abab607baf262b6f8f09b7223415b7ca24fb Mon Sep 17 00:00:00 2001 From: Robert Brennan Date: Mon, 14 Dec 2020 15:52:37 +0000 Subject: [PATCH 05/26] set -u --- .github/workflows/build-site.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-site.yml b/.github/workflows/build-site.yml index 432773a60..14271aca3 100644 --- a/.github/workflows/build-site.yml +++ b/.github/workflows/build-site.yml @@ -43,5 +43,5 @@ jobs: fi git add ../docs/ git commit -m "[CI] rebuild website" - git push origin +website + git push -u origin +website fi From 6b7ccdadc4c01e6da61f37a61adbdecf63e71627 Mon Sep 17 00:00:00 2001 From: Robert Brennan Date: Mon, 14 Dec 2020 15:55:46 +0000 Subject: [PATCH 06/26] fix push --- .github/workflows/build-site.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-site.yml b/.github/workflows/build-site.yml index 14271aca3..5135cdbf0 100644 --- a/.github/workflows/build-site.yml +++ b/.github/workflows/build-site.yml @@ -43,5 +43,5 @@ jobs: fi git add ../docs/ git commit -m "[CI] rebuild website" - git push -u origin +website + git push -u origin +master:website fi From 3a2fb3584b291b7a67f38b57da17b50d07d9e1d9 Mon Sep 17 00:00:00 2001 From: skatika Date: Wed, 16 Dec 2020 15:52:48 -0500 Subject: [PATCH 07/26] Refactor common code --- pkg/config/exemptions.go | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/pkg/config/exemptions.go b/pkg/config/exemptions.go index 2f4135257..01829bf9e 100644 --- a/pkg/config/exemptions.go +++ b/pkg/config/exemptions.go 
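Review bot: The leading `+` in `git push -u origin +master:website` (and in the `+website` forms of patches 04 and 05 on this line) makes the push a forced update, and nothing in the step says that is intended. Each run replaces the remote `website` branch with the runner's local `master` plus the build commit, and anything else pushed to that branch is discarded. If the branch is meant to be CI-owned, say so next to the command, e.g. `# website is rebuilt from master on every run; the forced push is intentional`. Otherwise `--force-with-lease` would at least refuse to overwrite commits the job has not seen. The `run:` script starts outside the hunk, so whether the job's token is limited to this branch cannot be judged from here.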
@@ -18,18 +18,16 @@ func (conf Configuration) IsActionable(ruleID, namespace, controllerName string) continue } + checkIfActionable := false for _, rule := range example.Rules { if rule != ruleID { continue } - - for _, controller := range example.ControllerNames { - if strings.HasPrefix(controllerName, controller) { - return false - } - } + checkIfActionable = true + break } - if len(example.Rules) == 0 { + + if len(example.Rules) == 0 || checkIfActionable { for _, controller := range example.ControllerNames { if strings.HasPrefix(controllerName, controller) { return false From ca6e4b43e4946d25f04486d8187813a75c52ef46 Mon Sep 17 00:00:00 2001 From: skatika Date: Wed, 16 Dec 2020 15:53:22 -0500 Subject: [PATCH 08/26] Rename to receivers to same name --- pkg/config/config.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkg/config/config.go b/pkg/config/config.go index 0137f849a..4a8bce937 100644 --- a/pkg/config/config.go +++ b/pkg/config/config.go @@ -40,7 +40,7 @@ type Configuration struct { type Exemption struct { Rules []string `json:"rules"` ControllerNames []string `json:"controllerNames"` - Namespace string `json:"namespace"` + Namespace string `json:"namespace"` } var configBox = (*packr.Box)(nil) @@ -102,8 +102,8 @@ func Parse(rawBytes []byte) (Configuration, error) { } // Validate checks if a config is valid -func (c Configuration) Validate() error { - if len(c.Checks) == 0 { +func (conf Configuration) Validate() error { + if len(conf.Checks) == 0 { return errors.New("No checks were enabled") } return nil From 9dd7f0947a6cda7c6ef78792fce23b34bf0a7db9 Mon Sep 17 00:00:00 2001 From: skatika Date: Wed, 16 Dec 2020 17:15:09 -0500 Subject: [PATCH 09/26] Add a comma --- docs-md/customization/exemptions.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs-md/customization/exemptions.md b/docs-md/customization/exemptions.md index 8e6d28a83..9a755ac74 100644 --- a/docs-md/customization/exemptions.md 
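Review bot: `checkIfActionable` is set to true when `ruleID` appears in the exemption's rule list, which is the case where the function goes on to `return false`, so the name reads as the opposite of what it holds; `ruleMatches` would be clearer. The refactor now routes both the empty-rules case and the matching-rule case through a single `strings.HasPrefix(controllerName, controller)` loop, so this is the place to document that matching is by prefix: an exemption for `foo` also exempts `foobar`, and an empty string in `controllerNames` matches every controller. A comment such as `// prefix match: "foo" also exempts "foobar"; empty names must be rejected at config load` would make the breadth of an exemption visible. The `Validate` method shown in patch 08 only checks that `Checks` is non-empty. IsActionable begins and ends outside the hunk.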
+++ b/docs-md/customization/exemptions.md @@ -18,7 +18,7 @@ kubectl annotate deployment my-deployment polaris.fairwinds.com/cpuRequestsMissi ## Config -To exempt a controller via the config, you have to specify a namespace (optional), a list of controller names and a list of rules, e.g. +To exempt a controller via the config, you have to specify a namespace (optional), a list of controller names, and a list of rules, e.g. ```yaml exemptions: # exemption valid for kube-system namespace From e57668fc7511ea60def3c68d212a369f44b36af8 Mon Sep 17 00:00:00 2001 From: skatika Date: Wed, 16 Dec 2020 17:17:43 -0500 Subject: [PATCH 10/26] Fix typos --- pkg/validator/controller.go | 4 ++-- pkg/validator/pod_test.go | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/pkg/validator/controller.go b/pkg/validator/controller.go index 35024f7ee..a20771770 100644 --- a/pkg/validator/controller.go +++ b/pkg/validator/controller.go @@ -54,14 +54,14 @@ func ValidateController(ctx context.Context, conf *conf.Configuration, controlle func ValidateControllers(ctx context.Context, config *conf.Configuration, kubeResources *kube.ResourceProvider) ([]ControllerResult, error) { controllersToAudit := kubeResources.Controllers - results := []ControllerResult{} + var results []ControllerResult for _, controller := range controllersToAudit { if !config.DisallowExemptions && hasExemptionAnnotation(controller) { continue } result, err := ValidateController(ctx, config, controller) if err != nil { - logrus.Warn("An error occured validating controller:", err) + logrus.Warn("An error occurred validating controller:", err) return nil, err } results = append(results, result) diff --git a/pkg/validator/pod_test.go b/pkg/validator/pod_test.go index bfbc22abb..c72f64432 100644 --- a/pkg/validator/pod_test.go +++ b/pkg/validator/pod_test.go 
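Review bot: Changing `results := []ControllerResult{}` to `var results []ControllerResult` in ValidateControllers is a behaviour change inside a commit titled "Fix typos". When there are no controllers, or all of them carry the exemption annotation, the function now returns a nil slice, which `encoding/json` encodes as `null` rather than `[]`. Whether the result is serialised is not visible here, but if it reaches the dashboard or JSON output, consumers that expect an array can break; either keep `results := []ControllerResult{}` or call the change out in the commit message. The same swap appears in ValidateAllContainers in patch 12. The function body continues past the end of the hunk.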
@@ -100,7 +100,7 @@ func TestInvalidIPCPod(t *testing.T) { assert.EqualValues(t, expectedResults, actualPodResult.Results) } -func TestInvalidNeworkPod(t *testing.T) { +func TestInvalidNetworkPod(t *testing.T) { c := conf.Configuration{ Checks: map[string]conf.Severity{ "hostNetworkSet": conf.SeverityWarning, @@ -185,7 +185,7 @@ func TestExemption(t *testing.T) { "hostPortSet": conf.SeverityDanger, }, Exemptions: []conf.Exemption{ - conf.Exemption{ + { Rules: []string{"hostIPCSet"}, ControllerNames: []string{"foo"}, }, From 272e06bbec171826c13c736f4c243d3b8e168149 Mon Sep 17 00:00:00 2001 From: skatika Date: Wed, 16 Dec 2020 17:21:50 -0500 Subject: [PATCH 11/26] Add ContainerNames to Exemption struct --- pkg/config/config.go | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/pkg/config/config.go b/pkg/config/config.go index 4a8bce937..9f7d4b872 100644 --- a/pkg/config/config.go +++ b/pkg/config/config.go @@ -23,7 +23,7 @@ import ( "net/http" "strings" - packr "github.com/gobuffalo/packr/v2" + "github.com/gobuffalo/packr/v2" "k8s.io/apimachinery/pkg/util/yaml" ) @@ -40,6 +40,7 @@ type Configuration struct { type Exemption struct { Rules []string `json:"rules"` ControllerNames []string `json:"controllerNames"` + ContainerNames []string `json:"containerNames"` Namespace string `json:"namespace"` } @@ -59,14 +60,14 @@ func ParseFile(path string) (Configuration, error) { if path == "" { rawBytes, err = getConfigBox().Find("config.yaml") } else if strings.HasPrefix(path, "https://") || strings.HasPrefix(path, "http://") { - //path is a url + // path is a url response, err2 := http.Get(path) if err2 != nil { return Configuration{}, err2 } rawBytes, err = ioutil.ReadAll(response.Body) } else { - //path is local + // path is local rawBytes, err = ioutil.ReadFile(path) } if err != nil { From fdd30717e51915cb0bb535c9ba516479f97bdf20 Mon Sep 17 00:00:00 2001 
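Review bot: The URL branch of ParseFile that this hunk re-comments still fetches with `http.Get(path)` on the default client, which has no timeout, never closes `response.Body`, and ignores the status code, so a 404 or proxy error page is passed to the parser as configuration. It also accepts `http://`, which means the check and exemption policy can be altered in transit. Plain-HTTP sources should at least log a warning or require an explicit opt-in. The sketch below adds a timeout, closes the body and rejects non-200 responses; it needs `time` and `fmt`, and the import block is only partly visible. These are context lines, and ParseFile continues outside the hunk.

```go
	} else if strings.HasPrefix(path, "https://") || strings.HasPrefix(path, "http://") {
		// path is a url
		client := &http.Client{Timeout: 30 * time.Second}
		response, err2 := client.Get(path)
		if err2 != nil {
			return Configuration{}, err2
		}
		defer response.Body.Close()
		if response.StatusCode != http.StatusOK {
			return Configuration{}, fmt.Errorf("fetching config %q: unexpected status %s", path, response.Status)
		}
		rawBytes, err = ioutil.ReadAll(response.Body)
	// … unchanged: local-file branch and error check …
```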
From: skatika Date: Thu, 17 Dec 2020 09:54:29 -0500 Subject: [PATCH 12/26] Remove unused parameter --- cmd/polaris/audit.go | 2 +- go.sum | 20 -------------------- pkg/dashboard/dashboard.go | 4 ++-- pkg/validator/container.go | 14 ++++++-------- pkg/validator/container_test.go | 15 +++++++-------- pkg/validator/controller.go | 11 +++++------ pkg/validator/controller_test.go | 15 +++++++-------- pkg/validator/fullaudit.go | 5 ++--- pkg/validator/fullaudit_test.go | 2 +- pkg/validator/pod.go | 8 +++----- pkg/validator/pod_test.go | 10 +++++----- pkg/validator/schema.go | 7 +++---- pkg/validator/schema_test.go | 5 ++--- pkg/webhook/webhook.go | 2 +- test/checks_test.go | 3 +-- 15 files changed, 46 insertions(+), 77 deletions(-) diff --git a/cmd/polaris/audit.go b/cmd/polaris/audit.go index aa00435ba..3b7d6611a 100644 --- a/cmd/polaris/audit.go +++ b/cmd/polaris/audit.go @@ -80,7 +80,7 @@ func runAndReportAudit(ctx context.Context, c conf.Configuration, auditPath, wor logrus.Errorf("Error fetching Kubernetes resources %v", err) os.Exit(1) } - auditData, err := validator.RunAudit(ctx, c, k) + auditData, err := validator.RunAudit(c, k) if err != nil { logrus.Errorf("Error while running audit on resources: %v", err) diff --git a/go.sum b/go.sum index 251ffffbe..1f87039ff 100644 --- a/go.sum +++ b/go.sum 
@@ -231,8 +231,6 @@ github.com/gobuffalo/logger v1.0.3 h1:YaXOTHNPCvkqqA7w05A4v0k2tCdpr+sgFlgINbQ6gq github.com/gobuffalo/logger v1.0.3/go.mod h1:SoeejUwldiS7ZsyCBphOGURmWdwUFXs0J7TCjEhjKxM= github.com/gobuffalo/packd v1.0.0 h1:6ERZvJHfe24rfFmA9OaoKBdC7+c9sydrytMg8SdFGBM= github.com/gobuffalo/packd v1.0.0/go.mod h1:6VTc4htmJRFB7u1m/4LeMTWjFoYrUiBkU9Fdec9hrhI= -github.com/gobuffalo/packr/v2 v2.8.0 h1:IULGd15bQL59ijXLxEvA5wlMxsmx/ZkQv9T282zNVIY= -github.com/gobuffalo/packr/v2 v2.8.0/go.mod h1:PDk2k3vGevNE3SwVyVRgQCCXETC9SaONCNSXT1Q8M1g= github.com/gobuffalo/packr/v2 v2.8.1 h1:tkQpju6i3EtMXJ9uoF5GT6kB+LMTimDWD8Xvbz6zDVA= github.com/gobuffalo/packr/v2 v2.8.1/go.mod h1:c/PLlOuTU+p3SybaJATW3H6lX/iK7xEz5OeMf+NnJpg= github.com/gogo/googleapis v1.1.0/go.mod h1:gf4bu3Q80BeJ6H1S1vYPm8/ELATdvryBaNFGgqEef3s= @@ -372,7 +370,6 @@ github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/X github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU= github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w= github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM= -github.com/karrick/godirwalk v1.15.3/go.mod h1:j4mkqPuvaLI8mp1DroR3P6ad7cyYd4c1qeJ3RV7ULlk= github.com/karrick/godirwalk v1.15.8/go.mod h1:j4mkqPuvaLI8mp1DroR3P6ad7cyYd4c1qeJ3RV7ULlk= github.com/karrick/godirwalk v1.16.1 h1:DynhcF+bztK8gooS0+NDJFrdNZjJ3gzVzC545UNA9iw= github.com/karrick/godirwalk v1.16.1/go.mod h1:j4mkqPuvaLI8mp1DroR3P6ad7cyYd4c1qeJ3RV7ULlk= 
@@ -555,8 +552,6 @@ github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkU github.com/spf13/cobra v0.0.3/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ= github.com/spf13/cobra v0.0.5/go.mod h1:3K3wKZymM7VvHMDS9+Akkh4K60UwM26emMESw8tLCHU= github.com/spf13/cobra v0.0.6/go.mod h1:/6GTrnGXV9HjY+aR4k0oJ5tcvakLuG6EuKReYlHNrgE= -github.com/spf13/cobra v1.0.0 h1:6m/oheQuQ13N9ks4hubMG6BnvwOeaJrqSPLahSnczz8= -github.com/spf13/cobra v1.0.0/go.mod h1:/6GTrnGXV9HjY+aR4k0oJ5tcvakLuG6EuKReYlHNrgE= github.com/spf13/cobra v1.1.1 h1:KfztREH0tPxJJ+geloSLaAkaPkr4ki2Er5quFV1TDo4= github.com/spf13/cobra v1.1.1/go.mod h1:WnodtKOvamDL/PwE2M4iKs8aMDBZ5Q5klgD3qfVJQMI= github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo= 
@@ -994,27 +989,18 @@ honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= honnef.co/go/tools v0.0.1-2020.1.4 h1:UoveltGrhghAA7ePc+e+QYDHXrBps2PqFZiHkGR/xK8= honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= -k8s.io/api v0.18.4/go.mod h1:lOIQAKYgai1+vz9J7YcDZwC26Z0zQewYOGWdyIPUUQ4= k8s.io/api v0.18.6/go.mod h1:eeyxr+cwCjMdLAmr2W3RyDI0VvTawSg/3RFFBEnmZGI= k8s.io/api v0.18.8 h1:aIKUzJPb96f3fKec2lxtY7acZC9gQNDLVhfSGpxBAC4= k8s.io/api v0.18.8/go.mod h1:d/CXqwWv+Z2XEG1LgceeDmHQwpUJhROPx16SlxJgERY= -k8s.io/apiextensions-apiserver v0.18.4 h1:Y3HGERmS8t9u12YNUFoOISqefaoGRuTc43AYCLzWmWE= -k8s.io/apiextensions-apiserver v0.18.4/go.mod h1:NYeyeYq4SIpFlPxSAB6jHPIdvu3hL0pc36wuRChybio= k8s.io/apiextensions-apiserver v0.18.6 h1:vDlk7cyFsDyfwn2rNAO2DbmUbvXy5yT5GE3rrqOzaMo= k8s.io/apiextensions-apiserver v0.18.6/go.mod h1:lv89S7fUysXjLZO7ke783xOwVTm6lKizADfvUM/SS/M= -k8s.io/apimachinery v0.18.4/go.mod h1:OaXp26zu/5J7p0f92ASynJa1pZo06YlV9fG7BoWbCko= k8s.io/apimachinery v0.18.6/go.mod h1:OaXp26zu/5J7p0f92ASynJa1pZo06YlV9fG7BoWbCko= k8s.io/apimachinery v0.18.8 h1:jimPrycCqgx2QPearX3to1JePz7wSbVLq+7PdBTTwQ0= k8s.io/apimachinery v0.18.8/go.mod h1:6sQd+iHEqmOtALqOFjSWp2KZ9F0wlU/nWm0ZgsYWMig= -k8s.io/apiserver v0.18.4/go.mod h1:q+zoFct5ABNnYkGIaGQ3bcbUNdmPyOCoEBcg51LChY8= k8s.io/apiserver v0.18.6/go.mod h1:Zt2XvTHuaZjBz6EFYzpp+X4hTmgWGy8AthNVnTdm3Wg= -k8s.io/client-go v0.18.4 h1:un55V1Q/B3JO3A76eS0kUSywgGK/WR3BQ8fHQjNa6Zc= -k8s.io/client-go v0.18.4/go.mod h1:f5sXwL4yAZRkAtzOxRWUhA/N8XzGCb+nPZI8PfobZ9g= k8s.io/client-go v0.18.6 h1:I+oWqJbibLSGsZj8Xs8F0aWVXJVIoUHWaaJV3kUN/Zw= k8s.io/client-go v0.18.6/go.mod h1:/fwtGLjYMS1MaM5oi+eXhKwG+1UHidUEXRh6cNsdO0Q= -k8s.io/code-generator v0.18.4/go.mod h1:TgNEVx9hCyPGpdtCWA34olQYLkh3ok9ar7XfSsr8b6c= k8s.io/code-generator v0.18.6/go.mod h1:TgNEVx9hCyPGpdtCWA34olQYLkh3ok9ar7XfSsr8b6c= 
-k8s.io/component-base v0.18.4/go.mod h1:7jr/Ef5PGmKwQhyAz/pjByxJbC58mhKAhiaDu0vXfPk= k8s.io/component-base v0.18.6/go.mod h1:knSVsibPR5K6EW2XOjEHik6sdU5nCvKMrzMt2D4In14= k8s.io/gengo v0.0.0-20190128074634-0689ccc1d7d6/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= k8s.io/gengo v0.0.0-20200114144118-36b2048a9120/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= @@ -1035,12 +1021,6 @@ rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.7/go.mod h1:PHgbrJT7lCHcxMU+mDHEm+nx46H4zuuHZkDP6icnhu0= -sigs.k8s.io/controller-runtime v0.6.1 h1:LcK2+nk0kmaOnKGN+vBcWHqY5WDJNJNB/c5pW+sU8fc= -sigs.k8s.io/controller-runtime v0.6.1/go.mod h1:XRYBPdbf5XJu9kpS84VJiZ7h/u1hF3gEORz0efEja7A= -sigs.k8s.io/controller-runtime v0.6.2 h1:jkAnfdTYBpFwlmBn3pS5HFO06SfxvnTZ1p5PeEF/zAA= -sigs.k8s.io/controller-runtime v0.6.2/go.mod h1:vhcq/rlnENJ09SIRp3EveTaZ0yqH526hjf9iJdbUJ/E= -sigs.k8s.io/controller-runtime v0.6.3 h1:SBbr+inLPEKhvlJtrvDcwIpm+uhDvp63Bl72xYJtoOE= -sigs.k8s.io/controller-runtime v0.6.3/go.mod h1:WlZNXcM0++oyaQt4B7C2lEE5JYRs8vJUzRP4N4JpdAY= sigs.k8s.io/controller-runtime v0.6.4 h1:4013CKsBs5bEqo+LevzDett+LLxag/FjQWG94nVZ/9g= sigs.k8s.io/controller-runtime v0.6.4/go.mod h1:WlZNXcM0++oyaQt4B7C2lEE5JYRs8vJUzRP4N4JpdAY= sigs.k8s.io/structured-merge-diff/v3 v3.0.0-20200116222232-67a7b8c61874/go.mod h1:PlARxl6Hbt/+BC80dRLi1qAmnMqwqDg62YvvVkZjemw= diff --git a/pkg/dashboard/dashboard.go b/pkg/dashboard/dashboard.go index 64c7c302d..eaacb778c 100644 --- a/pkg/dashboard/dashboard.go +++ b/pkg/dashboard/dashboard.go 
@@ -191,7 +191,7 @@ func GetRouter(c config.Configuration, auditPath string, port int, basePath stri return } - auditDataObj, err := validator.RunAudit(r.Context(), adjustedConf, k) + auditDataObj, err := validator.RunAudit(adjustedConf, k) if err != nil { http.Error(w, "Error Fetching Deployments", http.StatusInternalServerError) return @@ -224,7 +224,7 @@ func GetRouter(c config.Configuration, auditPath string, port int, basePath stri return } - auditData, err := validator.RunAudit(r.Context(), adjustedConf, k) + auditData, err := validator.RunAudit(adjustedConf, k) if err != nil { logrus.Errorf("Error getting audit data: %v", err) http.Error(w, "Error running audit", 500) diff --git a/pkg/validator/container.go b/pkg/validator/container.go index 44f138a29..1fa8b3876 100644 --- a/pkg/validator/container.go +++ b/pkg/validator/container.go @@ -15,8 +15,6 @@ package validator import ( - "context" - "github.com/fairwindsops/polaris/pkg/config" "github.com/fairwindsops/polaris/pkg/kube" @@ -24,8 +22,8 @@ import ( ) // ValidateContainer validates a single container from a given controller -func ValidateContainer(ctx context.Context, conf *config.Configuration, controller kube.GenericWorkload, container *corev1.Container, isInit bool) (ContainerResult, error) { - results, err := applyContainerSchemaChecks(ctx, conf, controller, container, isInit) +func ValidateContainer(conf *config.Configuration, controller kube.GenericWorkload, container *corev1.Container, isInit bool) (ContainerResult, error) { + results, err := applyContainerSchemaChecks(conf, controller, container, isInit) if err != nil { return ContainerResult{}, err } 
@@ -39,18 +37,18 @@ func ValidateContainer(ctx context.Context, conf *config.Configuration, controll } // ValidateAllContainers validates both init and regular containers -func ValidateAllContainers(ctx context.Context, conf *config.Configuration, controller kube.GenericWorkload) ([]ContainerResult, error) { - results := []ContainerResult{} +func ValidateAllContainers(conf *config.Configuration, controller kube.GenericWorkload) ([]ContainerResult, error) { + var results []ContainerResult pod := controller.PodSpec for _, container := range pod.InitContainers { - result, err := ValidateContainer(ctx, conf, controller, &container, true) + result, err := ValidateContainer(conf, controller, &container, true) if err != nil { return nil, err } results = append(results, result) } for _, container := range pod.Containers { - result, err := ValidateContainer(ctx, conf, controller, &container, false) + result, err := ValidateContainer(conf, controller, &container, false) if err != nil { return nil, err } diff --git a/pkg/validator/container_test.go b/pkg/validator/container_test.go index 4ab651b1d..a75526b7c 100644 --- a/pkg/validator/container_test.go +++ b/pkg/validator/container_test.go @@ -15,7 +15,6 @@ package validator import ( - "context" "fmt" "testing" @@ -69,7 +68,7 @@ func testValidateWithWorkload(t *testing.T, container *corev1.Container, resourc parsedConf, err := conf.Parse([]byte(*resourceConf)) assert.NoError(t, err, "Expected no error when parsing config") - results, err := applyContainerSchemaChecks(context.Background(), &parsedConf, workload, container, false) + results, err := applyContainerSchemaChecks(&parsedConf, workload, container, false) if err != nil { panic(err) } 
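Review bot: Both loops in ValidateAllContainers pass `&container`, the address of the range variable, to ValidateContainer. Before Go 1.22 that variable is reused on every iteration, so the call is only safe as long as nothing downstream keeps the pointer, and linters such as gosec (G601) flag the pattern. Iterating by index removes the dependency: `for i := range pod.InitContainers {` with `ValidateContainer(conf, controller, &pod.InitContainers[i], true)`, and the same for `pod.Containers`. The end of the function is outside the hunk.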
@@ -90,7 +89,7 @@ func TestValidateResourcesEmptyConfig(t *testing.T) { Name: "Empty", } - results, err := applyContainerSchemaChecks(context.Background(), &conf.Configuration{}, getEmptyWorkload(t, ""), container, false) + results, err := applyContainerSchemaChecks(&conf.Configuration{}, getEmptyWorkload(t, ""), container, false) if err != nil { panic(err) } @@ -187,7 +186,7 @@ func TestValidateHealthChecks(t *testing.T) { for idx, tt := range testCases { t.Run(tt.name, func(t *testing.T) { controller := getEmptyWorkload(t, "") - results, err := applyContainerSchemaChecks(context.Background(), &conf.Configuration{Checks: tt.probes}, controller, tt.container, tt.isInit) + results, err := applyContainerSchemaChecks(&conf.Configuration{Checks: tt.probes}, controller, tt.container, tt.isInit) if err != nil { panic(err) } @@ -301,7 +300,7 @@ func TestValidateImage(t *testing.T) { for _, tt := range testCases { t.Run(tt.name, func(t *testing.T) { controller := getEmptyWorkload(t, "") - results, err := applyContainerSchemaChecks(context.Background(), &conf.Configuration{Checks: tt.image}, controller, tt.container, false) + results, err := applyContainerSchemaChecks(&conf.Configuration{Checks: tt.image}, controller, tt.container, false) if err != nil { panic(err) } @@ -418,7 +417,7 @@ func TestValidateNetworking(t *testing.T) { for _, tt := range testCases { t.Run(tt.name, func(t *testing.T) { controller := getEmptyWorkload(t, "") - results, err := applyContainerSchemaChecks(context.Background(), &conf.Configuration{Checks: tt.networkConf}, controller, tt.container, false) + results, err := applyContainerSchemaChecks(&conf.Configuration{Checks: tt.networkConf}, controller, tt.container, false) if err != nil { panic(err) } 
@@ -923,7 +922,7 @@ func TestValidateSecurity(t *testing.T) { t.Run(tt.name, func(t *testing.T) { workload, err := kube.NewGenericWorkloadFromPod(corev1.Pod{Spec: *tt.pod}, nil) assert.NoError(t, err) - results, err := applyContainerSchemaChecks(context.Background(), &conf.Configuration{Checks: tt.securityConf}, workload, tt.container, false) + results, err := applyContainerSchemaChecks(&conf.Configuration{Checks: tt.securityConf}, workload, tt.container, false) if err != nil { panic(err) } @@ -1068,7 +1067,7 @@ func TestValidateRunAsRoot(t *testing.T) { t.Run(tt.name, func(t *testing.T) { workload, err := kube.NewGenericWorkloadFromPod(corev1.Pod{Spec: *tt.pod}, nil) assert.NoError(t, err) - results, err := applyContainerSchemaChecks(context.Background(), &config, workload, tt.container, false) + results, err := applyContainerSchemaChecks(&config, workload, tt.container, false) if err != nil { panic(err) } diff --git a/pkg/validator/controller.go b/pkg/validator/controller.go index a20771770..90b4a0716 100644 --- a/pkg/validator/controller.go +++ b/pkg/validator/controller.go @@ -15,7 +15,6 @@ package validator import ( - "context" "strings" "github.com/sirupsen/logrus" @@ -27,13 +26,13 @@ import ( const exemptionAnnotationKey = "polaris.fairwinds.com/exempt" // ValidateController validates a single controller, returns a ControllerResult. -func ValidateController(ctx context.Context, conf *conf.Configuration, controller kube.GenericWorkload) (ControllerResult, error) { - podResult, err := ValidatePod(ctx, conf, controller) +func ValidateController(conf *conf.Configuration, controller kube.GenericWorkload) (ControllerResult, error) { + podResult, err := ValidatePod(conf, controller) if err != nil { return ControllerResult{}, err } - controllerResult, err := applyControllerSchemaChecks(ctx, conf, controller) + controllerResult, err := applyControllerSchemaChecks(conf, controller) if err != nil { return ControllerResult{}, err } 
@@ -51,7 +50,7 @@ func ValidateController(ctx context.Context, conf *conf.Configuration, controlle // ValidateControllers validates that each deployment conforms to the Polaris config, // builds a list of ResourceResults organized by namespace. -func ValidateControllers(ctx context.Context, config *conf.Configuration, kubeResources *kube.ResourceProvider) ([]ControllerResult, error) { +func ValidateControllers(config *conf.Configuration, kubeResources *kube.ResourceProvider) ([]ControllerResult, error) { controllersToAudit := kubeResources.Controllers var results []ControllerResult @@ -59,7 +58,7 @@ func ValidateControllers(ctx context.Context, config *conf.Configuration, kubeRe if !config.DisallowExemptions && hasExemptionAnnotation(controller) { continue } - result, err := ValidateController(ctx, config, controller) + result, err := ValidateController(config, controller) if err != nil { logrus.Warn("An error occurred validating controller:", err) return nil, err diff --git a/pkg/validator/controller_test.go b/pkg/validator/controller_test.go index 8bfed5051..54231148d 100644 --- a/pkg/validator/controller_test.go +++ b/pkg/validator/controller_test.go @@ -15,7 +15,6 @@ package validator import ( - "context" "testing" "github.com/stretchr/testify/assert" @@ -47,7 +46,7 @@ func TestValidateController(t *testing.T) { "hostPIDSet": {ID: "hostPIDSet", Message: "Host PID is not configured", Success: true, Severity: "danger", Category: "Security"}, } - actualResult, err := ValidateController(context.Background(), &c, deployment) + actualResult, err := ValidateController(&c, deployment) if err != nil { panic(err) } 
@@ -82,7 +81,7 @@ func TestControllerLevelChecks(t *testing.T) { for _, controller := range resources.Controllers { if controller.Kind == "Deployment" && controller.ObjectMeta.GetName() == "test-deployment" { - actualResult, err := ValidateController(context.Background(), &c, controller) + actualResult, err := ValidateController(&c, controller) if err != nil { panic(err) } @@ -117,7 +116,7 @@ func TestSkipHealthChecks(t *testing.T) { "readinessProbeMissing": {ID: "readinessProbeMissing", Message: "Readiness probe should be configured", Success: false, Severity: "danger", Category: "Reliability"}, "livenessProbeMissing": {ID: "livenessProbeMissing", Message: "Liveness probe should be configured", Success: false, Severity: "warning", Category: "Reliability"}, } - actualResult, err := ValidateController(context.Background(), &c, deployment) + actualResult, err := ValidateController(&c, deployment) if err != nil { panic(err) } @@ -136,7 +135,7 @@ func TestSkipHealthChecks(t *testing.T) { Dangers: uint(0), } expectedResults = ResultSet{} - actualResult, err = ValidateController(context.Background(), &c, job) + actualResult, err = ValidateController(&c, job) if err != nil { panic(err) } @@ -154,7 +153,7 @@ func TestSkipHealthChecks(t *testing.T) { Dangers: uint(0), } expectedResults = ResultSet{} - actualResult, err = ValidateController(context.Background(), &c, cronjob) + actualResult, err = ValidateController(&c, cronjob) if err != nil { panic(err) } @@ -184,7 +183,7 @@ func TestControllerExemptions(t *testing.T) { Warnings: uint(1), Dangers: uint(1), } - actualResults, err := ValidateControllers(context.Background(), &c, resources) + actualResults, err := ValidateControllers(&c, resources) if err != nil { panic(err) } 
@@ -195,7 +194,7 @@ func TestControllerExemptions(t *testing.T) { resources.Controllers[0].ObjectMeta.SetAnnotations(map[string]string{ exemptionAnnotationKey: "true", }) - actualResults, err = ValidateControllers(context.Background(), &c, resources) + actualResults, err = ValidateControllers(&c, resources) if err != nil { panic(err) } diff --git a/pkg/validator/fullaudit.go b/pkg/validator/fullaudit.go index c7cccc916..1fe4b0202 100644 --- a/pkg/validator/fullaudit.go +++ b/pkg/validator/fullaudit.go @@ -2,7 +2,6 @@ package validator import ( "bytes" - "context" "fmt" "io" "io/ioutil" @@ -17,13 +16,13 @@ import ( ) // RunAudit runs a full Polaris audit and returns an AuditData object -func RunAudit(ctx context.Context, config conf.Configuration, kubeResources *kube.ResourceProvider) (AuditData, error) { +func RunAudit(config conf.Configuration, kubeResources *kube.ResourceProvider) (AuditData, error) { displayName := config.DisplayName if displayName == "" { displayName = kubeResources.SourceName } - results, err := ValidateControllers(ctx, &config, kubeResources) + results, err := ValidateControllers(&config, kubeResources) if err != nil { return AuditData{}, err } diff --git a/pkg/validator/fullaudit_test.go b/pkg/validator/fullaudit_test.go index 63690da84..943cdd2a9 100644 --- a/pkg/validator/fullaudit_test.go +++ b/pkg/validator/fullaudit_test.go @@ -32,7 +32,7 @@ func TestGetTemplateData(t *testing.T) { Dangers: uint(1), } - actualAudit, err := RunAudit(context.Background(), c, resources) + actualAudit, err := RunAudit(c, resources) assert.Equal(t, err, nil, "error should be nil") diff --git a/pkg/validator/pod.go b/pkg/validator/pod.go index e159cd751..6bef7b910 100644 --- a/pkg/validator/pod.go +++ b/pkg/validator/pod.go 
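Review bot: `context.Background()` is removed from the RunAudit call in TestGetTemplateData, but this file's section has no hunk dropping `"context"` from the import block, unlike container_test.go, controller_test.go, schema_test.go and test/checks_test.go. The same holds for pkg/validator/pod_test.go, where all five changed lines are call sites. If those calls were the only uses of the package, the test build fails with an unused-import error, so the import line should be removed in this commit. The import blocks are outside the hunks shown, so this is inferred from the diffstat (2 and 10 changed lines) and should be confirmed with `go vet ./...`.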
@@ -15,15 +15,13 @@ package validator import ( - "context" - "github.com/fairwindsops/polaris/pkg/config" "github.com/fairwindsops/polaris/pkg/kube" ) // ValidatePod validates that each pod conforms to the Polaris config, returns a ResourceResult. -func ValidatePod(ctx context.Context, conf *config.Configuration, controller kube.GenericWorkload) (PodResult, error) { - podResults, err := applyPodSchemaChecks(ctx, conf, controller) +func ValidatePod(conf *config.Configuration, controller kube.GenericWorkload) (PodResult, error) { + podResults, err := applyPodSchemaChecks(conf, controller) if err != nil { return PodResult{}, err } @@ -32,7 +30,7 @@ func ValidatePod(ctx context.Context, conf *config.Configuration, controller kub ContainerResults: []ContainerResult{}, } - pRes.ContainerResults, err = ValidateAllContainers(ctx, conf, controller) + pRes.ContainerResults, err = ValidateAllContainers(conf, controller) if err != nil { return pRes, err } diff --git a/pkg/validator/pod_test.go b/pkg/validator/pod_test.go index c72f64432..6d04345c2 100644 --- a/pkg/validator/pod_test.go +++ b/pkg/validator/pod_test.go @@ -53,7 +53,7 @@ func TestValidatePod(t *testing.T) { "hostPIDSet": {ID: "hostPIDSet", Message: "Host PID is not configured", Success: true, Severity: "danger", Category: "Security"}, } - actualPodResult, err := ValidatePod(context.Background(), &c, deployment) + actualPodResult, err := ValidatePod(&c, deployment) if err != nil { panic(err) } @@ -90,7 +90,7 @@ func TestInvalidIPCPod(t *testing.T) { "hostPIDSet": {ID: "hostPIDSet", Message: "Host PID is not configured", Success: true, Severity: "danger", Category: "Security"}, } - actualPodResult, err := ValidatePod(context.Background(), &c, workload) + actualPodResult, err := ValidatePod(&c, workload) if err != nil { panic(err) } 
@@ -128,7 +128,7 @@ func TestInvalidNetworkPod(t *testing.T) { "hostPIDSet": {ID: "hostPIDSet", Message: "Host PID is not configured", Success: true, Severity: "danger", Category: "Security"}, } - actualPodResult, err := ValidatePod(context.Background(), &c, workload) + actualPodResult, err := ValidatePod(&c, workload) if err != nil { panic(err) } @@ -166,7 +166,7 @@ func TestInvalidPIDPod(t *testing.T) { "hostNetworkSet": {ID: "hostNetworkSet", Message: "Host network is not configured", Success: true, Severity: "warning", Category: "Security"}, } - actualPodResult, err := ValidatePod(context.Background(), &c, workload) + actualPodResult, err := ValidatePod(&c, workload) if err != nil { panic(err) } @@ -211,7 +211,7 @@ func TestExemption(t *testing.T) { "hostPIDSet": {ID: "hostPIDSet", Message: "Host PID is not configured", Success: true, Severity: "danger", Category: "Security"}, } - actualPodResult, err := ValidatePod(context.Background(), &c, workload) + actualPodResult, err := ValidatePod(&c, workload) if err != nil { panic(err) } diff --git a/pkg/validator/schema.go b/pkg/validator/schema.go index 17c38e466..6d1e5a89f 100644 --- a/pkg/validator/schema.go +++ b/pkg/validator/schema.go @@ -2,7 +2,6 @@ package validator import ( "bytes" - "context" "fmt" "io" "sort" @@ -114,7 +113,7 @@ func getExemptKey(checkID string) string { return fmt.Sprintf("polaris.fairwinds.com/%s-exempt", checkID) } -func applyPodSchemaChecks(ctx context.Context, conf *config.Configuration, controller kube.GenericWorkload) (ResultSet, error) { +func applyPodSchemaChecks(conf *config.Configuration, controller kube.GenericWorkload) (ResultSet, error) { results := ResultSet{} checkIDs := getSortedKeys(conf.Checks) objectAnnotations := controller.ObjectMeta.GetAnnotations() 
@@ -139,7 +138,7 @@ func applyPodSchemaChecks(ctx context.Context, conf *config.Configuration, contr return results, nil } -func applyControllerSchemaChecks(ctx context.Context, conf *config.Configuration, controller kube.GenericWorkload) (ResultSet, error) { +func applyControllerSchemaChecks(conf *config.Configuration, controller kube.GenericWorkload) (ResultSet, error) { results := ResultSet{} checkIDs := getSortedKeys(conf.Checks) objectAnnotations := controller.ObjectMeta.GetAnnotations() @@ -164,7 +163,7 @@ func applyControllerSchemaChecks(ctx context.Context, conf *config.Configuration return results, nil } -func applyContainerSchemaChecks(ctx context.Context, conf *config.Configuration, controller kube.GenericWorkload, container *corev1.Container, isInit bool) (ResultSet, error) { +func applyContainerSchemaChecks(conf *config.Configuration, controller kube.GenericWorkload, container *corev1.Container, isInit bool) (ResultSet, error) { results := ResultSet{} checkIDs := getSortedKeys(conf.Checks) objectAnnotations := controller.ObjectMeta.GetAnnotations() diff --git a/pkg/validator/schema_test.go b/pkg/validator/schema_test.go index 303357fd9..36ef40fd6 100644 --- a/pkg/validator/schema_test.go +++ b/pkg/validator/schema_test.go @@ -1,7 +1,6 @@ package validator import ( - "context" "testing" conf "github.com/fairwindsops/polaris/pkg/config" 
@@ -144,14 +143,14 @@ func TestValidateResourcesInit(t *testing.T) { parsedConf, err := conf.Parse([]byte(resourceConfRanges)) assert.NoError(t, err, "Expected no error when parsing config") - results, err := applyContainerSchemaChecks(context.Background(), &parsedConf, controller, emptyContainer, false) + results, err := applyContainerSchemaChecks(&parsedConf, controller, emptyContainer, false) if err != nil { panic(err) } assert.Equal(t, uint(1), results.GetSummary().Dangers) assert.Equal(t, uint(1), results.GetSummary().Warnings) - results, err = applyContainerSchemaChecks(context.Background(), &parsedConf, controller, emptyContainer, true) + results, err = applyContainerSchemaChecks(&parsedConf, controller, emptyContainer, true) if err != nil { panic(err) } diff --git a/pkg/webhook/webhook.go b/pkg/webhook/webhook.go index 9a11ade56..0ab79e9b7 100644 --- a/pkg/webhook/webhook.go +++ b/pkg/webhook/webhook.go @@ -104,7 +104,7 @@ func (v *Validator) handleInternal(ctx context.Context, req admission.Request) ( return nil, err } controller.Kind = req.AdmissionRequest.Kind.Kind - controllerResult, err := validator.ValidateController(ctx, &v.Config, controller) + controllerResult, err := validator.ValidateController(&v.Config, controller) if err != nil { return nil, err } diff --git a/test/checks_test.go b/test/checks_test.go index ac74430b9..a7d46c85c 100644 --- a/test/checks_test.go +++ b/test/checks_test.go @@ -1,7 +1,6 @@ package test import ( - "context" "io/ioutil" "path/filepath" "runtime" @@ -57,7 +56,7 @@ func TestChecks(t *testing.T) { assert.NoError(t, err) c, err := config.Parse([]byte("checks:\n " + tc.check + ": danger")) assert.NoError(t, err) - result, err := validator.ValidateController(context.Background(), &c, *workload) + result, err := validator.ValidateController(&c, *workload) assert.NoError(t, err) summary := result.GetSummary() if tc.failure { From 4e044602f4f2b7bdf61c7d6503cdf44cdd957c0b Mon Sep 17 00:00:00 2001 
From: Robert Brennan Date: Thu, 17 Dec 2020 16:29:49 -0500 Subject: [PATCH 13/26] change how controller checks are handled (#454) * change how controller checks are handled * add changelog * simpler fix --- checks/multipleReplicasForDeployment.yaml | 19 +++++++------------ docs-md/changelog.md | 6 ++++++ pkg/kube/workload.go | 3 ++- 3 files changed, 15 insertions(+), 13 deletions(-) diff --git a/checks/multipleReplicasForDeployment.yaml b/checks/multipleReplicasForDeployment.yaml index b2836fda5..6c2a921dd 100644 --- a/checks/multipleReplicasForDeployment.yaml +++ b/checks/multipleReplicasForDeployment.yaml @@ -8,19 +8,14 @@ controllers: schema: '$schema': http://json-schema.org/draft-07/schema type: object - required: - - Object + required: + - spec properties: - Object: + spec: type: object required: - - spec + - replicas properties: - spec: - type: object - required: - - replicas - properties: - replicas: - type: integer - minimum: 2 + replicas: + type: integer + minimum: 2 diff --git a/docs-md/changelog.md b/docs-md/changelog.md index 85cf8d62d..c7485c8f7 100644 --- a/docs-md/changelog.md +++ b/docs-md/changelog.md @@ -1,6 +1,12 @@ --- sidebarDepth: 0 --- +## Upcoming +* **Breaking** - fixed inconsistency in how controller-level checks are handled + +## 2.0.1 +* Fixed Polaris deployment process + ## 2.0.0 * Standardize categories of checks into Security, Reliability, and Efficiency * Changes to the dashboard UI diff --git a/pkg/kube/workload.go b/pkg/kube/workload.go index f4fe5e194..ad4b4149a 100644 --- a/pkg/kube/workload.go +++ b/pkg/kube/workload.go @@ -136,7 +136,8 @@ func newGenericWorkload(ctx context.Context, podResource kubeAPICoreV1.Pod, dyna } if lastKey != "" { - bytes, err := json.Marshal(objectCache[lastKey]) + unst := objectCache[lastKey] + bytes, err := json.Marshal(&unst) if err != nil { return workload, err } From 2393f0bbf9c6c3a4f63513340677f9fd816a17e9 Mon Sep 17 00:00:00 2001 
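Review bot: The pkg/kube/workload.go hunk does not say why the cached object is copied into `unst` and marshalled through `&unst`, so a later cleanup could easily inline it back to the old form. Presumably the type's JSON marshaller is only reached through a pointer, and marshalling the map element by value wrapped the document under `Object`; a comment such as `// marshal via pointer so the object is serialized without the "Object" wrapper` would record that. This also changes the document that controller-level schemas are matched against. A custom check still written for the old shape that lists `Object` under `properties` but not under `required` would then validate vacuously and stop enforcing its policy, so such checks need migrating along with `checks/multipleReplicasForDeployment.yaml`. newGenericWorkload starts and ends outside the hunk.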
From: John Wynkoop Date: Thu, 17 Dec 2020 17:11:24 -0500 Subject: [PATCH 14/26] Install Doc Updates (#451) * Update admission-controller.md Corrected name of helm repo for polaris chart and added blurb about requiring TLS certs. * Update admission-controller.md Updated to reflect the kubectl and helm install methods both require cert-manager. * Update admission-controller.md Adding bullets to the steps required for CA bundle use. * Update admission-controller.md Fixed typo in the chart URL * Update docs-md/admission-controller.md Co-authored-by: Barnabas Makonda <6409210+makoscafee@users.noreply.github.com> Co-authored-by: Robert Brennan Co-authored-by: Barnabas Makonda <6409210+makoscafee@users.noreply.github.com> --- docs-md/admission-controller.md | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/docs-md/admission-controller.md b/docs-md/admission-controller.md index 044bb62c5..c1aaf2cbf 100644 --- a/docs-md/admission-controller.md +++ b/docs-md/admission-controller.md @@ -9,6 +9,14 @@ configuration through dashboard visibility, but to actually enforce it with this Note that Polaris will not alter your workloads, only block workloads that don't conform to the configured policies. ## Installation +A valid TLS certificate is required for the Polaris Validating Webhook. If you have cert-manager installed in your cluster then the install methods below will work. + +If you don't use cert-manager, you'll need to: + +* Supply a CA Bundle with the `webhook.caBundle` +* Create a TLS secret in your cluster with a valid certificate that uses that CA +* Pass the name of that secret with the webhook.secretName parameter. + ### kubectl ```bash kubectl apply -f https://github.com/fairwindsops/polaris/releases/latest/download/webhook.yaml 
@@ -16,8 +24,8 @@ kubectl apply -f https://github.com/fairwindsops/polaris/releases/latest/downloa ### Helm ```bash -helm repo add fairwindsops-stable https://charts.fairwindsops.com/stable -helm upgrade --install polaris fairwindsops-stable/polaris --namespace polaris \ +helm repo add fairwinds-stable https://charts.fairwinds.com/stable +helm upgrade --install polaris fairwinds-stable/polaris --namespace polaris \ --set webhook.enable=true --set dashboard.enable=false ``` @@ -34,4 +42,3 @@ output unless we are rejecting a workload altogether. This means that any checks with a severity of `warning` will still pass webhook validation, and the only evidence of that warning will either be in the Polaris dashboard or the Polaris webhook logs. This will change in a future version of Kubernetes. - From 7c9859885807a1bbdbd812d295aec0edfb52af64 Mon Sep 17 00:00:00 2001 From: Robert Brennan Date: Thu, 17 Dec 2020 17:32:01 -0500 Subject: [PATCH 15/26] Fix test fixtures, add a test for controllers (#455) * first pass at fixing test fixtures * tests mostly working * add controller test * remove debug stuff * delint * revert test file * remove extra controllers from fixtures * delint * fix messages --- pkg/kube/resources_test.go | 29 ++- pkg/kube/test_files/test_1/deployment2.yaml | 20 ++ pkg/validator/controller_test.go | 81 +++--- pkg/validator/fullaudit_test.go | 38 +-- pkg/validator/pod_test.go | 10 - test/fixtures.go | 264 ++++++++++---------- 6 files changed, 247 insertions(+), 195 deletions(-) create mode 100644 pkg/kube/test_files/test_1/deployment2.yaml diff --git a/pkg/kube/resources_test.go b/pkg/kube/resources_test.go index b6b4caf14..dda9e7b62 100644 --- a/pkg/kube/resources_test.go +++ b/pkg/kube/resources_test.go 
@@ -27,13 +27,13 @@ func TestGetResourcesFromPath(t *testing.T) { assert.Equal(t, 1, len(resources.Namespaces), "Should have a namespace") assert.Equal(t, "two", resources.Namespaces[0].ObjectMeta.Name) - assert.Equal(t, 8, len(resources.Controllers), "Should have eight controllers") + assert.Equal(t, 9, len(resources.Controllers), "Should have eight controllers") namespaceCount := map[string]int{} for _, controller := range resources.Controllers { namespaceCount[controller.ObjectMeta.GetNamespace()]++ } - assert.Equal(t, 7, namespaceCount[""], "Should have seven controller in default namespace") - assert.Equal(t, 1, namespaceCount["two"], "Should have one controller in namespace 'two'") + assert.Equal(t, 8, namespaceCount[""]) + assert.Equal(t, 1, namespaceCount["two"]) } func TestGetMultipleResourceFromSingleFile(t *testing.T) { @@ -87,10 +87,7 @@ func TestAddResourcesFromReader(t *testing.T) { } func TestGetResourceFromAPI(t *testing.T) { - k8s, dynamicInterface := test.SetupTestAPI() - k8s = test.SetupAddControllers(context.Background(), k8s, "test") - // TODO find a way to mock out the dynamic client - // and create fake pods in order to find all of the controllers. + k8s, dynamicInterface := test.SetupTestAPI(test.GetMockControllers("test")...) resources, err := CreateResourceProviderFromAPI(context.Background(), k8s, "test", &dynamicInterface) assert.Equal(t, nil, err, "Error should be nil") 
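Review bot: The failure message on the controller-count assertion in TestGetResourcesFromPath still reads "Should have eight controllers" although the expected value is now 9, so a failing run would print a misleading hint; use `assert.Equal(t, 9, len(resources.Controllers), "Should have nine controllers")`. The same stale message is carried into TestControllerLevelChecks in pkg/validator/controller_test.go (`assert.Equal(t, 9, len(res.Controllers), "Should have eight controllers")`). The two namespace-count assertions also lost their messages in this hunk; keeping a short message on each, for example `"controllers in default namespace"`, makes a mismatch easier to read.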
@@ -99,7 +96,19 @@ func TestGetResourceFromAPI(t *testing.T) { assert.IsType(t, time.Now(), resources.CreationTime, "Creation time should be set") assert.Equal(t, 0, len(resources.Nodes), "Should not have any nodes") - assert.Equal(t, 1, len(resources.Controllers), "Should have 1 controller") - - assert.Equal(t, "", resources.Controllers[0].ObjectMeta.GetName()) + assert.Equal(t, 5, len(resources.Controllers), "Should have 5 controllers") + + expectedNames := map[string]bool{ + "deploy": false, + "job": false, + "cronjob": false, + "statefulset": false, + "daemonset": false, + } + for _, ctrl := range resources.Controllers { + expectedNames[ctrl.ObjectMeta.GetName()] = true + } + for name, val := range expectedNames { + assert.Equal(t, true, val, name) + } } diff --git a/pkg/kube/test_files/test_1/deployment2.yaml b/pkg/kube/test_files/test_1/deployment2.yaml new file mode 100644 index 000000000..a705174d1 --- /dev/null +++ b/pkg/kube/test_files/test_1/deployment2.yaml @@ -0,0 +1,20 @@ +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: test-deployment-2 +spec: + replicas: 2 + selector: + matchLabels: + app: test-deployment + template: + metadata: + labels: + app: test-deployment + spec: + containers: + - name: ubuntu + image: ubuntu + ports: + - containerPort: 3000 + diff --git a/pkg/validator/controller_test.go b/pkg/validator/controller_test.go index 8bfed5051..bdb70482c 100644 --- a/pkg/validator/controller_test.go +++ b/pkg/validator/controller_test.go @@ -16,6 +16,7 @@ package validator import ( "context" + "encoding/json" "testing" "github.com/stretchr/testify/assert" 
@@ -59,41 +60,59 @@ func TestValidateController(t *testing.T) { } func TestControllerLevelChecks(t *testing.T) { - c := conf.Configuration{ - Checks: map[string]conf.Severity{ - "multipleReplicasForDeployment": conf.SeverityDanger, - }, - } - resources, err := kube.CreateResourceProviderFromPath("../kube/test_files/test_1") - - assert.Equal(t, nil, err, "Error should be nil") - - assert.Equal(t, 8, len(resources.Controllers), "Should have eight controllers") - - expectedSum := CountSummary{ - Successes: uint(0), - Warnings: uint(0), - Dangers: uint(1), - } - - expectedResults := ResultSet{ - "multipleReplicasForDeployment": {ID: "multipleReplicasForDeployment", Message: "Only one replica is scheduled", Success: false, Severity: "danger", Category: "Reliability"}, - } - - for _, controller := range resources.Controllers { - if controller.Kind == "Deployment" && controller.ObjectMeta.GetName() == "test-deployment" { - actualResult, err := ValidateController(context.Background(), &c, controller) - if err != nil { - panic(err) + testResources := func(res *kube.ResourceProvider) { + c := conf.Configuration{ + Checks: map[string]conf.Severity{ + "multipleReplicasForDeployment": conf.SeverityDanger, + }, + } + expectedResult := ResultMessage{ + ID: "multipleReplicasForDeployment", + Severity: "danger", + Category: "Reliability", + } + for _, controller := range res.Controllers { + if controller.Kind == "Deployment" { + actualResult, err := ValidateController(context.Background(), &c, controller) + if err != nil { + panic(err) + } + if controller.ObjectMeta.GetName() == "test-deployment-2" { + expectedResult.Success = true + expectedResult.Message = "Multiple replicas are scheduled" + } else if controller.ObjectMeta.GetName() == "test-deployment" { + expectedResult.Success = false + expectedResult.Message = "Only one replica is scheduled" + } + expectedResults := ResultSet{ + "multipleReplicasForDeployment": expectedResult, + } + + assert.Equal(t, "Deployment", 
actualResult.Kind) + assert.Equal(t, 1, len(actualResult.Results), "should be equal") + assert.EqualValues(t, expectedResults, actualResult.Results, controller.ObjectMeta.GetName()) } - - assert.Equal(t, "Deployment", actualResult.Kind) - assert.Equal(t, 1, len(actualResult.Results), "should be equal") - assert.EqualValues(t, expectedSum, actualResult.GetSummary()) - assert.EqualValues(t, expectedResults, actualResult.Results) } } + res, err := kube.CreateResourceProviderFromPath("../kube/test_files/test_1") + assert.Equal(t, nil, err, "Error should be nil") + assert.Equal(t, 9, len(res.Controllers), "Should have eight controllers") + testResources(res) + + replicaSpec := map[string]interface{}{"replicas": 2} + b, err := json.Marshal(replicaSpec) + assert.NoError(t, err) + err = json.Unmarshal(b, &replicaSpec) + + d1, p1 := test.MockDeploy("test", "test-deployment") + d2, p2 := test.MockDeploy("test", "test-deployment-2") + d2.Object["spec"] = replicaSpec + k8s, dynamicClient := test.SetupTestAPI(&d1, &p1, &d2, &p2) + res, err = kube.CreateResourceProviderFromAPI(context.Background(), k8s, "test", &dynamicClient) + assert.Equal(t, err, nil, "error should be nil") + assert.Equal(t, 2, len(res.Controllers), "Should have two controllers") + testResources(res) } func TestSkipHealthChecks(t *testing.T) { diff --git a/pkg/validator/fullaudit_test.go b/pkg/validator/fullaudit_test.go index 63690da84..5eb193259 100644 --- a/pkg/validator/fullaudit_test.go +++ b/pkg/validator/fullaudit_test.go 
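Review bot: The error from `err = json.Unmarshal(b, &replicaSpec)` in TestControllerLevelChecks is never checked and is overwritten by the later `CreateResourceProviderFromAPI` call, so a failed round-trip would go unnoticed; add `assert.NoError(t, err)` directly after the unmarshal. Inside `testResources`, `expectedResult` is declared once outside the loop and only updated for the two known Deployment names. A Deployment with any other name would therefore be compared against whatever the previous iteration left in `Success` and `Message`; declaring `expectedResult` inside the loop, or adding an `else` branch that fails the test on an unexpected name, removes that order dependence.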
@@ -11,13 +11,10 @@ import ( ) func TestGetTemplateData(t *testing.T) { - k8s, dynamicClient := test.SetupTestAPI() - k8s = test.SetupAddControllers(context.Background(), k8s, "test") - k8s = test.SetupAddExtraControllerVersions(context.Background(), k8s, "test-extra") - // TODO figure out how to mock out dynamic client. - // and add in pods for all controllers to fill out tests. + k8s, dynamicClient := test.SetupTestAPI(test.GetMockControllers("test")...) resources, err := kube.CreateResourceProviderFromAPI(context.Background(), k8s, "test", &dynamicClient) assert.Equal(t, err, nil, "error should be nil") + assert.Equal(t, 5, len(resources.Controllers)) c := conf.Configuration{ Checks: map[string]conf.Severity{ 
@@ -28,29 +25,38 @@ func TestGetTemplateData(t *testing.T) { sum := CountSummary{ Successes: uint(0), - Warnings: uint(1), - Dangers: uint(1), + Warnings: uint(3), + Dangers: uint(3), } actualAudit, err := RunAudit(context.Background(), c, resources) - assert.Equal(t, err, nil, "error should be nil") - assert.EqualValues(t, sum, actualAudit.GetSummary()) assert.Equal(t, actualAudit.SourceType, "Cluster", "should be from a cluster") assert.Equal(t, actualAudit.SourceName, "test", "should be from a cluster") - expected := []struct { + expectedResults := []struct { kind string results int }{ - {kind: "Pod", results: 2}, + {kind: "StatefulSet", results: 2}, + {kind: "DaemonSet", results: 2}, + {kind: "Deployment", results: 2}, + {kind: "Job", results: 0}, + {kind: "CronJob", results: 0}, } - assert.Equal(t, len(expected), len(actualAudit.Results)) - for idx, result := range actualAudit.Results { - assert.Equal(t, expected[idx].kind, result.Kind) - assert.Equal(t, 1, len(result.PodResult.ContainerResults)) - assert.Equal(t, expected[idx].results, len(result.PodResult.ContainerResults[0].Results)) + assert.Equal(t, len(expectedResults), len(actualAudit.Results)) + for _, result := range actualAudit.Results { + found := false + for _, expected := range expectedResults { + if expected.kind != result.Kind { + continue + } + found = true + assert.Equal(t, 1, len(result.PodResult.ContainerResults)) + assert.Equal(t, expected.results, len(result.PodResult.ContainerResults[0].Results)) + } + assert.Equal(t, found, true) } } diff --git a/pkg/validator/pod_test.go b/pkg/validator/pod_test.go index bfbc22abb..4e5a7b4b3 100644 --- a/pkg/validator/pod_test.go +++ b/pkg/validator/pod_test.go @@ -36,8 +36,6 @@ func TestValidatePod(t *testing.T) { }, } - k8s, _ := test.SetupTestAPI() - k8s = test.SetupAddControllers(context.Background(), k8s, "test") p := test.MockPod() deployment, err := kube.NewGenericWorkloadFromPod(p, nil) assert.NoError(t, err) 
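Review bot: The new kind-matching loop in TestGetTemplateData only proves that every audit result has a kind listed in `expectedResults`; it never proves that every expected kind was actually audited. Combined with the length check, two results of the same kind would hide a missing kind, which matters for a test whose job is to show all five controller types are covered. Record the kinds seen, for example `seen[result.Kind] = true` inside the loop with `seen := map[string]bool{}` before it, and finish with `assert.Len(t, seen, len(expectedResults))`. The final assertion also has its arguments reversed relative to testify's (expected, actual) order; `assert.True(t, found, result.Kind)` reads better and names the offending kind.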
@@ -73,8 +71,6 @@ func TestInvalidIPCPod(t *testing.T) { }, } - k8s, _ := test.SetupTestAPI() - k8s = test.SetupAddControllers(context.Background(), k8s, "test") p := test.MockPod() p.Spec.HostIPC = true workload, err := kube.NewGenericWorkloadFromPod(p, nil) @@ -110,8 +106,6 @@ func TestInvalidNeworkPod(t *testing.T) { }, } - k8s, _ := test.SetupTestAPI() - k8s = test.SetupAddControllers(context.Background(), k8s, "test") p := test.MockPod() p.Spec.HostNetwork = true workload, err := kube.NewGenericWorkloadFromPod(p, nil) @@ -148,8 +142,6 @@ func TestInvalidPIDPod(t *testing.T) { }, } - k8s, _ := test.SetupTestAPI() - k8s = test.SetupAddControllers(context.Background(), k8s, "test") p := test.MockPod() p.Spec.HostPID = true workload, err := kube.NewGenericWorkloadFromPod(p, nil) @@ -192,8 +184,6 @@ func TestExemption(t *testing.T) { }, } - k8s, _ := test.SetupTestAPI() - k8s = test.SetupAddControllers(context.Background(), k8s, "test") p := test.MockPod() p.Spec.HostIPC = true p.ObjectMeta = metav1.ObjectMeta{ diff --git a/test/fixtures.go b/test/fixtures.go index 2de46e980..13163c82c 100644 --- a/test/fixtures.go +++ b/test/fixtures.go @@ -1,7 +1,7 @@ package test import ( - "context" + "encoding/json" appsv1 "k8s.io/api/apps/v1" appsv1beta1 "k8s.io/api/apps/v1beta1" @@ -10,6 +10,7 @@ import ( batchv1beta1 "k8s.io/api/batch/v1beta1" corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" "k8s.io/apimachinery/pkg/runtime" "k8s.io/client-go/dynamic" dynamicFake "k8s.io/client-go/dynamic/fake" 
@@ -17,6 +18,20 @@ import ( "k8s.io/client-go/kubernetes/fake" ) +func newUnstructured(apiVersion, kind, namespace, name string, spec interface{}) unstructured.Unstructured { + return unstructured.Unstructured{ + Object: map[string]interface{}{ + "apiVersion": apiVersion, + "kind": kind, + "metadata": map[string]interface{}{ + "namespace": namespace, + "name": name, + }, + "spec": spec, + }, + } +} + // MockContainer creates a container object func MockContainer(name string) corev1.Container { c := corev1.Container{ 
@@ -45,166 +60,159 @@ func MockNakedPod() corev1.Pod { } } -// MockDeploy creates a Deployment object. -func MockDeploy() appsv1.Deployment { - p := MockPod() - d := appsv1.Deployment{ - Spec: appsv1.DeploymentSpec{ - Template: corev1.PodTemplateSpec{Spec: p.Spec}, +// MockController creates a mock controller and pod +func MockController(apiVersion, kind, namespace, name string, spec interface{}, podSpec corev1.PodSpec) (unstructured.Unstructured, corev1.Pod) { + d := newUnstructured(apiVersion, kind, namespace, name, spec) + pod := corev1.Pod{ + ObjectMeta: metav1.ObjectMeta{ + Name: name + "-12345", + Namespace: namespace, + OwnerReferences: []metav1.OwnerReference{{ + APIVersion: apiVersion, + Kind: kind, + Name: name, + }}, }, + Spec: podSpec, } - return d + return d, pod } -// MockStatefulSet creates a StatefulSet object. -func MockStatefulSet() appsv1.StatefulSet { +// MockControllerWithNormalSpec mocks a controller with podspec at spec.template.spec +func MockControllerWithNormalSpec(apiVersion, kind, namespace, name string) (unstructured.Unstructured, corev1.Pod) { p := MockPod() - s := appsv1.StatefulSet{ - Spec: appsv1.StatefulSetSpec{ - Template: corev1.PodTemplateSpec{Spec: p.Spec}, + b, err := json.Marshal(p.Spec) + if err != nil { + panic(err) + } + pSpec := map[string]interface{}{} + err = json.Unmarshal(b, &pSpec) + if err != nil { + panic(err) + } + spec := map[string]interface{}{ + "template": map[string]interface{}{ + "spec": pSpec, }, } - return s + return MockController(apiVersion, kind, namespace, name, spec, p.Spec) +} + +// MockDeploy creates a Deployment object. +func MockDeploy(namespace, name string) (unstructured.Unstructured, corev1.Pod) { + return MockControllerWithNormalSpec("apps/v1", "Deployment", namespace, name) +} + +// MockStatefulSet creates a StatefulSet object. 
+func MockStatefulSet(namespace, name string) (unstructured.Unstructured, corev1.Pod) { + return MockControllerWithNormalSpec("apps/v1", "StatefulSet", namespace, name) } // MockDaemonSet creates a DaemonSet object. -func MockDaemonSet() appsv1.DaemonSet { - p := MockPod() - return appsv1.DaemonSet{ - Spec: appsv1.DaemonSetSpec{ - Template: corev1.PodTemplateSpec{Spec: p.Spec}, - }, - } +func MockDaemonSet(namespace, name string) (unstructured.Unstructured, corev1.Pod) { + return MockControllerWithNormalSpec("apps/v1", "DaemonSet", namespace, name) } // MockJob creates a Job object. -func MockJob() batchv1.Job { - p := MockPod() - return batchv1.Job{ - Spec: batchv1.JobSpec{ - Template: corev1.PodTemplateSpec{Spec: p.Spec}, - }, - } +func MockJob(namespace, name string) (unstructured.Unstructured, corev1.Pod) { + return MockControllerWithNormalSpec("batch/v1", "Job", namespace, name) } // MockCronJob creates a CronJob object. -func MockCronJob() batchv1beta1.CronJob { +func MockCronJob(namespace, name string) (unstructured.Unstructured, corev1.Pod) { p := MockPod() - return batchv1beta1.CronJob{ - Spec: batchv1beta1.CronJobSpec{ - JobTemplate: batchv1beta1.JobTemplateSpec{ - Spec: batchv1.JobSpec{ - Template: corev1.PodTemplateSpec{Spec: p.Spec}, + b, err := json.Marshal(p.Spec) + if err != nil { + panic(err) + } + pSpec := map[string]interface{}{} + err = json.Unmarshal(b, &pSpec) + if err != nil { + panic(err) + } + spec := map[string]interface{}{ + "job_template": map[string]interface{}{ + "spec": map[string]interface{}{ + "template": map[string]interface{}{ + "spec": pSpec, }, }, }, } + return MockController("batch/v1beta1", "CronJob", namespace, name, spec, p.Spec) } // MockReplicationController creates a ReplicationController object. 
-func MockReplicationController() corev1.ReplicationController { - p := MockPod() - return corev1.ReplicationController{ - Spec: corev1.ReplicationControllerSpec{ - Template: &corev1.PodTemplateSpec{Spec: p.Spec}, - }, - } +func MockReplicationController(namespace, name string) (unstructured.Unstructured, corev1.Pod) { + return MockControllerWithNormalSpec("core/v1", "ReplicationController", namespace, name) } // SetupTestAPI creates a test kube API struct. -func SetupTestAPI() (kubernetes.Interface, dynamic.Interface) { +func SetupTestAPI(objects ...runtime.Object) (kubernetes.Interface, dynamic.Interface) { scheme := runtime.NewScheme() - - return fake.NewSimpleClientset(), dynamicFake.NewSimpleDynamicClient(scheme) -} - -// SetupAddControllers creates mock controllers and adds them to the test clientset. -func SetupAddControllers(ctx context.Context, k kubernetes.Interface, namespace string) kubernetes.Interface { - d1 := MockDeploy() - if _, err := k.AppsV1().Deployments(namespace).Create(ctx, &d1, metav1.CreateOptions{}); err != nil { - panic(err) - } - - s1 := MockStatefulSet() - if _, err := k.AppsV1().StatefulSets(namespace).Create(ctx, &s1, metav1.CreateOptions{}); err != nil { - panic(err) - } - - ds1 := MockDaemonSet() - if _, err := k.AppsV1().DaemonSets(namespace).Create(ctx, &ds1, metav1.CreateOptions{}); err != nil { - panic(err) - } - - j1 := MockJob() - if _, err := k.BatchV1().Jobs(namespace).Create(ctx, &j1, metav1.CreateOptions{}); err != nil { - panic(err) - } - - cj1 := MockCronJob() - if _, err := k.BatchV1beta1().CronJobs(namespace).Create(ctx, &cj1, metav1.CreateOptions{}); err != nil { - panic(err) - } - - rc1 := MockReplicationController() - if _, err := k.CoreV1().ReplicationControllers(namespace).Create(ctx, &rc1, metav1.CreateOptions{}); err != nil { - panic(err) - } - - p1 := MockNakedPod() - if _, err := k.CoreV1().Pods(namespace).Create(ctx, &p1, metav1.CreateOptions{}); err != nil { - panic(err) - } - - return k -} - -// 
SetupAddExtraControllerVersions creates mock controllers and adds them to the test clientset. -func SetupAddExtraControllerVersions(ctx context.Context, k kubernetes.Interface, namespace string) kubernetes.Interface { - p := MockPod() - - dv1b1 := appsv1beta1.Deployment{ - Spec: appsv1beta1.DeploymentSpec{ - Template: corev1.PodTemplateSpec{Spec: p.Spec}, + appsv1.AddToScheme(scheme) + corev1.AddToScheme(scheme) + fake.AddToScheme(scheme) + dynamicClient := dynamicFake.NewSimpleDynamicClient(scheme, objects...) + k := fake.NewSimpleClientset(objects...) + k.Resources = []*metav1.APIResourceList{ + { + GroupVersion: corev1.SchemeGroupVersion.String(), + APIResources: []metav1.APIResource{ + {Name: "pods", Namespaced: true, Kind: "Pod"}, + {Name: "replicationcontrollers", Namespaced: true, Kind: "ReplicationController"}, + }, }, - } - if _, err := k.AppsV1beta1().Deployments(namespace).Create(ctx, &dv1b1, metav1.CreateOptions{}); err != nil { - panic(err) - } - - dv1b2 := appsv1beta2.Deployment{ - Spec: appsv1beta2.DeploymentSpec{ - Template: corev1.PodTemplateSpec{Spec: p.Spec}, + { + GroupVersion: appsv1.SchemeGroupVersion.String(), + APIResources: []metav1.APIResource{ + {Name: "deployments", Namespaced: true, Kind: "Deployment"}, + {Name: "daemonsets", Namespaced: true, Kind: "DaemonSet"}, + {Name: "statefulsets", Namespaced: true, Kind: "StatefulSet"}, + }, }, - } - if _, err := k.AppsV1beta2().Deployments(namespace).Create(ctx, &dv1b2, metav1.CreateOptions{}); err != nil { - panic(err) - } - - ssv1b1 := appsv1beta1.StatefulSet{ - Spec: appsv1beta1.StatefulSetSpec{ - Template: corev1.PodTemplateSpec{Spec: p.Spec}, + { + GroupVersion: batchv1.SchemeGroupVersion.String(), + APIResources: []metav1.APIResource{ + {Name: "jobs", Namespaced: true, Kind: "Job"}, + }, }, - } - if _, err := k.AppsV1beta1().StatefulSets(namespace).Create(ctx, &ssv1b1, metav1.CreateOptions{}); err != nil { - panic(err) - } - - ssv1b2 := appsv1beta2.StatefulSet{ - Spec: 
appsv1beta2.StatefulSetSpec{ - Template: corev1.PodTemplateSpec{Spec: p.Spec}, + { + GroupVersion: batchv1beta1.SchemeGroupVersion.String(), + APIResources: []metav1.APIResource{ + {Name: "cronjobs", Namespaced: true, Kind: "CronJob"}, + }, }, - } - if _, err := k.AppsV1beta2().StatefulSets(namespace).Create(ctx, &ssv1b2, metav1.CreateOptions{}); err != nil { - panic(err) - } - - dsv1b2 := appsv1beta2.DaemonSet{ - Spec: appsv1beta2.DaemonSetSpec{ - Template: corev1.PodTemplateSpec{Spec: p.Spec}, + { + GroupVersion: appsv1beta2.SchemeGroupVersion.String(), + APIResources: []metav1.APIResource{ + {Name: "deployments", Namespaced: true, Kind: "Deployment"}, + {Name: "deployments/scale", Namespaced: true, Kind: "Scale", Group: "apps", Version: "v1beta2"}, + }, + }, + { + GroupVersion: appsv1beta1.SchemeGroupVersion.String(), + APIResources: []metav1.APIResource{ + {Name: "statefulsets", Namespaced: true, Kind: "StatefulSet"}, + {Name: "statefulsets/scale", Namespaced: true, Kind: "Scale", Group: "apps", Version: "v1beta1"}, + }, }, } - if _, err := k.AppsV1beta2().DaemonSets(namespace).Create(ctx, &dsv1b2, metav1.CreateOptions{}); err != nil { - panic(err) + return k, dynamicClient +} + +// GetMockControllers returns mocked controllers for 5 major controller types +func GetMockControllers(namespace string) []runtime.Object { + deploy, deployPod := MockDeploy(namespace, "deploy") + statefulset, statefulsetPod := MockStatefulSet(namespace, "statefulset") + daemonset, daemonsetPod := MockDaemonSet(namespace, "daemonset") + job, jobPod := MockJob(namespace, "job") + cronjob, cronjobPod := MockCronJob(namespace, "cronjob") + return []runtime.Object{ + &deploy, &deployPod, + &daemonset, &daemonsetPod, + &statefulset, &statefulsetPod, + &cronjob, &cronjobPod, + &job, &jobPod, } - return k } From edf28c8790af4ad2d0507ab2b6315f6b38dd4045 Mon Sep 17 00:00:00 2001 
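Review bot: Two of the new fixtures in test/fixtures.go do not match the shape of the objects they stand for. `MockCronJob` nests the pod template under `"job_template"`, whereas the CronJob spec's JSON field is `jobTemplate`, and `MockReplicationController` passes `"core/v1"` where the core group's apiVersion is `"v1"` (the resource list in `SetupTestAPI` already uses `corev1.SchemeGroupVersion.String()`). Code that reads the pod spec out of the controller object would not find it in these mocks, so audit tests built on them can pass without exercising the real lookup path; change the lines to `"jobTemplate": map[string]interface{}{` and `return MockControllerWithNormalSpec("v1", "ReplicationController", namespace, name)`. In `SetupTestAPI` the three `AddToScheme` calls discard their error returns; wrapping each as `if err := appsv1.AddToScheme(scheme); err != nil { panic(err) }`, in line with the other helpers in this file, would surface a broken scheme at setup instead of as a confusing test failure later.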
From: Robert Brennan Date: Thu, 17 Dec 2020 17:48:25 -0500 Subject: [PATCH 16/26] update for 3.0 (#456) --- README.md | 2 +- deploy/dashboard.yaml | 2 +- deploy/webhook.yaml | 2 +- docs-md/changelog.md | 4 +++- docs-md/contributing.md | 5 +---- main.go | 2 +- 6 files changed, 8 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index 926360974..badaaebd7 100644 --- a/README.md +++ b/README.md @@ -3,7 +3,7 @@

Best Practices for Kubernetes Workload Configuration

- + diff --git a/deploy/dashboard.yaml b/deploy/dashboard.yaml index d67acde04..c51ab8c42 100644 --- a/deploy/dashboard.yaml +++ b/deploy/dashboard.yaml @@ -109,7 +109,7 @@ spec: - command: - polaris - dashboard - image: 'quay.io/fairwinds/polaris:2.0' + image: 'quay.io/fairwinds/polaris:3.0' imagePullPolicy: 'Always' name: dashboard ports: diff --git a/deploy/webhook.yaml b/deploy/webhook.yaml index 1cbfdafb1..38b00b81a 100644 --- a/deploy/webhook.yaml +++ b/deploy/webhook.yaml @@ -109,7 +109,7 @@ spec: command: - polaris - webhook - image: 'quay.io/fairwinds/polaris:2.0' + image: 'quay.io/fairwinds/polaris:3.0' imagePullPolicy: 'Always' ports: - containerPort: 9876 diff --git a/docs-md/changelog.md b/docs-md/changelog.md index c7485c8f7..5306918c3 100644 --- a/docs-md/changelog.md +++ b/docs-md/changelog.md @@ -1,8 +1,10 @@ --- sidebarDepth: 0 --- -## Upcoming +## 3.0.0 * **Breaking** - fixed inconsistency in how controller-level checks are handled +Custom checks with `target: Controller` should remove `Object` from the top-level of the +JSON schema (see changes to `./checks/multipleReplicasForDeployment.yaml`) ## 2.0.1 * Fixed Polaris deployment process diff --git a/docs-md/contributing.md b/docs-md/contributing.md index 80ae2a1dd..7b3e98bda 100644 --- a/docs-md/contributing.md +++ b/docs-md/contributing.md @@ -83,10 +83,7 @@ The steps are: 1. Clone the helm charts repo 1. `git clone https://github.com/FairwindsOps/charts` 2. `git checkout -b yourname/update-polaris` - 1. Bump the version number in: - 1. stable/polaris/README.md - 2. stable/polaris/Chart.yaml - 3. stable/polaris/values.yaml + 1. Bump the version number in `stable/polaris/Chart.yaml` 2. Make any necessary changes to the chart to support the new version of Polaris (e.g. new RBAC permissions) 3. **Don't merge yet!** 2. Create a PR for this repo diff --git a/main.go b/main.go index 97c3d11e5..67fde74e4 100644 --- a/main.go +++ b/main.go 
@@ -20,7 +20,7 @@ import ( const ( // Version represents the current release version of Polaris - Version = "2.0.0" + Version = "3.0.0" ) func main() { From dd2976794a7a0b1a3387085bf49584de5e17a054 Mon Sep 17 00:00:00 2001 From: skatika Date: Fri, 18 Dec 2020 09:50:04 -0500 Subject: [PATCH 17/26] Implement namespace and container exemptions. Also refactoring according to gofmt --- README.md | 2 +- cmd/polaris/audit.go | 3 +- deploy/dashboard.yaml | 2 +- deploy/webhook.yaml | 2 +- docs-md/contributing.md | 3 +- docs-md/customization/exemptions.md | 17 +- pkg/config/exemptions.go | 37 +++-- pkg/config/exemptions_test.go | 235 ++++++++++++++++++++++------ pkg/config/schema.go | 2 +- pkg/dashboard/dashboard.go | 6 +- pkg/validator/container_test.go | 3 +- pkg/validator/controller.go | 3 +- pkg/validator/controller_test.go | 12 +- pkg/validator/fullaudit_test.go | 3 +- pkg/validator/pod_test.go | 15 +- pkg/validator/schema.go | 19 ++- pkg/validator/schema_test.go | 3 +- pkg/webhook/webhook.go | 7 +- test/checks_test.go | 5 +- 19 files changed, 285 insertions(+), 94 deletions(-) diff --git a/README.md b/README.md index 926360974..220d6b664 100644 --- a/README.md +++ b/README.md @@ -3,7 +3,7 @@

Best Practices for Kubernetes Workload Configuration

- + diff --git a/cmd/polaris/audit.go b/cmd/polaris/audit.go index 3b7d6611a..0b14ba7b9 100644 --- a/cmd/polaris/audit.go +++ b/cmd/polaris/audit.go @@ -80,7 +80,8 @@ func runAndReportAudit(ctx context.Context, c conf.Configuration, auditPath, wor logrus.Errorf("Error fetching Kubernetes resources %v", err) os.Exit(1) } - auditData, err := validator.RunAudit(c, k) + var auditData validator.AuditData + auditData, err = validator.RunAudit(c, k) if err != nil { logrus.Errorf("Error while running audit on resources: %v", err) diff --git a/deploy/dashboard.yaml b/deploy/dashboard.yaml index d67acde04..c51ab8c42 100644 --- a/deploy/dashboard.yaml +++ b/deploy/dashboard.yaml @@ -109,7 +109,7 @@ spec: - command: - polaris - dashboard - image: 'quay.io/fairwinds/polaris:2.0' + image: 'quay.io/fairwinds/polaris:3.0' imagePullPolicy: 'Always' name: dashboard ports: diff --git a/deploy/webhook.yaml b/deploy/webhook.yaml index 1cbfdafb1..38b00b81a 100644 --- a/deploy/webhook.yaml +++ b/deploy/webhook.yaml @@ -109,7 +109,7 @@ spec: command: - polaris - webhook - image: 'quay.io/fairwinds/polaris:2.0' + image: 'quay.io/fairwinds/polaris:3.0' imagePullPolicy: 'Always' ports: - containerPort: 9876 diff --git a/docs-md/contributing.md b/docs-md/contributing.md index 80ae2a1dd..383103065 100644 --- a/docs-md/contributing.md +++ b/docs-md/contributing.md @@ -50,7 +50,7 @@ Each new pull request should: - Reference any related issues - Add tests that show the issues have been solved - Pass existing tests and linting -- Contain a clear indication of if they're ready for review or a work in progress +- Contain a clear indication of if they're ready for review, or a work in progress - Be up to date and/or rebased on the master branch ## Creating a new release 
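Review bot: Splitting `auditData, err := validator.RunAudit(c, k)` into `var auditData validator.AuditData` plus `auditData, err = validator.RunAudit(c, k)` in the cmd/polaris/audit.go hunk adds a line without changing behaviour, and gofmt does not require it. If `err` is declared in this same scope, as the preceding error check suggests, the short declaration already reused it and only introduced `auditData`, so I would keep the original one-liner. If the aim was to silence a shadowing warning in a nested scope, please say so in the commit message. The same rewrite recurs in the dashboard.go, controller.go, webhook.go and test hunks of this patch. runAndReportAudit starts and ends outside the hunk.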
@@ -104,4 +104,3 @@ The steps are: 3. Make sure CircleCI runs successfully for the new tag - this will push images to quay.io and create a release in GitHub 1. If CircleCI fails, check with Codeowners ASAP 4. Create and merge a PR for your changes to the Helm chart - diff --git a/docs-md/customization/exemptions.md b/docs-md/customization/exemptions.md index 9a755ac74..c774d8678 100644 --- a/docs-md/customization/exemptions.md +++ b/docs-md/customization/exemptions.md @@ -3,7 +3,10 @@ Sometimes a workload really does need to do things that Polaris considers insecu many of the `kube-system` workloads need to run as root, or need access to the host network. In these cases, we can add **exemptions** to allow the workload to pass Polaris checks. -Exemptions can be added two ways: by annotating a controller, or editing the Polaris config. +Exemptions can be added in a few different ways: + - Namespace: By annotating a controller, or editing the Polaris config. + - Controller: By editing the Polaris config. + - Container: By editing the Polaris config. ## Annotations To exempt a controller from all checks via annotations, use the annotation `polaris.fairwinds.com/exempt=true`, e.g. 
@@ -18,19 +21,25 @@ kubectl annotate deployment my-deployment polaris.fairwinds.com/cpuRequestsMissi ## Config -To exempt a controller via the config, you have to specify a namespace (optional), a list of controller names, and a list of rules, e.g. +You can add exemptions by using a combination of namespace, controller names, and container names via the config. You have to specify a list of rules and at least one of the following: a namespace, a list of controller names, or a list of container names, e.g. ```yaml exemptions: - # exemption valid for kube-system namespace + # exemption valid in kube-system namespace, dns-controller controller for all containers - namespace: kube-system controllerNames: - dns-controller rules: - hostNetworkSet - # exemption valid in all namespaces + # exemption valid in all namespaces for dns-controller controller for all containers - controllerNames: - dns-controller rules: - hostNetworkSet + # exemption valid in kube-system namespace and all controllers for coredns container + - namespace: kube-system + - containerNames: + - coredns + rules: + - hostNetworkSet ``` diff --git a/pkg/config/exemptions.go b/pkg/config/exemptions.go index 01829bf9e..1ae61984c 100644 --- a/pkg/config/exemptions.go +++ b/pkg/config/exemptions.go 
@@ -5,35 +5,48 @@ import ( ) // IsActionable determines whether a check is actionable given the current configuration -func (conf Configuration) IsActionable(ruleID, namespace, controllerName string) bool { +func (conf Configuration) IsActionable(ruleID, namespace, controllerName, containerName string) bool { if severity, ok := conf.Checks[ruleID]; !ok || !severity.IsActionable() { return false } if conf.DisallowExemptions { return true } - - for _, example := range conf.Exemptions { - if example.Namespace != "" && example.Namespace != namespace { + for _, exemption := range conf.Exemptions { + if exemption.Namespace != "" && exemption.Namespace != namespace { continue } - checkIfActionable := false - for _, rule := range example.Rules { + checkIfRuleMatches := false + for _, rule := range exemption.Rules { if rule != ruleID { continue } - checkIfActionable = true + checkIfRuleMatches = true break } - if len(example.Rules) == 0 || checkIfActionable { - for _, controller := range example.ControllerNames { - if strings.HasPrefix(controllerName, controller) { - return false - } + if len(exemption.Rules) == 0 || checkIfRuleMatches { + if !isExemptionCheckMatched(exemption.ControllerNames, controllerName) { + continue + } + if isExemptionCheckMatched(exemption.ContainerNames, containerName) { + return false } } } return true } + +func isExemptionCheckMatched(arr []string, predicate string) bool { + if len(arr) == 0 { + return true + } + + for _, container := range arr { + if strings.HasPrefix(predicate, container) { + return true + } + } + return false +} diff --git a/pkg/config/exemptions_test.go b/pkg/config/exemptions_test.go index cead8aab2..82a0ad360 100644 --- a/pkg/config/exemptions_test.go +++ b/pkg/config/exemptions_test.go 
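Review bot: An exemption entry with no controller names, no container names and no rules now suppresses every check in its namespace, or everywhere when `namespace` is empty too, because `isExemptionCheckMatched` returns true for an empty list and `len(exemption.Rules) == 0` accepts any rule. The exemptions.md text in this patch says a rule list and at least one selector are required, but nothing in `IsActionable` enforces that. The new docs example also appears to start a separate list item at `- containerNames:`, which would leave `- namespace: kube-system` as exactly such an entry; indentation is lost in this view, so please check. I would skip selector-less entries, e.g. `if exemption.Namespace == "" && len(exemption.ControllerNames) == 0 && len(exemption.ContainerNames) == 0 { continue }`, or reject them at parse time, and decide explicitly whether a namespace-only entry without rules should be allowed.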
@@ -20,61 +20,208 @@ import ( "github.com/stretchr/testify/assert" ) -var confExemptRuleTest = ` +var confContainerTest = ` checks: - ANY: warning - OTHER: warning + multipleReplicasForDeployment: warning + priorityClassNotSet: warning + pullPolicyNotAlways: warning exemptions: - - controllerNames: - - test + - namespace: prometheus rules: - - ANY -` - -var confExemptTest = ` -checks: - ANY: warning -exemptions: + - multipleReplicasForDeployment + - controllerNames: + - controller2 + rules: + - multipleReplicasForDeployment + - namespace: kube-system + controllerNames: + - controller3 + rules: + - multipleReplicasForDeployment + - containerNames: + - container41 + - container42 + rules: + - multipleReplicasForDeployment + - namespace: kube-system + containerNames: + - container51 + - container52 + rules: + - multipleReplicasForDeployment - controllerNames: - - test -` - -var confNamespaceTest = ` -checks: - ANY: warning -exemptions: + - controller6 + containerNames: + - container61 + - container62 + rules: + - multipleReplicasForDeployment - namespace: kube-system controllerNames: - - test + - controller7 + containerNames: + - container71 + - container72 + rules: + - multipleReplicasForDeployment + - priorityClassNotSet ` -func TestInclusiveExemption(t *testing.T) { - parsedConf, _ := Parse([]byte(confExemptTest)) - applicable := parsedConf.IsActionable("ANY", "test", "test") - applicableOtherController := parsedConf.IsActionable("ANY","test", "other") +func TestNamespaceExemption(t *testing.T) { + parsedConf, err := Parse([]byte(confContainerTest)) + assert.NoError(t, err) + + actionable := parsedConf.IsActionable("multipleReplicasForDeployment", "prometheus", "", "") + assert.False(t, actionable) + + actionable = parsedConf.IsActionable("multipleReplicasForDeployment", "prometheus", "controller1", "container11") + assert.False(t, actionable) + + actionable = parsedConf.IsActionable("multipleReplicasForDeployment", "prometheus", "", "container11") + 
assert.False(t, actionable) - assert.False(t, applicable, "Expected all checks to be exempted when their controller is specified.") - assert.True(t, applicableOtherController, "Expected checks to only be exempted when their controller is specified.") + actionable = parsedConf.IsActionable("multipleReplicasForDeployment", "prometheus", "controller1", "") + assert.False(t, actionable) + + actionable = parsedConf.IsActionable("multipleReplicasForDeployment", "kube-system", "", "") + assert.True(t, actionable) } -func TestIndividualRuleException(t *testing.T) { - parsedConf, _ := Parse([]byte(confExemptRuleTest)) - applicable := parsedConf.IsActionable("ANY", "test", "test") - applicableOtherRule := parsedConf.IsActionable("OTHER","test", "test") - applicableOtherRuleOtherController := parsedConf.IsActionable("OTHER","test", "other") - applicableRuleOtherController := parsedConf.IsActionable("ANY","test", "other") - - assert.False(t, applicable, "Expected all checks to be exempted when their controller and rule are specified.") - assert.True(t, applicableOtherRule, "Expected checks to only be exempted when their controller and rule are specified.") - assert.True(t, applicableOtherRuleOtherController, "Expected checks to only be exempted when their controller and rule are specified.") - assert.True(t, applicableRuleOtherController, "Expected checks to only be exempted when their controller and rule are specified.") +func TestControllerExemption(t *testing.T) { + parsedConf, err := Parse([]byte(confContainerTest)) + assert.NoError(t, err) + + actionable := parsedConf.IsActionable("multipleReplicasForDeployment", "", "controller2", "") + assert.False(t, actionable) + + actionable = parsedConf.IsActionable("multipleReplicasForDeployment", "", "controller2", "container21") + assert.False(t, actionable) + + actionable = parsedConf.IsActionable("multipleReplicasForDeployment", "prometheus", "controller2", "container21") + assert.False(t, actionable) + + actionable = 
parsedConf.IsActionable("multipleReplicasForDeployment", "prometheus", "controller2", "") + assert.False(t, actionable) + + actionable = parsedConf.IsActionable("multipleReplicasForDeployment", "", "controller3", "") + assert.True(t, actionable) + + actionable = parsedConf.IsActionable("multipleReplicasForDeployment", "kube-system", "controller3", "") + assert.False(t, actionable) + + actionable = parsedConf.IsActionable("multipleReplicasForDeployment", "kube-system", "controller3", "container31") + assert.False(t, actionable) + + actionable = parsedConf.IsActionable("multipleReplicasForDeployment", "kube-system", "controller4", "") + assert.True(t, actionable) } -func TestNamespaceExemption(t *testing.T) { - parsedConf, _ := Parse([]byte(confNamespaceTest)) - applicable := parsedConf.IsActionable("ANY", "kube-system", "test") - applicableOtherController := parsedConf.IsActionable("ANY","default", "test") +func TestOnlyContainerExemption(t *testing.T) { + parsedConf, err := Parse([]byte(confContainerTest)) + assert.NoError(t, err) + + actionable := parsedConf.IsActionable("multipleReplicasForDeployment", "", "", "container41") + assert.False(t, actionable) + + actionable = parsedConf.IsActionable("multipleReplicasForDeployment", "", "", "container42") + assert.False(t, actionable) - assert.False(t, applicable, "Expected all checks to be exempted when their namespace and controller is specified.") - assert.True(t, applicableOtherController, "Expected checks to only be exempted when their namespace and controller is specified.") -} \ No newline at end of file + actionable = parsedConf.IsActionable("multipleReplicasForDeployment", "", "controller4", "container41") + assert.False(t, actionable) + + actionable = parsedConf.IsActionable("multipleReplicasForDeployment", "kube-system", "", "container41") + assert.False(t, actionable) + + actionable = parsedConf.IsActionable("multipleReplicasForDeployment", "kube-system", "controller4", "container41") + assert.False(t, 
actionable) + + actionable = parsedConf.IsActionable("multipleReplicasForDeployment", "", "", "container51") + assert.True(t, actionable) +} + +func TestNamespaceAndContainerExemption(t *testing.T) { + parsedConf, err := Parse([]byte(confContainerTest)) + assert.NoError(t, err) + + actionable := parsedConf.IsActionable("multipleReplicasForDeployment", "kube-system", "", "container51") + assert.False(t, actionable) + + actionable = parsedConf.IsActionable("priorityClassNotSet", "kube-system", "", "container51") + assert.True(t, actionable) + + actionable = parsedConf.IsActionable("multipleReplicasForDeployment", "kube-system", "controller5", "container51") + assert.False(t, actionable) + + actionable = parsedConf.IsActionable("multipleReplicasForDeployment", "kube-system", "controller5", "") + assert.True(t, actionable) + + actionable = parsedConf.IsActionable("multipleReplicasForDeployment", "insights-agent", "", "container51") + assert.True(t, actionable) + + actionable = parsedConf.IsActionable("multipleReplicasForDeployment", "", "", "container51") + assert.True(t, actionable) + + actionable = parsedConf.IsActionable("multipleReplicasForDeployment", "", "controller5", "container51") + assert.True(t, actionable) +} + +func TestControllerAndContainerExemption(t *testing.T) { + parsedConf, err := Parse([]byte(confContainerTest)) + assert.NoError(t, err) + + actionable := parsedConf.IsActionable("multipleReplicasForDeployment", "", "controller6", "container61") + assert.False(t, actionable) + + actionable = parsedConf.IsActionable("priorityClassNotSet", "", "controller6", "container61") + assert.True(t, actionable) + + actionable = parsedConf.IsActionable("multipleReplicasForDeployment", "kube-system", "controller6", "container61") + assert.False(t, actionable) + + actionable = parsedConf.IsActionable("multipleReplicasForDeployment", "kube-system", "controller6", "") + assert.True(t, actionable) + + actionable = 
parsedConf.IsActionable("multipleReplicasForDeployment", "", "controller7", "container61") + assert.True(t, actionable) + + actionable = parsedConf.IsActionable("multipleReplicasForDeployment", "", "", "container61") + assert.True(t, actionable) + + actionable = parsedConf.IsActionable("multipleReplicasForDeployment", "kube-system", "", "container61") + assert.True(t, actionable) +} + +func TestContainerExemption(t *testing.T) { + parsedConf, err := Parse([]byte(confContainerTest)) + assert.NoError(t, err) + + actionable := parsedConf.IsActionable("multipleReplicasForDeployment", "", "", "container71") + assert.True(t, actionable) + + actionable = parsedConf.IsActionable("multipleReplicasForDeployment", "kube-system", "", "container71") + assert.True(t, actionable) + + actionable = parsedConf.IsActionable("multipleReplicasForDeployment", "", "controller7", "container71") + assert.True(t, actionable) + + actionable = parsedConf.IsActionable("multipleReplicasForDeployment", "kube-system", "controller7", "") + assert.True(t, actionable) + + actionable = parsedConf.IsActionable("multipleReplicasForDeployment", "kube-system", "controller7", "container71") + assert.False(t, actionable) + + actionable = parsedConf.IsActionable("multipleReplicasForDeployment", "insights-agent", "controller7", "container71") + assert.True(t, actionable) + + actionable = parsedConf.IsActionable("multipleReplicasForDeployment", "kube-system", "controller6", "container71") + assert.True(t, actionable) + + actionable = parsedConf.IsActionable("multipleReplicasForDeployment", "kube-system", "controller7", "container61") + assert.True(t, actionable) + + actionable = parsedConf.IsActionable("priorityClassNotSet", "kube-system", "controller7", "container71") + assert.False(t, actionable) + + actionable = parsedConf.IsActionable("pullPolicyNotAlways", "kube-system", "controller8", "container71") + assert.True(t, actionable) +} 
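Review bot: None of the new cases uses a name that merely begins with an exempted name, so the prefix matching in `isExemptionCheckMatched` (`strings.HasPrefix(predicate, container)`) is not pinned for containers. With the `container41` entry in `confContainerTest`, a container named `container411` would also be exempt, which may be broader than intended since container names in a pod spec are literal rather than generated with suffixes. I would add an assertion such as `actionable = parsedConf.IsActionable("multipleReplicasForDeployment", "", "", "container411")` with the expected value stated. If exact matching is wanted for containers, compare with `==` there.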
diff --git a/pkg/config/schema.go b/pkg/config/schema.go index 0ef8b0557..255741b10 100644 --- a/pkg/config/schema.go +++ b/pkg/config/schema.go @@ -152,7 +152,7 @@ func (check SchemaCheck) CheckObject(obj interface{}) (bool, error) { } // IsActionable decides if this check applies to a particular target -func (check SchemaCheck) IsActionable(target TargetKind, namespace, controllerType string, isInit bool) bool { +func (check SchemaCheck) IsActionable(target TargetKind, controllerType string, isInit bool) bool { if check.Target != target { return false } diff --git a/pkg/dashboard/dashboard.go b/pkg/dashboard/dashboard.go index eaacb778c..ba59a0b5d 100644 --- a/pkg/dashboard/dashboard.go +++ b/pkg/dashboard/dashboard.go @@ -191,7 +191,8 @@ func GetRouter(c config.Configuration, auditPath string, port int, basePath stri return } - auditDataObj, err := validator.RunAudit(adjustedConf, k) + var auditDataObj validator.AuditData + auditDataObj, err = validator.RunAudit(adjustedConf, k) if err != nil { http.Error(w, "Error Fetching Deployments", http.StatusInternalServerError) return @@ -224,7 +225,8 @@ func GetRouter(c config.Configuration, auditPath string, port int, basePath stri return } - auditData, err := validator.RunAudit(adjustedConf, k) + var auditData validator.AuditData + auditData, err = validator.RunAudit(adjustedConf, k) if err != nil { logrus.Errorf("Error getting audit data: %v", err) http.Error(w, "Error running audit", 500) diff --git a/pkg/validator/container_test.go b/pkg/validator/container_test.go index a75526b7c..f455ebc7d 100644 --- a/pkg/validator/container_test.go +++ b/pkg/validator/container_test.go 
@@ -68,7 +68,8 @@ func testValidateWithWorkload(t *testing.T, container *corev1.Container, resourc parsedConf, err := conf.Parse([]byte(*resourceConf)) assert.NoError(t, err, "Expected no error when parsing config") - results, err := applyContainerSchemaChecks(&parsedConf, workload, container, false) + var results ResultSet + results, err = applyContainerSchemaChecks(&parsedConf, workload, container, false) if err != nil { panic(err) } diff --git a/pkg/validator/controller.go b/pkg/validator/controller.go index 90b4a0716..68016c9a7 100644 --- a/pkg/validator/controller.go +++ b/pkg/validator/controller.go @@ -32,7 +32,8 @@ func ValidateController(conf *conf.Configuration, controller kube.GenericWorkloa return ControllerResult{}, err } - controllerResult, err := applyControllerSchemaChecks(conf, controller) + var controllerResult ResultSet + controllerResult, err = applyControllerSchemaChecks(conf, controller) if err != nil { return ControllerResult{}, err } diff --git a/pkg/validator/controller_test.go b/pkg/validator/controller_test.go index 54231148d..b116871ea 100644 --- a/pkg/validator/controller_test.go +++ b/pkg/validator/controller_test.go @@ -46,7 +46,8 @@ func TestValidateController(t *testing.T) { "hostPIDSet": {ID: "hostPIDSet", Message: "Host PID is not configured", Success: true, Severity: "danger", Category: "Security"}, } - actualResult, err := ValidateController(&c, deployment) + var actualResult ControllerResult + actualResult, err = ValidateController(&c, deployment) if err != nil { panic(err) } @@ -81,7 +82,8 @@ func TestControllerLevelChecks(t *testing.T) { for _, controller := range resources.Controllers { if controller.Kind == "Deployment" && controller.ObjectMeta.GetName() == "test-deployment" { - actualResult, err := ValidateController(&c, controller) + var actualResult ControllerResult + actualResult, err = ValidateController(&c, controller) if err != nil { panic(err) } 
@@ -116,7 +118,8 @@ func TestSkipHealthChecks(t *testing.T) { "readinessProbeMissing": {ID: "readinessProbeMissing", Message: "Readiness probe should be configured", Success: false, Severity: "danger", Category: "Reliability"}, "livenessProbeMissing": {ID: "livenessProbeMissing", Message: "Liveness probe should be configured", Success: false, Severity: "warning", Category: "Reliability"}, } - actualResult, err := ValidateController(&c, deployment) + var actualResult ControllerResult + actualResult, err = ValidateController(&c, deployment) if err != nil { panic(err) } @@ -183,7 +186,8 @@ func TestControllerExemptions(t *testing.T) { Warnings: uint(1), Dangers: uint(1), } - actualResults, err := ValidateControllers(&c, resources) + var actualResults []ControllerResult + actualResults, err = ValidateControllers(&c, resources) if err != nil { panic(err) } diff --git a/pkg/validator/fullaudit_test.go b/pkg/validator/fullaudit_test.go index 943cdd2a9..884413153 100644 --- a/pkg/validator/fullaudit_test.go +++ b/pkg/validator/fullaudit_test.go @@ -32,7 +32,8 @@ func TestGetTemplateData(t *testing.T) { Dangers: uint(1), } - actualAudit, err := RunAudit(c, resources) + var actualAudit AuditData + actualAudit, err = RunAudit(c, resources) assert.Equal(t, err, nil, "error should be nil") diff --git a/pkg/validator/pod_test.go b/pkg/validator/pod_test.go index 6d04345c2..e2b186842 100644 --- a/pkg/validator/pod_test.go +++ b/pkg/validator/pod_test.go @@ -53,7 +53,8 @@ func TestValidatePod(t *testing.T) { "hostPIDSet": {ID: "hostPIDSet", Message: "Host PID is not configured", Success: true, Severity: "danger", Category: "Security"}, } - actualPodResult, err := ValidatePod(&c, deployment) + var actualPodResult PodResult + actualPodResult, err = ValidatePod(&c, deployment) if err != nil { panic(err) } 
@@ -90,7 +91,8 @@ func TestInvalidIPCPod(t *testing.T) { "hostPIDSet": {ID: "hostPIDSet", Message: "Host PID is not configured", Success: true, Severity: "danger", Category: "Security"}, } - actualPodResult, err := ValidatePod(&c, workload) + var actualPodResult PodResult + actualPodResult, err = ValidatePod(&c, workload) if err != nil { panic(err) } @@ -128,7 +130,8 @@ func TestInvalidNetworkPod(t *testing.T) { "hostPIDSet": {ID: "hostPIDSet", Message: "Host PID is not configured", Success: true, Severity: "danger", Category: "Security"}, } - actualPodResult, err := ValidatePod(&c, workload) + var actualPodResult PodResult + actualPodResult, err = ValidatePod(&c, workload) if err != nil { panic(err) } @@ -166,7 +169,8 @@ func TestInvalidPIDPod(t *testing.T) { "hostNetworkSet": {ID: "hostNetworkSet", Message: "Host network is not configured", Success: true, Severity: "warning", Category: "Security"}, } - actualPodResult, err := ValidatePod(&c, workload) + var actualPodResult PodResult + actualPodResult, err = ValidatePod(&c, workload) if err != nil { panic(err) } @@ -211,7 +215,8 @@ func TestExemption(t *testing.T) { "hostPIDSet": {ID: "hostPIDSet", Message: "Host PID is not configured", Success: true, Severity: "danger", Category: "Security"}, } - actualPodResult, err := ValidatePod(&c, workload) + var actualPodResult PodResult + actualPodResult, err = ValidatePod(&c, workload) if err != nil { panic(err) } diff --git a/pkg/validator/schema.go b/pkg/validator/schema.go index 6d1e5a89f..9b1ab6553 100644 --- a/pkg/validator/schema.go +++ b/pkg/validator/schema.go @@ -7,7 +7,7 @@ import ( "sort" "strings" - packr "github.com/gobuffalo/packr/v2" + "github.com/gobuffalo/packr/v2" corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/util/yaml" 
@@ -77,7 +77,7 @@ func parseCheck(rawBytes []byte) (config.SchemaCheck, error) { } } -func resolveCheck(conf *config.Configuration, checkID string, controller kube.GenericWorkload, target config.TargetKind, isInitContainer bool) (*config.SchemaCheck, error) { +func resolveCheck(conf *config.Configuration, checkID string, controller kube.GenericWorkload, container *corev1.Container, target config.TargetKind, isInitContainer bool) (*config.SchemaCheck, error) { check, ok := conf.CustomChecks[checkID] if !ok { check, ok = builtInChecks[checkID] @@ -85,10 +85,15 @@ func resolveCheck(conf *config.Configuration, checkID string, controller kube.Ge if !ok { return nil, fmt.Errorf("Check %s not found", checkID) } - if !conf.IsActionable(check.ID, controller.ObjectMeta.GetNamespace(), controller.ObjectMeta.GetName()) { + + containerName := "" + if container != nil { + containerName = container.Name + } + if !conf.IsActionable(check.ID, controller.ObjectMeta.GetNamespace(), controller.ObjectMeta.GetName(), containerName) { return nil, nil } - if !check.IsActionable(target, controller.ObjectMeta.GetNamespace(), controller.Kind, isInitContainer) { + if !check.IsActionable(target, controller.Kind, isInitContainer) { return nil, nil } return &check, nil @@ -122,7 +127,7 @@ func applyPodSchemaChecks(conf *config.Configuration, controller kube.GenericWor if strings.ToLower(exemptValue) == "true" { continue } - check, err := resolveCheck(conf, checkID, controller, config.TargetPod, false) + check, err := resolveCheck(conf, checkID, controller, nil, config.TargetPod, false) if err != nil { return nil, err @@ -147,7 +152,7 @@ func applyControllerSchemaChecks(conf *config.Configuration, controller kube.Gen if strings.ToLower(exemptValue) == "true" { continue } - check, err := resolveCheck(conf, checkID, controller, config.TargetController, false) + check, err := resolveCheck(conf, checkID, controller, nil, config.TargetController, false) if err != nil { return nil, err 
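Review bot: In the `@@ -85,10 +85,15 @@` hunk `resolveCheck` passes an empty `containerName` to `conf.IsActionable` whenever `container` is nil, and the calls in `applyPodSchemaChecks` and `applyControllerSchemaChecks` (the two later hunks) always pass nil. An exemption that lists `containerNames` can therefore never match a pod- or controller-level check, as the new test `IsActionable("multipleReplicasForDeployment", "kube-system", "controller5", "")` expecting true confirms. The exemptions.md example in this patch exempts `hostNetworkSet` for the `coredns` container, and the pod_test.go expectations suggest that check runs at pod level, so the documented exemption would presumably have no effect. A comment on the new block would make the limit explicit, for example `// container is nil for pod- and controller-level checks, so exemptions with containerNames only apply to container-level checks`. resolveCheck starts in the preceding hunk and closes outside this one.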
@@ -172,7 +177,7 @@ func applyContainerSchemaChecks(conf *config.Configuration, controller kube.Gene if strings.ToLower(exemptValue) == "true" { continue } - check, err := resolveCheck(conf, checkID, controller, config.TargetContainer, isInit) + check, err := resolveCheck(conf, checkID, controller, container, config.TargetContainer, isInit) if err != nil { return nil, err } else if check == nil { diff --git a/pkg/validator/schema_test.go b/pkg/validator/schema_test.go index 36ef40fd6..bdea8e997 100644 --- a/pkg/validator/schema_test.go +++ b/pkg/validator/schema_test.go @@ -143,7 +143,8 @@ func TestValidateResourcesInit(t *testing.T) { parsedConf, err := conf.Parse([]byte(resourceConfRanges)) assert.NoError(t, err, "Expected no error when parsing config") - results, err := applyContainerSchemaChecks(&parsedConf, controller, emptyContainer, false) + var results ResultSet + results, err = applyContainerSchemaChecks(&parsedConf, controller, emptyContainer, false) if err != nil { panic(err) } diff --git a/pkg/webhook/webhook.go b/pkg/webhook/webhook.go index 0ab79e9b7..c0afcd34e 100644 --- a/pkg/webhook/webhook.go +++ b/pkg/webhook/webhook.go @@ -82,7 +82,7 @@ func GetObjectFromRawRequest(raw []byte) (corev1.Pod, interface{}, error) { return pod, originalObject, err } -func (v *Validator) handleInternal(ctx context.Context, req admission.Request) (*validator.PodResult, error) { +func (v *Validator) handleInternal(req admission.Request) (*validator.PodResult, error) { pod := corev1.Pod{} var originalObject interface{} var err error @@ -104,7 +104,8 @@ func (v *Validator) handleInternal(ctx context.Context, req admission.Request) ( return nil, err } controller.Kind = req.AdmissionRequest.Kind.Kind - controllerResult, err := validator.ValidateController(&v.Config, controller) + var controllerResult validator.ControllerResult + controllerResult, err = validator.ValidateController(&v.Config, controller) if err != nil { return nil, err } 
@@ -114,7 +115,7 @@ func (v *Validator) handleInternal(ctx context.Context, req admission.Request) ( // Handle for Validator to run validation checks. func (v *Validator) Handle(ctx context.Context, req admission.Request) admission.Response { logrus.Info("Starting request") - podResult, err := v.handleInternal(ctx, req) + podResult, err := v.handleInternal(req) if err != nil { logrus.Errorf("Error validating request: %v", err) return admission.Errored(http.StatusBadRequest, err) diff --git a/test/checks_test.go b/test/checks_test.go index a7d46c85c..3f4ce9db4 100644 --- a/test/checks_test.go +++ b/test/checks_test.go @@ -14,7 +14,7 @@ import ( "github.com/fairwindsops/polaris/pkg/validator" ) -var testCases = []testCase{} +var testCases []testCase type testCase struct { check string @@ -56,7 +56,8 @@ func TestChecks(t *testing.T) { assert.NoError(t, err) c, err := config.Parse([]byte("checks:\n " + tc.check + ": danger")) assert.NoError(t, err) - result, err := validator.ValidateController(&c, *workload) + var result validator.ControllerResult + result, err = validator.ValidateController(&c, *workload) assert.NoError(t, err) summary := result.GetSummary() if tc.failure { From 5fd9e014932af4846373374da3df9a1fe3afc926 Mon Sep 17 00:00:00 2001 From: skatika Date: Fri, 18 Dec 2020 10:00:18 -0500 Subject: [PATCH 18/26] Update version and changelog --- README.md | 2 +- docs-md/changelog.md | 3 +++ main.go | 2 +- 3 files changed, 5 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index badaaebd7..220d6b664 100644 --- a/README.md +++ b/README.md @@ -3,7 +3,7 @@

Best Practices for Kubernetes Workload Configuration

- + diff --git a/docs-md/changelog.md b/docs-md/changelog.md index 5306918c3..749947c9b 100644 --- a/docs-md/changelog.md +++ b/docs-md/changelog.md @@ -1,6 +1,9 @@ --- sidebarDepth: 0 --- +## 3.1.0 +* Add ability for exemptions for namespaces and containers + ## 3.0.0 * **Breaking** - fixed inconsistency in how controller-level checks are handled Custom checks with `target: Controller` should remove `Object` from the top-level of the diff --git a/main.go b/main.go index 67fde74e4..0941c39d8 100644 --- a/main.go +++ b/main.go @@ -20,7 +20,7 @@ import ( const ( // Version represents the current release version of Polaris - Version = "3.0.0" + Version = "3.1.0" ) func main() { From 5f793beb737d1f2dc8834d8816d3f2f620e2d790 Mon Sep 17 00:00:00 2001 From: Robert Brennan Date: Fri, 18 Dec 2020 14:08:09 -0500 Subject: [PATCH 19/26] Add architecture diagram (#458) * Add files via upload * Update README.md * Update architecture.svg * Delete architecture.svg * Add files via upload * Delete architecture.svg * Add files via upload * fix images --- README.md | 8 + dashboard-screenshot.png | Bin 272960 -> 0 bytes .../public/img/FW_Insights_Polaris.svg | 421 ++++++++++++++++++ docs-md/.vuepress/public/img/architecture.svg | 1 + docs-md/README.md | 10 +- 5 files changed, 439 insertions(+), 1 deletion(-) delete mode 100644 dashboard-screenshot.png create mode 100644 docs-md/.vuepress/public/img/FW_Insights_Polaris.svg create mode 100644 docs-md/.vuepress/public/img/architecture.svg diff --git a/README.md b/README.md index badaaebd7..8b7c569ac 100644 --- a/README.md +++ b/README.md @@ -22,6 +22,10 @@ Polaris can be run in three different modes: * As an [admission controller](https://polaris.docs.fairwinds.com/admission-controller), so you can automatically reject workloads that don't adhere to your organization's policies. * As a [command-line tool](https://polaris.docs.fairwinds.com/infrastructure-as-code), so you can test local YAML files, e.g. as part of a CI/CD process. +

+ Polaris Architecture +

+ **Want to learn more?** Reach out on [the Slack channel](https://fairwindscommunity.slack.com/messages/polaris) ([request invite](https://join.slack.com/t/fairwindscommunity/shared_invite/zt-e3c6vj4l-3lIH6dvKqzWII5fSSFDi1g)), send an email to `opensource@fairwinds.com`, or join us for [office hours on Zoom](https://fairwindscommunity.slack.com/messages/office-hours) @@ -29,6 +33,10 @@ Polaris can be run in three different modes: Check out the [documentation at docs.fairwinds.com](https://polaris.docs.fairwinds.com) ## Integration with Fairwinds Insights +

+ Fairwinds Insights +

+ [Fairwinds Insights](https://www.fairwinds.com/insights?utm_campaign=Hosted%20Polaris%20&utm_source=polaris&utm_term=polaris&utm_content=polaris) is a platform for auditing Kubernetes clusters and enforcing policy. If you'd like to: * manage Polaris across a fleet of clusters 
diff --git a/dashboard-screenshot.png b/dashboard-screenshot.png deleted file mode 100644 index f4da05689254b1cf43937449bbbae10a03cf5638..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 272960 zcmeFZby!sG8a|3h34)>s(hZ7)be9Mc64Kq>-QkFWf;7@4T|;*(-CZ+u4c$Y>S?q7` z?}L4Q*Y=$M&L79?VrE>k)_UIed7rqS`+3)VlaqOeiB5oyfPjE0A^uh#0Rhz#_=`eA z0gj9xh&3W0ptqZeh{#EZh>*$I+ZdZ!8X+KvfBO-Qs;DrD>(^h;SwHZEf{gl*MjRUr zcpJ#@4GKkiBKh@!aBJ|xU|msBq#xMCI3H~3KYm9p*42} zW>bGWc0SIt;q5Z(bu6kp2NA(DS*4ilzZi2;tt_IV4rh zr1!srzduCIrb)UU@vqJ1%+=sXE55os_xZu2L$-JiK{Petcl2I~oIr5!INvumR0Km( zb589TO8n*S7sDB*pcgJ7_7JW|-|f4e8@x6UVE)kX!s4D#if#1}8^Q~k?8Mk^DUn6F z3%QD?2cr6sgD!KOPwh`%q`Cbn%g^8ZpqyeEwqMC*cKtOr^?T=X=1VtE1_O$dZ-(LT zw->G*c&{o;SeBo1_Y4SQOZuh`(B7Xe^}wGbm&DEb{O*0xSHTs*wl{8an@9(S4H8d# zU}s-mz>NL;Wo&a_d`$Zu(fln|7t|x@{wZVfLziZbyv`AlLq>$#GJdgStz6TGw*IGW zEwZ)+FBm;P8Q~9-M+h`X)+&-@_p<@)XgbkW62Y;N_MGM(`h@mq=75H6HxCB&_2ci87LiR3=l`-|I6V-iNfp4_YE5T5)!lzA$Pvnpt zQ!o!f%tZ(sP4~F&yUbx;2*3V{z)XhSbDxh4NzHT_BBM6x z+2XK$QkWyELMi|e&SANt;iNpOL%KhA|G6I-+M^HT1nHRgLYblLO9;hevK^%8Us6-v zzQC9CZ3!h(M+f@_{Ctv41i3#dBq&V#(_!FQ_S2e2aG}cqjaAm~O*k=F8^4Tq9b=G7 z=O1&SBw=Lz!kFW$LYP5_{-v}_UUg3ZRmXRy3H^kc?<>OR@2?+=w4msbH;5yJe@>^6 zH{_Q897&-hPCWFzjJ)zO@;>_M=U;lJ&uQ9F7K0!BZqav*L5^9Daf-3;x%dA53gQZG zCMxU4Q@;#-r{XbHPI}b%kJ8PIEx7tp#iJ8XCjuvUCj>T8iLlz6Viz@Sg{$6b@>oBx zCbq^aAQ}I((E?vU*>kPqm?78!g)}+rai6@oz`7v6P`i-!B)y^py?;%{^%xON0*RSC zSx%BmoJ*ui!d2`!O)j?dH|rKOisY)8s<5h%iT8Cfo0M1)BN8iAkK`Y|Oe_mf6w9U5 zqH>Cu3F|bZEP3UItM*n~f{~JxT!-d3RPY1a3uPRgE~0>h5>QF<(3@&mw|5!xz1cG( zROVPt_sjjKa>jCDr?{GW_s{N8XFPDs13SDfNmG$rIUiS4E|7D?lPEqfNm&vye18<7N4_KnE10^t@gut7?xPOq)AlY zo5X1zJST1G3|Xh-u6T7e`05C1O;N!Q>&WdV)Aco5HNNg=?jZLk^~CNlxb_Nh94(T|891G&G~YuGKfEE!5>jHbCUd3&AWT-8U* z7zqO~p)})}W0~zydW7cjHc-=Z_nOYb^tJe`O6hB3m|?V8W&ifidOxosuLiHuOAXXl zs7WGUnyudD8hl(tZ>MSJWX(50Gu}+H>;JZbvr^WUGrE>n8dy3~-B&%^+Cn{PlqH21 z*cV_3HqdfztvRbIu;pJq>+GFmXy3|)l5TTs<8Px*C-<`@zl^E2F)s8ELmf8=@&6sM 
z7Q1=soAtYUAaFxz8Qub&h~LrLy8Ld{DPuya-*{Af5O$WZi@)!5ptS;B@IOI5dv@w{ zVsX-b7JV*=^%`9qBOCKMnj^aAlZhvvG0`7Dh(=lm7k9bX6F|Drb4I`L-n<|mBwr?% zeFJ`z@v~RYR@HVQs%YDG*w)U~0O{-8Tgz{*IA$c(Wcx6+Dz&guI%EEzk`Q%*QC#W3 zBvP-}XCmKad)i|Bi*bwhC&su&tGMmh?L_vx_o(**KCeCKeo{caP8IMZK73cgPGVHT zxAfA)CVrZ;-Araaq1K@n#u(>el+;((>x1c(_Ba{<2a2KlGF-K8I;ET@9I#l3?>m3jY+E>b*^TzW-^S1<8MvhY1=*Vm4T zWae=EWVK|`4#_^Amt&7jzA_nZm@sv1N2*GpQwJbhV^lCa5A_qzGYYjV$bab{%<*o^ z9^=$yKS{HHDqt!EV-c4`BfUYqF59bkbfG*jc^P@>vI?p6b7i_y&is&)lt)x?^p+YH zgRI(2&2LxHUjYq2K(8LDS}xQE_&Ct6lNC4ZI`Sp=QO zb?q?E1~%-dZd5t9Lu^DZQuA7!TQgd9#`eavv}_t1EH69!Mlgv96FIkMK0~Qy99>Gs zSMF1>T zvV)IbE?frO|A5LkQZ+I{G{Rq1j9c(y{D?HpVYN-Kv02)Q!^vYEAKv<|3Hvk*PmucB z@z}IuaLgdzz^Pq2WQR|f_rnMRJH7RDQydPuxF_*EvM9-xR?ap8d!<|b=d$=oxm;j3 z_eK1n*iWpKCI@|372@jJiBi1dP@YEk{ORX|N~WHg0XycUg=MLG(S4Q0&_3;>D$n%* z=#K~$H5I}_ZXF9#7jwbAz+om@o&;Wkf?7?RntAuMY6oLjY`ivS|MY&X(;5ftsGN7+ zg=eR2rhc3~OUf?9XXo^?=iG*5N#MD6RS6+f>ri~_!DlBhMCWk z%OyRg!sBI|lG%pCXM7m~3|_{&`771U2MU+>E;+S(ya$iv_w7%V=6BW`cRa23&Q3^Y ze99hCJv^)rYruD_-A+8Jz1%UWvmyRYzD!GchtHPQme_JOUq zngap?F7?gdJqdZLT?B-C$!3bGj;hk{c?@i<81)Qo^o6#qJd2l#w*n2CbyU#B=)@KdNt%aMuL*c*|tGqN$hrVv0UBO~LpH#Fvv ze=GLy%Ypy#Qn8uX&s!r01A8-DM>891vYY$r>DxFt@>5XU2>ScqU*j}#HTy@BwZp%s1x%3X<{Ktv z#@9@L-y67;@8&3voSCbUrRrNVDfe|0G2Kkz)|CFz*T0Se3KKx*WBOb90_d4f*KL6HAToO^s|dU!-YgCR!u@XG<;7p` zz-L4Y+vG~gdISU^1c|r8imvxIr%^p|Mj`EcwDHoiWQV~Y$+Qas>RpOoDR06dubjQM zFg=8ejtjo(x7uUZeM(V%%u6R4MuGM@E@|2&X*9M+ro!a>st*?7lGV>W8{2ZeKkFbf zQ{%Kz_eL1u9@1l=EcqWV;x$4fAgiI?YH~z0vX2P=>t*gKS<$lS|GwSLxAIg%y73gQ z)`9=?Za1Ouj|P~0l6Oy0Ov^2DFk`%+sHkXoa`Mi(UA1N>$GrES<{2uAXpA*EGD3BxprS%cFa_}` zt2T~_@5#)fFJk{tR=iRI-HHki504b0dYb4#{)eR%T1Vm|2^kq1lQb|$dj>JL>OtU) zWtWoBwLmF@$h8hQVVYxLU_?whZ-4od9=Yk|baa^5+1VRX#)wWiCx2QE-Pgc0DPPUP zAH&7N3&iq$|L0H_{xYSR(!xdq)11AG-CvYL@TpdGBvOU(BMnST40QDLvNE>8t);U+ zDe0q-5NLhf+|1Op2oY*{R3dE-OsIS%%Un@WQT3&h5HZJ}Vu z61sW(7Vvle!eiAIFaIo`4!JBE+-H{8Oc5_aX`-Z?ms5tznm;PLrM2N)tFYEr|K~tt zW@#D8ZZW0`0{c~{KOu(Dfc?ST4@_0in6t0#@wdv7NgQfTa{p6O6AH$- 
zfRF1mkW}=Mhdr=#xM)o|{nNsSx&m>$h0p=@Ph%4zO93LZ5bpm2L;QvZq}DoSmp?~U zMD)iKD295Je+>Hn|1keQrOkBtl$;7}js3;lD$|S5Y8& zZ+@B50^aLO*<~M-Gk@?{ z-wRxslP#;pw4F2S;92)NQ z#(-ZKV?_Pe(Da|}y0_M@6gJ*hrSyaofb#u{l6<1rW8lh#58a$FEd%|vY=}#j4oH`L zDGQ3m479|RbqOUd**Zq&l$)m-MKm!Tg5<_knK*xIEli2yaHHH2+rbD3-E>bXyL(u? zPDsI*jp0m<55t?y+dGtI78bGqE;JjhKj4IDN%p%=)wJbK`gFvL^i|x5%xdCLB-{_0 zsU!}-$cWe*29z}@yO{MG&Hlghz~n0cRM+=MMcqxiVB7({@BA1(EN>=BJ?HabA*2~* zd;JvBLEwgp1H=Nx%k<6lN8nzkSIXTny&>g*%#O$=4%Kt?pr29fEnAA3hDg=O%At7& ztMdP)KNcNeWe<|c8Sci01&TQ>6}XGdq##=Y`=?3d*+7#uK5T=kMZ+Ka9~`K5lHIiH z+q{xDc*{mB`wp8po`1y3nW`_FIC;76WuCpEA3UY2Y5DFB0vb{VBw3MSKD!Hyp3u&z zoo2ay*R80ATXc2AFsFx)0NurZ3%@kjJbp3QEm)fq{x{gVn zdFZ({cVkn{CZR_Hbsmf!uoAV7A59#gL6aDj8s7#nD)Uu&hA}uFKZV{=9w-tBmYI>s z@sxKU(t{_vY!bsZtk+nkK5_KYjXo9+tu`eFdKX+K19*enaicZxJg;}Vjn<+C)i;Xi zm+W;n4(V){B??RA*A%oVyk1FWBr?-7{+Ioel>_BM4ji_9Cw~Y{A@OxzhqfhWp1e`t zlGp&}1w+dtoPO?OCrfC@_l<2`xwN6hUjH%~bEn5Zs`xcZhdwn_7=%4XK)&rR_EjTh z2i^O%$DLW-LwZ61*x+Mj#(+Btq|$EEsFjKHzU)CWr9Jf+ph8AY#;S6Sz$T&3UiV!23S)9%NaxCCu{mWzEHk+Tf_0W7k5(|XcZaFGL3Wb z;hn=|?1*ilZPGp$15<&{+tCzl1MQQFl1%PO`{&ly>}wmm$v<{To?C$1ON4X@1LK%k zoV*(jb6)HrSMhwduO1|f{&Z*fWRHCSS3Zfi7riUR8gWKRDt++zOx0SJ?DrJs64yMH zwk^n->(B6El4r*>BKf(OCntpa%e}Iyz-m37XiFX2Pp}r-fr6~M4Vx>LKUXriP282$ zLJtgym6-M}Li~n3@H3dOk%S3zSm#G3w-^(Ih_3ZrQ0OP(;0kp3IQ|3Ao2T81$)IWpBxYMH9MAHSye{Zr zaN1p)h(`c{F@66_b(4rmMh6*t2X;_n#@~&x{0~hYP;nO9#p(XDSH{6>Z$Uope^UFO>YB)!Af6gX2$Kqp)`my zXXXYSi!K@SrQ_epLj>`d-N)sxaBbnxH(iWG7Iyg>MT*+cJsb=EC}c#a>WI3FOheer zx^1T~R7JeMBz#Qkd+8ml3Ze&KQSUzL`-9t)CG$dxGxphzk5+D0x6yJsQ=|_v4_BEH z?y|Z3o%_MS30%iz8dFZvjR>-$H{avUDk&1;*cuSyupal*uG}+Nmb^3Sn<8KB@UN zu)38~S)J)^!yN58`mQ`SQW;&SWf-H>Rv`NK`EY1QW6*9zOttm!a>s&3yjdboujHCv5c;mb@-3FcZT{RoEK5{T<;00OrI6e^k;4y7&dRR04 zS-bK<q2Nekk+P z68V7XllIHYNw$EcDAUj3ZZNR>X*u>2TnMu=H*eCqyVfIsQDwFz*539>p-c?65y{Ie zgABdjA`5D#CYhBq;B_7EW}Hro+2-8g$a$B}I!?igu{15Rq9A4Z^7iPO10w~4Dnm>g zsqaR2)|4!C3z)>@)n_x(+mmQf0@9BBI;|irCMo~RnRO+*dJepEjg-THz3|yZ9o%+2 
zPCgnzet6V>rm<#M2mN8vW2Zr`;hY`m+?G&@b9)_x$TWapSqkqQV!VC$Yu?8!^J45F z0dh#XzDpC@4LVFU&62EX!)j7|W zPmh;M^GM77qb;wH9d&ss4X4~lOh}}Zw)WXrMBH6eGYG7SSXyiG9a~^Uly+zgKYK(P z)wV;k@;-hzgin6KxPAo4kU%>0W|E>Kvr>lRDXp ziIfQL^B;8?_3gEuo|ZUeRg}as_gjIOVGMWEbI1SD4HsSwjJ&|qsi%ftd&%)ht+X9O zG#SkA9n*M7cAAB#!oX)v4RzHp?!U#%>``xfPL4gNb1MQ|zE`y~_81|D`IbF#GXkl3 zkqM#q*20iQBiF%4hhD>t41yu;Ew$znj0)*WP_1c>(2`fPmFtSNmKk*=%X@!I+1@j< zuCyGl9^zCi37q3_Af;lzeY19ujH?fv=+2fkR=Gv6~9|= zuWhpX<$4$F48&MS04YzaEomaNi2>?jMtfagNx4*kfBrm&>-P95f$_73#QEKJ!;k1} zS3FwlZJJgOz4%Z=*>JO;gZs1GWQL+qNg3dIV{M8Ch|rjcl7)1jOql$IX3d$OUsNxx zHpoVBhniEnA*4kgMP%MaghICWFikgRs+0&ClW{J{j?#mKT04?O_c8L%>WZQGCGIm6 z7W{EQ!Z0l>Ihep|{Ze88b7o1ga&zVgRlaSmLSh(?CyWml)Anzh>th)qf4%}Ao5&Ga zw;4_x`>MssWD>+@F5a~An#M{i_05bCjSXj=>LJFUCJqAdra*;-MA*Z%L5ahNyO<$8 z5P+>Ud=J*|Olj|#sd?mCXTRiSEoG|)Aylqr5ByjqP%Oo>#j(?3xRYl&ZP+?Wkmh~m zSehCTqr_fu24A|=qEA*^puTi~!Nh#csBftsExjC&qAo~6cLy97qp^AO3a__KQzb29 z=yNAJ3<;%d#(i5@pBm5YEbD&Pxyk%AA8vY+!w0((4KOqrCo2>(EX^*KVC?wJzbn!dC|h zb>GezWYj=Ff2jw{ytCeTAV2k-_`}a^7sup#V=C>-;hI$ZNC6==qUg?CUAa98<20Qk zfji~@S&zz)(XcR1t662|)gkSG1Fh;H;f*^|%m678X)9uPq;TF#!?S8uv5}f4tPF4& z4X@IQ!pH~_nr~>%Fm0Sy{(|d$nDL(P6y-mr%cYDARPiOX%0Tk+Ez_Ue1Pxn# z>pNA-9?q^JLwH=4AFHet--qE{bz~?BV{7}2-l*kdkIvGxFB6dV{$)~u23v?5KcYJX z_<5y7LC}U+quYT&h^zpZfZg(v{_P2bii6H_m?SQ%upjy)h%d2KSL9uf$#Yy7<#AYC zt5PgF^Njx6B^ZL8&~d6XOAMl&OWfKenZ@4UabE;PI{>5w@xH`+dn-YKTrpg~>xEb( zHweWU%Z40hRBP9umu*ozR@TQ0W0|nt_Byi1H@%d%?}mXWkSe7(PIx$;(9jVLa zT76#dP-*O>KH@K#uAOqxCQDVQ<&sAc(O)a#?cotnPO=6dzjS#byu6QnWpzqf&No(+ zdN6gD;{cfg!%rJrP`xeTYwbsqUi%!cJ#@1(Z~dvlUSw8{l+6H_)=>kIJnUqhwnz@M zpHS4g(wZ{+dISn0HLUT)_C2UN`{_zU^isTsPTAipyg)8D*A+2c;}j_ksr=TyT!nJm zf|fo4286|D829xb3lge%;5x1>F+H)7t|xX_PdyA~7@@U8Y^4o}`qX<|X}x>ku+w#D zK~nOMjF$tA(m9*MrKLD9So=YVCdNPGy@ymH2ZU`5Qab5dP>?JUxl9F&1=`fArAW+^ zmOfwGZRNEp`>EFj?fxEjrN%}WBM?pLTJ835UpTcSexD+nX zk2M}_PQOigrI!mSq>TjCN&pBsdTcb^evMMD==`O;XNQvVm#c&$@WpY=ij&2=7+@J* z3vJ3&H7O_38MQNRQ42CL%^xq^EhF53NECbAlWm8DSZdNACB<0%mVl7Z>m8}*?l1fG 
zoGdY08vlQ=0o9wPQse3oKKD3R@A%lS-44C<&ukyfXh_Ofks!J)_cwNHcq9`#S=17%eT5VhB0P^KO;}vEH8+lhd`P1hwbsvxSEs5=9d~B5+~Mog{O*UL!oDb- zH1U>C{COR|y~kCpw$HdY+bHywUY#t>as;rX4dE*wW(e_Mu=QTcn3HfT)#Y7F!p!9> z*>G&(6LMVzuH(6Cy*f%P&Urwt7so@hr2Mf^^%esMR%>W#LrhW4HdwiEr)w4}45%Cb zu!yBRx74^d9G2{(P4hm6j6hXX;f7s3DjSxG0JcNF^P~e=wI~wBAc1mo>F`;Nzpr{! zJ8waR%)(`zSoiJWitmzr(xYSs>E;-JSyr4knMg=pB+ zE73^DjjY!$!(iR>{-lg}nzkSu9GtQ? z%#aQa_Z!_vtsw$gDQXfWP=UOkW!!{7dBek+JEWzMHGnKvjt&5VNyl{_x%zmu{1P0##y{DLe8)XVtU(-qsfv+Y9ddLB!rL+{J8&gMsgn}h;$dzu#jx!=ekwm#mTWS~iEf1$ z^=qef#p>16Kt#Vno|e5NkL|Vd!Rk0I#%r5lPBylVaUCB9Qty+WJEutKp55Ku%X{sl zA?7i=*#u3$%%}kbq#WYg1$Y1wVvh>py(j)}spag(T_{A2#<+Kg-E%J34S*WF6G$jj zl0*@7_gu7-HplZyEe9(2l$7QgZs*%jeIVT92!6DzsrM`A8PDuf+n|rPX{gq88dWNp zao^x}`Jy>Kx6#MD6A46tGOq3HwBT?c7^Sy5PXkaRwACi9FC+I?b^VRkA1Or{Ja&a8 zx_Ii)*d{?LtTbkKnzn0qwx^ysPA~4AAi_VSiGA~q{iV&O>$4R0&Tv?ov)sm*8v|L} zV~gDlu-!}b%w~g)y0#mhfNUBmrjTPgN!)oP>msV3x-d0uG)5w8iVB0q+Zz1thARE` zq&;0-H!%1|iPZSf0t=$%9U5aP3P?28{5zj3j(+-+gwrOu{@x)Wpj+ds=+hn8NkLPd z@z~+lK{F<0IR&ATgj!Wh(#%aFRoqj%;CM1|X4hgQ>i>g;$I&z}sT>$uvZg~XJ99sO zt#L2Gpmx-(m&qYx@iRLVQhLe3qXP?jN3u5l9@B!<>+l0U zpKHTy6;as(ErAh0NQC30e^vVU|1-qr)R)@Ldc zoULW~BGeY9=dE};Cy72S*zY=wqP12kgP#4B_`_e$X=zZiha{6rJ3P;!jNPtwEF6;3 zj=q4$UHb$ST6;-)yBcaLA|X|Lu(PubK<)}EI@)cR&M;s;fMlM0u=TiwAHrz>>ttKs ztPjJ2=KdVHI6b%|I2}=t{nn>O*e?%k(MWq2a)gPTd*Fle3gGY!<0_v{aA>p`NWiQb z&eroT8QBdx9#?NwKrbrFjYa*51-F4V&C%whcl00=(?bHbj=y3*fE=hqKAxIK{OsYE z?DKpxbv@JjX`o111Zs*7vSL#wipN4kF5u%fthXMjt)n8&6(PREnfw9*#{-nUFWrqN z3xW3i{KqHkN+KB;j8#oG8Z0VkmdzGVC;T`A4!_355lk9{@L#ONGQ50=P25#mSI0Nh z{nl~Hrtxy+{L|;lxg>s%E<&3+z1bF)zfjHtJlzJ!=cf+7K0ql|Esb8m`+Glz^++Vv zea&mko$3arzOZ{=^I-LT#rfeT{k649n6*-xz-_O5Yyx;Cm+#8LGM2!J?%;et?@+aa ziQ5LavSrITK0f>kASjX&nmFn{q`!L~^IG_7=lZIDXSa5{CU4Y%^IU77Vt=>!Q8y5w ztf3UCJD%59mzNdAe--IMsYvVE^}_3d-ZUSgVKrzc4{)}8e&TF9B$ZqJYUwu`ddaD_ z5q48krnWGz(G@uXP}E`kXic4e{m!NryT<^Wzpu}zqrbP%YCi`;J;PotDk50OEHTv3 z%@diwI)x=S=z7A}N9EPjUT#4v@i5z=WoA#GIAnsD1eTI2d&S_rjyyXes8BFuX 
zdG@ST@mgF~p11y()aQcSVk{qf>l9M&aa`pWkEi7r_CASkGB;cx8hEN{Ts`FYO^S)j zkOXaKH7tp6M}vCVJ;zh9PP=f`2MvCyT45OrWVI9TLXHXD`!DHxwz-?-*ODUf0^@uT!LB zi3ailmk33u74BHkIgl_*cVcPEMR{bm?myzwon{pjoW;|m=J{M|{oIf|s_7`0cYAl^ zrRP@pxMX`UvF{Z5;R;jZg}kHohf*S+i@lOjWsO)sR$n5o$~KU0Vwny6Ooj0B9k(D# z&NFT%I^qT73MnkcJ0ReH3+hJgbAnvr0C2Ogpr{RXKYGXW@q>I2g_~fyUO(9+CiI zB{{i#up-5(zuV$c(Aku%t{ID096)ML@Pj^HSsA{)w-)@^7|~kJvG3#9I%~=rPAe?8Vid6*`jWE=SiAa(7wi_ityFrwA@@t>w36y z4j2qq(krY#+VAzU8iO6r`ruujXEZBAlM}12f1#2_f-7er$F-dLEof?$)``_pj`gV& z0?k8ftYwc(z>Up)b6T^-H#jGXUTq;y1ONp~LsCrT>rZ>%P)wD3pB*bSD(d5clgC)c z7B1p5d<5Y;rum}D$I~veR*40aLR|j)mChvqcOZ;h=QJvR+4OB8_E>4aU;-pWfuu=j z$z%lMx6yL%-3eTVYsplOQQnXSZ@(D~X{7*E7tu^*JkGnlYt9Uh`0P8(_yq&7Z!ms< z4n!Hu^@dHAt$X07h^TL$VzeqE^zsNQ3&31+rAq))gmBvqguZWOW{&+9y36)5wJh#yF8Xcc($eo{Y!cSrG*FPI|8odE!6t>9o_X(4kAlGf=rk`CcwwBJd zC$Oi?zr-;e*P^qwyqayp%p32NiYI!e^aUuA7Z&E&a7{JlqVz6nq>S{03C6>7?*P6s zAO{Qv*ws;|@J}2~ImlXQ;aS&iap1EUex0pQ%r`U#q8JLP^Mu|#j|g)%i3&2 z8X{M)n)F2iYJf6T71LqQe?qw;(Esv^$3L%c*&G+s|7hAphr9DR!30TN{P|Wg&&U=~ zD{aQ>YmeEU0sdFfH{LWdV=x54h9Pf}*H1e`PqoE(t6rcq}W`wfInXFY&Gp;dtPZh=OzYI9T|`aib)$$tO%Y@cCWib4cn3Oc*B@(7nq?)b zTUOc($SHcfk6T_%3yE4A&N_#mjCnzZmHZ`VY@0E?y3Mod4-=aE;>N!nDToMTqV}fp zmzQVRvIO)!1CuwZVeucz4cg9VBO>R~CfI&T@VPoYYEIQ2o9TsgPtq?hFQ@Vc`eIrn zZXS#H!$xOXjR#47KrKsy>JEpbR%m9k8j{bfu?X12509lp_`TkhjhAt67GpJnMI@ks zm&e@={BcGmkLwnLdC%O(c?$>QnmE+93DA?>*K@p;#!0|u9(Y!EH8C*M1LkAY^M{I+ zhKHXXDU()EhMFNJHF`&^hrJ7Mf$PL7JFUkXAwEkp4qU3vR}Pw9N6I

r#JI2|#6; zua~hjDGHP82^EB84E<%f3Ocu7+ha5`;2eZ6(qRuwLs&2Uok}AkBRe8rD)fv-dK>HO zdH^`G!=Kc96_(lj-CR6ZBn9Qw!AkE_;!l&47IGd4esR7ku-0j(aji>6!j0Fz`h+^` zvazW1w#GyNPhGz95I(MjDvT&~((*ms z%p>9?&XI&3f|2!$TApiLs@6&Edgt^5I7-b`*N;~k-^Ehu+wS)=Z5{?XiW|b*jQO9y zJ=Qi`-GLHBjDOtP$*J7N)u^b_PpV6eu~6=dJ;n*sri$C4b%DK4ir$Pp!Y7O zFa7AN(x2RAPg&EHS>FTx2 z_)kgteM-cK2<^c_2OH-7wlLeP;9*tZK?#wRy=d8t73?&ar`N$X$2}B~B6{SkfWp3H zd?V7ytU*DzV3rr5-4B4x$y{i9h%?b3~%mB96 zEK)ph^{%oe=gx5IlIyGU_{fHS)fN0vy&v%E8w5t~vAmAC@NB|dh|7LSys;+Pt_|NF zVwQDkg;BXcq_5%uk^umAK;ZrUZXDAX_4;=#vm#sM`NySr#P%*tAMYJWKhSXYHhbei zv*GbHJHh*Gjm4ntp@mA3?Klrv%crBWBsQ~fr_U%$eQx%>i8=0qhgTp(sO`=VH5*vg z(Zndp+L;+HF^w9`GPq*ZBhC1TTgi#b&LrDfn=`73)d&u)hXb5hiWR)qA{&sa2!e+Cga4 zot9qgO^YhFpMk-Ai^!No(KKQc-9%kCPdE<6+<0(aJxe;?xPWGfRT~8EldZL!WXTIA zP&Sv{kZZ=*K!xJ6wG6qLn)Gw5(4J>KBo&y#6Nuk9>Q^f@?zC$sHkn=0AOV=P{Kl&@ zh6-AJkrX{Erx!3&ck7BwZAh~MuuCgbaxL##|t1Pe0SGeQ&Pk9+5DM$gf*uDQh z5hhODdT6#U3T8k~9FJ$Nm-Z3>Xtf-#MukNEbp;l_QeHT(5ye%`de_cYye;7JWvh=q z;=|-Hv8mfwczAVq_G^WFOi0sTs314DB-d{Br+?QE6>T$sjF=^za%A=4?qdvER&24m4!B1Yda z{Zwd2j^j9!#gxZRz4FsTo7f}Mpd}2VKD|`-y868~!sVq1SzKa2C_TY%5&-nBm=E*| z9n1?HO&F9+8pk8^`xB!r)d*eshe%GxS1$A1-;z}T4b3x2cwbxPL%bYz0)bkA>7V$j zfy7~|K!bX?O~LpEYU!3<_75dW_714W9F~M>Q)7ABv->p6q8!(&Bh7%&O6PQRHmoP; zbkhI!hbvNr%Zyu=X^3)Z8HcHMgJ<<-{qfAoGL_=<)rZB0>82~a<<>(1Us?n4&Q~xh zbl%+mg+D`m ziu7kK;s<7U>0SZZAXwW6YSdTBUPrM`Ct`$FRI-AXWq`x#4W^2w*2`=y1L7lO5_u*$ zPZ@Y;;kFxK}BVumaa)<_x@&;$vAIRxX4YL{sXA(Dpx%djVA#g)#x!Y-%{fvIbX=7^uMVScrz{$sleqt)v?UDy!B2CYhEorM%$bISTJiPQm^+DrRd=%L zIoWZ_qE-FyE0Rfj_W{CWp0m!PN=OpMH8zuSr1z=ZAAD36lx`|3;UPOrf( z1uz8yXMiaNr{@TV+*H1Qap;BpKTZ0RyrG}KQvl@f<`1VltzGjRZ$_@jadzp8&cC+} z6p{qrTPmj~Urk&wj*pC-tURh{thA|zM*)on{v~!I!Yjx)hOF(IRe&4%1kX`mdf`_`V7$yk@Lcw-x*A=a>|E=YvO`bZAB zf9jafarwA*=|sYOF4m6%k<5625*0Y;VeK8oO$NE2t;5HGmI7{j$vu!J?k)$rc&~wp zwT%lt$h7;X#DU-O?Ql7nt~kVdMF+wztdJIr@z z+kbC*PA)4*#9A~lJv=lbp=2Wb~!_>XaVWvHraDyC=oz~ zLr6#{x)HgW+Ar@f=8S9db+p*vosQfRALHN##A85!$&%h7u1&q&W4rpDw&$Mc#v!-@ 
zB1z)DN^ZeF@Fu0&hcecMYv2ORL*))Yo)oBfF5t+KtW^oG_1G#b<;R{Wsr)7`Ks&6F42oaC!ZD9qG`g;b(=^S}XnNCKU7BgdnIqzvf{H8qO48B3j)r~UVpEpol% zXl-^p8h}s%?6*mHd|s-Q;`QMt(PUwKWcBnU_0PZHFz&g=~(dICMotEDq7F>$NID#3LCF#4%bItEph*HHt#ps0$D~G1apfq)~r%E zu&-ueG37fL_9Y7nt}@q%c;o}5xN&N8&Ng5Lsq>;`8Ra0W6a*#+&s+P8>=`=ch8EKvg#g z;r}<$n-3Sl=(FXT;?D6FEW_+;QWjC#vVuV5wX_&&w<_Xw$Z~YF2bnZK(?Oo9+;=E_ zYadKP*jt-~wXJRfBZB?(^LF+t1^{W4-QtD6F(%IXdg#S{l!pV*@)tlAQPtl&_0z`( zzH{>k#uZ?qBNFgcgH~1>6e={s?;rEV#pInQHI%*bqVq$6jS7Q**GiN0a=@OQ_JUav z$*IG#-WAyUTl?i%G=RoiX|j%_#m+ynaP#5Ki#G5=PE%_!D_`b%M<(W~=c~Q7DYQ@0dxkPy|-Jrzr@u3q>2V zb)$ayq6T6)#D8CSNClv~x7+~V_It*CC|!cVZ}$=?VbfDnDdwurWXwY(5=+PFA-;A1 zo3~;f*ss_~s!pCITZgDofAkfb@@?aYUX(3A7f`R7a0B_Mx7ka_^7LdeBqJrI34&`$ z9_PYOJXKEISM3d#qJhi^HOFt%br3+}M8`vTx49ff&m7}O-Il`a*D|8j&wIbzw18sr zxD;({5BLPIJD%Mu%#tuC;Zch-X1|_UmV}y__+j8gNw!YUY6R`N*Y9i2{v30!0{Y#y zZ#Mg#LBVai9q$O6De;*3>?;J#A^$K2p+9f>uV-^ZKOrO`?c>eEBnwFA{zr!6oDugm zhRp$rqJdnH9jD~Di}e`wY-B**e~FmQR4!%O8>$W{R)ng)ss@#yVPdDvPTg)sPzkif z+RsM`^cpJEGnyCHJrlviC6F53P~@#3e#h)wd4!YHQE8YXckZ8xN+a z+@A#yRniTe2G)Y)eemG)qw9mEwbLA24xCf76kP&b>T*#t)-Y6+TJftFd{pHebCOtE z)-uZ|+hy7jE%h=Awz_Ijp2IHjqE4`P5Yiyfy}59RT;T*i`)wR_wIqA+_t{QssHBB((8hA zuq>Ti)jS?eiu=FCLIG$Oo|_za)12G~n7mWJ(oym^_n&QbW|A-X5dy!(QCSWy2WVtA|xcRy@b_Z>Q};lehVN5{h5C2qW7-?Y*RGI`A(zY{K5GRxZCfb3{f2& zN^$Lqe2INrWVKO*d4nU}88?ZQmr>*)Z{c?s=r_Z!Z%K0ZS#QB65o&dbnS4^*3a6Bo6G`0N;eSgtD0 z-;ucTz^ugiDjAzSzKMf^2CM5HC@G`W-gVY`fu^h%lqLQ2pS;c@0r-7Hk}|=VlE)J) zppYpvHfZ}E2JpJGHX0==3)mCpa|EU@X2c;kJ2bk0CNWq9@OyQ4}oA( z!I^3(r)<`dyhH6Y!%-|DV87ip=b_C7IhkU5AM z^WFwPq`Z=nkrvHVLdh8DnjQ)L2oXLodg|tsq+M!S*!JxytskbJ!lk#V*HhvN8K7HY zV{Lv}@)?U$OIg|2{!}2@=gJMA+djRV0dh?FFVFAwGw&$WYpmz;&lvj|;`H346lwj7 z#rCkQ$&MPVuD6f;Cp>l)5C0GY69>s&E9I*GJbiom+&&R>WK#9fM%>WA)UdS9W4E=$ za)k*fpkxuDp?sS?%%B+~>V|=_AJNeU3|ZB;8e8dwKx6YvApU!HY@by%&}KM+6AkOB zZ#8FSrji#URiF~tel)d_07g-5w2g6`Q@`dYZcy67Tf|f#naKyX;WPeY*FZ$l)+>yA9rGrWFuEj-ALOBxSHtpxjxr1n{BA~QkaSYTJMZN z+aq`uuD>?z3D8+zQO=Dg0SqDPfeP&gP$cX)<0ESymxv7S7TYakj6c4n0g+T<WR87;Z 
zA#q?YoN_V7L{(VlJ38`>c9sl7@N7u^Q8_@)N&0(Lzqr}+^l)oh3C+r3Z*AE4Zw3$K zhyy$o+nyD!=Tx&<((PH_wKRBz2zyWUBZ0!L7#X_uBu*0-@p>!!yyw1p!&Gq}`^Pg~WN8P+* zSD-_1`DPnvbDg_4YzQ#uc9RA!Vm-xW!5{v`bQZ2y3xyuubc~Ot zIJ$vyX^C~%305={cJ#yrYtYJDO&Df81GKNxGc(;7o5wu&+VWYG(F|*ZntP5jj=q($ z*5i+m-b)smbRzwhx9A?#HXEd2enDn z={tCkG`%(!7k^*Bc0Y>MvH$e`=HfM|*e-xbQfejf&9>~miXfeS?Fwa-)&tJT-1=yN zPi~rKQLGpJm_Ky7x%Z{|^s5YLMTu?R{Yc;%;Z$BWWOdnY_+7YGJAZw53BceX09`)7 zAb(^~lLIKaHpop_rr4ob6}RFyNOMY^fPNa&&EY;I7VFSV;q!v5@t;%AF3IkJ*jMNl z2CE^Dmzx1$q~gm!B+kj=Zabm^_Unc?-4N>|ZmWrk{AmJ-7VW4@!#bhBnpb~bQqD|c*}e%>zMJ*Iv~3-Qg{oGftgA> zP9Z;Gu|1oyOicj@5|-{n_ihJh?7Hp7XmNj~mF{wiz{p6R`aBW#@D#ivyzZub+zJOp z8b-1Avj;LS%z(XX(Cs5^%+Y3MP-lUHaA!wx_2XXczXn*rpj^ zCC5O67GTfm1-_P?e8wz1TAOVBi3I>Lw(=f)uI@U`=Ap{X$;s;~K0qE?&J`%EH@1?+ z7&4&c%*#H)XJTYLM0*`S67cM+ZDNwYz0pbbaqpW$(8?0L#)GOdaT}ra`iG8J93azJxY+MuQ>C~HTGW=!s4dmEYBxQwd-%+z_Xaq<^p zuIsDVc7Q4MGwrKPN{xH2xVEakSebfbP9jqFVworravfi>2g6xKgyPK(&+A`&F zZLb>ncWvH?H9zyy#7N+I3u85kl(;v7-yc;Qqj`(}@VHtUwO<-K zF?;XGK5gvGfcyJw#jG>IX^}wuF}8DGPYit2Htf*?wc-}G*ID(I#_9Fuhr|h?@^9Pt zDYbr8WKNuYS0ATrqB&UP3_9@KM@FV{qI8_I ztv;_9FZ<=>=i_ZQ7c}RU5`%=GVV$#5w3gR&kfw2c{X7d$Y%8pRw|(;9Jjy7QxBZ5h z)q($$1cE1)U8xkeR;KT}Sh<{EG%eYDbZy%!$m;(&MwMWo*@%moBYeJi7vpOo;IxvX zf(#30k_iluAor+d)Spcg3_Fi7^%TV_YC~Jla7nC-aktz;>}SYuGCM`Hewu^1e?VGi zeBlL&-QDrpK+xVseEV-i1pZvi3m89YZ|P~|xFn2WvBH`%iDMlcm{EYAv=$M%oe(M~ zB!}UhAOc@hyWODqdZmw_GO|gfkQo$Mot9#ZE|{`sBaT$o`zd$ocsczFZ|`z=T)8&x zZ_uYeG!wqa`z4k~0U|=C3`zYV54HX0KG2L2cpJy`(fCBE*+{{WG-D)4++=b`N~#Bl zEjeTFJHQ{x46ln2^7q6ri@u(c-4ro>lp?qcw*9;ur#$aV-&$S9(S5xxm&1**0XE@W z#P{R-&y@PA;r;FP%VA9`gh>MPG{! 
zkIILI7=O8VGKdG-!t#6Ku}Z(!kLZ1&e?loNsD1+D!*MTnw5k%0LIzXZ65vwD95!vL zVbs&o;YM%D+d}H3tNHW2#ZD33Z=j(TieCF;pOw3x)GuYJKM17M$&Rpgk#)SR%!WEIdxa_)JqqlblpEz+bzc`m-6~y5G}DuS$}R)dAn-YZL&qHr~Oq;F86R) zQ}*m|efhj^mM1VUP((;))8+#7Bv#z@)#xGPeEnGqkpD-L2wJy?(PZE1Bv6!yhLScc ze@>~st(+$mf{2C;8Zl>+d4d2dzFs;3s}>8vuUoe}TOAHmQ*VBGIzdlJw-CVkwM3Us zzH@y3tc}Pje0RPbsm`ZC7S>6LPRgyu>9DcFJhYs%9l@*VMh$V3Z?21Oc$Bha{VX(a zNfDmOB~;_Q`s~~l)SbrIMC#)~9hpA*N0W+Q=fd*Wj+!=!%OjZc~sjT)`{%3SsDqa18j+fgLI!&QI>BaI zcMlg#uaS*+(s_h8h2FKni@GG5VrKHN2}P*EYu0D_CVzaF(7aVB)NXoSu3Dfj2xG~8 z?{V^FyNMa>Pa5;tPw8Q(Xt!Obk%&8i-Y~<3Zy!Gruc3(wj;&wRbB0=R2Y?nV%qMF6 zld+ieq=$hEgyWi;E*9;%#=W`QBjChH3nev1PJyp~>szvm+V~0J^DmzOfW3rKcusTg zsbBXMmN__14L7WJI2@Z@@X?=9B3|}OCO6s?-^RR?>R8%h!N;X}EO=YAS<6 z{sBi1hNjFp?*QmxkcMi0h$tD!uHx{uzPZ$e}=AyaT zg-=&Bg!cI-u!^N~beHB^NXDb7JX2wDjvJ3#HMr2~)xq~?dV_#`zN76y#Fjw4~KqA%G*ERMj)29L9BqahOfx7i1@J&IVn$r zvJ?LO$V*PbUQ(Bh;)dk5_^3gSH!rJ5D~{GzdwU5_Obazh95}T4W&`aVCqd3gV{A2O zJ<@yWTo`9rL%SeX#~GT9IPftX6c;66Q2rDw_Y1F`TLb4s@$JRDFMOg3@%L5CypzPX zM#c?ZS6N_K9RAd*bF>-VQE?eqtIgQAzJ2d$x^mC6{u(pmLLSG>MbK!A&T&z7Icgk< z1M+cg&_wUNwyh)}Aiy#dbT$h5r@tPH;Oz@v#wFWTBCgX~k`k;jCvH1GoqSs^A~cU9 z!`^IF8S*N*@wga&nS1gq-aguX-^wO$WRV;CR6KcU6)k-?cV)?|JN-yr6&er0d#-2p zuwr;gwSrs6G%CMr_$~0vh++C%kY)rRO%Rq+Uwh&v{@|o<0Ns)D}Dk4Kvm=gxOb@5qn{vh+1eutbb-nz`A#>s)5^>4f~OeG_H*vqpqi z@3|e{z8Xd_YhE9R4$uPQ7``uZIK|^~bTIT~>Pr)MA#2jOne+sw)fD%%Yy9~0`Xt^Y zwZNnCL9$J+&tF8$KBxL}dgN9JEmL-vr`}%6<0~&O=UoStuv6~Ay1YCFBQZxlh5gSq zvcX($M934t#6%r=xk17EWy)%Nh{+>4o5Ee6=WkM!dn%7OMOChzPHWt$0M1OxcN6&? 
z{%DCo#>P0KP1?n~1}>L>91i9;5>T6&bQ-=f=SeOJja_nM9HIyXMe)u!-@Qe zD2~GnVQZR4c-!NP_ms?X0{C6QbXhEwQ-pSYpquNF#ol?XV*a5XD2z0}91Y=r3GvGt zQ66UV75kszLH-w@GKVw&UHQgRz~I-&z{8>A+c-T|%=7LRO#b{-$ermazBoW1;8+vciIPoEM@ME=If?Ck>t6UD{Stp+KyYDGhTO0catx@c zZnX?yCU+DfYYHlI`t#%i?wYUjxUQ&)wH3l2 zfDquT{m6$aNpI-IR2*3+&_qyQZw8G!Z##-efO3n&M!!zQ<|NY@4#&T$G5|5&Fd?xF zeWV*xY}o`m1)8+$mVEqm%7F^H_e_DNCIYH&{QXuWZOfq-yVT5vEjA-+|9*WG8nQ8> z?Hm#D)#0hp4XW0Y9}USI##$PeNm?9~4zhlGYJ{=pXhjJ4JJ^Iu^F~ZwHq>t>UDr^ZLhAYwOJ#cxI3RS*hBhhBqgefZSSj4$SnbGu}NDHykRO|MVm@t zsoXl|?(oRhWp6D6FBaTy^mKTtg~61K$Im~F6wBJN=iaw4F(e#jw~k;L)HZ}xo|X2W zs9U_NSt==DBRr=?ep%Y|VT;6Y;I>6+_4_i6e@pdx2j-us;-iUfSR!V%XXUH%yjp|L zj!|8q7Y{>($-5Bt0y-Z~BO7VgKf{i~>OG6(I>a*Am}4n)TF+Hg9w86RHCyZ%=bSH< zi5wmj4~xRAJS@?=uMO3DE)v4JRJ!>B{p0`WM|zC{_h4W*&u}9Fnq!(_6^xHX3W>^0 z%4)qF*TVFAiL!tfMO6Rl8pSBsbGUNSram6oh=Nt;#k&f$k)iMXtLUH>?Z=`?JfN^ub0pIsw(?66A+sO%ac_4lA)o8Xd5Y z8yzAqNZ%qGrKJ~G?0t(LT3@IvXMJkb#o1?%3W=dA(l@LI9rlu$%5i5m#1uZ@gX1&V zz55yZ_c{CpXe?Jd9|yTzB?_2(uh6lq%h#EQOz3YA&%?-fYWwybrU*$mt2H7=o*Y|Xf2$S=hy0WbT#P<+5q84& zyP@6nVFK)3_2q>L&%eD3Kp^BLq6bY&iE|oYXy*#+v2%O%xfR70;~nhdSLYHs;zY*% zYI=rlZ+~c8peLBWtMa&8ZxvTJ#Zthi+)3%R$yFJ)SzFeVK{cTAcemi68ekx8f{s__ z=EZY>>&eL|*;=}f?nBIV->6NzX{fxhs*+a;H7I#_s6aEm;Je``TDg&hk7PN+-+tib zz7)|G0tQi!iA&NNh9Otc9e_9Xdz%K~?J&x_#aCv=Hf?(dQ3C$teq(OdN`V zBizf!nshg~$TKsSC>@ti(89c{q<;VWa4jB9IwSao1(Znu15kF25Birv@E<@D@z4x^ z`qvAunWgf@Fk|`)G%1fMqaJZ9qE?VlIr&gN(ehG!s?P5+W@@FmX`fqfMT`7UaR!WV zzto%9dpY&#rn2n^8*udZj=z0={C9EuRA`RDGwEkj`g1XC6k%}!KbeJ_hBA@>p^}Je zZsX}s&nILm&5A>tyg#wVT{%s(|8tmVe@X#Utc*W}UKTh3&2iis95?!c&>OGa2EyX2 zjkL76f6I%Zk-Kip%GfF=VlG}AAvbabawb^QbCiAM24lY(S=71> z7W4udq&Hl@i%IdBM+iu&ZB+*1K?PBMXeu%)M&@C9PsmAZnB_M$@NjiDPAHchJ&nJ) z3>DZi77a4w|1D#cYK92)wEOMX{r2NumZ*Gq*SFK zLN;i|!O%?z)vP%mG-!NV{G^C<6p79DrPOGhIaB-JZx#a^ZnJEU`S)*-g&E|oXVVmp zmn^Wzdc2T@AIKH0@+vs?;?1p%a((*3f#_8PAvH+cv{KEBl#Np9sAN+3qpb&TTDD0_Yy9WQJZ3 zbB1w}on1uSoK0Z~?CUJ3dR`S(&8Sa^Dr%TIuKxlLAG7^--7SYAyg&3;J`^0&o zTdhJN`scIbL=SF_I)kXA5{qSr-74IXo7arP_h=$U!tOdEi`9}?x*v+C*G|$cM*3< 
z`ybB^y2gOPE@sJ2{If9N*pJT`75G+n-)Y4KzRKd)X+KO~7(}9MY;PRca*Nt*24FA<0Sp1)w744KI1^e~UQ4-^o*>S+^XO z{wgF}df={LqQGUa)z+dd8<`6K2#=OVB1}Ra1NwsCq%>1zirIOBsnE>-@Ea3>MaN^_*|CZNJS3Icf+QH#K^;Y zA&?a0R9rNH);p~M2*Pr5CNBu!utWm(2!#0syi>)tMdUc&-BuWIY2ZjJ zHK!`AEj4t=sylXabZ}Ujvg=TonBGo=*z93_PY|5EZ> zkbi%Awh&Bn>4qlcJ5c^xfBu?0ptfz(5*eb`N7L`3JFKDJFK}o}MubrL&kz0jMJdT!-uWg`_+DPOkUjtW zorLlC)jXo{*uwOXd0&nGoIL#$1NX3L9TzuD?{Uv86SAZ1jJd#lw>K*f6ND@Bj~`2$ zrzk5>)}*|`!x8oG{r9fm5&SW?pqhqE>}WUEbqkV%5{`!_*S&IEDe^RQ?a7MqeMs|t z+&+62pR8%Clw>SAWEvbb`j_KOd`>E-54ycQ`8|(Iq=S&*(J*hp{rfAzg+s20)Ubr! z{Pko6uNJaQx#nZVvd0*4h}2D#AJP!(WbbF^qm!acBEd~#vBxKf1~SXY37BMW2eo`M zK^_baPPNQtmBzUPfxGeZx8PWz62{@k_Pkxi(d*AOx$S8$xCnL#dM(|s2 zF5w=2lR_;BH&=%G6G4fwtK`@^|N0Jq|4I=g@$6=o8zwlTzzr zI0(CLl|H9zqWoCR@|5u3DT3ov^8uTmo5wN-z462y4zEuX9`ajem8X+T=!DUp>vvz2|ZRC_f0TX=%(7%79m5r*2ZOm?q^EZ#6XR=9Bge zDqgqQ(`q@2z~6YyTX3Z~o_c0Sc+XvLJ~bATX6g)QvCCBnXX3FbH>CNHDeW`dwxYGx zr`>qJcJgE#NY*~uO5j^+n$pi|)TGV9{5WETiDH{MD!0psqRIZp`dO%NHLKWtjsAPN zz&|vZL%&M|&=~zVRC3sg9upMeCdEYF?u~n}MS6cjm1wQm7#-M15%mXM1wmj$y&vOU z&j;8mXuSMq^qe1Js8`@?yT8NucbJh6ZZ!`pbO!6WiR%HS{W37&F(;h!Gk z7#R<&qGg8QG-p#-+m{R1aNbj|STjx`xM2XE@+ka8tZUz!w>_~>fDDES=zc-@1Xr&jC@n&jqR?|`P) z&u%WW&zb%jspl#(uInWy9+T6^Yn%JzY{>6?1J8$ipNYRQz^w7Uh3qIe<7nAXRcMhY zM|ZEQ23mmo)O-Rhro#B9MUd;M06XleDe;%Yfn;Q49DwotfntO1<6KE`@svBfC!XFu z)Lwmmjr505G6P>+iKv#(hQ>Za_W4KQuW|j~=&q=}D+edK2L>SmnAm5>2uv!p@N=mMQhU*;6lFNgS z1H3fa#sBkPH+=)=>Xw9xAIfZtyz>(cB2X-jd$^#5njN#`gNKd)hq?3aR$#^cF>A`KIt8bhroh#&&*X>l(HvvA{;I*FL?0tY&S;Kd-2 z2LgwGg$_Tywc`am{0FE7Yer`qfL6~|`}quCT$6zGV>{SEbVECiAE^FgK{5bPXfZl&fg zZv^pvDm6c6Ef6Z!PkDX^;p*lhJ^49+VRg*igj{H4ohHqbZdJBGNUBu!?hrsb+dK#}IedCOOz`*WLDxE7j zd%v0U;5O6ESnug+1Y(?X8%7#~u-@t3;sGf3yWs7D`3hPdo}ctYcmJ*s^DczaWkh}} z{2ao}@d^XkYlbsQ;ea_w5kxxvrS^1i=4&YYWy(F@rFfjkG^cv-G5(nTFE{f;5FDer z3bu{0pl7KWXpP3=w4U))Jz5_rlpV;D6^+bS#eH)3_x}PBBH#YWt8_84?G-~@dX~U% zedvqJV+?nccgW==g$zl=0ZZfHN(%|Xz(^78Uz@WsPh%p#K)ew^J_EC{KzPUw2O&Vo z)2jaTJe1UJ_Z@+#`7&sL+--sQf;0IK@|?u+cNA-fb8WrykPSSA2$R!fKNGp5BiwAG 
z3|WB7gx$>WTf&;M9rxZ$=9lNnhrLsqN4(W@^XT}SLVzRSy2}m)H^K`ZslUPPd?Aa+ zc{*7D{z>O>TJv4#pHl-ecc)}Lk|OH_NG~m=)^s5PyB)YZ3uveXS_6$Z2G0PzNx}lF zV-ELyti<{>p441z0<)n-{2%NA5Xf2tY$m;6m8Ci)SGAC8%4Ikz__(EhEhpF21iRv| zuVZ;2=REsxF$nl|jnqE$$GJohc^h2jmroF=v)0-u*&*QC-}Bn{5n-{~#`^w<_VCB8 z=l25mkIz`M9i+ljTz&r+kR}U*r()y9!^3$s0f7{m+Be%rw1Llq3H!j9zN;xt+usM5 z-T%;N&4R~xE=Dw8ltTv5|A>2eV1%ns>ErI|O$|&%2aEkvm?+HIJuS@BE5bq^3=Pbz zT_1YvoxAhrCja+q@z|bv>$rEAG$NWns5AkiVzKY|95&QUM+y?CD)e#x7+Dh=^t(3=k_fZX_}Q{2aI9#gU(CV;-tvP=dcl||LcjU4IW{r9?@$=21Ti|5P@b~ z))^jDiz)e}t7dv|V1+0b&KoQiymrlIT#u8jAdJ}at8L*qXAam?|9c71fTz*E)nd4g zHCm((k3q((HPF-^OeC7GSvmar_T9gTaVLmhUH__atlTLk@m>>+5T<|CG9_x`mcGyl zDlD9HQ}3L58N8<9>al~r3$(pLS+hm^Qttci;K}?ocbL(8VguMIp=8}%2nB&d5D2%W z?l1Q!y1H@?eU^U<#OY+aVp-FYlgS&;TEciP4+ajvbczY5)j+1S3Fu0X?M`_K%8Wq{ z8>0gBss-r=?IH57UQtm#d?*KW)3QMfk`S`K{rhAXM3Z-p?_}%sbw&nGNWl43)I_A7 zCC|N&7$z>(h~gIzM{z4#M%JdGt6+kn3A-!X8rEcLq#`^J@&6k}z(2gA1gDZmZ}y=I zpGiv$$VjAP&xRU1NlHjy`%Hi-Lpd;0Ps`4(Hr2Yk&1Nw!3>zP*)~0+5T3`sZ-A@-K zqFkK|%F4nktfpna>@re5z$M-B9E#2EVq(aL>m#8x4x7I*>aPuoKn{<VU5f$4>X)mPDg$JB7L$I1} zo^NyUcj9P5hpZChOREod3D3=xF}Fvq!YoY0Xq2y>lrds;SY-jcGIA zSs8CbX5V@qBENjO-0uzFo=;Ha^PnNafz>n?(=5dwBv$|Z|G$dhh1E-hb3Y~`88xxdf*XuAE6h_;g#6B0!cB>AsAX^s*nsfsDc&C9V4!Tldk4*n@l3@lOY zeN)>2!Aj+PRz7Y?#*2JB9P#5J*SkS5-x;886wkGxYBzmQArRmb%yPq8a>l(@kVh zi5}w2_`Z=d1G*nrw;)(=>iK6$&JpxpNufZ<4|IH?S~xVc^l3f7U#3-`7I3Bc%_5g&$MTP;$Ucpqw*C_~|MQsS zqjSudk0H#jekA*#5tu&pkdg|LuCw@A!&;4PmE^L;F<$3XO4U&HbUa6yKK8M`_kbls zzvXCAGgbf6!UFr|_G)W^c5OcpKA2mz4*HXn3E_Nm-<6>2X=WvqKlsp! zi%Y7$`=A>bl-ehL9UE|$j~^T2MW{V>XGS8y!et9aHKY8&=_st!!r41$(5TO;rVIg`t? 
z!xz=_;B#hjmX?;)>l$@H-ieOYq+b|qpa>k~FBe`zC0Fu>WKpJCc7(Tu;|{X$-}}LH zH|Rdhn^0LlDD+&~mB>i*9wM91@AQTHhJt@TKgX0*28Gz;fJT_{`f&b&?8o6Lq;R2%EH8uqfCN1j4Lx1*#_}U-x*w$qqnV+ssh#_{S03>bQqQNhT~)eFI%V7+uElmja*KRO@3)qXa1ggBElQx^c>@D^1%hYly!1-Dg-OH6 zm;rh`L%S1%?&aK?sgzc)cean^dQ-5;bNkO@C7`y`ZqX7~8m}@wbdi`j;n466m!<58yh>_SN`N`uPEeV?R{-^%q1U&w+b^Od41b5pv`lWwS&H; z0WWqTm@IWd@+)AoQ%^tI*T=rbtjg8FFvTR;OzL=ycH^laeGmuOE9%yhNf*d(pX_Xf zjL%KgJy>b}6-uwbg%*Cb%kkFhs|zO*M*|)L z)4|UIKvVJKAw=}+Z|6vk`R$$uS_J7&6#Q4@n1nJ<9$iW_zo&iWkN5<*2B>FKh@JYu zmye2Y(f1Th1<1u7pQ(j8<5Gr;!hqQgPOl!2KDozuCH@|uRz>rF^^A`gATINA1Ob=cANbm7EkrfiZ71|dstzK1pX?{_K#RVYVdysNVYl_mX= zP^cX0SZL7`JY;a+-NjM5#_j$0BqXFsvsqhm!MycP1v3o_HR1o+a$~UN81=48HVwij zX;qq)mf;{$1SYq%w0t(~jC?($tl9_kC&W8CI&@C$*9K`dN?&2*>(s|qSpJj%@kM8B ze`qE=9QO=xAZ~`Y9sXGVW9avHjQ3!MXgFqsG0#kF&wnf91Bqv|3D|pC6k^P$<^(8! zS81d6Ecw=^D^B(lG(ir(xI|iP*#BTMS8Pj;bzCPr zJ2HD76u}4YPXa9?-w6Y$aZ*bn>`i*bX#yv)4L=4qe(?X5K>oKFDH(7NItWI^W-UgG zynOGFkzz)1#5n*tnZeKU6ph`DF2|P6+x5p^^E4Y}E~Z~{zcDp6CC_Y&|81z4au6rG z#FRMabse&j){?+>N}OTNMB zhl=0K`vzg=nuzCYDwSMSrN$5#pOBEhD@D*%sy0@r%V#=KvDq31$F5OnNzxV15q6uH zeWr2@^tVd`DQd6jr7yz2Un-dZVu(;3etEGd-0I_OgW~QeMt9Fw=Vg#3FKRFx>tajS@6qm?8Nh)GvmPiXIWi z!TwFa#*^-V6pB~CX!x*C#J-jAM1&%_UifQ;WnUG(Qm$d3)d8$5>i>j>1{hUDfUEz- z2s&J#ElKe_XeWk;QV4|2On^G&6cj%7FM1{!6gz;X<}$MpCTTaP>&xS8oqFfkZn*hB z`y&deR&m0V<$_*jp2roo-rSV9O^C9mXcLXzA7 z-mm>@GK1(E#wYW{j9&z=mD@c|j%`Xav8SbCP_p-UeKUgJg7bjox3c5Wl6YPyI8^=_ zUdr|kX#+xcc!Xj4R74cdksXDu6;Uh91O@h-^gf33ESO0I6!?0ejPQ1RQMs$&?_!0dbv!AC?b9@+wu${hkP zG?4t;johc(A9)uoiUVOA%oEK2L}&7X==n`M=Wo&k+g4BMzspNqFBM_eMRo!>hgHy! 
zo#yQgk(E}u%Lb^*Lf0HUOzJ;YM-JUvzMYb4uL}!D*}~+o(w3P^Wj`fg9e~|+A^*;( z1(?qt=ka)juZXSn-7@@GP91#j_fPzC7Thqeg=2a*jTWw33xFZ|#ib=@o;!i%S{l)< zif<Q#$OIgX`v%QA$VuW5kfckaq& zousKL9Z;Nc>E@dKlSoB}^B?UDD@D2ur}xG1<;`eF)4m$5T)Kmc1+tu#5Evq^Z=`>V zD*4eUx3<;h%l&W>2Y7rKxeZIfe*K+9fGgWL*Y?sBC5VVE1PET{RMdWPrw|Q!%~cBY zdrMh>OuLcpzri9HO1FGbv=ppI39=WQFGpK7FF2 zE7MGLGazGPf-JGMoj(eyQlKRclOX=i_Qt0pKAu>kNDmI=uivO+^19=f>n+vG>VXU& z4GYVl`iSia{v#bJz!uQI>Hf(E#z5|8q$i_?*G~5SSAl6d0c3cL0D^A)s|$VxLV=YG zHn~C1V@5)r761c#;k{nWdg)AcKGXbGA;L`MB{^rX(p@tIqd9LXA!v?EZ#x85t+ud;C&>QZl}{GOhPVBdxYOq-%?p=}`~k^q#`zme&RYYQeCSm+3& z<>uC^nRb@?qXi)S#wG+@e>w1ZfSjv_t*>Jhz#7wlK7RJoF2mUNpnF2OD)|aS(+!GA zyl$VtoXt^|^&e_Bl3Y&ZgXEZyCT7H`LoK{y(}2JSeG+HImz8~-J5VNI5NZkh>gxC0 zs+N%xXpw(RhpH@Z2cB%_CJC0mc;Kdw`t0V-;ctR5!e{7|=%=wwuWCow&8*;@pVd<%g`PlPZ>}Q2;Tw%Ey@Ki4GrbDr|N0BxHOeLvIpWh>^{HhitX2| z`)%r;hRC?vY7$NZ=jv2CiU@?*&z}_LrOvRAOm9o!v3Y}9?}Ttr z_ZFBMN)#rp)ZrA|ye^)eNdUDSGFwY!CEkh>S}OUbMXGK=1U&c8*8|c_wWVsE>gA0W zdx4z|R~tKDab)G9n6#CoJ6twv6sM~6zxbv`=YMDC`~yikkQW{iON(^!K2=v5MyB4# zaiJ|)b~J+q(g6R5E~J-2K1z!FPLpLGODqIEYYM}RsK>@}gAL-^vjXJQzOqU8ByfrD z?(T-i#!3_y7rXB_f5#!=bC16|ZoD4D)UxfMJOFaBqf?r*x6t#7zApvsf;p_LpdfTj zYb^oh`}doVNRfcE?gneJ??zIEmzn_+5b5^o!`XY@johW4_lSu%O0K~^r^o%!s4fLc zW~o5*Ld3nMnl^xq3YmbZtyDS9 zl(*Io#757fTQwUh`%4TZGngzB4D?Tc6iXVQu&~MO%Gux0cX7nYnVokp9W9N+94ipS zD3AH93>u<=(8JLbDw3X_kMc94ATX+kn!s+;f=}GI91slyTWjEwD7T~3Ur6blA8oRL zafk6Lo3yo<)74raw_CH(b3V5>z~gMez`jpf2PjFq)wuvX`mdMfizH*u6FBWZgK5_} zK6k=mF#n2s@4cJzLf+1Q9S%(wfbSv6ivKtg%_oQR{I2sV1|VnMaGv{q0M`D4eG)<1HMNxzD{?NST$SKgKcWSmJbA+O(-C~? 
zV--w0rOVB(>fz^ERm~y-!ka`ySh$Kf@b+&+qlW+yq36xKIDMpkUumHA?&S|xRFmE| zSS=OUfE^}#e3&et*jYs%;|HdS3o`uFsEut+eO_e?G3t)TqA$aQ zu*HQW`SzvgXU7TbYngztIx0-9bAE&9UEreBfKSX}RDOXzhbzne;8WJ6PhGXzUe zIfpuS*iO<|(Tap8Sa4=FD~XE9$9!7N6}(5m3BT)nTW~fwnAdv?;&V_>5P7^#rarlu z0rqfL4Z!kKP=7Ff=AQ8vQ*SoM5c2 zdN9slrgYrb`j^$vk}O6Zo`mNi#H+R^Kp#mACa~M-?!5L`zXb|pb|MnBydV8J7#fIS z24y%;8G^iiV#*rt#x zG$x|Xa~54-%P7BaZLX*QZ*SU3Fx({zPVIC=EedN-(F0J)89*tr)9f0QY(#*p{2S9{ z054#;U%}nIVZhzF_S<>)9vS?<`g$T3%~)-SZPw)Sm|hU-U9aS?xB>Sr{W{~4fO+A- zxH8a>6d>7Y3}!{bbrn#l5GkysK{oeU0BNo9=u!(%soLu2Hd+8| zec7anrjRds%HW_mgqYeRe|e;6xgD!H95VY-V`5}sP*X?QN!lZj8Uzm6YC zGT8Y>>&5v*{M4qK1%p-bVmEJ@Yv_B)hmxC-nwBX*K|E-SOdetZ0s^0ndM|f}hR~|w&!MnSa=?&k3g;uzynSYSWCA1QtY5C9P*MjS4 z+aOPr2KH-b8qm0MxH{k`AsKx9mHE2)vGojp4Pdwu+Wh||GvA@MRFeW3emv980%LUD zrV`|Ii7#}uMFmo3V`bofWll5nkQkrVgQ)^^-I%u|d|1eMS5xja>N%Q%2}xRCSU9O4 z1BW|zuB9-aW2GfArf$$2$?QbtvhgHGyS8HV5Qy;b;+dD1Z8JP$9jThrE-HHS+OcYV z`;95WL`#bxNJea8zNWPCo%1?5IpGo#O2j{$>&!%e*FB9&NRS4>u;Jy1TlD7@kcHa6WzdNl;J__tl&0aQyYAX9h1`xSrL9#O(F>_4gn{HIGL~ zDEONa0Wx+WWIv+yDk*uYQEnQc2FfiBZoK7;_gwZms8>U{wmwYJH2`iVj`wr{r`61v zS3T`HhBKJ!{p_^AS#R$=LHnl-X3lJG^=$6-@A|le$8S#;`T5|c0i4W z@l8jRcmD8ECr80t7byL%0HK|90N(u<(@sh6v*8PZ0-2O+&w9;zK^g#mszpm;MTTBS zU=kC1oAs5U;m4O@K6?0Pro(yScla)fXo6H9uPuB9dIrWo_hv43kNA@|eiRN44lE@e ztao{%{G#-dMdNW%kk`H!~g1SATR%M^Qr1%DNr3F zqpMmks1;7>ap?Q<7N|5&NciglR5A#@y42SXrmaP`Tmd{mT4ipDS>H>#$I6ta+n5Lw zO@Hz>K{8r0c=MV0s2qccPOb{0jm%VgtcZuD>-Ay9gk@L_eS_shMKJjI2z{S}fPh#2 z9S;?3Y;57-1g-o>iDag}TZAB_rgakgpKQi@94o_&?K zX!s16$J-Ux_hyCDs;bx}0JQ`pF6A#yef4tvF{uUkVIV(8J|#^9a)D;l8i1E7*QqO0 zW)8f@6Tq%>CCq`(yrf*7A9HP{RR#j@$c1tDF~6&Xq*X&R*>5QH_<>i+4@ITAH#`wr znxd5F!-^g9)8;*T!uT~u91Ndcv=^i%uRyhHQI=sym|tebT86Z1+C$2naNAxc*&vwi zwNr!y=W)N*RsuauDrnEiAzF7eqvsLrav8S8&m2s2J5o38P4+raIa~)4=_Y`Rs<@g8 z7p}Nh%muK)Po)Z>?xi?D$n0Vmu?Ba_?_WMT&+iV0PQYku7)f42&=I~->ewlmMh}hZ~k-HMQULQMHiMh|EZVP^*e!-HDW<({N0aN;8xh020H znq)x2jMkJq?m1VaF9!v_UJ%IreI!})L1hbkIpNNGNTz}Zi3 z9F=^Di)(zN#ah$707%H$e$NiDLKC2T@wG0!4Z_5C;t85ml3^_o_VK-v2yj=6ow7!| 
z9t(TaHA?7jY9#^3Y66WpOPH$2)X>2$z1uR;^a?NH|$120-5kHuy^E-2sX zGBY!`K5Dz5^!JdLETpBSYLzkpKKrgaN)JfB_oi2 zGng-<6+12#+{#oyMa_y&tCoC_Zo>H4)Iyh(ncBj-E!9mWtuD0R1s^fVY3W|v3L}9z zhuudJ8rps34&MvniFtDg(O?mPf8CTLstm2>!RI{EVfwU5bZ_$T;JcCSAC8uM_@*9l z6l`FGcobYJr2SL0eESheX%!n#&RET#D1<58ZZbD7zI{}?@f6Uz!KPeVmeH*u_(~+K z-3#vEOBfdW>}y6I4FK^T0ETEnh6CGN9eMF&v((e#Z9K7c^$ZrpbAR>xqn~AJNZlt% z;NvHZnxpQ#qU{%U?T}pNf(ws0t`0Txux&T28};ao`1vU+4=5(HC}VTFBvp&zK)#~<}|wyq834qRUy^C=rL51#y3Z_yn+k;IIG zpUsMM423HXZWP`ns4FXDnS1mE@aoEk!f_hsE1=5qi<5GGAg2;7N{LkI53yXGvRC>6 zvFvMos_MKq^rJzTk0Vr&P}^b&6N?Cx!QP`>I5CB}bEY!o{`h(q9Z$pD7#YJ{p+}CF zXh_|qSS7%#)OVII$Kart{u4DD2^3i?XMM z`aBSo)~Sd%w~0IeN<-vloyUV9Cl{H939_5(B7#J|=ndq>K*8WR=bQLuSjy5}I%4$8@Y$ zt~<_qM(>!tjyJ|AY?l?fju;<25OjU)ecDOnQE*a9-MHK#{={7Kd%)7Dqx510r3-@= zo#AK+CWEZhoJ%^a`dl2{b*wqYbj;zf5&creb+MQ@&29gX^YH}8d6iGbYC&_**LUPs z>a*zy;LC&lNk-=k_C|cvKpQTTQZjP1mWh;Ec6E6hc$&H8wwTXo%@q*A_*-yU0J3nl zz76a~-ieBW$$SF?=~&oy04#0bB4vCR7tns!sCOFG9a9qWX*-fPf{*{#HKG@$|%+wRt_cSsW zXZ@PI=fY@TZJ6%93MR|^f(x^r89PX8h9QgFvH+}EsoLW1U`P`M;8mFzlxk7*V#2>_ zph)I?FmVYbA79HTR%^YkDi-TJ=ik#QWq9zNnVUng2uOC5))tf}=ajphH#sFKypMaG z*x3RaC{=fBNdh&s+M;{}Wb_4k9yeP6xjh9o<>f@6HQ4&JmBE=8sKVmqobUGB z^LWONGt^KHz8ksAy91B|on@ENbkvByq{T$k+og5aM=n5aDb>+rIw>>)s)=8<*dcgv zZ(#vHqm2(<3p+aZp6y;Ijx4u)K^*@2W6%a{s|mMvsnOlGbZNR6e7wGhbbDia9- zpu5<16bT7KB?w#}T48J4WuGE3Xk-S42BE9%&^;&sn)(FTBELEfrF%^fJjJ4NlP~(jnduH-AFe`qjX4#v~+g~(ka~? 
z(%tYq2k(8~`~745-xzz`aUF+o&ffcpwVt`=oNIK@lMton>^i#*y~{`n+;q^dZ-qxqDrl=yk8l7d|YZRsh550$ZzD62rmt~ zTl5%ut*KR=xvknQfE3_2sI1XFQE>MF?e%(N->yqb`qB%iwxsdo<lFKqY($iYyWH!Eg|mdI2^$|K5iG1!evTaU0IpwpWEd~(_1AB_0q-~>DT;9x&$p0V zj}sk`nL$0@zEzD10?bFnmUEn7=PvL(U0v%GIQHtc8J0b0PNpwVusU0>nVm;!b~-Xd zLQU>&E|;UzQYR0LP`%XZ0A-^?KoJyCcfx7H0E6LPZu-4?>I};!=O1d^Q^!oE#`((DDrO8YOhA zQ49Z<4X$&p;aZa{ej}q&^S*B&`oVnYTH9kxFhgj>Ik;Im!d>o5Q&jHZTU`0{T z0VjCeH-G#r>!L>S1h}$hRg+;4u*Vv6Omo+8%3@i#0b``NeMff1RIVQ}mOX2JyVcSw z@+~W!pPh`98-8g-9BP-!M_+$ugOex$HOXG=Ua5V+ev`Z5mAvcLSra0S_cB_VeqjkL zX&i1Y4(${U<7|rZQSETv;J(-`=UtnH5~hq+B!8)?8XOKQDG5ruyBv1lWqnxw@w_z- zUh2-mZQ8vN?PxIN`;K*Ov)!9BV8i~3%AdvQdSp1+!U0q?d-@ff2YtEY1FNhtEOt#7 zp8--304tI(T_-UYU)MJj`x8%t%=rz#n4C6|tsfVkyiEBCx1gvW|I zaEVuNL&GKzNGjdw=42E6)cRf($$viq`=Ny0k_>6;;e6xvx_94Wm3qWx3H^FKb|vpk zmWgBpVh;7vuWwX^blVkQeCoBkT5x)(%Y)n;sO0c_^zuL8Cr61g4|)}6(_TR<5Z-%8 zbQrIA4G?3Ahr-^FaJ^1;E6#)> zqh2(KQ409)=N1%sIEdo}(_WYCS@?jy-U z=+gBEyV7@g$+=NPS^ticUStrLM0kK81JSl=G)fg+*zv8nO1QNhXvH19AKtsMwoDqY z{!w{dsjQ>;3_q|TFt5@32OC_|!Y{+*H3@@;?X}akn;^t(& z?(6d&sVB70j}|kNYc+R18bwJNF>2NfjZ@IjNHkErO3`ILXb;97(Wq`81xDLLp#7{B z!H<`dM}HnGTycc$b%QcESM}lN<3m&KYsTQc>7hCSW7K23Pk=;h&WE$}54+5p%x88P z%XMSlFJyw3FY!6v+xOUddD&lJu&5AgTHBtWRcpxkkW5=$GNPz-wahj9^dK|decP$x z!+sLv;>ZWzNs&lR<`1g8x`wbWZTsI$`S17)3{&rdQp$O^ku@mNU1S6+RW)?F3c^QZ zj0&f_*0O9}l5?hF{w}D5?)}E8c(k~yn&Ve^7HWji@x@AIoo;;~Pm))_vIsUtNt7_cfbK!#V3lNuPJyZf?t@-WqhU{;E zkw|HNkTW|%c)7ZL3CeJ?l9C~#b6eX0wBP(KBT#v23l2cy1L&|NU3sIER0Gm$ShFfx zj;Q%uDAx*IPs+^y8&AG2TwM?1rN>HP0gl07{p9l_-e zOg!;Lxltq*IG7uePDXg<6x0iz*Yvl5q%)!+Uyq(|+2V!pFftoVW##3jfC64M#Hl~# z`B`-ao&#;ww@|%RJY2W;y2>s)e{@nu=6R^E{FJH})0gY6sB*0w&WfcOMwjg z^hb@n40v-OjdRM$9nxW#1eJ{6dPdd(5y(`WC^0O4S(Nwg-4hB;ct2RBx0IUFO37Q} zI_={4;^EgTKaO8CF^0~8)46?;%QooO;k7r(C?hbqwY61M8MhBVS7EA9jg_G~Yt$-X zhG9X0ud42HEznG~1AI%_@6Ey%DbuQ*xd zCxvq&irv$Z>8PKOoeGHNKUMhri_GnPMoE>^)-c<}gSvtkd(!y|_V(jVMdu3hP&4Ft zyU1^?Q?m;v`IJ6oI`?~3_k$XeaqWVu;cu>3m4!)*ae-#-(}-{SHYp9pl{s{c3JE`X 
z7!icBx-a~i`n|DL%>1(xn~jGO+FbdepzuEbxrl7K)To$FbNu zse5|z(`(hmC>LwLr?cZRM?ykk1s+ed|_#1LgK_cGqy5|PpF~+vnLyZ$K#4$?Wi}lYq>U!;9 z$FAyCeRt7Hi8r1++6X)EQJPu3{v%YPB!zY>xTph&8ix`#p^xtMo-^zDYv@<}>7!sy zHq1X_Y=ZXx{INAxH3JHHwu4Wc&iog1vH%eC7931$-S`_(O-3@2!e0oa)(9j1OW3{e zYiWb)?3r^o=}bQ2$`JC)6Iqjtd5$NdL=KX-_HvIy$w6Wq78|K^Bv=NNTHkc@eB9^K zrPx*SvI&QhWJzX37^q;K3?dnzT<6N*ohgX1Joa(^Q11t0>KMLMfZj-lWp&}@A~>1G zwvnMqo9HA~QJJLL8^*ak=!q`gB(_$RoAr>2Z!(V!xt z)mMA~s{(}@f*Cg%^a>-A*h@q9GkPvAH9EXqQzMGd2+egjpbu!r&yj>>pwgcVJvux7 z!4-#61>fPPu0hqh3fOcMU`2=vc3*r2#XjTN#$V)p( zii~`dOmhv6aiQ0nJ@A@M=sm$QW)Mf22_KOU^LQ#|puKTb{$=K!WbypohhF?q(BYc> zH-?2JwG9wHL+hOZNGUr=H^9(PPfh3A-iLEtr$@7_RSmT4nCXe-wjEdLHE$^129=pS z0D0%d6&^H6X@Xch-s3hJ*$$^(aT#lcqw&V2TZs0Em>q6#oxMRS^&32V@X zRQ8zzGz^U4QL|qot4WHIG&=vAzBpUp@Q<7?pJGWWm6VCbwTJXt%BsjC0 zxcMp+#%n-Tw%i(2ka5rV9M6x9t>1F5536)KT^O(O94>7RSO8E&$F` zcM0eN@$RS6HVWZuD=O;W?{atbqT450&C5)DrDUum#KIC%$dOhujOx(Gjoc-8C^tNY znSdT{jr@s`AYMM){kITLjbTg#*T@l%`tW%UF1(kRoR zJfk%@t5NCOS+MCjvd>*zqQt7U*{!vJIQlQu50OXNO`a=m4YjUVk52cuIT*wG7uM@ ztwp8nv0q1ZrN)tsJq%QP*uKv0RJoX|6c8BV!3)nIaiCW`wNL>>pEUQQ;C^ykE~@uQ ztB%SU0{HLJ_#1uGd# zmKo;Ij*%%RSB7ibzx07uGUEmlPyG-MuqgYD`8Ln^27RY!N>3`? 
z(-gf}5_p^#4z<6Zh5wjt1b(3HhJI_|KP~|G!Z&lI=V<%r9NK~Oye4)4>H+EiZLw`V z=NgMr#ar_>5Di*o%K3O<9OgB?GXo^*qM(#lrBGX2+kQPc&B3Nt2&7^;0(TcbJ)Z&W z834t?P%84o#PC;8_=%etRM(cCp4e`=_d2}S2Y0}he;Qw2$z?T=0Zv_p{cE{dlnXqn z+}8I!hF`eq$F(6F+u%G)v-H2`*&33TdrZ)9azDeSx4HdhtfnuZq0iUd3ODA`G*ghh zXl^hoajXhdK7y`gy1ZKRh>FiW%_P;f`5s^VMVZreV4H~q-UCYiP_dttv$7I(ihG{T zN{#fpmlXbi3MM58utl;AwX2&8LYJ$jighwwZFA*uJ$3`NO93CX-u|i1-h8uW-Dbi; zKnKm(1$7bKYp$767?`Bj{90s3It$_{I)2}e738BE-)wdq&cdqOEGCdlb1&$%YFDuN zseX-)CbxP^f#gK@48X;)(;)80G(|CWQpl*iw5xt7C@k=6yND7S6P<5Q3@&+Q(Cw9M zcAd8*v6>2LipZF$BUkYvP)X3Kl?f+F_Z30Gw>%)StFk|Wn=eifp=0>gi$6to)$_F( zzpEF%T!5~i5i~UbTP6#5&5w%|KC&jzbpm+gk)bge zlQnv0EYa?MICsx%+{^~*Jm5eogyPcgG}JhE3DKie9c90qBnC7lKwYB^X@@cme-4%# zZ2O_}W1LsU&iB4}Jgi5g4f^=l;V@mY98Bte9)|W{sFhoaUD0czTLuVuKhB=Uu^$pR znA30+fv}}_#xN7lfjdyk%l0{%1F_1E%o+WEcu#XAEzQF5j5^XcPsiWX-@?r@Eh$d` z^XcDV_$4!fOWkDz{40%a zqCD7Y`tHDbzU-;jRP{pK%~ojKvbSAQQ3b;$8p6z>xpt0HJD8P&c2j>(Z@h?n52Rsn zPKUkMK{KgY2VWWHlaG5d6ChAb1Td3gO9VDweMpmKy~P&C>>)kJ=poZ6CBi#X*DldX zG3j-`jaS{u#?91{#o629}JPol?-Qj8C!Lk8=8Ejgo)Hp5O>zz>CYpG*Y8RKwW@J$vij?6X1p2 zbh6Nrv-$AfwIlyRSq354wm!;wlV=FAWcC!LM|k2q6W~4mhbg7iK4ykF22F7)3J$7 zm1}Y*O9jnv?DfJj?!WCzW4vpQ+&%pH=uBYnOrKvmzg5*nYSU27F!GA+*!?@exxWTDt@nThQJmNdipf!}w} zvyGLN6&e1%- z61Pn)>|@U1Te>s!w}9aoNPOk{DEMCB2#)UN^F8B6n%q{Jvb(SU3-$i}j6<(iBLbjQ ztkZPy;$B|x7#(K4*=+2UT+Le2g?a^5ntRk<%?eshHeBTkIsvXOnJkc5bDhf6b;$s; zf^cdrj+t#hOQhwGHLR+^K!0FY3oatA;>Hj0c)dUc{P9#S#f#SqFG=H`|LT-wBZcGO zriMVTa z6C50@C-DJyg|JePX>nwv+<1^-18ZS(L;iR2hn@_AeaAmmQHaKb_FH<^Ntz{whY8W{ zXfKq{nWB^UOs52z5c-4p%s?y{YfoDM^y107UU=oE7PapdzdZ$1W*$)?XtIAjk1~wx zXad8h3GXd1sHUcNrohd&zB2uDrawT-GK#lX-usXQjdp2q7=yRBgvT z7ngs&5lQP+RRx$-B6`5B0FYDC`u9;(s;zE}Jin1jZ7w)w_L5s>?7S(qTkFy5j`>kk zm#^s(iTumvfj%eL@){Dcy87Gr`m;KvHk%K7{?oVNv>kHcxrj@T9mE5^J~p$6!C9B@ z_Mu-UuF({#y=b9a+7t0f`i6GxU)AK7LG1o}$x-v6B*B8IN*VK6>wd7K@lpTNuTy%p z_1aJJU*K6*mCS~0WPUNdt}V&2d=q@kXSpUCPCY)|*>Xou^`X8n_KW6p<=Pt1&?{>M3gr_O2cGM-e%;@oHni%2pZWBJUNTyu@)hQ309)8+WCr4?9NxN}M6{%GZf53)U5%G!iSS$ne 
zfeLp4ZR2B!tl&!+)T|xTfja}tr1DQ|*A-$E(0wmJJ+*GzFi49s zdz0umUZIJ=(BEMCo3dwMK)HapC95-0;9704+YjOF&R)WaVWB9-vNw%+zUqqrBcZ@T zPBp+3pBnG|m*49y3^hN>u-P_ge&m$1L^lrY)N)p9!SD}zDIRDNGwO)%J5M$klNLz}QYhb6dJgjkVQba%#2=(N) z>%nMx+|xbHEH|2IM>rM|kq!jhPswh4c0bb6WJkT7x$AFP^RNk^n=QMssO}R!OA-dI zS9a#8+|VQsxFrz|(x-nu*Xmd{}GvOsAAxq^sbGli36{ zp4ykCMl-c!-EW~C?@Xy9YrT$_3nt9SbhC^ zx*GeHNlsB6R&9m($6v5*E{>C*T)DH8OAMW&AvF-C?do+Uu+jQH=HG;^_hWcvjWdeM+xW#yv!({ zL*(HQnWiYO@yRc39x>$ zINv{&JtkZq0e{qN$1Ytv^WiA6wmcC%-m!?_OyMO?)=4;+>UWc#tCLo8E%Z2NZS?cy zpL)uY_Z^=e|8Yf*kh1Glad^;lkYgv*tvteUt>ws#T;T}WH;vWXs^T6CTQ17>OzpvY zZ3(pR?s$n+M%dRjwqBbIktit~^1o~tEK(v62YeQ>A-N0Jmac!@vz+>tZYxOjX%b3acDyi3`7@uniBm}FWMNpH6i!~C}X zS;7+tsyJXE!{9w(0BZ~q1_~+O-#XhRA%NXaiCq1a!&xy82M76An;tcLqn{lp^d|0PZ2u{aY#WafB`Z zK{iwg!V})c6^w<_uXm$c6|x-$Q-@yXxy@CgQK~LKg_lU5f`<%;YL5`<`hadGAqp%E z1%@9kzIHkOwm`u4K8-)c*H3G|@(grX`wa@l-;k&oYkp@XkW4~tN4XS&q7GLEdCGdzxU)@+DbZDsM40uh!WUg;kxH_2fu znP&^)`vnO1Sb-#c!0qfm78eb`Zg1S}Qwj8&hyY4mSU&zKlvO|=4Op*8!o$Pod%XBZ z#gl*K1v*MqbK%8Y}Kmjf#iNks?4T<@$Qr=q! 
z$%5O%CyrQPcY=#KksFq7x(dU}eFDc{lYtpOdwGf5F>d(5W-m-+apotL>BgmnK9}Vi z>lq4_>=UzK+%Q7Yhd{6o)fe$8sDhzlVg%&VbuEpbVpZ;!cCMFe@pB>M%*>JVE*nIW zl9KXlR-hBTo^nzCz$>2jzzzVM-tMcX@Vy2_09vsU zoPh9O@34U4Kzx6vajMIwS4#N?ZlB?x^ZL=hjtJx_n9q1V(gAb*`4Pqe ztxo_##P8M}&E|pN?pdm#ZJ<@4f7N#D^9%-Bz@a3uq2oy7pK=<7L?-a~Ck;oAmcI$9 z^%H(Tlfh6wTy@Y=x04iXV8WyLH|us?nz&QZAHhxhMqzA7cin`todF@P-7uul6qLU+ zx$M_-Uk_(V;q~-)gc~ZAxKGkhQbNmtQnt3X{1wRmShDy~9^4h7*2$_8ns6{Rqrmzl zO?0MKF+5v(4Z^t#QcO(jaLn#?-e?195?R?~3DnVH@M$Rt;=}9uhm*1bl@laamc`^i zjf{YL$qncDU-7LO0q_&l3)W*8TPpgJ1O#5tTyGBav3g2Gv}-4gn`vFY%N~C_^o9Ty zv~I}+q7YSJclB5Qyyyg*)%N6|yX}b$s|R*27QQq(TS1{U)e;djyqLVxou4OnAS)JJ zQPZ8*fE`3ee+G{L?_&NK>WK$Mc>iAiLw*(j(gScLlWI)0148MT)YQE=B8KoA&{_~< z-`WjGgLCv}D$T|CTu;&g)WWq()$F|7js$p`@i(mV*TI5?>Xq${7PqWK*?*a{LkYmV zi0n%DoHX3n$Hf|n73U1n0PhCt8j1`Ye-&_@KYK~4N>w=t&%mnP^F>!I(4pUpTKqznp01*?=hq}UYhP|h^ zxBS$4G#3+)w7mfn+>~cypcOy_?`8N-V|d;UO>{zx22R^Q)Ce^OWnHQ$gZFE1Z--u2`tgExv%lHZLG z^>GM9)no0*g3!iQdEe=ZpbL-#mMC5`70`8M^!=I7 z5pD7;boiew&hKpgbrS`qumsX+ISZfD4znaCN4#62-*3waiw8Z9`+xc(XIPRh7C|RJC zSBUXS?;*CuLvV?Br4h>Pw9eiJwqTl28cfUsJIa44pARq5+q)S=s8c-CzV9Lby1M0G zxlV7D^)h@1c#oWgML`Z_12G3^8kodopFQzWx5XazpPj+k>Jj4?Y~9Mf8}H*+(C?p_(~9`=3b1 z#1CWeYRl_MZNbaj}yBH)z1>4QL=4z+0r`s9`$8yhGD~U6*fz4A$T^AA9jis8_4<|pAgkCGU`TkEaCc&`asz~Zn`AXUlZQ~quNIS5lD(y zl9%UVG+so-7@B|Y_F<1d2IOz^CN?$;VFGrGbkK3a1f|Qw!p56s0so7zfJ&c zQVyt~dCy3xr~+$d52Glgpx#ErGp&O67|_b~oXbYaC~zzDj`?*a6O#ZBeK&nFx<_f( zxuZ89p0f+hp0MwXwAwyoNUQNNBQst^LtWf`S0OEn>!-o{*y;apss5Ry0?8(6ZM>jM_xojg#s@?t)K*p|}n`b-hAk+B#mpvizL*nxZ z!awN|G=TfmloRfqn^d~YckY;HnCpf3VgF-5_%LCVpq!63e`$5>#YW*~AQdXik*in$ zoC08g)i6V0`&z259jMm*2!!@*7RFJhED`6oxh|4?BT($Ja} zx7S_6f``$YJwTnz08*mrb!}k0(s1*T=)C@A`#cr8HG0D% z?ezD3>%ga?dsb^JWTn97Q&gC0Kp41010A*tpB5RhyKe%6hF2db-!0Mj)c+Yze|$Kc ziq^^b-`fG^RUp%@w)s|$3#qc0B16_!pZsXV!pWI1?{Th`uhZOAZiQ3i0ci8AK%l7i z4Zr^eLhO0*;m=fg&Lv!dUaHu?UH~Hg4;zy#?971C$e`FgbME=L&GqziiP3CHUp8Nn z80g38Q7wNIHcZyK%U`*D*C0W3z|DWlikC0^|2KtWT1N8}wt%+Oc3LbnRIAS68&#@v 
z8~ty9C}xA6?Cpijn-=b{9CHrXe8+t(R`LDpo~wU-cTQw*BbUd&}9=9EWA<@;|Y(*U)>rgeX|Lk}|` z-v|gnVA|TxC)t_v#tWvh7)Sh(@7mb_*n~7xxvz1YUhaaJnUnJyIOhq2rN54Z90?7- z-bjdaJhq?4?^o_Eao%|kSd%)uFMM;VCnrB*-NK9s{(uzF$Gf3Ec`W|L%8q4PV?8n2 ze8c%m+csWIDB|@23cg{m!}g|~{H)JObq%ps%+F4fUm<}-KMSD*i>{QerS>^6aJ zL=O1L&s+o40P)U}zf@lr!B-4ElyMN>H#V%B;0KWky!%C6n(_XH^+@sVsk^c?} z3p5Y^q{M21I#X?(10+YLdmaV`FQJxzU`t0Z`&BMb^QIUBk zqk~w?P3|+Wk{wj$oNTFF34IUOJvr6Os`oZi{1SF`}f}9ilwC`tHGaY zF(7rbbt8PN>i5Vv@O!%dy}I%<#h= z3kQpWM)*B!hZjM`mU{^Dr$bb3Vl>I;Bi!-dC;^@3z_7y~{Cp@~1@TWpHnXQ7=JpsD zb+oq+0c9Dz(Fjzc@Dvw!y>u5;>*bm~Z-aW-zxx1BSBCIDbfVEh4VA6e|2)k_aEs8A z(fOO%oil99^Bjrbh)m)q^0P03Fdz097+7eN0ys72P4QwWEgs5{x`{yD9}}lOI?#{* zUb^hi45=#PaY$e^_UsVcfyx(wWl_%#{9zkLd545|Y zDc{T2`P={f22Zkssk`qEFA?1OuaT-}ezS&s{>I=~dY?A4$ONWj3l;>|I5{13GKdQr z3wksDl$iTZa9~7Ojl%){|4vv`sQ(>ld_SSI+p7@ee8u1*U{nefi-JlcrZM+b86dI* zf;OhiI!XTY*x1gXK9*;@@{2M8N5fzbU_j% zcM8NRHbN3cC+f;A@C9s$RDli81_tWf_)9s3xN|Qh!OoFFr<8#$TkL3T-TfMuu z`K}K5!30?JJ_a`fu3@T!o8{QDtP<)gqVmpM49=#HY+O~MW4R|C(&F9_@fLGPcA+{W zN|juR9Qzq)Q+)y`7Pr_-s1Lss0HI{mB;^SS(b{yetC{V< z)0!E^Gn68S!6JddqLx^U9wRWAA5Wo>IS3+0G{}mJ{zgy0*@nmc2KpTTT#FvCPc0go zew~UxGn&s^Q8}mKp&8#3G!=DgCPI`t=&mB!szQG^T}z^j!)pu zCB${FlERO!agnQ}wXTq9fH$IYc=8|OTe63H{rgh~&tQokDyAX8Zu>Ewxes-AAVi6*Z=MO_AC;_XpY8_SkwK|@+l{^A; z6RiqEwVs>AY#Ks>zLbA2kZ$X4-?FWvT4F)$4=k1dD z`^uTA4!Y8$^!Xnn1SJawK37`xpB^LM_g0Alv%@qTbp3i+zilciT7&;W7?=$FthpajXDR(%hV(`@7@DyPfCph0}ZJbdX_ z%(36h&nJi(t3+CHJ+;^!)}zHD@i8Dj=&$QPI{szZ&2Bl-HvxVvsOqVOR=KW2%)|Q! 
zL*Nb3l=k*5?8W=CC-%7ooC7F8k`eNSYf@O4G6c(KF(<`2Y=8lsXKl}e{}m8IzR4@410Sj3kkUXAMX(mMP7pQS7-yAcH$@m zFxL%%HMm5-cQh3kWFKLS1SYTAohg}CcFdjKu&E;TxMa=hPbt|Je;-fmksiIUMiL8B zW=>|;SmAT--(0T$*NAaJN31$CSvC_gzI7&d9ld?lj=7+wB z_OzCEc$cyt&R#bN>p@kBgnQT)Zt^9S9U;BLQK{53t!oCaM+2Kidy;Q`X zZD=Y_$#g1u2{kf=_MQeHK^LgnLnz_^i-Q6LWQPuSV7f?qf4lE>+XS|2#iIH>?)wdc z$wMqZa5hwoW7OHxsjA;^(x|7pMc}Qo|M`T&Wbj3Hd}=BK)Qm#RIEnDL(0Cu%U9YG@ z-vxnW>)dM{4XGvoOuFiVr?+8TJ^(N1y}3Nr=SM?0p!5OJxEm;&8@RXzLZB;w@ZDk- z#Sep(c@MNRrdlm?C5pGMYvYnuh{=4=p;N_3h-{YdoN1U_rbDMn5)4N+wX-ds6|QeR z)ECzUUjK5m;bVYx08AA=XH{RH@5h7x>jiif*z%2@u)Kbqsa5}R1XyiKynoMTz8s{F z@fFz3?4D-Ss?Evr~q(wj@99j?GfNJ(U zAJ5vp@BzqE_j-R|S)3xsFUT6M<06T#LCjgR6okFUY9TNH_DE#tSV2K8ww**&HGw97 zhxL%+pl9KS;caT$1zOLr1-6MA*V}y|DA1$|t;TyfmORHgl^n9R z=9_&wyZYMWNwl|i3DWThRzD!ZzS>A}(hgqX^fu`Oedsljk$3p^*Lq^3L7iVGg6~ZA z_Z^nUkd&TbCS7AY*j-E*#bryvPfTroIYNoH7E@&%`>6050?2zcVPJ6L>7UJo6Tt|J zc>};YNhjCW*1CZ~I2mv`N1f3}Y{BqNG1A7O zB{$rrc>L6YW>WNukaLS0>?G<>uH>JCX)pEm^Mq?i3*g1|J6`B@t9oQAV=)xBKOkIRWWOnxp3mGYvOTj2~ zp6-X-fo`{;&>-lVHJK{7eVFN|Bm9=6@eT^3CGz+GSLAsIMgr#;=o+SxKBMFMZD`B89G< zWU${?g7B=v5O95;m$or2;XHXLnz&_W^^*{N@QXrdOw0Gr{I5VY^jODA>E~&pacU$` z3iU6b@c{SZSfJo$UQD=p)cO%1m1Wio{Ep(l6O2BH&_2pVq982hNBlF{k}O?3(@6Z5P?}#hV@sgyjdl?*=5^Fa7{a*vO2G41)xQjb|dTd3kw9 zd-eO0VB^b}q^`G+aO<&uX01<+F^n(WBTGQ(+Y^DS0eSG2pT$2;8Ow z7e{7*r36Dz(ilOiZOnUMX4QOe1CXPN{gfMocOSn9x%4G4!x&pNT^i--G<&v`3VR+z zsp8X!F*2v?O0}|&Yaqwu21Zi9Zp%e_;!vgs3aNmR?;AB>Otf$dxIH~UI&zyf zh9*x4+yRdNd-|9d6HNrhKKD8pd!OIe_mM}yu2^?WhpbyL8mSu07xx8s+Lp#0g6a4od-+6>n<9f#pvQQFj8Bx>%dXD5I~qw zD>DcVBjRCCN9tiRG&V*c3|&VsNTJoJD#*;r3fLJhQVkv*2x2NyE!FGd|7i*sCd4!< zMajzd9Ld{4mErJyvij3}&A{uoyQ`~YhPUA3M|h13@4ED1cT8-LWy8m_ZlxuoaS zmAok$*!^|9#hf%h$ZWxZ{)zqxAkT)k80j%W3XOo96&w;NvJx^umI-r? 
zUdFFgE*?omsSB6y|461d#67V&B^v?hpieHg>YmibeFS5nKz}WSdo-7fYP4ui69Id1 z>aJsUTp`;E(nCQ{ef$}@#Yyv0DG@Ysuf>C^}_({Jtg4x z9SKOP5`dvCiK>LP?#TeV8yT>0(x9QK>?P>V;m1nh!3g>5!OnxAK=17(z_}xv8I^xh5Gzexb|Z##`w5_;FJaIJ>pIilr&a8f`1(W zfivsk4DX@84(lEuAN*n+b>#f){TM|`L%zk!u zK@eaGKPOMs&+OhG$qGHgY6n=VVXH6v9mAJe(u9)G1rb#g3tPs#cyya5p1+n|{!EsB zC$#TlzT>Z5L4)RerP3#_BOpZ$N0P0K_|K6hNxcQ0QA#J99l@x1bYL_4J); z=nb*dhvE9LxNp7GxEhfh`5RWyFa$~< zByUO#89+?Iv!RPZ4?1vNjTD3EAkLHm`Fiirx3_Q^2K~Ug?iFxBn8^6!dy2AzN=Gv8 z{~8fv)BbR|<6DxM9(`FF8^A9OW>lF46WM6L^177W+|@H4X&OVl@kdOz$(7}@cL8iQ z=5MN{@LQ{d7of{o0I$g2*d=B~u7c(+l%oTQEK~+~7)!RrLM=~>RHcMVrZ1atU~hm) z6(evA$Dnu`7~XUc(FK?J zhNnMCc+5FE-^mw?DZ5R#Cj~TnQs0*ny@#wf)Y>YYMZY-;l4RHVft<{#0J|}a9Hs#& zD2AOCtK{t?uUv<{*(qs-D$<8jaS)8pLiNsS_Pam%RH_>dI=ZSF-+p#k_t`rkmN@Y^Qmu7cZ)BcNpCW!y`Q;+N9iCjG}6l zN}Z$(OR4hbW=wA!fvukUeUNCCIY#$TGZvrU>5Ke9;DD-$L6nC&2$%4wY{sg-u>Ce% zfAK}%K_i>6havEEjsl}7=P_DUYH-&Ahi-y7VkRgY1nukOL077TS%u+pNRza z2r}vhdG>k7L|VopbP3E~EDizU)+#W%`<aWz*KPH668_w7kj;5G90hX+0g?O>!A5MPLBdoMHS8frh ziZm%aH6D#Sb>9_+w0p))sAEMv@GHV+q{-xQGrrD~bO|PumH{!Uq}0lfff*dzp?Ny> zCvx(Dlv4kPVTT@)407LYM(;edFC$NvNy!vQ9}9*B=vq95Kxy+{f3&~r{4VO?rq z^-<crBNs6U(8WJcUMC_BL=A-FZ|B36~2 z!3;bn|6==Y?(;=$P@0ExgpCXtTTN^tQdOGgRo)qkjMo!Sj%4TM;O9<33*xcick%QZ zxHd9SeW%^1oY)rQTGLx3*%HUiwxPmyEGV_M;)Edh)b~423cwtIUDK~Es}TVxf^fj< z6ASOQ+Hd$xLC58}?@y|Umn>QXrU@%Hj9bJH7)E?c=MVO-8%v%Q9%?a^&=x_RCuem9 zt;Agx`wUZDuVtShT9C+BX`AOc90&gTS#%fnwDf9I5K#dm*B8HuGf)sTDSxi$)mPID zc-plyc=UOAUPF}Rz*yNQMa7Nri9!C>-Sx-`$(saV+1@(zgL6Lf)a!^37Unq5_c)w&x0Ox#;Od8gl(1{SYO{0kg&YJmI z8C-_(p+!P}zs2s7H`p;g>MVH%FqtTe;X2AkhD@3$-xAEId5Cfw@v`*DT0b{!E8GEv zut<=Aerw;7^%NWmEGh0Q@F++m*tVzDA&FSI4CFL56xXm~tpHTfQ24=5!(Zf|!B&R& z|8g1qDKc6#943I!Cr`GLqf)uWpduhJ_Ul~V6^!^<;Zu780Np4urv15c z5q5-aLM%)9nFQH=on?w3@#4;Ph~0`i7_rzm&0~E3b$dV1jtnVU9C2JZbyEA2a--_O zjL>|=&)7T2x*ABK&{_A+1soOeKDwkq$uO3)&*C41J4ye%hwftci#-0KwDmJo!YiRB zhCmQock*XU%HzZuxJiHVR4cD3(1(ATz@3$m@H@+0K<|EfSOUnkRA{ 
z2%=L+vTEiFt~iS7V{HodQIcCVtd(!KXCN~i+2v?TpK*O(`&+a897Ggm`NgEg^2I&uf&2y(!FhLn}*zquvN$iZC?shvg=K_ePO4jbov|1vipGE>c|v zm?xj;>Ji_Jy?e)oZ9y7DYm3($n(BTe!4|WIi!VGp{wKAp;R_X(C^%BJ4cY7FU<)EA z04<3mz|fQTUfqVWz}%3Y1ImvSa8+OCeI59>2*89jsZ^mu$7o@~kH?V51N(F^;?VOA1)o9xzD}lp0m&1`*6*zrC-zb*Y_k0$N3EE4Vzgu ziPnHKK?;&MigG;CJK9uDy8ubOhKeD(fM1=oKhq+z>{w3H^%K@4^g;vj!mUD*_=yuD z#B{lonMk>@w(eMju=AscZO_3ei}OQD$edfwhZ#+JHo8YVNA>DO0Y2Ca9CQ{WcG53H zyIIWeEX^jIWKI}^^c=HVLZUvuBk-dc_{z>lto3k)bt-`9M9UjNzPBp8JrH&8Bqx8G zGnI8`mSJTOxpF9xeltnj96`TXB1NeoOI?-if^)t3^SSfKZsWd)tp`g3*?t{^=zPgv8FyyG_P(MxEU8hE0MxVsUjO&L24|6dW8D$zvJD zmVaV=;*2s07DP772bsrLpj$j69?pX5SAA{_-#PS?!}P#Zn05xU-<3-blhIYY0=*0h*mw;2Qb>+UnE>mRc-FWomon z3LBOI5?U$N07P0I@Tt)N<&L^(&lx|?AAXB+X0#)Nsy9{8rC#Z7dZWg+QluQ#4D zVI&L?S`#PBrA;%jjTN?GcbqKm`5B{L%9qJePHdPf!WVRC;m0l`jeOC)Dl?i>-mais za;&Xiqn~$qM4d9}i_-Nf893mCq*W$Om?xGS^3$5y4HR4t={?5xrLZ-o7_SuYmQ1u2 zTZ9#dHfOzM)tLVUmEwbwD^be{cRSj45@>47XPQsR1&*AU@}7c<|}jTB0f6uG2g=QT3Y+9 zKSyMI`@5a7&4a&KOXsd<+t#O4QkgF%nAY`NpI-3Xe7=N7IyEYN(XPnr-u0bIUyb_` zbL4%Qv{iHTSVBXo+7?$DvwrDJf($?xJlQQCSGPVKx)5;Z1m3Q4=ar<{ zl-T+;gm3nVsLVL{M%vpRrn%uf%mfH*`BjSkksiZZsZnF7z*!_;KtKRSf4EaQ7!Z^j z?Z41{k)>7_huw6sKL#*m(jk?=2y%QrUik?NWcfRS$UanQAJWx+F_=snEmrCR`gy+C zL{O$yXyneF%MxZ+vl#7p2Us|uB7RFiE28B|P+d0Y{rRG@D&r0x)>HFJ$DPR1<;r6t z87=nb>rh}wLjRV0SVrlsy}?;C62a8%%`GTTdT7ij1Jq@dnVcuWmKMTxk(nKQblr%D zA&d7ZlKj!S%F5QoSU5>~VicOPmmd$QJ45d*W@B*K$0$mUny+cZ?NSQu^Fx?ngSUK@ zZ-Pu_$`R_%hQLJ05ZpP=TfZf{Jj!{_t@*91SCH*Vk&T4v9Hu;D%9oU{&k7# zcd}D6uEl%haLP2M(9j4xvg}tikCqrge!-m-wqK%NBuipBUHw>k*HZbL4T;@ma}yvT z>pxkv3=O=cXTx~P3g4InTiMIlbMO&!4-0=AQ9Wt5U414v)6h=R1NC!SEr18d1zM#y zQ$G-z=PGB6=_D5m)JymwpUTXvaE^T9iBYGxU}?DHXAeRE3EBroq9KQ6KkGg+7^TwoO*%_9oOskSgYUY zVrJR;RJg}*Rd@yS7t=X!>k>DLCvJ?8dXKlo^B z;63zf0<+-GnYyP(>k}%(D-DgN=RL23=>Q`1JO(kLI>K_}t^e`iIkRmOA$2>{yC-WC zSI}hPlL&1Qb?>v(H|3f}lnr=S+QUrneeol6ASlgdm!mjk@S`1s=?J#X%w}_XGmGDD z{sKw>I~32UF<-~sR8J`T6DnC?;76`FO+VaKbzo4AW$hq+kF|-+?<+W>{+=cPOo}++ z=)BabflH6TaeS|ZAE!~uXK%HqV36?<`Y+_EqtfrCcf7MQj&7OZJu>Uo8@d62Q`rau 
zV-{G0KWv&Zkz=^HFfef3b>~6IOxsbuT6o^$xkF>PuxKEnpiP!?KA&Hw;GGQT)Qh{j8vCr)y_XXkPm$Wh7N$PmG58%RtHYDLgzYRUm)fD zbq1e`w|BUWPC9&)48SRm*~eRmA^+uDaa|>05-#)$!yrQXH0po+W!_eBi_oA;>8ost zbZCyV)SAsERoFN5$?{3Vtz8H%FkBA)kOAn9w6PAdzJ3)^`U-1Tx!xe?R&N}hiJ#m(z6mgrNP8@D^HsjPNDMy(hcGQze-yG9BpXVD22x!cCUT0#T-`jS( zNMOX~!UCPxV(#WeNo~j?424+ zumIh{J9o}&ze$QM7F!3fwUoayCx4Zjd5037>jk!{$azhuIC6Wx zwOtT=iW5fTe3a^QcoHSou#Lhj>%Tt>#L)#)5aA*h*7C zQ#GGlr1?{mCi0E#Q=@95An!Le_JzxVD?k7MY3+=*yt8_VX zuC{Dxb+D@&zBq(>!aO?Vh=Dz@ZQsUUM|J80NM0uK`404}LN1HX%wE&=*w*EHK}=%T zgFOjM3#l9K`uv z-SZw_q%hrV&v_%>)Rld0UixfK3snfRVpLV^;K8)|I-1dPiV`L3Kk2m0y&(bwj2$jt z2F_)r=u)jMG6V%hK$tH)=(etoybeL#_=OL!si+X+qYMVt4jTH_!>X|2$Gei`O(8QA8?b>j+$x7YMa6=+{YGRfZt zhRad%&P{awdb-<9{2z~=918(NJOAOMUo1|e5{0g&r^thCD5%Ir({y;fR9U6#w!uC} z&GY+66O{5IZVwmZf8pjCRB526He@Qe9&3#6BG@7#r80ozTV8ly`cG(SC7O$!eL3&= zWP8xXw(Gt&@2a5XY1G+Z_D#Ow@Y-?2e)s!SEr0fL=*n$}3_PQFjiDbOeh#u^I8B(v z9Ay~q1*Y?}dE)7R#4vShW|g7GyU4XHAOCoz>HK99WI~qNSe1*Vev%q^E1Y(*%MnA( zgq~-w?|Mq`UzL%m8z8>V>+cKGR7&+iYZ1!UDVF%xMr`|p&fv@uCO3_ zx9&0(y75UoVrAsq3DnR>et<9c;kc+gT%-o^L(68K=mNoc^f)r?XXG!VrV)FL#en5) z%)_X|SAKrd0+VYp2S=am=D)-0w8YR98myb7P9ZumDBSbUCu8>DtJrP;nLzbZJS}8Qu)6 z`eO9ro-Ad;jz5n14iUZ=-3n8f_R|`#wt*KQZ?Wyq?`E;{9}b_cdsx zG5U$CYx$bTGD>S>|G+=$7ykm9E%sX=^~H61AI3d|LnKGi4^>PBHq3YBFk@gn@k|}i zW9WUEuNK)GM~c>1nG+E^bqs~)8QrTM?Q(rlvi%BOJetawOyul*Fqtf%*y(jhlQpsW zcsY%fr?Rh3E`6=(2|aR~k8i_g z5m}9VLF*bf7wl~gk&Gv>n2b5q7Cb+gppAL=deoTIkQCmXXX3F53Ar!p+vPSbOh_W; zE-?l&@TQ7o&uFo)d+aP*6S^bz{obf&m2xyD>`=l*6e7uuLAP^*L2F5~s@amGX%{Y+ zS7@E0iJqJAS3msgI6|3X&nFwIuTR+<86{;DQQdwNKvCuNMQV^iP3Q}j8(96cz`rZHVv*D3c7usWQruW&uukA#}c5Iwo3Ar_{N>a9&EXl{PZIIeP8 zKpkq{M5f4)&_5rD;nc^gpF7#?xQuOHQSLZf5O1w7Gs+Nft#x=H{+<>CO7!Y0ywsH{zuS^r~zzFEK7h z-7kP06G#@C8}?2dnHV{f3p?aX+PL0VVF;iv=-n_euhz>4`0M~?6IS0ftddEd!cZW3UGDF$(|RC`2_XX zdzp5>xdkz=;}^DW7q|C@C;LlY_=$Snb*6f%*C(CS-9;jeg`#BtE zSb@N}UK+`(luWJYUHRiLaY5#haO%Twp|3b=6K*gZEgwP}dC}D`LSb1Co-LS_%5eMO z;6`dYDy-l|mcJ_`V|$K*CX#R?~9;v{E_>4*!nUFsTYfn5Ac3m>Xm#h_w=y} 
zcatk5E_(K=W?E)NJk3kuy5dc}_j`J)A+c3m`XQO@`Y?V!{qe5#XIPmPv2GlP>J5ot!g#8SGBah?!OBC+-!o{tg&_$0r*jgn0Ge zME|s-8uhV^^sD8zo?Q0enAR`()oXX%N<+>=_cv&GL3Z~F4Is;G+ZBn?eNlIB5cVb{XONLeOYWJqCHmQ0HId<;y)Xx|>7j0x_?KB${&^T~RalcyeXwMi1n;_iIY)T7 zT-8{7Cs4tl7D054);mkgO{^XghxXVT@_!18KLlnZ2F3_h2*wb_BX?8Pa++vE;d8f2 zl+d|@lbEk~`D#SpsNJLbG{yD%x$JKSIBvKdbu!Cu_iYE`%{NZSI)maeDu3Fbd&G`a ztS zY21v#IS1a4gRM{Nbi)=!(i3!iu|dhwFGGh@iTo|dhf}BU{+3Cj50Q0p&%_H6z>n85 zr)l{tlzrmDNE$DA61M1^D<(4~94KWT~7a4=E;{+Y1O;fC6=z33bMQP=TR?sf4LDfx&t9@=E z*kiW|^RZW`#b}`}%48ciIno|O(g4N=j;v$XV);XdPW|j*cgS84PqR*0%TIP0N2VZh zuCm3If?UBd3k%e7%;s>F?6g^Y4Zz5cM?L!WPgA+mGMpZR7;`p%l2P1Y%EmeHMWRfK z`8Q=c*ifKe{Bm_y4|vSY&ONFc*eM#Y1tKQv;DG~zz9GA^g7HpZj5qGMAx#r$|E9i zFkHdD0+RuY(Jx1vx<;MpC*{{xfH|=IIAp+8iYkE9lv4f)?^&D*BzIs@@I(f(Rr71X zLplc(!8>ap*65|*kdYlKZNta!=M}w+)CojV2Op=+TZ$gO6!_)V+ZJp_X-mh1{ejj$ zBGeL>t8{Jw%PTfzU0~OGomrx3e z{zr=Dx!SmW#B+`&V_hv2Wy$= zuKZbE-|q}g;3JA!>HC^NFyxteg$1sRuB!D!0d%DK^WzpIG1EJ}7Qt@wv*L^%B?~R%!zK$ny=S|46 z#?r1D_FuUHn(O9-sqiMRFd-}tA4Xy0c@g$`#6Z8k?>Z-o+<)9_;I~Vg*xrv6t#C8n zQXXsLyY>El7=M@YlTCs}k<(zPMi1>d_owb&`{Y|emBf{`vS+gsb*`^}tG?fOtIwFJ z%|-m;l1;$zo{~-MFX?i#vwt_&29+<+NK`J0|90Z+seM~D?K)|HN}A9#czVj1b7851 z{isr~^TY0cuc7fZ7TUfz{J8AXYnNXW=^`kbv#$5;B?>t?79jsY_%+5JBs}Q-A#L0q zVAVT_%Lv!!`i?zS$!-GniQm(jkG`SqWR{m`Ro6r%*a>Jn7tiedeZlm&II9z7N@(I_ ze)%p8$72JgXaBNVf(mU}4EXsn!+FOQ@&uQU+dIpjGziaJc_{{um)iD2>z~K_h-G9@ zds~on{nr-BEuI_cZ)AX1i(V&YV&5*9N)VR%^+Egxjs?9xozBtd`i_<*zmp`!^CQ?^ z#dd-Y%bWh`&F*_~Z@=>Vw@}x7L8%8=hbHEayZL$oDn9w@X@PU%GJ`)B7VtF~e$F;p$Bt~z8D?*4F7-2R)Qs_S7k)zFgrhf;BIbe4KjtIk z(hR0(M=LKy>kslA3-v_Sam~`piZ@&y$j4g{r_X+idSTb`SDM5;cLft+%P=8l3OUl& z?8)({EBm}c`(Rr;;HZ%AT>(+H&`@?!gNZQICR7-$o?;QPfARd?v~Y zPeu&}P4BqFzY>86614vXC)$45Zrt=|%}Wq9DFA=1Y`aSl1NoZZHuN&@h>D(aZ~y+6 zIWkP8C#x}gI(d(SYZTWOckbG?Nr=965AvABCl2v)mCqu^m4gnRa#>?DnQY zrTS}7U1lOZ7Z&rOjOu(toaMi7L>UMe0&UIye;4CaXyL%jy<2Fm@hrkPxaR)ab%z)Z z0rvE&CT-MdpM#KC_d}XQW`QpG=1wiQ7gqOyOvlQ^9Xo;-`%Q)k^K&C*C&*Ik5ao+6 zXea-mG3e;!6A2N8iO>sOW&Zc$#OZtY#E8>&kED9!1c@LB35Fzj<#o^eJ(1 
zpOt&0{jPc}Pt-f*sacRth-yU+=#92aw@47=rhfI6`vlDrZz|Y@X`KQjNn5%WzlB z?l4D9ucL_azwh({V6%0_VTsuPeuMDFZbKlq%pW}XLWF7fj4kpeN`q+-9gZ4zjbJOY$=o7k|sH+@eH= zIO`sR%5|HV1gjfDe`G(;|5GsVEG4{^OK#j431u#`8()0#iSFMWqR@y&-UR83PjlYC zmyyp?9MO4VyC;Xw_2X~i7|f*BYpE(d{tqUwBVwIuFmCVbD;baPAyT1FGYB$p*KI+| zQvUtqS8>2SXEu7K`u2a9Ypuc=w#Z1TH$N_78oK0s{KfHchez={|h3ainFWyf>;H1;}X0YAKNlrc5kCMz{9I|?r2?8<1!!w1(bm` zPU4?H5}S!{^zY|LU}i8%G?i=ZyZt|Vd=Q6ZU3@N=x^l|ep+A`(%VVf32IOZK2mIcj zZj)PB7WuP`vyNlSbT5{&32cWI1~j@~Vg0j3;Nk&Y%jENS3yuGtlVZmIl%+b;C9|x= zo%veoz&jzHHyS?`$$>Tu+{4NiC#KsDzljUUhae?f5BRIn-5q2`w;2Cfc4*X)p^IF` zE-&;G{r5v7Jy$YJ{k<>$ChfONw74oJR>1%mwU>6jQ!Iuv;PV>yZ&%diL-2NwM2cbA zHQ_3U3oYtir?33KU*Nk>lwv|{JVW!RH2d@E^cS&?w_cVdqd*4t6bCAZd#azhT>m@j z$~d)k&+@;oP1vK;)!Qj|9aOBfuMB3d_jCRCsj#VhnHgY*D3Zkw{_pqsK42^wj=gvw zY^?VHJ~%y^lj$z)$Q_N39|BXJ>VzgiP+P=Z9lOi?ntby~c+yMiU9LTIx2#VDmmGB2 z|HQ~YOPmC|Z)EV}$F4sWJ^JWKY!UsD^?B2~V^li*m|l7CF%sg$XP4^JIKjv_>KJ)h z(C!KzIbl|WhE9R?aHlNYp!PqHj8O<{u`(PTx>*ZumF8fz@G3r@9qi>Z=d%|NXBljEn9ph*>MhJ+&Bjz|WJ zR>(;LYyh2aW@Es+%{5_bt71w9;8O(uD`Ij7yW(pT$$lK-`l@Q z?`fdgxC;Ab#$YtAZy8z{5ioGVn0ld$B{>T1j3as#t2g+1wF0qo(XDSGe2nWKamh`^ z(EQ>b-Dq|*5XqeV^tTz#VWEL5O7Kq^;R6?u20N4U{o6}}^Uy->k4G!_#9SXnoMH-kV%=qNfUPiBjC(wGR`Xl{mPR)|h+qTy;`y zp|O7ThVGmC*s1VNCbp4i7GFx!lMAnZN;XAb^|7!>O;Al@X2rj!D+ygby#7dasJMhZ z2_vjNJ{~nB-%J7fj)Gd4bUCqe_8dWkm?uhR>aOVZM6mJTcbqW*EK2zWz#2hqkIxr} z>8=13K@X+c6yuja-_t}49}kk?hNp$K<&Q#{p1mX9#pUnJVm+c7F80RIKh^V|#i=b5 zHP%_3_;yBZQA!Bwx|N=qGkeUX1)}nQ*PY%s4mwxV#CbD6wYbI@&8LI8>RCbb7-IDm zErjs%^By1-xmP61K8j|=z-THCK=qaRxTvk~CFqJYY{kJP5!4%lm<99a(OU#5=zCPZ9rf*4 z?`obYwf%?UpFcrI|H_bobNB2+tkZvi=}UVU^k6GBT7B`QVe4y&pr17%U-GFH?`3`o zXK@YtSMh2h3A#RP3c8D`z{E?vl4{CO9%zfEBA`d09Dhu_Hnu+7U`)^3#5#tG{q*{# z!V>-$Lb)cv+A9~Yjs=bq>%T@H&__7*&18|~{7(plYV~5a^YmK`RR^IE_D#RCFH9)-W3X@J{PmEK!Z* z7#}*A%lI~87z@5Yi{fXFJ}n@y6CbXny5!poR9OsHhIKXlU)(*t6@nn;;@}mfi}C?F z$2S1B^{OAQkZp?`b-{G%XodH;n{?EWhcDs65p>>yhq3J7fNx?d?eo~qtVMvXj?TCy zo<`r_IK9JPpacE75*xp+VQ)2cKaPCT$U!VOCuMvzF_CASz;_rI90Kpz1&jRf8A 
z2WWj}J~;QFyF~!SFc4o=E*kgm1Zwm(v`>vzu8xZ9&zbz;zzaYY;M@e$lq-lKr(a}b zWVgZZ4qI${eOe#nhs4gm{p)X}pq)$);Lw``Qt$!fPucfMGWi{*birqZ0VZec%Hsju zO9gE^ldl$X1miDk4*?FWdM4X@ZkrL2uvJ->-bY^Si4RJ0P3#-#uW{&Z=DcA zN)Pe&%%S2aT?vK|ztdiV*}!92mwlK9gsUs-?@atSlYT*WTp{-DzbXesQ;jv5VrkZk;k|D?xf2ErEeSzmJU z!dEH*hp+DEB*mM>|D2^AEw|~M?5k4-KoCQBtDlqDfuih*%6Cq7_7AIce#0=yE*!T$j*T{X3VQ_SxpI1_9LlN=hvIYOdW%{3t*heD zlF%K^`q&YEnF~SUKaSQ0qi-b%W=+?|y#T@IE@NmGxcW1Ynl3+TBy(|xo>w~P)p#v? zX-+&5pBHB@vAlisO6PENl_pGb72DP>pWrLYI!|6?wCqG5di=%9mpVr|-w+YWV6(WE z1}q<#=wc4OxjEJ^?V+Nbhp%?+;nX@tt>^|!3d9-d?1nih9MC|iyZVTFa&88z0ZhUv z)egj4_?YTFN0lCdlz6j3MF)DXSQSHD(n!TH=XzDDQ7KrY0W)EH|ce9== zpLF1R``#u5)v_Fb|5&*pUn~2SD2P>@!OhTyiyuw2Knui|6P$om+Q@_@W&o&y{p@_? zIP)lfZ+pYgwQ%IOX z6{B*^do-+o+zve=oRaqeB$cCJj8+AQQMwmj>JzZJQ)Hh><<)(ErR0ZK4xObav=7%T z7o!aiS*i=6@E$CH^=KMKsvPKHsOhD?3Nfx7|4Kf=Nj-lbK^ZQx%$luRoJ#){aYWy( zL75uBu!vSv`LW8$ETTt>O<0E%hW`lIK+p8CG1J4<^RRfw_>u<)RkfHJ%>S?edX#=1 z4X$h8C^eia+E1rm2GZ#MR8hhmynYH7Z5lAbOK`lnSPed~6VC_(@EI<+ypRZ7RKe+) zy9H*9Yg95vQX75u)rwe(YQ$lfy5>jNpM}7QrU*x>%6w-OA@`KPl6}NX z@XMDKnPrt0op~9j7j23^a)nW(pPb;B5l@ry+45*%@~%3UgzMsGNeCA#YeLWD`8it+ zw*!z)MZS_n0jyL749?{0OWZi~Zo(LZUrd6@35yDrWwE9z5Ux9cJ9GdZ8zVXr=U7s2 z6V?T-Y|=EULQnGmqzPq5Zn)*T-vDNorzY;}K+B)jaxH0B>Ri|K-U!&noZORte#7W9 zH(zbsCeU`Q-#6lmbAg|5!L)eg$)>0uEvl^~(9+*8pHh*I3BwT)SMm7$vk$1xKiwQZ zu?t(Mv()(|&Zav!E60>T=Ium^@!RvHmaE!zMQnvU$WY)Nv&-%y5bDK&Q15@)Ga5(G zgzD>Y_wCA0m+JO$n#lT{klX>cpiknbpupj;fXP6_h^tW~mDgsO?jb!!6A|26vRUEv7G#wc{Fv5Q7a_BEvJr0Ua)()Jq%9B9cCG zB>6nDzYZ3Xf092U^n42HRa_afx}{MA+83W+=(VGehR8VtUbIjkQZDUFEs;VbY9Bm1 z`2_pdxk7OLDG1bOtooN(UQv~AVAm2VUQoa5XmTb{mwHMc`QySU{g`y^xk(&8t0&P0nJ<)m z^V!($Gx1tPJ(8usXuX%rIdHti%{T4O6_c_eKguVEpsd`a$!R;y89@S`eouA>uVluYrK>=Xo zsH=K&jXyV2uhmplRrTdBn_EtpWpdgo>Sog0g{dO`!`wQy$j9yw#W1V;-!}&cy?9iw zBj_+C#Mw-=P@IG;(jv?E`fSV$RP%F@2=!TuKzHdo0Ss-W+BZvV9};l!Nhru3JwP_= z1S+WGY@<9nvMvRaGnu%}Y)my7^9}aVE_{Pr#!oN#I@O-9dY<<2b;IhR?9b47(PQ)xy194Rj2BgWcKLNX5Z63b?X^<;`FetA 
zf?q#qAS+8$f_A@o7aBUgK8r8Ozekv5SX^r`R+@B3^SwOsCuw1cFJbxUV4MWyf+{TvIi6Oo?s2CwVMq+vuvaK99pCJm24_ z5I_?qD_s=8{ro_}P1@r=^1emjqn2eFMvl<_e2dX6Gn7Ibq#V|Sh0BT4`9#5yUKDJ( zJA@@Dv50dApo|;32%`fu!i0ZN99f@;VLc(e7u;!H=aY$Qtd{7MiOPwF-j`vnf3THC zI+ji||Ac(*E?K;TwEY7${x z*y5rSL0`u0NIO!)f}fWNzazY0Uq38l$0w5v6O0@wlKsAl=26~9TsQ;*bryq4#qGv* z@QNg>Dxg|2*2U4jK{>i;oSI^i%j&FzIm68Dazu6j;IyOabzF-Cqsrq;dnNCTs>ac7_g$m&omA1wI0Q-H=DQ?NLQd zBH@81!N=OAY`gib637P#duiFTX_wM`#Tk7W@R;(i4Sb3p4izwZf0Bnad8fY)p$plx z(%Jy@J&l5AhW65S$*&u*Dk$OCK*~_2m%2Tp?5GbM)FZ{8b@YxkNb)e&ll*Ra4%kg{Gf2;f=wEuDSuSFO5@gM#_H_gdfH7yVG~3{v#TF}c0<X0@w1j7iK6NLxb~8R7*|8a`qFY z{jKh~$9MY31dJmuQhEjQA~z7k)* zRM@tM@kibB7aS&XA_CY2>}ALgfW8g3-g*(uI<=us?efS6~cX!d69dyb&dM3Z>NrHDX?+eEw!W1u5U0u zH7tt2!IZ6!^-3}-^5Z&T#`KD67tOmJNZ%v&FEk198Vv&s>a<=tUIYe=@bavxwx2c3 z@R@(flC;qWZp(^WZREyQk$E{unIiB!$G?B|@mhSM$fuN1y_xOFz%3O4BfK*k9CE1S z?IYt4z*svP7_*%}dVC$_nN)aX+NP!qh7Bg=G>f42EfC#kJge7$WS4!E&D)0QR~~d* zd!cz+suRmaCS8hOHmZ2$&NuQU_s~qNdR_c-g~QZi-ZbLB&`Do`0<+VC4c9@d`lG)j}Z@P_-oUwq~~ z*^%`A^D31hSuCC;dkP~~iBfM?X_A{pb^tB~k@UUxImG>42FYKwhyNkVt5!atayf0` zdcl>8S2sBuvtLU{;TF+(NNviSZx~exWN1f!`p?zyKMYxcJ|6fZa<46jc1V?rhJzy! 
zS0eo?U|>(~>`Tt&+$3<=z$lGUu+F=mt9BNxgd;G|DFh1!+Z_$*vKKH7VmBdXf}Abx ze%4VCQoRmAtI|Yf#;UGmT%*lJvTXZ1)svs#lIU|Wnb{oH9^kOz9uFpLagO+LwrdHz z0J=~Sdtu%2rYNG?ck)dEIx z&?9G_yMX!h+0MCSy$BZHDwbNFiU)77ZN@I{41dV~o@;$-wCL+b)c7+(5&y12F@wLl zsOOw+29pnS=gDSX*bQZ= z>)GFV9BNdAb}^j?PY|8=nB^YH{u!>addBH{0SwE8{o%+gS!O!`XtB!l%*+wCk>|+z z<1NhEG>f#e?bk-`%F1j&q-~{WqRsbeG~gN&gE~y3>VtcoC<{(G>Z#0dPFwJ~$_lL@ z3uN~O=`LDl3f`GJvC(4>i>4$ zDH`TyZ&&G2KYGWHQ{xq*02@JegnSqc8=5l(`A-*ka~S%Cg9JQ~T?D~6)cTSbyUZeg z6$p}}t%8a2?DJsrrwdt2J#d13#|Un&*9pJkrkPJnxVMM1G3#4n$*i4)f?q4B4_Yv;BA zb=|El=D6w8{^vm>`I*-y6ObrHNciEbUSp531Va6JB7U(Kp%;BMSB9emwclJ67U3U1 z6*K-<=$AsFA1c_-yu=04RVyuIq^zv09+oA@1mxP;tGVJ#atqCZwFTC+1|K|H9a9h9&b{-_k1W7$qAJuMHq3y`O{7B;mhBarHyK@_?@jO{Y07LF4AN#6 z(WY$Uf*v(wg@=$dB8TL@+gkj1=WPcWDnSTUXI20~OT2XLjS?u3E8lZJspbBh zt;xc7x6}-2BwuYy!6;7{kf$tr^&6j2iqMZZvmv$zoAvMej4CZ&G>G|=KS!nj_GN+Tg7ocp`{vEA4xrs8)9Q5jm*63i0Fxmd;Ik!OE=s5#MIEU#Rx{8 zYc!B(5#&7d*jwj>w6q>Yu}j95#W2xKzs~TO@41aYY?Zl=UCoGjp``_=2)aX3#^;L7cCBw8&kAy22jJI)dgD(6VdH(9|Yo40i1T_dV zjxD?2g~(!rV$ZcG6MUY9hLfYhYq~{^tIj7p$U=p8Q-J)Q@T}4gTwIC*e;`^Xn#)e1 zM2>GtbClxFQp!5Ql#5I5~aX(Dul48ACGVM=TH#RVx0D%gX}O7GE?{gn&9TJ^Ga z8ijFE5fy~PxfO2s5M(o>|>^3 zXy&9wnskal2{gy>mya3asY2Ms;?;rj1YVfp&#WWGE%hFZayjG&&70pDl;&Ej@{&qK zqd-i!wZ+$rbx2nqraM0B76Tp6QiMJq?FUa2yMMVoh$rZxENqJU>~*8svCG5fdZ$v)b%9XIM45E6+lvm@X}7V zmGJi#mvE9Dx}5q`t6FRLq9^?;gsEPURx`4l8oG{TFS8nShJAk-G5qLIfvit@g%>*EAsph3^l-~z?9k`bH~GIMwXUV= zNoPC^{EW1c*X8~~SEgg^xubmmJy9ism&gIIGEfB1A*Dn!6LB<-zZw7YH+e^rJ}Oe5>VwJ&5N%;z>_ zQ77TAZvp?NB%A2AyI7*|?I>JuVz)`A-P z_sGc#UwNLym@^RW5m~J&y_kBj6fs@nvn^_e$r=!F?Qu6GggNH18p*HkgT-fO$cr;1 z=AF-D-oDKj^Kg9%zOnlsA2V!xhsi;^s|LcSl)pQW^|BL9y^_Ghp(o`VkduBUeQUbd ztmA4UKA1;#si23AO$1YC*@t?xL2c*zoql6s>~gWB3!jUJ493lT4S*vc(>s3>oFl+MyVz^mCA z(LaI*?ocA2uV>Os`B1Z7&0*y#Io!LZUwfzU_E<({=GINk3NF?o;MWuZhb^B|*-i$t zm|+7@@NR&G^B>b)({{3xvqZc2LeIp%;VREDMsR88pXV)dJi(w8_pYK*4qNi@idhio zjzm!|B_*@40MiU{8B;lc=5p^QMZi+TH_7p7Gl{Y1m3Q?LxbI6@*B~c$(0-`_U(tT4 zvQQqNm^VbAV_ZQ9@D2W|0j`(e9zGlJO^y3#GX62%h 
z>tW~qdt3;KoVREnMJW2z>_vb$$qN8vzD_Rrj}GAoA7UH{WE+=Idgk&-egfL?I^rDO zPNsVJKAIjeYV=fv`0*F6<*_8!32RlSw_`>!-bQ~%jrz>vcom&PlF|Y>|*l_ zK!>7gKG_j^(~^a za$~&B|2c$KhC>^9FQ4+3D;s*+M;F@g0_yi;$`l7qMq56;#DS9G$x2>OP#${R9VKo`P)fvF0n|#t2Rcz zYU7z=y3nNvGnFywBWmnPYKKZm^gO`jF0?!ABZgYA?d8OtR7gH+Bo8N33?ln5Q{11D1w;Xsbsyka6A&CFvBf8HxZ8 zEQJI?``;aCy;Q_AEMPRUD7lg_&$iwY`G!{?)fs!B!E|>!L*W$BmJq^w6rYI$)6;Def(O21UDs+(`J02RyxI6r+V8V;@ex? zhgac~9x^m)bv|sO8I?o{}-FN(1DfQ%w2^gnWS_v9tn%JIw)sg_aYag@!7DR%- z#E#W}EY%enFJMJrn0;*~)wokTdtrS*J^@R&^VIDG~~=%D(lIn znHjQowS!VN+D9KtKWdcyuQh36gJCfdmjIe)yex_Rbayop=&QKA`m%$jP4s%lfNm%O zc_nq&P(s{Qld(0DS-Dc1|*(9?wYq}J-@l)l2=g01DyacLs z_uq6J#`U#pwwu4dSjq~Gj;&9PavLNAyQys5Y+g;MzJwFE(ie8&4e;jtA5RNn8l~?z zxIV6e>*I*{%`kD_t@@!(|AhJ5fj{w|p0cg6n2KQ9xRGw{?Oj?SL>^^dRY>E*vYgxR zNdFvaA8lu6=X5Cl2f)pZXeUw#I@Dp=z(dI z#B9UE6L1HOhFI&EZre$+x<5S=ujWeo+;@nC1x-8zrQT|GU~0BOh*-#KDo znkpu;YkCSw^bg=f=tFd8&Y;TKd}*RA7cI-VA6o4^e>=aFWc}t*E!wCUo_YW+wET)> zDiuTfIo|{IZ+ZCBtsss99AUC&=N5kd{_S)8@X|=$Jxz3QPcWnQM7W4(|PXR5ws zhpY3_2DUBolO4Rx!QZ%oK(er~-t)C_foU1GD-BS@qI)L~z`PT~6K!hir5b)~H*U9f zZUV$_w`c1;%N#y005gJdQTilAZ2PnHgiB7lhJM~SQPHK=6L+l%&)e*ig4o&!I# zpm;*AXT+`KhD(Obnf2? z^Ap2qT@hx`<)cDe0lDl&2p;Xw$!DMF$#KN7L{NcGu)}bxH;ohl$^b?Sox}}alxamf z2*-1q56jVplb%ixxu9-}E*lOY(K{QKmOc&yyR(cs-r!5)4&zskr1TrH1237tZDV;G z0`3LN=0htIJD4!0s*?4V&r-EBjK0|z`e5-s)OkE3&S0bd;nC87Nl&Q@Vh;R1JScfg zpBuBv@e34G@Z!9Lbf^EhUasJ>Tb;*FX?=eK(V^5%VL@3*00ITN{Exe9lhT5PAPATO zo>2@Jk3?J|O#W*~hA?M!2uOFLvE5Gc_S&2~t=O|lR|PHwY0wVVAASeiyYvATkM`w^ zAWP6g7EBhSYsEhLbtMjtP_?$UwyjoTwXy0K++yoJV6?A6T$%s-%R?dsIf%cn9}Wv! 
zqG?)xe|*oJrc0v6xAeh^Dp89?9}FB<^A#ToLJ(7D+L-*Y#>?cbIfOEk@1_6Dock(q zFr}O?@nIGDQ$f4P3*vpT)hu+J^8*~uZzX)4ern!xw?QE^O<&Q2(^5|KJb09m<%7vG z?D7oRE{5fck*|?dp#co3B&p=j!<`5)KLNcC1RDJP*ZJ_uwR5!kTiHnSE#EtCkLKOu z`X zZGEvOD=5IzP{wpHr0(@8tc#U9tZUK1KrjooEt!$k8JoD`{~uxB9Zq%s#-G^{qD4kJ zMX9VZqi|YELZxg`MmR?Hj+2H4q9SA@Bb;NOW3NZqdz@oaR(9DV{O*sQC%(Vy`dz<& zT+h|RIiJt_eZTMbJzn?grSpI#!3Ud>R_k|Y$0DFVS`J&)*3Il^;NyitUuE{_hYhsY zf8~~KxUZdz1K#h}V`g`pE@4SNdcAJp2p|=5Zb}Qaw$4P&!0t5ir;_>kl(ljd-lL?K zE%tO9T1RSjw(xf}UA=736XRrDcR{4`T%>8pXn(uM^nsg6hFqQD$?Ikj?$QHt$2)GI zjolxW@8aFA7?!lAxMY_12IMgJSV&p-;A5X$61pOGA-n+rKx*9&-$(3-V6C;v9XVR$ z^{MPq;ys^dS3-8&pnbISqS2?5)Vt`-0`CI<h) zrM>FQ6PIE>i^jw&m}|t;)o##kUSNe*0XcdfGZYXsjLVBO0e$ZnEunykG)aKW_) zXf1MR!+;A-@!8G;;!jx#z#J0aot1s?ot7+%{==o%eCXgOY8A8Hm;4*n3BowQaTv49A8>Q0nHcOiw112U@|C*{`(oc92q=er zslF}zK4fR|9DQ#Bb1C=p=cu+DH+C_8Mz^JnjqV5{I_ZsdP}0|K?-h7)AnjxHXCJyV zhm~EQKYq*?!~eV2WwETXIxIBAsA}q=+{u{^kA;W5e0jD*A6D9|1!AK8Jahetsuvy2 zUwlZtAf+g|hI{>V8#U^)SI|G6CY9z7hs*oQ54CER{(gj$)zi9i>hxEWkfvy}sR{~3 zp4@jw(Tp(ImmsygFSFHP;&Oa9nz+w%``OG4S*x>`>95Hoo+}b6xXW_XEGi~5vnA#3 zNDk-4MvKxoNg+#fk;_TgCrI4y7kQuA-IPP0nQ3TXz$d7Z7#i;d-E6Z;HGx!YcuGoc zG9hT$!8(-cGZorxrO%tChA7{?;Kqm=4UI*Vk;d#79M0;U@s;`}{$NL&`G{HV4+l^& zCWVkFRA-P+%^yvfkvvzf5-oPk6?6iYPkyGAJicjD2_vVFEktytZ= zKUXrLz>F2imaJGCX5J1ag?tUYJKi%pgV*PI5E|B;LBYz>S%k}JEW5N8N70{}P^MUc z%v_vDR{0tiaB7wV?$(f=k)U={O|2G>t+gOZ)fTskuw@5xA+y8A;P)*ai~=M|2*Eab zd*psBX@*JSnz1Q*=1`f{ z66Ob0N`yRDn#QHwDz#NhPP;`SZ3={}(>3=U)&cfO;S;@rc*Bo`Zqv6D4)srEAwV*k z{n6;FLXnW|&R~%ZAAb0e{%yC?WMT;YYXX}U%>r1(0-}d%l7JmsTTaw!M$mdI!W1{R z*EO9vG-T$jG`HsI zvSs6K*4VG3OUq&@{kGPepXZ1}zb>)swM4~aJmkO>?d>D97k!8-N}0W1-1F$bo0X2N zP%R6owBE~E5^uEXTbXP)sZqa$FvauMj6H|`+Z@!FwBn&ea~Jbpqp&*@2~(E%@GK`s z6ARVA_CsD?s<fHlc0)KuwDOVEdxp;qXNJ8%jDCJ3Qy;;JUZRKae(q^t`Rl7FZ zDhyvjA9>sDD8WSEoQ>$#e6vA&cZWuE&GhuNEyYZQ>bC6UoiYtobulc#nDTX}wfLFV z0=^uz^_{^kUB>I~E>+Vcr<1_Y9wP5qh+VkABHMyyO&ZhblwXfX*U$_9Jy*sfND=+U zsX0d;59wLXQ}opM!7iFF!MtsRU9>A~yFQ>#&fR~}Uj2Icjq$L!BsNmkV9dHKEZKOa&CoOWAM*Hx+Vl3- 
z>npwM13+D1J2B1Qd`p##NuYPYOWyl}LS`+9W+tM!!Oxh9IC={QVb0g-DW$H9-=0;& z(Ci53%jPhoVGXofBQh~@oZIY9#E;1wzi2&9rQ=zf0_uauh1brg-Kplw3!Wkc3(WK9 zkwXJzv#0i6C#Fn|syY%{i#(KX#jg?UR$YkeugroHA99pxtN^YX>7hReH>s~8uH((r z32P63#zZJaY_6WtYQNeI-`(CZyPSCLq279j`F8FHUZxM)3+Tj- z7Oa5`f+(efxXgLhIrW3*+7kI_3JT5YwT-HCTk7e3RJ5#^ZO9KaiH?mexC-A&mnK_z zIzlh-mp?W)!jj$afE*kx5CKX|-{G?4|CHnQuOqB08M2~9FPVIzYHCf{dewFKBkwrJ z<6W&I%FVL3Tdp#YhYm{W&aY4H+jV=V7XL7qs{z5}shOghwX)Kv`B0P_y+Nd$$3-zt zZ?pN`@tmlZKK0aEo{Q5`yv-3$?(1`DlpC`AFg1x35yA3k-y@sD^oS{IF>}^AO0r(9 zXx;qoOn|3Kh$RqgTwGi6=C#W$L}fzUIi1=sdoAdhCK>*{DUNnRo%nM)`pRPR z5;QI5%OMjZ>M|<`OSH7zkmj=^uhC)jYh4-c;na!Rl3LaLI+nqDjscL9mcwF>s;=KT zlX@W2vvBtQKap|z;t$rPBLN984qe$~CGSmN=tZf?L%T614dFSqfm zeK)l<4sOrztv^nZAlIIWRdrHSz4}UZn~5)md&gc4N<{|fG3_hrG@KvFQn~ipbLZ&3 zj2Z0n=Sy6f-GhN|2Fl$cgF9ZF@GpJUVnEobNu#aKnqu8s_}v;^e&;*oxWVAAFOHZD zyY8?8d&0^o&z?^2E1dWi3nhJJ%KKJ{%Y>o5sl@wDTEq0q=Jh0|EL`*Ac!^ZJUDrap z*v)SL5jVXz8r7?#q0wtb)*UGenU*ZkdLDDFO#~e&)%d*mvCyvq>i7qioirpU<7FdQ zhp&)BLnxHOJ-OSQ5#^Qb(C$(pqEY87jZJ((Lcxw>o1y!7|%gc*i1D9_!j` z5RoLSwg^Jr?*RQ#6n9tOO;i5DvX-rN$*aoTp3W)yRrepOvr1HjVF`u!Up>g43&!VQhu%;PMh131oI*oJFk`z-k=lM^o_`iPX-wy!P2 zE^a*d&Az-n79T^93s@ra%1-h!XI@HwXn0&ZNuBX%gSNW*Q4L+2C#_F%*kV^W(~@bZ z^3%2l;OBHa9KNX*t5eW~#N{)mr?3;(R2N$Md~aLjNHdN1H}oZ%Xl(C5hPGTF8LHh~ z-;>;mH>`aGLHmcS=HD_VEYZ>g+0mAO6t4+HNeXH-PI|8YFz~-GF`?`{Xx$~hu0o}w z=RXIl`C!f#={~~bM}NosT$#ptVRDvVr@Vfyd|N%i7 z!Wh!8Lk0&5i0z_cVzs-!kx7O0Vn@eZYtK`9^(OUqr~0+)OH?3<+REHlniZl2FY6dJ zt%cz#gP8n(&S4wQiQ-R&0C2l>=zM*Cy6%s#T4UTu&J@+O`j9I@@Ljy3l>(NJ?rC@pDFn=mxxnn7Mt zNhzTZ_|4GPk?|u`yHKmVmz!Qi1%^#bQoDM+f?F>e8^``w#>05Z9*G&Uy`Cm>YFtc= z^O@SQGy`wbLTb|d+;s%)&H?fslr+ulb1!#H4%&xPlVHf>Gk`Wk$Va}{YnPBK*JiE5 z$HrQFg6Xkg%dx1jh>|t@$Q-QIYM{59na#undBe3#C`V{R_{>2`P~n&bTWkHMZyhA4 zbvU;yt#CB7x2FSAQ~vD->|bZ8oqh_^Nvx^9d6(-R@A~6J!IQc(a3j`R|eAAHoNh8{ym(Q-6LFLQ(b@<5MRF7X@ z*$06?(a9kT5KmQ*u?`~MD{`$s&ssiiObJW>xs|%|8Zp_%m3jWY^2&~(oF4mTWvJry zaaKXZct1IEyyM$oEu?>D^fw7=_N#+{E!PPf!k#oVZ@^hz@Qil{Wua++)W1kp8sA$y zCuP`0mIy+#Qjrc9+GS1kQ!{Kx0ivtQ%u7(i+SzfrB9}bO#5)z 
zyEV1bZ}({C97-PIPI&|U)(9iwPB}NBJKfabPUv%;&M0zXR>lo|$rg!mUcb}lVMcQTS?a>LpD;W#2s2S; z4-_{R&7WCMOv_WQ%X=88=FNZRwOnTBRzMHYq1wuR^O`)`bZ;f7nnlBK{IMj|(9PuM zhj9as)orgvPX0FZ+$$^g^o5rQPPr`DDng7*AUNpgG*KkD{Z()gmQBXGDP2Ff-S_&r zmIljLZRfu;W;gKctkcVZ$unPuT>>6FO19S0);^INcMq*hW6QZMEi~vndA!-618RTP zK`g{%hZDEW56lcpw4np#sX7tThda*S=qM+}D-y6D>9y6{T1)h;Lz|0vvYQSeD!0i+ zYs*KCCG+Y>5M(n9X=OW_JcabmwRO3~DFaduSCicBJD6|k+!zFYnm=j$)!=X59ub{Q{AU;Yyr-eiQVo?zL4*ZO zzqC;_TYG0t;;8jYNSF0Ch~AU4B8^zqMr}N4+<|x;nRw>l;7GRmW6Q1RE{I-^=L&yr z-6=bJ9p3&Gab)gxbs31&UGD_v_i05+U0)oYtGVrUNrbxuRGq%(MvnpM$zNg=;b#PpE)8zM@D)eTXFpz zicJpq{{0>$p}=h+2nsDN#EIFXuh+tpojS6BK;8vt_qn)pzrPURlb0_lkyGUgeb)_W zI>l=ii@iG#KkI>nO42Q&Ws~xrYj2NuLfN?1A(*f+V!d0 ziQszPisUWYiPW7#chI8R6gu}9=5LyQ?a`kt-*2b4FP3|1k2BgUslH<<$h&$zNj*(o z%ftusY6mOcw{iQ}UG4CjYDPDE&$3)@KX4U?c|;_8d^%*BgyUmArlsud1LIWDT_ON(*_ClM@ohJSH=nRs6bJ$mGx?W)2<|Fgo*s z9)oAIV6BYwBJ@C?pyxFZ8#m;Jhv+4hOnUE>sUX&`#YIQ|Blu()M%=Cdp(4jDF|xUf zUOQQ%dOlaGc0alP@v2rK6vjjWN;%R~koN(qHqqE#SL{3{wus6(Ue23g+)RFr)*_rK zpRUj0z|GpHjv{7B3)4t=_INZ0V3t`Q?3)yqNjDfX*A)&pw|{IeUCy{G;Xz(sESE>b zpOIJN^l^unp~hepvUuUkJT6Awc8?%-Re9u*jA&5-Wom`Q&Q-mS#w~LTUTVz_FC+wd zWGle+tyD4ae`xqIYfv83p1XW02nGh11RL?j0SIe0rJyp^;l@vTDm5=Jp@X!WCy4ee z>bLf-6I02@e?EBIop!V#UhgS)c<+-aOT4V+&>nVbokZ-wlCcpG?w77%13%5A8()7$ z`XxTd7J@xlqK%CT;K}qr^yq+?FXQQ$t0h8{55q3@zL)i!)WS?wSHX>lI!)?|o%|-# z?wkSVsKP8he5g>MZ$U-tNk=76@>s z*YzUF=AqAJ?0;Nuzx(V!P0e|1QJur`?1+h1eMkJN*=w=3^u`kUMu=rb_lHNsn(W4s za~`@Jl9lb&UC_w5B@Y9;SZ(GzQ0SVA;j$bnAC+TvK4@EUXsBKb`m>=eMf1a|&Gnyx z3LIHQliWetg(Ro>Ltz`NeL?)TcV;xgh>Wk*3 z09`)g^rY^Bn9baMRZrFI;78<{7M<#2XFPbkIo`+~ODTFbTg}CZqTr2chg#$M$s)2p zg88~4aakg$_w3W`z}$f;maOAB-F#^yBSe1u)Q{>pwlLoo{q8M!Hd1i3e!NvuuWY^| z;G(GIr!_56+~TeVgNc_4siaq;6*e;so%@fB*K;&@i?lsndcLv;uRPIm?u68;-gJvx z%oUanq*P~evQf^;GfU!U%$V)d=mKB|5QPS7RBn@nF7sJ4MoFK&SD;{+#B%m0#v5&c zrjdv1vBoQVH8kjC13HFYt6S&%`A1s08Z;`%FfL%XJ60cHrV#4JNUdi*GE7H(;#QZq zQuP4nm$Ng?s;iZNix1AXVzWC5~;>cW8&!wfO9$Eaq+LpWRc&P%fM$-4{OBsp*zl!+(?xMJ^jK 
zoRdzVv6ZPxtvlczQO;1pxVQ&jD{qlK?zV0`z4UdVB5`5JC0{FMyCv~rJpH)%N%kwv zOiFt4O~=)QUO()rZ*{osu&TDeB)-r;zrcC6iD)O0)M^gVG&NXY0Z6Hx@IO24V_IC_ z8#ky*j7g+K4_aR

E0 zIrL7<6_^l4hsm;)OV=rwv5YU#?&$PCz1~f-)Dg4mDtwr^(q7`H zSY#Rc7OyOkQB#GJyL}-_92O?I>4KaQ#7pw_4Y(p>Fuw8?ql;H2GK~H|Lr_ z_?&*w))JfQxW0bp5JRP6dToW(`s_bvJhod#7T(Ammu_pl98=KP^f6a5iGDECJzlLD z9YO!oUP#IM+~s)eYPZJCn}@9n=7LOF8}H2DT4@l>fv#jVM1q6wbIe!{&rNh{*!wE# z3pIEVT6>`?Z5brf8ug*snaGz&|2&g6Iaz;H70W;qkH5rRhBXkCkZ9$ehZ%$cs7*`K zWcSGNB77M@oh_-&NQunptWVqCXjQc8*qGj3sEwx5nNad3a@seG=BnUyY9DdK^l;96 zg6p-2v+et$n)||JT(F^c6F8E!cT)=TGaZ!GRkuM&DL zg~~})ehj&v3*b7K>~GmN0&~Y`pzu9ag!%Tc#x+IWjrX$OThM-3{B5hKRu*H}C{k#8 z+-z0!S&*@#Ip=8}Ku{qC5tV1{&oEt39`{}G-?nY@t}djNyOX8JwwFH0;aifb-{nHg z9fiaYvoMR_{esL?w1<_VGUL=E^mCtzRs_sxh8l}s@ZFuyYkNkry5RfVQER{7&n&cZ zJNjq4y@_PSHCj-eZqO@xIQ!W_@nVrV>;3*R-{|!Ri6sKeT>}FH?{Vcr+}S34=GU)e zP!SB$=mQTE&0d=X)vEy7;UX)Iw@tGA7Bv`k`;OvkJDq09+fFne~@+D&T0fJ z(H9r;Idp^&=_&NF6UcyHGbh0f{`=lzdYjTl&nTMKU#2JT$QSA5+S?HH4w%XdxfIHn z$7QZH_U_AFBdwVw*p@C2GOsd?uuIPl^NNVn>rP3(-N&Ha6z0auDhyT7Z-KG;e{V|M z`(4MxsA>Gy3vZ4pru&B6ADz0G8r}mssj1 zdM}8+!mDUI)1L4Z`CO2{Qpp48Ke9Ie%AQQwwa)vOCb)o<~=XoJoMZ=t_mNkz*| zCnuV2QN&+OZahkMGH-Cytxta2`)Y1`?eFOGUIv!8&c>xO+b*a~3>J5(+#QSb%VKnQ zo_0uIn>om7-%@)vq{0rReL{Z^>Ne^KTJh@n=e-(f zK?MG&{k@TINV3f&3GC6b#WyCd0fMQmi?YAZh7bdO`}`wAy7(#Py902d60P5tOw4f0-jKGuFxE`pk@A{>!?!TrL=jG^&-pc6-aCJHqA|yN zJhHTdc=y@b82uoZRCWD&xG>kys$fAG58At4R%JK!u}g$=o%%d(w}XmKUCw1XD0oKy z^tmRNhqZHy*)0FQ_r;Ikv5vW$GI9J(ZKI57t9(7(f6E&Rb#k(0ScYt8rE+SGnt0r! 
zcSIt9DFx-s&2&hGc85TcaoG!po7!sZ{9-1djyOKvy!qca*;gVpKl3P7rILSF7Gr^e zbLKl-A^30Y7H;ZLMT5zwwW90w(I&ZESC?Yr8YX@bOjT&`eh*`%d{&WnBI*l(=`t z%geGx{@ziazrLK+94Er~VnE5zQVRag^m$#QOM6p_N7&+1gL%|r&8UX}!EtiH{U*f< zevxg~6W=k8H6rhn619MO-(S1?k`4>5`7pNzyvcv1Y(eT)hdGlV%iA6vn#=LcKX$hj zsBM=<^DFIswM`g)FZAg3yZC);%T;sf$@z(92W%X!p<<4jJ6f_RN~ZsRKiz^l*N>2V zU+DsdE;ly5s*OiFuq>D4j%Gz^N2R7~o8UG1VJ6 zqx-;O$y87Dw!FvU?$4*vu?MBd>4cN%mS(8W7%pDTGh|JQBtJm{4Hf&S;^{!b^!%vr zO|>GSVgYGcbvp69`Ln!vlF!FGG(Eo5Y?hLXmA$+OT=dqPRVh}~#lDq)gr*yFm2tZN zVi$|2dWkBbj=%Tx<%P29UDe2x0= z(r%;DhuWYAgAMnVe-fcq6}lr7mXuiVq2#0U-nMp>D7QH+7u?@{dVSpzbko=y2@7vd zb2?G~NyzfE!=&~o{AU=fKKkGqf31v%NdGlM42o7g_;$stJo!l!f3A-NPFSJ%+x|}% zZNmm)G{ZP&&P7#H?;|=)|GR^g9*yV58Ls{4zCA74bkF);4Qk8NvA_e%7N>G;`6o}h zJ3481f`Wrq++>Eo24F(d==KSU*MK?h#OThFxJY+&&b78`9=vbQ{`bI9XUkF ziv@}o{ysDY9RZ1HS#z^V^5!Pq-E}N6F@T>vWrtF)Jtr6S_5u61cf-$oDKmOcM}2Nb z3)%Wjy(C-JBW0aO#PB{Zpa(5Hk4kK)W_bQelMhUG3sOS^7Pe^9P>{W2?>_YUP828w6iaTmg(5xbpAEF zUr2c06LETG^JJr5Vs7gdoGmnsz12#27V9bF%Z&S?PB4lT2Duisxc$~ zO4OCY<%}z@vczf6?l5Io%2-)=y|@1zf@=8p3o!XeF*J+6&V85ZAsh^d{(((W7~YdKb$508oa@%}ygXx2AKrFuF|^f>Kd)xM`(R<9A|ffyQu z&Rf_0*VlB&4j*Ug%lz55sN>YCB3eRWC>8N1CzF%AQ`c;s9r{@t`E`2a z=|79_1v4ztG57nG1movwv9|K|n_uUJ$=m_&Naiok-sK~Tdq8U;^hnNQxdM20_z=N# z$6qft)&ujB0WX~Ndc+ftOXlX`8( zzlQr;HhgB&p|ko(!?8HEa3zG5I^Z~Kofo0*G>{G5@mzHn0a0-y>XRoB^MJyrv*lM; ztvlL0$a^U7xpI;%v%9(?vpd6Xd*gyQZS;-4;OLu66~`F$OSO9%7ZiG>=;{hUF1dX~FKv9`6}ASZjD(jON)sf@ zfV0=i*l^U^Y_q6zOWvQAC;6;5&gEn%b>Zjl%+C$|s1?iDZ`F-Qideo`vOawo?YJ2+ zeDMX(o$b9Lv^@t=+OTBM@ zK6`+z#B5Q`TJBs(?Z9rav{2X+PqT*~)KZt>9WJv(AV3m3~@e}F=x&qK~iMU4`Fi8)3? 
zlIeq@k4~IwR0W_FpPUz=XEast>&sqf874#nrperY(29qR2ZO4Tr3nDN~kW_DeEZeOyCdBV?B ztVtg*bPu}rXGQ;bx^<|>E?a*ML7^LHao4w7z;KrkB5Bp{gXBKa1FtV|`!98DXcK{W zRZm|gLbZ4E=HieO&0fiklk=PHb3#fmVw{S~gkH*n!w`c8?$)lfI&h|fC%jY1{4h>O zRb`wd9C3T@#`wwtgJ!k_v8x5mtfq-x>Wrr|^b7eoi|XO(+C25CdQjqugc6r28}d{L zIa>&**Y~$YI)7(Cn49`f>7Rjq69R$B%oNuTw*B{V^rud$K4G+caO^D4@HT4Pju^h9 z6%Bq9#-9UXg92Z({uun=@1;t`T(@>T`_j<9y^68BGGh<1p1>j1%sce!9{WzHF8^6+ zWVwBq5gf%YZeDXXz^bMLJCRn=!vYYr*FxaiQ0op13*)-cZ!v0ssIeRu5_$)aVuhnB zAKF?b@2xGvlSjIa9(NfCxXj&+=!}3GxBb~6EI*Zw{(0_=LxoZ|AdgaOX>L{x{i(j0#V9`s$KfsQu=Z^9gZ<8B8+1=IVbqic2w%x3;uYfPjfH zumv=peP_bq2KKmo$qS*IsH&>s^wpywa;7qqb^)t_-`K`hyEEKsAy>Y6sS%Jc#Q38B z977D(SjVI#-a2Wl>*&R$_4=JVyk4F^oa%^u;%q8fzvHF^C{xy;0|g$rh1q z`M@g|*!I}kVo&N^MfD%=$I4K1lANx07jFg+_<`Eew|GKWfi$5~7RkiB67~r$o9=;$7${Y_a~s5PB(NzPfsY< z4+|Y%7Z?}l)dNt|Jw-*uUoxD`Z9T4IgdvAe<{T)QyUEJmWZ9j{JYES^J$mw+nf7Hm z9OAP;UuM|-QKTEJJHyvMzU~~OslmYUPvW)?1p#D*3+NhZZJr#}JSH*cB&t1})Sl|< z)eBE_jPBk@Xz4g{=%Y8xzXbZu5$i{TML5dX75~Q-{D(4li0T4#qbM+O%+vr&l@ERH zZ%gf?2s}O*!SVMh9iBW(O~T0rKA^XNw!O17pn78gS&L(?`es2*+IejJJaVK_IWTEn zH864et-?-e!2_=QDlEbU&)g@yDbcb#LSWdZnBVi*d)M(OoA%fvI>seKLg}GQ>pt!Z zX=guwn#sFTH2?Oz-{Ae4uFa?+6v~jKk*7B8r2qyV1SSEg;Rxs;A@#nS937??`3$() z)EMsT#^TGUs@rJX$v@J$Wr9y<8{eZF>2QHSte&i)Tzo?@IITUmot`koX%DZlkU} z1`ouMW;mjbFxUYdM2MOU(AydTvBIISo)`NBjMjcHf#(u{zF1L?+$1zL_z}b~;@3zV z`YiIm#Agh|7T5>%5DK`g&QWS5R2UfO+M}$n2}4(#)On z*CR(BGwk8iEvNtU+C8-9qhqyA6|oYX>kB=dIo!x8KA@&%eYMav#l-^ z)e5F6R`YPRXBJt-joXMd+ntfZIVvy=G_MRQrvK{w4n^g^paRyPu&?AimdmmzUB`Cg zbo15|Vy_d%o{~fhV-F_I_pYyLAZ(!E(%%9RsHSjsAGMh2XwN#p$BqF~%3-3ZFO5Dx zR-!f^5z!rlX4ad~(2eQGkbn{U!k!r*U2%{xnw-fJVHU*d%do2wfZ@{?Ry&MJcSRcE zdjy~OKCfPSm|H9xE6*QFDm{=&6wJJpCHp?5JmTT9S!2C=b_e*K8VUQ-R{7P9Fz-uT zaqje0m%Hs9Z6CNZUYx-38TwY9Q)qBx=XLHpLU6d{8(w0?-llt-_oc7xn9{4JaxQ^H zgL6?|=~PCV!+ZIK*7ok-60T(;@o5nMzPtS`Oq9`4^9aSy@TI<&zG239&fSP%dS-)0=aMZU=WNQe%thLpwEgQTO^4O` z>Z?xhUeOVLsZ~2X@^NZ6r^>*B3^88g)30c@xKtl@aH+rikBM&o9IG$kZ4aJ5 z2%AzM8RPu{QBnq2OtRd}%nTy!XDi5vFX;j`tJ<>~-q9f1Yxk*m80d3r1j&JcyEP&K 
zd{q0GD0)(2=Jr%baPV-hLN8t~PaQfRx%5Zu!k1kK-)UT2H|>Oxl))w?5zAZ4&cM_i zeNK;AVU&9v2r1tWLp4*a7}1-X=1e7C!)tg1z2R4Nq@xg4$z$^COR8dF9UWv1YSJX< zpXlC495?JM*g2;_5@N<(*<)(?R&mmp*2;~jDCM1OnH%6oXB@h2(L+v+I-j<_-DSiV`J5|x~g=5!m-1xTRDGZh6J|)DfLuhjQc0{#} z*-#?Ac6V6vA(*DTWfz=$V5LT^-kE7A9Ke#%W3A?H5HiJp2OV--(TA4PE+GN@ITK5j zbL!#GlJycfQjoDQt-$ske=Bx&_UfGBh_N&g=Hdvrh=**1#_;`3E;2-ynW5)FKU?Es z1Gcm9jLTTURJO^INq0a*M9;ClF_}|Wdz`CNnZ*r~)X2jRT5eo^{*Y$^0r=E3Irgr@ zs!Hs5k$2E~)a~kFsoSr|z+`ZXYz%}5%izpj6zP~yEu%ns8C%dA)8?Iozb$p&G) zbP#YGy>4i(yR3f_o29;AD^tf8J)wR)DZw{k=~PJD?kl2eZp*J8E;R{%wWEt|3q6&w z8Es{v4e@kKC@#0TM)?U!Abv#GyD)cFpre%#rX_?3{=V;*$b(YCRv zauO?mWia+InVXwa0mR{mSVpi;Aw-y5?=&6tep13;!Zl%nPKvJl#|q9uSbS(q`qI*8#->TnYqFQN#=?X&UBRtpsqQUVLkUA z&@)VzttS?GJ*BES#-!)bW8e#pBakeYoFL7~=6L_CWTVFDOC}0O2)`=x*WhqX zzt_Wd_aUSOKw(`8GrR+%Nhu`9@-FOYYEn|8&G>qWy*IBoI#D z55hZCr8=;*sf0-qZd4kL-I**g@Q4fuxO>3Xy>)jfq6p_w!;|U(IFUh!lBE327)hwv z#i$(G#8*+ZEk}}$yL9OGb@5wJhpVaaogonI6)lBwMwa8hi5|O~XYdj$`{a~bR9?eD`N^>{*j?H{@%-R=5MruQG)7@rQ+(b!i9wRh!gMLy&DQm z%T>TeDbu7u^dc^Xo;VWFO+!ND$;+8qAym<@pHLHWJL9ozU-Z;~E_C7?8KIFKs*gMv zSh$ge9X}pG%Ug{W5U5VE8Bshlp6Z<>n9<9Asqy(YR2#x~H{IhlC4D0QR~Z)~YF%#F z7kbk+Q*A*9lnqfmV?kJ6yzwZ>8DEX-XEr&j|vi6CWMDq#CShH?;4SEu}47UTII>2WZyadUbtv>*gK{_X7%$&IVD76l^@HlTj6acmYHhYzOo zw&-T{%b_xTFgMQ&RGNn$KHw`Ka$K>g5!E;9XfkG`C`z5*NH+J~T?TLwBPHKo@ww`f zw{M4?>yWRE@FiWYbf($6zn%DoX{1fAIO+6(&8v@!whL0DT=xW!hjZ<|7>p#>osd;~w2Z6pIa(2q#4q6-UC$F=EDP>HSqOGIIgzXnEsCz^5J{33#+K2;yfxWB!f!nGsc^TX2JI zUof#aJm(0tkVu2vk##mbAeTcWKX*};hV_}RF@2tWs1L0oSB zTr5W}AYXG`Mrc^hqCsIJBKLXHDg-hVT|3|MCd!LjkeER^PJG?;q^{We0wQQA-UdCo z!HK>8<)}8-m~VgTo??uqq@I~-GOFFBmZ^Rs`YO8g^X!|5x99|gZ5oui7PQriU%mXx z{OzBcJ7n&<8AyGt7;5#Xl#eG zzIKM}Nv_+cnb>eA8Gp#M!aXl^LhO6#wF?VdYBjWg0+%!p6;7qiWcmg1hPf471-I7b zQaqOgl`QnQUU(7Q8nPj@HEC!Y?OjX64T{yBz5qZ8bDs3=7IWG3qnY(BEw?s++L+9O zgWdD36c~yh062)02&jfcbpifWrTa^_98?Rh-!qLPJ`~o;+G(}QM@{G92F$b{?CE@FK_GgrWZyy=^9xA zB$?mpIdwZUf%tPIax6!c5q9qi1WeGQDt1ER*jS5rhI+<50?Yu7u0f&u8r-FZGf1z# 
zLVoQR%h)V^%G#_0VAHBVy`pvuczC!uq-~A7<+`LGmlkpX80^JrnYL!f(UbF z1Vry9lF5#eAjixBfczhe;-9mD7^d->uAUTSM^yw+cG=dPDu2H~E)w5==lXR6D=e!G z5QrrkHZC6RqS9FvG-EJd?UINc5zBfsp)S81(lV^@Z@VFu7OHxc>|9b=EfYB+f36u} z+^TK5QGH#=|5Y)=G=tZY>^?c^)_@s4;M8>pA-d&dWDXrY$Xq8w1hU5G$x@>|2(ZTi zCIqCESjSGEl{ip}@La7m_9erRWlAgYMoRwl)kaKe{E)RiXCK0w9UBw#MNK1lb@U|6 z?`wGJut00+m$SzwoHnspWXF$;kAL6-tS_mx+Xsm6xCZ=h)~_Et!Zuv{VIzhHfQCk= zy>#+@Df#!KuWR7Twg897K0U=^JOZI*d6 z`b>iH$2^Czqac?pwLT8Xu5B^Z_Qg34h93$a{`5OAv^#E5TC2sBG^&F}C-z-9{J@8a z0r9cur*s|he3fP%(|lhwi-NYax3*D#+y{tblIW8_PG}a&Z5q}W# zZ9f0ZoSj~t8>`(-0tXrx5y4|m36ru8au_2&i4m!NrIqJM0BVa%AkN(yV?!rsyO><2#KSAlKp<*>dYrf%K-0l6)X@?sM7UQ9h~Uv0KU(N=VYotc-Q z&v@KwxcJfZ1n{LBL0B2byL(=ASaWQkztqrT( zs3C~^Z**Ue7QM^_t`Qfj3cWvXxAAvAhTvyxe*X-S`TNlrd&ZU)O0`lorLycr;*SW_ zr;XaS&oSJ1%U)@-XOn^NF{zT#JWSr3$&QZ}e9Wm8(~!+4#GFOFrI0H#k0iy`IRA^O z0mtqLkZ{|`$-s!WZ7s>!TWiO(zX5GC#=kdy6MutdO`v}Au66o%y2MSrBB7hlDzg79 z6eh~y{38y0twlID-6vz8E&KAt5B8?~RZ4qeFV(0-pFc%cms`MmK)Dgwb@a z|9L^4B4xIv@65NWf6V~?40RQd7S}Cww{F(}!*6xn6H|C$pM2b@!y8uT!@mDb@18W(0jY|Ev9y-`Lm$O%z72I@( zj7tfsgH2;krlpG0BobIKtl4?9-fLyc?)E7G=0)Vt|DXd5sdcbe z-|31m-)lNmyyb15jAh_yF*GFLD zA&GEcJJ@dW(82mQ{HE5XcR8PuY($onmv#Ermm{l&HUMuz^~MGotAAZ~+M(-a zc(au%fYPM}Uh8agj;=vKHEqHTUr}V9-n_6h6H98o&EE&S4;>iIr@lj{E^c|ee~w&N z(-#q2(-gs03zRxA{%HxBD&VX}5=4_VlKJ>q@sal+Y1BBMPd%kmcRM$68#e*ZCDc8oQ}kCt}{!+ z^6l3nI-eYOG9mp_pUXJhL}$g1d<(NnsggVg=exrBGq9aVG4An{M4?uI3>%HYTh42YEs#Kk{N zR&(8GLH&FE;@F^I-1*(#i|Vh*!WS=5f4wa+J$-O2CMHgDdV4hrECRQGuW955zJ52S zcRP<)o;rOdZtFecjv#=ihU>?-*v?O#sC<&j9lf+WlIpjXJec`69#vcq%}*ePXoZEo zZ=0?AL4};0|Gdj#6*z@oWOvhV{pbO}Pf@BnlO(Iso2Dxc@bMxhbni-(Q>VRMZO28u z{Qr&CP92BsJ$g{!&6d|hyHj_*N*>0Gyq%KV_iXCu>_#+*E|qb54KVz}Kyz=s!J`u*D9cWO!CRU?bz?yeGL#G4dWecEQ<%WytEHHnCP$Rn2?R4z`q}S zmlcK>TLlAjvy^A7{&Xjm_gyh>y;?R~5pYN0xY1U)7V670xO^6!>uPpyt_?1gVehS5 zm0SW+R}_^k+a}MIBSv}_m8q-}Xd`QfgocF=@`AT=92 z9vng*gN6Dy1A~dWrN1OzgNvm;Z0pPPDT0&d=a}d9!eqe3*K+0V-H#wetd!?C!6zoB zw%ag@yA8Ri3?mx-X!yvJCjj+8q(O&Bl4=3Jop+8I 
z+O^n=N)(FgK)L5}cK+K$F{lFFrN>PSBlKoSn!IB5r$@wUx(mn2TRL9=h{}~9f{?AJ z6#_TAm{{yJZ)tRE!9ww>>Ar*uM!H*9xZxG-e%P)sokIvHgBet`tA(I_nCPYWl;xl> zg08Wj>gnz$-oAbN-1hUbj^<|`fY@2p=Nq3a+_J3KfaWKfO0V|wTr0vFhY-B*9XYZj z)9TktP~ZA2gH~;z*s_d(DCS zhyEF)aRq}C^8yXpH*Oqy#^d_=M^ZsIfDO~3a@XOM;k$9%Fc(pHft0sW8dk3fL|*~( zi(j^J&>{wAf}4%G2pMg%y(0F&(3wWrEvFuJ5sCOr-R`|&#~s_(Ao^9i%&G2!^r0|Z ze3YdUorQpaz~Ji(J8hWamP0e+bJ|jxqsEc?cdrmajdT{88NTxwe;RSPE4x3Rd_In6FDN+8E37+gr9L8dENX9ftPM^e5|S9KZ!3>;SKKY0^URZfwXcS zMweb>j0ZTVd6<_i6TArV(xWo@q0ArNy*q+%tRV~w%wDI#yRuku|U<-G?c!+IEJWa!&LV|S*q zPHW4KL|U+ekGuUTKpv27(~s~~c{pLF99Ffg7m#YQaa-!$WI5u+Um&2$srTmn zdjxd%1}W7Hn``|*R5et*vpQ7v=+UZOyQ3YrY&MO`G{RC1@J@ zTV4t0%0XLLA>Ooa7U{!4EqEo*K(K$gB})PucZNHAtozv~*gR?+R6Dih z7W-(*BixPOX|uaj3AgqGnMnv#R2pT7l_{a!XIy7Z{Z~!RhCg0-CV4t}rrD*V(-Q_e z#Ae8a`bu2b=Y|Ww(kzr=Qfu35Tu8y|%6bB`iLc*?EOa>A6js{*+>aP>27I@+nNg?J zYf(dA1pkj_t);enC1LJgRUcr*k+t`>LA>=ql4w$w+;_x3!=pKVf##_79_0n|9erR#J&rJ%SiC8m?|C8yitzwcw3vPYflRTf;aO zt5EQ`btjl17hzWt1t>L2Y@w^Z-04f1QBT%A&be*AMO-uKoQ_-GNL<(e=v0uVg4#3g zD*+`Q=S0!cP}m^S!OYaJ<{INHRBv{0W;ru{vV6|7^u~^kToK^pL83HJI`{|Bx(~XK zCY(BP4JifTOj)lenjZO-dta$&-ZJ`b_N$H5>~E-a9YQ5qxxG&xWAF?=I+AkflM3cW zn#*f=h*M4-JtlY?DUdoU_nL@Nd@}%0-v7hicfU26b?uG_SP-#{qDXPZf^?;KP)Cuj zAiXNRgwR3@5Rg&EL5lPm9HmI_i4a0iMvxk%1ri`2B~n7Dfe->`XJ+2-bF*V>q7CgM+3EUcN zQ4*4z^3@S#@UQp$a0P@@wzYmEG@!iT3?Q)D&~?`@{gncN{aRqWYQk;aq9y59v*8LS zJfJ%&SpfTW_izTCm*QR?F2zCrTuHgdx$2=nVAy}5q&TeE6?ER#f>{{K!ds~~F1SCd zU^0NFc`O)I)AEHiXb9LCy?6L+ZV;T`r{is`Id>g zJ1J%t((s8lzbBS^fE(!&_4zNOA)w&`#ul%Wc+p-HK36yF% zpqwOWd6AMEkT88&;dAK$3upxjWe%8^*VsZh>V||I>R?IAbd7cpAj-_I0mTh9`>zsj zHbIfmzo#V+5HdD^=YEi%Ve9`qoIdKtOD7SkH|3FXcy-f0t^HkYLhV0Cul(r4!J$sU zOYY3F2jW?5Z}7{L*2$hA*`LvG3Tn+Em(`EAgU`L9J3#x77Qlak0c`^|s`9*JL^kD` zxOg%U{HT0SEC8CE$r~Gib>0vc7nhjm`5M4x17wCB+A!DD|C-3ftj$4OSRnsf`oW>!z8Fnk*-Nt>EGo)dp3J<_Ue@f2^A*=|8|P6 z?H$t|2s1#mWAZpvzla?~Nd5G=?;5<^YiJIw>-C%zVEp~L{p}GuDctpKQ&HfRw*z;= z>#Rf~_i@2%*}NkIQYqD?rF!)*DqJntE%&bvT!8>F^0g7C#4H*^B9e1M?#-2W3GrOQ 
z>jCW<5Q#~#>1cseq8Ym-9Q3=_804uA`Hfqr4S2C@C!L=@xy#Og3r*d1MHn{tfUWfw zf{iWq?_zgL{^k7}*z9$n_3`?>=J*H%J>K&I#%fdr1845U4AFx?gM0T+v4W46hyD8j zm$`-Ag)gaN@8*2b!xVSmAonLw8@?iNZjR^FRUX7&c*&np+VKy@XW3W8c+uB$nY^ZK z-*EDC)dfE4*iCw0U-ArROSqsEKHl%U=>LQvu;VxL9(O)lLV*q`d#H5pNgy1n%T^$P z1!gmX0nf5~ZMOT0sHhHGCa8)Ma9xpWxYAByC)DrgFWjn5yn3E0J}h;G1`kI|T-0O< z!_?pE;FoM&FD}E1minGm;1NZ^Q2BQ`cM5eIM1Abb;zR?-g)Rw~^p_A!V^^qd!rQ!a2X%gk z{_XU)LDf6#W|tuA#osPmIQU&U2V|Vs%uzLb?WpVP17f|YgX}U+BdDeKZtd+By4bI; ztvSaE1+7p5`<~y72Kp6ppFu2CrFhh5N6xOd6br75-eZIJof8&Rd;U^J=$}}g&IF|7 z-9?9efAZ`q>$I`@RHjB{A<|f5^WhhhkJ)~EU;tUJUjCgmvzs-8EVIrl3s>Jq zozw;>`Kfr9aIlA|k3jzQWEJ`Ed;V9Tu>etqIn_g@An?vB8JTtKq8P=y=QGWdI205V zT+ajk-xjVGkSn9$Uu2HBub9?Z-L5fTyZ~+f2|W>3HmxkLW-j+g;og$*04#?O5U)!r zE9sOCZi+#c>>VRbhI8XWY1s@IR_^U_)cix7~wdKElp50p#1lhu042! ztw5H$`Lwp)*=sO9?*MT9&PO*OpP0CNgs zV~)5JA+>dNcjTuK-zO~FA!ky`* z>2;kru~GMj*N~^SWnFY$cDm*;K0DH9XtYFQ?b9W8Pm;3GW0AkJjt4T;P35;VZMQ^S zlHcs<${ygfHhSf>=zM;(p>C!@*Q@cSuiL-8oIdb!evFYE#d#2gXE~SOE`{u~wla8R znm>n=2XT7(`gaKJcAy!*qcS-qrB^{y0n}GN z{0Ms1`N;^NWH|eTN7}u9cmXg*-MJ$xS{i<>;O1>8uQb)acP|OCJ1tU_!rBIQp~V1M zMb9{J+!*#yCA#TjPaFMIp9n>+_7*UYnV?_&X*Z;V%=}M`-&JsJP$s z#{rgofVtWqJ2hI5bH4+2K}iola2GtkD9_W%>-v%b-7x?qkQ8|I75A+N4w2VSK#i9i9W_-Vv@7+1%0!@P|}|SN0DcJaU!t zT6s{HtDz8KZ;fJ88<0kRV^t37=RktivG$QI<<92&1~d=n=Vc4+eZI|?mH&nj$jDt8^M?f&l1;v zc*&2g00-Q@MRG(^>&NupDq(+-&vH2fA;fW2R0j4%gQtzC;x6rW@%rd@>J4C1eg!~1 zkwkzg2YLX76u<3J8TC7=xz9S<&u`xgkK)wc0!eWn`$& z@SLmQ?$>BwBR(z}c2~K$xDtwAfJti`azEZ1=otgXu4@1Ky#p@?Nh>Bnlv!ii?d&!8 zF7kN&FK7)f3*6gR2h5B6dv>fufa;@FG8`nj@ykUW8-j4Q=V8Yf4KzhLZ@54f=urDB z3;cQ$$V*vk+G2FgAr-&H&dch6TAnt*H;aK zFyOYZHPT`Q62zKXD!G$EbnsdD&w#vhv(S3=74UUbWuD$&hYeidL2m~-1>O=QZH*Vn zAp9*(cn>RX`8_Ufwz}=OSJLJ}B$6AUaCpqtu&%AxFlYE%kiaW8GSJKVPXP5r#Tq$Q zBH8E~!k)+(-$yw0nJyzQulii*?|b#n%+|I3inY$2TVkc9&ug-72!VBb`0BP^tzdse z%7%N2@VCP6+y2-#Xb5a@#C`hBG?8e{7O(1UaHv?rEz1#FDUI(WH=|3io! 
zNUj&y2Atnl4VUZDuD!;T+4{=2XfLO!5s(7VWYKt?x@Ubt;M`a9H zn_%K-@B%-tdc|z%`D%~@Bdwl{MA|8%2vrU;Izq5iCjz^bVUcpPjtD6Expyg6izFf+ zTWrsDt}z1VD(>|keo=JD>CgS2ctERdM*9wGXmfK_F=8$bD0R4ZPDj+%Ip6CDdR>_G zudcu-?aS=G$b#aNvrb=X8=BI~EBVVtqq5BwCgkCCK=0+}EpJkim@IWkQ((#@6j<7UB^F1O46BwIiOOBTk{t1!hwh4r?|tBnU(hEotUCu05XGM4N&B zCU)SPb<@j^Lfy4gD{?7>@tVU2${$0$28eh9#Mr7RY>6GM$@y+#(M4HJP3D!wMR@z} z(@GWt-Vo7P5Su-aZk#zqxV|ChoHi9im7lN$gel(P091k$Xo?D?I>QI@m9V0JLu}C@ zXWo{Vr9c%SFS*+D1vt>FJ2xCB{4OWuCSAO(){rr-21|N4ToV6A6#wvhAfGMV@ny65 zwQIdKiVj?n+`$JsrCINY^?z1#>mK42n91%2{U1G(m9CTAO~*^PW1*lKt4^jjaOj1F zgJIo|4VNo5riU~f%Vs@HO-+R`{jb1TjqzCan&A$Jkhg!c$m4}7#?GtO0M(Tm8odb% z2AZjWOGOC(Ws(81OwfZFQJj8c*#EteAx@sHp#FP$lTX5&7>}ZqRPUJ?bozG~39VGn2NG^yYSjYr-z31m`!t=XwX8}8Yp_^)HEcUEOv-B) z3@XSXz!nBOVc04qf%4&FUpc2QOsoz9xxlc*17Lo+TMquc17GhXQr6}7>3O#DYKQFb zFc&+;Cj@MahS?k(T>uil*|Qo!OO{~#i`|>$!6gu!_*9ck=bd@GJnxT9Y`EQyX`}~% z*r)U6At7gS?>{0MeiHY6xP9Vg;csmHrJ_miSc2DAM^1j$rdA4}4|xtGA0BM)OL4jS zpWGREj6YET7aoahIjNu~albUCcDS@cPOqOm(Q!_hEmg(t@H!~44%#O!fzB{=XuK;W z%vzLyHI+J4=HgdZS7+xn%+~Zn8LO}U>Yn8U0W7~KSqk1hD;aNEK|l8_P-hEL4+2d` zT_9PU3+ZVwtwS{!RCAN^h@cDd>h0L$Fx44i@oZg%BgTv300rR3B^m5SazyY5N`Yh@ zQ%o=N+Gzn1Xnbw>rke}U!>`YmjurI(?VD;Roeqdr@ASekA_Fp)HmD>*1V8N`6K_2+ z;>qcQ+pDvTyv~7!p$avA0Q%dX`0vSbG~BKwc7s;kd#cgIPYA~sC%#9j1pt}=X?=fJ znQIIv&guIDC#48=s}LjM5QxUvbQ=zVC$0vbu7!%dgPSPDlA)Rg*UHKVWs7Ony+B#Y z^{I7MBOq%f&dknQ*{v*GypGrluPXcWb` zAHTJGWIL=`x%FUSVWB^muKk?*52~TQ58RsHNzN+8jJ1^idH zxv;MP=>q^2km%ZM>ntdz4}xfWYcidWi{k-kT7Kvw(C-I-r5K|P`BDAGv;PW|fW*`Y z z>dC|@vD@2hkw$j=p{gOcXGK*&o1HCbIH#w_AaQZanzHh@Ho*@ZBrd)Eqhosplj(_^ z9H6@}nwVEd>_pzZ3jyjHzX@If0_@-K^e&*iEmr+VY2*x~8cKPTkNzHAK2;jcjuZNp zD2RP#zWd5O5}0yi2UM7d9=_m4C``(baqvk`8j{p4b12pX{d1ZCu1AL6(-&jUD~Dy{ z4v@gbD|fH_xPWsc0Q0WJEtv#HzPU*Ni2t7q$HR0`b1?;N&Fb`mtVV&QjX^MS=_(LJ zT?urVMl8<2#R;|5_B&QgDPLyf$qiTFo= z;nhb!6O{+rLW20RKcx~}v5 z#NljmZ{P#hk&}KGpZ{!n^WHBfIGs+qMP)ro-!Iq5S6gR=?gcN`jZwDLahnnLRb<-e z@=nVZ65hv{2#`6z!Ff1WGD#Rs%jANP{XUwFZ(gDhQex@Pe~5^{LQM` 
zJdp_T$^q00&ci1zYDfKWfCGNzq9ewlU&mcji&>{d!tM-JEyF()p*@ir7)k6DFZ7%J z>hBgCG2>e;Thz$OLy?YdsQ@r9Wwt|i+ocbD27P>3CX&WLHsVLhC(=XdZkvBX@||)h zNs+XzNSgZ(n?kgZj=pu1SbSCQhjM}H-s<^PMyUl>9Ll8pK6e&>p|gaxlbTzCv08p$dW_#|VOr)O(@Ul%2TfvCnt<++5mnmod z%@x*HnZ2(mNS9{cTNk!h&*MYxZdC?j7mu6n6hU{2Qo_Q?kD^GpPjZ=LItty(3|-zD zrJNqAoOWG~iu`*WIPY?;*^;)xcNUf{WN@{ZuRCg*!;XQM9Zp@Wz7dVdi*Vg~i0p*D|BMJT`5QgKH44B61J9- zKc=zlm$-Op3_F+YwPQ27H)zayxHZLxcqeid3(wyu5Tzc=cO#phknB#;_6LG&pdDm9 zR&(QzJw_33I}SI(hv+Kz&v(O5FekPq&TB!7IKAa|>yVq}%V2QXC(?3Xa7#dj_SkLV zwWJmhNZ^}rfV@s~kn34FkDYhfEmFdYX~Fm+zTIYO!}g~R@9Xn@%fRi`@J%nfQ{m)~Yh?gJo5 zbGKx_c`2*r&7}&4i%%h|&|#<04%w?_P{xTQ`K_r>j(rXN5)kdR4LnH|?#|kXrbAoE zmA}nt`1HHAXJgWguI0Qso2z8sb*V+eKP@>Aj{)JH0i(R}we1hfFYC0aTu5X1ArXgv zjxc*gd^b2by%Q%C#|IR;)*T08R>2xuiu~3Ei6^DHHBYP~x0Zxgf71yxj#x0oa68A(1OgSn-?R}7}#UldsRf4o!2r8Ez657mE9GOI!rE9_Xfb^ z`o!lm5R44WM!&(uO1pjQIZ^egBjfBJkspPH(jj4HSA{Z!Q56*68lW2*`Q){9bf5^3 zh9%|SC2Orj^DV*cv{s)RFTwp2kIQe%qTff($>pnT(-SpY=nYj=VCnGPFZ?#)Tf^v< zhVF{G*!gv>{dEkG{|(&U?8hJZ0r%~W%tC*_?&jv?R*&z4(|xwK##Sw z{m}ByVOG5AJFpbgiQ6nGW7?xLFm`M0wuaxfkBq^BNYgU88u|38I?90Fzii0}*iwgw z7wvr$`>p1oHo25Wds)n#H6T;oFl>8z+u($_M#z8~%svS=@uxAUaz<>t5uu(M?Aks; zuM~*NQ|dKq*`E>B8r=$O#z!mL+!C%kR)t^$XRFh`e+BJH#RCUy;2ht- zD_#2{z9|AP>CRjpCF{7NjnWSb@<+qR=a-fr)m^0CUJj28-VrMn%osue5v>23y``0Q zYmkfh!BhWiJNv&JyK42V{iAN#$~mBmJ5y zPu80b*@YA@C$IO-8x7^qt9|sk4gdShR$-pQBg;45jh_7e^$ae)C-Fth5tp$RM<)^( z+slqeA12Y?gU@v1=@;&acP{zv4U|{F${&h6ZKeI6_XIDTkP|gY^&@?a^@`x~;3Lp$ z>%UtQ!SDkINHMs0$)En`(++TSSZc4(&p~$&)-OD%KjiLY`Q!JG%Z-Ynz9bcx|MuN# zyb<^9UP5(>G}3pLV=Nq$m>3kZZP8e8$gIKskoM#jMkN2jJ-j#Dmp_ zlHc#Djwu+9`+=pJ=biR^!Dm?-X}Ke;quM3tUDSWlr> z1*@{^A-!FJNB+Cf7qwrV1mXYn=6@XJUrW^b=u9T8g{m1gzBx|o4Vx(1qIOgbFu^u- zV{Mn=Jz;%C{M0LT_VruJl%?fVQ@a21+;{H+z7{;QLFD_tGI{u@EqtIiVuik?DTj$z zE8n8R>hPzc16;ALGz2_~4z`-QX7&B;4@SJ5IZ-|CfCv!%J|;jOw)JE2j_bJLajcPY z3dCL}KO#K=rLEd+A5PC=t-H}em#tWfcii$q>n(`H?@eU#1TaP65Am)qzh8lBo9NSZ zl<`RKv+p1=?-)j^%^acJ5FbC=_oHK9w|ho|Pkp!HoQDOy*>-@9kQDm<$8>|q-%r=s 
zzaxBmigBC7WIhPPPi)dB>dq7l!Gri;-Tl|{YJ%5TzSLrM`aAQTya-%Yx77FDuhJ&gx2k1zZgep|;v%{QGdpa< z*S+8!sA8-!o4WkON}K*f&JE#~`vr$Y?0Aeb&EJs8IS_sk&9^im%d<8yHZH&T z7Cumc4xAr?o9-*YwHC29G-x&!M@8GXwv7{AtaaUbpOhBk!!SrqOs{WP{V;RDjRs|^ zGqDj`aD%1MBkjmYPmxrtlro&elyd_>#P`P`s?`T9ZLoxU_r@?*f7UJ(&OXZvX4czB?uVxc~YTE&$B$EQ8TG^L=1SSqeh=alQ|Bb2v{y z70hP{nt-nN0%ZjfYYfk_4FTV zEng*C9?$ymO-I3&XhVKD-8V7mvEeH*B1>C&03B%=&)*wBgr$^uS|5yVYbGBzpVf}o zt=iwj1u2dB-rmaC>vvcH;AeA%6bZ3U+s86L>1g(AEIdeD5Z-P*gp|+ss%!*vg>oha zBfg%_|HdZLEgvxsxfKiwntAd)r6Om0-G)2_+ou#^;ey<_>7YK%7tA*)Cnc`3>8sI-OJw;Q*xwyI{bZ58}7=egEF(-KE-J zI8Zvyx0gFSo2P|n-!AZ+uI`M^4g{cRP;k>gUK1WHDK#cer{dJgIGHuhYWfR3*y|%R z)ZicXFgPY=yxX2$J3(gxAY{uK>3YlYr8Y-{*1DWlK>tOVkoP=BJK?FCm#?k0E49=( z6hfIO=;Cq^8Y5IXq~;#_iM>ySOs##&{zk&;*ka&(VMY)wf(B>)K3SK~T57Drhf+iF zaQl6x7OQx_UJVq9DaV<~8O;UEl~}DYHW*{SrQoox5D-i126XgT#5*R7yw74!%vnSN z`T=dWJaM;q?~B%sj-7xyZq}xy5VM7)VH-AC8T)GvLHWBgq8P2s;=PAkvkrT+YU_=l zc8}q2S$WEO>c2TVfTY(i^Wau^7N-jcq3c=lFK;WZTwULcSq>iS8;$k0sDGzpJ1Me1 zjToa0;Y0fZnzZO0dm}=_ilMtW7J47026`(He#=_hhxT8o0g~qO^|4x+<6)Zh-V8nx zjjeaJWxUs^HIJs6BG*!v+1r~@c}v>IxKVbt8@Iy0cWVnw(}|o{CY^KCBFY6}gpa&v zX5+FG0GHZI*ppgV@kvt_`tK3e#a|?D-b*%x>&}rh9&h+m*tK z#X8N!x;bh4wMxWh)t*@}sD}rWw<5?&!SBZRR@in-ja=%8EYHVlG2QmP(J7>b?O2#r z$@<{AzVjd+KIDwt{!=uF53$|W!96+>?6KGks9Q~1Ta-Q93T(9t7Cs#q^c^&p1d=R4q{*c4~}-d&tW$XQNuiq_-ed#41R*#Jf~1K zAGv9PXuzG=hVJ#^8huahw;{Iq?4;`vW7EO}m+{LSDu?zrjQ0b{9>ob+e@6KqfOpAz z)Fmm3f|ygK+ex8tLt6K)gV-Stfu|C_IW*HBjM_GN7t%#ZVc+9zX1T)6o)l#QdUp=8NF;k>(=*7Cj;@iW=vz`*n{adZ}%c?4J?ChTE)1 zs_D4>t^MW5S&PU*+L_%~hcvzw45=sZvT}L|gjM~P)n`i0e=vK=yS>XIdu@o2e)`Bp zEN~+e_4)HBN8+`G$VVaz_C|_w-vs!Xt;N{>NDtm$CflhUZZOgul~Mw_ZVQe>>uY#w^`nS#s0L}jZiXzWr5}x8qJsgBZnrqCSLM;B z%h1X@E?(jPV7h3|VO{-ORhrus_cU$$7wskj$@`nQJ%SDGp|2%?WJ9$|AV|gWU9+w` zR~cogsyYizBt7_o+#co{fl9Hk!fP2a}P1=hmZ^tjYA?R+*Nl2xlhF)|oyWU{ub33z) zS7asXkhgcnz3bQFV;g0!q`g%5%&v8d#4I&ZJ6Io^LGX{?^UxJmuZ5U znUu^wrgw* zr5R0*37p-cu_kDn2S^)(j3+YNPipRLjT^iYur)<8h*d0NngLzSG3VKYysY~6d%k7l z>I=8>`kpiOOfLkr3dV-1jRh$0A)M{*CVroxMdSC#34W`bKv@b>gBv^I 
zxJrKtKUdwWqKdUxczFvTkpaQ5I2LT}4;ISGZ4aInTv_Wq`fPuXyw8mM4BeZ9+K2Jr zQ%??z;Ha-UYF)_Y@b+4U5lh2dChSYx4pP0%ubA5#K?#m5rWK9`Nq>^(=kiuk*`Hby znZc*Ixt!Oc1ZWn+*+_2FI}Q}OM(`=C0L55QPg5|cn%d|xxZvAwsquRM(ZPMXxMPlL zD{h;A|FPTi0qz{Nx3g!ffFAdS0;8Op!WwdledDyqtqD=IpHIhgN**nok~c3>paf}E zWTcwPp$N#8QSxC>)abnckx!S#q{1>@T;%|$7P_gwIV%8=& zOF;c`nU`-pOjOt<_9Ymc8XLVKWcBKL7qUje3^@17C_8`>X7q=TI{Sa<% z5<}Sy>cw~6j$@sxUEl*aY6uK7aeq~d9z6G{4tJ_t11OhJjGdo440pzwXD&rwDCiwP zWd&C@eLds2y@cOeTDHQ64Uc^(l|&x!Kj0|MnR=F|04qi{a`GshGG+}L!*FyjTu`j8 zRMUw6>Gi4~Rv$Hupx4SjWC#0|MNuKQaz>21!f^IpIf-1}URnJ)s-*B7jc?*w<8d}W zQywSf8t?5m>@TY2CDvBX>oVDwO#^Y}COf^*CM%Ry}72nY1e9+&SG05#cxIPoZqx;oq4F_J9FQ zV5s6)C`Mc81y$B|fQ-6%WF#{Z2~9}I8w=WG%XECO=^(l~zK2bV2; zrSmc|RRSq%TY0>z-XFR-R;z+Pd++l*ESFj3vtFqi>&M=~!41NyJ7ONeZC81(H^d_o zTAT&zs^AXr`Y0Jt`B|@Ox`rZL-<@aksE}eWz8pI2cyv86f1Ifyc78ISA%`d`J8JJ^ zoP5h5UCZL#thsQ>48`hHT&3e^?@rO<6i6z`(Rp-&wH&;)-d8(g73z1+CoXadx{vN^ z1|#I92fEBWZ$uI>6GP;%ChY5guE-QeeR}NJEm7W!>{{85ePEkS^USb9$y<%N8;SEg z4(COmE|0k7E={MIkD4oZS60WFh2@C4T+mp0#J5;A(oJt+mlb%Sx>-}2pqjFg*13dd zXkfqke{?`ry`1&V5N#8!sI5fvHf|$~xJM^O&u%plusadx@eaBCjmtfId4vLX$%f_S zqnqXwVDE|cE6T#x7)2}LF@1jh$d%ZE&YG8QD<7{|6uObS&FriaY*&@T&F`fvJpEnp z()?!rw0g%U%c^bLlUbCcnRk7fNJz@8#|0CU(Z1C@m!6j7REWCE{`txQRZ^I8{7!Dy zU6dVtT>Z9s{M{1E)OmZ#Pa=#@Iyc+L;W{rCBq zdZug9^mFIC50S`qTE)fMeSeJ7M=b{QL$8Im2 z^sU@7Ymrv;84o8scll}xln)=@jf$94NUuV7Ck5Q7m{onduAQ5Wu(;rX(RMa(PCQbkI|2AhxBP^F;cWfjeqWVEG?if zJW-UJVya}Ymm40IX(DrP^fDtdo-}tmbl7&`_mV?}%P9diT_lKxyK-;pe#TH@h7g=e zD@!-?R7syzid(BUaLNoeQcSzjIVR^11E)}b}JH;mx{*0RHq|qkrb!i083Pg6Ja8;0&YmPSj8n%I7?${w4 zCW>6B_o&sO`P3w8?oPXx0!m80cm zHaCYILv8NgnZ6vAwyD=8*CjV`)8I_CVU7jyfWLPiPqh@!NG0(uKN>YINf{d~mfh!U zF}>T_cteb7vT!mhC`_!_P@?Tcq08*Epjv={;}Z@bO>)KhfhgyeDr6;|z(RxMnp z^}LQWM^H+vqo^d3J(>A@5X> z1(+pT7f-)3EEL1*e+m;F!0S3@wuc2l9!Hev^s&>ny{WGyQ4M0}b&dwXo>Y*FdYD&a zLUqX(vrk*1Y?zYIoBYGNB0-+IE*Ifjm0oCH=fI+Z2sk)hAs%aXv)jxcmO~TJtP)!) 
z{2^!4*2TspH`jN-NrGXNvt~fatq$NYeghp7cM<7oF?-s)qgiDf)}OLN5t@w%or&l# zT?`|Ap5Cv^ZG2qo!y+C}bM!kp<8j~E_ZnAoO)5txyGs3nHHfevDKnuySuaoHug?z8 zx7}qdL9Hl1rV~?B9v)qTh7IH_-~ZwRm#UwhVO>uwX`S+Y7jAS#Aymf%erzt&AiHUQ z<5KTl1*XDlcgpKbK`hxV-%vR1i3?_z)N}iBvby5ap+{XUsT0MWJlzqNnfktS4OI~k zEl=r?5=v-QZ9*HPVyzK5mFDDqZbcV~baapG-YM|UU)MKt_u455p9ytVx$A$!w6KJs zEp%yp?fs4hy4H}(bty#1zE^E-3@MQ!Qdp~Q;6zE0e>F3f?{AjV|2fU2EAW)$P9JTz zFE8I~Pt8FdN}MiZ>>P&@vY_d!v60_mckJ6{MO*H35X+FyK(1L@wHvQq6F+ZsXBfv&%X4Dq@PqAtV-(`lx@z49{yV zpYK9hGLUc?5MkDcVA^iv*SdH8N`*9(m1pu?b^tdl^+k%TZ=?+!KBrXJ|X9bX>Ll`5<0va{eruqwC`oyWh86Kjr=G`p_dcB__(4g)}*iO zm6h7#gz+9|W+Jq<&%9$UwN@|PFKyTL0W#gAK9rIgFmSa?Jgws|#A&a~fgxd)n_?op z77A1v$%w5DD~vYRl#)mO^QvsxP>XE1^i(M&!@AL$HaO+)*5Kk28+1XF(P=Dw6sPa^Nw~4@*DL?*c8uiX;a4F|xBBa(IHQjNR3h25Us%{{#F_0h| zj)W|%uOlCkd={rr=SlPuui3K=PLQ8U-k4Pv6Ma0hO%pcFNQa3oA~wU>!C0TiS|uJ- zf)`}{&H+*vIpC4!f{AV!>QcjETAb0kl7WiSM_I<#>y8-D3G>A-s7uEvbxQ$jHDS9J z&xFd}94mfl#8Cn_*PF29hYbfGnr+}fmB=5H#9pGlQ3b#i*-NKsK1ciRSc!p$(h%hOfJ zt2aF1Bg4v8%bbrEe$RK_&^_YgJfREuBUowC23wLM)^Y93%7%$S`^$-VvCq!ffsnje z&>B}2J}bdQss`Cog_+`VuXrtb_6L`vSy{n!vi$KYBdJJZm8%2QIeLCiEE-QqGtCp)3Yz?{ zN26yBteZfliHRmwMzTaI-{quvb%Q9lWrT8GH703*DR*) z+|+5~za*OY=|=ip`U}%g15{_??x)0!flqtp9g$DYG-|)%ZH-r0G9E|BzJZ}(xTH(_ z3tzK#Q`KcHes)6`M`k<8+mkm8$@Ql*-|Bi_;_HljxqG7nBEaR8Kj}>`94Vf(41J`K z0KRSGtZvj*FvUz24UP8=h(LH@Wk~b|#MfUkQ^B+Xh;=Ium z4O%E`&@{T6QDAa(^oaTuXitS}%5dkQg>xnI$JgIa(Nv61*>*RI@<(6BKZma^m1@6G zNz9YT$TLpnzmorH)r?`yk*y+K3y}bSU97_*UMt+rttIO&+{lP=*<2-YM*T#w;Gznd zvYQ`q?dqs&=c4%Gv}YTsKg|^$9huv5p(JGA4GVZUk>wa#l)oO*QnnuQ407S8SeFF# zMa@v-gbeRQPQrj?{<^Ptw3COjQP)G*dmH*6xrv^d=W%PKhu2dwF1IFy9*-HxQ9e|7 zK#kHe0YJ%vs3X44xKCaS zpWDK{>|0S9l_o(3dDmg7fvWd3G{t69Q!SEBkiD8&vgTbU#MTQdE*^N2ifv!mJrC`w z(JYLge6>_;)q&M($nWDBDKcE3L@rZyJ~BXh(VvIeDJLeRQu7CiuH<_p)3x3~(SQet zLd9x@E6}pdPkVLW&TcB?*AOglJ40&Jpiz;!eLmBLM6uxF@k>+#Y5>%t@tVIf7Q1Up zdDHZ%j>uD6*+v-!f5!;&<^n3GFhZ4DS+ZEHiA1F@T~aX$KpKqyM2+c`^ItX=x=hJw zzFJ}J^Y*iv#?k+10fgz0Ta}nFqb~HtcANH7Ri`Zjx9+j?2wG}4i#Wb1-w3&n$wdWZ$ip#Zq2tVrWanE?_ 
z25$m8jwBlYEZXzXC#AjV8>Q%JbsQfa5Lb>u`y2H&T9=56pQ*NUv-83d35p>D z_J#S6`rqcVG+ZHns4#DzvGocidL&?>=v7O6)6p<9Xs*E<>_^Ll^`qBk(42#{$E;9- z1F)g6gw-ZJ-w+ok$vWOsQO2boJUBK&6+LoHLJS^VzWHl`DtC&T*+m&L@RGx$!&!Js z&#hukRZlCgkzM2m=QGy_^tC)}LhlJ}-O#%(!LReME2yhUD{}aHN^|v+#Qkh!KQw&$ z0`q-<_uRRPA8FpS(uadvp@w|PGg~Dq6)7eo_@NKFojMZtOn9MGKWnD@+WN-N`dylv z&7^~k)EbPD=4atcP7FsTbEWj-k4cN?+}G#-2uN?#u#hJ5i+@Y;Tljrp#;wzd6fVnu zVfI6Gfuf_$y8Z0-f{ri)-4{-peocj>bW(1;kiRPGf-&1`&T$*53|n^JN>kM8tu64+ z-YpkbZ4A(*4mi0ayfDRDw z=2-pnT0Oz(oVediCVD@%m&BTPsc2HjgR?}Evkx&+uf>A0i)v}^W4Jt+&@vCY$13e& zHeS=XnI={OK4E<<)x+8H0O{l7*<5N)n2in22R_xyGh$8}wEQf2GoDk4=ke; zCd9bW$&!*ER*qh*F8|9T#i9FM5fu<*P!$TvPpQYujlE3W(H(zOBNcocO==D*s7Du$ zDFxjy$=j062bcA(tcTu2y3w7^fB~N*p5)>pPCmqL2O`|9e&Jos`bR1>IkAxSIMW1e zM4KM=RqlyIRIUe-P|0yO>v~T~Lg4)XvLtxC=~g9ZDtgoUR?YFpj3QHHZ*sW?O!;Vv zHf-*c%s$KB0@0s>H?jWlgPUZ@+fUX#D7tzWILxvn?l;o*FIu0M9P$>|8^@~_nP$X3 z&k?h3&xYe=<+MSks}K$qTw)<-8NfI$6x5#wAZ4$zaCgZ}DSG2KJ-&R^=ls7I(eWYe zazRgwRs4o4PGyXnzcxzsIBXaV&GaucME>!4&z={09u;vtJl;lh$Chg?&4H1&3ER(p zR{YS`|H-}gfe!@ACLjJGf3us@NH(v;ja)J1Zf}8TZ zAJTv;5m!HULCkY(2g}PjMDPB1eEyND!Tg!@R)h%vk?Jbj=H~*MWh?Z3XwOvyi^49V zn8UB1B~NW{Hlq9z;w_J(4a0C(+>;-swTag!a;3@IvL?8_P5*ccNwZ0w4av_aO@4XH zL?Cl9-QTH=a3k|k9l`>nr{#4OUiNK-A1nJ!oyu=UD0@pGTFBW!B! zWz*q$n)k1sM`ZHNVRj-iMP|_jrPu2DRfd$Qnzel`_Xm6~c=+TjLiX1UYHU5mkcWx{ z9jNuht;HU6LR{1J@;v(q%2?8~Cv>aFm?La=@YeBbGt~m;c799FQ7xT}ihq3MRMBf} zNx=OJ<@#ASf{)xQZT~fwf1pjtC3>t&P9r#3d><;&ZiQFh+up8FSD_bJj4P!FmXha3U+1l z#+QmQb_rtB=x%jId!mntG5${X=y6?B(#wAPT*pw8xeTY*hV!i{0l%1B7%62r*+337 z9HZK?*6f}bk48Fq*taS&;698TqkD%G%!JB#N3LGap4RAql2Rfi9c?+yBE4xk&V{Kp?FD3-iXh5G~E#&aI`_1ml!nq4w&Z`yJ_7bupU*iok` zaP^?vMtt9uX4aqgf`8}>H*GY+#~iEkTnPf_d{}Bgfae-P7rjZ`*gh?Jr9;ZM44xUEPvVYXEMD#+uHYMYIaLcnuTZQeigSvh~{lc0Ga+;LENC5p_KeDQap2OqNt_JTbK!$+Uitux9_{9GGT|d`PucR^@{1o-r3Y(NK~ZK z0g@SB2qv0XqZZ}dNc8WG1fJ@oAbiiBIxv(HZc2Go4p-owL7_Is7MhZNMh6=EUgx)I z!1nil%7`eyI<*f%92k#tst9-VAQzRpM~Z6C0Tgy2W4RYAx~$Ee%ocG7_{)A9*W_n1!^d7q^qZ(Vm-5YZd2! 
zjm?eacAyH1EyFq~%EF44gpJbobrp4k(9jAG)a;ADPIvplL$e^SVhwuB!r#Xm-0iB2 z-q-4oJaA8TiC37B^xexv@53p{FVG%LF@`-=0s_BFH8lm;c%B%gW!QUxY2E%pY501} z!Uk%n4YgoeCaFU*^-G)D^3U}5If%+aq}7%3+Y2kDP2RCdC=H5x#A>$N6Q4GtRUN%s z56cYNu2J1r?bu0Gd=j*0O3rX-C-p|E!dfurThdjq+@!dXIw8}<9!23I&oZk9p^`9_ zs#<7$bcI+b$@jbkD|c6I^Cc%ax%Nfp8&aGk(PLIU^#`cQ1m(DSiN!-t5i<+2P%5FT zm>2~~uRs}35bhAobiD9q8pexJUxrkm<;%8|sisVc?)xQA5;xr|U|qbX#6>R^+(KDP zDeaqS_k$|4;wsb|Prm#n2SRwex~Ki7b=xpNHqFd)YFpNe6n0zIrgk*>sWTsb9sJnO z_!+jTx8C)~CWbHssLU2<*_q!t8qMsMbCCasz4wf2GHct0M+6I~I67FUcBD&}E;<&v zln@|P5fDf~NA3f4=pt z^{(&!;hHff*R`*Go%`I!S@v;=Nc8v#chBbTRE9cCv3Fg~3o+YU-nWw$-Uxm1lI4vp zSl_ySXRWwnDcHniKW56|*Dp_8f@qJ#8aL_b;gknoWZ)9!pE){In%h-~im|hZo8h!^ zy4C$d6_Ly7-l6)i`)yu2uF2I-?hq<^6sI1#kWxzOt6MAE2*ZUJ%uLBf3iu>w8l1CZ!#-Y zL35Y64GAnQ|FvO%t;K9go3kGiIs=_55cV)k5bM>rV!|%8S1w1r-XH`gDU0|7);qm^*oA6y zu9P=UJ=Lq1lAlaHNS-StfhGb%Q@nP4&t0oKMPXf=84g|h3}sXHJrMk6J)a^sDh4)Z zqnh5qCo+lPg{gRJ3k}W!{ZJF^OtAeHx&yMmDphf}-CBQ5CB3zpXvD(Z3PqnXpKA6Y zPv;Q=MXmBND`X4VjHv?uAW`cYv{knBviZogn1Xlolpmz&j>NtsMO5`o5yC4KEBjqC`8VGzkE4r@GohCRd*?bkEl33EH9bIAhG0o_gG1o{vkh zC^~e`snCEU;k^wjM|DP9?8Q9k4*4qxQ`l zyczweWxi@<>B4exrxd5(xXP4}Ue%QbdVykw2ba~4+4oX24oZ}sJh%O4MmdugC!gAO09R$&Kv=2eJU4{1?Ic}2J z?|fm3l$P3SDSsBy-Tp*+o~20$;mD(Q zg6=(6O_Kz<(KX61}T_{9^pq>0}k56Gf>B5N-GQEg98m{G1PJX(pYAwz<;0KMWYn^`D5FMR9?n=sg7E4nLiGtP;~*#Lz|F5YQbc8L*VF3)_+ zmyJHg4LSRVjBV`zB!PzIMTPrYH3M}u#WWYy!G%nyql>hZw(R_Xr~Z}JyX$M_gnO3i z=eTm=5t)>CP@Jg+7LK@3H4QDQT9AxiSU-CqUHNpKd09PHXurc=_DS&_!*i>nyAsJ$ z5{3*E5{s-!qcKOkFh+Z(#e#H-*yoTRuH%c4Fxl?>fcpKn`j*0rD%3J}UlYE*JlloE zjowZ3?-H{cTQ2loUUjzUSDY=mAU9Szk0t}Lro|vUIC5*%8hWkjW3CR8S}RkT<=|0x zPW!hqI*}VInmxJGPAY-ZzPde7KrW<<$00r7g|IzM?4`5Cq8Sq;<6(`WN_eNraZm); z89rh67kz-yICDU4{%QkO*t@+=))d#bQ;A5N5~FRZAyucIA&aD% z-`lMC46jM7)wLaOkBY>0)QhUY6J25CNH6}e!zO2LHV4W6l_RK^@j5+%-7u^(oi)tc zD-Q(4R=GaqxIrGOjZ#sUu{s*-z1~+kR%+`yJm2_V`=&fO8`&;gVX=_1YkV|AO^94D zY9Sg)v^}~5F@i_U(6$n${A_&|04gq-DR0+j2Kvo82cg#R*@<5hWZflFy!bedXCoR- zWOM^z4x6%FCUv)l*Xe-WV4Al`fq~6K#OckWS;t4{IAOsG(15jGTNF@0NrFV*X%C=X 
zgy`O(uGc6GNYl3KB2y;I0jqW^03c(!Tn{()OAY!s#XAmo!3K;CX*Ue%k?ipOiMFO= za=d}VWY)%K(RS4u!>+wba(v<0*{rWTl+Wx(^(rFG2)y`_fF>4fvg;Hzk0Z+kW$nWQ zLdVF$E+1Q3A*362*1ATw>cz78fTdM?a)gGve(Qz)#oLQX8TndBYqPW6&I~G=iCu0T zucdg18BQfHZwME)4|vBr-cG7UAjg8JxIpUX(68~)x07m7-ba(y#S6}XX3Lb=7u>6XrdM{AorYB1?XgDwqAFM4LQ6R6wc&AZm^D1d6gu6Z zBw5iY?rSAjOwW{cU8!CuDlAQxH^=KW2DvchjU7#}F329l1F=*~(jQL`_dRq?75*)L z<7Bt3W{TpxT|5)QNR?TzH`BmmoS;m~8{bVjT5M5XfPP)+o50}kVAiu{yK@f6-LMZgD3S#ZJCT=t-pE&j!gR4I=mb^XmaZ2ssrI*hQ~PP=10ysbM2&Sm3{gmQ!WBN z*>n@1Oy6R=ArKeTD#E6$5S;5egTo1YssF6{S`R~Vwvb)?i2ZU(O+}`EQp98T)Q-&U zPDlKen}NM_*{yM^30^)yu*f6uc&e__)(8VL`+gJK#Z0km;^X*hO5Ant`Eyx;ODn^+ zmz$p5rzN!s1VFn$Psct;vrpuQgjWj|6~reN51GN7{?F^%FNL)iJe78-pmo-m6jC6F zz{)&ZmG%-R9`!Jbv+-78d;~pca+4*eVf$!CPJ-B#eiT7&*ek8XD|1A?iNZvNr)%5h z2NHFa=9?F=;};@Sa}eTooAd*ZW|U)e|5!8_xnjs@!K>uAPw8tSfA?j}BkMS*)fXxD z*Lr=$3I>Qd5a<@j0k9uOP`V6Ru+%snCzY@w+rPtL(>%T+-vn|+90yaB8vuh@)^%$yQBJ~z;$u)4GyWbzOT>nnEC0c1IU?}bQxvAz6+K)pq)}z zUTMHK^W^#CPAnRE56>8C23P8E`L}u_sUfvNUn8tW16CRZ=0s2m$FW?!qo8;xYnZEn z4l#5&9KWkircH1vW7#pT-M!r6Ycu!Qc0qs8*d-j=ZVvd>h=8_{vdR85&HreY&AT&# zPi|ZKY~IQsz0Ypz8~JF?^kb@WRkK#b9-6(;WZ^hm-LHY$Kjh*YP$tTGuVH7kgX&_k zQsna9l$`tNePdnTlv>PtwIYXMG*iddG5cBCm|InfVEhE#=dI&POJIWa4X$F!q~ei3 z)Bfc|jsiq4^47g}lGU`1g%EHmer;ByO7@!YsXX&(%8Gd~YO0eFFZ{H!t9n3YWROn3 zL;D(MBQ?)@EOrD_l`Xevzdq9BgL-4ZowShhN9@qs+&UH&mE47Zo-dCH$~(a+4RLCa zvxuvLvBAw7dJW)hJu!T*f!F7{ZzT0hAj?KcMMb2aCcjt(sCW4u{0k3=4SuO0dMU`2 zMc#^u6EQjbo5uLs2hbheB@HKYWyr;Z8+9*ssNp!e3Q|O-l6*RyEqlpR3Ubatxwfi= zv(TAo_O48NZOpEwrCMK#A*$MgzvTjwXUvP~kUCx2s(c7;Dx2jVuW6jMTW#g_hFA*K zgK5S_ToVtaj~8eRw(br)C%fTmL1z~KE;A7sDeY=ixcY>~vDe&K_xN)$1~%*OrZ5jD7S4k2OY`5p&B!ji&%zS)l`KEFt!BRT`SHFbu;bRKG3ci| zHX$mCsNOk!Z|yc8MTBI<))d41MB+w)0VT@uqF$SiBuy=Tgn!Oa5bc$ew^%e&QDk@5 z$aiRN#lj0$t1(4d%4qAl+E>MibX1E#4@`=B5N*Q?z8WKrI#DNnuOuF zg*Sc67RyPF1YGH+<5pW}pMq*n_DF^yS*7drghnsO-sSl4F<->)0G0ps8;O_+;VgAQ z=-a8c@rRAMqnB;Ls~RD?l?yNE3Ikjk7J98M%`LewT@M2Xs@E<{-XEV_b*UWExAoenGkl> zsy9@hvRzpBhdK$8p*eO`V?m;vb?T~%dqC_-=p{+QDYj?AH?#ClaB8{s#`!>}&>`|P 
z&xJtH9UL~#x)fWgX76`DnXJ7=~N@gc!7TS#;K&1 z5`CsN9uxPm1(bdzmIXlA$Z0rOkuC3!D7xACH7V>1oWP2Y4P%QJb%xw0OdZ$7ZI}}- z_C{M_LE{xw^R0=U-|Zw#(|I$7Kg!L$)_%B6su{LyfX>)Bt~RI8WSe5A`vBggabJx2 zCzCga=pP_!@-+%J*h zm=oKS3az6+HlPUGD@xj9dY!wcllwdqH&h4qD9UwJGcWsbl$&MO+Sg>BREQq}nG(XO z?Vv@fqgDoqPuAtO_8{NS}GLC3@H|UOUdi(JmSje*P!L0HVHQk{^VUTqjQd9{!YUEPYojr zR|7#NG3C02N?NzV{8W(+EuOkOT1IEoqDpCGK91q*?)@I({>QUfLwY}^(y)*2BP=Y^ zSI>~zsw7py2@wy&+Mjal^Kf3tX|bPulu+N6+acZ%M0e5v*n znTCKS($v}mQD)Nu?SwV9^o{mVeIY%;0{5}p0KfQ}@ukDd(G7nFk2E(?9w;>R^kV0v zdgxBwfoU5GLd`x4v%J*SdW^30kzxxY2Q7a3venkIV8QEiRCq*GXNPBgz7%juo=2wA z4ZCzwg)z62g|o)=y_H(LZB<&GhIEGYIvLYbt%ltai`j-$C^ImgkD{-+8emeN?=~_x zf*P4`8XF8vpnXvgFbrndLr4Gz`>reng!^Q;lQ<}SmC zgbGAN3kZ>-;?^aZniY`D0`X=i8V@p1OX-sMZ>SVpzi&QpK-GOOmocOs-7j=peVvvC zTHL6R6joGqSJ}I(RW<0KVFgo^eaOCwuwFERcMizLez2>(iX@L5L4+r!K>Ilfa-%|1 zVR_q#36h|x8eiWxh_UPw*GiCPIxaLiq0F#WgVhBiUJ2t+F$rx85+ph~-*$w8esHy* z@r&&8aCuf%9c-iybS2E~kDmI&ohwM{tK5a-4?+8AZY-wH;~8Hz?`Ox^F0NaA1D<#-yV%j&+@=!gY=}kPMyIsyas$&A zgorzrOIEd5`^)Y5IA*jj43&X@aLwCazsdR zYFH*ImtdjOG1r<#!(<7nc|?IQ+*W5vD*HVHVP^%)?b>s#8fQ6IX1=XU`a0m1%My^= z5`JE$3-TWPm?yAq-s49GypP%gd3#tu%;aS2(S0Ucf?QrE-s9wT^UIv5cK3*k#0P7;-v4LjhCd?Cp^ zW7Xck8Fl3B$7Z`*uDXg{>0%qcrs23x&*!daK{YLrkE809mT=un1!_UVH(=8Etu39p zHkHQgNyK}SZ^h*6)oe5mNRYB}?hTYJ49^l2nzK5F$1F}Y7J77b-4mitX)dtl5^CiM zXYC#+k7c$6f@p1cKA9A^9jqld8nwy6mTUEybm2%p*?=O@Xw|1`td1G4RKUB#zAPDQ zqMsw^6Hxp@yx7Xc|;rNUl^Pd>Cez_zc{sCdPgzYlE#F1wWuc7 zDme1&AXGyfKu?=tKWedRL}npSf5fvvj_G93){G+VOCyi zI1(e39;X$1eL4+_xFFPpdWMu@w}t{cOZbSk$z z)4Q#?m2hC8#L`=+y#QsHVG<`yf)nu0EB}hvAULOa8H2?<4opu}D&ZhB#lR)0$I@yC zftAnW`oqy3&nfDyICn<%EUGaMOEzDM+d#%|R5w{=(elGADrzs-1?2Ebn?}JIP{`GK}P6cCs{X^Qm*rSulrGiPgIyW2qgzPL_tz6Z=q_p0n~0 zM~$(R4doq$KCe^E#vUwHKl1;0qM-Y(DP<*tk)Md*vudA)wI_Q76t3vn4wuGlh{Tsd z+RnCTSA1qn>X{a@Mje$66H95Tu0N~SQF1(1X46#|@rk!Q&n|C9dzdcURXT`n(W8YH z->Fup&stA%CtbK%cc(UvE4E%+$WJ0=td{hQG3}qSfizrQt@W8=>LjdkQhjV=qDfJS z;H1&aho>I1ebrNa3(X+^D2II;w{9O_>(TGgi)|Cea3gvG53i0{rdt^=OOB3nwY;+v zVib;e#bHx*2A`78jk9 
zfr6$ts|&a|@et((95kzJO#K4-7e@}L7&3bE8k^79-G>mmvg3{>6wJF|uaD@(T9GfO z)wy&Jb-D{=yMdFFy#uBBtaKA=P!?&9xI60rRevOtA2jG4F!*9A7kT50%h0QZn}zQa zj#Q@|Sj3JUifrY#4)(S5^A*T$CR=80q|93upjLU6gU$7~782`gt%~hb^bU;mz)pR~ z)pP7HsGUabCo8e|odjvaqixgbAD?b>Np*reiAK-CG{X9{TnjSPlBt}CO&uR4&8 ztYmd>pI6Q}g){F~P*919b>IEhXqX!GkWwOFA;QV=TRNZO8-On;CW=Hi1OF|0*BRY# za=Vi|HFCL8ZM|_r+S19TiqB0&X*O2le-_n}^laGg#jZEx)c&2|3o)AUdaB*gpE+edi)izDyk?TG%0l1GAuJBSuckGD)aKdnI zQ{mH$MXJ({$y?9FcEVU5Lc+a|GUo{MMxo^I-Bm%r9cE^ z45T?nJ--p-jKhJG`k({#oA-Mlw}Hd*OUR~+COCXrwx%S^_x@eEN%Nn8>@5j?2cz+S zI9~ptP5PD_={2CXQn^QXd+1xfvmbtOS9_bxvNa5w@=FRRUS-gh^#G?M`un%z`#-cQ z|L_p~XK3F|&wpm^JEQu4+txnb*bOh+?+O^n)9X`R@l`cIb*9D;kmD!8E&rFrq0V(f zbTJmSe%pJ*F$bBG;Y;bVO7KpV>@+N_nofZ+SO96AD{=3Dz1`vBx-V}yYNWd^+Dh2F z@_+Y0-z>L(Ex;s^yW8|HKzVhFj|EHEH(+l=m$8Pa6Ih)Omv5gjuTdh-=z8d{|M1K2 z=+c7g4z6@KsP?7<(VTfxSRMRuzRI&51d0vMP=t8(9jZvxQJ(k8KdioQ$96G|1*tU2 z>L6m0N;oCZdY@LDNCUJb{pmrQtKlB)rcU3unIA87psoP|wdf}Tk=j>v&e2BTbVc5u zIfVLAeuW(b;I_!`U2ll|@);V&4^;vV)|$}+RW#Gov5HkKMX4Qxd~M%BV@`t2dpclj zK3Km0*`Gf+q;Ia;0Eiud=7WXrU=*7(*jZZ&KugNZ(RC{_yn0K`f8Ny0o~o;5$ovP?r#O*m=S@S;r%mH1E?O$6@t) zsJ7@50`E*3ybua2I_{9fj##Pd{`C_F1Ve5;dL(pUOZaB${Gw`J*sw@N07(B$37;U~ zLB9bNN0*&H`^%@?lYi>zZ*T*qnffqD0yXyC-MHcR#gzn3l;a+ILcd@wskpT|RWjr| zvd-^Z;r0g6fM!AbhGnTZjvE_v4!}`7IA@ov zQ2-S%_Kv}SJ@gaS&H_If#y1yiPzA%DJ6t>b9Xk5~tpM?G)o*_F!@uAEEjVBsLJHn1 z`<6EK$L|3J@qix|)%RCso&i8v?~A?GufMkg#{BW}-+e;Y0Pq&|u`}VjPk(qrELi#v zE8+WJ%*KLbmg?(Nv0s0W6;9jv>lZsD2vAx;h&=4qRt*ek_YcGT?#ll$r2iPw|CNSx z_dH-l0;-r|-;+;&XWYOY1Xr*Em>5^lM2LtvVBX+mdDm-<;TL@S*YJ*4H`wR(h!1Ig z*^EEwK7!|IIwP>itt0yT)%?9@4Ssd<{jNLYI#RSOk#Qfv<^VRZ-BCWjbcc6kScPxY z%p!{hy{vX(5l`jjsoN5U6kR1+`Q|*3vm-hmUi>99?#DfQjd&M;n$+CFc3>+WOrT3( zV6R8(%$EZ=hK^_&W5-ZHMurIF#mXcO`aN>7{GT)QohzC}HHhIxd$v^si8}Jc^26nw zJx0HIOC-XrSg>5rJ0I^ljXIpG0@wo??!?ZBU(ScEC;*l6p4(K30=WfBTXV?wUftlJ zX4ko?ijWEiRDf3^;d@H_A9t7`tzdve>kx-?b>3rLBFu{jmI(mS0A$Gu@4h(kWNy@> zn@IOf`Br@8Cl7dy4aks>%r)`2j_w_rvy&jGfJVgUSj$&#o2%scKl835{eKx^{}wF9 
zekRaoDjqs^669X$;Ec1@sTmck?TDv~vu5A3aR1JAs{yq9w%s1sDEHZYuemvczPHu0f%V$G-> zRpbuoe*tAu!EYtiwu#nqwv~HT;L+v{Sl^*@*4sMJ5*}ZbzO#hyjT`(E{m+j;+++yM zUq2#-Q5%j}F6;z^R~fTV`^&%DU>n$3_70u9sWfX>^Cs7svor^UHx>Yj*MMeAXNk(+ zfBo>q8o})n_5Ok;sSSwbQsSg?Sno*eeZ(9i?Toe3BqRBk7Wm-Qg(JnCrHDlZtlyFC zxeMyAk?St5BM|4jZqADB{^bKVn}6io`ohWN$2P)FaSZV<@-=v>KX4h(6@7nuJ8lDzU47MaL#A<_3ZZp`JdB= zl>jI-z}Dk`e*WDv-fzeS!#^J(@xQEw|Crc++sglcO|1GF-`@Y?0{HLg_^NkJA=?}K(PdsI8|JxNWoiM)NAeRvO=;zn@<_4F(vh9IKxON=**HC^oynj9m z2D)1WlOyL&ee>&|5A@y96UAb9N!Twg_RpN$0ynocP5Mq5^ru7qzil#eD_FD=#bp64 zderJBbN+!Xd>}vhxYX?%1uA3aoU^ThD4E7^PR^tCpB{^7r^+GTFlv7>TfuF>LJCGb zte&2>s=Zg@^X2vKMYF*$9+x}VQFpE0N;lgw!2X@$yG)s?P(4zp8Vuy+-|!;)^v8E0 zH~-M>dC5Xf_s&R`veUfy73ALKfu6P1O2*OEz5d`z*S7Gh)2Saxqg5WAwLXg-67}o1 z1}yy$ujZ4&_Ver_NgxPVS)k8cV+slai-hx9r~j=1+&lqHghkz$;ZJ3~dMJwc44L~}s@%#N+~!$VD1z@M5)X(W(ueciZ&G3Mubu*bfpumC&K<~h@I z_TES9ihkpEFSqIIKUpyUnyTm4EUZ|zSNR=WtHBm8xQzA==I9CZf=9Sql(NiqsX=Xv z75g<8{1LCx-dH80Iy>b_@N?Qp)`8&p&5eIIy~g=47dGFOu4G6Qh#BAiZx-GCOUS(k zhl~?F#fVV?LtNAgN=V9W@tRpF!yMi8TZoY5=@TDOTjoIimE%a#>LNLnh9jwltDKL% zx(CkTk>Q!1<};ma4}@18p({Y7p;hM2`-WV1db2=~47#baukS4L;qRwA&ZWYiISxEq zt35P_ddA}5@Nbr5@TolqhmP#1cxF7a+Y4>%HyLyN(Bbu^UcG68YrQPDhrxuNE=rYH z3nsK=TQy*O8ia@sH=aC_Jq-q#8B9Y%Fdabiw&%wgk!WC>12>ovLNE@6JGk9pH1y)=oCC zQyH`h3OLwiw0eK9?5V%UToAGb6o&;%yIt!yye0z>zE`YMNyA3(eL<=KYWj#}z_QLa z`Bk*4;+_pm$J1MHKD~?RY>7GD*~qEJs}zoJT(U4m7i&}kzj?_w&jZW7tYQ4w zciVD<3$oHc{jUlXHED#8WM68515g}QXi9mK+c(PdxBa3xSP1tL&lm=+jPLG!aV1#>*VVL0g;Cz})tE+ffT}a-1qlH&^g~SREWn_+)B>`ge0P3cR5Q&bF1r z1_tpoxZwWo1H5T|}{R5{3iQ`)d1 zl2RGF7+4@)1y+WWFJms9QT@1%g@tg7qb%^>Y+28J!9!yPYX%UVoU`nFL+skbQy9P7 z1T!q$aa-S*nShc#|F1j7{(VOm%405(kgw=OG1!r=Y)NO-y-$0~#>05RdWFBT1tZR8 zAft}|{286ffJ`t#wWj|rJkT2Yq=62uF9-C$_ea}<%CVfD+J@&3&*$P~j-EZ1o4bvTYi}uDy6=dGu9Y1Q{6kKu5B4^E#t`OO{$xA6Tpt`u^RBy<}8l zVXxX&)*nL&&yYP0Uj1muG;_Wlq?#5ZKO~kFE;mK;qylpr&Bu;7CDfe?T#H`@c4v9h z(du*IQ;x{I#T+J#Bvze+)PrM(?Xv?n*4PL}$X(d>L<#xD=}wL)js7kkc(MAI^on;! 
zV1Fzn`KJj4txK-B4AkAkxey!NVs+&9V&}VI9gH>N^MLmZI=6HF@1xP7s;C*d70GsC z3v4Tq+Dqxr=N}Z{#uSOS{KI~Z4eZWcvWD3U=J$CGa?U>feMpr)WD7KZ3-@x?>A$)* zJ?wzmPjXnitloS&TKN{g@8=gMj%iiEW6$Yy1n=g*qkD0jwQR1Mnw=u{VX0e{DVlpQ z5KL$!7KIiX8upv7>-_yXuZ>yxofs!<%hGXa`y?P_Bb_z?WUj4IjeAY;Ps{Ls^!3r; zTbmobg|F4N+=6M_ZsN&)O5qJ65x+bDn>$n1%JryFP9XT`z$%;^z{@@)s+*Yq*z_W z)^*Sayq`o~ynM1BcoD~?o1qAY44>?69r0Phv(>z(0c~+YuLCZ6On1aFvp!moi)@>t z>oa;mrLi8Hs~@fl9AD1eCN93(RabKvkpm2V+BJxoIt<)NV>Exz`qvwS ztKkBHl?os4?|jo8i#Mrq&-!rX@<_BN+3W`WLeiD!-x#poM0hrtDY-wtuM~qQmEsX zgD1sknPU!6D{1G_6NHP?)q?N}pf98oY84Rg33=^rQSB*t)bgIqh{qz(QAz>r9_LHP zcJtpm@wM@{7`8fjw4(Co=MPR9_9Iq-=ipCHpz^Q{*7+_!7AD z`Jy7{N1x3nSb?7F}!ZSTj!xJQAM@#mn|MuGM~)=k8TfJJ;v z=mcWz)}xhf;}p0z3H`F)JLC=3voqtBJHES@PXKlDXGra)BXIQbUQHbSwf}O1Ku}1! zH%E_?VQvGFiw~i^GzzMP%4b!{MW*_^M%WE5er&QzS2{_j-QanZ1vTk4QDU&+Ep#&XkjNcS+LeZkGgRx6Ffec4A zPpfl|=)(RDXF?S@!+8Yf>Z+@{I{91)p`ns5YYY+1csOucD(iUe%yyyoPMTt+lm~6}5LhoOS84BN2Fo+3_&LV97IS)Tx|M6sZk2FvbVZ!m6l z@70lq?9Kbb9}6Frs=T&jHaHOkXp)~3dMi)pOgw6XzJQoB$!c4Uo*P5i6kQ8vm&96n zS*F?q%PGhMAhvv2HWa~r5TP{r^h$`PF%zF1GzPGa`lVwy0d6ZJM&)KJ6L`mc)lmc9 zStJ?VBH=4Udl5le`K>WEFP?7YMeX>)q~+ug^lBaht>lF}sWC-GUyjMTkQ#t0!*)D{Los?e7Qu$jRH=rqV9s->$JpJI@rOS;za z+%*XCJ{85!x{x|8Aa(oUFak$hk4D#`F4$b2Oc~f%1Vtm(dd|`0sxk8TjxQ`fb3{8>L&k-d<*#jEU^tfxXHvqh_SWC3P^=FZ#XPQXud$32 zxw9o?ee+Ug5clb)#utNc?ZTp!jVcm0FCkK!_HX0CJga(qdfY-zlScos2Z0CCY7JI? 
zw2Ext`Gpc8&<1wHb?ZwO!p@@aJ$2e01&G;&kGXoXc&ImtA;NnMgzvT>~gtUJI5DEgt6<8_PdzaGc;bm zd{ezVXhqU}yl!6YnWxWan%kgR?KV5n8gMh0d7ZFW-zcl2V_`|%bb9~%wZP%pEeZqk zW|H7iBjzq9q8zZ$Dkx3A_IzGRW$2T<%3sf^<{5b@14Uo4M86i4yrZ=ru=vyuudXvA zQVT6=b`i&^K~FxVj2gwvZUySM6wJ>Wxp-MrA6TlhP7M>Vn6SC;OUZCuFk$)5P+ z@lymPtZ|>6ps7f>deL|*dLxu_$kg^Wn&VdJX&1wrnVN%Vbcpe2f&ng%#~_k3Y4Q;( zn`jD&52}CCHrwSU#A4dZ1LFqeV$WP_tgi|3EkNHwM(3%$@tz&}uryC1q0ahS%>*Nm zX5pU|YQOA+d2^vfjVlU-3#DZtJ18S}izLKso9myzHow9#dRE?3rQ+Tg}#&kdR&g?0INf*+-7PaXyZ`S}2~-E1OO>vYq9>+pyzxQl$pJ zb}8X}GjnuKN$vNaW)T{0+O%JNin{b-Ck)c-#M>Zg+hjB>3E|D-(LnA_&I1v~_36J3 z>ptwj0zlJbY;e_nVeBm=nCMLkP-n!A<-aC?xOR7N6f^lviIK%X^TU>jIOX2dFAvc~0wAD0=(f?4FE@fxw`jzgX^5d-9v z(b@wmWy#ggqeQ>d%d?Y>HYjq$SPk@VM7y3k zhgMO&7kYn={>EB93Cw72KFP*~N69PSaily?Noc|uq6_p37h_gEt#FRL=cGCV7D2?j zo0GMw7kE=VA+l=A2hEuBLggqP$o^^K<7OU<(U37ES>nALGq}JQ!`_goW6J`P3i2!R zu4A=BYPHT5+(#Dx^3xb5=GLn~$kmX)*vq$pSDXb0v%O}X>(2S1VlkpXA1Q!g(Oc)| zt>k=R*JQb4?;A#FpnfYbSQy!3&Hzko;kuhoEc|+KR8xT`;h&9oR+rrh^Y~`}UsxIt ziiCtHGEJ*d0AoGySs4#+H0?n)^LE8eMSxtu>)bc*5fm1A3-3>JweNfjPWS*QD>G;E zhSIhMc1W$IgO6&g%o5S$3G@{(zmOZ0sCU(!as<|3&z`a0W+i9tc}7;%{k}9uRJ!-^ zZPx@4794Pa6rs&fzLdN)JZh@Qt#czms2J4H^*T$M`FTu56W^PNyx+PpbCMlrM~OT+ z_u`aT5fkIHI6a3xR4<;xRQ{?idHSazIoBx=C!7?lHVHp|bm)jLZ0+0F z0D_sA4@o61#V<>C_1C$HcM3>IS>U?a9sHIlTrSttC4&(yzvI8?EUQ0zE^PjKUII-R zA$nnp03rk?P0XbZo2OLYg5=IvPWa81T)z+oxI>LLa)dA8gk}ftz0gR-W*uxJW;by| z9-6isf%b0#IB3s%xcn*eAWnR1$Bxe4A}h7tEUm=KVQJk6B|)?Ez@a{53W{IoyCON$ z6s6;RQ^L=dCx>!m1>m*4P3OD^k)Iw3Uc<{1yPwt4o0SKownGW|{0SsXm2=lV02)8< zcvGl%atTv}=TlYO*z#RlApunI8Dr#uhvx4CV^f4VUGE zO74V3y5&AazKWDLC)UB7#EE8bIl^p zLWhiTNL4{G@#0Qgsuhw?_14>mcX59l)X7jDejDkRHy6vbOXzc%PW(p~*~;_`3fVSV z#eTb2`-^R89s9%5nJxwMi=7;hbbbJ7ViYn!vL+2JaayExF;bvq%FM#q`wAqF(!~Jj zrn1-&R6p0yT7S=~s(GpP>yR6vIN|0E$+yV+udYQ(amNnHS>PnQsDz?w4MiYXve~x)u zw=u6jo#XDTTac%CgVO`Z`Gfiu`qY7fGP5bLZk(H<1q8%n3s1?V2{lIG1DM>9r^ED? 
z)6q%W8A<&9APQh(rD0(!mJ%|71x5%29P+oayup9m7DW&w;a)`I`ElS5H*^SXWQmAYg|L~RDt3Pz&^bEf)Ir$EseD0dOKtOO^mB)>mbap$&o+EG z*k|CKpm}f{<_VLStQT5j;aW9H_6k~k^z)EC2&C-X&rY8Gxb?xb-{95tXx;Lzco8Uf zB(&=8_#12GE07OW6G9{LqxU8v)el;e9MYDMZYs;VD;WREU@ZEfl=xA>cx<0@z7;wwvR zV#ACA8C9XVkF~vLeLt%Q*CN(*huxa_Xaw%nnR&yLEL0Hu59Y!gaS*6AM!cLjSFmi| z4nkb=oaR8$#=HguUs%$_9kZOvoJf{-2uU?2xAj^ewQLxYrOSO@^bC4={-TAJtI z6jdRz(D>QY_A0Ypsp7!u6s*Kjmr;eB5d5j9+H>rRbvxu~;{C1b4r~gpwO_AwQJ0$4 z`yQ9;Lio?pxJ@TmoctSZVLfdkg;_!F_>a6M55`s7M07~8PO98BV%YTJ?lnzLIHq?* zC43l9-%0RP*OjBvul%X<$MeFsh7}PK_#y4Ii<0a202XAg&fPDVdGEzn*Zz$XL^U2{ z>)n~yk7^rpPQ6Gm*q6xW{F@WEsCXo-`tE4D1kpLN(+>#qUbWAQYLJ_|cS=eBxjaBs zBsZ7EZkl6Gx_y@_6YiamW{F8z2HuA~5g1Mr@&)fv@o*8Xl{Z26&sZ!MZ`G86K?E#h#ZSDAeTBYeb0@7b2?&q98UtCvHB=ZbWE{p{*h{Cqc_Praq)pYaPdv5wy zjna`IbDJ|7R?STVp#99HhpDEPAWu`Ke?Nx;L!#1jFiQ=_#{G8bojza5%R6DnbhJ~g ze=4bJ|gP%F* zM*N9^TtXZH`HxNq9CuXb)+>*bEHD~Y;I3mGNNGt?u+oN$JA*;?Zg+ovazgvG2U|X{ zWABlxM(?tPYvI*+2(*e@#0c_CaaudFfzJ7YQrzV!-V-oq)ve;YbRj3rU9YQEPzOllwKwx8PgxwC-I^10TeMF)_EdO(et)uO*^4np#2Do;slL<64yTC6MT}CE zeMKJL2Pxn(7~kFvmQ+t} z8wpX3+Ri?C8w?bwtxg_(<@_4a|2x=+2qS^!jCXT^T$E){+p;$rcLwn!QG0%@jz&le zTI-*lVS&{jGM;!`543<4TnXYAZQig-TQ~g19OyF&E%18IJGXf7@zI|ypc4(pu;x2g z_pSu3NElgT>I_=YnimK%M_yhI)$ZghDV@<(=&fGd@CS(m`?aMRbzJv+?P652f=Bi$ zs1V$OifBRPw{rn>4;}CZYCt7T7}AI~(c+qPWNxnNnVqHg>Zv7z4f;A}4-9~#G=8zG^yJr~h!{tB6!Zx5nH9|9R9l;N%4X%I_~PKWXJLwRtR$ z7DY+gUR%lY6@Gu^w^g}%hfvSpf;Ype0c(HCt&TVsCHEV{#H7Rs^5{PYy|IYlCpM`| zHNAyOz1{AW-O_wJQ9sAu8r%50XIT7A$y%_*$(;m{z3njf=#-7AGiHmezNkAWqxyMv zxUA9Ci-?3u!-tB$1PImLG{M}z##O1OvTPJ@VR-aCdy7G6cDLGAZ55FCd^5GMmxYTT z6Jddi_pqk&hg*`JX+;vLj6iEbzNxgdeMb`9Sl`YPa@e`n9!GR<7khoLWv;w(5Ll;Q zCTzlp^U57wdtB&rZGZ1i3rx9x0_Uu$Ol4EH--_-E-3N#4$Q9Pcu|RBM zLP9-h0OKCGtgECaxp~lK(4qweQs2^R59&hD zBS_O$>StvUoD9JvLB$8=7XIG8E_=S_K3c5yrD13G)rcd< zQO0x?qdafFQ@~eI3u`(+82P*D8c6)hMsmwO*2Wadvo~`+BN#t)DJZI$s}{C3hk|*r z{StkBq6K}qW=MxqIJd?dm&Y87lpASDkL!01E!esHz!T9}@#4suO%8oYVudqw@oTd{ zI5VcJZ;NR9gk8bgwaw3@MtY#T!@g%)`lCa 
zY&05)8@d%yIjrTBQf)~aDzQCt%-~MJoaRJ|l~969$J@#&q9Y~2C>TX>at4F#7#Kme z(kldpoK{P0n^VA+Vqb&48wlyG9Y<)o5%0!O+f`0bcL+^w#YuUB3efAixhOI^9tyRlLLUh4 zfyM{*PzC>LS-5I$SBbXWy`MX7DrGY%V0B^Yb>nWzxe)~LOP%E11C$UehGQYEerv<^ z<`h-cI`iOg(1kaJr0t1nFeV5uGe>>D9R6vbp$Qs03YJ7pbWbq0KAV4TFrKK*0LAT? zx>|4su(L~Po;P_K|A@o4Cp2TOH0z6RU#`CW%9ru+!c3~FJgG#Kc1>n%d^}vh#RxKk zrR;-q$)Oj@6=8A%tFusZ>r_2PKYQH)#m~=gEU%sn=e-3Yqo?=e)mA?4^Z==-@I~ra zz)V(RhnaJM-KVB{BfHGPcNBPFZZ1M(XtAbV?5(QMCCKOO@XMc4(0&{2ef~`W5GdLA z#5>ojUD)9hD@G_Bbyj6YRHQT_WHOTofm1E5WVwBbDOkl!XMGz;!N16>QPxOr4 zZn2=vs^2V-e9a?s=b&!;bm-P^p$X|yc8^VMBV}(vC%_(OYz+hJP4wX5pJrWhFKpKW zmBvF=&9~Rv0eD4y;8~+*)@=gKKnPBNyqzPj6P=mfEyUwm>vo|DflePViF1KKdtBUz z%Nu~^_6Z*uXA+DUJ(jX+oL1c&yM)9JXbe)jj{1iEgbYnY|b7hHHTi=K6$b2 zZ=}VkUGJ+r92P-gJ~Y-SGRKb$VteUr#>|TWAYUi%Qh``ekFh$Rs3n(HA0(JxhQJQqI zD^i4n-jrSf2!tviAm~&nQ>1s1me5OpfK&x1eF7ms2t}lZCcOpD$l80aHJ#fv&;EXW z=Q?Np@!}#ed3oOF9nTo|xbJ%$704whyj%B-KNfxb=PUXds<@)nZyNPUYf#1A{wDzW z;zcqlJ^G@4It%;WsgmI!g_E?drM-Snd7EqAdPMfChdX`i)DcK~z41^J4~)Bdhy@86 zx-9gF<&WFy!)IHfM0jKSa420zXtDdxihPWe_x4iN=VW(30@oy$ao^$h_qT>-Om(xg zSi6Q=%+^jLjbivZe<3~SThlR*L;F67p%Ad_#djMlRpi!8KExPva;zCYG4rrhvlV{9 z{FVRV5?5lweR9W|c%Y;^Xn3EKL(=xGZ`%G^g!1GWKlRo|N3SSbU+$g}U?U&B3xfdh z+oSJDDMC#I4YY(#jx~e{_$|EWN1-prW`8ELPKLXE2|4vkjjMhcQO{B7ti5w_#J8)P zZF!t4-`zSnPX~ECqEJvf|Lk}G z^3>~S3@0HDrB`4)V|7uRT5a&iT3o4`a=HElYsLk{=VZgc(d-2p18Fk53&lYyG;Iu@ z`Or-)FmF9rhkAou?4bL+-$q4xT2#byebK%WL7j4b$l(?8^_G%WT6fr+(BT@svNl@t zjo#ck=Oc~=#^d+Ouk<;dA-*tcIdU*XCkZd7K}grFcK_{M#7%qylD&G8U!1syOARF* zGa)rfH1H72e_3G-RnOGPV@=}eU9S*qk`CX#@GHc0NxRLP0Lz8?WqI-Tz%BP{HQpsj z=B@FgCTSiM{QIO>XDYY12A@iXp1u^i8@JXk-#flC;B9wMcCn4WK6!@@TUU>a)B9N= zPn8MjbNA+sYs#WdL9_G`l=DX7JtnNue5)DPw3w~l9J_ql^;$JG_sMYGuX{A#(&M~b zs&x{$y^cvaS-hW}VH40e7O0NB)``NW6$LppLtt)#n=!NCWbpH@`ZW|SE>D}6e5oIU zT>6+#)K>EH5ahrRfpBQ!&7kEN^?1~a7qQR7Il)>S1!!sKoZ{rzP- z1M#^?O`KQ9Y7W!!zEmqs|NE0_;_B+Ii8EK(OiGj$SGory(W&b@o zT|u6)^a-d(DkQg7hnKG4JQtcJ6ijiXG9NQUD>J@=L)_+AS!~=moB?J=SX6ker!8vr 
zr|8MGb5Q1JeAT`*czFXtmWC1b$!VGd{!2WT(r`ecPxwl+cXHK3g547(Z!J4O$5nsn zeSd3T^2}8r7QIOHRn!+sW7>m2FE$TgE*>i0!M#yf?)i$$f>J6!6&l?!K*CCxOrJ=ZXWN}aTRVUa@(k(+vPgI_|sBR+5 z(dqzoj~Q_Ah8E#2W?(js=vnlA6~uL)-kVcY$rQ;J(8H2-KI=y8MT1qJtm{vaF6#I?D;OQ*e7+zf1R{<;Zlkg zW#n#as~C@+*xG9K-ZGX0pq_tBm*~&GOb!>#Z64ctQk+Hv8l}qGjyL?7F%ov%dJ#-2 z1aclu*19V*(b~OO*U{zUJ)X0x5OQ{@WQjziW+xHE@-eoKj5g>XWvPj?3&6xg^psZ= zqnjrA6jma$UjsU{ds}Vken{bl{kDsF-Y$|uX)89C{`?_62742uBLXus!fR6ilu4O2Vhb(dA5h9sYNm z<0j|T2%nfu6Gxvf zb4ZI3t#A1x`r;65aTCk++f4)V8>PN|PR8P-HOzu}UoGdFtzmT^K;|yVmz6?A$##%a zrsR=7@M_m3j6o0jAm%F4f0ovN4gZa{kQqeQ^A9d`mujH1viUZi`Bw^Vf8^$VSlo|! zfUX>-uJx^~>nHEwQQk7t?A+2CyC+~%q#UP04&}HcNlbmQYmo~xaOfVb4C(gCTF!`_ zSvVWejv z{#}_2}rUUA+lLf@IuU39h4aOBV~vwKdyf$V zTHyX^R^EFN;QyFbTd@-{w6l6Qj#isb^ndjDmVRC({)E%-$D<-g1M4^uZOJ27kja>6 z^_`;%d$>$CRnIk_uLPN z0YEM@b9$qe7&;G2d1%~;*%(GBjZJkM2Op?&Z0Tfk#h^dLWZR~bXM71_j<_Lj{1W@H z2=ewMz64s`e%8GA?5$=gkbaWV@q`0Zhn_oRXg(}!3HPJ%gZjj5-ytD={PVD{z24hp z=VGe5X6!0fg7t%`Yfy_s-r@1=EC(Z$U#)ArX0{N;6nyv+IccVUU(X`TEAEE28&_g% z^6&M|-eMS=aZwRx!_CMEWFpy@bRy*CvZNEdh#Asm$W;vKn@!AinFtYXMzLA63tz8>%z|R|#PFPL!w_-9|+~Xd&lI}e@ zs#X0Am;CB7gMAdgi(?NvG81qa^Xk~$Ohv&oh_+vG zb#!^PsL(*z+j&-ZLT!U3^O`^E71Sx1-=EY_j$+1LbQ+5V0yzL*07&P zPDVyNFiiT%*H4*s0SDPf8R*1LCJH;iMto_r7AVob7jGBzAahWnZ;b8fyrk1lKG!Fo z1tbx#J3cAX)D!;fZIK`L@I19Qnd$`)Ai5Il(EJCES>H^&OXt$>mUjH|(N3@Kf-iOQ~Ehg+whnpbZos2f7_C9c;SC8}|-v zj}@K=+ackc$}M*j_WD3hb6Wm#Cl&dXb7lcBsS_eUL(WSfcM7LO8CTN2^8`JOf}L#S z45iqwDQwY8U0~Cb&mYtMbfMXgspq^>bR-ZGuI#lZY8eL(_QuJ2;MV49nVT0UIJo7j68tOBW4YN9LpvaZ!>6SvnV}0(4Q>iE z3l4G~Q_??K#2s}1(JiDUOGR2$)6N>h&u0J@O$FMi8Qh=r&v%-W!eXju9DP4#Ig5Dk z#7aE98DZ#k&toqp9RMC{N3N5`S*JMGl1;l?|_y6ga{P$)4Ke$i-zUhD8^l$^C#qrzA}Y zhT0!O`G35C$c5<3kg)lfd!43=oT=EbT>xnMos-1|=oO<4z1GfMf0$z+TL9dbJHW_h zEskGbqQuBkCsd-23jWqw<}zz5w>s$er6Le$4L10R)L$)2%lSs}jy*iy$Kx7l`e|C> zMN>j{X6X_|ZMxe;tvbJmT6bM^oxL<%!6WHlVn1EhAq2d)jtWl?7qu+ckF=T=Iy<+5 zOld++05V@b82-0%Zb;of03}NaRm2V8CGdphSW8^|T}5=q=xA zyzn7T)bcH@fsCam%t*0S6>^ox9$!5Rq_ktD6W{rPc8D?dVXz~Z6kK*G0EM!R&gu9HtkSXt<%S1o^H 
zRS^|2Z+Y_)sbf_3_%o9TdJ>Ubl?@8HL;F^gG8k}|%IAD11}eS7?pwPg3>ygKB3US! zT&&%PyX*8X{ag$6j~wJ=7~FgQHTLpjqIH1K4+6`u9oB z-II`S?D$1HpB+RSSxHB3=+gAZF`|e#Aa_YZSKy2QUqltoZlL0L*-Vi!i$I?e;h@ai zH4%%p#5rR+c=z1nL56>ySuoP?wP8JZS#g=}iBDFSnpKjZ4{EbCYuaZTdMc>wlCQ72 z{RRMLRw8EW(|in?kLubSY7(*Qml1(&Nz)@m0?XreI1N8;0`qDvB0NeJHu=7rGloapN=Gs1 zRqeIJQ3eh#n6ag^nqj&AS+syKyKS-e-TSKGMxt0{c29Ta7V)522dl@suR`HexkKII zRKAPNyY2$-AXxESp>vhVEQLCy?UP&|%kUv@$1El4^PYk#r6 zLm_xkHy2uILRbe0^^u}c>yA_L?GeiT;>4`+VJ7zO<^fupFQpdG3HXU(0SS0lK}<=_s44Sv|u=LzORz z)oU%wuO)WUhYRM|Y0MCYR|awB8Phu2v&=py?SzVU@){5rmdlS^Cq?hK0R_5QJgCn_ zyf$5Fbc^HuwpKu4x+17kxYt*hA?@C-H^A440uEE-)6MVow<#LxFY{^-N=E`)wco-< z8~NfOK#QwQTWQd^K>9W~`AmatfghDH?>N>X1}w8&ER&a2pJpIs61O}}iUD?zNaQ;! zGOeHH1|Qf=^KhUs+nBW6fCej`>ajATa0^@3uV-LAa8yv|h;|{!ZmQj0K4|)`gs;*- zmO=nZaD!fE?LyYG0tmA-R@W#%R4Rpp>xR-y-~hSYGpDl&LC=@kwv@bq*hpJ&`Eu&T zO*(Z3(;j*pUYshFQj|nfn}@2%Np`1FgX`{Suy<~+wR-!`q)$`xz)2*=tT{TWa&zR; zD8T$;v^Kr|*|7xp=qNW}@ic?Jy%~^s6Q@m@LfyV^l0%oR2fy3Wd#}Z&xuj`F3;da1 zR^DWn(g-dzAB*ZWD$vG#2@_sz)O5-tIII*)e}UFH17RA-peW(s3SPX^#9_pjG$s;_ zzw4AuSd?|DVdSOHS!4e3p}%J3Q(w2)_%xqvkYPT^O3!lPRaKBk9YZzhp+?L7Ll;7- zYQ%J6 zIuf|ToOZRZ+MQF)w6($`OP|{)R7O9GxQ9iRgVV*##k?H03$!gT3KSZ}O(Va`(+owu z@hF-xz+ldcLwy_S#D1_XHD-Fa)2=uz-GOa$?oI3_o7Zgk)?xd66%yNqs_jgFH)Gj7j~4w8IE}n z9HSbVgi@l%VR8}a5ruquCBRDadv)DAisogo7i$w1wOzVx;1lC3QVd}VJK6i8-kyvm zM(sLywMzE+r<~yym!z_}zQ6yGr_2*}9VS1S6UQ}qUqZ^89Yps~ztp*lx# z-X#l%28{Gc$Jkek`(HIFFkJCyc$c#WWw5QRUpRJ+gnv9>x3-AoED8q&HciB0&x0u zetmbal93(H?=UQ;O9m0H_;^kCbbEJ8nx`6jB6_kj55zo}W9lPXa)P8P@$Bp39m~j_ zPaF8s=nF>j%geT4!LE*1h$D;BX3Dp$<5{xdPcHvlHXnFp>C{5&?vi8USDodUSZn^ zo`V6dc>;6iF<;$)I&#pr`vLRL@&1a%cEv#7p$=u~W?l7>kAxdMuh}mtyA5LA7qKll zpZD~h@GwZ=a%xkk-nDT!_Yx9(_&7^2u=E&n~iS+cMsVL%}vaqW7 z+na~|rDF2DhC(c!NLY>MD0t{I4?*^*5T)XacrJ1&`9Ru$ z+gMzpfU%1w9LraLNcDu5K_PH@R07C2!Vd@@lkVF3*#}QtZ7YWs)34}>=JDT?9XVQ; zVOvUYa1v0ME~JrWdbm(789vu{1`A0k2V#Q^5tYt7 zqWyWLJEhbYt^SC=Xbw+RM)gDP_|_x+?|Qnqq-NS(mK{PSd@6L>Bc&yzI7ydA9fZt{dIn 
z`V$d>ML^heiaNR!?tfg0-+9-An>&0m>C^L@U%ig9zWa=yv^m6Rvmjw|;4&SYd16R? zEIA098z>nYdwvbr*P4lw@3o9C_fB4RxdAD!gNa@*jTw1iZ{9S`$HZ53!$2NMz3M#G z%}T04BOsq$CPDr%u1fpmUQF8dQlrOD3i*6 z8|Cro<)KkvS7FJ4Us{2bHZUIDwVK4#NdT1wB&;I&gk8J5)CaMSL*o8r8#84&(tPRV zo!xa$l)`XKWlJZkXmU*n#a>JC!H%mLxW^*Xbe3`m!Z~HZ)tSHx&YeJ`b${ z%gITt=G}AdS+fd(OPQ(GD4JP{wd{j=pahAyHhcf6Y*5?xhHK^7TK?zl17e}>%5n-j zd?r~eF2k_e*+vOOeQNh^I>~((F&*uq$LF0|8VeFH!!geQ$2>=Omx&g3S58aS@+`0k zqC_p#KIxL3`3K)vv+^p7vKu~qvifVy5oAhF7j*uTRhv*u+-z?@i!nULoJR{B6Eoza z$AMXhk?OtU#RD`7@k9SOQVVz_ID$C2B=qn{jTJ1dENjAER)<85D=NG-rld+^XZ&?6 z4qB%8%$p$@*xvz#C^ipSAf{x&{%0ax8 zMntWxy6Y-%d7_oXdp^bKg%F|qP60}QB8#e3tWKb5tYWA!lq`P2VzzGjhEfI+dkK<6 zzk^#J(?>WZY)`zYpPUT_jxueSGLeA!9P2_59aI<&wA4B?Uh$|5sycPs(*k1NzKc6m#ed?)7 zH5(|C7c)pRj7!hfW!uWY>iFk)sh^9&%&Lho@G_5KY!QJkU{(oo=H z6Ya*ZU9Cq~XCpFNg<9ImzETDNuB z`|^>)*j|l+J(KHt@`O$RM3(*Tf1ow>P7!54f1sm)%TIJ=8E`7MC)=$ zQqEHr>npRf%J&y_$ZJ-*w(1tcnsfLB^9?DXTy%Z!A~6lr;KkX?BD$w62G}7#zOlp0 zKLwYJ`CO9iIxY8!`evWa@Mwo9S28|ViHO)4WhwIriNR28$Z41>ninFi)wQxQP8%ov zYm^v*baE<^uZZbRXMBHe_i?F?#3V+p(rnDwFkxs~&vuMhHDyI zHYe(cfg;|F+hgi-@^@=Pa7Z%J-r(^}otPAg{!^ko_X6zmHR7o9ajo~EBt7hgio9GOOX6EMm zr*b_(*Yh=ki+5Jf;*DiUlDPC<3io!HB zfoEYrN5@B1VHx*Di{u@@&+aDax9rZLx%#N`VOpIACby7cmHf`s^SlgAR%dR%xvMQG z3(B`d>k%jBL#q_!c>}UwFqgD=>=JOTnCjmh;H@iH9Vz10d1;LoViUH0V^EwyvOu0D zHCTXe$Rn~hh8wr>-paTqL(zoPnKe&ShQHyWf=+8s=svO-o_zF2_Yxn6Bfy!eFQ}6v zIzyAQ*DJuf{`;ZsQ5SB=&K8U(jsRMR%J47hT>>Q$YVYvdp39bG%Xy=KbLu49Os{H2MSIO{6Pu*dKU;h3ey7ddN@=rZ7Z_Eg8Tlk;#BQ=ORiF)r!Zf ztu${q-K=+u1{fb%_nOakWg9t491zbL7Hbajw-u%45sSiZk3bhUu+kbo6=gqdANFl~&W@nUBj9YM z_&qaMrDBIq)}^;(4?5CRd8BmGGoJ47$6DAM87&~~%EfpX7DJ+bNo{Qe_S+KJEW^ndL~!!ThXw_V|;xV&BGP+doF5qL_lMG zFZEoAjg@pX3q#vL{`n715?oWxyml%hKA_0f`@!&8W&sl&7fkC&O7<6mX*TC%&#U$i zVIOq1X;y%vO;M~*XFpKtw1?i;=}m)g*j0_912*c&I)0nZO^)r=_pgQSqpuD*dGbo2 zdPScmwC(u?8QL6N>uAO4|7Rc~PiY$B?u76LJ1O8Vyv-6vAqEot1M zPI3_nGu~Bn^GBKU|6s8>yTh&ibFstxX=6ifs)kuiR;ZItq**b!b}C_cp2a#e@ZBbp z@L7;bD-;(1hL7gmlLOM)M~A(SL)}N$dml#NG2G~wmYD0sP;Qol))FyZ 
z2sR20a;9NQM(&s@jiDi6hS7+8CZL)ru;*I#$0rkN8I~pqG(V3?IxS=i$38LrqJkP} zR4od!prH_;Lw1Sn$Q*_Q4$Rp;!4->c+rMOnaA0w6|>mS)R`;GR7LF`Ahkzr84}kft%=&n8wG*`uz`$BJa1yZ-J(@gF$jwm8X1Y& zy(~ibYz3MtzhGJtnw%#@V8HSOWOyJMig9f4v@8~dPOc&qFyEg7A0EZbn|>WJmolvO z#k1dS%wK;tb)QWUoqsu|w@9Dqg#eZ6U$>vIi(WjEfW`wkeD}%={s^`PEAC1`!-~EO zS}T5o(A|=q4QU$)_ng%@M|nig&;=pHRF!Ms!#&nykIVNuR`YzFnh@ zN6Qp^cF>(W-S)U^!E7J`d-UtOFEe?Zd+F(3PZo+Q1;_;6<_0o}+hCrB)lRB{-lK8w z(R+NPH{1#fVQse;LnNg={o$G9xjRXbAc9C5#{q}@7&^%&hK>ojV)>xGBy}mHK}n*N zE)4<5oCc+kT%M{^nOb&=R^s)hflEfO3~V^}C{6Y84=gP>I81b0PUUcAwN6WE%#u?> zREb|{o}E=>>VroZI=v$38H_$O%9)&-t=u-SJJXz{94IY^R>96PBZDMtx`oFdYa55J z6AR=tk3}nW9LsPYR2cqjoA>#sB|CCy<}A*dJrwFqy5sA}zVRy2I>@HfS7wkyaUzX}Ncgjj&v_LZKO~wA*Jq z@XR9__uFWe(6L!sK3U?b&`#37Az-s2P*J<<-ojU~k`;z7&D|s2R$}Y7k`oQs0=?9W zY@j8%>rQ2iv3EaW7Wpt+$f>}RhVhp|6Tu*6V$ z98T9HOU0NnSyp{Og)JHzZK$7V%>%aU(?%T_Ib;atdm38lEDG?Y{52XCzDESTlzDu3 zhFPhYZFNiRy~l$gEak%*IrRnILCJ3+b7e|nH)l~DV%hg~Hpppv7&-}s%byLl*AHrH z4*j_eCQl!rT%Rt47pSDyz3$unNt6NIaFNEZI_CuNwT1wLUyWQ6#e+zx62lXoXFLpKHMHh;jT zh$dl;fvzYB`~(P98q(O1De#~TJiuzqJnGHLwqqi;J3DQ<{E5#yx=MsX|EZ zz#BSns}v&Wu6tiJ@wm99;&09*j*P?Fi`?_i(ys^X!LO|==LB&~)?<19{v&E;x+CdK z+7iOWq{c;cw#i9;mv3Kw9m>SyBQ!rUX`&4f&DOgOKb}w1uD>iJ{L0N*1y;uK=fG5b7RJhnE_KFqOl@nHIu1BWqN^9zJ z?um~96u2)LESGD%i&7M%X)L!PI8)Z&lAQMmP43x2QXc!!T}bseIy+gpuJU%Li2LUU zyANGp+=;PP{3@EudYnEzyLrbuXl#?7t2Sv!GfYLko%x-utftFWku3;(Z5Vx-(XEpb zXi6#IyL-s7sgt$@p=8^e$loMv`%3t$v+#z<#FV`AV$K=YZx{D4-Eje*rO%TZ2y%O> z75Eng9KULBH07FNyCZBGk3?tiYZP;VPughBzDrKLBTG7A?|Qu%WM^Dsx9+n|P2nlo z)yF;n(mXGJupdx;hdgrC`o6Vc^yI>WAx#L2TxE5pgpVu|0cqC(Iv_PoK`VIljY!K& zgj5{^ZlcC4kRkIjYM2|*=GvSeCt+v6Vn3-sPxXD}!J@F?1W4d+whz4qa!SJ#{{6_S zSX3EFJp{8uwLWh0sWl1UW_y-C{vE|iD>?kOY>QU1wjGh5@X81`imgih`#BwB{S6R> zVn;+PaL}!1U!gUw`<~Y|5h^Gix5?7HmbeX5=^VpDHfi9^Ypvw722Y+^ z3JFCvU+32F&&?`VDvFnM9KFdM&?cMdc$C#=RUFKrXV?(_Cg_oF)3f-&pb`)1zVhv>i3AI<9N6)lx38=CyuRa+?U zj_DkzSW=PY?aEN+-PF98Af*_7Q5%^VMq1*3p1Xa7e?0i>dhzeKIeWBMf4TPC-fN?B4a7Df>3-NTR$fHA*IhGRLM6_811L2sm?G2r#tGXklryH-Ba%>v>Gz_ 
zSdcGm{hSyG>ocnM+E!Vr#GoKW@~YJX6a5?bt* zE$RF7>F$D_%rh}=XeH{__9=yP=!|F+N13MAf8@}EjN@4wE)t)~>C;K~yeI>;`oW2Q zuk}6;q4ZqAOkV3Blk0zBzE*+H@OQjCYU|!u>RPv4*rV1!$5G%MJb<-|@w!~}&Lz|n zYriv4yUZcSu_={zIn(}^8g4ls)FWAK&<*^QouNvhKho#*-D6hoHK(nOmqlk`7Z=Z- z=hu`NMfK(~EEhK_vnnEQtLm!r`b?W0S+!iln|ZNHMT!`k!b1CB63_!08ty=oLvwgkS&PzI7gWP0cYOY(M?O{`J-HQz^)tMn~(^ ze!d2Oc(sA&>pOcz^sSmL z-@Eo}UmiHV6-v^6$j@(@`JvA#L$U6<<@JE;=oD}Cui9TVA4-*uZo7HTQfDeCWyF4P zid*UF>K|KklWEbm_N;GRS)*nT_Zv{CYZpa9t$C;6sco>#{N0Rg8PGP5Kp4hsWdbQ@ zVXf()%Cmn?RQkyeKK=At1KS(kBbS5S9xRy;`Lhe{6D(|NOXv?0-pV?9xI2ia`LE}W zHp%StnQkge%YONjkN?+PE6dX-bK}lS+?V*vX>pNmFbg5dMMeM6KmX^?e(1P)%}83w z_MPot4*nBfpr^-)%*NwS|K;Gn)L))eIY;+hAphlnJ)=>^y*B3kvgliXIbiPrE3AfS z=|lWq&gQIYVrA)WDfgIs_2WdnKdoToc~}ighh(SFKfUm;!BE$p?eK}>g{5^{>0~?f z!|(sJaKcKk8XezmPn`eL3-A$t_>G7PEbYQfhQMDA<}`}lyVoY|x4?F#zg$|gcv#v| zvbyHYAHL&HD_A9Zh^1ROlrtsfPcQuOy6E@*z0v--)_-rbKWtk1{|_7OV0R!SWM#WE z@8ECz#jZ43XS!H6mA{MZ<}>|_%uV};g?#GAXXTIEHL?qy)uCd$B&gBkt~~wzO$fyA zckWZifZHQPn{KmY4upl+K2}MNKVJBMfBx5xs6Ha`#*+X0D}Vfr@I#0*HyNh?H_=^= zfga~s(-ZjPlk{J67ys)6S=r$EL$q!E@$dQXp=4bBn$h1E_8;r=_lo^<6Z`zV$Nm`= z{(dU|6W$gFa_y(J}~LSdF9uB(>3}Pu1fXOL#yL=J6(hD~rdy+?R6`aill|`}^t=Js zyiWC8il%d5hx$ML2*(S#2W|!2;_hsN>0yt~{d14~w;xfZx0$DhTGSS%BuP%Gd{Nc zPDffaQN2$3?Vt_lO>}`XjpSa4tbfC}1#n;Z=5NcamcZlkrX8~l#ylI{znn1ZuAreE zG&HjDt)h^m4cX-4OM=M>X=1#WP~NA*p}%Kc4n7nCP6w_{(>85<0MawRyTz_w==dl& z;c>kD>x=n!gFQB9%|e&n1X4bTpZ{^KMG%8u?cxx&h89WlL{syKGR;_#8#(Q!kainw z?UmUIqBOqsF3FHte!HF1MD0f}jGbNhp57?usjNLSv8|>-dYYU+SuWrE4VHy>p!3ie z;~Tc_-IgrZNd~(}m!1yo8vzn4C%(8*uvo7L93mQ_>4{L5o-Ukkw(}~`NociH6f8pY zz&30E4#UIv)la+!r&r1bsM$}atqlce{42IAT_l=|w<%HIMG(AOerv-ee=LQrSEFX- zI$?fbn>ui#UfU+`a|7f+y3XK(JpYxwvZN1Y+Kjw5+2zXpEI4Zzuc)w5ReDFaea1)Ly^nf$`eWHdER9 zpGxjxrbTv5a%#C&z| zS&$eI9w}Hkmy5A0r%sK(kl!4dhyPRg5i`8NkIhu8*jmcbOtSNBG*kRS%Ax`p^uny? 
ztVbhAuDVd@`g}bS2yNuPF7ZC^hr1X+R~{6n%X1hry3T5_(xLXd+owZ!-of~`j9%I5 z0T`mG_Rrn&;jed=V!0Vfl?(e4i5Q*W;Z} zRQ)Le3;Qv&NR3#J^cERj^~-5XfyZ(1cUG;XuZ|6#FM_rzf0K9r$hpyEUHP40>bGm) z%5ng1{2rvTtf7H*0&UhtF~f4vNvIs3>6re-R0jf56D?dmWqL_KezlreDjdBLGAKMm zsHBoA(YmrWJ!x`F8E=h?b@_E%U^>-&z5G_*M+{{Qaj74?{kbT31{`B1jh^$CsoOy3 zI*C4Qx=S#ZW>u=^42pv!;mnUJ#jQZhTxfiFhfB-`NjLwz2+g*Td*HTK$eiG*K35Wm z>GThC$iYN{OEi*N4|u1%;CJqL(VcpDfi$q?j2=g*^V%D+`hd zTULI!R06uiEp549*LL2b#_2usXTxl4(Kg4pM~Kx7qE>+G(*@FJ+QleLi}zD+9`q!9rWoF@M~c%IA#HM#-*zV*`tgLrK#n zgG@HOH-5hy!1#tYx49))!-52hnk!a&Oy!nGduTj@<|O$jZN2S<9HL@_JbO@AE}j9- zko_?<%}?-{uzvCM(e8@1W;>znCBtnon~nV_+El-Adi-&-60+P%X=~X20li{+w;Xo@ z7QeePqw{GEYrHD(@Pe`**#@W>xQ&ESZY(WE4+X1F#2A}@p*-(AQ?&nM%(bnKge@m+ zcvf!r+W2V4Z**=xthP4X=$&uStjN#*Etu|b`uXu}UH*5Mz|V))INNNA|0oG?{Iegw&UZfB9Exd{8<@3 zI?}ysPA`Y(Lv_Mo2C1WTfa^7088yH(*!;cAxO;& z_RNfaQPMB8B6VsD#;mOc39ra+FUU8l$IriWFPL1S(XH6>yY{IE#$y)yHV|W}Ba+q! zGh*EWC_KBrZG87-FHh_hYBi@0zijf3wXYzRmk{c<{)A2K3#nokD(#Fd+Sf*P&Y<5b zgQtt?aQ-b$er??OF`ap9ERLkN8OC^`Ivao{_k*Lat6b?wcd&SIc7r{RO3#%f$b~0h zFiZ0-!kD_UWQwu2+|$iro=ek`SJh=B2Q$dwI#wADKpP0#U#3%x2(pC%pn4h;LR(Ola~mlCrqEgF1;NnV@f*CMy;X7WSueb&KD~ zcaLd(Ix3<+_D+e-7V{(~s}xl>e}yy+R{Q6|!pOY|aP~P&<<*B1%SXk|ImQJQpWCbK z4{r7#s`V@{bFtZ`Eg?a;j4`z%M`o6Gz_Oi}pLr5Y>Beo@L+nAe-sit3QfZI*mGuFH zE0rvX3D-cC>kUAH{%}@Qi7-n$5vjWptna2+l4&M=lP?(H-n3%xchjd#w1Qew55L4q zZI#Qg&)T)Pt~E`x*{EUPax{pMsQ4a;JT}lTl;nQB3r|4iWT+|M)h*udM;5%MH0TWq z6O9Hx1)8d?ljLCV#aGA?; z{OkVan1&{2tl#_Pd4zq}LSh%?%BLC7nCg3H@~csvVGLHYT|Q!?J#brnPn(|>Gp_cA zRZLeo16hq*++{jk*H$v~3eIgx<>^<}5tz$lCxq#j*hMlcGX6Mp*I;RVSryNCpTZ(> z0|d$B*=&g{19fc=NSvA@)^4-5@D{3A#F>8>2tO%x>hXr$H&;e2#{@@mvvbqs`ggQL zyVPRb)9XZta0OZIaLRdj#yn(j_tiij~9Mb@=<#kre=Yg%50wN)Ym;7PI75U;miw zUmT=Mi+6S?wQTlQmM(neSn?F`#s|MtHB^=-f+}_HbS9tV+S%A|d?Xtk@vSMjQ2P%I zD=aY7d!@gXC@_02*R!y;cgKUXxn!W{V1|N8A&f22j+R{%3V+SIBQ^Sd8)8LFw;+E3 zl8Wpa;^=yLYb?INtl8=k_j;`G+~$HbuYlbiTog%U!Bt%M0Uk;0A{7d-QbwAqaJsi_ z=o&!gQ`!Ht+uCtE(BD5a=f;lbr2-T91^h)I23efH_n1THaPl4g9 
z@uDeskA{wA%B1H){T|q-Q6g8_hR}^-A8N!D>_>Bzj!|LkX|91jjPnh~T+$A)`dX59 zSW>X{!E$pj``3_)k&U-QpD0TiAM}Aa*9eXL#>y>9rAFg|CjT2pvL&Ml#nT}!%6R43 zu7l}apQRL@T<>4JRBacZ3?tJgZa9)PIM@GtM^Dn#Z;$U8nPD5dcv6#c1s*BkV|2ll z!|U_i5X*%s3`U+kB^`;Mq4CoGCXPFZ9^%v>a_j1sK#Si`!L4fU+i$wV;GoZ=q=Vq=pPF z`J7U#zFEiY=l!$-?_PRDh)BKiRlPl#XSfz=^K1z(o6iZJ zp^};b49cs$HjI}cN8aE!vSa?NugPmZAkuO*8M9?O6SEQ(dbQPPRCnvk9l3S`eF$ZC zh$Q=hUeTRTydH!kl^M>zjd;WHO@jGY88alZH)@ZX>(>yq#C1nwse^muwe%f7%E+I* zI~Zdus+*mqoe|3eW`>~&Czv7%P&G?ZQ)I}S8)(@Z*q6sn4kTx`UOpVcyCd5>on_%U z)vY2r?6)2{1=q~UL5W7uKVtcCTRIrz9G7Oz*U#bQ;FbL!s;07}_Mvy@hbB8&5jiVm z8+5RBhgrIV&Y5@`(j_zC{0?`G*5Lh9V4v|oW`!9tFWZUUcRj|(%rU{%(_%MHexs)~ zfS-jzJ^a9Hdt)F+-q}-$!Q5lD&&()>#TKZMCvdZOs~tW*8Wlk?tH+?5DU_r3#Eq48 zDVVZr^>V;{b8pH&U_BB({2@jk04 zZ*Dn=Y05Or#@xOXB!swqC^e=m1TIClEkY&wRh8{Y@wEE!xN9<=RyY~M?_RSW1JV}< zvx*z#Xdw*CG~}*rppJ@}9l0wQM(HWuI(5Tq)gBVc2+(0Vf6&K-R7eiYyyVnT_!0Us zdkHP6fWEsCU9q_& zaJ)g=$jsj0zd}iJi=iBDNb!}ZB?b`=+oaW8sgJ&^_;M{YVe^BD5Se~_=|q;~s7S(E z6aO)TC!g6~DF2#!1-|%vwt&S8ji9;Ic$KSc`Pgi{6*23I$s9--5C?il`==a(5L3=E z3u1d3^ze)V>P0ajP9K~HefDV7GK}>!h;*rJj9l{8zLH~8z#(3L@2ZYwQCGdvT%1+! 
zn9P_Y;r$eCT&ia6aU$uP*eUC+!UTd$Ylc(Ki`^>SoEte$M+BP5*p-Y?&qm#THR_l5 zGrFUETm35)5{RsL%nVo~zTX6o${c=gir<^1xb)(M`+r(%Us&t&eYc3<EM9E62e+h(Z$@3Y zIZZKG!H>QVT47vp@Fry)?>2zFNKmb6MnyZei$|<%$eptC{qo#8V=ot9m6B^@uEP~b zgvc6KoSf*|pTA^ejj26WIm|VizW#2`4lGc(7dja^SU;V=djeZi8XsIF>4fI$Hrwh3 zw8O1?4KF)ZD{gi1?s!ku{qnqf#Ny*Z9>C0@9Mic=SX_}2;&@;$?R`y0lSO4;M0Wuw)&@#z!jVMQ>GOO)} z(v{uiGtla5-g7!*Xc5sF0B5v%2D41MTr~ee-LxD8-bc3rUvOhx_{2fref9l4W;rmb zJJ?7&Rid5GbJMXr@}0?@m$zBoV8U#>3*?M}(4rXixxNCeJua2Tmz-;QB2&n{e4a3U z{jDz?ZAwbtBe0Uf;4BEe2cD{l`3^$5`6cs5mwOd9P?55*$Irr+WNiL8<;vY3cjoNU zn`FS@l)FwrYfRB9>Wl{TVJWx7nJXg@`rBf>0l9|^n|jNS*gp- zwaYq<{)bsK+M+=&c~)Z-O>5}+jqUmmep45*Z(otkj_G2LgD35G0D^iw!0d5>0T(r= z#P&gJH?QX=g*@`MWWI3pQnGBWg-MbV3eT_dXtrp`keRG}5vlEawZ@1f(66zZTwu2) zOg^>s2WLbgtmQ(2dw!yV9X=eL;4kb|&PPk(D2zzl)){{W!8P}d%@nOpQ}$v?*By^1 z$l%`Ss6c8TMEx+9~1{jQ;Te?I8AEJmH6UbQj0RaJmRP-c`1WZ>K8a0o` z1`WPHGf0P4)V6FIX7LJF%scWBCDN`ME)LQ)%uL+FJ{%Ae`qU?2bNA*u1O(EGMo_?L zo&t80wYH6uaMp6bK9g72<{bmL;fk`<19Sp10^Dkml0hxR9hEacOL}+7srg2QwQk?T zUrLdF?#=bKlvdVFrBMG0EX!K}=6!Fbz~jJ4`#9uA2K&>(MqnPsNIIr}{-gN(fiv}w>Fp*$cR=_(1 zU1<|!2U(>rb!YSC7mi$h@(%n^frmG@%yLtad2rQl9@h3|`eSTIQ)O6LUJzE%lbTnZ zdK~lA7GfxR_U0Yfrft1FHchtD;+&ePJ>DT<9;V_H0}5qgl3V>bI|Dsg9>fR{_}1m{ zJ3kLIdx;$@AEPy`eZ3h8^FqEAR?W3CWaU(W6q%A1xgo{;ghw~k!hI}h@~t~sau)PG zHZ~^jdR8FiWtx$_=LBoS{V#apsU0U)8#NF67s|SvdS*-k<{~`&8*^GKqxq7zim&~W z{BVp^lU53Y-}_P%;}@o9CPU+5DR=W`E!k^Kw`L@5+{Q<+|3oubw^65Z#M`t$RP z>bLY`+1;GU-GJ4xlfVB74r@J^-7{c@ zBMls64LJ`}E70&iv_^6bLMDykje5s8rkaTdwlS^68jgJ3q9&dDtvy;38TAmiN%R0U zK;6ErdCSdPn>K7pSAK1?x6Iq1-?^*!lS|`#Z9{Be9gokWI=}T*6Gm6wpi<>_P3?;= zyYfV<`0<+uWCyEx>F^K2BMYyV-X|3fMfCW!n~5FVKTtW$F1UEawFDiLT#l(kQ~5kg z0J2@e}3qTw5TR#Hf6RZh7Kw2?^+sC z&UbLP3Z?sl^f$M@fqN+DJN-3A!i;guy$33+4)Li1D$H6U=0?BKzu^|~rX`u`IibTf z3dWmwW9{ri<10`M*j2X;mbV4=mJsF-ti;#NV+(_9OuiW!7N36$9fMKO6_bgSo0QLt z2;6fIl0#g{(XauG9NoTO!{pt8vdD&<&w4t7pDkR{dPY;|i@A0y?qwRI-duEE&2(m` z@AldE;g1q+E0(5Y{-=EY4L(ptcj(sIQncZnG){6-+^S4=u@*mC`@ znxglz7V|OwRatw^s~nL#?h{()1Jg83v@W=WoNh7Zqcki&j!?-&N4!au=plk)@4_O} 
zJIspgjSoE-?AbO$)v?FRDzs^x{!q&O#-pIz`5fC%GJ-M5jBG_kV+sZ<&0taV%sKL8 z^_*d?p1(1@3D9o$0D55m*~0RgK}z86cbje*GdcVt(yGaqrq6-^DRaHWubD=7U_Kpv1oEcRkStx+;5 zplW4`9q0+K{-1a5$F~qF!@R&I=>0^e%?gM->q@^xsEp>2=yXkKPP%?!bz^SxMloD- zDRXTf*4ke6tiP7sX59_pycT$z241>hJq44dm>BdmMS>jLvLQT?#IE__3FY-%*JbwQ zi7W>lk5>m`?-3F6&F%}~yb7tA0rJbtJd2VuQ%;gQ}{FDYg3)`4w&!5$Xq zTX$ZOvhuY-!4=cwcqp7l>n*V3MbX$$&Dje`N0R92 z59j-KE#--a_nHt|)}dMYfAwBTLR=^>@8GxLvy?GsAiI;~<&QR*AdBNBcS1R9srUn0 zDe>h|4!e}sJ<%ozA-OS41iYr*1=Wmnp>Sq!1lF9Z>zqA=m`(3_LED3%=BK|6v-W`~HCgY&c;rn>g-oI`fM}TIEa26Ra8&BBX##+H>GMzb|NWJm z%m!Oq#R7p}mLv3wgS6uk}n_|2LG!=%_@~=MUkDK=2 z-_^cjN1vi>)jvo;;Ca{m`&qx;xPR~0e^=bUYvOm}_TM$}|J|CXjK)AhgN?eUlfd6@ zb;wp0_>DQpCW88>E>h3fbDnhgYd)mUrL z;TjI61%6RftyloSDlz{<%$eWb{@)+@pT7WIt8w2P%0=lPFL1N2F&r}&PjLkP_W=FV zcODqPMxWv1_ZL~fU;d1`9{@fP5G>XF`=jW~9|%zDzZdr90Q~ok{jp^KU1NXLME|~( ze{3yF|3BX@NF86xwX?ikrT<|A4CgTiiSW9SBZ8=Qn(~>LN81YO5K-$Kd^d)#24a|HkW|9PVq48A zV2;NKxdoGb!SM5kEeihLQFjJmV*x&j!$^dY%e z4yLSTIyqJ&I6;#zkb*H}TQ0prdv=1L^)~7;YL-yn<6l{z2$mjMZ1q3SMJ4w{kAAt(s;k)FjY6!mo(!+lqn=l9q z9F7?f1%?%PCFX?-R{nxwYTs6>IiV2>#SCwq5D@dKH^Rt&RZv5Lj5xx`Zi_gsDnl$0>i^zi8 z43W>m*8l_2CS|ueo7jAMtMvU?8+;w{NOPUcw|#ue(w(RNQbgEa<376Ddv0tFwC!q!%P&(fw@ZB< zZ~J-gbp*3*RHGd`VB4tqcWCw+@fvpzW*TVD<7|Y%@*q`b2(#8V`fJ&iJ|qu>ao|6il}Z`(0npoGhvtY z+)Laj^N@f_NA2zjdqEd`kP3slo5}6)``5bo+(-)fP`o%BjuhAe3hp#W61W3gg;S@>1Mz$ zwgpW|L^}ckVm*_Oz@WXzbV7E7epvd=O7J>lI^jy1By(@?`N0Jbx8`9g$cb=PWr&K_ z3B(b3AeT^w$f9PDn>1!(QJL^zYsIg>yTvQrjE}@Yv_DRn-EGti@VUa}I4sQO3}6Qz zj2i~ru$f;+>h4P$>aLoPH++GE-j;9WRX+BGk-Bkzf)lpf7|zmb z`=HfDy4i||O2=9?Zgi`ix$W}1U5SIYmfeUHfEG;R{i>%RH#cV*x1wBF-qsfIO1=pq z;6bW5cHbAGQ+XH1aOQ50;=gG6SD7QL`FX(jkZme!kO|q%kX3mBQF@t|J|p_i$gE zGrRQP<{8zP7T9oZbQO%K=pviOfvtJ|Y&R1h)!CiZ`HRhY^aP2prTfE*#GWKTj*k88 z*&cgR1}0%~T%(DglR+Kg|ACyY9<;kLU;{M_1fFBnGa=sRWaUkR=&BqsjT3<6ra7sF zGhz1n%IxZVZEeVt;;G_h(^Ctx%`$d3GEfC6Of9jc3+KkINnZ5eM%CeqAVI|!L!8fc zo-+0vnQ~$;D1*nGWP&U(R~k9X*H?+8>ijL|RZUAZULaFg4L31QAE&;10nHX z%gDg~SGB-ywd7lV}vM8+${(z)cD0krH?SdqOdoce>G@?lRi0czQOL#^+b{dm(a$=dgZos 
zi(O;x$O-g7%bvy3R2dz;i>WIYp7IFzz}LU3vDuS@DWUAv@ek5mdp zy~=D*i7fF46TSRTu(^*#q(A75(GcZxOv9lamd?pe1gG*EV|rP`$H3^%*wTITMj1=p zMO(Uf1ylD`QcT;<4dxH9L1pNs{J9;562%9_GpW)&S*QY22=mM|spcl4>g9B2f3TEH zVy(E7BHy7RB|4Y3c?xt&ACsYn#N2HvfYT z6A<^U`a|-~Y3_$eX;~)K)`d`cnQW$#kYClxa=PDuTTd-%F=&d-lN))2qKm9S3NCpDf`dt#oKYxbk*|p3D*X zZ06MaP-^pIqR@|kDr|`{S=p*PU*`wRpS0a#li7KiHk#xYZv|czkff>~pK%On;XaPq zEbywAiB!S4TiTs>+?ynE=O%OH>CM)eZYX=|dN(dQt(}|`5rp86Mz1A<9FJ1Y^& z^%yKlA;LB_ULdk(@17p^;*$w@zP0JDwy4F7r3vBjrLrNpVNv~rB*?A=)2 zt$qUIwm#2!diIjo$N2Y@MOzn8oH#9%6!%W!u+>SkS^`%#uMwh~;1q%2nD2%W+0nW0 z?c8!bJd<)W;MP-JMmLBpoc!4$R5tFTLIxw#g~6gL2zHSZE~xeV!b}Lt7=4(*8Kfr| zbGzvG8(&Sw_F6FYa@$rm60z(#L|5=lVIc#x>*EckOA&QD|LlqzpHW(v6}2HI_C?>S zl7xfD>dJW!({_5lN2m-5PP9z1m=DW1@h*OGdXgK0(VttWY(Kr#BxB{ruP`8a?YHlY z3?wyeJhGB8rwSsGTJ_Ag7o1eTBi}EC`d4`|;!6D|uuhs{(bF%^3KF4Gk*gg?s*>u$ zwey=7GT^;6QE*7WZk4PwIi;u-w`4B#o#KA?N^I`b6cHWK2y&q^$9d-;ts8IR#0+zS zI?qYK;ZZBcd$k0s8iolW#VN6J)33Y|B9ogsw8d=X)UFI5{92xhVly7&PQwhzy_oT^ zWu-WTPe4Xn-!Wqh*QAlYkj9x+CS(LW=`0&QA(&s@=%)P2+`*ZX{H9ic8RDzADB3N(lbK0k zV96Au@dI1qP7%RpxL31TKb0ayO;2zmPAr=iD>}JOgE6ah&G?2(`gq_pRcc1D7M_D4{hde_Y zP{x=DN0T)!C@sK}fX@{^Qlw|%T>p!6na7+Ck4My1y~ABP_S8J*=2bU?z|MP7gq~IZ zbMz5Z2%eQv0|U*)6ssnn6p5_t&+a$8frIQFzeodAeyh6whcIjEe($KWdhtH;Z*}dH zn%Y#ZHGM2VrQ!3{UwB|_hDjUprJ4tykTX*%(f61sqsAH}>e+B67_E$WjLPSky}S>o zj0$#^`ejeaETuu8hPeWhvwi5Ax1LEwQtN$76dH=TG1$YygEVl?n&Vy`vF)%v{#oPs zJ49yb;1E_Dj#ih#stR{G1jg*gSlm>EcvUr%0mbB%YuextCvQ%hna`%{Z#fvJ!mFKW%D8GA$C?|us)m3!;+*h zh(V44%;g;io_iC>EN>gj(94~xM=6}ZugEUoQGJ$ULoXnG)#utBW?$M($1PIx*^DM) zw*RX4L&xcEr|Ut}LDsm=D`r>=$BTtfG}=D$R5}`N3+^D*JTlK6!9Hg^@105*lQM?Z z&eggF|KO$7EB>t|Xr)wR`j^{9=M=RjoL~1l3wzt+L-5aaLh@)u**S78RVhQK34t8H z*Lda20s{(G^+iyzV_Yv{PV@whny#uA~_QyFiDDjt+$ZK$ZeSQYD8}e?0-B` zr?^s>TPhIX@)Lu1L_Ix$Fo3AodyeAHDD_{yN0^m=eu-wLcbK|2Mm3WaG|Wo(1*t?l z_ZqGinkX~D5}c?J6Q988OqC$cHDT_H?S4p57HrCSt^XjMQfjWHS9jv@ptzq3nd$+A+`H_td>_J=4XI*7@w!=cl6_V=O|#FnQLPWkYN#=iYl- ze-6DuMCFOn*YB(J7sY(GQ!O^-3n(rSK)tdiwR>V_^I9e4eN08@ca<_9Ia@q;Eoj@X 
zt^=nv-)VC^VpAde2~8@+J2Q!h_E|6km6VdNe$bcXlUE)hGh@_25p8{zQAZTI-9txj zOch#Hi2s?KQ1n~=BIr0JEe=5Cvfkz(&>JO2h44%nZ2>Fez@n!i(1r1^0AbL9_J7ncG7$fS4bCr z_&!N1U&xbB+Ozu2j(U_C9yVLW#uKz8$0*4Rf$?m~8#WkJjz0H6t=|(H3Emdsf+Y?4n`RZli4(`{TO!f1u$En$_}9dSH}q zG|gbt@(0k$TZnp$zz|!;z7<4b)?UQ#00v&&rB2cmYesZy)CffqR(xYEIz8ql|!%755wpovBhs# z={qZ*Wvh@xo%S^xqDOBNYN}Ef^NaenZLkab(MsgSSB2<4StgQEHJvaa3kR<_B5&R? z@{lQ2ly?05CigA3clPm}H^;Be?dfx-ZV!ID!6e}BJb4ZT>7>0dtb+Wb$uqNPQHu`g z7DiuY^mddcwc*=&fxgEPit$+T=q=2Wv81@GTdQ627*gdBMh)aYTq&6(^5F!$9_=aa zmy30?88w$_TTVnhNMRz)0S>G#RO{nYA+00R9+C+R**rX&l<7m=G!0g5w*Bepr;=wX z*;&YmdTel-4&u1eADs_j<_tbk(6%GAr+7?KZ?gn{A8mKeGu<$%)`>!}=9`>N*`LB% z@g@x%Z8+_6Vj5h+FO0Qf6?L&Scp;4wnkQb%4!h;FkbPdeHHrp#QuY%(x>~N_!wyuG z0g&)$j~DJc=ZR*R_cna7BQ5TDV~c#oz_rt7hvCq55a51+;);uQ9z|Lj-?3 z^+WXbe$D;9mQjwa^MQazpuKuOX~b9OtfL@D-0$TNnNUTx{-+N_ArlY4p0lYAJmW znvaQh^n-wjp~!sfHOuG_atQU58^&g(hEk_Ul{nsto6PiPI3BkPn$RXGdrIu-LsY9; z4wr{AjGsM@@GJF0jJU#=g1#GdWLXQHo{zv`etmUf)J5LMz$eAMO|1<}U0I{)ib(&I zMb>EfreQKkh}r1C-r7IhnwPj(*+w5ey2s>Y;yQYqL4 z{0vs|BSZPB5jzYq%}1`03CnP*2rZh49Y$g$ih&TkCp|C%HRnos zzXxx)S2***jk5Ac_(uOKm>lz?H1jvymSXe{gri0FDv;38XUW*=ni-`c<2XNi{bzTHu&?0#x|8q*Y?>vGe+!!r4G&MDrXz+?$3?wzrT>{(xSzf1PY&n; zr>b!D+_~M!i^AF-%(^*n@?#Wq-7p!(v`3cteEBJ`p+cWnTaz_=l#}LDkLszaa1_a+ z)}WeGdg6rq6tzxKq*;M*j;662-D3u5^t{)psfZXVikLI<@Y1oKU@{R&sA!o{HPm@z zAM|Wu&ZoAT`_WL$h%|Tz<98r)O~n*7U1IK@e|>j4L}n#P3_J=wH8K_n<+fefUd+dM zuRSULW#u(|V=2wzAj}RJf~?y{Tc$=rRyikDrCBoGD-MN3y>;cO3tG4 zErRme$R_3dlJO0?kVx($xsc2oJNI~$9HY2An{7Fl>Tsv4F|coD*>%6B?OEY`!ZVS2 zdQe~L0sj`hf1?_kCka z;lvz&;R*NK4vOPQ@1e#eh371&xVt`OU2D0ur$J>M>?w?8K2JYUVt zO~mVaduf*dEs+oQAiU-e#UhzMkr_jhqW*A#5G;M5auiW9j;KbU^DWMX&r_hv1Si!Pv>iNdF{+&(TZih4yyEN08(enxAdw;EPu_<}8W(~yKE`Rn zJK||#^^}uVv(Zpe`xG2)qL!w$=S*f1^fN3^mugZ`&HF|LNS5pLVVbBvOZn}!4N+ua zD$}-&Yy&<8L}}q5&JClqlShXd;9h;NfNuN z$A9c8e!AM^m$R`=tw~4f=?@e#0~ZMRKYem9`wZA<*wwmktD!igRFV@Z%fk0FpLJ#X zHM4%f`QkB}vBzgvh(_NR(mb|_eAf_POH(KmT2f0_LNu4k2#RfEm=+A5W`bcmpHdIT 
z4!b-X181nBcP_KUZUD)aa9^cPUa$T7_#Hr{1`fO#d#sS5#9Yd6Kx$pt&_CMGu*P0d zf9XwouDBKnFJz3phRyVI2fz$^jnOJ zlgjL>o*!2AM3d?iO*~N7kSrZY7%aWr1(R`e;1`Z*i0CRvfEICprb3R4n zI|Euz6e&zlI*#4(4tB&`WNWPNL}GFrnoIW0t5Y-#!4Ds5#-EP$n4oVtl6QgDnx>jZ zAP#H9N9BOZRmIxlsK=&9WGtHlq?G48sQC$7(kpl}5l$s{%iE=Z>d%g$kZ;|9h$&$j zbzOyONcEg>pD4EbVoymWsATV`9RGNIyN0<*_~U^JQGR6+Jtt?$3}D z)`~LIUHl&2q?=2;K*BzZSFY{X)PDj#1tyZQB6+oCUao*Fwz<3UH3O+z$Tn8LaOLp;TAo7w2h%EGYJZqHxAZ+QlJ2VK%Ackp=Y*7Lix6Mfc{(5FJBa z0u#b~&xOh%t~%Q4(6EbF4??%}5x5_qPHVe^6_|;W#5XQX``23WJRv*bG8{Zc=4Vhl&s!gKg3*I+_e3^l$^OYh+iFJw`8^ET=L}miCNm|A| z)u@5az=_6XUeB&*W2Nl#*t`ULHNpF+F?>F>Md{bUN7|RPF9>3oJVl9t8RtK7<8rvj z^0QfDD^HL!*fKHG&nRRC3C4l^De<0TDJCVj8u>)u^ze$=l7efk>u0sXolho-T?_^Y zL2B`o*4&%rH{|kP;qbwHxk3g6$=?>!6VbQ<0UGIpL?#8{~FRi^{6GF z&JHlY*gl`@jrZi=0TUMIv%)Ehk}~?TXMs+<fH2$mNb$U8KqM=m&`SEuo8(hZuKH~@3#m70>GN^DAjKn;Nt=`dlZAxd}pP?27kp`Pvb<}W^1h3yQ zN1&aukRgg!p^&JWN$G)Y`NM+}4XH}Gkqj*GrHdErQ=Jg#_04kkN-1En`Hs8CB1@oJ zaA?dN5PT+bgdVaxN3OOy?dyOo**-3_)DZV_$j;eRc`xvbxL<((f{p6_nsXx-UliUa z(zy9)mp6ZKR)uz%fZKy_eifJz_ucbzLua;nGSG$&Np&Z}J%Y@~B1@0tmm1<$Ss8ZQ z-c-UYnx0B*h~7`XoRlyLWA0OE$Z|HP+_fYTT8xi5k9Xa*Bpjw{Q9@bx5h+wzAR6@o zSS0UwZY$Kpfb_uJm<)TPQX^mhMY98y!c7Xoz=<`r`zH2gMR8rKctfwVXg{QzC0`4W zvz&IMUD7{+pQL;$<$fe|TA7IgXtKzms8ZyJX5d-2NBwBzTU=U8f(r{mVZKM=M9wX! 
z*IGu58duONFe1$Tb#w}jqwFe6)(-YOU(7cGpZ&2Xu!X8;ycyCd1HgeW^Lew-cGo+wu z;ib$`B&q;6_+HcuI|fdzBSKpiAumuw(c3rbXzTK$E{Dy`96u})b@A2xLx4Qw)@ef9 z%QB)oMFLBH<5?a*Ua*tJ}Ai&v`pQBs=`Pgck7GR zYZ!XcdF<40Nly^wAn`Z9`=tFPXiR=y?8n2!Y}g-%b3-WCS@7pQQv;?^o$dDNKqwq#b-%P2UvcpNBvH_I3Mfu#4E1zm3>>{`4R+1q$v z1}7@tYH$^#{_)@bb2I<5!Zw0vPPI-+`)knWcl77KUnKRzIHU|9wgS`PlIFh@9#px#R2h@K4CpmuquIP!Z=5 zJF~yIyS~1*x^ssJuv`%ptlVAT`f4PCX?cvU@8`*2~&)4q^H^XIa1&jT= z)%oRPd5hrAUh|Im2dyJqjBE+q40+CKh05Q(H(wspzsu}TFV4Tq>`x2tpO)FeT7MHwJ}fWfE3Dgb@KCprnJS;73G ztu56p){YA!ZIiWrjH!|~WzJN{v^sr|wOYM8KV3~(%Act2tx*rlSXo*5<9%uwhCQzT z|8*scBd=`1# z99oh_$Wqt!U9rqxK!sA#9hM$AnKKK$nrYZhyWmex)#IxFaZ@?@KzqF)QN6zZ_Fp!L zzwDl0;5ETg^*^o6KRub>PT)X9C%)N5{_n3F`T5UBfEqAspZh;P;E#K}WBeintR6@u z|LI$QxhCZ2+Y6z2vO7inpQ7ZeAA>&)eIA`+69l)IJBQk*o}1M7;Ej!gAcjlV=2eSH-bV4(4P`LN5CXJ7->Q}Y`w>Qev!LyqJX zomT$zLZBI9Oygt!sg4i-2Cm=$|3v$(li2`bCc9>$AvpvfCP_r&u+e4?AV1UD8;g*- zc_9YOKVQW7lV1|=SOa{P4(tEvuj7MT#CLcnTSnH{9DC?r-i>c>NA?tm`J53WewJT#e{(Yl~w36M4EwQFL^OAO5TqRGHhv(9OhNQN2Nnl+EHXO9Im${UBR=~ z%Zye? 
z>yk_6OzSlW8B+dGZr)+>78oZpZ0s3U9(LGhUI)`MScn904S7G5`1&sFJ`mm#_C5mfT0<-# z67Z03D)BG~@lu#VQpqe50GtQ91SWplQtA$Ri+r1unGM#YoR;FzglP5+7x5QdkW8{U z62iSgB8<-q`=btY7?-dX4?c@W)(|nC&uThF$9vaI+Eyb$f^!Pi`<9VJ*JX%hMyGic zFaQB}wSeG1tL7AMn7msx+ibU5T>iupVj`UGDD=8YLwnDVEbNUC^1gK6N3Fq742X`g zWmcOEVpZvJ`uR}8VT42~31VxEdQOw!+1YwQ&i^bxCnnAB<6S=S$ON2%a3m~Ye}44V z_xv|Afcnf|Ias9ET#e|7rg}584WrqJw;_^OR=|>Ax9vu{%O|jq z5xA&o@(8-auKEzvJKRa?YM*4TOtyhk$ZrvRB_?5cwg!M}`odyL1c)PRDV2T+vJ;OW zoK)P%L~QVf17ko@6PB{yt$_h!=32QM@gTyszRwY&g2`%ing38`EVxW%FBNms07W)!Y4j7kj4TxtALymeUS8k zz3@I(tSE0a?%F&eng?l=&g73;HHclnsZyw?Qi~@VCFu`l^cdDSapw4XTG-lrSR&%P zVdfIr!oWmzK4u<-uvzbyX!YDhK)#Q}u|Ct5!17?Hp!7WwW_UjPEO-VH3kU2Zexwbh$ph=yC;Ej6nEKhltjvg+Ok!@L!~^mic3)K; z*H+{8EM)$Li4$eTH^VnfQ&)i8(@EE;^e(e(k4KWVfgyMH9MVhof~rj=+U z6bi;7YgrC~<*6_M;bht6i{kU&kL1oJh#mZ(Y|vc(A$seyQ{^vT1M=Qc(4W{p-kj&xGvSn`v&tGFJ2#!0Ds>4Dq6axytR6W{ObZg1D?9%7ruX2a1@-KYwnvohv51dy11L&x2hM z!u~Ch(*&Pe85mZNk}wu5!P1Q_R%g~$y;rWhpl~~D@4fN^L@?UQJ@6(ZBZ+rrg1s9| zZ-3k$Uk3wKK5eevSh$LuAR5RJiz9~UG)I}TZo~W-NP4sr^bzx^TW|6J&(iOifwb+u zNqNDML6~B3=oF4La>w{JVhoiggmO`r_Z?^~ph5(u;ZUsFb!>C2i0#Ux8AU92w0dMV zfmABlh{-@wi+cmTzv_Li)wy!Z@y;%G*&a*L`;4Hix&r2Fscm~iagQhFYTr+IgtmNq zy&}IeoVk17z)Sn^4$uV!R>27Y^A&zhaR>m1%*Vnra6HJwD^*YET|dd6bm)YKH>%a} zM)FCL=&RCxI*fU7MzBn(<$atKBHr=m4HYPrhBxJq$-T7Gk9ji&_gX474!UODIj{cE zo3U?gO>d6krirc9r>MvS@~-R!^AXq%m4W#isE8wX43ojJHlrR_b=p17OWAw9G_#(R zXJCS@@8UNnkXf{h|I9Tn4i~9BYeLYy0$VeBlND)ODG};Vug+_?th6G;nc-YdiaryW!ZgN`0O%G zc|@QX7e6tP;qrvsA#cRL?C6s zDr;EzhZ+hMt(Jn{3y(aB+MEujY_5sW@ItqdL4K5r{`dfI$Rygxf|_$l9`pF|o)Zqf zQCDilf4$WNz`E+bq$Ul1({!Z+-MY^#NXg%TV8vkU?FDI8q4Q6DyeoS$5UXJdOA%8l z9yk51O7`g!&;4oMdNFD$;MhKpkp9TVuVJ<0V^mBXxok zM8&%0eeydIZk$E8INvOvo>{}HMiY&{TWeceHt^_xGup;*8@^YxPmxllxci-6lnSCnq^TFJW0+dmlmYIY`k@uwr=Un{mwZs*#S?i*Zwb*wC~uTvZ# z1(+X8@N`LMnon88qt|Y7QCGJyGq2aVa#24K3dnB$gd(Po@`0o018|Vwziszv((qx{ zAknN%{3o5al;M;HN-rZNgu3C^&u$x4*or_2wax_7RZV`nzvX$wp@&n(s6n^B51#i< 
z9zJCpw2)lq3rWHS{#N7;)m}`W26PEdaFC!yvKF16?T|A0Ra+Ey84mMRV1SQ!-uEPuTPKO3d5HI%i2z)A^EZ}x##e)5fG$p+AEG> ziTAbasQ(h+$a=$8Jo1LIZFcJM9>tB|HT13ycug@rI0Bte&(iYY2g-Y|RA1z@zs!JN z(+pI#Y5p_}fZ4v$7wwkwIX|o@&dDM%VTUqCGJC9%2S$fDur)?li0iN?=>jmy|}av{mM#M+CKo_1W&_Mmj(Gfg+8^J-uf+>4Ex(wmF1tWJ^gG)p2d` zGiwv5g1X+MXNdgvSc4Au(Dm7#A-RnJH2<>ji&=WEJnvD#ow- zMTf_dP`7O%ZT|zh(X_4BvQQUmLzwF1PeOy2h)wAA;Cf_SS5Q4Sa7fS(Wf$#{OeqUl zptY3XeFC1$Azn#^L60Gca4K#sZ1<=X<6AFhFLFgw$#6j^dG7;qol>*^fLr#Y!H~<7 zIz`qk@dZY=+;eurr4?D?z8S^r}cX($*V&(hz;7DCk;1ksGK_4+fi!ne0JFQ-m9QQ8^4^W5&d|-D8JTN z9{wgp`tcg1qd;Oq-Eoro@(-`l%v$4maH9O?^yrO?tDu>&&hL6t)Qy;va^HUlNS0B2 z?omGw+$cAKv0Pbp?wbw}Kd8s{grDsW7hy#ym;b_bT|MxzEZ1x5F)HlIc>`iygWp^Uk`2zd%$XLHEo&qhUn-Ycgupvsr-K1LK zj$EOu7fOVdg7$Pv`M^;v3PL+1!trf(aAygNjVf6HN(jgLQod%^zD32Yap!FV>66F?gLY zIYp{wqMg7`?`=24rcZQbn`ufugPNa!o(+~bNsb#trE71AVz{>%D0&9#)R! z29qS#LZf@TL`ukC#RFVcZSZCam;n5Aai*oV4G^7?m2djy=q`-?+)-OSCBQpjGy{^> zQr&?5oI{88><5O6JrVzkowdrg18PsYHgBEGG+=lM4bNQ{Ted$Z=%^%(xh)DMt`q1z z(b%@~VV{O=`E58b;cm)v4Icm2_VLYUqLO~5AVQ0;zGIX(?7aD%afG53SJm7i7SB+v z79&)Uj7CNiUTSI`r{o)rVXF&P6xKTs#2F4(s1$$BB6Oc_CLt*}Cx)pRPJGY~sv)cS zr?zV_Bc)8zSAG|oa9P_Obw)nhT{24kvQIYj+AH};N4axE?n@#;x#UB5<7?+tT>-MyOPul;4hKf^SSuHkBSdEypU@2lZI?Tb*3 z-$zE5CtER3qjXh(lzma-1U1KWY#mWk(`x&E0FPAf)(@mExqf3Gcloz00D!yhW!lLb zTrN3euL7>HP1{rhk=`U8O|C)djIay*6?SdoXpFXW>d2@+F(7<2e9nRD(W$*+jwk1t z-rIzbM@|dxTcZ0t$@|gxX8a68vV&F(h+C=2*olEUqS1pPa@=cp9dn{uBAD-+Y}`- zf_()S<{bTC{^S=i2$WeO8}tu^dvI2o<|X%IO9++K^@X*AzxY2K@c8G9qN6rDKn)BICZW$&MEVIUMQi)_!GhW3+ z1^Pqu(HVA#q_{vHcp++Yqn1S^>-2UcJW!NAWy&?;tW$Ka{CKo`GO5JkP)aC@z%SP$ z&02gc2i75E04HaF_G>Svg1@-T{uTb|X3yvphLRvLr&L5Q_xekkB3aoD-y9T@k?CLf z?A^^tQSo)&rq6phx(`wa9gs?zZQDKXL68^tg%-`D>@|Q)_&~(ClPkv>_ZsnplX1qm zf(^?iYrFS7M`!OZW#}<{G_}?jLa=?$JC!04N%NMH6~qZO{PL$ll(j(MTxYQj`WGff zfAQ(dJsx=%uapHp6jL!yTmITaZDb2O z(3sfzb==~4PzKZwr%b*8`^pg56v9G@qNg9I7o~xdLcbcMr_@8o-M61n-L^gm`e`#3 z&KX}()|PJ}BbG~vJcp>^AB?&hp%d*Tn6D4S{y*%!c{tST8$W(3Ewt!xR4UXdDMS%M 
zsGQS6sO&ps-!qnMgA$z@uWzi4pgAR@I_7ed2#CCyi|DeS0Lg3?lkI$bTEK_?TLALb!-X<^eFw|eix(m znkY+ksx5dl7x@DgSjpl@>m{f={hq>MsF0yY8 zWxTpzdbDFM|DFr6?;69}hggV{4`o>XhU-!)`xH_#yZ`;7P)#1U4;v z1ata;V@6{60wFY*b*$t#ln zmMz>r#4~0Cl6|zLIb4;7T;>xp?j3sUDVLMmBWQn>*`$l3zeIW@?(nO;huE9DcT zJxKA7u8_}oIccAFgS7s4&SQ$jP(&-kJCVv?Hs6^8Yv3aM^}>J!4ZCDN`9@q$(vDKI zXul$aayztzlhTS@NpI8HMRUfH_^xvHS!**_M$~70`1H`)TSE&4T_qjw0)J4F@h}ly zvb0|~|9Q7uw0GiU>U)LC{_t(%E$3H9r*YS~hnVScivTP@v%WlOIlb2F=dj|kQjk7@ z%p@CcbxR{(~_sb zs+u(UDOui}ROW+aw&inH^90Eli;nTkAzc%Pz0K=eIBk%RYJ&u|315=!Z3!b zankadw5#3G7m!&Om(AWzb<^%M3A6PqcIe*2cQ5lNjf)8_?x_4sv`ra}X(|HrkwJmXD4n}^F3AIWpH|zqB(dSHs> zp38WXPfTjrC{$E zCv@@g@{QSYTi(k&wmZrQArXVhTSGImyRGhMs4Zm+fqb1c5M*-7tpzFKjfF8n>pdK% zm#8Y0xXhb8l^ddFa>=u5MuC>nw%E=pXr=f#2Y8m#cX7LBRY&zz-BQS}4 zyU!(WkContsm{7k1&1rV(D?&HPT^WgBF+JOJCD=eb-Ntflq978y3ZdR6y=j~y-~N0 zzN6LXPxl?c?mJVF3>=HeH<^*lgQagp;I~*M!57cP3s)Ox?MHk*)O33HpIdCoffzhQX~sxzRoGQu)yM zFY+}rhvJu8vg@i4h`ABsj<)9u zEOpuAK0*#z*lh;MW?Z?>E~rcb>fj)_gB-)0(I1oEiV>ZOf9z3ZIT}D~9VxzPZGn?N zs@>ONCO{>YJ+%SIvy-PrY5STXBe7!_d1srp#Cy>*GxXZBb~wGd;3;}fJ5e#deJe#y zH@YlTVa|0_gycS%sP=Nw$AI@ClJL{5O>F3-wbW)_RC;@L2mab{({WtNzP)`mm!2FF z$u!bDZC--XORihIIt2YSS&kF>4?`-<`~+Tvn&7PL6UaHm^=2=Eg{VZgIx-`h0jz}oa|N<539V|H#~jj z2(2wA0_XQC!B%eQrxM=)NatUB%rT%hWoG@*?TfSNjh#@WjX{0I{b%JE2r8`3vEkx) za{-&XM^Qa|aNGTj7Y82sH1dR*OV6xz-hUX@W>8&N=B^eki!E8c&7^eWP$wiihP#fR zLT-|}QGU<^Z%!!XEUxH2KADIgT%+5)XPXecgFVsJi>##hK0y8S*KtI! 
z(w$4+tf=aoA$)^4Z*ki#mxae#&!gf6UMqC;rg^)q=_M*h zRHjs3So`RKIafJQh-^s^lV9S{EW+Y3hpt!7ysb}lFFaxOC=9-h74Upt(~e@DXMx}< z?`%5dHjl~nAHt~$L5Zj)ugj6zM<7kPf*O%Pu6pLs3e5}?aG#uPAMPzI*AjiNZEC!- zgYBO8S?TC-%AMLl6@|0}6((Pzo*|%LgAFB8%DtlRM9_oqj>n(MSlI?MBM<1ES|03M zO{5j0UV^UhIZWs2u?Wa9-Jwaj&M5I(1BY&+5q^Oudk%`k&R6U_Yn%$f&`O`>foz~r zwK-FN?M32N9J1dl1760;wL`|+)t->@{mC~-Q5I%cYY`;aJ?;@aQ@RzrR+XQXy9 zSpysb?%>Nz81!miT+@8{Cws1S8I*!5hawPg49IQq?NtT!E=4$|sgHVR;Oi+$Lwum$ zV>hd;UF-)gJ5f4$Hk=s(w$xW5uN~Z%>K+hAEeMaH_vK^HBoqDswBUG!^_mlEl>xyYzZNoA7ve1`{POX#{ z$FTfj@WV~NbtSl#w-Ta1M<52Lqwb$^uDNw0?dLJH=o**nRnR{aGz*6{P4p{RcrTr5 zo@ywV)7Ko$Ei|ixgIL($quaGjd?y}8z1h>J78;@1aiD%H<_0~5^NQ46XIc%Bz`2EY zrX6D(?qDmeAd;^k1&Qm>8!y{aD+0(J3b5x6eK=67c(xy z*Iac-T{j$0@a zk|w{3`3~+pwykc*qSs4nqP-%u>&(WZ7H?NuHB*Xhb=ov5rtke0SfD+=M%tFC&A^t5 z7c+CU$LY2`!mFXZk)!lg#H0mb{RuZe){U1Lqvlq>x%ZxHwYl!-{v)7GwgTFu`jNP7 zKZ#4uT>N3;!ICu3UEE3p3!ig6)(z6;WvMBIG%12B2jM(qP@ga0&rv(8*1t0XXs1k6 z__yD+$r!339ljLA!T9e|@)xcCayXxOX{7D=_Pd_x!Pfn6l{Ej%k1W z-#=djKSEY1IT`;8S?dU(Q?ic2XMMqce6NKQ{N(o``_Cgz`95TSO}Fo}?7tS__l5ai zd*J`0y^I(i4wAiN+47P1KPx+bu@QmXEu0p|L#ow+nH&{Lh=ib;uUI=XaLSt zbpYm6vhw`!j_lJv!8|An;u&kH5U75qX9`TzRdS6|G)_B|SX%VgK12zAwqYHu^vJu)5W#!Zf(n^`a_j)`X7PG4F1?2+Bq)`N6?;>*Z*} zzb4W@Uc?H()?3(bn)n0xLnjGK@E`N*6$1`(&x6&@yxWw4iZBQwVtb(ypwAZhq;!n@ zAQ}OdIX8h+URUwW2DVf$&X2`_9=}a(I68FQ9{hJyzJ(|l5@b9v6%2Dc^@*<#HKa7= zb7xnP#_3svhW_Ng2eLkrTFTP{k?xZIeXARh2W|mCRrQaIMhfI?(gSgyb-ObFMjNEO zT0H+SyJ?NVyRV?@|JZ;nWFa6lr^|U&N@judlHi@~MMz4a0pZIKgyc*sLTm3v@Y^`o z>gi)uOr72o=sZ21nV;%4zrtW-7it=Ugh+Tw^XT& zyqfAtfG=l-9vN-(0Oi@N&>%C=0r%~Gdbi63ii5~}{Ynvlwe`w?Rw0_Fg`K!#4M1qz zZ7+#Wij|*7hW||eSS1iZEUXVmaMOP&*g@kEIcGNu+TAg0Wjj)U!m#7=8tLOq>7@5J z9G>?BxS?d`!IMJmSyVNYTEw?k9bQU>Kps%L0>Oz8-eZM$V;Dk63<9Z8FdwWfgX&iP zS2FV1C0OvFu4$hJZcRoPAntv%idrVG?g-xvZJCa3uk@?vy4EmrBoK7Wv0If}N$2d% zPvCKUdevC25dxwdF$&TKYpn+7eRsSB%`SDatd=-s(;a5 z8p%&#Ofu%o!nmB4N#8n3m8*V#v(5h@am!?MNoCpylqre7UhYu=H1A;S`S3jmTsI9k zZCxbAU-0&t*gCrH;|}P2)i=LN`s~I~Dte!JI$^3?MXPKvc)EdEBB|q2gL&MpWPGvB-ujkq 
zvUzkME346+ktegGG^&f>_Us+N(Qa&G+N9LF1v~p{hO|tAfVdb;uI5_aLsLYCc-rHrtfn40QMiR5QY3O(glJh%ZKy*BFed20|{hFz2KcQVWtf zvRlSlCZYes|5MSfl(LU+=X`CPjE^QFEx$n|(uOQI${-oeTDJ45@1MjDv~9#d#j7l9 znQb7DHa~G69>HIvdL*EA69wJWgCDsPy=!xUlI^6 z1iiE|-FgQJDlkYIz~zKu^Z|CjN)u2y2eeBecs@iSqRA(u+BFL7PlXrBiV3#LIh#^h`+ zuwER-%EFKq59k7Gs3qm48jS+AZAQM4RSdBED4;l0D}-rM0|s^o?ePh3C4f@S1i}_* z%Qb$!uxcOtbdWW0zJZ;Ut+1ig|Eboc*)#`KY2rmdc{` z@)J9lR)DqJ1F>s1bnOOS4x2zuY=u2?MQ;TB%4tMs!u!#vME^=65CUS>@}Ce6QhU?k zgd{B+)y-#KwckTbp1pv}n=(#j?Rrc`5AH~?Q+p1Of^>I#gNH#hXp+lZH`-gL13zyr z5uvhh(GXBu#*GyLsLCFFuziVFl__mgb1^r0oyy$!Z51Nn{j)7G$it<~?)NFE$tGtp z8miRV2A8fDKfQbybrkrFY*%u2BW<1AV``U<ovP4gk1+<@hdAReM9H$$ew-+D*u$Yr3-L@=|&>B7M`GEx4SlaAabD?RArsr(0tH)>@u)4O&%6ShhR zJ7q+3wQ^JfNkikbKZvwOOE(`pUz=+F{+j+8uJbqno|I~6N^d@pabdC$rkhN~x>@C@ zRH2WxEAh%cp`YAzq4Qo$D1%Vb08;YQ3GjZ%90*7%L6%F_kC!h>3mwj4{p5>*YH*Bq zWxv3(C+#$E$*GJ^9-0uK5ORLa90>Q6ekkNHt3zo&;^^fDN`|`ix!%$2G9jYSc7I^{ zNFXBL6HYFy5`&rx4L1fLX-w2UMrPhLCezg#mB;>&rF`~~^s z#EH5c$5{o9FQN zmbJf+v8JvAgac*oO0C->|KiHY}qw~4|DprI2 zh>|ytf+sk}w*>u=JBs6aE*x!e4;~)-$!bY)#NJp5B5MNzEz^sEC)hTjfz4gz;46@! 
z;F%en_Czu21ptm5y6SMtk ztJKyDp`3Zfp^uRBSmPm9leW7n;$Cof$krRdip?6$OwwpcCO{jFFj|kS>Dwz`O!pi} zeovD{ZSa%D&PstE#XG)4jh__%gQmgLtCFD^RNKL2rAYD7JKs|xktmn#T}cE$I+iC#MiP6`h%73(O3zfJ<*3B4sQ_+7j_ z#VfBcsf)--3Yk%?5ZAnTx1oV{x(UL8vrLF9Ypc{RqsSp)$&wbtTylquoV&wZ8L4j% zBC46s`|IW=%cJ7zq*d!|?0ONfl%BlLA3y`f>$qTeH!> zJ?_5jUJQ4#|HO;7S)FCBMK6!F&CazAuiTIm^^cXZ%dKxueT=%kV0R#QoK?&_57abr zSfWc<+@)=;NI#yzSo^7Le{eG*FZJ`ax0CM#N!M+V6Pu!YLhtRg#_l2jXz8%-c+sbz zrCfnea?ai20J+n?a?eGZ-UQ>LB$`{^a12*V$hFKBF0P!9cqlehNd2>leQh`haapoQ z^!?Pwqv zZli8gDd)Z8t!Md6R#wKHzgV>0k!8U7D^e|W2jH-t>Lg7Nf%&WfzmoT4Omh|sXnXtu z@|Ma{8{v2sC;2hQHNeqvT|aF<&sAIO+ZaF~39Fnqu|CdCB{;A;hW}iti+u8j9MX^> z$ye`1OM6*Q`Pt%89NEB1@NI%^(&bx5qPMl36ZE*_x~nySYQdg&ts$cn#8ZPwEm4`} zyucDaFl4Wp<{GM?*~qprHOlP+BHF{A3?4<@3j4T5d5prBuokZ$4-OXbHtZE!ur*5Q z94t3k2}h}!9}V7@V;Z(J&pN17#O@_jv0X_LHM4a!$0eN1T2{*%=Vi0lO7Yh#h0-9i zziUzMEz;s_q1a>T93a!0p_NCwN!*vo8DH+q`BLh&1KtJ41eMR@ofrFWLU;YJI3{ad z+u27kZ}MG)W?I6GFsbPj*>om&sj==8^2R=t0pB7S&Met@Ec0~@zfBv1_q6asys@8! zp5)?_jn$`RJ1j2G^rw(Dsa23CeX`kG$rf<7zzKN7-!Ijc8GsdR05ZL$OX^RxO(1>N zC5`3Nk@Vp;-u_5%8t64*bR2Di zGhr`1*|T#O$^K{)M=CK|-bh-U1x6-%g4mCJq8GCxisvR8V~}(=z2{J}Z-CzGp*unx z$a#cl8sl5~eyd^>en)Y6;7l5iqH2`w!##G;SiHP+vg4&! zaLO#->eXQ>yyzyPbE-5pI&u;U30k_kxN80xdDV{#Ao-ma`f}l^B=(H%RhtvNV8&JM z$u+&?F@Qy;@keFbvQX!p@2p6+#-KgTP_wb6hySf2m9~rAxo zZOfB)*$M;U3VmO6q9{4~W^TRZCw50=H5@tAN3Cf}xm3}t>{nc!(%c@R6b1n?Dg@a> zl}O0@GS=Y7Mwxbl`XXdx=rl_^K+Lf*X+fmYDt#AyXSDRzwZfEXQ*AZu085Hb9O6nXpOZW04nuyR)WOI z76$TNI>|R`N6qE}I*F6C1;ZmrS}|WE%`vwm0K9`HGGkAvKa6#I)F~BapRqj&7ZB>3 z?7$ouyR9yf`J|pBB2#K1Z*eBC{ZKVgv~6iU^a2m$o`@$D ziZ5|~(j^YIbMq^f|BlY;$fs-NT2?||s&t^EQHGCs;UUr+WW`v}B-N;+vN;w`y#=Lh zQcjr4B*dgp@pwoc^1G87#cP776gdlZRWHT|z&@OpiV!23{|dfE?e&o%P{&yPqugXtucS6 zi8V6D?Spe?IdeWQ?FYZu1(I$~-c8dy+xBI_fGE)c5&?6-8=UoLnS9XaVUM= z46m}y?%_4Fm4I*I-aH`}_7H3ZJX>uaMB~SsToVEi*iF}sQmwI+G$IyN%1;AN5mvu%TCE4dL}rBe%NLmHI;VHdDK=9B0p8e(xfoWSE? 
z>CjNkgGRk|A-yTt3`eKIQ_tWEfk`r9Rf0q~s~a5>%yJs` zb%FY8e%$(^stIMvgV>8&?*Px2!5V2 z7tRjpF0W<=#W62u!%#(gWBwpp`E$B5z`S8l!^6tY!+hmO^R-$XWE@#VTu!#(jJv&# zAdBL)%8{{!x>b!}7Tssa;HoKie`FRzrX>^+2fHg5LARj|Kae%+3Z{Y9$pMp@Dqi#P z+hn4miP77W!{YPU$aXhq+O)9S3N%`(Gk+#3*%Lx={DjhVeRR*`LIECz0qizL#QB-{ z?S8zscWu=$NVM2zIROl1V*!yP=AnH=??K=*GwB^Dc>#OiYHi(X>E}EiMmMxI{gx1P zkkyjj7R)^T_}mkkPD=V(zIHva#YJ;;;#b3-Xi;zU+Mj7muoXJ zC&suzdO>uj^Q8KqC4O@lml1eJjiEEsy4W2D7@?cXW!geLWo$4){Xcft#CA=Jw&;Y} zNc7$^5;!G0D|}buFlEi;G2XkfQ*Dj2I!^76?U~7LpN@b&osDLCQe#d)+`{kjK*7m4 z)hdHIk^SIaiQy5GiZ!}xO_Q}kx91L(GmFN24MUBRWSx!XA2G(v1 zT6Y6B*BDi+iboAajd+s?B^-U3L8RoaAzzo_Ny|GRc~CNTe_Ec@fy!JCXP8qklodO> zv>ZdUE>c#;taYnp7WibD*>;MeFt^F->_i`LI@7OEq}hGvet`sC>RE`Utw^H zvc^fo!2pN*fE;P#V`TemMdx^IkRDB4PmNASI#+?bhoh`rUWzFy&pbX`RR=$mwt2F6 zp=%+2yB!G-ZUq3%k3vkxoHn^`4{aYnGj`9I)SQgG+ftydZWqviMkY%SmqS4&)mU|O%~KR>UZQT!J1vUR#H*NLhfCNt@w%YE-Z;M zJLq!}G?*yW7t;fBNyDgT@u?apufuy{*EZsz^6ny}b1&RmLfhJqNKjvHhgX;OcQ;+4 z0Q7@eY1MNPG=BvFzX#S#zF~P1$Nfa3OT%E6RcRC@bYu<+yY$!2Ed@Hg3*^9g{mh{P zu(@6>QJOL%_*(JC)LHetx^Q=rIw~H|CvpfByp>>Yk-zKNDC3d@^I882w!#-6OpBkn zw)%`pHU?b3xv;X6_q|a9FXa5s)PTh6Dn6!=!wS4Ely&}8=zP~=?V&;P(4t7iLy}LQ zZhF*BtncahmyX=1ZQbG|Rd86KLvtX15^4In`nKX$m^4A%z~qV~r#fadF3Y`Hekgn9 zfxARqLHfjgFz4PIh2>n&&|7K69-5J2GT_U_g5|j=;#{j|YfWp>XtHLE|+qersB4r8-kVVfNRQ(8!zm9B~nL6q82$DQ~MKo0w}Q8I4h~f(ZYvG?6h;fKwHeoEvxDU{}Vl)8|&J5D9O+W+MAI&bF=8s zLiZY>gn6rVZ&9u}P)#PCQ{wO}Ins*+fuv&SYGOG$;VKIsw`+}|(>$L`y3_&IKssR6 zZOl5zAWEX!>q5$)A8M#MTSdvfE9iiw`D^jG4=LVmUvryvLnM*}$2D()&*teK8^NCP z!Q*R?l;r%Qe#g*Xo8QyN{Ae9H$&Y<^)16|Kr{yH~s=Pb#)V=#$_LsTHPPYbok-Nrv zb5ntev8RTZCMZFaUanU;nlKT{s#cKZ-oIxufYF;|ik%9xUYW@F^RTvJZ%K+DfD)$k ze8Z1!>wAibWKs_tLQf`MWdf@%xB0>YjJjtRbaGzfn;5TEFs6cFsk2N^xU_L=LT0$L zD>94}jp5KlC7)@a9=z;H0}y7-Zq7(XyP!i`BZE95hOyaIo0YYS;pw^DR#|SSBb!Xl zD{Bui<@fa}l@$zj&Iqb%mEU#4MNfnrfMBt=ea_%iw~-kW<#2}54UBI*Hme+bPINEt zwwj5kysfgORmfKu-_eytYpL{HZXY_V`J9qDXv9-Me(biiVCiTK51TU4p7}ky}RGJ&7GM2L-Ov#l0^VqMR|VbPzPhh5&Jd@< zr9-Njwl2d(I$h}#vN`fKo)|NRL)zyy9znG`*O!jp?QcvI%ah@3e!U0qgBI 
zBnEXapEKUsJcTsekY_|3blWeNXS|Z>GZkeYqoUNJ07@ilI`R3b(#Htt%FPF{Ns+@RnFd8*Y%W`b7XC7HI2xZ`rF zD@C%i>)vqOs{y^H2FOkglp%1ohi#oGPP$%FRd-q?_Ug$?9U-jDoe{cz*8?(yggm6D zE-aW{b)D}In=`&;Nn%6`T^JCATG%Gr>MrQI=FbElpBYrPS>^r(Vc?W(u&PA)gHz^q zAB7aO2#)U601tYnYZ1J1Y&WR8ya~)2^EAKXQ!&g06oB+k_1b;{s| z8=BCdRFJH)l@1QsYnyQ47@vDugX@94!DmG0pc0=fdUvw}bxrFhk-pTkmnv@=g-#MH zQ^EdKHvslQf6j<<&R|S9=NQuLyNjAu#aXD#M+wC1fy4n$`myfOCpKI1;QV}>|LhES zL%Sw52Tj#2CzNfB+d-%*CaH8)V-F;2FPTAh%2unGMO}3|0lE9mUu7Z>)!(ZHDGGcK z;#RYvmed}ky7Pp_4{<}n!RX1n72P?H+)cwv*2?lym9 zMwI#%xwi^rjV6;_mQp`lw|_D^<3DjKEnc?IUG(=>@E#nxJ9qj#oRPDX(ZMDg|2uH# zlx^MHQki)piX`19j9b+r^6f`f3h3yWdbT-8`h;V!KAK@vSr>2)ms{dqEzQQLymo6P za&-|JGe_-1Pv1_@@@*kk%~ewK?y!Ng~1!gZ?+261X}mH?d4B9@2#w z%IwY`pPMA2_SnfQR!fW5Y&X_#E;c_JDzDKJT_yz+e?0FbWtN<*9T01I4_R_W!zuKE znMsw+st!~v$S!U-`Xsh~UA*9V5Su9^r9TAnekNClnIAwPiPL=i(ncM=C{&T3rPEpW zBb1G#lAVvHO!J&lAa+Wf2eHRbsdh|y}jzSUH5t+Wv+6t$0>B{EQ#Vx2+zLTU_? z=XqMe1hmoZbfwy7H4a_`qW2oZ&P2!2feYaMt82!_&ID)};NI*fX)h(FyV4pobnQZS zBS+q_Lpu0l+BtEx#V%#lA$R%X52iXnf9wV4kJ1qi-31!hAI8BfwRAw)RSi!rR|3IKx}ztuYECz`dF4XE7L4}YO4(x>TCX@6^?US+S+yC!{~ z#b?&U0Pn3uU6)>hNcnMBo9laij>K0rt;9*54D}?Ao>k|zi$vf6f)o*JjvcQ9eJ5^7~hzdm^t_v7Ytx=WQ002$ZJIGQ@g9E4NCfS_ z;jWL?ucw4xxfcL&T7G$w1hm~k^Sz!C8JpUhuS)B6YW}J)<@%=6Imp_EI_(G@1MxZeFlHi24bJ_z|v3;&S+f9-DB8ZJq+PdZ z6dRem2R;#Pfkybb{_racg)eTTcr92*?{*xmI&X-*T)a@&RZ$Jlpa5P9$YAoCzJX?{ zUnk^XE1{``X>KV78qLRFR04+nA-BKDJD8(Hj5MREb zZ1!0}#|;&+F8`BpUX8EUI*bKcB=Ii_1oXJi-iRddzm}+MC@Of47rQ&yGq?E&(?I#+ z%>YiM4hJXK*;Q7#)Ge-+kK!360qc5ZM5SHdBi2*k2etni-9KPIfBX+fk}RbfYK{hR zfZaeabVYJ1p_iXSTO~+0Kq{aOddAK&uN@lE1%CZY3c*T2Q9V{51c*s{#z8DF1|$Y5 z`nL~3o2&q;e9@2&7WDhB{>C>T(x+Il06aj$UHOpKM2Y2=-t(;FC`RVDolu5sFmjAr zQ?WVigdZQsk~s9udcw(o-VnAg2zJnIXN_}^cVj+D;1di`TGzdl0$d1viM zKnK->t^L0b1iUf!3EapYf0n7jzg^^~$IuTV;sWM@$Nv>@gEN)P|CJ!SX9pw(|KUHj3*O?AEUuQ!h^InNVy_1eh;E6$wx@$}N4C4TwwhWg<% zXI_)mMwRyQY~Y+-V7*R`&r9#2Cygcz565B0Fs7>d`uc71p8B3OCi5TU!)nzaBAfmu zS*`u;B%lBy@{5_QZ%6ki(A=-!G4}@$(4Q;sD=%uTAmhEm)>r%@>i-qZKD`h_Sa0F# 
zkDp*&|DI61KwxP`p4Z>=`z!C&I|m&uHUIaC-%f|_0EAt$-JJQAZ}@vt&Hf!mBI@H? zMbB^k_SzH-q8jx2?@UKi#^xO-~G90Q4qv zi)V56x$dA_*hSbh1Gq)%DFfUc4U3At&@Iu>@jkyFuaD3pe_!Q4@@!wOE;!2$B2Dq_ z`2w~ExM$)H7RI1==g3Pz_mw)q1R*8q!BDs68mJY?+I)iYAB~xbw!IPU> z>jEvS^C~Z%mIl%P&Zj?rqMt6$!iVd1-FA_L9B9*AKNJ=0ToJN(> zBp-ciu(jm43V=}uLCbGs#8gpN$qAEoTT^aP>X7?VDu}S#cAB5~<~$Cno!}`2(*X5Q zRhP+ZjWNnx+9?eS+?|tSl=3iV#iDMD%WFdjN6vm@Bv-9B_$e655xEb%o%IbWHq~t( z+Nlqx14kF*yM`9xTo+airMahxIp$~)!_}Rv-IcNznzlH2U}gQQcDz; zz1$%#@-RmT*GOdg31GI9C4DV$&&ZZe(To&XMtmb%R>oyMHh_|L%rS53UtIA1GrGaU z8#nD#Kb79Gkad}oO>$SOBA&}crn@iNf}JpB0v+vnGD3yf|Cq|3JsXSl!5sN}i1iA0 zomUV*D%h({^ZI!5Z_5etB?`m2b<~+h*c@yXHtG14Z|q3$r^{RimUSpRBv!NC=MD0< zd?;OA-2KZkYQir94bAM*(;_1Wzd795{!2aG6v_SP8c!X{&(SJf=ftWcyI18L|K>wq zwPwfZmBpPIhtbIi5>;WGDgi&&9>RqqAYLQny_u;ZZex3`U5+u^(xQm*jrD{-p`s%>}v%4+|w z-9MNUI3Xe&dEYc`;Q-oF_p)z}^!nIH2n`l`c&}X zo))oeW-;~=$^8Wffq0leo;cV4Fyfn^8D4LOZB9v#QEtt`j5~`c zM+za>YY4oNuxZ@I)6u@fS@XaqpQIEor1IT_(ck!wjqktjRqRpiO}QQeK(LjIKFm43 zU^>#`^>P_Cq;QWtBhE*uz6Jv`7rLAw$ugeGhXfr& zpYB4d*1KzH_}lr~`gcE}ytEOlkq_{8NZ3eHe_iXuNFiWvJcAab%AK>`bc2&$4#a!|dZf9lnCqK^z_Dvjq!}TuRkrSDvg!^kT??F! zLfSeTEy;2;1-=!J=d+5brF@2xTcq!YLh zom+do@|}_sqo>&Crw)mRfHY{%d}BVXSPvO-3Zc8vE6DVCkJXuF)N*fU0ZPxXruXKu zKCf@N!h!JgQ7#i;ElXQEU!s=BFpsvsRBpe=LEs;g2en(;|HyySer|!LzjJ>=z1Pd7 z)DXgSmLC~_lQ0E5GCLfLdp*G8wtl)2t zL?XOPbA#Boj{y6=Pp>~l@%!}pW06{XpI(2A#P{9nkDagf`|kC}NPG{De+1Ux|NjNY zA`Sqk5!&Myr#zq`Fde9+_e5A$tnXLvhJPj-V#SbZrB%;q{ztVFq~FyS_uB#*y&A$bT?OADK?t zr)xw6jGS)-I^Sa4(CVs|+%fn*TVO7BZ!F(jk3cJMzL*0Y2#h?a75TM~Bin~;fFvuK zC(||}6R8htols}O9Zdf;rGqhF!MWtWf)b#9xq5ZJ$ej5i+kB88pv_H3Kro~Zv9@D? 
z=^SX&eN>`|;nz_osE2r@SF)cxLfM=}6C@!$weU~YZ2Ld&X>}3sBPV8h6A_a zNPYnT2-~$bjyy6=uJw9sCvX*F{B>ZZF*Wx7UwsR%?UR7`67GwKF>RGGR5qv6kOut+ zc+3VKkZ8NQ!@n(gUrBvq^&nd>GVA{{YG8^@ndb#rvB(m(L_cD#65W)Qnj*qRpF`jB0qHz^BFiLgLCQ%Hr@FtGS*r=9#F;0LKQ ze8nr;J(fQVobnFTM=~9ssssrn0=Xonq?(;m*uHl5fqp=pVErUo#rsNY zL33UYSph!wjy>P_l*?%&$QviL7x=~z3(8G4gP-mn*}i> zAhD{#c(;LD$D=b24eo*8U_CGosN0&+BWrGufouRiDFRHxvNhK;4`92KD|(8%1|_`r zfG!r66nU>lZkC(Js;M}@tcKlgtlo3C2K;dw5e8irt-2w_-ZF;=my-9(^?x_*M5qZ54r(p^Db0oFOi?VBIYU)D49 zOHaC(*8G9488F=_v$eQ+rei)keh4?y8r~%hAZwp8&;TAlN`xHU{~e#>7#NjJTSSlJzUt@^DveZN<$2iRG9??cVNDuaW`~)sZ-1 zYC2TDoT{8Ld^j17|?&|SF_uQRI{5lwS zFk8KnQ5)AE=%INFIVWeO-u{wnyLEAdw2+OqL1~XVK|h=N@GD!zl5Zjk8Ge{cqGoP_ z-W%g@GuRt46Yv2Hh>N-yW>fg^mdW9R*}DJS>^WA6r@(fdGNf@tikj%x#}}2dl4_n_Go!r)Xggh8A&(wN90q-8Y z>V*RRr$KyTD$bL6Wft^?tdZMmgkM*G0~i>+#FlY!!*q9zDuM+tOX141eTt}jqXA=n zF&iu2EJrv;etD-%Zo&GHD3JuWqto!E##f@*j?DUyC0hP(c^i>b|CP5)^2&fD1q>D< z&a8SDj|5v3ECuHqf#7PA1WG5-PzEU?+Z473BCR~4C4pPvUCQnL*TTUqh(?6y3DG9x z+}pE<9=BXK`*3d}GVG95Pjlw^M`NA2tcLQ0MdaHpCFyyo(oA?P5!peHfL=#i|L!HH zn~}wZ%k+4diV5P=CXKarkptgv3_JshZnk$38BNtkq)1K4^W->gy>n_K3RW>730A^F z#?$8VAdQD7zly$bI&wL&JLJ-p+ zJG55l!@TZTO-r!z=u`ht+VP`R$|P;?9^CXuqwO1HbcL56^Ced_WGJ&U%k2vVRvoL7B zkcI+?G>N);@q*uOM5ObzVUJdfnMsjdFI_3A9Neo^cPUO_^Xm7F8yAT|J6#9#E8p_z z26c86jh&;6LomVW<>gi@7MYzItKn$l{4H$H@Q>4Sfh;-QeAy;!r)+AsV$b{V+p`uO zw@)*`Bq-aL%BITId5M^0syFXHf@wewRN?Zp*x*YMzKa|K^1Um;I+~476%x5XB5a8h z+VV-w5!e_XP7fvbKUg_}l))xq>krwy`C<1G?Vc^uYxvU#!j>R zkM1{lWhJdnZu17RiMOCT)OPoN(jr5k0zzYe@~IcL!&IG}&%7-kF#$lZ4!Mm?ShIpETpCj%z$Vs??-ULDf?Km(&B<>$b3WG|YrrCu zROQfL#0$AJc?t~`9#mPU_QIBqbbfMaI*f%rp@megL_Zg|+0|v~fwLun#uDJrgvGG~ z_Ks0cIY-Vq+!ZqUpj5i?YauNbIG>46`(ETPoxY?J>|`o9nIA@^C&sePKR(&0=KHgZ zIuPW>pVvhnp)C^zD>uf%w@OtNml>|)=QK_I$~QY(td!L6ziN{v#l>HCCL9n**G^LlcKl2g17 zJ)*!%tCH?aWgC&p3!4?PxMC~J8q3R@&DhqsQshrBHk{Ly^btw$1>0e*W)ZAoWB6A&fRJRE!r`HnKm=yYGD zDrHug>?+SabwfdUD@7|gVPJ8wvh@>s(%Llzw=oOYsi*zN4#qfkpf$OkWpIG zDxGI2Rqq_CE|9*)$eg^t204f$)}vVET}cM7$*wM+@ykLcQoW9$6k^vcpQg%e;_W1D 
zPRB4#C*F%PVTYUN?(lm}0CV#9rqtGO4nbtR))w95`VlGXZQdZG8b!GL9F!$f>3uT~ zM3n5?H?rh4eUAz6JF)(5-$7Q)`JHo)LPN;ii|-uifK~VvQotxix3;xMob{CEYZLpj z=|$}NkH{AB9%JytJNk1ZJ|5O1K{-Ce{03 zK_E`o2J!r}ST4z~Pg=WHR~@CVnZosuJTos>a10P{m%s9p#c0_)9{@#)^m5y`2|m(P zwoR|i?$$$kd4nf=3O#Yy5BG(1>qfnz=D2MMtq&@SVWgOr+{>ZYvF^voPDqESC|`S*UDDC?PVoRdB_SUtCU6f zuC?wd(~gJ&%}s+&u!8feRPbYilBDrONu=;7fBePVeE(|D^V-+!)`D5PMd^828j(qg z_N~DxISrMk`)FC6czZ+*`#c|HOZ0KgV8$A~VE;I2x4kWcF=J4qu1v@+|wWW%DHLm>bd z@~vxE6h7P-SzUFsg~OiTw~+tnkb*y`Wr?HYF(5W6Vk0K^(!`XCDA{^ zRQRzetzF|p>!GlsMd{?}Q!-5+WGuUU4L@}>ZSqx2brF4VDms zwex^FcVqd^kD9BDV-j3P2RY6^Vu*5TNX@xFY4n;dfvro_!X?jDCHaFAZqjPgz=u#* zQrnixUB~%t%Jp9;b1uVF6W_?HUIz6?(rDLS75eiC#du-Qr&3i~em=Il`_}N{f(V9W zlRh^(dX`F^(!Vgz-EHbu(3d2C7>QsUR9pIPZrl=K+HX>eEcdl>h!hRcGG>5!In#3e;}M9 zCEM7=C#4TtE0EV`dhQ6z%a$p0&gOaQ5rh%) zh+zVmr}9C`_%`7qHZ*&uo@H@U1@hTmvj@vu>16^8veZ@#=IXF-KwdpZ(Xb3I|6*=Z z_xzLFT^X>r4N1B@Ug^i3FNNE@h*-vBM$(ObqC{<@%3wrnJD_JM@Zf>B5AApr^0r6t zwcDvVhXNfv zlEcCYQ_jkZD>yqQc3h6|AK0Okr52kcZ`;bMHb1$A-cvJu;n$woVP?`i&EdFGm}6c) z3AvVUf3>C9C(onp&ZLN&M&4qV>ib4{tC}*3xlo?Dh2n@zPDCePw8SqKI2L2dFn*># zQpo6aFm^P{r1gW&n2gk6~FsSD9U~=Q{rkD;{%kt1xjZHB< zzL)P>G8*>-Pp6CT$#aeyoO00BZaad{A;6(T9Upn$F%0^GAxnn4DS0t=h1E@I@seb! 
zuu{qj{)OV6F=0uclVxu%t)^$_?mnP@HFkS&1Y{m@0R@p}xyZTEHV4Nz>8qQu(an@c zP55_XP)uOx77Fqbb~Qazr==>*jubL7mZ|Les5CurC+l$Dx>My|3y^v1OP%u2Ke;M; zpHu8BnXMm9SW^;L{0NQPRh?}G+f52B)t)Rg?Wq8loXM?vG8pw_$n*-=&4Ni(&A`gF zb$7kE>zWi3r)=|X&t@t4J1N&ob+L~|=k6;bzvsmZx7^S#99X%sEUdNABe(WZFE_8$ zoQp4WO3YrhtNhsE6Wq;nE%!Q&s~H9mef=7D2)@6X8-r&xw!ElP!@g_D3L6zOdwx0E($)(n2?4~J2{aH*3Hki4Od>~nVdgS@sAZMiXy(3RvtrS`mRwF~v}T8L?(OjhNhJisezS7TfJGbof z5=rzpOH$o?#ZPw1279VSJnpj0)cd0`bE-uk2-&3IgiVM{D*Hd|y?Z#+Yx_RDQj$%y zDhmmzw4tc%vahU_kW>uWlk9h)u{T0kZA4`^wyA7~p=37v`7ic{-l={pUS?|9t;gb9AURX70~@U-xyL=Xsr1TN>myp=mLo#qwx&!Y7nF zr_7V|eOQ_oW9lM$Z-p@I<#g5=xgLBtAh_g)9MNe8mZmdSEa$-H6GzWp{!FUaIeRis z#(NEPp}K>vX6+6Q_P3XAx$0sU=bf_ZAIz|8zW|q7OHnmeR`c17v|E?Hk;A!0!1%S# zYhTCOr9*jJV^hHH-d2wb{gefF@m)r22@NDIU+8V_^f1t6wXcSf%7|zF4Xl6w!Bi`N z-kfpZ@}6Z~;~5lE$d;AJa#$`(aG%z`T!BWo470CWP6ztLt8*{hL%?UMg(Q%nr%5i! zz>joTZEM>389$$))Cm__s4$J$w$hJ7M1c{n7UDzdSjq6X3Om{9V^|ZKT2X?1;GejA z=KPWvqv;jM1jNnWi2m)K&ZIoQ!kIh44Tl{~`ZSFUe>}-8!9BJ2wu|n+UI)U=ZD1mk z&1^z?Wl*N;cQ#}nC;_29bTMyZHE*j(>KIx{r;hRR5$4vhFHptB9JsG7e8$Z?UZ(d{ z19mI{7eBM!ndHDuZN#4uf>*r_FH?8u4hS=yNszSz^BQZpkeysE$P#NU@nN~4RSg$+ ziK|xTc#RE{wN7Vy{kf|0h8E~!G3gi8uT&}ZHM39$nWd4(icJG69YkMpjpTo*oXt5U zhmBGP?!QlSnLm|iOhQAFh{4n(UGKZrv9=N4KWy3p+q)GYg>C(vN7CvtT*3d?uAG7 zy|NV!Kr#Ut;bx7fF!EiCK|MY81nE_$SfUkuIexE{fycOW$)PrkYY6e0aoC9N`uC)~ zYK~Kalm$~Iw|Z&isPROu$;XvaORT5G!1SIzyyn%8XKQySEt}bd9)(r^wumq$@cl%> zlG@pKXHVy7L?5-97MSR-sgLjSt zrIhjmrn7v~!HTWiUYMU0=G3#HX88zcDxQq%bZ9dka~|z+QTOAH9c?M~k4YfuSxK_V zgdh3SbQlZ3DRoPmBmc^+|Cw$%-Ulkv^p9~j&^Y%58*Kcta<4;`vRsQSaIC# zy1ccoM`=f3I?*$kj61HAvSI-uU&GXlFEl}ZoAsW>Q=kH^t-8<(U=NSD)$|0-&ph7R zmOIj&I+bfZn`O%0WDG0Q7+r3`$1tnhd}0v%oe zJd7{VXN78W$7*InDSnFd-gv8@$(LG&LF{&ZX{RAf7Osuw_db-;w=`FU&y9nFnF=Y} zPS}AUVh@~!(}kEe>8mR#J^s)b=rqWql_`tr0MFz63KG`2q1&02Ao5%~o|efU!Ob9J9IrZl$(-`nQ0D`U`bJlw9ej zZ7Ds+DSq~YYrh=Qdk->!ih1Tprq4x*70tHB8AiUPq3Qbc{y}CCILrWNunQf0DGigk z8P|c(VOkFVh_d|3kjsy$(7T4YH!P?OLlmx^4N>7t4&B4&eI|?V@p&Oc%xe9z*N&BH$K0 
z1)SR>xp!W5Kvmfs@XxPWkvbgVlaR}eKadMw9D25VquaIyF7aw1j5O^WEL-xYDKR)~K51Y>5UZ_PTwl|&vTU#djZ9;x7 z$}li4asF3c1efN(%IRkL1K{$K&I~Ef2NyJxASz*!Z+8)pFrFL5TRbib)d9I2$)qfo z<HxN_8@MLw%sG`lZ`AN}2gW3z%Gn>>nO(pQ zqZSk`L%0>>Yq;!VB&B`W9DlU|G^Z?F)sL#7zcycit~>pmdq{*9p+t7PdZW{jF~94m z%jSw6z8VRfM#p`rG1~Nf`y$T^lQl2JOc=&r4UD@D;oz1(_Iu}Cm>K9vBzsAdR<2G4 zR?8AYQWhJzlS!`nB%fjjNx4ca$a{^ZE9YSs`LTgzJtG`ofnCR_Wbk_{H-=vPUA(3T zo&)Nv)$`YMD=IM5QYTc-h%WKOp;Pa}Yy;!)=B__eA4MCTbEI9&NI$1V-X~XSvb8_< z`(}1nqfHORD@bHkTg8`GNR_!ZbpXb(JoMv}G?Hwm3SSNXnceOx#_>)jyD-UePR8-A z^OlMr!SocL@6j3|kZQcfg&2)cEv3Itq@Pw3ndEZi6Er8@E(-qL%Me7 z7eNj|^7&{xz>OcvfnV3x?GzE-J*H~R(-NmB0gB^QCo#-AILAGzSsHE$Cs$t^BbNJ7 zuf{N-Cek28^e`DKlf`=OhJBn^nYHJUb>KQs8&ojZ+GG}l1(AE24#bK`ih|&rP~ca z)yT29K;F9gq}|$3PgkTDRdc*&1_Okw%M?Gf*uYCo?6E94Mp=#i*Mi&l8q#7WvC%ay z)HQ47blw!%7?=<)_sFt&Zz)TjY>NX6)F!M|HV54G_4BM^mbcxpEASa%zKotmtU6u1 zKmw1brwLS8n!(23(!-mfqdCy68>r2aUv+AiP1xU0o64mr8>~PWQZJDdk4pqcGmsaB zb5>0kqt-!$)uwlxXD_2(S0;;Dn+}H6p3V1>{1EsPf>#h~b#&}Yoxcr^q;52D+p)LV z*%ktZ4dYL_y0;4b5qW5_-CdQ-EPL7)w7n%sTt8kly zEHZsh>GV1kc1G;Zg?1<7@H*D?`mAc+uX{&bQd-pL^F0-0)T7b$h%`Gum*phb^+x+d zURb@{9k~ek^WV}apfO&Di!OIAdAZL1CNmEqwd0o{8|a1F1!kRlXG#kc7JnWYVs zd0*I$>v|P3>8(0h^$L6L5?vs^#cB8pyLwgEwQe?6SkryT35*L#O6_shF>yfy4{UrP zTEg zG{D^9u%p?J zv2NIZJk4g#WsTJ1FT@AnlF{%`kab!EibG`3)J+DhjTZ;?@ zc2U~2J|rGPL4^-(?_TT#2vnFYFd7|^+cNQdsz(`r0-D>5#|;F&)ga$dn1GaDx1&vf#1+{(^5O{=w3*Thg*BWQTcfvl3L5(&pmV55rxHhQ<`19-6lqaPB37#M zPV!$$3!9}@=UjaoDx-?ek2IaBw#RPE;xKKlD7{}6x=gRZ%z<&~Q+@g(<$1l@P$Jis z?AA2y+L>HDE2{mtU;60^ziG$?kQa}gd0cuVsHdKXq;i7M;VM0H-YD#M-C0A^(&?k~ z)sZoSP%2twzrgnP@m++flg2q0B`-9!AzS9mU|Vvq&#;#?5mYce3=rXglQt(p_^Zx1 z>Tx%o{1RlrK*7xiIzF>b8N0 zRU^u0uuTxl_4Hi6Vjy92fC_|Lj5UUl-SQ%hcs^b;8aoC2{yGF2u7o>gDN#vVteg7+ zd7txFguD~9zY5J1!@oT!Yf)hzJs*x4n*{@^6m5K}Vca{#9U_t6^rrwRf-j5Q-Q&80 z7-S{Dnu7!y&>Rpe6B@N#!z(sayYn_`wtnmclBJ^arKmt?_ptClcMy84+Mffl$WLV~ zRl03;Ztl72Y90f&cx}DSOaSrr5N>B+*5Qova3+OeZL z#>$Q1&2Pv&q%}!oemR3a2HAeo2Q5P8fw6dKr)`&AL7qNwW$6F(eEJ`d;#4*WVrP|X 
zYPXF}4B2k+^kOxcMuG5^0(p{G)foOrK8I3_9b|!otO26DQNbnB4Ka_bB$q>;+9%9L z4l52w54$dW6uOVB7p9%LTxU*KF6jt5PzU)C32{iUQPv%-N&HisZB1KRPl;rMD}D5y z;p{90bs{c&1tKG-fAOvHw+-wL;*Da=6S9Mf#Hf||Fh+z}Kqx>zm^z=gh#Z5+ziyzj z=&xc!C6}CDhI^9?NphxxclF8nhFd$xJ(J`{84~I6qVZxa7^PO@kQtiG=)BqrN&!j_ zW~J3EcPS+RNJDBYE%63By~DZgg;s`PF*AI-S#=#cnJBlDN6U2PD%;qaw-ONNr)-ID zE$LsZcFu;Jq55wC?%N!T4*V!oFU=7bVoU!RB{o?wmloWwj{v2ITjHC(>cpS6l0H%d z8hc7_Zml4Qa_4ylojyZUyv4*H6_MLZl=A-wm+lafV;8DpJw7YFG24Jf9qnF*r+SEZ z2lhflsRkg&U2_m&T5gDm^IM~*d-=1@BzVP)3yA=FZ^k9&Pa&+Pk&cEh8VonLWAEgQ zHWkq#mohltqeUVd0}0vPcJIu=(4ED1d@OP>NMrp?`zR+w!un#n`1F3f>y>_nn;-4o zw91486FAB2%1YEL11=AjGdZ zP6JEjlK^e99p^G`j%NOXLEXVBWs-mf#zB!*UTYsn=n2qOg19Q2Hr@J?DXFI_hvO5w zQ!QiUE0|p3toqiExb{g|QuVhqGe?q3X4E0pc+|!lkU5#tNoaiETBU4WxWxSfFKzCm z-utooF8-$|=s&5WQQ_L{{8tk`go59157~3}QoxgW_jw?9!{nBUq z!74R(?M=QGr#_0Z9PQdQe54q!xKm0bBALxnB1hB?{vJ$x|xyIG~ z8`!;7mWw^H$9Pm!1rE#P&}a@DVUQ-vhPmET*(G6LZ`pa9fOM`? z^stHVk^UN(KjxO)0VwO~@BNZm^w@14+^|74mSIH~IT-3(3S@$3)RDWsT$BzJO~J}E z_Q_W}SGzeiL^sFqjeGZyO0|}=0%BRD6+v&#P6|o;A~t(snK5SK_xU`@f!<)tLn0r7 zuxxyb>dZ6QVE`hKsLCqz4`kC-TRcaOjz`GpoeD*Gy?=-xh5wr)=B5BJdICTpZJ{F= zxxUQ@Xp@k^m<2WbMhb-K+`2IqB=NQhQkTG#UaqW5+|9fS^a2$-gVElc>LabK`T(x7u$Hxj=>3Hd0tN2oB^XW^N>3n1?vYY^A5RH-0t0I0DtvqFX$zP@?1 z4E&tEPHq;-`lmpk3J_Vk`>wDZqJ!#G-S29i_#7u@e?$1}=ewdol7&s%;#L7mxpC%> zo7CAtgBcb`80CL>us)9ZcSxafJ@~b$XD;nX*SMP1Ve|u;>(G|A9AI+bMmm@ShbW{l zG3TWRXg@ZQ(8AY-bX0v8B&N!3%P%Aj0S-N{>rB#YL58&LriKd$WUP1p5|nD7L%lX- z2XsIJN-n*_5N)PVhJUcF0!YtXU=Cr|d_kT7yObqs8t9Pg-!75E@N&%{LNzcW!)m0d zh#rvMkOGE&gvK2>EqgJhe_{td(p9JhT~NpZedM@IJT>|t3; zNyEHiwpW?0eof6(?w$o#bpP71=cqfpHM0aTq)E5di}8er0~!l*0KK>N*6%Tp3;0&4 zX^>%-A^Q5@K75+zIxfy0&#P3UXCXiuU+o}5+OMwn@siRQP~;SGOC`QluaLjta?*?) 
zNnQx%bp0btw#>kC*v6x<%bcHH`ZhooN@}Z;to~MBFFMiKaFGcAyIw z3J>)zmV}b+yOGT*IswXj)UJKQ?bFKxU}{cnwqM_~Q}fXDAA(J_R|a{%UZBZ3t$CgH zkyzH0R-*7upGva?*M3Yam^6G<^)3|#^k3_J+Fjr-|S8f=jEP0w-XK5uL?W3En`~ALY3Ut9> zGe?6XBa~G_!=8(n1^6hFeZqdn*M2oPu90*;>}IcerHRd+KDWC0HSt?1yQ{X5L-B4I zOXxQs_y8=khW*J{7d6ePx7B)ol+_N@42@x_KQ*9e2TE6|J#$?F!(iWg-_?9%)^rci zX>5N+p-;S^Nhk{fit;nX;C)Ipj1Taz8rSA~=kO8J%9hj?HR4H~V@aCSVygeu4t7|F zGBy+v=0WPaSN0UfcaX0mL@$2zPr;~-M=(5vzx3E>TY8KS06B_u;a9$`GHajt_%?)1zKG%@AYV&{G2X3iKvrYxn&Ymo8o zRiYZaVEtZZsFK^l`1$S&+iKu;p$@L!*eh$JOqyL1)X&_xi_DKq0^?m>WQK=kGV0yO z!GTS48ZTn5hxVwNB(2^X!A`S%ef^OCuH1#luvH+MoAIl=E+acJ1XP>K&dI;1Mz_@& zg+~%%*nk3P{wDG$d1FoZZyP7|hA{*t6RWOs+NN((Si=a7l4Qj|h3e=wsgob!npztOuJ)P+jKI15ns|jBK6Ak3_ z8N%1!a6vVo?ll06&+mLn`2C7w1DHHzKL61ckL0Lhb-gChEVD6v33&v_cjvVn=E|PY z7>D)WK^!4^VSc)D3{DxT4o#Y29L$S5JxBDypt_!!>ehpigY<7u0iHUIPCBNG%KD(c}TPtJw8xLg_D zb{DeLF5SgM2V=cD9i~(FtNodAFf-p&?(u2^@H|J!TI~4+GKV7Uub7?E?8?Ss_dT(X z2GSEHRM>8nDNVV{MmqIDvm=^DNQKJsB;={n`IlnK$?6hMRVJ=bP4DU&i95)IqdN)$ z@J9}Jug)legW@+}qF%mcu=?xyX2#=Sw8=vG@`?$Ce>os(N=a|~jV?N&e!3DE=2YvW z0}+N~UFU)_}N+afAN- zn&~m8TMJ1Mxid-|&z?D|Na?z9ruL5ZQWG?4xm4x}WI09Ps1j9lCmZuDE(XqA z{#Vie*BNpY2bb_E>l(Rpj#S?5JH3mfTlp1>TaHD~$EdZu`w2t^b%Q{zU+HrNpH2bQ z{-#3>dzpB=GH2auPUvS+#{;KI!9y|E02jxpRDd;Lz*v(CQxT+H;P3qakbeH88G~T2F&~)rV{YasQv*^C!IV zUwgOmJpf~j*LXan|5Fq3x1S6EpT(RpFIvyf_wYa7?Zy|Vu>=vV^8e!60a?@0tKqIc zYa00H7Czw*&eHDYbD96$jbj;{o+8$$rt(iP@_)U5S{*nu_Z<%4e$vVHuhnr31B)>b z?vo?&x3B)MH~H(k8`}b@$a|&a>7S);|9rPoSg;tg*qYu)e?^DC*8HFU1pFad4nPog zU&Jmk{(ATS{C(gj8TMc?mhEla{?ohrZ|~N!8z^oSzYD$!{pp+h<#2ErayJgEC|CaP zi*X+$0qH+@`?de;%KmNZ{_T_e`&a(oZT8pVLlOV~);7B-_U(ZJ`o_(Z{rmshGwrr? 
z1TA{j{fT13im$s5RodMY`#tc#Y|k{Pt@A^7Z5M!314$21VnH~lU5wfc^x4&bHabZd z2lxo4QdHyLO#c72CYxvD;@-Ztpx@6n{MU1J&Ji-yUKJRH=2QNceSQc827`N5(4dF^ z^4X`Mz*g~``_r5DpBwtr3-As9_k(Rdr2k#9e{HD$-DCf})Bg8V{wtdO-wYR*kx;L$ zTHr+#@L=nC!^@-a>>ML9nPD$Xj|<95H*QF%uPB__Pnvmsl|`(3tkt7xjjZtrH=PXk zb;0EJrv7_SJ!J?okHbs?_VBh%kFxHQwaY%;P?sdsql@(UjoQsbZdH5|H(;uVU2D@@ z(bCQm0xs9i(JrH-KL&MlDs(`eu z_9=7V`U;>*17-`-do^=_zN4WGv`Q|osJYS#wSc`&2eGn_=f2BPX%q|hGcF5ob%gJJ?zlVumsO=@{jt|OL!=nT6* zV)0#7W*tyBrM-Nt3EIM)@=g#rLBkANBa&$ww=PAy`ahi7D$jt7%yJqD}`0lb8-iM)Qb0u0wmx=#Bo+b`{hI(F=8ES3_v*>y6_Njft3qTyBAauVGugggx zHmy`wnckMr%Zk5y*|Fh~UyH>+(FDRf=V{S@<_UXtgGyzGeYLT^V_!=RWfVvTO$iaP z0D}`Vt|HDu;t^r(#g>)n?&@^Wtaoh)A=*duo*8(KnQK(wj1HTTij<&zJw1I6VSB5K^#SgqiHA@fNim(46gV0PB92 zNHPG^M5l59P}{>m2;#=-nL!|87-7#YO%``ZsaDRHDkVDn87LuohMP=-97X zSx&<>5D3+-9QIS*D4Iy{>!D!lZDIInR2UAAM# zW9LY^LlJpIpINxfqkYMQ4!|9Gp+dVFdS8zf>L#4;Z60$IZ#d6G+Rp+X;3P2Ih@6Qu zuYJ9GmKbSMs~Y&mEfh5Kmj=mv)y`rLb~C^GHmy#3=CaTn>{w882Rnojx$z3kzG3B? z=fJg=W>|BWb7tvbq_`#-+GO~@qzjegZA~kFG78NN+>MtNWcRA2A`^NwIkN%_?U+*{ z(OT=Q4=!yA>o*pv+54s@!snHf4vkc&1IM`ZM@)sd7J$(5|FRk3oC#CVL6P)%dyRW1 zt|Nj!VtsYSGH}B63K=|Y}qsy}Cjes?T z3@rI=toTg<1)L)2GN+@6P855L)@^!OozhR%NwNW?^bsEqdEi32lsy&x@y0$@Ir zx*)FvTp|V#@V$fe0HI8Q{MO^BH}8PKq!u)FK$yJ&g2IYQlM2xi<$QxK$T`6tnpxJ3 zV*-s|iWltO_&a1<20B45VJG4D}pvEA+idb{WLAg z>=jtW!cm=BLxM&vJ*%fVf?86v?$^D(L9^8x0koj;dghdqNcfFV@}#t7IR*kE`>GIJ z0PY2fh7j<4p%7?d4WdF)&!|cuN_RP5QNUDC*@N_0?~FhrNkA~nq>@czQ^-l7 z4pTbG;R^Hw40Qd-5w+>D(7%Npvuz$iWGnpe^vi?97x->Kommnb#?|@t=s=pAQlvBQ zAvcp1{sj{Alu^_HXJCb0-cwjz8w!AE`%Uu>0?ZPoC)~*aULfE)>JA@c20#kFv)hZL+#yIsIOSwkk8BaM*GdaPEknXG=Y!rtkAbd(uikJ|DR}-9dp8+{I z2M0Rxkx6#VEh|94183TI&NyFaO=;{1q`T%WLsBoD@hI*BiP5W7!M1Gx`dHU>%13{w ziwblUb~m2@oc|S#zxs8e zrw%XTl&>5gAN{&8mAP}FF*~!oeDf3@iDs_Ph)hkSb8Eb7XXfbU?dBAtz#CvxLSRXb zdpdLmH5QH+Wnag6*bu*`)ixGD?E=Mly6iOFw4+)kZg|ds#Hp#K8yn^NF zMor$nhhJZXK zhq=@+#za#eGQy@H--hiw<8PWJX!5%P`SM1+W)DbXu0ykjJvB&;-xK{#;6r-@yC97+ zCR0>;Ps}TWJ27*R0@DvP25FB30a1s|#95rEpnqZ(@u2KSXz%T=0zOA2Rs?}={*MsL 
zV-3`z2n|prO-}e*O+h9Ubv|U#NoLsyT(pH zL%I}U8VTy^KcKSq4KOnM!epQASO5c-Q`zUU!`Mi-3C_)!sqQt^ZXmF40r zBU~-71N(n((ph9@0Sos>%COk@GkEk4C96p2%L)ZrG<#0E5pK_y|}5 zFDhS_+Ekc|GI{)yfs7A5J2lkjhi6cMQd&XYPw+lut|eUniKzVIP|ggdfQ-D|AZ z_lf0an7M$IFJf}{5d*%j&XQ{V2E${u3K7GHSapRnzvuB++v+6wceqIZ_4vUah&!-2 z_bq{#P|f#SYe~T4&3z$x={ZyE*-%1FXE>gGuE=Uvf?VavKS}Qmr;QHSM9+^_d-O9t`r4q<*D9iz`j+#uNX!d!v2?|?0ci21Z9aTevrum=y|`=>GUkh1DN)oV zq?Wbj%NeH)ciF&POQ{2@++VpsCUWe0YTDsSnER`9qZJtQ;-Uq8!bz_Jqtr(jL73Pp z>e!$kwY27shrfL~0o#W{T~Xz|u;<9-Kj(EdMjg3=%?~Wz#l@Hq&EFM!x;1zHZYRT< z8yN^;mKfjAk@P>=$#ie1 zYf)24A~oybVLC@O{B#sBX_d1PF#eJU21M02^a6ScFbvQomtCfdmX>zY>ZUm!^-+ow zY$rz)+K(wUg-Ki?Ds>{-{%3pm7~;Q!TKF{ej}||F*0@9N*HMBF8?@bi^K*3=M{wqA zxxGbu7b9eF5x5`vt+@co$@%g-B~+wp4VUD!WD0Td5X)VIK6wewv({XC}T z_iM;(+jZ`j=q1^{?+qf~q%{O zQ0)u8_03=z3rqQ9I~r1jP>Xvndz=90NBH?|m}t7d7CW=_u5{ag`{7l@kJr-yy&ure=5g2 z*$Qs8iRAmnkWxb)cN_=lpwFq3T3A+8&u70q+iOPNbnhLe?uYA9epFO6uVWx0`2`-O z)eNZyKL*>8xxq9V-!Y(>dcvKfju6Btm>}+5Id5*}q*g zJ9vVxutl7Qerrwqvj11GsR9l>Kkb9pUA!A``$$}*z_yyW$c?j{GXl4iD`C}hmJX3F z_)F2_b^ents%)w~Q)h=?J1-jq^X_IJiYT0>o7!E=1sxN|QJnm&-+oXu3(J0RvKB?Y zvbQ#rCY%3Cvj%~4y`|i7w7TvW+{r*QUJSxAMc~VtqPl1w27O6Xb9R5fDtv0Lw0ZAU zh2j$HYR|VA%-C{6yhTX4qT*y`%!5-Ocg6}tH2_NWq=2A{Sdd88e0bRdd-w<~6K#3E ziKpQXPKIPz!Q6VUZdy<418o!~z{adhzsvbpkR)aQ%4PVw6#CTGhY(+{adTi;A!V} zaaat;L{E`lzq5{0;j?V_d||B3^G4hRHS(NZ@nV*IBQtU)6S4e4z^Zw6{4DpFq3DK_ z*`Jc@j)u;=Pzs^M{z&OJ-&a4e>cT>HkU%$NB>Q))KAiW0t)N=<&?R4n6P>6^B3nt`BL#xqOm69ntT+49 zy(U!aZ;y{k25(d+UI>m<{9^qBTL52vG~1!Q&>>NZ2p(_nm6=G|PmVAl6a*2`b`S5- zFf;735^&O=^`6%Y`80D3Jp~=?-x%Oh*aF=Q;N{r1=%XFlo=xM3@e5~Ry}v>~f1bTV zWh3m(ES$U{klfYjAv)->YxuXp`7gJsPA218hBjW-$ZzL9ILw`Jn0V@iaGafvGvifL zJoiX&e68{{r7m_tw@v<_-daBf@k^oJDC$kGA7bh{IUvezqdLYytZ}wl+g4B^3icrg z_^o0-d@|3EEfutT$eC=2TDLZJ`rTGFm6Ra=8^NXA+CSc`@bYUr3dW~x(v2gX5bYx_ zj$teomA0Cx=4Qt5=Q!IcC`J2V?snx=A+A1`;r(Gk;cf8Lhd+}H%9(3_xm^3*At7(e zNx?RDUCYsB%i7Wj@siont(5O@y;e6Z4@b$Mjro;X(`VVWX#Kp0m9qxB+1dbXmR{*N z%#KKqMK$A&=0)5DZDK-E7Nf+aNbrfTw@%kF`s(_qS2XPgHr@q*)}p;ub9^-d5rl%u 
z@dqd}5#vv}3O*`X!;AEE6oeL}ZiQz2Mq~xcbFw2z9ZnrwrDriW5*s!qSUzu;=t_Gr zsDs*Nwn5I03K8@D1;%wqZtZ#eB}}1wFpHjUV=z9hco{!6Q=}s7&r*}bzibF9{QHs2 zY{5=Cs6LdeIq`O2IsydeE!)(dpQCKBa#jOp^wmB~>|M|2_ZHlc4&Zg!_0hr+)pyM~ z5>vxjXeiod;vdx*L_30vrxzz8qK?NIXTD(HMK#AgYykC1CwO{NJ= zOzc!$q$kz#w{~!qDwx4KJT=knK0+NHT+rw0-n6!4-0-+mm0kzj2}U=PqSiBIES|5@ zsMQXqEwl66mj`7Q?F7NT9-ll_i3JJ#+>Iv-Km5&LMxJHYRN<0krJw68?0Ias2M(Bh zdzozNti&;ybm_Wq()aSUxH^H@epOyG%zEYVrR*QFQdhsv|AvF80#Is3M%c8Zvit5Jgf&004TJxWiP zaV^N$0SqGP7hfB_N|;>v{2V8_ucQb5v3V$u@%LD;giNf#C6Y z_W<_0LNvk0WmxJp3Xv%2&802IR^90cU~m_dCS&XqPnLFB6SoVAJL=1^bcK}K(AktQ zgrj8ey04BpbE{39zra*~^%owS@r#^eG#%jztMlGjYCiorxj7D(qJ5ZD0`C3&J<9f` z?&wtRU1c=w^BsJA)Paqv$!X4nrS0cQzM5G~hy@X|p3&z!?z>NSCX?=vWTUizX?>kX z!K}ZnV+7Ht)=aLstviaz)VL1!!{_Qyrh}}9TGSTyJ*2hT@>x_DmFjY*`D*;P?|WGj zwXwc_tRd<7JPvEa5YBgyWuC zJshL?Aw^Rlo{$=V*3%6${uV4t$nhU!RRGxg*@Sz^M)}{;q z0_)9+0WSz|yU#o$0^V(}o!a!4IfQioEhZk~+`f{!%1`6X4t5g0GaFBI6c^`+6?vaz z76~XRl{E1^6!dFrFoX zH^ks%dS2es2x0OnxPk6)+#dWBzqorYpC4QSW7Z(63`(Ug=@h&_`MffEH3tFx(SJ-1; zFxSLBP}9qy$kPTiWp#dF=~a{_;@iidADikIlwmz#vGH zbY5eQS!5K`1h(2n`W+W9x2`Uwm{U+nc9_9&lXfEYA`ujWSMs8G-DWc%6G3%!@FBOw zLT~QsB27ImwzRQ#(0rmoz`Ysd2VA(3b2`4of)Yy$*D_;lob;#Fe=lHSrQ*LCuJ0VU zftwH?WnX)Uc=Q|!Ku_@%4Oi50AOfx6_x^p`?*ZHXtycT$=C;@0-1gD`-1a-X`9!3> zbAh4OrGvgF2Gbo78U?KihOEL*!UK(q8z0f9eF?B4$yjCFk&DjpnA6*;AFmfL1pi@c z`&q(bH!b4>oZE2ogTO$(e!{nuFxG<4poyC;Lw^tVyhC&+kSR;RMN6MMw%+3}1c|(V zR?(d{+#k50LRjjw#?TY7l|&{5>tmU%i3#%8>AH#lY>Y{k?oX*FY@Yy zofYj3!dWuIr8b_4K6C1kVvi)%dqGg`$dkef>v{Q}2U%h{t)i9J+je*hPF?ZO1y}jGRVeI`xZovA#zw5}oE47^?0LzBQ*)jJ zup_G~rLEWdzGkjxl%s9B``215IEMW>-%8%yz&L%j2I;4-G9j|i3lTCs9XC+<@Vcdj zB)W*T0jxo;+wOg{JUh_QgH-N7+mpXP(Arqc_@9W=w(EG7^DrBK#b4Ih-6E4U%VPtV zSpyq&U!0K>XR%Ghxq-~=DBhW8P@8nesXtTItLImP{nrlvX&y{wd)K8MUc4_DvR8;2 z_N6qw%^yv9y(BdZ#`LDEJu)kBPTZ$T_SlQm1=rN^NgJ;?(2p?$+I^k=7&?i2w743? 
zxfCoEX-ON4lYL&p*h;GQB96+>opLlkSG-Hpn=Rc8Sb`qF2#PAc(G&k9Vqn{yW~aN= zCMO(I3hWN3g*WhpwP-{S62;}R^h}6 zD8&BK7SiMPp%KdfjMrlTS8Y7@kM%fJ5=F% zWr_xNfzI17tO@h;G41coKV)FGfW3q9uzGnh@ewAO*>H2E76|~`okz%xpmXCx@y#JW zLmpGTujc0plHtH$@_XQju6Qa^9a=2x?CYXzw8Aa!^IJU`r`Jm|C)yIS!1qvcv9}ugAUxrSx6AX8~%^(n#!8qUK>-E~6gT=#&bYLV=IYZ1z(1W6!OzgiEuh@!a&)?MDt&SCS|4-$bvNal`hj3db&n81iMmU6I zgwxM5PVBfBJr7aSw;FY&T;Ij;UfePYy5zkIO|o1Y&Iz|2hDCXB?wCYBS$CgTPb3y^ z9CuvGlCO^!mfFWX%>{_GD&RY@%@5|S&j{UBx$^2l>TNsTszVnaT^d;jJyU9>PnT?- zwwT!=*prv3@C@BA z9cU`DSZC9t%LQ|@<4WIiyFA3G?yKkdq;4&1_?x8q0|u%gJj*@vcqLrxYM)h=tBKao z>y4hesZ4udAgFeWH8WfFbirV^z|cMwcgL+WmEjJxB0Amc!=0IVDvS3eS^e{tgf?o7 zWppilCau9kcPj}XzV8w1doxis?s3xsOW;l(IG9?-&Q`c&%8K0;tRshP=S}wwm#T1T ziyu;?U;}CK(d9g2xjNyP4}TQ0KSgIY5tUW-DshE&WO(pwzZ{jVvyiQ_@FrKTIZo&B zd!5>K_8Ef6p5@Rx&JQ@gvNZES=?=GF#wY^5ulIt|&=O1-8B3g7TS4WKpETfN_Kg=YB+ zhn5gso;GVB&;D*?l_@jqI-sa1-UAZ6D10k@}(}v+AV2 zi3{|a^WFgIQVMMCfQcPe{yD7RmiTs#q(_uM8obxP{BSfxZkoRQtTyodj*yhupyxk6IrPwc$Bc3%A^0(7$ReXYj7hy*Bzf{#YN;0C!yR#N z1BKLyxKbTL*4_5?-etQNoL9eCP?%H$Uc^H|?`rMY;6c!%>`c#VpJ#$(1w5R*=<>#~ z8{^gMKfX_LjTM%x^G+sm=YprC(68j3VfCiSGjfyI08+^di@bu%oSqLeMTheog3-R2 z-7}x0{?Fra@b=8BTHKQ6#(aM9)m|jycPKv@KEYebi* zSI(|Ac~CIb*WxP2uV{aNe=yG}u?p3vZe|=dCLjYd)bJ&rwIRriMS%pVqj*$vPLpyH zKW$E#m+yNl2>=(O$PSgUH@ZcDP4aixiv%d3f66`Mrl&A$_oQ!vM_ z<~)@>)(cklrb&zon@ENMk2%qG#&y@QYsVApfvZQh#03iYs;0eKAI>?P{Xo#0Vpxna z{D0Vc&#)%5Eo^v1Q2`MPML`9-fPhG^A_|HWX`zLV^w5NWfPkQg1A>*_6r?2(dVo*` z0i}u%S|}ZVs?>BVuYN1Zd1e?mW0JlQZ;_Mva+w$Y=y zy0wkf=}_P2FCJ^RV~8q{@P{R!e6}-_#+Nm|X4Ku`bI>xC^4qwLF2~DhCT@{==9O@> z=etCdj5qP{R-Htd^`&E!gdSPHz{m6#Q5W@7uCc5he&wy++v=p>a(yJp@zcCtT)Mng z>qYSeTib4S4<*R?0g7E!8Y380BIV!j`dlo{N*It)Y_G!CmZ>h^UL z&_yj}kab#h=a^XyH$^`|Q#-So(>0QBN-j9MoiqNTeWyw^t!(1ZA2sj4zj{$c3+33_ z_M0m#x~3L8G2mWmHwV=a)IFWA`rbmckKS?QR#iv3#&JtoCweWYkk3tXScm=rWc>T9 z$DCWhtw-FId0QTTj^H-p_|&cOj*KVGK!`I(Dqyfo*?5#As>!{^22a?Jsf6Z-jqw9M z4^OTS0FvRB2$|!Lwfz0J?uZ#{Por3TpQLmh@?H8QA!E$%?hANGEObHI5jJnCMSa*X za)Ut;)=>Mhdt^Jax+$J(z=_lf+2@S)><@6)zpueB{`A~{yc~6sVhfd9-lLam9;jdL 
zRhXfhZM-agw1wtB{`J58@ohfrnS|F8hknSue!!^zL00)~7kz}fH-4Me&%W-z-j%DB zW*gCS`-t;jzs(Pu{SJT^*nKMhxs`s~Pe1<0UmAAZ@WHs6|J>L=yw~qfQSDAur_#CK zz}O$(;a?x_pLP7VvvQ`f*3P?w{{89y`3-l9Z=pe-e*FXH@~8Lu$5a2`LjITM{lA6$ z-;Vs#3jFVA|3%38A?V)ue-g;9Dqss%_$=c2 zcqtE2GG4c}SXGwQ7i_ALOP@Q4UC{h;!|KzrWf-j01pXFw2vWnmJsUEE(Ox_XZ#CYP z?ZhtTh(XE`V8B_AMBW(8{EaaA)3w_pAZN-kUEN22%o(cm9@D%Nk?0J~ldkVC?ubSV zF%`4Lv>SCyOWnpaU7@mwJ}6{$g7h3Jyy$i{spbMZGEdt|=DokY8^G!u#_cdF^W2fM zr9sz!NLA%Xo`iQ*G%dZod{gMwjA{POuMPW5>Jq%CY*!X0(Vr)~|9SiTTb}T*`{bh^ zT%4QvA5pZ-JGY{-SVO?3nSX^m<^XN1eHTGBI$I1T(FJ4?`SQ4!g!1-w?>;Qq(Uc$~ z^%X;A{KksLm}x8F2~XJg3~uOT>X}vNIxKcuFwH?>En$fs_;FMH`HMYQfyC&Bac21w zI)Kl>+SktO`{-Wp@af9U3Qr&pHv^4{oliGM;>O#@qdu}G&tXb{lm`Kk=xC~yIQEl< zlS26OEIL!q>TOy98!=rMmz`F;RMY|It=z5(r&k? zd-yA%0@iRC2Hu4X1PN5*wE1*t?UiCGnfxeu+lc}dOG%zUchpq-IvndHiaW2?)tQC1 zPPp}%F5he3PAbfSH2--xtu(9{J2Y(R>ODDF^ib-^k0gpeha&`59=;T9@f_{{bUU#z zf=>uYb4m^Kh?v<5Cfq1TFM^z{_uO~j3KEBEHoi3qqyi$F3VEiYMdcBI$`9Vvm{bYR zq}N9E;Q6Cj^h7b;?=f)FQe8({hDQ?pL~HIdDoac~*n3=az}jmLAgU+?hcZyOm_Z;dPpCiDzXu4E(zP zbg$2txa9RoKcM`JUOD7)IrlYnZF#O4BqC08V5HgO{qnv3$om%;x3=e5Dz|5$i=MBF zS+^YWKI>sFX&l1J*N6U*m++^ZBBuj6c7DUV7JAheufUC9tUZ**pfaOcC!9z?l2x!z zmzr{z&?d*1doQX##+J}>l|!{>>i=hyJI7|@DmAY8eLvf^C7!X(0{00#c6-qNA5cpsijwJzb7spXMG zrI-SXEG!|X z0qN4j=PaF-2gRLVAo`i)o=ZWyMW7KJHb4!mzM7S6*UIU;bkrdVAZ{I_vv}_jH%PCw;S7BT76$)^byv6vG0G(kr zz){VyoQ8(>y#*OSe@wO=tnit@t*^}I4^6Bvpt6A7J!lgluM@p&mdV{|^BPSQ3SH^{k7QTQ7!+!zz;GFg zQ_(a$MKdAKZ(nSpjnjLzUpjPaM{~Hx8h(Hlq+!{u+%^dxC_NQux@Mxhfa_@?wUD`M zEmcmtU$GP-nFs}y>ph(c(Jw!|e5yRvHwSL?t{4f|;maYY_zB&QBwCQBMKOBxuWqcb z#)7-qz?;x!JdX|PQoRUmk#AQkyWg#iwdFP(mfBf(5i5L`?eD_B94iuD9=s#aU+1zl z#mimq--q`eY>AhO+-Fy@X z&Y^YYq4ol0GXb8U9MED7KZW#A#9ou`!!1#LznK1fyNLdo7yZy}OF~swEdb&8JTlg` zpwDlwu{HDpCzh%VMv!nbHl??4lZi4;#wYWK7G`=cPNl--i=--wLvtk7FrkTIp}%=x z0GuNzjAt=JT+R0VJGWA{?iQ~)A-G ztdPk4TXZR~c|r+A)OISx1oRSw{+QA!Qe$~xd)_wUMpy@V1`t{s;7!PI_!10DKA2!k zfM!td?li%A&p)f$Adu)X39y?*ujV1A#C-Fpcr-y#69rW_vW z%)$}kHW!L2ON##PoB?4NJgv|K#~r7iIr*QQ+lrHA?w=4 
zv0Y}@FRZ(@6O5!>LF;i4MIs?oa979#NJZT3w(Y6W&>0r7G$ztep2rjXlAV{}Yp5O+ z(xINYfi*fF+0MEP0rFr7`Z^j&=SGL&?JU|jB1;7DRSEa`S`#iSeM z2Detzoh@5GIMn@!%>60io8G10)9tA4ySw5gE%2~p=bD79`ifoJzNR;RL>fG8-kY_- zEWE+n9?;tr_1f|74;#b@-ei%hE2P_hDhdKa+Svx^sN7XalIrD#~8quC^J9TB|!_u?MBs-I6I1Ra2)FAH>hIxJLKoZA*3IF zH@1o!BaVE5%8eB~qJe7b5TT8TH1^8SFddEIxq?zHh1^=KG3=4ljkkMNjV~tCT&bLd zzUMH^8lJUA^6)4~0=O*`2A-eDF#=kUFwq`C1i?=8G+bfp&*!i^-eWUvl9@CMCm_;2 zs#{>(isl1*;JMI+$s)k}$KA!`UF9nA$dy)ocGs-Ny?S_ zUxhF|c_}3@8!*_A0(Y>(`+>CUoZg&n?_q9qAFwV?OZq~dmZkcC5W3L*Sp-9~F-Y+e z0$$`~L(oWtgFd`ET`AUjVe|Gik4l3QK!4pQP(^0lCv%3KK;AcubQdg2)Z!({=~7>c zb)Hr&KoumKc>9}DgQHsoBfIc9`dBI%Z@twfei1}*H#!MMv3ZW-q8MP0Ffyl3L2B&2 z3hiyFlmNX(78{Uy`XQ+y8IAVDH}pgJ?O9xT)Y-OFz&@h;@*C0z&qDQNp7R7^L++3Pdgg*iOYMk4tOc$a(R>T#3ML~kh5D3)tG{#B&>uxJ1IcW;Rh z@Q4aMCKu^IL|~L}70SrCKC2s2^MES41o!+o$XQKXV(a(?lz?UbELTcJ2q}$-njkW$ zYhxdyq1Xfp3xG1w`M183H+o(FEb%#qkA=Jma@A_2SzhtpHh<_W= z#k}d#Uwo9`6MBCPoF*&fr|ZnGfYFZL(iAV%WrOKq;niWL=8|>LJ&s;RmKl|=L7is_ zmVhFDI#0UBdEmNy$33UKubW3t$De@ZpxM)owUxpI-duwMut@!Z`V zOrrEjFdvH5_)kgpA2pfW5kOk!?lc{3$i5R$Z{oXrQt~y-|9cab#@>9UmI3=!3iye0 z5IlRP9<5iY8?EB(2Y$aTZ}gQ`w}7l53hXL-ihXQWpDsLH>B$>)#FWTpMpgRG&!&dK}o+NUN&ai72dO=U@pr^GR zyS2xcw@=(v^!rbH7)z!>)uZ2dM8>O|@N{S)-}E&NIz!55#f@X_KBY0wx;4QnyL=&7 zv~uZlh!%}UynWxT*KOO&{#0=Na}Oc^qX7)E(A%X&6<&z@TQ)}YSSmiPd|C};VC$u~p)DT|?!_h^BGh~TU5w*O zL{iRHbBgNrQ8PQ`y02E4C?2p}% z+YVsLF7dO!b>e=uWFH{lruv(Sf_Cip+Wn_J4Fo2+dZ#L41Qt2(7y#caitYh_?6*I? 
zVnN<8px>FF&EJsjAryF-db!7X*MVJc&n}8NP(DKYx6J}M4fyy;rWtP?W}00ef`hyHH4fBSV@06THpT!i~jd9|F@byhM)gP&;GYJ z|1XZvwG%S{jKw7SuDm-7oM_+<)@1^Yi-Bns2t_#6cYP%lP}Y;ZoV@?p_5R24l&jqf zs(10l7~cK|v@kf=7UyKpBb-jsAIL_sm;Cy^8_!htah3{GP7HV^=&E?|Ir^rybN?Dm zc|^%hb@Ud)QcuK_d~DZ0OdTJ~)f2ct(-jMgVesTk!|L37Y_LQw0Wn^J5s;t2PTpj_05>SB@U3 z)FAgGshdHOqXWrf+EKLMP0P>aNmp+dh&G#%LJ>j3XfHuRC<3AnAwGkGa{$KWk#8%A zhDGOsO4}8Pzm$`JDx60=beasBcux2$Jv$W*S+KO1sM{2&2q_>DNbaF*wjJWCt&*k| zKS2%N;PheR)6aY3%L)ug(mvNS6J(D&oE<#7B1>`h^CjdFvJ=Rq1RW?u)iwS3qOT%< zePdwaAX;;b_kGI&=1$<4ymEG7&ko5^vm4SMA}hUCM5kr)F>(1|v) z)p@G5c7F+w24VqyINf_nmzP^bBfKA;uTv=>-#ZtW!C?T;@Q@ZzLR_JUOvQL1O#prk zEvr<|qDy{AI2F( zZ)arhrnlNWSGo2rWb%|gs(AdozUtt?mDj<(1s8vozwX3%Zr^i8&fm=}tMvKq(4upz z!kN^8VT{43|K!7iLQSe-{WpAIy1<2#ggx#rlxWbQMhI=GM0G-Y2;Gu+VbI-(iaWxx zgg~lRkab?wUwm@qh#=V3_$7J5Wc&zGhd42Qb!EsTjST*#%NYBjH zIi6&P%D}YrzEo(*&VIiYje5(-DcdLcl_v+KTN_>d9;(TA?%2#{J9)#P>~l?aj5MOQ zB?n1-e}AbTnEW&+0&n8ZAcJ%1{5z@7=QmP+iJTJyxo9S=hwg;FF&Hu<-6)nKl+xn`MB_Qy8hMJE$3w->_VHT%CeTG#=Igh@kI)LIZOIo&l6P01J^$T^w2tB7t8^gzAoD_WCCVcjoq9bg+3 z;8l(%6+x}(9!FL|y~OKeoyRHac;qQZoE0SFQ2DDLmNIcSzoUs$*_1S%la?Z`!zyTz z4C`FrG83gJZWm({DgnN2L8{2~B&4Icuq+9~$&r}cPe>jE9Nt=nd16f8h=_?6S%KMO zm|xNzJy7p5rV7_N1>nrq$&S#c87=mLlgPsbj*4{Sa?%*Is>CT3n-ISYMWSbE%UBe(@u_r6x?ljLONI z34w|ZeL2C|Q|z5FN1h+8NU;ZyDc9(9=~q$_$yzcEW)wbn-2eKosWdNW09DheifuW` zmLTW3%RVIvU$p>ZEQ1(teV)<=wM`S~uN^y@(+8QO(j`&h_AaVs>2>qk2ZrTiis$>J zD|yYu1mdiCa}Ws^=Dk*-9ZCq(ea`y;)@cnOo9-^_cx(hCzGf(LejN&K`@7jWyu(lR zSUq;r=eYUULI11BEKa_wIF+l7>3g3f{ktzokNF9cm75#G;7Vmta0b1oE7h^|n*EBn zk=9b$xHaut!g9Z1sprObAOnlRbDOj7p=#|(xBdvdDXKs+0eqpYr2JNpE zK?zc$bslGWPshj#dFcqt7FI7G_ULOHQ1-cEch<7&dou0f-Thg3&d78S!Z|9M$uRyT z?MQ_{6ywt`J_&&*Vk*Fr6j{`MCdVQFM~R0QUpoHh&&o7e`x!N;vS&1 z(y{YoU5e?O7QIbQ+KcS+oY<05aH9>Q|Z_*DW%NP4)WW=MTgEz{kGe*<%FBU@cdXFBON{|7IYil z0?@tIg))>(raMrFIdsY6JIY8$XuVflUPGI6Qq<9!)Vk4~2GUvU4h6z(w{n~nikw?5 z7uc7lWlteyNdW3QNd;W-9Ra`2`-?UMZ6gO3oWR{IG;9qapoZx^ZU4GN zRTqSI2=B1Z2yTum$8Azzc)sL93`=FE&|!8bvzX2$6I$aBHK!TvIeHx*&vA5)vxBbe 
zXe?)eB}p+b+s@2#1aecbQuiQBBcN_r7Q8aqG z5*}rFc&H-~XZ9e4L7gk@y(-ET>1CFmTI8gaqVMhq&*ap>o$tUh+y+Fy$Mk(*lOqMA z7O#Jcvv2LGo|U8kTesa|+99}+ZJERD6F3jx?7P7Q>teox*4I}7=V=|sk9B3MkbO{5 z_>V@-*>5{m^ZHD%4AMZ3;LsUA5{CdyU>*9w(Lw70LeqynKg)UQnwvm&$uN7V;RT-e zbJQTOam`yxGoRWX?a)@h&vzWTJ#(>CVAX2f520g9x{ZDuV8_yBU9$`C(k*(@;ptCQb3WiWiQ zizRGsUC-r7KoVu2;}!p!?J@;hhr+nh>G&Jk;2IK;AI_`WyJvFRZ?iNuo}9s8RkNzj z-l%eVI4l_}%$i;8Udg@IAsMqW@_EM#(7HlvXkIKo8`XAeeZGs*g)3WYG}+h(z4X;p zP+xSr*cS?6zxF{UVN(ekJ#zqI>hr_$@|e|#f__;_EpwRnj*dr-9rTApac{Ik7*2_7 zB8n-n8|zf2SmtdmpK&n7PbHwfW~81ICNyYSyeCZs=O64|>6*}uq&!<*zrbFvZzM<+ zO8TYKXJ8!*hL`l{i+$$ndZk;p@5%{5I1%aWqPxEJ6E|ekplknG57kBAM2^3inz}i3 z%|edX)FTTp?>6xs#{`mc=YdjsKNgzy|0wK#|KkgDPUI3cri!FdIU2NZo@@w9_%hR*(zog#75PT9f2q1G9xxGPvy z+%Sz=xz1vNjMw)Za*3}wi!NV_lm4L-@aTjbc4Ru@MKoPaTF1^%tEH0vF}LV>wO^9b`5f)o^d1HPdJvw zn|>_2arF5oHgHkoTctQ{Rkl1l#l$mx`RI2T!zwVhLd^z?{CF1GAk}_WJiETCF;E49 zb+}>W3ALy#Jm`aI_EY)M;097T?Di7p%|G6mWlw@+!`thoR%Gjn^w^HWc2hxzqo)FW zxjyo^3(3Szy-s?xTPzu|Se(4CZIOEalLPGe!@}?}bk}?Kt1fZUJ|dLf z2<67(DllSfukQOh*q#-NkCjq`O4%XjND+a=)Oi5!tJ^h3`oLJ^@yV_m<*YxI&5*Ue z=bW_T(tyKIP|GJtuW9+Keli!zw7U;tzm@R_0<+jQ#_A(poATL7PGrmX$hCeE(|vAsll;~n1o+` z5iC=>d{Ns$z$DGn{unR_T=Y=sPJ26N{D>+vOwVpu;Y!~U8bSBVHitTlD-;VFoSH0+K z=+V5f%;P5W?d|c&%%=k(a4Xi$#)HhZzp}y`28t_h&a~OD&&Z7srn#`#OiqVa_N26x z+~7I_|J2Hd$-B!xxf+)sdLpFzfSadgdaf%shvc)}kj59kC%%VL>jh_CL}9hgs%v-= zum#em#z||hsxNp?fo9)c~qY)7$ zRp|vR#BoutHxKsqhBMwaoX?GalCoK>ex5%E8+6qUjG=K*aV1w&dTpTJRL}dURC*P%sJ1CJ;ggEd4(gg= z4u>oisi>EsQYpChy{uPkz^_lRntt>%K|c|#pJ6L)8p;q?P~xp&7+6rsR@*P+VTekk z3gtG7Qo0?(`fvN;Ubwf!NmzkoP%(UcjP%VII&YrPubWIArzr)_<%Z*}pR@#6pc_D> z>BsPk_|b6k8JZi%&uyMR@}9}z+5N&$oP$-^pgXTt*3E^|`sQ1CwyaiCIpq_1jZN^- zG1`pyT#=z(@NPE+Ujffjo41dT62I|-@yPX;kLrfwMC>Et=YQioIrMf^ENqp*W@Yk6 zD1R{A!*XA*H;5tN8b`MsC!y4!yaLJnmy)}pV{pH)7@o3K3efhu5Pf!izPd{(Y(HB! 
z06#&)(B&#Dl^Th2Z35JRd8)U3oz`jvM;;wv+`L5DW5$DOU9*l-Y&EG_2A;A*_RHFSVNnG z82m&L+-o+o0j-CB*6eQT4TKOyiwkwMZuGlQwm5aoPjz7K&l=6$)C=XN!wcr-we>*G zZ@;zbkbal)T2(5biK)U(RGEwFkUfsW(x@GVOg*(} zg0j}m_Uus0yJj%DDl%*@2ENxkiC(+%Tj$^uFtE-8QLiu`E(Y^3u!Xg8fz{>=1NICN zA$kTcP>n~|wBMBjKe0#OHz&hIc@yRolThGEie*{J7~4TVPOs~5iIym2)szFa3KD0; zJD3>V%IQy_xN**!{VJQ^8vRN=!7B@995+fYbX)ZHy+QRdfY2l9#x>LX9hS&bP~r{50X^F+~53!%g}8Dcb8Z%x-l?(hyRI}4o~MW z+F9c(4ZW#fQ}a6GU5Q)Kp|Loee&8kghhefSHto32^k{i7yep^aPv=cM3ox{3H(pAUS91;n03 z(Me%W|E%4zH@{q+12SQn43nQfK_fg~iRMKySK--+4bP?Qp|Bx=E~*>ovHQUcau^`b z_Qvki@md(l+>lP`%L)Gq22h$W69d5Gt~FS`0rqJR>M16fzr^V6*h1-1Fv+;fQ-W$c zENYbKEBx}BHflSFyE{GlnSv;!MfOjlIk~cykvJ2DCxAgTuAlZGu4ZXZ29^ZJ_+}`tj%jHWPDWll)$4?lX?w}+S}Ms>5i({ z0OXrU38akrKoBG9j;1v@VjJ;8<9=SOC{>(=eV=a6swz2wz6ZrJC9mj^JYomImpFo- zTu#F^);g`kgdK;KRl{(XBliB}i0t9Y`Fc=}>pD&1MnOlJ^lD{4 z{*=TGPbT|khL`laG-hy9S42>c(;S_i3Dch7@755pFcfE*x^nb!wK}c+c%Ak|bx#M} zl6HD3)ei6)wbnx6h!Qu~{_i~RwTs9~(^{fa*#Q{ZpimAmwY9V3oci&u&~n1))|3>y z`&yA*_U+p0R(hZ9A`AAU1wd~p^WQH8zFIuhU-6+?_W|J=igp;fQP+wL8gBap*%<1t z7r%sl6nA68H^sq&^mFsKOCaAJNwLWA{sPr4Nx>cWi{a3CUEnuv-f!D~0*gI_3_Gxd zY-r=TCyFFn;KO~<2A{LAG#_4w;*A`9pCf(i=58?G_TGYeM&hvz<;=9R>D}B0X)nlv zfn5^0uW!RCbhARUJB!DZcH?J^k195wXY1(G8+440;8!iMwOKf0R1fZ{&QKpN*7hfv z1lOL^pl?a5mfm*r>`c$fH42*rj{}{(>#o+Ry>c%e+^H+_LGr-csP{O$S?Db8<17TE ze4|75FRQPFT5^O{qHhE>{ft<$=gbpWuwRSy4*E~f-LANm;c3>nSyyl}vpIp!TmBdS zFEqgHiSb`=7)$&cAMV{7~6GRtIj*QD*#q7ohgAa^*A= z&#eBeyY~keu@CTvQ}@h8{<19mS49?`|G0U2VRSuJY<;n)HCn@by)x5 z=Wn3l3sI6LnEv|A{P63qo&k=|o?!A1fAz--{`krt11eoB^z-%qzDRVCX6={H{n_sR z;~PD8fG>mz$-D617wIMJFZnY%|9#!__}~jUXe|7#p6$11e}b7SM|Eed-4E;b!=Cu# zQ{Isy!WYWtYuNbji}b(E`G3ASc`~a&erD&pGIly2nzBIPV9$rfL4J=_Y_uI27rio1 zjRn5Gt{w;fPkaJC!}A$3iVBgtNY`Xg@j-jAAkS7En_rf=2*eAkMoD^LSwo50%A0XFJZK-4+)`^gl@b9f3NZ$ zpu;zR``Q>vqfiK(%aP%aw8dTZN4%R5!*Zkpj^NxpWR}by2qjNk`oiE2wKX7OY(d|6 zs3^+wuXmdI7WnwQA5}-5iXHJc>9S7QOps_rf~awaKe|(FRSXwd#9)|X>VHtuEnUWV zdZ4@+dQy?2-H?V0(~B{4&5yO8ZWI0Lk^((!%55l&Y_B`OY;6%_tg!8eSHDU?0j65+ 
zr7+zLbQ4TY>I?>|`nC#IenT5X;x}5pDgPR`K*=$?1QIw(6i^$Qh3z|=Ois>Hq5l(` zmf+Pus2mEDia{8$v&2k2S=uAN3s9avqdHO|vIUxBXH*V}VxlsDfY9K@G9T(a z1s-zNYG6yXPYAI?^9?gPKsc;TFzo5Tp&E6%_|e3sOv94%mX*J=NeaV@xEXH!=D6|0 z`TITGv4HxYSlxe<|CYsGb-mSzrjp^k4WBEAeZe_&;25e|AdsJRrnp`a-Tc4#|1oC0e0IyT6hE%7?uZ>*Ojrf2me}7sk3N%FK~8 zc8WTec43{{B`{|z)(p=x76yVnF^ZaqV+!sDOUrFQs@n1pgW3t$LT%nfkHD`bzyVcB zA_9v@$YaW|bQ7jT^vs|e-Huqtx!l(fvHY+Am2Nb`jwTSMOl#yM#(W#*ynfgJJ(W>F z2|G1S{*#$9adJ0|94Ua3@as*)!UNq;7@xj)cYBZZDa%0mmDB?NES?Eq6+4g-yxJZ3 zJeMsxT4F>RRlvAcM+)GGe75anEZ=pUd;anaXBNXBXQ#1&o& zi8HZ!xr2y%$RT^X7|Ww<%5gvIXj$D}gg-Jl0YN1e&WMD;NhMS74vj0(#~(?b@2&HD zslJ4OrbAYC71f-RCL@VE=o^=xc>Ose->okZn_+qA@SckLl!L;*{YQ3VY;zDS;oFffd(0jD@Z zD`d%tiGR11N!k=q5v}SBnJ0J-M>}eCrq+5|P0G=EJpX?C=HBj8GDJV_l%Bdl*?0D+ zW}Y{?zl`GQpJCXF)MQ)4riztD!WY&)6L~?e^%!M@$u=tO4Aa8nJQokASaSM&f5M2V zv2QDG$KCOGJyGU4*97*QlXm0RBr+fDE*g>f>wN1EGMK2m|0^?xyLPeBLq!gDcA42Z zjo3y@(^atfibW(I_pj3{2-hVCgaPfH!t=qcD^>kFnBWK_fmx&I4UnAjj$Q?#S`y*f zX_Y9`;nqZ_j`$g5OoB(si&r3KT);wCmj-K%bG3T!=gGR++4Z(O}5l86?F<2R}3vpEC;PjF(wQpd#t(a4+! 
z#_%sG^aH^A@16|;l^|!J_J*iSHp)`k^V^Nm3X)OhvRxS&LeTqB1D10Qmo1ub^b$tM zl!eIwz5aLnz^4oA!F%5Z;FB_Ius#VRe=HKW(9Qu>FegOPed0h?((0tg^}~Eu=j6km z=7AtDH7lk=2$6SE;vGmYvR<|3%6njwvrMnIPUKlOHa+LoYC>$#x61W%qHZGUojVRW%RQ+j4Z>YWEZ4>D&N3<`Lc`an33iA>y(QUNv(>-F ztf=2Tgy@l&0r=sErMfnHs>$ebm#m1+O^~T4DU1^g7Bz>?QT4{<4UMq&IO~f>Ql+VL z?XIsjZB1||bg}rUWRp+hogP{aX@sQ0cpejKM~21sn(aoBbxVA(ja*lO3Ns<2?ooGB zv)whzJAE|*?0J(3&y3p3$#WU4o#2!BeUl=!Ur(wY`>3+Su|x2(%9X;MVchp@j^96E zr?Mx7`-=U8msuGZAK10nEpRMCf*pJAX{H=Ynfl7EyzOPNu2#o$Nyj+v>-cfwOZ{J_ z2GP^s7AREoDs_M|HQrl!x~;rZtgL3*r;_E}=IVtJ_fn2;G7=fLthf@sy6V6@*Ph>7z^EoYb* z{hKRwmkzl$32N-Q-lcV#E%FqNX}KN{WU3EZ$L)3A?#}!G`=Ij;i>~2bt;^5$5f41j z0p&a$w91TTwV7ue%Vz8J7W4bx5w{|GVezq7&+O8k?$ni1U%GQHaoAX#JjH9yId9fz z4qcLm^LM)p?6Z1L#`n}WF&)hT`jpv3cdlT$h`EK}ob%c#{?V=0j$kUbmQNI(^qxQ{LO=y$MG##VSxpu@vTRrMJ4I$ z9-Il8Y3@z?=<%Q&WF3{;5}53+=SN7lb~LHERBhSOVJ!X0!1(;pJ+IA7e|$_oJTW<% z@{l_L4$}rs)}`$G^bY2_cZ;sqBzBILusnpA@`$bui(ApYK|*&HcH(BZn4`N^5F86@F!i_!OK8{uK4b;fgaK&5_sG zk^?MEoy%z|7(QeA({FCvD@sz==~QeX;!H!ho`3lGIRV_`_J>@uT`YfM>iwFQ?H*(T zf&+JBnV;yViotn_2P=E7PNb~Pj0Mc@L^+hz}}#{1MA8BQ>- z+N+UU%v8cZsUVxLD19lD)>VbtERiHdi%t-U8?db?xL&S%*|z)GcA?XTL$-%@rhu8C zOr+wXAiqV@Kt-Cb@WY+HT2X9ajthcg$x4=SmuGnb_$*?Ctkp0~SI)J{9hneWIN=?- zq4`l>%|7V3c*#wPM{gS$c4ZzsmVNZ!&)pvn^gBNdJ+a)rJl=t6pB`zVYv!BZhR4#N z$)>=>phxn1r^&&14^)r_DzpDY>cuJj+z5#;Nyk3ZZ=&cfpQL&H6+CmZ`k$7b+uOe9 z=AJOk$C6k;vu1gZvC^moBUx;4o}nM4$XOrrF6qTeV(nDE#!8(l#oy2T zr7825+z6DC@Pj_&jt?BukRR~I;THoX;~zZX-oxQCl1fTEbp7noL+ZYI%iu57UseEK zcL;n=$`ml?r;&E))VHqv-ZM5p=*UrcUqg<*{2nR`snjV|2iGMINf$ z^syJFl+sR0&%z%6la*`iseT(pGd{64%4@E%56-z!o2w(J&%1`t?#}9|HK>aX39g;h zT{dRM?CsyEm18_C$Bk-cfwEVqGcA}>S?hVFVTh;AD8M1SB5MCsCA1mL0vn%Q z?KvF4$9Vcvj6qsKzs7SqL~85Ee4`|>mxv41omlGUB6jMuvu`_OE_NBVu4Wv% zqc8wqzd*{cjmDvoZDDm^8ct@NHFpjs>?C@|*dC}#O1|n{Ahfy!?ExlnLAtnzS3&%B zmzZRj?Q?Ig0VTualf+o2sWQ)vji6ulMisu(l1kf9Dvi6>FvX1VoTbTqntrU$Sjke|!AVE`(rS6nH{i%pj!CAFYt{RbiK5S58u@d-5G_Y@uiLG1{?; zPmw!XcL;cJZ5*Td|FgWm_}5mR4Kbf&YK%y8R5cf7^-g(6V3^TT* 
zogjQPcS|!>?zP^APEzUSSui=(t(mz0^lASnX}8h$di#s^wwhCx7t0dQYdkC{=4P2k zx~WiTEOlR=%2ZUjJd?%tE8Olp)tz%tM%_A8FJW$*JjlEab%=DiXW-#!ztuFHsdBlo=HWTRebQH;r*Wy2 zxgky~CoteAG01;FS?)D)kx(wQd3R^i(&yM2GE*bfm$fwgSTBL!oX@q9mO|*vN%6I~ z_Nf#)rGenE%{E&*UGg|8#H-_~52Shag=b2lz9+%3D+iSe*ZLchy5S;nXgiGd_;_+h zsa8&H{KL{`XIzt5gPt&Cl;FduH?N!=bYVUwI}MY4+w>oV6xn@Q7ru!*mF8v~@*Q}l zbcl3#B9Z-#<&!t4x@eOwme-=?JLO2zZ-|+GVIEk{kpRARva(Rv&L!AhZ_FMZmJ$uV zW2+Ls7n8Aht=F2S{>3vrJj~^YZs_+s`3>|%16$*mbhhOX z8q_ulj{C{pmrAs1Ij3D(Ivd%mJhhHpdi@u<(m#&(NjTo#T?5gZ7lG%pgqOSaCC}zW zFG0;VhOM)#MMhIJjv}vF ztxpATYA~C)vM!GpUd{4gDilNVk3I9j{%Gg#qiwlUHnWDa-dEONQK@u9rH;DXhqutI z8DZQbdog?8J%A(o&NKL~^sh0wZBPA3q(`o=7a%sJ$Ho+w(o&#^4Fp4-x`T(`>!8C) zu#BA}kM>}cYMSCgKv(;421Xjcsp*goO!xk;OuQc+6xOlhJNrGspN)Lfih15 z0SnyUIqeY;>|nU}5$ai<4b~^)xA5{t18YY*nR6@sHa7%W+s@hS}?h_ti0lJb3{)?8*eCww*>j=^T0eH#Att3N7K|P@7*a+A>W8U zC*l7{2E4Xxp`{q-yj9B`p)1>bG+k5aGiSmm)uKSbnNKEm83-LJQr*nyWN(bW%P2MK z|E!;{``CG?wN9j-SA3Jf1}x~^P#$BXu`r>ToW&437_?KNza5mpbu|dFbrc$#YjF(3 z4&{@z-x@C8^cB5y?F%RaXzj}PDF|k@#o_2PJUKd;%fXqOMy&={XoO$Tx{kPGITi!y zdT5XM^=rdkE)atPLDXCr>&M@%85AL?%ea!_7cftFx}C(kdJ9EI1UjXq-1E~8OJCkS z8){@!P(z4k5X1c%suUnXJ0DK3*c+<)Rfte3k(7Z?|yJ`J>_PNJ6UTk*~KJ>5Zt$qNc)ILk+XzPB*OR`z|c{!D)U-D;UvjlN?GT z?<2Sezc=ewuon>Dby%{%{T*;542XKmL9ANmt3qaM$F5cgw)3_}QK|KuQ(+th9XF^E9Z-6rM{P za|S-WafRzKb^5V&ef)kyWYe{YeR zK4cUCAg-2MoGeiOazhkbYH#ndT>sKFBaw9_VPEvn_n=$X)UUe(ug(nO<)hUt7iCkP zr|6vV-g(7>{)71Scu5go%d!p|ggr5o07LB=KUiWn^Mahchwhw67xV&xRej~FHws*r z&seo;4n^c*-8tJg;3e(VJ! zfysuYV_t7weI|YRtVbdY4CeU;cSX<<4LzW^zlX5eZz)eoO)0#Q*j8iyF{vp~q9w8f z8?tx|f`4QO$?|oA#AHEx(xqqiw?uW^Ib8>Fke>R2p0Zcmz3%CbxtjQvMy6tokO01} z)bBORK4U@xM(?)=_(8(g>j_$;B&t-Q{3@7g3?%iAOnQ*IZTacrEC}mCdg7P0_-oHnuEG5Xe zM7qfOA_x6jf{C#k8P}Jnoy{Yes<&K-Dc=iTo%xQqy}wwf zyeApdp{$VDmKGaJXuaXSJcrDDb@xeT3SD_Ot-R`QkO0Oqjn`{i#T}H$50gbWnOeHQ zC#F!jHkQ3=ObKVcphRNY!Ax? 
ze%-rl@43zj6gIEH75;iDoVnRE*m|3NLM${~#OUkB626PY*GFG-81cH;PX^}Par(ZA z#w}a7-vcvhMe7xiiCm+lAmGFKI>y8UH9_CsiaRPLhmMAN`+R=$YayXssLC+fHMvUg zI=yr6yDtBcExR8K&u?3W#k&B0NHUUv?Y)9x9}FKIk&z60QdJp9vLpbETWA*zz!6C2s=uN8g|5#u3ipotWMnAm zo(Md!2uQbL+o9JE|KCDCJ8p2UaeWd!^W%hh(@NbGoHxAnxuCCP=66x6dei3LJB*Wm zFMjVB;J#!DpGn{CO%Hw^p1J4gwCHKEm!3Xeb9j+!_o1*{zMEBBSHCW8I4oYSUA=7H zhUoY6w2t2Z?pWE$Ec;RHq0DphmlG@7J}sz^t5~6a>iPAbkywWefnLq11&&#)-GA)d zhE9$@?z1y~>x;TXAG!4yShCk%`>|Y2YOnLe29_#gMwc7e>vpOsEeQMa;9zsLabH=n zJI^uO?%CGjdEMelpB}TheK1EKl0*chgTujVwF-@LY8NJE-2T4ZWy)J z4}haty?Vf#4Qx%8eLGwDK*(*4DzBAc-Jc&HfU7uE_a8aGU(jKV>Qlp){VU_Stz))X zWO}OlS!Frn^3ntcKZk>6%O9q5ei3Nwzcpvu`KyJuw61--z;vURMdd;t!`EEF6wh*B z*{~qDVC9*~z*8`JEj&1b1VAbH?Yr-|YCw?hO8S7c;PV}o(^+=;B-|_aKK!P2|Me}Q zYu*|KNdx;CyBrdLTUH+)=C|)L%{o2H@rbN>Ud;Au^}4T5KgQLr28J#-uq3{>>C(B) znw&a6{?#9vT^}#ABGNizbFb5Uv-H`Z&R#;OAh2^Le+YPf!6D#+L0RD1N1@oQz-hp; zl3VY9c{>qwHdd(f=6GCb*?~zH)Hh6>ey!6J5ih7^8Ilvv0>g0I&F~W+iBUXiGIClR g0ilr)%CYS~zoGV8+n=u;XE6YQr>mdKI;Vst0Nny3BLDyZ diff --git a/docs-md/.vuepress/public/img/FW_Insights_Polaris.svg b/docs-md/.vuepress/public/img/FW_Insights_Polaris.svg new file mode 100644 index 000000000..ad8d08afb --- /dev/null +++ b/docs-md/.vuepress/public/img/FW_Insights_Polaris.svg @@ -0,0 +1,421 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + more + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/docs-md/.vuepress/public/img/architecture.svg b/docs-md/.vuepress/public/img/architecture.svg new file mode 100644 index 000000000..288b9d65c --- /dev/null +++ b/docs-md/.vuepress/public/img/architecture.svg @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/docs-md/README.md b/docs-md/README.md index d48263225..f4826a72f 100644 
--- a/docs-md/README.md +++ b/docs-md/README.md @@ -3,7 +3,7 @@

Best Practices for Kubernetes Workload Configuration

- + @@ -22,11 +22,19 @@ Polaris can be run in three different modes: * As an [admission controller](/admission-controller), so you can automatically reject workloads that don't adhere to your organization's policies. * As a [command-line tool](/infrastructure-as-code), so you can test local YAML files, e.g. as part of a CI/CD process. +

+ Polaris Architecture +

+ **Want to learn more?** Reach out on [the Slack channel](https://fairwindscommunity.slack.com/messages/polaris) ([request invite](https://join.slack.com/t/fairwindscommunity/shared_invite/zt-e3c6vj4l-3lIH6dvKqzWII5fSSFDi1g)), send an email to `opensource@fairwinds.com`, or join us for [office hours on Zoom](https://fairwindscommunity.slack.com/messages/office-hours) ## Integration with Fairwinds Insights +

+ Fairwinds Insights +

+ [Fairwinds Insights](https://www.fairwinds.com/insights?utm_campaign=Hosted%20Polaris%20&utm_source=polaris&utm_term=polaris&utm_content=polaris) is a platform for auditing Kubernetes clusters and enforcing policy. If you'd like to: * manage Polaris across a fleet of clusters From f421d7e5a8b54a18bf1ae148211bb672e75e2221 Mon Sep 17 00:00:00 2001 From: Robert Brennan Date: Fri, 18 Dec 2020 19:15:51 +0000 Subject: [PATCH 20/26] always build website --- .github/workflows/build-site.yml | 13 +++---------- 1 file changed, 3 insertions(+), 10 deletions(-) diff --git a/.github/workflows/build-site.yml b/.github/workflows/build-site.yml index 5135cdbf0..3d51f9199 100644 --- a/.github/workflows/build-site.yml +++ b/.github/workflows/build-site.yml @@ -35,13 +35,6 @@ jobs: username="GitHub Actions" git config user.email "opensource@fairwinds.com" git config user.name $username - HAS_CHANGE=$(git diff .) - if [ -n "${HAS_CHANGE}" ]; then - if [ "$(git log -1 --pretty=format:'%an')" == $username ]; then - echo "Build created a diff, but the last commit was a build." - exit 1 - fi - git add ../docs/ - git commit -m "[CI] rebuild website" - git push -u origin +master:website - fi + git add ../docs/ + git commit -m "[CI] rebuild website" + git push -u origin +master:website From 564803c9f8e1a9243b67565f3a88acac068a3790 Mon Sep 17 00:00:00 2001 From: skatika Date: Tue, 22 Dec 2020 14:10:15 -0500 Subject: [PATCH 21/26] Fix instructions --- docs-md/customization/exemptions.md | 4 ++-- pkg/validator/container_test.go | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/docs-md/customization/exemptions.md b/docs-md/customization/exemptions.md index c774d8678..b6ea5117b 100644 --- a/docs-md/customization/exemptions.md +++ b/docs-md/customization/exemptions.md 
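Review bot: With the `HAS_CHANGE` guard removed from build-site.yml, `git commit -m "[CI] rebuild website"` runs on every build and exits non-zero when the rebuild stages nothing, so under the fail-fast shell that Actions uses for `run` steps the job fails and the push never happens. Guarding only the commit keeps the "always build" intent: `git diff --cached --quiet || git commit -m "[CI] rebuild website"`. The context line `git config user.name $username` expands unquoted, so the two-word value is split into separate arguments; `git config user.name "$username"` sets the intended identity. The step now force-pushes (`+master:website`) unconditionally with the workflow's credentials; the trigger and token permissions are outside this hunk, so confirm the token is scoped to what this push needs.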
@@ -4,8 +4,8 @@ many of the `kube-system` workloads need to run as root, or need access to the h cases, we can add **exemptions** to allow the workload to pass Polaris checks. Exemptions can be added in a few different ways: - - Namespace: By annotating a controller, or editing the Polaris config. - - Controller: By editing the Polaris config. + - Namespace: By editing the Polaris config. + - Controller: By annotating a controller, or editing the Polaris config. - Container: By editing the Polaris config. ## Annotations diff --git a/pkg/validator/container_test.go b/pkg/validator/container_test.go index f455ebc7d..470f157cc 100644 --- a/pkg/validator/container_test.go +++ b/pkg/validator/container_test.go @@ -927,7 +927,7 @@ func TestValidateSecurity(t *testing.T) { if err != nil { panic(err) } - messages := []ResultMessage{} + var messages []ResultMessage for _, msg := range results { messages = append(messages, msg) } From 54aacb786f7fc2651caae153cf9a240087b1a73a Mon Sep 17 00:00:00 2001 From: skatika Date: Tue, 22 Dec 2020 14:14:55 -0500 Subject: [PATCH 22/26] Revert version information --- README.md | 2 +- docs-md/changelog.md | 3 --- main.go | 2 +- 3 files changed, 2 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 220d6b664..badaaebd7 100644 --- a/README.md +++ b/README.md @@ -3,7 +3,7 @@

Best Practices for Kubernetes Workload Configuration

- + diff --git a/docs-md/changelog.md b/docs-md/changelog.md index 749947c9b..5306918c3 100644 --- a/docs-md/changelog.md +++ b/docs-md/changelog.md @@ -1,9 +1,6 @@ --- sidebarDepth: 0 --- -## 3.1.0 -* Add ability for exemptions for namespaces and containers - ## 3.0.0 * **Breaking** - fixed inconsistency in how controller-level checks are handled Custom checks with `target: Controller` should remove `Object` from the top-level of the diff --git a/main.go b/main.go index 0941c39d8..67fde74e4 100644 --- a/main.go +++ b/main.go @@ -20,7 +20,7 @@ import ( const ( // Version represents the current release version of Polaris - Version = "3.1.0" + Version = "3.0.0" ) func main() { From 86b3ab5186ae96b7cb7c85c4adc8655f15fb9587 Mon Sep 17 00:00:00 2001 From: skatika Date: Tue, 22 Dec 2020 14:27:53 -0500 Subject: [PATCH 23/26] Revert nil slice declarations --- pkg/validator/container.go | 2 +- pkg/validator/container_test.go | 2 +- pkg/validator/controller.go | 2 +- test/checks_test.go | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/pkg/validator/container.go b/pkg/validator/container.go index 1fa8b3876..25c593465 100644 --- a/pkg/validator/container.go +++ b/pkg/validator/container.go @@ -38,7 +38,7 @@ func ValidateContainer(conf *config.Configuration, controller kube.GenericWorklo // ValidateAllContainers validates both init and regular containers func ValidateAllContainers(conf *config.Configuration, controller kube.GenericWorkload) ([]ContainerResult, error) { - var results []ContainerResult + results := []ContainerResult{} pod := controller.PodSpec for _, container := range pod.InitContainers { result, err := ValidateContainer(conf, controller, &container, true) diff --git a/pkg/validator/container_test.go b/pkg/validator/container_test.go index 470f157cc..f455ebc7d 100644 --- a/pkg/validator/container_test.go +++ b/pkg/validator/container_test.go 
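Review bot: The switch back to `results := []ContainerResult{}` in ValidateAllContainers carries no comment saying why the non-nil literal is required. The same declaration flips in the container_test.go, controller.go and test/checks_test.go hunks of this patch, and patch 21/26 had changed the test file's declaration the other way. If the reason is that a nil slice encodes as `null` where consumers of the audit output expect `[]` (an assumption; the encoding path is not visible here), record it next to the declaration, for example `// non-nil so an empty result encodes as [] rather than null`. That keeps a later lint-driven cleanup from undoing it again. The body of ValidateAllContainers continues outside the hunk.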
@@ -927,7 +927,7 @@ func TestValidateSecurity(t *testing.T) { if err != nil { panic(err) } - var messages []ResultMessage + messages := []ResultMessage{} for _, msg := range results { messages = append(messages, msg) } diff --git a/pkg/validator/controller.go b/pkg/validator/controller.go index 68016c9a7..d6a497296 100644 --- a/pkg/validator/controller.go +++ b/pkg/validator/controller.go @@ -54,7 +54,7 @@ func ValidateController(conf *conf.Configuration, controller kube.GenericWorkloa func ValidateControllers(config *conf.Configuration, kubeResources *kube.ResourceProvider) ([]ControllerResult, error) { controllersToAudit := kubeResources.Controllers - var results []ControllerResult + results := []ControllerResult{} for _, controller := range controllersToAudit { if !config.DisallowExemptions && hasExemptionAnnotation(controller) { continue diff --git a/test/checks_test.go b/test/checks_test.go index 3f4ce9db4..7e493b423 100644 --- a/test/checks_test.go +++ b/test/checks_test.go @@ -14,7 +14,7 @@ import ( "github.com/fairwindsops/polaris/pkg/validator" ) -var testCases []testCase +var testCases = []testCase{} type testCase struct { check string From f1957631b539fa40f8c716ede989af81a9e3c898 Mon Sep 17 00:00:00 2001 From: skatika Date: Tue, 22 Dec 2020 14:30:09 -0500 Subject: [PATCH 24/26] Remove unsued import --- pkg/validator/pod_test.go | 1 - 1 file changed, 1 deletion(-) diff --git a/pkg/validator/pod_test.go b/pkg/validator/pod_test.go index 7ce62a283..4af40cb1c 100644 --- a/pkg/validator/pod_test.go +++ b/pkg/validator/pod_test.go @@ -15,7 +15,6 @@ package validator import ( - "context" "testing" "github.com/stretchr/testify/assert" From 0c398d21f2ea22b440d1b16434aa8cc94a82eab6 Mon Sep 17 00:00:00 2001 From: skatika Date: Tue, 22 Dec 2020 14:58:44 -0500 Subject: [PATCH 25/26] Fix grammar for exemption doc --- docs-md/customization/exemptions.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/docs-md/customization/exemptions.md b/docs-md/customization/exemptions.md index b6ea5117b..5f22420e1 100644 --- a/docs-md/customization/exemptions.md +++ b/docs-md/customization/exemptions.md @@ -24,13 +24,13 @@ kubectl annotate deployment my-deployment polaris.fairwinds.com/cpuRequestsMissi You can add exemptions by using a combination of namespace, controller names, and container names via the config. You have to specify a list of rules and at least one of the following: a namespace, a list of controller names, or a list of container names, e.g. ```yaml exemptions: - # exemption valid in kube-system namespace, dns-controller controller for all containers + # exemption valid in kube-system namespace and dns-controller controller for all containers - namespace: kube-system controllerNames: - dns-controller rules: - hostNetworkSet - # exemption valid in all namespaces for dns-controller controller for all containers + # exemption valid in all namespaces and dns-controller controller for all containers - controllerNames: - dns-controller rules: From a79260a324fd10b80216389cbab0d5cea51ec762 Mon Sep 17 00:00:00 2001 From: skatika Date: Tue, 22 Dec 2020 15:30:39 -0500 Subject: [PATCH 26/26] Update exemption documentation and unit test --- docs-md/customization/exemptions.md | 19 +++++++++++++++---- pkg/config/exemptions_test.go | 26 +++++++++++++++++++++++++- 2 files changed, 40 insertions(+), 5 deletions(-) diff --git a/docs-md/customization/exemptions.md b/docs-md/customization/exemptions.md index 5f22420e1..2f0095ec1 100644 --- a/docs-md/customization/exemptions.md +++ b/docs-md/customization/exemptions.md 
@@ -21,21 +21,32 @@ kubectl annotate deployment my-deployment polaris.fairwinds.com/cpuRequestsMissi ## Config -You can add exemptions by using a combination of namespace, controller names, and container names via the config. You have to specify a list of rules and at least one of the following: a namespace, a list of controller names, or a list of container names, e.g. +To add exemptions via the config, you have to specify at least one or more of the following: +- A namespace +- A list of controller names +- A list of container names + +You can also specify a list of particular rules. If no rules are specified then every rule is exempted. + +Controller names and container names are matched as a prefix, so an empty string will match every controller or container respectively. + +For example: ```yaml exemptions: - # exemption valid in kube-system namespace and dns-controller controller for all containers + # exemption valid for all rules on all containers in all controllers in default namespace + - namespace: default + # exemption valid for hostNetworkSet rule on all containers in dns-controller controller in kube-system namespace - namespace: kube-system controllerNames: - dns-controller rules: - hostNetworkSet - # exemption valid in all namespaces and dns-controller controller for all containers + # exemption valid for hostNetworkSet rule on all containers in dns-controller controller in all namespaces - controllerNames: - dns-controller rules: - hostNetworkSet - # exemption valid in kube-system namespace and all controllers for coredns container + # exemption valid for hostNetworkSet rule on coredns container in all controllers in kube-system namespace - namespace: kube-system - containerNames: - coredns diff --git a/pkg/config/exemptions_test.go b/pkg/config/exemptions_test.go index 82a0ad360..844a754c9 100644 --- a/pkg/config/exemptions_test.go +++ b/pkg/config/exemptions_test.go 
@@ -65,9 +65,10 @@ exemptions: rules: - multipleReplicasForDeployment - priorityClassNotSet + - namespace: polaris ` -func TestNamespaceExemption(t *testing.T) { +func TestNamespaceExemptionForSpecifiedRules(t *testing.T) { parsedConf, err := Parse([]byte(confContainerTest)) assert.NoError(t, err) @@ -83,10 +84,33 @@ func TestNamespaceExemption(t *testing.T) { actionable = parsedConf.IsActionable("multipleReplicasForDeployment", "prometheus", "controller1", "") assert.False(t, actionable) + actionable = parsedConf.IsActionable("pullPolicyNotAlways", "prometheus", "controller1", "") + assert.True(t, actionable) + actionable = parsedConf.IsActionable("multipleReplicasForDeployment", "kube-system", "", "") assert.True(t, actionable) } +func TestNamespaceExemptionForAllRules(t *testing.T) { + parsedConf, err := Parse([]byte(confContainerTest)) + assert.NoError(t, err) + + actionable := parsedConf.IsActionable("multipleReplicasForDeployment", "polaris", "", "") + assert.False(t, actionable) + + actionable = parsedConf.IsActionable("multipleReplicasForDeployment", "polaris", "controller1", "container11") + assert.False(t, actionable) + + actionable = parsedConf.IsActionable("multipleReplicasForDeployment", "polaris", "", "container11") + assert.False(t, actionable) + + actionable = parsedConf.IsActionable("multipleReplicasForDeployment", "polaris", "controller1", "") + assert.False(t, actionable) + + actionable = parsedConf.IsActionable("pullPolicyNotAlways", "polaris", "controller1", "") + assert.False(t, actionable) +} + func TestControllerExemption(t *testing.T) { parsedConf, err := Parse([]byte(confContainerTest)) assert.NoError(t, err)
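Review bot: TestNamespaceExemptionForAllRules only asserts `False`, so it never pins where the rule-less `- namespace: polaris` exemption stops applying, and that entry is the broadest exemption the config format allows because it disables every check for the namespace. A negative case in the same test would catch a matcher that treats the namespace as a prefix or ignores it: `actionable = parsedConf.IsActionable("pullPolicyNotAlways", "polaris-other", "controller1", "")` followed by `assert.True(t, actionable)`. Here `polaris-other` is a constructed name, and the expectation assumes namespaces are compared exactly, as the documentation change in this patch implies by describing only controller and container names as prefix-matched. Most of `confContainerTest` is outside the hunk, so check that no other entry there already exempts that combination.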