From 8d7c45467c348b0698758979fe6463eb382c146d Mon Sep 17 00:00:00 2001 From: Rob Scott Date: Fri, 9 Jul 2021 14:58:32 -0700 Subject: [PATCH 1/2] Adding GEP-709: Cross namespace references from Routes --- site-src/geps/gep-709.md | 260 +++++++++++++++++++ site-src/geps/images/709-inline.png | Bin 0 -> 34097 bytes site-src/geps/images/709-referencepolicy.png | Bin 0 -> 39133 bytes 3 files changed, 260 insertions(+) create mode 100644 site-src/geps/gep-709.md create mode 100644 site-src/geps/images/709-inline.png create mode 100644 site-src/geps/images/709-referencepolicy.png diff --git a/site-src/geps/gep-709.md b/site-src/geps/gep-709.md new file mode 100644 index 0000000000..1e772e39b1 --- /dev/null +++ b/site-src/geps/gep-709.md 
@@ -0,0 +1,260 @@ +# GEP-709: Cross Namespace References from Routes + +* Issue URL: https://github.com/kubernetes-sigs/gateway-api/issues/709 +* Status: Implementable + +## TLDR + +This GEP attempts to tackle both cross namespace forwarding and route inclusion. +These are closely related concepts that can be solved with a new ReferencePolicy +resource that enables app admins to describe where they trust references from. + +## Motivation/User Journeys/Background + +This GEP enables the following capabilities: + +1. Retaining full control of Gateway and Routes in an infra namespace, while + targeting apps in different namespaces. +1. Traffic splitting between Services in different namespaces. +1. Mesh overrides to target Services in different namespaces. + +## ReferencePolicy + +Anytime we allow crossing a namespace boundary, we need to be very cautious. To +ensure that this feature is safe, we need to enforce a handshake mechanism that +requires resources in both namespaces to agree to this reference. To accomplish +that, a new ReferencePolicy resource should be introduced. + +![Reference Policy](images/709-referencepolicy.png) + +With this model, Routes would be able to directly reference Routes and Services +in other namespaces. These references would only be considered valid if a +ReferencePolicy in the target namespace explicitly allowed it. + +The following example shows how a HTTPRoute in namespace foo could reference +a Service in namespace bar. In this example a ReferencePolicy in the bar +namespace explicitly allows references to Services from HTTPRoutes in the foo +namespace. 
+ +```yaml +kind: HTTPRoute +metadata: + name: foo + namespace: foo +spec: + rules: + - matches: + - path: /bar + forwardTo: + backend: + - name: bar + namespace: bar +--- +kind: ReferencePolicy +metadata: + name: bar + namespace: bar +spec: + from: + - group: networking.gateway.k8s.io + kind: HTTPRoute + namespace: foo + to: + - group: core + kind: Service +``` + +### API +This proposed API is fairly straightforward, but comes with a couple notable +decisions: + +1. Each ReferencePolicy only supports a single From and To section. Additional + trust relationships can be modeled with additional ReferencePolicy resources. +1. Resource names are intentionally excluded from this policy for simplicity and + because they rarely provide any meaningful protection. +1. A single Namespace is allowed per "From" struct. Although a selector would be + more powerful it may encourage unnecessarily insecure configuration. + +```go +// ReferencePolicy identifies cross namespace relationships that are trusted for +// Gateway API. +type ReferencePolicy struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + + // Spec defines the desired state of ReferencePolicy. + Spec ReferencePolicySpec `json:"spec,omitempty"` +} + + +// ReferencePolicySpec identifies a cross namespace relationship that is trusted +// for Gateway API. +type ReferencePolicySpec struct { + // From describes the trusted namespaces and kinds that can reference the + // resources described in "To". + // + // Support: Core + // + // +kubebuilder:validation:MinItems=1 + From []ReferencePolicyFrom `json:"from"` + + // To describes the resources that may be referenced by the resources + // described in "From". + // + // Support: Core + // + // +kubebuilder:validation:MinItems=1 + To []ReferencePolicyTo `json:"to"` +} + +// ReferencePolicyFrom describes trusted namespaces and kinds. +type ReferencePolicyFrom struct { + // Group is the group of the referrent. 
+ // + // Support: Core + // + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:MaxLength=253 + Group string `json:"group"` + + // Kind is kind of the referrent. + // + // Support: Core + // + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:MaxLength=253 + Kind string `json:"kind"` + + // Namespace is the namespace of the referrent. + // + // Support: Core + // + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:MaxLength=253 + Namespace string `json:"namespace,omitempty"` +} + +// ReferencePolicyTo describes trusted kinds. +type ReferencePolicyTo struct { + // Group is the group of the referrent. + // + // Support: Core + // + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:MaxLength=253 + Group string `json:"group"` + + // Kind is kind of the referrent. + // + // Support: Core + // + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:MaxLength=253 + Kind string `json:"kind"` +} +``` + + +### Benefits + +* Conceptually similar to NetworkPolicy. +* A separate resource enables admins to restrict who can allow cross namespace + references. +* Provides consistent way to control references to any resource from a Route. +* Can be extended in the future for additional use cases. +* A single ReferencePolicy resource can be used for a namespace in place of + separate handshake config on each Service or Route resource. + +#### Exceptions +If traffic is originating from the same location as the configured Route (such +as sidecars in some mesh implementations) implementations may choose to ignore +ReferencePolicy. This should only be done if: +* Other mechanisms like NetworkPolicy can be used to effectively limit + cross-namespace references. +* The implementation clearly documents that ReferencePolicy is not honored. + +This exception is very unlikely to apply to any ingress implementations of the +API and will not apply to all mesh implementations. 
+ +## ForwardTo + +To enable cross-namespace forwarding, we'll need to add a `namespace` field to +the ForwardTo BackendRef struct. + +```go +type BackendRef struct { + // ... + + // Namespace is the namespace of the referrent. + // + // Support: Core + // + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:MaxLength=253 + Namespace string `json:"namespace,omitempty"` +} +``` + +## Alternatives + +### Inline Config +Instead of ReferencePolicy, it is possible to represent these relationships +inline. +![Inline](images/709-inline.png) + +```yaml +kind: HTTPRoute +metadata: + name: foo + namespace: foo +spec: + rules: + - matches: + - path: /bar + forwardTo: + backend: + - name: bar + namespace: bar +--- +kind: Service +metadata: + name: baz + namespace: baz + annotations: + gateway.networking.k8s.io/accept-forwarding-from: bar +``` + +Although this requires less YAML for the simple case, it is less flexible. +Annotations have real limitations and don't provide any room for RBAC +differentiation. Although it's possible that we could eventually add a proper +field to the Service API to represent this, it would be impossible to add this +concept to all potential backend types. + +## Out of scope + +* Although closely related, this GEP does not attempt to improve the + Gateway->Route relationship. That will instead be covered by a future GEP. +* Although this GEP explores how ReferencePolicy could enable Route inclusion, + the details of that feature will be left for a future GEP. 
+ +## References + +**GitHub Issues:** + +* [#411: Clarify how RouteGateways would work if we supported Route->Route + delegation](https://github.com/kubernetes-sigs/gateway-api/issues/411) +* [#582: Allow cross namespace + references](https://github.com/kubernetes-sigs/gateway-api/issues/582) +* [#634: Request Filtering Between Gateways and Namespaced + Routes](https://github.com/kubernetes-sigs/gateway-api/issues/634) + +**Docs:** + +* [Gateway API Reference + Policy](https://docs.google.com/document/d/18MoabVA-fr5XL9cYdf6cxclqRwFpOvHUXV_UYzSiooY/edit) +* [Selection Policy + Proposal](https://docs.google.com/document/d/1S9t4YiDBwe1X7q915zKO0meZ8O_UPa8bzBLWBY8_XdM/edit?usp=sharing) +* [Route Inclusion + Proposal](https://docs.google.com/document/d/1-0mgRRAY784OgGQ1_LCOshpLLbeAtIr4eXd0YVYK4RY/edit#heading=h.8cfxzle5tmqb) +* [Cross Namespace Forwarding + Proposal](https://docs.google.com/document/d/1_B1G9JcNw3skNYLtdK7lTTzOeyz5w2hpa84cKA_MGKk/edit) 
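Review bot: In `ReferencePolicyFrom`, the field `Namespace string `json:"namespace,omitempty"`` is optional, yet the API section states that exactly one namespace is allowed per "From" struct, so a From entry with no namespace has no defined meaning; drop `omitempty` and make the field required, or state explicitly that an empty value matches only the policy's own namespace and never all namespaces, since a permissive default here would silently widen the trust grant. Two smaller points in the same hunk: the ReferencePolicy example uses `group: networking.gateway.k8s.io` while the inline-config annotation uses `gateway.networking.k8s.io`, so one of them is wrong and both should name the same group; and in the Inline Config alternative the HTTPRoute forwards to `name: bar` / `namespace: bar`, but the Service shown is `name: baz` in `namespace: baz` accepting from `bar`, whereas the handshake being illustrated needs Service `bar` in namespace `bar` accepting forwarding from `foo`, the route's namespace. The comment text "referrent" (several field comments) should read "referent".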
diff --git a/site-src/geps/images/709-inline.png b/site-src/geps/images/709-inline.png new file mode 100644 index 0000000000000000000000000000000000000000..d46e9ac59fe63eecd2734f852de2b16da6c1f61f GIT binary patch literal 34097
diff --git a/site-src/geps/images/709-referencepolicy.png b/site-src/geps/images/709-referencepolicy.png new file mode 100644 index 0000000000000000000000000000000000000000..e211764a8b8760df943f1dd0ad8c1716860c801f GIT binary patch literal 39133
Date: Wed, 14 Jul 2021 18:33:38 -0700 Subject: [PATCH 2/2] First round of revisions --- site-src/geps/gep-709.md | 73 ++++++++++++++++++++++++++++------------ 1 file changed, 51 insertions(+), 22 deletions(-) diff --git a/site-src/geps/gep-709.md b/site-src/geps/gep-709.md index 1e772e39b1..fe2b4a3bcc 100644
--- a/site-src/geps/gep-709.md +++ b/site-src/geps/gep-709.md @@ -5,18 +5,22 @@ ## TLDR -This GEP attempts to tackle both cross namespace forwarding and route inclusion. -These are closely related concepts that can be solved with a new ReferencePolicy -resource that enables app admins to describe where they trust references from. +This GEP attempts to enable cross namespace forwarding from Routes and provide a +way to simplify adding Route inclusion (Routes including other Routes) in the +future. These are closely related concepts that can be solved with a new +ReferencePolicy resource that enables app admins to describe where they trust +references from. ## Motivation/User Journeys/Background -This GEP enables the following capabilities: +This GEP keeps same namespace references simple while enabling the following +capabilities for cross namespace references: 1. Retaining full control of Gateway and Routes in an infra namespace, while targeting apps in different namespaces. 1. Traffic splitting between Services in different namespaces. -1. Mesh overrides to target Services in different namespaces. +1. Mesh overrides to target Services in different namespaces. (For more info, + see GEP [#713](https://github.com/kubernetes-sigs/gateway-api/issues/713)) ## ReferencePolicy @@ -71,7 +75,9 @@ decisions: 1. Each ReferencePolicy only supports a single From and To section. Additional trust relationships can be modeled with additional ReferencePolicy resources. 1. Resource names are intentionally excluded from this policy for simplicity and - because they rarely provide any meaningful protection. + because they rarely provide any meaningful protection. A user that is able + to write to resources of a certain kind within a namespace can always rename + resources or change the structure of the resources to match a given policy. 1. A single Namespace is allowed per "From" struct. Although a selector would be more powerful it may encourage unnecessarily insecure configuration. 
@@ -91,7 +97,9 @@ type ReferencePolicy struct { // for Gateway API. type ReferencePolicySpec struct { // From describes the trusted namespaces and kinds that can reference the - // resources described in "To". + // resources described in "To". Each entry in this list must be considered + // to be an additional place that references can be valid from, or to put + // this another way, entries must be combined using OR. // // Support: Core // @@ -99,7 +107,9 @@ type ReferencePolicySpec struct { From []ReferencePolicyFrom `json:"from"` // To describes the resources that may be referenced by the resources - // described in "From". + // described in "From". Each entry in this list must be considered to be an + // additional place that references can be valid to, or to put this another + // way, entries must be combined using OR. // // Support: Core // @@ -117,9 +127,14 @@ type ReferencePolicyFrom struct { // +kubebuilder:validation:MaxLength=253 Group string `json:"group"` - // Kind is kind of the referrent. + // Kind is the kind of the referrent. Although implementations may support + // additional resources, the following Route types are part of the "Core" + // support level for this field: // - // Support: Core + // * HTTPRoute + // * TCPRoute + // * TLSRoute + // * UDPRoute // // +kubebuilder:validation:MinLength=1 // +kubebuilder:validation:MaxLength=253 @@ -134,7 +149,8 @@ type ReferencePolicyFrom struct { Namespace string `json:"namespace,omitempty"` } -// ReferencePolicyTo describes trusted kinds. +// ReferencePolicyTo describes what Kinds are allowed as targets of the +// references. type ReferencePolicyTo struct { // Group is the group of the referrent. // 
@@ -144,9 +160,15 @@ type ReferencePolicyTo struct { // +kubebuilder:validation:MaxLength=253 Group string `json:"group"` - // Kind is kind of the referrent. + // Kind is the kind of the referrent. Although implementations may support + // additional resources, the following types are part of the "Core" + // support level for this field: // - // Support: Core + // * Service + // * HTTPRoute + // * TCPRoute + // * TLSRoute + // * UDPRoute // // +kubebuilder:validation:MinLength=1 // +kubebuilder:validation:MaxLength=253 
@@ -166,15 +188,22 @@ type ReferencePolicyTo struct { separate handshake config on each Service or Route resource. #### Exceptions -If traffic is originating from the same location as the configured Route (such -as sidecars in some mesh implementations) implementations may choose to ignore -ReferencePolicy. This should only be done if: -* Other mechanisms like NetworkPolicy can be used to effectively limit - cross-namespace references. -* The implementation clearly documents that ReferencePolicy is not honored. - -This exception is very unlikely to apply to any ingress implementations of the -API and will not apply to all mesh implementations. +There are some situations where it MAY be acceptable to ignore ReferencePolicy +in favor of some other security mechanism. This MAY only be done if other +mechanisms like NetworkPolicy can effectively limit cross-namespace references +by the implementation. + +An implementation choosing to take this exception MUST clearly document that +ReferencePolicy is not honored as well as which alternative safeguards are +available. Note that this is unlikely to apply to ingress implementations of the +API and will not apply to all mesh implementations. + +For an example of the risks involved in cross-namespace references, refer to +[CVE-2021-25740](https://github.com/kubernetes/kubernetes/issues/103675). +Implementations of this API need to be very careful to avoid confused deputy +attacks. ReferencePolicy provides a safeguard for that. Exceptions MUST only +be made by implementations that are absolutely certain that other equally +effective safeguards are in place. ## ForwardTo
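Review bot: (hunk `@@ -5,18 +5,22 @@`) the new Motivation line `+This GEP keeps same namespace references simple while enabling the following` asserts a property without stating the rule behind it; add the concrete rule, i.e. that references within a single namespace need no ReferencePolicy and only references that cross a namespace boundary require the handshake, so the reader does not have to infer the boundary from the ReferencePolicy section. Also, the added `(For more info, see GEP [#713](https://github.com/kubernetes-sigs/gateway-api/issues/713))` text labels an issue link as a GEP; either link the GEP document or call it issue #713, matching the "Issue URL" convention used at the top of this file.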
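Review bot: (hunk `@@ -71,7 +75,9 @@`) the justification added for excluding resource names assumes that write access is always granted per kind per namespace; Kubernetes RBAC can also scope a rule to specific resource names (`resourceNames`), and a user limited that way cannot "rename resources or change the structure of the resources to match a given policy". Rather than arguing that names never add protection, state the trust boundary the design actually adopts, for example "ReferencePolicy treats namespace plus kind as the unit of trust; anyone who can create resources of that kind in that namespace is trusted", which is both accurate and easier for app admins to reason about.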
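Review bot: (hunk `@@ -91,7 +97,9 @@`) with From entries combined using OR here and To entries also combined using OR in the following `@@ -99,7 +107,9 @@` hunk, one ReferencePolicy grants every From entry access to every To entry; the allowed set is the cross product of the two lists, and the comment should say so, because an app admin who adds a second From namespace to share one Service also exposes every other To kind in that policy to it. Suggest adding a sentence such as "All From entries are allowed to reference all To entries; use separate ReferencePolicy resources to express narrower pairings", which also lines up with the "Each ReferencePolicy only supports a single From and To section" design decision earlier in the file. That decision reads as "one entry each" while `From []ReferencePolicyFrom` is a list; clarify that "section" means one `from` list and one `to` list.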
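Review bot: (hunk `@@ -117,9 +127,14 @@`) the rewritten line `+ // Kind is the kind of the referrent.` keeps the misspelling "referrent" (should be "referent"), and the same spelling sits in the unchanged `// Group is the group of the referrent.` comment, so fix both while touching this block. The change also removes the `// Support: Core` marker for Kind and replaces it with prose; the `From` and `To` fields in the `@@ -91,7 +97,9 @@` and `@@ -99,7 +107,9 @@` hunks keep their `// Support: Core` markers, so keep the marker line here for consistency and put the list of Core Route kinds beneath it.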
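Review bot: (hunk `@@ -144,9 +160,15 @@`) the same two points as for `ReferencePolicyFrom.Kind` apply: the `+ // Kind is the kind of the referrent.` line keeps the "referrent" misspelling and the `// Support: Core` marker is dropped. In addition, Service is now listed as a Core target kind but the comment never says how its Group is expressed; the core API group is the empty string, while the `Group string` field above is documented only with a MaxLength bound, so spell out the expected value for Service (and state whether an empty Group is valid) to keep implementations from matching core Services differently.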
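Review bot: (hunk `@@ -166,15 +188,22 @@`) the rewritten exception is broader than the one it replaces and loses the condition that made it sound. The removed text limited the exception to cases where "traffic is originating from the same location as the configured Route (such as sidecars in some mesh implementations)"; that is exactly the situation in which a NetworkPolicy in the target namespace still sees the referencing namespace as the traffic source and can enforce the same boundary. The new wording ("MAY only be done if other mechanisms like NetworkPolicy can effectively limit cross-namespace references by the implementation") drops that origin condition, so an implementation that forwards from a shared gateway namespace could treat NetworkPolicy as an adequate substitute even though the target namespace cannot tell which Route namespace initiated the reference. Suggest restoring the origin condition as a requirement, for example "This exception MAY only be taken when traffic reaches the target with the referencing Route's namespace as its source, so that NetworkPolicy in the target namespace enforces the boundary ReferencePolicy would otherwise enforce", and keeping the added MUST-document clause and the CVE-2021-25740 pointer as they are.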
