From f3defdfff767db1ac5d86bf486ced4166b8c4613 Mon Sep 17 00:00:00 2001 From: David Date: Mon, 16 Oct 2023 11:00:52 -0400 Subject: [PATCH 01/13] enhancement: add boot image updates --- .../machine-config/manage-boot-images.md | 197 ++++++++++++++++++ .../manage_boot_images_flow.jpg | Bin 0 -> 71285 bytes .../manage_boot_images_reconcile_loop.jpg | Bin 0 -> 105979 bytes 3 files changed, 197 insertions(+) create mode 100644 enhancements/machine-config/manage-boot-images.md create mode 100644 enhancements/machine-config/manage_boot_images_flow.jpg create mode 100644 enhancements/machine-config/manage_boot_images_reconcile_loop.jpg diff --git a/enhancements/machine-config/manage-boot-images.md b/enhancements/machine-config/manage-boot-images.md new file mode 100644 index 0000000000..4b2252bc20 --- /dev/null +++ b/enhancements/machine-config/manage-boot-images.md 
@@ -0,0 +1,197 @@ +--- +title: manage-boot-images +authors: + - "@djoshy" +reviewers: + - "@yuqi-zhang" + - "@mrunal" + - "@cgwalters, for rhcos context" + - "@joelspeed, for machine-api context" + - "@sdodson, for installer context" +approvers: + - "@yuqi-zhang" +api-approvers: + - "@joelspeed" + - "@murnal" +creation-date: 2023-10-05 +last-updated: 2022-10-05 +tracking-link: + - https://issues.redhat.com/browse/MCO-589 +see-also: +replaces: +superseded-by: https://github.com/openshift/enhancements/pull/201, https://github.com/openshift/enhancements/pull/368 +--- + +# Managing boot images via the MCO + +## Summary + +This is a proposal to manage bootimages via the `Machine Config Operator`(MCO), leveraging some of the [pre-work](https://github.com/openshift/installer/pull/4760) done as a result of the discussion in [#201](https://github.com/openshift/enhancements/pull/201). + +For Install Provisioned Infrastructure(IPI) clusters, the end goal is to create a mechanism that can: +- update the boot images references in `MachineSets` to the latest in the payload image +- ensure stub ignition referenced in each `Machinesets` is in spec 3 format + +This mechanism is user opt-in and will also be released behind a feature gate. + +For User Provisioned Infrastructure(UPI) clusters, this end goal is to create a document(KB or otherwise) that a cluster admin would follow to update their boot images. + +## Motivation + +Currently, bootimage references are [stored](https://github.com/openshift/installer/blob/1ca0848f0f8b2ca9758493afa26bf43ebcd70410/pkg/asset/machines/gcp/machines.go#L204C1-L204C1) in a `MachineSet` by the openshift installer during cluster bringup and is thereafter unmanaged. These boot image references are not updated on an upgrade, so any node scaled up using it will boot up with the original “install” bootimage. This has caused a myriad of issues during scale-up due to this version skew, when the nodes attempt the final pivot to the release payload image. 
Issues linked below: +- Afterburn [[1](https://issues.redhat.com/browse/OCPBUGS-7559)],[[2](https://issues.redhat.com/browse/OCPBUGS-4769)] +- podman [[1](https://issues.redhat.com/browse/OCPBUGS-9969)] +- skopeo [[1](https://issues.redhat.com/browse/OCPBUGS-3621)] + +Additionally, the stub secret [referenced](https://github.com/openshift/installer/blob/1ca0848f0f8b2ca9758493afa26bf43ebcd70410/pkg/asset/machines/gcp/machines.go#L197) in the `MachineSet` is also unmanaged. This stub is used by the ignition binary in firstboot to auth and consume content from the `machine-config-server`(MCS). The content served includes the actual ignition configuration and the final pivot OS image. The ignition binary now does first boot provisioning based on this, then hands off to the `machine-config-daemon`(MCD) first boot service to do the final pivot. As 4.6 and up clusters only understood spec 3 ignition, and as the unmanaged ignition stub is only spec 2, this was now an incompatibility. This would prevent new nodes from joining a cluster that had been upgraded past 4.5, but was originally a 4.5 or lower at install time. Issue linked below: +- SAN [[1](https://issues.redhat.com/browse/OCPBUGS-1817)] + + +### User Stories + +* As an Openshift engineer, having nodes boot up on an unsupported OCP version is a security liability. By having nodes directly boot on the release payload image, it helps me avoid tracking incompatibilities across OCP release versions and shore up technical debt(see issues linked above). + +* As a cluster administrator, having to keep track of a "boot" vs "live" image for a given cluster is not intuitive or user friendly. In the worst case scenario, I will have to reset a cluster(or do a lot of manual steps with rh-support in recovering the node) simply to be able to scale up nodes after an upgrade. If I'm managing an IPI cluster, once opted in, this feature will be a "switch on and forget" mechanism for me. 
If I'm managing a UPI cluster, this would provide me with documentation that I could follow after an upgrade to ensure my cluster has the latest bootimages. + +### Goals + +The MCO will take over management of the boot image references and the stub ignition. The installer is still responsible for creating the `MachineSet` at cluster bring-up of course, but once cluster installation is complete the MCO will ensure that boot images are in sync with the latest payload. From the user standpoint, this should cause less compatibility issues as nodes will no longer need to pivot to a different version of rhcos during node scaleup. + +### Non-Goals + +- The new subcontroller does not provide a solution for UPI as it does not use `MachineSets`. We plan to support a UPI solution via documentation that is based on this workflow. +- This is meant to be a user opt-in feature, and if the user wishes to keep their boot images static it will let them do so. +- This does not intend to solve [booting into custom pools](https://issues.redhat.com/browse/MCO-773). + +## Proposal + +This automated flow is fairly straightforward, but will require a bit of special casing for each platform. + +- The `machine-config-controller`(MCC) pod will gain a new sub-controller `machine_set_controller`(MSC) that monitors `MachineSet` changes and the `coreos-bootimages` [ConfigMap](https://github.com/openshift/installer/pull/4760). +- Based on platform and arch type, the MSC will check if the images referenced in the `MachineSet(s)` is the same as the one in the ConfigMap. Each platform(gcp, aws...and so on) does this differently, so this is a good opportunity to split the work up between platforms and see if the implementation is effective. The ConfigMap is considered to be the golden set of bootimage values, i.e. they will never go out of date. +- Next, it will check if the stub secret referenced is spec 3. 
If it is spec 2, the MSC will try create a new version of this secret by trying to translate it to spec 3. This step is platform/arch agnostic. Failure to up translate will cause a degrade and the sub-controller will exit without patching the `MachineSet`. +- Finally, if the MSC will attempt to patch the `MachineSet` if required. Failure to do so will cause a degrade. +- Any other failures in the above steps will report an error; but degrades will only be in the specific cases mentioned above. Certain failures may also be as a result of an unsupported architecture or an unsupported platform. This is necessary because support for platforms will be phased in(and some platforms may not even desire this support) + +__Rolling back__ + +The very first time bootimages are patched via this mechanism, the MSC will also backup the existing bootimage and secret references. This will be used to roll back the `MachineSets` which can be done by opting out of the feature. This is also an important mitigation in case things go wrong(invalid bootimage references, incorrect patching... etc). + +__UPI__ + +For UPI, the proposal is to create platform specific documentation based on our implementation of the the above work. If this feature is +switched "on" in UPI, it is necessary to warn(degrade or some other way) the cluster admin to indicate that this functionally is essentially a no-op in the absence of machinesets. + +### Workflow Description + +From the user workflow standpoint, this enhancement will be more or less invisible once turned ON. The opt-in mechanism is still up for debate and is one of the open questions below. + +#### Variation and form factor considerations [optional] + +Any form factor using the MCO and `MachineSets` will be impacted by this proposal. So case by case: +- Standalone OpenShift: Yes, this is the main target form factor. 
+- microshift: No, as it does [not](https://github.com/openshift/microshift/blob/main/docs/contributor/enabled_apis.md) use `MachineSets`. +- Hypershift: No, Hypershift does not have this issue. + +### API Extensions + +We may have to make some changes to MCO CRDs for the opt-in feature. + +### Implementation Details/Notes/Constraints [optional] + +![Sub Controller Flow](manage_boot_images_flow.jpg) + +![MachineSet Reconciliation Flow](manage_boot_images_reconcile_loop.jpg) + +The implementation has a GCP specific POC here: +- https://github.com/openshift/machine-config-operator/pull/3980 + +Possible constraints: +- Ignition spec 2 to spec 3 is not deterministic. Some translations are unsupported and as a result not all stub secrets can be managed. In these cases, failure will be reported, and it will cause a cluster degrade. +- See Open questions below for some more possible constraints. + +### Risks and Mitigations + +The biggest risk in this enhancement would be delivering a bad boot image. To mitigate this, we have outlined a rollback option. + +How will security be reviewed and by whom? TBD +This is a solution aimed at reducing usage of outdated artifacts and should not introduce any security concerns that do not currently exist. + +How will UX be reviewed and by whom? TBD +The UX element involved include the user opt-in and opt-out, which is currently up for debate. + +### Drawbacks + +TBD, based on the open questions below. + +## Design Details + +### Open Questions + +- What should the user opt-in mechanism be? This could be simple as an configmap in the MCO namespace, or a new field in an [MCO CRD](https://github.com/openshift/api/blob/master/operator/v1/0000_80_machine-config-operator_01_config.crd.yaml). While feature gating is an "opt-in", this proposal only works when the cluster gets an upgrade and a newer boot image is available. 
As I understand it, upgrades do not happen under the TechPreviewNoUpgrade featureset and this feature will be a no-op - so we can't use feature gate as the only on/off toggle. +- This proposal relies on the golden configmap having a target value for every platform/arch combination that we use today. I've [noticed](https://issues.redhat.com/browse/MCO-793) some cases like vsphere don't have a a reference as it stands today. Why is that? Are there scenarios not requiring boot image updates? +- Heterogenous platform(nodes span across infra providers) concerns. Do such clusters exist? If they do, do they use `MachineSets`? The current proposal assumes the same platform across all nodes and uses the infra object to determine the cluster platform. The current proposal will run into an error if there is a platform mismatch and will exit non-fatally. +- Hetergenous architecture concerns. I think these exist, but do they use `MachineSets`? The current proposal maps a `MachineSet` to an architecture, so this should not be a concern, but curious overall +- The user could have possibly modified the stub ignition used in first boot with sensitive information. While this sub controller could uptranslate them, this is manipulating user data in a certain way which the customer may not be comfortable with. Are we ok with this? +- What platforms do we want to support in GA? GCP was used in the PoC so I've added that, but is there an interest for certain platforms over others for the first release? + +### Test Plan + +In addition to unit tests, the enhancement will also ship with e2e tests, outlined [here](https://issues.redhat.com/browse/MCO-774). 
+ +### Graduation Criteria + +#### Dev Preview -> Tech Preview + +- Support for GCP +- Unit & E2E tests +- Feedback from openshift teams +- [Good CI signal from autoscaling nodes](https://github.com/cgwalters/enhancements/blob/5505d7db7d69ffa1ee838be972c70b572d882891/enhancements/bootimages.md#test-plan) + + +#### Tech Preview -> GA + +- Feedback from interested customers +- UPI documentation based on IPI workflow for select platforms(vpshere + any others TBD) +- User facing documentation created in [openshift-docs](https://github.com/openshift/openshift-docs/) + +In future releases, we can phase in support for remaining platforms as we gain confidence in the functionality. Priorty list for this is still TBD. + +#### Removing a deprecated feature + +This does not remove an existing feature. + +### Upgrade / Downgrade Strategy + +__Upgrade__ + +This mechanism is only active shortly after an upgrade, which is when the ConfigMap containing the bootimages are updated by the CVO manifest. It will also run during machineset edits but patching will only occur if there is a mismatch in bootimages. + +__Downgrade__ + +- If the cluster is downgrading to a version that supports this feature, the boot images will track the downgraded version. +- If the cluster is downgrading to a version that does not support this feature, the boot images will not track to the downgraded version. So, it may be wise to opt-out of the feature prior to the downgrade if "normal(i.e. older) OCP behavior" is expected. + +### Version Skew Strategy + +N/A + +### Operational Aspects of API Extensions + +TBD, based on how the opt-in feature would work. + +#### Failure Modes + +TBD + +#### Support Procedures + +TBD + +## Implementation History + +TBD + +## Alternatives + +TBD 
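Review bot: The Risks and Mitigations section says this "should not introduce any security concerns that do not currently exist", yet the Proposal has the new `machine_set_controller` rewrite two objects that the Motivation describes as unmanaged today: the stub ignition secret, which is used at first boot to auth to the `machine-config-server`, and the boot image references in `MachineSets`. Please replace the "TBD" under "How will security be reviewed and by whom?" with a short threat model. It should cover who can write the `coreos-bootimages` ConfigMap that is treated as the golden set of values, what access the sub-controller needs on secrets, and where the rollback copy of the "existing bootimage and secret references" is kept and who can read it. The open question about user-modified stubs holding sensitive information belongs in that section as well. Smaller points in the same hunk: in the front matter `last-updated: 2022-10-05` is earlier than `creation-date: 2023-10-05`, `@murnal` under api-approvers does not match `@mrunal` under reviewers, and `superseded-by` lists #201 and #368 although the Summary presents this proposal as building on #201; in the Proposal list, "Finally, if the MSC will attempt to patch" has a stray "if".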
diff --git a/enhancements/machine-config/manage_boot_images_flow.jpg b/enhancements/machine-config/manage_boot_images_flow.jpg new file mode 100644 index 0000000000000000000000000000000000000000..36d40923524e76b7e6c591a722e187ba37329720 GIT binary patch literal 71285
z+IWXjHT1%lRTt0p@~rCWDr2IS{H<5g0jBlL=UtXUWrQFd->roxgShBXL5|yNg8UrE zI+>T6T)@ELCcmPzwBl*7Z(>BS7eAwQcwqI@CyzTN%}UNQfs2p$#x8_VGwAlQbHF?k zs5_HuM>dUQJ}T>37;BRmd-OqhYJ6C{Z;RmS-C17`tksQxt&;&Y# zoK?lak`?UZy&LQ|Zk=BKeY78;Xq=Y*de3T^_`K__wdDzqio$e7vd*iIsxvl;=ktQD zJH@oMb+qSL)pH}@u46F!)}=zDOZ%3UWPxu0r{q4c+m`_o$I@ROq!p#}Hh`Bb4Ih<+ zdF@ME%F(6Y9JAZ3UP##0CM8l}>bJfN-+uV(|8IZ0&1XKm5!?1D;f(L3D^3*y-^gWq zVP%aH@=`SknF`G}c+KCePnGl@Qg4mx>A>HxnRZ#Ya!ySmL+%Vuj<1}kQQ5DuoXPp2 zCB?D0W3ZI*C6iC6Lz+*~P;~f*0X+v{b}SN+;09DpvLi!Mc7LTU!OWQkS`el^~QEb)Jp6yPy8f|J2aLMp*jb%S5h2nSQ zN%R1{b==3Wzpqf7gzo_Sc>R9N4p()y?daP|GnLk0t14uP~SLCJd)-A5#&g zx?a8@Hum#MhG+R81KRM6cq}tSQlD{I-V6wZ3vhacpp!LR(IgZqy6iWaibG5N5fmT-WMWF<1gr`J^m&@}@g&XSYBdH3PE#!vZI<+na?HZg8_SjJmPdi!= zzW{slG$pBfHWY4O*HN3FADndR$D)f1oBIg6>kP~mH!?YmuJOk1p#;NeYgxMY!+?5& zn=qIv8K47lxcartr&Ev`)n-u~qK{Fe-Fox9(sauBot=4cF@`8vx(K!;R7grHbD^RW z=5pA+TIsxX;8Olz!-8jX7WkLuQ{mHmdhNCtlN{Wb$UBs|r$?E0I++Og;K*%Ty><58 zXjwlUv!$})y_!3;PLBPy>?19TdeIZfxdRMM}nY2ydT!O3u%KcW-{{ z;KQEdwLxg__4bV^o#Ig288DOGYL8?05WE@OWUAGI?pkpTmpY`V#;=h ziWHP9ve)MIY~ZLHFzgN2_=49md^6si}f!(AussxwhV%5+GFJ45LlCs)Uj*y?XEFIu3a5s`J{5pF28=zr;S9xv5 zMQ3~k?yk|MA7(6BrvOfMaJmn0zjW(28L~&<-NU~D%u(+o7QkuSd~q(RN{mnFB&M~* zIM_;2!%{VfWr7=QG5(Y3@$U27R!6KKT-#y6r#J^TK*^TR%4)N~<(e{OQrrXMQ7g4>vSSGV*sVF#-eYfq~0q&JF`z zQXw)6SHgm#h8X@SD!mIclXptnS0(4WfJXH_N$y#~lVRsTq1KDTb0jCZm=|htl;{^sA)FxHsd@v?(RVr1l%YgrR@y$WTJb-!uK&=dr7smQ}jpw@JKg zrWIxyp~ZQi2I#YRF1vXbJt;RxlFF+3E6sqpens$F`eXX2%*BrVV%*1&w^2BnFCsY^ zo9S9mkjul13G>off@Pv&b6o&m$%pSv#NGC`yEzYBGg`b0UuSQvPP4&d54b&(x)(&i zL+p0Zu`LT(B1!ce{@UP}U%#u*KZA!DO68~WFHk+KH5%<7X1B?m#+?z)r5Mo*LNrj8 zJNyF%gRkR8zj>mGLd5rY|Uvl_&iXJ+>!s7&XL5svHY)LXCavJT44Vqtj=s&T` zjQS)LgJVZLqGN`8E|i`|SBPM??#@pcJ8L`q0xId%6OmWpxi_Ppz~Zbmf}?WgkW&_| zA)Y@!_W1bW!YWj1&$4G%)4g+s98xvGUGs9%XJ@h}4>+871)zR3>rdq$uJECM$h!Hu z7dyaT?1s+i{L+hig>5iksylBN1!J`|&h+GR!BvC?G$%uCYONth zmrZyp?i4~%$_da7SQ1Ma7LxyV7oxVhsZ(G;dx99b>?aIBsa!gY~wJ$~NG zn7ow38`HxZ*)8O!#E3>-69oMWk%Y)C_&yS~iojO;aFklYqk4>I`X6jUU++`=V<_-S 
zVCY-u!dzy(GbE1`JxV?`IXE~jgwR^H4zN(iY2+z(O1w_$Gw!yQ38a8Rud*D64LO5g zQ_v0Ld&4CIKq~FlpM>yR)O6} zln^S2<*hX%Nflk-D{m2-`uIKoRP!H(^MCUf#{vfIfcHUD^=|-@ ziFgiVR_WIH;17=OUrMyj>jz)AbXe;RR6sVrYIVi`TiI;S}#Kery1L8nu~I|EKP?8H@yfM;lBGfcIT8Y=c;+;gL1rk0rwMCS&b z;f@mW_kAzLj|mlQ5t6cFxuuNF%FoZwE2<#)nEX1E;-h+Jui8VSf9+;QhsmqYA1Gl& zCD#g+MvUpFA);5w=4w80E-U|+@jGH(S8nR|AMl|^G7eT?jY zb2xAjOAtI%H^J|gRN2wo=F|;eYJhi)luFaxQ5&@DRr9Vq$#qM8d&;7B`uhRYy1t^e zzt=hw1LJ+^WQKvVX6Xu{%m3<7<9k5G|1F}W?>(xLzOy{~Z}Xn|T?hR4273ckjotmw z4-8G(*oKqPU;5;5yz&fSybzoY18)oaY+k1;6lw{rYA)68ihaNfp zN4%Q?8hp4SZRw0+RDrjjkhq@+wO&JTeLFNgmaeI*=A0{cvJpyf2;Dz$Hg-(kU>&v~ zX2ZS#M$liD>`T+_LdHe0YdWI9yO4z-xLRy%4i|TK&bgSWzGuj`56~{(jIOGQg&n}* z-k-mh$*BLlp)8@U6H_u-*ItEm| zaI*mF4>O&p9Ae`5{1vl|q$KF>)b?hjJ+M_hOOt1XLekU=uC%&4r+Rkj2lwpC{j|L{ z2eCYJf?q^+YUe({Bt28B`W@?dZ?XXvx>dVbI8V)rE zG1y25Vf7;?NpnZmDTxccEP1&oZAgpW_f&L!ed)IX&wez-4HqaNem%AVqqB;HVS<0fB@-AfQx92ps~UjSV3{7)n5@N()H{NR1H6 zSm;ek2qA<>uL0>&eX`Ga_PJ-D&%Mw6oPD12oHys?T3Mg9R<7$>SNs2ezpqt^?W`W! z`~29#W$~LLUZ!*3`OMOewY|lRuRdJ56>iQVYOfm~;IrbOdl5Vp`>`vA%eVa)mYMwrz-6hjbW#O=Cc<#k;zMpj^ z+tdzBd(3c?!#oW&DK0k`D0E!ow`#h>C~s@ug_ns zYa9*!I{!E{dXMIMMTA%D(7vQT+nwn9B1<^~y8 zOXeuJvXdkWA4rPANG!vfwvsK!Qq5#Npp4y`wI?IX#mw?+m=+*ID_ISnL8k|=zqT3C z^t>j+9T&u#14z`UmH2wO=pQK|rM0y?ww%OO)S-v-adHS{?cWYue15XLe7;sZJ#HMB zdbtWbRD{!Zu=gURzMqRJmPMHSgfl<`2Xmici26BJPwl=qv2RU`j<->;)h?XKB zc&*nen<_bQ_opj?lLEjG5A&NAo8q8TqCEY|U`KGw#&Jx4X?&H0)hRKYE82;K<7$z)CqE!65Av68FBM#!q+nBic{DoXi3v zIN@Ye?@le7mUNsPMCmJX@Ig1mY4Z0TBW0d7OoKew?agvr6CV@wa=xHbgs%?178pRP zEY>vI$mi*gtVB?Z_QHe*L{qSPakMjbq(vv7m@EAT(XIqy3>&*Oes;X6c>j zwlJv5vT^wztmA!ji+t#jTxQ>2%<^Zsa@=~`m8K({iPCxax$~oslSgKHuQmQagZm2? zrrdE>p3KWCD;5S66k(HLWdT7DgIV_Y9k0^KbCzB~Q4$E0`MqJ&lF_uU>Y6YjLTIt? 
zgpn`Rs~1aOqSiq;KE>L+iY%O>g)j-tfmO`Ci#R)2g_lF^7@;|2?54f!le6{yr*a>r z?|Bn!f&g>4$w4#0z_I*>TMj_6yVJj)TPQ(r+gDzCBk2ueIz!h)ou|zpHXgtR1wL(eI4D{93B-8RmYLS zdJiyE&kJ|!%n{NwnaW1OtWs(k(K~gpwdO3c#L8L|S|N#DaSM5Tv6P2HB#G-hkqYpR*bW!*RSKK|px zMT9~=zCF1^SrLXq0P1K2t$A|g7V``P0!(KU1Z}TUYIRD}cky6ZAdX=yZMR7E#+KVl z^e5+Q(`fFjOdVAHn=fSI)zO{C(m{v7`Vd=g^KnUG5<+Wk;MJwoaPPZ+JSlfHnYK$@ z75TK0D@Cq!R*z>(ROX4m3-U6(W}~GSrSr4^di~mVxVZL~y#k1cyH>)IJ!#oKO$YV( z%T^}NdeQP6u`s4g#}or_hbM1XN&(a$;n|g>&5h!@CuLc-vnxBcl{4ep)Z&>4VUm}_ zE7RKX?2*)47r%)0*d)&iVSKYEfG?wI9(lAnGTgDNa1*l;sM+%mA^(5im;J`4s`dLn zA431vp1oFQarr^_qllk(3{nE}w{1X$Z%Mm$tMaJ?o=sgo4-ux--<>LGk9=fD)kUJw zs8dly@#yV@RrC5S^TFaJs=vqMV>vKAPyZ^5>p%I0$2P*taL-$pcKk>=ABAk!XnS-rY$02Y3#QAgDTfsUg0^ z=GoL&o>B@7?M%b>3n^8aVn`3Z<0pCLc?{(8LA^T_?_DcaA3KI60;*DEzw<@1K$|}9 z1x963Fa^Vo9a;2Ol>}MPBXZR*A(V77ez78b-~2Q^_(J%|qzjMjy_?!g?*H|v=)}Z9 zPf3?gj}gK7=YmD@(Gboe58f}Zrl34hK^E39`x2t)D41L}*7<42lGQn z5lUzQ-f&o)TFszUu~uZh?wZ50ht{E=;{D8jj>+tYYe2QU1U%KBfP7lZkNP`So0%55 zx^xj2ml#pvq}zFe_Nl~@VYNg9BrLZ*Hn%A?CJ`4rw}@oPUdoEt^u#XS6P-Z^7= zMndy5-vv3p|9U(6k4atsuRCI#+=o~R-)v>;LAGr_p1t#wa;Dfs#G@$$0$hzFHEP${ zZLyl!@;PsfYH}B9&k)nwxfh2)X6WMQhlP6O8qTL0NFAaj+ko9L2uRDXrohzNX3~V< zgVwlD6hkde6eq|%%yvba(WmZGgnY79$!#Q3<|Q@7lwZc$)Z%6027pj)niNU39!mznF8YelOEHX|iNM=XiWKJJ5;VtUk5MTV%LZl$= zN@^|?aFhm7W4Lr(lE}&E^-Q`q$aX#q=99Zz9+WkC;5)wTv2=Alh+5mb@3eTBvAKhvZ72Fq?8iow zJ*A}Yr@#@YB+D>ONA6z14KBPNWT^Z<^NdL4=TeV7@nTibiI)j{Mpu6wk5PeCWGp-_p(K1$Kb+iA_UfzPG>Qf6nneq7fA8iU-OVux0Nyk)iM`>)Ef z{j8>Qk?-JN6}5s5gR*KHtsFAFF(4M#pFdnwfEv)S`uhZc*R``d$N zEEB=NJ|SIB(|+k`j6q{`zl_*2QnGHuIUdTq>RHwCqjmk`ufPY($^85|+1|0)avfCj zRG%s7?uTMn{{X~}S7B`xJcGvZq?R;JxfB;>BX(+1R##?Ld&l!-r+!}Zdio*)k zO8J_WR{JfhWDeZD7&|tUD8Nzafd;LE0t>5%*iG{l>d?Amk}B9X zA2qEJww=7tS|Y1HXGa0{nko|m)FqI$X}-s8YQ5@0v`X+A45&nnckUNb zkUSE?Y8_5!VbJuvPv^=uoT#GeQM)>pcy0M3WDV|QezvztF$A*7b6M_XhZCrkS!K!H z5QMCOvXh}ju1F^>c(EkgLV!@ucIog^$xJ$rOdWk_av|Kg24Rn1#?tMse$*FqD*R^G@65V$M<5WJR{^tssTvgOa$05D<7X# z)!<57HH*}5TTr8y3v+DoSseFOF7<6$4uFla=nXDwXXcxwYLK7XOhF97UkCLe9plDJ 
zaLD9{v5vVrX0-dZv-ZsbTkn#9=DN$^^l3Yt!YwN+t`dsH(H7PgE6IaK$gKKL3>v9) zm!qQiPnXv@E~*L%$hzP0fYoht^Oz1&da*0EE3G7r{P0x7hqpKGSd=ETUCTZWEFNzw z%}u*XD#vhX<8y$z6(&C@fV3Q&cL!m&r_|A@kzCRY{7-;cVJKQZ`W*s{0D&{&PN0zoK7qG-<>S3MM5zqYcx!%-m1;=PUj~2S(hS{ zxg8$vTcIE z^R>eF4&d9FE8u2cFC{v9=E`7vh+H3fUh^>Z{TwN7M4T^U%hw1C>;w zf(cwJxAB*7sP7E9dWhT`0c$OAmJ?nHei7C%1F1~D9uFRvnXnB97k9H2~#UAd4;o8cmJUf!cTH=o_DaYl?xkBIvX@PhxPIEFVoDSTX@QRvTy;%vb zIj8uER4&{V99gt&_ACfj{^a__ONo#O-?^DUc%|I<))K>=g{2d!wQIeejRr9cD(^{O zYE%8}h9(yq-rd7sGra~EuT{8*&t!t2@=)(_ca|I5_S0Ow4IwM{jHZ3Bs#y>W2({^+ z(^q)IX-=^lW7LSavH4j+w=2snPl#I6HeeB2P+NOX$sl+#oC*Ohr^e)->r#c-A7A>B5FClbZ&}+whO7%$oJez( z7sVK)atOqb4M79bwRBj4_|go1^j2Gv?aKJzkDuCXd@P2|o*gbF+0Kca6U+W{G2}{6 zN$2a=dx}Zpi=_~t?G~hn5_Bn^)zZA?m}L31c%f3ILqW6~DcbgS38=3ZZ@+*F83lu5 zva&Q?#p_qdm1t7gBB>Dq4OaJf9`>Qg-ZZN+LfX2tK)ddiJ>L({TK^ZiqJi_|-Z9!Y zPuaj9vv{V^lgD2_sjCrym?fng*UU3am$=xb)JRV->q%K zhTU^r=Uo*%vsc_{B?%d{wkv z*T#v#JKcH$%;r+}-RDw2CnarMZi$-N)Okg}eEU0JvhyPGaE872DC|XkIA|-O`C6pr zjgS3$*?X=Y#_Xs94kW=EpL+wv2K{H+)6*YgF=?%hw?5pXoMAsfNs&u-q++hR$q4qs7d+ zcwDx~%h{3Z*14vf23(QbJDLNxcRbZn@lbM807Q-}x}#e4#%d5hqc>e}5e_S;ug=gy zH?{mH&C~ifuh8#&Y6s92=i9DZ#-E#~p?jq0Fm%*EivRLI-cvC4->dj0IP%nyVKj-b zlY#z6t-jyuUnC4pp#tn~5}Tm`nunD<8*Xx@U*VtT~}eeC5d z^SOyl5v<3^nyn(09hnqadu5}%fAy9+;QS|-fPJEc;BclnZ72mBKI9;`!=?V3_u_9K z*54Y)jkN~nm7)50&$sWPU3Vb&D$PYa=(A|L&IZ6IZ%a3$-ADSL6j?I?&%Ok}d)i-K;1@q49iieP!4Ya@2rpS)O zyB>5KHvTJ7d5JW(D7n)%*PZsB-yoPf&Bc*Wf1d+NY@^D;Igv zFjX>d>ce+F^Tu->I?8vBD;1n2>fkV?)2r^{VLfZ;_t|_B4>#uj#SX$HU{Fx-SDmc- z6tP&RY#nV^;~JX@!+-O@kQ-!W@7u3sh33|>1{=Q;4u=8q+v1@>@|UmQiV&MqsxZr0 z*W9b%jmcM~35d{$4<5+_cN{_m=6ady`Q$%AOa<4l4P9?;xPBu{3giO+&j#k9vSIX51 z;Inspn;~pz+5U!NiL8Clw#7;xL%hGXB-Og) z0lFoa9Nu9o7!h~0PepHMe)-iDtnhHEI1LO9Fo{Tv{cz0|`3>z7xsdK+UfJ8Tz=4z?a>|Olj`MGHc3iNc#tiEpDX+J zHmaX({h>TWcl(D@ZJs74y;jQ^#dPmMC?LFqM5=>sRFFPOsWuvz*Aw8$RwH%@^`4O7 zdo0m=JHNH6De-R(oqqBW@&ym1rvSU8r!)B-6A=|1o!Rn@&iea`zg~2*${N74I4Evg zQDZ{axre9)V`nHgWpHd;ax#HPRLErZ(U_!z^sXfsG|=1;AB|}VHA@1wF4lf z6iZ@|09zKeyF-JaQLTZ8o`ZXx2Q<4thhT{_5F0j 
zU`g)`r>O6TVwHfbfoj@nJ^twV>aRuGrly^&opBxwuy0(YI$hB)c;(BSRyxOA8N4{e zw!S`E7Sb^TPre&}fgxemdrhqSJKv?x*tmrvJGdJm>eeyYx=#y^9g?)F#Y?f{sN80) zLy^vUxy$yci=cC2Nr|&e{37N+YALj)cFx##5rZ9Bcrfeg5r}ClgVtT5@3hC&mxmRa z-3c2U|8-#_!d17+s|<7(MU!&!xLcA8zzbFPAP6ovV}Q0;BgV(a>Mxtbh2CD+lu!?q zQ&AQ@JKJ(YMmp5A7nZ`UJu0qK8Tk!mOPi@{t(zLXm^8C<4>6Q(A0SS5F9yd{KH4`n zyrh)jZg)6n1+i(oJi|PLlqnk012MP?A9w+I363yrh|wjETyk8@lx(-Dj(NkKF^wH< z%x3mtOUeU$8qes2N_aV$fJ791KbY^c8(XWdWu-Kvpg_L2n?G0mMG-!!v}ColYU@V~ zR+OunvdyHVtUDmt5(bu$I_oXR#&CC~A>2!wE>d-{UYc*Snc4ClK68e-g5%VLE1;g9 zcvo?yZh&5^+Xw>#ZAA-7wxo5nibklLVPIaa6|vKCeM^v)#Z=IHb(SO14}E5$HCt=a z6dJOZ{^xn2ys07=-!#l{a8gNm%dTmC)*5oAIo z6OG6H+UX-QIVQI|R`)vzmO&1quRgovY|UjL$WexHdjn?io6Mml&BV;LMv*Eov)tB) zVv!rNqNVKoA^3zv&}=iLbhIUXXhuue*pD2OUn7Ae?Vz{?rkV(&_HAfDzTA9lEQvgn z-^CvC)XYxB&f$GyW`xhM6-?wj{*yoZoZR(|Ght|71P}YRz{gxjyH_;Xc$Me)>?L$>@%`6)hxT63i_`_ zdk}V^?R=+t{`?mm*uVaHox>F0cd^-xiQg^)OguVFZmyNR`SMXS!n#b-JSVcLeAaW` za(?b8mFHXCnbgkr%V4!;;=?^23UkNmJ6~YJVcyy!_x$Hc_5C$H#c@KyA^G|1gbxpZ zFP83n=VKcm_UdynUeAUc6aaFS8zxHpjY|_6a*Gs0$oy2rGe7J0N1<+o8TPtf*vRDB z^`xyE={5HzC9b!I=I1Ij<>SgK1D=>c%pC5?N1HDP0j&?+O5aBQTu6FSS)c!CSac%b z?kqqx+JZYs$VF?=Gwl7wgiqEF%iuMG{64mmSBqzimdUf6<}ZdoB@D;+eN~+j18^OF zJfxQjY5xQ@A~lM4H*z|hp9{1XheIEvd+QjtVu@!AtZ({GuTYM5uF!1G#6Z5<8>j*< zq~uW#Fw3PW8`d>hjVpH^Zd_^&Rhlab4*Do=np3i6WxfTsovlr6t6B&by*Zd zt2%kBNwI~aQD+T?sL8qsmQCa2NIpZnv3QTCbsFP7+*#@dEgon{m!Qlc;?{NmE1FWp z=IXbQ0M*T%H+?|x`B}`$c-(KAD)+u_I6Ve_0aQdzwBTVNg=;` z&&&KK0qmu-7*gTWMg^()#jQ#{ipOp9q!PV|_IhgIv>+2bs-x-zdiHR(*F4=*)Z2(h zmF*8&y}Ff}r!chi=4vDKS#99a^%{@Tfsr=ISUEG@#vzGWHUQ%eHwRkXP}nk&;h>Tu za;cv5AHogw1phQS8f0ur9x9 zR~?M>^n!U8SRkMtRvyA09A&pgyf}78w{vDdsY^uXIPdLg3b(+%YjuZ|5W~YK1FX~YiH#IPOO+*YowAPEdAjpJEcS)dT7tXQDQ`wLFPn~( zmmIG#K|<@wATf3PB0(0}n~Q#(M8ndGCc;>4Wzr)^I6h44Xd57&XJ{p){A9{XH(9jP z9>SBVxnqRspUjj(Z|IBh`{!Iya8kpJW!IyMxd#d=dhR3M$MsW;L2a`@50VwxHWwt8 z`lLwA-$DhTZUTx#Rc|>*CI-;tvbKuxpgohzX4Y?2)jw<@+N7Ogxp*DI`>zW9Z78M% z{6PVQ+_8lEEMs!XoDi^GNyaFp+>E3{tT17fr1Al%t4L0BlL$;uscPkqZjGWv;8>YW>T-}!t4`=QMwJrPnFOX1)hTeZ%^ 
z-X?xzrM%Y4A+r%;VA7BjZ5a?hy+{kw#bY+_;27KPw4(={k!RoD;}w9%0B=g1?29u! zT~skuxm|~SUg?d1`?-!E&L`QG*kr*VHD;!1)uSwUlQKHc;Y8dgdO=J(V))h5h7hUv z^g3kFLU77+knUo2menj*(WysB^!3IHtMr0)=e0$p#x(T7e)87@ZMOWKNV;yQ-erIx+Z7Y{%0vp;B4Q(ts zk2=0FrWyNVk7n?T9zu9WbD3s$Xy+g*B%b4zKNeaKot$ReeS1CP#V=p$q5$Th7DDwt z1*wHa)__iKk5N(fpuA5I*Zwy{a*Y<-3KRY! zDoy6?&{asfWKnoj-^uB+8bxAZk>-k! zKAdr5`Rpv5LAK(z2{@(oX+rI~;LsM`dIPT~Y39(v^7Qne+0LQ*y=j_VRYZbu$%oFo zO*Yzo3u`)vO<%K6COUWwL}c0+K9%fM7b9iS4v)%uE|}El0Z*6YP4$-XOq8RYj#gqg zXi9MHpo70F|4I=d#SO6w;i+Qwf7w6tX+cBRx%Ng`C20b9uiU7$O1m_%gvN`3q39xn z5LS><2lVMfq^qawF9gxW&jdvp%}^`9ESFZk=>GxgTc->YsZb!-^{q%%l6&U~EYipyWws5-|2XD0y{}!?B9`2>XBHO!-i{t}{*UK*bj*sV58X#@W-UYq z4OY!Zzk&`m6E`fsCGKlE?~)>3d;E36FXHXLo<=CjU*@+( z-fD6Aoz5RT{`%K9_#e39%2_Sc#@IL8As8Y$qRRmxa`=*fGmc)VFlkt1E2r<%E6aL9 z3UQ>Ere76E50XJ{6?!B_MaPUGf}}dd*Wz_J9{<~WwJu&(S(lk#^#J7dcHJdx+Xsd` z_?uuKKBn#U!M#V%75#lK106)_A69oRC~tdDVm&+VbkAw`YvtqlSCfL-AOlvgdA(1a z*rdU`O?yvXIPHux%jFKeFT6#&%t8xIw9-FJ@`-NvVM zU$K1mV>F$0bp2+p_)!^W?XOdUCzp==I9nm#`Ecj{3%ArFH=iF04SCm6s1ujihx_dO zFwWl*>(#%B#w0e8EoPV(E?RXaA|1&+gS5=pWmTRX)_;c)U$Ib#@PZnZdzEV*=<13h z`FkRK8j5TXwN72{LGT0V$lZ_yDhTv$R_C2&)|4D>!iV9(4P5rz6Ri>dhGA_dRl*v- z^Bs&I@c=emU41LmYcA12?WIf0Hro;XV}ApENU6y1Y%Q;LSHuhLpD4stUHPb5U3Xka zd_2LlsRaVRppB6#H#Fbh4Ovf_SN}`_2npR?k6!=>c@QK&oQo=7EJFuZOzlM%X6kG1 z*tYI-`xI(r1googc4OB^B02Oz$POvbZGjGXS3+EG{B`&qNd8Lfysc?KV!;4Aw6YK;e#6TUHzbk+G}1j0TUpl5A! zQhptzopmS?Tk>Pvix+q|Ws4OT@D|n)FSr0;_Pg85o|_m_>$}z6iY!X_KUb%%&b@=jsvD-ZO`VG=4E39eYeJn?wRE{ zD!WrF8GHCP(>2F@cJbca9lzFSLL;`Sgl zKU4wAepY&ys3MEW+85MRkge4D6>i&tves_r!6XOW78`Zst(i{&-EJg6R&<=%SgD&G zQ(=jUh?@L~?%-tq1lfACO!$TlH`RW+q9e&kLFw!E)}Nr7po-3Rsv$-(Czghm7Kx;q zZ!Y&KbZA(}RJ*Lg;~dxaZ-e2|wS#b1Z^)qbZ!Ucr6NXM5@eL@1c34JoXGv^{`CfLh z$fe23zNpp>R;_$wMU$~LeE?YX*LI^;pd10SZkmnutz{9Pf2_W}bSv)`u|Bn=CM@rk zPjO1h@SMZso8mV(12Cpilx~yTPND~t2bAq^vVfN$qJuWsurzl`)=HKWZrrzZn5#Zm zZgI^z6_y6$Htm@8v-;2v69$x`4p9v5qlPhW{ATTb={DpwIWKcLhH}vopyz@iDCLk! 
z;ycNeBp*%Z%gwNw0{a!Ju56@)(7+5TC8ikT*(PM;aJpp9U`I;2U&u-bMy{PV|9vn| z#fCx66>U4ziLR!n%XZn06*dm<36c8$m;)KFT|~aFfwD-Ii08OIE2~pqa8;Nv@h$C3 zu{Z>YmjW4L;W}qoei8O)OBm+@lTLBnJvplX913;h_7v8BRB!13!n(-~i!)F?3NLN3 zGnN!rpYC|k>A^JRD&Zq{My9dhqNG}feOui=9;=4mcYX6^fc3;_O?O2vtW7m7C_rb< zVBRHjm6XYiP;uUE%~wQ&&8be=J1M-C+g@_XUNpQgBvQ2N(R%oj>+4c-Nf833;LuCY zvZWW`%U$wSRRfl3Bq;)*6Ej%!YUb(LqzikxoAN0W=I{y0Q!E}PG&?mTH}@!VFD#97 zZ=+kGMl8!FC9Mdx?K8d={65{T9e8m8Rs&*Hg{ax(#wbCBs$9>TjT(DW2S2Orqq;{5 zko?h>3V6QQG+r)B5~_p!#}Bvv_}@Ew;g5e?**Z}4LHdl+?|jpN2Y>E6ezo-HX3xKR z5yCFm-T4|#Twkpnch>Iv_pVYv@StT;PvFEhA{rkN|Ihl+2Il{?-gctWi-WsayQsQe zb!5~?=Bmc*!}k;?_P2eO_w_l8(Hl8AW1N;*R@q+{^2}1~uN`1!@NOBu%%eiG>=hLO zGR}d5_Yiemb53z%xe$!JbpwyT*HT;MkexL@oAo7hSQ^@pPOQR`sJ3Io?|kt(h9(1Y zbvpUl(Be*B_BUiT{L0yP)MpKJROhAzG5{Qa-qx2m0h(XoeBrcPzT8JCy=6H(xSKMP z=2s-*zN&lHV0ky{EWDPFu~|Ds0x7{ghEE4{cr>@!$e0P`Rcr|kd|=nPBO3X;XPtZl zc&;TpMP6CQNcCdgOHMhiRSA<6KjwQHDoxqUz=n}v#PN6mr*iXJ_#Qt<9G%@Fm+YYC zVAvTR7#LAZj~}KFHmBV60=PS|Jj1lJdJVrx5@&Q^YaflUqe16nGX(xpddcp)Pzh!) zQ;{fXg(V_@cqORcWJ1{h-&vNZjqioP>Cm#yA8wAV4lBx3Uvu&W3toT&91L%FlG1rH zk>`jysklqT-YukK$?ysd2=$4PVi5PdBAQLG%;0ku-#O(&Wzt6-YHrlrv)!Mz%lfx$ z^3}mNHe0jx&GywAF^Fy~DL;#>-nCXcR$QF?Fcp)f?V$T|cDZ!cSkK0X`?=RYvtZA; zxc(e(;I{M=KMRchs4|SDnSY?)l2A6V_&VYWwwE>t?6+DZ;UH`)k>--0=UQx=!CpN^ zvV?b0Z(K!NZ{f$K3n(logLW;bYsTX6EOLNaDi^1WQzl#_SJgV z(?xf(YQ1BG)V{`o^45g`!(+DB=dTo}R*}Npy&G0sblt#)$PlPpRm)lVc-y6rXW(I1 zTjFfJd+>RNiSi|%U@)qXNx?%v7@paTZjkw(+@;7eru*dOm@ar0+w7L{an^5li3@MM zt&HMtV;d+4DR~HFK6mj4-I=i2b5Cqq>~lOqlrX=JQLqk_RxzWy#PLLX$05jKZYxN1 zSVE?!EY9sC(CmD(qbII^0 z(vA#8tAJ#e)4gQy1D*=joo+|r@>Mz-%5&E{_! 
z29)29>M8V~_=D~|c+4$%>m_^>cvJ&x=x^F^7RWSe3j?|9m}o%T%YQ$!AA_=PMyfoY z5_^RoU=dZIB_uZ@_Hhy}H#hfQg*@QyPMtuyCWPI^i2md~OtBm2;;#9}OBPL1#XkUQ zP(vA6UL>@|=5p3nwB;vg-o?ruy$|1hXj6p|txkv1C=4;PX92AXH>9-5i_**di942o zySr9IMtL&G8Za3`I9~9XSb5{vv+fK&QX3Lgv+bRQ6lxl&ww86gii`Ht8OqnYL@@{y z3LB#b$gy6F3^z-)aiL<0h6DS)1!Z+wp8eKC5Or;m!zruvQtyC*yaYr6&ziV1zJ56d zBsP?*+r0!(9*GLaIU^PXFtN&1J3!%c5DQ%k0#M5>iZGLX{576g-}yfFN=MlXGyUJW zoi2?_(T=k^<#i?e3#P^jk|J#j0(CO#L>d;>Jc~z!lU+w*s=aX1o-LL4EU(rY3)W(; z&L60xc!eu?xqIIoO2#2+cp)qP_H5}4Kjk-1Is>~e{~RNh!_ug5{W=7wy{JMJ^%9pN zV1RCcR!|c9;y}r~(XkjLu4qY;xL5{6b*gBUj?>Q8*svEep~vevw}++01+Aqjuv^KH zuG;-o23yxpDOICX$^mkG`$lK$K5BrZ0}yK+duRtB$)J_|TI4~B(}DFs3IyU5`-GGG z5af-mI#=VtO99zx0;X3oEd63k>qDfINefqy_+^8@ES^WQ&$Ok2V`$%pxnAM~UHeV>I&bGW9){gAP#!-TKY<*RqhCI3slia5NY16R;z7 zyL=7;-;-e73iV&mqlpFSLQk7|A-E2%rFEPM-^ zY=03d=U|m)pFZILwG#1~SkO%3j?9Gb8`Z#RR$SY*+7W7@E3 z{7EBL5q!8(8}F6x`YWG9QLAukS-r9hf$THoYBQmpbk9wxA%A zG^-LQnO(fElnj41k#X7Wtf_d6v^%MoH~@8&i$VO7*8xc1>a40GvC|DLuvCG#NGx28ZmcEL60`&xS_%8tmtZq}!Ko z`Zrfa8kRKyN=8?wd6NHp)xRKTr2wiIMFd~^;2k!@fafGz{N|?LPA0w^xNoihW=o~W zdqC@rwSv8X=y0uGhI=wZz|EgMm~#R$fBj`^&56qs`FensMM_O=cSTx8m)j6MaXDwt zI()mCIsy8e7okX ze{ufKmwm%SI(p6Ft@c`DP#i}28ka&>E&SvPqyp0gk5RW zxx%+_r0vc__B3h`rrC4ZP;)Jp1n zoJ;rm;+<6$>^)mlLQ0h07V@hpOlBp!VWdZff^vG9XbjC)uHBcR2OFR%bJenYi(S%0 zo@0#C_p*C5A%K|`UpF47;hUCX+eu-iKvSS`EX@EyG|>~jjJ!j-xT5OFEMBzrLu}WzyKht z?oy(8Et5FSR{`5Cds+7QLF%mbPn&@drQ|!eywmH_1{il2?Al}yCFCmpgB37hd6-13 znS?!l?D-W8{*qbqR5~V^i_14N>=bMLFef+9D76RxLii#4rq0CWr}Ep{e%|rF6%pRS z6^NzR4DD?M+%gk*6RZH~G3@lLs~B#H;X_N67Y$B+v~zkl*yE-By#L~U)jT&ISed6| z3h%st>X*@@BX?p0@ z_3*n>*@H2;5m~8oe0Hy)&R&-SF@A&Psn!t_Txp!Ig;?-9!ZPOvm&fqPLjRtHj}}el zCL1rRaoUa7y%-%teZS+_Z6LxKon4@OujGGt)KmYJ-&VEY-gS@4s;4$X+3;bK z$=B?n8@S*zi%CI7A1ZH-(?Q>Q=6RmVQsK{2&;9L@&=r-nBPsjXeiv8~@tu*4e-q=Q zq?$|BRJmC-odPyU&+GvQ-JtCgweec;j3_t6<2T{b(cY%f*ZQM|iX7#96iWAUA9VY7 z8C7r;R+uO)WdqjpdwS@-!m-5g{letZ8Dw7EN)EO$a{Z%xs^?{2@^0pyz~1%me1+@Z z`PK{8`F_;oo|b%=uImhz5Zp_&0w zzSMc`$5l#juZgMWsq0cK)2>Fevx*!E4B4zx+rL7wjcD)NS}1Uw22Lh 
z3TB7Enuc z)s#Mff|FTDmaEANOO=pMk@|XBjL%keozsu|Wg2KZ%d}$7XAiXm{iheXJQX3Leza&D zLuAu9Un72Pc3yRwx^bq|A}pz85D%ytbz~Z9JFIG^X4F(_sLVSV<6W-Aedw=#6Dg82 zBkJs#ub!Hq#p*Cay#pq^__?^jF*AZXMp8y=$peONF>lgr;2JgYr6e>BbY zj8@**3JRrlD+|i#ud%ZI`BQQrm)%V(J%%~_In2b7;Y3n|Ixo6_OjN~~cs;g2BG|MS(*a)*w zN;*;01Z@c`cn5Y+@s|gH-;Yo8qMJItv#UITNuc}BpEM#+Iu+$&>1i&nYn>3bCS-du znh-U3yWC(M^9}Y=CryB0T|lDGMDa8+S!lXQE^Y4s5iQBh9lifck(QPfAOYF zC&tgsup?-yshgRn%H%gK~j&%uXA z%m4AAB19tnfVZ(*u64+B*2xS{DlIrib>qg^7iFba;?Yk?$C=CP+^@xl(RKIxjtK@j zy2)D$yD#?PDDw8sYikkF%M z_pJn)kwP`O+Tz^QZ{j?N#CKwV>27#=hZE++9+?>hivTab8VhTDMlg3?Ulyx986lu{ z`BI{-HhGL^)$yjNf1&5Yz=GFu7(Q6&r*bGo*Tq;7y`cxqKhX8@`BHpNqve70)%*AY zMYv{R?z@l_#8Pw0GOHldC(Jt68>Ka8vFCo#;)2O~&26iY5U4qGN6h`Bxq=MrWIS** zpJRW!4E>B84(*(Q)BD&qXy0b%7bx78hlDa}uP-udWzGZwpDH4*nM3hvw4a5MF z2A0uwM%}sM@Y)9jS;ScRXtD<`Px+AJ(MxyF@YzE0!^)iH7Up!#o~(69h4?T~`p+f$ z-I7GZb2!iW;g#i6>ZA4_-Ip#8{k(Wov6%bODi8n*^FpOs8cIkA6>DQmz6>oxjP!cg zq|JW=A5!6e$^ZU85b^u3Tyh86E7{nHOw%C}!&LkCCG`Xqv91<`=^`q`JC|~gSYNol z!E@>=$@ak4V{|G$l`KXcP=iHyP+W{*+usROpwt{Dmoi@znird$*^m#SF~46&^f z;uhUQ~xHnG$`Ykt9qldl2x9=yfH{PV@s6xvzEk(6m!uPsy*sS!aM|EIj z<$K6u{FJX=jg!*JB_tdZw61DsV)_!Jp0XrSUe>wbQ`EwxR&#R20y5H%w%)-ToLJ%J z%=)#W;Onw&R+KO>NL-m>g}1hTuawdvjpr|oPT83KJek`#ASm-&W7tRT0BawtLs#6+$J3J&^_^gi7U;x&I!VK@8E`tm`|4`DwExYz2WF)cPg*Ae8`Y!rLz>UX z#x~@YZ%KP>)qgg_v6o>cL6ZsPrY`N^rz25$BS^F*kx^rv=4aqEQ3TU>o;M$3b3Pi& zoJ4;h1Vc8J^xxi$#HCI_bwU@y5z+U7qNsgORe;4%E+=`lMfaA&pssD8I-oFJbnmVs_6&`x3RnemO5hPayh{9n3#7a(rxE zR#u5|5H()QZNq<-7nqC`&xp6Gaj_ZPSb=_dmr#Hv>(RiyY!^Dc*^cXH=(`_wr+-Lg z<^RBcApzKp81R!g&*BvI19!QO`Bwhj>Zv@-xGjBh+e%F`8;QWJ>s{xyI%i!w>Ca&f zF)VDrXd4z5hG#r1dqj+1eUWSSsXS16AnJD4s_M@yqzwZAvMbFlF!DWrTT;)WbuOIE zDUua4d4^5rx^PlAxAs}t9M&dt@tLkG`kuM+t2WOLr@RnQpq7Vt!rEQhl``1V9Jjih zTHa1dV6T`sIa+#?Q=Dc1z6|x+i?~$w)Yy8N4+yNTw{qe^`Rw1)$mYg618-a4!g@#& zV@%g_t`LI5J(o(Hw0Py$GNL6u)jiol_WYkX^UEBPm$|8czy$RYjAA-&fWzwKWj*>j zI9wR;iBP5O=I0(hNH0QR0CR|N%a<|HC-cDW50)I{VmyFEWl>k^LJ?z3|HDrJ>LI89 z@rPbjQdMU3?7ZgXDr=cDxL9`FqpY9W!%l;vb=AC=JP1l_QBZPvgc6k@@tF-H&f#~i 
zd-vr}@oL4ml8O0=qEGKeJtcHSLxxg%=NV1zAgxhSEEIEVWxNRJcC1jVaVwS{^xg}kP+YacIStXuc+&r4xTYR}fz_?oH*2ybc zCnrWZdqK8oO2>^U=dL=l(ly363?2gURK4KLb-KZw?as@hC8@gY)9{LjzE*!YDL1Vj zUcWo>;!Y)mkKCR30^Ha?=CQx2RW-VF(?GnU;WE$T{3!9*C_loR_P(wBKF_W328TPx z9yzK&x_~NoIyO$S6D%D)(mk?e6qA99f!ddyr|?NR()}#E^fuS@Vv-5MdJ9dLy$7!b zh4%(i3^LCarj%xwzl{oa*0=Hlj&)7Iu0(m7l{$^g>heIZOxwG{;A=S2GZwL$3uY)I zw?7Ci3%E^Nt&bW6RTWnXg>(OTCtgV?)Nvw7!-r~;sjRB#Lazf>^l6#ele{* zWY?VR&?!ec)aduG8|$@;mu}2-iq;C?wPxtv+Kh*(9_m5VM2EjJ z97_V@H~w-e0y`GwPqdCN z^OKt6`U~S>zwq7e(zmG6i4;VdF!h1O_*ZZFx>P+p{|&6O)JCNooN(V?+yCuSsWV3} zf!5pO#1Oeeo@SR(>3yk`;je${5XU1;1{*C>U_7y8h{>`Lm4SBg+tqXA(za5Y*ZCd0 z)3%hWg8$ngIP!>etZ194Lu&cko&v4;fdWgOd;!ujo?b1#n5-vDWm?6GFojK5EgQ=Q{_W# z!8ti))zfbtES&yyz$<*INL&OK{)lRCI1BESG=;<(WIFj6CQQBOvrL&W^P@*nIrL1* z+>ze$a{b!kP&D#Bw8WV}!mNXmgMk<>Csl=<-G&#Mp9p2<@|Lh!l~0b71YO=tL9v<< zd_O4z@RhAmxZ&A-2cOx(ot++S;kwS;HL?7-9A#DsI%t&I@)nAR(^9nEA>i zPKl_OK?9cszjwiy+Pv1i(vJd~7ns)ZzHvTx{9Xujgxp$_rY&q)=1HfC*bn!|v458J za*QXbYsahVBMqxZlv}ssK}&1NTephnkIA zd_KJ3c641>;qua>0S3lT^cKDJaA_ui>zAaXPvi89Sv`uj1OS{{mlbtb0pMVw_l*;u zuenaKH-i;4?*{8?Ze-dXnFihA(#gm!oY`HQpek0+JFa{_WtY|DMq6Vwu}Wt?-!nha z9)5by!Bd+fas2e)9OTQF^@aPz>#pb!uQ6Z}gokp-?`6BJR%dIeZnigSQ#-y^EPXGB z{#gjeD%yjN=i1@h5h`vMp>1EHa9Esw!xTUtFtTOlB#oa%`Px9qksLUO;8RY{cR3^> z9RSjHN(Yz}PI<-qP2B<)H7U4UK4%pCTCnmnCRJvrk|xNn4E)4FR4LQYM={r^E%J%o zc#qMf7asunYduo$(}NaHV*-CGF_P%rE^HdfTFze0 z1r|q8fxD=SvfsGqk$IIR;47~t9YpA3@(pAC@p1Y?#68Q&EyubneT6Hwkf~&7M!7Ti zFVtKntUy5D2uAR|?P_OFt~YOdp@Vp#^2udkK^8tzEDf?HfNx*IGc0G};9&mXCGXQiDF*6jB*MpLHS1Fs-C8~7^ZG*yUdI|USpzX?_MOR6D`V9Bv7kT+z>~q#$&5% z^|tdmUsEg+Bn|UrkDGBythEin*Ri*alit>vP)p?!h>+r?G(Gt{Co|IQl^sjbETgN5 zbNu!)6F6k&{MKUi{h_GoN0*6R9o5cP?L4z#mu{5_6rV*A6r`PEW8v zYNN5F;pK(EBX;!ge6iGK(0Ro~WLO_-o% zA5Ida#NhnhNT3@8?r=2eRDxosCdgJFlP*R*(DJKS&pvTopjlcf>am74FimAx zNaMe>OeNHU6}*w)Qr~2z=NGsJUztMgqRr}23p1IprGYn#M z!XQK1qQO4n;8W=E+frMPur6HjQCxteuf(V4CGA5lxF)K#^frRERRr@)Wm?w(aoa$G zpD(YU;G!3TTxRlXaU1ndHwd=Q0IpPtW`OosPLDaqycgOYm+zL8!^B<{-)J5{@kL^# 
zxjU&vZ3dklHR=*I9x93~x+v+MN6n-UD>8h-gY(qrY_b!vDa^|5Zc1tN#M_1ZD0-xuY z)8$mc1%uAzUwg7ubmP5vMnZL)z8;4+Nhz6Me;cigHPvFk?e7_+8C$~P(h{=KLpJ^= zm;n|0p*1_gl^jLt_IpdX*(cAwhgC&Tdbw&DC@8{!_LDc3`zEN&zHATp(FWCN3c1(_rH=^n@PtYs6J$parJ zlP>=f7MZ{JzQ}w;=C^vv%PaB7+JYIHo2O!3vUHu#RF|B^zNs-Ou?n~qIljuuqSYOo zWM8WI%p>uN9pC}JG6crxigIwoCzI7R74p0}I0w*VvV)Xx0cZ%p;7`ttf4|qnxUo|I z)S}KAo#z!x1o~jC6T3)Y_5I+lAtAEob$L{M0yM6g7S}ikZ;)073yRd%{Y&Zb=4NWV zN&T(Q1P%h^RBqg}C`>S&%3spkbh-;Aq&fj?U2dnOpM3S7BDYvi;oaS`m@^@lKeN?_2p3);~;sjy)tBtfA$4KQ0!hhd;MzHp<8%;TYLGd^ai zt*V!%1b?qJu>A8CUC+tImzcAwvv-!S>QWDjjXU+>}`6mvc7R$ zmYG@R&I^zV=-=|VRao|Hf31{Z5)3#I*-UO}2j4J@(pqk#m@P->Ee~_*n222p0cILl zeSseFIYYi6vlJb@@!oVxNU<*z?c(5~mi722^^9NY1T+V&U+k79Z$s2&e+2W>HZ(sM zFW3(3798jtrpX>qH6AKFKK@?g(T|Vt|Lyi~Kh)Pt=A4+c-MQPcEBKAeDdddNQVMTI zV0h5y)N7BA@jd_g_o01sP#LOG2mPhxK>5Q_^vD9f@d9ltBL>NnJ3Gy|MVuK&QUZyL zGs7~G=|XW#-pF(d$55B|!7HOC1{E>L`mE`ZS-1CFN5`68?*K(TJhrloXXs5B_KZnY z+}xN2tB;vBpO3ea0~XUo4HCr%=SofEHI&u}tZ=w8XD?fzF7BBo{$5^@7(d&Tkjh}N zsI>}G5Syc;wvpv^u`B#qPdY#z4PxN_DGOJ8I9@v7Lx6jQbLR_O$Hex?*-=_C;fTqz)3|=(TR9g!Y@AUGQ z$dYADFNxoQkM80pbycFc@qk`|c1JDx{VH+wD)?g76^O>`P#601nYORUYy)lO*Ge%+ z($6L1DLl!e%bg4gDVy-DPRy;7T^H;?u*q`C{ov-s?`i2peFrGkixjf96%mp7{~n-A~GGZuv{r@jCM8zS{}* zE{PX5&74Kim&cooAM5PA-4WlY#{GX zK3BXhdBtj?yj?HgavJEar5G!c%H+>$fw9jx>C@as5qA4Z4XV4@U-krpS4{(j z@!Z~Lr|m>-oSMY-DvtGD|7a;0)Tg|3vCJ3_S+C(9s@MF;0c4?R@5T-@nh}y6 zNhp5(J<)&b9}@j%x#jk+J#AuZ?zb(v+CmFu{c~?DL-Er3yBD=+7vQ}IMsx0&^-ssO zD=)+LTlQtM!;5KXD@Oh|u6a~i@ZI#3Ai0y4j+XX>tLL^p(d^RVvtm0}P-#oyMdM7> z10|Q2F@N?K$%+*xs;1pez)A)w6Q-ogI((UeuXPmkGv(VR=8tGk0Yfdj(6tOzugM_| z{fq+0LXGm2=ZOMnBir1k7bsLe1bh{qmDW&Rl@t6mYe`sI5@#WGm1z+E-(io_C$;5Ry#cA+1V6qB9^l%})pRrHO6l?IUTF znrhE2zg(h`S8*k~@+jU8OG#aPP^BBg+$8P+#`_k$!bB<$&cWt68_u4jZ>Kv&6)=?@ zNA)hs!RN%1cP!%xaqwCw>~CpJR0d~JK1Djb*N!M018joDZnU44hrXI5Q!iVh)DuDL zo>76Pd#}P@hj&d)Bmhl{jH?R_VIUP#Lu;$i^dy3BP=B*{HEnEBIM_6YN*6}lU26l& zw|2;4QP(GxSZ$shsx_XF*O7GqKLah{wkfOFOF2_JLTDjmU^~4&us6@x@V?@4;d4`(gJ7MkB4s 
zg6f(dgF=nyY?_A$W@FiU|L9og(;%uSKBDCS^l{dFn^k+u4}&S4Zgfcfy2>p~H9T~H z6*x2|GSNskNZGIlHaMt5scf7p6 zP}9aIcs6)9HtpQyuzhH5QQpcoF7B1E!5~z36_as6iS9lA-d-T9pWd6fJaPE?OA5*6 zbL9*>kOD_;8`}EM*sR6%K99-cb>|%DJsV)L_MP72@j>XXCLI4)|Cp$B;BckLoiawL z=2k}e^jVG@_Cr|P6K)j+Gh3gE!7}~4-qsN5+X#6r+Sg#Qk;AdjP);rbN6_SnT-@jz zX}`6G5ahNPfO+6u&{{iz&1sz#F3(^(BbI;OjtLuG=@nw_FjfMtdfk+tKU}L6IacdX zBNTq!5Uv#~W;L^$c+lN6uPxu-muq|KZfcviOuAR6lSdt-ddhygs>+aF3JGwyxA3^? z0n!)IC@8ePcSWtQ#h?uU zAXWo2)~V7J=l&Evz2pY;T4>-wk#GVohp?{QJVlHUH6UIWWDOc>=ye%w_4vlMw0S7u z?M3#FjNIx?8b!US@QoAMB?1os933mudkUW8pgBUj2D(?Sf}JX-?9~3>0hlli$sWu#Y&Jx|4pq zp|>#XIu7KZFPD%|X3@0u=W1hN?NAl3a#hgphuKl~&$@!_Ai8uydjCOb>X>Ab_m z-X4k~hUH>^kdW2jTO0o)4(_j9^|XKDV*hcM)3c?cyibKTGf3)9Gw=wc?jJ2$!#5_w z9!17@Ys372I9zSOm{EJhIJuc(q$jA{N;x3U{Ul!s`2(+Pj8&x1W)+P-*3`QV?7sP> zc|tBON<};;F1qu1O_;$^(z#T>`<;yvSu-)%7x|fS@@`=TyVx%$H7_8>Up8u*xNVkE zWM`R6ueTDK<{!@&_z$&Xl}}r+3*(q zL=Edkgu#i()#o1@_ic_;WzE#BZk9C;HAP2IQ*F2(&Zz4~F4?Tr{@L#H{)ug1S+FpF z@l_cC__)h>hxS6pp95FL+A*@eR?T+b?PB=PfR+i%Q#qS<&Ccg9OsOT;mp-n@{B9Ky z!n-}Pz1r_r@s;pP=xRpy82sj=&)==uT2Ak?{deXX9<5lsX!Yr1E`#1mIefR8oOl(u z)o|ctQ{p52`=q*q$97^5pTc*mA11^1ZuP1{t$)`Hx8M&}->1U;&?iQ4w1MgQ{|`aT ziNb#c;BPBn-TsHen5V1hK{0$4Jj!Z)=&NVptP3~u*K_O%oF0EM!a eW=ig_1_^OHT*uts{$Jl7|MLG|kHGnFw0{G`Md^zG literal 0 HcmV?d00001 
diff --git a/enhancements/machine-config/manage_boot_images_reconcile_loop.jpg b/enhancements/machine-config/manage_boot_images_reconcile_loop.jpg new file mode 100644 index 0000000000000000000000000000000000000000..468f565a6996b2888efb6e2d3678523b48aca6bf GIT binary patch literal 105979
zdcrpsN<70`KcaC6{1KQ6IR^rAD%;oqe;3|+Tx%|8SeEglVy4HS@_unm+3vYE@@llB zY`p`!wA_@l{0SI*d_M6yC6FSj%%U*dgev?@&Ymt|}_iz#{>pp8$u~2SkO<8q^aEvnFj|rnv10i;EUbO5cc@ah^&o z)jiLz^AuU^B3C=k_Gw^_?K7!AFufSTiOZsDZ@xarTSFewxMC8YG^!wT zwG7jR3bPC6QBV_|wc4Phhvp61K+1Qc8SDH$k&*7ZWc1Ep9jSotC-u#5+vm>cum$Ey zbb&ZF?M$JRlg6=JW@#^FV<#Gch5euD6_c4j;FFZ#+IVG0b^(M|Zd|f%<|K>oMxwQW zf0Cr_yJ^<87d0{XiUX%_#y}O^no&wmX&gaG0^z5KECANbdS~EV0=6<$wPe1=&@dl| zI5$zMEC%#t3Ek`eCTdAqVlo9X`pQ4vQ81d<^J%&6pn&UK)6(4;d%q~LwDI)$VbUZMJvC$#d91;1*T9#Wm_dJtAdQ9_o_sJcgu=^B7dgTHQKWV zgW!xXMS$&keoi}lh`A(>A6Kj;#JeM-iAQ~NC}4G_vZ zrQr2-oHG_4>Pp4=F(uM_Ys4mkK~GyKoW!o2nQE!B>!1T7|ZSt^W2hk_m- zAb2y24ugz2e#EOo!K;;LcNnmLToIEet&3(#%p9<|xNuAZ07g=5Bi?^@cE}3-ynojl zuvjMaDG{-B%bT1I*U22m)K9;jZL{>O4XYEH564{~bqi0D%)vS?16H!Hr(1Y`0!p+? ze7t5avn5{XES>4tzE>!|{C>nXa!vmnZ)u z8x6rh>#IcrRtKAgB=+ZFcEA(b>;)5qg`n;Ar7AWoSv6f-DuXP+7k->B6kSZ7;D@i%ABSE?oW7r1pr9jl4r`t)~9YfvC=)D&8cXk(ok)bO)PLSH4@p7(EJI| z&x$5k)SI52THMFqsZLEo4p!E&F1Zfp&GCxBmKo{ztSX|VzX1QzU>DdiNUX| zd=_+=grvpnNh^imz1C6Gs~#&7Xb5mR4pA&3SyPFgJave1mJ0;^7Bh_Qld6sG;RXX zA~0%V%TZ-COg}C%)>&6{Q`IhzR#|g_EK5)D?7jtv4SO9Sl3(*1VJy}bx3~~iPQxOy zA+kXukzZwr9CTz3WPex{r)M)Gs!IZlu|}}L)v)6AIkwa2u);+obvsCOPIptKGN!Z{ zx4_j~uyTO+UR(IOxB!%47}gPH`*W@vxzNuh8l@470{J6wpgk`;_4zs0^pE-zS`9uE zlBTCkP65~?+IwaVuUkD<`p%*aqYWyfi~L2Ks7vgUne;7wRL;>3(<(CC3c~mH71a@@ zvU_xN$!Uc)#*Y1I2C8`(eB$|1n7dWsX27~Wf#fL;Oo=TLuNiH{E`J2%0ghzTY__}3 z;CemC(wXP)Y4sav@j#e5XfJR%k`JP~N|oU?+|yj~$mI!iCcAEqhsfiDj~=`Ys0_;& z$=z{}AjVCSi-f{ipBo1yu^7gy4f}V`Ts0IQXt)JWf#@*l4c(~zb6TTCW6$Z!)`p3+ z0hG~)z@LC`tF$7U5Q7c;C+Ez(jU?*UEl*Dq{rn!6V?E_^5rIYyVF8a>61$X3)^C@n zmdb+8o!I1v4?C_A$@e?j+J?Nhq3);0OW<#h4PpXKz;`pv-cm8uWtehd>^VvkV0^0X9~rE$+$KxzCu5Ne_?!E&ysxj2G;ec+i=)$vhM#vRpc#D3M0?6X*`zix_^^bNwo*ClaU?a@ra zWQ24ScHQw0^bm23vI zyRznvxJNrWc;;!h4-avQ0QUs=o8gR*hjg3;R5s!4Q7T_LD&y0>wD8Hhq4>A56l!*O zcL%!%EF_G#R>pL;#AR7rn~lER9KPsNv>tBd562k?W^Z5hquf#0P|M z9;h=)RFqA0(sP}%!$ke zuYAm1-IIHVq8~aWS`MJkF4BPLMPD`^EZ8*8K{KtR(p_S%SOx?hi$RZ5{!ot_{kkkc z+mau9$rUTbw^oOR&-gO^TIo5AX3WE&XIbD*QG%N7?S@3 
zw=tp9_}gT4)5CM}TK3^|!zzZ#&m98ASm1C^6qUZ8p;qZQbRTNpBL;V;gQwy|R+?>l zN^yJx@UCHSO}hwxz<7Q^`|sbQYGM4iT4p7?P`I2eVe>PvicP#ETsE0@No(=po=Bgh z);;Y6Gvze0^6Yvjl9%x}LYPjBtCFG?hua5^2uAUoC@jZLTW|Y-d|SC`FE-f`-c=mU zsd{Gt9Cy!dvVeJdSRpr6!`91%+OA5d=mp1s)tG^$!#EeJX?pbCG43H*K&JK&3&|Sn zl(l5@l1Z(~Bca@YzG0cSbG5$_vP{w-@pIHRo)@ISQ4z2f=a~UajQsIG326yEc(Iritg|j{>-lMajszr|7gBjo2 z+N@*ZDR~LSK;_-TD6BBws*gi?(xNmM(_-BqKAhfv7jw$hY=>Ic^%PWm&bP(vXmban zB9AZ&lfG*!Nfo)M49}mjQy$HPwWsS+nSnmQM8)VfgW{}d?|iAaGgP?1q$=>Lu&;3a z|8t^I=5G^?`2U89MyQ3o*SHTKYPii+lMgJd)%LMG<&CQni?)vHTy9L479P2vNU%$! zJlqDe&AMA5Kx;t)>LrE41tA)J{HH>R$Kx)lwHnnQAC8`A>|#Fxt{r}8RWC0!)Tt-* zcBdBeF7{=`jkU#elY7ftO$nhnq6v037WKUT`FojWA{{q7w)9ns$F5 zggKS#!MG(Weky8fQ@vWCX8pUbKI~%s%!*kS$Z`~4+^D)R(t!mGTvz(vUDCH--^S3L= zh=g&`;+SP{ajGgWGv8vrmNfa)3k1>nKF_h2ITAQg88$j5tl{FGUyv10`(!el6`mvi1nDC2eeFeccXE3s z4Za$)$3;-07sSqOcXiWc%yA3M<06ZKS2k>rHgdQL2xNe8nOdcni*#Ys(4{g|b}*qS zk~v%~o0={o?vJ|oZ>;mK40dTr;nG#sS;Lz1S=xy@e-DK{vYMSipU+dBmrh{nYaYm5^5yR-P zYJPRD+yprlN5tzL&LIL<+IY&qg=ua*$*AV?~P z6X^zeGC1x22YYWF71y%$i*{tk69NRcAdNR9NN`B-ZY(qwx{=`S7Muv$XwyLO;O_1T z-nhGj#@$_Vd!O%Q@9guP^W8Jvz2l5G#(VuoubQjZs+v``x>nV!-~3GxXFK&rAp5&` z3GSInTKbW)rSiP4)TN|D5{;4tLt$YLjQJyD6uTG8PnUBna@9j92Oxa)?p13C1U;21 z2FE>XAZ`cH9#y<-C-=j_evWy^RhfIRVA(bj?R&A-BdBuu7xfa@E&RxFwXw^z5r$mV zzUQt=5uU>363%?EeOvwVX}25Tw6fGlL*KgtlNJM|x!AFq&^x$bbz0NGA!i&%fpCOl zsYQb~q?0o^sB#9XE{d8o;iQ3%fFTND(Zpw!!*xQ*s44h^j~=`mo$!841C77~K|?wI z{cdWxLhlVXW*aaqo4Xhd_qycsK$F@kN=KXe-d$}%cF8V~UK75PyBlnh}WIoS`h95##0d&lX3Y3*omy^U(E%zv`LlYln^8pFVjMile z0e}`(3gAEAMNQm}yPgc10mdx#aA?U==$>FFggI9eOf>~JR+|Rj zmsR1PJ5ovUJpK@}VfOO3#1}LSjbXpFX_?@W!XfZSSrvE?T3W6=ddUdFi@*?DVSOf$ zLG$hgnVijr8bOX}eQ~{!WYfbfcVqP|h~kzR3}u)Gk~D<|c40p)E6i-G>_w&x=VCtq z=}D#yd*cNI4N6(v+r0bQ!UH77n8lDohX66O?xDZY2LX10Zj(Yq9y_O>2) zU1!JI3L26gp6Q1hdKp$L*~I~TC(|2Rr}?FU3t;ozEDBnAx`EPNI($w~?~vBmxvrZ`7T81q8YZoY_`1 z4C=Mc?c$~)kwe=XmuCSvuN@ekr4?7zw1Tz_RP`JQ`ski@yWLdfs(2V29sQ`b{?ws~ z!4Iw2j{FF{gO-HMD9BmG8juidE|^cp#7vN*vLHz-fy@HCll1;gHiHVX3cQw#lU%t- 
zc)6svrR#QnshxZ=i7LnD3c1^+Y!oOt5%_?2^@UvcG@b_iz%DftjROe)G&J`w=Z&ryQw~pzrHt9Jv9!`N;F! z0sRyjutnwBx8iB3ZoLt4*449A$_Fiz`QrILW*WoNp~0ZYflz6#BtbA;)KJvjjE)%$ z!b|trmqFFmtnWb~@|r=W{7wpALQ|_F*zHu;rc(K_tKPlpD#F<(FehIY*f2t7;G{%rV_CQ6&@rY$QzVo z9D$}}e*fYZPBQ!gqkOI}amYsMcg!hl=(?!SulZqN>y<}G=!8dE@PR+g&5SR#gXHx{ zc_|oC{~kN72bG@+W+gW(pPgAf4{jBINm!-kmxiSm$TF5%9l~z z)L%1T>tJ%n?7fXSpY52{|I$@%;kp4QQf+>Qn~7!Z$v1ZsC0Ou(q8wq#@tP!4mQRW5 zlm9*Co^yu^Xnzb^K#Fb$sq7}{0oHi9>Uh2D4uQE|UpM>NivFa@zu1?vLjjL8EAv5=dh_*L(#``^rCo@uD}6xI}va| z8Ne;t~5r)vX=f`Bowuad{<5bI$B`u#03x9D3+9!vF~np z6i?+SS=&IyEw$&zE)6Pvv4k#O{&ub>enIgA5UQ8?TNlILB|~N(m5QhH`D4H}q~+Ia z>y(w6ltW1Y4;jnXx_c<(8jo_$i=l>UV}s;#KWejk8IOJdz?$+GZ(2ms$^o#i|AVRO zKlRh|4UY=+dB+tvVCRja2z=pk(UY#_ov_=f@!1m5R_8>}lK&arGL~sNtK$Dur993{ zvB}hwFP@3N+bAy&zWe~hVLg?cjVAmD4^Z#Ue*k2bd>6i46%3%LQU*LcdDyC_9P_X5 z+?v7yFj6}22xoy^X;)o?-5Z7RwN3<|Q~`k-TE}YufWWKoKXtpV_Q{Cjc~l2o34FMR zr9(=+)aWer2f*36rJqpQxqmVWccHp73rKAu)ZT9Q7Nz4{TB{}X5{pnA-pW}Gvg*El zws7G|lz2t^*?Qh9Y+wy0CdHx#n=f`p9&OIJK6}C6--d`jpbwlcY}rM%05g9u$AQ16Dcz2kg;)O8c3=-GSAP?FF;`nu z3XXHUEO4c*b@iDNGv?XAH@kOseDF=++Q&H!&%{KCX6kty56#_Q%OFsKaU2Q-9pz4^ zW9l`06cynrY*#ACiBC~zP1Yza=N=x_WDFfp<6&6TFl)EOz^^vel@q3PoBn|@7q--x zxbN|k&NdMvmg9?V1rg!knsu&jMkjA03&p4+ROr6@(fqT8s347pPe<~f#DwUAdUZiv zS95lhUc$+|S@#o>tNHJy<(XcftJ>SYb9!F;z!1xX8)H)u>l)}+>8K`|3<(T85|$Lt zD^*yZp(UirA4{ZJt2PMIXOtTmkW<>Ehl47;`4$+bFrsJTJE;}4kUK$|4h!+r!*{rN zaG=WNs)zUyazPpO6EvD4H%DUM^&<3lXwVQY5@aAIL-#C8u`{dKXd zZDTnL^oyw8JRukH$z51GRzYJd`^R7EWV&as_S;J_1Xc%A)h zGS?K@N)W!SzaRIJLh)%GHHehhW)OPD#iF}+r+j^Es3FtBRQArn4**D&ody?b4e^A& zX?Njt&pU5<(Jh=Ii-uduregg)*x(lR&A@7ZMR%5`-)u=CMi#iQ-fj2?a_q}hMpC?| z7m-eg0E3ardk;E2Kow(wr}yzQUJZ4sx~i5IFV%n`PvZ856J}(qyA5N^R0wtMW&hSZ zGCw;xsN0)2hlp2u=s1YO(!>-l<;LHHf!tcmP26uxkYDzjl%qdRMdQ^jsMX} zu!QmYI|KJ8naa`7>}g*Pjv2K<<)QS~>kx*n3Lviu7fBjJv+k2jon^8P^~EwH*X?05 z3tIUI685;WQMSFM=jB%&zEGxLfgc=gw_xH`?zhKW}z@kg9v3ii4P=ByTd^<`@%9AI6- zrgtpe9>sTcJayyBKEnuippQ#P)axKqE^39KyPErX4LjStRC3JFG-8`1mIkTTwxPEs 
zk>#%qUo-1y$eRish9lKwKGJ%8CruA1`rzv{e_NJ=MlJ4TVMa|DFUTL!7cx&q9E0+Xmx7S1& zE2V(axNB1^$_Kn-8jjXbqXYSe zRv(EmW-=}epo)#wA`LNcMe`4H!iF#&`$8n;> z);Y8fXqXPMxmBW@fWvqY{5#fC*vlLLohOJiybuM1aQ zl~KuXZcbBw;Jfa_0`1M*dH}$*3$HhIV8iq*fuMF>uqtEW*+&?)A>qzA$Pa-w@Mp9j zM`SU9dhOOZpU40D(#Cu66Nh=qDYMFI&gK2CwG^oobu7ZP7vFhJ9_KE&v_8FrHp>z|sddaPh$E;1Xp zed_Ld_V$;IZ*JUZto#8G5k}QW+4(HI5^5>@0r0SESUlWbegCW0_=Pz4<}WVJpqmsu zWMMat37alYdwu|-MjO&^SC&(4_c&eD*Iho7|0>85vcJD7Q|j~&s)^u8>~he)u(E3% zJ&TBRa;(Qc*vVH+y_yS)YG&|anbUAeNCY3DwydZ8*rK|tbtM&jwKSy5wVs=Q4r2h1 z&AQMQy$PL#B+~$S!<~(}&EZHqqpq&zl~>Oc${%5;krRC)CA4?P(vdRtylB|&N5@W{ zI~7qZ=6ND1>qlMyV!E$?PVKO%>lC>pn&|}TqtO&p;;QD)eBNd)*px@(@J7O*;hpx# zDR8vQ9a*fG1IbZR#RXf*xhQXMKi3?bN;F>LT~!Nr9Un{NTKSiWDSfeim}uavFDL8K zh)o#TUhlIK|AB%-2tC%;2MSAAZv2Excuqt^z5UnLyq#v#JzE2|1E;OX09PnF$ov?7 zX~ti>;e+G#gunNXKd$u+`5tRpwlN#nBo~(-<2Q?354{ zj(Np;5n;QAcc;2LLy0b#R*j=?FTFxzjWRnD-HOEcgUV=wlD8c|5b)FZ@AFfYPE&@2 zncv&OPIA@QoQ~a3L=d%!+m`2Zm~D^K?<@S84aaV7S{4-~Pv&6=E5Abvg|Mh3($e^o zI@$EqFG~@Gr-m%*pYkUfCGUnP*ME`?9v4T-%9>Xz+2}*e?9_0}%@nQoAQe-^Y^9@$ zHXAbh-&Sn2iDj5uF>1{T{<$2J>?N?z2(i?)fnv@VXk)H4aZ_!SF%9>9)-o#j3qCVK zq_SQ+;ot_-e1XHA&l}>Erf*YY?p6$q4)TbqrbtD#R|N^PCbH+#{v$N1v}9;QGLcX@aVK#CSbfHPL3kOb;296 zRuUBr>g^v11+&&e)R`wJcvu6J=`^DmHou|VzPc-`c*Xs&XskCjV=c3Se_uMZ-O^|79Ig<-yVLyqP4Jtl%tPnaBO646^a@IQM-dL_rS3L=S zm|1Pc#`d!HX`qipg!owTck#F;gX=OQ9P~-_8K_TLd1+*(P##5las3F~z2>25kzv95 z8rCGo0P{4MVhLf?x8vno>7*TOy`}3+4)+}-kBM%RnY~KwgK*(8!kRcevk<*7Dg1l-0N#Q6&ScITGQbWMchVNj8bi33g9I~ zGQ2b_mO*MbQn}h3SkhJAy|euZc}xo$k!nU-d@E3`Reafz)?B;&SsC5-RI|`X@wpQI zKphB&Y03Xq`GlxmxnbH1qyphm9x6;%nPmhU8lYvoYNHqgiGVeTAa;sDFDVsM+hR$w z!YIYMgg;de`Uwq`GFAX_Puts%DN`P|fo5&VRh=$QCj-YT^xe6|d#r2+O`uhY_f1gJ z5GP?U9a6dq*P`9+yA>R|q|O%KQx$FYD4W8e%s#ruz8Kk6)*%{WGgEPwP276GbkCoK zhEvE-Ztf>US2U}BCfXAd$#-eH;D(sxF5=pKT)+S%aBy-J7F1Om4mSh&ItMB%!?Xz* zbnSvK4TFve_5xphTBbPbCfj0JBwi7r^&DCE%(~(whN+#hBu;gQ0&r5h|MGtNSHiD0 z{#RJ5m4?%;cAZnq4?sEUYaJUy~RMP7CqRwU%xVUdi-@b5bcOKYge83}aV z<`Om_;F!X_zqIBx+NKh|%G`QT_qT^{iLlVA#8jdoqv9@*rkW 
z7ZpO)39WTTx8F&DD1biAH3Oa}SCgY@wlm+K=a?tKMJ?T3R~>w1>@yoacXk=9kkBs2 zpq3>q%cQ63qJNRZ4AMQb zbcM0xtN5V)D-GvRz_mQKYri;oMfjy>T>3)J=e1dVjz9bWjO-+C_+lh0un0~0f@9!@ z0UhARx{{yQKNk8onbaFY93HjWG1an0;E39xZ=d6`^%t-x5@>2G$D*)&rT}1cC!BfG z1*vuo67dkLpjl92%CYEo;`HchgYABp@@&~}|&oxDO=*16!_lT#l6yfW?h-9Gqmohk4?H+XSyo)M3 zj*j1(348lZBWQi&hUe4|0OURWFVosv>mRj83OzS7PWtl)un5)lOSA`}Vlr7a?_oYz z1x%Ps0@e_WO!&4CGmt}z1f^oHRQAbIdot;{EqfO$TN^!`?Fv`VRj~{@0 z!}rNlHw@?1%EL`d=<}hw`iz!O0$P{wq77N)<3ZtBM!tSCqI^k)GK!g>&Iw00>=-SB zwY|31zUW(%7v{$64uXo$$jsv$Zb>`Hh$6!|r%mWGktq-qoMc|8;N28+aZPD!G2{gA zDW8cpjjSP<6T|b>l7AdOJ=MCr*m_{~Mg4U}q=FuGvA3)&6~QY_M_|K+oyPHSq`8rn z2oGX6$CKW$1Sfgu-aW$7#S7{v8nqfj4{{g1TT?#qJVW0K#~G((I(S~o%tN5a)fdnT z>a?1{2NS9Zb5EYF_$?`YceF1dVPcJvcs?-_ZIRdQ%Hs4mb(gLiSiYpM(R?=fW*6o> z?r!flA}``2p(|TjI)GCzH-tAZ1=_EtdtHKvRiVsw7nRie;U&omsM1fXvaAB z_5ID5)kOOkcs7kvK6NS9tQ#E@DbcAr)#V3Q$!Rr(F!3Zz?K!VcvusgMn`SYzbT1DV zXf4}T#%8G7jV)zbh;UPp2~Qrs(@W% zWUJb8bRZrXEFNhIS2_`;yAX&z=Kx1NjheKyjoZ{7-+m$2q$)`Vaa-1wsils(1~j>Y z4qX&ufe;lXU5zt(Z)h?$4XIR(>>9{xFDHZN$$Kk>cDCtY#vgW;1xb0J*V?!mwJv2PQ&uuxs^Uv7jt(o6H2ojnWvkulo8@RbhL)9tLU75&1?DB5GO_ z*%}`%4>^6#^|h#!p2wI7(&y75UHe8%Iq0^Z9tpKKZw;y$XXi0U*hVg%O=RV%scRGu zO5G!m;(a07HN~J(0hz@Moj?Y&Gj23dS`$enkjTPOGGAs z>>ikdDt}Zjm)i}?K-kwZGlXn zO9F+P0YNR)0%6uM74km-EF=0IH7%wl&+nUPQItfh3$c+q#^*V5n)1BHD6d+kM&kwc znbN)@`7&gPR9+O64Mzk_Zq5tU#;cCVb=1^qsLqU5gl9LG0CE#$KIqwx1Rij{RTe`4 zu}{g3OoO{HCvY@nt0X)u`r!^>q(k1;)>W27nA0NuC(@;nKvQJ*hVySyN8De^yp{5)3}D!}WA7NRT1)?jP2a!n4igq;TW=pk3~jdrDxJaK z{+9dSiuuo<_)j>s2y57s!FTa7Jd5!smg6OdW@5%l!Hh^$SPTm5 z_3R?69DVeKd2Cb;vYL)dbw59f))T{y4PPcQMXA2zu{aT>^coYU6+UjZ#?yNqzUzE( z_5KdUq*v|rH*9R-17X-DU;Z=C$ximYsfLO~HQqU@yRMiML9){tgN86$+rLc{M{yqg zlV&EnkYbAu=$^N7(&aZ8EHpxEm$Qp{Ppg^STEcfE=nc=U)CjC@zgRF>;y8F@OV*{v zl8BI7osX`fXrgidC@jMccERb>i?^QiIyg9>F#In@T`6MG3omnIqAv=xDMq zxX2&RADTnJE0B@p1t3Iw{Y81zy1(oe|AS~=+Iz?>Frn1k)jgKlQPa~sifzNw!+pm7lVWaaFk1;N_1TT}kA4Ic zmO&bXOz9^rrDODgs>u=t*`IAZWmnCHiMu~?5ne$n_WT8FC-;coyzr(;pkds$2J!h) zWE-tfm1h-9w6>+1$M7f{4hYQp->TT^ElFX8kXVq3_OR> 
zXNcN~H#ciE)MSO}kbWB{kqOEh6d!>oJ3j#C^+~3H8v{Si&#~d#6}Sht59J!RF=qy8 z;#0I1=q0}rp#KdMXL6qgypxyF=ld`UFNGFpZz@zl!*%FyeW#ZQYOCbRKDxU?%PPJI zWGKwYK1h7wwZ(i8D~*p2YngT%NsOm%LfmuB1C`I$mNHqz-Zfxk3;*a>yE^8l(=y;L z9i|ziJSh^)Nk!DM@q8qTQfZ4BHWN4qs!vv8TIpOBH~fH^^gDu9J+67F&|tdWX{C9t z&UTj25LB0&V_hfQLo=nzQ9_hCNOdpGv6wk0(V>k&aNfM!iZ`PCg8`k7tp823snPny z@}^E@u0f`*&6x-V&A_6k^GPuqeraG|3uyAxQ0jrSA{fkqje#-`UeZriv@|mF3TPQp z+Cpe=ds-PLBXGHe`A;Ty$Dn&$+;U4ighAiWoSX=^rU^65oV66jM1lD3oJ>;U`l}>K zlHT@tJ7n>Y$v9u4W^R1^a*xPz2VC84t?nx22&Q5A7pc|r>xjM>evUIU-;z4&#A~?L zR$Xtt=+Vd|*V`1^&fH@{{x3}cRucugu5)Zlbe`EkB*C}9GStBhLQ z&^yf?4;$9mdVi|C(7x?yrro2G)Gv)|2`S~#Y!()98Se+5ksag0LDI%&Qm@0MP^nMj zxUNz{%e++PnahkiM_tdgnbiC@={dLBp$A0;k5&bF#Z*FH%L_SC4t zfAddHQax2X<1MK90oZsy6Pf8|uD|gItF_;=xcLV46!#Xl6bh;ZtFvjVLy@){w;?|O zK)dtkV!*Y7=r7p6&Ckz`?&Gn5CZv9?PqYbr1vz$95|ystHsTu z$G~}Q8mefBOphU7h6=Z#mg!kGv+{zAWKXXlrINI>_V>=>vWY`BqwD)!bVri>+pJOby3 ze%AlLj=%k7?t`7uI5chKU>y;*f1?^3@w)%!uUG#mT~nT$U1iCdMG$8klsAqL$WvS) ztK(0K0z75R0cBo)Uij~%uK8M6XiI5amgNS2pwr*wU%nU72;Uq+ata%*;3_!AbDYR0 zqO~u+5%IRscXB^}k|m&wRES8G`zk6lVc$8&?+NtWzcHO5TaTZyhovcarc^EFLOok) z#YY9B|4vQ0$#1X|FM@11eZMuBu6=j#lm#17m|}peZ+nU-E+h}%`fiSJ($@>9)Pkfxz*@W!iP| zshhOFsPKzoSY;^AefGl+lP#~~{-VJzdQDT;J-TdiZa?eixpwCl4RHR{Yb$id*JG}B z!QD94>(j3q{Hd3dw3S$c^^C1>>A!3lfmEKP|7Q*JjVY}rr#*+HG93k_ZfNPRmWIBo zR5lTY&5N7UmT`N;e7SnZu>=T{iEnrEZ}c{$Q4UC7=h+JKaXm=*HrtK!N8X-~OcIM# zegG{4B!B6kZ z{!yS%e_^jj_?Wio91HKhjyeM>ImoFcfkvO#Z5Xd zT8}@9`?F4eRGE_CtMiF{$^;l7dHF|ae^zO(oAU_LaI`!o$l|rXvno}J1O%P`Y&o$% zYDCo(W3&YsJ7gb77Up+pk)4e(*@v|=GKvm@0Z%Ra>)(FSi z6vmvb8X1mFa!WFNHV|o8_=3s#11vb>)<0zixE<&JKtjh>zdAC;ggz}#s)!EJW5_~W zRYsgsu2@Fk=ux}>d|bo-QCfK{ILl0N15AU(+Q==duaDmk$jgJqOA`KY zIk;Rz)Z-9e7gp=A^CUe7u12%Q)779{faue%b~{VHQEyG;WhTkE3SuA|86|GmSoB;x zaXz#Y#@z|SOg8FJbxmC4OQ8R@@Elek{{0_7D!9zz`(dua8Fhr(aCw6x566aGTbBH& z_%x);l!J!78c1A)mgFCQlR=Lhu>vToyt}HK(UUchH;sc#RuzRm&lZQaX__%Z-(eAR zisat7mS8Blak(nY`IAqlGWnNiwSeB14a?$HZvUcKwU=_WpS!oeW;`6fZ$dX-)r{KG zPqR*FY1fV 
z;vk`hCNeUxUT-ahr*9y==N{}ngDHT*G*nUHXF5?urtwNIS+7*tG`JZAf(VHMH>O=(G86(6^%FKN_t%u5Sctd z$z+TC8?Uy~a>Is;Lu_Z*AF9wzL7eU(1n>(9n(G`}Se|Pj7^<^s^0b&}1kGH=S-GI| zWNYTJs%Yy;=!1AjC9(wMuVp)?-#c>e>?r$<(?j&IolC_9mGtMXh4*jdNFP)FdV?<_ubUe!}m!+u|<4 zVxM*wwGOvO`(APnsSTeJxUjOsW59bboVD2BO%c*#A#p{-E|rktBrP@$M2P~-NHtBB z;7hiW6Jn?ja81ARZ{zt*N%;)DzC%g2aOn^}!a-)pc=W9a*I^UxN~942fk@*p7~a|0 zZ1kogTr6x2&lziWTU%D>;5ugLhvskTt%@0tFiKs^Lc$`Y29TO2t|WM1HaaY~>+RtO zdNkpgMA3N!bmN>h)yyoWXzF? z<*IvuYEYBOs2oK*cEz1H^>+*>LFqYB@0y@b#bR}v6zZeyRD$ntpBhzdE^JA|@ zzWkazksKgz^|Cu00XOzp3}Ej|3+IW8mzukRubfVb}CnXnAE#=4dq*U|*~E zbkMOVBVFhCWVcT>Z_xP!UtL*xjhigk26S)k)mDk(mcb$Xw6%U4W?zjUM?{IlLBW~P z29#M@Vdiga!re#lKC*>}eALIQme}8W9l>G=zawuxV;~V_6h+)4^1PMdTg$kHj~M~` zDv%jQ&)+FPBJG_1tUo**#bC?H6*kqh;>PXlsw3JgFi7STZ+LT111cUv&V~Nflf_X za`O=JPf<9ysnJrntX0;y3Fr5@4z%zClAx=deyIH1xU#dSdy$g`oApo!V4m%Ti_D1* zd`PtRL-zVjCUaJ-eM{M7R&S~*s+IGl^8|Oc&YEN%6K@CGYHo~~lEegRUX=}BO#w#Z zv3TN{S%)Ppr~H`!dhuwt@LO#<@Y`;3U)}1T(WQ7Ie%ZP61EA=NWylu#BP9b639z4? zShHW85PXViTmN?piY4lP zafPV{oI|1-EPMOUgm~eNlMK1b{0w=`l&=#4U1G_8iB%p{YwW+%v;R!^zrDRHAA7DT zA6FywzSQZnuLQ1$?S;sY7MA`U=Vt=%D-I@}=cqcK&oShN@%Hma0spkAsD8E-<^TPL z3emnUq)%^#p+iUFfBnEY)n32S4j|=^0IFK1PER^nxf-@U52Q&U(Dwq|LH=#b{QYY$ zf|-kPO9mUe)*y8kWG3Y2_YMvp9T3$xXS!>W>f$owp-Z!$*vzESz?q2Z80(gOWquVw z9`XZ#SI2y1#S_;%x})@gxE^1%`V^&ikg*kfJXBWazfw99pOnlrez6v!?7nS#w86P= zex)jk$yry%y0*BII57PH1ZjOZU^rIjF69Nd1CvWt@x^qoad?{$1nX9=uJG9{z89Qi z+EnVJ1uPZA?G;ajV{KYBWb#1Lum`9Jx+AV=2NJ5!ZS4;c;2cf@0Yik@?IFk9GiJmx z-c-~0Lt!`M?y2A9y&r)0morkrmPsp z*@OgaIgM5F>V%lXu9kO71U^xMY6%xkN!<(&hAw>OLF~2T6<@)0Hb^<EKJ~O~PVHKlE`7(E|_iK{QJ}^qWVg<_=Hq zEt$MXShjS_hi6f8nTwBi*~M;@ZOF*6J#S-viz(x=u>cW!m@dU-0IBbCS}Ywy21%G# zov{(3ko7ckh>op*_5$^6R{qcP(oUqlp)wZl7UTPw#+e-${lY&arkZDNS?ghxh@Ck`^4XAHHIICw!*rjrqX^9rrTKKMe3*S?uTlv z`j7=S=2vBP=2=Uwn$h;5I#wS5*+d~|)@Q3=lOYywOR9U7V0}v#17}I0dkFydEli=9nsJ(zY;MnxS99=$H9{MgVO8Mu0!mp@(@wbI_Luq#RNZqH zb#WPEn-mkdw32z)@g7RzTYK{$cV=Eis=B7Ws`7AO*J5Ybt(MmhCPY=5W!!IJ&6%@) 
z-S@z!z+Q{?LqZoFN`pxf3N5{`f$=BwEXyL-mL6<;#zqI}cqQ2B&yAbc3%cojYRU#G zr#T*q=L^Ylc)doif2_RG^m%G<$E1zJ-FT`mN|8G1HRdjy<1zclR)R zr(%o~RL(>DdMISiuX)GBM#H0t+-pOCwRN4&rY&d)T_y{4DBTIO#|8y~Dd5lwn{ZA` z^;-B0#?tKyaqar{`U1&G1Sh<$S)7}&c8Z> zViEwLfnx{1GOmm_iLDQFJ%J8Z%F#%eYfKc;c{df2x^vx)WoLqKXnDp8)mqRv3;AtKeQQY8pTCe-wiY{-%3zv{r z$p})P8M&acD8IkT>uHr zP=!?)dW+fMP@`GfA|AF9CUeel#rfWq7=c*nO@8)q5^t+({jRbWiOa^t8hq2oras~z zCf1QVH&T}&5V2NG!X_Ci?qR5koJ{3>yfK5I{nE9wiPQK*_Vvq_RM|k^5~k1VC5z=} zkLNS!S)JlSF?Yo=vBFO>7nsa|dt;AK*SbbmdW&Ek=IbiOS51bjVH^D{hH zbrT0B0id`4aPj{}6n8M&v~xb;b1MyoP?+Uto5l8i>s(B=eLae~idhm2x#LkpY2^w4 zJb(DFGjfpkyUaDY+6Y;H^hlLLDOtpf)U$^6tmz}m-GkZZb>Fejz_erSGW;(9GW@Zh z+1%uL<1sSo>0))J{79ZcFIU9Otf7tv>-NF$(1U$7U$5QTcOCb<{s;ijC4Kz!rvG+a znW zd5}e)-?a|jSAZIlE-JFC>NU`rcgj`{+t_lK2c_PBw zdHYYI^G&p6ta|3IsYY@ zw=5|bt|f>&H#2M7VGltT;@^_vh2$d#>-&Ao49yxadW@n)OEs3FaB=6%r3&%-`kM))MQMdY zmTR5pn=JJ7Qo3(3ojJfaiG%4W^+bx=SU(DEe=c3l8WuzMWssxQTnN%HBjYfeQ|NI(~8Mv z9_ZS_RK}pAH>ZMUhrUd%jN}ZpjbFt=v5yUqX*<5s^ANy{DhcL|R1e z;xhL71~d+D^3_!J>~35oS1%36oZzi3zsji7RGzu5I_c+-0UkjX17GN;GBt-Gk#5~I zv)71HnX8!84cyP6!RKqzh*o7==yY!t=sXNCz$(!4*@+Np<3CiwmVv)b(|9^*Vg-Dd z_ONn42a0AHE1we`5l3Zo2q!0cAuto~HKS%`m6Vmo!+8%{M$ttM<%1+>X}Z`Tp2b)n z6AY-U4}3rpXi_z5n|UeRofgffV(Cet|K-*LIFJ5BZ?2~J67F5rEPM*cU4KFS6b@sw zWD1w{Mm}9e48r1cGY-UUVNi~RTK#S+ws<}j&_tRL-A7bK*}M)B0XCoEoQHI=lY2fb zKtH8-yDiK>CX#KT_3`MmP3U37Z`DLtE78lpk2cpSQk@Obt-QXX zEuoDDXb&?p`o|`c-4KV=4M{9B-e7}pU32q4pni;2Vb&=j1@bYa$_vOTR6N2y)>>{0 z0C;xa>+iY#TL)8H*2oeP?^&hkY163~1BS&)Ph1xvh9T|RXL}n14TO5{;Ue74TSK-Y zJnJYA-5&t|)7o=r`N;k@16w0{-(hj@1ewSI)zYQzJ0bfDnQ)OI3aov$-nZOd#nahW zQlkY|utp{X%6sF)t7Qvb)I=3TvCyK;ZL#xxmm`Q1y*l{xAw!=wRVo(hUMmI#2>Uh8 z8Gp}g!|@FWq{&4N1*^l#WF@3jb7~XHzXI+r7XGbP^p)~S?a4|Gk=aVat!_+eu(9(5 z)P;84ihzfp53tbxd4gEp??lEQr%+nR=iRz8zDxVNPUr|55v?-I`CD#-=lU)oXHaap9bC3S^x zwWyXs<3jR2)tAmL&&M6)_wtzfVlx!Ef#JU+{_WfU3-N#C1$a#NUtOSD*Pm!g=GnL| zQc8kMDjKK$37^z*Kz#7 z@{QS@Ew=Z5`vG9UJtn$pe;ir4fBwIp7XSB9O}E0?I#&y;BPKN(8Z`z6nU>}|FHL36 z&k#M&IlImh{}*#_8P(SMuKm(gSyfsnQlO;;5 
zRv^J$5}X!ycP(0+;@)+#w!C}&_j%7A@A+`XIP*hb4w5;;%*=B?^Pa!!x_--hJ$82; zU!$O5284rFeE0En8wXyN2*qx99eqrKLDAHPx>EV_G;(>G^8k2rmH#v?4IN=nlZ_p- z5sbz8KR~l2UnO7pE1;5Qe(3zLu>Nsfbtir>(pTB^_f>vKYHLkR{~{|ZCmAp$F7J?0 z9(-PBpZ)fq6f~^=c}yOogh%fg-bKD_c&+`A-<`^BH4QpFpKC%7tBJ5zFnXivtRJaU zj?w^8n{|+VUD8gY;`ABFy$tYE7%d;!-FY$7pglusev7nI8?st!6T=&`8w-nv+>1P*~AF6bFPRyN6=kp61b z)_*}VD3q6xt_j^Gg`}8lz2@QEL{#FWnwFwwNs`0Hqpn^iBJM1RUC!8)<3A7FfB$*& zpEK8cdjB%5{cY^OJ==NQRUI=XG*kGI)lAQF{8g=T*uY4k;#V6!DE3!-HTV;FCd2}y z0D;8eDy|`Hj%$&^p9Zp7MpechJar>+_EcFeCqUU)!4{vXs#e?ZJ4guDjZGuU`RT(v z>6H-QEFZd%bso7v)WF2@(EVQHRL-aoxR>H^TATccbedRn?&Mst#jrq%LML!`rdKld z($7iecF)kXH3&P6oH>?J!opKqSie(Nki)CFMKIgVc}}&U%nT@LlJ-zz40qLcs+@hX zD!I42pY3J{tBRRKJlQ^@H{eAwzTw$9A<6mHnMYAvyLvO^u-~ku8beoZa9G_n!W+a7 zHy?ViI#dqkV+-EthTbL#fH5{Jo!qbH5-svQPz6y^X$U=@EF%beka`6MvoOi;^n=`fBm zEK-9y@ZsUx-;#F>caoYsb1K&B+8MxpwzmhF_Y>OhsOv(&^Qbd)MLiBxT}mAo8X5#K z&_w_F-#(|mS8sA&C#Vr)icwMGxv-2BXh#KCN)i%T)6agkTKs}+^=+|q^{~%XIZq`Z7HZjM zx(xY#5dAM$&(QdqNvvxA2Z!hC48ov&kykbQ+HGB!u^HUdoW6^cEF!0MT>~47FqZLv zO3=RF46Em<2x%HM7%w4y)y5=td$YE?e&eGIW_2Ptcu4xXHSfZkG z6{b2yeBS)rc^^;Ao0)j69ky77?2SY8jw~9bTqNJm0!FoKfL6eZJvdu72(|j3Rd3~+ z4CNI+<;B_-I&C+;cyAM8uxVIV=hyICeA+CJ!U(T7IwAd&@J41cWqBk*RlB0u%W_^W zK+Es2h;e9viW(yRq8F;RQt$UB`D^FlIbS+V)QYqQB*E2&? 
z83W4Bbmu5d6eY(w5;cx+SRcG)kKSpmem2^UpJg;_ag33#O5<7FGt7PAVgLT&R1=wn zp9#WP!7bZ~jy~A8v4|lZvYUso_7>phsCgl#IE)bbTZCG!gMYKO_vBO}9AMGUcX`z=+Fy9H!R|u7eVzwxBgc!z7*wp(1t{Ldi$j zq9_Jx>~KK;hRX52(rF;hqLlDChwxdvCBch(;-$-U7F7pE8dI| z;qYaQGKQV(V!-yG@zYZYJkGVojE{OI_VW&WNAUDlZBLR$n1#L+<1FabTXhm6%xZhk-OX{{ zz=!UYUV0mW`?sLu4Ps93W;vfqD0GT>qFs^=0k+>4R$ne{9<>6+mMtUEftr@f$GDhm z_P;3VSqN0j7;@73%)1)F>`VZDC?>brK;2I~fwu2w3w-TD>h;OvUFdYk*PHUX#rBAT z0f9jCm#81JdK20Oi8XJUP1gcB=qfs8Z8;cW4}-V?Q3nu4rJjz4;X-$wetAQbxJ8HN zKJpZ=tF~lC%O{R~6sHv)fGEib&4dLhRHQB|8MoMkeA6))H&|I&wh$l78><;_YlHv6 zO<(D*)=?N^8rIMn%CWl$31eRH-irGIw$X5sfgJJ%vB!Y!2%;UD8(G$Oey+&d+0G18 ztE!^H1$a0<5_!c}Rs^2$auH##qaUiNLa%_FZ8rG0Qo}FFP?dzY>@D zK52gvF@JdPbF1HHzbTh{m^cQ_Jmm+6P@pJ|*a(C|)jRh?yn`d|=&KIfN_vcoRN{6$ zf(;eQ59!|Bb>hSK6;$>+WK_+D(&&w_-?b|oyhS5yQfz9unBwMytRJxf%g|)PssTMc z?O35^mX3@i@XK=#`f+iP8&eq>%wj(@*F+n6#XLKn)K&6hxltqlRS6A}kkZH%*yS!3 z%0I5=JIXDzxhgWE;6#b_AH;Vh&|%nwC)t&w=UzPsa1t4%lz0y|LN(3W*)^lKrjcvY z8r3Z^Iao^s%(`Zn98c~aoOWB8cwDyqPBntHBhmgwAf<2|2@T4}zrprGGytKO9|hy6 z5;ebRhbHQu>vYfC7sSWX;f>-dz3eQqe#`VLOppv3mZVpU7p;EKa?W@{izy4&(pF-F z2dzo?tG+VQWnhej+bQX?NkbT}VlC)ti$a@6#;D8O(V!<`ub^ww`I=o`*bN9fF?REQ z=7w?*zg-5X=d)*Dfk~gvVRoaN0N32;nyDQ z_l9!*+FiK`id!w@mgL`y`F~}Qmi(6wrq|j2;873%Y+NN%@8d&Yp8|$si~HZ=Cuywf zD*x;EnM<-lM?U}8q|a?;CjWVpfEklug=f7LVvO$Nu{?tEMWI`y5&7z96n-R=_2RQx zZD!**PmRY`XJWF-mkB}wBwbf6p|I829JG>n&gK$X*eiL5!%1+@y*0!^mvTP~1q`vQ zB2vu+lf&?Ygcnu0LBAH_@%xgrePvt1e2FWMUc%pN4~)aF1LCLq^yE#I*v}F2Yp0K2 zMB>t@q~u$$l6B2RrZMb=!m;l264gQ;t~*oi!FL}R=!}!x+OyH7jd|K(%kH;?+g?X1 zJ3q1D*XszO;;X=FxztU)#TDZ*wrqmfx1Xc{smpRmfe@?2PIhLh80ou3Kj=F+S(;0P zd6(MJeMj!UZq$85*%LFQ!bY|msTiCg%+10-l*=HI7)BxOk@xm1LH>y+*rg!Yo%k>? 
zz6QxENZngWw^A=-#2JUyYMTRm1Alg|NrYaM-=9xn0cFuVSOp5S#nFiK{-MR}Wf&_}g1O zqOmApzgmV-5U2aCsj+BCZY5Pz0v9`+3t0U?vaNCeHnB_vSQ_t>YXz3lt#%R_LnwEO)xMC(BLa!aXr`I1!AnF-?#*JD@E=sMQb; z(nvw8)>JU5ah0REWn#T7Az(gFn=GX2<{|x_`Gjtz*)QYJyj-YIE>=^mYzbAr92G|| zgU=7}4wAE|j%{vhR(2}LV75j3T&dju#1?cdam=(~Y45xEH8n}vR*9?uLYkMTtwuC* zA~2A&DVAeu(0g>?vpcw%7xw#J@5On&XAmPnX2)*!H%o(7`y16I_}YP2bFimoOioW1 z4MJyFQG8VPSbkodV)di&VtALOZiuoLkH>vWjAUU?fZbvlPQ||)Bs%k%k*4ws777cy z``x$;G&~|{zSi1&G%*5)-&VK)&DQ!H@aQL%6(pHJv)mwPAfIRkAK&8zsJnZJCWiv% zcb-p>h*izK(^1@MZ>(T;eyV%>vRjYkq)I9+5%;AdiEZr^CtrPLGjCRXdqJ~z#j=sk zHct1IXgg)9gZasitySR8rUfr!HxJJYoGn|F#>t7@yw~)js|(%ju+cIla#*@LlV^If zOgCO_8NNTVBGzcva_K?Ce`{f2H$H}?)~+;cLW7vqnFaGtd-FJ)(2NF<-ey4WSBa8X zM_y&nb+>>GgdJ7E?Yz8uK{z{Ag1@z^N?hXibt9MfH)Z1*NpfnbKN`uP=+g_1{1Hk{ zWLsi8$kwyJ-b%}m%TBm5D(+s6`vWm=cvQM-!gIEnh@uCk3&7TLvKSY%IXp`S3s214<#Z2Y(KlRvoc76BZ=Ep4?kGrlyYAA*kpUF`B#En}R;kW+;PkF6 zz?HML*pxr3PjTimtWs3!R$(`%lo!N>M~-diLp9pwV}=sd35s{}1O4n*@8Q1dP5?Yw z2C}-EK}4ci=_hnzN01S`C8v-x(gu1zl7No()me=A?9F=eSHpzX(BoSJ7^#vCopt*qe#^>$aNo9={C1%tbv;;5-M)I8OyDmgcgCpQ`PFQDZdMuU4&KVOgkk!lrQLuW= zxB0^XLjGdNm)HzwvTY^?GRqBvC>dZY_BdQ(ml($(944=Fgod{=OP{~Y^D|)>dmp<* zDew%HI2O&y#%h2?$XQiW?UoF$oWpZ!0;qRfm3G8`8@x2od2QVDTD`6*j-@RbbE1=l z#Zx6ch+^R~xr26x(rY=EW1TuJd|{*OHOoqgT0ow`l7iY0*KFWwl&6m+y~bL2pn$A?k2WrXjAQ6+2wmFvN^R;K^-PEh7cRo={zV|72st zZRf?b&b4>TQA-*dY_Qr7?6xW6#{=I8>lWX=NW4NUz;q5-e z=%!t0%qoJR4h2MNaRes80=ql)6JB)tATrsO&4|6{_d!=W?SdOJ8+%G?ZGD}zMTv|> zn)|AcRZ|~NW@?#1iUUv~T`OZ^vD44f8`ivDLw;+o@3rjrZj+s5D7@wObB}7f#gB`F zWT1uc3VlDk7*CYcTLIn@($+WJ%b5wHWU?zO*RU%b_y|Z{={R#{;(oF=^x16Kb+UXN zUEE*3Br&B&P~!#}PYZkV{A#7ej%vPRjFx{W%OV@Z-b`N~WqzxmQ&l21UM5{?2`K<6 z&IUsb!Hc@oAiSsOAm@6)++gV!2J~8pl-&5NG1@^69Y35;aGgN6Fs=p0y%>f|Ok| zuthW@HeRCsIeXKnkv7%Pn=Flhz|Jxu2CN53V7fqQ-%$K%hh1%Yq5Z~W5_@G<>Yt>L zkh(cl9%YV%`OE2KxipYCPbb8oq+$78l}dHl7QuAHL8U}EhEFzTE4TC35H_o~mC;Q< zT?rc9aKWh5ZO+ON+@3?bz{f3i@Us(TQHSvDSI%TV_KX{r_y}-^p8@1YJ9L}GwRg$r z_L)c5$<8P_Rp#=TMqWtXQXponNLHU#sl3CMJ!Yn5Cs#P_LLhri=2z~DOD>R}Dz&|X 
z$R|^a8Dm?TkSZGEq0dT)w0Hz4Q=v%^;SS##QqGNj?QmxOU4zh)TlAX{^*!^2XBI|G zltfNvZnj}nZhE7D2NNC0zMp7-UCpp%$~lmViinSGldn;!Yu4*~MtIm)of#3lXs?nu z?O@m}_oQvJ!yrsGPZp6f0)^2aZ28FFmsOd!?K!ob;@hirWj>V~#G#T_@~V`vZNumW zXRX)__&6V4R`6#>A?z*R(s= z!=}w}uR&Vg0y%MTT~Egx4Vv@lri(Sm%MD`;moj8k&Kg4YFt-QI^vePfCz@L?mbFUE z`vc#?veDMX{bbSb+Q`gngtev|a^7CBy2;Yh4o;=Y{!a99RjZG1y!#}>x zezJ1Vl@g~bk23ncDX&MOV-WMA3Mc#W7$iywpT)7tC@*pke+@RB_2^q?VLFoptOqC^ zw~<(CFuZ%9k5|gUKs!tMnkty#x!-K?s+g@cvb`iUpCQ(9dO?LTcW`Fyt+5%3@ca(_ z3{wY28`G~GZ33s`8J^n>vIlp)&87T_eLn*Rk*(M9B*}h6l)FENS62+AOM}E@MUXh_ z@!47LgV~y(&igFCmQJGW1gBrL=9MJ7uRAel<#V3dVzUshw4W(l*bAbghHHF(xWRe` z@J7*TdAS?i-& zW+p`=b2gtu1awv3yZ8Jw7Ke@Sm0A^k%bmAT`{Ns?)bwQ8uRD5fi_nm8wB53Cs#F#0 zNw*L#~HJf2wvS;{0w7vGl6M?%8_qCmfwVZFtwqs~J8 zJ{MR9+!)^yW@poBg^S=s?vNeb7j|30Re7lP#xYTa%BxrKoYM&BRnVRIEPk`xjgqzv z!n1U+X4o34VC6AKt=!Ja%FpM5dk)R36BhN_x~y$Nb-@!w{r&-rVO(|ub#Q>_`ysys zG$5uar6VHkj>E_sUMI)5<&}wlQ8c|W&MIQ&-qRrJ`1P{cPP2zRbD?4fJN}m`F2KtVz;6i8_nu-(z0ZqUg=8 zN|To)+e6fdz?TtTLltL383$yCi_Q2w!EC zs^NT)9ua07{cm(~1L^h1=Wm+0(}P^YkF)#`KE&j&N~stR^_+%XZJo-(*4%bF8-vgh z0_TZ<09n5^E=s@e$!kTggnU1hTJ>!+j+dn9Gm|?DcawaPpJ5dbx#r` zCvXM^i!!J5$s6uzh*mGL887krAaYo>VLNIbVWJSm$Mg%58-U#mGF`nt6ys1^*Kw?v zeDRCYkCKC0ABZRzDl0#P>sI}w!Ew)yy3hMc9_>%9e2ZFfI`tg|B&b(TE*d;$`F<4@g}lMYuw7~zo%SKQWEaCiO!iLDn88*sh5;b^Pc`U4 z9Yof7Gg|Lrzm0`&P0`xa@CP;(?gYEh&u(uQ#O-0d87Ll+XkbMZVo~Qa*;DH|)jms< z>;q_lv-@m8;%KZ#`RNJ=)K4r#B;}+K-knHS_)eIvaJZ$$-J#a(N=C;KK=_#4HRjhY z(p!e)+nG9klM^OiiVwv_i(VK^DkW&-7^YS`vyU6o{9BB zz)54N2^l&?QfVt;i$_PlZUZ{4G?qSGtnK86x8oM&}$_ zsxQ9B+LKU^X#Q+(kV>c`gL8o1r58H~dIa}ZjuYgn-EF*X-G_+$5=1#Ta7200k zP=vgCmb{U~L(*U^w99ZO{ia+fyZ$zYNJ^2l^pC_Bii4nlqu2|4N50&*Hn&a){ciUiQy>fEwKt8Q)Y|!E)C&(kYfQaz@(>F` zyUXFGr> zu}`dEHiO$|XU68m>wEPYX7e=l)w#s-5RFJxVYa@c2d)}CCZAP-PETbzvsL+-{JriO zoC_$9=7j2}LqpfARez+85G}fk6X$3w4-xKZ^m4BQ)z16c$B* z1a3&76eNlZay6{NBW=ly8(e;GmaF-v9K4*6XXgfw-1t(>01{LMDGSUl!FnN3C35az z8Tgflo|l9vfZ#n@yibzcep;P-`SegAx5&=ginXco0M+6IzWR@f@oTQM z=e_CIQ0d#>_h>-(W%MPn%W>74hWTu$FIBR-^2*g(XCtY-`7y32G0t0`XnJ_c;%mzg 
zJ;dSK!4a?Fy*PsO^WCu1v+idfTCAt`o6Wu~iEgSd2~`&)j5?kM>($s)G8prdIl^EQ z^4NWMyhdPK*5TC1>i9F-;$POv1{z1me(z*kN%@-j?l=M7FBFVJ-~Wg4{@RVK3lEFG zD1!BV9Cb&DKZ5?3X$Qlp^zx$A;$IY#zfq4f`#S&ct#8+T|I_-GahvBdrhmt>gW~rg z%RkBcWH}GY6?$_2VOAnyQYu<>@Qz`BZ(HM7wy$&=Dx{ytoNbfhbLY`Q%i4-zUCPwE zewPZx5t8r*{~JtNi(&gK0|PxHJ!zyZs1uAY4jb3;8u6WxgHusCv9hu*zp`BvO%oRD zWyTG4-}BINPAfl=+`sQX%~|QOxB*MU?j5B8(xnjix=#K-#wi|ny7i_?!JO@3Zg%9< z@;}IL?)Fn7<1aGyx*p8~UJQ}-5p6aC>Z(4@g=GO%Nfxoa%~G_Sysz_jEL@7%`Or%33D^(>1Ytg^ja| za!7}Q;sqIs`%U)q>WL_*T7UF)%ha(-e3vw#;p5*3lk=pJ#mW7S^Q1>TT+RkKgW<+% zC*_{}%O##Gn~<}JoXh6$TT66ZJ0%xd@FB?BtU55=a2mtxQc$--Rw-?=v8{qR$6aPq zGi@_n@ITdqB)*?lhj(9l^7UZD>o_OttFA0p25Srzbk>fnhEL#F)lFNJ?7%M}@c5z# zTQxk-8#T(m*%@~7VWd^7@{X~dzxtke!8l;hlso>gtdNO3kD>83H~8PM)z>;CXRl_q z-N3RTAIYZIlRr+Vf?<>}RgJtwa`ih1V&jWyWz4)kk%D!XIHKk+9$tV_iGfCt2dW7U(ukZ49 z>nv5}Xsk$O>0=flKY{i@Zb5R~u>c@-?n94WY?Y){v3{MQ?!A)eL?hTz~3;6ZV{btgpt`)6uj)752n?>nDVm3_VtRTbz z?4ZLTBojKOwv(YwO=OcYR3z#DDLr`m;lbd)zR`ynzBTY)CFcp3g=xPyuV39GyE;q$ zw}1DX(>6-n}y_UQAke~?LXHSD`5K5w#OTt$l#&1>S~rOiRLU7iv#8)pMc*_pdO z`@uc2^lV}5BQ_yuB^0GSf&F#PNceAW99jT;ZuH$z=z!Lu&N4krwSv|ddu{?9Agj8#D_iDW5`ONFqv&({ENbL=Bl_tL`}~{bmh=Lw~Q{?*)KY9qZ4pWnhBiL zh{k(+0wFU&HqYlYep&r~QVzYyJ{)q5U2uKP2jQwkPOKoRb5ym)A^hUBl?7D;g9O77 zua2H;o_`id1sO4%Y6zT$`<`Aqgs$~B1*Nq(|3&eYLjOC@!wg*o9~zZkY-ztJys2vh zer8zhJ^hQ~Ck5U6yUlAcgK2(`r2~KbMe*lzxuVcZ&V)-v=}U^6slSz+16`~Zil(kaZr7;< zy{}Iaa$;p5MspZ`U?Dw9Nw#=8v}YgiNWKN>jQ!qh5^`=Ezc0aZ-r`=rbz92n5?0vx5kW9dAz%e;HCR+36tlQh|fw)%r*b7dmsgIC)UUo^p=| zxK@kJ`_Wm_jfZson3Am$Zw~xS$fZ)LoxL5d*rWmk;FByf1vs7xm{5~=Ys18Qb~hGN zh+pJgS8tAZ#ygP1GVXjr-U|Pmc{s~LkRv1{rU@+SEFvITF3ziJE7Z*x>!+T^k9x^^i+vV=*GwRrrpR-oCMlh@Jh)bjQF zk5Nw(WCOqg8h{R`SLmppNh#L=xD=d%MQLO;lwfm2^H|p_#Cbf92dIYO?hj6NI1#=# zkS;jmt|W^rbIM$}xp~Pi&{=NAuOm+#}S&q4(zC-pNt0 zCEB6Q)6wxKs&vnxwZ_9gfOq5~K`iD^&4t*))4Q#0Cgi*KEEd3AJE^KbAZO@swYv>u_no7+F?*~CVd2y=Tay8MBEmf=gsc#PD z_8(BPD4X2b%c(1$<>*G*EBolb(wHmbSIY^I{Y>Jc9l8?&=Gj$ z^h}>rlwF?J{c`=0k$s|2i-4a;Mcu_+>@>G>I7>xt0F3aZmrH~ik;x~p3RpL@fj}zT 
z8c*lWJdQRdw43UtqQ`xdFRj)ji(RCFop|LWbk3u&^}{uScNO{Olj|hvP-3uT-izT& zCq$Q?IN>t4PF^5r(BP3uXD6RYrcKG`;&<;a2JTz=URbb-U;W&&k3!dQMrEEE>$_wX z9WM&(yBDLX?LDvFG_R~;9xaR;is*~g^Z^U>DO-1AJI9^@u{x8WTlmyA#j+ue4%ZfNzW zqsRtdEjt&#<)5jCEBKHzb`KWmSFqR&Q&lJ2aU=;ChzRC#0U71R!?|G*kA=&Plx-ke za7Cx0<*Mq+v{ICgr$|DT4`;rrRR@OZWkJUHE7~d*Ry+ANl_WL*i5sq3CD*|07gz|i z>V&^;vNY_MB_t|(+kQ0FaGthOD~c5uV$Ad?)mSF6tTMmrJW=(`<&@pQ!c@O>2Ug(< ztNUFpc)P(Waj%Q(3Jc8|KAwClc^Uz-7sJyi^=(x!LHN8yo>Ori3ndDJ-+-Jy+^tHi zD1M-?7~9of@p*G3pm*7@8h*l}Crlr=81w;-Ok*EP&7glT6C7MovKa^gf{K*0Di1@T znx#xg>j-B7wgVqT)w9E%^sPq9ZvD(Ou~J%r+Qr(&M@yip#VK?d2mCwc)(}l<@wf4fto7`bSZu zxF>Pb^q+pk6+E=;yG1(eRl~efybW*fkfIv0JtCs=c|jxg}cd!f76L?q{x% z>26SZexK*nh^XuP(d&*$Dz|9@?l?oa*wR%3bXj%)XkkAtP5_$0&Z;!w-n*N5m>&=W z{#-BqHv~WZVV$7gvdP8d87Xp>&M7c{IX|Gtu=uBeE+E;x8MCShRC6T6)DUvIGlZfz zJ9+pN4Di+~BMeqn>WPXG!gOz>&I#={VIw7)s>9LG4x>BQ2QpoH*`tw=1$BXmllhHb z+K~(IX|@8M1l*NdWe%Ov1g!{vCbUOR=DVbOro|c(4^uCRlA4Lt!az(dooKDJ#lRTr(8B|xe0*Fxt<^=EO5n-KJp-TvhG z=J=*?)K8wcqE{gomsMNYZzUyvXuXAXJ>QM(z3~~yeQvPx(xu^XnmOX=vW< z58IDS2nif+>6ep3fm*(Vp3A^g6%4rnd(5@8J27oep|N>c;y4b)xVYKTfYVsZ;nnZP&z1?+Yib<kOJ$G$4qwO4AY9gU zsSa%vJ$B^Fs&lH(Bu)~HZEba>+klXO_1f*~`(i0? 
From 8662b407df5118d9e7179933c5837cf798a1218c Mon Sep 17 00:00:00 2001 From: David Date: Wed, 18 Oct 2023 13:10:14 -0400 Subject: [PATCH 02/13] add roll back strategy, minor cleanups --- .../machine-config/manage-boot-images.md | 45 +++++++++++-------- 1 file changed, 27 insertions(+), 18 deletions(-) diff --git a/enhancements/machine-config/manage-boot-images.md b/enhancements/machine-config/manage-boot-images.md index 4b2252bc20..3fe3f2fa8e 100644 --- a/enhancements/machine-config/manage-boot-images.md +++ b/enhancements/machine-config/manage-boot-images.md 
@@ -11,31 +11,31 @@ reviewers: approvers: - "@yuqi-zhang" api-approvers: - - "@joelspeed" - - "@murnal" -creation-date: 2023-10-05 -last-updated: 2022-10-05 + - None +creation-date: 2023-10-16 +last-updated: 2022-10-17 tracking-link: - https://issues.redhat.com/browse/MCO-589 see-also: -replaces: -superseded-by: https://github.com/openshift/enhancements/pull/201, https://github.com/openshift/enhancements/pull/368 +replaces: + - https://github.com/openshift/enhancements/pull/368 +superseded-by: + - https://github.com/openshift/enhancements/pull/201 --- # Managing boot images via the MCO ## Summary -This is a proposal to manage bootimages via the `Machine Config Operator`(MCO), leveraging some of the [pre-work](https://github.com/openshift/installer/pull/4760) done as a result of the discussion in [#201](https://github.com/openshift/enhancements/pull/201). +This is a proposal to manage bootimages via the `Machine Config Operator`(MCO), leveraging some of the [pre-work](https://github.com/openshift/installer/pull/4760) done as a result of the discussion in [#201](https://github.com/openshift/enhancements/pull/201). This feature will only target standalone OCP installs. It will also be user opt-in and is planned to be released behind a feature gate. -For Install Provisioned Infrastructure(IPI) clusters, the end goal is to create a mechanism that can: +For Installer Provisioned Infrastructure(IPI) clusters, the end goal is to create a mechanism that can: - update the boot images references in `MachineSets` to the latest in the payload image - ensure stub ignition referenced in each `Machinesets` is in spec 3 format -This mechanism is user opt-in and will also be released behind a feature gate. - For User Provisioned Infrastructure(UPI) clusters, this end goal is to create a document(KB or otherwise) that a cluster admin would follow to update their boot images. 
+ ## Motivation Currently, bootimage references are [stored](https://github.com/openshift/installer/blob/1ca0848f0f8b2ca9758493afa26bf43ebcd70410/pkg/asset/machines/gcp/machines.go#L204C1-L204C1) in a `MachineSet` by the openshift installer during cluster bringup and is thereafter unmanaged. These boot image references are not updated on an upgrade, so any node scaled up using it will boot up with the original “install” bootimage. This has caused a myriad of issues during scale-up due to this version skew, when the nodes attempt the final pivot to the release payload image. Issues linked below: 
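Review bot: the new front matter in this hunk lists `https://github.com/openshift/enhancements/pull/201` under `superseded-by`, but the Summary a few lines further down describes #201 as the earlier discussion this proposal builds on, so the relationship reads inverted. Move it to `see-also` (or `replaces`) and leave `superseded-by` empty until something actually supersedes this document. The Summary bullets also spell the resource both `MachineSets` and `Machinesets`; pick one.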
@@ -62,29 +62,37 @@ The MCO will take over management of the boot image references and the stub igni - The new subcontroller does not provide a solution for UPI as it does not use `MachineSets`. We plan to support a UPI solution via documentation that is based on this workflow. - This is meant to be a user opt-in feature, and if the user wishes to keep their boot images static it will let them do so. - This does not intend to solve [booting into custom pools](https://issues.redhat.com/browse/MCO-773). +- This does not target Hypershift, as [it does not use machinesets](https://github.com/openshift/hypershift/blob/32309b12ae6c5d4952357f4ad17519cf2424805a/hypershift-operator/controllers/nodepool/nodepool_controller.go#L2168). ## Proposal -This automated flow is fairly straightforward, but will require a bit of special casing for each platform. +__Overview__ - The `machine-config-controller`(MCC) pod will gain a new sub-controller `machine_set_controller`(MSC) that monitors `MachineSet` changes and the `coreos-bootimages` [ConfigMap](https://github.com/openshift/installer/pull/4760). -- Based on platform and arch type, the MSC will check if the images referenced in the `MachineSet(s)` is the same as the one in the ConfigMap. Each platform(gcp, aws...and so on) does this differently, so this is a good opportunity to split the work up between platforms and see if the implementation is effective. The ConfigMap is considered to be the golden set of bootimage values, i.e. they will never go out of date. +- Before processing a MachineSet, the MSC will check for the existence of `io.openshift.mco-managed=true` annotation. If it is not present, the MSC will exit the reconciliation loop. This is how `MachineSets` are opted-in to this mechanism. +- Based on platform and arch type, the MSC will check if the boot images referenced in the `providerSpec` field of the `MachineSet` is the same as the one in the ConfigMap. 
Each platform(gcp, aws...and so on) does this differently, so this is a good opportunity to split the work up between platforms and see if the implementation is effective. The ConfigMap is considered to be the golden set of bootimage values, i.e. they will never go out of date. - Next, it will check if the stub secret referenced is spec 3. If it is spec 2, the MSC will try create a new version of this secret by trying to translate it to spec 3. This step is platform/arch agnostic. Failure to up translate will cause a degrade and the sub-controller will exit without patching the `MachineSet`. - Finally, if the MSC will attempt to patch the `MachineSet` if required. Failure to do so will cause a degrade. - Any other failures in the above steps will report an error; but degrades will only be in the specific cases mentioned above. Certain failures may also be as a result of an unsupported architecture or an unsupported platform. This is necessary because support for platforms will be phased in(and some platforms may not even desire this support) __Rolling back__ -The very first time bootimages are patched via this mechanism, the MSC will also backup the existing bootimage and secret references. This will be used to roll back the `MachineSets` which can be done by opting out of the feature. This is also an important mitigation in case things go wrong(invalid bootimage references, incorrect patching... etc). +The very first time a `MachineSet` is patched, the MSC will also backup the following via annotation to the `MachineSet`: +- `io.openshift.mco-pre-managed-image=` storing the original provider image reference +- `io.openshift.mco-pre-managed-secret=` storing the original stub secret + +A roll back can be done by opting out the `MachineSet`, this will trigger the MSC to restore the MachineSet to "factory" values by using the annotations mentioned above. +This is an important mitigation in case things go wrong(invalid bootimage references, incorrect patching... etc). 
__UPI__ For UPI, the proposal is to create platform specific documentation based on our implementation of the the above work. If this feature is -switched "on" in UPI, it is necessary to warn(degrade or some other way) the cluster admin to indicate that this functionally is essentially a no-op in the absence of machinesets. +opted in on a UPI install, it is necessary to warn(degrade or some other way) the cluster admin to indicate that this functionally is essentially a no-op in the absence of machinesets. ### Workflow Description -From the user workflow standpoint, this enhancement will be more or less invisible once turned ON. The opt-in mechanism is still up for debate and is one of the open questions below. +- To enroll a `MachineSet` for boot image updates, the cluster admin should add an annotation `io.openshift.mco-managed=true` to the `MachineSet`. +- To un-enroll(and effectively rollback) the `MachineSet` from boot image updates, the cluster admin should remove the `io.openshift.mco-managed=true` annotation from the `MachineSet`. #### Variation and form factor considerations [optional] 
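Review bot: in the "Rolling back" text, the restore path treats the `io.openshift.mco-pre-managed-image=` and `io.openshift.mco-pre-managed-secret=` annotations as trusted input, yet the hunk does not say what the MSC does when they are missing, were edited after the first patch, or name a secret that no longer exists. Please specify that the values are validated before being written back into `providerSpec`, that a missing backup leaves the `MachineSet` untouched and reports an error, and that `mco-pre-managed-secret` holds only the secret name, since annotations are readable by anyone who can read the `MachineSet`. The Workflow Description also makes removing `io.openshift.mco-managed=true` mean both "stop updating" and "restore factory values"; state that coupling as a deliberate choice or split it into two signals.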
@@ -128,9 +136,10 @@ TBD, based on the open questions below. ### Open Questions -- What should the user opt-in mechanism be? This could be simple as an configmap in the MCO namespace, or a new field in an [MCO CRD](https://github.com/openshift/api/blob/master/operator/v1/0000_80_machine-config-operator_01_config.crd.yaml). While feature gating is an "opt-in", this proposal only works when the cluster gets an upgrade and a newer boot image is available. As I understand it, upgrades do not happen under the TechPreviewNoUpgrade featureset and this feature will be a no-op - so we can't use feature gate as the only on/off toggle. -- This proposal relies on the golden configmap having a target value for every platform/arch combination that we use today. I've [noticed](https://issues.redhat.com/browse/MCO-793) some cases like vsphere don't have a a reference as it stands today. Why is that? Are there scenarios not requiring boot image updates? -- Heterogenous platform(nodes span across infra providers) concerns. Do such clusters exist? If they do, do they use `MachineSets`? The current proposal assumes the same platform across all nodes and uses the infra object to determine the cluster platform. The current proposal will run into an error if there is a platform mismatch and will exit non-fatally. +- Should we have a like a global switch that opt-in all `MachineSets` for this mechanism? +- Somewhat related to above, would we also want to allow opting out without rolling back? This is for a situation for the customer would not want to update the boot images any longer, but would like to keep the current image instead of the "factory" after rolling back. Not sure if anyone would use this, but though it was worth considering. +- This proposal relies on the golden configmap having a target value for every platform/arch combination that we use today. I've [noticed](https://issues.redhat.com/browse/MCO-793) some cases like vsphere don't have a reference as it stands today. 
Why is that? Are there scenarios not requiring boot image updates? +- Heterogenous platform(nodes span across infra providers) concerns. Do such clusters exist? If they do, do they use `MachineSets`? The current proposal assumes the same platform across all nodes and uses the infra object to determine the cluster platform. It reports anror if there is a platform mismatch and will exit non-fatally. - Hetergenous architecture concerns. I think these exist, but do they use `MachineSets`? The current proposal maps a `MachineSet` to an architecture, so this should not be a concern, but curious overall - The user could have possibly modified the stub ignition used in first boot with sensitive information. While this sub controller could uptranslate them, this is manipulating user data in a certain way which the customer may not be comfortable with. Are we ok with this? - What platforms do we want to support in GA? GCP was used in the PoC so I've added that, but is there an interest for certain platforms over others for the first release? From c7ebf0da9da55220701185eaa21fea7de89831e5 Mon Sep 17 00:00:00 2001 From: David Date: Tue, 31 Oct 2023 17:27:03 -0400 Subject: [PATCH 03/13] clarify opt-in mechanism, phases, MCS cert issue --- .../machine-config/manage-boot-images.md | 45 +++++++++++-------- 1 file changed, 26 insertions(+), 19 deletions(-) diff --git a/enhancements/machine-config/manage-boot-images.md b/enhancements/machine-config/manage-boot-images.md index 3fe3f2fa8e..f11d9c415a 100644 --- a/enhancements/machine-config/manage-boot-images.md +++ b/enhancements/machine-config/manage-boot-images.md 
@@ -38,13 +38,14 @@ For User Provisioned Infrastructure(UPI) clusters, this end goal is to create a ## Motivation -Currently, bootimage references are [stored](https://github.com/openshift/installer/blob/1ca0848f0f8b2ca9758493afa26bf43ebcd70410/pkg/asset/machines/gcp/machines.go#L204C1-L204C1) in a `MachineSet` by the openshift installer during cluster bringup and is thereafter unmanaged. These boot image references are not updated on an upgrade, so any node scaled up using it will boot up with the original “install” bootimage. This has caused a myriad of issues during scale-up due to this version skew, when the nodes attempt the final pivot to the release payload image. Issues linked below: +Currently, bootimage references are [stored](https://github.com/openshift/installer/blob/1ca0848f0f8b2ca9758493afa26bf43ebcd70410/pkg/asset/machines/gcp/machines.go#L204C1-L204C1) in a `MachineSet` by the openshift installer during cluster bringup and is thereafter not managed. These boot image references are not updated on an upgrade, so any node scaled up using it will boot up with the original “install” bootimage. This has caused a myriad of issues during scale-up due to this version skew, when the nodes attempt the final pivot to the release payload image. Issues linked below: - Afterburn [[1](https://issues.redhat.com/browse/OCPBUGS-7559)],[[2](https://issues.redhat.com/browse/OCPBUGS-4769)] - podman [[1](https://issues.redhat.com/browse/OCPBUGS-9969)] - skopeo [[1](https://issues.redhat.com/browse/OCPBUGS-3621)] -Additionally, the stub secret [referenced](https://github.com/openshift/installer/blob/1ca0848f0f8b2ca9758493afa26bf43ebcd70410/pkg/asset/machines/gcp/machines.go#L197) in the `MachineSet` is also unmanaged. This stub is used by the ignition binary in firstboot to auth and consume content from the `machine-config-server`(MCS). The content served includes the actual ignition configuration and the final pivot OS image. 
The ignition binary now does first boot provisioning based on this, then hands off to the `machine-config-daemon`(MCD) first boot service to do the final pivot. As 4.6 and up clusters only understood spec 3 ignition, and as the unmanaged ignition stub is only spec 2, this was now an incompatibility. This would prevent new nodes from joining a cluster that had been upgraded past 4.5, but was originally a 4.5 or lower at install time. Issue linked below: -- SAN [[1](https://issues.redhat.com/browse/OCPBUGS-1817)] +Additionally, the stub secret [referenced](https://github.com/openshift/installer/blob/1ca0848f0f8b2ca9758493afa26bf43ebcd70410/pkg/asset/machines/gcp/machines.go#L197) in the `MachineSet` is also not managed. This stub is used by the ignition binary in firstboot to auth and consume content from the `machine-config-server`(MCS). The content served includes the actual ignition configuration and the target OCI format RHCOS image. The ignition binary now does first boot provisioning based on this, then hands off to the `machine-config-daemon`(MCD) first boot service to do the reboot into the target OCI format RHCOS image. As 4.6 and up clusters only understood spec 3 ignition, and as the unmanaged ignition stub is only spec 2, this was now an incompatibility. This would prevent new nodes from joining a cluster that had been upgraded past 4.5, but was originally a 4.5 or lower at install time. + +To peel another layer from the Ignition onion (sorry), there are some scenarios in which the MCS TLS cert contained within the above ignition stub may be out of date or incompatible. In such cases, just up-translating the ignition stub will not be enough. Example issue [here](https://issues.redhat.com/browse/OCPBUGS-1817). 
Solving this is not a direct goal of this enhancement(this work is targeted and scoped by [MCO-642](https://issues.redhat.com/browse/MCO-642)), but it is important to keep track of as this is a new failure mode that will be exposed by solving the above two issues. ### User Stories @@ -57,10 +58,11 @@ Additionally, the stub secret [referenced](https://github.com/openshift/installe The MCO will take over management of the boot image references and the stub ignition. The installer is still responsible for creating the `MachineSet` at cluster bring-up of course, but once cluster installation is complete the MCO will ensure that boot images are in sync with the latest payload. From the user standpoint, this should cause less compatibility issues as nodes will no longer need to pivot to a different version of rhcos during node scaleup. +This should not interfere with existing workflows such as Hive and ArgoCD. As this is an opt-in mechanism, the cluster admin will be protected against such scenarios of accidental "reconciliation". + ### Non-Goals -- The new subcontroller does not provide a solution for UPI as it does not use `MachineSets`. We plan to support a UPI solution via documentation that is based on this workflow. -- This is meant to be a user opt-in feature, and if the user wishes to keep their boot images static it will let them do so. +- The new subcontroller is only intended to support clusters that use MachineSet backed node scaling. This is meant to be a user opt-in feature, and if the user wishes to keep their boot images static it will let them do so. - This does not intend to solve [booting into custom pools](https://issues.redhat.com/browse/MCO-773). - This does not target Hypershift, as [it does not use machinesets](https://github.com/openshift/hypershift/blob/32309b12ae6c5d4952357f4ad17519cf2424805a/hypershift-operator/controllers/nodepool/nodepool_controller.go#L2168). 
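Review bot: the added sentence "This should not interfere with existing workflows such as Hive and ArgoCD" only covers clusters that never opt in. Once a `MachineSet` owned by one of those tools is opted in, the tool and the MSC both write the boot image and stub secret references, and the text does not say which one wins or how the resulting back-and-forth is noticed. Describe the expected behaviour for that case. In Non-Goals, the rewritten first bullet folds two separate points (scope and opt-in) into one; keep them as separate bullets.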
@@ -84,11 +86,6 @@ The very first time a `MachineSet` is patched, the MSC will also backup the foll A roll back can be done by opting out the `MachineSet`, this will trigger the MSC to restore the MachineSet to "factory" values by using the annotations mentioned above. This is an important mitigation in case things go wrong(invalid bootimage references, incorrect patching... etc). -__UPI__ - -For UPI, the proposal is to create platform specific documentation based on our implementation of the the above work. If this feature is -opted in on a UPI install, it is necessary to warn(degrade or some other way) the cluster admin to indicate that this functionally is essentially a no-op in the absence of machinesets. - ### Workflow Description - To enroll a `MachineSet` for boot image updates, the cluster admin should add an annotation `io.openshift.mco-managed=true` to the `MachineSet`. @@ -115,7 +112,7 @@ The implementation has a GCP specific POC here: - https://github.com/openshift/machine-config-operator/pull/3980 Possible constraints: -- Ignition spec 2 to spec 3 is not deterministic. Some translations are unsupported and as a result not all stub secrets can be managed. In these cases, failure will be reported, and it will cause a cluster degrade. +- Ignition spec 2 to spec 3 is not deterministic. Some translations are unsupported and as a result not all stub secrets can be managed. In these cases, failure will be reported via an operator degrade. As the MSC is a sub controller within the MCC, this will bubble up from the MSC -> MCC -> MCO, and a "MSC failed to translate stub ignition to spec 3 due to ...." message will be visible as the degrade reason. - See Open questions below for some more possible constraints. ### Risks and Mitigations 
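Review bot: in the Possible constraints bullet, the degrade reason is given as "MSC failed to translate stub ignition to spec 3 due to ...." without saying what may follow "due to". The Open Questions acknowledge that the stub may have been modified with sensitive information, so the text should require that the reason names the `MachineSet`, the secret and the class of translation failure, and never echoes stub contents, because the message bubbles up MSC -> MCC -> MCO into operator status that is far more widely readable than the secret. It would also help to state how the admin clears the degrade when the stub cannot be translated at all.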
@@ -136,13 +133,10 @@ TBD, based on the open questions below. ### Open Questions -- Should we have a like a global switch that opt-in all `MachineSets` for this mechanism? +- Should we have a global switch that opt-ins all `MachineSets` for this mechanism? - Somewhat related to above, would we also want to allow opting out without rolling back? This is for a situation for the customer would not want to update the boot images any longer, but would like to keep the current image instead of the "factory" after rolling back. Not sure if anyone would use this, but though it was worth considering. -- This proposal relies on the golden configmap having a target value for every platform/arch combination that we use today. I've [noticed](https://issues.redhat.com/browse/MCO-793) some cases like vsphere don't have a reference as it stands today. Why is that? Are there scenarios not requiring boot image updates? -- Heterogenous platform(nodes span across infra providers) concerns. Do such clusters exist? If they do, do they use `MachineSets`? The current proposal assumes the same platform across all nodes and uses the infra object to determine the cluster platform. It reports anror if there is a platform mismatch and will exit non-fatally. -- Hetergenous architecture concerns. I think these exist, but do they use `MachineSets`? The current proposal maps a `MachineSet` to an architecture, so this should not be a concern, but curious overall -- The user could have possibly modified the stub ignition used in first boot with sensitive information. While this sub controller could uptranslate them, this is manipulating user data in a certain way which the customer may not be comfortable with. Are we ok with this? -- What platforms do we want to support in GA? GCP was used in the PoC so I've added that, but is there an interest for certain platforms over others for the first release? +- Heterogenous architecture concerns. I think these exist, but do they use `MachineSets`? 
The current proposal maps a `MachineSet` to an architecture, so this should not be a concern, but curious overall +- The user could have possibly modified the stub ignition used in first boot with sensitive information. While this sub controller could up translate them, this is manipulating user data in a certain way which the customer may not be comfortable with. Are we ok with this? ### Test Plan @@ -155,16 +149,29 @@ In addition to unit tests, the enhancement will also ship with e2e tests, outlin - Support for GCP - Unit & E2E tests - Feedback from openshift teams +- UPI documentation based on IPI workflow for select platforms - [Good CI signal from autoscaling nodes](https://github.com/cgwalters/enhancements/blob/5505d7db7d69ffa1ee838be972c70b572d882891/enhancements/bootimages.md#test-plan) #### Tech Preview -> GA - Feedback from interested customers -- UPI documentation based on IPI workflow for select platforms(vpshere + any others TBD) - User facing documentation created in [openshift-docs](https://github.com/openshift/openshift-docs/) -In future releases, we can phase in support for remaining platforms as we gain confidence in the functionality. Priorty list for this is still TBD. +Additionaly, a phased approach such as the following is the proposed: + +Phase 0 +- Support for GCP +- vsphere UPI documentation +- Opt-in mechanism +- Backup functionality +- Ignition stub management + +Phase 1 +- Support for Azure and AWS +- MCS TLS cert management + +In future releases, we can phase in support for remaining platforms as we gain confidence in the functionality and demands of those platforms. An exhaustive list can be found in [MCO-793](https://issues.redhat.com/browse/MCO-793). #### Removing a deprecated feature From e5602403b3bb72e0b986956e96214c4cf6ae44a9 Mon Sep 17 00:00:00 2001 
From: David Date: Fri, 10 Nov 2023 15:56:00 -0500 Subject: [PATCH 04/13] fleshed out opt-in, degrade & revert sections --- .../machine-config/manage-boot-images.md | 56 +++++++++++++++---- 1 file changed, 46 insertions(+), 10 deletions(-) diff --git a/enhancements/machine-config/manage-boot-images.md b/enhancements/machine-config/manage-boot-images.md index f11d9c415a..facde7b5df 100644 --- a/enhancements/machine-config/manage-boot-images.md +++ b/enhancements/machine-config/manage-boot-images.md 
@@ -70,26 +70,62 @@ This should not interfere with existing workflows such as Hive and ArgoCD. As th __Overview__ -- The `machine-config-controller`(MCC) pod will gain a new sub-controller `machine_set_controller`(MSC) that monitors `MachineSet` changes and the `coreos-bootimages` [ConfigMap](https://github.com/openshift/installer/pull/4760). -- Before processing a MachineSet, the MSC will check for the existence of `io.openshift.mco-managed=true` annotation. If it is not present, the MSC will exit the reconciliation loop. This is how `MachineSets` are opted-in to this mechanism. +- The `machine-config-controller`(MCC) pod will gain a new sub-controller `machine_set_controller`(MSC) that monitors `MachineSet` changes and the `coreos-bootimages` [ConfigMap](https://github.com/openshift/installer/pull/4760) changes. +- Before processing a MachineSet, the MSC will check if the following conditions are satisfied: + - `ManagedBootImages` feature gate is active + - The cluster and/or the machineset is opted-in to boot image updates. This mechanism is still TBD, see Workflow Description for more details. + - The golden configmap is verified to be in sync with the current version of the MCO. The MCO will "stamp"(annotate) the golden configmap with the new version of the MCO after atleast 1 node has succesfully completed an update to the new OCP image. This helps prevent `machinesets` being updated too soon at the end of a cluster upgrade, before the MCO itself has updated and has had a chance to roll out the new OCP image to the cluster. + + If any of the above checks fail, the MSC will exit out of the sync. - Based on platform and arch type, the MSC will check if the boot images referenced in the `providerSpec` field of the `MachineSet` is the same as the one in the ConfigMap. Each platform(gcp, aws...and so on) does this differently, so this is a good opportunity to split the work up between platforms and see if the implementation is effective. 
The ConfigMap is considered to be the golden set of bootimage values, i.e. they will never go out of date. - Next, it will check if the stub secret referenced is spec 3. If it is spec 2, the MSC will try create a new version of this secret by trying to translate it to spec 3. This step is platform/arch agnostic. Failure to up translate will cause a degrade and the sub-controller will exit without patching the `MachineSet`. - Finally, if the MSC will attempt to patch the `MachineSet` if required. Failure to do so will cause a degrade. - Any other failures in the above steps will report an error; but degrades will only be in the specific cases mentioned above. Certain failures may also be as a result of an unsupported architecture or an unsupported platform. This is necessary because support for platforms will be phased in(and some platforms may not even desire this support) -__Rolling back__ +#### Degrade Mechanism + +One possible strategy would be for the MSC to degrade the worker `MachineConfigPool` via a new [MachineConfigPoolConditionType](https://github.com/openshift/api/blob/master/machineconfiguration/v1/types.go#L492). This would be an API change, but a fairly simple one is it only adding a new type. The node controller(another sub controller within the MCC) would then [check for this condition](https://github.com/openshift/machine-config-operator/blob/master/pkg/controller/node/status.go#L142C34-L142C34) and degrade the worker pool, effectively degrading the operator. + +Every degrade will be associated with a machineset. As a result, the MSC will have to maintain a list(configmap or something else) of currently "degraded" machinesets, and remove/add to this list during a sync as necessary. Based on the list, the MSC can then intiate, update or clear a degrade condition on the operator. + +#### Reverting to original bootimage + +Couple of strategies here, one with annotations directly on the machineset, and another via a configmap in the MCO. 
+ +##### via Annotations + +The MSC will maintain a backup of the the following via annotation to the `MachineSet`: +- `io.openshift.mco-managed-factory-image=` storing the original provider image reference prior to the feature was turned on +- `io.openshift.mco-managed-factory-secret=` storing the original stub secret name +- `io.openshift.mco-managed-last-image=` storing the last provider image reference before an update +- `io.openshift.mco-managed-last-secret=` storing the last stub secret name before an update -The very first time a `MachineSet` is patched, the MSC will also backup the following via annotation to the `MachineSet`: -- `io.openshift.mco-pre-managed-image=` storing the original provider image reference -- `io.openshift.mco-pre-managed-secret=` storing the original stub secret +##### via ConfigMap -A roll back can be done by opting out the `MachineSet`, this will trigger the MSC to restore the MachineSet to "factory" values by using the annotations mentioned above. -This is an important mitigation in case things go wrong(invalid bootimage references, incorrect patching... etc). +The MSC will maintain a backup of the following per machinset, with these keys: +- `$(machine_set_name)-factory-image` storing the original provider image reference prior to the feature was turned on +- `$(machine_set_name)-factory-secret` storing the original stub secret name prior to the feature was turned on +- `$(machine_set_name)-last-image` storing the last provider image reference before an update +- `$(machine_set_name)-last-secret` storing the last stub secret name before an update + +A revert can be done by opting out the `MachineSet`, this will trigger the MSC to restore the MachineSet to values before the last update by using the annotations/configmap values mentioned above. This is an important mitigation in case things go wrong(invalid bootimage references, incorrect patching... etc). 
+ +The reason for keeping a factory version is in case the admin wishes to restore to factory values manually(they will have to opt-out of the feature first). It may also may aid in debugging. ### Workflow Description +It is important to note that there would be two "opt-in" knobs while this feature is under TechPreview. The admin would first have to turn on the feature gate, and then the opt-in mechanism. The secondary knob is necessary as some customers may want to keep their boot images static when this feature leaves TechPreview. +Couple of strategies as before: + +##### via Annotations + - To enroll a `MachineSet` for boot image updates, the cluster admin should add an annotation `io.openshift.mco-managed=true` to the `MachineSet`. -- To un-enroll(and effectively rollback) the `MachineSet` from boot image updates, the cluster admin should remove the `io.openshift.mco-managed=true` annotation from the `MachineSet`. +- To un-enroll(and effectively revert) the `MachineSet` from boot image updates, the cluster admin should remove the `io.openshift.mco-managed=true` annotation from the `MachineSet`. + +##### via an Operator type + +This would be be a global switch at the operator level and an API change. Here is a rough [PoC PR](https://github.com/openshift/api/compare/master...djoshy:api:manage-boot-image-toggle). Instead of checking per machineset, this would effectively opt-in all machinesets and be checked on every sync loop. + #### Variation and form factor considerations [optional] 
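Review bot: both backup strategies under "Reverting to original bootimage" store values that the MSC later writes into a `MachineSet` on opt-out, but neither says who else can write them or how they are checked. With the ConfigMap variant in particular, write access to that ConfigMap becomes equivalent to choosing the boot image and stub secret of a managed `MachineSet` on its next revert, so the section should name the namespace, the expected RBAC, and the validation the MSC applies before restoring. The `$(machine_set_name)-factory-image` style keys also need a length rule, since ConfigMap keys are capped at 253 characters and the suffix is appended to a name that can itself be that long. Separately, the version "stamp" on the golden configmap is introduced without its annotation key or a statement of what the MSC compares it against.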
@@ -117,7 +153,7 @@ Possible constraints: ### Risks and Mitigations -The biggest risk in this enhancement would be delivering a bad boot image. To mitigate this, we have outlined a rollback option. +The biggest risk in this enhancement would be delivering a bad boot image. To mitigate this, we have outlined a revert option. How will security be reviewed and by whom? TBD This is a solution aimed at reducing usage of outdated artifacts and should not introduce any security concerns that do not currently exist. From 8fde15a9ea9364753423f7a8b8ba64ff1ac9d2d9 Mon Sep 17 00:00:00 2001 From: David Date: Fri, 17 Nov 2023 15:40:38 -0500 Subject: [PATCH 05/13] updated opt-in, degrade & revert sections --- .../machine-config/manage-boot-images.md | 45 ++++++++++++------- 1 file changed, 30 insertions(+), 15 deletions(-) diff --git a/enhancements/machine-config/manage-boot-images.md b/enhancements/machine-config/manage-boot-images.md index facde7b5df..1c8735cdb9 100644 --- a/enhancements/machine-config/manage-boot-images.md +++ b/enhancements/machine-config/manage-boot-images.md @@ -13,7 +13,7 @@ approvers: api-approvers: - None creation-date: 2023-10-16 -last-updated: 2022-10-17 +last-updated: 2022-11-17 tracking-link: - https://issues.redhat.com/browse/MCO-589 see-also: 
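Review bot: `last-updated: 2022-11-17` is still earlier than `creation-date: 2023-10-16`; the year should be 2023. `api-approvers` also remains `None` in the context lines, although the document now discusses API changes (a new `MachineConfigPoolConditionType`, an operator-level opt-in type), so an API approver should be listed.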
@@ -65,6 +65,7 @@ This should not interfere with existing workflows such as Hive and ArgoCD. As th - The new subcontroller is only intended to support clusters that use MachineSet backed node scaling. This is meant to be a user opt-in feature, and if the user wishes to keep their boot images static it will let them do so. - This does not intend to solve [booting into custom pools](https://issues.redhat.com/browse/MCO-773). - This does not target Hypershift, as [it does not use machinesets](https://github.com/openshift/hypershift/blob/32309b12ae6c5d4952357f4ad17519cf2424805a/hypershift-operator/controllers/nodepool/nodepool_controller.go#L2168). +- This proposal only targets MAPI backed machinesets. It does not intend to support CAPI backed machinesets, but we hope to do so in a future release, perhaps with a seperate enhancement. ## Proposal 
@@ -86,16 +87,20 @@ __Overview__ One possible strategy would be for the MSC to degrade the worker `MachineConfigPool` via a new [MachineConfigPoolConditionType](https://github.com/openshift/api/blob/master/machineconfiguration/v1/types.go#L492). This would be an API change, but a fairly simple one is it only adding a new type. The node controller(another sub controller within the MCC) would then [check for this condition](https://github.com/openshift/machine-config-operator/blob/master/pkg/controller/node/status.go#L142C34-L142C34) and degrade the worker pool, effectively degrading the operator. -Every degrade will be associated with a machineset. As a result, the MSC will have to maintain a list(configmap or something else) of currently "degraded" machinesets, and remove/add to this list during a sync as necessary. Based on the list, the MSC can then intiate, update or clear a degrade condition on the operator. +As mentioned in the above section, degrading will only happen in two scenarios: +- Translating the ignition stub to spec 3 fails. This is likely more fatal and won't get fixed without the editing the ignition stub manually. +- Patching of the MachineSet fails. This is likely due to a temporary API server outage and will resolve itself without user intervention. + +Every degrade will be associated with a machineset. As a result, the MSC will have to maintain a local list of currently "degraded" machinesets, and remove/add to this list during a sync loop as necessary. Based on the changes to this list, the MSC can then intiate, update or clear a degrade condition on the operator. #### Reverting to original bootimage -Couple of strategies here, one with annotations directly on the machineset, and another via a configmap in the MCO. 
+Few strategies here: ##### via Annotations The MSC will maintain a backup of the the following via annotation to the `MachineSet`: -- `io.openshift.mco-managed-factory-image=` storing the original provider image reference prior to the feature was turned on +- `io.openshift.mco-managed-factory-image=` storing the original provider image reference prior to when the feature was turned on - `io.openshift.mco-managed-factory-secret=` storing the original stub secret name - `io.openshift.mco-managed-last-image=` storing the last provider image reference before an update - `io.openshift.mco-managed-last-secret=` storing the last stub secret name before an update 
@@ -103,12 +108,18 @@ The MSC will maintain a backup of the the following via annotation to the `Machi ##### via ConfigMap The MSC will maintain a backup of the following per machinset, with these keys: -- `$(machine_set_name)-factory-image` storing the original provider image reference prior to the feature was turned on +- `$(machine_set_name)-factory-image` storing the original provider image reference prior to when the feature was turned on - `$(machine_set_name)-factory-secret` storing the original stub secret name prior to the feature was turned on - `$(machine_set_name)-last-image` storing the last provider image reference before an update - `$(machine_set_name)-last-secret` storing the last stub secret name before an update -A revert can be done by opting out the `MachineSet`, this will trigger the MSC to restore the MachineSet to values before the last update by using the annotations/configmap values mentioned above. This is an important mitigation in case things go wrong(invalid bootimage references, incorrect patching... etc). +##### Via new MachineSet fields + +Another proposed strategy is to add the required fields into the `.Status` section of a `MachineSet` object. This would be an API change. + +##### Mechanism + +A revert can be done by opting out the `MachineSet`, this will trigger the MSC to restore the MachineSet to last known good values stored from the backups. This is an important mitigation in case things go wrong(invalid bootimage references, incorrect patching... etc). The reason for keeping a factory version is in case the admin wishes to restore to factory values manually(they will have to opt-out of the feature first). It may also may aid in debugging. 
@@ -124,7 +135,11 @@ Couple of strategies as before: ##### via an Operator type -This would be be a global switch at the operator level and an API change. Here is a rough [PoC PR](https://github.com/openshift/api/compare/master...djoshy:api:manage-boot-image-toggle). Instead of checking per machineset, this would effectively opt-in all machinesets and be checked on every sync loop. +This is an API change to and would involve adding two new fields in the [operator types](https://github.com/openshift/api/blob/master/operator/v1/types_machineconfiguration.go) for the MCO: +- `BootImageUpdateMode` This is an enum which can have three values: `Enabled`, `Selected` or `Disabled` +- `BootImageUpdateEnrolledMachineSets` This is a list of enrolleds machinesets. When the above type is in the `Selected` mode, all machinesets in the list would be considered enrolled for updates. + +Here is a [rough PR](https://github.com/openshift/api/pull/1672) of what these API changes would look like. #### Variation and form factor considerations [optional] 
@@ -169,9 +184,6 @@ TBD, based on the open questions below. ### Open Questions -- Should we have a global switch that opt-ins all `MachineSets` for this mechanism? -- Somewhat related to above, would we also want to allow opting out without rolling back? This is for a situation for the customer would not want to update the boot images any longer, but would like to keep the current image instead of the "factory" after rolling back. Not sure if anyone would use this, but though it was worth considering. -- Heterogenous architecture concerns. I think these exist, but do they use `MachineSets`? The current proposal maps a `MachineSet` to an architecture, so this should not be a concern, but curious overall - The user could have possibly modified the stub ignition used in first boot with sensitive information. While this sub controller could up translate them, this is manipulating user data in a certain way which the customer may not be comfortable with. Are we ok with this? ### Test Plan @@ -183,10 +195,11 @@ In addition to unit tests, the enhancement will also ship with e2e tests, outlin #### Dev Preview -> Tech Preview - Support for GCP -- Unit & E2E tests +- Opt-in and Degrade mechanism +- GCP specific E2E tests - Feedback from openshift teams - UPI documentation based on IPI workflow for select platforms -- [Good CI signal from autoscaling nodes](https://github.com/cgwalters/enhancements/blob/5505d7db7d69ffa1ee838be972c70b572d882891/enhancements/bootimages.md#test-plan) +- [Good CI signal from autoscaling nodes](https://github.com/cgwalters/enhancements/blob/5505d7db7d69ffa1ee838be972c70b572d882891/enhancements/bootimages.md#test-plan) #### Tech Preview -> GA 
@@ -200,14 +213,16 @@ Phase 0 - Support for GCP - vsphere UPI documentation - Opt-in mechanism -- Backup functionality -- Ignition stub management +- Degrade mechanism +- E2E tests Phase 1 - Support for Azure and AWS +- Backup functionality +- Ignition stub management - MCS TLS cert management -In future releases, we can phase in support for remaining platforms as we gain confidence in the functionality and demands of those platforms. An exhaustive list can be found in [MCO-793](https://issues.redhat.com/browse/MCO-793). +In future phases/releases, we can add in support for remaining platforms as we gain confidence in the functionality and demands of those platforms. An exhaustive list can be found in [MCO-793](https://issues.redhat.com/browse/MCO-793). #### Removing a deprecated feature From 201a4141c1aad90034dbd6097c4c2906d8abeadf Mon Sep 17 00:00:00 2001 From: David Date: Wed, 29 Nov 2023 15:48:22 -0500 Subject: [PATCH 06/13] added API changes & examples, CAPI section --- .../machine-config/manage-boot-images.md | 272 ++++++++++++++---- .../manage_boot_images_flow.jpg | Bin 71285 -> 59490 bytes 2 files changed, 213 insertions(+), 59 deletions(-) diff --git a/enhancements/machine-config/manage-boot-images.md b/enhancements/machine-config/manage-boot-images.md index 1c8735cdb9..38d8f0a0d8 100644 --- a/enhancements/machine-config/manage-boot-images.md +++ b/enhancements/machine-config/manage-boot-images.md @@ -11,9 +11,9 @@ reviewers: approvers: - "@yuqi-zhang" api-approvers: - - None + - "@joelspeed" creation-date: 2023-10-16 -last-updated: 2022-11-17 +last-updated: 2022-11-29 tracking-link: - https://issues.redhat.com/browse/MCO-589 see-also: 
@@ -29,11 +29,11 @@ superseded-by: This is a proposal to manage bootimages via the `Machine Config Operator`(MCO), leveraging some of the [pre-work](https://github.com/openshift/installer/pull/4760) done as a result of the discussion in [#201](https://github.com/openshift/enhancements/pull/201). This feature will only target standalone OCP installs. It will also be user opt-in and is planned to be released behind a feature gate. -For Installer Provisioned Infrastructure(IPI) clusters, the end goal is to create a mechanism that can: +For `MachineSet` managed clusters, the end goal is to create an automated mechanism that can: - update the boot images references in `MachineSets` to the latest in the payload image - ensure stub ignition referenced in each `Machinesets` is in spec 3 format -For User Provisioned Infrastructure(UPI) clusters, this end goal is to create a document(KB or otherwise) that a cluster admin would follow to update their boot images. +For clusters that are not managed by `MachineSets`, the end goal is to create a document(KB or otherwise) that a cluster admin would follow to update their boot images. ## Motivation 
@@ -65,7 +65,6 @@ This should not interfere with existing workflows such as Hive and ArgoCD. As th - The new subcontroller is only intended to support clusters that use MachineSet backed node scaling. This is meant to be a user opt-in feature, and if the user wishes to keep their boot images static it will let them do so. - This does not intend to solve [booting into custom pools](https://issues.redhat.com/browse/MCO-773). - This does not target Hypershift, as [it does not use machinesets](https://github.com/openshift/hypershift/blob/32309b12ae6c5d4952357f4ad17519cf2424805a/hypershift-operator/controllers/nodepool/nodepool_controller.go#L2168). -- This proposal only targets MAPI backed machinesets. It does not intend to support CAPI backed machinesets, but we hope to do so in a future release, perhaps with a seperate enhancement. ## Proposal 
@@ -74,73 +73,35 @@ __Overview__ - The `machine-config-controller`(MCC) pod will gain a new sub-controller `machine_set_controller`(MSC) that monitors `MachineSet` changes and the `coreos-bootimages` [ConfigMap](https://github.com/openshift/installer/pull/4760) changes. - Before processing a MachineSet, the MSC will check if the following conditions are satisfied: - `ManagedBootImages` feature gate is active - - The cluster and/or the machineset is opted-in to boot image updates. This mechanism is still TBD, see Workflow Description for more details. + - The cluster and/or the machineset is opted-in to boot image updates. - The golden configmap is verified to be in sync with the current version of the MCO. The MCO will "stamp"(annotate) the golden configmap with the new version of the MCO after atleast 1 node has succesfully completed an update to the new OCP image. This helps prevent `machinesets` being updated too soon at the end of a cluster upgrade, before the MCO itself has updated and has had a chance to roll out the new OCP image to the cluster. If any of the above checks fail, the MSC will exit out of the sync. -- Based on platform and arch type, the MSC will check if the boot images referenced in the `providerSpec` field of the `MachineSet` is the same as the one in the ConfigMap. Each platform(gcp, aws...and so on) does this differently, so this is a good opportunity to split the work up between platforms and see if the implementation is effective. The ConfigMap is considered to be the golden set of bootimage values, i.e. they will never go out of date. -- Next, it will check if the stub secret referenced is spec 3. If it is spec 2, the MSC will try create a new version of this secret by trying to translate it to spec 3. This step is platform/arch agnostic. Failure to up translate will cause a degrade and the sub-controller will exit without patching the `MachineSet`. 
+- Based on platform and architecture type, the MSC will check if the boot images referenced in the `providerSpec` field of the `MachineSet` is the same as the one in the ConfigMap. Each platform(gcp, aws...and so on) does this differently, so this part of the implementation will have to be special cased. The ConfigMap is considered to be the golden set of bootimage values, i.e. they will never go out of date. If it is not a match, the `providerSpec` field is cloned and updated with the new boot image reference. +- Next, it will check if the stub secret referenced is spec 3. If it is spec 2, the MSC will try create a new version of this secret by trying to translate it to spec 3. The new secret will be named `$(secret_name)-spec-3-managed`. It is necessary to preserve the old secret as `MachineSets` that are not opted-in to boot image updates will still reference the older secret and use them. + +The above step is platform/arch agnostic. Failure to up translate will cause a degrade and the sub-controller will exit without patching the `MachineSet`. - Finally, if the MSC will attempt to patch the `MachineSet` if required. Failure to do so will cause a degrade. -- Any other failures in the above steps will report an error; but degrades will only be in the specific cases mentioned above. Certain failures may also be as a result of an unsupported architecture or an unsupported platform. This is necessary because support for platforms will be phased in(and some platforms may not even desire this support) #### Degrade Mechanism -One possible strategy would be for the MSC to degrade the worker `MachineConfigPool` via a new [MachineConfigPoolConditionType](https://github.com/openshift/api/blob/master/machineconfiguration/v1/types.go#L492). This would be an API change, but a fairly simple one is it only adding a new type. 
The node controller(another sub controller within the MCC) would then [check for this condition](https://github.com/openshift/machine-config-operator/blob/master/pkg/controller/node/status.go#L142C34-L142C34) and degrade the worker pool, effectively degrading the operator. +The MSC will degrade the worker `MachineConfigPool` via a new [MachineConfigPoolConditionType](https://github.com/openshift/api/blob/master/machineconfiguration/v1/types.go#L492). This would be an API change, but a fairly simple one is it only adding a new condition type. The node controller(another sub controller within the MCC) would then [check for this condition](https://github.com/openshift/machine-config-operator/blob/master/pkg/controller/node/status.go#L142C34-L142C34) and degrade the worker pool, effectively degrading the operator. As mentioned in the above section, degrading will only happen in two scenarios: - Translating the ignition stub to spec 3 fails. This is likely more fatal and won't get fixed without the editing the ignition stub manually. - Patching of the MachineSet fails. This is likely due to a temporary API server outage and will resolve itself without user intervention. -Every degrade will be associated with a machineset. As a result, the MSC will have to maintain a local list of currently "degraded" machinesets, and remove/add to this list during a sync loop as necessary. Based on the changes to this list, the MSC can then intiate, update or clear a degrade condition on the operator. +The degrade condition is calculated at the end of a sync loop. In the case of multiple failures within a single sync loop, the message for degrades will be accumulated to include the `MachineSets` associated with all the failures. 
#### Reverting to original bootimage -Few strategies here: - -##### via Annotations - -The MSC will maintain a backup of the the following via annotation to the `MachineSet`: -- `io.openshift.mco-managed-factory-image=` storing the original provider image reference prior to when the feature was turned on -- `io.openshift.mco-managed-factory-secret=` storing the original stub secret name -- `io.openshift.mco-managed-last-image=` storing the last provider image reference before an update -- `io.openshift.mco-managed-last-secret=` storing the last stub secret name before an update - -##### via ConfigMap - -The MSC will maintain a backup of the following per machinset, with these keys: -- `$(machine_set_name)-factory-image` storing the original provider image reference prior to when the feature was turned on -- `$(machine_set_name)-factory-secret` storing the original stub secret name prior to the feature was turned on -- `$(machine_set_name)-last-image` storing the last provider image reference before an update -- `$(machine_set_name)-last-secret` storing the last stub secret name before an update - -##### Via new MachineSet fields - -Another proposed strategy is to add the required fields into the `.Status` section of a `MachineSet` object. This would be an API change. - -##### Mechanism - -A revert can be done by opting out the `MachineSet`, this will trigger the MSC to restore the MachineSet to last known good values stored from the backups. This is an important mitigation in case things go wrong(invalid bootimage references, incorrect patching... etc). - -The reason for keeping a factory version is in case the admin wishes to restore to factory values manually(they will have to opt-out of the feature first). It may also may aid in debugging. +The proposal will introduce a CR, `MachineSetBootImageHistory` to store the boot image history associated with a given machineset. 
By providing this CR and accompanying documentation, the user will be able to restore their machinesets to an earlier state if they wish to do so. ### Workflow Description -It is important to note that there would be two "opt-in" knobs while this feature is under TechPreview. The admin would first have to turn on the feature gate, and then the opt-in mechanism. The secondary knob is necessary as some customers may want to keep their boot images static when this feature leaves TechPreview. -Couple of strategies as before: - -##### via Annotations - -- To enroll a `MachineSet` for boot image updates, the cluster admin should add an annotation `io.openshift.mco-managed=true` to the `MachineSet`. -- To un-enroll(and effectively revert) the `MachineSet` from boot image updates, the cluster admin should remove the `io.openshift.mco-managed=true` annotation from the `MachineSet`. - -##### via an Operator type - -This is an API change to and would involve adding two new fields in the [operator types](https://github.com/openshift/api/blob/master/operator/v1/types_machineconfiguration.go) for the MCO: -- `BootImageUpdateMode` This is an enum which can have three values: `Enabled`, `Selected` or `Disabled` -- `BootImageUpdateEnrolledMachineSets` This is a list of enrolleds machinesets. When the above type is in the `Selected` mode, all machinesets in the list would be considered enrolled for updates. - -Here is a [rough PR](https://github.com/openshift/api/pull/1672) of what these API changes would look like. +It is important to note that there would be two "opt-in" knobs while this feature is under TechPreview. The user would first have to turn on the feature gate, and then the opt-in mechanism. The secondary knob is necessary as some customers may want to keep their boot images static when this feature leaves TechPreview. +See the API extension section for examples of how this feature can be turned on and off. #### Variation and form factor considerations [optional] 
@@ -149,9 +110,200 @@ Any form factor using the MCO and `MachineSets` will be impacted by this proposa - microshift: No, as it does [not](https://github.com/openshift/microshift/blob/main/docs/contributor/enabled_apis.md) use `MachineSets`. - Hypershift: No, Hypershift does not have this issue. +##### Cluster API backed machinesets + +As the Cluster API move is impending(initial release in 4.16 and default-on release in 4.17), it is necessary that this enhancement plans for the changes required in an CAPI backed cluster. Here are a couple of sample YAMLs used in CAPI backed `Machinesets`, from the [official Openshift documentation](https://docs.openshift.com/container-platform/4.14/machine_management/capi-machine-management.html#capi-sample-yaml-files-gcp). + +###### MachineSet resource +``` +apiVersion: cluster.x-k8s.io/v1beta1 +kind: MachineSet +metadata: + name: + namespace: openshift-cluster-api +spec: + clusterName: + replicas: 1 + selector: + matchLabels: + test: test + template: + metadata: + labels: + test: test + spec: + bootstrap: + dataSecretName: worker-user-data + clusterName: + infrastructureRef: + apiVersion: infrastructure.cluster.x-k8s.io/v1beta1 + kind: GCPMachineTemplate + name: + failureDomain: +``` +###### GCPMachineTemplate +``` +apiVersion: infrastructure.cluster.x-k8s.io/v1beta1 +kind: GCPMachineTemplate +metadata: + name: + namespace: openshift-cluster-api +spec: + template: + spec: + rootDeviceType: pd-ssd + rootDeviceSize: 128 + instanceType: n1-standard-4 + image: projects/rhcos-cloud/global/images/rhcos-411-85-202203181601-0-gcp-x86-64 + subnet: -worker-subnet + serviceAccounts: + email: + scopes: + - https://www.googleapis.com/auth/cloud-platform + additionalLabels: + kubernetes-io-cluster-: owned + additionalNetworkTags: + - -worker + ipForwarding: Disabled +``` +As can be seen, the bootimage becomes part of an `InfrastructureMachineTemplate` object (eg a GCPMachineTemplate), and then the MachineSet references this template and 
creates new machines from the template. The stub secret is now stored in a `bootstrap` object. Unlike MAPI backed MachineSets, both of them are no longer part of a single `providerSpec` object. + +It is important to note that InfrastructureMachineTemplate is different per platform and is immutable. This will prevent an update in place style approach and would mean that the template would need to be cloned, updated during the clone, and then the MachineSet updated. This is somewhat similar to the approach used in the current MAPI PoC of cloning the `providerSpec` object, updating it and then patching the `MachineSet`. The `bootstrap` object is platform agnostic, making it somewhat simpler to update. + +Based on the observation above, here is a rough outline of what CAPI support would require: +- CAPI backed MachineSet detection, so the MSC knows when to invoke the CAPI path +- Update the bootimage reference in `InfrastructureMachineTemplate` to matches the `core-bootimages` configMap value if required +- Update the ignition stub in `bootstrap` to spec 3 if required +- CAPI backed MachineSet patching + +Much of the existing architecture regarding architecture & platform detection, opt-in, degradation and storing boot image history can remain the same. + + ### API Extensions -We may have to make some changes to MCO CRDs for the opt-in feature. +#### Opt-in Mechanism + +This proposal will introduce a discriminated union in [operator types](https://github.com/openshift/api/blob/master/operator/v1/types_machineconfiguration.go) for the MCO, `ManagedBootImageConfig` which has two fields: + +- `Mode` This is an enum which can have three values: + - `Enabled` - All `Machinesets` will be enrolled for boot image updates. + - `MatchSelector` - `Machinesets` matched with the label selector will be enrolled for boot image updates. + - `Disabled` - No `Machinesets` will be enrolled for boot image updates. 
+- `MatchSelector` This is a label selector that will be used by machineset objects to opt-in. + +Here are some YAML examples that describes operators in each of these modes: +##### Enabled +``` +apiVersion: operator.openshift.io/v1 +kind: MachineConfiguration +metadata: + name: default + labels: +spec: + managedBootImageConfig: + mode: Enabled +``` +##### Disabled +``` +apiVersion: operator.openshift.io/v1 +kind: MachineConfiguration +metadata: + name: default + labels: +spec: + managedBootImageConfig: + mode: Disabled +``` +##### MatchSelector +``` +apiVersion: operator.openshift.io/v1 +kind: MachineConfiguration +metadata: + name: default + labels: +spec: + managedBootImageConfig: + mode: MatchSelector + matchSelector: + matchLabels: + machineconfiguration.openshift.io/mco-managed-machineset: "" +``` +Note: While in this mode, the label added to the selector will have to be added to the `machineset` object. + +A [ValidatingAdmissionPolicy](https://kubernetes.io/docs/reference/access-authn-authz/validating-admission-policy/) will be implemented via an MCO manifest that will restrict updating the `ManagedBootImageConfig` object to only supported platforms(initially, just GCP). This will be updated as we phase in support for other platforms. 
Here is a sample policy that would do this: + +``` +apiVersion: admissionregistration.k8s.io/v1beta1 +kind: ValidatingAdmissionPolicy +metadata: + name: "managed-bootimages-platform-check" +spec: + failurePolicy: Fail + paramKind: + apiVersion: config.openshift.io/v1 + kind: Infrastructure + matchConstraints: + resourceRules: + - apiGroups: ["operator"] + apiVersions: ["v1"] + operations: ["CREATE", "UPDATE"] + resources: ["MachineConfiguration"] + validations: + - expression: "has(object.spec.MachineBootImageConfig) && param.status.platformStatus.Type != `GCP`" + message: "This feature is only supported on these platforms: GCP" +``` +This would need an accompanying binding: +``` +apiVersion: admissionregistration.k8s.io/v1beta1 +kind: ValidatingAdmissionPolicyBinding +metadata: + name: "managed-bootimages-platform-check-binding" +spec: + policyName: "managed-bootimages-platform-check" + validationActions: [Deny] + paramRef: + name: "cluster" + namespace: "default" +``` +#### Tracking boot image history + +This proposal will also introduce a new CR, `MachineSetBootImageHistory` for tracking boot image history in the MCO namespace. 
As a starting point, here is a stub type definition for this: + +``` +type MachineSetBootImageHistory struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + + Spec MachineSetBootImageHistorySpec `json:"spec,omitempty"` + Status MachineSetBootImageHistoryStatus `json:"status,omitempty"` +} + +// MachineSetBootImageHistorySpec defines the desired state of MachineSetBootImageHistory +type MachineSetBootImageHistorySpec struct { + MachineSetName string `json:"machineSetName"` + Details []BootImageHistoryDetail `json:"details"` +} + +// MachineSetBootImageHistoryStatus defines the observed state of MachineSetBootImageHistory +type MachineSetBootImageHistoryStatus struct { +} + +// BootImageHistoryDetail is the struct for each element in the Details array +type BootImageHistoryDetail struct { + Index int `json:"index"` + UpdatedTime metav1.Time `json:"updatedTime"` + BootImageRef string `json:"bootImageRef"` + StubSecretRef string `json:"stubSecretRef"` +} + +// MachineSetBootImageHistoryList contains a list of MachineSetBootImageHistory +type MachineSetBootImageHistoryList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + Items []MachineSetBootImageHistory `json:"items"` +} +``` +There will be one instance of this per machineset and it will be updated by the MSC as `Machinesets` are created/updated. This CRD will also need to support MAPI and CAPI backed `MachineSets`. The goal of this is to provide information about the "lineage" of a `MachineSet` to the user. The user can then manually restore their `MachineSet` to an earlier state if they wish to do so by following documentation. The MCO will not directly consume from this CR. This is not planned to be part of the initial release, but more of a nice to have. ### Implementation Details/Notes/Constraints [optional] 
@@ -163,8 +315,7 @@ The implementation has a GCP specific POC here: - https://github.com/openshift/machine-config-operator/pull/3980 Possible constraints: -- Ignition spec 2 to spec 3 is not deterministic. Some translations are unsupported and as a result not all stub secrets can be managed. In these cases, failure will be reported via an operator degrade. As the MSC is a sub controller within the MCC, this will bubble up from the MSC -> MCC -> MCO, and a "MSC failed to translate stub ignition to spec 3 due to ...." message will be visible as the degrade reason. -- See Open questions below for some more possible constraints. +- Ignition spec 2 to spec 3 is not deterministic. Some translations are unsupported and as a result not all stub secrets can be managed. ### Risks and Mitigations @@ -209,19 +360,22 @@ In addition to unit tests, the enhancement will also ship with e2e tests, outlin Additionaly, a phased approach such as the following is the proposed: -Phase 0 +#### Phase 0 - Support for GCP - vsphere UPI documentation - Opt-in mechanism - Degrade mechanism - E2E tests -Phase 1 +#### Phase 1 - Support for Azure and AWS -- Backup functionality - Ignition stub management - MCS TLS cert management +#### Phase 2 +- Tracking boot image history +- User facing documentation for manual restoration + In future phases/releases, we can add in support for remaining platforms as we gain confidence in the functionality and demands of those platforms. An exhaustive list can be found in [MCO-793](https://issues.redhat.com/browse/MCO-793). #### Removing a deprecated feature 
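Review bot: in the "via Annotations" list of the `@@ -86,16 +87,20 @@` hunk, the `io.openshift.mco-managed-factory-image` and `io.openshift.mco-managed-last-image` backups are stored on the same `MachineSet` that a revert restores from, so anyone who can edit the MachineSet can also change the image reference and stub secret name the MSC will write back. The text should say who is allowed to write these annotations and whether the MSC validates a restored value (for example against references it has itself applied) before patching. The same applies to the ConfigMap variant: name the namespace it lives in and who can write to it.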
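Review bot: the `BootImageUpdateMode` / `BootImageUpdateEnrolledMachineSets` description in the `@@ -124,7 +135,11 @@` hunk does not state the default value of the enum or what happens to a non-empty list when the mode is `Enabled` or `Disabled`. Since the feature is described as user opt-in, say explicitly that an unset field means `Disabled`, and whether list entries that name a MachineSet that does not exist are ignored or reported. Wording nits in the added lines: "This is an API change to and would involve" has a stray "to", and "enrolleds" should be "enrolled".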
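Review bot: the `@@ -169,9 +184,6 @@` hunk deletes three open questions without recording what was decided. The second one (opting out without rolling back) matters because the same revision says that opting out a `MachineSet` triggers a restore; a reader cannot tell whether "stop updating but keep the current image" was rejected or is still undecided. Please move the answers into the Proposal or Workflow sections rather than only removing the questions.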
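Review bot: in the front-matter hunk `@@ -11,9 +11,9 @@`, the new `last-updated: 2022-11-29` is earlier than `creation-date: 2023-10-16` on the line above it. The year should be 2023; the previous value `2022-11-17` had the same problem.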
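Review bot: the added text about `$(secret_name)-spec-3-managed` in the `@@ -74,73 +73,35 @@` hunk creates a second copy of the stub ignition but gives it no lifecycle. The open questions already note that the stub may carry sensitive user data, so the proposal should say who owns the translated secret, whether it is regenerated when the original secret changes, and whether it is deleted when the `MachineSet` is opted out or removed. Two smaller points in the same hunk: "Finally, if the MSC will attempt to patch" has a stray "if", and the deleted bullet about failures on unsupported platforms or architectures has no replacement, so behaviour in that case is now unspecified.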
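Review bot: the sample `ValidatingAdmissionPolicy` in the `@@ -149,9 +110,200 @@` hunk would not enforce the platform restriction as written. A validation expression has to evaluate to true for the request to be admitted, and `has(object.spec.MachineBootImageConfig) && param.status.platformStatus.Type != ...` is true only when the field is set on a non-GCP platform, which is the inverse of the intent and also rejects every update that leaves the field unset. The field name does not match `managedBootImageConfig` used in the YAML examples just above, the parameter variable in CEL is `params`, and CEL string literals use quotes rather than backticks; something like `!has(object.spec.managedBootImageConfig) || params.status.platformStatus.type == "GCP"` is closer. The `resourceRules` entry also uses `apiGroups: ["operator"]` and `resources: ["MachineConfiguration"]`, while the examples use `apiVersion: operator.openshift.io/v1`, so the rule should use the full group and the plural resource name to match anything. In the binding, `paramRef` sets `namespace: "default"` for the `cluster` Infrastructure object; please confirm that is intended.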
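Review bot: in the phase list of the `@@ -209,19 +360,22 @@` hunk, "Backup functionality" is dropped from Phase 1 and boot image history only arrives in Phase 2, while the "Reverting to original bootimage" section now relies entirely on the `MachineSetBootImageHistory` CR. As written, Phases 0 and 1 patch `MachineSets` with no record of the previous image reference or stub secret, so there is nothing to restore from if an update goes wrong. Either keep a minimal record of the prior values from Phase 0, or state in Risks and Mitigations that rollback is unavailable until Phase 2 and how an admin recovers before then.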
diff --git a/enhancements/machine-config/manage_boot_images_flow.jpg b/enhancements/machine-config/manage_boot_images_flow.jpg index 36d40923524e76b7e6c591a722e187ba37329720..6619a791d6d7ce69a1a6d61ef8060fe311864591 100644 GIT binary patch literal 59490
zj5NTcy*o!$@-j=i8m1?sINMOg%33HvDwKC)0dJ;CsXb{QzRVXsbCS=A++zVEC8V0^ z!C{y3Gg7eM$(2_=nBDIwX8v(52HNVI(Uv~7=~4;56*>yLU1*Cid3mw>tYq>8fAkE$ z;+p#ewV<+jn9oA3VjOhs;ey8}mjs+cQCrvn0JqZ&PB4?*v*u9m(0}__aC3#6T;QJZ z0{uI~;NJI!n4O2;)JytY!<(r!H$BEJ?YCM!q!Qp0H<~pG6lRAtCm+~#H zM!8Wfc-Pjp8Fz2_#jb|UW>>)9J@0?w46&S}_}Xt+PT)U8XSwD;gAg%VQC{IuFhT9~ z;EW}OXfR&YG2AM%&@mGj z>fL^kIwa9A^xJ(~VHsyL-r?PP{sa@CbG=&NxbOaM*fvN#&&P1Y9d zGJMm})}$h|YRhNaunz_!@{mlR>JjV{>${)Pq~RXzC$GnEv*pI^#G}LV$E$7#yAd4r?A+T9vV<#axz-nsl1&Ezd4K&;E67 zGtz*K_PunXqMO+Ry=Nup{;<)yE6ISUjq^CwXs| z_}$XGtTl6k#d|iZ2KtF*sYbZ0%NCJel!qbaP9Vy}BsOAHVjw>Fb?{va1Be0K0O%;7 z1?g(5YrIsT!QXfVSEfQT#9-2mA2z8Ua}`ZDTl(@_)zGI|@W4n+Wd(h8@J1%iD~3#V zvADb1RiEh7DH1tWr$u{V7zw9N`BEN%!shruzB=MMGB~uKK=Z z_EY+Ux@j6HkXd$vB{XEFOv%YOwarzX4>m>M-7Aa(@Hf2Hs`JCwD(Ud`jP{&acU@>g z!q_V)G&3Q@2dlLO;_?C`Dh3-SwEDS7dm<{LS*~q-)<*8lt3N#IEzH7;);1;bE_F6x zXo3Y~6(BRf>n^d&+MKQ@ou~7DX9ii&?nf-v^DP)xQVbL)J=R)tf0b}*VcN-KdZHg1 z*^4am%-9OeZd>O*U&#__exa{pB2g&OS_h9}?Z!cBALjO_bGgFVi^!^{N8LDyc528N z{#1|fr$p~|_!H~1U3wWGhCw%20!D`UCEsorzqvi7I^W1{Xo|vv7Z(Fc=t74Th!3to-E0a}2Jtj$#(ZV-+?8Pyg<<8-l{uAek*xTH zXx>?%)5Z<6g5t&Zln1tk(^#Z717FO);o0GD89^3pNQGam&%4Z~fW*{$QiSL1n%=%` zd0Av?h*>Z-*kA_ky}8{S-^OtIkTK(13VGPkCF^k5;WMkfWN-lBX+PZKtg#Mx`5NJo zI`NI(J(}`7%I3rSC`Upp(8)cGi@sg-;%(-(aATa{~F#z>NfHL7OGDx?+)v%^2bx*!ecL_!BZ*!Oi=5#(4d9bdDi%QYQeIx;U*_ zo@4B_dnz`AzgM-sVEa(zh7VKvv56$pXXT=fn6m9}A4+d@v>c7QyA-rD6~$QO0aric ztu40_Pd0`fmG`-GNlpXUA$Mb-PBG8aNGxO>3ThSg@Xh5B&7NAfk{c~cx3EpJBFa#0 z$*O+Bhy7uc4)D0wDnzfp;8njb*w7=mmkJnMf_6ep>a7i+m%2OaV(S$=b!6vEnf%c| zAL_$Dd!)lU8GFl5A}?pzQTVDsSjLQu!m26u&|kqIpenn$>fUYFmPA9ITY>E&y|2J; zOPhufJ+-eoU`nh!O0NW;K#4L)@#;|L1HK7CFLb=mUD~KpZA_n63gc}}&AIbA?Brp| zb+g&{vQ;+b4UwhNnB15<_v`R@8HtoQkXZVJ#6u4G+(BJeQZm9uDw`^*XP22nH7XjIPK!GB!=W(a>6xfg~3jBQrnN{ptM zvdwh`nr@z@Bcgdu;d1JWy`&0glbYiRq#k#n{l_8Yf|;}a8GZCr8P&ya9QPuf`kbEV zh}5t(=TT2c%FK;t^x6Wg+z(wGqME`hmrwSzLK<$mRUQj_bjgR+5~tE&PXP;fdB)yC zE-N|`aTE4^_=2wyl=zYbgH6L1#!p={NG8iXQ3&YOKgI&=f73&H7m8up-+VD`PVZ>;WL2JQH>HChhKKL9e(^#)wex%Yw@{ 
zU_(b&-#0AJW_3>3m)Iidi4yWy$GT{?><1cLA3fDw6_8Lb#N@WYq!v>(=gv9s>+WID z6HMTICA^lO9fzZkanZOiZhWS2(Eajxw|F3DQ>rwRP2z6Ij6P-@PX zpZ84<6=?CI-*VjO?gm+UxI6bm{$u*QXwkzirgYhd2xDVKUsa%eZSV3;a%R z*F)6g&u4%7C}X=P!13kLgYPc_`}z_rfVmk6e7+xVj#`hp=)21;Hy-cZubXO`>(Prc zRZ!>!xw5`z@cLE&zoAuv5*2~Qt&AK~P3!ZmB%Z6!ANg-Q33y7U@CQVXq4U#)a-tl9 zq|oEOAjMY(bQo6f7fXZ;M}UO=NZ7Vx;fR^8g}Wcoz>#B;_kO=+Q?9GE5Tg7St|AyA zwPj**B?iikoqIfIG0F34DLykP+W2=-UyBq=EVijIRJ5Tl&n<0J zaJ~z>-lw1~g9~_)X4(#ZfjFuB#?*w8;z#r~2Mu5JELm{(fFeA*Z~)RM;l7k=1-g^a z^CXhN=UPNA!_UA&a-NAo%Y3z20vWmK1k3KgxYR>WIEi49Yl)U9eK%V#rA-U$6{mC~ zNGOh?6cn&D5P`>ye+;;NCaLK@Uqb{LyQ=93)mj`(>nmV4q(!q2B~ZAFy6=`sm1Wr{ zV8n`@ysgqY-HD9kVClt&3YYIB+g*vrQ3eU1!hT}DS*DvbumkdW!j#D=9MeEQG(E_4 zfrAn|wjVglQwd+#*xsDOPlGIs*;9R2Dlmtx5ZQNHCYo0bZx-^hA%SEBRQiNnapwS% zk~(O5sbr1tx+Ed{R#upqo>2O@#0D6l-93y)s*m&<6yM{Z|L77ebA9p7=A~m-Txoot% zD5UbHS*P`?x#i5+d2M!R`zrbV1Uij|$1mV38}|X|zic@=vIFVvHg0Q5(TzC#-3BvO zd)+OivI*pUZ}o(oli1CCk%(7r(U0uR?xABS7_+&w;b~B>C}&mOP=OwQ2v>WCp-1o0w+^po=_gF-`e3X zB_986Ci(BWFP}=XH5Ft1PKQFRin#CQy8(rDSyr!q`514!s-djY(WRl5l-_wil9uR0 zal#U+8^)Ab2^L;u*pX~r4k>{}$q0cH-pj^?4+lOjm}#ZMjn#tH7Wo9oYU##vp7A_R z)^DAYfgbSWVM4xg>Z^1j6zR|`Nv0v=ylw9a3JQv8{RQs5`4@)S@k8QCGyaDhti~k_ zs~>kdu(w*4)fmrnUY_FhmMlGcY!eFA0^3s)lkqeajkpd0@2-&ROPHWV1J9_uk1?F_ zrsTOM{Fx2rqukft;{idSUa_~mDtJuQYMFToFrPP~rp{L{V}{xPTW*wb{96>BC{@kz zBiGpugjNhb+tF&BMh9y>)SM0i+MeUr`aY;P(<<#B*4k&PoN%@n|A4cLf!Ox-GMY|n zT`QOlf9+`<zI?q8^l~kbx%7;PQp+l z@M?xx8^cpk@A?s4Cw|QdG$Os(Y%LY$TrIuL0o35wIOG0_DNaZ=O#9UEDrU}n+zpnP z41_o=uxNW_;F`ez=(~x4=hA3&!-7f_kRA5G<7TmF0{%o|N{ACkmWXz+=i@T(sq5?D zgmriVUG3^3>z=P$rGqY3rn9bAsAO9jvUcvsosPJ7i7r{fWSISLJ+z zhh0$*)Oui;9d*uf;27aRKdg;(fXd?1#+kvl8#6 zYbWM@ocio)eQL|ld)|MWTHdoVPl+Eg|CMd?SFhAro{v5PlIx-LD&vb;>Y87I_)6yS zj_-b4Q``2L_YayFP7Fz%OVgKlsqRygZ4nahn0UNlp6A8r44MGWwsf?Y5T2Ura;Exc zTE`26!AwqLE;}Z`nE^YWviw^~*Qk%7RQ_Z8OZvJ97suLZCu+TZcYnc_TOvL)K&a=o zog=QylhA)#=YO#G-ce0v?cOl<8I^GuM5M_G3IYlfLqPgC5D+0Ch7ej{1OW+6N{IBa zLudm?3vCP~kU)@<#1I2B(n~-}Xd$5Vme51TH*=ovIgj(K=bU%F=e+A%>s#Ns|KQ%6 
zd*|BwzV3F_-(~r$XHjkcJ(272ugK@-06SiVmpZ*hc>`%MuZ#_oe1ZH`+?4jq;oo}o z4!?ET9@!}`(M}EMs?uclvmgj7u(0qoVY#}T?%tk8x-BUn!~zC$4nvJSHxLe?C?+|p z?wldPGQ_Bt%aUgvR`%I?^7?#AQ}!iH%Z23Aw^M--Ku zh{c#t(~N60@mDMKiles%@{>d~*+I@JXM3;N;;EBowNpuc?L&_!t$sxby1rPBuq1;J zt9I2gupqcCM{G7nTh7^zS=7uZF*`e<=Zh7p)qD~}YkJObp!q^{aUryyNy_6<( zXE|3z2=^m72I(q!^?t!~-fs{Ol#%=))>RA~;F8MW+0fgZ*42JIruXaeXCddjSx&DR z$PCKczV?2`dU$$_ZF)?)FI9w*`260BOOvkWXS+i}3Hdn#q`5Q9N7j81n?{B&vP%TC zxq-vx7WG#TuAe=-+y_>XuChFP*YECztFxpWqtx%gjC@Fvn0oYKQooN_Ss$CCm@z)Y zw78h|2?he%`&M*cr>G|ssVCr+ehwvH@*3{PXJfL0w6;fofzQjto+Z5#U{sxZ{Yik= z<=x@)3IJ^xx(_MzDuE%SUWbL)&!&dvL(AcEBj2AS9_@|ru5?aY%kvjjg&(zE1w(ve z&lgg9FOeY0c43+|rZC3rXfQsc{{vU?rE$=~X{`b3DDOKM%aN4sskD1yL`7L4DA{~E zP$xCK0I7I=9f?x>c+&6Ehq$6^cithJQjl41c8e^{%pg$(gv#c?f^vIz;`f>7D~)F- zy~G@9w5*`rWAxiwp~T)CXe-ENp?KhQE;p5}RLrv|%TG|$ev~`KJzqfpC9MYgQ!aTV zC-DSs@bvGGh&`kgh9(JQcIgx|6oq;+c`j{qD4-y>{aAmRojfs2O4mGXM2eJG=xW4%f0pjBB50kwq$vd#_B8T>73E*KpU@er&n=2VomAT ziQfU&G^?2R-gEWwcP#C!9ww`f+R+G#p|$X}TQgdk0R(Ps>#WgFKOOf^dCq{m{ggZ> zi06(WPDP%q_VRUOP?T+nW4Gg{622xTwauN6jyLgc(&B=VG!g5?(YH=M&1UKor^rZQ zM4mzqzo)i28F~l6hMYAOOy&#Q@|>`Nk0P9RFO+hN&#HX1iR#$T=Gw;_$m zj)YRo3tujlK`qA1H%%O?&a>qW$EULSE$;|bsc>-Y?NeKL2sHyrNr*!#-!fU68 z_PqZ1cD>UiaB)G{yO+Cj2P%~H&q7YK;KzB85_$n$yc9;a4#;r!ow6ZdX0y#TRJD?Z z1Bm9Dv3ft59c74#=jWpf6D$o=rmZ<*XXi3aEP-u{->s&4&!oM0EfAn)Yr~?NEKRQa z(j(Q^v1x379R0)1K&rJyC^GF*(yh@MP}IlT)eXa;T|H_Umnf_9ye)ioZ=zeDhXAr3 zppuCBi8;~&IL;m+?Mom3w)p=bPhKVABAL)w&--;!vM|C`aYHpP?M1wE8<|}0WcxiB z!V>ASp0);0A+^}vtRpHBcWZ&l>bM5(sa~n(dl}B2v~o}%@8E9lO*z#L*OZQ2Yo4=K z()O+B^7y&Qdu-;Kd5TrQLTzA%ztjMme(PJc;fV;o5l?`9;$@#B*=Gbv68Yx) ze=zuOt#g~F_HMcDT}MV-2ux_b45>uE-nk^DuuMeR-@|eJvs& zU~n}=2AWvov8|qd2{LvB7M7(0#raVmG~pChX+LiK6OO_c9>xEHd-0#o@c+2~-w0G$ zsfTR@!pepVGuYgnoV2?=J(J?+e|{pxGLy$>^f4rx$g)-T(b3T{-6Fyktl{cKf+vB1 zrsh5#{N{IOE_b*8s#7c!Dfg(MGZ1(|ROUkS(+0nCY`+>Ru6>OQUrLPU*AgP$MDnr>x90VyoQdpTAH{!p{0mlx`;j-G+^7G; z+<#*3>Bk#4uD`=y`y*hdgLt`S)Z+#Bw7=QI(&X2R9gCM@E*VvGz3TC>m0b+GNro(7;_s2s@zx~tG`F&_>x~f`?sim3PWmIqI 
z0}VuWzt3KN??*wRKM$@RTgGC4@LcHQOqqKe=ns8t4(4h+$Vv@(ev`O8Jhgqe`-3GD zNmXt>p}c*)Zo6l9R}e&$wa&Tq?TN<=sC3j0hOCJP!3;)1^IzR)ry?1SBjwq@99H=! z{7MIHvE0yff5)F@^!rk~rV9eo3j)j6^iLd6#wL`YvVC{kkCx_2$VeyAE;N&a1&M4y z*3Lhr@ZCSqDmSc=K92$uDkfyd%JM8D%k)}kmQTG7>-^$oHGP9DGn2`vp;i)*Q5x>+ zXiMXL>6k^WuSJ$Z!`6{L(9phVEKWgxzzyslkU`45D|EX37XfV8c9J#iI9>Dl6EGU|H7Q1KQEuOt8gF@EyHkOisIQF{7C<6lsNg z576oNj7W8%3|?btYB%GQi9bKlytQFuL7XIq%C6;PO>M^i*ioL@ZzwMt*y0Nk*KTxC z22!vlw}pADzZ= z2Ljra+Y6f}yjh`bM7Nwxt#=~vixP@*i>1B`we2G)y;NLHIZ~(8uaQucJt3ln7hQd8 zLUQsrP~=p3nf?}U&f>rbRIx^#ZLE7%W}L%zVD76GbPj&t71$Paawl+&QHv4HPfrSlUck` zHy(H>ceC=P;mIb_uZ{}=BQG8x9@0RP{Xg;CO=Q9B$f-4fL$cgx3BgRj{8&1gxP{rl z?iwxfH-p~UsfwFewN+P_72!>@PJ%jp=P@Of<*IYbZ$AqKnl*?IdJ+~ha(KyeraJdA zuluBPZ-MI_%uGx^Vz47QCPae$t(w~&tUGVGP7+ux;!`&QxfYhVr{%(OBjU{2$@HHps(4$jQ)>9V{MNG2j zbby6Ykv~JHTPriysy@&;HNv1#Wiy(0U_Aw-76)d{`=wMF+Ogbfs8COd5)Cyw4U^gVyHY!E8VB} zgK_nHPtUo4Q%4E{$0;zq3SatSYzHQ|2t|2G4 z$l0aB1?Kg21*buK$Y~_9j|Hn{Q-W0JJ6&bT1e81P>s&1d0zM$Co39 zEM|a~mSE@Rt6=J#n(jHX9jx=8fU6#%04=OtfY&!aB|7M}X{ROU+SQ2g*bm568RV=bytFnUEM= zX;wSdPxmA%S1c=+v2*Uv6MBuB)*ZIh(J6swpp9JOs-H*L3;vD5;P5)By0&V5RyDLO zrp~>1S_?WPh^Z zGdL&)VF)vnyEWuF+)v~q_-Kog-u;EeY^gdV zC9m<}7OieME*8J9Gr|j)*dZ7i(=aMs; zD6sVqJUwX3(YxF`V;FsnW#gU|8Wsq!00IFbBBHwTc@o*<@~>zNMWjbnXatxDHFvBd z^+Cnp40WgoP=GlKT_rRa%VlJAbofWN{ZZ|HgSq2(oQ(K{^+~-8G6A$N%O{CNi3}-w z_pBV_OCsqCieUvccP)nGicu#NlXIWj5C|JXP<;N_wcDl$y{kY5rrA`=smyxFo{+Wp zfZx=be-p{t^;d5Ui76_H$;fDqb5T%GeEHRsD!WpTK&OJVbHuiBG%_6!zybAw{cRrk z4uBvaD4~wjMSlC37j!xT2UOa81d{p$R2Y=~l}bMYb|gF^;hmZamL#f6{ks zNq>=~W8Q!AZFy>9;p;#sB`IMln2i^dIpNV2*eIS{|452Bh9yJkeKxu(TB=Cb=@R;-_?Bs!-qcS=3Z17j zp&yf(v1yjs>(k0rrQh?pUChZ!Bilt!hyWmGJM|=DnjU@Hm|Yrv@>!^V^0UxW(?3ph zkCBfFuxwjD3ms2+YBe0S--O=}STLyfJ23Hx+9}x+I`lfY3w%&?Vq^`tH7`4Ok$f7y z@q_+MW?u81gFl3eLyP|SEHq%hVL74pxUMnppv(Dy5H)m5NMlLouL8wsW*JSENUQF9 z*vf=>`aJ=Npe?$!Tj-(UnIZ7~qw3GwYEKDrB4_T>4NXtYBt2=+6?y5Quxe;ontnVH*jK>6*zau;f4`pn)2AnzG z6L;d=jOD)kugr&2V}va|U}oKCA=trM+qeG@xj9!`?u=SX*`r(?qxtqS0qS#vuntVb 
zEf=0I@1nd88JUC(ynelut@c3SSa{a)zJnip&V|=Ju{=(@!}dS9kSZf~J1EGK=#_yf zb4nPBZ7VJ=#$bMN|Jjk&bxQK_bFW}coRWVPM|n;2gTaM&cP(Zd7UsNUTZM1yNs_$7 zmY9>4CpG zRemF{WblP!0=v&_qjsXMVzBSJkA z-Y>WIx{%~M2@hI@-w#+N|Fm}eUUQ@X2jV0;D;$M3@0_}qvnVJIFL1*^Yvu)3LK*3P-^z#;o~+l>Us0SzAe0*!S(@fXwwQdSzfd0cVkgS3i%YNP=x7b}=St86H zN#B3}$hobgquE-|o~|Y^S?hEfkOkVH*MPy(+0Q~dL7#;Nz3RG6b_>r5Nz2cFEcc9D zWaVv~-8Vk>t%i<)^YT{=DcaH%tk#4?M)qp<>QsII2OsY9skZ7=bXHE|yy|Kve-S42 zP9VU|G@qZ`D!0LyaVv2wd**nthjMu#aW)`qmaZfS6JR2aL5#nSh-9TrIUf%Ypbg$z z8qz;H1l?n8#tf?VaxW~H1cHNe=9L?orF~hl(+Q%TH_RV3-Do<`f9Wv;C0Fmdng!D7 zz6#hacUAjbos=d3z(yHI(y7W76;+;ED(T&8nnDp?7h{O1dNX}>Ki7c2lb&pd6l1A{ZfKMU0oAU8Fp2YZod-}&m@O_vP3PVd=H zc@YpauA{*<)k-u0qLBa>HGI8?)1fFMwCI;Ua4V#9$21-BAK%vr$r1(dnF{}l_I zy>Fx_vd!l#sU){sQ~gbaX5a)z92a>R%--{Rw5KZh8scCyZ|?G>Cak(8K0zG%S?Ec? zCb9N#=qYcXFquZ8eY?!$aOdKZ>$6UOYZr9B))b&i;(k9Lidg1Y5Z%1OqWdP^#kY{q zxE$s#$`4Aj?iCRQiZ!_?O56<84ZB$5dTy9CRs4>9VK}`~qo~Vi6I7ftkBQ$3f%o7S zu|$_;r)tzeaRB$D(>J`xs1-Di9c8)8IQro%-piKZo+ZiFSutX%^H{X_xsKkpNQ)37 z7gxeUPHO)gDjh_Zg>zuR7$sVrNf<+8A{aZ4p3Nv1jmaFvyfyF5_-TEo{vp|pC$93& zOw6s{#9ALTTk6|hsT?Yf3g9li-kO~m764fx14wpd2r)S5xo35360>JAn zi%5Y8{vL?Q#@?2gzovOBsjBu|;8nFb7W9)q<2#bx^Zdo>YM=cf9JXvan#_SotmTIy zJ1q3gr(LDDA5BSa-lL9hw1>tNZP;h_u?b2sBg6o#rn^EU0%&e-DJhr?@ajAB(TNnt zV(y^1XfOf~a&!FPBPGuljk1i|r5MEiLu=4K_R1$#GPFpYuj!eE>h1zr?74;#DkPep zxm--%ypO7xS0X;}a-V9cLvChb&^!|B_JWz0!T89T|HOkYlO;~$Lo2BNb3T=oue4PeBh}t#mp~RB9dH1 z&VtWEMWjpcAj=DZAh^vV*RR}(!#r_wc-olg6iUxfFSkUoAqbC&s%i@ps|%vcdn z|K2mt%!;tsS>Co8OzL8x5gTW%0u)BzHw5Lsz))+jCdm$gE6VJ@oUjtq$lE9S z0$D194D4!ar4HJUYBX1)yvcjn{qN#>PyJB_`hikEc#c;A8|8USJ!DEuh|r}Kiyoo! 
zgq<1}#lqyuWPl}O`DSB{BD5H+pQ{MWVJ#Eq5@{nJs&K=o$^A@z-JhYk4k-u1ib9e( zC1tB=mD2))Vx+r&_Jn?}?9-CP(WWg%rTVT)R8$R4X|xHLDDCb)-|@@gBf;y=^FK#) z0Syvf?>~{cvsU%EEUd@pRIlR;JnVWyMdPE|OFzK zF^>4v;@kZJhi%Nvp4NQUiO)g^FP1@E?eWh-=c0D?1X{pnA-8MaoL=GIykWSB@S9f2 zTb@{a^6(|EW~>8l@QF$99F~^&@;}W(M?an6pz1P6QT2~s|Bxzana6>UwbxNwowtV^(gf3WgrtPSf4GTU3MjTEYZf z=-txaZd*`a;iS|$mxn9nvik`HKrIEWq!FI4$-w^=fA4rIlsPL)gVl3SX z?@4Ga-?|U?xN~jlE&B1@YnmRd!P|TYQlOyTj>o0BB9CXwpSnsLET2N3=-@+A6<+^LxjKqD_C$qs6qbXbXSxJt zO#!1URj81Co$uta3?yA#nH&Is0Rey>*Jt_W5MYeZanPTa|A^~EDz9dupPtq00qd^U zNg0F##G=MspW4rLO``XIp#e%5e(ybF_?CNAhjURpLApSkP-yJy zKk58y2;&o(V>Tg6M%{eB$#UX?Agq5rsxt%|nzwO(We)ie0&457Yh{x*_?tR|D04td z%x9sV@{J3&e-aev!NczZ7CQ5$HFOs)Bx@i53-NkA@jaTEG3wVfi~}`$IKx@^LQVB) ztE`8b4Hh>MnKSA`{G@5kxiPz-66$pwM%rzfc!-BB|MoMu9;~e&rwCheD)Q?!pD#CG zTeuKr=t)H=RN7o8{!aQq1Bpz-o0!OpGo)G8V+>7>hBa8t?7-pob3UOZ9i+GVRW7Un zi5xi0V+$4?TZSm-TZ|M5+bnpvRJ`7LHojd|1^CBMPW*CwaR z1{Um9F4BiDTf>d{I;eQ7Zex=B0)@FSYhiOaWx=>~B_{2D0>yQR+A(s~uDop99K zVz$wkCaB32jp2Tz%DA-$IX})hRyW5rIyaI_m`Le?j-E?Xnkgt)-Uwd-50jZLE$dIw za)CaQIMvSJ6@=2b)C)cN!j9_s`WGIojL4{je!KGYc{0vn+*D5f=jBI|lTWVXgHvHd z`RvVGEZDF{g;)IDeqDLxPiyAYf#SH@>*dF2WAlo|caX} zvj?W{$yG+=!@U_dlRpid%4wG>tJ(q<6D|>aXWMF7EqwANb|h0Q1d8J^fXjcoJCDM^ zoHIeI5mpl}PcPH&jE?|pebelbbK_LFY3kjE9fD2EB*p{KBY43#c%>4eOKO{=2QBn8 z95M&}ZwC_#8IE&4i$+Uuh>EM_rog{a@ay%Nfxtw+RrBU3v)O};2=op9XQ4|S==Ivf zxp-rt_B=$VUR^6tW?wCT=ibK11bZ(9FxInUPy{-EMD;JDUw%oa@8{FBFGtIMLB`eU zm;Y;%V)B1zCnv%-!cO+8s#U;xy${z+o$l-3xngH$_^V@nKR8ud5nJio z2lI{_1B*1vq$RJt9}OZ44?CbPX$o>Lbl-Zscr-cy3L9pKX<8b-IyEGKc@%8gau*M> z!?maMCPXSY^XVbPvTD|K)L2_MM4-1ZEPnsnRr$a3_sESEJJSnMxwE{-9AuGsm{zS# z|Co|oKvn(RwO4bnk4pil#gPLD-`XkqPrKKH3GD^Hv50#3uG{{=d2x~sX5#$wS{)0O z1h)6O6`-Or_etun#{FasqbV1;AVb1`vdAM-H3RxXUZpe>KLRP@vTh0`EwwCYjc89u zYD%ynJ8>ySFe45WWwACdbf2l(b9ys6do?}UNue~r!G}L2y{LAy7`#|k!Na72%mWm4 zJBJ9x(>MZ7Ip4k?P#diWwRZOcCs)qvi@tP}*8y^X6!levtRQtfZ+mBH z-RfY@@b?p6?Yz~$t-~mqkRPXVl$7%%efjk|PGy!6BB8Q&x9-8tyg|&aiUky2L%a`j 
zyS*cci3@~9Nl^vPYy8a$$~7IhWigF`nT_To76QdA^jw;&av!d+8Ar+uudJw0| z*rjv=1QoT>;x%+YobQ`?REN1$1l!;k8ie&mYuBi=aG1JBoF5AUgh(V9sJgzqU|Ov2 z>8t(&yMN)DnbfU8Ix0O%F~w)|0C$OLSkrGbziTY=kVq}swZ0nN7@!zR&QcXbl$wV^ zQi=VIFgyG+3k7$Vj4pE)Kw>@6bT|h;6edZy!W!9zHLye=pb>&+0?LMqmn?!m2}<9k}TsUh}#9Qgft#?C*z zd?RquW-;$X%}7}}TJf7H>4t&VMDTc1k)gfXDiwE5}1^2NlqfHxH zO~8z}Y1az?(FDhF+cN%I)g}^$Ra+*MwdAyCRXDBp(qRttY8LQ(G{ME=S(A&4yVExs zX0O;Q(Q*;c%elBhPL7`XwNX>Vl41qRpme+|4^bB9gAiDB%W$t@MnQ|2l|)S*93-N# zhji)n_VFc+Ajl>sY3`meL|J167v!$oqvhMfdgX&`<^50}*bt^T8oL5Ufkkv(ya-ri zQCzcZy87}&D^Op%os~O!&{@khF<)A7&nb1DhiPqJ9=34-QDd*R%BLl{Juybjmdq&r z9$PmqfBv{qG^h02k@=Ewnhldqa0aq?UYpLBp^oR4O9qEiR6=rpwA^6i-*uLkFyZ$W%J4PB-u@>--eJI&cb@e(T#-Abmqmdjz?xyfrJC%}Z58w)BUoTwvoZ-7He; zuOvIV4t%2to{x26q17HFmHHS7Dvutd5l}yo7a=|+Mao40YhJ?=6p)(&0E+0xWY~F7 z9AvG)!)0(ApYA$!CjHfby2*A4jvz;v=ruPFxOLOn6Wqq5*drybVqSe!Wl-N=NLQhy z22Zjh_j@DuPjD{$Hh{R4Iaqrc9#r&vL9*{E^Lc``pj=3h;GUQmc$-wR$R~A@c-T?p z*ubW;c^9n?V|QdD@Wz^Z;H($l&yV6%sW2FiOIr^AD!f zd6v(LeomYSd9HU*gd5U32CkjB6+P$au{0%cxQX}VKtJTn-V(MUnudV|1qktCkyBR=58RN=f0klp6)2$?!Kk`Op3YZdU zui2S*I;u@^clZTFH;w^U5J_no|%I zM7HB@fLLT3WX5krMKL|?Dl9=nElA9fxF~l{=#nQ$w4e^W6~_dME@qR8%7$^IxbC!j z+vNOjKg63>j>A>Tf^+ZmHlwO;epiTo+Gk~Wb}vcC&F*{!w{@&$M*~rpJ-v~IOe^sO z?{pV#`;^O6IA`zBc$5J{?Ut>*jTo(*v*yN&m8NZ&IS~OmBh>t9h+j3-f{Pl8A!X3c zc6vP5)GTt9#)~3s^DK!H6IKa8X;=NdgVKrP>0?#WUD55rK9ow1Svu6dqztv8-sPsd zs(~?H1I%aL>Njmmm>Tott%BmaC(=$UycDZ_=zOh9n`%}0m}hR0U>4zKCK+eSaVjn~ z*0YkHQRZQYW1}@4;?Q9)Iz6=;8)+=3OvqKYf=JJ0bimFwxeoncTohvd@Dndi%eIiB zW31^zHMvK%(~*48&0h!rDU~>t&?gd8%fLu2xSMg&{;tA|^^q(Rjb=TdJA={f^!Q$g z{Ntbe@81a%cYA7UM~$dG5#=BfwRZg{IhvIqI~O)2qNmVFzSHbY?q<6{GEFU|g|{U8 zkWs&{U-;c2vo3VznUM*_W8Ig3%|Nw=ai&-(H0-xODgJAX_&9i{#P;q~wgN)6o6JiQ zeRszR+pjQRT#izqZYGf}1j1~7-ES)blz@Du!EgU5xg!mb`@7{H zvJ02H4v>cIs=ss-xlv5}jjm5;@;?jB^?nvIKpbEUI9DDCeUgPAgTxK#IrkE|q7qD? 
z>UHLcs$o!^wb2$dXwR+EXnnjn=#9OKl5Zd5S>=E!P^xplx6w;PJeaU!Wf6PdtM(AC zE&zj5!IZ(wJ>qywsIG2=J~fYD?h+E{JzKr$!?Zz?OK`O4ObmLCDk3O2s*4Vskk-19 z?nv<>Wp`gs-P@F+XZhOTHsDKb8+#A(wmvxfyct?Gzc6qj^EN3lY9&=m)47RWK4IXX zapK|Y&Pzn>B{R^~%6==n4ot^Rq`0KLc8mw1>;iX)M6F$TEG!6~DiXL+*DnoEi&I&ASMAH+Wl9d7hsz*LPKQ(+yN$|9;hpO#aea(Gw<#h#n{IQ6<+tphfMuL&N zjhFEF!b>yEeSW`{#udAx*DKvy%BSWNhs2B8;^*p|7|rc|J2SRED?{H`-GNhb7_Y>< z?!+6p1o;7BR`C0qj0-8pDIA6mW<8kKE!G=c^LD@-3IjE`xRj3jCjhc{M1%G7tt!a< z!IXTnP$FENQWl;CV+O&I$Wa^tP-hNfWDs0~1$KW?yOoE&eW;(m0S2~>cDD$CD zOMJghp0W?q&-dW7(5>2gFC#vzmOsy1(cdu>9=>+FtVPz0e6-I~RDmnS+6CfO_r{pc zCck|a@}~>;k7YXZSV4@OYe?#wlpJDL{Dk4XV%FSz??^OFA_qhWY0eR|%GhYS z(R|~9x|E8u@rT|47-l?USQ0ypMmAW%#5KKgFZe(K7@B#9%Oe^#%*Xnu`N#-+c->*-JG6AVtM0=zc~0E6z3UBpj2fh6WF)%N zRTdEEk*aqTJfXKEHD`}d7az5x_C6ei3e7_mp=wlQWJ-GQ@(a4xWZQC6ksv`SsM4B# zQoKc;87!ts)HkDuwCWE7ikVN}Xy~vAl&Sz`SIh^)xH;v+HX9X$jJg0X+*KnMxJ{tN zpph9x#kk@OtVg70{D`@QOx*P@glm&0R~&7${XJJC1ko`H4j?GZ=f2Ob*}v92Q*6(M zKoA5p%H*zD6?#ig_OS9r7HypQ&gFpW3tEFHy7w*P6_)Ho%k{_3Fa>)wuYMP_2y>Vq*R4%o~itYZP3{jb+7p@Sxs;7qx`- zbUL)~)}%Lc*k);oK-du{&1Y@CK0qSCFvOCW8{=Y>&-L~r9%EJEnAzdkVG?bVxPiZ!BL5?0-7JTsy(ax>dBBV%W&0v4QXJAc*9esajl#wXQaNmc`tfT)PO zzUEg`a|~V?l7B0gWQ=R9#9Q<4?8^kO#Cx|y{cFCO7kfvvB|~iF1l3LB#-gG=3&~Tx zD&f5ozEvFGN}E2W=+MjUc#rhr>1$VBrxaP;W$f z{DHZUgU+FTN-q7=xf0d@f)1Bct`h~TGyO%>jbIRZ!$A$bH~bHV)^3kC!2SjOw$FIPd+as&+%JQ zSFAx!qxWH8FZ5WX+mf~6E-oE<)vB!43<2V6XoYDP5^s%`!N%IAoe%a?6$B;ALBqB4 zQ`lLW4WElL=2`)*8yfARG5JlJIFc?l{un{gW$`V`b0gT#lZ%d+BBGYMt)WIRb2f+I zg?nez=#XlK4QZ%3UyA@oyzRRK8@@zAd~{!}SAk|S=SH|maE7*WDAcF*=9y-H_Ttdh z?a151p`kD92Mx`R(30ZkSe@(TmQi)xBj(?D`B)WFOQL%$g$Fx~mW*Ht00^{G{{5q! 
zsaZw>qk3s^j)-hn@*ALotOOP&iER+v=wVSwf`9aKw(&zDVM9Ww+Lu9>E_GjOR4k1% z2Q>qPD2Z_4gR26VuuuVX4D_Jw$3xVR!M})3N4Bt6W@47j8v-vOE0|7GU`Xm|zc6z9 z{daJ?85q3V+Vn7?Xk>(BJ@yen-E(gT4t#rloV{uv{^C6U#hmz6Ox8M9-N-pa(@$Zv zv-3tI=Yjh{LOe{D+a(KgG>`^KxpeLq(=NzjONB02O#l9ux&Q2Z7Xhr&-pwAqLPN)= zer=_eQWIb@MNoV9jvfiLeMS9dYrIk_0j3*vHOmT0;N{--o)aGfI~k4b4TzgA>cxKO zO!q*O18G{jS|&3FUd2N;VRWh91K;n37T7=hN&jCbx1KqFKu~yTTBLi^G|ztauFARB z4b&SWP5HL%&%(=y?yUo8<>u>z%~Bpa;uZg4zMxj`{5O}@HI|-2H58m@N7BtBL&Q@{ z%VS7WuIWKTm4L1o7}|)dMS&p?ef(KJHom5|>mi|<^8lY;hRa;vQ15LjO_s2o@*3oq z+t8#1U{x%!GueMG@5}Ab0htt*^rtZtAwWxjLH9H?`#yXs!rN{n$lPwZ0`tFm7^gf? zW2|=BtyP!sK$0O6A{_(V?RBppK?=Y}dU&UUZVn%*Zvs3WxiVxKUL4~)&|r+ysh`&f z9NYj~2Q-a#%5;YoTtR&Na#kUwgzEDqb1`>M z?RRy%QjRxw-CiC9WX+lk4v(K76mnQ49=HMf6*ylGG(FqwQoO228~+sL7NpM|oE zc0~Jx^i^gJvW6o^!yNhtMh@`lpM_k#q7A&?d=~12Mtt?faxCu%ZI%Ca;ODs;!u4}- z4&2Fg-j64Jzh7A|$UcCq%P;!)pWvp+Znycp*8B0uc`rV zs4+lA5cEW{1#|Q+UIy;MfP8 z;m{Fux`KlL`2-P>_j-4Pz81dq*GI^Bjdi&VWciz^ zOTW|?SNOq@L`_$9mZ&Jdj1)~X?}jV6WV)n%?R>hsMoT_`ycpm;P19CZRtv~$edt9J zn%6F5`rJ``+NZ3+h_}2Bn@tY?W;XT!?ewlu|B-6n&_J*ap$s(k4YXfZad+k81nQh} z??@I(=!nzre_fg^0>`oouem#XZDp+w);5@LLH8w&($Rv1jU5p&%U|n))Px)m;^n7G zze*zdvF%IEqNnZ9YKMsg=N?72;yyP@kU2DW$YrBh;MX*k&E7)MWrI8=prql!y7*e z)_3?nN@o>1G%e2h=_3z^r4VCsG|2KL9>zO79NuLOtY}R6*pCN$)o36nLspf_YU&Ao zS&I9rHr-Yu#WPe#&x?ctLd>$|(GHX5tG-|p0MqI3F}%9SiLS?H>1W^}8;TZJ=2fbP zrwm?k`c1uodYtc5;i#aKgcxb!0P5E0yAjf_fPdoP3BQx?E6c!bWf{gIt|jy_HPJ#n z85tdPc%l=5UT#bl5$g<0mFy=wP8oskXz$!CpcTDE3gaPfq|nb1zLl$M4A{k@=i05h zokmW!gB%vzP2iY=E6eSE`fXSxW_iD`-{*%0IWV5m$b{LH8n+^BcvaS>tZ=*zP1DIH zUjWCorz!v`rL&6eCxO{C`^h z*=C8T(CPfW+k*TN&%jq-^d6j3_@YLI$rrHg|Mr;|T&KTnQ&XBD-sh*9HcwwoU03hQ zDGeaVrWlgbDyddGn{ibB^@x}6eKvH-xE-fC=a0YXy7@UjJ?oqv)$xy(fI`VsnRw5p z;FOLXnotSdJCEC=AKd##YdI^z^4f#i^cwiql`|3!10Ng3r^eR4Xgy=khj@Y4|19(^|IC-SWW@8Hg-bU}$|D*LuV<*?XJ3=j}eEH6W>(uf;Fly~} z)BkA6eogIL?T?)cD~x*b%StLE^0ZZ?z>V<37tJk5E&l&soOqg(FftbU#=-A;!(g7X ziLhA)iz8X?qGhEo+!>RrsOw;l#Nd<@zZDYu`^_h?{Y!R{6_50=MJo|MwQ>8UkOo!W 
ztmIXGB0JJpvonkWcCx{dS{T~jmY%}!WKo)z@C`pOOo~e1^~X7;ER{rF?%Z?TRas#zWMQS}=6QJK92p zSF>$Dg0@(}sHE}C+KVw(J%)%2H=`=GC6(X0V{hPWZ8UFfs&G`qic7&Z<(dJ$2uPq) zUl>e`1nGwM{1Wxsw~i_f>vSvN>6AnDt3~j!6^Sv(Bb>e6CzN`8Qn!{!51=ebWHAut z3RgrsmAtih+`t6tx>^Ff(!4Sec0QHE_qYqnxy=lD_t{)85yvT*pr9v?K)}h#=6;>y zQj;0OuF6(em`_cfZ#FfB4Vs>L(9h_AO{SKGhCl*PNc5qxKRJ0N;^(GSmAtci`u8>1 z!c8QW+s4p*YS7v8^|4xt;hP`{D9tdmI0r7%#BOx*uhd*2<`=CP(r zV#i5bg8|barrM$fu)u)9v5mkOge)W>IyN2A0-_2q363#U7%)wu7*T`-2vbB8#f4r? z5g>%X21M_@7;?4Q-=5^0ySsPKwtIi~Uj3nOMw+JiMleN*pbjtbYMlqEmvXbBaGXLY7bdJ&=qhv;;p(VTFZg4N&&wjQ-Gl1wH?J|Bq2 z>Y@>Rd>nD8`{MJzxBox#cBzw`l2wJX(5x}P!Bb|Rs9vxVj8KEachyv{5M6t0F8G?0 zMh`srAhu`lO$otAvZebRtMh_!<1^hM{SH5><(mJ&3ev(9ZZf2vcz<%7w0v}}uz~Zy z1(3+eVKOfckCoAG$q{?9J41O^XP+1M4;JN$6lfRGpC)BM*Y7GJn5V6j6pp>apj z*ayKD%loeu8Gxh@ja_DqeHfxYlaN&Pq<6?etKS}M?9AdGc77*VJX#91Vb@HZ+<0mv zo`g`9XoLYQu20rO8#EEx{4_5^?%>4R2q{S9Mpc+v@{qS+Yi!8b0H2+N2L3K%XVt!w>65hXoR&*ND+3p=%8)yk z0cobLYHNw?JH{h0F3jY`NwfU=&&K*noQlGSy`91-!R+kq!)*c z$lU5v-JMKMDC6t3iRu4t;+FdH1No&NEUa=Pg)`EUGnx09(!%M|135Is4$04j3rRiJ z_0wp+-)s>^8>vlbICxH(?^ZGZQAXWMG0R){gec$i>aW$&*KkVR@GL*vkO zVtwnGZz&n;WsibaTvCf0r_b5fIq-2yIs{_?Z%<)%f7p^x;$VDQ>D#O;}s~*sI46qGW(MyOHkxb`dDxNTuR*H?J>UJxTX%85Jo?{9qS+6ZTf7hzDRoUjZmMaNUF;d zOgwUy>l@FIKWF-%!e5lVzFip-JVk~uZmed=Us@3t+b1XOg0%`}v(>~B>}N?k`X9N@ zrT_SsoPtl!l{5XG#)cZSqaT=2;A1c_s$v?BP%yZfk0bMgp(e35nWd^~`YVl{*;7=Q z5g4Qog??qV{h~t~Q2Qu(gU~4L<5O!x>}@1ze(uNZY#z)4ns9NYR^&0;oq7|&ehJC zUSTd=KQJT5A$+6fG&&=P^r$eu$SRX7ICH+of69 z5{Up6<;6G~e?Jr;_(;m_Or7Jn;>4Db%1*vu0V39BQ?ol>jAmEW2S=3A0ovQi+`#tz zY~g;W7^!o{dJl|^NPom&_XBe+D&$QmExtq1_ZLb`zePwD<>%z)CJJbomLV>?A{N|%P9HOTJ~@IzO12(>iV7S8BL5_f`hgsH=(7TGP6}SdIZ|DQ-y)iyZ!a-ir}=bQCsj-5k@cQ-_{WKVzwUpkO2Z zxLV48bP@&@Cb+v^l4>tb@?g6qYe1n;Oo}3TPAD#5__N!c$|C@=S^ME@xN$dF#Q>?nA?fi7BEO&jC?`NfOu=wh~ajlRJ)=^6_HC%%g~gfZI&0fNK7f4yK+XmvuQNIr!=-itR?7<`WmY@LnUPEHqD%bG5@m2+Lfu-??cr+ae7|lbbQkwbQF* z;ryd_+>&Vut|h?K9>g2>nYHP_rcM$Wnn*mUX=_1dINRDDsKxe2Ue zp3Vl!h^Ce_rF_dfwIc5oF_9dw(j@PWs_oiO;O*HkO!vN2ns&va2iWN?A_uP5oK`Rf 
z|5(X~l>2pk7YaIm5fLWI(~0Crx4?)=jnVDPFByv3zHM@1voOxlFCn>SP47XAeX{m( z#w%x0t?X!p&}I@9Ggv&#(xTd$K8TUgzNiH8naS0!Ez=DZEwEOtV{baKeeKl~h8Y`GiQYk2N zKyQ?H_Zs=kT}T1TIDR?On0#`+vxVj#V^ksG<6qb(mlV3YRK@yndhvubr+MzzPc;hD z2>Af{5fvKv$8p-#Tw>LShb9$4(xj9t8f9y|o^f$rDv}d39F|l*yV2pMiS;=1cV*|E zUrzHZH`~IDSU6d_`+kQU1JG%2B~;>8-984_Kbr$H>w*l&D;fd5eKH+xKZru#Zvd>S znjnf5boew~H2Wm6dZ;;Js9a~T-5e@30u)^UG5vHwCpS1;WADmCTIr~=pHkE9spn)} zffE}MgUstI<0VK*nzL4bRysF{LD;e0JC#r2&xoMExYNX!R`Alo`T;#UrE2nyw4>2@ z?<}UnQVCGu3DA%xo_Vr+g!<3Xrrb z%C*n4r<03W!V~mKQfI5M&wzq6T`P;=BIby<_Q4-fZl2t6DJ!4jS&44V<8@QbhypW~ zOW+tPe**@{=OCi7aFU~_L{W>K=CyK~OP#4ci?i@Um1s$lb7B%Cl7-@ui)Uxh3|dgy zw(-Z?V*G+h3&aamU_>|2gdNzTP;-wW-^M}_qBXC8gbeG^ZNg3oJq})WlH-N-N2PGk zecq6}i_&XcNoEpLOAp*rqpoEJ<_)$<*O}oj105XC57xoS>(5o4Xr9)22rmFewoVcf z+a*@?aD|b{hJF-cRL&Ezn{Q}W3V1W}7LJ`sM@Z=t)IW@1xcTf4{a&;b+(ZzK z{g6+K32QIyE6c`M-fd+I6Ss#OTu*-`aq4^}q$Jaunp*XOh!J9; zyBGyy5Kq@L7CZDfCv`ID3csa&Fq}fU1CiU zR+7vD<36n(L{67aQg|G8UX;v2jcE7t>%$7C zd)J+v4imfAF7~Xwp4yQ^I2Ys;QAdV=U0^BC0ym5Oj9CqeJ{3W#en}=SB|2f6$aQmx zt`}cAZP$SCUl4L|$Cw>}@H1<$hy4{Z*D0*m%vf`jI=Tw!H8}8Vm`a^f2zah8Adaz} ztJ+d#bz3IC%d6UoFj~b9)bbE?Y59ZZeoHpwoJ zHeeDcOXhX+k6TW>&uuk2qhDtV00tow__)<5LL|X z)=dHxV2hB;_g|VQ*7LRQ*Zx}7Sb8XSE>DH~9aiYZ!3p&Tg?G!#-%>COoo9Dg0m z=I;FwWzoh}UDPriF?uP<(obAvc#`z7u6${)5Jrbe*c2AJj?Pm6UEwC$k$bE2xkzP) zO@2R+9+~Xb@E-4^k$N5{mxPk>BJp9KBG3DljXkQdoG)39Cg@8U*_EgYM7Q|Hq3JAW z8Kv`?ee67iV0}X5(~F~tlk>Y0Q$7weIU4g)iT6u+;K0H}N&gjrW>dg&bUbRUd=(57 z!X33dzr;9m)%lG|@olNkwTj76lW(yFK{P_hP))FzG$r534caF^gbj!Tza*uYm zg`#2|+}*vYLc;_}4v(Hh@Hby?|K%Cz-y1l!pK@(B?n95TL)?mKEf(D0-Y{R-z%d2P zK7DJp;F)Hb4pFTRo|p3PuMIo!Jn?$dpt(oov70_ab9FCKq*t?0u6+g@@f`mkZ+iGi z)G1eaqmS+Pa(PD?!?#)-R+|EI@#$_Y=FqKW9=27 zWojYLIj^~GY8VMJo#Shj;u0|B^xJP-79-m2tw5_e#r8-%nIu={Y7-EKHqCkuyzzi0 zPmda<@-P?^Cd9*Qd2u=^CzO&dUNCGvDtX(IGBXv~DdSswleHyV{6Ltm3RN4H*^UQB zE!TGSlh#ST_9EJ23w+5M)-Ch_na;|g#j@s@1yDf7%)W-9F#}a)P7=Q3`YJpzGqe9) zGsfw2uE2H4;Dh^$S`T%6fy9arIdlrKTvAh5SYTBPaGf50_)p{H zpSS-14Oy9zYIlv$C@CGc%32J6lfN#;}k@SPbIlN67>J 
z)EY!Y&OB|)(Bs)s)4P&WC!SF@3VC%!8Sg&{7^ky?PFt>wSuE3m9+RKqqMsl0KAf&O zu5hRtUD?J5`12OWdoAi}as`I{5(>6a*h+mbt@o8-On-N;FS%*l?ib-TO@U#9v8MA* zg#)F9TTvgX&K^4t9X%WKy+3i}fBT&4Be(tlv?vsyy;&Aq?Iz*R+ySj_Kle(>{`!r5OSmkM%cZX#qf;yyu5 z6b;i^Qx(kFB2=T0Zh$#JWN53F#{<7iIre8faRU+~MeZq8=%c$9RF^$J&b9a@TKWO2 z2&0AgaU0M?sebIaBI7cd9@*=iEfU;N zUUld0w1!&o6828=_z%k`B1-&iN<3zTv~#+ARN&U#s4=i4ktNhKJ^@EbkQF;=1xs5N zz_5pc;Y$}a5=Ni}&IP_e6_8(Eftw`Rp5%~%%Pk8~g-&*?&hB^x+>@GD^yzj|PMc2a zm5e`+PV1F1*ZI~~zSUk3drNf}6Qc6r5#h#>`VdAG;90+DYST%x_qM%g_!Y2Dpf=y# z9gVu;YwVbauuo0k7MNgg^K`K6uM{ttmWy20*7y1@(1WsOuD_V62B`G)%(v&O-xxHI z%Vy@%X%ZBUBHKzexGUFrL{+&#fI~1ht*sI0$6heK;b+v>iRFnG3)Ki~%P0PlT`B^a zR2oANtLx8B>Yo9Vfc;~n%cLt0FyC72sT3e|88)NibcVJTfpX+tye2WM@KtnI`pjX{ z8CNXaYGGvrXAvXMYci;>vci0`??0IwhC4nQEX`Ml%l3EnCq?F|XX`gfi=HAD? zOUNzNs^Bn~M#c-a(XuZpe0hF{qY-F}9zGgQD=1>#7?^Y={79H$D(wv=M&eiX=y8 zwK6GMbq`9Qd~~>XWQKRI>~iyQV)<;AM?W7zxmCiut!=rj+PWSNtf0x5>~((Q(0>qdAtpc93UYGCC#g$zrPVtuMu z975N>7rcuA9|QELbE}fsVMR!#1Lv0$7d%Jy=D&KX+Uh4X>F7}^M8r)#+PMOVBtHtz z)CfjBFV*D0D)H@lxk3G!%M=yHz@UHYXF9jm=yX5KNUYwq2F&Vt(GEmssYtSt^)4gKy-kYFI$L9}aRyoV zdbWl>we}Tmjt_)8dwqV`wqWc-wU9vy{M zJ?*m8yWFk2(Hz*TJ;AVjlUJ&dlDjBYHtAadQHc&QWjya6=n1Gh%og=9+5uje!wN8z zHa$?Pen?74)BX;`cbcP>$cgGS@>qr*yWG7i@8GgRf zz9_OU|CtKwk-F8sFX@JKHteQ*$;{WY`0bZovl?v5m}{;clPhIp$7)2obfkby^+-85uS)K z_!RK6Zw4x~D+di845e#sTd(&<6cRCjsBSQ{FINBdrSp(mJ|9~&Evf?ug;|0d)7*V; z{h!{R4RS(5QYT2|Hj+Q}013qGib_j!Q9f(F%`?-f|hcGH?^mm#KpN8)|}Mk&X5=e+_66U5E{?1{VoyuE1O1M#fH(ZEdN7 zu@HtzvCAsL2z)bR>Q+clpglunfU8&V*y}RJF)u&?R6JBCOb;Hpm*;**brjrSroRXTyJ0a|d9&%Jui0j&sL_mq z7t@=t_wIRFOfV2cFW2v`kX%G2TQ;HXImq=%k7~I4Q4)u7sW))5SHu3+u~?S=o24az zR&*Oh(|NrA=ct8xi+HeOR=mkl3BS-Gh9qe4Q?;`FgHD^wjB?!u$pp;mFu9uMDE+JE z0ta2(8+xA#qut~H+U(-uemTyap5!xm(n0k7^eD__f3F3eUGBZcW zvg-WP!u@-Y*B_FPp~Wp-*h6l6E=8H%mam3BoKVoX{cCfpW`an90p!+&U_8yHa8{0w z53@#BtN)QV3z#>SpR`DQiu5Z#j*~VPH?)MrGrVh@Edr&A?DTJK!66lFju#^wrCeeh zGugQJh*QQNw9W2sg><%Wb64hN%mO(wo4|k-CpIHmnU*yF-2?$el(oow)=E(i?UWjL_ANp2* 
z-?`IeKviRzdtpbyr4JN;=#v~E*j~tUQ1(~Qle4bCkyoA79hjbu^APzAmaIR7uPR#N-kCQ25|pX-1bF`0WgM2#t$(oJ_H^y}+l*VY4tIs5yI9YaSytHGh*8WurWEFv(nK$(lH z_Ak5jf9R=yZO8tv_vC*Nt;XH(hb8Yq7>6m-1^F9S%KzDc6K{Rm0d0bC9d* zaJcR^&PvePRs%;!o5*m&OxZo@?$$$oRzw3qx10sDYMPHWT1@N@!)%j(s&yL-&QP_K zTY7yMjAkHsazlaoPl4Q0c0?69o2WW~SN}tD*#miJ{&z0kM%7QFV+x#6d5)*p#AXuU z+A5FUgkCR|CdVyauCW>bM+AVjm$*zO>d5K@4jo}oxA)O4-dyC3Sq_SLE~D+^E1)d6 zywrTmFZI({s9W{KYs0(%Osvg^ea6`qS&PC)a5uBk$x{E$dL~+txwT{RDao79qhf)g zRgfN<7#>`r;ITUQ!tzQ40A-fhJ*(eM>yn_fN3sTqPrB+{)~}6#g{fd=AS?qSCOEyz zq0?>x3>M+MIS|;JS?QkxN#FSi)I#=N__&w8ly8APPKYFY|D7$x&G!I%pft(DR zb@v-DJRXcKZ*j?Mgjufz+zKD7Jde$~=(ud>Hi9!3p)fl@x(v-_GAZ|q5RbF7g|!G} zpq{t3s_LxSOd%T_CwU_NP|zg~wE z>U8pV8F>@aTZ~5Z&Uzjrz3yy(^mosF=r>zo>2))6P`KRE{X*OFcC}feP$yB-G0|Z1 z;$j(9BV$P44{lnT^RWIc*0175Uq{?R-1wp7bH$oi`AnmpTQ$>y+hHd^IjpF^>X!ek zF^9YEH&{%;9eHuAG}l?~m;t1G^hwXl&4S}1)|jswG=OazxIAKKZnCj~03Q8u>s=M8f z!Kjjm1MiVze$L3C(@l@ysqE6Ci1f9HWU0KkvfWZ$c6>S%THlE$yFXQUJqZZRf2$%C ztPoN~zV&4K0tkIQYcbHl|8sFjWJZb4Ave-b@!=yP5}|BlpR5Y0atc$sHe{r$r=ij6+sC&+E)RPri zoq2Ul&qL-UU%w4^!matyK5fVw;U<{6-y!JtgcHnpsV*GAV~6KbXY@)PDZpf4@Wa4+ zkij{-@GP|!UJo#?6{w~Q3F7{)!=`)!hqH%7O>=Neo%SMgJj?76xy7M=CkX}nj2*Ue zya;4Ir%cmIg+sE-AiNJWE-3FGd_V<`&}LP^u6~y*irtLqb{$gn^O;NuUmLFnp_)%$ zJRDc5w(>&m`_LRJzcXqijIUgQ(^OChU1oYm<;%^r#(BJKQ#GRD4$r5ArUqK4W^ZUv z-`+RBaeW)NvK&08LzjDh=6aG{l~Ho?u4Vpn;gWitT%mH7%nG3J8l5y#%hzkxkF1Sm zbJ+eVMK+AkySen(KUKrXJ0-eaaZ!guh`)+F zq5W9)C+}kwje^A(VqiI8HOBED_`n7JRQ4s@Cv?@=V@L47C$RoGHug*hRLRfOh;^G)4(phIz0|6jJcYC@5<7C&;46K5nU+>Y{mVgaJ`4<2gUoN$iyL z?1DwvsANhM%IU$cy0amuVGTQm+60KLyG?ps&{I=k)T0Wg^ZBf|M(srl-bKNmPSGu7!x!o_ zLQ1z^BnxS&`V^UEC(+t&Z7K8Y&uZJqZxm30J@rAfdd#fd?OX4ri>J`v6|_xtzk0u= zIqur8FTY22v$QoZ#xn8grn=~a=z5B;M=;c424o#6%WvLkRrXm}xXOG}IPSS@lf@jl zs7liEtKMjv{*bfkyKz1}5|U!WWJ!Ovjf07~H!)o796S6PZj@OtUpQopKg@_}df#OG zYiR`#(SK10febr#Z2palo#8MrRskOKghBuX8r!kWhYWekYH&M;L;~J+TmRdg;#;O* zNh(V5+ed^!{LXX9od(mT8-8w`DTh)C$9XDLSsyfcmDGRCcPnqzxBEEF!1a&nWKJ_*g`CiI#H&=M#N&5ZNaYwzFQrW?jD)f@yWlk@WWEpV8_ 
z3TB7Enuc z)s#Mff|FTDmaEANOO=pMk@|XBjL%keozsu|Wg2KZ%d}$7XAiXm{iheXJQX3Leza&D zLuAu9Un72Pc3yRwx^bq|A}pz85D%ytbz~Z9JFIG^X4F(_sLVSV<6W-Aedw=#6Dg82 zBkJs#ub!Hq#p*Cay#pq^__?^jF*AZXMp8y=$peONF>lgr;2JgYr6e>BbY zj8@**3JRrlD+|i#ud%ZI`BQQrm)%V(J%%~_In2b7;Y3n|Ixo6_OjN~~cs;g2BG|MS(*a)*w zN;*;01Z@c`cn5Y+@s|gH-;Yo8qMJItv#UITNuc}BpEM#+Iu+$&>1i&nYn>3bCS-du znh-U3yWC(M^9}Y=CryB0T|lDGMDa8+S!lXQE^Y4s5iQBh9lifck(QPfAOYF zC&tgsup?-yshgRn%H%gK~j&%uXA z%m4AAB19tnfVZ(*u64+B*2xS{DlIrib>qg^7iFba;?Yk?$C=CP+^@xl(RKIxjtK@j zy2)D$yD#?PDDw8sYikkF%M z_pJn)kwP`O+Tz^QZ{j?N#CKwV>27#=hZE++9+?>hivTab8VhTDMlg3?Ulyx986lu{ z`BI{-HhGL^)$yjNf1&5Yz=GFu7(Q6&r*bGo*Tq;7y`cxqKhX8@`BHpNqve70)%*AY zMYv{R?z@l_#8Pw0GOHldC(Jt68>Ka8vFCo#;)2O~&26iY5U4qGN6h`Bxq=MrWIS** zpJRW!4E>B84(*(Q)BD&qXy0b%7bx78hlDa}uP-udWzGZwpDH4*nM3hvw4a5MF z2A0uwM%}sM@Y)9jS;ScRXtD<`Px+AJ(MxyF@YzE0!^)iH7Up!#o~(69h4?T~`p+f$ z-I7GZb2!iW;g#i6>ZA4_-Ip#8{k(Wov6%bODi8n*^FpOs8cIkA6>DQmz6>oxjP!cg zq|JW=A5!6e$^ZU85b^u3Tyh86E7{nHOw%C}!&LkCCG`Xqv91<`=^`q`JC|~gSYNol z!E@>=$@ak4V{|G$l`KXcP=iHyP+W{*+usROpwt{Dmoi@znird$*^m#SF~46&^f z;uhUQ~xHnG$`Ykt9qldl2x9=yfH{PV@s6xvzEk(6m!uPsy*sS!aM|EIj z<$K6u{FJX=jg!*JB_tdZw61DsV)_!Jp0XrSUe>wbQ`EwxR&#R20y5H%w%)-ToLJ%J z%=)#W;Onw&R+KO>NL-m>g}1hTuawdvjpr|oPT83KJek`#ASm-&W7tRT0BawtLs#6+$J3J&^_^gi7U;x&I!VK@8E`tm`|4`DwExYz2WF)cPg*Ae8`Y!rLz>UX z#x~@YZ%KP>)qgg_v6o>cL6ZsPrY`N^rz25$BS^F*kx^rv=4aqEQ3TU>o;M$3b3Pi& zoJ4;h1Vc8J^xxi$#HCI_bwU@y5z+U7qNsgORe;4%E+=`lMfaA&pssD8I-oFJbnmVs_6&`x3RnemO5hPayh{9n3#7a(rxE zR#u5|5H()QZNq<-7nqC`&xp6Gaj_ZPSb=_dmr#Hv>(RiyY!^Dc*^cXH=(`_wr+-Lg z<^RBcApzKp81R!g&*BvI19!QO`Bwhj>Zv@-xGjBh+e%F`8;QWJ>s{xyI%i!w>Ca&f zF)VDrXd4z5hG#r1dqj+1eUWSSsXS16AnJD4s_M@yqzwZAvMbFlF!DWrTT;)WbuOIE zDUua4d4^5rx^PlAxAs}t9M&dt@tLkG`kuM+t2WOLr@RnQpq7Vt!rEQhl``1V9Jjih zTHa1dV6T`sIa+#?Q=Dc1z6|x+i?~$w)Yy8N4+yNTw{qe^`Rw1)$mYg618-a4!g@#& zV@%g_t`LI5J(o(Hw0Py$GNL6u)jiol_WYkX^UEBPm$|8czy$RYjAA-&fWzwKWj*>j zI9wR;iBP5O=I0(hNH0QR0CR|N%a<|HC-cDW50)I{VmyFEWl>k^LJ?z3|HDrJ>LI89 z@rPbjQdMU3?7ZgXDr=cDxL9`FqpY9W!%l;vb=AC=JP1l_QBZPvgc6k@@tF-H&f#~i 
zd-vr}@oL4ml8O0=qEGKeJtcHSLxxg%=NV1zAgxhSEEIEVWxNRJcC1jVaVwS{^xg}kP+YacIStXuc+&r4xTYR}fz_?oH*2ybc zCnrWZdqK8oO2>^U=dL=l(ly363?2gURK4KLb-KZw?as@hC8@gY)9{LjzE*!YDL1Vj zUcWo>;!Y)mkKCR30^Ha?=CQx2RW-VF(?GnU;WE$T{3!9*C_loR_P(wBKF_W328TPx z9yzK&x_~NoIyO$S6D%D)(mk?e6qA99f!ddyr|?NR()}#E^fuS@Vv-5MdJ9dLy$7!b zh4%(i3^LCarj%xwzl{oa*0=Hlj&)7Iu0(m7l{$^g>heIZOxwG{;A=S2GZwL$3uY)I zw?7Ci3%E^Nt&bW6RTWnXg>(OTCtgV?)Nvw7!-r~;sjRB#Lazf>^l6#ele{* zWY?VR&?!ec)aduG8|$@;mu}2-iq;C?wPxtv+Kh*(9_m5VM2EjJ z97_V@H~w-e0y`GwPqdCN z^OKt6`U~S>zwq7e(zmG6i4;VdF!h1O_*ZZFx>P+p{|&6O)JCNooN(V?+yCuSsWV3} zf!5pO#1Oeeo@SR(>3yk`;je${5XU1;1{*C>U_7y8h{>`Lm4SBg+tqXA(za5Y*ZCd0 z)3%hWg8$ngIP!>etZ194Lu&cko&v4;fdWgOd;!ujo?b1#n5-vDWm?6GFojK5EgQ=Q{_W# z!8ti))zfbtES&yyz$<*INL&OK{)lRCI1BESG=;<(WIFj6CQQBOvrL&W^P@*nIrL1* z+>ze$a{b!kP&D#Bw8WV}!mNXmgMk<>Csl=<-G&#Mp9p2<@|Lh!l~0b71YO=tL9v<< zd_O4z@RhAmxZ&A-2cOx(ot++S;kwS;HL?7-9A#DsI%t&I@)nAR(^9nEA>i zPKl_OK?9cszjwiy+Pv1i(vJd~7ns)ZzHvTx{9Xujgxp$_rY&q)=1HfC*bn!|v458J za*QXbYsahVBMqxZlv}ssK}&1NTephnkIA zd_KJ3c641>;qua>0S3lT^cKDJaA_ui>zAaXPvi89Sv`uj1OS{{mlbtb0pMVw_l*;u zuenaKH-i;4?*{8?Ze-dXnFihA(#gm!oY`HQpek0+JFa{_WtY|DMq6Vwu}Wt?-!nha z9)5by!Bd+fas2e)9OTQF^@aPz>#pb!uQ6Z}gokp-?`6BJR%dIeZnigSQ#-y^EPXGB z{#gjeD%yjN=i1@h5h`vMp>1EHa9Esw!xTUtFtTOlB#oa%`Px9qksLUO;8RY{cR3^> z9RSjHN(Yz}PI<-qP2B<)H7U4UK4%pCTCnmnCRJvrk|xNn4E)4FR4LQYM={r^E%J%o zc#qMf7asunYduo$(}NaHV*-CGF_P%rE^HdfTFze0 z1r|q8fxD=SvfsGqk$IIR;47~t9YpA3@(pAC@p1Y?#68Q&EyubneT6Hwkf~&7M!7Ti zFVtKntUy5D2uAR|?P_OFt~YOdp@Vp#^2udkK^8tzEDf?HfNx*IGc0G};9&mXCGXQiDF*6jB*MpLHS1Fs-C8~7^ZG*yUdI|USpzX?_MOR6D`V9Bv7kT+z>~q#$&5% z^|tdmUsEg+Bn|UrkDGBythEin*Ri*alit>vP)p?!h>+r?G(Gt{Co|IQl^sjbETgN5 zbNu!)6F6k&{MKUi{h_GoN0*6R9o5cP?L4z#mu{5_6rV*A6r`PEW8v zYNN5F;pK(EBX;!ge6iGK(0Ro~WLO_-o% zA5Ida#NhnhNT3@8?r=2eRDxosCdgJFlP*R*(DJKS&pvTopjlcf>am74FimAx zNaMe>OeNHU6}*w)Qr~2z=NGsJUztMgqRr}23p1IprGYn#M z!XQK1qQO4n;8W=E+frMPur6HjQCxteuf(V4CGA5lxF)K#^frRERRr@)Wm?w(aoa$G zpD(YU;G!3TTxRlXaU1ndHwd=Q0IpPtW`OosPLDaqycgOYm+zL8!^B<{-)J5{@kL^# 
zxjU&vZ3dklHR=*I9x93~x+v+MN6n-UD>8h-gY(qrY_b!vDa^|5Zc1tN#M_1ZD0-xuY z)8$mc1%uAzUwg7ubmP5vMnZL)z8;4+Nhz6Me;cigHPvFk?e7_+8C$~P(h{=KLpJ^= zm;n|0p*1_gl^jLt_IpdX*(cAwhgC&Tdbw&DC@8{!_LDc3`zEN&zHATp(FWCN3c1(_rH=^n@PtYs6J$parJ zlP>=f7MZ{JzQ}w;=C^vv%PaB7+JYIHo2O!3vUHu#RF|B^zNs-Ou?n~qIljuuqSYOo zWM8WI%p>uN9pC}JG6crxigIwoCzI7R74p0}I0w*VvV)Xx0cZ%p;7`ttf4|qnxUo|I z)S}KAo#z!x1o~jC6T3)Y_5I+lAtAEob$L{M0yM6g7S}ikZ;)073yRd%{Y&Zb=4NWV zN&T(Q1P%h^RBqg}C`>S&%3spkbh-;Aq&fj?U2dnOpM3S7BDYvi;oaS`m@^@lKeN?_2p3);~;sjy)tBtfA$4KQ0!hhd;MzHp<8%;TYLGd^ai zt*V!%1b?qJu>A8CUC+tImzcAwvv-!S>QWDjjXU+>}`6mvc7R$ zmYG@R&I^zV=-=|VRao|Hf31{Z5)3#I*-UO}2j4J@(pqk#m@P->Ee~_*n222p0cILl zeSseFIYYi6vlJb@@!oVxNU<*z?c(5~mi722^^9NY1T+V&U+k79Z$s2&e+2W>HZ(sM zFW3(3798jtrpX>qH6AKFKK@?g(T|Vt|Lyi~Kh)Pt=A4+c-MQPcEBKAeDdddNQVMTI zV0h5y)N7BA@jd_g_o01sP#LOG2mPhxK>5Q_^vD9f@d9ltBL>NnJ3Gy|MVuK&QUZyL zGs7~G=|XW#-pF(d$55B|!7HOC1{E>L`mE`ZS-1CFN5`68?*K(TJhrloXXs5B_KZnY z+}xN2tB;vBpO3ea0~XUo4HCr%=SofEHI&u}tZ=w8XD?fzF7BBo{$5^@7(d&Tkjh}N zsI>}G5Syc;wvpv^u`B#qPdY#z4PxN_DGOJ8I9@v7Lx6jQbLR_O$Hex?*-=_C;fTqz)3|=(TR9g!Y@AUGQ z$dYADFNxoQkM80pbycFc@qk`|c1JDx{VH+wD)?g76^O>`P#601nYORUYy)lO*Ge%+ z($6L1DLl!e%bg4gDVy-DPRy;7T^H;?u*q`C{ov-s?`i2peFrGkixjf96%mp7{~n-A~GGZuv{r@jCM8zS{}* zE{PX5&74Kim&cooAM5PA-4WlY#{GX zK3BXhdBtj?yj?HgavJEar5G!c%H+>$fw9jx>C@as5qA4Z4XV4@U-krpS4{(j z@!Z~Lr|m>-oSMY-DvtGD|7a;0)Tg|3vCJ3_S+C(9s@MF;0c4?R@5T-@nh}y6 zNhp5(J<)&b9}@j%x#jk+J#AuZ?zb(v+CmFu{c~?DL-Er3yBD=+7vQ}IMsx0&^-ssO zD=)+LTlQtM!;5KXD@Oh|u6a~i@ZI#3Ai0y4j+XX>tLL^p(d^RVvtm0}P-#oyMdM7> z10|Q2F@N?K$%+*xs;1pez)A)w6Q-ogI((UeuXPmkGv(VR=8tGk0Yfdj(6tOzugM_| z{fq+0LXGm2=ZOMnBir1k7bsLe1bh{qmDW&Rl@t6mYe`sI5@#WGm1z+E-(io_C$;5Ry#cA+1V6qB9^l%})pRrHO6l?IUTF znrhE2zg(h`S8*k~@+jU8OG#aPP^BBg+$8P+#`_k$!bB<$&cWt68_u4jZ>Kv&6)=?@ zNA)hs!RN%1cP!%xaqwCw>~CpJR0d~JK1Djb*N!M018joDZnU44hrXI5Q!iVh)DuDL zo>76Pd#}P@hj&d)Bmhl{jH?R_VIUP#Lu;$i^dy3BP=B*{HEnEBIM_6YN*6}lU26l& zw|2;4QP(GxSZ$shsx_XF*O7GqKLah{wkfOFOF2_JLTDjmU^~4&us6@x@V?@4;d4`(gJ7MkB4s 
zg6f(dgF=nyY?_A$W@FiU|L9og(;%uSKBDCS^l{dFn^k+u4}&S4Zgfcfy2>p~H9T~H z6*x2|GSNskNZGIlHaMt5scf7p6 zP}9aIcs6)9HtpQyuzhH5QQpcoF7B1E!5~z36_as6iS9lA-d-T9pWd6fJaPE?OA5*6 zbL9*>kOD_;8`}EM*sR6%K99-cb>|%DJsV)L_MP72@j>XXCLI4)|Cp$B;BckLoiawL z=2k}e^jVG@_Cr|P6K)j+Gh3gE!7}~4-qsN5+X#6r+Sg#Qk;AdjP);rbN6_SnT-@jz zX}`6G5ahNPfO+6u&{{iz&1sz#F3(^(BbI;OjtLuG=@nw_FjfMtdfk+tKU}L6IacdX zBNTq!5Uv#~W;L^$c+lN6uPxu-muq|KZfcviOuAR6lSdt-ddhygs>+aF3JGwyxA3^? z0n!)IC@8ePcSWtQ#h?uU zAXWo2)~V7J=l&Evz2pY;T4>-wk#GVohp?{QJVlHUH6UIWWDOc>=ye%w_4vlMw0S7u z?M3#FjNIx?8b!US@QoAMB?1os933mudkUW8pgBUj2D(?Sf}JX-?9~3>0hlli$sWu#Y&Jx|4pq zp|>#XIu7KZFPD%|X3@0u=W1hN?NAl3a#hgphuKl~&$@!_Ai8uydjCOb>X>Ab_m z-X4k~hUH>^kdW2jTO0o)4(_j9^|XKDV*hcM)3c?cyibKTGf3)9Gw=wc?jJ2$!#5_w z9!17@Ys372I9zSOm{EJhIJuc(q$jA{N;x3U{Ul!s`2(+Pj8&x1W)+P-*3`QV?7sP> zc|tBON<};;F1qu1O_;$^(z#T>`<;yvSu-)%7x|fS@@`=TyVx%$H7_8>Up8u*xNVkE zWM`R6ueTDK<{!@&_z$&Xl}}r+3*(q zL=Edkgu#i()#o1@_ic_;WzE#BZk9C;HAP2IQ*F2(&Zz4~F4?Tr{@L#H{)ug1S+FpF z@l_cC__)h>hxS6pp95FL+A*@eR?T+b?PB=PfR+i%Q#qS<&Ccg9OsOT;mp-n@{B9Ky z!n-}Pz1r_r@s;pP=xRpy82sj=&)==uT2Ak?{deXX9<5lsX!Yr1E`#1mIefR8oOl(u z)o|ctQ{p52`=q*q$97^5pTc*mA11^1ZuP1{t$)`Hx8M&}->1U;&?iQ4w1MgQ{|`aT ziNb#c;BPBn-TsHen5V1hK{0$4Jj!Z)=&NVptP3~u*K_O%oF0EM!a eW=ig_1_^OHT*uts{$Jl7|MLG|kHGnFw0{G`Md^zG From 1ecab792bcce3d1cc190ef40ae9718c577f4ff69 Mon Sep 17 00:00:00 2001 From: David Date: Fri, 8 Dec 2023 15:55:17 -0500 Subject: [PATCH 07/13] rename controller, add platform list, api updates --- .../machine-config/manage-boot-images.md | 72 ++++++++++++------- 1 file changed, 45 insertions(+), 27 deletions(-) diff --git a/enhancements/machine-config/manage-boot-images.md b/enhancements/machine-config/manage-boot-images.md index 38d8f0a0d8..1fadb200ad 100644 --- a/enhancements/machine-config/manage-boot-images.md +++ b/enhancements/machine-config/manage-boot-images.md 
@@ -43,16 +43,15 @@ Currently, bootimage references are [stored](https://github.com/openshift/instal - podman [[1](https://issues.redhat.com/browse/OCPBUGS-9969)] - skopeo [[1](https://issues.redhat.com/browse/OCPBUGS-3621)] -Additionally, the stub secret [referenced](https://github.com/openshift/installer/blob/1ca0848f0f8b2ca9758493afa26bf43ebcd70410/pkg/asset/machines/gcp/machines.go#L197) in the `MachineSet` is also not managed. This stub is used by the ignition binary in firstboot to auth and consume content from the `machine-config-server`(MCS). The content served includes the actual ignition configuration and the target OCI format RHCOS image. The ignition binary now does first boot provisioning based on this, then hands off to the `machine-config-daemon`(MCD) first boot service to do the reboot into the target OCI format RHCOS image. As 4.6 and up clusters only understood spec 3 ignition, and as the unmanaged ignition stub is only spec 2, this was now an incompatibility. This would prevent new nodes from joining a cluster that had been upgraded past 4.5, but was originally a 4.5 or lower at install time. - -To peel another layer from the Ignition onion (sorry), there are some scenarios in which the MCS TLS cert contained within the above ignition stub may be out of date or incompatible. In such cases, just up-translating the ignition stub will not be enough. Example issue [here](https://issues.redhat.com/browse/OCPBUGS-1817). Solving this is not a direct goal of this enhancement(this work is targeted and scoped by [MCO-642](https://issues.redhat.com/browse/MCO-642)), but it is important to keep track of as this is a new failure mode that will be exposed by solving the above two issues. +Additionally, the stub secret [referenced](https://github.com/openshift/installer/blob/1ca0848f0f8b2ca9758493afa26bf43ebcd70410/pkg/asset/machines/gcp/machines.go#L197) in the `MachineSet` is also not managed. 
This stub is used by the ignition binary in firstboot to auth and consume content from the `machine-config-server`(MCS). The content served includes the actual ignition configuration and the target OCI format RHCOS image. The ignition binary now does first boot provisioning based on this, then hands off to the `machine-config-daemon`(MCD) first boot service to do the reboot into the target OCI format RHCOS image. In certain long lived clusters, the MCS TLS cert contained within the above ignition configuration may be out of date. +Example issue [here](https://issues.redhat.com/browse/OCPBUGS-1817). While this has been partly solved [MCO-642](https://issues.redhat.com/browse/MCO-642) (which allows the user to manually rotate the cert) it would be very beneficial for the MCO to actively manage this TLS cert and take this concern away from the user. ### User Stories * As an Openshift engineer, having nodes boot up on an unsupported OCP version is a security liability. By having nodes directly boot on the release payload image, it helps me avoid tracking incompatibilities across OCP release versions and shore up technical debt(see issues linked above). -* As a cluster administrator, having to keep track of a "boot" vs "live" image for a given cluster is not intuitive or user friendly. In the worst case scenario, I will have to reset a cluster(or do a lot of manual steps with rh-support in recovering the node) simply to be able to scale up nodes after an upgrade. If I'm managing an IPI cluster, once opted in, this feature will be a "switch on and forget" mechanism for me. If I'm managing a UPI cluster, this would provide me with documentation that I could follow after an upgrade to ensure my cluster has the latest bootimages. +* As a cluster administrator, having to keep track of a "boot" vs "live" image for a given cluster is not intuitive or user friendly. 
In the worst case scenario, I will have to reset a cluster(or do a lot of manual steps with rh-support in recovering the node) simply to be able to scale up nodes after an upgrade. If I'm managing a `MachineSet` managed cluster, once opted in, this feature will be a "switch on and forget" mechanism for me. If I'm managing a non `Machineset` managed cluster, this would provide me with documentation that I could follow after an upgrade to ensure my cluster has the latest bootimages. ### Goals 
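Review bot: The rewritten Motivation paragraph drops the explanation of the spec 2 vs spec 3 stub incompatibility, but the Overview hunk in this same patch still has the MSBIC translating spec 2 stubs to spec 3, so that step is left without a stated motivation. Either keep a sentence on why older stubs break scale-up or remove the translation step in the same commit. The new MCS TLS cert sentence also no longer says whether managing the cert is in scope; the removed text said it was not a direct goal, so please state it under Goals or Non-Goals. Minor: "partly solved [MCO-642]" is missing "by", and the second user story mixes `MachineSet` and `Machineset`.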
@@ -70,22 +69,22 @@ This should not interfere with existing workflows such as Hive and ArgoCD. As th __Overview__ -- The `machine-config-controller`(MCC) pod will gain a new sub-controller `machine_set_controller`(MSC) that monitors `MachineSet` changes and the `coreos-bootimages` [ConfigMap](https://github.com/openshift/installer/pull/4760) changes. -- Before processing a MachineSet, the MSC will check if the following conditions are satisfied: +- The `machine-config-controller`(MCC) pod will gain a new sub-controller `machine_set_boot_image_controller`(MSBIC) that monitors `MachineSet` changes and the `coreos-bootimages` [ConfigMap](https://github.com/openshift/installer/pull/4760) changes. +- Before processing a MachineSet, the MSBIC will check if the following conditions are satisfied: - `ManagedBootImages` feature gate is active - The cluster and/or the machineset is opted-in to boot image updates. - The golden configmap is verified to be in sync with the current version of the MCO. The MCO will "stamp"(annotate) the golden configmap with the new version of the MCO after atleast 1 node has succesfully completed an update to the new OCP image. This helps prevent `machinesets` being updated too soon at the end of a cluster upgrade, before the MCO itself has updated and has had a chance to roll out the new OCP image to the cluster. - If any of the above checks fail, the MSC will exit out of the sync. -- Based on platform and architecture type, the MSC will check if the boot images referenced in the `providerSpec` field of the `MachineSet` is the same as the one in the ConfigMap. Each platform(gcp, aws...and so on) does this differently, so this part of the implementation will have to be special cased. The ConfigMap is considered to be the golden set of bootimage values, i.e. they will never go out of date. If it is not a match, the `providerSpec` field is cloned and updated with the new boot image reference. 
-- Next, it will check if the stub secret referenced is spec 3. If it is spec 2, the MSC will try create a new version of this secret by trying to translate it to spec 3. The new secret will be named `$(secret_name)-spec-3-managed`. It is necessary to preserve the old secret as `MachineSets` that are not opted-in to boot image updates will still reference the older secret and use them. + If any of the above checks fail, the MSBIC will exit out of the sync. +- Based on platform and architecture type, the MSBIC will check if the boot images referenced in the `providerSpec` field of the `MachineSet` is the same as the one in the ConfigMap. Each platform(gcp, aws...and so on) does this differently, so this part of the implementation will have to be special cased. The ConfigMap is considered to be the golden set of bootimage values, i.e. they will never go out of date. If it is not a match, the `providerSpec` field is cloned and updated with the new boot image reference. +- Next, it will check if the stub secret referenced is spec 3. If it is spec 2, the MSBIC will try create a new version of this secret by trying to translate it to spec 3. The new secret will be named `$(secret_name)-spec-3-managed`. It is necessary to preserve the old secret as `MachineSets` that are not opted-in to boot image updates will still reference the older secret and use them. The above step is platform/arch agnostic. Failure to up translate will cause a degrade and the sub-controller will exit without patching the `MachineSet`. -- Finally, if the MSC will attempt to patch the `MachineSet` if required. Failure to do so will cause a degrade. +- Finally, the MSBIC will attempt to patch the `MachineSet` if required. Failure to do so will cause a degrade. #### Degrade Mechanism -The MSC will degrade the worker `MachineConfigPool` via a new [MachineConfigPoolConditionType](https://github.com/openshift/api/blob/master/machineconfiguration/v1/types.go#L492). 
This would be an API change, but a fairly simple one is it only adding a new condition type. The node controller(another sub controller within the MCC) would then [check for this condition](https://github.com/openshift/machine-config-operator/blob/master/pkg/controller/node/status.go#L142C34-L142C34) and degrade the worker pool, effectively degrading the operator. +The MSBIC will degrade the worker `MachineConfigPool` via a new [MachineConfigPoolConditionType](https://github.com/openshift/api/blob/master/machineconfiguration/v1/types.go#L492). This would be an API change, but a fairly simple one is it only adding a new condition type. The node controller(another sub controller within the MCC) would then [check for this condition](https://github.com/openshift/machine-config-operator/blob/master/pkg/controller/node/status.go#L142C34-L142C34) and degrade the worker pool, effectively degrading the operator. As mentioned in the above section, degrading will only happen in two scenarios: - Translating the ignition stub to spec 3 fails. This is likely more fatal and won't get fixed without the editing the ignition stub manually. 
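Review bot: The stub translation step creates a second secret, `$(secret_name)-spec-3-managed`, and keeps the original, but nothing here says how the copy is kept in sync afterwards. The stub carries the MCS TLS cert, so if the original secret is rotated (the manual rotation from MCO-642) the translated copy would keep the stale cert and opted-in `MachineSets` would fail to scale up. Please state whether the MSBIC re-translates on changes to the source secret, and who owns and cleans up the copy. Minor, in the Degrade Mechanism line: "a fairly simple one is it only adding" should read "as it is only adding".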
@@ -110,6 +109,25 @@ Any form factor using the MCO and `MachineSets` will be impacted by this proposa - microshift: No, as it does [not](https://github.com/openshift/microshift/blob/main/docs/contributor/enabled_apis.md) use `MachineSets`. - Hypershift: No, Hypershift does not have this issue. +##### Supported platforms + +The initial release(phase 0) will support GCP. In future releases, we will add in support for remaining platforms as we gain confidence in the functionality and understand the specific needs of those platforms. For platforms that cannot be supported, we aim to atleast provide documentation to perform the boot image updates manually. Here is an exhaustive list of all the platforms: + +- gcp +- aws +- azure +- alibabacloud +- nutanix +- powervs +- openstack +- vsphere +- baremetal +- libvirt +- ovirt +- ibmcloud + +This work will be tracked in [MCO-793](https://issues.redhat.com/browse/MCO-793). + ##### Cluster API backed machinesets As the Cluster API move is impending(initial release in 4.16 and default-on release in 4.17), it is necessary that this enhancement plans for the changes required in an CAPI backed cluster. Here are a couple of sample YAMLs used in CAPI backed `Machinesets`, from the [official Openshift documentation](https://docs.openshift.com/container-platform/4.14/machine_management/capi-machine-management.html#capi-sample-yaml-files-gcp). 
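Review bot: The new "Supported platforms" section lists twelve platforms but only says GCP is in phase 0; it does not say what the MSBIC does when the feature is enabled and it meets a `MachineSet` on a platform that is not yet supported. Please state the behaviour explicitly (skip without degrading, and how the admin can tell the `MachineSet` was skipped), and mark which entries in the list are expected to be documentation-only. Minor: "atleast" should be "at least".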
@@ -171,13 +189,12 @@ As can be seen, the bootimage becomes part of an `InfrastructureMachineTemplate` It is important to note that InfrastructureMachineTemplate is different per platform and is immutable. This will prevent an update in place style approach and would mean that the template would need to be cloned, updated during the clone, and then the MachineSet updated. This is somewhat similar to the approach used in the current MAPI PoC of cloning the `providerSpec` object, updating it and then patching the `MachineSet`. The `bootstrap` object is platform agnostic, making it somewhat simpler to update. Based on the observation above, here is a rough outline of what CAPI support would require: -- CAPI backed MachineSet detection, so the MSC knows when to invoke the CAPI path -- Update the bootimage reference in `InfrastructureMachineTemplate` to matches the `core-bootimages` configMap value if required -- Update the ignition stub in `bootstrap` to spec 3 if required +- CAPI backed MachineSet detection, so the MSBIC knows when to invoke the CAPI path +- If a boot image update is required, create a new `InfrastructureMachineTemplate` by cloning the existing and updating the boot image reference within. The name of the new `InfrastructureMachineTemplate` object will be generated by hashing the template content. This is consistent with the current CAPI approach to naming new objects. +- If a stub translation is required, update the ignition stub in `bootstrap.dataSecretName` to reference the new spec 3. - CAPI backed MachineSet patching -Much of the existing architecture regarding architecture & platform detection, opt-in, degradation and storing boot image history can remain the same. - +Much of the existing design regarding architecture & platform detection, opt-in, degradation and storing boot image history can remain the same. ### API Extensions 
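Review bot: The CAPI outline now clones the `InfrastructureMachineTemplate` on every boot image update, but it does not say what happens to the superseded templates. Since the templates are immutable and the new name is a content hash, each update leaves another object behind; please say whether old templates are garbage collected or deliberately retained (for example to support the manual restore described under boot image history). Also, the line "update the ignition stub in `bootstrap.dataSecretName` to reference the new spec 3." ends without its noun; it presumably means the new spec 3 secret.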
@@ -185,11 +202,11 @@ Much of the existing architecture regarding architecture & platform detection, o This proposal will introduce a discriminated union in [operator types](https://github.com/openshift/api/blob/master/operator/v1/types_machineconfiguration.go) for the MCO, `ManagedBootImageConfig` which has two fields: -- `Mode` This is an enum which can have three values: +- `Mode` This is a string enum which can have three values: - `Enabled` - All `Machinesets` will be enrolled for boot image updates. - - `MatchSelector` - `Machinesets` matched with the label selector will be enrolled for boot image updates. + - `CustomConfig` - `Machinesets` matched with the label selector will be enrolled for boot image updates. - `Disabled` - No `Machinesets` will be enrolled for boot image updates. -- `MatchSelector` This is a label selector that will be used by machineset objects to opt-in. +- `CustomConfig` This is struct which encloses a label selector that will be used by machineset objects to opt-in. Here are some YAML examples that describes operators in each of these modes: ##### Enabled @@ -223,10 +240,11 @@ metadata: labels: spec: managedBootImageConfig: - mode: MatchSelector - matchSelector: - matchLabels: - machineconfiguration.openshift.io/mco-managed-machineset: "" + mode: CustomConfig + CustomConfig: + machineSetSelector: + matchLabels: + machineconfiguration.openshift.io/mco-managed-machineset: "" ``` Note: While in this mode, the label added to the selector will have to be added to the `machineset` object. 
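Review bot: In the YAML example the union member is written as `CustomConfig:` while every other key (`managedBootImageConfig`, `mode`, `machineSetSelector`) is lower camel case, so the example will not match a conventional JSON tag of `customConfig`. Please fix the key, and spell out the union rules in the field description: `customConfig` required when `mode` is `CustomConfig` and forbidden otherwise. Reusing the same word for the enum value and the field is easy to misread in the bullet list; a sentence distinguishing the two would help. Minor: "This is struct" should be "This is a struct".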
@@ -267,7 +285,7 @@ spec: ``` #### Tracking boot image history -This proposal will also introduce a new CR, `MachineSetBootImageHistory` for tracking boot image history in the MCO namespace. As a starting point, here is a stub type definition for this: +This proposal will also introduce a new CR, `MachineSetBootImageHistory` for tracking boot image history. As a starting point, here is a stub type definition for this: ``` type MachineSetBootImageHistory struct { @@ -303,7 +321,9 @@ type MachineSetBootImageHistoryList struct { Items []MachineSetBootImageHistory `json:"items"` } ``` -There will be one instance of this per machineset and it will be updated by the MSC as `Machinesets` are created/updated. This CRD will also need to support MAPI and CAPI backed `MachineSets`. The goal of this is to provide information about the "lineage" of a `MachineSet` to the user. The user can then manually restore their `MachineSet` to an earlier state if they wish to do so by following documentation. The MCO will not directly consume from this CR. This is not planned to be part of the initial release, but more of a nice to have. +There will be one instance of this per `Machineset`. It will be updated by the MSBIC as `Machinesets` are created/updated and will exist in the same namespace as the `MachineSet`. This CRD will also need to support MAPI and CAPI backed `MachineSets`. The goal of this is to provide information about the "lineage" of a `MachineSet` to the user. The user can then manually restore their `MachineSet` to an earlier state if they wish to do so by following documentation. + +The MCO will not directly consume from this CR. This is not planned to be part of the initial release, but more of a nice to have. ### Implementation Details/Notes/Constraints [optional] 
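Review bot: Moving `MachineSetBootImageHistory` into the same namespace as the `MachineSet` means the MSBIC now needs create/update permission on this CR outside the MCO namespace, and the text does not say how a history object is tied to its `MachineSet`. Please add the naming rule or an owner reference so the object is removed when the `MachineSet` is deleted, and note the RBAC change. In the split-out last paragraph, "This is not planned to be part of the initial release" has an unclear antecedent; name the CR explicitly.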
@@ -376,8 +396,6 @@ Additionaly, a phased approach such as the following is the proposed: - Tracking boot image history - User facing documentation for manual restoration -In future phases/releases, we can add in support for remaining platforms as we gain confidence in the functionality and demands of those platforms. An exhaustive list can be found in [MCO-793](https://issues.redhat.com/browse/MCO-793). - #### Removing a deprecated feature This does not remove an existing feature. From 3205857331dc75b72b11cdc1ee1b16eb72500b5b Mon Sep 17 00:00:00 2001 From: David Date: Mon, 11 Dec 2023 15:50:39 -0500 Subject: [PATCH 08/13] updated with new stub secret approach --- .../machine-config/manage-boot-images.md | 27 ++++++------------ .../manage_boot_images_reconcile_loop.jpg | Bin 105979 -> 99433 bytes 2 files changed, 9 insertions(+), 18 deletions(-) diff --git a/enhancements/machine-config/manage-boot-images.md b/enhancements/machine-config/manage-boot-images.md index 1fadb200ad..913d4a292f 100644 --- a/enhancements/machine-config/manage-boot-images.md +++ b/enhancements/machine-config/manage-boot-images.md @@ -13,7 +13,7 @@ approvers: api-approvers: - "@joelspeed" creation-date: 2023-10-16 -last-updated: 2022-11-29 +last-updated: 2022-12-11 tracking-link: - https://issues.redhat.com/browse/MCO-589 see-also: 
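Review bot: The front-matter change sets `last-updated: 2022-12-11`, which is earlier than `creation-date: 2023-10-16` on the line above and does not match this commit's date of 11 Dec 2023. The year was already wrong in the replaced value (`2022-11-29`); this should be `2023-12-11`.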
@@ -43,9 +43,11 @@ Currently, bootimage references are [stored](https://github.com/openshift/instal - podman [[1](https://issues.redhat.com/browse/OCPBUGS-9969)] - skopeo [[1](https://issues.redhat.com/browse/OCPBUGS-3621)] -Additionally, the stub secret [referenced](https://github.com/openshift/installer/blob/1ca0848f0f8b2ca9758493afa26bf43ebcd70410/pkg/asset/machines/gcp/machines.go#L197) in the `MachineSet` is also not managed. This stub is used by the ignition binary in firstboot to auth and consume content from the `machine-config-server`(MCS). The content served includes the actual ignition configuration and the target OCI format RHCOS image. The ignition binary now does first boot provisioning based on this, then hands off to the `machine-config-daemon`(MCD) first boot service to do the reboot into the target OCI format RHCOS image. In certain long lived clusters, the MCS TLS cert contained within the above ignition configuration may be out of date. +Additionally, the stub secret [referenced](https://github.com/openshift/installer/blob/1ca0848f0f8b2ca9758493afa26bf43ebcd70410/pkg/asset/machines/gcp/machines.go#L197) in the `MachineSet` is also not managed. This stub is used by the ignition binary in firstboot to auth and consume content from the `machine-config-server`(MCS). The content served includes the actual ignition configuration and the target OCI format RHCOS image. The ignition binary now does first boot provisioning based on this, then hands off to the `machine-config-daemon`(MCD) first boot service to do the reboot into the target OCI format RHCOS image. -Example issue [here](https://issues.redhat.com/browse/OCPBUGS-1817). While this has been partly solved [MCO-642](https://issues.redhat.com/browse/MCO-642) (which allows the user to manually rotate the cert) it would be very beneficial for the MCO to actively manage this TLS cert and take this concern away from the user. 
+There has been [a previous effort](https://github.com/openshift/machine-config-operator/pull/1792) to manage the stub secret. It was [reverted](https://github.com/openshift/machine-config-operator/pull/2126) and then [brought back](https://github.com/openshift/machine-config-operator/pull/2827#issuecomment-996156872) just for bare metal clusters. For other platforms, the `*-managed` stub secrets still get generated by the MCO, but are not injected into the `MachineSet`. The proposal plans to utilize these unused `*-managed` stub secrets, but it is important to note that this stub secret is generated(and synced) by the MCO and will ignore/override any user customizations to the stub secret. This limitation will be mentioned in the documentation, and a later release will provide support for user customization of the stub secret, either via API or a workaround thorugh additional documentation. This should not be an issue for the majority of users as they very rarely customize the stub secret. + +In certain long lived clusters, the MCS TLS cert contained within the above ignition configuration may be out of date. Example issue [here](https://issues.redhat.com/browse/OCPBUGS-1817). While this has been partly solved [MCO-642](https://issues.redhat.com/browse/MCO-642) (which allows the user to manually rotate the cert) it would be very beneficial for the MCO to actively manage this TLS cert and take this concern away from the user. ### User Stories 
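Review bot: The added paragraph says the `*-managed` stub secret "will ignore/override any user customizations" and relies on documentation alone to cover that. Opting a `MachineSet` in would then silently drop whatever the admin put in the existing stub, and new nodes would boot with a different configuration than the existing ones. Please have the MSBIC compare the currently referenced stub with the managed one and skip the switch (with a visible condition or event) when they differ, at least until the customization support mentioned for a later release exists. Since the earlier attempt linked here was reverted, a sentence on why it was reverted and why that does not apply now would help. Minor: "thorugh" should be "through", and "partly solved [MCO-642]" is missing "by".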
@@ -77,20 +79,15 @@ __Overview__ If any of the above checks fail, the MSBIC will exit out of the sync. - Based on platform and architecture type, the MSBIC will check if the boot images referenced in the `providerSpec` field of the `MachineSet` is the same as the one in the ConfigMap. Each platform(gcp, aws...and so on) does this differently, so this part of the implementation will have to be special cased. The ConfigMap is considered to be the golden set of bootimage values, i.e. they will never go out of date. If it is not a match, the `providerSpec` field is cloned and updated with the new boot image reference. -- Next, it will check if the stub secret referenced is spec 3. If it is spec 2, the MSBIC will try create a new version of this secret by trying to translate it to spec 3. The new secret will be named `$(secret_name)-spec-3-managed`. It is necessary to preserve the old secret as `MachineSets` that are not opted-in to boot image updates will still reference the older secret and use them. +- Next, it will check if the stub secret referenced within the `providerSpec` field of the `MachineSet` is managed i.e. `worker-user-data-managed` and not `worker-user-data`. If it is unmanaged, the cloned `providerSpec` will be updated to reference the managed stub secret. This step is platform/arch agnostic. -The above step is platform/arch agnostic. Failure to up translate will cause a degrade and the sub-controller will exit without patching the `MachineSet`. - Finally, the MSBIC will attempt to patch the `MachineSet` if required. Failure to do so will cause a degrade. #### Degrade Mechanism The MSBIC will degrade the worker `MachineConfigPool` via a new [MachineConfigPoolConditionType](https://github.com/openshift/api/blob/master/machineconfiguration/v1/types.go#L492). This would be an API change, but a fairly simple one is it only adding a new condition type. 
The node controller(another sub controller within the MCC) would then [check for this condition](https://github.com/openshift/machine-config-operator/blob/master/pkg/controller/node/status.go#L142C34-L142C34) and degrade the worker pool, effectively degrading the operator. -As mentioned in the above section, degrading will only happen in two scenarios: -- Translating the ignition stub to spec 3 fails. This is likely more fatal and won't get fixed without the editing the ignition stub manually. -- Patching of the MachineSet fails. This is likely due to a temporary API server outage and will resolve itself without user intervention. - -The degrade condition is calculated at the end of a sync loop. In the case of multiple failures within a single sync loop, the message for degrades will be accumulated to include the `MachineSets` associated with all the failures. +As mentioned in the above section, degrading will only happen when the patching of the MachineSet fails. This is likely due to a temporary API server outage and will resolve itself without user intervention. The degrade condition is calculated at the end of a sync loop. In the case of multiple such failures within a single sync loop, the message for the degrade will be accumulated to include the `MachineSets` associated with all the failures. #### Reverting to original bootimage 
@@ -191,7 +188,7 @@ It is important to note that InfrastructureMachineTemplate is different per plat Based on the observation above, here is a rough outline of what CAPI support would require: - CAPI backed MachineSet detection, so the MSBIC knows when to invoke the CAPI path - If a boot image update is required, create a new `InfrastructureMachineTemplate` by cloning the existing and updating the boot image reference within. The name of the new `InfrastructureMachineTemplate` object will be generated by hashing the template content. This is consistent with the current CAPI approach to naming new objects. -- If a stub translation is required, update the ignition stub in `bootstrap.dataSecretName` to reference the new spec 3. +- Updating the ignition stub in `bootstrap.dataSecretName` to the managed stub secret(`*-managed`) if needed. - CAPI backed MachineSet patching Much of the existing design regarding architecture & platform detection, opt-in, degradation and storing boot image history can remain the same. @@ -311,7 +308,6 @@ type BootImageHistoryDetail struct { Index int `json:"index"` UpdatedTime metav1.Time `json:"updatedTime"` BootImageRef string `json:"bootImageRef"` - StubSecretRef string `json:"stubSecretRef"` } // MachineSetBootImageHistoryList contains a list of MachineSetBootImageHistory @@ -334,9 +330,6 @@ The MCO will not directly consume from this CR. This is not planned to be part o The implementation has a GCP specific POC here: - https://github.com/openshift/machine-config-operator/pull/3980 -Possible constraints: -- Ignition spec 2 to spec 3 is not deterministic. Some translations are unsupported and as a result not all stub secrets can be managed. - ### Risks and Mitigations The biggest risk in this enhancement would be delivering a bad boot image. To mitigate this, we have outlined a revert option. 
@@ -355,8 +348,6 @@ TBD, based on the open questions below. ### Open Questions -- The user could have possibly modified the stub ignition used in first boot with sensitive information. While this sub controller could up translate them, this is manipulating user data in a certain way which the customer may not be comfortable with. Are we ok with this? - ### Test Plan In addition to unit tests, the enhancement will also ship with e2e tests, outlined [here](https://issues.redhat.com/browse/MCO-774). @@ -389,12 +380,12 @@ Additionaly, a phased approach such as the following is the proposed: #### Phase 1 - Support for Azure and AWS -- Ignition stub management - MCS TLS cert management #### Phase 2 - Tracking boot image history - User facing documentation for manual restoration +- User customization of ignition stub #### Removing a deprecated feature 
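Review bot: In the hunk at `@@ -43,9 +43,11 @@`, the added paragraph says the MCO-managed stub "will ignore/override any user customizations to the stub secret" but never says what happens to an opted-in `MachineSet` whose stub has been customized: is it skipped, flagged, or silently repointed? Silent repointing drops whatever the admin added to the stub from every node scaled up afterwards, and the effect shows up only at first boot. Suggest stating the behaviour explicitly and having the controller compare the referenced stub against the generated one and surface a condition or event when they differ, rather than relying on documentation alone. The closing claim that users "very rarely customize the stub secret" needs a source or should be dropped. Typo in the same paragraph: "thorugh" should be "through".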
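Review bot: In the hunk at `@@ -77,20 +79,15 @@`, the new stub check is defined only by example ("`worker-user-data-managed` and not `worker-user-data`"), which leaves two cases unspecified: a `MachineSet` whose `providerSpec` references a secret with some other name, and a managed secret that does not exist or has not synced when the patch is made. In either case the patch can succeed while newly created machines fail at first boot, and the rewritten Degrade Mechanism would not report it because it now covers only a failed patch. Suggest defining the mapping from referenced secret to managed secret, requiring the controller to confirm the managed secret exists before patching, and listing that as a second degrade (or skip) case. The sentence "This is likely due to a temporary API server outage" should also allow for rejections that are not transient and will not resolve without user intervention.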
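Review bot: In the hunk at `@@ -191,7 +188,7 @@`, the replacement bullet ends with "if needed" without saying what makes it needed, and it no longer matches the conditional form of the bullet above it ("If a boot image update is required, ..."). Suggest wording it as "If `bootstrap.dataSecretName` does not reference the managed stub secret (`*-managed`), update it to do so", and naming the object that carries the field, since the preceding bullet creates a new `InfrastructureMachineTemplate` and a reader may assume the secret reference lives there too.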
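Review bot: In the hunk at `@@ -311,7 +308,6 @@`, dropping `StubSecretRef` from `BootImageHistoryDetail` means the history no longer records which stub secret a `MachineSet` referenced before the controller repointed it, even though the sync loop in this same patch still changes that reference (to the `*-managed` secret). A manual restoration that uses only `BootImageRef` would put back the old boot image but leave the managed stub in place. Suggest keeping the field, or stating under "Reverting to original bootimage" that a revert does not restore the stub secret reference and why that pairing is safe.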
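Review bot: In the hunk at `@@ -355,8 +348,6 @@`, "### Open Questions" is left empty while the context line just above it still reads "TBD, based on the open questions below." The concern in the deleted question has also changed shape rather than gone away: the controller no longer translates a user-modified stub, it stops referencing it. Suggest either replacing the question with one about how customized stubs are detected and handled on opt-in, or resolving the TBD so it no longer points at an empty section.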
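Review bot: In the hunk at `@@ -389,12 +380,12 @@`, the Phase 1 list no longer says whether the switch to the managed stub secret ships in Phase 1: "Ignition stub management" is removed, yet the sync loop described earlier in this patch repoints `MachineSets` to the `*-managed` secret, and "MCS TLS cert management" stays in Phase 1. If the switch does ship in Phase 1, clusters with customized stubs have no supported path until "User customization of ignition stub" arrives in Phase 2. Suggest adding an explicit Phase 1 item for the managed stub switch and saying what Phase 1 does with customized stubs in the interim.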
diff --git a/enhancements/machine-config/manage_boot_images_reconcile_loop.jpg b/enhancements/machine-config/manage_boot_images_reconcile_loop.jpg index 468f565a6996b2888efb6e2d3678523b48aca6bf..14de6a73f740387fc138edd8572df8ef966e85ca 100644 GIT binary patch literal 99433
z3aq6YAy7l5fZM&E^7SI;40b26NL#Ysac`e5Of*wOUnF9QI(K{fN@qL>B2tb}I*m$f z*X(R;Jo?+mz4t@9zLz%+(T{e>X!jpJSh)2mYv=UN=2M~RJO97^?qGG!_rg}^l7g*7 zGkd*xl*wKN9Fw7FAhxwL>G^PbdbEc znKBykwSV*as8PD+swI1;A^@Wz%0|mzu=YP-JoV@cYQ*RJ!LS%@roe#mjbhGM4TuCi z8-KVJGfPQco@eu!y}9+}#5O&pcHL-@^b-{RgHQfg-W=T4jJx(yg@S5Wmc?_toNMi6 zrm;5sD%K=!1?_AZR$wsxea()MKs)j}tsBhAp|?+6k=%8Cy_277`3d>%X>t?X*U>>M zx1<^(QvMO4u=Gh26Q`7^J=EUqB0$YAP$5BdPd`ZKWj0}kgKbBuSyzH#*s!YmBb%vZ zmlQmS7Hyi7GszGu49ydzHs7@uU)Ob+skNLkv9J&`wA~a3oS_hLR@?P3?baq5wES|U3_$oXy+Op*f6Tv z>l&T4CU7M%4k=IUBWUi%M z0?!p-ST7J(A6po>m!Oyv)1O&f{WOp)H)NUTkMEirjl6hqm~+^F*m+9 zOs(0vP))-eQ_ycIi+nTC&VO&MtHQBA>+aPAb`FadncIG2s^A)Jt@)enUNO?~>^z zsD>D{qQS%D0_8J&U%Y5A;?{JH7z2CHFX_7!_#i1;L`CL!e~uF|JZTuwPY{`{2dg{8dpuR)6eQ}}11C(}MhddN+~+L=}Si)0Tb zUs9wdtyXN>9KHOqBipZRI>6XpUsvSN9xF2jatOe&4?K#(0q=1x>haCUAL}tPT%`Cg z)PKv?yVhotk|LVjnbx(i7cB8uNzHUtDVqYXh0K+R|8tW8u5QLtLGjU9(&V6)(bvvS zyT6SuS#P(X=lwVM>|^&oW?kKAe;g{p`f)A5HF!^kx zXZ2`F(KKBLMqH4_H8m&7Oc&t1wRQolwdnmA^L8w5{>icY@d2d~thlyj%I2_dWwI7% z`eIqL{Bsw3({_-L3|N#W8`4)h#cPZ0>UUBAp8C!N+-%mCDK9e-V9Ip$o>MV8_Sis; zMOfj>IhJ`@VdfkLSQ$;O#4^Rs@5cVO!#h3PBhb%5~1D< z88T33&pHns`6@cR&qf=?DJi48uQmFoeV^`uxsJMd#>?dz10+iU0%GFMFq`3=n-G;L zl3<&qkbrb_sSBn&fn=C*|LL3&Zl(3dXxg4x_M8<3z`o$AFk@yZb2W4ifkxxP{v z=Z}qm!V-;43B>(%X{1ThQvAC%G3=ivC^&(W^@b+GZg15 z&ZqEmso+s7wy)ERe5i6dreB|Ma+5r``;lFzF&{G~Z;>w*8)OAnZxhcap~(RQCL<$8 z4URapKYbfWcSF>?dPd|b zf*RUo0$&9VYPL+!y?JX)q?1dPCx1(%LR#0kYE$VIzYLepfGd>U3z>D;t7*%F`lp+A zgXZ`_=+(a1_zrQ#em>KEdiU?$-;I;64!n(_*Uljn$8X91 zpMQ6oe%+fP-Y?CssNZ8$Z2HJgCUKx^DI+vH>{JG-f-R>45*F8MFUUAEM-{)?d>Kh0 z3CQ>=Mf#3PXvSkb(IGca<$o208bH!cN7K+RR$LY;ee%R)Mvg^Y$4&)6Y}QdAEivl@ z#eR4U`VF(9{nv*G%?^BeI*a-*T7)6Lj-=b_hs08NJvAZSOq%+bm)UNVo4N&j%*@Dj zmJqWtt(NS>`RKSlB;3`f`uz0!_rwy*fDZQBK5WmN`+oJ(*m7Ad7z&M}`$Q@@vR=3* zCM=qdcB>({HC{saj8QcGa2$;35i)w6YxCR$z4;6k|;l3Y{YP_={oe-@b%+lhE?ptG0ea!F{wQF z8aa>xtLM`N<0}=rxKW+9GPt2iZs1SXFcmBF8=5|R&^o#;0|yWj0><@ys*=&oEMEYEF&`UD7TfceN-%y0lH_cQP#1*sK_K02o2> z1DX(&;#>oO^EuK6oU?zNR|93DScobE&O{9l^3i_amo_|qNf5wipyoDy 
zi#F_A3>4u7qy<(1htw)1GL!pijX5|4t$`+=rVLrYA5#Ol!)iSWt3_X`L+lKCjK0MK zsc;_pjhhOe@e<>x3mOqUx3cw`^KaVl?OSS{?o^bc6`lE?p`7{h={xN0hpujWOq7mx z-;^5ABjv2%H5hR}Q=?bt(83KjXQ=j3u@F-EkvWH}W;mw`rW!0%=M3z%G1|fW+NbRr zs0eFU{~0JaLUdpE%n$Jikgq-ay(Urdq9*=Cp|8XFVVf`U)$G*Ij&a+pZ!mSEd6Z>AumO`aTO4<@ldThD{nW%=VOYJQiWpbs20*cC;-N?sjjtfh zoCP(;xq#TB^ho7_q*HO-FFL7}TN6c8KGx_F17gYI^76)cm2-kx`7>xM-o z-1&Q}b2}VDoA7){OHqAg%{%!mmt^0SUnf;{+#S$)uqj{If)b;4^(HkF=$l?%T2dQa zw(^Rld%CP+Q)tz&h9SCq7t@*3?a|2!w-VEqK^0+<465M=yj~ppzEFaEeub04^)B0C zrB0zzlXuc-Q^(Kp*e8d%8c+aWY2CS@OA1UJKv{H`+YQHS=gRuk2Q$;*WYTp|e_-h0 zZl%lAjee0z5%LjB!^9z}y`)#ea$<`+wPa{%6$A}M2H{rjIr05 z+32LBL{Q=j6>Q@hwpeee8U$rfC07$ZokPo@6Ec9)=KZ9^&74N#mbJCB9}KYZrz{o; zY|IU%*7y*m`NZu{66_+ z6-H-R*2cKs$koly>2OJv2)DIsb=t4<)fcaN1ec59qxWO*@fqTrnwo60s)@Aw9kLs(EK)n_cKZ@QnM;9;ZmPvyg>ojGk&$iQRM) z^{he=_E-3#Lh)h4GLQDIt+sk%t9@&*`T_^1sLsFyXx9$@VD4*ZP2s)fJiJ|!X}6{| zt$?fJWMZX&&m(g8+V;LK@6`rekV)#x<&AD(Eh8~_UUB7RG-r>~s*YqEeC&Nd{tSoS zVbCMZvaZ38HXPEFSw+I&n&-)JCMJ`{-$h+LqeBtL&eJ9WHsW=){Uf4|qu>|GK#=<7 zt$OPAUK(Ve*yZ#a=3wze&vNAY+0>N}Q_5k>)oiia65JT&SLHv&4|NlY%_Tr1os?2; z&+%#|i2#omCr=40!ZV}6TNT#|JDh;l+^2q{r7k2xiYlFU4PC z&mXgQWjJ-%4&jzIETT|1TcBj4xr41UQu?6U^1**wGSS9u2W!um&H)Kac@f7mtH0U- zPv+`EJL{F!V>l;K`(&`O!maKB(@6Z;6GITOD#|xeeiOf1r|j zB?p8r{nvT~%NAe~*4~$Q1r?~0K}(BEIv4H)YWHd7wyS+p^4*2Ep~%*&PhCU5O(jc{ zPGv&aBy|6Lt{BYlK8Wyx4g2|v16vD)lKjm6gOQh()%3AZir2{g-Z1nOc=N>lPeqVb z=+HIAe|bg!_>1gs&7O$Le)48~u>kfVToaWTQ&mH@&JMb_QkZ$VQ|JjoPDLC-R=gu? 
z^RFWMf2UiPYPKHj4_o?N@*ckD-MJNbT(>Np;k-?L8S^A1fYLFUvL}dPRsHjO_eVDn zX$E;JQ9$G}SiY+_vMwQ4cqNNsCBvQBs<;6P76%Z#$75FubaonRwnQ=3rE<#nmO99f zu2ZrH(2N)V91^>0m;Y(ABdd{mEh$M+MRN z&cWQ&11Pt$?$*^NJ@U+F4V=f|NQGnb zSy^#zNbo?>tKIK|1jCYTaTE4JJSNGKJ4(B0?}6%qkwb?-2`}9??;b8h&j^(oN5pU}RuSbaqFaT)SQjm0D{HPdo5^nFdwx7F$~?y%_%BXgOo@#b`<_ntly_GVK>>;9nL zfQ`h*gIl5Pe4wOsH`@wph@eeC5tF=o#*{q2ILe`nCymZXq4bwCQLmI4jTCja$^(B(M*J}FY zrKd`yD^3CWFj-{cJGuH&QY9D4u4RU*hXrYFVm7;4hhtT=@aUP=o^vhcR!M4ouZ$u_ zJEq8})=o>O(PiDlMwvxMWTohOHu(FYeLffE%uOGu8_ZsmFxTSLUX86!CT*3| z((?kI;ONiFDZOQjDswajAIoAS1W2W7X8uWpEIu=!#iK zW9tSuU!`6B-pvJawpO_)UARM0@<9H^T&R ziMgn#+hL_)9+tR9{gxVh3EWoV zoCYcRI2c(akqttk)I)DX9m@jvL52m12S;=n4!!-xV@E*W;r!_Z@p){Q%;z|gaK#h` zDs$q(alzsCmDB-hplqk>WvEqgf&5g}V8I46#9w6oUlz|o_qPT`PXxyr(!z`AH|5dz z6?YQacK+b>^8G_uUJ~s1^FLt6qzSH3vsWZ9%b?Jao8{`}_kmN5R?EjN4{l%1;TQVq z>yHmfWJY2{+&}Nxq>pP9<7VR%I@LWF;@B7_t*!ir#HZb0)O6phvQ{h-n{6H6VRlTb z1UpgJH?d^`phgXhA=!dv@S$0M1YjcLyb5lM!p8O;b1JAU(eL+&RNRs`Hr}W=daqMz zP-7mfgYU1}_L9qK_Y!*niceO_SmB<~2*9-_F;+L^n~B%u2Jn0^8sJKoAKr#|&~zT< z>DzCjftbnf%O4%HwBH$m$nzIe^s>A&B`p)GJk;|~nV=(K)Qr?L+F;Sy{O{*hp}(zQ z=rxm8w}JO8smb>VFH`e}TTnTj*?Lmtm{DbrEH)kFmdAx&rbJLXA_UsKkD4;aw_mSY zYn9fy0jP7$LIodDCi8WTIGT=Nnd)&GeT`~MS&Upb_@Si=;q1$D2(BmdCepVhW+Rw{ zN9g*kS0a=Bp%MAQ%-H6*_Ru?aRe0eY{V^ulEb0kMM?bCs$G-9h3R{TAW^K+kYPyK? 
z>T@fU^vDI?(k>HwO7o4g#-IaDbm#6Edod|UUtn9O83N&4bI|3~xrpKs&#$tvt;J+{ zB~&KNni%D#HZc7zppOKYqFveZJlYw{{sE}2TCh!YQ5Ada`%W_2@fa2^iHH zR$l$lSTR&N?EMx0=?uR$R#EWdfj>qU^3}L$qrH?p`+LuqFlO`ubU2cJ>9iu4Kb<6uc}ZGU_wwxYi%DBeo8}Gu0zYji2aYR3qYH@!gLT2oicd> zcgE+PrWxO@EmI#qbR^k*y;uLb!S<)j$NuEf@X;oPQAoH38xSeP97o2^S0o^>B#}An z^$J6jzDH{U$JW?}{Zwe{;y6f2w1EC21x?o#fFrQjwKerdt3>LNx{+;1k!=x0>KJDl z5)nwefIat16eo^f z6*U)s4|!Secm7trn(|}L4vRR{`BO1m7Mp(G9LV~X{ZunHW>ZomC>x zr?2svHga7ZYEr(kO?I2B_`i?%|KYErNCv)<;o~Ss0jUxea^E{Utmy2+Q0@-}w4gsA`; z3y#0YDp1aE@8mo?4SZ>;m#54x9F2!4YpxzS4OGv8<93KH_k;x7u`lPG7^lZAI9goW zIk)8*a`dM|fNJiMvxwTCsoVwOZGWIb4_x5JpT5=973RiF?Cw}ibSy(c#0o}6q)2aD z{wP}*=J;XLx9`aS3jxTU?uxd0UjF4=^X6rwZ>*?@1W@p4tZTHd2|h$vpY_Jkc8|R+ zn@*%VrX0Y8up4Fr4mk;e>BleVVsX3&00D_yZL$bhLNYE^@S+qpW%*0U>(7M{uv7d z%k+$(qX80?9#b_sc!aG0?BBBdF$F~RX`lU+ciBkP+{y)fBSwDUI*AQ>b3ggeYe=jfEq@{|~pHj6ubbul#D`LVBc}QW5^Pv_s`Zycj2TgHKMwE`u zaRjC#N@YWV(P+7KV5WzlpvXfUb=e0&1ZiB^%!1kjeR+^6R$FaqIwohT7E|iD?SMEs z)&c8rVIgAT9l;=jh#7smddAYa*se?9z+QN|RjrX`etEB>-Am~Xhsd^L^v}Bc-9djO zw*~X4YxJT!>$cyeSfguc`JH|SVvGO3>>^w1vwn)>-)#|=sELh|M0sIO<|^dg4Rc;vfwi>`@Fw%*7#2CA z3J-eX)MQd5{=FnKUrSM2H&qGku0*OZ(@Ncnt(I9dtb=&8(5I``u*(TdCKKKVS=Q9& zKk>R}o~&S^EyHqMG=)R#IMYpP5q;*QB4!hbK5n)zgWLCD!L^k>3S|`F!rK+ z67hD)&E`=NMlEBq|Fe%_1&^rk_XSSZ5&zNQGJaBYnWP3@nmkreG0B_EB_`(sO24`R z+)MNUCUR3gy6T(k#RAmi@8;GC^I+T43`(zYYfGgi5s+5G#Rx`<;7Yi@vTeg zR*W~7rWcn*roPR%aqT9*E+q(Zp;ueBS~^Z0#0+2fJEsTZ~qFISe*&2~G2GhEGvmV%>&t{5q* z9`%&qQ_Zb88YG8Qbv5)(wX@Gs5`L?!@KGnj>}7IoyogvpO1c7AH?}FlLgXYOxpn@w zl|Ka1+B#HT19>AxC=YSYQ<)TDwJby0V}xYV#|d8Lp`Fu#Qa5cV2iWcI(>{1D{AxP1 zaNv?O`9mXz+w)Di($SGyKzaJ|a$DPlwSVpKnEC}9og5y2R#z-F4Xz=#5F(b6k>LgZ zZ$xVU)2;hI-9E}SV}rH63BO-VlAKwC3@^I>TlI7A^~K2M8He$|!H8`CDyKWrnA$tF zC*S(An^?B|g<7cWEt#^ofIjirWAl6DG-WHi{s(?5$iK*bvCLE|oH)fN`u7nSK}zPS z=ihTaekjtL;*?YvV+y`kRoW*K>f9D$#9@ffR0RA*CeFRAxIKIJ0BBne>@acJ>7UID zI0@j2K{9DX-4&vNtc#K)zCPyjrnW}9uvv&1MmKBAv`KA=Bsb$YpuT?%QD*WzxFZSW zi8>g;58o;ZUKoE%;?W_N}xBqds3-{9xBEN|7Dy}W1B0)CCL 
zIOoQpfU74{aSS7PQKiDuGn!g?!p=-WUrqnBEp8RHc@u4mlIxri(1PmWF3uSn_b9c_ zY4h~sgrXk>LGYGbmu{!ZdR9kwD(}x3`dG8JJQEn_IRG*iIhM$f(h>KKl&P@Ii;hc?LejrnAz52M(Ap{XTWg5E< zl1Ld((nzQeEV~C1x`!&^Ey}IpNUYbbTb8q(e&RCgaBd$cme$wJ+ksa~WK4_rph{dH zv1hd9$TjzQdTKZ-5LhnGk#&7msb%&9gsLcnHv3N`GEaG270i_eiCpj7f zMTdc0b#iD+m$0YgP8yGBSfKX_%JsE_47WKpzqdurHYI207?9Gos)H4kmvD%>=7NF8Jzxa>V3tl2z zG_kcSIuiEXb}g46z8)s7Qt;Ap8Hpd2aD8$l#Kw-;*z-Z8-ciXd?&?_4iaNC`HPDi z#@!#Ygvfb|=H-+*6RqY+a;#v|$b-R&a7Yp4XEx~?V$C8sdjDhf)qma!*b?6~UPDd~ zOf(tO`I-*k3+Ua<{MQNhxHM5`a`=-m^kdFT#s_yFxP}t553-9c<39XF=JV7a^`BcI zt+5qb)-7VDrd|ccyaV|-hpX6M?*RbRgYTuzba`;E0GGIqg_vS5;fksnYwo+x-t2w+ zi;VPp9(hHQ8vWzvzv>0=8r3c7|Jq>~d>xJA_S!ork(mt3n?#)CNkyET)Qu&IyHE1& zJzOFCZGWGHCnX)g#KgBp_PbFh;x8R62)aE^Rx6tg3u17s;mx zrEvc-j^rfi#eSw<|JGg=BKQts{D^;)!cpRIx6B3hVx^hr3u4Z21OPn6-a`}Mj^H#2 z(n%oS7p2^KbsRfwE{SD-Uk5d;t)VmFc^db zo75SKT`8AWkK8jCNsregP9A*^FQt$uzyZCzn4>>pe5I@5Rh*GiI7c5@4?YC{iXAy= z^ia&0;*DNS5XIM*v4jiKb2e?HvNlYNfYjkT{teb^%TpwIKO>bpH!5~@NC(K&_NOe) z(_cr_YEO3K zPLn|v{KJ8F@Yi{MT~Vde1_i4Oviq$6A2)lQzR=XE!(Dw|_Ii+ko-N2_J3ET8^~ucf~oF(WL2q+B<53XXxTRrq9S3j~Pg`H3S3>yo0#6qKYfJhvXB_hpIt5*4_Oh84fZ%Zp2k%bP^MQdy z;08cK61(#cg~+Kz696;cn3HYf@1h^=FN$%t)x_}{ca9=$aIZykL}uo#u(7(IS9(&m z9U^He_9fI3MNzSZ-JfUTlQOT5FHrq%>#D1#^wpi+ip}EcnVMp`v#gyH59yRh7QrfS zVDv+{#LMO%U&3>tG4H^$^-tq%bSOzEbWc$!y(e98;FPpWkNpq9n(9#=3Mc<`343p~ zPTp`zM#5;3IeXm)M>*baa|KMv$QAUM^sTG175=_lgIadA&~kR8I!9iEQA(L4qNabs zaN+pwPMw3vA2Hq-%bJ*i_4P7}=8fULv-;l7<%hqjYC_!BxP8vu(FP_EjDA)nDVnp` zSFd8oT(=!z;+R}4g5HV>YnY+LflSRs)*SU1ccnW<;wtoDh6}$1Pge1sSxLn^og=-W z8cGBdNt2qNW+t^8pL$YGuFaJT%0tlqslY=3Nw<4 zPcqYhhg{zsnaea&=O_cF!->Gm+_q_I(9e!IOtXItOLIub6Go!9wmlluB&KzcUUzaMW z!f1r+k+cv?T_7>Ts)U}g-8mO>a5^g(4%V5$nRCd|d6Mcp`=9lQI$wT!ia_r$$a)a% zjg6T3z{IKG?DO>* zW1H`;0(S!F43-ZaTG#j}Kz zs21g;mxhQS@mj4qbz)}vr>+q*1#-${Hv-S-(V?DoW5y%iyxhw@PhU9B`unkj?}S$&0yszAs#2K>>)5izB{L%ccR4wE zy3LLk7ZTE_JM?uW)oQNhCPufXyK^g_S-8cO&4h&IJsDjW4z4GjmuMDNBtfp{Z2hc& zz>^}}y&;a;MSQNZ3b_*9Rf3>Ju|yXhWpeF8Mk)>IO}bO3C!H{Sy5RyxB}fyJh+cM+ 
z^B8-tt1?oJrB2GPS_x)mVco) znp0Ajc?_!2yH8_2BGln#!K&GJthn~8-Y2=5_-+qRV9_rFlq5qa2%jqdBr`>k9qFLP zzJo@mjaSB1ecGRubC;otG!_f%F$q6E|DDfd{?8h_+5f7s<1+v6?%`kE$o(ITH{AcP z`j2ndFCNFsAcOf|);ufaQuipt+mcY6S`AnXx3jbNVHBr`s4g{$)s`^-_C{YIEsdj)uNrX2IQ zN%xmY?rL_&;MD$eGSwQP7sTp$G&lBVwA;%;c&!jDH8rt&ogBR6b3~ow0Df4*RI7I? zOL~=lSa27NMRAl*A!5zuU3^lf;DXa4VfH`afazlZcFbg)r)X*b61Oyh--yC_AfrH& zz3&FNFzEK}aF}sEqqZROg|gsT@wu+%XrR9a+jh&I-3e`vqlL;*7i_bdOt~TR$wS9$aklbj$ffcH@f{vi*{IkZTcVi z>2H|yCCshHb2Z|0F)|CPNJz1A(hnRM?M5=^C+3kg%gAhp$lSTCZ@<@VH31zJG|Bl}~r zh7%269#knOjd%xZOtrVnS_lp=#K0vark)J2CqOmIstc^SzVTJ*=s(a%aKqK$oLp;Y zqO@d^xkh`fMMP(9*QFto;fye08j2o+h)HqXDz}?(kVb!}g$dg|NEfP19j*#efEyIZ z{7MVU%6woCUYpiOZS{bKED&=7OUeZfPXWknJ6;Zt>cI{(>_%WEvumH3b!-V`-C4ya z71#Y;i+j4Q>%DhGcl~s1jh||D5y$$Qy&k6fn)BO%EA+K!Z9U9kB%=tJ!!$v2Nfdf) z!kAdlQq{oFV#X*zL-I^MTr#U$i8N9Je6*c71WTB_PB3SenQ3ycXbZhg8cL*^Vj^-E zM-+&L%UtF=#ra_2t7*|K8Wvijj!qDDCuK7&9I#bqQ`L}>9ky)@>CEAF4Xh1uIj=YO zpEcc@I{G|kyt!+r?;+x9Z^*SP0HF@pH9geY%IOm^ zj2`79aVMiT;v@v{AeeVU?61c;- zN9;f%zx7qmyUolR=ow~D1dO3AUIjJYF1o9pA2Q9h`&;^B>SC=LB)8OMJ+AbQTH@(# z7#E5TgAU!~TC%6I-L(mKVm?lJt>$QW*=dD_O}$}CTTV_s8nq;}Ph}kxKlT1!%)NJ1 z6YJiv%~rPxiV9MsO9?$7z2lY=NJ5d&6Us(vfY6In_f~o*gkY#r0t5(1@2K?92}L?m zrS~f8{&LRqopbi{uIGE-zrMBJS*+xqWHK{MyJznE_q(nqdOd~-t|Y>3y-jmPv~=?B z?1zBuoe3#@ZnG@kAb(#{O+<6-P+qjI{Bg8>A-mzt@LoeFR0q=8J+knbr$~CNt(@6z zt_XLf{~f2|!`NDw{{{AxU^ihKt+#FRHU{-QCdgEZK|H z4?hcLXTGV{W;AC$l}YCL6eBuQn;ygfpee7(6C%WDOg|=n!mmeBg2Tm_>6biNE)v5u zxb{%FanEUReG0dj&>XCvlWlhqBKdI;{spJ;8XrB^YJeB)emLi?H^bE&6BcdKIA~je z14{82`Etzr+cG?fBn-zTfD^C{CNuhf-mH~}E_yGS%;qQuHHmQcO0v#$2lbEdi7u2x z=`6_Z#;`wY0DE3&yq3){udxF`VX^UTd_~?%VYYDv*$()o`Q}BvBrHGk;CMY^dmVZ> zM>}ULUfEV&9cPS{8OarEd52~oFXOdQsD^MfeZsFSY<7!Cram4qIx&V>l@T`qhVCP1 zTxdEjz&l2`)7*})<2I^p(5;dCRI1v(k?t`%jiFrH4LnDZ8dMw>Ieo~kv_WmdKhXHV zS|>mVJq+oiq;D;N>EvhXC`eq*CL=^L=c>u+hH1<}s;TT?x~z{`u1Ts<^?GBSPjK{a zRCm<=4E9(2?TsvYZe7jhSfjw>gosDH`^1Z>(zH1CWh7No?U$W0mT}LY#r=p;^OrN4& z!siMxDE<*G*qAT~CU5Pkr9z#)37g8s>!11{CiuJA;#)8&(TJNhEZG}s=mH`?D2Jl_ 
z>_k;EpUn8lxg=&(@>Sk!Z$q3+dG@__3Yg4Z+Dc|hV=<*yEo{xy>nu+i7>L_19?O*n zyi(GOr{o9L5ub{bc;pM>f4aLr-O*jz3RQWk!!;4LGoUNQScRg!SEn63ZHIL}@K=c= z-Kun70iMylGHslYblR1&DAE&3@hQv{R!D4Qg0L7A#bsdYAjKYJ+2y-plB`_XnAI3$bk>>@!^b1u+K_n7mW#>Wu9f zdl`%~lkKY{^-ozn+aeOA)@_SeGk2($Ye7vUJ0HFt&Yz*LjXC6E!J!kwqGE%!yt0g| z2EHsMb94&=0<&~mepdf-C7tr)_Zex~0`0^vt{Qd@AX`UX{i?vS*UQ_#4B8r2Cn@9n z9uyh-uE&67v4dx{Vl^m&wwipj1yV}yyYg_bu~UScWAdlAfp2y2=SWC#a)8wUp16=X zZ>68)UfR>v#*9qwot6``EuVqjUfe& zosid1L+d~;^JgB)`{NkRCI--QwD6LY0pGw_YoAXdLqE{dzii9ds<_)wNU%7R;t5jJ ztHTJ`m44E?b#LuU>D|UHQV0G6#<94~my;{cqQ~@yTne>$&z1X4qj^!E7gU76`7& zov)1?7Sd>w#T|dYG2%v5-Mg>P3W!(8Am6Q#-yxGUW?uF_C(QPimI^WbY#Mc+y261& zaZP|9rUj-nStwzI6P(^5sPvOT+QioGb&RoJrHxt2x#ariYDOJyeNd>dwZhFKMKua# zgTs!93Bnb`PCximO=j_)YaloZqB5O-&NpY!99OKM-O%ZX_gVSH-i0i1wN8W(LQ{soV`w8rrdel38}yu8W(ps+<7s ze2>1cQD@DbY$qsyOTE1P<3FWJKP$;F@7oP1wy8kc((AFtf4`2nuzXurugc&Ek z@AN$ALv9M&nGFgvS;VUH%;C@u>=kIoMM|Sy61(hOodY#H z4U4$rMgY-HH$=Ew6qLeZCT9j*9L)YzF23RR%g6YJj*!Uc95Y> z<7z2vE(TAec1mJ9oQ*cRS5Rqc*i7@o!c2c7yMmmzKXO~c*5xmmM zM8a@WfG@=q+9wp%i4$z$pUhkIlH%p%nY&#eOnmmbK^T{+QRAgquloX7A-E%RJD6DQh9Z+6SY6`H?U^d`aMhCFxjl4yl z%1NudbPX6tZ4) zZ1nUG{Q-`D6{M&rUsc-KoTujuKL7d4(I zu0FASX_}g^ATGh}8d20TP#BV#K4cQYW_)ICSXb+FBKxdM#i_*mhl)H!v3y6VYrSZt zps{)l2EA;99fs`nodo`Fe0i32q5@b~?HRu$Ui6CFuEFk**2I}((;OYXh~IA!bJOV~ zAJ?k6yKRv6=YdVxS>ib!iEk9rx_`&Ud&Nu-HP#a|q@9T$sr=N{{;L6>qDFH7qeovb z>@Tijb)Wso7M2+>INT1476Q}JrDO0cbbJ&Ed~Z~ovyhDX&0bzOB;3!HKN+3;BKCI0 zGd~gjRKYCI#@lM-H+;n;ghvkb@v02#LK#6m7}ovJWwd009+mcdv{9jH57XqU1*R*W z)U2=MrND=aa5U;7?Otr#I(tmw@$1o%nBQCX32A{jYFC) zdtJlA;z-^VC_H{#xU)Zqa3}Kzg-28SZ86n-2 zd*VLD4X|n{Nl9+=Is5F=(;%(YNt=2`NaSMH&_Zi3Xe@?k?sFR&27zmnl%Zf&m54r- zOLaRF`{To4#f4dp@eKCt6hLV`X^i_JgwIDtLilA~r~bGdoqLnw4RJgAxN)uCZBbeQ zmw8KfILB(e^GIt&X36`S`3hg(R(BUaA_smiup$n2ex_%dYEnzz{8*FC#hD@ETXVmC zEj|rX&I9`{WvZQ(F%1?2fuwSsyRXXv2D+@o=q1h!`AJOA3!eE&3G+(J7cQzXIhoQl z7-`t$1EU7Il0#{!;vx?2{)K#3E zw-zLX16f1a=XcUn${$f1Sxk4Ny*M7P-Kq|}Q!B+w@_en*q#?bcQCr_>2U><9^{#Nq 
z-fU$e3V-5$Kaldv)s5(EKw`J=YlPgB4ZeW~2qBP&Fbk3}#LwInITsfWhEMvt#bvPK zliym|qAQ^{;XxwB^4`3|a4=BIexhb95pU-r!-~%1RST9{v~k=x=>Z_I(gQKgiklCd zm)ny$+aFe1sS_o`L>t(7q{MhsFcyh5alM9}&x;^gE9Kj6{XRU9@mxJ-`2Gh+m=t62 z1>DoQY^0pr6x7w}+@|)(*OA-H2qTH91Iru=L3pOdngR|{mAe(E>tk*|{39pmo4m3X zI$ja9x9r7ZBj0UXay=t^zEoBYI`oXRN2M}=8?9A zz#TTVI9L1=f}tGnJ7@FLA7fE%oysjS)9R0ZZFftjnGK1yrFu2fbrS0b65ocmP#L*|iA zFj!QkLjq<_@(a&07(0hJT0}L*u!;3lAw=KE_qiMfr7h}(eWw_S?~0rAeL5;z zfTr-2M11HxDS5@Su}S>{LPxr=fn!bEhSTxeelu=AfWfoE=egXM&Phur4tjWD(04n8 zD4N)i=*AJZ_7V=OZcRt3=8;f%6eXO=pr@{0uI4Lm6%xm)CQkSQ)t`(&duus$HW~8{1YL zd+SB6n{5$+fX%H^5qqehc^L~#H^OM?NxNAR#50&LSdbT{JsuqEbrj?K^ex%906mcY&WH^pSu-kJra?wG(a!RM$r8|KH2JQm$I6tx)mvw}!(lgfZlcf5S#;4~1}3Z{#*n29rVM%jkSh~rp*U0qYn>U zHsVL_p;lxX-H91~&U46+e}5iXTqd^%Nn553p=+W#OrNWt>~@}W0&Je$QdL~mZ7;UA zZg{8#1qKfFJl?#`3a zNfRbms8?U&-O{8he}XE4-nWE4Q;_5Z#x*`7ND&piiZko;QF?0P)RWM3oVZYc;a^m+ ztGRyfFR~B$Y$Y>oQt{1_;(L9Ff}eMcvLnt^UWNG{jz4iT18l1h+@Z^7e#IigO577| zSEZgkcgOKWkh4J!5|`ujg-S&k9aA;#c{c0+JJpTf9<&;Fi%K@dm^}~~eUiWGD^*Ze z`xtG2!_FoYU&KXgfWbNUrBvG~gvVz^q@$fz_aZq%H5ClZ(}WsySj{{q$!m^}@x{xovZCYG2O8;Wr6wJN!IJ3BC5uY%pv zZZdZ1UU0)V9{cmOl#VI?*&i2pWNh3Y5l~XGlj6=0knvTF$go>lIzXvLRu=KRhr+?q3 zs&Kr$`OvGuGd-#BPJBKB*vN;ImLRjZCScI{b1j@fx4X-Q-TGKhoWF*cjB6TI2-tI? 
ztSxWGr07Y$d^Gg%RtqUnvO>DDA=AmXoIhW=`5tpUz%^gG*D=|Rm|B^}J8RaRxsHXy z;)R25#ah}U;-GjC=zAeUS~i?Me&v95o=+9I>@x>-u+n^6Z+6#pd1G+jS%r{007yUtzsHm{7CI+5^qk}thyOj@|RTN1pTO7V8 z-!y#XahgAJAVuk>*ClOp@5*aH7JXR+>v-l`?9`BWvmfPBvEb7B2m?!{ew?l}6cUyH z!Ipbnr$MJTYS!~sJ<`3BB2c=w>Ksa6(l|K;|G?4oH9Zj!{e(|KsNPbNKY1e4HCsmB zndce(-ATtUd$J7+hFaKmzYqpWwH7(Sa-zi1yZ_`!JD!3zB0%Gdqrs|-e2MmSXDl?n z6k#S%ep*AVld>?doj@cl(K{`1@| zzGIG4t0KkHqWIXJs}XQs(Fi2$!t3VY+b_OM1cxZYBWNw3wq%#O2Q_B5ru#B|q{-fH zH2qDIE&BXi(VIy(JTuJ!`f?o%ZaR*YA%ZlP=-l$9D9X*Z9Y4Od4lb-6sw#<`p5v(v*SP6 zpP`8N0M;X1&%xMDSnv5<_&R-r?l8K;II}228bjz7TA)Qb7tD+X1vFWvAdxWecztGS zdEM~|&neX}<;?#>HS+I|OyD)!zSDK7);i`gH#v0yxch=32GZaNaCwimI)glJKPjd|CuXs3!x~pv!Of26(v>_!6L%GHvyeVA!3blQx0~^+OhyjSKT~u+E7uY}bUyODWgP!DWz%n} z5x4RE={6;;?zZ(~vOR01W!ToQ{2Zy{kn&Oz0?KGkGno>$iz8THsdVhxPdr8!4qDwQ zbcX0hD{&y=&Kb|248|R;AvNR}Qj_U2FYPN)`-;2)uRQouR&f*3G_LnbIop4)F+{C` z-ecF|tG_#dUt@?4Q9E=15l^y|Cjw3PX-PCN@{btIOQmolzB$*O8G}~=+hCGdolC>) zMS!)r|5ilVZ|%G#RW-AzKFh&O_45+F{pif|?{?W^yQ`LMj+K>J?h4x?LVDm-ZijkH zk8>G{Fw`>4B7Ceg@Cn}M67;xzvfK?CMv)!*3rXjc z9InSL!9u(Se^D7cYK@RB_Y2GTF?*S2&}Gy{Dg8y|RY=Jy8^T|K+@wF2L-|t-YRuW0N=`)>%mk%Cr zY#@Tm5R?0oeCQg?ZxI*svGxC5UdDKc%mAY2}yB}i{%zjBRMZdLf zYpOBf&4doe1HhCL5|E7t7K?-Ynhd>Z)C)jk_AI(7eX!nMGWgjc(>fygQAUR;x+!8e z(HA>E==bm?oNQ_^U%6L#jr>D~R7@;cw_^a-ylp6JswL{xe7!TIk7(t3oxh4o*BNMh z8F#+QGZ9FUK`~7142LJF8Xmyo{9F|Yj5l3XIEtPh-!E}yvZRkEtMb!Ykb>}t$6a`R zqI~Te(-eMw4ebe2LT-Eqt9q3~n)ANWK$&mY-bY^7-xJih3B7>IaYFN{z3W<^qKYi zJh;ota+8r8_dLIE4AGowI-&XI=2^^-2CV&PzP%h^LWKpwV;Tm^md>G%8_60-1hrf@ zc`=M9iG8(#>nbCS#!__FV2kQmHg0r^-m@E%sj_t=we^+hI9}=ExVl;)8Ie1^WwV6h zI>d0VfS%+8-PsgYmve}cjrAJ!lZy+4ceS{>k!kRo{+Q(8#^S za{HzucuLZrQe1bRjY)L|-`BWeDd|N~`nLe$a^}{wiZxqB>ie!L0S2Ck5R0x_jT&$) zx3X?SA{QpES-ba=g-cQuB=sxQWv)3tz?jya(>E6Tn{k5TmD>lvSzF2G<4n^#P_V1r z%Fw!g_Ah<0e@035R=IrwMxsU{$hTP>$WR ziyju1?B*<`s-axZmSG@BLHi^l9?Q zt37-oed7NV<_q>Ai`|!d?m3m7s;VPuyv;=C$s@tiFm7n>6C=hzu*@n18zj5gfr99| zBW53xik7C?@1_%@#7PzY1?p0Hc{=`3TL5==CNG3SS)?d)60tp%e~8b{i}V1eN@X^) 
zr7WQWycOjprbU-Z^%7GF-^Sl)G?48Tm)Wgfqtd_COBXj7H_{=GX>X4~?p!sqe2eym z#x|#$y)dFtya7Sizwprl^o&lTwQcgzebk+Vt_H2H(SmcZM$YG;N51-FUoLJ6L`W#Q zf+uN;++0f28_G}00M0nT&zs~W`U|!%;B>=A&Q5h(sV30OPD!Uy!VQrH*UG$z|>$UkxTaN zHpl&X_Q-Ik$-U05J&l`_{y9FG4#%yQ*iw{{Fh6B`<^*vtf%vh96`b>U)}}LPgi6ly zi~Bd@4ViCs0PT%O>;qauOnG(NW{dZv z_rDGWcElO=Rj0x|;MI*E%j|zVAli`cvROX41C$>ZZfi7tkwvay0bEot{b1WE>%Cxq zmc1Ip!X-@sz6uFke3;jqlPH}ZG?5g|st5wKpD!mS|CW%CD%h{&r{qudSUXBdJ=?Po zmYRz_HwuQqYSNj|FeAi2alyacI##@Xu5a|z`*Wkd(JHtyqlk88(hF*@+hc8Xop&*m z$6l#Nh9yUa4dl2Y#c&UN75~j!$ofa(WE}c^3)Xl*@9AGu-L6zmh2PYKR@pvn*v%h_ zrs+R56t9Ep`!d|jf2P*Di%pA*{dRudgZD{n_}tj6;ZW=T8W|r5oL+(fMVT7Ov*t{5 zDB_B#ngb~4L?iwqS4LLvtH$PH)=###WG7iS8?x`skk5_LGq}n+FxPuj^|Ve+9`F2w zD+O|RgLpCa?Z-29Xe{hm_hDbdM6GY~C=)v+$e7gzLr4D{lV(FlclY3LC)~e_zx<75 zdivmRx>5us-8*gfNx-Xv(n;%^rXQ&!3NwA7v7A1pxjOdZ65O@Y+s;68jbNR0PK%v` z+Py51_=l`H@y)LSf=t$wPU%WS9i->%p444Xw6fnV~X~)2vb9FpC zOI%Q4iA`4v_0(66^jMt?#gc2GPfg;5#v35AFVW#FJKF`Arp;V-$BvFllRDc_EgeN(Y8?^!oam$(hZJ9P7QlObbc(A5=JxO z^wYX?{ddzv8QsU9QnzoZI~V=6$fhr-5b0EYD`o8OFE+M1CJ#stV?R1I|?zk_NEd?Ni~%%WF;yoY-A0%A4tJ zQUfTHN4#=kiuVNvG5{<>!ZIF*u8`TtaMjz{RJdj5T8GQlFw4Mr_^K?^TT_#{^7eaL z!JW56xoQ>tR_oq|p!Rq@hqO0!FnD4JO9Se#G?e3v!=UEP!xtHk-i3JEf9fh(C`uUH zeujCw*Tc`Gzk^gtBV%rb(jaqnZ8hx% z1mEL$A%kQgO5S5}RA?>;4y zr(*CS6%{4)^k3&4je3*gg{c2G*k4pf;Y{Lse^-ZgEx$@1WETA?8#?^@Iy7}T_0s3j zAwM{kZUdH)MPs3f7uQT$_%6mv$=As4gXvIs*CY^Sko!#tq$jq~UAVj#GyCKdajK*Q zXDKDn>n0+m_)VZz^`X=h;C-EmYwlzU9r%kWbrn*LvW@qRn;$;;@zoHwtmD-9-7B5X94;l?47 zS6q?k(Rr=h9^{U&G3z9muTGJ9R$VBO(SV%B?w${+_fmtclb*etsN0qqoxSB@jxknX z(h9zcG`%PF(6MG(GiqR+-5TTswR7QnJX~N-7+c~2upB9Q{HhgSvR+t&aIE`_ioV&0 zJ=a0I6mjNViYE_?Jd#{G0j=mi)RXyer`NNVE_Wg=?9FUQzb%gh_b=)ldY7Nat`H@& zG*(QeA10UUyq{GfX&*kM=-%E{-8@nku#kh$*O3zPzrok$^ zR!q^3AiH^JZ}P8X)EPztX?iVQm}glH`)2I}%|u;KCFbpoHr9YXe{yuN=rN`O|KNL( z?hAXm1>&i0fVrvIFD8A&u!gUU7po94&Rgjov#N}&y1EoHRmZSTL7zb4M&GJlpLtsr ziU#WknSUeWO0qX7dfzV*$f(d{v;~c)gf;?i<~{SIOFpir(!XnLrX};VqCl7RIHt<( 
z>15lR)*rjuSPteAePgzhsO4=-m$HMP`(G|DQ9BKgeq32*JSlV3X0C(QvITn^uJSj!vFtPdQwrHR(5Kel&|mn zevu4Tnld`tb&xQoaqVGKH^>S=2(7VY-x{A4;Fz{Z%%8Pgw7JuB3LonGK-*|57>=Tj zi~p|A9m=J)BDnx#h^j)@Fp*X~@B$&RfU7`5x)8HRWm)M z54=J6dCjm8;mH<;VZD7($JfwiaSr6v$3OZBGpB>*I5Jc@aPycN``+HjiK#Y}OqY6= zZpFLNA9W5)cmK3DbQTYxdmT2JRZ*nb8VmUAr^?EBn<~7&nyaKhZ|&Uo$-q6=j~qVfYD@k^DB35 z6}{zu?r<`Zo7ylFzmOK!Fa_p|4Wkfh`Msor=t6t$R*E%zE_P6?^`>n=BPU6>A@qkH zdu`W|cl5fmFo-jjq%{dgt*5#*8cTcw!K>wM2w8=q=e36 zyG33GtNMkZH#R16cT6X0Q-gtQ8zyHyK6`D%0{ZReELM37V+-43@^QC)jlD|QYZH(Uzy4zSM^KKFPrl*&1sT4c;~g+x~7Li z&pn0fk816Qh1U8k&BujOS#?vNxcNjlWYsS(rn$|&YmRb&Og~6kS6rzxSgp%BPkn=uB>}pzAP|Y*A~|g#0_Gz-1BwFTH#NoN zWDB2JTA20ptTfVN*}uXKWd?zKZ=k`nco#|6=o@YX2k>0fW%h;740n`)?VYa2{WV*$ zjp4pz`6Gr+G2SvUCB9%bA3+@l1mEt5Yktdf7h&E9(F= zct>2iVe~8Ri-|SP)B2qUg(J%&1PS`rvJYx%h;i6zUKq7TiYf3aP+VjDLcc!Qy0EQk z)Bm6(dL6G zEYI^HU9;eZ-Q^4o%jj$b^Xsg9p(QD}!B{nXvBGkp9Q6X$v0j7CO254F^?uN`b+5pI z^;N9H>7&&d$ZT!3n129vA`A0U3?zehLQO{B43T&j7k#fZUzG>Ul5WsfZL~ho9?Mj> zIX7vE)ff~Joz~n}-dgdJN=UQNQp@ge8uqfe^^w?%MIPYeHhq2A5p3N;UeIsVUAA)c zZNcWWC+jn;{Aa!*D4pge?RtQ$eWRO(ns}L(aX)0bb8A>ee&nWpb;`wh? 
zP4A79<@G8_LAf$UcU@w@Bg=wD1RcM3Jw&iYd+huZ_<5-gK zv9L%p=QnW%*N(927UZ_wiw%pWmgJG-Wij*_jE*Y7WPadzvHq?ApMgHUdZz$|PpRbLVi0yAKb8CYzS|>4v@j7Va z*=V@sqNSU{S=`=$W`V*05!@X;6FTtIJ66=09g;%OBemRB=~+8MpddLVOMu&xPrGw0R|S5_A$VU%6HE7-SD7=>?gm90bT z)r=}<1B6h;7sl=3EOhJ#Y6$X_>#TxPHzN5-G&*0uDylOA?$C}9MDZQB(9)Bg`7>6a z5LE2}g-ayGn?b{vrNVjt>#>m0!06i>pTVJhrWg4+3)()nibJiZEy*PwJ>Tw$ zk2^rQU%~RXc~+=?S$kOfue;uVz5fDt{1)&59PnF@s!KAc^+sn!X8~>al`^ouq#d-YOlEBT1U82Yi%HcoieLQa~cs6q6w)Jsn-`o>^vp z8peYr22Ax~1Inm4lXAPaNpVeOBE~xA%-8OGLP6|-1TdKCif_Og_R+Bc&tHMc5X1fm z^z}iKE!C+rC-5%E-uMqzIg8+pU~9+|QAHBdiS$sRttdN)gVGXK9Y@-6m{n1V<$oS5 zG%vU$rnySL^c7{=l{c~u5BU?ej5+qi5o)kMEVI&=)T=5X=3k5=sfz*~<&CyTBH+Uu zIvlP*%b~rtu)Ck5wz4ohLT?Ul2h1_jJJfl*9ecMr)$Y=XKu|WPP+mLbh@BnefZVnWZ=N9 zOfR!1Cx1~XHxfrKl9zyk%JuKltWE2G!^Nj7#{OUpruT)&(QDOh0k8b#e(x&yB)C=M z&OO!<(-O&D^T)uYs0tZe7qMes;@P+EaLCkM%XGHgPUXdrm9EA z;kp7L!SjkI8xup;1M9|EIs?hqqWuxgJ5Bx*v{jVgVCC5os)T< z+2FqIJ>5sFhQt+o#+gZ4U-+KYexQ%L@LOJ1IbRj-7x*+R1L-@P7)Gt`-(ueuLe-TA zxvRKd9}4KJ+~pjSB*>rAtW1jN0nBvYSRJjfH`4Y&kpX(V?E)_?4cO);HHW<=S-*pD zim!<2A%@r7xEcL@C#m1ZCV&F+e1GK-lk~FkJUtC(O>&52z!YCts0QH}0e`|G09cLR~v5vmA;?D z9)P9zL?~2j7CJAs=8{s;=EoD}=J%B1bSlegLq(N>GIRSbjh>Hj)N1-E*>i-@%bG&T z0OSfqW%gq#tYd$`_06cpY_!~7`qC{9#mf%2RyOSv zm#)~Kf8#qz;6^ZQ!s;beVw02R;_R?4PL<9>AE|B>P*L@jm1TI!G<`c`*dEI6)SS{> zk)mjEFkq81!Dr*eaV9O`!WCd2Vw4$bqNA70|YmMM`vDFVcmR?lK>faf&6fb>R@BUrrNMP;oicI&l zob6yMz)k=9A1Is2dcts#k3XYyk)c_R@7p;UZi9-O zBOGYn4|J#9=)M`>S`XqKV7$PpB!_K7Hv|b0+sxc7Vs`iyRZjihi2Z4+CI@URZIXcL zmEs@I+q@r6u`!`l>Xvy_>KAQiZL2^z{Cy&apvT&k4(idBRk0?ck{Db{6+8ck^IZQY zUP(%P)a?5>(_8`8XuKC*NPbYd-1HP~ncA4sF|O28!h&u-C)#(!a`!y%SJ~PEa@P`S z*kb3Rouwdm>{*z;13q+a`oVPt=;XFk^zwnH&kdV8T3_~8oc^pBISFPvS-1ryU)^8b z<70+5tLwV(CvEQW>%{xB{*e*a581STdY>rQ?(7l!<_{7-9#z#GOfSRy%mt|UndYHc z*A+GeRX}ERMkJ2a0wZWo@y?q~Jm4CQJOk0Os#tGv#)VLRlYnN%Ms&0ObV!JOx39k= zDrR9&f656yTH3wmg)eV!H5PwXWBVw+vrRBz+I6+sr@;^WkaR$+jNo{sGpQEL(-V36Xg`;*h^&U8zu~Qich*n;wzT zQ;{p-&tvhZ%KpiytT!)U;wd}no=`AygA+*Ne=#VTn(zW&C#= zS?fndgaT;4H3^=IbU9)@j|zj=r~u=^ziQ@;su3$ 
zEXAqXgnEU$u?`6A%zVO$Bkhes&Z#Ie9w4kwM<1<}yi@)u<+_P*q5PHjiuqkRIz9hU zxEBwHpAW_BWC*OPE&JS*WXVcSy+E$b)pU78QNuC+~ne-8Rm$4HfsAa z6D&UvrDrsvx^lRtTJ)d_b0~zR>wXPEBjg%WV&}Db!z#qdIz7)3T1msi8W?reV7vBGV;aTkUpoQ<4P)fZMH!{9G7aL@eF$?7xsry>HrO={-jVf~8X^2HEHqjcGw$Bo6ee*}DV*l;U zSKO6#8e!^&F;GfcnFSJ@vQPh#^?=qwt7po@LDJlyBV?zMQ5PDhh8<(<_w0V_Xor68 zMii1WZWJ7}xGjD=HWK^wTK;e?v$STr#J9c}yNN|ed9v_)cm?6ffS-xRieP|>NQ~!1 z8a+GI4&w$2N@FO}scIG-X3(4{cuDZV_r;|x9r_~UYmPEBurKRXI`4-%D&CuRiJFv6gC(YUHJhrcbf>SaG&_^tZ(>w`g?YMyK9l!Fs zgV;kX8ZW#7qP84E(161zo?=^4bNMwRD)x> zsW_4S0sbuQcMZF20sfUh0|fe;J96^KPcJt`utb^}Ia|^t zn=;o=!+;+fYJTFCIiwDXB$b5LvSzIshFPy{bXqmthg$0 zG28EiZvW1(SLW0X9RH~s^&X?AGM7pVsIudVcRCX9vy9o@U5r`&r9qFbn8?c#(>~TU zcHqmr^D>}&k~}_E3}bpDO%Mjg{iE02lM_7=|JYUp)&JeMK+5a&vS%Auqe`6aB05yl zkIUu~IwZ;af$^LdV&83r1Vyq@WYgT56y(!oa$1tDFxe*ym%rj6^F&6n&eHa4P_#N`4#||1nb2RJoc>@b?X~l4&b?K{?l7v`%0AWP%SCOrrN>+( zw^5H#(HI9`5iRxZ60aoh(`{}pTuGUR?-RqY)hbcMAAZ%3CC6<;8T68!P@nySQ<}5r z2Z6Z|50XIB?cUx}ayYak37+$@RPSL^rfhJ`R}+c2U3chUIh{J)^pU6V+vI$3AOsPR z(b-68VI2zwO9eOIPJAIb+Z}Yp@nnctQQ)|r#Sk=ZVWJ-mkFHRl)9JK1i@&EW3#)?n zA^Mj2btopUI+JeO0MByyRv)3siCSjU+FGB1g`o_1Kg3zt6mCdlNlD;_z%rhd+5s&1 z?3|Z)=N$ScTHH85`aU}%ytWKFzPb>Ed;Czkl73OXm`b8u3tDARx%UcctF%ZRWnl1} z!c3JxEDaYl4wvPj6DQ-juJL8bPVhCNY!_LvpS>|zbA20f^zZN+MHT}-Ro-llc(tT$ zjeO~M(d}UOPn}4yOl$4qGQSYzB920A%s|2rDcHm--c2KW2K|Ayd$QWMR`d)Y_)QHs z=p?nq>utvKu{Kp_O$FcbS(1g}InU=#WG$gPHxHalm}VCiV-)89|9Y(QDyeApkU8GUx|iymNf& z^d`%v)~UY#=g(w@F-xZE4u=&_qIsg282?!Or|hzXA@u|UfJT6CMwkkeQ_*DJ1(TzGL`5Zp?0c&^uY4Rjpidj8XBX;Ykr4BdMz1 zplGTcti+j-7xn29UVfSoqarKkEE&H6QQlvhhIV7xD%)-%reXF#fzkJgLYGFNd}lc= z8V*)Porl7%l6Xdj(TnF+56ep_g5qvG7sc7VVHqYVu@jijTU%~ zmHO>(^ZIA;mv6RLaa>oF%M|7BXWmnt$b_ffw|?6{@mF78QwV>ty?0DPO<^3h$=grZ zwC=v}6xcD!M+~86z`lGzoU2wn|24z^rlyU2{J$>ce;Mbr{On$*vH!91TTPs?v1lgV-${W5rQ-J{DzkkfabP$%_&aURe`fce z=^R=+{;yr^ee+G`ndQU-njbGB(|$l#7rpCVF?g?Y7LecWca3eC9liBTd)^nVO{oL; zzG-?AOO@B8S zeyj5Dbz+dRT4DK8)R_M9f84*n4+cfP&R%z+a{bT0asNNZfy^E!O%U$?W7c;+H@p1|0KA`Ah89Ydbs 
zJp7Vb?zq}Jy#lgLLUe!sk~4{=qB8ym`tg@hrEMXu*VetZEk1hR`n0~J9X+b;31zA% z6@SAYxuEICGm~+~Cie{$TFC?BRZQq0d$PFp*t<30YpWilz!E!nceqzV?~=5DHUI&; z67{R(_x3&u`sHan);A5_Nd=L7*P}l$TMuxoHXUm$##XFzmLJZ^t!ok4O}n=KpZ2~o zEY2idw26@r0s#U957M}V#y!DlEVx7PG|;$vf;%*gTW|{+Toc?0?hrJ%yXE%GPBO{t z?A^U*_nh^MqYIC5gj zjeYhfm7o(fyBj!v+Hg`;1LV;8MiAdC$9io^gmF~V+3)F2 zjCBJX3ma!%?Ur+K#AUqNMZhDLyLT+Ur`N@3ze?D%yZpFVWziF+PRyhNJCF0e$?-jX zROI=b-#HBDIpT{ zu5RWXi&(>zbunR-=Hbmeq%ovBJ|jo3dcva z%uG8qUMXWRZ)Kh}HjkXICnQZ4Df;pPSy2=Bo|o`3(|xq`FlmYt=jyy;Iqc>oms~{t zF)qZ>-vS^#PgTEj9BJI`^x7fp)6yqwC7ArP3h#2vD12K3{((4qyi^0j#v`x*kAV2+mGj1D~&c}VY9x!2pWcRE>#gzp9)`Bc}sl?TR z#KZij3@9J0XZW%@S*VLVXtXnZ`w};a; zQx-vS!YI}qn`-C9-v0$+UZAIp!@4=K5Zop?^tst7Yef*=$>j4OVO@dIMqXO9605|8 z*tJxaQ9HOcvDq(RkuEM|;1e63(hE(`0E_NO(r68J#f>@!Qd0?p6zHi8@t10-+{<-t zXJFPjZmscGz#ye6r0P|4Qc%7u!Y)}I^QPFN7Bzc*nqbAjvhx7*N}YQ-omL`?a_lg2 ze&e2YC1rFUId$>6j20TY%}k4-o*?ZZ+1l!DS92gmrn$SqLr1Qx9EEjXmh6cj)#046 zs0yqx?h2mG6apf&ULYEG12L9m&#;lJaK@(iJl}f5O7O=J#-SipwVPes!=KK}3dxmM zvg#-^K`E}u5EQcgPSV>x`Lx#YQL`Z$3Q&8E7pl%MFId!U7<5X9e8B(XZq`bpK`?&= zXj#(4Whcr-c(F8rg?(1O%0VH3je79?il$h}0nxVJcylqO5>Kd7A$HJu6bO`B0Tp)w z18LeZD!SEj0z}ivSwQ5(HiJQQTMTXG+h8(VZ$;*{upmc{uiZV)Ms(}!3!ImPb6t2j-b54G2Q9btnb&P0?cB3eRgx; z2BM;o7`a~WG7f;Y1=;!a7|Hl~7Hl(gko6srUNTs;=Ewv%$NR97EDvRgiwMO^4(^g0 zDHpvm5r+})f_f>Wf+cf!-N5_G@~NgX%fsa?SEIOhx_6D_?D^kNY{uMgDc!B#Ln<6D z5GhbbvWpdMACXIHXu%4(!_yI|1w8F`N}AEglkDUVkx=dsyBB9>GL_W8U?Q4%pYmwi zr3~jFcnqajnk&ZRa4N)gz(43KK(m#5BzJzTt3ZvqjdrX49LxjoRsBZ=T>GK9lobJO?-v=up%$o#Ex%HJmkETW%mn#I?D3rOmL8Z`R zeLL6=bYR>|wa7$65?sHxI-k|Kr#_v9s}h?WvSe=70NYIvIAEf2^(zSt`_Ml$m9yLk=(rSd`LsGzd(?gHmABO>t1ZXP$SAP1)!tgk-y2k>3Sc6p z&7UfrjDEW@>|(DmuDm+1OqLZ`fG63L2U}nGoWV@;x|Q%yMivD<`1H}7_H@j=In*8( zm%7J&nTkL zb(|d>>#07go&dFsgl6xaPpWXqMDV~coe6W#kJ2AI5K-a1JgwtUwaJ{07Hd92!+ugR zLnm<8TXaV#Db>#jCK!Xk*cqfg|FLZk&OFfdn&n-)TePzWy1v|@zdXG1ZUs2d8i(!Rna*qW=pTWV6bzbL^JQr5LtjRIo*5fE`_4e zxTi2H)Ks%W8V5Uaqu?OBol^g>AbmDfYC!@)4Jg9JrauhE;O}22%?w=8^!s=| 
zp{|YT4h0tMtZ1Fb==%B1KeaOAR>C)swXCo@VA9j+6$@`%_ZSzU01#Vt;R#_yF=Mvs zA@1d-7N0ADB@B1hPc<0`iGZTs&_@7(S`1=!BB^i4j>X%YSs@=`ioky)cXk?twTY$a zOm^A1FVeq7xaxTOe_6~Ar6RZ55r*lzEClNB%CulnTv&ZZ2>2%S?+9X*xCLL!kPLfl zOToC8hxUbw(9aPz6q;~5C~gS+?#^Pp|NY!U z+LfZLIB?c7P8qjK4KQ#ixb`t?CFdBs@7^j6jDJr(mMV*dER$Aa9AIXettjJM(MK1N zDW;Y>nuy?EeFYR6xcO?fJv}ndg!mY_-A#U;#!zOvMXWpx*SXe6u+N^`k~m<(BZ)O% z-D2+M$YUg9o-xv;(#&%o&ELNeVal_MB5ZxDakE0>a48Uk9Am zG!U4dc;ni`m#xOe&HGPkovwxh>uEI6BvOz4p!atKQJY~)R ztr}EZcu;wFMh$N}Bd5wiVmG|>nR2#&uH-h4=~ksRtzg;O)!5Ntp#F=)bLHgQ zHJp6!bgXT}19iN=CNCk8nSlw*z}r{ul1QPmysZ?H2YWwQF=1n4LzdPuETOU7JFT*N zn389>x$O28u((>v6^HzM#C|Tjh}sPumt^05abYT@WV}|i(Cc|_$#eux@pzlcgM6_q z4TY*9x-!X7&Pqq_^=S7Sn%Zk1vuFvhLVLHB2_UjCaM~V0enQe7I|vX*e*f8A>-k6rTrD~ z5b>d;0Qbqkhtb+b=ZuUmmYhYSrZ!cmyUVHfsk(~R8C~Lyya{L0lvDk319EbQRLq)& zr0Gigfsd*wm%#Q)?@QTt6G2--F2^bGi~Dn%0y2sUqo2l@73455(!>zn*3w&-S@?%o z_>GKv`r|^!U! z^Vb!HEo=Q{5*)KPWwA#?Hu`hy=Ou?Uz>P}BDNkpXTEa+?1@GRQGfRYy4r|cd2Uh|q zI(mY`A|k?Qj2o*xrc)C7t=sPKIRw;QQUMZvH~UwGpn@&&02fzHNq zA++EiYdI1Ko@0j+XC$C1Ki6U*64`36f30_YK9;P^@d+mU1-5cArz?_cT*$RUovJsyYe0=Bal#%4praA^|JR^Fy4`Pkg?mq{mBk>SMWbrK znhK$W?4(1T6YWz`&c5(~P9k103a3p}E5m?~krZ#`#>@h)sr;neOW4e-O{$It5hwKa zad-I**W2?OAB~oJa+$sY_~a50-uqY^hpG{3SLw=OP5ciWTlXBve@_%3lm;CK|>CDUQiw{sW*L0Y6i%c zDO;mV&)t!@l$cjm9EtfT5TM>MaHfOkyip0-M=e+B4BK3r4lN`O$) z*J8popGBKJZ5uA2Fk0vLaNi7~$&MISc{+?gzIBwP?YUUQx(K#v5(;E1pcLmP(XIH> z+BJdnc#%#d+f8}1a!pHEKOmO?GIHTS=JWBb(V2Vk3nP^<&90#568!W5EG6v_yfqyK z3g1cHWt!INQbL7LjCghmO#8iU^y;qiOPw2SD@*2_j+$>cW`zZxtBI`1uP-w28h`NN z975qYS(=ER#ijGVHP|-XCxfsJ#D%~jSxXdZEC(#+>Z9zRr%6_&xLIM*a@uT`a!<$K z^t+WP%=K`wtn0vAv+|TTZZz+PT|4@trf)oK8}%t$Ur{f6HPX|--64i8&ptF>T^s0ie=s;& zlMqE&KbDK}J!TlO8H$fmBqj!ZT7vin6MlaNJ8YrDKf&x|rI4I_b`J2!R5{An$qh;~ zoKIW04*<|S`T&@C@j`XUX6QzJLC;x%@ur6C0fKRJRF&@EBHtt*<-9NFtu*Bfqsj!^ ztsu^h$l-{lXjs#=GhM#gqLt=w`qKBy-F%Ps;|2zupl8%2_cNSa5ce{(Z0u`cZL&R= zFV!i$7WhSNFCTGIFQ`{=B+EI<1U{}BRGpeknlxTJ#q=J%8U-Nr_a^?ZvQfsKySMG@bO)zgs{g{i{^1g5kmDg+ 
z$R|^a8Dm?TkSZGEq0dT)w0Hz4Q=v%^;SS##QqGNj?QmxOU4zh)TlAX{^*!^2XBI|G zltfNvZnj}nZhE7D2NNC0zMp7-UCpp%$~lmViinSGldn;!Yu4*~MtIm)of#3lXs?nu z?O@m}_oQvJ!yrsGPZp6f0)^2aZ28FFmsOd!?K!ob;@hirWj>V~#G#T_@~V`vZNumW zXRX)__&6V4R`6#>A?z*R(s= z!=}w}uR&Vg0y%MTT~Egx4Vv@lri(Sm%MD`;moj8k&Kg4YFt-QI^vePfCz@L?mbFUE z`vc#?veDMX{bbSb+Q`gngtev|a^7CBy2;Yh4o;=Y{!a99RjZG1y!#}>x zezJ1Vl@g~bk23ncDX&MOV-WMA3Mc#W7$iywpT)7tC@*pke+@RB_2^q?VLFoptOqC^ zw~<(CFuZ%9k5|gUKs!tMnkty#x!-K?s+g@cvb`iUpCQ(9dO?LTcW`Fyt+5%3@ca(_ z3{wY28`G~GZ33s`8J^n>vIlp)&87T_eLn*Rk*(M9B*}h6l)FENS62+AOM}E@MUXh_ z@!47LgV~y(&igFCmQJGW1gBrL=9MJ7uRAel<#V3dVzUshw4W(l*bAbghHHF(xWRe` z@J7*TdAS?i-& zW+p`=b2gtu1awv3yZ8Jw7Ke@Sm0A^k%bmAT`{Ns?)bwQ8uRD5fi_nm8wB53Cs#F#0 zNw*L#~HJf2wvS;{0w7vGl6M?%8_qCmfwVZFtwqs~J8 zJ{MR9+!)^yW@poBg^S=s?vNeb7j|30Re7lP#xYTa%BxrKoYM&BRnVRIEPk`xjgqzv z!n1U+X4o34VC6AKt=!Ja%FpM5dk)R36BhN_x~y$Nb-@!w{r&-rVO(|ub#Q>_`ysys zG$5uar6VHkj>E_sUMI)5<&}wlQ8c|W&MIQ&-qRrJ`1P{cPP2zRbD?4fJN}m`F2KtVz;6i8_nu-(z0ZqUg=8 zN|To)+e6fdz?TtTLltL383$yCi_Q2w!EC zs^NT)9ua07{cm(~1L^h1=Wm+0(}P^YkF)#`KE&j&N~stR^_+%XZJo-(*4%bF8-vgh z0_TZ<09n5^E=s@e$!kTggnU1hTJ>!+j+dn9Gm|?DcawaPpJ5dbx#r` zCvXM^i!!J5$s6uzh*mGL887krAaYo>VLNIbVWJSm$Mg%58-U#mGF`nt6ys1^*Kw?v zeDRCYkCKC0ABZRzDl0#P>sI}w!Ew)yy3hMc9_>%9e2ZFfI`tg|B&b(TE*d;$`F<4@g}lMYuw7~zo%SKQWEaCiO!iLDn88*sh5;b^Pc`U4 z9Yof7Gg|Lrzm0`&P0`xa@CP;(?gYEh&u(uQ#O-0d87Ll+XkbMZVo~Qa*;DH|)jms< z>;q_lv-@m8;%KZ#`RNJ=)K4r#B;}+K-knHS_)eIvaJZ$$-J#a(N=C;KK=_#4HRjhY z(p!e)+nG9klM^OiiVwv_i(VK^DkW&-7^YS`vyU6o{9BB zz)54N2^l&?QfVt;i$_PlZUZ{4G?qSGtnK86x8oM&}$_ zsxQ9B+LKU^X#Q+(kV>c`gL8o1r58H~dIa}ZjuYgn-EF*X-G_+$5=1#Ta7200k zP=vgCmb{U~L(*U^w99ZO{ia+fyZ$zYNJ^2l^pC_Bii4nlqu2|4N50&*Hn&a){ciUiQy>fEwKt8Q)Y|!E)C&(kYfQaz@(>F` zyUXFGr> zu}`dEHiO$|XU68m>wEPYX7e=l)w#s-5RFJxVYa@c2d)}CCZAP-PETbzvsL+-{JriO zoC_$9=7j2}LqpfARez+85G}fk6X$3w4-xKZ^m4BQ)z16c$B* z1a3&76eNlZay6{NBW=ly8(e;GmaF-v9K4*6XXgfw-1t(>01{LMDGSUl!FnN3C35az z8Tgflo|l9vfZ#n@yibzcep;P-`SegAx5&=ginXco0M+6IzWR@f@oTQM z=e_CIQ0d#>_h>-(W%MPn%W>74hWTu$FIBR-^2*g(XCtY-`7y32G0t0`XnJ_c;%mzg 
zJ;dSK!4a?Fy*PsO^WCu1v+idfTCAt`o6Wu~iEgSd2~`&)j5?kM>($s)G8prdIl^EQ z^4NWMyhdPK*5TC1>i9F-;$POv1{z1me(z*kN%@-j?l=M7FBFVJ-~Wg4{@RVK3lEFG zD1!BV9Cb&DKZ5?3X$Qlp^zx$A;$IY#zfq4f`#S&ct#8+T|I_-GahvBdrhmt>gW~rg z%RkBcWH}GY6?$_2VOAnyQYu<>@Qz`BZ(HM7wy$&=Dx{ytoNbfhbLY`Q%i4-zUCPwE zewPZx5t8r*{~JtNi(&gK0|PxHJ!zyZs1uAY4jb3;8u6WxgHusCv9hu*zp`BvO%oRD zWyTG4-}BINPAfl=+`sQX%~|QOxB*MU?j5B8(xnjix=#K-#wi|ny7i_?!JO@3Zg%9< z@;}IL?)Fn7<1aGyx*p8~UJQ}-5p6aC>Z(4@g=GO%Nfxoa%~G_Sysz_jEL@7%`Or%33D^(>1Ytg^ja| za!7}Q;sqIs`%U)q>WL_*T7UF)%ha(-e3vw#;p5*3lk=pJ#mW7S^Q1>TT+RkKgW<+% zC*_{}%O##Gn~<}JoXh6$TT66ZJ0%xd@FB?BtU55=a2mtxQc$--Rw-?=v8{qR$6aPq zGi@_n@ITdqB)*?lhj(9l^7UZD>o_OttFA0p25Srzbk>fnhEL#F)lFNJ?7%M}@c5z# zTQxk-8#T(m*%@~7VWd^7@{X~dzxtke!8l;hlso>gtdNO3kD>83H~8PM)z>;CXRl_q z-N3RTAIYZIlRr+Vf?<>}RgJtwa`ih1V&jWyWz4)kk%D!XIHKk+9$tV_iGfCt2dW7U(ukZ49 z>nv5}Xsk$O>0=flKY{i@Zb5R~u>c@-?n94WY?Y){v3{MQ?!A)eL?hTz~3;6ZV{btgpt`)6uj)752n?>nDVm3_VtRTbz z?4ZLTBojKOwv(YwO=OcYR3z#DDLr`m;lbd)zR`ynzBTY)CFcp3g=xPyuV39GyE;q$ zw}1DX(>6-n}y_UQAke~?LXHSD`5K5w#OTt$l#&1>S~rOiRLU7iv#8)pMc*_pdO z`@uc2^lV}5BQ_yuB^0GSf&F#PNceAW99jT;ZuH$z=z!Lu&N4krwSv|ddu{?9Agj8#D_iDW5`ONFqv&({ENbL=Bl_tL`}~{bmh=Lw~Q{?*)KY9qZ4pWnhBiL zh{k(+0wFU&HqYlYep&r~QVzYyJ{)q5U2uKP2jQwkPOKoRb5ym)A^hUBl?7D;g9O77 zua2H;o_`id1sO4%Y6zT$`<`Aqgs$~B1*Nq(|3&eYLjOC@!wg*o9~zZkY-ztJys2vh zer8zhJ^hQ~Ck5U6yUlAcgK2(`r2~KbMe*lzxuVcZ&V)-v=}U^6slSz+16`~Zil(kaZr7;< zy{}Iaa$;p5MspZ`U?Dw9Nw#=8v}YgiNWKN>jQ!qh5^`=Ezc0aZ-r`=rbz92n5?0vx5kW9dAz%e;HCR+36tlQh|fw)%r*b7dmsgIC)UUo^p=| zxK@kJ`_Wm_jfZson3Am$Zw~xS$fZ)LoxL5d*rWmk;FByf1vs7xm{5~=Ys18Qb~hGN zh+pJgS8tAZ#ygP1GVXjr-U|Pmc{s~LkRv1{rU@+SEFvITF3ziJE7Z*x>!+T^k9x^^i+vV=*GwRrrpR-oCMlh@Jh)bjQF zk5Nw(WCOqg8h{R`SLmppNh#L=xD=d%MQLO;lwfm2^H|p_#Cbf92dIYO?hj6NI1#=# zkS;jmt|W^rbIM$}xp~Pi&{=NAuOm+#}S&q4(zC-pNt0 zCEB6Q)6wxKs&vnxwZ_9gfOq5~K`iD^&4t*))4Q#0Cgi*KEEd3AJE^KbAZO@swYv>u_no7+F?*~CVd2y=Tay8MBEmf=gsc#PD z_8(BPD4X2b%c(1$<>*G*EBolb(wHmbSIY^I{Y>Jc9l8?&=Gj$ z^h}>rlwF?J{c`=0k$s|2i-4a;Mcu_+>@>G>I7>xt0F3aZmrH~ik;x~p3RpL@fj}zT 
z8c*lWJdQRdw43UtqQ`xdFRj)ji(RCFop|LWbk3u&^}{uScNO{Olj|hvP-3uT-izT& zCq$Q?IN>t4PF^5r(BP3uXD6RYrcKG`;&<;a2JTz=URbb-U;W&&k3!dQMrEEE>$_wX z9WM&(yBDLX?LDvFG_R~;9xaR;is*~g^Z^U>DO-1AJI9^@u{x8WTlmyA#j+ue4%ZfNzW zqsRtdEjt&#<)5jCEBKHzb`KWmSFqR&Q&lJ2aU=;ChzRC#0U71R!?|G*kA=&Plx-ke za7Cx0<*Mq+v{ICgr$|DT4`;rrRR@OZWkJUHE7~d*Ry+ANl_WL*i5sq3CD*|07gz|i z>V&^;vNY_MB_t|(+kQ0FaGthOD~c5uV$Ad?)mSF6tTMmrJW=(`<&@pQ!c@O>2Ug(< ztNUFpc)P(Waj%Q(3Jc8|KAwClc^Uz-7sJyi^=(x!LHN8yo>Ori3ndDJ-+-Jy+^tHi zD1M-?7~9of@p*G3pm*7@8h*l}Crlr=81w;-Ok*EP&7glT6C7MovKa^gf{K*0Di1@T znx#xg>j-B7wgVqT)w9E%^sPq9ZvD(Ou~J%r+Qr(&M@yip#VK?d2mCwc)(}l<@wf4fto7`bSZu zxF>Pb^q+pk6+E=;yG1(eRl~efybW*fkfIv0JtCs=c|jxg}cd!f76L?q{x% z>26SZexK*nh^XuP(d&*$Dz|9@?l?oa*wR%3bXj%)XkkAtP5_$0&Z;!w-n*N5m>&=W z{#-BqHv~WZVV$7gvdP8d87Xp>&M7c{IX|Gtu=uBeE+E;x8MCShRC6T6)DUvIGlZfz zJ9+pN4Di+~BMeqn>WPXG!gOz>&I#={VIw7)s>9LG4x>BQ2QpoH*`tw=1$BXmllhHb z+K~(IX|@8M1l*NdWe%Ov1g!{vCbUOR=DVbOro|c(4^uCRlA4Lt!az(dooKDJ#lRTr(8B|xe0*Fxt<^=EO5n-KJp-TvhG z=J=*?)K8wcqE{gomsMNYZzUyvXuXAXJ>QM(z3~~yeQvPx(xu^XnmOX=vW< z58IDS2nif+>6ep3fm*(Vp3A^g6%4rnd(5@8J27oep|N>c;y4b)xVYKTfYVsZ;nnZP&z1?+Yib<kOJ$G$4qwO4AY9gU zsSa%vJ$B^Fs&lH(Bu)~HZEba>+klXO_1f*~`(i0? 
zyRvM;tv@@6FlFU3VR?tS2ul%r3eYb0I#mlUAyOH2vPs;ZeyBxeodU zV-3ayT}`y+?)jGWo7nNcD59+_GPsS(<6K@dJ;J|o{%x*4SG%2E{CCF2x*!tO(3e@Z zH;J8cct&k9N;Gq+H)!~gCqKT=r@L$zM~Z!U7#uFez(J*vhD0iN0)_Dfy*CWm=UD|D z-|L*nj!E8QGd!gQTfUVI06iEm7O`xJ#%&~6q{c_iE9^qCP%M5+t|BM2qdgX#xFP7= zW{?n2uZc)5dTM6&pk0}|GtR72>bmcTN=E{cFN)hC?hXU>*&SerdJubT&uMM+;nvYA zgje;njC`{fUG1R6%Ol>^{k&^31Ovx7BN?@Vm%Kk&w#i0_GqgcQxa15~xA0Zbvl)_s zp+jJFJ)43w2I5ul!D&@j+=0(&{7LkDnH}BKj6M~QB{tdtk!j&BPInQNuxY;G6=G`u zoi0FcTN8EE@Ucz(QM zb_6N?F~cm%OM2+EG;(4d?NUW2jXf%|(RV%w zwxjzj{Alg`rd}@>-*b9~JqBu~H%_2al{2)R#+G=^U15|&j!mX{1YB`MBO}cU)4@>2@u=(a}tXMbmc57n!w1) zoPqk#2)sM{M}hexnX>F)L;JPu#=JyvbB#NmxzsGNv< z?*0=sN8tE{CNW&;dR-|decFid(JMRTZ^&KMIvsAFe_tsqG~^b3Df#`N$Yt6k`SjeV zN@V}N+oH||UD2l+;|O5w2VGb)YS|d-^FY(O6K=SZa0jiLXDBCZ8$O)E+>#+elPZXQ zL7K>#dL4t%Z%77fdwn&^^ zJH8w775f-`YsTP6;c7jxhrgOaA*YTFhbOURuE$ypm; zP{rLjpuU8r+DnFNznz#65R-RN$lzAi=>1%y1OdbhCXP3Egg7lqc^+XNl-%bUOI}Rp zz^<;ove1D=&~9AMcQN0#QvTIEKV0=%$=JZVh|wZoVYF&T)|*}EvmAdGl2(%$uqR5$ z?nV&+m*jLcfz9axqb6^W9{VcEqXh4H5B^90kCmK^!vD|py8NroKQCnec@ay&>-oHJ z-)FxOYgYFpx)y(kbi}i~mS`3dEaSflk}fv?i(>x<)7pn2-_I~IM6&u9#Ya*8ZpwR) zgWF7v?mA&LV)1jMRkPN)ZLi`OlC~iicmF-1@g^hKd~?=Sp7lf(#TRAE3L6*p?@j!X zfs5~mR9JRPLf`q0Ny}a0XKBHzI~lJ(Y4+SlW$rPG$ZKT=h9%`pjTI%cq`G<~;D=QO z6RrFfl9x1}{r;TAhl_&Z+3kIDFXY;zUIAM>r;}%GYkOlTD}+51743s=MSijckEP!OluM$pu#Tu^;lX8yIf8MAo&4 zdJ{l(dy5yq^7Gz(n`ho1M1b7)P6Y?Vl$QQ1A|=au&>!&=FS>}QG00$*1NN(b%p0r8H+2~xdZvuD6@fr z13hP+Jw0_Tfd_f^AF3ZQo2R=ZPcBKN$SFzTLZds59l8V<8ZU)c%8e@jqKK)Vx=<

~OWUH6nk7c7p6pNo(*!jaFR*PTO1!7bc1|OvBDw(oS6*AA$5+ml~v@qiN|}j zhKz@bbM+jGbHbF$i}RtRrFBu^i7MB5j6(@FmDYf7tbTvVA)@BjVxAUlG_gKz`NZ(6 ztv+ZJ)X8tEDx}n=^FFDZa@ei+2+Fx#=kEc+O%|$RNoa0JA`wXKCTYRpQY3)Ey~#p$ zJq|$Htw_jNy|9=DW4H~dH%lOZtSN)2(&vmgxe7)sR$xk@o_&enk=cCVQXS&%0GX>d zq`MtAcY!`T6%{=>*lk{Aj?YR(RE1{o@HpeM>4Svj+IXOak_Sy2u?;7N;!Gz?sijx~yh(*DVo64g4DU%AnZ`Nk6;7hcTkl=Hye45U;9Oa)UCL*h{8cayu?r4AMKLtgD{gcLtR8+3Q;79GA}_y|zT7Eah>0`e2SuN(o& z5o2=l{Z2D>lfyl+S-<*>`BT`-Qa5_(hD}opOd{imZ^UAsYbJBbrZAwX6ZOgRv1l?O zIrFouPsb~G-EJz=`+T=gIV`}vYu46v#nbh+Qbon7kj%4R=eGs|L`cJ0}y%B@v?5au$C{uUteYN00 zm%p`fWuXU|v%o znf?^4h^jcSg}p61_p^t-*>1s^5WWb;SVPg7yoGUeklI>{SXbAY`h)s{q_?T8F+%PT zy{fJ47sE|XP2cvBu_4Z6?%{xnKDmE@>uD{2N{q^)@wTjW{}*$g;%T0t;?)B$Uj|FK zG*{A4o#lvS&-ty}XD{kG)-}!*0^QVZ{A5o3@Ud+P7Rz$3MYr+`KA&#kdKPf|y*voW z5zt%RuzIva}63Ap^Sb)jL2`QlSXbnuVr^+!YMT2fw8@8#@XI?r>qAjiInQ%-0 z&XGDpr2d)ZCk@V^JD|Y&!CZq+8X+68geioTFf)S#+DKRJ?WD3=G*n$CI~fXTCWp3) z1LZr}ZG;%&D3??!XoXI7?mYxoH3}_-$|M$ecNSFN3}GKou${dvRP5Ib3zFncV%q=( z2CDP8w9|ipM4J~Aul#)AQYgP@>M;eVRt78P&H^BT&1_{X<1nny;MBS^pCh%U(nL4k zK|f8bf{nc()iXAK;|TS_RmULd&uLSjdrr8CVh_hDwXyA<5zoTaqf38D=h{-XHbg6s>#lUk&2K-n#W8{K-JKJ)D@;^Q zQ)u~23@ts)@v*)RB$8PyCM#94A}iVQPVTekj1b~LHl30H1T<_A7jK*~fw9eceeCXTfD84d;B(qxUJ=o7zMM_Ae${?^Pc?5t94#!09Pi)-pUyEztl9 zv4z(3^aq}W3GEogAlY>bUIRh|P4ve!%tOE7E@9AEhYs(okpsIZ>M(9MXLA1sfG4sF z(9MM1Z)GNMXMyZ9r25`)um_kk%UZ`#+U|gCg~`!i51y+Syr+wy!XHca$Dam$nQ)@V ziDOJLUaRJJ1$o?f2|(!kc%dYFz_g5*P#gp5Tbc5Qr+{cSftpf1#GJmQ&17S8YWM;> zX=xUuZZokZMVmfb@5f3y(+TOZ(;V6zM9n%I{#QGmp?c>+0U}wL zDQ&jK<&hC$mzk1b_#Kq!(CM^09}%*E=AP(;uwEqD%S^WnhNz{g?e%qAOixsc7`Ht0 zKqH$uFe$O!`+TZXfjlSNIUQ)>qfhcLGz&v?STzxXnq=BrAcYN8krSBco;BWr{5zFQ zK%E|6GS!JOn5P}NY!l8XqW;<4on@2GN@SgI5A+)X=CWt?S}GX7VWjb+a#tWQ?5DO5 z2A`mKc*{bUcsmDGxgNi3CdPKQ+sH`w)*vm&m@425KO5=LG~iAQwR*IlUl$xp zsfyF@jxsTk#G3Wp%jdi9+-Z=sq_D30TarFmYproFsxZK2yP&Xa)7TYO`(r{?D`RxF zjKn=&DqgP22Ini=%I#`%vYmm}&_2)(Kb&YLJ%q#vMSEJ&Xv`_2SR{bWWm=g+c14Cn z8iSbJ*G(@~Bsnd6b?`w{NaN$~cNQ;ebW{>?lk{re(gf4+^<2_Q>9@2k 
zk~iE7Cv+RKQms$e_%iulGq`tLU2pqY`|*j-)D1s2wg0+V8EZ`#cSdJ(9d|hubd5|tB88cX+RVtmd|vXO`A(u z)OoHo?0B9!@SjOroQs}qWZ$Z26~hwdDw#scD*&TsL)M!#=qfLH(a~%ntHhpa3Qb@6 z6X*G6ci+wn{=w#dzBuB4dDZi|c^JcvGM2BYUeV9?`#vC}1sq$Aip-D2ODm}SmA)*G z2@5jK zjr6_pUjvc6>6C+)#{Cb5ZN%T^j@&e|@r&tmns>%Zs zDm~hGGyA$TyZ$v;>;IzdJ)@fH+jU=jtk?ko=>iEoAicvYJqd&k5}MLm=tY`7D!nHJ zkS--afPe%@Xu>1C1dsrsgH-7X(m|e+_uYH#^{%zohcnI?Cm&`qGe+i^CI4CO`?`Kt zssZ@_Jy7S$s*sh7_-uywfy4lK2~G*6dsxXWgfe*79D)RcHLW+5nd%6s@G+{Ih(sE; z<2i_{kROZY6Z}`omFIs=xjLL8ybaze=D=uA7n_keObcqJgrm{N`H{=uWCur)Dqv z_G%wLy;k&G8lwxC|Fx*At8*h$R|n}d{n%BD-YdDBlq=1286>#DZ1z)-JRf5Dsc@f%CI#c=D^BqeT8?E*gZC~OeGz9+wJ(XGG zm3fGymmJ1S4q?ISvo6mt0&}-{ji~@=66QH2aU|EK1;>8pnFbbvCTj|IdX=OdKH1HdJ&GY7BcNFoFpCb zuJF9dLs@_6saW^$zSDMl`M~I#w6mo6YhA`ZIk$vJ^%(3O2)Gkx15L#1p$MQOZdZf$ z=8NwcBEfGE=AdICmbKsR8Oy@yq|Le++TPXYuOuy0z}s@FMx!S;A>(p{` zP@_$C)iOmH*iCMUBkz6~-OBN`U)z_ngQjvaAOL;*O{vYIo-Vu~3Wh^PzPA@YTeV7MnN98ZQ=@KXghM;hGJ`kYc1wPxZ(R9L3=@Loz3if6Z%vUc-hn5b5G5{c9$q?h*|0XU8A)D_4JHN}nWSZA&|>&BDKqF+jh3lj>2Sqq-_0=>MJerp5X~{WMO80z%4Nf$-z`M%lG>#xtib{ zB%id=Mg#D_KC>A<965+0qfs{NYZ^{gy)k2&4aFMxmVjSxt#Ks!tf z=Vkd>KGX2fmNBB^R%0)nsMYBa@};b`F$nrj4n$_%#nuG$XG_;mQ>gq=3j9J;WEpKav5-VN*#-! 
z5O~{FVpBp@JXx&$_3dvbdg`&3Yh%eHS(HZ3ll_p&!S3i$(*sSIl;ryfj^D`{6#q}R z?msBovG6x#9s)KxWpEromqWRw-Ss!8*TloDH(=3a>tX zPy2t;PRWx&CR)5m_k=MNfFfs_4#{u}pIxer-qeY!j` z0%s)Bt3U4rugoCk{-kdBYk@w1n+lae@Q;sMgbx%X8Tqi8INip1{$ zOE#}1@hn3fFueJ6{Pxo;g0RxB@nOAa*P%C>R{1p1`r~sd)z!E<>t+0NVpPSg+~q%X z>&t~+y~;CUK|m1rB`|9`m`8Gwln`RGNw}IMeOoj4a_71F&v@Z@#tpDQHr;XmAX*^X zIWt^5OyH!;^mY{`ei(_`HRU>LGrW@V)>dl#obp&YEkA4xRrRFV(0@$$F{z3dQK%7+ z9RtqH1l?Af)kZltnOH?E+>I{NbzL42TjNULGltwrH5pAJyoaBU6=Mt6DNBYUds%lP zNXgZe2Vd*kIO5YB4lJbO>6XVW)gy0cxFk0%sPnL!8>~d9KoEt-cqTN?DI$}O&eOq3 zW@}u;rqE$Mqw$WYoH=Yv!w%?xQ5@xw^vdz$0cKbIEE|J7qc?#-bP_c}SI2gL#U&Ip zR%TC~uQ{0Pk|Cmsd8KOzM%=QJebi5RN8=jNg9yew@P10AJkX|GJ>)%T)x@T>#>za zkdC-38^=FXn8`l4{+8*?$q4Isv(+i*@wz~#wYWkp!W|lG`18PFs@m6P#fra9Sm-2^ zUjRN~X;wkZp3A%)hYRLgM&wP@<^LJoJ$6%Q-C@R!gYCo2UJ081C6Q5Cf>H=3_=Eub zlYM+VzqVB)h1qpSqs%>h2$c`O>_Q_G$QGL(a^|9v0NvJy9{5oEgS6P zkyQRMGJ}_Q#lcCt*QUsV92V81y}|l{#Veljc?-Rh@{mJ(9CEQK_$+gztI<)h=?iDy zt9TsZ$J#-LMVKQ=KWa$A*j$@fV3Wsl8zbxg7d7tcAO9s8?;SPq?%y=5SKR;m$>YJd zi6C4{bL-Y1G(*}Fm#v|$uTnCZG^#_j7QK6Pt3{F6Mjkd%-8p^@(d7K^Kc>0A@;41Y zx^nXK$mw;c5xYQY4J|YnW%yGNF%aiskztqxhVrP2gKUt$-*ENl?`yxoTrXV;`>`c{ z^GJlcuK$6lW0uJrtHT^-2xVTnBfWvdg3B3fh-7g^-017OUNZESzRHC;+R zt{Kz@T4$#nclMOj>2p(7l;A3vV?3Ad>@YxE`ek}^WG*53avR6?rS`zx$@)2-2wTUE%(A^J}aU@$6cxS zMsq$|8fYMpL?ZRZ#1Gm3X5VNPNO+(x9>!5mk4z%Bms4F{x=*8sRN(l(F6>r9+lIuWvUaYHx?tt%dX!XI;!Sj#)c!eH&yumX?NbMab$}%@moI<^S^=?_i&#mTP-?s(vqN3WE z4<^J{Ua23({0g0QU;w3KWpPSZ!X#ab0cPVFxI zCd#8C$+N&G2S>fb)|^*Qo`%GabPO39PyS8wy8RpL-O@)QS)TGwzX!Gb2^w|p81Xqc z*ACB14j+i7LOz);E=v)OyKsbT|9<5b?7@>vPJHX(6ch5{^uy&Ei$JBGNw1iOSg05V zFkVv{pEs+BeDsG?m1Aa9zLPm)RYwn$GcGIme(~6L@_iIJ^De%4FZg=;xU?L`%a264(PSOCX< z(s6DYF*!Xs3Qn?4kVcJCq|=S%dGv3CMifI<+|G!$cgHD*cb zV?wN1AWA3uk5NE}r=dqz8oUr{6`V0-C6Nx`c9@<-?LXW@p$CeKMOxATC&4Ut%RleI z?ic0$zThsy4rjNMz|Vj~E{9YeFxN<%#z92(xIuP>QvZC?O673Nm2B-JlF=Hr0EWnM2uH}scp?kyg z(+Ax1JcsxQ)4$$3dNw=F1e~k~Jdg!;0w?UbTV>P8%q-q=`3kqx9?;2^*PuQhi$ba6 zX*fqJQXncxa#)A@70)x95mvt3%J4a)Q8$YexZ_E7HOD 
z)15LIH3=ND#%CUO-%CB!CEVx_-|@B-N#kR+HlD=9YN4^ZSTLwD6Zv=$mc3#sn~wUq zy()ERj-RA9Lbo8g5iLbb?Wu3xobqJ-;8S(t{ajU zY1V(~bh&4}j`nCz0*C%dvBW}+LL{V+sD#sy#jN^FXS2!Lhup>!YBfDAiZ0l@O3N`a zD+i)=BR)l*RAaUUOR1+rRY5=p4Z3^gmdr7mE1t zwBww6oD{4*9j=KAq1&zC>BTB;&rYoby&|oxG)bYW(?w+;G?|{=n3CE|pXUh*@SM>0 z&Y&Ag6JhgYh&Qs8%EpzYYfK48YPj$`dKKJM-wam)mu-gIVZzjpeoW@L*RMAx#?S*)Zxv)-RlM`S$C>{CZJiu!VDq zq$SZqglFL?=EcTEs@e0}kyxz>;I>E!0VOjAvSzsM`Qgz;Z)S#Ic#kjVVPu~N$^q$%dSlN ziHe*g0rs@s8PS)#e2M~PIbL&c(j0W3bC;9^HJ$_{efo{7x;$7oC}Yo&K4~jyOy+Lq zs?^>+pQPc6hg+)USZt$_nfaaS55FRJo^>WGbc%@kTLisNrLC9dFW3N=viXQ|Yb8<} z%qf=XtBqcyrcNe4pcoHjJyW;r7ivh+WJbo9`AV;k2*LnH=t$rm9CSrsB`yk$$kxIR zP{U$U-E*QplOBSzSs)`3id1)J(p|-Oi#v0eB1brSrhWQ``9Bxa$JTuuY^4XvrGjw) zCxBeZM>ma}WZJiAt)8U&j;2DRmv#fafh>ekDD;NAkH+HmhUX%E(B!~dMY_B}!_Jq> z0?NZv`9^DFBUxBV5i@h+<>hd2`4_1H0YX%<1G8s4CNT$Yn`S&76)P$?UbNdS)rvtf z+?H@%5=|Ji+=VVma6j#k`UUJ@zLCY`8@V(NYiS6;RzMus+?T(-oZ?%GMG$*de#%6i z(#~mFB9|R4syr;x^28&1N&xl;x^sG_@t!y%^si)0*$yic${p>P*-&V~Ob`9@H1WP9 zwkb3JS+$ZDlg!xq2}b#Ms$bTdq6|JiDBS+3t9N2VhDLRX7-l9B*dEFfasK&vqYT;x z;h1*lF_HJ#(Q&SvZ^rDvG2CV@q>o@8X$f}-$V>vI^prMM#qxZHrqQfvzZULCxT($X zvzgO@(1Jq1^x57%jnI36pyHYuOC_gv&CiF&U4@H-+MpmbW65X+_O>f8=i z{gvz3F(mF1JbN5zWR0*dER+r5ueFH=GPnrH|^uYd`p;$B`l@j!{ z#*k8UooWBTb34Pr$rC3~Ja0?1-+D5Yo}o?h*r^0qmdjfhyke=tBmuPp#MlP=APw;W z++lp+85|%q@!H&#NYPk-8wrI7`2@bVJ)vXhQcnJ}fPS0JDJxG;H!nnTtc|&N)LPBT zUFU~e^uIMWV^8m(X*Gm0H`njRwnO7SnT@0`g04Yd3i84>dEklsZD}%%bE=N9-Hq=p zIVFGQ!3_547lY6%$K;24o<)lu^Hu5Zfj+|7j%~b>y$Ry}OAXb){BEnrRd!vY+CJyK zO&OUipdWI$9^WTfViUMjsBDjoHlANkXc*4kvrbA=YW+h!PFhe{RxaTZOD(a_aAvQ{ z)Cz6ylTKwMDnyIm1r3L}KUf4DqqEktJ?7vknCxzh2nBbd6AQ35=-+V|ljSTi(|Jyj ziWdkVPihv^#w5S+HG*2|WTj;r&U(dUe}h{YrCV-;4G|&nrr%?V9A!R3YqQN8A}!2H z9r->(KUG7)fqgCZd+(`Eu!{Z=&V%0p`tQ%~i>e;ygub4LK2)byiTR>rOWV13;qf*x4Gf`Z9Vme`}(QV&3+=fK{rTS6&H8HvG)h7?Qj7;kb7<~ zb-*k@!Ib50;yrzg;J(Q_gkomq$5X_+TuBnBWaQP4GM`=Hy^TQ&El*`ZP1Hpc%3(S` z6k{Rm$t%hCb%E}}64@@DEKDl04>o&%t~Uf7mpyKZ*a?McL*$$YqsZ9}rdD2FV<#B% z{S~+UJ1+@+hi|0+a=NpyeFzuxF!% 
zLZ&O|kK+qGD}#;$c^|P9_e7?uQ)a%(Mz9S_X{PAo2C1*LXfdYpfYlD19^ClJj4jvI z`+c&Hpomsg{TKa9nEeosf>K7%2`tuE6$M5msU%kkPDesK1mdY2O2#XZdcj| zxeS$yR=aKqL8f7RA4t&Tn+)}7i@|P5GrI-Rlgn-_-c9HN(d_6pX%>D*c1Lvvv%SD! zW$Tc(0ndv=M{TWoXsK6XQ)6fVbIODC9DcZZaT*{UW!4Yt2VHdA*mJ4FUtSq+5DrQ2g7rm47S#N9@Zn#ql_NJ)4GRGViZ{J!jngPZ=5$$Nx!Td62IH zS80qq#~&317ru^Y?C++gAiYiex^gOlt)8BrZJO$(`XB6to=S>!idLm`%&qBXP6hQo61t~-RVu1a$XeQU9k5@q!7YjzmEwoSeHh~F zf;Gk``Ae4IXIO_qa4?^{a-$y)?`mro!%)q33BD?xucmh!A-3^@Q984}VX;4%uGGGv zeMSzXI9jFpNAhcCcK`H3vkQQOCC9zeX57b?n$NoAkYC){E+d19^TRmIPoS_d{~*;L z=LTV11@fU(LKFHw70g;~V75Yj40z!B{P>DpgJcE7yt;53JP&;@T7O)NtdM1$GK|!2 zojVJex%G7fo<81L!V*3aljqYVlLyT9~* zFoGpq#u2DztZ84!Qj5h2@qRqq=|{-k5~QAUsfE$Hhv3HZo-u4nzaPVsnoCD98K}pg zi=-jO6|O&E!NS7XC2!I}n1#=H;4Q1ugB^cQtwD?n=k*W-c;o&7f_FMLIPcr5UF8RS zVb~VOaD&@beYK6CNq;l7PidN9-O$37hy{R<-Qm@u-fIbk{?KdHgF!JKZ z6<1ZIG6-nAg8Z=1*D>Nua(BfiY+&$e$KUot^wQe69jYPQ&h?PpXW39ft|gL}8+8z~ zI-=m3v`oE~1zU+v^LQr^mX!On!nBISKaa7Cw|u|zsbfT1dOb&vPD$54V&N**cFZ&P zcyXq(sf*Vp!pa_y7u+oDZj~|qHx1i0H*$O&N?&QNF}QlKtbA%5EVnbW)qQA)GpLAF zcSbl&!)VL@D3XCX2S3b$JcQ-b%bBHdZN{T?ldPFd@LRIwZbF}Kxi{5U`ED2XHpyfq z)1V^=rPh3p9QMc7I;RbaGyWjj%&?I5b9^e38JfB>gCC}P+44QmO^?->fJ`HM+O@1K zeY^;(t#b~%>F@yGxkTwpesoVIp`uJdJ2wOFJDK))@HVeZA7xM&GSZm}%w(pI>9Zn4 z2Xu@<6CdT5j=TmnA@6T!g^cHSZ-w4-gK zJs^%Q&sb1s$Og1xxUzbDV_T>T_7ZQHGK??9x#7++xOW*sSAFlXL%f_GPAkA9)gHvm zNPF+%qO4p0G<|OWDo>V5Htl%6)i0PV*KTEvy+GGDpBo4JyA;T6<$vm{gc=3B|mY0@ zply`2J6=)l5|R_OUahwus5I?Akj6rc>FfRwHU|N-kGDfzhv=0Xk#x7>;l`=ZKFJ)r zq%%z>)tAPmI;9SjoHTG;OuVZz$0(du6s1dcm++1uQ4JSrH9y?q_6g98Ftg6wo$%_M z%Fu*~A?kd{Z0bVGac^_k-fcz2YlPpox7-*xB=4J^8+ustTOvkHoI{3Q{PFA*(o z9l%)MBw8}Tb45rkpGR9KY9;F;Do2Lw4kloNp#Ur(4A-{^`o%QZ;;A=a^Lag@d454Q zaArSXYlZ(WsgnW+*K%)s>BGjk-?DFY)C{!QTCIM(21|m@IOAW3{+OuQRrh`hXuuWG zRVZEw`(|s$m>;5wwu@pOx_-oMaa?q&C2!t8e2}HOZ5yRs^G$!kEqpjc_8X1dmC--{ zb>aSBleoo@aLbt7w1`+Q%ei^QQTQ|oqPJn`spDn05@nFOsP4LNWO7tc0gT*hx*P;Zi)db(}vFTEPauX2bwKzJe4 zPzi#BsvP#$Zxw}6-`&Jixty_cT2YTPllLw+WwC$!o2ijoLv%EAs?DH|ol7eUJQ)Ex5}z@M`SQFHuab;Mz-x()8Kq 
zTj8rnrV9bYH8-Q=vX~ex@j0XS0Z7R>_|nu3S!YqU)WurQ0YO1snc~!_NQtcotvn=K zfmRxwK(c4eVWq!3Os^yZ{oH=jZQfE3lgDzC1NJdjE!QPStW25!eI}gVO|3T7m{VLM z>-6-xCALGgitG*&zvLUfAO$~+3%Ped&;}A-#-m?j1(#84NiS0 z`ZmqfuVT;cmP>8)XZr?!AH&ZON7sR#K{|GzF>zF$IJ!J8?5Lsw0b#KIp*+FGr!#%# z#cJ4?)sO?ZMNVB@QbvW6D$Kc;P&lJYy7Zy9T2so7&h&pMQWWIm#tLQG)#j_5P1#*pn5R;775XfAoo9p02>o~tpxR^mXweX z7aknBLf-aIJ4q`pwx=K4DL5EJYU{tZc1X52&p7A;s%ZTVJ@jL8hCX0)FZnf15XM*5Az;uKCGZ$}q^m&CR{L7=HpPiCwroVtTO!ZCswlponEi89u?1d&u3h=9u-p zJF>s!ty3md;yWD-qLcj#vSC!0#n?tqtJKI6XI85AFoS-AVDY^gIZZ8zYYM5M?L|SK zsUzuRHkQLC6zu#a)!t3xgKrJ&t#O*5Amq`&pnptoEs%3(8wwh>2Xbo?xw#@M_e2F< zc58mCl5mhqx+!ftB_^YiWgm|WcAp-DemzG#>YX>mRYHZH4(B7R=dCgzEbfp62 zW`fAiqlA&}KZ#%QXpJIXc*-;e5UW_RfvNH3%B;$Lu2?1x{9J-_dR6QZp4DI8MS4l+ z4&?6g0d?CN0>~wUg&Xu4Oel}u)D4V+Tp&7|Qg3UTmN$-DtF@qlu;F^2L&ciO^(~Z; z#GD;7-^&SI{zb|IN#oQx*!ve9d#DWE5AlGp{yq&igidg7a>PJZ2q`&lbSAGP#X!{)Fd6h95fdTe16q zZX|nQ6(HU5046admMFLseCwMODt@GfC7EserYYMIrC1D`(fcU!S@nx!Ze#-$9zkRbXD~H0f z+@pp5N&TPfc1IZo(ww_P57cj;ksoCphnNVLAR6x0)qA8$!Uojh9qG701L@tOcCL#P zY%$}%LjI;1tnl~S8iUmdRLL@@ZT(FnY&o8(Omn5`>0keGfss8);#L&OY)_ny8p(iN z&c+{M4=PSumbV^sl&l)d`$*EJist@q`&mj=%x|fRbIe&=-!5VE7M`T0dRhX37vDD| z50bn(UbCw|`|`~jq@+$cECc4^LNREgpXH#b-`<^Wz8x)_2!7#h#hC62ws@bLo=ummBXZa@Ab21 z#^{lu9`y%Beoz%%)G zmiqp4sj@5;Df`1Xn5eLu;pIkVY|1+qu4ysYn@8oU*gAfDF>seQ8(i3&(}tpz|JCX* znj3WgV~6oS_SpY^zpLmTa;5{#cjN|1C0U(~y{2-m)&zCiB&d1xQ(7f2rQU#(v2|>Ox*@>`nz{Wf`)$N-ps%vT3ukV{q`}!|en2oiXQz#q5KH zqXVYvdDUOlYODkv5i`V>YMC@n$7>9>9$KbY)_KxZ<``z_raMeCxq^|IbdQt1Zn4KO zO?IAZuBjisdEwr(qB<1u}m6`?o6u)XwvLNi+M`z2}Gw$m!8$e3LYBvceD8J zbGVy{DRLjfuEkXHDdfCVrhOEFEBWe>mTe`p;AeRE{GLcJaOo7p>nGfIp3^O=){b5} zVPI*j;W9D_V@u5ur%=hgmRZ3&jp#>DM^38-6`jM5tj{D*ChmhCU(98OR{uDe*s-V> zUw;i0fs?Yi@pYLY9})|dv?l7qmR?c@t$7g`+GQRDR6?4Y)9@flqw=Ue4%K~6@?=*z zG)Q7oc+|2wYCsUlk#45fRNCZhFfC`La<73jR;WU6)@^SdUvVUk0tLvflP7FvGgRWT$^v1_D#x#ZIZ`(_&zm#QZ_w5U)@p#c!{TY(R{Pwg0 zHA-smkaP99Rs@NenbIf{<(W*F)fEo8R0)z 
zHsj^-en~=REU}S3rkB*KKHRuzAArU?kY7%qgmyf>pR~PbPlb&#fRzj=|!tP&a(Z@uvrjgxTzrI|9z;xHZaaqm64(k!`SZin0WT0M!|7AJZ*Wl;{ezpsZ9udNw* zQA3^nL}%;^uy%u8%>bnW_?ROhd1iCYSR(FoJIlS%ZFu@OMSM#@*hfY3^%f1yi}_J89gFqA5WL)Ne&Yb4;CKmO+hLZ}ng}m49#{{>#C>NTh*`ebdZE3S=9f zrGk~Bd#q#^5n`)5uf3}RzKe8we$ucrnK+~{9ZxVCeC&u9B-#XoU-VNP(9|j?n;NBP z6Y!DLneks1OE-=X7$q_2<3Spuv!bcYy)_|Nv!BkRUpyId3}JI=YIFk+)r^d?* zw3*KVWD+^ONDxRhFV`g}H{u;UWWu-Q!{6=i>+>Bc_(mj&OaXc6XFsDgFH{#{FcJD+|LY`rcc8~K|k>4P*brCX6s9Zc;5fqnc4QIYj@*b zZP++#r1F@p1d3#ACLgtz9bfy}Hfee75~lt)&0XEH(A>~`8*I|@G-GK6Jk}EXyp!6d zP97e)U$n3D3938(!xh}Ra)|<4Cf^&(+Tring(f0iue}-%dS;M^gN)vdHBFiRWb}ZU z81FFqfe=0NaW<}=`7{%3n3<}5=pvP+dvUg7NwG`Nw>$A~EA{iVIvT(9B1a{(nQoY8 z4-RL#37?}rS+Mrc7rpn5+$WeVs)}nv7oz;zm6tG!;RY#n292D_T9R z2$5Np|D0-PXwq=AX;uB1r_XQUXTc*IVq<^P)E+ATP4jTA;MW5V%xY{BM~iA{c%$;F z3e8osS1dCYE@6=%yr5jpeAfICL4l=Im zqpaYGLyTJf`3wH6=^Cgxw!E%@m5ds3kH87OPl)e4V`{HM*BxSJjS({L)HJQ$L`%TY zY%lRwN}@wneUja_JWrS~KRrcKQb@v)KsqPOYLa=g1~y7Z`R&f~w4377PvaTkcpn2j z*@59Ubf4+wn3*B$;^Ms5dN+5?xW?M_-8k<}MZRp>&6TIWToDIETUv~F7TSuIpT$2W zqdk;AoFE~2Ts^v7ldF^b`nUX}8^7Y&QeQ2&9L4N#Ya!-2MMb^nilRMvwj_Ag0Pd7Z zCx*cL3uCk7l6%kQ>lZ3zyJYADP@WR$l-i{wW7le2$te)i}lkd8=;6mheAtF3^eJy^FVv+;b z7)9^%+8SNPYPOVRiaKlwxdsV-`jiapk;_WSSd;&Yc()<3eM5(g3BF@Um$|(U@-l^~ zIxC3MzA|TIl1_0PgP52oO*^$jO$Q~4WkVnhiGqt3`Bdlwm>!*5JopmxUIOYXzD0g( zDHtOY80#9TQH|b^t%b2Db{FYGra*cHF5rA=rk;9hU0qa5fNyJf@&!I*zP&17+T7ZU zn8DM4#8`ATIXQAjcSxsMKxG*}^!sX-gg$KU^O;99#=L3*X3ZO8J@UTs@aogilj6PZ zTy4hYC#;%eg}Sr&_!28CxuLx++%J~zn<>*ua0IGvYO}tYq0%Kkr$lT!y#`x<6rWcq zPRp_m4VVAb@}myF=NGK{#*6CLdHMLSe+`jPjSQh{B_-`C%k+;8K}0q~jE-Rd3(Nf! 
za;{Bs1|d#ymC!|Iz%w2Sq-%Z$2WM>P=T|m*g4YN$mK9JvZYZ3DLKhPyB{zAv-)zVv z@a5_{oVs6Y?3?QSG-g>Mf12I~`F(vXuk~|-ulG=xS9XPK!&h==`BBk9;O^fvxm~f# zN3=gF(I&K>1S;=q8$wq ztjreAFlm?ZNS|J!hH9dea|~HBX+;0mj{Dc%``6^k#ogU`s!B}R;BOk@+^OKBSO2#_ z6?mqu`bXv1tZ#?$H&G{%&K1!?G@+DM@7Ls51Xc)6YsFWLL}CGjqE0+lgCo|MPVO7t z1QlvXlm5hPkM;HT6j6%1D%;OXWlS*P$(pU< zeZAc)tjZ$2cftPCy20Y39Hn5Qp5|&Bhj!-(MwG5h9iOQ5bvs<<^b%^C(etrxNTen% zB&+#(=K)gzcVr)GYaq_mpNO84>9_Pa0@CNKKuq+8)+_o?z|~)#iYU@L272S17y%X# zlkZE4qfikBk@KW*CSCuvKuNNEXei>@14`(7PH?op1by9(>NtXB=4=` zh_Y|Ht&B+hh60mI`po7!i7i#H27NMqw)CIhPvfTNEUZm?zFY=EEqw^k%ZmAY!*$li zNU;<>bTh_cxU$FZ?zE_7iX+2#@C~)3yHmnZ%k7(w_AY#I_q)!{BG_h5O{kN;L z%I1*uU?rw6TlpB!7yQPAiVDZNsV0y}RH5{hxPKjIMf(fn!p1Y#lYGT9(zD<3|C4x_ zM(yy8j<>bnUzPsf4K^VGrtft6bX1rNTk^}o)3(Fz1BQK792}g|=usHJ+MhI+kAsYY zZfzd>AtJIJ{_#ej9XjCr+C49mTD+M%ot)g)jkGzSl9G}}S(2*qAFiI5Tssv0T78oQr^)odyqrN#2=B!S2S^1vVg$j(`!(>PpdT8tq6p4b!Fjl>* zXU@gp9ULUMxTtcgcu9@(tQLS3B${J#O6zm8$?BPWGeYcjm>%~HvA=G-zxvl6NW4?% zrxFuNS(8KYIwwHu7B%pGcFZYktX^Oc@~=>XF()S{``7~j&Abr)%dWXkSNm@EULhuH$CF7q-djJEdHBEj?Xn}jUQU!oua*h zWMTS>lO3&W5_L|Po-hWrPo?EGQ8n`DhtsQi4h!bK2T~mQUd&R{MWm zLDvM(qk({7l`7x|-|g z4R35`h7LKVPuOD&%ws4(U{b#4_&GfCAYM@$*pqK(^g^aou6Ziy*zv|xFtFWPh{J65 zvO4@Ulj++vAv=C^!7#UN4QIHi^o85Du%nA3(_Xf-aGyoIwP!_BLs@uIRI5>*afM9p zl%$0qOwLll(;MRk__?bJs=Il+p?pAyE7Nl{IO1p<*g%Q^_HIFQxeMNZQ@JMS=1)qF zISw9jY(zNHREJYwo3_ktM2XLP=GK?eDLJW-t^FWOt(ai%^U@l=RGGBQd+hw=DL^a$ zihxO^0s!cAvneh~iCNNcxVnXx?aOeUp^-kH?~~{c_o(N#Bm2)&&j>bP?+i$^DN(gz z;kA=y!_lvWZ+LGhx1QhI({xKw4d&H5u$kyA%a&-2ZDNB^;YkeJ< zhibn6^hMCh_8g6<$&k}3bU_b@a3014o!&6@`6g&8wGHo2&}ipeKlz%5Aq={iYfQ1u z8;!60HkX`Vxguv*K8iwx;KpE#n`#j7CehHQe+14Z1Iljh-M^!~Q&4NUV3hAL7f)9j zVuByR6oL{%sZxLVc#V(15qC}BK{eX|LIknHm6s{=^vRc{mn#IHBtQn>)46s>XNJ*M zNoZzfu%IaC=d~w-3yfZ`WxK7Z&n4KL1TUQd=6^Z z)f1m&BZ?&=Jl`z=WYUEF<}9gAM)LHz;?|u>3oUiMMU->m4fo9r^rkn#RktKN6YK z|80gXAN6Lv{>_Zom#ZD#Gh08;3G=M5oI>yIM7WO;Ntvc4T3cTjk?~RDHFr-}Ez(TwZWi18tWeK+96t zUipZ7T%bYAb=YWYE4%efZ9ji^++7yj^BiRuZ!uXADw>=~4SUd4-lkRc7bm 
z=4z;459=gAV%-v!ECdE)?$p}C)MP!!_iC0%#%10)2Up4EXL~ps>Svk?&4;_DWhFIJmNso>(y>2X%7gz`16yLUtTI{^eH+3 ztV7;)=9?1YxL#j3LEpL|sg`rO+K*}Ud-MRa@_uT7&(nqtHHZ4^f}x2;(gjvvP(s2u zX*e|K$!MLGjXZMPiG@i~LH$;ups5!g(TliIq|N44w@ItnSqKCQn)MJa;=P2F1-hw7 zb{XmF=l)~2YSzcLRu=nweZQ_m=NrY05g*n0cxq`jC8y8OX~{JO8l|@!I^tA973;IU zyRDe8EW<|6yllpL@1rqn&ZW7klv~7MeaLc0=ww2`ei204tc% zK6q^dHI_KwJ0}DhrJ+(0 zFOOBSs?6Sow{d?esL48rP)vTFn`7h(2H-}Mez8%H$>V}Y-bS7gUW$rD}FZR-Q%~LyJda*`~&Z$disOZ6QJR~^m!^g(%nD&U~3N0lsqk~ z2=j+y>}`Bq+#`$Qj|Ytn#BX?(e)6$iH($7u61A)iXt2J5VCj%$BqKWW0jKdWzU<|% z_4H095{=HTGR(oa|A)Ny42xo0*G1c`C@Lr*S#k!+NR&*|1j(TZ5}Mp#lO&^4a;9l$ zG7_4MNNh4nj)KtSBsqiRjJM{RYwqRTYwf+yJ?Gwip7Wgg0b_L4sQSjJQ6qfeeKA5Y z5hAkhV%vHU`U>q1e5~Oj9;8l=@KZNXi+3-W=JNn8EMI!@MC{c?V|4 z$`okw9hVfV)?hb1|Gy}B5K@cW1?zV-0rVx z@g@RKiO8ZRvanC!(5y*Gx^y+WvIaqvK#t)TO^WR9w8hAT>$n(O^ zR-D4^^Eer-!%F#H(+{?#u|TQz$TpcmT2l?j0uzz|xp_M8j&I-{)s}ZUQ zZhejP8i>_@6pAYI1$?M0w?+!IHly`a!eU|oe7CPfwc%8PQ`b<6?;f#KwP89iDXN^a zIJq`BEs+^qRx@s3VeHPfJAL_wZ*4PI5P71aV6oQ7ccV61@3;kdEU69d;vHs}*5HH( z=4y(<<_nYcPt|9&7gk?8fzem&rK#R4R><0L?$?NgK}a#mA%svJEz-=XCsm;r(sVSB7J5&jb^EWl~Dv zRVNJ8%#KK3(@&9C9*uO`zA>$%2fIfki-l^p3q}vjn3EPKcn;Q036g7K%ji5O;I7n#i_d@ZA;jB`o>-l zP2`2c@5bi*ddg>P0QZZkFeh^NT_j!Nf}EtcDn@}zKC5opA++)bN#N9AXeM8I+0dQ( z+DxWK=gKwrrIY2`$Gk0o`&ub5q1qf3t3g4ajhx?p-;Cqs)X?h4M$Y}P>@x5m7yVd+ zf9AJZ9`VDNY87D)YZ^~se3>~J3L~YaBe5FX8hR`kgSo%TPq|olE%`uz@s8iCu_Eob z$$I_N#H8jQ`7?TQg#jC=^bvh}^j$Wn7!x&K(6PEA52qs4k*00{Nxs{nTx_fVO^yaZ z*TsF|A+*$nCeK(~)Ec2hDrc-5s>(;b3I&btins$d1TT9U+Jl!<^>;^{XiQMCgPyKH zHjPtuko;zo$#iv0OY_QTwR5kEF4m|E#@tufJD^Is-S<`See{UjH2>sa_MX)%?gkB> zcVUUrd+2-FQUW8NdjLfYYC_av5LlR@*aG2UZEbTmE#H5}>A8vdaD@tlakPJZPuXBF zq8Eo24eqe~V3lwRu9M3`qq3f!B-nF_UQ0TC^R??doa1Ps`T$M!DC{zI!m?wtZtXS2 z)&=pEfQ3_tgu>akydzi2$E{7C!LBay_(OI3;bEutL<|^2u@eJ8fo{!RlP^l; z)$X_wmvBu!-?3ECqSuvbJIc-jxou zqoq$jufiQ4%CA4pk8|z!N698CEoRbT|&@8CYEu!1m@yb)=lHbBFyC7p~HY z6*~GVq#nV+2CNFhU)lGP(P}!AJJyt+$Yt|e*R~!vrw&JZWNxr>5KScJt$9t6Mvfb8W`8TlkqY= zS+O_W)(W$zbl1JUSo7jWy37}j|D3()dEe{&(!%u0%GAhev}{X-aHhThubRs) 
zVcZqD&CW4_3QOmKPGfD4(_qN$%s1XT`emJ%Ms3*2p`=Rdxq;qT9virXI=RJ%h%_%i zdz=Emeqbm~wX5W%6Q`T-j&!II5wy3-9BWh)E^>%YXh}vf99Hsj#3`u9RBtu{FN&sD zU(JyCC+KB)F_Cw68EP&>iInhB#gR$WC5f$MiT@W%hW8x7~+u$Q1KvWDwvb z?iZu}9YBQ-NbgCwOB@m=$8H6Q^};3WqUPqEJB92phcVR~o7xp}r9I zL+>dxfUzK7H*^_iFgaP5qxg2|o{h4)xJPV z!o#h*GSR?AE^b#*@$qz*^^=Ylbh$UK)n-2-qvH zjwg5<17TDS2u5mH%snr)J$89L{_cujX*0{L)T5>2OWysoWOLAiG*-7(6IR!kr7?Q7>q=vsESC<0L`EvnI|(&Xd@O>(`ULM#bi?W zFpoLg*gRfEOFhWp^Q$o*I!=zcxKjXbngy*rehBPPelu1;PB@={>Con{H`tl&o(?hA zt1rkyl^MUh_h9YmwkLThCznO77Iz_!^Ol#iAajo~b@NBX?^q*7D@k;lAF|k5Dx_TH zLqW^xkW5h9%(;0ut6glZ#%v$n)jXJ^!SZ`9ydk{uw}S{I z4?FGX{7BSC+eMkc?>hP>jtkG3QHWC@9*HkQkEVHU^>)m+;?O|9_JMlBvqeO56HXTT_XzjI%Q@hfH=rl-lSH=&cGr4X#L zHkqJ5|4@TQ?9rA`m!`$6l5YZ^`Fq9_F0+~EMGUq6dWO~!bH|K=E~-(CYYcE{Jkz^H zM`h8d?(OufJX=1|wcr8sD%H1DN-XkfR@Plyq>-?DSu)r% z3;nKZnIA&do7nf|$Pq>Yv zVOLR824UV{Ma^-TussVW;c=D1F&VG8HJ!?tN=X~f%r%jDyHN&fnh|YTqZkeDmzk$f zYxM!S*{sSb8%4KBU;5A}KaE%8;Ue5^j`ybJ_}fD>6t&Et1CMK6guayR5BHX1{G3(+ z$E>D#DS^=-z3jY?5@f?=*u3%SG}rF94EJZJczy%o3Sh1{M!o zqg++NVXa2BkpQ?36?2FXY&1}Kg%bD9S`zNrJ^GBKtjxB^h7uzwP1soijS%R5c;zw} z>m{UUcPuz2!dxBZ%{!1M{KozpRxCkl2O;d`j@g5Bd(a_K^C2peEQ+g*B9}Lz%6a76=U6c3B8YG(T; zk1ev&@$}t@YFtPA9%$|F(e_&G46DuUDnAPk5u4La^3^^369jshrb%v4Gk1coA8gJ za~0Am6*hC>aU49|9F-d`XV6~Cua4P>?s`&nu@PT58Y_*x*CsV9C}_$HlY^|flOmP9 zspS+GZ0IH>msi-}i-NqSug2ZI@pjGKVG^`&)fqJsqnXj5={^ zvtgoouYPxJMjnsCIB^eaY1}Rr0lH>n@|IeeZ+(j<4yqBs-pL{baZ*cDBOuWWb-Fc} zZF8pr3lYlihI!G^IoSNXXK!;H%U9odH21p{bul+m{V^3g^O;_v968OL0PLX zxwwMKRW^pA4daFd+h^YV3^A@JbQF;=egfFYis0R!AoS72)m~a!j-X0f5H;WG)0q~HgN6<5+@elTBW(G)hoGFvz9H43q*Hy-?zuS#WQ`y6P}%EDc1>_Dw(&qvW1xswa66g8d=qBYAJ<-9M6nIw#0w^SBS7t2bW! 
From 92704fbcb2ff57ae78d9b447c301b267bd1afd1a Mon Sep 17 00:00:00 2001 From: David Date: Fri, 15 Dec 2023 10:02:59 -0500 Subject: [PATCH 09/13] fleshed out BootImageHistory, added YAML examples --- .../machine-config/manage-boot-images.md | 105 ++++++++++++++---- 1 file changed, 86 insertions(+), 19 deletions(-) diff --git a/enhancements/machine-config/manage-boot-images.md b/enhancements/machine-config/manage-boot-images.md index 913d4a292f..9017f56bc8 100644 --- a/enhancements/machine-config/manage-boot-images.md +++ b/enhancements/machine-config/manage-boot-images.md @@ -66,6 +66,7 @@ This should not interfere with existing workflows such as Hive and ArgoCD. As th - The new subcontroller is only intended to support clusters that use MachineSet backed node scaling. This is meant to be a user opt-in feature, and if the user wishes to keep their boot images static it will let them do so. - This does not intend to solve [booting into custom pools](https://issues.redhat.com/browse/MCO-773). - This does not target Hypershift, as [it does not use machinesets](https://github.com/openshift/hypershift/blob/32309b12ae6c5d4952357f4ad17519cf2424805a/hypershift-operator/controllers/nodepool/nodepool_controller.go#L2168). +- This does not target [ControlPlaneMachineSets](https://docs.openshift.com/container-platform/4.14/machine_management/control_plane_machine_management/cpmso-about.html). ## Proposal 
@@ -91,7 +92,7 @@ As mentioned in the above section, degrading will only happen when the patching #### Reverting to original bootimage -The proposal will introduce a CR, `MachineSetBootImageHistory` to store the boot image history associated with a given machineset. By providing this CR and accompanying documentation, the user will be able to restore their machinesets to an earlier state if they wish to do so. +The proposal will introduce a CR, `BootImageHistory` to store the boot image history associated with a given machineset. By providing this CR and accompanying documentation, the user will be able to restore their machinesets to an earlier state if they wish to do so. ### Workflow Description @@ -193,6 +194,8 @@ Based on the observation above, here is a rough outline of what CAPI support wou Much of the existing design regarding architecture & platform detection, opt-in, degradation and storing boot image history can remain the same. +When [MachineDeployments](https://cluster-api.sigs.k8s.io/developer/architecture/controllers/machine-deployment#machinedeployment) are introduced into CAPI, this mechanism will need to be reworked to update those rather than the MachineSet itself. + ### API Extensions #### Opt-in Mechanism 
@@ -282,44 +285,108 @@ spec: ``` #### Tracking boot image history -This proposal will also introduce a new CR, `MachineSetBootImageHistory` for tracking boot image history. As a starting point, here is a stub type definition for this: +This proposal will also introduce a new CR, `BootImageHistory` for tracking boot image history. As a starting point, here is a stub type definition for this: ``` -type MachineSetBootImageHistory struct { +type BootImageHistory struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - Spec MachineSetBootImageHistorySpec `json:"spec,omitempty"` - Status MachineSetBootImageHistoryStatus `json:"status,omitempty"` + Spec BootImageHistorySpec `json:"spec,omitempty"` + Status BootImageHistoryStatus `json:"status,omitempty"` +} + +// BootImageHistorySpec defines the desired state of BootImageHistory +type BootImageHistorySpec struct { } -// MachineSetBootImageHistorySpec defines the desired state of MachineSetBootImageHistory -type MachineSetBootImageHistorySpec struct { - MachineSetName string `json:"machineSetName"` - Details []BootImageHistoryDetail `json:"details"` +// BootImageHistoryStatus defines the observed state of BootImageHistory +type BootImageHistoryStatus struct { + // machineResourceReference contains identifying information of the machine management resource being tracked. + // +kubebuilder:validation:Required + // +required + MachineResourceReference MachineResourceReference `json:"machineResourceReference"` + // details is a list of boot image history entries of the machine resource. 
+ // +optional + Details []BootImageHistoryDetail `json:"details,omitempty"` } -// MachineSetBootImageHistoryStatus defines the observed state of MachineSetBootImageHistory -type MachineSetBootImageHistoryStatus struct { +type MachineResourceReference struct { + // name is the machine management resource's name + // +kubebuilder:validation:Required + // +required + Name string `json:"name"` + // kind is the machine management resource's kind + // +kubebuilder:validation:Required + // +required + Kind string `json:"kind"` + // apiGroup is name of the APIGroup that the machine management resource belongs to. This is for disambiguating + // between Cluster API and Machine API backed resources. + // +kubebuilder:validation:Required + // +required + APIGroup string `json:"apiGroup"` } // BootImageHistoryDetail is the struct for each element in the Details array type BootImageHistoryDetail struct { - Index int `json:"index"` - UpdatedTime metav1.Time `json:"updatedTime"` - BootImageRef string `json:"bootImageRef"` + // updateTime records the timestamp at which the update took place. + // +required + UpdateTime metav1.Time `json:"updatedTime"` + // bootImageRef records the new boot image reference to which the update took place. + // +required + BootImageRef string `json:"bootImageRef"` } -// MachineSetBootImageHistoryList contains a list of MachineSetBootImageHistory -type MachineSetBootImageHistoryList struct { +// BootImageHistoryList contains a list of BootImageHistory +type BootImageHistoryList struct { metav1.TypeMeta `json:",inline"` metav1.ListMeta `json:"metadata,omitempty"` - Items []MachineSetBootImageHistory `json:"items"` + Items []BootImageHistory `json:"items"` } + ``` -There will be one instance of this per `Machineset`. It will be updated by the MSBIC as `Machinesets` are created/updated and will exist in the same namespace as the `MachineSet`. This CRD will also need to support MAPI and CAPI backed `MachineSets`. 
The goal of this is to provide information about the "lineage" of a `MachineSet` to the user. The user can then manually restore their `MachineSet` to an earlier state if they wish to do so by following documentation. +There will be one instance of this per machine management resource(which can be a MachineSet[MAPI or CAPI], MachineDeployment...etc). It will be named the same as the resource being tracked. The MSBIC is responsible for creating and updating this CR when a boot image update takes place. This CR will exist in the same namespace as the resource. + +YAML Example for a MAPI backed machineset scenario: +``` +apiVersion: machineconfiguration.openshift.io/v1alpha1 +kind: BootImageHistory +metadata: + name: djoshy10-2tcqv-worker-a +spec: {} +status: + machineResourceReference: + name: djoshy10-2tcqv-worker-a + kind: MachineSet + apiGroup: cluster.x-k8s.io/v1alpha3 + details: + - updateTime: "2023-12-14T12:00:00Z" + bootImageRef: "projects/rhcos-cloud/global/images/rhcos-414-92-202308032115-0-gcp-x86-64" + - updateTime: "2023-12-14T14:30:00Z" + bootImageRef: "projects/rhcos-cloud/global/images/rhcos-415-92-202311241643-0-gcp-x86-64" -The MCO will not directly consume from this CR. This is not planned to be part of the initial release, but more of a nice to have. 
+``` + +YAML Example for a CAPI backed machineset scenario: +``` +apiVersion: machineconfiguration.openshift.io/v1alpha1 +kind: BootImageHistory +metadata: + name: djoshy10-2tcqv-worker-a +spec: {} +status: + machineResourceReference: + name: djoshy10-2tcqv-worker-a + kind: MachineSet + apiGroup: machine.openshift.io/v1beta1 + details: + - updateTime: "2023-12-14T12:00:00Z" + bootImageRef: "projects/rhcos-cloud/global/images/rhcos-414-92-202308032115-0-gcp-x86-64" + - updateTime: "2023-12-14T14:30:00Z" + bootImageRef: "projects/rhcos-cloud/global/images/rhcos-415-92-202311241643-0-gcp-x86-64" + +``` +The goal of this is to provide information about the "lineage" of a machine management resource to the user. The user can then manually restore their machine management resource to an earlier state if they wish to do so by following documentation. The MCO will not directly consume from this CR. This is not planned to be part of the initial release, but more of a nice to have. ### Implementation Details/Notes/Constraints [optional] From 74966a54a529a6165dc789d32db9fac88507739e Mon Sep 17 00:00:00 2001 From: David Date: Tue, 23 Jan 2024 16:19:09 -0500 Subject: [PATCH 10/13] add final opt-in API shape, reword & cleanups --- .../machine-config/manage-boot-images.md | 246 ++++++++++++------ 1 file changed, 162 insertions(+), 84 deletions(-) diff --git a/enhancements/machine-config/manage-boot-images.md b/enhancements/machine-config/manage-boot-images.md index 9017f56bc8..3c80c7c1b0 100644 --- a/enhancements/machine-config/manage-boot-images.md +++ b/enhancements/machine-config/manage-boot-images.md @@ -13,7 +13,7 @@ approvers: api-approvers: - "@joelspeed" creation-date: 2023-10-16 -last-updated: 2022-12-11 +last-updated: 2024-01-23 tracking-link: - https://issues.redhat.com/browse/MCO-589 see-also: 
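Review bot: in the BootImageHistory hunk of PATCH 09/13 (@@ -282,44 +285,108 @@), the two YAML examples carry each other's apiGroup: the one introduced as "MAPI backed" sets `apiGroup: cluster.x-k8s.io/v1alpha3`, and the one introduced as "CAPI backed" sets `apiGroup: machine.openshift.io/v1beta1`. The field comment says apiGroup exists to disambiguate Cluster API from Machine API backed resources, so the values should be swapped. It is also worth deciding whether the field holds a bare group or a group/version, since both examples include a version while the comment says "name of the APIGroup". Separately, the Go stub tags `UpdateTime` as `json:"updatedTime"` while both examples write `updateTime`; one of the two has to change or the examples will not round-trip through the type.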
@@ -31,7 +31,7 @@ This is a proposal to manage bootimages via the `Machine Config Operator`(MCO), For `MachineSet` managed clusters, the end goal is to create an automated mechanism that can: - update the boot images references in `MachineSets` to the latest in the payload image -- ensure stub ignition referenced in each `Machinesets` is in spec 3 format +- ensure stub Ignition config referenced in each `Machinesets` is in spec 3 format For clusters that are not managed by `MachineSets`, the end goal is to create a document(KB or otherwise) that a cluster admin would follow to update their boot images. 
@@ -43,30 +43,30 @@ Currently, bootimage references are [stored](https://github.com/openshift/instal - podman [[1](https://issues.redhat.com/browse/OCPBUGS-9969)] - skopeo [[1](https://issues.redhat.com/browse/OCPBUGS-3621)] -Additionally, the stub secret [referenced](https://github.com/openshift/installer/blob/1ca0848f0f8b2ca9758493afa26bf43ebcd70410/pkg/asset/machines/gcp/machines.go#L197) in the `MachineSet` is also not managed. This stub is used by the ignition binary in firstboot to auth and consume content from the `machine-config-server`(MCS). The content served includes the actual ignition configuration and the target OCI format RHCOS image. The ignition binary now does first boot provisioning based on this, then hands off to the `machine-config-daemon`(MCD) first boot service to do the reboot into the target OCI format RHCOS image. +Additionally, the stub Ignition config [referenced](https://github.com/openshift/installer/blob/1ca0848f0f8b2ca9758493afa26bf43ebcd70410/pkg/asset/machines/gcp/machines.go#L197) in the `MachineSet` is also not managed. This stub is used by the ignition binary in firstboot to auth and consume content from the `machine-config-server`(MCS). The content served includes the actual Ignition configuration and the target OCI format RHCOS image. The ignition binary now does first boot provisioning based on this, then hands off to the `machine-config-daemon`(MCD) first boot service to do the reboot into the target OCI format RHCOS image. -There has been [a previous effort](https://github.com/openshift/machine-config-operator/pull/1792) to manage the stub secret. It was [reverted](https://github.com/openshift/machine-config-operator/pull/2126) and then [brought back](https://github.com/openshift/machine-config-operator/pull/2827#issuecomment-996156872) just for bare metal clusters. For other platforms, the `*-managed` stub secrets still get generated by the MCO, but are not injected into the `MachineSet`. 
The proposal plans to utilize these unused `*-managed` stub secrets, but it is important to note that this stub secret is generated(and synced) by the MCO and will ignore/override any user customizations to the stub secret. This limitation will be mentioned in the documentation, and a later release will provide support for user customization of the stub secret, either via API or a workaround thorugh additional documentation. This should not be an issue for the majority of users as they very rarely customize the stub secret. +There has been [a previous effort](https://github.com/openshift/machine-config-operator/pull/1792) to manage the stub Ignition config. It was [reverted](https://github.com/openshift/machine-config-operator/pull/2126) and then [brought back](https://github.com/openshift/machine-config-operator/pull/2827#issuecomment-996156872) just for bare metal clusters. For other platforms, the `*-managed` stubs still get generated by the MCO, but are not injected into the `MachineSet`. The proposal plans to utilize these unused `*-managed` stubs, but it is important to note that this stub is generated(and synced) by the MCO and will ignore/override any user customizations to the original stub Ignition config. This limitation will be mentioned in the documentation, and a later release will provide support for user customization of the stub, either via API or a workaround thorugh additional documentation. This should not be an issue for the majority of users as they very rarely customize the original stub Ignition config. -In certain long lived clusters, the MCS TLS cert contained within the above ignition configuration may be out of date. Example issue [here](https://issues.redhat.com/browse/OCPBUGS-1817). While this has been partly solved [MCO-642](https://issues.redhat.com/browse/MCO-642) (which allows the user to manually rotate the cert) it would be very beneficial for the MCO to actively manage this TLS cert and take this concern away from the user. 
+In certain long lived clusters, the MCS TLS cert contained within the above Ignition configuration may be out of date. Example issue [here](https://issues.redhat.com/browse/OCPBUGS-1817). While this has been partly solved [MCO-642](https://issues.redhat.com/browse/MCO-642) (which allows the user to manually rotate the cert) it would be very beneficial for the MCO to actively manage this TLS cert and take this concern away from the user. ### User Stories -* As an Openshift engineer, having nodes boot up on an unsupported OCP version is a security liability. By having nodes directly boot on the release payload image, it helps me avoid tracking incompatibilities across OCP release versions and shore up technical debt(see issues linked above). +* As an Openshift engineer, having nodes boot up on an unsupported OCP version is a security liability. By having nodes boot on the latest OCP supported boot image for a given OCP release, there will be less of a skew with the release payload image. This helps me avoid tracking incompatibilities across OCP release versions and shore up technical debt(see issues linked above). * As a cluster administrator, having to keep track of a "boot" vs "live" image for a given cluster is not intuitive or user friendly. In the worst case scenario, I will have to reset a cluster(or do a lot of manual steps with rh-support in recovering the node) simply to be able to scale up nodes after an upgrade. If I'm managing a `MachineSet` managed cluster, once opted in, this feature will be a "switch on and forget" mechanism for me. If I'm managing a non `Machineset` managed cluster, this would provide me with documentation that I could follow after an upgrade to ensure my cluster has the latest bootimages. ### Goals -The MCO will take over management of the boot image references and the stub ignition. 
The installer is still responsible for creating the `MachineSet` at cluster bring-up of course, but once cluster installation is complete the MCO will ensure that boot images are in sync with the latest payload. From the user standpoint, this should cause less compatibility issues as nodes will no longer need to pivot to a different version of rhcos during node scaleup. +The MCO will take over management of the boot image references and the stub Ignition configuration. The installer is still responsible for creating the `MachineSet` at cluster bring-up, but once cluster installation is complete the MCO will ensure that boot images are in sync with the latest payload. From the user standpoint, this should cause less compatibility issues as nodes will no longer need to pivot to a different version of RHCOS during node scaleup. -This should not interfere with existing workflows such as Hive and ArgoCD. As this is an opt-in mechanism, the cluster admin will be protected against such scenarios of accidental "reconciliation". +This should not interfere with existing workflows such as Hive and ArgoCD. As this is an opt-in mechanism, the cluster admin will be protected against such scenarios of accidental "reconciliation" and for additional safety, the MSBIC will also ensure that machinesets that have a valid OwnerReference will be excluded from boot image updates. ### Non-Goals - The new subcontroller is only intended to support clusters that use MachineSet backed node scaling. This is meant to be a user opt-in feature, and if the user wishes to keep their boot images static it will let them do so. - This does not intend to solve [booting into custom pools](https://issues.redhat.com/browse/MCO-773). - This does not target Hypershift, as [it does not use machinesets](https://github.com/openshift/hypershift/blob/32309b12ae6c5d4952357f4ad17519cf2424805a/hypershift-operator/controllers/nodepool/nodepool_controller.go#L2168). 
-- This does not target [ControlPlaneMachineSets](https://docs.openshift.com/container-platform/4.14/machine_management/control_plane_machine_management/cpmso-about.html). +- This does not target [ControlPlaneMachineSets](https://docs.openshift.com/container-platform/4.14/machine_management/control_plane_machine_management/cpmso-about.html). This is considered future work and will be tracked by [MCO-773](https://issues.redhat.com/browse/MCO-1007). ## Proposal @@ -76,6 +76,7 @@ __Overview__ - Before processing a MachineSet, the MSBIC will check if the following conditions are satisfied: - `ManagedBootImages` feature gate is active - The cluster and/or the machineset is opted-in to boot image updates. + - The machineset does not have a valid owner reference. (eg. Hive and other managed machineset workflows) - The golden configmap is verified to be in sync with the current version of the MCO. The MCO will "stamp"(annotate) the golden configmap with the new version of the MCO after atleast 1 node has succesfully completed an update to the new OCP image. This helps prevent `machinesets` being updated too soon at the end of a cluster upgrade, before the MCO itself has updated and has had a chance to roll out the new OCP image to the cluster. If any of the above checks fail, the MSBIC will exit out of the sync. 
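Review bot: in the Non-Goals line changed by the @@ -43,30 +43,30 @@ hunk, the link text reads MCO-773 while the URL points to MCO-1007. MCO-773 is already the link for "booting into custom pools" two bullets earlier, so the text should probably read MCO-1007 to match the URL. The same hunk's rewritten paragraph on the `*-managed` stubs still carries the typo "thorugh", which can be fixed while the sentence is being touched.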
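Review bot: the precondition added in the @@ -76,6 +76,7 @@ hunk, "The machineset does not have a valid owner reference", does not say what makes an owner reference valid, and neither does the matching sentence added under Goals. Please spell out the test the MSBIC applies (for example, any entry in `metadata.ownerReferences` versus only a controller reference) and what the user sees when a machineset is skipped for this reason, so that an opted-in machineset does not silently stay on an old boot image.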
@@ -189,8 +190,8 @@ It is important to note that InfrastructureMachineTemplate is different per plat Based on the observation above, here is a rough outline of what CAPI support would require: - CAPI backed MachineSet detection, so the MSBIC knows when to invoke the CAPI path - If a boot image update is required, create a new `InfrastructureMachineTemplate` by cloning the existing and updating the boot image reference within. The name of the new `InfrastructureMachineTemplate` object will be generated by hashing the template content. This is consistent with the current CAPI approach to naming new objects. -- Updating the ignition stub in `bootstrap.dataSecretName` to the managed stub secret(`*-managed`) if needed. -- CAPI backed MachineSet patching +- Updating the Ignition stub in `bootstrap.dataSecretName` to the managed stub secret(`*-managed`) if needed. +- CAPI backed MachineSet patching. Once patching is successfully completed, the original `InfrastructureMachineTemplate` can be garbage collected. Much of the existing design regarding architecture & platform detection, opt-in, degradation and storing boot image history can remain the same. 
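Review bot: the sentence added to the last bullet, "Once patching is successfully completed, the original `InfrastructureMachineTemplate` can be garbage collected", sits uneasily with the revert story, because `BootImageHistoryDetail` records only an update time and a `bootImageRef` string per entry. Please state which component deletes the old template and when, and how a user restores an earlier state on a CAPI backed MachineSet once the template that carried the previous boot image is gone.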
@@ -199,56 +200,125 @@ When [MachineDeployments](https://cluster-api.sigs.k8s.io/developer/architecture ### API Extensions #### Opt-in Mechanism +This proposal introduces a new CR in the MCO operator API, `ManagedBootImages` which encloses an array of `MachineManager` objects. A `MachineManager` object contains the resource type of the machine management object that is being opted-in, the API group of that object and a union discriminant object of the type `MachineManagerSelector`. This object `MachineManagerSelector` encloses: -This proposal will introduce a discriminated union in [operator types](https://github.com/openshift/api/blob/master/operator/v1/types_machineconfiguration.go) for the MCO, `ManagedBootImageConfig` which has two fields: +- The union discriminator, `Mode`, can be set to three values : All, Partial and None. +- Partial: This is a label selector that will be used by users to opt-in a custom selection of machine resources. When the Mode is set to Partial mode, all machinesets in the selector list would be considered enrolled for updates. For all other values of Mode, this selector does not exist. -- `Mode` This is a string enum which can have three values: - - `Enabled` - All `Machinesets` will be enrolled for boot image updates. - - `CustomConfig` - `Machinesets` matched with the label selector will be enrolled for boot image updates. - - `Disabled` - No `Machinesets` will be enrolled for boot image updates. -- `CustomConfig` This is struct which encloses a label selector that will be used by machineset objects to opt-in. 
- -Here are some YAML examples that describes operators in each of these modes: -##### Enabled -``` -apiVersion: operator.openshift.io/v1 -kind: MachineConfiguration -metadata: - name: default - labels: -spec: - managedBootImageConfig: - mode: Enabled -``` -##### Disabled ``` -apiVersion: operator.openshift.io/v1 -kind: MachineConfiguration -metadata: - name: default - labels: -spec: - managedBootImageConfig: - mode: Disabled +type ManagedBootImages struct { + // machineManagers is an array of machineManager objects. + // The MCO will watch for changes to this list and register/de-register machine management resources from boot image updates. + // An entry in this list consists of the resource type, the API group that the resource belongs to and a selection filter + // on the resources. + // + // Warning: Only one entry is permitted per unique pair of resource/API group. The label selector provided within MachineManager + // can be used for further customization if required. + // + // +optional + // +listType=map + // +listMapKey=resource + // +listMapKey=apiGroup + MachineManagers []MachineManager `json:"machineManagers"` +} + +// MachineManager contains identifying information of a machine management resource(eg. a machineset) that will be +// registered for boot image updates. This is likely to evolve as support for more machine management resources are added. +type MachineManager struct { + // resource is the machine management resource's type. + // + // The following values are accepted: + // - MachineSets: The machine manager will only register resources of the type MachineSet, which may belong to MachineAPI or ClusterAPI. + // + // +kubebuilder:validation:Required + Resource MachineManagerMachineSetsResourceType `json:"resource"` + // apiGroup is name of the APIGroup that the machine management resource belongs to. 
+ // + // The following values are accepted: + // - MachineAPI: The machine manager will only register resources that belong to MachineAPI APIGroup. + // + // +kubebuilder:validation:Required + APIGroup MachineManagerMachineSetsAPIGroupType `json:"apiGroup"` + // selection allows granular control of the machine management resources that will be registered for boot image updates. + // + // +kubebuilder:validation:Required + Selection MachineManagerSelector `json:"selection"` +} + +// +kubebuilder:validation:XValidation:rule="has(self.mode) && self.mode == 'Partial' ? has(self.partial) : !has(self.partial)",message="Partial is required when type is partial, and forbidden otherwise" +// +union +type MachineManagerSelector struct { + // mode is a union discriminator for MachineManagerSelector and can have three possible values. + // - All: All resources specified by the parent MachineManager are registered for boot image updates. + // - None: No resources specified by the parent MachineManager are registered for boot image updates. + // - Partial: resources specified by the parent MachineManager are registered for boot image updates only if they match with the label selector. + // +unionDiscriminator + // +kubebuilder:validation:Required + Mode MachineManagerSelectorMode `json:"mode"` + + // partial provides a label selector that can be used to match machine management resources. + // Only permitted when mode is set to "Partial". + // +optional + Partial *metav1.LabelSelector `json:"partial,omitempty"` +} + +// MachineManagerSelectorMode is a string enum used in the MachineManagerSelector union discriminator. +// +kubebuilder:validation:Enum:="All";"None";"Partial" +type MachineManagerSelectorMode string + +const ( + // All represents a configuration mode that registers all resources specified by the parent MachineManager for boot image updates. 
+ All MachineManagerSelectorMode = "All" + + // None represents a configuration mode that will not register any resource specified by the parent MachineManager MachineManager + // for boot image updates. + None MachineManagerSelectorMode = "None" + + // Partial represents a configuration mode that will register resources specified by the parent MachineManager only + // if they match with the label selector. + Partial MachineManagerSelectorMode = "Partial" +) + +// MachineManagerManagedResourceType is a string enum used in the MachineManager type to describe the resource +// type to be registered. +// +kubebuilder:validation:Enum:="machinesets" +type MachineManagerMachineSetsResourceType string + +const ( + // machinesets represent the MachineSet resource type, which manage a group of machines. + // Although this could belong to a MachineAPI or a ClusterAPI, only MAPI is currently supported. + MachineSets MachineManagerMachineSetsResourceType = "machinesets" +) + +// MachineManagerManagedAPIGroupType is a string enum used in in the MachineManager type to describe the APIGroup +// of the resource type being registered. +// +kubebuilder:validation:Enum:="machine.openshift.io" +type MachineManagerMachineSetsAPIGroupType string + +const ( + // MachineAPI represent the traditional MAPI Group that a machineset may belong to. + // This feature only supports MAPI machinesets at this time. 
+ MachineAPI MachineManagerMachineSetsAPIGroupType = "machine.openshift.io" +) ``` -##### MatchSelector +Here is a YAML snippet of what this config could look like: ``` -apiVersion: operator.openshift.io/v1 -kind: MachineConfiguration -metadata: - name: default - labels: -spec: - managedBootImageConfig: - mode: CustomConfig - CustomConfig: - machineSetSelector: - matchLabels: - machineconfiguration.openshift.io/mco-managed-machineset: "" +managedBootImages: + machineManagers: + - resource: machinesets + apiGroup: cluster.x-k8s.io + selection: + mode: Partial + partial: + matchLabels: {} + - resource: machinesets + apiGroup: machine.openshift.io + selection: + mode: All ``` -Note: While in this mode, the label added to the selector will have to be added to the `machineset` object. +The above example partially selects CAPI MachineSets and all MAPI Machinesets. Please note that for every unique pair of resource/APIGroup, only 1 entry is allowed in machineManagers. This is to avoid providing conflicting instructions for the same type of machine resourcess. The user can then use the partial label selector if further customization is required. -A [ValidatingAdmissionPolicy](https://kubernetes.io/docs/reference/access-authn-authz/validating-admission-policy/) will be implemented via an MCO manifest that will restrict updating the `ManagedBootImageConfig` object to only supported platforms(initially, just GCP). This will be updated as we phase in support for other platforms. Here is a sample policy that would do this: +A [ValidatingAdmissionPolicy](https://kubernetes.io/docs/reference/access-authn-authz/validating-admission-policy/) will be implemented via an MCO manifest that will restrict updating the `ManagedBootImages` object to only supported platforms(initially, just GCP). This will be updated as we phase in support for other platforms. Here is a sample policy that would do this: ``` apiVersion: admissionregistration.k8s.io/v1beta1 
@@ -267,7 +337,7 @@ spec: operations: ["CREATE", "UPDATE"] resources: ["MachineConfiguration"] validations: - - expression: "has(object.spec.MachineBootImageConfig) && param.status.platformStatus.Type != `GCP`" + - expression: "has(object.spec.ManagedBootImages) && param.status.platformStatus.Type != `GCP`" message: "This feature is only supported on these platforms: GCP" ``` This would need an accompanying binding: @@ -285,7 +355,7 @@ spec: ``` #### Tracking boot image history -This proposal will also introduce a new CR, `BootImageHistory` for tracking boot image history. As a starting point, here is a stub type definition for this: +This is just an idea for the moment and is not planned to included when the feature initially GAs. Based on customer feedback and team capacity, this will be implemented in a later release. Boot Image History will be tracked by a new CR called `BootImageHistory`. The MCO will not directly consume from this CR. As a starting point, here is a stub type definition for this: ``` type BootImageHistory struct { 
@@ -298,17 +368,17 @@ type BootImageHistory struct { // BootImageHistorySpec defines the desired state of BootImageHistory type BootImageHistorySpec struct { -} - -// BootImageHistoryStatus defines the observed state of BootImageHistory -type BootImageHistoryStatus struct { // machineResourceReference contains identifying information of the machine management resource being tracked. // +kubebuilder:validation:Required + // +kubebuilder:validation:XValidation:rule="self == oldSelf",message="MachineResourceReference is immutable once set" // +required - MachineResourceReference MachineResourceReference `json:"machineResourceReference"` + MachineResourceReference MachineResourceReference `json:"machineResourceReference"`} + +// BootImageHistoryStatus defines the observed state of BootImageHistory +type BootImageHistoryStatus struct { // details is a list of boot image history entries of the machine resource. // +optional - Details []BootImageHistoryDetail `json:"details,omitempty"` + Details []BootImageHistoryDetail `json:"details"` } type MachineResourceReference struct { @@ -316,10 +386,11 @@ type MachineResourceReference struct { // +kubebuilder:validation:Required // +required Name string `json:"name"` - // kind is the machine management resource's kind + // resource is the machine management resource's type + // Example: "machineset", "machinedeployment"etc. // +kubebuilder:validation:Required // +required - Kind string `json:"kind"` + Resource string `json:"resource"` // apiGroup is name of the APIGroup that the machine management resource belongs to. This is for disambiguating // between Cluster API and Machine API backed resources. // +kubebuilder:validation:Required 
@@ -332,9 +403,12 @@ type BootImageHistoryDetail struct { // updateTime records the timestamp at which the update took place. // +required UpdateTime metav1.Time `json:"updatedTime"` - // bootImageRef records the new boot image reference to which the update took place. + // bootImageVersion records the RHCOS version string to which this update took place. // +required - BootImageRef string `json:"bootImageRef"` + BootImageVersion string `json:"bootImageVersion"` + // configMapGeneration records the version of the golden configmap during this update + // +required + ConfigMapGeneration int64 `json:"configMapGeneration"` } // BootImageHistoryList contains a list of BootImageHistory 
@@ -345,26 +419,27 @@ type BootImageHistoryList struct { } ``` -There will be one instance of this per machine management resource(which can be a MachineSet[MAPI or CAPI], MachineDeployment...etc). It will be named the same as the resource being tracked. The MSBIC is responsible for creating and updating this CR when a boot image update takes place. This CR will exist in the same namespace as the resource. +There will be one instance of this per machine management resource(which can be a MachineSet[MAPI or CAPI], MachineDeployment...etc). It will be named the in the following format: `$(name)-$(resource)`. The MSBIC is responsible for creating and updating this CR when a boot image update takes place. This CR will exist in the same namespace as the resource. YAML Example for a MAPI backed machineset scenario: ``` apiVersion: machineconfiguration.openshift.io/v1alpha1 kind: BootImageHistory metadata: - name: djoshy10-2tcqv-worker-a -spec: {} -status: + name: djoshy10-2tcqv-worker-a-mapi-machineset +spec: machineResourceReference: name: djoshy10-2tcqv-worker-a - kind: MachineSet - apiGroup: cluster.x-k8s.io/v1alpha3 + resource: MachineSet + apiGroup: machine.openshift.io +status: details: - updateTime: "2023-12-14T12:00:00Z" - bootImageRef: "projects/rhcos-cloud/global/images/rhcos-414-92-202308032115-0-gcp-x86-64" + bootImageVersion: "414.92.202308032115-0" + configMapGeneration: 2 - updateTime: "2023-12-14T14:30:00Z" - bootImageRef: "projects/rhcos-cloud/global/images/rhcos-415-92-202311241643-0-gcp-x86-64" - + bootImageVersion: "415.92.202311241643-0" + configMapGeneration: 3 ``` YAML Example for a CAPI backed machineset scenario: 
@@ -373,20 +448,22 @@ apiVersion: machineconfiguration.openshift.io/v1alpha1 kind: BootImageHistory metadata: name: djoshy10-2tcqv-worker-a -spec: {} -status: +spec: machineResourceReference: - name: djoshy10-2tcqv-worker-a - kind: MachineSet - apiGroup: machine.openshift.io/v1beta1 + name: djoshy10-2tcqv-worker-a-capi-machineset + resource: MachineSet + apiGroup: cluster.x-k8s.io +status: details: - updateTime: "2023-12-14T12:00:00Z" - bootImageRef: "projects/rhcos-cloud/global/images/rhcos-414-92-202308032115-0-gcp-x86-64" + bootImageVersion: "414.92.202308032115-0" + configMapGeneration: 2 - updateTime: "2023-12-14T14:30:00Z" - bootImageRef: "projects/rhcos-cloud/global/images/rhcos-415-92-202311241643-0-gcp-x86-64" + bootImageVersion: "415.92.202311241643-0" + configMapGeneration: 3 ``` -The goal of this is to provide information about the "lineage" of a machine management resource to the user. The user can then manually restore their machine management resource to an earlier state if they wish to do so by following documentation. The MCO will not directly consume from this CR. This is not planned to be part of the initial release, but more of a nice to have. +The goal of this is to provide information about the "lineage" of a machine management resource to the user. The user can then manually restore their machine management resource to an earlier state if they wish to do so by following documentation. ### Implementation Details/Notes/Constraints [optional] @@ -452,7 +529,8 @@ Additionaly, a phased approach such as the following is the proposed: #### Phase 2 - Tracking boot image history - User facing documentation for manual restoration -- User customization of ignition stub +- User customization of Ignition stub secret +- Canary testing a patched MachineSet, gated by a flag. #### Removing a deprecated feature From 5a965fe91e49a0947939f7b3e0f7227f2d82fa73 Mon Sep 17 00:00:00 2001 
From: David Date: Thu, 25 Jan 2024 10:35:46 -0500 Subject: [PATCH 11/13] update to add MachineDeployment OwnerRef guards --- enhancements/machine-config/manage-boot-images.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/enhancements/machine-config/manage-boot-images.md b/enhancements/machine-config/manage-boot-images.md index 3c80c7c1b0..35ef98b99b 100644 --- a/enhancements/machine-config/manage-boot-images.md +++ b/enhancements/machine-config/manage-boot-images.md @@ -76,7 +76,7 @@ __Overview__ - Before processing a MachineSet, the MSBIC will check if the following conditions are satisfied: - `ManagedBootImages` feature gate is active - The cluster and/or the machineset is opted-in to boot image updates. - - The machineset does not have a valid owner reference. (eg. Hive and other managed machineset workflows) + - The machineset does not have a valid owner reference. (eg. Hive, Cluster API and other managed machineset workflows) - The golden configmap is verified to be in sync with the current version of the MCO. The MCO will "stamp"(annotate) the golden configmap with the new version of the MCO after atleast 1 node has succesfully completed an update to the new OCP image. This helps prevent `machinesets` being updated too soon at the end of a cluster upgrade, before the MCO itself has updated and has had a chance to roll out the new OCP image to the cluster. If any of the above checks fail, the MSBIC will exit out of the sync. 
@@ -188,14 +188,14 @@ As can be seen, the bootimage becomes part of an `InfrastructureMachineTemplate` It is important to note that InfrastructureMachineTemplate is different per platform and is immutable. This will prevent an update in place style approach and would mean that the template would need to be cloned, updated during the clone, and then the MachineSet updated. This is somewhat similar to the approach used in the current MAPI PoC of cloning the `providerSpec` object, updating it and then patching the `MachineSet`. The `bootstrap` object is platform agnostic, making it somewhat simpler to update. Based on the observation above, here is a rough outline of what CAPI support would require: -- CAPI backed MachineSet detection, so the MSBIC knows when to invoke the CAPI path +- CAPI backed MachineSet detection, so the MSBIC knows when to invoke the CAPI path. - If a boot image update is required, create a new `InfrastructureMachineTemplate` by cloning the existing and updating the boot image reference within. The name of the new `InfrastructureMachineTemplate` object will be generated by hashing the template content. This is consistent with the current CAPI approach to naming new objects. - Updating the Ignition stub in `bootstrap.dataSecretName` to the managed stub secret(`*-managed`) if needed. - CAPI backed MachineSet patching. Once patching is successfully completed, the original `InfrastructureMachineTemplate` can be garbage collected. -Much of the existing design regarding architecture & platform detection, opt-in, degradation and storing boot image history can remain the same. +When [MachineDeployments](https://cluster-api.sigs.k8s.io/developer/architecture/controllers/machine-deployment#machinedeployment) are introduced into CAPI, this mechanism will need to be reworked to update those rather than the `MachineSet` itself. 
`MachineDeployments` manage a fleet of `MachineSets`, and this can be checked via the `OwnerReference` field in the `MachineSet` object. -When [MachineDeployments](https://cluster-api.sigs.k8s.io/developer/architecture/controllers/machine-deployment#machinedeployment) are introduced into CAPI, this mechanism will need to be reworked to update those rather than the MachineSet itself. +Much of the existing design regarding architecture & platform detection, opt-in, degradation and storing boot image history can remain the same. ### API Extensions From 92a17e6da5a5c0746da40163eadfb461cd0fed84 Mon Sep 17 00:00:00 2001 From: David Date: Tue, 13 Feb 2024 09:36:56 -0500 Subject: [PATCH 12/13] add final API shape, minor corrections --- .../machine-config/manage-boot-images.md | 65 ++++++++----------- 1 file changed, 27 insertions(+), 38 deletions(-) diff --git a/enhancements/machine-config/manage-boot-images.md b/enhancements/machine-config/manage-boot-images.md index 35ef98b99b..24ab2c61d4 100644 --- a/enhancements/machine-config/manage-boot-images.md +++ b/enhancements/machine-config/manage-boot-images.md @@ -13,7 +13,7 @@ approvers: api-approvers: - "@joelspeed" creation-date: 2023-10-16 -last-updated: 2024-01-23 +last-updated: 2024-02-13 tracking-link: - https://issues.redhat.com/browse/MCO-589 see-also: 
@@ -66,7 +66,7 @@ This should not interfere with existing workflows such as Hive and ArgoCD. As th - The new subcontroller is only intended to support clusters that use MachineSet backed node scaling. This is meant to be a user opt-in feature, and if the user wishes to keep their boot images static it will let them do so. - This does not intend to solve [booting into custom pools](https://issues.redhat.com/browse/MCO-773). - This does not target Hypershift, as [it does not use machinesets](https://github.com/openshift/hypershift/blob/32309b12ae6c5d4952357f4ad17519cf2424805a/hypershift-operator/controllers/nodepool/nodepool_controller.go#L2168). -- This does not target [ControlPlaneMachineSets](https://docs.openshift.com/container-platform/4.14/machine_management/control_plane_machine_management/cpmso-about.html). This is considered future work and will be tracked by [MCO-773](https://issues.redhat.com/browse/MCO-1007). +- This does not target [ControlPlaneMachineSets](https://docs.openshift.com/container-platform/4.14/machine_management/control_plane_machine_management/cpmso-about.html). This is considered future work and will be tracked by [MCO-1007](https://issues.redhat.com/browse/MCO-1007). ## Proposal 
@@ -77,7 +77,7 @@ __Overview__ - `ManagedBootImages` feature gate is active - The cluster and/or the machineset is opted-in to boot image updates. - The machineset does not have a valid owner reference. (eg. Hive, Cluster API and other managed machineset workflows) - - The golden configmap is verified to be in sync with the current version of the MCO. The MCO will "stamp"(annotate) the golden configmap with the new version of the MCO after atleast 1 node has succesfully completed an update to the new OCP image. This helps prevent `machinesets` being updated too soon at the end of a cluster upgrade, before the MCO itself has updated and has had a chance to roll out the new OCP image to the cluster. + - The golden configmap is verified to be in sync with the current version of the MCO. The MCO will "stamp"(annotate) the golden configmap with the new version of the MCO after atleast 1 master node has succesfully completed an update to the new OCP image. This helps prevent `machinesets` being updated too soon at the end of a cluster upgrade, before the MCO itself has updated and has had a chance to roll out the new OCP image to the cluster. If any of the above checks fail, the MSBIC will exit out of the sync. - Based on platform and architecture type, the MSBIC will check if the boot images referenced in the `providerSpec` field of the `MachineSet` is the same as the one in the ConfigMap. Each platform(gcp, aws...and so on) does this differently, so this part of the implementation will have to be special cased. The ConfigMap is considered to be the golden set of bootimage values, i.e. they will never go out of date. If it is not a match, the `providerSpec` field is cloned and updated with the new boot image reference. 
@@ -200,21 +200,15 @@ Much of the existing design regarding architecture & platform detection, opt-in, ### API Extensions #### Opt-in Mechanism -This proposal introduces a new CR in the MCO operator API, `ManagedBootImages` which encloses an array of `MachineManager` objects. A `MachineManager` object contains the resource type of the machine management object that is being opted-in, the API group of that object and a union discriminant object of the type `MachineManagerSelector`. This object `MachineManagerSelector` encloses: +This proposal introduces a new field in the MCO operator API, `ManagedBootImages` which encloses an array of `MachineManager` objects. A `MachineManager` object contains the resource type of the machine management object that is being opted-in, the API group of that object and a union discriminant object of the type `MachineManagerSelector`. This object `MachineManagerSelector` contains: -- The union discriminator, `Mode`, can be set to three values : All, Partial and None. +- The union discriminator, `Mode`, can be set to two values : All and Partial. - Partial: This is a label selector that will be used by users to opt-in a custom selection of machine resources. When the Mode is set to Partial mode, all machinesets in the selector list would be considered enrolled for updates. For all other values of Mode, this selector does not exist. ``` type ManagedBootImages struct { - // machineManagers is an array of machineManager objects. - // The MCO will watch for changes to this list and register/de-register machine management resources from boot image updates. - // An entry in this list consists of the resource type, the API group that the resource belongs to and a selection filter - // on the resources. - // - // Warning: Only one entry is permitted per unique pair of resource/API group. The label selector provided within MachineManager - // can be used for further customization if required. 
- // + // machineManagers can be used to register machine management resources for boot image updates. The Machine Config Operator + // will watch for changes to this list. Only one entry is permitted per type of machine management resource. // +optional // +listType=map // +listMapKey=resource 
@@ -222,25 +216,22 @@ type ManagedBootImages struct { MachineManagers []MachineManager `json:"machineManagers"` } -// MachineManager contains identifying information of a machine management resource(eg. a machineset) that will be -// registered for boot image updates. This is likely to evolve as support for more machine management resources are added. +// MachineManager describes a target machine resource that is registered for boot image updates. It stores identifying information +// such as the resource type and the API Group of the resource. It also provides granular control via the selection field. type MachineManager struct { // resource is the machine management resource's type. - // - // The following values are accepted: - // - MachineSets: The machine manager will only register resources of the type MachineSet, which may belong to MachineAPI or ClusterAPI. - // + // The only current valid value is machinesets. + // machinesets means that the machine manager will only register resources of the kind MachineSet. // +kubebuilder:validation:Required Resource MachineManagerMachineSetsResourceType `json:"resource"` + // apiGroup is name of the APIGroup that the machine management resource belongs to. - // - // The following values are accepted: - // - MachineAPI: The machine manager will only register resources that belong to MachineAPI APIGroup. - // + // The only current valid value is machine.openshift.io. + // machine.openshift.io means that the machine manager will only register resources that belong to OpenShift machine API group. // +kubebuilder:validation:Required APIGroup MachineManagerMachineSetsAPIGroupType `json:"apiGroup"` + // selection allows granular control of the machine management resources that will be registered for boot image updates. - // // +kubebuilder:validation:Required Selection MachineManagerSelector `json:"selection"` } 
@@ -248,10 +239,10 @@ type MachineManager struct { // +kubebuilder:validation:XValidation:rule="has(self.mode) && self.mode == 'Partial' ? has(self.partial) : !has(self.partial)",message="Partial is required when type is partial, and forbidden otherwise" // +union type MachineManagerSelector struct { - // mode is a union discriminator for MachineManagerSelector and can have three possible values. - // - All: All resources specified by the parent MachineManager are registered for boot image updates. - // - None: No resources specified by the parent MachineManager are registered for boot image updates. - // - Partial: resources specified by the parent MachineManager are registered for boot image updates only if they match with the label selector. + // mode determines how machine managers will be selected for updates. + // Valid values are All and Partial. + // All means that every resource matched by the machine manager will be updated. + // Partial requires a specified selector and allows customisation of which resources matched by the machine manager will be updated. // +unionDiscriminator // +kubebuilder:validation:Required Mode MachineManagerSelectorMode `json:"mode"` 
@@ -263,17 +254,13 @@ type MachineManagerSelector struct { } // MachineManagerSelectorMode is a string enum used in the MachineManagerSelector union discriminator. -// +kubebuilder:validation:Enum:="All";"None";"Partial" +// +kubebuilder:validation:Enum:="All";"Partial" type MachineManagerSelectorMode string const ( // All represents a configuration mode that registers all resources specified by the parent MachineManager for boot image updates. All MachineManagerSelectorMode = "All" - // None represents a configuration mode that will not register any resource specified by the parent MachineManager MachineManager - // for boot image updates. - None MachineManagerSelectorMode = "None" - // Partial represents a configuration mode that will register resources specified by the parent MachineManager only // if they match with the label selector. Partial MachineManagerSelectorMode = "Partial" @@ -285,8 +272,7 @@ const ( type MachineManagerMachineSetsResourceType string const ( - // machinesets represent the MachineSet resource type, which manage a group of machines. - // Although this could belong to a MachineAPI or a ClusterAPI, only MAPI is currently supported. + // MachineSets represent the MachineSet resource type, which manage a group of machines and belong to the Openshift machine API group. MachineSets MachineManagerMachineSetsResourceType = "machinesets" ) 
@@ -316,7 +302,10 @@ managedBootImages: selection: mode: All ``` -The above example partially selects CAPI MachineSets and all MAPI Machinesets. Please note that for every unique pair of resource/APIGroup, only 1 entry is allowed in machineManagers. This is to avoid providing conflicting instructions for the same type of machine resourcess. The user can then use the partial label selector if further customization is required. +The above example partially selects CAPI MachineSets and all MAPI Machinesets. Please note that for every unique pair of resource/APIGroup, only 1 entry is allowed in machineManagers. This is to avoid providing conflicting instructions for the same type of machine resource. The user can then use the partial label selector if further customization is required. + +It is also important to note that if a user opts out of the feature after having some machine resources updated, the opted out resources will retain the boot images that +they were last updated to by this feature. There is no rollback to cluster install values, i.e. the original boot images that the resources started on before they were enrolled for updates. Opting out a machine resource simply means that the machine resources will no longer have updated boot images values A [ValidatingAdmissionPolicy](https://kubernetes.io/docs/reference/access-authn-authz/validating-admission-policy/) will be implemented via an MCO manifest that will restrict updating the `ManagedBootImages` object to only supported platforms(initially, just GCP). This will be updated as we phase in support for other platforms. Here is a sample policy that would do this: 
@@ -471,8 +460,8 @@ The goal of this is to provide information about the "lineage" of a machine mana ![MachineSet Reconciliation Flow](manage_boot_images_reconcile_loop.jpg) -The implementation has a GCP specific POC here: -- https://github.com/openshift/machine-config-operator/pull/3980 +The implementation has a GCP specific MVP here: +- https://github.com/openshift/machine-config-operator/pull/4083 ### Risks and Mitigations From e4264f305e5ce65b5cfca365383bef387af317a6 Mon Sep 17 00:00:00 2001 From: David Date: Fri, 8 Mar 2024 16:05:04 -0500 Subject: [PATCH 13/13] add err condn & alert, hive info --- .../machine-config/manage-boot-images.md | 53 ++++++++++++------- 1 file changed, 35 insertions(+), 18 deletions(-) diff --git a/enhancements/machine-config/manage-boot-images.md b/enhancements/machine-config/manage-boot-images.md index 24ab2c61d4..5694455de5 100644 --- a/enhancements/machine-config/manage-boot-images.md +++ b/enhancements/machine-config/manage-boot-images.md @@ -13,7 +13,7 @@ approvers: api-approvers: - "@joelspeed" creation-date: 2023-10-16 -last-updated: 2024-02-13 +last-updated: 2024-03-08 tracking-link: - https://issues.redhat.com/browse/MCO-589 see-also: 
@@ -75,25 +75,29 @@ __Overview__ - The `machine-config-controller`(MCC) pod will gain a new sub-controller `machine_set_boot_image_controller`(MSBIC) that monitors `MachineSet` changes and the `coreos-bootimages` [ConfigMap](https://github.com/openshift/installer/pull/4760) changes. - Before processing a MachineSet, the MSBIC will check if the following conditions are satisfied: - `ManagedBootImages` feature gate is active - - The cluster and/or the machineset is opted-in to boot image updates. - - The machineset does not have a valid owner reference. (eg. Hive, Cluster API and other managed machineset workflows) - - The golden configmap is verified to be in sync with the current version of the MCO. The MCO will "stamp"(annotate) the golden configmap with the new version of the MCO after atleast 1 master node has succesfully completed an update to the new OCP image. This helps prevent `machinesets` being updated too soon at the end of a cluster upgrade, before the MCO itself has updated and has had a chance to roll out the new OCP image to the cluster. + - The cluster and/or the machineset is opted-in to boot image updates. This is done at the operator level, via the `MachineConfiguration` API object. + - The `machineset` does not have a valid owner reference. Having a valid owner reference typically indicates that the `MachineSet` is managed by another workflow, and that updates to it are likely going to cause thrashing. + - The golden configmap is verified to be in sync with the current version of the MCO. The MCO will update("stamp") the golden configmap with version of the new MCO image after atleast 1 master node has succesfully completed an update to the new OCP image. This helps prevent `machinesets` being updated too soon at the end of a cluster upgrade, before the MCO itself has updated and has had a chance to roll out the new OCP image to the cluster. If any of the above checks fail, the MSBIC will exit out of the sync. 
- Based on platform and architecture type, the MSBIC will check if the boot images referenced in the `providerSpec` field of the `MachineSet` is the same as the one in the ConfigMap. Each platform(gcp, aws...and so on) does this differently, so this part of the implementation will have to be special cased. The ConfigMap is considered to be the golden set of bootimage values, i.e. they will never go out of date. If it is not a match, the `providerSpec` field is cloned and updated with the new boot image reference. - Next, it will check if the stub secret referenced within the `providerSpec` field of the `MachineSet` is managed i.e. `worker-user-data-managed` and not `worker-user-data`. If it is unmanaged, the cloned `providerSpec` will be updated to reference the managed stub secret. This step is platform/arch agnostic. -- Finally, the MSBIC will attempt to patch the `MachineSet` if required. Failure to do so will cause a degrade. +- Finally, the MSBIC will attempt to patch the `MachineSet` if an update is required. -#### Degrade Mechanism +#### Error & Alert Mechanism -The MSBIC will degrade the worker `MachineConfigPool` via a new [MachineConfigPoolConditionType](https://github.com/openshift/api/blob/master/machineconfiguration/v1/types.go#L492). This would be an API change, but a fairly simple one is it only adding a new condition type. The node controller(another sub controller within the MCC) would then [check for this condition](https://github.com/openshift/machine-config-operator/blob/master/pkg/controller/node/status.go#L142C34-L142C34) and degrade the worker pool, effectively degrading the operator. +MSBIC sync failures may be caused by multiple reasons: +- The MSBIC notices an OwnerReference and is able to determine that updating the `MachineSet` will likely cause thrashing. This is considered a misconfiguration and in such cases, the user is expected to exclude this `MachineSet` from boot image management. 
+- The `coreos-bootimages` ConfigMap is unavailable or in an incorrect format. This will likely happen if a user manually edits the ConfigMap, overriding the CVO. +- The `coreos-bootimages` ConfigMap takes too long to be stamped by the MCO. This indicates that there are larger problems in the cluster such as an upgrade failure/timeout or an unrelated cluster failure. +- Patching the `MachineSet` fails. This indicates a temporary API server blip, or larger RBAC issues. -As mentioned in the above section, degrading will only happen when the patching of the MachineSet fails. This is likely due to a temporary API server outage and will resolve itself without user intervention. The degrade condition is calculated at the end of a sync loop. In the case of multiple such failures within a single sync loop, the message for the degrade will be accumulated to include the `MachineSets` associated with all the failures. +An error condition will be applied on the operator level `MachineConfiguration` object when the sync failures of a given `MachineSet` exceed a threshold amount for a period of time. The condition will include information regarding the sync failures and the logs of the MSBIC can be checked for additional details. -#### Reverting to original bootimage +In addition to this, a Prometheus alert will also be triggered by the MSBIC. This alert will list the misbehaving `MachineSet` and will be cleared automatically by the MSBIC if the sync is successfully completed later. -The proposal will introduce a CR, `BootImageHistory` to store the boot image history associated with a given machineset. By providing this CR and accompanying documentation, the user will be able to restore their machinesets to an earlier state if they wish to do so. +Note: In the future, patches to `MachineSets` will be prevented when they are not authoritative [#1465](https://github.com/openshift/enhancements/pull/1465). This will need to be accounted for within the logic of the MSBIC. 
### Workflow Description @@ -107,6 +111,7 @@ Any form factor using the MCO and `MachineSets` will be impacted by this proposa - Standalone OpenShift: Yes, this is the main target form factor. - microshift: No, as it does [not](https://github.com/openshift/microshift/blob/main/docs/contributor/enabled_apis.md) use `MachineSets`. - Hypershift: No, Hypershift does not have this issue. +- Hive: Hive manages `MachineSets` via `MachinePools`. The MachinePool controller generates the `MachineSets` manifests (by invoking vendored installer code) which include the `providerSpec`. Once a `MachineSet` has been created on the spoke, the only things that will be reconciled on it are replicas, labels, and taints - [unless a backdoor is enabled](https://github.com/openshift/hive/blob/0d5507f91935701146f3615c990941f24bd42fe1/pkg/constants/constants.go#L518). If the `providerSpec` ever goes out of sync, a warning will be logged by the MachinePool controller but otherwise this discrepancy is ignored. In such cases, the MSBIC will not have any issue reconciling the `providerSpec` to the correct boot image. However, if the backdoor is enabled, both the MSBIC and the MachinePool Controller will attempt to reconcile the `providerSpec` field, causing churn. The Hive team will update the comment on the backdoor annotation to indicate that it is mutually exclusive with this feature. ##### Supported platforms 
@@ -193,7 +198,7 @@ Based on the observation above, here is a rough outline of what CAPI support wou - Updating the Ignition stub in `bootstrap.dataSecretName` to the managed stub secret(`*-managed`) if needed. - CAPI backed MachineSet patching. Once patching is successfully completed, the original `InfrastructureMachineTemplate` can be garbage collected. -When [MachineDeployments](https://cluster-api.sigs.k8s.io/developer/architecture/controllers/machine-deployment#machinedeployment) are introduced into CAPI, this mechanism will need to be reworked to update those rather than the `MachineSet` itself. `MachineDeployments` manage a fleet of `MachineSets`, and this can be checked via the `OwnerReference` field in the `MachineSet` object. +When [MachineDeployments](https://cluster-api.sigs.k8s.io/developer/architecture/controllers/machine-deployment#machinedeployment) are introduced into CAPI, this mechanism will need to be updated to reconcile them as well. `MachineDeployments` manage a fleet of `MachineSets`, and this can be checked via the `OwnerReference` field in the `MachineSet` object. In the long term, `MachineDeployments` and `MachineSets` are expected to co-exist so this feature will need to account for both cases. Much of the existing design regarding architecture & platform detection, opt-in, degradation and storing boot image history can remain the same. 
@@ -203,7 +208,7 @@ Much of the existing design regarding architecture & platform detection, opt-in, This proposal introduces a new field in the MCO operator API, `ManagedBootImages` which encloses an array of `MachineManager` objects. A `MachineManager` object contains the resource type of the machine management object that is being opted-in, the API group of that object and a union discriminant object of the type `MachineManagerSelector`. This object `MachineManagerSelector` contains: - The union discriminator, `Mode`, can be set to two values : All and Partial. -- Partial: This is a label selector that will be used by users to opt-in a custom selection of machine resources. When the Mode is set to Partial mode, all machinesets in the selector list would be considered enrolled for updates. For all other values of Mode, this selector does not exist. +- Partial: This is a set of label selectors that will be used by users to opt-in a custom selection of machine resources. When the Mode is set to Partial mode, all machinesets matched by this object would be considered enrolled for updates. In the first iteration of this API, this object will only allow for label matching with MachineResources. In the future, additional ways of filtering may be added with another label selector, e.g. namespace. For all other values of Mode, this selector object i ``` type ManagedBootImages struct { 
@@ -242,15 +247,22 @@ type MachineManagerSelector struct { // mode determines how machine managers will be selected for updates. // Valid values are All and Partial. // All means that every resource matched by the machine manager will be updated. - // Partial requires a specified selector and allows customisation of which resources matched by the machine manager will be updated. + // Partial requires specified selector(s) and allows customisation of which resources matched by the machine manager will be updated. // +unionDiscriminator // +kubebuilder:validation:Required Mode MachineManagerSelectorMode `json:"mode"` - // partial provides a label selector that can be used to match machine management resources. + // partial provides label selector(s) that can be used to match machine management resources. // Only permitted when mode is set to "Partial". // +optional - Partial *metav1.LabelSelector `json:"partial,omitempty"` + Partial *PartialSelector `json:"partial,omitempty"` +} + +// PartialSelector provides label selector(s) that can be used to match machine management resources. +type PartialSelector struct { + // machineResourceSelector is a label selector that can be used to select machine resources like MachineSets. + // +kubebuilder:validation:Required + MachineResourceSelector *metav1.LabelSelector `json:"machineResourceSelector,omitempty"` } // MachineManagerSelectorMode is a string enum used in the MachineManagerSelector union discriminator. @@ -296,7 +308,8 @@ managedBootImages: selection: mode: Partial partial: - matchLabels: {} + machineResourceSelector: + matchLabels: {} - resource: machinesets apiGroup: machine.openshift.io selection: 
@@ -305,7 +318,9 @@ managedBootImages: The above example partially selects CAPI MachineSets and all MAPI Machinesets. Please note that for every unique pair of resource/APIGroup, only 1 entry is allowed in machineManagers. This is to avoid providing conflicting instructions for the same type of machine resource. The user can then use the partial label selector if further customization is required. It is also important to note that if a user opts out of the feature after having some machine resources updated, the opted out resources will retain the boot images that -they were last updated to by this feature. There is no rollback to cluster install values, i.e. the original boot images that the resources started on before they were enrolled for updates. Opting out a machine resource simply means that the machine resources will no longer have updated boot images values +they were last updated to by this feature. There is no rollback to cluster install values, i.e. the original boot images that the resources started on before they were enrolled for updates. Opting out a machine resource simply means that the machine resources will no longer have updated boot images values. + +An Success/Failure condition will be applied on the MachineConfiguration object by the MSBIC. This will require [some rework](https://github.com/openshift/api/pull/1789) of the `MachineConfigurationStatus` field before new condition types can be added to this object. The condition type names are still TBD, but could be as simple as `MSBICReconciled` and `MSBICFailed`. A [ValidatingAdmissionPolicy](https://kubernetes.io/docs/reference/access-authn-authz/validating-admission-policy/) will be implemented via an MCO manifest that will restrict updating the `ManagedBootImages` object to only supported platforms(initially, just GCP). This will be updated as we phase in support for other platforms. Here is a sample policy that would do this: 
@@ -344,7 +359,9 @@ spec: ``` #### Tracking boot image history -This is just an idea for the moment and is not planned to included when the feature initially GAs. Based on customer feedback and team capacity, this will be implemented in a later release. Boot Image History will be tracked by a new CR called `BootImageHistory`. The MCO will not directly consume from this CR. As a starting point, here is a stub type definition for this: +Note: This section is just an idea for the moment and is considered out of scope. This CR will require thorough API review in a follow-up enhancement. + +As a starting point, here is a stub type definition for a CRD to track the boot image history of a machine resource: ``` type BootImageHistory struct {
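Review bot: In the `@@ -75,25 +75,29 @@` hunk, the "Error & Alert Mechanism" list only covers a `coreos-bootimages` ConfigMap that is "unavailable or in an incorrect format", so a manual edit that keeps the format valid would, as written, pass the checks and be patched into every enrolled `providerSpec`. Since this ConfigMap decides which image new nodes boot from, please state what restores or rejects a well-formed but modified ConfigMap and who is expected to have write access to it. The same section says the condition fires when failures "exceed a threshold amount for a period of time" without giving either value. It also lists the OwnerReference case as a sync failure, while the precondition list treats it as a quiet exit from the sync. The added precondition line has typos: "atleast", "succesfully", and "with version of" should read "with the version of".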
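Review bot: In the `@@ -107,6 +111,7 @@` hunk, the Hive bullet relies on a code comment on the backdoor annotation to keep the MSBIC and the MachinePool controller from both reconciling `providerSpec`, and nothing in the design enforces that. Suggest stating how the MSBIC recognises this case (the precondition list only mentions owner references) and routing it through the new error condition and alert, so the churn is reported as a misconfiguration instead of continuing silently.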
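Review bot: In the `@@ -193,7 +198,7 @@` hunk, the trailing context line still says the design for "degradation and storing boot image history can remain the same", but this patch replaces the degrade mechanism with an error condition and alert and moves boot image history out of scope. Please update that sentence in the same change so the CAPI section does not refer to mechanisms the document no longer describes.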
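Review bot: In the `@@ -242,15 +247,22 @@` hunk, `MachineResourceSelector` in the new `PartialSelector` type is marked `+kubebuilder:validation:Required` but is a pointer with `omitempty` in its JSON tag, so the marker and the serialization disagree about whether the field may be absent. Pick one: drop `omitempty` if the field is required, or mark it `+optional` and document what a missing selector means when `mode` is `Partial`.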
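Review bot: In the `@@ -296,7 +308,8 @@` hunk, the sample keeps `matchLabels: {}` under the new `machineResourceSelector`, and an empty label selector matches every object, so this "Partial" entry enrolls the same resources as `mode: All` would. Use a concrete label in the example so it actually shows partial selection, and say in the field documentation whether an empty selector is accepted in Partial mode.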
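Review bot: In the `@@ -305,7 +318,9 @@` hunk, the added paragraph proposes two condition types, `MSBICReconciled` and `MSBICFailed`, which can drift out of step with each other, and it does not say how they relate to the error condition described under "Error & Alert Mechanism". A single condition type whose status and reason carry success or failure would be easier for consumers to evaluate. Also, "An Success/Failure condition" should read "A Success/Failure condition".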
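Review bot: In the `@@ -344,7 +359,9 @@` hunk, the new note says "This CR will require thorough API review" after the sentence that named `BootImageHistory` as a CR was removed, so "This CR" has no antecedent at that point. With this section now out of scope and the "Reverting to original bootimage" section deleted earlier in the patch, the document no longer tells an admin how to return a `MachineSet` to a previous boot image. Please add a sentence saying whether that is unsupported or handled manually.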