From f8cc15d5399d39d9aac6ca1f1cdd2e8d81253fa1 Mon Sep 17 00:00:00 2001 From: Patrick Seidensal Date: Wed, 10 Jul 2024 09:39:58 +0200 Subject: [PATCH 1/4] Don't capitalize namespace names --- docs/namespaces.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/namespaces.md b/docs/namespaces.md index 77f7f96f3..aa4d1f61c 100644 --- a/docs/namespaces.md +++ b/docs/namespaces.md @@ -16,8 +16,8 @@ not be able to target each others clusters, they should be in different namespac Git repos are added to the Fleet manager using the `GitRepo` custom resource type. The `GitRepo` type is namespaced. By default, Rancher will create two Fleet workspaces: **fleet-default** and **fleet-local**. -- `Fleet-default` will contain all the downstream clusters that are already registered through Rancher. -- `Fleet-local` will contain the local cluster by default. +- `fleet-default` will contain all the downstream clusters that are already registered through Rancher. +- `fleet-local` will contain the local cluster by default. If you are using Fleet in a [single cluster](./concepts.md) style, the namespace will always be **fleet-local**. Check [here](https://fleet.rancher.io/namespaces/#fleet-local) for more on the `fleet-local` namespace. From b82c54f8551c65e55af2057a76690c3ac8afb2de Mon Sep 17 00:00:00 2001 From: Patrick Seidensal Date: Wed, 10 Jul 2024 10:21:27 +0200 Subject: [PATCH 2/4] Formatting --- docs/gitrepo-add.md | 5 ++--- docs/namespaces.md | 9 ++++----- 2 files changed, 6 insertions(+), 8 deletions(-) diff --git a/docs/gitrepo-add.md b/docs/gitrepo-add.md index c545f54af..d3f9d7d1e 100644 --- a/docs/gitrepo-add.md +++ b/docs/gitrepo-add.md 
@@ -161,7 +161,7 @@ Example: path-one: # path path-one must exist in the repository username: user password: pass -path-two: # path path-one must exist in the repository +path-two: # path path-one must exist in the repository username: user2 password: pass2 caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCiAgICBNSUlEblRDQ0FvV2dBd0lCQWdJVUNwMHB2SVJTb2c0eHJKN2Q1SUI2ME1ka0k1WXdEUVlKS29aSWh2Y05BUUVMCiAgICBCUUF3WGpFTE1Ba0dBMVVFQmhNQ1FWVXhFekFSQmdOVkJBZ01DbE52YldVdFUzUmhkR1V4SVRBZkJnTlZCQW9NCiAgICBHRWx1ZEdWeWJtVjBJRmRwWkdkcGRITWdVSFI1SUV4MFpERVhNQlVHQTFVRUF3d09jbUZ1WTJobGNpNXRlUzV2CiAgICBjbWN3SGhjTk1qTXdOREkzTVRVd056VXpXaGNOTWpnd05ESTFNVFV3TnpVeldqQmVNUXN3Q1FZRFZRUUdFd0pCCiAgICBWVEVUTUJFR0ExVUVDQXdLVTI5dFpTMVRkR0YwWlRFaE1COEdBMVVFQ2d3WVNXNTBaWEp1WlhRZ1YybGtaMmwwCiAgICBjeUJRZEhrZ1RIUmtNUmN3RlFZRFZRUUREQTV5WVc1amFHVnlMbTE1TG05eVp6Q0NBU0l3RFFZSktvWklodmNOCiAgICBBUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTXBvZE5TMDB6NDc1dnVSc2ZZcTFRYTFHQVl3QU92anV4MERKTHY5CiAgICBrZFhwT091dGdjMU8yWUdqNUlCVGQzVmpISmFJYUg3SDR2Rm84RlBaMG9zcU9YaFg3eUM4STdBS3ZhOEE5VmVmCiAgICBJVXp6Vlo1cCs1elNxRjdtZTlOaUNiL0pVSkZLT0ZsTkF4cjZCcXhoMEIyN1VZTlpjaUIvL1V0L0I2eHJuVE55CiAgICBoRzJiNzk4bjg4bFZqY3EzbEE0djFyM3VzWGYxVG5aS2t2UEN4ZnFHYk5OdTlpTjdFZnZHOWoyekdHcWJvcDRYCiAgICBXY3VSa3N3QkgxZlRNS0ZrbGcrR1VsZkZPMGFzL3phalVOdmdweTlpdVBMZUtqZTVWcDBiMlBLd09qUENpV2d4CiAgICBabDJlVDlNRnJjV0F3NTg3emE5NDBlT1Era2pkdmVvUE5sU2k3eVJMMW96YlRka0NBd0VBQWFOVE1GRXdIUVlECiAgICBWUjBPQkJZRUZEQkNkYjE4M1hsU0tWYzBxNmJSTCt0dVNTV3lNQjhHQTFVZEl3UVlNQmFBRkRCQ2RiMTgzWGxTCiAgICBLVmMwcTZiUkwrdHVTU1d5TUE4R0ExVWRFd0VCL3dRRk1BTUJBZjh3RFFZSktvWklodmNOQVFFTEJRQURnZ0VCCiAgICBBQ1BCVERkZ0dCVDVDRVoxd1pnQmhKdm9GZTk2MUJqVCtMU2RxSlpsSmNRZnlnS0hyNks5ZmZaY1ZlWlBoMVU0CiAgICB3czBuWGNOZiszZGJlTjl4dVBiY0VqUWlQaFJCcnRzalE1T1JiVHdYWEdBdzlYbDZYTkl6YjN4ZDF6RWFzQXZPCiAgICBJMjM2ZHZXQ1A0dWoycWZqR0FkQjJnaXU2b2xHK01CWHlneUZKMElzRENraldLZysyWEdmU3lyci9KZU1vZlFBCiAgICB1VU9wcFVGdERYd0lrUW1VTGNVVUxWcTdtUVNQb0lzVkNNM2hKNVQzczdUSWtHUDZVcGVSSjgzdU9LbURYMkRHCiAgICBwVWVQVHBuVWVLOVMzUEVKTi9XcmJSSVd3
WU1OR29qdDRKWitaK1N6VE1aVkh0SlBzaGpjL1hYOWZNU1ZXQmlzCiAgICBQRW5MU256MDQ4OGFUQm5SUFlnVXFsdz0KICAgIC0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0= @@ -169,6 +169,7 @@ path-two: # path path-one must exist in the repository ``` Create the secret + ``` kubectl create secret generic path-auth-secret -n fleet-default --from-file=secrets-path.yaml ``` @@ -178,11 +179,9 @@ In the previous example credentials for username `user` will be used for the pat `caBundle` and `sshPrivateKey` must be base64 encoded. - :::note If you are using ["rancher-backups"](https://ranchermanager.docs.rancher.com/how-to-guides/new-user-guides/backup-restore-and-disaster-recovery/back-up-rancher) and want this secret to be included the backup, please add the label `resources.cattle.io/backup: true` to the secret. In that case, make sure to encrypt the backup to protect sensitive credentials. - # Troubleshooting See Fleet Troubleshooting section [here](./troubleshooting.md). diff --git a/docs/namespaces.md b/docs/namespaces.md index aa4d1f61c..20cc59970 100644 --- a/docs/namespaces.md +++ b/docs/namespaces.md @@ -125,8 +125,7 @@ defaultServiceAccount: "" ### Allowed Target Namespaces -This can be used to limit a deployment to a set of namespaces on a downstream cluster. -If an allowedTargetNamespaces restriction is present, all `GitRepos` must -specify a `targetNamespace` and the specified namespace must be in the allow -list. -This also prevents the creation of cluster wide resources. +This can be used to limit a deployment to a set of namespaces on a downstream +cluster. If an allowedTargetNamespaces restriction is present, all `GitRepos` +must specify a `targetNamespace` and the specified namespace must be in the +allow list. This also prevents the creation of cluster wide resources. From afb8ff989aa1ddcfb6bf2f74fecb4b5173ed2a6e Mon Sep 17 00:00:00 2001 
From: Patrick Seidensal Date: Wed, 10 Jul 2024 12:34:17 +0200 Subject: [PATCH 3/4] Add graph about workload namespace configuration - Add a graph about workload namespace configuration. - This change also divides the structure of the namespaces explanation page into "workload namespaces" and "fleet namespaces" for better readability and more clarity. By doing that, another layer of headers is introduced, for which the TOC on the right hand side has been adapted to show the same details as before. - The source of the added graph is added in the `src/img` folder as Mermaid code. - Also, paragraphs have been wrapped to a certain max width. --- docs/namespaces.md | 205 +++++++++++++++---------- src/img/FleetWorkloadNamespaces.mmd | 31 ++++ static/img/FleetWorkloadNamespaces.png | Bin 0 -> 75832 bytes static/img/FleetWorkloadNamespaces.svg | 7 + 4 files changed, 163 insertions(+), 80 deletions(-) create mode 100644 src/img/FleetWorkloadNamespaces.mmd create mode 100644 static/img/FleetWorkloadNamespaces.png create mode 100644 static/img/FleetWorkloadNamespaces.svg diff --git a/docs/namespaces.md b/docs/namespaces.md index 20cc59970..6078a0407 100644 --- a/docs/namespaces.md +++ b/docs/namespaces.md 
@@ -1,81 +1,45 @@ +--- +toc_max_heading_level: 4 +--- + # Namespaces -All types in the Fleet manager are namespaced. The namespaces of the manager types do not correspond to the namespaces -of the deployed resources in the downstream cluster. Understanding how namespaces are used in the Fleet manager is -important to understand the security model and how one can use Fleet in a multi-tenant fashion. +## Workload Namespaces -## GitRepos, Bundles, Clusters, ClusterGroups +### Namespace Creation Behavior in Bundles -The primary types are all scoped to a namespace. All selectors for `GitRepo` targets will be evaluated against -the `Clusters` and `ClusterGroups` in the same namespaces. This means that if you give `create` or `update` privileges -to a `GitRepo` type in a namespace, that end user can modify the selector to match any cluster in that namespace. -This means in practice if you want to have two teams self manage their own `GitRepo` registrations but they should -not be able to target each others clusters, they should be in different namespaces. +When deploying a Fleet bundle, the specified namespace will automatically be +created if it does not already exist. -### GitRepo Namespace +### Configuring Workload Namespaces -Git repos are added to the Fleet manager using the `GitRepo` custom resource type. The `GitRepo` type is namespaced. By default, Rancher will create two Fleet workspaces: **fleet-default** and **fleet-local**. +When configuring workload namespaces, it is important to be aware that certain +options are designed to override the values of other options or namespace +definitions in workload resources. In some cases, setting namespaces using some +options may result in errors if the resources to be deployed contain +non-namespaced resources. To get a better understanding of how these options +interact, refer to the diagram below. 
For more details on a specific option, +please refer to the [GitRepo](./ref-gitrepo.md) or +[fleet.yaml](./ref-fleet-yaml.md) reference. -- `fleet-default` will contain all the downstream clusters that are already registered through Rancher. -- `fleet-local` will contain the local cluster by default. +![Configuring Workload Namespaces](/img/FleetWorkloadNamespaces.png) -If you are using Fleet in a [single cluster](./concepts.md) style, the namespace will always be **fleet-local**. Check [here](https://fleet.rancher.io/namespaces/#fleet-local) for more on the `fleet-local` namespace. +### Cross Namespace Deployments -For a [multi-cluster](./concepts.md) style, please ensure you use the correct repo that will map to the right target clusters. +It is possible to create a GitRepo that will deploy across namespaces. The +primary purpose of this is so that a central privileged team can manage common +configuration for many clusters that are managed by different teams. The way +this is accomplished is by creating a `BundleNamespaceMapping` resource in a +cluster. +If you are creating a `BundleNamespaceMapping` resource it is best to do it in a +namespace that only contains `GitRepos` and no `Clusters`. It seems to get +confusing if you have Clusters in the same repo as the cross namespace +`GitRepos` will still always be evaluated against the current namespace. So if +you have clusters in the same namespace you may wish to make them canary +clusters. -## Namespace Creation Behavior in Bundles - -When deploying a Fleet bundle, the specified namespace will automatically be created if it does not already exist. - -## Special Namespaces - -An overview of the [namespaces](./namespaces.md) used by fleet and their resources. 
- -![Namespace](/img/FleetNamespaces.svg) - -### fleet-local (local workspace, cluster registration namespace) - -The **fleet-local** namespace is a special namespace used for the single cluster use case or to bootstrap -the configuration of the Fleet manager. - -When fleet is installed the `fleet-local` namespace is created along with one `Cluster` called `local` and one -`ClusterGroup` called `default`. If no targets are specified on a `GitRepo`, it is by default targeted to the -`ClusterGroup` named `default`. This means that all `GitRepos` created in `fleet-local` will -automatically target the `local` `Cluster`. The `local` `Cluster` refers to the cluster the Fleet manager is running -on. - -The cluster registration namespace contains the cluster and the clusterregistration resources, as well as any gitrepos and bundles. - -### cattle-fleet-system (system namespace) - -The Fleet controller and Fleet agent run in this namespace. All service accounts referenced by `GitRepos` are expected -to live in this namespace in the downstream cluster. - -### cattle-fleet-clusters-system (system registration namespace) - -This namespace holds secrets for the cluster registration process. It should contain no other resources in it, -especially secrets. - -### Cluster Namespaces - -For every cluster that is registered a namespace is created by the Fleet manager for that cluster. -These namespaces are named in the form `cluster-${namespace}-${cluster}-${random}`. The purpose of this -namespace is that all `BundleDeployments` for that cluster are put into this namespace and -then the downstream cluster is given access to watch and update `BundleDeployments` in that namespace only. - -## Cross Namespace Deployments - -It is possible to create a GitRepo that will deploy across namespaces. The primary purpose of this is so that a -central privileged team can manage common configuration for many clusters that are managed by different teams. 
The way -this is accomplished is by creating a `BundleNamespaceMapping` resource in a cluster. - -If you are creating a `BundleNamespaceMapping` resource it is best to do it in a namespace that only contains `GitRepos` -and no `Clusters`. It seems to get confusing if you have Clusters in the same repo as the cross namespace `GitRepos` will still -always be evaluated against the current namespace. So if you have clusters in the same namespace you may wish to make them -canary clusters. - -A `BundleNamespaceMapping` has only two fields. Which are as below +A `BundleNamespaceMapping` has only two fields. Which are as below ```yaml kind: BundleNamespaceMapping 
@@ -88,26 +52,29 @@ metadata: # labels field or from the GitRepo metadata.labels field bundleSelector: matchLabels: - foo: bar + foo: bar # Namespaces to match by label namespaceSelector: matchLabels: - foo: bar + foo: bar ``` -If the `BundleNamespaceMappings` `bundleSelector` field matches a `Bundles` labels then that `Bundle` target criteria will -be evaluated against all clusters in all namespaces that match `namespaceSelector`. One can specify labels for the created -bundles from git by putting labels in the `fleet.yaml` file or on the `metadata.labels` field on the `GitRepo`. +If the `BundleNamespaceMappings` `bundleSelector` field matches a `Bundles` +labels then that `Bundle` target criteria will be evaluated against all clusters +in all namespaces that match `namespaceSelector`. One can specify labels for the +created bundles from git by putting labels in the `fleet.yaml` file or on the +`metadata.labels` field on the `GitRepo`. -## Restricting GitRepos +### Restricting GitRepos A namespace can contain multiple `GitRepoRestriction` resources. All `GitRepos` -created in that namespace will be checked against the list of restrictions. -If a `GitRepo` violates one of the constraints its `BundleDeployment` will be -in an error state and won't be deployed. +created in that namespace will be checked against the list of restrictions. If a +`GitRepo` violates one of the constraints its `BundleDeployment` will be in an +error state and won't be deployed. -This can also be used to set the defaults for GitRepo's `serviceAccount` and `clientSecretName` fields. +This can also be used to set the defaults for GitRepo's `serviceAccount` and +`clientSecretName` fields. ```yaml kind: GitRepoRestriction 
@@ -123,9 +90,87 @@ defaultClientSecretName: "" defaultServiceAccount: "" ``` -### Allowed Target Namespaces +#### Allowed Target Namespaces This can be used to limit a deployment to a set of namespaces on a downstream -cluster. If an allowedTargetNamespaces restriction is present, all `GitRepos` +cluster. If an allowedTargetNamespaces restriction is present, all `GitRepos` must specify a `targetNamespace` and the specified namespace must be in the -allow list. This also prevents the creation of cluster wide resources. +allow list. This also prevents the creation of cluster wide resources. + +## Fleet Namespaces + +All types in the Fleet manager are namespaced. The namespaces of the manager +types do not correspond to the namespaces of the deployed resources in the +downstream cluster. Understanding how namespaces are used in the Fleet manager +is important to understand the security model and how one can use Fleet in a +multi-tenant fashion. + +### GitRepos, Bundles, Clusters, ClusterGroups + +The primary types are all scoped to a namespace. All selectors for `GitRepo` +targets will be evaluated against the `Clusters` and `ClusterGroups` in the same +namespaces. This means that if you give `create` or `update` privileges to a +`GitRepo` type in a namespace, that end user can modify the selector to match +any cluster in that namespace. This means in practice if you want to have two +teams self manage their own `GitRepo` registrations but they should not be able +to target each others clusters, they should be in different namespaces. + +#### GitRepo Namespace + +Git repos are added to the Fleet manager using the `GitRepo` custom resource +type. The `GitRepo` type is namespaced. By default, Rancher will create two +Fleet workspaces: **fleet-default** and **fleet-local**. + +- `fleet-default` will contain all the downstream clusters that are already + registered through Rancher. +- `fleet-local` will contain the local cluster by default. 
+ +If you are using Fleet in a [single cluster](./concepts.md) style, the namespace +will always be **fleet-local**. Check +[here](https://fleet.rancher.io/namespaces/#fleet-local) for more on the +`fleet-local` namespace. + +For a [multi-cluster](./concepts.md) style, please ensure you use the correct +repo that will map to the right target clusters. + +### Special Namespaces + +An overview of the [namespaces](./namespaces.md) used by fleet and their +resources. + +![Namespace](/img/FleetNamespaces.svg) + +#### fleet-local (local workspace, cluster registration namespace) + +The **fleet-local** namespace is a special namespace used for the single cluster +use case or to bootstrap the configuration of the Fleet manager. + +When fleet is installed the `fleet-local` namespace is created along with one +`Cluster` called `local` and one `ClusterGroup` called `default`. If no targets +are specified on a `GitRepo`, it is by default targeted to the `ClusterGroup` +named `default`. This means that all `GitRepos` created in `fleet-local` will +automatically target the `local` `Cluster`. The `local` `Cluster` refers to the +cluster the Fleet manager is running on. + +The cluster registration namespace contains the cluster and the +clusterregistration resources, as well as any gitrepos and bundles. + +#### cattle-fleet-system (system namespace) + +The Fleet controller and Fleet agent run in this namespace. All service accounts +referenced by `GitRepos` are expected to live in this namespace in the +downstream cluster. + +#### cattle-fleet-clusters-system (system registration namespace) + +This namespace holds secrets for the cluster registration process. It should +contain no other resources in it, especially secrets. + +#### Cluster Namespaces + +For every cluster that is registered a namespace is created by the Fleet manager +for that cluster. These namespaces are named in the form +`cluster-${namespace}-${cluster}-${random}`. 
The purpose of this namespace is +that all `BundleDeployments` for that cluster are put into this namespace and +then the downstream cluster is given access to watch and update +`BundleDeployments` in that namespace only. diff --git a/src/img/FleetWorkloadNamespaces.mmd b/src/img/FleetWorkloadNamespaces.mmd new file mode 100644 index 000000000..e0c4921c9 --- /dev/null +++ b/src/img/FleetWorkloadNamespaces.mmd @@ -0,0 +1,31 @@ +graph TD + start([Start]) --> gitRepoNS + + failsForClusterScopedResources("`Fails if a cluster scoped resource is used in the workload manifests.`") + style failsForClusterScopedResources stroke:#f66,stroke-dasharray: 5, 5 + + gitRepoNS["`In any **GitRepo** resource, field **targetNamespace** + + Overrides everything.`"] + + + fleetYamlNS["`In file **fleet.yaml**, field **namespace** + + Overrides namespaces defined in workload manifests.`"] + + workloadNS["`In **any workload's manifest**, field **metadata.namespace**`"] + + fleetYamlDefaultNS["`In file **fleet.yaml**, field **defaultNamespace** + + This is what manifests get if they don't have a namespace defined.`"] + + failsForClusterScopedResources .-> gitRepoNS + failsForClusterScopedResources .-> fleetYamlNS + + gitRepoNS -->|if not exist| fleetYamlNS + fleetYamlNS -->|if not exist| workloadNS + workloadNS -->|if not exist| fleetYamlDefaultNS + + ende(["`Errors out if no namespace was defined up to this point.`"]) + + fleetYamlDefaultNS -->|if not exist| ende 
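Review bot: In src/img/FleetWorkloadNamespaces.mmd the two dotted edges run from `failsForClusterScopedResources` into `gitRepoNS` and `fleetYamlNS`, so the rendered arrows point from the failure note into the options and read as one more step of the flow. Attach the note the other way round (`gitRepoNS .-> failsForClusterScopedResources`) or give the edge a label such as "fails if" so it is clearly an annotation. The edge label "if not exist" would read better as "if not set", and the node id `ende` could be an English name like `noNamespace` to match `start` (plain `end` is reserved in Mermaid flowcharts, so that one is not an option).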
diff --git a/static/img/FleetWorkloadNamespaces.png b/static/img/FleetWorkloadNamespaces.png new file mode 100644 index 0000000000000000000000000000000000000000..86b6735aa3f6fe8d304a6f86bb63223e43e223c4 GIT binary patch literal 75832
zn9CaDdnah7VPQnq^-4yvkR#f|WQOa!4ptp&YlF;AbSYZAi%k@wP!+wtzW z#Z05x0q60H!nW>$mwGlac&#(Eh+&$vRn@U1HcY~Y% ziYzcN5E=oA-4HR^U3TLg#t(PUZyV^K`5GWH=s$;uE}>ZT8q2As&|m)}f>*hj#W zHPgLxvNvy*%wR$?zxT|wxmgLV*J{*K5ORX8{Q)%yWyD=ScoWO@$J{-UP2o1Z`oin- zF5LACks|-HV)w+aUy06z9w)n~w9$K|xIJb&K^8_v!smY(jFiLWtX>d@CiBEa-Am%M zk;<0z;&q8IzmoSFbL5pVT?`MZ?%7|#`UO#}woYmwO9Bgum@r>oDqCCU-kFd2pq0nT z`bHK`%7dLnjp)(#FSjSN-=uOBlZ);I!k(uz1e9JalczyK9v6J@-j;Usq9s2g?hz0K zXV9;zMt86s3X&S*YkdElt;G^iMT$YLmMbd^eTkk75q1m=^PY)vZ`8BdEMz5z65qNlf+-C6;Dll(R$S@ zo^&MNdM{?gK&D;wpmQj@eDCO4J2(erI;@Xl;0p8xJqkYAZPt~m;eHaQWK5v>g~9_o+Neue-~2t2kG|A) zccGn}0FRWkwKr+J%3+-s(ECX7%stq{#4kMj=e(~!H~G5D7ir4$C37`Z*_-97?QBbj zx?)nWF-ukI|6_vwv$4_O;_s9uXajm72SY?zD=5jymST$7pNRbOyf~ToeWbz#I9K5M;wGf4+Vi(s^%wh79F7UnwDl*8R+N-|ctoz444fr_9gm({OMnvG@26ASHa|r`C1JNd#ARssM?PE9(Se(^^6gBPus>}c zqAT$^&u|FQvT0;w+{tqE7|O-f`TeJ2MqFi?*&U%}9t0XrU@k()Un>9)RI%QJ#>2B4 zR&rV%LK4;&brlAM-ABebkyuhLZf-V%pV}9fR`(x0YO-l463H9{EsFEmA(7$su3rZ} zHd-^2fPjEX$@qAw6XW8kI98ib5CL=R@4;)cZI&`#Ik_~Fndh{x-_kxK1Vcc43i#u7 z?865SD0Pe`lE3MLi=Mh4^}oNQV=NTF*s0I5rT8%W`=B{?1hbZ@+|Y;nLKp`3qyGJ! 
z4w0A?Wz-2Gv6m89qA)}g5&!p>heT-oI-+2&{-yiR=V1Q(%LEDcD5at_j3?6m^I6D0 zG@^7%#-9c)W*|07p==?vYNxv5v1r18UmYsSu97*pb>na>OoTVhI#Pde@lTogAU6ML z*7Kd(1KKx}Bf!IbyER=kfv~MRe|vYV_;Mkz#Q*=)PJbVXes=V{JR-m*om|T|Np+O_ zcyB^1c89XY^}q)0?nd8CO(}=X6@Ru=gQ%e)WmD5Rk$~4r$k;}^^Cg83wE9zTGH8AO zpwgE@icL-?4zD9mrNAp^j_O#MmsVLt1!bMAJEzR!L&A$UB*%YRSv}9#rl)y(+5xAA zq@@Xf)^hD={4R&Z&`-)WIaygzSko>&ifcU^Y}Ir`T+V;6?-FyI%Q>!%xjz}g!o?iy@xW}%`Bp%5U?nLPV44%x+0dyVex9NK7~R3D+`sFtfW#gV4R1{ zx{249HrP->-n!ju2-&ZtZMF$e1P*Dn0t88vpUwRPxpHD{Aqj0;6L^pZpjj}x9tM_H zDb906P5$IwlHhWMs$Tg=OtlyrC}8Aj|=$9 zVg;i&fEs-t{0lk(sRDvKIg160JXF|7XMxA-7LJ-5sQ~Ky3#`0E!><}Rjv(wN7`F2M zs&mIefhcCMXNZf>tc&g=n+pyJGC*xk0(gV01W<2^&Mz$7j#y3gIvNF5c`}1i4lgp- z9>0~Y-iJ}C$;L=&GOz1Hwebt6^nC&M28Px($FmNny7c?qi;c@}*S|V@`p^fe5P{O3 zB%85?#a8>4wl?`1r<+1TI1%yj=3ac<+#u!Zhi5~D0#051ZJ}1b2bb7a`}Jg?MnooO zOdNg`eJ?h>QbP(Ll;^;$5s{r&{;w5L7DKsFyD48X}EtdpQD zF72=ywxD!oBc;(sqNWIJ7esEO)_3?QM0`&8Q**gU)3rZuhHbe-}5MQ z_)z6}PK)vpi@?(`fl_3;#{>x&U^`Gyp!bwO6_En7;l;HzIhYk8vnZ61P->vQeM|Pu zVweaV2gZtZa4rrEHrCWqCMzD#Z|hJt8(n{g%;4hUGF)XZ2U{Xfqdc|hc7$bbqRGkW z>2P{8-H$3)`AkurS?_CMuS>^A5)u-iVvdY=fxZAO7f4&I57g8?1Ky%&yfdUR};-Hi1HTg3eYO*`eid>CCxA|m}zAsK! 
zvCCat@_U^4K&?N&yc`0l14;w-xCW)7~@C_;z}1!4ONnWOmA&L++}4e~%&1 z*Vp%S&UJrzWwx$Hj&Wy2h2-($B#t$iXWo!mjZO;TieNxZ_i&{-a-L`A-snotm6i3 z2`t2+P}(Mh^IeTxelyB{@L;jDyj;${r?Ye7!rpMvQ(48NGiriS>&3VS?{n9-mgyX0 z2|Zdl-42AxD=>2U;Che)i{pcC9hzd*{^Rw&gaqzqu5vK>Y+6h6{yAEp_O+q{St<>d z%ni`ZQvEZ-=f*o50tEzLsRt}<>?J$L-s2I%*WW41k?ph;{lhZ^eb7(nAh}*&;<7W^ z&o`3CJkx5rFwiYf^<3>w>w+#Y2;o`w*O)stOCI}p^Y8lOruo#kpZR@GNKlY7G&7U) zxTxc3UtGL$Wvi@o7KDWQ{SCp!*qf+7m$$L-QU8J37W8mLd~O~{w=ea24}K~!9PpCV zqnH1ppLlHi9l0>?JUWD>ez2Ct^R>J@S2@3o$cbE2(sJJwlrf1*fGd}~)#g99QZNcb zKhs--yJ@*!&j)(s2TS3>`MPyDsj0ITx^v(T06XqsO@_sPd*w zlrsF7xl_VwoQ?L5k69bmpqm4=L5}N(>k{Z0aCx4&BpS7cqbGTftvkffFLXoOY47l2 zZF+C-SX^4VrK#yXjBJ_o>H`|QWl#VTh(PlQHWCj2rS%8Wu+k3sEFiYKAOC3_8~Y<5 zC*h?4&=TeK>txPrkF~xxeJMP`qX?V2A$7ld>n7{0gg)>V6~5{loE=|BKneh7QL?KO zqsK})AqE#G1{_vn+%p8HmZO%)))bfPex7U2!z_nv4)a|c2)xE~^*Y)$_`Q(g9uWR| zE<-SUkf)SOFyrH@&wxb}4Rbd<&u=jOAFv!ek*IK50JShnO)J?RJ#-fXoYadU$UB`0OlMifntS zkr)OR&!wJ?S&oa_+5Gx?^I|JIm;EX=NNJ51Tkfw0lIPc7IuU}!ScN$DPdg-#i9;40 zLna(1U6g<^-a{}hHSIlyr3n}p34XboZ34#;DrvC9<+H?Db=|j*I7*KG@Wn&uWHV}W zF*MpiZoG|A_oOh=ng;n~=op>+&g8$iIKV~zhb-H@E)eJ^^vmxK;-cH$FylF7i(Q>MUBacLrpC=!eV{4%oFbNRa_fg5v+|Xzg5o5mix$C z@`Nn17xLBfYNt0KUYBX@@4x<>c71hu9xvU-f%gOn(roHA{KNU(&Z^By6kGD$Nv^ir z&Qj-M&EIaTmj$wC zP^}$Zo$mG9m9EcewfE9H_OotN0igY+xm_(Lz<*6J;-~UofERFYBuzeodvcOBfPe~M zZY0e|KfjPNB#sjYxGRJa9B~Wz!vM|2eVYbaCv5}P=#byH^84tFJ18UM26dCM(SHCn z_C6LxS%&;PpJ41pe;YLt11F1NX&1YjzKYD2_|LDy4>{Ih!}%{Rz&*?m_BR|nRCQT(*lJ3ua8<{iqbCQ zTBpQAf_x;_H|9d~rMUNwH9=ZRNLZLzgNJO-<6oDRfghAHg64EHO23Q&`TfQwtYbKW zyaNBi?Ih8i9Fm!XBfwI+TY;=Y_}H6TW+WFyjTZ|7L;^@Q|MdEg;ZSHrY8Z1hE8$5i zmNC5C61U#_N>vJrYLA>xygq5CsrknTrx$&dTh`idwcvA&Ez8!wRv6tA3Xodw;@~9d947ebTEcb8?$w7P3aCIHw%k_tbJ19yI_L8JreD@T4YM^Pt8GC)7otPA zx^Vb(W`F8<>po*PJ`{PC(Z0!2j6F7Uj>LcdU37JuLKOvHmsN;C5BG|>MP)~*o0d>Sfx0Px1mxAg@Ygv>@Eeq1^Hxq1syrgs!5BV`Zmt6p^uz@ohBUrscIY zIv!0Z=pI@$Eu#cwXro)}dS4!Sz$3z-Q0zR`xBF!NB~Lc@DcW?Y6N?aUxR_Oh%8js2 z!#L!#vO`f($t1s|Ut*!0a^vu|P7%$FG&!@!kYM5R#XbzSW_ApO2Vm?Y;2*(MMk1&( 
zdJvTHWzbwwg9o1?H4cH;d??an&LR1slY+Ww8M~eQ(nh2}l%fR-1B#*>9|}qRU0kz* z8PNfO(2-rzBlnL9{TR+aHHs>u3t$zYY1JONQFlCBQ%oOZ%8;`vR7-al%!yaCJxO@X_YDGpda`PnfdRSfRw_UUjE&nI;JslAhnp zdsBh(`g<0Am%k6$N$X^3K%7{0hu=Nb?D0(<2?-`}di+yn_i~XY>ej&x&F|Kopm6TF z)~)y8dNcVg9eNY0AsZ_|t$S$H76M~LN&;xBhN8|YsZ_vAzRw)z5LxF##^)xVBTa+? zF0iKy{^TylGtL&%KT1XVc`QfhH%1G@dJ~^Na|#3Z=8Qq(Kc~VfDwE&ebYGkvbb|e4 ztKkDKwRi7!tIgsbOoV>Z*A>hZ4c*<7(9pSUqt=|CN{7` zOb}b2pQ^!dt@7P#%3QY*5n8){5=8zc7wgnGL4_G>16(>HTwGkyFcJ%|BEk1JfWF2t z;|@>QADYAU_4S3ib&0=zsROhWfka5_6A7S8O)|YHBm?7fl?{5T6#ZiRH`fME!h`wKohztUo52ywba1$uN zacqFTJ{@SUazujhLx`W>DN^m;U1&xHr*A6Y9ju)lZ36m%KFcGJkIK5Zylnn-mp!f0 zcBw6LsV%hJ`qLw>Pta7bs+i0~AY}htSo1EfMB(>HeHq_G&d^YV{c)aOU)X3C#Xft@_r=AybBC?67N1Ewpt6#) zH;GeDZEkO=9lD4(uviR$CW}qV9fL){1h%rsJ?9Ahv0IHmt33q^YAQG-BuM*rsbjlg zs;0cLRFuB%jTBk`=x98Yu&}V@&giv36LMacM!GbQ5AcuhG;5E>v{so)KsN-l*th&A z^EYQ*mhOU&n&fbf44_T!$DD6(v4q?Hnwk>W<9+!Je2&eITzI5Dp z2seLQk(T};y}S=B4BLwnTO5*?g7DJWNt~f`K?0wC>((uKc)3vVGzQ$Ka=E@d9$a^L z$<2Ku0vebkBqW8LVw%Q0`8?{0(zK^&-Z<2ltB(%$_kXsvwO!aion!xW@#jY@Xmd@J znGDzF0wwXasAv?_{Q356sh8bw$5e$7Tnsy+H8|eeq^8 zzCHS?$Zn+zlKfsPf!^0QQ!k)tDh#etdw>64$&E9$G~7lB50@=aK80B~0^YQb$1+8&dde4SPOMg>or{AZ9dhleThdWYrH*K0VIcT_?aha#nM2%V$l5dn|^G7NAP73ust}4@BaP!7cSNWk=ph7>2RI%KFI{%ORMm9%_2B^4hINjKi`)M-6?`v~U`fJQ6q}Ng670rc z0919jGnWRK6ZNZp(~bR=ZZUYVw)Xa!u-?G%1>(sMha*yckN8rf_A>8lFXTR(C^ws^ zb!CU|5Gfc<)YA3GC8wpN{K>C#TPSOsywRMaYu*co7M=(4O<>-+15}E9U_gc&wgwFX zLGi|o8z}IUAUgy(ZjRZW>>7OdFm!!gu3l>Bad|Wjb~5p(H_;$5(L>yu^EkK*P#XAG zM%K`B!^ESF*Af9|M}D{uV_0Ih&~h%hg9q4|bD!=2GAnpu+{zO$H=8mlNLStSo~CRS?LYW&=U!VlS4 z)g^_OOeNL4Og01o`k@FW zlap(3N~qiA_*$U>+pkf`!v6jFP#M12vnV0DKbjfjF90^x@K+l+=) zvK(L+d8nxUpgv2;H(2%6aCJg(b(|_H+ZkEvG;&FcCPS7L0?@uj&`a9FeHKbRkY;i` z{5`0rqH^~}kY&Z>4)TF>DXXO9AU57+4icVh4G9I1boTf65BB#nFAlm$?_leyK})W7 zkhnCku)DusuEGhM(meuSnh776j{0l~llch5jcc`h#q9n35+ZE0M}i6ueMfIR)R2V| zrT+#bb{amfX?+%l$O*&6IaosPoAl$q(0Bdw4>o;M<{J`a6%mDpAAEgRc3wmN^MpdC zHD>KTJYGTw(txIQ9*SrbA}m8Xjh`@KX#^<)^!M}g!$!LTc%`PIazOSfC@MV 
zw#G&tA~BEt4&XNgVoaZf8YSQ8*-h%IfOd%w_fhf?n*2w;OM2})*vnW7+;=nrAt%ig!G?2l#O3+@z{0Nn{*v4J2Rryo@mg$}zD>LH zD(y67FCk^L8o(&6GRobEmrEzGp&g+9l}CbOhu;hoq5wMBe+_3BiZVyk{wJb?zClhyn)! z0SGr6S(d4&M3de9ee(-qqgkwI%2$v%bMQC3>}h`FQ0ckRBaPsmvwNoD^}rx68J8P1 z=Xl>JsG?HgQ-?sP6p^HUO?C3=&CD`{ho+*R3e%Y=nU??>!Um_w?v_(2Ir82PqBToTL{=dER*qN{c8&k-RzZf7q+#C6->Bol!^> zet$c$(SoK}iybYJD@vcydSRa3^#R$&pBRp1S993-9e*h0W|YWUl5U*IFncz_<}r(A zDpM28q&f|)#Ntus!J#OtNm2-8#a&#{cvchf%IjZqrvJ=;{>Sv_Kh@~}k6*IO1N_Nm z+A~jppaK@meJZqp+EXo1xP(F9jl)v;Bd{=Tuvm_)g%BT|Vx=qrW#n-4m;yO@+G)@u z2ck%g(_Ltr-2pQ?*YxW0%(be&&}IXxIUmzr1lS7L09+1?n$0rvDksQ`1VXb`!h&Pjm?3^}Ny?&VXw$8_k&^7CfZf~75z@&h-h=#T{Bg%8D zF|k~!QzeVB!XqiZb|9MF901l9F{jsY_SmIOjnn1Z!LuS7CMJAbTpMUSV<0EtG*V}p zTu+dt7%`G5Oh;!1$*jNY^D87fEnm@uh(-Sv8JX^S7cVXVsN;&LY5oJro^|Iv9%FH$zv!Sw>bP+-o)Z7+| z&c^r{-zl***z6q;AW;yip3%rA;}^kK_6aFG-e#kSe<-P#7q*i9p{X}iVPyk2rOwT> z@gvp(3X)z0^o@gVX7}ObrHfM*{>yKC(6A@>p8fzggaU8KV0S(hs1)Uftvk@SD>Lo2 zd-3KBNrG8ej0y)bqQllNQY|ellv($Z7nqoPJ;_zcG*YJaTfYpTs*$|D(u?9O!HT90 zrDWTuH0e^F_r89dw90)I3=K{=en0|+_&GvIf1YJ=Y3XFa|07bhB)-0ZeJ8OM+Lr;L zb-pn1CgpZOG7^Z!5`Y2Mldv>V=l(P(1C9Wpx`WSnp}iM4Ez_oNhY7d|)+|- z0LDmY5Ab%_o&Q{$sMibozlBwD%jeNkuUx%`bh#n{Sh&pfzk8uM4ZToeb~7eA?<*l} zqM=|=d6}K00%uC`iy#FGLOEZyK$UdReCS#N4vbY>eBOUPTltW^+H&^oaPw3u{CXp{yZIiw6jZ zja=Z}JT8jmSfPJP3aQnYM?cu-xdM#@zSk#%zEGQ}Wq;+McSk~o13JV=uFb_M)&m$~ zkK`N0vlzVO=cfTu5+E%qMoo^({NukC^;d3aj+-yiflynhSrO`XG%KrS+7_~BJ^kYo z86Q8KG%yOA00#)jG4t~w(WgO=uqJ>z2>y|sAw+XZ(1Qg@&CxV#&@?h3@9!?$tac{% z0a`Q6-$wEj!eMJ0tB*lL7#&>orX2Z-^eKPptl zB}DaW(Q;?N0Dg>8Va1u{e%y$S*8{X+s28(<2Yd_7O9Ed0tlLu`V78I)*W&uDbQ7TL z4vKmH9$HaClAYm>;fx4N7-0_qg$_9;UfYKJ^_7_?i8rnH_bo^C@+8TT5Yd zaXkf$NSF)M$5c1}lr=Cj6PqY|)YA^-9lg%kb9;im18z_5Y^@#$RWLkTYYW{3(&jD2 z>Jqq7c*CfIrG{i+=?lgDTW~*(0!FHRrKTy6KH7jJk|~CJpWHhwdfFL(Ks#dX)gaW^rjhvnE0+n8ucjZ?KPvzC{1h&7p6MKvp~dt=_e>WO9kaW_Rs%0|lI_ zBoc|-XrnPR2jiKpT3XIgfQX;VmFh++bU_fM-y*dD14?*@!#TIJ-JfN){MCa3Kd#}r zUbNh_C|~oah@)hsU$61v{arXD4E(DbApRm zR<;iYDZqBd1h%Vvg22_UPqMkq6I}h7iHfQ7N@*JuCaW6CBQ#xc<3=pXH@^U95!M@W 
zaxEc&%bMqx;lY=_nGzKZC+oV7)DpwUx&kzjf^?G2MHab zmqMM}HUVO4c-S8kZxu>Tft&8Q>6PVn zGzl%j2}CK-D#X+Hh3U0_|#1FX_j^xP$&j-%= zG%~N4q~l*{cmfDY#@afBnjrES)G&*zgM*RDeCGr(00r(pT{DfXZuW=USY|KTjvu9g2)&v1Z`Vl~ESHe1WUVLpHjYzutG6R?S0L=H?n&%K(C=lYE< z&(dIYo+<1vH)OqYQAo-f9Tf#F4GM_4tAGjrqX_`;SijsIM}A@!*9EL@_$d_<9;aLG z?&zA|w~zvyo;9~IM-&jdq>2RR*e|vyJQP9ZU*tpR{gWm)m97N$Z?%nLSM5BvVH8(r ziKdnpDKPH!1Oyt<5W}ad9et6)3O!vpmlF#RRT$XV^lz4^(E`^2hV;O#P2`*_^v%u1 z1>uAVoTbWP{fh)09UTJr(m;A$9wHErPH6YYGxT7s-|o+}2J+u8PRm`~3D$tdK?1oM z6;-AqY5ZeH2L>AUZy^}^-X*RT-dm)ZsQ1JJ!8Hg`@qrNV^W$8p-O7XMnYujS}=GY1011IwyXvq^k<#B?Jacj`H}{q)2s8jua%W+OW|6;1$<@x z+W>f}!`lIv?|`WYEbr)M|6_$B&ASJGn?RPA4Ll4K)gsLgp`p)k$#@(4`uaRbZR%9w z0AJr=c*<@Ay!nR9@3Ani2ZH@r;b|&J$dnPvA0cF*us|IA{${FUwHGq`QoV)KZ=l(G zMny+Ma$x`hb&gT{AB*qw_b3aZAbBLf??|j^1_~o8Lw8&5#rbnM0}>_6TG5n)7)e?~ z5)Pb#4*xQ}N*7{quZN6I`SJv1rF*m2@%$u)8k7t`1QR?XWmSSn$C@m7Rto{&o?fvf zR4T3y2vDB8$0Z`!k}BrEzH${8pAPAWL8$K)P=l8VwG9Q^zG6^7_^gE%P+<2q3QH$Zl1i%=aqs zEM|{)NXf4!=2p^DD9ODuDoZ7}OxdzWE@6XFm}Hir<37N=%h!`5vk8Z3k-{VaS77V2 zsRzvpSi*ESHQo35@#B}Y9z;L}6H-$4S(<&5KLZSY&mqKU{2a=*2LtNofU%Hp4iYGw z?UD+}ky-n=+^OXjy>cD~$Tn9Y)g?oY0Lc(C>;uAJA-ovIt{151l(c+cYug#Oz6qrJ zW;pqUosLFaLK^5E;1=t;&f{>$;2E2YhA}1((@}u4h^m56ZU;u-@82=D(<8AR|H|el z2VwD$%5ClJRw41hjGcyp;{9krgV{uxEA;&XfN#a3-}ug64GFb|Mk;}7c+iiIbAfts zke-&X2^_NrjhUEO3`L2c>>R51G+OPu6ga?1@p1K+^}bHz^*BL^?u^g5P4`+A2&a)W z|92*K`HB7b<*Yk7H1W}3y@`XU2%ZZZXLj3XeK>C6_wSBkog_?L0b!RDhT2-mdwBLq zU?j4%xR_|_#+nt9j!ixbCAoPj$u5W`*`U3t>1Yg`ftRjqG1r$R1c3XY%pnDx7Enqs zvbF|*0xoXaN7BDO+>RtYK}c$ynTh7ISLHvhySJzUi@D4Xl9DYbXkZoo{JY%%N6pY7 zDJ{TD2neZdfwVRhvT#9=Fme9?IMk))gAPFLzenQX1BwmgGR>9cgLpwBb93n<*yXDzkf%jv_|E8s!vfo|J~GJGYU*i2p1Pmqs!Mjjd8R_nt<|mbrxi zbjtb$i*7h z5_kVccKQ!#_kT-V|DV1DmyH9%gNbkJX0Uh#LB*l0k_~|J#tq_wKQ-GBy(%TOsYGvO z44M-?x7^3;2FCVX{)=5D7^hy}p~4eVPo$0~ftEfS2)v-83P-z}xHs#*4MoYq)%kj=PIq%SQwIYc(@uN=7Nr6Zo$)b7QK^fCB#oI(AA(r{501tij338s9= z0Wdo=i+z?PRib+nDe3{w3NsMP4O&*L+LfEiAPG&3THjGc6n>SN@D->&Ti6(-*Vf(# zqhEV~H*dY(qpqN)#K(E(1@GueM9Xw6e+VP{R&8L;}CoFM*v7 
z{3t+3%US1k_f`xCD-7iTg5-cK_zqy~S(i*S_yR{|W3f)K>7VIqV9g0hNY{qL50HE8 zvO?1b3{?xYj;WAj_?zfq(2?1L3QI9hUIEHrL5Qe6G1OJYoz_m&LyY>LEJOzklDHC;!TZ|GNCo3J|K`6lK~t zrWCQv!TC+CFrZq>1Ah}V2ol#E2dfbCw`R#1jTFcn6|b_ z2R7%vnDzJnO9s{R>23j-N4vkBy?E^G%nVOYHk8(hA2@OnUCRWoSd79f(8xgE*sde^Z5WLZS2%#iI95N>BU z?=ea2T`B4Gg>tZp%ipi;_3Q^*wM1E#=F(0j8#GTZQd z1w`Ql9_L5RpJc#wn#Hu|WKHwq38zI9bO3DTZhaAtG?Zgh$_hxTvhGbhqF3!n0X4Bg zeiS(h5CxW@kpN8sG&oM}zZk4m4S{(4kauV%R53S5O004UrWU%n;zCS1F*Dtnr^XAaNKmpSl`kQDTEwJ5y z=6?fJ=Yv2821P3t5)QjuI^KkE?Xk!w4w^F1yg+3^j{=CZ8B#u2H9Y~^CQ|zXy+gRN z_>u|zJkfW%s9@@3R@^>bnOrrB2kkWwGrKH>5+j=;Ux3I9j61Z#Ld7aX5qgJy4UOSxW;w#)GwH zNId`MH%mim2CgIr`M)X7v$Hg5FO9aLdI2>NI~{=!C@QlU@W8=<&7>cjg7?)zjt52FEj?O@^nKQn8lQFg(+qajREbL0G3>rax$9m zbHKNRyg$&98l}J6S`V4DIePgXEzZFpsuwhw7~({6E>S>5xgif6SQO+21X=q_Z~l-d z8qbMJ8#>1gjvI=phbsSv5v>h_Pn4FH=@;bP(R4P|_IyPG{1g;qJT>1s+h=F_d(kc6 zp3`TSwYYeP)cB(SBmD&!CHE3UKl9qT}n+W`c)*f^s#S_ zx#1Sg-{OBLdv65Y&2~1O6~H(M(ofEdF5T+aEWXWdzcX`;IC$4b+E?$eeq(!TocXXi zIhmxlv_143o0F3n`bAASG6nP+L$PFhv&6 zVPP5|?k+7f`w5kBzIee;dxl+-`hvz-|t2Vm$<7)o5x($W%hd46qtx(}|)##x!F1;N_qHzr3ka>JP6 zNCWDZE+7~65OH%Oo}E1+WHo%S(#3^eqenrluWRe%l>N@BxN$J^++w`gzO;nP>*5~t zv`3&ArCD82z(hx=Ot1iP4HHMaz0zXc0phu1Dq50 zkxWXi|C*u3=i^5j_@Jx$Q@!}lpYKMH>hD~+Nvz71glrTbl^;sw&O-S2@^%Kp|i-L>4bv4QF%o{u>Z#Lq1|!2<}oYA9etlbBDQ ztr%EPKnJ_HX`<@GYIxBbhMwMMSTZ`7T77+w;ApqOkUSJ2p+0=K&|EW>w=+SlgQXtn zOE*En69pzlkSAa1>XJnWeAt|Fz9%co1n_}ZNe2Yd#wI3@h$CsJr>Ury3s-Yb%+h-+ zY8{`3Ewx_{Su2%h@W4Qe?&(u0_Sh!;hQ&^uCm#Rw!8DiLXOIX zzx%SKJ_`KWYq*v%K3E;q93{ecQc&_$%+GS#uEf9~Y#c36NNm8OAfuy-ANOhSR%6nB z*$c=GnA(K={5D3$#;;$$CWIx2X|{I9W49?lXo|yfBr45IQ`pp0G%`)I#%a4*O>ad` zc(h$`98QmiJJ-&u>n}4-6c@kwIDq3qIbP7UTP%EJqf6xB?_HDcna2`THlA z$IsxbHF#qU7fO zu)8Z?TZ;gX7(Vr{`uGA@CpRms#+ORc`6wHCTJ}nDB((zekOx>o*1ei(gd-YH*;a*xR>EI5@J08%L<5JZSpX*4pNe zal<8Jp00INSPg=x4KZL3f@ca&PJejl%|VamuK3=pbo*hlr*UbcSijkhXER~yj`i$~ zXTAB(fwBLq0p7_*!FnPCDQwWy9*v(}pRtIz%E<40q)1Iw0pqv)Rj=W#iC`F?wR&9a z`7f`mC>AHGqV7P-!?GMYniEgP;UCHWpYv!kLB_l7br?Efbb{6_^gPC+o5(<$p@e` 
zHE7<#1;_#_95IpB13;G#2n?Jr?{5R^iwBe6T>X1`u)((PCSca)&d!e(!>bBac8*0G zTf=Kq`}_Oq)eiian8#ns%5qeTD&h2|Wp+LLy)*Z}&RFT6KjZx@VpHjIN5z{7nkB_w zWXQ-UX0cYc!GES1UQ-iS-#u6(P+t=nPnb62Wc;Pw7Tgn4W&Z&A+iw696Dh{zra0F3 za|x`faWA!Bv+#_gXkm}M56-6;DG@%P$4tk2z#>Ei0aK^?qGrxd06di3jx43x!|wj@ zJjdUu9gZl{a=cEON%P`PgkqO(@AMiGwl`dS?hcgxl+DjMXpVr5wjGjP;Do*ev3T}aPPL6hs@D9C3633@a85cc)1ObPr_U^2w9&m<6!o1a9 ztu_L^TTmFj@91FpmMudXZs*{TYj5 zy?<|joQ{s5_W%s`;CQdcd~Voq#Jm8|n|{yMkvndjlsRs?p;%i>evzkVdGTV<fMzNzvimy9|To)!Oqv?x0~ewX?GW_v9Dp>1*o{!Br3=jZo1j zWadP{$qgla#}16!y{2@yf^?cDmi4#qdxfd|YqBVXpAf ziYTqL_$GDOXlXyx*47%o9R{o)+3;_@aUUT4P2}YEa5UK==RAHwc37zlmBf3H#t6?40Fcf2%tE$q1 z@+sSHWkW=@&P!QY`6U^d%AF!z?Q|h8^uYo(s`t6hs~!sDN*HfCblN!OO---l3c{UV zdVJH9epOy%yM%_X`AQ>OF)}VrOjcI5G=+rxST2RSVm(V;zFlAx5t{4x%|jcR>UQV( zp{S#zUS@>%@I^U)D2CBO4DvG((RzGB!qS350yOJxiqyDjs;gV{l?&SH2zp=ap|i2G zv#_#?6sZc>wr(6AeiO>fn(~5GkOzRHP+|EDNq;~pl_liBKPr@) zkeJxASjEzEVNhOD^1+>tH+fYiw%zDJ6w(a8T_IpYEn2{~j9e)DSiej;D=##&WkT8GP(R>?-(QNipv~-DraAkLKLJ<{3wz!}`K#0K@NBWVk@Gq*io<3$7HYY7i!BBK zGndxVIFa8i(=Pr7@%o0j zm0fZuhdsBx82RqRq)4N~Vufm74h`;)QYs;JOAbOekoF0(;*I|u5};De!YQ`~-`;Ku zD=S~^_%5%m?yu(>{r**oiiLk6*FTE6=LYb=CJXEXL4y7ovH%J=ib%*Np9HfSqT*Xe^G@7 zmFjTgpuZiCOOrU=e+0yRQrO`z$NNAb%x}84$PDvv6sT$7U{85G3^>*R7;t`&toL^f zZqP_gg8G98+#0hqEPiNJt^#Nm&&c@6grm1q$&&!rymj$h~U0L2nWG#Y|MUl zp6P{+?p>dT2Ik(x3WLQK4QlFXqlvN-(7X~>RdKnvs;p#&x52{0^x4|7RxLb&jQff_T6|94Q4@B$N$KUXB!$$E~ghq=Leu`fjnVE6pe!3*I}9@@s~ z{||F-9*^bQzKcGT22F}cicrRiNM?#sDP%}R=9v)6lqsSCX+q{CQ$nVUk&Kx$Pf=u^ z=b3ff@34M*t^HYhueJC7?B9C->HYY6JkN9A*L_{*d7Q^^m05Eus;T5Rvd7?#9D9|1 zt7>vrDVF@=Y{Sp<7qud_3JQG=uW&+vV~D2ExbB@WzLsgQsa)`^WJRD|U#V|GRS>`D zzGHVV9(!z9fC1S%yaryx01Zcc7=JO@Ey%)-JNDWx96gtU`1-c(3Xm0-MjUt zo4B?eDA#&aUz;rcqM#UNa{}IBU-$$BN~)?3k<82(aOuFdBaSPmelGM?EIDfeagv3L zacjniAUXLm_5S-5xCp^6XV6^;31@4Yn0TTlVPlKoprJ$wKw2_?U0r>`xGV1jwr2DS zKn`Wn8uO`=8MYsYw3C#Gj48w*VwiCpEz>Iux}+qv?Kh_Q4dK zJF;>dX_mV>JKY-_-&g*kV`pL6Nli`7b$xk*?T(?LAW_5o~8vqJQP6B5@QaIWjMxwm9EqpO?cwf(T7BW^%&i2zyj(d+EKc4dW^WP3j 
zSB~k>l&Otm_4aq?_z#{oh8L{}Y_Ii(>X&fjp0c0J(p?xCA1{G-JSy*FIF^Y<43xuL zdGH} z|8nW*&^`4l_%Tsn32ej;o^jg{DnxwQno!P1Ug7K#>uh+`2GFj?;TU`&NtuJ1E|BN( z-Gy;;`Eao+A9^O6*+DYm=&10>J)D4+&dYUEPb>*?V5QMvC&CUGrbqP)T*`Kf9V| zoo@1RE)PpE&4@=AyF`%4eH_PaSY@yYQ~`&P{M#E&o2BtwOQc+iVVShH2fR19;wmTo z#jv{lv)#nR)!@@Uu)6&jTYC`=Xv)1ICp>+)5n$MKzHvf0++5dPK$FH*=B_?u&DS_+9F~(PzSY%z4*&Xfjo!Hh_Keqtb4gRB{Ec>GBuY<1-VLQjkJU+b z%}sn4*k-v{Sjb&nT`}h&BYIl65ul3kgcwl##)1>0q#$$GY2pCE5TP2PK(O0rNN`#n z0Fe*&ov+;7NMVO>B&uQpI`Qhwn-6JvVlEa6Y4=A|VTbc6&GFG<@(-Gzx`chlWPeXg zBri!EJ4WFK(cycQ;qiz8Xa_G}xzf^&t-LyrDG1X7wDTXL@B{s=|^Q{6bRbDgvgbZl}U&w zg;yDO*4;nkIJY6bs)HsI@~I*S#omhC|7hr%sFnf4OU07rECgaePV&^xudK9m3&hWk zbHknh${-?R=H-3y?%k2lurM+qr$t`SYz-i%B+-N-9EkyZL7k=PzDJ&(FN1=fLQzUa zMuytq1yo|xw6rn8<1JdQzdl@k&GtBagKI~mB(AsSLGcIk`h#_mBshpX$ET)S5yAcm z?cbxoKsv~FVS7v9)IJ34+^(=6JMdUy*(Ji;CCuq zrvwFEhpjM0e+B_5uE&Sl+16l#x#8}mpkhbuOgbRpB$OZ*ZS`+10Om9Okj!r0x>e8E z_!7i$-oLc2Ufn4nA(54vi)#K7fMHmT@W9EkZXol)HKJ0GIzWs31{FM$S3xnBsaFvfAUX zudA!{_f&@3uCr=t2US&7FN9~NryqrAC}GXW(D1!#!mV7}6BxYkSo?rVS*?dk9_`F^ z$PJ!BGA(Hp5p~h8w5iE|)7IUHVK#*I>$$UMNw|!SAK92S1@`gwWDsw-bhi{@3%EG;G8U9<-eRzP}9+&j24Yh#5%^&4Bhj%3@m0#``~hb8WxAgca^r!7>m zX!9M&j7}6+UL=>vvmI_u^alSGvf-mFEbh?sem4HelA4-|S^Wt&!=pCCjhxkMZ_4hE zcLw22XGW3>_AxQl;^a+)A2H~0jFVr$W}wf$m# z=~B70a|>(n$l3p|4}RKQ8cV2ohvS$FD*rZMMg)-w{gNw7G5?FbKK8wFDj!+TJ_lyM zF*`8P()H6aLnLtxewlRY)a9`M-wHG{$|!Ldy1$7(6}BYUU-Ojp=Ke+mhw0M z`sI6fmhWY}Z!9X$Sx%B(O_P*1bPfy&9Ba&P9vGWNjbXG!_}Ix^>bFI%ci(>!t2~_R z))Hp3yx;rurlP20qrR_EhuEjusaG9eoK|pdW?sKl;c+NU?7EWj@2q^Yy$bAPGfccH z2mhussN_G&9|4bRq0CNjA9ZiqoQ7B3t4@!9-ph=x}1zX@V8l0c+PX)3e}_iE+k-X(l#}X z8IUawxk@hc#Fd$cN1^+ear6;wjQwVBKed0&Ij7-fzl7d1bdSV=%fJE=5X8pAyKaVBH3VyIDZNHWM)&oVyBsWF21@`Y9Y{&e4%En@JwcNp2bRb|&{zHZ z{RP5A7v7t-bYVWod(W7MhLR%W%-HwRn9U@j9sT~O@aD~%z?9`NDmz`a))xq~zv=xD zLcu6ofrKKQ9Bzw6UHLoV;<)>fhk#y7ge;*?$3|J! 
z+`QZEgnBc`9^DYLZ9R0jGR>rc3%iBZXm)L=@Iye24LSEOLUohgYWAV}R7Uo5;LgWy zFH#VRKIjMG@PSB+YlAmqkOdQ5kPJBWjK%FA>uavoAS_`rG&L1pyE5VTPXBU8?AmLp zo}lt=GBlAYTy39qC;-Ok6?sVpNxD*?(fz&9ohfD&f{&Aeh?dl}G#ItA2A_;}rnPq+AkZnEE(vc`Ud+}5B@aK=VQ zpx(p`f{rKr#62;dWK(#5Jbiw66A2EtPv%B$Xq#)e!%(t!T=S_$?iW~Hwz9AKQckVn znSa*T-|rcr^?(F`ELPS(I9PD1=O~-R2VnJ3Q+SHpcZ$DO7)DGi0AGOPyye{zXYQR_ zTj8Iv>06f7CeUbWp}2sjEG=07EWCGjqnC{`?~wntvGpo3v_I6+)U*izEWppBSh20G zW-w8x2gC=~CL5YtgNj9%w{C~&<5x789K>PO+WPj}Hv!ZI!9G4ayIc#PlkC!-=;|i0 zt(dOz^1GOv$W{kSoL!e&Cx>5!PIYkfo0A#=CJp(;<>hg$BT-|gB5V&+?;9sD7ZRI7 zxNoMN_^Vg@hFX%HBYT5_gOyU==k~Ag8$I8|iyS#9TF6@S90ZUwLrloGTQF;G#_p$^ z{T~>_U-od&sL)T>(xkdB<5b&Ax(2sdtf;Kg4Bu7ScfG4E6p=+E5wE-5cy z@}MeKqbw`S3~Lg{VVuUw31TL5EyFaCosr=k&@d9DnlyNG*X_F5g{fDABFbMrCEv9kL5 zgKp@Zr2IPC+UOp1Vmf|WYoc?B0ibY%eN8*#j7baPhW3^h$opyT;pPs(XV)%%@)Q@` zdVQ7Cc61TkKbJxv2n$^dQfJR@xOPGwc8vAFROdcwrfDbysQ2%e_hX!xnQP&uKc(Bl zKangKVn-6P9X(=H+pjQ2BPg!=?sx109#9O~9s=)1jUKO>cqS#KMaX%XV{&7`>{H@Q zH>6zDJI2^KhnTO;R;xvFtQS1}>P+wM-mGI{Qt~ruD_X5tYO}`vx9zvf+}A*npru@O zUlSvKslP_!yVovJ*vEb8Kj^yQO!e~RpN*_Us#@T7Vwp&W`GG_$pxi)l!8~{kaS{28 zz`&K{g&R>au$T^oFaJ^SG0R}5jCp_fq9af8#{&!uHp{b$jAB^|bHiOEmE>?H4pH0H z)rEy6zm`w8=-le+Y>poNs~`?Om5DnZ#vHY#TS=j;jEw$+Z8Od!_}L}HY?9PBfeOW zD)GVnuT>}(Oetl~2wIlvnwUgq4{2nMcMwQD(q!nxb0kr>9XmaHXb+Rbx1y+e$>#yj z8dCH~1?$TQ4SWerK{B?a>~gboVME=XO^Hdpcr1P+RtQlSL5_0=_wKW%6%~EZ(`!j9 z>T6gc(y!gOz;fbmCTVu))2anI6CMq=~xwU;a5c!%3Ux_RrCnT!OMe0^sc zE(?P7$iYGIP)jtN=#oTo88Miw3Q9XaGo^1%&%n@-+^tOl&rM2A&Gco9vCUQUXIA>YfYS>q+tU zI;!&9GAmR#Cn&Dod+j&8x&zd!62Rl{UDntTkf_z&_av~Gsr%QZt3I_BqI`A8ZzpOk z^gGe1E^Czdo26)rc!47;M6mO4a6YonzWnV;U`3*O3OZF-ni^r#e@<{6uI!T%V?}4F z1fOLhn5xc>Ug`!=cA)eN4i0F}Ym)z*NQbltV~k;~S}w z2NV?5e+oS|4>wMgfKswUGyn)VM)mO64D^!>PnxsE$?+FRb&AbW@mg+5a*~zrNUDjY-G7}_$ zRBMAHXyK1y+Jv|jiPgL57&o}fzd~hX0_6+0>hZr_UprJjs)VKJNk(4{vOc>`(^m9& z&s#xDP9V6T;l{;Vg2zB?4#@?YKRmW>ciM11f^&{dTznUX%i!l_)$QYau&`cOD`|P; 
z%)AH~beJMWf`y8Inpf-Dzm5OufI?mL;X||2iCe<;`zp@68s2uyWP8MX2;i4;_rXlyF4C?rYvIKqbuB?v1NKh433CLE+C0hcI3nRUNzDf_UqBkLFw)yn72c4kRfE9}HY&m8Q zRSGGWgy;O8+8>t z(ICo1pn_l=CXxXGs_+`yRc>i?h|VqyTDnAX9iYww-5R7SYZb;Y6t0|WF2E&^b1-To>|MJ|5~brb0Qoo0U;);}azX1;c)7YopxtbqVqM_U}OsQ}m;y}|<^msd}H`Ro8OpVu* zs^yg7jm+;Bvtn>Av+R0;`?ejqXCWhqyFQXAr4zg3)TzAy_xBG4+)7k4$NoX<;0y{7 z2n<}QIS&JG2oO6IMm)9E_4Slz(M#kFo;M1?tCu4&gbA$b5!Kx zt0y}kXrUcB{ssj-$RI3-PXJ~~Dku8@sa;WKU2$96#jIst0ELr^~YqZ^v(ungJptHa?X zrMnJRw~$Bx&-7}qvMEL3w7n>5DgCfU_Tm|QC2%K$yXK*^*deJI zE!*_a7o%6==Rm@;vKRQv9PcP|BR@go3WSrE?!ktwZqqxgnv*cu#4nO@@UXro!gFW0Uv?$V%hZVJo^BR zTo+b$_7I5nz^gcitzmw2>9EnjGoD#{%Yt7tV0{*sYU+))?zwB1Ts+nLm^gLe15Z3K zxWB7lkfEBC9&4XNhtv<=Brp`?gAtfkYyuTQ%W1CZUYA4cR*+$F2abRy`Tl~p>v+zs zL)_eE7|$U^mj#XB-TQNpA|!0yQWJx229Nfa@-x`jbXVrJq22WW!*=WL(W9J0e`Yj} zGT%E-+$_jJzC(GGefQ64Y_I1sEu2j{Tm7C=Kc-@M;2Re=DYc*(j(X>m&A>^Jy(o|^ z@&-&CD=;LH2{t)nw&&YcCZFP}s!+_$Q_VXJk%Js}t?gPw^Ss- zyuutd&1uQqDCyibjhD{@MA#0W(6THnG(#O0znwc${U7v$0%Oi%ex-PoLtL}s7x-`r^CMuF|3=AXMQfukbXR2g!%yu)3#)cQ)qwTjwlK0ocTHB^3%FEtp@%!0& zd{Qn8+|Nx*9F^F}2}1Ztvvb)Ob4dUbQWIU9h_=qK$ zmnA)Cmp^1!Q47M#jteIuiWIK>^+_3M7ivGRfN z@6;~!@q4&>-BUet{!h`Ki`bjHV{OZi%m0rc5U%vBzJ{7HFh&V-3y_C5Xi^dMK?`IQ z4#v_@g_OZ0d0@1yx3weCpz5s&j%MYw2}oX29cK1mB^TA#!=!N)-a2m$Usj@`p9XVK z_`&>UP?PbJNQW6)f{N?q&1}*ZSM;PN69U3wr_#o)Fg6E3lLxrmT6g?nBM=+Aa zu429BxU;{X_TK0LZ1EC+iB@}UG2JiGjE!*ZI*WZBbP^7lEkp^1zW^V}PzV#=6Aa1x zL(`2mqK@|@TawFA#+ef&9>w=Z(N*`(4n@JC+*2y@+qZ9SBQ1L9)lMH4&BxQDjouaZ zg#HMU&AB%uhv5fN_K1sLr{0NBxgLBk`v)z=2!9V_=fJmz8t8!GdheH>PV>clta<}b3Jp$dF*e^w3m|)G^ooyPd8TkWOc+pA;dZC}RNNshAz;0-FR7_Z_(KjRX)MX&u{ z4onk?L$9#DUe;z6Po|n(xsytvY>7do2uz<29Vy_sf+7x|OD4lK+P#tYS8VgywTWc1o+FBxT2utKz49*)M|CL-K_af zMNLg9DvW5Q%UDHNE{GWR0!xS#?EiE>B?S(-H=w&!yR6H_R$dezv85o`SmpU2!R8GI zAgUIo{^Qk`VDqnEM|6yhpJ4uq!u$LM&)%`H?&;Q=8b&;*kTG4l>U0*IE`gR0w}siO z=WMNhSnfIu<{|1afextRJaX&x^fm>KF7|?2dfSs zeMJmIVa&=*X%~(w#~kYTa=2+!E2QQfMB3#20@t$=^j%^vJ{OYv+Z_|~-v zY@~{QniK9M`}#STbe&dgJl>7>@PGmcZHRIH;ZDI%;6ivTx9!&S1_u3_%{g*AP5B=G 
zi?MNlyNQhR`e8B3g8@Myk`BRF{`EO!NK2MpAOOUmp$>j2gMi#zb_+p_mtiZ`@L2~+ z-JNISRi>xPm`uAqoH&ul%gf6#E3<`WNN4&}*vb2C%rhnf^Pd=Zg(KSv-d90VwYgbY zMGBbRB0 z8vk6t+r<}od1Bytr4R4qD(?NOS3%A(xcYWu`w6XXnZ@NZ-@ku-e84c|&tS>LWY4bHLE$v$T^yl<+mXqUKFkb~! zDtXt+DjFc{>V)e(DlG_8(?Bsx_S~IJI0dG=$`;@ z)NLcev_7W6;9U1Ix;TlIJI7I})tlxbt`5=Y)=*H&bbJX*&tY6zPzraksQq}+j|}l& zMnr##ESBlth0Zu!e4?WGuLQ0?0S^%@KQ^da0K+P!emD%8Z+ZD8(8F>(B@V}4<7mxW z+A1YoYXzX40Gm*-(Vl2Gab^SsoY)ipMN>Y4a=u?Y#sz4=9n>Zd?g1&_<)uYc>~j!CTSXU_Idgz%V5U77Ba!?j<@qdckpi z_||JIMMFw&E}rpy`>X?S0bxt5+8)}GX4+OCG1Y4X@7O9J0??4XILR)*T0%exC&xu5@~Gb}HL8<#WZFVji3WN zeB%C95j9E;cn6h!d$?4GzF7taHdY5z6P{g+}!aLLpDg0Scfd%c*_;)KgG zy#E(O+W!>3(myCzD#E6{)oD?wa~hBB`TS+gjkRBFL<133tL=NjUS3(G)-AAYjD9fJ zO|bC$-j{64N#|D6GRl@q4;=V?t>V2>_L-(wu|_-bo*y!sbBq{{NN&!f#59lu5<@Qn z;Sb@VHkX!?A_jzHe;NOGqonD)n;8+3q>C zZ0X#}F;y4-gO=5=guTXJwl8i%gd`hq{MMv_uyeEG*~n`LMsl|xOW^9u?O&fgdGf8h zJ7RFqn1rPj1hRuh&OI=buGKb)N0imdJrVTX>{FKj)R6z);5C@pQ@~Pd05LU3SuZ|6 zdgRDiBVYzikeTFS%rrE5z%Qbs0T70Ni8tNIC-4f)2qM_W^H29d4rG?EaQQOXJDnmg z4*#5$0SBbU)YsSF`{K&sXrX{Xf@gGe^lt8bJq5?GB)fnLWZnTOX%!5Nn^||6kyXGV zBy@Ae3H}m*M4euaInE9ix{+;q^6Xg;C=Mv56*Da~Al!e5GKK_%!m#Ao{@Yo19|Cg2 z{{}lUdF~H4{z1(Q-_q-81wf8Yp)u7p>r6A+1E*r_jxgKzh=^eN>Ntl;=NF(4Q5`sN z>Do0axB!t3!Co8uEzL3E^7w}1w8NDoH7BZ<;Zu7%hoKq?Ib;4E)DIj~*yY5a$Sq}Z zT_rnd84--7}W-o^K4!94i`{w89>XxqApfQ0h$-yrC)gNp_vlppj` zT|GUx9*FGcR{a2m5+d5k_U!SS9moxq8jRTNV{d|8PuI|JiyQQ4{UbeDIXU%UEDF5Z-^-xN> zEevArS&(O1VSWV|l!TC(P@FS1gzdP82SK|=F;X(l!^XA+{?whnet|6mXUTEwt$|R? 
z1Lk>%%LrT+mId1S`m8Wabo0293m50}4l=Qs)QBWUa{m_pkD35>2g{j1l>+4)wc#bMZq zvmHOa6Ej5kN`q)zx18r`?_VzGG9?RTE9dlEwZtt)PMp}q&7HtftFET@>cxw9P3r)x zP|v|{B>;IEbixQyeBYk}aU&2EE+Qxbw5Eux+MiJudqIGDxM?eYtlT*!)7EOvG2Mvn8Ff^644j`Lq&fqU4SXo(tZ2A!EV5&xR zf+kl1)ic1Z!TM+-=K=Gb2pF;KL?G&LOLB5w+xDs97o2=k?NgJJM_5@s@C{8FE5V57 z!Gm@87?NdqQ9?h;;14r$K{^hir$as3_*w zRam)CyuJ0{KPV*9&*O}05>_Y~Fk?7{N0rM~5(GGdzvVAsXXb&W%@0l^=yQd$Lk*{R zd9~rqk6ybWSxd6|48k+|klcXKkIcG!z)b|%66?I@wSt7s;^ZG_^DGInD^}qqzy(=og=%PPuRQ#1Ufw|C_+PpOx&6OP#4`veIR8t7O5{jtY5oXZF~2lnbmi<0x> zqQ{?&nEhU~(;2!>wd2D1bDvARPN8;|OG%S8Qb{mhUn^Hfn!?oP@D z-(RhJH=j@8{uMoz?@D!sg(L1$g0)0#5%pVe84MAn`Cwx75ac=jd+uL*pOoo4Zs@sNqi zcEw_rnmEJ9EWudsvDZP#_UnP6uiK{PKWt^4{uDT;`(c6Q{P+t-pYk-#X786>-c;Gr zj=U@i4^rq@ztS;V`^{>f51-fNk#Xda`pY9wo*>e6A{&TSU7bt3clbb&ywr}q6gDGb^cCVKNYmuftQV9*3N2KZpG!a4^DF6C z=KJ^KY(t_uUrO`+i+uk7<{tb%yL0~&ud2HE(RJe_^aZPl?PySe=M<)!UiWBAD`4dq zr1WKYKz+#Ru-kU(e4X!)EW1pZGA%rNMpj(Y?<{d{tY~clDRihVaxZ=lFv3u#>5B9$ zTNxw0LkLcn`u7*^W0F%6BWDKwr^WNkJ-hS6|Ku3<-S40wKZ}c2yfT6@%<9_0UW}@) z4%PRaf@B6<6d@s+stjjPtKW>Y@W6|Q0pup>$ZLPqI(Twy*xeb$+mVLa3t%X^W_~7V z41Qa{MtPl=bwfj+O%DFt^y$-`*~0-;@UE>aDV5oTIoYN+73r>ApygIJIg3FI=2j~? 
zA@!OqqR+I0N5p<|PuQ1ao|KfILZZ1!9~;?8INFr*?6-?wJof15Te02_%f~u8I!|Mb zOu)y2w=&K6xF)nyyNw1|f|@smVjbY#Kn`0R)5XQpk?2i#9%}VnnrZnnJ|1Ke0td)c z`zb#ntQ#W@G4U%62`yBJM@;pJ2R#gU56Q4PxcJkp*DyFZA270oLIaX?Qqt|Et#H!ZofDQW#Q7~l!+7uYmhl_ zc_$Yla`b3145&mk10p@J%?D+GicOPyi zkbjF`rO2NA?b}1`5K>k6cP~acI6{z+`1*qP860%GRX!RW*Id;L7_l2)6@YWt=HJA3 zXtA5+?m(TZ(-^n@$ZHF~N&O)t-NNg86Hu)_#GT%>o0$~=EF1*D|ZcJlm3;7GN^nGV}v35^Zodp_H?i4D@L0T zd$VIKK4=fZ;SNHigP+$<38A^TTBibimxMjF9 z|4s0@;$Mwd+S4!4HUmfV0n6#knJZbkh5ZFVck%+&N*P>?X_OJ`6f7Nm|T$F8%8 zt+D~LM@qbPRu&Dy6PetQDrt}{R~w#B!}WLD*)S2`!KO-{%FSsGGa`UA!D}h2wcLq3 zfX28#MKGj>v+)7aNb`wJ@BV>f7)aub_YMmahdnjRnKQ_BoB))OW~+tOTgw*{Bd5M; zvPEladSyNJ)vu0nWKW(sg8w!*IWx0i=eoA>3&f@~LpGODnd$y5|AE?P`=yYrAC+VG zN_;ENdgySNN%#7d&@hc|A(@wU$kvd4Mq^b3SY;(MJDbAF>Qr{U?X|l7 zV9iWUb46(Y#`k)B@$wi|O-PQTfcec&m-Y%WO61i-;)$3gp%-VI_A@XPjdlDX(VQHu z!cQHRXHO+1m4H?7b9X}DBR>Udf`9`u6f9aEJ?=irH+_b1jDD@aMP~BU3IWL~pKcPK z%wv%L|i##K%TR>+AVJUtAX_HJ>jSKw1l@Sz?ia`1Ocgp&oXt zPQk_xphykXUYbUlxAY}AV}21oB3=8vqGGw*z@&vWGwGaaxcC*)?+{Bz!z^iqMAg^9 z!NHs^{=@VnC@bj$VwoOOB}?z~Dc?^^8-VA6�#2YO;ZUtL9?>r~sd%Ad6K=y3JZ- zW@|g&E_lc7;iikPBwb58;xsh8zc#N2pI-98MA8Q1E%Rwd7yD7{)$f(!iQLfrTq?|` zXSdAsJ8!T(jA?cUJSz9m?UGlYnWYrM>asbuzh#4V#UjZ`_P znDzO!t%Lqw^Re^mA=A@bS1w(m;%eeYyF&2|nFjW_p8)~Q_`E$mN^h_uqbJK4A^i1W zZxkKfRB$5N*DgOBAk>6+7Xbk%K%?t4%W_`Jvm8*#|Rts zz2RBnpHPuGIug2S%ln}@$T8avaQW1!pP=5VcBqr%+I^3@X2ks*&n{qqI)%@AF7HCVjr^|??mj>MngVXLHrqW5nWwfBAb|?U|?9L zJv+FLA(s&LDl+0pAOD^MQ^D;`hbU6l-RSu`o02+ z{s&uEY;In=)b}wkcmPe*{JJq-#dW)te$%E+jiv(pM)LYNEeLiDo=AL2Z`$gk%zp|t z&wn9|F95@4-RGY5{gMfP8l9p5WVS`2k&^*enunyv`9ry*IeP@uj09O!kl=U7j zUL0{*HetkJ(%sK{p79t8J8oPb<=7gdsU9Ynq`(tyyOGh2)zwu*%GIc6jN$eSHPEFw zIgpSXhoRYvSH~p(RPwBtJfH>Pb89`LNh-`Fv2{#MnS5{2+EZWS3L>8WyLa531x!I> z#jbr70yi^EnQ>zp6FY9^<{{r3!A5DeWBWif2l=%R7m^laaf7k;W1xfw)`S(fB=kCK zBITs8umz^hPQ7PfT=E>NnT!n97%tDkG+e+GlEGPb9GynVr@nhK8iFb%^cmYG# z#;)lT=jDgSvk#HGMR;kYDaHHm>F_(gZcDwlCrmBt?iRFI?;PhuuD<0}PEH~2lp7f< z=e2h)G<)rtM%ApjxrQy2l)D`mZ@E6bn0EsObg>N}kW%2a*&u^sRLisWW+Mq@kQ+?& 
zFQ4r3IJ#Zt$pBLB?yfBxgofT8>~cOE;8*Mrh=l4FePIq#PTSBwOoi$cvGLt$J@5RO zx%lF_aUzd3lKLM8t%Hw_9*Eq(cdtxuY1e6s(Xh3OTFl%C3R82U88D>7xZe?Gr^et& zjUoYOZ`13s-qNL?St){YA*#$QEXRw?Kre%Vk7dB|mmPOJ?E}$3WPWkoAgq>&84?b= z#%9Hz{-Sm)#+|JpIFpPV9T|@8JK(n`eFE*vQvBrN2-1Ityd0_(Juf zJ{BjCs|d>dAM;X&^^iKBs1_}rW!;2qn;c$PGGIl1g;Bi#Xje5fS8V+`6Rsyz;}72a z>bMsKLi?c<u%mw8G*Lx8n70Imfl3UM*XqH>A#MnVvfCE3B zdZ;+ce!RYT`O=eEdn*O_AOuIwx>H$7Ir2KF7#s7#L#S{3mng1OA>0pzZSpJAHEsP_ z%vvnsoLQ~!pC}!Ou!}tV@VoHGdWW05uZAw}613d% z6M}slvT#=5!Le4C^m={ESEL=dyC+>kE`g$=!mZE0x5mg_;r`G+I4A|17L-QE1OxMV#W@zi6@y4od*R5>p*rM`E%2ev~^$2*FDD31<~W#x#9a$^XqT0O2APT`uS6l zBrH-^8Bh&hwH@(o9$rH2%vQ#ewbfnj81-(SQI@)ZV_ub;ATc7LQCCXn(?(1O$J+ zQBk}E?zVN=HVUPF5f5QQh5`T*O!BrH%|6c@D=Z7lH-GDP6@lZ3{_<=ICM0R-`G7tW zzI^!3t!;fq^&fmwepK6{rROM8+!T}!10mYDP%8zV9jmJ~)sX6KO z_2^5a8!bJdqIR#iZ>&dx<9O>!cbbvfA08AK=1pat*u2%rH{F1<`6(p4zZjasIZ^jn zXUCBf4{xfe0pP;-{)2V*x6&w9BU88JBkXTiD<+E)>Mz4th5-a9gx8os!Wsi|GB1g*-9+e}0xhcx}fWojPQ%Fqv*_-VQ3-wce7 zzVCIvD@N(>h>CNSInXNNXhs=P`|1c#U@nqXjSKGUlT`zo&+BCoO>qWoSMvCUg$q7aM#Ok#!r?6Gg+!}^08lMA|k8{ zVq5NA_GTX5^_(rO)K^juCo~ZFgIgc_SSf^w1Y*4G!I&L+Ey%4jTh9{rcWP4=%!N8csV zfXsLT<%ME`GQU%fYnS(RCeV{(zxoS*9gb3pZ_H-~>PvqqA=SQ5wx2n%itk2@)617H z_kyFinXjukG&orH?xX+--$NnW+W*p36_eNAYGJ`1Yepy72Qa2l2Tb4tzS5szH6L^n zP+!gP^7FH!)%ft?!%lNXSovLA;T!SXVPZFuokLssQ+R&%xCiL{T>i2TV!M0G{9sOV zDojM+53~>1<<{($r1QQeDC1LOufneAIyASRCH60?EMrr;i5bR!-$7WRN3Dl@`N*rQ zEG!^U@bw!ct(4lonufoCi3HexK_|KNPasH32{}sIewtWTv{6FTkYPMbAGK%`C@Ddqi#@1_JVbCKbgaWwr{awws?QK; zAYcK5GD+&sclp*1QR7OvJ@nK2frNw#S-l0w!Dl~tGyD3jy!}IXmcqlM>4okdwY6Q! 
diff --git a/static/img/FleetWorkloadNamespaces.svg b/static/img/FleetWorkloadNamespaces.svg new file mode 100644 index 000000000..72af6f3ad --- /dev/null +++ b/static/img/FleetWorkloadNamespaces.svg @@ -0,0 +1,7 @@ +
if not exist
if not exist
if not exist
if not exist
Start
+

In any GitRepo resource, field targetNamespace

Overrides everything.

+

Fails if a cluster scoped resource is used in the workload manifests.

+

In file fleet.yaml, field namespace

Overrides namespaces defined in workload manifests.

+

In any workload's manifest, field metadata.namespace

+

In file fleet.yaml, field defaultNamespace

This is what manifests get if they don't have a namespace defined.

+

Errors out if no namespace was defined up to this point.
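
Review bot: the edge label "if not exist", used four times in FleetWorkloadNamespaces.svg, is ungrammatical and does not say what is being tested; "if not set" would match the node texts, which speak of a field being defined. The file also ends without a trailing newline, which is worth fixing while the image is being added.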

\ No newline at end of file From 686f1ac0e7a0fc577e53775cb0c3285b87688e9a Mon Sep 17 00:00:00 2001 From: Mario Manno Date: Fri, 19 Jul 2024 12:20:57 +0200 Subject: [PATCH 4/4] Shorten and clarify cluster registration namespace docs --- docs/namespaces.md | 51 ++++++++++++++++++++++------------------------ 1 file changed, 24 insertions(+), 27 deletions(-) diff --git a/docs/namespaces.md b/docs/namespaces.md index 6078a0407..97c16f71f 100644 --- a/docs/namespaces.md +++ b/docs/namespaces.md 
@@ -99,31 +99,35 @@ allow list. This also prevents the creation of cluster wide resources. ## Fleet Namespaces -All types in the Fleet manager are namespaced. The namespaces of the manager -types do not correspond to the namespaces of the deployed resources in the -downstream cluster. Understanding how namespaces are used in the Fleet manager +All types in the Fleet manager are namespaced. The namespaces of a custom +resource, e.g. GitRepo, does not influence the namespace of deployed resources. + +Understanding how namespaces are used in the Fleet manager is important to understand the security model and how one can use Fleet in a multi-tenant fashion. +![Namespace](/img/FleetNamespaces.svg) + ### GitRepos, Bundles, Clusters, ClusterGroups -The primary types are all scoped to a namespace. All selectors for `GitRepo` -targets will be evaluated against the `Clusters` and `ClusterGroups` in the same -namespaces. This means that if you give `create` or `update` privileges to a -`GitRepo` type in a namespace, that end user can modify the selector to match -any cluster in that namespace. This means in practice if you want to have two -teams self manage their own `GitRepo` registrations but they should not be able -to target each others clusters, they should be in different namespaces. +All selectors for `GitRepo` targets will be evaluated against the `Clusters` +and `ClusterGroups` in the same namespaces. This means that if you give +`create` or `update` privileges to a `GitRepo` type in a namespace, that end +user can modify the selector to match any cluster in that namespace. This means +in practice if you want to have two teams self manage their own `GitRepo` +registrations but they should not be able to target each others clusters, they +should be in different namespaces. -#### GitRepo Namespace +The cluster registration namespace, called 'workspace' in Rancher, contains the `Cluster` and the +`ClusterRegistration` resources, as well as any `GitRepos` and `Bundles`. 
-Git repos are added to the Fleet manager using the `GitRepo` custom resource -type. The `GitRepo` type is namespaced. By default, Rancher will create two -Fleet workspaces: **fleet-default** and **fleet-local**. +Rancher will create two Fleet workspaces: **fleet-default** and +**fleet-local**. - `fleet-default` will contain all the downstream clusters that are already registered through Rancher. -- `fleet-local` will contain the local cluster by default. +- `fleet-local` will contain the local cluster by default. Access to + `fleet-local` is limited. If you are using Fleet in a [single cluster](./concepts.md) style, the namespace will always be **fleet-local**. Check @@ -133,17 +137,13 @@ will always be **fleet-local**. Check For a [multi-cluster](./concepts.md) style, please ensure you use the correct repo that will map to the right target clusters. -### Special Namespaces +### Internal Namespaces -An overview of the [namespaces](./namespaces.md) used by fleet and their -resources. - -![Namespace](/img/FleetNamespaces.svg) - -#### fleet-local (local workspace, cluster registration namespace) +#### Cluster Registration Namespace: fleet-local The **fleet-local** namespace is a special namespace used for the single cluster use case or to bootstrap the configuration of the Fleet manager. +Access to the local cluster should be limited to operators. When fleet is installed the `fleet-local` namespace is created along with one `Cluster` called `local` and one `ClusterGroup` called `default`. If no targets 
@@ -152,16 +152,13 @@ named `default`. This means that all `GitRepos` created in `fleet-local` will automatically target the `local` `Cluster`. The `local` `Cluster` refers to the cluster the Fleet manager is running on. -The cluster registration namespace contains the cluster and the -clusterregistration resources, as well as any gitrepos and bundles. - -#### cattle-fleet-system (system namespace) +#### System Namespace: cattle-fleet-system The Fleet controller and Fleet agent run in this namespace. All service accounts referenced by `GitRepos` are expected to live in this namespace in the downstream cluster. -#### cattle-fleet-clusters-system (system registration namespace) +#### System Registration Namespace: cattle-fleet-clusters-system This namespace holds secrets for the cluster registration process. It should contain no other resources in it, especially secrets.
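
Review bot: "Access to `fleet-local` is limited." in the `fleet-local` bullet of the first hunk (@@ -99,31 +99,35 @@) states a restriction without saying what enforces it or for whom, while the next hunk phrases the same point as a recommendation ("should be limited to operators"). Pick one meaning and name the mechanism or the audience, because readers will use this section to decide who gets `create` or `update` on `GitRepo` in that namespace. In the same hunk, "The namespaces of a custom resource, e.g. GitRepo, does not influence" has a number mismatch (suggest "The namespace of a custom resource, e.g. `GitRepo`, does not influence"), and the rewrapped paragraph still carries "in the same namespaces" and "each others clusters".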
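
Review bot: the added line "Access to the local cluster should be limited to operators." in the second hunk (@@ -133,17 +137,13 @@) gives the rule without the reason and says "local cluster" in a section about the `fleet-local` namespace. The text that follows already explains that every `GitRepo` created in `fleet-local` targets the `local` `Cluster`, which is the cluster the Fleet manager runs on; placing the new sentence after that explanation and wording it in terms of `GitRepo` privileges in `fleet-local` would make the consequence explicit. "Operators" is also ambiguous in a Kubernetes document, so a term such as "cluster administrators" would avoid confusion with operator controllers.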
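
Review bot: the heading renames in the third hunk (@@ -152,16 +152,13 @@), together with "Special Namespaces" becoming "Internal Namespaces" in the previous one, will change the section anchors if the site derives them from heading text, so inbound links to the old headings need checking or explicit ids. While this section is being touched, the unchanged sentence "It should contain no other resources in it, especially secrets." directly follows "This namespace holds secrets for the cluster registration process." and reads as contradictory; "no other resources, and in particular no other secrets" would say what is meant.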